CN110099027B - Service message transmission method and device, storage medium and electronic device - Google Patents


Info

Publication number: CN110099027B
Authority: CN (China)
Prior art keywords: fields, service, group, message, watermark
Legal status: Active
Application number: CN201810085054.0A
Other languages: Chinese (zh)
Other versions: CN110099027A
Inventors: 陈国�, 罗喜军, 张浩浩
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd; priority to CN201810085054.0A; published as CN110099027A; application granted and published as CN110099027B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Abstract

The invention discloses a method and device for transmitting a service message, a storage medium and an electronic device. The method comprises the following steps: acquiring a first service message sent by a first object to a second object, wherein the first service message comprises a watermark feature code and a message load; matching a second group of fields in the watermark feature code through a first group of fields in the watermark feature code to obtain a matching result; and forwarding the first service message to the second object when the matching result indicates that the second group of fields is successfully matched. The invention solves the technical problem of low security of network services in the related art.

Description

Service message transmission method and device, storage medium and electronic device
Technical Field
The present invention relates to the field of internet, and in particular, to a method and an apparatus for transmitting a service packet, a storage medium, and an electronic apparatus.
Background
DDoS is the abbreviation of Distributed Denial of Service and refers to a type of network attack in which, by technical means with distributed characteristics (such as exploiting protocol vulnerabilities or sending dense streams of data packets), a target host is made to deny service to normal users or its communication with the outside is disrupted. There are many types of DDoS attack. Classified by the level attacked, they fall mainly into two categories, "network-layer (also called traffic-type) attacks" and "application-layer attacks"; classified by protocol, they fall mainly into TCP DDoS attacks, UDP DDoS attacks, ICMP DDoS attacks and the like.
Attackers can use DDoS attack tools to control many machines and attack a service-providing server at the same time, in order to "prevent normal users from using the service". DDoS attacks are one of the common high-impact security threats and have always been a major concern of enterprise security departments. According to statistics from authoritative bodies, in recent years the frequency of DDoS attacks has grown by 17% year on year. In actual DDoS attacks the attack traffic very often reaches 10Gbps, which is equivalent to the bandwidth of 100 optical fiber links of 100M each; according to statistics on the security of the telecommunication network in China, in recent years attacks with traffic exceeding 10Gbps have occurred more than 45000 times per month, and attacks with traffic exceeding 40Gbps more than 1628 times per month. At present the main motives for DDoS attacks include pranks, malicious competition, extortion and other causes. DDoS attacks are the most common way of affecting the normal operation of an enterprise network; the biggest damage an attack causes is loss of business because the service provided by the server becomes unavailable, and this impact does not disappear for a long period after the attack ends, which is disastrous for enterprises and organizations.
In view of the technical problem of low security of network services in the related art, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the invention provides a transmission method and device of a service message, a storage medium and an electronic device, which are used for at least solving the technical problem of low security of network service in the related technology.
According to an aspect of the embodiments of the present invention, a method for transmitting a service packet is provided, including: acquiring a first service message sent by a first object to a second object, wherein the first service message comprises a watermark feature code and a message load; matching a second group of fields in the watermark feature code through a first group of fields in the watermark feature code to obtain a matching result; and forwarding the first service message to the second object under the condition that the matching result indicates that the second group of fields are successfully matched.
According to an aspect of the embodiments of the present invention, a method for transmitting a service packet is provided, including: filling the watermark feature code and the message load into a first service message to be sent, wherein a first group of fields of the watermark feature code is used for indicating a second group of fields of the matched watermark feature code; and sending the first service message to a second object.
According to another aspect of the embodiments of the present invention, there is also provided a transmission apparatus for a service packet, including: an acquisition unit, configured to acquire a first service message sent by a first object to a second object, where the first service message comprises a watermark feature code and a message load; and a matching unit, configured to match a second group of fields in the watermark feature code through a first group of fields in the watermark feature code to obtain a matching result; the apparatus forwards the first service message to the second object when the matching result indicates that the second group of fields is successfully matched.
According to another aspect of the embodiments of the present invention, there is also provided a transmission apparatus for a service packet, including: a filling unit, configured to fill the watermark feature code and the message load into a first service message to be sent, where a first group of fields of the watermark feature code is used for indicating a second group of fields of the watermark feature code to be matched; and a sending unit, configured to send the first service message to the second object.
According to another aspect of the embodiments of the present invention, there is also provided a storage medium including a stored program which, when executed, performs the above-described method.
According to another aspect of the embodiments of the present invention, there is also provided an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor executes the above method through the computer program.
In the embodiment of the invention, a first service message sent by a first object to a second object is obtained, wherein the first service message comprises a watermark feature code and a message load; matching a second group of fields in the watermark feature code through a first group of fields in the watermark feature code to obtain a matching result; and under the condition that the matching result indicates that the second group of fields are successfully matched, the first service message is forwarded to the second object, and under the condition that the matching result indicates that the second group of fields are not successfully matched, the first service message is discarded, namely, the attack message can be filtered through the matching operation, and cannot reach the server to influence the network service provided by the server, so that the technical problem of lower security of the network service in the related technology can be solved, and the technical effect of improving the security of the network server is further achieved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a flow diagram of an alternative safeguard strategy according to an embodiment of the present invention;
FIG. 2 is a flow diagram of an alternative safeguard strategy according to an embodiment of the present invention;
FIG. 3 is a flow diagram of an alternative safeguard strategy according to an embodiment of the present invention;
FIG. 4 is a flow diagram of an alternative safeguard strategy according to an embodiment of the present invention;
fig. 5 is a flowchart of an alternative attack server in the related art;
fig. 6 is a flowchart of an alternative attack server in the related art;
fig. 7 is a schematic diagram of a hardware environment of a transmission method of a service packet according to an embodiment of the present invention;
fig. 8 is a flowchart of an alternative service packet transmission method according to an embodiment of the present invention;
fig. 9 is a schematic diagram of an alternative service packet according to an embodiment of the present invention;
fig. 10 is a schematic diagram of an alternative service packet according to an embodiment of the present invention;
fig. 11 is a flowchart of an alternative transmission method of a service packet according to an embodiment of the present invention;
fig. 12 is a flowchart of an alternative transmission method of a service packet according to an embodiment of the present invention;
fig. 13 is a flowchart of an alternative transmission method of a service packet according to an embodiment of the present invention;
fig. 14 is a flowchart of an alternative transmission method of a service packet according to an embodiment of the present invention;
fig. 15 is a flowchart of an alternative transmission method of a service packet according to an embodiment of the present invention;
fig. 16 is a flowchart of an alternative transmission method of a service packet according to an embodiment of the present invention;
FIG. 17 is a schematic illustration of an alternative incremental trend in accordance with an embodiment of the present invention;
FIG. 18 is a schematic illustration of an alternative regression curve according to an embodiment of the present invention;
fig. 19 is a schematic diagram of an alternative transmission apparatus for service packets according to an embodiment of the present invention;
fig. 20 is a schematic diagram of an alternative transmission apparatus for service packets according to an embodiment of the present invention; and
fig. 21 is a block diagram of a terminal according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, some of the terms appearing in the description of the embodiments of the present invention are explained as follows:
broiler chicken: also called a puppet (zombie machine), refers to a machine that can be remotely controlled by an attacker, for example a client tricked into running a remote-control trojan such as "Grey Pigeon", a computer that has been broken into, or a user's computer that has a vulnerability and has been implanted with a trojan; the attacker can then manipulate it at will and use it for anything, and broilers are commonly used to launch DDoS attacks. They can run any operating system, such as Windows, Linux or Unix, and may be servers belonging to companies, enterprises or schools.
IP: Internet Protocol, the protocol for interconnection between networks.
UDP Flood: a traffic-type DDoS attack in which a large number of UDP packets are used to overwhelm a DNS server, a Radius authentication server or a streaming-media video server. A UDP Flood at 100 kbps often paralyzes backbone devices on the path, such as firewalls, bringing down the entire network segment.
Payload of a data frame: refers to the data actually transmitted, excluding the protocol header and agreed-upon features.
With the upgrade of DDoS attack and defense countermeasures, more and more DDoS attack methods have become more sophisticated. In order to bypass the protection strategy of traditional DDoS protection devices, an attacker uses real source IPs to initiate normal TCP connections to the attacked server through broilers, and after the TCP connection is established sends a large amount of garbage messages such as randomly filled PSH/ACK and ACK messages. Because the attacker uses the real IP of the broiler, the traditional reverse detection algorithm cannot identify the malicious source IP and therefore cannot provide effective protection.
According to an aspect of an embodiment of the present invention, several alternative embodiments of protection policies are provided for the TCP protocol.
For TCP DDoS protection technology, whether a source IP is forged can be judged by methods such as reverse detection and message retransmission; if an attacker forges the source IP, the attacker cannot pass the reverse detection algorithm or the retransmission verification algorithm, and the purpose of protection is thereby achieved.
1) DDoS protection strategy: the reverse detection algorithm. Its protection against a TCP attack initiated with a forged source IP is shown in fig. 1:
step S102, an attacker 101 forges a source IP and sends an attack message to a server 105, and a TCP DDoS attack is initiated;
step S104, after receiving the message, the protective equipment 103 replaces the server to send a reverse detection message;
step S106, because the source IP is forged, the reverse detection message receives no response, the forged source IP is not added to the trust list, and the attack traffic is intercepted by the protection device.
The flow of the normal client response reverse probing algorithm is shown in fig. 2:
step S202, the normal client 107 sends a request message to the server 105;
step S204, after receiving the message, the protective device 103 replaces the server to send a reverse detection message;
step S206, the normal client responds to the reverse detection message and automatically reconnects;
step S208, because the client responded to the reverse detection message, the source IP of the client is added to the trust list, and subsequent messages from that IP are released;
step S210, the normal client sends the request message to the server again;
step S212, the server returns a response message.
2) DDoS protection strategy: the retransmission verification algorithm. Its protection against a TCP attack initiated with a forged source IP is shown in fig. 3:
step S302, an attacker 101 sends an attack message to a server and initiates a TCP DDoS attack;
step S304, after the protection device receives the message, it discards the first request message (i.e. the attack message) from the source IP;
step S306, because the source IP is forged, the request is not retransmitted, and the attack traffic is intercepted by the protection device.
The normal client retransmits the request message, and the flow is as shown in fig. 4:
step S402, the normal client 107 sends a request message to the server 105;
step S404, after the protective device receives the message, discarding the first request message of the source IP;
step S406, the normal client retransmits the request message;
step S408, adding the source IP where the client is located into the trust list, and releasing the subsequent message of the IP.
With the upgrade of DDoS attack and defense countermeasures, an attacker can use the real IP of a broiler and imitate a real user that first establishes a TCP connection and then sends a large amount of spam messages; against this attack method the above protection technology mistakes the malicious source IP for a trusted client and adds it to the trust list, so the attack traffic is passed through transparently. The flow of a broiler bypassing the reverse detection algorithm is shown in fig. 5:
step S502, the attacker 101 sends an attack message to the server 105 by using the real broiler IP and initiates TCP DDoS attack;
step S504, after receiving the message, the protective device 103 replaces the server to send a reverse detection message;
step S506, the client on the broiler responds to the reverse detection message and automatically reconnects;
step S508, because the client on the broiler responded to the reverse detection message, the source IP of the broiler is added to the trust list, and subsequent messages from that IP are released;
step S510, the client side where the broiler chicken is located sends a request message to the server again;
step S512, the server returns a response message;
step S514, the client side where the broiler chicken is located sends a large amount of spam messages to the server.
The flow of the broiler bypassing the retransmission verification algorithm is shown in fig. 6:
step S602, the attacker 101 uses the real broiler IP to send an attack message to the server 105;
step S604, after the protective device receives the message, discarding the first request message of the source IP;
step S606, the client side where the broiler chicken is located retransmits the request message;
step S608, the source IP of the client on the broiler is added to the trust list, and subsequent messages from that IP are released;
step S610, the client on the broiler sends a large amount of spam messages to the server.
Therefore, for protection schemes that judge whether the source IP is forged by reverse detection, message retransmission and the like, an attacker can bypass the DDoS protection algorithm by launching the DDoS attack from the real IP of a broiler, and the protection algorithm cannot provide effective protection.
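Added example (not code from the patent or from Tencent): a simulation of the protection device's decision logic for the two TCP strategies above, reverse detection (fig. 1 and 2) and retransmission verification (fig. 3 and 4), both feeding one trust list. The class and function names, the "intercept"/"forward" verdicts and the simplified event model are assumptions. It shows both what the text claims for the strategies and their limitation: a forged source, which never sees the probe and never retransmits, is never trusted, while any host that really owns its address earns trust after one round trip, whether it is a normal client or a broiler.

```python
"""Protection-device decision logic for reverse detection (S102-S106,
S202-S212) and retransmission verification (S302-S306, S402-S408).
Added illustration, not the patent's code; names and the event model are
assumptions."""


class TcpGuard:
    """Trust list keyed by source IP, as kept by the protection device."""

    REVERSE_DETECTION = "reverse_detection"
    RETRANSMISSION = "retransmission"

    def __init__(self, mode):
        if mode not in (self.REVERSE_DETECTION, self.RETRANSMISSION):
            raise ValueError("unknown protection mode %r" % mode)
        self.mode = mode
        self.trusted = set()      # source IPs whose later traffic is released
        self.probed = set()       # probe sent on the server's behalf, reply pending
        self.seen_once = set()    # first request already discarded

    def on_request(self, src_ip):
        """Verdict for one inbound TCP request: 'forward' or 'intercept'."""
        if src_ip in self.trusted:
            return "forward"
        if self.mode == self.REVERSE_DETECTION:
            self.probed.add(src_ip)       # S104: device answers in place of the server
            return "intercept"
        if src_ip in self.seen_once:      # S408: a retransmitted request earns trust
            self.trusted.add(src_ip)
            return "forward"
        self.seen_once.add(src_ip)        # S304/S404: the first request is dropped
        return "intercept"

    def on_probe_reply(self, src_ip):
        """S208: only a host that really owns src_ip can answer the probe."""
        if src_ip not in self.probed:
            return False
        self.probed.discard(src_ip)
        self.trusted.add(src_ip)
        return True


def simulate(mode, owns_address, packets=4):
    """Run one sender through the guard and return the verdict of every packet.

    owns_address=False models forged source IPs: the sender cannot see the
    probe, never retransmits, and rotates addresses so none repeats.
    owns_address=True models a real host (a normal client or a broiler) that
    reuses its own IP, answers the probe and retransmits after a lost request."""
    guard = TcpGuard(mode)
    if owns_address:
        sources = ["203.0.113.7"] * packets               # constructed real host
    else:
        sources = ["192.0.2.%d" % i for i in range(packets)]  # constructed forged IPs
    verdicts = [guard.on_request(sources[0])]
    if owns_address and mode == TcpGuard.REVERSE_DETECTION:
        guard.on_probe_reply(sources[0])                  # real stack answers (S206/S506)
    # second packet is the reconnect / retransmission, the rest are follow-up traffic
    verdicts += [guard.on_request(ip) for ip in sources[1:]]
    return verdicts
```

The follow-up packets after trust is granted are forwarded without further inspection, which is exactly why the spam messages of steps S514 and S610 reach the server once the broiler's real IP is on the trust list.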
According to an aspect of an embodiment of the present invention, several alternative embodiments of the protection policy are also provided for the UDP protocol.
UDP protection schemes can be divided into several kinds, such as rate limiting, feature filtering, packet length limitation and source port filtering:
1) rate limiting: a specified threshold is imposed per five-tuple of source IP, destination IP, source port, destination port and protocol number (UDP); part of the attack traffic is intercepted by the rate-limiting policy, which relieves the UDP FLOOD attack;
2) feature filtering: for some UDP attack methods, the UDP attack messages sent contain fixed character strings or characteristics that differ from normal service messages, and the UDP attack can be prevented by intercepting the UDP messages that match those characteristics;
3) packet length limitation: the single-packet length of most UDP service messages is not very large, whereas an attacker usually makes UDP attack messages very long (usually more than one kilobyte) in order to saturate the bandwidth of the attacked server;
4) source port filtering: many UDP floods are reflection amplification attacks, such as SSDP reflection, CHARGEN reflection, SNMP reflection and so on. The source port of a reflection attack is usually fixed, for example source port 1900 for SSDP (Simple Service Discovery Protocol) reflection and source port 19 for CHARGEN reflection; UDP protection on the protection device can be implemented by filtering the common reflection ports.
These schemes can relieve UDP attacks to a certain extent, but defects remain, and UDP attacks using various methods cannot be fully protected against:
1) defects of the rate-limiting policy: although rate limiting can relieve UDP attacks to a certain extent, the policy in the live network rate-limits normal traffic and malicious traffic indiscriminately, so there is a risk of wrongly killing normal traffic; furthermore, for attack methods that forge the source IP, the number of attack sources is usually very large, and the protection effect of rate limiting is poor;
2) defects of feature filtering: this policy applies when the attack messages contain a fixed character string or a characteristic that differs from normal service messages, in which case it protects effectively, but it is useless against attack methods without such a feature;
3) defects of the packet length limitation policy: similar to feature filtering, it protects effectively only when the message length differs obviously from that of normal service messages; otherwise the protection purpose is hard to achieve;
4) defects of source port filtering: apart from reflection attacks, ordinary UDP FLOOD has no port aggregation and more often uses random source ports to launch the attack, so the protection purpose is hard to achieve with a source port filtering policy.
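Added example (not code from the patent or from Tencent): a UDP protection pipeline that chains the four policies just listed, ordered so that the stateless checks run before the only stateful one. The thresholds, the signature string, the sample datagrams and the `UdpGuard`/`demo` names are constructed for this illustration; the reflection ports 1900 (SSDP) and 19 (CHARGEN) come from the text, and SNMP's standard port 161 is added as an assumption. The constructed traffic in `demo` also reproduces the first defect described above: the per-five-tuple limit cannot tell a busy legitimate client from an attacker and drops its traffic too.

```python
"""UDP protection pipeline: reflection source-port filtering, packet-length
limitation, feature (signature) filtering and per-five-tuple rate limiting.
Added illustration rather than the patent's code; all thresholds and sample
packets are constructed."""
from collections import defaultdict

UDP_PROTO = 17
# SSDP 1900 and CHARGEN 19 are named in the text; SNMP 161 is its standard port (assumption).
REFLECTION_SRC_PORTS = {1900: "SSDP", 19: "CHARGEN", 161: "SNMP"}
MAX_UDP_PAYLOAD = 1024          # assumed cut-off: attack packets "usually more than one kilobyte"
RATE_LIMIT_PER_FLOW = 5         # assumed packets-per-window threshold for one five-tuple
ATTACK_SIGNATURES = [b"\x00\x00\x00\x00FLOOD"]   # constructed fixed string


class UdpGuard:
    """Applies policies 4, 3, 2 and then 1 from the text to each datagram."""

    def __init__(self):
        self.flow_counts = defaultdict(int)   # five-tuple -> packets seen this window

    def inspect(self, pkt):
        """Return 'forward' or 'drop:<policy>' for one UDP datagram."""
        payload = pkt["payload"]
        if pkt["src_port"] in REFLECTION_SRC_PORTS:            # 4) source port filtering
            return "drop:reflection_port"
        if len(payload) > MAX_UDP_PAYLOAD:                      # 3) packet length limitation
            return "drop:packet_length"
        if any(sig in payload for sig in ATTACK_SIGNATURES):    # 2) feature filtering
            return "drop:signature"
        five_tuple = (pkt["src_ip"], pkt["dst_ip"],
                      pkt["src_port"], pkt["dst_port"], UDP_PROTO)
        self.flow_counts[five_tuple] += 1                       # 1) rate limiting
        if self.flow_counts[five_tuple] > RATE_LIMIT_PER_FLOW:
            return "drop:rate_limit"
        return "forward"


def make_pkt(src_ip, src_port, payload, dst_ip="198.51.100.1", dst_port=53):
    """Minimal datagram record (constructed; only the fields the policies read)."""
    return {"src_ip": src_ip, "dst_ip": dst_ip, "src_port": src_port,
            "dst_port": dst_port, "payload": payload}


def demo():
    """Constructed traffic mix; returns the verdict for each datagram in order."""
    guard = UdpGuard()
    packets = [
        make_pkt("203.0.113.5", 40000, b"\x12\x34\x01\x00dns-query"),        # normal query
        make_pkt("192.0.2.9", 1900, b"HTTP/1.1 200 OK"),                    # SSDP reflection
        make_pkt("192.0.2.9", 19, b"!\"#$%" * 100),                          # CHARGEN reflection
        make_pkt("192.0.2.20", 50000, b"\x00" * 1400),                      # oversized packet
        make_pkt("192.0.2.21", 50001, b"junk" + b"\x00\x00\x00\x00FLOOD"),  # known signature
    ]
    # The same legitimate client keeps querying: once its five-tuple passes the
    # threshold the indiscriminate limit drops its traffic as well.
    packets += [make_pkt("203.0.113.5", 40000, b"q%d" % i) for i in range(6)]
    return [guard.inspect(p) for p in packets]
```

In practice the counters would be reset per time window and the limit tuned per service; the example keeps a single window to make the false-positive behaviour visible.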
It can be seen that the protection schemes applied to TCP and UDP still have defects, and in order to solve the problems, according to an aspect of the embodiments of the present invention, a method embodiment of a method for transmitting a service packet is also provided.
Optionally, in this embodiment, the transmission method of the service packet may be applied to a hardware environment formed by the server 701, the protection device 703 and the terminal 705 as shown in fig. 7. As shown in fig. 7, the server 701 is connected to the terminal 705 through a network including, but not limited to, a wide area network, a metropolitan area network or a local area network; the terminal 705 may be, but is not limited to, a PC, a mobile phone, a tablet computer or the like. The method for transmitting the service packet according to the embodiment of the present invention may be executed by the protection device 703, by the terminal 705, or by both the protection device 703 and the terminal 705. When the terminal 705 executes the method, it may do so through a client installed on it. As shown in fig. 7:
step S702, the terminal and the protection device share the same watermark calculation method, and when the terminal sends a service message, the watermark feature code is embedded into the specified service message position and sent to the server;
step S704, the protective device intercepts the service message sent by the terminal, calculates the watermark feature code according to the shared watermark calculation method, and then compares the watermark feature code with the watermark in the received message;
step S706, if the two are the same, the service message is a legal service message, the protective device passes the service message, and the service message is forwarded to the server;
step S708, if they are different, it indicates that the service packet is an illegal service packet, and the protection device discards the service packet.
Fig. 8 is a flowchart of an optional service packet transmission method according to an embodiment of the present invention, applied on the terminal side; as shown in fig. 8, the method may include the following steps:
step S802, the watermark feature code and the message load are filled into a first service message to be sent, wherein a first group of fields of the watermark feature code is used for indicating a second group of fields of the matched watermark feature code.
The first object is a sending end of the message, the second object is a receiving end of the message, and the first object and the second object may be hardware objects, such as a server, a terminal and the like, or software objects, such as a software client, a web page client and the like.
The first service packet may also be referred to as a data packet, and as shown in fig. 9 and fig. 10, the first service packet may be divided into three parts, where the first part is an inherent part of the packet, such as an IP packet header and a TCP packet header in a TCP packet, and an IP packet header and a UDP packet header in a UDP packet; the second part is a message load, namely the effective load of the message, and is used for bearing service data; the third part, namely the watermark feature code part, is used for bearing watermark fingerprint information, and the watermark feature codes of two adjacent service messages are different, such as the first service message and the service message before the first service message, or the first service message and the service message after the first service message.
An optional watermark feature code is shown in fig. 9 and fig. 10. The watermark feature code can be divided into two parts: the first group of fields, through which the first object informs the second object of information such as the version of the watermark algorithm, the key version and the initial field that it uses; and the second group of fields, which indicates the watermark fingerprint and the sequence number.
Optionally, the filling the watermark feature code and the message load into the first service message to be sent may include:
1) carrying a target string (initial field) in a second field of the first set of fields;
2) carrying key indication information (such as key version) in a third field of the first set of fields;
3) carrying watermark indication information (such as watermark algorithm version) in a fourth field of the first set of fields;
4) carrying a watermark fingerprint in a first field of the second set of fields;
5) a fifth field of the second set of fields carries the sequence number.
And then filling the watermark feature code carrying the information and the message load into the first service message.
Step S804, the first service packet is sent to the second object.
Through the steps, the watermark feature code and the message load are filled into a first service message to be sent, a first group of fields of the watermark feature code is used for indicating a second group of fields of the matched watermark feature code, and the first service message is sent to a second object; the protection equipment matches a second group of fields in the watermark feature code through a first group of fields in the watermark feature code to obtain a matching result; and under the condition that the matching result indicates that the second group of fields are successfully matched, the first service message is forwarded to the second object, and under the condition that the matching result indicates that the second group of fields are not successfully matched, the first service message is discarded, namely, the attack message can be filtered through the matching operation, and cannot reach the server to influence the network service provided by the server, so that the technical problem of lower security of the network service in the related technology can be solved, and the technical effect of improving the security of the network server is further achieved.
Fig. 11 is a flowchart of an optional transmission method of a service packet according to an embodiment of the present invention, which is applied to a protection device, and as shown in fig. 11, the method may include the following steps:
step S1102, a first service packet sent by the first object to the second object is obtained, where the first service packet includes a watermark feature code and a packet load.
The first object is a sending end of the message, the second object is a receiving end of the message, and the first object and the second object may be hardware objects, such as a server, a terminal and the like, or software objects, such as a software client, a web page client and the like.
The first service packet may also be referred to as a data packet and may be divided into three parts, where the first part is an inherent part of the packet, such as an IP packet header and a TCP packet header in a TCP packet, and an IP packet header and a UDP packet header in a UDP packet; the second part is a message load, namely the effective load of the message, and is used for bearing service data; the third part, namely the watermark feature code part, is used for bearing watermark fingerprint information, and the watermark feature codes of two adjacent service messages are different, such as the first service message and the service message before the first service message, or the first service message and the service message after the first service message.
And step S1104, matching a second group of fields in the watermark feature code through the first group of fields in the watermark feature code to obtain a matching result.
According to the protection level, the protection device may employ a corresponding policy to match the second group of fields in the watermark feature code through the first group of fields in the watermark feature code.
The watermark feature code can be divided into two parts: the first part is a first group of fields, through which the first object informs the second object of information such as the watermark algorithm and key adopted by the second object; the second part is a second group of fields, which is used to indicate the watermark fingerprint.
Step S1106, forwarding the first service packet to the second object when the matching result indicates that the second group of fields is successfully matched.
In other words, only the first object and the protection device, which have agreed on the usage of the watermark feature code, can know the watermark fingerprint in the watermark feature code, so the protection device can detect whether a received service packet is legal (i.e., whether the second group of fields is successfully matched) through the watermark feature code carried by that packet; if so, the service packet is released, otherwise it is discarded.
Through steps S1102 to S1106, a first service packet sent by the first object to the second object is obtained, where the first service packet includes a watermark feature code and a packet load; the second group of fields in the watermark feature code is matched through the first group of fields in the watermark feature code to obtain a matching result; when the matching result indicates that the second group of fields is successfully matched, the first service message is forwarded to the second object, and when the matching result indicates that the second group of fields is not successfully matched, the first service message is discarded. That is, attack messages can be filtered out by the matching operation and cannot reach the server to affect the network service it provides, which solves the technical problem of low security of network services in the related art and thereby achieves the technical effect of improving the security of the network server.
In the technical solution provided in step S1104, matching the second group of fields in the watermark feature code through the first group of fields in the watermark feature code, and obtaining a matching result may include the following three technical solutions:
(1) Scheme one, the first service message is inspected (first packet inspection)
In step S12, the operation indicated by the first set of fields is performed to obtain the operation result.
The first service packet may be a single service packet, such as the first service packet received by the protection device.
Optionally, performing the operation indicated by the first set of fields, and obtaining the operation result may include:
Step S122, under the condition that the second field in the first group of fields is the target character string, acquiring the hash value according to the indication of the third field in the first group of fields.
As shown in fig. 9 and fig. 10, that is, whether the initial field is a fixed character string (i.e., a target character string) is detected, and if so, the service packet carries the watermark feature code; and acquiring a corresponding hash code version according to the third field key version, and acquiring a corresponding hash value by using the hash code version.
In step S124, an operation indicated by the fourth field in the first group of fields is performed on the hash value and the object information of the first object, so as to obtain an operation result.
The object information of the first object may include a destination IP, a destination port number, a watermark sequence number, and the like of the terminal, that is, the hash value and the object information of the first object are processed according to the version of the watermark algorithm indicated by the fourth field, so as to obtain the operation result.
In step S14, in the case that the operation result is the same as the first field in the second group of fields, the matching result is determined to be a first matching result, where the first matching result is used to indicate that the second group of fields is successfully matched.
If the calculated watermark fingerprint is the same as the watermark fingerprint carried by the service message, the matching result is determined to be the first matching result. If any operation in steps S122 to S124 fails or the operation result is incorrect, for example if the second field in the first group of fields is not the target character string, or if the operation result is different from the first field in the second group of fields, the matching result is determined to be the fourth matching result, which is used to indicate that the second group of fields is not successfully matched.
In the light protection of the first scheme, all service packets after the first service packet may be directly released when the matching result is the first matching result, and all service packets after the first service packet may be discarded when the matching result is the fourth matching result.
Optionally, in order to prevent a hacker from using a broiler (a user machine invaded by viruses or trojans) to launch an attack, a first time limit may be set in the case that the matching result is the fourth matching result, and all service messages following the first service message are discarded only within the first time limit, because the user machine may later have genuine user demand; this avoids filtering the user's genuine traffic after the attack has ended.
(2) Scheme two, the trend of the serial number in the service message is detected (replay protection)
In this scheme the first service packet may represent a set of service packets, and matching the second group of fields in the watermark feature code through the first group of fields to obtain a matching result may be implemented as follows:
Step S22, for the service packets continuously received by the protection device (which together may be recorded as the service packet set), the operation indicated by the first group of fields is executed on the service packets one by one to obtain an operation result.
For the specific process, refer to steps S122 to S124 above.
Step S24, for each service message for which an operation result has been calculated, matching the operation result with the first field in the second group of fields.
As mentioned above, the matching result includes the first matching result and the fourth matching result. If the matching result is the first matching result, the serial number in the service message is recorded and the service message is taken as one of the plurality of service messages; in other words, the plurality of service messages are the service messages whose matching result is the first matching result.
If the fourth matching result is obtained and the message is not the first message, the service message is released directly. That is, when a fifth service message and a sixth service message exist in the service message set, the sixth service message is forwarded to the second object, where the first field in the second group of fields of the fifth service message is the same as the operation result, the first field in the second group of fields of the sixth service message is different from the operation result, and the sixth service message is received later than the fifth service message.
The reason the service message is released directly in the case of the fourth matching result is as follows: on the terminal, a piece of service data (such as voice) is packaged into a data packet and the watermark feature code is attached, but when the data packet is transmitted over TCP or the like, it may be divided into a plurality of service messages because it is too long. If a service message does not carry the watermark feature code but the preceding service message does, this indicates that the service message is part of a divided data packet rather than an attack message, and it can be released directly.
Step S26, when the first field in the second group of fields of each service packet in the plurality of service packets is the same as the operation result, and the fifth field (i.e. the sequence number) in the second group of fields in the plurality of service packets is different and meets a predetermined condition, determining that the matching result is a second matching result, where the second matching result is used to indicate that the second group of fields is successfully matched, and the operation result is obtained by performing the operation indicated by the first group of fields.
Optionally, determining whether a fifth field in the second group of fields in the multiple traffic messages satisfies a predetermined condition may include the following two implementation schemes:
1) Determination by the number of increasing trends
Step S262, a second service packet in the multiple service packets is searched, a serial number indicated by a fifth field in the second service packet is not less than a serial number indicated by a fifth field in a third service packet and is less than a serial number indicated by a fifth field in a fourth service packet, the third service packet is a service packet adjacent to the second service packet and received before the second service packet in the multiple service packets, and the fourth service packet is a service packet adjacent to the second service packet and received after the second service packet in the multiple service packets.
The above-mentioned serial number is a serial number used by the protection device to record the watermark, such as 1-10 (or another numeric field); every time a service message is sent, the serial number of the next service message is incremented by 1.
The second service packet is equivalent to an inflection point appearing in the growth trend, and counting the number of the second service packets is equivalent to counting the number of the growth trends.
Step S264, determining that a fifth field in the second group of fields in the multiple service messages does not satisfy a predetermined condition when the number of the found second service messages is smaller than a first threshold, where the first threshold is smaller than the number of the multiple service messages, for example, the number of the multiple service messages is 10, and the first threshold is 4.
Step S266, determining that a fifth field in the second group of fields in the multiple service messages meets a predetermined condition under the condition that the number of the searched second service messages is not less than the first threshold, where the first threshold is less than the number of the multiple service messages.
2) Determination by linear regression coefficients
The plurality of service messages can be arranged according to their reception order. Under the condition that the regression coefficient b of the sequence numbers indicated by the fifth field in the second group of fields in the plurality of service messages is greater than 0, the fifth field in the second group of fields in the plurality of service messages is determined to meet the predetermined condition, where

$$b = \frac{\sum_{i=1}^{n} (x_i - \bar{x})(y_i - \bar{y})}{\sum_{i=1}^{n} (x_i - \bar{x})^2}$$

$x_i$ indicates the reception order of the ith service message, $y_i$ indicates the sequence number indicated by the fifth field in the ith service message,

$$\bar{x} = \frac{1}{n}\sum_{i=1}^{n} x_i$$

represents the average value of the reception order of the plurality of service messages,

$$\bar{y} = \frac{1}{n}\sum_{i=1}^{n} y_i$$

represents the average value of the sequence numbers indicated by the fifth field of the plurality of service messages, and n is the number of the plurality of service messages.
(3) Scheme three, watermark strict checking
If the first normal service message is captured by an attacker and sent to the protection device, the attacker can gain the trust of the protection device, so the "watermark strict check" can be enabled to prevent such events from occurring.
Optionally, the first service packet includes a plurality of service packets that are continuously received and whose number is a second threshold, and the matching of a second group of fields in the watermark feature code is performed through a first group of fields in the watermark feature code, and obtaining a matching result includes:
Under the condition that the first field in the second group of fields of each service message in the plurality of service messages is different from the operation result, the matching result is determined to be a third matching result, where the third matching result is used for indicating that the second group of fields is not successfully matched, and the operation result is obtained by executing the operation indicated by the first group of fields.
In other words, even when a normal service splits a data packet into several service messages, the number of consecutive messages without a valid watermark feature code is limited (for example, below the second threshold), so when a plurality of consecutive service messages all fail the watermark feature code check, this indicates an illegal attack.
In the technical solution provided in step S1106, in a case that the matching result indicates that the second group of fields is successfully matched, the first service packet is forwarded to the second object.
Optionally, for the above three technical solutions, when the technical solutions are applied in TCP communication, the matching result obtained for each technical solution is:
1) under the condition that the matching result indicates that the second group of fields are successfully matched, forwarding a target service message sent by the first object to the second object through the first session to the second object, wherein the first session is a session established when the first object sends the first service message to the second object, and the target service message comprises the first service message;
2) in the case that the matching result indicates that the second group of fields is not successfully matched, discarding the service messages sent by the first object to the second object through the first session.
Alternatively, for the above first and second solutions, when these solutions are applied in UDP communication, the matching result obtained for each solution is:
1) under the condition that the matching result indicates that the second group of fields are successfully matched, forwarding a target service message sent by the first object to the second object, wherein the target service message comprises the first service message;
2) after matching the second set of fields in the watermark signature with the first set of fields in the watermark signature to obtain a matching result, the method further comprises: and under the condition that the matching result indicates that the second group of fields are not successfully matched, discarding the service message sent by the first object to the second object.
As an alternative embodiment, the following description will take the above technical solution applied in TCP communication as an example:
The client shares the same watermark calculation method with the protection device, and when the client sends a packet, the watermark feature code is embedded at the specified position in the data packet; after receiving the message, the protection device checks the watermark feature code, releases legal watermarked messages and intercepts malicious traffic. With this scheme, DDoS attacks that existing protection algorithms cannot defend against (including junk messages sent by broilers) can be effectively defended, so that service damage caused by DDoS attacks can be avoided.
The basic flow of the implementation of the TCP watermark protection scheme is shown in fig. 7:
in step S702, the client 701 of the user and the protection device 703 share the same watermark calculation method, and when the client sends a data packet (i.e., a service packet), the watermark feature code is embedded into the specified data packet position. The watermark signature calculation method is shown in fig. 9.
For example, a watermark may be added to the first 20 bytes of the TCP packet header, the watermark including an initial field, an algorithm version, a key version, a watermark fingerprint, and a sequence number.
Initial field (Initial Vector, also called fixed string): a watermark start field used by the protection device for identification; optionally a 64-bit random number unique to each client, randomly generated by the console based on the application identifier appid.
Watermark Algorithm Version (Algorithm Version): used by the protection device to distinguish versions of the watermark calculation algorithm.
Key Version (Key Version): used by the protection device to distinguish watermark versions, so as to solve the operational problem of a client having a plurality of versions in the live network; this information is entered by the client through the console.
Watermark fingerprint (Footprint): used by the protection device to verify normal or abnormal behavior; this information is calculated by the client according to a specified field negotiated in advance and a specified algorithm.
Sequence number (Sequence): the serial number of the watermark, recorded by the protection device to solve the problem of replay attacks; it is filled in by the client and incremented by 1 for each message.
In step S704, the protection device 703 receives a packet (also referred to as a service packet) sent by the client, calculates a watermark feature code according to a shared watermark calculation method, and then compares the watermark feature code with the watermark in the received packet. The watermark feature code calculation scheme is as follows:
Watermark fingerprint calculation: Footprint = watermarking algorithm(destination IP + destination port + HashCode + Sequence).
An alternative watermarking algorithm is CRC32; the symbol "+" represents bitwise exclusive or; "HashCode" may be a user-defined field.
Step S706, if the two are the same, the received data packet (i.e., the service packet) is a legal data packet and the protection device passes it.
Step S708, if they are different, the data packet (i.e., the service packet) is an illegal data packet and the protection device discards it.
In the detailed protection process of the TCP watermark protection scheme, the whole protection scheme can be divided into 3 modules from the perspective of software functions: the first packet inspection module, the replay protection module and the watermark strict checking module.
1) The first packet inspection module executes the first packet inspection flow as shown in fig. 12:
step S1202, a client (including normal users and broilers) initiates TCP three-way handshake to a server to establish TCP connection;
step S1204, the ADS records the session; every TCP connection initiated to the protected server is recorded and tracked by the protection device;
step S1206, after the client establishes the TCP connection, the client sends a TCP service message;
step S1208, the ADS of the protection device performs stream reassembly according to the message SEQ ID (i.e. the serial number), and through the stream reassembly, the protection device confirms the first message of the TCP session and checks the watermark feature code of the message;
step S1210, the ADS checks the first 8 bytes (initial field) of the first message; if they are correct, step S1214 is executed, otherwise step S1212 is executed;
step S1212, if the initial field is not correct, the message is a malicious message: the message is discarded; the protection device sends RST messages to the client and the server (the receiver of the RST can distinguish whether the other end closed abnormally or normally) to disconnect the connection; and the session is marked as an abnormal session, that is, all messages of the session are intercepted;
step S1214, the protective device reads the first 9-20 bytes (algorithm version, key version, watermark fingerprint, serial number) of the message, then calculates the watermark fingerprint according to the watermark fingerprint calculation method, and compares the watermark fingerprint with the watermark fingerprint in the message, if the calculation is wrong or the comparison is inconsistent, step S1216 is executed, otherwise, step S1218 is executed;
step S1216, if the watermark fingerprint calculation fails (for example, the algorithm version does not exist, the key version does not exist) or the watermark fingerprint in the message is inconsistent with the one calculated by the protection device, the watermark check fails, and the message is a malicious message: discarding the message; the protection equipment sends RST messages to the client and the server, and the connection is disconnected; and marking the conversation as an abnormal conversation, namely intercepting all messages of the conversation.
Step S1218, if the watermark check is correct, the message is legal: releasing the message; marking the conversation as normal and allowing the subsequent message of the conversation to pass; the serial number is recorded.
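The feature code layout, fingerprint calculation (steps S702 to S708) and first packet inspection flow (steps S1210 to S1218), and equally scheme one above, written out as an added Python example; it is not part of the patent or of any Tencent implementation. It assumes field widths for bytes 9-20 (2-byte algorithm version, 2-byte key version, 4-byte CRC32 fingerprint, 4-byte sequence number), reads the "+" in the fingerprint formula as XOR of the 32-bit destination IP, port, HashCode and sequence number, and uses constructed values for the initial field and the HashCode table.

```python
import ipaddress
import struct
import zlib

# Assumed layout of the 20-byte watermark feature code. The patent fixes only the field
# order and the 8-byte initial field; the remaining widths are assumptions of this example.
#   bytes 0-7   initial field (fixed string): 64-bit random value unique to each client
#   bytes 8-9   algorithm version, big-endian uint16
#   bytes 10-11 key version, big-endian uint16
#   bytes 12-15 watermark fingerprint, big-endian uint32 (CRC32 output)
#   bytes 16-19 sequence number, big-endian uint32
WATERMARK_FMT = ">8sHHII"
WATERMARK_LEN = struct.calcsize(WATERMARK_FMT)  # 20 bytes

# Constructed configuration shared by the client and the protection device.
INITIAL_FIELD = bytes.fromhex("a3f19c0e5b7d2461")  # constructed 64-bit fixed string
HASHCODES = {1: 0x5A5A1234, 2: 0x0BADF00D}          # key version -> HashCode (constructed)
CRC32_ALGORITHM = 1                                   # the only algorithm version defined here


def fingerprint(dst_ip, dst_port, hashcode, sequence, algorithm_version=CRC32_ALGORITHM):
    """Footprint = algorithm(destination IP + destination port + HashCode + Sequence).

    The page reads '+' as bitwise XOR and names CRC32 as one possible algorithm; here
    all four inputs are XORed as 32-bit integers and CRC32 is taken over the 4-byte result.
    CRC32 is not a keyed MAC: the check only resists forgery as long as the initial field
    and the HashCode stay unknown to the attacker.
    """
    if algorithm_version != CRC32_ALGORITHM:
        raise ValueError("unknown watermark algorithm version")
    ip = int(ipaddress.IPv4Address(dst_ip))
    mixed = (ip ^ dst_port ^ hashcode ^ sequence) & 0xFFFFFFFF
    return zlib.crc32(struct.pack(">I", mixed)) & 0xFFFFFFFF


def build_watermark(dst_ip, dst_port, key_version, sequence):
    """Client side (step S702): the 20-byte feature code placed at the specified position."""
    fp = fingerprint(dst_ip, dst_port, HASHCODES[key_version], sequence)
    return struct.pack(WATERMARK_FMT, INITIAL_FIELD, CRC32_ALGORITHM, key_version, fp, sequence)


def first_packet_check(payload, dst_ip, dst_port):
    """Protection device side (steps S1210 to S1218).

    Returns ("pass", sequence) when the first message is legal, so the caller can mark
    the session normal and record the sequence number, or ("drop", reason) when it is
    malicious, so the caller can discard it, send RST to both ends and mark the session.
    """
    # Step S1210/S1212: the first 8 bytes must equal the client's initial field.
    if len(payload) < WATERMARK_LEN or payload[:8] != INITIAL_FIELD:
        return "drop", "initial field mismatch"
    # Step S1214: read bytes 9-20 and recompute the fingerprint.
    _, alg, key_ver, fp, seq = struct.unpack(WATERMARK_FMT, payload[:WATERMARK_LEN])
    if key_ver not in HASHCODES:
        return "drop", "key version does not exist"          # step S1216
    try:
        expected = fingerprint(dst_ip, dst_port, HASHCODES[key_ver], seq, alg)
    except ValueError:
        return "drop", "algorithm version does not exist"    # step S1216
    if expected != fp:
        return "drop", "watermark fingerprint inconsistent"  # step S1216
    return "pass", seq                                       # step S1218


if __name__ == "__main__":
    server = ("203.0.113.10", 443)  # constructed protected server address
    legal = build_watermark(*server, key_version=1, sequence=7) + b"GET / HTTP/1.1\r\n"
    print(first_packet_check(legal, *server))           # ('pass', 7)
    forged = b"\x00" * WATERMARK_LEN + b"junk"
    print(first_packet_check(forged, *server))          # ('drop', 'initial field mismatch')
```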
2) Replay protection module
The replay protection module prevents an attacker who has captured the first service message of a normal client from replaying it through an attack tool to launch a message replay attack. The specific steps are shown in fig. 13:
step S1220, after the first packet inspection module, it is selectable whether the messages enter the replay protection flow; if so, step S1224 is executed, otherwise step S1222 is executed;
step S1222, if the replay protection flow is not entered, after the first packet is checked and trusted, all subsequent messages of the trusted session are directly released;
step S1224, if the replay protection process is started, continuing to track and check the session trusting the first packet check module;
step S1226, each message checks the first 8 bytes, judges whether the first 8 bytes are the initial field, if so, executes step S1230, otherwise executes step S1228;
step S1228, if the first 8 bytes are checked and confirmed not to be the initial field, directly forwarding the message and releasing the message;
step S1230, if the first 8 bytes are confirmed to be the initial field (also called the fixed character string), bytes 9-20 of the message (algorithm version, key version, watermark fingerprint and serial number) are checked, the watermark fingerprint is calculated according to the watermark fingerprint calculation method and compared with the watermark fingerprint in the message to determine whether the two are consistent; if so, step S1232 is executed, otherwise step S1228 is executed;
step S1232, if the check is correct, releasing the message and recording the serial number of the message;
in step S1234, the protection device determines whether the number of sequence numbers recorded in the session exceeds M (M is configurable); if so, step S1236 is executed, and if not, step S1220 is executed.
If the number of recorded sequence numbers does not exceed M, recording is not yet complete and the flow returns to step S1220;
step S1236, if the number of sequence numbers exceeds M, the number of sequence numbers meets the configuration and replay attack analysis and protection can be performed: statistical analysis is performed on all the sequence numbers of the session recorded above to count the number of increasing trends, and it is judged whether the number of increasing trends exceeds N; if so, step S1240 is executed, and if not, step S1238 is executed;
step S1238, if the number of times of the incremental trend does not exceed N, it indicates that the session has a replay behavior (if an attacker uses a normal packet to continuously replay, the sequence numbers of each packet are consistent, there is no incremental trend), and the session is a malicious session: discarding the message; the protection equipment sends RST messages to the client and the server, and the connection is disconnected; marking the conversation as an abnormal conversation, namely intercepting all messages of the conversation;
in step S1240, if the number of times of the incremental trend exceeds N (N indicates configurable), it indicates that the session has no replay behavior, and all subsequent messages are released.
The number of increasing trends mentioned above is illustrated by the following example:
The total number of serial numbers configured on the protection device is 10, and the increasing trend threshold is 4. This means that the replay protection module requires 10 sequence numbers to be recorded, and after 10 sequence numbers are recorded there must be 4 or more increasing trends to pass the replay protection check; otherwise the session is identified as malicious.
As shown in fig. 17, the abscissa is the reception order of the respective sequence numbers, 1 represents the sequence number of the first reception record, and so on; the ordinate is the specific value of the sequence number (as mentioned above, a normal client adds 1 to the last packet each time it sends a packet).
The increasing trend is shown by the black line in fig. 17, and if the current sequence number is larger than the previous sequence number, it is marked as an increasing trend, so fig. 17 has 4 increasing trends.
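The increasing-trend count (steps S1236 to S1240 and scheme 2-1 above) and the regression-coefficient variant (scheme 2-2), as an added Python example that is not part of the patent. The sequence number sets are constructed for illustration, and the 10-number set with exactly 4 increasing trends stands in for fig. 17, which is not reproduced here.

```python
def increasing_trend_count(seqs):
    """Count increasing trends (fig. 17 convention, steps S1236 to S1240): a position whose
    sequence number is larger than the previous one is marked as one increasing trend."""
    return sum(1 for prev, cur in zip(seqs, seqs[1:]) if cur > prev)


def regression_coefficient(seqs):
    """Least-squares regression coefficient b of the sequence number value (y_i) over the
    reception order (x_i = 1..n), the scheme 2-2) criterion; b > 0 means an upward trend."""
    n = len(seqs)
    if n < 2:
        return 0.0
    xs = range(1, n + 1)
    x_bar = sum(xs) / n
    y_bar = sum(seqs) / n
    sxy = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, seqs))
    sxx = sum((x - x_bar) ** 2 for x in xs)
    return sxy / sxx


def replay_check(seqs, m=10, n_trends=4, method="trend"):
    """Replay protection decision of the protection device (steps S1234 to S1240).

    seqs are the sequence numbers recorded for one session, in reception order. Nothing is
    decided until M sequence numbers have been recorded (step S1234); then the session is
    "normal" if the chosen criterion holds over the first M numbers, otherwise "malicious".
    method="trend" requires at least n_trends increasing trends (the page's 10/4 example);
    method="regression" requires regression coefficient b > 0.
    """
    if len(seqs) < m:
        return "pending"                     # keep recording, back to step S1220
    window = list(seqs[:m])
    if method == "trend":
        ok = increasing_trend_count(window) >= n_trends
    elif method == "regression":
        ok = regression_coefficient(window) > 0
    else:
        raise ValueError("unknown method")
    return "normal" if ok else "malicious"


# Constructed sequence number sets for illustration.
NORMAL_CLIENT = list(range(101, 111))          # +1 per packet: 9 increasing trends
PURE_REPLAY = [57] * 10                        # one captured packet replayed: 0 trends
FOUR_TRENDS = [5, 5, 6, 6, 7, 7, 8, 9, 9, 9]    # exactly 4 increases, stands in for fig. 17

if __name__ == "__main__":
    for name, seqs in (("normal", NORMAL_CLIENT), ("replay", PURE_REPLAY), ("fig17", FOUR_TRENDS)):
        print(name, increasing_trend_count(seqs), round(regression_coefficient(seqs), 3),
              replay_check(seqs), replay_check(seqs, method="regression"))
```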
3) Watermark strict checking module
The watermark strict checking module is mainly aimed at solving the following problem: a hacker captures the first normal message by packet capture and then attacks as follows: establishing a TCP session; replaying the captured normal message as the first message; and, after replaying the captured normal message, continuously sending randomly filled malicious messages (without the watermark feature code).
If an attacker uses the above attack method, the protection of the first packet inspection module and the replay protection module can be bypassed, in order to solve the attack, the watermark strict inspection module needs to be entered, and the specific execution steps are as shown in fig. 14:
step S1242, the message after passing through the first packet inspection module may choose whether to enter watermark strict inspection protection, if so, step S1246 is executed, otherwise, step S1244 is executed.
Step S1244, after the first packet is checked and trusted, all the subsequent messages of the trusted session are directly released.
Step S1246, if watermark strict checking is entered, the session trusted by the first packet inspection module continues to be tracked, the watermark feature code is checked for each subsequent message, and each watermark check failure is recorded.
In step S1248, it is determined whether P watermark checks fail (i.e., fixed string or watermark check fails) continuously, if yes, step S1250 is executed, otherwise, step S1244 is executed.
Step S1250, if P watermark checks fail continuously, it indicates that there is an abnormal behavior in the session, and the session is a malicious session: and discarding the message. And the protection equipment sends RST messages to the client and the server, and the connection is disconnected. And marking the conversation as an abnormal conversation, namely intercepting all messages of the conversation.
The technical solution of the present application brings at least the following beneficial effects:
1) by sharing the same watermark calculation method between the client and the protection device, the protection device can accurately identify whether a message sent by the client is legal, continuously intercept illegal traffic and forward legal traffic, and effectively defend against DDoS attacks, even real broiler attacks that are difficult to defend against with DDoS protection strategies, so that the DDoS protection capability is greatly improved and service stability is guaranteed;
2) in the TCP watermark protection scheme provided, the watermark fingerprint is calculated from the server IP, the port, the user-defined field (hashcode) and the serial number, so that normal user access is error-free and malicious traffic is completely cleaned, and an attacker cannot decode the watermark fingerprint because it is calculated by an algorithm;
3) the present application also provides a protection scheme against attackers capturing normal messages and replaying them, so that attackers cannot carry out an attack through message replay;
4) the present application also provides a strict checking mode that further strengthens the granularity of watermark checking: watermark checking is carried out on the subsequent messages of the session, so that the bypass in which an attacker first replays a normal message and then sends junk messages can be avoided.
The TCP watermark protection scheme can be used by the server and can also be provided for third-party users to use, DDoS attack is effectively prevented after the users access the scheme, even real broiler attack which is difficult to protect by the DDoS protection strategy can also be effectively prevented, and DDoS protection capability is greatly improved.
The present invention also provides an alternative embodiment, which takes the application of the above first and second schemes in UDP communication as an example for explanation:
the applicant has analyzed the above mentioned UDP protection scheme and realized that the reason why UDP FLOOD protection is very difficult for traffic using UDP protocol can be summarized as follows:
1) the UDP protocol itself is an unreliable transport protocol not based on connection, and cannot judge the legitimacy of the source IP through methods such as reverse detection and retransmission according to the behavior of the TCP protocol stack, that is, it cannot judge whether the source IP is legitimate from the algorithm level, unlike the TCP protocol;
2) UDP services have many message types, and the messages have no fixed characteristics or fields; attack messages of a UDP FLOOD generally have no fixed characteristics either, so it is difficult to distinguish which messages are normal service messages and which are attack messages;
3) an attacker usually forges the source IP to initiate a UDP FLOOD, so after the attack the server receives a great number of requests from forged source IPs, and at that moment the server cannot judge whether a source IP is a malicious source IP or a normal client IP.
It can be seen that, due to the above characteristics, legal and malicious traffic in a UDP FLOOD cannot be distinguished by means of protocol stack behavior, message characteristics and the like, so a UDP FLOOD is very difficult to defend against.
In the technical scheme of the application, the same watermark calculation method is shared by the client and the protection equipment, and when the client sends a packet, the watermark feature code is embedded into the specified data packet position; after receiving the message, the protective device checks the watermark feature code, releases the legal watermark message and intercepts malicious flow.
By sharing the same watermark calculation method between the client and the protection device, the protection device can accurately identify whether the message sent by the client is legal or not, intercept illegal traffic continuously and forward legal traffic, effectively protect all UDP FLOOD attacks, greatly improve DDoS protection capability and guarantee service stability. The following is a detailed description:
The basic usage scenario and procedure of the UDP watermark protection scheme are shown in fig. 7.
In step S702, the client 701 of the user and the protection device 703 share the same watermark calculation method, and when the client sends a data packet (i.e., a service packet), the watermark feature code is embedded into the specified data packet position. The watermark signature calculation method is shown in fig. 10.
For example, a watermark may be added to the first 20 bytes of the UDP header, the watermark including an initial field, an algorithm version, a key version, a watermark fingerprint, and a sequence number.
Initial field (Initial Vector, also called fixed string): the watermark start field used by the guard device for identification; optionally a 64-bit random number unique to each client, randomly generated by the console based on the application identifier appid.
Watermark Algorithm Version (Algorithm Version): used by the guard device to distinguish versions of the watermark calculation algorithm.
Key Version (Key Version): used by the guard device to distinguish watermark key versions, so as to handle the operational problem that a client has several versions deployed in the live network; this information is entered by the client through the console.
Watermark fingerprint (Footprint): used by the protection device to verify normal or abnormal behaviour; this value is calculated by the client from the pre-negotiated specified fields using the specified algorithm.
Sequence number (Sequence): records the serial number of the watermark and is used by the protection device to address replay attacks; it is filled in by the client, and the serial number of each message is incremented by 1.
In step S704, the protection device 703 receives a packet (also referred to as a service packet) sent by the client, calculates a watermark feature code according to a shared watermark calculation method, and then compares the watermark feature code with the watermark in the received packet. The watermark feature code calculation scheme is as follows:
Watermark fingerprint calculation: Footprint = watermark algorithm(destination IP + destination port + HashCode + Sequence).
An optional watermark algorithm is CRC32; the symbol "+" represents bitwise exclusive or; "HashCode" may be a user-defined field.
Step S706, if the two are the same, the received data packet is a legal data packet (i.e., a service packet), and the protection device passes the data packet.
Step S708, if they are different, the packet is an illegal packet (i.e., not a legitimate service packet), and the protection device discards the packet.
In the detailed protection flow of the UDP watermark protection scheme, the whole protection scheme may be divided into 2 software modules: watermark protection module, replay attack protection module.
1) The watermark protection module executes the flow shown in fig. 15:
step S1502, the client (including normal users and broilers) sends UDP messages.
In step S1504, the protection device checks whether the first 8 bytes (initial field) of the UDP packet are correct; if so, step S1508 is executed, otherwise step S1506 is executed.
Step S1506, if the initial field is incorrect, the message is a malicious message, and the message is discarded.
Step S1508, if the initial field is correct, the message proceeds. The protection device reads bytes 9-20 of the message (algorithm version, key version, watermark fingerprint, serial number), calculates the watermark fingerprint according to the watermark fingerprint calculation method, compares the calculated watermark fingerprint with the watermark fingerprint in the message and determines whether the two are the same; if so, step S1512 is executed, otherwise step S1510 is executed.
In step S1510, if the watermark fingerprint calculation fails (for example, the algorithm version does not exist, the key version does not exist) or the watermark fingerprint in the message is inconsistent with the one calculated by the protection device, the watermark check fails, the message is a malicious message, the interception is performed, and the serial number is recorded.
Step S1512, if the watermark check is correct, the message is released.
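The watermark layout described above (initial field, algorithm version, key version, fingerprint, sequence number) and the check flow of steps S1502 to S1512, as an added worked example in Python that is not part of the patent text. The page fixes the 20-byte total, the 8-byte initial field, the field order and CRC32 with XOR as "+" for the fingerprint; the widths of the algorithm version, key version, fingerprint and sequence fields, the XOR of the four inputs as 32-bit words before taking the CRC, and all sample values (initial field, key versions, HashCode, addresses) are assumptions made for this example.

```python
import ipaddress
import struct
import zlib

# Constructed sample parameters (assumptions, not values from the patent):
# the 64-bit initial field the console would generate for one appid, the
# algorithm versions the guard supports, and the HashCode for each key version.
INITIAL_FIELD = bytes.fromhex("a1b2c3d4e5f60718")   # constructed 8-byte initial field
ALGORITHM_VERSIONS = {1}                              # algorithm versions known to the guard
KEY_HASHCODES = {1: 0x5EED1234, 2: 0x0BADF00D}       # key version -> user-defined HashCode

# Assumed layout of bytes 9-20 (the page gives only the 20-byte total and the
# field order): 2-byte algorithm version, 2-byte key version, 4-byte CRC32
# fingerprint, 4-byte sequence number, all big-endian.
_TAIL = struct.Struct("!HHII")
WATERMARK_LEN = len(INITIAL_FIELD) + _TAIL.size      # 20 bytes


def footprint(dst_ip: str, dst_port: int, hashcode: int, seq: int) -> int:
    """Footprint = CRC32(destination IP + destination port + HashCode + Sequence),
    where '+' is bitwise XOR as the page states. Assumption: the four inputs are
    XORed as 32-bit words and the CRC is taken over that word's 4 big-endian bytes."""
    ip_word = int(ipaddress.IPv4Address(dst_ip))
    word = (ip_word ^ dst_port ^ hashcode ^ seq) & 0xFFFFFFFF
    return zlib.crc32(word.to_bytes(4, "big")) & 0xFFFFFFFF


def build_watermark(dst_ip: str, dst_port: int, algo_ver: int, key_ver: int, seq: int) -> bytes:
    """Client side: the 20-byte watermark placed at the specified packet position."""
    fp = footprint(dst_ip, dst_port, KEY_HASHCODES[key_ver], seq)
    return INITIAL_FIELD + _TAIL.pack(algo_ver, key_ver, fp, seq)


def check_watermark(packet: bytes, dst_ip: str, dst_port: int):
    """Guard side, steps S1502-S1512. Returns (verdict, seq): verdict is 'pass'
    or 'drop'; seq is returned (when readable) so the caller can record it."""
    if len(packet) < WATERMARK_LEN or packet[:8] != INITIAL_FIELD:
        return "drop", None                      # S1506: initial field incorrect
    algo_ver, key_ver, fp, seq = _TAIL.unpack_from(packet, 8)
    if algo_ver not in ALGORITHM_VERSIONS or key_ver not in KEY_HASHCODES:
        return "drop", seq                       # S1510: fingerprint cannot be calculated
    if fp != footprint(dst_ip, dst_port, KEY_HASHCODES[key_ver], seq):
        return "drop", seq                       # S1510: fingerprint inconsistent
    return "pass", seq                           # S1512: watermark check correct


if __name__ == "__main__":
    server, port = "203.0.113.10", 5000          # constructed destination
    pkt = build_watermark(server, port, 1, 2, 7) + b"application data"
    print(check_watermark(pkt, server, port))    # ('pass', 7)
    # The same packet replayed towards another server fails the fingerprint check.
    print(check_watermark(pkt, "203.0.113.11", port))   # ('drop', 7)
```

Because the destination IP and port enter the fingerprint, a captured watermark is only valid for the server it was produced for, and because the sequence number enters it, altering the sequence number invalidates the fingerprint; neither property helps against a verbatim replay, which is what the replay protection module below is for.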
2) Replay protection module
The replay protection module is to avoid that an attacker plays back and initiates a message replay attack through an attack tool after acquiring a service message of a normal client, and the specific steps are as shown in fig. 16:
Whether a message that has passed the watermark protection module enters the replay protection process can be selected. If not, all subsequent messages of the quintuple that passed the watermark protection module (the quintuple comprises a source IP, a destination IP, a source port, a destination port and a protocol) are released directly; if the replay protection process is enabled, the following steps are carried out.
Step S1514, tracking continues for the five-tuple that passed through the watermark guard module.
Step S1516, for each message, the first 8 bytes (initial field) of the UDP message are checked; if the check is correct, step S1520 is executed, otherwise step S1518 is executed.
Step S1518, if not the initial field, the message is released.
Step S1520, if the check of the first 8 bytes confirms the initial field (also called fixed character string, the same below), bytes 9-20 of the message (algorithm version, key version, watermark fingerprint, serial number) are read, the watermark fingerprint is calculated according to the watermark fingerprint calculation method and compared with the watermark fingerprint in the message; if the two are the same, step S1524 is carried out, otherwise step S1522 is carried out.
Step S1522, if the check is incorrect, the message is released.
Step S1524, if the check is correct, the serial number of the packet is recorded.
In step S1526, the protection device determines whether the sequence number recorded by the quintuple exceeds N (N indicates configurable), if so, step S1530 is executed, otherwise, step S1528 is executed.
In step S1528, if N has not been exceeded, it indicates that the serial number recording is not completed, and the recording of the serial number continues.
Step S1530, if N is exceeded, the number of recorded sequence numbers has reached the configured value and replay attack analysis and protection can be performed: linear regression is carried out on all sequence numbers of the quintuple counted in the above steps. If the calculated regression coefficient is greater than 0, that is, the sequence numbers show an ascending trend, the quintuple is the access behaviour of a normal user; it is marked as legal and its subsequent messages are released. Otherwise, if the regression coefficient is not greater than 0, that is, the sequence numbers do not show an ascending trend, the quintuple exhibits replay attack behaviour; it is marked as illegal and its subsequent messages are discarded.
It should be noted that the sequence number of the normal service packet will be increased continuously, and the sequence numbers of all the packets of the replay attack are consistent and do not increase. In order to protect against replay attacks, the sequence numbers of the same quintuple packet need to be recorded, analyzed and counted. And performing linear regression on the receiving sequence of the sequence numbers and the values of the sequence numbers, and analyzing whether the service interaction is normal or replay attack by judging whether a regression coefficient is greater than 0.
The total number of serial numbers recorded is 10. When 10 serial numbers have been received and recorded, linear regression is carried out on the receiving order of the serial numbers against their values, where $x_i$ represents the receiving order of the $i$-th serial number, $y_i$ represents the value of that serial number, $\bar{x}$ represents the average of the orders, $\bar{y}$ represents the average of the serial numbers and $n$ is the number of recorded serial numbers (10 here). The calculation formulas are as follows:
$$\bar{x} = \frac{1}{n}\sum_{i=1}^{n} x_i, \qquad \bar{y} = \frac{1}{n}\sum_{i=1}^{n} y_i$$
$$b = \frac{\sum_{i=1}^{n}(x_i - \bar{x})(y_i - \bar{y})}{\sum_{i=1}^{n}(x_i - \bar{x})^2}$$
The result of the above calculation is the regression coefficient, denoted b. For example, as shown in fig. 18, the abscissa represents the order, the ordinate represents the specific serial number, the black line represents the regression line, and the points represent the service packets. The linear regression gives a regression coefficient greater than 0 (the slope of the straight line is greater than 0°), indicating that the sequence number is in an upward trend.
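The sequence number recording and regression test of steps S1514 to S1530, as an added Python example that is not taken from the patent. It records N = 10 sequence numbers per quintuple, computes the least-squares regression coefficient b of sequence number against receiving order, and marks the quintuple legal when b > 0 and illegal otherwise, so that a normal client (increasing sequence numbers) is released and a replayed packet (the same sequence number repeated) is dropped. The choice to release packets while recording is still in progress, and the sample quintuples and sequence numbers, are assumptions of this example.

```python
from collections import defaultdict

N = 10   # sequence numbers recorded per quintuple before deciding (page uses 10; configurable)


def regression_coefficient(values):
    """Least-squares slope b of the sequence number y_i against receiving order
    x_i = 1..n. A constant series (every replayed copy carries the same sequence
    number) gives b = 0; a strictly increasing series gives b > 0."""
    n = len(values)
    xs = range(1, n + 1)
    x_mean = sum(xs) / n
    y_mean = sum(values) / n
    num = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, values))
    den = sum((x - x_mean) ** 2 for x in xs)
    return num / den


class ReplayGuard:
    """Per-quintuple replay detection for packets that already passed the watermark check."""

    def __init__(self, n=N):
        self.n = n
        self.seqs = defaultdict(list)    # quintuple -> recorded sequence numbers (S1524)
        self.verdict = {}                # quintuple -> 'legal' | 'illegal' (S1530)

    def observe(self, quintuple, seq):
        """Steps S1524-S1530; returns 'pass' or 'drop' for this packet."""
        if quintuple in self.verdict:
            return "pass" if self.verdict[quintuple] == "legal" else "drop"
        recorded = self.seqs[quintuple]
        recorded.append(seq)
        if len(recorded) < self.n:
            return "pass"                # S1528: still recording (released; assumption)
        b = regression_coefficient(recorded)
        self.verdict[quintuple] = "legal" if b > 0 else "illegal"
        del self.seqs[quintuple]         # recording finished for this quintuple
        return "pass" if b > 0 else "drop"


if __name__ == "__main__":
    guard = ReplayGuard()
    # Constructed quintuples: (source IP, destination IP, source port, destination port, protocol)
    client = ("198.51.100.7", "203.0.113.10", 40000, 5000, "udp")
    replayer = ("198.51.100.99", "203.0.113.10", 41000, 5000, "udp")
    for seq in range(100, 110):          # normal client: sequence numbers increase
        verdict = guard.observe(client, seq)
    print("normal client:", verdict, guard.verdict[client])        # pass legal
    for _ in range(10):                  # replayer resends one captured packet (seq 104)
        verdict = guard.observe(replayer, 104)
    print("replayed packets:", verdict, guard.verdict[replayer])   # drop illegal
```

Once a quintuple has been judged, the stored sequence numbers are no longer needed and the verdict alone is kept, which bounds the memory per tracked flow to the recording window plus one state entry.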
In the technical scheme of the application:
1) a protection scheme of UDP watermark is provided, and watermark fingerprint is calculated through a server IP, a port, a user defined field (hash) and a serial number. The purposes that normal user access is not blocked and malicious traffic is completely cleaned can be achieved, and an attacker cannot decode the watermark fingerprint because the watermark fingerprint is calculated by an algorithm;
2) and a protection scheme for capturing normal messages and replaying the messages by an attacker is also provided. An attacker cannot realize the attack through message replay.
The UDP watermark protection scheme can be provided for third-party users (such as cloud storage application) to use, after the users access the scheme, all UDP attack methods can be effectively covered, meanwhile, normal service flow is not affected, user experience is not affected, and DDoS protection capability is greatly improved.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
According to another aspect of the embodiment of the present invention, a service packet transmission apparatus for implementing the service packet transmission method is further provided. Fig. 19 is a schematic diagram of an optional service packet transmission apparatus according to an embodiment of the present invention, which may be a part of a terminal, as shown in fig. 19, the apparatus may include: a padding unit 1901 and a transmitting unit 1903.
A filling unit 1901, configured to fill the watermark feature code and the packet load into a first service packet to be sent, where a first group of fields of the watermark feature code is used to indicate a second group of fields of the matched watermark feature code.
Optionally, the filling unit is further configured to: carrying a target character string in a second field of the first group of fields, carrying key indication information in a third field of the first group of fields, carrying watermark indication information in a fourth field of the first group of fields, carrying a watermark fingerprint in the first field of the second group of fields, and carrying a sequence number in a fifth field of the second group of fields; and filling the watermark feature code carrying the information and the message load into the first service message.
Filling the watermark feature code and the message load to a first service message to be sent through the module, wherein a first group of fields of the watermark feature code is used for indicating a second group of fields of the matched watermark feature code, and sending the first service message to a second object; the protection equipment matches a second group of fields in the watermark feature code through a first group of fields in the watermark feature code to obtain a matching result; and under the condition that the matching result indicates that the second group of fields are successfully matched, the first service message is forwarded to the second object, and under the condition that the matching result indicates that the second group of fields are not successfully matched, the first service message is discarded, namely, the attack message can be filtered through the matching operation, and cannot reach the server to influence the network service provided by the server, so that the technical problem of lower security of the network service in the related technology can be solved, and the technical effect of improving the security of the network server is further achieved.
According to another aspect of the embodiment of the present invention, a service packet transmission apparatus for implementing the service packet transmission method is further provided. Fig. 20 is a schematic diagram of an optional transmission apparatus for a service packet according to an embodiment of the present invention, which may be used as a part of a protection device, as shown in fig. 20, the apparatus may include: an acquisition unit 2001, a matching unit 2003, and a forwarding unit 2005.
An obtaining unit 2001, configured to obtain a first service packet sent by a first object to a second object, where the first service packet includes a watermark feature code and a packet load;
a matching unit 2003, configured to match a second group of fields in the watermark feature code with a first group of fields in the watermark feature code to obtain a matching result;
a forwarding unit 2005, configured to forward the first service packet to the second object if the matching result indicates that the second group of fields is successfully matched.
It should be noted that the obtaining unit 2001 in this embodiment may be configured to execute step S1102 in this embodiment, the matching unit 2003 in this embodiment may be configured to execute step S1104 in this embodiment, and the forwarding unit 2005 in this embodiment may be configured to execute step S1106 in this embodiment.
It should be noted here that the modules described above are the same as the examples and application scenarios implemented by the corresponding steps, but are not limited to the disclosure of the above embodiments. It should be noted that the modules described above as a part of the apparatus may operate in a hardware environment as shown in fig. 7, and may be implemented by software or hardware.
Acquiring a first service message sent by a first object to a second object through the module, wherein the first service message comprises a watermark feature code and a message load; matching a second group of fields in the watermark feature code through a first group of fields in the watermark feature code to obtain a matching result; and under the condition that the matching result indicates that the second group of fields are successfully matched, the first service message is forwarded to the second object, and under the condition that the matching result indicates that the second group of fields are not successfully matched, the first service message is discarded, namely, the attack message can be filtered through the matching operation, and cannot reach the server to influence the network service provided by the server, so that the technical problem of lower security of the network service in the related technology can be solved, and the technical effect of improving the security of the network server is further achieved.
In an alternative embodiment, the matching unit may include: the execution module is used for executing the operation indicated by the first group of fields to obtain an operation result; and the first matching module is used for determining the matching result as a first matching result under the condition that the operation result is the same as the first field in the second group of fields, wherein the first matching result is used for indicating that the second group of fields are successfully matched.
Optionally, the executing module may be further configured to: under the condition that a second field in the first group of fields is a target character string, acquiring a hash value according to the indication of a third field in the first group of fields; and executing the operation indicated by the fourth field in the first group of fields on the hash value and the object information of the first object to obtain an operation result.
In another alternative embodiment, the first service packet includes a plurality of service packets, and the matching unit may include: and the second matching module is used for determining that the matching result is a second matching result under the condition that the first field in the second group of fields of each service message in the plurality of service messages is the same as the operation result, the fifth field in the second group of fields in the plurality of service messages is different and meets a preset condition, wherein the second matching result is used for indicating that the second group of fields are successfully matched, and the operation result is obtained by executing the operation indicated by the first group of fields.
Optionally, the determining, by the second matching module, whether a fifth field in the second group of fields in the multiple service messages satisfies a predetermined condition includes:
searching a second service message in the plurality of service messages, wherein the serial number indicated by a fifth field in the second service message is not less than the serial number indicated by the fifth field in a third service message and less than the serial number indicated by the fifth field in a fourth service message, the third service message is a service message which is adjacent to the second service message and is received before the second service message in the plurality of service messages, and the fourth service message is a service message which is adjacent to the second service message and is received after the second service message in the plurality of service messages;
determining that a fifth field in a second group of fields in the plurality of service messages does not meet a preset condition under the condition that the number of the searched second service messages is smaller than a first threshold value, wherein the first threshold value is smaller than the number of the plurality of service messages;
and under the condition that the number of the searched second service messages is not less than a first threshold value, determining that a fifth field in a second group of fields in the plurality of service messages meets a preset condition, wherein the first threshold value is less than the number of the plurality of service messages.
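The neighbour-order criterion just described, as an added Python example that is not part of the patent: it counts the "second service messages", those whose sequence number is not less than that of the message received immediately before it and less than that of the message received immediately after it, and compares the count with the first threshold, which must be smaller than the number of messages. Treating the first and last messages, which lack one neighbour, as not counted, and the sample sequences, are assumptions of this example.

```python
def in_order_count(seqs):
    """Number of 'second service messages' in a sequence of received sequence numbers.
    Message i qualifies when seqs[i-1] <= seqs[i] < seqs[i+1]; the first and last
    messages have no preceding or following neighbour and are not counted (assumption)."""
    return sum(1 for i in range(1, len(seqs) - 1)
               if seqs[i - 1] <= seqs[i] < seqs[i + 1])


def fifth_field_condition_met(seqs, first_threshold):
    """True when the fifth field (sequence number) of the plurality of service
    messages satisfies the predetermined condition: the count of second service
    messages is not less than the first threshold."""
    if not 0 < first_threshold < len(seqs):
        raise ValueError("the first threshold must be smaller than the number of service messages")
    return in_order_count(seqs) >= first_threshold


if __name__ == "__main__":
    # Constructed receiving sequences of sequence numbers
    normal = list(range(100, 110))             # strictly increasing: 8 interior messages qualify
    replayed = [104] * 10                      # one packet resent ten times: none qualify
    reordered = [1, 2, 2, 3, 1, 4, 5, 6, 7, 8]  # mild reordering: 5 qualify
    for name, seqs in (("normal", normal), ("replayed", replayed), ("reordered", reordered)):
        print(name, in_order_count(seqs), fifth_field_condition_met(seqs, 6))
```

Unlike the regression test, this criterion tolerates an occasional out-of-order packet as long as enough messages still arrive in ascending order, so the first threshold sets how much reordering a legitimate flow may show before it is treated as a replay.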
Optionally, the determining, by the second matching module, whether a fifth field in the second group of fields in the multiple service messages satisfies a predetermined condition may further include:
determining that the fifth field of the second group of fields of the plurality of service messages satisfies the predetermined condition in a case where the regression coefficient b of the sequence numbers indicated by the fifth field of the second group of fields of the plurality of service messages is greater than 0, where
$$b = \frac{\sum_{i=1}^{n}(x_i - \bar{x})(y_i - \bar{y})}{\sum_{i=1}^{n}(x_i - \bar{x})^2},$$
$x_i$ indicates the receiving order of the sequence number indicated by the fifth field in the $i$-th service message, $y_i$ indicates the value of the sequence number indicated by the fifth field in the $i$-th service message, $\bar{x} = \frac{1}{n}\sum_{i=1}^{n} x_i$ represents the average of the receiving orders of the sequence numbers indicated by the fifth field of the plurality of service messages, $\bar{y} = \frac{1}{n}\sum_{i=1}^{n} y_i$ represents the average of those sequence numbers, and $n$ is the number of the plurality of service messages.
Optionally, the matching unit may include: the first forwarding module is configured to forward a sixth service packet to the second object when a fifth service packet and the sixth service packet exist in the multiple service packets, where a first field in a second group of fields of the fifth service packet is the same as the operation result, a first field in the second group of fields of the sixth service packet is different from the operation result, and a receiving time of the sixth service packet is later than that of the fifth service packet.
In another optional embodiment, the first service packet includes a plurality of service packets that are consecutively received and whose number is a second threshold, and the matching unit may include: and the third matching module is used for determining that the matching result is a third matching result under the condition that the first field in the second group of fields of each service message in the plurality of service messages is different from the operation result, wherein the third matching result is used for indicating that the second group of fields are not successfully matched, and the operation result is obtained by executing the operation indicated by the first group of fields.
In an alternative embodiment, the forwarding unit may include: the second forwarding module is used for forwarding a target service message sent by the first object to the second object through the first session to the second object under the condition that the matching result indicates that the second group of fields are successfully matched, wherein the first session is a session established when the first object sends the first service message to the second object, and the target service message comprises the first service message; and the first discarding module is used for discarding the service message sent by the first object to the second object through the first session under the condition that the matching result indicates that the second group of fields are not successfully matched.
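The session-level forwarding decision described by the first forwarding module, the third matching module and the second forwarding and first discarding modules above, as an added Python example that is not taken from the patent. The per-packet fingerprint comparison is represented by a boolean input so the fingerprint code is not repeated here. The example implements the lenient mode (once a packet of the session has matched, a later non-matching packet such as the sixth service packet is still forwarded), the strict checking mode mentioned for the TCP scheme (every subsequent packet of the session is checked), and the rule that a run of second_threshold consecutively received non-matching packets yields the third matching result, after which the session's packets are discarded. That non-matching packets of a not-yet-decided session are discarded individually, and that strict mode drops a non-matching packet without changing the session state, are assumptions of this example.

```python
class SessionWatermarkState:
    """Decision state of one session between a first object and a second object.

    handle() receives whether the packet's first field of the second group of
    fields (the fingerprint) equalled the guard's operation result and returns
    'forward' or 'drop' for that packet.
    """

    def __init__(self, strict: bool = False, second_threshold: int = 5):
        self.strict = strict                      # strict checking mode (check every packet)
        self.second_threshold = second_threshold  # consecutive failures -> session not matched
        self.state = "undecided"                  # undecided | matched | unmatched
        self.consecutive_failures = 0

    def handle(self, fingerprint_ok: bool) -> str:
        if self.state == "unmatched":
            return "drop"                         # first discarding module: whole session discarded
        if fingerprint_ok:
            self.state = "matched"                # second forwarding module: session forwarded
            self.consecutive_failures = 0
            return "forward"
        if self.state == "matched":
            # first forwarding module: a later non-matching packet of a matched
            # session is still forwarded, unless strict checking is on (assumption)
            return "drop" if self.strict else "forward"
        self.consecutive_failures += 1            # undecided session, non-matching packet
        if self.consecutive_failures >= self.second_threshold:
            self.state = "unmatched"              # third matching result
        return "drop"                             # dropped individually (assumption)


def run_session(match_results, strict=False, second_threshold=5):
    """Apply the decision to a constructed sequence of per-packet match results."""
    session = SessionWatermarkState(strict, second_threshold)
    return [session.handle(ok) for ok in match_results]


if __name__ == "__main__":
    # Constructed per-packet comparison outcomes for three sessions
    print(run_session([True, False, True]))                          # lenient: all forwarded
    print(run_session([True, False, True], strict=True))             # strict: middle packet dropped
    print(run_session([False, False, False, True], second_threshold=3))  # session marked unmatched
```

The lenient mode is cheaper, since only the first packets of a session are fingerprinted, while the strict mode closes the gap noted in item 4 above, where an attacker could open the session with replayed legitimate packets and then send unwatermarked traffic through it.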
By adopting the technical scheme of the application, the beneficial effects brought lie in at least:
1) by sharing the same watermark calculation scheme between the client and the protection equipment, the protection equipment can accurately identify whether a message sent by the client is legal or not, intercept illegal flow continuously, forward the legal flow, and effectively protect DDoS attacks, even real broiler attacks which are difficult to protect by the DDoS protection strategy, so that the DDoS protection capability is greatly improved, and the service stability is ensured;
2) the TCP watermark protection scheme is provided, the watermark fingerprint is calculated through the server IP, the port, the user defined field (hashcode) and the serial number, the purposes that normal user access is free from error and malicious flow is completely cleaned can be achieved, and an attacker cannot decode the watermark fingerprint because the watermark fingerprint is calculated through an algorithm;
3) the method and the device are equivalent to providing a protection scheme for preventing attackers from capturing normal messages and replaying the messages, and the attackers cannot realize attack through message replay;
4) the application also equivalently provides a strict checking mode, the watermark checking granularity can be further enhanced, and the watermark checking can be carried out on the subsequent messages of the session, so that the attack bypass that an attacker replays the normal messages first and then sends the junk messages can be avoided.
In another alternative embodiment, the forwarding unit may include: the third forwarding module is used for forwarding a target service message sent by the first object to the second object under the condition that the matching result indicates that the second group of fields are successfully matched, wherein the target service message comprises the first service message; and the second discarding module is used for discarding the service message sent by the first object to the second object under the condition that the matching result indicates that the second group of fields are not successfully matched.
Through the embodiment, the protection scheme of the UDP watermark is provided, and the watermark fingerprint is calculated through the IP (Internet protocol), the port, the user-defined field (hash code) and the serial number of the server. The purposes that normal user access is not blocked and malicious traffic is completely cleaned can be achieved, and an attacker cannot decode the watermark fingerprint because the watermark fingerprint is calculated by an algorithm; and a protection scheme for capturing normal messages and replaying the messages by an attacker is also provided. An attacker cannot realize the attack through message replay.
It should be noted here that the modules described above are the same as the examples and application scenarios implemented by the corresponding steps, but are not limited to the disclosure of the above embodiments. It should be noted that the modules described above as a part of the apparatus may be operated in a hardware environment as shown in fig. 7, may be implemented by software, and may also be implemented by hardware, where the hardware environment includes a network environment.
According to another aspect of the embodiment of the present invention, a server or a terminal for implementing the transmission method of the service packet is also provided.
Fig. 21 is a block diagram of a terminal according to an embodiment of the present invention. As shown in fig. 21, the terminal may include one or more processors 2101 (only one of which is shown in fig. 21), a memory 2103 and a transmission device 2105 (such as the transmission device in the above-described embodiment), and may also include an input-output device 2107.
The memory 2103 may be used to store software programs and modules, such as program instructions/modules corresponding to the method and apparatus for transmitting a service packet in the embodiment of the present invention, and the processor 2101 executes various functional applications and data processing by operating the software programs and modules stored in the memory 2103, that is, the method for transmitting a service packet is implemented. The memory 2103 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 2103 can further include memory located remotely from the processor 2101, which can be connected to the terminal via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 2105 is used for receiving or transmitting data via a network, and can also be used for data transmission between the processor and the memory. Examples of the network may include a wired network and a wireless network. In one example, the transmission device 2105 includes a Network adapter (NIC) that can be connected to a router via a Network cable and other Network devices to communicate with the internet or a local area Network. In one example, the transmission device 2105 is a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
Among them, the memory 2103 is used for storing an application program in particular.
The processor 2101 may invoke an application program stored in the memory 2103 via the transmission device 2105 to perform the following steps:
acquiring a first service message sent by a first object to a second object, wherein the first service message comprises a watermark feature code and a message load;
matching a second group of fields in the watermark feature code through a first group of fields in the watermark feature code to obtain a matching result;
and forwarding the first service message to the second object under the condition that the matching result indicates that the second group of fields are successfully matched.
The processor 2101 is further configured to perform the following steps:
filling the watermark feature code and the message load into a first service message to be sent, wherein a first group of fields of the watermark feature code is used for indicating a second group of fields of the matched watermark feature code;
and sending the first service message to a second object.
By adopting the embodiment of the invention, the first service message sent by the first object to the second object is obtained, and the first service message comprises the watermark feature code and the message load; matching a second group of fields in the watermark feature code through a first group of fields in the watermark feature code to obtain a matching result; and under the condition that the matching result indicates that the second group of fields are successfully matched, the first service message is forwarded to the second object, and under the condition that the matching result indicates that the second group of fields are not successfully matched, the first service message is discarded, namely, the attack message can be filtered through the matching operation, and cannot reach the server to influence the network service provided by the server, so that the technical problem of lower security of the network service in the related technology can be solved, and the technical effect of improving the security of the network server is further achieved.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments, and this embodiment is not described herein again.
It can be understood by those skilled in the art that the structure shown in fig. 21 is only an illustration, and the terminal may be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palm computer, and a Mobile Internet Device (MID), a PAD, etc. Fig. 21 is a diagram illustrating a structure of the electronic device. For example, the terminal may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in FIG. 21, or have a different configuration than shown in FIG. 21.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
The embodiment of the invention also provides a storage medium. Optionally, in this embodiment, the storage medium may be used to execute a program code of a transmission method of a service packet.
Optionally, in this embodiment, the storage medium may be located on at least one of a plurality of network devices in a network shown in the above embodiment.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps:
S31, acquiring a first service message sent by a first object to a second object, wherein the first service message comprises a watermark feature code and a message load;
S32, matching a second group of fields in the watermark feature code through the first group of fields in the watermark feature code to obtain a matching result;
and S33, forwarding the first service message to the second object under the condition that the matching result indicates that the second group of fields are successfully matched.
Optionally, the storage medium is further arranged to store program code for performing the steps of:
S41, filling the watermark feature code and the message load into a first service message to be sent, wherein a first group of fields of the watermark feature code is used for indicating a second group of fields of the matched watermark feature code;
and S42, sending the first service message to the second object.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments, and this embodiment is not described herein again.
Optionally, in this embodiment, the storage medium may include, but is not limited to: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing one or more computer devices (which may be personal computers, servers, network devices, etc.) to execute all or part of the steps of the method according to the embodiments of the present invention.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.

Claims (15)

1. A method for transmitting a service packet is characterized by comprising the following steps:
acquiring a first service message sent by a first object to a second object, wherein the first service message comprises a watermark feature code and a message load;
the first service message comprises a plurality of service messages, and matching a second group of fields in the watermark feature code through a first group of fields in the watermark feature code to obtain a matching result comprises: determining that the matching result is a second matching result when a first field in the second group of fields of each service packet in the plurality of service packets is the same as an operation result, and a fifth field in the second group of fields of the plurality of service packets is different and meets a predetermined condition, wherein the second matching result is used for indicating that the second group of fields are successfully matched, and the operation result is obtained by executing the operation indicated by the first group of fields;
and forwarding the first service packet to the second object under the condition that the matching result indicates that the second group of fields are successfully matched.
2. The method of claim 1, wherein matching a second set of fields in the watermark signature with a first set of fields in the watermark signature, and obtaining a matching result comprises:
executing the operation indicated by the first group of fields to obtain an operation result;
determining the matching result as a first matching result if the operation result is the same as a first field in the second set of fields, wherein the first matching result is used for indicating that the second set of fields are successfully matched.
3. The method of claim 2, wherein performing the operation indicated by the first set of fields and obtaining the operation result comprises:
under the condition that a second field in the first group of fields is a target character string, acquiring a hash value according to the indication of a third field in the first group of fields;
and executing the operation indicated by a fourth field in the first group of fields on the hash value and the object information of the first object to obtain the operation result.
4. The method of claim 1, wherein whether a fifth field of the second set of fields in the plurality of traffic messages satisfies the predetermined condition is determined by:
searching a second service message in the plurality of service messages, wherein a serial number indicated by a fifth field in the second service message is not less than a serial number indicated by a fifth field in a third service message and less than a serial number indicated by a fifth field in a fourth service message, the third service message is a service message adjacent to the second service message and received before the second service message in the plurality of service messages, and the fourth service message is a service message adjacent to the second service message and received after the second service message in the plurality of service messages;
determining that a fifth field in the second group of fields in the plurality of service messages does not meet the predetermined condition under the condition that the number of the searched second service messages is smaller than a first threshold, wherein the first threshold is smaller than the number of the plurality of service messages;
and determining that a fifth field in the second group of fields in the plurality of service messages meets the predetermined condition under the condition that the number of the searched second service messages is not less than the first threshold, wherein the first threshold is less than the number of the plurality of service messages.
5. The method of claim 4, wherein whether a fifth field of the second set of fields in the plurality of traffic messages satisfies the predetermined condition is determined by:
determining that a fifth field of the second set of fields of the plurality of traffic messages satisfies the predetermined condition if the regression coefficient $b$ of the sequence numbers indicated by the fifth field of the second set of fields of the plurality of traffic messages, fitted against their order of reception, is greater than 0, where
$$b = \frac{\sum_{i=1}^{n} (x_i - \bar{x})(y_i - \bar{y})}{\sum_{i=1}^{n} (x_i - \bar{x})^2},$$
$x_i$ denotes the order of reception of the sequence number indicated by the fifth field in the $i$-th traffic message, $y_i$ denotes the value of the sequence number indicated by the fifth field in the $i$-th traffic message, $\bar{x}$ denotes the average of the reception orders of the sequence numbers indicated by the fifth fields of the plurality of traffic messages, $\bar{y}$ denotes the average of the sequence numbers indicated by the fifth fields of the plurality of traffic messages, and $n$ is the number of the plurality of traffic messages.
6. The method of claim 1, wherein in matching a second set of fields in the watermark signature with a first set of fields in the watermark signature to obtain a matching result, the method further comprises:
and forwarding a sixth service packet to the second object under the condition that a fifth service packet and the sixth service packet exist in the plurality of service packets, wherein a first field in the second group of fields of the fifth service packet is the same as an operation result, a first field in the second group of fields of the sixth service packet is different from the operation result, and the receiving time of the sixth service packet is later than that of the fifth service packet.
7. The method according to claim 1, wherein the first service packet includes a plurality of service packets received consecutively and the number of the service packets is a second threshold, and wherein matching a second group of fields in the watermark feature code through a first group of fields in the watermark feature code to obtain a matching result further includes:
and determining that the matching result is a third matching result under the condition that the first field in the second group of fields of each service message in the plurality of service messages is different from the operation result, wherein the third matching result is used for indicating that the second group of fields are not successfully matched, and the operation result is obtained by executing the operation indicated by the first group of fields.
8. The method according to any one of claims 1 to 7,
in a case that the matching result indicates that the second group of fields is successfully matched, forwarding the first service packet to the second object includes: under the condition that the matching result indicates that the second group of fields are successfully matched, forwarding a target service message sent by the first object to the second object through a first session to the second object, wherein the first session is a session established when the first object sends the first service message to the second object, and the target service message comprises the first service message;
after matching a second set of fields in the watermark signature with a first set of fields in the watermark signature to obtain a matching result, the method further comprises: and in the case that the matching result indicates that the second group of fields is not successfully matched, discarding the service message sent by the first object to the second object through the first session.
9. The method according to any of claims 1 to 5, wherein in case that the matching result indicates that the second group of fields is successfully matched, forwarding the first traffic packet to the second object comprises:
in a case that the matching result indicates that the second group of fields is successfully matched, forwarding the first service packet to the second object includes: under the condition that the matching result indicates that the second group of fields are successfully matched, forwarding a target service message sent by the first object to the second object, wherein the target service message comprises the first service message;
after matching a second set of fields in the watermark signature with a first set of fields in the watermark signature to obtain a matching result, the method further comprises: and in the case that the matching result indicates that the second group of fields is not successfully matched, discarding the service message sent by the first object to the second object.
10. A method for transmitting a service packet is characterized by comprising the following steps:
filling a watermark feature code and a message load into a first service message to be sent, wherein a first group of fields of the watermark feature code is used for indicating a second group of fields of the matched watermark feature code; the first service message comprises a plurality of service messages;
matching a second group of fields in the watermark feature code through the first group of fields to obtain a matching result, wherein the matching result comprises: determining that the matching result is a second matching result when a first field in the second group of fields of each service packet in the service packets is the same as an operation result, a fifth field in the second group of fields in the service packets is different and meets a predetermined condition, wherein the second matching result is used for indicating that the second group of fields are successfully matched, and the operation result is obtained by executing the operation indicated by the first group of fields;
and sending the first service message to a second object.
11. The method of claim 10, wherein populating the watermark signature and the message payload into the first service message to be transmitted comprises:
carrying a target character string in a second field of the first group of fields, carrying key indication information in a third field of the first group of fields, carrying watermark indication information in a fourth field of the first group of fields, carrying a watermark fingerprint in the first field of the second group of fields, and carrying a sequence number in a fifth field of the second group of fields;
and filling the watermark feature code carrying information and the message load into the first service message.
12. A device for transmitting a service packet, comprising:
the device comprises an acquisition unit, a processing unit and a processing unit, wherein the acquisition unit is used for acquiring a first service message sent by a first object to a second object, and the first service message comprises a watermark feature code and a message load;
the matching unit is used for matching a second group of fields in the watermark feature code through a first group of fields in the watermark feature code to obtain a matching result; the first service message comprises a plurality of service messages;
the matching unit includes:
a matching module, configured to determine that a matching result is a second matching result when a first field in the second group of fields of each service packet in the plurality of service packets is the same as an operation result, and a fifth field in the second group of fields in the plurality of service packets is different and meets a predetermined condition, where the second matching result is used to indicate that the second group of fields is successfully matched, and the operation result is obtained by executing an operation indicated by the first group of fields;
and a forwarding unit, configured to forward the first service packet to the second object when the matching result indicates that the second group of fields is successfully matched.
13. A device for transmitting a service packet, comprising:
a filling unit, configured to fill a watermark feature code and a message load into a first service message to be sent, where a first group of fields of the watermark feature code is used to indicate a second group of fields of the matched watermark feature code; the first service message comprises a plurality of service messages;
matching a second group of fields in the watermark feature code through the first group of fields to obtain a matching result, wherein the matching result comprises: determining that the matching result is a second matching result when a first field in the second group of fields of each service packet in the service packets is the same as an operation result, a fifth field in the second group of fields in the service packets is different and meets a predetermined condition, wherein the second matching result is used for indicating that the second group of fields are successfully matched, and the operation result is obtained by executing the operation indicated by the first group of fields;
and the sending unit is used for sending the first service message to a second object.
14. A storage medium, characterized in that the storage medium comprises a stored program, wherein the program when executed performs the method of any of the preceding claims 1 to 11.
15. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor executes the method of any of the preceding claims 1 to 11 by means of the computer program.
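As an added example that is not part of the patent, the following Python sketch implements both sides described in the processor steps above and in claims 1 to 5, 10 and 11: a sender fills a watermark feature code and payload, and a checking device recomputes the operation indicated by the first group of fields, compares it with the watermark fingerprint, checks that the sequence numbers differ and satisfy the claim 4 counting rule or the claim 5 regression rule, and then forwards or discards the batch. The wire layout, the shared key table, the SHA-256 based operation and the addresses are constructed assumptions, since the patent does not fix any of them.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

# Constructed wire layout (an assumption, not the patent's own format):
#   first group : magic (target string), key_id (key indication), op (watermark indication)
#   second group: fingerprint (watermark fingerprint), seq (sequence number)
MAGIC = b"WMRK"
HDR = struct.Struct("!4sBB16sI")

# Constructed key table shared by sender and checking device (assumption).
KEYS = {1: b"demo-key-1", 2: b"demo-key-2"}

@dataclass
class Packet:
    src_ip: str        # object information of the first object (the sender)
    watermark: bytes   # watermark feature code: both groups of fields
    payload: bytes     # message load

def fingerprint(key_id: int, op: int, src_ip: str) -> bytes:
    """Operation indicated by the first group of fields (claim 3): obtain the hash
    value selected by the key indication, then combine it with the sender's object
    information as the watermark indication says. SHA-256 is an assumption here."""
    h = hashlib.sha256(KEYS[key_id]).digest()
    if op == 1:
        return hashlib.sha256(h + src_ip.encode()).digest()[:16]
    raise ValueError("unknown watermark operation")

def build_packet(src_ip: str, key_id: int, seq: int, payload: bytes, op: int = 1) -> Packet:
    """Sender side (claims 10 and 11): fill both groups of fields and the payload."""
    wm = HDR.pack(MAGIC, key_id, op, fingerprint(key_id, op, src_ip), seq)
    return Packet(src_ip, wm, payload)

def match_single(pkt: Packet) -> bool:
    """Claims 2 and 3: first matching result for one packet."""
    if len(pkt.watermark) != HDR.size:
        return False
    magic, key_id, op, fp, _seq = HDR.unpack(pkt.watermark)
    if magic != MAGIC or key_id not in KEYS:
        return False
    try:
        return fp == fingerprint(key_id, op, pkt.src_ip)
    except ValueError:
        return False

def count_condition(seqs: List[int], threshold: int) -> bool:
    """Claim 4: count packets whose sequence number is not less than the previous
    packet's and less than the next packet's; the condition holds when the count
    reaches the threshold (the threshold must be smaller than the batch size)."""
    found = sum(1 for i in range(1, len(seqs) - 1) if seqs[i - 1] <= seqs[i] < seqs[i + 1])
    return found >= threshold

def regression_condition(seqs: List[int]) -> bool:
    """Claim 5: least-squares slope b of sequence number against reception order > 0."""
    n = len(seqs)
    xs = range(1, n + 1)
    xbar, ybar = sum(xs) / n, sum(seqs) / n
    num = sum((x - xbar) * (y - ybar) for x, y in zip(xs, seqs))
    den = sum((x - xbar) ** 2 for x in xs)
    return den > 0 and num / den > 0

def match_batch(pkts: List[Packet], threshold: int, rule: str = "count") -> bool:
    """Claim 1: second matching result over a batch of consecutively received packets.
    Every fingerprint must verify and all sequence numbers must differ; then the
    chosen predetermined condition (claim 4 'count' or claim 5 'slope') must hold."""
    if not pkts or not all(match_single(p) for p in pkts):
        return False
    seqs = [HDR.unpack(p.watermark)[4] for p in pkts]
    if len(set(seqs)) != len(seqs):
        return False
    if rule == "slope":
        return regression_condition(seqs)
    return count_condition(seqs, threshold)

def forward_or_drop(pkts: List[Packet], threshold: int, rule: str = "count") -> str:
    """Forward the batch to the second object on success, otherwise discard it."""
    return "forward" if match_batch(pkts, threshold, rule) else "drop"
```

A replayed batch (repeated sequence numbers) and a batch whose source address does not match the fingerprint are both dropped, while a batch with distinct, increasing sequence numbers and valid fingerprints is forwarded.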
CN201810085054.0A 2018-01-29 2018-01-29 Service message transmission method and device, storage medium and electronic device Active CN110099027B (en)
Publications (2)

Publication Number Publication Date
CN110099027A CN110099027A (en) 2019-08-06
CN110099027B true CN110099027B (en) 2021-09-28

Family

ID=67441895