CN110213204B - Attack protection method and device, equipment and readable storage medium - Google Patents


Info

Publication number: CN110213204B
Application number: CN201810204686.4A
Authority: CN (China)
Prior art keywords: message, icmp, packet, information, retransmission
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN110213204A
Inventor: 陈国�
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Events: application filed by Tencent Technology Shenzhen Co Ltd; priority to CN201810204686.4A; published as CN110213204A; application granted and published as CN110213204B; legal status Active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The invention discloses an attack protection method, an attack protection device, equipment and a readable storage medium. The method comprises the following steps: when it is monitored that a destination IP suffers an ICMP FLOOD attack, intercepting an ICMP message sent to the destination IP and determining whether the ICMP message is a retransmission message; when the ICMP message is a retransmission message, forwarding it to a server; and when it is not a retransmission message, discarding it. Because a sending end attacking the destination IP sends ICMP messages irregularly and never retransmits them, verifying whether an ICMP message sent to the destination IP is a retransmission message effectively distinguishes an attack end from a normal end: the non-retransmitted messages sent by the attack end are discarded, while the ICMP messages sent by a normal end are forwarded. The ICMP FLOOD attack is thus defended against while normal messages are not mistakenly dropped (falsely killed), and the false alarms of abnormal service that such drops cause are avoided.

Description

Attack protection method and device, equipment and readable storage medium
Technical Field
The present invention relates to the field of network communication security technologies, and in particular, to an attack protection method and apparatus, a device, and a readable storage medium.
Background
Internet Control Message Protocol flooding (ICMP FLOOD) is one of the common Distributed Denial of Service (DDoS) attacks and a typical bandwidth-exhausting DDoS method: a botnet sends a large volume of junk ICMP messages to the attacked server, saturating its bandwidth so that normal requests cannot be answered and service is denied.
In the prior art, ICMP FLOOD attacks are defended against by limiting the number of ICMP messages that are forwarded (a rate-limiting mode). This mode has the following disadvantages: (1) the forwarding of normal ICMP messages is limited as well, so normal messages are mistakenly dropped (falsely killed), and dropping ICMP messages misleads dial-up (ping) probing, which in turn produces false alarms of abnormal service; (2) some servers are dedicated dial-up test servers that use ICMP messages for batch probing, and if such a server suffers an ICMP FLOOD attack and rate limiting is applied, its probing service is severely affected and becomes unavailable; (3) when the attack ends are highly dispersed, the number of ICMP messages that still pass the rate limit is large, so the service becomes unavailable anyway.
Disclosure of Invention
The main purpose of the invention is to provide an attack protection method, an attack protection device, equipment and a readable storage medium, so as to solve the technical problems of the prior-art attack protection method: it falsely kills normal messages and thereby causes false alarms of abnormal service; it affects the service of probing servers until the probing service is unavailable; and it leaves the service unavailable when the attack ends are highly dispersed.
In order to achieve the above object, a first aspect of the present invention provides an attack protection method, including:
intercepting an ICMP message sent to a destination Internet Protocol (IP) address when it is monitored that the destination IP suffers an ICMP FLOOD attack;
when the ICMP message is a retransmission message, forwarding the ICMP message to a server;
and when the ICMP message is not a retransmission message, discarding the ICMP message.
To achieve the above object, a second aspect of the present invention provides an attack-prevention device, including:
an interception module, configured to intercept an ICMP message sent to a destination Internet Protocol (IP) address when it is monitored that the destination IP suffers an ICMP FLOOD attack;
a first forwarding module, configured to forward the ICMP packet to a server when the ICMP packet is a retransmission packet;
and the discarding module is used for discarding the ICMP message when the ICMP message is not a retransmission message.
To achieve the above object, a third aspect of the present invention provides an apparatus comprising a memory, a processor and a computer program stored in the memory and runnable on the processor, wherein the processor executes the computer program to realize the steps of the attack protection method according to the first aspect of the embodiment of the invention.
To achieve the above object, a fourth aspect of the present invention provides a computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the steps of the attack protection method according to the first aspect of the present invention.
The invention provides an attack protection method: when it is monitored that a destination IP suffers an ICMP FLOOD attack, an ICMP message sent to the destination IP is intercepted; when the ICMP message is a retransmission message it is forwarded to a server, and when it is not a retransmission message it is discarded. Compared with the prior art, the method exploits the fact that a sending end attacking the destination IP sends ICMP messages irregularly and never retransmits them, so verifying whether an ICMP message sent to the destination IP is a retransmission message effectively determines whether its sender is an attack end or a normal end. Non-retransmitted messages from the attack end are discarded and ICMP messages from a normal end are forwarded, so the ICMP FLOOD attack is defended against without falsely killing normal messages and without the resulting false alarms of abnormal service. For a probing server, all ICMP messages that reach it were sent by a normal end, so its probing service is not affected; and when the attack ends are highly dispersed, the ICMP messages they send are still identified, so the service is not affected.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1a is a schematic diagram of a framework of a shield system according to an embodiment of the present invention;
FIG. 1b is a flow chart of an attack protection method according to an embodiment of the present invention;
FIG. 2 is another schematic flow chart of an attack protection method according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating that an attack end cannot bypass a retransmission verification according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating a retransmission verification at a normal peer in an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an attack protection apparatus according to an embodiment of the present invention;
FIG. 6 is another schematic structural diagram of an attack protection apparatus according to an embodiment of the present invention;
FIG. 7 is a block diagram of a device.
Detailed Description
In order to make the objects, features and advantages of the present invention more obvious and understandable, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
Because the attack protection method in the prior art falsely kills normal messages, it causes the technical problem of false alarms of abnormal service.
To solve this problem, the present invention provides an attack protection method. Compared with the prior art, the method exploits the fact that a sending end attacking the destination IP sends ICMP messages irregularly and never retransmits them, so verifying whether an ICMP message sent to the destination IP is a retransmission message effectively determines whether its sender is an attack end or a normal end. Non-retransmitted messages from the attack end are discarded and ICMP messages from a normal end are forwarded, so the ICMP FLOOD attack is defended against without falsely killing normal messages and without the resulting false alarms of abnormal service. For a probing server, all ICMP messages that reach it were sent by a normal end, so its probing service is not affected; and when the attack ends are highly dispersed, the ICMP messages they send are still identified, so the service is not affected.
Fig. 1a is a schematic diagram of the framework of a protection system according to an embodiment of the present invention. The framework comprises a protection end, a server end and client ends, where the client ends include an attack end and a normal end. A client sends an ICMP message to the protection end, which verifies whether the message is a retransmission message: if so, the message is forwarded to the server end, and if not, it is discarded. ICMP messages are thereby filtered effectively, and ICMP messages sent by a normal end are not falsely killed while protection against the ICMP FLOOD attack is guaranteed.
Referring to fig. 1b, a schematic flow chart of an attack protection method according to an embodiment of the present invention is shown, where the method includes:
step 101, intercepting an ICMP message sent to a destination IP when monitoring that the destination IP suffers ICMP FLOOD attack; executing step 102 or step 103;
step 102, when the ICMP message is a retransmission message, forwarding the ICMP message to a server;
step 103, when the ICMP message is not a retransmission message, discarding the ICMP message.
In the embodiment of the present invention, the attack protection method is implemented by an attack protection device (hereinafter, referred to as a protection device), where the protection device is a program module and is stored in a readable storage medium of an apparatus, and the apparatus may specifically be a protection terminal (protection server), and a processor in the protection terminal may call the protection device in the readable storage medium to implement the protection method.
In the embodiment of the invention, the monitoring equipment monitors the messages sent by the client and determines the number of ICMP messages sent to each destination IP within a preset time period. The ICMP message does not carry a specific service.
When the number of the ICMP messages sent to a certain destination IP within a preset time period is monitored to be larger than or equal to a preset safety threshold value, the destination IP is shown to be attacked by ICMP FLOOD. Wherein the preset time period may be 5 seconds, 10 seconds, etc.
After monitoring that the destination IP suffers from ICMP FLOOD attack, the protection device intercepts an ICMP message sent to the destination IP and acquires message information of the ICMP message, wherein the message information comprises a source IP, the destination IP and a message type. The message type is the ICMP type.
The retransmission verification means verifying whether an ICMP packet sent to the destination IP is a retransmission packet, and the protection device performs retransmission verification on the ICMP packet by using the packet information of the ICMP packet.
The principle of deciding from retransmission verification whether an ICMP message is an attack message is as follows. An attack end performing an ICMP FLOOD attack on the destination IP sends its ICMP messages irregularly, for example with a continuously changing source IP, so among the ICMP messages it sends there are no retransmission messages and retransmission verification cannot be passed. A client that sends ICMP messages to the destination IP normally sends them regularly: its source IP is relatively fixed and it retransmits within a certain time, so its ICMP messages do include retransmission messages and retransmission verification is passed.
In the embodiment of the invention, when the ICMP message passes retransmission verification, the ICMP message is indicated to be a retransmission message, the protective device forwards the ICMP message to the server, and when the ICMP message does not pass retransmission verification, the ICMP message is indicated to be not a retransmission message, and the protective device discards the ICMP message.
In the embodiment of the invention, when it is monitored that the destination IP suffers an ICMP FLOOD attack, an ICMP message sent to the destination IP is intercepted; when the ICMP message is a retransmission message it is forwarded to a server, and when it is not a retransmission message it is discarded. Compared with the prior art, the method exploits the fact that a sending end attacking the destination IP sends ICMP messages irregularly and never retransmits them, so verifying whether an ICMP message sent to the destination IP is a retransmission message effectively determines whether its sender is an attack end or a normal end. Non-retransmitted messages from the attack end are discarded and ICMP messages from a normal end are forwarded, so the ICMP FLOOD attack is defended against without falsely killing normal messages and without the resulting false alarms of abnormal service. For a probing server, all ICMP messages that reach it were sent by a normal end, so its probing service is not affected; and when the attack ends are highly dispersed, the ICMP messages they send are still identified, so the service is not affected.
Fig. 2 is a schematic flow chart of an attack protection method according to an embodiment of the present invention, including:
step 201, when monitoring that a destination IP suffers from ICMP FLOOD attack, intercepting an ICMP message sent to the destination IP, and acquiring an ICMP type, an ICMP packet length and a fragment field value of the ICMP message;
step 202, when the ICMP type is not a preset legal type, or when the ICMP packet length is greater than or equal to a preset packet length, or when the fragment field value identifies that the ICMP packet is a fragment packet, determining that the ICMP packet is an attack packet, and discarding the ICMP packet;
step 203, when the ICMP type is a preset legal type, the ICMP packet length is less than a preset packet length, and the fragment field value identifies that the ICMP message is a non-fragment message, acquiring the sending end information of the ICMP message; continuing to execute step 204;
in the embodiment of the invention, when the destination IP is monitored to suffer ICMP FLOOD attack, an ICMP message sent to the destination IP is intercepted, and the validity of the ICMP message is verified.
Specifically, the guard device acquires the ICMP type, ICMP packet length, and fragmentation field value of the ICMP packet.
The type of ICMP may be found in the following table:
[Table of ICMP types; in the original it is given as three images (Figures BDA0001595562970000061, BDA0001595562970000071 and BDA0001595562970000081) and is not reproduced in this text.]
In the type table, the legal types are type 0 (echo reply) and type 8 (echo request); all other types are illegal types.
The ICMP type is stored in the type field of the ICMP message. The protection device reads the value of the type field: when it denotes type 0 or type 8, the ICMP type is a legal type and the ICMP message is a legal message; otherwise it is an illegal type and the message is an illegal message, that is, an attack message. The ICMP type therefore allows reflection-related ICMP attack messages to be identified effectively.
The protection device also reads the value of the packet length field. When the ICMP packet length it denotes is greater than or equal to the preset packet length, the ICMP message is an attack message; when it is less than the preset packet length, the message is a legal message. The ICMP packet length therefore allows ICMP large-packet attack messages to be identified effectively.
The packet header of the ICMP message further contains a fragmentation field. The protection device reads the fragmentation field value: when it indicates that the ICMP message is a fragment, the message is determined to be an attack message, and when it indicates that the message is not a fragment, the message is determined to be a legal message. The fragmentation field value therefore allows fragmented ICMP messages to be identified effectively.
In the embodiment of the present invention, as soon as any one of the acquired parameters (ICMP type, ICMP packet length, fragmentation field value) indicates that the ICMP message is an attack message, the message is directly determined to be an attack message. That is, when the ICMP type is not a preset legal type, or the ICMP packet length is greater than or equal to the preset packet length, or the fragmentation field value identifies the ICMP message as a fragment, the message is determined to be an attack message and the protection device discards it.
When the ICMP type is a preset legal type, the ICMP packet length is less than the preset packet length, and the fragmentation field value identifies the ICMP message as a non-fragmented message, it is further determined whether the sending end information of the ICMP message is in a trust list, in order to decide whether the ICMP message was sent by a normal end.
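The three validity parameters above live in fixed places in the IPv4 and ICMP headers: the fragmentation field is the flags/fragment-offset word of the IP header, the packet length is the IP total-length field, and the ICMP type is the first byte after the IP header. The following is an added example, not code from the patent or from Tencent, that reads those fields from a raw packet and applies the step 202/203 rule that any one failing parameter marks the message as an attack message. The 1024-byte "preset packet length", the addresses and the constructed test packets are assumptions for illustration; the patent does not give the threshold.

```python
# Added example (not the patent's or Tencent's code): validity verification of
# steps 202/203 applied to raw IPv4+ICMP bytes. Thresholds/addresses are assumed.
import struct

LEGAL_ICMP_TYPES = {0, 8}     # echo reply / echo request: the patent's "legal types"
PRESET_PACKET_LENGTH = 1024   # assumed "preset packet length" in bytes (not in the text)


def parse_ipv4_icmp(pkt: bytes):
    """Return (icmp_type, total_length, is_fragment) for a raw IPv4 packet.

    icmp_type is None for a non-first fragment (it carries no ICMP header), and the
    whole result is None when the packet is not ICMP (IP protocol != 1).
    """
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    if proto != 1:
        return None
    # Fragmentation field: bit 13 is MF (more fragments), the low 13 bits the offset.
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = flags_frag & 0x1FFF
    is_fragment = more_fragments or frag_offset != 0
    icmp_type = pkt[ihl] if frag_offset == 0 and len(pkt) > ihl else None
    return icmp_type, total_len, is_fragment


def validity_verdict(pkt: bytes, max_len: int = PRESET_PACKET_LENGTH) -> str:
    """Steps 202/203: any single failing parameter makes the packet an attack packet."""
    parsed = parse_ipv4_icmp(pkt)
    if parsed is None:
        return "ignore:not-icmp"
    icmp_type, total_len, is_fragment = parsed
    if is_fragment:
        return "drop:fragment"
    if total_len >= max_len:
        return "drop:big-packet"
    if icmp_type not in LEGAL_ICMP_TYPES:
        return "drop:illegal-type"
    return "pass"


def build_ipv4_icmp(icmp_type: int, payload: bytes = b"", more_fragments: bool = False,
                    frag_offset: int = 0) -> bytes:
    """Constructed test packet (checksums left at zero; the parser does not verify them)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload  # type, code, csum, id, seq
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(icmp), 0xABCD, flags_frag, 64, 1, 0,
                         bytes([192, 0, 2, 7]), bytes([198, 51, 100, 10]))  # assumed addresses
    return ip_hdr + icmp


if __name__ == "__main__":
    for label, pkt in [
        ("echo request", build_ipv4_icmp(8, b"\x00" * 56)),
        ("dest unreachable", build_ipv4_icmp(3, b"\x00" * 28)),
        ("1500-byte echo", build_ipv4_icmp(8, b"\x00" * 1472)),
        ("first fragment", build_ipv4_icmp(8, b"\x00" * 8, more_fragments=True)),
    ]:
        print(f"{label:18s} -> {validity_verdict(pkt)}")
```

The checks are ordered so that a fragment is rejected before its ICMP type is inspected: a non-first fragment has no ICMP header at all, so reading a "type" from it would be reading payload.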
Step 204, searching a trust list, wherein the trust list comprises sending end information of the ICMP message which is verified as a retransmission message;
step 205, when the sending end information is not found in the trust list, obtaining message information of the ICMP message;
the protection end is provided with a trust list, and the trust list contains the information of the sending end which passes the retransmission verification.
In the embodiment of the present invention, after the ICMP message passes the validity verification, the sending end information of the ICMP message is obtained, where the sending end information at least includes a source IP for sending the ICMP message, and in addition, the sending end information may also include a Time To Live (TTL) value of the ICMP message sent by the sending end.
It can be understood that the trust list is built from the sending end information of ICMP messages that have passed retransmission verification: an ICMP message whose sending end information is in the trust list can be forwarded to the server directly, while an ICMP message whose sending end is not in the trust list must undergo retransmission verification.
The protection device uses the sending end information and the trust list to determine whether the sending end of the ICMP message is trusted. When the trust list contains the sending end information, the sending end is trusted and the ICMP message is forwarded to the server. When it does not, the message information of the ICMP message is acquired for retransmission verification, which determines whether the ICMP message is a retransmission message; the specific retransmission verification method is given in steps 206 and 207.
Step 206, searching a first packet message database, and determining whether first packet message information same as the message information exists, wherein the first packet message database comprises the first packet message information of the first ICMP message sent by the sending end and the corresponding relation of the receiving time of the first ICMP message;
step 207, determining whether the ICMP message is a retransmission message according to the search result;
step 208, when the ICMP message is a retransmission message, forwarding the ICMP message to a server;
step 209, when the ICMP message is not a retransmission message, discarding the ICMP message.
In the embodiment of the present invention, when the trust list does not contain the sending end information, it indicates that the ICMP message is not sent by a trusted sending end, and may be an attack message, or may be a message that has not been subjected to retransmission verification. At this time, the guard device performs retransmission verification on the ICMP packet.
The retransmission verification needs to use a first packet message database, where the first packet message database includes a correspondence between first packet message information of a first ICMP message sent by a sending end and receiving time of the first ICMP message. It can be understood that if one sending end sends A, B, C, D, E ICMP messages to the destination IP, the message a is the first packet message, and if the time interval between the message B and the message C is longer than the preset time length, the message C may also be considered as the first packet message. When determining that one ICMP message is a first packet message, the protection device records the corresponding relation between the first packet message information of the ICMP message and the receiving time of the received ICMP message in a first packet message database.
In the embodiment of the invention, the protective device searches the first packet message database, determines whether the first packet message information identical to the message information of the intercepted ICMP message exists or not, and determines whether the ICMP message is a retransmission message or not according to the search result.
Specifically, when the first packet of message information identical to the message information is found and the time length from the receiving time corresponding to the identical first packet of message information is less than or equal to the preset time length, determining the ICMP message as a retransmission message; for example, the source IP of the message information is IP1, the destination IP is IP2, and the ICMP type is type 0, if the same first packet message information is searched in the first packet message database, the time length from the receiving time of the first packet message information to the current time is determined, and if the time length is 3 seconds and is less than the preset time length of 7 seconds, the ICMP message is determined to be a retransmission message.
Or when the first packet of message information identical to the message information is not found, or when the first packet of message information identical to the message information is found and the time length from the receiving time corresponding to the identical first packet of message information is longer than the preset time length, determining that the ICMP message is not a retransmission message.
It can be understood that, in order to facilitate the search of the first packet message database, the first packet message database may be updated in real time based on the receiving time, for example, if it is determined whether the time length of the retransmission message is 10 seconds, only the information of the first packet message in the latest 10 seconds is retained in the first packet message database, and the first packet message data whose receiving time exceeds 10 seconds from the current time is deleted. In this case, as long as the same first packet message information is found in the first packet message database, it can be determined that the message is a retransmission message, and it can be determined that the message is not a retransmission message if the same first packet message information is not found in the first packet message database.
Further, in the embodiment of the present invention, when it is determined that the ICMP message is a retransmission message, the sending end information of the ICMP message is added to the trust list.
Further, in the embodiment of the present invention, when it is determined that the ICMP message is not a retransmission message, the message may be either an attack message or a first packet message. In both cases the protection device discards the ICMP message, treats it as a first packet message, and adds the correspondence between its message information and its receiving time to the first packet message database, so that if an ICMP message with the same message information is intercepted within the specified time, that message can be determined to be a retransmission message. For example, if message a is determined not to be a retransmission message, the correspondence between its message information B and its receiving time C is added to the first packet message database; if a message D carrying the same message information B is then intercepted within the specified 10 seconds (that is, within 10 seconds of receiving time C), message D is determined to be a retransmission message.
For a better understanding of retransmission verification, refer to fig. 3, which shows that an attack end cannot bypass retransmission verification, and fig. 4, which shows retransmission verification for a normal end. In fig. 3, the attack end irregularly sends the ICMP messages a1, a2, a3 and a4; none passes retransmission verification, so all of them are discarded and none is forwarded to the server end. In fig. 4, the protection end intercepts message b1 sent by the client; b1 fails retransmission verification, so the protection end discards it and adds its message information to the first packet message database. Within the specified time the protection end intercepts message b2 from the same client and finds that its message information is the same as that of b1, so b2 passes retransmission verification. Because b2 is a retransmission message, the protection end adds its source IP and TTL to the trust list, and subsequently forwards messages b3 and b4, whose source IP and TTL match those of b2, to the server end, which returns the corresponding responses.
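The following is an added example, not code from the patent or from Tencent, that models the protection end's pipeline described in steps 101 and 204 to 209 and replays the fig. 3 and fig. 4 scenarios on constructed traffic: a sliding-window counter per destination IP for the ICMP FLOOD determination, a first packet message database keyed on (source IP, destination IP, ICMP type) and expired after the preset time length, and a trust list keyed on (source IP, TTL). The threshold, the 10-second window, the addresses and the traffic are assumptions; so is the choice to keep the destination in protection mode once the flood has been detected, since the text does not say when protection ends. As the text states, the whole scheme rests on the premise that an attack end does not retransmit; this model encodes that premise, it does not test it.

```python
# Added example (not the patent's or Tencent's code): flood detection (step 101),
# trust list lookup (step 204) and retransmission verification (steps 206-209).
# Thresholds, window, addresses and the replayed traffic are assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple

RETRANS_WINDOW = 10.0  # assumed "preset time length" (seconds), as in the text's 10-second case


@dataclass(frozen=True)
class IcmpPacket:
    src: str        # source IP
    dst: str        # destination IP
    icmp_type: int  # 0 = echo reply, 8 = echo request (already passed validity check)
    ttl: int        # IP TTL, part of the "sending end information"
    ts: float       # receive time in seconds


class FloodMonitor:
    """Step 101: a destination IP is under ICMP FLOOD when the number of ICMP packets
    addressed to it within the last `period` seconds reaches `threshold`."""

    def __init__(self, threshold: int, period: float):
        self.threshold, self.period = threshold, period
        self.arrivals: Dict[str, Deque[float]] = defaultdict(deque)

    def observe(self, p: IcmpPacket) -> bool:
        q = self.arrivals[p.dst]
        q.append(p.ts)
        while q and p.ts - q[0] > self.period:   # drop arrivals older than the period
            q.popleft()
        return len(q) >= self.threshold


class RetransmissionGuard:
    """Steps 204-209 for packets that already passed validity verification."""

    def __init__(self, window: float = RETRANS_WINDOW):
        self.window = window
        # first packet message database: (src, dst, type) -> receive time of first packet
        self.first_packets: Dict[Tuple[str, str, int], float] = {}
        # trust list: (src, ttl) of sending ends that passed retransmission verification
        self.trusted: Set[Tuple[str, int]] = set()

    def decide(self, p: IcmpPacket) -> str:
        sender = (p.src, p.ttl)
        if sender in self.trusted:                      # step 204: trusted sending end
            return "forward:trusted"
        # keep only first-packet records inside the window (the database update the
        # text describes for the 10-second case), so presence alone means "retransmission"
        self.first_packets = {k: t for k, t in self.first_packets.items()
                              if p.ts - t <= self.window}
        key = (p.src, p.dst, p.icmp_type)               # the patent's "message information"
        if key in self.first_packets:                   # steps 206-208: retransmission
            self.trusted.add(sender)
            return "forward:retransmission"
        self.first_packets[key] = p.ts                  # step 209: treat as first packet
        return "drop:first-packet"


def simulate() -> Dict[str, str]:
    """Constructed traffic replaying fig. 3 (attack end) and fig. 4 (normal end)."""
    dst = "198.51.100.10"                                # assumed destination IP
    traffic: List[Tuple[str, IcmpPacket]] = []
    # Attack end: every packet from a fresh source IP, nothing ever retransmitted (fig. 3)
    for i in range(1, 8):
        traffic.append((f"a{i}", IcmpPacket(f"203.0.113.{i}", dst, 8, 40 + i, 0.1 * i)))
    # Normal end: fixed source IP and TTL, retransmits within the window (fig. 4)
    for i, ts in enumerate([1.0, 2.0, 3.0, 30.0], start=1):
        traffic.append((f"b{i}", IcmpPacket("192.0.2.7", dst, 8, 60, ts)))
    monitor, guard = FloodMonitor(threshold=4, period=5.0), RetransmissionGuard()
    under_attack, decisions = False, {}
    for name, p in traffic:
        # assumption: once the flood is detected, the destination stays in protection mode
        under_attack = under_attack or monitor.observe(p)
        decisions[name] = guard.decide(p) if under_attack else "forward:no-attack"
    return decisions


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name}: {verdict}")
```

In the replay the first three attack packets pass untouched because the flood has not yet been recognised; from the fourth onward every attack packet is a first packet from a new source and is dropped, while the normal end loses only b1, is forwarded on b2 by retransmission verification, and is forwarded on b3 and b4 through the trust list even though its first-packet record has long expired by the time b4 arrives.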
It should be noted that when validity verification, trust list lookup, and retransmission verification are performed on an ICMP packet, actual execution is not limited to the flow of the embodiment shown in fig. 2; the checks may also be performed as follows:
When it is detected that a destination IP is suffering an ICMP FLOOD attack, the ICMP message sent to the destination IP is intercepted and the sending end information of the ICMP message is obtained. The trust list is searched using the sending end information; if the sending end information is found in the trust list, the ICMP message is determined to be sent by a trusted sending end and is forwarded to the server. If the sending end information is not found in the trust list, validity verification is performed on the ICMP message; if validity verification passes, the message information is obtained and retransmission verification is performed with it. The order in this flow is therefore: trust list lookup, validity verification, retransmission verification.
Alternatively, when it is detected that the destination IP is suffering an ICMP FLOOD attack, the ICMP message sent to the destination IP is intercepted and validity verification is performed on it; after the ICMP message passes validity verification, retransmission verification is performed; and when the ICMP message fails retransmission verification, the trust list is searched. The order in this flow is therefore: validity verification, retransmission verification, trust list lookup.
It should be noted that any ICMP message that validity verification filters out would also be filtered out by retransmission verification. In the embodiment of the present invention, validity verification is nevertheless usually performed before retransmission verification, because doing so effectively reduces the amount of data in the first packet message database and reduces resource occupation. Alternatively, only one of validity verification and trust list lookup may be performed.
It should be noted that, in the embodiment of the present invention, the source IPs in the trust list may be further monitored to determine whether a malicious source IP exists in the trust list. Specifically, the protection device may further perform the following steps:
step A, monitoring the number of ICMP messages sent by a source IP in the trust list;
step B, when it is detected that the number of ICMP messages sent by the source IP within a preset time period is greater than or equal to a preset threshold, deleting the source IP, or the source IP and its time-to-live (TTL) value, from the trust list.
In the embodiment of the invention, the trust list comprises the source IP and TTL of messages that passed retransmission verification. The protection device monitors the number of ICMP messages sent by each source IP in the trust list; when the number of ICMP messages sent by a source IP within a preset time period is greater than or equal to the preset threshold, the source IP is indicated to be a malicious source IP, and the source IP, or the source IP and its TTL value, is deleted from the trust list.
Furthermore, the protection device may also maintain an untrusted list, which contains the source IPs that monitoring of the trust list has determined to be malicious sources. After a source IP, or a source IP and its TTL value, is deleted from the trust list, the source IP, or the source IP and its TTL value, is added to the untrusted list. The protection end intercepts and discards ICMP messages sent by all source IPs in the untrusted list.
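The following is an added example, not code from the patent: a compact protection-end model that runs the validity verification, trust list lookup, retransmission verification and the trust-list monitoring of steps A and B described above over constructed traffic shaped like fig. 3 and fig. 4. The legal ICMP types, packet-length limit, monitoring threshold and period are assumptions (the patent only calls them "preset"); the 10-second retransmission window is the one used in the text.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed parameters. The patent calls these "preset" values without fixing them,
# except for the 10-second retransmission window used in its worked example.
LEGAL_ICMP_TYPES = {0, 8}   # echo reply / echo request (assumption)
MAX_PACKET_LEN = 1024       # packets at or above this length are dropped (assumption)
RETRANSMIT_WINDOW = 10.0    # seconds, from the patent's example
TRUST_THRESHOLD = 50        # messages per TRUST_PERIOD before a trusted IP is evicted (assumption)
TRUST_PERIOD = 1.0          # seconds (assumption)


@dataclass(frozen=True)
class IcmpMsg:
    src: str          # source IP
    dst: str          # destination IP, the address under ICMP FLOOD attack
    icmp_type: int
    length: int       # ICMP packet length in bytes
    fragmented: bool  # derived from the IP fragment field (MF flag set or non-zero offset)
    ttl: int
    recv_time: float  # seconds, as seen by the protection device


class IcmpFloodGuard:
    """Protection-end logic: validity check, trust list, retransmission check, monitoring."""

    def __init__(self):
        self.first_packets = {}                  # (src, dst, type) -> receive time of first packet
        self.trust = set()                       # (src, ttl) pairs that passed retransmission verification
        self.untrusted = set()                   # source IPs evicted from the trust list
        self.trusted_sends = defaultdict(deque)  # src -> receive times within TRUST_PERIOD

    def is_valid(self, m):
        """Validity verification on ICMP type, packet length and fragment field."""
        return m.icmp_type in LEGAL_ICMP_TYPES and m.length < MAX_PACKET_LEN and not m.fragmented

    def is_retransmission(self, m):
        """Same message information seen within RETRANSMIT_WINDOW of its first packet."""
        first = self.first_packets.get((m.src, m.dst, m.icmp_type))
        return first is not None and m.recv_time - first <= RETRANSMIT_WINDOW

    def trusted_ip_is_flooding(self, m):
        """Steps A/B: count messages from a trusted IP; evict it once the threshold is reached."""
        times = self.trusted_sends[m.src]
        while times and times[0] < m.recv_time - TRUST_PERIOD:
            times.popleft()
        times.append(m.recv_time)
        if len(times) >= TRUST_THRESHOLD:
            self.trust = {e for e in self.trust if e[0] != m.src}  # delete source IP (and TTL)
            self.untrusted.add(m.src)                               # add it to the untrusted list
            del self.trusted_sends[m.src]
            return True
        return False

    def handle(self, m):
        """Return 'forward' or 'drop' for one intercepted ICMP message."""
        if m.src in self.untrusted:
            return "drop"
        if not self.is_valid(m):            # validity verification first keeps the DB small
            return "drop"
        if (m.src, m.ttl) in self.trust:    # trust list lookup
            return "drop" if self.trusted_ip_is_flooding(m) else "forward"
        if self.is_retransmission(m):       # retransmission verification
            self.trust.add((m.src, m.ttl))
            return "forward"
        # Not a retransmission: treat it as the first packet, record it, discard it.
        self.first_packets[(m.src, m.dst, m.icmp_type)] = m.recv_time
        return "drop"


def run_demo():
    """Constructed traffic modelled on the fig. 3 / fig. 4 description; returns label -> decision."""
    guard, victim, msgs = IcmpFloodGuard(), "192.0.2.1", []
    # fig. 3: the attack end sends irregular messages (distinct spoofed sources, never retransmitted)
    for i in range(1, 5):
        msgs.append((f"a{i}", IcmpMsg(f"203.0.113.{i}", victim, 8, 64, False, 60, 0.5 * i)))
    # two messages that fail validity verification (oversized, fragmented)
    msgs.append(("big", IcmpMsg("203.0.113.9", victim, 8, 1500, False, 60, 2.5)))
    msgs.append(("frag", IcmpMsg("203.0.113.9", victim, 8, 64, True, 60, 2.6)))
    # fig. 4: the normal end retransmits b1 as b2, then sends b3 and b4
    for i, t in enumerate((0.0, 1.0, 2.0, 3.0), start=1):
        msgs.append((f"b{i}", IcmpMsg("198.51.100.10", victim, 8, 64, False, 52, t)))
    # the now-trusted source later bursts 60 messages within one second
    for i in range(60):
        msgs.append((f"burst{i + 1}", IcmpMsg("198.51.100.10", victim, 8, 64, False, 52, 10.0 + 0.01 * i)))
    # window boundary: a second message 11 s after the first is not a retransmission
    for i, t in enumerate((20.0, 31.0, 35.0), start=1):
        msgs.append((f"c{i}", IcmpMsg("198.51.100.20", victim, 8, 64, False, 52, t)))
    return {label: guard.handle(m) for label, m in sorted(msgs, key=lambda lm: lm[1].recv_time)}


if __name__ == "__main__":
    for label, decision in run_demo().items():
        print(f"{label:8s} {decision}")
```

Only b2, b3, b4, the first 49 burst messages and c3 are forwarded; the 50th burst message evicts the source from the trust list and every later message from it is discarded.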
In the embodiment of the invention, when it is detected that a destination IP is suffering an ICMP FLOOD attack, the ICMP message sent to the destination IP is intercepted and validity verification is carried out using the ICMP type, ICMP packet length and fragment field value of the ICMP message. When validity verification fails, the ICMP message is indicated to be an attack message and is discarded. When validity verification passes, it is determined whether the sending end information of the ICMP message is in the trust list; if it is, the ICMP message is forwarded to the server; if it is not, retransmission verification is carried out on the ICMP message, and the ICMP message is forwarded to the server when it is determined to be a retransmission message and discarded when it is determined not to be one. In this way, whether an ICMP message is an attack message can be effectively determined, and compared with rate-limiting ICMP messages, the method effectively avoids mistakenly discarding normal ICMP messages and avoids false alarms that cause service abnormalities; for a detection server, all ICMP messages reaching the detection server are sent by normal ends, so the impact on the detection service is effectively avoided; and even when the attack ends are widely dispersed, the ICMP messages sent by the attack ends can be effectively identified and the impact on the service avoided.
The protection method in the embodiment of the invention can effectively protect against ICMP FLOOD attacks in various scenarios without mistakenly discarding normal ICMP messages, avoids attack messages passing through transparently, effectively improves the effectiveness of DDOS attack protection, and plays an important role in safeguarding services such as dial-up test servers that depend on ICMP messages; in addition, impact on services with poor performance can be avoided.
Referring to fig. 5, an attack protection apparatus according to an embodiment of the present invention includes:
an intercepting module 501, configured to intercept an ICMP message sent to a destination Internet Protocol (IP) address when it is detected that the destination IP is under ICMP FLOOD attack;
a first forwarding module 502, configured to forward the ICMP packet to a server when the ICMP packet is a retransmission packet;
a discarding module 503, configured to discard the ICMP packet when the ICMP packet is not a retransmission packet.
In the embodiment of the present invention, the content of the apparatus shown in fig. 5 corresponds to the steps described in the embodiment shown in fig. 1b; refer to fig. 1b for details, which are not repeated here.
In the embodiment of the invention, when it is detected that the destination IP is suffering an ICMP FLOOD attack, an ICMP message sent to the destination IP is intercepted; when the ICMP message is a retransmission message it is forwarded to the server, and when it is not a retransmission message it is discarded. Compared with the prior art, the method takes into account that a sending end attacking the destination IP sends ICMP messages irregularly and does not retransmit them, so that whether a sending end is an attack end or a normal end can be effectively determined by verifying whether the ICMP message sent to the destination IP is a retransmission message: the non-retransmitted messages sent by the attack end are discarded and the ICMP messages sent by the normal end are forwarded, so that normal messages are not mistakenly discarded while the ICMP FLOOD attack is blocked, and false alarms that cause service abnormalities are avoided; for a detection server, all ICMP messages reaching it are sent by normal ends, so the impact on the detection service is effectively avoided; and even when the attack ends are widely dispersed, the ICMP messages sent by the attack ends can be effectively identified and the impact on the service avoided.
Referring to fig. 6, an attack protection apparatus in an embodiment of the present invention includes an intercepting module 501, a first forwarding module 502, and a discarding module 503 in the embodiment shown in fig. 5, and is similar to the contents described in the embodiment shown in fig. 5, and will not be described herein again.
In an embodiment of the present invention, the apparatus further comprises:
a first obtaining module 601, configured to obtain message information of the ICMP message after the intercepting module 501 has run;
a first searching module 602, configured to search a first packet message database, and determine whether there is first packet message information that is the same as the message information, where the first packet message database includes a correspondence between first packet message information of a first ICMP message sent by a sending end and receiving time of the first ICMP message;
a determining module 603, configured to determine whether the ICMP packet is a retransmission packet according to a search result;
the determining module 603 is specifically configured to:
when first packet message information identical to the message information is found and the elapsed time since the receiving time corresponding to that first packet message information is less than or equal to the preset duration, determining that the ICMP message is a retransmission message;
and when no first packet message information identical to the message information is found, or when identical first packet message information is found but the elapsed time since its corresponding receiving time is longer than the preset duration, determining that the ICMP message is not a retransmission message.
In an embodiment of the present invention, the apparatus further comprises:
a second obtaining module 604, configured to obtain sending end information of the ICMP message before the first obtaining module 601 runs; it is understood that the second obtaining module 604 may also run when the ICMP message is not a retransmission message;
a second searching module 605, configured to search a trust list, where the trust list includes sending end information of ICMP messages that have been verified as retransmission messages;
a first executing module 606, configured to trigger the first obtaining module 601 when the sending end information is not found in the trust list; it is understood that, if the second obtaining module 604 ran because the ICMP message is not a retransmission message, the first executing module triggers the discarding module 503 instead;
a second forwarding module 607, configured to forward the ICMP packet to a server when the sending end information is found in the trust list.
In the embodiment of the invention, the sending end information comprises a source IP, or comprises a source IP and a time-to-live (TTL) value;
the apparatus further comprises:
a monitoring module, configured to monitor the number of ICMP messages sent by a source IP in the trust list;
and a deleting module, configured to delete the source IP, or the source IP and its TTL value, from the trust list when it is detected that the number of ICMP messages sent by the source IP within a preset time period is greater than or equal to a preset threshold.
In an embodiment of the present invention, the apparatus further comprises:
a third obtaining module 608, configured to obtain the ICMP type, ICMP packet length and fragment field value of the ICMP packet before the first obtaining module 601 runs;
a message discarding module 609, configured to determine that the ICMP message is an attack message and discard the ICMP message when the ICMP type is not a preset legal type, or when the ICMP packet length is greater than or equal to a preset packet length, or when the fragment field value identifies that the ICMP message is a fragment message;
an executing module 610, configured to trigger the first obtaining module 601 when the ICMP type is a preset legal type, the ICMP packet length is smaller than a preset packet length, and the fragment field value identifies that the ICMP packet is a non-fragment packet.
In the embodiment of the present invention, the content of the apparatus shown in fig. 6 corresponds to the steps described in the embodiment shown in fig. 2; refer to fig. 2 for details, which are not repeated here.
In the embodiment of the invention, when it is detected that a destination IP is suffering an ICMP FLOOD attack, the ICMP message sent to the destination IP is intercepted and validity verification is carried out using the ICMP type, ICMP packet length and fragment field value of the ICMP message. When validity verification fails, the ICMP message is indicated to be an attack message and is discarded. When validity verification passes, it is determined whether the sending end information of the ICMP message is in the trust list; if it is, the ICMP message is forwarded to the server; if it is not, retransmission verification is carried out on the ICMP message, and the ICMP message is forwarded to the server when it is determined to be a retransmission message and discarded when it is determined not to be one. In this way, whether an ICMP message is an attack message can be effectively determined, and compared with rate-limiting ICMP messages, the method effectively avoids mistakenly discarding normal ICMP messages and avoids false alarms that cause service abnormalities; for a detection server, all ICMP messages reaching it are sent by normal ends, so the impact on the detection service is effectively avoided; and even when the attack ends are widely dispersed, the ICMP messages sent by the attack ends can be effectively identified and the impact on the service avoided.
The protection method in the embodiment of the invention can effectively protect against ICMP FLOOD attacks in various scenarios without mistakenly discarding normal ICMP messages, avoids attack messages passing through transparently, effectively improves the effectiveness of DDOS attack protection, and plays an important role in safeguarding services such as dial-up test servers that depend on ICMP messages; in addition, impact on services with poor performance can be avoided.
An embodiment of the present invention further provides an apparatus, which includes a memory, a processor, and a computer program stored in the memory and running on the processor, where when the processor executes the computer program, each step in the attack protection method in the embodiment shown in fig. 1b or fig. 2 is implemented.
Embodiments of the present invention further provide a readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements each step in the attack protection method in the embodiment shown in fig. 1b or fig. 2.
It can be understood that, in the embodiment of the present invention, the attack protection apparatus is a device, and the device may specifically be a protection end. For a better understanding of the technical solution in the embodiment of the present invention, refer to fig. 7, which is a schematic structural diagram of a device 70 in the embodiment of the present invention. The device 70 includes a processor 701, a memory 702, and a transceiver 703. The memory 702 may include read-only memory and random access memory, and provides operating instructions and data to the processor 701. A portion of the memory 702 may also include non-volatile random access memory (NVRAM).
In some embodiments, the memory 702 stores the following elements: an executable module or a data structure, or a subset thereof, or an expanded set thereof.
In the embodiment of the present invention, by calling the operation instructions stored in the memory 702 (the operation instructions may be stored in the operating system), the following process is performed: when it is detected that the destination IP is under ICMP FLOOD attack, an ICMP message sent to the destination IP is intercepted; when the ICMP message is a retransmission message it is forwarded to the server, and when it is not a retransmission message it is discarded.
Compared with the prior art, the device provided by the embodiment of the invention takes into account that a sending end attacking the destination IP sends ICMP messages irregularly and does not retransmit them, so that whether a sending end is an attack end or a normal end can be effectively determined by verifying whether the ICMP message sent to the destination IP is a retransmission message: the non-retransmitted messages sent by the attack end are discarded and the ICMP messages sent by the normal end are forwarded, so that the ICMP FLOOD attack is blocked while normal messages are not mistakenly discarded, and false alarms that cause service abnormalities are avoided; for a detection server, all ICMP messages reaching it are sent by normal ends, so the impact on the detection service is effectively avoided; and even when the attack ends are widely dispersed, the ICMP messages sent by the attack ends can be effectively identified and the impact on the service avoided.
The processor 701 controls the operation of the device 70; the processor 701 may also be referred to as a CPU (Central Processing Unit). The memory 702 may include both read-only memory and random access memory, and provides instructions and data to the processor 701. A portion of the memory 702 may also include non-volatile random access memory (NVRAM). In a particular application, the various components of the device 70 are coupled together by a bus system 704, where the bus system 704 may include a power bus, a control bus and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are designated in the figure as the bus system 704.
The method disclosed in the above embodiments of the present invention may be applied to the processor 701, or implemented by the processor 701. The processor 701 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be carried out by integrated logic circuits of hardware or by instructions in the form of software in the processor 701. The processor 910 may be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components, and may implement or perform the various methods, steps and logic blocks disclosed in the embodiments of the present invention. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in RAM, flash memory, ROM, PROM or EPROM, registers, or another storage medium well known in the art. The storage medium is located in the memory 702; the processor 701 reads the information in the memory 702 and performs the steps of the above method in combination with its hardware.
The above apparatus 70 can be understood by referring to the description of the embodiment shown in fig. 1b and fig. 2, and will not be described in detail herein.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is merely a logical division, and in actual implementation, there may be other divisions, for example, multiple modules or components may be combined or integrated into another system, or some features may be omitted, or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or modules, and may be in an electrical, mechanical or other form.
The modules described as separate parts may or may not be physically separate, and the parts displayed as modules may or may not be physical modules, that is, may be located in one place, or may also be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, each functional module in the embodiments of the present invention may be integrated into one processing module, or each module may exist alone physically, or two or more modules are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode.
The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention, which is substantially or partly contributed by the prior art, or all or part of the technical solution may be embodied in a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
It should be noted that, for the sake of simplicity, the above-mentioned method embodiments are described as a series of acts or combinations, but those skilled in the art should understand that the present invention is not limited by the described order of acts, as some steps may be performed in other orders or simultaneously according to the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no acts or modules are necessarily required of the invention.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In view of the above description of the attack protection method and apparatus, device and readable storage medium provided by the present invention, those skilled in the art may change the embodiments and application scope according to the idea of the embodiments of the present invention, and in summary, the content of the present specification should not be construed as limiting the present invention.

Claims (11)

1. An attack protection method, characterized in that the method comprises:
intercepting an ICMP message sent to a destination Internet Protocol (IP) address when it is detected that the destination IP is attacked by an Internet Control Message Protocol flooding (ICMP FLOOD) attack, and acquiring an ICMP type, an ICMP packet length and a fragment field value of the ICMP message;
when the ICMP type is a preset legal type, the ICMP packet length is less than a preset packet length, and the fragment field value marks that the ICMP message is a non-fragment message, acquiring message information of the ICMP message; the message information comprises a source IP, a destination IP and an ICMP type;
searching a first packet message database and determining whether first packet message information identical to the message information exists, wherein the first packet message database comprises the correspondence between the first packet message information of a first ICMP message sent by a sending end and the receiving time of that first ICMP message; when first packet message information identical to the message information is found and the elapsed time since the receiving time corresponding to that first packet message information is less than or equal to a preset duration, determining that the ICMP message is a retransmission message; when no first packet message information identical to the message information is found, or when identical first packet message information is found but the elapsed time since its corresponding receiving time is longer than the preset duration, determining that the ICMP message is not a retransmission message;
when the ICMP message is a retransmission message, searching for the source IP of the ICMP message in an untrusted list, forwarding the ICMP message to a server if the source IP is not found, and discarding the ICMP message if it is found; wherein the untrusted list comprises malicious source IPs determined by monitoring the trust list, the trust list comprises the source IPs of ICMP messages verified as retransmission messages, and a malicious source IP is a source IP in the trust list whose number of ICMP messages sent within a preset time period is greater than or equal to a preset threshold;
when the ICMP message is not a retransmission message, discarding the ICMP message, and adding the corresponding relation between the message information of the ICMP message and the receiving time to the first packet message database;
further comprising:
monitoring the quantity of ICMP messages sent by a source IP in the trust list;
and when the number of ICMP messages sent by the source IP is greater than or equal to a preset threshold value in a preset time period, deleting the source IP from the trust list.
2. The method of claim 1, wherein before the obtaining the message information of the ICMP message or before the discarding the ICMP message, further comprising:
acquiring sending end information of the ICMP message;
searching the trust list;
when the sending end information is not found in the trust list, continuing with the step of acquiring the message information of the ICMP message or continuing with the step of discarding the ICMP message;
and when the sending end information is found in the trust list, forwarding the ICMP message to a server.
3. The method of claim 2, further comprising:
and when the ICMP message is a retransmission message, adding the sending end information of the ICMP message into the trust list.
4. The method according to claim 2 or 3, wherein the sender information comprises a source IP, or comprises a source IP and a time-to-live value;
the removing the source IP from the trust list comprises:
and deleting the source IP and the time-to-live value from the trust list.
5. The method of claim 1, further comprising:
when the ICMP type is not a preset legal type, or when the ICMP packet length is greater than or equal to a preset packet length, or when the fragment field value identifies that the ICMP message is a fragment message, determining that the ICMP message is an attack message, and discarding the ICMP message.
6. An attack-protection device, the device comprising:
an interception module, configured to intercept an ICMP message sent to a destination Internet Protocol (IP) address when it is detected that the destination IP is attacked by an Internet Control Message Protocol flooding (ICMP FLOOD) attack;
a third obtaining module, configured to obtain an ICMP type, an ICMP packet length, and a fragment field value of the ICMP packet;
the execution module is used for triggering a first acquisition module when the ICMP type is a preset legal type, the ICMP packet length is less than a preset packet length, and the fragment field value marks that the ICMP message is a non-fragment message;
a first obtaining module, configured to obtain message information of the ICMP message;
a first searching module, configured to search a first packet message database, and determine whether first packet message information identical to the message information exists, where the first packet message database includes a correspondence between first packet message information of a first ICMP message sent by a sending end and receiving time of the first ICMP message;
a determining module, configured to determine that the ICMP packet is a retransmission packet when first packet message information identical to the message information is found and the elapsed time since the receiving time corresponding to that first packet message information is less than or equal to a preset duration; and to determine that the ICMP message is not a retransmission message when no first packet message information identical to the message information is found, or when identical first packet message information is found but the elapsed time since its corresponding receiving time is longer than the preset duration;
a first forwarding module, configured to, when the ICMP packet is a retransmission packet, search for the source IP of the ICMP packet in an untrusted list, forward the ICMP packet to a server if the source IP is not found, and discard the ICMP packet if it is found; wherein the untrusted list comprises malicious source IPs determined by monitoring the trust list, the trust list comprises the source IPs of ICMP messages verified as retransmission messages, and a malicious source IP is a source IP in the trust list whose number of ICMP messages sent within a preset time period is greater than or equal to a preset threshold;
a discarding module, configured to discard the ICMP packet and add a corresponding relationship between packet information of the ICMP packet and receiving time to the first packet database when the ICMP packet is not a retransmission packet;
the monitoring module is used for monitoring the quantity of ICMP messages sent by the source IP in the trust list;
and the deleting module is used for deleting the source IP from the trust list when the number of the ICMP messages sent by the source IP is greater than or equal to a preset threshold value in a preset time period.
7. The apparatus of claim 6, further comprising:
a second obtaining module, configured to obtain sending end information of the ICMP packet before the first obtaining module, or when the ICMP packet is not a retransmission packet;
the second searching module is used for searching a trust list, and the trust list comprises sending end information of an ICMP message verified as a retransmission message;
the first execution module is used for executing the first acquisition module or continuously executing the discarding module when the sending end information is not found in the trust list;
and the second forwarding module is used for forwarding the ICMP message to a server when the sending end information is found in the trust list.
8. The apparatus of claim 7, wherein the sender information comprises a source IP, or comprises a source IP and a time-to-live (TTL) value; and
deleting the source IP from the trusted list comprises:
deleting the source IP and the time-to-live value from the trusted list.
9. The apparatus of claim 6, further comprising:
a packet discarding module, configured to determine that the ICMP packet is an attack packet and discard it when the ICMP type is not a preset legal type, when the ICMP packet length is greater than or equal to a preset packet length, or when the fragment field value indicates that the ICMP packet is a fragment.
10. An apparatus comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, wherein the processor implements the steps of the attack protection method according to any one of claims 1 to 5 when executing the computer program.
11. A readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, carries out the steps of the attack protection method according to any one of claims 1 to 5.
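The claims above describe one procedure: a sanity filter on ICMP type, length and fragmentation (claim 9), a trusted-sender fast path with rate monitoring and eviction (claims 6 to 8), and the first-packet-drop check in which a packet is only forwarded once an identical copy is retransmitted within the preset duration and its source is not on the untrusted list (claim 6). The following Python is an added example written for this page; it is not code from the patent or from Tencent. The packet representation, the fields that make up the "message information", the concrete values of the preset duration, period, threshold, legal types and packet length, and the choice to start counting a sender's packets at the moment it enters the trusted list are all assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

# Tunables; the concrete values are assumptions, the claims only call them "preset".
LEGAL_ICMP_TYPES = {0, 8}   # assumed legal types: echo reply (0) and echo request (8)
MAX_ICMP_LEN = 1024         # "preset packet length": this size or larger is treated as an attack
RETRANS_WINDOW = 5.0        # "preset duration" (seconds) within which a repeat counts as a retransmission
MONITOR_PERIOD = 10.0       # "preset time period" (seconds) over which trusted senders are counted
RATE_THRESHOLD = 50         # "preset threshold": packets per period that evict a trusted source IP


@dataclass(frozen=True)
class IcmpPacket:
    """Fields of one received ICMP packet (a constructed, simplified representation)."""
    src_ip: str
    ttl: int
    icmp_type: int
    icmp_code: int
    ident: int
    seq: int
    length: int
    is_fragment: bool = False   # True when the IP fragment fields mark this packet as a fragment

    def message_info(self):
        # Assumed composition of the "message information" used to match a retransmission.
        return (self.src_ip, self.icmp_type, self.icmp_code, self.ident, self.seq)


@dataclass
class IcmpGuard:
    first_packet_db: dict = field(default_factory=dict)   # message_info -> receiving time
    trust_list: dict = field(default_factory=dict)        # (src_ip, ttl) -> recent send times
    untrusted: set = field(default_factory=set)           # source IPs evicted from the trust list

    def handle(self, pkt: IcmpPacket, now: float) -> str:
        """Classify one packet and return a verdict string."""
        # Claim 9: protocol sanity checks run first and touch no state.
        if (pkt.icmp_type not in LEGAL_ICMP_TYPES or pkt.length >= MAX_ICMP_LEN
                or pkt.is_fragment):
            return "drop-attack"

        # Claims 7 and 8: an already verified sender is forwarded, but its rate is monitored.
        sender = (pkt.src_ip, pkt.ttl)
        if sender in self.trust_list:
            if self._over_threshold(sender, now):
                del self.trust_list[sender]        # deleting module
                self.untrusted.add(pkt.src_ip)     # it is now a "malicious source IP"
                return "drop-untrusted"
            return "forward-trusted"

        # Claim 6: does this packet repeat one we dropped within the retransmission window?
        key = pkt.message_info()
        first_seen = self.first_packet_db.get(key)
        if first_seen is not None and now - first_seen <= RETRANS_WINDOW:
            del self.first_packet_db[key]
            if pkt.src_ip in self.untrusted:
                return "drop-untrusted"
            self.trust_list[sender] = deque()      # verified; counting starts here (assumption)
            return "forward-retransmission"

        # Not a retransmission (unseen, or seen too long ago): drop it and record the receiving time.
        self.first_packet_db[key] = now
        return "drop-first"

    def _over_threshold(self, sender, now) -> bool:
        """Monitoring module: sliding-window count of packets from one trusted sender."""
        times = self.trust_list[sender]
        times.append(now)
        while times and now - times[0] > MONITOR_PERIOD:
            times.popleft()
        return len(times) >= RATE_THRESHOLD


def _echo(src_ip, seq, **overrides):
    """Constructed echo request; overrides let a caller make it oversized or fragmented."""
    fields = dict(ttl=64, icmp_type=8, icmp_code=0, ident=0x1234, length=64)
    fields.update(overrides)
    return IcmpPacket(src_ip, seq=seq, **fields)


def demo():
    """Constructed traffic mix; returns the verdict for each packet in order."""
    g = IcmpGuard()
    return [
        g.handle(_echo("10.0.0.5", 1), 0.0),      # real host: first packet dropped
        g.handle(_echo("10.0.0.5", 1), 1.0),      # retransmitted within the window: forwarded, host trusted
        g.handle(_echo("10.0.0.5", 2), 2.0),      # later packets pass without the handshake
        g.handle(_echo("198.51.100.9", 0), 2.0),  # spoofed flood: never repeats, each packet dropped
        g.handle(_echo("198.51.100.9", 1), 2.0),
        g.handle(_echo("10.0.0.5", 3, length=4096), 3.0),       # oversized, even from a trusted host
        g.handle(_echo("10.0.0.5", 4, is_fragment=True), 3.0),  # fragmented
        g.handle(_echo("10.0.0.8", 1), 4.0),      # first copy dropped ...
        g.handle(_echo("10.0.0.8", 1), 20.0),     # ... repeat after the window is a new first packet
        g.handle(_echo("10.0.0.8", 1), 21.0),     # ... and only this one is a retransmission
    ]


def flood_from_trusted():
    """A verified sender turns into a flood source; returns verdicts and whether it was evicted."""
    g = IcmpGuard()
    g.handle(_echo("10.0.0.7", 1), 0.0)
    g.handle(_echo("10.0.0.7", 1), 0.5)           # verified, now in the trust list
    verdicts = [g.handle(_echo("10.0.0.7", s), 1.0) for s in range(2, 2 + RATE_THRESHOLD)]
    verdicts.append(g.handle(_echo("10.0.0.7", 200), 1.5))  # no longer trusted: first-packet path
    verdicts.append(g.handle(_echo("10.0.0.7", 200), 2.0))  # retransmits, but the source is untrusted
    return verdicts, "10.0.0.7" in g.untrusted
```

The point the example makes concrete is why the scheme works against spoofed ICMP floods: a flood source that forges addresses never sees the dropped first packet and so never retransmits it, while a real stack does; the trusted-sender fast path then avoids paying the handshake on every packet, and the sliding-window count is what prevents a once-verified host from being used as a flood source afterwards. Note that `first_packet_db` grows with every distinct packet dropped, so a real deployment needs an expiry sweep for entries older than the retransmission window.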
CN201810204686.4A 2018-03-13 2018-03-13 Attack protection method and device, equipment and readable storage medium Active CN110213204B (en)

Priority Applications (1)

Application Number Publication Number Priority Date Filing Date Title
CN201810204686.4A CN110213204B (en) 2018-03-13 2018-03-13 Attack protection method and device, equipment and readable storage medium

Applications Claiming Priority (1)

Application Number Publication Number Priority Date Filing Date Title
CN201810204686.4A CN110213204B (en) 2018-03-13 2018-03-13 Attack protection method and device, equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN110213204A CN110213204A (en) 2019-09-06
CN110213204B true CN110213204B (en) 2022-09-23

Family

ID=67779052

Family Applications (1)

Application Number Status Publication Number Priority Date Filing Date Title
CN201810204686.4A Active CN110213204B (en) 2018-03-13 2018-03-13 Attack protection method and device, equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN110213204B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110798451A (en) * 2019-09-29 2020-02-14 新华三信息安全技术有限公司 Security authentication method and device
CN112261056B (en) * 2020-10-27 2022-11-11 南方电网数字电网研究院有限公司 Communication control method and device for power system, control equipment and storage medium
CN112910839B (en) * 2021-01-12 2023-04-25 杭州迪普科技股份有限公司 Method and device for defending DNS attack
CN114039747B (en) * 2021-10-21 2023-05-16 烽火通信科技股份有限公司 DDOS data retransmission attack prevention method, device, equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101355419A (en) * 2008-08-22 2009-01-28 成都市华为赛门铁克科技有限公司 Method and apparatus for avoiding network attack
CN105610852A (en) * 2016-01-15 2016-05-25 腾讯科技(深圳)有限公司 Method and device for processing ACK (Acknowledgement) flooding attack
CN106357688A (en) * 2016-11-04 2017-01-25 中国联合网络通信集团有限公司 Method and device for defending Internet Control Message Protocol (ICMP) flood attack
CN106411791A (en) * 2016-09-05 2017-02-15 上海斐讯数据通信技术有限公司 ICMP fragmented packet reassembly method and forwarding method, controller, and switch
CN106506726A (en) * 2016-12-12 2017-03-15 北京云端智度科技有限公司 A kind of method of verification DNS real users

Also Published As

Publication number Publication date
CN110213204A (en) 2019-09-06

Similar Documents

Publication Publication Date Title
CN110213204B (en) Attack protection method and device, equipment and readable storage medium
US20140157405A1 (en) Cyber Behavior Analysis and Detection Method, System and Architecture
CN109005175B (en) Network protection method, device, server and storage medium
CN110198293B (en) Attack protection method and device for server, storage medium and electronic device
CN101589595B (en) A containment mechanism for potentially contaminated end systems
US7797749B2 (en) Defending against worm or virus attacks on networks
US7926108B2 (en) SMTP network security processing in a transparent relay in a computer network
US7478429B2 (en) Network overload detection and mitigation system and method
CN107710680B (en) Method and device for sending network attack defense strategy and network attack defense
US20050198519A1 (en) Unauthorized access blocking apparatus, method, program and system
Haris et al. Detecting TCP SYN flood attack based on anomaly detection
US20090031423A1 (en) Proactive worm containment (pwc) for enterprise networks
US7610624B1 (en) System and method for detecting and preventing attacks to a target computer system
US7818795B1 (en) Per-port protection against denial-of-service and distributed denial-of-service attacks
KR20150037940A (en) Network traffic processing system
KR20060116741A (en) Method and apparatus for identifying and disabling worms in communication networks
Karig et al. Remote denial of service attacks and countermeasures
US10834125B2 (en) Method for defending against attack, defense device, and computer readable storage medium
CN108667829B (en) Network attack protection method, device and storage medium
CN110198290B (en) Information processing method, equipment, device and storage medium
WO2019096104A1 (en) Attack prevention
Kumarasamy et al. An active defense mechanism for TCP SYN flooding attacks
EP1461704B1 (en) Protecting against malicious traffic
KR20110027386A (en) Apparatus, system and method for protecting malicious packets transmitted outside from user terminal
CN114567484B (en) Message processing method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant