CN110213204A - Attack guarding method and device, equipment and readable storage medium storing program for executing - Google Patents
- Publication number: CN110213204A
- Application number: CN201810204686.4A
- Authority: CN (China)
- Prior art keywords: packet, message, icmp, icmp packet, information
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Abstract
The invention discloses an attack protection method and apparatus, a device, and a readable storage medium. The method includes: when it is detected that a destination IP is under an ICMP FLOOD attack, intercepting the ICMP packets sent to the destination IP and determining whether each ICMP packet is a retransmitted packet; when it is a retransmitted packet, forwarding the ICMP packet to the server; when it is not a retransmitted packet, discarding the ICMP packet. Because a sender attacking the destination IP sends ICMP packets irregularly and does not retransmit, verifying whether an ICMP packet sent to the destination IP is a retransmission effectively determines whether the sender is an attacking end or a normal end. Non-retransmitted packets sent by an attacking end are discarded, while ICMP packets sent by a normal end can be forwarded, so the method protects against ICMP FLOOD attacks while avoiding the mistaken dropping of normal packets and the false reports of service anomalies that such drops cause.
Description
Technical field
The present invention relates to the technical field of network communication security, and in particular to an attack protection method and apparatus, a device, and a readable storage medium.
Background
An Internet Control Message Protocol flood (ICMP FLOOD) attack is a common type of distributed denial-of-service (DDoS) attack. ICMP FLOOD is a typical bandwidth-blocking DDoS technique: a botnet sends a large volume of junk ICMP packets to the attacked server, so that the server's bandwidth is congested and normal requests cannot be answered, which achieves the goal of denying service.
In the prior art, ICMP FLOOD attacks are mitigated by limiting the number of ICMP packets that are passed through (rate limiting). This approach has the following disadvantages: (1) It also restricts normal ICMP packets, so legitimate packets are mistakenly dropped; dropping them causes probe tests to misjudge, which leads to false reports of service anomalies. (2) Many probing servers on today's networks rely exclusively on ICMP packets for batch probing; if such a server is under an ICMP FLOOD attack and rate limiting is applied, the probing server's service is seriously affected and the probing service becomes unavailable. (3) When the attacking ends are highly dispersed, the number of ICMP packets that rate limiting passes through is still relatively large, which makes the service unavailable.
Summary of the invention
The main purpose of the present invention is to provide an attack protection method and apparatus, a device, and a readable storage medium, intended to solve the technical problems of prior-art attack protection methods: they mistakenly drop legitimate packets and cause false reports of service anomalies; they affect the service of probing servers and make the probing service unavailable; and they make the service unavailable when the attacking ends are highly dispersed.
To achieve the above purpose, a first aspect of the present invention provides an attack protection method, comprising:
When it is detected that a destination Internet Protocol (IP) address is under an ICMP FLOOD attack, intercepting the ICMP packets sent to the destination IP;
When the ICMP packet is a retransmitted packet, forwarding the ICMP packet to the server;
When the ICMP packet is not a retransmitted packet, discarding the ICMP packet.
To achieve the above purpose, a second aspect of the present invention provides an attack protection apparatus, comprising:
An interception module, configured to intercept the ICMP packets sent to the destination IP when it is detected that a destination Internet Protocol (IP) address is under an ICMP FLOOD attack;
A first forwarding module, configured to forward the ICMP packet to the server when the ICMP packet is a retransmitted packet;
A discard module, configured to discard the ICMP packet when the ICMP packet is not a retransmitted packet.
To achieve the above purpose, a third aspect of the present invention provides a device, comprising: a memory, a processor, and a computer program stored in the memory and run on the processor. When the processor executes the computer program, it implements each step of the attack protection method provided by the first aspect of the embodiments of the present invention.
To achieve the above purpose, a fourth aspect of the present invention provides a computer-readable storage medium on which a computer program is stored. When the computer program is executed by a processor, it implements each step of the attack protection method provided by the first aspect of the present invention.
The present invention provides an attack protection method: when it is detected that a destination IP is under an ICMP FLOOD attack, the ICMP packets sent to the destination IP are intercepted; when an ICMP packet is a retransmitted packet, it is forwarded to the server; when it is not a retransmitted packet, it is discarded. Compared with the prior art, the method takes into account that a sender attacking the destination IP sends ICMP packets irregularly and does not retransmit. Verifying whether an ICMP packet sent to the destination IP is a retransmission therefore effectively determines whether the sender is an attacking end or a normal end, so that non-retransmitted packets sent by an attacking end can be discarded and ICMP packets sent by a normal end can be forwarded. This protects against ICMP FLOOD attacks while avoiding the mistaken dropping of normal packets and the resulting false reports of service anomalies. For a probing server, the ICMP packets that reach it are all sent by normal ends, which effectively avoids any impact on the probing service. And when the attacking ends are highly dispersed, the ICMP packets they send can still be effectively identified, which avoids any impact on the service.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; a person skilled in the art can obtain other drawings from them without creative effort.
Fig. 1a is a schematic framework diagram of the protection system in an embodiment of the present invention;
Fig. 1b is a flow diagram of the attack protection method in an embodiment of the present invention;
Fig. 2 is another flow diagram of the attack protection method in an embodiment of the present invention;
Fig. 3 is a schematic diagram showing that an attacking end cannot bypass retransmission verification in an embodiment of the present invention;
Fig. 4 is a schematic diagram of retransmission verification for a normal end in an embodiment of the present invention;
Fig. 5 is a structural diagram of the attack protection apparatus in an embodiment of the present invention;
Fig. 6 is another structural diagram of the attack protection apparatus in an embodiment of the present invention;
Fig. 7 is a structural block diagram of a device.
Detailed description of the embodiments
To make the purpose, features and advantages of the present invention clearer and easier to understand, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person skilled in the art based on these embodiments without creative effort fall within the protection scope of the present invention.
Prior-art attack protection methods have the technical problem of mistakenly dropping legitimate packets and thereby causing false reports of service anomalies.
To solve this problem, the present invention proposes an attack protection method. Compared with the prior art, the method takes into account that a sender attacking the destination IP sends ICMP packets irregularly and does not retransmit. Verifying whether an ICMP packet sent to the destination IP is a retransmission therefore effectively determines whether the sender is an attacking end or a normal end, so that non-retransmitted packets sent by an attacking end can be discarded and ICMP packets sent by a normal end can be forwarded. This protects against ICMP FLOOD attacks while avoiding the mistaken dropping of normal packets and the resulting false reports of service anomalies. For a probing server, the ICMP packets that reach it are all sent by normal ends, which effectively avoids any impact on the probing service. And when the attacking ends are highly dispersed, the ICMP packets they send can still be effectively identified, which avoids any impact on the service.
Refer to Fig. 1a, a schematic framework diagram of the protection system in an embodiment of the present invention. The protection system includes a protection end, a server end and clients, where the clients include attacking ends and normal ends. A client sends ICMP packets to the protection end, and the protection end verifies whether each ICMP packet is a retransmitted packet. If the ICMP packet is determined to be a retransmitted packet, it is forwarded to the server end; if the ICMP packet is determined not to be a retransmitted packet, it is discarded. ICMP packets are thus filtered effectively, and ICMP packets sent by normal ends are not mistakenly dropped while protection against ICMP FLOOD attacks is maintained.
Refer to Fig. 1b, a flow diagram of the attack protection method in an embodiment of the present invention. The method includes:
Step 101: when it is detected that a destination IP is under an ICMP FLOOD attack, intercept the ICMP packets sent to the destination IP; then execute step 102 or step 103;
Step 102: when the ICMP packet is a retransmitted packet, forward the ICMP packet to the server;
Step 103: when the ICMP packet is not a retransmitted packet, discard the ICMP packet.
In this embodiment, the attack protection method is implemented by an attack protection apparatus (hereinafter: the protection apparatus). The protection apparatus is a program module stored in the readable storage medium of a device. The device may specifically be the protection end (a protection server), and the processor in the protection end can invoke the protection apparatus in the readable storage medium to implement the above protection method.
In this embodiment, a monitoring device monitors the packets sent by clients and determines the number of ICMP packets sent to each destination IP within a preset period. ICMP packets do not carry specific service data. When the number of ICMP packets sent to a given destination IP within the preset period is greater than or equal to a preset safety threshold, the destination IP is under an ICMP FLOOD attack. The preset period may be 5 seconds, 10 seconds, and so on.
After the destination IP is detected to be under an ICMP FLOOD attack, the protection apparatus intercepts the ICMP packets sent to the destination IP and obtains the packet information of each ICMP packet, which includes the source IP, the destination IP and the message type. The message type is the ICMP type.
Retransmission verification means verifying whether an ICMP packet sent to the destination IP is a retransmitted packet; the protection apparatus uses the packet information of the ICMP packet to perform retransmission verification on it.
The principle of using retransmission verification to decide whether an ICMP packet is an attack packet is as follows. An attacking end carrying out an ICMP FLOOD attack on the destination IP sends ICMP packets irregularly, for example with a constantly changing source IP. Such irregular sending means that the ICMP packets it sends include no retransmissions, so they cannot pass retransmission verification. A client that sends ICMP packets to the destination IP normally does so regularly: for example, the source IP used by a normal end is relatively fixed and a retransmission is sent within a specified time, so the ICMP packets sent by a normal end include retransmissions and can pass retransmission verification.
In this embodiment, when an ICMP packet passes retransmission verification, it is a retransmitted packet and the protection apparatus forwards it to the server; when an ICMP packet does not pass retransmission verification, it is not a retransmitted packet and the protection apparatus discards it.
In this embodiment, when it is detected that a destination IP is under an ICMP FLOOD attack, the ICMP packets sent to the destination IP are intercepted; when an ICMP packet is a retransmitted packet, it is forwarded to the server; when it is not a retransmitted packet, it is discarded. Compared with the prior art, the method takes into account that a sender attacking the destination IP sends ICMP packets irregularly and does not retransmit. Verifying whether an ICMP packet sent to the destination IP is a retransmission therefore effectively determines whether the sender is an attacking end or a normal end, so that non-retransmitted packets sent by an attacking end can be discarded and ICMP packets sent by a normal end can be forwarded. This protects against ICMP FLOOD attacks while avoiding the mistaken dropping of normal packets and the resulting false reports of service anomalies. For a probing server, the ICMP packets that reach it are all sent by normal ends, which effectively avoids any impact on the probing service. And when the attacking ends are highly dispersed, the ICMP packets they send can still be effectively identified, which avoids any impact on the service.
Refer to Fig. 2, a flow diagram of the attack protection method in an embodiment of the present invention. The method includes:
Step 201: when it is detected that a destination IP is under an ICMP FLOOD attack, intercept the ICMP packets sent to the destination IP, and obtain the ICMP type, the ICMP packet length and the fragment field value of each ICMP packet;
Step 202: when the ICMP type is not a preset legal type, or the ICMP packet length is greater than or equal to the preset packet length, or the fragment field value identifies the ICMP packet as a fragment, determine that the ICMP packet is an attack packet and discard it;
Step 203: when the ICMP type is a preset legal type, the ICMP packet length is less than the preset packet length, and the fragment field value identifies the ICMP packet as a non-fragment, obtain the sender information of the ICMP packet; then continue with step 204;
In this embodiment, when it is detected that a destination IP is under an ICMP FLOOD attack, the ICMP packets sent to the destination IP are intercepted and a legitimacy check is performed on each ICMP packet.
Specifically, the protection apparatus obtains the ICMP type, the ICMP packet length and the fragment field value of the ICMP packet.
The ICMP types are listed in the following table:
In the above type table, the legal types are type 0 and type 8; all other types are illegal types.
The ICMP type is stored in the type field of the ICMP packet. The protection apparatus reads the value of the type field; when the value indicates type 0 or type 8, the ICMP type is a legal type and the ICMP packet is a legal packet. Otherwise the type is illegal and the ICMP packet is an illegal packet, that is, an attack packet. The ICMP type can therefore be used to effectively identify whether an ICMP packet is a reflection-type ICMP attack packet.
The header of the ICMP packet contains a packet length field, whose value the protection apparatus can read. When the ICMP packet length represented by the value exceeds the preset packet length, the ICMP packet is an attack packet; when the ICMP packet length represented by the value is less than the preset packet length, the ICMP packet is a legal packet. The ICMP packet length can therefore be used to effectively identify whether an ICMP packet is a large-packet ICMP attack packet.
The header of the ICMP packet also contains a fragment field, whose value the protection apparatus can read. When the fragment field value indicates that the ICMP packet is a fragment, the ICMP packet is determined to be an attack packet; when the fragment field value indicates that the ICMP packet is not a fragment, the ICMP packet is determined to be a legal packet. The fragment field value of the ICMP packet can therefore be used to effectively identify whether the ICMP packet is a fragment.
In this embodiment, of the ICMP type, ICMP packet length and fragment field value obtained for the ICMP packet, it is enough for any one parameter to indicate an attack packet for the ICMP packet to be directly determined to be an attack packet. That is, when the ICMP type is not a preset legal type, or the ICMP packet length is greater than or equal to the preset packet length, or the fragment field value identifies the ICMP packet as a fragment, the ICMP packet is determined to be an attack packet and the protection apparatus discards it.
When the ICMP type is a preset legal type, the ICMP packet length is less than the preset packet length, and the fragment field value identifies the ICMP packet as a non-fragment, a further check determines whether the ICMP packet was sent by a normal end: whether the sender information of the ICMP packet is in the trust list.
Step 204: search the trust list, which contains the sender information of ICMP packets that have been verified as retransmitted packets;
Step 205: when the sender information is not found in the trust list, obtain the packet information of the ICMP packet;
The protection end maintains a trust list, which contains the sender information of senders that have passed retransmission verification.
In this embodiment, after an ICMP packet passes the legitimacy check, the sender information of the ICMP packet is obtained. The sender information includes at least the source IP that sent the ICMP packet, and may also include the time-to-live (TTL) value of the ICMP packet sent by the sender.
It can be understood that the trust list can be built from the packet information of ICMP packets that passed retransmission verification. ICMP packets sent by a sender whose sender information is in the trust list can be forwarded to the server, whereas ICMP packets sent by senders not in the trust list need to undergo retransmission verification.
The protection apparatus uses the sender information and the trust list to determine whether the sender of the ICMP packet can be trusted. When the trust list contains the sender information, the sender is trusted and the ICMP packet is forwarded to the server. When the trust list does not contain the sender information, the packet information of the ICMP packet is obtained and retransmission verification is performed to determine whether the ICMP packet is a retransmitted packet. For the specific retransmission verification method, see step 206 and step 207.
Step 206: search the first-packet database to determine whether it contains first-packet information identical to the packet information. The first-packet database contains the correspondence between the first-packet information of the first ICMP packet sent by a sender and the time at which that first ICMP packet was received;
Step 207: determine from the lookup result whether the ICMP packet is a retransmitted packet;
Step 208: when the ICMP packet is a retransmitted packet, forward the ICMP packet to the server;
Step 209: when the ICMP packet is not a retransmitted packet, discard the ICMP packet.
In this embodiment, when the trust list does not contain the sender information, the ICMP packet was not sent by a trusted sender: it may be an attack packet, or it may be a packet that has not yet undergone retransmission verification. In this case the protection apparatus performs retransmission verification on the ICMP packet.
Retransmission verification uses the first-packet database, which contains the correspondence between the first-packet information of the first ICMP packet sent by a sender and the time at which that first ICMP packet was received. For example, if a sender sends five ICMP packets A, B, C, D and E to the destination IP, packet A is a first packet; and if the time interval between packet B and packet C is greater than the preset duration, packet C is also considered a first packet. When the protection apparatus determines that an ICMP packet is a first packet, it records the correspondence between the first-packet information of that ICMP packet and the time at which the packet was received in the first-packet database.
In this embodiment, the protection apparatus searches the first-packet database to determine whether it contains first-packet information identical to the packet information of the intercepted ICMP packet, and determines from the lookup result whether the ICMP packet is a retransmitted packet.
Specifically, when first-packet information identical to the packet information is found, and the time elapsed since the receive time associated with that first-packet information is less than or equal to the preset period, the ICMP packet is determined to be a retransmitted packet. For example, suppose the packet information has source IP IP1, destination IP IP2 and ICMP type 0. If identical first-packet information is found in the first-packet database, the time elapsed between the receive time of that first-packet information and the current time is determined; if it is 3 seconds, which is less than the preset period of 7 seconds, the ICMP packet is determined to be a retransmitted packet.
Alternatively, when no first-packet information identical to the packet information is found, or when identical first-packet information is found but the time elapsed since its associated receive time is greater than the preset period, the ICMP packet is determined not to be a retransmitted packet.
It can be understood that, to simplify lookups, the first-packet database can be updated in real time based on receive time. For example, if the duration used to decide whether a packet is a retransmission is 10 seconds, the first-packet database retains only the first-packet information from the most recent 10 seconds, and all first-packet entries whose receive time is more than 10 seconds before the current time are deleted. In this case, a packet can be determined to be a retransmission as soon as identical first-packet information is found in the first-packet database, and determined not to be a retransmission if no identical first-packet information is found.
Further, in this embodiment, when an ICMP packet is determined to be a retransmitted packet, the sender information of the ICMP packet is added to the trust list.
Further, in this embodiment, when an ICMP packet is determined not to be a retransmitted packet, it may be an attack packet or a first packet. Whichever it is, the protection apparatus discards the ICMP packet, assumes it to be a first packet, and adds the correspondence between its packet information and its receive time to the first-packet database, so that if an ICMP packet with identical packet information is intercepted within the specified period, that packet can be determined to be a retransmission. For example, if packet A is determined not to be a retransmission, the correspondence between packet A's packet information B and receive time C is added to the first-packet database. If, within the specified 10 seconds (that is, within 10 seconds of receive time C), packet D is intercepted and packet D has packet information B, the same as packet A, then packet D is determined to be a retransmitted packet.
For a better understanding of retransmission verification in the embodiments of the present invention, refer to Fig. 3, a schematic diagram showing that an attacking end cannot bypass retransmission verification, and Fig. 4, a schematic diagram of retransmission verification for a normal end. As Fig. 3 shows, the attacking end sends packets a1, a2, a3 and a4 (all ICMP packets) irregularly, so they cannot pass retransmission verification; every packet that fails retransmission verification is discarded and is not forwarded to the server end. In Fig. 4, the protection end intercepts packet b1 sent by the client. Packet b1 does not pass retransmission verification, so the protection end discards it and adds its packet information to the first-packet database. Within the specified time, the protection end intercepts packet b2 sent by the client and determines that the packet information of b2 is identical to that of b1; packet b2 therefore passes retransmission verification and is a retransmitted packet. The protection end adds the source IP and TTL of packet b2 to the trust list, and goes on to forward packets b3 and b4, whose source IP and TTL are the same as those of b2, to the server end, which returns the corresponding responses.
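The Fig. 2 flow (steps 201 to 209) written out as a runnable sketch. This is an added example, not code from the patent: the class and field names, the 1024-byte packet-length limit and the constructed packet trace are assumptions, and the 7-second window follows the text's own example.

```python
from dataclasses import dataclass, field

LEGAL_TYPES = {0, 8}     # the two legal ICMP types named in the text
MAX_PACKET_LEN = 1024    # assumed "preset packet length" in bytes
RETRANS_WINDOW = 7.0     # preset period in seconds (7 s, as in the text's example)


@dataclass(frozen=True)
class IcmpPacket:
    src_ip: str
    dst_ip: str
    icmp_type: int
    length: int
    is_fragment: bool
    ttl: int


@dataclass
class RetransmitFilter:
    trust: set = field(default_factory=set)         # {(source IP, TTL)}
    first_seen: dict = field(default_factory=dict)  # {(src, dst, type): receive time}

    def _expire(self, now):
        # Keep only first-packet entries that are still inside the window.
        stale = [k for k, t in self.first_seen.items() if now - t > RETRANS_WINDOW]
        for k in stale:
            del self.first_seen[k]

    def handle(self, pkt, now):
        # Step 202: legitimacy check; any single failing parameter drops the packet.
        if pkt.icmp_type not in LEGAL_TYPES:
            return "drop:type"
        if pkt.length >= MAX_PACKET_LEN:
            return "drop:length"
        if pkt.is_fragment:
            return "drop:fragment"
        # Step 204: senders that already passed retransmission verification.
        sender = (pkt.src_ip, pkt.ttl)
        if sender in self.trust:
            return "forward:trusted"
        # Steps 206-207: look for identical first-packet information in the window.
        self._expire(now)
        key = (pkt.src_ip, pkt.dst_ip, pkt.icmp_type)
        if key in self.first_seen:
            self.trust.add(sender)      # retransmission: trust the sender
            return "forward:retransmit"
        # Step 209: not a retransmission; drop it but record it as a first packet.
        self.first_seen[key] = now
        return "drop:first-packet"


def replay(trace):
    """Run (time, packet) pairs through a fresh filter; return verdicts and filter."""
    flt = RetransmitFilter()
    return [flt.handle(pkt, t) for t, pkt in trace], flt


def _p(src, icmp_type=8, length=64, frag=False, ttl=64):
    return IcmpPacket(src, "203.0.113.5", icmp_type, length, frag, ttl)


# Constructed trace (documentation address ranges), not captured traffic.
TRACE = [
    (0.0, _p("198.51.100.1")),               # a1: changing source, no retransmit
    (0.1, _p("198.51.100.2")),               # a2
    (0.2, _p("198.51.100.3", icmp_type=3)),  # illegal type
    (0.3, _p("198.51.100.4", length=1400)),  # oversized
    (0.4, _p("198.51.100.5", frag=True)),    # fragment
    (1.0, _p("192.0.2.10")),                 # b1: first packet, dropped
    (2.0, _p("192.0.2.10")),                 # b2: retransmission, forwarded
    (3.0, _p("192.0.2.10")),                 # b3: trusted
    (4.0, _p("192.0.2.10")),                 # b4: trusted
    (5.0, _p("192.0.2.20")),                 # slow client, first packet
    (13.0, _p("192.0.2.20")),                # 8 s later: outside the 7 s window
    (14.0, _p("192.0.2.20")),                # 1 s later: retransmission
]

if __name__ == "__main__":
    verdicts, _ = replay(TRACE)
    for (t, pkt), v in zip(TRACE, verdicts):
        print(f"{t:5.1f}s {pkt.src_ip:<14} {v}")
```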
It should be noted that, in actual execution, the legitimacy check, the trust-list lookup and retransmission verification on an ICMP packet are not limited to the order shown in the Fig. 2 embodiment. They may also proceed as follows:
When it is detected that a destination IP is under an ICMP FLOOD attack, the ICMP packets sent to the destination IP are intercepted, the sender information of each ICMP packet is obtained, and the trust list is searched using that sender information. When the sender information is found in the trust list, the ICMP packet is determined to have been sent by a trusted sender and is forwarded to the server. When the sender information is not found in the trust list, a legitimacy check is performed on the ICMP packet; if it passes, the packet information is obtained and used for retransmission verification. The order in this process is therefore: trust-list lookup, legitimacy check, retransmission verification.
Alternatively, when it is detected that a destination IP is under an ICMP FLOOD attack, the ICMP packets sent to the destination IP are intercepted and a legitimacy check is performed on each ICMP packet. After the ICMP packet passes the legitimacy check, retransmission verification is performed on it; when the ICMP packet does not pass retransmission verification, the trust list is then searched. The order in this process is therefore: legitimacy check, retransmission verification, trust-list lookup.
It should be noted that ICMP packets that the legitimacy check can filter out can also be filtered out by retransmission verification. In the embodiments of the present invention, the legitimacy check is usually performed before retransmission verification, which effectively reduces the volume of data in the first-packet database and reduces resource usage. Alternatively, only one of the legitimacy check and the trust-list lookup may be performed.
It should be noted that, in the embodiment of the present invention, the source IPs in the trust list can additionally be monitored to determine whether the trust list contains a malicious source IP. Specifically, the protection device can also perform the following steps:
Step A: monitor the number of ICMP packets sent by the source IPs in the trust list;
Step B: when, within a preset period, the number of ICMP packets sent by a source IP is greater than or equal to a preset threshold, delete the source IP, or the source IP and its time-to-live (TTL) value, from the trust list.
In the embodiment of the present invention, the trust list contains the source IPs and TTLs that have passed retransmission verification. The protection device monitors the number of ICMP packets sent by the source IPs in the trust list; when, within the preset period, the number of ICMP packets sent by a source IP is greater than or equal to the preset threshold, this indicates that the source IP is a malicious source IP, and the source IP, or the source IP and TTL value, is deleted from the trust list.
Further, the protection device can also maintain a distrust list, which contains the source IPs that monitoring of the trust list has determined to be malicious sources. Therefore, after the source IP, or the source IP and TTL value, is deleted from the trust list, the source IP, or the source IP and TTL value, can be added to the distrust list. The protection device will intercept and drop the ICMP packets sent by all source IPs in the distrust list.
In the embodiment of the present invention, when it is detected that the destination IP is under an ICMP FLOOD attack, the ICMP packets sent to the destination IP are intercepted, and legitimacy verification is performed using the ICMP type, ICMP packet length and fragment field value of each ICMP packet. When the packet fails legitimacy verification, it is an attack packet and is dropped. When it passes legitimacy verification, it is determined whether the sender information of the ICMP packet is in the trust list. If it is in the trust list, the ICMP packet is forwarded to the server; if it is not, retransmission verification is performed on the ICMP packet. When the ICMP packet is determined to be a retransmitted message, it is forwarded to the server; when it is determined not to be a retransmitted message, it is dropped. In this way, it can be effectively determined whether an ICMP packet is an attack packet. Compared with rate limiting of ICMP packets, this effectively avoids mistakenly dropping ICMP packets and avoids false alarms of service anomalies. For a probing server, the ICMP packets that reach it are all sent by normal ends, which effectively avoids impact on the probing service. And where the attack ends are highly dispersed, the ICMP packets sent by the attack ends can still be effectively identified, avoiding impact on the service.
The protection method in the embodiment of the present invention can effectively protect against ICMP FLOOD attacks in various scenarios without mistakenly dropping normal ICMP packets, avoids passing attack packets through, and effectively improves the effectiveness of protection against DDoS attacks. It provides an important safeguard for services that depend heavily on ICMP packets, such as probing servers; in addition, it avoids impact on services with weaker performance.
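The decision flow described above (legitimacy verification, trust list lookup, retransmission verification, and the trust list monitoring of Steps A and B with a distrust list) is modelled below in Python. This is an added example, not code from the patent: the numeric presets, the fields compared in `message_info`, and all class and function names are assumptions, and the traffic is constructed sample data using documentation address ranges.

```python
from dataclasses import dataclass

# Assumed values: the patent only calls these "preset" and gives no numbers.
LEGAL_TYPES = {0, 8}     # ICMP echo reply / echo request
MAX_ICMP_LEN = 1024      # a length >= this fails legitimacy verification
RETRANS_WINDOW = 3.0     # seconds in which a repeat counts as a retransmission
MONITOR_PERIOD = 1.0     # seconds, window for monitoring trusted sources
MONITOR_THRESHOLD = 5    # packets per period that demote a trusted source


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    ttl: int
    icmp_type: int
    ident: int
    seq: int
    length: int
    fragmented: bool = False   # MF flag set or fragment offset non-zero

    def sender_info(self):
        # The page allows source IP alone, or source IP plus TTL; both are used here.
        return (self.src, self.ttl)

    def message_info(self):
        # Assumed field set: a retransmission repeats every one of these values.
        return (self.src, self.dst, self.ttl, self.icmp_type, self.ident, self.seq)


class IcmpFloodGuard:
    def __init__(self):
        self.first_packets = {}   # message_info -> receive time of first packet
        self.trusted = {}         # sender_info -> receive times inside the period
        self.distrusted = set()   # sender_info removed from the trust list

    def is_legitimate(self, pkt):
        return (pkt.icmp_type in LEGAL_TYPES
                and pkt.length < MAX_ICMP_LEN
                and not pkt.fragmented)

    def handle(self, pkt, now):
        """Return the verdict for one intercepted packet received at time `now`."""
        sender = pkt.sender_info()
        if sender in self.distrusted:
            return "drop:distrusted"
        if not self.is_legitimate(pkt):
            return "drop:illegitimate"
        if sender in self.trusted:
            return self._monitor(sender, now)
        key = pkt.message_info()
        first_seen = self.first_packets.get(key)
        if first_seen is not None and now - first_seen <= RETRANS_WINDOW:
            self.trusted[sender] = []          # verified: add sender to trust list
            return "forward:retransmission"
        self.first_packets[key] = now          # new or expired: record, then drop
        return "drop:first-packet"

    def _monitor(self, sender, now):
        # Steps A and B: count packets from a trusted source within the period.
        recent = [t for t in self.trusted[sender] if now - t < MONITOR_PERIOD]
        recent.append(now)
        if len(recent) >= MONITOR_THRESHOLD:
            del self.trusted[sender]
            self.distrusted.add(sender)
            return "drop:demoted"              # dropping this packet is a choice made here
        self.trusted[sender] = recent
        return "forward:trusted"


def run_demo():
    """Replay constructed traffic and return the list of verdicts."""
    guard = IcmpFloodGuard()

    def ping(src, seq, fragmented=False):
        return IcmpPacket(src, "192.0.2.10", 57, 8, 1, seq, 64, fragmented)

    events = [
        (0.0, ping("198.51.100.7", 1)),        # b1: first packet from a normal sender
        (1.0, ping("198.51.100.7", 1)),        # b2: its retransmission
        (1.5, ping("198.51.100.7", 2)),        # b3: same source IP and TTL, now trusted
        (1.6, ping("203.0.113.1", 9)),         # one-shot packets, never repeated
        (1.6, ping("203.0.113.2", 9)),
        (1.7, ping("203.0.113.3", 9, fragmented=True)),
        (2.0, ping("198.51.100.9", 4)),        # slow sender: repeat arrives too late
        (9.0, ping("198.51.100.9", 4)),
        (10.0, ping("198.51.100.9", 4)),       # within the window of the refreshed entry
    ]
    # A trusted source that starts flooding reaches the threshold and is demoted.
    events += [(20.0 + i / 10, ping("198.51.100.7", 100 + i)) for i in range(6)]
    return [guard.handle(pkt, t) for t, pkt in events]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The first-packet table is state that unauthenticated traffic can grow, which is why the page runs legitimacy verification before retransmission verification; a deployment would also bound or age out that table.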
Referring to Fig. 5, the attack protection device in the embodiment of the present invention includes:
Interception module 501, for intercepting the ICMP packets sent to a destination Internet Protocol (IP) address when it is detected that the destination IP is under an ICMP FLOOD attack;
First forwarding module 502, for forwarding the ICMP packet to the server when the ICMP packet is a retransmitted message;
Discard module 503, for dropping the ICMP packet when the ICMP packet is not a retransmitted message.
In the embodiment of the present invention, the content of the device shown in Fig. 5 is similar to the description of each step in the embodiment shown in Fig. 1b; refer to Fig. 1b for details, which are not repeated here.
In the embodiment of the present invention, when it is detected that the destination IP is under an ICMP FLOOD attack, the ICMP packets sent to the destination IP are intercepted; when an ICMP packet is a retransmitted message, it is forwarded to the server, and when it is not a retransmitted message, it is dropped. Compared with the prior art, this takes into account that a sender attacking the destination IP sends ICMP packets irregularly and does not retransmit them. Verifying whether an ICMP packet sent to the destination IP is a retransmitted message therefore makes it possible to determine effectively whether the sender is an attack end or a normal end, so that the non-retransmitted messages sent by attack ends can be dropped and the ICMP packets sent by normal ends can be forwarded. While protecting against the ICMP FLOOD attack, this avoids mistakenly dropping normal packets and avoids false alarms of service anomalies. For a probing server, the ICMP packets that reach it are all sent by normal ends, which effectively avoids impact on the probing service. And where the attack ends are highly dispersed, the ICMP packets sent by the attack ends can still be effectively identified, avoiding impact on the service.
Referring to Fig. 6, the attack protection device in the embodiment of the present invention includes the interception module 501, the first forwarding module 502 and the discard module 503 of the embodiment shown in Fig. 5; their content is similar to that described in the embodiment shown in Fig. 5 and is not repeated here.
In the embodiment of the present invention, the device further includes:
First obtaining module 601, for obtaining the message information of the ICMP packet after the interception module 501;
First searching module 602, for searching the first-packet message database to determine whether there is first-packet message information identical to the message information, the first-packet message database containing the correspondence between the first-packet message information of the first ICMP packet sent by a sender and the receiving time of that first ICMP packet;
Determining module 603, for determining, according to the search result, whether the ICMP packet is a retransmitted message;
The determining module 603 is specifically used for:
when first-packet message information identical to the message information is found, and the time elapsed since the receiving time corresponding to the identical first-packet message information is less than or equal to a preset duration, determining that the ICMP packet is a retransmitted message;
when no first-packet message information identical to the message information is found, or when first-packet message information identical to the message information is found and the time elapsed since the receiving time corresponding to the identical first-packet message information is greater than the preset duration, determining that the ICMP packet is not a retransmitted message.
In the embodiment of the present invention, the device further includes:
Second obtaining module 604, for obtaining the sender information of the ICMP packet before the first obtaining module 601; it can be understood that the second obtaining module 604 may also be executed when the ICMP packet is not a retransmitted message.
Second searching module 605, for searching the trust list, the trust list containing the sender information of ICMP packets that have been verified as retransmitted messages;
First execution module 606, for executing the first obtaining module 601 when the sender information is not found in the trust list; it can be understood that, if the second obtaining module 604 is executed when the ICMP packet is not a retransmitted message, the first execution module triggers execution of the discard module 503;
Second forwarding module 607, for forwarding the ICMP packet to the server when the sender information is found in the trust list.
In the embodiment of the present invention, the sender information includes the source IP, or includes the source IP and the time-to-live (TTL) value;
The device further includes:
Monitoring module, for monitoring the number of ICMP packets sent by the source IPs in the trust list;
Deletion module, for deleting the source IP, or the source IP and TTL value, from the trust list when, within a preset period, the number of ICMP packets sent by the source IP is greater than or equal to a preset threshold.
The device in the embodiment of the present invention further includes:
Third obtaining module 608, for obtaining the ICMP type, ICMP packet length and fragment field value of the ICMP packet before the first obtaining module 601;
Packet dropping module 609, for determining that the ICMP packet is an attack packet and dropping it when the ICMP type is not a preset legal type, or when the ICMP packet length is greater than or equal to a preset packet length, or when the fragment field value identifies the ICMP packet as a fragmented packet;
Execution module 610, for triggering the first obtaining module 601 when the ICMP type is a preset legal type, the ICMP packet length is less than the preset packet length, and the fragment field value identifies the ICMP packet as a non-fragmented packet.
In the embodiment of the present invention, the content of the device shown in Fig. 6 is similar to the description of each step in the embodiment shown in Fig. 2; refer to Fig. 2 for details, which are not repeated here.
The embodiment of the present invention also provides equipment, including a memory, a processor, and a computer program stored on the memory and run on the processor; when the processor executes the computer program, each step of the attack protection method in the embodiment shown in Fig. 1b or Fig. 2 is implemented.
The embodiment of the present invention also provides a readable storage medium on which a computer program is stored; when the computer program is executed by a processor, each step of the attack protection method in the embodiment shown in Fig. 1b or Fig. 2 is implemented.
It can be understood that, in the embodiment of the present invention, the above attack protection device is a piece of equipment, which may specifically be the protection end. To better understand the technical solution in the embodiment of the present invention, refer to Fig. 7, which is a structural diagram of equipment 70 in the embodiment of the present invention. The equipment 70 includes a processor 701, a memory 702 and a transceiver 703. The memory 702 may include read-only memory and random access memory, and provides operation instructions and data to the processor 701. A part of the memory 702 may also include non-volatile random access memory (NVRAM).
In some embodiments, the memory 702 stores the following elements: executable modules or data structures, or a subset of them, or a superset of them.
In the embodiment of the present invention, by calling the operation instructions stored in the memory 702 (the operation instructions may be stored in the operating system), the following process is executed: when it is detected that the destination IP is under an ICMP FLOOD attack, the ICMP packets sent to the destination IP are intercepted; when an ICMP packet is a retransmitted message, it is forwarded to the server; when it is not a retransmitted message, it is dropped.
Compared with the prior art, the equipment provided by the embodiment of the present invention takes into account that a sender attacking the destination IP sends ICMP packets irregularly and does not retransmit them. Verifying whether an ICMP packet sent to the destination IP is a retransmitted message therefore makes it possible to determine effectively whether the sender is an attack end or a normal end, so that the non-retransmitted messages sent by attack ends can be dropped and the ICMP packets sent by normal ends can be forwarded. While protecting against the ICMP FLOOD attack, this avoids mistakenly dropping normal packets and avoids false alarms of service anomalies. For a probing server, the ICMP packets that reach it are all sent by normal ends, which effectively avoids impact on the probing service. And where the attack ends are highly dispersed, the ICMP packets sent by the attack ends can still be effectively identified, avoiding impact on the service.
The processor 701 controls the operation of the equipment 70; the processor 701 may also be called a CPU (Central Processing Unit). The memory 702 may include read-only memory and random access memory, and provides instructions and data to the processor 701. A part of the memory 702 may also include non-volatile random access memory (NVRAM). In a specific application, the components of the equipment 70 are coupled together by a bus system 704, which, in addition to a data bus, may also include a power bus, a control bus, a status signal bus and so on. For clarity of illustration, however, the various buses are all labelled as the bus system 704 in the figure.
The method disclosed in the above embodiments of the present invention can be applied in the processor 701 or implemented by the processor 701. The processor 701 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method can be completed by an integrated logic circuit of hardware in the processor 701 or by instructions in the form of software. The above processor 910 can be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present invention. The general-purpose processor can be a microprocessor, or the processor can be any conventional processor. The steps of the method disclosed in connection with the embodiments of the present invention can be embodied directly as being executed and completed by a hardware decoding processor, or executed and completed by a combination of hardware and software modules in a decoding processor. The software module can be located in a storage medium that is mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory 702; the processor 701 reads the information in the memory 702 and completes the steps of the above method in combination with its hardware.
The above equipment 70 can be understood with reference to the descriptions of the embodiments shown in Fig. 1b and Fig. 2, and is not described further here.
In the several embodiments provided in this application, it should be understood that the disclosed device and method can be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into modules is only a division by logical function, and other divisions are possible in an actual implementation; for instance, multiple modules or components can be combined or integrated into another system, or some features can be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed can be an indirect coupling or communication connection through some interfaces, devices or modules, and can be electrical, mechanical or of another form.
The modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules; they may be located in one place or distributed over multiple network modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional modules in the embodiments of the present invention can be integrated in one processing module, or each module can exist physically on its own, or two or more modules can be integrated in one module. The integrated module can be implemented in the form of hardware or in the form of a software functional module.
If the integrated module is implemented in the form of a software functional module and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes instructions that cause a computer device (which can be a personal computer, a server, a network device or the like) to execute all or some of the steps of the methods of the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a magnetic disk or an optical disc.
It should be noted that, for simplicity of description, the method embodiments above are each stated as a series of combined actions, but those skilled in the art should understand that the present invention is not limited by the described order of actions, because according to the present invention certain steps can be performed in another order or simultaneously. Those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
In the above embodiments, the description of each embodiment has its own emphasis; for a part not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
The above is a description of the attack protection method and device, equipment and readable storage medium provided by the present invention. For those skilled in the art, the specific implementation and the scope of application may change in accordance with the idea of the embodiments of the present invention. In summary, the contents of this specification should not be construed as limiting the present invention.
Claims (15)
1. An attack protection method, characterized in that the method comprises:
when it is detected that a destination Internet Protocol (IP) address is under an Internet Control Message Protocol flood (ICMP FLOOD) attack, intercepting the ICMP packets sent to the destination IP;
when the ICMP packet is a retransmitted message, forwarding the ICMP packet to a server;
when the ICMP packet is not a retransmitted message, dropping the ICMP packet.
2. The method according to claim 1, characterized in that, after intercepting the ICMP packets sent to the destination IP, the method further comprises:
obtaining the message information of the ICMP packet;
searching a first-packet message database to determine whether there is first-packet message information identical to the message information, the first-packet message database containing the correspondence between the first-packet message information of the first ICMP packet sent by a sender and the receiving time of that first ICMP packet;
determining, according to the search result, whether the ICMP packet is a retransmitted message.
3. The method according to claim 2, characterized in that determining, according to the search result, whether the ICMP packet is a retransmitted message comprises:
when first-packet message information identical to the message information is found, and the time elapsed since the receiving time corresponding to the identical first-packet message information is less than or equal to a preset duration, determining that the ICMP packet is a retransmitted message;
when no first-packet message information identical to the message information is found, or when first-packet message information identical to the message information is found and the time elapsed since the receiving time corresponding to the identical first-packet message information is greater than the preset duration, determining that the ICMP packet is not a retransmitted message.
4. The method according to claim 2, characterized in that the method further comprises:
when the ICMP packet is not a retransmitted message, adding the correspondence between the message information of the ICMP packet and its receiving time to the first-packet message database.
5. The method according to any one of claims 2 to 4, characterized in that, before obtaining the message information of the ICMP packet, or before dropping the ICMP packet, the method further comprises:
obtaining the sender information of the ICMP packet;
searching a trust list, the trust list containing the sender information of ICMP packets that have been verified as retransmitted messages;
when the sender information is not found in the trust list, continuing to execute the step of obtaining the message information of the ICMP packet, or continuing to execute the step of dropping the ICMP packet;
when the sender information is found in the trust list, forwarding the ICMP packet to the server.
6. The method according to claim 5, characterized in that the method further comprises:
when the ICMP packet is a retransmitted message, adding the sender information of the ICMP packet to the trust list.
7. The method according to claim 5 or 6, characterized in that the sender information includes the source IP, or includes the source IP and the time-to-live (TTL) value;
the method further comprises:
monitoring the number of ICMP packets sent by the source IPs in the trust list;
when, within a preset period, the number of ICMP packets sent by a source IP is greater than or equal to a preset threshold, deleting the source IP, or the source IP and TTL value, from the trust list.
8. The method according to any one of claims 2 to 4, characterized in that, before obtaining the message information of the ICMP packet, the method further comprises:
obtaining the ICMP type, ICMP packet length and fragment field value of the ICMP packet;
when the ICMP type is not a preset legal type, or when the ICMP packet length is greater than or equal to a preset packet length, or when the fragment field value identifies the ICMP packet as a fragmented packet, determining that the ICMP packet is an attack packet and dropping the ICMP packet;
when the ICMP type is a preset legal type, the ICMP packet length is less than the preset packet length, and the fragment field value identifies the ICMP packet as a non-fragmented packet, continuing to execute the step of obtaining the message information of the ICMP packet.
9. An attack protection device, characterized in that the device comprises:
an interception module, for intercepting the ICMP packets sent to a destination Internet Protocol (IP) address when it is detected that the destination IP is under an Internet Control Message Protocol flood (ICMP FLOOD) attack;
a first forwarding module, for forwarding the ICMP packet to a server when the ICMP packet is a retransmitted message;
a discard module, for dropping the ICMP packet when the ICMP packet is not a retransmitted message.
10. The device according to claim 9, characterized in that the device further comprises:
a first obtaining module, for obtaining the sender information of the ICMP packet after the interception module;
a first searching module, for searching a first-packet message database to determine whether there is first-packet message information identical to the message information, the first-packet message database containing the correspondence between the first-packet message information of the first ICMP packet sent by a sender and the receiving time of that first ICMP packet;
a determining module, for determining, according to the search result, whether the ICMP packet is a retransmitted message;
the determining module being specifically used for:
when first-packet message information identical to the message information is found, and the time elapsed since the receiving time corresponding to the identical first-packet message information is less than or equal to a preset duration, determining that the ICMP packet is a retransmitted message;
when no first-packet message information identical to the message information is found, or when first-packet message information identical to the message information is found and the time elapsed since the receiving time corresponding to the identical first-packet message information is greater than the preset duration, determining that the ICMP packet is not a retransmitted message.
11. The device according to claim 10, characterized in that the device further comprises:
a second obtaining module, for obtaining the sender information of the ICMP packet before the first obtaining module, or when the ICMP packet is not a retransmitted message;
a second searching module, for searching a trust list, the trust list containing the sender information of ICMP packets that have been verified as retransmitted messages;
a first execution module, for executing the first obtaining module, or continuing to execute the discard module, when the sender information is not found in the trust list;
a second forwarding module, for forwarding the ICMP packet to the server when the sender information is found in the trust list.
12. The device according to claim 10, characterized in that the sender information includes the source IP, or includes the source IP and the time-to-live (TTL) value;
the device further comprises:
a monitoring module, for monitoring the number of ICMP packets sent by the source IPs in the trust list;
a deletion module, for deleting the source IP, or the source IP and TTL value, from the trust list when, within a preset period, the number of ICMP packets sent by the source IP is greater than or equal to a preset threshold.
13. The device according to claim 9 or 10, characterized in that the device further comprises:
a third obtaining module, for obtaining the ICMP type, ICMP packet length and fragment field value of the ICMP packet before the first obtaining module;
a packet dropping module, for determining that the ICMP packet is an attack packet and dropping the ICMP packet when the ICMP type is not a preset legal type, or when the ICMP packet length is greater than or equal to a preset packet length, or when the fragment field value identifies the ICMP packet as a fragmented packet;
an execution module, for triggering the first obtaining module when the ICMP type is a preset legal type, the ICMP packet length is less than the preset packet length, and the fragment field value identifies the ICMP packet as a non-fragmented packet.
14. Equipment, including a memory, a processor, and a computer program stored on the memory and run on the processor, characterized in that, when the processor executes the computer program, each step of the attack protection method according to any one of claims 1 to 8 is implemented.
15. A readable storage medium on which a computer program is stored, characterized in that, when the computer program is executed by a processor, each step of the attack protection method according to any one of claims 1 to 8 is implemented.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810204686.4A CN110213204B (en) | 2018-03-13 | 2018-03-13 | Attack protection method and device, equipment and readable storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810204686.4A CN110213204B (en) | 2018-03-13 | 2018-03-13 | Attack protection method and device, equipment and readable storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110213204A (en) | 2019-09-06 |
CN110213204B (en) | 2022-09-23 |
Family
ID=67779052
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810204686.4A Active CN110213204B (en) | 2018-03-13 | 2018-03-13 | Attack protection method and device, equipment and readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110213204B (en) |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101355419A (en) * | 2008-08-22 | 2009-01-28 | 成都市华为赛门铁克科技有限公司 | Method and apparatus for avoiding network attack |
CN105610852A (en) * | 2016-01-15 | 2016-05-25 | 腾讯科技(深圳)有限公司 | Method and device for processing ACK (Acknowledgement) flooding attack |
CN106411791A (en) * | 2016-09-05 | 2017-02-15 | 上海斐讯数据通信技术有限公司 | ICMP fragmented packet reassembly method and forwarding method, controller, and switch |
CN106357688A (en) * | 2016-11-04 | 2017-01-25 | 中国联合网络通信集团有限公司 | Method and device for defending Internet Control Message Protocol (ICMP) flood attack |
CN106506726A (en) * | 2016-12-12 | 2017-03-15 | 北京云端智度科技有限公司 | A kind of method of verification DNS real users |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110798451A (en) * | 2019-09-29 | 2020-02-14 | 新华三信息安全技术有限公司 | Security authentication method and device |
CN112261056A (en) * | 2020-10-27 | 2021-01-22 | 南方电网数字电网研究院有限公司 | Communication control method and device for power system, control equipment and storage medium |
CN112910839A (en) * | 2021-01-12 | 2021-06-04 | 杭州迪普科技股份有限公司 | DNS attack defense method and device |
CN112910839B (en) * | 2021-01-12 | 2023-04-25 | 杭州迪普科技股份有限公司 | Method and device for defending DNS attack |
CN114039747A (en) * | 2021-10-21 | 2022-02-11 | 烽火通信科技股份有限公司 | Method, device, equipment and storage medium for preventing DDOS data retransmission attack |
CN114039747B (en) * | 2021-10-21 | 2023-05-16 | 烽火通信科技股份有限公司 | DDOS data retransmission attack prevention method, device, equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN110213204B (en) | 2022-09-23 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||