[go: up one dir, main page]

WO2009059504A1 - Method and system for defending against tcp attack - Google Patents

Method and system for defending against tcp attack Download PDF

Info

Publication number
WO2009059504A1
WO2009059504A1 PCT/CN2008/071259 CN2008071259W WO2009059504A1 WO 2009059504 A1 WO2009059504 A1 WO 2009059504A1 CN 2008071259 W CN2008071259 W CN 2008071259W WO 2009059504 A1 WO2009059504 A1 WO 2009059504A1
Authority
WO
WIPO (PCT)
Prior art keywords
tcp
stream
attack
type
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2008/071259
Other languages
French (fr)
Chinese (zh)
Inventor
Jihong Mei
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Publication of WO2009059504A1 publication Critical patent/WO2009059504A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/20Network management software packages
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a method and system for defending against a TCP (Transmission Control Protocol) attack.
  • TCP Transmission Control Protocol
  • Netstream is a technology that extracts and analyzes message information on network devices and provides statistics, monitoring, and analysis of network traffic.
  • Netstream technology is based on the concept of "streaming".
  • a stream is a set of four messages that meet the following characteristics: The same source and destination Internet Protocol (IP) addresses, the same source and destination protocol port numbers, have the same In and out interfaces, the same protocol type, and the same service type (ToS).
  • IP Internet Protocol
  • ToS the same service type
  • the Netstream stream can record information such as Who, What, When, Where, How in the network. Today, network security is gaining more and more attention. Netstream is also increasingly used to detect and defend against network attacks.
  • TCP attacks are a way of cyberattacks.
  • the relatively low-tech content is more difficult to prevent. It is a common method used by network attackers.
  • the basic principle of a TCP attack is: The attacker uses some hosts that have been compromised (including temporary intrusion) to bypass the firewall and make a large number of TCP connection requests to the destination server, so that the destination server is busy responding to these. The request consumes a large amount of storage resources and is exhausted, causing the destination server to refuse execution of normal service requests within the network to achieve the purpose of the attack. Due to this nature of TCP attacks, it is often referred to as a TCP Flood attack.
  • NetStream technology can detect the key information of where the TCP attack traffic comes from and where it goes, effectively defending against attacks by network attackers.
  • the flag of the Netstream-stream is the result of bitwise OR of the flag bit field in all TCP headers. If a TCP message with a flag reset (RST) or a sender byte end (FIN) is received, the stream is aged immediately. When a network attacker sends If a large number of packets are sent to the RST or FIN TCP packets, a packet will be created and aging will occur immediately. A large number of traffic aging and reconstruction will waste the resources of the forwarding engine. Moreover, since Netstream merges the flag bit fields in all the packets, it is impossible to distinguish the specific TCP attack type, which is difficult to meet the requirements of network fine management. Summary of the invention
  • the technical problem to be solved by the present invention is to provide a method and system for defending against TCP attacks.
  • the location information and attack type of TCP attacks on the network can be accurately located by collecting the flag information of TCP packets through NetStream.
  • the embodiment of the present invention provides a method for defending against a TCP attack, the method comprising: the source Internet protocol IP address, the destination IP address, the source protocol port number, the destination protocol port number, the inbound interface, The outgoing interface, the protocol type, the service type, and the packet with the same flag field of the TCP packet of the Transmission Control Protocol are the same as a flow; the type of the TCP attack is determined by the flag bit field of the flow; Type, defend against the TCP attack.
  • the embodiment of the present invention further provides a system for defending against TCP attacks.
  • the system includes a network flow sampling device and a network flow analysis processing device.
  • the network flow sampling device is configured to collect network traffic, and the source IP address, the destination IP address, the source protocol port number, the destination protocol port number, the inbound interface, the outbound interface, the protocol type, the service type, and the identifier of the TCP packet.
  • the network flow analysis processing device is configured to process the flow information collected by the network flow sample device, analyze the type of the TCP attack, and defend the TCP attack according to the type of the TCP attack.
  • the embodiment of the present invention can accurately locate the location and attack type of the TCP attack in the network, and specifically defend against the TCP attack, thereby avoiding the impact of such attacks on the performance of the network device and the consumption of resources; Linkage, realizing the dynamic defense against the attack source.
  • FIG. 1 is a schematic flowchart of a method for defending against a TCP attack according to an embodiment of the present invention
  • FIG. 2 is a schematic structural diagram of a system for defending against TCP attacks according to an embodiment of the present invention.
  • FIG. 1 is a schematic flowchart diagram of a method for defending against a TCP attack according to an embodiment of the present invention. As shown in Figure 1, the method includes:
  • S101 The traffic of the network device is sampled.
  • the following TCP packet with the same information is used as a Netstream stream:
  • the flag bits of the TCP ⁇ text are as follows:
  • URG indicates that the emergency pointer field is valid
  • PSH indicates that this segment requests a push operation
  • SYN indicates serial number synchronization
  • RST indicates connection reset
  • FIN Indicates the end of the sender byte stream.
  • flag bit field is URG or PSH, execute S104; if the flag bit field is ACK or SYN, execute S105; if the flag bit field is RST or FIN, execute S106.
  • S104 The network device stops processing the TCP packet to block the attack source.
  • S105 The network device collects statistics on the number of TCP connections and the number of semi-connections, limits the number of TCP connections and the number of semi-connections, or stops processing the TCP packets.
  • S106 determining the activity level of the Netstream stream, if the inactive time is less than the set value, executing S107; if the inactive time is greater than the set value, executing S108;
  • S108 delay the time t2, aging the stream.
  • the embodiment of the present invention does not immediately aging it, but delays it for a period of time, and then ages the stream.
  • the inactivity time is used to control the flow aging.
  • the inactive time refers to the time interval from the last discovery of the session to the present time.
  • the inactive time is small, indicating that the flow is active.
  • the delay time of the active stream is longer than the delay time of the inactive stream, that is, the delay time t1 is greater than the delay time t2.
  • FIG. 2 is a schematic structural diagram of a system for defending against TCP attacks according to an embodiment of the present invention. As shown in FIG. 2, the system includes a network flow sampling device 1, a network flow collection device 2, and a network flow analysis processing device 3.
  • the Netstream flow information includes: a source/destination IP address, a source/destination port number, an in/out interface, a protocol type, a service type, and a flag bit field of a TCP packet.
  • the network stream collecting device 2 receives the Netstream stream information sent by the network stream sampling device 1 and stores it.
  • the network flow analysis processing device 3 obtains the collected Netstream flow information from the network flow collection device 2, and after analyzing the Netstream flow information, the location and type of the TCP attack source can be obtained, and the network attack device is obtained. Issue rules/policies that defend against the TCP attack.
  • the network traffic analysis processing device 3 sends a rule/policy for blocking the attack source to the network device 4, that is, the network device 4 stops processing the TCP packet.
  • the network traffic analysis processing device 3 sends a rule/policy for counting the number of connections to the network device 4, that is, the number of TCP connections and the number of semi-connections of the network device 4 Statistics are performed to limit the number of TCP connections and the number of semi-connections.
  • the network device 4 can also send rules/policies that block the attack source, that is, the network device 4 stops processing the TCP packets.
  • the network traffic analysis processing device 3 sends a delay aging rule/policy to the network device 4, that is, the NetStream stream is not immediately aging, but is delayed for a period of time. After that, the Netstream stream is aged.
  • the technical solution of the embodiment of the present invention can not only accurately locate the location and attack type of the TCP attack in the network, block the attack source, but also prevent the attacker from using the TCP-RST or TCP-FIN text to attack.
  • a large number of rapid aging and re-establishment of the Netstream stream reduces the impact of such attacks on the performance of the network device and the consumption of resources.
  • the linkage with the network flow analysis processing device is implemented. Dynamic defense against attack sources.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

A method and system for defending against the TCP attack are provided, and the method includes: regarding the messages which have the same source internet protocol IP address, destination IP address, source protocol port number, destination protocol port number, input interface, output interface, protocol type and the flag bit field of transfer control protocol TCP messages as a flow; determining the TCP attack's type by the flag bit field of the flow; and based on the TCP attack's type, defending against the TCP attack. The position and the type of the TCP attack in the network can be located accurately by using the method, and itcan be implemented to dynamically defend against the attack source by interacting with the Netflow analysis process device.

Description

一种防御 TCP攻击的方法和系统 技术领域  Method and system for defending against TCP attacks

本发明涉及通信技术领域, 特别涉及一种防御 TCP ( Transmission Control Protocol, 传输控制协议) 攻击的方法和系统。 背景技术  The present invention relates to the field of communications technologies, and in particular, to a method and system for defending against a TCP (Transmission Control Protocol) attack. Background technique

近年来随着互联网技术的飞速发展, 网络业务日益丰富, 网络流量增长迅 速。 传统的粗放式流量统计管理已经远远不能满足当前业务发展对网络流量监 控、 网络安全管理、 以及网络监控和分析等方面的需求。 网流( Netstream )技 术的出现, 为流量的精细化管理提供了重要的基础数据平台。  In recent years, with the rapid development of Internet technology, network services have become increasingly abundant, and network traffic has grown rapidly. Traditional extensive traffic statistics management is far from meeting the needs of current business development for network traffic monitoring, network security management, and network monitoring and analysis. The emergence of NetStream technology provides an important basic data platform for the fine management of traffic.

Netstream是一种釆样、 提取和分析网络设备上报文信息的技术, 可以提供 对网络流量进行统计、 监控和分析的功能。 Netstream技术基于 "流" 的概念, 一个流即一组符合下列特征的 4艮文: 相同的源和目的英特网协议 (Internet Protocol, IP )地址、 相同的源和目的协议端口号、 有相同的入和出接口、 相同 的协议类型、 以及相同的服务类型(ToS )。 通过 Netstream流可以记录下网络中 Who, What, When, Where, How等信息。 在网络安全越来越受到人们重视的 今天, Netstream在检测和防御网络攻击方面的应用也越来越多。  Netstream is a technology that extracts and analyzes message information on network devices and provides statistics, monitoring, and analysis of network traffic. Netstream technology is based on the concept of "streaming". A stream is a set of four messages that meet the following characteristics: The same source and destination Internet Protocol (IP) addresses, the same source and destination protocol port numbers, have the same In and out interfaces, the same protocol type, and the same service type (ToS). The Netstream stream can record information such as Who, What, When, Where, How in the network. Today, network security is gaining more and more attention. Netstream is also increasingly used to detect and defend against network attacks.

TCP 攻击是网络攻击的一种方式, 技术含量相对较低却更难于防范, 是网 络攻击者较常釆用的手段。 TCP 攻击的基本原理是: 攻击者利用一些曾经被入 侵过(包括临时实现入侵) 的主机(傀儡机), 绕过防火墙的检查, 向目的服务 器提出大量的 TCP连接请求, 使得目的服务器忙于回应这些请求, 消耗了大量 存储资源甚至耗尽, 导致目的服务器对于网络内部的正常服务请求拒绝执行, 以达到攻击的目的。由于 TCP攻击的这种特性,人们也常常把它称为 TCP Flood (洪水式)攻击。  TCP attacks are a way of cyberattacks. The relatively low-tech content is more difficult to prevent. It is a common method used by network attackers. The basic principle of a TCP attack is: The attacker uses some hosts that have been compromised (including temporary intrusion) to bypass the firewall and make a large number of TCP connection requests to the destination server, so that the destination server is busy responding to these. The request consumes a large amount of storage resources and is exhausted, causing the destination server to refuse execution of normal service requests within the network to achieve the purpose of the attack. Due to this nature of TCP attacks, it is often referred to as a TCP Flood attack.

当网络受到 TCP攻击、 流量出现异常时, 釆用 Netstream技术可以检测出 TCP攻击流量来自何方、 去向何处等关键信息, 有效防御网络攻击者的攻击。  When the network is attacked by TCP and the traffic is abnormal, NetStream technology can detect the key information of where the TCP attack traffic comes from and where it goes, effectively defending against attacks by network attackers.

但是, 在现有技术中, Netstream—条流的标志位是所有 TCP报文头中标 志位字段按位或 (OR ) 的结果。 如果接收到标志位是连接复位(RST )或者发 送方字节流结束(FIN ) 的 TCP报文, 会立即老化这一条流。 当网络攻击者发 送大量的标志位是 RST或者 FIN的 TCP报文时,会导致每个报文都要建一条流 并立即老化,大量的流老化和重建将浪费转发引擎的资源。并且,由于 Netstream 将所有报文中的标志位字段进行了合并, 将无法区分具体的 TCP攻击类型, 这 难以满足网络精细化管理的要求。 发明内容 However, in the prior art, the flag of the Netstream-stream is the result of bitwise OR of the flag bit field in all TCP headers. If a TCP message with a flag reset (RST) or a sender byte end (FIN) is received, the stream is aged immediately. When a network attacker sends If a large number of packets are sent to the RST or FIN TCP packets, a packet will be created and aging will occur immediately. A large number of traffic aging and reconstruction will waste the resources of the forwarding engine. Moreover, since Netstream merges the flag bit fields in all the packets, it is impossible to distinguish the specific TCP attack type, which is difficult to meet the requirements of network fine management. Summary of the invention

本发明所要解决的技术问题在于, 提供一种防御 TCP攻击的方法和系统。 通过 Netstream釆集 TCP报文的标志位信息,可以准确定位网络中 TCP攻击的 位置和攻击类型。  The technical problem to be solved by the present invention is to provide a method and system for defending against TCP attacks. The location information and attack type of TCP attacks on the network can be accurately located by collecting the flag information of TCP packets through NetStream.

为了解决上述技术问题, 本发明实施例提出了一种防御 TCP攻击的方法, 该方法包括: 将源英特网协议 IP地址、 目的 IP地址、 源协议端口号、 目的协议 端口号、 入接口、 出接口、 协议类型、 服务类型以及传输控制协议 TCP报文的 标志位字段都相同的报文作为一条流; 通过所述流的标志位字段确定所述 TCP 攻击的类型; 根据所述 TCP攻击的类型, 防御所述 TCP攻击。  In order to solve the above technical problem, the embodiment of the present invention provides a method for defending against a TCP attack, the method comprising: the source Internet protocol IP address, the destination IP address, the source protocol port number, the destination protocol port number, the inbound interface, The outgoing interface, the protocol type, the service type, and the packet with the same flag field of the TCP packet of the Transmission Control Protocol are the same as a flow; the type of the TCP attack is determined by the flag bit field of the flow; Type, defend against the TCP attack.

相应的, 本发明实施例还提出了一种防御 TCP攻击的系统,  Correspondingly, the embodiment of the present invention further provides a system for defending against TCP attacks.

该系统包括网流釆样设备和网流分析处理设备,  The system includes a network flow sampling device and a network flow analysis processing device.

所述网流釆样设备用于釆集网络流量, 将源 IP地址、 目的 IP地址、 源协议 端口号、 目的协议端口号、 入接口、 出接口、 协议类型、 服务类型以及 TCP报 文的标志位字段都相同的报文作为一条流;  The network flow sampling device is configured to collect network traffic, and the source IP address, the destination IP address, the source protocol port number, the destination protocol port number, the inbound interface, the outbound interface, the protocol type, the service type, and the identifier of the TCP packet. A message with the same bit field as a stream;

所述网流分析处理设备用于处理所述网流釆样设备釆集的流信息, 分析得 到所述 TCP攻击的类型, 根据所述 TCP攻击的类型防御所述 TCP攻击。  The network flow analysis processing device is configured to process the flow information collected by the network flow sample device, analyze the type of the TCP attack, and defend the TCP attack according to the type of the TCP attack.

实施本发明实施例, 可以准确定位网络中 TCP攻击的位置和攻击类型, 有 针对性的防御 TCP攻击,避免了此类攻击对网络设备性能的影响和资源的消耗; 通过与网流分析处理设备联动, 实现了对攻击源的动态防御。 附图说明  The embodiment of the present invention can accurately locate the location and attack type of the TCP attack in the network, and specifically defend against the TCP attack, thereby avoiding the impact of such attacks on the performance of the network device and the consumption of resources; Linkage, realizing the dynamic defense against the attack source. DRAWINGS

图 1为本发明实施例的防御 TCP攻击的方法的流程示意图;  1 is a schematic flowchart of a method for defending against a TCP attack according to an embodiment of the present invention;

图 2为本发明实施例的防御 TCP攻击的系统的结构示意图。 具体实施方式 为使本发明实施例的目的、 技术方案以及优点更加清楚明白, 以下参照附 图并举实施例, 对本发明实施例做进一步的详细说明。 FIG. 2 is a schematic structural diagram of a system for defending against TCP attacks according to an embodiment of the present invention. detailed description In order to make the objects, the technical solutions and the advantages of the embodiments of the present invention more clearly, the embodiments of the present invention are further described in detail below with reference to the accompanying drawings.

图 1为本发明实施例的防御 TCP攻击的方法的流程示意图。 如图 1所示, 该方法包括:  FIG. 1 is a schematic flowchart diagram of a method for defending against a TCP attack according to an embodiment of the present invention. As shown in Figure 1, the method includes:

S101 : 对网络设备的流量进行釆样。 将如下信息相同的 TCP报文作为一条 Netstream流:  S101: The traffic of the network device is sampled. The following TCP packet with the same information is used as a Netstream stream:

源 /目的 IP地址;  Source/destination IP address;

源 /目的端口号;  Source/destination port number;

入 /出接口;  In/out interface;

协议类型;  agreement type;

服务类型;  Service type;

TCP 文的标志位字段。  The flag bit field of the TCP text.

S 102: 存储 Netstream流信息。  S102: Store the Netstream stream information.

S103: 分析 Netstream流信息, 提取该流的标志位字段信息。  S103: Analyze the Netstream flow information, and extract the flag bit field information of the flow.

TCP ^艮文的标志位字段有以下几种:  The flag bits of the TCP ^艮 text are as follows:

URG: 表示紧急指针字段有效;  URG: indicates that the emergency pointer field is valid;

PSH: 表示本报文段请求推(push )操作;  PSH: indicates that this segment requests a push operation;

ACK: 表示确认字段有效;  ACK: indicates that the confirmation field is valid;

SYN: 表示序号同步;  SYN: indicates serial number synchronization;

RST: 表示连接复位;  RST: indicates connection reset;

FIN: 表示发送方字节流结束。  FIN: Indicates the end of the sender byte stream.

若标志位字段为 URG或者 PSH, 执行 S104; 若标志位字段为 ACK或者 SYN, 执行 S105; 若标志位字段为 RST或者 FIN, 执行 S106。  If the flag bit field is URG or PSH, execute S104; if the flag bit field is ACK or SYN, execute S105; if the flag bit field is RST or FIN, execute S106.

S104: 网络设备停止处理该 TCP报文, 实现对攻击源的阻断。  S104: The network device stops processing the TCP packet to block the attack source.

S105: 网络设备对 TCP连接数和半连接数进行统计, 对 TCP连接数和半连 接数进行限制, 或者停止处理该 TCP报文。  S105: The network device collects statistics on the number of TCP connections and the number of semi-connections, limits the number of TCP connections and the number of semi-connections, or stops processing the TCP packets.

S106:判断 Netstream流的活跃程度,若非活跃时间小于设定值,执行 S107; 若非活跃时间大于设定值, 执行 S108;  S106: determining the activity level of the Netstream stream, if the inactive time is less than the set value, executing S107; if the inactive time is greater than the set value, executing S108;

S107: 延迟时间 tl , 将该流老化;  S107: delay time tl, aging the flow;

S108: 延迟时间 t2, 将该流老化。 对于标志位是 RST或者 FIN的 TCP报文,本发明实施例并不是立即将其老 化, 而是延迟一段时间, 再将该流老化。 具体是通过非活跃时间来控制流老化, 非活跃时间是指自会话最后一次发现到现在的时间间隔; 非活跃时间小, 说明 流比较活跃。 活跃的流的延迟时间要比不活跃的流的延迟时间要长, 即延迟时 间 tl大于延迟时间 t2。 S108: delay the time t2, aging the stream. For the TCP packet whose flag is RST or FIN, the embodiment of the present invention does not immediately aging it, but delays it for a period of time, and then ages the stream. Specifically, the inactivity time is used to control the flow aging. The inactive time refers to the time interval from the last discovery of the session to the present time. The inactive time is small, indicating that the flow is active. The delay time of the active stream is longer than the delay time of the inactive stream, that is, the delay time t1 is greater than the delay time t2.

图 2为本发明实施例的防御 TCP攻击的系统的结构示意图。 如图 2所示, 该系统包括网流釆样设备 1、 网流流釆集设备 2和网流分析处理设备 3。  FIG. 2 is a schematic structural diagram of a system for defending against TCP attacks according to an embodiment of the present invention. As shown in FIG. 2, the system includes a network flow sampling device 1, a network flow collection device 2, and a network flow analysis processing device 3.

当网络设备 4受到 TCP报文的攻击时, 网流釆样设备 1对网络设备 4中的 异常流量进行釆样, 并把釆集到的 Netstream流信息发送到网流流釆集设备 2。 所述 Netstream流信息包括: 源 /目的 IP地址、 源 /目的端口号、 入 /出接口、 协议 类型、 服务类型和 TCP报文的标志位字段。  When the network device 4 is attacked by the TCP packet, the network streaming device 1 samples the abnormal traffic in the network device 4, and sends the collected Netstream flow information to the network flow collecting device 2. The Netstream flow information includes: a source/destination IP address, a source/destination port number, an in/out interface, a protocol type, a service type, and a flag bit field of a TCP packet.

网流流釆集设备 2接收所述网流釆样设备 1发送的 Netstream流信息, 并进 行存储。  The network stream collecting device 2 receives the Netstream stream information sent by the network stream sampling device 1 and stores it.

网流分析处理设备 3从所述网流流釆集设备 2中获取收集到的 Netstream流 信息, 经过对所述 Netstream流信息的分析, 可以得到 TCP攻击源的位置和类 型, 向网络设备 4下发防御所述 TCP攻击的规则 /策略。  The network flow analysis processing device 3 obtains the collected Netstream flow information from the network flow collection device 2, and after analyzing the Netstream flow information, the location and type of the TCP attack source can be obtained, and the network attack device is obtained. Issue rules/policies that defend against the TCP attack.

