CN115694853A - Attack protection method and device, electronic equipment and storage medium - Google Patents
- Publication number
- CN115694853A (application CN202110849679.1A)
- Authority
- CN
- China
- Prior art keywords
- access
- attack
- access data
- server
- plug
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses an attack protection method and apparatus, an electronic device and a storage medium, and relates to the field of network technology. A server receives at least one piece of access data through an original interface that is located in the user space of the server, performs attack protection detection on that access data in user space to obtain a protection detection result, and, according to that result, determines a target access source from among the access sources corresponding to the access data. Unlike schemes that implement attack protection detection by attaching a dedicated piece of hardware, the detection is carried out on the access data in the server's own user space. This improves operability and reduces cost, and because the processing runs in user space it also greatly improves the performance of attack protection detection on the access data.
Description
Technical Field
The present invention relates to the field of network technologies, and in particular, to an attack protection method and apparatus, an electronic device, and a storage medium.
Background
A denial-of-service (DoS) attack is a network attack in which an attacker attempts to make a computer or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the network. Denial-of-service attacks are typically carried out by flooding the target host or resource with superfluous requests, which overloads the system and prevents some or all legitimate requests from being served.
In a distributed denial-of-service (DDoS) attack the attack traffic comes from many different sources. Existing DDoS protection schemes generally attach a dedicated DDoS protection appliance alongside an intermediate network device such as a core switch; that is, a piece of hardware is added in order to protect the core switch.
However, this protection scheme has several limitations:
First, operability is poor. The scheme is intrusive to the network architecture, and the customer who wants network-layer protection and the provider of the cloud service network are usually two different parties, so it is difficult for the customer to deploy such a set of network-layer protection equipment inside someone else's cloud service network.
Second, coverage is insufficient. Smaller cloud servers, virtual hosts and edge computing centres are hard to cover, because the cost of deploying network-layer DDoS protection equipment is very high and it is not practical to deploy such equipment in those scenarios.
Disclosure of Invention
In order to solve the problems in the prior art, embodiments of the present invention provide an attack protection method and apparatus, an electronic device, and a storage medium. The technical scheme is as follows:
In a first aspect, an attack protection method is provided, where the method includes:
receiving at least one piece of access data through an original interface, the original interface being located in a user space of the server;
performing attack protection detection on the at least one piece of access data in the user space to obtain a protection detection result;
and determining a target access source from the access sources corresponding to the at least one piece of access data according to the protection detection result.
In a second aspect, an attack protection device is provided, the device comprising:
a data receiving unit for receiving at least one piece of access data through an original interface, the original interface being located in a user space of the server;
a protection detection unit for performing attack protection detection on the at least one piece of access data in the user space to obtain a protection detection result;
and an access source determining unit for determining a target access source from the access sources corresponding to the at least one piece of access data according to the protection detection result.
In a third aspect, a computer-readable storage medium is provided, in which at least one instruction or at least one program is stored, and the at least one instruction or the at least one program is loaded and executed by a processor to implement the attack protection method according to the first aspect.
In a fourth aspect, a computer program product or computer program is provided, the computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and executes the computer instructions, so that the computer device executes the attack protection method provided in the first aspect.
With the method and device of the embodiments, the server receives at least one piece of access data through an original interface located in its user space, performs attack protection detection on that access data in user space to obtain a protection detection result, and determines a target access source from among the access sources corresponding to the access data according to that result. Unlike schemes that implement attack protection detection by attaching a dedicated piece of hardware, the detection is carried out on the access data in the server's own user space. This improves operability and reduces cost, and because the processing runs in user space it also greatly improves the performance of attack protection detection on the access data.
Drawings
In order to illustrate the technical solutions of the embodiments more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the invention; those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic diagram of an implementation environment provided by embodiments of the invention;
FIG. 2 is a schematic diagram of an implementation environment provided by embodiments of the invention;
fig. 3 is a schematic flowchart of an attack protection method according to an embodiment of the present invention;
fig. 4 is a schematic flowchart of performing attack protection detection according to an embodiment of the present invention;
fig. 5 is a schematic flowchart of a process for performing attack protection detection according to an embodiment of the present invention;
Fig. 6 is a block diagram of an attack protection device according to an embodiment of the present invention;
fig. 7 is a block diagram of a hardware structure of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, system, article, or apparatus.
Referring to fig. 1, a schematic diagram of an implementation environment according to an embodiment of the present invention is shown. The implementation environment is a conventional server network architecture and may include a server 10 and an access source 11. As shown in fig. 1, the server 10 may include a service processing device 101 for processing service requests from the access source 11. When the service processing device 101 is located inside the server 10, it can be regarded as a service processing module of the server 10. The access source 11 may be a gateway device such as a router or a switch; the server 10 is connected on one side of the access source 11 and clients on the other.
Optionally, the server 10 may further comprise an original interface 102 connecting the service processing device 101 and the access source 11. The server 10 receives a service request from the access source 11 through the original interface 102 and passes the request to the service processing device 101 through that interface.
In this conventional architecture the original interface runs in the kernel space of the server and is a kernel-mode virtual interface. Specifically, the server 10 may be a public cloud server with a virtual network card driver in its kernel space; the public cloud server exposes the original interface through that driver, receives data packets (service requests) on the original interface in kernel space and passes them to the service processing device. When the service processing device produces feedback data for the request, the server 10 returns the feedback data to the access source 11 through the original interface.
However, when such a conventional server network architecture is hit by a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack, the attacker can temporarily or indefinitely disrupt the services of the host connected to the network, making the server unavailable to its intended users.
In the embodiments of the present application, a denial-of-service (DoS) attack is one in which the attacker wants the attacked party (for example, a target server) to stop providing service. Attacks that exhaust network bandwidth are only a small part of denial-of-service attacks; any attack that causes trouble for the attacked party, so that some of its services are suspended or the target host even crashes, counts as a denial-of-service attack.
In the embodiments of the present application, a distributed denial-of-service (DDoS) attack is an attack mode that grew out of the conventional DoS attack. A single DoS attack is generally one-to-one, and its effect is obvious when the attacked host's resources are modest: a slow CPU, little memory or little network bandwidth. As computers and networks developed, however, with processing power and memory growing rapidly and gigabit-class networks appearing, DoS attacks became harder to pull off. For example, an attacker may be able to send 3,000 attack packets per second, but if the target server and its network link can handle 10,000 packets per second the attack has no noticeable effect. This is where DDoS arises: whereas a single DoS attack pits one attacker against one victim, DDoS brings many attackers (for example, a large number of hosts running attack software) against the victim, so the effect on the target host becomes obvious again.
There are many kinds of DoS and DDoS attack, and the SYN flood is one of the most common. A SYN flood exploits a weakness in the design of Transmission Control Protocol (TCP) connection setup: the attacker sends a large number of forged TCP connection requests in order to exhaust the resources of the attacked party (target host), saturating its CPU or running it out of memory.
A SYN flood exploits the TCP three-way handshake (Three-way Handshake). In the normal case the handshake proceeds as follows:
The visitor (client) sends the server a TCP segment with the SYN flag set. SYN (synchronize) is the synchronization segment; it carries the port used by the client and the initial sequence number of the TCP connection. This is the first handshake between visitor and server.
On receiving the visitor's SYN, the server returns a SYN+ACK segment to indicate that the request is accepted; its acknowledgement number is the visitor's sequence number plus one. ACK (acknowledgement) is the confirmation. This is the second handshake.
The visitor in turn returns an ACK segment to the server, acknowledging the server's sequence number plus one. The TCP connection is now established and the three-way handshake is complete.
Now consider the handshake between an attacker and a victim. Suppose a client suddenly crashes or goes offline after sending its SYN: the server, having sent its SYN+ACK, never receives the client's ACK (the third handshake cannot complete). The server normally retries (resends SYN+ACK) and discards the incomplete connection after waiting for a while. The length of this wait, called the SYN Timeout, is typically on the order of minutes (roughly 30 seconds to 2 minutes). One misbehaving visitor tying up a server thread for a minute is not a big problem, but if a malicious attacker mass-produces this situation (forging source IP addresses), the server must spend a great deal of resources maintaining a very large half-open connection list.
Merely storing and traversing that list consumes a lot of CPU time and memory, and on top of that the server keeps retrying SYN+ACK to every IP in the list. If the server's TCP/IP stack is not robust enough, the usual result is that the half-open connection backlog is exhausted and the host crashes; even if the system is powerful enough to survive, it is so busy handling the attacker's forged connection requests that it neglects the normal requests of real clients (which are, after all, a tiny fraction of the traffic). From a normal client's point of view the server has stopped responding. This is what is meant by the server being hit by a SYN flood.
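The half-open connection list described above is exactly the state a user-space protection module would track in order to pick out a target access source. The following C program is an added example, not code from the patent or from any VPP/DPDK project: it keeps a small table of half-open connections with a SYN timeout, counts them per source and flags any source that accumulates more pending handshakes than a limit, which is the condition the attacker creates by never sending the final ACK. The table size, the 30-second timeout, the per-source limit of 8 and the struct pkt view of a segment are illustrative assumptions; in a real deployment those fields would be read from the TCP header of frames pulled from the DPDK-owned interface. One caveat the page's own description implies: when every SYN carries a different forged source address, a per-source counter never trips, so this check catches a source that repeats itself and must be combined with other measures against fully randomised spoofing.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the patent's code): a user-space half-open connection
 * tracker of the kind a protection plug-in would run over packets read from
 * the DPDK-owned interface. Sizes and thresholds are illustrative assumptions. */
#define TABLE_SIZE      64   /* half-open entries the tracker will hold */
#define SYN_TIMEOUT_SEC 30   /* lower end of the 30 s .. 2 min range in the text */
#define PER_SRC_LIMIT   8    /* pending handshakes per source before it is flagged */

enum { TH_SYN = 0x02, TH_ACK = 0x10 };   /* TCP flag bits */

struct pkt {                 /* assumed, already-parsed view of one TCP segment */
    uint32_t src_ip;
    uint16_t src_port, dst_port;
    uint8_t  flags;
    uint32_t ts;             /* arrival time, seconds */
};

struct half_open {           /* one SYN_RCVD entry: identity plus when the SYN came */
    uint32_t src_ip;
    uint16_t src_port, dst_port;
    uint32_t seen_at;
    bool     used;
};

struct tracker {
    struct half_open tab[TABLE_SIZE];
    uint32_t blocked[TABLE_SIZE];   /* sources determined to be attack sources */
    int      nblocked;
};

static void tracker_init(struct tracker *t) { memset(t, 0, sizeof *t); }

static bool is_blocked(const struct tracker *t, uint32_t src_ip) {
    for (int i = 0; i < t->nblocked; i++)
        if (t->blocked[i] == src_ip) return true;
    return false;
}

static int half_open_count(const struct tracker *t, uint32_t src_ip) {
    int n = 0;
    for (int i = 0; i < TABLE_SIZE; i++)
        if (t->tab[i].used && t->tab[i].src_ip == src_ip) n++;
    return n;
}

/* Forget entries whose SYN timeout has elapsed; the server would have given up
 * retrying SYN+ACK on them, so they no longer count against their source. */
static void expire(struct tracker *t, uint32_t now) {
    for (int i = 0; i < TABLE_SIZE; i++)
        if (t->tab[i].used && now - t->tab[i].seen_at >= SYN_TIMEOUT_SEC)
            t->tab[i].used = false;
}

/* Returns true if the segment may be forwarded to the service processing
 * module, false if it is dropped in user space. */
static bool tracker_process(struct tracker *t, const struct pkt *p) {
    expire(t, p->ts);
    if (is_blocked(t, p->src_ip)) return false;

    if ((p->flags & (TH_SYN | TH_ACK)) == TH_SYN) {          /* first handshake */
        if (half_open_count(t, p->src_ip) >= PER_SRC_LIMIT) { /* too many pending */
            if (t->nblocked < TABLE_SIZE) t->blocked[t->nblocked++] = p->src_ip;
            return false;
        }
        for (int i = 0; i < TABLE_SIZE; i++)                  /* record SYN_RCVD */
            if (!t->tab[i].used) {
                t->tab[i] = (struct half_open){ p->src_ip, p->src_port,
                                                p->dst_port, p->ts, true };
                break;
            }
        return true;           /* table full: still forwarded, just not tracked */
    }
    if ((p->flags & (TH_SYN | TH_ACK)) == TH_ACK) {          /* third handshake */
        for (int i = 0; i < TABLE_SIZE; i++)                  /* close the entry */
            if (t->tab[i].used && t->tab[i].src_ip == p->src_ip &&
                t->tab[i].src_port == p->src_port && t->tab[i].dst_port == p->dst_port)
                t->tab[i].used = false;
    }
    return true;
}

int main(void) {
    struct tracker t;
    tracker_init(&t);
    /* constructed traffic: one legitimate handshake, then a one-source SYN burst */
    struct pkt syn = { 0x0a000001u, 40000, 80, TH_SYN, 0 };
    struct pkt ack = { 0x0a000001u, 40000, 80, TH_ACK, 1 };
    tracker_process(&t, &syn);
    tracker_process(&t, &ack);
    for (int i = 0; i < 20; i++) {
        struct pkt flood = { 0xc0a80001u, (uint16_t)(50000 + i), 80, TH_SYN, 2 };
        tracker_process(&t, &flood);
    }
    printf("10.0.0.1 blocked: %d, 192.168.0.1 blocked: %d, pending from 192.168.0.1: %d\n",
           is_blocked(&t, 0x0a000001u), is_blocked(&t, 0xc0a80001u),
           half_open_count(&t, 0xc0a80001u));
    return 0;
}
```

Run stand-alone, the program feeds in one legitimate handshake followed by twenty SYNs from a single source that never completes them: the legitimate source is forwarded and its entry closed by the ACK, the flooding source is flagged on its ninth pending SYN and dropped from then on, and once the SYN timeout has passed the stale entries are expired so the attacker's leftovers do not pin the table while the source stays on the blocked list.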
Based on this, embodiments of the present application provide a server network architecture capable of attack protection against distributed denial-of-service (DDoS) attacks. Referring to fig. 2, a schematic diagram of an implementation environment according to an embodiment of the present invention is shown; the implementation environment may include a server 20 and an access source 21. As shown in fig. 2, the server 20 may include a service processing device 201 for processing service requests from the access source 21. When the service processing device 201 is located inside the server 20, it may be regarded as a service processing module of the server 20. The access source 21 may be a gateway device such as a router or a switch; the server 20 is connected on one side of the access source 21 and the client (not shown in fig. 2) on the other.
The server 20 may further include an interaction module 202, which may be created by plug-in loading software provided on the server 20. The interaction module 202 may include an attack protection module 204, created by loading a protection plug-in with the plug-in loading software; at run time the attack protection module 204 performs attack protection detection on at least one piece of access data in user space to obtain a protection detection result.
Optionally, the server 20 may further comprise an original interface 203 connecting the interaction module 202 and the access source 21. The original interface 203 is obtained by loading a preset takeover plug-in with the plug-in loading software, so that the takeover plug-in takes over the original interface that previously resided in kernel space (such as the kernel-mode original interface shown in fig. 1) and yields an original interface that now resides in user space.
Optionally, the server 20 may further include a virtual interface 205 connecting the service processing device 201 and the interaction module 202. The virtual interface 205 is created by the started plug-in loading software and resides in kernel space.
Specifically, the server 20 may receive at least one piece of access data through an original interface located in its user space and perform attack protection detection on that access data in user space to obtain a protection detection result. Finally, the server determines a target access source from the access sources corresponding to the access data according to the protection detection result.
In some possible embodiments, the server 10 shown in fig. 1 and the server 20 shown in fig. 2 may each be an independent physical server, a server cluster or distributed system formed by several physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN, and big data and artificial intelligence platforms; this is not limited here.
In the embodiments of the present application, cloud computing is a computing model that distributes computing tasks over a resource pool formed by a large number of computers, so that application systems can obtain computing power, storage space and information services as required. The network that provides the resources is called the "cloud". To the user, resources in the "cloud" appear infinitely expandable and available at any time, on demand and paid for as used. The cloud computing resource pool mainly comprises computing devices (virtualized machines, including an operating system), storage devices and network devices. Divided by logical function, a Platform as a Service (PaaS) layer can be deployed on the Infrastructure as a Service (IaaS) layer, and a Software as a Service (SaaS) layer on the PaaS layer.
In the embodiment of the present application, cloud storage (cloud storage) is a new concept extended and developed on a cloud computing concept, and a distributed cloud storage system (hereinafter referred to as a storage system) refers to a storage system that integrates a large number of storage devices (storage devices are also referred to as storage nodes) of various types in a network through functions such as cluster application, a grid technology, and a distributed storage file system, and cooperates with each other through application software or an application interface to provide a data storage function and a service access function to the outside.
At present, a storage system stores data as follows. Logical volumes are created, and each logical volume is allocated physical storage space when it is created; this space may be made up of the disks of one storage device or of several. The client stores data on a logical volume, that is, on a file system; the file system divides the data into several parts, each of which is an object that contains not only the data but also additional information such as a data identifier (ID). The file system writes each object into the physical storage space of the logical volume and records the storage location of each object, so that when the client later requests the data the file system can serve it according to the recorded locations.
The process of allocating physical storage space for the logical volume by the storage system specifically includes: physical storage space is divided in advance into stripes according to a group of capacity measures of objects stored in a logical volume (the measures often have a large margin with respect to the capacity of the actual objects to be stored) and Redundant Array of Independent Disks (RAID), and one logical volume can be understood as one stripe, thereby allocating physical storage space to the logical volume.
In this embodiment, cloud servers include public clouds and private clouds. A public cloud generally refers to a cloud that a third-party provider makes available to users, usually over the Internet, free of charge or at low cost; its core attribute is shared resource service. Many such clouds provide services over today's open public network. A private cloud is built from cloud infrastructure and software and hardware resources inside a firewall so that all departments of an organization or enterprise can share the resources of a data centre. Creating a private cloud typically requires Infrastructure as a Service (IaaS) software in addition to the hardware resources.
The private cloud computing also comprises three layers of cloud hardware, a cloud platform and cloud service. In contrast, the cloud hardware is the user's own personal computer or server, not the cloud computing vendor's data center. Cloud computing vendors build data centers to provide public cloud services for millions of users, and therefore need to have tens of millions of servers. Private cloud computing serves only friends and family for an individual, and only employees of the enterprise and customers and providers for the enterprise, so that the personal computer or server of the individual or enterprise is sufficient to provide cloud services.
Referring to fig. 3, fig. 3 is a schematic flow chart illustrating an attack protection method according to an embodiment of the present invention, where the method can be applied to the system shown in fig. 2. It is noted that the present specification provides method steps as described in the examples or flowcharts, but may include more or less steps based on routine or non-inventive efforts. The order of steps recited in the embodiments is merely one manner of performing the steps in a multitude of sequences, and does not represent a unique order of performance. In actual system or product execution, sequential execution or parallel execution (e.g., parallel processor or multi-threaded environment) may be possible according to the embodiments or methods shown in the figures. Specifically, as shown in fig. 3, the method may include:
In step S301, at least one piece of access data is received through an original interface, the original interface being located in the user space of the server.
In the embodiments of the present application, the server may receive the at least one piece of access data through the original interface located in its user space, and the access data may be sent by at least one access source.
Optionally, the server may be a Cloud server, and may also be referred to as a Cloud Virtual Machine (CVM).
The cloud server may also be deployed as part of a blockchain. A blockchain is a new application mode of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and cryptographic algorithms. A blockchain is essentially a decentralized database: a chain of data blocks linked by cryptographic methods, each block containing a batch of network transactions and being used to verify the validity of that information (anti-tampering) and to generate the next block. A blockchain may comprise a blockchain underlying platform, a platform product service layer and an application service layer.
The blockchain underlying platform can comprise processing modules such as user management, basic services, smart contracts and operation monitoring. The user management module is responsible for identity management of all blockchain participants, including maintaining public and private key generation (account management), key management, the correspondence between real user identities and blockchain addresses (authority management), and, where authorized, supervising and auditing the transactions of certain real identities and providing rule configuration for risk control (risk-control audit). The basic service module is deployed on all blockchain node devices and verifies the validity of service requests, recording valid requests to storage after consensus is reached; for a new service request the basic service first performs interface adaptation analysis and authentication (interface adaptation), then encrypts the service information through a consensus algorithm (consensus management), transmits it completely and consistently to the shared ledger (network communication) and records it to storage. The smart contract module is responsible for registering, issuing, triggering and executing contracts; developers define contract logic in a programming language, publish it to the blockchain (contract registration), and the logic of the contract clauses is triggered by keys or other events and executed, with support for upgrading and cancelling contracts. The operation monitoring module is mainly responsible for deployment, configuration changes, contract settings and cloud adaptation during product release, and for visual output of real-time status during product operation, for example alarms, monitoring of network conditions, and monitoring of node device health.
The platform product service layer provides basic capability and an implementation framework of typical application, and developers can complete block chain implementation of business logic based on the basic capability and the characteristics of the superposed business. The application service layer provides the application service based on the block chain scheme for the business participants to use.
In an embodiment for obtaining an original interface located in user space, the server may, before receiving the access data through the original interface, start plug-in loading software provided on the server, where the plug-in loading software includes a preset takeover plug-in. Once the plug-in loading software has started, the server loads the preset takeover plug-in with it and uses that plug-in to take over the original interface that previously resided in kernel space (the kernel-mode original interface shown in fig. 1), thereby obtaining an original interface that now resides in user space (the user-mode original interface shown in fig. 2).
Optionally, "previously" refers to the time before the preset takeover plug-in is loaded, and "now" to the time after it is loaded.
Alternatively, the plug-in loading software may be the Vector Packet Processing (VPP) framework. In the embodiments of the application, VPP is a fast, extensible, multi-platform layer 2 to layer 4 network stack that runs in Linux user space. Its capabilities are extended through plug-ins; the Data Plane Development Kit (DPDK) plug-in is a prominent example and supplies VPP with important features and drivers.
Optionally, the preset takeover plug-in may be a preset interface takeover plug-in, which may be implemented by the DPDK plug-in.
In an alternative embodiment, where the plug-in loading software is VPP and the preset takeover plug-in is the DPDK plug-in, the server starts the VPP software provided on it; once started, VPP creates a virtual switch (the interaction module shown in fig. 2). The server then loads the DPDK plug-in using the started VPP, which takes over the network card of the server (such as a cloud server CVM) and drives it in the DPDK poll mode. As a result an interface named GigabitEthernet appears in the server, and this interface is the original interface now located in user space. In other words, through the DPDK plug-in the server takes over the original interface that previously resided in kernel space (the kernel-mode original interface of fig. 1) and turns it into an original interface that now resides in user space (the user-mode original interface of fig. 2). Optionally, the driver used may be a driver for a virtualized network interface.
Using VPP as the plug-in loading software and the DPDK plug-in as the preset takeover plug-in is only one optional implementation; other software with the same function may be used in this application.
In the embodiments of the present application, the DPDK plug-in is a data plane development kit: a set of libraries and drivers for efficient packet processing in user space, originally developed for the Intel Architecture (IA). In short, it is a software library for accelerating packet processing.
Unlike the general-purpose Linux kernel, DPDK is not designed for versatility but focuses on high-performance packet processing in network applications. Concretely, a DPDK application runs in user space (user mode) and receives and transmits packets through the data-plane libraries DPDK provides, bypassing the Linux kernel protocol stack (kernel mode). Because the kernel protocol stack is bypassed, the whole attack protection detection and handling scheme can run in user space, which greatly improves packet processing performance.
In step S303, attack protection detection is performed on at least one access data in the user space to obtain a protection detection result.
In the embodiment of the application, the server can perform attack protection detection on at least one access data in the user space to obtain a protection detection result. Fig. 4 is a schematic flowchart of a process for performing attack protection detection according to an embodiment of the present invention, where the process includes:
In step S3031, the protection plug-in is loaded using the plug-in loading software.
In this embodiment, when the plug-in loading software is the VPP software, after the VPP software is started, a VPP virtual switch (i.e., the switch module shown in fig. 2) may be generated in the server. The server may then load the protection plug-in with the started plug-in loading software.
In step S3033, attack protection detection is performed on the at least one access data in the user space based on the running protection plug-in, so as to obtain a protection detection result.
Since the DPDK application runs in the user space (user mode) and uses the data plane library provided by DPDK to receive and transmit data packets, the processing of the data packets by the Linux kernel protocol stack (kernel mode) is bypassed; thus, the process in which the server performs attack protection detection on the at least one access data based on the protection plug-in also runs in the user space.
In this embodiment of the present application, a server may perform attack protection detection on at least one access data in a user space based on a running protection plug-in, and fig. 5 is a schematic diagram illustrating a flow for performing attack protection detection according to an embodiment of the present invention, where the flow includes:
In step S501, an interception node is generated based on the running protection plug-in, and the interception node is located in the user space.
Optionally, the above-mentioned interception node may be a SYNCOOKIE node; on this basis, the server may obtain the SYNCOOKIE node located in the user space based on the running protection plug-in.
In step S503, the at least one access data is received by the interception node; each of the at least one access data includes an access source identification.
Optionally, the access data may be a message based on the TCP protocol, the UDP protocol, or the IP protocol, for example a TCP SYN message. The embodiments of the present application are described in conjunction with a SYN Flood attack, and therefore the three-way handshake of the TCP protocol is described.
The server may receive the at least one access data using the SYNCOOKIE node, where the at least one access data may include SYN messages sent by a normal access source and SYN messages sent by an abnormal access source (an attacker). Each access data may include an access source identification.
In step S505, first determination information is sent to the access source based on the interception node; the access source is the access source corresponding to the access source identification contained in each access data.
The server may determine each access source based on the access source identification included in each access data, and send the first determination information to the access source using the SYNCOOKIE node; the state of the connection at this point may be referred to as a half-open connection (semi-connection). The first determination (confirmation) information may be a returned SYN+ACK message.
Since the access source corresponding to the at least one access data may be a normal access source or an abnormal access source (an attacker), after the server sends the first determination information to an abnormal access source using the SYNCOOKIE node, the server may not receive the second determination information (i.e., the acknowledgement message ACK) returned by the abnormal access source. If the server does not receive the second determination information (for example, because it was lost on the link), the server retransmits the first determination information after a timeout; if the second determination information has still not been received after several retransmission timeouts, the server reclaims the resources and closes the half-open connection, as if the previous access data (the SYN message) sent by the abnormal access source had never been received.
In step S507, a protection detection result is obtained according to the second determination information fed back by the access source; the second determination information is determined based on the first determination information.
Optionally, the server may obtain the protection detection result according to the second determination information fed back by the access source; that is, the server determines that only the access sources from which the second determination information is received (including those that received the first determination information on the first transmission and those that received it through retransmission) pass the attack protection detection.
In step S305, a target access source is determined from the access sources corresponding to the at least one access data according to the protection detection result.
Optionally, the server may determine, according to the second determination information, target access data from the at least one access data, and determine an access source corresponding to the target access data as the target access source.
Optionally, the second determination information may carry identification information of the access source, and the server may determine the target access source from the access source corresponding to the at least one access data according to the identification information of the access source carried in the second determination information.
Among the access sources corresponding to the at least one access data, the access sources remaining after the target access source is removed can be considered attack access sources.
Optionally, the server may add the identification information of the target access source to the white list, add the identification information of the attack access source to the black list, and delete the access data transmitted by the attack access source.
In this embodiment of the present application, the server may create a virtual interface by using the started plug-in loading software, where the virtual interface is located in the kernel space, and the identification information of the virtual interface is the same as the identification information of the original interface located in the kernel space at the historical time.
Alternatively, the server may create the virtual interface based on the identification information of the original interface shown in fig. 1. The virtual interface may serve as the channel between the service processing device and the interaction module.
In some possible embodiments, the identification information of the original interface may be a media access control address (MAC address), an Internet Protocol address (IP address), or another character string that can be used to identify the original interface.
Specifically, the virtual interface created by the server may be a tap type interface. The MAC address of the virtual interface coincides with the MAC address of the original interface shown in fig. 1. Optionally, the original interface is of the veth type, which has the same effect as the tap type.
In some optional specific embodiments, in order to ensure connectivity between the original interface, the virtual interface and the interaction module (VPP virtual switch) shown in fig. 2, the server may create a bridge domain in the switch module and connect the original interface and the virtual interface to the bridge domain, respectively. In practical terms, this is analogous to plugging two network cables into a switch.
Continuing with the above: as already described, the server can add the identification information of the target access source to a white list, add the identification information of the attack access source to a black list, and delete the access data transmitted by the attack access source. After that, the SYNCOOKIE node may send reset information (a connection reset) to the target access source. The reset information is used to disconnect the current connection between the target access source and the SYNCOOKIE node and to restart the three-way handshake. When the target access source resends the access data, i.e., the SYN message, the SYNCOOKIE node extracts the access source identification information carried by the SYN message and finds that it is in the white list; at this point the SYNCOOKIE node forwards the access data (the SYN message) to the server, so that the server establishes the connection with the target access source through the three-way handshake and is ready to subsequently receive the service request of the target access source. Optionally, the service request is one type of request that the target access source may send; other types of request sent by the target access source may also be received. The service request is described here as an example, and other requests may be processed according to the actual situation.
In an optional embodiment, after the server determines the target access source from the access sources corresponding to the at least one access data according to the protection detection result, that is, after the access data has been cleaned, the method further includes: if a service request sent by the target access source is received based on the original interface, the server sends the service request to the service processing device based on the virtual interface located in the kernel space. In addition, if feedback data sent by the service processing device is received based on the virtual interface, the feedback data being determined based on the service request, the server may feed the feedback data back to the target access source based on the original interface.
Thus, the above embodiment completes both the first process, in which attack protection detection is performed on the access data in the user space to obtain the target access source, and the second process, in which the service request and the feedback data generated from it are transmitted through the original interface located in the user space and the virtual interface located in the kernel space.
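The SYN cookie interception flow of steps S501 to S507 and the white-list handling just described, as an added Python example that is not code from the patent. It assumes a constructed HMAC secret, a coarse timestamp clock injected for testability, and a simplified stateless node that re-answers a retransmitted SYN instead of retransmitting the SYN+ACK itself.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

# Constructed secret for the cookie MAC (assumption; rotate it in real deployments).
SECRET = b"example-syncookie-secret"


@dataclass
class Segment:
    """Minimal TCP segment model; src_ip is the access source identification."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0


def make_cookie(src_ip, src_port, dst_ip, dst_port, ts):
    """Encode a 32-bit ISN: 8-bit timestamp counter in the high byte and a
    24-bit HMAC over the 4-tuple and timestamp in the low bytes."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{ts}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return ((ts & 0xFF) << 24) | int.from_bytes(mac[:3], "big")


class SynCookieNode:
    """Interception node (step S501) running in user space in front of the
    server's own TCP stack. It keeps no half-open state: a source proves it
    is legitimate only by returning an ACK that carries a valid cookie."""

    def __init__(self, clock=None):
        self.whitelist = set()   # target access sources
        self.blacklist = set()   # attack access sources
        # clock yields a counter that advances every 64 s; injectable for tests
        self.clock = clock or (lambda: int(time.time()) // 64)

    def handle(self, seg):
        """Process one received access data item (step S503).

        Returns (action, reply): action is 'drop', 'reply', 'admit' or
        'forward'; reply is the segment to send back, if any."""
        if seg.src_ip in self.blacklist:
            return "drop", None
        if seg.flags == "SYN":
            if seg.src_ip in self.whitelist:
                # Source already verified: hand the SYN to the real server stack.
                return "forward", None
            isn = make_cookie(seg.src_ip, seg.src_port, seg.dst_ip,
                              seg.dst_port, self.clock())
            # First determination information (step S505): SYN+ACK whose
            # initial sequence number is the cookie.
            synack = Segment(seg.dst_ip, seg.dst_port, seg.src_ip,
                             seg.src_port, "SYN-ACK", seq=isn, ack=seg.seq + 1)
            return "reply", synack
        if seg.flags == "ACK":
            # Second determination information (step S507): the ACK must
            # acknowledge cookie + 1. Accept the current or previous window.
            cookie = (seg.ack - 1) & 0xFFFFFFFF
            now = self.clock()
            for ts in (now, now - 1):
                if make_cookie(seg.src_ip, seg.src_port, seg.dst_ip,
                               seg.dst_port, ts) == cookie:
                    self.whitelist.add(seg.src_ip)
                    # Reset the cookie connection; the white-listed source
                    # restarts the handshake and its next SYN is forwarded.
                    rst = Segment(seg.dst_ip, seg.dst_port, seg.src_ip,
                                  seg.src_port, "RST")
                    return "admit", rst
            return "drop", None
        return "drop", None

    def classify(self, seen_sources):
        """Step S305: every source that sent access data but never completed
        the cookie handshake is an attack access source."""
        self.blacklist |= set(seen_sources) - self.whitelist
        return set(self.whitelist), set(self.blacklist)


if __name__ == "__main__":
    node = SynCookieNode(clock=lambda: 100)
    server = ("198.51.100.10", 80)            # constructed addresses
    good = ("203.0.113.5", 40000)
    bad = ("192.0.2.77", 1234)
    _, synack = node.handle(Segment(*good, *server, "SYN", seq=1000))
    print(node.handle(Segment(*good, *server, "ACK", seq=1001, ack=synack.seq + 1)))
    node.handle(Segment(*bad, *server, "SYN", seq=5))  # flood source never ACKs
    print(node.classify({good[0], bad[0]}))
```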
In the embodiment of the present application, before the foregoing steps S301 to S305, after the system framework shown in fig. 2 is established, the following steps are further included:
Assuming that the target server provides a web query service externally, when the first access data from a client is sent to the target server via the access source (a gateway device), the gateway device does not know which of the multiple servers is the target server; therefore the gateway device needs a corresponding ARP forwarding table to send the access data to the target server correctly.
The process by which the access source (gateway device) learns the MAC address of the cloud server and writes it to the ARP table is described in detail here. First, the gateway device caches the access data (user request) and sends an ARP broadcast request (an ARP request whose target MAC is all f's) out of each interface. After receiving the ARP request, the cloud server connected to the gateway device sends an ARP response message if it determines that the target IP is its own IP, that is, that it is the target server. Other cloud servers do not respond to the broadcast because they determine that the target IP is not their own. After receiving the ARP response, the gateway writes the MAC address of the target IP into the ARP table and then sends the access data to the target server; subsequent access requests or service requests can then be forwarded directly.
In the above scenario, on the server side the VPP virtual switch with the specific attack protection detection function (or the VPP virtual switch containing the attack protection module) does something similar to the gateway device. After receiving the ARP broadcast packet from the original interface, the VPP virtual switch queries its local FIB forwarding table (the gateway generally performs layer-3 forwarding, that is, forwarding according to the ARP table, whereas the VPP virtual switch acts as a layer-2 forwarding device; a layer-2 device forwards according to the FIB table, whose entries contain a MAC address and the corresponding interface number), and floods the packet if no entry exists. Flooding is a layer-2 concept and differs from ARP broadcasting: the VPP virtual switch does not understand the layer-3 protocol and does not change the target MAC of the received packet to all f's; it simply sends the received packet out of all interfaces other than the one it was received on. The virtual interface receives the flooded ARP message, and because the virtual interface is taken over by a Linux kernel driver, the kernel protocol stack sends the ARP response message out of the virtual interface. After receiving the ARP response, the VPP virtual switch learns the MAC address corresponding to the virtual interface, writes it into the FIB table, and then sends the ARP response message to the gateway device through the original interface. Subsequent packets can be forwarded by the VPP virtual switch directly, without flooding.
In the embodiment of the application, after receiving an access request sent by the gateway device, the VPP virtual switch corresponding to the VPP software executes the security protection logic, discards the access data of malicious attacks, and forwards normal service traffic (including normal access data and service data) to the virtual interface. The virtual interface therefore never sees the malicious traffic and only needs to respond to normal traffic.
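The layer-2 learning and flooding behaviour of the VPP virtual switch described above, together with the discarding of black-listed access data before forwarding, as an added Python model that is not VPP's code or the patent's. The interface names, MAC addresses, IP addresses and the black list are constructed.

```python
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    """Constructed Ethernet frame model; kind labels the payload for readability."""
    src_mac: str
    dst_mac: str
    kind: str          # e.g. "arp-request", "arp-reply", "tcp-syn"
    src_ip: str = ""   # access source identification used by the black list


class BridgeDomain:
    """Layer-2 bridge domain with a MAC -> interface FIB, modeled on the VPP
    virtual switch in the text. Frames from attack access sources are
    dropped by the protection hook before any learning or forwarding."""

    def __init__(self, interfaces, blacklist=None):
        self.interfaces = list(interfaces)
        self.fib = {}                       # MAC address -> interface name
        self.blacklist = set(blacklist or ())
        self.events = []                    # (action, in_if, detail) audit trail

    def receive(self, in_if, frame):
        """Return the list of egress interfaces for a frame received on in_if."""
        if frame.src_ip and frame.src_ip in self.blacklist:
            self.events.append(("drop", in_if, frame.src_ip))
            return []
        # Learn: the sender's MAC is reachable through the ingress interface.
        self.fib[frame.src_mac] = in_if
        out_if = self.fib.get(frame.dst_mac)
        if frame.dst_mac == BROADCAST_MAC or out_if is None:
            # Flood: copy to every interface except the ingress one. Unlike an
            # ARP broadcast, the destination MAC is left untouched.
            egress = [i for i in self.interfaces if i != in_if]
            self.events.append(("flood", in_if, egress))
            return egress
        if out_if == in_if:
            return []                       # destination is on the ingress side
        self.events.append(("forward", in_if, out_if))
        return [out_if]


def arp_learning_scenario():
    """Replay the ARP exchange from the text between the gateway (behind the
    original interface) and the kernel stack (behind the virtual interface)."""
    original, virtual = "GigabitEthernet0", "tap0"     # constructed names
    gw_mac, srv_mac = "02:00:00:00:00:01", "02:00:00:00:00:02"
    bd = BridgeDomain([original, virtual], blacklist={"192.0.2.77"})
    steps = {}
    # 1. Gateway ARP broadcast arrives on the original interface: no FIB entry
    #    for the broadcast MAC, so it is flooded to the virtual interface.
    steps["arp_request"] = bd.receive(
        original, Frame(gw_mac, BROADCAST_MAC, "arp-request"))
    # 2. The kernel stack answers from the virtual interface; the gateway MAC
    #    was learned in step 1, so the reply is forwarded without flooding.
    steps["arp_reply"] = bd.receive(
        virtual, Frame(srv_mac, gw_mac, "arp-reply"))
    # 3. A cleaned SYN from a target access source now goes straight to tap0.
    steps["syn"] = bd.receive(
        original, Frame(gw_mac, srv_mac, "tcp-syn", src_ip="203.0.113.5"))
    # 4. Access data from a black-listed attack source never reaches tap0.
    steps["attack"] = bd.receive(
        original, Frame(gw_mac, srv_mac, "tcp-syn", src_ip="192.0.2.77"))
    return bd, steps


if __name__ == "__main__":
    bd, steps = arp_learning_scenario()
    for name, egress in steps.items():
        print(f"{name:12s} -> {egress}")
    print("FIB:", bd.fib)
```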
In some related technologies, there is also a host-layer DDoS protection scheme based on the eXpress Data Path (XDP), where XDP refers to an eBPF-based high-performance data path that has been merged into the Linux kernel since version 4.8. In this scheme, the XDP technology is used to inject DDoS protection code into the Linux kernel, so that message detection and protection can be carried out after the network card receives a packet, and normal traffic is then released to the Linux kernel protocol stack.
However, this approach has three major drawbacks:
First, this approach requires specific kernel support: only Linux kernels with a version greater than 4.8 support running XDP programs, so many lower-version kernels cannot use this approach, and version compatibility problems may therefore hinder its application and popularization.
Second, because the Linux kernel places many restrictions on XDP, the things that can be done are limited. More specifically, XDP runs in kernel space, whereas the VPP software runs in user space and can freely request resources in user space. Since the security requirements of kernel space are stricter than those of user space, the Linux kernel imposes many restrictions on XDP, including many restrictions on resource provisioning, which ultimately limits the functionality of the XDP-based host-layer DDoS protection scheme.
Third, there is a performance problem: receiving a packet in the Linux kernel raises an interrupt, and interrupts greatly reduce the processing efficiency of the data plane. Specifically, besides the XDP-based host-layer DDoS protection scheme, the Linux kernel also runs other processes, and each of them needs the kernel to allocate resources. Therefore, while the DDoS protection scheme is being processed, other processes are interrupted and resumed, which ultimately reduces the processing efficiency of the data plane.
In the present application, the VPP software is used to start the DPDK plug-in, which runs in the user space (user mode) and receives and transmits data packets using the data plane library provided by the DPDK plug-in, so that the data packets are processed while bypassing the Linux kernel protocol stack (kernel mode). Precisely because the kernel protocol stack (kernel state) is bypassed, the whole scheme can run in the user space during attack protection detection processing, so the performance of data processing can be greatly improved.
In some related technologies, a machine may be added in front of the service server for load balancing, with DDoS protection software deployed on this ProxyServer, and the cleaned traffic is forwarded to the service host. However, because of the particularity of this network architecture, many cloud service providers do not offer it, and clients have to build the ProxyServer themselves, which is very costly. In addition, the ProxyServer can only forward within a small layer-2 network and cannot forward across regions, so the utilization of the built network architecture is not high.
In some related technologies, a dedicated DDoS protection device may be attached to a network intermediate device such as a core switch; attack traffic is diverted to the protection device, and the cleaned traffic is then injected back into the core switch. However, since the client who needs network-layer protection and the provider of the cloud service network are usually two different parties, it is difficult for the client to deploy such a set of network-layer protection devices in someone else's cloud service network environment.
In summary, the embodiment of the present application uses the VPP software in place of the above hardware devices; it needs no special network support, has no kernel limitations, and, by performing attack protection detection in user space, avoids the interruption of processes in the kernel, thereby achieving optimal performance. Secondly, the VPP software can run directly on a physical host or a cloud host, so the business is neither intruded upon nor aware of it; the method is therefore suitable for different application scenarios and easy to popularize. Moreover, the DPDK software and PMD drivers support most types of network cards and virtual network cards, and the VPP software is independent of the kernel version and operating system version, so the scheme can run on most cloud servers.
Optionally, the embodiment of the application can be applied to DDoS security protection scenarios such as cloud security services, host security protection, edge computing, and overseas games. When a third-party cloud server is used and a proprietary DDoS protection device cannot be deployed, the scheme can be used to realize host-layer DDoS protection. In addition, in some edge computing scenarios, where the service servers are numerous and distributed and the cost of deploying dedicated DDoS protection equipment is too high, the scheme can be adopted to perform host-layer DDoS protection.
Please refer to fig. 6, which is a schematic structural diagram illustrating an attack protection apparatus according to an embodiment of the present invention, where the apparatus has a function of implementing the attack protection method in the foregoing method embodiment, and the function may be implemented by hardware or by hardware executing corresponding software. As shown in fig. 6, the apparatus may include:
a data receiving unit 601, configured to receive at least one access data based on an original interface; the original interface is positioned in a user space of the server;
a protection detection unit 602, configured to perform attack protection detection on at least one access data in a user space to obtain a protection detection result;
an access source determining unit 603, configured to determine, according to the protection detection result, a target access source from the access sources corresponding to the at least one access data.
As a possible implementation, the apparatus further comprises:
the starting unit is used for starting the plug-in loading software;
the loading unit is used for loading the preset takeover plug-in by using the started plug-in loading software;
the takeover unit is used for taking over, based on the preset takeover plug-in, the original interface that is in the kernel space at the historical time to obtain the original interface that is in the user space at the current time;
the historical time is the time when the preset takeover plug-in is not loaded, and the current time is the time when the preset takeover plug-in is loaded.
As a possible implementation, the protection detection unit is configured to:
loading a protection plug-in by using plug-in loading software;
and carrying out attack protection detection on at least one access data in a user space based on the running protection plug-in to obtain a protection detection result.
As a possible implementation, the protection detection unit is configured to:
generating an interception node based on the running protection plug-in; the interception node is positioned in the user space;
receiving at least one access data with an interception node; each of the at least one access datum comprises an access source identification;
sending first determination information to an access source based on the interception node; the access source is the access source corresponding to the access source identification contained in each piece of access data;
obtaining a protection detection result according to second determination information fed back by the access source; the second determination information is determined based on the first determination information.
As a possible implementation, the protection detection unit is configured to:
determining target access data from the at least one access data according to the second determination information;
and determining an access source corresponding to the target access data as a target access source.
As a possible embodiment, the apparatus further comprises:
the creating unit is used for creating a virtual interface by using the started plug-in loading software; the virtual interface is positioned in the kernel space;
the identification information of the virtual interface is the same as the identification information of the original interface located in the kernel space at the historical time.
As a possible embodiment, the apparatus further comprises:
and the data transmission unit is used for sending the service request to the service processing equipment based on the virtual interface positioned in the kernel space if the service request sent by the target access source is received based on the original interface.
As a possible embodiment, the apparatus further comprises:
the data feedback unit is used for receiving feedback data sent by the service processing device based on the virtual interface, the feedback data being determined based on the service request, and for feeding the feedback data back to the target access source based on the original interface.
It should be noted that, when the apparatus provided in the foregoing embodiment implements the functions thereof, only the division of the functional modules is illustrated, and in practical applications, the functions may be distributed by different functional modules according to needs, that is, the internal structure of the apparatus may be divided into different functional modules to implement all or part of the functions described above. In addition, the apparatus and method embodiments provided by the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments for details, which are not described herein again.
An embodiment of the present invention provides an electronic device, where the electronic device includes a processor and a memory, where the memory stores at least one instruction or at least one program, and the at least one instruction or the at least one program is loaded and executed by the processor to implement the attack protection method provided by the above method embodiment.
The memory may be used to store software programs and modules, and the processor executes various functional applications and attack protection by running the software programs and modules stored in the memory. The memory may mainly comprise a program storage area and a data storage area, where the program storage area may store an operating system, application programs needed by functions and the like, and the data storage area may store data created according to use of the apparatus and the like. Further, the memory may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage devices. Accordingly, the memory may also include a memory controller to provide the processor with access to the memory.
The method provided by the embodiment of the invention can be executed in a computer terminal, a server or a similar operation device. Fig. 7 is a block diagram of a hardware structure of an electronic device that runs an attack protection method according to an embodiment of the present invention, and as shown in fig. 7, an internal structure of the electronic device may include, but is not limited to: a processor, a network interface, and a memory. The processor, the network interface, and the memory in the electronic device may be connected through a bus or in other ways, and fig. 7 shown in the embodiment of the present specification is exemplified as being connected through a bus.
The processor (or CPU) is the computing core and control core of the electronic device. The network interface may optionally include a standard wired interface and a wireless interface (e.g., WI-FI, a mobile communication interface, etc.). The memory is a storage device in the electronic device for storing programs and data. It is understood that the memory here may be a high-speed RAM storage device, or may be a non-volatile storage device (non-volatile memory), such as at least one magnetic disk storage device; optionally, it may be at least one storage device located remotely from the processor. The memory provides a storage space that stores the operating system of the electronic device, which may include, but is not limited to: a Windows system (an operating system), a Linux system (an operating system), an Android system, an iOS system, etc., which are not limited in the present invention; also, one or more instructions, which may be one or more computer programs (including program code), are stored in the storage space and are adapted to be loaded and executed by the processor. In this embodiment of the present specification, the processor loads and executes one or more instructions stored in the memory to implement the attack protection method provided by the above-described method embodiment.
Embodiments of the present invention also provide a computer-readable storage medium, which may be disposed in an electronic device to store at least one instruction or at least one program for implementing an attack protection method, where the at least one instruction or the at least one program is loaded and executed by the processor to implement the attack protection method provided by the foregoing method embodiments.
Embodiments of the present invention also provide a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to execute the attack protection method provided in the above-mentioned various alternative implementations.
Optionally, in this embodiment, the storage medium may include but is not limited to: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
It should be noted that: the precedence order of the above embodiments of the present invention is only for description, and does not represent the merits of the embodiments. And specific embodiments thereof have been described above. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
All the embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from other embodiments. In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.
Claims (11)
1. An attack protection method, characterized in that the method comprises:
receiving at least one access data based on an original interface; the original interface is located in a user space of a server;
carrying out attack protection detection on the at least one access data in the user space to obtain a protection detection result;
and determining a target access source from the access sources corresponding to the at least one piece of access data according to the protection detection result.
2. The attack protection method according to claim 1, wherein before receiving at least one access data based on the original interface, the method further comprises:
starting the plug-in loading software;
loading a preset connection-taking plug-in by using the started plug-in loading software;
taking over an original interface with historical time in a kernel space based on the preset taking-over plug-in, and obtaining the original interface with current time in the user space;
the historical time is the time when the preset pipe connection plug-in unit is not loaded, and the current time is the time when the preset pipe connection plug-in unit is loaded.
3. The attack protection method according to claim 2, wherein the performing attack protection detection on the at least one access data in the user space to obtain a protection detection result comprises:
loading a protection plug-in by using the plug-in loading software;
and carrying out attack protection detection on the at least one access data in the user space based on the running protection plug-in to obtain a protection detection result.
4. The attack protection method according to claim 3, wherein the performing attack protection detection on the at least one access data in the user space based on the running protection plug-in obtains a protection detection result, and includes:
generating an interception node based on the protection plug-in operation; the interception node is located in the user space;
receiving, with the intercept node, the at least one access data; each of the at least one access datum comprises an access source identification;
sending first determination information to an access source based on the interception node; the access source identifies a corresponding access source for the access source contained in each piece of access data;
obtaining the protection detection result according to second determination information fed back by the access source; the second determination information is determined based on the first determination information.
5. The attack protection method according to claim 4, wherein the determining a target access source from the access sources corresponding to the at least one piece of access data according to the protection detection result includes:
determining target access data from the at least one access data according to the second determination information;
and determining an access source corresponding to the target access data as the target access source.
6. The attack protection method according to claim 2, further comprising:
creating a virtual interface by using the started plug-in loading software; the virtual interface is located in the kernel space;
the identification information of the virtual interface is the same as the identification information of the original interface located in the kernel space at the historical time.
7. The attack protection method according to claim 6, wherein after determining a target access source from the access sources corresponding to the at least one piece of access data according to the protection detection result, the method further comprises:
and if the service request sent by the target access source is received based on the original interface, sending the service request to service processing equipment based on the virtual interface positioned in the kernel space.
8. The attack protection method according to claim 7, wherein after sending the service request to a service processing device based on the virtual interface located in the kernel space, the method further comprises:
receiving feedback data sent by the service processing equipment based on the virtual interface; the feedback data is determined based on the service request;
and feeding back the feedback data to the target access source based on the original interface.
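Claims 4 to 8 describe a procedure (interception node, first and second determination information, target access source, forwarding via the virtual interface) without fixing the data formats. The following is an added simulation of that procedure, not code from the patent or its applicant. Its assumptions are labelled: the first determination information is modelled as a per-source challenge derived with an HMAC over the access source identification and a node secret (a SYN-cookie-style choice made here so the node keeps no state for sources that never answer), the second determination information is the challenge echoed back, and the virtual interface and service processing equipment are in-process stubs. Class and function names (`InterceptionNode`, `VirtualInterface`, `ProtectedServer`, `run_demo`) are hypothetical.

```python
"""Added example: simulation of the interception-node flow of claims 4-8.

Not the patent's code. Assumptions the claims leave open:
- 'first determination information' = HMAC(node secret, access source id),
  truncated to 8 bytes (SYN-cookie-style, stateless until a source answers);
- 'second determination information' = that challenge echoed back by the source;
- the kernel-space virtual interface and the service processing equipment are
  in-process stubs; all traffic below is constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class AccessData:
    """One piece of access data; each carries an access source identification."""
    source_id: str      # e.g. the client address as seen on the original interface
    payload: bytes


class InterceptionNode:
    """User-space interception node generated by the protection plug-in (claim 4)."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret            # node-local secret (assumption)
        self.targets: Set[str] = set()   # access sources that passed detection

    def first_determination(self, source_id: str) -> bytes:
        # Stateless challenge: only a host that really receives traffic addressed
        # to source_id learns this value, so a spoofed source cannot answer it.
        return hmac.new(self._secret, source_id.encode(), hashlib.sha256).digest()[:8]

    def check(self, data: AccessData, second: Optional[bytes]) -> bool:
        """Protection detection result for one piece of access data."""
        if second is None:
            return False                 # the source never answered the challenge
        expected = self.first_determination(data.source_id)
        return hmac.compare_digest(expected, second)

    def determine_targets(self, batch: List[AccessData],
                          responses: Dict[str, Optional[bytes]]) -> Set[str]:
        """Claim 5: target access data -> target access sources."""
        for data in batch:
            if self.check(data, responses.get(data.source_id)):
                self.targets.add(data.source_id)
        return set(self.targets)


class VirtualInterface:
    """Stand-in for the kernel-space virtual interface of claim 6."""

    def __init__(self, name: str, service: Callable[[bytes], bytes]) -> None:
        self.name = name                 # same identification as the original interface
        self._service = service          # stands in for the service processing equipment

    def send(self, request: bytes) -> bytes:
        return self._service(request)    # claim 8: feedback data derived from the request


class ProtectedServer:
    """Ties the user-space original interface to the node and the virtual interface."""

    def __init__(self, node: InterceptionNode, vif: VirtualInterface) -> None:
        self.node = node
        self.vif = vif

    def handle_service_request(self, source_id: str, request: bytes) -> Optional[bytes]:
        # Claim 7: only a request from a target access source is forwarded.
        if source_id not in self.node.targets:
            return None                  # dropped in user space, never reaches the kernel
        return self.vif.send(request)    # claim 8: feedback goes back via the original interface


def run_demo():
    """Constructed scenario: one honest source, one spoofed, one guessing the answer."""
    node = InterceptionNode(secret=b"example-node-secret")   # fixed so the run is reproducible
    vif = VirtualInterface("eth0", service=lambda req: b"OK:" + req.upper())
    server = ProtectedServer(node, vif)

    batch = [AccessData("10.0.0.5", b"syn"),        # honest client
             AccessData("198.51.100.9", b"syn"),    # spoofed address, never sees the challenge
             AccessData("203.0.113.7", b"syn")]     # answers with a guessed value
    # The node sends first determination information to each access source ...
    challenges = {d.source_id: node.first_determination(d.source_id) for d in batch}
    # ... and the sources feed back second determination information, or nothing.
    responses = {"10.0.0.5": challenges["10.0.0.5"],
                 "198.51.100.9": None,
                 "203.0.113.7": b"\x00" * 8}
    targets = node.determine_targets(batch, responses)
    honest = server.handle_service_request("10.0.0.5", b"get /")
    spoofed = server.handle_service_request("198.51.100.9", b"get /")
    return targets, honest, spoofed


if __name__ == "__main__":
    print(run_demo())
```

The point of keeping the challenge stateless is the one the claims imply but do not spell out: every piece of access data that arrives before a source is confirmed is handled entirely in user space, and nothing is allocated in the kernel or forwarded to the service processing equipment until the second determination information checks out.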
9. An attack-protection device, the device comprising:
a data receiving unit for receiving at least one access data based on an original interface; the original interface is positioned in a user space of the server;
the protection detection unit is used for carrying out attack protection detection on the at least one access data in the user space to obtain a protection detection result;
and the access source determining unit is used for determining a target access source from the access sources corresponding to the at least one piece of access data according to the protection detection result.
10. An electronic device, comprising a processor and a memory, wherein at least one instruction or at least one program is stored in the memory, and the at least one instruction or the at least one program is loaded by the processor and executed to implement the attack protection method according to any one of claims 1 to 8.
11. A computer-readable storage medium, in which at least one instruction or at least one program is stored, the at least one instruction or the at least one program being loaded and executed by a processor to implement the attack protection method according to any one of claims 1 to 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110849679.1A CN115694853A (en) | 2021-07-27 | 2021-07-27 | Attack protection method and device, electronic equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110849679.1A CN115694853A (en) | 2021-07-27 | 2021-07-27 | Attack protection method and device, electronic equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115694853A true CN115694853A (en) | 2023-02-03 |
Family
ID=85058788
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110849679.1A Pending CN115694853A (en) | 2021-07-27 | 2021-07-27 | Attack protection method and device, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115694853A (en) |
- 2021-07-27: CN CN202110849679.1A patent/CN115694853A/en, status: active, Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11902120B2 (en) | Synthetic data for determining health of a network security system | |
US10091238B2 (en) | Deception using distributed threat detection | |
US11847500B2 (en) | Systems and methods for providing management of machine learning components | |
EP2716003B1 (en) | System and method for authenticating components in a network | |
CN107623663B (en) | Method and device for processing network flow | |
US10404747B1 (en) | Detecting malicious activity by using endemic network hosts as decoys | |
US20150058983A1 (en) | Revival and redirection of blocked connections for intention inspection in computer networks | |
CN107347047B (en) | Attack protection method and device | |
US10904288B2 (en) | Identifying and deceiving adversary nodes and maneuvers for attack deception and mitigation | |
US11252196B2 (en) | Method for managing data traffic within a network | |
US9749354B1 (en) | Establishing and transferring connections | |
KR102155262B1 (en) | Elastic honeynet system and method for managing the same | |
Shringarputale et al. | Co-residency attacks on containers are real | |
CN115051836B (en) | SDN-based APT attack dynamic defense method and system | |
Xu et al. | Network intrusion detection system as a service in openstack cloud | |
WO2023193513A1 (en) | Honeypot network operation method and apparatus, device, and storage medium | |
JP6403803B2 (en) | Routing method for transferring task instructions between computer systems, computer network infrastructure, and computer program | |
CN111818081A (en) | Virtual encryption machine management method and device, computer equipment and storage medium | |
CN112491896B (en) | Trusted access authentication system based on virtualization network | |
EP3618396B1 (en) | Protection method and system for http flood attack | |
CN115694853A (en) | Attack protection method and device, electronic equipment and storage medium | |
Majhi et al. | An authentication framework for securing virtual machine migration | |
CN115314231A (en) | Network attack information processing method and device, electronic equipment and storage medium | |
KR20220070875A (en) | Smart home network system based on sdn/nfv | |
WO2024139775A1 (en) | Security service processing method and apparatus, device, storage medium and program product |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||