WO2016197498A1 - Method and device for preventing network attack, and storage medium - Google Patents


Info

Publication number
WO2016197498A1
Authority
WO
WIPO (PCT)
Prior art keywords
message
tcp
information
client
tcp packet
Prior art date
Application number
PCT/CN2015/092042
Other languages
French (fr)
Chinese (zh)
Inventor
高飞
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Definitions

  • the present invention relates to the field of network security, and in particular, to a method and device for preventing network attacks, and a storage medium.
  • the normal transmission control protocol (TCP) connection establishment process includes: the client sends a TCP packet with the SYN (synchronize) flag set to the access device; the access device replies with a TCP packet with both the SYN and ACK (acknowledgement) flags set, indicating that it has received and accepted the client's connection request; the client then returns a TCP packet with the ACK flag set to the access device. At this point the TCP connection is established. The above process is called the TCP three-way handshake.
  • if the client loses power after sending the SYN packet, the access device receives no response to its SYN+ACK packet and the three-way handshake cannot complete; such a connection is called a half-open connection.
  • normally, the access device retransmits the SYN+ACK packet after waiting for a period of time; if it still receives no packet with ACK set from the client, it tries again, until the maximum number of transmissions is reached, at which point it discards the connection and releases the memory.
  • in the prior art, the maximum number of received TCP connections of the access device is set to 128 and the number of times the server attempts to resend SYN+ACK packets is set to 5, while the number of TCP packets processed per unit time is not limited. (The specification attributes these values to RFC 793, which does not itself fix them; they match common implementation defaults such as Linux's tcp_synack_retries of 5 and a default listen backlog of 128.)
  • the SYN flood attack exploits the third step of the three-way handshake, in which the client must return a TCP packet with ACK set to the access device: the attacking client sends a large number of connection requests, each a TCP packet with a forged (spoofed) SYN, and never completes them.
  • a single client producing one half-open connection that makes the access device wait for a timeout is not surprising, but tens of thousands of half-open connections in a short time constitute a malicious attack.
  • in particular, TCP connections initiated by TCP packets with forged SYN flags will exhaust the resources of the access device's central processing unit (CPU) and fill its buffer. At that point the connection requests of normal TCP packets cannot be processed in time, which affects the normal communication of users.
  • CPU central processing unit
  • the embodiments of the present invention are directed to a method, a device, and a storage medium for preventing network attacks, which can effectively reduce SYN flood attacks and improve the efficiency of network attack prevention.
  • an embodiment of the present invention provides a method for preventing a network attack, where the method includes:
  • setting the number of times the first message is resent to k, where k is a natural number; acquiring the information of the TCP packet sent by the client and determining the information type according to the connection tracking entry, the information type including valid information and invalid information;
  • establishing connection tracking for the TCP packet of invalid information and sending the first message to the client; if the second message from the client is not received within the second unit time, resending the first message; when the number of resends is greater than k and the second message from the client has still not been received, deleting the connection tracking.
  • the method further includes: setting the number of received TCP connections to m, where m is a natural number;
  • establishing connection tracking for the TCP packet of invalid information and sending the first message to the client then includes: determining the number of currently received TCP connections;
  • if the number of currently received TCP connections is greater than m, the TCP packet is discarded; if it is less than or equal to m, connection tracking is established for the TCP packet and the first message is sent to the client.
  • k is 3, the first unit time is 1 second, and m is 1024.
  • the information of the TCP packet includes: source IP address, destination IP address, source port, destination port, and protocol;
  • the first message is a TCP packet with the SYN and ACK flags set (SYN+ACK);
  • the second message is a TCP packet with the ACK flag set.
  • an embodiment of the present invention further provides a device for preventing a network attack, where the device includes:
  • a setting module configured to set the number of times the first message is resent to k, where k is a natural number;
  • a determining module configured to acquire the information of the TCP packet sent by the client and determine the information type according to the connection tracking entry, the information type including valid information and invalid information;
  • a sending module configured to establish connection tracking for the TCP packet of invalid information and send the first message to the client;
  • a receiving module configured to resend the first message if the second message from the client is not received within the second unit time, and to delete the connection tracking when the number of resends is greater than k and the second message from the client has still not been received.
  • the setting module is further configured to set the number of received TCP connections to m, where m is a natural number;
  • the sending module is further configured to determine the number of currently received TCP connections and, if that number is greater than m, to discard the TCP packet, or, if it is less than or equal to m, to establish connection tracking for the TCP packet and send the first message to the client.
  • k is 3, the first unit time is 1 second, and m is 1024.
  • the information of the TCP packet includes: source IP address, destination IP address, source port, destination port, and protocol;
  • the first message is a TCP packet with the SYN and ACK flags set (SYN+ACK);
  • the second message is a TCP packet with the ACK flag set.
  • the method, device and storage medium for preventing a network attack provided by the embodiments of the present invention set the number of times the first message is resent to k, acquire the information of the TCP packet sent by the client and determine its type according to the connection tracking entry; when the information is invalid, they establish connection tracking for that TCP packet and send the first message to the client; if the second message from the client is not received within the second unit time, the first message is resent; and when the number of resends is greater than k and the second message has still not been received, the connection tracking is deleted. This implements transmission control of TCP packets, so that SYN flood attacks are effectively reduced and the efficiency of network attack prevention is improved.
  • FIG. 1 is a flowchart of Embodiment 1 of a method for preventing a network attack according to an embodiment of the present invention;
  • FIG. 2 is a flowchart of Embodiment 2 of a method for preventing a network attack according to an embodiment of the present invention;
  • FIG. 3 is a structural diagram of an apparatus for preventing a network attack according to an embodiment of the present invention.
  • FIG. 1 is a flowchart of Embodiment 1 of a method for preventing a network attack according to an embodiment of the present invention. As shown in FIG. 1, the method can include:
  • Step 101: set the number of times the first message is resent to k, where k is a natural number.
  • step 101 may specifically be: setting the number of retransmissions of the first message to k and the number of TCP packets processed in the first unit time to n, where k and n are natural numbers.
  • the access device includes, but is not limited to, a data card, customer premises equipment (CPE), and the like. Setting the number of retransmissions of the first message and the number of TCP packets processed in the first unit time to specific values on the access device lays the foundation for the subsequent SYN flood prevention.
  • the first message is a TCP packet with the SYN and ACK flags set (SYN+ACK), and the second message is a TCP packet with the ACK flag set.
  • the specific values of the parameters may be set before the access device leaves the factory, or may be set dynamically by the user on the access device according to the specific usage scenario and actual needs; the settings are not limited herein.
  • Step 102: acquire the information of the TCP packet sent by the client and determine the information type according to the connection tracking entry, where the information type includes valid information and invalid information.
  • after receiving a TCP packet whose SYN flag is set to 1, the access device extracts the information carried in the current TCP packet and looks it up in its connection tracking entries to determine whether the information is valid or invalid. If the information is valid, that is, the information of the current TCP packet already exists in the connection tracking entries of the access device, the access device forwards the current TCP packet directly; this is existing technique and is not described here. If the information is invalid, that is, the information of the current TCP packet does not exist in the connection tracking entries of the access device, step 103 is performed.
  • the processing of the current TCP packet information by the access device specifically includes:
  • the access device extracts the source IP address, destination IP address, source port, destination port and protocol from the information of the current TCP packet, and compares them with the source IP address, destination IP address, source port, destination port and protocol recorded in its connection tracking entries. If all five elements match, the information of the current TCP packet is determined to be valid information; if any one of the five elements does not match, the information of the current TCP packet is determined to be invalid information.
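The five-element comparison above is a lookup of the packet's five-tuple in the connection tracking table. The Python below is an added example, not code from the patent or from its assignee: it extracts the five-tuple and the TCP flags from a raw IPv4/TCP packet (honouring the IP header length so that packets carrying IP options are parsed correctly, and rejecting truncated or non-TCP input rather than misreading it), and classifies the packet as valid or invalid against a set of tracked five-tuples. The function names, the `build_ipv4_tcp` helper and the addresses used with it are constructed for this example; the checksums are left at zero because the packets are never put on the wire.

```python
"""Five-tuple extraction and the valid/invalid classification of step 102 (added example)."""
import ipaddress
import struct
from typing import NamedTuple, Optional, Set, Tuple

IPPROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


class FiveTuple(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int


def parse_ipv4_tcp(frame: bytes) -> Optional[Tuple[FiveTuple, int]]:
    """Return (five-tuple, TCP flags byte) for an IPv4/TCP packet, else None.
    Honours the IP header length (IHL) so IP options are skipped correctly, and
    rejects truncated frames and non-TCP protocols instead of misreading them."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if ihl < 20 or total_len < ihl + 20 or len(frame) < total_len or frame[9] != IPPROTO_TCP:
        return None
    src_ip = str(ipaddress.IPv4Address(frame[12:16]))
    dst_ip = str(ipaddress.IPv4Address(frame[16:20]))
    src_port, dst_port = struct.unpack("!HH", frame[ihl:ihl + 4])
    flags = frame[ihl + 13]
    return FiveTuple(src_ip, dst_ip, src_port, dst_port, IPPROTO_TCP), flags


def classify(frame: bytes, conntrack: Set[FiveTuple]) -> str:
    """Step 102/202: 'valid' if the five-tuple already has a tracking entry (all five
    elements match), 'invalid' if not, 'ignore' for anything that is not IPv4/TCP."""
    parsed = parse_ipv4_tcp(frame)
    if parsed is None:
        return "ignore"
    key, _flags = parsed
    return "valid" if key in conntrack else "invalid"


def build_ipv4_tcp(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                   flags: int, ip_options: bytes = b"") -> bytes:
    """Constructed packet for the example (checksums left at zero; never sent)."""
    assert len(ip_options) % 4 == 0, "IP options are padded to 32-bit words"
    ihl = 5 + len(ip_options) // 4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0, ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return ip + ip_options + tcp
```

Because the client's SYN and its later ACK share the same five-tuple, the SYN creates the entry and the ACK is classified as valid against it; a SYN from a new source port is a fresh request and is classified as invalid, which is the case steps 103/204 go on to handle.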
  • Step 103: establish connection tracking for the TCP packet of invalid information and send the first message to the client.
  • the access device creates a new connection tracking entry for the TCP packet of invalid information and sends a TCP packet with SYN+ACK set to the client.
  • establishing connection tracking for the TCP packet of invalid information and sending the first message to the client may further include:
  • the access device determines the number of currently received TCP connections; if that number is greater than m, the access device discards the TCP packet; if it is less than or equal to m, the access device establishes connection tracking for the TCP packet and sends the first message to the client, where m is a natural number.
  • Step 104: if the second message from the client is not received within the second unit time, resend the first message; when the number of resends is greater than k and the second message from the client has still not been received, delete the connection tracking.
  • if the access device has not received a TCP packet with ACK set from the client after the second unit time, it resends the TCP packet with SYN+ACK set and counts the number of such resends. If the number of retransmissions is less than or equal to the number set in step 101 and the access device then receives the client's packet with ACK set, the access device forwards that TCP packet; if the number of retransmissions is greater than the number set in step 101, the access device deletes the connection tracking record of the TCP packet.
  • the first unit time and the second unit time may be set according to actual needs and are not limited herein.
  • the method for preventing a network attack sets the number of retransmissions of the TCP packet with SYN+ACK set to k, the number of TCP packets processed in the first unit time to n, and the number of received TCP connections to m, and thereby controls the transmission of TCP packets during the handshake. This can effectively reduce SYN flood attacks, improve the efficiency of network attack defense, and reduce CPU resource exhaustion in the access device, so that the connection requests of normal TCP packets can be processed in time and the normal communication of users is ensured.
  • in the method for preventing a network attack provided by this embodiment, the number of times the TCP packet with SYN+ACK set is resent is set to k, the number of TCP packets processed in the first unit time to n, and the number of received TCP connections to m. The access device determines the information type of the current TCP packet according to the connection tracking entry; after determining that the information is invalid, it decides according to the number of currently received TCP connections whether to establish connection tracking for the current TCP packet and send a TCP packet with SYN+ACK set to the client. If the access device does not receive a TCP packet with ACK set from the client within the second unit time, it resends the SYN+ACK packet; when the number of resends is greater than k and the packet with ACK set has still not been received, the current connection tracking is deleted. In this way, SYN flood attacks are effectively reduced and the efficiency of network attack prevention is improved. In addition, the problem of the access device's CPU being exhausted and its buffer being filled is reduced, so that the connection requests of normal TCP packets can be processed in time and the normal communication of users is ensured.
  • the embodiment of the invention further provides a computer readable storage medium, the storage medium comprising a set of instructions for performing the method for preventing a network attack as described above.
  • FIG. 2 is a flowchart of Embodiment 2 of a method for preventing a network attack according to an embodiment of the present invention. As shown in FIG. 2, the method includes:
  • Step 201: set the specific values of the parameters.
  • the purpose of setting reasonable parameters is to prevent SYN flood attacks, so the rationality of the parameter settings is very important.
  • because a home gateway product is oriented to ordinary users, the number of times the access device attempts to resend the SYN+ACK packet is set to 3, the number of TCP packets processed in the first unit time is set to 10, and the number of received TCP connections is set to 1024.
  • the specific parameter values are given by way of example in this embodiment; they can be set according to actual needs and are not limited herein.
  • Step 202: acquire the information of the TCP packet sent by the client and determine the information type according to the connection tracking entry, where the information type includes valid information and invalid information.
  • after receiving a TCP packet whose SYN flag is set to 1, the access device extracts the information carried in the current TCP packet and looks it up in its connection tracking entries. If the information is valid, that is, the information of the current TCP packet exists in the connection tracking entries of the access device, step 203 is performed; if the information is invalid, that is, the information of the current TCP packet does not exist in the connection tracking entries of the access device, step 204 is performed.
  • the processing of the current TCP packet information by the access device is specifically as follows:
  • the access device extracts the source IP address, destination IP address, source port, destination port and protocol from the information of the current TCP packet and compares them with those recorded in its connection tracking entries. If all five elements match, the information of the current TCP packet is determined to be valid information; if any one of the five elements does not match, the information is determined to be invalid information.
  • Step 203: forward the current TCP packet directly.
  • Step 204: determine whether the number of currently established TCP connections is greater than the number of received TCP connections (m).
  • if the number of currently established TCP connections is greater than the number of received TCP connections, the access device performs step 205; if it is less than or equal to that number, the access device performs step 206.
  • Step 205: discard the current TCP packet (the connection request).
  • Step 206: establish connection tracking for the TCP packet of invalid information and send a TCP packet with SYN+ACK set to the client.
  • Step 207: determine whether a TCP packet with ACK set is received from the client within the second unit time.
  • if the access device receives the TCP packet with ACK set from the client within the second unit time, it performs step 208; if it does not, it performs step 209.
  • Step 208: determine that the TCP connection is normal.
  • Step 209: resend the TCP packet with SYN+ACK set.
  • Step 210: determine whether the number of times the TCP packet with SYN+ACK set has been resent is greater than the configured retransmission limit k (3 in this embodiment).
  • if the number of resends is not greater than k, the process returns to step 207; if it is greater than k, step 211 is performed.
  • Step 211: delete the connection tracking of the current TCP packet.
  • the first unit time and the second unit time may be set according to actual requirements and are not limited herein.
  • compared with the prior art, the method for preventing network attacks provided by this embodiment reduces the number of unnecessary SYN+ACK retransmissions, increases the number of received TCP connections, and limits the number of TCP packets processed per unit time. By raising one limit and lowering the others, SYN flood attacks can be effectively reduced and the efficiency of network attack prevention is improved. In addition, when the CPU resources of the access device are depleted and its buffer is filled, the connection requests of normal TCP packets can still be processed in time, ensuring the normal communication of users.
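The flow of steps 201 to 211 (and the equivalent steps 101 to 104 of Embodiment 1) can be exercised as a small simulation. The Python below is an added example, not code from the patent or from its assignee. It models the access device's connection tracking with the three limits k, m and n, drives it with constructed traffic (2000 spoofed SYNs inside one second that are never acknowledged, plus one legitimate client during the flood and one after it), and compares the prior-art settings from the background section (k=5, m=128, no per-unit-time limit) with the settings of this embodiment (k=3, n=10, m=1024). The class and function names are the example's own. Assumptions specific to the example: the second unit time is a fixed 1 s between SYN+ACK resends (the patent leaves it unspecified and real stacks typically back off exponentially), the per-unit-time limit n is applied to SYN packets that have no tracking entry, and m is treated as a hard cap on the tracking table (the text compares with "greater than m" before insertion, which would admit one extra entry).

```python
"""Simulation of the access-device handshake controls of this patent (added example).
k: SYN+ACK resends before tracking is deleted; n: new SYNs accepted per first unit
time (None = unlimited, as in the prior art); m: connection-tracking capacity."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional, Tuple

FiveTuple = Tuple[str, str, int, int, int]  # src_ip, dst_ip, src_port, dst_port, proto

@dataclass
class Params:
    k: int
    n: Optional[int]
    m: int
    t1: float = 1.0  # first unit time (s)
    t2: float = 1.0  # second unit time: wait for the client's ACK before resending (assumed fixed)

@dataclass
class Entry:
    last_synack: float  # when the latest SYN+ACK was sent
    retransmits: int = 0
    established: bool = False

@dataclass
class Stats:
    forwarded: int = 0        # packets whose five-tuple matched an entry (valid information)
    dropped_over_n: int = 0   # SYNs discarded by the per-unit-time limit
    dropped_over_m: int = 0   # SYNs discarded because tracking is full (step 205)
    deleted_after_k: int = 0  # entries deleted after k unanswered resends (step 211)
    peak_tracked: int = 0

class AccessDevice:
    def __init__(self, p: Params) -> None:
        self.p = p
        self.track: Dict[FiveTuple, Entry] = {}
        self.recent: Deque[float] = deque()  # times of SYNs accepted inside the t1 window
        self.stats = Stats()

    def _within_rate(self, now: float) -> bool:
        if self.p.n is None:
            return True
        while self.recent and now - self.recent[0] >= self.p.t1:
            self.recent.popleft()
        return len(self.recent) < self.p.n

    def expire(self, now: float) -> None:
        """Steps 207-211: resend SYN+ACK every t2 while no ACK arrives; delete after k resends."""
        for key, e in list(self.track.items()):
            while not e.established and now - e.last_synack >= self.p.t2:
                if e.retransmits >= self.p.k:
                    del self.track[key]
                    self.stats.deleted_after_k += 1
                    break
                e.retransmits += 1
                e.last_synack += self.p.t2

    def receive(self, key: FiveTuple, flag: str, now: float) -> str:
        """Handle one client packet ('SYN' or 'ACK'); return 'forward', 'synack' or 'drop'."""
        self.expire(now)
        e = self.track.get(key)
        if e is not None:                # steps 202/203: valid information, forward directly
            if flag == "ACK":
                e.established = True     # step 208: handshake completed
            self.stats.forwarded += 1
            return "forward"
        if flag != "SYN":                # no entry and not a connection request
            return "drop"
        if not self._within_rate(now):   # limit n (its position in the flow is assumed)
            self.stats.dropped_over_n += 1
            return "drop"
        if len(self.track) >= self.p.m:  # steps 204/205, m treated as a hard cap
            self.stats.dropped_over_m += 1
            return "drop"
        self.recent.append(now)
        self.track[key] = Entry(last_synack=now)  # step 206: new entry, SYN+ACK sent
        self.stats.peak_tracked = max(self.stats.peak_tracked, len(self.track))
        return "synack"

PRIOR_ART = Params(k=5, n=None, m=128)  # background section (with the assumed fixed t2)
EMBODIMENT = Params(k=3, n=10, m=1024)  # step 201 of Embodiment 2
SERVER = "192.0.2.1"

def simulate(p: Params) -> dict:
    """Constructed traffic: 2000 spoofed SYNs spread over the first second and never
    acknowledged, plus two legitimate clients (SYN at 0.5 s and 1.5 s, ACK 50 ms later)."""
    dev = AccessDevice(p)
    during: FiveTuple = ("198.51.100.7", SERVER, 51000, 80, 6)
    after: FiveTuple = ("198.51.100.8", SERVER, 51001, 80, 6)
    events = [(i / 2000, (f"10.0.{i // 256}.{i % 256}", SERVER, 40000 + i, 80, 6), "SYN")
              for i in range(2000)]
    events += [(0.5, during, "SYN"), (0.55, during, "ACK"), (1.5, after, "SYN"), (1.55, after, "ACK")]
    events.sort(key=lambda ev: ev[0])
    actions: Dict[FiveTuple, list] = {during: [], after: []}
    for t, key, flag in events:
        act = dev.receive(key, flag, t)
        if key in actions:
            actions[key].append(act)
    dev.expire(30.0)  # let every unanswered entry run through all of its resends
    return {"during_flood": tuple(actions[during]), "after_flood": tuple(actions[after]),
            "stats": dev.stats, "tracked_at_end": len(dev.track)}

if __name__ == "__main__":
    for p in (PRIOR_ART, EMBODIMENT):
        print(simulate(p))
```

With the embodiment's settings the flood never occupies more than n entries per second and those entries are released after three resends, so the client that connects after the flood completes its handshake; with the prior-art settings the 128-entry table is filled within the first 64 ms of the flood and is still full 1.5 s later, so the same client is dropped. The caveat is the client that arrives during the flood: the per-second budget n is shared with the attacker, so that client is dropped under both configurations. n therefore protects the device's CPU and memory rather than guaranteeing service during a flood, and a home gateway that sets n to 10 should expect legitimate connection attempts to fail while a flood is in progress.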
  • FIG. 3 is a structural diagram of an apparatus for preventing a network attack according to an embodiment of the present invention.
  • the apparatus for preventing network attacks may include: a setting module 031, a determining module 032, a sending module 033, and a receiving module 034; among them,
  • the setting module 031 is configured to set the number of times the first message is resent to k, where k is a natural number; in an actual application, the setting module 031 is configured to set the number of times the first message is resent to k and the number of TCP packets processed in the first unit time to n, where k and n are natural numbers;
  • the determining module 032 is configured to acquire the information of the TCP packet sent by the client and determine the information type according to the connection tracking entry, the information type including valid information and invalid information;
  • the sending module 033 is configured to establish connection tracking for the TCP packet of invalid information and send the first message to the client;
  • the receiving module 034 is configured to resend the first message if the second message from the client is not received within the second unit time, and to delete the connection tracking when the number of resends is greater than k and the second message from the client has still not been received.
  • the setting module 031 is further configured to set the number of received TCP connections to m, where m is a natural number;
  • the sending module 033 is further configured to determine the number of currently received TCP connections and, if that number is greater than m, to discard the TCP packet, or, if it is less than or equal to m, to establish connection tracking for the TCP packet and send the first message to the client.
  • k is 3, the first unit time is 1 second, n is 10, and m is 1024.
  • the information of the TCP packet includes: source IP address, destination IP address, source port, destination port, and protocol;
  • the first message is a TCP packet with the SYN and ACK flags set (SYN+ACK);
  • the second message is a TCP packet with the ACK flag set.
  • the device in this embodiment may be used to implement the technical solution of the foregoing method embodiments; the implementation principle and technical effect are similar and are not described again here.
  • the setting module 031, the determining module 032, the sending module 033 and the receiving module 034 may be implemented by a central processing unit (CPU), a microprocessor (MPU), a digital signal processor (DSP) or a field programmable gate array (FPGA) located on the access device.
  • CPU central processing unit
  • MPU microprocessor
  • DSP digital signal processor
  • FPGA field programmable gate array
  • embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention can take the form of a hardware embodiment, a software embodiment, or a combination of software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage, etc.) including computer usable program code.
  • the computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising an instruction device that implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • these computer program instructions can also be loaded onto a computer or other programmable data processing device so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • in summary, the embodiments of the present invention set the number of times the first message is resent to k, acquire the information of the TCP packet sent by the client and determine its type according to the connection tracking entry, establish connection tracking for the TCP packet of invalid information and send the first message to the client, resend the first message when the second message from the client is not received within the second unit time, and delete the connection tracking when the number of retransmissions is greater than k and the second message has still not been received; this implements transmission control of TCP packets, so that SYN flood attacks are effectively reduced and the efficiency of network attack prevention is improved.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed is a method for preventing a network attack, comprising: setting the number of times of resending a first message to be k, where k is a natural number; acquiring information about a TCP packet sent by a client, and determining the type of the information according to a connection tracking table entry, wherein the type of the information comprises valid information and invalid information; establishing connection tracking for the TCP packet of the invalid information, and sending the first message to the client; and if a second message sent by the client is not received within a second unit time, resending the first message, and if the number of times of resending is greater than k and the second message sent by the client is still not received, deleting the connection tracking. Also disclosed are a device for preventing a network attack, and a storage medium.

Description

Method, device and storage medium for preventing network attack

Technical field
The present invention relates to the field of network security, and in particular to a method and device for preventing network attacks, and a storage medium.
Background technique
With the popularity of network technology, people enjoy rich network resources but also face the danger of network attacks.
The normal transmission control protocol (TCP) connection establishment process includes: the client sends a TCP packet with the synchronize (SYN) flag set to the access device; after receiving it, the access device returns to the client a TCP packet with both the SYN and acknowledgement (ACK) flags set, indicating that the access device has received the client's connection request and accepts it; the client then returns a TCP packet with the ACK flag set to the access device. At this point the normal TCP connection is established. The above process is called the TCP three-way handshake.
Suppose the client loses power after sending the TCP packet with the SYN flag set. The access device then receives no response to the TCP packet with SYN+ACK set that it sent, and the TCP three-way handshake cannot complete; such a TCP connection is called a half-open connection. Normally, the access device waits for a period of time and then resends the TCP packet with SYN+ACK set; if after resending and waiting again it still receives no TCP packet with ACK set from the client, the access device tries again, until the number of transmissions reaches the maximum, at which point the access device discards the connection and releases the memory. In the prior art, the maximum number of received TCP connections of the access device is set to 128, the number of times the server attempts to resend SYN+ACK packets is set to 5, and the number of TCP packets processed per unit time is not limited. (The specification attributes these values to RFC 793, which does not itself fix them; they match common implementation defaults such as Linux's tcp_synack_retries of 5 and a default listen backlog of 128.)
The SYN flood attack exploits the third step of the TCP three-way handshake, in which the client must return a TCP packet with ACK set to the access device: a SYN flood attack is a client sending a large number of TCP connection requests consisting of TCP packets with forged SYN flags. A single client producing one half-open connection as described above, which makes the access device wait for a timeout, is not surprising, but tens of thousands of half-open connections in a short time constitute a malicious attack. In particular, TCP connections initiated by TCP packets with forged SYN flags will exhaust the resources of the access device's central processing unit (CPU) and fill its buffer. At that point the connection requests of normal TCP packets cannot be processed in time, which affects the normal communication of users.
Summary of the invention
In view of this, embodiments of the present invention aim to provide a method and device for preventing network attacks, and a storage medium, which can effectively reduce SYN flood attacks and improve the efficiency of network attack prevention.
To this end, an embodiment of the present invention provides a method for preventing a network attack, the method comprising:
setting the number of times a first message is retransmitted to k, where k is a natural number;
obtaining the information of a TCP segment sent by a client and determining the type of that information from the connection tracking entries, the information type being either valid information or invalid information;
establishing connection tracking for a TCP segment whose information is invalid and sending the first message to the client;
if no second message is received from the client within a second unit time, retransmitting the first message; and when the number of retransmissions exceeds k and the second message from the client has still not been received, deleting the connection tracking.
In the above method, the method further comprises: setting the number of accepted TCP connections to m, where m is a natural number;
and establishing connection tracking for the TCP segment whose information is invalid and sending the first message to the client comprises:
determining the number of TCP connections currently accepted;
if the number of TCP connections currently accepted is greater than m, discarding the TCP segment; if it is less than or equal to m, establishing connection tracking for the TCP segment and sending the first message to the client.
In the above method, k is 3, the first unit time is 1 second, and m is 1024.
In the above method, the information of the TCP segment comprises: source IP address, destination IP address, source port, destination port and protocol;
the first message is a TCP segment with the handshake flag SYN and the acknowledgement flag ACK both set (SYN+ACK);
the second message is a TCP segment with the ACK flag set.
In addition, to achieve the above object, an embodiment of the present invention further provides a device for preventing a network attack, the device comprising:
a setting module, configured to set the number of times the first message is retransmitted to k, where k is a natural number;
a determining module, configured to obtain the information of a TCP segment sent by a client and determine the type of that information from the connection tracking entries, the information type being either valid information or invalid information;
a sending module, configured to establish connection tracking for a TCP segment whose information is invalid and send the first message to the client;
a receiving module, configured to retransmit the first message if no second message is received from the client within the second unit time, and to delete the connection tracking when the number of retransmissions exceeds k and the second message from the client has still not been received.
In the above device, the setting module is further configured to set the number of accepted TCP connections to m, where m is a natural number;
the sending module is further configured to determine the number of TCP connections currently accepted;
and is further configured to discard the TCP segment if the number of TCP connections currently accepted is greater than m, and to establish connection tracking for the TCP segment and send the first message to the client if that number is less than or equal to m.
In the above device, k is 3, the first unit time is 1 second, and m is 1024.
In the above device, the information of the TCP segment comprises: source IP address, destination IP address, source port, destination port and protocol;
the first message is a TCP segment with the handshake flag SYN and the acknowledgement flag ACK both set (SYN+ACK);
the second message is a TCP segment with the ACK flag set.
The method and device for preventing network attacks and the storage medium provided by the embodiments of the present invention set the number of times the first message is retransmitted to k, obtain the information of the TCP segment sent by the client and determine its type from the connection tracking entries; when the information is invalid, they establish connection tracking for that TCP segment and send the first message to the client; when no second message is received from the client within the second unit time they retransmit the first message; and when the number of retransmissions exceeds k and the second message from the client has still not been received, they delete the connection tracking. Transmission of TCP segments is thereby controlled, SYN flood attacks are effectively reduced, and the efficiency of network attack prevention is improved.
Brief description of the drawings
FIG. 1 is a flowchart of Embodiment 1 of the method for preventing a network attack according to an embodiment of the present invention;
FIG. 2 is a flowchart of Embodiment 2 of the method for preventing a network attack according to an embodiment of the present invention;
FIG. 3 is a structural diagram of an embodiment of the device for preventing a network attack according to an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings.
FIG. 1 is a flowchart of Embodiment 1 of the method for preventing a network attack according to an embodiment of the present invention. As shown in FIG. 1, the method may include:
Step 101: set the number of times the first message is retransmitted to k, where k is a natural number.
In this embodiment, step 101 may specifically be: setting the number of times the first message is retransmitted to k and the number of Transmission Control Protocol (TCP) segments processed per first unit time to n, where k and n are natural numbers.
In this embodiment the access device includes, but is not limited to, a data card, customer premise equipment (CPE) and the like. On the access device, the number of times the first message is retransmitted and the number of TCP segments processed per first unit time are both set to specific values, which lays the foundation for the subsequent prevention of SYN flood attacks. Here the first message is a TCP segment with SYN+ACK set, and the second message is a TCP segment with ACK set. In this embodiment these parameter values may be set before the access device leaves the factory, or the access device may allow the user to set them dynamically according to the specific usage scenario; they can be set according to actual needs and are not limited here.
Step 102: obtain the information of the TCP segment sent by the client and determine the type of that information from the connection tracking entries, the information type being either valid information or invalid information.
In this step, after receiving a TCP segment whose SYN flag is set to 1, the access device extracts the information carried in that segment and checks against its connection tracking entries whether the information is valid or invalid. If it is valid, that is, the information of the current TCP segment exists in the access device's connection tracking entries, the access device forwards the current TCP segment directly (this is existing practice and is not described further here). If it is invalid, that is, the information of the current TCP segment does not exist in the access device's connection tracking entries, step 103 is performed.
The access device's processing of the information of the current TCP segment is specifically as follows:
the access device extracts the source IP address, destination IP address, source port, destination port and protocol from the information of the current TCP segment and compares them with the source IP address, destination IP address, source port, destination port and protocol stored for the corresponding connection in the access device's connection tracking entries. Only if all five elements match is the information of the current TCP segment determined to be valid; if any one of the five elements does not match, the information of the current TCP segment is determined to be invalid.
Step 103: establish connection tracking for the TCP segment whose information is invalid and send the first message to the client.
Here, the access device creates a new connection tracking entry in the access device for the TCP segment whose information is invalid and at the same time sends the client a TCP segment with SYN+ACK set.
In this step, establishing connection tracking for the TCP segment whose information is invalid and sending the first message to the client may further specifically include:
setting the number of accepted TCP connections to m, where m is a natural number;
the access device determining the number of TCP connections currently accepted;
if the number of TCP connections currently accepted is greater than m, the access device discarding the TCP segment; if it is less than or equal to m, the access device establishing connection tracking for the TCP segment and sending the first message to the client, where m is a natural number.
Step 104: if no second message is received from the client within the second unit time, retransmit the first message; when the number of retransmissions exceeds k and the second message from the client has still not been received, delete the connection tracking.
Here, if the access device does not receive a TCP segment with ACK set from the client within the second unit time, it retransmits the TCP segment with SYN+ACK set and records the number of SYN+ACK retransmissions. If the access device receives the client's TCP segment with ACK set while the number of retransmissions is still less than or equal to the k set in step 101, it forwards that segment; if the number of retransmissions exceeds the k set in step 101, the access device deletes the connection tracking record for that TCP segment.
It should be noted that in this embodiment the first unit time and the second unit time can be set according to actual needs and are not limited here.
The method for preventing network attacks provided by the embodiment of the present invention sets the number of times the TCP segment with SYN+ACK set is retransmitted to k, the number of TCP segments processed per first unit time to n and the number of accepted TCP connections to m, and controls the transmission of TCP segments during their transfer. This effectively reduces SYN flood attacks, improves the efficiency of network attack prevention, and makes CPU resource exhaustion and buffer overflow in the access device less likely, so that the connection requests of legitimate TCP segments can be handled in time and normal user communication is maintained.
Specifically, the method for preventing network attacks provided by the embodiment of the present invention sets the number of times the TCP segment with SYN+ACK set is retransmitted to k, the number of TCP segments processed per first unit time to n and the number of accepted TCP connections to m. The access device determines the information type of the current TCP segment from the connection tracking entries; once the information is determined to be invalid, the access device decides from the number of TCP connections currently accepted whether to establish connection tracking for the current TCP segment, and sends the client a TCP segment with SYN+ACK set. If the access device does not receive a TCP segment with ACK set from the client within the second unit time, it retransmits the TCP segment with SYN+ACK set; when the number of retransmissions exceeds k and the client's TCP segment with ACK set has still not been received, it deletes the current connection tracking. In this way SYN flood attacks are effectively reduced and the efficiency of network attack prevention is improved. In addition, CPU resource exhaustion and buffer overflow in the access device become less likely, so that the connection requests of legitimate TCP segments can be handled in time and normal user communication is maintained.
An embodiment of the present invention further provides a computer-readable storage medium comprising a set of instructions for performing the method for preventing a network attack described above.
To illustrate the object of the present invention further, a more detailed example is given on the basis of the above embodiment. FIG. 2 is a flowchart of Embodiment 2 of the method for preventing a network attack according to an embodiment of the present invention. As shown in FIG. 2, the method includes:
Step 201: set the specific values of the parameters.
SYN flood prevention is achieved by setting reasonable parameters, so the rationality of the parameter settings is important. This embodiment targets home gateway products used by ordinary users, so the number of times the access device attempts to retransmit the SYN+ACK segment is set to 3, the number of TCP segments processed per first unit time is set to 10 per second, and the number of accepted TCP connections is set to 1024. It should be noted that in this embodiment of the present invention these specific values are given by way of example; they can be set according to actual needs and are not limited here.
Step 202: obtain the information of the TCP segment sent by the client and determine the type of that information from the connection tracking entries, the information type being either valid information or invalid information.
After receiving a TCP segment whose SYN flag is set to 1, the access device extracts the information carried in that segment and checks against its connection tracking entries whether the information is valid or invalid. If it is valid, that is, the information of the current TCP segment exists in the access device's connection tracking entries, step 203 is performed; if it is invalid, that is, the information of the current TCP segment does not exist in the access device's connection tracking entries, step 204 is performed.
The access device's processing of the information of the current TCP segment is specifically as follows:
the access device extracts the source IP address, destination IP address, source port, destination port and protocol from the information of the current TCP segment and compares them with the source IP address, destination IP address, source port, destination port and protocol stored for the corresponding connection in the access device's connection tracking entries. Only if all five elements match is the information of the current TCP segment determined to be valid; if any one of the five elements does not match, the information of the current TCP segment is determined to be invalid.
Step 203: forward the current TCP segment directly.
Step 204: determine whether the number of TCP connections currently established is greater than the number of accepted TCP connections.
If the number of TCP connections currently established is greater than the number of accepted TCP connections, the access device performs step 205; if it is less than or equal to the number of accepted TCP connections, the access device performs step 206.
Step 205: discard the current connection request, that is, drop the current TCP segment without establishing connection tracking (as in step 103).
Step 206: establish connection tracking for the TCP segment whose information is invalid and send the client a TCP segment with SYN+ACK set.
Step 207: determine whether a TCP segment with ACK set has been received from the client within the second unit time.
If the access device receives the client's TCP segment with ACK set within the second unit time, it performs step 208; if the access device does not receive the client's TCP segment with ACK set within the second unit time, it performs step 209.
Step 208: determine that the TCP connection is normal.
Step 209: retransmit the TCP segment with SYN+ACK set.
Step 210: determine whether the number of times the TCP segment with SYN+ACK set has been retransmitted is greater than 1024 (the original text gives 1024 here, although step 201 sets the SYN+ACK retransmission count to 3 and 1024 is the accepted-connection limit).
If the number of SYN+ACK retransmissions is not greater than that threshold, return to step 207; if it is greater, perform step 211.
Step 211: delete the connection tracking of the current TCP segment.
It should be noted that in this embodiment of the present invention the first unit time and the second unit time can be set according to actual needs and are not limited here.
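The following Python model is an added example and is not code from the patent or from 中兴通讯股份有限公司; it implements the procedure of steps 101 to 104 (Embodiment 1) and steps 201 to 211 (Embodiment 2) on one access device: five-tuple lookup against the connection tracking entries, a limit of n new requests per first unit time, a limit of m tracked connections, SYN+ACK retransmission every second unit time and deletion of the entry once it has been retransmitted more than k times. The class and function names (AccessDevice, Track, receive, tick, simulate), the fixed-window form of the n limit, the treatment of an untracked segment without SYN as a drop, and the sample addresses are assumptions; the scenario fed into it is constructed. It shows what the text only states: a flood of spoofed SYNs is capped at n per unit time, the accepted half-open entries are retransmitted k times and then expire, and a legitimate client that completes the handshake is forwarded throughout.

```python
# Added example, not the patent's or ZTE's code: a model of the access-device
# SYN-flood control with the page's parameters k, n and m. Names, the
# fixed-window rate limiter and the sample addresses are assumptions.
from dataclasses import dataclass

FiveTuple = tuple[str, str, int, int, str]

@dataclass
class Segment:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    syn: bool = False
    ack: bool = False
    proto: str = "tcp"

    def key(self) -> FiveTuple:   # the five elements compared with the entries
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)

@dataclass
class Track:
    last_synack: float      # when the last SYN+ACK was sent
    resent: int = 0         # SYN+ACK retransmissions so far
    established: bool = False

class AccessDevice:
    def __init__(self, k: int = 3, n: int = 10, m: int = 1024,
                 first_unit: float = 1.0, second_unit: float = 1.0) -> None:
        self.k, self.n, self.m = k, n, m
        self.first_unit, self.second_unit = first_unit, second_unit
        self.table: dict[FiveTuple, Track] = {}
        self.window_start, self.window_count = 0.0, 0
        self.stats = {"forwarded": 0, "synack": 0, "rate_drop": 0,
                      "limit_drop": 0, "expired": 0}

    def half_open(self) -> int:
        return sum(1 for t in self.table.values() if not t.established)

    def receive(self, seg: Segment, now: float) -> str:
        # steps 102/103 (202 to 206): five-tuple lookup, then forward, SYN+ACK or drop
        entry = self.table.get(seg.key())
        if entry is not None:                        # valid information
            if seg.ack and not seg.syn:
                entry.established = True             # the second message arrived
            self.stats["forwarded"] += 1
            return "forward"
        if not seg.syn:                              # untracked and not a request
            return "drop"
        # at most n new requests per first unit time (fixed window, an assumption)
        if now - self.window_start >= self.first_unit:
            self.window_start, self.window_count = now, 0
        if self.window_count >= self.n:
            self.stats["rate_drop"] += 1
            return "drop"
        self.window_count += 1
        # at most m tracked connections, checked before the new entry is added
        if len(self.table) > self.m:
            self.stats["limit_drop"] += 1
            return "drop"
        self.table[seg.key()] = Track(last_synack=now)   # new connection tracking
        self.stats["synack"] += 1
        return "syn_ack"

    def tick(self, now: float) -> list[FiveTuple]:
        # step 104 (207 to 211): after the second unit time without an ACK,
        # retransmit SYN+ACK; delete the entry once resent more than k times
        deleted: list[FiveTuple] = []
        for key, t in list(self.table.items()):
            if t.established or now - t.last_synack < self.second_unit:
                continue
            t.resent += 1
            if t.resent > self.k:
                del self.table[key]
                self.stats["expired"] += 1
                deleted.append(key)
            else:
                t.last_synack = now
                self.stats["synack"] += 1
        return deleted

def request(src: str, sport: int, ack: bool = False) -> Segment:
    # constructed client segment towards the access device at 192.0.2.1:80
    return Segment(src, "192.0.2.1", sport, 80, syn=not ack, ack=ack)

def simulate() -> dict:
    # constructed scenario with k=3, n=10, m=1024: one legitimate client that
    # completes the handshake plus a burst of 30 SYNs from spoofed sources
    dev = AccessDevice(k=3, n=10, m=1024)
    dev.receive(request("198.51.100.7", 40000), now=0.0)            # legitimate SYN
    for i in range(30):                                              # flood burst
        dev.receive(request(f"203.0.113.{i}", 5000 + i), now=0.0)
    dev.receive(request("198.51.100.7", 40000, ack=True), now=0.1)  # legitimate ACK
    peak = dev.half_open()
    for when in (1.0, 2.0, 3.0, 4.0):   # the access device's timeout checks
        dev.tick(when)
    return {"peak_half_open": peak, "half_open": dev.half_open(),
            "established": sum(t.established for t in dev.table.values()),
            **dev.stats}
```

Running simulate() with the page's values shows the burst reduced to 10 tracked entries by the n limit, each of the 9 spoofed entries answered with SYN+ACK and retransmitted 3 times before being deleted on the fourth timeout, and the legitimate connection forwarded. Note that, unlike SYN cookies, this scheme still allocates a tracking entry per accepted SYN, so m and n are what bound memory and CPU use; the m check is applied before the new entry is created, exactly as the text words it, so m+1 entries can be tracked before the drop branch is taken.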
Compared with the prior art, the method for preventing network attacks provided by the embodiment of the present invention increases the number of accepted TCP connections while reducing unnecessary SYN+ACK retransmissions and limiting the number of TCP segments processed per unit time. This "one increase, two decreases" approach effectively reduces SYN flood attacks and improves the efficiency of network attack prevention; it also makes CPU resource exhaustion and buffer overflow in the access device less likely, so that the connection requests of legitimate TCP segments can be handled in time and normal user communication is maintained.
FIG. 3 is a structural diagram of an embodiment of the device for preventing a network attack according to an embodiment of the present invention. As shown in FIG. 3, the device 03 for preventing a network attack may include a setting module 031, a determining module 032, a sending module 033 and a receiving module 034, where:
the setting module 031 is configured to set the number of times the first message is retransmitted to k, where k is a natural number; in practice, the setting module 031 is specifically configured to set the number of times the first message is retransmitted to k and the number of Transmission Control Protocol (TCP) segments processed per first unit time to n, where k and n are natural numbers;
the determining module 032 is configured to obtain the information of a TCP segment sent by a client and determine the type of that information from the connection tracking entries, the information type being either valid information or invalid information;
the sending module 033 is configured to establish connection tracking for a TCP segment whose information is invalid and send the first message to the client;
the receiving module 034 is configured to retransmit the first message if no second message is received from the client within the second unit time, and to delete the connection tracking when the number of retransmissions exceeds k and the second message from the client has still not been received.
Further, the setting module 031 is further configured to set the number of accepted TCP connections to m, where m is a natural number;
the sending module 033 is further configured to determine the number of TCP connections currently accepted;
and is further configured to discard the TCP segment if the number of TCP connections currently accepted is greater than m, and to establish connection tracking for the TCP segment and send the first message to the client if that number is less than or equal to m.
Further, k is 3, the first unit time is 1 second, n is 10, and m is 1024.
Further, the information of the TCP segment comprises: source IP address, destination IP address, source port, destination port and protocol;
the first message is a TCP segment with the handshake flag SYN and the acknowledgement flag ACK both set (SYN+ACK);
the second message is a TCP segment with the ACK flag set.
The device of this embodiment may be used to carry out the technical solution of the method embodiments above; its implementation principle and technical effect are similar and are not repeated here.
In practice, the setting module 031, determining module 032, sending module 033 and receiving module 034 may be implemented by a central processing unit (CPU), microprocessor (MPU), digital signal processor (DSP), field-programmable gate array (FPGA) or similar device located on the access device.
Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It will be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The above are merely preferred embodiments of the present invention and are not intended to limit its scope of protection.
Industrial applicability
The embodiments of the present invention set the number of times the first message is retransmitted to k, obtain the information of the TCP segment sent by the client and determine its type from the connection tracking entries; when the information is invalid, they establish connection tracking for that TCP segment and send the first message to the client; when no second message is received from the client within the second unit time they retransmit the first message; and when the number of retransmissions exceeds k and the second message from the client has still not been received, they delete the connection tracking. Transmission of TCP segments is thereby controlled, SYN flood attacks are effectively reduced, and the efficiency of network attack prevention is improved.

Claims (9)

  1. 一种防止网络攻击的方法,所述方法包括:A method of preventing a network attack, the method comprising:
    设置重发第一消息的次数为k,其中,k为自然数;Set the number of times to resend the first message to k, where k is a natural number;
    获取客户端发送的TCP报文的信息,根据连接跟踪表项确定所述信息类型;所述信息类型包括有效信息和无效信息;Obtaining information about the TCP packet sent by the client, and determining the type of the information according to the connection tracking entry; the information type includes valid information and invalid information;
    为所述无效信息的TCP报文建立连接跟踪并向所述客户端发送所述第一消息;Establishing a connection tracking for the TCP message of the invalid information and sending the first message to the client;
    若在第二单位时间内未接收到所述客户端发送的第二消息,则重新发送所述第一消息;重新发送次数大于k且依然未接收到所述客户端发送的所述第二消息时,删除所述连接跟踪。If the second message sent by the client is not received in the second unit time, the first message is resent; the number of resends is greater than k and the second message sent by the client is still not received. When the connection trace is deleted.
  2. 根据权利要求1所述的方法,其中,所述方法还包括:设置接收TCP连接的数量为m,其中,m为自然数;The method of claim 1, wherein the method further comprises: setting the number of receiving TCP connections to m, wherein m is a natural number;
    所述为所述无效信息的TCP报文建立连接跟踪并向所述客户端发送所述第一消息,包括:Establishing a connection tracking for the TCP message of the invalid information and sending the first message to the client, including:
    确定当前接收TCP连接的数量;Determine the number of currently received TCP connections;
    若所述当前接收TCP连接的数量大于m,则将所述TCP报文丢弃;若所述当前接收TCP连接的数量小于等于m,则为所述TCP报文建立连接跟踪并向所述客户端发送第一消息。If the number of the currently received TCP connections is greater than m, the TCP packet is discarded; if the number of currently received TCP connections is less than or equal to m, establishing a connection tracking for the TCP packet and going to the client Send the first message.
  3. The method according to claim 2, wherein k is 3, the first unit time is 1 second, and m is 1024.
  4. The method according to claim 1, 2 or 3, wherein the information of the TCP packet comprises: a source IP address, a destination IP address, a source port, a destination port and a protocol;
    the first message is a TCP packet in which the handshake signal SYN and the acknowledgement character ACK are both set;
    the second message is a TCP packet in which ACK is set.
  5. A device for preventing a network attack, the device comprising:
    a setting module, configured to set the number of times a first message is resent to k, where k is a natural number;
    a determining module, configured to obtain the information of a TCP packet sent by a client and to determine the type of the information according to a connection tracking entry, the information type comprising valid information and invalid information;
    a sending module, configured to establish connection tracking for the TCP packet carrying invalid information and to send the first message to the client;
    a receiving module, configured to resend the first message if a second message sent by the client is not received within a second unit time, and to delete the connection tracking when the number of retransmissions is greater than k and the second message sent by the client has still not been received.
  6. The device according to claim 5, wherein the setting module is further configured to set the number of accepted TCP connections to m, where m is a natural number;
    the sending module is further configured to determine the number of currently accepted TCP connections;
    and is further configured to discard the TCP packet if the number of currently accepted TCP connections is greater than m, and to establish connection tracking for the TCP packet and send the first message to the client if the number of currently accepted TCP connections is less than or equal to m.
  7. The device according to claim 6, wherein k is 3, the first unit time is 1 second, and m is 1024.
  8. The device according to claim 5, 6 or 7, wherein the information of the TCP packet comprises: a source IP address, a destination IP address, a source port, a destination port and a protocol;
    the first message is a TCP packet in which the handshake signal SYN and the acknowledgement character ACK are both set;
    the second message is a TCP packet in which ACK is set.
  9. A computer readable storage medium, the storage medium comprising a set of instructions for executing the method for preventing a network attack according to any one of claims 1 to 4.
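The following simulation is an added illustration of the scheme the claims describe; it is not code from the patent or from its applicant. It models the connection-tracking front end with an explicit simulated clock instead of sockets: a flow is "valid" only if its five-tuple already has a tracking entry, an unknown SYN opens an entry and triggers the SYN+ACK ("first message"), a timer pass resends the SYN+ACK once per unit time and deletes the entry once more than k resends would be needed, and claim 2's limit m is checked before an entry is created. Three points are assumptions rather than claim text: a stray ACK with no tracking entry is simply dropped, the connection count compared with m is the total number of tracking entries, and the "greater than k" test is applied at the timeout that would otherwise trigger the (k+1)th resend. The constructed scenario also shows the caveat a defender should expect: with a small m, the honest client in the flood is dropped too.

```python
"""Simulation of SYN+ACK retransmission with a connection-tracking limit.
Added example (not the patent's code); timing is a simulated clock."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The five-tuple the claims call "the information of the TCP packet".
FiveTuple = Tuple[str, str, int, int, str]


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False

    def key(self) -> FiveTuple:
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)


@dataclass
class TrackEntry:
    state: str        # "SYN_RECV" until the client's ACK ("second message") arrives
    resends: int      # how many times the SYN+ACK ("first message") was resent
    last_sent: float  # simulated time of the last SYN+ACK


class SynFloodGuard:
    """Connection-tracking front end; k, m and unit_time are the claims' parameters."""

    def __init__(self, k: int = 3, m: int = 1024, unit_time: float = 1.0) -> None:
        self.k, self.m, self.unit_time = k, m, unit_time
        self.table: Dict[FiveTuple, TrackEntry] = {}
        self.sent: List[Tuple[FiveTuple, str]] = []  # log of messages we emit
        self.dropped = 0
        self.deleted = 0

    def classify(self, key: FiveTuple) -> str:
        # Validity is decided purely from the connection-tracking table.
        return "valid" if key in self.table else "invalid"

    def _send_syn_ack(self, key: FiveTuple, now: float, resend: bool) -> None:
        self.sent.append((key, "SYN+ACK"))
        entry = self.table[key]
        entry.last_sent = now
        if resend:
            entry.resends += 1

    def handle(self, pkt: Packet, now: float) -> str:
        key = pkt.key()
        if self.classify(key) == "valid":
            entry = self.table[key]
            if entry.state == "SYN_RECV" and pkt.ack and not pkt.syn:
                entry.state = "ESTABLISHED"  # handshake completed
                return "established"
            return "forwarded"
        # Invalid information: no entry yet. Assumption: only a SYN may open one.
        if not pkt.syn:
            self.dropped += 1
            return "dropped"
        # Claim 2: the "greater than m" check runs before insertion, so the
        # table may hold m+1 entries; kept exactly as claimed (assumption:
        # the count is the number of tracking entries).
        if len(self.table) > self.m:
            self.dropped += 1
            return "dropped"
        self.table[key] = TrackEntry("SYN_RECV", 0, now)
        self._send_syn_ack(key, now, resend=False)
        return "syn_ack_sent"

    def tick(self, now: float) -> None:
        """Timer pass: resend SYN+ACK for half-open entries, delete after k resends."""
        for key, entry in list(self.table.items()):
            if entry.state != "SYN_RECV" or now - entry.last_sent < self.unit_time:
                continue
            if entry.resends < self.k:
                self._send_syn_ack(key, now, resend=True)
            else:
                del self.table[key]  # a (k+1)th resend would exceed k: give up
                self.deleted += 1

    def half_open(self) -> int:
        return sum(1 for e in self.table.values() if e.state == "SYN_RECV")


def simulate_flood(n_spoofed: int, k: int = 3, m: int = 1024) -> dict:
    """Constructed scenario: n_spoofed SYNs that never ACK, plus one honest client."""
    g = SynFloodGuard(k=k, m=m)
    for i in range(n_spoofed):  # constructed, documentation-range addresses
        g.handle(Packet(f"10.0.{i // 256}.{i % 256}", "192.0.2.10", 40000 + i, 80, syn=True), 0.0)
    g.handle(Packet("198.51.100.7", "192.0.2.10", 51234, 80, syn=True), 0.0)
    g.handle(Packet("198.51.100.7", "192.0.2.10", 51234, 80, ack=True), 0.2)
    for t in range(1, k + 2):  # k resend timeouts, then the deleting one
        g.tick(float(t))
    return {"tracked": len(g.table), "half_open": g.half_open(), "dropped": g.dropped,
            "deleted": g.deleted, "syn_acks": len(g.sent)}


if __name__ == "__main__":
    print(simulate_flood(5))             # honest client survives, 5 entries deleted
    print(simulate_flood(5, k=3, m=2))   # limit reached: honest client dropped too
```

With the claim's defaults (k = 3, unit time 1 s) a spoofed SYN costs the defender one initial SYN+ACK plus three resends before its entry is freed at the fourth timeout, so the table holds each half-open flow for roughly k+1 unit times; m bounds the total, but once it is reached a legitimate SYN is discarded in the same way as a spoofed one, which is the trade-off to keep in mind when tuning m.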
PCT/CN2015/092042 2015-06-10 2015-10-15 Method and device for preventing network attack, and storage medium WO2016197498A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510316924.7 2015-06-10
CN201510316924.7A CN106302361A (en) 2015-06-10 2015-06-10 A kind of method and apparatus preventing network attack

Publications (1)

Publication Number Publication Date
WO2016197498A1 true WO2016197498A1 (en) 2016-12-15

Family

ID=57502985

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/092042 WO2016197498A1 (en) 2015-06-10 2015-10-15 Method and device for preventing network attack, and storage medium

Country Status (2)

Country Link
CN (1) CN106302361A (en)
WO (1) WO2016197498A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109936543A (en) * 2017-12-18 2019-06-25 中国移动通信集团辽宁有限公司 Means of defence, device, equipment and the medium of ACK Flood attack

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6725378B1 (en) * 1998-04-15 2004-04-20 Purdue Research Foundation Network protection for denial of service attacks
US6823387B1 (en) * 2000-06-23 2004-11-23 Microsoft Corporation System and method for enhancing a server's ability to withstand a “SYN flood” denial of service attack
CN1630248A (en) * 2003-12-19 2005-06-22 北京航空航天大学 SYN flooding attack defence method based on connection request authentication

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
YANG, JIN: "Solution of Stateful Firewall's Iptables Overflow Caused by Attack", JOURNAL OF CHONGQING UNIVERSITY (NATURAL SCIENCE EDITION), vol. 27, no. 6, 30 June 2004 (2004-06-30) *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110071939A (en) * 2019-05-05 2019-07-30 江苏亨通工控安全研究院有限公司 The improved method in industrial network is protected for traditional DDOS firewall SYN FLOOD
CN110071939B (en) * 2019-05-05 2021-06-29 江苏亨通工控安全研究院有限公司 Improvement method for SYN FLOOD protection of traditional DDOS firewall in industrial network
CN112087464A (en) * 2020-09-17 2020-12-15 北京知道创宇信息技术股份有限公司 SYN Flood attack cleaning method and device, electronic device and readable storage medium
CN115118628A (en) * 2022-06-28 2022-09-27 中国银行股份有限公司 Abnormal message processing method and device
CN115118628B (en) * 2022-06-28 2024-04-19 中国银行股份有限公司 Abnormal message processing method and device

Also Published As

Publication number Publication date
CN106302361A (en) 2017-01-04

Similar Documents

Publication Publication Date Title
US10498831B2 (en) Communication sessions at a CoAP protocol layer
JP6858749B2 (en) Devices and methods for establishing connections in load balancing systems
US9838353B2 (en) Communication across network address translation
US7990866B2 (en) Server device, method for controlling a server device, and method for establishing a connection using the server device
US9438702B2 (en) Techniques for protecting against denial of service attacks
WO2018121294A1 (en) Packet transmission method, terminal, network device, and communication system
US9491261B1 (en) Remote messaging protocol
US9516114B2 (en) Data packet transmission method and related device and system
US10530644B2 (en) Techniques for establishing a communication connection between two network entities via different network flows
JP6178932B2 (en) Method and apparatus for controlling handshaking in a packet transmission network
WO2016197498A1 (en) Method and device for preventing network attack, and storage medium
CN110266678B (en) Security attack detection method and device, computer equipment and storage medium
JP5185955B2 (en) Method for improving TCP data transmission process when physical transmission medium is interrupted
WO2011029357A1 (en) Method for authenticating communication traffic, communication system and protection apparatus
GB2519491A (en) Method and system for increasing data flow transmission
US20230016035A1 (en) Efficient connection processing
US11522979B2 (en) Transmission control protocol (TCP) acknowledgement (ACK) packet suppression
US8595477B1 (en) Systems and methods for reducing handshake delay in streaming protocol web requests
KR20130022089A (en) Method for releasing tcp connections against distributed denial of service attacks and apparatus for the same
JP2006148727A (en) Application monitor apparatus
KR101104599B1 (en) Apparatus and method for defending TCP SYN flooding attacks
KR102184363B1 (en) Communicating method between host and client with network connector, and network connector proceeding the same
CN114124489B (en) Method, cleaning device, equipment and medium for preventing flow attack
Wei Analysis and protection of SYN flood attack

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15894762

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15894762

Country of ref document: EP

Kind code of ref document: A1