TWI258286B - Methods for intrusion detection system (IDS) thwarting and mitigating network attacks - Google Patents

Abstract

Methods for intrusion detection system thwarting and mitigating network attacks are presented. After a server sends out a TCP SYN-ACK packet according to a source address of a TCP SYN packet, a half-open connection between the server and the source address is created. An intrusion detection system (IDS) substitutes the source address to create a TCP ACK packet transmitted to the server. Therefore, upon the program of TCP/IP not being changed, all of the half-open connection table will not be easily occupied by a TCP SYN flooding attack. Moreover, when the server does not receive a TCP ACK packet from the source address, the intrusion detection system proactively create a TCP RESET packet delivered to the server such that the invalid connection between the server and the source address can be reset.

Description

258286 V. OBJECT DESCRIPTION OF THE INVENTION (1) Technical Field of the Invention The present invention relates to a hiding method and a network attack decrementing method applied to an intrusion #测丰转, a network attack of a day==ff system prevents TCP from being performed. When SYN is attacking indiscriminately, the temple has an early link to the intrusion detection system when the hacker is able to prevent the servo from writing. @# 4 I The Fengkai Link Table is occupied. When the method is full and there are other TCP SYN-ACK reflection attacks or large-scale, =/ knife-style TCP SYN-ACK reflection attacks, the intrusion detection system uses the early connection method and active reset. The method can prevent the server from being used by the hacker to generate a magnifying attack effect for attacking the springboard. [Prior Art] In the information age, computers around the world can be connected via the Internet. Nowadays, enterprises and individuals have generally used the Internet to transmit or access data. Transmission Control Protocol

Protocol 'TCP' and Internet Protocol (IP) are standard communication protocols for the international Internet. These protocols are supported by WANs, regional networks, mainframes, and personal computers. When the client and the server want to communicate, TCP/IP must be used to enable both parties to transfer or exchange data. With the popularity of the Internet, cyber attacks have emerged and network security has become more and more important. Among the well-known network security mechanisms, an important role of Intrusion Detection Sy s t e m ' I D S -- is to monitor and analyze events occurring in the network or system. An excellent intrusion detection system can effectively increase the network system

12588twf-l.ptd Page 8 1258286 V. Inventions (2) Security. Intrusion detection systems can be divided into two categories: network type (N e t w 〇 r k - b a s e d ) and host type (Η o s t - b a s e d ) intrusion detection system. The network intrusion detection system is based on analyzing packets on the network to detect whether the host on the network is attacked. The advantage is that the network management is simple and the scope of protection is large, and only one computer can provide protection for multiple devices on the network. Generally, the network-based intrusion detection system can be further classified into a blocking and monitoring type intrusion detection system according to whether it has a blocking capability, such as FIG. 1 and FIG. 2 As shown in the figure, FIG. 1 is a schematic diagram showing a configuration of a monitoring type intrusion detection system under a general network architecture, and FIG. 2 is a schematic diagram showing a configuration of a blocking type intrusion detection system under a general network architecture. Please refer to FIG. 1 first, the interception type intrusion detection system 10 can detect whether the network packet transmitted between the internet 20 (internet) and the intranet 30 (the intranet) has illegal activities. A malicious alert (a 1 ert ) is issued, but the network packet being monitored cannot be directly blocked. Referring to FIG. 2, the blocking type intrusion detection system 1 1 has a filtering network packet in addition to detecting a network packet transmitted between the Internet 20 and the intranet 30 (intranet). The function. That is, when illegal activities are discovered, in addition to issuing warnings, network packets with malicious behavior can be blocked from passing. Please refer to FIG. 3, which illustrates a schematic diagram of a host type intrusion detection system configured under a general network architecture. The host type intrusion detection system 3 2 is installed, for example, on the host 31 located in the intranet 30 of the enterprise, mainly collecting and dividing.

12588twf-l.ptd Page 9 1258286 V. Description of invention (3) Analysis of the files, programs, files, etc. of a single host 3 1 and whether the network packets sent by the host 3 itself contain malicious behavior. When the host type intrusion detection system 3 2 is installed on the computer device to be protected (for example, the host 3 1 ), the login record and the user switch (such as the su command) in the local system record slot can be monitored at any time. Whether there are illegal activities such as system calls and network delivery packets executed by the pr 〇cess. When a client and a server use the TCP protocol to transmit a data packet, the client first establishes a TCP connection with the server. Please refer to FIG. 4, which shows a schematic diagram of a three-way handshaking of a general TCP protocol. When the client 110 wants to connect with a certain server 120, the client 110 first transmits a TCP SYN packet (TCP Synchronization packet) to the server 120 to request to establish a TCP connection; when the server 1 2 0 accepts the link When requested, the server 120 will reply the TCP SYN-ACK packet (TCP Synchronization - Acknowledgement packet) to the client 110 to form a half-open connection; when the client 110 receives the server 120, it returns In the case of the TCP SYN-ACK packet, if it responds to the TCP ACK packet (TCP Acknowledgement packet) to the server 120, it indicates that the TCP link has been successfully established and can start transmitting data. When the connection between the client 1 1 〇 and the server 1 2 0 is in a half-open connection state, the server 1 2 0 must record and maintain a half-open connection for a period of time, waiting for the client 1 1 to transmit the TCP ACK packet to Server 1 20. If the waiting time is exceeded, the servo 1 2 0 will cut off the half-open connection with the client 1 1 0. Please refer to FIG. 5, which shows the allocation of memory in a general server.

12588twf-l.ptd Page 10 1258286 V. INSTRUCTIONS (4) I. The server 1 2 〇 has a half-open connection table 丨3 〇 in its operating system core memory 140, used to record and maintain the information about the semi-open connection. Because half, the capacity of the connection table 130 is very limited and cannot be directly expanded. Even if the server has more than several million bytes of extended memory, it cannot be directly modified without modifying the operating system program. Expand the use of the semi-open link table 〇3 。. Therefore, as long as a large number of half-open connections are established between the plurality of client terminals 1 1 〇 and the server 1 2 短 in a short time, the half-open connection table 丨 3 〇 overflows, causing the server 120 to no longer communicate with the outside world. Established a new ^ link' and forced to block all TCP-based application services. "The characteristics of the above TCP links are common in all kinds of computer systems with connected network capabilities. Hackers use this feature to perform s YN > attack attacks on servers (τ c P s YN f丨〇〇d ) Please refer to Figure 6. First, the Ma Yuke 210 can fake the source address and source number of the TCP SYN packet. The source address of the counterfeit source is, for example, deliberately selected, randomly selected, or selected with the machine. Address, which may be the address of the computer that has been shut down or the location and address that does not exist at all. Then, the hacker 2 10 transmits the ^SYN packet of the fake source address and the source 埠 number to the server 2 2 0; When the server 2 2 0 accepts the ^ ^, it will send a TCP SYN-ACK packet to the hacker's specified ^ = requirement 2 3 0 to form a half-open link. The hacker 2 1 〇 only needs to transmit in a short time The TCP SYN packet of different source address or source 埠 number, and the server 2 2 0 that is subject to $ attack ^ @ can force the attacked server 2 2 to establish an eve connection "causing its half-open connection table to overflow" And the successful dysentery is attacked by the service device 2 2 0 service ability. Measuring system 240 detects TCP SYN flood attack Ji _ slaves 3 afternoon - and piece goods to

