CN114500021A - Attack detection method and device, electronic equipment and storage medium - Google Patents

Info

Publication number: CN114500021A
Authority: CN (China)
Prior art keywords: sequence number, client, number information, information, confirmation
Legal status: Granted (Active)
Application number: CN202210053231.3A
Other languages: Chinese (zh)
Other versions: CN114500021B (en)
Inventor: 陈善武, 杨旭
Current Assignee: Shenzhou Lvmeng Chengdu Technology Co ltd
Original Assignee: Shenzhou Lvmeng Chengdu Technology Co ltd
Application filed by Shenzhou Lvmeng Chengdu Technology Co ltd
Priority to CN202210053231.3A
Publication of CN114500021A
Application granted
Publication of CN114500021B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/12 Applying verification of the received information
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions

Abstract

The application discloses an attack detection method, an attack detection device, electronic equipment and a storage medium. The attack detection method comprises the following steps: when an ACK confirmation message sent by a client during a third handshake with the client in a TCP three-way handshake process is received, discarding the ACK confirmation message without initiating a TCP connection request to a target server, wherein the ACK confirmation message carries sequence number information and confirmation sequence number information; when a data request sent by the client is received, verifying the data request according to the sequence number information and the confirmation sequence number information to obtain a verification result; when the verification result is determined to be successful, initiating a TCP connection establishment request to the target server to establish a TCP connection, and sending the data request to the target server; and when the verification result is determined to be verification failure, directly discarding the data request.

Description

Attack detection method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to an attack detection method and apparatus, an electronic device, and a storage medium.
Background
The null connection attack is an attack in which an attacked client, after completing the three-way handshake with a target server to establish a TCP (Transmission Control Protocol) connection, does not send data or sends abnormal service data, so that connection resources stay occupied and are never released; when the resources of the target server are exhausted, the target server cannot respond to normal requests of clients.
At present, a security defense device or a reverse proxy server is generally arranged between a client and a target server, and the processing method of the security defense device or the reverse proxy server for a null connection attack is generally as follows: the client establishes a TCP connection after completing the three-way handshake with the security defense device or the reverse proxy server, and the data request sent by the client is then analyzed. However, the null connection attack belongs to application layer attacks, and can automatically complete the three-way handshake with the security defense device or the reverse proxy server and establish a TCP connection without sending data, or while sending abnormal service data, thereby occupying resources of the target server; when the resources of the target server are exhausted, the target server cannot respond to normal requests of clients.
Disclosure of Invention
In order to solve the problems that the existing processing method for the null connection attack occupies resources of a target server and cannot respond to a normal request of a client after the resources of the target server are exhausted, embodiments of the application provide an attack detection method and apparatus, an electronic device, and a storage medium.
In a first aspect, an embodiment of the present application provides an attack detection method implemented by a security defense device side (or a reverse proxy server side), including:
when an ACK confirmation message sent by a client during a third handshake with the client in a TCP three-way handshake process is received, discarding the ACK confirmation message without initiating a TCP connection request to a target server, wherein the ACK confirmation message carries sequence number information and confirmation sequence number information;
when a data request sent by the client is received, verifying the data request according to the sequence number information and the confirmation sequence number information to obtain a verification result;
when the verification result is determined to be successful, a TCP connection establishment request is sent to a target server to establish TCP connection, and the data request is sent to the target server; and when the verification result is determined to be verification failure, directly discarding the data request.
In one possible implementation, a TCP three-way handshake is made with the client by:
receiving a SYN synchronous message sent by a client, wherein the SYN message carries first sequence number information, first confirmation sequence number information and the client information, and the client information comprises IP information and port number information of the client;
performing hash calculation on the IP information, the port number information and the current timestamp information of the client to obtain a hash value, determining the hash value as second sequence number information, and returning a SYN-ACK response message carrying the second sequence number information and second confirmation sequence number information to the client;
and receiving the ACK confirmation message sent by the client.
In a possible implementation, the data request includes third sequence number information, third acknowledgement sequence number information, and requested data length information;
verifying the data request according to the sequence number information and the confirmation sequence number information to obtain a verification result specifically comprises:
checking whether the third sequence number is the same as the sequence number and checking whether the third acknowledgement sequence number is the same as the acknowledgement sequence number;
if the third sequence number is the same as the sequence number, the third confirmation sequence number is the same as the confirmation sequence number, and the data length information is not zero, determining that the verification is passed;
and if the third sequence number is different from the sequence number, the third confirmation sequence number is different from the confirmation sequence number, or the data length information is zero, determining that the verification fails.
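The handshake and first-data-request check described above, as an added Python example (not code from the patent). It assumes the hash is an HMAC-SHA256 keyed with a device secret and that the timestamp is coarsened to 64-second slots so the device can recompute the second sequence number without storing anything; all function names, the key, and the sample addresses are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

MASK32 = 0xFFFFFFFF               # TCP sequence numbers are 32-bit and wrap
SLOT_SECONDS = 64                 # assumption: timestamp coarsened to 64 s slots
SECRET = b"constructed-demo-key"  # assumption: keyed hash (the page allows any hash)


@dataclass(frozen=True)
class Segment:
    flags: str
    seq: int
    ack: int
    payload_len: int = 0


def second_sequence_number(ip: str, port: int, slot: int) -> int:
    """Y = hash(ip + port + timestamp), truncated to a 32-bit sequence number."""
    msg = ipaddress.ip_address(ip).packed + struct.pack("!Hq", port, slot)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def syn_ack(syn: Segment, ip: str, port: int, now: int) -> Segment:
    """Second handshake: SYN+ACK(seq = Y, ack = X + 1); the device stores nothing."""
    y = second_sequence_number(ip, port, now // SLOT_SECONDS)
    return Segment("SYN+ACK", y, (syn.seq + 1) & MASK32)


def client_ack(syn: Segment, reply: Segment) -> Segment:
    """Third handshake from the client: ACK(seq = X + 1, ack = Y + 1)."""
    return Segment("ACK", (syn.seq + 1) & MASK32, (reply.seq + 1) & MASK32)


def expected_acks(ip: str, port: int, now: int) -> set:
    """Y + 1 recomputed for the current and previous slot (tolerates rollover)."""
    slot = now // SLOT_SECONDS
    return {(second_sequence_number(ip, port, s) + 1) & MASK32
            for s in (slot, slot - 1)}


def check_data_request(req: Segment, ip: str, port: int, now: int,
                       ack: Optional[Segment] = None) -> str:
    """Apply the page's rule to the first data request after the handshake.

    The request must carry a non-zero length and the same sequence and
    acknowledgement numbers as the third-handshake ACK. Y + 1 is recomputed
    from the hash (assumption); the ACK's own values are compared only when
    the caller still holds them.
    """
    if req.payload_len == 0:
        return "drop: zero-length request"
    if req.ack not in expected_acks(ip, port, now):
        return "drop: acknowledgement number not derived for this client"
    if ack is not None and (req.seq, req.ack) != (ack.seq, ack.ack):
        return "drop: differs from third-handshake ACK"
    return "forward"


def run_demo() -> dict:
    ip, port, t0 = "192.0.2.10", 40000, 1_700_000_000  # constructed sample values
    syn = Segment("SYN", 0xFFFFFFFF, 0)                # X chosen at the wrap boundary
    ack = client_ack(syn, syn_ack(syn, ip, port, t0))  # the device drops this ACK
    good = Segment("PSH+ACK", ack.seq, ack.ack, 200)
    empty = Segment("PSH+ACK", ack.seq, ack.ack, 0)
    bad_seq = Segment("PSH+ACK", (ack.seq + 7) & MASK32, ack.ack, 200)
    bad_ack = Segment("PSH+ACK", ack.seq, (ack.ack + 1) & MASK32, 200)
    return {
        "normal": check_data_request(good, ip, port, t0 + 5, ack),
        "slot_rollover": check_data_request(good, ip, port, t0 + 70, ack),
        "zero_length": check_data_request(empty, ip, port, t0 + 5, ack),
        "wrong_seq": check_data_request(bad_seq, ip, port, t0 + 5, ack),
        "wrong_ack": check_data_request(bad_ack, ip, port, t0 + 5, ack),
        "stale": check_data_request(good, ip, port, t0 + 10 * SLOT_SECONDS, ack),
        "other_source": check_data_request(good, "192.0.2.11", port, t0 + 5, ack),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:14s} {verdict}")
```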
In a possible implementation manner, initiating a TCP connection establishment request to a target server to establish a TCP connection specifically includes:
sending a first SYN synchronous message to the target server;
and receiving a first SYN-ACK response message returned by the target server, establishing TCP connection with the target server, and establishing a connection table.
In a second aspect, an embodiment of the present application provides an attack detection apparatus implemented by a security defense device side (or a reverse proxy server side), including:
the device comprises a discarding unit and a sending unit, wherein the discarding unit is used for discarding an ACK (acknowledgement character) confirmation message when receiving the ACK confirmation message sent by a client in the third handshake with the client in the TCP three-way handshake process, and does not send a TCP connection request to a target server, and the ACK confirmation message carries sequence number information and confirmation sequence number information;
the verification unit is used for verifying the data request according to the sequence number information and the confirmation sequence number information when receiving the data request sent by the client, to obtain a verification result;
the processing unit is used for initiating a TCP connection establishment request to a target server to establish TCP connection when the verification result is determined to be successful, and sending the data request to the target server; and when the verification result is determined to be verification failure, directly discarding the data request.
In a possible implementation, the discarding unit is specifically configured to perform a TCP three-way handshake with the client by:
receiving a SYN synchronous message sent by a client, wherein the SYN message carries first sequence number information, first confirmation sequence number information and the client information, and the client information comprises IP information and port number information of the client;
performing hash calculation on the IP information, the port number information and the current timestamp information of the client to obtain a hash value, determining the hash value as second sequence number information, and returning a SYN-ACK response message carrying the second sequence number information and second confirmation sequence number information to the client;
and receiving the ACK confirmation message sent by the client.
In a possible implementation, the data request includes third sequence number information, third acknowledgement sequence number information, and requested data length information;
the verification unit is specifically configured to:
checking whether the third sequence number is the same as the sequence number and checking whether the third acknowledgement sequence number is the same as the acknowledgement sequence number;
if the third sequence number is the same as the sequence number, the third confirmation sequence number is the same as the confirmation sequence number, and the data length information is not zero, determining that the verification is passed;
and if the third sequence number is different from the sequence number, the third confirmation sequence number is different from the confirmation sequence number, or the data length information is zero, determining that the verification fails.
In a possible implementation, the processing unit is specifically configured to:
sending a first SYN synchronization message to the target server;
and receiving a first SYN-ACK response message returned by the target server, establishing TCP connection with the target server, and establishing a connection table.
In a third aspect, an embodiment of the present application provides an attack detection method implemented on a client side, including:
in the process of TCP three-way handshake with security defense equipment, sending an ACK (acknowledgement) message to the security defense equipment during the third-way handshake, wherein the ACK message carries sequence number information and acknowledgement sequence number information;
and sending a data request to the security defense equipment so that the security defense equipment verifies the data request according to the sequence number information and the confirmation sequence number information, and when the verification is determined to be successful, the security defense equipment sends a TCP connection establishment request to a target server to establish TCP connection, and sends the data request to the target server, and when the verification is determined to be failed, the data request is directly discarded.
In one possible embodiment, a TCP three-way handshake is made with the security defense device by:
sending a SYN synchronous message to the security defense device, wherein the SYN synchronous message carries first sequence number information, first confirmation sequence number information and client information, and the client information comprises IP information and port number information of the client;
receiving a SYN-ACK response message returned by the security defense device, wherein the SYN-ACK response message carries second sequence number information and second confirmation sequence number information, and the second sequence number information is a hash value obtained by performing hash calculation on IP information, port number information and current timestamp information of the client by the security defense device;
and sending the ACK message to the security defense equipment.
In a fourth aspect, an embodiment of the present application provides a client-side implemented attack detection apparatus, including:
the system comprises a first sending unit, a second sending unit and a third sending unit, wherein the first sending unit is used for sending an ACK (acknowledgement) message to the security defense equipment during the third handshake in the TCP three-way handshake process with the security defense equipment, and the ACK message carries sequence number information and acknowledgement sequence number information;
and the second sending unit is used for sending a data request to the security defense equipment so that the security defense equipment verifies the data request according to the sequence number information and the confirmation sequence number information, and when the verification is determined to be successful, the security defense equipment sends a TCP connection establishment request to a target server to establish TCP connection and sends the data request to the target server, and when the verification is determined to be failed, the data request is directly discarded.
As a possible implementation manner, the first sending unit is specifically configured to perform TCP three-way handshake with the security defense device by:
sending a SYN synchronous message to the security defense device, wherein the SYN synchronous message carries first sequence number information, first confirmation sequence number information and client information, and the client information comprises IP information and port number information of the client;
receiving a SYN-ACK response message returned by the security defense device, wherein the SYN-ACK response message carries second sequence number information and second confirmation sequence number information, and the second sequence number information is a hash value obtained by performing hash calculation on IP information, port number information and current timestamp information of the client by the security defense device;
and sending the ACK message to the security defense equipment.
In a fifth aspect, an embodiment of the present application provides an electronic device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the attack detection method described in the present application when executing the program.
In a sixth aspect, the present application provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in the attack detection method described in the present application.
The beneficial effects of the embodiment of the application are as follows:
In the attack detection method, the attack detection device, the electronic device and the storage medium provided by the embodiment of the application, when the security defense device (or the reverse proxy server) receives the ACK confirmation message sent by the client during the third handshake with the client in the TCP three-way handshake process, the ACK confirmation message is discarded and a TCP connection request is not initiated to the target server, wherein the ACK confirmation message carries the sequence number information and the confirmation sequence number information. When the data request sent by the client is received, the data request is checked according to the sequence number information and the confirmation sequence number information in the ACK confirmation message. When the verification is successful, a TCP connection establishment request is initiated to the target server to establish the TCP connection, and after the TCP connection is established, the data request sent by the client is sent to the target server; when the verification fails, the data request is directly discarded.
In the attack detection method provided by the embodiment of the application, when the security defense device (or the reverse proxy server) receives the ACK confirmation message sent by the client during the third handshake with the client, the security defense device directly discards the ACK confirmation message without establishing a TCP connection with the target server. That is, after the security defense device and the client perform the third handshake, resources are not allocated to the client and relevant connection information is not recorded; instead, the data request is verified when the first data request sent by the client is received after the third handshake. If the verification is successful, the client can be determined to be a normal client. If the client does not continue to initiate a data request after the third handshake, or if the client initiates a data request and the data request verification fails, the client can be determined to be an attacked client, the data request is directly discarded, and no TCP connection is established with the target server. The null connection attack can thus be effectively defended against, the resources of the target server are not consumed, and the data transmission efficiency between the target server and normal clients is improved.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic view of an application scenario of an attack detection method provided in an embodiment of the present application;
fig. 2 is a schematic view of an implementation flow of an attack detection method provided in an embodiment of the present application;
fig. 3 is a schematic implementation flow diagram of an attack detection method implemented by a security defense device side (or a reverse proxy server side) according to an embodiment of the present application;
fig. 4 is a schematic diagram of an attack detection apparatus implemented by a security defense device side (or a reverse proxy server side) according to an embodiment of the present disclosure;
fig. 5 is a schematic implementation flow diagram of an attack detection method implemented on a client side according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an attack detection apparatus implemented on a client side according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to solve the problems in the background art, embodiments of the present application provide an attack detection method, an attack detection apparatus, an electronic device, and a storage medium.
The preferred embodiments of the present application will be described below with reference to the accompanying drawings of the specification, it should be understood that the preferred embodiments described herein are merely for illustrating and explaining the present application, and are not intended to limit the present application, and that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
Referring to fig. 1, which is a schematic view of an application scenario of the attack detection method provided in the embodiment of the present application, the scenario may include a client 110, a security defense device 120, and a target server 130. When the client 110 sends a data request to the target server 130, the security defense device 120 intercepts the data request and determines whether to pass the data request to the target server 130 after performing security detection on it. In this embodiment of the present disclosure, the security defense device 120 intercepts a TCP connection establishment request sent by the client 110 to the target server 130 and performs a three-way handshake with the client 110. After the security defense device 120 and the client complete the three-way handshake, the security defense device 120 discards the ACK acknowledgement packet sent by the client during the third handshake, does not initiate a TCP connection with the target server, does not allocate resources to the client, and does not record connection information, where the connection information may include, but is not limited to, the following information: client IP information, port number information, protocol number information, current TCP connection state information, traffic information, etc. If the client 110 subsequently initiates a data request to the target server, the security defense device 120 intercepts the data request and verifies it. If the verification is successful, the security defense device 120 initiates a TCP connection establishment request to the target server 130 to establish a TCP connection, creates a connection table to record connection information and allocate resources to the client, and sends the data request to the target server 130; if the verification fails, the security defense device 120 directly discards the data request. Because the security defense device 120 does not establish a TCP connection with the target server 130 after the client 110 performs the three-way handshake with it, whether the client 110 subsequently sends no data or sends data to the target server 130, the security defense device 120 checks the first data sent by the client 110 after the three-way handshake is completed to determine whether the client 110 is a normal client, i.e., whether the client is attacked, and establishes a TCP connection with the target server 130 if the client 110 is not attacked. The null connection attack is thus effectively defended against, the resources of the target server are not consumed, and the data transmission efficiency between the target server and the normal client is improved.
It should be noted that the attack detection method provided in the embodiment of the present application may be applied to not only the security defense device but also the reverse proxy server, which is not limited in the embodiment of the present application, and the following embodiments of the present application are only described as being applied to the security defense device.
Based on the above application scenarios, exemplary embodiments of the present application will be described in more detail below, and it should be noted that the above application scenarios are only shown for the convenience of understanding the spirit and principles of the present application, and the embodiments of the present application are not limited in any way herein. Rather, embodiments of the present application may be applied to any scenario where applicable.
As shown in fig. 2, which is a schematic view of an implementation flow of an attack detection method provided in an embodiment of the present application, the attack detection method may specifically include the following steps:
S21, the client sends a SYN synchronization message to the security defense device, wherein the SYN message carries the first sequence number information, the first confirmation sequence number information and the client information.
In specific implementation, the client sends a SYN synchronization packet to the security defense device, that is, initiates the first TCP handshake. At this time, the client enters the SYN_SENT state (synchronization sent state), and the SYN synchronization packet may be recorded as: SYN (seq = X, ack = 0), where X is the first sequence number and is the initial sequence number specified by the client, and ack denotes a response flag bit, which may take the value of 0. The client information may include, but is not limited to, the following: IP information and port number information of the client.
S22, the security defense device carries out hash calculation on the IP information, the port number information and the current timestamp information of the client to obtain a hash value, and the hash value is determined to be the second sequence number information.
In specific implementation, after receiving the SYN synchronization packet sent by the client, the security defense device extracts client information therein, and if the client information includes IP information and port number information of the client, performs hash calculation on the IP information, the port number information, and current timestamp information of the client to obtain a hash value, determines the hash value as second sequence number information, where the second sequence number is an initial sequence number carried in a first synchronization response packet returned to the client when the security defense device performs TCP handshake with the client for the second time (i.e., the SYN-ACK response packet in step S23). In the implementation process, the hash value may be calculated according to any hash algorithm, which is not limited in the embodiment of the present application.
S23, the security defense device returns a SYN-ACK response message carrying the second sequence number information and the second acknowledgement sequence number information to the client.
In specific implementation, the security defense device returns a SYN-ACK response packet carrying the second sequence number information and the second acknowledgement sequence number information to the client, that is, performs the second TCP handshake with the client. At this time, the security defense device enters the SYN_RECV state (synchronous reception state), and the SYN-ACK response packet may be recorded as: SYN + ACK (seq = Y, ack = X + 1), where Y = hash(ip + port + timestamp), i.e., the hash value of the IP information of the client (ip), the port number information of the client (port), and the current timestamp (timestamp). In this step, the security defense device does not record the connection information (i.e., the IP information, the port number information, the protocol number information, the current TCP connection state information, the flow information and the like of the client) and does not allocate resources to the client, so that no resource of the target server is consumed.
S24, the client sends an ACK message to the security defense device, and the ACK message carries the sequence number information and the acknowledgement sequence number information.
In specific implementation, after receiving the SYN-ACK response message returned by the security defense device, the client sends the ACK acknowledgement message to the security defense device, that is, initiates the third TCP handshake with the security defense device, where the ACK acknowledgement message may be recorded as: ACK (seq = X + 1, ack = Y + 1), where the sequence number information in the ACK acknowledgement message is X + 1 and the acknowledgement sequence number information is Y + 1 (i.e., the hash value of the client's IP information, the client's port number information, and the current timestamp, plus 1).
S25, the security defense device discards the ACK confirmation message and does not initiate a TCP connection request to the target server.
In specific implementation, after receiving the ACK confirmation message sent by the client, the security defense device directly discards the ACK confirmation message without initiating a TCP connection request to the target server, so that it is ensured that connection information is not recorded, and resources are not allocated to the client.
For example, in a scenario where a client is attacked by null connection, the client initiates 1000 TCP three-way handshakes with the security defense device; after the third handshake of each, the security defense device discards the ACK acknowledgement packet sent by the client and does not initiate a TCP connection request to the target server, so that no resource is consumed.
S26, the client sends a data request to the security defense device.
In a specific implementation, the security defense device waits for a data request subsequently sent by the client. With respect to the null connection attack, two situations arise: if the client sends no data request to the security defense device during the following period, no resources of the target server are consumed, because the security defense device has not established a TCP connection with the target server; if the client sends a data request to the security defense device, step S27 is executed. The data request may include the third sequence number information, the third acknowledgement sequence number information, and the requested data length information. The data request message may be written as PSH + ACK (seq = X', ack = Y', payload = 200), where the third sequence number is X', the third acknowledgement sequence number is Y', and payload is the length of the data requested by the client from the target server.
S27, the security defense device verifies the data request according to the sequence number information and the acknowledgement sequence number information in the ACK acknowledgement message to obtain a verification result; when the verification result is determined to be successful, steps S28 to S211 are executed; when the verification result is determined to be a failure, step S212 is executed.
In a specific implementation, after the security defense device receives a data request sent by the client, it extracts the third sequence number (X') and the third acknowledgement sequence number (Y'), checks whether the third sequence number (X') is the same as the sequence number (X+1) in the ACK acknowledgement message, and checks whether the third acknowledgement sequence number (Y') is the same as the acknowledgement sequence number (Y+1) in the ACK acknowledgement message. The reason is that, after completing the three-way handshake with the security defense device, a normal client (that is, one that is not a null connection attack client) sends a first data request whose sequence number and acknowledgement sequence number are the same as those in the ACK acknowledgement message it sent during the third handshake, and whose requested data length is not 0. If the third sequence number (X') is the same as the sequence number (X+1) in the ACK acknowledgement message, the third acknowledgement sequence number (Y') is the same as the acknowledgement sequence number (Y+1) in the ACK acknowledgement message, and the data length information (payload) is not zero, the check is determined to have passed and the client is a normal client. If the third sequence number (X') is different from the sequence number (X+1) in the ACK acknowledgement message and the third acknowledgement sequence number (Y') is also different from the acknowledgement sequence number (Y+1) in the ACK acknowledgement message, or the data length information is 0, the check is determined to have failed and the client is an abnormal client: it may be a null connection attack client, or a client of some other attack. In that case the security defense device needs to further analyze the data sent by the client to determine the attack source.
S28, the security defense device sends a first SYN synchronization message to the target server.
In a specific implementation, if the security defense device successfully verifies the data request sent by the client, it initiates a TCP connection establishment request to the target server to establish a TCP connection. First, the security defense device sends a first SYN synchronization packet to the target server, that is, it initiates the first handshake with the target server. The first SYN synchronization packet may be written as SYN (seq = X', ack = 0), where X' is an initial sequence number specified by the security defense device and the response flag ack takes the value 0.
S29, the target server returns the first SYN-ACK response message to the security defense device.
In a specific implementation, after receiving the first SYN synchronization packet sent by the security defense device, the target server returns a first SYN-ACK response packet to the security defense device, that is, the second TCP handshake. The first SYN-ACK response packet may be written as SYN + ACK (seq = Z, ack = X'+1), where Z is the initial sequence number specified by the target server.
S210, the security defense device establishes TCP connection with the target server and establishes a connection table.
In a specific implementation, in this embodiment of the present application, the security defense device may skip the third TCP handshake with the target server: after receiving the first SYN-ACK response packet returned by the target server, the security defense device only needs to confirm that the response flag is X'+1 in order to establish the TCP connection with the target server, establish a connection table, record the connection information, and allocate resources to the client for the client's subsequent data requests to the target server. The connection table may include, but is not limited to, the following information: the client's IP information, port number information, protocol number information, current TCP connection state information, flow information, and the like.
S211, the security defense device sends a data request to the target server.
In specific implementation, the security defense device sends the data request (namely, the data request sent by the client intercepted by the security defense device) to the target server.
The target server then returns the data requested by the client to the security defense device, and the security defense device sends the data to the client.
S212, the security defense device directly discards the data request.
In specific implementation, if the security defense device fails to check the data request sent by the client, the data request is directly discarded.
In the flow of the attack detection method provided by the embodiment of the present application, the security defense device may also be replaced by a reverse proxy server, which is not limited in the embodiment of the present application.
In the attack detection method provided by the embodiment of the present application, a security defense device (or a reverse proxy server) receives a SYN synchronization message sent by a client, the SYN synchronization message carrying first sequence number information, first acknowledgement sequence number information and client information. The device performs a hash calculation on the client's IP information, port number information and the current timestamp to obtain a hash value, determines the hash value to be the second sequence number information, and returns to the client a SYN-ACK response message carrying the second sequence number information and second acknowledgement sequence number information. The device then receives the ACK acknowledgement message returned by the client, which carries sequence number information and acknowledgement sequence number information, discards it, and does not initiate a TCP connection request to the target server. When a data request sent by the client is received, the third sequence number information and third acknowledgement sequence number information contained in the data request are verified against the sequence number information and the acknowledgement sequence number information in the ACK acknowledgement message. When the verification succeeds, a TCP connection establishment request is sent to the target server to establish the TCP connection, and the data request sent by the client is sent to the target server after the TCP connection is established; when the verification fails, the data request is directly discarded.
In the attack detection method provided in the embodiment of the present application, after receiving a SYN synchronization packet sent by a client, the security defense device (or reverse proxy server) uses a hash value computed from the client information as the sequence number in the SYN-ACK response packet and, after receiving the client's ACK acknowledgement packet, directly discards it without establishing a TCP connection with the target server. That is, the security defense device allocates no resources for the client during the second handshake with the client and records no connection information after the third handshake. Only after the third handshake, when the first data request sent by the client is received, is the data request verified. If the verification succeeds, the client can be determined to be a normal client. If the client does not go on to send a data request after the third handshake, or sends a data request that fails verification, the client can be determined to be a client carrying out an attack; the data request is directly discarded and no TCP connection is established with the target server. In this way the null connection attack can be effectively defended against, the resources of the target server are not consumed, and the data transmission efficiency between the target server and normal clients is improved.
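The flow of steps S25 to S212 summarized above, as an added Python sketch that is not part of the patent text: it shows that any number of handshakes without data leave the connection table empty, and that only a verified first data request causes a SYN to the target server. Assumptions: the hash is HMAC-SHA256 truncated to 32 bits under a device secret, the timestamp is taken in 64-second buckets, and the device re-derives Y by recomputing the hash instead of storing the discarded ACK, so only the acknowledgement number and the payload length are checked here (comparing X' with X+1 would require X to be retained); all names and addresses are hypothetical.

```python
import hashlib
import hmac
import ipaddress
import struct

MASK32 = 0xFFFFFFFF
BUCKET_SECONDS = 64               # assumption: granularity of the "current timestamp"
SECRET = b"constructed-demo-key"  # assumption: keyed hash; the text only says "hash"


def second_seq(ip, port, now):
    """Y: 32-bit hash over the client's IP, port and the bucketed timestamp."""
    bucket = int(now) // BUCKET_SECONDS
    msg = ipaddress.ip_address(ip).packed + struct.pack("!Hq", port, bucket)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


class Gateway:
    """Security defense device (or reverse proxy) in front of the target server."""

    def __init__(self):
        self.connection_table = {}  # filled only in S210
        self.backend_syns = 0       # SYNs sent to the target server (S28)

    def on_syn(self, ip, port, seq, now):
        # Second handshake: SYN+ACK(seq=Y, ack=X+1); nothing is stored.
        return {"seq": second_seq(ip, port, now), "ack": (seq + 1) & MASK32}

    def on_ack(self, ip, port, seq, ack):
        # S25: discard the ACK, record nothing, do not contact the target server.
        return None

    def on_data(self, ip, port, seq, ack, payload_len, now):
        # S27: accept Y+1 derived for the current or the previous time bucket,
        # so a handshake that straddles a bucket boundary still verifies.
        valid = {
            (second_seq(ip, port, now - k * BUCKET_SECONDS) + 1) & MASK32
            for k in (0, 1)
        }
        if ack not in valid or payload_len == 0:
            return "drop"           # S212
        self.backend_syns += 1      # S28/S29: handshake with the target server
        self.connection_table[(ip, port)] = {  # S210
            "protocol": 6,
            "state": "ESTABLISHED",
            "client_seq": seq,
        }
        return "forward"            # S211


def null_connection_flood(gw, count, now):
    """Constructed input: `count` completed handshakes, none followed by data."""
    for i in range(count):
        port = 1024 + i
        syn_ack = gw.on_syn("198.51.100.7", port, seq=i, now=now)
        gw.on_ack("198.51.100.7", port, seq=i + 1,
                  ack=(syn_ack["seq"] + 1) & MASK32)
    return gw.backend_syns
```

A data request arriving more than two buckets after the handshake fails the check, which bounds how long a captured Y+1 stays usable.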
Based on the same inventive concept, the embodiment of the present application further provides an attack detection method implemented by the security defense device side (or the reverse proxy server side), and as the principle of solving the problem of the attack detection method implemented by the security defense device side (or the reverse proxy server side) is similar to that of the attack detection method, the implementation of the attack detection method implemented by the security defense device side (or the reverse proxy server side) can refer to the implementation of the attack detection method, and repeated parts are not described again.
As shown in fig. 3, an implementation flow diagram of an attack detection method implemented by a security defense device side (or a reverse proxy server side) provided in the embodiment of the present application may include the following steps:
S31, when receiving an ACK confirmation message sent by the client during the third handshake with the client in the TCP three-way handshake process, discarding the ACK confirmation message without initiating a TCP connection request to the target server, wherein the ACK confirmation message carries sequence number information and confirmation sequence number information.
In specific implementation, when receiving an ACK acknowledgement message sent by a client during a third handshake with the client in a TCP three-way handshake process, the security defense device (or the reverse proxy server) discards the ACK acknowledgement message without initiating a TCP connection request to the target server.
S32, when receiving the data request sent by the client, checking the data request according to the serial number information and the confirmed serial number information to obtain a check result, executing the step S33 when the check result is determined to be a check success, and executing the step S34 when the check result is determined to be a check failure.
And S33, initiating a TCP connection establishment request to the target server to establish the TCP connection, and sending the data request to the target server.
S34, directly discarding the data request.
In one possible implementation, a TCP three-way handshake is made with the client by:
receiving a SYN synchronous message sent by a client, wherein the SYN message carries first sequence number information, first confirmation sequence number information and the client information, and the client information comprises IP information and port number information of the client;
performing hash calculation on the IP information, the port number information and the current timestamp information of the client to obtain a hash value, determining the hash value as second sequence number information, and returning a SYN-ACK response message carrying the second sequence number information and second confirmation sequence number information to the client;
and receiving the ACK confirmation message sent by the client.
In a possible implementation, the data request includes third sequence number information, third acknowledgement sequence number information, and requested data length information;
according to the serial number information and the confirmation serial number information, verifying the data request to obtain a verification result, specifically comprising:
checking whether the third sequence number is the same as the sequence number and checking whether the third acknowledgement sequence number is the same as the acknowledgement sequence number;
if the third sequence number is the same as the sequence number, the third confirmation sequence number is the same as the confirmation sequence number, and the data length information is not zero, determining that the verification is passed;
and if the third sequence number is different from the sequence number, the third confirmation sequence number is different from the confirmation sequence number, or the data length information is zero, the confirmation check fails.
In a possible implementation manner, initiating a TCP connection establishment request to a target server to establish a TCP connection specifically includes:
sending a first SYN synchronization message to the target server;
and receiving a first SYN-ACK response message returned by the target server, establishing TCP connection with the target server, and establishing a connection table.
Based on the same inventive concept, the embodiments of the present application further provide an attack detection apparatus implemented by the security defense apparatus side (or the reverse proxy server side), and as the principle of solving the problem of the attack detection apparatus implemented by the security defense apparatus side (or the reverse proxy server side) is similar to that of the attack detection method, the implementation of the attack detection apparatus implemented by the security defense apparatus side (or the reverse proxy server side) can refer to the implementation of the attack detection method, and repeated parts are not described again.
As shown in fig. 4, a schematic diagram of an attack detection apparatus implemented by a security defense device side (or a reverse proxy server side) provided in the embodiment of the present application may include:
a discarding unit 41, configured to discard an ACK acknowledgment packet sent by a client during a third handshake with the client in a TCP three-way handshake process, without initiating a TCP connection request to a target server, where the ACK acknowledgment packet carries sequence number information and acknowledgment sequence number information;
a checking unit 42, configured to, when a data request sent by the client is received, check the data request according to the serial number information and the confirmation serial number information, and obtain a checking result;
a processing unit 43, configured to, when it is determined that the verification result is successful, initiate a TCP connection establishment request to a target server to establish a TCP connection, and send the data request to the target server; and when the verification result is determined to be verification failure, directly discarding the data request.
In a possible implementation, the discarding unit 41 is specifically configured to perform a TCP three-way handshake with the client by:
receiving a SYN synchronous message sent by a client, wherein the SYN message carries first sequence number information, first confirmation sequence number information and the client information, and the client information comprises IP information and port number information of the client;
performing hash calculation on the IP information, the port number information and the current timestamp information of the client to obtain a hash value, determining the hash value as second sequence number information, and returning a SYN-ACK response message carrying the second sequence number information and second confirmation sequence number information to the client;
and receiving the ACK confirmation message sent by the client.
In a possible implementation, the data request includes third sequence number information, third acknowledgement sequence number information, and requested data length information;
the verification unit 42 is specifically configured to:
checking whether the third sequence number is the same as the sequence number and checking whether the third acknowledgement sequence number is the same as the acknowledgement sequence number;
if the third sequence number is the same as the sequence number, the third confirmation sequence number is the same as the confirmation sequence number, and the data length information is not zero, determining that the verification is passed;
and if the third sequence number is different from the sequence number, the third confirmation sequence number is different from the confirmation sequence number, or the data length information is zero, the confirmation check fails.
In a possible implementation, the processing unit 43 is specifically configured to:
sending a first SYN synchronization message to the target server;
and receiving a first SYN-ACK response message returned by the target server, establishing TCP connection with the target server, and establishing a connection table.
Based on the same inventive concept, the embodiment of the present application further provides an attack detection method implemented by the client side, and as the principle of solving the problem of the attack detection method implemented by the client side is similar to that of the attack detection method, the implementation of the attack detection method implemented by the client side can refer to the implementation of the attack detection method, and repeated details are not repeated.
As shown in fig. 5, an implementation flow diagram of the attack detection method implemented on the client side provided in the embodiment of the present application may include the following steps:
S51, the client sends an ACK confirmation message to the security defense device during the third handshake in the TCP three-way handshake process with the security defense device, wherein the ACK confirmation message carries the sequence number information and the confirmation sequence number information.
S52, sending a data request to the security defense device, so that the security defense device verifies the data request according to the serial number information and the confirmation number information, when the verification is determined to be successful, the security defense device sends a TCP connection establishment request to the target server to establish TCP connection, and sends the data request to the target server, and when the verification is determined to be failed, the data request is directly discarded.
In one possible embodiment, a TCP three-way handshake is made with the security defense device by:
sending a SYN synchronous message to the security defense device, wherein the SYN synchronous message carries first sequence number information, first confirmation sequence number information and client information, and the client information comprises IP information and port number information of the client;
receiving a SYN-ACK response message returned by the security defense device, wherein the SYN-ACK response message carries second sequence number information and second confirmation sequence number information, and the second sequence number information is a hash value obtained by performing hash calculation on IP information, port number information and current timestamp information of the client by the security defense device;
and sending the ACK message to the security defense equipment.
Based on the same inventive concept, embodiments of the present application further provide an attack detection apparatus implemented by a client side, and because a principle of solving a problem of the attack detection apparatus implemented by the client side is similar to that of the attack detection method, the implementation of the attack detection apparatus implemented by the client side may refer to the implementation of the attack detection method, and repeated details are not repeated.
As shown in fig. 6, a schematic diagram of an attack detection apparatus implemented on a client side provided in the embodiment of the present application may include:
a first sending unit 61, configured to send an ACK acknowledgement packet to the security defense device during a third TCP handshake with the security defense device, where the ACK acknowledgement packet carries sequence number information and acknowledgement sequence number information;
a second sending unit 62, configured to send a data request to the security defense device, so that the security defense device verifies the data request according to the sequence number information and the acknowledgement number information, and when it is determined that the verification is successful, the security defense device sends a TCP connection establishment request to a target server to establish a TCP connection, and sends the data request to the target server, and when it is determined that the verification is failed, the data request is directly discarded.
As a possible implementation, the first sending unit 61 is specifically configured to perform TCP three-way handshake with the security defense device by:
sending a SYN synchronous message to the security defense device, wherein the SYN synchronous message carries first sequence number information, first confirmation sequence number information and client information, and the client information comprises IP information and port number information of the client;
receiving a SYN-ACK response message returned by the security defense device, wherein the SYN-ACK response message carries second sequence number information and second confirmation sequence number information, and the second sequence number information is a hash value obtained by performing hash calculation on IP information, port number information and current timestamp information of the client by the security defense device;
and sending the ACK message to the security defense equipment.
Based on the same technical concept, an embodiment of the present application further provides an electronic device 700, and referring to fig. 7, the electronic device 700 is configured to implement the attack detection method described in the foregoing method embodiment, and the electronic device 700 of this embodiment may include: a memory 701, a processor 702, and a computer program, such as an attack detection program, stored in the memory and executable on the processor. The processor implements the steps in the above described attack detection method embodiments when executing the computer program. Alternatively, the processor implements the functions of the modules/units in the above device embodiments when executing the computer program.
In the embodiment of the present application, a specific connection medium between the memory 701 and the processor 702 is not limited. In the embodiment of the present application, the memory 701 and the processor 702 are connected by the bus 703 in fig. 7, the bus 703 is indicated by a thick line in fig. 7, and the connection manner between other components is merely schematically illustrated and is not limited thereto. The bus 703 may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 7, but this is not intended to represent only one bus or type of bus.
The memory 701 may be a volatile memory, such as a random-access memory (RAM); the memory 701 may also be a non-volatile memory such as, but not limited to, a read-only memory (ROM), a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD), or any other medium which can be used to carry or store desired program code in the form of instructions or data structures and which can be accessed by a computer. Memory 701 may be a combination of the above.
The processor 702 is configured to invoke the computer program stored in the memory 701 to execute the attack detection method in each of the above exemplary embodiments.
The embodiment of the present application further provides a computer-readable storage medium, which stores computer-executable instructions required to be executed by the processor, and includes a program required to be executed by the processor.
In some possible embodiments, the various aspects of the attack detection method provided by the present application may also be implemented in the form of a program product, which includes program code for causing an electronic device to perform the steps in the attack detection method according to various exemplary embodiments of the present application described above in this specification, when the program product is run on the electronic device.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, apparatus, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (devices), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. An attack detection method, comprising:
when an ACK confirmation message sent by a client during a third handshake with the client in a TCP three-way handshake process is received, discarding the ACK confirmation message without initiating a TCP connection request to a target server, wherein the ACK confirmation message carries sequence number information and confirmation sequence number information;
when a data request sent by the client is received, verifying the data request according to the serial number information and the confirmation serial number information to obtain a verification result;
when the verification result is determined to be successful, a TCP connection establishment request is sent to a target server to establish TCP connection, and the data request is sent to the target server; and when the verification result is determined to be verification failure, directly discarding the data request.
2. The method of claim 1, wherein a TCP three-way handshake is made with the client by:
receiving a SYN synchronous message sent by a client, wherein the SYN message carries first sequence number information, first confirmation sequence number information and the client information, and the client information comprises IP information and port number information of the client;
performing hash calculation on the IP information, the port number information and the current timestamp information of the client to obtain a hash value, determining the hash value as second sequence number information, and returning a SYN-ACK response message carrying the second sequence number information and second confirmation sequence number information to the client;
and receiving the ACK confirmation message sent by the client.
3. The method of claim 2, wherein the data request includes third sequence number information, third acknowledgement sequence number information, and requested data length information;
according to the serial number information and the confirmation serial number information, verifying the data request to obtain a verification result, specifically comprising:
checking whether the third sequence number is the same as the sequence number and checking whether the third acknowledgement sequence number is the same as the acknowledgement sequence number;
if the third sequence number is the same as the sequence number, the third confirmation sequence number is the same as the confirmation sequence number, and the data length information is not zero, determining that the verification is passed;
and if the third sequence number is different from the sequence number, the third confirmation sequence number is different from the confirmation sequence number, or the data length information is zero, the confirmation check fails.
4. The method of claim 2, wherein initiating a TCP connection establishment request to the target server to establish the TCP connection comprises:
sending a first SYN synchronization message to the target server;
and receiving a first SYN-ACK response message returned by the target server, establishing TCP connection with the target server, and establishing a connection table.
5. An attack detection method, comprising:
during the third handshake of a TCP three-way handshake with a security defense device, sending an ACK acknowledgement message to the security defense device, wherein the ACK acknowledgement message carries sequence number information and acknowledgement sequence number information;
and sending a data request to the security defense device, so that the security defense device verifies the data request according to the sequence number information and the acknowledgement sequence number information; when the verification is determined to be successful, the security defense device initiates a TCP connection establishment request to a target server to establish a TCP connection and sends the data request to the target server; and when the verification is determined to have failed, the security defense device directly discards the data request.
6. The method of claim 5, wherein the TCP three-way handshake with the security defense device is performed by:
sending a SYN synchronization message to the security defense device, wherein the SYN synchronization message carries first sequence number information, first acknowledgement sequence number information and client information, and the client information comprises IP information and port number information of the client;
receiving a SYN-ACK response message returned by the security defense device, wherein the SYN-ACK response message carries second sequence number information and second acknowledgement sequence number information, and the second sequence number information is a hash value obtained by the security defense device performing a hash calculation on the IP information, the port number information and current timestamp information of the client;
and sending the ACK acknowledgement message to the security defense device.
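The device-side behaviour that claims 3 to 6 describe can be modelled in a few lines. The following is an added example, not code from the patent or its applicant: the class and method names, the truncated SHA-256 hash, the constructed client addresses and timestamp, and the removal of the pending entry after a successful check are all assumptions.

```python
import hashlib

MOD = 2**32  # TCP sequence numbers are 32-bit

class DefenseDevice:
    """Toy model of the claimed security defense device; all names are hypothetical."""

    def __init__(self):
        self.pending = {}    # (ip, port) -> (seq, ack) taken from the discarded handshake ACK
        self.forwarded = []  # payloads relayed after a backend connection was opened

    def on_syn(self, ip, port, client_seq, timestamp):
        # Claim 6: the SYN-ACK sequence number is a hash of client IP, port and timestamp.
        # Truncated SHA-256 is an assumption; the claims do not name a hash function.
        digest = hashlib.sha256(f"{ip}|{port}|{timestamp}".encode()).digest()
        return int.from_bytes(digest[:4], "big"), (client_seq + 1) % MOD

    def on_ack(self, ip, port, seq, ack):
        # Third handshake: remember seq/ack, discard the ACK, open nothing toward the server.
        self.pending[(ip, port)] = (seq, ack)

    def on_data(self, ip, port, seq, ack, payload):
        # Claim 3: pass only if seq and ack equal the recorded pair and the data length is non-zero.
        if self.pending.get((ip, port)) != (seq, ack) or len(payload) == 0:
            return "dropped"
        del self.pending[(ip, port)]    # assumption: state moves to the connection table
        self.forwarded.append(payload)  # stands in for "connect to target server, send request"
        return "forwarded"


def run_demo():
    dev, results = DefenseDevice(), {}
    # Constructed clients (documentation addresses); the case names are labels for this demo.
    for name, ip, payload, skew in [("normal", "192.0.2.10", b"GET / HTTP/1.1\r\n\r\n", 0),
                                    ("empty_data", "192.0.2.11", b"", 0),
                                    ("wrong_seq", "192.0.2.12", b"GET / HTTP/1.1\r\n\r\n", 7)]:
        client_seq = 1000
        cookie, syn_ack_ack = dev.on_syn(ip, 40000, client_seq, timestamp=1642464000)
        seq, ack = syn_ack_ack, (cookie + 1) % MOD  # values a real stack puts in its ACK
        dev.on_ack(ip, 40000, seq, ack)
        # A real stack's first data segment reuses the ACK's seq/ack (a bare ACK consumes no sequence space).
        results[name] = dev.on_data(ip, 40000, (seq + skew) % MOD, ack, payload)
    results["no_handshake"] = dev.on_data("192.0.2.13", 40000, 1, 1, b"x")
    results["forwarded_count"] = len(dev.forwarded)
    return results
```

Only the client whose first data segment repeats the handshake ACK's sequence and acknowledgement numbers and carries a non-empty payload causes a backend connection; the other three cases consume no target-server resources.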
7. An attack detection apparatus, comprising:
a discarding unit, configured to, upon receiving an ACK acknowledgement message sent by a client during the third handshake of a TCP three-way handshake with the client, discard the ACK acknowledgement message without sending a TCP connection request to a target server, wherein the ACK acknowledgement message carries sequence number information and acknowledgement sequence number information;
a verification unit, configured to, upon receiving a data request sent by the client, verify the data request according to the sequence number information and the acknowledgement sequence number information to obtain a verification result;
a processing unit, configured to initiate a TCP connection establishment request to the target server to establish a TCP connection and send the data request to the target server when the verification result is determined to be successful, and to directly discard the data request when the verification result is determined to be a verification failure.
8. An attack detection apparatus, comprising:
a first sending unit, configured to send an ACK acknowledgement message to a security defense device during the third handshake of a TCP three-way handshake with the security defense device, wherein the ACK acknowledgement message carries sequence number information and acknowledgement sequence number information;
and a second sending unit, configured to send a data request to the security defense device, so that the security defense device verifies the data request according to the sequence number information and the acknowledgement sequence number information; when the verification is determined to be successful, the security defense device initiates a TCP connection establishment request to a target server to establish a TCP connection and sends the data request to the target server; and when the verification is determined to have failed, the security defense device directly discards the data request.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the attack detection method according to any one of claims 1 to 6 when executing the program.
10. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, carries out the steps of the attack detection method according to any one of claims 1 to 6.
CN202210053231.3A 2022-01-18 2022-01-18 Attack detection method and device, electronic equipment and storage medium Active CN114500021B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210053231.3A CN114500021B (en) 2022-01-18 2022-01-18 Attack detection method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114500021A (en) 2022-05-13
CN114500021B (en) 2024-07-26

Family

ID=81511249

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210053231.3A Active CN114500021B (en) 2022-01-18 2022-01-18 Attack detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114500021B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114844723A (en) * 2022-06-16 2022-08-02 北京百度网讯科技有限公司 Network attack protection method, device, equipment and storage medium

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6772334B1 (en) * 2000-08-31 2004-08-03 Networks Associates, Inc. System and method for preventing a spoofed denial of service attack in a networked computing environment
CN1630248A (en) * 2003-12-19 2005-06-22 北京航空航天大学 SYN flooding attack defence method based on connection request authentication
CN1731784A (en) * 2004-08-06 2006-02-08 华为技术有限公司 Safety management method for hyper text transport protocol service
CA2514039A1 (en) * 2005-07-28 2007-01-28 Third Brigade Inc. Tcp normalization engine
CN101436958A (en) * 2007-11-16 2009-05-20 太极计算机股份有限公司 Method for resisting abnegation service aggression
CN101594269A (en) * 2009-06-29 2009-12-02 成都市华为赛门铁克科技有限公司 A kind of detection method of unusual connection, device and gateway device
CN101729513A (en) * 2008-10-27 2010-06-09 成都市华为赛门铁克科技有限公司 Network authentication method and device
CN101771695A (en) * 2010-01-07 2010-07-07 福建星网锐捷网络有限公司 Transmission control protocol (TCP) connection processing method and system and synchronization (SYN) agent equipment
CN101834833A (en) * 2009-03-13 2010-09-15 丛林网络公司 Server protection for distributed denial-of-service attack
KR101263381B1 (en) * 2011-12-07 2013-05-21 주식회사 시큐아이 Method and apparatus for defending against denial of service attack in tcp/ip networks
CN105099952A (en) * 2014-05-23 2015-11-25 华为技术有限公司 Method and device for allocating resources
CN106302495A (en) * 2016-08-25 2017-01-04 北京神州绿盟信息安全科技股份有限公司 The means of defence of a kind of ACK Flood attack and intervening guard device
US20170366466A1 (en) * 2016-06-20 2017-12-21 Mediatek Inc. Method of Reducing Transmission Control Protocol Acknowledgement and Wireless Device Using The Same
CN107968785A (en) * 2017-12-03 2018-04-27 浙江工商大学 A kind of method of defending DDoS (Distributed Denial of Service) attacks in SDN data centers
CN111314358A (en) * 2020-02-21 2020-06-19 深圳市腾讯计算机系统有限公司 Attack protection method, device, system, computer storage medium and electronic equipment

Also Published As

Publication number Publication date
CN114500021B (en) 2024-07-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant