CN111031077A - Flow cleaning method, flow cleaning system and equipment - Google Patents

Flow cleaning method, flow cleaning system and equipment

Info

Publication number
CN111031077A
Authority
CN
China
Prior art keywords
service server
tcp
message
tcp connection
traffic
Prior art date
Legal status
Granted
Application number
CN202010161736.2A
Other languages
Chinese (zh)
Other versions
CN111031077B (en
Inventor
程行峰
蓝维宇
Current Assignee
Hangzhou Yuanshi Network Security Technology Co Ltd
Original Assignee
Hangzhou Yuanshi Network Security Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Hangzhou Yuanshi Network Security Technology Co Ltd
Priority to CN202010161736.2A
Publication of CN111031077A
Application granted
Publication of CN111031077B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/38 Flow based routing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a traffic cleansing method, a traffic cleansing system and a device. The traffic cleansing device judges the legitimacy of data packets that miss the TCP connection table and forwards the legitimate ones to the attacked service server, so that legitimate TCP data packets are not dropped and legitimate long-lived TCP connections are not interrupted.

Description

Flow cleaning method, flow cleaning system and equipment
Technical Field
The present application relates to the field of computer communications, and in particular, to a flow cleaning method, a flow cleaning system, and a flow cleaning device.
Background
In existing traffic cleansing technology, a core forwarding device located at the edge of a data center can divert (pull) the traffic destined for an attacked server onto a traffic cleansing device.
After diversion begins, the traffic cleansing device builds a TCP (Transmission Control Protocol) connection table in real time. The table records the legitimate TCP connections newly established on the attacked server after diversion, and the traffic cleansing device uses it to decide whether a diverted TCP data packet is illegitimate.
Specifically, the traffic cleansing device checks whether the diverted TCP data packet hits the TCP connection table; if not, it treats the packet as illegitimate and discards it.
However, because the TCP connection table only records the legitimate TCP connections established on the attacked server after diversion, and not every legitimate connection that already exists on it, the packets that miss the table are not all illegitimate: they also include legitimate packets carried on connections that were established before diversion. The above method therefore removes the illegitimate packets but discards those legitimate TCP data packets as well, and the long-lived TCP connections between the attacked server and legitimate external peers are interrupted.
Disclosure of Invention
In view of this, the present application provides a traffic cleansing method, a traffic cleansing system and devices, so as to avoid legitimate long-lived TCP connections being broken because the traffic cleansing device discards their legitimate TCP data packets.
Specifically, the method is realized through the following technical scheme:
according to a first aspect of the present application, there is provided a traffic cleansing method, applied to a traffic cleansing device, the method including:
receiving an alarm message sent by a traffic detection device, wherein the alarm message comprises an identifier of the attacked target service server;
in response to the alarm message, issuing a pull route to the core forwarding device of the data center, so that the core forwarding device diverts the TCP packets sent to the target service server to the traffic cleansing device based on the pull route;
receiving a TCP packet diverted by the core forwarding device; if the TCP packet is a data packet and the data packet does not hit the recorded TCP connection table corresponding to the target service server, detecting whether the TCP connection corresponding to the data packet is a legitimate TCP connection that was established on the target service server before the pull route was issued;
if so, sending the data packet to the target service server through the core forwarding device;
wherein the TCP connection table includes the information of the legitimate TCP connections established on the target service server after the pull route was issued.
Optionally, the method further includes:
in response to the alarm message, sending an acquisition request carrying the target service server identifier to the traffic detection device, and receiving the trusted connection table entries corresponding to the target service server returned by the traffic detection device; wherein the trusted connection table entries include the information of the legitimate TCP connections established on the target service server before the pull route was issued;
and detecting whether the TCP connection corresponding to the data packet is a legitimate TCP connection established on the target service server before the pull route was issued includes:
detecting whether the data packet hits the obtained trusted connection table entries;
if yes, determining that the TCP connection corresponding to the data packet is a legitimate TCP connection established on the target service server before the pull route was issued;
if not, determining that it is not such a connection.
Optionally, the method further includes:
after determining that the data packet hits a trusted connection table entry, extracting the characteristic information of the data packet and generating the TCP connection information corresponding to it;
adding the generated TCP connection information to the TCP connection table.
Optionally, the method further includes:
if the data packet hits the TCP connection table, sending the data packet to the target service server through the core forwarding device;
and if the data packet hits neither the TCP connection table nor the trusted connection table entries, discarding the data packet.
Optionally, the method further includes:
if the TCP packet diverted by the core forwarding device is a control packet, detecting whether the control packet is an attack packet;
if not, extracting the characteristic information of the control packet, generating the TCP connection information corresponding to the control packet, adding it to the TCP connection table, and sending the control packet to the target service server through the core forwarding device.
According to a second aspect of the present application, there is provided a traffic cleansing method, applied to a traffic detection device, the method including:
receiving traffic copied by the core forwarding device of a data center, where the traffic includes the traffic sent by external terminals to the service servers of the data center and the traffic sent by the service servers of the data center to the external terminals;
when it is determined from the received traffic that a target service server in the data center is under attack, sending an alarm message carrying the target service server identifier to the traffic cleansing device;
the alarm message is used to trigger the traffic cleansing device to issue a pull route to the core forwarding device of the data center, so that the core forwarding device diverts the TCP packets sent to the target service server to the traffic cleansing device based on the pull route; to receive the TCP packets diverted by the core forwarding device and, if a TCP packet is a data packet that does not hit the recorded TCP connection table, detect whether the TCP connection corresponding to the data packet is a legitimate TCP connection established on the target service server before the pull route was issued; and if so, to send the data packet to the target service server through the core forwarding device; wherein the TCP connection table includes the legitimate TCP connections established on the target service server after the pull route was issued.
Optionally, the method further includes:
identifying the information of the TCP connections established on each service server based on the received traffic;
establishing, based on that information, the trusted connection table entries corresponding to each service server, and adding them to the trusted connection table;
the trusted connection table entries corresponding to a service server include the information of the TCP connections currently established on that service server.
Optionally, the method further includes:
receiving an acquisition request sent by the traffic cleansing device, the acquisition request carrying the identifier of a target service server;
and returning the trusted connection table entries corresponding to that service server to the traffic cleansing device.
Optionally, each trusted connection table entry includes an aging duration, and the method further includes:
when the aging duration of any trusted connection table entry is found to have elapsed, deleting that entry from the trusted connection table;
or alternatively,
when it is recognised from the received traffic that any TCP connection established on any service server has been torn down, deleting the trusted connection table entry corresponding to that connection from the trusted connection table.
According to a third aspect of the application, there is provided a traffic cleansing device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the instructions causing the processor to perform the traffic cleansing method.
According to a fourth aspect of the present application, there is provided a traffic detection device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the instructions causing the processor to perform the traffic cleansing method.
According to a fifth aspect of the present application, there is provided a traffic cleansing system comprising a traffic detection device and a traffic cleansing device;
the traffic detection device is configured to receive traffic copied by the core forwarding device of a data center, the traffic including the traffic sent by external terminals to the service servers in the data center and the traffic sent by the service servers in the data center to the external terminals, and, when it is determined from the received traffic that a target service server in the data center is under attack, to send an alarm message carrying the target service server identifier to the traffic cleansing device;
the traffic cleansing device is configured to respond to the alarm message by issuing a pull route to the core forwarding device of the data center, so that the core forwarding device diverts the TCP packets sent to the target service server to the traffic cleansing device based on the pull route; to receive the TCP packets diverted by the core forwarding device and, if a TCP packet is a data packet that does not hit the recorded TCP connection table, detect whether the TCP connection corresponding to the data packet is a legitimate TCP connection established on the target service server before the pull route was issued; and if so, to send the data packet to the target service server through the core forwarding device;
wherein the TCP connection table includes the legitimate TCP connections established on the target service server after the pull route was issued.
As can be seen from the above description, since the traffic cleansing device determines the validity of the data packet that misses the TCP connection table, and sends the valid data packet to the attacked service server, it is possible to prevent the valid TCP data packet from being lost, thereby preventing the interruption of the valid TCP long connection.
Drawings
FIG. 1 is a block diagram illustrating a networking architecture of a bypass DDoS defense system according to an exemplary embodiment of the present application;
FIG. 2 is a flow chart illustrating a traffic cleansing method according to an exemplary embodiment of the present application;
FIG. 3 is a flow chart illustrating another traffic cleansing method according to an exemplary embodiment of the present application;
FIG. 4 is a schematic illustration of a traffic cleansing method according to an exemplary embodiment of the present application;
FIG. 5 is a hardware block diagram of a traffic cleansing device according to an exemplary embodiment of the present application;
FIG. 6 is a block diagram of a traffic cleansing apparatus applied to a traffic cleansing device according to an exemplary embodiment of the present application;
FIG. 7 is a hardware block diagram of a traffic detection device according to an exemplary embodiment of the present application;
FIG. 8 is a block diagram illustrating a traffic cleansing apparatus applied to a traffic detection device according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
It should be noted that the control packet described herein refers to a TCP control packet, and the data packet described herein refers to a TCP data packet, which is not described in detail below.
Before introducing the traffic cleansing method provided by the present application, several common attack modes are introduced.
SYN Flood attack: during TCP connection establishment, an attacker sends the server a large number of SYN packets whose source IP addresses are spoofed (addresses that are not the attacker's own). The server replies with a SYN ACK towards the device indicated by each spoofed source address and keeps a TCP half-open connection state for every SYN. Because the server has to maintain half-open state for each of the attacker's SYN packets, its resources are exhausted and the server stops serving, which is the goal of the attack.
ACK Flood attack: the server processes data packets carrying the ACK flag as follows: when it receives such a packet, its protocol stack has to check the packet and, once the check passes, hands it to the transport layer.
When an attacker spoofs a large number of source IP addresses and sends data packets with the ACK flag set to the server, the server checks every one of them, and checking that volume of ACK packets consumes so much system resource that the server stops serving, which is the goal of the attack.
After the attack mode is introduced, a networking architecture related to the traffic cleaning method of the present application and a traditional traffic cleaning method are introduced.
Referring to fig. 1, fig. 1 is a diagram illustrating the networking architecture of a Distributed Denial of Service (DDoS) defense system according to an exemplary embodiment of the present application.
The networking includes: data center, flow detection equipment, flow cleaning equipment, etc. In practical applications, the networking may further include other devices, such as forwarding devices (e.g., switches, routers, etc.) between the data center and the traffic cleansing device, and the networking is only exemplary and not limited specifically herein.
1) Data center
The data center includes: a plurality of service servers, core forwarding equipment positioned at the edge of the data center, and the like.
The service servers perform service interaction with external terminals outside the data center.
The core forwarding device forwards the service traffic sent by external terminals to the data center on to the service servers in the data center, and forwards the traffic sent by the service servers to the external terminals outside the data center. The core forwarding device may be a core router, a core switch, etc., and is not specifically limited here.
Of course, the devices included in the data center are only exemplified and not particularly limited.
2) Flow detection device
The traffic detection device is connected to the core forwarding device of the data center. The core forwarding device can copy the traffic sent by external terminals to the data center to the traffic detection device by port mirroring, optical splitting or similar means, and can likewise copy the traffic sent by the data center to the external terminals. Based on the copied traffic, the traffic detection device can determine which service server in the data center is being attacked.
The traffic detection device may be a server, a server cluster constructed by a plurality of servers, or a forwarding device configured with an attack detection function, and the traffic detection device is only described as an example and is not particularly limited.
3) Flow cleaning equipment
The traffic cleansing device is connected to both the traffic detection device and the core forwarding device. It is mainly used to cleanse the traffic destined for the attacked service server that the core forwarding device diverts to it (referred to here as the diverted traffic): it discards the attack traffic within the diverted traffic and forwards the normal traffic back to the core forwarding device, which then sends it on to the attacked service server.
The traffic cleansing device may be a server, a server cluster built from several servers, a forwarding device configured with an attack detection function, etc.; it is only described here by way of example and is not specifically limited.
The following conventional flow cleaning technique is described.
In the conventional traffic cleansing technique, the core forwarding device copies the traffic sent from external terminals to the data center to the traffic detection device by port mirroring, optical splitting or similar means.
The traffic detection device determines, from that traffic, which service server in the data center is under attack and notifies the traffic cleansing device of the attacked server. The traffic cleansing device then has the core forwarding device divert the traffic destined for the attacked service server (the diverted traffic) to the traffic cleansing device.
The diverted traffic includes the TCP control packets that set up connections with the attacked server and the TCP data packets sent to the attacked server.
For a TCP control packet, the traffic cleansing device detects whether its sender is an attacker. If not, the packet is treated as legitimate and its characteristic information (e.g. five-tuple) is added to a locally maintained TCP connection table, which thus records the legitimate TCP connections newly established on the attacked service server after the traffic was diverted to the traffic cleansing device.
The traffic cleansing device also injects the legitimate TCP control packet back to the attacked service server, so that the server completes the TCP connection with the packet's sender.
For a TCP data packet, the traffic cleansing device matches the packet against the TCP connection table. If it hits, the packet is treated as legitimate and forwarded through the core forwarding device to the attacked service server for service processing. If it misses, the traffic cleansing device discards it.
In practice, however, the TCP data packets that miss the TCP connection table include both the illegitimate ACK-flagged packets an attacker sends in an ACK Flood attack and the legitimate packets carried on legitimate TCP connections that were established on the attacked server before diversion.
Consequently, although the above method cleanses the illegitimate ACK-flagged packets, it also discards the legitimate TCP data packets of those pre-existing connections, and the long-lived TCP connections between the attacked server and normal external terminals are interrupted.
For example, as shown in fig. 1, it is assumed that an external terminal 1 of a data center and a service server 2 in the data center have established a legal TCP connection 1, and data interaction is performed through the TCP connection 1. After a period of time, the traffic detection device detects that the service server 2 is attacked, and the traffic detection device sends the identifier of the service server 2 to the traffic cleaning device.
The traffic cleansing device has the core forwarding device divert the traffic addressed to service server 2 to the traffic cleansing device.
For a TCP control packet in the diverted traffic (say, TCP control packet 2), the traffic cleansing device detects whether it is legitimate. Assuming TCP control packet 2 is legitimate, the traffic cleansing device records its characteristic information in the TCP connection table as the information of the corresponding TCP connection 2. At this point the TCP connection table holds the information of legitimate TCP connection 2 only.
For a TCP data packet in the diverted traffic, the traffic cleansing device checks whether it hits the TCP connection table and discards it if not.
Suppose external terminal 1 still sends a TCP data packet 1 to service server 2 over legitimate TCP connection 1. That packet is diverted to the traffic cleansing device, which checks whether it hits the TCP connection table.
Because the table only records TCP connection 2, TCP data packet 1 misses and is discarded, and the legitimate TCP connection 1 it belongs to is interrupted.
In view of this, the present application provides a traffic cleansing method in which, after determining that a diverted data packet misses the TCP connection table, the traffic cleansing device further checks whether the TCP connection the packet belongs to is a legitimate TCP connection that was established on the target service server before the pull route was issued, and if it is, injects the packet back to the attacked service server in the data center.
Because the traffic cleansing device also judges the legitimacy of the TCP data packets that miss the TCP connection table and forwards the legitimate ones to the attacked service server, legitimate TCP data packets are not lost and legitimate long-lived TCP connections are not interrupted.
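The decision logic of the two paragraphs above, together with the conventional variant described under the traditional technique (the worked case with TCP connection 1 and TCP connection 2), as an added illustration that is not part of the patent text: a small Python model of the traffic cleansing device's per-packet verdict. The packet layout, the `Scrubber` class, the `run_scenario` function, the addresses and ports, and the use of a set of known attack source IPs as a stand-in for the device's control-packet attack check are all assumptions of this example; the patent does not specify how that check is performed.

```python
"""Per-packet decision of the traffic cleansing device (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

FourTuple = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class TcpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str]  # e.g. frozenset({"SYN"}), frozenset({"PSH", "ACK"})

    @property
    def key(self) -> FourTuple:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    @property
    def is_control(self) -> bool:
        # Handshake and teardown segments are control packets; the rest are data packets.
        return bool(self.flags & {"SYN", "FIN", "RST"})


class Scrubber:
    """Decision logic applied to TCP packets diverted by the core forwarding device."""

    def __init__(self, trusted: Dict[str, Set[FourTuple]], attack_sources: Set[str],
                 use_trusted_table: bool) -> None:
        # TCP connection table: legitimate connections set up on each target server
        # *after* the pull route was issued, keyed by target server IP.
        self.conn_table: Dict[str, Set[FourTuple]] = {}
        # Trusted connection table entries fetched from the detection device for the
        # target server: connections that already existed *before* diversion.
        self.trusted = trusted
        # Assumption: the page does not say how a control packet is judged to be an
        # attack packet, so a set of known attack source IPs stands in for that check.
        self.attack_sources = attack_sources
        # False reproduces the conventional method; True adds the fallback check.
        self.use_trusted_table = use_trusted_table

    def handle(self, pkt: TcpPacket) -> str:
        """Return "forward" (inject back towards the target server) or "drop"."""
        table = self.conn_table.setdefault(pkt.dst_ip, set())
        if pkt.is_control:
            if pkt.src_ip in self.attack_sources:
                return "drop"            # attack control packet (e.g. SYN flood)
            table.add(pkt.key)           # legitimate new connection: record it
            return "forward"
        if pkt.key in table:
            return "forward"             # data packet hits the TCP connection table
        if self.use_trusted_table and pkt.key in self.trusted.get(pkt.dst_ip, set()):
            # Pre-diversion connection confirmed by the detector: promote it into the
            # TCP connection table so later packets hit directly, then forward.
            table.add(pkt.key)
            return "forward"
        return "drop"                    # misses both tables: treated as ACK-flood traffic


SERVER = "200.1.1.1"  # service server 2 of the page's example


def run_scenario(use_trusted_table: bool) -> Dict[str, str]:
    """Replay the page's example with constructed packets and return each verdict."""
    conn1: FourTuple = ("100.1.1.1", 40001, SERVER, 443)   # terminal 1, pre-diversion
    scrubber = Scrubber(trusted={SERVER: {conn1}}, attack_sources={"10.9.9.9"},
                        use_trusted_table=use_trusted_table)
    syn2 = TcpPacket("100.1.1.2", 50002, SERVER, 443, frozenset({"SYN"}))
    data2 = TcpPacket("100.1.1.2", 50002, SERVER, 443, frozenset({"PSH", "ACK"}))
    data1 = TcpPacket("100.1.1.1", 40001, SERVER, 443, frozenset({"PSH", "ACK"}))
    ack_flood = TcpPacket("7.7.7.7", 12345, SERVER, 443, frozenset({"ACK"}))
    syn_flood = TcpPacket("10.9.9.9", 1, SERVER, 443, frozenset({"SYN"}))
    return {
        "syn2": scrubber.handle(syn2),            # control packet 2, legitimate
        "data2": scrubber.handle(data2),          # data on connection 2 (in table)
        "data1": scrubber.handle(data1),          # data packet 1 on connection 1
        "ack_flood": scrubber.handle(ack_flood),  # spoofed ACK, no connection at all
        "syn_flood": scrubber.handle(syn_flood),  # control packet from attack source
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("trusted-table fallback", "on " if mode else "off", run_scenario(mode))
```

Run it once with `use_trusted_table=False` and once with `True`: in the first mode data packet 1 on connection 1 is dropped exactly as in the worked case above, in the second it is forwarded and connection 1 is promoted into the TCP connection table, while the spoofed ACK flood packet is dropped in both modes. The fallback is only as good as the trusted entries the detector reports: a four-tuple for which the detector never saw a completed handshake gets no entry and is still dropped, which is the intended behaviour against spoofed ACK traffic.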
Before describing the flow cleaning method provided by the present application, several concepts related to the present application will be described.
1. Trusted connection table
1) Contents of trusted connection table
A trusted connection table is maintained on the traffic detection device; it represents the legitimate TCP connections currently established on each service server.
The trusted connection table contains a number of trusted connection table entries. Each entry records the information of one legitimate TCP connection and corresponds to one service server; for example, it records the characteristic information of the packets carried on that connection (e.g. the four-tuple of source IP address, source port number, destination IP address and destination port number). In practice each entry may also hold other fields, such as an aging time. The entry format is only exemplary and is not specifically limited.
For example, table 1 is a trusted connection table as exemplified herein.
[Table 1: trusted connection table (image not reproduced)]
Table 1 is the trusted connection table; its second and third rows are each a trusted connection table entry.
Taking the second row as an example: its destination IP (Internet Protocol) address is the IP address of a service server, so this entry corresponds to the service server at 200.1.1.1, and it holds the information of the TCP connection established between the external terminal at 100.1.1.1 and the service server at 200.1.1.1, i.e. the four-tuple of the TCP packets carried on that connection.
2) Creation of trusted connection tables
In this embodiment of the application, the core forwarding device of the data center copies, in a preset manner, both the traffic sent by external terminals to the service servers in the data center and the traffic sent by the service servers to the external terminals to the traffic detection device.
The preset manner may be optical splitting, port mirroring, etc., and is not specifically limited here.
From the traffic in both directions, the traffic detection device identifies the TCP connections established on each service server, creates the corresponding trusted connection table entries for each service server, and adds them to the trusted connection table. The entries for a service server hold the information of the TCP connections currently established on that server.
For example, the traffic detection device may recognise in the received traffic the three-way handshake packets exchanged between a service server and an external terminal, conclude from them that a TCP connection has been established, and derive the connection information from the handshake packets. It then generates a trusted connection table entry for that service server from the connection information and adds it to the trusted connection table.
3) Deletion of trusted connection tables
In the embodiment of the present application, each trusted connection table entry includes an aging duration. When the traffic detection device detects that the aging duration of any trusted connection table entry has arrived, it deletes that trusted connection table entry from the trusted connection table.
In addition, when the traffic detection device detects that traffic sent by the core forwarding device hits any trusted connection table entry, the aging duration of that entry is refreshed.
In this embodiment of the application, when the traffic detection device recognizes, based on the received traffic, that any TCP connection established on any service server has been disconnected, the trusted connection table entry corresponding to that TCP connection is deleted from the trusted connection table.
For example, the traffic detection device may recognize, from the received traffic, the four-way teardown (FIN exchange) messages between a certain service server and an external terminal, and determine that the TCP connection between the service server and the external terminal has been disconnected. At this time, the traffic detection device may delete the trusted connection table entry corresponding to the disconnected TCP connection from the trusted connection table.
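The trusted connection table lifecycle described in 2) and 3) above, as an added Python model that is not part of the patent: an entry is created when a three-way handshake is seen on the mirrored traffic, refreshed on every hit, and deleted when its aging duration arrives or when both sides have sent FIN. The 300 s aging duration, the packet fields, and the ports 5001/3001 used with table 1's addresses 100.1.1.1 and 200.1.1.1 are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, NamedTuple, Optional, Set


class FourTuple(NamedTuple):
    """Connection four-tuple, always keyed in the external-terminal -> service-server direction."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Packet:
    """Minimal view of one mirrored TCP packet (fields constructed for this example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False
    fin: bool = False


class TrafficDetectionDevice:
    AGING_SECONDS = 300.0  # assumed aging duration; the patent fixes no value

    def __init__(self, server_ips):
        self.server_ips: Set[str] = set(server_ips)
        self.trusted: Dict[FourTuple, float] = {}        # trusted connection table: entry -> aging deadline
        self._handshake: Dict[FourTuple, str] = {}       # three-way handshake progress per candidate
        self._fin_seen: Dict[FourTuple, Set[str]] = {}   # directions that have sent FIN

    def _key(self, pkt: Packet) -> Optional[FourTuple]:
        """Normalise both directions of a flow onto the terminal -> server four-tuple."""
        if pkt.dst_ip in self.server_ips:
            return FourTuple(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.src_ip in self.server_ips:
            return FourTuple(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return None  # neither side is a service server: not data-center traffic

    def observe(self, pkt: Packet, now: float) -> None:
        key = self._key(pkt)
        if key is None:
            return
        to_server = pkt.dst_ip == key.dst_ip
        if key in self.trusted:                 # any hit refreshes the aging duration
            self.trusted[key] = now + self.AGING_SECONDS
        # Creation: SYN (to server), SYN/ACK (from server), ACK (to server) -> new entry.
        if pkt.syn and not pkt.ack and to_server:
            self._handshake[key] = "SYN"
        elif pkt.syn and pkt.ack and not to_server and self._handshake.get(key) == "SYN":
            self._handshake[key] = "SYNACK"
        elif pkt.ack and not pkt.syn and to_server and self._handshake.get(key) == "SYNACK":
            del self._handshake[key]
            self.trusted[key] = now + self.AGING_SECONDS
        # Deletion: once both directions have sent FIN (four-way teardown), drop the entry.
        if pkt.fin:
            dirs = self._fin_seen.setdefault(key, set())
            dirs.add("c2s" if to_server else "s2c")
            if dirs == {"c2s", "s2c"}:
                self.trusted.pop(key, None)
                del self._fin_seen[key]

    def expire(self, now: float) -> List[FourTuple]:
        """Deletion by aging: remove every entry whose deadline has arrived; return what was removed."""
        expired = sorted(k for k, deadline in self.trusted.items() if deadline <= now)
        for k in expired:
            del self.trusted[k]
        return expired

    def entries_for(self, server_ip: str) -> List[FourTuple]:
        """Answer the cleaning device's acquisition request for one target service server."""
        return sorted(k for k in self.trusted if k.dst_ip == server_ip)


def demo_handshake_and_teardown() -> dict:
    """Constructed walk-through using the table-1 addresses 100.1.1.1 and 200.1.1.1."""
    dev = TrafficDetectionDevice(["200.1.1.1", "200.1.1.2"])
    term, srv = ("100.1.1.1", 5001), ("200.1.1.1", 3001)
    dev.observe(Packet(*term, *srv, syn=True), now=0.0)              # SYN
    dev.observe(Packet(*srv, *term, syn=True, ack=True), now=0.1)    # SYN/ACK
    dev.observe(Packet(*term, *srv, ack=True), now=0.2)              # ACK -> entry created
    after_handshake = dev.entries_for("200.1.1.1")
    dev.observe(Packet(*term, *srv, ack=True), now=250.0)            # hit refreshes aging to 550
    expired_early = dev.expire(now=299.0)                            # nothing expires yet
    dev.observe(Packet(*term, *srv, fin=True, ack=True), now=300.0)  # FIN from terminal
    dev.observe(Packet(*srv, *term, fin=True, ack=True), now=300.1)  # FIN from server -> deleted
    after_teardown = dev.entries_for("200.1.1.1")
    return {"after_handshake": after_handshake, "expired_early": expired_early,
            "after_teardown": after_teardown}
```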
2. TCP connection table
1) Contents of TCP connection table
A TCP connection table is maintained on the traffic cleaning device. The TCP connection table includes: information of the legal TCP connections established on the attacked target service server after the pull route is issued.
The TCP connection table includes a plurality of TCP connection table entries, each of which records information of a new legal TCP connection established on the attacked service server after the pull route is issued (that is, after traffic pulling).
For example, a TCP connection table entry records the four-tuple information of the packet carried by the legal TCP connection. Of course, in practical applications, each TCP connection table entry further includes attribute information of the TCP connection, and the like, and the TCP connection table entry is only exemplarily illustrated here and is not specifically limited.
2) Creation of TCP connection table entry
In the embodiment of the application, the core forwarding device forwards the traffic sent by the external terminal to the data center to the traffic detection device in a mirror image mode, a light splitting mode and the like.
When determining, based on the received traffic, that a service server in the data center is attacked, the traffic detection device sends an alarm message carrying the target server identifier to the traffic cleaning device.
Then, the traffic cleaning device may issue a pull route to a core forwarding device of the data center in response to the alarm message, so that the core forwarding device pulls the TCP packets sent to the target service server to the traffic cleaning device based on the pull route.
If a pulled TCP packet is a control packet, the traffic cleaning device can detect whether the control packet is an attack packet through a preset policy. If the control packet is not an attack packet, the traffic cleaning device extracts the feature information of the control packet, generates TCP connection information corresponding to the control packet, adds the TCP connection information to the TCP connection table, and sends the control packet to the target service server through the core forwarding device.
It should be noted that the preset policy may be as follows: the traffic cleaning device responds to the sender of the control packet with a message carrying a specified sequence number (for clarity of description, referred to as the first message), and then detects whether a response to the first message is returned by the sender. If no response to the first message is received, the control packet is determined to be an attack packet. If a response to the first message is received, the traffic cleaning device may further detect whether the sequence number of the response is the specified sequence number plus 1; if it is not, the control packet is determined to be an attack packet. If the sequence number of the response is the specified sequence number plus 1, the control packet is determined to be a legal packet.
Here, only the preset policy is exemplarily described, and in practical applications, the traffic cleansing device may further detect whether the TCP control packet is legal by using a method that is commonly used by those skilled in the art to detect an attack packet.
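The preset policy above, as an added Python example rather than the patent's own code: each pulled control packet is answered with a first message carrying a chosen sequence number, and the sender is recorded in the TCP connection table only if its response carries that number plus 1; no response, or a wrong number, yields an attack verdict. The deterministic sequence source (a real device would use a random value), the "unsolicited" verdict, and the constructed addresses 100.1.1.4 and 10.9.9.9 are assumptions.

```python
from typing import Callable, Dict, NamedTuple, Optional, Set


class FourTuple(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class ControlPacketVerifier:
    """Applies the preset policy to pulled TCP control packets for one attacked target.

    Only a sender that actually received the first message can answer with its
    sequence number + 1, so control packets from forged source addresses never
    make it into the TCP connection table and are never relayed to the target.
    """

    def __init__(self, target_ip: str, next_seq: Callable[[], int]):
        self.target_ip = target_ip
        self.next_seq = next_seq                  # sequence-number source (random in production)
        self.pending: Dict[FourTuple, int] = {}   # outstanding challenges by four-tuple
        self.tcp_connection_table: Set[FourTuple] = set()

    def on_control_packet(self, conn: FourTuple) -> Optional[int]:
        """Return the sequence number placed in the first message, or None if not for the target."""
        if conn.dst_ip != self.target_ip:
            return None  # the pull route only diverts traffic addressed to the attacked target
        seq = self.next_seq() & 0xFFFFFFFF
        self.pending[conn] = seq
        return seq

    def on_response(self, conn: FourTuple, response_seq: int) -> str:
        """Classify the sender's reply to the first message."""
        expected = self.pending.pop(conn, None)
        if expected is None:
            return "unsolicited"  # no challenge outstanding for this four-tuple
        if response_seq != (expected + 1) & 0xFFFFFFFF:
            return "attack"       # wrong number: the sender never saw the first message
        self.tcp_connection_table.add(conn)  # legal: record the connection
        return "legal"

    def on_timeout(self, conn: FourTuple) -> str:
        """No response to the first message arrived in time: treat the control packet as an attack."""
        if self.pending.pop(conn, None) is None:
            return "unsolicited"
        return "attack"

    def forward_control_packet(self, conn: FourTuple) -> bool:
        """The control packet is relayed to the target only after a legal verdict."""
        return conn in self.tcp_connection_table


def demo_challenge() -> dict:
    """Constructed scenario: one legal sender, one wrong reply, one silent (forged) source."""
    counter = iter(range(1000, 10_000, 1000))  # deterministic stand-in for a random sequence number
    v = ControlPacketVerifier("200.1.1.2", lambda: next(counter))
    legal = FourTuple("100.1.1.3", 5003, "200.1.1.2", 3003)   # TCP control packet 1 from the page
    wrong = FourTuple("100.1.1.4", 5004, "200.1.1.2", 3004)   # constructed
    silent = FourTuple("10.9.9.9", 4444, "200.1.1.2", 3003)   # constructed
    c1 = v.on_control_packet(legal)
    c2 = v.on_control_packet(wrong)
    v.on_control_packet(silent)
    return {
        "legal": v.on_response(legal, c1 + 1),
        "wrong": v.on_response(wrong, c2 + 7),
        "silent": v.on_timeout(silent),
        "replay": v.on_response(legal, c1 + 1),  # second answer: no challenge outstanding
        "table": sorted(v.tcp_connection_table),
        "forward_legal": v.forward_control_packet(legal),
        "forward_wrong": v.forward_control_packet(wrong),
    }
```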
Referring to fig. 2, fig. 2 is a flow chart illustrating a flow cleaning method according to an exemplary embodiment of the present application, which may include the following steps.
Step 201: the traffic detection device receives traffic forwarded by a core forwarding device of the data center, where the traffic includes: traffic sent by an external terminal to a service server in the data center, and traffic sent by the service server of the data center to the external terminal.
When the method is implemented, the core forwarding device deployed at the edge of the data center can forward the traffic sent by the external terminal to the service server in the data center and the traffic sent by the service server in the data center to the external terminal to the traffic detection device in a preset mode.
For example, the preset manner may be a light splitting manner, a mirror image manner, and the like, and the preset manner is not specifically limited herein.
Step 202: and when determining that a target service server in the data center is attacked based on the received flow, the flow detection equipment sends an alarm message carrying the target server identifier to the flow cleaning equipment.
In an alternative manner of determining that a service server is attacked, the traffic detection device may monitor traffic of each service server. And if the flow of a certain service server is greater than a preset threshold value, the flow detection equipment determines that the service server is attacked.
Of course, the traffic detection device may also detect the number of concurrent connections of each service server, and if the number of concurrent connections of a certain service server is higher than a preset threshold, it is determined that the service server is attacked.
Of course, in practical applications, the traffic detection device may also detect whether a CPU (central processing Unit) utilization rate or a memory occupancy rate of each service server is higher than a preset threshold to identify whether the service server is attacked. Here, the identification method for identifying whether the service server is attacked is only exemplarily described, and the identification method is not particularly limited.
In the embodiment of the application, when the traffic detection device identifies that the target service server is attacked, the traffic detection device may send an alarm message carrying the identifier of the target server to the traffic cleaning device.
The target server identifier is information that uniquely identifies the target server. The destination server identification may be an IP address of the destination server, etc. The target server identifier is merely exemplary and is not particularly limited.
Step 203: the traffic cleaning device receives the alarm message sent by the traffic detection device, where the alarm message includes: the identifier of the attacked target service server.
Step 204: the traffic cleaning device, in response to the alarm message, issues a pull route to the core forwarding device of the data center, so that the core forwarding device pulls the TCP packets sent to the target service server to the traffic cleaning device based on the pull route.
In implementation, the traffic cleansing device may issue a pull route to a core forwarding device of the data center in response to the alert message.
The function of the pull route is to cause the core forwarding device to pull the TCP packet sent to the target service server to the local flow cleaning device based on the pull route.
For example, the destination IP address of the pull route is the IP address of the attacked target traffic server, and the next hop is the traffic cleaning device.
The core forwarding device sends the TCP message hitting the pull route to the flow cleaning device. Wherein, the TCP message hitting the traction route is the message sent to the attacked target service server.
Step 205: and the flow cleaning equipment receives the TCP message drawn by the core forwarding equipment, and if the TCP message is a data message, when the data message does not hit the recorded TCP connection table corresponding to the target service server, whether the TCP connection corresponding to the data message is legal TCP connection established on the target service server before the drawing route is released is detected.
Step 205 is explained in detail below with reference to steps 2051 to 2054.
In step 2051, the traffic cleaning device detects whether the pulled TCP packet is a data packet.
Step 2052: if the TCP message is a data message, the traffic cleaning device can detect whether the data message hits the recorded TCP connection table corresponding to the target service server.
Step 2053: if the data packet hits the recorded TCP connection table corresponding to the target service server, the data packet is determined to be a legal packet, and the traffic cleaning device may send the data packet to the target service server through the core forwarding device.
Step 2054: if the data message does not hit the recorded TCP connection table corresponding to the target service server, the flow cleaning equipment further detects whether the TCP connection corresponding to the data message is a legal TCP connection established on the target service server before the traction route is released.
One detection mode is described below.
When receiving the alarm message sent by the traffic detection device, the traffic cleaning device may, in response to the alarm message, send an acquisition request carrying the identifier of the target service server to the traffic detection device.
After receiving the acquisition request, the traffic detection device may search a trusted connection table entry corresponding to the identifier of the target service server in a trusted connection table maintained by the traffic detection device, and return at least one found trusted connection table entry to the traffic cleaning device.
For example, the trusted connection table on the traffic detection device is shown in table 1.
If the identifier of the target service server is the IP address of the target service server, i.e. 200.1.1.2, the trusted connection table entry returned to the traffic cleaning device by the traffic detection device is as shown in table 2.
[Table 2 (image not reproduced)]
In this embodiment of the present application, when it is determined that the data packet misses the recorded TCP connection table corresponding to the target service server, the traffic cleaning device may detect whether the data packet hits a trusted connection table entry returned by the traffic detection device.
If the data packet hits at least one returned trusted connection table entry, the traffic cleaning device determines that the TCP connection corresponding to the data packet is a legal TCP connection established on the target service server before the pull route was issued.
If the data packet does not hit any of the returned trusted connection table entries, the traffic cleaning device determines that the TCP connection corresponding to the data packet is not a legal TCP connection established on the target service server before the pull route was issued.
Step 206: and if so, sending the data message to the target service server through the core forwarding equipment.
In the implementation of the application, if the TCP connection corresponding to the data packet is a legal TCP connection established on the target service server before the pull route is issued, the data packet is determined to be a legal packet, and the data packet is sent to the target service server, so that the target service server performs service processing on the data packet.
If the TCP connection corresponding to the data message is not the legal TCP connection established on the target service server before the traction route is issued, determining that the data message is an illegal message, and discarding the data message.
In addition, in the embodiment of the application, the traffic cleansing device may further supplement information of the legal TCP connection in the TCP connection table, so that the more comprehensive information of the legal TCP connection established on the target server may be recorded in the TCP connection table.
When the data message is hit in the trusted connection table, the traffic cleaning equipment extracts the characteristic information of the data message, generates TCP connection information corresponding to the data message, and adds the generated TCP connection information to the TCP connection table.
In addition, in this embodiment of the application, when receiving a TCP packet sent by a core forwarding device, if the TCP packet is a control packet, the traffic cleaning device may detect whether the control packet is an attack packet.
If the control message is not an attack message, extracting the characteristic information of the control message, generating TCP connection information corresponding to the control message, adding the TCP connection information to the TCP connection table, and sending the control message to the target service server through the core forwarding equipment, so that the target service server establishes TCP connection with a sender of the control message.
If the control message is an attack message, the control message is discarded to prevent the target service server from establishing TCP connection with the sender of the control message.
The method for detecting whether the control packet is an attack packet refers to the above description in the creation of the TCP connection table, which is not described herein again.
As can be seen from the above description, since the traffic cleansing device also determines the validity of the data packet that does not hit the TCP connection table, and sends the valid data packet to the attacked service server, the valid data packet can be prevented from being lost, thereby preventing the interruption of the long connection of the valid TCP.
Referring to fig. 3, fig. 3 is a flow chart illustrating another flow cleaning method according to an exemplary embodiment of the present application. The method may include the steps shown below.
Step 301: the method comprises the following steps that a flow detection device receives flow forwarded by a core forwarding device of a data center, wherein the flow comprises the following steps: traffic sent by an external terminal to a service server in a data center, and traffic sent by the service server of the data center to the external terminal.
Specifically, refer to the description in step 201, which is not described herein again.
Step 302: and when determining that a target service server in the data center is attacked based on the received flow, the flow detection equipment sends an alarm message carrying the target server identifier to the flow cleaning equipment.
Specifically, refer to the description in step 202, which is not described herein again.
Step 303: and the flow cleaning equipment responds to the alarm message, and issues a traction route to core forwarding equipment of a data center so that the core forwarding equipment can be used for drawing the TCP message sent to the target service server to the equipment based on the traction route.
Specifically, refer to the description in step 204, which is not described herein again.
Step 304: and the flow cleaning equipment detects whether the TCP data message hits a TCP connection table corresponding to the attacked target server or not aiming at the dragged TCP data message.
Wherein, this TCP connection table includes: information of legal TCP connection established on the target service server after sending the pull route
If the TCP data packet hits the TCP connection table corresponding to the attacked target server, step 308 is executed.
If the TCP data packet does not hit the TCP connection table corresponding to the attacked target server, step 305 is executed.
Step 305: and detecting whether the TCP data message hits a trusted connection table item which is acquired from the flow detection equipment and corresponds to the target service server.
Wherein, the trusted connection table entry includes: and the traction route issues the established legal TCP connection on the target service server.
If the TCP data packet hits the obtained trusted connection table, step 307 to step 308 are executed.
If the TCP data packet does not hit the obtained trusted connection table, step 306 is executed.
Step 306: and the flow cleaning equipment discards the TCP data message.
Step 307: and the flow cleaning equipment adds the TCP connection information corresponding to the TCP data message to a TCP connection table.
Step 308: and the flow cleaning equipment sends the TCP data message to a target service server through the core forwarding equipment.
It can be seen from the above description that, since the TCP connection table records the legal TCP connection established on the target service server after the pull route is issued, and the trusted connection table entry records the legal TCP connection established on the target service server before the pull route is issued, the two tables can completely describe all the legal TCP connections established by the target service server. Therefore, the legality of the TCP data message is identified based on the two tables, all legal TCP messages can be accurately identified, and the problem of long connection interruption of legal TCP caused by discarding the TCP messages due to misjudgment of the legal TCP messages as illegal TCP messages can be effectively solved.
The flow cleaning method provided in the present application is explained in detail below by specific examples.
For example, as shown in fig. 4, it is assumed that the IP address of the service server 2 in the data center is 200.1.1.2 and the IP address of the external terminal 1 is 100.1.1.2.
It is assumed that the external terminal 1 of the data center has established a legal TCP connection 1 with the service server 2 in the data center, and performs data interaction through the TCP connection. The trusted connection table of the flow detection device at this time is shown in table 3.
[Table 3 (image not reproduced)]
After a period of time, the traffic detection device detects that the service server 2 is attacked, and the traffic detection device may send an alarm message to the traffic cleaning device, where the alarm message carries the IP address of the service server 2.
The flow cleaning device sends a traction route to the core forwarding device, so that the core forwarding device sends the TCP message sent to the service server 2 to the flow cleaning device, and obtains the trusted connection table entry shown in table 3 from the flow detection device.
If the pulled TCP packet is a TCP control packet (herein, referred to as TCP control packet 1), the traffic cleansing device may detect whether the TCP control packet 1 is legal. Assuming that the TCP control message 1 is legal, the traffic cleaning device adds the quadruple information of the TCP control message 1 as the information of the TCP connection 2 corresponding to the TCP control message 1 in the TCP connection table.
Assume that the four-tuple information of TCP control packet 1 is source IP address 100.1.1.3, source port 5003, destination IP address 200.1.1.2 and destination port 3003.
At this time, the TCP connection table maintained on the traffic cleaning device is shown in table 4.
[Table 4 (image not reproduced)]
Then the traffic cleaning device receives TCP data packet 1 of TCP connection 1. The four-tuple information of TCP data packet 1 is source IP address 100.1.1.2, source port 5002, destination IP address 200.1.1.2 and destination port 3002.
The traffic cleansing device may detect whether the TCP data message 1 hits table 4. In this example, TCP datagram 1 does not hit Table 4. The traffic cleaning device may further detect whether the TCP data packet 1 hits table 3, and since the TCP data packet 1 hits table 3, the traffic cleaning device determines that the TCP data packet 1 is a legal packet, and sends the TCP data packet 1 to the service server 2 through the core forwarding device.
Compared with the prior art, after detecting that TCP data packet 1 misses the TCP connection table shown in table 4, the traffic cleaning device does not directly discard TCP data packet 1, but further detects whether TCP data packet 1 is legal through the trusted connection table shown in table 3, so that legal data packets are effectively prevented from being lost, and the interruption of legal TCP long connections is prevented.
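The worked example above, replayed as an added Python model (not code from the patent) of the Fig. 3 data-packet decision: table 4 is the TCP connection table filled after the pull route, table 3 the trusted connection table entries fetched from the detection device, and the prior-art behaviour without table 3 is shown beside it. The stray 10.0.0.7 sender, the extra server 200.1.1.1 check and the method names are assumptions.

```python
from typing import Iterable, NamedTuple, Set


class FourTuple(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class TrafficCleaningDevice:
    """Data-packet path of Fig. 3 (steps 304 to 308) for one attacked target service server."""

    def __init__(self, target_ip: str, trusted_entries: Iterable[FourTuple]):
        self.target_ip = target_ip
        # Table 4: legal connections established after the pull route was issued.
        self.tcp_connection_table: Set[FourTuple] = set()
        # Table 3: entries returned by the detection device, i.e. legal connections
        # that already existed before the pull route was issued.
        self.trusted_entries: Set[FourTuple] = set(trusted_entries)

    def record_verified_control_packet(self, conn: FourTuple) -> None:
        """A control packet already judged legal (as TCP control packet 1 on the page)."""
        self.tcp_connection_table.add(conn)

    def handle_data_packet(self, conn: FourTuple) -> str:
        if conn.dst_ip != self.target_ip:
            return "not pulled"                   # only traffic to the target hits the pull route
        if conn in self.tcp_connection_table:
            return "forward"                      # step 304 hit -> step 308
        if conn in self.trusted_entries:
            self.tcp_connection_table.add(conn)   # step 307: supplement the TCP connection table
            return "forward"                      # step 308
        return "drop"                             # step 306

    def handle_data_packet_prior_art(self, conn: FourTuple) -> str:
        """The same decision without the trusted connection table, as the page describes the prior art."""
        if conn.dst_ip != self.target_ip:
            return "not pulled"
        return "forward" if conn in self.tcp_connection_table else "drop"


def demo_worked_example() -> dict:
    """The page's Fig. 4 scenario; the 'stray' sender and the other-server packet are constructed."""
    conn1 = FourTuple("100.1.1.2", 5002, "200.1.1.2", 3002)   # TCP connection 1 (table 3)
    conn2 = FourTuple("100.1.1.3", 5003, "200.1.1.2", 3003)   # TCP connection 2 (table 4)
    stray = FourTuple("10.0.0.7", 60000, "200.1.1.2", 3002)   # constructed: in neither table
    cleaner = TrafficCleaningDevice("200.1.1.2", trusted_entries=[conn1])
    cleaner.record_verified_control_packet(conn2)
    return {
        "data1_prior_art": cleaner.handle_data_packet_prior_art(conn1),  # long connection would break
        "data1": cleaner.handle_data_packet(conn1),            # misses table 4, hits table 3
        "data1_recorded": conn1 in cleaner.tcp_connection_table,  # now in table 4 for later packets
        "conn2": cleaner.handle_data_packet(conn2),
        "stray": cleaner.handle_data_packet(stray),
        "other_server": cleaner.handle_data_packet(FourTuple("100.1.1.2", 1, "200.1.1.1", 80)),
    }
```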
FIG. 5 is a hardware block diagram of a traffic cleaning device according to an exemplary embodiment of the present application.
The traffic cleaning device includes: a communication interface 501, a processor 502, a machine-readable storage medium 503, and a bus 504; the communication interface 501, the processor 502 and the machine-readable storage medium 503 communicate with each other via the bus 504. The processor 502 may perform the traffic cleaning method described above by reading and executing machine-executable instructions in the machine-readable storage medium 503 corresponding to the traffic cleaning control logic.
The machine-readable storage medium 503 referred to herein may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and the like. For example, the machine-readable storage medium may be: volatile memory, non-volatile memory, or similar storage media. In particular, the machine-readable storage medium 503 may be a RAM (Random Access Memory), a flash memory, a storage drive (e.g., a hard disk drive), a solid state disk, any type of storage disk (e.g., a compact disk, a DVD, etc.), or similar storage medium, or a combination thereof.
Referring to fig. 6, fig. 6 is a block diagram of a flow cleaning apparatus applied to a flow cleaning device according to an exemplary embodiment of the present application, where the apparatus may be applied to the flow cleaning device, and may include the following units.
A receiving unit 601, configured to receive an alarm message sent by a traffic detection device, where the alarm message includes: identification of the attacked target service server;
a publishing unit 602, configured to, in response to the alarm message, publish a pull route to a core forwarding device of a data center, so that the core forwarding device pulls, to a local device, a TCP packet sent to the target service server based on the pull route;
a detecting unit 603, configured to receive a TCP packet pulled by the core forwarding device, and if the TCP packet is a data packet, detect whether a TCP connection corresponding to the data packet is a legal TCP connection established on the target service server before a pull route is issued when the data packet misses a recorded TCP connection table corresponding to the target service server;
a forwarding unit 604, configured to send the data packet to the target service server through the core forwarding device if the detection result is yes;
wherein the TCP connection table includes: information of the legal TCP connections established on the target service server after the pull route is issued.
Optionally, the apparatus further comprises:
an obtaining unit 605 (not shown in fig. 6) configured to send, in response to the alarm message, an obtaining request carrying an identifier of a target service server to the traffic detection device, and receive a trusted connection table entry corresponding to the target service server and returned by the traffic detection device; wherein, the trusted connection table entry includes: the information of the established legal TCP connection on the target service server before the pull route is released;
the detecting unit 603 is configured to detect whether the data packet hits the obtained trusted connection table entry when detecting whether the TCP connection corresponding to the data packet is a legal TCP connection established on the target service server before the pull route is released; if yes, determining that the TCP connection corresponding to the data message is a legal TCP connection established on the target service server before the pull route is released; if not, determining that the TCP connection corresponding to the data message is not a legal TCP connection established on the target service server before the pull route is released.
Optionally, the apparatus further comprises:
an adding unit 606 (not shown in fig. 6), configured to extract feature information of the data packet after determining that the data packet hits the trusted connection table entry, and generate TCP connection information corresponding to the data packet; adding the generated TCP connection information to the TCP connection table.
Optionally, the forwarding unit 604 is further configured to send the data packet to the target service server through the core forwarding device if the data packet hits the TCP connection table; and to discard the data packet if the data packet does not hit the trusted connection table.
Optionally, the apparatus further comprises:
a creating unit 607, configured to detect whether a TCP packet pulled by the core forwarding device is an attack packet if the TCP packet is a control packet; if not, extract the feature information of the control packet, generate TCP connection information corresponding to the control packet, add the TCP connection information to the TCP connection table, and send the control packet to the target service server through the core forwarding device.
Referring to fig. 7, fig. 7 is a hardware structure diagram of a traffic detection device according to an exemplary embodiment of the present application.
The traffic detection device includes: a communication interface 701, a processor 702, a machine-readable storage medium 703, and a bus 704; the communication interface 701, the processor 702, and the machine-readable storage medium 703 communicate with one another via the bus 704. The processor 702 may perform the traffic cleaning methods described above by reading and executing machine-executable instructions corresponding to the traffic cleaning control logic in the machine-readable storage medium 703.
The machine-readable storage medium 703 referred to herein may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and the like. For example, the machine-readable storage medium may be: volatile memory, non-volatile memory, or similar storage media. In particular, the machine-readable storage medium 703 may be a RAM (Random Access Memory), a flash memory, a storage drive (e.g., a hard disk drive), a solid state disk, any type of storage disk (e.g., a compact disk, a DVD, etc.), or similar storage medium, or a combination thereof.
Referring to fig. 8, fig. 8 is a block diagram of a flow cleaning apparatus applied to a flow detection device according to an exemplary embodiment of the present application. The device can be applied to flow detection equipment and can comprise the following units.
A receiving unit 801, configured to receive traffic forwarded by a core forwarding device of a data center, where the traffic includes: the traffic sent by the external terminal to the service server of the data center and the traffic sent by the service server of the data center to the external terminal;
a sending unit 802, configured to send an alarm message carrying an identifier of a target service server to the traffic cleaning device when it is determined that the target service server in the data center is attacked based on the received traffic;
the warning message is used for triggering the flow cleaning equipment to issue a traction route to core forwarding equipment of a data center, so that the core forwarding equipment pulls a TCP message sent to the target service server to the equipment based on the traction route; receiving a TCP message pulled by the core forwarding equipment, if the TCP message is a data message, detecting whether a TCP connection corresponding to the data message is a legal TCP connection established on the target service server before the pulling route is issued when the data message does not hit a recorded TCP connection table; if so, sending the data message to the target service server through the core forwarding equipment; wherein the TCP connection table includes: and the legal TCP connection is established on the target service server after the pull route is released.
Optionally, the apparatus further comprises:
a creating unit 803 (not shown in fig. 8), configured to identify information of the TCP connections established on the respective service servers based on the received traffic; establish, based on the information of the TCP connections established on each service server, a trusted connection table entry corresponding to each service server, and add the established trusted connection table entry to the trusted connection table; wherein the trusted connection table entry corresponding to each service server comprises: information of the TCP connections currently established on that service server.
Optionally, the receiving unit 801 is further configured to receive an acquisition request sent by the flow cleaning device; the acquisition request carries an identifier of a target service server;
the sending unit 802 is further configured to return a trusted connection table entry corresponding to the service server to the traffic cleaning device.
Optionally, each trusted connection table entry includes an aging duration;
the device further comprises:
a deleting unit 804, configured to delete any trusted connection table entry from the trusted connection table when it is detected that the aging duration of the trusted connection table entry arrives; or, based on the received flow, when recognizing that any TCP connection established on any service server is disconnected, deleting the trusted connection table entry corresponding to the any TCP connection from the trusted connection table.
In addition, this application also provides a flow cleaning system, which includes: a flow detection device and a flow cleaning device;
the traffic detection device is configured to receive traffic forwarded by a core forwarding device of a data center, where the traffic includes: the traffic sent by the external terminal to the service server in the data center and the traffic sent by the service server in the data center to the external terminal; when it is determined that a target service server in the data center is attacked based on the received traffic, sending an alarm message carrying the target server identifier to the traffic cleaning equipment;
the flow cleaning device is configured to, in response to the alarm message, issue a traction route to the core forwarding device of the data center, so that the core forwarding device pulls TCP messages sent to the target service server to the flow cleaning device based on the traction route; receive a TCP message pulled by the core forwarding device, and, if the TCP message is a data message and the data message does not hit the recorded TCP connection table, detect whether the TCP connection corresponding to the data message is a legal TCP connection established on the target service server before the traction route was issued; if so, send the data message to the target service server through the core forwarding device;
wherein the TCP connection table includes information of the legal TCP connections established on the target service server after the traction route was issued.
Optionally, the traffic cleaning device is configured to send, in response to the alarm message, an acquisition request carrying a target service server identifier to the traffic detection device;
the flow detection device is used for returning a trusted connection table entry corresponding to the service server to the flow cleaning device;
the flow cleaning equipment is used for detecting whether the data message hits the acquired credible connection table item when detecting whether the TCP connection corresponding to the data message is legal TCP connection established on the target service server before the traction route is released; if yes, determining that the TCP connection corresponding to the data message is a legal TCP connection established on the target service server before the pull route is released; if not, determining that the TCP connection corresponding to the data message is not a legal TCP connection established on the target service server before the pull route is released.
Optionally, the flow cleaning device is further configured to: after determining that the data message hits the trusted connection table entry, extract characteristic information of the data message and generate TCP connection information corresponding to the data message; and add the generated TCP connection information to the TCP connection table.
Optionally, the flow cleaning device is configured to send the data message to the target service server through the core forwarding device if the data message hits the TCP connection table; and to discard the data message if the data message does not hit the trusted connection table.
Optionally, the flow cleaning device is configured to, if the TCP message pulled by the flow detection device is a control message, detect whether the control message is an attack message; if not, extract the characteristic information of the control message, generate TCP connection information corresponding to the control message, add the TCP connection information to the TCP connection table, and send the control message to the target service server through the core forwarding device.
Optionally, the flow detection device is configured to identify information of the TCP connections established on each service server based on the received traffic; based on the information of the TCP connections established on each service server, establish a trusted connection table entry corresponding to each service server respectively, and add the established trusted connection table entries to the trusted connection table; the trusted connection table entry corresponding to each service server includes information of the TCP connections currently established on that service server.
Optionally, each trusted connection table entry includes an aging duration;
the flow detection device is configured to delete any trusted connection table entry from the trusted connection table when detecting that the aging duration of that trusted connection table entry has elapsed;
or,
based on the received traffic, when recognizing that any TCP connection established on any service server has been disconnected, to delete the trusted connection table entry corresponding to that TCP connection from the trusted connection table.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (12)

1. A flow cleaning method, wherein the method is applied to a flow cleaning device, and the method comprises:
receiving an alarm message sent by a flow detection device, wherein the alarm message comprises: identification of the attacked target service server;
responding to the alarm message, issuing a traction route to core forwarding equipment of a data center, so that the core forwarding equipment pulls the TCP message sent to the target service server to the equipment based on the traction route;
receiving a TCP message drawn by the core forwarding equipment, if the TCP message is a data message, detecting whether a TCP connection corresponding to the data message is a legal TCP connection established on the target service server before a drawing route is issued when the data message does not hit a recorded TCP connection table corresponding to the target service server;
if so, sending the data message to the target service server through the core forwarding equipment;
wherein the TCP connection table includes: information of the legal TCP connections established on the target service server after the traction route was issued.
2. The method of claim 1, further comprising:
responding to the alarm message, sending an acquisition request carrying a target service server identifier to the flow detection equipment, and receiving a trusted connection table entry corresponding to the target service server and returned by the flow detection equipment; wherein, the trusted connection table entry includes: the information of the established legal TCP connection on the target service server before the pull route is released;
the detecting whether the TCP connection corresponding to the data packet is a legal TCP connection established on the target service server before the pull route is issued includes:
detecting whether the data message hits the obtained trusted connection table item;
if yes, determining that the TCP connection corresponding to the data message is a legal TCP connection established on the target service server before the pull route is released;
if not, determining that the TCP connection corresponding to the data message is not a legal TCP connection established on the target service server before the pull route is released.
3. The method of claim 2, further comprising:
after determining that the data message hits the trusted connection table entry, extracting characteristic information of the data message, and generating TCP connection information corresponding to the data message;
adding the generated TCP connection information to the TCP connection table.
4. The method of claim 2, further comprising:
if the data message hits the TCP connection table, the data message is sent to the target service server through the core forwarding equipment;
and if the data message does not hit the trusted connection table, discarding the data message.
5. The method of claim 1, further comprising:
if the TCP message pulled by the flow detection equipment is a control message, detecting whether the control message is an attack message;
if not, extracting the characteristic information of the control message, generating TCP connection information corresponding to the control message, adding the TCP connection information to the TCP connection table, and sending the control message to the target service server through the core forwarding equipment.
6. A flow cleaning method is applied to flow detection equipment, and comprises the following steps:
receiving traffic forwarded by core forwarding equipment of a data center, where the traffic includes: the traffic sent by the external terminal to the service server of the data center and the traffic sent by the service server of the data center to the external terminal;
when it is determined that a target service server in the data center is attacked based on the received traffic, sending an alarm message carrying the target server identifier to the traffic cleaning equipment;
the alarm message is used for triggering the flow cleaning device to issue a traction route to the core forwarding device of the data center, so that the core forwarding device pulls TCP messages sent to the target service server to the flow cleaning device based on the traction route; receiving a TCP message pulled by the core forwarding device, and, if the TCP message is a data message and the data message does not hit the recorded TCP connection table, detecting whether the TCP connection corresponding to the data message is a legal TCP connection established on the target service server before the traction route was issued; if so, sending the data message to the target service server through the core forwarding device; wherein the TCP connection table includes information of the legal TCP connections established on the target service server after the traction route was issued.
7. The method of claim 6, further comprising:
identifying information of established TCP connections on each service server based on the received traffic;
based on the information of TCP connection established on each service server, establishing a trusted connection table entry corresponding to each service server respectively, and adding the established trusted connection table entry into the trusted connection table;
the trusted connection table entry corresponding to each service server includes: information of the TCP connections currently established on that service server.
8. The method of claim 7, further comprising:
receiving an acquisition request sent by the flow cleaning equipment; the acquisition request carries an identifier of a target service server;
and returning a trusted connection table entry corresponding to the service server to the flow cleaning equipment.
9. The method of claim 6, wherein each trusted connection table entry includes an aging duration;
the method further comprises the following steps:
when it is detected that the aging duration of any trusted connection table entry has elapsed, deleting that trusted connection table entry from the trusted connection table;
or,
based on the received traffic, when recognizing that any TCP connection established on any service server has been disconnected, deleting the trusted connection table entry corresponding to that TCP connection from the trusted connection table.
10. A flow cleaning device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to perform the method of any one of claims 1 to 5.
11. A flow detection device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to perform the method of any one of claims 6 to 9.
12. A flow cleaning system, comprising: flow detection equipment and flow cleaning equipment;
the traffic detection device is configured to receive traffic forwarded by a core forwarding device of a data center, where the traffic includes: the traffic sent by the external terminal to the service server in the data center and the traffic sent by the service server in the data center to the external terminal; when it is determined that a target service server in the data center is attacked based on the received traffic, sending an alarm message carrying the target server identifier to the traffic cleaning equipment;
the flow cleaning device is configured to, in response to the alarm message, issue a traction route to the core forwarding device of the data center, so that the core forwarding device pulls TCP messages sent to the target service server to the flow cleaning device based on the traction route; receive a TCP message pulled by the core forwarding device, and, if the TCP message is a data message and the data message does not hit the recorded TCP connection table, detect whether the TCP connection corresponding to the data message is a legal TCP connection established on the target service server before the traction route was issued; if so, send the data message to the target service server through the core forwarding device;
wherein the TCP connection table includes: information of the legal TCP connections established on the target service server after the traction route was issued.
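The two-table scrubbing logic described in the system embodiment above and in claims 1 to 9, as an added illustrative model that is not part of the patent: the detection device learns a trusted connection table from mirrored traffic, and after the alarm the cleaning device forwards a data packet only if it hits its own TCP connection table or the fetched trusted entries, records non-attack control packets, and the detection device ages out or removes entries on teardown. The 4-tuple connection key, the `is_attack_control_packet` heuristic and the integer timestamps are assumptions, since the patent does not specify them.

```python
from dataclasses import dataclass

# Constructed connection key (client ip, client port, server ip, server port);
# the patent only says "characteristic information" of a packet identifies the connection.
Key = tuple

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # e.g. "SYN", "PSH,ACK", "FIN,ACK", "RST"
    def key(self) -> Key:
        return (self.src, self.sport, self.dst, self.dport)
    def is_control(self) -> bool:
        # SYN/FIN/RST segments open or close a connection; everything else is data.
        return any(f in self.flags for f in ("SYN", "FIN", "RST"))

def is_attack_control_packet(pkt: Packet) -> bool:
    # Assumed stand-in for the patent's unspecified control-packet check:
    # a segment that both opens and closes a connection is malformed.
    return "SYN" in pkt.flags and ("FIN" in pkt.flags or "RST" in pkt.flags)

class DetectionDevice:
    """Sees mirrored traffic; keeps a trusted connection table per service server."""
    def __init__(self, servers: set, aging: int):
        self.servers, self.aging = servers, aging
        self.trusted: dict = {s: {} for s in servers}  # server -> key -> expiry time

    def observe(self, pkt: Packet, now: int) -> None:
        if pkt.dst not in self.servers:  # only index the inbound direction
            return
        table = self.trusted[pkt.dst]
        if "FIN" in pkt.flags or "RST" in pkt.flags:
            table.pop(pkt.key(), None)   # connection released: drop the entry
        elif "SYN" not in pkt.flags:     # data flowing: connection is established
            table[pkt.key()] = now + self.aging

    def trusted_entries(self, server: str, now: int) -> set:
        table = self.trusted[server]
        for k in [k for k, exp in table.items() if exp <= now]:
            del table[k]                 # aging duration elapsed
        return set(table)

class CleaningDevice:
    """Receives diverted packets after the alarm and decides forward/drop."""
    def __init__(self, detector: DetectionDevice):
        self.detector = detector
        self.trusted: dict = {}     # trusted entries fetched from the detector on alarm
        self.conn_table: dict = {}  # legal connections recorded after diversion

    def on_alarm(self, server: str, now: int) -> None:
        # The traction route is issued here; the model records only its effect:
        # from now on packets to `server` arrive via handle().
        self.trusted[server] = self.detector.trusted_entries(server, now)
        self.conn_table[server] = set()

    def handle(self, pkt: Packet) -> str:
        conn = self.conn_table[pkt.dst]
        if pkt.is_control():
            if is_attack_control_packet(pkt):
                return "drop"
            conn.add(pkt.key())      # claim 5: record and forward a non-attack control packet
            return "forward"
        if pkt.key() in conn:
            return "forward"         # claim 4: hit in the TCP connection table
        if pkt.key() in self.trusted[pkt.dst]:
            conn.add(pkt.key())      # claim 3: pre-diversion connection, now recorded
            return "forward"
        return "drop"                # data for no known connection, e.g. an ACK flood
```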
CN202010161736.2A 2020-03-10 2020-03-10 Flow cleaning method, flow cleaning system and equipment Active CN111031077B (en)

Publications (2)

Publication Number Publication Date
CN111031077A (en) 2020-04-17
CN111031077B CN111031077B (en) 2020-06-09

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113709156A (en) * 2021-08-27 2021-11-26 哈尔滨工业大学 NIDS network penetration detection method, computer and storage medium
US11895141B1 (en) * 2022-12-01 2024-02-06 Second Sight Data Discovery, Inc. Apparatus and method for analyzing organization digital security

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106027511A (en) * 2016-05-13 2016-10-12 北京工业大学 Protocol isolation method based on deep resolution of Modbus/TCP (Transmission Control Protocol)
CN106131039A (en) * 2016-07-26 2016-11-16 广州华多网络科技有限公司 The processing method and processing device of SYN flood attack
US20170264637A1 (en) * 2014-11-26 2017-09-14 Huawei Technologies Co., Ltd. Method, Apparatus and System for Processing Attack Behavior of Cloud Application in Cloud Computing System

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant