CN107547503B - Session table item processing method and device, firewall equipment and storage medium - Google Patents


Info

Publication number: CN107547503B
Application number: CN201710439697.6A
Authority: CN (China)
Other versions: CN107547503A (en)
Other languages: Chinese (zh)
Inventor: 易勇平
Assignee (original and current): New H3C Security Technologies Co Ltd
Legal status: Active
Prior art keywords: session table, address, session, entry, source
Classification: Data Exchanges In Wide-Area Networks; Computer And Data Communications

Abstract

The embodiments of this application provide a method and a device for processing session table entries, applied to firewall equipment. The method comprises the following steps: every first time interval, detecting whether the session table entries contain a first session table entry whose time difference (in absolute value) exceeds a first threshold, the time difference being the difference between the current time and the receiving time of the last message that matched the session table entry; if such a first session table entry exists, judging whether the connection corresponding to it is illegal; if the connection is illegal, detecting whether the number of forward messages matched with the first session table entry is larger than a second threshold; and if that number is not larger than the second threshold, deleting the first session table entry. By applying the embodiments, the memory occupied by session table entries corresponding to illegal connections can be quickly released, reducing the impact on service processing efficiency.

Description

Session table item processing method and device, firewall equipment and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for processing a session entry, a firewall device, and a storage medium.
Background
A Flood attack is an attack mode that exploits a defect of TCP (Transmission Control Protocol) by sending a large number of forged TCP connection requests (such as SYN (synchronization) messages and ACK (acknowledgement) messages) in order to exhaust the resources of the attacked party.
The networking shown in fig. 1 comprises a client 100, a firewall device 200 and a server 300; the client 100 needs to establish a connection with the server 300 before communicating with it. Specifically, connection establishment comprises the following steps: 1. the client 100 sends a SYN message to the server 300 through the firewall device 200 based on TCP; 2. after receiving the SYN message, the server 300 sends a SYN/ACK message to the client 100 through the firewall device 200; 3. after receiving the SYN/ACK message, the client 100 sends an ACK message to the server 300 through the firewall device 200; 4. after the server 300 receives the ACK packet, the connection between the client 100 and the server 300 is established.
The message sent by the client 100 to the server 300 is referred to as a forward message, such as the SYN message and the ACK message; the message sent by server 300 to client 100 is referred to as a reverse message, such as the SYN/ACK message described above.
In practical applications, after receiving the SYN packet or the ACK packet, the firewall device 200 establishes a session entry containing the source IP (Internet Protocol) address of the received packet; the session entry corresponds to the connection, and when a packet matching the session entry is received, the firewall device 200 sends it to the client 100 or the server 300 over that connection. Because of this principle, when the network is under a Flood attack (e.g., a SYN Flood attack, i.e., synchronous flooding attack), the firewall device 200 may receive a large number of SYN messages and/or ACK messages and establish a large number of session entries corresponding to illegal connections. These session entries occupy a large amount of the memory of the firewall device 200 and degrade its efficiency in processing services.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method and an apparatus for processing a session entry, a firewall device, and a storage medium, so as to quickly release a memory occupied by a session entry corresponding to an illegal connection, thereby reducing an influence on a service processing efficiency. The specific technical scheme is as follows:
In a first aspect, an embodiment of the application discloses a session table entry processing method, which is applied to firewall equipment and comprises the following steps:
detecting whether a first session table entry with the absolute value of the time difference value exceeding a first threshold exists in the session table entries every other first time interval; the time difference is the time difference between the current time and the receiving time of the last message matched with the session table item;
if the first session table entry exists, judging whether the connection corresponding to the first session table entry is illegal;
if the connection is illegal, detecting whether the number of the forward messages matched with the first session table item is larger than a second threshold value;
and if the number of forward messages is not larger than the second threshold, deleting the first session table entry.
In a second aspect, an embodiment of the present application discloses a session table entry processing apparatus, which is applied to a firewall device, and the apparatus includes:
the first detection unit is used for detecting whether a first session table entry with the absolute value of the time difference value exceeding a first threshold exists in the session table entries every first time length; the time difference is the time difference between the current time and the receiving time of the last message matched with the session table item;
the judging unit is used for judging whether the connection corresponding to the first session table entry is illegal connection or not when the detection result of the first detecting unit is yes;
the second detection unit is used for detecting whether the number of the forward messages matched with the first session table item is greater than a second threshold value or not when the judgment result of the judgment unit is yes;
and the first deleting unit is used for deleting the first session table entry when the detection result of the second detecting unit is negative.
In a third aspect, an embodiment of the application discloses firewall equipment comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
the memory is used for storing a computer program;
the processor is used for executing the program stored in the memory so as to implement the steps of the session entry processing method described above.
In a fourth aspect, an embodiment of the present application discloses a readable storage medium, in which a computer program is stored, and when the computer program is executed by a processor, the steps of the session table entry processing method described above are implemented.
In the embodiment of the application, the time length consumed for completing the connection establishment is less than or equal to a first threshold; the firewall device detects whether a first session table entry with an absolute value of a time difference value exceeding a first threshold exists in the session table entries every first time interval, if the first session table entry is detected, it is determined that connection establishment corresponding to the first session table entry is completed, and at this time, if it is determined that the connection corresponding to the first session table entry is illegal and the number of forward messages matched with the first session table entry is not greater than a second threshold, that is, it is determined that an attack corresponding to the first session table entry is a non-continuous attack, and the first session table entry is deleted. Therefore, in the embodiment of the application, the firewall device detects the session table entry at regular time, and can timely find and delete the session table entry corresponding to the illegal connection, so that the memory occupied by the session table entry corresponding to the illegal connection is quickly released, and the influence on the service processing efficiency is reduced. Of course, it is not necessary for any product or method of the present application to achieve all of the above-described advantages at the same time.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a schematic diagram of a networking;
fig. 2 is a first flowchart illustrating a session entry processing method according to an embodiment of the present application;
fig. 3 is a second flowchart illustrating a session entry processing method according to an embodiment of the present application;
fig. 4 is a third flowchart illustrating a session entry processing method according to an embodiment of the present application;
fig. 5 is a fourth flowchart illustrating a session entry processing method according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a session entry processing apparatus according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a firewall device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The words appearing in the embodiments of the present application are explained below.
Session table entry: a session table entry is used to guide the forwarding of messages, and comprises the source IP address, source port, destination IP address, destination port, number of processed messages and other information used to guide message forwarding; the source IP address included in a session table entry in the firewall equipment is the source IP address of the forward message; processed messages are matched against the session table entry;
forward message: a message sent by a client to a server, such as a SYN message and an ACK message sent by the client to the server;
reverse message: a message sent by the server to the client, such as a SYN/ACK message sent by the server to the client.
At present, when a networking is attacked by Flood, an attacker can send a large amount of SYN messages and/or ACK messages to a server through firewall equipment, establish illegal connection and occupy server resources.
In addition, when receiving a large number of SYN messages and/or ACK messages sent by an attacker, the firewall device may establish a large number of session table entries corresponding to illegal connections, and the session table entries corresponding to the illegal connections occupy a large amount of memory of the firewall device, thereby affecting the processing efficiency of the firewall device on services.
In order to quickly release a memory occupied by a session table entry corresponding to an illegal connection and reduce the influence on the service processing efficiency, embodiments of the present application provide a session table entry processing method and apparatus applied to a firewall device, the firewall device, and a storage medium.
Referring to fig. 2, fig. 2 is a first flowchart illustrating a session entry processing method according to an embodiment of the present application, applied to a firewall device, where the method includes:
s201: detecting whether a first session table entry with the absolute value of the time difference value exceeding a first threshold exists in the session table entries every other first time interval; if the first session entry exists, executing S202; otherwise, ending the processing;
and the time difference value is the time difference value between the current time and the receiving time of the last message matched with the session table item. Here, the message matched with the session entry is the message processed by the firewall device.
For example: the firewall equipment stores session table entry 1 and session table entry 2; the receiving time of the last message X1 matched with session table entry 1 is 10:00:00, and the receiving time of the last message X2 matched with session table entry 2 is 10:00:03. If the firewall device detects that the current time is 10:00:06, the time difference for session table entry 1 is 10:00:06 - 10:00:00 = 6 s and the time difference for session table entry 2 is 10:00:06 - 10:00:03 = 3 s; if the first threshold is 5 s, then since 6 s > 5 s and 3 s < 5 s, session table entry 1 is determined to be the first session table entry.
It should be noted that the first threshold is greater than or equal to the time consumed to complete connection establishment. If the time difference between the current time and the receiving time of the last message matched with a session entry exceeds the first threshold, connection establishment for that session entry can be regarded as completed; if it does not exceed the first threshold, the connection corresponding to the session entry has not yet been completely established, and the session entry may be left unprocessed at this time.
In an embodiment of the present application, a polling timer with a first duration as a time interval may be preset in the firewall device, so that after the polling timer is started, the firewall device may detect, according to the polling timer, every first duration, whether there is a first session entry in the session entries whose absolute value of a time difference exceeds a first threshold.
S202: judging whether the connection corresponding to the first session table entry is illegal; if the connection is illegal, S203 is executed; otherwise, the process is ended.
In an embodiment of the present application, the firewall device may determine whether a connection corresponding to the first session entry is an illegal connection by detecting a type of a packet matched with the first session entry.
Specifically, detecting whether a message matched with a first session table item only has a forward message; if only the forward message exists, it can be determined that the connection corresponding to the first session entry is an illegal connection. For example, if it is detected that the message matching the first session entry only includes a SYN message, it is determined that the connection corresponding to the first session entry is an illegal connection. For another example, if it is detected that the message matched with the first session entry only has an ACK message, it is determined that the connection corresponding to the first session entry is an illegal connection.
In addition, whether the messages matched with the first session table item only have SYN messages and SYN/ACK messages is detected; if only the SYN message and the SYN/ACK message exist, it may be determined that the connection corresponding to the first session entry is an illegal connection.
In addition to the above-mentioned case of determining the illegal connection, the connection corresponding to the first session entry may be considered as a legal connection.
It should be noted that when the firewall device receives multiple SYN messages matching the same session entry, it will receive only one SYN/ACK message matching that session entry. In this case, detecting whether the messages matched with the first session table entry consist only of SYN messages and SYN/ACK messages means detecting whether they consist only of SYN messages and SYN/ACK messages with the number of SYN/ACK messages being 1; if so, the connection corresponding to the first session entry may be determined to be an illegal connection.
In an embodiment of the present application, in order to facilitate determining the type of the packet processed by the firewall device, that is, to facilitate determining the type of the packet matched with the session entry, 3 bits may be added to the session entry, where one bit is used to identify that the SYN packet is matched with the session entry, one bit is used to identify that the ACK packet is matched with the session entry, and one bit is used to identify that the SYN/ACK packet is matched with the session entry. In addition, if the firewall device processes other kinds of packets, for example, processes a FIN (finish) packet for terminating a connection, all of the 3 bits added are cleared to 0.
S203: detecting whether the number of the forward messages matched with the first session table item is larger than a second threshold value; if not, executing S204;
When the connection corresponding to the first session table entry has been determined to be illegal, the forward messages matched with the first session table entry are attack messages sent by an attacker. If the number of forward messages matched with the first session table entry is detected to be not more than the second threshold, this attack (namely the attack corresponding to the first session table entry) can be determined to be a non-continuous attack, and S204 is executed; otherwise, the attack corresponding to the first session table entry is determined to be a continuous attack.
In one embodiment of the present application, the second threshold may be 1. At this time, if the number of the forward messages matched with the first session table entry is 1, determining that the attack corresponding to the first session table entry is a non-continuous attack; otherwise, determining that the attack corresponding to the first session table entry is a continuous attack.
S204: and deleting the first session table entry.
Therefore, when the attack corresponding to the first session entry is a non-persistent attack, the first session entry is deleted, and the firewall device releases the memory occupied by the first session entry, thereby reducing the influence on the service processing efficiency.
In an embodiment of the present application, if the attack corresponding to the session entry is a persistent attack, after deleting the session entry, the firewall device reestablishes the session entry after receiving the forward packet (i.e., the attack packet) matching the session entry, and sends the forward packet to the server for processing, which occupies resources of the server and affects forwarding performance of the firewall device.
In this case, in order to avoid occupying resources of the server and affecting the forwarding performance of the firewall device, referring to a second flowchart of the session entry processing method shown in fig. 3, based on fig. 2, if S203 detects that the number of forward packets matched with the first session entry is greater than a second threshold, that is, when it is determined that the attack corresponding to the first session entry is a persistent attack, the method may further include:
s205: and configuring a discarding identification for the first session table entry.
And the discarding mark is used for indicating the firewall equipment to discard the message matched with the first session table item.
Therefore, if the firewall equipment receives the forward message (namely the attack message) matched with the first session table item, the forward message can be discarded according to the discarding identification, and the firewall equipment is prevented from sending the forward message matched with the first session table item to a server for processing after the first session table item is deleted, so that occupied server resources are effectively reduced, and meanwhile, the influence on the forwarding performance of the firewall equipment is effectively reduced.
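The following is an added example, not the patent's own code, modelling the polling pass S201 to S205 above: the three per-entry flag bits come from the description, while `syn_ack_count` (for the "exactly one SYN/ACK" check) and the sample table in `demo()` are assumptions constructed here.

```python
from dataclasses import dataclass

# Added example (not the patent's own code): a model of the session table sweep
# in S201-S205. The three flag bits follow the description; syn_ack_count is an
# assumption used for the "exactly one SYN/ACK" check of S202.
SYN, ACK, SYN_ACK = 0b001, 0b010, 0b100


@dataclass
class SessionEntry:
    last_rx: float = 0.0      # receive time (s) of the last packet matching the entry
    forward_count: int = 0    # number of forward (client -> server) packets matched
    syn_ack_count: int = 0    # assumption: how many SYN/ACK packets were matched
    flags: int = 0            # bitmask of SYN / ACK / SYN_ACK seen so far
    discard: bool = False     # discard identifier configured in S205

    def on_packet(self, kind: str, forward: bool, now: float) -> None:
        """Record a packet that matched this entry."""
        self.last_rx = now
        if forward:
            self.forward_count += 1
        if kind == "SYN":
            self.flags |= SYN
        elif kind == "ACK":
            self.flags |= ACK
        elif kind == "SYN/ACK":
            self.flags |= SYN_ACK
            self.syn_ack_count += 1
        else:
            self.flags = 0    # any other kind (e.g. FIN) clears all three bits


def is_illegal(e: SessionEntry) -> bool:
    """S202: only forward packets matched, or only SYN plus exactly one SYN/ACK."""
    if e.flags and not (e.flags & SYN_ACK):      # only SYN and/or ACK, no reverse packet
        return True
    return e.flags == (SYN | SYN_ACK) and e.syn_ack_count == 1


def sweep(table: dict, now: float, first_threshold: float, second_threshold: int):
    """One polling pass (S201-S205). Returns (deleted keys, keys given the discard mark)."""
    deleted, flagged = [], []
    for key, e in list(table.items()):
        if abs(now - e.last_rx) <= first_threshold:
            continue                     # S201: handshake may still be in progress
        if not is_illegal(e):
            continue                     # S202: legal connection, leave it alone
        if e.forward_count > second_threshold:
            e.discard = True             # S205: persistent attack, keep entry, drop its packets
            flagged.append(key)
        else:
            del table[key]               # S204: non-persistent attack, free the memory
            deleted.append(key)
    return deleted, flagged


def t(h: int, m: int, s: int) -> int:
    """Clock time as seconds since midnight."""
    return h * 3600 + m * 60 + s


def demo():
    """Constructed table polled at 10:00:06 with first threshold 5 s and second threshold 1."""
    e1 = SessionEntry()
    e1.on_packet("ACK", True, t(10, 0, 0))          # lone forged ACK (scenario 1)
    e2 = SessionEntry()
    e2.on_packet("SYN", True, t(10, 0, 3))          # too recent to judge this pass
    e3 = SessionEntry()                             # 3 SYN + 1 SYN/ACK (scenario 4)
    e3.on_packet("SYN", True, t(9, 59, 40))
    e3.on_packet("SYN/ACK", False, t(9, 59, 41))
    e3.on_packet("SYN", True, t(9, 59, 45))
    e3.on_packet("SYN", True, t(9, 59, 50))
    e4 = SessionEntry()                             # complete three-way handshake
    e4.on_packet("SYN", True, t(9, 59, 0))
    e4.on_packet("SYN/ACK", False, t(9, 59, 1))
    e4.on_packet("ACK", True, t(9, 59, 2))
    table = {"entry1": e1, "entry2": e2, "entry3": e3, "entry4": e4}
    deleted, flagged = sweep(table, t(10, 0, 6), first_threshold=5, second_threshold=1)
    return deleted, flagged, table


if __name__ == "__main__":
    d, f, tbl = demo()
    print("deleted:", d, "discard-marked:", f, "remaining:", sorted(tbl))
```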
In an embodiment of the present application, in order to facilitate determining a current attack situation, referring to a third flowchart of the session entry processing method shown in fig. 4, based on fig. 2, after deleting the first session entry in S204, the method may further include:
s206: detecting whether a source IP address included in a first session table item exists in IP addresses included in the suspicious list; if not, executing S207; if so, go to S208;
the suspicious list is used for storing the IP addresses generating the attacks, so that a user can know the IP addresses currently generating the attacks through the suspicious list.
S207: adding the source IP address into the suspicious list, configuring aging duration for the source IP address in the suspicious list, and executing S209;
the source IP address is added to the suspect list to facilitate the user in viewing the IP address currently generating the attack. In addition, before the aging duration is over time, if there is deletion of a session entry that is the same as the source IP address included in the first session entry, the aging duration of the source IP address in the suspicious list is reset, and S209 is continuously performed.
S208: resetting the aging duration of the source IP address in the suspicious list, and executing S209;
Before the aging duration times out, if a session entry with the same source IP address as the first session entry is deleted again, the aging duration of that source IP address in the suspicious list is reset again, and S209 is continued.
S209: and when the aging duration is overtime, deleting the source IP address from the suspicious list.
If the aging duration times out, the firewall device has not, within the aging duration, deleted any session table entry with the same source IP address as the first session table entry; at this time the attack corresponding to the first session table entry can be considered to have been caused by a network abnormality, or to have stopped, so the source IP address is deleted from the suspicious list and the memory of the firewall device is saved.
In another embodiment of the present application, referring to the fourth flowchart of the session entry processing method shown in fig. 5, based on fig. 2, after deleting the first session entry in S204, the method may further include:
s210: detecting whether a source IP address included in a first session table item exists in IP addresses included in the suspicious list; if not, go to S211; if so, go to S212;
the suspicious list is used for storing the corresponding relation between the IP address generating the attack and the reference times in the second duration before the current moment. Here, the number of references of the IP address is the number of times that an attacker initiates a connection with the IP address. Specifically, if the IP address is an IP address generating an attack, the number of times that an attacker initiates a connection with the IP address is: the number of times the attacker launches the attack with that IP address.
S211: adding the source IP address into a suspicious list, and setting the reference times of the source IP address in the suspicious list as 1;
here, the number of references of the source IP address in the suspicious list is set to 1, that is, within the second duration before the current time, the attacker initiates 1 connection with the source IP address, that is, the source IP address generates one attack.
S212: adding 1 to the number of references of the source IP address in the suspicious list;
here, the number of references of the source IP address in the suspicious list is added by 1, that is, the number of attacks generated by the source IP address is added by 1 in the second duration before the current time.
For example, let the second duration be 100 s. If the firewall device adds IP1 to the suspicious list at 10:00:00, the reference count of IP1 within the 100 s from 9:58:20 to 10:00:00 is 1. If at 10:00:10 the firewall device deletes a session table entry whose source IP address is IP1 and adds 1 to the reference count of IP1 in the suspicious list, the reference count of IP1 within the 100 s from 9:58:30 to 10:00:10 is 2. If the firewall device then deletes a session table entry whose source IP address is IP1 at 10:02:00 and adds 1 to the reference count of IP1 in the suspicious list, the reference count of IP1 within the 100 s from 10:00:20 to 10:02:00 is 1, because the two earlier references now fall outside the window.
In this case, the method may further include:
s213: detecting whether a first IP address with the reference frequency larger than a third threshold exists in the suspicious list every third time length; if the first IP address exists, executing S214; otherwise, ending the processing;
Here, the detected reference count is the count within the second duration before the current time.
In an embodiment of the present application, a polling timer with a third duration as a time interval may be preset in the firewall device, so that after the polling timer is started, the firewall device may detect whether the first IP address whose reference number is greater than the third threshold exists in the suspicious list every third duration according to the polling timer.
S214: an alarm log including the first IP address is output.
The alarm log is used for prompting that the first IP address is an IP address which generates attacks for multiple times in a short time, so that a user can timely detect problems in the network, and network risks are reduced.
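An added example, not the patent's own code, that models the suspicious list of figs. 4 and 5 together: sliding-window reference counts over the second duration (replaying the 100 s example above), the aging timer reset of S207/S208 and its expiry in S209, and the third-threshold poll of S213/S214. The aging duration of 300 s and third threshold of 1 used in `demo()` are assumed values.

```python
from collections import deque

# Added example (not the patent's own code): a model of the suspicious list of
# figs. 4 and 5. Each deleted illegal session entry contributes one reference for
# its source IP; references older than window_s (the second duration) are dropped,
# the aging timer is reset on every reference (S207/S208) and expired IPs are
# removed (S209). poll() is the third-duration check of S213/S214.
class SuspiciousList:
    def __init__(self, window_s: int, aging_s: int, third_threshold: int):
        self.window_s = window_s
        self.aging_s = aging_s
        self.third_threshold = third_threshold
        self.refs = {}      # ip -> deque of reference times inside the window
        self.expires = {}   # ip -> time at which the aging duration times out

    def _trim(self, q: deque, now: int) -> None:
        # Drop references that fall outside [now - window_s, now].
        while q and q[0] < now - self.window_s:
            q.popleft()

    def on_session_deleted(self, src_ip: str, now: int) -> int:
        """S206-S208 / S210-S212: add the IP or bump its count; reset its aging timer."""
        q = self.refs.setdefault(src_ip, deque())
        q.append(now)
        self._trim(q, now)
        self.expires[src_ip] = now + self.aging_s
        return len(q)

    def count(self, src_ip: str, now: int) -> int:
        """Reference count of src_ip within the second duration before now."""
        q = self.refs.get(src_ip)
        if q is None:
            return 0
        self._trim(q, now)
        return len(q)

    def age_out(self, now: int) -> list:
        """S209: remove IPs whose aging duration timed out without a new reference."""
        removed = [ip for ip, exp in self.expires.items() if now >= exp]
        for ip in removed:
            del self.expires[ip]
            del self.refs[ip]
        return removed

    def poll(self, now: int) -> list:
        """S213/S214: IPs to report in an alarm log (count exceeds the third threshold)."""
        return [ip for ip in list(self.refs) if self.count(ip, now) > self.third_threshold]


def t(h: int, m: int, s: int) -> int:
    """Clock time as seconds since midnight."""
    return h * 3600 + m * 60 + s


def demo():
    """Replays the 100 s example; aging 300 s and third threshold 1 are assumed values."""
    sl = SuspiciousList(window_s=100, aging_s=300, third_threshold=1)
    counts = [sl.on_session_deleted("IP1", t(10, 0, 0)),     # 9:58:20-10:00:00 -> 1
              sl.on_session_deleted("IP1", t(10, 0, 10))]    # 9:58:30-10:00:10 -> 2
    alarms = sl.poll(t(10, 0, 10))                            # 2 > 1, so IP1 is logged
    counts.append(sl.on_session_deleted("IP1", t(10, 2, 0)))  # 10:00:20-10:02:00 -> 1
    aged = sl.age_out(t(10, 7, 0))                            # 300 s after last reference
    return counts, alarms, aged


if __name__ == "__main__":
    print(demo())
```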
It should be noted that the embodiments shown in fig. 2 to 5 may be used in combination, and the embodiments of the present application are not limited thereto.
Taking the networking shown in fig. 1 as an example, the embodiments provided by the present application may be applied to the following scenarios:
Scenario 1: the client 100 is an attacker that forges a large number of ACK messages with different source IP addresses and sends them to the server 300 through the firewall device 200; in this case, after receiving each ACK message the server 300 is busy looking up the connection corresponding to it but cannot find one, so it sends no message back to the client 100;
at this time, the firewall device 200 may generate a large number of session entries triggered and established by one ACK message (forward message); the firewall device 200 may determine that the connection corresponding to the session entry is an illegal connection and the corresponding attack is a non-persistent attack by periodically detecting the number and the messages matched with the session entry, and then delete the session entry and release the occupied memory.
Scenario 2: the client 100 is an attacker that forges a small number of ACK messages with different source IP addresses and sends them to the server 300 through the firewall device 200; in this case, after receiving each ACK message the server 300 is busy looking up the connection corresponding to it but cannot find one, so it sends no message back to the client 100;
at this time, the firewall device 200 may establish a small number of session entries, each session entry corresponds to a plurality of ACK messages, and the firewall device 200 may determine that the connection corresponding to such session entries is an illegal connection and the corresponding attack is a persistent attack by periodically detecting the number of messages matched with the session entries, and further configure a discard identifier for such session entries, so that the firewall device 200 discards the messages matched with such session entries, and avoids that the messages are sent to the server 300, occupy resources of the server 300, and affect the forwarding performance of the firewall device 200.
Scenario 3: the client 100 is an attacker that forges a large number of SYN messages with different source IP addresses and sends them to the server 300 through the firewall device 200; as in scenario 1, except that the server 300 receives the SYN packet, establishes a connection with the client 100, and feeds back a SYN/ACK packet to the client 100;
at this time, the firewall device 200 may establish a large number of session table entries, where each session table entry corresponds to one SYN message and one SYN/ACK message; the firewall device 200 may determine that the connection corresponding to the session entry is an illegal connection and the corresponding attack is a non-persistent attack by periodically detecting the number and the messages matched with the session entry, and then delete the session entry and release the occupied memory.
Scenario 4: the client 100 is an attacker that forges a small number of SYN messages with different source IP addresses and sends them to the server 300 through the firewall device 200; as in scenario 3, except that the firewall device 200 establishes a small number of session entries, each corresponding to a plurality of SYN messages and one SYN/ACK message;
at this time, the firewall device 200 may determine that the connection corresponding to the session entry is an illegal connection and the corresponding attack is a persistent attack by periodically detecting the number and the packets matched with the session entry, and further configure a discard identifier for the session entry, so that the firewall device 200 discards the packets matched with the session entry.
Scene 5: the client 100 is an attacker, and the client 100 forges a large number of SYN messages of different source IP addresses and sends the SYN messages to a nonexistent server through the firewall device 200;
at this time, the firewall device 200 may generate a large number of session entries triggered and established by one SYN message; the firewall device 200 may determine that the connection corresponding to the session entry is an illegal connection and the corresponding attack is a non-persistent attack by periodically detecting the number and the messages matched with the session entry, and then delete the session entry and release the occupied memory.
With the above embodiments, the first threshold is chosen to be no less than the time needed to complete connection establishment. Every first time interval, the firewall device checks whether the session table contains a first session entry whose time difference (the absolute value of the current time minus the receive time of the last message matched with the entry) exceeds the first threshold. Such an entry has had enough time for its handshake to complete, so if the connection corresponding to it is illegal and the number of forward messages matched with it does not exceed the second threshold, the attack is non-persistent and the first session entry is deleted. Because the firewall device checks the session table at regular intervals, it finds and deletes the entries of illegal connections promptly, quickly releases the memory they occupy, and reduces the impact on service processing efficiency.
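The periodic check described in the scenarios above, written out as an added example in Python. This code is illustrative and was written for this page; it is not taken from the patent or from any H3C product. The packet representation, the thresholds (first threshold 3 s, second threshold 5 forward messages) and the sample traffic are constructed assumptions. A session entry is created by the first message of a flow, forward and reverse messages matched with it are counted, and a scan run every first time interval deletes the entries of non-persistent illegal connections (scenarios 1, 3 and 5) and sets a discard identifier on the entries of persistent ones (scenarios 2 and 4).

```python
# Added illustrative example (not the patent's or any product's code).
# Thresholds, packet format and sample traffic are constructed assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Key = Tuple[str, int, str, int]          # (src_ip, src_port, dst_ip, dst_port)


@dataclass
class Entry:
    key: Key                 # direction of the message that created the entry
    last_seen: float         # receive time of the last matched message
    fwd: int = 0             # forward messages (same direction as the creator)
    rev: int = 0             # reverse messages (server -> client)
    flags: Set[str] = field(default_factory=set)   # "SYN", "SYN/ACK", "ACK"
    drop: bool = False       # the "discard identifier"


class SessionTable:
    def __init__(self, first_threshold: float, second_threshold: int):
        # first_threshold must be >= the time a legitimate handshake needs
        self.t1 = first_threshold
        self.n2 = second_threshold
        self.entries: Dict[Key, Entry] = {}

    def on_packet(self, src: str, sport: int, dst: str, dport: int,
                  flag: str, now: float) -> bool:
        """Match (or create) the entry; return True if the message is forwarded."""
        fwd_key: Key = (src, sport, dst, dport)
        rev_key: Key = (dst, dport, src, sport)
        e = self.entries.get(fwd_key)
        if e is not None:
            e.fwd += 1
        else:
            e = self.entries.get(rev_key)
            if e is not None:
                e.rev += 1
            else:
                e = self.entries[fwd_key] = Entry(fwd_key, now)
                e.fwd += 1
        e.last_seen = now
        e.flags.add(flag)
        return not e.drop

    @staticmethod
    def is_illegal(e: Entry) -> bool:
        # illegal: only forward messages (no reply at all), or only SYN and
        # SYN/ACK (the client's final ACK never completed the handshake)
        return e.rev == 0 or e.flags == {"SYN", "SYN/ACK"}

    def scan(self, now: float) -> Tuple[List[Key], List[Key]]:
        """Run every first time interval; returns (deleted keys, marked keys)."""
        deleted, marked = [], []
        for key, e in list(self.entries.items()):
            if abs(now - e.last_seen) <= self.t1:
                continue                     # handshake may still be in progress
            if not self.is_illegal(e):
                continue                     # legal connection: ordinary aging applies
            if e.fwd <= self.n2:
                del self.entries[key]        # non-persistent attack: free the memory
                deleted.append(key)
            else:
                e.drop = True                # persistent attack: keep entry, drop traffic
                marked.append(key)
        return deleted, marked


def demo() -> dict:
    """Constructed traffic covering the scenarios; returns the scan outcome."""
    t = SessionTable(first_threshold=3.0, second_threshold=5)
    srv = "10.0.0.10"
    # legitimate client: full three-way handshake
    t.on_packet("192.0.2.1", 40000, srv, 80, "SYN", 0.0)
    t.on_packet(srv, 80, "192.0.2.1", 40000, "SYN/ACK", 0.1)
    t.on_packet("192.0.2.1", 40000, srv, 80, "ACK", 0.2)
    # scenarios 1 and 5: one spoofed SYN per source address, never answered
    for i in range(3):
        t.on_packet(f"198.51.100.{i}", 1000 + i, srv, 80, "SYN", 0.0)
    # scenario 2: one source sending a stream of bare ACKs
    for _ in range(20):
        t.on_packet("203.0.113.7", 5555, srv, 80, "ACK", 0.0)
    # scenario 3: spoofed SYN answered by SYN/ACK, no final ACK
    t.on_packet("198.51.100.9", 2000, srv, 80, "SYN", 0.0)
    t.on_packet(srv, 80, "198.51.100.9", 2000, "SYN/ACK", 0.1)
    deleted, marked = t.scan(now=10.0)
    # a later message matching a marked entry is discarded
    forwarded = t.on_packet("203.0.113.7", 5555, srv, 80, "ACK", 10.5)
    return {"deleted": len(deleted), "marked": len(marked),
            "remaining": len(t.entries), "forwarded_after_mark": forwarded}
```

The scan leaves a legitimate completed connection alone even when it is idle, because only entries that fail the illegal-connection test are touched; ordinary idle aging of legal entries is outside this method. If first_threshold were set below the time a slow client needs to finish its handshake, that half-open handshake would be treated as a scenario 3 attack, which is why the first threshold must be no less than the connection establishment time.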
Corresponding to the method embodiment, an embodiment of the application also provides a session table entry processing apparatus.
Referring to fig. 6, which is a schematic structural diagram of a session entry processing apparatus according to an embodiment of the application, applied to a firewall device, the session entry processing apparatus includes:
a first detecting unit 601, configured to detect, every first time interval, whether the session entries contain a first session entry whose absolute time difference exceeds a first threshold; the time difference is the difference between the current time and the receive time of the last message matched with that session entry;
a determining unit 602, configured to determine whether a connection corresponding to the first session entry is an illegal connection when the detection result of the first detecting unit 601 is yes;
a second detecting unit 603, configured to detect, when the determination result of the determining unit 602 is yes, whether the number of the forward packets matched with the first session entry is greater than a second threshold;
a first deleting unit 604, configured to delete the first session entry when the detection result of the second detecting unit 603 is negative.
In an embodiment of the present application, the determining unit 602 may specifically be configured to:
detecting whether the messages matched with the first session entry are only forward messages, or whether they are only a synchronization (SYN) message and a SYN/ACK message;
and if only forward messages, or only a SYN message and a SYN/ACK message, are detected, determining that the connection corresponding to the first session entry is illegal.
In an embodiment of the present application, the session entry processing apparatus may further include:
a third detecting unit (not shown in fig. 6), configured to detect, after the first session entry is deleted, whether the source IP address contained in the first session entry is among the Internet Protocol (IP) addresses contained in a suspicious list; the suspicious list stores the IP addresses that have generated attacks and serves to flag them;
a first processing unit (not shown in fig. 6), configured to add the source IP address to the suspicious list and configure an aging duration for it if the detection result of the third detecting unit is negative; the third detecting unit is further configured to reset the aging duration of the source IP address in the suspicious list if its detection result is yes;
and a second deleting unit (not shown in fig. 6), configured to delete the source IP address from the suspicious list when its aging duration times out.
In an embodiment of the present application, the session entry processing apparatus may further include:
a fourth detecting unit (not shown in fig. 6), configured to detect, after the first session entry is deleted, whether the source IP address contained in the first session entry is among the IP addresses contained in a suspicious list; the suspicious list stores, for each IP address that has generated an attack, the number of times it has been referenced within a second duration before the current moment;
a second processing unit (not shown in fig. 6), configured to add the source IP address to the suspicious list with a reference count of 1 if the detection result of the fourth detecting unit is negative, and to add 1 to the reference count of the source IP address in the suspicious list if the detection result is yes;
a fifth detecting unit (not shown in fig. 6), configured to detect, every third duration, whether the suspicious list contains a first IP address whose reference count is greater than a third threshold;
and an output unit (not shown in fig. 6), configured to output an alarm log containing the first IP address when the detection result of the fifth detecting unit is yes; the alarm log indicates that the first IP address has generated attacks many times within a short period.
In an embodiment of the present application, the session entry processing apparatus may further include:
a configuration unit (not shown in fig. 6), configured to configure a discard identifier for the first session entry if the number of forward messages matched with the first session entry is detected to be greater than the second threshold; the discard identifier instructs the firewall device to discard the messages matched with the first session entry.
An embodiment of the application further provides a firewall device; as shown in fig. 7, it includes a processor 701, a communication interface 702, a memory 703 and a communication bus 704, through which the processor 701, the communication interface 702 and the memory 703 communicate with one another;
a memory 703 for storing a computer program;
the processor 701 is configured to implement the following steps when executing the program stored in the memory 703:
detecting, every first time interval, whether the session entries contain a first session entry whose absolute time difference exceeds a first threshold; the time difference is the difference between the current time and the receive time of the last message matched with that session entry;
if the first session entry exists, judging whether the connection corresponding to the first session entry is illegal;
if the connection is illegal, detecting whether the number of forward messages matched with the first session entry is greater than a second threshold;
and if the number is not greater than the second threshold, deleting the first session entry.
In an embodiment of the present application, the processor 701 may be specifically configured to:
detecting whether the messages matched with the first session entry are only forward messages, or whether they are only a SYN message and a SYN/ACK message;
and if only forward messages, or only a SYN message and a SYN/ACK message, are detected, determining that the connection corresponding to the first session entry is illegal.
In an embodiment of the present application, the processor 701 may further be configured to:
after the first session entry is deleted, detecting whether the source IP address contained in the first session entry is among the IP addresses contained in a suspicious list; the suspicious list stores the IP addresses that have generated attacks and serves to flag them;
if the source IP address is not present, adding it to the suspicious list and configuring an aging duration for it; if it is present, resetting the aging duration of the source IP address in the suspicious list;
and when the aging duration times out, deleting the source IP address from the suspicious list.
In an embodiment of the present application, the processor 701 may further be configured to:
after the first session entry is deleted, detecting whether the source IP address contained in the first session entry is among the IP addresses contained in a suspicious list; the suspicious list stores, for each IP address that has generated an attack, the number of times it has been referenced within a second duration before the current moment;
if the source IP address is not present, adding it to the suspicious list with a reference count of 1; if it is present, adding 1 to the reference count of the source IP address in the suspicious list;
in this case, the processor 701 may be further configured to:
detect, every third duration, whether the suspicious list contains a first IP address whose reference count is greater than a third threshold;
and if the first IP address exists, output an alarm log containing the first IP address; the alarm log indicates that the first IP address has generated attacks many times within a short period.
In an embodiment of the present application, the processor 701 may further be configured to:
if the number of forward messages matched with the first session entry is detected to be greater than the second threshold, configuring a discard identifier for the first session entry; the discard identifier instructs the firewall device to discard the messages matched with the first session entry.
The communication bus mentioned in the firewall device may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 7, but this is not intended to represent only one bus or type of bus.
The communication interface is used for communication between the firewall device and other devices.
The Memory may include a RAM (Random Access Memory) or an NVM (Non-Volatile Memory), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The processor may be a general-purpose processor, such as a Central Processing Unit (CPU) or a Network Processor (NP); it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
An embodiment of the present application further provides a readable storage medium, in which a computer program is stored, and when the computer program is executed by a processor, the following steps are implemented:
detecting, every first time interval, whether the session entries contain a first session entry whose absolute time difference exceeds a first threshold; the time difference is the difference between the current time and the receive time of the last message matched with that session entry;
if the first session entry exists, judging whether the connection corresponding to the first session entry is illegal;
if the connection is illegal, detecting whether the number of forward messages matched with the first session entry is greater than a second threshold;
and if the number is not greater than the second threshold, deleting the first session entry.
In an embodiment of the present application, the step of determining whether the connection corresponding to the first session entry is an illegal connection includes:
detecting whether the messages matched with the first session entry are only forward messages, or whether they are only a SYN message and a SYN/ACK message;
and if only forward messages, or only a SYN message and a SYN/ACK message, are detected, determining that the connection corresponding to the first session entry is illegal.
In one embodiment of the application, the computer program, when executed by the processor, may further implement the steps of:
after the first session entry is deleted, detecting whether the source IP address contained in the first session entry is among the IP addresses contained in a suspicious list; the suspicious list stores the IP addresses that have generated attacks and serves to flag them;
if the source IP address is not present, adding it to the suspicious list and configuring an aging duration for it; if it is present, resetting the aging duration of the source IP address in the suspicious list;
and when the aging duration times out, deleting the source IP address from the suspicious list.
In one embodiment of the application, the computer program, when executed by the processor, may further implement the steps of:
after the first session entry is deleted, detecting whether the source IP address contained in the first session entry is among the IP addresses contained in a suspicious list; the suspicious list stores, for each IP address that has generated an attack, the number of times it has been referenced within a second duration before the current moment;
if the source IP address is not present, adding it to the suspicious list with a reference count of 1; if it is present, adding 1 to the reference count of the source IP address in the suspicious list;
detecting, every third duration, whether the suspicious list contains a first IP address whose reference count is greater than a third threshold;
and if the first IP address exists, outputting an alarm log containing the first IP address; the alarm log indicates that the first IP address has generated attacks many times within a short period.
The computer program when executed by a processor in an embodiment of the application may further implement the steps of:
if the number of forward messages matched with the first session entry is detected to be greater than the second threshold, configuring a discard identifier for the first session entry; the discard identifier instructs the firewall device to discard the messages matched with the first session entry.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the embodiments of the apparatus, the firewall device and the readable storage medium, since they are basically similar to the embodiments of the method, the description is simple, and the relevant points can be referred to the partial description of the embodiments of the method.
The above description is only for the preferred embodiment of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (12)

1. A session table entry processing method is applied to a firewall device, and comprises the following steps:
detecting, every first time interval, whether the session entries contain a first session entry whose absolute time difference exceeds a first threshold; the time difference is the difference between the current time and the receive time of the last message matched with that session entry, and the first threshold is greater than or equal to the time needed to complete connection establishment;
if the first session table entry exists, judging whether the connection corresponding to the first session table entry is illegal;
if the connection is illegal, detecting whether the number of the forward messages matched with the first session table item is larger than a second threshold value;
and if the first session table entry is not larger than the second threshold, deleting the first session table entry.
2. The method of claim 1, wherein the step of determining whether the connection corresponding to the first session entry is an illegal connection comprises:
detecting whether the messages matched with the first session entry are only forward messages, or whether they are only a synchronization (SYN) message and a SYN/ACK message;
and if only forward messages, or only a SYN message and a SYN/ACK message, are detected, determining that the connection corresponding to the first session entry is illegal.
3. The method of claim 1, wherein after deleting the first session entry, the method further comprises:
detecting whether the source IP address contained in the first session entry is among the Internet Protocol (IP) addresses contained in a suspicious list; the suspicious list stores the IP addresses that have generated attacks and serves to flag them;
if the source IP address does not exist, adding the source IP address into the suspicious list, and configuring aging duration for the source IP address in the suspicious list; if so, resetting the aging duration of the source IP address in the suspicious list;
and when the aging duration is overtime, deleting the source IP address from the suspicious list.
4. The method of claim 1, wherein after deleting the first session entry, the method further comprises:
detecting whether a source IP address included in the first session table item exists in IP addresses included in a suspicious list; the suspicious list is used for storing the corresponding relation between the IP address generating the attack and the reference times in the second duration before the current moment;
if the source IP address does not exist, the source IP address is added into the suspicious list, and the reference times of the source IP address in the suspicious list are set to be 1; if yes, adding 1 to the number of references of the source IP address in the suspicious list;
the method further comprises the following steps:
detecting whether a first IP address with the reference frequency larger than a third threshold exists in the suspicious list every third time length;
if the first IP address exists, outputting an alarm log comprising the first IP address; the alarm log is used for prompting that the first IP address is an IP address which generates attacks for multiple times in a short time.
5. The method of claim 1, further comprising:
if the number of the forward messages matched with the first session table entry is detected to be larger than the second threshold value, configuring a discarding identifier for the first session table entry; and the discarding identification is used for indicating the firewall equipment to discard the message matched with the first session table item.
6. A session table entry processing apparatus, applied to a firewall device, the apparatus comprising:
the first detection unit is used for detecting whether a first session table entry with the absolute value of the time difference value exceeding a first threshold exists in the session table entries every first time length; the time difference is the time difference between the current time and the receiving time of the last message matched with the session table item, and the first threshold is more than or equal to the time length required to be consumed when the connection establishment is completed;
the judging unit is used for judging whether the connection corresponding to the first session table entry is illegal connection or not when the detection result of the first detecting unit is yes;
the second detection unit is used for detecting whether the number of the forward messages matched with the first session table item is greater than a second threshold value or not when the judgment result of the judgment unit is yes;
and the first deleting unit is used for deleting the first session table entry when the detection result of the second detecting unit is negative.
7. The apparatus according to claim 6, wherein the determining unit is specifically configured to:
detecting whether the message matched with the first session table item only has a forward message; or detecting whether the message matched with the first session table item only has a synchronous SYN message and a SYN/ACK message;
and if only a forward message is detected or only a SYN message and a SYN/ACK message are detected, determining that the connection corresponding to the first session table entry is illegal.
8. The apparatus of claim 6, further comprising:
a third detecting unit, configured to detect, after deleting the first session entry, whether a source IP address included in the first session entry exists in network protocol IP addresses included in the suspicious list; the suspicious list is used for storing the IP addresses generating the attacks and prompting the IP addresses generating the attacks;
a first processing unit, configured to add the source IP address to the suspicious list and configure an aging duration for the source IP address in the suspicious list if the detection result of the third detecting unit is negative; the third detecting unit is further configured to reset the aging duration of the source IP address in the suspicious list if the detection result of the third detecting unit is yes;
and the second deleting unit is used for deleting the source IP address from the suspicious list after the aging duration is overtime.
9. The apparatus of claim 6, further comprising:
a fourth detecting unit, configured to detect whether a source IP address included in the first session entry exists in IP addresses included in the suspicious list after the first session entry is deleted; the suspicious list is used for storing the corresponding relation between the IP address generating the attack and the reference times in the second duration before the current moment;
a second processing unit, configured to, if the detection result of the fourth detecting unit is negative, add the source IP address to the suspicious list, and set the number of times of reference of the source IP address in the suspicious list to 1; if the detection result of the fourth detection unit is yes, adding 1 to the number of times of reference of the source IP address in the suspicious list;
a fifth detecting unit, configured to detect whether a first IP address whose reference frequency is greater than a third threshold exists in the suspicious list every third duration;
the output unit is used for outputting an alarm log comprising the first IP address when the detection result of the fifth detection unit is yes; the alarm log is used for prompting that the first IP address is an IP address which generates attacks for multiple times in a short time.
10. The apparatus of claim 6, further comprising:
a configuration unit, configured to configure a discard identifier for the first session entry if it is detected that the number of forward messages matched with the first session entry is greater than the second threshold; and the discarding identification is used for indicating the firewall equipment to discard the message matched with the first session table item.
11. A firewall device, comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another through the communication bus;
the memory is configured to store a computer program;
and the processor is configured to execute the program stored in the memory so as to perform the method steps of any one of claims 1-5.
12. A readable storage medium, characterized in that a computer program is stored in the readable storage medium, which computer program, when being executed by a processor, carries out the method steps of any one of the claims 1-5.
CN201710439697.6A 2017-06-12 2017-06-12 Session table item processing method and device, firewall equipment and storage medium Active CN107547503B (en)

Publications (2)

Publication Number Publication Date
CN107547503A CN107547503A (en) 2018-01-05
CN107547503B true CN107547503B (en) 2020-12-25

Family

ID=60970148

Country Status (1)

Country Link
CN (1) CN107547503B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108650334B (en) * 2018-08-02 2021-03-30 东软集团股份有限公司 Session failure setting method and device
CN110392034B (en) * 2018-09-28 2020-10-13 新华三信息安全技术有限公司 Message processing method and device
CN109617920B (en) * 2019-01-23 2021-07-20 新华三信息安全技术有限公司 Message processing method and device, router and firewall equipment
CN109922144B (en) * 2019-02-28 2022-09-16 北京百度网讯科技有限公司 Method and apparatus for processing data
CN111225019B (en) * 2019-10-29 2022-06-28 ***股份有限公司 Session control processing method, device, equipment and medium
CN113783857B (en) * 2021-08-31 2023-11-07 新华三信息安全技术有限公司 Anti-attack method, device, equipment and machine-readable storage medium
CN113965347B (en) * 2021-09-09 2024-03-15 山石网科通信技术股份有限公司 Firewall data processing method and device
WO2023070377A1 (en) * 2021-10-27 2023-05-04 Oppo广东移动通信有限公司 Block acknowledgment agreement deletion method and apparatus, and multi-link device and storage medium
CN114024887B (en) * 2021-11-10 2024-06-14 北京天融信网络安全技术有限公司 Processing method, device, equipment and storage medium of forwarding table item

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101170517A (en) * 2007-12-06 2008-04-30 杭州华三通信技术有限公司 Method and device for aging of control session table
CN101296071A (en) * 2007-04-25 2008-10-29 北京天融信网络安全技术有限公司 Retrogradation method of internal connection meter of fire wall chip
JP4475156B2 (en) * 2005-03-29 2010-06-09 日本電気株式会社 Network processing apparatus, network processing method, and network processing program
US8160080B1 (en) * 2006-05-08 2012-04-17 Marvell Israel (M.I.S.L.) Ltd. Implementation of reliable synchronization of distributed databases
CN102882894A (en) * 2012-10-30 2013-01-16 杭州迪普科技有限公司 Method and device for identifying attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant