TW201828646A - Anti-attack data transmission method and apparatus solving the technical problem of accidentally damaging normal transmitted data traffic due to the adoption of an existing anti-attack method - Google Patents


Info

Publication number
TW201828646A
Authority
TW
Taiwan
Prior art keywords
communication protocol
information
attack
processing
message
Prior art date
Application number
TW106102236A
Other languages
Chinese (zh)
Other versions
TWI721086B (en)
Inventor
屠一凡
張釗
朱家睿
Original Assignee
阿里巴巴集團服務有限公司
Priority application: TW106102236A
Publication: TW201828646A
Granted as: TWI721086B


Abstract

This invention discloses an anti-attack data transmission method and apparatus, wherein the method comprises the following steps: obtaining a communication protocol packet to be transmitted; performing anti-attack preprocessing on data located in an information bit of a packet header in the communication protocol packet to generate processing information; storing the processing information on an extension bit in the packet header of the communication protocol packet to obtain a converted communication protocol packet, wherein the packet header of the communication protocol packet comprises the information bit and the extension bit; and transmitting the converted communication protocol packet to a receiving device. This invention solves the technical problem of accidentally damaging normal transmitted data traffic due to the adoption of an existing anti-attack method.

Description

Anti-attack data transmission method and device

The present invention relates to the field of computers, and in particular to an anti-attack data transmission method and apparatus.

At present, in the prior art, the common communication attack methods include the following two types:

1. SYN attack. The attack principle is as follows: a SYN attack is a kind of DoS attack. It exploits a defect in the TCP protocol, sending a large number of half-open connection requests to consume CPU and memory resources. Besides affecting hosts, SYN attacks can also harm network systems such as routers and firewalls; in fact a SYN attack does not care what system the target is, as long as that system has TCP services open it can be carried out. When the server receives a connection request (syn=j), it adds this information to the half-open connection queue and sends a request packet to the client (syn=k, ack=j+1), at which point it enters the SYN_RECV state. When the server does not receive the client's acknowledgement packet, it retransmits the request packet, and only deletes the entry from the half-open connection queue when the timeout expires. Combined with IP spoofing, a SYN attack is very effective: typically the client forges a large number of non-existent IP addresses in a short time and continuously sends SYN packets to the server; the server replies with acknowledgement packets and waits for the client's acknowledgement, but because the source addresses do not exist, the server has to keep retransmitting until the timeout. These forged SYN packets occupy the half-open connection queue for a long time, normal SYN requests are discarded, the target system runs slowly, and in severe cases the network is congested or the system is even paralyzed.

2. ACK attack. The attack principle is as follows: after a TCP connection is established, all data-transfer TCP segments carry the ACK flag bit. When a host receives a data packet with the ACK flag bit set, it has to check whether the connection four-tuple indicated by the packet exists; if it exists, it checks whether the state indicated by the packet is valid, and only then passes the packet up to the application layer. If the check finds the packet to be invalid, for example because the destination port the packet points to is not open on this host, the host operating system's protocol stack responds with an RST packet to tell the other side that the port does not exist. A stateful inspection firewall does something similar, except that the firewall only intercepts the invalid packets and does not actively respond.

Comparing the complexity of what a host or firewall has to do on receiving an ACK segment versus a SYN segment, the load caused by an ACK segment is obviously much smaller. So in a real environment, only when the attack program sends ACK segments at a sufficiently high rate per second will the load on the host and firewall change significantly. When the sending rate is very high, the host operating system spends a lot of effort receiving the segments and judging their state, while also having to actively respond with RST segments, and normal data packets may then not be processed in time. At this point the client (taking IE as an example) experiences very slow page access and a high packet-loss rate. A stateful inspection firewall, however, can filter attack segments fairly effectively by judging whether the state of each ACK segment is valid, with the help of its powerful hardware. Of course, if the attack traffic is very large, the firewall will also be overwhelmed, since it must maintain a very large connection-state table while checking the state of a huge number of ACK segments, and the whole network is paralyzed.

To solve the above problems, the commonly used approach at present is broadband traffic scrubbing, which relieves the pressure that attack traffic puts on the network and servers. The broadband traffic scrubbing solution consists of three main steps. First, a dedicated detection device analyzes and monitors the user's service traffic. Second, when a server comes under attack, the detection device reports to a dedicated service management platform, which creates a scrubbing task and diverts the user traffic to a traffic scrubbing center. Third, the traffic scrubbing center scrubs the diverted user traffic and re-injects the scrubbed, legitimate user traffic back to the server.

However, in the existing scrubbing schemes, because communication protocols differ from one another, uniformly using traffic scrubbing to defend against attacks is very likely to cause collateral damage, that is, normal data traffic is treated as attack traffic and filtered out. No effective solution to the above problem has been proposed so far.

According to one aspect of the embodiments of the present invention, an anti-attack data transmission method is provided, comprising: obtaining a communication protocol packet to be transmitted; performing anti-attack preprocessing on the data located on the information bits of the packet header in the communication protocol packet to generate processing information; storing the processing information on the extension bits of the packet header of the communication protocol packet to obtain a converted communication protocol packet, wherein the packet header of the communication protocol packet comprises the information bits and the extension bits; and sending the converted communication protocol packet to a receiving device.

Optionally, performing anti-attack preprocessing on the data located on the information bits of the packet header in the communication protocol packet comprises at least one of: adjusting the order of the data on the information bits; compressing the data on the information bits in whole or in part and padding the free positions left after compression with characters; encrypting the data on the information bits in whole or in part; or signing the data on the information bits in whole or in part.

Optionally, before performing anti-attack preprocessing on the data located on the information bits of the packet header in the communication protocol packet, the method further comprises: setting some bytes located in the packet header of the communication protocol packet as the extension bits.

Optionally, setting some bytes located in the packet header of the communication protocol packet as the extension bits comprises: setting some bytes of the sequence number and/or the acknowledgement number in the packet header as the extension bits.

Optionally, before sending the converted communication protocol packet to the receiving device, the method further comprises: judging whether the current data traffic of the communication protocol packets is greater than a predetermined threshold; and if the data traffic is greater than the predetermined threshold, deploying a gateway-type network device on the transmission link before the receiving device, so that the gateway-type network device, acting as a proxy for the receiving device, forwards the converted communication protocol packets to a third-party device for processing.

Optionally, the apparatus that performs anti-attack preprocessing on the data located on the information bits of the packet header in the communication protocol packet comprises at least one of: a network card driver, a virtual network card, or a local gateway.

According to another aspect of the embodiments of the present invention, a further anti-attack data transmission method is provided, comprising: receiving a converted communication protocol packet obtained by anti-attack preprocessing; parsing the converted communication protocol packet according to the processing information of the anti-attack preprocessing indicated by the extension bits located in the packet header of the converted communication protocol packet; and obtaining the data located on the information bits of the packet header in the converted communication protocol packet, wherein the packet header of the communication protocol packet comprises the information bits and the extension bits.

Optionally, the apparatus that parses the converted communication protocol packet according to the processing information of the anti-attack preprocessing indicated by the extension bits located in the packet header of the converted communication protocol packet comprises at least one of: a network card driver, a virtual network card, or a local gateway.

According to yet another aspect of the embodiments of the present invention, an anti-attack data transmission apparatus is provided, located in a sending device, the apparatus comprising: an obtaining unit for obtaining a communication protocol packet to be transmitted; an anti-attack preprocessing unit for performing anti-attack preprocessing on the data located on the information bits of the packet header in the communication protocol packet to generate processing information; a storing unit for storing the processing information on the extension bits of the packet header of the communication protocol packet to obtain a converted communication protocol packet, wherein the packet header of the communication protocol packet comprises the information bits and the extension bits; and a sending unit for sending the converted communication protocol packet to a receiving device.

Optionally, the anti-attack preprocessing unit comprises at least one of: an adjustment module for adjusting the order of the data on the information bits; a compression module for compressing the data on the information bits in whole or in part and padding the free positions left after compression with characters; an encryption module for encrypting the data on the information bits in whole or in part; or a signature module for signing the data on the information bits in whole or in part.

Optionally, the apparatus further comprises: a setting unit for setting some bytes located in the packet header of the communication protocol packet as the extension bits before anti-attack preprocessing is performed on the data located on the information bits of the packet header in the communication protocol packet.

Optionally, the setting unit comprises: a setting module for setting some bytes of the sequence number and/or the acknowledgement number in the packet header as the extension bits.

Optionally, the apparatus further comprises: a judging unit for judging, before the converted communication protocol packet is sent to the receiving device, whether the current data traffic of the communication protocol packets is greater than a predetermined threshold; and a configuration unit for deploying, when the data traffic is greater than the predetermined threshold, a gateway-type network device on the transmission link before the receiving device, so that the gateway-type network device, acting as a proxy for the receiving device, forwards the converted communication protocol packets to a third-party device for processing.

Optionally, the anti-attack preprocessing unit comprises at least one of: a network card driver, a virtual network card, or a local gateway.

According to yet another aspect of the embodiments of the present invention, an anti-attack data transmission apparatus is provided, located in a receiving device, the apparatus comprising: a receiving unit for receiving a converted communication protocol packet obtained by anti-attack preprocessing; a parsing unit for parsing the converted communication protocol packet according to the processing information of the anti-attack preprocessing indicated by the extension bits located in the packet header of the converted communication protocol packet; and an obtaining unit for obtaining the data located on the information bits of the packet header in the converted communication protocol packet, wherein the packet header of the communication protocol packet comprises the information bits and the extension bits.

Optionally, the parsing unit comprises at least one of: a network card driver, a virtual network card, or a local gateway.

In the embodiments of the present invention, anti-attack preprocessing is performed directly on the sending device on the data on the information bits of the communication protocol packet to be transmitted, the processing information of the anti-attack preprocessing is stored on extension bits newly set up in the original communication protocol packet, and the converted communication protocol packet is then sent to the receiving device. In other words, by sending the receiving device a communication protocol packet whose packet-header information bits have undergone anti-attack preprocessing, the sending device makes it possible to distinguish normal data traffic from abnormal data traffic: the receiving device keeps the communication protocol packets it can parse correctly and filters out the abnormal packets it cannot parse correctly. Attacks that occur during communication are thus defended against accurately without affecting normal communication, which avoids the problem of existing anti-attack methods damaging normally transmitted data traffic.

Further, in this embodiment only the data on the information bits in the packet header undergoes anti-attack preprocessing, which keeps the transmission link transparent, prevents the converted communication protocol packet from being deciphered, and further improves security during data transmission.

Reference numerals in the drawings:

S102-S108: steps
202: terminal
206: server
302: gateway-type network device
402: TCP client
404: TCP server
406-1: network card driver
406-2: network card driver
502-1: virtual network card
502-2: virtual network card
602-1: local gateway
602-2: local gateway
S702-S706: steps
802: obtaining unit
804: anti-attack preprocessing unit
806: storing unit
808: sending unit
902: receiving unit
904: parsing unit
906: obtaining unit

The drawings described here are provided for a further understanding of the present invention and form a part of it; the illustrative embodiments of the present invention and their descriptions serve to explain the present invention and do not improperly limit it. In the drawings: FIG. 1 is a flowchart of an optional anti-attack data transmission method according to an embodiment of the present invention; FIG. 2 is a schematic diagram of an application scenario of an optional anti-attack data transmission method according to an embodiment of the present invention; FIG. 3 is a schematic diagram of an optional anti-attack data transmission method according to an embodiment of the present invention; FIG. 4 is a schematic diagram of another optional anti-attack data transmission method according to an embodiment of the present invention; FIG. 5 is a schematic diagram of yet another optional anti-attack data transmission method according to an embodiment of the present invention; FIG. 6 is a schematic diagram of yet another optional anti-attack data transmission method according to an embodiment of the present invention; FIG. 7 is a flowchart of yet another optional anti-attack data transmission method according to an embodiment of the present invention; FIG. 8 is a schematic diagram of an optional anti-attack data transmission apparatus according to an embodiment of the present invention; and FIG. 9 is a schematic diagram of another optional anti-attack data transmission apparatus according to an embodiment of the present invention.

In order to enable those skilled in the art to better understand the solution of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some, and not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort shall fall within the scope of protection of the present invention.

It should be noted that the terms "first", "second" and the like in the specification, the claims and the drawings of the present invention are used to distinguish similar items and need not be used to describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments of the present invention described here can be carried out in orders other than those illustrated or described here. In addition, the terms "comprise" and "have" and any variants of them are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to those steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to such a process, method, product or device.

Embodiment 1

According to an embodiment of the present invention, an embodiment of an anti-attack data transmission method is provided. It should be noted that the steps shown in the flowcharts of the drawings may be executed in a computer system such as a set of computer-executable instructions, and that, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be executed in an order different from the one given here.

FIG. 1 shows an anti-attack data transmission method according to an embodiment of the present invention. As shown in FIG. 1, the method comprises the following steps: S102, obtain a communication protocol packet to be transmitted; S104, perform anti-attack preprocessing on the data located on the information bits of the packet header in the communication protocol packet to generate processing information; S106, store the processing information on the extension bits of the packet header of the communication protocol packet to obtain a converted communication protocol packet, wherein the packet header of the communication protocol packet comprises the information bits and the extension bits; S108, send the converted communication protocol packet to the receiving device.

Optionally, in this embodiment, the above anti-attack data transmission method may be, but is not limited to being, applied in the application environment shown in FIG. 2, in which the terminal 202, as the sending device, communicates over the network 204 with the server 206, as the receiving device, according to a predetermined communication protocol. The network may include, but is not limited to, a local area network, a metropolitan area network or a wide area network, and the terminal may include, but is not limited to, a mobile phone, a PC, a notebook or a tablet computer. The above is only an example, and this embodiment does not limit it in any way.

It should be noted that the sending device may be, but is not limited to, a collection device in the network that can collect data, for example a router, which can collect the communication protocol packets to be transmitted via the NetFlow protocol.

Specifically, after obtaining the communication protocol packet to be transmitted, the terminal 202 acting as the sending device performs anti-attack preprocessing on the data located on the information bits of the packet header in the communication protocol packet and generates the corresponding processing information, stores that processing information on the extension bits of the packet header of the communication protocol packet to obtain the converted communication protocol packet, and then sends the converted communication protocol packet to the server 206 acting as the receiving device.

It should be noted that, in the embodiments of the present invention, anti-attack preprocessing is performed directly on the sending device on the data on the information bits of the communication protocol packet to be transmitted, and the processing information of the anti-attack preprocessing is stored on extension bits newly set up in the original communication protocol packet. The anti-attack preprocessing is an operation agreed between the sending device and the receiving device to be performed on the data on the information bits of the packet header, so as to defend against attacks that occur during communication. In other words, after the sending device applies to the data the anti-attack preprocessing agreed with the receiving device, the receiving device can parse the data directly according to the agreement: if the data can be parsed, it is normal data traffic; if it cannot be parsed normally, it can be judged to be abnormal data traffic, and the attack corresponding to that abnormal data traffic can be defended against simply by discarding it. Thus, while the sending device communicates with the receiving device according to the communication protocol, the security and accuracy of data transmission are improved without affecting normal communication, avoiding the problem of existing anti-attack methods damaging normally transmitted data traffic.

Optionally, in this embodiment, the communication protocol packet may be, but is not limited to, a Transmission Control Protocol (TCP) packet, where the data format of a TCP packet may be as follows. Data format of a TCP packet:

As can be seen from the above, the first 20 bytes of a TCP packet are fixed, followed by 4N bytes of options added as needed. Among these, the header length, URG, ACK, RST, SYN, FIN, window size, TCP checksum and urgent pointer are all information bits carrying important information in the TCP packet.

In this embodiment, unlike the prior art, which protects the entire TCP packet against attack, anti-attack preprocessing protection is applied to the data on the information bits of the packet header. This makes it possible for the receiving device, on receiving the TCP packet, not to have to scrub and filter all of the data traffic by means of broadband traffic scrubbing, thereby avoiding the problem of normal data traffic being wrongly discarded as abnormal data traffic. The receiving device judges whether the data on the corresponding information bits can be parsed in the agreed manner and thereby directly filters out communication protocol packets forged by the attacking side, which further improves the accuracy of attack defense during data transmission. The packet format of the converted communication protocol packet is as follows. Packet format of the converted communication protocol packet:

Optionally, in this embodiment, the extension bits in the communication protocol packet may be, but are not limited to, extension bits newly added within the original communication protocol packet; that is, without increasing the packet length, some positions are set as extension bits used to hold the processing information of the anti-attack preprocessing. The security of data transmission is thereby ensured without increasing the packet's payload overhead.

Optionally, in this embodiment, the anti-attack preprocessing may include, but is not limited to, at least one of the following operations: 1) adjusting the order of the data on the information bits; or 2) compressing the data on the information bits in whole or in part and padding the free positions left after compression with characters; or 3) encrypting the data on the information bits in whole or in part; or 4) signing the data on the information bits in whole or in part.

It should be noted that "the whole" of the information bits refers to the data on all of the information bits, and "part" of the information bits refers to the data on some of the information bits. In addition, the padding characters may be, but are not limited to, characters with no actual meaning, and may also, but need not, serve as extension bits for other information. This embodiment does not limit this in any way.

Optionally, in this embodiment, before sending the converted communication protocol packet to the receiving device, the method further includes: S1, deploying network devices. That is, the network devices in the network are arranged according to the data traffic actually transmitted.

Optionally, in this embodiment, when the data traffic exceeds a predetermined threshold, a gateway-type network device is placed between the sending device and the receiving device so that this network device forwards part of the data traffic to a third-party receiving device. This prevents the original receiving device from being overloaded, reducing the device load and avoiding a system crash of the receiving device due to overload.

Optionally, in this embodiment, when the data traffic is less than or equal to the predetermined threshold, the anti-attack preprocessing of the communication protocol packet to be transmitted can be performed directly by placing at least one of the following devices on the sending side: a NIC driver, a virtual NIC or a local gateway.

In the embodiment provided by the present invention, anti-attack preprocessing is performed on the sending device directly on the data on the information bits of the communication protocol packet to be transmitted, the processing information of the anti-attack preprocessing is stored on extension bits newly set aside in the original communication protocol packet, and the converted communication protocol packet is then sent to the receiving device. That is, by sending the receiving device communication protocol packets whose packet-header information bits have undergone anti-attack preprocessing, the sending device makes it possible to distinguish normal data traffic from abnormal data traffic: the receiving device keeps the communication protocol packets it can parse correctly and filters out the abnormal packets it cannot, so that attacks occurring during communication are accurately defended against without affecting normal communication, and the problem of accidentally damaging normally transmitted data traffic caused by existing anti-attack methods is avoided. Further, in this embodiment, anti-attack preprocessing is applied only to the data on the information bits in the packet header rather than to the data of the entire communication protocol packet, which keeps the transmission link transparent, prevents the converted communication protocol packet from being deciphered, and further improves security during data transmission.

As an optional scheme, the anti-attack preprocessing of the data on the information bits in the packet header of the communication protocol packet includes at least one of the following:

1) Adjusting the order of the data on the information bits. Specifically, by way of the following example: the information bits in the header of a TCP packet include the header length, URG, ACK, RST, SYN, FIN, window size, TCP checksum and urgent pointer. In this embodiment, when anti-attack preprocessing is applied to the data on these information bits, the order of the data can be adjusted accordingly, so that the TCP packet is preprocessed against attack while still being encapsulated and transmitted normally.

For example, the data format of the converted TCP packet can be as follows:

As can be seen from the above, in this example the order of URG, RST and SYN is adjusted, changing their publicly known positions in the communication protocol packet, thereby providing protection against third-party devices and preventing attacks originating from third-party devices.

2) Compressing the data on the information bits in whole or in part and filling the positions freed by compression with padding characters. Specifically, by way of the following example: the information bits in the header of a TCP packet include the header length, URG, ACK, RST, SYN, FIN, window size, TCP checksum and urgent pointer. In this embodiment, when anti-attack preprocessing is applied to the data on these information bits, the data on the information bits can be compressed in whole or in part, so that the TCP packet is preprocessed against attack while still being encapsulated and transmitted normally.

For example, the data format of the converted TCP packet can be as follows:

As can be seen from the above, in this example the TCP checksum is partially compressed, for example from 16 bits to 10 bits, and the positions freed by compression are filled with certain characters, changing the publicly known position of the TCP checksum in the communication protocol packet, thereby providing protection against third-party devices and preventing attacks originating from third-party devices.

Optionally, in this embodiment, the data in the above information bits can also be compressed as a whole in proportion; the compression method is the same as the partial compression above and is not repeated here.

3) Encrypting the data on the information bits in whole or in part. Optionally, in this embodiment, all the data on the information bits may be encrypted as a whole, or only the data at some predetermined positions among the information bits may be partially encrypted; this example places no limitation on the encryption method.

4) Signing the data on the information bits in whole or in part.

Optionally, in this embodiment, the signature refers to a digit string that only the sender of the information can produce and that others cannot forge; this digit string is also a valid proof of the authenticity of the information sent by the sender.

Optionally, in this embodiment, signature authentication may be applied to all the data on the information bits as a whole, or only to the data at some predetermined positions among the information bits; this example places no limitation on the signing method.

In the embodiment provided by the present invention, anti-attack preprocessing is applied, by at least one of the above methods, to the data on the information bits in the packet header of the communication protocol packet. Preprocessing the packet-header data further improves the security of the communication protocol packet to be transmitted, preventing a third-party device from launching an attack after deciphering the preprocessing operation; further, it allows the receiving device to parse the received converted communication protocol packet in the manner corresponding to the preprocessing operation, correctly identifying normal data traffic and abnormal data traffic and overcoming the error problem of the prior art.

As an optional scheme, before anti-attack preprocessing is applied to the data on the information bits in the packet header of the communication protocol packet, the method further includes: S1, setting some bytes in the packet header of the communication protocol packet as extension bits.

Optionally, in this embodiment, setting some bytes in the packet header of the communication protocol packet as extension bits includes: S12, setting some bytes of the sequence number and/or acknowledgment number in the packet header as extension bits.

Optionally, in this embodiment, the above anti-attack data transmission method is implemented on the basis of TCP packets. Taking into account the characteristics of IP forwarding and of the TCP protocol, this embodiment sets part of the existing fields in the TCP packet header as extension bits, so that the TCP packet to be transmitted is preprocessed without adding packet payload overhead (that is, without increasing the packet length), preserving the compatibility and consistency of the TCP protocol during transmission.

It should be noted that in a TCP packet the sequence number and the acknowledgment number are both 32 bits. The role of these two numbers is to identify the length of the previously transmitted packet. Considering the existing network transmission environment, in the Ethernet case the maximum length of a single packet is 8192 bytes (jumbo frame length), whereas 32 bits can represent 2^32 = 4G bytes, so there is usable slack in this part of the data. For example, if 28 bits are used as the sequence number and 4 bits of each number are reserved as extension bits, these 8 bits can be used to identify the processing information of the above preprocessing. Using these extension bits, at least one preprocessing operation such as signing, TCP header reassembly, obfuscation or encryption is applied to the data on the information bits of the packet header, and the converted TCP communication protocol packet is sent to the receiving device.

In the embodiment provided by the present invention, extension bits are set aside in the original communication protocol packet so that they record the preprocessing operation applied to the data on the information bits of the packet header. The receiving device can then correctly parse the corresponding data according to the agreement, accurately distinguishing normal data traffic from abnormal data traffic and overcoming the problem in the prior art of accidentally damaging normally transmitted data traffic.

As an optional scheme, before sending the converted communication protocol packet to the receiving device, the method further includes: S1, determining whether the data traffic of the current communication protocol packet exceeds a predetermined threshold; S2, if the data traffic exceeds the predetermined threshold, configuring a gateway-type network device on the transmission link ahead of the receiving device, so that the gateway-type network device, acting on behalf of the receiving device, forwards the converted communication protocol packet to a third-party device for processing.

Optionally, in this embodiment, when the data traffic exceeds the predetermined threshold, a gateway-type network device is placed between the sending device and the receiving device so that this network device forwards part of the data traffic to a third-party receiving device. This prevents the original receiving device from being overloaded, reducing the device load and avoiding a system crash of the receiving device due to overload. The predetermined threshold may be, but is not limited to, determined according to the processing load of the receiving device.

Specifically, by way of the following example, taking TCP packets as an example and as shown in Fig. 3: before the terminal 202 sends a TCP packet to the server 206, the terminal 202 as the sending device can judge from the current network traffic whether the server 206 as the receiving device can process it normally. For example, assuming the predetermined threshold is 100M and the current data traffic is 120M, the terminal 202 as the sending device determines after comparison that the data traffic exceeds the predetermined threshold, and a gateway-type network device 302 is deployed in the network so that the gateway-type network device 302 forwards the excess 20M of data traffic to a third-party device, avoiding a system crash of the receiving device due to overload.

In the embodiment provided by the present invention, the data traffic of the current communication protocol packet is compared in advance with the predetermined threshold in order to decide whether to place a gateway-type network device on the transmission link, thereby avoiding a system crash of the receiving device due to overload during attack defense.

As an optional scheme, the apparatus that performs anti-attack preprocessing on the data on the information bits in the packet header of the communication protocol packet includes at least one of the following: a NIC driver, a virtual NIC or a local gateway.

Specifically, by way of the following example. As an optional implementation, as shown in Fig. 4 and taking TCP packets as an example, a TCP client 402 is provided on the terminal serving as the sending device and a TCP server 404 is provided on the server serving as the receiving device. In this embodiment, a NIC driver 406-1 is installed on the TCP client as the anti-attack apparatus to perform the preprocessing operation of the above anti-attack transmission method, and a NIC driver 406-2 is installed on the TCP server as the anti-attack detection apparatus to perform the parsing operation of the above anti-attack transmission method.

It should be noted that in this embodiment the TCP client still communicates normally through the physical NIC. Only the NIC driver inspects the destination of the communication: if it finds that the communication is with an external TCP anti-attack detection apparatus, it processes the data packet according to the format agreed in advance; otherwise it sends the packet to the destination unchanged.

As another optional implementation, as shown in Fig. 5 and taking TCP packets as an example, a TCP client 402 is provided on the terminal serving as the sending device and a TCP server 404 is provided on the server serving as the receiving device. In this embodiment, a virtual NIC 502-1 is installed on the TCP client as the anti-attack apparatus to perform the preprocessing operation of the above anti-attack transmission method, and a virtual NIC 502-2 is installed on the TCP server as the anti-attack detection apparatus to perform the parsing operation of the above anti-attack transmission method.

It should be noted that in this embodiment this variant works much like a link tunnel. The TCP client only needs to send data to the designated NIC; in actual operation it does not perceive changes in the physical link, and all communication with the external TCP anti-attack detection apparatus is handled by the virtual NIC as a proxy.

As yet another optional implementation, as shown in Fig. 6 and taking TCP packets as an example, a TCP client is provided on the terminal serving as the sending device and a TCP server is provided on the server serving as the receiving device. In this embodiment, a local gateway 602-1 is installed on the TCP client as the anti-attack apparatus to perform the preprocessing operation of the above anti-attack transmission method, and a local gateway 602-2 is installed on the TCP server as the anti-attack detection apparatus to perform the parsing operation of the above anti-attack transmission method.

It should be noted that in this embodiment, in this scenario, the TCP client only needs to establish a communication relationship with the local gateway; the local gateway is responsible for communicating with the external TCP anti-attack detection apparatus.

In the embodiment provided by the present invention, the above anti-attack data transmission is implemented by different apparatuses, allowing diverse forms of anti-attack control.

Embodiment 2

According to an embodiment of the present invention, an embodiment of an anti-attack data transmission method is provided. It should be noted that the steps shown in the flowchart of the drawings may be executed in a computer system such as a set of computer-executable instructions, and although a logical order is shown in the flowchart, in some cases the steps shown or described may be executed in an order different from the one given here.

Fig. 7 shows an anti-attack data transmission method according to an embodiment of the present invention. As shown in Fig. 7, the method includes the following steps: S702, receiving a converted communication protocol packet obtained after anti-attack preprocessing; S704, parsing the converted communication protocol packet according to the processing information of the anti-attack preprocessing indicated by the extension bits in the packet header of the converted communication protocol packet; S706, obtaining the data on the information bits in the packet header of the converted communication protocol packet, wherein the packet header of the communication protocol packet includes the information bits and the extension bits.

Optionally, in this embodiment, the above anti-attack data transmission method may be, but is not limited to, applied in the application environment shown in Fig. 2, in which the terminal 202 as the sending device communicates with the server 206 as the receiving device over the network 204 according to a predetermined communication protocol. The network may include, but is not limited to, a local area network, a metropolitan area network or a wide area network, and the terminal may include, but is not limited to, a mobile phone, PC, notebook or tablet computer. The above is only an example, and this embodiment places no limitation on it.

It should be noted that the above receiving device may also be, but is not limited to, a router. A predetermined program installed in the router parses the processing information of the anti-attack preprocessing indicated by the extension bits in the packet header of the received converted communication protocol packet, in order to obtain the converted communication protocol packet.

Specifically, the server 206 as the receiving device receives the converted communication protocol packet obtained after anti-attack preprocessing; further, it parses the converted communication protocol packet according to the processing information of the anti-attack preprocessing indicated by the extension bits in the packet header of the converted communication protocol packet, in order to obtain the data on the information bits in the packet header of the converted communication protocol packet, wherein the packet header of the communication protocol packet includes the information bits and the extension bits.

It should be noted that in the embodiment of the present invention, anti-attack preprocessing is performed on the sending device directly on the data on the information bits of the communication protocol packet to be transmitted, and the processing information of the anti-attack preprocessing is stored on extension bits newly set aside in the original communication protocol packet, so that the receiving device can parse and obtain the data on the packet-header information bits according to the agreement between the two parties. If the data can be parsed correctly, it is normal data traffic; if it cannot be parsed correctly, it can be judged to be abnormal data traffic, and the attack corresponding to that abnormal data traffic can be defended against directly by discarding it. Thus, while the sending device communicates with the receiving device according to the communication protocol, the security and accuracy of data transmission are improved without affecting normal communication, and the problem of accidentally damaging normally transmitted data traffic caused by existing anti-attack methods is avoided.

Optionally, in this embodiment, the above communication protocol packet may be, but is not limited to, a Transmission Control Protocol (TCP) packet, where the data format of a TCP packet may be as follows:

Data format of a TCP packet:

As can be seen from the above, the first 20 bytes of a TCP packet are fixed, followed by 4N bytes of options added as needed. Of these, the header length, URG, ACK, RST, SYN, FIN, window size, TCP checksum and urgent pointer are all information bits of the TCP packet that carry important information.

In this embodiment, unlike the prior art, which applies anti-attack protection to the whole TCP packet, anti-attack preprocessing is applied only to the data on the information bits of the packet header. When the receiving device receives such a TCP packet it therefore no longer has to scrub and filter all data traffic by bandwidth-based traffic scrubbing, which avoids the problem of normal data traffic being mistakenly killed as abnormal data traffic. Instead, the receiving device decides whether the data on the corresponding information bits can be parsed in the agreed manner, and thereby directly filters out communication protocol packets forged by the attacking end, further improving the accuracy of attack defense during data transmission. The format of the converted communication protocol packet is as follows:

Format of the converted communication protocol packet:

Optionally, in this embodiment, the extension bits in the above communication protocol packet may be, but are not limited to, extension bits newly added within the original communication protocol packet; that is, without increasing the packet length, some positions are set aside as extension bits for storing the processing information of the anti-attack preprocessing. The security of data transmission is thereby ensured without adding packet payload overhead.

Optionally, in this embodiment, the above anti-attack preprocessing may include, but is not limited to, at least one of the following operations: 1) adjusting the order of the data on the information bits; or 2) compressing the data on the information bits in whole or in part and filling the positions freed by compression with padding characters; or 3) encrypting the data on the information bits in whole or in part; or 4) signing the data on the information bits in whole or in part.

It should be noted that "the whole" of the information bits refers to the data on all information bits, and "part" of the information bits refers to the data in some of the information bits. In addition, the padding characters may be, but are not limited to, characters with no actual meaning, and may also, but not exclusively, serve as extension bits for other information. This embodiment places no limitation on this.

Optionally, in this embodiment, before sending the converted communication protocol packet to the receiving device, the method further includes: S1, deploying network devices. That is, the network devices in the network are arranged according to the data traffic actually transmitted.

Optionally, in this embodiment, when the data traffic exceeds a predetermined threshold, a gateway-type network device is placed between the sending device and the receiving device so that this network device forwards part of the data traffic to a third-party receiving device. This prevents the original receiving device from being overloaded, reducing the device load and avoiding a system crash of the receiving device due to overload.

Optionally, in this embodiment, when the data traffic is less than or equal to the predetermined threshold, the anti-attack preprocessing of the communication protocol packet to be transmitted can be performed directly by placing at least one of the following devices on the sending side: a NIC driver, a virtual NIC or a local gateway.

In the embodiment provided by the present invention, the server 206 as the receiving device receives the converted communication protocol packet obtained after anti-attack preprocessing; further, it parses the converted communication protocol packet according to the processing information of the anti-attack preprocessing indicated by the extension bits in the packet header of the converted communication protocol packet, in order to obtain the data on the information bits in the packet header of the converted communication protocol packet, wherein the packet header of the communication protocol packet includes the information bits and the extension bits. That is, the receiving device parses the data on the information bits of the packet header of each received communication protocol packet, processes the normal data traffic that parses correctly and filters out the abnormal data traffic. Normal data traffic is thereby distinguished from abnormal data traffic: the receiving device keeps the communication protocol packets it can parse correctly and filters out the abnormal packets it cannot, so that attacks occurring during communication are accurately defended against without affecting normal communication, and the problem of accidentally damaging normally transmitted data traffic caused by existing anti-attack methods is avoided.
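The following Python script is an added example, not code from the patent or its applicant. It implements both halves of the scheme in one place: the sender-side conversion of Embodiment 1 (the agreed reordering of URG, RST and SYN, and the 8 extension bits carved from 28-bit sequence and acknowledgment numbers) and the receiver-side parse-and-filter step of Embodiment 2 (a packet that cannot be parsed as agreed is dropped). Everything the patent leaves open is an assumption here: the 4 extension bits are taken from the top of each number, the 8-bit processing information is an HMAC-SHA256 tag over the information-bit fields truncated to one byte and computed under a shared key, and the reordering is a rotation of the three flag positions. The ports, sequence numbers and key are constructed sample values.

```python
"""Sender-side conversion and receiver-side filter for the TCP header scheme.

Assumptions (the patent fixes none of these):
  * seq and ack are limited to 28 bits; the top 4 bits of each hold the 8-bit
    processing information (seq nibble = high 4 bits, ack nibble = low 4 bits).
  * processing information = HMAC-SHA256 over the information-bit fields
    (offset/flags, window, checksum, urgent pointer), truncated to 8 bits,
    computed after the agreed flag reordering.
  * agreed reordering = rotate the URG, RST and SYN flag positions.
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Fixed 20-byte TCP header: src, dst, seq, ack, offset/flags, window, checksum, urgent ptr
TCP_HDR = struct.Struct("!HHIIHHHH")
SEQ_BITS = 28
SEQ_MASK = (1 << SEQ_BITS) - 1

URG, RST, SYN = 0x20, 0x04, 0x02          # standard flag bit positions

# Constructed shared secret, assumed to be provisioned to both ends out of band.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def reorder_flags(off_flags: int) -> int:
    """Agreed permutation: URG -> RST slot, RST -> SYN slot, SYN -> URG slot."""
    out = off_flags & ~(URG | RST | SYN)
    if off_flags & URG:
        out |= RST
    if off_flags & RST:
        out |= SYN
    if off_flags & SYN:
        out |= URG
    return out


def restore_flags(off_flags: int) -> int:
    """Inverse of reorder_flags, applied by the receiver."""
    out = off_flags & ~(URG | RST | SYN)
    if off_flags & RST:
        out |= URG
    if off_flags & SYN:
        out |= RST
    if off_flags & URG:
        out |= SYN
    return out


def processing_info(info_fields: Tuple[int, int, int, int], key: bytes) -> int:
    """8-bit keyed tag over the information-bit fields (assumed encoding)."""
    msg = struct.pack("!HHHH", *info_fields)
    return hmac.new(key, msg, hashlib.sha256).digest()[0]


def convert(header: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Sender side: reorder the flags, compute the tag, store it on the extension bits."""
    src, dst, seq, ack, off_flags, win, csum, urg = TCP_HDR.unpack(header)
    if seq > SEQ_MASK or ack > SEQ_MASK:
        raise ValueError("sequence/acknowledgment numbers must fit in 28 bits")
    off_flags = reorder_flags(off_flags)
    tag = processing_info((off_flags, win, csum, urg), key)
    seq |= (tag >> 4) << SEQ_BITS          # high nibble on the seq extension bits
    ack |= (tag & 0x0F) << SEQ_BITS        # low nibble on the ack extension bits
    return TCP_HDR.pack(src, dst, seq, ack, off_flags, win, csum, urg)


def receive(header: bytes, key: bytes = SHARED_KEY) -> Optional[bytes]:
    """Receiver side: return the restored header, or None if the packet must be dropped."""
    if len(header) != TCP_HDR.size:
        return None
    src, dst, seq, ack, off_flags, win, csum, urg = TCP_HDR.unpack(header)
    got = ((seq >> SEQ_BITS) << 4) | (ack >> SEQ_BITS)
    expected = processing_info((off_flags, win, csum, urg), key)
    if not hmac.compare_digest(bytes([got]), bytes([expected])):
        return None                        # cannot be parsed as agreed: forged or tampered
    return TCP_HDR.pack(src, dst, seq & SEQ_MASK, ack & SEQ_MASK,
                        restore_flags(off_flags), win, csum, urg)


def plain_header(seq: int, ack: int, flags: int, window: int = 65535) -> bytes:
    """Constructed sample header: data offset 5 (no options), checksum left at zero."""
    return TCP_HDR.pack(40000, 443, seq, ack, (5 << 12) | flags, window, 0, 0)


if __name__ == "__main__":
    syn = plain_header(0x0123456, 0, SYN)
    wire = convert(syn)
    print("converted packet restored byte for byte:", receive(wire) == syn)
    print("standard-layout packet dropped:", receive(syn) is None)
    tampered = wire[:14] + b"\x00\x10" + wire[16:]   # window altered after conversion
    print("tampered packet dropped:", receive(tampered) is None)
```

A packet produced by convert() is restored byte for byte, while a packet built with the standard flag layout, or one whose window or checksum was altered after conversion, fails the tag check and is dropped. Eight bits of tag leave a forged packet a 1-in-256 chance of slipping through, which is why a deployment would want to spend any positions freed by the patent's compression step on a longer tag rather than on meaningless padding.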

As an optional solution, the apparatus that parses the converted communication protocol packet according to the processing information of the anti-attack pre-processing indicated by the extension bits in the packet header comprises at least one of the following: a NIC driver, a virtual NIC, or a local gateway.

This is explained with the following example. As an optional implementation, shown in FIG. 4 and taking a TCP packet as the example, a TCP client 402 is provided on the terminal acting as the sending device and a TCP server 404 is provided on the server acting as the receiving device. In this embodiment, a NIC driver 406-1 is installed on the TCP client as the anti-attack apparatus to perform the pre-processing of the anti-attack transmission method described above, and a NIC driver 406-2 is installed on the TCP server as the anti-attack detection apparatus to perform the parsing of that method.

It should be noted that in this embodiment the TCP client still communicates normally through the physical NIC. The only difference is that the NIC driver checks the destination of the communication: if it finds that the client is communicating with the external TCP anti-attack detection apparatus, it processes the data packet according to the pre-agreed format; otherwise it sends the packet to the destination unchanged.

As another optional implementation, shown in FIG. 5 and again taking a TCP packet as the example, a TCP client 402 is provided on the terminal acting as the sending device and a TCP server 404 is provided on the server acting as the receiving device. In this embodiment, a virtual NIC 502-1 is installed on the TCP client as the anti-attack apparatus to perform the pre-processing of the anti-attack transmission method described above, and a virtual NIC 502-2 is installed on the TCP server as the anti-attack detection apparatus to perform the parsing of that method.

It should be noted that in this embodiment this arrangement behaves much like a tunnel link. The TCP client only needs to send data to the designated NIC; in practice it is unaware of changes to the physical link, and all communication with the external TCP anti-attack detection apparatus is proxied by the virtual NIC.

As yet another optional implementation, shown in FIG. 6 and again taking a TCP packet as the example, a TCP client is provided on the terminal acting as the sending device and a TCP server is provided on the server acting as the receiving device. In this embodiment, a local gateway 602-1 is installed on the TCP client side as the anti-attack apparatus to perform the pre-processing of the anti-attack transmission method described above, and a local gateway 602-2 is installed on the TCP server side as the anti-attack detection apparatus to perform the parsing of that method.

It should be noted that in this scenario the TCP client only needs to establish a communication relationship with the local gateway; the local gateway is responsible for communicating with the external TCP anti-attack detection apparatus.

Through the embodiments provided by the present invention, the anti-attack data transmission described above is implemented by different apparatuses, so that anti-attack control can take diverse forms.

Embodiment 3

According to an embodiment of the present invention, an embodiment of an anti-attack data transmission apparatus is provided. The apparatus is located in the sending device and, as shown in FIG. 8, comprises: 1) an obtaining unit 802, configured to obtain the communication protocol packet to be transmitted; 2) an anti-attack pre-processing unit 804, configured to perform anti-attack pre-processing on the data on the information bits in the packet header of the communication protocol packet and generate processing information; 3) a saving unit 806, configured to store the processing information on the extension bits in the packet header of the communication protocol packet to obtain the converted communication protocol packet, where the packet header comprises the information bits and the extension bits; and 4) a sending unit 808, configured to send the converted communication protocol packet to the receiving device.

Optionally, in this embodiment, the anti-attack data transmission apparatus described above may be, but is not limited to being, applied in the application environment shown in FIG. 2, in which the terminal 202 acting as the sending device communicates over the network 204 with the server 206 acting as the receiving device according to a predetermined communication protocol. The network may include, but is not limited to, a local area network, a metropolitan area network or a wide area network, and the terminal may include, but is not limited to, a mobile phone, PC, laptop or tablet. The above is only an example and this embodiment imposes no limitation on it.

It should be noted that the sending device may be, but is not limited to, a collection device capable of collecting data in the network, for example a router, which may collect the communication protocol packets to be transmitted through the NETFLOW protocol.

Specifically, after obtaining the communication protocol packet to be transmitted, the terminal 202 acting as the sending device performs anti-attack pre-processing on the data on the information bits in the packet header, generates the corresponding processing information, and stores that processing information on the extension bits in the packet header to obtain the converted communication protocol packet; it then sends the converted packet to the server 206 acting as the receiving device.

It should be noted that in the embodiment of the present invention the sending device performs anti-attack pre-processing directly on the data on the information bits of the communication protocol packet to be transmitted and stores the processing information of that pre-processing on newly designated extension bits in the original packet. The pre-processing operation is one agreed between the sending device and the receiving device to be performed on the data on the information bits of the packet header, and it serves to defend against attacks that arise during communication. In other words, after the sending device applies the pre-processing agreed with the receiving device, the receiving device can parse the packet directly according to the agreement: if the data can be parsed, it is normal traffic; if it cannot be parsed normally, it can be judged abnormal traffic and simply discarded, thereby defending against the attack that the abnormal traffic represents. Thus, while the sending device communicates with the receiving device according to the communication protocol, the security and accuracy of data transmission are improved without affecting normal communication, avoiding the problem of existing anti-attack methods accidentally damaging normally transmitted traffic.

Optionally, in this embodiment, the communication protocol packet may be, but is not limited to, a Transmission Control Protocol (TCP) packet, whose data format may be as follows:

Data format of a TCP packet:

As can be seen from the above, the first 20 bytes of a TCP packet are fixed, followed by 4N bytes of options added as needed. Among the fields, the header length, URG, ACK, RST, SYN, FIN, window size, TCP checksum and urgent pointer are the information bits that carry important information in a TCP packet.

In this embodiment, unlike the prior art, which protects the entire TCP packet against attack, anti-attack pre-processing protection is applied to the data on the information bits of the packet header. When the receiving device receives the TCP packet it therefore does not need to clean and filter all traffic by means of bandwidth-based traffic scrubbing, which avoids normal traffic being mistakenly killed as abnormal traffic. The receiving device determines whether the data on the corresponding information bits can be parsed in the agreed manner and thereby directly filters communication protocol packets forged by an attacker, further improving the accuracy of attack defence during data transmission. The packet format of the converted communication protocol packet is as follows:

Packet format of the converted communication protocol packet:

Optionally, in this embodiment, the extension bits in the communication protocol packet may be, but are not limited to, extension bits newly designated within the original communication protocol packet; that is, without increasing the packet length, some positions are designated as extension bits used to hold the processing information of the anti-attack pre-processing. This ensures the security of data transmission without adding to the packet payload overhead.

Optionally, in this embodiment, the anti-attack pre-processing may include, but is not limited to, at least one of the following operations: 1) adjusting the order of the data on the information bits; 2) compressing the data on the information bits in whole or in part and filling padding characters into the positions freed by compression; 3) encrypting the data on the information bits in whole or in part; or 4) signing the data on the information bits in whole or in part.

It should be noted that "in whole" above refers to the data on all of the information bits and "in part" refers to the data on some of the information bits. In addition, the padding characters may be, but are not limited to, characters with no actual meaning, and they may also, but need not, serve as extension bits for other information. This embodiment imposes no limitation on this.

Optionally, in this embodiment, before the converted communication protocol packet is sent to the receiving device, the method further comprises: S1, deploying network devices; that is, arranging the network devices in the network according to the actual amount of traffic transmitted.

Optionally, in this embodiment, when the traffic exceeds the predetermined threshold, a gateway-type network device is deployed between the sending device and the receiving device so that it forwards part of the traffic to a third-party receiving device. This prevents the original receiving device from being overloaded, reducing its load and avoiding a system crash of the receiving device due to overload.

Optionally, in this embodiment, when the traffic is at or below the predetermined threshold, the anti-attack pre-processing of the communication protocol packet to be transmitted can be performed directly by deploying at least one of the following on the sending side: a NIC driver, a virtual NIC, or a local gateway.

Through the embodiment provided by the present invention, the sending device performs anti-attack pre-processing directly on the data on the information bits of the communication protocol packet to be transmitted, stores the processing information of that pre-processing on newly designated extension bits in the original packet, and then sends the converted packet to the receiving device. In other words, the sending device sends the receiving device a communication protocol packet whose header information bits have undergone anti-attack pre-processing, so that normal traffic can be distinguished from abnormal traffic: the receiving device keeps the packets that parse correctly and filters out the abnormal packets that cannot be parsed, which accurately defends against attacks occurring during communication without affecting normal communication and avoids the problem of existing anti-attack methods accidentally damaging normally transmitted traffic. Further, in this embodiment only the data on the information bits in the packet header is pre-processed, not the data of the entire communication protocol packet, which keeps the transmission link transparent, prevents the converted packet from being deciphered, and further improves the security of data transmission.

As an optional solution, the anti-attack pre-processing unit 804 comprises at least one of the following:

1) An adjustment module, configured to adjust the order of the data on the information bits. This is explained with the following example: the information bits in the header of a TCP packet include the header length, URG, ACK, RST, SYN, FIN, window size, TCP checksum and urgent pointer. In this embodiment, when anti-attack pre-processing is applied to the data on these information bits, the order of the data can be adjusted accordingly, so that the TCP packet is pre-processed against attack while still being encapsulated and transmitted normally.

For example, the data format of the converted TCP packet may be as follows:

As can be seen from the above, in this example the order of URG, RST and SYN is adjusted, changing their publicly known positions in the communication protocol packet, so as to protect against third-party devices and avoid attacks originating from them.

2) A compression module, configured to compress the data on the information bits in whole or in part and fill padding characters into the positions freed by compression. This is explained with the following example: the information bits in the header of a TCP packet include the header length, URG, ACK, RST, SYN, FIN, window size, TCP checksum and urgent pointer. In this embodiment, when anti-attack pre-processing is applied to the data on these information bits, the data can be compressed in whole or in part, so that the TCP packet is pre-processed against attack while still being encapsulated and transmitted normally.

For example, the data format of the converted TCP packet may be as follows:

As can be seen from the above, in this example the TCP checksum is partially compressed, for example from 16 bits to 10 bits, and the freed positions are filled with certain characters, changing the publicly known position of the TCP checksum in the communication protocol packet, so as to protect against third-party devices and avoid attacks originating from them.

Optionally, in this embodiment, the data on the information bits may also be compressed as a whole in proportion; the compression method is the same as the partial compression described above and is not repeated here.

3) An encryption module, configured to encrypt the data on the information bits in whole or in part. Optionally, in this embodiment, all of the data on the information bits may be encrypted as a whole, or only the data at some predetermined positions among the information bits may be encrypted; this example imposes no limitation on the encryption method.

4) A signature module, configured to sign the data on the information bits in whole or in part.

Optionally, in this embodiment, the signature refers to a digit string that only the sender of the information can generate and that others cannot forge; this string is also valid proof of the authenticity of the information sent by the sender.

Optionally, in this embodiment, signature authentication may be applied to all of the data on the information bits as a whole, or only to the data at some predetermined positions among the information bits; this example imposes no limitation on the signing method.

Through the embodiment provided by the present invention, anti-attack pre-processing is applied to the data on the information bits in the packet header by at least one of the methods above. Pre-processing the header data further improves the security of the communication protocol packet to be transmitted and prevents a third-party device from launching an attack after deciphering the pre-processing operation; further, it enables the receiving device to parse the received converted communication protocol packet in the manner corresponding to the pre-processing operation, correctly identify normal and abnormal traffic, and overcome the error problem present in the prior art.

As an optional solution, the apparatus further comprises: 1) a setting unit, configured to designate some of the bytes in the packet header of the communication protocol packet as extension bits before the anti-attack pre-processing is performed on the data on the information bits of the packet header.

Optionally, in this embodiment, the setting unit comprises: 1) a setting module, configured to designate some of the bytes of the sequence number and/or acknowledgement number in the packet header as extension bits.

Optionally, in this embodiment, the anti-attack data transmission apparatus is implemented on TCP packets. Taking into account the characteristics of IP forwarding and of the TCP protocol, this embodiment designates part of the existing fields in the TCP packet header as extension bits, so that the TCP packet to be transmitted can be pre-processed without adding packet payload overhead (that is, without increasing the packet length), preserving the compatibility and consistency of the TCP protocol during transmission.

It should be noted that in a TCP packet the sequence number and acknowledgement number are both 32 bits; these two numbers identify the length of the previously transmitted segment. Considering the current network transmission environment, on Ethernet the maximum length of a single frame is 8192 bytes (jumbo frame length), whereas 32 bits can represent 2^32 = 4G bytes, so there is room to spare in these fields. For example, if 28 bits are used as the sequence number and 4 bits of each field are reserved as extension bits, those 8 bits can be used to identify the processing information of the pre-processing described above. Using these extension bits, at least one pre-processing operation such as signing, TCP header reassembly, obfuscation or encryption is applied to the data on the information bits of the packet header, and the converted TCP packet is sent to the receiving device.

Through the embodiment provided by the present invention, extension bits are designated in the original communication protocol packet so that the pre-processing applied to the data on the information bits of the packet header can be recorded in them, allowing the receiving device to parse the corresponding data correctly according to the agreement. Normal traffic is thus accurately distinguished from abnormal traffic, overcoming the problem in the prior art of accidentally damaging normally transmitted traffic.
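The field-reordering pre-processing of the adjustment module and the use of the top 4 bits of the sequence and acknowledgement numbers as extension bits, as an added Python example that is not code from the patent: the mode code, the URG/RST/SYN rotation, the receiver's drop rule and the sample header values are all constructed assumptions.

```python
"""Constructed example of sender-side anti-attack pre-processing on a TCP header
and the receiver-side parse/filter step.  Not code from the patent; the mode
code, rotation and sample values are assumptions made for illustration."""
import struct

# RFC 793 fixed 20-byte TCP header, big-endian:
# src port(16) dst port(16) seq(32) ack(32) offset/flags(16) window(16) checksum(16) urgent(16)
TCP_HDR = struct.Struct("!HHIIHHHH")

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Assumption following the description: the high 4 bits of seq and of ack are
# extension bits, leaving 28-bit sequence/acknowledgement numbers.
NUM_MASK = 0x0FFFFFFF
EXT_SHIFT = 28

MODE_REORDER = 0x1          # constructed mode code: URG/RST/SYN positions rotated
KNOWN_MODES = {MODE_REORDER}


def pack_header(h):
    offset_flags = (h["data_offset"] << 12) | (h["flags"] & 0x3F)
    return TCP_HDR.pack(h["sport"], h["dport"], h["seq"], h["ack"],
                        offset_flags, h["window"], h["checksum"], h["urgent"])


def parse_header(raw):
    sport, dport, seq, ack, of, window, checksum, urgent = TCP_HDR.unpack(raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": of >> 12, "flags": of & 0x3F,
            "window": window, "checksum": checksum, "urgent": urgent}


def rotate_flags(flags, forward=True):
    """Rotate the URG, RST and SYN bits into each other's positions
    (URG -> RST -> SYN -> URG); forward=False applies the inverse rotation."""
    others = flags & ~(URG | RST | SYN)
    u, r, s = bool(flags & URG), bool(flags & RST), bool(flags & SYN)
    if forward:
        u, r, s = s, u, r   # new URG = old SYN, new RST = old URG, new SYN = old RST
    else:
        u, r, s = r, s, u   # inverse of the line above
    return others | (URG if u else 0) | (RST if r else 0) | (SYN if s else 0)


def preprocess(hdr, mode=MODE_REORDER):
    """Sender side: apply the agreed transform to the information bits and record
    the mode code in the extension bits (high nibble of seq and of ack)."""
    if hdr["seq"] > NUM_MASK or hdr["ack"] > NUM_MASK:
        raise ValueError("sequence/ack numbers must fit in 28 bits")
    out = dict(hdr)
    out["seq"] = (mode << EXT_SHIFT) | hdr["seq"]
    out["ack"] = (mode << EXT_SHIFT) | hdr["ack"]
    if mode == MODE_REORDER:
        out["flags"] = rotate_flags(hdr["flags"], forward=True)
    return pack_header(out)


def parse_converted(raw):
    """Receiver side: read the mode code from the extension bits, undo the
    transform and return the original header.  Returns None when the packet does
    not parse (short header, unknown mode, or seq/ack extension bits that
    disagree), which the receiver treats as abnormal traffic and drops.  Note the
    8 extension bits are an agreed marker, not a secret: a packet that happens to
    carry matching nibbles is accepted, so this filters unaware senders only."""
    if len(raw) < 20:
        return None
    hdr = parse_header(raw)
    mode_seq, mode_ack = hdr["seq"] >> EXT_SHIFT, hdr["ack"] >> EXT_SHIFT
    if mode_seq != mode_ack or mode_seq not in KNOWN_MODES:
        return None
    hdr["seq"] &= NUM_MASK
    hdr["ack"] &= NUM_MASK
    if mode_seq == MODE_REORDER:
        hdr["flags"] = rotate_flags(hdr["flags"], forward=False)
    return hdr


def filter_traffic(packets):
    """Return (parsed normal headers, number of packets dropped)."""
    accepted, dropped = [], 0
    for raw in packets:
        hdr = parse_converted(raw)
        if hdr is None:
            dropped += 1
        else:
            accepted.append(hdr)
    return accepted, dropped


# Constructed sample: one SYN from the agreed client, converted, and the same
# header sent plainly, as a sender unaware of the scheme would.
ORIGINAL = {"sport": 40000, "dport": 443, "seq": 0x0ABCDEF0, "ack": 0,
            "data_offset": 5, "flags": SYN, "window": 65535,
            "checksum": 0x1234, "urgent": 0}
CONVERTED = preprocess(ORIGINAL)
PLAIN = pack_header(ORIGINAL)

if __name__ == "__main__":
    ok, dropped = filter_traffic([CONVERTED, PLAIN])
    print(ok[0] == ORIGINAL, dropped)   # True 1
```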

As an optional solution, the apparatus further comprises: 1) a judging unit, configured to judge, before the converted communication protocol packet is sent to the receiving device, whether the traffic of the current communication protocol packets exceeds a predetermined threshold; and 2) a configuration unit, configured to deploy a gateway-type network device in the transmission link ahead of the receiving device when the traffic exceeds the predetermined threshold, so that the gateway-type network device, acting on behalf of the receiving device, forwards converted communication protocol packets to a third-party device for processing.

Optionally, in this embodiment, when the traffic exceeds the predetermined threshold, a gateway-type network device is deployed between the sending device and the receiving device so that it forwards part of the traffic to a third-party receiving device. This prevents the original receiving device from being overloaded, reducing its load and avoiding a system crash of the receiving device due to overload. The predetermined threshold may be, but is not limited to being, determined according to the processing load of the receiving device.

This is explained with the following example, taking TCP packets. As shown in FIG. 3, before the terminal 202 sends TCP packets to the server 206, the terminal 202 acting as the sending device can judge from the current network traffic whether the server 206 acting as the receiving device can process it normally. For example, suppose the predetermined threshold is 100M and the current traffic is 120M: the terminal 202 compares the two, finds that the traffic exceeds the threshold, and deploys the gateway-type network device 302 in the network so that it forwards the excess 20M of traffic to a third-party device, avoiding a system crash of the receiving device due to overload.

Through the embodiment provided by the present invention, the traffic of the current communication protocol packets is compared in advance with the predetermined threshold to decide whether a gateway-type network device should be deployed in the transmission link, so that a system crash of the receiving device due to overload is avoided while defending against attacks.

As an optional solution, the anti-attack pre-processing unit comprises at least one of the following: a NIC driver, a virtual NIC, or a local gateway.

This is explained with the following example. As an optional implementation, shown in FIG. 4 and taking a TCP packet as the example, a TCP client 402 is provided on the terminal acting as the sending device and a TCP server 404 is provided on the server acting as the receiving device. In this embodiment, a NIC driver 406-1 is installed on the TCP client as the anti-attack apparatus to perform the pre-processing of the anti-attack transmission apparatus described above, and a NIC driver 406-2 is installed on the TCP server as the anti-attack detection apparatus to perform the parsing of that apparatus.

It should be noted that in this embodiment the TCP client still communicates normally through the physical NIC. The only difference is that the NIC driver checks the destination of the communication: if it finds that the client is communicating with the external TCP anti-attack detection apparatus, it processes the data packet according to the pre-agreed format; otherwise it sends the packet to the destination unchanged.

As another optional implementation, shown in FIG. 5 and again taking a TCP packet as the example, a TCP client 402 is provided on the terminal acting as the sending device and a TCP server 404 is provided on the server acting as the receiving device. In this embodiment, a virtual NIC 502-1 is installed on the TCP client as the anti-attack apparatus to perform the pre-processing of the anti-attack transmission apparatus described above, and a virtual NIC 502-2 is installed on the TCP server as the anti-attack detection apparatus to perform the parsing of that apparatus.

It should be noted that in this embodiment this arrangement behaves much like a tunnel link. The TCP client only needs to send data to the designated NIC; in practice it is unaware of changes to the physical link, and all communication with the external TCP anti-attack detection apparatus is proxied by the virtual NIC.

As yet another optional implementation, shown in FIG. 6 and again taking a TCP packet as the example, a TCP client is provided on the terminal acting as the sending device and a TCP server is provided on the server acting as the receiving device. In this embodiment, a local gateway 602-1 is installed on the TCP client side as the anti-attack apparatus to perform the pre-processing of the anti-attack transmission apparatus described above, and a local gateway 602-2 is installed on the TCP server side as the anti-attack detection apparatus to perform the parsing of that apparatus.

需要說明的是,在本實施例中,這種場景下TCP用戶端只需要和本地閘道建立通信關係即可。由本地閘道負責和外部TCP協定防攻擊檢測裝置通信即可。 It should be noted that, in this embodiment, the TCP client only needs to establish a communication relationship with the local gateway in this scenario. The local gateway is responsible for communicating with the external TCP protocol anti-attack detection device.

透過本發明提供的實施例,透過不同的裝置實現上述防攻擊資料傳輸,以實現防攻擊控制的多樣化。 Through the embodiments provided by the present invention, the above-mentioned anti-attack data transmission is implemented through different devices to implement diversification of anti-attack control.

Example 4

According to an embodiment of the present invention, an embodiment of an anti-attack data transmission apparatus is provided. The apparatus is located in the receiving device and, as shown in FIG. 9, includes: 1) a receiving unit 902, configured to receive a converted communication protocol packet obtained after anti-attack preprocessing; 2) a parsing unit 904, configured to parse the converted communication protocol packet according to the processing information of the anti-attack preprocessing indicated by the extension bits located in the packet header of the converted packet; 3) an obtaining unit 906, configured to obtain the data on the information bits located in the packet header of the converted communication protocol packet, wherein the packet header of the communication protocol packet includes the information bits and the extension bits.

Optionally, in this embodiment, the above anti-attack data transmission apparatus may be, but is not limited to being, applied in the application environment shown in FIG. 2, in which a terminal 202 acting as the sending device communicates over a network 204 with a server 206 acting as the receiving device according to a predetermined communication protocol. The network may include, but is not limited to, a local area network, a metropolitan area network or a wide area network, and the terminal may include, but is not limited to, a mobile phone, a PC, a notebook or a tablet computer. The above is only an example, and this embodiment does not limit it in any way.

It should be noted that the receiving device may also be, but is not limited to, a router. By installing a predetermined program in the router, the processing information of the anti-attack preprocessing indicated by the extension bits located in the packet header of the received converted communication protocol packet is parsed, so as to obtain the converted communication protocol packet.

Specifically, the server 206 acting as the receiving device receives the converted communication protocol packet obtained after anti-attack preprocessing; further, it parses the converted packet according to the processing information of the anti-attack preprocessing indicated by the extension bits located in the packet header of the converted packet, so as to obtain the data on the information bits located in the packet header of the converted packet, wherein the packet header of the communication protocol packet includes the information bits and the extension bits.

It should be noted that in the embodiments of the present invention, anti-attack preprocessing is performed on the sending device directly on the data of the information bits of the communication protocol packet to be transmitted, and the processing information of that preprocessing is stored on extension bits newly set in the original communication protocol packet, so that the receiving device can parse the packet according to the agreement between the two parties and obtain the data on the information bits of the packet header. If the data can be parsed correctly, the packet is normal data traffic; if it cannot be parsed correctly, the packet can be judged to be abnormal data traffic, and the attack corresponding to that abnormal traffic can be defended against directly by discarding it. Thus, while the sending device communicates with the receiving device according to the communication protocol, the security and accuracy of data transmission are improved without affecting normal communication, and the problem that existing anti-attack methods accidentally damage normally transmitted data traffic is avoided.

Optionally, in this embodiment, the communication protocol packet may be, but is not limited to, a Transmission Control Protocol (TCP) packet, where the data format of a TCP packet may be as follows: Data format of a TCP packet:

As can be seen from the above, the first 20 bytes of a TCP packet are fixed, followed by 4N bytes of options added as needed. Among these, the header length, URG, ACK, RST, SYN, FIN, window size, TCP checksum and urgent pointer are all information bits that carry important information in the TCP packet.

In this embodiment, rather than protecting the entire TCP packet against attack as in the prior art, anti-attack preprocessing protection is applied to the data on the information bits of the packet header. When the receiving device receives the TCP packet, it therefore does not need to scrub and filter all data traffic by way of bandwidth traffic scrubbing, which avoids the problem of normal data traffic being mistakenly dropped as abnormal data traffic. By judging whether the data on the corresponding information bits can be parsed in the agreed manner, the receiving device directly filters out communication protocol packets forged by the attacking end, further improving the accuracy of attack defense during data transmission. The packet format of the converted communication protocol packet is as follows: Packet format of the converted communication protocol packet:

Optionally, in this embodiment, the extension bits in the communication protocol packet may be, but are not limited to, extension bits newly set in the original communication protocol packet; that is, without increasing the packet length, some positions are set as extension bits for holding the processing information of the anti-attack preprocessing. The security of data transmission is thereby ensured without adding packet payload overhead.

Optionally, in this embodiment, the anti-attack preprocessing may include, but is not limited to, at least one of the following operations: 1) adjusting the order of the data on the information bits; or 2) compressing the data on the information bits in whole or in part and filling padding characters into the positions freed by the compression; or 3) encrypting the data on the information bits in whole or in part; or 4) signing the data on the information bits in whole or in part.

It should be noted that "in whole" above refers to the data on all of the information bits, and "in part" refers to the data on some of the information bits. In addition, the padding characters may be, but are not limited to, characters with no actual meaning, or may be, but are not limited to, extension bits used for other information. This embodiment does not limit this in any way.

Optionally, in this embodiment, before the converted communication protocol packet is sent to the receiving device, the method further includes: S1, deploying network devices. That is, the network devices in the network are laid out according to the data traffic actually transmitted.

Optionally, in this embodiment, when the data traffic is greater than a predetermined threshold, a gateway-type network device is set between the sending device and the receiving device so that this network device forwards part of the data traffic to a third-party receiving device, avoiding overload of the original receiving device, thereby reducing device load and avoiding a system crash of the receiving device due to overload.

Optionally, in this embodiment, when the data traffic is less than or equal to the predetermined threshold, anti-attack preprocessing of the communication protocol packet to be transmitted may be performed directly by setting at least one of the following devices on the sending side: a network card driver, a virtual network card or a local gateway.

Through the embodiments provided by the present invention, the server 206 acting as the receiving device receives the converted communication protocol packet obtained after anti-attack preprocessing; further, it parses the converted packet according to the processing information of the anti-attack preprocessing indicated by the extension bits located in the packet header, so as to obtain the data on the information bits located in the packet header of the converted packet, wherein the packet header of the communication protocol packet includes the information bits and the extension bits. That is, the receiving device parses the data on the information bits of the packet header of each received communication protocol packet, processes the normal data traffic that parses correctly, and filters out the abnormal data traffic, thereby distinguishing normal data traffic from abnormal data traffic. The receiving device thus obtains the communication protocol packets that parse correctly and filters out the abnormal packets that cannot be parsed correctly, which accurately defends against attacks occurring during communication without affecting normal communication, and so avoids the problem that existing anti-attack methods accidentally damage normally transmitted data traffic.
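The following Python is an added illustration of the method described above (it is not code from the patent or its applicant): a sender-side device signs the header's information bits (preprocessing operation 4), stores the resulting 16-bit tag in an extension slot inside the fixed 20-byte TCP header so the length does not change, and a receiver-side device restores any segment whose tag verifies and drops everything else as abnormal traffic. The functions `protect` and `restore_or_drop`, the shared key, the documentation addresses and the segments are all constructed assumptions; the extension slot chosen here is the checksum field, which the receiver-side device can recompute losslessly, rather than the sequence/acknowledgement bytes named in claim 4.

```python
# Added illustration of the patent's method, not code from the patent or its applicant.
import hashlib
import hmac
import ipaddress
import struct

TCP_HDR = struct.Struct("!HHIIBBHHH")  # 20-byte fixed TCP header, no options
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
EXT_SLOT = slice(16, 18)  # assumed extension slot: the 16-bit checksum field


def _pseudo_header(src_ip, dst_ip, length):
    """IPv4 pseudo-header that the TCP checksum (and, here, the tag) covers."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, 6, length))


def tcp_checksum(src_ip, dst_ip, segment):
    """Standard one's-complement TCP checksum over pseudo-header + segment."""
    data = _pseudo_header(src_ip, dst_ip, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload=b""):
    """What the TCP stack hands to the sender-side device: a valid, checksummed segment."""
    hdr = TCP_HDR.pack(sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def _tag(key, src_ip, dst_ip, header):
    """Processing information: 16-bit HMAC over the information bits.
    Covered: every header field except the extension slot (ports, seq, ack,
    header length, flags, window, urgent pointer), bound to the address pair."""
    info_bits = header[:16] + header[18:]
    mac = hmac.new(key, _pseudo_header(src_ip, dst_ip, 20) + info_bits, hashlib.sha256)
    return mac.digest()[:2]


def protect(key, src_ip, dst_ip, segment):
    """Sender-side device (NIC driver / virtual NIC / local gateway): sign the
    information bits and store the tag in the extension slot; length is unchanged."""
    header, payload = segment[:20], segment[20:]
    return header[:16] + _tag(key, src_ip, dst_ip, header) + header[18:] + payload


def restore_or_drop(key, src_ip, dst_ip, segment):
    """Receiver-side device: a segment whose tag verifies is restored (checksum
    recomputed) and handed to the stack; anything else is abnormal traffic -> None."""
    if len(segment) < 20:
        return None
    header, payload = segment[:20], segment[20:]
    if not hmac.compare_digest(segment[EXT_SLOT], _tag(key, src_ip, dst_ip, header)):
        return None
    zeroed = header[:16] + b"\x00\x00" + header[18:] + payload
    csum = tcp_checksum(src_ip, dst_ip, zeroed)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def demo():
    """Round trip, plus the kinds of traffic the receiver-side device rejects."""
    key = b"constructed-shared-key"            # agreed out of band by both devices
    src, dst = "192.0.2.10", "198.51.100.20"  # RFC 5737 documentation addresses
    syn = build_segment(src, dst, 40000, 443, 1000, 0, SYN, 65535)
    wire = protect(key, src, dst, syn)
    # A tag damaged in one bit can never verify (deterministic drop).
    bad_tag = wire[:16] + bytes([wire[16] ^ 0x01, wire[17]]) + wire[18:]
    # Flags altered in transit (e.g. an injected RST) break the signature.
    forged_rst = wire[:13] + bytes([wire[13] | RST]) + wire[14:]
    return {
        "round_trip": restore_or_drop(key, src, dst, wire) == syn,
        "same_length": len(wire) == len(syn),
        "bad_tag_dropped": restore_or_drop(key, src, dst, bad_tag) is None,
        # The unprotected SYN carries its checksum where the tag should be.
        "plain_syn_dropped": restore_or_drop(key, src, dst, syn) is None,
        "forged_rst_dropped": restore_or_drop(key, src, dst, forged_rst) is None,
    }


if __name__ == "__main__":
    print(demo())
```

A 16-bit tag only narrows forgery to a 1-in-65536 guess per packet, and middleboxes that validate TCP checksums will discard the protected form, which is why the patent places the transform in a driver, virtual NIC or gateway at both ends.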

As an optional solution, the parsing unit 904 includes at least one of the following: a network card driver, a virtual network card or a local gateway.

This is described with reference to the following examples. As an optional implementation, as shown in FIG. 4 and taking a TCP packet as an example, a TCP client 402 is provided on the terminal acting as the sending device and a TCP server 404 on the server acting as the receiving device. In this embodiment, a network card driver 406-1 is set on the TCP client side as the anti-attack device to implement the preprocessing operation of the above anti-attack transmission apparatus, and a network card driver 406-2 is set on the TCP server side as the anti-attack detection device to implement the parsing operation of the above anti-attack transmission apparatus.

It should be noted that in this embodiment the TCP client still communicates normally through the physical network card. Only the network card driver checks the destination of the communication: if it finds that the communication is with the external TCP anti-attack detection device, it processes the data packet according to the pre-agreed format; otherwise it sends the packet to the destination unchanged.

As another optional implementation, as shown in FIG. 5 and again taking a TCP packet as an example, a TCP client 402 is provided on the terminal acting as the sending device and a TCP server 404 on the server acting as the receiving device. In this embodiment, a virtual network card 502-1 is set on the TCP client side as the anti-attack device to implement the preprocessing operation of the above anti-attack transmission apparatus, and a virtual network card 502-2 is set on the TCP server side as the anti-attack detection device to implement the parsing operation of the above anti-attack transmission apparatus.

It should be noted that in this embodiment this arrangement behaves more like a link tunnel. The TCP client only needs to send data to the designated network card; in concrete operation it does not perceive changes in the physical link, and all communication with the external TCP anti-attack detection device is proxied by the virtual network card.

As yet another optional implementation, as shown in FIG. 6 and again taking a TCP packet as an example, a TCP client is provided on the terminal acting as the sending device and a TCP server on the server acting as the receiving device. In this embodiment, a local gateway 602-1 is set on the TCP client side as the anti-attack device to implement the preprocessing operation of the above anti-attack transmission apparatus, and a local gateway 602-2 is set on the TCP server side as the anti-attack detection device to implement the parsing operation of the above anti-attack transmission apparatus.

It should be noted that in this embodiment the TCP client only needs to establish a communication relationship with the local gateway in this scenario; the local gateway is responsible for communicating with the external TCP anti-attack detection device.

Through the embodiments provided by the present invention, the above anti-attack data transmission is implemented by different devices, so as to diversify anti-attack control.

Example 5

An embodiment of the present invention may provide a computer terminal, which may be any computer terminal device in a group of computer terminals. Optionally, in this embodiment, the computer terminal may also be replaced by a terminal device such as a mobile terminal.

Optionally, in this embodiment, the computer terminal may be located in at least one of a plurality of network devices of a computer network.

In this embodiment, the computer terminal may execute program code for the following steps of the application vulnerability detection method: S1, obtaining a communication protocol packet to be transmitted; S2, performing anti-attack preprocessing on the data on the information bits located in the packet header of the communication protocol packet to generate processing information; S3, storing the processing information on the extension bits in the packet header of the communication protocol packet to obtain a converted communication protocol packet, wherein the packet header of the communication protocol packet includes the information bits and the extension bits; S4, sending the converted communication protocol packet to the receiving device.

A person of ordinary skill in the art can understand that all or part of the steps of the various methods of the above embodiments may be completed by a program instructing the hardware related to the terminal device; the program may be stored in a computer-readable storage medium, which may include flash memory, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.

Example 6

An embodiment of the present invention may provide a computer server, which may be any computer server device in a group of computer servers.

Optionally, in this embodiment, the computer server may be located in at least one of a plurality of network devices of a computer network.

In this embodiment, the computer terminal may execute program code for the following steps of the application vulnerability detection method: S1, receiving a converted communication protocol packet obtained after anti-attack preprocessing; S2, parsing the converted communication protocol packet according to the processing information of the anti-attack preprocessing indicated by the extension bits located in the packet header of the converted packet; S3, obtaining the data on the information bits located in the packet header of the converted communication protocol packet, wherein the packet header of the communication protocol packet includes the information bits and the extension bits.

A person of ordinary skill in the art can understand that all or part of the steps of the various methods of the above embodiments may be completed by a program instructing the hardware related to the terminal device; the program may be stored in a computer-readable storage medium, which may include flash memory, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.

Example 7

An embodiment of the present invention further provides a storage medium. Optionally, in this embodiment, the storage medium may be used to store the program code executed by the anti-attack data transmission method provided in Embodiment 1 above.

Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: S1, obtaining a communication protocol packet to be transmitted; S2, performing anti-attack preprocessing on the data on the information bits located in the packet header of the communication protocol packet to generate processing information; S3, storing the processing information on the extension bits in the packet header of the communication protocol packet to obtain a converted communication protocol packet, wherein the packet header of the communication protocol packet includes the information bits and the extension bits; S4, sending the converted communication protocol packet to the receiving device.

Optionally, in this embodiment, the storage medium may include, but is not limited to, various media capable of storing program code, such as a USB flash drive, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk or an optical disc.

Optionally, for specific examples in this embodiment, reference may be made to the examples described in Embodiment 1 and Embodiment 2 above, which are not repeated here.

Example 8

An embodiment of the present invention further provides a storage medium. Optionally, in this embodiment, the storage medium may be used to store the program code executed by the anti-attack data transmission method provided in Embodiment 1 above.

Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: S1, receiving a converted communication protocol packet obtained after anti-attack preprocessing; S2, parsing the converted communication protocol packet according to the processing information of the anti-attack preprocessing indicated by the extension bits located in the packet header of the converted packet; S3, obtaining the data on the information bits located in the packet header of the converted communication protocol packet, wherein the packet header of the communication protocol packet includes the information bits and the extension bits.

Optionally, in this embodiment, the storage medium may include, but is not limited to, various media capable of storing program code, such as a USB flash drive, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk or an optical disc.

Optionally, for specific examples in this embodiment, reference may be made to the examples described in Embodiment 1 and Embodiment 2 above, which are not repeated here.

The serial numbers of the above embodiments of the present invention are for description only and do not indicate the relative merits of the embodiments.

In the above embodiments of the present invention, the description of each embodiment has its own emphasis; for parts not detailed in one embodiment, reference may be made to the related descriptions of other embodiments.

In the several embodiments provided by the present invention, it should be understood that the disclosed technical content may be implemented in other ways. The apparatus embodiments described above are merely illustrative. For example, the division into units may be a division by logical function, and other divisions are possible in actual implementation; for example, several units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or of another form.

The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over several units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented either in the form of hardware or in the form of a software functional unit.

If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the essence of the technical solution of the present invention, or the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including a number of instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk or an optical disc.

The above is only a preferred embodiment of the present invention. It should be pointed out that a person of ordinary skill in the art can make several improvements and refinements without departing from the principles of the present invention, and these improvements and refinements should also be regarded as within the scope of protection of the present invention.

Claims (16)

一種防攻擊資料傳輸方法,其特徵在於,包括:獲取待傳輸的通信協定報文;對該通信協定報文中位於報文頭部的資訊位元上的資料進行防攻擊預處理,產生處理資訊;將該處理資訊保存在該通信協定報文在該報文頭部中的擴展位元上,得到轉換後的通信協定報文,其中,該通信協定報文的該報文頭部包括該資訊位元和該擴展位元;發送該轉換後的通信協定報文至接收設備。  An anti-attack data transmission method, comprising: obtaining a communication protocol message to be transmitted; performing anti-attack pre-processing on the information bit located in the information bit of the message header in the communication protocol message, and generating processing information; Saving the processing information in the extension bit of the communication protocol message in the header of the message, to obtain the converted communication protocol message, wherein the message header of the communication protocol message includes the information bit And the extension bit; sending the converted communication protocol message to the receiving device.   根據請求項1所述的方法,其中,對該通信協定報文中位於報文頭部的資訊位元上的資料進行防攻擊預處理包括以下至少之一:調整該資訊位元上的資料的順序;或者對該資訊位元上的資料進行整體或局部的壓縮,並填補字元到壓縮後的空閒位置;或者對該資訊位元上的資料進行整體或局部的加密;或者對該資訊位元上的資料進行整體或局部的簽名。  The method of claim 1, wherein the anti-attack pre-processing of the data on the information bit located in the header of the communication protocol message comprises at least one of the following: adjusting the order of the information on the information bit Or compressing the data on the information bit in whole or in part, and filling the character into the compressed idle position; or encrypting the information on the information bit in whole or in part; or the information bit The information on the whole is signed in whole or in part.   根據請求項1所述的方法,其中,在對該通信協定報文中位於報文頭部的資訊位元上的資料進行防攻擊預處理之前,還包括:將該通信協定報文中位於該報文頭部的部分位元組設置為該擴展位元。  The method of claim 1, wherein before the anti-attack pre-processing of the data in the information packet of the packet header, the method further includes: the packet in the communication protocol packet is located in the packet A partial byte of the header is set as the extension bit.   
根據請求項3所述的方法,其中,將該通信協定報文中位於報文頭部的部分位元組設置為擴展位元包括: 將該報文頭部中的序號和/或確認號中的部分位元組設置為該擴展位元。  The method of claim 3, wherein setting a partial byte in the header of the communication protocol message to the extension bit includes: a sequence number and/or a confirmation number in the header of the message Some of the bytes are set to the extension bit.   根據請求項1所述的方法,其中,在發送該轉換後的通信協定報文至接收設備之前,還包括:判斷當前該通信協定報文的資料流程量是否大於預定閾值;若該資料流程量大於該預定閾值,則在到達該接收設備之前的傳輸鏈路中配置閘道型網路設備,以使該閘道型網路設備代理該接收設備將該轉換後的通信協定報文轉發給第三方設備處理。  The method of claim 1, wherein before the sending the converted communication protocol message to the receiving device, the method further comprises: determining whether the data flow of the current communication protocol message is greater than a predetermined threshold; If the threshold is greater than the predetermined threshold, the gateway type network device is configured in the transmission link before the receiving device, so that the gateway type network device proxy the receiving device forwards the converted communication protocol message to the first Three-party equipment processing.   根據請求項1所述的方法,其中,對該通信協定報文中位於報文頭部的資訊位元上的資料進行防攻擊預處理的裝置包括以下至少之一:網卡驅動、虛擬網卡或本地閘道。  The method of claim 1, wherein the device for performing anti-attack pre-processing on the information element of the communication protocol packet located in the information bit of the packet header comprises at least one of the following: a network card driver, a virtual network card or a local gate. Road.   
一種防攻擊資料傳輸方法,其特徵在於,包括:接收經防攻擊預處理後得到的轉換後的通信協定報文;根據該轉換後的通信協定報文中位於報文頭部的擴展位元所指示的該防攻擊預處理的處理資訊解析該轉換後的通信協定報文;獲取該轉換後的通信協定報文中位於該報文頭部的資訊位元上的資料,其中,該通信協定報文的該報文頭部包括該資訊位元和該擴展位元。  An anti-attack data transmission method, comprising: receiving a converted communication protocol message obtained after an anti-attack pre-processing; and indicating, according to an extension bit in a message header of the converted communication protocol message The processing information of the anti-attack pre-processing parses the converted communication protocol message; and obtains the information of the converted communication protocol message located on the information bit of the header of the message, wherein the communication protocol message The message header includes the information bit and the extension bit.   根據請求項7所述的方法,其中,根據該轉換後 的通信協定報文中位於報文頭部的擴展位元所指示的該防攻擊預處理的處理資訊解析該轉換後的通信協定報文的裝置包括以下至少之一:網卡驅動、虛擬網卡或本地閘道。  The method of claim 7, wherein the converted communication protocol message is parsed according to the processing information of the anti-attack pre-processing indicated by the extension bit in the packet header of the converted communication protocol message. The device includes at least one of the following: a network card driver, a virtual network card, or a local gateway.   
9. An anti-attack data transmission apparatus, characterized in that it is located in a sending device and comprises: an obtaining unit, configured to obtain a communication protocol packet to be transmitted; an anti-attack preprocessing unit, configured to perform anti-attack preprocessing on the data located in the information bits of the packet header of the communication protocol packet to generate processing information; a storing unit, configured to store the processing information in the extension bits of the packet header of the communication protocol packet to obtain a converted communication protocol packet, wherein the packet header of the communication protocol packet comprises the information bits and the extension bits; and a sending unit, configured to send the converted communication protocol packet to a receiving device.

10. The apparatus of claim 9, wherein the anti-attack preprocessing unit comprises at least one of the following: an adjusting module, configured to adjust the order of the data in the information bits; a compressing module, configured to compress all or part of the data in the information bits and fill the positions freed by compression with padding characters; an encrypting module, configured to encrypt all or part of the data in the information bits; or a signing module, configured to sign all or part of the data in the information bits.
11. The apparatus of claim 9, further comprising: a setting unit, configured to set part of the bytes located in the packet header of the communication protocol packet as the extension bits before the anti-attack preprocessing is performed on the data located in the information bits of the packet header of the communication protocol packet.

12. The apparatus of claim 11, wherein the setting unit comprises: a setting module, configured to set part of the bytes of the sequence number and/or acknowledgement number in the packet header as the extension bits.

13. The apparatus of claim 9, further comprising: a determining unit, configured to determine, before the converted communication protocol packet is sent to the receiving device, whether the current data traffic volume of the communication protocol packets is greater than a predetermined threshold; and a configuring unit, configured to, when the data traffic volume is greater than the predetermined threshold, configure a gateway-type network device on the transmission link before the receiving device, so that the gateway-type network device, acting as a proxy for the receiving device, forwards the converted communication protocol packet to a third-party device for processing.

14. The apparatus of claim 9, wherein the anti-attack preprocessing unit comprises at least one of the following: a network card driver, a virtual network card, or a local gateway.
15. An anti-attack data transmission apparatus, characterized in that it is located in a receiving device and comprises: a receiving unit, configured to receive a converted communication protocol packet obtained after anti-attack preprocessing; a parsing unit, configured to parse the converted communication protocol packet according to the processing information of the anti-attack preprocessing indicated by the extension bits located in the packet header of the converted communication protocol packet; and an obtaining unit, configured to obtain the data located in the information bits of the packet header of the converted communication protocol packet, wherein the packet header of the communication protocol packet comprises the information bits and the extension bits.

16. The apparatus of claim 15, wherein the parsing unit comprises at least one of the following: a network card driver, a virtual network card, or a local gateway.
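As an added example (not the patent's own code or data), the following models the sender and receiver sides of the claims above: part of the sequence and acknowledgement numbers is set as extension bits, the information bits are either reordered or signed, and the receiver reads the extension bits to undo the processing before recovering the fields. The field layout, the mode codes, the 16-bit truncated HMAC and the shared key are assumptions.

```python
"""Added example (not from the patent): header-field transformation with
extension bits, modelled on an 8-byte (seq, ack) header pair as in TCP.

Assumptions: the low byte of seq carries the processing code and the low two
bytes of ack carry a 16-bit truncated MAC; the other five bytes are the
information bits that get pre-processed.
"""
import hashlib
import hmac
import struct

MODE_NONE, MODE_REORDER, MODE_SIGN = 0, 1, 2
SHARED_KEY = b"constructed-demo-key"  # assumed pre-shared between endpoints


def _tag(info: bytes, key: bytes) -> bytes:
    """16-bit truncated HMAC-SHA256 over the information bits (illustrative)."""
    return hmac.new(key, info, hashlib.sha256).digest()[:2]


def convert(seq: int, ack: int, mode: int, key: bytes = SHARED_KEY) -> bytes:
    """Sender: pre-process the information bits and write the extension bits."""
    info = struct.pack(">I", seq)[:3] + struct.pack(">I", ack)[:2]  # 5 info bytes
    if mode == MODE_REORDER:
        info = info[::-1]  # "adjust the order" of the data in the information bits
    tag = _tag(info, key) if mode == MODE_SIGN else b"\x00\x00"
    # Converted header: seq = info[0:3] + mode byte, ack = info[3:5] + 2-byte tag
    return info[:3] + bytes([mode]) + info[3:] + tag


def parse(header: bytes, key: bytes = SHARED_KEY):
    """Receiver: read the extension bits, undo the processing, recover (seq, ack).
    Returns None when the packet must be dropped."""
    if len(header) != 8:
        return None
    info, mode, tag = header[:3] + header[4:6], header[3], header[6:8]
    if mode == MODE_SIGN:
        if not hmac.compare_digest(tag, _tag(info, key)):
            return None  # signature over the information bits does not verify
    elif mode == MODE_REORDER:
        info = info[::-1]
    elif mode != MODE_NONE:
        return None  # unknown processing code in the extension bits
    seq = int.from_bytes(info[:3], "big") << 8  # low byte was the extension bits
    ack = int.from_bytes(info[3:], "big") << 16  # low two bytes were the tag
    return seq, ack
```

Because the extension bits consume the low bytes of seq and ack, both endpoints must agree that those bytes are not used for their normal meaning. The receiver drops packets whose processing code is unknown or whose signature does not verify.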
TW106102236A 2017-01-20 2017-01-20 Anti-attack data transmission method and device TWI721086B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW106102236A TWI721086B (en) 2017-01-20 2017-01-20 Anti-attack data transmission method and device

Publications (2)

Publication Number Publication Date
TW201828646A true TW201828646A (en) 2018-08-01
TWI721086B TWI721086B (en) 2021-03-11

Family

ID=63960115

Country Status (1)

Country Link
TW (1) TWI721086B (en)

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103532964B (en) * 2013-10-22 2016-09-07 邱文乔 A kind of method verifying TCP connection safety
