WO2011000304A1 - Method, device and gateway equipment for detecting abnormal connections - Google Patents


Info

Publication number
WO2011000304A1
Authority
WO
WIPO (PCT)
Prior art keywords
client
connection
address information
data packet
tcp connection
Application number
PCT/CN2010/074660
Other languages
French (fr)
Chinese (zh)
Inventor
蒋武
杨莉
Original Assignee
成都市华为赛门铁克科技有限公司
Application filed by 成都市华为赛门铁克科技有限公司
Publication of WO2011000304A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L 69/163 In-band adaptation of TCP data exchange; In-band control procedures
    • H04L 69/40 Network arrangements, protocols or services independent of the application payload for recovering from a failure of a protocol instance or entity, e.g. service redundancy protocols, protocol state redundancy or protocol service redirection
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic

Definitions

  • The invention relates to a method, device and gateway device for detecting abnormal connections.
  • This application claims priority to Chinese Patent Application No. 200910151032.0, filed with the Chinese Patent Office on June 29, 2009 and entitled "An abnormal connection detection method, device and gateway device", the entire contents of which are incorporated herein by reference.
  • The present invention relates to the field of information security, and in particular to a method, device and gateway device for detecting abnormal connections.
  • A Distributed Denial of Service (DDoS) attack uses seemingly legitimate service requests to occupy excessive server resources, so that the server cannot process the requests of legitimate users.
  • The TCP full-connection attack, one form of DDoS attack, continuously establishes a large number of TCP connections with the server through many zombie hosts until the server's connection table, memory and other resources are exhausted, so that the server refuses service and can no longer process the requests of legitimate users.
  • A characteristic of the TCP full-connection attack is that it can bypass the protection of a general firewall and still achieve its purpose. For a typical network service system the number of TCP connections that can be accepted is limited, so when the system is subjected to a TCP full-connection attack, access to the website becomes very slow or the site becomes inaccessible altogether.
  • In the existing approach, a firewall or DDoS detection device monitors the total number of connections to the protected server, and if the total number of connections exceeds a connection number threshold, the TCP connections are considered abnormal.
  • Specifically, the connection check module in the firewall or DDoS detection device inspects the TCP connections in the traffic to be defended and counts the number of successful handshakes, i.e. completed TCP connections. When the statistics period ends, the count is compared with the connection number threshold; if the count is greater than the threshold, the TCP connections are identified as abnormal connections, that is, a full-connection attack is deemed to be in progress.
  • The inventors found that normal access traffic changes over time: when normal access traffic increases, the number of TCP connections in the traffic also increases, and when the number of TCP connections within a given period exceeds the connection threshold, normal TCP connections are recognized as abnormal connections, that is, a full-connection attack is wrongly reported. The existing approach therefore produces false positives for full-connection attacks.
  • An embodiment of the present invention provides a method for detecting an abnormal connection, including: receiving a connection request message sent by a client; establishing a TCP connection with the client; and detecting whether a data packet sent by the client is received within a set time. If no data packet is received within the set time, the TCP connection is identified as an abnormal connection. If a data packet sent by the client is received within the set time, the data packet is verified according to a protocol packet; if the verification succeeds, the TCP connection is identified as a normal connection, and if the verification fails, the TCP connection is identified as an abnormal connection.
  • An embodiment of the invention further provides an abnormal connection detecting device, comprising:
  • a transceiver module configured to receive a connection request message sent by the client and to establish a TCP connection with the client;
  • a detecting module configured to detect whether a data packet sent by the client is received within a set time;
  • a verification module configured to verify the data packet according to a protocol packet when the detection result of the detecting module is that a data packet sent by the client was received within the set time; and
  • an identifying module configured to identify the TCP connection as an abnormal connection when the detection result of the detecting module is that no data packet sent by the client was received within the set time, to identify the TCP connection as a normal connection when the verification module successfully verifies the data packet, and to identify the TCP connection as an abnormal connection when the verification module fails to verify the data packet.
  • An embodiment of the invention provides a gateway device that comprises the above abnormal connection detecting device.
  • By detecting whether a data packet sent by the client is received within the set time, and verifying any data packet received within the set time according to the protocol packet, the TCP connection established with the client is identified as an abnormal connection when the client initiates a full-connection attack on the server, thereby improving the accuracy of detecting full-connection attacks.
  • FIG. 1 is a flowchart of a method for detecting an abnormal connection according to Embodiment 1 of the present invention
  • FIG. 2 is a flowchart of a method for detecting an abnormal connection according to Embodiment 2 of the present invention
  • FIG. 3 is a flowchart of a method for detecting an abnormal connection according to Embodiment 3 of the present invention
  • FIG. 4 is a flowchart of a method for detecting an abnormal connection according to Embodiment 4 of the present invention
  • FIG. 5 is a flowchart of a method for detecting an abnormal connection according to Embodiment 5 of the present invention
  • FIG. 6 is a flowchart of a method for detecting an abnormal connection according to Embodiment 6 of the present invention
  • FIG. 7 is a schematic structural diagram of an abnormal connection detecting apparatus according to Embodiment 7 of the present invention
  • FIG. 8 is a schematic structural diagram of an abnormal connection detecting apparatus according to Embodiment 8 of the present invention.
  • FIG. 1 is a flowchart of a method for detecting an abnormal connection according to Embodiment 1 of the present invention. As shown in FIG. 1, the method includes:
  • Step 101: Receive a connection request message sent by the client.
  • The connection request message may be a SYN message. The SYN (synchronize) message is the handshake signal used when TCP/IP establishes a connection.
  • Step 102: Establish a TCP connection with the client. Specifically, after the SYN message sent by the client is received, a SYN-ACK message is returned to the client, and the client sends an ACK message in response, which completes the establishment of the TCP connection. The SYN-ACK message is the response to the SYN message, and the ACK message is the response to the SYN-ACK message.
  • In this step the SYN message is not forwarded to the server; instead, a TCP connection is established with the client directly.
  • Step 103: Detect whether a data packet sent by the client is received within the set time. If yes, go to step 104; otherwise, go to step 106.
  • The set time can be any preset time period.
  • Step 104: Verify the data packet according to the protocol packet. If the verification succeeds, go to step 105; if the verification fails, go to step 106.
  • The protocol packet may be an HTTP protocol packet, an FTP protocol packet or an SSH protocol packet, depending on the actual application.
  • Verification checks whether the content of the data packet is consistent with the protocol packet type. If the content of the data packet is consistent with the protocol packet type, the verification succeeds; if it does not match the protocol packet type, the verification fails.
  • Step 105: Identify the TCP connection as a normal connection. The received data packet is considered a normal data packet and the TCP connection a normal connection, that is, the client is not performing a full-connection attack on the server.
  • Step 106: Identify the TCP connection as an abnormal connection, that is, the client is performing a full-connection attack on the server.
  • In this embodiment, by detecting whether a data packet sent by the client is received within the set time and verifying any received data packet according to the protocol packet, the TCP connection established with the client can be identified as an abnormal connection, thereby improving the accuracy of detecting full-connection attacks.
  • FIG. 2 is a flowchart of a method for detecting an abnormal connection according to Embodiment 2 of the present invention. As shown in FIG. 2, the method includes:
  • Step 201: Receive a connection request message sent by the client, where the connection request message carries client address information.
  • The steps in this embodiment may be performed by the abnormal connection detecting device. Specifically, when the client sends a connection request message to the server, the abnormal connection detecting device receives the connection request message.
  • Step 202: Determine whether the set record table includes the client address information. If yes, go to step 208; otherwise, go to step 203.
  • The record table stores trusted client address information and untrusted (or malicious) client address information. Trusted client address information is client address information that has been verified; untrusted client address information is client address information that has not been verified. The record table may include a whitelist and a blacklist: the whitelist stores trusted client address information, and the blacklist stores malicious client address information.
  • Step 203: Establish a TCP connection with the client.
  • After the abnormal connection detecting device receives the connection request message sent by the client, if the client address information carried in the message is determined, according to the set record table, to be unknown address information, the detecting device establishes the TCP connection with the client in place of the server.
  • Step 204: Detect whether a data packet sent by the client is received within the set time. If yes, go to step 205; otherwise, go to step 207.
  • In the case of a normal connection, after the abnormal connection detecting device establishes a TCP connection with the client, the client sends a data packet to the detecting device. The detecting device can therefore make an initial determination of whether the TCP connection is abnormal by detecting whether a data packet sent by the client is received within the set time.
  • Step 205: Verify the data packet according to the protocol packet. If the verification succeeds, go to step 206; if the verification fails, go to step 207.
  • Verifying the data packet according to the protocol packet may consist of checking whether the content of the data packet is consistent with the protocol packet. If the content is consistent with the protocol packet, the verification succeeds; if it is inconsistent, the verification fails.
  • Step 206: Identify the TCP connection as a normal connection, store the client address information in the set record table, disconnect the TCP connection established with the client, and end the process.
  • Step 207: Identify the TCP connection as an abnormal connection, store the client address information in the set record table, discard the TCP connection, and end the process.
  • Step 208: Allow or deny the client to establish a TCP connection with the server, and end the process.
  • When it is determined that the trusted client address information includes the client address information, that is, the client address information is trusted, the client is allowed to establish a TCP connection with the server; the abnormal connection detecting device then forwards the connection request message sent by the client to the server so that the client establishes a TCP connection with the server. When it is determined that the malicious client address information includes the client address information, that is, the client address information is malicious, the client is denied a TCP connection with the server; the abnormal connection detecting device then rejects the client's connection request, thereby protecting the server from the TCP full-connection attack.
  • In this embodiment, the TCP connection established with the client is recognized as an abnormal connection in time, thereby improving the accuracy and real-time performance of detecting full-connection attacks.
  • FIG. 3 is a flowchart of a method for detecting an abnormal connection according to Embodiment 3 of the present invention. As shown in FIG. 3, the method includes:
  • Step 301: Receive a connection request message sent by the client, where the connection request message carries port information and client address information.
  • Each step in this embodiment may be performed by the abnormal connection detecting device. The port information may be an HTTPS port or the like, and may be the default port or a user-defined port; the client address information may be the IP address of the client.
  • Step 302: Parse the protocol type from the port information carried in the connection request message.
  • For example, the abnormal connection detecting device determines from the port information that the port is an HTTPS port, and therefore parses the data packet as an HTTPS protocol type data packet. HTTPS is a network protocol built from SSL and HTTP for encrypted transmission and identity authentication; SSL is a protocol that encrypts and decrypts data over a secure connection between a client and an SSL-enabled server.
  • Step 303: Query whether the pre-configured protocol types to be detected include the identified protocol type. If yes, go to step 304; otherwise, go to step 313.
  • The pre-configured protocol types to be detected may include one or more protocols, so this step queries whether the identified protocol type of the data packet falls within the range to be detected.
  • Step 304: Determine whether the client address information is included in the whitelist or the blacklist. If the client address information is in neither the whitelist nor the blacklist, go to step 305; if the whitelist includes the client address information, go to step 313; if the blacklist includes the client address information, go to step 314.
  • A whitelist and a blacklist can be set at the same time. Client address information in the whitelist is allowed to pass, and client address information in the blacklist is rejected.
  • Step 305: Establish a TCP connection with the client, and go to step 306.
  • Step 306: Detect whether a data packet sent by the client is received within the set time. If yes, go to step 307; otherwise, go to step 310.
  • Step 307: Verify the data packet according to the protocol packet. If the verification succeeds, go to step 308; if the verification fails, go to step 310.
  • Verification checks whether the content of the data packet is consistent with the protocol packet. If it is consistent, the verification succeeds; if it is inconsistent, the verification fails.
  • Step 308: Identify the TCP connection as a normal connection, and go to step 309.
  • Step 309: Add the client address information to the whitelist, send a disconnect message to the client, and end the process. The disconnect message can be an RST message.
  • Step 310: Identify the TCP connection as an abnormal connection, and go to step 311.
  • Step 311: Discard the TCP connection, release the resources occupied by the TCP connection, and go to step 312.
  • Step 312: Add the client address information to the blacklist, and end the process.
  • Step 313: Allow the client to establish a TCP connection with the server, and end the process.
  • Step 314: Reject the client's request to establish a TCP connection with the server, and end the process.
  • Alternatively, step 312 may be performed first to add the client address information to the blacklist, and then step 311 performed to discard the TCP connection and release the resources it occupies.
  • Alternatively, only step 311 may be performed, discarding the TCP connection and releasing its resources, without performing step 312, that is, without adding the client address information to the blacklist.
  • The whitelist and the blacklist may also both be left unset, in which case the step of adding the client address information to the blacklist in step 312 is not performed. When the client then requests to establish a TCP connection again, each step in this embodiment must be performed again to identify the client's TCP connection as an abnormal connection; the abnormal connection detecting device therefore keeps establishing TCP connections with the client and repeatedly carries out the process of detecting that the TCP connection is abnormal. This is the case in which the abnormal connection detecting device withstands the full-connection attack initiated by the client in place of the server.
  • In this embodiment, the TCP connection established with the client is recognized as an abnormal connection in time, thereby improving the accuracy and real-time performance of detecting full-connection attacks.
  • FIG. 4 is a flowchart of a method for detecting an abnormal connection according to Embodiment 4 of the present invention. This embodiment is mainly applied to the case where the protocol type is the FTPS protocol. As shown in FIG. 4, the method includes:
  • Step 401: Receive a connection request message sent by the client, where the connection request message carries port information and client address information. The steps in this embodiment can be performed by the abnormal connection detecting device.
  • Step 402: Parse the protocol type from the port information carried in the connection request message. In this embodiment the protocol type is the FTPS protocol type.
  • FTPS is an enhanced FTP protocol that uses the standard FTP commands over the Secure Sockets Layer, adding SSL security to the FTP control and data channels. FTPS is also known as "FTP-SSL" and "FTP-over-SSL".
  • Step 403: Query whether the pre-configured protocol types include the identified protocol type. If yes, go to step 404; otherwise, go to step 415.
  • Step 404: Determine whether the client address information is included in the whitelist or the blacklist. If the client address information is in neither the whitelist nor the blacklist, go to step 405; if the whitelist includes the client address information, go to step 415; if the blacklist includes the client address information, go to step 416.
  • Step 405: Establish a TCP connection with the client.
  • Step 406: Detect whether a data packet sent by the client is received within the silence time. If yes, go to step 412; otherwise, go to step 407.
  • The silence time can be any set time. After a TCP connection is established with the client, under normal conditions the client does not actively send any data packet to the abnormal connection detecting device during the set silence time. Therefore, by detecting whether a data packet sent by the client is received during the silence time, this step can also determine whether the client sending the packet is a trusted client.
  • Step 407: Send a version data packet to the client, and go to step 408.
  • A normal client does not send a data packet to the peer device (the device that established the TCP connection with the client) during the set silence time; only after it receives the version data packet sent by the peer device does it send a data packet to the peer device according to that version data packet. In other words, before the client can send a data packet to the abnormal connection detecting device, it must first receive the FTPS version data packet sent by the detecting device.
  • Step 408: Detect whether a data packet sent by the client is received within the set time. If yes, go to step 409; otherwise, go to step 412.
  • Step 409: Verify the data packet according to the protocol packet. If the verification succeeds, go to step 410; if the verification fails, go to step 412.
  • Verification checks whether the content of the data packet is consistent with the protocol packet. If it is consistent, the verification succeeds; if it is inconsistent, the verification fails.
  • Step 410: Identify the TCP connection as a normal connection, and go to step 411.
  • Step 411: Add the client address information to the whitelist, send a disconnect message to the client, and end the process. The disconnect message can be an RST message.
  • Step 412: Identify the TCP connection as an abnormal connection, and go to step 413.
  • Step 413: Discard the TCP connection, release the resources occupied by the TCP connection, and go to step 414.
  • Step 414: Add the client address information to the blacklist, and end the process.
  • Step 415: Allow the client to establish a TCP connection with the server, and end the process.
  • Step 416: Reject the client's request to establish a TCP connection with the server, and end the process.
  • In this embodiment, the TCP connection established with the client is recognized as an abnormal connection in time, thereby improving the accuracy and real-time performance of detecting full-connection attacks.
  • The HTTPS protocol is a network protocol that transmits data encrypted by SSL together with the HTTP protocol. In this embodiment the client is an HTTPS client and the server is an HTTPS server.
  • The process in this embodiment describes performing full-connection attack detection on the connection request sent by the client and detecting that the established TCP connection is a normal connection.
  • The full-connection attack detection in this embodiment may be performed by the abnormal connection detecting device, which may be deployed on its own or in a gateway device. In this embodiment, a gateway device that includes the abnormal connection detecting device is used as the example for describing the method for detecting an abnormal connection.
  • FIG. 5 is a flowchart of a method for detecting an abnormal connection according to Embodiment 5 of the present invention. As shown in FIG. 5, the method includes:
  • Step 501: The HTTPS client sends a SYN message to the gateway device, where the SYN message carries the HTTPS port information and the IP address of the HTTPS client.
  • Step 502: The gateway device parses the protocol type from the HTTPS port information carried by the SYN message as the HTTPS protocol, and queries the pre-configured protocol types, which include the HTTPS protocol; the identified HTTPS protocol therefore falls within the scope of full-connection attack detection. The HTTPS port information can be the default port 443 or user-defined port information.
  • Step 503: The gateway device determines that neither the set whitelist nor the set blacklist includes the IP address information of the client.
  • Step 504: The gateway device sends a SYN-ACK message to the HTTPS client.
  • Step 505: The HTTPS client returns an ACK message to the gateway device, and the HTTPS client thereby establishes a TCP connection with the gateway device.
  • Step 506: The gateway device adds the IP address of the HTTPS client to the aging table and sets an aging time, where the aging time is the set time.
  • Step 507: The gateway device receives the data packet sent by the HTTPS client within the aging time.
  • The gateway device verifies the received data packet according to the HTTPS protocol packet, which may be the Hello message of the HTTPS protocol. If the data packet is consistent with the Hello message, the verification succeeds; if it is inconsistent with the Hello message, the verification fails. In other words, when the verification succeeds, the data packet sent by the HTTPS client is the Hello message.
  • Step 509: The gateway device recognizes that the TCP connection is a normal connection and adds the address information of the HTTPS client to the whitelist.
  • Step 510: The gateway device returns an RST message to the HTTPS client to disconnect the TCP connection with the HTTPS client.
  • Step 511: The HTTPS client sends a SYN message to the HTTPS server through the gateway device. The gateway device queries the whitelist, finds that it includes the IP address of the client carried in the SYN message, and forwards the SYN message to the HTTPS server.
  • Step 512: The HTTPS server sends a SYN-ACK message to the HTTPS client through the gateway device.
  • Step 513: The HTTPS client returns an ACK message to the HTTPS server through the gateway device, thereby establishing a TCP connection with the HTTPS server.
  • Step 514: The HTTPS client performs HTTPS data transmission with the HTTPS server through the gateway device.
  • If the gateway device verifies the data packet according to the HTTPS protocol and the verification fails, the TCP connection is identified as an abnormal connection and the IP address of the client is added to the blacklist. When the HTTPS client again sends a SYN message to the HTTPS server, the gateway device refuses to establish a TCP connection between the HTTPS client and the HTTPS server.
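The following Python simulation is an added example, written for this page and not code from the patent or its assignee, showing the flow of Embodiments 1, 2, 3 and 5 end to end: the gateway answers the SYN itself instead of forwarding it, holds the half-proxied connection in an aging table for a set time, verifies the first data packet against the expected protocol packet (here a TLS ClientHello, standing in for the Hello message of Embodiment 5), and moves the client address to the whitelist or blacklist. The set time of 2 seconds, the port-to-protocol mapping, the ClientHello check (record type 0x16, record version 0x03xx, handshake type 0x01) and all client traffic are constructed assumptions; the patent leaves those values to the deployment.

```python
import struct

# Constructed/assumed parameters: the patent leaves the "set time" and the
# port-to-protocol mapping to the deployment.
SET_TIME = 2.0                                           # seconds; the "set time" / aging time
PORT_PROTOCOL = {443: "https", 80: "http", 21: "ftps"}   # port information -> protocol type
DETECTED_PROTOCOLS = {"https"}                           # pre-configured protocol types to detect


def looks_like_tls_client_hello(data: bytes) -> bool:
    """HTTPS 'protocol packet' check: does the first client packet start a TLS ClientHello?
    TLS record header = content type (0x16 handshake), version 0x03xx, 2-byte length;
    the handshake header that follows starts with type 0x01 = ClientHello. This concrete
    check is an assumption; the patent only says the packet must match the Hello message."""
    if len(data) < 6:
        return False
    content_type, major, _minor, _rec_len = struct.unpack("!BBBH", data[:5])
    return content_type == 0x16 and major == 0x03 and data[5] == 0x01


VERIFIERS = {"https": looks_like_tls_client_hello}


class Gateway:
    """Simulated abnormal-connection detecting device sitting in front of the server."""

    def __init__(self, set_time=SET_TIME):
        self.whitelist = set()
        self.blacklist = set()
        self.aging = {}            # client ip -> (protocol, deadline): the aging table
        self.set_time = set_time

    def on_syn(self, client_ip, dst_port, now):
        """Steps 301-305: decide what to do with a SYN from client_ip to dst_port."""
        proto = PORT_PROTOCOL.get(dst_port)
        if proto not in DETECTED_PROTOCOLS:
            return "forward"       # step 313: protocol not within detection scope
        if client_ip in self.whitelist:
            return "forward"       # step 313: trusted address
        if client_ip in self.blacklist:
            return "reject"        # step 314: malicious address
        # Unknown address: complete SYN/SYN-ACK/ACK with the client ourselves
        # (step 305) instead of forwarding the SYN, and start the aging timer.
        self.aging[client_ip] = (proto, now + self.set_time)
        return "proxy-handshake"

    def on_data(self, client_ip, data, now):
        """Steps 306-312: first data packet on a connection the gateway is holding."""
        entry = self.aging.pop(client_ip, None)
        if entry is None:
            return "no-pending-connection"
        proto, deadline = entry
        if now > deadline:
            self.blacklist.add(client_ip)   # arrived after the set time: abnormal
            return "abnormal"
        if VERIFIERS[proto](data):
            self.whitelist.add(client_ip)   # steps 308-309: normal, whitelist, send RST
            return "normal-rst"
        self.blacklist.add(client_ip)       # steps 310-312: abnormal, discard, blacklist
        return "abnormal"

    def expire(self, now):
        """Step 306 'otherwise' branch: no packet within the set time -> abnormal."""
        expired = [ip for ip, (_, deadline) in self.aging.items() if now > deadline]
        for ip in expired:
            del self.aging[ip]
            self.blacklist.add(ip)
        return expired


def run_scenario():
    """Constructed sample traffic against port 443; returns the gateway's decisions."""
    gw = Gateway(set_time=2.0)
    r = {}
    # Minimal constructed TLS record: handshake type, record version 3.1, 4-byte body, ClientHello.
    client_hello = bytes.fromhex("1603010004" "01000000")
    # Client A behaves like a browser: ClientHello 0.1 s after the handshake.
    r["a_syn"] = gw.on_syn("10.0.0.1", 443, now=0.0)
    r["a_data"] = gw.on_data("10.0.0.1", client_hello, now=0.1)
    r["a_syn_again"] = gw.on_syn("10.0.0.1", 443, now=0.2)   # now whitelisted
    # Client B completes the handshake and then stays silent (full-connection pattern).
    r["b_syn"] = gw.on_syn("10.0.0.2", 443, now=0.0)
    r["b_expired"] = gw.expire(now=3.0)
    r["b_syn_again"] = gw.on_syn("10.0.0.2", 443, now=3.1)   # now blacklisted
    # Client C sends something that is not a TLS ClientHello on the HTTPS port.
    r["c_syn"] = gw.on_syn("10.0.0.3", 443, now=0.0)
    r["c_data"] = gw.on_data("10.0.0.3", b"GET / HTTP/1.1\r\n", now=0.5)
    # Client D targets port 80, which is not a pre-configured protocol type to detect.
    r["d_syn"] = gw.on_syn("10.0.0.4", 80, now=0.0)
    r["lists"] = (sorted(gw.whitelist), sorted(gw.blacklist))
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Running the module prints the decision for each constructed client: A is whitelisted and its next SYN is forwarded, B is blacklisted by the aging timer and its next SYN is rejected, C is blacklisted because its first packet fails the protocol check, and D is forwarded untouched because port 80 is outside the configured detection scope.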
  • the method for detecting the abnormal connection of the present invention is applied to the FTPS protocol in detail by using a specific embodiment.
  • the client is an FTPS client and the server is an FTPS server.
  • the process in this embodiment describes the client.
  • the connection request sent by the terminal performs a full connection attack check. Measure and detect the established TCP connection as a normal connection.
  • the detection of the full connection attack in the embodiment may be performed by the detecting device of the abnormal connection.
  • the detecting device of the abnormal connection may be deployed separately or in the gateway device. Therefore, in this embodiment, the detecting device includes the abnormal connection.
  • the gateway device is used as an example to describe the detection method of the abnormal connection.
  • FIG. 6 is a flowchart of a method for detecting an abnormal connection according to Embodiment 6 of the present invention. As shown in FIG. 6, the method includes:
  • Step 601 The FTPS client sends a SYN message to the gateway device, where the SYN message carries the FTPS port information and the IP address of the FTPS client.
  • Step 602 The gateway device parses the protocol type of the FTPS port information carried by the SYN message into the FTPS protocol, and queries the pre-configured protocol type to include the FTPS protocol.
  • the identified FTPS protocol belongs to the scope of full connectivity attack detection.
  • the FTPS port information can be the default port 21 or user-defined port information.
  • Step 603 The gateway device determines that the set whitelist and the blacklist do not include the IP address information of the client.
  • Step 604 The gateway device sends a SYN-ACK message to the FTPS client.
  • Step 605 The FTPS client returns an ACK message to the gateway device.
  • the FTPS client establishes a TCP connection with the gateway device.
  • Step 606 The gateway device adds the IP address of the FTPS client to the aging table, and sets the aging time, where the aging time is the silent time.
  • Step 607 The gateway device detects, in the aging time, that the data packet sent by the FTPS client is not received.
  • Step 608 The gateway device sends a version data packet f tp vers i on to the FTPS client.
  • Ftp ve rsi on is the data packet in the FTPS protocol;
  • Step 609 The gateway device presets a set time.
  • Step 610 The gateway device receives the data packet sent by the FTPS client within the set time.
  • Step 611 The gateway device verifies the data packet according to the FTPS protocol packet.
  • The protocol packet used for the FTPS protocol is the USER command message.
  • The gateway device verifies the received data packet against the USER command message: if the data packet is consistent with the USER command message, verification succeeds; if it is inconsistent, verification fails. In other words, verification succeeds when the packet sent by the FTPS client is a USER command message.
  • Step 612 The gateway device identifies that the TCP connection is a normal connection, and adds the address information of the FTPS client to the whitelist.
  • Step 613 The gateway device returns an RST message to the FTPS client to tear down the TCP connection with the FTPS client.
  • Step 614 The FTPS client sends a SYN message to the FTPS server through the gateway device; the gateway device queries the whitelist, finds that it includes the IP address of the client carried in the SYN message, and forwards the SYN message to the FTPS server.
  • Step 615 The FTPS server sends a SYN-ACK message to the FTPS client through the gateway device.
  • Step 617 The FTPS client performs FTPS data transmission with the FTPS server through the gateway device.
  • If the gateway device verifies the data packet according to the FTPS protocol packet and the verification fails, the TCP connection is identified as an abnormal connection, the IP address of the client is added to the blacklist, and the gateway device refuses to establish a TCP connection between the FTPS client and the FTPS server.
  • If the gateway device detects that a data packet from the FTPS client is received during the aging time (that is, the silent time), the gateway device identifies the TCP connection as an abnormal connection, adds the IP address of the client to the blacklist, and refuses to establish a TCP connection between the FTPS client and the FTPS server. A genuine FTPS client waits for the server's version packet before sending anything, so data arriving during the silent time indicates that the client is not following the FTPS protocol.
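The silent-time and set-time flow of steps 606 to 617 above, as an added Python example that is not part of the patent's text: a client of a server-speaks-first protocol such as FTP waits for the server's greeting, so the probe treats any client data inside the silent time as abnormal, then sends the version packet itself and classifies the client by whether a USER command message arrives within the set time. The names `AddressLists`, `probe_ftp_client`, `admit_syn` and `is_command`, the 220 greeting text, the timing values and the client behaviours in the usage section are constructed assumptions. One practical caveat: an explicit FTPS client per RFC 4217 opens with AUTH TLS rather than USER, so the expected first command is a parameter here rather than hard-coded.

```python
"""Server-speaks-first probe for one client connection (Embodiment 6 style).

Constructed example, not the patent's own code. Event times are seconds after
the gateway completed the three-way handshake with the client on its own.
"""
from dataclasses import dataclass, field


@dataclass
class AddressLists:
    """Configured record table: trusted (whitelist) and malicious (blacklist) addresses."""
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)


# The "version data packet" the gateway sends in place of the server (assumed text).
FTP_VERSION_PACKET = b"220 ftpd ready\r\n"


def is_command(payload: bytes, verb: bytes = b"USER") -> bool:
    """Verify the first client packet against the expected FTP command message.

    'Consistent with the USER command message' is read here as a single
    CRLF-terminated command line whose verb is USER and whose argument is non-empty.
    Explicit FTPS clients (RFC 4217) send AUTH TLS first, so the verb is a parameter.
    """
    if not payload.endswith(b"\r\n") or payload.count(b"\n") != 1:
        return False
    parts = payload[:-2].split(b" ", 1)
    return len(parts) == 2 and parts[0].upper() == verb and parts[1].strip() != b""


def probe_ftp_client(client_ip, events, table, silent_time=2.0, set_time=5.0, verb=b"USER"):
    """Run the silent-time / set-time state machine for one probed client.

    events: list of (t_seconds, payload) packets the client sent after the handshake.
    Returns (verdict, actions): verdict is "normal" or "abnormal"; actions is the
    ordered list of gateway actions taken.
    """
    actions = []
    events = sorted(events)
    # Phase 1 (steps 606/607): aging time = silent time. A genuine FTP client is
    # waiting for the server greeting, so client data in this window is abnormal.
    if any(t <= silent_time for t, _ in events):
        table.blacklist.add(client_ip)
        return "abnormal", actions + ["blacklist", "discard"]
    # Phase 2 (steps 608/609): the gateway speaks first and starts the set time.
    actions.append("send_version")
    deadline = silent_time + set_time
    for t, payload in events:
        if silent_time < t <= deadline:
            # Steps 610-613: the first packet inside the set time is verified.
            if is_command(payload, verb):
                table.whitelist.add(client_ip)
                return "normal", actions + ["whitelist", "rst"]
            table.blacklist.add(client_ip)
            return "abnormal", actions + ["blacklist", "discard"]
    # Nothing (or nothing in time) after the greeting: the client never acted
    # like an FTP client, which is what a full-connection bot looks like.
    table.blacklist.add(client_ip)
    return "abnormal", actions + ["blacklist", "discard"]


def admit_syn(client_ip, table):
    """Step 614 style decision for a later SYN from the same address."""
    if client_ip in table.whitelist:
        return "forward"   # pass the SYN to the real FTPS server
    if client_ip in table.blacklist:
        return "reject"    # refuse the connection request outright
    return "probe"         # unknown address: run the probe again


if __name__ == "__main__":
    table = AddressLists()
    # Constructed client behaviours on RFC 5737 documentation addresses.
    print(probe_ftp_client("203.0.113.5", [(3.0, b"USER alice\r\n")], table))
    print(probe_ftp_client("198.51.100.7", [(0.1, b"GET / HTTP/1.1\r\n\r\n")], table))
    print(probe_ftp_client("198.51.100.8", [], table))
    print(admit_syn("203.0.113.5", table), admit_syn("198.51.100.8", table))
```

The second argument is a recorded trace rather than a socket so the same state machine can be exercised against all four outcomes the embodiment distinguishes: data before the greeting, no data after it, the wrong packet after it, and a USER command within the set time.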
  • FIG. 7 is a schematic structural diagram of an abnormal connection detecting apparatus according to Embodiment 7 of the present invention.
  • The abnormal connection detecting apparatus includes a transceiver module 111, a detecting module 112, a verifying module 113, and an identifying module 114, wherein:
  • the transceiver module 111 is configured to receive a connection request message sent by the client and to establish a TCP connection with the client.
  • Specifically, the transceiver module 111 receives the connection request message sent by the client, sends a connection response message to the client, receives the response message returned by the client, and thereby establishes a TCP connection with the client.
  • the connection request message may be a SYN message
  • the connection response message may be a SYN-ACK message
  • the response message may be an ACK message.
  • The detecting module 112 is configured to detect whether a data packet sent by the client is received within the set time. Specifically, when it detects that a data packet sent by the client is received, the detecting module 112 sends that detection result to the verifying module 113; when it detects that no data packet is received, it sends that detection result to the identifying module 114. It can be understood that the data packet sent by the client is received through the transceiver module 111.
  • The verifying module 113 is configured to verify the received data packet according to the protocol packet when the detecting module 112 detects that a data packet is received. Specifically, the verifying module 113 can verify whether the content of the data packet is consistent with the protocol packet type: if consistent, verification succeeds; if inconsistent, verification fails.
  • The identifying module 114 is configured to identify the TCP connection as an abnormal connection when the detecting module 112 detects that no data packet is received, to identify the TCP connection as a normal connection when the verifying module 113 verifies the data packet successfully, and to identify the TCP connection as an abnormal connection when the verifying module 113 fails to verify the data packet.
  • That is, the identifying module 114 may identify the TCP connection as an abnormal connection according to the detection result of the detecting module 112, or may identify whether the TCP connection is abnormal according to the verification result of the verifying module 113: when the verification result of the verifying module 113 is success, the TCP connection is identified as a normal connection, and when the verification result is failure, the TCP connection is identified as an abnormal connection.
  • In this embodiment, the abnormal connection detecting apparatus detects whether a data packet sent by the client is received within a set time and verifies a data packet received within the set time according to the protocol packet. When the client launches a full-connection attack against the server, the abnormal connection detecting apparatus can recognize that the TCP connection established with the client is an abnormal connection, thereby improving the accuracy of detecting full-connection attacks.
  • FIG. 8 is a schematic structural diagram of an abnormal connection detecting apparatus according to Embodiment 8 of the present invention.
  • The abnormal connection detecting apparatus in this embodiment adds a judging module 115 to the apparatus shown in FIG. 7.
  • The transceiver module 111 includes a first transceiver sub-module 1111 and a second transceiver sub-module 1112, and the judging module 115 includes a first judging sub-module 1151 and a second judging sub-module 1152, wherein:
  • the first transceiver sub-module 1111 is configured to receive a connection request message sent by the client, where the connection request message carries the client port number information and the client address information;
  • a first judging sub-module 1151 configured to determine, according to the set record table, whether the protocol type of the connection request message is included in the protocol type to be detected, and if yes, triggering the second judging sub-module 1152, otherwise triggering the first processing module 116 ;
  • the protocol type of the connection request message can be obtained by parsing the client port number information carried in the connection request message.
  • the set record table contains protocol type information to be detected, trusted client address information, and untrusted client address information.
  • the second judging sub-module 1152 is configured to determine, according to the address information in the configured record table, whether the client address information is included; if yes, the first processing module 116 is triggered, otherwise the second transceiver sub-module 1112 is triggered;
  • The record table stores trusted client address information and untrusted (or malicious) client address information; trusted client address information is address information that has passed verification, and untrusted client address information is address information that has failed verification.
  • the record table may include a whitelist and/or a blacklist. The whitelist stores trusted client address information, and the blacklist stores malicious client address information.
  • the second transceiver sub-module 1112 is configured to establish a TCP connection with the client and to trigger the detecting module 112;
  • The abnormal connection detecting apparatus establishes the TCP connection with the client in place of the server, thereby starting the full verification process for the client.
  • the detecting module 112 is configured to detect whether a data packet sent by the client is received within the set time; if yes, it triggers the verifying module 113, otherwise it triggers the identifying module 114;
  • After the abnormal connection detecting apparatus establishes a TCP connection with the client, a normally behaving client sends a data packet to the apparatus. Therefore, the detecting module 112 can make an initial determination of whether the TCP connection is an abnormal connection by detecting whether a data packet sent by the client is received within the set time.
  • the verifying module 113 is configured to verify, according to the protocol packet, the data packet sent by the client within the set time;
  • Verifying the data packet according to the protocol packet may consist of verifying whether the content of the data packet is consistent with the protocol packet: if consistent, verification succeeds; if inconsistent, verification fails.
  • the identifying module 114 is configured to identify, according to the verification result of the verifying module 113 and the detection result of the detecting module 112, whether the TCP connection is an abnormal connection, and to trigger the second processing module 117;
  • Specifically, when the detection result of the detecting module 112 is that no data packet is received within the set time, the TCP connection is identified as an abnormal connection; when the verification result of the verifying module 113 is failure, the TCP connection is identified as an abnormal connection; when the verification result of the verifying module 113 is success, the TCP connection is identified as a normal connection.
  • the first processing module 116 is configured to process the connection request message according to the determination result of the first judging sub-module 1151 and the determination result of the second judging sub-module 1152;
  • Specifically, when the first judging sub-module 1151 determines that the protocol type of the connection request message is not among the protocol types to be detected, the connection request message is sent to the server so that the server establishes a TCP connection with the client; when the second judging sub-module 1152 determines from the configured record table that the client address information is trusted client address information, the connection request message is likewise sent to the server so that the server establishes a TCP connection with the client; when the second judging sub-module 1152 determines from the configured record table that the client address information is malicious client address information, the client's connection request message is rejected.
  • the second processing module 117 is configured to store the client address information in the configured record table and disconnect the TCP connection when the identifying module 114 identifies the TCP connection as a normal connection, and to store the client address information in the configured record table and discard the TCP connection when the identifying module 114 identifies the TCP connection as an abnormal connection.
  • Specifically, when the TCP connection is identified as a normal connection, an RST message may be returned to the client to tear down the TCP connection with the client (the client then reconnects and, its address now being trusted, is forwarded to the server); when the TCP connection is identified as an abnormal connection, the TCP connection is discarded, thereby protecting the server from the client's full-connection attack.
  • The judging module 115 may also include only the second judging sub-module 1152.
  • the first processing module 116 and the second processing module 117 can be one module.
  • The detecting module 112 can further detect whether a data packet sent by the client is received within the silent time. If a data packet is received within the silent time, the detecting module 112 sends that detection result to the identifying module 114, which identifies the TCP connection as an abnormal connection; if no data packet is received within the silent time, the detecting module 112 sends that detection result to the transceiver module 111, which sends the version data packet to the client, after which the detecting module 112 detects whether a data packet sent by the client is received within the set time.
  • In this embodiment, the abnormal connection detecting apparatus detects whether a data packet sent by the client is received within a set time and verifies a data packet received within the set time according to the protocol packet. When the client launches a full-connection attack against the server, the abnormal connection detecting apparatus can recognize that the TCP connection established with the client is an abnormal connection, thereby improving the accuracy of detecting full-connection attacks.
  • The protocol types to be detected include the HTTP, HTTPS, FTP, FTPS or SSH protocol types.
  • The abnormal connection detecting apparatus in the embodiments of the present invention may be deployed on its own or built into various gateway devices, such as a firewall, an anti-DDoS device, a unified threat management (UTM) device or an intrusion prevention system (IPS).
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).

Abstract

A method, device and gateway equipment for detecting abnormal connections is disclosed by the embodiments of the present invention. The method includes the following steps: receiving a connection request message sent by a client; establishing a TCP (Transmission Control Protocol) connection with said client; when no data packet is received from said client within a predetermined time, recognizing said TCP connection as an abnormal connection; when a data packet is received from said client within the predetermined time, validating said data packet according to protocol messages; recognizing said TCP connection as a normal connection if the validation succeeds, and as an abnormal connection if the validation fails. The embodiments of the present invention make it possible to recognize the TCP connections established with a client as abnormal connections when said client initiates full-connection attacks against a server, thus improving the accuracy rate for detecting full-connection attacks.

Description

Method, device and gateway device for detecting abnormal connections. This application claims priority to Chinese patent application No. 200910151032.0, filed with the Chinese Patent Office on June 29, 2009 and entitled "Method, device and gateway device for detecting abnormal connections", the entire contents of which are incorporated herein by reference.
Technical Field

The present invention relates to the field of information security, and in particular to a method, device and gateway device for detecting abnormal connections.
Background Art
A distributed denial of service (DDoS) attack uses seemingly legitimate service requests to occupy excessive server resources, so that the server cannot process the requests of legitimate users. The TCP full-connection attack, one form of DDoS attack, uses many zombie hosts to continuously establish large numbers of TCP connections with a server until the server's connection, memory and other resources are exhausted, causing a denial of service in which the server cannot handle the requests of legitimate users. The distinguishing feature of the TCP full-connection attack is that it can bypass the protection of an ordinary firewall and still achieve its aim: unlike a SYN flood, every connection completes a genuine three-way handshake from a reachable source address. An ordinary network service system can accept only a limited number of TCP connections, so under a TCP full-connection attack website access becomes very slow or even impossible.

To detect full-connection attacks, the prior art uses a connection-count threshold method. A firewall or DDoS detection device usually checks the total number of connections to the protected server; if the total exceeds the connection-count threshold, the TCP connections are considered abnormal, that is, a full-connection attack is deemed to exist. Specifically, the connection check module in the firewall or DDoS detection device inspects the TCP connections in the traffic to be protected, counts the handshake-success packets after the TCP three-way handshake completes, and derives a statistic when the set time period has elapsed; when the statistic exceeds the connection-count threshold, the TCP connections are identified as abnormal connections, that is, a full-connection attack.
In the course of implementing the present invention, the inventors found that normal access traffic varies over time: when normal traffic grows, the number of TCP connections in the traffic grows with it, and when the number of TCP connections within a period exceeds the connection-count threshold, normal TCP connections are identified as abnormal connections, that is, judged to be a full-connection attack, producing false positives for full-connection attacks.

Summary of the Invention
The object of the present invention is to provide a method, device and gateway device for detecting abnormal connections that can improve the accuracy of detecting full-connection attacks.
An embodiment of the present invention provides a method for detecting an abnormal connection, including:
receiving a connection request message sent by a client;
establishing a TCP connection with the client;
when no data packet sent by the client is received within a set time, identifying the TCP connection as an abnormal connection;
when a data packet sent by the client is received within the set time, verifying the data packet according to a protocol packet, and identifying the TCP connection as a normal connection if the verification succeeds or as an abnormal connection if the verification fails.
An embodiment of the present invention further provides a device for detecting an abnormal connection, including:
a transceiver module, configured to receive a connection request message sent by a client and establish a TCP connection with the client;
a detecting module, configured to detect whether a data packet sent by the client is received within a set time;
a verifying module, configured to verify the data packet according to a protocol packet when the detection result of the detecting module is that a data packet sent by the client is received within the set time;
an identifying module, configured to identify the TCP connection as an abnormal connection when the detection result of the detecting module is that no data packet sent by the client is received within the set time, to identify the TCP connection as a normal connection when the verifying module verifies the data packet successfully, and to identify the TCP connection as an abnormal connection when the verifying module fails to verify the data packet.

An embodiment of the present invention provides a gateway device that includes the above device for detecting an abnormal connection.

In the technical solution of the embodiments of the present invention, whether a data packet sent by the client is received is detected within a set time, and a data packet received within the set time is verified according to a protocol packet. When the client launches a full-connection attack against the server, the TCP connection established with the client can be identified as an abnormal connection, which improves the accuracy of detecting full-connection attacks.
Brief Description of the Drawings
To explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a flowchart of a method for detecting an abnormal connection according to Embodiment 1 of the present invention;
FIG. 2 is a flowchart of a method for detecting an abnormal connection according to Embodiment 2 of the present invention;
FIG. 3 is a flowchart of a method for detecting an abnormal connection according to Embodiment 3 of the present invention;
FIG. 4 is a flowchart of a method for detecting an abnormal connection according to Embodiment 4 of the present invention;
FIG. 5 is a flowchart of a method for detecting an abnormal connection according to Embodiment 5 of the present invention;
FIG. 6 is a flowchart of a method for detecting an abnormal connection according to Embodiment 6 of the present invention;
FIG. 7 is a schematic structural diagram of a device for detecting an abnormal connection according to Embodiment 7 of the present invention;
FIG. 8 is a schematic structural diagram of a device for detecting an abnormal connection according to Embodiment 8 of the present invention.
Detailed Description of the Embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

FIG. 1 is a flowchart of a method for detecting an abnormal connection according to Embodiment 1 of the present invention. As shown in FIG. 1, the method includes:
Step 101: Receive a connection request message sent by the client. Specifically, the connection request message may be a SYN message; the SYN (synchronize) message is the handshake signal used when a TCP/IP connection is established.

Step 102: Establish a TCP connection with the client. Specifically, after the SYN message sent by the client is received, a SYN-ACK message is returned to the client, and the client then sends an ACK message in reply, which completes the establishment of the TCP connection. The SYN-ACK message is the reply to the SYN message, and the ACK message is the response to the SYN-ACK message. In this step the SYN message is not forwarded to the server after it is received; instead, the TCP connection is established with the client.

Step 103: Detect whether a data packet sent by the client is received within a set time; if yes, perform step 104, otherwise perform step 106. The set time may be any preset time period.
Step 104: Verify the data packet according to a protocol packet; if the verification succeeds, perform step 105, and if it fails, perform step 106.

In this embodiment the protocol packet may, depending on the application, be an http protocol packet, an ftp protocol packet, an ssh protocol packet, and so on. Specifically, whether the content of the data packet is consistent with the protocol packet type can be verified: if the content of the data packet is consistent with the protocol packet type, verification succeeds; if it is inconsistent, verification fails.
Step 105: Identify the TCP connection as a normal connection. If verification succeeds, the received data packet is considered a normal data packet and the TCP connection a normal connection, that is, the client is not launching a full-connection attack on the server.

Step 106: Identify the TCP connection as an abnormal connection. If no data packet at all is received within the set time, the TCP connection is identified as an abnormal connection, that is, the client is launching a full-connection attack on the server.
In the technical solution of this embodiment, whether a data packet sent by the client is received is detected within a set time, and a data packet received within the set time is verified according to a protocol packet. When the client launches a full-connection attack against the server, the TCP connection established with the client can be identified as an abnormal connection, which improves the accuracy of detecting full-connection attacks.
FIG. 2 is a flowchart of a method for detecting an abnormal connection according to Embodiment 2 of the present invention. As shown in FIG. 2, the method includes:

Step 201: Receive a connection request message sent by the client, where the connection request message carries client address information.

The steps in this embodiment may be performed by a device for detecting an abnormal connection; specifically, when the client sends a connection request message to the server, the device for detecting an abnormal connection receives the connection request message.

Step 202: Determine whether the configured record table includes the client address information; if yes, perform step 208, otherwise perform step 203.
The record table stores trusted client address information and untrusted (or malicious) client address information; trusted client address information is address information that has passed verification, and untrusted client address information is address information that has failed verification. In practice the record table may include a whitelist and a blacklist: the whitelist stores trusted client address information and the blacklist stores malicious client address information.
Step 203: Establish a TCP connection with the client. Specifically, after the device for detecting an abnormal connection receives the connection request message sent by the client, if it determines from the configured record table that the client address information carried in the connection request message is unknown address information, the device establishes a TCP connection with the client in place of the server.

Step 204: Detect whether a data packet sent by the client is received within the set time; if yes, perform step 205, otherwise perform step 207. Specifically, in the case of a normal connection, after the device for detecting an abnormal connection has established a TCP connection with the client, the client sends a data packet to the device; the device can therefore make an initial determination of whether the TCP connection is an abnormal connection by detecting whether a data packet sent by the client is received within the set time.
Step 205: Verify the data packet according to a protocol packet; if the verification succeeds, perform step 206, and if it fails, perform step 207. Specifically, verifying the data packet according to the protocol packet may consist of verifying whether the content of the data packet is consistent with the protocol packet: if consistent, verification succeeds; if inconsistent, verification fails.

Step 206: Identify the TCP connection as a normal connection, store the client address information in the configured record table, and disconnect the TCP connection established with the client; the procedure ends. Specifically, the client address information is stored among the trusted client address information in the record table.

Step 207: Identify the TCP connection as an abnormal connection, store the client address information in the configured record table, and discard the TCP connection; the procedure ends. Specifically, the client address information is stored among the malicious client address information in the record table.

Step 208: Allow or refuse the client to establish a TCP connection with the server; the procedure ends.

Specifically, when it is determined that the trusted client address information includes the client address information, that is, the client address information is trusted, the client is allowed to establish a TCP connection with the server: the device for detecting an abnormal connection forwards the connection request message sent by the client to the server so that the client and the server establish a TCP connection. When it is determined that the malicious client address information includes the client address information, that is, the client address information is malicious, the client is refused a TCP connection with the server: the device for detecting an abnormal connection rejects the client's connection request, thereby protecting the server from the TCP full-connection attack.
本实施例的技术方案中,在设定时间内检测是否接收到客户端发送的数据 包, 并根据协议报文对在设定时间内接收的数据包进行验证, 当该客户端向服 务器发起全连接攻击时,能够及时识别出与该客户端建立的 TCP连接为异常连 接, 从而提高了检测全连接攻击的准确率和实时性。  In the technical solution of the embodiment, it is detected whether the data packet sent by the client is received within the set time, and the data packet received within the set time is verified according to the protocol packet, when the client initiates the full message to the server. When the connection is attacked, the TCP connection established with the client is recognized as an abnormal connection in time, thereby improving the accuracy and real-time performance of detecting the full connection attack.
FIG. 3 is a flowchart of a method for detecting an abnormal connection according to Embodiment 3 of the present invention. As shown in FIG. 3, the method includes:
Step 301: Receive a connection request message sent by the client, the connection request message carrying port information and client address information. Each step in this embodiment may be performed by an abnormal connection detection device.
Depending on the application protocol, the port information may be an HTTPS port or the like, and it may be the default port information or user-defined port information. The client address information may be the IP address information of the client.
Step 302: Parse the protocol type from the port information carried in the connection request message. For example, the abnormal connection detection device detects from the port information that the port is an HTTPS port and can thus determine that the data packet is of the HTTPS protocol type. HTTPS is a network protocol built from SSL together with HTTP that provides encrypted transmission and identity authentication. SSL is a protocol that encrypts and decrypts data over a secure connection between a client and an SSL-capable server.
Step 303: Query whether the pre-configured protocol types to be detected include the identified protocol type; if yes, perform step 304, otherwise perform step 313;
Specifically, since the pre-configured protocol types to be detected may include one or more protocols, it can be queried whether the identified protocol type of the data packet falls within the range to be detected.
Step 304: Determine whether the configured whitelist and blacklist include the client address information. If neither the whitelist nor the blacklist includes the client address information, perform step 305; if the whitelist includes the client address information, perform step 313; if the blacklist includes the client address information, perform step 314;
Specifically, to improve detection quality, a whitelist and a blacklist may be configured at the same time. The client address information configured in the whitelist is client address information that is allowed through; the client address information configured in the blacklist is client address information that is refused. Of course, those skilled in the art will understand that configuring both a whitelist and a blacklist is only a preferred implementation; it is also possible to configure only a whitelist or only a blacklist.
Step 305: Establish a TCP connection with the client, and proceed to step 306;
Step 306: Detect whether a data packet sent by the client is received within the set time; if yes, perform step 307, otherwise perform step 310;
Step 307: Verify the data packet according to the protocol message; if the verification succeeds, perform step 308; if the verification fails, perform step 310;
Specifically, it may be verified whether the content of the data packet is consistent with the protocol message: if the content of the data packet is consistent with the protocol message, the verification succeeds; if the content of the data packet is inconsistent with the protocol message, the verification fails.
Step 308: Identify the TCP connection as a normal connection, and proceed to step 309;
Step 309: Add the client address information to the whitelist, send a disconnect message to the client, and the process ends.
The disconnect message may be an RST message.
Step 310: Identify the TCP connection as an abnormal connection, and proceed to step 311;
Step 311: Discard the TCP connection, release the resources occupied by the TCP connection, and proceed to step 312;
Step 312: Add the client address information to the blacklist, and the process ends.
Step 313: Allow the client to establish a TCP connection with the server, and the process ends.
Step 314: Deny the client a TCP connection with the server, and the process ends.
It can be understood that in this embodiment, after the TCP connection has been identified as an abnormal connection, step 312 (adding the client address information to the blacklist) may be performed first, and step 311 (discarding the TCP connection and releasing the resources it occupies) afterwards.
In this embodiment, after the TCP connection has been identified as an abnormal connection, it is also possible to perform only step 311, discarding the TCP connection and releasing the resources it occupies, without performing step 312, that is, without adding the client address information to the blacklist. Alternatively, only a whitelist may be configured and no blacklist, in which case the blacklisting of step 312 is not performed after step 311. In either case, when the same client again requests a TCP connection, each step of this embodiment has to be performed again in order to identify that client's TCP connection as an abnormal connection. The abnormal connection detection device then has to establish TCP connections with the client over and over and repeat the process of detecting that the TCP connection is abnormal; in effect, the abnormal connection detection device absorbs the client's full-connection attack in place of the server.
In the technical solution of this embodiment, whether a data packet sent by the client is received within the set time is detected, and a data packet received within the set time is verified against the protocol message. When the client launches a full-connection attack against the server, the TCP connection established with that client can be identified in time as an abnormal connection, which improves the accuracy and timeliness of detecting full-connection attacks.
FIG. 4 is a flowchart of a method for detecting an abnormal connection according to Embodiment 4 of the present invention. This embodiment mainly applies to the case where the protocol type is the FTPS protocol. As shown in FIG. 4, the method includes:
Step 401: Receive a connection request message sent by the client, the connection request message carrying port information and client address information;
Each step in this embodiment may be performed by an abnormal connection detection device.
Step 402: Parse the protocol type from the port information carried in the connection request message. Specifically, in this embodiment the protocol type is the FTPS protocol type. FTPS is an enhanced FTP protocol that uses the standard FTP protocol and commands over the Secure Sockets Layer, adding SSL security to the FTP protocol and its data channel. FTPS is also called "FTP-SSL" and "FTP-over-SSL".
Step 403: Query whether the pre-configured protocol types include the identified protocol type; if yes, perform step 404, otherwise perform step 415;
Step 404: Determine whether the configured whitelist and blacklist include the client address information. If neither the whitelist nor the blacklist includes the client address information, perform step 405; if the whitelist includes the client address information, perform step 415; if the blacklist includes the client address information, perform step 416;
Step 405: Establish a TCP connection with the client;
Step 406: Detect whether a data packet sent by the client is received during the silent time; if yes, perform step 412, otherwise perform step 407;
The silent time may be any configured length of time. Under the FTPS protocol type, after a TCP connection has been established with the client, a normal client does not actively send any data packet to the abnormal connection detection device during the configured silent time. Therefore, detecting in this step whether a data packet sent by the client is received during the silent time also makes it possible to judge whether the client that sent the packet is a trusted client.
Step 407: Send a version data packet to the client, and proceed to step 408;
Specifically, under the FTPS protocol type, the client does not send data packets to the peer device (the peer device with which the client established the TCP connection) during the configured silent time; only after receiving the version data packet sent by the peer device does it send data packets to the peer device according to that version data packet. In this embodiment, if the client is to send a data packet to the abnormal connection detection device, it must first receive the FTPS version data packet sent by the abnormal connection detection device.
Step 408: Detect whether a data packet sent by the client is received within the set time; if yes, perform step 409; otherwise, perform step 412;
Specifically, after the abnormal connection detection device has sent the version data packet to the client, it detects whether a data packet sent by the client is received within the set time; if yes, step 409 is performed; otherwise, step 412 is performed.
Step 409: Verify the data packet according to the protocol message; if the verification succeeds, perform step 410; if the verification fails, perform step 412;
Specifically, it may be verified whether the content of the data packet is consistent with the protocol message: if the content of the data packet is consistent with the protocol message, the verification succeeds; if the content of the data packet is inconsistent with the protocol message, the verification fails.
Step 410: Identify the TCP connection as a normal connection, and proceed to step 411;
Step 411: Add the client address information to the whitelist, send a disconnect message to the client, and the process ends.
The disconnect message may be an RST message.
Step 412: Identify the TCP connection as an abnormal connection, and proceed to step 413;
Step 413: Discard the TCP connection, release the resources occupied by the TCP connection, and perform step 414;
Step 414: Add the client address information to the blacklist, and the process ends.
Step 415: Allow the client to establish a TCP connection with the server, and the process ends.
Step 416: Deny the client a TCP connection with the server, and the process ends.
In the technical solution of this embodiment, whether a data packet sent by the client is received within the set time is detected, and a data packet received within the set time is verified against the protocol message. When the client launches a full-connection attack against the server, the TCP connection established with that client can be identified in time as an abnormal connection, which improves the accuracy and timeliness of detecting full-connection attacks.
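The decision flow of Embodiments 3 and 4 above, simulated offline, as an added example for this page (it is not the patent's own implementation). The device completes the handshake itself, waits the set time for the client's first packet (or, for a server-speaks-first protocol such as FTPS, first requires silence for the silent time, then sends the version packet and waits the set time), verifies the packet, and updates the whitelist or blacklist that gates the next connection request. The class and field names, the time values, the verifier stand-ins and the sample packets are assumptions made for the illustration.

```python
"""Decision flow of the abnormal connection detection device in Embodiments 3 and 4,
simulated offline.  Example code added for this page, not the patent's own
implementation; names, time values and sample packets are assumptions."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Packet = Tuple[float, bytes]            # (seconds after the handshake completed, payload)


@dataclass
class Config:
    set_time: float                     # window for the client's first packet (steps 306 / 408)
    silent_time: float                  # window in which a normal FTPS client stays quiet (406)
    port_to_protocol: Dict[int, str]    # protocol type parsed from the port information (302 / 402)
    detected: Set[str]                  # pre-configured protocol types to detect (303 / 403)
    server_first: Set[str]              # protocols where the device must send a version packet first
    verifiers: Dict[str, Callable[[bytes], bool]]   # "is the packet consistent with the protocol message?"


@dataclass
class Device:
    cfg: Config
    whitelist: Set[str] = field(default_factory=set)
    blacklist: Set[str] = field(default_factory=set)

    def on_connection_request(self, client_ip: str, port: int) -> str:
        """Steps 301-305 (401-405): what to do with a connection request before any handshake."""
        proto = self.cfg.port_to_protocol.get(port)
        if proto is None or proto not in self.cfg.detected:
            return "forward"            # step 313 / 415: protocol not under detection
        if client_ip in self.whitelist:
            return "forward"            # step 313 / 415
        if client_ip in self.blacklist:
            return "reject"             # step 314 / 416
        return "probe"                  # step 305 / 405: complete the handshake ourselves

    def probe(self, client_ip: str, port: int, packets: List[Packet]) -> str:
        """Steps 306-312 (406-414), run once the device holds the TCP connection.
        `packets` is the client's traffic after the handshake (constructed for the
        simulation); returns "normal" or "abnormal" and updates the lists."""
        proto = self.cfg.port_to_protocol[port]
        verify = self.cfg.verifiers[proto]
        packets = sorted(packets)
        if proto in self.cfg.server_first:
            # Embodiment 4: any packet inside the silent time is itself abnormal (406 -> 412).
            if any(t <= self.cfg.silent_time for t, _ in packets):
                return self._abnormal(client_ip)
            # Step 407: the version packet goes out when the silent time ends; step 408
            # then waits set_time for the client's reply.
            sent_at = self.cfg.silent_time
            window = [d for t, d in packets if sent_at < t <= sent_at + self.cfg.set_time]
        else:
            # Embodiment 3: a normal client speaks first, within set_time (306).
            window = [d for t, d in packets if t <= self.cfg.set_time]
        if not window:
            return self._abnormal(client_ip)     # handshake completed, then silence: 310 / 412
        if verify(window[0]):                    # 307 / 409
            self.whitelist.add(client_ip)        # 308-309 / 410-411; the device then sends RST
            return "normal"
        return self._abnormal(client_ip)

    def _abnormal(self, client_ip: str) -> str:
        # 310-312 / 412-414: discard the connection, free its resources, blacklist the source.
        self.blacklist.add(client_ip)
        return "abnormal"


def demo_config() -> Config:
    # Constructed configuration; the verifiers are deliberately simple stand-ins for the
    # protocol-message comparison the page describes.
    return Config(
        set_time=5.0,
        silent_time=2.0,
        port_to_protocol={443: "HTTPS", 21: "FTPS"},
        detected={"HTTPS", "FTPS"},
        server_first={"FTPS"},
        verifiers={
            "HTTPS": lambda d: d[:1] == b"\x16",              # TLS handshake record type
            "FTPS": lambda d: d.upper().startswith(b"USER "),  # FTP USER command
        },
    )


def run_demo() -> Dict[str, str]:
    """Four constructed clients through the flow; returns each one's outcome."""
    dev = Device(demo_config())
    out = {}
    # 1. Browser on 443: ClientHello 0.3 s after the handshake -> normal, whitelisted.
    assert dev.on_connection_request("198.51.100.10", 443) == "probe"
    out["browser"] = dev.probe("198.51.100.10", 443, [(0.3, b"\x16\x03\x01\x00\x2f")])
    # 2. Flood source on 443: completes the handshake and never sends data -> abnormal.
    out["idle_flood"] = dev.probe("198.51.100.11", 443, [])
    # 3. FTPS client that waits for the version packet and then logs in -> normal.
    out["ftps_ok"] = dev.probe("198.51.100.12", 21, [(2.4, b"USER alice\r\n")])
    # 4. Client on the FTPS port that sends data during the silent time -> abnormal.
    out["ftps_early"] = dev.probe("198.51.100.13", 21, [(0.1, b"USER alice\r\n")])
    # Later connection requests from the same sources are decided by the lists alone.
    out["browser_again"] = dev.on_connection_request("198.51.100.10", 443)
    out["idle_flood_again"] = dev.on_connection_request("198.51.100.11", 443)
    out["untracked_port"] = dev.on_connection_request("198.51.100.11", 22)  # not a detected protocol
    return out
```

Note that a source that was blacklisted on port 443 is still forwarded on port 22 in the last call: the lists are only consulted for protocol types under detection, exactly as steps 303/304 order the checks. Whether that is the behaviour you want in a deployment is a configuration decision.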
The application of the abnormal connection detection method of the present invention to the HTTPS protocol is described in detail below through a specific embodiment. HTTPS is a network protocol built from SSL together with HTTP that provides encrypted transmission and identity authentication. In this embodiment the client is an HTTPS client and the server is an HTTPS server, and the process described mainly covers performing full-connection attack detection on a connection request sent by the client and finding the established TCP connection to be a normal connection. The full-connection attack detection in this embodiment may be performed by an abnormal connection detection device, which may be deployed on its own or be provided in a gateway device; this embodiment therefore describes the abnormal connection detection method using a gateway device that includes the abnormal connection detection device as an example. FIG. 5 is a flowchart of a method for detecting an abnormal connection according to Embodiment 5 of the present invention. As shown in FIG. 5, the method includes:
Step 501: The client sends a SYN message to the gateway device, the SYN message carrying the HTTPS port information and the IP address of the HTTPS client;
Step 502: The gateway device parses the protocol type from the HTTPS port information carried in the SYN message as the HTTPS protocol, and finds by query that the pre-configured protocol types include the HTTPS protocol;
That is, the identified HTTPS protocol falls within the range for which full-connection attack detection is required.
The HTTPS port information may be the default port 443, or user-defined port information may be used.
Step 503: The gateway device determines that neither the configured whitelist nor the blacklist includes the client's IP address information;
Step 504: The gateway device sends a SYN-ACK message to the HTTPS client;
Step 505: The HTTPS client returns an ACK message to the gateway device;
The HTTPS client thereby establishes a TCP connection with the gateway device.
Step 506: Add the IP address of the HTTPS client to the aging table and set an aging time; this aging time is the set time;
Step 507: The gateway device receives a data packet sent by the HTTPS client within the aging time;
Step 508: The gateway device verifies the data packet against the HTTPS protocol message, and the verification succeeds; the HTTPS protocol message may be the Hello message of the HTTPS protocol. The gateway device can verify the received data packet against the Hello message: if the data packet is consistent with the Hello message, the verification succeeds; if the data packet is inconsistent with the Hello message, the verification fails. In other words, when the verification succeeds, the data packet sent by the HTTPS client is the Hello message.
Step 509: The gateway device identifies the TCP connection as a normal connection, and adds the address information of the HTTPS client to the whitelist;
Step 510: The gateway device returns an RST message to the HTTPS client to disconnect the TCP connection with the HTTPS client;
Step 511: The HTTPS client sends a SYN message to the HTTPS server through the gateway device; the gateway device finds by query that the whitelist includes the client IP address carried in the SYN message, and therefore forwards the SYN message to the HTTPS server.
Step 512: The HTTPS server sends a SYN-ACK message to the HTTPS client through the gateway device;
Step 513: The HTTPS client returns an ACK message to the HTTPS server through the gateway device, thereby establishing a TCP connection with the HTTPS server;
Step 514: The HTTPS client performs HTTPS data transmission with the HTTPS server through the gateway device.
In this embodiment, if the gateway device verifies the data packet against the HTTPS protocol message and the verification fails, it identifies the TCP connection as an abnormal connection and adds the client's IP address to the blacklist; when that HTTPS client sends a SYN message to the HTTPS server again, the gateway device refuses to let the HTTPS client establish a TCP connection with the HTTPS server.
The application of the abnormal connection detection method of the present invention to the FTPS protocol is described in detail below through a specific embodiment. In this embodiment the client is an FTPS client and the server is an FTPS server, and the process described mainly covers performing full-connection attack detection on a connection request sent by the client and finding the established TCP connection to be a normal connection. The full-connection attack detection in this embodiment may be performed by an abnormal connection detection device, which may be deployed on its own or be provided in a gateway device; this embodiment therefore describes the abnormal connection detection method using a gateway device that includes the abnormal connection detection device as an example. FIG. 6 is a flowchart of a method for detecting an abnormal connection according to Embodiment 6 of the present invention. As shown in FIG. 6, the method includes:
Step 601: The FTPS client sends a SYN message to the gateway device, the SYN message carrying the FTPS port information and the IP address of the FTPS client;
Step 602: The gateway device parses the protocol type from the FTPS port information carried in the SYN message as the FTPS protocol, and finds by query that the pre-configured protocol types include the FTPS protocol;
That is, the identified FTPS protocol falls within the range for which full-connection attack detection is required.
The FTPS port information may be the default port 21, or user-defined port information may be used.
Step 603: The gateway device determines that neither the configured whitelist nor the blacklist includes the client's IP address information;
Step 604: The gateway device sends a SYN-ACK message to the FTPS client;
Step 605: The FTPS client returns an ACK message to the gateway device;
The FTPS client thereby establishes a TCP connection with the gateway device.
Step 606: The gateway device adds the IP address of the FTPS client to the aging table and sets an aging time; this aging time is the silent time;
Step 607: The gateway device detects that no data packet sent by the FTPS client is received during the aging time;
Step 608: The gateway device sends the version data packet ftp version to the FTPS client; ftp version is a data packet of the FTPS protocol;
Step 609: The gateway device has a pre-configured set time;
Step 610: The gateway device receives a data packet sent by the FTPS client within the set time;
Step 611: The gateway device verifies the data packet against the FTPS protocol message, and the verification succeeds; the FTPS protocol message is the USER Command message of the FTPS protocol;
The gateway device can verify the received data packet against the USER Command message: if the data packet is consistent with the USER Command message, the verification succeeds; if the data packet is inconsistent with the USER Command message, the verification fails. In other words, when the verification succeeds, the data packet sent by the FTPS client is the USER Command message.
Step 612: The gateway device identifies the TCP connection as a normal connection, and adds the address information of the FTPS client to the whitelist;
Step 613: The gateway device returns an RST message to the FTPS client to disconnect the TCP connection with the FTPS client;
Step 614: The FTPS client sends a SYN message to the FTPS server through the gateway device; the gateway device finds by query that the whitelist includes the client IP address carried in the SYN message, and therefore forwards the SYN message to the FTPS server.
Step 615: The FTPS server sends a SYN-ACK message to the FTPS client through the gateway device;
Step 616: The FTPS client returns an ACK message to the FTPS server through the gateway device, thereby establishing a TCP connection with the FTPS server;
Step 617: The FTPS client performs FTPS data transmission with the FTPS server through the gateway device.
In this embodiment, if the gateway device verifies the data packet against the FTPS protocol message and the verification fails, it identifies the TCP connection as an abnormal connection and adds the client's IP address to the blacklist; when that FTPS client sends a SYN message to the FTPS server again, the gateway device refuses to let the FTPS client establish a TCP connection with the FTPS server.
In this embodiment, if the gateway device detects that a data packet sent by the FTPS client is received during the aging time (that is, the silent time), the gateway device identifies the TCP connection as an abnormal connection and adds the client's IP address to the blacklist; when that FTPS client sends a SYN message to the FTPS server again, the gateway device refuses to let the FTPS client establish a TCP connection with the FTPS server.
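The verification step of Embodiments 5 and 6 (steps 508 and 611) compares the client's first packet with the protocol message: the Hello message for HTTPS, the USER Command message for FTPS. Below is an added example of what such a comparison can look like at the byte level; it is example code written for this page, not the patent's implementation. The structural checks are assumptions drawn from the TLS record and handshake layout and from FTP command syntax, and the sample ClientHello is constructed here.

```python
"""Protocol-message checks for the verification step of Embodiments 5 and 6: is the
client's first packet the TLS Hello message (HTTPS) or the USER command (FTPS)?
Example code added for this page, not the patent's own; the byte-level checks are
assumptions drawn from the TLS record/handshake layout and FTP command syntax, and
the sample packets are constructed."""

import struct
from typing import Callable, Dict

TLS_HANDSHAKE = 22          # record content type
CLIENT_HELLO = 1            # handshake message type


def is_tls_client_hello(pkt: bytes) -> bool:
    """Structural check: handshake record, 3.x version, first handshake message is
    client_hello, and the declared lengths are mutually consistent.  The record may
    continue in a later TCP segment, so only the headers are required to be present."""
    if len(pkt) < 11:
        return False
    ctype, major, _minor, rec_len = struct.unpack("!BBBH", pkt[:5])
    if ctype != TLS_HANDSHAKE or major != 3:
        return False
    hs_type = pkt[5]
    hs_len = int.from_bytes(pkt[6:9], "big")
    if hs_type != CLIENT_HELLO or hs_len + 4 > rec_len:
        return False
    body_major = pkt[9]     # legacy_version of the ClientHello body
    return body_major == 3


def is_ftp_user_command(pkt: bytes) -> bool:
    """Structural check: exactly one command line 'USER <name>\\r\\n' with a
    non-empty, printable user name and no embedded whitespace."""
    if not pkt.endswith(b"\r\n") or pkt.count(b"\n") != 1:
        return False
    line = pkt[:-2]
    if len(line) <= 5 or line[:5].upper() != b"USER ":
        return False
    name = line[5:]
    return len(name) <= 128 and all(0x21 <= b <= 0x7E for b in name)


# How the checks plug into the page's "verify against the protocol message" step.
VERIFIERS: Dict[str, Callable[[bytes], bool]] = {
    "HTTPS": is_tls_client_hello,   # Embodiment 5, step 508
    "FTPS": is_ftp_user_command,    # Embodiment 6, step 611
}


def verify_first_packet(protocol: str, pkt: bytes) -> bool:
    """Step 508 / 611: succeed only if the packet is consistent with the protocol message."""
    check = VERIFIERS.get(protocol)
    return bool(check and check(pkt))


def build_sample_client_hello() -> bytes:
    """Minimal constructed TLS 1.2 ClientHello: one cipher suite, no extensions."""
    body = (b"\x03\x03" + bytes(32)      # legacy_version, random (zeros: constructed sample)
            + b"\x00"                    # session_id length 0
            + b"\x00\x02\x13\x01"        # cipher_suites: one suite
            + b"\x01\x00"                # compression_methods: null
            + b"\x00\x00")               # extensions length 0
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake
```

A plaintext HTTP request arriving on the HTTPS port fails the first check at the record type byte, and a ServerHello or alert record fails it too, so "consistent with the Hello message" is a real test rather than a "did any bytes arrive" test. The FTP check accepts the command regardless of letter case, which FTP command syntax permits, but rejects a packet carrying more than one line.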
图 7为本发明实施例七提供的异常连接的检测装置的结构示意图, 如图 7 所示, 异常连接的检测装置包括收发模块 111、 检测模块 112、 验证模块 11 3 和识別模块 114, 其中:  FIG. 7 is a schematic structural diagram of an abnormal connection detecting apparatus according to Embodiment 7 of the present invention. As shown in FIG. 7, the abnormal connection detecting apparatus includes a transceiver module 111, a detecting module 112, a verifying module 11 3, and an identifying module 114, wherein :
收发模块 11 1 , 用于接收客户端发送的连接请求消息, 并与该客户端建立 The transceiver module 11 1 is configured to receive a connection request message sent by the client, and establish a connection request message with the client.
TCP连接; TCP connection;
具体地,收发模块 11 1接收客户端发送的连接请求消息后向客户端发送连 接应答消息, 并接收客户端返回的应答消息, 与客户端建立 TCP连接。 其中连 接请求消息可以为 SYN消息、连接应答消息可以为 SYN-ACK消息,应答消息可 以为 ACK消息。  Specifically, the transceiver module 11 1 sends a connection request message sent by the client, sends a connection response message to the client, and receives a response message returned by the client, and establishes a TCP connection with the client. The connection request message may be a SYN message, the connection response message may be a SYN-ACK message, and the response message may be an ACK message.
检测模块 112 , 用于在设定时间内检测是否接收到客户端发送的数据包; 具体地,检测模块 112会将检测出接收到客户端发送的数据包的检测结果 发送给验证模块 113 , 或者将检测出未接收到客户端发送的数据包的检测结果 发送给识别模块 114。可以理解的是,客户端发送的数据包可以由收发模块 111 接收。  The detecting module 112 is configured to detect whether the data packet sent by the client is received in the set time; specifically, the detecting module 112 sends the detection result that detects the data packet sent by the client to the verification module 113, or The detection result of detecting that the data packet sent by the client is not received is sent to the identification module 114. It can be understood that the data packet sent by the client can be received by the transceiver module 111.
The verification module 113 is configured to verify the received data packet against the protocol packet format when the detection module 112 detects that a data packet has been received. Specifically, the verification module 113 may verify whether the content of the data packet is consistent with the protocol packet type: if the content is consistent with the protocol packet type, verification succeeds; if it is not, verification fails.
The identification module 114 is configured to identify the TCP connection as an abnormal connection when the detection result of the detection module 112 is that no data packet was received, to identify the TCP connection as a normal connection when the verification module 113 verifies the data packet successfully, and to identify the TCP connection as an abnormal connection when the verification module 113 fails to verify the data packet.
Specifically, the identification module 114 may identify the TCP connection as an abnormal connection according to the detection result of the detection module 112. It may also identify whether the TCP connection is abnormal according to the verification result of the verification module 113: when the verification module 113 reports that verification succeeded, the TCP connection is identified as a normal connection, and when it reports that verification failed, the TCP connection is identified as an abnormal connection.
In the technical solution of this embodiment, the abnormal connection detection apparatus can detect whether a data packet sent by the client is received within a set time and verify the data packet received within the set time against the protocol packet format. When the client launches a full-connection attack on the server, the apparatus can identify the TCP connection established with that client as an abnormal connection, which improves the accuracy of detecting full-connection attacks.
FIG. 8 is a schematic structural diagram of an abnormal connection detection apparatus according to Embodiment 8 of the present invention. As shown in FIG. 8, the apparatus of this embodiment adds a judging module 115, a first processing module 116 and a second processing module 117 to the embodiment of FIG. 7. Specifically, in this embodiment the transceiver module 111 includes a first transceiver sub-module 1111 and a second transceiver sub-module 1112, and the judging module 115 includes a first judging sub-module 1151 and a second judging sub-module 1152, wherein:
The first transceiver sub-module 1111 is configured to receive a connection request message sent by the client, the connection request message carrying client port number information and client address information;
The first judging sub-module 1151 is configured to judge, according to a configured record table, whether the protocol type of the connection request message is among the protocol types to be detected; if so, it triggers the second judging sub-module 1152, otherwise it triggers the first processing module 116;
Specifically, the protocol type of the connection request message can be obtained by parsing the client port number information carried in the connection request message. The configured record table contains the protocol types to be detected, trusted client address information and untrusted client address information.
The second judging sub-module 1152 is configured to judge, according to the address information in the configured record table, whether the client address information is included in the table; if so, it triggers the first processing module 116, otherwise it triggers the second transceiver sub-module 1112;
Specifically, the record table stores trusted client address information and untrusted (or malicious) client address information. Trusted client address information is that of clients that passed verification; untrusted client address information is that of clients that failed verification. In practice the record table may include a whitelist and/or a blacklist, where the whitelist stores trusted client address information and the blacklist stores malicious client address information.
The second transceiver sub-module 1112 is configured to establish a TCP connection with the client and to trigger the detection module 113;
That is, at this point the abnormal connection detection apparatus establishes the TCP connection with the client in place of the server, thereby starting the verification process for that client.
The detection module 112 is configured to detect whether a data packet sent by the client is received within the set time; if so, it triggers the verification module 113, otherwise it triggers the identification module 114;
Specifically, for a normal connection, after the abnormal connection detection apparatus establishes a TCP connection with the client, the client sends a data packet to the apparatus. The detection module 112 can therefore make a preliminary judgement of whether the TCP connection is abnormal by detecting whether a data packet sent by the client is received within the set time.
The verification module 113 is configured to verify, against the protocol packet format, the data packet sent by the client within the set time;
Specifically, verifying the data packet against the protocol packet format may consist of verifying whether the content of the data packet is consistent with the protocol packet: if it is consistent, verification succeeds, and if it is not, verification fails.
The identification module 114 is configured to identify whether the TCP connection is an abnormal connection according to the verification result of the verification module 113 and the detection result of the detection module 112, and to trigger the second processing module 117;
Specifically, when the detection result of the detection module 112 is that no data packet sent by the client was received within the set time, the TCP connection is identified as an abnormal connection; when the verification result of the verification module 113 is that verification failed, the TCP connection is identified as an abnormal connection; when the verification result of the verification module 113 is that verification succeeded, the TCP connection is identified as a normal connection.
The first processing module 116 is configured to process the connection request message according to the judgement result of the first judging sub-module 1151 and the judgement result of the second judging sub-module 1152;
Specifically, when the first judging sub-module 1151 judges according to the configured record table that the protocol type of the data packet is not a protocol type to be detected, the connection request message is forwarded to the server so that the server establishes the TCP connection with the client; when the second judging sub-module 1152 judges according to the configured record table that the client address information is trusted client address information, the connection request message is forwarded to the server so that the server establishes the TCP connection with the client; when the second judging sub-module 1152 judges according to the configured record table that the client address information is untrusted client address information, the connection request message of the client is rejected.
The second processing module 117 is configured to store the client address information in the configured record table and disconnect the TCP connection when the identification module 114 identifies the TCP connection as a normal connection, and to store the client address information in the configured record table and discard the TCP connection when the identification module 114 identifies the TCP connection as an abnormal connection.
Specifically, when the TCP connection is identified as a normal connection, an RST message may be returned to the client to terminate the client's TCP connection; when the TCP connection is identified as an abnormal connection, the TCP connection is discarded, so that the server is protected from a full-connection attack by that client.
It can be understood that the judging module 115 may also include only the second judging sub-module 1152, and that the first processing module 116 and the second processing module 117 may be a single module.
It can be understood that, for FTP-type data packets, the detection module 112 may further detect whether a data packet sent by the client is received during a silent period. If a data packet is received during the silent period, the detection module 112 sends this detection result to the identification module 114, which identifies the TCP connection as an abnormal connection; if no data packet is received during the silent period, the detection module 112 sends this result to the transceiver module 111, which sends a version data packet to the client, and the detection module 112 then detects whether a data packet sent by the client is received within the set time.
In the technical solution of this embodiment, the abnormal connection detection apparatus can detect whether a data packet sent by the client is received within a set time and verify the data packet received within the set time against the protocol packet format. When the client launches a full-connection attack on the server, the apparatus can identify the TCP connection established with that client as an abnormal connection, which improves the accuracy of detecting full-connection attacks.
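As an added example, not the patent's own code, the following Python simulates the detection flow of the apparatus described above: the record-table check on the connection request, the handshake completed by the device in place of the server, the set-time wait, the protocol-format verification including the FTP silent-period variant, and the whitelist/blacklist update with RST or drop. The port-to-protocol mapping, the format validators and the sample client packets are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed mapping from the port in the connection request to a protocol type.
# The patent derives the protocol type from the port information carried in the
# connection request; the mapping itself is an assumption of this example.
PROTO_BY_PORT = {80: "http", 21: "ftp", 22: "ssh"}

# Constructed stand-ins for "verify that the packet content is consistent with
# the protocol packet": the first client message must look like a valid
# request line (HTTP), command (FTP) or identification string (SSH).
VALIDATORS = {
    "http": re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    "ftp": re.compile(rb"^[A-Z]{3,4}( [^\r\n]*)?\r\n"),
    "ssh": re.compile(rb"^SSH-2\.0-\S+( [^\r\n]*)?\r?\n"),
}


def packet_matches_protocol(proto: str, data: bytes) -> bool:
    """Verification module: is the content consistent with the protocol format?"""
    return VALIDATORS[proto].match(data) is not None


@dataclass
class RecordTable:
    """The configured record table: monitored protocol types plus a whitelist of
    trusted and a blacklist of untrusted client addresses."""
    monitored: set
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)


def on_connection_request(table: RecordTable, client_ip: str, port: int) -> str:
    """Judging module and first processing module, applied to an incoming SYN.

    Returns "forward" (hand the request to the real server), "reject"
    (known-bad client) or "intercept" (the device completes the handshake
    itself and starts the verification stage)."""
    proto = PROTO_BY_PORT.get(port)
    if proto not in table.monitored:        # protocol type not under detection
        return "forward"
    if client_ip in table.whitelist:        # trusted: let the server serve it
        return "forward"
    if client_ip in table.blacklist:        # untrusted: refuse the request
        return "reject"
    return "intercept"


def classify_connection(proto: str, packets, set_time: float,
                        silent_time: float = 0.0) -> str:
    """Detection, verification and identification modules, run after the device
    has completed the handshake on the server's behalf.

    packets: list of (seconds since handshake, bytes) sent by the client,
    constructed for the example. Returns "normal" or "abnormal"."""
    if proto == "ftp":
        # The server speaks first in FTP, so a client that sends data during the
        # silent period is not following the protocol: abnormal.
        if any(t <= silent_time for t, _ in packets):
            return "abnormal"
        # The device now sends its version (banner) packet and starts the timer.
        window = [d for t, d in packets if silent_time < t <= silent_time + set_time]
    else:
        window = [d for t, d in packets if t <= set_time]
    if not window:                          # nothing received within the set time
        return "abnormal"
    return "normal" if packet_matches_protocol(proto, window[0]) else "abnormal"


def conclude(table: RecordTable, client_ip: str, verdict: str) -> str:
    """Second processing module: record the address and end the probe connection.

    Normal clients are whitelisted and sent an RST so their retry reaches the
    real server; abnormal clients are blacklisted and the connection is dropped."""
    if verdict == "normal":
        table.whitelist.add(client_ip)
        return "rst"
    table.blacklist.add(client_ip)
    return "drop"


def run_scenario(table: RecordTable, client_ip: str, port: int, packets,
                 set_time: float = 3.0, silent_time: float = 1.0) -> str:
    """Full flow for one connection request; returns the action taken."""
    action = on_connection_request(table, client_ip, port)
    if action != "intercept":
        return action
    verdict = classify_connection(PROTO_BY_PORT[port], packets, set_time, silent_time)
    return conclude(table, client_ip, verdict)


if __name__ == "__main__":
    table = RecordTable(monitored={"http", "ftp"})
    # Handshake completed but no data ever sent: the full-connection attack pattern.
    print(run_scenario(table, "203.0.113.5", 80, []))
    # A well-formed request arrives promptly: normal, client is whitelisted.
    print(run_scenario(table, "198.51.100.9", 80, [(0.2, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n")]))
    # The same client's retry is now forwarded straight to the server.
    print(run_scenario(table, "198.51.100.9", 80, []))
```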
The technical solution of the embodiments of the present invention can be applied to detecting full-connection attacks of multiple protocol types, including HTTP, HTTPS, FTP, FTPS or SSH.
It should be noted that the abnormal connection detection apparatus in the embodiments of the present invention may be deployed stand-alone or in various gateway devices, such as a firewall, an anti-DDoS device, a Unified Threat Management (UTM) device or an Intrusion Prevention System (IPS) device, which are not described further here.
A person of ordinary skill in the art can understand that all or part of the procedures of the above method embodiments may be implemented by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the procedures of the method embodiments described above. The storage medium may be a magnetic disk, an optical disc, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the preferred embodiments, a person of ordinary skill in the art should understand that modifications or equivalent substitutions may still be made to the technical solutions of the present invention, and that such modifications or equivalent substitutions do not cause the modified technical solutions to depart from the spirit and scope of the technical solutions of the present invention.

Claims

1. A method for detecting an abnormal connection, characterized by comprising:
receiving a connection request message sent by a client;
establishing a TCP connection with the client;
when no data packet sent by the client is received within a set time, identifying the TCP connection as an abnormal connection;
when a data packet sent by the client is received within the set time, verifying the data packet against a protocol packet format; if verification succeeds, identifying the TCP connection as a normal connection, and if verification fails, identifying the TCP connection as an abnormal connection.
2. The method according to claim 1, characterized in that verifying the data packet against the protocol packet format comprises:
verifying whether the content of the data packet is consistent with the protocol packet; if it is consistent, verification succeeds, otherwise verification fails.
3. The method according to claim 1, characterized in that the connection request message carries client address information;
and after receiving the connection request message sent by the client, the method further comprises:
judging whether a configured record table includes the client address information;
when the record table does not include the client address information, performing the step of establishing a TCP connection with the client; or,
when the record table includes the client address information: if the client address information is judged according to the record table to be trusted client address information, forwarding the client's connection request message to a server so that the client establishes a TCP connection with the server; if the client address information is judged according to the record table to be untrusted client address information, rejecting the client's connection request.
4. The method according to claim 3, characterized by further comprising:
when the TCP connection is identified as an abnormal connection, storing the client address information in the record table and discarding the TCP connection;
when the TCP connection is identified as a normal connection, storing the client address information in the record table and disconnecting the TCP connection established with the client.
5. The method according to claim 1, characterized in that the connection request message carries port information and client address information, and after receiving the connection request message sent by the client, the method further comprises: parsing a protocol type from the port information carried in the connection request message;
querying whether the pre-configured protocol types to be detected include the parsed protocol type; if so, further judging whether a configured record table includes the client address information, and when the record table does not include the client address information, performing the step of establishing a TCP connection with the client.
6. An apparatus for detecting an abnormal connection, characterized by comprising:
a transceiver module, configured to receive a connection request message sent by a client and establish a TCP connection with the client;
a detection module, configured to detect whether a data packet sent by the client is received within a set time;
a verification module, configured to verify the data packet against a protocol packet format when the detection result of the detection module is that a data packet sent by the client was received within the set time;
an identification module, configured to identify the TCP connection as an abnormal connection when the detection result of the detection module is that no data packet sent by the client was received within the set time, to identify the TCP connection as a normal connection when the verification module verifies the data packet successfully, and to identify the TCP connection as an abnormal connection when the verification module fails to verify the data packet.
7. The apparatus according to claim 6, characterized by further comprising a judging module, wherein the transceiver module comprises a first transceiver sub-module and a second transceiver sub-module;
the first transceiver sub-module is configured to receive the connection request message, the connection request message carrying client address information;
the judging module is configured to judge whether a configured record table includes the client address information carried in the connection request message received by the first transceiver sub-module, and to trigger the second transceiver sub-module when the record table does not include the client address information;
the second transceiver sub-module is configured to establish a TCP connection with the client when the judging module judges that the record table does not include the client address information.
8. The apparatus according to claim 7, characterized by further comprising:
a first processing module, configured to, when the judging module judges that the record table includes the client address information: if the client address information is judged according to the record table to be trusted client address information, forward the client's connection request message to a server so that the client establishes a TCP connection with the server; and if the client address information is judged according to the record table to be untrusted client address information, reject the client's connection request.
9. The apparatus according to claim 7, characterized by further comprising:
a second processing module, configured to store the client address information in the configured record table and disconnect the TCP connection when the identification module identifies the TCP connection as a normal connection, and to store the client address information in the configured record table and discard the TCP connection when the identification module identifies the TCP connection as an abnormal connection.
10. A gateway device, characterized by comprising the apparatus for detecting an abnormal connection according to any one of claims 6 to 9.
PCT/CN2010/074660 2009-06-29 2010-06-29 Method, device and gateway equipment for detecting abnormal connections WO2011000304A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910151032.0 2009-06-29
CN200910151032.0A CN101594269B (en) 2009-06-29 2009-06-29 Method, device and gateway device for detecting abnormal connection

Publications (1)

Publication Number Publication Date
WO2011000304A1 true WO2011000304A1 (en) 2011-01-06

Family

ID=41408727

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/074660 WO2011000304A1 (en) 2009-06-29 2010-06-29 Method, device and gateway equipment for detecting abnormal connections

Country Status (2)

Country Link
CN (1) CN101594269B (en)
WO (1) WO2011000304A1 (en)


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10793599

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC OF 290512

122 Ep: pct application non-entry in european phase

Ref document number: 10793599

Country of ref document: EP

Kind code of ref document: A1