CN110855719B - Low-delay TCP (Transmission control protocol) cross-message firewall detection method - Google Patents


Info

Publication number: CN110855719B
Authority: CN (China)
Application number: CN201911286043.XA
Other languages: Chinese (zh)
Other versions: CN110855719A (en)
Inventors: 刘颖, 范渊, 吴永越, 郑学新, 刘韬
Current assignee: Chengdu DBAPPSecurity Co Ltd
Original assignee: Chengdu DBAPPSecurity Co Ltd
Legal status: Active
Prior art keywords: message, messages, receiving end, buffer area, data receiving

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 ... for detecting or protecting against malicious traffic > H04L63/1408 ... by monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/50 Network services > H04L67/56 Provisioning of proxy services > H04L67/568 Storing data temporarily at an intermediate stage, e.g. caching


Abstract

The invention belongs to the technical field of firewall detection and discloses a low-delay TCP (transmission control protocol) cross-message firewall detection method, comprising the following steps: when N messages are to be detected, first back up messages 2-N in a buffer area and then send them to the data receiving end; assemble and detect messages 1-N in the buffer area; if an attack is detected, carry out blocking processing; if no attack is detected, send message 1 to the data receiving end and empty the buffer area to finish detection. The beneficial effects of the invention are that it can effectively detect cross-message attacks and that it effectively reduces the delay of the detection process.

Description

Low-delay TCP (Transmission control protocol) cross-message firewall detection method
Technical Field
The invention relates to the technical field of firewall detection, in particular to a low-delay TCP (transmission control protocol) cross-message firewall detection method.
Background
A cross-packet attack is one in which the attack data spans two or more IP packets. In a single-packet attack the attack data is complete within one IP packet, so the firewall can recognize the attack by inspecting that packet alone. In a cross-packet attack the attack data is spread over two or more packets, so no single packet inspected on its own allows the firewall to recognize the attack.
TCP is a connection-oriented, reliable, byte-stream based transport layer protocol. It is the most widely used protocol on the current internet, and most application layer protocols are built on top of it.
IP is a connectionless, unreliable network layer protocol; it usually sits beneath TCP and implements the interconnection of networks.
Because IP is connectionless it is unreliable: IP packets may be lost, and they may arrive in a different order from the one in which they were sent. To guarantee reliability, TCP must reassemble the underlying IP packets into a byte stream before that stream can be processed by the application. The basis for this reassembly is the SEQ (sequence number) field in the TCP header.
In the prior art, current firewalls may handle such attacks by the following methods:
a. Single-packet detection: one IP message is inspected at a time, and if no attack is detected the message is released immediately. Its advantage is low delay; its drawback is that it cannot detect cross-message attacks.
b. Cache detection: several IP messages are inspected at a time (the detection start position and length are determined according to the application layer protocol), that is, several messages are cached and combined for detection, and only after detection finishes are all the messages sent on together if no attack is found.
Disclosure of Invention
The invention aims to provide a low-delay TCP (transmission control protocol) cross-message firewall detection method, which can obviously reduce the delay of firewall cross-message detection and has the detection capability of cross-IP (Internet protocol) messages.
The invention is realized by the following technical scheme:
A low-delay TCP (transmission control protocol) cross-message firewall detection method treats the first message and the subsequent messages differently. Assuming the firewall needs to inspect N messages before reaching a verdict (forward or block): after receiving message 1 the firewall only caches it; after receiving each of messages 2-N the firewall caches it and forwards it immediately. Once all N messages are cached, the firewall reassembles them, executes detection, and decides whether to forward message 1 according to the detection result.
Further, in order to better implement the invention, the method specifically comprises the following steps:
step S1: the buffer area receives the messages 1-N and judges whether the received messages are the messages 1 or the messages 2-N;
if the message is the message 1, directly storing the message;
if the message is the message 2-N, storing and sending the message 2-N to a data receiving end;
step S2: assembling and detecting the message 1 and the message 2-N in the buffer area according to the TCP serial number;
if the attack is found, blocking treatment is carried out;
if no attack is found, sending the buffer area message 1 to a data receiving end, and emptying the message 1-N of the buffer area;
step S3: the data receiving end assembles the messages 1-N and sends the messages to the destination end.
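The steps S1 to S3 above, together with the prior-art single-packet method a from the Background, as an added simulation in Python. This is not the patent's own code: the `Segment` type, the signature `ATTACK-PATTERN`, the sequence numbers and the payloads are all constructed for the illustration, and detection is reduced to a substring match over the reassembled byte stream.

```python
# Added example (not the patent's own code): a simulation of the firewall-side
# steps S1-S3 with constructed TCP segments. The attack signature, the
# sequence numbers and the payloads are all made up for the illustration.
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int                                   # TCP sequence number of the first payload byte
    payload: bytes
    flags: set = field(default_factory=set)    # e.g. {"RST"} or {"FIN"}


# Constructed signature standing in for a real detection rule.
ATTACK_SIGNATURE = b"ATTACK-PATTERN"


def single_packet_detect(segments):
    """Prior-art method a: inspect each IP message on its own.
    A signature split across two segments is never seen."""
    return any(ATTACK_SIGNATURE in s.payload for s in segments)


def reassemble(segments):
    """Order the buffered segments by TCP seq and join them into one byte
    stream, which is the reassembly the description bases detection on."""
    ordered = sorted(segments, key=lambda s: s.seq)
    stream, expect = b"", ordered[0].seq
    for s in ordered:
        if s.seq != expect:
            raise ValueError(f"gap in the stream before seq {s.seq}")
        stream += s.payload
        expect += len(s.payload)
    return stream


def firewall_process(segments, n):
    """Run steps S1 and S2 over the first n segments (arrival order, message 1 first).
    Returns (segments sent to the data receiving end, in sending order, verdict)."""
    buffer, forwarded = [], []
    # Step S1: message 1 is only stored; messages 2..N are stored and forwarded at once.
    for index, seg in enumerate(segments[:n], start=1):
        buffer.append(seg)
        if index >= 2:
            forwarded.append(seg)
    # Step S2: assemble by TCP seq and detect over the whole stream.
    stream = reassemble(buffer)
    message1 = buffer[0]
    if ATTACK_SIGNATURE in stream:
        # Blocking: message 1 is never forwarded; an RST carrying its seq is sent instead.
        forwarded.append(Segment(message1.seq, b"", {"RST"}))
        verdict = "blocked"
    else:
        # Release: only now does message 1 leave the firewall, and the buffer is emptied.
        forwarded.append(message1)
        verdict = "released"
    buffer.clear()
    return forwarded, verdict


# Constructed sample: the signature straddles the boundary between messages 1 and 2.
ATTACK_SEGMENTS = [
    Segment(1000, b"GET /index?x=ATTA"),
    Segment(1017, b"CK-PATTERN HTTP/1.1\r\n"),
    Segment(1038, b"Host: example\r\n"),
]
BENIGN_SEGMENTS = [
    Segment(2000, b"GET /index HTTP/1.1\r\n"),
    Segment(2021, b"Host: example\r\n"),
    Segment(2036, b"\r\n"),
]

if __name__ == "__main__":
    print("single-packet detection sees the split signature:",
          single_packet_detect(ATTACK_SEGMENTS))
    sent, verdict = firewall_process(ATTACK_SEGMENTS, 3)
    print(verdict, [(s.seq, sorted(s.flags)) for s in sent])
    sent, verdict = firewall_process(BENIGN_SEGMENTS, 3)
    print(verdict, [(s.seq, sorted(s.flags)) for s in sent])
```

Running it shows the point of the method: per-segment inspection never sees `ATTACK-PATTERN` because it is split at seq 1017, while inspection of the reassembled stream does, and in both the blocked and the released case messages 2 and 3 leave the firewall before the verdict exists; only message 1 (or an RST carrying its seq) is held until detection completes.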
Further, in order to better implement the present invention, the blocking processing in step S2 specifically includes: sending an RST or FIN message, using the serial number of message 1, to disconnect the connection. Alternatively, message 1 is simply not forwarded, or the RST message is sent to the receiving end.
Further, in order to better implement the present invention, the data receiving end is a data receiving end based on a TCP protocol stack.
Compared with the prior art, the invention has the following advantages and beneficial effects:
(1) the invention can effectively carry out cross-message detection;
(2) the invention can effectively reduce the delay in the detection process.
Drawings
FIG. 1 is a flow chart of the operation of the present invention.
Detailed Description
The present invention will be described in further detail with reference to examples, but the embodiments of the present invention are not limited thereto.
Example 1:
The invention is realized by the following technical scheme, as shown in figure 1. The invention discloses a low-delay TCP (transmission control protocol) cross-message firewall detection method: when N messages are to be detected, first back up messages 2-N in a buffer area and then send them to the data receiving end; at the same time, assemble and detect messages 1-N in the buffer area; if an attack is detected, carry out blocking processing; if no attack is detected, send message 1 to the data receiving end, empty the buffer area, and repeat the operation until detection is finished.
It should be noted that, through the above improvement, the present invention uses the principle that the TCP data receiving end can only process data after reassembling it: the firewall holds back the first packet and forwards the later packets first, so that only the first IP packet experiences a larger delay while the subsequent packets experience a smaller one. Meanwhile, as long as message 1 has not been received, the data receiving end cannot reassemble the data normally and cannot hand it to the application program. The firewall therefore only needs to control whether message 1 is discarded or forwarded in order to control whether the data receiving end discards or uses all of the data it has received.
Example 2:
This embodiment is further optimized on the basis of the above embodiment, as shown in fig. 1. Further, in order to better implement the present invention, the method specifically includes the following steps:
step S1: the buffer area receives the messages 1-N and judges whether the received messages are the messages 1 or the messages 2-N;
if the message is the message 1, directly storing the message;
if the message is the message 2-N, storing and sending the message 2-N to a data receiving end;
step S2: assembling and detecting the message 1 and the message 2-N in the buffer area according to the TCP serial number;
if the attack is found, blocking treatment is carried out;
if no attack is found, the buffer area message 1 is sent to a data receiving end, and the message 1-N of the buffer area is emptied.
It should be noted that, through the above improvement, even if the attack data has already been sent to the data receiving end, the data receiving end cannot assemble messages 1 to N and pass them to the application program as long as message 1 has not been received, so the attack cannot take effect.
If the firewall discards message 1, the data receiving end discards all the messages it has received, namely messages 1-N. This achieves the same function as existing method b while also achieving low delay;
other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
Example 3:
The present embodiment is further optimized on the basis of the above embodiment, as shown in fig. 1. Further, in order to better implement the present invention, the blocking processing in step S2 specifically includes: discarding message 1, or sending the RST message to the receiving end.
Further, in order to better implement the present invention, the data receiving end is a data receiving end based on a TCP protocol stack.
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
Example 4:
This embodiment is the best embodiment of the present invention, as shown in fig. 1: a low-delay TCP cross-packet firewall detection method in which, when there are N packets to be detected, packets 2-N are first backed up in the buffer and then sent to the TCP-based data receiving end; messages 1-N are assembled and detected in the buffer area; if an attack is detected, blocking processing is carried out; if no attack is detected, message 1 is sent to the TCP-based data receiving end, the buffer area is cleared, and detection is complete.
Further, in order to better implement the invention, the method specifically comprises the following steps:
step S1: the buffer area receives the messages 1-N and judges whether the received messages are the messages 1 or the messages 2-N;
if the message is the message 1, directly storing the message;
if the message is the message 2-N, storing and sending the message 2-N to a data receiving end based on a TCP (transmission control protocol);
step S2: assembling and detecting the message 1 and the message 2-N in the buffer area according to the TCP serial number;
if the attack is found, the RST or FIN message is sent according to the serial number of the message 1 to disconnect.
If no attack is found, sending the buffer area message 1 to a data receiving end based on a TCP protocol, and emptying the message 1-N of the buffer area; the data receiving end based on the TCP protocol receives the message 1-N assembly and sends the message to the destination end.
It should be noted that, through the above improvement and compared with the prior art, the present invention has already sent part of the messages to the TCP-based data receiving end before detection: it sends the following N-1 messages directly to the receiving end without waiting for the detection result, and blocks or releases all N messages by blocking or releasing message 1 alone, which saves network sending delay and also reduces the delay of the whole detection process.
The method deliberately creates out-of-order messages to reduce delay. The principle is that the TCP protocol stack at the user's receiving end guarantees that data is assembled in TCP seq order before being passed to the destination end.
The processing logic at the TCP data receiver is as follows:
step 1, receive messages 2 to N;
step 2, put messages 2 to N into the receiving queue; the receiving queue is a buffer area;
step 3, wait for message 1; on timeout, execute step 6; if message 1 is received, execute step 4;
step 4, check whether message 1 carries a FIN or RST flag; if so, execute step 6; if not, execute step 5;
step 5, assemble messages 1 to N, send them to the destination end, and execute step 1;
step 6, empty the buffer area, close the connection, and execute step 1.
As can be seen from the above, even if the attack data has already been sent to the data receiving end, the data receiving end cannot assemble it and pass it to the application program as long as message 1 has not been received, so the attack cannot take effect. If the firewall discards message 1, or sends a FIN or RST in its place, the receiving end discards all the messages it has received. The same functionality as prior-art method b is achieved, while low latency is achieved at the same time.
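The receiver-side logic of steps 1 to 6, as an added Python model that is not part of the patent or of any real TCP stack. It assumes a `Segment` type, a tick-based timeout, and the constructed segments `MSG1` to `MSG3`; it also generalizes step 4 slightly by applying the FIN/RST check to whichever segment sits at the head of the expected sequence, which for the cases shown is always message 1 or the RST sent in its place.

```python
# Added example (not the patent's own code): a model of the receiving-end TCP
# stack logic in steps 1-6, with constructed segments and a tick-based timeout.
# Step 4 is generalized: the FIN/RST check applies to the segment at the head
# of the expected sequence, not only to message 1.
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int                                   # TCP sequence number of the first payload byte
    payload: bytes
    flags: set = field(default_factory=set)    # e.g. {"RST"} or {"FIN"}


class Receiver:
    """Receiving-end state: a reassembly queue keyed by seq, the next expected
    seq, the bytes already delivered to the application, and whether the
    connection has been closed."""

    def __init__(self, initial_seq, timeout_ticks):
        self.expect = initial_seq        # seq of message 1: the next byte the application needs
        self.queue = {}                  # step 2: receiving queue (the buffer area), seq -> Segment
        self.delivered = b""             # bytes handed to the destination end so far
        self.closed = False
        self.waiting = 0                 # ticks spent waiting for the missing head segment
        self.timeout_ticks = timeout_ticks

    def receive(self, seg):
        """Steps 1-2: accept a segment in any order and queue it."""
        if self.closed:
            return
        self.queue[seg.seq] = seg
        self.waiting = 0
        self._drain()

    def tick(self):
        """Step 3: one unit of waiting for message 1; on timeout go to step 6."""
        if self.closed or not self.queue:
            return
        self.waiting += 1
        if self.waiting >= self.timeout_ticks:
            self._close()

    def _drain(self):
        # Steps 4-5: deliver only while the stream is contiguous from `expect`.
        while self.expect in self.queue:
            seg = self.queue.pop(self.expect)
            if seg.flags & {"FIN", "RST"}:  # step 4: FIN/RST at the head closes the connection
                self._close()
                return
            self.delivered += seg.payload   # step 5: assemble and pass to the destination end
            self.expect += len(seg.payload)

    def _close(self):
        # Step 6: empty the buffer and close; everything not yet delivered is lost.
        self.queue.clear()
        self.closed = True


# Constructed sample stream: message 1 occupies seq 1000-1016, messages 2 and 3 follow.
MSG1 = Segment(1000, b"GET /index?x=ATTA")
MSG2 = Segment(1017, b"CK-PATTERN HTTP/1.1\r\n")
MSG3 = Segment(1038, b"Host: example\r\n")


def scenario_released():
    """Firewall forwarded 2-N first, then released message 1."""
    r = Receiver(1000, timeout_ticks=3)
    r.receive(MSG2)
    r.receive(MSG3)
    before = r.delivered            # still empty: nothing contiguous from seq 1000 yet
    r.receive(MSG1)
    return before, r.delivered, r.closed


def scenario_blocked():
    """Firewall forwarded 2-N first, then sent an RST carrying message 1's seq."""
    r = Receiver(1000, timeout_ticks=3)
    r.receive(MSG2)
    r.receive(MSG3)
    r.receive(Segment(1000, b"", {"RST"}))
    return r.delivered, r.closed, len(r.queue)


def scenario_timeout():
    """Firewall silently dropped message 1; the receiver times out and discards 2-N."""
    r = Receiver(1000, timeout_ticks=2)
    r.receive(MSG2)
    r.receive(MSG3)
    r.tick()
    mid = r.closed                  # after one tick the receiver is still waiting
    r.tick()
    return mid, r.closed, r.delivered


if __name__ == "__main__":
    print("released:", scenario_released())
    print("blocked:", scenario_blocked())
    print("timeout:", scenario_timeout())
```

The three scenarios correspond to the three outcomes the description relies on: with message 1 released the whole stream is delivered in seq order even though it arrived out of order; with an RST in place of message 1 nothing is ever delivered and the queued messages 2-N are discarded; with message 1 simply dropped the receiver times out and discards them as well.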
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and all simple modifications and equivalent variations of the above embodiments according to the technical spirit of the present invention are included in the scope of the present invention.

Claims (4)

1. A low-delay TCP (transmission control protocol) cross-message firewall detection method is characterized by comprising the following steps: when N messages are to be detected, first backing up messages 2-N in a buffer area and then sending them to a data receiving end; assembling and detecting messages 1-N in the buffer area; if an attack is detected, carrying out blocking processing, where the blocking processing specifically refers to: discarding message 1, or sending the RST message to the receiving end, or sending the FIN message to disconnect; if no attack is detected, sending message 1 to the data receiving end and emptying the buffer area to finish detection.
2. The method according to claim 1, wherein the method comprises the following steps: the method specifically comprises the following steps:
step S1: the buffer area receives the messages 1-N and judges whether the received messages are the messages 1 or the messages 2-N;
if the message is the message 1, directly storing the message;
if the message is the message 2-N, storing and sending the message 2-N to a data receiving end;
step S2: assembling and detecting the message 1 and the message 2-N in the buffer area according to the TCP serial number;
if the attack is found, blocking treatment is carried out;
if no attack is found, sending the buffer area message 1 to a data receiving end, and emptying the message 1-N of the buffer area;
step S3: the data receiving end assembles the messages 1-N and sends the messages to the destination end.
3. The method according to claim 2, wherein the method comprises the following steps: the blocking processing in step S2 specifically includes: and sending the RST or FIN message according to the serial number of the message 1 to disconnect.
4. The method according to claim 1, wherein the method comprises the following steps: the data receiving end is based on a TCP protocol stack.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911286043.XA CN110855719B (en) 2019-12-13 2019-12-13 Low-delay TCP (Transmission control protocol) cross-message firewall detection method


Publications (2)

Publication Number Publication Date
CN110855719A CN110855719A (en) 2020-02-28
CN110855719B true CN110855719B (en) 2021-12-17

Family

ID=69609121


Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101547126A (en) * 2008-03-27 2009-09-30 北京启明星辰信息技术股份有限公司 Network virus detecting method based on network data streams and device thereof
CN101674234A (en) * 2009-08-21 2010-03-17 曙光信息产业(北京)有限公司 Fragments-reassembling method of IP messages and device thereof
CN105939314A (en) * 2015-09-21 2016-09-14 杭州迪普科技有限公司 Network protection method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160205135A1 (en) * 2015-01-14 2016-07-14 Nguyen Nguyen Method and system to actively defend network infrastructure


Also Published As

Publication number Publication date
CN110855719A (en) 2020-02-28


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant