WO2021082834A1 - Message processing method, apparatus, device and computer-readable storage medium - Google Patents
- Publication number: WO2021082834A1 (PCT application PCT/CN2020/117875)
- Authority: WO (WIPO, PCT)
- Prior art keywords: fingerprint feature, request message, fingerprint, access, access request
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
          - H04L63/0227—Filtering policies
            - H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1416—Event detection, e.g. attack signature detection
          - H04L63/1441—Countermeasures against malicious traffic
            - H04L63/1458—Denial of Service
        - H04L63/16—Implementing security features at a particular protocol layer
          - H04L63/164—Implementing security features at a particular protocol layer at the network layer
          - H04L63/166—Implementing security features at a particular protocol layer at the transport layer
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
          - G06F21/44—Program or device authentication
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/55—Detecting local intrusion or implementing counter-measures
            - G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
Definitions
- the present invention relates to the field of computer communication technology, in particular to a message processing method, a message processing device, a protection device and a computer-readable storage medium.
- a denial of service attack, also known as a flood attack, is a network attack method whose purpose is to exhaust the network or system resources of the target computer, temporarily interrupting or stopping its service and making it inaccessible to normal users.
- when hackers use two or more compromised computers on the network as "zombies" to launch a denial-of-service attack against a specific target, it is called a distributed denial-of-service attack (DDoS attack).
- DDoS attack: distributed denial-of-service attack
- the services attacked by DDoS are generally HyperText Transfer Protocol (HTTP) World Wide Web (Web) services.
- DDoS detection and scrubbing vendors inspect the HTTP request message format when protecting against DDoS; for example, to check whether a request was initiated by a normal user (such as a browser), they generally look at the User-Agent field of the HTTP request, which indicates the browser version. If the request is found to come from an abnormal user (browser), the current communication is blocked, thereby mitigating the DDoS attack.
- HTTP attack messages are easy to forge: by capturing normal user request messages and copying them wholesale into attack messages, hackers can easily evade attack detection.
- the embodiments of the application disclose a message processing method, a message processing device and a protection device, which address the technical problem in the prior art that hackers can easily evade attack detection, leaving the target service vulnerable to DDoS attacks.
- an embodiment of the present application provides a message processing method, and the method may include:
- the protection device receives a first access request message, where the first access request message includes a message sent based on the TCP/IP protocol, and the destination of the first access request message is a server protected by the protection device;
- the protection device extracts a first fingerprint feature from the transport layer and/or network layer header of the first access request message, where the first fingerprint feature corresponds to the operating system type of the terminal device that sent the first access request message;
- the protection device identifies the first fingerprint feature based on a fingerprint feature library to determine whether to allow the first access request message to access the server, where the fingerprint feature library includes the fingerprint features corresponding to the operating system types of terminal devices that are allowed to access the server, and/or the fingerprint features corresponding to the operating system types of terminal devices that are not allowed to access the server;
- if it is determined that the first access request message is allowed to access the server, the first access request message is released;
- otherwise, the first access request message is blocked.
- the fingerprint characteristics in the transport layer and/or network layer header are strongly tied to the operating system type and cannot be modified by ordinary application programs.
- modifying these characteristics means modifying the protocol stack of the OS, which requires recompiling the OS; since the source code of the OS is generally private and confidential to the OS provider (especially for current IoT systems, where more and more devices are developed by the manufacturers themselves), the difficulty and cost of such recompilation are very high.
- protection devices such as anti-DDoS (Anti-Distributed Denial of Service) devices can therefore accurately identify whether an access comes from a legitimate, normal user by identifying the fingerprint characteristics in the transport layer and/or network layer header of the packet, and can block abnormal user access requests, so as to better prevent and mitigate DDoS attacks.
- Anti-DDoS: Anti-Distributed Denial of Service
- the fingerprint feature library includes fingerprint features corresponding to the operating system types of terminal devices that are allowed to access the server, and the identifying of the first fingerprint feature based on the fingerprint feature library to determine whether to allow the first access request message to access the server includes:
- if the fingerprint feature library includes the first fingerprint feature, it is determined that the first access request message is allowed to access the server; if the first fingerprint feature is not included, it is determined that the first access request message is not allowed to access the server.
- before the receiving of the first access request message, the method further includes:
- the protection device of the embodiment of the present application can automatically learn or analyze, through self-learning, the fingerprint characteristics at the transport layer and/or network layer of access request messages in the normal business model and store them in the fingerprint feature library; or users such as developers or R&D personnel configure the fingerprint characteristics at the transport layer and/or network layer of access request messages in the normal business model, and the protection device receives these fingerprint characteristics and stores them in the fingerprint feature library, so that subsequent identification of whether an access is a DDoS attack is based on the fingerprint features in the fingerprint feature library.
- the fingerprint characteristics of each different transport layer and/or network layer may correspond to different OS types, such as Windows 7/8, Windows 10, Linux 2.4, Linux 4.1, and so on.
- users such as developers or R&D personnel can also directly configure the client OS type list, or automatically learn the OS types corresponding to the normal business model through self-learning to configure the client OS type list; the OS types in the client OS type list can be the OS types that are allowed access, so that the OS blocking strategy can be configured more flexibly, quickly and efficiently, meeting users' need for rapid response to changeable DDoS attacks and achieving better prevention and mitigation of DDoS attacks against the server.
- by storing in advance in the fingerprint feature library the fingerprint features corresponding to messages that are allowed to access the server, identifying whether the first fingerprint feature is included in the fingerprint feature library, and deciding whether to release or block the first access request message, it is possible to accurately identify whether an access comes from a legitimate normal user and to block abnormal user access requests, achieving better prevention and mitigation of DDoS attacks against the server.
- the fingerprint feature library includes fingerprint features corresponding to the operating system types of terminal devices that are not allowed to access the server, and the identifying of the first fingerprint feature based on the fingerprint feature library to determine whether to allow the first access request message to access the server includes:
- if the fingerprint feature library includes the first fingerprint feature, it is determined that the first access request message is not allowed to access the server; if the first fingerprint feature is not included, it is determined that the first access request message is allowed to access the server.
- before the receiving of the first access request message, the method further includes:
- the third access request message in the attack service model is analyzed to obtain fingerprint characteristics at the transport layer and/or network layer, and the fingerprint characteristics obtained by the analysis are stored in the fingerprint feature library.
- the protection device of the embodiment of this application can automatically learn or analyze, through self-learning, the fingerprint characteristics at the transport layer and/or network layer of access request messages in the attack service model and store them in the fingerprint feature library; or users such as developers or R&D personnel configure the fingerprint characteristics at the transport layer and/or network layer of access request messages in the attack service model, and the protection device receives these fingerprint characteristics and stores them in the fingerprint feature library, so that subsequent identification of whether an access is a DDoS attack is based on the fingerprint features in the fingerprint feature library.
- the fingerprint characteristics of each different transport layer and/or network layer may correspond to different OS types, such as Windows 7/8, Windows 10, Linux 2.4, Linux 4.1, and so on.
- users such as developers or R&D personnel can also directly configure the client OS type list, or automatically learn the OS types corresponding to the attack business model through self-learning to configure the client OS type list; the OS types in the client OS type list can be the OS types that are forbidden access, so that the OS blocking strategy can be configured more flexibly, quickly and efficiently, meeting users' need for rapid response to changeable DDoS attacks and achieving better prevention and mitigation of DDoS attacks against the server.
- by storing in advance in the fingerprint feature library the fingerprint features corresponding to clients whose access is forbidden, and identifying whether the fingerprint feature library contains the first fingerprint feature to decide whether to release or block the client's first access request message, it is possible to accurately identify whether an access comes from a legitimate normal user and to block abnormal user access requests, achieving better prevention and mitigation of DDoS attacks against the server.
- the fingerprint feature library includes fingerprint features corresponding to the operating system types of terminal devices that are allowed to access the server and fingerprint features corresponding to the operating system types of terminal devices that are not allowed to access the server;
- the identifying of the first fingerprint feature based on the fingerprint feature library to determine whether to allow the first access request message to access the server includes: identifying the operating system type corresponding to the first fingerprint feature based on the fingerprint feature library, and determining according to a first operating system type list or a second operating system type list whether to allow the first access request message to access the server, where:
- the first operating system type list includes at least one operating system type that is allowed to access the server;
- the second operating system type list includes at least one operating system type that is forbidden to access the server.
- the fingerprint feature library may include fingerprint features corresponding to the operating system types of terminal devices that are allowed to access the server and fingerprint features corresponding to the operating system types of terminal devices that are not allowed to access the server.
- the fingerprint feature library contains the correspondence between the operating system type and the fingerprint feature.
- the fingerprint characteristics of each different transport layer and/or network layer can correspond to different OS types, such as Windows 7/8, Windows 10, Linux 2.4, Linux 4.1, and so on. Users such as developers or R&D personnel can then also directly configure the client OS type list, or automatically learn the OS types corresponding to the attack business model through self-learning to configure the client OS type list.
- the first OS type list can include at least one OS type that is allowed to access the server; the second OS type list can include at least one OS type that is forbidden to access the server. Then, after identifying the operating system type corresponding to the first fingerprint feature based on the fingerprint feature library, it can be determined according to the first operating system type list or the second operating system type list whether to allow the first access request message to access the server.
- the OS blocking strategy can thus be configured more flexibly, quickly and efficiently, meeting users' need for rapid response in the face of changing DDoS attacks and achieving better prevention and mitigation of DDoS attacks against the server.
- the message processing method of the embodiment of the present application may also trigger the step of extracting the first fingerprint feature from the transport layer and/or network layer header of the first access request message only when it is detected that the server has suffered a DDoS attack.
- if fingerprint feature extraction and identification were performed on every access request message, the transmission delay of access request messages would increase and the access experience of normal users would be affected.
- by triggering fingerprint feature extraction and identification only when a DDoS attack is detected, normal access efficiency and mitigation of DDoS attacks can be well balanced.
- the first access request message in the embodiment of the present application includes a SYN message.
- since the SYN message is the first request message sent by the client to the server when a TCP connection is established, extracting and identifying the fingerprint feature of the SYN message directly allows whether the access request is a DDoS attack to be identified as early as possible, achieving better prevention and mitigation of DDoS attacks.
- an embodiment of the present application provides a message processing method, including:
- the protection device receives a first access request message, where the first access request message includes a message sent based on the TCP/IP protocol, and the destination of the access request message is a server protected by the protection device;
- the protection device extracts a first fingerprint feature from the transport layer and/or network layer header of the first access request message, where the first fingerprint feature corresponds to the operating system type of the terminal device that sent the first access request message;
- the protection device identifies the operating system type corresponding to the first fingerprint feature based on a fingerprint feature library, and determines according to a first operating system type list or a second operating system type list whether to allow the first access request message to access the server, where:
- the first operating system type list includes at least one operating system type that is allowed to access the server;
- the second operating system type list includes at least one operating system type that is forbidden to access the server;
- if it is determined that the first access request message is allowed to access the server, the first access request message is released;
- otherwise, the first access request message is blocked.
- the fingerprint feature library contains the correspondence between the operating system type and the fingerprint feature.
- the fingerprint characteristics of each different transport layer and/or network layer can correspond to different OS types, such as Windows 7/8, Windows 10, Linux 2.4, Linux 4.1, and so on.
- users such as developers or R&D personnel can also directly configure the client OS type list, or automatically learn the OS types corresponding to the attack business model through self-learning to configure the client OS type list.
- the first OS type list can include at least one OS type that is allowed to access the server; the second OS type list can include at least one OS type that is forbidden to access the server. After identifying the operating system type corresponding to the first fingerprint feature based on the fingerprint feature library, it can then be determined according to the first operating system type list or the second operating system type list whether to allow the first access request message to access the server; this allows OS blocking policies to be configured more flexibly, quickly and efficiently, meets users' need for rapid response in the face of changing DDoS attacks, and achieves better prevention and mitigation of DDoS attacks against the server.
- an embodiment of the present application provides a protective device, including a processor and a network interface, where:
- the network interface is configured to receive a first access request message, the first access request message including a message sent based on the TCP/IP protocol, and the destination of the first access request message being the server protected by the protection device;
- the processor is used to call a stored computer program to perform the following operations:
- extract a first fingerprint feature from the transport layer and/or network layer header of the first access request message, and identify the first fingerprint feature based on a fingerprint feature library to determine whether to allow the first access request message to access the server, where the fingerprint feature library includes the fingerprint features corresponding to the operating system types of terminal devices that are allowed to access the server, and/or the fingerprint features corresponding to the operating system types of terminal devices that are not allowed to access the server;
- if it is determined that the first access request message is allowed to access the server, the first access request message is released;
- otherwise, the first access request message is blocked.
- the fingerprint feature library includes fingerprint features corresponding to the operating system types of terminal devices that are allowed to access the server, and the processor's identifying of the first fingerprint feature based on the fingerprint feature library to determine whether to allow the first access request message to access the server includes:
- if the fingerprint feature library includes the first fingerprint feature, it is determined that the first access request message is allowed to access the server; if the first fingerprint feature is not included, it is determined that the first access request message is not allowed to access the server.
- the protection device further includes an input device; the input device is configured to receive input fingerprint features of the transport layer and/or network layer before the network interface receives the first access request message, and to save the input fingerprint features in the fingerprint feature library; or,
- the processor is further configured to analyze the second access request message in the normal service model before the network interface receives the first access request message, so as to obtain fingerprint characteristics at the transport layer and/or network layer, and to store the fingerprint features obtained by the analysis in the fingerprint feature library.
- the fingerprint feature library includes fingerprint features corresponding to the operating system types of terminal devices that are not allowed to access the server, and the processor's identifying of the first fingerprint feature based on the fingerprint feature library to determine whether to allow the first access request message to access the server includes:
- if the fingerprint feature library includes the first fingerprint feature, it is determined that the first access request message is not allowed to access the server; if the first fingerprint feature is not included, it is determined that the first access request message is allowed to access the server.
- the protection device further includes an input device; the input device is configured to receive input fingerprint features of the transport layer and/or network layer before the network interface receives the first access request message, and to save the input fingerprint features in the fingerprint feature library; or,
- the processor is further configured to analyze the third access request message in the attack service model before the network interface receives the first access request message, so as to obtain fingerprint characteristics at the transport layer and/or network layer, and to store the fingerprint features obtained by the analysis in the fingerprint feature library.
- the fingerprint feature library includes fingerprint features corresponding to the operating system types of terminal devices that are allowed to access the server and fingerprint features corresponding to the operating system types of terminal devices that are not allowed to access the server;
- the processor's identifying of the first fingerprint feature based on the fingerprint feature library to determine whether to allow the first access request message to access the server includes: identifying the operating system type corresponding to the first fingerprint feature based on the fingerprint feature library, and determining according to a first operating system type list or a second operating system type list whether to allow the first access request message to access the server, where:
- the first operating system type list includes at least one operating system type that is allowed to access the server;
- the second operating system type list includes at least one operating system type that is forbidden to access the server.
- the processor may also trigger the step of extracting the first fingerprint feature from the transport layer and/or network layer header of the first access request message only when it is detected that the server has suffered a DDoS attack.
- the first access request message in the embodiment of the present application includes a SYN message.
- an embodiment of the present application provides a protective device, including a processor and a network interface, wherein:
- the network interface is used to receive a first access request message; the first access request message includes a message sent based on the TCP/IP protocol; the destination of the first access request message is the server protected by the protection device;
- the processor is used to call a stored computer program to perform the following operations:
- extract a first fingerprint feature from the transport layer and/or network layer header of the first access request message, identify the operating system type corresponding to the first fingerprint feature based on a fingerprint feature library, and determine according to a first operating system type list or a second operating system type list whether to allow the first access request message to access the server, where the first operating system type list includes at least one operating system type that is allowed to access the server;
- the second operating system type list includes at least one operating system type that is forbidden to access the server;
- if it is determined that the first access request message is allowed to access the server, the first access request message is released;
- otherwise, the first access request message is blocked.
- an embodiment of the present application provides a message processing device, including:
- the message receiving unit is configured to receive a first access request message; the first access request message includes a message sent based on the TCP/IP protocol; the destination of the first access request message is the server protected by the message processing device;
- the fingerprint feature extraction unit is configured to extract a first fingerprint feature from the transport layer and/or network layer header of the first access request message, where the first fingerprint feature corresponds to the operating system type of the terminal device that sent the first access request message;
- a processing unit configured to identify the first fingerprint feature based on a fingerprint feature library to determine whether to allow the first access request message to access the server, where the fingerprint feature library includes the fingerprint features corresponding to the operating system types of terminal devices that are allowed to access the server, and/or the fingerprint features corresponding to the operating system types of terminal devices that are not allowed to access the server;
- if it is determined that the first access request message is allowed to access the server, the processing unit releases the first access request message;
- otherwise, the processing unit blocks the first access request message.
- the fingerprint feature library includes fingerprint features corresponding to the operating system types of terminal devices that are allowed to access the server, and the processing unit is specifically configured to:
- determine that the first access request message is allowed to access the server if the fingerprint feature library includes the first fingerprint feature, and determine that the first access request message is not allowed to access the server if the first fingerprint feature is not included.
- the device further includes:
- the first feature receiving unit, configured to receive input fingerprint features of the transport layer and/or the network layer before the message receiving unit receives the first access request message, and to save the input fingerprint features in the fingerprint feature library; or
- the first feature analysis unit, configured to analyze the second access request message in the normal service model before the message receiving unit receives the first access request message, so as to obtain fingerprint features at the transport layer and/or network layer, and to save the fingerprint features obtained by the analysis in the fingerprint feature library.
- the fingerprint feature library includes fingerprint features corresponding to the operating system types of terminal devices that are not allowed to access the server, and the processing unit is specifically configured to:
- determine that the first access request message is not allowed to access the server if the fingerprint feature library includes the first fingerprint feature, and determine that the first access request message is allowed to access the server if the first fingerprint feature is not included.
- the device further includes:
- the second feature receiving unit, configured to receive input fingerprint features of the transport layer and/or the network layer before the message receiving unit receives the first access request message, and to save the input fingerprint features in the fingerprint feature library; or
- the second feature analysis unit, configured to analyze the third access request message in the attack service model before the message receiving unit receives the first access request message, so as to obtain fingerprint features at the transport layer and/or network layer, and to save the fingerprint features obtained by the analysis in the fingerprint feature library.
- the fingerprint feature library includes fingerprint features corresponding to the operating system types of terminal devices that are allowed to access the server and fingerprint features corresponding to the operating system types of terminal devices that are not allowed to access the server;
- the processing unit is specifically used to identify the operating system type corresponding to the first fingerprint feature based on the fingerprint feature library and to determine according to a first operating system type list or a second operating system type list whether to allow the first access request message to access the server, where:
- the first operating system type list includes at least one operating system type that is allowed to access the server;
- the second operating system type list includes at least one operating system type that is forbidden to access the server.
- the fingerprint feature extraction unit may also trigger the extraction of the first fingerprint feature from the transport layer and/or network layer header of the first access request message only when it is detected that the server has suffered a DDoS attack.
- the first access request message in the embodiment of the present application includes a SYN message.
- an embodiment of the present application provides a computer-readable storage medium that stores a program, where the program includes instructions for executing some or all of the steps of any method of the first aspect.
- an embodiment of the present application provides a chip that includes at least one processor and an interface circuit, where the processor is configured to execute a computer program stored in a memory to perform the following steps after a first access request message is input through the interface circuit:
- the first access request message includes a message sent based on the TCP/IP protocol, and the destination of the first access request message is the server protected by the chip;
- extract a first fingerprint feature from the transport layer and/or network layer header of the first access request message, and identify the first fingerprint feature based on a fingerprint feature library to determine whether to allow the first access request message to access the server, where the fingerprint feature library includes the fingerprint features corresponding to the operating system types of terminal devices that are allowed to access the server, or the fingerprint features corresponding to the operating system types of terminal devices that are not allowed to access the server;
- if it is determined that the first access request message is allowed to access the server, the first access request message is released;
- otherwise, the first access request message is blocked.
- the fingerprint feature library includes fingerprint features corresponding to the operating system types of terminal devices that are allowed to access the server, and the processor's identifying of the first fingerprint feature based on the fingerprint feature library to determine whether to allow the first access request message to access the server specifically includes:
- if the fingerprint feature library includes the first fingerprint feature, it is determined that the first access request message is allowed to access the server; if the first fingerprint feature is not included, it is determined that the first access request message is not allowed to access the server.
- before the input of the first access request message through the interface circuit, the processor is further configured to:
- analyze the second access request message in the normal service model to obtain fingerprint characteristics at the transport layer and/or network layer, and store the fingerprint characteristics obtained by the analysis in the fingerprint feature library.
- the fingerprint feature library includes fingerprint features corresponding to the operating system types of terminal devices that are not allowed to access the server, and the processor's identifying of the first fingerprint feature based on the fingerprint feature library to determine whether to allow the first access request message to access the server specifically includes:
- if the fingerprint feature library includes the first fingerprint feature, it is determined that the first access request message is not allowed to access the server; if the first fingerprint feature is not included, it is determined that the first access request message is allowed to access the server.
- before the input of the first access request message through the interface circuit, the processor is further configured to:
- analyze the third access request message in the attack service model to obtain fingerprint characteristics at the transport layer and/or network layer, and store the fingerprint characteristics obtained by the analysis in the fingerprint feature library.
- the processor may also trigger the step of extracting the first fingerprint feature from the transport layer and/or network layer header of the first access request message only when it is detected that the server has suffered a DDoS attack.
- the first access request message in the embodiment of the present application includes a SYN message.
- an embodiment of the present application provides a computer program product which, when run on a computer, causes the computer to execute some or all of the steps of any one of the methods in the first aspect.
- the first fingerprint feature and the fingerprint feature in the fingerprint feature library are transport layer fingerprint features;
- the transport layer fingerprint feature includes one or more of the following:
- the first fingerprint feature and the fingerprint features in the fingerprint feature library are network layer fingerprint features;
- the network layer fingerprint features include one or more of the following:
- the fingerprint features of the transport layer or network layer mentioned above are inherent system fingerprint features of each operating system when it follows or uses the TCP/IP protocol, and they differ from one operating system to another, for example between Windows, Linux and the systems of other IoT devices.
- attack traffic will generally imitate the characteristics of normal user access, for example by adding the version of a well-known browser to the HTTP User-Agent header, but it will not modify the protocol stack; therefore, by identifying the above-mentioned transport layer or network layer fingerprint features, the DDoS protection device can identify the protocol stack of the traffic it receives and block obvious attack traffic, thereby preventing and mitigating DDoS attacks.
- FIG. 1 is a schematic diagram of an application scenario of a message processing method provided by an embodiment of the present application
- FIG. 2 is a schematic flowchart of a message processing method provided by an embodiment of the present application
- FIG. 3 is a schematic flowchart of a message processing method according to another embodiment of the present application.
- FIG. 4 is a schematic diagram of the principle of a message processing method provided by an embodiment of the present application.
- FIG. 5 is a schematic diagram of the principle of a message processing method according to another embodiment of the present application.
- FIG. 6 is a schematic diagram of one embodiment of the message processing flow provided by the present application.
- FIG. 7 is a schematic diagram of another embodiment of a message processing flow provided by the present application.
- FIG. 8 is a schematic diagram of fingerprint features corresponding to an operating system provided by an embodiment of the present application.
- FIG. 9 is a schematic diagram of fingerprint features corresponding to an operating system according to another embodiment of the present application.
- FIG. 10 is a schematic diagram of fingerprint features corresponding to an operating system according to another embodiment of the present application.
- FIG. 11 is a schematic diagram of fingerprint features corresponding to an operating system according to another embodiment of the present application.
- FIG. 12 is a schematic structural diagram of a protective device provided by an embodiment of the present application.
- FIG. 13 is a schematic structural diagram of a message processing device provided by an embodiment of the present application.
- FIG. 14 is a schematic diagram of the structure of a chip provided by an embodiment of the present application.
- FIG. 1 is a schematic diagram of an application scenario of a message processing method provided by an embodiment of the application.
- the network to which the message processing method of the embodiment of the present application is applied includes at least one hacker.
- FIG. 1 takes a hacker as an example for illustration.
- the hacker refers to an attacker or an attacking device that initiates a DDoS attack or DoS attack.
- hackers can control a zombie host (bot) to launch a DoS attack to the server or control multiple bots to launch a DDoS attack to the server.
- an Anti-DDoS device, or anti-denial-of-service device, is deployed in front of the server to clean DDoS traffic for the server: when a DDoS attack occurs, the received attack traffic is identified and blocked so as to mitigate the DDoS or DoS attack, thereby protecting the normal access of normal users to the server.
- the anti-DDoS device or the anti-denial of service device is the protection device in the embodiment of this application, and the anti-DDoS device is taken as an example for illustration in FIG. 1.
- the bot in the embodiment of the present application may be a personal computer (PC) host of a traditional user, or an IoT network device capable of accessing the Internet, such as a camera, a router, and so on.
- the server in the embodiment of the present application is a computer that provides normal services for a certain business, and the user terminal can establish a connection with the server through the Internet and access the business provided by the server.
- for example, the server is a game server, and the user terminal accesses the data of a certain game on the game server to run the game.
- the message processing method provided by the embodiment of the present application includes the following steps.
- Step S200 The zombie host or normal user terminal sends a first access request message to the server.
- the first access request message in the embodiment of the present application includes a message sent based on the TCP/IP protocol, and the first access request message is a message for establishing a TCP/IP connection with the server.
- a bot controlled by a hacker will send a first access request message to the server to request access to the service provided by the server; a normal user terminal can also send a first access request message to the server to request access to the service provided by the server.
- Step S202 The Anti-DDoS device receives the first access request message.
- the Anti-DDoS device is a device deployed in front of the server.
- the Anti-DDoS device is triggered to execute step S204 only when it is detected that the server has suffered a DDoS attack.
- otherwise, the Anti-DDoS device can directly pass the received first access request message to the server.
- Step S204 The Anti-DDoS device extracts the first fingerprint feature from the transport layer and/or network layer header of the first access request message.
- the fingerprint features of the transport layer in the embodiments of this application may include one or more of the following: the ordering of the options in the TCP header, maximum segment size (MSS) information, window size (Window size value) information, window scale (Window scale) information, etc.
- the fingerprint features of the network layer in the embodiments of this application may include one or more of the following: IP packet time to live (TTL) information, payload length information, the DF (Don't Fragment) flag and other IP header identification information, etc.
- when the Anti-DDoS device performs fingerprint feature extraction on the transport layer and/or network layer header of the received first access request message, it obtains the first fingerprint feature of the transport layer and/or network layer of the first access request message.
- the fingerprint features of the transport layer or the network layer in the embodiments of the present application are inherent system fingerprint features of each operating system when it follows or uses the TCP/IP protocol, and they differ from one operating system to another. Therefore, the first fingerprint feature corresponds to the operating system type of the terminal device that sends the first access request message.
- Step S206 The Anti-DDoS device recognizes the first fingerprint feature based on the fingerprint feature database to determine whether to allow the first access request message to access the server.
- the fingerprint feature library is used to identify the extracted first fingerprint feature to determine whether to allow the access request of the first access request message.
- the Anti-DDoS device may generate the fingerprint feature database in advance. For example, through self-learning it can automatically learn or analyze access request messages in the normal business model to obtain fingerprint features at the transport layer and/or network layer, or it can receive fingerprint features at the transport layer and/or network layer entered by the user, and then create the fingerprint feature database and store them in it.
- in this case the fingerprint feature library includes fingerprint features corresponding to the operating system type of the terminal device that is allowed to access the server.
- the Anti-DDoS device can also, through self-learning, automatically learn or analyze access request messages in the attack business model to obtain fingerprint features at the transport layer and/or network layer, or receive fingerprint features at the transport layer and/or network layer entered by the user, and then create the fingerprint feature database and store them in it.
- the fingerprint feature library includes the fingerprint feature corresponding to the operating system type of the terminal device that is not allowed to access the server.
- if the fingerprint feature library includes fingerprint features corresponding to the operating system type of the terminal device that is allowed to access the server, and it is determined that the fingerprint feature library contains the first fingerprint feature, this indicates that the first access request message is permitted to access the server, and step S208 is performed; if it is determined that the fingerprint feature database does not contain the first fingerprint feature, this indicates that the first access request message is not allowed to access the server, and step S210 is performed.
- Step S208 The Anti-DDoS device releases the first access request message to the server.
- Step S210 The Anti-DDoS device blocks the first access request message.
- the fingerprint feature library may include fingerprint features corresponding to the operating system type of the terminal device that is allowed to access the server and fingerprint features corresponding to the operating system type of the terminal device that is not allowed to access the server;
- the fingerprint feature database also contains the corresponding relationship between the operating system type and the fingerprint feature; then step S206 may specifically be:
- the first operating system type list includes at least one operating system type that is allowed to access the server;
- the second operating system type list includes at least one operating system type that is forbidden to access the server.
- the fingerprint feature of the transport layer or the network layer in the embodiment of the present application is an inherent system fingerprint feature of each operating system when it follows or uses the TCP/IP protocol, and it differs from one operating system to another. The Anti-DDoS device can therefore identify the operating system type corresponding to the first fingerprint feature based on the fingerprint feature database.
- the Anti-DDoS device can also pre-establish a first operating system type list or a second operating system type list; the first operating system type list includes at least one operating system type that is allowed to access the server, and the second operating system type list includes at least one operating system type that is forbidden to access the server.
- the first operating system type list or the second operating system type list may consist of operating system types entered by the user for configuration as required.
- the first operating system type list can also be obtained through self-learning, by automatically learning or analyzing access request messages in the normal business model to obtain fingerprint features at the transport layer and/or network layer, and then obtaining the operating system types corresponding to those fingerprint features.
- the second operating system type list can also be obtained through self-learning, by automatically learning or analyzing access request messages in the attack business model to obtain fingerprint features at the transport layer and/or network layer, and then obtaining the operating system types corresponding to those fingerprint features.
- if the Anti-DDoS device determines, according to the first operating system type list, that the operating system type corresponding to the first fingerprint feature is in the first operating system type list, this indicates that the first access request message is allowed to access the server, and step S208 is performed; if it determines that the operating system type corresponding to the first fingerprint feature is not in the first operating system type list, this indicates that the first access request message is not allowed to access the server, and step S210 is performed.
- if the Anti-DDoS device determines, according to the second operating system type list, that the operating system type corresponding to the first fingerprint feature is not in the second operating system type list, this indicates that the first access request message is allowed to access the server, and step S208 is performed; if it determines that the operating system type corresponding to the first fingerprint feature is in the second operating system type list, this indicates that the first access request message is not allowed to access the server, and step S210 is performed.
- FIG. 3 shows a schematic flowchart of a message processing method according to another embodiment of the present application, illustrating how the Anti-DDoS device completes DDoS protection.
- the message processing method provided by the embodiment of the present application includes the following steps.
- Step S300 The zombie host or normal user terminal sends a first access request message to the server.
- Step S302 The Anti-DDoS device receives the first access request message.
- Step S304 The Anti-DDoS device extracts the first fingerprint feature from the transport layer and/or network layer header of the first access request message.
- for steps S300-S304, refer to the description of steps S200-S204 in the embodiment of FIG. 2 above, which is not repeated here.
- Step S306 The Anti-DDoS device identifies the operating system type corresponding to the first fingerprint feature based on the fingerprint feature database.
- the Anti-DDoS device may pre-generate the fingerprint feature database; for example, through self-learning it may automatically learn or analyze access request messages in the normal business model so as to obtain fingerprint features at the transport layer and/or network layer.
- the fingerprint characteristics of the transport layer or the network layer in the embodiments of the present application are inherent system fingerprint characteristics that each operating system has when following or using the TCP/IP protocol, and each operating system will be different.
- the fingerprint feature database of the embodiment of the present application also includes the correspondence between the operating system type and the fingerprint feature, so the Anti-DDoS device can identify the operating system type corresponding to the first fingerprint feature based on the fingerprint feature database.
- Step S308 The Anti-DDoS device judges whether to allow the first access request message to access the server according to the first operating system type list or the second operating system type list.
- the Anti-DDoS device may also pre-establish a first operating system type list or a second operating system type list; the first operating system type list includes at least one operating system type allowed to access the server, and the second operating system type list includes at least one operating system type that is forbidden to access the server.
- the first operating system type list or the second operating system type list may consist of operating system types entered by the user for configuration as required.
- the first operating system type list can also be obtained through self-learning, by automatically learning or analyzing access request messages in the normal business model to obtain fingerprint features at the transport layer and/or network layer, and then obtaining the operating system types corresponding to those fingerprint features.
- the second operating system type list can also be obtained through self-learning, by automatically learning or analyzing access request messages in the attack business model to obtain fingerprint features at the transport layer and/or network layer, and then obtaining the operating system types corresponding to those fingerprint features.
- if the Anti-DDoS device determines, according to the first operating system type list, that the operating system type corresponding to the first fingerprint feature is in the first operating system type list, this indicates that the first access request message is allowed to access the server, and step S310 is performed; if it determines that the operating system type corresponding to the first fingerprint feature is not in the first operating system type list, this indicates that the first access request message is not allowed to access the server, and step S312 is performed.
- if the Anti-DDoS device determines, according to the second operating system type list, that the operating system type corresponding to the first fingerprint feature is not in the second operating system type list, this indicates that the first access request message is allowed to access the server, and step S310 is performed; if it determines that the operating system type corresponding to the first fingerprint feature is in the second operating system type list, this indicates that the first access request message is not allowed to access the server, and step S312 is performed.
- Step S310 The Anti-DDoS device releases the first access request message to the server.
- Step S312 The Anti-DDoS device blocks the first access request message.
- FIG. 4 shows a schematic diagram of the principle of the message processing method provided by an embodiment of the present application, explaining from the perspective of the internal modules of the protection device how a received access request message is processed. The processing can be divided into an early stage of configuration management and a later stage of message identification and filtering:
- the configuration management module can create the fingerprint feature database from fingerprint features entered manually by the user, or it can acquire the fingerprint features of access request messages in a self-learning manner through the self-learning module to establish the fingerprint feature database, or it can combine the two to build the fingerprint feature database.
- the fingerprint features stored in the fingerprint feature library can be upgraded or updated.
- for example, self-learning can be performed regularly to update the fingerprint features, or the fingerprint feature definition rules of the transport layer and/or network layer can be updated and the fingerprint feature database re-established.
- the definition rules of the fingerprint features of the transport layer and/or network layer specifically determine which transport layer and network layer fingerprint feature items are selected as the identification basis; the fingerprint features are then configured or self-learned according to the selected items to construct the fingerprint feature library, and the fingerprint feature of the first access request message is extracted according to the selected items to identify whether to pass or block the message.
- the user can also configure the OS blocking strategy through the configuration management module according to their own needs.
- different transport layer and/or network layer fingerprint features can correspond to different OS types, such as Windows 7/8, Windows 10, Linux 2.4, Linux 4.1, and so on.
- users such as developers or R&D personnel can also directly configure the client OS type list, or configure it by automatically learning, through self-learning, the OS types corresponding to the normal business model or the attack business model; the OS types in the client OS type list can be OS types that are allowed to access or OS types that are forbidden to access, so that OS blocking strategies can be configured more flexibly, quickly and efficiently, meeting users' need for rapid response in the face of changing DDoS attacks, better preventing and mitigating DDoS attacks, and better protecting servers from DDoS attacks.
- the message receiving module receives the access request message; the source OS identification module then extracts the fingerprint of the received access request message and identifies it based on the fingerprint features in the fingerprint feature library, and can also identify the OS type corresponding to the access request message through the self-learning module. The OS blocking module then decides, based on the configured OS blocking policy, whether to block the access request message. If the access request is allowed, the action processing module sends the access request message to the session management module, and the session management module triggers the message sending module to release the access request message to the server; if the access request is not allowed, the action processing module directly blocks the access request message.
- the fingerprint feature in the transport layer and/or network layer header is strongly related to the operating system type and cannot be modified by ordinary programs.
- Hackers often need to create a RAW Socket or modify the OS to achieve forgery.
- Modifying the OS means modifying the protocol stack of the OS, and the OS must be recompiled; moreover, the source code of the OS is generally in the hands of the manufacturers (especially for current IoT systems, where more and more devices are developed by the manufacturers themselves).
- Anti-DDoS equipment can accurately identify whether an access is a legitimate normal user access by identifying the fingerprint features of the transport layer and/or network layer of the attack packet, and can block abnormal user access requests, thereby better preventing and mitigating DDoS attacks and better protecting servers from DDoS attacks.
- in the process of generating the OS feature database, the headers and options of TCP SYN messages sent by popular OSs can first be analyzed, and then key fingerprint features extracted or signatures generated, such as the option ordering information in the TCP options of the SYN message, TTL information, MSS information, window size value information, window scale information, or other options of IP packets.
- the extracted fingerprint features are formed into fixed features, and they are placed or updated in the fingerprint feature database.
- the fingerprint features can be released and updated to the Anti-DDoS device for use by the Anti-DDoS device engine.
- FIG. 6, a schematic diagram of one embodiment of the message processing flow provided by the present application, may include the following steps:
- Step S600 The Anti-DDoS device may first establish a list of legal OS types that are allowed to access.
- the list of OS system types can be configured by the user; for example, the user manually configures the list of allowed client OS system types: Windows 7/8, Windows 10. Alternatively, the Anti-DDoS device can perform self-learning in the normal business model to automatically learn the list of legal (that is, allowed to access) client OS system types, such as Windows 7/8, Windows 10.
- Step S602 After receiving the first handshake request message of the new session, that is, the SYN message, the Anti-DDoS device performs message header analysis, such as extracting Option information.
- Step S604 The Anti-DDoS device extracts fingerprint features, such as analyzing TCP options, and completes fingerprint feature extraction according to predefined rules.
- for example, if the defined rule is to extract the option ordering information in the TCP options, the TTL (Time to Live) information and the window size value, then fingerprint feature extraction is completed for these three items.
- Step S606 The Anti-DDoS device compares the extracted fingerprint features with the existing fingerprint feature library, and identifies the specific OS system type of the client (which sends the SYN message), such as Windows 7/8 or Linux 2.4.
- for example, the fingerprint feature configured for Windows 7 includes the following three items:
- the sort order of TCP options is MSS (Maximum segment size), NOP (No-Operation), window scale, NOP, NOP, SACK Permitted;
- the TTL (Time to Live) of the IP header of the message is 128; and the window size value is 8192.
- if the SYN message matches these three items, the specific OS system type of the client is identified as Windows 7, and the message is allowed to access and released; if the SYN message does not match the fingerprint features of the above three items in the fingerprint feature database, it is recognized that the specific OS system type of the client is not Windows 7, and once it is recognized that it matches none of the OS types allowed to access, the SYN packet is blocked.
- Step S608 The Anti-DDoS device detects whether the identified client OS system type is in the list of allowed client OS system types according to the OS blocking policy.
- Step S610 If it is detected that it is in the list of allowed client OS system types, the SYN message is released; if it is detected that it is not in the list of allowed client OS system types, the SYN message is blocked or discarded.
- FIG. 7, a schematic diagram of another embodiment of the message processing flow provided by the present application, may include the following steps:
- Step S700 The Anti-DDoS device may first establish a list of illegal OS types that are forbidden to access;
- the list of OS system types can be configured by the user; for example, the user manually configures the list of prohibited client OS system types: Windows 7/8, Windows 10. Alternatively, the system can perform self-learning in the attack business model to automatically learn the list of illegal (that is, forbidden to access) client OS system types, such as Windows 7/8, Windows 10.
- Step S702 After receiving the first handshake request message of the new session, that is, the SYN message, the Anti-DDoS device performs message header analysis, such as extracting Option information.
- Step S704 The Anti-DDoS device extracts fingerprint features, such as analyzing TCP options, and completes fingerprint feature extraction according to predefined rules.
- for example, if the defined rule is to extract the option ordering information in the TCP options and the value of each option, then fingerprint feature extraction is completed for these two items.
- Step S706 The Anti-DDoS device compares the extracted fingerprint features with the existing fingerprint feature library, and identifies the specific OS system type of the client (which sends the SYN message), such as Windows 7/8 or Linux 2.4.
- Step S708 The Anti-DDoS device detects whether the identified client OS system type is in the list of prohibited client OS system types according to the OS blocking policy.
- Step S710 If it is detected that it is not in the list of prohibited client OS system types, the SYN message is released; if it is detected that it is in the list of prohibited client OS system types, the SYN message is blocked or discarded.
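The extraction and matching of the FIG. 6 (S600-S610) and FIG. 7 (S700-S710) flows, as an added example that is not code from the patent application: it parses the IP and TCP headers of a SYN, forms the option ordering / TTL / window size fingerprint of step S604, looks it up in a feature library populated from the Windows 7, Linux 3.1 (CentOS 7.1) and USG6670 examples of FIG. 8-11, derives a signature from observed SYNs as the self-learning module would, and applies either the allowed-list or the forbidden-list OS blocking policy. The packets, addresses, ports and the Linux/USG window sizes are constructed (the page gives no window size for those two), and the rule that a signature compares only the items it lists is an assumption of this example.

```python
"""Added example (not code from the patent application): extract the transport
and network layer fingerprint described in the text from a TCP SYN packet and
apply the allow-list policy of FIG. 6 or the deny-list policy of FIG. 7."""
import struct

OPTION_NAMES = {1: "NOP", 2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}  # TCP option kinds


def build_syn(ttl, df, window, options, src="198.51.100.10", dst="203.0.113.5"):
    """Constructed IPv4 + TCP SYN bytes used as parser input (checksums left zero)."""
    options += b"\x00" * (-len(options) % 4)          # pad options to 32-bit words
    data_off = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, data_off << 4, 0x02,
                      window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


def parse_options(raw):
    """Option names in order of appearance (kinds 0/1 are one byte, others carry a length)."""
    order, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                 # End of Option List
            break
        if kind == 1:
            order.append("NOP")
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option")
        order.append(OPTION_NAMES.get(kind, "KIND%d" % kind))
        i += raw[i + 1]
    return tuple(order)


def extract_fingerprint(pkt):
    """Steps S204/S604: TTL and DF from the IP header, window size and option order from TCP."""
    ihl = (pkt[0] & 0x0F) * 4
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    if (tcp[13] & 0x12) != 0x02:                      # SYN set, ACK clear
        raise ValueError("not a first handshake (SYN) message")
    window = struct.unpack("!H", tcp[14:16])[0]
    return {"ttl": pkt[8], "df": df, "window": window,
            "options": parse_options(tcp[20:data_off])}


# Fingerprint feature library taken from FIG. 8-11 of the page. A signature lists
# only the items selected as identification basis; omitted items are not compared.
FINGERPRINT_DB = {
    "Windows 7": {"options": ("MSS", "NOP", "WS", "NOP", "NOP", "SACK"),
                  "ttl": 128, "window": 8192},
    "Linux 3.1 (CentOS 7.1)": {"options": ("MSS", "SACK", "TS", "NOP", "WS"),
                               "ttl": 64},
    "Huawei USG6670": {"options": ("MSS",), "ttl": 255},
}


def identify_os(fp, db=FINGERPRINT_DB):
    """Step S606: the first OS type whose selected items all match, else None."""
    for os_type, sig in db.items():
        if all(fp.get(item) == value for item, value in sig.items()):
            return os_type
    return None


def learn_signature(syns, items=("options", "ttl", "window")):
    """Self-learning: derive a signature from SYNs observed in the normal business
    model, keeping only the selected items whose value is constant across them."""
    fps = [extract_fingerprint(p) for p in syns]
    return {item: fps[0][item] for item in items
            if all(fp[item] == fps[0][item] for fp in fps)}


def decide(pkt, allowed=None, forbidden=None, db=FINGERPRINT_DB):
    """Return (action, os_type). Allow list (FIG. 6): an unidentified or unlisted OS
    is blocked. Deny list (FIG. 7): only listed OS types are blocked."""
    os_type = identify_os(extract_fingerprint(pkt), db)
    if allowed is not None:
        return ("release" if os_type in allowed else "block"), os_type
    if forbidden is not None:
        return ("block" if os_type in forbidden else "release"), os_type
    return "release", os_type


# Constructed SYNs reproducing the three signatures above.
WIN7_SYN = build_syn(128, True, 8192,
                     b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02")
CENTOS_SYN = build_syn(64, True, 29200, b"\x02\x04\x05\xb4\x04\x02\x08\x0a"
                       + b"\x00" * 8 + b"\x01\x03\x03\x07")
USG_SYN = build_syn(255, False, 65535, b"\x02\x04\x05\xb4")

if __name__ == "__main__":
    for pkt in (WIN7_SYN, CENTOS_SYN, USG_SYN):
        print(decide(pkt, allowed={"Windows 7"}), decide(pkt, forbidden={"Linux 3.1 (CentOS 7.1)"}))
```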
- the Anti-DDoS device engine can have 8 situations in the following table when processing packets:
- for example, when detecting that the server has suffered a DDoS attack, the Anti-DDoS device is triggered to perform fingerprint feature identification on all client OS types connected to the game server (specifically as described in the above embodiments); if the fingerprint identifies the client OS type as a system other than Windows 7/8 or Windows 10, for example a Linux 2.4 system, the SYN message is directly blocked, thereby blocking the client's access and mitigating the DDoS attack;
- otherwise, the SYN message is released.
- when detecting that the application server has suffered a DDoS attack, the Anti-DDoS device is triggered to perform fingerprint feature identification on all client OSs connected to the game server (specifically as described in the above embodiments); if the fingerprint identifies the client OS type as a non-iOS system, such as a Windows 7 system, SYN packets are directly blocked, thereby blocking the client's access and mitigating the DDoS attack;
- otherwise, the SYN message is released.
- the fingerprint features of the transport layer and the fingerprint features of the network layer in the embodiments of this application belong to the inherent system fingerprints of the operating system. Different operating systems generally differ in the above-mentioned fingerprint features, such as those in the IP header and options and in the TCP header and options.
- FIG. 8 shows a schematic diagram of fingerprint features corresponding to an operating system provided by an embodiment of the present application, taking the Windows 7 operating system as an example. It can be seen in FIG. 8 that the fingerprint features extracted from an access request message sent by Windows 7 in accordance with or following the TCP/IP protocol include one or more of the following:
- TCP options MSS (Maximum segment size), NOP (No-Operation), window scale, NOP, NOP, SACK Permitted;
- the TTL (Time to Live) of the IP header of the message is 128;
- the DF (Don't Fragment) flag of the IP header;
- the ID (Identification) field of the IP header.
- FIG. 9 shows a schematic diagram of fingerprint features corresponding to an operating system in another embodiment of the present application, taking the Linux version 3.1 (CentOS 7.1) operating system as an example. It can be seen in FIG. 9 that the fingerprint features extracted from an access request message sent by Linux version 3.1 (CentOS 7.1) in accordance with or following the TCP/IP protocol include one or more of the following:
- TCP options MSS, SACK Permitted, Timestamp, NOP, window scale;
- the TTL (Time to Live) of the IP header of the message is 64;
- the DF (Don't Fragment) flag of the IP header.
- FIG. 10 shows a schematic diagram of fingerprint features corresponding to an operating system in another embodiment provided by this application, taking the Linux 4.1 (Kali) operating system as an example. The fingerprint features of an access request message sent by it in accordance with or following the TCP/IP protocol include one or more of the following:
- TCP options MSS, SACK Permitted, Timestamp, NOP, window scale;
- the TTL of the IP header of the packet is 64;
- DF Don’t fragment
- A schematic diagram of the fingerprint features corresponding to an operating system in another embodiment provided by this application takes the operating system of the Huawei USG6670 gateway device as an example. The fingerprint features extracted from access request messages that the Huawei USG6670 gateway device sends in accordance with the TCP/IP protocol include one or more of the following:
- the TCP options consist of MSS only (the option order is MSS);
- the TTL of the IP header of the packet is 255.
- FIG. 12 shows a schematic structural diagram of a protective device provided by an embodiment of the present application.
- The protective device 120 may include a processor 1210, a network interface 1220, a memory 1230, a communication bus 1240, an input device 1250 and a display 1260.
- The processor 1210, the network interface 1220, the memory 1230, the input device 1250 and the display 1260 communicate with each other through the communication bus 1240.
- The input device 1250 can be a touch screen, a mouse, a keyboard, or another device or component that can capture user operations.
- The display 1260 can show prompt information so that the user can interact with the protective device 120 according to it; for example, information about blocked access request messages can be displayed for the user to view.
- The memory 1230 includes, but is not limited to, random access memory (RAM) and read-only memory (ROM).
- The memory 1230 can store an operating system (program) 1232 and an application program 1234.
- The network interface 1220 is used to communicate with other devices, for example to receive an access request message sent by a terminal device and to forward the access request message to the server.
- The processor 1210 may be one or more central processing units (CPUs). When the processor 1210 is a CPU, it may be a single-core or a multi-core CPU. The processor 1210 runs the operating system 1232, which provides a software running environment; in that environment the processor 1210 can call the application program 1234 to perform operations related to message processing. Specifically:
- The network interface 1220 is configured to receive a first access request message; the first access request message includes a message sent based on the TCP/IP protocol, and its destination is a server protected by the protective device.
- The processor 1210 is used to call a stored computer program (such as the application program 1234) to perform the following operations:
- extracting a first fingerprint feature from the transport layer and/or network layer header of the first access request message, where the first fingerprint feature corresponds to the operating system type of the terminal device that sent the first access request message; recognizing the first fingerprint feature based on a fingerprint feature library to determine whether to allow the first access request message to access the server, where the fingerprint feature library includes the fingerprint features corresponding to the operating system types of terminal devices that are allowed to access the server, or/and the fingerprint features corresponding to the operating system types of terminal devices that are not allowed to access the server;
- if the first access request message is allowed to access the server, the first access request message is released;
- if the first access request message is not allowed to access the server, the first access request message is blocked.
- The protective device 120 in the embodiment of FIG. 12 is described taking the case in which it includes the memory 1230 as an example.
- The protective device 120 of the embodiment of the present application may also omit the memory 1230.
- In that case the computer program may be stored on a cloud server in a cloud storage manner, and downloaded and executed to perform the message-processing operations.
- When the fingerprint feature library includes the fingerprint features corresponding to the operating system types of terminal devices that are allowed to access the server, the processor 1210 recognizing the first fingerprint feature based on the fingerprint feature library to determine whether to allow the first access request message to access the server may specifically include:
- determining whether the fingerprint feature library contains the first fingerprint feature; if it contains the first fingerprint feature, it is determined that the first access request message is allowed to access the server;
- if it does not contain the first fingerprint feature, it is determined that the first access request message is not allowed to access the server.
- Optionally, the input device 1250 may receive fingerprint features of the transport layer and/or the network layer entered by the user, and save the entered fingerprint features in the fingerprint feature library; or
- the processor 1210 is further configured to, before the network interface 1220 receives the first access request message, analyze a second access request message in the normal service model so as to obtain fingerprint features at the transport layer and/or network layer, and save the fingerprint features obtained by the analysis in the fingerprint feature library.
- When the fingerprint feature library includes the fingerprint features corresponding to the operating system types of terminal devices that are not allowed to access the server, the processor 1210 recognizing the first fingerprint feature based on the fingerprint feature library to determine whether to allow the first access request message to access the server may specifically include:
- determining whether the fingerprint feature library contains the first fingerprint feature; if it contains the first fingerprint feature, it is determined that the first access request message is not allowed to access the server; if it does not contain the first fingerprint feature, it is determined that the first access request message is allowed to access the server.
- Optionally, the input device 1250 may receive fingerprint features of the transport layer and/or the network layer entered by the user, and save the entered fingerprint features in the fingerprint feature library; or
- the processor 1210 is further configured to, before the network interface 1220 receives the first access request message, analyze a third access request message in the attack service model so as to obtain fingerprint features at the transport layer and/or network layer, and save the fingerprint features obtained by the analysis in the fingerprint feature library.
- When the fingerprint feature library includes both the fingerprint features corresponding to the operating system types of terminal devices that are allowed to access the server and the fingerprint features corresponding to the operating system types of terminal devices that are not allowed to access the server, the processor 1210 recognizing the first fingerprint feature based on the fingerprint feature library to determine whether to allow the first access request message to access the server may specifically include:
- the processor 1210 identifies the operating system type corresponding to the first fingerprint feature based on the fingerprint feature library, which contains the correspondence between operating system types and fingerprint features;
- the processor 1210 then determines, according to a first operating system type list or a second operating system type list, whether to allow the first access request message to access the server, where the first operating system type list includes at least one operating system type that is allowed to access the server,
- and the second operating system type list includes at least one operating system type that is forbidden to access the server.
- Optionally, the processor 1210 may trigger the step of extracting the first fingerprint feature from the transport layer and/or network layer header of the first access request message when it detects that the server has suffered a DDoS attack.
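As an added example (not code from the patent or its applicant), the following Python reconstructs the two steps described above and in the Figure 8 to 11 feature lists: it parses a raw IPv4/TCP SYN, extracts the features the patent names (TTL, DF flag, IP ID, TCP option order, MSS, window scale, window size), matches them against a fingerprint library seeded with the option orders and TTLs of Figures 8 to 11, and applies the first/second operating system type list decision. The sample packets, the rounding of the observed TTL to an initial value, and all function and constant names are constructed assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# TCP option kinds that appear in the patent's figures (RFC 793, 1323, 2018).
OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}


@dataclass(frozen=True)
class Fingerprint:
    """Features extracted from the IP and TCP headers of one SYN."""
    ttl: int                 # observed IP TTL (decremented by every router)
    df: bool                 # IP Don't Fragment flag
    ip_id: int               # IP identification field
    option_order: tuple      # TCP option kinds in the order they appear
    mss: Optional[int]       # Maximum Segment Size option value
    wscale: Optional[int]    # window scale option value
    window: int              # TCP window size


def parse_syn(packet: bytes) -> Fingerprint:
    """Extract the network/transport layer fingerprint from a raw IPv4+TCP SYN."""
    if len(packet) < 40:
        raise ValueError("truncated packet")
    ver_ihl, _tos, _total, ip_id, frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if (ver_ihl >> 4) != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = packet[(ver_ihl & 0x0F) * 4:]
    _sp, _dp, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    if (off_flags & 0x3F) != 0x02:         # only the SYN flag may be set
        raise ValueError("not a pure SYN")
    opts = tcp[20:(off_flags >> 12) * 4]
    order, mss, wscale, i = [], None, None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List
            order.append("EOL")
            break
        if kind == 1:                      # NOP carries no length byte
            order.append("NOP")
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")   # reject rather than guess
        length, body = opts[i + 1], opts[i + 2:i + opts[i + 1]]
        if kind == 2 and len(body) == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            wscale = body[0]
        order.append(OPTION_NAMES.get(kind, f"OPT{kind}"))
        i += length
    return Fingerprint(ttl, bool(frag & 0x4000), ip_id, tuple(order), mss, wscale, window)


def initial_ttl(observed: int) -> int:
    """Added heuristic: round the observed TTL up to the nearest common initial value,
    since a Windows 7 SYN that crossed 8 routers arrives with TTL 120, not 128."""
    for base in (32, 64, 128, 255):
        if observed <= base:
            return base
    raise ValueError("TTL out of range")


# Fingerprint library seeded from the patent's Figures 8-11: (option order, initial TTL)
# -> OS type. DF, IP ID and window are extracted but not matched, since the page
# gives no values for them. Figures 9 and 10 list identical features for both Linux builds.
LIBRARY = {
    (("MSS", "NOP", "WS", "NOP", "NOP", "SACK"), 128): "Windows 7",
    (("MSS", "SACK", "TS", "NOP", "WS"), 64): "Linux (CentOS 7.1 / Kali)",
    (("MSS",), 255): "Huawei USG6670",
}


def identify_os(fp: Fingerprint, library=LIBRARY) -> Optional[str]:
    """Step 1: look the extracted fingerprint up in the library."""
    return library.get((fp.option_order, initial_ttl(fp.ttl)))


def allow_access(fp: Fingerprint, allow_os=None, deny_os=None, library=LIBRARY) -> bool:
    """Step 2: consult the first (allowed) or second (forbidden) OS type list.
    An unknown fingerprint is blocked under an allow list and released under a deny
    list, which is exactly the behaviour of the two one-sided library modes."""
    os_type = identify_os(fp, library)
    if allow_os is not None:
        return os_type is not None and os_type in allow_os
    if deny_os is not None:
        return os_type not in deny_os
    raise ValueError("no operating system type list configured")


def build_syn(ttl: int, options: bytes, window: int = 8192, df: bool = True,
              ip_id: int = 0x1234) -> bytes:
    """Construct a sample IPv4+TCP SYN for offline testing (checksums left zero)."""
    assert len(options) % 4 == 0, "TCP options must be padded to 32-bit words"
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ip_id, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, ((tcp_len // 4) << 12) | 0x02,
                      window, 0, 0)
    return ip + tcp + options


# Constructed SYNs whose option bytes follow the orders listed in Figures 8, 9/10 and 11.
WIN7_SYN = build_syn(120, bytes.fromhex("020405b4" "01" "030308" "01" "01" "0402"))
LINUX_SYN = build_syn(60, bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307"),
                      window=29200)
USG_SYN = build_syn(250, bytes.fromhex("020405b4"))

if __name__ == "__main__":
    for name, pkt in (("win7", WIN7_SYN), ("linux", LINUX_SYN), ("usg6670", USG_SYN)):
        fp = parse_syn(pkt)
        verdict = "released" if allow_access(fp, deny_os={"Windows 7"}) else "blocked"
        print(f"{name}: {identify_os(fp)} ttl={fp.ttl} opts={fp.option_order} -> {verdict}")
```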
- FIG. 13 shows a schematic structural diagram of a message processing apparatus provided by an embodiment of the present application.
- The message processing apparatus 13 may include a message receiving unit 130, a fingerprint feature extraction unit 132 and a processing unit 134, where:
- the message receiving unit 130 is configured to receive a first access request message; the first access request message includes a message sent based on the TCP/IP protocol, and its destination is the server protected by the message processing apparatus;
- the fingerprint feature extraction unit 132 is configured to extract a first fingerprint feature from the transport layer and/or network layer header of the first access request message, where the first fingerprint feature corresponds to the operating system type of the terminal device that sent the first access request message;
- the processing unit 134 is configured to identify the first fingerprint feature based on a fingerprint feature library to determine whether to allow the first access request message to access the server, where the fingerprint feature library includes the fingerprint features corresponding to the operating system types of terminal devices that are allowed to access the server, or/and the fingerprint features corresponding to the operating system types of terminal devices that are not allowed to access the server;
- if the first access request message is allowed to access the server, the processing unit 134 releases the first access request message;
- if the first access request message is not allowed to access the server, the processing unit 134 blocks the first access request message.
- The fingerprint feature library may include the fingerprint features corresponding to the operating system types of terminal devices that are allowed to access the server; the processing unit 134 may then be specifically configured to:
- determine whether the fingerprint feature library contains the first fingerprint feature; if it contains the first fingerprint feature, determine that the first access request message is allowed to access the server; if it does not contain the first fingerprint feature, determine that the first access request message is not allowed to access the server.
- The message processing apparatus 13 may further include:
- a first feature receiving unit, configured to receive entered fingerprint features of the transport layer and/or the network layer before the message receiving unit 130 receives the first access request message, and to save the entered fingerprint features in the fingerprint feature library; or
- a first feature analysis unit, configured to analyze a second access request message in the normal service model before the message receiving unit 130 receives the first access request message, so as to obtain fingerprint features at the transport layer and/or network layer,
- and to store the fingerprint features obtained by the analysis in the fingerprint feature library.
- The fingerprint feature library may include the fingerprint features corresponding to the operating system types of terminal devices that are not allowed to access the server; the processing unit 134 may then be specifically configured to:
- determine whether the fingerprint feature library contains the first fingerprint feature; if it contains the first fingerprint feature, determine that the first access request message is not allowed to access the server; if it does not contain the first fingerprint feature, determine that the first access request message is allowed to access the server.
- The message processing apparatus 13 may further include:
- a second feature receiving unit, configured to receive entered fingerprint features of the transport layer and/or the network layer before the message receiving unit 130 receives the first access request message, and to save the entered fingerprint features in the fingerprint feature library; or
- a second feature analysis unit, configured to analyze a third access request message in the attack service model before the message receiving unit 130 receives the first access request message, so as to obtain fingerprint features at the transport layer and/or network layer,
- and to store the fingerprint features obtained by the analysis in the fingerprint feature library.
- The fingerprint feature library may include both the fingerprint features corresponding to the operating system types of terminal devices that are allowed to access the server and the fingerprint features corresponding to the operating system types of terminal devices that are not allowed to access the server.
- The processing unit 134 may then be specifically configured to identify the operating system type corresponding to the first fingerprint feature based on the fingerprint feature library, which contains the correspondence between operating system types and fingerprint features, and to determine according to a first operating system type list or a second operating system type list whether to allow the first access request message to access the server,
- where the first operating system type list includes at least one operating system type that is allowed to access the server,
- and the second operating system type list includes at least one operating system type that is forbidden to access the server.
- Optionally, the fingerprint feature extraction unit 132 may trigger the step of extracting the first fingerprint feature from the transport layer and/or network layer header of the first access request message when it is detected that the server has suffered a DDoS attack.
- The chip 14 may include at least one processor 140 and an interface circuit 142, where:
- the processor 140 is configured to, after the first access request message is input through the interface circuit 142, execute the computer program stored in the memory to perform the following steps:
- receiving the first access request message, where the first access request message includes a message sent based on the TCP/IP protocol and its destination is the server protected by the chip;
- extracting a first fingerprint feature from the transport layer and/or network layer header of the first access request message, and identifying the first fingerprint feature based on a fingerprint feature library to determine whether to allow the first access request message to access the server, where the fingerprint feature library includes the fingerprint features corresponding to the operating system types of terminal devices that are allowed to access the server, or/and the fingerprint features corresponding to the operating system types of terminal devices that are not allowed to access the server;
- if the first access request message is allowed to access the server, the first access request message is released;
- if the first access request message is not allowed to access the server, the first access request message is blocked.
- When the fingerprint feature library includes the fingerprint features corresponding to the operating system types of terminal devices that are allowed to access the server, the processor 140 recognizing the first fingerprint feature based on the fingerprint feature library to determine whether to allow the first access request message to access the server may specifically include:
- determining whether the fingerprint feature library contains the first fingerprint feature; if it contains the first fingerprint feature, it is determined that the first access request message is allowed to access the server;
- if it does not contain the first fingerprint feature, it is determined that the first access request message is not allowed to access the server.
- Optionally, the processor 140 may further execute, before the first access request message is input: analyzing a second access request message in the normal service model to obtain fingerprint features at the transport layer and/or network layer, and storing the fingerprint features obtained by the analysis in the fingerprint feature library.
- When the fingerprint feature library includes the fingerprint features corresponding to the operating system types of terminal devices that are not allowed to access the server, the processor 140 recognizing the first fingerprint feature based on the fingerprint feature library to determine whether to allow the first access request message to access the server may specifically include:
- determining whether the fingerprint feature library contains the first fingerprint feature; if it contains the first fingerprint feature, it is determined that the first access request message is not allowed to access the server; if it does not contain the first fingerprint feature, it is determined that the first access request message is allowed to access the server.
- Optionally, the processor 140 may further execute, before the first access request message is input:
- analyzing a third access request message in the attack service model to obtain fingerprint features at the transport layer and/or network layer, and storing the fingerprint features obtained by the analysis in the fingerprint feature library.
- Optionally, the processor 140 may trigger the step of extracting the first fingerprint feature from the transport layer and/or network layer header of the first access request message when it detects that the server has suffered a DDoS attack.
- The first access request message in the embodiments of the present application includes a SYN message.
- The computer-readable medium may include a computer-readable storage medium, which corresponds to a tangible medium such as a data storage medium, or a communication medium, which includes any medium that facilitates the transfer of a computer program from one place to another (for example, according to a communication protocol).
- In this way, a computer-readable medium may generally correspond to (1) a non-transitory tangible computer-readable storage medium, or (2) a communication medium, such as a signal or carrier wave.
- Data storage media may be any available media that can be accessed by one or more computers or one or more processors to retrieve instructions, code and/or data structures for implementing the techniques described in this application.
- The computer program product may include a computer-readable medium.
- Such computer-readable storage media may include RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, flash memory, or any other medium that can be used to store the desired program code in the form of instructions or data structures and that can be accessed by a computer. Also, any connection is properly termed a computer-readable medium.
- For example, if instructions are transmitted from a website, server or other remote source using coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wireless technologies such as infrared, radio and microwave,
- then coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio and microwave are included in the definition of media.
- However, computer-readable storage media and data storage media do not include connections, carrier waves, signals or other transitory media, but are instead directed to non-transitory tangible storage media.
- As used herein, magnetic disks and optical disks include compact discs (CDs), laser discs, optical discs, digital versatile discs (DVDs) and Blu-ray discs, where magnetic disks usually reproduce data magnetically while optical discs reproduce data optically with lasers. Combinations of the above should also be included in the scope of computer-readable media.
- The instructions may be executed by one or more processors, such as digital signal processors (DSPs), application-specific integrated circuits (ASICs) or field programmable logic arrays (FPGAs).
- Therefore, the term "processor" as used herein may refer to any of the foregoing structures or any other structure suitable for implementing the techniques described herein.
- In addition, the functions described by the various illustrative logical blocks, modules and steps described herein may be provided in dedicated hardware and/or software modules configured for encoding and decoding, or incorporated in a combined codec.
- The techniques can also be fully implemented in one or more circuits or logic elements.
- The technology of this application can be implemented in a wide variety of devices or apparatuses, including wireless handsets, integrated circuits (ICs), or a set of ICs (for example, a chipset).
- Various components, modules or units are described in this application to emphasize the functional aspects of a device configured to implement the disclosed technology, but they do not necessarily need to be implemented by different hardware units.
- Rather, the various units can be combined in a codec hardware unit together with appropriate software and/or firmware, or provided by interoperating hardware units (including one or more processors as described above).
Claims (18)
- A message processing method, characterized by comprising: a protective device receives a first access request message, the first access request message comprising a message sent based on the TCP/IP protocol, and the destination of the first access request message being a server protected by the protective device; the protective device extracts a first fingerprint feature from the transport layer and/or network layer header of the first access request message, the first fingerprint feature corresponding to the operating system type of the terminal device that sent the first access request message; the first fingerprint feature is identified based on a fingerprint feature library to determine whether the first access request message is allowed to access the server, wherein the fingerprint feature library comprises fingerprint features corresponding to operating system types of terminal devices allowed to access the server, or/and fingerprint features corresponding to operating system types of terminal devices not allowed to access the server; if the first access request message is allowed to access the server, the first access request message is released; if the first access request message is not allowed to access the server, the first access request message is blocked.
- The method according to claim 1, characterized in that the fingerprint feature library comprises fingerprint features corresponding to operating system types of terminal devices allowed to access the server, and identifying the first fingerprint feature based on the fingerprint feature library to determine whether the first access request message is allowed to access the server comprises: determining whether the fingerprint feature library contains the first fingerprint feature; if it contains the first fingerprint feature, determining that the first access request message is allowed to access the server; if it does not contain the first fingerprint feature, determining that the first access request message is not allowed to access the server.
- The method according to claim 2, characterized in that, before receiving the first access request message, the method further comprises: receiving input fingerprint features of the transport layer and/or network layer, and saving the input fingerprint features in the fingerprint feature library; or analyzing a second access request message in a normal service model to obtain fingerprint features at the transport layer and/or network layer, and saving the fingerprint features obtained by the analysis in the fingerprint feature library.
- The method according to claim 1, characterized in that the fingerprint feature library comprises fingerprint features corresponding to operating system types of terminal devices not allowed to access the server, and identifying the first fingerprint feature based on the fingerprint feature library to determine whether the first access request message is allowed to access the server comprises: determining whether the fingerprint feature library contains the first fingerprint feature; if it contains the first fingerprint feature, determining that the first access request message is not allowed to access the server; if it does not contain the first fingerprint feature, determining that the first access request message is allowed to access the server.
- The method according to claim 4, characterized in that, before receiving the first access request message, the method further comprises: receiving input fingerprint features of the transport layer and/or network layer, and saving the input fingerprint features in the fingerprint feature library; or analyzing a third access request message in an attack service model to obtain fingerprint features at the transport layer and/or network layer, and saving the fingerprint features obtained by the analysis in the fingerprint feature library.
- The method according to claim 1, characterized in that the fingerprint feature library comprises fingerprint features corresponding to operating system types of terminal devices allowed to access the server and fingerprint features corresponding to operating system types of terminal devices not allowed to access the server, and identifying the first fingerprint feature based on the fingerprint feature library to determine whether the first access request message is allowed to access the server comprises: identifying, based on the fingerprint feature library, the operating system type corresponding to the first fingerprint feature, the fingerprint feature library containing the correspondence between operating system types and fingerprint features; and determining, according to a first operating system type list or a second operating system type list, whether the first access request message is allowed to access the server, the first operating system type list comprising at least one operating system type allowed to access the server, and the second operating system type list comprising at least one operating system type forbidden to access the server.
- The method according to any one of claims 1 to 6, characterized in that the first fingerprint feature and the fingerprint features in the fingerprint feature library are transport layer fingerprint features; the transport layer fingerprint features comprise one or more of the following: option ordering information in the TCP options; maximum segment size information; window size information; window scale information; DF flag information.
- The method according to any one of claims 1 to 6, characterized in that the first fingerprint feature and the fingerprint features in the fingerprint feature library are network layer fingerprint features; the network layer fingerprint features comprise one or more of the following: IP packet time-to-live information; IP header identification information.
- A protective device, characterized by comprising a processor and a network interface, wherein the network interface is configured to receive a first access request message, the first access request message comprising a message sent based on the TCP/IP protocol, and the destination of the first access request message being a server protected by the protective device; the processor is configured to call a stored computer program to perform the following operations: extracting a first fingerprint feature from the transport layer and/or network layer header of the first access request message, the first fingerprint feature corresponding to the operating system type of the terminal device that sent the first access request message; identifying the first fingerprint feature based on a fingerprint feature library to determine whether the first access request message is allowed to access the server, wherein the fingerprint feature library comprises fingerprint features corresponding to operating system types of terminal devices allowed to access the server, or/and fingerprint features corresponding to operating system types of terminal devices not allowed to access the server; if the first access request message is allowed to access the server, releasing the first access request message; if the first access request message is not allowed to access the server, blocking the first access request message.
- The device according to claim 9, characterized in that the fingerprint feature library comprises fingerprint features corresponding to operating system types of terminal devices allowed to access the server, and the processor identifying the first fingerprint feature based on the fingerprint feature library to determine whether the first access request message is allowed to access the server comprises: the processor determines whether the fingerprint feature library contains the first fingerprint feature; if it contains the first fingerprint feature, it determines that the first access request message is allowed to access the server; if it does not contain the first fingerprint feature, it determines that the first access request message is not allowed to access the server.
- The device according to claim 10, characterized in that the protective device further comprises an input device; the input device is configured to, before the network interface receives the first access request message, receive input fingerprint features of the transport layer and/or network layer and save the input fingerprint features in the fingerprint feature library; or the processor is further configured to, before the network interface receives the first access request message, analyze a second access request message in a normal service model to obtain fingerprint features at the transport layer and/or network layer, and save the fingerprint features obtained by the analysis in the fingerprint feature library.
- The device according to claim 9, characterized in that the fingerprint feature library comprises fingerprint features corresponding to operating system types of terminal devices not allowed to access the server, and the processor identifying the first fingerprint feature based on the fingerprint feature library to determine whether the first access request message is allowed to access the server comprises: the processor determines whether the fingerprint feature library contains the first fingerprint feature; if it contains the first fingerprint feature, it determines that the first access request message is not allowed to access the server; if it does not contain the first fingerprint feature, it determines that the first access request message is allowed to access the server.
- The device according to claim 12, characterized in that the protective device further comprises an input device; the input device is configured to, before the network interface receives the first access request message, receive input fingerprint features of the transport layer and/or network layer and save the input fingerprint features in the fingerprint feature library; or the processor is further configured to, before the network interface receives the first access request message, analyze a third access request message in an attack service model to obtain fingerprint features at the transport layer and/or network layer, and save the fingerprint features obtained by the analysis in the fingerprint feature library.
- The device according to claim 9, characterized in that the fingerprint feature library comprises fingerprint features corresponding to operating system types of terminal devices allowed to access the server and fingerprint features corresponding to operating system types of terminal devices not allowed to access the server, and the processor identifying the first fingerprint feature based on the fingerprint feature library to determine whether the first access request message is allowed to access the server comprises: the processor identifies, based on the fingerprint feature library, the operating system type corresponding to the first fingerprint feature, the fingerprint feature library containing the correspondence between operating system types and fingerprint features; and determines, according to a first operating system type list or a second operating system type list, whether the first access request message is allowed to access the server, the first operating system type list comprising at least one operating system type allowed to access the server, and the second operating system type list comprising at least one operating system type forbidden to access the server.
- The device according to any one of claims 9 to 14, characterized in that the first fingerprint feature and the fingerprint features in the fingerprint feature library are transport layer fingerprint features; the transport layer fingerprint features comprise one or more of the following: option ordering information in the TCP options; maximum segment size information; window size information; window scale information; DF flag information.
- The device according to any one of claims 9 to 14, characterized in that the first fingerprint feature and the fingerprint features in the fingerprint feature library are network layer fingerprint features; the network layer fingerprint features comprise one or more of the following: IP packet time-to-live information; IP header identification information.
- A message processing apparatus, characterized by comprising: a message receiving unit, configured to receive a first access request message, the first access request message comprising a message sent based on the TCP/IP protocol, and the destination of the first access request message being a server protected by the message processing apparatus; a fingerprint feature extraction unit, configured to extract a first fingerprint feature from the transport layer and/or network layer header of the first access request message, the first fingerprint feature corresponding to the operating system type of the terminal device that sent the first access request message; and a processing unit, configured to identify the first fingerprint feature based on a fingerprint feature library to determine whether the first access request message is allowed to access the server, wherein the fingerprint feature library comprises fingerprint features corresponding to operating system types of terminal devices allowed to access the server, or/and fingerprint features corresponding to operating system types of terminal devices not allowed to access the server; if the first access request message is allowed to access the server, the processing unit releases the first access request message; if the first access request message is not allowed to access the server, the processing unit blocks the first access request message.
- A computer-readable storage medium, characterized in that the computer-readable storage medium stores a program which, when executed by a processor, causes the processor to perform the method according to any one of claims 1 to 8.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2022523404A JP7388613B2 (ja) | 2019-10-31 | 2020-09-25 | パケット処理方法及び装置、デバイス、並びに、コンピュータ可読ストレージ媒体 |
EP20883473.9A EP4044546A4 (en) | 2019-10-31 | 2020-09-25 | METHOD, DEVICE AND DEVICE FOR MESSAGE PROCESSING, AND COMPUTER-READABLE STORAGE MEDIUM |
CA3159619A CA3159619C (en) | 2019-10-31 | 2020-09-25 | Packet processing method and apparatus, device, and computer-readable storage medium |
US17/731,893 US20220263823A1 (en) | 2019-10-31 | 2022-04-28 | Packet Processing Method and Apparatus, Device, and Computer-Readable Storage Medium |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911057490.8 | 2019-10-31 | ||
CN201911057490.8A CN112751815B (zh) | 2019-10-31 | 2019-10-31 | 报文处理方法、装置、设备及计算机可读存储介质 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/731,893 Continuation US20220263823A1 (en) | 2019-10-31 | 2022-04-28 | Packet Processing Method and Apparatus, Device, and Computer-Readable Storage Medium |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2021082834A1 true WO2021082834A1 (zh) | 2021-05-06 |
Family
ID=75645700
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2020/117875 WO2021082834A1 (zh) | 2019-10-31 | 2020-09-25 | 报文处理方法、装置、设备及计算机可读存储介质 |
Country Status (6)
Country | Link |
---|---|
US (1) | US20220263823A1 (zh) |
EP (1) | EP4044546A4 (zh) |
JP (1) | JP7388613B2 (zh) |
CN (1) | CN112751815B (zh) |
CA (1) | CA3159619C (zh) |
WO (1) | WO2021082834A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115242675A (zh) * | 2022-07-25 | 2022-10-25 | 北京天融信网络安全技术有限公司 | 一种物联网终端的类型识别方法及系统 |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114710781A (zh) * | 2020-12-16 | 2022-07-05 | 华为技术有限公司 | 一种终端识别方法及装置 |
CN113505007A (zh) * | 2021-07-12 | 2021-10-15 | 北京鲸鲮信息系统技术有限公司 | 基于Linux系统的协议栈数据传输方法、计算机设备和存储介质 |
CN114465795B (zh) * | 2022-01-27 | 2024-03-29 | 杭州默安科技有限公司 | 一种干扰网络扫描器的方法及系统 |
CN115051977B (zh) * | 2022-06-24 | 2023-09-19 | 绿盟科技集团股份有限公司 | 一种Web机器人的识别方法、装置、设备和介质 |
CN116232767B (zh) * | 2023-05-06 | 2023-08-15 | 杭州美创科技股份有限公司 | DDoS防御方法、装置、计算机设备及存储介质 |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160241576A1 (en) * | 2015-02-13 | 2016-08-18 | Canon Kabushiki Kaisha | Detection of anomalous network activity |
CN106534068A (zh) * | 2016-09-29 | 2017-03-22 | 广州华多网络科技有限公司 | 一种ddos防御系统中清洗伪造源ip的方法和装置 |
CN106789934A (zh) * | 2016-11-29 | 2017-05-31 | 北京神州绿盟信息安全科技股份有限公司 | 一种网络设备识别方法及系统 |
CN107800668A (zh) * | 2016-09-05 | 2018-03-13 | 华为技术有限公司 | 一种分布式拒绝服务攻击防御方法、装置及系统 |
CN110113290A (zh) * | 2018-02-01 | 2019-08-09 | 华为技术有限公司 | 网络攻击的检测方法、装置、主机及存储介质 |
CN111565203A (zh) * | 2020-07-16 | 2020-08-21 | 腾讯科技(深圳)有限公司 | 业务请求的防护方法、装置、系统和计算机设备 |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7949732B1 (en) * | 2003-05-12 | 2011-05-24 | Sourcefire, Inc. | Systems and methods for determining characteristics of a network and enforcing policy |
JP5011234B2 (ja) | 2008-08-25 | 2012-08-29 | 株式会社日立情報システムズ | 攻撃ノード群判定装置およびその方法、ならびに情報処理装置および攻撃対処方法、およびプログラム |
CN106549925A (zh) * | 2015-09-23 | 2017-03-29 | 阿里巴巴集团控股有限公司 | 防止跨站点请求伪造的方法、装置及系统 |
WO2017058966A1 (en) | 2015-09-28 | 2017-04-06 | Department 13, LLC | Unmanned aerial vehicle intrusion detection and countermeasures |
KR101859562B1 (ko) | 2016-11-11 | 2018-05-21 | 한국인터넷진흥원 | 취약점 정보 분석 방법 및 장치 |
JP2019022066A (ja) | 2017-07-14 | 2019-02-07 | 日本電信電話株式会社 | 検出システム、検出方法及び検出プログラム |
JP6866258B2 (ja) | 2017-08-14 | 2021-04-28 | 日本電信電話株式会社 | 端末識別装置、端末識別方法及びプログラム |
CN108600145B (zh) * | 2017-12-25 | 2020-12-25 | 北京神州绿盟信息安全科技股份有限公司 | 一种确定DDoS攻击设备的方法及装置 |
CN108521408B (zh) * | 2018-03-22 | 2021-03-12 | 平安科技(深圳)有限公司 | 抵抗网络攻击方法、装置、计算机设备及存储介质 |
2019
- 2019-10-31 CN CN201911057490.8A patent/CN112751815B/zh active Active
2020
- 2020-09-25 JP JP2022523404A patent/JP7388613B2/ja active Active
- 2020-09-25 WO PCT/CN2020/117875 patent/WO2021082834A1/zh unknown
- 2020-09-25 EP EP20883473.9A patent/EP4044546A4/en active Pending
- 2020-09-25 CA CA3159619A patent/CA3159619C/en active Active
2022
- 2022-04-28 US US17/731,893 patent/US20220263823A1/en active Pending
Non-Patent Citations (1)
Title |
---|
See also references of EP4044546A4 |
Also Published As
Publication number | Publication date |
---|---|
CA3159619A1 (en) | 2021-05-06 |
EP4044546A1 (en) | 2022-08-17 |
CN112751815B (zh) | 2021-11-19 |
EP4044546A4 (en) | 2022-11-02 |
JP7388613B2 (ja) | 2023-11-29 |
CA3159619C (en) | 2024-05-21 |
CN112751815A (zh) | 2021-05-04 |
US20220263823A1 (en) | 2022-08-18 |
JP2022554101A (ja) | 2022-12-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2021082834A1 (zh) | 报文处理方法、装置、设备及计算机可读存储介质 | |
US10454953B1 (en) | System and method for separated packet processing and static analysis | |
US10855700B1 (en) | Post-intrusion detection of cyber-attacks during lateral movement within networks | |
KR101054705B1 (ko) | 위조 발생지 어드레스를 가진 포트 스캔을 탐지하기 위한 방법 및 장치 | |
US11831420B2 (en) | Network application firewall | |
US9800608B2 (en) | Processing data flows with a data flow processor | |
US9912678B2 (en) | Techniques for automatically mitigating denial of service attacks via attack pattern matching | |
CN111193719A (zh) | 一种网络入侵防护系统 | |
US20110213869A1 (en) | Processing data flows with a data flow processor | |
US20110231564A1 (en) | Processing data flows with a data flow processor | |
US20110238855A1 (en) | Processing data flows with a data flow processor | |
US10757135B2 (en) | Bot characteristic detection method and apparatus | |
JP2019021294A (ja) | DDoS攻撃判定システムおよび方法 | |
JP2010520566A (ja) | 外部デバイスとホスト・デバイスの間でデータおよびデバイスのセキュリティを提供するためのシステムおよび方法 | |
Kumar et al. | DDOS prevention in IoT | |
CN111565203B (zh) | 业务请求的防护方法、装置、系统和计算机设备 | |
Huang et al. | An authentication scheme to defend against UDP DrDoS attacks in 5G networks | |
JP6592196B2 (ja) | 悪性イベント検出装置、悪性イベント検出方法および悪性イベント検出プログラム | |
CN114726579B (zh) | 防御网络攻击的方法、装置、设备、存储介质及程序产品 | |
Patel et al. | A Snort-based secure edge router for smart home | |
US10182071B2 (en) | Probabilistic tracking of host characteristics | |
CN114553452B (zh) | 攻击防御方法及防护设备 | |
KR20180102884A (ko) | 방화벽 및 이의 패킷 처리 방법 | |
WO2022156197A1 (zh) | 攻击成功识别方法及防护设备 | |
Williams | Risk Access Spots (RAS) Common to Communication Networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20883473 Country of ref document: EP Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2022523404 Country of ref document: JP Kind code of ref document: A |
| ENP | Entry into the national phase | Ref document number: 3159619 Country of ref document: CA |
| ENP | Entry into the national phase | Ref document number: 2020883473 Country of ref document: EP Effective date: 20220428 |
| NENP | Non-entry into the national phase | Ref country code: DE |