若所述 Netstream流的标志位字段为 URG或者 PSH, 则网流分析处理设备 3向网络设备 4下发阻断攻击源的规则 /策略,即: 网络设备 4停止处理所述 TCP 报文。  If the flag bit field of the NetStream stream is URG or PSH, the network traffic analysis processing device 3 sends a rule/policy for blocking the attack source to the network device 4, that is, the network device 4 stops processing the TCP packet.

若所述 Netstream流的标志位字段为 ACK或者 SY , 则网流分析处理设备 3向所述网络设备 4下发统计连接数的规则 /策略, 即: 网络设备 4对 TCP连接 数和半连接数进行统计, 对 TCP连接数和半连接数进行限制; 网络设备 4也可 以下发阻断攻击源的规则 /策略, 即: 网络设备 4停止处理所述 TCP报文。  If the flag bit field of the NetStream stream is ACK or SY, the network traffic analysis processing device 3 sends a rule/policy for counting the number of connections to the network device 4, that is, the number of TCP connections and the number of semi-connections of the network device 4 Statistics are performed to limit the number of TCP connections and the number of semi-connections. The network device 4 can also send rules/policies that block the attack source, that is, the network device 4 stops processing the TCP packets.

若所述 Netstream流的标志位字段为 RST或者 FIN, 则网流分析处理设备 3 向网络设备 4下发延迟老化的规则 /策略,即:不是立即将所述 Netstream流老化, 而是延迟一段时间之后, 再将所述 Netstream流老化。  If the flag bit field of the NetStream stream is RST or FIN, the network traffic analysis processing device 3 sends a delay aging rule/policy to the network device 4, that is, the NetStream stream is not immediately aging, but is delayed for a period of time. After that, the Netstream stream is aged.

可见, 釆用了本发明实施例的技术方案, 不仅可以准确定位出网络中 TCP 攻击的位置和攻击类型, 阻断攻击源, 还能避免当攻击者利用 TCP-RST 或者 TCP-FIN 文进行攻击时 Netstream 流的大量快速老化和重建,降低了此类攻击 对网络设备性能的影响和资源的消耗; 通过与网流分析处理设备联动, 实现了 对攻击源的动态防御。 It can be seen that the technical solution of the embodiment of the present invention can not only accurately locate the location and attack type of the TCP attack in the network, block the attack source, but also prevent the attacker from using the TCP-RST or TCP-FIN text to attack. A large number of rapid aging and re-establishment of the Netstream stream reduces the impact of such attacks on the performance of the network device and the consumption of resources. The linkage with the network flow analysis processing device is implemented. Dynamic defense against attack sources.

以上所揭露的仅为本发明的较佳实施例, 当然不能以此来限定本发明之权 利范围, 因此依本发明权利要求所作的等同变化, 仍属本发明所涵盖的范围。  The above are only the preferred embodiments of the present invention, and the scope of the present invention is not limited thereto, and the equivalent changes made by the claims of the present invention are still within the scope of the present invention.

Claims

权 利 要 求 Rights request 1、 一种防御 TCP攻击的方法, 其特征在于:  A method for defending against TCP attacks, characterized in that: 所述方法包括: 将源英特网协议 IP地址、 目的 IP地址、 源协议端口号、 目 的协议端口号、 入接口、 出接口、 协议类型、 服务类型以及传输控制协议 TCP 报文的标志位字段都相同的报文作为一条流; 通过所述流的标志位字段确定所 述 TCP攻击的类型; 根据所述 TCP攻击的类型, 防御所述 TCP攻击。  The method includes: a source Internet protocol IP address, a destination IP address, a source protocol port number, a destination protocol port number, an inbound interface, an outbound interface, a protocol type, a service type, and a flag field of a transmission control protocol TCP packet. The same message is used as a stream; the type of the TCP attack is determined by the flag bit field of the stream; and the TCP attack is defended according to the type of the TCP attack. 2、 根据权利要求 1所述的方法, 其特征在于: 2. The method of claim 1 wherein: 所述 TCP报文的标志位字段包括: 紧急指针字段有效 URG、 本报文段请求 推操作 PSH、 确认字段有效 ACK、 序号同步 SYN、 连接复位 RST以及发送方 字节流结束 FIN。  The flag field of the TCP packet includes: an urgent pointer field valid URG, a segment request push operation PSH, an acknowledge field valid ACK, a sequence number synchronization SYN, a connection reset RST, and a sender byte stream end FIN. 3、 根据权利要求 2所述的方法, 其特征在于:  3. The method of claim 2, wherein: 若所述流的标志位字段为 URG、 PSH、 ACK或者 SYN, 停止处理所述 TCP 报文。  If the flag bit field of the stream is URG, PSH, ACK or SYN, the TCP message is stopped. 4、 根据权利要求 2所述的方法, 其特征在于: 4. The method of claim 2, wherein: 若所述流的标志位字段为 ACK或者 SY , 限制 TCP连接数和半连接数。  If the flag bit field of the stream is ACK or SY, the number of TCP connections and the number of semi-joins are limited. 5、 根据权利要求 2所述的方法, 其特征在于: 5. The method of claim 2, wherein: 若所述流的标志位字段为 RST或者 FIN, 延迟一段时间后, 将所述流老化。  If the flag bit field of the stream is RST or FIN, the flow is aged after being delayed for a period of time. 6、 根据权利要求 5所述的方法, 其特征在于: 6. The method of claim 5, wherein: 对于活跃的流, 所述延迟的时间比不活跃的流延迟的时间长。  For an active stream, the delay is longer than the inactive stream delay. 7、 根据权利要求 6所述的方法, 其特征在于: 7. The method of claim 6 wherein: 活跃的流是非活跃时间小于设定值的流, 不活跃的流是指非活跃时间大于 设定值的流。 An active stream is a stream whose inactive time is less than a set value, and an inactive stream is a stream whose inactive time is greater than a set value. 8、 一种防御 TCP攻击的系统, 其特征在于: 8. A system for defending against TCP attacks, characterized by: 所述系统包括网流釆样设备和网流分析处理设备,  The system includes a network flow sampling device and a network flow analysis processing device. 所述网流釆样设备用于釆集网络流量, 将源 IP地址、 目的 IP地址、 源协议 端口号、 目的协议端口号、 入接口、 出接口、 协议类型、 服务类型以及 TCP报 文的标志位字段都相同的报文作为一条流;  The network flow sampling device is configured to collect network traffic, and the source IP address, the destination IP address, the source protocol port number, the destination protocol port number, the inbound interface, the outbound interface, the protocol type, the service type, and the identifier of the TCP packet. A message with the same bit field as a stream; 所述网流分析处理设备用于处理所述网流釆样设备釆集的流信息, 分析得 到所述 TCP攻击的类型, 根据所述 TCP攻击的类型防御所述 TCP攻击。  The network flow analysis processing device is configured to process the flow information collected by the network flow sample device, analyze the type of the TCP attack, and defend the TCP attack according to the type of the TCP attack. 9、 根据权利要求 8所述的系统, 其特征在于: 9. The system of claim 8 wherein: 所述系统还包括网流流釆集设备, 用于存储所述网流釆样设备釆集的流信 息, 并将所述流信息转发给所述网流分析处理设备。  The system further includes a network flow collection device, configured to store the flow information collected by the network flow sample device, and forward the flow information to the network flow analysis processing device.
PCT/CN2008/071259 2007-11-08 2008-06-11 Method and system for defending against tcp attack Ceased WO2009059504A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710124444.6 2007-11-08
CN200710124444A CN100579003C (en) 2007-11-08 2007-11-08 A method and system for defending against TCP attacks using netflow technology

Publications (1)

Publication Number Publication Date
WO2009059504A1 true WO2009059504A1 (en) 2009-05-14

Family

ID=39390884

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/071259 Ceased WO2009059504A1 (en) 2007-11-08 2008-06-11 Method and system for defending against tcp attack

Country Status (2)

Country Link
CN (1) CN100579003C (en)
WO (1) WO2009059504A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114329156A (en) * 2022-01-07 2022-04-12 挂号网(杭州)科技有限公司 Network information query method and device and electronic equipment

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100579003C (en) * 2007-11-08 2010-01-06 华为技术有限公司 A method and system for defending against TCP attacks using netflow technology
CN102014110A (en) * 2009-09-08 2011-04-13 华为技术有限公司 Method for authenticating communication flows, communication system and protective device
CN103023887B (en) * 2012-11-26 2016-05-25 大唐移动通信设备有限公司 A kind of method and apparatus based on File Transfer Protocol transfer files
CN103001958B (en) * 2012-11-27 2016-03-16 北京百度网讯科技有限公司 Abnormal T CP message processing method and device
CN107135185A (en) * 2016-02-26 2017-09-05 华为技术有限公司 A kind of attack processing method, equipment and system
TWI784938B (en) * 2017-01-24 2022-12-01 香港商阿里巴巴集團服務有限公司 Message cleaning method and device
CN108200088B (en) * 2018-02-02 2020-11-06 杭州迪普科技股份有限公司 Attack protection processing method and device for network traffic
CN109286630B (en) * 2018-10-15 2021-11-19 深信服科技股份有限公司 Method, device and equipment for processing equal insurance and storage medium
CN110535861B (en) * 2019-08-30 2022-01-25 杭州迪普信息技术有限公司 Method and device for counting SYN packet number in SYN attack behavior identification
CN110740144B (en) * 2019-11-27 2022-09-16 腾讯科技(深圳)有限公司 Method, device, equipment and storage medium for determining attack target
CN111131180B (en) * 2019-12-05 2022-04-22 成都西维数码科技有限公司 Distributed deployed HTTP POST (hyper text transport protocol) interception method in large-scale cloud environment
CN115103000B (en) * 2022-06-20 2023-09-26 北京鼎兴达信息科技股份有限公司 Method for restoring and analyzing business session of railway data network based on NetStream
CN120567726A (en) * 2025-07-25 2025-08-29 杭州优云科技股份有限公司 Network performance testing method, message interception method, device and medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1822593A (en) * 2006-03-20 2006-08-23 赵洪宇 Network safety protective method for preventing reject service attack event
US7251692B1 (en) * 2000-09-28 2007-07-31 Lucent Technologies Inc. Process to thwart denial of service attacks on the internet
CN101170402A (en) * 2007-11-08 2008-04-30 华为技术有限公司 A method and system for defending against TCP attacks using netflow technology

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7251692B1 (en) * 2000-09-28 2007-07-31 Lucent Technologies Inc. Process to thwart denial of service attacks on the internet
CN1822593A (en) * 2006-03-20 2006-08-23 赵洪宇 Network safety protective method for preventing reject service attack event
CN101170402A (en) * 2007-11-08 2008-04-30 华为技术有限公司 A method and system for defending against TCP attacks using netflow technology

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
CHEN HAO: "Theory of Netflow and it's application in the Netflow analysis in the internet", CHINA DOCTOR/MASTER 'S DISSERTATIONS FULL-TEXT DATABASE, 24 January 2007 (2007-01-24), pages 2 - 4 *
LI XIN: "Netflow technique and it's appliacation in the network management", GUANG XI COMMUNICATION TECHNOLOGY, 30 September 2005 (2005-09-30), pages 38 - 41 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114329156A (en) * 2022-01-07 2022-04-12 挂号网(杭州)科技有限公司 Network information query method and device and electronic equipment

Also Published As

Publication number Publication date
CN101170402A (en) 2008-04-30
CN100579003C (en) 2010-01-06

Similar Documents

Publication Publication Date Title
WO2009059504A1 (en) Method and system for defending against tcp attack
US7266754B2 (en) Detecting network denial of service attacks
EP2158740B1 (en) Processing packet flows
Yang et al. A DoS-limiting network architecture
US7636305B1 (en) Method and apparatus for monitoring network traffic
CN102025483B (en) Wireless router and method for preventing malicious scanning by using same
US6973040B1 (en) Method of maintaining lists of network characteristics
CN105282169B (en) Ddos attack method for early warning based on SDN controller threshold values and its system
WO2002021302A1 (en) Monitoring network traffic denial of service attacks
WO2002021297A1 (en) Architecture to thwart denial of service attacks
WO2002021296A1 (en) Statistics collection for network traffic
WO2002021278A1 (en) Coordinated thwarting of denial of service attacks
WO2002021771A1 (en) Device to protect victim sites during denial of service attacks
WO2002021279A1 (en) Thwarting source address spoofing-based denial of service attacks
WO2007099507A2 (en) Operating a network monitoring entity
CN107018084A (en) DDOS attack defending against network security system and method based on SDN frameworks
WO2011131076A1 (en) Method and data communication device for building a flow forwarding table item
US8964763B2 (en) Inter-router communication method and module
WO2008080324A1 (en) A method and apparatus for preventing igmp message attack
CN108011865A (en) SDN flow paths method for tracing, apparatus and system based on flowing water print and stochastical sampling
Wang et al. Efficient and low‐cost defense against distributed denial‐of‐service attacks in SDN‐based networks
CN101141396B (en) Packet processing method and network device
Phaal et al. RFC3176: InMon Corporation's sFlow: A method for monitoring traffic in switched and routed networks
CN100454895C (en) A Method of Improving Network Security Through Packet Processing
Vanderavero et al. The HoneyTank: a scalable approach to collect malicious Internet traffic

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08757670

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08757670

Country of ref document: EP

Kind code of ref document: A1