Page 11 1258286 V. INSTRUCTIONS (5) Whether the number of semi-open links is significantly abnormal. If the number of half-open links in progress exceeds a threshold value within a certain period of time, it is assumed that the server 22 is subjected to the TCp syN flood attack. The protection of the intrusion predicate system against the TCP SYN flood attack is to detect the attack first and the protection is taken as the type of the intrusion detection system. For the network monitoring type of intrusion detection system 24, the method of generating the T, cp reset packet to the server 2 2 0, resetting the half-open connection in progress, or resetting the next segment The newly formed half-open link in time. For host or network-blocked intrusion detection systems, TCP TCP packets sent to the server 2 2 0 are blocked for a period of time. Since the IP address is easy to be counterfeited and the design of the ^^^^ lacks the positive function of the source address, no matter what type of intrusion detection system can directly distinguish the legitimate user and the attacker from the TCP source bit, When the server is attacked by the TCP SYN, the intrusion detection system cannot select the half-open link or the new link requirement that the attacker has built. As a result, the protection adopted by the intrusion detection system is likely to reset the half-open link belonging to the legitimate user or block the Tcp SYN packet of the legitimate user, and the timing of the protection is always after the server 12 has suffered a significant attack. . In short, legitimate users are likely to be sacrificed, and the external service capabilities of the server will be significantly reduced. θ Another large-scale network attack related to TCP SYN flood attacks = Decentralized TCP SYN-ACK reflection attack, as shown in Figure 8. This kind of attack, hacker 4 1 〇 to the same attacked server 4 3 〇, while performing many k-speed low-cost TCP SYN-ACK reflection attacks. a TCp Syn-ACK reflection

12588twf-1.ptd Page 12 1258286 V. INSTRUCTIONS (6) Please refer to Figure 7 for the attack. In Figure 7, the hacker 3 1 spoofs the address of the server 307 to generate a TCPSYN packet, which is sent to the server 3 2 0 as a reflective attack springboard; when the server 3 2 0 accepts the TCP connection request The TCP SYN-ACK packet is sent to the attacked server 3 3 0; since the half-open link cannot be established, the server as the springboard 3 2 will resend the TCP SYN-ACK packet every once in a while. , about three times to send again, and then send a TCPRESET packet to the attacked server wq. In short, as long as the hacker 310 generates a TCP SYN packet, it will receive about five times the attack packet before and after the attack. ° ^ In Figure 8, when the hacker 410 performs a decentralized TCP SYN-ACK reflection attack on the same attacked server, the hacker 41 uses the server as a springboard for the reflection attack, and for each ^ The board 4 4 0 performs a slow low-cost TCP SYN-ACK reflection attack. Since the guest 410 performs many TCP SYN-ACK reflection attacks at the same time, and each reflection $ strike has an attack amplification effect, there will be a large number of attack packets aggregated and attacked by the server 430. There are many resources on the shovel network. It is convenient for hackers to find a large number of servers as a springboard for reflection attacks in short time. For example, various 3 engines can quickly find a large number of related web servers. ', However, the original intrusion detection system 3 4 0 can not protect the distributed τ [ p SYN-ACK reflection attack, because each servo as a springboard ^ is only subjected to a slow low-cost TCP SYN reflection attack Therefore, the effect of the bean is small, and the TCP SYN packet used is the general user query ^"" must be used, the lack of obvious anomalous features for the detection of the intrusion detection system 3 4 亦可 can also penetrate The firewall is blocked, so the intrusion detection system 34〇

- Invention Description (7) Still..., effective protection method. The network attack detection system 44 0 located in the attacked server 4 3 can only find a large number of TCP SYN-ACK packets sent to the ^ I 饲 饲 4 4 4 0 ' except for the traffic anomaly 'every TCP SYN_ACK 44 0%1 is connected to the legal feeding device address and service bee number 'intrusion detection system' / the total sample is difficult to properly block these attack packets, not to mention the attack has been ^ ^ The network bandwidth of the gateway of the network 4 must be..., k χ a large amount of consumption, and even the entire network is blocked. [Summary of the Invention] Detecting [ί路ί J:月] J-Ϊ is a method of providing a kind of attack, and the i τ snip blocking method is used to prepare the hacker under the TCP SYN. The existing TCP/IPM premise server half-opening = f, , and the first early connection method can prevent the attacked thousand open connection table from being occupied.

The cyber attack blocker = the second is to provide a flood attack for the intrusion detection system, the person \ 'even if the server suffers from the hacker to do TCP SYN legitimate users can still second, Z = link requirements will not be Blocking or resetting, the object of the present invention is to access a server attacked by a hacker. Network attack blocking ^ J is to provide a kind of attack detection system after the attack: so that the detection system does not have to wait for the server to drop, can be effective, the server's external service capabilities will not be obvious This hairpin = protect against TCP SYN attacks. The next four is to provide a system for intrusion extraction systems.

