CN106131036A - Processing method, device and terminal for CC attacks - Google Patents
Processing method, device and terminal for CC attacks
- Publication number: CN106131036A (application CN201610586483.7A)
- Authority: CN (China)
- Prior art keywords: attack, packet, attacks, syn, sends
- Legal status: Granted
Classifications
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/14: Network security for detecting or protecting against malicious traffic
- H04L63/1441: Countermeasures against malicious traffic
- H04L63/1458: Denial of Service
Abstract
This application discloses a processing method, device and terminal for CC attacks. The method includes: after receiving a first SYN packet sent by a CC attack end to a target host, sending a second SYN packet to the CC attack end; receiving the SYN/ACK packet that the CC attack end sends in response to the second SYN packet; and discarding, and ceasing to respond to, any packet sent by the CC attack end, so that the CC attack the CC attack end launches against the target host rebounds onto the CC attack end itself. Implementing the application consumes the socket resources of the CC attack end, so that while the target host is effectively defended against the harm of the CC attack end, the CC attack launched by the CC attack end is also effectively suppressed.
Description
Technical field
The application relates to the field of network communication technology, and in particular to a processing method, device and terminal for CC attacks.
Background technology
With the development of network technology, more and more user terminals and application servers are connected to the network. At the same time network attacks are spreading, exposing more and more network applications to serious security threats, and page-based DDoS (the CC attack, short for Challenge Collapsar, an HTTP-layer flood) is becoming a main means of network attack whose harm keeps growing.

In a CC attack, the attacker uses proxy servers or other controlled systems to open a large number of HTTP connections to the target host. To defend against it, the client sending the request can be subjected to confirmation-code (CAPTCHA) verification: a confirmation page is pushed to the client; if the client is operated by a natural person, that person can recognize the confirmation code on the page and enter it correctly, and access to the protected target host is then allowed. If the client is an attacker, such as a proxy or a trojan, current technology cannot make the attacker recognize the confirmation code automatically and correctly, so the attacker fails the confirmation-code verification and cannot really access the target host.

Although this CC attack defense can to some extent protect the target host from the harm of a CC attack, it has no effect on the client that launches the attack and so cannot effectively suppress that client from launching CC attacks.
Summary of the invention
The application provides a processing method, device and terminal for CC attacks, to solve the problem that existing CC attack defenses cannot effectively suppress a client from launching CC attacks.
According to a first aspect of the embodiments of the application, a processing method for CC attacks is provided, comprising the following steps:
receiving a first SYN packet sent by a CC attack end to a target host, and then sending a second SYN packet to the CC attack end;
receiving the SYN/ACK packet that the CC attack end sends in response to the second SYN packet;
discarding, and ceasing to respond to, any packet sent by the CC attack end, so that the CC attack the CC attack end launches against the target host rebounds onto the CC attack end itself.
In one embodiment, the method further includes:
when the first SYN packet is received, starting a preset timer whose duration is less than or equal to the timeout within which the CC attack end retransmits the first SYN packet;
the step of sending the second SYN packet to the CC attack end is performed after the preset timer expires.
In one embodiment, the method further includes:
after receiving a first SYN packet sent by a client to the target host, requesting a CC attack verification side to perform CC attack verification on the client;
receiving the verification result returned by the CC attack verification side;
if the verification result indicates that the client failed the CC attack verification, determining that the client is a CC attack end;
the step of sending the second SYN packet to the CC attack end is performed after the client has been determined to be a CC attack end.
In one embodiment, the method further includes:
requesting a hook to intercept the first SYN packet sent by the CC attack end to the target host, the hook being installed on the proxy side of the target host;
receiving the first SYN packet forwarded by the hook;
the step of sending the second SYN packet to the CC attack end is performed after the first SYN packet forwarded by the hook has been received.
In one embodiment, after the second SYN packet has been sent to the CC attack end, the method further includes:
receiving the response packet sent by the CC attack end;
if the response packet is a SYN/ACK packet, ceasing to respond to any packet sent by the CC attack end, so that the CC attack the CC attack end launches against the target host rebounds onto the CC attack end;
if the response packet is an ACK packet forged by the CC attack end, requesting a traffic cleaning side to clean the packets sent by the CC attack end.
In one embodiment, if the response packet is an ACK packet forged by the CC attack end, the method further includes:
sending the CC attack end a forged packet that responds to the first SYN packet.
According to a second aspect of the embodiments of the application, a processing device for CC attacks is provided, including:
a packet sending module, configured to send a second SYN packet to a CC attack end after a first SYN packet sent by the CC attack end to a target host has been received;
a packet receiving module, configured to receive the SYN/ACK packet that the CC attack end sends in response to the second SYN packet;
an attack processing module, configured to discard, and cease responding to, any packet sent by the CC attack end, so that the CC attack the CC attack end launches against the target host rebounds onto the CC attack end.
In one embodiment, the device further includes:
a timing module, configured to start a preset timer when the first SYN packet is received, the duration of the preset timer being less than or equal to the timeout within which the CC attack end retransmits the first SYN packet;
the packet sending module is further configured to send the second SYN packet to the CC attack end after the preset timer of the timing module expires.
In one embodiment, the device further includes:
an attack verification request module, configured to request a CC attack verification side to perform CC attack verification on a client after a first SYN packet sent by the client to the target host has been received;
a verification result receiving module, configured to receive the verification result returned by the CC attack verification side;
an attacker determination module, configured to determine that the client is a CC attack end when the verification result indicates that the client failed the CC attack verification;
the packet sending module is further configured to send the second SYN packet to the CC attack end after the attacker determination module has determined that the client is a CC attack end.
In one embodiment, the device further includes:
an interception request module, configured to request a hook to intercept the first SYN packet sent by the CC attack end to the target host, the hook being installed on the proxy side of the target host;
an interception result receiving module, configured to receive the first SYN packet forwarded by the hook;
the packet sending module is further configured to send the second SYN packet to the CC attack end after the interception result receiving module has received the first SYN packet forwarded by the hook.
In one embodiment, the device further includes:
a response packet receiving module, configured to receive the response packet sent by the CC attack end;
an attack processing submodule, configured to cease responding to any packet sent by the CC attack end when the response packet is a SYN/ACK packet, so that the CC attack the CC attack end launches against the target host rebounds onto the CC attack end;
a cleaning request module, configured to request a traffic cleaning side to clean the packets sent by the CC attack end when the response packet is an ACK packet forged by the CC attack end.
In one embodiment, the device further includes:
a forged response module, configured to send the CC attack end a forged packet responding to the first SYN packet when the response packet is an ACK packet forged by the CC attack end.
According to a third aspect of the embodiments of the application, a terminal is provided, characterized by including:
a processor;
a memory for storing instructions executable by the processor;
wherein the processor is configured to:
receive a first SYN packet sent by a CC attack end to a target host, and then send a second SYN packet to the CC attack end;
receive the SYN/ACK packet that the CC attack end sends in response to the second SYN packet;
discard, and cease responding to, any packet sent by the CC attack end, so that the CC attack the CC attack end launches against the target host rebounds onto the CC attack end.
Applying the embodiments of the application, after the first SYN packet sent by a CC attack end to a target host has been received, a second SYN packet is sent to the CC attack end; after the SYN/ACK packet that the CC attack end sends in response to the second SYN packet has been received, any packet sent by the CC attack end is discarded and no longer answered. The CC attack end, having responded to the second SYN packet with a SYN/ACK, thereby enters the SYN_RCVD state, and after it closes its socket it passes in turn through the FIN_WAIT_1, FIN_WAIT_2 and TIME_WAIT states. In these states the socket resources of the CC attack end remain occupied, and every packet the CC attack end sends to the target host is bounced back at itself, consuming the CC attack end's own socket resources until it no longer has enough resources to send CC attacks. Thus, while the target host is effectively defended against the harm of the CC attack end, the socket resources of the CC attack end are consumed, which in turn effectively suppresses the CC attacks launched by the CC attack end.

It should be understood that the general description above and the detailed description below are only exemplary and explanatory and do not limit the application.
Description of the drawings
The accompanying drawings are incorporated into and constitute a part of this specification; they show embodiments consistent with the application and, together with the description, serve to explain its principles.
Fig. 1 is a schematic diagram of the application scenario in which an embodiment of the application handles a CC attack;
Fig. 2 is the state transition diagram of a TCP connection in an embodiment of the CC attack processing method of the application;
Fig. 3 is a flow chart of an embodiment of the CC attack processing method of the application;
Fig. 4 is a flow chart of another embodiment of the CC attack processing method of the application;
Fig. 5 is a hardware structure diagram of a terminal in which the CC attack processing device of the application is located;
Fig. 6 is a block diagram of an embodiment of the CC attack processing device of the application;
Fig. 7 is a block diagram of another embodiment of the CC attack processing device of the application.
Detailed description of the invention
Exemplary embodiments are described in detail here, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the application; on the contrary, they are merely examples of devices and methods consistent with some aspects of the application as detailed in the appended claims.

The terms used in this application are only for the purpose of describing specific embodiments and are not intended to limit the application. The singular forms "a", "the" and "said" used in this application and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any or all possible combinations of one or more of the associated listed items.

It should be understood that although the terms first, second, third and so on may be used in this application to describe various information, the information should not be limited by these terms; they are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be called second information and, similarly, second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
Referring to Fig. 1, Fig. 1 is a schematic diagram of the application scenario in which an embodiment of the application handles a CC attack.

The scenario of Fig. 1 includes client 120, the terminal on which client 120 is installed, and server 140 acting as the target host. The terminal is connected to server 140 by a wireless or wired network, and information is transmitted and exchanged between them over that network connection. The terminal can include at least one of a smartphone, desktop computer, notebook, personal digital assistant, tablet computer and similar terminal devices. It is understood that the target host of this embodiment is described with a server only as an example; it can also be an intelligent terminal such as a PC (Personal Computer) or a tablet.

Server 140 runs a service end that provides client 120 with various services over the network, such as FTP (File Transfer Protocol), game ports, chat rooms, web forums and so on. Before the service end provides a service to client 120, client 120 needs to establish a connection between its terminal and server 140, normally a TCP connection set up under the TCP protocol. The state transitions of a TCP connection are shown in Fig. 2: establishing a TCP connection is commonly called the three-way handshake, and terminating it the four-way handshake.
The TCP connection state transitions shown in Fig. 2 are briefly described as follows.

First the thick line in Fig. 2, the state transitions of client 120. In the CLOSED state, client 120 initiates a connection to server 140 by sending a SYN packet (seq=k), that is, client 120 calls the connect function, and enters the SYN_SENT state. If it times out waiting for server 140 to return an ACK for that SYN, client 120 returns to the CLOSED state. If client 120 receives in time the ACK returned by server 140 together with the server's own SYN (seq=j), that is, a SYN/ACK packet, client 120 first replies to server 140 with an ACK for the SYN (seq=j) and then enters the ESTABLISHED state: the connection between client 120 and server 140 has been set up and they communicate normally.

When communication ends, client 120 sends a FIN packet to server 140, that is, it calls the close function, and enters the FIN_WAIT_1 state to wait for the ACK with which server 140 answers the FIN. After receiving that ACK, client 120 enters the FIN_WAIT_2 state. Because communication is bidirectional, server 140 also sends a FIN packet to client 120 (that is, server 140 also calls close); client 120 then returns an ACK for that FIN to server 140 and enters the TIME_WAIT state. After TIME_WAIT has lasted 2MSL (MSL: maximum segment lifetime), it enters the CLOSED state and the socket (the endpoint of a bidirectional communication link through which two programs on the network exchange data) is formally closed. A TIME_WAIT state lasting 2MSL is inserted between FIN_WAIT_2 and CLOSED for two reasons: 1) to guarantee that the full-duplex TCP connection really terminates; if client 120 closed as soon as it sent the final ACK from FIN_WAIT_2 and that ACK were lost, server 140 would never receive the ACK to its FIN and could not close; 2) to guarantee that all packets belonging to the previous connection have disappeared before the next connection, so that they cannot affect it.

Next the dotted line in Fig. 2, the state transitions of server 140. Server 140 is in the LISTEN state, that is, it has called the listen and accept functions. When it receives the connection request from client 120, namely the SYN packet (seq=k), it returns its own synchronization packet SYN (seq=j) together with an ACK (ack=k+1) for the client's SYN, that is, it replies with a SYN/ACK packet. Server 140 now enters the SYN_RCVD state and waits for the ACK (ack=j+1) with which client 120 confirms. If that ACK arrives, server 140 enters the ESTABLISHED state; if it does not arrive, the SYN/ACK is retransmitted (the figure does not mark the case where client 120 crashes after server 140 has sent SYN (seq=j) ACK (k+1); a retransmission mechanism generally exists for it). The socket close sequence of server 140 differs somewhat from that of client 120, because server 140 is closed passively: after receiving the FIN packet sent by client 120, server 140 returns an ACK confirming that FIN and enters the CLOSE_WAIT state. Once the data in its own socket has been dealt with, server 140 likewise sends a FIN packet to client 120 (that is, calls close) and enters the LAST_ACK state; after receiving the ACK from client 120 it enters the final CLOSED state.

Finally the thin line in Fig. 2, which shows how the TCP connection state changes when client 120 and server 140 open simultaneously and close simultaneously. A simultaneous open means that after client 120 has sent a SYN packet, server 140 also happens to send a SYN packet to the same port of client 120; a simultaneous close means that after client 120 has sent a FIN packet, server 140 also happens to send a FIN packet to the same port of client 120. Both cases almost never occur in practice, and when they do it is usually between two servers, because both sides must know each other's port number. RST in Fig. 2 is another way of closing a connection; an application should be able to judge whether a RST is genuine, that is, whether the connection was aborted.
The CC attack processing method of the embodiments of the application can, when client 120 launches a CC attack against server 140, exploit the simultaneous-open state between client 120 and server 140 on the basis of the TCP state transitions described above: after receiving the first SYN packet sent by client 120 to server 140, it sends a second SYN packet to client 120, and after receiving the SYN/ACK packet with which client 120 replies it no longer answers any packet from client 120. Client 120, having replied to the second SYN packet with a SYN/ACK, stays in the SYN_RCVD state, and after it closes the socket it enters the FIN_WAIT_1, FIN_WAIT_2 and TIME_WAIT states in turn. Client 120 then behaves as if it were server 140 itself: every connection request (SYN packet) it directs at server 140 is bounced back at it, so it consumes its own socket resources. Thus, while server 140 is effectively defended against the CC attack from client 120, the socket resources of client 120 are consumed at the same time, which in turn effectively suppresses the CC attack launched by client 120.

The CC attack processing method of the embodiments can run directly on server 140, or on a proxy in front of server 140, for example nginx (a high-performance HTTP and reverse proxy server). The embodiments of the application are described in detail below with reference to Fig. 1 and Fig. 2.
Referring to Fig. 3, Fig. 3 is a flow chart of an embodiment of the CC attack processing method of the application, comprising the following steps 301-303:
Step 301: after receiving a first SYN packet sent by a CC attack end to a target host, send a second SYN packet to the CC attack end.
Referring to Fig. 2, SYN (synchronize) is the handshake signal used when TCP/IP establishes a connection. When a normal TCP connection is set up between a client and a server, the client first sends a SYN packet, the server responds with a SYN and ACK packet (SYN/ACK) to indicate that it received the SYN, and finally the client responds with an ACK packet. A reliable TCP connection is then established and data can be transferred between the client and the server. When the client is a CC attack end launching a CC attack against the server, however, the SYN attack is the most common and most easily exploited form: it abuses a weakness of the TCP protocol. The client forges a large number of non-existent IP addresses within a short time and keeps sending a great many SYN packets to the server; these first SYN packets are forged packets. If the server replies with a confirmation packet and waits for the client's confirmation, it must keep retransmitting the confirmation until it times out, because the source address does not exist. The forged SYN packets occupy the half-open connection queue for a long time, normal SYN packets are dropped, the target system behind the server slows down and, in severe cases, the network becomes congested or the system collapses.

To prevent the server, after receiving the first SYN packet sent by the client launching the CC attack, from replying with a confirmation packet and waiting for that client's confirmation, which slows down the target system and may even cause network congestion or system collapse, the method does not return a confirmation packet after receiving the first SYN packet from the client launching the CC attack. Instead it sends the second SYN packet to that client (the CC attack end), which amounts to putting the attacking client and the server into a simultaneous-open state and induces the attacking client to reply with a confirmation packet for the second SYN packet and then wait for confirmation.

The second SYN packet of the embodiments is sent to the client launching the CC attack and does not affect clients making normal connection requests: after the first SYN packet sent by a client to the target host has been received, it can first be verified whether the client sending the first SYN packet is carrying out a CC attack on the target host, and only then is the second SYN packet sent to the client.
In some application scenarios the CC attack processing method of the embodiments is applied on the proxy side of the target host. To verify whether the client sending the first SYN packet is carrying out a CC attack on the target host, the proxy can request a CC attack verification side to perform CC attack verification on the client and then receive the verification result it returns. If the result indicates that the client failed the CC attack verification, the client is determined to be a CC attack end and the step of sending the second SYN packet to the CC attack end is performed after that determination. If the result indicates that the client passed the CC attack verification, the client is determined not to be a CC attack end and the first SYN packet is forwarded to the target host as usual.

In practice, the attack verification side can be CC attack verification equipment associated with the target host, a CC attack verification module in the target host, or a CC attack verification module in traffic cleaning equipment. When the embodiments need to perform CC attack verification on the client, the proxy side of the target host can therefore directly call the CC attack verification module in the target host, or request the CC attack verification equipment or the traffic cleaning equipment to perform the verification.

For the CC attack processing method applied on the proxy side of the target host, if the first SYN packet sent by the CC attack end to the target host does not need to pass through the proxy, the embodiments can request a hook installed on the proxy side to intercept the first SYN packet sent by the CC attack end to the target host, receive the first SYN packet forwarded by the hook, and then send the second SYN packet to the CC attack end.
In some examples, after the CC attack end has sent the first SYN packet to the target host and receives no response packet within a preset period, it retransmits the first SYN packet after a delay. The retransmission interval and the number of retransmissions depend on the operating system of the CC attack end. For example, a Windows system retransmits 3 times: the first retransmission interval is 3 s (if no response packet arrives within 3 s of sending the first SYN packet, the first retransmission is made), the second is 6 s and the third is 12 s, after which the attempt times out and returns; the timeout is 21 s. A Linux system typically retransmits 5 times, at intervals of 2 s, 4 s, 8 s, 16 s and 32 s, after which the attempt times out; the timeout is 62 s. These are the figures the application quotes; the actual schedule depends on the OS version and its configuration (on Linux the number of SYN retransmissions is set by the sysctl net.ipv4.tcp_syn_retries), so a deployment should measure the real timeout of the stacks it faces rather than rely on these constants.
To exhaust the socket resources of the CC attack end, the CC attack end can be made to perform as many delayed retransmissions as possible. The CC attack processing method of the embodiment therefore starts a preset timer when the first SYN packet is received, the duration of the preset timer being less than or equal to the timeout within which the CC attack end retransmits the first SYN packet, and performs the step of sending the second SYN packet to the CC attack end after the preset timer expires. The bound matters: the second SYN packet only has an effect while the socket of the CC attack end is still in the SYN_SENT state, so it must arrive before the CC attack end abandons the connection attempt. The timeout within which the CC attack end retransmits the first SYN packet is determined by the operating system of the CC attack end and may be the 21 s or 62 s given above.

By starting the timer, the embodiment delays the sending of the second SYN packet, so that the CC attack end performs several delayed retransmissions of the first SYN packet while in SYN_SENT and consumes its own socket resources. For example, against a multi-threaded CC attack, delaying the second SYN packet with the timer maximises the delay of every connection and blocks all the threads, quickly reducing the rate at which the client sends the CC attack. Against a CC attack that uses asynchronous connections, delaying the second SYN packet slows down the establishment of each connection, so that a large number of the client's TCP resources are held in the SYN_SENT, SYN_RCVD and FIN_WAIT_1 states until they are exhausted.
Step 302: Receive the SYN/ACK packet sent by the CC attack end in response to the second SYN packet.

In the embodiment, once the SYN/ACK packet sent by the CC attack end is received, the CC attack end has been successfully induced into the SYN_RCVD state. The mechanism is TCP's simultaneous-open path (RFC 793): a socket in SYN_SENT that receives a SYN carrying no ACK moves to SYN_RCVD and answers with a SYN/ACK, so the CC attack end's own protocol stack treats the target host's second SYN packet as a peer opening a connection towards it. After the CC attack end closes its socket it passes through the FIN_WAIT_1, FIN_WAIT_2 and TIME_WAIT states in turn. The subsequent behaviour of the CC attack end is as if it were itself the target host: every connection request (packet) meant for the target host is bounced back onto itself, consuming its own socket resources.
Step 303: Discard and stop responding to any packet sent by the CC attack end, so that the CC attack sent by the CC attack end to the target host bounces back onto the CC attack end.

In the embodiment, after the first SYN/ACK packet sent by the CC attack end has been received, that is, after the CC attack end has been induced into SYN_RCVD, every packet sent by the CC attack end is discarded and no longer answered, in order to prolong as far as possible the time the CC attack end spends in each TCP state: no request from the CC attack end is answered and no data is returned. For example, if the first SYN packet sent by the CC attack end is received again, no SYN/ACK packet is returned; if the SYN/ACK packet sent by the CC attack end is received again, no ACK packet is returned either.
After the CC attack end has been induced to respond to the second SYN packet with a SYN/ACK packet and enter SYN_RCVD, it may close the socket to stop data returned by the target host from saturating its own bandwidth, or, having received no reply from the target host for a long time, close it on timeout. After closing the socket it enters the FIN_WAIT_1, FIN_WAIT_2 and TIME_WAIT states in turn. (Strictly, leaving FIN_WAIT_1 requires the peer to acknowledge the FIN; since the target host answers nothing, the socket may simply stay in FIN_WAIT_1 until the stack aborts it, which holds the resource just as well.) In these states the socket resources of the CC attack end remain occupied, and the packets the CC attack end sends to the target host all bounce back onto itself, consuming its own socket resources until it no longer has enough resources to send the CC attack. In this way the harm of the CC attack end to the target host is effectively defended against while the socket resources of the CC attack end are consumed, the CC attack launched by the CC attack end is effectively suppressed, the bandwidth consumption the CC attack would cause on the target host side is avoided, and the operating cost of the target host side is reduced.
Moreover, for a CC attack end launching a malicious high-frequency CC attack, the embodiment needs no resources of the target host or of its proxy side, bounces the packets the CC attack end sends to the target host back onto the CC attack end more efficiently, and so consumes the CC attack end's own socket resources faster.
It follows from the above embodiment that the CC attack sent by the CC attack end to the target host can be bounced back onto the CC attack end, provided that the CC attack end is induced to respond to the second SYN packet with a SYN/ACK packet and enter SYN_RCVD. In some application scenarios, however, the CC attack end (for instance a client running the attack software dossim) bypasses the protocol stack, forges packets and completes the three-way handshake required to establish the TCP link by itself; it cannot correctly respond to the second SYN packet of the above embodiment, and so will not be induced into SYN_RCVD. A CC attack launched by such a CC attack end can be recognised directly; see Fig. 4, a flowchart of another embodiment of the CC attack processing method of the application, comprising the following steps 401-404:
Step 401: After receiving the first SYN packet sent by the CC attack end to the target host, send the second SYN packet to the CC attack end.

This step may be implemented as step 301 of the above embodiment.

Step 402: Receive the response packet sent by the CC attack end.

In the embodiment, if the CC attack launched by the CC attack end does not bypass the protocol stack, the response packet is a SYN/ACK packet; if it bypasses the protocol stack, the response packet is a forged ACK packet.
Step 403: If the response packet is a SYN/ACK packet, stop responding to any packet sent by the CC attack end, so that the CC attack sent by the CC attack end to the target host bounces back onto the CC attack end.

Step 404: If the response packet is an ACK packet forged by the CC attack end, ask the traffic cleaning side to process the packets sent by the CC attack end.

In the embodiment, the forged ACK packet does not conform to the protocol standard of the protocol stack: it is what the CC attack end uses to complete the three-way handshake required to establish the TCP link. A conforming stack in SYN_SENT never answers a bare SYN with a bare ACK, so a bare ACK that acknowledges the second SYN packet reveals a user-space packet generator that took the second SYN packet for the server's SYN/ACK and emitted the third handshake segment.
The traffic cleaning side may be a traffic cleaning (scrubbing) device associated with the target host, or a traffic cleaning module in the target host. When the embodiment needs the traffic cleaning side to clean the packets sent by the CC attack end, the proxy side of the target host may therefore directly invoke the traffic cleaning module in the target host to clean the packets sent by the client, or send the packets sent by the CC attack end to the traffic cleaning device associated with the target host for cleaning.
In addition, to prevent the CC attack end from noticing that it has been recognised, when the response packet is an ACK packet forged by the CC attack end, the embodiment may send the CC attack end a forged packet that responds to the first SYN packet, completing a camouflage response.
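The decision of steps 402 to 404 and the camouflage response just described, as an added example written by the editor (not code from the patent): a minimal TCP header parser, a classifier that tells an induced SYN/ACK from a forged third-handshake ACK by the flags and acknowledgement number, and the construction of the disguised SYN/ACK that answers the attacker's first SYN. The sample segments are constructed inline; the ISNs 1000 and 9000, the ports, and the action names such as "forward-to-traffic-cleaning" are assumptions, not identifiers from the patent.

```python
# Added example (editor's illustration, not code from the patent): deciding from
# the raw TCP header of the attacker's answer to the second SYN whether the
# attacker's own stack was induced (steps 402-403) or a user-space packet
# generator is bypassing it (step 404), and building the camouflage reply.
# The segments below are constructed for the demonstration; ISNs, ports and the
# action names are assumptions, not identifiers from the patent.
import struct
from typing import Dict, Optional, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
TCP_HDR = "!HHIIHHHH"  # ports, seq, ack, offset/flags, window, checksum, urgent


def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int) -> bytes:
    """20-byte TCP header, no options, checksum left zero (offline example)."""
    return struct.pack(TCP_HDR, sport, dport, seq & 0xFFFFFFFF, ack & 0xFFFFFFFF,
                       (5 << 12) | flags, 65535, 0, 0)


def parse_tcp_header(data: bytes) -> Dict[str, int]:
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack(TCP_HDR, data[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "data_offset": (off_flags >> 12) * 4, "window": win}


def classify_response(hdr: Dict[str, int], our_isn: int) -> str:
    """Verdict on the segment that answers our second SYN (sequence number our_isn).

    induced : SYN/ACK acknowledging our SYN.  Only a real stack taking the
              simultaneous-open path produces this; from here on stay silent.
    spoofed : bare ACK acknowledging our SYN.  No conforming stack in SYN_SENT
              answers a SYN that way; the attacker's packet generator took our
              SYN for the server's SYN/ACK and emitted the third handshake
              segment.  Hand the source to traffic cleaning.
    reset   : RST, e.g. the attacker already abandoned the attempt.
    other   : anything not acknowledging our SYN (stray or unrelated traffic).
    """
    flags = hdr["flags"]
    if flags & RST:
        return "reset"
    if not (flags & ACK) or hdr["ack"] != (our_isn + 1) & 0xFFFFFFFF:
        return "other"
    return "induced" if flags & SYN else "spoofed"


ACTIONS = {"induced": "drop-and-stay-silent", "spoofed": "forward-to-traffic-cleaning",
           "reset": "release-state", "other": "ignore"}


def handle_response(raw: bytes, our_isn: int, their_isn: int,
                    our_port: int, their_port: int) -> Tuple[str, str, Optional[bytes]]:
    """Returns (verdict, action, segment to send or None).  For a spoofed ACK the
    segment is the camouflage SYN/ACK answering the attacker's first SYN (seq
    their_isn) so the attacker does not learn it has been recognised."""
    verdict = classify_response(parse_tcp_header(raw), our_isn)
    reply = None
    if verdict == "spoofed":
        reply = build_tcp_header(our_port, their_port, our_isn, their_isn + 1, SYN | ACK)
    return verdict, ACTIONS[verdict], reply


# Constructed sample traffic: our second SYN carried seq 9000; the attacker's
# first SYN carried seq 1000, from port 40000 to port 80.
SAMPLES = {
    "real stack, simultaneous open": build_tcp_header(40000, 80, 1000, 9001, SYN | ACK),
    "raw-socket tool, forged 3rd ACK": build_tcp_header(40000, 80, 1001, 9001, ACK),
    "attempt already abandoned": build_tcp_header(40000, 80, 0, 9001, RST | ACK),
    "unrelated ACK": build_tcp_header(40000, 80, 1001, 4242, ACK),
}


def run_samples() -> Dict[str, str]:
    """Verdict per sample; a deployment would key this per (src, sport) flow."""
    return {name: handle_response(raw, 9000, 1000, 80, 40000)[0] for name, raw in SAMPLES.items()}
```

Keying the verdict on the acknowledgement number, not only on the flags, is what keeps a stray ACK from unrelated traffic out of the "spoofed" bucket; the checksum is left zero because the example never puts a segment on the wire.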
To summarise the above embodiments: for a CC attack end that launches the CC attack through the protocol stack, the application bounces all the packets it sends to the target host back onto the CC attack end, consuming the CC attack end's own socket resources until it no longer has enough to send the CC attack; the harm of the CC attack end to the target host is therefore defended against while the socket resources of the CC attack end are consumed, which effectively suppresses the CC attack it launches. For a CC attack launched while bypassing the protocol stack, the application can clean the traffic directly, without the application layer having to judge the validity of the requests launched by the CC attack end, which greatly saves CPU resources of the target host.
Corresponding to the embodiments of the CC attack processing method, the application also provides embodiments of a CC attack processing apparatus.

The embodiments of the CC attack processing apparatus may be applied in a terminal. The apparatus embodiments may be implemented in software, in hardware, or in a combination of the two. Taking software as an example, the apparatus in the logical sense is formed by the processor of the terminal in which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. In terms of hardware, Fig. 5 is a hardware structure diagram of a terminal in which the CC attack processing apparatus of the application resides; besides the processor 510, network interface 520, memory 530 and non-volatile memory 540 shown in Fig. 5, the terminal in which the apparatus resides may generally include other hardware according to its actual functions, which is not repeated here.
Referring to Fig. 6, a block diagram of an embodiment of the CC attack processing apparatus of the application, the apparatus may comprise a packet sending module 610, a packet receiving module 620 and an attack processing module 630.

The packet sending module 610 is configured to send the second SYN packet to the CC attack end after the first SYN packet sent by the CC attack end to the target host has been received.

The packet receiving module 620 is configured to receive the SYN/ACK packet sent by the CC attack end in response to the second SYN packet.

The attack processing module 630 is configured to discard and stop responding to any packet sent by the CC attack end, so that the CC attack sent by the CC attack end to the target host bounces back onto the CC attack end.
In an optional implementation, the apparatus further comprises (not shown in Fig. 6):

a timing module, configured to start a preset timer when the first SYN packet is received, the duration of the preset timer being less than or equal to the timeout within which the CC attack end retransmits the first SYN packet;

and the packet sending module 610 is further configured to send the second SYN packet to the CC attack end after the preset timer of the timing module expires.
In another optional implementation, the apparatus further comprises (not shown in Fig. 6):

an attack verification request module, configured to ask the CC attack verification side to perform CC attack verification on a client after the first SYN packet sent by the client to the target host has been received;

a verification result receiving module, configured to receive the verification result returned by the CC attack verification side;

an attacker determination module, configured to determine that the client is a CC attack end when the verification result indicates that the client has not passed the CC attack verification;

and the packet sending module 610 is further configured to send the second SYN packet to the CC attack end after the attacker determination module has determined that the client is a CC attack end.
In another optional implementation, the apparatus further comprises (not shown in Fig. 6):

an interception request module, configured to ask a hook to intercept the first SYN packet sent by the CC attack end to the target host, the hook being installed on the proxy side of the target host;

an interception result receiving module, configured to receive the first SYN packet sent by the hook;

and the packet sending module 610 is further configured to send the second SYN packet to the CC attack end after the interception result receiving module has received the first SYN packet sent by the hook.
Referring to Fig. 7, a block diagram of another embodiment of the CC attack processing apparatus of the application, the apparatus may comprise a packet sending module 710, a response packet receiving module 720, an attack processing submodule 730 and a cleaning processing request module 740.

The packet sending module 710 is configured to send the second SYN packet to the CC attack end after the first SYN packet sent by the CC attack end to the target host has been received.

The response packet receiving module 720 is configured to receive the response packet sent by the CC attack end.

The attack processing submodule 730 is configured to stop responding to any packet sent by the CC attack end when the response packet is a SYN/ACK packet, so that the CC attack sent by the CC attack end to the target host bounces back onto the CC attack end.

The cleaning processing request module 740 is configured to ask the traffic cleaning side to process the packets sent by the CC attack end when the response packet is an ACK packet forged by the CC attack end.
In an optional implementation, the apparatus further comprises (not shown in Fig. 7):

a forged response module, configured to send the CC attack end a forged packet responding to the first SYN packet when the response packet is an ACK packet forged by the CC attack end.
For the functions and effects of the modules of the above apparatus, refer to the implementation of the corresponding steps of the above method; they are not repeated here.

Since the apparatus embodiments essentially correspond to the method embodiments, the relevant parts may be found in the description of the method embodiments. The apparatus embodiments described above are merely illustrative: the modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules, i.e. they may be located in one place or distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the application.
Those of ordinary skill in the art can understand and implement this without creative effort. Other embodiments of the application will readily occur to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. The application is intended to cover any variations, uses or adaptations of the application that follow its general principles and include such departures from the present disclosure as come within known or customary practice in the art. The specification and embodiments are to be regarded as exemplary only, with the true scope and spirit of the application indicated by the following claims.

It should be understood that the application is not limited to the precise structure described above and illustrated in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of the application is limited only by the appended claims.
Claims (13)

1. A CC attack processing method, characterised in that it comprises the following steps:
after receiving the first SYN packet sent by a CC attack end to a target host, sending a second SYN packet to the CC attack end;
receiving a SYN/ACK packet sent by the CC attack end in response to the second SYN packet;
discarding and stopping responding to any packet sent by the CC attack end, so that the CC attack sent by the CC attack end to the target host bounces back onto the CC attack end.

2. The method according to claim 1, characterised in that the method further comprises:
when the first SYN packet is received, starting a preset timer, the duration of the preset timer being less than or equal to the timeout within which the CC attack end retransmits the first SYN packet;
the step of sending the second SYN packet to the CC attack end being performed after the preset timer expires.

3. The method according to claim 1, characterised in that the method further comprises:
after receiving the first SYN packet sent by a client to the target host, asking a CC attack verification side to perform CC attack verification on the client;
receiving the verification result returned by the CC attack verification side;
if the verification result indicates that the client has not passed the CC attack verification, determining that the client is a CC attack end;
the step of sending the second SYN packet to the CC attack end being performed after the client has been determined to be a CC attack end.

4. The method according to claim 1, characterised in that the method further comprises:
asking a hook to intercept the first SYN packet sent by the CC attack end to the target host, the hook being installed on the proxy side of the target host;
receiving the first SYN packet sent by the hook;
the step of sending the second SYN packet to the CC attack end being performed after the first SYN packet sent by the hook has been received.

5. The method according to any one of claims 1 to 4, characterised in that, after the second SYN packet has been sent to the CC attack end, the method further comprises:
receiving a response packet sent by the CC attack end;
if the response packet is a SYN/ACK packet, stopping responding to any packet sent by the CC attack end, so that the CC attack sent by the CC attack end to the target host bounces back onto the CC attack end;
if the response packet is an ACK packet forged by the CC attack end, asking a traffic cleaning side to process the packets sent by the CC attack end.

6. The method according to claim 4, characterised in that, if the response packet is an ACK packet forged by the CC attack end, the method further comprises:
sending the CC attack end a forged packet responding to the first SYN packet.

7. A CC attack processing apparatus, characterised in that it comprises:
a packet sending module, configured to send a second SYN packet to a CC attack end after the first SYN packet sent by the CC attack end to a target host has been received;
a packet receiving module, configured to receive a SYN/ACK packet sent by the CC attack end in response to the second SYN packet;
an attack processing module, configured to discard and stop responding to any packet sent by the CC attack end, so that the CC attack sent by the CC attack end to the target host bounces back onto the CC attack end.

8. The apparatus according to claim 7, characterised in that the apparatus further comprises:
a timing module, configured to start a preset timer when the first SYN packet is received, the duration of the preset timer being less than or equal to the timeout within which the CC attack end retransmits the first SYN packet;
the packet sending module being further configured to send the second SYN packet to the CC attack end after the preset timer of the timing module expires.

9. The apparatus according to claim 7, characterised in that the apparatus further comprises:
an attack verification request module, configured to ask a CC attack verification side to perform CC attack verification on a client after the first SYN packet sent by the client to the target host has been received;
a verification result receiving module, configured to receive the verification result returned by the CC attack verification side;
an attacker determination module, configured to determine that the client is a CC attack end when the verification result indicates that the client has not passed the CC attack verification;
the packet sending module being further configured to send the second SYN packet to the CC attack end after the attacker determination module has determined that the client is a CC attack end.

10. The apparatus according to claim 7, characterised in that the apparatus further comprises:
an interception request module, configured to ask a hook to intercept the first SYN packet sent by the CC attack end to the target host, the hook being installed on the proxy side of the target host;
an interception result receiving module, configured to receive the first SYN packet sent by the hook;
the packet sending module being further configured to send the second SYN packet to the CC attack end after the interception result receiving module has received the first SYN packet sent by the hook.

11. The apparatus according to any one of claims 7 to 10, characterised in that the apparatus further comprises:
a response packet receiving module, configured to receive a response packet sent by the CC attack end;
an attack processing submodule, configured to stop responding to any packet sent by the CC attack end when the response packet is a SYN/ACK packet, so that the CC attack sent by the CC attack end to the target host bounces back onto the CC attack end;
a cleaning processing request module, configured to ask a traffic cleaning side to process the packets sent by the CC attack end when the response packet is an ACK packet forged by the CC attack end.

12. The apparatus according to claim 11, characterised in that the apparatus further comprises:
a forged response module, configured to send the CC attack end a forged packet responding to the first SYN packet when the response packet is an ACK packet forged by the CC attack end.

13. A terminal, characterised in that it comprises:
a processor;
a memory for storing instructions executable by the processor;
wherein the processor is configured to:
after receiving the first SYN packet sent by a CC attack end to a target host, send a second SYN packet to the CC attack end;
receive a SYN/ACK packet sent by the CC attack end in response to the second SYN packet;
discard and stop responding to any packet sent by the CC attack end, so that the CC attack sent by the CC attack end to the target host bounces back onto the CC attack end.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610586483.7A CN106131036B (en) | 2016-07-22 | 2016-07-22 | Processing method, device and the terminal of CC attack |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610586483.7A CN106131036B (en) | 2016-07-22 | 2016-07-22 | Processing method, device and the terminal of CC attack |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106131036A true CN106131036A (en) | 2016-11-16 |
| CN106131036B CN106131036B (en) | 2019-05-07 |
Family
ID=57290576
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610586483.7A Active CN106131036B (en) | 2016-07-22 | 2016-07-22 | Processing method, device and the terminal of CC attack |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106131036B (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110336815A (en) * | 2019-07-04 | 2019-10-15 | 深圳前海微众银行股份有限公司 | Block chain-based attack defense method, device, equipment and readable storage medium |
| CN111431942A (en) * | 2020-06-10 | 2020-07-17 | 杭州圆石网络安全技术有限公司 | CC attack detection method and device and network equipment |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20040153669A1 (en) * | 2002-07-18 | 2004-08-05 | Yong Yang | Method for preventing transmission control protocol synchronous package flood attack |
| CN1630248A (en) * | 2003-12-19 | 2005-06-22 | 北京航空航天大学 | SYN flooding attack defense method based on connection request verification |
| CN101175013A (en) * | 2006-11-03 | 2008-05-07 | 飞塔信息科技(北京)有限公司 | A denial of service attack protection method, network system and proxy server |
| CN102413105A (en) * | 2010-09-25 | 2012-04-11 | 杭州华三通信技术有限公司 | Method and device for preventing CC attack |
| US20140283000A1 (en) * | 2013-03-14 | 2014-09-18 | Cisco Technology, Inc. | Proxy that Switches from Light-Weight Monitor Mode to Full Proxy |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106131036B (en) | 2019-05-07 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101390064B (en) | Preventing Network Reset Denial of Service Attacks Using Embedded Authentication Information | |
| CN109639712B (en) | Method and system for preventing DDOS attack | |
| CN101175013B (en) | Refused service attack protection method, network system and proxy server | |
| AU2004217318B2 (en) | Using TCP to authenticate IP source addresses | |
| CN105827646B (en) | SYN attack protection method and device | |
| KR100431231B1 (en) | Method and system for defeating tcp syn flooding attacks | |
| US7990866B2 (en) | Server device, method for controlling a server device, and method for establishing a connection using the server device | |
| US20120227088A1 (en) | Method for authenticating communication traffic, communication system and protective apparatus | |
| CN110266678B (en) | Security attack detection method and device, computer equipment and storage medium | |
| CN111800401B (en) | Service message protection method, device, system and computer equipment | |
| CN110198293A (en) | Attack guarding method, device, storage medium and the electronic device of server | |
| CN101771695A (en) | Transmission control protocol (TCP) connection processing method and system and synchronization (SYN) agent equipment | |
| CN109005194A (en) | Portless shadow communication means and computer storage medium based on KCP agreement | |
| CN101247261A (en) | Method and apparatus for preventing DDos attack | |
| CN104618404A (en) | Processing method, device and system for preventing network attack to Web server | |
| EP2176989B1 (en) | Method of preventing tcp-based denial-of-service attacks on mobile devices | |
| US11689564B2 (en) | Method and apparatus for processing data in cleaning device | |
| CN106453373A (en) | Efficient SYN Flood attack identification and disposal method | |
| CN109246057A (en) | Message forwarding method, device, repeater system, storage medium and electronic equipment | |
| CN105610852A (en) | Method and device for processing ACK (Acknowledgement) flooding attack | |
| EP1154610A2 (en) | Methods and system for defeating TCP Syn flooding attacks | |
| CN106131036A (en) | Processing method, device and the terminal that CC attacks | |
| CN106131039A (en) | The processing method and processing device of SYN flood attack | |
| Saini et al. | Evaluating the stream control transmission protocol using uppaal | |
| US20130055349A1 (en) | Method and apparatus for releasing tcp connections in defense against distributed denial of service attacks |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |