CN112702358A - SYN Flood attack protection method and device, electronic device and storage medium - Google Patents


Info

Publication number
CN112702358A
Authority
CN
China
Prior art keywords
client
syn
authentication
target server
determining
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110005409.2A
Other languages
Chinese (zh)
Inventor
宋建昌
高玉玺
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Kingsoft Cloud Network Technology Co Ltd
Original Assignee
Beijing Kingsoft Cloud Network Technology Co Ltd
Application filed by Beijing Kingsoft Cloud Network Technology Co Ltd
Priority to CN202110005409.2A
Publication of CN112702358A
Legal status: Pending

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1458: Denial of Service
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00: Traffic control in data switching networks
    • H04L47/10: Flow control; Congestion control
    • H04L47/32: Flow control; Congestion control by discarding or delaying data units, e.g. packets or frames

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the invention relate to a method and a device for protecting against SYN Flood attacks, an electronic device and a storage medium. The method comprises: when a SYN message requesting connection to a target server is received, if the target server is determined to be attacked by SYN Flood, counting a first accumulated requested connection amount of the target server up to the current time in the current protection period; determining a target authentication mode based on the first accumulated requested connection amount, and authenticating the client corresponding to the SYN message using the target authentication mode; if the authentication result shows that the client is an illegal client, discarding the SYN message; and if the authentication result shows that the client is a legal client, releasing the SYN message. In this way, authentication accuracy is ensured, protection pressure is reduced, and downlink network congestion is avoided, so that the service quality of normal services is not affected and user requirements are comprehensively met.

Description

SYN Flood attack protection method and device, electronic device and storage medium
Technical Field
The embodiment of the invention relates to the technical field of computers, in particular to a method and a device for protecting against SYN Flood attack, electronic equipment and a storage medium.
Background
The SYN Flood attack is one of the most popular DDoS (Distributed Denial of Service) attack modes. It exploits defects in TCP (Transmission Control Protocol) to send a large number of forged TCP connection requests, so that the resources of the attacked party are exhausted (for example, the CPU is fully loaded or memory is insufficient).
At present, in order to defend against SYN Flood attacks, a DDoS protection system may be arranged between a client and a server, so that a SYN message sent by the client to the server first reaches the DDoS protection system. After receiving the SYN message, the DDoS protection system first authenticates the client that sent it. If the authentication result indicates that the client is illegal, the SYN message is discarded; if the authentication result indicates that the client is legal, the SYN message is sent to the server. In this way, attack messages do not reach the server and do not consume its resources.
However, in the prior art, the DDoS protection system authenticates clients with a single fixed authentication mechanism, such as a packet loss retransmission authentication mechanism or a syn-cookie authentication mechanism, and each mechanism has advantages and disadvantages. The packet loss retransmission authentication mechanism is simple and efficient, but its authentication accuracy is poor and attack messages are easily missed. The syn-cookie authentication mechanism has high authentication accuracy, but when the number of attack messages is large it generates a large number of SYN+ACK messages, which easily causes downlink network congestion and thereby affects the quality of service of normal services. Therefore, the SYN Flood attack protection scheme in the prior art is single and cannot meet the user requirements comprehensively.
Disclosure of Invention
In view of this, in order to solve the technical problems that the SYN Flood attack protection scheme in the prior art is single and cannot fully meet the user requirements, embodiments of the present invention provide a method and an apparatus for protecting against SYN Flood attacks, an electronic device, and a storage medium.
In a first aspect, an embodiment of the present invention provides a method for protecting against a SYN Flood attack, including:
when a SYN message requesting connection to a target server is received, if the target server is determined to be attacked by SYN Flood, counting a first accumulated requested connection amount of the target server up to the current time in the current protection period;
determining a target authentication mode based on the first accumulated requested connection amount so as to authenticate the client corresponding to the SYN message by adopting the target authentication mode;
if the authentication result shows that the client is an illegal client, discarding the SYN message; and if the authentication result shows that the client is a legal client, releasing the SYN message.
In one possible embodiment, the method further comprises:
in a preset counting period, when a SYN message requesting connection to the target server is received, counting a second accumulated requested connection amount of the target server in the preset counting period;
when the second accumulated requested connection amount is determined to reach a first set threshold, determining that the target server is attacked by SYN Flood, and recording, in a set storage medium, a flag for identifying that the target server is attacked by SYN Flood;
when the second accumulated requested connection amount is determined not to reach the first set threshold, if the flag is recorded in the set storage medium, deleting the flag recorded in the set storage medium;
the determining that the target server is attacked by the SYN Flood includes:
when the flag is determined to be recorded in the set storage medium, determining that the target server is attacked by the SYN Flood.
In a possible embodiment, the determining a target authentication mode based on the first accumulated requested connection amount to authenticate the client corresponding to the SYN message by using the target authentication mode includes:
judging whether the first accumulated requested connection amount reaches a second set threshold value;
if so, authenticating the client corresponding to the SYN message by adopting a first authentication mechanism to obtain a first authentication result, and if the first authentication result indicates that the client is an illegal client, determining that the client is the illegal client;
if the first authentication result shows that the client is a legal client, continuing to authenticate the client by adopting a second authentication mechanism to obtain a second authentication result;
if the second authentication result indicates that the client is an illegal client, determining that the client is an illegal client; and if the second authentication result shows that the client is a legal client, determining that the client is a legal client.
In one possible embodiment, the method further comprises:
if the first accumulated requested connection quantity does not reach the second set threshold, authenticating the client by adopting the second authentication mechanism to obtain a third authentication result;
if the third authentication result indicates that the client is an illegal client, determining that the client is an illegal client; and if the third authentication result shows that the client is a legal client, determining that the client is a legal client.
In one possible embodiment, the method further comprises:
when a SYN message requesting connection to a target server is received, analyzing the SYN message to obtain a source IP address of the SYN message;
searching a pre-stored blacklist according to the source IP address, if the source IP address is searched from the blacklist, determining that a client corresponding to the SYN message is an illegal client, and discarding the SYN message;
and if the source IP address is not found in the blacklist, determining whether the target server is attacked by SYN Flood.
In a possible embodiment, before the determining a target authentication mode based on the first accumulated requested connection amount to authenticate the client corresponding to the SYN message by using the target authentication mode, the method further includes:
searching a pre-stored white list according to the source IP address, if the source IP address is searched from the white list, determining that the client corresponding to the SYN message is a legal client, and releasing the SYN message;
and if the source IP address is not found in the white list, executing the step of determining a target authentication mode based on the first accumulated requested connection amount so as to authenticate the client corresponding to the SYN message by adopting the target authentication mode.
In one possible embodiment, the method further comprises:
if the authentication result shows that the client is an illegal client, updating the blacklist according to the source IP address;
and if the authentication result shows that the client is a legal client, updating the white list according to the source IP address.
In one possible embodiment, the first authentication mechanism comprises: a packet loss retransmission authentication mechanism;
the second authentication mechanism comprises: syn-cookie authentication mechanism or source authentication mechanism.
In a second aspect, an embodiment of the present invention provides a device for protecting against a SYN Flood attack, including:
the first counting module is used for counting, when a SYN message requesting connection to a target server is received and the target server is determined to be attacked by SYN Flood, a first accumulated requested connection amount of the target server up to the current time in the current protection period;
the authentication module is used for determining a target authentication mode based on the first accumulated requested connection quantity so as to authenticate the client corresponding to the SYN message by adopting the target authentication mode;
the processing module is used for discarding the SYN message if the authentication result shows that the client is an illegal client; and if the authentication result shows that the client is a legal client, releasing the SYN message.
In one possible embodiment, the device further comprises:
a second counting module, configured to count, in a preset counting period, a second accumulated requested connection amount of the target server in the preset counting period when a SYN packet requesting connection to the target server is received;
a recording module, configured to determine that the target server is attacked by SYN Flood when it is determined that the second accumulated requested connection amount reaches a first set threshold, and record a flag for identifying that the target server is attacked by SYN Flood in a set storage medium;
a deleting module, configured to delete the flag recorded in the set storage medium if the flag is recorded in the set storage medium when it is determined that the second accumulated requested connection amount does not reach the first set threshold;
the first counting module includes:
a first determining submodule configured to determine that the target server is attacked by the SYN Flood when it is determined that the flag is recorded in the set storage medium.
In one possible embodiment, the authentication module comprises:
the judgment submodule is used for judging whether the first accumulated requested connection amount reaches a second set threshold value;
a first processing sub-module, configured to authenticate a client corresponding to the SYN message by using a first authentication mechanism if the first accumulated requested connection amount reaches a second set threshold, so as to obtain a first authentication result;
a second determining submodule, configured to determine that the client is an illegal client if the first authentication result indicates that the client is an illegal client;
the second processing submodule is used for continuing to adopt a second authentication mechanism to authenticate the client side to obtain a second authentication result if the first authentication result shows that the client side is a legal client side;
the second determining sub-module is further configured to determine that the client is an illegal client if the second authentication result indicates that the client is an illegal client; and if the second authentication result shows that the client is a legal client, determining that the client is a legal client.
In one possible implementation, the second processing sub-module is further configured to:
if the first accumulated requested connection quantity does not reach the second set threshold, authenticating the client by adopting the second authentication mechanism to obtain a third authentication result;
the second determining sub-module is further configured to determine that the client is an illegal client if the third authentication result indicates that the client is an illegal client; and if the third authentication result shows that the client is a legal client, determining that the client is a legal client.
In one possible embodiment, the device further comprises:
the analysis module is used for analyzing the SYN message when receiving the SYN message requesting connection to the target server to obtain the source IP address of the SYN message;
the first searching module is used for searching a pre-stored blacklist according to the source IP address;
the processing module is further configured to: if the source IP address is found from the blacklist, determining that the client corresponding to the SYN message is an illegal client, and discarding the SYN message;
and the determining module is used for determining whether the target server is attacked by the SYN Flood if the source IP address is not found in the blacklist.
In one possible embodiment, the device further comprises:
the second searching module is used for searching a pre-stored white list according to the source IP address;
the processing module is further configured to: if the source IP address is found from the white list, determining that the client corresponding to the SYN message is a legal client, and releasing the SYN message;
the authentication module is configured to: if the source IP address is not found in the white list, execute the step of determining a target authentication mode based on the first accumulated requested connection amount so as to authenticate the client corresponding to the SYN message by adopting the target authentication mode.
In one possible embodiment, the device further comprises:
the updating module is used for updating the blacklist according to the source IP address if the authentication result shows that the client is an illegal client; and if the authentication result shows that the client is a legal client, updating the white list according to the source IP address.
In one possible embodiment, the first authentication mechanism comprises: a packet loss retransmission authentication mechanism;
the second authentication mechanism comprises: syn-cookie authentication mechanism or source authentication mechanism.
In a third aspect, an embodiment of the present invention provides an electronic device, including: a processor and a memory, wherein the processor is configured to execute a protection program for SYN Flood attack stored in the memory, so as to implement the method for protecting against SYN Flood attack according to any one of the first aspects.
In a fourth aspect, an embodiment of the present invention provides a storage medium, where one or more programs are stored, and the one or more programs are executable by one or more processors to implement the method for protecting against a SYN Flood attack according to any one of the first aspects.
According to the technical scheme provided by the embodiment of the invention, when a SYN message requesting connection to a target server is received, if the target server is determined to be attacked by SYN Flood, the first accumulated requested connection amount of the target server up to the current moment in the current protection period is counted, and a target authentication mode is determined based on the first accumulated requested connection amount to authenticate the client corresponding to the SYN message. An authentication mode that matches the current actual scenario can thus be selected dynamically according to the number of attack messages, so that authentication accuracy is ensured, protection pressure is reduced, downlink network congestion is avoided, the service quality of normal services is not affected, and user requirements are comprehensively met.
Drawings
Fig. 1 is a schematic view of an application scenario of a method for protecting against SYN Flood attack according to an embodiment of the present invention;
Fig. 2 is a flowchart of an embodiment of a method for protecting against a SYN Flood attack according to an embodiment of the present invention;
Fig. 3 is a flowchart illustrating another exemplary method for defending against a SYN Flood attack according to an embodiment of the present invention;
Fig. 4 is a block diagram of an embodiment of a device for protecting against a SYN Flood attack according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
An application scenario of the method for protecting against SYN Flood attack according to the embodiment of the present invention is first described below:
Referring to Fig. 1, an application scenario diagram of the method for protecting against SYN Flood attack according to the embodiment of the present invention is shown. Fig. 1 includes a client 11, a DDoS (Distributed Denial of Service) protection system 12, and a server 13.
In an application, no matter what role the client 11 is in, the client 11 can request to establish a TCP connection with the server 13, where the client 11 can be a valid client or a puppet machine controlled by an attacker, that is, an illegal client.
In the TCP protocol, the process of the client 11 establishing a TCP connection with the server 13 includes the following steps: firstly, the client 11 sends a TCP message containing a SYN flag to the server 13, namely a SYN message requesting connection to the server 13; secondly, the server 13 returns a SYN+ACK message to the client 11, which indicates that the connection request of the client 11 is accepted; thirdly, the client 11 returns an ACK acknowledgement message to the server 13, at which point the client 11 has established a TCP connection with the server 13. The above TCP connection process is referred to as a "three-way handshake" in the TCP protocol.
Further, if the server 13 returns the SYN + ACK message to the client 11 and waits for a period of time, and does not receive the ACK acknowledgement message returned by the client 11, the server 13 may return the SYN + ACK message to the client 11 again, and if the ACK acknowledgement message returned by the client 11 is not received after waiting for a period of time, the server 13 discards the SYN message received in the first step, that is, discards an incomplete TCP connection (hereinafter referred to as a half connection) with the client 11. In the TCP protocol, the time from when the server receives the SYN message to when the SYN message is discarded is referred to as SYN Timeout, which is typically on the order of minutes, approximately 30 seconds to 2 minutes.
Based on the above description, if the client 11 is an illegal client and sends a large number of SYN messages to the server 13 under the control of an attacker, the server 13 needs to maintain a very large half-connection list and continuously retries SYN+ACK for the IP addresses in that list, which consumes a large amount of the memory and computing resources of the server 13. In severe cases, the server 13 is so busy processing SYN messages sent by illegal clients that it neglects SYN messages sent by legal clients, and from the perspective of normal clients the server 13 stops responding. In the TCP protocol, this situation is referred to as a SYN Flood attack on the server 13.
In order to defend against SYN Flood attacks, as shown in fig. 1, a DDoS protection system 12 is arranged on a communication link between a client 11 and a server 13, so that the DDoS protection system 12 authenticates the client 11, and when an authentication result indicates that the client 11 is legitimate, a SYN message sent by the client 11 to the server 13 is released to the server 13.
It should be noted that, in an application, the DDoS protection system 12 may be composed of a single electronic device or multiple electronic devices, and only a single electronic device is illustrated in fig. 1 as an example.
As an embodiment, in the application scenario shown in fig. 1, the DDoS protection system 12 may implement authentication on the client by using the protection method for SYN Flood attack provided by the present invention, so as to implement defense against SYN Flood attack.
The following describes the method for protecting against SYN Flood attack according to an embodiment of the present invention with reference to the drawings; the embodiments described do not limit the embodiments of the present invention.
Referring to fig. 2, a flowchart of an embodiment of a method for protecting against a SYN Flood attack according to an embodiment of the present invention is provided. As one example, the method may be applied to an electronic device, which in one example is the protection system 12 illustrated in FIG. 1. As shown in fig. 2, the method may include the steps of:
Step 201, when receiving a SYN message requesting connection to a target server, if it is determined that the target server is attacked by SYN Flood, counting a first accumulated requested connection amount of the target server up to the current time in the current protection period.
The target server refers to a server to which SYN Flood attack protection is required, such as the server 13 illustrated in fig. 1.
In application, when determining that the target server is attacked by SYN Flood, the SYN Flood attack protection on the target server can be started, in other words, when receiving the SYN message requesting connection to the target server, if determining that the target server is attacked by SYN Flood, the method for protecting against the SYN Flood attack provided by the present invention can be executed.
As an embodiment, whether the target server is attacked by SYN Flood may be determined according to the number of SYN messages received per unit time requesting connection to the target server, and it may be understood that if the number of SYN messages received per unit time requesting connection to the target server exceeds a normal range, it means that the target server is likely attacked by SYN Flood, and if the number of SYN messages received per unit time requesting connection to the target server is within the normal range, it means that the target server is not attacked by SYN Flood.
Based on this, the electronic device may periodically (for example, every 5 seconds) count the number of received SYN messages requesting connection to the target server within a preset statistical period (for example, within 1 second), that is, count the accumulated requested connection amount (hereinafter, referred to as a second accumulated requested connection amount for convenience of description) of the target server within the preset statistical period. When it is determined that the second accumulated requested connection amount reaches a set threshold (hereinafter referred to as a first set threshold for descriptive convenience), it is determined that the target server is attacked by the SYN Flood, whereas when it is determined that the second accumulated requested connection amount does not reach the first set threshold, it is determined that the target server is not attacked by the SYN Flood. The first set threshold value can be dynamically set by the user according to the actual service requirement.
Further, in this embodiment, when the electronic device first determines that the target server is attacked by the SYN Flood, a protection period is opened until the electronic device determines that the target server is not attacked by the SYN Flood, and the protection period is ended; subsequently, when the electronic device determines that the target server is attacked by the SYN Flood again, a protection period is started again until the electronic device determines that the target server is not attacked by the SYN Flood again, and the protection period is ended.
For example, if it is assumed that the second accumulated requested connection amount of the target server in the preset statistical period reaches the first set threshold in 0 to 1 second, a protection period is started in 1 st second, and then, if it is assumed that the second accumulated requested connection amount of the target server in the preset statistical period does not reach the first set threshold in 6 to 7 seconds, the protection period is ended in 7 th second, that is, the start time of the protection period is 1 st second, and the end time is 7 th second.
As one embodiment, when it is determined that the target server is attacked by SYN Flood, the electronic device may record, in a set storage medium (e.g., a local cache), a flag for identifying that the target server is attacked by SYN Flood; when it is determined that the target server is not attacked by SYN Flood, the flag is deleted from the set storage medium if it is recorded there.
Based on this, in step 201, whether the target server is attacked by SYN Flood can be determined by checking whether the flag is recorded in the set storage medium. When the flag is determined to be recorded in the set storage medium, it is determined that the target server is attacked by the SYN Flood; when it is determined that the flag is not recorded in the set storage medium, it is determined that the target server is not attacked by the SYN Flood.
As can be seen from the description in step 201, in the embodiment of the present invention, when receiving the SYN message requesting connection to the target server, if it is determined that the target server is attacked by the SYN Flood, the accumulated requested connection amount (hereinafter referred to as a first accumulated requested connection amount for convenience of description) of the target server up to the current time in the current protection period is counted. The first accumulated requested connection amount is the number of SYN messages requesting connection to the target server that the electronic device has received up to the current moment in the current protection period. Based on this, counting the first accumulated requested connection amount of the target server up to the current time in the current protection period includes: increasing the current first accumulated requested connection amount by 1. It will be appreciated that the initial value of the first accumulated requested connection amount is 0, and that the first accumulated requested connection amount is reset to 0 each time a protection period ends.
Step 202, determining a target authentication mode based on the first accumulated requested connection amount, and authenticating the client corresponding to the SYN message by adopting the target authentication mode.
Step 203, if the authentication result shows that the client is an illegal client, discarding the SYN message; and if the authentication result shows that the client is a legal client, the SYN message is released.
Steps 202 to 203 are explained in a unified manner as follows:
As can be seen from the description in step 202, in the embodiment of the present invention, instead of using a single fixed authentication mode to authenticate the client, a target authentication mode is determined based on the first accumulated requested connection amount, and the client is authenticated using the target authentication mode. Therefore, the authentication mode can be flexibly applied according to the actual service scenario so as to comprehensively meet the user requirements.
Specifically, as an embodiment, it may be determined whether the first accumulated requested connection amount reaches a set threshold (for convenience of description, hereinafter referred to as a second set threshold). If so, the number of current attack messages can be considered large. In this case, a simple and efficient first authentication mechanism may first be adopted to authenticate the client corresponding to the received SYN message, to obtain an authentication result (for convenience of description, hereinafter referred to as a first authentication result). If the first authentication result indicates that the client is an illegal client, the client is directly determined to be an illegal client, and the SYN message sent by the client is discarded.
Optionally, the first authentication mechanism includes a packet loss retransmission authentication mechanism.
It can be understood that, because the first authentication mechanism is simple and efficient, authenticating the client corresponding to the received SYN packet with it filters out most attack packets simply and efficiently when the number of attack packets is large.
Further, although the first authentication mechanism is simple and efficient, its authentication accuracy is low. Therefore, if the first authentication result indicates that the client is a legal client, the client is not directly determined to be a legal client and the SYN message it sent is not released at this point. Instead, the second authentication mechanism, which has high authentication accuracy, is used to authenticate the client again and obtain an authentication result (hereinafter referred to as the second authentication result for convenience of description). If the second authentication result indicates that the client is an illegal client, the client is determined to be an illegal client, and the SYN message sent by the client is discarded; if the second authentication result indicates that the client is a legal client, the client is determined to be a legal client, and the SYN message sent by the client is released.
Optionally, the second authentication mechanism includes: syn-cookie authentication mechanism or source authentication mechanism.
Therefore, under the condition that the number of attack messages is large, the first authentication mechanism is adopted to authenticate the client, most attack messages can be filtered simply and efficiently, the protection pressure can be reduced, the downlink network congestion is avoided, and the service quality of normal services is further prevented from being influenced. Further, when the first authentication result shows that the client is a legal client, the client is continuously authenticated again by adopting a second authentication mechanism with higher authentication accuracy, and a final authentication result is determined according to the second authentication result, so that the authentication accuracy can be ensured, and the attack message is prevented from being missed.
If the first accumulated requested connection amount is judged not to reach the second set threshold, the number of attack messages can be considered small. In this case, the second authentication mechanism with higher authentication accuracy can be adopted directly to authenticate the client corresponding to the received SYN message and obtain an authentication result (hereinafter referred to as the third authentication result for convenience of description); if the third authentication result indicates that the client is a legal client, the client can be directly determined to be a legal client, and the SYN message sent by the client is released.
According to the technical scheme provided by the embodiment of the invention, when a SYN message requesting connection to a target server is received and the target server is determined to be attacked by SYN Flood, the first accumulated requested connection amount of the target server up to the current moment in the current protection period is counted, and a target authentication mode is determined based on the first accumulated requested connection amount so as to authenticate the client corresponding to the SYN message by adopting the target authentication mode. In this way, an authentication mode that fits the current actual scenario can be selected dynamically according to the quantity of attack messages, so that authentication accuracy is ensured, protection pressure is reduced, downlink network congestion is avoided, the service quality of normal services is not affected, and user requirements are comprehensively met.
As an embodiment, in the flow shown in fig. 2, if the final authentication result indicates that the client is a valid client, the IP address of the client may be recorded in a white list, so that when the electronic device receives a SYN message requesting connection to the target server, if it is determined that the target server is attacked by SYN Flood, it may first be determined whether the IP address of the client corresponding to the SYN message is in the white list, if so, it may be directly determined that the client is a valid client, and further the SYN message is released, and if not, the above steps 202 to 203 may be further performed. The processing can further save the resources of the electronic equipment and improve the efficiency of the electronic equipment for protecting the SYN Flood attack.
If the final authentication result indicates that the client is an illegal client, the IP address of the client can be recorded in the blacklist, so that when the electronic device receives the SYN message requesting connection to the target server, whether the IP address of the client corresponding to the SYN message is in the blacklist can be determined first, if so, the client can be directly determined to be the illegal client, and then the SYN message is discarded, and if not, the steps 201 to 203 can be further executed. The processing can further save the resources of the electronic equipment and improve the efficiency of the electronic equipment for protecting the SYN Flood attack.
This embodiment is explained below by the flow shown in fig. 3 on the basis of the flow shown in fig. 2:
Referring to fig. 3, a flowchart of another embodiment of a method for protecting against a SYN Flood attack according to an embodiment of the present invention is shown. As shown in fig. 3, the method may include the following steps:
Step 301, when receiving a SYN packet requesting connection to a target server, counting a first accumulated requested connection amount of the target server until the current time in a current protection period.
Step 302, analyzing the SYN message to obtain the source IP address of the SYN message.
It will be appreciated that the source IP address of the SYN message is the IP address of the client that sent the SYN message.
Step 303, searching a pre-stored blacklist according to the source IP address, if the source IP address is found from the blacklist, executing step 309, and if the source IP address is not found from the blacklist, executing step 304.
Step 304, determining whether the target server is attacked by the SYN Flood, if so, executing step 305; if not, the SYN message is released.
Step 305, searching a pre-stored white list according to the source IP address, if the source IP address is found from the white list, executing step 310, and if the source IP address is not found from the white list, executing step 306.
Step 306, judging whether the first accumulated requested connection amount reaches a first set threshold, if so, executing step 307; if not, go to step 308.
Step 307, authenticating the client corresponding to the SYN message by adopting a first authentication mechanism to obtain a first authentication result, and if the first authentication result indicates that the client is an illegal client, executing step 309; if the first authentication result indicates that the client is a legal client, executing step 308.
Step 308, authenticating the client by using a second authentication mechanism to obtain a second authentication result, and if the second authentication result indicates that the client is an illegal client, executing step 309; if the second authentication result indicates that the client is a legal client, executing step 310.
Step 309, determining the client as an illegal client, discarding the SYN packet, and updating the blacklist according to the source IP address.
Step 310, determining the client as a valid client, passing the SYN packet through, and updating a white list according to the source IP address.
The following describes steps 301 to 310 collectively:
The white list records the IP addresses of legal clients, and the blacklist records the IP addresses of illegal clients.
Based on this, as an embodiment, when a SYN packet requesting connection to a target server is received, the SYN packet is first analyzed to obtain its source IP address, and the blacklist is then searched according to the source IP address analyzed in step 302. If the source IP address is found in the blacklist, the client corresponding to the source IP address is directly determined to be an illegal client, and the SYN packet sent by the client is discarded; if the source IP address is not found in the blacklist, the client corresponding to the source IP address is authenticated through steps 303 to 308.
In addition, as can be seen from the description in step 309, after the client is determined to be an illegal client, the IP address of the client may be recorded in the blacklist, and thus, after the electronic device receives the SYN message sent by the client again, the electronic device may directly determine that the client is an illegal client by searching the IP address of the client in the blacklist without performing subsequent steps, which may save resources of the electronic device and improve the efficiency of the electronic device in protecting against SYN Flood attacks.
When it is determined that the target server is attacked by the SYN Flood, in step 305 the white list is searched according to the source IP address analyzed in step 301. If the source IP address is found in the white list, the client corresponding to the source IP address is determined to be a valid client, and the SYN message sent by the client is released; if the source IP address is not found in the white list, the client corresponding to the source IP address is authenticated through steps 304 to 306. For the specific authentication process, reference may be made to the related description in the embodiment shown in fig. 2, which is not repeated here.
In addition, as can be seen from the description in step 310, after the client is determined to be a valid client, the IP address of the client may be recorded in the white list, so that after the electronic device receives the SYN packet sent by the client again, the client may be directly determined to be a valid client by searching the IP address of the client in the white list, and the authentication process described in steps 304 to 306 is not required to be performed again, which may save resources of the electronic device and improve the efficiency of the electronic device in protecting against SYN Flood attacks.
In addition, as an embodiment, an effective duration may be set for IP addresses in the white/black list: once an IP address has been in the white/black list for the effective duration, counted from the time it was recorded, the IP address may be deleted from the list. The white/black list can thus be adjusted dynamically according to the actual scenario, which prevents attack messages from being missed and normal messages from being wrongly identified as attack messages.
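The decision flow of steps 301 to 310, together with the list expiry described above, can be traced with the following added Python example, which is not code from the patent. The class and function names, the threshold and period values, the stubbed authentication mechanisms and the point at which the attack flag is deleted are all assumptions of the example.

```python
from typing import Callable, Dict

PASS, DROP = "pass", "drop"


class ExpiringList:
    """White/black list whose entries lapse after `ttl` seconds (the effective duration)."""
    def __init__(self, ttl: float):
        self.ttl = ttl
        self._recorded: Dict[str, float] = {}

    def contains(self, ip: str, now: float) -> bool:
        recorded = self._recorded.get(ip)
        if recorded is None:
            return False
        if now - recorded >= self.ttl:       # effective duration reached: delete entry
            del self._recorded[ip]
            return False
        return True

    def add(self, ip: str, now: float) -> None:
        if not self.contains(ip, now):       # a live entry keeps its recording time
            self._recorded[ip] = now


class SynFloodGuard:
    """Per-target-server decision logic for steps 301 to 310 (hypothetical names)."""
    def __init__(self, first_auth: Callable[[str], bool], second_auth: Callable[[str], bool],
                 attack_threshold, auth_threshold, stat_period, guard_period, list_ttl):
        self.first_auth, self.second_auth = first_auth, second_auth  # cheap / accurate
        self.attack_threshold = attack_threshold   # "first set threshold"
        self.auth_threshold = auth_threshold       # "second set threshold"
        self.stat_period, self.guard_period = stat_period, guard_period
        self.blacklist, self.whitelist = ExpiringList(list_ttl), ExpiringList(list_ttl)
        self.under_attack = False                  # the recorded attack flag
        self.stat_start = self.guard_start = 0.0
        self.stat_count = self.guard_count = 0     # second / first accumulated amounts

    def _roll_periods(self, now: float) -> None:
        if now - self.stat_start >= self.stat_period:
            # Assumption: the flag is deleted when a statistics period closes below
            # the threshold, or when at least one whole period passed with no SYN.
            quiet = now - self.stat_start >= 2 * self.stat_period
            if quiet or self.stat_count < self.attack_threshold:
                self.under_attack = False
            self.stat_start, self.stat_count = now, 0
        if now - self.guard_start >= self.guard_period:
            self.guard_start, self.guard_count = now, 0

    def _reject(self, ip: str, now: float) -> str:           # step 309
        self.blacklist.add(ip, now)
        return DROP

    def _accept(self, ip: str, now: float) -> str:           # step 310
        self.whitelist.add(ip, now)
        return PASS

    def handle_syn(self, src_ip: str, now: float) -> str:
        self._roll_periods(now)
        self.stat_count += 1
        self.guard_count += 1                                # step 301
        if self.stat_count >= self.attack_threshold:
            self.under_attack = True
        if self.blacklist.contains(src_ip, now):             # step 303
            return self._reject(src_ip, now)
        if not self.under_attack:                            # step 304
            return PASS
        if self.whitelist.contains(src_ip, now):             # step 305
            return self._accept(src_ip, now)
        if self.guard_count >= self.auth_threshold:          # step 306
            if not self.first_auth(src_ip):                  # step 307
                return self._reject(src_ip, now)
        if not self.second_auth(src_ip):                     # step 308
            return self._reject(src_ip, now)
        return self._accept(src_ip, now)


def run_demo() -> dict:
    calls = {"first": 0, "second": 0}
    def stub(kind: str) -> Callable[[str], bool]:
        def check(ip: str) -> bool:
            calls[kind] += 1
            return ip.startswith("192.0.2.")   # constructed: only these hosts pass
        return check
    guard = SynFloodGuard(stub("first"), stub("second"), attack_threshold=5,
                          auth_threshold=8, stat_period=10, guard_period=10, list_ttl=30)
    events = [  # constructed (time, source IP) pairs from documentation address ranges
        (0, "192.0.2.10"), (1, "198.51.100.1"), (1, "198.51.100.2"), (1, "198.51.100.3"),
        (1, "198.51.100.4"), (2, "192.0.2.10"), (2, "198.51.100.5"), (2, "198.51.100.6"),
        (3, "192.0.2.11"), (3, "192.0.2.10"), (3, "198.51.100.4"), (40, "198.51.100.4"),
    ]
    verdicts = [guard.handle_syn(ip, t) for t, ip in events]
    return {"verdicts": verdicts, "first_auth_calls": calls["first"],
            "second_auth_calls": calls["second"]}


if __name__ == "__main__":
    print(run_demo())
```

The last event shows the effect of the effective duration: the blacklisted address is admitted again once its entry has lapsed and the attack flag has been deleted, so a value that is too short readmits flood sources and one that is too long keeps blocking an address after it has been reassigned.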
Corresponding to the foregoing embodiments of the method for protecting against SYN Flood attacks, the present invention further provides embodiments of a device for protecting against SYN Flood attacks.
Referring to fig. 4, a block diagram of an embodiment of a device for protecting against a SYN Flood attack is provided according to an embodiment of the present invention. As shown in fig. 4, the apparatus includes:
a first counting module 41, configured to, when receiving a SYN message requesting connection to a target server, count a first accumulated requested connection amount that is up to a current time within a current protection period of the target server if it is determined that the target server is attacked by a SYN Flood;
an authentication module 42, configured to determine a target authentication manner based on the first accumulated requested connection amount, and authenticate a client corresponding to the SYN packet in the target authentication manner;
a processing module 43, configured to discard the SYN packet if the authentication result indicates that the client is an illegal client; and if the authentication result shows that the client is a legal client, releasing the SYN message.
In a possible embodiment, it also comprises (not shown in fig. 4):
a second counting module, configured to count, in a preset counting period, a second accumulated requested connection amount of the target server in the preset counting period when a SYN packet requesting connection to the target server is received;
a recording module, configured to determine that the target server is attacked by SYN Flood when it is determined that the second accumulated requested connection amount reaches a first set threshold, and record a flag for identifying that the target server is attacked by SYN Flood in a set storage medium;
a deleting module, configured to delete the flag recorded in the setting storage medium if the flag is recorded in the setting storage medium when it is determined that the second accumulated requested connection amount does not reach the first setting threshold;
the first statistical module 41 comprises (not shown in fig. 4):
a first determining submodule configured to determine that the target server is attacked by the SYN Flood when it is determined that the flag is recorded in the setting storage medium.
In one possible embodiment, the authentication module 42 comprises (not shown in fig. 4):
the judgment submodule is used for judging whether the first accumulated requested connection amount reaches a second set threshold value;
a first processing sub-module, configured to authenticate a client corresponding to the SYN message by using a first authentication mechanism if the first accumulated requested connection amount reaches a second set threshold, so as to obtain a first authentication result;
a second determining submodule, configured to determine that the client is an illegal client if the first authentication result indicates that the client is an illegal client;
the second determining submodule is used for continuing to adopt a second authentication mechanism to authenticate the client side to obtain a second authentication result if the first authentication result shows that the client side is a legal client side;
the second determining sub-module is further configured to determine that the client is an illegal client if the second authentication result indicates that the client is an illegal client; and if the second authentication result shows that the client is a legal client, determining that the client is a legal client.
In a possible implementation, the second processing sub-module is further configured to:
if the first accumulated requested connection quantity does not reach the second set threshold, authenticating the client by adopting the second authentication mechanism to obtain a third authentication result;
the second determining submodule is further used for determining that the client is an illegal client if the third authentication result shows that the client is an illegal client; and if the third authentication result shows that the client is a legal client, determining that the client is a legal client.
In a possible embodiment, it also comprises (not shown in fig. 4):
the analysis module is used for analyzing the SYN message when receiving the SYN message requesting connection to the target server to obtain the source IP address of the SYN message;
the first searching module is used for searching a pre-stored blacklist according to the source IP address;
the processing module is further configured to: if the source IP address is found from the blacklist, determining that the client corresponding to the SYN message is an illegal client, and discarding the SYN message;
and the determining module is used for determining whether the target server is attacked by the SYN Flood if the source IP address is not found in the blacklist.
In one possible embodiment, the method further comprises:
the second searching module is used for searching a pre-stored white list according to the source IP address;
the processing module 43 is further configured to: if the source IP address is found from the white list, determining that the client corresponding to the SYN message is a legal client, and releasing the SYN message;
the authentication module 42 is configured to: and if the source IP address is not found in the white list, executing the step of determining a target authentication mode based on the first accumulated requested connection amount so as to authenticate the client corresponding to the SYN message by adopting the target authentication mode.
In a possible embodiment, it also comprises (not shown in fig. 4):
the updating module is used for updating the blacklist according to the source IP address if the authentication result shows that the client is an illegal client; and if the authentication result shows that the client is a legal client, updating the white list according to the source IP address.
In one possible embodiment, the first authentication mechanism comprises: a packet loss retransmission authentication mechanism;
the second authentication mechanism comprises: syn-cookie authentication mechanism or source authentication mechanism.
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention, where the electronic device 500 shown in fig. 5 includes: at least one processor 501, memory 502, at least one network interface 504, and other user interfaces 503. The various components in the electronic device 500 are coupled together by a bus system 505. It is understood that the bus system 505 is used to enable connection communications between these components. The bus system 505 includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are labeled as bus system 505 in FIG. 5.
The user interface 503 may include, among other things, a display, a keyboard, or a pointing device (e.g., a mouse, trackball, touch pad, or touch screen).
It is to be understood that the memory 502 in embodiments of the present invention may be either volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (erasable PROM, EPROM), an electrically erasable programmable read-only memory (EEPROM), or a flash memory. The volatile memory may be a random access memory (RAM), which functions as an external cache. By way of example, but not limitation, many forms of RAM are available, such as static random access memory (static RAM, SRAM), dynamic random access memory (dynamic RAM, DRAM), synchronous dynamic random access memory (synchronous DRAM, SDRAM), double data rate synchronous dynamic random access memory (DDR SDRAM), enhanced synchronous DRAM (ESDRAM), synchronous link DRAM (SLDRAM), and direct Rambus RAM (DRRAM). The memory 502 described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
In some embodiments, memory 502 stores elements, executable units or data structures, or a subset thereof, or an expanded set thereof as follows: an operating system 5021 and application programs 5022.
The operating system 5021 includes various system programs, such as a framework layer, a core library layer, a driver layer, and the like, and is used for implementing various basic services and processing hardware-based tasks. The application 5022 includes various applications, such as a media player (MediaPlayer), a Browser (Browser), and the like, for implementing various application services. The program for implementing the method according to the embodiment of the present invention may be included in the application program 5022.
In the embodiment of the present invention, by calling a program or an instruction stored in the memory 502, specifically, a program or an instruction stored in the application 5022, the processor 501 is configured to execute the method steps provided by the method embodiments, for example, including:
when a SYN message for requesting connection to a target server is received, if the target server is determined to be attacked by SYN Flood, counting a first accumulated requested connection amount of the target server in a current protection period;
determining a target authentication mode based on the first accumulated requested connection amount so as to authenticate the client corresponding to the SYN message by adopting the target authentication mode;
if the authentication result shows that the client is an illegal client, discarding the SYN message; and if the authentication result shows that the client is a legal client, releasing the SYN message.
The method disclosed by the above-mentioned embodiments of the present invention may be applied to the processor 501, or implemented by the processor 501. The processor 501 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 501. The processor 501 may be a general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, or discrete hardware components. It may implement or perform the various methods, steps and logic blocks disclosed in the embodiments of the present invention. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software elements in the decoding processor. The software elements may be located in RAM, flash memory, ROM, PROM or EPROM, registers, and other storage media that are well known in the art. The storage medium is located in the memory 502, and the processor 501 reads the information in the memory 502 and completes the steps of the method in combination with its hardware.
It is to be understood that the embodiments described herein may be implemented in hardware, software, firmware, middleware, microcode, or any combination thereof. For a hardware implementation, the processing units may be implemented within one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), general purpose processors, controllers, micro-controllers, microprocessors, other electronic units configured to perform the functions described herein, or a combination thereof.
For a software implementation, the techniques described herein may be implemented by means of units performing the functions described herein. The software codes may be stored in a memory and executed by a processor. The memory may be implemented within the processor or external to the processor.
The electronic device provided in this embodiment may be the electronic device shown in fig. 5 and may perform all the steps of the method for protecting against the SYN Flood attack shown in figs. 2 to 3, thereby achieving the technical effect of that method. For brevity, refer to the description of figs. 2 to 3; the details are not repeated here.
The embodiment of the invention also provides a storage medium (computer readable storage medium). The storage medium herein stores one or more programs. Among others, the storage medium may include volatile memory, such as random access memory; the memory may also include non-volatile memory, such as read-only memory, flash memory, a hard disk, or a solid state disk; the memory may also comprise a combination of memories of the kind described above.
When the one or more programs in the storage medium are executed by one or more processors, the method for protecting against the SYN Flood attack executed on the electronic device side is implemented.
The processor is used for executing a protection program of the SYN Flood attack stored in the memory so as to realize the following steps of the protection method of the SYN Flood attack executed on the electronic equipment side:
when a SYN message for requesting connection to a target server is received, if the target server is determined to be attacked by SYN Flood, counting a first accumulated requested connection amount of the target server in a current protection period;
determining a target authentication mode based on the first accumulated requested connection amount so as to authenticate the client corresponding to the SYN message by adopting the target authentication mode;
if the authentication result shows that the client is an illegal client, discarding the SYN message; and if the authentication result shows that the client is a legal client, releasing the SYN message.
Those of skill would further appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied in hardware, a software module executed by a processor, or a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (11)

1. A method for protecting against SYN Flood attacks, comprising:
when a SYN message for requesting connection to a target server is received, if the target server is determined to be attacked by SYN Flood, counting a first accumulated requested connection amount of the target server until the current time in a current protection period;
determining a target authentication mode based on the first accumulated requested connection amount so as to authenticate the client corresponding to the SYN message by adopting the target authentication mode;
if the authentication result shows that the client is an illegal client, discarding the SYN message; and if the authentication result shows that the client is a legal client, releasing the SYN message.
2. The method of claim 1, further comprising:
in a preset counting period, when a SYN message requesting connection to the target server is received, counting a second accumulated requested connection amount of the target server in the preset counting period;
when the second accumulated requested connection amount is determined to reach a first set threshold value, determining that the target server is attacked by SYN Flood, and recording a mark for identifying that the target server is attacked by SYN Flood in a set storage medium;
when the second accumulated requested connection amount is determined not to reach the first set threshold, if the mark is recorded in the set storage medium, deleting the mark recorded in the set storage medium;
the determining that the target server is attacked by the SYN Flood includes:
and when the flag is determined to be recorded in the setting storage medium, determining that the target server is attacked by the SYN Flood.
3. The method of claim 1, wherein the determining a target authentication method based on the first accumulated requested connection amount to authenticate the client corresponding to the SYN packet using the target authentication method comprises:
judging whether the first accumulated requested connection amount reaches a second set threshold value;
if so, authenticating the client corresponding to the SYN message by adopting a first authentication mechanism to obtain a first authentication result, and if the first authentication result indicates that the client is an illegal client, determining that the client is the illegal client;
if the first authentication result shows that the client is a legal client, continuing to authenticate the client by adopting a second authentication mechanism to obtain a second authentication result;
if the second authentication result indicates that the client is an illegal client, determining that the client is an illegal client; and if the second authentication result shows that the client is a legal client, determining that the client is a legal client.
4. The method of claim 3, further comprising:
if the first accumulated requested connection quantity does not reach the second set threshold, authenticating the client by adopting the second authentication mechanism to obtain a third authentication result;
if the third authentication result indicates that the client is an illegal client, determining that the client is an illegal client; and if the third authentication result shows that the client is a legal client, determining that the client is a legal client.
5. The method of claim 1, further comprising:
when a SYN message requesting connection to a target server is received, analyzing the SYN message to obtain a source IP address of the SYN message;
searching a pre-stored blacklist according to the source IP address, if the source IP address is searched from the blacklist, determining that a client corresponding to the SYN message is an illegal client, and discarding the SYN message;
and if the source IP address is not found in the blacklist, determining whether the target server is attacked by SYN Flood.
6. The method according to claim 5, further comprising, before said determining a target authentication method based on the first accumulated requested connection amount to authenticate the client corresponding to the SYN packet using the target authentication method:
searching a pre-stored white list according to the source IP address, and if the source IP address is found in the white list, determining that the client corresponding to the SYN message is a legal client and releasing the SYN message;
and if the source IP address is not found in the white list, executing the step of determining a target authentication mode based on the first accumulated requested connection amount so as to authenticate the client corresponding to the SYN message by adopting the target authentication mode.
7. The method of claim 6, further comprising:
if the authentication result shows that the client is an illegal client, updating the blacklist according to the source IP address;
and if the authentication result shows that the client is a legal client, updating the white list according to the source IP address.
8. The method of claim 3 or 4, wherein the first authentication mechanism comprises: a packet loss retransmission authentication mechanism;
the second authentication mechanism comprises: a SYN cookie authentication mechanism or a source authentication mechanism.
9. A SYN Flood attack protection device, comprising:
the first counting module is used for, when a SYN message requesting connection to a target server is received and the target server is determined to be under SYN Flood attack, counting a first accumulated requested connection amount of the target server within the current protection period up to the current moment;
the authentication module is used for determining a target authentication mode based on the first accumulated requested connection quantity so as to authenticate the client corresponding to the SYN message by adopting the target authentication mode;
the processing module is used for discarding the SYN message if the authentication result shows that the client is an illegal client; and if the authentication result shows that the client is a legal client, releasing the SYN message.
10. An electronic device, comprising: a processor and a memory, the processor being configured to execute a protection program for a SYN Flood attack stored in the memory to implement the method of protecting against a SYN Flood attack according to any one of claims 1 to 8.
11. A storage medium storing one or more programs executable by one or more processors to implement the method of protecting against a SYN Flood attack according to any one of claims 1 to 8.
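The decision flow of claims 3 to 8, as an added Python example that is not part of the patent text. The class name `SynGate`, the callables standing in for the two authentication mechanisms, the one-increment-per-SYN counter and the pass-through outside an attack are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable

Auth = Callable[[str], bool]  # returns True when the client passes the check

@dataclass
class SynGate:
    first_auth: Auth        # claim 8: packet loss retransmission check
    second_auth: Auth       # claim 8: SYN cookie or source authentication
    second_threshold: int   # the "second set threshold" of claim 3
    blacklist: set = field(default_factory=set)
    whitelist: set = field(default_factory=set)
    period_count: int = 0   # assumption: caller resets this each protection period
    calls: list = field(default_factory=list)  # mechanisms run, for inspection

    def _run(self, name: str, auth: Auth, ip: str) -> bool:
        self.calls.append(name)
        return auth(ip)

    def handle_syn(self, src_ip: str, under_attack: bool) -> str:
        # Claim 5: the blacklist lookup comes before anything else.
        if src_ip in self.blacklist:
            return "drop"
        # Assumption: outside an attack the SYN is released unauthenticated.
        if not under_attack:
            return "pass"
        # Assumption: the accumulated amount grows by one per SYN seen.
        self.period_count += 1
        # Claim 6: whitelisted sources skip authentication.
        if src_ip in self.whitelist:
            return "pass"
        # Claims 3 and 4: at or above the threshold run the first mechanism
        # and then the second; below it run only the second.
        legal = True
        if self.period_count >= self.second_threshold:
            legal = self._run("first", self.first_auth, src_ip)
        legal = legal and self._run("second", self.second_auth, src_ip)
        # Claim 7: record the verdict so later SYNs are settled by a lookup.
        (self.whitelist if legal else self.blacklist).add(src_ip)
        return "pass" if legal else "drop"

def demo() -> list:
    # Constructed verdict tables (documentation-range IPs), not real traffic.
    retransmits, answers_cookie = {"203.0.113.9"}, {"192.0.2.10"}
    gate = SynGate(lambda ip: ip in retransmits, lambda ip: ip in answers_cookie, 2)
    ips = ["192.0.2.10", "203.0.113.9", "203.0.113.9"]
    return [gate.handle_syn(ip, under_attack=True) for ip in ips]
```

A source that fails the first mechanism is never passed to the second, so under heavy load the cheaper check filters traffic before the second mechanism runs.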
CN202110005409.2A 2021-01-04 2021-01-04 SYN Flood attack protection method and device, electronic device and storage medium Pending CN112702358A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110005409.2A CN112702358A (en) 2021-01-04 2021-01-04 SYN Flood attack protection method and device, electronic device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110005409.2A CN112702358A (en) 2021-01-04 2021-01-04 SYN Flood attack protection method and device, electronic device and storage medium

Publications (1)

Publication Number Publication Date
CN112702358A true CN112702358A (en) 2021-04-23

Family

ID=75514573

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110005409.2A Pending CN112702358A (en) 2021-01-04 2021-01-04 SYN Flood attack protection method and device, electronic device and storage medium

Country Status (1)

Country Link
CN (1) CN112702358A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115314312A (en) * 2022-08-12 2022-11-08 北京知道创宇信息技术股份有限公司 Authentication server protection method and device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105827646A (en) * 2016-05-17 2016-08-03 浙江宇视科技有限公司 SYN attack protecting method and device
CN109639712A (en) * 2018-12-29 2019-04-16 北京神州绿盟信息安全科技股份有限公司 A kind of method and system for protecting DDOS attack
CN111212096A (en) * 2020-01-02 2020-05-29 杭州圆石网络安全技术有限公司 Method, device, storage medium and computer for reducing IDC defense cost
CN111970308A (en) * 2020-09-03 2020-11-20 杭州安恒信息技术股份有限公司 Method, device and equipment for protecting SYN Flood attack

Similar Documents

Publication Publication Date Title
US10097520B2 (en) Method and apparatus for causing delay in processing requests for internet resources received from client devices
US6816910B1 (en) Method and apparatus for limiting network connection resources
US9596262B2 (en) Determination of adaptive idle timeout
US9843590B1 (en) Method and apparatus for causing a delay in processing requests for internet resources received from client devices
US8321955B2 (en) Systems and methods for protecting against denial of service attacks
US8453208B2 (en) Network authentication method, method for client to request authentication, client, and device
US8661522B2 (en) Method and apparatus for probabilistic matching to authenticate hosts during distributed denial of service attack
US10333970B2 (en) Front-end protocol for server protection
US8769681B1 (en) Methods and system for DMA based distributed denial of service protection
US10218733B1 (en) System and method for detecting a malicious activity in a computing environment
Karig et al. Remote denial of service attacks and countermeasures
JP2004507978A (en) System and method for countering denial of service attacks on network nodes
WO2015078388A1 (en) Processing method and device for denial of service attacks
WO2020037781A1 (en) Anti-attack method and device for server
CN1630248A (en) SYN flooding attack defence method based on connection request authentication
WO2014048746A1 (en) Device, system and method for reducing attacks on dns
US11616796B2 (en) System and method to protect resource allocation in stateful connection managers
US9680950B1 (en) Method and apparatus for causing delay in processing requests for internet resources received from client devices
CN110198290B (en) Information processing method, equipment, device and storage medium
CN110798451A (en) Security authentication method and device
CN112702358A (en) SYN Flood attack protection method and device, electronic device and storage medium
CN114095224A (en) Message detection method and device, electronic equipment and storage medium
US20050182929A1 (en) Efficient hash table protection for data transport protocols
CN113242260A (en) Attack detection method and device, electronic equipment and storage medium
US7784096B2 (en) Outgoing connection attempt limiting to slow down spreading of viruses

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210423