12588twf-l.ptd Page 14 1258286 V. Description of invention (8)

When the cyber attack prevents and attacks the SYN-ACK reflection attack, the server can be prevented from being corrupted by the server. When the hacker is performing distributed TCP, the active reset method of the intrusion detection system is used as the attack springboard. Amplifying the attack effectiveness _ " x Ming's above and other purposes, proposed a network attack blocking method applied to the field JP system. The client and the server use the 1 k message. First, the UE sends a TCP SYN packet to the server. The TCP SYN packet has a source address, and then the server will reach the TCP SYN-ACK packet according to the source address to form a packet. Half open link. It is characterized by a 'half-open connection to the server, and the intrusion detection system will actively generate and transmit the generation that conforms to the TCP protocol. The ACK packet is sent to the server so that the half-open link can be completed early and part of the space of the half-open link table located in the core memory of the operating system of the server can be released early. 0 To achieve the above and other purposes of the present invention, A method of network attack prevention and attack impairment applied to an intrusion detection system. The client and the server use TCP communication. First, the UE sends a TCP SYN packet to the server. The TCP SYN packet has a source address, and then the server sends a TCP SYN-ACK packet according to the source address. The utility model is characterized in that, for a half-open link belonging to the server, the intrusion detection system actively generates and transmits a TCP ACK packet conforming to the TCP communication protocol to the server, and after a period of time, if the server still does not receive the source When the TCP ACK packet is sent by the address, the intrusion detection system will actively generate a TCP RESET packet and transmit the TCP RESET packet to the server, thereby resetting the servo.

12588twf-l.ptd Page 15 1258286 V. Description of invention (9) Established between the device and the source address. As mentioned above, when the hacker is in; TCP SYN, 巳 攻 攻 主 主 Γ Γ ί ί ί ί ί 取 正常 正常 正常 正常 正常 正常 正常 正常 正常 正常 正常 正常 正常 正常 正常 正常 正常 正常 正常It is worth noting that t = can be 2 2 5 debt testing system protection TCP SYN >, has been attacked by the method, this is not necessary to wait until the servo 7 to enter? X ^ flJ ,,, ^ ^

c ν M w is outside § hacker in the large-scale division of the gold ★ Τ Γ D π # 1 reflection attack, if you choose to have the invention of the invasion 彳贞i 4 households:: protect the server as a reflection attack springboard detection : 糸 system effect. The above and other objects, features, and advantages of the present invention are more apparent and easy to understand. The following is a preferred embodiment, i cooperates with:实施 【 [Embodiment] The present invention provides a network attack and attack impairment method applied to an intrusion detection system, including an Early-Connecting method and a Proactively-resetting method. I will introduce in detail later.

1258286 V. Invention Description (ίο) In order to protect the server and achieve the target of attack prevention and attack impairment, the intrusion detection system must monitor and record all connection status and necessary information for the server to be protected, including: The server's IP address, communication port, IP packet identification code, TCP packet number, current connection status, etc., it can be seen that the amount of data recorded is very large. In order to avoid the overload of the intrusion detection system itself and the performance considerations, the user must be allowed to select the server to be protected. Therefore, the intrusion detection system needs to accept the user's designation of the protected servo, including a plurality of IP addresses, a plurality of IP addresses, or a combination thereof. The intrusion detection system then monitors, records, and provides protection against the TCP connections of the set servers. In addition, no matter what type of intrusion detection system (such as a monitor-type intrusion detection system, a blocking intrusion detection system, or a host-type intrusion detection system), this protection target can be achieved as long as the following embodiments can be implemented. The method can be. In the following embodiments, a monitoring type intrusion detection system is taken as an example for explanation. 1. Embodiment of Early Linking Method: Referring to Figures 9, 10, a schematic view of a preferred embodiment of the early joining method in accordance with the present invention is shown. By injecting the TCP ACK packet early by the intrusion detection system 530, the T C P half-open connection table 505 in the operating system core memory 504 of the server 52 0 can be protected from being overwritten. First, the server is set to be a protected server. At this time, the intrusion detection system 500 will monitor and record all TCP connections to the server 52. When the user terminal 510 issues a connection request for the TCP SYN packet to the server 520, the intrusion detection system 503 will monitor or collect the TCP SYN packet, and the session will be

12588twf-1.ptd Page 17 1258286 V. Description of the invention (11) Record the header data of the TCP SYN packet and the collection time of the packet. After that, the server 520 will reply the TCP SYN-ACK packet to the client 510 to complete the TCP half-open connection. At this time, the intrusion detection system 500 will monitor or collect the TCP SYN-ACK packet, and record the TCP. The header data of the SYN-ACK packet and the collection time of the packet. After detecting and recording the TCP SYN-ACK packet, the intrusion detection system 500 will immediately send a TCP ACK packet to the server 520 instead of the client 510, so that the server 502 can complete the TCP connection early. The TCP half-open connection table 5 5 0 in the operating system core memory 504 is released, and the intrusion detection system 530 continues to monitor and record the connection. This method is called early connection. method. Later, when the client 510 replies to the TCP ACK packet of the server 520, it indicates that the user terminal 5 10 is a normal user, and the intrusion detection system 530 can clear the client 510 to the server 52. 〇 连 ^ ^ 以便 以便 以便 以便 以便 以便 以便 以便 以便 以便 以便 以便 以便 ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ Alternatively, when the intrusion detection system 530 collects the user terminal 51 or the server 520 sends the other party a Tcp RESET packet conforming to the TCP protocol, the intrusion detection system 5 3 0 can clear the client terminal 51 and the device. TCP connection information. t

^ If you can't wait for the TCP ACK packet from the client to reply to the server MO, it means that the client 51 is likely to be a hacker and is attacking the flood. However, in the above, it is still in compliance. The TCP half-open connection table 5 50 of the feeding device 5 2 0 is not maliciously attacked.

1258286 V. Description of invention (12) Full, that is, the goal of reaching the attack. The following will introduce another method and example to address and achieve the goal of attack impairment. 2: Embodiment of Active Reset Method: Referring to Figure 11, a schematic diagram of a preferred embodiment of an active reset method in accordance with the present invention is shown. As described above, if it is found that the TCP ACK packet of the server 520 is not received by the client 5 1 0, the intrusion detection system 530 actively replaces the client 5 1 after waiting for a certain period of time. A TCPRESET packet is sent to the server 520 to interrupt the TCP connection, and the intrusion detection system 530 also clears the TCP connection information belonging to the server 520. This method is called an active reset method. For the server 520, the system resources for processing the invalid connection can be released in this way; for the intrusion detection system 503, the user terminal 5 1 0 can also be cleared to the server 5 2 0 The connection records in order to move out of space to handle other TCP connections. The intrusion detection system of the present invention can protect against TCP SYN flood attacks and can mitigate the effects of TCP SYN-ACK reflection attacks, as described below.

A complete example of how to use the intrusion detection system of the present invention to protect against T C P S Y N flood attacks is described in Figure 12. The hacker 6 1 0 can fake multiple fake source addresses 6 3 0 to send a TCPSYN packet to the attacked server 6 2 0, and the server 6 2 0 receives the connection request of the hacker 6 1 0, and then replies τ CPSYN - ACK packet, complete TCP half-open link. At this time, the intrusion detection system 6 4 0 will immediately replace the fake source address 6 3 0 to reply to the TCP ACK packet, firstly avoiding the system half-open connection table of the attacked server 6 2 0 being occupied, and secondly, if the waiting time limit is exceeded Received TCP with source address field with fake source address 6 3 0

12588twf-l.ptd Page 19 1258286 V. Invention Description (13) ACK packet, the intrusion detection system 604 sends a TCPRESET packet to the attacked server 6 2 0, so as to clear the attacked server 6 2 The system resources for invalid connection; for the intrusion detection system, the related recording resources of the connection can also be cleared. Another complete example shows how to protect against TCp SYN-ACK reflection attacks. Please refer to Figure 13. The hacker 7 1 0 spoofs an attacked server 7 3 0 source address, sends a TCP SYN packet to the server 72 as a springboard, and the server 7 2 0 receives the connection request of the hacker 7 1 后, will reply τ c PSYN - ACK packet to the attacked server 703, complete the TCP half-open connection. At this time, in the normal case of no intrusion detection system protection, the server 7 2 will send a total of four TCP SYN-ACKs, and a TCP RESET packet to the attacked server 730 (because of the attacked server 730) Will not reply the TCP ACK packet to the server as a springboard 7 2 0, so the server 7 2 0 will resend the TCP SYN-ACK packet three times, and finally send the TCP RESET packet to clear the connection), so the hacker 7 1 0 as long as Sending a packet to the server 7 2 〇, the server 7 2 0 will generate five packets to the attacked server 7 3 〇, forming a fivefold attack amplification effect. However, in the case of the intrusion detection system 704 protection, after the server 7 2 replies to the TCP SYN-ACK packet to the attacked server 73, the intrusion detection system 74 0 will immediately replace the attacked servo. 73 〇 Reply Tcp ACK packet 'Firstly avoid the server 7 2 0 system half open connection table is full, and secondly after the waiting time limit, the intrusion detection system 7 4 will send a TCP reset packet, clear the server 72 0 system in the system without connection to the intrusion detection system 7 4 0, this time can also clear the connection of the line

12588twf-l.ptd Page 20 1258286 V. Description of invention (14) Recording resources. In this way, when the hacker 71 transmits a Tcp SYN packet to the server 7 2 0 as a springboard, the server as the springboard 7 2 传送 transmits only the TCP SYN-ACK packet to the attacked server 73Q. This can avoid the attack amplification effect generated by the hacker attacking the server 73 by the TCP SYN-ACK packet. So the hacker 7 1 0 must send more τ cps γ N packets to the server 7 2 0 as a springboard to fill the bandwidth of the attacked server 7 3 ,, and then attack Server 7 3 服务 service capabilities. Because the attack effect of the hacker 710 is degraded by 8入侵% by the intrusion detection system 74, its attack may not achieve the original effect, so the hacker 7 1 〇 may give up using the TCP SYN-ACK packet to attack the server. 73〇 thoughts. In addition, because of the large-scale distributed Tcp Syn-ACK reflection attack, the hacker 7 1 0 pairs the same attacked server γ 3 〇, while performing many slow low-cost TCPSYN-ACK reflection attacks, ie The guest γ 1 〇 utilizes a number of servers 720 as a springboard for the reflection attack, and performs a slow low-cost TCP SYN-ACK reflection attack on each of the servers 7 2 0 as a springboard. The intrusion detection system 7 4 that implements the method can effectively eliminate the attack amplification and effect, and greatly detract from the attack effect of the scattered STCP SYN-ACK reflection attack, and makes the hacker 71 0 more difficult to perform individual Tcp syn. - ACK reflection attack or large-scale distributed TCP SYN-ACK reflection attack. Conclusion In summary, the present invention has at least the following advantages: 1. The cyber attack prevention and attack mitigation method applied to the intrusion detection system of the present invention, when the hacker is in the rTCP SYN flood attack,

12588twf-l.ptd

Page 21 1258286 V. INSTRUCTIONS (15) The intrusion detection system prevents the half-open connection table of the server from being occupied. 2. The cyber attack prevention and attack mitigation method applied to the intrusion detection system of the present invention, even when the server is subjected to a TCP SYN flood attack by the hacker, the link request of the legitimate user is not blocked or reset. Legitimate users can still access the server attacked by the hacker. 3. The network attack prevention and attack impairment method applied to the intrusion detection system of the present invention enables the intrusion detection system to wait for the server to be attacked before the attack is started, and the server is subjected to TCP by the client. When the SYN flood attack occurs, the external service capability of the server will not be significantly reduced, and the TCP SYN flood attack can be effectively protected. 4. The network attack prevention and attack impairment method applied to the intrusion detection system of the present invention can avoid the effect of the amplification attack when the hacker performs a slow low-level reflection attack or a distributed reflection attack. While the present invention has been described above by way of a preferred embodiment, it is not intended to limit the invention, and the present invention may be modified and modified without departing from the spirit and scope of the invention. The scope of isolation is subject to the definition of the scope of the patent application.

12588twf-1.ptd Page 22 1258286 Schematic description of the diagram Figure 1 shows the schematic configuration of the monitor-type intrusion detection system under the general network architecture. Figure 2 is a schematic diagram showing the configuration of the blocking intrusion detection system in a general network architecture. Figure 3 shows the schematic diagram of the host-type intrusion detection system configured under the general network architecture. Figure 4 is a schematic diagram showing a Tcp link establishment method (three-way handshake) of a general TCP protocol. Figure 5 shows the distribution of memory in a general server. Figure 6 shows the hacker's method of performing a Tcp syn flood attack on the server. Figure 7 shows the hacker's method of slowing down the server to the SYN-ACK > 巳 > Figure 8 illustrates the hacker's method of performing a decentralized TCp syn-ACK reflection attack on the server. As shown in Fig. 9, there is shown a schematic diagram of a method for detecting an early connection in accordance with a preferred embodiment of the present invention. Figure 10 shows a schematic diagram of the distribution of memory in a general server. Fig. 1 is a schematic diagram showing an active reset method by an intrusion detection system according to a preferred embodiment of the present invention. FIG. 12 illustrates a method for protecting a hacker from a TCP SYN flood attack on a server in accordance with a preferred embodiment of the present invention. FIG. 13 illustrates a method for protecting a hacker from a TCP SYN-ACK flood attack on a server in accordance with a preferred embodiment of the present invention.

1258286 Schematic description of the diagram [illustration of the pattern] 1 〇: monitor type intrusion detection system 1 1 : blocking type intrusion detection system 2 0: Internet 3 0: enterprise internal network 31 · · host 3 2 ·· Host Intrusion Detection System 1 1 0 : Client 1 2 0 : Server 1 3 0 : Half Open Link Table 1 4 0 : Operating System Core Memory 2 1 0 : Hacker 2 2 0 ·• Attacked Server 2 3 0 : False source address 2 4 0 : Intrusion test system 3 1 0 : Hacker 3 2 0 : Server as a reflection attack springboard 3 3 0 : Attacked server 3 4 0 : Intrusion detection system 4 1 0 : Hacker 4 2 0 : Servo as a springboard 4 3 0 : Attacked server 510 : Client

12588twf-l.ptd Page 24 1258286

Schematic description 520 Server 530 Intrusion Detection System 540 Operating System Core Memory 550 Half Open Link Table 560 Application Available Memory 610 Hacker 620 Attacked Server 630 Fake Source Address 640 Intrusion Detection System 710 Hacker 720 Serve as a springboard 730 Attacked server 740 Intrusion Detection System 12588twf-l.ptd Page 25

Claims (1)

