CN109639712A - A kind of method and system for protecting DDOS attack - Google Patents
- Publication number
- CN109639712A (application number CN201811640337.3A)
- Authority
- CN
- China
- Prior art keywords
- server
- client
- message
- cleaning equipment
- syn
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H04L63/1458: Denial of Service (under H04L63/1441 Countermeasures against malicious traffic; H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic; H04L63/00 Network architectures or network communication protocols for network security; H04L Transmission of digital information; H04 Electric communication technique; H Electricity)
- H04L63/08: Network architectures or network communication protocols for network security for authentication of entities (under H04L63/00; H04L; H04; H)
- H04L67/141: Setup of application sessions (under H04L67/14 Session management; H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L; H04; H)
- H04L69/163: In-band adaptation of TCP data exchange; in-band control procedures (under H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]; H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass; H04L; H04; H)
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a method and system for protecting against DDOS attacks. In the method, the client sends a SYN request message to the server through an intermediate cleaning device at the retransmission interval; the intermediate cleaning device records the first five-tuple information and the first sequence number information in the SYN request message; after receiving the SYN confirmation message with the correct confirmation number sent by the server, the client determines whether the current connection request has timed out and, if not, sends a confirmation message to the server through the intermediate cleaning device; the intermediate cleaning device verifies the client according to the confirmation message and forwards the confirmation message to the server after the verification passes, so that the client establishes a TCP connection with the server. Because the scheme involves neither of the two behaviours, a client not responding to a [SYN, ACK] message with a wrong confirmation number or a client not responding after the TCP connection is broken by the peer, normal communication between a normal client and the server is guaranteed while DDOS attacks are protected against.
Description
Technical field
Embodiments of the present invention relate to the technical field of DDOS (Distributed Denial of Service) attack protection, and in particular to a method and system for protecting against DDOS attacks.
Background technique
SYN (Synchronize Sequence Numbers) Flood is one of the most common DDoS methods. It exploits a weakness of TCP (Transmission Control Protocol) by forging a large number of TCP connection requests in order to exhaust the resources of the attacked party. To defend against SYN Flood, there are currently two main mainstream protection schemes:
The first is shown in Fig. 1. In this scheme, after receiving a SYN request message, the intermediate cleaning device replies with a [SYN, ACK (acknowledgement)] message carrying a wrong confirmation number. Under normal circumstances a normal client returns an RST message to break the connection and re-initiates the three-way handshake, thereby passing the verification of the intermediate cleaning device and then communicating directly with the server. An attacker cannot support this protocol interaction, so the SYN Flood messages are intercepted by the intermediate cleaning device and protection is achieved. In this scheme, the client must first establish a TCP connection with the intermediate cleaning device through a three-way handshake before it can pass the device's verification; that is, the TCP connection initiated by the client is not established with the server, but the intermediate cleaning device establishes the TCP connection in place of the server.
The second is shown in Fig. 2. In this scheme, after receiving a SYN message, the intermediate cleaning device replies with a [SYN, ACK] message carrying the correct confirmation number; a normal client replies with an ACK message and establishes a TCP connection with the intermediate cleaning device, at which point the intermediate cleaning device replies with an RST (reset) message to block the connection. Under normal circumstances the client issues the connection request again, thereby passing the verification of the intermediate cleaning device and communicating directly with the server. An attacker cannot support this protocol interaction, so the SYN Flood messages are intercepted by the intermediate cleaning device and protection is achieved. In this scheme, the client also first establishes a TCP connection with the intermediate cleaning device through a three-way handshake, and the intermediate cleaning device then verifies the client by disconnecting; likewise, the intermediate cleaning device establishes the TCP connection in place of the server.
With the sharp increase in network attacks, many of today's normal clients, especially payment clients, exhibit the following protocol behaviours: first, they do not respond to a wrong [SYN, ACK] message returned by the server; second, once an established TCP connection is broken by the intermediate cleaning device, they no longer respond. When the existing SYN Flood protection algorithms are used, clients with either of these two protocol behaviours stop responding, so the normal communication of such clients is blocked and normal business is affected.
Summary of the invention
Embodiments of the present invention provide a method and system for protecting against DDOS attacks, so as to guarantee normal business communication of the client while protecting against DDOS attacks.
A method for protecting against DDOS attacks provided in an embodiment of the present invention comprises:
the client sends a SYN request message to the server through an intermediate cleaning device at the retransmission interval, the SYN request message including first five-tuple information and first sequence number information;
after receiving the SYN request message sent by the client to the server, the intermediate cleaning device records the first five-tuple information and the first sequence number information and forwards the SYN request message to the server, so that the server sends a SYN confirmation message;
after receiving the SYN confirmation message with the correct confirmation number sent by the server, the client determines whether the current connection request has timed out;
if not, the client sends a confirmation message to the server through the intermediate cleaning device, the confirmation message including second five-tuple information and second sequence number information;
after receiving the confirmation message sent by the client to the server, the intermediate cleaning device verifies the client according to the second five-tuple information and the second sequence number information, and after the verification passes forwards the confirmation message to the server, so that the client and the server complete the establishment of the TCP connection.
In the above technical solution, after receiving the SYN confirmation message sent by the server, if the current connection request has not timed out, the client sends a confirmation message to the server through the intermediate cleaning device; the intermediate cleaning device verifies the client and, after the verification passes, sends the confirmation message to the server, so that a TCP connection is established with the server. Neither of the two behaviours, a client not responding to a [SYN, ACK] message with a wrong confirmation number or a client not responding after the TCP connection is broken by the peer, is involved, so direct normal communication between the client and the server is guaranteed while DDOS attacks are protected against; the scheme is well suited to payment-class or mobile-class clients, and solves the problem that existing SYN Flood protection schemes block the normal business communication of normal clients. At the same time, since the intermediate cleaning device verifies the client during the establishment of the TCP connection between the client and the server, the client does not need to first establish a TCP connection with the intermediate cleaning device; this improves the efficiency with which the client and the server establish the TCP connection and saves system resources.
Optionally, the method further comprises:
if the client determines that the current connection request has timed out, the client sends an RST message to the server through the intermediate cleaning device, the RST message including third five-tuple information and third sequence number information;
after receiving the RST message sent by the client to the server, the intermediate cleaning device verifies the client according to the third five-tuple information and the third sequence number information, and after the verification passes forwards the RST message to the server;
the client sends a TCP connection request to the server, establishes the TCP connection with the server, and communicates.
In the above technical solution, after receiving the SYN confirmation message sent by the server, the client sends a confirmation message to the server through the intermediate cleaning device if the current connection request has not timed out, and the intermediate cleaning device verifies the client according to the second five-tuple information and the second sequence number information in the confirmation message and sends the confirmation message to the server after the verification passes; if the current connection request has timed out, the client sends an RST message to the server through the intermediate cleaning device, and the intermediate cleaning device verifies the client according to the third five-tuple information and the third sequence number information in the RST message and sends the RST message to the server after the verification passes. In this way a TCP connection is established with the server, and neither of the two behaviours, a client not responding to a [SYN, ACK] message with a wrong confirmation number or a client not responding after the TCP connection is broken by the peer, is involved. Normal communication between a normal client and the server is guaranteed while DDOS attacks are protected against, the scheme is well suited to payment-class or mobile-class clients, and the problem that existing SYN Flood protection schemes block normal business is solved. At the same time, since the intermediate cleaning device verifies the client during the establishment of the TCP connection between the client and the server, the client does not need to first establish a TCP connection with the intermediate cleaning device; this improves the efficiency with which the client and the server establish the TCP connection and saves system resources.
Optionally, after the intermediate cleaning device forwards the confirmation message to the server, the client communicates directly with the server.
In the above technical solution, once the intermediate cleaning device has forwarded the confirmation message to the server, the client and the server have completed the establishment of the TCP connection; the client no longer needs to pass the verification of the intermediate cleaning device and can communicate directly with the server.
Optionally, before the intermediate cleaning device receives the SYN request message sent by the client, the method further comprises:
the intermediate cleaning device counts the SYN messages sent to the server, and enters the protection state when it confirms that the number of SYN messages reaching the same destination address exceeds a threshold.
Correspondingly, an embodiment of the present invention also provides a system for protecting against DDOS attacks, comprising: a client, an intermediate cleaning device and a server;
the client is configured to send a SYN request message to the server through the intermediate cleaning device at the retransmission interval, the SYN request message including first five-tuple information and first sequence number information;
the intermediate cleaning device is configured to, after receiving the SYN request message sent by the client to the server, record the first five-tuple information and the first sequence number information and forward the SYN request message to the server, so that the server sends a SYN confirmation message;
the client is further configured to, after receiving the SYN confirmation message with the correct confirmation number sent by the server, determine whether the current connection request has timed out, and if not, send a confirmation message to the server through the intermediate cleaning device, the confirmation message including second five-tuple information and second sequence number information;
the intermediate cleaning device is further configured to, after receiving the confirmation message sent by the client to the server, verify the client according to the second five-tuple information and the second sequence number information, and after the verification passes forward the confirmation message to the server, so that the client and the server complete the establishment of the Transmission Control Protocol (TCP) connection.
Optionally, the client is further configured to, if it determines that the current connection request has timed out, send an RST message to the server through the intermediate cleaning device, the RST message including third five-tuple information and third sequence number information;
the intermediate cleaning device is further configured to, after receiving the RST message sent by the client to the server, verify the client according to the third five-tuple information and the third sequence number information, and after the verification passes forward the RST message to the server;
the client is further configured to send a TCP connection request to the server, establish the TCP connection with the server, and communicate.
Optionally, the client is further configured to:
communicate directly with the server after the intermediate cleaning device forwards the confirmation message to the server.
Optionally, the intermediate cleaning device is further configured to:
before receiving the SYN request message sent by the client, count the SYN messages sent to the server, and enter the protection state when it confirms that the number of SYN messages reaching the same destination address exceeds a threshold.
Correspondingly, an embodiment of the present invention also provides a computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being for causing a computer to execute the above method for protecting against DDOS attacks.
Correspondingly, an embodiment of the present invention also provides a computing device, comprising:
a memory for storing program instructions;
a processor for calling the program instructions stored in the memory and executing the above method for protecting against DDOS attacks according to the obtained program.
Detailed description of the invention
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings required in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a schematic diagram of a SYN Flood attack defence scheme provided in an embodiment of the present invention;
Fig. 2 is a schematic diagram of a SYN Flood attack defence scheme provided in an embodiment of the present invention;
Fig. 3 is a schematic diagram of a system architecture provided in an embodiment of the present invention;
Fig. 4 is a flow diagram of a method for protecting against DDOS attacks provided in an embodiment of the present invention;
Fig. 5 is a schematic diagram of a method for protecting against DDOS attacks provided in an embodiment of the present invention;
Fig. 6 is a structural diagram of a system for protecting against DDOS attacks provided in an embodiment of the present invention.
Specific embodiment
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Fig. 3 shows the system architecture to which embodiments of the present invention apply. As shown in Fig. 3, the system architecture may include a client 100, an intermediate cleaning device 200 and a server 300.
The intermediate cleaning device 200 is located between the client 100 and the server 300, and is used to intercept SYN Flood attacks and to verify the client.
It should be noted that the structure shown in Fig. 3 is only an example, and embodiments of the present invention are not limited thereto.
Based on the above description, Fig. 4 exemplarily shows the flow of a method for protecting against DDOS attacks provided in an embodiment of the present invention. The flow can be executed by the system for protecting against DDOS attacks, and is described below through the interaction of the client, the intermediate cleaning device and the server.
As shown in Fig. 4, the specific steps of the flow comprise:
Step 401, the client sends a SYN request message to the intermediate cleaning device.
The SYN request message includes first five-tuple information and first sequence number information. The first five-tuple information and the first sequence number information are used by the intermediate cleaning device to verify the client after it subsequently receives messages sent by the client, that is, to verify whether the client is a normal client. The SYN request message is sent at the retransmission interval because it is a retransmitted message; the SYN request message is the first message sent by the client to the server, so its sequence number is equivalent to 1. Since the intermediate cleaning device is already in the protection state at this time, it verifies all SYN request messages; therefore the SYN request message sent by the client for the first time is washed out by the intermediate cleaning device, that is, the device refuses to forward the first-sent SYN request message to the server, thereby preventing SYN Flood attacks. Consequently, when the client receives no response from the server within the retransmission interval, it retransmits the SYN request message, and only when the intermediate cleaning device receives the SYN request message again does it let the SYN request message pass.
In embodiments of the present invention, the retransmission interval is made adaptive (it is set empirically), so as to accurately match the SYN retransmission interval of client traffic while washing out forged SYN Flood messages; the purpose of cleaning SYN Flood messages may also be achieved by other means.
It should be noted that before the client sends the SYN request message, the intermediate cleaning device may count the SYN messages sent to the server and enter the protection state when it confirms that the number of SYN messages reaching the same destination address exceeds a threshold, so as to protect against SYN Flood attacks. The threshold may be set empirically.
Step 402, the intermediate cleaning device records the first five-tuple information and the first sequence number information.
The SYN request message received by the intermediate cleaning device, which the client sent to the server, includes the first five-tuple information and the first sequence number information; the intermediate cleaning device records them so that it can verify the client in subsequent interaction, that is, verify whether the client is a normal client.
Step 403, the intermediate cleaning device sends the SYN request message to the server.
After the intermediate cleaning device has recorded the first five-tuple information and the first sequence number information in the SYN request message, it lets the SYN request message pass and sends it to the server, so that the server sends a SYN confirmation message to the client.
Step 404, the server sends a SYN confirmation message to the client.
After receiving the SYN request message sent by the client, the server sends a SYN confirmation message to the client. This SYN confirmation message carries the correct confirmation number. Because what the server sends to the client is a SYN confirmation message with the correct confirmation number, a client that does not respond to SYN confirmation messages with a wrong confirmation number can still communicate normally: the confirmation message sent by such a client is not intercepted.
Step 405, the client judges whether the current connection request has timed out; if so, proceed to step 410, otherwise proceed to step 406.
After receiving the SYN confirmation message with the correct confirmation number sent by the server, the client first needs to judge whether the current connection request has timed out. Timeout here means whether establishing this TCP connection would exceed the TCP connection establishment time; if it would, the request has timed out and this TCP connection can be abandoned. If it would not, then after the client returns the confirmation message no TCP connection establishment timeout will be caused.
Step 406, the client sends a confirmation message to the intermediate cleaning device.
When the client confirms in step 405 that the current connection request has not timed out, it can continue to send a confirmation message to the server. Because the intermediate cleaning device has not yet verified the client, the message is still intercepted by the intermediate cleaning device, so the confirmation message sent by the client to the server first passes through the intermediate cleaning device. The confirmation message is used to complete the establishment of the TCP connection with the server. It includes second five-tuple information and second sequence number information, so that the intermediate device can verify the client according to them.
Step 407, the intermediate cleaning device verifies the client.
After receiving the confirmation message sent by the client, the intermediate cleaning device verifies the client according to the second five-tuple information and the second sequence number information in the confirmation message. Specifically, the intermediate cleaning device compares the client's first five-tuple information and first sequence number information with the second five-tuple information and second sequence number information; if the two are consistent, the client is confirmed to be a normal client and the verification passes. After the verification passes, the intermediate cleaning device no longer intercepts the communication messages between the client and the server but lets the communication between them pass, until the TCP connection established between the client and the server is disconnected.
If the second five-tuple information and second sequence number information sent by the client at this time fail the verification, they are inconsistent with the client's first five-tuple information and first sequence number information, which indicates that the client is likely a DDOS attacker; the intermediate cleaning device then intercepts the confirmation message and does not let it pass to the server, thereby achieving protection against DDOS attacks.
Because neither of the two behaviours, a client not responding to a [SYN, ACK] message with a wrong confirmation number or a client not responding after the TCP connection is broken by the peer, is involved, direct normal communication between the client and the server is guaranteed while DDOS attacks are protected against; the scheme is well suited to payment-class or mobile-class clients and solves the problem that existing SYN Flood protection schemes block the normal business communication of normal clients. At the same time, since the intermediate cleaning device verifies the client during the establishment of the TCP connection between the client and the server, the client does not need to first establish a TCP connection with the intermediate cleaning device; this improves the efficiency with which the client and the server establish the TCP connection and saves system resources.
Step 408, the intermediate cleaning device sends the confirmation message to the server.
Only after the client has passed verification does the intermediate cleaning device send the confirmation message to the server, so that the client establishes the TCP connection with the server.
Step 409, the client and the server establish the TCP connection.
After the client and the server have established the TCP connection, the client can communicate directly with the server without further interception by the intermediate cleaning device.
Step 410, the client sends an RST message to the intermediate cleaning device.
When the client confirms in step 405 that the current connection request has timed out, the client sends an RST message to the server in order to restart the process of establishing a TCP connection with the server. The RST message includes third five-tuple information and third sequence number information, so that the intermediate cleaning device can verify the client according to them.
Step 411, the intermediate cleaning device verifies the client.
After receiving the RST message sent by the client to the server, the intermediate cleaning device verifies the client according to the third five-tuple information and third sequence number information in the RST message. Specifically, the intermediate cleaning device compares the client's first five-tuple information and first sequence number information with the third five-tuple information and third sequence number information; if the two are consistent, the client is confirmed to be a normal client and the verification passes. After the verification passes, the intermediate cleaning device no longer intercepts the communication messages between the client and the server but lets the communication between them pass; the client then re-establishes the TCP connection with the server, and the pass-through lasts until the TCP connection established between the client and the server is disconnected.
If the third five-tuple information and third sequence number information sent by the client at this time fail the verification, they are inconsistent with the client's first five-tuple information and first sequence number information, which indicates that the client is likely a DDOS attacker; the intermediate cleaning device then intercepts the message and does not let it pass to the server, thereby achieving protection against DDOS attacks. At the same time it is ensured that the connection is not disconnected by the intermediate cleaning device, so direct normal communication between the server and a normal client that does not respond to a disconnection by the peer is also guaranteed; that is, the intermediate cleaning device does not intercept the message of such a client that does not respond to a disconnection by the peer, but continues to verify the sender according to the message. In the prior-art schemes, the intermediate cleaning device intercepts such messages from clients that do not respond to a disconnection by the peer, which affects the direct normal communication between normal clients and the server.
At the same time, since the intermediate cleaning device verifies the client during the establishment of the TCP connection between the client and the server, the client does not need to first establish a TCP connection with the intermediate cleaning device; this improves the efficiency with which the client and the server establish the TCP connection and saves system resources.
Step 412, the intermediate cleaning device sends the RST message to the server.
After the client has passed verification, the intermediate cleaning device lets the RST message pass and sends it to the server. On receiving the RST message the server does not respond; it only needs to wait for the client to issue a TCP connection establishment request again.
Step 413, the client sends a first SYN request message to the server.
After the intermediate cleaning device has verified the client in step 411, it no longer intercepts the messages subsequently sent by the client, so at this point the client sends the first SYN request message directly to the server.
Step 414, the server sends a first SYN confirmation message to the client.
After receiving the first SYN request message sent by the client, the server sends a first SYN confirmation message to the client.
Step 415, the client sends a first confirmation message to the server.
After receiving the first SYN confirmation message sent by the server, the client sends a first confirmation message to the server to complete the establishment of the TCP connection.
Through the three-way handshake between the client and the server in steps 413 to 415, the client and the server successfully establish a TCP connection and TCP communication is realised.
The above embodiment shows that, after receiving the SYN confirmation message sent by the server, the client sends a confirmation message to the server through the intermediate cleaning device if the current connection request has not timed out; the intermediate cleaning device verifies the client according to the second five-tuple information and second sequence number information carried in the confirmation message and, once verification passes, forwards the confirmation message to the server. If the current connection request has timed out, the client instead sends an RST message to the server through the intermediate cleaning device; the intermediate cleaning device verifies the client according to the third five-tuple information and third sequence number information carried in the RST message and, once verification passes, forwards the RST message to the server. In this way the TCP connection with the server is established without the client having to exhibit either of two behaviours, namely responding to a [SYN, ACK] message with a wrong confirmation number or responding to the peer disconnecting the TCP connection. Normal communication between a normal client and the server is therefore preserved while the DDOS attack is mitigated, the scheme adapts well to payment-type and mobile-type clients, and the problem of existing SYN Flood protection schemes blocking regular traffic is solved. Moreover, because the intermediate cleaning device verifies the client during the TCP connection establishment between the client and the server, the client does not need to first establish a TCP connection with the intermediate cleaning device, which improves the efficiency with which the client and server establish the TCP connection and saves system resources.
To better explain the embodiment of the present invention, the process of protecting against a DDOS attack is described below through a concrete real-world scenario.
In the process shown in Fig. 5, an attacker first forges a large number of SYN Flood messages and sends them to the server. The intermediate cleaning device counts the SYN Flood messages, and once they exceed the SYN message threshold configured for the protected server, the intermediate cleaning device enters the protection state. The intermediate cleaning device then intercepts and cleans subsequently received SYN Flood messages by some means, for example by matching the SYN retransmission interval: it adapts to the SYN retransmission interval of client traffic so that it both precisely matches that interval and washes out the forged SYN Flood messages. Alternatively, it cleans the SYN Flood messages by other means.
During the entire attack, because the server is in the protection state on the intermediate cleaning device, a normal client accessing the server goes through the following processing flow:
(1) The client sends a SYN message to request a TCP connection with the server.
(2) The intermediate cleaning device intercepts the client's first SYN request message; when it receives the retransmitted SYN request message within the retransmission interval, it records the five-tuple and sequence number information of that SYN request message and lets the message through.
(3) After the server receives the SYN message, it returns a correct [SYN, ACK] message to the client. After the client receives this message there are two cases: first, the TCP connection request has already timed out; second, the TCP connection request has not timed out.
(4) If the connection request has not timed out, the client returns an ACK message. The intermediate cleaning device verifies from the five-tuple information and sequence number of the ACK message that the sender is a normal client and, after verification passes, lets the message through to the server; the client and server then communicate directly.
(5) If the connection request has timed out, the client returns an RST message. The intermediate cleaning device verifies from the five-tuple and sequence number of the RST message that the sender is a normal client and, after verification passes, sends the RST message to the server, which tears down the connection. The client then issues a TCP connection request again; the intermediate cleaning device lets this connection request and the subsequent message exchange pass directly, and the client and server communicate directly.
Compared with existing mainstream SYN Flood protection schemes, the scheme for protecting against DDOS attacks proposed in the embodiment of the present invention not only guarantees normal communication between a normal client and the server while cleaning SYN Flood messages, but also guarantees normal communication between the server and clients that do not respond to a wrong [SYN, ACK] message or do not respond to the peer disconnecting. The embodiment of the present invention has been adapted well to payment-type clients and mobile clients, and solves the problem of existing SYN Flood protection schemes blocking regular traffic.
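To make the behaviour of steps 411 to 415 and the Fig. 5 processing flow concrete, the following Python model of the intermediate cleaning device is an added example; it is not code from the patent or from its applicant. It models one device on the client-to-server path: per-destination SYN counting that enters the protection state above a threshold, interception of the first SYN and acceptance of its retransmission within the retransmission interval (recording five-tuple and sequence number), and verification of the client's ACK (not timed out) or RST (timed out) before forwarding. Everything numeric is an assumption for the demo (threshold, counting window, the 0.5 s to 6 s retransmission bounds), as is the concrete verification rule (the ACK or RST must carry sequence number ISN + 1, which RFC 793 requires of the host that actually sent the SYN) and the choice to trust the client address for its retry, since a fresh connection after an RST normally comes from a new ephemeral port rather than the same five-tuple. All addresses and traffic are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

FlowKey = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port); protocol is TCP


@dataclass
class Segment:
    # Only the TCP header fields the cleaning device inspects (constructed model, not a real packet).
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str        # "SYN", "ACK", "RST" or "DATA"
    seq: int
    ack: int = 0
    ts: float = 0.0   # arrival time in seconds on a constructed clock

    def key(self) -> FlowKey:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)


class CleaningDevice:
    """Model of the intermediate cleaning device on the client-to-server path.
    Threshold, window and retransmission bounds are demo assumptions; state tables are
    never aged out here, whereas a real device would expire stale entries."""

    def __init__(self, syn_threshold: int = 5, count_window: float = 1.0,
                 retrans_min: float = 0.5, retrans_max: float = 6.0) -> None:
        self.syn_threshold, self.count_window = syn_threshold, count_window
        self.retrans_min, self.retrans_max = retrans_min, retrans_max
        self.syn_times: Dict[str, List[float]] = {}            # dst_ip -> recent SYN arrival times
        self.protected: Set[str] = set()                       # server addresses in protection state
        self.first_syn: Dict[FlowKey, Tuple[float, int]] = {}  # intercepted first SYN: (ts, seq)
        self.recorded: Dict[FlowKey, int] = {}                 # five-tuple -> seq of the forwarded SYN
        self.trusted: Set[Tuple[str, str]] = set()             # (client_ip, server_ip) that passed verification

    def _count_syn(self, seg: Segment) -> None:
        """Count SYNs per destination in a sliding window; exceeding the threshold enters protection."""
        times = self.syn_times.setdefault(seg.dst_ip, [])
        times.append(seg.ts)
        times[:] = [t for t in times if seg.ts - t <= self.count_window]
        if len(times) > self.syn_threshold:
            self.protected.add(seg.dst_ip)

    def process(self, seg: Segment) -> str:
        """Decide "forward" or "drop" for one client-to-server segment."""
        if seg.flags == "SYN":
            self._count_syn(seg)
        if seg.dst_ip not in self.protected or (seg.src_ip, seg.dst_ip) in self.trusted:
            return "forward"   # server not under attack, or this client was already verified
        key = seg.key()
        if seg.flags == "SYN":
            if key not in self.first_syn:
                self.first_syn[key] = (seg.ts, seg.seq)   # intercept the first SYN; a real stack retransmits
                return "drop"
            first_ts, first_seq = self.first_syn[key]
            if seg.seq == first_seq and self.retrans_min <= seg.ts - first_ts <= self.retrans_max:
                self.recorded[key] = seg.seq   # genuine retransmission: record five-tuple and seq, let it pass
                return "forward"
            return "drop"   # wrong timing or a different ISN: not a retransmission of the intercepted SYN
        if seg.flags in ("ACK", "RST"):
            # Assumed check: the ACK (not timed out) or RST (timed out) must carry seq == ISN + 1,
            # which RFC 793 requires of the host that sent the SYN; a spoofed source never saw the SYN-ACK.
            expected = self.recorded.get(key)
            if expected is not None and seg.seq == expected + 1:
                self.trusted.add((seg.src_ip, seg.dst_ip))
                return "forward"
            return "drop"
        return "drop"   # data from an unverified source


SERVER = ("203.0.113.10", 443)   # constructed protected server address


def flood_then_normal_client() -> Tuple[List[str], List[str]]:
    """Constructed traffic: a spoofed SYN flood triggers protection, then a normal client connects."""
    dev = CleaningDevice(syn_threshold=5)
    flood = [Segment(f"198.51.100.{i}", 40000 + i, *SERVER, "SYN", seq=1000 + i, ts=0.01 * i)
             for i in range(1, 11)]
    flood_actions = [dev.process(s) for s in flood]
    c, isn = ("192.0.2.7", 51515), 777000
    client = [
        Segment(*c, *SERVER, "SYN", seq=isn, ts=1.0),                 # intercepted
        Segment(*c, *SERVER, "SYN", seq=isn, ts=2.0),                 # retransmitted after 1 s
        Segment(*c, *SERVER, "ACK", seq=isn + 1, ack=5001, ts=2.1),   # third handshake step
        Segment(*c, *SERVER, "DATA", seq=isn + 1, ack=5001, ts=2.2),  # application data
    ]
    return flood_actions, [dev.process(s) for s in client]


def timed_out_client() -> List[str]:
    """Constructed traffic for the RST branch: connect() timed out before the SYN-ACK arrived,
    so the client answers with RST and retries from a new ephemeral port."""
    dev = CleaningDevice(syn_threshold=0)   # threshold 0 forces protection on the first SYN
    c, isn = ("192.0.2.9", 50000), 42
    segs = [
        Segment(*c, *SERVER, "SYN", seq=isn, ts=0.0),
        Segment(*c, *SERVER, "SYN", seq=isn, ts=3.0),
        Segment(*c, *SERVER, "RST", seq=isn + 1, ts=9.0),                     # RST to the late SYN-ACK
        Segment("192.0.2.9", 50001, *SERVER, "SYN", seq=9000, ts=9.1),        # retry: client already trusted
        Segment("192.0.2.9", 50001, *SERVER, "ACK", seq=9001, ack=1, ts=9.2),
    ]
    return [dev.process(s) for s in segs]
```

Running `flood_then_normal_client()` shows the five SYNs that arrive before the threshold is crossed being forwarded, the rest of the flood being dropped, and the normal client losing only its first SYN before its retransmission, ACK and data pass; `timed_out_client()` shows the RST branch and the retried connection being let through directly. A spoofed source that never saw the SYN-ACK cannot produce an ACK or RST with the recorded sequence number, so its segments never reach the server.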
Based on the same technical idea, Fig. 6 schematically shows the structure of a system for protecting against a DDOS attack provided in an embodiment of the present invention; the system can execute the above process for protecting against a DDOS attack.
As shown in Fig. 6, the system specifically includes a client 601, an intermediate cleaning device 602 and a server 603.
The client 601 is configured to send, within the retransmission interval, a SYN request message to the server 603 through the intermediate cleaning device 602, the SYN request message comprising first five-tuple information and first sequence number information.
The intermediate cleaning device 602 is configured to, after receiving the SYN request message sent by the client 601 to the server 603, record the first five-tuple information and the first sequence number information and forward the SYN request message to the server 603, so that the server 603 sends a SYN confirmation message.
The client 601 is further configured to, after receiving the SYN confirmation message with a correct confirmation number sent by the server 603, determine whether the current connection request has timed out; and if not, send a confirmation message to the server 603 through the intermediate cleaning device 602, the confirmation message comprising second five-tuple information and second sequence number information.
The intermediate cleaning device 602 is further configured to, after receiving the confirmation message sent by the client 601 to the server 603, verify the client 601 according to the second five-tuple information and the second sequence number information, and forward the confirmation message to the server 603 after the verification passes, so that the client 601 and the server 603 complete the establishment of the TCP connection.
Optionally, the client 601 is further configured to, if it determines that the current connection request has timed out, send an RST message to the server 603 through the intermediate cleaning device 602, the RST message comprising third five-tuple information and third sequence number information.
The intermediate cleaning device 602 is further configured to, after receiving the RST message sent by the client 601 to the server 603, verify the client 601 according to the third five-tuple information and the third sequence number information, and forward the RST message to the server 603 after the verification passes.
The client 601 is further configured to send a TCP connection request to the server 603, establish the TCP connection with the server 603, and communicate.
Optionally, the client 601 is further configured to communicate directly with the server 603 after the intermediate cleaning device 602 has forwarded the confirmation message to the server 603.
Optionally, the intermediate cleaning device 602 is further configured to, before receiving the SYN request message sent by the client 601, count the SYN messages sent to the server 603 and, upon confirming that the SYN messages reaching the same destination address exceed a threshold, enter the protection state.
Based on the same technical idea, an embodiment of the present invention further provides a computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being for causing a computer to execute the above method for protecting against a DDOS attack.
Based on the same technical idea, an embodiment of the present invention further provides a computing device, comprising:
a memory for storing program instructions;
a processor for calling the program instructions stored in the memory and executing the above method for protecting against a DDOS attack in accordance with the obtained program.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although preferred embodiments of the present invention have been described, those skilled in the art may make additional changes and modifications to these embodiments once they know the basic inventive concept. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.
Claims (10)
1. A method for protecting against a distributed denial of service (DDOS) attack, comprising:
a client sending, within a retransmission interval, a synchronize sequence number (SYN) request message to a server through an intermediate cleaning device, the SYN request message comprising first five-tuple information and first sequence number information;
the intermediate cleaning device, after receiving the SYN request message sent by the client to the server, recording the first five-tuple information and the first sequence number information, and forwarding the SYN request message to the server, so that the server sends a SYN confirmation message;
the client, after receiving the SYN confirmation message with a correct confirmation number sent by the server, determining whether the current connection request has timed out;
if not, the client sending a confirmation message to the server through the intermediate cleaning device, the confirmation message comprising second five-tuple information and second sequence number information;
the intermediate cleaning device, after receiving the confirmation message sent by the client to the server, verifying the client according to the second five-tuple information and the second sequence number information, and forwarding the confirmation message to the server after the verification passes, so that the client and the server complete the establishment of a transmission control protocol (TCP) connection.
2. The method according to claim 1, further comprising:
if the client determines that the current connection request has timed out, the client sending a reset (RST) message to the server through the intermediate cleaning device, the RST message comprising third five-tuple information and third sequence number information;
the intermediate cleaning device, after receiving the RST message sent by the client to the server, verifying the client according to the third five-tuple information and the third sequence number information, and forwarding the RST message to the server after the verification passes;
the client sending a TCP connection request to the server, establishing the TCP connection with the server, and communicating.
3. The method according to claim 1, wherein after the intermediate cleaning device forwards the confirmation message to the server, the client communicates directly with the server.
4. The method according to any one of claims 1 to 3, wherein before the intermediate cleaning device receives the SYN request message sent by the client, the method further comprises:
the intermediate cleaning device counting the SYN messages sent to the server and, upon confirming that the SYN messages reaching the same destination address exceed a threshold, entering a protection state.
5. A system for protecting against a distributed denial of service (DDOS) attack, comprising a client, an intermediate cleaning device and a server, wherein:
the client is configured to send, within a retransmission interval, a synchronize sequence number (SYN) request message to the server through the intermediate cleaning device, the SYN request message comprising first five-tuple information and first sequence number information;
the intermediate cleaning device is configured to, after receiving the SYN request message sent by the client to the server, record the first five-tuple information and the first sequence number information and forward the SYN request message to the server, so that the server sends a SYN confirmation message;
the client is further configured to, after receiving the SYN confirmation message with a correct confirmation number sent by the server, determine whether the current connection request has timed out, and if not, send a confirmation message to the server through the intermediate cleaning device, the confirmation message comprising second five-tuple information and second sequence number information;
the intermediate cleaning device is further configured to, after receiving the confirmation message sent by the client to the server, verify the client according to the second five-tuple information and the second sequence number information, and forward the confirmation message to the server after the verification passes, so that the client and the server complete the establishment of a transmission control protocol (TCP) connection.
6. The system according to claim 5, wherein the client is further configured to, if it determines that the current connection request has timed out, send a reset (RST) message to the server through the intermediate cleaning device, the RST message comprising third five-tuple information and third sequence number information;
the intermediate cleaning device is further configured to, after receiving the RST message sent by the client to the server, verify the client according to the third five-tuple information and the third sequence number information, and forward the RST message to the server after the verification passes;
the client is further configured to send a TCP connection request to the server, establish the TCP connection with the server, and communicate.
7. The system according to claim 5, wherein the client is further configured to communicate directly with the server after the intermediate cleaning device has forwarded the confirmation message to the server.
8. The system according to any one of claims 5 to 7, wherein the intermediate cleaning device is further configured to, before receiving the SYN request message sent by the client, count the SYN messages sent to the server and, upon confirming that the SYN messages reaching the same destination address exceed a threshold, enter a protection state.
9. A computer-readable storage medium storing computer-executable instructions, the computer-executable instructions being for causing a computer to execute the method according to any one of claims 1 to 4.
10. A computing device, comprising:
a memory for storing program instructions;
a processor for calling the program instructions stored in the memory and executing the method according to any one of claims 1 to 4 in accordance with the obtained program.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811640337.3A CN109639712B (en) | 2018-12-29 | 2018-12-29 | Method and system for preventing DDOS attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109639712A true CN109639712A (en) | 2019-04-16 |
CN109639712B CN109639712B (en) | 2021-09-10 |
Family
ID=66054647
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811640337.3A Active CN109639712B (en) | 2018-12-29 | 2018-12-29 | Method and system for preventing DDOS attack |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109639712B (en) |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111526126A (en) * | 2020-03-29 | 2020-08-11 | 杭州迪普科技股份有限公司 | Data security transmission method, data security device and system |
CN111970308A (en) * | 2020-09-03 | 2020-11-20 | 杭州安恒信息技术股份有限公司 | Method, device and equipment for protecting SYN Flood attack |
CN112055028A (en) * | 2020-09-11 | 2020-12-08 | 北京知道创宇信息技术股份有限公司 | Network attack defense method and device, electronic equipment and storage medium |
CN112615866A (en) * | 2020-12-22 | 2021-04-06 | 杭州易安联科技有限公司 | Pre-authentication method, device and system for TCP connection |
CN112702358A (en) * | 2021-01-04 | 2021-04-23 | 北京金山云网络技术有限公司 | SYN Flood attack protection method and device, electronic device and storage medium |
CN113726757A (en) * | 2021-08-24 | 2021-11-30 | 杭州迪普科技股份有限公司 | Verification method and device for HTTPS (hypertext transfer protocol secure) protocol client |
CN114124489A (en) * | 2021-11-11 | 2022-03-01 | 中国建设银行股份有限公司 | Method, cleaning device, equipment and medium for preventing flow attack |
CN114640704A (en) * | 2022-05-18 | 2022-06-17 | 山东云天安全技术有限公司 | Communication data acquisition method, system, computer equipment and readable storage medium |
CN114697088A (en) * | 2022-03-17 | 2022-07-01 | 神州绿盟成都科技有限公司 | Method and device for determining network attack and electronic equipment |
CN115499216A (en) * | 2022-09-15 | 2022-12-20 | 中国电信股份有限公司 | Attack defense method and device, storage medium and electronic equipment |
CN110995612B (en) * | 2019-11-25 | 2023-08-29 | 浙江中控技术股份有限公司 | Message processing method, system and communication equipment |
CN117579233A (en) * | 2024-01-15 | 2024-02-20 | 杭州优云科技股份有限公司 | Message retransmission method and device |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101599957A (en) * | 2009-06-04 | 2009-12-09 | 东软集团股份有限公司 | A kind of defence method of SYN flood attack and device |
CN104683293A (en) * | 2013-11-27 | 2015-06-03 | 杭州迪普科技有限公司 | SYN attack defense method based on logic device |
CN105827646A (en) * | 2016-05-17 | 2016-08-03 | 浙江宇视科技有限公司 | SYN attack protecting method and device |
US9742732B2 (en) * | 2012-03-12 | 2017-08-22 | Varmour Networks, Inc. | Distributed TCP SYN flood protection |
CN107770120A (en) * | 2016-08-15 | 2018-03-06 | 台山市金讯互联网络科技有限公司 | A kind of flood attack detection method of distributed monitoring |
Also Published As
Publication number | Publication date |
---|---|
CN109639712B (en) | 2021-09-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building; Applicant after: NSFOCUS Technologies Group Co.,Ltd.; Applicant after: NSFOCUS TECHNOLOGIES Inc. Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building; Applicant before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.; Applicant before: NSFOCUS TECHNOLOGIES Inc. |
| GR01 | Patent grant | |