CN110071939A - Improved method for SYN FLOOD protection by a traditional DDOS firewall in an industrial network - Google Patents
Improved method for SYN FLOOD protection by a traditional DDOS firewall in an industrial network
- Publication number: CN110071939A (application CN201910369103.8A; granted as CN110071939B)
- Authority: CN (China)
- Prior art keywords: syn, threshold value, processor, firewall, improved method
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0218 Distributed architectures, e.g. distributed firewalls (under H04L63/02 Network architectures or network communication protocols for separating internal from external traffic, e.g. firewalls; H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones)
- H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP address or URL (under H04L63/0227 Filtering policies)
- H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/14 Detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
- H04L63/1458 Denial of Service (under H04L63/1441 Countermeasures against malicious traffic)
All four fall under H04L63/00 Network architectures or network communication protocols for network security (H04L: transmission of digital information, e.g. telegraphic communication; H04: electric communication technique; H: electricity).
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses an improved method for SYN FLOOD protection by a traditional DDOS firewall in an industrial network. The method comprises: step 1, capture packets on the Ethernet; step 2, parse TCP SYN segments and count them per destination IP address; step 3, compare the count with a preset threshold: if the count is below the threshold, go to step 4; if it exceeds the threshold, go to step 8. Beneficial effect: the method actively releases the half-open connections created by the SYN FLOOD traffic that arrived while the count was still below the threshold. This shortens the time that memory on the attack target stays occupied and returns the target to its normal, un-attacked operating state sooner, which provides security protection for the industrial equipment.
Description
Technical field
The present invention relates to the field of firewalls, and in particular to an improved method for SYN FLOOD protection by a traditional DDOS firewall in an industrial network.
Background technique
A SYN flood attack is a network attack that exploits a weakness in the design of the TCP protocol. TCP requires the two parties to complete a three-way handshake, and only once that exchange has been confirmed error-free do they exchange data; in other words, all subsequent data exchange rests on the trust relationship established by the handshake. The concrete exchange is as follows. When host B receives a segment with the SYN flag set from host A, it must reply to A with a SYN/ACK segment (SYN and ACK flags set) and then enter a state in which it waits for the ACK segment from host A. The patent calls this waiting state SYN_WAIT (in RFC 793 terms it is SYN-RECEIVED, a half-open connection). The state persists for some time; if B receives no ACK segment from A within that time, B treats the connection as abandoned by A. In general, the operating system allocates a certain amount of memory to each connection that is in this state.
Traditional DDOS firewalls detect SYN flood attacks by a threshold: only once the SYN rate exceeds the preset threshold does the firewall start its SYN flood prevention policy and clean the attack traffic.
The traditional technique has the following problem:
In an industrial network the target of a SYN flood often has little memory and limited CPU processing capacity. A traditional firewall does nothing about the attack traffic that arrives before the threshold is exceeded, so that traffic reaches the target, consumes its memory for a period of time, and can cause a denial of service for that period.
Summary of the invention
The technical problem to be solved by the present invention is to provide an improved method for SYN FLOOD protection by a traditional DDOS firewall in an industrial network.
To solve the above technical problem, the present invention provides an improved method for SYN FLOOD protection by a traditional DDOS firewall in an industrial network, comprising:
Step 1: capture packets on the Ethernet;
Step 2: parse TCP SYN segments and count them per destination IP address;
Step 3: compare the count of SYN segments with the preset threshold; if the count is below the threshold, go to step 4; if it exceeds the threshold, go to step 8;
Step 4: record session statistics per destination IP address;
Step 5: when a session's state changes to successfully established, delete it from the statistics table;
Step 6: apply a timed aging mechanism to sessions that remain in the SYN_WAIT state, so that the statistics table cannot grow without bound;
Step 7: packet processing ends; return to step 1;
Step 8: using the session statistics table built up in steps 4, 5 and 6, send FIN segments to the destination IP to release the memory occupied by its sessions in the SYN_WAIT state;
Step 9: run the SYN Flood cleaning process;
Step 10: cleaning ends; return to step 1.
A computer device comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, wherein the processor, when executing the program, carries out the steps of any of the methods above.
A computer-readable storage medium on which a computer program is stored, the program, when executed by a processor, carrying out the steps of any of the methods above.
A processor for running a program, wherein the program, when run, performs any of the methods above.
Beneficial effects of the present invention:
The method actively releases the half-open connections created by the SYN FLood attack traffic that arrived while the count was still below the threshold. This shortens the time that memory on the attack target stays occupied and returns the target to its normal, un-attacked operating state sooner, which provides security protection for the industrial equipment.
Detailed description of the invention
Fig. 1 is the flow chart of the improved method of the present invention for SYN FLOOD protection by a traditional DDOS firewall in an industrial network.
Specific embodiment
The present invention is further explained below with reference to the attached drawing and a specific example, so that those skilled in the art can better understand and practise it; the illustrated embodiment does not limit the invention.
Fig. 1 is the flow chart of the invention, which comprises the following steps:
Step 1: capture packets on the Ethernet.
Step 2: parse TCP SYN segments and count them per destination IP address.
Step 3: compare the count of SYN segments with the preset threshold; if the count is below the threshold, go to step 4; if it exceeds the threshold, go to step 8.
Step 4: record session statistics per destination IP address.
Step 5: when a session's state changes to successfully established, delete it from the statistics table.
Step 6: apply a timed aging mechanism to sessions that remain in the SYN_WAIT state, so that the statistics table cannot grow without bound.
Step 7: packet processing ends; return to step 1.
Step 8: using the session statistics table built up in steps 4, 5 and 6, send FIN segments to the destination IP to release the memory occupied by its sessions in the SYN_WAIT state.
Step 9: run the SYN Flood cleaning process.
Step 10: cleaning ends; return to step 1.
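The ten steps above, as an added Python simulation; it is not the patent's code and not the applicant's implementation, and it fills in details the claims leave open: SYN counting is done over a sliding time window, reaching the threshold counts as exceeding it, and the step 8 teardown segment is forged as if sent by the client, carrying seq = client ISN + 1 and ack = server ISN + 1 learned from the captured SYN and SYN/ACK (a half-open connection only accepts a segment whose numbers match). One caveat a practitioner should weigh: the claim specifies a FIN, but a FIN arriving in the half-open (SYN-RECEIVED) state completes the handshake and moves the connection to CLOSE-WAIT, where the control block stays allocated until the application closes the socket; a RST aborts the connection and frees it at once, which is why firewalls conventionally send RST. The teardown flag is therefore a parameter here, with FIN as the patent's default. The names SynGuard, HalfOpen and the sample capture (a Modbus/TCP device on port 502 and attackers in the 198.51.100.0/24 documentation range) are this example's own constructions.

```python
# Added example: simulation of the ten-step procedure (not the patent's code).
from collections import defaultdict, deque
from dataclasses import dataclass, field

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP flag bits

@dataclass(frozen=True)
class Pkt:
    t: float            # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int = 0
    ack: int = 0

@dataclass
class HalfOpen:
    t_syn: float            # when the SYN was seen, for step 6 aging
    client_isn: int
    server_isn: int = -1    # learned from the SYN/ACK if captured; -1 = unknown

@dataclass
class SynGuard:
    threshold: int          # step 3 preset value: SYNs per destination per window
    window: float = 10.0    # assumed sliding counting window, seconds
    age_out: float = 5.0    # step 6: forget SYN_WAIT entries older than this
    teardown: int = FIN     # step 8 flag: FIN as claimed; RST is the usual choice
    syn_times: dict = field(default_factory=lambda: defaultdict(deque))
    half_open: dict = field(default_factory=dict)  # 4-tuple -> HalfOpen
    actions: list = field(default_factory=list)    # teardown segments emitted
    cleaning: set = field(default_factory=set)     # destinations handed to step 9

    def _age(self, now):
        # Step 6: expire half-open entries and old SYN timestamps so neither
        # table grows without bound.
        for key in [k for k, h in self.half_open.items() if now - h.t_syn > self.age_out]:
            del self.half_open[key]
        for dq in self.syn_times.values():
            while dq and now - dq[0] > self.window:
                dq.popleft()

    def _release(self, dst):
        # Step 8: one spoofed teardown segment per tracked half-open session to
        # dst, sent as the client: seq = client ISN + 1, ack = server ISN + 1.
        for key in [k for k in self.half_open if k[2] == dst]:
            h = self.half_open.pop(key)
            src, sport, _, dport = key
            ack = h.server_isn + 1 if h.server_isn >= 0 else 0
            self.actions.append(Pkt(0.0, src, sport, dst, dport,
                                    self.teardown | ACK, h.client_isn + 1, ack))

    def process(self, p):
        """Handle one captured segment (step 1) and report the branch taken."""
        self._age(p.t)
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags & SYN and not p.flags & ACK:
            dq = self.syn_times[p.dst]          # step 2: count per destination IP
            dq.append(p.t)
            if len(dq) >= self.threshold:       # step 3: threshold reached -> step 8
                self._release(p.dst)
                self.cleaning.add(p.dst)        # step 9: cleaning process takes over
                return "clean"
            self.half_open[key] = HalfOpen(p.t, p.seq)   # step 4: track the session
            return "track"
        if p.flags & SYN:                       # SYN/ACK from server back to client
            rev = (p.dst, p.dport, p.src, p.sport)
            if rev in self.half_open:
                self.half_open[rev].server_isn = p.seq
            return "synack"
        if p.flags & ACK:
            # Step 5: third handshake segment; session established, drop from table.
            return "established" if self.half_open.pop(key, None) else "ignore"
        return "ignore"

def run(packets, **kw):
    """Feed a capture through a fresh SynGuard; return it and the per-packet verdicts."""
    g = SynGuard(**kw)
    return g, [g.process(p) for p in sorted(packets, key=lambda p: p.t)]

# Constructed sample capture: one legitimate handshake to a Modbus/TCP device on
# 10.0.0.100:502, then unanswered SYNs from 198.51.100.0/24 (a documentation range).
SAMPLE = [
    Pkt(0.00, "10.0.0.1", 40000, "10.0.0.100", 502, SYN, seq=1000),
    Pkt(0.01, "10.0.0.100", 502, "10.0.0.1", 40000, SYN | ACK, seq=5000, ack=1001),
    Pkt(0.02, "10.0.0.1", 40000, "10.0.0.100", 502, ACK, seq=1001, ack=5001),
    Pkt(1.00, "198.51.100.1", 1111, "10.0.0.100", 502, SYN, seq=10),
    Pkt(1.05, "10.0.0.100", 502, "198.51.100.1", 1111, SYN | ACK, seq=7000, ack=11),
    Pkt(1.10, "198.51.100.2", 2222, "10.0.0.100", 502, SYN, seq=20),
    Pkt(1.15, "10.0.0.100", 502, "198.51.100.2", 2222, SYN | ACK, seq=8000, ack=21),
    Pkt(1.20, "198.51.100.3", 3333, "10.0.0.100", 502, SYN, seq=30),
]

if __name__ == "__main__":
    guard, verdicts = run(SAMPLE, threshold=4)
    print(verdicts, [(a.src, a.seq, a.ack) for a in guard.actions], guard.cleaning)
```

With a threshold of 4, the legitimate handshake is tracked and then removed from the table by its ACK (step 5), the first two attacking SYNs are tracked as half-open, and the fourth SYN in the window crosses the threshold: the guard emits forged teardown segments for the half-open sessions from 198.51.100.1 and 198.51.100.2 (step 8), hands 10.0.0.100 to the cleaning stage (step 9) and does not track the triggering SYN. A second run with a lone SYN followed by another ten seconds later shows the step 6 aging removing the stale entry.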
The embodiment described above is only a preferred embodiment given to fully illustrate the invention, and the scope of protection of the invention is not limited to it. Equivalent substitutions or transformations made by those skilled in the art on the basis of the invention fall within its scope of protection. The scope of protection of the invention is defined by the claims.
Claims (4)
1. An improved method for SYN FLOOD protection by a traditional DDOS firewall in an industrial network, characterized in that it comprises:
Step 1: capturing packets on the Ethernet;
Step 2: parsing TCP SYN segments and counting them per destination IP address;
Step 3: comparing the count of SYN segments with the preset threshold; if the count is below the threshold, going to step 4; if it exceeds the threshold, going to step 8;
Step 4: recording session statistics per destination IP address;
Step 5: when a session's state changes to successfully established, deleting it from the statistics table;
Step 6: applying a timed aging mechanism to sessions that remain in the SYN_WAIT state, so that the statistics table cannot grow without bound;
Step 7: packet processing ends; returning to step 1;
Step 8: using the session statistics table built up in steps 4, 5 and 6, sending FIN segments to the destination IP to release the memory occupied by its sessions in the SYN_WAIT state;
Step 9: running the SYN Flood cleaning process;
Step 10: cleaning ends; returning to step 1.
2. A computer device comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, characterized in that the processor, when executing the program, carries out the steps of the method of claim 1.
3. A computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, carries out the steps of the method of claim 1.
4. A processor, characterized in that the processor is for running a program, wherein the program, when run, performs the method of claim 1.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910369103.8A CN110071939B (en) | 2019-05-05 | 2019-05-05 | Improvement method for SYN FLOOD protection of traditional DDOS firewall in industrial network |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910369103.8A CN110071939B (en) | 2019-05-05 | 2019-05-05 | Improvement method for SYN FLOOD protection of traditional DDOS firewall in industrial network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110071939A true CN110071939A (en) | 2019-07-30 |
CN110071939B CN110071939B (en) | 2021-06-29 |
Family
ID=67370164
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910369103.8A Active CN110071939B (en) | 2019-05-05 | 2019-05-05 | Improvement method for SYN FLOOD protection of traditional DDOS firewall in industrial network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110071939B (en) |
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1697397A (en) * | 2004-05-13 | 2005-11-16 | 华为技术有限公司 | Method for protecting networked devices against attacks |
CN1972286A (en) * | 2006-12-05 | 2007-05-30 | 苏州国华科技有限公司 | A defense method against DDoS attacks |
CN101296223A (en) * | 2007-04-25 | 2008-10-29 | 北京天融信网络安全技术有限公司 | Method for implementing firewall chip participation in SYN proxy |
CN101163041A (en) * | 2007-08-17 | 2008-04-16 | 中兴通讯股份有限公司 | Method of preventing SYN flood, and router equipment |
CN104601578A (en) * | 2015-01-19 | 2015-05-06 | 福建星网锐捷网络有限公司 | Recognition method and device for attack messages, and core device |
WO2016197498A1 (en) * | 2015-06-10 | 2016-12-15 | 中兴通讯股份有限公司 | Method and device for preventing network attack, and storage medium |
CN107547507A (en) * | 2017-06-27 | 2018-01-05 | 新华三技术有限公司 | Attack defense method, device, router and machine-readable storage medium |
CN109327426A (en) * | 2018-01-11 | 2019-02-12 | 白令海 | Firewall attack defense method |
Non-Patent Citations (1)
Title |
---|
文旭 (Wen Xu): "IPv6 session management in a network behaviour management system", 《电子测量技术》 (Electronic Measurement Technology) * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110535861A (en) * | 2019-08-30 | 2019-12-03 | 杭州迪普信息技术有限公司 | Method and device for counting the number of SYN packets when identifying SYN attack behaviour |
CN110535861B (en) * | 2019-08-30 | 2022-01-25 | 杭州迪普信息技术有限公司 | Method and device for counting SYN packet number in SYN attack behavior identification |
US11677769B2 (en) | 2019-08-30 | 2023-06-13 | Hangzhou Dptech Technologies Co., Ltd. | Counting SYN packets |
CN112583850A (en) * | 2020-12-27 | 2021-03-30 | 杭州迪普科技股份有限公司 | Network attack protection method, device and system |
CN112583850B (en) * | 2020-12-27 | 2023-02-24 | 杭州迪普科技股份有限公司 | Network attack protection method, device and system |
CN117201202A (en) * | 2023-11-07 | 2023-12-08 | 北京金睛云华科技有限公司 | Reflection amplification Flood attack flow storage method |
CN117201202B (en) * | 2023-11-07 | 2024-01-02 | 北京金睛云华科技有限公司 | Reflection amplification Flood attack flow storage method |
Also Published As
Publication number | Publication date |
---|---|
CN110071939B (en) | 2021-06-29 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |