TWI397286B - Router and method for protecting tcp ports - Google Patents


Info

Publication number
TWI397286B
Authority
TW
Taiwan
Prior art keywords
tcp
remote computer
packet
computer
connection
Prior art date
Application number
TW98136588A
Other languages
Chinese (zh)
Other versions
TW201115984A (en)
Inventor
Jong Chang Chen
Original Assignee
Hon Hai Prec Ind Co Ltd
Priority date
Filing date
Publication date
Application filed by Hon Hai Prec Ind Co Ltd
Priority to TW98136588A
Publication of TW201115984A
Application granted
Publication of TWI397286B


Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Description

Router and TCP port defense method

The present invention relates to a computer security management apparatus and method, and more particularly to a router and a TCP (Transmission Control Protocol) port defense method.

When a local computer is connected through a router and a network to remote computers, hosts, servers and the like, and one or more remote computers send the local computer many TCP packets requesting TCP connections, the router can no longer forward normal packets for the other remote computers. The router may thus be flooded with a large number of junk packets and be unable to connect to the network normally. For example, the local computer may be subjected to port scanning, virus attacks and so on, leaving the router unable to work properly.

In view of the above, there is a need for a router and a TCP port defense method that can solve the problem of port scanning and defend against attacks launched over TCP connections.

A router connects a local computer and remote computers, and comprises: a setting module for setting a first time period and a second time period, and for setting the maximum number of times a remote computer is allowed to connect to the local computer; a receiving module for receiving TCP packets, including SYN (Synchronize) packets; a clock module for keeping time and recording the timestamp at which the local computer receives each TCP packet; a counting module which, when a SYN packet is received, uses the timestamp of that SYN packet to compute the number of times the remote computer that sent it established a TCP connection with the local computer but transmitted no data during the first time period preceding that timestamp; and an identification module which, when the number computed by the counting module exceeds the set maximum, identifies that remote computer as an attacker and discards all TCP packets it sends during the second time period beginning at the timestamp of that SYN packet.

A TCP port defense method, applied in a router connecting a local computer and remote computers, comprises: setting a first time period and a second time period, and setting the maximum number of times a remote computer is allowed to connect to the local computer; the local computer receiving a SYN packet sent by a remote computer; recording the timestamp at which the SYN packet is received; using the timestamp of the SYN packet to compute the number of times the remote computer that sent it established a TCP connection with the local computer but transmitted no data during the first time period preceding that timestamp; and, when the computed number exceeds the set maximum, identifying that remote computer as an attacker and discarding all TCP packets it sends during the second time period beginning at the timestamp of that SYN packet.

Compared with the prior art, the router and TCP port defense method described here solve the problem of port scanning and defend against attacks launched over TCP connections.

FIG. 1 shows the operating environment of a preferred embodiment of the router of the present invention. A plurality of remote computers 6 (only one remote computer 6 is drawn in FIG. 1) can establish connections with the local computer 3 through the network 5, the modem 4 and the router 1. The purpose of the present invention is to prevent the remote computers 6 from scanning or attacking the Transmission Control Protocol (TCP) port 30 of the local computer 3.

To achieve this, in the preferred embodiment the router 1 is used to identify whether a remote computer 6 is scanning or attacking the TCP port 30 of the local computer 3.

The network 5 may be the Internet or another type of communication network.

FIG. 2 is a functional block diagram of a preferred embodiment of the router of the present invention. In the preferred embodiment, the router 1 comprises a processor 10 and a memory 12. The processor 10 executes the various software installed in or embedded in the router 1. The memory 12 stores various data, for example configuration parameters.

In the preferred embodiment, the router 1 further comprises a plurality of functional modules, namely a setting module 20, a receiving module 21, a clock module 22, a counting module 23 and an identification module 24.

The setting module 20 sets the first time period and the second time period, and sets the maximum number of times a remote computer 6 is allowed to connect to the local computer 3. The use of the first and second time periods is described in detail below.

The receiving module 21 receives TCP packets of all types. For example, before the remote computer 6 and the local computer 3 establish a TCP connection, a three-way handshake must be completed. As shown in the TCP connection diagram of FIG. 3, the remote computer 6 first sends a SYN packet to the local computer 3, indicating that it wants to establish a connection with a communication port of the local computer 3. If the TCP port 30 of the local computer 3 is open, the local computer 3 returns a SYN ACK packet to the remote computer 6. The remote computer 6 then sends an ACK packet to the local computer 3, indicating that the TCP connection has been established. Once the TCP connection is established, the remote computer 6 and the local computer 3 can send data packets to exchange data. If the TCP port 30 of the local computer 3 is not open, an RST packet is returned to the remote computer 6.

In addition, closing a TCP connection also requires several packets to be exchanged for confirmation.

The clock module 22 keeps time and records the timestamp at which the local computer 3 receives each TCP packet.

When a remote computer 6 needs to establish a TCP connection with the local computer 3, it first sends a SYN packet; the receiving module 21 receives the SYN packet and the clock module 22 records the timestamp at which it was received.

The counting module 23 uses the timestamp of that SYN packet to compute the number of times the remote computer that sent it established a TCP connection with the local computer 3 but transmitted no data during the first time period preceding that timestamp, that is, how many TCP connections between the remote computer 6 and the local computer 3 completed the three-way handshake without any data packet being sent.

For example, if the first time period is set to 10 seconds and the timestamp of the received SYN packet is 9:05:12, the counting module 23 computes the number of times between 9:05:02 and 9:05:12 that the remote computer 6 established a TCP connection with the local computer 3 but transmitted no data.

The identification module 24 identifies the remote computer 6 as an attacker when the number computed by the counting module 23 exceeds the set maximum, and discards all TCP packets sent by the remote computer 6 during the second time period beginning at the timestamp of that SYN packet. For example, if the setting module 20 sets the maximum number of times the remote computer 6 is allowed to connect to the local computer 3 to 20 and the second time period to 10 minutes, then when the number computed by the counting module 23 exceeds 20, the identification module 24 confirms that the remote computer 6 is an attacker and discards all TCP packets sent by the remote computer 6 within the 10 minutes starting from the timestamp 9:05:12 at which the SYN packet was received.

In other embodiments, the router 1 further comprises a packet counter 25, a timer 26 and a connection counter 27.

The setting module 20 further sets a time threshold and a minimum number of transmitted TCP packets, used to judge whether a TCP connection between the remote computer 6 and the local computer 3 is idle, and sets an idle connection limit.

The timer 26 starts counting as soon as the remote computer 6 establishes a TCP connection with the local computer 3; whenever the local computer 3 receives a TCP packet from the remote computer 6 over that connection, the timer is reset to zero and starts counting again. The detailed flow is described below with reference to FIG. 5 and FIG. 6.

The packet counter 25 counts the TCP packets received by the local computer 3 after the TCP connection with the remote computer 6 has been established; the packets exchanged during the three-way handshake before the connection is established are not counted.

The identification module 24 further confirms that the TCP connection is idle when the time counted by the timer 26 reaches the set time threshold and the number of TCP packets counted by the packet counter 25 is less than or equal to the set minimum number.

The connection counter 27 counts the number of idle TCP connections between the remote computer 6 and the local computer 3.

The identification module 24 further identifies the remote computer 6 as an attacker when the number of idle TCP connections counted by the connection counter 27 exceeds the set idle connection limit, and discards all TCP packets sent by the remote computer 6 during the second time period following the identification.

In practice, several remote computers 6 are often connected to the local computer 3. The packet counter 25, timer 26 and connection counter 27 may therefore be single instances that separately track, for each remote computer 6, the number of TCP connections with the local computer 3, the number of packets transmitted and the corresponding time, or there may be several of each, corresponding to the number of remote computers 6.

FIG. 4 is a flowchart of the first embodiment of the TCP port defense method of the present invention. First, in step S2, the setting module 20 sets the first time period and the second time period.

In step S4, the setting module 20 sets the maximum number of times a remote computer 6 is allowed to connect to the local computer 3.

In step S6, the receiving module 21 receives a SYN packet from a remote computer 6.

In step S8, the clock module 22 records the timestamp at which the SYN packet was received.

In step S10, the counting module 23 uses the timestamp of the SYN packet to compute the number of times the remote computer that sent it established a TCP connection with the local computer 3 but transmitted no data during the first time period preceding that timestamp, that is, how many TCP connections between the remote computer 6 and the local computer 3 completed the three-way handshake without any data packet being sent.

In step S12, the identification module 24 judges whether the number computed by the counting module 23 exceeds the set maximum. If it does not, the flow returns to step S6.

If the computed number exceeds the set maximum, then in step S14 the identification module 24 identifies the remote computer 6 as an attacker.

In step S16, the identification module 24 discards all TCP packets sent by the remote computer 6 during the second time period beginning at the timestamp of the SYN packet, and the flow ends.
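The first embodiment (steps S2 to S16) as an added worked example in Python, not code from the patent: per remote computer it records handshakes that completed without any data, counts them within the first time period before each SYN, and blocks the remote for the second time period once the maximum is exceeded. The class name, event format, constructed addresses and trace are assumptions; the parameter values (10 s, maximum 20, 10 min, deciding SYN at 9:05:12) are the ones the description gives.

```python
from collections import defaultdict
from datetime import datetime, timedelta


class TcpPortDefender:
    """Router-side logic of FIG. 4 (hypothetical name; not the patent's code).

    A connection is keyed by (remote address, remote port). The remote's final
    handshake ACK marks it established; a later DATA packet marks it as having
    transmitted data. Packets are fed in time order.
    """

    def __init__(self, first_period_s=10, max_connections=20, second_period_s=600):
        self.first_period = timedelta(seconds=first_period_s)    # setting module: first time period
        self.max_connections = max_connections                    # allowed connection count
        self.second_period = timedelta(seconds=second_period_s)   # setting module: second time period
        self.established = defaultdict(dict)   # remote -> {rport: [established_at, data_seen]}
        self.blocked_until = {}                # remote -> end of its second time period

    def count_no_data(self, remote, ts):
        """Counting module 23: handshakes completed within the first time period
        before ts that have not transmitted any data yet."""
        window_start = ts - self.first_period
        conns = self.established[remote]
        # forget connections older than the window so the table stays bounded
        for rport in [p for p, (est, _) in conns.items() if est < window_start]:
            del conns[rport]
        return sum(1 for _est, data_seen in conns.values() if not data_seen)

    def handle(self, kind, remote, rport, ts):
        """Return 'drop', 'attacker' or 'forward' for one packet from remote."""
        until = self.blocked_until.get(remote)
        if until is not None and ts < until:
            return "drop"                              # step S16: inside the block window
        if kind == "SYN":                              # steps S6 to S12
            if self.count_no_data(remote, ts) > self.max_connections:
                self.blocked_until[remote] = ts + self.second_period
                return "attacker"                      # step S14
        elif kind == "ACK":                            # third leg of the handshake
            self.established[remote][rport] = [ts, False]
        elif kind == "DATA":
            conn = self.established[remote].get(rport)
            if conn is not None:
                conn[1] = True                         # data seen, no longer counted
        return "forward"


def run_demo():
    """Constructed trace with the description's values: first period 10 s,
    maximum 20, second period 10 min, deciding SYN at 9:05:12."""
    base = datetime(2009, 10, 28, 9, 5, 0)                  # constructed date, 9:05:00
    scanner, client = "198.51.100.7", "203.0.113.9"           # constructed addresses
    d = TcpPortDefender(first_period_s=10, max_connections=20, second_period_s=600)
    early = []
    # 21 handshakes from 9:05:03 to 9:05:11, none followed by data
    for i in range(21):
        ts = base + timedelta(milliseconds=3000 + 400 * i)
        early.append(d.handle("SYN", scanner, 40000 + i, ts))
        d.handle("ACK", scanner, 40000 + i, ts + timedelta(milliseconds=50))
    result = {"scanner_syns_before_limit": all(x == "forward" for x in early)}
    # an ordinary client that completes a handshake and then sends data
    t = base + timedelta(seconds=11, milliseconds=500)
    result["client_syn"] = d.handle("SYN", client, 50000, t)
    d.handle("ACK", client, 50000, t + timedelta(milliseconds=50))
    result["client_data"] = d.handle("DATA", client, 50000, t + timedelta(milliseconds=200))
    # 22nd SYN at 9:05:12: 21 data-less handshakes in the last 10 s, above the limit of 20
    result["scanner_syn_at_9_05_12"] = d.handle("SYN", scanner, 40021, base + timedelta(seconds=12))
    # anything from the scanner inside the 10 min window is discarded
    result["scanner_at_9_10_00"] = d.handle("DATA", scanner, 40003, base + timedelta(minutes=5))
    # at 9:15:12 the second time period has elapsed and the old handshakes left the window
    result["scanner_at_9_15_12"] = d.handle("SYN", scanner, 40022, base + timedelta(minutes=10, seconds=12))
    return result


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: {decision}")
```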

FIG. 5 is the idle connection confirmation flowchart of the second embodiment of the TCP port defense method of the present invention. First, in step S20, the setting module 20 sets a time threshold and a minimum number of transmitted TCP packets for judging whether a TCP connection between the remote computer 6 and the local computer 3 is idle.

In step S22, the setting module 20 sets an idle connection limit.

In step S24, the packet counter 25 is started after the remote computer 6 has established a TCP connection with the local computer 3.

In step S26, the timer 26 is likewise started after the TCP connection is established, and begins counting.

In step S28, the receiving module 22 judges whether a TCP packet has been received. If a TCP packet has been received, the flow returns to step S26 and the timer 26 is restarted, that is, reset to zero and started again.

If no TCP packet has been received, then in step S30 the identification module 24 judges whether the time counted by the timer 26 has reached the set time threshold. If it has not, the flow returns to step S28.

If the set time threshold has been reached, then in step S32 the identification module 24 judges whether the number of TCP packets counted by the packet counter 25 is less than or equal to the set minimum number. If the counted number of TCP packets is greater than the set minimum number, the flow ends.

If the counted number of TCP packets is less than or equal to the set minimum number, then in step S34 the identification module 24 confirms that the TCP connection is idle, and the flow ends.

FIG. 6 is a flowchart of the second embodiment of the TCP port defense method of the present invention. First, in step S40, the connection counter 27 is started after the remote computer 6 has established a TCP connection with the local computer 3.

In step S42, the identification module 24 judges whether the number of idle TCP connections between the remote computer 6 and the local computer 3 counted by the connection counter 27 exceeds the set idle connection limit. If it does not, the flow returns to step S40.

If the number of idle TCP connections counted by the connection counter 27 exceeds the set idle connection limit, then in step S44 the identification module 24 identifies the remote computer 6 as an attacker.

In step S46, the identification module 24 discards all TCP packets sent by the remote computer 6 during the second time period following the identification, and the flow ends.
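The idle-connection embodiment of FIG. 5 and FIG. 6 as an added Python example, not the patent's code: each established connection gets a timer that restarts on every received packet and a packet counter; a connection is confirmed idle when the timer reaches the threshold while the counter is at or below the minimum, and a remote with more idle connections than the limit is blocked for the second time period. The class name, the threshold values (30 s, 2 packets, limit 5, 10 min) and the constructed trace are assumptions, since the description gives no numbers for this embodiment.

```python
from datetime import datetime, timedelta


class IdleConnectionDefender:
    """Router-side logic of FIG. 5 and FIG. 6 (hypothetical name; not the patent's code).

    Per established connection it keeps the timer 26 (as the time of the last
    received packet) and the packet counter 25; the connection counter 27 is
    derived by counting connections confirmed idle. Once confirmed idle a
    connection stays idle, since the FIG. 5 flow ends at step S34 (assumption).
    """

    def __init__(self, time_threshold_s=30, min_packets=2, idle_limit=5, second_period_s=600):
        self.time_threshold = timedelta(seconds=time_threshold_s)  # timer threshold (assumed value)
        self.min_packets = min_packets                              # minimum packet count (assumed)
        self.idle_limit = idle_limit                                # idle connection limit (assumed)
        self.second_period = timedelta(seconds=second_period_s)     # second time period (assumed)
        self.conns = {}          # (remote, rport) -> {"last": ts, "packets": n, "idle": bool}
        self.blocked_until = {}  # remote -> end of its second time period

    def established(self, remote, rport, ts):
        """Steps S24, S26, S40: handshake done; start packet counter and timer.
        The handshake packets themselves are not counted."""
        self.conns[(remote, rport)] = {"last": ts, "packets": 0, "idle": False}

    def packet(self, remote, rport, ts):
        """Step S28: a TCP packet arrived on an established connection.
        Returns 'drop' while the remote is blocked, otherwise 'forward'."""
        until = self.blocked_until.get(remote)
        if until is not None and ts < until:
            return "drop"                              # step S46
        conn = self.conns.get((remote, rport))
        if conn is not None:
            conn["last"] = ts                          # timer reset and restarted (back to S26)
            conn["packets"] += 1                       # packet counter 25
        return "forward"

    def idle_count(self, remote):
        """Connection counter 27."""
        return sum(1 for (r, _), c in self.conns.items() if r == remote and c["idle"])

    def check(self, remote, ts):
        """Steps S30 to S34 for each of the remote's connections at time ts,
        then steps S42 to S46. Returns 'attacker' or 'ok'."""
        for (r, _), conn in self.conns.items():
            if r != remote or conn["idle"]:
                continue
            timer_expired = ts - conn["last"] >= self.time_threshold      # S30
            if timer_expired and conn["packets"] <= self.min_packets:    # S32
                conn["idle"] = True                                      # S34
        if self.idle_count(remote) > self.idle_limit:                    # S42
            self.blocked_until[remote] = ts + self.second_period         # S44, S46
            return "attacker"
        return "ok"


def run_demo():
    """Constructed trace: one remote opens six connections and sends one packet
    on each, then goes silent; another sends ten packets on one connection, then
    goes silent. Only the first meets both idle conditions."""
    base = datetime(2009, 10, 28, 9, 5, 0)                # constructed date
    quiet, chatty = "198.51.100.7", "203.0.113.9"          # constructed addresses
    d = IdleConnectionDefender(time_threshold_s=30, min_packets=2, idle_limit=5, second_period_s=600)
    for i in range(6):
        d.established(quiet, 40000 + i, base)
        d.packet(quiet, 40000 + i, base + timedelta(seconds=1))
    d.established(chatty, 50000, base)
    for i in range(10):
        d.packet(chatty, 50000, base + timedelta(seconds=i))
    result = {}
    result["quiet_at_20s"] = d.check(quiet, base + timedelta(seconds=20))    # timers not yet expired
    result["quiet_at_31s"] = d.check(quiet, base + timedelta(seconds=31))    # 6 idle > limit 5
    result["quiet_idle_count"] = d.idle_count(quiet)
    result["chatty_at_45s"] = d.check(chatty, base + timedelta(seconds=45))  # silent, but 10 packets > 2
    result["chatty_idle_count"] = d.idle_count(chatty)
    result["quiet_packet_at_40s"] = d.packet(quiet, 40000, base + timedelta(seconds=40))
    return result


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```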

In summary, the present invention meets the requirements for an invention patent, and a patent application is filed according to law. However, the above is merely a preferred embodiment of the present invention, and the scope of the present invention is not limited to the above embodiment; equivalent modifications or variations made by those skilled in the art in the spirit of the present invention shall all be covered by the following claims.

1‧‧‧router

10‧‧‧processor

12‧‧‧memory

20‧‧‧setting module

21‧‧‧receiving module

22‧‧‧clock module

23‧‧‧counting module

24‧‧‧identification module

25‧‧‧packet counter

26‧‧‧timer

27‧‧‧connection counter

3‧‧‧local computer

30‧‧‧TCP port

4‧‧‧modem

5‧‧‧network

6‧‧‧remote computer

FIG. 1 is a diagram of the operating environment of a preferred embodiment of the router of the present invention.

FIG. 2 is a functional block diagram of a preferred embodiment of the router of the present invention.

FIG. 3 is a schematic diagram of establishing a TCP connection in a preferred embodiment of the router of the present invention.

FIG. 4 is a flowchart of the first embodiment of the TCP port defense method of the present invention.

FIG. 5 is the idle connection confirmation flowchart of the second embodiment of the TCP port defense method of the present invention.

FIG. 6 is a flowchart of the second embodiment of the TCP port defense method of the present invention.


Claims (9)

1. A router connecting a local computer and remote computers, the router comprising: a setting module for setting a first time period and a second time period, and for setting the maximum number of times a remote computer is allowed to connect to the local computer; a receiving module for receiving Transmission Control Protocol (TCP) packets, the TCP packets including Synchronize (SYN) packets; a clock module for keeping time and recording the timestamp at which the local computer receives each TCP packet; a counting module which, when a SYN packet is received, uses the timestamp of that SYN packet to compute the number of times the remote computer that sent it established a TCP connection with the local computer but transmitted no data during the first time period preceding that timestamp; and an identification module which, when the number computed by the counting module exceeds the set maximum, identifies that remote computer as an attacker and discards all TCP packets it sends during the second time period beginning at the timestamp of that SYN packet.

2. The router of claim 1, wherein: the router further comprises a timer and a packet counter; the setting module further sets a time threshold and a minimum number of transmitted TCP packets for judging whether a TCP connection between the remote computer and the local computer is idle; the timer starts counting after the remote computer establishes a TCP connection with the local computer, and is reset to zero and started again whenever the local computer receives a TCP packet from the remote computer over that connection; the packet counter counts the TCP packets received by the local computer after the TCP connection with the remote computer has been established; and the identification module further confirms that the TCP connection is idle when the time counted by the timer reaches the set time threshold and the number of TCP packets counted by the packet counter is less than or equal to the set minimum number.

3. The router of claim 2, wherein: the router further comprises a connection counter; the setting module further sets an idle connection limit; the connection counter counts the number of idle TCP connections between the remote computer and the local computer; and the identification module further identifies the remote computer as an attacker when the number of idle TCP connections counted by the connection counter exceeds the set idle connection limit, and discards all TCP packets sent by the remote computer during the second time period following the identification.

4. The router of claim 1, wherein the local computer and the remote computer establish the TCP connection by a three-way handshake.

5. A Transmission Control Protocol (TCP) port defense method, applied in a router connecting a local computer and remote computers, the method comprising: setting a first time period and a second time period, and setting the maximum number of times a remote computer is allowed to connect to the local computer; the local computer receiving a Synchronize (SYN) packet sent by a remote computer; recording the timestamp at which the SYN packet is received; using the timestamp of the SYN packet to compute the number of times the remote computer that sent it established a TCP connection with the local computer but transmitted no data during the first time period preceding that timestamp; and, when the computed number exceeds the set maximum, identifying that remote computer as an attacker and discarding all TCP packets it sends during the second time period beginning at the timestamp of that SYN packet.

6. The TCP port defense method of claim 5, further comprising: setting a time threshold and a minimum number of transmitted TCP packets for judging whether a TCP connection between the remote computer and the local computer is idle; starting a packet counter after the remote computer establishes a TCP connection with the local computer; starting a timer; judging whether the local computer has received a TCP packet from the remote computer; if the local computer has not received a TCP packet from the remote computer, judging whether the time counted by the timer has reached the set time threshold; if the time counted by the timer has reached the set time threshold, judging whether the number of TCP packets counted by the packet counter is less than or equal to the set minimum number; and if the number of TCP packets counted by the packet counter is less than or equal to the set minimum number, confirming that the TCP connection is idle.

7. The TCP port defense method of claim 6, further comprising: setting an idle connection limit; starting a connection counter after the local computer establishes a TCP connection with the remote computer; and when the number of idle TCP connections counted by the connection counter exceeds the set idle connection limit, identifying the remote computer as an attacker and discarding all TCP packets sent by the remote computer during the second time period following the identification.

8. The TCP port defense method of claim 6, further comprising: if the local computer receives a TCP packet from the remote computer, resetting the timer to zero and starting it again.

9. The TCP port defense method of claim 5, wherein the local computer and the remote computer establish the TCP connection by a three-way handshake.
TW98136588A 2009-10-28 2009-10-28 Router and method for protecting tcp ports TWI397286B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW98136588A TWI397286B (en) 2009-10-28 2009-10-28 Router and method for protecting tcp ports


Publications (2)

Publication Number Publication Date
TW201115984A TW201115984A (en) 2011-05-01
TWI397286B true TWI397286B (en) 2013-05-21

Family

ID=44934658


Country Status (1)

Country Link
TW (1) TWI397286B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6427161B1 (en) * 1998-06-12 2002-07-30 International Business Machines Corporation Thread scheduling techniques for multithreaded servers
TW200422629A (en) * 2002-12-20 2004-11-01 Zarlink Semiconductor Vn Inc Apparatus for link failure detection on high availability ethernet backplane
US7114182B2 (en) * 2002-05-31 2006-09-26 Alcatel Canada Inc. Statistical methods for detecting TCP SYN flood attacks
TW200741504A (en) * 2006-04-17 2007-11-01 Winnow Technologies Inc Malicious attack detection system and an associated method of use
US7490235B2 (en) * 2004-10-08 2009-02-10 International Business Machines Corporation Offline analysis of packets


Also Published As

Publication number Publication date
TW201115984A (en) 2011-05-01

Similar Documents

Publication Publication Date Title
US9628441B2 (en) Attack defense method and device
CN101378395B (en) Method and apparatus for preventing reject access aggression
US7571479B2 (en) Denial of service defense by proxy
US7234161B1 (en) Method and apparatus for deflecting flooding attacks
De Vivo et al. Internet vulnerabilities related to TCP/IP and T/TCP
CA2565409C (en) Preventing network reset denial of service attacks using embedded authentication information
US7711790B1 (en) Securing an accessible computer system
KR101442020B1 (en) Method and apparatus for preventing transmission control protocol flooding attacks
US20120227088A1 (en) Method for authenticating communication traffic, communication system and protective apparatus
CN102045251B (en) Router and TCP (Transmission Control Protocol) port defense method
EP2357771A1 (en) Trusted network connect handshake method based on tri-element peer authentication
CN101636968A (en) Method for preventing denial of service attacks using transmission control protocol state transition
WO2010048838A1 (en) Network authentication method, client end requiring authentication method, client end and device
CN103347016A (en) Attack defense method
WO2014040292A1 (en) Protection method and device against attacks
CN110266678B (en) Security attack detection method and device, computer equipment and storage medium
CN106230587B (en) Long connection anti-replay attack method
CN104426837A (en) Application specific packet filter method and device of file transfer protocol
Simpson TCP cookie transactions (TCPCT)
AU2005206754B2 (en) Preventing network reset denial of service attacks
US7634655B2 (en) Efficient hash table protection for data transport protocols
CN104023036A (en) TCP (transmission control protocol) bypass blocking method and device
TWI397286B (en) Router and method for protecting tcp ports
CN110445809B (en) Network attack detection method, device, system, electronic equipment and storage medium
CN102291378B (en) Distributed deny of service (DDoS) attack defense method and device

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees