CN112235329A - Method, device and network equipment for identifying authenticity of SYN message - Google Patents
- Publication number
- CN112235329A (application number CN202011494385.3A)
- Authority
- CN
- China
- Prior art keywords
- syn
- source
- message
- ttl
- value
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/126—Applying verification of the received information the source of the received data
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention provides a method, a device and a network device for identifying the authenticity of a SYN message, based on the following principle: when the firewall performs SYN Reset authentication, it records the TTL of the SYN message in the Cookie. When the firewall receives the Reset message, it compares the TTL recovered from the Cookie with the TTL of the Reset message to decide whether the Reset message and the earlier SYN message were sent by the same sender. If the TTL check fails, the Reset message and the earlier SYN message are judged not to have come from the same sender, and the source IP is treated as having failed SYN Reset authentication. The method greatly reduces the probability that an attacker can bypass the firewall's SYN Reset authentication by forging a real, active Internet IP as the source address, and improves the accuracy with which the firewall identifies forged source IPs.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a method, a device and network equipment for identifying the authenticity of a SYN message.
Background
Abbreviations and key term definitions:
TCP (Transmission Control Protocol) is a transport protocol designed to provide a reliable end-to-end byte stream over an unreliable internetwork. A TCP connection is established by a three-way handshake (three messages: SYN, SYN-ACK and ACK); data can be sent only after the connection has been established.
A firewall here refers to a class of network security device that detects, alarms on and protects against network attacks. It is generally deployed at the entrance of an IDC machine room, inspects incoming traffic in real time, promptly identifies abnormal traffic including DDoS attacks, scrubs the attack traffic without affecting normal service, and ensures that the servers in the machine room are not attacked and that services run normally and stably.
TTL (Time To Live) is the maximum number of hops an IP packet may be forwarded before a router discards it. The initial value is set by the sender and is usually 64, 128 or 255, differing between operating systems; each router that forwards the packet decrements the TTL by 1. If the TTL reaches 0 before the packet arrives at the destination IP, the packet is discarded. The number of hops a packet has travelled from its source can therefore be estimated from the TTL it carries: if a received packet has a TTL of 230, it has passed through 25 hops between the source device and the receiving device (assuming an initial TTL of 255).
Background of the invention:
SYN Flood attacks are also known as half-open connection attacks. Every standard TCP connection goes through the three-way handshake, whereas a SYN Flood performs only the first two steps, so the server is left waiting for the requester's ACK message for some time. Because the number of TCP connections a server can hold is limited, if an attacker forges a large number of source IP addresses and sends such connection requests rapidly and continuously, the server's queue of available TCP connections fills up quickly, system resources and available bandwidth drop sharply, and normal network services can no longer be provided, causing a denial of service.
The core technique for defending against SYN Flood attacks is to identify and intercept the SYN messages forged by the attacker while identifying and passing the SYN messages of real clients.
In the prior art, a bypass-type (out-of-path) firewall usually uses SYN Reset authentication to identify forged SYN messages.
When a client sends a SYN message to create a TCP connection, the firewall first intercepts it and, impersonating the server, responds to the client with a SYN-ACK message whose acknowledgement number (ACK number) is not generated according to the protocol specification but is a Cookie value computed by a specific algorithm; this value differs from the value the client expects.
When a normally requesting client receives this SYN-ACK message, it finds that the acknowledgement number is inconsistent with the value it expects and responds to the server with a Reset message whose sequence number is the Cookie, terminating the connection. The firewall obtains the Cookie from the Reset message and verifies it against the Cookie it recorded earlier; if the verification passes, the Reset message is considered authentic and so is the connection, the client IP is added to the device whitelist, and subsequent messages from that client IP pass directly. The principle is shown in figure 1.
An attacker who forges the source IP cannot receive the SYN-ACK message sent by the firewall and therefore cannot reply with a Reset message carrying the correct Cookie value, so the attacker cannot pass SYN Reset authentication and cannot establish a connection with the server to mount the attack. The principle is shown in figure 2.
However, when an attacker sends SYN messages to the firewall with a large number of forged source IPs, some of those IP addresses may belong to devices that really exist and are online on the Internet. When such a device receives the SYN-ACK message sent by the firewall, whose acknowledgement number is a Cookie generated by the special algorithm, its protocol stack responds to the firewall with a Reset message carrying the correct Cookie value. That Reset passes the firewall's SYN Reset authentication, the firewall adds the IP address to its whitelist, and messages the attacker subsequently forges with that IP as the source address pass through the firewall.
Disclosure of Invention
The invention provides a method, a device and a network device for identifying the authenticity of a SYN message, to solve the following problem: when an attacker forges a real, active Internet IP as the source address and sends a SYN message to the firewall, the device that actually holds that IP address responds with the Reset message and thereby bypasses the firewall's SYN Reset authentication.
The first aspect of the invention provides a method for identifying the authenticity of a SYN message, applied in the SYN Reset authentication process of a firewall, comprising the following steps:
S1: the firewall receives a SYN request from an unmarked source IP and extracts and records routing and port information from the SYN message; the routing and port information comprises at least a first TTL value, the source IP and the source port;
S2: a Cookie is generated, comprising at least the first TTL value and check-bit information, the check-bit information being generated by a preset algorithm;
S3: the firewall responds to the source IP and source port of the SYN message with a SYN-ACK message whose acknowledgement number is the Cookie generated in step S2;
S4: the firewall receives the Reset message from the source IP and extracts from it at least the sequence number (whose content is the Cookie), the source IP and a second TTL value; if the first TTL value contained in the sequence number is consistent with the second TTL value, and the check-bit information contained in the sequence number is verified as legal by the preset algorithm, the source IP is judged to pass SYN Reset authentication; otherwise the source IP is judged not to pass SYN Reset authentication.
Further, an unmarked source IP is a source IP that is in neither the firewall blacklist nor the firewall whitelist.
Optionally, in step S2 the generated Cookie is 32 bits long, the upper 8 bits being the first TTL value and the lower 24 bits the check bits.
Optionally, in step S2 the generated Cookie is 32 bits long, the upper 6 bits being the first TTL value, where the first TTL value is the packet's actual hop count converted from the original TTL value; the remaining 26 bits of the Cookie are check bits.
Further, the rule for converting the original TTL value into the packet's actual hop count is:
1) if the value TTL1 of the original TTL field is less than 64, the actual hop count of the packet is 64 - TTL1;
2) if the value TTL2 of the original TTL field is greater than or equal to 64 and less than 128, the actual hop count of the packet is 128 - TTL2;
3) if the value TTL3 of the original TTL field is greater than or equal to 128 and less than or equal to 255, the actual hop count of the packet is 255 - TTL3.
Further, in steps S2 and S4, computing the check-bit information by the preset algorithm specifically comprises: performing a computation over all or some of the secret key, the source IP, the source port and/or the timestamp, and taking all or some of the bits of the result as the check-bit information.
Further, the method also comprises:
S5: if the source IP passes SYN Reset authentication, it is added to the whitelist and its subsequent messages pass through the firewall; if the source IP is judged not to pass SYN Reset authentication, it is added to the blacklist and its subsequent messages cannot pass through the firewall.
A second aspect of the present invention provides an apparatus for identifying authenticity of a SYN message, configured in a firewall to perform authentication of authenticity of the SYN message in a SYN Reset authentication process, including:
an information extraction module, for extracting and recording routing and port information from the SYN message of an unmarked source IP received by the firewall, the routing and port information comprising at least a first TTL value, the source IP and the source port;
a Cookie generation module, for generating a Cookie comprising at least the first TTL value and check-bit information, the check-bit information being generated by a preset algorithm;
a message sending module, for responding to the source IP and source port of the SYN message with a SYN-ACK message whose acknowledgement number is the Cookie generated by the Cookie generation module;
and an identification and judgment module, for extracting at least the sequence number (whose content is the Cookie), the source IP and a second TTL value from the Reset message of the source IP received by the firewall, and performing the following judgment: if the first TTL value contained in the sequence number is consistent with the second TTL value, and the check-bit information contained in the sequence number is verified as legal by the preset algorithm, the source IP is judged to pass SYN Reset authentication; otherwise the source IP is judged not to pass SYN Reset authentication.
Further, an unmarked source IP is a source IP that is in neither the firewall blacklist nor the firewall whitelist.
Optionally, the Cookie generated by the Cookie generation module is 32 bits long, the upper 8 bits being the first TTL value and the lower 24 bits the check bits.
Optionally, the Cookie generated by the Cookie generation module is 32 bits long, the upper 6 bits being the first TTL value, where the first TTL value is the packet's actual hop count converted from the original TTL value; the remaining 26 bits of the Cookie are check bits.
Further, the rule by which the Cookie generation module converts the original TTL value into the packet's actual hop count is:
1) if the value TTL1 of the original TTL field is less than 64, the actual hop count of the packet is stored as 64 - TTL1;
2) if the value TTL2 of the original TTL field is greater than or equal to 64 and less than 128, the actual hop count of the packet is stored as 128 - TTL2;
3) if the value TTL3 of the original TTL field is greater than or equal to 128 and less than or equal to 255, the actual hop count of the packet is stored as 255 - TTL3.
Further, the computation of the check-bit information by the Cookie generation module and the identification and judgment module according to the preset algorithm specifically comprises: performing a computation over all or some of the secret key, the source IP, the source port and/or the timestamp, and taking all or some of the bits of the result as the check-bit information.
Further, the identification and judgment module is also configured to add a source IP judged to pass SYN Reset authentication to the firewall whitelist, and to add a source IP judged not to pass SYN Reset authentication to the firewall blacklist.
A third aspect of the invention provides a network device comprising a readable storage medium and a processor;
wherein the readable storage medium is configured to store machine executable instructions;
the processor is configured to read the machine executable instructions on the readable storage medium and execute the instructions to implement the method according to the first aspect of the present invention.
The invention has the beneficial technical effects that:
Because the actual path from the attacker to the firewall differs from the path from the device holding the forged source IP to the firewall, the TTL of a message sent by the attacker on arrival at the firewall is, with high probability, different from the TTL of a message sent by the real device holding the forged source IP. By carrying TTL information in the Cookie and comparing the TTL values of the SYN and Reset messages, the invention identifies most SYN messages that forge a real, active IP as the source IP. Compared with the prior art, the method and device greatly reduce the probability that an attacker can bypass the firewall's SYN Reset authentication by forging a real, active Internet IP, and improve the accuracy with which the firewall identifies forged source IPs.
Drawings
Fig. 1 is a schematic diagram illustrating a firewall recognizing a normal requesting client by using SYN Reset authentication in the prior art.
Fig. 2 is a schematic diagram illustrating a firewall recognizing and blocking a forged source IP by using SYN Reset authentication in the prior art.
Fig. 3 is a flowchart illustrating an embodiment of a method for identifying the authenticity of a SYN packet according to the present invention.
Fig. 4 is a schematic block diagram of an apparatus for identifying the authenticity of a SYN message according to an embodiment of the present invention.
Fig. 5 is a schematic diagram of a hardware structure of an embodiment of the network device of the present invention.
Detailed Description
For a further understanding of the invention, reference will now be made to the preferred embodiments of the invention by way of example, and it is to be understood that the description is intended to further illustrate features and advantages of the invention, and not to limit the scope of the claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at", "when" or "in response to a determination", depending on the context.
Referring to fig. 3, a first illustrative embodiment of the present invention provides a method for identifying the authenticity of a SYN message, which is applied to a firewall SYN Reset authentication process, and includes the following steps:
S1: the firewall receives a SYN request from an unmarked source IP and extracts and records routing and port information from the SYN message.
An unmarked source IP is a source IP that is in neither the firewall blacklist nor the firewall whitelist. The routing and port information comprises at least a first TTL value, the source IP and the source port.
S2: the firewall generates a Cookie comprising at least the first TTL value and check-bit information, the check-bit information being generated by a preset algorithm.
In one alternative embodiment, the generated Cookie is 32 bits long, the upper 8 bits being the first TTL value and the lower 24 bits the check bits.
Because the actual hop count of a packet on the Internet is generally less than 64, the space used for the TTL in the Cookie can be compressed to 6 bits; in that case the Cookie stores not the original TTL but the packet's actual hop count.
Accordingly, in another optional implementation the generated Cookie is 32 bits long, the upper 6 bits being the first TTL value, where the first TTL value is the packet's actual hop count converted from the original TTL value by the following rule:
1) if the value TTL1 of the original TTL field is less than 64, the actual hop count of the packet is 64 - TTL1;
2) if the value TTL2 of the original TTL field is greater than or equal to 64 and less than 128, the actual hop count of the packet is 128 - TTL2;
3) if the value TTL3 of the original TTL field is greater than or equal to 128 and less than or equal to 255, the actual hop count of the packet is 255 - TTL3.
In this scheme the remaining 26 bits of the Cookie are check bits, which improves security compared with 24 bits.
In one or more optional embodiments, computing the check-bit information by the preset algorithm specifically comprises: performing a computation over all or some of the secret key, the source IP, the source port and/or the timestamp, and taking all or some of the bits of the result as the check-bit information.
It should be noted that each firewall manufacturer can configure the preset algorithm that generates the check-bit information itself, and such algorithms are not published, so as to prevent attackers from breaking and bypassing them. The preset algorithm can be chosen in many ways, for example taking the lower 24 bits of (key ^ source IP + source port), or, as in the example below, (lower 24 bits of (key ^ source IP)) ^ source port. The timestamp, like the port, may also be a parameter of the computation. The timestamp is a 32-bit integer; for example 2020-12-04 10:57:03 corresponds to the decimal value 1607050623, i.e. 0x5FC9A57F, and its upper 24 bits (the timestamp shifted right by 8 bits) give 0x5FC9A5, a value with 256-second granularity, which can be used as a parameter of the Cookie computation.
It should be understood by those skilled in the art that the specific form of the preset algorithm does not affect the implementation of the technical solution of the present invention, and it is therefore not limited in detail here.
S3: the firewall responds to the source IP and source port of the SYN message with a SYN-ACK message whose acknowledgement number is the Cookie generated in step S2.
S4: if the firewall receives the Reset message returned by the source IP, it extracts from it at least the sequence number (whose content is the Cookie), the source IP and a second TTL value, and compares and judges as follows: if the first TTL value contained in the sequence number is consistent with the second TTL value, and the check-bit information contained in the sequence number is verified as legal by the preset algorithm, the source IP is judged to pass SYN Reset authentication; otherwise the source IP is judged not to pass SYN Reset authentication.
Further, the method also comprises:
S5: if the source IP passes SYN Reset authentication, it is added to the whitelist and its subsequent messages pass through the firewall; if the source IP is judged not to pass SYN Reset authentication, it is added to the blacklist and its subsequent messages cannot pass through the firewall.
The method for identifying the authenticity of the SYN message provided by the present application is described in detail below by way of a specific example.
1) The firewall receives a SYN message with source IP:port 1.1.1.1:20000, destination IP:port 2.2.2.2:80, TTL 115 and sequence number 1;
2) the firewall checks whether the source IP 1.1.1.1 is in the firewall whitelist or blacklist: if it is in the whitelist, the message passes directly; if it is in the blacklist, the message is discarded directly;
3) if the source IP is in neither the blacklist nor the whitelist, the source IP, source port and TTL are extracted from the SYN message, the SYN message is discarded, and SYN Reset authentication is started;
4) a Cookie is generated: the upper 8 bits are the TTL value 115, i.e. 0x73 in hexadecimal; the lower 24 bits are generated by the preset algorithm. Assuming the preset algorithm is (lower 24 bits of (key ^ source IP)) ^ source port, with key 0x123456 the lower 24 bits are 0x123456 ^ 0x010101 ^ 0x4E20 = 0x137B77, and the Cookie is 0x73137B77;
5) the firewall responds with a SYN-ACK message to source IP 1.1.1.1, port 20000, with acknowledgement number 0x73137B77;
6) the firewall receives a Reset message from source IP 1.1.1.1, port 20000, and obtains the TTL value, source IP, source port and sequence number from it:
if the TTL in the message is 115 and the sequence number is 0x73137B77, then TTL 115 converts to 0x73, matching the upper 8 bits of the sequence number 0x73137B77, and the extracted source IP and source port, run through the preset algorithm ((lower 24 bits of (key ^ source IP)) ^ source port), give 0x137B77, matching the lower 24 bits of the sequence number 0x73137B77;
source IP 1.1.1.1 is therefore deemed to pass SYN Reset authentication, it is added to the whitelist, and its subsequent messages pass through the firewall;
if the TTL in the message is 58 and the sequence number is 0x73137B77, the upper 8 bits of the sequence number, 0x73 (115), do not match TTL 58, so the source IP is deemed to have failed SYN Reset authentication, it is added to the blacklist, and its subsequent messages cannot pass through the firewall.
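The following Python is an added example, not code from the patent or its applicant. It models steps S1 to S5 of the Disclosure, the TTL-to-hop-count conversion rule with its 6-bit/26-bit Cookie variant, the optional timestamp parameter discussed above, and this worked example, and it reproduces the example's numbers (Cookie 0x73137B77, pass with a Reset TTL of 115, fail with 58). Assumptions that are mine rather than the page's: the check-bit algorithm is the one the example uses, (lower bits of (key ^ source IP)) ^ source port, optionally mixed with (timestamp >> 8); the key is 0x123456 as in the example; a "prior" layout with no TTL field is my reconstruction of the prior-art Cookie, included only to show the bypass; packets are constructed dicts and no sockets are opened.

```python
"""Added example (not the patent's own code): SYN Reset authentication with the
SYN's TTL carried in the Cookie, per CN112235329A steps S1 to S5, for both Cookie
layouts, the TTL-to-hop-count rule, the optional timestamp, and a prior-art layout
with no TTL field for comparison. Assumptions (mine): check bits are computed as in
the page's worked example, (lower bits of (key ^ source IP)) ^ source port,
optionally ^ (timestamp >> 8); key 0x123456 as there; packets are plain dicts."""
import ipaddress

KEY = 0x123456  # hypothetical secret key, the value used in the page's example


def hop_count(ttl):
    """Conversion rule from the patent: assume an initial TTL of 64, 128 or 255
    and return the distance below the next such value."""
    if ttl < 64:
        return 64 - ttl
    if ttl < 128:
        return 128 - ttl
    return 255 - ttl


# layout -> (bits reserved for the TTL field, how the TTL is encoded in it)
LAYOUTS = {
    "prior": (0, None),        # prior art (my reconstruction): 32 check bits, no TTL
    "ttl8": (8, lambda t: t),  # upper 8 bits = raw TTL, lower 24 = check bits
    "hop6": (6, hop_count),    # upper 6 bits = hop count, lower 26 = check bits
}


def check_bits(src_ip, src_port, nbits, ts_bucket=None):
    """Preset algorithm (assumed). With nbits=24 and no timestamp this reproduces the
    page's numbers: 0x123456 ^ 0x010101 ^ 0x4E20 = 0x137B77 for 1.1.1.1:20000.
    ts_bucket is Unix time >> 8 (256 s granularity) and is mixed in only when given."""
    mask = (1 << nbits) - 1
    ip = int(ipaddress.IPv4Address(src_ip))
    v = ((KEY ^ ip) & mask) ^ src_port
    if ts_bucket is not None:
        v ^= ts_bucket
    return v & mask


def make_cookie(syn, layout="ttl8", ts_bucket=None):
    """S2: build the 32-bit Cookie sent as the SYN-ACK acknowledgement number."""
    fbits, encode = LAYOUTS[layout]
    nbits = 32 - fbits
    field = encode(syn["ttl"]) if fbits else 0
    if fbits and field >= (1 << fbits):  # e.g. a hop count of 64 or more in 6 bits
        raise ValueError("TTL field does not fit the chosen layout")
    return (field << nbits) | check_bits(syn["src_ip"], syn["src_port"], nbits, ts_bucket)


def verify_cookie(reset, layout="ttl8", ts_bucket=None):
    """S4: the TTL field in the Cookie must equal the Reset's own TTL encoded the same
    way, and the check bits must be reproducible from the Reset's source IP and port."""
    fbits, encode = LAYOUTS[layout]
    nbits = 32 - fbits
    cookie = reset["seq"]
    if fbits and (cookie >> nbits) != encode(reset["ttl"]):
        return False
    return (cookie & ((1 << nbits) - 1)) == check_bits(
        reset["src_ip"], reset["src_port"], nbits, ts_bucket)


def authenticate(syn, reply, state, layout="ttl8"):
    """S1 to S5 for one SYN. 'reply' models the network: given the SYN-ACK Cookie it
    returns the Reset the firewall receives, or None. 'state' holds the two lists."""
    src = syn["src_ip"]
    for lst in ("white", "black"):
        if src in state[lst]:
            return lst + "listed"
    reset = reply(make_cookie(syn, layout))  # S2/S3: SYN-ACK goes to src_ip:src_port
    if reset is None:
        return "no-reply"                     # timeouts are outside the page's scope
    if verify_cookie(reset, layout):          # S4
        state["white"].add(src)               # S5
        return "pass"
    state["black"].add(src)
    return "fail"


# Constructed packets following the page's example: SYN from 1.1.1.1:20000, TTL 115.
SYN = {"src_ip": "1.1.1.1", "src_port": 20000, "dst_ip": "2.2.2.2", "dst_port": 80, "ttl": 115}


def legit_reply(cookie):
    """Real client at 1.1.1.1 answers over the same path: its Reset also has TTL 115."""
    return {"src_ip": "1.1.1.1", "src_port": 20000, "ttl": 115, "seq": cookie}


def spoofed_real_ip_reply(cookie):
    """The SYN was forged by an attacker whose path gives TTL 115; the SYN-ACK reaches the
    real 1.1.1.1 host, whose own path to the firewall gives TTL 58 (constructed). Its stack
    returns the correct Cookie, so only the TTL field can expose the spoof."""
    return {"src_ip": "1.1.1.1", "src_port": 20000, "ttl": 58, "seq": cookie}


def run_demo():
    """Verdict per layout for the legitimate and the spoofed-real-IP case."""
    out = {}
    for layout in LAYOUTS:
        for name, reply in (("legit", legit_reply), ("spoofed", spoofed_real_ip_reply)):
            out[(layout, name)] = authenticate(SYN, reply, {"white": set(), "black": set()}, layout)
    return out


if __name__ == "__main__":
    print(f"ttl8 cookie: 0x{make_cookie(SYN):08X}", run_demo())
```

Running the block prints the ttl8 Cookie and the verdicts: the prior layout passes the spoofed-real-IP Reset (the problem described in the background), while ttl8 and hop6 reject it because the Reset's TTL 58 does not reproduce the 115 (or hop count 13) sealed in the Cookie. Two caveats a deployer should keep in mind: under the conversion rule, TTLs between 128 and 191 give hop counts of 64 or more, which do not fit in the 6-bit field (the code raises in that case rather than silently truncating); and a timestamp bucket used at generation has to be recomputed identically at verification, so a bucket rollover between the SYN and the Reset will fail an honest client unless the verifier also tries the previous bucket.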
It should be noted that in general the firewall starts SYN Reset authentication only when it is under SYN Flood attack; when the firewall starts and stops SYN Reset authentication, the validity period of the blacklist and whitelist, and other further identification algorithms are outside the scope of the present invention.
Referring to fig. 4, a second illustrative embodiment of the present invention provides an apparatus for identifying authenticity of a SYN message, which may be configured in a firewall to perform the identification of authenticity of the SYN message in the SYN Reset authentication process, and includes the following modules:
the information extraction module 101 is configured to extract and record routing and port information from a SYN packet of an untagged source IP received by a firewall. Wherein the un-labeled source IPs include source IPs that are neither in a firewall blacklist nor in a firewall whitelist. The routing and port information at least comprises information such as a first TTL value, a source IP and a source port.
The Cookie generating module 102 is configured to generate a Cookie, and the Cookie at least includes a first TTL value and check bit information, where the check bit information is generated based on a preset algorithm. Optionally, the length of the generated Cookie is 32 bits, where the upper 8 bits are the first TTL value, and the lower 24 bits are the check bits. Or, the generated Cookie has a length of 32 bits, wherein the high 6 bits are a first TTL value, and the first TTL value is the actual hop count of the converted message based on the original TTL value; the remaining 26 bits in the Cookie are check bits. The transformation may be performed based on the following rules:
1) TTL if value of original TTL field1If the actual hop count of the message is less than 64, the actual hop count of the message is stored as 64-TTL1;
2) TTL if value of original TTL field2If the actual hop count is greater than or equal to 64 and less than 128, the actual hop count of the message is stored as 128-TTL2;
3) TTL if value of original TTL field3More than or equal to 128 and less than or equal to 255, the actual hop count of the message is stored as 255-TTL3。
The message sending module 103 is configured to respond to the SYN-ACK message to the source IP and the source port of the SYN message, where a confirmation sequence number value in the SYN-ACK message is a Cookie generated by the Cookie generating module.
And an identification determination module 104, configured to extract at least a serial number value, a source IP, and a second TTL value, whose contents are cookies, from the Reset message of the source IP received by the firewall, and perform the following identification determination:
if the first TTL value contained in the second serial number value is consistent with the second TTL value and the check bit information contained in the serial number value is verified to be legal according to the preset algorithm, the source IP is judged to pass SYN Reset authentication and added into a firewall white list; otherwise, judging that the source IP fails SYN Reset authentication, and adding the source IP into a firewall blacklist.
Referring to fig. 5, a third illustrative embodiment of the present invention provides a network device comprising a communication interface 501, a processor 502, a machine-readable storage medium 503 and a bus 504, where the communication interface 501, the processor 502 and the machine-readable storage medium 503 communicate with one another via the bus 504. The processor 502 performs the method for identifying the authenticity of a SYN message described above by reading and executing, from the machine-readable storage medium 503, the machine-executable instructions corresponding to the control logic for identifying the authenticity of a SYN message.
The machine-readable storage medium 503 referred to here may be any electronic, magnetic, optical or other physical storage device that can contain or store information such as executable instructions and data. For example, the machine-readable storage medium may be volatile memory, non-volatile memory or a similar storage medium. In particular, the machine-readable storage medium 503 may be RAM (Random Access Memory), flash memory, a storage drive (e.g. a hard disk drive), a solid state disk, any type of storage disc (e.g. a compact disc or DVD), a similar storage medium, or a combination thereof.
The implementation processes of the functions and actions of each unit in the apparatus and the network device are specifically described in the implementation processes of the corresponding steps in the method, and are not described herein again.
The above description of the embodiments is only intended to facilitate the understanding of the method of the invention and its core idea. It should be noted that, for those skilled in the art, it is possible to make various improvements and modifications to the present invention without departing from the principle of the present invention, and those improvements and modifications also fall within the scope of the claims of the present invention.
Claims (15)
1. A method for identifying the authenticity of a SYN message, applied to the SYN Reset authentication process of a firewall, comprising the following steps:
S1, the firewall receives a SYN request from an unmarked source IP, and extracts and records routing and port information from the SYN message, the routing and port information comprising at least a first TTL value, the source IP and the source port;
S2, generating a Cookie, the Cookie comprising at least the first TTL value and check bit information, the check bit information being generated based on a preset algorithm;
S3, the firewall responds to the source IP and source port of the SYN message with a SYN-ACK message whose acknowledgment number is the Cookie generated in step S2;
S4, the firewall receives the Reset message from the source IP and extracts from it at least the sequence number value (whose content is the Cookie), the source IP and a second TTL value; if
the first TTL value contained in the sequence number value is consistent with the second TTL value, and the check bit information contained in the sequence number value is verified as legal according to the preset algorithm, the source IP is judged to pass SYN Reset authentication; otherwise, the source IP is judged not to pass SYN Reset authentication.
2. The method for identifying the authenticity of a SYN message according to claim 1, wherein the unmarked source IP is a source IP that is neither in the firewall blacklist nor in the firewall whitelist.
3. The method for identifying the authenticity of a SYN message according to claim 1, wherein in step S2, the generated Cookie has a length of 32 bits, wherein the upper 8 bits are the first TTL value and the lower 24 bits are the check bits.
4. The method for identifying the authenticity of the SYN packet according to claim 1, wherein in step S2, the generated Cookie has a length of 32 bits, wherein the upper 6 bits are the first TTL value, and the first TTL value is the actual hop count of the packet after being converted based on the original TTL value; the remaining 26 bits in the Cookie are check bits.
5. The method for identifying the authenticity of the SYN message according to claim 1, wherein the conversion rule for converting the original TTL value into the actual hop count of the message is:
1) if the value TTL1 of the original TTL field is less than 64, the actual hop count of the message is 64 - TTL1;
2) if the value TTL2 of the original TTL field is greater than or equal to 64 and less than 128, the actual hop count of the message is 128 - TTL2;
3) if the value TTL3 of the original TTL field is greater than or equal to 128 and less than or equal to 255, the actual hop count of the message is 255 - TTL3.
6. The method for identifying the authenticity of the SYN message according to claim 1, wherein in steps S2 and S4, calculating the check bit information based on the preset algorithm specifically comprises:
computing a result from a combination of all or part of the secret key, the source IP, the source port and/or timestamp information, and taking all or part of the bits of the computed result as the check bit information.
7. The method for identifying the authenticity of a SYN message according to any of claims 1-6, further comprising:
S5, if the source IP is judged to pass SYN Reset authentication, adding the source IP to the whitelist so that subsequent messages from the source IP pass through the firewall; if the source IP is judged not to pass SYN Reset authentication, adding the source IP to the blacklist so that subsequent messages from the source IP cannot pass through the firewall.
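The procedure of claims 1 to 7 end to end, as an added worked example that is not part of the patent or of any product implementing it: the firewall builds the 32-bit Cookie of claim 3 (upper 8 bits the TTL seen on the SYN, lower 24 bits the check bits of claim 6 derived from a secret key, the source IP, the source port and a timestamp), returns it as the acknowledgment number of the SYN-ACK, and verifies it when it comes back as the sequence number of the Reset; the claim 5 hop-count conversion is included as a separate helper. The reason a Reset comes back at all is TCP itself: a host that receives a SYN-ACK whose ACK number acknowledges nothing it sent answers with RST and SEQ equal to that ACK number, which is what carries the Cookie back. The choice of HMAC-SHA256, the 64-second timestamp bucket, the key, the one-decrement-per-router path model and every address, port and hop count are constructed assumptions of this example, not values from the patent.

```python
import hashlib
import hmac
import struct
from collections import namedtuple
from ipaddress import IPv4Address
from typing import Optional

KEY = b"example-firewall-secret"  # assumed per-device secret (rotate in practice)
BUCKET = 64                       # assumed timestamp granularity in seconds
# Constructed minimal IP/TCP header model; flags "S", "SA", "R".
Pkt = namedtuple("Pkt", "src_ip dst_ip src_port dst_port flags seq ack ttl")


def hop_count(ttl: int) -> int:
    """Claim 5: hops travelled, assuming the sender's initial TTL was 64, 128 or 255."""
    if not 0 <= ttl <= 255:
        raise ValueError("TTL out of range")
    if ttl < 64:
        return 64 - ttl
    if ttl < 128:
        return 128 - ttl
    return 255 - ttl


def check_bits(src_ip: str, src_port: int, bucket: int) -> bytes:
    """Claim 6: low 24 bits of HMAC(key, source IP || source port || time bucket)."""
    msg = IPv4Address(src_ip).packed + struct.pack("!HQ", src_port, bucket)
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:3]


def make_cookie(first_ttl: int, src_ip: str, src_port: int, now: int) -> int:
    """Claim 3 layout: upper 8 bits = TTL seen on the SYN, lower 24 bits = check bits."""
    bits = int.from_bytes(check_bits(src_ip, src_port, now // BUCKET), "big")
    return ((first_ttl & 0xFF) << 24) | bits


def verify_cookie(cookie: int, second_ttl: int, src_ip: str, src_port: int, now: int) -> bool:
    """Step S4: the TTL inside the cookie must equal the Reset's TTL, and the check
    bits must recompute for the current or previous bucket (bounded replay window)."""
    if (cookie >> 24) & 0xFF != second_ttl:
        return False
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    bucket = now // BUCKET
    return any(hmac.compare_digest(got, check_bits(src_ip, src_port, b))
               for b in (bucket, bucket - 1))


def transit(p: Pkt, hops: int) -> Pkt:
    """Assumed path model: every router on the way decrements TTL by one."""
    return p._replace(ttl=p.ttl - hops)


def host_reset(synack: Pkt, initial_ttl: int) -> Pkt:
    """RFC 793 behaviour of the host that owns the address: a SYN-ACK whose ACK number
    acknowledges nothing it sent is answered with RST, SEQ = SEG.ACK. That RST is what
    carries the cookie back to the firewall."""
    return Pkt(synack.dst_ip, synack.src_ip, synack.dst_port, synack.src_port,
               "R", synack.ack, 0, initial_ttl)


class Firewall:
    def __init__(self, ip: str = "192.0.2.1"):
        self.ip, self.whitelist, self.blacklist = ip, set(), set()

    def on_syn(self, p: Pkt, now: int) -> Optional[Pkt]:
        """S1-S3: for an unmarked source, answer SYN-ACK whose ACK number is the cookie."""
        if p.src_ip in self.whitelist or p.src_ip in self.blacklist:
            return None
        cookie = make_cookie(p.ttl, p.src_ip, p.src_port, now)
        return Pkt(self.ip, p.src_ip, p.dst_port, p.src_port, "SA", 0x12345678, cookie, 64)

    def on_rst(self, p: Pkt, now: int) -> bool:
        """S4-S5: the Reset's sequence number is the cookie, its IP TTL the second TTL."""
        ok = verify_cookie(p.seq, p.ttl, p.src_ip, p.src_port, now)
        (self.whitelist if ok else self.blacklist).add(p.src_ip)
        return ok


def run_scenarios(now: int = 1_700_000_000) -> dict:
    """Three constructed exchanges; returns the authentication outcome of each."""
    fw, out = Firewall(), {}
    # 1. Genuine client (initial TTL 64, 12 hops away): SYN and RST share the path,
    #    so the TTL carried in the cookie (52) equals the TTL on the Reset (52).
    syn = transit(Pkt("198.51.100.10", fw.ip, 40000, 443, "S", 1, 0, 64), 12)
    rst = transit(host_reset(transit(fw.on_syn(syn, now), 12), 64), 12)
    out["genuine"] = fw.on_rst(rst, now + 1)
    # 2. Spoofed SYN: an attacker 9 hops away (initial TTL 128) forges 203.0.113.7.
    #    The SYN-ACK reaches the real 203.0.113.7 (initial TTL 64, 20 hops away),
    #    whose Reset arrives with TTL 44 while the cookie says 119.
    syn = transit(Pkt("203.0.113.7", fw.ip, 40001, 443, "S", 1, 0, 128), 9)
    rst = transit(host_reset(transit(fw.on_syn(syn, now), 20), 64), 20)
    out["spoofed"] = fw.on_rst(rst, now + 1)
    # 3. Forged Reset: right TTL, but a one-bit error in the check bits.
    cookie = make_cookie(52, "203.0.113.99", 40002, now) ^ 1
    out["forged"] = fw.on_rst(Pkt("203.0.113.99", fw.ip, 40002, 443, "R", cookie, 0, 52), now)
    out["whitelist"], out["blacklist"] = sorted(fw.whitelist), sorted(fw.blacklist)
    return out
```

Two points worth keeping in mind when reading the scenarios. The TTL comparison only binds the Reset to the SYN's path as far as the TTL goes: a forged SYN that happens to arrive with the same TTL as the spoofed host's own Resets passes that check, and what is left is the 24-bit check field, which gives a blind guesser a 1 in 2^24 chance per accepted time bucket, so the timestamp window and the blacklist of claim 7 do real work. Separately, the claim 4 variant stores the claim 5 hop count in 6 bits, which hold 0 to 63, while the claim 5 rule yields values up to 127 for a sender whose initial TTL is 255; an implementation of that variant has to clamp or reject such values.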
8. An apparatus for identifying the authenticity of a SYN message, configured in a firewall for performing the authenticity identification of the SYN message in a SYN Reset authentication process, comprising:
an information extraction module, configured to extract and record routing and port information from a SYN message of an unmarked source IP received by the firewall, the routing and port information comprising at least a first TTL value, the source IP and the source port;
the Cookie generating module is used for generating Cookie, the Cookie at least comprises a first TTL value and check bit information, and the check bit information is generated based on a preset algorithm;
the message sending module is used for responding to a SYN-ACK message to a source IP and a source port of the SYN message, and the acknowledgement sequence number value in the SYN-ACK message is the Cookie generated by the Cookie generating module;
and an identification determination module, configured to extract at least the sequence number value (whose content is the Cookie), the source IP and a second TTL value from the Reset message of the source IP received by the firewall, and to perform the following identification determination:
if the first TTL value contained in the sequence number value is consistent with the second TTL value, and the check bit information contained in the sequence number value is verified as legal according to the preset algorithm, the source IP is judged to pass SYN Reset authentication; otherwise, the source IP is judged not to pass SYN Reset authentication.
9. The apparatus for identifying the authenticity of a SYN message according to claim 8, wherein the unmarked source IP is a source IP that is neither in the firewall blacklist nor in the firewall whitelist.
10. The apparatus for identifying the authenticity of the SYN packet according to claim 8, wherein the Cookie length generated by the Cookie generation module is 32 bits, wherein the upper 8 bits are the first TTL value, and the lower 24 bits are the check bits.
11. The apparatus for identifying the authenticity of the SYN packet according to claim 8, wherein the Cookie length generated by the Cookie generation module is 32 bits, wherein the upper 6 bits are a first TTL value, and the first TTL value is an actual hop count of the packet converted based on the original TTL value; the remaining 26 bits in the Cookie are check bits.
12. The apparatus for identifying the authenticity of the SYN packet according to claim 8, wherein the conversion rule by which the Cookie generating module converts the original TTL value into the actual hop count of the packet is:
1) if the value TTL1 of the original TTL field is less than 64, the actual hop count of the packet is stored as 64 - TTL1;
2) if the value TTL2 of the original TTL field is greater than or equal to 64 and less than 128, the actual hop count of the packet is stored as 128 - TTL2;
3) if the value TTL3 of the original TTL field is greater than or equal to 128 and less than or equal to 255, the actual hop count of the packet is stored as 255 - TTL3.
13. The apparatus for identifying the authenticity of the SYN packet according to claim 8, wherein the calculation of the check bit information by the Cookie generating module and the identification determination module based on the preset algorithm specifically comprises:
computing a result from a combination of all or part of the secret key, the source IP, the source port and/or timestamp information, and taking all or part of the bits of the computed result as the check bit information.
14. The apparatus for identifying the authenticity of a SYN message according to any of claims 8-13, wherein the identification determination module is further configured to add the source IP determined to pass SYN Reset authentication to a firewall white list, and to add the source IP determined not to pass SYN Reset authentication to a firewall black list.
15. A network device, comprising a readable storage medium and a processor;
wherein the readable storage medium is configured to store machine executable instructions;
the processor configured to read the machine executable instructions on the readable storage medium and execute the instructions to implement the method of any one of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011494385.3A CN112235329A (en) | 2020-12-17 | 2020-12-17 | Method, device and network equipment for identifying authenticity of SYN message |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011494385.3A CN112235329A (en) | 2020-12-17 | 2020-12-17 | Method, device and network equipment for identifying authenticity of SYN message |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112235329A true CN112235329A (en) | 2021-01-15 |
Family
ID=74124746
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011494385.3A Pending CN112235329A (en) | 2020-12-17 | 2020-12-17 | Method, device and network equipment for identifying authenticity of SYN message |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112235329A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114827086A (en) * | 2022-06-28 | 2022-07-29 | 杭州安恒信息技术股份有限公司 | Method, device, equipment and storage medium for detecting IP discovery |
| TWI828347B (en) * | 2021-10-14 | 2024-01-01 | 美商F5公司 | Methods for mitigating ddos attack using hardware device and devices thereof |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5920705A (en) * | 1996-01-31 | 1999-07-06 | Nokia Ip, Inc. | Method and apparatus for dynamically shifting between routing and switching packets in a transmission network |
| CN1954545A (en) * | 2003-03-03 | 2007-04-25 | 思科技术公司 | Using TCP to authenticate IP source addresses |
| CN101764799A (en) * | 2008-12-24 | 2010-06-30 | 丛林网络公司 | Using a server's capability profile to establish a connection |
| US7921282B1 (en) * | 2007-08-20 | 2011-04-05 | F5 Networks, Inc. | Using SYN-ACK cookies within a TCP/IP protocol |
- 2020-12-17 CN CN202011494385.3A patent/CN112235329A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7979694B2 (en) | Using TCP to authenticate IP source addresses | |
| US8453208B2 (en) | Network authentication method, method for client to request authentication, client, and device | |
| CN101390064B (en) | Preventing Network Reset Denial of Service Attacks Using Embedded Authentication Information | |
| KR101054705B1 (en) | Method and apparatus for detecting port scans with counterfeit source addresses | |
| EP1433076B1 (en) | Protecting against distributed denial of service attacks | |
| CN1316369C (en) | Secret hashing for SYN/FIN correspondence | |
| US7536552B2 (en) | Upper-level protocol authentication | |
| CN102014110A (en) | Method for authenticating communication flows, communication system and protective device | |
| CN110784464B (en) | Client verification method, device and system for flooding attack and electronic equipment | |
| US10693908B2 (en) | Apparatus and method for detecting distributed reflection denial of service attack | |
| CN111800401B (en) | Service message protection method, device, system and computer equipment | |
| CN101299668A (en) | A communication establishment method, system and device | |
| Zuquete | Improving the functionality of SYN cookies | |
| Cao et al. | 0-rtt attack and defense of quic protocol | |
| CN100541437C (en) | Prevent network reset denial of service attacks | |
| KR101263381B1 (en) | Method and apparatus for defending against denial of service attack in tcp/ip networks | |
| CN112235329A (en) | Method, device and network equipment for identifying authenticity of SYN message | |
| CN108965309B (en) | Data transmission processing method, device, system and equipment | |
| JP2006033472A (en) | Unauthorized access detection device | |
| Kiesel | On the use of cryptographic cookies for transport layer connection establishment | |
| CN117395023A (en) | Network equipment identification method and device for encryption gateway | |
| CN115694993A (en) | Network attack identification method and related device | |
| CN111526126A (en) | Data security transmission method, data security device and system | |
| JP2005005994A (en) | Network attack prevention device, network attack prevention method, network attack prevention program, and recording medium recording the program |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | | |
| SE01 | Entry into force of request for substantive examination | | |
| RJ01 | Rejection of invention patent application after publication | | |
Application publication date: 20210115