CN100579003C - Method and system for preventing TCP attack by utilizing network stream technology - Google Patents
- Publication number
- CN100579003C
- Authority
- CN
- China
- Prior art keywords
- stream
- tcp
- flag bit
- bit field
- attack
- Prior art date
- Legal status
- Expired - Fee Related
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/20—Network management software packages
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Abstract
The invention relates to the field of communication technology and discloses a method for defending against TCP attacks using network stream (NetStream) technology. It solves the problem in the prior art that the type of a TCP attack cannot be accurately detected. The method treats packets whose source IP address, destination IP address, source protocol port number, destination protocol port number, input interface, output interface, protocol type, type of service and TCP flag field are all identical as one stream; the type of the TCP attack is determined from the flag field of the stream; and the TCP attack is defended against according to that type. The invention applies mainly to network equipment that is under TCP attack. The invention also discloses a system for defending against TCP attacks using network stream technology.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a method and system for defending against TCP (Transmission Control Protocol) attacks using network stream technology.
Background technology
With the rapid development of Internet technology, network services have become increasingly rich in recent years and network traffic has grown rapidly. Traditional coarse-grained traffic statistics and management fall far short of what current business development demands in areas such as network traffic monitoring, network security management, and network monitoring and analysis. The emergence of network stream (NetStream) technology provides an important basic data platform for fine-grained traffic management.
NetStream is a technology for sampling, extracting and analysing packet information on network equipment; it provides functions for collecting statistics on, monitoring and analysing network traffic. NetStream is based on the notion of a "stream": a stream is a group of packets that share the following features: the same source and destination IP addresses, the same source and destination protocol port numbers, the same input and output interfaces, the same protocol type and the same type of service (ToS). A NetStream stream thus records information such as the Who, What, When, Where and How of traffic in the network. As network security receives ever more attention today, NetStream is increasingly applied to the detection of and defence against network attacks.
A TCP attack is a kind of network attack; its technical content is relatively low, but it is hard to guard against, so it is a means that attackers frequently adopt. The basic principle of a TCP attack is that the attacker uses hosts that have previously been compromised (including temporarily compromised hosts, so-called puppet machines) to bypass firewall checks and issue a large number of TCP connection requests to the target server, so that the server is kept busy responding to these requests and consumes, or even exhausts, a large amount of storage resources, causing it to refuse legitimate service requests from inside the network. Because of this characteristic, a TCP attack is also commonly called a TCP Flood attack.
When a network is under TCP attack and its traffic becomes abnormal, NetStream technology can detect key information such as where the TCP attack traffic comes from and where it is going, and so defend effectively against the attacker's attack.
In the prior art, however, the flag field of a NetStream stream is the bitwise OR of the flag fields of all TCP headers in the stream. If a TCP packet whose flag field is RST (connection reset) or FIN (end of the sender's byte stream) is received, the stream is aged immediately. When an attacker sends a large number of TCP packets with the RST or FIN flag set, every packet causes a stream to be built and then aged immediately, and this large volume of stream aging and rebuilding wastes forwarding-engine resources. Moreover, because NetStream merges the flag fields of all packets, the specific TCP attack type cannot be distinguished, which makes it difficult to meet the requirements of fine-grained network management.
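The following is an added example, not code from the patent: it replays a constructed packet sequence through a flow table that behaves as the prior art described above, keying streams on the seven-tuple only, OR-merging the flag fields of all packets, and aging a stream as soon as an RST or FIN packet arrives. It shows the two problems the paragraph names: a burst of RST packets from one source causes one stream build and one aging per packet, and a surviving stream's merged flag field no longer tells which flag each packet actually carried. The packets, addresses and interface names are constructed for the illustration.

```python
from collections import namedtuple

# TCP flag bits as they sit in the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# one sampled packet; the first eight fields form the prior-art stream key
Packet = namedtuple("Packet", "src dst sport dport in_if out_if proto tos flags")

def prior_art_key(pkt):
    """Prior-art NetStream key: the TCP flag field is NOT part of it."""
    return (pkt.src, pkt.dst, pkt.sport, pkt.dport,
            pkt.in_if, pkt.out_if, pkt.proto, pkt.tos)

def prior_art_netstream(packets):
    """Replay packets through a prior-art flow table.

    Returns (surviving streams as key -> OR-merged flag field,
             number of stream builds, number of immediate agings).
    """
    table, builds, aged = {}, 0, 0
    for pkt in packets:
        key = prior_art_key(pkt)
        if key not in table:
            table[key] = 0              # a new stream has to be built
            builds += 1
        table[key] |= pkt.flags         # flag fields of all packets are OR-merged
        if pkt.flags & (RST | FIN):     # RST or FIN: the stream is aged at once
            del table[key]
            aged += 1
    return table, builds, aged

def _pkt(src, sport, flags):
    # constructed sample packets, all towards 10.0.0.1:80 on the same interfaces
    return Packet(src, "10.0.0.1", sport, 80, "ge0", "ge1", 6, 0, flags)

# constructed traffic: a normal client exchange followed by a burst of RSTs
SAMPLE_PACKETS = [
    _pkt("10.0.0.5", 40000, SYN),
    _pkt("10.0.0.5", 40000, ACK),
    _pkt("10.0.0.5", 40000, PSH | ACK),
] + [_pkt("10.0.0.7", 40001, RST) for _ in range(5)]

def prior_art_demo():
    """Run the constructed sample through the prior-art table."""
    return prior_art_netstream(SAMPLE_PACKETS)

if __name__ == "__main__":
    table, builds, aged = prior_art_demo()
    for key, flags in table.items():
        print(key[0], "merged flag field 0x%02x" % flags)
    print("stream builds:", builds, "immediate agings:", aged)
```

The five RST packets produce five builds and five agings of the same seven-tuple, and the client's stream survives with the merged field SYN|ACK|PSH, from which it is impossible to tell whether the stream was a handshake, a data transfer, or a flood of any single flag.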
Summary of the invention
The invention provides a method and system for defending against TCP attacks using network stream technology. The flag-field information of TCP packets is collected by NetStream, in order to solve the problem in the prior art that the TCP attack type cannot be accurately detected.
A method for defending against TCP attacks using network stream technology comprises the following steps: packets whose source IP address, destination IP address, source protocol port number, destination protocol port number, input interface, output interface, protocol type, type of service and TCP flag field are all identical are treated as one stream; the type of the TCP attack is determined from the flag field of the stream; and the TCP attack is defended against according to its type. The flags of the TCP packet comprise: URG (urgent pointer field valid), PSH (this segment requests a push operation), ACK (acknowledgement field valid), SYN (sequence number synchronisation), RST (connection reset) and FIN (end of the sender's byte stream). Defending against the TCP attack according to its type specifically comprises: if the flag field of the stream is URG or PSH, stop processing the TCP packets; if the flag field of the stream is ACK or SYN, limit the number of TCP connections and half-open connections; if the flag field of the stream is RST or FIN, age the stream after a period of delay.
A system for defending against TCP attacks using network stream technology comprises a network stream sampling device and a network stream analysis and processing device:
Network stream sampling device: used to collect network traffic, treating packets whose source IP address, destination IP address, source protocol port number, destination protocol port number, input interface, output interface, protocol type, type of service and TCP flag field are all identical as one stream;
Network stream analysis and processing device: used to process the stream information collected by the network stream sampling device, analyse it to obtain the type of the TCP attack, and defend against the TCP attack according to its type. The flags of the TCP packet comprise: URG (urgent pointer field valid), PSH (this segment requests a push operation), ACK (acknowledgement field valid), SYN (sequence number synchronisation), RST (connection reset) and FIN (end of the sender's byte stream). Defending against the TCP attack according to its type specifically comprises: if the flag field of the stream is URG or PSH, stop processing the TCP packets; if the flag field of the stream is ACK or SYN, limit the number of TCP connections and half-open connections; if the flag field of the stream is RST or FIN, age the stream after a period of delay.
By adopting the technical solution of the embodiments of the invention, the location and type of a TCP attack in the network can be determined accurately and the attack defended against in a targeted way, avoiding the impact of such attacks on the performance of the network equipment and the consumption of its resources. At the same time, through interworking with the network stream analysis and processing device, dynamic protection against the attack source is achieved.
Description of drawings
Fig. 1 is a flow chart of a preferred embodiment of the method of the invention;
Fig. 2 is a structural diagram of a preferred embodiment of the system of the invention.
Embodiment
To make the purpose, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the accompanying drawings and embodiments.
The basic idea of the invention is to use the flag field of the TCP packet as part of the KEY value of a NetStream stream; that is, packets whose source IP address, destination IP address, source port number, destination port number, input/output interfaces, protocol type, type of service and TCP flag field are all identical are treated as one stream. This makes it possible to detect the TCP attack type exactly and to collect traffic statistics, and so to defend in a targeted way.
Fig. 1 is a flow chart of a preferred embodiment of the method of the invention. As shown in Fig. 1, the method comprises the following steps:
Step 101: sample the traffic at the network equipment. TCP packets for which all of the following information is identical are treated as one NetStream stream:
Source/destination IP address;
Source/destination port number;
Input/output interface;
Protocol type;
Type of service;
Flag field of the TCP packet.
Step 102: store the NetStream stream information.
Step 103: analyse the NetStream stream information and extract the flag-field information of the stream. The flag field of a TCP packet can take the following values:
URG: indicates that the urgent pointer field is valid;
PSH: indicates that this segment requests a push operation;
ACK: indicates that the acknowledgement field is valid;
SYN: indicates sequence number synchronisation;
RST: indicates a connection reset;
FIN: indicates the end of the sender's byte stream.
If the flag field is URG or PSH, go to step 104; if the flag field is ACK or SYN, go to step 105; if the flag field is RST or FIN, go to step 106.
Step 104: the network equipment stops processing the TCP packets, thereby blocking the attack source.
Step 105: the network equipment counts the number of TCP connections and half-open connections and limits them, or else stops processing the TCP packets.
Step 106: judge how active the NetStream stream is. If the inactive time is less than the set point, go to step 107; if the inactive time is greater than the set point, go to step 108.
Step 107: wait a delay time t1, then age the stream;
Step 108: wait a delay time t2, then age the stream.
For TCP packets whose flag field is RST or FIN, the embodiment of the invention does not age the stream immediately but ages it only after a period of delay. Specifically, aging is controlled by the inactive time, which is the interval between the last time the session was seen and now: the smaller the inactive time, the more active the stream. The delay for an active stream is longer than the delay for an inactive stream, i.e. delay time t1 is greater than delay time t2.
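Steps 101 to 108 above, worked through as an added example that is not code from the patent: streams are keyed on the seven-tuple plus the TCP flag field, each stream is classified by that field into one of the three defence actions, and RST/FIN streams get an aging delay chosen from their inactive time. The set point for the inactive time and the two delays t1 and t2 are assumed values (the patent fixes only that t1 is greater than t2); the packets, addresses, interface names and timestamps are constructed; and where a flag field matches more than one group, the code takes the groups in the order the description lists them, which is also an assumption.

```python
from collections import namedtuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# sampled packet with a timestamp (seconds) so the inactive time can be computed
Packet = namedtuple("Packet", "src dst sport dport in_if out_if proto tos flags ts")

# assumed tunables, not given in the patent: the inactive-time set point of
# step 106 and the two aging delays of steps 107/108, with t1 > t2
INACTIVE_SET_POINT = 30.0
T1_ACTIVE, T2_INACTIVE = 60.0, 10.0

def stream_key(pkt):
    """Step 101: the TCP flag field is part of the stream KEY."""
    return (pkt.src, pkt.dst, pkt.sport, pkt.dport,
            pkt.in_if, pkt.out_if, pkt.proto, pkt.tos, pkt.flags)

def build_streams(packets):
    """Steps 101/102: aggregate packets into flag-keyed streams, keeping a packet count and last-seen time."""
    table = {}
    for pkt in packets:
        s = table.setdefault(stream_key(pkt), {"packets": 0, "last_seen": pkt.ts})
        s["packets"] += 1
        s["last_seen"] = max(s["last_seen"], pkt.ts)
    return table

def classify(flags):
    """Step 103: choose the defence action from the stream's flag field.

    Groups are checked in the order the description lists them (assumed
    precedence); a flag field matching several groups takes the first match.
    """
    if flags & (URG | PSH):
        return "block"              # step 104: stop processing these packets
    if flags & (ACK | SYN):
        return "limit_connections"  # step 105: count and limit connections / half-open connections
    if flags & (RST | FIN):
        return "delayed_aging"      # step 106: age the stream only after a delay
    return "none"

def aging_delay(stream, now):
    """Steps 106-108: an active stream (inactive time below the set point) gets the longer delay t1."""
    inactive_time = now - stream["last_seen"]
    return T1_ACTIVE if inactive_time < INACTIVE_SET_POINT else T2_INACTIVE

def analyze(packets, now):
    """Return one decision record per stream."""
    decisions = []
    for key, s in build_streams(packets).items():
        action = classify(key[8])
        decisions.append({
            "src": key[0], "flags": key[8], "packets": s["packets"], "action": action,
            "aging_delay": aging_delay(s, now) if action == "delayed_aging" else None,
        })
    return decisions

def count_half_open(decisions):
    """Half-open connections for step 105: packets in streams whose flag field is exactly SYN."""
    return sum(d["packets"] for d in decisions if d["flags"] == SYN)

def _pkt(src, sport, flags, ts):
    # constructed sample packets, all towards 10.0.0.1:80 on the same interfaces
    return Packet(src, "10.0.0.1", sport, 80, "ge0", "ge1", 6, 0, flags, ts)

SAMPLE_PACKETS = (
    [_pkt("10.0.0.7", 40001, RST, 100.0 + i) for i in range(5)]       # RST burst: one stream, not five builds
    + [_pkt("10.0.0.8", 40002, FIN, 20.0)]                            # FIN stream that has been idle a long time
    + [_pkt("10.0.0.9", 41000 + i, SYN, 50.0 + i) for i in range(3)]  # SYNs on fresh ports: half-open connections
    + [_pkt("10.0.0.5", 40000, PSH | ACK, 105.0)]                     # a PSH|ACK stream
)
NOW = 110.0  # constructed "current time" for the inactive-time computation

def run_example():
    """Run the constructed sample through the flag-keyed analysis."""
    return analyze(SAMPLE_PACKETS, NOW)

if __name__ == "__main__":
    for d in run_example():
        print(d)
    print("half-open connections:", count_half_open(run_example()))
```

Because the flag field is in the key, the five RST packets collapse into a single stream instead of five build/age cycles, and the RST stream, seen 6 seconds before NOW, is held for the longer delay t1 while the FIN stream idle for 90 seconds gets the shorter t2. The three SYN-only streams are what step 105 counts as half-open connections.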
Fig. 2 is a structural diagram of a preferred embodiment of the system of the invention. As shown in Fig. 2, the system comprises a network stream sampling device, a network stream collecting device and a network stream analysis and processing device.
When the network equipment is subjected to an attack by TCP packets, the network stream sampling device samples the abnormal traffic on the network equipment and sends the collected NetStream stream information to the network stream collecting device. The NetStream stream information comprises: source/destination IP address, source/destination port number, input/output interfaces, protocol type, type of service and the flag field of the TCP packet.
The network stream collecting device receives the NetStream stream information sent by the network stream sampling device and stores it.
The network stream analysis and processing device obtains the collected NetStream stream information from the network stream collecting device; by analysing that information it can obtain the location and type of the TCP attack source, and it issues rules/policies for defending against the TCP attack to the network equipment.
If the flag field of the NetStream stream is URG or PSH, the network stream analysis and processing device issues a rule/policy to the network equipment to block the attack source, that is, the network equipment stops processing the TCP packets.
If the flag field of the NetStream stream is ACK or SYN, the network stream analysis and processing device issues a rule/policy to the network equipment to count connections, that is, the network equipment counts the number of TCP connections and half-open connections and limits them; a rule/policy to block the attack source may also be issued, that is, the network equipment stops processing the TCP packets.
If the flag field of the NetStream stream is RST or FIN, the network stream analysis and processing device issues a rule/policy of delayed aging to the network equipment, that is, the NetStream stream is not aged immediately but only after a period of delay.
It can be seen that by adopting the technical solution of the embodiments of the invention, not only can the location and type of the TCP attack in the network be accurately determined and the attack source blocked, but the rapid aging and rebuilding of large numbers of NetStream streams when an attacker uses TCP RST or TCP FIN packets can also be avoided, reducing the impact of such attacks on the performance of the network equipment and the consumption of its resources. At the same time, through interworking with the network stream analysis and processing device, dynamic protection against the attack source is achieved.
The above are only preferred embodiments of the invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the invention shall be included within its scope of protection.
Claims (5)
1. A method for defending against TCP attacks using network stream technology, characterised in that: packets whose source IP address, destination IP address, source protocol port number, destination protocol port number, input interface, output interface, protocol type, type of service and TCP flag field are all identical are treated as one stream; the type of the TCP attack is determined from the flag field of the stream; and the TCP attack is defended against according to its type;
the flags of the TCP packet comprise: URG (urgent pointer field valid), PSH (this segment requests a push operation), ACK (acknowledgement field valid), SYN (sequence number synchronisation), RST (connection reset) and FIN (end of the sender's byte stream);
defending against the TCP attack according to its type specifically comprises:
if the flag field of the stream is URG or PSH, stopping processing of the TCP packets;
if the flag field of the stream is ACK or SYN, limiting the number of TCP connections and half-open connections;
if the flag field of the stream is RST or FIN, aging the stream after a period of delay.
2. The method according to claim 1, characterised in that:
when the flag field of the stream is RST or FIN, aging the stream after a period of delay specifically comprises:
for an active stream, the delay is longer than the delay for an inactive stream;
an active stream means a stream whose inactive time is less than a set point, and an inactive stream means a stream whose inactive time is greater than the set point.
3. A system for defending against TCP attacks using network stream technology, characterised in that it comprises a network stream sampling device and a network stream analysis and processing device:
the network stream sampling device is used to collect network traffic, treating packets whose source IP address, destination IP address, source protocol port number, destination protocol port number, input interface, output interface, protocol type, type of service and TCP flag field are all identical as one stream;
the network stream analysis and processing device is used to process the stream information collected by the network stream sampling device, analyse it to obtain the type of the TCP attack, and defend against the TCP attack according to its type;
the flags of the TCP packet comprise: URG (urgent pointer field valid), PSH (this segment requests a push operation), ACK (acknowledgement field valid), SYN (sequence number synchronisation), RST (connection reset) and FIN (end of the sender's byte stream);
defending against the TCP attack according to its type specifically comprises:
if the flag field of the stream is URG or PSH, stopping processing of the TCP packets;
if the flag field of the stream is ACK or SYN, limiting the number of TCP connections and half-open connections;
if the flag field of the stream is RST or FIN, aging the stream after a period of delay.
4. The system according to claim 3, characterised in that: when the flag field of the stream is RST or FIN, aging the stream after a period of delay specifically comprises:
for an active stream, the delay is longer than the delay for an inactive stream;
an active stream means a stream whose inactive time is less than a set point, and an inactive stream means a stream whose inactive time is greater than the set point.
5. The system according to claim 3, characterised in that it further comprises a network stream collecting device, used to store the stream information collected by the network stream sampling device and to forward it to the network stream analysis and processing device.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200710124444A CN100579003C (en) | 2007-11-08 | 2007-11-08 | Method and system for preventing TCP attack by utilizing network stream technology |
PCT/CN2008/071259 WO2009059504A1 (en) | 2007-11-08 | 2008-06-11 | Method and system for defending against tcp attack |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200710124444A CN100579003C (en) | 2007-11-08 | 2007-11-08 | Method and system for preventing TCP attack by utilizing network stream technology |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101170402A CN101170402A (en) | 2008-04-30 |
CN100579003C true CN100579003C (en) | 2010-01-06 |
Family
ID=39390884
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN200710124444A Expired - Fee Related CN100579003C (en) | 2007-11-08 | 2007-11-08 | Method and system for preventing TCP attack by utilizing network stream technology |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN100579003C (en) |
WO (1) | WO2009059504A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI784938B (en) * | 2017-01-24 | 2022-12-01 | 香港商阿里巴巴集團服務有限公司 | Message cleaning method and device |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100579003C (en) * | 2007-11-08 | 2010-01-06 | 华为技术有限公司 | Method and system for preventing TCP attack by utilizing network stream technology |
CN102014110A (en) * | 2009-09-08 | 2011-04-13 | 华为技术有限公司 | Method for authenticating communication flows, communication system and protective device |
CN103023887B (en) * | 2012-11-26 | 2016-05-25 | 大唐移动通信设备有限公司 | A kind of method and apparatus based on File Transfer Protocol transfer files |
CN103001958B (en) * | 2012-11-27 | 2016-03-16 | 北京百度网讯科技有限公司 | Abnormal T CP message processing method and device |
CN107135185A (en) * | 2016-02-26 | 2017-09-05 | 华为技术有限公司 | A kind of attack processing method, equipment and system |
CN108200088B (en) * | 2018-02-02 | 2020-11-06 | 杭州迪普科技股份有限公司 | Attack protection processing method and device for network traffic |
CN109286630B (en) * | 2018-10-15 | 2021-11-19 | 深信服科技股份有限公司 | Method, device and equipment for processing equal insurance and storage medium |
CN110535861B (en) * | 2019-08-30 | 2022-01-25 | 杭州迪普信息技术有限公司 | Method and device for counting SYN packet number in SYN attack behavior identification |
CN110740144B (en) * | 2019-11-27 | 2022-09-16 | 腾讯科技(深圳)有限公司 | Method, device, equipment and storage medium for determining attack target |
CN111131180B (en) * | 2019-12-05 | 2022-04-22 | 成都西维数码科技有限公司 | Distributed deployed HTTP POST (hyper text transport protocol) interception method in large-scale cloud environment |
CN114329156A (en) * | 2022-01-07 | 2022-04-12 | 挂号网(杭州)科技有限公司 | Network information query method and device and electronic equipment |
CN115103000B (en) * | 2022-06-20 | 2023-09-26 | 北京鼎兴达信息科技股份有限公司 | Method for restoring and analyzing business session of railway data network based on NetStream |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7251692B1 (en) * | 2000-09-28 | 2007-07-31 | Lucent Technologies Inc. | Process to thwart denial of service attacks on the internet |
CN100531213C (en) * | 2006-03-20 | 2009-08-19 | 赵洪宇 | Network safety protective method for preventing reject service attack event |
CN100579003C (en) * | 2007-11-08 | 2010-01-06 | 华为技术有限公司 | Method and system for preventing TCP attack by utilizing network stream technology |
- 2007-11-08 CN CN200710124444A patent/CN100579003C/en not_active Expired - Fee Related
- 2008-06-11 WO PCT/CN2008/071259 patent/WO2009059504A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN101170402A (en) | 2008-04-30 |
WO2009059504A1 (en) | 2009-05-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN100579003C (en) | Method and system for preventing TCP attack by utilizing network stream technology | |
CN101505219B (en) | Method and protecting apparatus for defending denial of service attack | |
Liu et al. | Efficient DDoS attacks mitigation for stateful forwarding in Internet of Things | |
CN103856470B (en) | Detecting method of distributed denial of service attacking and detection device | |
CN101341715A (en) | Methods and devices for defending a 3g wireless network against malicious attacks | |
CN102263788A (en) | Method and equipment for defending against denial of service (DDoS) attack to multi-service system | |
CN107623685B (en) | Method and device for rapidly detecting SYN Flood attack | |
CN102882894A (en) | Method and device for identifying attack | |
CN101150586A (en) | CC attack prevention method and device | |
CN103117946A (en) | Flow sharing method based on combined application of isolating device and isolation gateway | |
CN101635720B (en) | Filtering method of unknown flow rate and bandwidth management equipment | |
Gavaskar et al. | Three counter defense mechanism for TCP SYN flooding attacks | |
CN107770113A (en) | A kind of accurate flood attack detection method for determining attack signature | |
CN105429974B (en) | A kind of intrusion prevention system and method towards SDN | |
CN105991632A (en) | Network security protection method and device | |
CN110300085B (en) | Evidence obtaining method, device and system for network attack, statistical cluster and computing cluster | |
CN106534111A (en) | Method for defending network attack for cloud platform based on flow rule | |
CN103269337B (en) | Data processing method and device | |
CN101795277A (en) | Flow detection method and equipment in unidirectional flow detection mode | |
CN100479419C (en) | Method for preventing refusal service attack | |
CN109936557A (en) | A kind of method and system based in ForCES framework using sFlow defending DDoS (Distributed Denial of Service) attacks | |
CN107770120A (en) | A kind of flood attack detection method of distributed monitoring | |
Wan et al. | A SIP DoS flooding attack defense mechanism based on priority class queue | |
Sahu et al. | A performance analysis of network under SYN-flooding attack | |
CN115664739B (en) | User identity attribute active detection method and system based on flow characteristic matching |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20100106 |