CN109639712B - Method and system for preventing DDOS attack - Google Patents

Publication number: CN109639712B
Application number: CN201811640337.3A
Other versions: CN109639712A
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Active
Prior art keywords: server, client, sequence number, syn, message
Inventors: 贺艳, 邓军, 叶晓虎, 何坤, 张磊, 袁玫, 杨雪皎
Current assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Original assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                • H04L63/1441 Countermeasures against malicious traffic
                    • H04L63/1458 Denial of Service
            • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
        • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/14 Session management
                • H04L67/141 Setup of application sessions
        • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
            • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
                • H04L69/163 In-band adaptation of TCP data exchange; In-band control procedures

Abstract

The invention discloses a method and a system for protecting against DDOS attacks. In the method, a client sends a SYN request message to a server through an intermediate cleaning device (a traffic scrubbing device) at the retransmission interval; the intermediate cleaning device records the first five-tuple information and the first sequence number information carried in the SYN request message; after the client receives a SYN acknowledgement message with a correct acknowledgement number from the server, it determines whether the current connection request has timed out; if not, the client sends an acknowledgement message to the server through the intermediate cleaning device, which verifies the client against the recorded information and forwards the acknowledgement message to the server once the verification passes, so that the TCP connection is established with the server. Because the scheme relies on neither of the two client behaviours that some clients lack (responding to a [SYN, ACK] message carrying a wrong acknowledgement number, and reacting when the peer breaks an established TCP connection), normal communication between a normal client and the server is preserved while the DDOS attack is prevented.

Description

Method and system for preventing DDOS attack
Technical Field
Embodiments of the invention relate to the technical field of DDOS (Distributed Denial of Service) attack protection, and in particular to a method and a system for preventing DDOS attacks.
Background
A SYN (synchronize sequence number) Flood attack is one of the most common DDoS methods: it exploits a weakness of TCP (Transmission Control Protocol) by forging a large number of TCP connection requests so as to exhaust the resources of the attacked host. Two main protection schemes are currently used to defend against SYN Flood attacks:
First, as shown in fig. 1: after receiving a SYN request message, the intermediate cleaning device replies with a [SYN, ACK (acknowledgement)] message carrying a wrong acknowledgement number. A normal client generally returns a RST message to break the connection and then re-initiates the three-way handshake, so that, once the intermediate cleaning device has verified it, subsequent communication goes directly to the server; an attacker cannot sustain this protocol interaction, so the SYN Flood messages are intercepted by the intermediate cleaning device, which realizes the protection function. In this scheme the client establishes the TCP connection with the intermediate cleaning device through the three-way handshake and is authenticated by the intermediate cleaning device; that is, the TCP connection initiated by the client is not established with the server, and the intermediate cleaning device establishes the TCP connection in place of the server.
Secondly, as shown in fig. 2: after receiving a SYN message, the intermediate cleaning device replies with a [SYN, ACK] message carrying a correct acknowledgement number; a normal client replies with an ACK message and thereby establishes a TCP connection with the intermediate cleaning device; the intermediate cleaning device then replies with a RST (reset) message to break that connection, and the client generally makes a connection request again, after which, having been verified by the intermediate cleaning device, it communicates directly with the server. An attacker cannot sustain this protocol interaction, so the SYN Flood messages are intercepted by the intermediate cleaning device, which realizes the protection function. In this scheme the client establishes a TCP connection with the intermediate cleaning device through the three-way handshake, the intermediate cleaning device then verifies the client by disconnecting it, and the intermediate cleaning device establishes the TCP connection in place of the server.
With the continued growth of network attacks, many normal clients, especially payment-type clients, now exhibit the following protocol behaviours: first, they do not respond to a [SYN, ACK] message with a wrong acknowledgement number returned by the server; and second, once a TCP connection has been established and is then broken by the intermediate cleaning device, they do not respond. When the existing SYN Flood protection algorithms are used, clients with these two protocol behaviours no longer respond, so the normal communication of such clients is blocked and normal service is affected.
Disclosure of Invention
Embodiments of the invention provide a method and a system for preventing DDOS attacks, which ensure normal service communication for a client while the DDOS attack is being prevented.
The method for protecting against DDOS attacks provided by the embodiment of the invention comprises the following steps:
a client sends a SYN request message to a server through an intermediate cleaning device at the retransmission interval, wherein the SYN request message comprises first five-tuple information and first sequence number information;
after receiving the SYN request message sent by the client to the server, the intermediate cleaning device records the first five-tuple information and the first sequence number information and forwards the SYN request message to the server, so that the server sends a SYN acknowledgement message;
after receiving a SYN acknowledgement message with a correct acknowledgement number from the server, the client determines whether the current connection request has timed out;
if not, the client sends an acknowledgement message to the server through the intermediate cleaning device, wherein the acknowledgement message comprises second five-tuple information and second sequence number information;
after receiving the acknowledgement message sent by the client to the server, the intermediate cleaning device verifies the client according to the second five-tuple information and the second sequence number information, and forwards the acknowledgement message to the server once the verification passes, so that the client and the server complete the establishment of the TCP connection.
In this technical scheme, after receiving the SYN acknowledgement message from the server, the client sends an acknowledgement message to the server through the intermediate cleaning device if the current connection request has not timed out, and the intermediate cleaning device forwards the acknowledgement message to the server after verifying the client, so that the TCP connection is established with the server. At the same time, the intermediate cleaning device verifies the client during the establishment of the TCP connection between the client and the server, without any TCP connection having to be established between the client and the intermediate cleaning device; this improves the efficiency of establishing the TCP connection between the client and the server and saves system resources.
Optionally, the method further includes:
if the client determines that the current connection request has timed out, the client sends a RST message to the server through the intermediate cleaning device, wherein the RST message comprises third five-tuple information and third sequence number information;
after receiving the RST message sent by the client to the server, the intermediate cleaning device verifies the client according to the third five-tuple information and the third sequence number information, and forwards the RST message to the server once the verification passes;
and the client sends a TCP connection request to the server, establishes the TCP connection with the server and communicates.
In the above technical solution, after the client receives the SYN acknowledgement message from the server, either the current connection request has not timed out, in which case the client sends an acknowledgement message to the server through the intermediate cleaning device and the intermediate cleaning device forwards it after verifying the client against the second five-tuple information and second sequence number information it carries; or the current connection request has timed out, in which case the client sends a RST message to the server through the intermediate cleaning device and the intermediate cleaning device forwards it after verifying the client against the third five-tuple information and third sequence number information it carries. Either way the TCP connection is established with the server, and neither of the two client behaviours that some clients lack (responding to a [SYN, ACK] message with a wrong acknowledgement number, and reacting when the peer breaks an established TCP connection) is required. The method ensures normal communication between a normal client and the server while preventing DDOS attacks, adapts well to payment-type or mobile clients, and solves the problem that conventional SYN Flood protection schemes block normal services. At the same time, the intermediate cleaning device verifies the client during the establishment of the TCP connection between the client and the server, without any TCP connection having to be established between the client and the intermediate cleaning device, which improves the efficiency of establishing the TCP connection and saves system resources.
Optionally, after the intermediate cleaning device forwards the acknowledgement message to the server, the client communicates directly with the server.
In this technical scheme, once the intermediate cleaning device has forwarded the acknowledgement message to the server, the client and the server have completed the establishment of the TCP connection, and the client can communicate directly with the server without further verification by the intermediate cleaning device.
Optionally, before the intermediate cleaning device receives the SYN request message sent by the client, the method further includes:
the intermediate cleaning device counts the SYN messages sent to the server, and enters a protection state when the number of SYN messages destined for the same destination address exceeds a threshold.
Correspondingly, the embodiment of the invention also provides a system for preventing DDOS attacks, comprising a client, an intermediate cleaning device and a server;
the client is configured to send a SYN request message to the server through the intermediate cleaning device at the retransmission interval, wherein the SYN request message comprises first five-tuple information and first sequence number information;
the intermediate cleaning device is configured to record the first five-tuple information and the first sequence number information after receiving the SYN request message sent by the client to the server, and to forward the SYN request message to the server so that the server sends a SYN acknowledgement message;
the client is further configured to determine, after receiving a SYN acknowledgement message with a correct acknowledgement number from the server, whether the current connection request has timed out, and if not, to send an acknowledgement message to the server through the intermediate cleaning device, wherein the acknowledgement message comprises second five-tuple information and second sequence number information;
and the intermediate cleaning device is further configured to verify the client according to the second five-tuple information and the second sequence number information after receiving the acknowledgement message sent by the client to the server, and to forward the acknowledgement message to the server once the verification passes, so that the client and the server complete the establishment of a Transmission Control Protocol (TCP) connection.
Optionally, the client is further configured to send a RST message to the server through the intermediate cleaning device if it determines that the current connection request has timed out, wherein the RST message comprises third five-tuple information and third sequence number information;
the intermediate cleaning device is further configured to verify the client according to the third five-tuple information and the third sequence number information after receiving the RST message sent by the client to the server, and to forward the RST message to the server once the verification passes;
and the client is further configured to send a TCP connection request to the server, establish the TCP connection with the server and communicate.
Optionally, the client is further configured to communicate directly with the server after the intermediate cleaning device has forwarded the acknowledgement message to the server.
Optionally, the intermediate cleaning device is further configured to count, before receiving the SYN request message sent by the client, the SYN messages sent to the server, and to enter a protection state when it confirms that the number of SYN messages destined for the same destination address exceeds a threshold.
Correspondingly, the embodiment of the invention also provides a computer-readable storage medium storing computer-executable instructions, which cause a computer to execute the above method for preventing DDOS attacks.
Correspondingly, an embodiment of the present invention further provides a computing device, including:
a memory for storing program instructions;
and a processor for calling the program instructions stored in the memory and executing the above method for preventing DDOS attacks according to the obtained program.
Drawings
In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those skilled in the art could obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of a SYN Flood attack defense scheme according to an embodiment of the present invention;
FIG. 2 is a schematic diagram illustrating a SYN Flood attack defense scheme according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating a system architecture according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating a method for protecting against DDOS attacks according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a method for protecting against DDOS attacks according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a system for protecting against DDOS attacks according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort fall within the protection scope of the present invention.
FIG. 3 shows a system architecture to which the present invention applies. Referring to FIG. 3, the system architecture may include a client 100, an intermediate cleaning device 200 and a server 300.
The intermediate cleaning device 200 is located between the client 100 and the server 300, and is configured to intercept SYN Flood attacks and to verify clients.
It should be noted that the structure shown in fig. 3 is only an example, and the embodiment of the present invention is not limited thereto.
Based on the above description, FIG. 4 shows by way of example the flow of a method for protecting against DDOS attacks. The flow may be performed by a system for protecting against DDOS attacks, and is described below in terms of the interaction between the client, the intermediate cleaning device and the server.
As shown in fig. 4, the specific steps of the process include:
Step 401: the client sends a SYN request message to the intermediate cleaning device.
The SYN request message comprises first five-tuple information and first sequence number information, which the intermediate cleaning device uses, after receiving a later message from the client, to verify the client, that is, to check whether the client is a normal client. The SYN request message is sent at the retransmission interval: it is a retransmitted message, and since a SYN request message is the first message the client sends to the server, its sequence number is equivalent to 1. At this point the intermediate cleaning device is already in the protection state and verifies all SYN request messages, so the SYN request message sent by the client for the first time is cleaned by the intermediate cleaning device, that is, it is refused forwarding to the server, which prevents the SYN Flood attack. Therefore, when the client has received no response from the server within the retransmission interval, it resends the SYN request message once, and only when the intermediate cleaning device receives the SYN request message again is the message released.
In the embodiment of the invention, the retransmission interval is made adaptable (set empirically) so as to match the SYN retransmission interval of the client's service accurately and clean forged SYN Flood messages, or so as to clean SYN Flood messages by other means.
It should be noted that, before the client sends the SYN request message, the intermediate cleaning device may count the SYN messages sent to the server and enter the protection state when it confirms that the number of SYN messages destined for the same destination address exceeds a threshold, so as to protect against the SYN Flood attack. The threshold may be set empirically.
Step 402: the intermediate cleaning device records the first five-tuple information and the first sequence number information.
The SYN request message sent by the client to the server, as received by the intermediate cleaning device, comprises the first five-tuple information and the first sequence number information; the intermediate cleaning device records them so that it can verify the client in the subsequent interaction and determine whether the client is a normal client.
Step 403: the intermediate cleaning device sends the SYN request message to the server.
After recording the first five-tuple information and the first sequence number information carried in the SYN request message, the intermediate cleaning device releases the SYN request message and sends it to the server, so that the server sends a SYN acknowledgement message to the client.
Step 404: the server sends a SYN acknowledgement message to the client.
After receiving the SYN request message from the client, the server sends the client a SYN acknowledgement message carrying a correct acknowledgement number.
Step 405: the client determines whether the current connection request has timed out; if so, the process proceeds to step 410, otherwise to step 406.
After receiving a SYN acknowledgement message with a correct acknowledgement number from the server, the client must first determine whether the current connection request has timed out, that is, whether the time already spent establishing the TCP connection exceeds the TCP connection-establishment timeout; if so, the client may give up establishing the TCP connection. If not, returning the acknowledgement message will not cause the TCP connection establishment to time out.
Step 406: the client sends an acknowledgement message to the intermediate cleaning device.
When the client has confirmed in step 405 that the current connection request has not timed out, it continues by sending an acknowledgement message to the server. Because the intermediate cleaning device has not yet verified the client, the acknowledgement message is still intercepted by the intermediate cleaning device, so the acknowledgement message sent by the client to the server first passes through the intermediate cleaning device. The acknowledgement message completes the establishment of the TCP connection with the server. It comprises second five-tuple information and second sequence number information, against which the intermediate cleaning device verifies the client.
Step 407: the intermediate cleaning device verifies the client.
After receiving the acknowledgement message from the client, the intermediate cleaning device verifies the client according to the second five-tuple information and the second sequence number information in the message. Specifically, the intermediate cleaning device compares the recorded first five-tuple information and first sequence number information of the client with the second five-tuple information and the second sequence number information; if they are consistent, the client is confirmed to be a normal client and passes the verification. Once the verification has passed, the intermediate cleaning device no longer intercepts communication messages between the client and the server, and the communication between the client and the server is released until the TCP connection established between them is disconnected.
If the second five-tuple information and the second sequence number information sent by the client do not pass the verification, they are inconsistent with the recorded first five-tuple information and first sequence number information of the client, and the client may be a DDOS attacker; the intermediate cleaning device then intercepts the acknowledgement message and does not release it to the server, thereby achieving the purpose of preventing the DDOS attack.
Because neither of the two client behaviours that some clients lack (responding to a [SYN, ACK] message with a wrong acknowledgement number, and reacting when the peer breaks an established TCP connection) is required, direct normal communication between the client and the server is ensured while the DDOS attack is prevented; payment-type or mobile clients are well supported, and the problem that existing SYN Flood protection schemes block the normal service communication of normal clients is solved. At the same time, the intermediate cleaning device verifies the client during the establishment of the TCP connection between the client and the server, without any TCP connection having to be established between the client and the intermediate cleaning device, which improves the efficiency of establishing the TCP connection and saves system resources.
Step 408: the intermediate cleaning device sends the acknowledgement message to the server.
After the client has passed verification, the intermediate cleaning device sends the acknowledgement message to the server so that the TCP connection between the client and the server is established.
Step 409: the client establishes the TCP connection with the server.
Once the client has established the TCP connection with the server, it can communicate directly with the server without being intercepted by the intermediate cleaning device.
Step 410: the client sends a RST message to the intermediate cleaning device.
When the client determines in step 405 that the current connection request has timed out, it may send a RST message to the server in order to restart the establishment of the TCP connection with the server. The RST message comprises third five-tuple information and third sequence number information, against which the intermediate cleaning device verifies the client.
Step 411: the intermediate cleaning device verifies the client.
After receiving the RST message sent by the client to the server, the intermediate cleaning device verifies the client according to the third five-tuple information and the third sequence number information in the RST message. Specifically, it compares the recorded first five-tuple information and first sequence number information of the client with the third five-tuple information and the third sequence number information; if they are consistent, the client is confirmed to be a normal client and passes the verification. Once the verification has passed, the intermediate cleaning device no longer intercepts communication messages between the client and the server, the communication between them is released, and the client and the server subsequently re-establish the TCP connection; the release lasts until the TCP connection established between the client and the server is disconnected.
If the third five-tuple information and the third sequence number information sent by the client do not pass the verification, they are inconsistent with the recorded first five-tuple information and first sequence number information of the client, and the client may be a DDOS attacker; the intermediate cleaning device then intercepts the RST message and does not release it to the server, thereby achieving the purpose of preventing the DDOS attack. At the same time, the connection is never broken by the intermediate cleaning device, so direct normal communication between the server and a normal client that does not respond to disconnection by the peer is also ensured: the intermediate cleaning device does not intercept the messages of a client that does not respond to disconnection by the peer, but keeps verifying the sender of those messages. In the prior-art scheme, the intermediate cleaning device intercepts the messages of a client that does not respond to disconnection by the peer, which affects direct normal communication between the normal client and the server.
At the same time, the intermediate cleaning device verifies the client during the establishment of the TCP connection between the client and the server, without any TCP connection having to be established between the client and the intermediate cleaning device, which improves the efficiency of establishing the TCP connection and saves system resources.
Step 412: the intermediate cleaning device sends the RST message to the server.
After the client has passed verification, the intermediate cleaning device releases the RST message and sends it to the server. At this point the server does not respond to the received RST message; it simply waits for the client to send a new TCP connection establishment request.
Step 413: the client sends a first SYN request message to the server.
Once the intermediate cleaning device has verified the client in step 411, it no longer intercepts messages subsequently sent by the client, so the client now sends the first SYN request message directly to the server.
Step 414: the server sends a first SYN acknowledgement message to the client.
After receiving the first SYN request message from the client, the server sends a first SYN acknowledgement message to the client.
Step 415: the client sends a first acknowledgement message to the server.
After receiving the first SYN acknowledgement message from the server, the client sends the first acknowledgement message to the server, completing the establishment of the TCP connection.
Through the three-way handshake between the client and the server in steps 413 to 415, the client and the server successfully establish a TCP connection and TCP communication is achieved.
The above embodiment shows that, after the client receives the SYN acknowledgement message sent by the server, if the current connection request has not timed out the client sends an acknowledgement message to the server through the intermediate cleaning device, and the intermediate cleaning device forwards that acknowledgement message to the server after verifying the client against the second five-tuple information and the second sequence number information it carries; if the current connection request has timed out, the client sends an RST message to the server through the intermediate cleaning device, and the intermediate cleaning device forwards the RST message to the server after verifying the client against the third five-tuple information and the third sequence number information it carries. In either case the TCP connection with the server is established, so neither of the two client behaviours that defeat conventional schemes, not responding to a [SYN, ACK] message with a wrong acknowledgement number and not responding when the opposite end breaks the TCP connection, prevents the connection from being established. The method prevents DDOS attacks while preserving normal communication between a normal client and the server, adapts well to payment-type or mobile clients, and solves the problem that conventional SYN Flood protection schemes block normal services. At the same time, the intermediate cleaning device verifies the client while the TCP connection between the client and the server is being established, without establishing a TCP connection between the client and the intermediate cleaning device itself, which improves the efficiency of establishing the TCP connection between the client and the server and saves system resources.
In order to better explain the embodiment of the present invention, the procedure for protecting against DDOS attacks is described below through a specific practical scenario.
As shown in fig. 5, an attacker first forges a large number of SYN Flood messages and sends them to the server. The intermediate cleaning device counts the SYN messages and enters the protection state when they exceed the SYN message threshold configured for the protected server. The intermediate cleaning device then intercepts and cleans the subsequently received SYN Flood messages by some means, for example by adaptively matching the SYN retransmission interval, so that forged SYN Flood messages are discarded while the SYN retransmission intervals of the customers' services are matched accurately, or by any other means that achieves the cleaning of SYN Flood messages.
Throughout the attack, since the server is in the protection state on the intermediate cleaning device, a normal client accessing the server goes through the following processing flow:
(1) The client sends a SYN request message to establish a TCP connection with the server.
(2) After intercepting the first SYN request message of the client, the intermediate cleaning device receives the retransmitted SYN request message after the retransmission interval, records the five-tuple and the sequence number of that SYN request message, and passes the message through.
(3) After receiving the SYN message, the server returns a correct [SYN, ACK] message to the client. After the client receives this message there are two cases: first, the TCP connection request has timed out at this point; second, the TCP connection request has not timed out at this point.
(4) If the connection request has not timed out, the client returns an ACK message. The intermediate cleaning device verifies from the five-tuple and the sequence number of the ACK message that this is a normal client, and after verification sends the message on to the server; thereafter the client and the server communicate directly.
(5) If the connection request has timed out, the client returns an RST message. The intermediate cleaning device verifies from the five-tuple and the sequence number of the RST message that this is a normal client, and after verification sends the RST message on to the server, which releases the connection. The client then issues a new TCP connection request; the intermediate cleaning device passes this connection request and the subsequent message exchange straight through, and the client and the server communicate directly.
Compared with the existing mainstream SYN Flood protection schemes, the scheme for preventing DDOS attacks provided by the embodiment of the present invention cleans SYN Flood messages while preserving normal communication between an ordinary client and the server, including communication with clients that do not respond to a wrong [SYN, ACK] message or that do not respond to a disconnection by the opposite end. The embodiment of the present invention adapts well to today's payment clients and mobile clients, and solves the problem that conventional SYN Flood protection schemes block normal services.
Based on the same technical concept, fig. 6 shows by way of example the structure of a system for protecting against DDOS attacks according to an embodiment of the present invention, which can execute the flow for protecting against DDOS attacks.
As shown in fig. 6, the system specifically includes: a client 601, an intermediate cleaning device 602 and a server 603;
the client 601 is configured to send a SYN request message to the server 603 through the intermediate cleaning device 602 at the retransmission interval, where the SYN request message includes first five-tuple information and first sequence number information;
the intermediate cleaning device 602 is configured to record the first five-tuple information and the first sequence number information after receiving the SYN request message sent by the client 601 to the server 603, and to forward the SYN request message to the server 603, so that the server 603 sends a SYN acknowledgement message;
the client 601 is further configured to determine whether the current connection request has timed out after receiving a SYN acknowledgement message with a correct acknowledgement number sent by the server 603, and if not, to send an acknowledgement message to the server 603 through the intermediate cleaning device 602, where the acknowledgement message includes second five-tuple information and second sequence number information;
the intermediate cleaning device 602 is further configured to verify the client 601 according to the second five-tuple information and the second sequence number information after receiving the acknowledgement message sent by the client 601 to the server 603, and to forward the acknowledgement message to the server 603 after the verification is passed, so that the client 601 and the server 603 complete establishment of the TCP connection.
Optionally, the client 601 is further configured to send an RST message to the server 603 through the intermediate cleaning device 602 if it determines that the current connection request has timed out, where the RST message includes third five-tuple information and third sequence number information;
the intermediate cleaning device 602 is further configured to verify the client 601 according to the third five-tuple information and the third sequence number information after receiving the RST message sent by the client 601 to the server 603, and to forward the RST message to the server 603 after the verification is passed;
the client 601 is further configured to send a TCP connection request to the server 603, establish the TCP connection with the server 603, and communicate.
Optionally, the client 601 is further configured to:
communicate directly with the server 603 after the intermediate cleaning device 602 has forwarded the acknowledgement message to the server 603.
Optionally, the intermediate cleaning device 602 is further configured to:
before receiving the SYN request message sent by the client 601, count the SYN messages sent to the server 603, and enter the protection state when it determines that the SYN messages reaching the same destination address exceed a threshold.
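The processing flow of fig. 5, steps (1) to (5), together with the SYN counting that puts the device into the protection state and the client, device and server roles of fig. 6, as an added example in Python that is not part of the patent and not code from any NSFOCUS product: an inline device that drops the first SYN of each flow, records the five-tuple and initial sequence number of the retransmitted SYN, and then verifies the client's ACK or RST against that record before letting it reach the server. The per-destination SYN threshold, the accepted retransmission window, the `Packet`, `PendingSyn` and `CleaningDevice` classes and the `DEMO_TRACE` segments are all assumptions constructed for the example; the one TCP fact relied on is that both the ACK completing a handshake and a RST sent in answer to a SYN-ACK carry a sequence number equal to the SYN's initial sequence number plus one, which is what "consistent sequence number information" has to mean in practice.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

FiveTuple = Tuple[str, int, str, int, str]  # (src_ip, src_port, dst_ip, dst_port, proto)


@dataclass(frozen=True)
class Packet:  # one client-to-server TCP segment as the device sees it (constructed, not captured)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str   # "SYN", "ACK", "RST", "PSH-ACK"
    seq: int     # TCP sequence number
    t: float     # arrival time in seconds on a simulation clock

    def five_tuple(self) -> FiveTuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, "tcp")


@dataclass
class PendingSyn:  # the "first five-tuple and first sequence number" recorded in step (2)
    isn: int                 # client's initial sequence number
    first_seen: float        # arrival time of the dropped first SYN
    forwarded: bool = False  # the retransmitted SYN has been passed to the server


class CleaningDevice:
    def __init__(self, syn_threshold: int = 100, window: float = 1.0,
                 rto_min: float = 0.9, rto_max: float = 8.0) -> None:
        # Assumed knobs: SYNs per destination per window before entering the protection
        # state, and the plausible SYN retransmission interval (Linux: ~1 s, 2 s, 4 s ...).
        self.syn_threshold, self.window = syn_threshold, window
        self.rto_min, self.rto_max = rto_min, rto_max
        self.syn_times: Dict[str, List[float]] = {}   # dst_ip -> recent SYN arrival times
        self.protected: Set[str] = set()              # destinations in protection state
        self.pending: Dict[FiveTuple, PendingSyn] = {}
        self.verified: Set[str] = set()               # client IPs that passed verification

    def handle(self, pkt: Packet) -> str:
        """Return 'forward' or 'drop' for one client-to-server segment."""
        # Spoofed first SYNs are never retransmitted: forget them once a retransmission
        # could no longer arrive, so the flood cannot exhaust the device's own table.
        for k in [k for k, v in self.pending.items()
                  if not v.forwarded and pkt.t - v.first_seen > self.rto_max]:
            del self.pending[k]
        if pkt.flags == "SYN":  # count SYNs per destination; enter protection state on threshold
            times = self.syn_times.setdefault(pkt.dst_ip, [])
            times.append(pkt.t)
            times[:] = [x for x in times if pkt.t - x <= self.window]
            if len(times) > self.syn_threshold:
                self.protected.add(pkt.dst_ip)
        if pkt.dst_ip not in self.protected or pkt.src_ip in self.verified:
            return "forward"   # no attack in progress, or the client already passed verification
        key = pkt.five_tuple()
        pend = self.pending.get(key)
        if pkt.flags == "SYN":
            if pend is None or pend.forwarded:
                # First SYN of a flow: drop it and remember ISN and time; a real stack retransmits
                self.pending[key] = PendingSyn(isn=pkt.seq, first_seen=pkt.t)
                return "drop"
            gap = pkt.t - pend.first_seen
            if pkt.seq == pend.isn and self.rto_min <= gap <= self.rto_max:
                pend.forwarded = True   # genuine retransmission: let it reach the server
                return "forward"
            self.pending[key] = PendingSyn(isn=pkt.seq, first_seen=pkt.t)
            return "drop"               # different ISN or implausible timing: start over
        if pkt.flags in ("ACK", "RST"):
            # Steps (4) and (5): the ACK finishing the handshake and a RST answering the
            # SYN-ACK both arrive on the recorded five-tuple with seq = ISN + 1 (RFC 793).
            if pend is not None and pend.forwarded and pkt.seq == (pend.isn + 1) & 0xFFFFFFFF:
                self.verified.add(pkt.src_ip)   # verified: later segments are passed untouched
                del self.pending[key]
                return "forward"
            return "drop"   # ACK/RST flood, or a source whose SYN was never seen
        return "forward"    # the scheme only gates handshake segments; other traffic passes


SERVER, PORT = "203.0.113.5", 443
DEMO_TRACE: List[Packet] = (  # constructed: five spoofed SYNs, then three real clients
    [Packet(f"198.51.100.{i}", 1111, SERVER, PORT, "SYN", i, 0.01 * i) for i in range(1, 6)]
    + [Packet("192.0.2.10", 40000, SERVER, PORT, "SYN", 1000, 1.00),  # first SYN: dropped
       Packet("192.0.2.10", 40000, SERVER, PORT, "SYN", 1000, 2.00),  # retransmit: forwarded
       Packet("192.0.2.10", 40000, SERVER, PORT, "ACK", 1001, 2.05),  # step (4): verified
       Packet("198.51.100.9", 2222, SERVER, PORT, "ACK", 5, 2.20),    # ACK flood: no SYN seen
       Packet("192.0.2.20", 50000, SERVER, PORT, "SYN", 7000, 3.00),
       Packet("192.0.2.20", 50000, SERVER, PORT, "SYN", 7000, 4.00),
       Packet("192.0.2.20", 50000, SERVER, PORT, "RST", 7001, 6.00),  # step (5): timed out
       Packet("192.0.2.20", 50001, SERVER, PORT, "SYN", 9000, 6.10),  # new request: passed
       Packet("192.0.2.30", 1234, SERVER, PORT, "SYN", 100, 7.00),
       Packet("192.0.2.30", 1234, SERVER, PORT, "SYN", 100, 7.05),    # too fast for an RTO
       Packet("192.0.2.30", 1234, SERVER, PORT, "SYN", 100, 8.05),
       Packet("192.0.2.30", 1234, SERVER, PORT, "ACK", 100, 8.10),    # seq != ISN + 1: dropped
       Packet("192.0.2.30", 1234, SERVER, PORT, "ACK", 101, 8.15)]
)


def run_demo() -> List[str]:
    device = CleaningDevice(syn_threshold=3, window=1.0)
    return [device.handle(p) for p in DEMO_TRACE]


if __name__ == "__main__":
    for pkt, verdict in zip(DEMO_TRACE, run_demo()):
        print(f"{pkt.t:5.2f}s {pkt.src_ip}:{pkt.src_port} {pkt.flags} seq={pkt.seq} -> {verdict}")
```

Running the file prints the verdict for each segment of the constructed trace: the three SYNs before the threshold pass untouched, the spoofed SYNs after it are dropped and never retransmitted, and each real client is passed after its retransmitted SYN and verified on its ACK (or RST), after which its new connection request goes straight through. Two points a practitioner would want that the patent text leaves open: the table of dropped first SYNs must expire, otherwise the flood the device is absorbing fills the device's own memory (here entries are forgotten once a retransmission could no longer arrive, while entries already forwarded and awaiting an ACK or RST would need a longer timer covering the client's connect timeout); and once a client is verified the example passes all later traffic from its source address, so the verified set needs ageing as well in a real deployment.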
Based on the same technical concept, an embodiment of the present invention further provides a computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being configured to cause a computer to execute the above method for protecting against DDOS attacks.
Based on the same technical concept, an embodiment of the present invention further provides a computing device, including:
a memory for storing program instructions;
and a processor for calling the program instructions stored in the memory and executing the above method for protecting against DDOS attacks according to the obtained program.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (8)

1. A method of protecting against distributed denial of service (DDOS) attacks, comprising:
a client sending a synchronization sequence number (SYN) request message to a server through an intermediate cleaning device at a retransmission interval, wherein the SYN request message comprises first five-tuple information and first sequence number information;
the intermediate cleaning device, after receiving the SYN request message sent by the client to the server, recording the first five-tuple information and the first sequence number information and forwarding the SYN request message to the server, so that the server sends a SYN acknowledgement message;
the client, after receiving a SYN acknowledgement message with a correct acknowledgement number sent by the server, determining whether the current connection request has timed out;
if not, the client sending an acknowledgement message to the server through the intermediate cleaning device, wherein the acknowledgement message comprises second five-tuple information and second sequence number information;
the intermediate cleaning device, after receiving the acknowledgement message sent by the client to the server, comparing the first five-tuple information and the first sequence number information of the client with the second five-tuple information and the second sequence number information, confirming that the client passes verification if the first five-tuple information and the first sequence number information are consistent with the second five-tuple information and the second sequence number information, and forwarding the acknowledgement message to the server after the verification is passed, so that the client and the server complete establishment of a Transmission Control Protocol (TCP) connection;
if so, the client sending a reset (RST) message to the server through the intermediate cleaning device, wherein the RST message comprises third five-tuple information and third sequence number information;
the intermediate cleaning device, after receiving the RST message sent by the client to the server, comparing the first five-tuple information and the first sequence number information of the client with the third five-tuple information and the third sequence number information, confirming that the client passes verification if the first five-tuple information and the first sequence number information are consistent with the third five-tuple information and the third sequence number information, and forwarding the RST message to the server after the verification is passed;
and the client sending a TCP connection request to the server, establishing the TCP connection with the server, and communicating.
2. The method of claim 1, wherein the client communicates directly with the server after the intermediate cleaning device forwards the acknowledgement message to the server.
3. The method of any of claims 1 to 2, wherein, before the intermediate cleaning device receives the SYN request message sent by the client, the method further comprises:
the intermediate cleaning device counting the SYN messages sent to the server, and entering a protection state when the SYN messages reaching the same destination address exceed a threshold.
4. A system for protecting against distributed denial of service (DDOS) attacks, comprising: a client, an intermediate cleaning device and a server;
the client being configured to send a synchronization sequence number (SYN) request message to the server through the intermediate cleaning device at a retransmission interval, wherein the SYN request message comprises first five-tuple information and first sequence number information;
the intermediate cleaning device being configured to record the first five-tuple information and the first sequence number information after receiving the SYN request message sent by the client to the server, and to forward the SYN request message to the server, so that the server sends a SYN acknowledgement message;
the client being further configured to determine whether the current connection request has timed out after receiving a SYN acknowledgement message with a correct acknowledgement number sent by the server, and if not, to send an acknowledgement message to the server through the intermediate cleaning device, wherein the acknowledgement message comprises second five-tuple information and second sequence number information;
the intermediate cleaning device being further configured, after receiving the acknowledgement message sent by the client to the server, to compare the first five-tuple information and the first sequence number information of the client with the second five-tuple information and the second sequence number information, to confirm that the client passes verification if the first five-tuple information and the first sequence number information are consistent with the second five-tuple information and the second sequence number information, and to forward the acknowledgement message to the server after the verification is passed, so that the client and the server complete establishment of a Transmission Control Protocol (TCP) connection;
the client being further configured, if the current connection request has timed out, to send a reset (RST) message to the server through the intermediate cleaning device, wherein the RST message comprises third five-tuple information and third sequence number information;
the intermediate cleaning device being further configured, after receiving the RST message sent by the client to the server, to compare the first five-tuple information and the first sequence number information of the client with the third five-tuple information and the third sequence number information, to confirm that the client passes verification if the first five-tuple information and the first sequence number information are consistent with the third five-tuple information and the third sequence number information, and to forward the RST message to the server after the verification is passed;
and the client being further configured to send a TCP connection request to the server, establish the TCP connection with the server, and communicate.
5. The system of claim 4, wherein the client is further configured to:
communicate directly with the server after the intermediate cleaning device forwards the acknowledgement message to the server.
6. The system of any of claims 4 to 5, wherein the intermediate cleaning device is further configured to:
before receiving the SYN request message sent by the client, count the SYN messages sent to the server, and enter a protection state when it determines that the SYN messages reaching the same destination address exceed a threshold.
7. A computer-readable storage medium having stored thereon computer-executable instructions for causing a computer to perform the method of any one of claims 1 to 3.
8. A computing device, comprising:
a memory for storing program instructions;
and a processor for calling the program instructions stored in said memory to execute the method of any one of claims 1 to 3 according to the obtained program.
CN201811640337.3A 2018-12-29 2018-12-29 Method and system for preventing DDOS attack Active CN109639712B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811640337.3A CN109639712B (en) 2018-12-29 2018-12-29 Method and system for preventing DDOS attack

Publications (2)

Publication Number Publication Date
CN109639712A (en) 2019-04-16
CN109639712B (en) 2021-09-10

Family

ID=66054647
Country Status: CN (1) CN109639712B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building
Applicant after: NSFOCUS Technologies Group Co.,Ltd.
Applicant after: NSFOCUS TECHNOLOGIES Inc.
Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building
Applicant before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.
Applicant before: NSFOCUS TECHNOLOGIES Inc.
GR01 Patent grant