CN101465855A - Method and system for filtering synchronous flooding (SYN flood) attacks - Google Patents
- Publication number: CN101465855A (application CN200810247440A)
- Authority: CN (China)
- Prior art keywords: data packet, weight queue, current state, state, attack
- Legal status: Granted
Abstract
The present invention relates to a method and system for filtering synchronous flooding (SYN flood) attacks. The method includes: step 1, configuring the ratio in which the high-weight and low-weight queues forward data packets; step 2, receiving a data packet, determining the current state, and judging whether the current state is the normal state; if so, the data packet enters the high-weight queue, otherwise step 3 is executed; step 3, judging whether the data packet is legal according to its type, a connection state table that records connections, and a legal address table that records legal IP addresses; if so, the data packet enters the high-weight queue, otherwise it enters the low-weight queue; and updating the connection state table and the legal address table; step 4, when the current state is the normal state, forwarding the data packets in the high-weight queue, and when the current state is the attack state, forwarding the data packets in the low-weight queue and the high-weight queue according to the configured ratio. The invention can effectively mitigate, filter and defend against large-scale SYN flood attacks aimed at network information systems.
Description
Technical field
The present invention relates to the field of network security monitoring, and in particular to a method and system for filtering synchronous flooding (SYN flood) attacks.
Background
In recent years, the frequent occurrence of DDoS (distributed denial of service) attacks has seriously affected the security of important information systems and operator networks, and has therefore received wide attention. Among DDoS attacks, the SYN flood (synchronous flooding) attack is the most common. It exploits a design weakness of the TCP (Transmission Control Protocol) stack, namely that memory is consumed to hold half-open connection state: an attacker sends a large number of TCP connection requests to the target, exhausting its memory and thereby denying service. Current research on filtering and defending against SYN flood attacks falls mainly into four categories: methods based on SYN Proxy (synchronous proxy), on History-IP (historical IP addresses), on Hop-Count, and on tagging.
The first is the method based on SYN Proxy (including SYN Cookie). It filters attack packets by completing the TCP three-way handshake on behalf of the server. Its disadvantage is that performing the handshake in place of the server consumes system resources, so when the attack traffic is very large the filtering system itself tends to collapse.
The second is the method based on History-IP (including blacklists and whitelists). It maintains a database or list of regular users and, when an attack occurs, allows packets whose source address is in the table to pass. Its disadvantages are that if the attack uses legitimate IP addresses the filtering system completely loses its ability to protect the target, that legitimate users whose source addresses are not in the table are blocked from reaching the server, and that a learning period is required to build the user database or list.
The third is the method based on Hop-Count. It maintains a database of the hop counts of regular users and, when an attack occurs, checks whether the hop count of a packet matches the corresponding record in the database; if it matches, the packet is allowed through. Its disadvantages are that a legitimate user whose route changes is also barred from the system, and that a learning period is required to build the hop-count database.
The fourth is the tag-based method. At the border router, SYN packets leaving a subnet are tagged with a label derived from the source subnet number, so that the authenticity of a SYN packet can be checked and SYN flood attacks with forged source addresses filtered. Its disadvantages are that it cannot filter SYN flood attacks launched from real source addresses, and that it loses its defensive capability if the attacker forges a source address within the subnet.
Summary of the invention
To solve the above technical problems, a method and system for filtering synchronous flooding attacks are provided, which can effectively mitigate, filter and defend against large-scale SYN flood attacks aimed at network information systems.
The present invention discloses a method for filtering synchronous flooding attacks, including:
Step 1, configuring the ratio in which the high-weight and low-weight queues forward data packets;
Step 2, receiving a data packet, determining the current state, and judging whether the current state is the normal state; if so, the data packet enters the high-weight queue, otherwise step 3 is executed;
Step 3, judging whether the data packet is legal according to its type, a connection state table that records connections, and a legal address table that records legal IP addresses; if so, the data packet enters the high-weight queue, otherwise the data packet enters the low-weight queue; and updating the connection state table and the legal address table;
Step 4, when the current state is the normal state, forwarding the data packets in the high-weight queue; when the current state is the attack state, forwarding the data packets in the low-weight queue and the high-weight queue according to the configured forwarding ratio of the high-weight and low-weight queues.
Step 1 further includes configuring a detection time slot, initializing a timer to 0, and initializing a current-state variable, which records the current state, to normal;
Determining the current state in step 2 further comprises:
Step 21, after receiving the data packet, judging whether the value of the timer is less than the detection time slot; if so, the current state is the state recorded in the current-state variable, otherwise the timer is set to 0 and step 22 is executed;
Step 22, judging whether an attack is occurring; if so, updating the current-state variable to the attack state and determining the current state to be the attack state, otherwise updating the current-state variable to the normal state and determining the current state to be the normal state.
Step 2 further includes, after step 22 has been executed and the current state determined to be the normal state, clearing the connection state table and the legal address table.
Step 1 further includes configuring a SYN packet threshold;
Judging whether an attack is occurring in step 22 further comprises:
Step 41, judging whether the number of SYN packets counted during the timer's running time, divided by the value of the timer, is greater than or equal to the SYN packet threshold; if so, an attack is determined to be occurring, otherwise the state is determined to be normal.
Step 3 further comprises:
Step 51, when the data packet is a SYN packet, determining that the data packet is illegal; the data packet enters the low-weight queue and the connection state table is updated;
Step 52, when the data packet is a SYN/ACK packet, if a corresponding record for the data packet exists in the connection state table, the data packet is legal and enters the high-weight queue, and the connection state table and the legal address table are updated; otherwise the data packet is illegal and enters the low-weight queue;
Step 53, when the data packet is of another type, if a corresponding record for the data packet exists in the legal address table, the data packet is determined to be legal and enters the high-weight queue; otherwise the data packet is illegal and enters the low-weight queue.
Updating the connection state table in step 51 further comprises:
Step 61, looking up the identifier of the connection corresponding to the data packet in the connection state table and, if it is not found, adding the identifier of the connection corresponding to the data packet to the connection state table.
Step 52 further comprises:
Step 71, when the data packet is a SYN/ACK packet, looking up the identifier of the connection corresponding to the data packet in the connection state table; if it is not found, the data packet enters the low-weight queue, and if it is found, step 72 is executed;
Step 72, deleting the identifier of the connection corresponding to the data packet from the connection state table, adding the source IP address of the data packet to the legal address table, determining that the data packet is legal, and placing the data packet in the high-weight queue.
Step 53 further comprises, when the data packet is of another type, looking up the source IP address of the data packet in the legal address table; if it is found, the data packet is determined to be legal and enters the high-weight queue, otherwise the data packet enters the low-weight queue.
The identifier is the five-tuple of the SYN packet of the connection, consisting of the source IP address, source port number, destination IP address, destination port number and sequence number.
In step 2 and step 3, the data packet entering the high-weight queue further comprises:
judging whether the high-weight queue is full; if so, discarding the data packet, otherwise adding the data packet to the high-weight queue;
In step 3, the data packet entering the low-weight queue further comprises:
judging whether the low-weight queue is full; if so, discarding the data packet, otherwise adding the data packet to the low-weight queue.
The present invention also discloses a system for filtering synchronous flooding attacks, including a detection module, a filtering module, a buffer module and a forwarding module, wherein:
the buffer module contains a low-weight queue and a high-weight queue;
the initialization module is used to configure the ratio in which the high-weight and low-weight queues forward data packets;
the detection module is used to receive a data packet, determine the current state, and judge whether the current state is the normal state; if so, it adds the data packet to the high-weight queue, otherwise it passes the data packet to the filtering module;
the filtering module is used to judge whether the data packet is legal according to its type, a connection state table that records connections, and a legal address table that records legal IP addresses; if so, it adds the data packet to the high-weight queue, otherwise it adds the data packet to the low-weight queue; and it updates the connection state table and the legal address table;
the forwarding module is used to forward the data packets in the high-weight queue when the current state is the normal state, and to forward the data packets in the low-weight queue and the high-weight queue according to the configured forwarding ratio when the current state is the attack state.
The initialization module is further used to configure a detection time slot, initialize a timer to 0, and initialize a current-state variable, which records the current state, to normal;
when determining the current state, the detection module is further used to judge, after receiving the data packet, whether the value of the timer is less than the detection time slot; if so, the current state is the state recorded in the current-state variable; otherwise it sets the timer to 0 and judges whether an attack is occurring; if so, it updates the current-state variable to the attack state and determines the current state to be the attack state, otherwise it updates the current-state variable to the normal state and determines the current state to be the normal state.
The detection module is further used to clear the connection state table and the legal address table after it determines, by judging that no attack is occurring, that the current state is the normal state.
The initialization module is further used to configure a SYN packet threshold;
when judging whether an attack is occurring, the detection module is further used to judge whether the number of SYN packets counted during the timer's running time, divided by the value of the timer, is greater than or equal to the SYN packet threshold; if so, an attack is determined to be occurring, otherwise the state is determined to be normal.
The filtering module is further used, when the data packet is a SYN packet, to determine that the data packet is illegal, add it to the low-weight queue and update the connection state table; when the data packet is a SYN/ACK packet, if a corresponding record for the data packet exists in the connection state table, the data packet is legal and is added to the high-weight queue, and the connection state table and the legal address table are updated, otherwise the data packet is illegal and is added to the low-weight queue; when the data packet is of another type, if a corresponding record for the data packet exists in the legal address table, the data packet is determined to be legal and is added to the high-weight queue, otherwise the data packet is illegal and is added to the low-weight queue.
When updating the connection state table in the case where the data packet is a SYN packet, the filtering module is further used to look up the identifier of the connection corresponding to the data packet in the connection state table and, if it is not found, to add the identifier of the connection corresponding to the data packet to the connection state table.
In the case where the data packet is a SYN/ACK packet, the filtering module is further used to look up the identifier of the connection corresponding to the data packet in the connection state table; if it is not found, it adds the data packet to the low-weight queue; if it is found, it deletes the identifier of the connection corresponding to the data packet from the connection state table, adds the source IP address of the data packet to the legal address table, determines that the data packet is legal, and adds the data packet to the high-weight queue.
In the case where the data packet is of another type, the filtering module is further used to look up the source IP address of the data packet in the legal address table; if it is found, it determines that the data packet is legal and adds it to the high-weight queue, otherwise it adds the data packet to the low-weight queue.
The identifier is the five-tuple of the SYN packet of the connection, consisting of the source IP address, source port number, destination IP address, destination port number and sequence number.
When adding the data packet to the high-weight queue, the detection module is further used to judge whether the high-weight queue is full; if so, it discards the data packet, otherwise it adds the data packet to the high-weight queue;
When adding the data packet to the high-weight queue, the filtering module is further used to judge whether the high-weight queue is full; if so, it discards the data packet, otherwise it adds the data packet to the high-weight queue;
When adding the data packet to the low-weight queue, the filtering module is further used to judge whether the low-weight queue is full; if so, it discards the data packet, otherwise it adds the data packet to the low-weight queue.
The beneficial effects of the present invention are that it can effectively mitigate, filter and defend against large-scale SYN flood attacks on network information systems; it requires no prior learning of traffic characteristics or user behaviour and works plug-and-play; it requires no modification of existing equipment and no additional equipment; it does not perform the TCP three-way handshake in place of the server and sends no verification packets, which improves the processing efficiency of the filtering system, reduces the consumption of filtering-system and network resources, and effectively solves the problem of the filtering system itself collapsing under high-volume attacks; and it defends effectively against SYN flood attacks from both forged and real source IP addresses.
Description of the drawings
Fig. 1 is a flowchart of the method for filtering synchronous flooding attacks of the present invention;
Fig. 2 is a diagram of the organization of a Bloom filter;
Fig. 3 is a deployment connection diagram of the system for filtering synchronous flooding attacks of the present invention;
Fig. 4 is a structural diagram of the system for filtering synchronous flooding attacks of the present invention.
Detailed description
The present invention is described in further detail below with reference to the accompanying drawings.
The flow of the filtering method is shown in Fig. 1; its specific implementation steps are as follows:
Step S101, initialize the parameters.
Configure the ratio of the numbers of packets forwarded from the high-weight and low-weight queues as r; configure the detection time slot as s, in seconds; configure the SYN packet (synchronous packet) count threshold as n, in packets per second; initialize the current-state variable to the normal state, where the current-state variable takes the values attack state and normal state; initialize the timer to 0.
The lengths of the high-weight queue and the low-weight queue in the system represent the buffer space of the respective queues and are determined by the processing capacity of the filtering system; in one specific embodiment the length of the high-weight queue is greater than that of the low-weight queue. The total forwarding rate is v, in packets per second, and is determined by the processing capacity of the protected network information system.
Step S102, receive a data packet.
Step S103, judge whether the timer is less than s; if so, execute step S108, otherwise execute step S104.
Step S104, set the timer to 0 and judge whether an attack is occurring in the current state; if so, execute step S107, otherwise execute step S105.
Let N be the number of SYN packets counted from the moment the timer started at 0 until now, and t the current timer value. If N/t is greater than or equal to the threshold n, an attack is determined to be occurring; otherwise, when N/t is less than n, no attack is determined to be occurring.
Step S105, clear the connection state table, which records connections, and the legal address table, which records legal IP addresses; determine that the current state is the normal state and update the current-state variable to the normal state.
Step S106, judge whether the high-weight queue in the buffer is full; if so, discard the data packet, otherwise add the data packet to the high-weight queue.
The high-weight queue operates in first-in, first-out (FIFO) fashion.
Step S107, determine that the current state is the attack state, update the current-state variable to the attack state, and execute step S109.
Step S108, determine the current state recorded in the current-state variable; if the current state is normal, execute step S106, otherwise execute step S109.
Step S109, determine the type of the data packet: if it is a SYN packet, execute step S110; if it is a SYN/ACK packet (synchronous/acknowledgment packet), execute step S111; if it is of another type, execute step S112.
Step S110, look up the five-tuple of the data packet in the connection state table; if it is not found, add the five-tuple to the connection state table; execute step S113.
The five-tuple of a data packet consists of the source IP, source port, destination IP, destination port and sequence number. The five-tuple of a connection's SYN packet is the identifier of that connection and is recorded in the connection state table.
Step S111, look up the identifier of the connection corresponding to the data packet in the connection state table; if it is not found, execute step S113, otherwise execute step S114.
The identifier of the connection corresponding to a SYN/ACK packet is the five-tuple of the connection's SYN packet, which equals the source IP, source port, destination IP and destination port of the SYN/ACK packet together with its sequence number minus 1.
Step S112, look up the source IP of the data packet in the legal address table; if it is found, execute step S106, otherwise execute step S113.
Step S113, judge whether the low-weight queue in the buffer is full; if so, discard the data packet, otherwise add the data packet to the low-weight queue.
The low-weight queue operates in first-in, first-out (FIFO) fashion.
Step S114, delete the identifier of the connection, i.e. its five-tuple, from the connection state table, add the source IP to the legal address table, and execute step S106.
Step S115, forward data packets concurrently with the steps above.
Check the current state. If it is the attack state and there are data packets in the buffer, continuously forward the data packets in the high-weight queue and the low-weight queue at rates of r*v/(r+1) and v/(r+1) respectively; if it is not the attack state, then whenever there are data packets in the high-weight queue, continuously forward them at rate v.
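The following is an added worked example, not code from the patent or its applicant: a Python model of steps S101 to S115 (and, equivalently, steps 1 to 4 and 21 to 72 of the summary) that a defender could use to check the decision logic before building it into a packet path. The class name SynFloodFilter, the Packet record, the demo() scenario and the documentation-range addresses (192.0.2.10, 198.51.100.7, 203.0.113.9, 10.0.0.x) are all constructed here; the connection state table and legal address table are plain Python sets rather than the Bloom filters the page prescribes. One caveat a practitioner should note: the page keys the handshake-completing packet on the SYN's own source and destination addresses with the sequence number incremented by one, which in real TCP describes the client's final ACK of the three-way handshake (a server's SYN/ACK carries the addresses reversed and its own initial sequence number), so the example follows the page's rule and labels that packet kind "synack" only to match the page's wording.

```python
from collections import deque, namedtuple

# Constructed packet model (an assumption of this example, not the patent's structures);
# kind is "syn", "synack" (the page's handshake-completing packet) or "other".
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port seq kind")


class SynFloodFilter:
    """Two-queue SYN flood filter following steps S101-S115 of the page."""

    def __init__(self, r=4, s=1.0, n=100, v=1000, high_len=256, low_len=64):
        self.r, self.s, self.n, self.v = r, s, n, v   # S101 parameters
        self.high, self.high_len = deque(), high_len  # high-weight FIFO queue
        self.low, self.low_len = deque(), low_len     # low-weight FIFO queue
        self.attack = False        # current-state variable; False means normal
        self.last_reset = 0.0      # timer start; timer value = now - last_reset
        self.syn_count = 0         # N: SYN packets seen since the timer was reset
        self.conn_table = set()    # connection state table: five-tuples of SYNs
        self.legal_ips = set()     # legal address table: sources that completed a handshake
        self.dropped = 0           # packets discarded because a queue was full

    def _enqueue(self, queue, limit, pkt):
        """S106/S113: drop on a full queue, otherwise append (FIFO)."""
        if len(queue) >= limit:
            self.dropped += 1
        else:
            queue.append(pkt)

    def receive(self, pkt, now):
        """S102-S114: classify a packet arriving at `now` seconds; returns the queue name."""
        t = now - self.last_reset                       # current timer value
        if t >= self.s:                                 # S104: slot elapsed, re-evaluate
            self.attack = self.syn_count / t >= self.n  # N/t >= n means attack
            self.last_reset, self.syn_count = now, 0
            if not self.attack:                         # S105: back to normal, flush tables
                self.conn_table.clear()
                self.legal_ips.clear()
        if pkt.kind == "syn":
            self.syn_count += 1                         # N for the current window
        if not self.attack:                             # S108/S106: normal, no filtering
            self._enqueue(self.high, self.high_len, pkt)
            return "high"
        return self._filter(pkt)                        # S109-S114

    def _filter(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.seq)
        if pkt.kind == "syn":                           # S110: remember the half-open connection
            self.conn_table.add(key)
            self._enqueue(self.low, self.low_len, pkt)
            return "low"
        if pkt.kind == "synack":                        # S111: page's rule, same addresses, seq - 1
            syn_key = key[:4] + (pkt.seq - 1,)
            if syn_key in self.conn_table:              # S114: handshake completed, trust the source
                self.conn_table.discard(syn_key)
                self.legal_ips.add(pkt.src_ip)
                self._enqueue(self.high, self.high_len, pkt)
                return "high"
            self._enqueue(self.low, self.low_len, pkt)
            return "low"
        if pkt.src_ip in self.legal_ips:                # S112: other traffic from a proven source
            self._enqueue(self.high, self.high_len, pkt)
            return "high"
        self._enqueue(self.low, self.low_len, pkt)
        return "low"

    def forward_rates(self):
        """S115: packets per second granted to (high queue, low queue) in the current state."""
        if self.attack:
            return (self.r * self.v / (self.r + 1), self.v / (self.r + 1))
        return (float(self.v), 0.0)

    def forward(self, interval):
        """Drain up to rate*interval packets from each queue; returns the forwarded packets."""
        out = []
        for queue, rate in zip((self.high, self.low), self.forward_rates()):
            budget = int(rate * interval)
            while queue and budget > 0:
                out.append(queue.popleft())
                budget -= 1
        return out


def demo():
    """Constructed scenario: a SYN burst trips the detector; only a handshake-completing client is promoted."""
    f = SynFloodFilter(r=4, s=1.0, n=100, v=1000, high_len=256, low_len=64)
    server = ("192.0.2.10", 80)
    for i in range(150):   # 150 SYNs inside the first slot: still normal, all go high
        f.receive(Packet(f"10.0.0.{i}", 40000 + i, *server, 1000 + i, "syn"), now=0.5)
    client = ("198.51.100.7", 5555)
    syn = f.receive(Packet(*client, *server, 777, "syn"), now=1.0)        # 150 SYN/s >= n: attack
    ack = f.receive(Packet(*client, *server, 778, "synack"), now=1.1)     # seq = SYN seq + 1
    data = f.receive(Packet(*client, *server, 778, "other"), now=1.2)
    odd_data = f.receive(Packet("203.0.113.9", 6000, *server, 5, "other"), now=1.2)
    odd_ack = f.receive(Packet("203.0.113.9", 6000, *server, 6, "synack"), now=1.3)
    return {"attack": f.attack, "client": (syn, ack, data), "stranger": (odd_data, odd_ack),
            "rates": f.forward_rates(), "forwarded_in_1s": len(f.forward(1.0)),
            "legal": sorted(f.legal_ips), "dropped": f.dropped}
```

Running demo() shows the page's intended behaviour: in the attack state the client's SYN waits in the low-weight queue, its completing packet moves it (and its source IP) to the high-weight side, a stranger's data and unsolicited "synack" stay low, and with r=4 and v=1000 the forwarder grants 800 and 200 packets per second to the two queues. Two properties worth checking against your own deployment are visible in the code: the detector only re-evaluates when a packet arrives after the slot has elapsed, so a quiet link can sit in the attack state until the next packet, and every half-open SYN recorded during an attack stays in the connection table until the state returns to normal.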
Both the connection state table and the legal address table are implemented with the published Bloom filter technique. The organization of a Bloom filter is shown in Fig. 2: it consists of k mutually independent hash functions and a hash table of length m, where k and m are set by configuration. The basic procedures of its main operations are as follows:
Lookup: hash the input item with each hash function to obtain a set of hash values; check whether the buckets of the hash table addressed by these values are all 1; if so, return success, otherwise return failure.
Insert: hash the input item with each hash function to obtain a set of hash values; set the buckets of the hash table addressed by these values to 1 and return.
Delete: hash the input item with each hash function to obtain a set of hash values; check whether the buckets of the hash table addressed by these values are all 1; if so, set them all to 0 and return, otherwise return.
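The three operations above, as an added example in Python that is not part of the patent: a Bloom filter with the page's lookup, insert and delete semantics, plus the classical false-positive estimate used to choose m and k. The class name BloomFilter, the salted-SHA-256 construction of the k hash functions, the five_tuple() encoding and the demo() scenario are all assumptions of this example; the page fixes neither the hash functions nor the encoding of the five-tuple.

```python
import hashlib
import math


class BloomFilter:
    """Bloom filter with the lookup, insert and delete operations described on the page.

    The k hash functions are SHA-256 with a one-byte salt per function (an implementation
    choice of this example; the page only requires k mutually independent hashes).
    """

    def __init__(self, m, k):
        self.m, self.k = m, k
        self.buckets = bytearray(m)   # hash table of length m; each bucket holds 0 or 1

    def _positions(self, item):
        """Hash `item` with each of the k functions; returns the k bucket indices."""
        data = item if isinstance(item, bytes) else repr(item).encode()
        return [int.from_bytes(hashlib.sha256(bytes([i]) + data).digest()[:8], "big") % self.m
                for i in range(self.k)]

    def lookup(self, item):
        """Success only if every addressed bucket is 1 (a false positive is possible)."""
        return all(self.buckets[p] for p in self._positions(item))

    def insert(self, item):
        for p in self._positions(item):
            self.buckets[p] = 1

    def delete(self, item):
        """Clear the item's buckets if they are all set; returns whether anything was cleared."""
        positions = self._positions(item)
        if not all(self.buckets[p] for p in positions):
            return False
        for p in positions:
            self.buckets[p] = 0
        return True

    def set_bits(self):
        return sum(self.buckets)


def expected_false_positive_rate(m, k, n):
    """Classical estimate (1 - e^(-kn/m))^k for n stored items; use it to size m and k."""
    return (1 - math.exp(-k * n / m)) ** k


def five_tuple(src_ip, src_port, dst_ip, dst_port, seq):
    """Encode a connection identifier as the page defines it (five-tuple of the SYN packet)."""
    return f"{src_ip}:{src_port}>{dst_ip}:{dst_port}#{seq}".encode()


def demo():
    """Constructed walk-through: record a SYN's five-tuple, find it from the completing
    packet's fields (sequence number minus 1), delete it, and confirm it is gone."""
    table = BloomFilter(m=1 << 16, k=3)
    syn_id = five_tuple("198.51.100.7", 5555, "192.0.2.10", 80, 777)
    table.insert(syn_id)
    found = table.lookup(five_tuple("198.51.100.7", 5555, "192.0.2.10", 80, 778 - 1))
    deleted = table.delete(syn_id)
    gone = not table.lookup(syn_id)
    return {"found": found, "deleted": deleted, "gone": gone, "bits_after": table.set_bits()}
```

Two properties of this structure matter for the filter. Lookup can return success for an item that was never inserted, so with some probability a source that never completed a handshake is treated as legal; expected_false_positive_rate() lets you bound that probability for the number of half-open connections and legal addresses you expect to hold. Delete as the page describes it clears bits that other stored items may share, so deleting one connection identifier can make a different, still-open connection disappear from the table (a false negative); a counting Bloom filter, which keeps a small counter per bucket instead of a single bit, avoids this at the cost of more memory.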
The filtering system disclosed in the present invention provides Syn Flood attack filtering and defense for a network information system. It is mainly deployed between the access router and the protected network information system; the specific deployment and connection options are shown in Figure 3. The filtering system can be connected between the access router and the switch, between the access router and the egress router, or between the access router and the protected server.
The structure and processing flow of the filtering system are shown in Figure 4. The filtering system 400 comprises an initialization module 401, a detection module 402, a filtering module 403, a buffer module 404 and a forwarding module 405.
The specific implementation steps are as follows:
The buffer module 404 comprises a low-weight queue 441 and a high-weight queue 442.
The low-weight queue 441 operates in first-in-first-out (FIFO) mode.
The high-weight queue 442 operates in first-in-first-out (FIFO) mode.
The lengths of the high-weight queue 442 and the low-weight queue 441 are determined by the processing capacity of the filtering system.
The initialization module 401 is used to configure the detection time slot as s, the Syn packet count threshold as n, and the ratio of packets forwarded from the high-weight and low-weight queues as r; to initialize the current-state variable to the normal state; and to initialize the timer to 0.
The detection module 402 is used to take a data packet from the system ingress and check whether the timer is less than s. If the timer is less than s: if the current state is the normal state, check whether the high-weight queue 442 in the buffer module 404 is full, discard the packet if it is full, otherwise add the packet to the high-weight queue 442; if the current state is the attack state, pass the packet to the filtering module 403. If the timer is greater than or equal to s, reset the timer to 0 and determine whether an attack has occurred; if an attack has occurred, change the current state to the attack state and pass the packet to the filtering module 403; if no attack has occurred, clear the connection state table and the legitimate address table, set the current state to the normal state, check whether the high-weight queue 442 in the buffer module 404 is full, discard the packet if it is full, otherwise add the packet to the high-weight queue 442.
The specific method for determining whether an attack has occurred is as follows:
Let N be the number of Syn packets counted since the timer started from 0, and let t be the current timer value. If N/t is greater than or equal to the threshold n, an attack is deemed to have occurred; otherwise, when N/t is less than n, no attack is deemed to have occurred.
The filtering module 403 receives a data packet passed on by the detection module 402 and examines its type. If it is a Syn packet, it looks up the identifier of the packet's connection in the connection state table; the identifier is the Syn packet's five-tuple <source IP, source port, destination IP, destination port, sequence number>. If it is not found, the five-tuple is added to the connection state table, and the module checks whether the low-weight queue 441 in the buffer module 404 is full, discards the packet if it is full, and otherwise adds the packet to the low-weight queue 441. If it is a Syn/Ack packet, the module looks up the identifier of the packet's connection in the connection state table, where the identifier equals the Syn/Ack packet's source IP, source port, destination IP, destination port and sequence number minus 1. If it is not found, the module checks whether the low-weight queue 441 in the buffer module 404 is full, discards the packet if it is full, and otherwise adds the packet to the low-weight queue 441; if it is found, the five-tuple is deleted from the connection state table, the source IP is added to the legitimate address table, and the module checks whether the high-weight queue 442 in the buffer module 404 is full, discards the packet if it is full, and otherwise adds the packet to the high-weight queue 442. If the packet is neither of these two kinds, the module looks up the packet's source IP in the legitimate address table; if it is found, the module checks whether the high-weight queue 442 in the buffer module 404 is full, discards the packet if it is full, and otherwise adds the packet to the high-weight queue 442; if it is not found, the module checks whether the low-weight queue 441 in the buffer module 404 is full, discards the packet if it is full, and otherwise adds the packet to the low-weight queue 441.
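The classification logic of the filtering module described above, as an added Python example that is not the patent's code. It follows the page literally (a Syn/Ack is matched against the SYN's five-tuple with the sequence number reduced by 1, and its source IP is then treated as legitimate); plain sets stand in for the two Bloom filters, the packet model and the trace are constructed here, and a repeated SYN is handled like a new one because the page leaves that case open.

```python
from collections import deque, namedtuple

# Constructed packet model: kind is "SYN", "SYN/ACK" or "OTHER".
Packet = namedtuple("Packet", "kind src_ip src_port dst_ip dst_port seq")

class FilterModule:
    """Packet classification of filtering module 403 in the attack state.
    Plain sets stand in for the two Bloom filters (assumption of this example)."""

    def __init__(self, high_max: int, low_max: int) -> None:
        self.conn_state = set()      # connection state table, keyed by five-tuple
        self.legal_addrs = set()     # legitimate address table, keyed by source IP
        self.high_q, self.high_max = deque(), high_max   # high-weight queue 442
        self.low_q, self.low_max = deque(), low_max      # low-weight queue 441

    def _enqueue(self, queue: deque, limit: int, pkt: Packet) -> str:
        # every branch of the patent ends with "drop if the queue is full, else enqueue"
        if len(queue) >= limit:
            return "drop"
        queue.append(pkt)
        return "high" if queue is self.high_q else "low"

    def handle(self, pkt: Packet) -> str:
        five = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.seq)
        if pkt.kind == "SYN":
            # record the five-tuple; the SYN itself only earns the low-weight queue
            # (a repeated SYN is treated the same way here; the page leaves it open)
            self.conn_state.add(five)
            return self._enqueue(self.low_q, self.low_max, pkt)
        if pkt.kind == "SYN/ACK":
            key = five[:4] + (pkt.seq - 1,)      # matches the SYN's sequence number
            if key not in self.conn_state:
                return self._enqueue(self.low_q, self.low_max, pkt)
            self.conn_state.remove(key)           # handshake completed
            self.legal_addrs.add(pkt.src_ip)      # source becomes a legitimate address
            return self._enqueue(self.high_q, self.high_max, pkt)
        # any other packet is ranked by whether its source is already legitimate
        if pkt.src_ip in self.legal_addrs:
            return self._enqueue(self.high_q, self.high_max, pkt)
        return self._enqueue(self.low_q, self.low_max, pkt)

def handshake_trace() -> list:
    """Constructed trace: a client that completes the handshake is promoted to
    the high-weight queue; unknown sources and unmatched SYN/ACKs stay low."""
    f = FilterModule(high_max=4, low_max=4)
    c = ("192.0.2.10", 40000, "198.51.100.5", 80)
    trace = [
        Packet("SYN", *c, 1000),
        Packet("SYN/ACK", *c, 1001),
        Packet("OTHER", *c, 1002),
        Packet("OTHER", "192.0.2.99", 1234, "198.51.100.5", 80, 7),
        Packet("SYN/ACK", "192.0.2.77", 5555, "198.51.100.5", 80, 9),
    ]
    return [f.handle(p) for p in trace]
```

`handshake_trace()` returns `["low", "high", "high", "low", "low"]`: only the source that completed the handshake reaches the high-weight queue, and a full queue turns the verdict into `"drop"`.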
The connection state table and the legitimate address table are both implemented with a published Bloom Filter technique. The structure of the Bloom Filter is shown in Figure 2: it consists of k mutually independent hash functions and a hash table of length m (where k and m are determined by the user). The basic procedures of its main operations are as follows:
Lookup operation: hash the input item with each hash function to produce a set of hash values, and check whether the buckets of the hash table corresponding to that set of hash values are all 1; if so, return lookup success, otherwise return lookup failure;
Insert operation: hash the input item with each hash function to produce a set of hash values, set the buckets of the hash table corresponding to that set of hash values to 1, and return.
Delete operation: hash the input item with each hash function to produce a set of hash values, and check whether the buckets of the hash table corresponding to that set of hash values are all 1; if so, set them all to 0 and return, otherwise return.
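The three Bloom Filter operations listed here (and identically in the method description earlier on the page), as an added Python example that is not the patent's code. The k hash functions are derived by salting SHA-256 with the function index (an assumption; the page fixes neither the hashes nor m and k), and the second function exercises the failure mode a defender should know about: the bit-clearing delete described on the page can clear a bucket that another still-valid entry needs, so that entry then fails lookup. This is the reason counting Bloom filters are normally used when deletion is required.

```python
import hashlib

class BloomFilter:
    """Bloom filter with the three operations the patent lists: lookup,
    insert and delete over k hash functions and a table of m buckets."""

    def __init__(self, m: int, k: int) -> None:
        self.m = m              # hash table length (number of buckets)
        self.k = k              # number of mutually independent hash functions
        self.table = [0] * m

    def _positions(self, item: str) -> list:
        # k hash functions derived by prefixing SHA-256 with the function index
        # (an assumption of this example; the patent does not fix the hashes).
        out = []
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            out.append(int.from_bytes(digest[:8], "big") % self.m)
        return out

    def lookup(self, item: str) -> bool:
        # success only if every bucket selected by the k hashes holds 1
        return all(self.table[p] == 1 for p in self._positions(item))

    def insert(self, item: str) -> None:
        for p in self._positions(item):
            self.table[p] = 1

    def delete(self, item: str) -> bool:
        # the patent's delete: if all k buckets are 1, clear them all to 0
        positions = self._positions(item)
        if not all(self.table[p] == 1 for p in positions):
            return False
        for p in positions:
            self.table[p] = 0
        return True

def delete_evicts_neighbour(m: int = 64, k: int = 3) -> bool:
    """Return True if deleting one entry made a different, still-inserted
    entry fail lookup. Any two entries that share a bucket trigger this,
    which is why bit-clearing delete produces false negatives."""
    bf = BloomFilter(m, k)
    first = "192.0.2.10:40000->198.51.100.5:80:1000"   # constructed five-tuple
    bf.insert(first)
    shared = set(bf._positions(first))
    for i in range(10000):
        other = f"192.0.2.{i % 254 + 1}:{2000 + i}->198.51.100.5:80:{5000 + i}"
        if other != first and shared & set(bf._positions(other)):
            bf.insert(other)
            bf.delete(other)           # clears a bucket that `first` relies on
            return not bf.lookup(first)
    return False
```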
The forwarding module 405 operates concurrently with the processing described above and checks the current state. In the attack state, if there are packets in the buffer, it continuously forwards packets from the high-weight queue 442 and the low-weight queue 441 out of the system egress at rates of r*v/(r+1) and v/(r+1) respectively; if not in the attack state, and there are packets in the high-weight queue 442, it continuously forwards them out of the system egress at rate v.
The total forwarding rate is v, in packets per second, and is determined by the processing capacity of the protected network information system.
Those skilled in the art may make various modifications to the above without departing from the spirit and scope of the present invention as defined by the claims. Therefore the scope of the present invention is not limited to the above description but is determined by the scope of the claims.
Claims (20)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2008102474401A CN101465855B (en) | 2008-12-31 | 2008-12-31 | A filtering method and system for synchronous flooding attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101465855A true CN101465855A (en) | 2009-06-24 |
CN101465855B CN101465855B (en) | 2011-11-23 |
Family
ID=40806217
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2008102474401A Expired - Fee Related CN101465855B (en) | 2008-12-31 | 2008-12-31 | A filtering method and system for synchronous flooding attack |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101465855B (en) |
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101789947A (en) * | 2010-02-21 | 2010-07-28 | 成都市华为赛门铁克科技有限公司 | Method and firewall for preventing HTTP POST flooding attacks |
CN102075535A (en) * | 2011-01-12 | 2011-05-25 | 中国科学院计算技术研究所 | Distributed denial-of-service attack filter method and system for application layer |
CN101778101B (en) * | 2009-12-31 | 2012-10-03 | 卓望数码技术(深圳)有限公司 | Message transmission method and message transmission system |
CN101778055B (en) * | 2009-12-31 | 2013-03-13 | 卓望数码技术(深圳)有限公司 | Message processing method and network entity |
CN103491061A (en) * | 2012-06-13 | 2014-01-01 | 华为技术有限公司 | Attack mitigation method, serial number providing method and equipment |
CN103746918A (en) * | 2014-01-06 | 2014-04-23 | 深圳市星盾网络技术有限公司 | Message forwarding system and message forwarding method |
CN105100024A (en) * | 2014-05-21 | 2015-11-25 | 腾讯科技(深圳)有限公司 | UDP data packet safety detection method and device |
CN105991632A (en) * | 2015-04-20 | 2016-10-05 | 杭州迪普科技有限公司 | Network security protection method and device |
CN107634971A (en) * | 2017-10-26 | 2018-01-26 | 杭州迪普科技股份有限公司 | A kind of method and device for detecting flood attack |
CN108037983A (en) * | 2017-11-22 | 2018-05-15 | 链家网(北京)科技有限公司 | Method for scheduling task and distributed scheduling system in distributed scheduling system |
CN108737447A (en) * | 2018-06-22 | 2018-11-02 | 腾讯科技(深圳)有限公司 | User Datagram Protocol traffic filtering method, apparatus, server and storage medium |
CN112714129A (en) * | 2020-12-30 | 2021-04-27 | 西安交通大学 | Internal and external network access control method for network security chip and network security chip |
CN113709105A (en) * | 2021-07-20 | 2021-11-26 | 深圳市风云实业有限公司 | SYN Flood attack detection method based on counting type bloom filter |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101217547B (en) * | 2008-01-18 | 2012-05-09 | 南京邮电大学 | A flood request attaching filtering method based on the stateless open source core |
CN101267313B (en) * | 2008-04-23 | 2010-10-27 | 成都市华为赛门铁克科技有限公司 | Flooding attack detection method and detection device |
CN101282209A (en) * | 2008-05-13 | 2008-10-08 | 杭州华三通信技术有限公司 | Method and apparatus for preventing DNS request message from flooding attack |
Cited By (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101778101B (en) * | 2009-12-31 | 2012-10-03 | 卓望数码技术(深圳)有限公司 | Message transmission method and message transmission system |
CN101778055B (en) * | 2009-12-31 | 2013-03-13 | 卓望数码技术(深圳)有限公司 | Message processing method and network entity |
CN101789947A (en) * | 2010-02-21 | 2010-07-28 | 成都市华为赛门铁克科技有限公司 | Method and firewall for preventing HTTP POST flooding attacks |
CN101789947B (en) * | 2010-02-21 | 2012-10-03 | 成都市华为赛门铁克科技有限公司 | Method and firewall for preventing HTTP POST flooding attacks |
CN102075535A (en) * | 2011-01-12 | 2011-05-25 | 中国科学院计算技术研究所 | Distributed denial-of-service attack filter method and system for application layer |
CN102075535B (en) * | 2011-01-12 | 2013-01-30 | 中国科学院计算技术研究所 | Application layer distributed denial of service attack filtering method and system |
CN103491061B (en) * | 2012-06-13 | 2017-02-15 | 华为技术有限公司 | Attack mitigation method, serial number providing method and equipment |
CN103491061A (en) * | 2012-06-13 | 2014-01-01 | 华为技术有限公司 | Attack mitigation method, serial number providing method and equipment |
CN103746918A (en) * | 2014-01-06 | 2014-04-23 | 深圳市星盾网络技术有限公司 | Message forwarding system and message forwarding method |
CN103746918B (en) * | 2014-01-06 | 2018-01-12 | 深圳市星盾网络技术有限公司 | Message forwarding system and message forwarding method |
CN105100024A (en) * | 2014-05-21 | 2015-11-25 | 腾讯科技(深圳)有限公司 | UDP data packet safety detection method and device |
CN105100024B (en) * | 2014-05-21 | 2017-12-12 | 腾讯科技(深圳)有限公司 | UDP message bag safety detection method and device |
CN105991632A (en) * | 2015-04-20 | 2016-10-05 | 杭州迪普科技有限公司 | Network security protection method and device |
CN107634971A (en) * | 2017-10-26 | 2018-01-26 | 杭州迪普科技股份有限公司 | A kind of method and device for detecting flood attack |
CN108037983A (en) * | 2017-11-22 | 2018-05-15 | 链家网(北京)科技有限公司 | Method for scheduling task and distributed scheduling system in distributed scheduling system |
CN108737447A (en) * | 2018-06-22 | 2018-11-02 | 腾讯科技(深圳)有限公司 | User Datagram Protocol traffic filtering method, apparatus, server and storage medium |
CN108737447B (en) * | 2018-06-22 | 2020-07-17 | 腾讯科技(深圳)有限公司 | User datagram protocol flow filtering method, device, server and storage medium |
CN112714129A (en) * | 2020-12-30 | 2021-04-27 | 西安交通大学 | Internal and external network access control method for network security chip and network security chip |
CN112714129B (en) * | 2020-12-30 | 2022-06-03 | 西安交通大学 | Internal and external network access control method for network security chip and network security chip |
CN113709105A (en) * | 2021-07-20 | 2021-11-26 | 深圳市风云实业有限公司 | SYN Flood attack detection method based on counting type bloom filter |
CN113709105B (en) * | 2021-07-20 | 2023-08-29 | 深圳市风云实业有限公司 | SYN Flood attack detection method based on counting type bloom filter |
Also Published As
Publication number | Publication date |
---|---|
CN101465855B (en) | 2011-11-23 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20111123 Termination date: 20201231 |