WO2021244449A1 - Data processing method and apparatus - Google Patents


Publication number
WO2021244449A1
Authority
WO
WIPO (PCT)
Prior art keywords
data packet
port number
source
address
verification code
Application number
PCT/CN2021/096986
Other languages
French (fr)
Chinese (zh)
Inventor
江伟玉
刘冰洋
郑秀丽
王闯
Original Assignee
华为技术有限公司

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L 63/1441 Countermeasures against malicious traffic > H04L 63/1458 Denial of Service
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L 63/0227 Filtering policies > H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/16 Implementing security features at a particular protocol layer > H04L 63/166 Implementing security features at a particular protocol layer at the transport layer

Definitions

  • This application relates to the field of communications, and in particular to a data processing method and device.
  • DRDoS Distributed Reflection Denial of Service
  • Black hole technology or traffic cleaning technology is usually used to defend against DRDoS attacks.
  • When network equipment uses black hole technology, it directs both illegal traffic and legal traffic to the black hole and cannot distinguish between legal traffic and illegal traffic.
  • With traffic cleaning technology, it takes a long time to distinguish legal traffic from illegal traffic. Therefore, how to quickly distinguish legitimate traffic from illegal traffic when defending against DRDoS attacks is an urgent problem to be solved.
  • This application provides a data processing method and device, which solves the problem of how to quickly distinguish legitimate traffic from illegal traffic when defending against DRDoS attacks.
  • This application provides a data processing method, which can be applied to a network device, or to a communication device that can support the network device to implement the method (for example, the communication device includes a chip system). The method includes: after the network device receives the first data packet, it determines that the first data packet is traffic from the reflection device according to the transport layer protocol number and the first source port number, extracts the first verification code from the destination port field, generates a second verification code according to the key and the information to be authenticated, and determines whether the first data packet is legal according to the first verification code and the second verification code. If the first data packet is legal, the network device forwards the first data packet to the protected device.
  • Alternatively, the network device replaces the destination port number with the second source port number to obtain the second data packet, and forwards the second data packet to the protected device.
  • If the first data packet is illegal, it is discarded, so that a large amount of forged attack traffic can be filtered out.
  • the first data packet includes the transport layer protocol number, the first source port number and the destination port number.
  • the reflection device is the device that sends the DRDoS attack.
  • a reflection device is a device capable of being used by an attacker to send DRDoS attack traffic.
  • the reflection device can be a domain name system device, a network time protocol device, or a simple network management protocol device.
  • the information to be authenticated includes the source Internet Protocol (IP) address, and the source IP address is the IP address of the reflection device.
  • IP Internet Protocol
  • the network device may also generate a second verification code in advance based on the key and the information to be authenticated, and save the correspondence between the information to be authenticated and the second verification code. After the network device determines that the first data packet is a flow from the reflection device according to the transport layer protocol number and the first source port number, it can also look up the table according to the information to be authenticated to obtain the second verification code associated with the information to be authenticated.
  • The data processing method provided by the embodiment of the application uses the port field included in the transport layer header of the data packet to carry the verification code, so that after the network device receives a data packet from the reflection device, legal and illegal data packets can be distinguished by the verification code, and only legitimate data packets are forwarded, which can deal with most reflection-type denial-of-service attacks. Compared with black hole technology, the data processing method provided in the embodiments of the present application can ensure that legal traffic is forwarded, avoid legal traffic being discarded by the black hole, and let the network device filter most of the DRDoS attack traffic. Compared with traffic cleaning technology, the data processing method provided in the embodiments of the present application can reduce the delay in processing legal traffic caused by deep protocol analysis.
  • Because the verifiable identifier can be embedded in the destination port field, network devices do not need to process application layer data and can filter directly at the transport layer, which reduces the cost of defending against DRDoS attacks and does not rely on cross-domain cooperation.
  • Determining that the first data packet is traffic from the reflection device according to the transport layer protocol number and the first source port number includes: determining that the reflection-type protocol port feature set includes the first source port number and the transport layer protocol number, and that the transport layer protocol number is the User Datagram Protocol (UDP) number or the Transmission Control Protocol (TCP) number; the first data packet is then a flow from the reflection device.
  • UDP User Datagram Protocol
  • TCP Transmission Control Protocol
  • the information to be authenticated further includes at least one of the destination IP address, the first source port number, and the transport layer protocol number included in the first data packet.
  • the destination IP address is the IP address of the protected device, and the protected device is the device that is attacked by DRDoS.
  • the information to be authenticated further includes at least one of a port index and a time parameter, and the port index is used to identify an application.
  • the destination port number also includes a port index.
  • Before replacing the destination port number with the second source port number, the method further includes: determining that the legal flow table includes the quintuple of the first data packet, and obtaining from the legal flow table the second source port number corresponding to the quintuple of the first data packet.
  • The quintuple of the first data packet is used to uniquely identify a piece of network traffic.
  • The quintuple of the first data packet includes the source IP address, destination IP address, transport layer protocol number, first source port number and destination port number.
  • this application provides a data processing method, which can be applied to network equipment, or the method can be applied to a communication device that can support network equipment to implement the method.
  • The communication device includes a chip system, and the method includes: after the network device receives the first data packet, it determines that the first data packet is traffic sent to the reflection device according to the transport layer protocol number and the destination port number, replaces the first source port number with the second source port number to obtain the second data packet, and sends the second data packet.
  • the first data packet includes the transport layer protocol number, the first source port number and the destination port number.
  • the second source port number includes a verification code, the verification code is determined based on the key and the information to be authenticated, the information to be authenticated includes the destination IP address, and the destination IP address is the IP address of the reflection device.
  • The data processing method provided by the embodiments of the present application uses the port field included in the transport layer header of the data packet to carry the verification code, so that after the network device receives a data packet from the reflection device, legal and illegal data packets can be distinguished by the verification code, and only legitimate data packets are forwarded, which can deal with most reflection-type denial-of-service attacks.
  • Determining that the first data packet is traffic sent to the reflection device according to the transport layer protocol number and the destination port number includes: determining that the reflection-type protocol port feature set includes the destination port number and the transport layer protocol number, and that the transport layer protocol number is the UDP number or the TCP number; the first data packet is then a flow sent to the reflection device.
  • The information to be authenticated further includes at least one of the source IP address, the destination port number, and the transport layer protocol number contained in the first data packet, and/or at least one of the first port index and the time parameter.
  • the source IP address is the IP address of the source device, and the source device is a protected device that suffers from a DRDoS attack.
  • the first port index is used to identify an application.
  • the second source port number also includes the first port index.
  • Before replacing the first source port number with the second source port number, the method further includes: determining that the legal flow table includes the quintuple of the first data packet, and obtaining from the legal flow table the second source port number corresponding to the quintuple of the first data packet.
  • The quintuple of the first data packet is used to uniquely identify a piece of network traffic.
  • The quintuple of the first data packet includes the source IP address, the destination IP address, the transport layer protocol number, the first source port number and the destination port number.
  • The method further includes: determining whether the legal flow table includes the four-tuple of the first data packet, that is, the quintuple without the first source port number. If the legal flow table does not include this four-tuple, the first port index is generated; if the legal flow table includes this four-tuple, the second port index corresponding to the four-tuple is updated to obtain the first port index.
  • This application provides a data processing method, which can be applied to network equipment, or to a communication device that can support network equipment to implement the method (for example, the communication device includes a chip system). The method includes: after receiving the first data packet, the network device determines that the first data packet is a flow from the reflection device according to the transport layer protocol number and the first source port number, replaces the destination port number contained in the first data packet with the second source port number to obtain the second data packet, and forwards the second data packet to the protected device.
  • The first data packet includes a transport layer protocol number, a first source port number and a destination port number.
  • the destination port number includes a verification code.
  • this application provides a data processing method, which can be applied to network equipment, or the method can be applied to a communication device that can support network equipment to implement the method.
  • The communication device includes a chip system, and the method includes: after receiving the first data packet, the network device extracts the first verification code from the destination port field contained in the first data packet, generates a second verification code according to the key and the information to be authenticated, and determines whether the first data packet is legal according to the first verification code and the second verification code. If the first data packet is legal, the network device forwards the first data packet to the protected device; or, the network device replaces the destination port number with the second source port number to obtain the second data packet, and forwards the second data packet to the protected device.
  • the reflection device is a device that sends a DRDoS attack.
  • the information to be authenticated includes the source IP address included in the first data packet, and the source IP address is the IP address of the reflection device.
  • this application provides a data processing method, which can be applied to network equipment, or the method can be applied to a communication device that can support network equipment to implement the method, for example, the communication device includes a chip system, and the method includes: After receiving the first data packet, the network device replaces the first source port number included in the first data packet with the second source port number to obtain the second data packet, and then sends the second data packet.
  • The second source port number includes a verification code.
  • The verification code is determined according to the key and the information to be authenticated.
  • The information to be authenticated includes the destination IP address included in the first data packet.
  • the destination IP address is the IP address of the reflection device.
  • this application provides a data processing method, which can be applied to network equipment, or the method can be applied to a communication device that can support network equipment to implement the method.
  • the communication device includes a chip system, and the method includes: After receiving the first data packet, the network device replaces the destination port number contained in the first data packet with the second source port number to obtain the second data packet; and forwards the second data packet to the protected device.
  • the first data packet includes a transport layer protocol number, a first source port number and a destination port number, and the destination port number includes a verification code.
  • the embodiments of the present application also provide a communication device, and the beneficial effects can be referred to the description of the first aspect and will not be repeated here.
  • the communication device has a function of realizing the behavior in the method example of the first aspect or the fourth aspect.
  • the functions can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the communication device includes: a receiving unit, a processing unit, and a sending unit.
  • the receiving unit is configured to receive a first data packet, where the first data packet includes a transport layer protocol number, a first source port number, and a destination port number, and the destination port number includes a first verification code.
  • the processing unit is configured to determine that the first data packet is a flow from the reflection device according to the transport layer protocol number and the first source port number.
  • the processing unit is further configured to generate a second verification code according to the key and the information to be authenticated.
  • the information to be authenticated includes the source IP address contained in the first data packet, and the source IP address is the IP address of the reflection device.
  • the processing unit is further configured to determine whether the first data packet is legal according to the first verification code and the second verification code.
  • the processing unit is further configured to replace the destination port number with the second source port number to obtain the second data packet.
  • the sending unit is configured to forward the first data packet or the second data packet to the protected device, where the second data packet includes the second source port number.
  • the embodiments of the present application also provide a communication device, and the beneficial effects can be referred to the description of the second aspect and will not be repeated here.
  • the communication device has the function of realizing the behavior in the method example of the second aspect or the fifth aspect described above.
  • the functions can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the communication device includes: a receiving unit, a processing unit, and a sending unit.
  • the receiving unit is configured to receive a first data packet, where the first data packet includes a transport layer protocol number, a first source port number, and a destination port number.
  • the processing unit is configured to determine that the first data packet is a flow sent to the reflection device according to the transport layer protocol number and the destination port number.
  • The processing unit is further configured to replace the first source port number with the second source port number to obtain a second data packet, where the second source port number includes a verification code, the verification code is determined according to the key and the information to be authenticated, the information to be authenticated includes the destination IP address included in the first data packet, and the destination IP address is the IP address of the reflection device.
  • the sending unit is used to send the second data packet.
  • the embodiments of the present application also provide a communication device, and the beneficial effects can be referred to the description of the third aspect and will not be repeated here.
  • the communication device has the function of realizing the behavior in the method example of the third aspect or the sixth aspect.
  • the functions can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the communication device includes: a receiving unit, a processing unit, and a sending unit.
  • The receiving unit is used to receive the first data packet; the processing unit is used to determine that the first data packet is a flow from the reflection device according to the transport layer protocol number and the first source port number; the processing unit is also used to replace the destination port number with the second source port number to obtain the second data packet.
  • the sending unit is used to forward the second data packet to the protected device.
  • the first data packet includes the transport layer protocol number, the first source port number, and the destination port number, and the destination port number includes the first verification code.
  • a communication device may be the network device in the foregoing method embodiment, or a chip set in the network device.
  • the communication device includes an interface circuit, a processor, and optionally, a memory.
  • the memory is used to store a computer program or instruction, and the processor is coupled with the memory and an interface circuit.
  • When the processor executes the computer program or instruction, the communication device executes the method executed by the network device in the foregoing method embodiment.
  • A computer program product comprising computer program code which, when run, causes the network device to execute the above-mentioned methods of the first to sixth aspects.
  • the present application provides a chip system, which includes a processor, and is configured to implement the functions of the network device in the methods of the foregoing aspects.
  • the chip system further includes a memory for storing program instructions and/or data.
  • the chip system can be composed of chips, and can also include chips and other discrete devices.
  • The present application provides a computer-readable storage medium that stores a computer program; when the computer program is run, the network device executes the methods of the first to sixth aspects above.
  • Figure 1 is an example diagram of a DRDoS attack provided by the prior art.
  • FIG. 2 is an example diagram of the architecture of a communication system provided by an embodiment of this application.
  • FIG. 3 is a flowchart of a data processing method provided by an embodiment of the application.
  • FIG. 4 is a flowchart of a data processing method provided by an embodiment of the application.
  • FIG. 5 is a schematic diagram of the structure of an IPv4 data packet provided by an embodiment of this application.
  • FIG. 6 is a schematic structural diagram of a source port number provided by an embodiment of this application.
  • FIG. 7 is a flowchart of a data processing method provided by an embodiment of the application.
  • FIG. 8 is a flowchart of a data processing method provided by an embodiment of the application.
  • FIG. 9 is a flowchart of a data processing method provided by an embodiment of the application.
  • FIG. 10 is a flowchart of a data processing method provided by an embodiment of this application.
  • FIG. 11 is a flowchart of a data processing method provided by an embodiment of the application.
  • FIG. 12 is a schematic structural diagram of a data processing device provided by an embodiment of the application.
  • FIG. 13 is a schematic structural diagram of a data processing device provided by an embodiment of the application.
  • the difference between the Distributed Reflection Denial of Service (DRDoS) attack and the Distributed Denial of Service (DDoS) attack is that the attacker does not need to occupy a large number of controlled devices before the attack.
  • The attacker uses very few resources to send data packets whose source Internet Protocol (IP) address is the IP address of the protected device to the controlled devices, and the controlled devices cause a large number of responses to be sent to the protected device, thus successfully attacking the protected device.
  • IP Internet Protocol
  • FIG. 1 is a schematic diagram of the principle of a DRDoS attack provided by an embodiment of the application.
  • Controlled equipment refers to equipment directly controlled by the attacking equipment.
  • When the attacking device knows the IP address of the protected device (such as a server), it can control multiple controlled devices to use the IP address of the protected device, IP_VIC, as the source IP address and the IP address of the reflection device, IP_n, as the destination address, and send data packets with the forged source address to the reflection devices, that is, send service requests to a large number of distributed reflection devices.
  • each reflecting device receives the service request from the controlled device, it can send a data packet for attacking the protected device to the protected device.
  • By sending a small amount of attack traffic to the distributed and available reflection devices, the attacker has the utilized reflection devices amplify the traffic by dozens of times or even hundreds of thousands of times and return it to the protected device; a large amount of amplified reflected traffic is aggregated at the protected device, exhausting its resources so that it cannot provide services to normal users, which forms a DRDoS attack.
  • The data packets sent by the reflection device to the protected device include not only data packets used to attack the protected device, but may also include legitimate data packets that are not used to attack it, such as a response data packet sent by the reflection device in response to a service request from the protected device, and a request data packet actively sent by the reflection device to request that the protected device provide it a specific service.
  • the so-called protected device can be understood as a device that may be attacked by an attacker.
  • the protected device can be an application server, a router, or a device in the Internet of Things (IoT).
  • IoT Internet of Things
  • the IoT device may be a fire alarm device or the like. If the fire alarm equipment is attacked, it will not be able to detect the fire and make an alarm, so that it will not be able to send out alarm messages, which will pose a serious security threat.
  • the protected device is an application server as an example.
  • the reflection device is the device that sends the DRDoS attack.
  • a reflection device is a device capable of being used by an attacker to send DRDoS attack traffic.
  • Reflection devices include, but are not limited to, Domain Name System (DNS) servers, Network Time Protocol (NTP) servers, Simple Service Discovery Protocol (SSDP) servers, Simple Network Management Protocol (SNMP) servers, Lightweight Directory Access Protocol (LDAP) servers, Charge servers, Memcached servers, etc.
  • DNS Domain Name System
  • NTP Network Time Protocol
  • SSDP Simple Service Discovery Protocol
  • SNMP Simple Network Management Protocol
  • LDAP Lightweight Directory Access Protocol
  • Charge server and Memcached server etc.
  • Because DRDoS attacks have a low cost and a strong attack capability (for example, the Memcached server has a strong reflection amplification capability, amplifying by hundreds of thousands of times, and the traffic of a single attack can reach 1.94Tbps [50 thousand times], while both DNS servers and NTP servers can amplify traffic dozens of times), the DRDoS attack method gives the attacker the ability to make a lot of money. Therefore, DRDoS is the usual means used by most booter services in the black market.
  • the current solution has no way to make the network device on the front side of the protected device have the ability to quickly distinguish between the reflected attack traffic and the legal traffic at the network layer or the transport layer.
  • FIG. 2 shows an example diagram of the architecture of a communication system that can be applied to the embodiments of the present application.
  • the communication system includes at least one terminal 201, an internet network, and a data center.
  • the Internet can be an Internet Service Provider (ISP) network.
  • An ISP can be a telecom operator that provides comprehensive Internet access services, information services, and value-added services to a large number of users.
  • the internet includes at least one network device (for example, network device 202 and network device 203).
  • network devices can be routers, switches, load balancers, or dedicated firewalls.
  • the network device 202 is a network device deployed on a telecommunication operator network close to a data center.
  • the network device 203 is a network device deployed at the exit of the data center.
  • the network device 203 is an egress router in a cloud data center, or it may be a network device on a link between the high defense center of the cloud data center and the operator's network.
  • the Internet also includes a reflection device 204, which is a device that can easily be used by hackers to send DRDoS attacks.
  • The data center includes at least one application server 205. Multiple application servers can be independent and different physical devices, or the functions of multiple application servers can be integrated on the same physical device (such as multiple application servers within the jurisdiction of a cloud service provider), or some application server functions are integrated on one physical device.
  • Each application server can run one or more services (such as game services). Services can also be called applications.
  • the terminal 201 is connected to the network device in a wireless or wired manner.
  • the network devices will be connected wirelessly or wiredly.
  • the network device is connected to the application server 205 in a wireless or wired manner.
  • the terminal can be a fixed location, or it can be movable.
  • FIG. 2 is only a schematic diagram, and the communication system may also include other devices, such as wireless relay devices and wireless backhaul devices, which are not shown in FIG. 2.
  • the embodiments of the present application do not limit the number of terminals, network devices, and application servers included in the communication system.
  • the terminal (Terminal) 201 may also be referred to as a terminal device or a user equipment (user equipment,
  • The terminal 401 may be a mobile phone, a tablet computer (Pad), a computer with wireless transceiver function, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical surgery, a wireless terminal in smart grid, a wireless terminal in transportation safety, a wireless terminal in smart cities, a wireless terminal in smart homes, etc.
  • the embodiment of the present application does not limit the specific technology and specific device form adopted by the terminal.
  • the terminal 201 and the application server 205 transmit data by sending data packets.
  • the data packet includes five-tuples.
  • the five-tuple can distinguish different sessions, and the corresponding session is unique.
  • the five-tuple includes source IP address, destination IP address, transport layer protocol number, source port number, and destination port number.
  • a device with an IP address of 192.168.1.1 uses TCP to connect to a device with an IP address of 121.14.88.76 and a port of 80 through port 10000 to transmit data.
  • the protocol number of TCP is 6.
  • the quintuple is 192.168.1.1 10000 6 121.14.88.76 80.
  • transport layer protocol number is the protocol number of TCP or the protocol number of UDP.
  • protocol number of UDP is 17.
  • when a network device (such as network device 203 or network device 202) receives a data packet from the application server 205, it judges, from the transport layer protocol and the destination port number, whether the data packet is sent to the reflection device 204. If the data packet is sent to the reflection device 204, the second source port number is used to replace the first source port number contained in the data packet, that is, the second source port number replaces the port number that indicates the service the application server 205 is running.
  • the second source port number embeds a verification code. The generation algorithm of the verification code binds header information of the data packet, for example the source IP address and the destination IP address.
  • when a network device such as the network device 203 or the network device 202 receives a data packet sent to the application server 205, it judges, from the transport layer protocol and the first source port number, whether the data packet is a data packet from the reflection device 204. If it is a data packet from the reflection device 204, the information to be authenticated is extracted from the data packet, the first verification code is extracted from the destination port number, and the second verification code is generated using the key and the information to be authenticated. The second verification code and the first verification code are then compared to determine whether the data packet is legal.
  • the information to be authenticated includes source IP address and destination IP address, etc.
  • the second source port number is replaced with the port number of the application server 205.
  • the port number indicates the protocol of the application layer, and can also indicate a certain thread of the application program.
  • the port number is mainly used to indicate the process or thread that processes the data of the upper application.
  • when the network device receives the first data packet sent to the reflection device, it replaces the first source port number contained in the first data packet with the second source port number. The second source port number after replacement does not indicate the process or thread that processes the data of the upper-layer application; it indicates the information that carries the verification code.
  • the second source port number further includes a port index.
  • the port index is used to distinguish different services and specifically indicates a service, that is, a service supported by the application server 205 and the reflection device 204 to run.
  • the network device extracts the verification code from the destination port number contained in the second data packet to verify whether the second data packet is legal. If the second data packet is legal, the second data packet is forwarded; if the second data packet is illegal, the second data packet is discarded. It should be understood that the second data packet is the response data packet of the first data packet, and the content filled in the destination port field of the second data packet is the content filled in the source port field of the first data packet, that is, the destination port number contained in the second data packet is the same as the second source port number contained in the first data packet.
  • FIG. 3 is a flowchart of a data processing method provided by an embodiment of the application.
  • the network device 203 transmits the data of the first service between the reflection device 204 and the application server 205 as an example for description.
  • the method may include:
  • the application server 205 sends a first data packet to the network device 203, where the first data packet includes a transport layer protocol number, a first source port number, and a first destination port number.
  • the network device 203 receives the first data packet from the application server 205.
  • the transport layer protocol number is UDP number or TCP number.
  • the first source port number indicates the process or thread in the application server 205 that processes the data of the first service.
  • the first destination port number indicates the process or thread in the reflection device 204 that processes the data of the first service.
  • the network device 203 determines, according to the transport layer protocol number and the first destination port number, that the first data packet is traffic sent to the reflection device 204.
  • after receiving the first data packet, the network device 203 extracts the transport layer protocol number and the first destination port number from the header of the first data packet, and determines whether the reflective protocol port feature set includes the first destination port number and the transport layer protocol number, in order to determine whether the first data packet is traffic sent to the reflection device 204.
  • S303 includes the following detailed steps.
  • the network device 203 judges whether the transport layer protocol number is a UDP number or a TCP number.
  • if the network device 203 determines that the transport layer protocol number is a UDP number or a TCP number, S3032 is executed; if the network device 203 determines that the transport layer protocol number is neither a UDP number nor a TCP number, the first data packet is not traffic sent to the reflection device 204, and S306 is executed.
  • the network device 203 determines whether the reflective protocol port feature set includes the first destination port number.
  • if the network device 203 determines that the reflective protocol port feature set includes the first destination port number, the first data packet is traffic sent to the reflection device 204, and S304 is executed; if the network device 203 determines that the reflective protocol port feature set does not include the first destination port number, the first data packet is not traffic sent to the reflection device 204, and S306 is executed.
  • the device indicated by the transport layer protocol number and port number included in the reflection-type protocol port feature set is a device that can send DRDoS attacks.
  • the network device 203 may maintain a protocol port number relationship.
  • the so-called protocol port number relationship may refer to the corresponding relationship between the transport layer protocol and the port number.
  • the protocol port number relationship can be presented in the form of a table.
  • the network device 203 may store a protocol port number relationship table, and the protocol port number relationship table includes at least one correspondence relationship between a transport layer protocol and a port number. For example, as shown in Table 1, the corresponding relationship between the protocol port numbers is presented.
  • Table 1 only shows the protocol port number relationship stored in the storage device in the form of a table, and does not limit the storage form of the protocol port number relationship in the storage device.
  • the protocol port number relationship may also be stored in the storage device in other forms, which is not limited in the embodiment of the present application.
  • the network device 203 replaces the first source port number with the second source port number to obtain the second data packet.
  • the second source port number includes the first verification code. It is understandable that the second source port number is set in the source port field in the first data packet.
  • the second source port number is set in the destination port field of the response data packet returned by the reflection device 204.
  • this makes it convenient for the network device 203 to verify, according to the first verification code included in the second source port number, whether the data packet from the reflection device 204 is legal. Therefore, the second source port number can be regarded as a verifiable identification, and does not indicate a process or thread for processing the data of the upper-layer application.
  • FIG. 5 shows an example of the structure of an IPv4 data packet.
  • the IPv4 data packet includes a basic header and a data part.
  • the data part can be called payload (payload) or net load.
  • the basic header of IPv4 can also be referred to as the header of IPv4.
  • the IPv4 header can include the following fields in turn: version number, header length, service type, total length of the data packet, reassembly identifier, flags, fragment offset, time to live, protocol code, header checksum, source IP address, destination IP address and optional options.
  • FIG. 5 (b) is a diagram of an example of the structure of a TCP data packet.
  • the TCP data packet is contained in the data part of the IP data packet.
  • the TCP data packet includes the TCP header and the data part of the TCP data packet.
  • the TCP header includes source port (source port), destination port (destination port), sequence number (sequence number), acknowledgment number (acknowledgment number), data offset (header length), reserved (resv), urgent (URG), acknowledgment (ACK), push (PSH), reset (RST), synchronize (SYN), finish (FIN), window (window size), checksum (checksum), urgent pointer (urgent pointer) and options (options).
  • the first source port number included in the first data packet is set in the source port field. After the network device 203 replaces the first source port number with the second source port number, the source port field includes the second source port number.
  • the second source port number also includes the first port index (portindex).
  • the first port index is used to identify the first service run by the application server 205.
  • the second source port number satisfies the following formula (1).
  • SrcLoc' represents the second source port number.
  • PID represents the first port index.
  • code represents the first verification code.
  • the connector symbol in formula (1) denotes concatenation of the first port index and the first verification code.
  • FIG. 6 is a schematic diagram of the composition of the second source port number in the first data packet provided by this embodiment of the application.
  • the first port index occupies the first 4 bits (bit) in the source port field.
  • the first verification code occupies the last 12 bits in the source port field.
  • the first verification code is determined according to the key and the information to be authenticated.
  • the information to be authenticated includes the first destination IP address included in the first data packet, and the first destination IP address is the IP address of the reflection device 204.
  • the information to be authenticated further includes at least one of the first source IP address, the first destination port number, and the transport layer protocol number included in the first data packet.
  • the first source IP address is the IP address of the application server 205, and the application server 205 is a device that suffers from a DRDoS attack.
  • the first verification code is determined based on the key, the first destination IP address, and the first source IP address. It is understandable that the network device 203 uses the key to encrypt the first destination IP address and the first source IP address to obtain the first verification code.
  • the first verification code satisfies the following formula (2).
  • code represents the first verification code.
  • IP_R represents the first destination IP address.
  • IP_S represents the first source IP address.
  • the first verification code is determined based on the key, the first destination IP address, the first source IP address, and the first destination port number. It is understandable that the network device 203 encrypts the first destination IP address, the first source IP address, and the first destination port number by using the key to obtain the first verification code.
  • the first verification code is determined based on the key, the first destination IP address, the first source IP address, the first destination port number, and the transport layer protocol number. It is understandable that the network device 203 uses a key to encrypt the first destination IP address, the first source IP address, the first destination port number, and the transport layer protocol number to obtain the first verification code.
  • the information to be authenticated further includes at least one of the first port index and the time parameter.
  • the time parameter may refer to the moment when the first data packet is received, and the time parameter may be a relatively coarse-grained time unit.
  • when the information to be authenticated includes a time parameter, the time at which the network device 203 receives the data packet from the application server 205 is the same as the time at which it receives the data packet from the reflection device 204 (at the granularity of the time parameter).
  • the first verification code is determined according to the key, the first destination IP address, the first source IP address, and the first port index. It is understandable that the network device 203 encrypts the first destination IP address, the first source IP address, and the first port index by using the key to obtain the first verification code.
  • the first verification code satisfies the following formula (3).
  • code represents the first verification code.
  • IP_R represents the first destination IP address.
  • IP_S represents the first source IP address.
  • F() represents a cryptographic algorithm.
  • the cryptographic algorithm uses a hash algorithm with a key, for example, a hash-based message authentication code (Hash-based Message Authentication Code, HMAC) related to the key.
  • the cryptographic algorithm is a hash algorithm based on symmetric block ciphers.
  • key is the key.
  • Code can be part of the output result of a cryptographic algorithm. For example, the 12-bit part of the output result of a cryptographic algorithm.
  • the network device 203 may generate a flow table according to the information to be authenticated and the first verification code. It is understandable that the flow table contains multiple entries, and each entry represents the correspondence between one piece of information to be authenticated and one verification code. Therefore, after receiving a data packet, the network device 203 queries the flow table according to the information to be authenticated to obtain the verification code associated with that information, verifies whether the verification code contained in the data packet is the same as the verification code obtained from the flow table, and thereby determines whether the data packet is legal.
  • the network device 203 sends the second data packet to the reflection device 204.
  • the network device 203 forwards the first data packet.
  • before the network device 203 replaces the first source port number with the second source port number (S304), it first obtains the first port index through the following detailed steps.
  • the network device 203 judges whether the legal flow table includes the quintuple of the first data packet.
  • the network device 203 maintains a service port correspondence for each service.
  • the so-called service port correspondence may refer to the correspondence between the port index, the quintuple corresponding to the port index, and the new source port number.
  • the service port correspondence can be presented in the form of a table.
  • the new source port number is the second source port number, which includes the first verification code.
  • the network device 203 may store a legal flow table, and the legal flow table includes at least one service port correspondence. For example, as shown in Table 2, the corresponding relationship between service ports is presented.
  • serial numbers represent traffic information of different services.
  • the serial number 1 represents the information of flow 1.
  • the serial number 3 represents the information of flow 3.
  • the device with IP address 192.168.1.1 uses port 10000 and uses TCP to connect with the device with IP address 121.14.88.76 and port 80 to transmit data.
  • the protocol number of TCP is 6.
  • the quintuple is 192.168.1.1 10000 6 121.14.88.76 80.
  • the second record, represented by sequence number 2, shows that the device with IP address 192.168.1.1 uses port 5000 to connect through TCP with the device with IP address 121.14.88.76 and port 80 to transmit data.
  • the quintuple is 192.168.1.1 5000 6 121.14.88.76 80.
  • the third record represented by sequence number 3 shows that the device with IP address 192.168.1.1 uses port 3000 and uses TCP to connect with the device with IP address 121.14.88.76 and port 100, and transmit data.
  • the quintuple is 192.168.1.1 3000 6 121.14.88.76 100.
  • the information of flow 1 and the information of flow 2 include the same four-tuple, which means that flow 1 and flow 2 are traffic of different services sent from the same source device to the same destination device.
  • the port index is used to distinguish the traffic of different services.
  • different port indexes can be used to distinguish different flows.
  • the initial value of the port index is 1, so as to prevent the new source port number from falling into the 0-4096 range of commonly used port numbers.
  • Table 2 only shows the service port correspondence stored in the storage device in the form of a table, and does not limit the storage form of the service port correspondence in the storage device.
  • the service port correspondence may also be stored in the storage device in other forms, which is not limited in the embodiment of the present application.
  • if the legal flow table includes the quintuple of the first data packet, the network device 203 has already sent data to the reflection device 204 and has stored the quintuple information of the first data packet, and S308 is executed; if the legal flow table does not include the quintuple of the first data packet, the network device 203 has not sent data to the reflection device 204, and S309 is executed.
  • the five-tuple of the first data packet is used to uniquely identify the network traffic of the first service.
  • the five-tuple of the first data packet includes a first source IP address, a first destination IP address, a transport layer protocol number, a first source port number, and a first destination port number.
  • the network device 203 obtains the second source port number corresponding to the quintuple of the first data packet from the legal flow table.
  • the quintuple of the first data packet includes information about flow 1, and the second source port number is 23101.
  • the network device 203 judges whether the legal flow table includes the four-tuple of the first data packet, that is, the quintuple excluding the first source port number.
  • if the legal flow table does not include the four-tuple of the first data packet excluding the first source port number, the network device 203 has not sent data to the reflection device 204, and S310 is executed; if the legal flow table includes the four-tuple of the first data packet excluding the first source port number, the network device 203 has sent data to the reflection device 204 but has not sent the data of the first service to the reflection device 204, and S311 is executed.
  • the network device 203 generates a first port index.
  • the network device 203 adds a new record in the legal flow table, sets the quintuple of the first data packet, and sets the first port index to 1. Go to S312.
  • the network device 203 updates the second port index corresponding to the quadruple to obtain the first port index.
  • the second port index is used to indicate the data of the non-first service sent by the network device 203 to the reflection device 204.
  • the second port index may be updated to obtain the first port index. For example, the network device 203 adds a new record in the legal flow table, sets the quintuple of the first data packet, and sets the first port index to the second port index plus 1. Go to S312.
  • the network device 203 generates a first verification code according to the key and the information to be authenticated, and generates a second source port number according to the first verification code.
  • after the network device 203 receives the data packet from the reflection device 204, it can verify the legitimacy of the received data packet according to the first verification code, thereby filtering illegal traffic, as shown in FIG. 8. For details, refer to the detailed description of S313 to S318 below.
  • the network device 203 receives a third data packet, where the third data packet includes a transport layer protocol number, a third source port number, and a second destination port number.
  • the network device 203 determines that the third data packet is a flow from the reflection device 204 according to the transport layer protocol number and the third source port number.
  • the source port number indicates the process or thread in which the source device processes the data of the service.
  • the destination port number indicates the process or thread in which the destination device processes the data of the service.
  • the third source port number indicates the process or thread in the reflection device 204 that processes the data of the first service.
  • when the network device 203 sends the second data packet to the reflection device 204, the first source port number has been replaced with the second source port number.
  • the second source port number is set in the destination port field in the third data packet, that is, the second destination port number can be understood as the second source port number.
  • the second destination port number includes the first verification code.
  • the first verification code is a component of the destination port field included in the third data packet.
  • the second destination port number also includes the first port index.
  • the composition of the second destination port number can be referred to as shown in FIG. 6, where the first port index occupies the first 4 bits in the destination port field, and the first verification code occupies the last 12 bits in the destination port field.
  • after receiving the third data packet, the network device 203 extracts the transport layer protocol number and the third source port number from the header of the third data packet, and determines whether the reflective protocol port feature set includes the third source port number and the transport layer protocol number, in order to determine whether the third data packet is a flow from the reflection device 204.
  • step S314 includes the following detailed steps.
  • the network device 203 judges whether the transport layer protocol number is a UDP number or a TCP number.
  • if the network device 203 determines that the transport layer protocol number is a UDP number or a TCP number, S3142 is executed; if the network device 203 determines that the transport layer protocol number is neither a UDP number nor a TCP number, the third data packet is not a flow from the reflection device 204, and S319 is executed.
  • the network device 203 determines whether the reflective protocol port feature set includes the third source port number.
  • if the network device 203 determines that the reflection-type protocol port feature set includes the third source port number, the third data packet is traffic from the reflection device 204, and the network device 203 obtains the second verification code according to the information to be authenticated; for example, the network device 203 executes S315, or obtains the second verification code associated with the information to be authenticated. If the network device 203 determines that the reflective protocol port feature set does not include the third source port number, the third data packet is not traffic from the reflective device 204, and S319 is executed.
  • for the reflection-type protocol port feature set, refer to the description of S302 above, which will not be repeated.
  • the second destination port number indicates the process or thread of the first service run by the application server 205, that is, the application server 205 receives the data of the first service through the port indicated by the second destination port number.
  • the second destination port number includes the first verification code.
  • the second destination port number does not indicate the process or thread of the first service run by the application server 205, but is a verifiable identification used to distinguish legitimate traffic from illegal traffic.
  • the network device 203 generates a second verification code according to the key and the information to be authenticated.
  • the information to be authenticated includes the second source IP address, and the second source IP address is the IP address of the reflection device 204.
  • the information to be authenticated further includes at least one of the second destination IP address, the third source port number, and the transport layer protocol number included in the third data packet.
  • the second destination IP address is the IP address of the application server 205.
  • the information to be authenticated further includes at least one of the first port index and the time parameter.
  • the network device 203 may obtain the first port index from the second destination port number, that is, obtain the first 4 bits of data in the second destination port number, that is, the first port index. Alternatively, the network device 203 may obtain the first port index corresponding to the quintuple of the third data packet from the legal flow table.
  • the method for generating the second verification code is the same as the method for generating the first verification code, so as to ensure that the first verification code and the second verification code are the same.
  • the specific method of generating the second verification code please refer to the description of generating the first verification code in S303, which will not be repeated.
  • the network device 203 generates the second verification code according to the key and the information to be authenticated. It can be understood that the network device 203 receives the third data packet, determines that the third data packet is a flow from the reflection device 204, and then generates the second verification code in real time.
  • the sequence of the steps of the data processing method provided in the embodiments of the present application can be appropriately adjusted.
  • the network device 203 pre-generates the second verification code according to the key and the information to be authenticated, and saves the correspondence between the information to be authenticated and the second verification code.
  • the information to be authenticated is, for example, a five-tuple, and the network device 203 pre-stores the relationship between the five-tuple and the second verification code.
  • after the network device 203 receives the third data packet and determines that the third data packet is a flow from the reflection device 204, the network device 203 can obtain the second verification code associated with the information to be authenticated according to the information to be authenticated. For example, the network device 203 may store the association relationship between the information to be authenticated and the second verification code in the form of a table. After obtaining the information to be authenticated, the network device 203 looks up the flow table according to the information to be authenticated, and obtains the second verification code associated with the information to be authenticated.
  • if the network device 203 has not stored the information to be authenticated, the flow table does not contain an entry for the information to be authenticated, and when the network device 203 looks up the table according to the information to be authenticated, the second verification code associated with the information to be authenticated cannot be obtained. Therefore, the network device 203 considers that the third data packet is an illegal data packet from the reflection device 204, and discards the third data packet.
  • the table form only indicates one storage form of the association relationship between the information to be authenticated and the second verification code in the storage device, and does not limit that storage form; the association relationship may also be stored in the storage device in other forms, which is not limited in the embodiment of the present application.
  • the network device 203 determines whether the third data packet is legal according to the first verification code and the second verification code.
  • the network device 203 may obtain the first verification code from the second destination port number, that is, obtain the last 12 bits of data in the second destination port number, that is, the first verification code.
  • the network device 203 may compare the first verification code and the second verification code; if the first verification code and the second verification code are the same, it determines that the third data packet is legal, and if the first verification code and the second verification code are different, it determines that the third data packet is illegal.
  • if the third data packet is an illegal data packet from the reflection device 204, the second destination port number does not include the first verification code, or the first verification code it carries was not obtained by the reflection device 204 from the second data packet sent by the network device 203 and may have been created by an attacker.
  • in that case the second verification code generated by the network device 203 is different from the first verification code, so that most illegal traffic is filtered by verifying the value of the destination port field of the transport layer.
  • the network device 203 replaces the second destination port number with the first source port number to obtain the fourth data packet.
  • the network device 203 replaces the second source port number with the first source port number to obtain the fourth data packet.
  • the IP address of the reflection device 204 is 121.14.88.76
  • the IP address of the application server 205 is 192.168.1.1
  • the port for the application server 205 to send and receive the data of the first service is 10000
  • the port through which the reflection device 204 sends and receives the data of the first service is 80.
  • the first source IP address is 192.168.1.1
  • the first destination IP address is 121.14.88.76
  • the transport layer protocol is TCP and the first source port number is 10000
  • the first destination port number is 80.
  • the source port field is set to 23101, and the second data packet is obtained.
  • the second source IP address is the IP address of the reflection device 204, which is 121.14.88.76
  • the second destination IP address is the IP address of the application server 205, which is 192.168.1.1
  • the transport layer protocol is TCP, and the second source port number is 80, the port from which the reflection device 204 sends the data of the first service
  • the second destination port number is the second source port number of the second data packet, that is, 23101.
  • the network device 203 forwards the fourth data packet to the application server 205.
  • the network device 203 forwards the third data packet.
  • before replacing the second source port number with the first source port number, that is, before S317, the network device 203 first obtains the first source port number, as detailed in the following steps.
  • the network device 203 determines that the legal flow table includes the quintuple of the third data packet, and obtains the first source port number corresponding to the quintuple of the third data packet from the legal flow table.
  • when the network device 203 sends the second data packet to the reflection device 204, the five-tuple information for the data exchange of the first service between the reflection device 204 and the application server 205 has already been generated in the legal flow table.
  • the record also includes the first port index and the second source port number used to replace the first source port number. Therefore, the network device 203 can obtain the corresponding first source port number according to the quintuple of the first data packet.
  • the second source IP address in the third data packet is the first destination IP address in the first data packet, and the second source IP address corresponds to the destination IP recorded in the legal flow table.
  • the second destination IP address in the third data packet is the first source IP address in the first data packet, and the second destination IP address corresponds to the source IP recorded in the legal flow table.
  • the transport layer protocol number in the third data packet and the transport layer protocol number in the first data packet both correspond to the transport layer protocol number recorded in the legal flow table.
  • the third source port number in the third data packet is the first destination port number in the first data packet, and the third source port number corresponds to the destination port number recorded in the legal flow table.
  • the second destination port number in the third data packet is the second source port number after replacing the first source port number in the first data packet, and the second destination port number corresponds to the new source port number recorded in the legal flow table.
  • the network device 203 can use the five-tuple contained in the third data packet, that is, the second source IP address, the second destination IP address, the transport layer protocol number, the third source port number, and the second destination port number, to obtain from the legal flow table the first source port number corresponding to that five-tuple, and replace the second destination port number in the third data packet with that first source port number to obtain the fourth data packet.
  • FIG. 11 is a flowchart of a data processing method provided by an embodiment of the present application.
  • the data of the first service is transmitted between the reflection device 204 and the application server 205; the network device 203 replaces the source port number in the data packet from the application server 205, and the network device 202 verifies the data packet sent to the application server 205, which is taken as an example for description.
  • the method may include:
  • the application server 205 sends a first data packet to the network device 203, where the first data packet includes a transport layer protocol number, a first source port number, and a first destination port number.
  • the network device 203 receives the first data packet from the application server 205.
  • the network device 203 determines that the first data packet is traffic sent to the reflection device 204 according to the transport layer protocol number and the first destination port number.
  • the network device 203 replaces the first source port number with the second source port number to obtain the second data packet.
  • the network device 203 sends a second data packet to the reflection device 204.
  • the network device 202 receives a third data packet.
  • the third data packet includes a transport layer protocol number, a third source port number, and a second destination port number, and the second destination port number includes the first verification code.
  • the network device 202 determines that the third data packet is a flow from the reflection device 204 according to the transport layer protocol number and the third source port number.
  • the network device 202 generates a second verification code according to the key and the information to be authenticated.
  • the network device 203 shares the key used to generate the first verification code with the network device 202, so that the network device 202 generates the second verification code according to the shared key and the information to be authenticated.
  • the network device 203 shares the correspondence between the information to be authenticated and the second verification code with the network device 202, so that the network device 202 obtains the second verification code associated with the information to be authenticated according to the shared information to be authenticated.
  • the network device 202 may look up a table according to the information to be authenticated, and obtain the second verification code associated with the information to be authenticated.
  • the network device 202 determines whether the third data packet is legal according to the first verification code and the second verification code.
  • the network device 202 forwards the third data packet.
  • the network device 203 receives the third data packet.
  • the network device 203 determines that the third data packet is a flow from the reflection device 204 according to the transport layer protocol number and the third source port number.
  • the network device 203 determines that the legal flow table includes the quintuple of the third data packet, and obtains the first source port number corresponding to the quintuple of the third data packet from the legal flow table.
  • the network device 203 replaces the second destination port number with the first source port number to obtain the fourth data packet.
  • the network device 203 forwards the fourth data packet to the application server 205.
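As an added illustration, not code from the patent, the following Python models the S1101 to S1115 exchange: a shared key, a 12-bit verification code in the low bits of the port field as the page states, a 4-bit port index in the high bits (an assumption; the page does not give the index width), HMAC-SHA256 as the code-generation function (an assumption; the page only says the code is derived from a key and the information to be authenticated), and a constructed reflective-protocol port feature set. The IPs and ports are the page's (192.168.1.1:10000 and 121.14.88.76:80 over TCP); the marked port value depends on the constructed key, so it will not be 23101.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Layout of the 16-bit port field: the page states that the low 12 bits carry
# the verification code. The remaining high 4 bits are ASSUMED here to carry
# the port index (the page does not state the index width).
VERIFICATION_BITS = 12
VERIFICATION_MASK = (1 << VERIFICATION_BITS) - 1
PORT_INDEX_BITS = 16 - VERIFICATION_BITS

# CONSTRUCTED "reflective protocol port feature set": (transport protocol
# number, port) pairs. 6 = TCP, 17 = UDP.
REFLECTIVE_PORT_FEATURES = {(6, 80), (17, 53), (17, 123), (17, 161)}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int


def verification_code(key: bytes, reflector_ip: str, protected_ip: str,
                      proto: int, reflector_port: int, port_index: int) -> int:
    """Verification code: HMAC (assumed function) over the information to be
    authenticated, truncated to 12 bits. The reflector IP is the mandatory
    field; the others are optional fields the page lists (no time parameter)."""
    info = (ipaddress.ip_address(reflector_ip).packed
            + ipaddress.ip_address(protected_ip).packed
            + bytes([proto])
            + reflector_port.to_bytes(2, "big")
            + bytes([port_index]))
    digest = hmac.new(key, info, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "big") & VERIFICATION_MASK


def pack_port(port_index: int, code: int) -> int:
    """port index in the high bits, verification code in the low 12 bits."""
    return (port_index << VERIFICATION_BITS) | (code & VERIFICATION_MASK)


def unpack_port(port: int) -> Tuple[int, int]:
    return port >> VERIFICATION_BITS, port & VERIFICATION_MASK


Quintuple = Tuple[str, str, int, int, int]


class PortMarkingGateway:
    """Plays network device 203 (outbound marking, legal flow table) and the
    verifying device (202 or 203) on the inbound path."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        # legal flow table: reflector->server quintuple -> original source port
        self.flow_table: Dict[Quintuple, int] = {}
        # forward quintuple -> marked source port already issued for that flow
        self.issued: Dict[Quintuple, int] = {}
        # four-tuple (without the source port) -> next port index to hand out
        self.next_index: Dict[Tuple[str, str, int, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Server -> reflector: replace the source port with
        (port index || verification code) and record the flow (S1103-S1105)."""
        if (pkt.proto, pkt.dst_port) not in REFLECTIVE_PORT_FEATURES:
            return pkt  # not traffic to a reflector: forward unchanged
        fwd = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.src_port, pkt.dst_port)
        if fwd in self.issued:  # quintuple already in the flow table: reuse
            return replace(pkt, src_port=self.issued[fwd])
        four = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.dst_port)
        idx = self.next_index.get(four, 0)  # new four-tuple: first index
        self.next_index[four] = (idx + 1) % (1 << PORT_INDEX_BITS)
        code = verification_code(self.key, pkt.dst_ip, pkt.src_ip,
                                 pkt.proto, pkt.dst_port, idx)
        marked = pack_port(idx, code)
        self.issued[fwd] = marked
        reverse = (pkt.dst_ip, pkt.src_ip, pkt.proto, pkt.dst_port, marked)
        self.flow_table[reverse] = pkt.src_port
        return replace(pkt, src_port=marked)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reflector -> server: compare the code carried in the destination
        port with a freshly computed one, restore the original port, or drop
        (None) when the packet is illegal (S1112-S1115)."""
        if (pkt.proto, pkt.src_port) not in REFLECTIVE_PORT_FEATURES:
            return pkt
        idx, first_code = unpack_port(pkt.dst_port)
        second_code = verification_code(self.key, pkt.src_ip, pkt.dst_ip,
                                        pkt.proto, pkt.src_port, idx)
        if not hmac.compare_digest(first_code.to_bytes(2, "big"),
                                   second_code.to_bytes(2, "big")):
            return None  # codes differ: forged reflection traffic, discard
        quint = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.src_port, pkt.dst_port)
        original_port = self.flow_table.get(quint)
        if original_port is None:
            return None  # code matches but no flow state: drop (assumption)
        return replace(pkt, dst_port=original_port)
```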
  • the data processing method provided in the embodiments of the present application uses the port field of the transport layer header in the data packet to carry a verifiable mark. After the network device receives a data packet from the reflection device, verifying that mark distinguishes legitimate from illegitimate data packets, and only legitimate data packets are forwarded, which can deal with most reflection-type denial of service attacks.
  • the data processing method provided in the embodiments of the present application can ensure that legal traffic is forwarded, avoid legal traffic being discarded by the black hole, and the network device filters most of the DRDoS attack traffic.
  • the data processing method provided in the embodiments of the present application can reduce the delay in processing legal traffic caused by deep protocol analysis.
  • since the verifiable identifier can be embedded in the destination port field, the network device does not need to process application layer data and can filter directly at the transport layer, which reduces the cost of defending against DRDoS attacks and does not rely on cross-domain cooperation.
  • the network device includes hardware structures and/or software modules corresponding to each function.
  • the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a certain function is executed by hardware or by hardware driven by computer software depends on the specific application scenario and design constraints of the technical solution.
  • FIG. 12 and FIG. 13 are schematic structural diagrams of possible data processing apparatuses provided by embodiments of this application. These data processing apparatuses can be used to implement the functions of the network equipment in the foregoing method embodiments, and therefore can also achieve the beneficial effects of the foregoing method embodiments.
  • the data processing apparatus may be the network device 202 or the network device 203 as shown in FIG. 2, and may also be a module (such as a chip) applied to the network device.
  • the data processing device 1200 includes a receiving unit 1210, a processing unit 1220, and a sending unit 1230.
  • the data processing apparatus 1200 is used to implement the function of the network device in the method embodiment shown in FIG. 3, FIG. 4, FIG. 7, FIG. 8, FIG. 9, FIG. 10, or FIG. 11.
  • the receiving unit 1210 is used to perform S302; the processing unit 1220 is used to perform S303 and S304; and the sending unit 1230 is used to perform S305.
  • the receiving unit 1210 is used to perform S302; the processing unit 1220 is used to perform S3031, S3032, and S304; and the sending unit 1230 is used to perform S305 and S306.
  • the receiving unit 1210 is used to perform S302; the processing unit 1220 is used to perform S3031, S3032, S304, and S307 to S312; and the sending unit 1230 is used to execute S305 and S306.
  • the receiving unit 1210 is used to perform S302 and S313; the processing unit 1220 is used to perform S3031, S3032, S304, S307 to S312, and S314 to S317; and the sending unit 1230 is used to execute S305, S306, and S318.
  • the receiving unit 1210 is used to perform S302 and S313; the processing unit 1220 is used to perform S3031, S3032, S304, S307 to S312, and S3141, S3142 to S317; and the sending unit 1230 is used to execute S305, S306, S318, and S319.
  • the receiving unit 1210 is used to perform S302 and S313; the processing unit 1220 is used to perform S3031, S3032, S304, S307 to S312, S3141, S3142 to S317, and S320; and the sending unit 1230 is used to execute S305, S306, S318, and S319.
  • the receiving unit 1210 is used to execute S1102 and S1111; the processing unit 1220 is used to execute S1103, S1104, S1112, S1113, and S1114; and the sending unit 1230 is used to execute S1105 and S1115.
  • the receiving unit 1210 is used to perform S1106; the processing unit 1220 is used to perform S1107 to S1109; and the sending unit 1230 is used to perform S1110.
  • the data processing device 1300 includes a processor 1310 and an interface circuit 1320.
  • the processor 1310 and the interface circuit 1320 are coupled with each other.
  • the interface circuit 1320 may be a transceiver or an input/output interface.
  • the data processing apparatus 1300 may further include a memory 1330 for storing instructions executed by the processor 1310 or storing input data required by the processor 1310 to run the instructions or storing data generated after the processor 1310 runs the instructions.
  • when the data processing device 1300 is used to implement the method shown in FIG. 3, FIG. 4, FIG. 7, FIG. 8, FIG. 9, FIG. 10, or FIG. 11, the interface circuit 1320 is used to perform the functions of the receiving unit 1210 and the sending unit 1230 described above.
  • the processor in the embodiments of the present application may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof.
  • the general-purpose processor may be a microprocessor or any conventional processor.
  • the method steps in the embodiments of the present application can be implemented by hardware, and can also be implemented by a processor executing software instructions.
  • Software instructions can be composed of corresponding software modules, which can be stored in random access memory (RAM), flash memory, read-only memory (ROM), programmable ROM (PROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), a register, a hard disk, a removable hard disk, a CD-ROM, or any other form of storage medium well known in the art.
  • An exemplary storage medium is coupled to the processor, so that the processor can read information from the storage medium and can write information to the storage medium.
  • the storage medium may also be an integral part of the processor.
  • the processor and the storage medium may be located in the ASIC.
  • the ASIC can be located in a network device or a terminal device.
  • the processor and the storage medium may also exist as discrete components in the network device or the terminal device.
  • the computer program product includes one or more computer programs or instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, network equipment, user equipment, or other programmable devices.
  • the computer program or instruction may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • the computer program or instruction may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired or wireless means.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or a data center that integrates one or more available media.
  • the usable medium may be a magnetic medium, such as a floppy disk, a hard disk, or a magnetic tape; it may also be an optical medium, such as a digital video disc (DVD); and it may also be a semiconductor medium, such as a solid state drive (SSD).
  • “at least one” refers to one or more, and “multiple” refers to two or more.
  • “And/or” describes the association relationship of the associated object, indicating that there can be three relationships, for example, A and/or B, which can mean: A alone exists, A and B exist at the same time, and B exists alone, where A, B can be singular or plural.
  • the character “/” generally indicates that the associated objects before and after it are in an “or” relationship; in the formulas of this application, the character “/” indicates that the associated objects before and after it are in a “division” relationship.

Abstract

Disclosed are a data processing method and apparatus, which relate to the field of communication, and solve the problem of how to quickly distinguish legitimate traffic from illegitimate traffic when defending against a DRDoS attack. The method comprises: after receiving a first data packet from a reflection device, a network device determining that the first data packet is traffic from the reflection device according to a transport layer protocol number and a first source port number, wherein the first data packet comprises a destination port number, and the destination port number is a third source port number after a second source port number is replaced when the network device sends a data packet to the reflection device; extracting a verification code from the destination port number, and verifying the verification code; if a third data packet passes verification, indicating that the third data packet is legitimate, replacing the destination port number with the second source port number, and forwarding a fourth data packet; and if the third data packet does not pass verification, indicating that the third data packet is illegitimate, and discarding the third data packet. Therefore, a large amount of forged attack traffic can be filtered out.

Description

Data processing method and apparatus
This application claims priority to the Chinese patent application filed with the State Intellectual Property Office on May 30, 2020, with application number 202010480846.5 and title "A data processing method and apparatus", the entire content of which is incorporated into this application by reference.
Technical field
This application relates to the field of communications, and in particular to a data processing method and apparatus.
Background
At present, Distributed Reflection Denial of Service (DRDoS) attacks remain a major factor that undermines network availability and causes network security problems. In traditional technologies, black-hole routing or traffic scrubbing is usually used to defend against DRDoS attacks. However, a network device using black-hole routing directs both illegal and legal traffic into the black hole and cannot distinguish between them. Although a network device using traffic scrubbing can distinguish legal traffic from illegal traffic, the delay in doing so is long. Therefore, how to quickly distinguish legal traffic from illegal traffic when defending against DRDoS attacks is an urgent problem to be solved.
Summary of the invention
This application provides a data processing method and apparatus, which solve the problem of how to quickly distinguish legal traffic from illegal traffic when defending against DRDoS attacks.
To achieve the above objective, this application adopts the following technical solutions:
In a first aspect, this application provides a data processing method, which can be applied to a network device, or to a communication apparatus that can support a network device in implementing the method, for example a communication apparatus that includes a chip system. The method includes: after the network device receives a first data packet, it determines, according to the transport layer protocol number and the first source port number, that the first data packet is traffic from a reflection device, extracts a first verification code from the destination port field, generates a second verification code according to a key and the information to be authenticated, and determines according to the first verification code and the second verification code whether the first data packet is legal. If the first data packet is legal, the network device forwards the first data packet to the protected device; or the network device replaces the destination port number with the second source port number to obtain a second data packet and forwards the second data packet to the protected device. If the first data packet is illegal, the first data packet is discarded, so that a large amount of forged attack traffic can be filtered out.
Here, the first data packet includes the transport layer protocol number, the first source port number and the destination port number. The reflection device is a device that sends the DRDoS attack; for example, a reflection device is a device that an attacker is in a position to use to send DRDoS attack traffic. The reflection device may be a domain name system device, a network time protocol device, or a simple network management protocol device. The information to be authenticated includes the source Internet Protocol (IP) address, and the source IP address is the IP address of the reflection device. Optionally, the network device may also generate the second verification code in advance according to the key and the information to be authenticated, and save the correspondence between the information to be authenticated and the second verification code. After the network device determines, according to the transport layer protocol number and the first source port number, that the first data packet is traffic from the reflection device, it may also look up the table according to the information to be authenticated to obtain the second verification code associated with the information to be authenticated.
The data processing method provided by the embodiments of this application uses the port field of the transport layer header in the data packet to carry the verification code. After the network device receives a data packet from the reflection device, verifying the verification code distinguishes legal data packets from illegal ones, and only legal data packets are forwarded, which can deal with most reflection-type denial of service attacks. Compared with black-hole routing, the data processing method provided in the embodiments of this application can ensure that legal traffic is forwarded, avoid legal traffic being discarded by the black hole, and let the network device filter most of the DRDoS attack traffic. Compared with traffic scrubbing, the data processing method provided in the embodiments of this application can reduce the delay in processing legal traffic caused by deep protocol analysis. In addition, since the verifiable identifier can be embedded in the destination port field, the network device does not need to process application layer data and can filter directly at the transport layer, which reduces the cost of defending against DRDoS attacks and does not rely on cross-domain cooperation.
In a possible design, determining according to the transport layer protocol number and the first source port number that the first data packet is traffic from the reflection device includes: if the reflective protocol port feature set includes the first source port number and the transport layer protocol number, and the transport layer protocol number is a User Datagram Protocol (UDP) number or a Transmission Control Protocol (TCP) number, then the first data packet is traffic from the reflection device.
In another possible design, the information to be authenticated further includes at least one of the destination IP address, the first source port number and the transport layer protocol number contained in the first data packet. The destination IP address is the IP address of the protected device, and the protected device is the device that suffers the DRDoS attack.
Optionally, the information to be authenticated further includes at least one of a port index and a time parameter, where the port index is used to identify an application.
In another possible design, the destination port number further includes the port index.
In another possible design, before replacing the destination port number with the second source port number, the method further includes: determining that the legal flow table includes the five-tuple of the first data packet, and obtaining from the legal flow table the second source port number corresponding to the five-tuple of the first data packet. The five-tuple of the first data packet uniquely identifies a network flow and includes the source IP address, the destination IP address, the transport layer protocol number, the first source port number and the destination port number.
In a second aspect, this application provides a data processing method, which can be applied to a network device, or to a communication apparatus that can support a network device in implementing the method, for example a communication apparatus that includes a chip system. The method includes: after the network device receives a first data packet, it determines, according to the transport layer protocol number and the destination port number, that the first data packet is traffic sent to a reflection device, replaces the first source port number with a second source port number to obtain a second data packet, and sends the second data packet. Here, the first data packet includes the transport layer protocol number, the first source port number and the destination port number. The second source port number includes a verification code, the verification code is determined according to a key and the information to be authenticated, the information to be authenticated includes the destination IP address, and the destination IP address is the IP address of the reflection device.
The data processing method provided by the embodiments of this application uses the port field of the transport layer header in the data packet to carry the verification code, so that after a network device receives a data packet from the reflection device, verifying the verification code distinguishes legal data packets from illegal ones; only legal data packets are forwarded, which can deal with most reflection-type denial of service attacks.
In a possible design, determining according to the transport layer protocol number and the destination port number that the first data packet is traffic sent to the reflection device includes: if the reflective protocol port feature set includes the destination port number and the transport layer protocol number, and the transport layer protocol number is a UDP number or a TCP number, then the first data packet is traffic sent to the reflection device.
In another possible design, the information to be authenticated further includes at least one of the source IP address, the destination port number and the transport layer protocol number contained in the first data packet, and/or at least one of a first port index and a time parameter; the source IP address is the IP address of the source device, the source device is the protected device that suffers the DRDoS attack, and the first port index is used to identify an application.
In another possible design, the second source port number further includes the first port index.
In another possible design, before replacing the first source port number with the second source port number, the method further includes: determining that the legal flow table includes the five-tuple of the first data packet, and obtaining from the legal flow table the second source port number corresponding to the five-tuple of the first data packet. The five-tuple of the first data packet uniquely identifies a network flow and includes the source IP address, the destination IP address, the transport layer protocol number, the first source port number and the destination port number.
In another possible design, if the legal flow table does not include the five-tuple of the first data packet, the method further includes: determining whether the legal flow table includes the four-tuple of the first data packet excluding the first source port number; if it does not, generating a first port index; if it does, updating the second port index corresponding to that four-tuple to obtain the first port index.
In a third aspect, this application provides a data processing method, which can be applied to a network device, or to a communication apparatus that can support a network device in implementing the method, for example a communication apparatus that includes a chip system. The method includes: after the network device receives a first data packet, it determines, according to the transport layer protocol number and the first port number, that the first data packet is traffic from a reflection device; replaces the destination port number contained in the first data packet with a second source port number to obtain a second data packet; and forwards the second data packet to the protected device. Here, the first data packet includes the transport layer protocol number, the first source port number and the destination port number, and the destination port number includes a verification code.
第四方面,本申请提供了一种数据处理方法,该方法可应用于网络设备,或者该方法可应用于可以支持网络设备实现该方法的通信装置,例如该通信装置包括芯片系统,方法包括:网络设备接收到第一数据包后,从第一数据包包含的目的端口字段中提取第一验证码,并根据密钥和待认证信息生成第二验证码,根据第一验证码和第二验证码确定第一数据包是否合法。若第一数据包合法,网络设备向受保护设备转发第一数据包。或者,网络设备用第二源端口号替换目的端口号,得到第二数据包;向受保护设备转发第二数据包。若第一数据包不合法,表示第一数据包不合法,丢弃第一数据包,从而可以过滤掉大量伪造的攻击流量。其中,反射设备为发送DRDoS攻击的设备。待认证信息包括第一数据包包含的源IP地址,源IP地址为反射设备的IP地址。In a fourth aspect, this application provides a data processing method, which can be applied to network equipment, or the method can be applied to a communication device that can support network equipment to implement the method. For example, the communication device includes a chip system, and the method includes: After receiving the first data packet, the network device extracts the first verification code from the destination port field contained in the first data packet, and generates a second verification code according to the key and the information to be authenticated, and according to the first verification code and the second verification code The code determines whether the first data packet is legal. If the first data packet is legal, the network device forwards the first data packet to the protected device. Or, the network device replaces the destination port number with the second source port number to obtain the second data packet; and forwards the second data packet to the protected device. If the first data packet is illegal, it means that the first data packet is illegal, and the first data packet is discarded, so that a large amount of forged attack traffic can be filtered out. Among them, the reflection device is a device that sends a DRDoS attack. The information to be authenticated includes the source IP address included in the first data packet, and the source IP address is the IP address of the reflection device.
第五方面,本申请提供了一种数据处理方法,该方法可应用于网络设备,或者该方法可应用于可以支持网络设备实现该方法的通信装置,例如该通信装置包括芯片系统,方法包括:网络设备接收第一数据包后,用第二源端口号替换第一数据包包含的第一源端口号,得到第二数据包,发送第二数据包。其中,第二源端口号包括验证码,验证码是根据密钥和待认证信息确定的,待认证信息包括第一数据包包含的目的IP地址,目的IP地址为反射设备的IP地址。In the fifth aspect, this application provides a data processing method, which can be applied to network equipment, or the method can be applied to a communication device that can support network equipment to implement the method, for example, the communication device includes a chip system, and the method includes: After receiving the first data packet, the network device replaces the first source port number included in the first data packet with the second source port number to obtain the second data packet, and then sends the second data packet. Wherein, the second source port number includes a verification code, the verification code is determined according to the key and the information to be authenticated, the information to be authenticated includes the destination IP address included in the first data packet, and the destination IP address is the IP address of the reflection device.
第六方面,本申请提供了一种数据处理方法,该方法可应用于网络设备,或者该方法可应用于可以支持网络设备实现该方法的通信装置,例如该通信装置包括芯片系统,方法包括:网络设备接收到第一数据包后,用第二源端口号替换第一数据包包含的目的端口号,得到第二数据包;向受保护设备转发第二数据包。其中,第一数据包包括传输层协议号、第一源端口号和目的端口号,目的端口号包括验证码。In a sixth aspect, this application provides a data processing method, which can be applied to network equipment, or the method can be applied to a communication device that can support network equipment to implement the method. For example, the communication device includes a chip system, and the method includes: After receiving the first data packet, the network device replaces the destination port number contained in the first data packet with the second source port number to obtain the second data packet; and forwards the second data packet to the protected device. Wherein, the first data packet includes a transport layer protocol number, a first source port number and a destination port number, and the destination port number includes a verification code.
第七方面,本申请实施例还提供了一种通信装置,有益效果可以参见第一方面的描述此处不再赘述。所述通信装置具有实现上述第一方面或第四方面的方法实例中行为的功能。所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件或软件包括一个或多个与上述功能相对应的模块。在一个可能的设计中,所述通信装置包括:接收单元、处理单元和发送单元。接收单元,用于接收第一数据包,第一数据包包括传输层协议号、第一源端口号和目的端口号,目的端口号包括第一验证码。处理单元,用于根据传输层协议号和第一源端口号确定第一数据包是一个来自反射设备的流量。处理单元,还用于根据密钥和待认证信息生成第二验证码,待认证信息包括第一数据包包含的源IP地址,源IP地址为反射设备的IP地址。处理单元,还用于根据第一验证码和第二验证码确定第一数据包是否合法。处理单元,还用于用第二源端口号替换目的端口号,得到第二数据包。发送单元,用于向受保护设备转发第一数据包或第二数据包,第二数据包包括第二源端口号。这些单元可以执行上述第一方面或第四方面方法示例中的相应功能,具体参见方法示例中的详细描述,此处不做赘述。In the seventh aspect, the embodiments of the present application also provide a communication device, and the beneficial effects can be referred to the description of the first aspect and will not be repeated here. The communication device has a function of realizing the behavior in the method example of the first aspect or the fourth aspect. The functions can be realized by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above-mentioned functions. In a possible design, the communication device includes: a receiving unit, a processing unit, and a sending unit. The receiving unit is configured to receive a first data packet, where the first data packet includes a transport layer protocol number, a first source port number, and a destination port number, and the destination port number includes a first verification code. The processing unit is configured to determine that the first data packet is a flow from the reflection device according to the transport layer protocol number and the first source port number. The processing unit is further configured to generate a second verification code according to the key and the information to be authenticated. The information to be authenticated includes the source IP address contained in the first data packet, and the source IP address is the IP address of the reflection device. 
The processing unit is further configured to determine whether the first data packet is legal according to the first verification code and the second verification code. The processing unit is further configured to replace the destination port number with the second source port number to obtain the second data packet. The sending unit is configured to forward the first data packet or the second data packet to the protected device, where the second data packet includes the second source port number. These units can perform the corresponding functions in the method examples of the first aspect or the fourth aspect. For details, please refer to the detailed description in the method examples, which will not be repeated here.
第八方面,本申请实施例还提供了一种通信装置,有益效果可以参见第二方面的描述此处不再赘述。所述通信装置具有实现上述第二方面或第五方面的方法实例中行为的功能。所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件或软件包括一个或多个与上述功能相对应的模块。在一个可能的设计中,该通信装置包括:接收单元、处理单元和发送单元。接收单元,用于接收第一数据包,第一数据包包括传输层协议号、第一源端口号和目的端口号。处理单元,用于根据传输层协议号和目的端口号确定第一数据包是一个发往反射设备的流量。处理单元,还用于用第二源端口号替换第一源端口号,得到第二数据包,第二源端口号包括验证码,验证码是根据密钥和待认证信息确定的,待认证信息包括第一数据包包含的目的IP地址,目的IP地址为反射设备的IP地址。发送单元,用于发送第二数据包。这些模块可以执行上述第二方面或第五方面方法示例中的相应功能,具体参见方法示例中的详细描述,此处不做赘述。In the eighth aspect, the embodiments of the present application also provide a communication device, and the beneficial effects can be referred to the description of the second aspect and will not be repeated here. The communication device has the function of realizing the behavior in the method example of the second aspect or the fifth aspect described above. The functions can be realized by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above-mentioned functions. In a possible design, the communication device includes: a receiving unit, a processing unit, and a sending unit. The receiving unit is configured to receive a first data packet, where the first data packet includes a transport layer protocol number, a first source port number, and a destination port number. The processing unit is configured to determine that the first data packet is a flow sent to the reflection device according to the transport layer protocol number and the destination port number. The processing unit is further configured to replace the first source port number with the second source port number to obtain a second data packet, the second source port number includes a verification code, the verification code is determined according to the key and the information to be authenticated, and the information to be authenticated The destination IP address included in the first data packet is included, and the destination IP address is the IP address of the reflection device. 
The sending unit is used to send the second data packet. These modules can perform the corresponding functions in the method examples of the second aspect or the fifth aspect. For details, please refer to the detailed description in the method examples, which will not be repeated here.
第九方面,本申请实施例还提供了一种通信装置,有益效果可以参见第三方面的描述此处不再赘述。所述通信装置具有实现上述第三方面或第六方面的方法实例中行为的功能。所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件或软件包括一个或多个与上述功能相对应的模块。在一个可能的设计中,该通信装置包括:接收单元、处理单元和发送单元。接收单元,用于接收第一数据包;处理单元,用于根据传输层协议号和第一端口号确定该第一数据包是一个来自反射设备的流量;处理单元,还用于用第二源端口号替换目的端口号,得到第二数据包。发送单元,用于向受保护设备转发第二数据包。其中,第一数据包包括传输层协议号、第一源端口号和目的端口号,目的端口号包括第一验证码。这些模块可以执行上述第三方面或第六方面方法示例中的相应功能,具体参见方法示例中的详细描述,此处不做赘述。In the ninth aspect, the embodiments of the present application also provide a communication device, and the beneficial effects can be referred to the description of the third aspect and will not be repeated here. The communication device has the function of realizing the behavior in the method example of the third aspect or the sixth aspect. The functions can be realized by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above-mentioned functions. In a possible design, the communication device includes: a receiving unit, a processing unit, and a sending unit. The receiving unit is used to receive the first data packet; the processing unit is used to determine that the first data packet is a flow from the reflection device according to the transport layer protocol number and the first port number; the processing unit is also used to use the second source The port number replaces the destination port number to obtain the second data packet. The sending unit is used to forward the second data packet to the protected device. The first data packet includes the transport layer protocol number, the first source port number, and the destination port number, and the destination port number includes the first verification code. These modules can perform the corresponding functions in the method examples of the third aspect or the sixth aspect. For details, please refer to the detailed description in the method examples, which will not be repeated here.
第十方面,提供了一种通信装置,该通信装置可以为上述方法实施例中的网络设备,或者为设置在网络设备中的芯片。该通信装置包括接口电路以及处理器,可选的, 还包括存储器。其中,该存储器用于存储计算机程序或指令,处理器与存储器、接口电路耦合,当处理器执行所述计算机程序或指令时,使通信装置执行上述方法实施例中由网络设备所执行的方法。In a tenth aspect, a communication device is provided. The communication device may be the network device in the foregoing method embodiment, or a chip set in the network device. The communication device includes an interface circuit, a processor, and optionally, a memory. The memory is used to store a computer program or instruction, and the processor is coupled with the memory and an interface circuit. When the processor executes the computer program or instruction, the communication device executes the method executed by the network device in the foregoing method embodiment.
第十一方面,提供了一种计算机程序产品,所述计算机程序产品包括:计算机程序代码,当所述计算机程序代码并运行时,使得上述第一方面至第六方面中由网络设备执行的方法被执行。In an eleventh aspect, there is provided a computer program product, the computer program product comprising: computer program code, when the computer program code is running, make the above-mentioned method of the first to sixth aspects executed by the network device Be executed.
第十二方面,本申请提供了一种芯片系统,该芯片系统包括处理器,用于实现上述各方面的方法中网络设备的功能。在一种可能的设计中,所述芯片系统还包括存储器,用于保存程序指令和/或数据。该芯片系统,可以由芯片构成,也可以包括芯片和其他分立器件。In a twelfth aspect, the present application provides a chip system, which includes a processor, and is configured to implement the functions of the network device in the methods of the foregoing aspects. In a possible design, the chip system further includes a memory for storing program instructions and/or data. The chip system can be composed of chips, and can also include chips and other discrete devices.
第十三方面,本申请提供了一种计算机可读存储介质,该计算机可读存储介质存储有计算机程序,当该计算机程序被运行时,实现上述第一方面至第六方面中由网络设备执行的方法。In a thirteenth aspect, the present application provides a computer-readable storage medium that stores a computer program, and when the computer program is run, it is executed by a network device in the first to sixth aspects above. Methods.
本申请中,网络设备和数据处理装置的名字对设备本身不构成限定,在实际实现中,这些设备可以以其他名称出现。只要各个设备的功能和本申请类似,属于本申请权利要求及其等同技术的范围之内。In this application, the names of the network equipment and the data processing device do not constitute a limitation on the equipment itself. In actual implementation, these equipment may appear under other names. As long as the function of each device is similar to that of this application, it falls within the scope of the claims of this application and its equivalent technologies.
Description of the drawings
Figure 1 is an example diagram of a DRDoS attack provided by the prior art;
Figure 2 is an example diagram of the architecture of a communication system provided by an embodiment of this application;
Figure 3 is a flowchart of a data processing method provided by an embodiment of this application;
Figure 4 is a flowchart of a data processing method provided by an embodiment of this application;
Figure 5 is a schematic diagram of the structure of an IPv4 data packet provided by an embodiment of this application;
Figure 6 is a schematic diagram of the structure of a source port number provided by an embodiment of this application;
Figure 7 is a flowchart of a data processing method provided by an embodiment of this application;
Figure 8 is a flowchart of a data processing method provided by an embodiment of this application;
Figure 9 is a flowchart of a data processing method provided by an embodiment of this application;
Figure 10 is a flowchart of a data processing method provided by an embodiment of this application;
Figure 11 is a flowchart of a data processing method provided by an embodiment of this application;
Figure 12 is a schematic diagram of the structure of a data processing apparatus provided by an embodiment of this application;
Figure 13 is a schematic diagram of the structure of a data processing apparatus provided by an embodiment of this application.
Detailed description
The terms "first", "second" and "third" in the specification, claims and drawings of this application are used to distinguish different objects, not to define a particular order. In the embodiments of this application, words such as "exemplary" or "for example" denote an example, instance or illustration; any embodiment or design described as "exemplary" or "for example" should not be construed as preferred or more advantageous than other embodiments or designs. Rather, such words are intended to present the relevant concepts in a concrete manner.
So that the following embodiments can be described clearly and concisely, a brief introduction to the related technology is given first.
A distributed reflection denial of service (DRDoS) attack differs from a distributed denial of service (DDoS) attack in that the attacker does not need to take over a large number of controlled devices before the attack. Using very few resources, the attacker sends the controlled devices data packets whose source Internet Protocol (IP) address is the IP address of the protected device; the controlled devices then produce a large number of responses directed at the protected device, and the attack on the protected device succeeds.
Figure 1 is a schematic diagram of the principle of a DRDoS attack provided by an embodiment of this application. A controlled device is a device directly controlled by the attacking device. Once the attacking device has learned the IP address of the protected device (for example, a server), it can direct multiple controlled devices to use the IP address IP_VIC of the protected device as the source IP address and the IP address IP_n of a reflection device as the destination address, and to send data packets with this forged source address to the reflection devices, that is, to send service requests to a large number of reflection devices deployed in a distributed manner. After each reflection device receives a service request from a controlled device, it sends data packets to the protected device that attack it. By sending a small volume of attack requests to distributed, exploitable reflection devices, the attacker causes those reflection devices to amplify the traffic by tens of times or even hundreds of thousands of times and return it to the protected device. The large volume of amplified reflected traffic converges on the protected device, exhausting its resources so that it can no longer serve normal users: a DRDoS attack.
However, while the protected device is under a DRDoS attack, the data packets sent by a reflection device to the protected device include not only packets used to attack it but possibly also legitimate packets that are not part of the attack, such as a response packet the reflection device sends in reply to a service request from the protected device, or a request packet the reflection device sends on its own initiative to ask the protected device for a specific service.
A protected device may be understood as a device that an attacker might attack. For example, in the embodiments of this application the protected device may be an application server, a router, or a device in the Internet of Things (IoT); this application does not limit it. The IoT device may be, for example, a fire alarm device. If a fire alarm device is attacked so that it cannot sense a fire and raise an alarm, it cannot send out alarm messages, which poses a serious safety threat. In what follows, the protected device is an application server by way of example.
Hackers tend to select services whose response packets are far larger than the request packets, so that a small amount of traffic can be exchanged for a much larger amount and an amplification of several times or even tens of times is obtained. A reflection device is a device that sends DRDoS attack traffic; for example, a reflection device is a device that meets the conditions for an attacker to exploit it to send DRDoS attack traffic. In general, reflection devices include, but are not limited to, Domain Name System (DNS) servers, Network Time Protocol (NTP) servers, Simple Service Discovery Protocol (SSDP) servers, Simple Network Management Protocol (SNMP) servers, Lightweight Directory Access Protocol (LDAP) servers, Chargen servers and Memcached servers.
DRDoS attacks are cheap to mount and highly effective. Memcached servers, for example, have a very strong reflection amplification capability (amplification by more than a hundred thousand times; the traffic of a single attack has reached 1.94 Tbps [50,000 times]), and both DNS servers and NTP servers can amplify traffic by tens of times. The DRDoS technique therefore lets an attacker achieve a large effect with a small effort, and DRDoS is the method habitually used by booter services in most of the DRDoS attack black market.
Because the source address in the reflected attack traffic is genuine, current solutions give the network device in front of the protected device no way to distinguish quickly, at the network layer or the transport layer, between reflected attack traffic and legitimate traffic.
The implementation of the embodiments of this application is described in detail below with reference to the drawings.
Figure 2 shows an example architecture of a communication system to which the embodiments of this application can be applied. As shown in Figure 2, the communication system includes at least one terminal 201, an internetwork and a data center. The internetwork may be an Internet Service Provider (ISP) network; an ISP is a telecommunications operator that provides Internet access, information services and value-added services to a large number of users. The internetwork includes at least one network device (for example, network device 202 and network device 203). In this document a network device may be a router, a switch, a load balancer or a dedicated firewall. For example, network device 202 is a network device deployed in the telecommunications operator's network close to the data center, and network device 203 is a network device deployed at the egress of the data center; for instance, network device 203 may be the egress router of a cloud data center, or a network device on the link between the cloud data center's anti-DDoS scrubbing center and the operator's network. The internetwork also includes a reflection device 204, which is a device that hackers can easily exploit to send DRDoS attacks.
The data center includes at least one application server 205. Multiple application servers may be separate physical devices, or the functions of multiple application servers may be integrated on one physical device (for example, multiple application servers within a cloud service provider's domain), or part of the functions of an application server may be integrated on one physical device. Each application server can run one or more services (for example, a game service); a service may also be called an application. Each service can be deployed on, and supported by, multiple application servers. Terminal 201 is connected to a network device wirelessly or by wire; network devices are connected to one another wirelessly or by wire; and a network device is connected to application server 205 wirelessly or by wire. A terminal may be at a fixed location or may be mobile. Figure 2 is only a schematic diagram; the communication system may also include other devices, such as wireless relay devices and wireless backhaul devices, which are not shown in Figure 2. The embodiments of this application do not limit the number of terminals, network devices and application servers included in the communication system.
The terminal 201 may also be called a terminal device, user equipment (UE), mobile station (MS), mobile terminal (MT) and so on. The terminal 401 may be a mobile phone, a tablet computer (Pad), a computer with a wireless transceiver function, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical surgery, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, and so on. The embodiments of this application do not limit the specific technology or the specific device form adopted by the terminal.
The terminal 201 and the application server 205 transmit data by sending data packets. A data packet includes a five-tuple. The five-tuple distinguishes different sessions, and the session corresponding to a five-tuple is unique. The five-tuple consists of the source IP address, the destination IP address, the transport layer protocol number, the source port number and the destination port number. For example, a device with IP address 192.168.1.1 connects over TCP from port 10000 to port 80 of a device with IP address 121.14.88.76 and transmits data. The protocol number of TCP is 6, so the five-tuple is 192.168.1.1 10000 6 121.14.88.76 80.
It should be understood that the transport layer protocol number is the protocol number of TCP or the protocol number of UDP. The protocol number of UDP is 17.
When a network device (such as network device 203 or network device 202) receives a data packet from application server 205, it uses the transport layer protocol and the destination port number to judge whether the packet is destined for reflection device 204. If it is, the network device replaces the first source port number contained in the packet with a second source port number; that is, the port number that identifies the application running on application server 205 is replaced with the second source port number, which has a verification code embedded in it. The algorithm that generates the verification code binds header information of the packet, for example the source IP address and the destination IP address.
Then, when a network device (such as network device 203 or network device 202) receives a data packet destined for application server 205, it uses the transport layer protocol and the first source port number to judge whether the packet comes from reflection device 204. If it does, the network device extracts the information to be authenticated from the packet and the first verification code from the destination port number, generates a second verification code from the key and the information to be authenticated, and determines from the second verification code and the first verification code whether the packet is legal. For example, if the second verification code equals the first verification code, the packet is determined to be legal; if they differ, the packet is determined to be illegal and is discarded. The information to be authenticated includes the source IP address, the destination IP address and so on.
Because the port number of application server 205 has been replaced with the second source port number, when the network device receives a data packet destined for application server 205 it replaces the second source port number with the port number of application server 205, so that the network device is still able to deliver the packet to application server 205.
It should be noted that a port number indicates an application layer protocol, and may also indicate a particular thread of an application program; a port number is mainly used to indicate the process or thread that handles the data of an upper-layer application. In this application, after the network device receives a first data packet destined for the reflection device, it replaces the first source port number contained in the first data packet with a second source port number. The replacing second source port number does not indicate a process or thread that handles upper-layer application data; instead it represents information that carries a verification code. Optionally, the second source port number further includes a port index. The port index is used to distinguish different services and specifically indicates one service, namely a service that both application server 205 and reflection device 204 support.
Consequently, after the network device receives a second data packet from the reflection device, it extracts the verification code from the destination port number contained in the second data packet and verifies whether the second data packet is legal: if it is legal, the network device forwards it; if it is not, the network device discards it. It should be understood that the second data packet is the response to the first data packet, and that the content of the destination port field of the second data packet is exactly the content of the source port field of the first data packet; that is, the destination port number contained in the second data packet equals the second source port number contained in the first data packet.
Next, the data processing method provided by this application is described in detail. FIG. 3 is a flowchart of a data processing method provided by an embodiment of this application, described using the example of the network device 203 transmitting data of a first service between the reflection device 204 and the application server 205. As shown in FIG. 3, the method may include:
S301. The application server 205 sends a first data packet to the network device 203, the first data packet including a transport layer protocol number, a first source port number and a first destination port number.
S302. The network device 203 receives the first data packet from the application server 205.
Here, the transport layer protocol number is the UDP number or the TCP number. The first source port number indicates the process or thread in the application server 205 that handles the data of the first service. The first destination port number indicates the process or thread in the reflection device 204 that handles the data of the first service.
S303. The network device 203 determines, from the transport layer protocol number and the first destination port number, that the first data packet is traffic addressed to the reflection device 204.
After receiving the first data packet, the network device 203 extracts the transport layer protocol number and the first destination port number from the header of the first data packet and checks whether the reflective protocol port feature set includes the first destination port number and the transport layer protocol number, so as to determine whether the first data packet is traffic addressed to the reflection device 204.
Specifically, as shown in FIG. 4, S303 includes the following detailed steps.
S3031. The network device 203 determines whether the transport layer protocol number is the UDP number or the TCP number.
If the network device 203 determines that the transport layer protocol number is the UDP number or the TCP number, S3032 is executed; if the network device 203 determines that the transport layer protocol number is neither the UDP number nor the TCP number, the first data packet is not traffic addressed to the reflection device 204, and S306 is executed.
S3032. The network device 203 determines whether the reflective protocol port feature set includes the first destination port number.
If the network device 203 determines that the reflective protocol port feature set includes the first destination port number, the first data packet is traffic addressed to the reflection device 204, and S304 is executed; if the network device 203 determines that the reflective protocol port feature set does not include the first destination port number, the first data packet is not traffic addressed to the reflection device 204, and S306 is executed. A device indicated by a transport layer protocol number and port number contained in the reflective protocol port feature set is a device from which DRDoS attack traffic can be sent.
In some embodiments, the network device 203 may maintain a protocol-port-number relationship, that is, a correspondence between a transport layer protocol and a port number. The protocol-port-number relationship may be presented in the form of a table: the network device 203 may store a protocol-port-number relationship table containing at least one correspondence between a transport layer protocol and a port number. Table 1 shows an example of such a correspondence.
Table 1
Transport layer protocol    Port number
UDP                         53
UDP                         123
UDP                         1900
It should be noted that Table 1 merely illustrates, in tabular form, how the protocol-port-number relationship is stored in the storage device and does not limit that storage form; the protocol-port-number relationship may of course be stored in other forms, which this embodiment of the application does not limit.
S304. The network device 203 replaces the first source port number with the second source port number to obtain the second data packet.
The second source port number includes the first verification code. It can be understood that the second source port number is placed in the source port field of the first data packet. When the network device 203 receives a packet from the reflection device 204 that belongs to the traffic of the first service, the second source port number is found in the destination port field of that packet. This allows the network device 203 to verify, using the first verification code included in the second source port number, whether the packet from the reflection device 204 is legitimate. The second source port number can therefore be regarded as a verifiable identifier rather than an indication of a process or thread that handles upper-layer application data.
As an example, FIG. 5 shows the structure of an IPv4 data packet. As shown in (a) of FIG. 5, an IPv4 packet comprises a basic header and a data part. The data part may be called the payload. The IPv4 basic header may also be called the IPv4 header and may include, in order, the following fields: version, header length, type of service, total length, identification, flags, fragment offset, time to live, protocol, header checksum, source IP address, destination IP address and options.
(b) of FIG. 5 shows the structure of a TCP packet. The TCP packet is carried in the data part of the IP packet and comprises a TCP header and a data part. The TCP header includes the source port, destination port, sequence number, acknowledgment number, data offset (header length), reserved (resv), URG, ACK, PSH, RST, SYN, FIN, window size, checksum, urgent pointer and options. For the meaning of each field of the TCP packet, reference may be made to the prior art; the details are not repeated here.
The first source port number of the first data packet is placed in the source port field. After the network device 203 replaces the first source port number with the second source port number, the source port field contains the second source port number.
In one possible design, the second source port number further includes a first port index (portindex). The first port index identifies the first service run by the application server 205. For example, the second source port number satisfies the following formula (1).
SrcLoc′ = PID || code    (1)
Here SrcLoc′ denotes the second source port number, PID denotes the first port index, code denotes the first verification code, and || denotes concatenation.
FIG. 6 is a schematic diagram of the composition of the second source port number in the first data packet according to an embodiment of this application. The first port index occupies the first 4 bits of the source port field and the first verification code occupies the remaining 12 bits.
The first verification code is determined from the key and the information to be authenticated. The information to be authenticated includes the first destination IP address carried in the first data packet, which is the IP address of the reflection device 204.
Optionally, the information to be authenticated further includes at least one of the first source IP address, the first destination port number and the transport layer protocol number carried in the first data packet. The first source IP address is the IP address of the application server 205, the device that would suffer the DRDoS attack.
For example, the first verification code is determined from the key, the first destination IP address and the first source IP address. It can be understood that the network device 203 encrypts the first destination IP address and the first source IP address with the key to obtain the first verification code. The first verification code satisfies the following formula (2).
code = F_key(IP_R, IP_S)    (2)
Here code denotes the first verification code, IP_R denotes the first destination IP address and IP_S denotes the first source IP address.
As another example, the first verification code is determined from the key, the first destination IP address, the first source IP address and the first destination port number. It can be understood that the network device 203 encrypts the first destination IP address, the first source IP address and the first destination port number with the key to obtain the first verification code.
As another example, the first verification code is determined from the key, the first destination IP address, the first source IP address, the first destination port number and the transport layer protocol number. It can be understood that the network device 203 encrypts the first destination IP address, the first source IP address, the first destination port number and the transport layer protocol number with the key to obtain the first verification code.
Optionally, the information to be authenticated further includes at least one of the first port index and a time parameter. The time parameter may be the time at which the first data packet is received, expressed as a relatively coarse-grained time unit.
It can be understood that if the information to be authenticated includes the time parameter, the time at which the network device 203 receives the packet from the application server 205 and the time at which it receives the packet from the reflection device 204 are the same value of the time parameter.
As another example, the first verification code is determined from the key, the first destination IP address, the first source IP address and the first port index. It can be understood that the network device 203 encrypts the first destination IP address, the first source IP address and the first port index with the key to obtain the first verification code.
The first verification code satisfies the following formula (3).
code = F_key(IP_R, IP_S, PID)    (3)
Here code denotes the first verification code, IP_R denotes the first destination IP address, IP_S denotes the first source IP address and PID denotes the first port index.
F() denotes a cryptographic algorithm. The cryptographic algorithm is a keyed hash algorithm, for example a hash-based message authentication code (HMAC). Alternatively, the cryptographic algorithm is a hash algorithm based on a symmetric block cipher. key is the key. code may be a part of the output of the cryptographic algorithm, for example a 12-bit part of the output.
Optionally, after the network device 203 generates the first verification code from the key and the information to be authenticated, it may build a flow table from the information to be authenticated and the first verification code. It can be understood that the flow table contains multiple entries, each entry representing the correspondence between one piece of information to be authenticated and one verification code. After receiving a packet, the network device 203 can then look up the flow table by the information to be authenticated to obtain the associated verification code, check whether the verification code carried in the packet is identical to the verification code obtained from the flow table, and thereby determine whether the packet is legitimate.
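The feature-set test of S303 and the construction of the second source port number from formulas (1) to (3), as an added Python example that is not part of the patent. The protocol/port pairs come from Table 1 and the IP addresses from Table 2; the key and the packet dictionaries are constructed for the example. The page names HMAC but fixes neither the hash function nor how the fields are encoded, so HMAC-SHA256, the byte layout of the message and taking the low 12 bits of the first two output bytes are assumptions of this example.

```python
import hashlib
import hmac
import ipaddress

# Reflective protocol port feature set, as listed in Table 1: (transport protocol, port).
REFLECTIVE_PORT_FEATURE_SET = {("UDP", 53), ("UDP", 123), ("UDP", 1900)}

PID_BITS = 4       # first port index: first 4 bits of the 16-bit port field (FIG. 6)
CODE_BITS = 12     # first verification code: remaining 12 bits
CODE_MASK = (1 << CODE_BITS) - 1


def is_reflector_traffic(proto, port):
    """S3031/S3032: the transport protocol must be UDP or TCP and (proto, port)
    must appear in the reflective protocol port feature set."""
    if proto not in ("UDP", "TCP"):
        return False
    return (proto, port) in REFLECTIVE_PORT_FEATURE_SET


def verification_code(key, ip_r, ip_s, pid=None, dst_port=None, proto=None):
    """Formulas (2)/(3): code = F_key(IP_R, IP_S[, PID, dst port, proto]).
    F is HMAC (named on the page); SHA-256, the concatenation order and the
    12-bit truncation are assumptions of this example."""
    msg = ipaddress.ip_address(ip_r).packed + ipaddress.ip_address(ip_s).packed
    if pid is not None:
        msg += bytes([pid])
    if dst_port is not None:
        msg += dst_port.to_bytes(2, "big")
    if proto is not None:
        msg += proto.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "big") & CODE_MASK


def build_second_source_port(pid, code):
    """Formula (1): SrcLoc' = PID || code. PID starts at 1 (S310), which keeps
    the resulting port number above 4096, as the page notes."""
    if not 1 <= pid < (1 << PID_BITS):
        raise ValueError("port index must be at least 1 and fit in 4 bits")
    if not 0 <= code <= CODE_MASK:
        raise ValueError("verification code must fit in 12 bits")
    return (pid << CODE_BITS) | code


def split_second_source_port(port):
    """Inverse of formula (1): recover (PID, code) from a 16-bit port number."""
    return port >> CODE_BITS, port & CODE_MASK


def rewrite_first_packet(pkt, key, pid):
    """Outbound path S303 to S306. `pkt` is a constructed dict holding the header
    fields the page names; returns the packet, rewritten if it is reflector-bound."""
    if not is_reflector_traffic(pkt["proto"], pkt["dst_port"]):
        return pkt                                   # S306: forward unchanged
    # IP_R is the first destination IP (reflector), IP_S the first source IP (server)
    code = verification_code(key, pkt["dst_ip"], pkt["src_ip"], pid)
    rewritten = dict(pkt)
    rewritten["src_port"] = build_second_source_port(pid, code)   # S304
    return rewritten                                              # S305
```

The only state the rewrite needs is the key and the port index; the 12-bit code is recomputable from the packet headers, which is what lets the return path be checked without per-flow state.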
S305. The network device 203 sends the second data packet to the reflection device 204.
S306. The network device 203 forwards the first data packet.
In some embodiments, as shown in FIG. 7, before replacing the first source port number with the second source port number (S304), the network device 203 first obtains the first port index, specifically through the following detailed steps.
S307. The network device 203 determines whether the legal flow table includes the five-tuple of the first data packet.
The network device 203 maintains a service-port correspondence for each service, that is, a correspondence between a port index, the five-tuple corresponding to that port index and a new source port number. The service-port correspondence may be presented in the form of a table. The new source port number is the second source port number described above, which includes the first verification code. The network device 203 may store a legal flow table containing at least one service-port correspondence. Table 2 shows an example.
Table 2
[Table 2 image: PCTCN2021096986-appb-000001, listing for each sequence number the port index, the five-tuple and the new source port number]
As Table 2 shows, different sequence numbers denote the traffic information of different services: sequence number 1 denotes the information of flow 1, sequence number 2 the information of flow 2, and sequence number 3 the information of flow 3.
From the information of flow 1, the device with IP address 192.168.1.1 connects from port 10000 over TCP to port 80 of the device with IP address 121.14.88.76 and transmits data. The protocol number of TCP is 6. The five-tuple is 192.168.1.1 10000 6 121.14.88.76 80.
From the information of flow 2, the second record (sequence number 2), the device with IP address 192.168.1.1 connects from port 5000 over TCP to port 80 of the device with IP address 121.14.88.76 and transmits data. The five-tuple is 192.168.1.1 5000 6 121.14.88.76 80.
From the information of flow 3, the third record (sequence number 3), the device with IP address 192.168.1.1 connects from port 3000 over TCP to port 100 of the device with IP address 121.14.88.76 and transmits data. The five-tuple is 192.168.1.1 3000 6 121.14.88.76 100.
Because the information of flow 1 and the information of flow 2 differ only in the source port number, that is, they share the same four-tuple, flow 1 and flow 2 are traffic of different services sent by the same source device to the same destination device.
The port index distinguishes the traffic of different services. When the source IP address, destination IP address, transport layer protocol and destination port number are the same, different port indexes can be used to distinguish different flows. The initial value of the port index is 1, so that the new source port number does not fall into the range 0-4096 of commonly used port numbers.
It should be noted that Table 2 merely illustrates, in tabular form, how the service-port correspondence is stored in the storage device and does not limit that storage form; the service-port correspondence may of course be stored in other forms, which this embodiment of the application does not limit.
If the legal flow table includes the five-tuple of the first data packet, the network device 203 has already sent data to the reflection device 204 and stores the five-tuple information of the first data packet, and S308 is executed; if the legal flow table does not include the five-tuple of the first data packet, the network device 203 has not sent data to the reflection device 204, and S309 is executed. The five-tuple of the first data packet uniquely identifies the network traffic of the first service and comprises the first source IP address, the first destination IP address, the transport layer protocol number, the first source port number and the first destination port number.
S308. The network device 203 obtains, from the legal flow table, the second source port number corresponding to the five-tuple of the first data packet.
For example, if the five-tuple of the first data packet is the information of flow 1, the second source port number is 23101.
S309. The network device 203 determines whether the legal flow table includes the four-tuple of the first data packet, that is, the five-tuple excluding the first source port number.
If the legal flow table does not include that four-tuple, the network device 203 has not sent data to the reflection device 204, and S310 is executed; if the legal flow table does include that four-tuple, the network device 203 has sent data to the reflection device 204 but has not sent data of the first service to the reflection device 204, and S311 is executed.
S310. The network device 203 generates the first port index.
It can be understood that the network device 203 adds a record to the legal flow table, sets the five-tuple of the first data packet, and sets the first port index to 1. S312 is then executed.
S311. The network device 203 updates the second port index corresponding to the four-tuple to obtain the first port index.
It can be understood that the second port index indicates data, other than that of the first service, sent by the network device 203 to the reflection device 204. To distinguish the first service from other services, the second port index is updated to obtain the first port index: for example, the network device 203 adds a record to the legal flow table, sets the five-tuple of the first data packet, and sets the first port index to the second port index plus 1. S312 is then executed.
S312. The network device 203 generates the first verification code from the key and the information to be authenticated, and generates the second source port number from the first verification code.
For the specific method of generating the first verification code and the second source port number, refer to the description of S304 above; it is not repeated here.
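The legal flow table and the port index allocation of S307 to S312, as an added Python example that is not the patent's own data structure. Five-tuples follow the order used in Table 2 (source IP, source port, protocol number, destination IP, destination port), and the three example flows of Table 2 are the intended input. The new source port number is computed as in formulas (1) and (3); HMAC-SHA256 and its byte layout are assumptions, and a caller may pass its own code function instead. The page does not say what happens when the 4-bit index space of one four-tuple is exhausted, so the overflow check at the end is an addition of this example.

```python
import hashlib
import hmac
import ipaddress

CODE_BITS = 12
CODE_MASK = (1 << CODE_BITS) - 1
MAX_PID = 15   # the port index has 4 bits; 0 is never used, so 1..15 are available


class LegalFlowTable:
    """Records: five-tuple -> (port index, new source port number), cf. Table 2."""

    def __init__(self, key, code_fn=None):
        self.key = key
        self.code_fn = code_fn or self._hmac_code   # code_fn(ip_r, ip_s, pid) -> 12-bit int
        self.records = {}

    def _hmac_code(self, ip_r, ip_s, pid):
        # Formula (3): 12-bit part of HMAC over (IP_R, IP_S, PID). SHA-256 is an assumption.
        msg = ipaddress.ip_address(ip_r).packed + ipaddress.ip_address(ip_s).packed + bytes([pid])
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:2], "big") & CODE_MASK

    def second_source_port(self, five_tuple):
        """Returns the second source port number for the first packet's five-tuple,
        creating a record with a fresh port index when the flow is new."""
        src_ip, src_port, proto, dst_ip, dst_port = five_tuple
        # S307/S308: the flow is already known, reuse its second source port number.
        if five_tuple in self.records:
            return self.records[five_tuple][1]
        # S309: look for records sharing the four-tuple (everything except the source port).
        four_tuple = (src_ip, proto, dst_ip, dst_port)
        sibling_pids = [pid for (s, _sp, p, d, dp), (pid, _port) in self.records.items()
                        if (s, p, d, dp) == four_tuple]
        if not sibling_pids:
            pid = 1                        # S310: first flow for this four-tuple
        else:
            pid = max(sibling_pids) + 1    # S311: second port index plus 1
            if pid > MAX_PID:
                raise OverflowError("4-bit port index space exhausted for this four-tuple")
        # S312: code = F_key(IP_R, IP_S, PID) with IP_R the reflector (destination),
        # IP_S the server (source); SrcLoc' = PID || code.
        code = self.code_fn(dst_ip, src_ip, pid)
        new_port = (pid << CODE_BITS) | code
        self.records[five_tuple] = (pid, new_port)
        return new_port
```

Because the index is allocated per four-tuple rather than globally, two services between the same server and reflector get indexes 1 and 2 (flows 1 and 2 of Table 2), while a flow to a different reflector port starts again at 1 (flow 3).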
Further, after the network device 203 receives a data packet from the reflection device 204, it can verify the legitimacy of the received packet using the first verification code and thereby filter illegitimate traffic. As shown in FIG. 8, see the detailed description of S313 to S318 below.
S313. The network device 203 receives a third data packet, the third data packet including a transport layer protocol number, a third source port number and a second destination port number.
S314. The network device 203 determines, from the transport layer protocol number and the third source port number, that the third data packet is traffic from the reflection device 204.
Generally, the source port number indicates the process or thread in the source device that handles the data of a service, and the destination port number indicates the process or thread in the destination device that handles the data of the service. Here, the third source port number indicates the process or thread in the reflection device 204 that handles the data of the first service.
It should be understood that when the network device 203 sent the second data packet to the reflection device 204, it replaced the first source port number with the second source port number. The second source port number is therefore placed in the destination port field of the third data packet; that is, the second destination port number can be understood as the second source port number. The second destination port number includes the first verification code.
Optionally, the first verification code is one component of the destination port field of the third data packet. For example, the second destination port number also includes the first port index. The composition of the second destination port number is as shown in FIG. 6: the first port index occupies the first 4 bits of the destination port field and the first verification code occupies the remaining 12 bits.
After receiving the third data packet, the network device 203 extracts the transport layer protocol number and the third source port number from the header of the third data packet and checks whether the reflective protocol port feature set includes the third source port number and the transport layer protocol number, so as to determine whether the third data packet is traffic from the reflection device 204.
Specifically, as shown in FIG. 9, step S314 includes the following detailed steps.
S3141. The network device 203 determines whether the transport layer protocol number is the UDP number or the TCP number.
If the network device 203 determines that the transport layer protocol number is the UDP number or the TCP number, S3142 is executed; if the network device 203 determines that the transport layer protocol number is neither the UDP number nor the TCP number, the third data packet is not traffic from the reflection device 204, and S319 is executed.
S3142. The network device 203 determines whether the reflective protocol port feature set includes the third source port number.
If the network device 203 determines that the reflective protocol port feature set includes the third source port number, the third data packet is traffic from the reflection device 204, and the network device 203 obtains the second verification code according to the information to be authenticated, for example by executing S315 or by retrieving the second verification code associated with the information to be authenticated; if the network device 203 determines that the reflective protocol port feature set does not include the third source port number, the third data packet is not traffic from the reflection device 204, and S319 is executed. For an explanation of the reflective protocol port feature set, refer to the description of S302 above; it is not repeated here.
It should be noted that if the third data packet is not traffic from the reflection device 204, the second destination port number indicates the process or thread of the first service run by the application server 205; that is, the application server 205 receives the data of the first service on the port indicated by the second destination port number.
If the third data packet is traffic from the reflection device 204, the second destination port number includes the first verification code. In that case the second destination port number does not indicate the process or thread of the first service run by the application server 205; it is a verifiable identifier used to distinguish legitimate traffic from illegitimate traffic.
S315. The network device 203 generates a second verification code according to the key and the information to be authenticated.
The information to be authenticated includes the second source IP address, which is the IP address of the reflection device 204.
Optionally, the information to be authenticated further includes at least one of the second destination IP address, the third source port number, and the transport layer protocol number carried in the third data packet. The second destination IP address is the IP address of the application server 205.
Optionally, the information to be authenticated further includes at least one of the first port index and a time parameter.
The network device 203 may obtain the first port index from the second destination port number, that is, take the first 4 bits of the second destination port number as the first port index. Alternatively, the network device 203 may obtain the first port index corresponding to the five-tuple of the third data packet from the legal flow table.
It should be noted that the method for generating the second verification code is the same as the method for generating the first verification code; only then can the first verification code and the second verification code be guaranteed to match. For the specific way of generating the second verification code, refer to the description of generating the first verification code in S303 above, which is not repeated here.
In addition, "the network device 203 generates the second verification code according to the key and the information to be authenticated" can be understood as the network device 203 generating the second verification code in real time after it receives the third data packet and determines that the third data packet is traffic from the reflection device 204.
In another case, the order of the steps of the data processing method provided in the embodiments of this application may be adjusted as appropriate. For example, before receiving the third data packet, the network device 203 pre-generates the second verification code according to the key and the information to be authenticated, and stores the correspondence between the information to be authenticated and the second verification code. The information to be authenticated is, for example, a five-tuple, and the network device 203 stores the relationship between the five-tuple and the second verification code in advance. For the explanation of the information to be authenticated and of the method for generating the second verification code, refer to the description of S315.
After the network device 203 receives the third data packet and determines that it is traffic from the reflection device 204, the network device 203 may obtain the second verification code associated with the information to be authenticated according to that information. For example, the network device 203 may store the association between the information to be authenticated and the second verification code in the form of a table. After obtaining the information to be authenticated, the network device 203 looks up the flow table according to that information and obtains the associated second verification code.
Optionally, if the third data packet is an illegitimate data packet from the reflection device 204, the network device 203 may not have stored the corresponding information to be authenticated, so the flow table contains no entry for it. When the network device 203 looks up the table according to the information to be authenticated, it cannot obtain an associated second verification code; the network device 203 therefore treats the third data packet as an illegitimate data packet from the reflection device 204 and discards it.
It should be noted that presenting the association between the information to be authenticated and the second verification code as a table only illustrates one form in which the association may be stored in the storage device and does not limit that storage form; the association may of course be stored in other forms, which is not limited in the embodiments of this application.
S316. The network device 203 determines, according to the first verification code and the second verification code, whether the third data packet is legitimate.
The network device 203 may obtain the first verification code from the second destination port number, that is, take the last 12 bits of the second destination port number as the first verification code.
Specifically, the network device 203 may compare the first verification code with the second verification code: if they are the same, the third data packet is determined to be legitimate; if they differ, the third data packet is determined to be illegitimate.
If the third data packet is legitimate, S317 is performed; if the third data packet is illegitimate, it is discarded.
It can be understood that if the third data packet is an illegitimate data packet from the reflection device 204, then, because the attacker cannot obtain the first verification code, either the second destination port number does not include the first verification code, or the first verification code was not obtained by the reflection device 204 from the second data packet received from the network device 203 and may have been fabricated by the attacker. In that case the second verification code generated by the network device 203 differs from the first verification code, so that most illegitimate traffic is filtered by verifying the value of the destination port field of the transport layer.
S317. The network device 203 replaces the second destination port number with the first source port number to obtain a fourth data packet.
It can be understood that the network device 203 replaces the second source port number with the first source port number to obtain the fourth data packet.
For example, assume that the IP address of the reflection device 204 is 121.14.88.76, the IP address of the application server 205 is 192.168.1.1, the port on which the application server 205 sends and receives the data of the first service is 10000, and the port on which the reflection device 204 sends and receives the data of the first service is 80. In the five-tuple of the first data packet sent by the application server 205 to the reflection device 204, the first source IP address is 192.168.1.1, the first destination IP address is 121.14.88.76, the transport layer protocol is TCP, the first source port number is 10000, and the first destination port number is 80. After the network device 203 replaces the first source port number with the second source port number, the source port field is set to 23101, giving the second data packet.
In the five-tuple of the third data packet received by the network device 203, the second source IP address is the IP address of the reflection device 204, namely 121.14.88.76; the second destination IP address is the IP address of the application server 205, namely 192.168.1.1; the transport layer protocol is TCP; the second source port number, the port from which the reflection device 204 sends the data of the first service, is 80; and the second destination port number is the second source port number, namely 23101. After the network device 203 replaces the second destination port number with the first source port number, the destination port field is set to 10000, giving the fourth data packet.
S318. The network device 203 forwards the fourth data packet to the application server 205.
S319. The network device 203 forwards the third data packet.
In some embodiments, as shown in FIG. 10, before replacing the second source port number with the first source port number, that is, before S317, the network device 203 first obtains the first source port number; the detailed steps are as follows.
S320. The network device 203 determines that the legal flow table includes the five-tuple of the third data packet, and obtains from the legal flow table the first source port number corresponding to that five-tuple.
It can be understood that, before sending the second data packet to the reflection device 204, the network device 203 has already created in the legal flow table the five-tuple information of the data exchange of the first service between the reflection device 204 and the application server 205. That record also includes the first port index and the second source port number used to replace the first source port number; therefore, the network device 203 can obtain the corresponding first source port number according to the five-tuple of the first data packet.
It should be noted that the second source IP address in the third data packet is the first destination IP address in the first data packet, and the second source IP address corresponds to the destination IP recorded in the legal flow table.
The second destination IP address in the third data packet is the first source IP address in the first data packet, and the second destination IP address corresponds to the source IP recorded in the legal flow table.
The transport layer protocol number in the third data packet and the transport layer protocol number in the first data packet both correspond to the transport layer protocol number recorded in the legal flow table.
The third source port number in the third data packet is the first destination port number in the first data packet, and the third source port number corresponds to the destination port number recorded in the legal flow table.
The second destination port number in the third data packet is the second source port number that replaced the first source port number in the first data packet, and the second destination port number corresponds to the new source port number recorded in the legal flow table.
According to the five-tuple of the third data packet, namely the second source IP address, the second destination IP address, the transport layer protocol number, the third source port number, and the second destination port number, the network device 203 can obtain from the legal flow table the first source port number corresponding to that five-tuple, that is, the new source port number recorded in the legal flow table for the five-tuple of the third data packet, and replace the second destination port number in the third data packet with that new source port number to obtain the fourth data packet.
In this case, if the third data packet is legitimate, S320 is performed first and then S317.
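The following is an added example (not code from the patent or from its applicant) that walks the page's sample addresses through steps S303/S304 (outbound port rewriting), S315/S316 (verification) and S317/S320 (legal flow table lookup and port restoration) in Python. Everything beyond the page's own description is an assumption: the verification code is a truncated HMAC-SHA256 (the page only requires that the same method is used on both paths), the port index is a per-flow counter, the optional time parameter is omitted, the key is a constructed demo value, and the names `Packet`, `NetworkDevice`, `split_port`, `make_port`, `verification_code` and `demo` are the example's own.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace as dc_replace

# Constructed demo key; the page does not specify key length or MAC algorithm (assumption).
KEY = b"constructed-demo-key-not-from-the-patent"

PORT_INDEX_BITS = 4          # first 4 bits of the port carry the port index
CODE_BITS = 12               # last 12 bits carry the verification code
CODE_MASK = (1 << CODE_BITS) - 1
TCP = 6                      # transport layer protocol number for TCP


@dataclass(frozen=True)
class Packet:
    """Five-tuple of a packet; the payload is irrelevant to the scheme."""
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int


def split_port(port: int):
    """Split a 16-bit port value into (port index, verification code)."""
    return port >> CODE_BITS, port & CODE_MASK


def make_port(port_index: int, code: int) -> int:
    """Pack a 4-bit port index and a 12-bit verification code into one port value."""
    return ((port_index & 0xF) << CODE_BITS) | (code & CODE_MASK)


def verification_code(key, reflector_ip, server_ip, proto, reflector_port, port_index):
    """12-bit verification code over the information to be authenticated.

    Assumption: truncated HMAC-SHA256. The inputs are the reflection device IP,
    the application server IP, the protocol number, the reflection device's
    port and the port index, written in the same order on both paths.
    """
    msg = f"{reflector_ip}|{server_ip}|{proto}|{reflector_port}|{port_index}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:2], "big") & CODE_MASK


class NetworkDevice:
    """Models network device 203: rewrites outbound source ports and verifies replies."""

    def __init__(self, key, reflector_services):
        self.key = key
        self.reflector_services = reflector_services   # set of (proto, port) of reflection services
        self.legal_flow_table = {}                       # reply five-tuple -> original source port
        self.next_port_index = 0

    def outbound(self, pkt: Packet):
        """S303/S304: traffic to a reflection service gets a verifiable source port."""
        if (pkt.proto, pkt.dst_port) not in self.reflector_services:
            return pkt
        port_index = self.next_port_index
        self.next_port_index = (self.next_port_index + 1) % (1 << PORT_INDEX_BITS)
        code = verification_code(self.key, pkt.dst_ip, pkt.src_ip, pkt.proto, pkt.dst_port, port_index)
        new_src_port = make_port(port_index, code)
        # Record the five-tuple the reply will carry so the original port can be restored (S320).
        reply_key = (pkt.dst_ip, pkt.src_ip, pkt.proto, pkt.dst_port, new_src_port)
        self.legal_flow_table[reply_key] = pkt.src_port
        return dc_replace(pkt, src_port=new_src_port)

    def inbound(self, pkt: Packet):
        """S314 to S317 and S320: verify a reply and restore the original destination port.

        Returns the packet to forward, or None if it must be dropped.
        """
        if (pkt.proto, pkt.src_port) not in self.reflector_services:
            return pkt                           # not from a reflection service; forward as-is
        port_index, first_code = split_port(pkt.dst_port)
        second_code = verification_code(self.key, pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.src_port, port_index)
        if not hmac.compare_digest(first_code.to_bytes(2, "big"), second_code.to_bytes(2, "big")):
            return None                          # S316: verification codes differ, drop
        five_tuple = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.src_port, pkt.dst_port)
        original_port = self.legal_flow_table.get(five_tuple)
        if original_port is None:
            return None                          # S320: no legal flow table entry, drop
        return dc_replace(pkt, dst_port=original_port)   # S317: the fourth data packet


def demo():
    """Run the page's example addresses through the device; returns (second, fourth, forged result)."""
    dev = NetworkDevice(KEY, {(TCP, 80)})
    first = Packet("192.168.1.1", "121.14.88.76", TCP, 10000, 80)
    second = dev.outbound(first)                 # source port is now index||code, not 10000
    # The reflection device answers, swapping the tuple around (constructed reply).
    third = Packet(second.dst_ip, second.src_ip, TCP, second.dst_port, second.src_port)
    fourth = dev.inbound(third)                  # destination port restored to 10000
    # Constructed illegitimate reply: same five-tuple with one bit of the code altered.
    forged = dc_replace(third, dst_port=third.dst_port ^ 0x1)
    return second, fourth, dev.inbound(forged)


if __name__ == "__main__":
    print(demo())
```

With the 4-bit/12-bit split the page describes, the sample value 23101 decodes to port index 5 and verification code 0xA3D; the demo key above produces a different code, since the patent does not disclose the key or the MAC. Note that a 12-bit code leaves a 1-in-4096 chance that a guessed destination port passes S316, which is why the legal flow table check in S320 is kept as a second filter rather than relying on the code alone.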
The function of embedding a verification code in the source port number and the function of verifying, from the contents of the port field, whether a data packet is legitimate may be implemented in one network device (for example, the network device 202 or the network device 203) or in different network devices. FIG. 11 is a flowchart of a data processing method provided by an embodiment of this application, described here using as an example the case where the data of the first service is transmitted between the reflection device 204 and the application server 205, the network device 203 replaces the source port number in data packets from the application server 205, and the network device 202 verifies data packets sent to the application server 205. As shown in FIG. 11, the method may include:
S1101. The application server 205 sends a first data packet to the network device 203, where the first data packet includes a transport layer protocol number, a first source port number, and a first destination port number.
S1102. The network device 203 receives the first data packet from the application server 205.
S1103. The network device 203 determines, according to the transport layer protocol number and the first destination port number, that the first data packet is traffic destined for the reflection device 204.
S1104. The network device 203 replaces the first source port number with a second source port number to obtain a second data packet.
S1105. The network device 203 sends the second data packet to the reflection device 204.
For specific explanations of S1101 to S1105, refer to the descriptions of S301 to S305 above, which are not repeated here.
S1106. The network device 202 receives a third data packet, where the third data packet includes a transport layer protocol number, a third source port number, and a second destination port number, and the second destination port number includes a first verification code.
S1107. The network device 202 determines, according to the transport layer protocol number and the third source port number, that the third data packet is traffic from the reflection device 204.
S1108. The network device 202 generates a second verification code according to the key and the information to be authenticated.
The network device 203 shares the key used to generate the first verification code with the network device 202, so that the network device 202 can generate the second verification code according to the shared key and the information to be authenticated.
Optionally, the network device 203 shares the correspondence between the information to be authenticated and the second verification code with the network device 202, so that the network device 202 can obtain the second verification code associated with the information to be authenticated. For example, the network device 202 may look up a table according to the information to be authenticated and obtain the associated second verification code. For a specific explanation, refer to the description of S315.
S1109. The network device 202 determines, according to the first verification code and the second verification code, whether the third data packet is legitimate.
If the third data packet is legitimate, S1110 is performed; if the third data packet is illegitimate, it is discarded.
For specific explanations of S1106 to S1109, refer to the descriptions of S313 to S316 above, which are not repeated here.
S1110. The network device 202 forwards the third data packet.
S1111. The network device 203 receives the third data packet.
S1112. The network device 203 determines, according to the transport layer protocol number and the third source port number, that the third data packet is traffic from the reflection device 204.
S1113. The network device 203 determines that the legal flow table includes the five-tuple of the third data packet, and obtains from the legal flow table the first source port number corresponding to that five-tuple.
S1114. The network device 203 replaces the second destination port number with the first source port number to obtain a fourth data packet.
For specific explanations of S1112 to S1114, refer to the descriptions of S314, S320, and S317 above, which are not repeated here.
S1115. The network device 203 forwards the fourth data packet to the application server 205.
The data processing method provided in the embodiments of this application uses the port field of the transport layer header of a data packet to carry a verifiable mark. After a network device receives a data packet from a reflection device, it verifies the mark to distinguish legitimate data packets from illegitimate ones, and only legitimate data packets are forwarded, which counters most reflection-type denial-of-service attacks. Compared with black-hole techniques, the method ensures that legitimate traffic is forwarded rather than discarded by the black hole, while the network device filters most of the DRDoS attack traffic. Compared with traffic-scrubbing techniques, the method reduces the delay that deep protocol parsing adds to the handling of legitimate traffic. In addition, because the verifiable identifier can be embedded in the destination port field, the network device does not need to process application layer data and can filter directly at the transport layer, which lowers the cost of defending against DRDoS attacks and does not depend on cross-domain cooperation.
It can be understood that, to implement the functions of the foregoing embodiments, the network device includes the hardware structures and/or software modules corresponding to each function. Those skilled in the art will readily appreciate that, in combination with the units and method steps of the examples described in the embodiments disclosed in this application, this application can be implemented in hardware or in a combination of hardware and computer software. Whether a given function is performed by hardware or by computer software driving hardware depends on the specific application scenario and design constraints of the technical solution.
FIG. 12 and FIG. 13 are schematic structural diagrams of possible data processing apparatuses provided by embodiments of this application. These data processing apparatuses can be used to implement the functions of the network device in the foregoing method embodiments, and can therefore also achieve the beneficial effects of those method embodiments. In the embodiments of this application, the data processing apparatus may be the network device 202 or the network device 203 shown in FIG. 2, or a module (such as a chip) applied to the network device.
As shown in FIG. 12, the data processing apparatus 1200 includes a receiving unit 1210, a processing unit 1220, and a sending unit 1230. The data processing apparatus 1200 is configured to implement the functions of the network device in the method embodiments shown in FIG. 3, FIG. 4, FIG. 7, FIG. 8, FIG. 9, FIG. 10, or FIG. 11.
When the data processing apparatus 1200 is used to implement the functions of the network device 203 in the method embodiment shown in FIG. 3: the receiving unit 1210 performs S302; the processing unit 1220 performs S303 and S304; and the sending unit 1230 performs S305.
When the data processing apparatus 1200 is used to implement the functions of the network device 203 in the method embodiment shown in FIG. 4: the receiving unit 1210 performs S302; the processing unit 1220 performs S3031, S3032, and S304; and the sending unit 1230 performs S305 and S306.
When the data processing apparatus 1200 is used to implement the functions of the network device 203 in the method embodiment shown in FIG. 7: the receiving unit 1210 performs S302; the processing unit 1220 performs S3031, S3032, S304, and S307 to S312; and the sending unit 1230 performs S305 and S306.
When the data processing apparatus 1200 is used to implement the functions of the network device 203 in the method embodiment shown in FIG. 8: the receiving unit 1210 performs S302 and S313; the processing unit 1220 performs S3031, S3032, S304, S307 to S312, and S314 to S317; and the sending unit 1230 performs S305, S306, and S318.
When the data processing apparatus 1200 is used to implement the functions of the network device 203 in the method embodiment shown in FIG. 9: the receiving unit 1210 performs S302 and S313; the processing unit 1220 performs S3031, S3032, S304, S307 to S312, and S3141 and S3142 to S317; and the sending unit 1230 performs S305, S306, S318, and S319.
When the data processing apparatus 1200 is used to implement the functions of the network device 203 in the method embodiment shown in FIG. 10: the receiving unit 1210 performs S302 and S313; the processing unit 1220 performs S3031, S3032, S304, S307 to S312, S3141 and S3142 to S317, and S320; and the sending unit 1230 performs S305, S306, S318, and S319.
When the data processing apparatus 1200 is used to implement the functions of the network device 203 in the method embodiment shown in FIG. 11: the receiving unit 1210 performs S1102 and S1111; the processing unit 1220 performs S1103, S1104, S1112, S1113, and S1114; and the sending unit 1230 performs S1105 and S1115.
When the data processing apparatus 1200 is used to implement the functions of the network device 202 in the method embodiment shown in FIG. 11: the receiving unit 1210 performs S1106; the processing unit 1220 performs S1107 to S1109; and the sending unit 1230 performs S1110.
For a more detailed description of the receiving unit 1210, the processing unit 1220, and the sending unit 1230, refer directly to the relevant descriptions in the method embodiments shown in FIG. 3, FIG. 4, FIG. 7, FIG. 8, FIG. 9, FIG. 10, or FIG. 11, which are not repeated here.
As shown in FIG. 13, the data processing apparatus 1300 includes a processor 1310 and an interface circuit 1320, which are coupled to each other. It can be understood that the interface circuit 1320 may be a transceiver or an input/output interface. Optionally, the data processing apparatus 1300 may further include a memory 1330 for storing instructions executed by the processor 1310, input data required by the processor 1310 to run the instructions, or data generated after the processor 1310 runs the instructions.
When the data processing apparatus 1300 is used to implement the method shown in FIG. 3, FIG. 4, FIG. 7, FIG. 8, FIG. 9, FIG. 10, or FIG. 11, the processor 1310 performs the functions of the processing unit 1220 described above, and the interface circuit 1320 performs the functions of the receiving unit 1210 and the sending unit 1230 described above.
It can be understood that the processor in the embodiments of this application may be a central processing unit (CPU), or may be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. The general-purpose processor may be a microprocessor or any conventional processor.
The method steps in the embodiments of this application may be implemented in hardware, or by a processor executing software instructions. The software instructions may consist of corresponding software modules, which may be stored in random access memory (RAM), flash memory, read-only memory (ROM), programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), a register, a hard disk, a removable hard disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. The storage medium may of course also be a component of the processor. The processor and the storage medium may reside in an ASIC, and the ASIC may reside in a network device or a terminal device. The processor and the storage medium may of course also exist as discrete components in a network device or a terminal device.
The foregoing embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer programs or instructions. When the computer programs or instructions are loaded and executed on a computer, the procedures or functions described in the embodiments of this application are performed in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, a network device, user equipment, or another programmable apparatus. The computer programs or instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from a website, computer, server, or data center to another website, computer, server, or data center by wired or wireless means. The computer-readable storage medium may be any usable medium accessible to a computer, or a data storage device such as a server or data center that integrates one or more usable media. The usable medium may be a magnetic medium, such as a floppy disk, a hard disk, or a magnetic tape; an optical medium, such as a digital video disc (DVD); or a semiconductor medium, such as a solid state drive (SSD).
In the embodiments of this application, unless otherwise stated or logically conflicting, the terms and/or descriptions in different embodiments are consistent and may be cited by one another, and the technical features of different embodiments may be combined according to their inherent logical relationships to form new embodiments.
In this application, "at least one" means one or more, and "multiple" means two or more. "And/or" describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: A alone, both A and B, or B alone, where A and B may be singular or plural. In the text of this application, the character "/" generally indicates an "or" relationship between the associated objects; in the formulas of this application, the character "/" indicates a "division" relationship between them.
It can be understood that the various numerals used in the embodiments of this application serve only to distinguish items for ease of description and are not intended to limit the scope of the embodiments. The magnitude of the sequence numbers of the foregoing processes does not imply an order of execution; the execution order of each process should be determined by its function and internal logic.

Claims (35)

  1. A data processing method, characterized in that it comprises:
    receiving a first data packet, where the first data packet includes a transport layer protocol number, a first source port number, and a destination port number, and the destination port number includes a first verification code;
    determining, according to the transport layer protocol number and the first source port number, that the first data packet is traffic from a reflection device, where the reflection device is a device that sends a distributed reflection denial of service (DRDoS) attack;
    obtaining a second verification code according to information to be authenticated, where the information to be authenticated includes a source Internet Protocol (IP) address carried in the first data packet, and the source IP address is the IP address of the reflection device; and
    determining, according to the first verification code and the second verification code, whether the first data packet is legitimate.
  2. The method according to claim 1, characterized in that obtaining the second verification code according to the information to be authenticated comprises:
    generating the second verification code according to a key and the information to be authenticated.
  3. The method according to claim 1, characterized in that obtaining the second verification code according to the information to be authenticated comprises:
    obtaining the second verification code associated with the information to be authenticated.
  4. The method according to claim 3, characterized in that, before obtaining the second verification code associated with the information to be authenticated, the method further comprises:
    generating the second verification code according to a key and the information to be authenticated; and
    generating a flow table according to the information to be authenticated and the second verification code;
    and obtaining the second verification code associated with the information to be authenticated comprises: querying the flow table according to the information to be authenticated to obtain the second verification code associated with it.
  5. The method according to any one of claims 1 to 4, characterized in that determining, according to the transport layer protocol number and the first source port number, that the first data packet is traffic from a reflection device comprises:
    determining that a reflective protocol port feature set includes the first source port number and the transport layer protocol number, and that the transport layer protocol number is the User Datagram Protocol (UDP) number or the Transmission Control Protocol (TCP) number, in which case the first data packet is traffic from the reflection device.
  6. The method according to any one of claims 1 to 5, characterized in that the information to be authenticated further includes at least one of the destination IP address carried in the first data packet, the first source port number, and the transport layer protocol number, and/or at least one of a port index and a time parameter; the destination IP address is the IP address of a protected device, the protected device is a device subjected to the DRDoS attack, and the port index identifies an application.
  7. The method according to any one of claims 1 to 6, characterized in that the destination port number further includes a port index.
  8. The method according to any one of claims 1 to 7, characterized in that, if the first data packet is legitimate, the method further comprises:
    forwarding the first data packet to the protected device.
  9. The method according to any one of claims 1 to 7, characterized in that, if the first data packet is legitimate, the method further comprises:
    replacing the destination port number with a second source port number to obtain a second data packet; and
    forwarding the second data packet to the protected device.
  10. The method according to claim 9, characterized in that, before replacing the destination port number with the second source port number, the method further comprises:
    determining that a legitimate flow table includes the 5-tuple of the first data packet, and obtaining from the legitimate flow table the second source port number corresponding to the 5-tuple of the first data packet, where the 5-tuple of the first data packet uniquely identifies a network flow and includes the source IP address, the destination IP address, the transport layer protocol number, the first source port number, and the destination port number.
  11. A data processing method, characterized in that it comprises:
    receiving a first data packet, where the first data packet includes a transport layer protocol number, a first source port number, and a destination port number;
    determining, according to the transport layer protocol number and the destination port number, that the first data packet is traffic destined for a reflection device, where the reflection device is a device that sends a distributed reflection denial of service (DRDoS) attack;
    replacing the first source port number with a second source port number to obtain a second data packet, where the second source port number includes a verification code, the verification code is determined according to a key and information to be authenticated, the information to be authenticated includes a destination Internet Protocol (IP) address carried in the first data packet, and the destination IP address is the IP address of the reflection device; and
    sending the second data packet.
  12. The method according to claim 11, characterized in that determining, according to the transport layer protocol number and the destination port number, that the first data packet is traffic destined for a reflection device comprises:
    determining that a reflective protocol port feature set includes the destination port number and the transport layer protocol number, and that the transport layer protocol number is the User Datagram Protocol (UDP) number or the Transmission Control Protocol (TCP) number, in which case the first data packet is traffic destined for the reflection device.
  13. The method according to claim 11 or 12, characterized in that the information to be authenticated further includes at least one of the source IP address carried in the first data packet, the destination port number, and the transport layer protocol number, and/or at least one of a first port index and a time parameter; the source IP address is the IP address of a source device, the source device is a protected device subjected to the DRDoS attack, and the first port index identifies an application.
  14. The method according to any one of claims 11 to 13, characterized in that the second source port number further includes a first port index.
  15. The method according to any one of claims 11 to 14, characterized in that, before replacing the first source port number with the second source port number, the method further comprises:
    determining that a legitimate flow table includes the 5-tuple of the first data packet, and obtaining from the legitimate flow table the second source port number corresponding to the 5-tuple of the first data packet, where the 5-tuple of the first data packet uniquely identifies a network flow and includes the source IP address, the destination IP address, the transport layer protocol number, the first source port number, and the destination port number.
  16. The method according to claim 15, characterized in that, if the legitimate flow table does not include the 5-tuple of the first data packet, the method further comprises:
    determining whether the legitimate flow table includes the 4-tuple of the first data packet, that is, the 5-tuple without the first source port number;
    if the legitimate flow table does not include the 4-tuple, generating a first port index; and
    if the legitimate flow table includes the 4-tuple, updating the second port index corresponding to the 4-tuple to obtain the first port index.
  17. The method according to any one of claims 1 to 16, characterized in that the reflection device is a Domain Name System device, a Network Time Protocol device, or a Simple Network Management Protocol device.
  18. A data processing apparatus, characterized in that it comprises:
    a receiving unit, configured to receive a first data packet, where the first data packet includes a transport layer protocol number, a first source port number, and a destination port number, and the destination port number includes a first verification code;
    a processing unit, configured to determine, according to the transport layer protocol number and the first source port number, that the first data packet is traffic from a reflection device, where the reflection device is a device that sends a distributed reflection denial of service (DRDoS) attack;
    the processing unit being further configured to obtain a second verification code according to information to be authenticated, where the information to be authenticated includes a source Internet Protocol (IP) address carried in the first data packet, and the source IP address is the IP address of the reflection device; and
    the processing unit being further configured to determine, according to the first verification code and the second verification code, whether the first data packet is legitimate.
  19. The apparatus according to claim 18, characterized in that, when obtaining the second verification code according to the information to be authenticated, the processing unit is specifically configured to:
    generate the second verification code according to a key and the information to be authenticated.
  20. The apparatus according to claim 18, characterized in that, when obtaining the second verification code according to the information to be authenticated, the processing unit is specifically configured to:
    obtain the second verification code associated with the information to be authenticated.
  21. The apparatus according to claim 20, characterized in that the processing unit is further configured to:
    generate the second verification code according to a key and the information to be authenticated; and
    generate a flow table according to the information to be authenticated and the second verification code;
    and obtaining, by the processing unit, the second verification code associated with the information to be authenticated comprises: querying the flow table according to the information to be authenticated to obtain the second verification code associated with it.
  22. The apparatus according to any one of claims 18 to 21, characterized in that the processing unit is specifically configured to:
    determine that a reflective protocol port feature set includes the first source port number and the transport layer protocol number, and that the transport layer protocol number is the User Datagram Protocol (UDP) number or the Transmission Control Protocol (TCP) number, in which case the first data packet is traffic from the reflection device.
  23. The apparatus according to any one of claims 18 to 22, characterized in that the information to be authenticated further includes at least one of the destination IP address carried in the first data packet, the first source port number, and the transport layer protocol number, and/or at least one of a port index and a time parameter; the destination IP address is the IP address of a protected device, the protected device is a device subjected to the DRDoS attack, and the port index identifies an application.
  24. The apparatus according to any one of claims 18 to 23, characterized in that the destination port number further includes a port index.
  25. The apparatus according to any one of claims 18 to 24, characterized in that the apparatus further comprises a sending unit, where, if the first data packet is legitimate,
    the sending unit is configured to forward the first data packet to the protected device.
  26. The apparatus according to any one of claims 18 to 24, characterized in that
    the processing unit is further configured to replace the destination port number with a second source port number to obtain a second data packet; and
    the apparatus further comprises a sending unit, where, if the first data packet is legitimate,
    the sending unit is configured to forward the second data packet to the protected device.
  27. The apparatus according to claim 26, characterized in that
    the processing unit is further configured to determine that a legitimate flow table includes the 5-tuple of the first data packet, and to obtain from the legitimate flow table the second source port number corresponding to the 5-tuple of the first data packet, where the 5-tuple of the first data packet uniquely identifies a network flow and includes the source IP address, the destination IP address, the transport layer protocol number, the first source port number, and the destination port number.
  28. A data processing apparatus, characterized in that it comprises:
    a receiving unit, configured to receive a first data packet, where the first data packet includes a transport layer protocol number, a first source port number, and a destination port number;
    a processing unit, configured to determine, according to the transport layer protocol number and the destination port number, that the first data packet is traffic destined for a reflection device, where the reflection device is a device that sends a distributed reflection denial of service (DRDoS) attack;
    the processing unit being further configured to replace the first source port number with a second source port number to obtain a second data packet, where the second source port number includes a verification code, the verification code is determined according to a key and information to be authenticated, the information to be authenticated includes a destination Internet Protocol (IP) address carried in the first data packet, and the destination IP address is the IP address of the reflection device; and
    a sending unit, configured to send the second data packet.
  29. The apparatus according to claim 28, characterized in that the processing unit is specifically configured to:
    determine that a reflective protocol port feature set includes the destination port number and the transport layer protocol number, and that the transport layer protocol number is the User Datagram Protocol (UDP) number or the Transmission Control Protocol (TCP) number, in which case the first data packet is traffic destined for the reflection device.
  30. The apparatus according to claim 28 or 29, characterized in that the information to be authenticated further includes at least one of the source IP address carried in the first data packet, the destination port number, and the transport layer protocol number, and/or at least one of a first port index and a time parameter; the source IP address is the IP address of a source device, the source device is a protected device subjected to the DRDoS attack, and the first port index identifies an application.
  31. The apparatus according to any one of claims 28 to 30, characterized in that the second source port number further includes a first port index.
  32. The apparatus according to any one of claims 28 to 31, characterized in that
    the processing unit is further configured to determine that a legitimate flow table includes the 5-tuple of the first data packet, and to obtain from the legitimate flow table the second source port number corresponding to the 5-tuple of the first data packet, where the 5-tuple of the first data packet uniquely identifies a network flow and includes the source IP address, the destination IP address, the transport layer protocol number, the first source port number, and the destination port number.
  33. The apparatus according to claim 32, characterized in that, if the legitimate flow table does not include the 5-tuple of the first data packet, the processing unit is further configured to:
    determine whether the legitimate flow table includes the 4-tuple of the first data packet, that is, the 5-tuple without the first source port number;
    if the legitimate flow table does not include the 4-tuple, generate a first port index; and
    if the legitimate flow table includes the 4-tuple, update the second port index corresponding to the 4-tuple to obtain the first port index.
  34. A data processing apparatus, characterized in that it comprises at least one processor, a memory, and a bus, where the memory is configured to store a computer program such that, when the computer program is executed by the at least one processor, it implements the data processing method according to any one of claims 1 to 10 or the data processing method according to any one of claims 11 to 17.
  35. A computer-readable storage medium, characterized in that it comprises computer software instructions;
    when the computer software instructions run on a computer device or on a chip built into the computer device, they cause the computer device to perform the data processing method according to any one of claims 1 to 10 or the data processing method according to any one of claims 11 to 17.
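The two claimed methods, the inbound check of claims 1-10 and the outbound port rewrite of claims 11-17, are two halves of one mechanism and fit in a single short program. What follows is an added example written for this page, not code from the patent or from Huawei. The claims fix neither the keyed function nor the port layout, so HMAC-SHA256 as the key-derived verification code, a 4-bit port index in the high bits and a 12-bit code in the low bits of the 16-bit port, a 60-second time parameter, the reflective port set (UDP 53/123/161 and TCP 53) and `DEMO_KEY` are all assumptions of this example.

```python
"""Example code added for this page, not the patent's or Huawei's implementation.
It sketches claims 1-17: HMAC-SHA256, the 4-bit index / 12-bit code port layout,
the 60 s time window, the reflective port set and DEMO_KEY are all assumptions."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace

UDP, TCP = 17, 6
REFLECTIVE_PORTS = {(UDP, 53), (UDP, 123), (UDP, 161), (TCP, 53)}  # DNS, NTP, SNMP (assumed set)
INDEX_BITS = 4                  # port index in the high 4 bits of the 16-bit port
CODE_BITS = 16 - INDEX_BITS     # truncated MAC in the low 12 bits
TIME_WINDOW = 60                # seconds covered by one time parameter
DEMO_KEY = bytes(range(32))     # constructed demo key; a deployment uses a random secret


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int

    def five_tuple(self):
        return (self.src_ip, self.dst_ip, self.proto, self.src_port, self.dst_port)


def verification_code(key, reflector_ip, protected_ip, reflector_port, proto, port_index, time_param):
    """Truncated HMAC over the information to be authenticated (claims 6 and 13)."""
    msg = (ipaddress.ip_address(reflector_ip).packed + ipaddress.ip_address(protected_ip).packed
           + reflector_port.to_bytes(2, "big") + bytes([proto, port_index]) + time_param.to_bytes(8, "big"))
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "big") & ((1 << CODE_BITS) - 1)


def encode_port(port_index, code):
    """Pack port index and verification code into one port number (claims 7 and 14)."""
    return (port_index << CODE_BITS) | code


def decode_port(port):
    return port >> CODE_BITS, port & ((1 << CODE_BITS) - 1)


class Guard:
    """Sits in front of the protected device: rewrites the source port of requests to
    reflectors and checks the destination port of replies. Entries are never expired
    here; a deployment must age them out, since the code changes with the time parameter."""

    def __init__(self, key):
        self.key = key
        self.legal_flows = {}      # outbound 5-tuple -> second source port
        self.reverse_flows = {}    # expected reply 5-tuple -> original source port
        self.index_by_4tuple = {}  # (src_ip, dst_ip, proto, dst_port) -> last port index

    @staticmethod
    def time_param(now):
        return int(now) // TIME_WINDOW

    def outbound(self, pkt, now):
        """Claims 11-16: returns the packet to send on."""
        if (pkt.proto, pkt.dst_port) not in REFLECTIVE_PORTS:
            return pkt                                   # not addressed to a reflector
        five = pkt.five_tuple()
        if five in self.legal_flows:                     # claim 15: reuse the recorded port
            return replace(pkt, src_port=self.legal_flows[five])
        four = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.dst_port)
        # claim 16: fresh index for a new 4-tuple, next index for a known one
        idx = (self.index_by_4tuple[four] + 1) % (1 << INDEX_BITS) if four in self.index_by_4tuple else 0
        self.index_by_4tuple[four] = idx
        code = verification_code(self.key, pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.proto, idx,
                                 self.time_param(now))
        new_port = encode_port(idx, code)
        self.legal_flows[five] = new_port
        self.reverse_flows[(pkt.dst_ip, pkt.src_ip, pkt.proto, pkt.dst_port, new_port)] = pkt.src_port
        return replace(pkt, src_port=new_port)

    def inbound(self, pkt, now):
        """Claims 1-10: returns the packet to forward to the protected device, or None to drop."""
        if (pkt.proto, pkt.src_port) not in REFLECTIVE_PORTS:
            return pkt                                   # not from a reflector port
        idx, code1 = decode_port(pkt.dst_port)
        t = self.time_param(now)
        # Accept the current and the previous window so a reply that crosses a window
        # boundary is not dropped; this tolerance is a deployment choice, not in the claims.
        for tp in (t, t - 1):
            code2 = verification_code(self.key, pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.proto, idx, tp)
            if hmac.compare_digest(code1.to_bytes(2, "big"), code2.to_bytes(2, "big")):
                break
        else:
            return None                                  # unsolicited reflector traffic: drop
        original = self.reverse_flows.get(pkt.five_tuple())
        if original is None:
            return pkt                                   # claim 8: forward unchanged
        return replace(pkt, dst_port=original)           # claims 9-10: restore the original port
```

Two properties of the design are worth keeping in mind when sizing the fields. A 12-bit code means a reflector-sourced packet addressed to a guessed destination port still passes with probability 1/4096 per packet, so the check reduces the amplification volume reaching the protected device by roughly that factor rather than authenticating each packet outright; the bits spent on the port index come directly out of that margin. And because the code is bound to the time parameter, a stored second source port is only accepted while its window is still within the verifier's tolerance, so both flow tables must be aged out rather than held indefinitely as this example does.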
PCT/CN2021/096986 2020-05-30 2021-05-28 Data processing method and apparatus WO2021244449A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010480846.5A CN113746788A (en) 2020-05-30 2020-05-30 Data processing method and device
CN202010480846.5 2020-05-30

Publications (1)

Publication Number Publication Date
WO2021244449A1 true WO2021244449A1 (en) 2021-12-09

Family

ID=78727760

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/096986 WO2021244449A1 (en) 2020-05-30 2021-05-28 Data processing method and apparatus

Country Status (2)

Country Link
CN (1) CN113746788A (en)
WO (1) WO2021244449A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115379027B (en) * 2022-04-27 2023-08-01 国家计算机网络与信息安全管理中心 DNS message resolution improvement method, device, improvement equipment and storage medium
CN115175177B (en) * 2022-06-16 2024-04-16 烽火通信科技股份有限公司 Message transmission method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103281336A (en) * 2013-06-19 2013-09-04 上海众恒信息产业股份有限公司 Network intrusion detection method
CN104883362A (en) * 2015-05-11 2015-09-02 北京交通大学 Method and device for controlling abnormal access behaviors
US20170257386A1 (en) * 2016-03-02 2017-09-07 Electronics And Telecommunications Research Institute Apparatus and method of detecting distributed reflection denial of service attack based on flow information
CN107786521A (en) * 2016-08-30 2018-03-09 中兴通讯股份有限公司 The method, apparatus and interchanger of defending distributed reflection denial service attack

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114726930A (en) * 2022-03-30 2022-07-08 深信服科技股份有限公司 Data packet tracking method, system, device and readable storage medium
CN116866055A (en) * 2023-07-26 2023-10-10 中科驭数(北京)科技有限公司 Method, device, equipment and medium for defending data flooding attack
CN116866055B (en) * 2023-07-26 2024-02-27 中科驭数(北京)科技有限公司 Method, device, equipment and medium for defending data flooding attack
CN117240599A (en) * 2023-11-07 2023-12-15 国家工业信息安全发展研究中心 Security protection method, device, equipment, network and storage medium
CN117240599B (en) * 2023-11-07 2024-02-20 国家工业信息安全发展研究中心 Security protection method, device, equipment, network and storage medium

Also Published As

Publication number Publication date
CN113746788A (en) 2021-12-03

Similar Documents

Publication Publication Date Title
WO2021244449A1 (en) Data processing method and apparatus
US11570098B2 (en) Systems, apparatuses and methods for cooperating routers
US8224976B2 (en) Using a server's capability profile to establish a connection
CN107409125B (en) Efficient policy enforcement using network tokens for service-user plane approaches
US8499146B2 (en) Method and device for preventing network attacks
US8745723B2 (en) System and method for providing unified transport and security protocols
US8879388B2 (en) Method and system for intrusion detection and prevention based on packet type recognition in a network
US7653938B1 (en) Efficient cookie generator
CN109005175B (en) Network protection method, device, server and storage medium
EP3720100A1 (en) Service request processing method and device
CN108173812A (en) Prevent method, apparatus, storage medium and the equipment of network attack
Cao et al. 0-rtt attack and defense of quic protocol
CN110213224B (en) Data packet asynchronous forwarding method and system, data processing system and consensus node terminal
WO2021032126A1 (en) Data processing method and apparatus
CN113114649B (en) Method, device, equipment and medium for solving denial of service attack
CN111245858A (en) Network flow interception method, system, device, computer equipment and storage medium
US11863535B2 (en) Methods, devices, and systems for secure communications over a network
TW201132055A (en) Routing device and related packet processing circuit
US11218449B2 (en) Communications methods, systems and apparatus for packet policing
EP3073701B1 (en) Network protection entity and method for protecting a communication network against fraud messages
EP2953311B1 (en) Packet identification method and protective device
Malekzadeh et al. Protected control packets to prevent denial of services attacks in IEEE 802.11 wireless networks
US11044197B2 (en) System and method for protecting resources using network devices
WO2023060881A1 (en) Method and apparatus for identifying source address of message
Liu Mitigating Denial-of-Service Flooding Attacks with Source Authentication

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21818679

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21818679

Country of ref document: EP

Kind code of ref document: A1