CN117201201B - Syn flood attack storage method based on full-flow storage backtracking system - Google Patents

Syn flood attack storage method based on full-flow storage backtracking system

Info

Publication number: CN117201201B
Application number: CN202311469197.9A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN117201201A
Inventor: 曲武
Current assignee: Jinjing Yunhua Shenyang Technology Co ltd; Beijing Jinjingyunhua Technology Co ltd
Original assignee: Jinjing Yunhua Shenyang Technology Co ltd; Beijing Jinjingyunhua Technology Co ltd
Legal status: Active
Abstract

The embodiment of the invention provides a synflood attack storage method based on a full-flow storage backtracking system. The method comprises: acquiring a message and extracting its destination ip address; querying the mapping relation table by the destination ip address and, if a mapping relation group exists, querying the first mapping relation, otherwise establishing a mapping relation group and adding it to the mapping relation table; if the source ip is found in the first mapping relation, judging whether a second mapping relation corresponding to it exists, otherwise adding the source ip to the first mapping relation; if the second mapping relation exists, judging whether the attack mode is a template association mode, otherwise newly establishing the corresponding second mapping relation and then making that judgment; if it is the template association mode, creating a second mapping relation corresponding to the source ip address from the template, otherwise storing the message in the second mapping relation. In this way storage space is greatly saved, target ip retrieval performance is improved, and the analysis and backtracking functions for attack messages are improved.

Description

Syn flood attack storage method based on full-flow storage backtracking system
Technical Field
The present invention relates generally to the field of network security, and more particularly, to a synflood attack storage method based on a full-flow storage backtracking system.
Background
For security vendors, a full-flow storage backtracking system is usually a network analysis product combining packet capture, protocol decoding and analysis, traffic statistics, fault diagnosis, performance management and similar functions; it provides high-precision network diagnosis and analysis, presents a multi-layer panorama of network communication, and helps network administrators sort out network applications. SYN flood is currently one of the most common forms of DoS (Denial of Service) and DDoS (Distributed Denial of Service) attack: it exploits a weakness of the TCP protocol by sending large numbers of forged TCP SYN connection requests until the resources of the attacked party are exhausted (CPU saturated or memory insufficient) and the system or server goes down. When a syn flood attack is encountered, the storage consumed by the full-flow storage backtracking system grows abruptly because of the sheer volume of attack traffic; moreover, since the source ip addresses of a syn flood are mostly forged, the sudden increase in the number of distinct ip addresses within a short time greatly degrades retrieval performance. Current vendors basically store the complete message and index it, and some systems do not even analyze whether the traffic is attack traffic, so a large amount of storage space is occupied and retrieval performance suffers.
Disclosure of Invention
According to the embodiment of the invention, a synflood attack storage scheme based on a full-flow storage backtracking system is provided. The scheme can greatly save the storage space, improve the target ip retrieval performance and improve the analysis and backtracking functions of the attack messages.
In a first aspect of the present invention, a synflood attack storage method based on a full-flow storage backtracking system is provided. The method comprises the following steps:
s101, acquiring a message, and extracting a destination ip address of the message;
s102, querying a mapping relation table according to the destination ip address, and executing S103 if a mapping relation group corresponding to the destination ip address exists in the mapping relation table; otherwise, establishing a mapping relation group for the destination ip address and adding it to the mapping relation table; the mapping relation group comprises a first mapping relation and a second mapping relation; the first mapping relation is a 1:N mapping relation between a destination ip address and attack ip addresses; the second mapping relation is a 1:M mapping relation between an attack ip address and synflood attack interaction messages;
s103, inquiring the first mapping relation, and if the source ip address of the message exists in the first mapping relation, executing S104; otherwise, adding the source ip in the first mapping relation;
s104, judging whether a second mapping relation corresponding to the source ip address exists in the first mapping relation, and if so, executing S105; otherwise, a second mapping relation corresponding to the source ip is newly established, and S105 is executed;
s105, judging whether the attack mode of the message is a template association mode, if so, creating a second mapping relation corresponding to the source ip address by using a template associated with the template association mode; otherwise, the message is stored into a second mapping relation according to the message type of the message.
Further, the adding the mapping relation group of the destination ip to the mapping relation table includes:
newly establishing the destination ip address in the mapping relation table, creating a first mapping relation corresponding to the destination ip address, and adding the source ip address corresponding to the destination ip address into the first mapping relation.
Further, the determining whether the attack mode of the message is a template association mode includes:
s401, for the messages of the same session, acquiring the type of the last message and the serial number of the last message, and the type of the current message and the serial number of the current message;
s402, if the type of the previous message is a serial number request and the type of the current message is a serial number response, executing S403;
s403, if the sequence number of the current message is the next sequence number after the previous message, the sequence number type of the syn response message is correct and S404 is executed; otherwise, the sequence number type of the syn response message is wrong and S405 is executed;
s404, judging whether a message is received within a first time; if so, the attack mode of the message is a normal mode; otherwise, the attack mode of the message is associated with a first template;
s405, judging whether a reset message is received within a second time; if so, the attack mode of the message is a normal mode; otherwise, the attack mode of the message is associated with the first template.
Further, the first template comprises a source port number, a destination port number, a syn serial number, a syn confirmation response number and corresponding storage spaces;
the second template is: source port number, destination port number, syn-seq information, syn-ack-error-seq information, and their respective corresponding storage spaces.
Further, when the attack mode of the message is associated with the first template, creating a second mapping relationship corresponding to the source ip by using the template associated with the template association mode, including:
if the message is a syn message, creating an empty item by using the first template, extracting the source port number, the destination port number and the syn-seq information of the syn message, and recording the information to the empty item corresponding to the first template;
if the message is a syn-ack message, extracting source port number, destination port number and syn-ack-seq information of the syn-ack message; searching a corresponding item according to a source port number and a destination port number, and if the corresponding item is found, recording syn-ack-seq information into the corresponding item; if no corresponding item is found, a null item is newly established by the first template, and the source port number, the destination port number and the syn-ack-seq information of the syn-ack message are recorded in the null item corresponding to the first template.
Further, when the attack mode of the message is associated with the second template, creating a second mapping relationship corresponding to the source ip by using the template associated with the template association mode, including:
if the message is a syn message, extracting the source port number, the destination port number and the syn-seq information of the syn message, and recording the information to an empty item corresponding to the second template;
if the message is a syn-ack message, extracting a source port number, a destination port number, syn-ack-seq information and syn-ack-error-seq information of the syn-ack message; searching a corresponding item according to a source port number and a destination port number, and if the corresponding item is found, recording syn-ack-seq information into the corresponding item; if the corresponding item is not found, a null item is newly established by the second template, and the source port number, the destination port number and the syn-ack-seq information of the syn-ack message are recorded in the null item corresponding to the second template.
Further, the adding the source ip in the first mapping relationship includes:
updating the source ip address and the fix_info field in the first mapping relation according to the source ip of the message.
Further, the storing the message into the second mapping relationship according to the message type of the message includes:
extracting the type, serial number, source port number and destination port number of the message; extracting the type, the serial number, the source port number and the destination port number of the last message from the first mapping relation;
if the type of the message is the same as the type of the previous message, updating the sequence number in the first mapping relation of the message; otherwise, a new item is added in the second mapping relation, the type is the type of the message and the number is 1, and the first mapping relation is updated by the new item.
In a second aspect of the invention, an electronic device is provided. The electronic device comprises at least one processor and a memory communicatively coupled to the at least one processor; the memory stores instructions executable by the at least one processor to enable it to perform the method of the first aspect of the invention.
In a third aspect of the invention, there is provided a non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the method of the first aspect of the invention.
It should be understood that the description in this summary is not intended to limit the critical or essential features of the embodiments of the invention, nor is it intended to limit the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
The above and other features, advantages and aspects of embodiments of the present invention will become more apparent by reference to the following detailed description when taken in conjunction with the accompanying drawings. In the drawings, wherein like or similar reference numerals denote like or similar elements, in which:
FIG. 1 shows a flow chart of a synflood attack storage method based on a full flow storage backtracking system according to an embodiment of the present invention;
FIG. 2 shows a schematic diagram of the 1:N:M mapping;
FIG. 3 shows a schematic diagram of the N table according to an embodiment of the present invention;
FIG. 4 illustrates a template association mode decision flow diagram according to an embodiment of the present invention;
FIG. 5 shows a block diagram of an exemplary electronic device capable of implementing embodiments of the invention; wherein 500 is an electronic device, 501 is a CPU, 502 is a ROM, 503 is a RAM, 504 is a bus, 505 is an I/O interface, 506 is an input unit, 507 is an output unit, 508 is a storage unit, 509 is a communication unit.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
In addition, the term "and/or" herein is merely an association relationship describing an association object, and means that three relationships may exist, for example, a and/or B may mean: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship.
Fig. 1 shows a flowchart of a synflood attack storage method based on a full-flow storage backtracking system according to an embodiment of the present invention.
The method comprises the following steps:
s101, acquiring a message, and extracting a destination ip address (dip) of the message.
S102, inquiring a mapping relation table (D table) according to the destination ip address, and executing S103 if a mapping relation group (1:N:M table) corresponding to the destination ip address exists in the mapping relation table; otherwise, establishing a mapping relation group of the destination ip address, and adding the mapping relation group of the destination ip address into the mapping relation table.
The mapping relation group comprises a first mapping relation (N table) and a second mapping relation (M table); the first mapping relation is a 1:N mapping relation between a destination ip address and attack ip addresses; the second mapping relation is a 1:M mapping relation between an attack ip address and synflood attack interaction messages.
Specifically, the adding the mapping relation group of the destination ip to the mapping relation table includes:
and newly establishing a destination ip address in the mapping relation table, creating a first mapping relation corresponding to the destination ip address, and adding a source ip address corresponding to the destination ip address into the first mapping relation.
The index of a generic full-flow storage backtracking system is session-based, and a session is normally identified by the five-tuple of the message (sip, sport, dip, dport, protocol). In this embodiment, as shown in fig. 2, the storage of synflood attack packets is not designed around a session but around the ip address of the attacked device (target ip, dest_ip) and the massive attack ip addresses (attack ip, attack_ip): a 1:N mapping table is established for each target, and each entry of that table in turn maps M synflood attack interaction messages. For each attack target a 1:N:M mapping table is therefore established, in which 1 dest ip corresponds to N attack ips and 1 attack ip corresponds to M synflood attack interaction messages.
Specifically, as shown in fig. 3, each element of the N table is designed around the source ip address and needs only 3 spaces of 32 bits to represent the information related to that source ip. Compared with storing the complete message information for every source ip, each group of source ip messages needs only 96 bits of storage, which saves space while still retaining the tracing information needed for a syn flood attack. The 2-bit serial number, the 16-bit source port and the 16-bit destination port form the fix_info field of the N table.
Specifically, the M table stores the series of messages from one source ip address. By default a very compact M table layout is used in which each message occupies 8 bits: the category occupies 3 bits and the number occupies 5 bits. The 3-bit category of each message is one of 8 categories, namely:
1. syn request (000);
2. syn reply right (001);
3. syn reply err (010);
4. syn reset (011);
5. ack normal message (100);
6. syn request-syn reply right message pair (101);
7. syn request-syn reply err message pair (110);
8. legal type (111).
The numbers in brackets are the values written into the category field.
The number field holds the count of messages of that category and occupies 5 bits, so each type of message has a 5-bit count; 2^5 = 32, i.e. the count is at most 32.
In this embodiment only attack messages are considered; messages from authenticated ordinary sources that can successfully complete the three-way handshake are not. During a massive synflood attack, part of the legitimate syn request messages are discarded while the validity of ip addresses is being verified, and those messages are not placed in the 1:N:M mapping table above.
In addition, for the message passing the verification, the message and the message which can establish the three-way handshake by the verification are normally stored together. In this embodiment, an index is individually established for such a message, and the message is marked as a legal mark after verification, and the validity thereof is recorded.
Thus the syn flood index information is designed as a 1:N:M table based on the attacked device's dest ip, while ordinary messages still use the session index.
S103, inquiring the first mapping relation (N table), and if the source ip address of the message exists in the first mapping relation (N table), executing S104; otherwise, the source ip is added in the first mapping relation (N table).
Specifically, adding the source ip requires updating two fields of the N table, namely the 32-bit sip and the 64-bit fix_info field. Updating N->fix_info means: the 32-bit seq, 16-bit source port number and 16-bit destination port number extracted from the message are recorded in the last seq field and the source and destination port fields of the N table, respectively. It should be noted that for the first packet it is not necessary to create an M table corresponding to the source ip.
In this embodiment, adding the source ip of the syn packet in the first mapping relationship includes:
and updating the source ip address and the fix_info field in the first mapping relation according to the source ip of the syn message.
S104, judging whether a second mapping relation corresponding to the source ip address exists in the first mapping relation, and if so, executing S105; otherwise, this is the second message from that source ip, a second mapping relation corresponding to the source ip is newly built, and S105 is executed.
S105, judging whether the attack mode of the message is a template association mode, if so, creating a second mapping relation corresponding to the source ip address by using a template associated with the template association mode; otherwise, the message is stored into a second mapping relation according to the message type of the message.
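The D table / N table / M table structure behind steps S101 to S104, written out in Python as an added example (it is not code from the patent or its assignees). Field widths follow the description: a 32-bit sip plus a 64-bit fix_info (32-bit seq, 16-bit sport, 16-bit dport) per N element, and an M table that is only created for the second message from a source ip. The message dictionaries, the `process_message` and `run_sample` names, the returned step labels and the sample addresses are constructed for this illustration.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def ip_to_u32(ip):
    """32-bit integer form of a dotted IPv4 address (the sip/dip table keys)."""
    return int(ipaddress.IPv4Address(ip))


def pack_fix_info(seq, sport, dport):
    """64-bit fix_info: seq in the top 32 bits, sport and dport in 16 bits each."""
    return ((seq & MASK32) << 32) | ((sport & 0xFFFF) << 16) | (dport & 0xFFFF)


def unpack_fix_info(fix_info):
    """Inverse of pack_fix_info: (seq, sport, dport)."""
    return (fix_info >> 32) & MASK32, (fix_info >> 16) & 0xFFFF, fix_info & 0xFFFF


class NElement:
    """One row of the N table: 32-bit sip plus 64-bit fix_info (96 bits), and a
    reference to the M table, which is only created on the second message."""
    __slots__ = ("sip", "fix_info", "m_table")

    def __init__(self, sip, fix_info):
        self.sip = sip
        self.fix_info = fix_info
        self.m_table = None


def process_message(d_table, msg):
    """Apply S101-S104 to one message and return the step that was reached.
    d_table maps dip -> N table; an N table maps sip -> NElement."""
    dip = ip_to_u32(msg["dip"])                           # S101: extract dip
    sip = ip_to_u32(msg["sip"])
    fix_info = pack_fix_info(msg["seq"], msg["sport"], msg["dport"])
    n_table = d_table.get(dip)                            # S102: D table lookup
    if n_table is None:
        d_table[dip] = {sip: NElement(sip, fix_info)}     # new 1:N:M group
        return "S102:new-group"
    elem = n_table.get(sip)                               # S103: N table lookup
    if elem is None:
        n_table[sip] = NElement(sip, fix_info)            # add sip + fix_info
        return "S103:new-sip"
    if elem.m_table is None:                              # S104: second message
        elem.m_table = []                                 # from this sip -> M table
        return "S104:new-m-table"
    return "S105:store"                                   # S105 stores the message


# Constructed sample: two spoofed sources hitting one target, one of them three times.
SAMPLE_MESSAGES = [
    {"sip": "203.0.113.10", "dip": "192.0.2.1", "sport": 40000, "dport": 80, "seq": 1000},
    {"sip": "203.0.113.11", "dip": "192.0.2.1", "sport": 40001, "dport": 80, "seq": 2000},
    {"sip": "203.0.113.10", "dip": "192.0.2.1", "sport": 40000, "dport": 80, "seq": 1001},
    {"sip": "203.0.113.10", "dip": "192.0.2.1", "sport": 40002, "dport": 80, "seq": 1002},
]


def run_sample():
    """Feed the sample messages through the tables; return (d_table, step trace)."""
    d_table = {}
    trace = [process_message(d_table, m) for m in SAMPLE_MESSAGES]
    return d_table, trace


def n_table_bits(d_table):
    """Storage used by all N elements at 96 bits each, the figure the text
    compares against keeping whole messages per source ip."""
    return sum(96 * len(n_table) for n_table in d_table.values())


if __name__ == "__main__":
    table, trace = run_sample()
    print(trace)                 # ['S102:new-group', 'S103:new-sip', 'S104:new-m-table', 'S105:store']
    print(n_table_bits(table))   # 192
```

The D table is keyed by the attacked ip, so a query for a target costs one dictionary lookup regardless of how many forged sources hit it, which is the retrieval property the text claims; the M table stays empty until a source repeats, which is where the "only the N table for most attack messages" saving comes from.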
In this embodiment, as shown in fig. 4, the determining whether the attack mode of the packet is a template association mode includes:
s401, for the messages of the same session, acquiring the type of the last message and the serial number of the last message, and the type of the current message and the serial number of the current message;
s402, if the type of the previous message is a serial number request and the type of the current message is a serial number response, executing S403;
s403, if the sequence number of the current message is the next sequence number after the previous message, the sequence number type of the syn response message is correct and S404 is executed; otherwise, the sequence number type of the syn response message is wrong and S405 is executed;
s404, judging whether an ack message is received within a first time; if so, the attack mode of the message is a normal mode; otherwise, the attack mode of the message is associated with a first template;
s405, judging whether a reset message is received within a second time; if so, the attack mode of the message is a normal mode; otherwise, the attack mode of the message is associated with the first template.
Specifically, for messages of the same session, the type of the previous message is obtained as last_type and its sequence number as last_seq; from the current message the type cur_type and the sequence number cur_seq are extracted. When last_type = seq request and cur_type = seq reply: if cur_seq = last_seq + 1, then type = syn-ack right and a timer t1 is started; if an ack message is received within t1, type = normal; if no ack message is received within t1, type = mode 1. Mode 1 corresponds to the first template. If cur_seq != last_seq + 1, then type = syn-ack err and a timer t2 is started; if a reset message is received within t2, type = normal; if no reset message is received within t2, type = mode 2, and mode 2 corresponds to the second template. In all remaining scenarios, type = other.
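The S401 to S405 decision as a small per-session state machine, added here as an example; it is not the patent's code. Messages are fed in as (type, seq, arrival time) tuples so the t1/t2 timers can be checked against a caller-supplied clock. The timer lengths, the `SessionTracker` class, the mode names and the sample sessions are assumptions: the patent names t1 and t2 but gives no duration.

```python
MASK32 = 0xFFFFFFFF
TEMPLATE_FOR_MODE = {"mode1": "first template", "mode2": "second template"}


class SessionTracker:
    """Attack-mode decision for one session (S401-S405).
    t1 and t2 are durations in seconds; the defaults are assumed values."""

    def __init__(self, t1=1.0, t2=1.0):
        self.t1, self.t2 = t1, t2
        self.last_type = None      # S401: type of the previous message
        self.last_seq = None       # S401: sequence number of the previous message
        self.pending = None        # (seq_type, deadline) while t1 or t2 is running
        self.seq_type = None       # "syn-ack right" | "syn-ack err" once S403 ran
        self.mode = None           # "normal" | "mode1" | "mode2"; None = undecided

    def expire(self, now):
        """Timer ran out with no ack/reset seen: template association mode."""
        if self.pending is not None and now > self.pending[1]:
            kind = self.pending[0]
            self.mode = "mode1" if kind == "syn-ack right" else "mode2"
            self.pending = None
        return self.mode

    def on_message(self, msg_type, seq, now):
        """Feed one message of this session; return the mode decided so far."""
        self.expire(now)
        if self.pending is not None:
            kind = self.pending[0]
            if (kind == "syn-ack right" and msg_type == "ack") or \
               (kind == "syn-ack err" and msg_type == "reset"):
                self.pending, self.mode = None, "normal"      # S404/S405: yes branch
        elif self.last_type == "syn request" and msg_type == "syn reply":   # S402
            if seq == (self.last_seq + 1) & MASK32:                           # S403
                self.seq_type = "syn-ack right"
                self.pending = ("syn-ack right", now + self.t1)               # start t1
            else:
                self.seq_type = "syn-ack err"
                self.pending = ("syn-ack err", now + self.t2)                 # start t2
        self.last_type, self.last_seq = msg_type, seq
        return self.mode

    def result(self, now):
        """Final classification at time `now`; "other" covers the remaining scenes."""
        self.expire(now)
        return self.mode if self.mode is not None else "other"


def run_scenarios(t1=1.0, t2=1.0):
    """Constructed sample sessions covering the four leaves of FIG. 4;
    returns {scenario name: decided mode}."""
    scenarios = {
        "right-then-ack": [("syn request", 100, 0.0), ("syn reply", 101, 0.1), ("ack", 102, 0.5)],
        "right-no-ack":   [("syn request", 100, 0.0), ("syn reply", 101, 0.1)],
        "err-then-reset": [("syn request", 100, 0.0), ("syn reply", 5000, 0.1), ("reset", 0, 0.5)],
        "err-no-reset":   [("syn request", 100, 0.0), ("syn reply", 5000, 0.1)],
        "no-handshake":   [("ack", 7, 0.0)],
    }
    results = {}
    for name, events in scenarios.items():
        tracker = SessionTracker(t1, t2)
        for msg_type, seq, at in events:
            tracker.on_message(msg_type, seq, at)
        results[name] = tracker.result(at + max(t1, t2) + 1.0)  # clock past both timers
    return results


if __name__ == "__main__":
    for name, mode in run_scenarios().items():
        print(name, "->", mode, TEMPLATE_FOR_MODE.get(mode, ""))
```

Keeping the timer outcome separate from the sequence-number check matters for the storage decision: a syn-ack with the right sequence number is still attack traffic if no ack ever follows, and that is exactly the case the first template is sized for.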
In this embodiment, the header of the message carries the syn and ack flag bits: when SYN = 1 and ACK = 0 the message is a syn message; when SYN = 1 and ACK = 1 it is a syn-ack message; when SYN = 0 and ACK = 1 it is an ack message. These three are the basic message types exchanged when tcp connections are set up, and are referred to as syn message, syn-ack message and ack message for short.
In this embodiment, the first template includes a source port number, a destination port number, a syn serial number, a syn acknowledgement number, and respective storage spaces thereof. The first template is shown in table 1 below:
TABLE 1
sport     dport     syn-seq   syn-ack-seq
16 bits   16 bits   32 bits   32 bits
Because the messages appear in pairs in the mode 1, the characteristics of syn message interaction can be utilized according to the first template storage, and the storage space is saved.
In this embodiment, the second template is: source port number, destination port number, syn-seq information, syn-ack-error-seq information, and their respective corresponding storage spaces.
TABLE 2
sport     dport     syn-seq   syn-ack-seq   syn-ack-error-seq
16 bits   16 bits   32 bits   32 bits       32 bits
Mode 2 corresponds to the case where a firewall is judged to exist and, by replying with a limited number of syn-ack err messages, decides whether the source is on a white list; the M table of template 2 is therefore used in this case.
In this embodiment, when the attack mode of the message is associated with the first template, the template associated with the template association mode is used to create the second mapping relationship corresponding to the source ip, which includes two cases, that is, a case that the message is a syn message and a syn-ack message.
If the message is syn message, creating an empty item in the M table by using the first template, extracting the source port number, the destination port number and the syn-seq information of the syn message, and recording the information into the empty item corresponding to the first template.
If the message is a syn-ack message, extracting source port number, destination port number and syn-ack-seq information of the syn-ack message; searching a corresponding item according to a source port number and a destination port number, and if the corresponding item is found, recording syn-ack-seq information into the corresponding item; if no corresponding item is found, a null item is newly established by the first template, and the source port number, the destination port number and the syn-ack-seq information of the syn-ack message are recorded in the null item corresponding to the first template.
In this embodiment, when the attack mode of the packet associates with the second template, creating a second mapping relationship corresponding to the source ip by using the template associated with the template association mode includes:
if the message is a syn message, extracting the source port number, the destination port number and the syn-seq information of the syn message, and recording the information to an empty item corresponding to the second template;
if the message is a syn-ack message, extracting a source port number, a destination port number, syn-ack-seq information and syn-ack-error-seq information of the syn-ack message; searching a corresponding item according to a source port number and a destination port number, and if the corresponding item is found, recording syn-ack-seq information into the corresponding item; if the corresponding item is not found, a null item is newly established by the second template, and the source port number, the destination port number and the syn-ack-seq information of the syn-ack message are recorded in the null item corresponding to the second template.
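The two templates of TABLE 1 and TABLE 2 and the syn / syn-ack fill procedure just described, as an added Python example that is not the patent's code. Items are packed with `struct` at the stated field widths (12 bytes for the first template, 16 for the second). One orientation assumption is made explicit: the text says a syn-ack is matched "according to a source port number and a destination port number", and since the syn-ack flows from the attacked device back to the source, the example swaps its ports before the lookup so that all items are keyed by the attacking side's (sport, dport). The `TemplateMTable` class, method names and sample values are constructed.

```python
import struct

# TABLE 1 (first template): sport 16 | dport 16 | syn-seq 32 | syn-ack-seq 32  -> 12 bytes
TEMPLATE1 = struct.Struct(">HHII")
# TABLE 2 (second template): TABLE 1 plus syn-ack-error-seq 32                 -> 16 bytes
TEMPLATE2 = struct.Struct(">HHIII")


class TemplateMTable:
    """M table for the template association mode; every item follows one template.
    Items are held as lists while being filled and packed with struct on demand."""

    def __init__(self, template):
        self.template = template
        self.width = len(template.format) - 1     # field count (format minus the '>')
        self.items = []

    def _new_item(self, sport, dport):
        """Empty item created from the template with only the port pair set."""
        item = [0] * self.width
        item[0], item[1] = sport, dport
        self.items.append(item)
        return item

    def _find(self, sport, dport):
        """Look up an item by the (sport, dport) pair of the attacking side."""
        for item in self.items:
            if item[0] == sport and item[1] == dport:
                return item
        return None

    def add_syn(self, sport, dport, syn_seq):
        """syn message: new empty item, record sport, dport and syn-seq."""
        item = self._new_item(sport, dport)
        item[2] = syn_seq
        return item

    def add_syn_ack(self, sport, dport, syn_ack_seq, syn_ack_error_seq=0):
        """syn-ack message: find the item by port pair and record syn-ack-seq,
        or create a new item if none matches. Ports are swapped before lookup
        because the syn-ack travels in the reverse direction (assumption)."""
        key_sport, key_dport = dport, sport
        item = self._find(key_sport, key_dport)
        if item is None:
            item = self._new_item(key_sport, key_dport)
        item[3] = syn_ack_seq
        if self.width == 5:                       # second template only
            item[4] = syn_ack_error_seq
        return item

    def serialise(self):
        """Fixed-width byte image of the table: template size times item count."""
        return b"".join(self.template.pack(*item) for item in self.items)


def run_sample():
    """Constructed sample: a syn/syn-ack pair per template, plus an unmatched syn-ack."""
    t1 = TemplateMTable(TEMPLATE1)
    t1.add_syn(40000, 80, 1000)                  # syn from source port 40000 to port 80
    t1.add_syn_ack(80, 40000, 777000)            # syn-ack back to it: fills the same item
    t2 = TemplateMTable(TEMPLATE2)
    t2.add_syn(40001, 80, 2000)
    t2.add_syn_ack(80, 40001, 888000, 999000)    # syn-ack plus the erroneous seq it carried
    t2.add_syn_ack(80, 40002, 1, 2)              # no syn seen for this pair: new item
    return t1, t2


if __name__ == "__main__":
    a, b = run_sample()
    print(a.items, len(a.serialise()))   # [[40000, 80, 1000, 777000]] 12
    print(b.items, len(b.serialise()))   # two items, 32 bytes
```

Because every item has a fixed size, the byte image can be scanned or indexed by offset without parsing, which is what makes a per-source M table cheap to retrieve when an attack is visualised.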
In this embodiment, storing the message in the second mapping relationship according to the message type of the message includes:
extracting the type, serial number, source port number and destination port number of the message; extracting the type, the serial number, the source port number and the destination port number of the last message from the first mapping relation; if the type of the message is the same as the type of the previous message, updating the sequence number in the first mapping relation of the message; otherwise, a new item is added in the second mapping relation, the type is the type of the syn message and the number is 1, and the first mapping relation is updated by the new item.
Specifically, the type of the message is extracted as type1, its sequence number as seq1 and its port numbers as sport1 and dport1; the principle is that messages are stored in the M table in time order. The type2, sequence number seq2 and ports sport2 and dport2 of the last message are taken from the fix_info of the N table.
If the message type1 equals type2, the seq value in the fix_info of the N table is updated. type refers to the type of the message.
If the number of messages of this type received so far is < 32, the number is incremented by 1. If the number = 32, the M table creates one new entry with type = type1 and number = 1.
If the message type1 does not equal type2, the M table creates one entry with M->type = type1 and M->number = 1. For example, if the state of the last message in the N table is type2 = syn and the type of the message to be processed is syn-ack right, a new item with type1 = syn-ack right and number = 1 is added, and the fix_info information in the N table is updated to the information of this message.
When type1 is the syn-ack type: if type2 = syn type and sport1 == dport2 and dport1 == sport2 and seq1 == seq2 + 1, then type = syn-ack right and all values of the N table fix_info are updated. If type2 = syn type and sport1 == dport2 and dport1 == sport2 and seq1 != seq2 + 1, then type = syn-ack err, and for a message of type syn-ack err the rest of fix_info is not modified.
When type1 = reset type, an entry is newly added in the M table; if type2 = syn-ack-err and sip2 = sip1, the messages of this sip are marked as legal (i.e. type1 = legal message) and seq = 0 is written to the fix_info item, meaning that this sip is a legal ip; the other fix_info items of the N table are not updated. In the remaining cases type1 = reset, the number is incremented by 1, and the fix_info entry of the N table is not updated.
When type1 = ack type, an entry is newly added in the M table; if sport1 == dport2 and dport1 == sport2 and seq2 == seq1 + 1, this ip is marked as legal, type = legal message, seq = 0 is written to the fix_info item, meaning that this sip is a legal ip, and the other fix_info items of the N table are not updated. In the remaining cases type = reset, the number is incremented by 1, and the fix_info entry of the N table is not updated.
In all remaining cases, all values of the N table fix_info are updated: fix_info->type = type1, fix_info->seq = seq1, fix_info->sport = sport1, fix_info->dport = dport1.
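The default-mode M table described earlier (8-bit entries: 3-bit category, 5-bit number) together with the same-type / different-type update rule and the 32 cap from the paragraphs above, as an added Python example that is not the patent's code. One detail the text leaves open is how a count of 32 fits in 5 bits; the example stores number-1, so the field holds 1..32, and labels that as an assumption. The `DefaultMTable` class, the category names, keeping fix_info inside the class rather than in the N table, and the constructed burst of messages are all assumptions made for the illustration; the legal-marking rules for reset and ack messages are not implemented here.

```python
# Category codes from the 8-category list of the default M table layout.
CATEGORY_CODE = {
    "syn request": 0b000,
    "syn reply right": 0b001,
    "syn reply err": 0b010,
    "syn reset": 0b011,
    "ack normal": 0b100,
    "syn request-syn reply right pair": 0b101,
    "syn request-syn reply err pair": 0b110,
    "legal": 0b111,
}
CATEGORY_NAME = {code: name for name, code in CATEGORY_CODE.items()}
MAX_COUNT = 32          # 2^5 values; the text gives 32 as the maximum number


def pack_entry(category, count):
    """8-bit M table entry: 3-bit category in the high bits, number in the low 5.
    The number is stored as count-1 so that 1..32 fits in 5 bits (assumption)."""
    if not 1 <= count <= MAX_COUNT:
        raise ValueError("count must be in 1..32")
    return (CATEGORY_CODE[category] << 5) | (count - 1)


def unpack_entry(byte):
    """Inverse of pack_entry: (category name, number)."""
    return CATEGORY_NAME[byte >> 5], (byte & 0x1F) + 1


class DefaultMTable:
    """Default-mode M table of one source ip, with that source's last-message
    fix_info kept alongside it (in the patent this lives in the N table)."""

    def __init__(self):
        self.entries = bytearray()   # one byte per entry, in arrival order
        self.fix_info = None         # {"type", "seq", "sport", "dport"} of the last message

    def store(self, msg):
        """Store one message by type. Same type as the last message: bump the
        number of the last entry, opening a new entry once it holds 32.
        Different type: new entry with number 1 and refreshed fix_info.
        Returns the number of entries in the table."""
        if self.fix_info is not None and self.fix_info["type"] == msg["type"]:
            category, count = unpack_entry(self.entries[-1])
            if count < MAX_COUNT:
                self.entries[-1] = pack_entry(category, count + 1)
            else:
                self.entries.append(pack_entry(msg["type"], 1))
            self.fix_info["seq"] = msg["seq"]          # only seq is refreshed
        else:
            self.entries.append(pack_entry(msg["type"], 1))
            self.fix_info = {"type": msg["type"], "seq": msg["seq"],
                             "sport": msg["sport"], "dport": msg["dport"]}
        return len(self.entries)

    def decoded(self):
        """Human-readable view: list of (category, number) per entry."""
        return [unpack_entry(b) for b in self.entries]


def run_sample():
    """Constructed burst: 33 syn requests from one source, then one syn reply right."""
    table = DefaultMTable()
    for i in range(33):
        table.store({"type": "syn request", "seq": 1000 + i, "sport": 40000 + i, "dport": 80})
    table.store({"type": "syn reply right", "seq": 1033, "sport": 80, "dport": 40032})
    return table


if __name__ == "__main__":
    t = run_sample()
    print(t.decoded())          # [('syn request', 32), ('syn request', 1), ('syn reply right', 1)]
    print(len(t.entries), "bytes for 34 messages")
```

Thirty-four messages collapse into three bytes here, which is the storage argument of this section made concrete; the price is that per-message detail is gone, so anything needed for tracing must already sit in the N table's fix_info.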
The storage optimization of synflood messages covers three related attack message types, namely the syn message, the syn-ack message with an accurate seq sequence number and the syn-ack message with a wrong sequence number; these are treated not only as separate synflood attacks but are also stored as separate blocks per type. The classification makes it possible to analyze the device's anti-ddos behaviour, so that users understand the attack means more clearly when the attack is visualized.
In some embodiments, flood messages alone use the 1:N:M table and ordinary messages are indexed by session, so that when a user needs to query relevant information:
When the destination ip is queried, the query is split into two parts:
1. information built in the ordinary block through the session table is indexed for the destination ip in the normal way;
2. in the flood block, all message information for the destination ip is taken from the 1:N:M index linked list.
When an attack is visualized, for each attacked target the 1:N:M table based on its dest ip is used and displayed directly.
Meanwhile, in the embodiment, synflood is stored separately, so that the index performance of the target ip is improved, and the index performance of the attack message is also improved, because the backtracking of the attack traffic is a common function for a full traffic storage index system. After encountering an attack, a user can independently check and analyze the flow of the flooding attack, and then independently store the flow, so that the acquisition range of the attack flow is greatly shortened during indexing, and the overall performance is further improved. The syn flood is stored independently, and the common message is stored independently, so that the visualization performance of the common index and the attack message is improved.
According to an embodiment of the invention, for most attack messages, only 1 is stored: the N table saves space; only in case of multiple syn attacks on the same ip will the M table appear. The storage space can be greatly saved, the target ip retrieval performance is improved, and the analysis and backtracking functions of the attack message are improved.
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present invention is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present invention. Further, those skilled in the art will also appreciate that the embodiments described in the specification are alternative embodiments, and that the acts and modules referred to are not necessarily required for the present invention.
According to an embodiment of the invention, the invention further provides an electronic device and a readable storage medium.
Fig. 5 shows a schematic block diagram of an electronic device 500 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
The device 500 comprises a computing unit 501 that may perform various suitable actions and processes in accordance with a computer program stored in a Read Only Memory (ROM) 502 or loaded from a storage unit 508 into a Random Access Memory (RAM) 503. In the RAM 503, various programs and data required for the operation of the device 500 can also be stored. The computing unit 501, ROM 502, and RAM 503 are connected to each other by a bus 504. An input/output (I/O) interface 505 is also connected to bus 504.
Various components in the device 500 are connected to the I/O interface 505, including: an input unit 506 such as a keyboard, a mouse, etc.; an output unit 507 such as various types of displays, speakers, and the like; a storage unit 508 such as a magnetic disk, an optical disk, or the like; and a communication unit 509 such as a network card, modem, wireless communication transceiver, etc. The communication unit 509 allows the device 500 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
The computing unit 501 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of computing unit 501 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 501 performs the respective methods and processes described above, for example, the methods S101 to S105 or S401 to S405. For example, in some embodiments, methods S101-S105 or S401-S405 may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as storage unit 508. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 500 via the ROM 502 and/or the communication unit 509. When the computer program is loaded into RAM 503 and executed by the computing unit 501, one or more steps of the methods S101-S105 or S401-S405 described above may be performed. Alternatively, in other embodiments, the computing unit 501 may be configured to perform the methods S101-S105 or S401-S405 by any other suitable means (e.g. by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs, which may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present invention may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and pointing device (e.g., a mouse or trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), and the internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server incorporating a blockchain.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein. The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (8)

1. A synflood attack storage method based on a full-flow storage backtracking system, characterised in that it comprises the following steps:
S101, acquiring a message and extracting the destination ip address of the message;
S102, querying a mapping relation table according to the destination ip address; if a mapping relation group corresponding to the destination ip address exists in the mapping relation table, executing S103; otherwise, establishing a mapping relation group for the destination ip address and adding it to the mapping relation table; the mapping relation group comprises a first mapping relation and a second mapping relation; the first mapping relation is a 1:N mapping relation between a destination ip address and attack ip addresses; the second mapping relation is a 1:M mapping relation between an attack ip address and synflood attack interaction messages;
S103, querying the first mapping relation; if the source ip address of the message exists in the first mapping relation, executing S104; otherwise, adding the source ip to the first mapping relation;
S104, judging whether a second mapping relation corresponding to the source ip address exists under the first mapping relation; if so, executing S105; otherwise, newly establishing a second mapping relation corresponding to the source ip and executing S105;
S105, judging whether the attack mode of the message is a template association mode; if so, creating the second mapping relation corresponding to the source ip address using the template associated with that mode; otherwise, storing the message into the second mapping relation according to the message type of the message;
wherein judging whether the attack mode of the message is a template association mode comprises the following steps:
S401, for messages of the same session, acquiring the type and sequence number of the previous message and the type and sequence number of the current message;
S402, if the type of the previous message is a sequence number request and the type of the current message is a sequence number response, executing S403;
S403, if the sequence number of the current message is the next sequence number after that of the previous message, the sequence number of the syn response message is classified as correct and S404 is executed; otherwise, the sequence number of the syn response message is classified as wrong and S405 is executed;
S404, judging whether a message is received within a first time; if so, the attack mode of the message is the normal mode; otherwise, the attack mode of the message is associated with a first template;
S405, judging whether a reset message is received within a second time; if so, the attack mode of the message is the normal mode; otherwise, the attack mode of the message is associated with a second template;
the first template comprises a source port number, a destination port number, the sequence number of the syn, the acknowledgement number of the syn, and their corresponding storage spaces;
the second template comprises a source port number, a destination port number, syn-seq information, syn-ack-error-seq information, and their corresponding storage spaces.
2. The method according to claim 1, wherein adding the mapping relation group of the destination ip to the mapping relation table comprises:
newly establishing the destination ip address in the mapping relation table, creating the first mapping relation corresponding to the destination ip address, and adding the source ip address corresponding to the destination ip address to the first mapping relation.
3. The method according to claim 1, wherein, when the attack mode of the message is associated with the first template, creating the second mapping relation corresponding to the source ip using the template associated with the template association mode comprises:
if the message is a syn message, creating an empty item from the first template, extracting the source port number, destination port number and syn-seq information of the syn message, and recording them in the empty item corresponding to the first template;
if the message is a syn-ack message, extracting the source port number, destination port number and syn-ack-seq information of the syn-ack message; searching for the corresponding item by source port number and destination port number, and if it is found, recording the syn-ack-seq information in that item; if no corresponding item is found, newly establishing an empty item from the first template and recording the source port number, destination port number and syn-ack-seq information of the syn-ack message in the empty item corresponding to the first template.
4. The method according to claim 1, wherein, when the attack mode of the message is associated with the second template, creating the second mapping relation corresponding to the source ip using the template associated with the template association mode comprises:
if the message is a syn message, extracting the source port number, destination port number and syn-seq information of the syn message and recording them in an empty item corresponding to the second template;
if the message is a syn-ack message, extracting the source port number, destination port number, syn-ack-seq information and syn-ack-error-seq information of the syn-ack message; searching for the corresponding item by source port number and destination port number, and if it is found, recording the syn-ack-seq information in that item; if no corresponding item is found, newly establishing an empty item from the second template and recording the source port number, destination port number and syn-ack-seq information of the syn-ack message in the empty item corresponding to the second template.
5. The method according to claim 1, wherein adding the source ip to the first mapping relation comprises:
updating the source ip address and the fix_info field in the first mapping relation according to the source ip of the message.
6. The method according to claim 1, wherein storing the message into the second mapping relation according to the message type of the message comprises:
extracting the type, sequence number, source port number and destination port number of the message; extracting the type, sequence number, source port number and destination port number of the previous message from the first mapping relation;
if the type of the message is the same as the type of the previous message, updating the sequence number of the message in the first mapping relation; otherwise, adding a new item to the second mapping relation whose type is the type of the message and whose count is 1, and updating the first mapping relation with the new item.
7. An electronic device comprising at least one processor; and
a memory communicatively coupled to the at least one processor; characterised in that
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-6.
8. A non-transitory computer-readable storage medium storing computer instructions for causing a computer to perform the method of any one of claims 1-6.
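The following is an added worked example, not code from the patent or its assignee. It is a toy in-memory Python model of the 1:N:M storage described in the detailed description above and of the claim 1 procedure (S101 to S105, with the S401 to S405 template decision). The names fix_info, sport, dport, syn-seq and the two templates come from the page; the packet record layout, the concrete lengths of the first and second time windows, the choice to buffer a session until S404/S405 has decided its mode, and the use of the syn-ack's acknowledgement number as the recorded syn-ack number are assumptions of this example. The sample traffic in demo() is constructed.

```python
"""Toy in-memory model of the 1:N:M syn-flood store (added example, not the
patent's code).  Steps S101-S105 / S401-S405, the fix_info fields and the two
templates follow the page; window lengths, packet layout and session buffering
are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

SYN, SYN_ACK, ACK, RST = "syn", "syn-ack", "ack", "rst"
# Claim 1: first template = sport, dport, syn seq, syn ack number; second = ... error seq
FIRST_TEMPLATE = ("sport", "dport", "syn_seq", "syn_ack")
SECOND_TEMPLATE = ("sport", "dport", "syn_seq", "syn_ack_error_seq")


@dataclass
class Pkt:  # assumed packet record: the TCP header fields the store needs
    ts: float; sip: str; dip: str; sport: int; dport: int
    type: str; seq: int; ack: int = 0


@dataclass
class Session:  # a syn-initiated session, buffered until S404/S405 decides its mode
    atk: str
    tgt: str
    sport: int
    dport: int
    pkts: list = field(default_factory=list)
    template: int = 0                 # 1 or 2 once a syn-ack has been seen
    expect: Optional[str] = None      # message type that proves a normal handshake
    deadline: Optional[float] = None  # end of the first / second time window


class FloodStore:
    def __init__(self, first_time=1.0, second_time=1.0):   # window lengths: assumed
        self.t1, self.t2 = first_time, second_time
        self.open = {}     # session key -> Session whose mode is undecided
        self.common = {}   # common block, indexed by session
        self.flood = {}    # flood block: dst ip -> {attack ip -> {"fix_info", "m"}}

    @staticmethod
    def key(p):            # direction-independent session key
        return frozenset({(p.sip, p.sport), (p.dip, p.dport)})

    def ingest(self, p):
        self.expire(p.ts)
        k = self.key(p)
        s = self.open.get(k)
        if s is None and p.type == SYN:                        # new session
            s = self.open[k] = Session(p.sip, p.dip, p.sport, p.dport)
        if s is None:                                          # no syn tracked
            self.common.setdefault(k, []).append(p)
            return
        s.pkts.append(p)
        last = s.pkts[-2] if len(s.pkts) > 1 else None         # S401
        if last is not None and last.type == SYN and p.type == SYN_ACK:   # S402
            if p.ack == last.seq + 1:                          # S403: seq correct
                s.template, s.expect, s.deadline = 1, ACK, p.ts + self.t1  # S404
            else:                                              # S403: seq error
                s.template, s.expect, s.deadline = 2, RST, p.ts + self.t2  # S405
        elif s.expect is not None and p.type == s.expect:      # answered in time
            self.common[k] = self.open.pop(k).pkts             # normal mode

    def expire(self, now):  # sessions whose window passed without ACK/RST are flood traffic
        for k, s in list(self.open.items()):
            if s.deadline is not None and now >= s.deadline:
                self._commit(self.open.pop(k))

    def _commit(self, s):
        n_table = self.flood.setdefault(s.tgt, {})                     # S102: 1:N group
        entry = n_table.setdefault(s.atk, {"fix_info": {}, "m": []})   # S103/S104: 1:M
        fields = FIRST_TEMPLATE if s.template == 1 else SECOND_TEMPLATE
        item = dict.fromkeys(fields, None)                             # S105: empty item
        item["sport"], item["dport"] = s.sport, s.dport
        for p in s.pkts:
            if p.type == SYN:
                item["syn_seq"] = p.seq
            elif p.type == SYN_ACK:   # assumption: the syn-ack's ack number is recorded
                item["syn_ack" if s.template == 1 else "syn_ack_error_seq"] = p.ack
        entry["m"].append({"template": s.template, **item})
        last = s.pkts[-1]                                              # fix_info update
        entry["fix_info"] = {"type": last.type, "seq": last.seq,
                             "sport": last.sport, "dport": last.dport}

    def query_target(self, dip):  # common block via session index, flood block via 1:N:M
        common = [v for k, v in self.common.items() if any(ip == dip for ip, _ in k)]
        return {"common_sessions": common, "flood": self.flood.get(dip, {})}


def demo():
    """Constructed traffic: two half-open probes from 10.0.0.5 against 192.0.2.10
    (correct and wrong syn-ack) and one completed handshake from 198.51.100.7."""
    T, A, C = "192.0.2.10", "10.0.0.5", "198.51.100.7"
    pkts = [
        Pkt(0.0, A, T, 40001, 80, SYN, 1000),
        Pkt(0.1, T, A, 80, 40001, SYN_ACK, 5000, ack=1001),   # correct, never ACKed
        Pkt(0.2, A, T, 40002, 80, SYN, 2000),
        Pkt(0.3, T, A, 80, 40002, SYN_ACK, 6000, ack=9999),   # wrong ack, never reset
        Pkt(0.4, C, T, 50000, 80, SYN, 3000),
        Pkt(0.5, T, C, 80, 50000, SYN_ACK, 7000, ack=3001),
        Pkt(0.6, C, T, 50000, 80, ACK, 3001, ack=7001),       # normal handshake
    ]
    store = FloodStore()
    for p in pkts:
        store.ingest(p)
    store.expire(now=5.0)   # both time windows have elapsed
    return store
```

Running demo() and then query_target("192.0.2.10") returns the completed handshake from the common block and, from the flood block, one 1:N row for 10.0.0.5 holding two M items: one first-template item (syn_seq 1000, syn_ack 1001) and one second-template item (syn_ack_error_seq 9999). The legitimate client never reaches the flood block, which is the space saving the description claims: the M table only grows for sources whose handshakes time out.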
CN202311469197.9A 2023-11-07 2023-11-07 Syn flood attack storage method based on full-flow storage backtracking system Active CN117201201B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311469197.9A CN117201201B (en) 2023-11-07 2023-11-07 Syn flood attack storage method based on full-flow storage backtracking system

Publications (2)

Publication Number Publication Date
CN117201201A CN117201201A (en) 2023-12-08
CN117201201B true CN117201201B (en) 2024-01-02

Family

ID=89003858

Country Status (1)

Country Link
CN (1) CN117201201B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108234473A (en) * 2017-12-28 2018-06-29 新华三技术有限公司 A kind of message anti-attack method and device
CN111314379A (en) * 2020-03-20 2020-06-19 深圳市腾讯计算机系统有限公司 Attacked domain name identification method and device, computer equipment and storage medium
CN112714102A (en) * 2020-12-02 2021-04-27 国家计算机网络与信息安全管理中心 SYN Flood attack defense method under multi-core heterogeneous platform
US11108812B1 (en) * 2018-04-16 2021-08-31 Barefoot Networks, Inc. Data plane with connection validation circuits

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant