WO2011000304A1 - Method, device and gateway equipment for detecting abnormal connections (original title: Procédé, dispositif et matériel de passerelle destinés à détecter des connexions anormales) - Google Patents

Info

Publication number
WO2011000304A1
Authority
WO
WIPO (PCT)
Prior art keywords
client
connection
address information
data packet
tcp connection
Application number
PCT/CN2010/074660
Other languages
English (en)
Chinese (zh)
Inventor
蒋武
杨莉
Original Assignee
成都市华为赛门铁克科技有限公司
Application filed by 成都市华为赛门铁克科技有限公司
Publication of WO2011000304A1

Classifications

    • H: ELECTRICITY; H04: ELECTRIC COMMUNICATION TECHNIQUE; H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L 69/163 In-band adaptation of TCP data exchange; In-band control procedures
    • H04L 69/40 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass for recovering from a failure of a protocol instance or entity, e.g. service redundancy protocols, protocol state redundancy or protocol service redirection

Definitions

  • The invention relates to a method, a device and a gateway device for detecting abnormal connections.
  • This application claims priority to Chinese Patent Application No. 200910151032.0, filed with the Chinese Patent Office on June 29, 2009 and entitled "Abnormal connection detection method, device and gateway device", the entire contents of which are incorporated herein by reference.
  • The present invention relates to the field of information security, and in particular to a method, a device and a gateway device for detecting abnormal connections.
  • A Distributed Denial of Service (DDoS) attack uses apparently legitimate service requests to occupy an excessive share of service resources, so that the server can no longer process the requests of legitimate users.
  • The TCP full-connection attack is a DDoS attack in which many zombie hosts continuously establish a large number of complete TCP connections with the server until the server's connection table, memory and other resources are exhausted, so that the server denies service and cannot process the requests of legitimate users.
  • A characteristic of the TCP full-connection attack is that, because each connection is fully established, it can pass through the protection of a general firewall and still achieve its purpose. For a typical network service system the number of TCP connections it can accept is limited; under a TCP full-connection attack the website becomes very slow or even inaccessible.
  • In the prior art, a firewall or DDoS detection device counts the total number of connections to the protected server; if the total exceeds a connection-number threshold, the TCP connections are regarded as abnormal.
  • Specifically, the connection check module in the firewall or DDoS detection device inspects the TCP connections in the traffic to be protected and counts the successful handshakes (completed TCP connections) over a time period. When the period ends, the count is compared with the connection-number threshold; if it is greater, the TCP connections are identified as abnormal, that is, a full-connection attack is assumed.
  • The inventors found that normal access traffic varies with time: when normal traffic increases, the number of TCP connections in the traffic also increases, and once the number of TCP connections in a period exceeds the connection threshold, normal TCP connections are identified as abnormal, that is, as a full-connection attack, which produces a false positive.
  • An embodiment of the present invention provides a method for detecting an abnormal connection, including: receiving a connection request message sent by a client and establishing a TCP connection with the client; and detecting whether a data packet sent by the client is received within a set time.
  • If no data packet sent by the client is received within the set time, the TCP connection is identified as an abnormal connection.
  • If a data packet sent by the client is received within the set time, the data packet is verified according to the protocol packet; if the verification succeeds, the TCP connection is identified as a normal connection, and if the verification fails, the TCP connection is identified as an abnormal connection.
  • An embodiment of the invention further provides an abnormal connection detecting device, comprising:
  • a transceiver module configured to receive a connection request message sent by the client and to establish a TCP connection with the client;
  • a detecting module configured to detect whether a data packet sent by the client is received within a set time;
  • a verification module configured to verify the data packet according to the protocol packet when the detecting module finds that a data packet sent by the client was received within the set time; and an identifying module configured to identify the TCP connection as an abnormal connection when the detecting module finds that no data packet sent by the client was received within the set time, to identify the TCP connection as a normal connection when the verification module verifies the data packet successfully, and to identify the TCP connection as an abnormal connection when the verification module fails to verify the data packet.
  • An embodiment of the invention provides a gateway device comprising the above abnormal connection detecting device.
  • In the embodiments, the detecting device establishes the TCP connection with the client in place of the server, detects whether a data packet sent by the client is received within the set time, and verifies any data packet received within the set time according to the protocol packet. A TCP connection that the client initiates towards the server can thus be identified as abnormal on the basis of the client's own behaviour rather than on the total connection count, which improves the accuracy of detecting a full-connection attack.
  • FIG. 1 is a flowchart of a method for detecting an abnormal connection according to Embodiment 1 of the present invention
  • FIG. 2 is a flowchart of a method for detecting an abnormal connection according to Embodiment 2 of the present invention
  • FIG. 3 is a flowchart of a method for detecting an abnormal connection according to Embodiment 3 of the present invention
  • FIG. 4 is a flowchart of a method for detecting an abnormal connection according to Embodiment 4 of the present invention
  • FIG. 5 is a flowchart of a method for detecting an abnormal connection according to Embodiment 5 of the present invention
  • FIG. 6 is a flowchart of a method for detecting an abnormal connection according to Embodiment 6 of the present invention
  • FIG. 7 is a schematic structural diagram of an abnormal connection detecting apparatus according to Embodiment 7 of the present invention
  • FIG. 8 is a schematic structural diagram of an abnormal connection detecting apparatus according to Embodiment 8 of the present invention.
  • FIG. 1 is a flowchart of a method for detecting an abnormal connection according to Embodiment 1 of the present invention. As shown in FIG. 1, the method includes:
  • Step 101: Receive a connection request message sent by the client.
  • The connection request message may be a SYN message.
  • The SYN (synchronize) message is the handshake signal used when TCP/IP establishes a connection.
  • Step 102: Establish a TCP connection with the client. Specifically, after receiving the SYN message sent by the client, the detecting device returns a SYN-ACK message, and the client sends an ACK message in response, which completes the establishment of the TCP connection.
  • The SYN-ACK message is the response to the SYN message, and the ACK message is the response to the SYN-ACK message.
  • The SYN message is not forwarded to the server; instead, the detecting device establishes the TCP connection with the client itself.
  • Step 103: Check whether a data packet sent by the client is received within the set time. If yes, go to step 104; otherwise, go to step 106.
  • The set time can be any preset time period.
  • Step 104: Verify the data packet according to the protocol packet. If the verification succeeds, go to step 105; if the verification fails, go to step 106.
  • Depending on the actual application, the protocol packet may be an HTTP protocol packet, an FTP protocol packet, an SSH protocol packet, and so on.
  • The verification checks whether the content of the data packet is consistent with the protocol packet type. If the content of the data packet is consistent with the protocol packet type, the verification succeeds; if it is not, the verification fails.
  • Step 105: Identify the TCP connection as a normal connection.
  • The received data packet is regarded as a normal data packet and the TCP connection as a normal connection, that is, the client is not performing a full-connection attack on the server.
  • Step 106: Identify the TCP connection as an abnormal connection.
  • No data packet was received within the set time, or the received data packet failed verification, so the TCP connection is identified as an abnormal connection, that is, the client is performing a full-connection attack on the server.
  • In this embodiment the TCP connection established with the client can be identified as an abnormal connection from the client's own behaviour, which improves the accuracy of detecting the full-connection attack.
  • FIG. 2 is a flowchart of a method for detecting an abnormal connection according to Embodiment 2 of the present invention. As shown in FIG. 2, the method includes:
  • Step 201: Receive a connection request message sent by the client, where the connection request message carries client address information.
  • The steps in this embodiment may be performed by the abnormal connection detecting device. Specifically, when the client sends a connection request message to the server, the abnormal connection detecting device receives the connection request message.
  • Step 202: Determine whether the set record table includes the client address information. If yes, go to step 208; otherwise, go to step 203.
  • The record table stores trusted client address information and untrusted (or malicious) client address information.
  • The trusted client address information is client address information that has passed verification, and the untrusted client address information is client address information that has not passed verification.
  • The record table may include a whitelist and a blacklist: the whitelist stores trusted client address information, and the blacklist stores malicious client address information.
  • Step 203: Establish a TCP connection with the client.
  • After the abnormal connection detecting device receives the connection request message sent by the client, if it determines from the set record table that the client address information carried in the connection request message is unknown, the detecting device establishes the TCP connection with the client in place of the server.
  • Step 204: Detect whether a data packet sent by the client is received within the set time. If yes, go to step 205; otherwise, go to step 207.
  • In the case of a normal connection, after the abnormal connection detecting device establishes the TCP connection with the client, the client sends a data packet to the detecting device. The detecting device can therefore make an initial determination of whether the TCP connection is abnormal by checking whether a data packet sent by the client is received within the set time.
  • Step 205: Verify the data packet according to the protocol packet. If the verification succeeds, go to step 206; if the verification fails, go to step 207.
  • Verifying the data packet according to the protocol packet may consist of checking whether the content of the data packet is consistent with the protocol packet: if it is consistent, the verification succeeds; if it is inconsistent, the verification fails.
  • Step 206: Identify the TCP connection as a normal connection, store the client address information in the set record table, disconnect the TCP connection established with the client, and end the process.
  • Step 207: Identify the TCP connection as an abnormal connection, store the client address information in the set record table, discard the TCP connection, and end the process.
  • Step 208: Allow or deny the client to establish a TCP connection with the server, and end the process.
  • When it is determined that the trusted client address information includes the client address information, that is, the client address information is trusted, the client is allowed to establish a TCP connection with the server: the abnormal connection detecting device forwards the connection request message sent by the client to the server, so that the client establishes the TCP connection with the server. When it is determined that the malicious client address information includes the client address information, that is, the client address information is malicious, the client is denied a TCP connection with the server: the abnormal connection detecting device rejects the client's connection request, thereby protecting the server from the TCP full-connection attack.
  • In this embodiment the TCP connection established with the client is recognized as an abnormal connection in time, which improves both the accuracy and the timeliness of detecting the full-connection attack.
  • FIG. 3 is a flowchart of a method for detecting an abnormal connection according to Embodiment 3 of the present invention. As shown in FIG. 3, the method includes:
  • Step 301: Receive a connection request message sent by the client, where the connection request message carries port information and client address information.
  • Each step in this embodiment may be performed by the abnormal connection detecting device.
  • The port information may be, for example, an HTTPS port, and may be the default port or a user-defined port; the client address information may be the IP address of the client.
  • Step 302: Parse the protocol type from the port information carried in the connection request message.
  • For example, the abnormal connection detecting device determines from the port information that the port is an HTTPS port, and therefore identifies the expected data packets as HTTPS protocol packets.
  • HTTPS is a network protocol built from SSL and HTTP for encrypted transmission and identity authentication; SSL is a protocol that encrypts and decrypts data over a secure connection between a client and an SSL-enabled server.
  • Step 303: Query whether the pre-configured protocol types to be detected include the identified protocol type. If yes, go to step 304; otherwise, go to step 313.
  • The pre-configured protocol types to be detected may include one or more protocols, so the query determines whether the identified protocol type belongs to the range to be detected.
  • Step 304: Determine whether the client address information is included in the whitelist or the blacklist. If it is included in neither, go to step 305; if the whitelist includes the client address information, go to step 313; if the blacklist includes the client address information, go to step 314.
  • A whitelist and a blacklist can be set at the same time: the client address information in the whitelist is allowed to pass, and the client address information in the blacklist is rejected.
  • Step 305: Establish a TCP connection with the client, and go to step 306.
  • Step 306: Detect whether a data packet sent by the client is received within the set time. If yes, go to step 307; otherwise, go to step 310.
  • Step 307: Verify the data packet according to the protocol packet. If the verification succeeds, go to step 308; if the verification fails, go to step 310.
  • The verification checks whether the content of the data packet is consistent with the protocol packet: if it is consistent, the verification succeeds; if it is inconsistent, the verification fails.
  • Step 308: Identify the TCP connection as a normal connection, and go to step 309.
  • Step 309: Add the client address information to the whitelist, send a disconnect message to the client, and end the process.
  • The disconnect message can be an RST message.
  • Step 310: Identify the TCP connection as an abnormal connection, and go to step 311.
  • Step 311: Discard the TCP connection, release the resources occupied by the TCP connection, and go to step 312.
  • Step 312: Add the client address information to the blacklist, and end the process.
  • Step 313: Allow the client to establish a TCP connection with the server, and end the process.
  • Step 314: Reject the client's request to establish a TCP connection with the server, and end the process.
  • Alternatively, step 312 may be performed first, adding the client address information to the blacklist, and then step 311, discarding the TCP connection and releasing the resources it occupies.
  • Alternatively, only step 311 may be performed, discarding the TCP connection and releasing its resources, without performing step 312, that is, without adding the client address information to the blacklist.
  • The whitelist and the blacklist may also both be left unset, in which case the client address information is not added to the whitelist and the step of adding it to the blacklist in step 312 is not performed. In that case, every time the client requests to establish a TCP connection again, the steps of this embodiment must be repeated to identify the client's TCP connection as abnormal.
  • The abnormal connection detecting device then has to keep establishing TCP connections with the client and repeatedly performing the process that detects the TCP connection as abnormal; this is the case in which the abnormal connection detecting device withstands the client's full-connection attack in place of the server.
  • In this embodiment the TCP connection established with the client is recognized as an abnormal connection in time, which improves both the accuracy and the timeliness of detecting the full-connection attack.
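The flow of Embodiments 1 to 3 (proxied handshake, wait for the client's first packet, verify it against the expected protocol, then whitelist or blacklist the address) can be exercised offline as a small simulation. The Python below is an added example written for this page, not code from the patent or from the assignee. The port-to-protocol table, the set time of 3 seconds, the HTTP and SSH first-packet rules, the event format and the sample client addresses are all assumptions, since the page does not define what "consistent with the protocol packet" means.

```python
"""Full-connection attack screening as in Embodiments 1 to 3 (added example).

The gateway answers the client's SYN itself, then judges the connection from
what the client does next: no data within the set time -> abnormal; data that
is not a valid opening for the port's protocol -> abnormal; a valid opening ->
normal (address whitelisted, RST sent, later SYNs forwarded to the server).
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

PORT_PROTOCOL = {80: "http", 22: "ssh"}   # assumed mapping; the page allows user-defined ports
PROTOCOLS_TO_DETECT = {"http", "ssh"}     # the "pre-configured protocol types to be detected"
SET_TIME = 3.0                            # assumed set time, in seconds

# First-packet rules (my assumptions for "consistent with the protocol packet").
_HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
_SSH_IDENT = re.compile(rb"^SSH-2\.0-[\x21-\x7e]+(?: [^\r\n]*)?\r?\n")  # RFC 4253 identification string
VALIDATORS: Dict[str, Callable[[bytes], bool]] = {
    "http": lambda data: _HTTP_REQUEST_LINE.match(data) is not None,
    "ssh": lambda data: _SSH_IDENT.match(data) is not None,
}


@dataclass
class Gateway:
    """Record table of Embodiment 2: whitelist of verified, blacklist of failed addresses."""
    whitelist: Set[str] = field(default_factory=set)
    blacklist: Set[str] = field(default_factory=set)

    def on_syn(self, client_ip: str, port: int) -> str:
        """Steps 301-305 and 313-314: decide what to do with a connection request."""
        if PORT_PROTOCOL.get(port) not in PROTOCOLS_TO_DETECT:
            return "forward"            # protocol not under detection: pass through
        if client_ip in self.whitelist:
            return "forward"            # step 313: verified earlier
        if client_ip in self.blacklist:
            return "reject"             # step 314: failed earlier
        return "proxy-handshake"        # step 305: gateway sends SYN-ACK in place of the server

    def on_first_data(self, client_ip: str, port: int, elapsed: float,
                      data: Optional[bytes]) -> str:
        """Steps 306-312: classify once the set time has passed or data has arrived.
        `data` is None when the client sent nothing within the set time."""
        proto = PORT_PROTOCOL[port]
        if data is not None and elapsed <= SET_TIME and VALIDATORS[proto](data):
            self.whitelist.add(client_ip)   # step 309: whitelist, then RST the proxied connection
            return "normal"
        self.blacklist.add(client_ip)       # steps 311-312: drop the connection, blacklist
        return "abnormal"


def simulate(events: List[tuple]) -> List[Tuple[str, str]]:
    """Feed SYN and first-data events through one Gateway; return (ip, decision) pairs."""
    gw = Gateway()
    log = []
    for ev in events:
        if ev[0] == "syn":
            _, ip, port = ev
            log.append((ip, gw.on_syn(ip, port)))
        else:
            _, ip, port, elapsed, data = ev
            log.append((ip, gw.on_first_data(ip, port, elapsed, data)))
    return log


# Constructed sample traffic (not from the page). Times are seconds after the handshake.
SAMPLE_EVENTS = [
    ("syn", "10.0.0.5", 80),
    ("data", "10.0.0.5", 80, 0.2, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("syn", "10.0.0.5", 80),                        # now whitelisted: forwarded to the server
    ("syn", "198.51.100.7", 80),
    ("data", "198.51.100.7", 80, SET_TIME, None),   # zombie holds the connection and says nothing
    ("syn", "198.51.100.7", 80),                    # now blacklisted: rejected
    ("syn", "203.0.113.9", 22),
    ("data", "203.0.113.9", 22, 0.1, b"HELLO\r\n"), # wrong protocol on an SSH port
    ("syn", "192.0.2.4", 22),
    ("data", "192.0.2.4", 22, 0.5, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("syn", "192.0.2.4", 443),                      # port not under detection: passed through
]

if __name__ == "__main__":
    for ip, decision in simulate(SAMPLE_EVENTS):
        print(f"{ip:14s} {decision}")
```

Run it to print one decision per event. The point to notice is the one the page relies on: the zombie that holds the proxied connection open without speaking is classified from its own behaviour, not from how many connections the server currently has. The converse limit also shows: a bot that sends a valid request line is whitelisted, so this check screens out idle full-connection floods, not floods of well-formed application requests.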
  • FIG. 4 is a flowchart of a method for detecting an abnormal connection according to Embodiment 4 of the present invention. This embodiment mainly applies to the case where the protocol type is FTPS. As shown in FIG. 4, the method includes:
  • Step 401: Receive a connection request message sent by the client, where the connection request message carries port information and client address information.
  • The steps in this embodiment can be performed by the abnormal connection detecting device.
  • Step 402: Parse the protocol type from the port information carried in the connection request message.
  • Here the protocol type is FTPS.
  • FTPS is an enhanced FTP protocol that uses the standard FTP commands over the Secure Sockets Layer, adding SSL security to the FTP control and data channels. FTPS is also known as "FTP-SSL" and "FTP-over-SSL".
  • Step 403: Query whether the pre-configured protocol types to be detected include the identified protocol type. If yes, go to step 404; otherwise, go to step 415.
  • Step 404: Determine whether the client address information is included in the whitelist or the blacklist. If it is included in neither, go to step 405; if the whitelist includes the client address information, go to step 415; if the blacklist includes the client address information, go to step 416.
  • Step 405: Establish a TCP connection with the client.
  • Step 406: Detect whether a data packet sent by the client is received within the silent time. If yes, go to step 412; otherwise, go to step 407.
  • The silent time can be any set time.
  • After the TCP connection with the client is established, a normal FTPS client does not actively send any data packet to the abnormal connection detecting device during the set silent time. Therefore, by detecting whether a data packet sent by the client is received during the silent time, this step can also determine whether the client is a trusted client.
  • Step 407: Send a version data packet to the client, and go to step 408.
  • During the set silent time the client does not send a data packet to the peer device (the device that established the TCP connection with it); only after receiving the version data packet sent by the peer device does the client send a data packet to the peer device in response to that version data packet.
  • That is, before the client can send a data packet to the abnormal connection detecting device, it must first receive the FTPS version data packet sent by the abnormal connection detecting device.
  • Step 408: Detect whether a data packet sent by the client is received within the set time. If yes, go to step 409; otherwise, go to step 412.
  • Step 409: Verify the data packet according to the protocol packet. If the verification succeeds, go to step 410; if the verification fails, go to step 412.
  • The verification checks whether the content of the data packet is consistent with the protocol packet: if it is consistent, the verification succeeds; if it is inconsistent, the verification fails.
  • Step 410: Identify the TCP connection as a normal connection, and go to step 411.
  • Step 411: Add the client address information to the whitelist, send a disconnect message to the client, and end the process.
  • The disconnect message can be an RST message.
  • Step 412: Identify the TCP connection as an abnormal connection, and go to step 413.
  • Step 413: Discard the TCP connection, release the resources occupied by the TCP connection, and go to step 414.
  • Step 414: Add the client address information to the blacklist, and end the process.
  • Step 415: Allow the client to establish a TCP connection with the server, and end the process.
  • Step 416: Reject the client's request to establish a TCP connection with the server, and end the process.
  • In this embodiment the TCP connection established with the client is recognized as an abnormal connection in time, which improves both the accuracy and the timeliness of detecting the full-connection attack.
  • The following describes in detail, by way of a specific embodiment, the application of the abnormal connection detecting method of the present invention to the HTTPS protocol. HTTPS is a network protocol in which HTTP traffic is encrypted and transmitted over SSL.
  • In this embodiment the client is an HTTPS client and the server is an HTTPS server.
  • The process in this embodiment describes full-connection attack detection performed on the connection request sent by the client, where the established TCP connection is detected to be a normal connection.
  • The detection of the full-connection attack in this embodiment may be performed by the abnormal connection detecting device. The abnormal connection detecting device may be deployed separately or in a gateway device; in this embodiment a gateway device that includes the abnormal connection detecting device is used as the example to describe the abnormal connection detecting method.
  • FIG. 5 is a flowchart of a method for detecting an abnormal connection according to Embodiment 5 of the present invention. As shown in FIG. 5, the method includes:
  • Step 501: The client sends a SYN message to the gateway device, where the SYN message carries the HTTPS port information and the IP address of the HTTPS client.
  • Step 502: The gateway device parses the protocol type from the HTTPS port information carried by the SYN message as HTTPS, and queries the pre-configured protocol types, which include HTTPS.
  • The identified HTTPS protocol therefore belongs to the scope of full-connection attack detection.
  • The HTTPS port information can be the default port 443 or user-defined port information.
  • Step 503: The gateway device determines that neither the set whitelist nor the blacklist includes the IP address of the client.
  • Step 504: The gateway device sends a SYN-ACK message to the HTTPS client.
  • Step 505: The HTTPS client returns an ACK message to the gateway device.
  • The HTTPS client has thereby established a TCP connection with the gateway device.
  • Step 506: Add the IP address of the HTTPS client to the aging table, and set an aging time, where the aging time is the set time.
  • Step 507: The gateway device receives the data packet sent by the HTTPS client within the aging time.
  • Step 508: The gateway device verifies the data packet according to the HTTPS protocol packet.
  • The HTTPS protocol packet may be the Hello message (the client's ClientHello) of the HTTPS protocol.
  • The gateway device can verify the received data packet against the Hello message: if the data packet is consistent with the Hello message, the verification succeeds; if it is inconsistent, the verification fails. In other words, when the verification succeeds, the data packet sent by the HTTPS client is the Hello message.
  • Step 509: The gateway device identifies the TCP connection as a normal connection, and adds the address information of the HTTPS client to the whitelist.
  • Step 510: The gateway device returns an RST message to the HTTPS client to disconnect the TCP connection with the HTTPS client.
  • Step 511: The HTTPS client sends a SYN message to the HTTPS server through the gateway device.
  • The gateway device queries the whitelist, finds that it includes the IP address of the client carried in the SYN message, and forwards the SYN message to the HTTPS server.
  • Step 512: The HTTPS server sends a SYN-ACK message to the HTTPS client through the gateway device.
  • Step 513: The HTTPS client returns an ACK message to the HTTPS server through the gateway device, thereby establishing a TCP connection with the HTTPS server.
  • Step 514: The HTTPS client performs HTTPS data transmission with the HTTPS server through the gateway device.
  • If, in step 508, the gateway device verifies the data packet according to the HTTPS protocol packet and the verification fails, the TCP connection is identified as an abnormal connection and the IP address of the client is added to the blacklist.
  • When the HTTPS client then sends a SYN message to the HTTPS server again, the gateway device refuses to establish the TCP connection between the HTTPS client and the HTTPS server.
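Step 508 verifies the client's first packet against the HTTPS Hello message, but the page does not say how that comparison is made. The Python below is an added example, not the patent's code: it checks the TLS record and handshake framing of a ClientHello (record type 0x16, a known version, handshake type 0x01, and body lengths that agree with one another), which is one reasonable reading of "consistent with the Hello message". The builder and the sample inputs are constructed for the example; the fixed random bytes are not secure, and the field layout is the TLS 1.0 to 1.2 ClientHello, which TLS 1.3 clients still send on the wire.

```python
"""Verifying the HTTPS 'Hello message' of step 508 (added example).

A genuine HTTPS client opens with a TLS ClientHello; the check parses the
record and handshake framing and confirms that every length field agrees.
"""
import struct
from typing import Tuple

TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01
# SSL 3.0 .. TLS 1.2; TLS 1.3 clients still put 0x0303 (or 0x0301) in these fields.
KNOWN_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}


def verify_client_hello(data: bytes) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'normal', 'abnormal' or 'incomplete'."""
    if len(data) < 5:
        return "incomplete", "record header not yet complete"
    ctype, rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    if ctype != TLS_HANDSHAKE:
        return "abnormal", f"record type 0x{ctype:02x} is not handshake"
    if rec_ver not in KNOWN_VERSIONS:
        return "abnormal", f"record version 0x{rec_ver:04x} unknown"
    if not 4 <= rec_len <= 16384:
        return "abnormal", "record length out of range"
    body = data[5:5 + rec_len]
    if len(body) < rec_len:
        return "incomplete", "handshake record split across segments"
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != HS_CLIENT_HELLO:
        return "abnormal", f"handshake type 0x{hs_type:02x} is not ClientHello"
    if hs_len != rec_len - 4:
        return "abnormal", "handshake length disagrees with record length"
    hello = body[4:]
    # client_version(2) random(32) session_id<0..32> cipher_suites<2..> compression_methods<1..>
    if len(hello) < 35:
        return "abnormal", "ClientHello shorter than version + random + session_id length"
    if struct.unpack("!H", hello[:2])[0] not in KNOWN_VERSIONS:
        return "abnormal", "client_version unknown"
    pos = 34
    sid_len = hello[pos]
    pos += 1
    if sid_len > 32 or pos + sid_len + 2 > len(hello):
        return "abnormal", "bad session_id length"
    pos += sid_len
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len < 2 or cs_len % 2 or pos + cs_len + 1 > len(hello):
        return "abnormal", "bad cipher_suites length"
    pos += cs_len
    comp_len = hello[pos]
    pos += 1
    if comp_len < 1 or pos + comp_len > len(hello):
        return "abnormal", "bad compression_methods length"
    pos += comp_len
    if pos != len(hello):   # extensions present: their length must fill the rest exactly
        if pos + 2 > len(hello) or pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0] != len(hello):
            return "abnormal", "extensions length does not match"
    return "normal", "well-formed ClientHello"


def sni_extension(host: bytes) -> bytes:
    """Constructed server_name extension (type 0) for the sample below."""
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0x0000, len(name_list)) + name_list


def build_client_hello(cipher_suites=(0x1301, 0x1302, 0xC02F), session_id=b"",
                       extensions=b"") -> bytes:
    """Constructed ClientHello; the fixed 'random' bytes make it a test vector, not a real hello."""
    hello = struct.pack("!H", 0x0303) + bytes(range(32)) + bytes([len(session_id)]) + session_id
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    hello += struct.pack("!H", len(suites)) + suites + b"\x01\x00"   # one method: null compression
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([HS_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


# Constructed first packets from five clients, as the gateway would see them on port 443.
SAMPLES = {
    "browser": build_client_hello(extensions=sni_extension(b"example.test")),
    "plain http on 443": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "split segment": build_client_hello()[:20],
    "no cipher suites": build_client_hello(cipher_suites=()),
    "server hello from a client": build_client_hello()[:5] + b"\x02" + build_client_hello()[6:],
}


def run_samples() -> dict:
    return {name: verify_client_hello(pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:28s} {verify_client_hello(pkt)}")
```

A third verdict, incomplete, covers a case the page does not discuss: the first TCP segment carries only part of the record, which a gateway should buffer until the set time expires rather than treat as an attack. SSLv2-compatible hellos, which begin with a different header, are rejected by this check; a deployment that still had to admit such clients would have to relax that.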
  • The following describes in detail, by way of a specific embodiment, the application of the abnormal connection detecting method of the present invention to the FTPS protocol.
  • In this embodiment the client is an FTPS client and the server is an FTPS server.
  • The process in this embodiment describes full-connection attack detection performed on the connection request sent by the client, where the established TCP connection is detected to be a normal connection.
  • The detection of the full-connection attack in this embodiment may be performed by the abnormal connection detecting device. The abnormal connection detecting device may be deployed separately or in a gateway device; in this embodiment a gateway device that includes the abnormal connection detecting device is used as the example to describe the abnormal connection detecting method.
  • FIG. 6 is a flowchart of a method for detecting an abnormal connection according to Embodiment 6 of the present invention. As shown in FIG. 6, the method includes:
  • Step 601 The FTPS client sends a SYN message to the gateway device, where the SYN message carries the FTPS port information and the IP address of the FTPS client.
  • Step 602 The gateway device parses the protocol type of the FTPS port information carried by the SYN message into the FTPS protocol, and queries the pre-configured protocol type to include the FTPS protocol.
  • the identified FTPS protocol belongs to the scope of full connectivity attack detection.
  • the FTPS port information can be the default port 21 or user-defined port information.
  • Step 603 The gateway device determines that the set whitelist and the blacklist do not include the IP address information of the client.
  • Step 604 The gateway device sends a SYN-ACK message to the FTPS client.
  • Step 605 The FTPS client returns an ACK message to the gateway device.
  • the FTPS client establishes a TCP connection with the gateway device.
  • Step 606 The gateway device adds the IP address of the FTPS client to the aging table, and sets the aging time, where the aging time is the silent time.
  • Step 607 The gateway device detects, in the aging time, that the data packet sent by the FTPS client is not received.
  • Step 608 The gateway device sends a version data packet f tp vers i on to the FTPS client.
  • Ftp ve rsi on is the data packet in the FTPS protocol;
  • Step 609 The gateway device presets a set time.
  • Step 610 The gateway device receives the data packet sent by the FTPS client within the set time.
  • Step 611 The gateway device verifies and verifies the data packet according to the FTPS protocol packet.
  • the FTPS protocol is used in the FTPS protocol. USER Command message;
  • the gateway device can verify the received data packet according to the USER Co and message. If the data packet is consistent with the USER Command message, the certificate is successful. If the data packet is inconsistent with the USER Command message, the verification fails. In other words, in the case of successful authentication, the packet sent by the FTPS client is the USER Command message.
  • Step 612 The gateway device identifies the TCP connection as a normal connection and adds the address information of the FTPS client to the whitelist.
  • Step 613 The gateway device returns an RST message to the FTPS client to tear down the TCP connection with the FTPS client.
  • Step 614 The FTPS client sends a SYN message to the FTPS server through the gateway device; the gateway device finds the client IP address carried in the SYN message in the whitelist and forwards the SYN message to the FTPS server.
  • Step 615 The FTPS server sends a SYN-ACK message to the FTPS client through the gateway device.
  • Step 617 The FTPS client performs FTPS data transmission with the FTPS server through the gateway device.
  • If, in Step 611, the gateway device verifies the data packet against the FTPS protocol packet and the verification fails, the TCP connection is identified as an abnormal connection, the IP address of the client is added to the blacklist, and the gateway device subsequently refuses to establish a TCP connection between the FTPS client and the FTPS server.
  • If, in Step 607, the gateway device detects that a data packet from the FTPS client is received during the aging time (that is, the silent time), the gateway device identifies the TCP connection as an abnormal connection, adds the IP address of the client to the blacklist, and subsequently refuses to establish a TCP connection between the FTPS client and the FTPS server.
  • FIG. 7 is a schematic structural diagram of an abnormal connection detecting apparatus according to Embodiment 7 of the present invention.
  • The abnormal connection detecting apparatus includes a transceiver module 111, a detecting module 112, a verification module 113, and an identification module 114, wherein:
  • the transceiver module 111 is configured to receive a connection request message sent by the client and establish a TCP connection with the client; specifically, the transceiver module 111 receives the connection request message sent by the client, sends a connection response message to the client, receives the response message returned by the client, and thereby establishes the TCP connection with the client.
  • The connection request message may be a SYN message, the connection response message may be a SYN-ACK message, and the response message may be an ACK message.
  • The detecting module 112 is configured to detect whether a data packet sent by the client is received within the set time; specifically, the detecting module 112 sends the detection result that a data packet from the client was received to the verification module 113, or sends the detection result that no data packet from the client was received to the identification module 114. The data packet sent by the client is received by the transceiver module 111.
  • The verification module 113 is configured to verify the received data packet against the protocol packet when the detecting module 112 detects that a data packet has been received; specifically, the verification module 113 checks whether the content of the data packet is consistent with the protocol packet type: if it is consistent, the verification succeeds, and if it is inconsistent, the verification fails.
  • The identification module 114 is configured to identify the TCP connection as an abnormal connection when the detecting module 112 detects that no data packet has been received, to identify the TCP connection as a normal connection when the verification module 113 verifies the data packet successfully, and to identify the TCP connection as an abnormal connection when the verification module 113 fails to verify the data packet. In other words, the identification module 114 may identify an abnormal connection from the detection result of the detecting module 112 alone, or from the verification result of the verification module 113: a successful verification yields a normal connection and a failed verification an abnormal connection.
  • In this embodiment, the abnormal connection detecting apparatus detects whether a data packet sent by the client is received within the set time and verifies any data packet received within the set time against the protocol packet, so that when the client launches a full-connection attack against the server, the apparatus recognises the TCP connection established with the client as an abnormal connection, thereby improving the accuracy of full-connection attack detection.
  • FIG. 8 is a schematic structural diagram of an abnormal connection detecting apparatus according to Embodiment 8 of the present invention.
  • Compared with Embodiment 7, the abnormal connection detecting apparatus in this embodiment adds a judging module 115. The transceiver module 111 includes a first transceiver sub-module 1111 and a second transceiver sub-module 1112, and the judging module 115 includes a first judging sub-module 1151 and a second judging sub-module 1152, wherein:
  • the first transceiver sub-module 1111 is configured to receive a connection request message sent by the client, where the connection request message carries the client port number information and the client address information;
  • the first judging sub-module 1151 is configured to determine, according to the set record table, whether the protocol type of the connection request message is included in the protocol types to be detected, and if yes, to trigger the second judging sub-module 1152, otherwise to trigger the first processing module 116. The protocol type of the connection request message is obtained by parsing the client port number information carried in the connection request message. The set record table contains the protocol type information to be detected, trusted client address information, and untrusted client address information.
  • the second judging sub-module 1152 is configured to determine whether the client address information is included in the address information of the set record table; if yes, the first processing module 116 is triggered, otherwise the second transceiver sub-module 1112 is triggered. The record table stores trusted client address information and untrusted (malicious) client address information: the trusted client address information is client address information that has passed verification, and the untrusted client address information is client address information that has failed verification. The record table may take the form of a whitelist and/or a blacklist, where the whitelist stores trusted client address information and the blacklist stores malicious client address information.
  • the second transceiver sub-module 1112 is configured to establish a TCP connection with the client and to trigger the detecting module 112. Here the abnormal connection detecting apparatus establishes the TCP connection with the client in place of the server, thereby starting the full verification process for the client.
  • The detecting module 112 is configured to detect whether a data packet sent by the client is received within the set time, and if yes, to trigger the verification module 113, otherwise to trigger the identification module 114. After the abnormal connection detecting apparatus establishes the TCP connection with the client, a normal client sends a data packet to the apparatus; the detecting module 112 can therefore judge whether the TCP connection is abnormal by detecting whether a data packet from the client arrives within the set time.
  • The verification module 113 is configured to verify the data packet sent by the client within the set time against the protocol packet. Verifying the data packet against the protocol packet may consist of checking whether the content of the data packet is consistent with the protocol packet: if consistent, the verification succeeds, and if inconsistent, the verification fails.
  • The identification module 114 is configured to identify whether the TCP connection is an abnormal connection according to the verification result of the verification module 113 and the detection result of the detecting module 112, and to trigger the second processing module 117. Specifically, when the detection result of the detecting module 112 is that no data packet was received within the set time, the TCP connection is identified as an abnormal connection; when the verification result of the verification module 113 is a verification failure, the TCP connection is identified as an abnormal connection; and when the verification result of the verification module 113 is a verification success, the TCP connection is identified as a normal connection.
  • The first processing module 116 is configured to process the connection request message according to the determination result of the first judging sub-module 1151 and the determination result of the second judging sub-module 1152. Specifically, when the first judging sub-module 1151 determines that the protocol type of the connection request message is not among the protocol types to be detected, the connection request message is forwarded to the server so that the server establishes a TCP connection with the client; when the second judging sub-module 1152 determines from the set record table that the client address information is trusted client address information, the connection request message is likewise forwarded to the server so that the server establishes a TCP connection with the client; and when the second judging sub-module 1152 determines from the set record table that the client address information is untrusted client address information, the connection request of the client is rejected.
  • The second processing module 117 is configured to store the client address information in the set record table and disconnect the TCP connection when the identification module 114 identifies the TCP connection as a normal connection, and to store the client address information in the set record table and discard the TCP connection when the identification module 114 identifies the TCP connection as an abnormal connection. Specifically, when the TCP connection is identified as a normal connection, an RST message may be returned to the client to tear down the client's TCP connection; when the TCP connection is identified as an abnormal connection, the TCP connection is discarded, thereby protecting the server from the client's full-connection attack.
  • The judging module 115 may also include only the second judging sub-module 1152, and the first processing module 116 and the second processing module 117 may be implemented as a single module.
  • The detecting module 112 may further detect whether a data packet sent by the client is received during the silent time. If a data packet is received during the silent time, the detecting module 112 sends this detection result to the identification module 114, which identifies the TCP connection as an abnormal connection; if no data packet is received during the silent time, the detecting module 112 sends this detection result to the transceiver module 111, the transceiver module 111 sends the version data packet to the client, and the detecting module 112 then detects whether a data packet sent by the client is received within the set time.
  • In this embodiment, too, the abnormal connection detecting apparatus recognises the TCP connection established with a client as an abnormal connection when that client launches a full-connection attack against the server, thereby improving the accuracy of full-connection attack detection. The protocol types to be detected include the HTTP, HTTPS, FTP, FTPS or SSH protocol types.
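The following is an added example, not code from the patent or its applicant: an event-driven Python model of the gateway logic described in Steps 601-617 above and restated by the modules of Embodiments 7 and 8 (judging, transceiver, detecting, verification, identification and processing modules). It generalises the FTPS case to a per-protocol profile: a server-speaks-first protocol gets the silent time, the version packet and the USER check, while a client-speaks-first protocol such as HTTP skips the silent phase and is judged only on whether a well-formed request line arrives within the set time. The timer values, ports, sample addresses, greeting text and the two first-message validators are assumptions made for illustration.

```python
# Added example (not the patent's code): an event-driven model of the detector
# in Steps 601-617 and of the modules in Embodiments 7 and 8. Profiles, timer
# values, addresses and the toy first-message checks are all assumptions.
import re
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional

Verdict = Enum("Verdict", "NORMAL ABNORMAL")          # what the identification module decides
Action = Enum("Action", "FORWARD REJECT VERIFY")     # what happens to an incoming SYN

def is_ftp_user(payload: bytes) -> bool:
    # "verify against the protocol packet": the first FTP command must be USER
    return re.fullmatch(rb"USER [\x21-\x7e]{1,64}\r\n", payload) is not None

def is_http_request_line(payload: bytes) -> bool:
    # client-speaks-first protocol: the first line must be an HTTP request line
    first = payload.split(b"\r\n", 1)[0]
    return re.fullmatch(rb"(GET|HEAD|POST|PUT|DELETE|OPTIONS) /\S* HTTP/1\.[01]", first) is not None

@dataclass(frozen=True)
class Profile:
    ports: frozenset
    server_speaks_first: bool    # only then does the silent-time check apply
    greeting: bytes              # the "version packet" sent once the silent time has passed
    valid_first: Callable[[bytes], bool]
    silent_time: float           # aging time during which the client must stay quiet
    set_time: float              # deadline for the first data packet after the greeting

# constructed profiles; 2121 stands in for a user-defined FTPS port
FTPS = Profile(frozenset({21, 2121}), True, b"220 ftp version 1.0\r\n", is_ftp_user, 2.0, 5.0)
HTTP = Profile(frozenset({80}), False, b"", is_http_request_line, 0.0, 5.0)

class ConnectionCheck:   # state machine for one proxied connection (Steps 606-613)
    def __init__(self, p: Profile, now: float):
        self.p, self.sent, self.verdict = p, [], None
        self.phase = "silent" if p.server_speaks_first else "waiting"
        self.deadline = now + (p.silent_time if p.server_speaks_first else p.set_time)
    def on_tick(self, now: float) -> Optional[Verdict]:
        if self.verdict is None and now >= self.deadline:
            if self.phase == "silent":   # client stayed quiet: greet it, open the set-time window
                self.sent.append(self.p.greeting)
                self.phase, self.deadline = "waiting", now + self.p.set_time
            else:                        # nothing arrived within the set time
                self.verdict = Verdict.ABNORMAL
        return self.verdict
    def on_data(self, now: float, payload: bytes) -> Optional[Verdict]:
        if self.on_tick(now) is None:
            if self.phase == "silent":   # spoke before the greeting: a flood tool, not a real client
                self.verdict = Verdict.ABNORMAL
            else:
                self.verdict = Verdict.NORMAL if self.p.valid_first(payload) else Verdict.ABNORMAL
        return self.verdict

class Gateway:   # record table (whitelist/blacklist with aging) and the SYN decision of Steps 602-603
    def __init__(self, profiles, list_ttl: float = 600.0):
        self.profiles = {port: p for p in profiles for port in p.ports}
        self.whitelist, self.blacklist, self.ttl, self.sessions = {}, {}, list_ttl, {}
    def _listed(self, table: dict, ip: str, now: float) -> bool:
        if ip in table and table[ip] <= now:
            del table[ip]                # entry aged out
        return ip in table
    def on_syn(self, ip: str, port: int, now: float) -> Action:
        p = self.profiles.get(port)
        if p is None:                    # protocol not in the detection scope
            return Action.FORWARD
        if self._listed(self.blacklist, ip, now):
            return Action.REJECT
        if self._listed(self.whitelist, ip, now):
            return Action.FORWARD
        self.sessions[(ip, port)] = ConnectionCheck(p, now)   # SYN-ACK/ACK exchange not modelled
        return Action.VERIFY
    def _settle(self, key, verdict: Optional[Verdict], now: float) -> Optional[Verdict]:
        if verdict is not None:          # NORMAL: whitelist, then RST; ABNORMAL: blacklist, then drop
            (self.whitelist if verdict is Verdict.NORMAL else self.blacklist)[key[0]] = now + self.ttl
            del self.sessions[key]
        return verdict
    def on_data(self, ip: str, port: int, now: float, payload: bytes) -> Optional[Verdict]:
        s = self.sessions.get((ip, port))
        return None if s is None else self._settle((ip, port), s.on_data(now, payload), now)
    def on_tick(self, now: float) -> dict:   # expire the timers of every open session
        return {k[0]: v for k, s in list(self.sessions.items())
                for v in [self._settle(k, s.on_tick(now), now)] if v is not None}

def demo() -> dict:
    # constructed scenarios; each has its own simulated clock and one open session at a time
    gw, r = Gateway([FTPS, HTTP]), {}
    r["ftp_syn"] = gw.on_syn("198.51.100.10", 21, 0.0)            # unknown source: verify it
    gw.on_tick(2.5)                                                # silent time over, greeting sent
    r["ftp_ok"] = gw.on_data("198.51.100.10", 21, 3.0, b"USER alice\r\n")
    r["ftp_ok_resyn"] = gw.on_syn("198.51.100.10", 21, 3.1)       # now whitelisted
    gw.on_syn("203.0.113.7", 21, 0.0)
    r["ftp_early"] = gw.on_data("203.0.113.7", 21, 0.4, b"GARBAGE")   # talks during the silent time
    r["ftp_early_resyn"] = gw.on_syn("203.0.113.7", 21, 1.0)      # now blacklisted
    gw.on_syn("203.0.113.8", 2121, 0.0)                            # connect-and-hold, never sends
    gw.on_tick(2.0)
    r["ftp_idle"] = gw.on_tick(8.0).get("203.0.113.8")
    gw.on_syn("198.51.100.20", 80, 0.0)                            # HTTP client speaks first
    r["http_ok"] = gw.on_data("198.51.100.20", 80, 0.1, b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n")
    r["oob"] = gw.on_syn("203.0.113.9", 25, 0.0)                   # SMTP is not in scope
    return r
```

Two caveats a deployment needs beyond what the page states. The silent-time check is only meaningful for protocols in which the server speaks first (FTP sends its 220 greeting before the client may send USER); for HTTP, HTTPS or SSH the client may legitimately send its request, ClientHello or identification string immediately after the handshake, so applying the silent-time test to those ports would blacklist real clients, which is why the HTTP profile above has no silent phase. The record table is keyed by source IP, so a whitelisted address behind a NAT or proxy admits every client sharing it and a blacklisted one blocks them all; the aging time on both lists bounds how long either mistake lasts.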
  • The abnormal connection detecting apparatus in the embodiments of the present invention may be deployed as a separate device or may be integrated into various gateway devices, such as a firewall, an anti-DDoS device, a unified threat management (UTM) device or an intrusion prevention system (IPS).
  • The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a random access memory (RAM).

Abstract

A method, an apparatus and a gateway device for detecting abnormal connections are described in the embodiments of the present invention. The method includes the following steps: receiving a connection request message sent by a client; establishing a TCP (Transmission Control Protocol) connection with the client; when no data packet is received from the client within a set time, identifying the TCP connection as an abnormal connection; when a data packet is received from the client within the set time, verifying the data packet against the protocol messages; identifying the TCP connection as a normal connection if the verification succeeds, and identifying the TCP connection as an abnormal connection if the verification fails. The embodiments of the present invention make it possible to identify the TCP connections established with a client as abnormal connections when that client launches full-connection attacks against a server, thereby improving the detection accuracy for full-connection attacks.
PCT/CN2010/074660 2009-06-29 2010-06-29 Method, apparatus and gateway device for detecting abnormal connections WO2011000304A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910151032.0A CN101594269B (zh) 2009-06-29 2009-06-29 Method, apparatus and gateway device for detecting abnormal connections
CN200910151032.0 2009-06-29

Publications (1)

Publication Number Publication Date
WO2011000304A1 (fr) 2011-01-06

Family

ID=41408727

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/074660 WO2011000304A1 (fr) 2009-06-29 2010-06-29 Method, apparatus and gateway device for detecting abnormal connections

Country Status (2)

Country Link
CN (1) CN101594269B (fr)
WO (1) WO2011000304A1 (fr)

Families Citing this family (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101594269B (zh) * 2009-06-29 2012-05-02 成都市华为赛门铁克科技有限公司 Method, apparatus and gateway device for detecting abnormal connections
CN101771695A (zh) * 2010-01-07 2010-07-07 福建星网锐捷网络有限公司 TCP connection processing method, system and SYN proxy device
CN102025746B (zh) * 2010-12-21 2013-04-17 北京星网锐捷网络技术有限公司 Method, apparatus and network device for establishing a TCP connection
CN102571473B (zh) * 2010-12-29 2015-12-16 中兴通讯股份有限公司 Path fault detection method and apparatus
CN102263826B (zh) * 2011-08-11 2013-12-04 杭州华为企业通信技术有限公司 Method and apparatus for establishing a transport-layer connection
CN102347874A (zh) * 2011-11-10 2012-02-08 百度在线网络技术(北京)有限公司 FTP and SSH service monitoring method and system
CN102647404B (zh) * 2011-11-14 2014-10-22 北京安天电子设备有限公司 Flow aggregation method and apparatus for resisting flood attacks
CN102573111A (zh) * 2012-01-10 2012-07-11 中兴通讯股份有限公司 Method and apparatus for releasing Transmission Control Protocol resources
ES2628613T3 (es) * 2012-09-17 2017-08-03 Huawei Technologies Co., Ltd. Attack protection method and device
WO2015035576A1 (fr) * 2013-09-11 2015-03-19 北京东土科技股份有限公司 Industrial Ethernet based secure data transmission method, system and device
CN103561025B (zh) * 2013-11-01 2017-04-12 中国联合网络通信集团有限公司 Method, apparatus and system for testing DoS attack resistance
CN105187359B (zh) * 2014-06-17 2018-06-08 阿里巴巴集团控股有限公司 Method and apparatus for detecting attacking clients
CN104394140B (zh) * 2014-11-21 2018-03-06 南京邮电大学 SDN-based virtual network optimization method
CN107211011A (zh) * 2014-11-25 2017-09-26 恩西洛有限公司 System and method for malicious code detection
CN104618404A (zh) * 2015-03-10 2015-05-13 网神信息技术(北京)股份有限公司 Processing method, apparatus and system for preventing network attacks on web servers
CN106302347B (zh) * 2015-05-28 2019-11-05 阿里巴巴集团控股有限公司 Network attack handling method and apparatus
CN105049489A (zh) * 2015-06-25 2015-11-11 上海斐讯数据通信技术有限公司 Method for implementing the three-way handshake in U-Boot
CN106656922A (zh) * 2015-10-30 2017-05-10 阿里巴巴集团控股有限公司 Traffic-analysis-based network attack protection method and apparatus
CN107666383B (zh) * 2016-07-29 2021-06-18 阿里巴巴集团控股有限公司 HTTPS-based message processing method and apparatus
CN107087007A (zh) * 2017-05-25 2017-08-22 腾讯科技(深圳)有限公司 Network attack defense method, related device and system
CN107438074A (zh) * 2017-08-08 2017-12-05 北京神州绿盟信息安全科技股份有限公司 DDoS attack protection method and apparatus
CN108234516B (zh) * 2018-01-26 2021-01-26 北京安博通科技股份有限公司 Network flooding attack detection method and apparatus
CN108881044A (zh) * 2018-05-23 2018-11-23 新华三信息安全技术有限公司 Message processing method and apparatus
CN108810008B (zh) * 2018-06-28 2020-06-30 腾讯科技(深圳)有限公司 Transmission Control Protocol traffic filtering method, apparatus, server and storage medium
CN110830454B (zh) * 2019-10-22 2020-11-17 远江盛邦(北京)网络安全科技股份有限公司 Method for detecting security devices through TCP stack information leakage based on ALG protocols
CN111163114A (zh) * 2020-04-02 2020-05-15 腾讯科技(深圳)有限公司 Method and device for detecting network attacks
CN111857302A (zh) * 2020-06-19 2020-10-30 浪潮电子信息产业股份有限公司 System management bus reset method, apparatus and device
CN113709130A (zh) * 2021-08-20 2021-11-26 江苏通付盾科技有限公司 Honeypot-based risk identification method and apparatus
CN114257416A (zh) * 2021-11-25 2022-03-29 中科创达软件股份有限公司 Method and apparatus for adjusting blacklists and whitelists
CN114500021A (zh) * 2022-01-18 2022-05-13 神州绿盟成都科技有限公司 Attack detection method, apparatus, electronic device and storage medium
CN114338233A (zh) * 2022-02-28 2022-04-12 北京安帝科技有限公司 Traffic-parsing-based network attack detection method and system
CN115022384B (zh) * 2022-05-05 2023-10-13 北京北方华创微电子装备有限公司 HSMS communication connection method and apparatus
CN115150449B (zh) * 2022-06-30 2023-08-08 苏州浪潮智能科技有限公司 Method, system, terminal and storage medium for rejecting abnormal connections in network sharing

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1731784A (zh) * 2004-08-06 2006-02-08 华为技术有限公司 Security management method for Hypertext Transfer Protocol services
US20060272018A1 (en) * 2005-05-27 2006-11-30 Mci, Inc. Method and apparatus for detecting denial of service attacks
CN101047697A (zh) * 2006-03-29 2007-10-03 华为技术有限公司 Defense method and device against DDoS attacks on web servers
WO2008060009A1 (fr) * 2006-11-13 2008-05-22 Samsung Sds Co., Ltd. Method for preventing denial-of-service attacks using Transmission Control Protocol state transitions
CN101436958A (zh) * 2007-11-16 2009-05-20 太极计算机股份有限公司 Method for resisting denial-of-service attacks
CN101594269A (zh) * 2009-06-29 2009-12-02 成都市华为赛门铁克科技有限公司 Method, apparatus and gateway device for detecting abnormal connections

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1905553B (zh) * 2005-07-28 2011-04-20 易星 Method for guaranteeing access for selected users during a DoS attack or device overload
CN101175013B (zh) * 2006-11-03 2012-07-04 飞塔公司 Denial-of-service attack protection method, network system and proxy server
CN101202742B (zh) * 2006-12-13 2011-10-26 中兴通讯股份有限公司 Method and system for preventing denial-of-service attacks

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9052838B2 (en) * 2009-05-18 2015-06-09 Samsung Electronics Co., Ltd. Solid state drive device
CN106576286A (zh) * 2014-08-11 2017-04-19 瑞典爱立信有限公司 Method and apparatus for access control
EP3180944A4 (fr) * 2014-08-11 2018-01-17 Telefonaktiebolaget LM Ericsson (publ) Method and apparatus for access control
US10313957B2 (en) 2014-08-11 2019-06-04 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for access controlling
CN106576286B (zh) * 2014-08-11 2020-07-21 瑞典爱立信有限公司 Method and apparatus for access control

Also Published As

Publication number Publication date
CN101594269A (zh) 2009-12-02
CN101594269B (zh) 2012-05-02

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
  Ref document number: 10793599; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
  Ref country code: DE
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established
  Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC OF 290512
122 Ep: pct application non-entry in european phase
  Ref document number: 10793599; Country of ref document: EP; Kind code of ref document: A1