CN106131036B - Processing method, device and terminal for a CC attack - Google Patents

Publication number: CN106131036B
Application number: CN201610586483.7A
Authority: CN (China)
Legal status: Active
Other versions: CN106131036A
Other languages: Chinese (zh)
Prior art keywords: attack, data packet, syn, sent, packet
Inventor: 刘京洋
Current assignee: Guangzhou Huaduo Network Technology Co Ltd
Original assignee: Guangzhou Huaduo Network Technology Co Ltd
Application filed by Guangzhou Huaduo Network Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Abstract

This application discloses a processing method, device and terminal for a CC attack. The method comprises: after receiving a first SYN packet sent by a CC attack end to a destination host, sending a second SYN packet to the CC attack end; receiving the SYN/ACK packet the CC attack end sends in response to the second SYN packet; and discarding, and no longer responding to, any packet the CC attack end sends, so that the CC attack the CC attack end directs at the destination host rebounds onto the CC attack end itself. Implementing the application effectively defends the destination host against the CC attack end while consuming the socket resources of the CC attack end, and so effectively suppresses the CC attack the CC attack end initiates.

Description

Processing method, device and terminal for a CC attack
Technical field
This application relates to the field of network communication technology, and in particular to a processing method, device and terminal for a CC attack.
Background technique
With the continuous development of network technology, the number of user terminals and application servers accessing the network keeps growing; at the same time, as network attacks spread, more and more network applications face increasingly serious security threats. Page-based DDoS attacks (CC attacks) are becoming a principal means of network attack, and their harm is growing.
A CC attack is generally initiated by an attacker, such as a proxy server or some other controlled system, that opens a large number of HTTP connections to the destination host. To defend against a CC attack, the client sending the request can be subjected to confirmation-code verification: if the requesting client is operated by a natural person, a confirmation page is pushed to the client; a natural person can clearly recognise the confirmation code on the page and enter it correctly, and is then allowed to access the protected destination host. If the client is an attacker, for example a proxy or a trojan, then since current technology does not let an attacker recognise the confirmation code quickly and correctly, the attacker can hardly pass the verification and therefore cannot actually access the destination host.
Although the CC attack defense method above can, to some extent, defend the destination host against the harm of a CC attack, it has no effect on the client initiating the CC attack, so it is difficult to effectively suppress the client's initiation of CC attacks.
Summary of the invention
This application provides a processing method, device and terminal for a CC attack, to solve the problem that existing CC attack defense methods have difficulty effectively suppressing the initiation of CC attacks by a client.
According to a first aspect of the embodiments of this application, a processing method for a CC attack is provided, comprising the following steps:
after receiving a first SYN packet sent by a CC attack end to a destination host, sending a second SYN packet to the CC attack end;
receiving the SYN/ACK packet sent by the CC attack end in response to the second SYN packet;
discarding, and no longer responding to, any packet sent by the CC attack end, so that the CC attack sent by the CC attack end to the destination host rebounds onto the CC attack end.
In one embodiment, the method further includes:
when the first SYN packet is received, starting a preset timer, the timing length of the preset timer being less than or equal to the retransmission timeout duration of the CC attack end for the first SYN packet;
the step of sending the second SYN packet to the CC attack end is executed after the preset timer expires.
In one embodiment, the method further includes:
after receiving a first SYN packet sent by a client to the destination host, requesting a CC attack verifying side to perform CC attack verification on the client;
receiving the verification result returned by the CC attack verifying side;
if the verification result indicates that the client did not pass the CC attack verification, determining that the client is a CC attack end;
the step of sending the second SYN packet to the CC attack end is executed after the client is determined to be a CC attack end.
In one embodiment, the method further includes:
requesting a hook to intercept the first SYN packet sent by the CC attack end to the destination host, the hook being installed on the agent side of the destination host;
receiving the first SYN packet sent by the hook;
the step of sending the second SYN packet to the CC attack end is executed after the first SYN packet sent by the hook is received.
In one embodiment, after the second SYN packet is sent to the CC attack end, the method further includes:
receiving a response packet sent by the CC attack end;
if the response packet is a SYN/ACK packet, no longer responding to any packet sent by the CC attack end, so that the CC attack sent by the CC attack end to the destination host rebounds onto the CC attack end;
if the response packet is an ACK packet forged by the CC attack end, requesting a traffic cleaning side to start cleaning the packets sent by the CC attack end.
In one embodiment, if the response packet is an ACK packet forged by the CC attack end, the method further includes:
sending to the CC attack end a spoofed packet responding to the first SYN packet.
According to a second aspect of the embodiments of this application, a processing device for a CC attack is provided, comprising:
a packet sending module, for sending a second SYN packet to the CC attack end after a first SYN packet sent by the CC attack end to a destination host is received;
a packet receiving module, for receiving the SYN/ACK packet sent by the CC attack end in response to the second SYN packet;
an attack processing module, for discarding and no longer responding to any packet sent by the CC attack end, so that the CC attack sent by the CC attack end to the destination host rebounds onto the CC attack end.
In one embodiment, the device further includes:
a timing module, for starting a preset timer when the first SYN packet is received, the timing length of the preset timer being less than or equal to the retransmission timeout duration of the CC attack end for the first SYN packet;
the packet sending module is further used to send the second SYN packet to the CC attack end after the preset timer of the timing module expires.
In one embodiment, the device further includes:
an attack verification request module, for requesting a CC attack verifying side to perform CC attack verification on a client after a first SYN packet sent by the client to the destination host is received;
a verification result receiving module, for receiving the verification result returned by the CC attack verifying side;
an attacking side determining module, for determining that the client is a CC attack end when the verification result indicates that the client did not pass the CC attack verification;
the packet sending module is further used to send the second SYN packet to the CC attack end after the attacking side determining module determines that the client is a CC attack end.
In one embodiment, the device further includes:
an interception request module, for requesting a hook to intercept the first SYN packet sent by the CC attack end to the destination host, the hook being installed on the agent side of the destination host;
an interception result receiving module, for receiving the first SYN packet sent by the hook;
the packet sending module is further used to send the second SYN packet to the CC attack end after the interception result receiving module receives the first SYN packet sent by the hook.
In one embodiment, the device further includes:
a response packet receiving module, for receiving a response packet sent by the CC attack end;
an attack processing submodule, for no longer responding to any packet sent by the CC attack end when the response packet is a SYN/ACK packet, so that the CC attack sent by the CC attack end to the destination host rebounds onto the CC attack end;
a cleaning request module, for requesting a traffic cleaning side to start cleaning the packets sent by the CC attack end when the response packet is an ACK packet forged by the CC attack end.
In one embodiment, the device further includes:
a spoofed response module, for sending to the CC attack end a spoofed packet responding to the first SYN packet when the response packet is an ACK packet forged by the CC attack end.
According to a third aspect of the embodiments of this application, a terminal is provided, characterized by comprising:
a processor;
a memory for storing instructions executable by the processor;
wherein the processor is configured to:
after receiving a first SYN packet sent by a CC attack end to a destination host, send a second SYN packet to the CC attack end;
receive the SYN/ACK packet sent by the CC attack end in response to the second SYN packet;
discard, and no longer respond to, any packet sent by the CC attack end, so that the CC attack sent by the CC attack end to the destination host rebounds onto the CC attack end.
With the embodiments of this application, after a first SYN packet sent by a CC attack end to a destination host is received, a second SYN packet is sent to the CC attack end; after the SYN/ACK packet the CC attack end sends in response to the second SYN packet is received, any packet sent by the CC attack end is discarded and no longer responded to. This causes the CC attack end, having sent SYN/ACK in response to the second SYN packet, to enter the SYN_RCVD state and, after it closes the socket, to pass successively through the FIN_WAIT_1, FIN_WAIT_2 and TIME_WAIT states. In these states the socket resources of the CC attack end remain occupied, and the packets the CC attack end sends to the destination host all rebound onto the CC attack end itself, consuming its own socket resources until it no longer has enough resources to carry out the CC attack. Therefore, while effectively defending the destination host against the CC attack end, the socket resources of the CC attack end are consumed, and the CC attack it initiates is effectively suppressed.
It should be understood that the general description above and the detailed description below are exemplary and explanatory only and do not limit the application.
Description of the drawings
The accompanying drawings are incorporated into and form part of this specification; they show embodiments consistent with the application and, together with the specification, serve to explain its principles.
Fig. 1 is a schematic diagram of an application scenario in which an embodiment of this application implements CC attack processing;
Fig. 2 is the state transition graph of a TCP connection in an embodiment of the CC attack processing method of this application;
Fig. 3 is a flow chart of one embodiment of the CC attack processing method of this application;
Fig. 4 is a flow chart of another embodiment of the CC attack processing method of this application;
Fig. 5 is a hardware structure diagram of a terminal hosting the CC attack processing device of this application;
Fig. 6 is a block diagram of one embodiment of the CC attack processing device of this application;
Fig. 7 is a block diagram of another embodiment of the CC attack processing device of this application.
Detailed description
Exemplary embodiments are described in detail here, and examples of them are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this application; rather, they are merely examples of devices and methods consistent with some aspects of the application as detailed in the appended claims.
The terminology used in this application is for the purpose of describing particular embodiments only and is not intended to limit the application. The singular forms "a", "said" and "the" used in this application and the appended claims are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It will be appreciated that although the terms first, second, third, etc. may be used in this application to describe various pieces of information, the information should not be limited by these terms, which serve only to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used herein may be construed as "when", "upon" or "in response to determining".
Referring to Fig. 1, Fig. 1 is a schematic diagram of an application scenario in which an embodiment of this application implements CC attack processing.
The scenario shown in Fig. 1 includes a client 120, the terminal on which client 120 is installed, and a server 140 acting as the destination host. The terminal is connected to server 140 over a wireless or wired network, and information is transmitted and exchanged between them over that connection. The terminal may be at least one of a smart phone, desktop computer, notebook, personal digital assistant, tablet computer or similar terminal device. It is to be understood that the destination host of this embodiment is described using a server only as an example; it may also be an intelligent terminal such as a PC (Personal Computer) or a tablet computer.
Server 140 runs a server side that provides various services to client 120 over the network, such as FTP (File Transfer Protocol), game ports, chat rooms, web forums and so on. Before the server side can provide a service to client 120, client 120 must establish a link between its terminal and server 140. This link is normally a TCP link established on the basis of the TCP protocol, whose state transitions are shown in Fig. 2; establishing a TCP link is commonly called a three-way handshake, and tearing it down a four-way handshake.
The state transition process of the TCP link shown in Fig. 2 is briefly described as follows:
First, the thick line in Fig. 2, i.e. the state transitions of client 120: in the CLOSED state, client 120 initiates a link to destination server 140 by sending a SYN k packet to server 140, i.e. client 120 calls the connect function, and then enters the SYN_SENT state. If client 120 then times out waiting for server 140 to return an ACK packet for the SYN k packet, it re-enters the CLOSED state. If client 120 receives in time the ACK packet returned by server 140 together with the server's own SYN j packet (i.e. the returned SYN/ACK packet), client 120 first sends back to server 140 an ACK packet answering the SYN j packet and then enters the ESTABLISHED state, meaning that client 120 and server 140 are successfully connected. In this state client 120 communicates normally with server 140.
When communication ends, client 120 sends a FIN packet to server 140, i.e. client 120 calls the close function, and then enters the FIN_WAIT_1 state, waiting for server 140 to return an ACK packet answering the FIN packet. After receiving the ACK packet returned by server 140, client 120 enters the FIN_WAIT_2 state. Because communication is bidirectional, server 140 also sends a FIN packet to client 120 (that is, server 140 also calls the close function); client 120 then sends back to server 140 an ACK packet answering that FIN packet and enters the TIME_WAIT state. After the TIME_WAIT state has lasted 2MSL (MSL being the maximum segment lifetime), client 120 enters the CLOSED state and the socket (a two-way communication connection through which two programs on a network exchange data; each end of the connection is called a socket) is formally closed. A TIME_WAIT state lasting 2MSL is inserted between FIN_WAIT_2 and CLOSED for two purposes: 1) to ensure that the TCP full-duplex connection is terminated; for example, if client 120 in the FIN_WAIT_2 state closed immediately after sending its ACK packet and that ACK packet were lost, server 140 could never receive the ACK packet answering its FIN packet and could not close; 2) to ensure that all packets generated by the last link have disappeared before the next link is established, so that they do not affect the next link.
Second, the dotted line in Fig. 2, i.e. the state transitions of server 140: server 140 is in the LISTEN state, i.e. server 140 has called the listen and accept functions. When server 140 receives the connection request sent by client 120, i.e. the SYN k packet, it returns to client 120 its own synchronisation packet SYN j together with an ACK k+1 packet answering the client's SYN k packet (that is, it replies with a SYN/ACK packet). Server 140 then enters the SYN_RCVD state and waits for client 120 to return the ACK j+1 confirmation packet. If this ACK packet is received, server 140 enters the ESTABLISHED state; if it is not received, the server may retransmit (the figure does not show the state of server 140 when client 120 goes down after the SYN j, ACK k+1 packet has been sent; there is generally a retransmission mechanism). The socket closing process of server 140 differs somewhat from that of client 120, because server 140 is closed passively: server 140 receives the FIN packet sent by client 120, returns to client 120 an ACK packet confirming the FIN packet, and enters the CLOSE_WAIT state. In this state, after server 140 has finished processing the data in its socket, it likewise sends a FIN packet to client 120, i.e. calls the close function, and enters the LAST_ACK state; after receiving the ACK packet from client 120 it enters the final CLOSED state.
Finally, the thin line in Fig. 2 represents the TCP state transitions when client 120 and server 140 open simultaneously or close simultaneously. A simultaneous open means that right after client 120 has sent a SYN packet, server 140 also sends a SYN packet to the same port of client 120; a simultaneous close means that right after client 120 has sent a FIN packet, server 140 also sends a FIN packet to the same port of client 120. Both situations almost never occur in practice; they typically occur only between two servers, because both parties must know the other's port number.
RST in Fig. 2 is another way of closing a link; the application should be able to judge the authenticity of an RST packet, i.e. whether it is an abort.
When client 120 initiates a CC attack against server 140, the CC attack processing method of this embodiment uses the simultaneous-open state between client 120 and server 140, based on the TCP state transitions described above: after receiving the first SYN packet sent by client 120 to server 140, it sends a second SYN packet to client 120, and after receiving the SYN/ACK packet replied by client 120, it no longer answers any packet from client 120. This causes client 120, having sent SYN/ACK in response to the second SYN packet, to enter the SYN_RCVD state and, after it closes the socket, to pass successively through the FIN_WAIT_1, FIN_WAIT_2 and TIME_WAIT states. Client 120 thereafter behaves as if it were server 140 itself: all of its link requests (SYN packets) for server 140 rebound onto itself, consuming its own socket resources. Therefore, while effectively defending server 140 against the CC attack by client 120, the socket resources of client 120 are consumed, and the CC attack initiated by client 120 is effectively suppressed.
The CC attack processing method of this embodiment can run directly on server 140, or on an agent side in front of server 140, such as nginx (a high-performance HTTP and reverse proxy server). The embodiments of this application are described in detail below with reference to Fig. 1 and Fig. 2.
It is one embodiment flow chart of the processing method of the application CC attack referring to Fig. 3, Fig. 3, includes the following steps 301-303:
Step 301: after receiving the first SYN data packet that CC attack end is sent to destination host, Xiang Suoshu CC attacks end Send the 2nd SYN data packet.
Refering to Fig. 2 it is found that SYN (synchronous) is that TCP/IP establishes the handshake used when connection, in client When establishing normal TCP network connection between server, client issues a SYN data packet first, and server uses SYN With ack msg packet (SYN/ACK data packet) response, expression has received this SYN data packet, and last client is again with ACK number It is responded according to packet.Reliable TCP connection can just be set up between clients and servers in this way, data information just can be in client It is transmitted between end and server.But end is attacked as CC in client, when initiating CC attack to server, ssyn attack is most Common and be easiest to a kind of attacking ways being utilized, using Transmission Control Protocol defect, client is forged in a short time is not deposited largely IP address, constantly send a large amount of first SYN data packet to server, the first SYN data packet is the data packet forged, If server replys confirmation data packet, and waits the confirmation of client, since source address is not present, server needs continuous Repeating transmission confirmation packet until time-out, these the first SYN data packets forged will occupy not connected queue, normal SYN for a long time Data packet is dropped, and slowly, serious person causes network blockage even systemic breakdown to the corresponding goal systems operation of server.
After the first SYN data packet for receiving the client transmission for initiating CC attack in order to avoid server, confirmation is replied Data packet simultaneously waits the confirmation for initiating the client of CC attack, leads to the corresponding goal systems operation of server slowly, or even draw Network blockage even systemic breakdown is played, can not be returned after receiving the first SYN data packet that the client for initiating CC attack is sent Data packet is confirmed again, but sends the 2nd SYN data packet to the client (i.e. CC attacks end) that CC is attacked is initiated, and is equal to The client and server for initiating CC attack are in the state that opens simultaneously, and the client that CC attack is initiated in induction is replied to second The confirmation data packet of SYN data packet, and wait to be confirmed.
The 2nd SYN data packet of the embodiment of the present application is sent to the client for initiating CC attack, does not influence to initiate The client of normal linking request can priori after receiving the first SYN data packet that client is sent to the destination host Whether the client that card sends the first SYN data packet carries out CC attack to destination host, if so, sending described the to client again One SYN data packet.
In certain application scenarios, the processing method of the CC attack of the embodiment of the present application is applied to the agency of destination host End when whether the client that verifying sends the first SYN data packet carries out CC attack to destination host, can request CC attack verifying side CC attack verifying is carried out to the client, the verification result that CC attack end returns then is received, if the verification result Indicate that the client does not pass through the CC attack verifying, it is determined that the client is that CC attacks end, by described to the CC The step of attack end sends the 2nd SYN data packet is determining that the client is to execute after CC attacks end.If the verification result Indicate that the client has passed through the CC attack verifying, it is determined that the client is not CC attack end, is continued described in transmission First SYN data packet is to the destination host.
When practical application, side is verified in above-mentioned attack, be can be and is verified equipment with the associated CC attack of destination host, can be CC attack authentication module in destination host can also be CC attack authentication module in flow cleaning equipment, therefore in this Shen Please embodiment need to the client carry out CC attack verifying when, the agent side of destination host can call directly in destination host CC attack authentication module CC attack verifying is carried out to the client, alternatively, requesting CC attack verifying equipment or described Flow cleaning equipment carries out CC attack verifying to the client.
For the processing method of the CC attack of the above-mentioned agent side applied to destination host, if CC attacks end to destination host Send the first SYN data packet, do not need agent side forwarding, then the embodiment of the present application can request agency end installation hook cut The first SYN data packet that CC attack end is sent to the destination host is obtained, the first SYN that the hook is sent is received Then data packet sends the 2nd SYN data packet to CC attack end.
In some examples, after the attack end CC sends the first SYN data packet to destination host, if being received not in preset period of time To response data packet, it can be delayed and retransmit the first SYN data packet, CC attacks the operating system at end, retransmission time and repeating transmission time Number is different, for example, windows system can be retransmitted 3 times, first time retransmission time is 3s, if the 3s after sending the first SYN data packet Response data packet is not received inside, then retransmits the first SYN data packet for the first time, and second of retransmission time is 6s, third time Retransmission time is 12s, and overtime return after retransmitting three times, time-out time is 21s;Linux system is generally retransmitted 5 times, for the first time Retransmission time is 2s, and second of retransmission time is 4s, and third time retransmission time is 8s, and the 4th time retransmission time is 16s, the 5th time Retransmission time is 32s, and overtime return after five repeating transmission, time-out time is 62s.
In order to exhaust the socket resource at CC attack end, CC can be made to attack, and end is as much as possible to carry out delay repeating transmission, therefore, The processing method of the CC attack of the embodiment of the present application starts preset timer, institute when receiving the first SYN data packet The timing length for stating preset timer is less than or equal to the overtime duration that the first SYN data packet is retransmitted at CC attack end, by institute The step of stating to CC attack end the 2nd SYN data packet of transmission executes after the preset timer time-out.The CC attack The overtime duration that the first SYN data packet is retransmitted at end is determined by the operating system at CC attack end, can be above-mentioned 21s or 62s.
By the starting of above-mentioned timer, the embodiment of the present application postpones the transmission of the 2nd SYN data packet, and CC attack end is made to exist SYN_SENT state carries out repeatedly delay and retransmits the first SYN data packet, consumes the sokcet resource of itself.For example, for multi-thread The CC of journey is attacked, transmission of the embodiment of the present application by the 2nd SYN data packet of start delay of timer, each company of maximizing The delay connect all blocks all threads, so that it may quickly reduce the frequency that client sends cc attack;It is asynchronous for using The CC of connection is attacked, and the embodiment of the present application can be delayed each by the transmission of the 2nd SYN data packet of start delay of timer Number is established in a link, in this way, the TCP resource of client will largely be in SYN_SENT, SYN_RCVD and FIN_WAIT_ 1 state, until break the bank.
Step 302: receive the SYN/ACK packet sent by the CC attack end in response to the second SYN packet.
In this embodiment, once the SYN/ACK packet sent by the CC attack end is received, the CC attack end has been successfully induced into the SYN_RCVD state; after the CC attack end closes its socket, it enters the FIN_WAIT_1, FIN_WAIT_2 and TIME_WAIT states in turn. The subsequent behaviour of the CC attack end is thus made to look as if it were the destination host itself: every connection request (packet) it directs at the destination host is rebounded onto itself, consuming its own socket resources.
Step 303: abandon and stop responding to any packet sent by the CC attack end, so that the CC attack the CC attack end sends to the destination host rebounds onto the CC attack end.
In this embodiment, after the SYN/ACK packet from the CC attack end has been received for the first time, that is, once the CC attack end has been successfully induced into the SYN_RCVD state, and in order to prolong as far as possible the time the CC attack end spends in each TCP state, any packet sent by the CC attack end is discarded and no longer responded to: no request from the CC attack end is answered and no data is returned. For example, if the first SYN packet from the CC attack end is received again, no SYN/ACK packet is returned; if the SYN/ACK packet from the CC attack end is received again, no ACK packet is returned either.
After the CC attack end has been induced to enter the SYN_RCVD state by responding to the second SYN packet with a SYN/ACK packet, it may close the socket to avoid data returned by the destination host blocking its own bandwidth, or it may close the socket on timeout after receiving no reply to its packets for a long time. After closing the socket it enters the FIN_WAIT_1, FIN_WAIT_2 and TIME_WAIT states in turn; in these states the socket resources of the CC attack end remain occupied, and the packets the CC attack end sends to the destination host all rebound onto itself, consuming the CC attack end's own socket resources until it no longer has enough resources to send the CC attack. Thus the harm of the CC attack end to the destination host is effectively defended against while the socket resources of the CC attack end are consumed, which effectively suppresses the CC attacks launched by the CC attack end, avoids the bandwidth consumption on the destination host side that the CC attack would cause, and in turn reduces the operating cost of the destination host side.
In addition, for a CC attack end that launches malicious high-frequency CC attacks, this embodiment can rebound the packets the CC attack end sends to the destination host onto itself more efficiently, without consuming the resources of the destination host or of the proxy of the destination host, and so consume the CC attack end's own socket resources more quickly.
As can be seen from the above embodiments, this embodiment can rebound the CC attack sent by the CC attack end to the destination host onto the CC attack end, provided the CC attack end can be induced to respond to the second SYN packet with a SYN/ACK packet and so enter the SYN_RCVD state. In certain application scenarios, however, the CC attack end (a client using the attack software dossim) bypasses the protocol stack and uses forged packets to complete the three-way handshake needed to establish a TCP link; it cannot correctly respond to the second SYN packet of the above embodiment and so will not be induced into the SYN_RCVD state. A CC attack launched by the CC attack end in such a scenario can be identified directly and cleaned. Refer to Fig. 4 for details; Fig. 4 is a flowchart of another embodiment of the CC attack processing method of this application and includes the following steps 401-404:
Step 401: after receiving the first SYN packet sent by the CC attack end to the destination host, send the second SYN packet to the CC attack end.
The implementation of this step is the same as that of step 301 in the above embodiment.
Step 402: receive the response packet sent by the CC attack end.
In this embodiment, if the CC attack launched by the CC attack end does not bypass the protocol stack, the response packet may be a SYN/ACK packet; if the CC attack launched by the CC attack end has bypassed the protocol stack, the response packet may be a forged ACK packet.
Step 403: if the response packet is a SYN/ACK packet, stop responding to any packet sent by the CC attack end, so that the CC attack sent by the CC attack end to the destination host rebounds onto the CC attack end.
Step 404: if the response packet is an ACK packet forged by the CC attack end, request the traffic cleaning side to clean the packets sent by the CC attack end.
In this embodiment, the forged ACK packet does not conform to the protocol standard of the protocol stack; the CC attack end uses it to complete the three-way handshake needed to establish a TCP link.
The traffic cleaning side above may be a traffic cleaning device associated with the destination host, or a traffic cleaning module in the destination host. Therefore, when this embodiment needs the traffic cleaning side to clean the packets sent by the CC attack end, the proxy of the destination host may directly call the traffic cleaning module in the destination host to clean the packets sent by the client, or may forward the packets sent by the CC attack end to the traffic cleaning device associated with the destination host for cleaning.
In addition, to prevent the CC attack end from becoming aware that it has been identified, this embodiment may, when the response packet is an ACK packet forged by the CC attack end, send the CC attack end a forged packet that responds to the first SYN packet, so completing a disguised response.
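Steps 402 to 404 reduce to one decision on the packet that comes back after the second SYN. The following is an added example, not code from the patent or its applicant, that makes that decision from a raw 20-byte TCP header: a SYN/ACK whose acknowledgement number matches the proxy's second SYN means the peer's stack moved to SYN_RCVD (rebound it, step 403); a bare ACK cannot be a legitimate handshake completion, because the proxy never answered the first SYN with a SYN/ACK, so it is treated as forged and handed to the cleaning side (step 404). It also builds the disguised SYN/ACK reply to the first SYN mentioned in the last paragraph. The header layout and flag bits are standard TCP; the acknowledgement-number check, the sample packets and the function names are this example's own assumptions.

```python
"""Added example (not from the patent): classifying the response to the
proxy's second SYN (steps 402-404) from a raw TCP header. Sample packets are
constructed below; the decision rule and names are this example's own."""
import struct

# Fixed TCP header: src, dst, seq, ack, data offset, flags, window, csum, urg.
TCP_HDR = "!HHIIBBHHH"
FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_ACK = 0x01, 0x02, 0x04, 0x10
SEQ_MASK = 0xFFFFFFFF


def parse_tcp(header):
    """Decode the 20-byte TCP header into the fields the decision needs."""
    src, dst, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack(
        TCP_HDR, header[:20])
    return {"src": src, "dst": dst, "seq": seq, "ack": ack, "flags": flags}


def build_tcp(src, dst, seq, ack, flags):
    """Construct a header for the sample packets (checksum left at zero)."""
    return struct.pack(TCP_HDR, src, dst, seq, ack, 5 << 4, flags, 65535, 0, 0)


def classify_response(header, second_syn_seq):
    """Decide the proxy's action for a packet received after its second SYN.

    second_syn_seq is the sequence number the proxy used in the second SYN; a
    conforming stack that entered SYN_RCVD answers SYN+ACK with
    ack == second_syn_seq + 1.
      "rebound": SYN/ACK from the peer's stack: stop answering it (step 403)
                 so its own connections pile up on itself.
      "clean":   bare ACK: no SYN/ACK was ever sent for the first SYN, so no
                 conforming stack can be completing a handshake; treat it as
                 forged (step 404) and hand the peer's traffic to cleaning.
      "other":   RST, data, or a SYN/ACK that does not match our second SYN.
    """
    p = parse_tcp(header)
    syn, ack, rst = (bool(p["flags"] & f) for f in (FLAG_SYN, FLAG_ACK, FLAG_RST))
    if syn and ack and p["ack"] == (second_syn_seq + 1) & SEQ_MASK:
        return "rebound"
    if ack and not syn and not rst:
        return "clean"
    return "other"


def camouflage_reply(first_syn_header, proxy_seq):
    """Disguised response from the text: answer the attacker's first SYN with
    a SYN/ACK so that it cannot tell it has been identified. Ports and the
    ack number are taken from the attacker's own SYN as in a normal handshake."""
    p = parse_tcp(first_syn_header)
    return build_tcp(p["dst"], p["src"], proxy_seq,
                     (p["seq"] + 1) & SEQ_MASK, FLAG_SYN | FLAG_ACK)


# Constructed sample traffic: attacker source port 40000, destination port 80.
PROXY_SECOND_SYN_SEQ = 1000
ATTACKER_FIRST_SYN = build_tcp(40000, 80, 5000, 0, FLAG_SYN)
# A stack that accepted the second SYN (now in SYN_RCVD) answers like this:
STACK_SYNACK = build_tcp(40000, 80, 7000, PROXY_SECOND_SYN_SEQ + 1,
                         FLAG_SYN | FLAG_ACK)
# A client bypassing its stack claims the handshake is done with a bare ACK:
FORGED_ACK = build_tcp(40000, 80, 5001, 12345, FLAG_ACK)

if __name__ == "__main__":
    print(classify_response(STACK_SYNACK, PROXY_SECOND_SYN_SEQ))   # rebound
    print(classify_response(FORGED_ACK, PROXY_SECOND_SYN_SEQ))     # clean
    print(parse_tcp(camouflage_reply(ATTACKER_FIRST_SYN, 9999)))
```

The acknowledgement-number check matters: a SYN/ACK that does not acknowledge the proxy's own second SYN is classified as "other" rather than "rebound", so a stray or replayed SYN/ACK does not switch the peer into the stop-responding state.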
As can be seen from the above embodiments: the application both can attack end to target master to the CC for using protocol stack to initiate CC attack The data packet that machine is sent all rebounds to its own, and the socket resource at consumption CC attack end itself there is not CC attack end There are enough resources to send CC attack.Therefore can be while harm of the effectively attack end defence CC to destination host, consumption CC is attacked The CC attack hit the socket resource at end, and then CC attack end can effectively be inhibited to initiate.The application can also be cleaned directly and be bypassed The CC attack that protocol stack is initiated judges the validity for the request that CC attack end is initiated without application layer, can save significantly on target master The cpu resource of machine.
Corresponding to the foregoing embodiments of the CC attack processing method, the present application also provides embodiments of a CC attack processing apparatus.
The embodiments of the CC attack processing apparatus of this application can be applied on a terminal. The apparatus embodiments may be implemented by software, or by hardware or a combination of software and hardware. Taking a software implementation as an example, the apparatus in the logical sense is formed by the processor of the terminal on which it runs reading the corresponding computer program instructions from non-volatile memory into memory and executing them. At the hardware level, Fig. 5 is a hardware structure diagram of a terminal on which the CC attack processing apparatus of this application is located; in addition to the processor 510, network interface 520, memory 530 and non-volatile memory 540 shown in Fig. 5, the terminal on which the apparatus is located may include other hardware according to the actual function of the terminal, which is not described here again.
Referring to Fig. 6, Fig. 6 is a block diagram of an embodiment of the CC attack processing apparatus of this application; the apparatus may include a packet sending module 610, a packet receiving module 620 and an attack processing module 630.
The packet sending module 610 is configured to send the second SYN packet to the CC attack end after receiving the first SYN packet sent by the CC attack end to the destination host.
The packet receiving module 620 is configured to receive the SYN/ACK packet sent by the CC attack end in response to the second SYN packet.
The attack processing module 630 is configured to abandon and stop responding to any packet sent by the CC attack end, so that the CC attack sent by the CC attack end to the destination host rebounds onto the CC attack end.
In an optional implementation, the apparatus further includes (not shown in Fig. 6):
a timing module, configured to start a preset timer when the first SYN packet is received, the timing length of the preset timer being less than or equal to the timeout duration within which the CC attack end retransmits the first SYN packet.
The packet sending module 610 is further configured to send the second SYN packet to the CC attack end after the preset timer of the timing module expires.
In another optional implementation, the apparatus further includes (not shown in Fig. 6):
an attack verification request module, configured to request the CC attack verification side to perform CC attack verification on the client after receiving the first SYN packet sent by the client to the destination host;
a verification result receiving module, configured to receive the verification result returned by the CC attack end;
an attacker determining module, configured to determine that the client is a CC attack end when the verification result indicates that the client has not passed the CC attack verification.
The packet sending module 610 is further configured to send the second SYN packet to the CC attack end after the attacker determining module determines that the client is a CC attack end.
In another optional implementation, the apparatus further includes (not shown in Fig. 6):
an interception request module, configured to request a hook to intercept the first SYN packet sent by the CC attack end to the destination host, the hook being installed on the proxy of the destination host;
an interception result receiving module, configured to receive the first SYN packet sent by the hook.
The packet sending module 610 is further configured to send the second SYN packet to the CC attack end after the interception result receiving module receives the first SYN packet sent by the hook.
Referring to Fig. 7, Fig. 7 is a block diagram of another embodiment of the CC attack processing apparatus of this application; the apparatus may include a packet sending module 710, a response packet receiving module 720, an attack processing submodule 730 and a cleaning request module 740.
The packet sending module 710 is configured to send the second SYN packet to the CC attack end after receiving the first SYN packet sent by the CC attack end to the destination host.
The response packet receiving module 720 is configured to receive the response packet sent by the CC attack end.
The attack processing submodule 730 is configured to stop responding to any packet sent by the CC attack end when the response packet is a SYN/ACK packet, so that the CC attack sent by the CC attack end to the destination host rebounds onto the CC attack end.
The cleaning request module 740 is configured to request the traffic cleaning side to clean the packets sent by the CC attack end when the response packet is an ACK packet forged by the CC attack end.
In an optional implementation, the apparatus further includes (not shown in Fig. 7):
a forged response module, configured to send the CC attack end a forged packet responding to the first SYN packet when the response packet is an ACK packet forged by the CC attack end.
The functions of the modules in the apparatus and the processes by which they take effect are detailed in the implementation of the corresponding steps of the above method and are not described here again.
Since the apparatus embodiments essentially correspond to the method embodiments, reference may be made to the relevant parts of the description of the method embodiments. The apparatus embodiments described above are merely illustrative: the modules described as separate units may or may not be physically separate, and the components shown as modules may or may not be physical modules; they may be located in one place or distributed over multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this application.
Those of ordinary skill in the art can understand and implement the above without creative effort. Other embodiments of this application will readily occur to those skilled in the art after considering the specification and practising the invention disclosed here. This application is intended to cover any variations, uses or adaptations of this application that follow its general principles and include common knowledge or conventional techniques in the art not disclosed by this application. The specification and examples are to be regarded as illustrative only; the true scope and spirit of this application are indicated by the following claims.
It should be understood that this application is not limited to the precise structure described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of this application is limited only by the appended claims.

Claims (13)

1. A CC attack processing method, comprising the following steps:
after receiving a first SYN packet sent by a CC attack end to a destination host, sending a second SYN packet to the CC attack end, the second SYN packet being used to induce the CC attack end to enter the SYN_RCVD state;
receiving a SYN/ACK packet sent by the CC attack end in response to the second SYN packet;
after receiving the SYN/ACK packet, abandoning and stopping responding to any packet sent by the CC attack end, so that after the CC attack end closes its socket it enters the FIN_WAIT_1, FIN_WAIT_2 and TIME_WAIT states in turn, and the CC attack it sends to the destination host rebounds onto the CC attack end.
2. The method according to claim 1, wherein the method further comprises:
starting a preset timer when the first SYN packet is received, the timing length of the preset timer being less than or equal to the timeout duration within which the CC attack end retransmits the first SYN packet;
the step of sending the second SYN packet to the CC attack end being executed after the preset timer expires.
3. The method according to claim 1, wherein the method further comprises:
after receiving the first SYN packet sent by a client to the destination host, requesting a CC attack verification side to perform CC attack verification on the client;
receiving the verification result returned by the CC attack end;
if the verification result indicates that the client has not passed the CC attack verification, determining that the client is the CC attack end;
the step of sending the second SYN packet to the CC attack end being executed after the client is determined to be the CC attack end.
4. The method according to claim 1, wherein the method further comprises:
requesting a hook to intercept the first SYN packet sent by the CC attack end to the destination host, the hook being installed on the proxy of the destination host;
receiving the first SYN packet sent by the hook;
the step of sending the second SYN packet to the CC attack end being executed after the first SYN packet sent by the hook is received.
5. The method according to any one of claims 1 to 4, wherein after sending the second SYN packet to the CC attack end the method further comprises:
receiving a response packet sent by the CC attack end;
if the response packet is a SYN/ACK packet, stopping responding to any packet sent by the CC attack end, so that the CC attack sent by the CC attack end to the destination host rebounds onto the CC attack end;
if the response packet is an ACK packet forged by the CC attack end, requesting a traffic cleaning side to clean the packets sent by the CC attack end.
6. The method according to claim 5, wherein if the response packet is an ACK packet forged by the CC attack end, the method further comprises:
sending the CC attack end a forged packet responding to the first SYN packet.
7. A CC attack processing apparatus, comprising:
a packet sending module, configured to send a second SYN packet to a CC attack end after receiving a first SYN packet sent by the CC attack end to a destination host, the second SYN packet being used to induce the CC attack end to enter the SYN_RCVD state;
a packet receiving module, configured to receive a SYN/ACK packet sent by the CC attack end in response to the second SYN packet;
an attack processing module, configured to abandon and stop responding to any packet sent by the CC attack end after the SYN/ACK packet is received, so that after the CC attack end closes its socket it enters the FIN_WAIT_1, FIN_WAIT_2 and TIME_WAIT states in turn, and the CC attack it sends to the destination host rebounds onto the CC attack end.
8. The apparatus according to claim 7, wherein the apparatus further comprises:
a timing module, configured to start a preset timer when the first SYN packet is received, the timing length of the preset timer being less than or equal to the timeout duration within which the CC attack end retransmits the first SYN packet;
the packet sending module being further configured to send the second SYN packet to the CC attack end after the preset timer of the timing module expires.
9. The apparatus according to claim 7, wherein the apparatus further comprises:
an attack verification request module, configured to request a CC attack verification side to perform CC attack verification on a client after receiving the first SYN packet sent by the client to the destination host;
a verification result receiving module, configured to receive the verification result returned by the CC attack end;
an attacker determining module, configured to determine that the client is the CC attack end when the verification result indicates that the client has not passed the CC attack verification;
the packet sending module being further configured to send the second SYN packet to the CC attack end after the attacker determining module determines that the client is the CC attack end.
10. The apparatus according to claim 7, wherein the apparatus further comprises:
an interception request module, configured to request a hook to intercept the first SYN packet sent by the CC attack end to the destination host, the hook being installed on the proxy of the destination host;
an interception result receiving module, configured to receive the first SYN packet sent by the hook;
the packet sending module being further configured to send the second SYN packet to the CC attack end after the interception result receiving module receives the first SYN packet sent by the hook.
11. The apparatus according to any one of claims 7 to 10, wherein the apparatus further comprises:
a response packet receiving module, configured to receive a response packet sent by the CC attack end;
an attack processing submodule, configured to stop responding to any packet sent by the CC attack end when the response packet is a SYN/ACK packet, so that the CC attack sent by the CC attack end to the destination host rebounds onto the CC attack end;
a cleaning request module, configured to request a traffic cleaning side to clean the packets sent by the CC attack end when the response packet is an ACK packet forged by the CC attack end.
12. The apparatus according to claim 11, wherein the apparatus further comprises:
a forged response module, configured to send the CC attack end a forged packet responding to the first SYN packet when the response packet is an ACK packet forged by the CC attack end.
13. A terminal, comprising:
a processor;
a memory for storing instructions executable by the processor;
wherein the processor is configured to:
after receiving a first SYN packet sent by a CC attack end to a destination host, send a second SYN packet to the CC attack end, the second SYN packet being used to induce the CC attack end to enter the SYN_RCVD state;
receive a SYN/ACK packet sent by the CC attack end in response to the second SYN packet;
after receiving the SYN/ACK packet, abandon and stop responding to any packet sent by the CC attack end, so that after the CC attack end closes its socket it enters the FIN_WAIT_1, FIN_WAIT_2 and TIME_WAIT states in turn, and the CC attack it sends to the destination host rebounds onto the CC attack end.
Application CN201610586483.7A, priority date 2016-07-22, filing date 2016-07-22: Processing method, device and the terminal of CC attack. Status: Active.

Publications: CN106131036A (application, published 2016-11-16); CN106131036B (grant, published 2019-05-07). Family ID 57290576. Country: CN.

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110336815B (en) * 2019-07-04 2024-06-07 深圳前海微众银行股份有限公司 Block chain-based attack defense method, device, equipment and readable storage medium
CN111431942B (en) * 2020-06-10 2020-09-15 杭州圆石网络安全技术有限公司 CC attack detection method and device and network equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1630248A (en) * 2003-12-19 2005-06-22 北京航空航天大学 SYN flooding attack defence method based on connection request authentication
CN101175013A (en) * 2006-11-03 2008-05-07 飞塔信息科技(北京)有限公司 Method, network system and proxy server for preventing denial of service attack
CN102413105A (en) * 2010-09-25 2012-04-11 杭州华三通信技术有限公司 Method and device for preventing attack of challenge collapsar (CC)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1251446C (en) * 2002-07-18 2006-04-12 华为技术有限公司 Method of defending network transmission control protocol sync message from overflowing attack
US9197650B2 (en) * 2013-03-14 2015-11-24 Cisco Technology, Inc. Proxy that switches from light-weight monitor mode to full proxy



Legal Events

Code Description
C06 / PB01 Publication
C10 / SE01 Entry into substantive examination
GR01 Patent grant