CN100420197C - A Method for Realizing Attack Defense of Network Equipment - Google Patents

Info

Publication number
CN100420197C
Authority
CN
China
Prior art keywords
message
connection
user
connections
source
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
CNB200410044215XA
Other languages
Chinese (zh)
Other versions
CN1697397A (en)
Inventor
朱克楚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CNB200410044215XA
Publication of CN1697397A
Application granted
Publication of CN100420197C
Anticipated expiration
Expired - Lifetime

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method for realizing attack defense of network equipment. When the network equipment receives a packet, it looks up the corresponding connection table entry according to the relevant information in the packet. If a connection table entry is found, it forwards the packet according to the corresponding forwarding table entry. Otherwise, it uses the source IP address in the packet to obtain the number of connections already established by the user who sent the packet and determines whether that number is less than a predetermined value. If so, it creates a connection table entry and a forwarding table entry for the user, performs service processing, and updates the number of connections stored in the statistics table for that source IP address; otherwise it discards the packet. The invention prevents attacks by limiting the number of connections of the same user, and discards the user's new connection packets when that user's number of connections exceeds the specified value. This ensures that system resources are not exhausted under a network storm attack and that normal services can still be provided, thereby improving the system's ability to defend against attacks.

Description

A Method for Realizing Attack Defense of Network Equipment

Technical field

The invention relates to network technology, and in particular to a method for realizing attack defense of network equipment.

Background

In recent years network applications have spread rapidly, and the rapid development of networks has left behind a large number of system and protocol vulnerabilities. While enjoying the convenience that networks bring, users also face the threats they bring. The following are some common attack methods and their principles:

TCP SYN Flood: When a user makes a standard Transmission Control Protocol (TCP) connection, there is a three-way handshake. First, the party requesting service sends a synchronization message. After receiving it, the server sends a synchronization acknowledgment message back to the requester. When the requester receives the synchronization acknowledgment, it sends a receipt acknowledgment message to the server, and the TCP connection is established. A TCP SYN flood works by carrying out only the first two steps: after the requester receives the server's synchronization acknowledgment, it stops sending the receipt acknowledgment, and the server remains for a certain time in the state of waiting for it. The number of TCP connections available on a given server is limited. If a malicious attacker sends such connection requests in rapid succession, the server's queue of available TCP connections is quickly blocked, available system resources drop sharply, and available network bandwidth shrinks rapidly. If this continues, the network can no longer provide normal service to users.

UDP Flood: Because the User Datagram Protocol (UDP) is widely used in networks, there are many kinds of UDP-based attacks. The devices that provide services such as web browsing and e-mail on the Internet today are usually Unix servers, which by default enable some UDP services that can be maliciously exploited, such as the echo and chargen services. The echo service displays every data packet it receives, and the chargen service, originally a test function, replies with some random characters for every data packet it receives. If a malicious attacker points these two UDP services at each other, the available network bandwidth is quickly exhausted.

Two methods are commonly used to guard against TCP SYN Flood attacks. The first is to shorten the server's wait-before-deletion time (SYN Timeout). The effect of a SYN Flood attack depends on the number of half-open connections held on the server, which equals attack frequency × SYN Timeout. Shortening the time from receiving a synchronization packet to deciding that the packet is invalid and discarding the connection, for example to under 20 seconds (too low a SYN Timeout may affect normal client access), therefore reduces the server load by a multiple. The second method is to set a SYN Cookie: a cookie is assigned to every IP address that requests a connection, and if repeated SYN packets are received from one IP within a short time, this is deemed an attack and all later packets from that IP address are dropped.

The following methods are commonly used to guard against UDP Flood attacks. The first is to close UDP ports that are not in use and not provide the Echo and Chargen services, enabling them by command only when they are needed. The second is traffic control: traffic is limited to a set range, and once that range is exceeded all newly arriving packets are dropped, which keeps the system's other services working normally.

In addition, firewalls can be used to protect network security. When the network is built, a firewall is placed between the network devices, and the firewall defines what counts as a legitimate connection and blocks intrusion by illegitimate users. Based on these predefined rules, the firewall can identify the attack methods used and keep the attack packets out. Many commercial firewalls can be configured to flag signs of an attack promptly. Detailed firewall records can be provided to the equipment management department; the more detailed the information, the faster they can filter the packets and keep the attack packets out of the network. This information also helps in tracing the attacker.

Although the above methods provide some protection against attacks, they have the following disadvantages:

The two methods for TCP SYN Flood can only cope with relatively primitive SYN Flood attacks. Shortening the SYN Timeout is effective only when the attack frequency is low, and works poorly when the attack frequency is high.

Closing the relevant UDP ports to guard against UDP Flood attacks also blocks the normal functions those ports provide. Traffic control only ensures that the system does not crash under abnormal conditions: once the configured traffic limit is exceeded, the system drops many normal packets at the same time, which may cause unpredictable problems.

A firewall can effectively prevent various attacks, but it requires the operator to purchase additional firewalls when building the network, which increases cost and network complexity.

Summary of the invention

The purpose of the invention is to provide a method for realizing attack defense of network equipment, to solve the problems that existing attack-defense methods defend poorly and affect normal services.

The technical solution of the invention:

A method for realizing attack defense of network equipment, in which the network equipment performs the following steps when it receives a packet:

A. Look up the corresponding connection table entry according to the relevant information in the packet. If a connection table entry is found, forward the packet according to the corresponding forwarding table entry; otherwise go to step B.

B. Obtain, at least according to the source IP address in the packet, the number of connections already established by the user who sent the packet.

C. Determine whether the number of connections is less than a predetermined value. If so, create a connection table entry and a forwarding table entry for the user, perform service processing, and update the number of connections stored in the statistics table for that source IP address; otherwise discard the packet.

Where:

If the user disconnects an established connection, the number of connections stored in the statistics table for the source IP address is updated.

The relevant information is five-tuple information that uniquely identifies a connection.

The packet is a Transmission Control Protocol (TCP) packet or a User Datagram Protocol (UDP) packet, and the connection is a TCP or UDP connection.

By limiting the connection packets of the same user, the invention effectively prevents attacks, strengthens the network equipment's ability to guard against attacks, resists attacks from the network, ensures that the equipment can still provide normal services while under attack, and maintains network order.

Description of drawings

Fig. 1 is a flowchart of the invention.

Detailed description

The invention prevents TCP SYN Flood and UDP Flood attacks by limiting the number of Transmission Control Protocol/User Datagram Protocol (TCP/UDP) connections of each user.

In a network storm (SYN Flood) attack, the attacker sends a large number of first packets (SYN) to the server. For each one it receives, the server sends a first-packet response (SYN ACK), creates a half-open TCP connection, and then waits for the ACK reply from the client side. The attacker never sends the ACK the server is waiting for, so the server fills up with half-open connections. Because the server keeps sending SYN ACK responses that receive no reply, it becomes abnormally busy, normal connection requests are hard to process, and normal service is eventually interrupted.

TCP is connection-oriented while UDP is connectionless, but a switching/routing device still has to allocate resources for a client after receiving that client's UDP packet. A large number of first and second UDP packets with no packets following them therefore occupy a large amount of resources.

Network equipment behaves abnormally under TCP SYN Flood and UDP Flood attacks because there are too many TCP/UDP connections in the system, occupying too many system resources. The system therefore restricts each user to a certain number of TCP/UDP connections. Once the number of connections used by a user is found to exceed the predetermined value, the system prohibits new connections; a new connection can be established only after a connection the user already holds is disconnected. This limits the number of TCP/UDP connections in the system to some extent. The predetermined value is set to twice the number of connections a user makes during normal Internet use.

A connection is determined by a five-tuple: source IP address, destination IP address, source port number, destination port number, and protocol type. A user visiting different websites may need to establish different connections on the network equipment, and even different content on the same website may require different connections. Although the destination IP addresses, destination port numbers, and protocol types of these connections may differ, the source IP address is the same. A statistics table (IP_CON) is therefore established; its entries record the number of connections each user in the system has established, indexed by the user's source IP address.

When a user creates a new connection or disconnects an established one, the user's connection count in the statistics table is updated.

Referring to Fig. 1, packets are processed as follows:

Step 10: The network equipment receives a packet.

Step 20: Using the five-tuple information in the packet that identifies a unique connection, determine whether an established connection table entry exists for the user. If so, go to step 30; otherwise go to step 40.

The five-tuple information comprises the source IP address, source port number, destination IP address, destination port number, and protocol type; the source and destination port numbers may also be the source and destination MAC addresses.

Step 30: Forward the received packet according to the forwarding table entry corresponding to the connection table entry.

Because the connection table entry was found, similar packets have been forwarded before, so the forwarding table entry for this connection can be found and the packet is processed and forwarded directly.

Step 40: Obtain the number of connections the user has established, according to the source IP address in the packet.

No connection table entry was found for this connection, so it is a new TCP or UDP connection. The network equipment sends the packet to the control platform for processing, and the control platform's processing module checks how many connections the user already has.

Step 50: Determine whether the number of connections the user has established exceeds the predetermined value. If so, go to step 60; otherwise go to step 70.

Step 60: Discard the received packet and end processing of it.

Step 70: Create the corresponding connection table entry and forwarding table entry for the connection. After the entries are created successfully, look up the IP_CON table by the user's source IP address. If a matching entry is found, update its count of established connections; otherwise create a new entry for the user and set its connection count to 1.

Once the connection table entry and forwarding table entry are created, subsequent packets on the connection are processed directly according to those entries.

The invention prevents attacks by limiting the number of connections of the same user, and discards the user's new connection packets when that user's number of connections exceeds the specified value. This ensures that system resources are not exhausted under a network storm attack and that normal services can still be provided, thereby improving the system's ability to defend against attacks.
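
The packet-handling flow of steps 10 to 70, sketched in Python as an added example (it is not code from the patent or from any vendor's product). The class and function names, the forwarding-entry placeholder and the sample addresses are assumptions made for illustration.

```python
from collections import namedtuple

# Five-tuple that uniquely identifies a connection (step 20).
FiveTuple = namedtuple("FiveTuple", "src_ip src_port dst_ip dst_port proto")

FORWARD, ESTABLISH, DROP = "forward", "establish", "drop"


class ConnectionLimiter:
    """Connection table plus IP_CON statistics table (names are hypothetical)."""

    def __init__(self, normal_conns_per_user):
        # The page sets the predetermined value to twice a user's normal count.
        self.limit = 2 * normal_conns_per_user
        self.conn_table = {}  # five-tuple -> forwarding entry
        self.ip_con = {}      # IP_CON: source IP -> established connections

    def receive(self, ft):
        # Steps 20/30: a known five-tuple is forwarded without touching IP_CON.
        if ft in self.conn_table:
            return FORWARD
        # Step 40: new connection, look up the sender's current count.
        count = self.ip_con.get(ft.src_ip, 0)
        # Steps 50/60: establish only while the count is less than the
        # predetermined value (the comparison used in step C); otherwise drop.
        if count >= self.limit:
            return DROP
        # Step 70: create the entries, then create or update the IP_CON entry.
        self.conn_table[ft] = {"next_hop": ft.dst_ip}  # placeholder entry
        self.ip_con[ft.src_ip] = count + 1
        return ESTABLISH

    def disconnect(self, ft):
        # Disconnecting an established connection updates the user's count.
        if self.conn_table.pop(ft, None) is None:
            return False
        remaining = self.ip_con[ft.src_ip] - 1
        if remaining:
            self.ip_con[ft.src_ip] = remaining
        else:
            del self.ip_con[ft.src_ip]  # keep IP_CON free of idle users
        return True


def run_demo():
    # Constructed traffic; all addresses are documentation ranges.
    limiter = ConnectionLimiter(normal_conns_per_user=4)  # limit = 8
    heavy, user, server = "198.51.100.7", "192.0.2.10", "203.0.113.5"

    # One source opens 100 new connections from 100 different source ports.
    burst = [limiter.receive(FiveTuple(heavy, 1024 + i, server, 80, "tcp"))
             for i in range(100)]

    # A different user is unaffected; the second packet hits the conn table.
    flow = FiveTuple(user, 40000, server, 80, "tcp")
    first, second = limiter.receive(flow), limiter.receive(flow)

    # Connections the heavy source already holds keep being forwarded.
    held = FiveTuple(heavy, 1024, server, 80, "tcp")
    existing = limiter.receive(held)

    # Releasing one connection frees one slot for that source.
    limiter.disconnect(held)
    retry = limiter.receive(FiveTuple(heavy, 5000, server, 80, "tcp"))

    return {
        "established": burst.count(ESTABLISH),
        "dropped": burst.count(DROP),
        "user": (first, second),
        "existing": existing,
        "retry": retry,
        "heavy_count": limiter.ip_con[heavy],
        "table_size": len(limiter.conn_table),
    }


if __name__ == "__main__":
    print(run_demo())
```

The counter is keyed on source IP only, so it bounds connection state per address; the overall size of the connection table still needs its own cap when traffic arrives from many source addresses.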

Claims (6)

1. A method for realizing attack defense of network equipment, characterized in that the network equipment performs the following steps when it receives a packet:
A. Look up the corresponding connection table entry according to the relevant information in the packet; if a connection table entry is found, forward the packet according to the corresponding forwarding table entry; otherwise go to step B;
B. Obtain, according to the source IP address in the packet, the number of connections already established by the user who sent the packet;
C. Determine whether the number of connections is less than a predetermined value; if so, create a connection table entry and a forwarding table entry for the user, perform service processing, and update the number of connections stored in the statistics table for that source IP address; otherwise discard the packet.
2. The method of claim 1, characterized in that if the user disconnects an established connection, the number of connections stored in the statistics table for the source IP address is updated.
3. The method of claim 1, characterized in that the relevant information is five-tuple information that uniquely identifies a connection.
4. The method of claim 3, characterized in that the five-tuple information comprises the source IP address, destination IP address, source port number, destination port number and protocol type.
5. The method of claim 1, characterized in that the predetermined value is set to twice the number of connections a user makes during normal Internet use.
6. The method of any one of claims 1 to 5, characterized in that the packet is a Transmission Control Protocol (TCP) packet or a User Datagram Protocol (UDP) packet, and the connection is a TCP connection or a UDP connection.
CNB200410044215XA 2004-05-13 2004-05-13 A Method for Realizing Attack Defense of Network Equipment Expired - Lifetime CN100420197C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB200410044215XA CN100420197C (en) 2004-05-13 2004-05-13 A Method for Realizing Attack Defense of Network Equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB200410044215XA CN100420197C (en) 2004-05-13 2004-05-13 A Method for Realizing Attack Defense of Network Equipment

Publications (2)

Publication Number Publication Date
CN1697397A CN1697397A (en) 2005-11-16
CN100420197C true CN100420197C (en) 2008-09-17

Family

ID=35349933

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB200410044215XA Expired - Lifetime CN100420197C (en) 2004-05-13 2004-05-13 A Method for Realizing Attack Defense of Network Equipment

Country Status (1)

Country Link
CN (1) CN100420197C (en)

Families Citing this family (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100454839C (en) * 2005-11-24 2009-01-21 华为技术有限公司 A device and method for user-based attack defense
CN101202742B (en) * 2006-12-13 2011-10-26 中兴通讯股份有限公司 Method and system for preventing refusal service attack
CN101001249A (en) * 2006-12-31 2007-07-18 华为技术有限公司 Method and device for preventing IGMP message attack
CN101022458B (en) * 2007-03-23 2010-10-13 杭州华三通信技术有限公司 Conversation control method and control device
CN101034975B (en) * 2007-04-05 2010-05-26 华为技术有限公司 Method and device for preventing small packet attack
CN100583835C (en) * 2007-06-28 2010-01-20 华为技术有限公司 Message forwarding method and network device
CN101355419B (en) * 2008-08-22 2011-01-05 成都市华为赛门铁克科技有限公司 Method and apparatus for avoiding network attack
CN101854333B (en) * 2009-03-30 2013-06-05 华为技术有限公司 Method and device for detecting incomplete session attack
CN101969637A (en) * 2009-07-28 2011-02-09 华为技术有限公司 Network connection management method and related device
CN102045331B (en) * 2009-10-22 2014-01-22 成都市华为赛门铁克科技有限公司 Method, device and system for processing inquiry request message
CN101743966B (en) * 2009-12-29 2012-10-31 华南农业大学 Insecticide mixed with tea saponin and acaricide
CN101800707B (en) * 2010-04-22 2011-12-28 华为技术有限公司 Method for establishing stream forwarding list item and data communication equipment
CN103685329B (en) * 2012-08-30 2017-11-21 华耀(中国)科技有限公司 Advanced access control system and method based on load balancing
CN102882894A (en) * 2012-10-30 2013-01-16 杭州迪普科技有限公司 Method and device for identifying attack
CN103384221A (en) * 2013-06-26 2013-11-06 汉柏科技有限公司 Method for optimizing service precedence message fast forwarding
CN104363176A (en) * 2014-10-24 2015-02-18 杭州华三通信技术有限公司 Message control method and equipment
CN104601542A (en) * 2014-12-05 2015-05-06 国云科技股份有限公司 A DDOS active protection method suitable for virtual machines
CN104580225B (en) * 2015-01-14 2017-11-03 南京烽火星空通信发展有限公司 A kind of cloud platform security protection encryption device and method
CN110071939B (en) * 2019-05-05 2021-06-29 江苏亨通工控安全研究院有限公司 Improvement method for SYN FLOOD protection of traditional DDOS firewall in industrial network

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1998034384A1 (en) * 1997-01-30 1998-08-06 At & T Corp. Communications protocol with improved security
CN1152517C (en) * 2002-04-23 2004-06-02 华为技术有限公司 Method of guarding network attack
US20040054924A1 (en) * 2002-09-03 2004-03-18 Chuah Mooi Choo Methods and devices for providing distributed, adaptive IP filtering against distributed denial of service attacks
CN1265598C (en) * 2002-10-25 2006-07-19 英特尔公司 Dynamic network security device and method for network processor

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
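A policy-system-based defense mechanism against SYN Flooding attacks. 仇小锋, 陈鸣, 蒋序平. 电信科学. 2004 *
Overall design of a network security detection and monitoring system. 孙修善. 信息技术, Vol. 27, No. 11. 2003 *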

Also Published As

Publication number Publication date
CN1697397A (en) 2005-11-16

Similar Documents

Publication Publication Date Title
CN100420197C (en) A Method for Realizing Attack Defense of Network Equipment
US6973040B1 (en) Method of maintaining lists of network characteristics
Kargl et al. Protecting web servers from distributed denial of service attacks
US6816910B1 (en) Method and apparatus for limiting network connection resources
US7246376B2 (en) Method and apparatus for security management in a networked environment
CN101175013B (en) Refused service attack protection method, network system and proxy server
CN101589595B (en) Pinning mechanism for potentially contaminated end systems
US7478429B2 (en) Network overload detection and mitigation system and method
US8650631B2 (en) Server protection from distributed denial of service attacks
CN101834875B (en) Method, device and system for defending DDoS (Distributed Denial of Service) attacks
CN108173812B (en) Method, device, storage medium and equipment for preventing network attack
CN100589489C (en) Defense method and device for DDOS attack on web server
US20010042200A1 (en) Methods and systems for defeating TCP SYN flooding attacks
US20050060535A1 (en) Methods and apparatus for monitoring local network traffic on local network segments and resolving detected security and network management problems occurring on those segments
US20040236966A1 (en) Queuing methods for mitigation of packet spoofing
US7930740B2 (en) System and method for detection and mitigation of distributed denial of service attacks
CN105827646A (en) SYN attack protecting method and device
JP2004507978A (en) System and method for countering denial of service attacks on network nodes
JP2005073272A (en) Method and apparatus for defending against distributed denial-of-service attack due to tcp stateless hog on tcp server
Arafat et al. A practical approach and mitigation techniques on application layer DDoS attack in web server
WO2016177131A1 (en) Method, apparatus, and system for preventing dos attacks
CN106487807A (en) A kind of means of defence of domain name mapping and device
CN106487790B (en) A cleaning method and system for ACK FLOOD attack
Nagai et al. Design and implementation of an openflow-based tcp syn flood mitigation
Boppana et al. Analyzing the vulnerabilities introduced by ddos mitigation techniques for software-defined networks

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term

Granted publication date: 20080917
