CN117714115A - Attack protection method, device, server and storage medium

Info

Publication number
CN117714115A
Authority
CN
China
Prior art keywords
connection request
connection
request
server
source address
Prior art date
Legal status
Pending
Application number
CN202311642703.XA
Other languages
Chinese (zh)
Inventor
佟欣哲
常力元
杨成
张熹
潘永波
Current Assignee
Tianyi Safety Technology Co Ltd
Original Assignee
Tianyi Safety Technology Co Ltd
Priority date
Filing date
Publication date
Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The application provides an attack protection method, an attack protection device, a server and a storage medium for improving attack protection efficiency. The method comprises the following steps: receiving a connection request from a client through an edge entry of the kernel network stack; performing state detection on the connection request and determining the type of the connection request; and when the type of the connection request is a normal request, sending the connection request to the kernel network stack so that the kernel network stack processes it. Because a connection request received at the edge entry is sent to the kernel network stack only after it has been determined to be a normal request, protection is completed at the earliest processing stage of the packet, unnecessary packet transmission and processing are avoided, overall performance improves, and attack protection efficiency improves.

Description

Attack protection method, device, server and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to an attack protection method, an attack protection device, a server, and a storage medium.
Background
A TCP SYN flood (Transmission Control Protocol Synchronize Sequence Numbers Flood) is a common denial-of-service attack in networks. The current defense against a TCP SYN flood mainly consists of enabling software protection on the target server and using TCP SYN cookies to verify the authenticity of the TCP source address.
However, in a software implementation of TCP SYN cookies, generating the cookie requires cryptographic computation that consumes the processing capacity of the target server, so the attack protection efficiency is low.
Disclosure of Invention
The application provides an attack protection method, an attack protection device, a server and a storage medium, which are used for improving the protection efficiency of attacks.
In a first aspect, an embodiment of the present application provides an attack protection method, applied to a server, where the method includes:
receiving a connection request from a client through an edge portal of a kernel network stack;
performing state detection on the connection request, and determining the type of the connection request;
and when the type of the connection request is a normal request, sending the connection request to the kernel network stack so that the kernel network stack processes the connection request.
The method and the device acquire the connection request from the client directly at the edge entry of the kernel network stack and perform state detection on it, so the connection request is processed at the kernel layer and attack protection is completed at the earliest processing stage of the packet; unnecessary packet transmission and processing are avoided, and TCP processing with low delay, high throughput and high concurrency can be provided. In addition, moving the TCP processing function to the XDP layer at the edge entry reduces both the development difficulty of a kernel module and the high overhead of the kernel network stack, so the attack protection efficiency can be improved.
In an alternative embodiment, performing state detection on the connection request and determining its type includes:
determining whether a black-and-white list contains the source address of the connection request, the black-and-white list comprising a blacklist and a whitelist;
when the black-and-white list does not contain the source address of the connection request, determining whether the connection request is contained in a connection table;
when the connection table contains the connection request, determining whether the flag bits of the connection request match the connection state recorded for that connection request in the connection table; if yes, determining the type of the connection request to be the normal request; if not, determining the type of the connection request to be an abnormal request.
After the connection request is determined not to be in the black-and-white list, the flag bits carried in the packet of the connection request are matched against the connection state of that request recorded in the connection table, so the type of the connection request is judged by whether its flag bits conform to the protocol specification, which improves the reliability of attack protection.
In an alternative embodiment, when the connection table does not include the connection request, the method further includes:
recording a source address of the connection request and a connection state of the connection request in the connection table;
and sending a connection response to the client.
Because the connection request is not in the connection table, that is, it is determined to be the first connection request received from that source, a connection response is sent to the client and the source address and connection state of the request are recorded in the connection table. The client can continue sending connection requests after receiving the connection response, and state detection can then be performed on the subsequently received connection requests from that source address, which ensures the reliability and security of attack protection.
In an alternative embodiment, when the black-and-white list includes the source address, the method further includes:
When the source address of the connection request is in the white list, determining the type of the connection request as the normal request; or,
and when the source address of the connection request is in the blacklist, determining the type of the connection request as the abnormal request.
The type of the connection request can be determined according to the source address in the blacklist or the whitelist, so that the power consumption for judging the type of the connection request can be reduced, and the attack protection efficiency is improved.
In an alternative embodiment, the method further comprises:
and discarding the connection request when the type of the connection request is the abnormal request.
When the type of the connection request is determined to be the abnormal request, the connection request is directly discarded, so that the processing of the abnormal request by the kernel network stack can be avoided, unnecessary consumption is reduced, and the reliability and safety of attack protection can be improved.
In an alternative embodiment, before determining whether the connection request is included in the connection table, the method further comprises:
limiting the rate of the connection requests according to a set threshold;
and adding the connection request to a connection queue when the number of connection requests in the connection queue is determined not to have reached a connection threshold.
Limiting the rate of connection requests according to the set threshold reduces the load. In addition, adding the connection request to the connection queue only when the queue is not full allows the load and resource consumption of the server to be controlled.
An alternative embodiment is that, after the sending the connection request to the kernel network stack, the method further includes:
and adding the source address of the connection request to a white list.
Because the source address of a connection request forwarded to the kernel network stack is added to the whitelist, a later request from that source address can be sent to the kernel network stack for processing on the strength of the whitelist match alone, so repeated detection is avoided and overall performance improves.
In a second aspect, embodiments of the present application provide an attack protection device, including:
the receiving unit is used for receiving a connection request from the client through an edge entry of the kernel network stack;
the detection unit is used for carrying out state detection on the connection request and determining the type of the connection request; and when the type of the connection request is a normal request, sending the connection request to the kernel network stack so that the kernel network stack processes the connection request.
In a third aspect, an embodiment of the present application provides a server, including a memory and a processor, where the memory stores a computer program that can be executed on the processor, and when the computer program is executed by the processor, the attack protection method as described in the first aspect is implemented.
In a fourth aspect, embodiments of the present application further provide a computer storage medium having stored therein computer program instructions that, when executed on a computer, cause the computer to perform the attack protection method as set forth in the first aspect.
The technical effects caused by any implementation manner of the second aspect to the fourth aspect may refer to the technical effects caused by the corresponding implementation manner of the first aspect, and are not described herein.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of an attack protection method provided in the embodiment of the present application;
FIG. 2 is a schematic diagram of an architecture of an attack protection system according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an example of attack protection provided in an embodiment of the present application;
fig. 4 is a complete flow diagram of an attack protection method according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an attack protection device according to an embodiment of the present application;
fig. 6 is a block diagram of a server according to an embodiment of the present application.
Detailed Description
For the purposes of clarity, technical solutions and advantages of the present application, the following description will be given in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
Some terms appearing hereinafter are explained:
(1) Synchronize Sequence Numbers (SYN): a handshake signal used by the Transmission Control Protocol (TCP)/Internet Protocol (IP) to establish a connection. When a normal TCP connection is established between a client and a server, the client sends a SYN (synchronization) request, the server or network device replies with a SYN-ACK (synchronization-acknowledgement), and finally the client sends an ACK (acknowledgement) to complete connection establishment. In this way a reliable TCP connection is established between the client and the server, and data can be transferred between them.
(2) TCP SYN flood (Transmission Control Protocol Synchronize Sequence Numbers Flood): exploits a weakness in the three-way handshake of the TCP protocol. In a TCP SYN flood, an attacker sends a large number of forged SYN requests but never sends the subsequent ACK, so the target system cannot establish normal connections. Since each incomplete connection occupies some system resources, a large number of SYN requests can exhaust the resources of the target system so that normal connection requests cannot be processed.
(3) eBPF (extended Berkeley Packet Filter) program: a program that can be executed in the Linux kernel. By writing and loading an eBPF program, processing logic for specific packets can be implemented, such as recording connection status, controlling whether packets are passed, and redirecting packets.
(4) XDP (eXpress Data Path) program: a program executed in a network interface driver for fast processing of received data packets. The logic of an XDP program is written as eBPF and can intercept and modify data packets entering the network interface.
(5) Kernel network stack: the main component for processing network data packets. An XDP eBPF program can work together with the kernel network stack to intercept, modify and forward data packets.
(6) eBPF map: an efficient key/value store that resides in kernel space; several map types exist and are implemented by the kernel. It serves as the medium for data exchange between the user layer and the kernel layer and can share data between different programs.
The word "exemplary" is used hereinafter to mean "serving as an example, embodiment, or illustration. Any embodiment described as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
The terms "first," "second," and the like herein are used for descriptive purposes only and are not to be construed as either explicit or implicit relative importance or to indicate the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature, and in the description of embodiments of the present application, unless otherwise indicated, the meaning of "a plurality" is two or more.
The existing defense means for resisting the TCP SYN flood mainly comprises the steps of starting software protection on a target server, and achieving verification of the authenticity of a TCP source address and the like by using TCP SYN cookies for verification. However, in the scheme of realizing the TCP SYN cookie by software, the generation of the cookie introduces encryption calculation, the encryption calculation consumes the calculation performance of the target server, and the protection efficiency of attack is low.
Based on the above problems, embodiments of the present application provide an attack protection method, an attack protection device, a server, and a storage medium. The method can be applied to servers, for example domain name system (DNS) servers, or Linux servers with a public network exposure surface. The method comprises the following steps: receiving a connection request from a client through an edge entry of the kernel network stack; performing state detection on the connection request and determining its type; and when the type of the connection request is a normal request, sending the connection request to the kernel network stack so that the kernel network stack processes it. In this way, high-performance attack protection can be achieved without enabling the TCP SYN cookies module, and the protection occupies fewer system resources, so attack protection efficiency can be improved.
As shown in fig. 1, the attack protection method provided in the embodiment of the present application includes the following steps:
s101: connection requests from clients are received through edge portals of the kernel network stack.
In some embodiments, the embodiments of the present application may intercept connection requests to the kernel network stack in the XDP layer. The connection request may be a TCP connection request. Illustratively, embodiments of the present application may intercept a TCP connection request received by an edge portal of a kernel network stack using an eBPF program.
As an example, the embodiment of the application may intercept a data packet in the XDP layer by an attack protection program loaded in the server, to obtain a connection request sent to the kernel network stack. Wherein, the attack protection program is an XDP eBPF program.
The embodiment of the application can load the attack protection program into the server through the following steps.
A1: an attack guard program based on an eBPF program is written by an appropriate programming language. For example, the programming language may be the C language.
In some embodiments, the attack protection program in the embodiments of the present application may be written into a program that can perform operations of intercepting, modifying and forwarding data packets at the XDP layer, and implement an attack protection function. For example, the attack guard may implement a TCP SYN flood guard function.
A2: the attack guard is compiled into a loadable binary file. Illustratively, embodiments of the present application may use a compiler and BPF toolchain to complete the compilation process. For example, the compiler may be a clang.
A3: and dynamically and thermally loading the generated binary file into the kernel of the server. Illustratively, embodiments of the present application may load the binary file of the attack guard into the BPF virtual machine of the kernel of the server using an appropriate tool or application programming interface (Application Programming Interface, API) and associate the attack guard with the XDP hook point of the server. After the server has loaded the attack guard, the attack guard may begin to intercept packets that have passed through the XDP of the server.
The embodiment of the application can process the connection request at the kernel layer of the server by utilizing the high-efficiency performance and the data packet processing capability of the XDP and eBPF technologies, thereby realizing high-performance protection.
S102: and detecting the state of the connection request, and determining the type of the connection request. The types of the connection request comprise normal requests and abnormal requests.
After the attack protection program loaded in the server acquires the connection request, the connection request can be detected in the following manner to determine the type of the connection request.
B1: and performing black-and-white list matching on the connection request.
In some embodiments, the black-and-white list may be loaded into the server from the configuration file or other means of the attack guard at the start-up of the attack guard. The attack protection program can also store the black and white list into the memory of the server through the eBPF map so as to process the black and white list later.
The attack guard may determine whether the black-and-white list contains the source address of the connection request. The black-and-white list comprises a black list and a white list, and the source address is the IP address of the client. The IP addresses in the blacklist are the IP addresses for prohibiting the connection of the servers, and the IP addresses in the whitelist are the IP addresses for allowing the connection of the servers.
Alternatively, when the black-and-white list contains the source address of the connection request, the attack protection program may determine the type of the connection request without continuing to detect the connection request. For example, when the source address is in the blacklist, the attack guard may determine that the type of connection request is an exception request. When the source address is in the whitelist, the attack guard may determine that the type of connection request is a normal request.
Alternatively, the attack guard may continue to execute B2 when the black-and-white list does not contain the source address of the connection request.
B2: the rate of connection requests is defined according to a set threshold.
In some embodiments, the attack guard may determine the rate of the connection request by tracking the number of SYN packets sent by the source address of the connection request. The embodiment of the application can also limit the rate of the connection request by setting a set threshold. When the rate of connection requests exceeds a set threshold, the attack guard may take a policy to discard or delay the response to relieve server load. Wherein the discard policy is to discard the received connection request such that the rate of the connection request is within a set threshold. The delayed response strategy refers to slowing down the detection speed.
B3: and adding the connection requests into the connection queue when the number of the connection requests in the connection queue is determined to not reach the connection threshold.
In some embodiments, after the connection request is placed in the connection queue, the connection queue management may be performed on the connection request. For example, embodiments of the present application may implement connection queue management in an attack guard to maintain a connection queue and limit the number of connection requests in the connection queue to a connection threshold. Wherein the connection threshold represents the maximum of the number of connections that the server can open at the same time.
For example, the attack guard may determine whether to accept, discard, or delay connection requests based on the number of connection requests in the connection queue. For example, when the number of connection requests in the connection queue does not reach the connection threshold, the embodiments of the present application add the connection request to the connection queue. For another example, when the number of connection requests in the connection queue reaches a connection threshold, embodiments of the present application may discard or delay new connection requests according to policies to control the load and resource consumption of the server.
B4: the connection status of the connection request is identified and tracked.
In some embodiments, the attack protection program determines whether the connection request is included in the connection table. The connection table contains the source address of each connection request received by the server and the connection state of that request. The connection state includes, but is not limited to: SYN_SENT, SYN_RECEIVED, ESTABLISHED. SYN_SENT indicates that the client has sent a connection request (SYN) and is waiting for the server's acknowledgement (ACK); SYN_RECEIVED indicates that the server, having received the client's connection request (SYN), has sent an acknowledgement (ACK) and is waiting for the client's acknowledgement (ACK); ESTABLISHED indicates that the TCP connection has been established.
As one example, when the connection request is not contained in the connection table, the attack protection program determines that it is a connection request newly received by the server from the client. The attack protection program records the source address of the connection request and its connection state in the connection table and returns a connection response to the client, completing the first handshake check between client and server. After receiving the connection response, the client continues sending connection requests to the server until handshake verification is completed and the connection is established. For example, when the connection request is a TCP connection request whose source address is not in the connection table, the attack protection program of the server records the source address and the connection state SYN_SENT in the connection table; after it sends the connection response to the client, it updates the connection state to SYN_RECEIVED.
As another example, when the connection request is contained in the connection table, the attack protection program determines whether the flag bits of the connection request match the connection state recorded for that request in the connection table. The flag bits of a connection request include, but are not limited to: SYN, ACK, reset (RST), terminate (FIN). Illustratively, the flag bit ACK of a connection request matches the connection state SYN_RECEIVED of that request in the connection table.
Optionally, when the flag bit of the connection request matches with the connection state corresponding to the connection request in the connection table, the attack protection program may determine that the type of the connection request is a normal request, and further may determine that the connection requested to be established by the client is a normal connection.
Optionally, when the flag bit of the connection request does not match the connection state corresponding to the connection request in the connection table, the attack protection program may determine that the type of the connection request is an abnormal request, and further may determine that the connection requested to be established by the client is an abnormal connection.
The above state detection process shown in step S102 may be performed by the attack guard program to determine the type of the connection request by performing steps B1 to B4, directly by performing step B4 to determine the type of the connection request, or by performing steps B1 and B4 to determine the type of the connection request. In addition, the attack guard may determine the status of the connection request by other means, and is not limited herein.
In some embodiments, after determining the type of the connection request, the embodiments of the present application may perform subsequent processing on the connection request according to the determined type.
S103: and when the type of the connection request is a normal request, sending the connection request to the kernel network stack so that the kernel network stack processes the connection request.
In some embodiments, when the type of the connection request is a normal request, the attack protection program passes the connection request through to the kernel network stack. After receiving the connection request, the kernel network stack performs the handshake check and connection establishment procedure. Illustratively, the server's kernel network stack returns a TCP SYN-ACK to the client after receiving the TCP SYN, and establishes the connection with the client after receiving the client's TCP ACK.
As an example, when the type of the connection request is determined to be normal through steps B2-B4, the attack protection program may also send a reset (RST) to the client to tear down the connection and add the source address of the connection request to the whitelist. Further, the attack protection program may set a lifetime for the source address entry in the whitelist. After receiving the reset, the client may re-initiate the request to the server through its reconnection mechanism; the attack protection program then matches the source address of the request in the whitelist, determines that the request is a normal request, and passes it through to the kernel network stack of the server.
As another example, the attack guard may also add the source address of the connection request to the whitelist after sending the connection request to the kernel network stack. Therefore, after the attack protection program of the subsequent server receives the connection request of the source address, the connection request can be determined to be a normal legal request through black-and-white list matching, so that the attack protection efficiency can be improved.
In other embodiments, the attack guard may discard the connection request when it determines that the type of connection request is an exception request.
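The detection steps B1 to B4 and the S103 verdict, modelled as user-space C so the state machine can be exercised without loading an XDP program. This is an added example and not the patent's code: fixed-size arrays stand in for the eBPF maps a real XDP program would use, the thresholds are constructed values, and only the bare-ACK-on-SYN_RECEIVED transition is modelled as the matching case.

```c
/* User-space model of the XDP-layer detection steps B1-B4 and the S103 verdict.
 * Added example, not the patent's code: fixed-size arrays stand in for the eBPF
 * maps a real XDP program would use, and the thresholds are constructed values. */
#include <stdint.h>
#include <string.h>

#define TCP_SYN 0x02
#define TCP_ACK 0x10

#define MAP_SIZE 64
#define SYN_RATE_THRESHOLD 5  /* constructed: SYNs allowed per source in one window */
#define CONN_THRESHOLD 4      /* constructed: max half-open entries in the connection queue */

/* PASS hands the packet to the kernel network stack, SYNACK means the guard answers
 * the first handshake itself, and each DROP names the check that rejected it. */
enum verdict { V_PASS, V_SYNACK, V_DROP_BLACKLIST, V_DROP_RATE, V_DROP_QUEUE, V_DROP_MISMATCH };
enum conn_state { ST_SYN_SENT = 1, ST_SYN_RECEIVED, ST_ESTABLISHED };

/* Minimal key/value map keyed by source IPv4 address (stand-in for a BPF hash map). */
struct map_entry { uint32_t key; uint32_t val; int used; };
struct map { struct map_entry e[MAP_SIZE]; };

static struct map_entry *map_lookup(struct map *m, uint32_t key) {
    for (int i = 0; i < MAP_SIZE; i++)
        if (m->e[i].used && m->e[i].key == key) return &m->e[i];
    return NULL;
}

static struct map_entry *map_update(struct map *m, uint32_t key, uint32_t val) {
    struct map_entry *e = map_lookup(m, key);
    for (int i = 0; e == NULL && i < MAP_SIZE; i++)
        if (!m->e[i].used) { e = &m->e[i]; e->used = 1; e->key = key; }
    if (e != NULL) e->val = val;
    return e;
}

static int map_count(const struct map *m) {
    int n = 0;
    for (int i = 0; i < MAP_SIZE; i++) n += m->e[i].used;
    return n;
}

struct guard {
    struct map blacklist, whitelist;  /* B1: black-and-white list module */
    struct map syn_rate;              /* B2: SYN count per source address */
    struct map conn_table;            /* B3/B4: connection queue and state (val = conn_state) */
    unsigned synacks_sent;            /* connection responses the guard sent itself */
};

static void guard_init(struct guard *g) { memset(g, 0, sizeof *g); }
static void guard_blacklist(struct guard *g, uint32_t a) { map_update(&g->blacklist, a, 1); }
static void guard_whitelist(struct guard *g, uint32_t a) { map_update(&g->whitelist, a, 1); }
static int guard_is_whitelisted(struct guard *g, uint32_t a) { return map_lookup(&g->whitelist, a) != NULL; }

/* Handle one TCP packet seen at the XDP hook: source address plus TCP flag bits. */
enum verdict guard_handle(struct guard *g, uint32_t src, uint8_t flags) {
    /* B1: a list hit decides the type without further detection. */
    if (map_lookup(&g->blacklist, src) != NULL) return V_DROP_BLACKLIST;
    if (map_lookup(&g->whitelist, src) != NULL) return V_PASS;

    /* B2: per-source SYN rate limit; SYNs beyond the threshold are discarded. */
    if (flags & TCP_SYN) {
        struct map_entry *r = map_lookup(&g->syn_rate, src);
        uint32_t n = (r != NULL) ? r->val + 1 : 1;
        map_update(&g->syn_rate, src, n);
        if (n > SYN_RATE_THRESHOLD) return V_DROP_RATE;
    }

    struct map_entry *c = map_lookup(&g->conn_table, src);
    if (c == NULL) {
        /* Source not in the connection table: only a plain SYN opens state, and
         * only while the connection queue has not reached the threshold (B3). */
        if ((flags & (TCP_SYN | TCP_ACK)) != TCP_SYN) return V_DROP_MISMATCH;
        if (map_count(&g->conn_table) >= CONN_THRESHOLD) return V_DROP_QUEUE;
        /* B4: record SYN_SENT, reply with a SYN-ACK, then advance to SYN_RECEIVED. */
        c = map_update(&g->conn_table, src, ST_SYN_SENT);
        if (c == NULL) return V_DROP_QUEUE;
        g->synacks_sent++;
        c->val = ST_SYN_RECEIVED;
        return V_SYNACK;
    }

    /* B4: the flag bits must match the recorded state; a bare ACK on SYN_RECEIVED
     * completes the handshake check and is the only normal case modelled here. */
    if (c->val == ST_SYN_RECEIVED && (flags & (TCP_SYN | TCP_ACK)) == TCP_ACK) {
        c->val = ST_ESTABLISHED;
        /* S103: normal request -> kernel network stack; whitelist the source so later
         * packets pass on the B1 match alone, and release the queue slot. */
        map_update(&g->whitelist, src, 1);
        c->used = 0;
        return V_PASS;
    }
    return V_DROP_MISMATCH;
}
```

A spoofed flood of single SYNs from many sources is caught by the queue threshold rather than the per-source rate, which is why both checks are kept.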
Based on the above embodiment, the server realizes attack protection by intercepting the connection request at the XDP layer and performing state detection at the earliest processing stage of the connection request, which avoids unnecessary packet transmission and processing and reduces the processing time of the connection request in the server kernel, improving overall performance and reducing overall delay. Furthermore, XDP provides a flexible programming framework: users can customize the processing logic for connection requests and load it onto the server, so that the server realizes attack protection at the XDP layer. The user can tailor the protection strategy to specific requirements and conveniently extend the protection function of the server. The attack protection function of the server can therefore be optimized and adjusted to the network environment and application requirements, improving the flexibility and extensibility of attack protection.
Based on the content shown in the foregoing embodiment, the embodiment of the present application further provides an attack protection system. As shown in fig. 2, the attack protection system may include a client and a server.
The user layer of the server may include a protection management module and an application program, and the kernel layer may include an XDP, a kernel protocol stack, a protection module and a black and white list module.
In some embodiments, the protection module handles the packets of TCP connection requests at the XDP layer of the server. It can intercept, modify and forward TCP packets with an eBPF program, implementing the TCP protocol handling logic itself.
The black-and-white list module manages IP addresses. It stores the black-and-white list in an eBPF map, which is how it shares the list with the protection module. The whitelist is the list of IP addresses allowed to pass through the protection module; the blacklist is the list of IP addresses forbidden from passing through it.
The protection management module configures and monitors protection policies and integrates with other network infrastructure, for example iptables or network routing.
In some embodiments, the protection module may include, but is not limited to, the following functions:
A connection state identification and tracking function, which recognises newly created connections and tracks their connection state. The protection module stores the connection state in memory through an eBPF map for later processing. For example, it checks whether the source address of a connection request is already in the connection table to decide whether the request is a new connection; when the table does not contain the source address, it adds the source address and the corresponding connection state to the table.
A black-and-white list matching function, which checks whether the source address of the connection request is in the whitelist. If it matches, the source address is trusted and the protection module passes the connection request to the server's kernel protocol stack. If it does not, the blacklist is checked next: a match there means the connection request is discarded; otherwise the protection module sends the connection response to the client in place of the kernel protocol stack, which is what provides the protection.
A SYN packet flow control function, which tracks the number of SYN packets sent by each source address and applies a set threshold to limit the rate of connection requests. When the connection requests from a source exceed the threshold, the protection module may discard them or delay its response to relieve the load on the server.
A connection queue management function, which maintains a queue of connection requests and limits the number of connections that are open at the same time. The protection module places each connection request into the queue and manages it; when the queue is full, it discards or delays new connection requests according to policy to control the server's load and resource consumption.
A TCP state verification function, which verifies the TCP state of each connection request so that connections are established in conformance with the protocol specification. For example, the protection module checks that the SYN, ACK and RST flag bits in the connection request are consistent with the recorded state, filtering out abnormal or illegal connection requests. Only connection requests that pass TCP state verification are forwarded to the server's kernel protocol stack.
A dynamic black-and-white list updating function, which adds the source address to the whitelist once the three-way handshake has been verified, then sends a TCP RST packet to the client to tear the connection down. When the next connection request from the same source address arrives, the protection module can pass it straight to the kernel protocol stack without SYN packet flow control, connection queue management or TCP state verification. Because the whitelist is keyed on the source address alone, the entry covers every host behind that address (for example a NAT gateway) for as long as it lives, which is why the lifetime set for whitelist entries matters.
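The functions above, and the step sequences of fig. 3 and fig. 4 that exercise them, amount to one small state machine per source address. The following user-space C model of that state machine is an added example, not code from the patent or from Tianyi Safety Technology: the table size, the thresholds, the time unit of the whitelist lifetime and the use of 0 as a free-slot sentinel are assumptions made here, and a real XDP program would keep the tables in eBPF maps (an LRU hash for the connection table) and return XDP_PASS, XDP_DROP or XDP_TX rather than the enum used below.

```c
/* User-space C model of the protection module's per-packet decision. Added example,
 * not the patent's code: in the real XDP program the tables are eBPF maps (an LRU
 * hash for the connection table) and the actions map to XDP_PASS, XDP_DROP and
 * XDP_TX. Table size, thresholds, the time unit and the 0 sentinel are assumptions. */
#include <stdint.h>
#include <string.h>
#define TH_SYN 0x02                      /* TCP header flag bits */
#define TH_RST 0x04
#define TH_ACK 0x10
#define HS_MASK (TH_SYN | TH_ACK | TH_RST)
#define TBL 64
enum action { ACT_DROP, ACT_PASS, ACT_TX_SYNACK, ACT_TX_RST };
enum list_kind { LIST_NONE, LIST_WHITE, LIST_BLACK };
enum conn_state { CS_NONE, CS_SYNACK_SENT };       /* what we expect next from a source */
struct list_entry { uint32_t ip; enum list_kind kind; uint64_t expires; };
struct conn_entry { uint32_t ip; enum conn_state state; uint32_t syns; };   /* ip 0 = free */
struct guard {
    struct list_entry list[TBL];       /* black-and-white list */
    struct conn_entry conn[TBL];       /* connection table: source -> state, SYNs seen */
    uint32_t queue_len, queue_limit;   /* half-open handshakes held / allowed */
    uint32_t syn_threshold;            /* SYNs accepted per source before dropping */
    uint64_t white_ttl;                /* whitelist lifetime, in the unit of `now` */
};
static void guard_init(struct guard *g, uint32_t syn_thr, uint32_t qlim, uint64_t ttl) {
    memset(g, 0, sizeof *g);
    g->syn_threshold = syn_thr; g->queue_limit = qlim; g->white_ttl = ttl;
}

/* List lookup; an expired whitelist entry is forgotten and the source re-verified. */
static enum list_kind list_lookup(struct guard *g, uint32_t ip, uint64_t now) {
    for (int i = 0; i < TBL; i++) {
        if (g->list[i].kind == LIST_NONE || g->list[i].ip != ip) continue;
        if (g->list[i].kind == LIST_WHITE && g->list[i].expires <= now) g->list[i].kind = LIST_NONE;
        return g->list[i].kind;
    }
    return LIST_NONE;
}

static void list_add(struct guard *g, uint32_t ip, enum list_kind k, uint64_t expires) {
    for (int i = 0; i < TBL; i++)
        if (g->list[i].kind == LIST_NONE || g->list[i].ip == ip) {
            g->list[i] = (struct list_entry){ ip, k, expires }; return;
        }
}                                      /* a full list silently skips the entry */

/* The source's connection-table entry, created in a free slot if unknown (NULL if full). */
static struct conn_entry *conn_slot(struct guard *g, uint32_t ip) {
    struct conn_entry *free_slot = NULL;
    for (int i = 0; i < TBL; i++) {
        if (g->conn[i].ip == ip) return &g->conn[i];
        if (!g->conn[i].ip && !free_slot) free_slot = &g->conn[i];
    }
    if (free_slot) free_slot->ip = ip;
    return free_slot;
}

/* One TCP segment from `ip` carrying `flags`, seen at the XDP hook at time `now`. */
static enum action guard_handle(struct guard *g, uint32_t ip, uint8_t flags, uint64_t now) {
    switch (list_lookup(g, ip, now)) {                 /* black-and-white list matching */
    case LIST_WHITE: return ACT_PASS;                  /* trusted: straight to the kernel stack */
    case LIST_BLACK: return ACT_DROP;
    default: break;
    }
    struct conn_entry *c = conn_slot(g, ip);
    if (!c) return ACT_DROP;                           /* connection table full */
    if ((flags & TH_SYN) && ++c->syns > g->syn_threshold) return ACT_DROP;   /* SYN flow control */
    if (c->state == CS_NONE) {                         /* no handshake in progress */
        if ((flags & HS_MASK) != TH_SYN) return ACT_DROP;    /* must open with a bare SYN */
        if (g->queue_len >= g->queue_limit) return ACT_DROP; /* connection queue full */
        c->state = CS_SYNACK_SENT;
        g->queue_len++;
        return ACT_TX_SYNACK;                          /* answer in place of the kernel */
    }
    /* Handshake in progress: flags must match the recorded state (TCP state verification). */
    if ((flags & HS_MASK) == TH_ACK) {
        list_add(g, ip, LIST_WHITE, now + g->white_ttl);   /* dynamic whitelist update */
        c->state = CS_NONE;
        g->queue_len--;
        return ACT_TX_RST;                             /* client reconnects through the whitelist */
    }
    return ACT_DROP;                                   /* abnormal request for this state */
}

/* Replays the fig. 3 exchange from 1.1.1.1 (SYN, ACK, reconnect SYN) and then a SYN sent
   after the whitelist entry has expired; returns the four actions as decimal digits. */
static int replay_fig3(void) {
    struct guard g; guard_init(&g, 5, 128, 60);
    uint32_t client = 0x01010101u;
    int r = guard_handle(&g, client, TH_SYN, 0);
    r = r * 10 + guard_handle(&g, client, TH_ACK, 1);
    r = r * 10 + guard_handle(&g, client, TH_SYN, 2);
    return r * 10 + guard_handle(&g, client, TH_SYN, 100);
}

/* Spoofed-source flood: n distinct sources each send one SYN. Returns how many were
   answered; the rest hit the connection-queue limit and are dropped. */
static int replay_spoofed_flood(int n, uint32_t queue_limit) {
    struct guard g; guard_init(&g, 5, queue_limit, 60);
    int answered = 0;
    for (int i = 0; i < n; i++)
        answered += guard_handle(&g, 0x0a000000u + (uint32_t)i, TH_SYN, 0) == ACT_TX_SYNACK;
    return answered;
}
```

replay_fig3() returns 2312, that is SYN-ACK, RST, PASS and then SYN-ACK again once the whitelist entry has aged out. Two points the model makes visible: a flood from spoofed source addresses is bounded by the connection-queue limit rather than by the per-source SYN threshold, because every spoofed source looks new; and the connection table itself fills with one entry per spoofed source, which is why the real implementation needs an LRU map or explicit expiry rather than the fixed array used here.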
In some embodiments, the black and white list module may include, but is not limited to, the following functions:
A black-and-white list management function, which provides interfaces for adding, deleting and querying IP addresses in the black-and-white list. For example, the user or the protection module may add a trusted IP address to the whitelist through the interface, or remove an IP address that is no longer trusted.
A black-and-white list verification function, which tells the protection module that IP addresses in the whitelist are passed by default and addresses in the blacklist are rejected by default.
In some embodiments, the guard management module may include, but is not limited to, the following functions:
A protection policy configuration function, for configuring the protection policy of the protection module. For example, through this function the user may adjust the black-and-white list matching rules, add black-and-white list rules, or change the protection level.
A protection state monitoring function, for monitoring the state of the attack protection system, including metrics such as the number of TCP connections and the volume of attack traffic. The protection management module may provide real-time monitoring charts or logs so that administrators can follow the behaviour of the attack protection system.
An integration function, for integrating with other network infrastructure to form a more comprehensive protection solution. Through the protection management module the server can interact and cooperate with other network infrastructure to provide stronger protection.
Based on the content shown in fig. 2, the protection module, the black-and-white list module and the protection management module together form a system that implements TCP SYN flood protection with XDP and eBPF. The protection module intercepts and processes TCP packets, the black-and-white list module manages the list of trusted IP addresses, and the protection management module configures protection policies and monitors system state. Working together, these modules give the attack protection system efficient, customisable and flexible TCP SYN flood protection. The attack protection system can also work alongside other XDP- and eBPF-based network services and security mechanisms, providing users with a more comprehensive solution.
In some embodiments, as shown in fig. 3, the embodiments of the present application provide an attack protection example, including the following steps:
S301: the client initiates a connection request by sending a TCP SYN to the server. The protection module of the server receives the TCP SYN from the client.
When the client initiates the connection request, the protection module in the server intercepts the TCP SYN at the XDP hook. For example, the source address of the TCP SYN may be 1.1.1.1:XXXX and the destination address 2.2.2.2:YY.
S302: and the protection module of the server performs black-and-white list matching on the source address of the TCP SYN request through the black-and-white list module.
S303: and the black-and-white list module of the server sends the matching result to the protection module of the server.
In some embodiments, the matching result may be that the source address is in the whitelist, that it is in the blacklist, or that it is in neither list.
S304: and the protection module of the server determines that the source address is not in the black-and-white list according to the matching result.
S305: the guard module of the server limits the rate of TCP SYN requests according to a set threshold.
In other embodiments, when the matching result is that the source address is in the whitelist, the protection module lets the connection request through and the packet is passed to the kernel network stack of the server. When the matching result is that the source address is in the blacklist, the protection module discards the connection request without further processing.
S306: when the protection module of the server determines that the number of connection requests in the connection queue has not reached the connection threshold, it adds the TCP SYN to the connection queue.
S307: when the protection module of the server determines that the connection table does not contain the TCP SYN, it records the source address of the TCP SYN and the corresponding connection state in the connection table.
In some embodiments, the protection module of the server decides whether the connection table contains the TCP SYN by checking whether the source addresses in the connection table include the source address of the TCP SYN.
S308: the protection module of the server sends a TCP SYN-ACK to the client, and the client receives it. The source address of the TCP SYN-ACK is 2.2.2.2:YY and its destination address is 1.1.1.1:XXXX.
S309: the client sends a TCP ACK request to the server. The protection module of the server receives a TCP ACK request from the client.
S310: the protection module of the server performs black-and-white list matching on the source address of the TCP ACK through the black-and-white list module and determines that the source address is in neither list.
S311: the protection module of the server limits the rate of TCP ACKs according to the set threshold.
S312: when the protection module of the server determines that the number of connection requests in the connection queue has not reached the connection threshold, it adds the TCP ACK to the connection queue.
S313: when the protection module of the server determines that the connection table contains the source of the TCP ACK, it determines whether the flag bits of the TCP ACK match the connection state recorded for the TCP SYN in the connection table.
In some embodiments, the protection module of the server discards the TCP ACK when its flag bits do not match the connection state recorded for the TCP SYN in the connection table.
S314: when the flag bits of the TCP ACK match the connection state recorded for the TCP SYN in the connection table, the protection module of the server sends a TCP RST to the client.
After receiving the TCP RST, the client disconnects from the server.
S315: the protection module of the server adds the source address of the TCP ACK to the whitelist in the black-and-white list module. From then on the protection module treats requests from source address 1.1.1.1:XXXX as verified by the whitelist and passes them straight to the kernel network stack.
In some embodiments, the detection of TCP connection requests at steps S302-S315 may be implemented by utilizing XDP and eBPF techniques.
S316: the client re-initiates the connection through its reconnection mechanism and sends a TCP SYN to the server. The protection module of the server receives the TCP SYN from the client, matches its source address in the whitelist and passes it to the kernel network stack.
S317: the kernel network stack of the server sends a TCP SYN-ACK to the client.
S318: the client sends a TCP ACK to the server, establishing the connection. The kernel network stack of the server receives the TCP ACK and establishes the connection with the client.
S319: the client sends a data request to the server. The kernel network stack of the server receives the data request.
S320: the kernel network stack of the server sends a data response to the client.
S321: the client sends a TCP FIN to the server.
In some embodiments, by sending the TCP FIN the client notifies the server that it has no more data to send.
S322: the kernel network stack of the server sends a TCP FIN to the client.
In some embodiments, by sending the TCP FIN the kernel network stack notifies the client that the server has no more data to send, and the connection between the server and the client is closed.
Based on the content shown in fig. 3, the server performs lightweight packet processing before the kernel network stack handles the TCP request. Moving the TCP handling into the XDP layer avoids both the difficulty of developing a kernel module and the high overhead of the kernel network stack, which improves protection efficiency. The server handles the TCP protocol in the kernel layer using the performance and packet-processing capability of XDP and eBPF, which gives low-latency, high-throughput, highly concurrent TCP processing suited to large volumes of network traffic and connections. Users can customise the TCP processing logic and policy to their own needs by writing an eBPF program and loading it at the server's XDP layer, so the attack protection method of this application adapts to different application scenarios and requirements with a high degree of flexibility and programmability. The eBPF verifier checks and constrains any program the server loads, which provides a degree of safety assurance. Finally, handling the TCP protocol at the XDP layer improves reliability by reducing dependence on, and the potential for errors in, user-space handlers.
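Steps S308 and S314 require the protection module to build the SYN-ACK and the RST itself, because the kernel stack never sees the first handshake. The following plain-C example of that packet rewriting is added here and is not the patent's code: the sample frame, MAC addresses, ports, initial sequence numbers and the 54-byte header layout are constructed for the example, and the bounds-checked parse mirrors what the eBPF verifier demands of an XDP program before it may read a header.

```c
/* Added example in plain C, not the patent's code: the byte-level work behind S308
 * and S314. An XDP program sees the frame as [data, data_end) and must bounds-check
 * every header before reading it; that shape is kept here. The sample frame, MACs,
 * ports and sequence numbers are constructed for the example. */
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10
struct eth_h { uint8_t dst[6], src[6]; uint16_t proto; } __attribute__((packed));
struct ip_h  { uint8_t vhl, tos; uint16_t len, id, frag; uint8_t ttl, proto;
               uint16_t csum; uint32_t saddr, daddr; } __attribute__((packed));
struct tcp_h { uint16_t sport, dport; uint32_t seq, ack; uint8_t doff, flags;
               uint16_t win, csum, urp; } __attribute__((packed));
struct pkt { struct eth_h *eth; struct ip_h *ip; struct tcp_h *tcp; size_t tcp_len; };

/* RFC 1071 checksum; csum_fold gives the field in network order and yields 0 when
   run over a header whose checksum field is already correct. */
static uint32_t csum_add(uint32_t sum, const void *buf, size_t len) {
    const uint8_t *b = buf;
    for (; len > 1; len -= 2, b += 2) sum += (uint32_t)b[0] << 8 | b[1];
    return len ? sum + ((uint32_t)b[0] << 8) : sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return htons((uint16_t)~sum);
}
static uint16_t tcp_csum(const struct pkt *p) {
    uint8_t ph[12] = {0};                                /* IPv4 pseudo-header */
    memcpy(ph, (const uint8_t *)p->ip + 12, 8);          /* saddr, daddr */
    ph[9] = 6; ph[10] = p->tcp_len >> 8; ph[11] = p->tcp_len & 0xff;
    return csum_fold(csum_add(csum_add(0, ph, 12), p->tcp, p->tcp_len));
}

/* Verifier-style parse: fails closed on anything short, non-IPv4 or non-TCP. */
static int parse_tcp(uint8_t *data, uint8_t *data_end, struct pkt *p) {
    p->eth = (struct eth_h *)data;
    if ((uint8_t *)(p->eth + 1) > data_end || p->eth->proto != htons(0x0800)) return 0;
    p->ip = (struct ip_h *)(p->eth + 1);
    if ((uint8_t *)(p->ip + 1) > data_end || (p->ip->vhl >> 4) != 4 || p->ip->proto != 6) return 0;
    size_t ihl = (p->ip->vhl & 0x0f) * 4, tot = ntohs(p->ip->len);
    if (ihl < sizeof *p->ip || tot < ihl + sizeof *p->tcp || (uint8_t *)p->ip + tot > data_end) return 0;
    p->tcp = (struct tcp_h *)((uint8_t *)p->ip + ihl);
    p->tcp_len = tot - ihl;
    return 1;
}

/* Rewrites the client's segment into the guard's reply in place, ready for XDP_TX.
   A SYN becomes the SYN-ACK of S308, acknowledging the client's ISN+1. The ACK that
   completes the handshake becomes the RST of S314, whose sequence number is the one
   the client just acknowledged, so the client's TCP accepts it and tears down. */
static int build_reply(struct pkt *p, uint32_t our_isn) {
    uint32_t cseq = ntohl(p->tcp->seq), cack = ntohl(p->tcp->ack);
    switch (p->tcp->flags & (TH_SYN | TH_ACK | TH_RST)) {
    case TH_SYN: p->tcp->seq = htonl(our_isn); p->tcp->ack = htonl(cseq + 1);
                 p->tcp->flags = TH_SYN | TH_ACK; break;
    case TH_ACK: p->tcp->seq = htonl(cack);    p->tcp->ack = htonl(cseq);
                 p->tcp->flags = TH_RST | TH_ACK; break;
    default:     return 0;                               /* not a segment the guard answers */
    }
    uint8_t mac[6]; memcpy(mac, p->eth->dst, 6);
    memcpy(p->eth->dst, p->eth->src, 6); memcpy(p->eth->src, mac, 6);
    uint32_t a = p->ip->saddr; p->ip->saddr = p->ip->daddr; p->ip->daddr = a;
    uint16_t pt = p->tcp->sport; p->tcp->sport = p->tcp->dport; p->tcp->dport = pt;
    p->ip->ttl = 64; p->ip->id = 0;
    p->ip->csum = 0;  p->ip->csum = csum_fold(csum_add(0, p->ip, (p->ip->vhl & 0x0f) * 4));
    p->tcp->csum = 0; p->tcp->csum = tcp_csum(p);
    return 1;
}

/* Constructed sample frame: a bare SYN from 1.1.1.1:40000 to 2.2.2.2:80 with ISN 1000. */
static size_t make_syn(uint8_t *buf, size_t cap) {
    if (cap < 54) return 0;
    memset(buf, 0, 54);
    struct pkt p = { (struct eth_h *)buf, (struct ip_h *)(buf + 14), (struct tcp_h *)(buf + 34), 20 };
    memcpy(p.eth->dst, (uint8_t[6]){2, 0, 0, 0, 0, 2}, 6);
    memcpy(p.eth->src, (uint8_t[6]){2, 0, 0, 0, 0, 1}, 6);
    p.eth->proto = htons(0x0800);
    p.ip->vhl = 0x45; p.ip->len = htons(40); p.ip->ttl = 64; p.ip->proto = 6;
    p.ip->saddr = htonl(0x01010101); p.ip->daddr = htonl(0x02020202);
    p.tcp->sport = htons(40000); p.tcp->dport = htons(80); p.tcp->seq = htonl(1000);
    p.tcp->doff = 5 << 4; p.tcp->flags = TH_SYN; p.tcp->win = htons(65535);
    p.ip->csum = csum_fold(csum_add(0, p.ip, 20));
    p.tcp->csum = tcp_csum(&p);
    return 54;
}

/* Parse the sample SYN and build the SYN-ACK; 1 only if the reply goes back to the
   client, acknowledges ISN+1 and carries valid IP and TCP checksums. */
static int synack_roundtrip(void) {
    uint8_t buf[64]; struct pkt p;
    size_t n = make_syn(buf, sizeof buf);
    if (!n || !parse_tcp(buf, buf + n, &p) || !build_reply(&p, 777)) return 0;
    return csum_fold(csum_add(0, p.ip, 20)) == 0 && tcp_csum(&p) == 0
        && p.tcp->flags == (TH_SYN | TH_ACK) && p.ip->daddr == htonl(0x01010101)
        && ntohl(p.tcp->ack) == 1001 && ntohs(p.tcp->dport) == 40000;
}

/* A frame cut short of its TCP header must be rejected, never read past data_end. */
static int truncated_rejected(void) {
    uint8_t buf[64]; struct pkt p;
    return make_syn(buf, sizeof buf) && !parse_tcp(buf, buf + 40, &p);
}
```

The RST of S314 has to carry the sequence number the client just acknowledged: a RST whose sequence number is outside the client's receive window is silently ignored, and the connection would then sit half-open on the client side until it times out instead of being reconnected as S316 expects. The example also leaves the kernel out entirely, which is the point of XDP_TX: the reply is written over the incoming frame and sent back out of the same interface.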
As shown in fig. 4, an embodiment of the present application provides a complete flow diagram of an attack protection method, which includes the following steps:
S401: an attack protection program loaded in a server receives a connection request from a client at the edge entry (the XDP hook) of the server's kernel network stack.
S402: the attack protection program determines whether the black-and-white list contains the source address of the connection request; if not, step S403 is executed; if so, step S414.
S403: the attack protection program limits the rate of connection requests according to a set threshold.
In some embodiments, the attack protection program tracks the number of SYN packets from the source address of the connection request and limits the rate of connection requests according to the set threshold. For example, when the rate of connection requests exceeds the threshold, the attack protection program may discard them or delay its responses to relieve the server's load.
S404: the attack protection program determines whether the number of connection requests in the connection queue reaches a connection threshold; if yes, go to step S405; if not, step S406 is performed.
S405: the attack guard discards the connection request.
S406: the attack guard adds the connection request to the connection queue.
S407: the attack protection program determines whether the connection table contains the connection request; if not, step S408 is executed; if so, step S410.
In some embodiments, the attack protection program decides whether the connection table contains the connection request by checking whether the table contains the request's source address.
S408: the attack protection program adds the source address of the connection request and the connection state corresponding to the connection request to the connection table.
S409: the attack guard sends a connection response to the client.
S410: the attack protection program determines whether the flag bit of the connection request is matched with the connection state corresponding to the connection request in the connection table; if yes, go to step S411; if not, step S413 is performed.
S411: the attack guard determines the type of connection request as a normal request.
S412: the attack protection program sends the connection request to the kernel network stack so that the kernel network stack processes the connection request.
S413: the attack protection program determines that the type of the connection request is an abnormal request, and step S405 is then executed.
S414: the attack protection program determines whether the white list contains the source address of the connection request; if yes, go to step S411; if not, step S405 is performed.
Based on the content shown in fig. 4, the attack protection program lets the server take the client's connection request at the edge entry of the kernel network stack, process and forward it, and handle it in the kernel layer, so that attack protection is completed at the earliest processing stage of the packet. This avoids unnecessary packet transmission and processing and provides TCP processing with low latency, high throughput and high concurrency. Moving the TCP processing to the XDP layer at the edge entry also avoids the difficulty of developing a kernel module and the high overhead of the kernel network stack, which improves protection efficiency.
Based on the same inventive concept, the embodiment of the application further provides an attack protection device, and because the principle of solving the problem of the device is similar to that of the attack protection method, the device can be implemented by referring to the embodiment of the method, and the repetition is omitted.
As shown in fig. 5, a structural block diagram of an attack protection device provided in an embodiment of the present application includes:
a receiving unit 501, configured to receive a connection request from a client at the edge entry of the kernel network stack;
A detecting unit 502, configured to perform state detection on the connection request, and determine a type of the connection request; and when the type of the connection request is a normal request, sending the connection request to the kernel network stack so that the kernel network stack processes the connection request.
In an alternative embodiment, the detection unit 502 is specifically configured to:
determining whether a black-and-white list contains a source address of the connection request; the black-and-white list comprises a black list and a white list;
when the black-and-white list does not contain the source address of the connection request, determining whether the connection table contains the connection request;
when the connection table comprises the connection request, determining whether a flag bit of the connection request is matched with a connection state corresponding to the connection request in the connection table; if yes, determining the type of the connection request as the normal request; if not, determining that the type of the connection request is an abnormal type.
In an alternative embodiment, when the connection request is not included in the connection table, the detecting unit 502 is further configured to:
recording a source address of the connection request and a connection state of the connection request in the connection table;
And sending a connection response to the client.
In an alternative embodiment, when the black-and-white list contains the source address, the detecting unit 502 is further configured to:
when the source address of the connection request is in the white list, determining the type of the connection request as the normal request; or,
and when the source address of the connection request is in the blacklist, determining the type of the connection request as the abnormal request.
In an alternative embodiment, the detection unit 502 is further configured to:
and discarding the connection request when the type of the connection request is the abnormal request.
An alternative embodiment is that before determining whether the connection request is included in the connection table, the detecting unit 502 is further configured to:
limiting the rate of the connection requests according to a set threshold;
and when the number of the connection requests in the connection queue is determined to not reach the connection threshold, adding the connection requests into the connection queue.
In an alternative embodiment, after sending the connection request to the kernel network stack, the detecting unit 502 is further configured to:
and adding the source address of the connection request to a white list.
Corresponding to the embodiment of the attack protection method, the embodiment of the application also provides a server, such as the server shown in fig. 2.
The server includes at least a memory for storing data and a processor for data processing. The processor may be a microprocessor, a CPU, a GPU (Graphics Processing Unit), a DSP or an FPGA. The memory stores operation instructions, which may be computer-executable code, that implement each step of the attack protection method of the embodiments of the present application.
Fig. 6 is a schematic structural diagram of a server according to an embodiment of the present application; as shown in fig. 6, the server 100 in the embodiment of the present application includes: a processor 101, a display 102, a memory 103, an input device 106, a bus 105, and a communication module 104; the processor 101, memory 103, input device 106, display 102, and communication module 104 are all coupled via a bus 105, and the bus 105 is used to transfer data between the processor 101, memory 103, display 102, communication module 104, and input device 106.
The memory 103 may be used to store software programs and modules, such as the program instructions/modules corresponding to the attack protection method in the embodiments of the present application; the processor 101 executes the software programs and modules stored in the memory 103 and thereby performs the functional applications and data processing of the server 100, such as the attack protection method provided in these embodiments. The memory 103 may mainly include a program storage area and a data storage area: the program storage area may store an operating system and at least one application program, and the data storage area may store data created during use of the server 100, such as the black-and-white list. In addition, the memory 103 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device.
The processor 101 is a control center of the server 100, connects various parts of the entire server 100 using the bus 105 and various interfaces and lines, and performs various functions of the server 100 and processes data by running or executing software programs and/or modules stored in the memory 103, and calling data stored in the memory 103. Alternatively, the processor 101 may include one or more processing units, such as a CPU, GPU, digital processing unit, or the like.
The processor 101 may present the attack protection log to the user via the display 102.
The processor 101 may also transmit data to the client via the communication module 104, establish a connection, etc.
The input device 106 is mainly used to obtain input operations by the user.
The embodiment of the application also provides a computer-readable storage medium for the attack protection method, that is, a non-volatile medium whose content is not lost after power failure. The storage medium stores a software program comprising program code which, when read and executed by one or more processors of a computing device, implements any of the attack protection methods described in the embodiments of the present application.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.

Claims (10)

1. An attack protection method, comprising:
receiving a connection request from a client through an edge entry of a kernel network stack;
performing state detection on the connection request, and determining the type of the connection request;
and when the type of the connection request is a normal request, sending the connection request to the kernel network stack so that the kernel network stack processes the connection request.
2. The method of claim 1, wherein the performing the status detection on the connection request, determining the type of the connection request, comprises:
determining whether a black-and-white list contains a source address of the connection request; the black-and-white list comprises a black list and a white list;
when the black-and-white list does not contain the source address of the connection request, determining whether the connection table contains the connection request;
when the connection table comprises the connection request, determining whether a flag bit of the connection request is matched with a connection state corresponding to the connection request in the connection table; if yes, determining the type of the connection request as the normal request; if not, determining that the type of the connection request is an abnormal type.
3. The method of claim 2, wherein when the connection request is not included in the connection table, the method further comprises:
recording a source address of the connection request and a connection state of the connection request in the connection table;
and sending a connection response to the client.
4. The method of claim 2, wherein when the source address is included in the black-and-white list, the method further comprises:
When the source address of the connection request is in the white list, determining the type of the connection request as the normal request; or,
and when the source address of the connection request is in the blacklist, determining the type of the connection request as the abnormal request.
5. The method according to claim 4, wherein the method further comprises:
and discarding the connection request when the type of the connection request is the abnormal request.
6. The method of claim 2, wherein prior to said determining whether the connection request is included in the connection table, the method further comprises:
limiting the rate of the connection request according to a set threshold;
and when the number of the connection requests in the connection queue is determined to not reach the connection threshold, adding the connection requests into the connection queue.
7. The method of any of claims 1-6, wherein after the sending the connection request to the kernel network stack, the method further comprises:
and adding the source address of the connection request to a white list.
8. An attack protection device, the device comprising:
The receiving unit is used for receiving a connection request from the client through an edge entry of the kernel network stack;
the detection unit is used for carrying out state detection on the connection request and determining the type of the connection request; and when the type of the connection request is a normal request, sending the connection request to the kernel network stack so that the kernel network stack processes the connection request.
9. A server comprising a memory and a processor, the memory having stored thereon a computer program executable on the processor, which when executed by the processor, implements the method of any of claims 1-7.
10. A computer readable storage medium having a computer program stored therein, characterized in that the computer program, when executed by a processor, implements the method of any of claims 1-7.

Priority Applications (1)

Application Number: CN202311642703.XA (CN117714115A)
Priority Date: 2023-12-01
Filing Date: 2023-12-01
Title: Attack protection method, device, server and storage medium

Applications Claiming Priority (1)

Application Number: CN202311642703.XA (CN117714115A)
Priority Date: 2023-12-01
Filing Date: 2023-12-01
Title: Attack protection method, device, server and storage medium

Publications (1)

Publication Number: CN117714115A (en)
Publication Date: 2024-03-15

Family

ID: 90145373

Family Applications (1)

Application Number: CN202311642703.XA (CN117714115A, pending)
Priority Date: 2023-12-01
Filing Date: 2023-12-01
Title: Attack protection method, device, server and storage medium

Country Status (1)

Country: CN (1)
Link: CN117714115A (en)

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination