WO2021244449A1 - Data processing method and apparatus (Procédé et appareil de traitement de données) - Google Patents


Info

Publication number
WO2021244449A1
Authority
WO
WIPO (PCT)
Prior art keywords
data packet
port number
source
address
verification code
Application number
PCT/CN2021/096986
Other languages
English (en)
Chinese (zh)
Inventor
江伟玉
刘冰洋
郑秀丽
王闯
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Publication of WO2021244449A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/166 Implementing security features at a particular protocol layer at the transport layer

Definitions

  • This application relates to the field of communications, and in particular to a data processing method and device.
  • DRDoS Distributed Reflection Denial of Service
  • black hole technology or traffic cleaning technology is usually used to defend against DRDoS attacks.
  • with black hole technology, the network device directs both illegal traffic and legal traffic into the black hole and cannot distinguish between the two.
  • with traffic cleaning technology, it takes a long time to distinguish legal traffic from illegal traffic. Therefore, how to quickly distinguish legitimate traffic from illegal traffic when defending against DRDoS attacks is an urgent problem to be solved.
  • This application provides a data processing method and device, which solves the problem of how to quickly distinguish legitimate traffic from illegal traffic when defending against DRDoS attacks.
  • this application provides a data processing method, which can be applied to a network device, or to a communication device that can support the network device in implementing the method (for example, the communication device includes a chip system). The method includes: after the network device receives the first data packet, it determines according to the transport layer protocol number and the first source port number that the first data packet is traffic from the reflection device, extracts the first verification code from the destination port field, generates a second verification code according to the key and the information to be authenticated, and determines whether the first data packet is legal according to the first verification code and the second verification code. If the first data packet is legal, the network device forwards the first data packet to the protected device.
  • alternatively, the network device replaces the destination port number with the second source port number to obtain the second data packet, and forwards the second data packet to the protected device.
  • if the first data packet is illegal, the first data packet is discarded, so that a large amount of forged attack traffic can be filtered out.
  • the first data packet includes the transport layer protocol number, the first source port number and the destination port number.
  • the reflection device is the device that sends the DRDoS attack traffic.
  • a reflection device is a device capable of being used by an attacker to send DRDoS attack traffic.
  • the reflection device can be a domain name system device, a network time protocol device, or a simple network management protocol device.
  • the information to be authenticated includes the source Internet Protocol (IP) address, and the source IP address is the IP address of the reflection device.
  • IP Internet Protocol
  • the network device may also generate the second verification code in advance based on the key and the information to be authenticated, and save the correspondence between the information to be authenticated and the second verification code. After the network device determines, according to the transport layer protocol number and the first source port number, that the first data packet is a flow from the reflection device, it can look up the table with the information to be authenticated to obtain the associated second verification code.
  • the data processing method provided by the embodiments of the application uses the port field in the transport layer header of the data packet to carry the verification code, so that after a network device receives a data packet from a reflection device it can use the verification code to distinguish legal packets from illegal packets and forward only legitimate packets, which can deal with most reflection-type denial-of-service attacks. Compared with black hole technology, the method ensures that legal traffic is forwarded rather than discarded into the black hole, while the network device still filters most of the DRDoS attack traffic. Compared with traffic cleaning technology, the method reduces the delay in processing legal traffic caused by deep protocol analysis.
  • because a verifiable identifier is embedded in the destination port field, network devices do not need to process application layer data and can filter directly at the transport layer, which reduces the cost of defending against DRDoS attacks and does not rely on cross-domain cooperation.
  • determining that the first data packet is traffic from the reflection device according to the transport layer protocol number and the first source port number includes: determining that the reflection-type protocol port feature set includes the first source port number and the transport layer protocol number, and that the transport layer protocol number is the User Datagram Protocol (UDP) number or the Transmission Control Protocol (TCP) number; the first data packet is then a flow from the reflection device.
  • UDP User Datagram Protocol
  • TCP Transmission Control Protocol
  • the information to be authenticated further includes at least one of the destination IP address, the first source port number, and the transport layer protocol number included in the first data packet.
  • the destination IP address is the IP address of the protected device, and the protected device is the device that is attacked by DRDoS.
  • the information to be authenticated further includes at least one of a port index and a time parameter, and the port index is used to identify an application.
  • the destination port number also includes a port index.
  • before replacing the destination port number with the second source port number, the method further includes: determining that the legal flow table includes the 5-tuple of the first data packet, and obtaining from the legal flow table the second source port number corresponding to that 5-tuple.
  • the quintuple of the first data packet is used to uniquely identify a piece of network traffic.
  • the quintuple of the first data packet includes the source IP address, the destination IP address, the transport layer protocol number, the first source port number and the destination port number.
  • this application provides a data processing method, which can be applied to network equipment, or the method can be applied to a communication device that can support network equipment to implement the method.
  • the communication device includes a chip system, and the method includes: after the network device receives the first data packet, it determines according to the transport layer protocol number and the destination port number that the first data packet is traffic sent to the reflection device, replaces the first source port number with the second source port number to obtain the second data packet, and sends the second data packet.
  • the first data packet includes the transport layer protocol number, the first source port number and the destination port number.
  • the second source port number includes a verification code, the verification code is determined based on the key and the information to be authenticated, the information to be authenticated includes the destination IP address, and the destination IP address is the IP address of the reflection device.
  • the data processing method provided by the embodiments of the present application uses the port field in the transport layer header of the data packet to carry the verification code, so that after the network device receives a data packet from the reflection device, the verification code lets it distinguish legal packets from illegal packets and forward only legitimate packets, which can deal with most reflection-type denial-of-service attacks.
  • determining that the first data packet is traffic sent to the reflection device according to the transport layer protocol number and the destination port number includes: determining that the reflection-type protocol port feature set includes the destination port number and the transport layer protocol number, and that the transport layer protocol number is the UDP number or the TCP number; the first data packet is then a flow sent to the reflection device.
  • the information to be authenticated further includes at least one of the source IP address, the destination port number, and the transport layer protocol number contained in the first data packet, and/or at least one of the first port index and the time parameter.
  • the source IP address is the IP address of the source device, and the source device is a protected device that suffers from a DRDoS attack.
  • the first port index is used to identify an application.
  • the second source port number also includes the first port index.
  • before replacing the first source port number with the second source port number, the method further includes: determining that the legal flow table includes the quintuple of the first data packet, and obtaining from the legal flow table the second source port number corresponding to that quintuple.
  • the quintuple of the first data packet is used to uniquely identify a piece of network traffic.
  • the quintuple of the first data packet includes the source IP address, the destination IP address, the transport layer protocol number, the first source port number and the destination port number.
  • the method further includes: determining whether the legal flow table includes the four-tuple of the first data packet, that is, the quintuple without the first source port number. If the legal flow table does not include that four-tuple, the first port index is generated; if it does, the second port index corresponding to the four-tuple is updated to obtain the first port index.
  • this application provides a data processing method, which can be applied to network equipment, or to a communication device that can support network equipment in implementing the method (for example, the communication device includes a chip system). The method includes: after receiving the first data packet, the network device determines according to the transport layer protocol number and the first source port number that the first data packet is a flow from the reflection device, replaces the destination port number contained in the first data packet with the second source port number to obtain the second data packet, and forwards the second data packet to the protected device.
  • the first data packet includes a transport layer protocol number, a first source port number and a destination port number
  • the destination port number includes a verification code.
  • this application provides a data processing method, which can be applied to network equipment, or the method can be applied to a communication device that can support network equipment to implement the method.
  • the communication device includes a chip system, and the method includes: after receiving the first data packet, the network device extracts the first verification code from the destination port field contained in the first data packet, generates a second verification code according to the key and the information to be authenticated, and determines whether the first data packet is legal according to the first verification code and the second verification code. If the first data packet is legal, the network device forwards the first data packet to the protected device; or, the network device replaces the destination port number with the second source port number to obtain the second data packet and forwards the second data packet to the protected device.
  • the reflection device is a device that sends a DRDoS attack.
  • the information to be authenticated includes the source IP address included in the first data packet, and the source IP address is the IP address of the reflection device.
  • this application provides a data processing method, which can be applied to network equipment, or to a communication device that can support network equipment in implementing the method (for example, the communication device includes a chip system). The method includes: after receiving the first data packet, the network device replaces the first source port number included in the first data packet with the second source port number to obtain the second data packet, and then sends the second data packet.
  • the second source port number includes a verification code
  • the verification code is determined according to the key and the information to be authenticated
  • the information to be authenticated includes the destination IP address included in the first data packet
  • the destination IP address is the IP address of the reflection device.
  • this application provides a data processing method, which can be applied to network equipment, or the method can be applied to a communication device that can support network equipment to implement the method.
  • the communication device includes a chip system, and the method includes: after receiving the first data packet, the network device replaces the destination port number contained in the first data packet with the second source port number to obtain the second data packet, and forwards the second data packet to the protected device.
  • the first data packet includes a transport layer protocol number, a first source port number and a destination port number, and the destination port number includes a verification code.
  • the embodiments of the present application also provide a communication device, and the beneficial effects can be referred to the description of the first aspect and will not be repeated here.
  • the communication device has a function of realizing the behavior in the method example of the first aspect or the fourth aspect.
  • the functions can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the communication device includes: a receiving unit, a processing unit, and a sending unit.
  • the receiving unit is configured to receive a first data packet, where the first data packet includes a transport layer protocol number, a first source port number, and a destination port number, and the destination port number includes a first verification code.
  • the processing unit is configured to determine that the first data packet is a flow from the reflection device according to the transport layer protocol number and the first source port number.
  • the processing unit is further configured to generate a second verification code according to the key and the information to be authenticated.
  • the information to be authenticated includes the source IP address contained in the first data packet, and the source IP address is the IP address of the reflection device.
  • the processing unit is further configured to determine whether the first data packet is legal according to the first verification code and the second verification code.
  • the processing unit is further configured to replace the destination port number with the second source port number to obtain the second data packet.
  • the sending unit is configured to forward the first data packet or the second data packet to the protected device, where the second data packet includes the second source port number.
  • the embodiments of the present application also provide a communication device, and the beneficial effects can be referred to the description of the second aspect and will not be repeated here.
  • the communication device has the function of realizing the behavior in the method example of the second aspect or the fifth aspect described above.
  • the functions can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the communication device includes: a receiving unit, a processing unit, and a sending unit.
  • the receiving unit is configured to receive a first data packet, where the first data packet includes a transport layer protocol number, a first source port number, and a destination port number.
  • the processing unit is configured to determine that the first data packet is a flow sent to the reflection device according to the transport layer protocol number and the destination port number.
  • the processing unit is further configured to replace the first source port number with the second source port number to obtain a second data packet; the second source port number includes a verification code, the verification code is determined according to the key and the information to be authenticated, and the information to be authenticated includes the destination IP address included in the first data packet, where the destination IP address is the IP address of the reflection device.
  • the sending unit is used to send the second data packet.
  • the embodiments of the present application also provide a communication device, and the beneficial effects can be referred to the description of the third aspect and will not be repeated here.
  • the communication device has the function of realizing the behavior in the method example of the third aspect or the sixth aspect.
  • the functions can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the communication device includes: a receiving unit, a processing unit, and a sending unit.
  • the receiving unit is used to receive the first data packet; the processing unit is used to determine that the first data packet is a flow from the reflection device according to the transport layer protocol number and the first source port number; the processing unit is also used to replace the destination port number with the second source port number to obtain the second data packet.
  • the sending unit is used to forward the second data packet to the protected device.
  • the first data packet includes the transport layer protocol number, the first source port number, and the destination port number, and the destination port number includes the first verification code.
  • a communication device may be the network device in the foregoing method embodiment, or a chip set in the network device.
  • the communication device includes an interface circuit, a processor, and optionally, a memory.
  • the memory is used to store a computer program or instruction, and the processor is coupled with the memory and an interface circuit.
  • the processor executes the computer program or instruction
  • the communication device executes the method executed by the network device in the foregoing method embodiment.
  • a computer program product comprising computer program code which, when run, causes the methods of the first to sixth aspects executed by the network device to be performed.
  • the present application provides a chip system, which includes a processor, and is configured to implement the functions of the network device in the methods of the foregoing aspects.
  • the chip system further includes a memory for storing program instructions and/or data.
  • the chip system can be composed of chips, and can also include chips and other discrete devices.
  • the present application provides a computer-readable storage medium that stores a computer program; when the computer program is run, the methods executed by the network device in the first to sixth aspects above are performed.
  • Figure 1 is an example diagram of a DRDoS attack provided by the prior art
  • FIG. 2 is an example diagram of the architecture of a communication system provided by an embodiment of this application.
  • FIG. 3 is a flowchart of a data processing method provided by an embodiment of the application.
  • FIG. 4 is a flowchart of a data processing method provided by an embodiment of the application.
  • FIG. 5 is a schematic diagram of the structure of an IPv4 data packet provided by an embodiment of this application.
  • FIG. 6 is a schematic structural diagram of a source port number provided by an embodiment of this application.
  • FIG. 7 is a flowchart of a data processing method provided by an embodiment of the application.
  • FIG. 8 is a flowchart of a data processing method provided by an embodiment of the application.
  • FIG. 9 is a flowchart of a data processing method provided by an embodiment of the application.
  • FIG. 10 is a flowchart of a data processing method provided by an embodiment of this application.
  • FIG. 11 is a flowchart of a data processing method provided by an embodiment of the application.
  • FIG. 12 is a schematic structural diagram of a data processing device provided by an embodiment of the application.
  • FIG. 13 is a schematic structural diagram of a data processing device provided by an embodiment of the application.
  • the difference between the Distributed Reflection Denial of Service (DRDoS) attack and the Distributed Denial of Service (DDoS) attack is that the attacker does not need to occupy a large number of controlled devices before the attack.
  • the attacker uses very few resources to have the controlled devices send data packets whose source Internet Protocol (IP) address is the IP address of the protected device, so that a large number of responses are directed at the protected device, which successfully attacks it.
  • FIG. 1 is a schematic diagram of the principle of a DRDoS attack provided by an embodiment of the application.
  • Controlled equipment refers to equipment directly controlled by the attacking equipment.
  • once the attacking device knows the IP address of the protected device (such as a server), it can control multiple controlled devices to send data packets with a forged source address to the reflection devices, using the IP address of the protected device, IP_VIC, as the source IP address and the IP address of a reflection device, IP_n, as the destination address; that is, it sends service requests to a large number of distributed reflection devices.
  • after each reflection device receives the service request from a controlled device, it sends a data packet to the protected device that serves to attack it.
  • by sending a small amount of attack request traffic to the distributed, available reflection devices, the attacker has the exploited reflection devices amplify the traffic by dozens or even hundreds of thousands of times and return it to the protected device. The large amount of amplified reflected traffic converges on the protected device, exhausting its resources so that it cannot provide services to normal users, which constitutes a DRDoS attack.
  • the data packets sent by the reflection device to the protected device include not only data packets used to attack the protected device, but may also include legitimate data packets that are not used for the attack, such as a response packet sent by the reflection device in reply to a service request from the protected device, or a request packet actively sent by the reflection device asking the protected device to provide it with a specific service.
  • the so-called protected device can be understood as a device that may be attacked by an attacker.
  • the protected device can be an application server, a router, or a device in the Internet of Things (IoT).
  • IoT Internet of Things
  • the IoT device may be a fire alarm device or the like. If the fire alarm equipment is attacked, it will be unable to detect a fire and raise an alarm, so no alarm message is sent, which poses a serious safety threat.
  • the protected device is an application server as an example.
  • the reflection device is the device that sends the DRDoS attack traffic.
  • a reflection device is a device capable of being used by an attacker to send DRDoS attack traffic.
  • reflection devices include, but are not limited to, Domain Name System (DNS) servers, Network Time Protocol (NTP) servers, Simple Service Discovery Protocol (SSDP) servers, Simple Network Management Protocol (SNMP) servers, Lightweight Directory Access Protocol (LDAP) servers, Chargen servers and Memcached servers.
  • DNS Domain Name System
  • NTP Network Time Protocol
  • SSDP Simple Service Discovery Protocol
  • SNMP Simple Network Management Protocol
  • LDAP Lightweight Directory Access Protocol
  • because DRDoS attacks are low-cost and powerful, they give attackers a large attack capability for very little investment. For example, a Memcached server has a very strong reflection amplification capability (amplifying traffic by tens of thousands of times, around 50 thousand times, with the traffic of a single attack reaching 1.94 Tbps), and both DNS servers and NTP servers can amplify traffic dozens of times. DRDoS is therefore the usual method behind most booter services in the black market.
  • the current solutions give the network device in front of the protected device no way to quickly distinguish reflected attack traffic from legal traffic at the network layer or the transport layer.
  • FIG. 2 shows an example diagram of the architecture of a communication system that can be applied to the embodiments of the present application.
  • the communication system includes at least one terminal 201, the Internet, and a data center.
  • the Internet can be an Internet Service Provider (ISP) network.
  • An ISP can be a telecom operator that provides comprehensive Internet access services, information services, and value-added services to a large number of users.
  • the internet includes at least one network device (for example, network device 202 and network device 203).
  • network devices can be routers, switches, load balancers, or dedicated firewalls.
  • the network device 202 is a network device deployed on a telecommunication operator network close to a data center.
  • the network device 203 is a network device deployed at the exit of the data center.
  • the network device 203 is an egress router of a cloud data center, or it may be a network device on the link between the anti-DDoS (high-defense) center of the cloud data center and the operator's network.
  • the Internet also includes a reflection device 204, which is a device that can easily be used by hackers to send DRDoS attacks.
  • the data center includes at least one application server 205. Multiple application servers can be separate physical devices, the functions of multiple application servers can be integrated on one physical device (for example, multiple application servers administered by one cloud service provider), or some application server functions can be integrated on one physical device.
  • Each application server can run one or more services (such as game services). Services can also be called applications.
  • the terminal 201 is connected to the network device in a wireless or wired manner.
  • the network devices are connected to each other wirelessly or by wire.
  • the network device is connected to the application server 205 in a wireless or wired manner.
  • the terminal can be a fixed location, or it can be movable.
  • FIG. 2 is only a schematic diagram, and the communication system may also include other devices, such as wireless relay devices and wireless backhaul devices, which are not shown in FIG. 2.
  • the embodiments of the present application do not limit the number of terminals, network devices, and application servers included in the communication system.
  • the terminal (Terminal) 201 may also be referred to as a terminal device or a user equipment (user equipment,
  • the terminal 201 may be a mobile phone, a tablet computer (Pad), a computer with a wireless transceiver function, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical surgery, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, and so on.
  • the embodiment of the present application does not limit the specific technology and specific device form adopted by the terminal.
  • the terminal 201 and the application server 205 transmit data by sending data packets.
  • the data packet includes five-tuples.
  • the five-tuple can distinguish different sessions, and the corresponding session is unique.
  • the five-tuple includes source IP address, destination IP address, transport layer protocol number, source port number, and destination port number.
  • a device with an IP address of 192.168.1.1 uses TCP to connect to a device with an IP address of 121.14.88.76 and a port of 80 through port 10000 to transmit data.
  • the protocol number of TCP is 6.
  • the quintuple is 192.168.1.1 10000 6 121.14.88.76 80.
  • transport layer protocol number is the protocol number of TCP or the protocol number of UDP.
  • protocol number of UDP is 17.
  • when a network device (such as network device 203 or network device 202) receives a data packet from the application server 205, it judges from the transport layer protocol and the destination port number whether the data packet is sent to the reflection device 204. If the data packet is sent to the reflection device 204, the second source port number is used to replace the first source port number contained in the data packet, that is, the second source port number replaces the port number that indicates the service the application server 205 is running.
  • the second source port number embeds a verification code. The generation algorithm of the verification code binds header information of the data packet, for example the source IP address and the destination IP address.
  • when a network device such as the network device 203 or the network device 202 receives a data packet sent to the application server 205, it judges from the transport layer protocol and the first source port number whether the data packet is a data packet from the reflection device 204. If it is a data packet from the reflection device 204, the information to be authenticated is extracted from the data packet, the first verification code is extracted from the destination port number, and the second verification code is generated using the key and the information to be authenticated. The second verification code and the first verification code then determine whether the data packet is legal.
  • the information to be authenticated includes source IP address and destination IP address, etc.
  • the second source port number is replaced with the port number of the application server 205.
  • the port number indicates the protocol of the application layer, and can also indicate a certain thread of the application program.
  • the port number is mainly used to indicate the process or thread that processes the data of the upper application.
  • when the network device receives the first data packet sent to the reflection device, it replaces the first source port number contained in the first data packet with the second source port number, and the second source port number that replaces it does not indicate the process or thread that processes the data of the upper-layer application, but indicates information that carries the verification code.
  • the second source port number further includes a port index.
  • the port index is used to distinguish different services and specifically indicates a service, that is, a service supported by the application server 205 and the reflection device 204 to run.
  • the network device extracts the verification code from the destination port number contained in the second data packet to verify whether the second data packet is legal. If the second data packet is legal, the second data packet is forwarded; if the second data packet is illegal, the second data packet is discarded. It should be understood that the second data packet is the response data packet of the first data packet, and the content filled in the destination port field of the second data packet is the content filled in the source port field of the first data packet, that is, the destination port number contained in the second data packet is the same as the second source port number contained in the first data packet.
  • FIG. 3 is a flowchart of a data processing method provided by an embodiment of the application.
  • the network device 203 transmits the data of the first service between the reflection device 204 and the application server 205 as an example for description.
  • the method may include:
  • the application server 205 sends a first data packet to the network device 203, where the first data packet includes a transport layer protocol number, a first source port number, and a first destination port number.
  • the network device 203 receives the first data packet from the application server 205.
  • the transport layer protocol number is UDP number or TCP number.
  • the first source port number indicates the process or thread in the application server 205 that processes the data of the first service.
  • the first destination port number indicates the process or thread in the reflection device 204 that processes the data of the first service.
  • the network device 203 determines, according to the transport layer protocol number and the first destination port number, that the first data packet is traffic sent to the reflection device 204.
  • after receiving the first data packet, the network device 203 extracts the transport layer protocol number and the first destination port number from the header of the first data packet, and determines whether the reflective protocol port feature set includes the first destination port number and the transport layer protocol number, in order to determine whether the first data packet is traffic sent to the reflection device 204.
  • S303 includes the following detailed steps.
  • the network device 203 judges whether the transport layer protocol number is a UDP number or a TCP number.
  • if the network device 203 determines that the transport layer protocol number is a UDP number or a TCP number, S3032 is executed; if the network device 203 determines that the transport layer protocol number is neither a UDP number nor a TCP number, it means that the first data packet is not traffic sent to the reflection device 204, and S306 is executed.
  • the network device 203 determines whether the reflective protocol port feature set includes the first destination port number.
  • if the network device 203 determines that the reflective protocol port feature set includes the first destination port number, it means that the first data packet is traffic sent to the reflection device 204, and S304 is executed; if the network device 203 determines that the reflective protocol port feature set does not include the first destination port number, it means that the first data packet is not traffic sent to the reflection device 204, and S306 is executed.
  • the device indicated by the transport layer protocol number and port number included in the reflection-type protocol port feature set is a device that can send DRDoS attacks.
  • the network device 203 may maintain a protocol port number relationship.
  • the so-called protocol port number relationship may refer to the corresponding relationship between the transport layer protocol and the port number.
  • the protocol port number relationship can be presented in the form of a table.
  • the network device 203 may store a protocol port number relationship table, and the protocol port number relationship table includes at least one correspondence relationship between a transport layer protocol and a port number. For example, as shown in Table 1, the corresponding relationship between the protocol port numbers is presented.
  • Table 1 only shows the storage form of the protocol port number relationship in the storage device in the form of a table, and does not limit the storage form of the protocol port number relationship in the storage device.
  • the protocol port number relationship may also be stored in the storage device in other forms, which is not limited in the embodiment of the present application.
  • the network device 203 replaces the first source port number with the second source port number to obtain the second data packet.
  • the second source port number includes the first verification code. It is understandable that the second source port number is set in the source port field in the first data packet.
  • the second source port number is set in the destination port field in the data packet.
  • in this way, it is convenient for the network device 203 to verify whether the data packet from the reflection device 204 is legal according to the first verification code included in the second source port number. Therefore, the second source port number can be regarded as a verifiable identification, and does not indicate a process or thread for processing the data of the upper-layer application.
  • FIG. 5 shows an example of the structure of an IPv4 data packet.
  • the IPv4 data packet includes a basic header and a data part.
  • the data part can be called payload (payload) or net load.
  • the basic header of IPv4 can also be referred to as the header of IPv4.
  • the IPv4 header can include the following fields in turn: version number, header length, service type, total length of data packet, reassembly identifier, flag, segment offset, time to live, protocol code, header checksum, source IP address, destination IP address and optional options.
  • FIG. 5(b) is a diagram of an example of the structure of a TCP data packet.
  • the TCP data packet is contained in the data part of the IP data packet.
  • the TCP data packet includes the TCP header and the data part of the TCP data packet.
  • the TCP header includes source port (source port), destination port (destination port), sequence number (sequence number), acknowledgment number (acknowledgment number), data offset (header length), reserved (resv), urgent (URG), acknowledgment (ACK), push (PSH), reset (RST), synchronization (SYN), finish (FIN), window (window size), checksum (checksum), urgent pointer (urgent pointer) and options (options).
  • the first source port number included in the first data packet is set in the source port field. After the network device 203 replaces the first source port number with the second source port number, the source port field includes the second source port number.
  • the second source port number also includes the first port index (portindex).
  • the first port index is used to identify the first service run by the application server 205.
  • the second source port number satisfies the following formula (1).
  • SrcLoc' represents the second source port number.
  • PID represents the first port index.
  • code represents the first verification code.
  • the remaining symbol in formula (1) is a connector, which joins the first port index and the first verification code.
  • FIG. 6 is a schematic diagram of the composition of the second source port number in the first data packet provided by this embodiment of the application.
  • the first port index occupies the first 4 bits (bit) in the source port field
  • the first verification code occupies the last 12 bits in the source port field.
  • the first verification code is determined according to the key and the information to be authenticated.
  • the information to be authenticated includes the first destination IP address included in the first data packet, and the first destination IP address is the IP address of the reflection device 204.
  • the information to be authenticated further includes at least one of the first source IP address, the first destination port number, and the transport layer protocol number included in the first data packet.
  • the first source IP address is the IP address of the application server 205, and the application server 205 is a device that suffers from a DRDoS attack.
  • the first verification code is determined based on the key, the first destination IP address, and the first source IP address. It is understandable that the network device 203 uses the key to encrypt the first destination IP address and the first source IP address to obtain the first verification code.
  • the first verification code satisfies the following formula (2).
  • code represents the first verification code.
  • IP_R represents the first destination IP address.
  • IP_S represents the first source IP address.
  • the first verification code is determined based on the key, the first destination IP address, the first source IP address, and the first destination port number. It is understandable that the network device 203 encrypts the first destination IP address, the first source IP address, and the first destination port number by using the key to obtain the first verification code.
  • the first verification code is determined based on the key, the first destination IP address, the first source IP address, the first destination port number, and the transport layer protocol number. It is understandable that the network device 203 uses a key to encrypt the first destination IP address, the first source IP address, the first destination port number, and the transport layer protocol number to obtain the first verification code.
  • the information to be authenticated further includes at least one of the first port index and the time parameter.
  • the time parameter may refer to the moment when the first data packet is received, and the time parameter may be a relatively coarse-grained time unit.
  • the information to be authenticated includes a time parameter
  • the time when the network device 203 receives the data packet from the application server 205 is the same as the time when the data packet from the reflection device 204 is received.
  • the first verification code is determined according to the key, the first destination IP address, the first source IP address, and the first port index. It is understandable that the network device 203 encrypts the first destination IP address, the first source IP address, and the first port index by using the key to obtain the first verification code.
  • the first verification code satisfies the following formula (3).
  • code represents the first verification code.
  • IP_R represents the first destination IP address.
  • IP_S represents the first source IP address.
  • F() represents a cryptographic algorithm.
  • the cryptographic algorithm uses a hash algorithm with a key, for example, a hash-based message authentication code (Hash-based Message Authentication Code, HMAC) related to the key.
  • the cryptographic algorithm is a hash algorithm based on symmetric block ciphers.
  • key represents the key.
  • code may be part of the output of the cryptographic algorithm, for example a 12-bit part of the output of the cryptographic algorithm.
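As an added worked example (not part of the patent text), the following Python builds the second source port number of FIG. 6 and the verification code of formulas (2) and (3), whose exact forms are not reproduced on this page. It assumes F is HMAC-SHA256 truncated to its first 12 bits, that the connector in formula (1) is bit concatenation with the port index in the high 4 bits and the code in the low 12 bits, and that the fields of the information to be authenticated are packed in the order destination IP, source IP, destination port, protocol number, port index, time parameter; `TIME_GRANULARITY` and the key used in any call are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional, Tuple

PORT_INDEX_BITS = 4                 # first port index: first 4 bits of the port field (FIG. 6)
CODE_BITS = 12                      # first verification code: last 12 bits of the port field
CODE_MASK = (1 << CODE_BITS) - 1
TIME_GRANULARITY = 60               # assumed coarse-grained time unit (seconds) for the time parameter


def verification_code(key: bytes, ip_r: str, ip_s: str,
                      dst_port: Optional[int] = None, proto: Optional[int] = None,
                      port_index: Optional[int] = None,
                      received_at: Optional[float] = None) -> int:
    """Assumed F(key, IP_R, IP_S, ...): HMAC-SHA256 over the packed fields, truncated to 12 bits.

    Only the fields that are passed are bound, which covers formula (2) (IP_R, IP_S),
    formula (3) (plus the port index) and the variants that also bind the destination
    port, the transport layer protocol number and a coarse time parameter.
    """
    info = ipaddress.ip_address(ip_r).packed + ipaddress.ip_address(ip_s).packed
    if dst_port is not None:
        info += struct.pack("!H", dst_port)
    if proto is not None:
        info += struct.pack("!B", proto)
    if port_index is not None:
        info += struct.pack("!B", port_index)
    if received_at is not None:
        # Coarse time slot, so request and response received in the same slot bind the same value
        info += struct.pack("!Q", int(received_at) // TIME_GRANULARITY)
    digest = hmac.new(key, info, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "big") & CODE_MASK


def second_source_port(port_index: int, code: int) -> int:
    """Formula (1) as assumed here: SrcLoc' = PID || code, PID in the high 4 bits."""
    if not 1 <= port_index < (1 << PORT_INDEX_BITS):
        # An initial index of 1 keeps the new port above the 0-4096 range of common ports
        raise ValueError("port index must be in 1..15")
    if not 0 <= code <= CODE_MASK:
        raise ValueError("verification code must fit in 12 bits")
    return (port_index << CODE_BITS) | code


def split_port(port: int) -> Tuple[int, int]:
    """Inverse of formula (1): recover (PID, code) from a 16-bit port field value."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port field is 16 bits")
    return port >> CODE_BITS, port & CODE_MASK


if __name__ == "__main__":
    # Example values of the description: reflection device 121.14.88.76, application server 192.168.1.1
    code = verification_code(b"constructed-demo-key", "121.14.88.76", "192.168.1.1", port_index=1)
    print("second source port:", second_source_port(1, code), "splits into", split_port(second_source_port(1, code)))
    print("port 23101 of Table 2 splits into (PID, code) =", split_port(23101))
```

Note that the code is only 12 bits, so the verifier should treat it as a cheap first filter on the transport-layer port field rather than a full MAC; the key is never sent, and the same call on the response side with the mirrored addresses reproduces the value.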
  • the network device 203 may generate the flow table according to the information to be authenticated and the first verification code. It is understandable that the flow table contains multiple entries, and each entry represents the corresponding relationship between a piece of information to be authenticated and a verification code. Therefore, after receiving the data packet, the network device 203 queries the flow table according to the information to be authenticated to obtain the verification code associated with the information to be authenticated, verifies whether the verification code contained in the data packet is the same as the verification code obtained by querying the flow table, and then determines whether the data packet is legal.
  • the network device 203 sends the second data packet to the reflection device 204.
  • the network device 203 forwards the first data packet.
  • before the network device 203 replaces the first source port number with the second source port number, that is, before S304, the network device 203 first obtains the first port index, specifically through the following detailed steps.
  • the network device 203 judges whether the legal flow table includes the quintuple of the first data packet.
  • the network device 203 maintains a service port correspondence for each service.
  • the so-called service port correspondence may refer to the correspondence between the port index, the quintuple corresponding to the port index, and the new source port number.
  • the service port correspondence can be presented in the form of a table.
  • the new source port number is the second source port number, which includes the first verification code.
  • the network device 203 may store a legal flow table, and the legal flow table includes at least one service port correspondence. For example, as shown in Table 2, the corresponding relationship between service ports is presented.
  • serial numbers represent traffic information of different services.
  • the serial number 1 represents the information of flow 1.
  • the serial number 3 represents the information of flow 3.
  • the device with IP address 192.168.1.1 uses port 10000 and uses TCP to connect with the device with IP address 121.14.88.76 and port 80 to transmit data.
  • the protocol number of TCP is 6.
  • the quintuple is 192.168.1.1 10000 6 121.14.88.76 80.
  • the second record, represented by sequence number 2, shows that the device with IP address 192.168.1.1 uses port 5000 to connect through TCP with the device with IP address 121.14.88.76 and port 80 to transmit data.
  • the quintuple is 192.168.1.1 5000 6 121.14.88.76 80.
  • the third record represented by sequence number 3 shows that the device with IP address 192.168.1.1 uses port 3000 and uses TCP to connect with the device with IP address 121.14.88.76 and port 100, and transmit data.
  • the quintuple is 192.168.1.1 3000 6 121.14.88.76 100.
  • the information of flow 1 and the information of flow 2 include the same four-tuple, which means that flow 1 and flow 2 are traffic of different services sent from the same source device to the same destination device.
  • the port index is used to distinguish the traffic of different services.
  • different port indexes can be used to distinguish different flows.
  • the initial value of the port index is 1, so as to prevent the new source port number from falling into the 0-4096 range of commonly used port numbers.
  • Table 2 only shows the storage form of the service port correspondence in the storage device in the form of a table, and does not limit the storage form of the service port correspondence in the storage device.
  • the service port correspondence may also be stored in the storage device in other forms, which is not limited in the embodiment of the present application.
  • if the legal flow table includes the quintuple of the first data packet, it means that the network device 203 has sent data to the reflection device 204 and has stored the quintuple information of the first data packet; go to S308. If the legal flow table does not include the five-tuple of the first data packet, it means that the network device 203 has not sent data to the reflection device 204, and S309 is executed.
  • the five-tuple of the first data packet is used to uniquely identify the network traffic of the first service.
  • the five-tuple of the first data packet includes a first source IP address, a first destination IP address, a transport layer protocol number, a first source port number, and a first destination port number.
  • the network device 203 obtains the second source port number corresponding to the quintuple of the first data packet from the legal flow table.
  • the quintuple of the first data packet includes information about flow 1, and the second source port number is 23101.
  • the network device 203 judges whether the legal flow table includes the quadruple except the first source port number in the first data packet.
  • if the legal flow table does not include the four-tuple of the first data packet excluding the first source port number, it means that the network device 203 has not sent data to the reflection device 204, and S310 is executed; if the legal flow table includes the four-tuple of the first data packet excluding the first source port number, it means that the network device 203 has sent data to the reflection device 204 but has not sent the data of the first service to the reflection device 204, and S311 is executed.
  • the network device 203 generates a first port index.
  • the network device 203 adds a new record in the legal flow table, sets the quintuple of the first data packet, and sets the first port index to 1. Go to S312.
  • the network device 203 updates the second port index corresponding to the quadruple to obtain the first port index.
  • the second port index is used to indicate the data of the non-first service sent by the network device 203 to the reflection device 204.
  • the second port index may be updated to obtain the first port index. For example, the network device 203 adds a new record in the legal flow table, sets the quintuple of the first data packet, and sets the first port index to the second port index plus 1. Go to S312.
  • the network device 203 generates a first verification code according to the key and the information to be authenticated, and generates a second source port number according to the first verification code.
  • after the network device 203 receives the data packet from the reflection device 204, it can verify the legitimacy of the received data packet according to the first verification code, thereby filtering illegal traffic. As shown in FIG. 8; for details, refer to the detailed description of S313 to S318 below.
  • the network device 203 receives a third data packet, where the third data packet includes a transport layer protocol number, a third source port number, and a second destination port number.
  • the network device 203 determines that the third data packet is a flow from the reflection device 204 according to the transport layer protocol number and the third source port number.
  • the source port number indicates the process or thread in which the source device processes the data of the service.
  • the destination port number indicates the process or thread in which the destination device processes the data of the service.
  • the third source port number indicates the process or thread in the reflection device 204 that processes the data of the first service.
  • the network device 203 sends the second data packet to the reflection device 204, the first source port number is replaced with the second source port number.
  • the second source port number is set in the destination port field in the third data packet, that is, the second destination port number can be understood as the second source port number.
  • the second destination port number includes the first verification code.
  • the first verification code is a component of the destination port field included in the third data packet.
  • the second destination port number also includes the first port index.
  • the composition of the second destination port number can be referred to as shown in FIG. 6, where the first port index occupies the first 4 bits in the destination port field, and the first verification code occupies the last 12 bits in the destination port field.
  • after receiving the third data packet, the network device 203 extracts the transport layer protocol number and the third source port number from the header of the third data packet, and determines whether the reflective protocol port feature set includes the third source port number and the transport layer protocol number, in order to determine whether the third data packet is a flow from the reflection device 204.
  • step S314 includes the following detailed steps.
  • the network device 203 judges whether the transport layer protocol number is a UDP number or a TCP number.
  • if the network device 203 determines that the transport layer protocol number is a UDP number or a TCP number, S3142 is executed; if the network device 203 determines that the transport layer protocol number is neither a UDP number nor a TCP number, it means that the third data packet is not a flow from the reflection device 204, and S319 is executed.
  • the network device 203 determines whether the reflective protocol port feature set includes the third source port number.
  • if the network device 203 determines that the reflection-type protocol port feature set includes the third source port number, it means that the third data packet is traffic from the reflection device 204, and the network device 203 obtains the second verification code according to the information to be authenticated, for example by executing S315 or by obtaining the second verification code associated with the information to be authenticated; if the network device 203 determines that the reflective protocol port feature set does not include the third source port number, it means that the third data packet is not traffic from the reflection device 204, and S319 is executed.
  • for the reflection-type protocol port feature set, refer to the description of S302 above, which will not be repeated.
  • the second destination port number indicates the process or thread of the first service run by the application server 205, that is, the application server 205 receives the data of the first service through the port indicated by the second destination port number.
  • the second destination port number includes the first verification code.
  • the second destination port number does not indicate the process or thread of the first service run by the application server 205, but is a verifiable identification used to distinguish legitimate traffic from illegal traffic.
  • the network device 203 generates a second verification code according to the key and the information to be authenticated.
  • the information to be authenticated includes the second source IP address, and the second source IP address is the IP address of the reflection device 204.
  • the information to be authenticated further includes at least one of the second destination IP address, the third source port number, and the transport layer protocol number included in the third data packet.
  • the second destination IP address is the IP address of the application server 205.
  • the information to be authenticated further includes at least one of the first port index and the time parameter.
  • the network device 203 may obtain the first port index from the second destination port number, that is, obtain the first 4 bits of data in the second destination port number, that is, the first port index. Alternatively, the network device 203 may obtain the first port index corresponding to the quintuple of the third data packet from the legal flow table.
  • the method for generating the second verification code is the same as the method for generating the first verification code, so as to ensure that the first verification code and the second verification code are the same.
  • the specific method of generating the second verification code please refer to the description of generating the first verification code in S303, which will not be repeated.
  • the network device 203 generates the second verification code according to the key and the information to be authenticated. It can be understood that the network device 203 receives the third data packet, determines that the third data packet is a flow from the reflection device 204, and then generates the second verification code in real time.
  • the sequence of the steps of the data processing method provided in the embodiments of the present application can be appropriately adjusted.
  • the network device 203 pre-generates the second verification code according to the key and the information to be authenticated, and saves the correspondence between the information to be authenticated and the second verification code.
  • the information to be authenticated is, for example, a five-tuple, and the network device 203 pre-stores the relationship between the five-tuple and the second verification code.
  • after the network device 203 receives the third data packet and determines that the third data packet is a flow from the reflection device 204, the network device 203 can obtain the second verification code associated with the information to be authenticated according to the information to be authenticated. For example, the network device 203 may store the association relationship between the information to be authenticated and the second verification code in the form of a table. After obtaining the information to be authenticated, the network device 203 checks the flow table according to the information to be authenticated, and obtains the second verification code associated with the information to be authenticated.
  • if the network device 203 has not stored the information to be authenticated, the flow table does not contain an entry for the information to be authenticated, and when the network device 203 searches the flow table according to the information to be authenticated, the second verification code associated with the information to be authenticated cannot be obtained. Therefore, the network device 203 considers that the third data packet is an illegal data packet from the reflection device 204, and discards the third data packet.
  • the table form only indicates the storage form of the association relationship between the information to be authenticated and the second verification code in the storage device, and does not limit that storage form; of course, the association relationship between the information to be authenticated and the second verification code may also be stored in the storage device in other forms, which is not limited in the embodiment of the present application.
  • the network device 203 determines whether the third data packet is legal according to the first verification code and the second verification code.
  • the network device 203 may obtain the first verification code from the second destination port number, that is, obtain the last 12 bits of data in the second destination port number, that is, the first verification code.
  • the network device 203 may compare the first verification code and the second verification code; if the first verification code and the second verification code are the same, it determines that the third data packet is legal, and if the first verification code and the second verification code are different, it determines that the third data packet is illegal.
  • if the third data packet is an illegal data packet from the reflection device 204, the second destination port number does not include the first verification code, or the first verification code it carries was not obtained by the reflection device 204 by receiving the second data packet from the network device 203 and may have been created by the attacker.
  • the second verification code generated by the network device 203 is different from the first verification code, so that most illegal traffic is filtered by verifying the value of the destination port field of the transport layer.
  • the network device 203 replaces the second destination port number with the first source port number to obtain the fourth data packet.
  • the network device 203 replaces the second source port number with the first source port number to obtain the fourth data packet.
  • the IP address of the reflection device 204 is 121.14.88.76
  • the IP address of the application server 205 is 192.168.1.1
  • the port for the application server 205 to send and receive the data of the first service is 10000
  • the port on which the reflection device 204 sends and receives the data of the first service is 80.
  • the first source IP address is 192.168.1.1
  • the first destination IP address is 121.14.88.76
  • the transport layer protocol is TCP and the first source port number is 10000
  • the first destination port number is 80.
  • after the first source port number 10000 is replaced, the source port field holds the second source port number 23101, and the result is the second data packet.
  • the second source IP address is the IP address of the reflection device 204, which is 121.14.88.76
  • the second destination IP address is the IP address of the application server 205, which is 192.168.1.1
  • the transport layer protocol is TCP, and the second source port number is 80, the port from which the reflection device 204 sends the data of the first service
  • the second destination port number is the second source port number, that is, 23101.
  • the network device 203 forwards the fourth data packet to the application server 205.
  • the network device 203 forwards the third data packet.
  • before the network device 203 replaces the second source port number with the first source port number (S317), it first obtains the first source port number, in the following detailed steps.
  • the network device 203 determines that the legal flow table includes the quintuple of the third data packet, and obtains the first source port number corresponding to the quintuple of the third data packet from the legal flow table.
  • the network device 203 sends the second data packet to the reflection device 204, the five-tuple information for the data exchange of the first service between the reflection device 204 and the application server 205 has been generated in the legal flow table.
  • that record also includes the first port index and the second source port number that replaced the first source port number, so the network device 203 can obtain the corresponding first source port number from the quintuple of the first data packet.
  • the second source IP address in the third data packet is the first destination IP address in the first data packet, and the second source IP address corresponds to the destination IP recorded in the legal flow table.
  • the second destination IP address in the third data packet is the first source IP address in the first data packet, and the second destination IP address corresponds to the source IP recorded in the legal flow table.
  • the transport layer protocol number in the third data packet and the transport layer protocol number in the first data packet both correspond to the transport layer protocol number recorded in the legal flow table.
  • the third source port number in the third data packet is the first destination port number in the first data packet, and the third source port number corresponds to the destination port number recorded in the legal flow table.
  • the second destination port number in the third data packet is the second source port number after replacing the first source port number in the first data packet, and the second destination port number corresponds to the new source port number recorded in the legal flow table.
  • the network device 203 can therefore use the five-tuple of the third data packet, that is, the second source IP address, the second destination IP address, the transport layer protocol number, the third source port number and the second destination port number, to look up the legal flow table, obtain the first source port number recorded for that quintuple, and replace the second destination port number in the third data packet with that first source port number to obtain the fourth data packet.
  • FIG. 11 is a flowchart of a data processing method provided by an embodiment of the present application.
  • the data of the first service is transmitted between the reflection device 204 and the application server 205; the network device 203 replaces the source port number in data packets from the application server 205, and the network device 202 verifies data packets sent to the application server 205. This division of work is used as an example for description.
  • the method may include:
  • the application server 205 sends a first data packet to the network device 203, where the first data packet includes a transport layer protocol number, a first source port number, and a first destination port number.
  • the network device 203 receives the first data packet from the application server 205.
  • the network device 203 determines that the first data packet is a traffic sent to the reflection device 204 according to the transport layer protocol number and the first destination port number.
  • the network device 203 replaces the first source port number with the second source port number to obtain the second data packet.
  • the network device 203 sends a second data packet to the reflection device 204.
  • the network device 202 receives a third data packet.
  • the third data packet includes a transport layer protocol number, a third source port number, and a second destination port number, and the second destination port number includes the first verification code.
  • the network device 202 determines that the third data packet is a flow from the reflection device 204 according to the transport layer protocol number and the third source port number.
  • the network device 202 generates a second verification code according to the key and the information to be authenticated.
  • the network device 203 shares the key used to generate the first verification code with the network device 202, so that the network device 202 generates the second verification code according to the shared key and the information to be authenticated.
  • the network device 203 shares the correspondence between the information to be authenticated and the second verification code with the network device 202, so that the network device 202 obtains the second verification code associated with the information to be authenticated according to the shared information to be authenticated.
  • the network device 202 may look up a table according to the information to be authenticated, and obtain the second verification code associated with the information to be authenticated.
  • the network device 202 determines whether the third data packet is legal according to the first verification code and the second verification code.
  • the network device 202 forwards the third data packet.
  • the network device 203 receives the third data packet.
  • the network device 203 determines that the third data packet is a flow from the reflection device 204 according to the transport layer protocol number and the third source port number.
  • the network device 203 determines that the legal flow table includes the quintuple of the third data packet, and obtains the first source port number corresponding to the quintuple of the third data packet from the legal flow table.
  • the network device 203 replaces the second destination port number with the first source port number to obtain the fourth data packet.
  • the network device 203 forwards the fourth data packet to the application server 205.
  • the data processing method provided in the embodiments of the present application uses the port field of the transport layer header to carry a verifiable mark. After a network device receives a data packet from the reflection device, it verifies that mark, distinguishes legitimate data packets from illegal ones, and forwards only legitimate data packets, which defends against most reflection-type denial of service attacks.
  • the data processing method provided in the embodiments of the present application ensures that legal traffic is forwarded rather than discarded into a black hole, while the network device filters most of the DRDoS attack traffic.
  • the data processing method provided in the embodiments of the present application can reduce the delay in processing legal traffic that deep protocol analysis would cause.
  • since the verifiable identifier is embedded in the destination port field, the network device does not need to process application layer data and can filter directly at the transport layer, which reduces the cost of defending against DRDoS attacks and does not rely on cross-domain cooperation.
  • the network device includes hardware structures and/or software modules corresponding to each function.
  • the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a certain function is executed by hardware or computer software-driven hardware depends on the specific application scenarios and design constraints of the technical solution.
  • FIG. 12 and FIG. 13 are schematic structural diagrams of possible data processing apparatuses provided by embodiments of this application. These data processing apparatuses can be used to implement the functions of the network equipment in the foregoing method embodiments, and therefore can also achieve the beneficial effects of the foregoing method embodiments.
  • the data processing apparatus may be the network device 202 or the network device 203 as shown in FIG. 2, and may also be a module (such as a chip) applied to the network device.
  • the data processing device 1200 includes a receiving unit 1210, a processing unit 1220, and a sending unit 1230.
  • the data processing apparatus 1200 is used to implement the function of the network device in the method embodiment shown in FIG. 3, FIG. 4, FIG. 7, FIG. 8, FIG. 9, FIG. 10, or FIG. 11.
  • the receiving unit 1210 is used to perform S302; the processing unit 1220 is used to perform S303 and S304; and the sending unit 1230 is used to perform S305.
  • the receiving unit 1210 is used to perform S302; the processing unit 1220 is used to perform S3031, S3032, and S304; and the sending unit 1230 is used to perform S305 and S306.
  • the receiving unit 1210 is used to perform S302; the processing unit 1220 is used to perform S3031, S3032, S304, and S307 to S312; and the sending unit 1230 is used to perform S305 and S306.
  • the receiving unit 1210 is used to perform S302 and S313; the processing unit 1220 is used to perform S3031, S3032, S304, S307 to S312, and S314 to S317; and the sending unit 1230 is used to perform S305, S306, and S318.
  • the receiving unit 1210 is used to perform S302 and S313; the processing unit 1220 is used to perform S3031, S3032, S304, S307 to S312, S3141, and S3142 to S317; and the sending unit 1230 is used to perform S305, S306, S318, and S319.
  • the receiving unit 1210 is used to perform S302 and S313;
  • the processing unit 1220 is used to perform S3031, S3032, S304, S307 to S312, S3141, S3142 to S317, and S320;
  • the sending unit 1230 is used to execute S305, S306, S318, and S319.
  • the receiving unit 1210 is used to execute S1102 and S1111; the processing unit 1220 is used to execute S1103, S1104, S1112, S1113, and S1114;
  • the sending unit 1230 is used to execute S1105 and S1115.
  • the receiving unit 1210 is used to perform S1106; the processing unit 1220 is used to perform S1107 to S1109; and the sending unit 1230 is used to perform S1110.
  • the data processing device 1300 includes a processor 1310 and an interface circuit 1320.
  • the processor 1310 and the interface circuit 1320 are coupled with each other.
  • the interface circuit 1320 may be a transceiver or an input/output interface.
  • the data processing apparatus 1300 may further include a memory 1330 for storing instructions executed by the processor 1310 or storing input data required by the processor 1310 to run the instructions or storing data generated after the processor 1310 runs the instructions.
  • when the data processing device 1300 is used to implement the method shown in FIG. 3, FIG. 4, FIG. 7, FIG. 8, FIG. 9, FIG. 10 or FIG. 11, the processor 1310 performs the functions of the processing unit 1220 described above, and the interface circuit 1320 performs the functions of the receiving unit 1210 and the sending unit 1230 described above.
  • the processor in the embodiments of the present application may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof.
  • the general-purpose processor may be a microprocessor or any conventional processor.
  • the method steps in the embodiments of the present application can be implemented by hardware, and can also be implemented by a processor executing software instructions.
  • software instructions can be composed of corresponding software modules, which can be stored in random access memory (RAM), flash memory, read-only memory (ROM), programmable ROM (PROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), a register, a hard disk, a removable hard disk, a CD-ROM, or any other form of storage medium well known in the art.
  • An exemplary storage medium is coupled to the processor, so that the processor can read information from the storage medium and can write information to the storage medium.
  • the storage medium may also be an integral part of the processor.
  • the processor and the storage medium may be located in the ASIC.
  • the ASIC can be located in a network device or a terminal device.
  • the processor and the storage medium may also exist as discrete components in the network device or the terminal device.
  • the computer program product includes one or more computer programs or instructions.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, network equipment, user equipment, or other programmable devices.
  • the computer program or instruction may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • the computer program or instruction may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired or wireless means.
  • the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server or a data center that integrates one or more available media.
  • the usable medium may be a magnetic medium, such as a floppy disk, a hard disk or a magnetic tape; an optical medium, such as a digital video disc (DVD); or a semiconductor medium, such as a solid state drive (SSD).
  • “at least one” refers to one or more, and “multiple” refers to two or more.
  • “And/or” describes the association relationship of the associated object, indicating that there can be three relationships, for example, A and/or B, which can mean: A alone exists, A and B exist at the same time, and B exists alone, where A, B can be singular or plural.
  • the character "/" generally indicates that the associated objects before and after it are in an "or" relationship; in the formulas of this application, the character "/" indicates that the associated objects before and after it are in a "division" relationship.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

A data processing method and apparatus are disclosed, relating to the field of communications and solving the problem of quickly distinguishing legitimate traffic from illegitimate traffic when defending against a DRDoS attack. The method comprises the following steps: after receiving a first data packet from a reflection device, a network device determines that the first data packet is traffic from the reflection device according to a transport layer protocol number and a first source port number, the first data packet comprising a destination port number, and the destination port number being a third source port number with which a second source port number was replaced when the network device sent a data packet to the reflection device; extracting a verification code from the destination port number and verifying the verification code; if the third data packet passes verification, indicating that the third data packet is legitimate, replacing the destination port number with the second source port number and sending a fourth data packet; and if the third data packet fails verification, indicating that the third data packet is illegitimate, discarding the third data packet. As a result, a large quantity of forged attack traffic can be filtered.
PCT/CN2021/096986 2020-05-30 2021-05-28 Data processing method and apparatus WO2021244449A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010480846.5A CN113746788A (zh) 2020-05-30 2020-05-30 Data processing method and apparatus
CN202010480846.5 2020-05-30

Publications (1)

Publication Number Publication Date
WO2021244449A1 (fr) 2021-12-09

Family

ID=78727760

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/096986 WO2021244449A1 (fr) 2020-05-30 2021-05-28 Data processing method and apparatus

Country Status (2)

Country Link
CN (1) CN113746788A (fr)
WO (1) WO2021244449A1 (fr)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114726930A (zh) * 2022-03-30 2022-07-08 深信服科技股份有限公司 Data packet tracking method, system, apparatus and readable storage medium
CN116866055A (zh) * 2023-07-26 2023-10-10 中科驭数(北京)科技有限公司 Method, apparatus, device and medium for defending against data flooding attacks
CN116866055B (zh) * 2023-07-26 2024-02-27 中科驭数(北京)科技有限公司 Method, apparatus, device and medium for defending against data flooding attacks
CN117240599A (zh) * 2023-11-07 2023-12-15 国家工业信息安全发展研究中心 Security protection method, apparatus, device, network and storage medium
CN117240599B (zh) * 2023-11-07 2024-02-20 国家工业信息安全发展研究中心 Security protection method, apparatus, device, network and storage medium

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115379027B (zh) * 2022-04-27 2023-08-01 国家计算机网络与信息安全管理中心 Improved DNS message parsing method, apparatus, device and storage medium
CN115175177B (zh) * 2022-06-16 2024-04-16 烽火通信科技股份有限公司 Message transmission method and apparatus

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103281336A (zh) * 2013-06-19 2013-09-04 上海众恒信息产业股份有限公司 Network intrusion detection method
CN104883362A (zh) * 2015-05-11 2015-09-02 北京交通大学 Abnormal access behavior control method and apparatus
US20170257386A1 (en) * 2016-03-02 2017-09-07 Electronics And Telecommunications Research Institute Apparatus and method of detecting distributed reflection denial of service attack based on flow information
CN107786521A (zh) * 2016-08-30 2018-03-09 中兴通讯股份有限公司 Method, apparatus and switch for defending against distributed reflection denial of service attacks

Also Published As

Publication number Publication date
CN113746788A (zh) 2021-12-03

Legal Events

Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application (ref document number 21818679, country of ref document EP, kind code A1)
NENP Non-entry into the national phase (ref country code DE)
122 EP: PCT application non-entry in European phase (ref document number 21818679, country of ref document EP, kind code A1)