1258286 VI. Patent Application Range 1. A method for preventing network attack detection applied to an intrusion detection system, the method comprising: collecting a TCP communication data between a client and a protected server; recording the user And a TCP connection information between the terminal and the protected server; and if the protected server is in a half-open state, generating and transmitting a TCP ACK packet conforming to the TCP protocol to the protected server. 2. The network attack prevention method applied to the intrusion detection system according to claim 1, wherein the protected server is specified by a plurality of IP addresses and a plurality of IP addresses set by the user. The address range or a combination of them is reached. 3. The method for preventing network attack detection applied to an intrusion detection system according to claim 1, wherein the intrusion detection system comprises a host type intrusion detection system. 4. The method for preventing network attacks applied to an intrusion detection system according to claim 1, wherein the intrusion detection system comprises a network type listening mode intrusion detection system. 5. The method for preventing network attacks applied to an intrusion detection system according to claim 1, wherein the intrusion detection system comprises a network-type blocking mode intrusion detection system. 6. The method for preventing network attack applied to an intrusion detection system according to claim 1, wherein the TCP connection information is included by the user 12588twf-l.ptd Page 26 1258286 VI. The scope of the TCP SYN packet sent to the server and the collection time of the packet, and the TCP connection information also includes the TCP SYN for the server. The header data and the collection time of the packet sent back to the client for a TCP SYN-ACK packet. 7. The method for preventing network attack detection applied to an intrusion detection system according to claim 1, wherein the intrusion detection system collects a TCP SYN-ACK transmitted by the protected server to the client. After the packet is encapsulated, the intrusion detection system immediately generates and transmits a copy of the TCPACK packet to the protected server. 8. The network attack prevention method applied to the intrusion detection system according to claim 1, further comprising: if the user is collected, the TCP SYN-ACK packet is sent back to the protected server. And conforming to a TCP ACK packet specified by the TCP protocol, the TCP connection information between the client and the protected server is cleared. 9. The method for preventing network attack applied to an intrusion detection system according to claim 1, further comprising: if the user is collected or the protected server is sent to the other party to comply with the provisions of the TCP protocol A TCPRESET packet clears the TCP connection information between the client and the protected server. 10. A network attack prevention and attack applied to an intrusion detection system. The method of impairment includes at least: collecting a TCP communication data between a client and a protected server; 12588twf-1.ptd Page 27 1258286 VI. The patent application scope records a TCP connection information between the client and the protected server; if the protected server is in a half-open state, it is generated. And transmitting a TCP ACK packet conforming to the TCP protocol to the protected server; and after generating and transmitting the TCP ACK packet for a period of time, if the client has not collected the TCP response to the protected server The ACK packet generates and transmits a TCP RESET packet to the protected server for the TCP connection. 1 1 . The network attack prevention and attack impairment method applied to an intrusion detection system as described in claim 10, wherein the protected server is specified by a plurality of IP addresses set by a user. , a majority of IP address ranges or a combination of them. 1 2. The network attack prevention and attack impairment method applied to the intrusion detection system as described in claim 10, wherein the intrusion detection system includes a host type intrusion detection system. 1 3. The network attack prevention and attack impairment method applied to the intrusion detection system as described in claim 10, wherein the intrusion detection system includes a network type listening mode intrusion detection system. 1 4. The network attack prevention and attack impairment and attack impairment methods applied to the intrusion detection system as described in claim 10, wherein the intrusion detection system comprises a network type blocking mode intrusion detection system. 1 5. The network attack prevention and attack impairment method applied to the intrusion detection system as described in claim 10, wherein the TCP connection information 12588twf-l.ptd Page 28 1258286 VI. The patent application scope includes the header data of a T cp S γ N packet sent by the client to the server and the collection time of the packet, and the TCP connection information also includes The server collects header data and packet collection time of a TCP SYN-ACK packet sent back to the UE for the TCP SYN packet. 1 6 - The network attack prevention and attack impairment method applied to the intrusion detection system, as described in claim 1, wherein the intrusion detection system collects the transmitted by the protected server to the client After a TCP SYN_ACK packet, the intrusion detection system immediately generates and transmits a copy of the TCPACK packet to the protected server. 1 7 · The network attack prevention and attack impairment method applied to the intrusion detection system as described in claim 10, further comprising: if the user is collected, the TCPSYN-ACK packet is sent back to the TCPSYN-ACK packet The protected server conforms to a TCP ACK packet specified by the TCP protocol, and clears the connection between the client and the protected server (:^ link information. 1 8 · If the patent application scope is item 10 The network attack prevention and attack impairment method applied to the intrusion detection system further includes: if a TCP RESET packet is collected from the client or the protected server is sent to the other party and conforms to the TCP protocol, Clearing the TCP connection information between the client and the protected server. 1 9 · The network attack prevention and attack impairment method applied to the intrusion detection system as described in claim 10, The method further includes: after generating and transmitting the TCP RESET packet to the protected server, clearing the TCP connection between the client and the protected server 12588twf, l.ptd第29页