CN1466306A - Method for preventing network state synchronous flood attack and protecting network in transparent mode - Google Patents

Publication number: CN1466306A
Authority: CN (China)
Prior art keywords: syn, network, safeguard, flood, flag bit
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Application number: CNA021234221A
Other languages: Chinese (zh)
Other versions: CN100429881C (en)
Inventors: 孙喜明, 李群, 陈庆
Current assignee (as listed by Google Patents): Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Original assignee: ZHONGLIAN LUMENG INFORMATION (BEIJING) CO Ltd
Application filed by ZHONGLIAN LUMENG INFORMATION (BEIJING) CO Ltd; priority to CNB021234221A; published as CN1466306A; granted and published as CN100429881C; current legal status: Expired - Lifetime

Abstract

This invention discloses a method for preventing SYN flood attacks and protecting a network in transparent mode, comprising the following steps: (1) the network interface devices through which the SYN flood protection equipment forwards network packets are not assigned IP addresses but are set to promiscuous mode; (2) the SYN flood protection equipment processes network packets in the SYN Cookie manner, so as to prevent SYN flood attacks and protect the network. The equipment is thus normally hidden on the network while still applying SYN Cookie processing to the network data.

Description

A method for preventing network state synchronous flood attacks and protecting a network in transparent mode
Technical field
The present invention relates to a method of protecting a network, in particular a method for preventing SYN Flood attacks (in Chinese: network state synchronous flood attacks) and protecting a network in transparent mode. The invention belongs to the field of network communication and network security.
Background technology
A network state synchronous flood attack (hereinafter: SYN Flood attack) is a network attack that exploits a flaw in the design of the TCP protocol. TCP specifies that a connection must be established by a three-way handshake between the two sides, and only after the handshake has been confirmed do the two sides exchange data; in other words, all subsequent data exchange relies on the trust relationship created by the three-way handshake. The exchange proceeds as shown in Fig. 1. According to TCP, when host B receives a SYN packet (a packet with the SYN flag bit set) sent by host A, it responds to host A with a SYN/ACK packet (a packet with both the SYN and ACK flag bits set) and then enters a state in which it waits for the ACK packet (a packet with the ACK flag bit set) from host A. In TCP this is the SYN_WAIT state, and it persists for a period of time; if host B does not receive the ACK packet from host A within that time, host B considers that host A has abandoned the connection. In general, the operating system allocates a certain amount of memory for each connection while it is in the SYN_WAIT state.
If host B receives a large number of SYN packets with forged source addresses, it allocates a large amount of memory, enters the SYN_WAIT state for each of them, and cannot release that memory while the SYN_WAIT state lasts. Because the source addresses of these SYN packets are forged, host B never receives the corresponding ACK packets; that is, host B allocates a large amount of memory and can only release it after the SYN_WAIT state has run its full course. During this period, even if host B receives a genuine SYN packet from a real host A, it cannot respond, because its memory resources are exhausted and it is unable to serve real connections. This is the so-called SYN Flood attack, also known as a "SYN flood".
At present there are two methods for protecting other hosts or networks against SYN Flood attacks: a SYN Cookie method based on an IP address, and a bandwidth limiting method based on an IP address. Because an IP address is the identity of a network device, any network device that has an IP address is itself exposed to the various network attacks. Therefore, whether the IP-address-based SYN Cookie method or the IP-address-based bandwidth limiting method is used, the SYN Flood protection device that protects other hosts or networks from SYN Flood attacks is itself configured with an IP address, so the protection device is equally exposed to network attacks, and the goal of preventing SYN Flood attacks and protecting the network cannot be fundamentally achieved.
Summary of the invention
In view of the above, the purpose of this invention is to provide a method for protecting a single host or a network against SYN Flood attacks and protecting the network in transparent mode; at the same time, the method also keeps the SYN Flood protection device itself from suffering SYN Flood attacks.
To achieve the above object, the present invention adopts the following technical solution: a method for preventing SYN Flood attacks and protecting a network in transparent mode, comprising the following steps:
(1) The network interface devices through which the "SYN Flood protection device" forwards network packets are not assigned IP addresses and are set to promiscuous mode;
(2) The "SYN Flood protection device" processes the network packets that pass through it in the SYN Cookie manner;
(3) After the SYN Cookie processing completes normally, the "SYN Flood protection device" establishes a TCP connection with the destination host.
Because the present invention does not assign IP addresses to the network interface devices through which the SYN Flood protection equipment forwards network packets but sets them to promiscuous mode, the device is "invisible" on the network in normal operation, so the security of the SYN Flood protection device itself is very good. At the same time, the SYN Flood protection device applies SYN Cookie processing to the network data and prevents a SYN Flood from occurring, so compared with the existing methods of preventing SYN Flood attacks the present invention has better security. No additional configuration is needed in use; it works normally without any human intervention by the user; its cost is low and its use is simple and convenient; and it fundamentally achieves the goal of preventing SYN Flood attacks.
Description of drawings
Fig. 1 is a diagram of the TCP connection relationship.
Fig. 2 is a diagram of embodiment 1 of the connection of the SYN Flood protection device of the invention in a network.
Fig. 3 is a diagram of embodiment 2 of the connection of the SYN Flood protection device of the invention in a network.
Fig. 4 is a diagram of embodiment 3 of the connection of the SYN Flood protection device of the invention in a network.
Fig. 5 is a workflow diagram of the present invention.
Specific embodiments of the invention
As shown in Fig. 2, Fig. 3 and Fig. 4, the SYN Flood protection device that realizes the object of the invention consists of a host with at least two network interface devices. In use, the IN interface of the SYN Flood protection device is connected to the network through a hub or switch, and its OUT interface is connected to the protected object, a host or server, either directly or through a hub, switch or firewall. In the present invention, the network interface devices through which the "SYN Flood protection device" forwards network packets are precisely the "IN" and "OUT" interfaces. For ease of management, the "SYN Flood protection device" may also have a "management interface" in addition to the interfaces used for forwarding (i.e. the "IN" and "OUT" interfaces). The "management interface" may be configured with an IP address, but this is not necessary for normal operation of the "SYN Flood protection device": it operates normally even without a "management interface".
The principle by which the invention prevents SYN Flood attacks and protects the network is: the network interface devices through which the "SYN Flood protection device" forwards network packets are not assigned IP addresses but are set to promiscuous mode, and the network packets passing through the "SYN Flood protection device" are processed in the SYN Cookie manner, so as to prevent SYN Flood attacks and protect the network.
Fig. 5 is the flow chart of the invention for preventing SYN Flood attacks and protecting the network. As shown in the figure, it comprises the following steps:
(1) The network interface devices through which the "SYN Flood protection device" forwards network packets are not assigned IP addresses and are set to promiscuous mode;
In the present invention, the operating system is used to leave the network interface devices used for forwarding without IP addresses and to set them to promiscuous mode.
Promiscuous mode is an operating mode of a network interface device. In promiscuous mode, the network interface device no longer selectively receives network packets according to its own configured IP address, but receives network packets whose "destination IP address" is any IP address. Setting a network interface device to promiscuous mode is done through the operating system, and the operating system can also cancel promiscuous mode so that the device returns to selectively receiving network packets according to its own configured IP address. For example, under the FreeBSD operating system the following command can be used to set the network interface devices to promiscuous mode:
sysctl -w net.link.ether.bridge=1
(2) The "SYN Flood protection device" processes the network packets passing through it in the SYN Cookie manner:
a. Obtain the TCP packet;
b. Determine whether the SYN flag bit is set. If it is, respond with a TCP packet that has the SYN/ACK flag bits set and carries a custom password (the cookie) in the network packet;
c. If the SYN flag bit is not set, determine whether only the ACK flag bit is set. If the ACK flag bit is not set either, the "SYN Flood protection device" forwards the TCP packet normally; if the ACK flag bit is set, proceed to the next step;
d. If the ACK flag bit is set, further determine whether the password in the network packet is legitimate. If it is not, the "SYN Flood protection device" forwards the TCP packet normally; if it is, the "SYN Flood protection device" establishes a TCP connection with the destination host.
(3) After the SYN Cookie processing completes normally, the "SYN Flood protection device" establishes a TCP connection with the destination host.
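The SYN Cookie decision flow of steps a to d, written out as an added Python example (this is not code from the patent): the device answers every SYN statelessly with a SYN/ACK whose sequence number is a keyed cookie, forwards anything that is not a bare ACK, and only when a bare ACK echoes a cookie it could recently have issued for that 4-tuple does it go on to connect to the destination host. The cookie layout, the HMAC key, the age window and the sample addresses are assumptions, since the patent does not say how the "custom password" is built.

```python
import hashlib
import hmac
from dataclasses import dataclass

SECRET = b"constructed-demo-key"   # assumed per-device secret; a real device rotates it
SYN, ACK, PSH = 0x02, 0x10, 0x08   # TCP flag bits
COOKIE_MAX_AGE = 2                 # accepted age of a cookie, in counter ticks (assumed)


@dataclass(frozen=True)
class Segment:
    # The TCP header fields the device needs (constructed, not parsed from a capture)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: int
    seq: int
    ack: int


def cookie_for(seg, client_isn, counter):
    """32-bit cookie used as the SYN/ACK sequence number: top byte is a time counter,
    low 24 bits a keyed hash over the 4-tuple, client ISN and counter. No state is kept."""
    msg = (f"{seg.src_ip}:{seg.src_port}>{seg.dst_ip}:{seg.dst_port}:"
           f"{client_isn & 0xFFFFFFFF}:{counter & 0xFF}").encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return ((counter & 0xFF) << 24) | int.from_bytes(digest[:3], "big")


def process(seg, now_counter):
    """Steps a-d for one TCP packet. Returns (action, cookie); action is
    'reply_synack', 'forward' or 'establish', cookie is set only for a SYN/ACK reply."""
    # b: a SYN gets a SYN/ACK whose sequence number is the cookie; nothing is stored
    if seg.flags & SYN:
        return "reply_synack", cookie_for(seg, seg.seq, now_counter)
    # c: anything that is not a bare ACK is forwarded unchanged
    if seg.flags != ACK:
        return "forward", None
    # d: a bare ACK must echo a cookie this device issued recently for this 4-tuple
    cookie = (seg.ack - 1) & 0xFFFFFFFF          # the client acknowledges cookie + 1
    counter = cookie >> 24
    if (now_counter - counter) & 0xFF > COOKIE_MAX_AGE:
        return "forward", None                    # stale, or never issued by us
    expected = cookie_for(seg, (seg.seq - 1) & 0xFFFFFFFF, counter)  # seq is ISN + 1
    if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
        return "establish", None                  # device now connects to the server
    return "forward", None


def handshake_demo(now_counter=5):
    """Walk one constructed client through the flow; returns the actions taken."""
    tuple4 = dict(src_ip="198.51.100.7", src_port=40000,
                  dst_ip="203.0.113.10", dst_port=80)
    syn = Segment(flags=SYN, seq=1000, ack=0, **tuple4)
    action, cookie = process(syn, now_counter)
    good_ack = Segment(flags=ACK, seq=1001, ack=(cookie + 1) & 0xFFFFFFFF, **tuple4)
    bad_ack = Segment(flags=ACK, seq=1001, ack=((cookie ^ 0x0F) + 1) & 0xFFFFFFFF, **tuple4)
    data = Segment(flags=ACK | PSH, seq=1001, ack=(cookie + 1) & 0xFFFFFFFF, **tuple4)
    return [action,
            process(good_ack, now_counter)[0],          # legitimate third handshake packet
            process(bad_ack, now_counter)[0],           # wrong cookie: forwarded, no state
            process(good_ack, now_counter + 50)[0],     # replayed long after issue: stale
            process(data, now_counter)[0]]              # data of an established flow: passed


if __name__ == "__main__":
    print(handshake_demo())   # ['reply_synack', 'establish', 'forward', 'forward', 'forward']
```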
The present invention does not assign IP addresses to the network interface devices through which the SYN Flood protection equipment forwards network packets but sets them to promiscuous mode, so the device is "invisible" on the network in normal operation and the security of the SYN Flood protection device itself is very good. At the same time, the SYN Flood protection device applies SYN Cookie processing to the network data and prevents a SYN Flood from occurring. The present invention is secure; no additional configuration is needed in use; it works normally without any human intervention by the user; its cost is low and its use is simple and convenient; and it fundamentally achieves the goal of preventing SYN Flood attacks.

Claims (2)

1. A method for preventing network state synchronous flood attacks and protecting a network in transparent mode, comprising the following steps:
(1) the network interface devices through which the "SYN Flood protection device" forwards network packets are not assigned IP addresses and are set to promiscuous mode;
(2) the "SYN Flood protection device" processes the network packets passing through it in the SYN Cookie manner;
(3) after the SYN Cookie processing completes normally, the "SYN Flood protection device" establishes a TCP connection with the destination host.
2. The method for preventing network state synchronous flood attacks and protecting a network in transparent mode according to claim 1, characterized in that the SYN Cookie processing comprises the following steps:
(1) obtain the TCP packet;
(2) determine whether the SYN flag bit is set; if it is, respond with a TCP packet having the SYN/ACK flag bits set and carrying a custom password in the network packet;
(3) if the SYN flag bit is not set, determine whether only the ACK flag bit is set; if the ACK flag bit is not set either, the "SYN Flood protection device" forwards the TCP packet normally; if the ACK flag bit is set, proceed to the next step;
(4) if the ACK flag bit is set, further determine whether the password in the network packet is legitimate; if it is not, the "SYN Flood protection device" forwards the TCP packet normally; if it is, the "SYN Flood protection device" establishes a TCP connection with the destination host.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB021234221A CN100429881C (en) 2002-06-27 2002-06-27 Method for preventing network state synchronous flood attack and protecting network in transparent mode

Publications (2)

Publication Number Publication Date
CN1466306A true CN1466306A (en) 2004-01-07
CN100429881C CN100429881C (en) 2008-10-29

Family

ID=34142322

Country Status (1)

Country Link
CN (1) CN100429881C (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100454895C (en) * 2005-06-30 2009-01-21 华为技术有限公司 Method for raising network security via message processing
CN101436958B (en) * 2007-11-16 2011-01-26 太极计算机股份有限公司 Method for resisting abnegation service aggression
CN103546486A (en) * 2013-11-04 2014-01-29 北京荣之联科技股份有限公司 SYN Cookie source authentication method and device for preventing DDOS attack

Also Published As

Publication number Publication date
CN100429881C (en) 2008-10-29

Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee: owner name BEIJING SHENZHOU LVMENG INFORMATION SECURITY TECHN; former name ZHONGLIAN NSFOCUS INFORMATION TECHNOLOGY (BEIJING) CO., LTD.
CP01 Change in the name or title of a patent holder: patentee before NSFOCUS INFORMATION TECHNOLOGY (BEIJING) Co.,Ltd.; patentee after NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.; address before and after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai five storey building
ASS Succession or assignment of patent right: owner name NSFOCUS TECHNOLOGY CO., LTD.; effective date 20130927
C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right: effective date of registration 20130927; patentee before NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.; patentees after NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd. and NSFOCUS TECHNOLOGIES Inc.; address unchanged
CP01 Change in the name or title of a patent holder: patentees before NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd. and NSFOCUS TECHNOLOGIES Inc.; patentees after NSFOCUS Technologies Group Co.,Ltd. and NSFOCUS TECHNOLOGIES Inc.; address unchanged
CP01 Change in the name or title of a patent holder
CX01 Expiry of patent term: granted publication date 20081029