CN109639712A - A kind of method and system for protecting DDOS attack - Google Patents

A kind of method and system for protecting DDOS attack

Info

Publication number
CN109639712A
Authority
CN
China
Prior art keywords
server
client
message
cleaning equipment
syn
Legal status
Granted (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number
CN201811640337.3A
Other languages
Chinese (zh)
Other versions
CN109639712B (en)
Inventor
贺艳
邓军
叶晓虎
何坤
张磊
袁玫
杨雪皎
Current Assignee (as listed by Google Patents; may be inaccurate)
NSFOCUS Information Technology Co Ltd
Beijing NSFocus Information Security Technology Co Ltd
Original Assignee
NSFOCUS Information Technology Co Ltd
Beijing NSFocus Information Security Technology Co Ltd
Events
Application filed by NSFOCUS Information Technology Co Ltd and Beijing NSFocus Information Security Technology Co Ltd
Priority to CN201811640337.3A
Publication of CN109639712A
Application granted
Publication of CN109639712B
Legal status: Active
Anticipated expiration


Classifications

    • H04L 63/1458 Denial of Service, under H04L 63/1441 Countermeasures against malicious traffic, H04L 63/14 Detecting or protecting against malicious traffic, H04L 63/00 Network architectures or network communication protocols for network security (H04L Transmission of digital information, e.g. telegraphic communication; H04 Electric communication technique; H Electricity)
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities, under H04L 63/00 (H04L; H04; H)
    • H04L 67/141 Setup of application sessions, under H04L 67/14 Session management, H04L 67/00 Network arrangements or protocols for supporting network services or applications (H04L; H04; H)
    • H04L 69/163 In-band adaptation of TCP data exchange; in-band control procedures, under H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP], H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass (H04L; H04; H)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method and system for protecting against DDoS attacks. In the method, a client sends a SYN request packet to a server through an intermediate cleaning device within the retransmission interval; the intermediate cleaning device records the first five-tuple information and the first sequence number information carried in the SYN request packet; after receiving the SYN-ACK packet with the correct acknowledgment number sent by the server, the client determines whether the current connection request has timed out; if not, the client sends an ACK packet to the server through the intermediate cleaning device; the intermediate cleaning device verifies the client according to the ACK packet and, once verification passes, forwards the ACK packet to the server, so that the client establishes a TCP connection with the server. Because the scheme never relies on a client responding to a [SYN, ACK] packet with a wrong acknowledgment number, nor on a client responding after its TCP connection has been reset by the peer, it protects against DDoS attacks while guaranteeing normal communication between normal clients and the server.

Description

A kind of method and system for protecting DDOS attack
Technical field
Embodiments of the present invention relate to the field of DDoS (Distributed Denial of Service) attack protection, and in particular to a method and system for protecting against DDoS attacks.
Background technique
A SYN (Synchronize Sequence Numbers) Flood attack is one of the most common forms of DDoS. It exploits a weakness of TCP (Transmission Control Protocol) by forging a large number of TCP connection requests in order to exhaust the resources of the attacked party. Two protection schemes against SYN Flood are currently mainstream:
The first is shown in Fig. 1. After receiving a SYN request packet, the intermediate cleaning device replies with a [SYN, ACK (acknowledgment)] packet carrying an incorrect acknowledgment number. Under normal circumstances a normal client returns an RST packet to tear down the connection and then re-initiates the three-way handshake, thereby passing verification by the intermediate cleaning device and communicating with the server directly from then on. An attacker cannot support this protocol interaction, so its SYN Flood packets are intercepted by the intermediate cleaning device, which realizes the protection function. In this scheme the client must first complete a three-way handshake with the intermediate cleaning device before it can pass verification; that is, the TCP connection the client initiates is not established with the server but with the intermediate cleaning device standing in for the server.
The second is shown in Fig. 2. After receiving a SYN packet, the intermediate cleaning device replies with a [SYN, ACK] packet carrying the correct acknowledgment number. A normal client replies with an ACK packet and establishes a TCP connection with the intermediate cleaning device, which then replies with an RST (reset) packet to break that connection. Under normal circumstances the client issues the connection request again, thereby passing verification by the intermediate cleaning device and communicating with the server directly. An attacker cannot support this protocol interaction, so its SYN Flood packets are intercepted by the intermediate cleaning device, which realizes the protection function. In this scheme, too, the client first establishes a TCP connection with the intermediate cleaning device by three-way handshake, after which the intermediate cleaning device verifies the client by disconnecting it; again the intermediate cleaning device stands in for the server to establish the TCP connection.
As network attacks grow ever more rapidly, many normal clients today, and payment-type clients in particular, exhibit the following protocol behaviours: first, they do not respond to a wrong [SYN, ACK] packet returned by the server; second, once a TCP connection has been established, they no longer respond after the connection is broken by the intermediate cleaning device. When protection is applied with the existing SYN Flood protection algorithms, clients with these two protocol behaviours no longer respond, so the normal communication of such clients is blocked and regular services are affected.
Summary of the invention
Embodiments of the present invention provide a method and system for protecting against DDoS attacks, so as to guarantee the normal service communication of clients while protecting against DDoS attacks.
A method for protecting against DDoS attacks provided in an embodiment of the present invention comprises:
a client sends a SYN request packet to a server through an intermediate cleaning device within the retransmission interval, the SYN request packet including first five-tuple information and first sequence number information;
after receiving the SYN request packet sent by the client to the server, the intermediate cleaning device records the first five-tuple information and the first sequence number information and forwards the SYN request packet to the server, so that the server sends a SYN-ACK packet;
after receiving the SYN-ACK packet with the correct acknowledgment number sent by the server, the client determines whether the current connection request has timed out;
if not, the client sends an ACK packet to the server through the intermediate cleaning device, the ACK packet including second five-tuple information and second sequence number information;
after receiving the ACK packet sent by the client to the server, the intermediate cleaning device verifies the client according to the second five-tuple information and the second sequence number information and, once verification passes, forwards the ACK packet to the server, so that the client and the server complete the establishment of the TCP connection.
In the above technical solution, after receiving the SYN-ACK packet sent by the server, the client sends an ACK packet to the server through the intermediate cleaning device if the current connection request has not timed out; the intermediate cleaning device verifies the client and, once verification passes, sends the ACK packet on to the server, so that the TCP connection with the server is established. There is no requirement that the client respond to a [SYN, ACK] packet with a wrong acknowledgment number, nor that it respond after its TCP connection has been broken by the peer, so the client's normal communication directly with the server is guaranteed while DDoS attacks are protected against. The scheme adapts well to payment-type or mobile clients and solves the problem that existing SYN Flood protection schemes block the normal service communication of normal clients. At the same time, because the intermediate cleaning device verifies the client during the establishment of the TCP connection between client and server, the client does not need to first establish a TCP connection with the intermediate cleaning device, which improves the efficiency of establishing the TCP connection between client and server and saves system resources.
Optionally, the method further comprises:
if the client determines that the current connection request has timed out, the client sends an RST packet to the server through the intermediate cleaning device, the RST packet including third five-tuple information and third sequence number information;
after receiving the RST packet sent by the client to the server, the intermediate cleaning device verifies the client according to the third five-tuple information and the third sequence number information and, once verification passes, forwards the RST packet to the server;
the client sends a TCP connection request to the server, establishes the TCP connection with the server, and communicates.
In the above technical solution, after receiving the SYN-ACK packet sent by the server, the client sends an ACK packet to the server through the intermediate cleaning device if the current connection request has not timed out; the intermediate cleaning device verifies the client according to the second five-tuple information and second sequence number information in the ACK packet and sends the ACK packet on to the server once verification passes. If the current connection request has timed out, the client instead sends an RST packet to the server through the intermediate cleaning device, which verifies the client according to the third five-tuple information and third sequence number information in the RST packet and sends the RST packet on to the server once verification passes. A TCP connection is thereby established with the server without requiring the client to respond to a [SYN, ACK] packet with a wrong acknowledgment number or to respond after its TCP connection has been broken by the peer. Normal communication between normal clients and the server is guaranteed while DDoS attacks are protected against; the scheme adapts well to payment-type or mobile clients and solves the problem that existing SYN Flood protection schemes block regular services. At the same time, because the intermediate cleaning device verifies the client during the establishment of the TCP connection between client and server, the client does not need to first establish a TCP connection with the intermediate cleaning device, which improves the efficiency of establishing the TCP connection and saves system resources.
Optionally, after the intermediate cleaning device forwards the ACK packet to the server, the client communicates directly with the server.
In the above technical solution, once the intermediate cleaning device has forwarded the ACK packet to the server, the client and the server have completed the establishment of the TCP connection; the client no longer needs to be verified by the intermediate cleaning device and can communicate with the server directly.
Optionally, before the intermediate cleaning device receives the SYN request packet sent by the client, the method further comprises:
the intermediate cleaning device counts the SYN packets sent to the server and enters the protection state when it confirms that the number of SYN packets reaching the same destination address exceeds a threshold.
Correspondingly, an embodiment of the present invention also provides a system for protecting against DDoS attacks, comprising a client, an intermediate cleaning device and a server;
the client is configured to send a SYN request packet to the server through the intermediate cleaning device within the retransmission interval, the SYN request packet including first five-tuple information and first sequence number information;
the intermediate cleaning device is configured to, after receiving the SYN request packet sent by the client to the server, record the first five-tuple information and the first sequence number information and forward the SYN request packet to the server, so that the server sends a SYN-ACK packet;
the client is further configured to, after receiving the SYN-ACK packet with the correct acknowledgment number sent by the server, determine whether the current connection request has timed out and, if not, send an ACK packet to the server through the intermediate cleaning device, the ACK packet including second five-tuple information and second sequence number information;
the intermediate cleaning device is further configured to, after receiving the ACK packet sent by the client to the server, verify the client according to the second five-tuple information and the second sequence number information and, once verification passes, forward the ACK packet to the server, so that the client and the server complete the establishment of the Transmission Control Protocol (TCP) connection.
Optionally, the client is further configured to, if it determines that the current connection request has timed out, send an RST packet to the server through the intermediate cleaning device, the RST packet including third five-tuple information and third sequence number information;
the intermediate cleaning device is further configured to, after receiving the RST packet sent by the client to the server, verify the client according to the third five-tuple information and the third sequence number information and, once verification passes, forward the RST packet to the server;
the client is further configured to send a TCP connection request to the server, establish the TCP connection with the server, and communicate.
Optionally, the client is further configured to:
communicate directly with the server after the intermediate cleaning device has forwarded the ACK packet to the server.
Optionally, the intermediate cleaning device is further configured to:
before receiving the SYN request packet sent by the client, count the SYN packets sent to the server and enter the protection state when it confirms that the number of SYN packets reaching the same destination address exceeds a threshold.
Correspondingly, an embodiment of the present invention also provides a computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being configured to cause a computer to execute the above method for protecting against DDoS attacks.
Correspondingly, an embodiment of the present invention also provides a computing device, comprising:
a memory for storing program instructions;
a processor for calling the program instructions stored in the memory and executing, according to the obtained program, the above method for protecting against DDoS attacks.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a SYN Flood attack defence scheme provided in an embodiment of the present invention;
Fig. 2 is a schematic diagram of a SYN Flood attack defence scheme provided in an embodiment of the present invention;
Fig. 3 is a schematic diagram of a system architecture provided in an embodiment of the present invention;
Fig. 4 is a flow diagram of a method for protecting against DDoS attacks provided in an embodiment of the present invention;
Fig. 5 is a schematic diagram of a method for protecting against DDoS attacks provided in an embodiment of the present invention;
Fig. 6 is a structural schematic diagram of a system for protecting against DDoS attacks provided in an embodiment of the present invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 3 shows a system architecture to which the embodiments of the present invention apply. As shown in Fig. 3, the system architecture may include a client 100, an intermediate cleaning device 200 and a server 300.
The intermediate cleaning device 200 sits between the client 100 and the server 300 and is used to intercept SYN Flood attacks and to verify clients.
It should be noted that the structure shown in Fig. 3 is only an example and does not limit the embodiments of the present invention.
Based on the foregoing description, Fig. 4 illustrates the flow of a method for protecting against DDoS attacks provided in an embodiment of the present invention. The flow may be executed by the system for protecting against DDoS attacks; it is described below in terms of the interaction among the client, the intermediate cleaning device and the server.
As shown in Fig. 4, the specific steps of the flow are as follows:
Step 401: the client sends a SYN request packet to the intermediate cleaning device.
The SYN request packet includes first five-tuple information and first sequence number information, which the intermediate cleaning device uses to verify the client when it later receives further packets from the client, that is, to verify whether the client is a normal client. The SYN request packet is sent within the retransmission interval; because it is a retransmitted packet, and the SYN request packet is the first packet the client sends to the server, its sequence number is in effect the first one (1). Since the intermediate cleaning device has already entered the protection state at this point, it verifies every SYN request packet; the SYN request packet the client sends the first time is therefore washed by the intermediate cleaning device, that is, the device refuses to forward the first SYN request packet to the server, and so prevents SYN Flood attacks. Consequently, when the client receives no response from the server within the retransmission interval, it retransmits the SYN request packet, and only when the intermediate cleaning device receives the SYN request packet again does it let it through.
In embodiments of the present invention, the retransmission interval is made adaptive (set empirically), so that the SYN retransmission interval of client traffic is matched precisely while forged SYN Flood packets are washed, or the SYN Flood packets are cleaned by other means.
It should be noted that before the client sends the SYN request packet, the intermediate cleaning device can count the SYN packets sent to the server and, when it confirms that the number of SYN packets reaching the same destination address exceeds a threshold, enter the protection state, so as to protect against SYN Flood attacks. The threshold can be set empirically.
Step 402: the intermediate cleaning device records the first five-tuple information and the first sequence number information.
The SYN request packet that the intermediate cleaning device receives from the client, addressed to the server, includes the first five-tuple information and the first sequence number information; the intermediate cleaning device records both so that it can verify the client in the subsequent interaction, that is, verify whether the client is a normal client.
Step 403: the intermediate cleaning device sends the SYN request packet to the server.
Once the intermediate cleaning device has recorded the first five-tuple information and the first sequence number information from the SYN request packet, it can let the SYN request packet through and send it to the server, so that the server sends a SYN-ACK packet to the client.
Step 404: the server sends a SYN-ACK packet to the client.
After receiving the SYN request packet sent by the client, the server sends a SYN-ACK packet to the client. This SYN-ACK packet carries the correct acknowledgment number. Because the server sends a SYN-ACK packet with the correct acknowledgment number, clients that do not respond to a SYN-ACK packet with a wrong acknowledgment number are guaranteed to communicate normally: the ACK packet sent by such a client is not intercepted.
Step 405: the client determines whether the current connection request has timed out; if so, go to step 410, otherwise go to step 406.
After receiving the SYN-ACK packet with the correct acknowledgment number sent by the server, the client first needs to determine whether the current connection request has timed out. Timing out here means that establishing this TCP connection would exceed the TCP connection establishment time; if it would, the request has timed out and the establishment of this TCP connection can be abandoned. If it would not, the client will not cause a TCP connection establishment timeout by returning the ACK packet.
Step 406: the client sends an ACK packet to the intermediate cleaning device.
When the client confirms in step 405 that the current connection request has not timed out, it can continue by sending an ACK packet to the server. Because the intermediate cleaning device has not yet verified this client, the client is still liable to be intercepted by the intermediate cleaning device, so the ACK packet the client sends to the server at this point first passes through the intermediate cleaning device. The ACK packet is used to complete the establishment of the TCP connection with the server. It includes second five-tuple information and second sequence number information, with which the intermediate device verifies the client.
Step 407: the intermediate cleaning device verifies the client.
After receiving the ACK packet sent by the client, the intermediate cleaning device verifies the client according to the second five-tuple information and the second sequence number information in the ACK packet. Specifically, the intermediate cleaning device compares the client's first five-tuple information and first sequence number information with the second five-tuple information and second sequence number information; if the two are consistent, it confirms that the client is a normal client and verification passes. After verification passes, the intermediate cleaning device no longer intercepts the packets exchanged between the client and the server but lets the communication between them through, until the TCP connection established between that client and the server is disconnected.
If the second five-tuple information and second sequence number information sent by the client do not pass verification, they are inconsistent with the client's first five-tuple information and first sequence number information, which indicates that the client is very likely a DDoS attacker; the intermediate cleaning device then intercepts the ACK packet and does not let it through to the server, thereby achieving protection against DDoS attacks.
Because there is no requirement that the client respond to a [SYN, ACK] packet with a wrong acknowledgment number, nor that it respond after its TCP connection has been broken by the peer, the client's normal communication directly with the server is guaranteed while DDoS attacks are protected against. The scheme adapts well to payment-type or mobile clients and solves the problem that existing SYN Flood protection schemes block the normal service communication of normal clients. At the same time, because the intermediate cleaning device verifies the client during the establishment of the TCP connection between client and server, the client does not need to first establish a TCP connection with the intermediate cleaning device, which improves the efficiency of establishing the TCP connection and saves system resources.
Step 408: the intermediate cleaning device sends the ACK packet to the server.
Only after the client has passed verification does the intermediate cleaning device send the ACK packet to the server, so that the client establishes the TCP connection with the server.
Step 409: the client and the server establish the TCP connection.
Once the client and the server have established the TCP connection, the client can communicate with the server directly, without further interception by the intermediate cleaning device.
Step 410, client sends RST message to intermediate cleaning equipment.
In above-mentioned steps 405, when client confirms current connection request time-out, client can be sent to server RST message, with the process for establishing TCP connection with server restarting.It include third five-tuple letter in the RST message Breath and third sequence number information, so that intermediate cleaning equipment is according to the third five-tuple information and third sequence number information to client It is verified at end.
Step 411, intermediate cleaning equipment verifies client.
Intermediate cleaning equipment is after receiving client and being sent to the RST message of server, according to the third in RST message Five-tuple information and third sequence number information verify client, and specific: intermediate cleaning equipment compares the client First five-tuple information and First ray information and third five-tuple information and third sequence number information, if the two is consistent, Confirm that the client is normal client, will be verified, after being verified, intermediate cleaning equipment would not intercept again Communication message between client and server lets pass to the communication between client and server, subsequent client with Server re-establishes TCP connection, until the TCP connection established between the client and server disconnects.
If at this time client send third five-tuple information and third sequence number information not over verifying, show with The the first five-tuple information and First ray information of client are inconsistent, can also indicate that the client is likely to be DDOS and attacks The person of hitting, intermediate cleaning equipment can intercept confirmation message herein, and the confirmation message will not be let pass, be sent to service Device, to play the purpose of protection DDOS attack.Simultaneously it is also ensured that will not be disconnected by intermediate cleaning equipment, also It ensure that the normal client and the direct normal communication of server for being not responding to that opposite end disconnects, that is to say, that centre cleaning Equipment will not intercept this message for being not responding to the client that opposite end disconnects, and be to continue with sender's progress to the message Verifying.The scheme of the prior art is that intermediate cleaning equipment can intercept this message for being not responding to opposite end and disconnecting, to influence Normal client and the direct normal communication of server.
Simultaneously as intermediate cleaning equipment is to realize during client and server establish TCP connection to client The verifying at end, does not need client and intermediate cleaning equipment first establishes TCP connection, improves client and server is established The efficiency of TCP connection, saves system resource.
Step 412: the intermediate cleaning device sends the RST message to the server.
After the client passes verification, the intermediate cleaning device lets the RST message through and sends it to the server. The server does not respond after receiving the RST message; it only needs to wait for the client to issue a new TCP connection establishment request.
Step 413: the client sends a first SYN request message to the server.
Since the intermediate cleaning device verified the client in step 411, it no longer intercepts the messages the client sends afterwards; at this point the client sends the first SYN request message directly to the server.
Step 414: the server sends a first SYN confirmation message to the client.
After receiving the first SYN request message sent by the client, the server sends the first SYN confirmation message to the client.
Step 415: the client sends a first confirmation message to the server.
After receiving the first SYN confirmation message sent by the server, the client can send the first confirmation message to the server to complete the establishment of the TCP connection.
Through the three-way handshake between the client and the server in steps 413 to 415, the client and the server successfully establish a TCP connection and can carry out TCP communication.
The above embodiment shows that, after receiving the SYN confirmation message sent by the server, if the current connection request has not timed out, the client can send a confirmation message to the server through the intermediate cleaning device; the intermediate cleaning device verifies the client according to the second five-tuple information and second sequence number information in the confirmation message and, after verification passes, sends the confirmation message to the server. If the current connection request has timed out, the client sends a RST message to the server through the intermediate cleaning device; the intermediate cleaning device verifies the client according to the third five-tuple information and third sequence number information in the RST message and, after verification passes, sends the RST message to the server, so that a TCP connection with the server can then be established. The scheme does not depend on the client responding to a [SYN, ACK] message that carries a wrong acknowledgment number, nor on the client responding to the peer tearing down the TCP connection. While protecting against DDOS attacks, it ensures normal communication between normal clients and the server, adapts well to payment-type or mobile clients, and solves the problem that existing SYN Flood protection schemes block regular traffic. Moreover, because the intermediate cleaning device verifies the client during the establishment of the TCP connection between the client and the server, the client does not need to first establish a TCP connection with the intermediate cleaning device; this improves the efficiency with which the client and server establish a TCP connection and saves system resources.
To better explain the embodiments of the present invention, the process of protecting against a DDOS attack is described below with a specific real-world scenario.
In the process shown in Figure 5, the attacker first forges a large number of SYN Flood messages and sends them to the server. The intermediate cleaning device counts the SYN Flood messages and, once they exceed the SYN message threshold configured for the protected server, enters the protection state. The intermediate cleaning device then cleans and intercepts the subsequently received SYN Flood messages by certain means, for example an adaptive SYN retransmission interval that precisely matches the SYN retransmission interval of client traffic so that the forged SYN Flood messages are washed out, or by other means that achieve the purpose of cleaning SYN Flood messages.
During the whole attack process, because the server is in the protected state on the intermediate cleaning device, a normal client accessing the server goes through the following processing flow:
(1) The client sends a SYN message requesting a TCP connection with the server.
(2) After intercepting the client's first SYN request message, the intermediate cleaning device receives the retransmitted SYN request message within the retransmission interval, records the five-tuple and sequence number information of the SYN request message, and lets the message through.
(3) After the server receives the SYN message, it returns a correct [SYN, ACK] message to the client. After receiving this message, the client is in one of two situations: first, the TCP connection request has timed out; second, the TCP connection request has not timed out.
(4) If the connection request has not timed out, the client returns an ACK message; the intermediate cleaning device verifies, according to the five-tuple information and sequence number of the ACK message, that this is a normal client, and after verification lets the message through to the server. The client and server then communicate directly.
(5) If the connection request has timed out, the client returns a RST message; the intermediate cleaning device verifies, according to the five-tuple and sequence number of the RST message, that this is a normal client, and after verification sends the RST message to the server, which tears down the connection. The client can then issue a TCP connection request again; the intermediate cleaning device lets this connection request and the subsequent message exchange through directly, and the client and server communicate directly.
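The processing flow (1) to (5) above, together with steps 411 to 415, as an added example that is not the patent's or the assignee's code: a constructed Python model of the intermediate cleaning device that counts SYN messages per destination, intercepts a client's first SYN, records the five-tuple and sequence number of the retransmitted SYN, and verifies the later ACK or RST against them. Assumptions, labelled in the code: "consistent" sequence numbers means the TCP relation seq == recorded ISN + 1; a retransmitted SYN carries the same ISN and arrives between retrans_min and retrans_max seconds after the first; trust after verification is keyed by (client IP, server IP); server-to-client traffic is not filtered; the threshold, window and interval values are constructed.

```python
"""Constructed model of the SYN Flood cleaning device described in the patent.

Added example, not the patent's or NSFOCUS's code. Assumptions (constructed):
  - "consistent" means seq == recorded ISN + 1 for the client's ACK or RST
    that answers the server's [SYN, ACK];
  - a retransmitted SYN carries the same ISN and arrives between retrans_min
    and retrans_max seconds after the intercepted first SYN;
  - a verified client is trusted per (client IP, server IP), so its next
    connection request after a RST is let through directly;
  - traffic from the server side is not filtered; protection state is never left.
"""
from collections import defaultdict
from dataclasses import dataclass, field

FORWARD, DROP = "FORWARD", "DROP"


@dataclass
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str            # "SYN", "SYN-ACK", "ACK", "RST", "PSH-ACK"
    seq: int
    ack: int = 0
    t: float = 0.0        # arrival time in seconds (constructed clock)

    def five_tuple(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, "tcp")


@dataclass
class CleaningDevice:
    syn_threshold: int = 50      # SYN messages per window toward one destination
    window: float = 1.0          # seconds of SYN history kept per destination
    retrans_min: float = 0.5     # assumed bounds of the client SYN retransmission interval
    retrans_max: float = 6.0
    protected: set = field(default_factory=set)                      # server IPs in protection state
    _syn_times: dict = field(default_factory=lambda: defaultdict(list))
    _first_syn: dict = field(default_factory=dict)                   # five-tuple -> (time, ISN) of intercepted SYN
    _recorded: dict = field(default_factory=dict)                    # five-tuple -> ISN of the forwarded SYN
    _trusted: set = field(default_factory=set)                       # (client_ip, server_ip) that passed verification

    def _count_syn(self, seg: Segment) -> None:
        # Count SYNs per destination address; exceed the threshold -> protection state.
        times = self._syn_times[seg.dst_ip]
        times.append(seg.t)
        while times and times[0] < seg.t - self.window:
            times.pop(0)
        if len(times) > self.syn_threshold:
            self.protected.add(seg.dst_ip)

    def process(self, seg: Segment) -> str:
        """Return FORWARD or DROP for one segment seen by the device."""
        if seg.flags == "SYN":
            self._count_syn(seg)
        if seg.dst_ip not in self.protected:
            return FORWARD            # destination not under protection: pass everything
        if seg.src_ip in self.protected:
            return FORWARD            # server -> client direction is not filtered (assumption)
        ft = seg.five_tuple()
        pair = (seg.src_ip, seg.dst_ip)
        if pair in self._trusted:
            return FORWARD            # verified client re-establishing or communicating
        if seg.flags == "SYN":
            if ft not in self._first_syn:
                self._first_syn[ft] = (seg.t, seg.seq)
                return DROP           # first SYN is intercepted; a real stack retransmits it
            t0, isn = self._first_syn[ft]
            if seg.seq == isn and self.retrans_min <= seg.t - t0 <= self.retrans_max:
                self._recorded[ft] = isn   # record five-tuple and sequence number, let it through
                return FORWARD
            return DROP               # wrong ISN or outside the retransmission interval
        if seg.flags in ("ACK", "RST"):
            # Step (4)/(5): compare with the recorded five-tuple and sequence number.
            isn = self._recorded.get(ft)
            if isn is not None and seg.seq == isn + 1:
                self._trusted.add(pair)
                return FORWARD
            return DROP               # inconsistent: treated as a likely attacker
        return DROP                   # other segments from an unverified client
```

Spoofed SYNs that are never retransmitted, and ACK or RST segments with no matching recorded SYN, are dropped, while a client that retransmits within the interval and answers with the expected sequence number is let through.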
Compared with existing mainstream SYN Flood protection schemes, the DDOS protection scheme proposed by the embodiments of the present invention not only guarantees normal communication between normal clients and the server while cleaning SYN Flood messages, but also guarantees normal communication between the server and clients that do not respond to a wrong [SYN, ACK] message or do not respond to the peer's disconnection. The embodiments of the present invention have adapted well to current payment clients and mobile clients and solve the problem that existing SYN Flood protection schemes block regular traffic.
Based on the same technical idea, Fig. 6 schematically shows the structure of a system for protecting against DDOS attacks provided by an embodiment of the present invention; the system can execute the DDOS protection process.
As shown in Fig. 6, the system specifically includes: a client 601, an intermediate cleaning device 602 and a server 603;
the client 601 is configured to send a SYN request message to the server 603 through the intermediate cleaning device 602 within the retransmission interval, the SYN request message including first five-tuple information and first sequence number information;
the intermediate cleaning device 602 is configured to, after receiving the SYN request message that the client 601 sends to the server 603, record the first five-tuple information and the first sequence number information and forward the SYN request message to the server 603, so that the server 603 sends a SYN confirmation message;
the client 601 is further configured to, after receiving the SYN confirmation message with a correct confirmation number sent by the server 603, determine whether the current connection request has timed out, and if not, send a confirmation message to the server 603 through the intermediate cleaning device 602, the confirmation message including second five-tuple information and second sequence number information;
the intermediate cleaning device 602 is further configured to, after receiving the confirmation message that the client 601 sends to the server 603, verify the client 601 according to the second five-tuple information and the second sequence number information, and forward the confirmation message to the server 603 after verification passes, so that the client 601 and the server 603 complete the establishment of the TCP connection.
Optionally, the client 601 is further configured to, if it determines that the current connection request has timed out, send a RST message to the server 603 through the intermediate cleaning device 602, the RST message including third five-tuple information and third sequence number information;
the intermediate cleaning device 602 is further configured to, after receiving the RST message that the client 601 sends to the server 603, verify the client 601 according to the third five-tuple information and the third sequence number information, and forward the RST message to the server 603 after verification passes;
the client 601 is further configured to send a TCP connection request to the server 603, establish the TCP connection with the server 603, and communicate.
Optionally, the client 601 is further configured to:
after the intermediate cleaning device 602 forwards the confirmation message to the server 603, communicate directly with the server 603.
Optionally, the intermediate cleaning device 602 is further configured to:
before receiving the SYN request message sent by the client 601, count the SYN messages sent to the server 603, and enter the protection state when it determines that the SYN messages reaching the same destination address exceed a threshold.
Based on the same technical idea, an embodiment of the present invention further provides a computer-readable storage medium storing computer-executable instructions for causing a computer to execute the above method for protecting against DDOS attacks.
Based on the same technical idea, an embodiment of the present invention further provides a computing device, comprising:
a memory for storing program instructions;
a processor for calling the program instructions stored in the memory and executing the above method for protecting against DDOS attacks according to the obtained program.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device that implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, once a person skilled in the art knows the basic inventive concept, additional changes and modifications may be made to these embodiments. Therefore, the following claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.

Claims (10)

1. A method for protecting against a distributed denial of service (DDOS) attack, characterized by comprising:
a client sending a synchronize sequence number (SYN) request message to a server through an intermediate cleaning device within a retransmission interval, the SYN request message including first five-tuple information and first sequence number information;
the intermediate cleaning device, after receiving the SYN request message that the client sends to the server, recording the first five-tuple information and the first sequence number information, and forwarding the SYN request message to the server so that the server sends a SYN confirmation message;
the client, after receiving the SYN confirmation message with a correct confirmation number sent by the server, determining whether the current connection request has timed out;
if not, the client sending a confirmation message to the server through the intermediate cleaning device, the confirmation message including second five-tuple information and second sequence number information;
the intermediate cleaning device, after receiving the confirmation message that the client sends to the server, verifying the client according to the second five-tuple information and the second sequence number information, and forwarding the confirmation message to the server after verification passes, so that the client and the server complete the establishment of a transmission control protocol (TCP) connection.
2. The method according to claim 1, characterized by further comprising:
if the client determines that the current connection request has timed out, the client sending a reset (RST) message to the server through the intermediate cleaning device, the RST message including third five-tuple information and third sequence number information;
the intermediate cleaning device, after receiving the RST message that the client sends to the server, verifying the client according to the third five-tuple information and the third sequence number information, and forwarding the RST message to the server after verification passes;
the client sending a TCP connection request to the server, establishing the TCP connection with the server, and communicating.
3. The method according to claim 1, characterized in that, after the intermediate cleaning device forwards the confirmation message to the server, the client communicates directly with the server.
4. The method according to any one of claims 1 to 3, characterized in that, before the intermediate cleaning device receives the SYN request message sent by the client, the method further comprises:
the intermediate cleaning device counting the SYN messages sent to the server, and entering a protection state when it determines that the SYN messages reaching the same destination address exceed a threshold.
5. A system for protecting against a distributed denial of service (DDOS) attack, characterized by comprising: a client, an intermediate cleaning device and a server;
the client is configured to send a synchronize sequence number (SYN) request message to the server through the intermediate cleaning device within a retransmission interval, the SYN request message including first five-tuple information and first sequence number information;
the intermediate cleaning device is configured to, after receiving the SYN request message that the client sends to the server, record the first five-tuple information and the first sequence number information, and forward the SYN request message to the server so that the server sends a SYN confirmation message;
the client is further configured to, after receiving the SYN confirmation message with a correct confirmation number sent by the server, determine whether the current connection request has timed out, and if not, send a confirmation message to the server through the intermediate cleaning device, the confirmation message including second five-tuple information and second sequence number information;
the intermediate cleaning device is further configured to, after receiving the confirmation message that the client sends to the server, verify the client according to the second five-tuple information and the second sequence number information, and forward the confirmation message to the server after verification passes, so that the client and the server complete the establishment of a transmission control protocol (TCP) connection.
6. The system according to claim 5, characterized in that the client is further configured to, if it determines that the current connection request has timed out, send a reset (RST) message to the server through the intermediate cleaning device, the RST message including third five-tuple information and third sequence number information;
the intermediate cleaning device is further configured to, after receiving the RST message that the client sends to the server, verify the client according to the third five-tuple information and the third sequence number information, and forward the RST message to the server after verification passes;
the client is further configured to send a TCP connection request to the server, establish the TCP connection with the server, and communicate.
7. The system according to claim 5, characterized in that the client is further configured to:
after the intermediate cleaning device forwards the confirmation message to the server, communicate directly with the server.
8. The system according to any one of claims 5 to 7, characterized in that the intermediate cleaning device is further configured to:
before receiving the SYN request message sent by the client, count the SYN messages sent to the server, and enter a protection state when it determines that the SYN messages reaching the same destination address exceed a threshold.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer-executable instructions for causing a computer to execute the method according to any one of claims 1 to 4.
10. A computing device, characterized by comprising:
a memory for storing program instructions;
a processor for calling the program instructions stored in the memory and executing the method according to any one of claims 1 to 4 according to the obtained program.
CN201811640337.3A 2018-12-29 2018-12-29 Method and system for preventing DDOS attack Active CN109639712B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811640337.3A CN109639712B (en) 2018-12-29 2018-12-29 Method and system for preventing DDOS attack

Publications (2)

Publication Number Publication Date
CN109639712A true CN109639712A (en) 2019-04-16
CN109639712B CN109639712B (en) 2021-09-10

Family

ID=66054647

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811640337.3A Active CN109639712B (en) 2018-12-29 2018-12-29 Method and system for preventing DDOS attack

Country Status (1)

Country Link
CN (1) CN109639712B (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111526126A (en) * 2020-03-29 2020-08-11 杭州迪普科技股份有限公司 Data security transmission method, data security device and system
CN111970308A (en) * 2020-09-03 2020-11-20 杭州安恒信息技术股份有限公司 Method, device and equipment for protecting SYN Flood attack
CN112055028A (en) * 2020-09-11 2020-12-08 北京知道创宇信息技术股份有限公司 Network attack defense method and device, electronic equipment and storage medium
CN112615866A (en) * 2020-12-22 2021-04-06 杭州易安联科技有限公司 Pre-authentication method, device and system for TCP connection
CN112702358A (en) * 2021-01-04 2021-04-23 北京金山云网络技术有限公司 SYN Flood attack protection method and device, electronic device and storage medium
CN113726757A (en) * 2021-08-24 2021-11-30 杭州迪普科技股份有限公司 Verification method and device for HTTPS (hypertext transfer protocol secure) protocol client
CN114124489A (en) * 2021-11-11 2022-03-01 中国建设银行股份有限公司 Method, cleaning device, equipment and medium for preventing flow attack
CN114640704A (en) * 2022-05-18 2022-06-17 山东云天安全技术有限公司 Communication data acquisition method, system, computer equipment and readable storage medium
CN114697088A (en) * 2022-03-17 2022-07-01 神州绿盟成都科技有限公司 Method and device for determining network attack and electronic equipment
CN115499216A (en) * 2022-09-15 2022-12-20 中国电信股份有限公司 Attack defense method and device, storage medium and electronic equipment
CN110995612B (en) * 2019-11-25 2023-08-29 浙江中控技术股份有限公司 Message processing method, system and communication equipment
CN117579233A (en) * 2024-01-15 2024-02-20 杭州优云科技股份有限公司 Message retransmission method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101599957A (en) * 2009-06-04 2009-12-09 东软集团股份有限公司 A kind of defence method of SYN flood attack and device
CN104683293A (en) * 2013-11-27 2015-06-03 杭州迪普科技有限公司 SYN attack defense method based on logic device
CN105827646A (en) * 2016-05-17 2016-08-03 浙江宇视科技有限公司 SYN attack protecting method and device
US9742732B2 (en) * 2012-03-12 2017-08-22 Varmour Networks, Inc. Distributed TCP SYN flood protection
CN107770120A (en) * 2016-08-15 2018-03-06 台山市金讯互联网络科技有限公司 A kind of flood attack detection method of distributed monitoring

Also Published As

Publication number Publication date
CN109639712B (en) 2021-09-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Applicant after: NSFOCUS Technologies Group Co.,Ltd.

Applicant after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Applicant before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Applicant before: NSFOCUS TECHNOLOGIES Inc.

GR01 Patent grant