CN110798451A - Security authentication method and device - Google Patents


Info

Publication number
CN110798451A
Authority
CN
China
Prior art keywords
application layer
message
layer message
packet
module
Prior art date
Legal status
Pending
Application number
CN201910932280.2A
Other languages
Chinese (zh)
Inventor
田佳星
Current Assignee
New H3C Security Technologies Co Ltd
Original Assignee
New H3C Security Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the application provides a method and a device for security authentication, and relates to the technical field of communication. The scheme of this application includes: the network security device receives a first application layer message and, if the first application layer message is determined to be the application layer first packet of the session, discards it. If a second application layer message is received within a specified time period and is determined to be a retransmission of the first application layer message, the second application layer message is forwarded to the server and the session state of the second application layer message is updated to an authentication passing state; if no second application layer message is received within the specified time period, or one is received within the specified time period but is determined to be an erroneous retransmission of the first application layer message, the connection between the terminal and the server is interrupted. The method and the device can identify and defend against application layer attacks, and improve network security.

Description

Security authentication method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for security authentication.
Background
At present, network attacks are very common, and as network layer attack defenses have improved, mixed attacks that combine network layer bandwidth-type attacks with application layer attacks have increased gradually. Compared with a network layer attack, the client side of an application layer attack only needs to consume very small bandwidth and host resources to make the server consume very large bandwidth or host resources; that is, the destructive power of an application layer attack is large.
However, at present, network security equipment can identify and defend against network layer attacks, but cannot identify and defend against application layer attacks, so that potential network security risks exist.
Disclosure of Invention
In view of this, embodiments of the present application provide a method and an apparatus for security authentication, so as to implement identification and defense against application layer attacks, and improve network security. The specific technical scheme is as follows:
in a first aspect, the present application provides a method for security authentication, where the method is applied to a network security device located between a terminal and a server, and the method includes:
receiving a first application layer message;
if the first application layer message is determined to be the application layer first packet, discarding the first application layer message;
if a second application layer message is received in a specified time period and the second application layer message is determined to be a retransmission message of the first application layer message, forwarding the second application layer message to a server, and updating the session state of the second application layer message into an authentication passing state;
and if the second application layer message is not received in the specified time period or is received in the specified time period and is determined to be an error retransmission message of the first application layer message, the connection between the terminal and the server is interrupted.
In a possible implementation manner, the first application layer packet is determined to be the application layer first packet by the following method:
judging whether the ACK (acknowledgement) flag bit of the first application layer message is set;
if yes, judging whether the first application layer message includes load data;
if yes, judging whether the session state corresponding to the first application layer message is an unauthenticated state;
and if so, determining that the first application layer message is the application layer first packet.
In one possible implementation, the method further includes:
if the ACK flag bit of the first application layer message is not set or the first application layer message does not include load data, discarding the first application layer message and interrupting the connection between the terminal and the server.
In one possible implementation, the method further includes:
if the first application layer message is determined to be the application layer first packet, updating the session state corresponding to the first application layer message to an authentication state, and recording the moment of receiving the first application layer message and the message acknowledgement number of the first application layer message;
determining that the second application layer packet is a retransmission packet of the first application layer packet by:
and if the session state of the second application layer message is an authentication state, the message serial number of the second application layer message is the same as the message serial number in the session information corresponding to the second application layer message, and the message acknowledgement number of the second application layer message is the same as the message acknowledgement number of the first application layer message, determining that the second application layer message is a retransmission message of the first application layer message.
In one possible implementation, the method further includes:
if the first application layer message is determined to be the application layer first packet, updating the session state corresponding to the first application layer message to an authentication state, and recording the moment of receiving the first application layer message and the message acknowledgement number of the first application layer message;
determining that the second application layer packet is an erroneous retransmission packet of the first application layer packet by:
and under the condition that the session state of the second application layer message is an authentication state, if the message serial number of the second application layer message is different from the message serial number in the session information corresponding to the second application layer message and/or the message acknowledgement number of the second application layer message is different from the message acknowledgement number of the first application layer message, determining that the second application layer message is an erroneous retransmission message of the first application layer message.
In a possible implementation manner, after discarding the first application layer packet, the method further includes:
judging whether the time interval between the moment of receiving the second application layer message and the moment of receiving the first application layer message is smaller than a first time threshold value or not;
if so, discarding the second application layer message;
if not, judging whether the time interval between the moment of receiving the second application layer message and the moment of receiving the first application layer message is greater than a second time threshold value or not; if so, discarding the second application layer message, and interrupting the connection between the terminal and the server; and if not, determining that the second application layer message is received in the specified time period.
In one possible implementation, the method further includes:
and adding the source IP address of the second application layer message into a white list.
In a second aspect, the present application provides an apparatus for security authentication, where the apparatus is applied to a network security device located between a terminal and a server, and the apparatus includes:
the receiving module is used for receiving a first application layer message;
a discarding module, configured to discard the first application layer packet if it is determined that the first application layer packet is the application layer first packet;
the sending module is used for forwarding a second application layer message to a server if the second application layer message is received in a specified time period and the second application layer message is determined to be a retransmission message of the first application layer message;
the updating module is used for updating the session state of the second application layer message into an authentication passing state if the second application layer message is received in a specified time period and the second application layer message is determined to be a retransmission message of the first application layer message;
and the interruption module is used for interrupting the connection between the terminal and the server if the second application layer message is not received in the specified time period or the second application layer message is received in the specified time period and the second application layer message is determined to be an error retransmission message of the first application layer message.
In one possible implementation, the apparatus further includes: a determination module;
the determining module is configured to determine that the first application layer packet is the application layer first packet by:
judging whether the ACK (acknowledgement) flag bit of the first application layer message is set;
if yes, judging whether the first application layer message includes load data;
if yes, judging whether the session state corresponding to the first application layer message is an unauthenticated state;
and if so, determining that the first application layer message is the application layer first packet.
In a possible implementation manner, the discarding module is further configured to discard the first application layer packet and trigger the interrupting module to interrupt the connection between the terminal and the server if the ACK flag bit of the first application layer packet is not set or the first application layer packet does not include load data.
In a possible implementation manner, the updating module is further configured to update a session state corresponding to the first application layer packet to an authentication state if it is determined that the first application layer packet is the application layer first packet, and record the time when the first application layer packet is received and the packet acknowledgement number of the first application layer packet;
the determining module is further configured to determine that the second application layer packet is a retransmission packet of the first application layer packet by:
and if the session state of the second application layer message is an authentication state, the message serial number of the second application layer message is the same as the message serial number in the session information corresponding to the second application layer message, and the message acknowledgement number of the second application layer message is the same as the message acknowledgement number of the first application layer message, determining that the second application layer message is a retransmission message of the first application layer message.
In a possible implementation manner, the updating module is further configured to update a session state corresponding to the first application layer packet to an authentication state if it is determined that the first application layer packet is the application layer first packet, and record the time when the first application layer packet is received and the packet acknowledgement number of the first application layer packet;
the determining module is further configured to determine that the second application layer packet is an erroneous retransmission packet of the first application layer packet by:
and under the condition that the session state of the second application layer message is an authentication state, if the message serial number of the second application layer message is different from the message serial number in the session information corresponding to the second application layer message and/or the message acknowledgement number of the second application layer message is different from the message acknowledgement number of the first application layer message, determining that the second application layer message is an erroneous retransmission message of the first application layer message.
In one possible implementation, the apparatus further includes: a judgment module;
the judging module is used for judging whether the time interval between the moment of receiving the second application layer message and the moment of receiving the first application layer message is smaller than a first time threshold value or not;
the discarding module is configured to discard the second application layer packet if the judging module determines that the time interval is smaller than the first time threshold;
the judging module is further configured to judge whether a time interval between a time of receiving the second application layer packet and a time of receiving the first application layer packet is greater than a second time threshold if the judgment result of the judging module is not less than the first time threshold;
the discarding module is further configured to discard the second application layer packet and trigger the interrupting module to interrupt the connection between the terminal and the server if the determining module determines that a time interval between the time of receiving the second application layer packet and the time of receiving the first application layer packet is greater than a second time threshold;
the determining module is further configured to determine that the second application layer packet is received within the specified time period if the determining module determines that a time interval between the time of receiving the second application layer packet and the time of receiving the first application layer packet is not greater than a second time threshold.
In one possible implementation, the apparatus further includes:
and the white list module is used for adding the source IP address of the second application layer message into a white list.
In a third aspect, an embodiment of the present application provides a network security device, where the network security device includes: a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to implement the security authentication method described in the first aspect.
In a fourth aspect, the present application further provides a computer-readable storage medium, in which a computer program is stored, and when executed by a processor, the computer program implements the method for secure authentication described in the first aspect.
In a fifth aspect, embodiments of the present application further provide a computer program product containing instructions, which when run on a computer, cause the computer to perform the method for secure authentication described in the first aspect.
By adopting the method and the device for security authentication provided by the embodiment of the application, the network security device receives a first application layer message and discards it if the first application layer message is the application layer first packet. If a second application layer message is received within a specified time period and is determined to be a retransmission of the first application layer message, the second application layer message is forwarded to the server and the session state of the second application layer message is updated to an authentication passing state; if no second application layer message is received within the specified time period, or one is received within the specified time period but is determined to be an erroneous retransmission of the first application layer message, the connection between the terminal and the server is interrupted. Therefore, in the embodiment of the application, the terminal's retransmission mechanism for the first application layer message can be utilized: after the first application layer message is discarded, if a retransmission of the first application layer message is received within the specified time period, the authentication passes; if an erroneous retransmission of the first application layer message is received within the specified time period, the connection between the terminal and the server is interrupted, so that the terminal is prevented from continuing to send application layer attack messages to the server, and the defense against attack messages is realized. Compared with the prior art, the embodiment of the application realizes the identification of and defense against application layer attacks and improves the security of network communication.
Of course, not all advantages described above need to be achieved at the same time in the practice of any one product or method of the present application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic diagram of a network architecture according to an embodiment of the present application;
fig. 2 is a flowchart of a method for security authentication according to an embodiment of the present application;
fig. 3 is a flowchart of another method for secure authentication according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a security authentication apparatus according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a network security device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The embodiment of the application is applied to a network architecture as shown in fig. 1, where the network architecture includes a terminal, a security device, and a server.
The terminal can be a mobile phone, a computer, a wearable device with a wireless communication function, and the like.
The security device may be a firewall, and the security device is disposed between the terminal and the server and configured to perform security verification on the terminal accessing the server.
In the embodiment of the application, in the process of establishing the network connection between the terminal and the server, the network security device can perform TCP network authentication on the terminal, and after the authentication is passed, the TCP connection is established between the terminal and the server. And the network security device generates session information of a session established between the terminal and the server.
Optionally, the session information includes five-tuple information and a session state, and the session state is an unauthenticated state after the TCP connection is established.
Subsequently, the application layer authentication can be performed by the following method provided by the embodiment of the present application.
As shown in fig. 2, an embodiment of the present application provides a method for security authentication, where the method is applied to a network security device between a terminal and a server, and the method includes:
S201, receiving a first application layer message.
When the network security equipment receives the first application layer message, the time for receiving the first application layer message can be recorded.
S202, if the first application layer message is determined to be the application layer first packet, discarding the first application layer message.
In one embodiment, the network security device may determine that the first application layer packet is the application layer first packet (that is, the first packet carrying application layer data in the session) by: judging whether the ACK flag bit of the first application layer message is set; if so, judging whether the first application layer message includes load data; if so, judging whether the session state corresponding to the first application layer message is an unauthenticated state; and if so, determining that the first application layer message is the application layer first packet.
After the TCP connection is established between the terminal and the server, the session state of the session between the terminal and the server is an unauthenticated state, and the protocol specifies that the ACK flag bit of the first application layer packet is set (for example, set to 1), so that if all the determination results are yes, it is determined that the first application layer packet is the application layer first packet.
Optionally, if the ACK flag bit of the first application layer packet is not set, or the first application layer packet does not include load data, it is determined that the first application layer packet is an abnormal packet, and the server discards the first application layer packet and interrupts connection between the terminal and the server.
In this embodiment, the network security device may send a Reset connection (RST) message to the terminal and the server, respectively, so as to interrupt the connection between the terminal and the server.
S203, if the second application layer message is received in the designated time period and the second application layer message is determined to be the retransmission message of the first application layer message, the second application layer message is forwarded to the server, and the session state of the second application layer message is updated to be the authentication passing state.
Based on the retransmission mechanism of the terminal, if the transmission of the first application layer message fails, the terminal retransmits the first application layer message. If the network security device receives the retransmission message of the first application layer message in the designated time period, the network security device considers that the retransmission message is not an attack message and accords with a normal retransmission mechanism, so that the session state of the second application layer message is updated to be an authentication passing state.
The network security device may search for session information that matches the five-tuple of the second application layer packet and update the session state included in the session information to an authentication-passed state.
S204, if the second application layer message is not received in the specified time period, or is received in the specified time period and is determined to be an erroneous retransmission message of the first application layer message, the connection between the terminal and the server is interrupted.
By adopting the security authentication method provided by the embodiment of the application, the network security device receives a first application layer message and discards it if the first application layer message is the application layer first packet. If a second application layer message is received within a specified time period and is determined to be a retransmission of the first application layer message, the second application layer message is forwarded to the server and the session state of the second application layer message is updated to an authentication passing state; if no second application layer message is received within the specified time period, or one is received within the specified time period but is determined to be an erroneous retransmission of the first application layer message, the connection between the terminal and the server is interrupted. Therefore, in the embodiment of the application, the terminal's retransmission mechanism for the first application layer message can be utilized: after the first application layer message is discarded, if a retransmission of the first application layer message is received within the specified time period, the authentication passes; if an erroneous retransmission of the first application layer message is received within the specified time period, the connection between the terminal and the server is interrupted, so that the terminal is prevented from continuing to send application layer attack messages to the server, and the defense against attack messages is realized. Compared with the prior art, the embodiment of the application realizes the identification of and defense against application layer attacks and improves the security of network communication.
In the embodiment of the application, if it is determined that the first application layer packet is the application layer first packet, the session state corresponding to the first application layer packet is updated to the authentication state, and the time when the first application layer packet is received and the packet acknowledgement number of the first application layer packet are recorded.
The message acknowledgement number is used to indicate the sequence number of the next byte that the terminal expects to receive. As an example, if the terminal has received all bytes with sequence numbers 0-535 sent by the server, the message acknowledgment number of the next message sent by the terminal to the server is 536.
For the above S203, if the second application layer packet is received within the specified time period, the server may determine that the second application layer packet is a retransmission packet of the first application layer packet in the following manner:
and if the session state of the second application layer message is the authentication state, the message serial number of the second application layer message is the same as the message serial number in the session information corresponding to the second application layer message, and the message acknowledgement number of the second application layer message is the same as the message acknowledgement number of the first application layer message, determining that the second application layer message is the retransmission message of the first application layer message.
When the network security device receives a first application layer packet that is the application layer first packet, the network security device may determine the packet sequence number of the first application layer packet and record, in the session information, the packet sequence number of the next packet to be received. For example, if the message sequence number of the first application layer message is 10000, then after the network security device discards the first application layer message, the sequence number recorded in the session information is 10000.
In addition, if the first application layer packet of the terminal is discarded, the terminal needs to retransmit the first application layer packet, and at this time, the sequence number of the next byte expected to be received by the terminal is the same as the sequence number of the next byte expected to be received by the terminal when the first application layer packet is sent, so that the packet acknowledgment number carried by the first application layer packet and the retransmission packet of the first application layer packet is the same.
For the above S204, the server may determine that the second application layer packet is an erroneous retransmission packet of the first application layer packet by the following method:
When the session state of the second application layer packet is the authentication state, if the packet sequence number of the second application layer packet differs from the sequence number recorded in the session information corresponding to it, and/or the packet acknowledgement number of the second application layer packet differs from the packet acknowledgement number of the first application layer packet, the second application layer packet is determined to be an erroneous retransmission packet of the first application layer packet.
In an implementation manner of the embodiment of the present application, as shown in fig. 3, if in step S202 the first application layer packet is determined to be the initial application layer packet of the session and is discarded, the method further includes the following steps:
S301, receiving a second application layer message whose session state is the authentication state.
S302, judging whether the time interval between the moment of receiving the second application layer message and the moment of receiving the first application layer message is smaller than a first time threshold.
The first time threshold is the shortest time required for the terminal to retransmit the first application layer message, and can be set according to an empirical value.
If yes, executing S303; if not, go to step S304.
S303, discarding the second application layer message.
If the time interval between the moment of receiving the second application layer message and the moment of receiving the first application layer message is smaller than the first time threshold, the network security device can determine that the received message is not the retransmission message of the first application layer message, because it arrived sooner than any retransmission could; it therefore discards the second application layer message and continues to wait for the retransmission message of the first application layer message.
S304, judging whether the time interval between the moment of receiving the second application layer message and the moment of receiving the first application layer message is larger than a second time threshold value.
If yes, go to S305; if not, go to S306.
The second time threshold is the longest time required for the terminal to retransmit the first application layer message, and can be set according to an empirical value.
S305, discarding the second application layer message, and interrupting the connection between the terminal and the server.
If the time interval is greater than the second time threshold, it indicates that the terminal does not retransmit the first application layer packet within the specified time period, that is, within the specified retransmission time period, and the network security device may determine that the second application layer packet received after exceeding the second time threshold is an abnormal packet, so that the second application layer packet is discarded, and the connection between the terminal and the server is interrupted.
S306, determining that the second application layer message is received in the specified time period.
In one embodiment, after the second application layer packet is determined to be a retransmission packet of the first application layer packet, the session state of the second application layer packet is updated to the authentication-passing state. When the network security device subsequently receives an application layer packet, it looks up the session information by the five-tuple of that packet; if the session state found is the authentication-passing state, the packet is forwarded to the server. In other words, only application layer packets whose session has passed authentication are forwarded, application layer packets whose session has not passed authentication are not forwarded to the server, and the security of network communication is thereby ensured.
In another embodiment, the network security device may add the source IP address of the second application layer packet to a white list, and then other packets including the source IP address may be forwarded to the server by the network security device without undergoing TCP authentication and application layer authentication. That is, the network security device does not need to perform TCP authentication and application layer authentication on the packets corresponding to other sessions including the source IP address.
When the network security equipment receives the message again, the network security equipment can judge whether the source IP address of the message is in the white list, if so, the message is forwarded without authentication of an application layer, the message forwarding speed can be improved, and the service response speed is accelerated.
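The session-state logic of S201 to S204 and S301 to S306 above, together with the optional white list, as an added Python model that is not code from the patent or from the applicant; the thresholds (0.2 s and 3 s), the five-tuple layout, the clock and the sample packets are constructed assumptions, and only application layer packets (those that have already passed TCP-level handling) are modelled.

```python
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    UNAUTHENTICATED = "unauthenticated"   # no application-layer data seen on this session yet
    AUTHENTICATING = "authentication"     # initial packet dropped, waiting for its retransmission
    PASSED = "authentication-passing"     # retransmission verified; forward without further checks

class Verdict(Enum):
    DROP = "drop"                  # discard, keep the session
    FORWARD = "forward"            # pass to the server
    INTERRUPT = "drop+interrupt"   # discard and tear the terminal/server connection down

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int           # TCP sequence number
    ack: int           # TCP acknowledgement number
    ack_flag: bool     # ACK flag bit
    payload: bytes     # application-layer load data
    t: float           # receive time in seconds (constructed clock)

@dataclass
class Session:
    state: State = State.UNAUTHENTICATED
    expected_seq: int = -1      # sequence number of the next packet expected
    first_ack: int = -1         # acknowledgement number carried by the dropped packet
    first_time: float = 0.0     # time the dropped packet was received

class FirstPacketAuthenticator:
    def __init__(self, t_min: float, t_max: float) -> None:
        self.t_min = t_min       # first time threshold: shortest plausible retransmission delay
        self.t_max = t_max       # second time threshold: longest allowed retransmission delay
        self.sessions = {}       # five-tuple -> Session (the session information table)
        self.whitelist = set()   # source IPs that skip application-layer authentication

    def handle(self, pkt: Packet) -> Verdict:
        if pkt.src_ip in self.whitelist:
            return Verdict.FORWARD
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, "tcp")   # five-tuple
        sess = self.sessions.setdefault(key, Session())
        if sess.state is State.PASSED:
            return Verdict.FORWARD
        if sess.state is State.UNAUTHENTICATED:
            return self._initial(pkt, sess, key)
        return self._candidate(pkt, sess, key)

    def _initial(self, pkt: Packet, sess: Session, key: tuple) -> Verdict:
        if not pkt.ack_flag or not pkt.payload:   # claim 3: initial packet must be ACK-flagged data
            return self._interrupt(key)
        sess.state = State.AUTHENTICATING   # S202: drop it, remember what a retransmission repeats
        sess.expected_seq = pkt.seq         # dropped, so the next expected seq is still this one
        sess.first_ack = pkt.ack
        sess.first_time = pkt.t
        return Verdict.DROP

    def _candidate(self, pkt: Packet, sess: Session, key: tuple) -> Verdict:
        interval = pkt.t - sess.first_time
        if interval < self.t_min:           # S303: too early to be a retransmission, keep waiting
            return Verdict.DROP
        if interval > self.t_max:           # S305: retransmission window missed
            return self._interrupt(key)
        if pkt.seq == sess.expected_seq and pkt.ack == sess.first_ack:   # S203: genuine retransmission
            sess.state = State.PASSED
            self.whitelist.add(pkt.src_ip)  # optional white list step
            return Verdict.FORWARD
        return self._interrupt(key)         # S204: erroneous retransmission

    def _interrupt(self, key: tuple) -> Verdict:
        self.sessions.pop(key, None)   # drop the session together with the connection
        return Verdict.INTERRUPT

    def expire(self, now: float) -> list:
        """Sessions whose retransmission never arrived within t_max: interrupt them (S204)."""
        stale = [k for k, s in self.sessions.items()
                 if s.state is State.AUTHENTICATING and now - s.first_time > self.t_max]
        for k in stale:
            self._interrupt(k)
        return stale

def demo() -> list:
    auth = FirstPacketAuthenticator(t_min=0.2, t_max=3.0)   # assumed thresholds, in seconds
    good = dict(src_ip="198.51.100.10", src_port=40000, dst_ip="192.0.2.1", dst_port=443,
                ack_flag=True, payload=b"GET / HTTP/1.1\r\n")
    bad = dict(src_ip="203.0.113.7", src_port=51000, dst_ip="192.0.2.1", dst_port=443,
               ack_flag=True, payload=b"junk")
    trace = [   # constructed traffic: a well-behaved client and a source whose retransmission is wrong
        Packet(seq=10000, ack=5001, t=0.00, **good),  # initial data packet: dropped
        Packet(seq=10000, ack=5001, t=0.05, **good),  # arrives before t_min: dropped, keep waiting
        Packet(seq=10000, ack=5001, t=1.00, **good),  # genuine retransmission: forwarded
        Packet(seq=10016, ack=5001, t=1.50, **good),  # later data on the same session: forwarded
        Packet(seq=777, ack=1, t=0.00, **bad),        # initial packet from the other source: dropped
        Packet(seq=800, ack=1, t=0.50, **bad),        # wrong seq inside the window: interrupted
    ]
    return [auth.handle(p).value for p in trace]
```

Calling `expire()` from a timer covers the case where no second packet arrives at all, which `handle()` alone can only notice when a later packet shows up.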
Based on the same technical concept, an embodiment of the present application further provides a device for security authentication, where the device is applied to a network security device between a terminal and a server, and as shown in fig. 4, the device includes: a receiving module 401, a discarding module 402, a sending module 403, an updating module 404 and an interrupting module 405.
A receiving module 401, configured to receive a first application layer packet;
a discarding module 402, configured to discard the first application layer packet if the first application layer packet is determined to be the initial application layer packet of the session;
a sending module 403, configured to forward the second application layer packet to the server if the second application layer packet is received within a specified time period and the second application layer packet is determined to be a retransmission packet of the first application layer packet;
an updating module 404, configured to update a session state of the second application layer packet to an authentication-passing state if the second application layer packet is received within a specified time period and the second application layer packet is determined to be a retransmission packet of the first application layer packet;
the interrupting module 405 is configured to interrupt the connection between the terminal and the server if the second application layer packet is not received in the specified time period or the second application layer packet is received in the specified time period and it is determined that the second application layer packet is an erroneous retransmission packet of the first application layer packet.
Optionally, the apparatus further comprises: a determination module;
a determining module, configured to determine that the first application layer packet is the initial application layer packet of the session by:
judging whether the ACK (acknowledgement) flag bit of the first application layer packet is set;
if yes, judging whether the first application layer packet includes load data;
if yes, judging whether the session state corresponding to the first application layer packet is the unauthenticated state;
if so, determining that the first application layer packet is the initial application layer packet of the session.
Optionally, the discarding module 402 is further configured to discard the first application layer packet and trigger the interrupting module 405 to interrupt the connection between the terminal and the server if the ACK flag bit of the first application layer packet is not set or the first application layer packet does not include load data.
Optionally, the updating module 404 is further configured to update the session state corresponding to the first application layer packet to the authentication state if the first application layer packet is determined to be the initial application layer packet of the session, and to record the time at which the first application layer packet is received and the packet acknowledgement number of the first application layer packet;
the determining module is further configured to determine that the second application layer packet is a retransmission packet of the first application layer packet by:
if the session state of the second application layer packet is the authentication state, the packet sequence number of the second application layer packet is the same as the sequence number recorded in the session information corresponding to it, and the packet acknowledgement number of the second application layer packet is the same as the packet acknowledgement number of the first application layer packet, determining that the second application layer packet is the retransmission packet of the first application layer packet.
Optionally, the updating module 404 is further configured to update the session state corresponding to the first application layer packet to the authentication state if the first application layer packet is determined to be the initial application layer packet of the session, and to record the time at which the first application layer packet is received and the packet acknowledgement number of the first application layer packet;
the determining module is further configured to determine that the second application layer packet is an erroneous retransmission packet of the first application layer packet by:
when the session state of the second application layer packet is the authentication state, if the packet sequence number of the second application layer packet differs from the sequence number recorded in the session information corresponding to it, and/or the packet acknowledgement number of the second application layer packet differs from the packet acknowledgement number of the first application layer packet, determining that the second application layer packet is an erroneous retransmission packet of the first application layer packet.
Optionally, the apparatus further comprises: a judgment module;
the judging module is used for judging whether the time interval between the moment of receiving the second application layer message and the moment of receiving the first application layer message is smaller than a first time threshold value or not;
the discarding module 402 is configured to discard the second application layer packet if the judging module determines that the time interval is smaller than the first time threshold;
the judging module is further used for judging whether the time interval between the moment of receiving the second application layer message and the moment of receiving the first application layer message is greater than a second time threshold value or not if the judging result of the judging module is not less than the first time threshold value;
the discarding module 402 is further configured to discard the second application layer packet and trigger the interrupting module 405 to interrupt the connection between the terminal and the server if the determining module determines that the time interval between the time of receiving the second application layer packet and the time of receiving the first application layer packet is greater than a second time threshold;
the determining module is further configured to determine that the second application layer packet is received within a specified time period if the determining module determines that the time interval between the time of receiving the second application layer packet and the time of receiving the first application layer packet is not greater than the second time threshold.
Optionally, the apparatus further comprises:
and the white list module is used for adding the source IP address of the second application layer message into a white list.
The embodiment of the present application further provides a network security device, as shown in fig. 5, which includes a processor 501, a communication interface 502, a memory 503 and a communication bus 504, wherein the processor 501, the communication interface 502, and the memory 503 complete mutual communication through the communication bus 504,
a memory 503 for storing a computer program;
the processor 501 is configured to implement the steps executed by the network security device in the foregoing method embodiments when executing the program stored in the memory 503.
The communication bus mentioned in the network security device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the network security device and other devices.
The memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In yet another embodiment provided by the present application, a computer-readable storage medium is further provided, in which a computer program is stored, and the computer program, when executed by a processor, implements the steps of any of the above-mentioned methods for secure authentication.
In yet another embodiment provided by the present application, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform any of the above-described methods of secure authentication.
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized wholly or partially in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the application are produced, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via a wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) link. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that incorporates one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only for the preferred embodiment of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (16)

1. A method for security authentication is applied to a network security device located between a terminal and a server, and the method comprises the following steps:
receiving a first application layer message;
if the first application layer message is determined to be the first application layer message, discarding the first application layer message;
if a second application layer message is received in a specified time period and the second application layer message is determined to be a retransmission message of the first application layer message, forwarding the second application layer message to a server, and updating the session state of the second application layer message into an authentication passing state;
and if the second application layer message is not received in the specified time period or is received in the specified time period and is determined to be an error retransmission message of the first application layer message, the connection between the terminal and the server is interrupted.
2. The method of claim 1, wherein the first application layer packet is determined to be a first application layer packet by:
judging whether an ACK (acknowledgement character) marking bit of the first application layer message is set or not;
if yes, judging whether the first application layer message comprises load data;
if yes, judging whether the session state corresponding to the first application layer message is an unauthenticated state or not;
and if so, determining the first application layer message as a first application layer message.
3. The method of claim 2, further comprising:
if the ACK flag bit of the first application layer message is not set or the first application layer message does not include load data, discarding the first application layer message and interrupting the connection between the terminal and the server.
4. The method of claim 2, further comprising:
if the first application layer message is determined to be the first application layer message, updating the session state corresponding to the first application layer message to be an authentication state, and recording the moment of receiving the first application layer message and the message confirmation number of the first application layer message;
determining that the second application layer packet is a retransmission packet of the first application layer packet by:
and if the session state of the second application layer message is an authentication state, the message serial number of the second application layer message is the same as the message serial number in the session information corresponding to the second application layer message, and the message acknowledgement number of the second application layer message is the same as the message acknowledgement number of the first application layer message, determining that the second application layer message is a retransmission message of the first application layer message.
5. The method of claim 2, further comprising:
if the first application layer message is determined to be the first application layer message, updating the session state corresponding to the first application layer message to be an authentication state, and recording the moment of receiving the first application layer message and the message confirmation number of the first application layer message;
determining that the second application layer packet is an erroneous retransmission packet of the first application layer packet by:
and under the condition that the session state of the second application layer message is an authentication state, if the message serial number of the second application layer message is different from the message serial number in the session information corresponding to the second application layer message and/or the message acknowledgement number of the second application layer message is different from the message acknowledgement number of the first application layer message, determining that the second application layer message is an erroneous retransmission message of the first application layer message.
6. The method of claim 1, wherein after discarding the first application layer packet, the method further comprises:
judging whether the time interval between the moment of receiving the second application layer message and the moment of receiving the first application layer message is smaller than a first time threshold value or not;
if the time interval is smaller than the first time threshold, discarding the second application layer message;
if not, judging whether the time interval between the moment of receiving the second application layer message and the moment of receiving the first application layer message is greater than a second time threshold value or not; if so, discarding the second application layer message, and interrupting the connection between the terminal and the server; and if not, determining that the second application layer message is received in the specified time period.
7. The method of claim 1 or 4, further comprising:
and adding the source IP address of the second application layer message into a white list.
8. An apparatus for security authentication, the apparatus being applied to a network security device located between a terminal and a server, the apparatus comprising:
the receiving module is used for receiving a first application layer message;
a discarding module, configured to discard the first application layer packet if it is determined that the first application layer packet is the first application layer packet;
the sending module is used for forwarding a second application layer message to a server if the second application layer message is received in a specified time period and the second application layer message is determined to be a retransmission message of the first application layer message;
the updating module is used for updating the session state of the second application layer message into an authentication passing state if the second application layer message is received in a specified time period and the second application layer message is determined to be a retransmission message of the first application layer message;
and the interruption module is used for interrupting the connection between the terminal and the server if the second application layer message is not received in the specified time period or the second application layer message is received in the specified time period and the second application layer message is determined to be an error retransmission message of the first application layer message.
9. The apparatus of claim 8, further comprising: a determination module;
the determining module is configured to determine that the first application layer packet is a first application layer packet by:
judging whether an ACK (acknowledgement character) marking bit of the first application layer message is set or not;
if yes, judging whether the first application layer message comprises load data;
if yes, judging whether the session state corresponding to the first application layer message is an unauthenticated state or not;
and if so, determining the first application layer message as a first application layer message.
10. The apparatus of claim 9,
the discarding module is further configured to discard the first application layer packet and trigger the interrupting module to interrupt the connection between the terminal and the server if the ACK flag bit of the first application layer packet is not set or the first application layer packet does not include load data.
11. The apparatus of claim 9,
the updating module is further configured to update a session state corresponding to the first application layer packet to an authentication state if it is determined that the first application layer packet is the first application layer packet, and record a time when the first application layer packet is received and a packet acknowledgement number of the first application layer packet;
the determining module is further configured to determine that the second application layer packet is a retransmission packet of the first application layer packet by:
and if the session state of the second application layer message is an authentication state, the message serial number of the second application layer message is the same as the message serial number in the session information corresponding to the second application layer message, and the message acknowledgement number of the second application layer message is the same as the message acknowledgement number of the first application layer message, determining that the second application layer message is a retransmission message of the first application layer message.
12. The apparatus of claim 9,
the updating module is further configured to update a session state corresponding to the first application layer packet to an authentication state if it is determined that the first application layer packet is the first application layer packet, and record a time when the first application layer packet is received and a packet acknowledgement number of the first application layer packet;
the determining module is further configured to determine that the second application layer packet is an erroneous retransmission packet of the first application layer packet by:
and under the condition that the session state of the second application layer message is an authentication state, if the message serial number of the second application layer message is different from the message serial number in the session information corresponding to the second application layer message and/or the message acknowledgement number of the second application layer message is different from the message acknowledgement number of the first application layer message, determining that the second application layer message is an erroneous retransmission message of the first application layer message.
13. The apparatus of claim 8, further comprising: a judgment module;
the judging module is used for judging whether the time interval between the moment of receiving the second application layer message and the moment of receiving the first application layer message is smaller than a first time threshold value or not;
the discarding module is configured to discard the second application layer packet if the judging module determines that the time interval is smaller than the first time threshold;
the judging module is further configured to judge whether a time interval between a time of receiving the second application layer packet and a time of receiving the first application layer packet is greater than a second time threshold if the judgment result of the judging module is not less than the first time threshold;
the discarding module is further configured to discard the second application layer packet and trigger the interrupting module to interrupt the connection between the terminal and the server if the determining module determines that a time interval between the time of receiving the second application layer packet and the time of receiving the first application layer packet is greater than a second time threshold;
the determining module is further configured to determine that the second application layer packet is received within the specified time period if the determining module determines that a time interval between the time of receiving the second application layer packet and the time of receiving the first application layer packet is not greater than a second time threshold.
14. The apparatus of claim 8 or 11, further comprising:
and the white list module is used for adding the source IP address of the second application layer message into a white list.
15. A network security device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to: carrying out the method steps of any one of claims 1 to 7.
16. A machine-readable storage medium having stored thereon machine-executable instructions that, when invoked and executed by a processor, cause the processor to: carrying out the method steps of any one of claims 1 to 7.
Application CN201910932280.2A, priority date 2019-09-29, filing date 2019-09-29, title "Security authentication method and device", legal status Pending.
Publication CN110798451A (en), published 2020-02-14. Family ID 69438766.

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030135625A1 (en) * 2002-01-15 2003-07-17 International Business Machines Corporation Blended SYN cookies
CN102739683A (en) * 2012-06-29 2012-10-17 Hangzhou DPtech Technologies Co., Ltd. Network attack filtering method and device
US20140337614A1 (en) * 2013-05-07 2014-11-13 Imperva, Inc. Selective modification of encrypted application layer data in a transparent security gateway
CN104780065A (en) * 2015-04-01 2015-07-15 Fujian Star-net Ruijie Networks Co., Ltd. Hot standby method and system for TCP (Transmission Control Protocol)
CN110213204A (en) * 2018-03-13 2019-09-06 Tencent Technology (Shenzhen) Co., Ltd. Attack protection method and device, equipment and readable storage medium
CN110198293A (en) * 2018-04-08 2019-09-03 Tencent Technology (Shenzhen) Co., Ltd. Attack protection method and device for server, storage medium and electronic device
CN108810019A (en) * 2018-07-13 2018-11-13 Tencent Technology (Shenzhen) Co., Ltd. Denial-of-service attack defense method, apparatus, device and storage medium
CN110166471A (en) * 2019-05-28 2019-08-23 Hangzhou DPtech Technologies Co., Ltd. Portal authentication method and device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
程光 et al.: Internet Big Data Mining and Classification (《互联网大数据挖掘与分类》), 31 December 2015 *
金伟 et al.: "A detection and control system for DDoS attacks" (针对DDoS攻击的检测与控制系统), Cyberspace Security (《网络空间安全》) *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023060881A1 (en) * 2021-10-15 2023-04-20 Huawei Technologies Co., Ltd. Method and apparatus for identifying source address of message
CN114567484A (en) * 2022-02-28 2022-05-31 Tianyi Security Technology Co., Ltd. Message processing method and device, electronic equipment and storage medium
CN114567484B (en) * 2022-02-28 2024-03-12 Tianyi Security Technology Co., Ltd. Message processing method and device, electronic equipment and storage medium
CN115378764A (en) * 2022-08-19 2022-11-22 Hillstone Networks Co., Ltd. Communication method, communication apparatus, storage medium, and electronic apparatus
CN115378764B (en) * 2022-08-19 2024-04-05 Hillstone Networks Co., Ltd. Communication method, device, storage medium and electronic device

Similar Documents

Publication Publication Date Title
US10284594B2 (en) Detecting and preventing flooding attacks in a network environment
CN109889547B (en) Abnormal network equipment detection method and device
CN110519265B (en) Method and device for defending attack
CN110198293B (en) Attack protection method and device for server, storage medium and electronic device
CN111314328A (en) Network attack protection method and device, storage medium and electronic equipment
EP2739002B1 (en) Systems and methods for transparently monitoring network traffic for denial of service attacks
CN110798451A (en) Security authentication method and device
CN107395632B (en) SYN Flood protection method, device, cleaning equipment and medium
US10382481B2 (en) System and method to spoof a TCP reset for an out-of-band security device
US20190020681A1 (en) Method and system for processing forged tcp packet
CN111314358A (en) Attack protection method, device, system, computer storage medium and electronic equipment
CN110191104A (en) Security protection method and device
CN116827853A (en) Path processing method and device and electronic equipment
JP4391455B2 (en) Unauthorized access detection system and program for DDoS attack
CN112511516B (en) Attack protection method and device
CN109617893B (en) Method and device for preventing botnet DDoS attack and storage medium
CN111200505B (en) Message processing method and device
CN112702358A (en) SYN Flood attack protection method and device, electronic device and storage medium
CN114124489B (en) Method, cleaning device, equipment and medium for preventing flow attack
CN111193689B (en) Network attack processing method and device, electronic equipment and storage medium
US11683327B2 (en) Demand management of sender of network traffic flow
CN114567484B (en) Message processing method and device, electronic equipment and storage medium
CN113839826A (en) Method and device for detecting windows terminal and computer readable storage medium
CN112437011A (en) Flow table matching method and device, electronic equipment and medium
CN117560211A (en) Flooding attack defense method, device, equipment and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication Application publication date: 20200214