CN110071939A - The improved method in industrial network is protected for traditional DDOS firewall SYN FLOOD - Google Patents


Info

Publication number
CN110071939A
Authority
CN (China)
Prior art keywords
syn, threshold value, processor, firewall, improved method
Legal status
Granted (status as listed by Google Patents; an assumption, not a legal conclusion)
Application number
CN201910369103.8A
Other languages
Chinese (zh)
Other versions
CN110071939B (en)
Inventors
董超, 陈夏裕, 孙杨, 蔡艳林, 杨明勋
Current assignee
Jiangsu Hengtong Industrial Control Safety Research Institute Co Ltd (assignee list as given by Google Patents, not verified)
Original assignee
Jiangsu Hengtong Industrial Control Safety Research Institute Co Ltd
Priority date / filing date
2019-05-05 (application CN201910369103.8A filed by Jiangsu Hengtong Industrial Control Safety Research Institute Co Ltd)
Publication date
2019-07-30 (CN110071939A); granted and published as CN110071939B on 2021-06-29
Current legal status
Active

Links

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/02 Separating internal from external traffic, e.g. firewalls > H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones > H04L63/0218 Distributed architectures, e.g. distributed firewalls
        • H04L63/02 Separating internal from external traffic, e.g. firewalls > H04L63/0227 Filtering policies > H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
        • H04L63/14 Detecting or protecting against malicious traffic > H04L63/1408 By monitoring network traffic > H04L63/1425 Traffic logging, e.g. anomaly detection
        • H04L63/14 Detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic > H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses an improved method for SYN FLOOD protection by a traditional DDOS firewall in an industrial network. The method comprises: step 1: capturing data packets on the Ethernet; step 2: parsing TCP SYN messages and counting them per destination IP address; step 3: comparing the count with a preset threshold value; if the count is below the threshold, proceed to step 4; if it exceeds the threshold, proceed to step 8. Beneficial effects of the invention: the method actively releases the half-open sessions created by the SYN Flood traffic that arrived while the count was still below the threshold, which shortens the time the attack target's memory stays occupied, so that the attacked target returns to its normal operating state faster and the industrial equipment is better protected.

Description

Improved method for SYN FLOOD protection by a traditional DDOS firewall in an industrial network
Technical field
The invention relates to the field of firewalls, and in particular to an improved method for SYN FLOOD protection by a traditional DDOS firewall in an industrial network.
Background technique
A SYN Flood attack (network synchronization flood attack) is a network attack that exploits a weakness in the TCP protocol. TCP requires that a connection be established through a three-way handshake in which both parties exchange and confirm information; only then do the parties exchange data. In other words, all subsequent data exchange rests on the trust relationship created by the three-way handshake. The exchange proceeds as follows. When host B receives a packet with the SYN flag set from host A, it must reply to host A with a SYN/ACK packet carrying both the SYN and ACK flags, and host B then enters a state in which it waits for the ACK packet (ACK flag set) from host A. This document calls that state SYN_WAIT (its name in RFC 793 is SYN-RECEIVED). The state persists for some time; if host B does not receive the ACK packet from host A within that period, host B treats the connection as abandoned by host A. In general, the operating system allocates a certain amount of memory for the connection while it is in the SYN_WAIT state.
Traditional DDOS firewalls detect SYN Flood attacks by a threshold: once the preset threshold is exceeded, the firewall activates its SYN Flood prevention policy and cleans the attack traffic.
The traditional technique has the following problem:
In an industrial network the target of a SYN Flood attack often has little memory and insufficient CPU processing speed, yet the traditional firewall does nothing about the attack traffic that arrives before the threshold is exceeded. That traffic reaches the attack target, consumes the target's memory for a period of time, and can cause a denial of service for that period.
Summary of the invention
The technical problem solved by the invention is to provide an improved method for SYN FLOOD protection by a traditional DDOS firewall in an industrial network.
To solve the above technical problem, the invention provides an improved method for SYN FLOOD protection by a traditional DDOS firewall in an industrial network, comprising:
Step 1: capture data packets on the Ethernet;
Step 2: parse TCP SYN messages and count them per destination IP address;
Step 3: compare the count with the preset threshold value; if the count is below the threshold, go to step 4; if it exceeds the threshold, go to step 8;
Step 4: keep session statistics per destination IP address;
Step 5: when a session's state changes to successfully established, delete it from the statistics table;
Step 6: apply a timed aging mechanism to sessions that remain in the SYN_WAIT state, so that the statistics table cannot grow without bound;
Step 7: message processing ends; go to step 1;
Step 8: according to the session statistics table built in steps 4, 5 and 6, send FIN messages to the destination IP to release the memory occupied by its SYN_WAIT-state sessions;
Step 9: execute the SYN Flood cleaning process;
Step 10: cleaning ends; go to step 1.
A computer device comprising a memory, a processor, and a computer program stored on the memory and runnable on the processor, wherein the processor, when executing the program, implements the steps of any of the above methods.
A computer-readable storage medium on which a computer program is stored, wherein the program, when executed by a processor, implements the steps of any of the above methods.
A processor for running a program, wherein the program, when run, executes any of the above methods.
Beneficial effects of the invention:
The method actively releases the half-open sessions created by the SYN Flood traffic that arrived while the count was still below the threshold, which shortens the time the attack target's memory stays occupied, so that the attacked target returns to its normal operating state faster and the industrial equipment is better protected.
Detailed description of the invention
Fig. 1 is a flowchart of the improved method of the invention for SYN FLOOD protection by a traditional DDOS firewall in an industrial network.
Specific embodiment
The invention is further explained below with reference to the drawings and specific examples so that those skilled in the art can better understand and practice it; the illustrated embodiment does not limit the invention.
Fig. 1 is the flowchart of the invention, which includes the following steps:
Step 1: capture data packets on the Ethernet.
Step 2: parse TCP SYN messages and count them per destination IP address.
Step 3: compare the count with the preset threshold value; if the count is below the threshold, go to step 4; if it exceeds the threshold, go to step 8.
Step 4: keep session statistics per destination IP address.
Step 5: when a session's state changes to successfully established, delete it from the statistics table.
Step 6: apply a timed aging mechanism to sessions that remain in the SYN_WAIT state, so that the statistics table cannot grow without bound.
Step 7: message processing ends; go to step 1.
Step 8: according to the session statistics table built in steps 4, 5 and 6, send FIN messages to the destination IP to release the memory occupied by its SYN_WAIT-state sessions.
Step 9: execute the SYN Flood cleaning process.
Step 10: cleaning ends; go to step 1.
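The ten steps above, together with the handshake bookkeeping the Background section describes, can be exercised end to end in a small simulation. The following is an added example written for this page, not code from the patent or its assignee. It models the firewall's per-destination SYN counter, the half-open session table with aging, and the active-release step, on a constructed packet trace held in memory rather than on captured Ethernet frames. The threshold, counting window, timeout, addresses, ports and sequence numbers are all assumptions; the patent only speaks of a "preset threshold" and "timed aging". One point the patent leaves implicit is made explicit: a forged FIN is only honoured by the target's TCP stack if its sequence and acknowledgement numbers are acceptable, so the simulation records the server's ISN from the SYN/ACK when it has seen one and otherwise leaves the ack field empty.

```python
# Added example for this page, not code from the patent or its assignee.
# Packets are constructed in memory instead of captured from Ethernet (step 1),
# and the FIN of step 8 is recorded instead of transmitted. Threshold, window,
# timeout, addresses and sequence numbers are assumptions, not patent values.
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})


@dataclass(frozen=True)
class Packet:
    ts: float          # capture time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int = 0
    ack: int = 0


@dataclass
class HalfOpen:
    opened: float                     # when the client SYN was seen (SYN_WAIT begins)
    client_isn: int
    server_isn: Optional[int] = None  # learned from the SYN/ACK if the firewall sees it


class SynFloodGuard:
    """Per-destination SYN counting with active release of half-open sessions."""

    def __init__(self, threshold: int, window: float, syn_wait_timeout: float):
        self.threshold = threshold                # preset value compared in step 3
        self.window = window                      # counting window for step 2 (assumed)
        self.syn_wait_timeout = syn_wait_timeout  # aging timer of step 6 (assumed)
        self.syn_times = defaultdict(deque)       # dst -> timestamps of recent SYNs
        self.sessions = {}                        # (dst, src, sport, dport) -> HalfOpen
        self.sent_fins = []                       # FIN segments produced by step 8

    def _age_sessions(self, now):
        """Step 6: forget sessions that stayed in SYN_WAIT longer than the timeout."""
        for key in [k for k, s in self.sessions.items()
                    if now - s.opened > self.syn_wait_timeout]:
            del self.sessions[key]

    def _syn_count(self, dst, now):
        """Step 2: number of SYNs toward dst inside the sliding window."""
        q = self.syn_times[dst]
        q.append(now)
        while now - q[0] > self.window:
            q.popleft()
        return len(q)

    def _release(self, dst):
        """Step 8: emit a FIN for every half-open session toward dst and drop it."""
        for key in [k for k in self.sessions if k[0] == dst]:
            s = self.sessions.pop(key)
            _, src, sport, dport = key
            self.sent_fins.append({
                "src": src, "dst": dst, "sport": sport, "dport": dport,
                "flags": frozenset({"FIN", "ACK"}), "seq": s.client_isn + 1,
                # The target only honours the FIN if it acks the server's ISN; without
                # having seen the SYN/ACK the firewall cannot fill this field in.
                "ack": s.server_isn + 1 if s.server_isn is not None else None,
            })

    def handle(self, pkt):
        """Step 1 entry point for one packet; returns the verdict 'PASS' or 'DROP'."""
        self._age_sessions(pkt.ts)
        key = (pkt.dst, pkt.src, pkt.sport, pkt.dport)
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            count = self._syn_count(pkt.dst, pkt.ts)
            # Step 3. The patent leaves the exact-threshold case open; this example
            # treats count >= threshold as exceeding it.
            if count < self.threshold:
                # Step 4: the session enters the table as half-open (SYN_WAIT)
                self.sessions[key] = HalfOpen(opened=pkt.ts, client_isn=pkt.seq)
                return "PASS"
            self._release(pkt.dst)   # step 8
            return "DROP"            # step 9: cleaning, modelled as dropping the SYN
        if "SYN" in pkt.flags:       # server's SYN/ACK: remember its ISN for a later FIN
            rkey = (pkt.src, pkt.dst, pkt.dport, pkt.sport)
            if rkey in self.sessions:
                self.sessions[rkey].server_isn = pkt.seq
        elif "ACK" in pkt.flags and key in self.sessions:
            del self.sessions[key]   # step 5: handshake completed, leave the table
        return "PASS"                # step 7: forwarded, back to step 1


def demo():
    # Constructed trace: one clean handshake, a burst of spoofed SYNs, two stragglers.
    guard = SynFloodGuard(threshold=4, window=1.0, syn_wait_timeout=5.0)
    plc = "192.168.10.20"   # assumed address of a Modbus/TCP device (port 502)
    trace = [
        Packet(0.0, "10.0.0.5", plc, 40001, 502, SYN, seq=1000),
        Packet(0.1, plc, "10.0.0.5", 502, 40001, SYNACK, seq=5000, ack=1001),
        Packet(0.2, "10.0.0.5", plc, 40001, 502, ACK, seq=1001, ack=5001),
        Packet(2.0, "203.0.113.11", plc, 1111, 502, SYN, seq=1),
        Packet(2.05, plc, "203.0.113.11", 502, 1111, SYNACK, seq=7000, ack=2),
        Packet(2.2, "203.0.113.12", plc, 1112, 502, SYN, seq=1),
        Packet(2.3, "203.0.113.13", plc, 1113, 502, SYN, seq=1),
        Packet(2.4, "203.0.113.14", plc, 1114, 502, SYN, seq=1),    # 4th SYN within 1 s
        Packet(10.0, "10.0.0.6", plc, 40002, 502, SYN, seq=3000),
        Packet(20.0, "10.0.0.7", plc, 40003, 502, SYN, seq=4000),   # ages out 10.0.0.6
    ]
    return guard, [guard.handle(p) for p in trace]
```

Calling `demo()` returns the guard and the per-packet verdicts: the clean handshake leaves the table at its third packet, the three spoofed SYNs are admitted as half-open sessions, the fourth SYN inside the window crosses the threshold and triggers one FIN per half-open session before the SYN itself is dropped, and the session opened at t=10 is aged out by the packet at t=20. Two caveats for a real deployment: RFC 793 only processes a FIN in SYN-RECEIVED as part of a segment whose ACK is acceptable, so the firewall must be placed where it sees both directions of the handshake, and an RST with an in-window sequence number is the more common way to tear a half-open entry down. The case where the count equals the threshold is not defined by the patent; the example treats it as exceeding.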
The embodiment described above is given only to fully demonstrate a preferred embodiment of the invention; the scope of protection of the invention is not limited to it. Equivalent substitutions or transformations made by those skilled in the art on the basis of the invention fall within its scope of protection, which is defined by the claims.

Claims (4)

1. An improved method for SYN FLOOD protection by a traditional DDOS firewall in an industrial network, characterized in that it comprises:
Step 1: capture data packets on the Ethernet;
Step 2: parse TCP SYN messages and count them per destination IP address;
Step 3: compare the count with the preset threshold value; if the count is below the threshold, go to step 4; if it exceeds the threshold, go to step 8;
Step 4: keep session statistics per destination IP address;
Step 5: when a session's state changes to successfully established, delete it from the statistics table;
Step 6: apply a timed aging mechanism to sessions that remain in the SYN_WAIT state, so that the statistics table cannot grow without bound;
Step 7: message processing ends; go to step 1;
Step 8: according to the session statistics table built in steps 4, 5 and 6, send FIN messages to the destination IP to release the memory occupied by its SYN_WAIT-state sessions;
Step 9: execute the SYN Flood cleaning process;
Step 10: cleaning ends; go to step 1.
2. A computer device comprising a memory, a processor, and a computer program stored on the memory and runnable on the processor, characterized in that the processor, when executing the program, implements the steps of the method of claim 1.
3. A computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the steps of the method of claim 1.
4. A processor, characterized in that the processor is for running a program, wherein the program, when run, executes the method of claim 1.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910369103.8A CN110071939B (en) 2019-05-05 2019-05-05 Improvement method for SYN FLOOD protection of traditional DDOS firewall in industrial network

Publications (2)

Publication Number Publication Date
CN110071939A true CN110071939A (en) 2019-07-30
CN110071939B CN110071939B (en) 2021-06-29

Family

ID=67370164

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910369103.8A Active CN110071939B (en) 2019-05-05 2019-05-05 Improvement method for SYN FLOOD protection of traditional DDOS firewall in industrial network

Country Status (1)

Country Link
CN (1) CN110071939B (en)

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1697397A (en) * 2004-05-13 2005-11-16 华为技术有限公司 Method for guarding against attack realized for networked devices
CN1972286A (en) * 2006-12-05 2007-05-30 苏州国华科技有限公司 A defense method aiming at DDoS attack
CN101296223A (en) * 2007-04-25 2008-10-29 北京天融信网络安全技术有限公司 Method for implementing fire wall chip participation in SYN proxy
CN101163041A (en) * 2007-08-17 2008-04-16 中兴通讯股份有限公司 Method of preventing syn flood and router equipment
CN104601578A (en) * 2015-01-19 2015-05-06 福建星网锐捷网络有限公司 Recognition method and device for attack message and core device
WO2016197498A1 (en) * 2015-06-10 2016-12-15 中兴通讯股份有限公司 Method and device for preventing network attack, and storage medium
CN107547507A (en) * 2017-06-27 2018-01-05 新华三技术有限公司 Attack prevention method, device, router device and machine-readable storage medium
CN109327426A (en) * 2018-01-11 2019-02-12 白令海 Firewall attack defense method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
文旭: "网络行为管理系统中IPv6会话管理" (IPv6 session management in a network behavior management system), 《电子测量技术》 (Electronic Measurement Technology) *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110535861A (en) * 2019-08-30 2019-12-03 杭州迪普信息技术有限公司 Method and device for counting SYN packet number in SYN attack behavior identification
CN110535861B (en) * 2019-08-30 2022-01-25 杭州迪普信息技术有限公司 Method and device for counting SYN packet number in SYN attack behavior identification
US11677769B2 (en) 2019-08-30 2023-06-13 Hangzhou Dptech Technologies Co., Ltd. Counting SYN packets
CN112583850A (en) * 2020-12-27 2021-03-30 杭州迪普科技股份有限公司 Network attack protection method, device and system
CN112583850B (en) * 2020-12-27 2023-02-24 杭州迪普科技股份有限公司 Network attack protection method, device and system
CN117201202A (en) * 2023-11-07 2023-12-08 北京金睛云华科技有限公司 Reflection amplification Flood attack flow storage method
CN117201202B (en) * 2023-11-07 2024-01-02 北京金睛云华科技有限公司 Reflection amplification Flood attack flow storage method

Also Published As

Publication number Publication date
CN110071939B (en) 2021-06-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant