CN111970308A - Method, device and equipment for protecting SYN Flood attack - Google Patents


Info

Publication number
CN111970308A
Authority
CN
China
Prior art keywords
message
client
packet
sequence number
received
Prior art date
Legal status
Pending
Application number
CN202010916034.0A
Other languages
Chinese (zh)
Inventor
吴昊天
范渊
Current Assignee
DBAPPSecurity Co Ltd
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN202010916034.0A
Publication of CN111970308A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/34 Flow control; Congestion control ensuring sequence integrity, e.g. using sequence numbers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]

Abstract

The application discloses a method for protecting against a SYN Flood attack, comprising: when a first message sent by a client is received, discarding the first message; judging whether a second message sent by the client is received within a specified time period after the first message is discarded; if so, generating a rebound message from the second message and a preset confirmation sequence number and sending the rebound message to the client; when a third message sent by the client in response to the rebound message is received, obtaining a confirmation sequence number from the third message; judging whether the confirmation sequence number is equal to the preset confirmation sequence number; and if so, generating a response data packet corresponding to the third message and sending it to the client. The method effectively solves the problem of hackers carrying out SYN Flood attacks from legitimate IP addresses, improves the attack protection capability of the system and ensures the normal operation of the system. The application also discloses a device, a system and a computer-readable storage medium for protecting against the SYN Flood attack, which have the same beneficial effects.

Description

Method, device and equipment for protecting SYN Flood attack
Technical Field
The present application relates to the field of communication security technologies, and in particular, to a method for protecting against a SYN Flood attack, and further, to an apparatus, a system, and a computer-readable storage medium for protecting against a SYN Flood attack.
Background
SYN Flood is one of the most common DoS (Denial of Service) and DDoS (Distributed Denial of Service) methods. It exploits a weakness of the TCP protocol by sending a large number of forged TCP connection requests, thereby exhausting the resources of the attacked party (for example, driving the CPU to full load or running it out of memory).
When dealing with a SYN Flood attack, existing attack protection systems mainly perform traffic cleaning aimed at forged source IP addresses. They do not address a hacker carrying out a SYN Flood attack from a legitimate IP address, and the filtering conditions applied to legitimate IP addresses are too coarse-grained, so the hacker can easily exploit this gap to attack the system.
Therefore, how to effectively solve the problem of a hacker using a legitimate IP address to carry out a SYN Flood attack, improve the attack protection capability of the system and ensure its normal operation is a problem that those skilled in the art urgently need to solve.
Disclosure of Invention
An object of the present application is to provide a method for protecting against a SYN Flood attack, which can effectively solve the problem of a hacker carrying out a SYN Flood attack from a legitimate IP address, further improve the attack protection capability of a system and ensure the normal operation of the system; another object of the present application is to provide an apparatus, a system and a computer-readable storage medium for protecting against a SYN Flood attack, which also have the above-mentioned advantages.
In a first aspect, the present application provides a method for protecting against a SYN Flood attack, including:
when a first message sent by a client is received, discarding the first message;
judging whether a second message sent by the client side is received within a specified time period after the first message is discarded;
if so, generating a rebound message according to the second message and a preset confirmation sequence number and sending the rebound message to the client;
when a third message sent by the client according to the rebound message is received, acquiring a confirmation sequence number according to the third message;
judging whether the confirmation sequence number is equal to the preset confirmation sequence number or not;
and if so, generating a response data packet corresponding to the third message and sending the response data packet to the client.
Preferably, before discarding the first packet, the method further includes:
judging whether the client hits a white list or not according to the first message;
if so, sending the first message to a server;
if not, executing the step of discarding the first message.
Preferably, the determining whether the client hits the white list according to the first packet includes:
extracting the IP information and the port information of the client according to the first message;
carrying out hash operation on the IP information and the port information to obtain a source hash value;
judging whether the source hash value hits the white list or not;
if yes, confirming that the client hits the white list;
if not, the client side is determined not to hit the white list.
Preferably, the discarding the first packet includes:
judging whether the client hits a message hash table according to the first message;
if not, discarding the first message.
Preferably, the determining whether the client hits in the packet hash table according to the first packet includes:
extracting the IP information and the port information of the client, the IP information and the port information of the destination and the transmission protocol information according to the first message;
performing a hash operation on the IP information and the port information of the client, the IP information and the port information of the destination and the transmission protocol information to obtain a message hash value;
judging whether the message hash value hits the message hash table;
if yes, confirming that the client hits the message hash table;
if not, the client side is determined not to hit the message hash table.
Preferably, the obtaining the confirmation sequence number according to the third packet includes:
extracting packet header information of the third message;
and calculating to obtain the confirmation sequence number according to the packet header information.
In a second aspect, the present application further discloses an apparatus for protecting against SYN Flood attack, including:
the message discarding module is used for discarding a first message sent by a client when the first message is received;
the message judging module is used for judging whether a second message sent by the client side is received within a specified time period after the first message is discarded;
the message feedback module is used for generating a rebound message according to the second message and a preset confirmation sequence number and sending the rebound message to the client if the second message is received in the specified time period;
a sequence number extraction module, configured to, when a third packet sent by the client according to the rebound packet is received, obtain a confirmation sequence number according to the third packet;
a sequence number judgment module, configured to judge whether the confirmation sequence number is equal to the preset confirmation sequence number;
and the message response module is used for generating a response data packet corresponding to the third message and sending the response data packet to the client if the confirmation sequence number is equal to the preset confirmation sequence number.
In a third aspect, the present application further discloses a system for protecting against SYN Flood attack, including:
a memory for storing a computer program;
a processor for executing the computer program to implement any of the steps of the method for protecting against a SYN Flood attack as described above.
Preferably, the system for protecting against the SYN Flood attack is specifically an Anti-DDoS system.
In a fourth aspect, the present application also discloses a computer-readable storage medium, in which a computer program is stored, which, when being executed by a processor, is adapted to carry out the steps of any of the methods for protecting against a SYN Flood attack as described above.
The method for protecting the SYN Flood attack comprises the steps that when a first message sent by a client is received, the first message is discarded; judging whether a second message sent by the client side is received within a specified time period after the first message is discarded; if so, generating a rebound message according to the second message and a preset confirmation sequence number and sending the rebound message to the client; when a third message sent by the client according to the rebound message is received, acquiring a confirmation sequence number according to the third message; judging whether the confirmation sequence number is equal to the preset confirmation sequence number or not; and if so, generating a response data packet corresponding to the third message and sending the response data packet to the client.
Therefore, the method for protecting against SYN Flood attack provided by the application filters false client connection requests out of the received messages by means of first-packet discarding and real-source authentication, that is, it filters out false attack sources. Discarding the first packet greatly reduces the number of rebound messages, and real-source authentication effectively guarantees the authenticity of the client. Compared with the prior art, this implementation is better suited to preventing SYN Flood attacks initiated by hackers from legitimate IP addresses, effectively improves the attack protection capability of the system, and thereby guarantees the normal operation and normal data communication of the system.
The device, the system and the computer readable storage medium for protecting against the SYN Flood attack provided by the application all have the beneficial effects, and are not described herein again.
Drawings
In order to more clearly illustrate the technical solutions in the prior art and the embodiments of the present application, the drawings that are needed to be used in the description of the prior art and the embodiments of the present application will be briefly described below. Of course, the following description of the drawings related to the embodiments of the present application is only a part of the embodiments of the present application, and it will be obvious to those skilled in the art that other drawings can be obtained from the provided drawings without any creative effort, and the obtained other drawings also belong to the protection scope of the present application.
Fig. 1 is a schematic flow chart illustrating a method for protecting against SYN Flood attack according to the present invention;
Fig. 2 is a schematic flow chart illustrating another method for protecting against a SYN Flood attack according to the present invention;
Fig. 3 is a schematic structural diagram of an apparatus for protecting against SYN Flood attack according to the present invention;
Fig. 4 is a schematic structural diagram of a system for protecting against SYN Flood attack according to the present invention.
Detailed Description
The core of the application is to provide a method for protecting against SYN Flood attack, which can effectively solve the problem of hackers using legitimate IP addresses to carry out SYN Flood attacks, further improve the attack protection capability of the system and ensure the normal operation of the system; another core of the present application is to provide an apparatus, a system and a computer-readable storage medium for protecting against a SYN Flood attack, which also have the above-mentioned advantages.
In order to more clearly and completely describe the technical solutions in the embodiments of the present application, the technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to Fig. 1, which is a schematic flow chart illustrating a method for protecting against a SYN Flood attack according to the present application, the method for protecting against a SYN Flood attack may include:
S101: when a first message sent by a client is received, discarding the first message;
This step implements the first-packet discarding function: the first message sent by the client is discarded as soon as it is received. Referring to the TCP protocol, TCP guarantees reliability not only by being connection-oriented (three-way handshake to open, four-way handshake to close) but also through a timeout and retransmission mechanism: every time a sender transmits a message it starts a timer and waits for an acknowledgement, and if no acknowledgement arrives before the timer expires, the message is retransmitted. If the sender is an illegitimate client, however, the message is not retransmitted. The first-packet discarding function therefore uses the TCP timeout retransmission mechanism: the SYN Flood protection system directly discards the first SYN packet it receives and then observes whether the client retransmits the SYN packet; if it does, source authentication is performed on the retransmitted SYN packet, i.e. a SYN-ACK packet is bounced back to it. This effectively filters out part of the illegitimate attack sources and greatly reduces the number of bounce packets.
As a preferred embodiment, the discarding the first packet may include: judging whether the client hits a message hash table or not according to the first message; if not, the first message is discarded.
The preferred embodiment provides a more specific method for discarding the first packet: whether the received packet is the first packet sent by the client is determined by matching it against the packet hash table, and if it is, the received packet is discarded directly; otherwise the subsequent process is entered. Specifically, a message hash table may be established in advance to store a hash value of information relating to each message sent by a client. When a message is received, its hash value is calculated and matched against the message hash table to determine whether the client sending the message has already sent a message before the current point in time. If so, the message received at the current point in time hits the message hash table and is not the first message sent by the client; it need not be discarded, and the subsequent time determination may be performed directly. Otherwise, the message does not hit the message hash table, that is, it is the first message sent by the client, and it is discarded.
As a preferred embodiment, determining whether the client hits the packet hash table according to the first packet may include: extracting the IP information and port information of the client, the IP information and port information of the destination and the transmission protocol information from the first message; performing a hash operation on the IP information and port information of the client, the IP information and port information of the destination and the transmission protocol information to obtain a message hash value; judging whether the message hash value hits the message hash table; if so, confirming that the client hits the message hash table; if not, confirming that the client does not hit the message hash table.
The preferred embodiment provides a more specific matching method for the packet hash table: the hash values in the packet hash table are calculated from various kinds of related information in the packet, where the related information includes, but is not limited to, the IP information and port information of the client, the IP information and port information of the destination, and the transmission protocol information. Therefore, after the first message is received, this information can be extracted, the hash value calculated from it, and the hash value used to match against the message hash table.
S102: judging whether a second message sent by the client side is received within a specified time period after the first message is discarded; if yes, executing S103;
This step implements the judgment of the message receiving time. Specifically, since the system has discarded the first packet, which is equivalent to making no response to it, a normal client starts timing after sending the first packet and, if it receives no response from the system within a certain period, sends a packet again, namely the second packet; most illegitimate clients, by contrast, do not send a second packet. Therefore, the system starts timing after discarding the first packet and determines whether the second packet from the client is received within the specified time period after the first packet was discarded. If so, the client may be a legitimate client and the subsequent process continues; otherwise the client is an illegitimate client and no further processing is required. The specific value of the specified time period is set by a technician according to the actual situation and is not limited in this application.
S103: generating a rebound message according to the second message and a preset confirmation sequence number and sending the rebound message to the client;
This step implements the message response. Specifically, after the second packet is received within the specified time period, the rebound packet may be generated from the second packet and the preset acknowledgement sequence number; specifically, the preset acknowledgement sequence number may be added to the second packet. The preset acknowledgement sequence number is mainly used to implement source authentication. After the rebound message has been generated, it is sent to the client.
As for source authentication, referring to the TCP protocol, its principle is that the attack protection system responds to the client with a SYN-ACK message in place of the server, and this SYN-ACK message carries the correct acknowledgement sequence number. When a real client receives the SYN-ACK message with the correct acknowledgement sequence number, it sends an ACK message to the server, whereas a false source does not respond when it receives the SYN-ACK message with the correct acknowledgement sequence number. The attack protection system can therefore judge the authenticity of the client by observing whether the client responds.
S104: when a third message sent by the client according to the rebound message is received, obtaining a confirmation sequence number according to the third message;
the present step is intended to realize extraction of the acknowledgement sequence number in the third packet, where the third packet is a packet sent by the client based on the acquired rebound packet, and includes corresponding acknowledgement sequence number information, so as to implement source end authentication through acknowledgement sequence number verification.
As a preferred embodiment, the obtaining the confirmation sequence number according to the third packet may include: extracting the packet header information of the third message; and calculating to obtain the confirmation sequence number according to the packet header information.
The preferred embodiment provides a more specific method for extracting the confirmation sequence number, that is, the method is implemented based on the header information. Specifically, after receiving the third packet, the packet header information of the third packet is first extracted, and then the confirmation sequence number is obtained through calculation according to the packet header information.
S105: judging whether the confirmation sequence number is equal to a preset confirmation sequence number or not; if yes, executing S106;
S106: generating a response data packet corresponding to the third message and sending the response data packet to the client.
The above steps implement source authentication by checking the acknowledgement sequence number. Specifically, after generating the rebound packet, the system stores the preset acknowledgement sequence number in its own storage space, so that after the acknowledgement sequence number is extracted from the third packet, the system's preset acknowledgement sequence number can be retrieved to check it and determine whether the two are equal. If they are equal, source authentication passes and the client is determined to be a legitimate client; a correct data packet can then be sent in response to the third packet, that is, a response data packet corresponding to the third packet is generated and sent to the client. Otherwise the client is an illegitimate client and no response is sent to it.
As a preferred embodiment, before discarding the first packet, the method may further include: judging whether the client hits a white list or not according to the first message; if so, sending the first message to a server; if not, executing the step of discarding the first message.
In this preferred embodiment, whether the first message is legitimate is determined by white list matching, so as to further improve operation and maintenance efficiency. The white list stores relevant information of legitimate clients whose entries have not exceeded the aging time, and its contents are of course updated in real time. Specifically, before the first packet is discarded, it is first determined whether the first packet hits the white list; if so, the client sending the first packet is directly known to be a legitimate client, the subsequent first-packet discarding and source authentication procedures are unnecessary, and the first packet is sent directly to the server for normal data communication. In addition, for a legitimate client that passes the subsequent first-packet discarding and source authentication process, its information can be added to the white list, and the relevant information of clients that have exceeded the preset aging time is deleted, so that the white list is kept up to date. Of course, the specific value of the preset aging time is set by a technician according to the actual situation and is not limited in this application.
As a preferred embodiment, the determining whether the client hits in the white list according to the first message may include: extracting the IP information and the port information of the client according to the first message; carrying out hash operation on the IP information and the port information to obtain a source hash value; judging whether the source hash value hits a white list or not; if yes, confirming that the client hits a white list; if not, the client side is determined not to hit the white list.
The preferred embodiment provides a more specific white list matching method, and for the client information in the white list, the client information can be obtained by calculation according to various kinds of related information in the message as well. Therefore, after the first message is received, the information can be extracted to be matched with the white list in a hit mode.
Therefore, the method for protecting against SYN Flood attack provided by the application filters false client connection requests out of the received messages by means of first-packet discarding and real-source authentication, that is, it filters out false attack sources. Discarding the first packet greatly reduces the number of rebound messages, and real-source authentication effectively guarantees the authenticity of the client. Compared with the prior art, this implementation is better suited to preventing SYN Flood attacks initiated by hackers from legitimate IP addresses, effectively improves the attack protection capability of the system, and thereby guarantees the normal operation and normal data communication of the system.
Based on the foregoing embodiments, this preferred embodiment provides a more specific method for protecting against SYN Flood attack, taking TCP protocol communication as an example; Fig. 2 is a schematic flow chart of this other method for protecting against SYN Flood attack provided by the present application, and the description below refers to Fig. 2.
Firstly, the SYN Flood attack protection system in the embodiment of the application is an Anti-DDoS system. Specifically, Anti-DDoS traffic cleaning uses professional DDoS protection equipment to provide fine-grained resistance to DDoS attacks, such as UDP Flood attacks, SYN Flood attacks and CC attacks, for a user's internet applications; the user can configure the relevant parameters according to the service scenario, so that the attack and defence state can be monitored and the service is guaranteed to run safely and normally in real time.
Further, based on the Anti-DDoS system, the specific implementation flow of the method for protecting against SYN Flood attack provided by the embodiment of the application is as follows:
1. creating a hash table (the message hash table) named synhash, whose key is the five-tuple consisting of source IP, destination IP, source port, destination port and protocol type;
2. creating a hash table (the white list hash table) named whitelist, whose key is the two-tuple consisting of source IP and source port, and setting an aging time t0 for its entries;
3. after a SYN message is received, hashing the two-tuple of source IP and source port and matching it against the whitelist hash table; if the match succeeds, the message is released; if not, step 4 is executed;
4. hashing the five-tuple of source IP, destination IP, source port, destination port and protocol type and matching it against the synhash hash table; if the match fails, step 5 is executed; if it succeeds, step 6 is executed;
5. when the hash value is not found in the synhash table, the SYN message is the first connection attempt: the SYN packet is discarded and the current time t1 is stored in the synhash table as the value for this key;
6. when the hash value is found in the synhash table, the SYN message is a retransmission after the client's timeout: the value t1 found in the synhash table is added to the aging time t0 to obtain S, and S is compared with the current time t2 at which the SYN packet was received;
7. when S < t2, the retransmitted SYN message has exceeded the aging time t0 set by the Anti-DDoS system; the SYN message is discarded and the value in the synhash table is updated to t2;
8. when S > t2, the retransmitted SYN message is within the aging time set by the Anti-DDoS system; the Anti-DDoS system responds to the SYN message in place of the TCP server and sends the client a SYN+ACK message (the rebound message) whose sequence number is a cookie value (the preset acknowledgement sequence number) and whose acknowledgement sequence number is correct;
9. after the ACK message returned by the client is received, a cookie is calculated from its packet header information and compared with the stored confirmation sequence number;
10. if the calculated cookie value equals the stored confirmation sequence number, the source is a real source: the source IP and source port of the message are added to the white list, the current time t3 is written to the synhash table, and a correct RST packet (the response data packet) is sent in reply to the ACK message;
11. if the calculated cookie value differs from the stored confirmation sequence number, the source is a false source and the ACK message is discarded.
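The eleven-step flow above, together with the first-packet discard of S101 and the source authentication of S103 to S106 that it realises, as an added example that is not part of the patent or of any DBAPPSecurity product: a Python model of the synhash table, the whitelist with aging time t0, and the cookie check on the returned ACK. The cookie function (an HMAC over the five-tuple and the client's initial sequence number), the secret key, the constructed traffic and the handling of S = t2 are assumptions made here; the page says only that the cookie is calculated from the packet header information.

```python
import hmac
import hashlib
from dataclasses import dataclass

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit


@dataclass(frozen=True)
class Seg:
    """Minimal TCP header: the fields the patent's two hash tables and the cookie use."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"
    flags: str = "SYN"       # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0


class SynFloodGuard:
    """Model of steps 1-11: first-SYN drop, aging check against synhash, cookie-based
    source authentication, and a whitelist keyed by (source IP, source port)."""

    def __init__(self, t0: float, secret: bytes):
        self.t0 = t0            # aging time from step 2, in seconds
        self.secret = secret    # constructed key for the cookie MAC (assumption)
        self.synhash = {}       # step 1: 5-tuple -> time of the last recorded SYN
        self.whitelist = {}     # step 2: (src_ip, src_port) -> time the entry was added

    def _flow_key(self, seg: Seg):
        return (seg.src_ip, seg.dst_ip, seg.src_port, seg.dst_port, seg.proto)

    def _cookie(self, seg: Seg, client_isn: int) -> int:
        # The patent only says the cookie is "calculated from packet header information".
        # A keyed hash over the 5-tuple plus the client's initial sequence number is an
        # assumption made here so the value can be recomputed from the client's later ACK.
        msg = f"{'|'.join(map(str, self._flow_key(seg)))}|{client_isn}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def handle_syn(self, seg: Seg, now: float):
        """Steps 3-8 for an incoming SYN. Returns (action, segment to send or None)."""
        wl_key = (seg.src_ip, seg.src_port)
        added = self.whitelist.get(wl_key)
        if added is not None and now - added <= self.t0:
            return "PASS", None                  # step 3: whitelist hit, release to server
        self.whitelist.pop(wl_key, None)         # entry older than t0 is aged out
        key = self._flow_key(seg)
        t1 = self.synhash.get(key)
        if t1 is None:                           # step 5: first SYN of this flow
            self.synhash[key] = now
            return "DROP_FIRST", None
        if t1 + self.t0 < now:                   # step 7: S = t1 + t0 < t2, retransmit too late
            self.synhash[key] = now
            return "DROP_EXPIRED", None
        # step 8 (S >= t2; the page leaves S == t2 unspecified, treated as in time here):
        # answer in place of the server with seq = cookie and ack = client ISN + 1.
        cookie = self._cookie(seg, seg.seq)
        synack = Seg(seg.dst_ip, seg.src_ip, seg.dst_port, seg.src_port, seg.proto,
                     "SYN-ACK", seq=cookie, ack=(seg.seq + 1) & MASK)
        return "SYN_ACK", synack

    def handle_ack(self, seg: Seg, now: float):
        """Steps 9-11 for the client's ACK (per TCP: seq = ISN + 1, ack = cookie + 1)."""
        expected = self._cookie(seg, (seg.seq - 1) & MASK)
        if (seg.ack - 1) & MASK != expected:
            return "DROP_FORGED", None           # step 11: cookie mismatch, false source
        self.whitelist[(seg.src_ip, seg.src_port)] = now   # step 10: real source
        self.synhash[self._flow_key(seg)] = now
        rst = Seg(seg.dst_ip, seg.src_ip, seg.dst_port, seg.src_port, seg.proto,
                  "RST", seq=seg.ack)
        return "RST", rst


def run_scenarios():
    """Constructed traffic (documentation address ranges): a legitimate client that
    retransmits and authenticates, a non-retransmitting source, a late retransmit, a bad ACK."""
    g = SynFloodGuard(t0=5.0, secret=b"constructed-demo-secret")
    log = []
    syn = Seg("198.51.100.7", "203.0.113.10", 40000, 80, seq=1000)
    log.append(g.handle_syn(syn, 0.0)[0])                  # first SYN: dropped
    act, synack = g.handle_syn(syn, 1.0)                   # retransmit within t0: SYN-ACK
    log.append(act)
    ack = Seg(syn.src_ip, syn.dst_ip, syn.src_port, syn.dst_port, flags="ACK",
              seq=(syn.seq + 1) & MASK, ack=(synack.seq + 1) & MASK)
    log.append(g.handle_ack(ack, 1.2)[0])                  # cookie verified: RST, whitelisted
    log.append(g.handle_syn(syn, 2.0)[0])                  # client reconnects: passes directly
    log.append(g.handle_syn(Seg("192.0.2.99", "203.0.113.10", 5555, 80, seq=7), 0.5)[0])
    late = Seg("192.0.2.50", "203.0.113.10", 6000, 80, seq=9)
    g.handle_syn(late, 0.0)
    log.append(g.handle_syn(late, 10.0)[0])                # S = 5 < t2 = 10: dropped again
    bad = Seg("192.0.2.77", "203.0.113.10", 7000, 80, flags="ACK", seq=1, ack=12345)
    log.append(g.handle_ack(bad, 3.0)[0])                  # wrong cookie: discarded
    return log


if __name__ == "__main__":
    print(run_scenarios())
```

The legitimate client pays one retransmission timeout plus one RST before its next SYN is released by the whitelist, which is the cost the patent trades for never holding half-open state for sources that do not retransmit.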
It can be seen that the method for protecting against SYN Flood attack provided in the embodiment of the present application filters false client connection requests out of the received messages by discarding the first packet and authenticating the real source, that is, it filters out false attack sources; discarding the first packet greatly reduces the number of rebound messages, and real-source authentication effectively guarantees the authenticity of the client.
To solve the above technical problem, the present application further provides a SYN Flood attack protection device; please refer to fig. 3, which is a schematic structural diagram of the SYN Flood attack protection device provided in the present application. The SYN Flood attack protection device may include:
the message discarding module 1 is used for discarding a first message when the first message sent by a client is received;
the message judging module 2 is used for judging whether a second message sent by the client is received within a specified time period after the first message is discarded;
the message feedback module 3 is used for generating a rebound message according to the second message and a preset confirmation sequence number and sending the rebound message to the client if the second message is received within the specified time period;
the sequence number extraction module 4 is used for obtaining a confirmation sequence number according to a third message when the third message sent by the client according to the rebound message is received;
the sequence number judgment module 5 is configured to judge whether the confirmation sequence number is equal to the preset confirmation sequence number;
and the message response module 6 is configured to generate a response data packet corresponding to the third message and send the response data packet to the client if the confirmation sequence number is equal to the preset confirmation sequence number.
It can be seen that the SYN Flood attack protection device provided in the embodiment of the present application filters false client connection requests out of the received messages by first-packet discarding and real-source authentication, i.e., filters out false attack sources: discarding the first packet greatly reduces the number of rebound messages, and real-source authentication effectively ensures the authenticity of the client.
As a preferred embodiment, the apparatus for protecting against SYN Flood attack may further include a white list matching module, configured to determine whether the client hits the white list according to the first message before the first message is discarded; if so, sending the first message to a server; if not, executing the step of discarding the first message.
As a preferred embodiment, the white list matching module may be specifically configured to, before the first packet is discarded, extract the IP information and port information of the client according to the first packet; perform a hash operation on the IP information and the port information to obtain a source hash value; judge whether the source hash value hits the white list; if so, send the first message to a server; if not, execute the step of discarding the first message.
As a preferred embodiment, the message discarding module 1 may include:
the message hash table matching unit is used for judging whether the client hits the message hash table according to the first message;
and the message discarding unit is used for discarding the first message if the client does not hit the message hash table.
As a preferred embodiment, the packet hash table matching unit may be specifically configured to extract, according to the first packet, the IP information and port information of the client, the IP information and port information of the destination, and the transmission protocol information; perform a hash operation on the IP information and port information of the client, the IP information and port information of the destination, and the transmission protocol information to obtain a message hash value; judge whether the message hash value hits the message hash table; if yes, confirm that the client hits the message hash table; if not, confirm that the client does not hit the message hash table.
As a preferred embodiment, the sequence number extraction module 4 may be specifically configured to, when receiving a third packet sent by the client according to the rebound packet, extract the packet header information of the third packet, and calculate the confirmation sequence number from the packet header information.
For the introduction of the apparatus provided in the present application, please refer to the above method embodiments, which are not described herein again.
To solve the above technical problem, the present application further provides a system for protecting against SYN Flood attack; please refer to fig. 4, which is a schematic structural diagram of the system for protecting against SYN Flood attack provided by the present application. The system for protecting against SYN Flood attack may include:
a memory 10 for storing a computer program;
and the processor 20, which, when executing the computer program, implements any of the steps of the method for protecting against a SYN Flood attack described above.
As a preferred embodiment, the system for protecting against SYN Flood attack may be specifically an Anti-DDoS system.
For the introduction of the system provided by the present application, please refer to the above method embodiment, which is not described herein again.
To solve the above technical problem, the present application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements any of the steps of the method for protecting against a SYN Flood attack described above.
The computer-readable storage medium may include various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
For the introduction of the computer-readable storage medium provided in the present application, please refer to the above method embodiments, which are not described herein again.
The embodiments in the specification are described in a progressive manner: each embodiment focuses on its differences from the others, and the same or similar parts among the embodiments may be referred to each other. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is brief, and the relevant points may be found in the description of the method.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The technical solutions provided by the present application are described in detail above. The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, without departing from the principle of the present application, several improvements and modifications can be made to the present application, and these improvements and modifications also fall into the protection scope of the present application.

Claims (10)

1. A method of protecting against a SYN Flood attack, the method comprising:
when a first message sent by a client is received, discarding the first message;
judging whether a second message sent by the client side is received within a specified time period after the first message is discarded;
if so, generating a rebound message according to the second message and a preset confirmation sequence number and sending the rebound message to the client;
when a third message sent by the client according to the rebound message is received, acquiring a confirmation sequence number according to the third message;
judging whether the confirmation sequence number is equal to the preset confirmation sequence number or not;
and if so, generating a response data packet corresponding to the third message and sending the response data packet to the client.
2. The method of claim 1, wherein, before discarding the first packet, the method further comprises:
judging whether the client hits a white list or not according to the first message;
if so, sending the first message to a server;
if not, executing the step of discarding the first message.
3. The method of claim 2, wherein said determining whether the client hits in a white list according to the first packet comprises:
extracting the IP information and the port information of the client according to the first message;
carrying out hash operation on the IP information and the port information to obtain a source hash value;
judging whether the source hash value hits the white list or not;
if yes, confirming that the client hits the white list;
if not, determining that the client does not hit the white list.
4. The method of claim 1, wherein said discarding the first packet comprises:
judging whether the client hits a message hash table according to the first message;
if not, discarding the first message.
5. The method of claim 4, wherein the determining whether the client hits in a packet hash table according to the first packet comprises:
extracting the IP information and the port information of the client, the IP information and the port information of the destination, and the transmission protocol information according to the first message;
performing a hash operation on the IP information and the port information of the client, the IP information and the port information of the destination, and the transmission protocol information to obtain a message hash value;
judging whether the message hash value hits the message hash table;
if yes, confirming that the client hits the message hash table;
if not, determining that the client does not hit the message hash table.
6. The method of claim 1, wherein obtaining the acknowledgement sequence number according to the third packet comprises:
extracting packet header information of the third message;
and calculating to obtain the confirmation sequence number according to the packet header information.
7. An apparatus for protecting against a SYN Flood attack, comprising:
the message discarding module is used for discarding a first message sent by a client when the first message is received;
the message judging module is used for judging whether a second message sent by the client is received within a specified time period after the first message is discarded;
the message feedback module is used for generating a rebound message according to the second message and a preset confirmation sequence number and sending the rebound message to the client if the second message is received within the specified time period;
a sequence number extraction module, configured to, when a third packet sent by the client according to the rebound packet is received, obtain a confirmation sequence number according to the third packet;
a sequence number judgment module, configured to judge whether the confirmation sequence number is equal to the preset confirmation sequence number;
and the message response module is used for generating a response data packet corresponding to the third message and sending the response data packet to the client if the confirmation sequence number is equal to the preset confirmation sequence number.
8. A system for protecting against a SYN Flood attack, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the steps of the method of protecting against a SYN Flood attack according to any of claims 1 to 6.
9. The system for protecting against SYN Flood attacks according to claim 8, wherein the system for protecting against SYN Flood attacks is specifically an Anti-DDoS system.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, is adapted to carry out the steps of the method of protecting against a SYN Flood attack according to any one of claims 1 to 6.
CN202010916034.0A 2020-09-03 2020-09-03 Method, device and equipment for protecting SYN Flood attack Pending CN111970308A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010916034.0A CN111970308A (en) 2020-09-03 2020-09-03 Method, device and equipment for protecting SYN Flood attack

Publications (1)

Publication Number Publication Date
CN111970308A true CN111970308A (en) 2020-11-20

Family

ID=73391887

Country Status (1)

Country Link
CN (1) CN111970308A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112087464A (en) * 2020-09-17 2020-12-15 北京知道创宇信息技术股份有限公司 SYN Flood attack cleaning method and device, electronic device and readable storage medium
CN112702358A (en) * 2021-01-04 2021-04-23 北京金山云网络技术有限公司 SYN Flood attack protection method and device, electronic device and storage medium
CN113179247A (en) * 2021-03-23 2021-07-27 杭州安恒信息技术股份有限公司 Denial-of-service attack protection method, electronic device and storage medium
CN114124489A (en) * 2021-11-11 2022-03-01 中国建设银行股份有限公司 Method, cleaning device, equipment and medium for preventing flow attack
CN114513365A (en) * 2022-02-28 2022-05-17 北京启明星辰信息安全技术有限公司 Detection and defense method for SYN Flood attack
CN114567484A (en) * 2022-02-28 2022-05-31 天翼安全科技有限公司 Message processing method and device, electronic equipment and storage medium
CN116866055A (en) * 2023-07-26 2023-10-10 中科驭数(北京)科技有限公司 Method, device, equipment and medium for defending data flooding attack

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010042200A1 (en) * 2000-05-12 2001-11-15 International Business Machines Methods and systems for defeating TCP SYN flooding attacks
CN103347016A (en) * 2013-06-28 2013-10-09 天津汉柏汉安信息技术有限公司 Attack defense method
CN107395632A (en) * 2017-08-25 2017-11-24 北京神州绿盟信息安全科技股份有限公司 SYN Flood means of defences, device, cleaning equipment and medium
CN109327426A (en) * 2018-01-11 2019-02-12 白令海 A kind of firewall attack defense method
CN109639712A (en) * 2018-12-29 2019-04-16 北京神州绿盟信息安全科技股份有限公司 A kind of method and system for protecting DDOS attack
CN110233838A (en) * 2019-06-06 2019-09-13 东软集团股份有限公司 A kind of defence method, device and the equipment of pulsed attack
CN111314358A (en) * 2020-02-21 2020-06-19 深圳市腾讯计算机***有限公司 Attack protection method, device, system, computer storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201120