
CN1735045A - Detecting method for preventing SYN flooding attack of network - Google Patents


Info

Publication number
CN1735045A
Authority
CN
China
Prior art keywords
syn
data packet
nodes
network
packet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 200410035551
Other languages
Chinese (zh)
Other versions
CN100484043C (en)
Inventor
徐鄗
王洪鹏
谭俊峰
王迎芳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hisense Co Ltd
Original Assignee
Beijing Hisense Digital Technology Co Ltd
Hisense Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Hisense Digital Technology Co Ltd, Hisense Group Co Ltd
Priority to CNB2004100355518A
Publication of CN1735045A
Application granted
Publication of CN100484043C
Anticipated expiration
Expired - Fee Related (current legal status)

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a detection method for preventing SYN flood attacks on a network, which raises an alarm automatically according to the recorded timeout time and the number of timed-out connections. The method can set its detection parameters according to the network environment and lets the user customize the range of ports to be monitored, which improves the effectiveness of the IDS and lowers the false alarm rate for SYN scanning. The method adds a SYN flood attack detection module to an existing IDS to confirm whether an attack is taking place and then hands the result to the alarm module for processing.

Description

Method for detecting SYN flood attacks against a network
Technical Field
The invention relates to a network security detection method aimed at SYN flood attacks.
Background
With the spread of the Internet through the economy and daily life, people increasingly depend on the information and service platforms the network provides. The greater the dependence on the network, the more important the security of the network itself becomes.
In response to the development of malicious attack techniques, every large website now deploys a network intrusion detection system, so that hacker attacks on the monitored network can be detected and recorded, and the network administrator, by specifically monitoring the running state of the network, can find and close gaps in time. At present, denial of service attack techniques have become a principal attack means for network hackers. Under denial of service attacks, large websites have fallen one after another, including sites with strict security measures such as Yahoo and Sina.
The majority of targets of denial of service attacks are WWW servers. That service is based on the TCP protocol, and TCP-based services are difficult to defend against SYN flood (synflood) attack techniques; at present the SYN flood attack has become the most widely used denial of service attack method. A SYN flood attack sends many SYN connection requests to the server and maliciously withholds the final ACK acknowledgement of the three-way handshake, so that the server waits for that ACK until it times out. This leaves a large number of half-open connections on the server side, eventually exhausting system resources and causing a denial of service.
Current network intrusion detection systems cannot detect SYN flood attacks well, cannot distinguish a SYN flood attack from SYN scanning, and often generate false alarms. The main reason for the false alarms is that current network intrusion detection systems usually only count SYN connection requests, and that technique does not distinguish normal SYN connections from abnormal ones. Consequently, network intrusion detection systems often report false alarms when the monitored network is SYN-scanned or carries heavy access traffic.
Disclosure of Invention
To solve the problems and defects described above, the invention provides a method that automatically confirms an alarm according to the recorded timeout time and the number of timed-out connections. The method can flexibly set its detection parameters according to the network environment and can customize the range of ports to be monitored, thereby improving the efficiency of the network intrusion detection system and effectively reducing the false alarm rate for SYN scanning.
A normal TCP connection is established by a three-way handshake: first the client sends a SYN connection request to the server; the server receives the SYN and responds to the client with a SYN+ACK packet; the client then sends an ACK response to the server. At this point the TCP connection is established.
Given this feature of TCP connections, a SYN flood deliberately never answers the server with the final ACK packet. The server waits for the ACK acknowledgement until it times out, leaving a half-open connection. This is not only the crux of the SYN flood attack, but also the key design point of the detection method for preventing SYN flood attacks on the network.
Based on these characteristics of the SYN flood attack, the detection method adds a SYN flood attack detection module to the existing network intrusion detection system, which confirms whether a SYN flood attack is taking place and hands the result to the alarm module for processing.
The SYN flood attack detection module maintains an ID tracking linked list recording, for each SYN connection request packet submitted to the server, whether a response packet has been seen. Each node of the linked list has the structure:
id, time_t, *next
where:
id (unsigned short id) is the id value of the IP packet. The SYN flood attack detection module uses the id number to tell a SYN connection packet from its SYN+ACK response packet: in a normal TCP three-way handshake, the id value of the SYN+ACK response packet is the id value of the corresponding SYN connection packet plus 1. By matching the recorded id numbers, the detection module distinguishes normal SYN connections from abnormal ones;
time_t (time_t time) records the arrival time of the SYN connection request packet, from which the detection module judges whether the connection request has timed out;
next (struct _IN_TIME *next) is a pointer to the next SYN connection node.
The ID tracking linked list is operated in the usual way: head and tail pointers are kept, a new node is appended directly at the tail, and when a node is to be deleted the detection module selects it by its id value.
The SYN flood attack detection module dynamically monitors the destination port of each SYN connection request packet and maintains an abnormal port tracking linked list, whose nodes have the structure:
port, long count, *timeptr, *next
where:
port (unsigned short port) is the destination port of the SYN connection request packet; the detection module classifies SYN request packets by destination port value;
long count (signed long count) is the number of abnormal SYN packets that have arrived at the port; from this value the detection module judges whether the abnormal SYN packets have reached the alarm threshold, after which the alarm module performs the subsequent processing;
timeptr (IN_TIME *timeptr) is the head pointer of the chain of SYN connection nodes under this port;
next (struct _SYNINFO *next) is a pointer to the next port node.
The abnormal port tracking linked list is also operated in the usual way: head and tail pointers are kept, a new node is appended directly at the tail, and when the list is deleted the detection module clears and frees it completely.
With the SYN flood attack detection module in place, the control flow of the detection method for preventing SYN flood attacks on the network is as follows:
step one, parse and filter the SYN connection packets and ACK response packets in the target network;
step two, if the packet is a SYN packet, jump to step four; if the packet is an ACK acknowledgement packet, jump to step three;
step three, traverse the SYN packets stored in all nodes, match the relevant information and judge whether the ACK acknowledgement packet is a response to one of the SYN packets; if so, clear that SYN packet from its node and return to step one; if no SYN packet matches, return directly to step one;
step four, filter out the SYN packets that need to be monitored according to the configured port range;
step five, classify the filtered SYN packets into different nodes according to their destination ports, recording the arrival time of each SYN packet;
step six, traverse all nodes and check, against the configured timeout, whether the SYN packets stored in each node have timed out; if a packet has timed out, add 1 to the node's counter and judge whether the counter has reached the configured threshold; if it has, alarm to the console, empty all nodes, reset the counters and return to step one; otherwise continue downward;
step seven, judge against the configured protection time whether the protection period has expired; if so, clear all nodes, reset the counters and return to step one; otherwise return directly to step one.
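As an added example (not code from the patent, nor from Hisense), the following C program models the two tracking lists and the seven-step control flow described above: the ID tracking nodes (id, time, next), the abnormal port nodes (port, count, timeptr, next), the per-port timeout counter, the alarm threshold and the protection time. The type and function names (IN_TIME, SYNINFO, syn_cfg, syn_on_syn, syn_on_ack, syn_check, syn_port_count) and the parameter values are this example's own assumptions; the "id + 1" matching rule is applied exactly as the patent states it, to the ACK packet handled in step three; and dropping a SYN entry once it has been counted as timed out, so that it is counted only once, is a choice the patent does not spell out. The packet trace in main is constructed, not captured traffic.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

typedef struct _IN_TIME {          /* ID tracking node: one pending SYN */
    unsigned short id;             /* IP identification field of the SYN */
    time_t time;                   /* arrival time of the SYN */
    struct _IN_TIME *next;
} IN_TIME;
typedef struct _SYNINFO {          /* abnormal port tracking node */
    unsigned short port;           /* destination port of the SYNs chained below */
    long count;                    /* SYNs on this port that have timed out */
    IN_TIME *timeptr, *timetail;   /* head and tail of the port's SYN chain */
    struct _SYNINFO *next;
} SYNINFO;
typedef struct {                   /* user-set parameters (assumed names) */
    unsigned short port_lo, port_hi;          /* monitored port range */
    time_t timeout, protect; long threshold;  /* timeout (s), protection time (s), alarm threshold */
} syn_cfg;
typedef struct {
    syn_cfg cfg; SYNINFO *head, *tail;
    time_t window_start;           /* start of the current protection period */
    int alarms;                    /* alarms raised so far */
} syn_detector;

void syn_init(syn_detector *d, syn_cfg cfg, time_t now) {
    d->cfg = cfg; d->head = d->tail = NULL; d->window_start = now; d->alarms = 0;
}
/* Empty all nodes and reset the counters (the reset in steps six and seven). */
void syn_clear_all(syn_detector *d, time_t now) {
    while (d->head) {
        SYNINFO *p = d->head; d->head = p->next;
        while (p->timeptr) { IN_TIME *n = p->timeptr; p->timeptr = n->next; free(n); }
        free(p);
    }
    d->tail = NULL; d->window_start = now;
}
static SYNINFO *find_port(syn_detector *d, unsigned short port) {
    SYNINFO *p;
    for (p = d->head; p; p = p->next) if (p->port == port) return p;
    if (!(p = calloc(1, sizeof *p))) return NULL;
    p->port = port;
    if (d->tail) d->tail->next = p; else d->head = p;   /* append at the tail */
    return d->tail = p;
}
static void unlink_syn(SYNINFO *p, IN_TIME *prev, IN_TIME *n) {
    if (prev) prev->next = n->next; else p->timeptr = n->next;
    if (p->timetail == n) p->timetail = prev;
    free(n);
}
/* Steps four and five: keep SYNs in the monitored range, file each under its port, record its time. */
int syn_on_syn(syn_detector *d, unsigned short port, unsigned short id, time_t now) {
    if (port < d->cfg.port_lo || port > d->cfg.port_hi) return 0;
    SYNINFO *p = find_port(d, port);
    IN_TIME *n = malloc(sizeof *n);
    if (!p || !n) { free(n); return 0; }
    n->id = id; n->time = now; n->next = NULL;
    if (p->timetail) p->timetail->next = n; else p->timeptr = n;
    p->timetail = n;
    return 1;
}
/* Step three: an ACK answers a pending SYN when its IP id is the SYN's id + 1 (the patent's rule). */
int syn_on_ack(syn_detector *d, unsigned short ack_id) {
    for (SYNINFO *p = d->head; p; p = p->next) {
        IN_TIME *prev = NULL;
        for (IN_TIME *n = p->timeptr; n; prev = n, n = n->next)
            if ((unsigned short)(n->id + 1) == ack_id) { unlink_syn(p, prev, n); return 1; }
    }
    return 0;
}
/* Steps six and seven: count timed-out SYNs per port, alarm at the threshold, expire the protection period. */
int syn_check(syn_detector *d, time_t now) {
    for (SYNINFO *p = d->head; p; p = p->next) {
        IN_TIME *prev = NULL, *next;
        for (IN_TIME *n = p->timeptr; n; n = next) {
            next = n->next;
            if (now - n->time < d->cfg.timeout) { prev = n; continue; }
            p->count++; unlink_syn(p, prev, n);   /* counted once, then dropped */
        }
        if (p->count < d->cfg.threshold) continue;
        printf("ALARM: %ld timed-out SYNs on port %u\n", p->count, (unsigned)p->port);
        d->alarms++; syn_clear_all(d, now);
        return 1;
    }
    if (now - d->window_start >= d->cfg.protect) syn_clear_all(d, now);
    return 0;
}
long syn_port_count(const syn_detector *d, unsigned short port) {   /* -1: no node for the port */
    for (const SYNINFO *p = d->head; p; p = p->next) if (p->port == port) return p->count;
    return -1;
}
int main(void) {                   /* replay of a constructed packet trace */
    syn_detector d; syn_cfg cfg = {1, 1024, 5, 60, 3};   /* assumed settings */
    syn_init(&d, cfg, 1000);
    syn_on_syn(&d, 80, 10, 1000); syn_on_syn(&d, 80, 20, 1000); syn_on_syn(&d, 80, 30, 1000);
    syn_on_ack(&d, 11);            /* answers SYN id 10: a completed handshake */
    syn_check(&d, 1006); syn_on_syn(&d, 80, 50, 1006);   /* ids 20 and 30 time out */
    syn_check(&d, 1012);           /* the third timeout reaches the threshold */
    return d.alarms == 1 ? 0 : 1;
}
```

Compile with `cc -std=c99 -Wall` and run; the program prints one alarm line for port 80 and exits 0. Whether the IP identification field of a real client actually increases by one between its SYN and its final ACK depends on that client's IP stack, so a deployment of this matching rule needs to be validated against the traffic it will see, and the timeout, threshold and protection time need tuning to the monitored network as the patent itself notes.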
The above is the main content of the method according to the present invention for detecting SYN flood attacks against a network.
The method for detecting SYN flood attacks against a network has the following advantages and beneficial effects:
1. Because the SYN packets in the target network are classified and counted by destination port, a synflood can be strictly distinguished from SYN scanning, which greatly reduces the false alarms of the intrusion detection system.
2. The ports to be monitored can be customized by the user, which markedly reduces the load on the intrusion detection system.
3. Because the user can customize the connection timeout and the alarm threshold, the method adapts flexibly to the environment of the monitored network.
4. Thanks to the protection time setting, the intrusion detection system withstands bursts better when detecting a synflood attack, and the abnormal SYN connections that accumulate in the target network under normal conditions are cleared out, further reducing the false alarm rate of the intrusion detection system.
Drawings
FIG. 1 is a block diagram of a network intrusion detection system;
FIG. 2 is a control flow diagram of the detection method for preventing SYN flood attacks on the network.
Detailed Description
As shown in FIG. 1, the method for detecting SYN flood attacks described above adds a SYN flood attack detection module to an existing network intrusion detection system to determine whether an attack is taking place and hands the result to the alarm module for processing.
After the network interface captures a SYN packet, the SYN flood attack detection module dynamically tracks the SYN+ACK response packets and the abnormal ports, and judges whether the number of timed-out SYN packets at a given node has reached the threshold and whether the elapsed time has reached the configured protection time.
If so, control passes to the alarm module, all nodes are emptied and the counters are reset.
As shown in FIG. 2, the control flow of the method for detecting SYN flood attacks against a network is as follows:
step one, parse and filter the SYN connection packets and ACK response packets in the target network;
step two, if the packet is a SYN packet, jump to step four; if the packet is an ACK acknowledgement packet, jump to step three;
step three, traverse the SYN packets stored in all nodes, match the relevant information and judge whether the ACK acknowledgement packet is a response to one of the SYN packets; if so, clear that SYN packet from its node and return to step one; if no SYN packet matches, return directly to step one;
step four, filter out the SYN packets that need to be monitored according to the configured port range;
step five, classify the filtered SYN packets into different nodes according to their destination ports, recording the arrival time of each SYN packet;
step six, traverse all nodes and check, against the configured timeout, whether the SYN packets stored in each node have timed out; if a packet has timed out, add 1 to the node's counter and judge whether the counter has reached the configured threshold; if it has, alarm to the console, empty all nodes, reset the counters and return to step one; otherwise continue downward;
step seven, judge against the configured protection time whether the protection period has expired; if so, clear all nodes, reset the counters and return to step one; otherwise return directly to step one.

Claims (2)

1. A method for detecting SYN flood attacks against a network, characterized in that: a SYN flood attack detection module is added to the network intrusion detection system to confirm whether an attack is taking place and hand the result to an alarm module for processing.
After the network interface captures a SYN packet, the SYN flood attack detection module dynamically tracks the SYN+ACK response packets and the abnormal ports, and judges whether the number of timed-out SYN packets at a given node has reached the threshold and whether the elapsed time has reached the configured protection time.
If so, control passes to the alarm module, all nodes are emptied and the counters are reset.
2. The method according to claim 1, wherein the control flow of the method is as follows:
step one, parse and filter the SYN connection packets and ACK response packets in the target network;
step two, if the packet is a SYN packet, jump to step four; if the packet is an ACK acknowledgement packet, jump to step three;
step three, traverse the SYN packets stored in all nodes, match the relevant information and judge whether the ACK acknowledgement packet is a response to one of the SYN packets; if so, clear that SYN packet from its node and return to step one; if no SYN packet matches, return directly to step one;
step four, filter out the SYN packets that need to be monitored according to the configured port range;
step five, classify the filtered SYN packets into different nodes according to their destination ports, recording the arrival time of each SYN packet;
step six, traverse all nodes and check, against the configured timeout, whether the SYN packets stored in each node have timed out; if a packet has timed out, add 1 to the node's counter and judge whether the counter has reached the configured threshold; if it has, alarm to the console, empty all nodes, reset the counters and return to step one; otherwise continue downward;
step seven, judge against the configured protection time whether the protection period has expired; if so, empty all nodes, reset the counters and return to step one; otherwise return directly to step one.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2004100355518A CN100484043C (en) 2004-08-12 2004-08-12 Detecting method for preventing SYN flooding attack of network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2004100355518A CN100484043C (en) 2004-08-12 2004-08-12 Detecting method for preventing SYN flooding attack of network

Publications (2)

Publication Number Publication Date
CN1735045A true CN1735045A (en) 2006-02-15
CN100484043C CN100484043C (en) 2009-04-29

Family

ID=36077253

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100355518A Expired - Fee Related CN100484043C (en) 2004-08-12 2004-08-12 Detecting method for preventing SYN flooding attack of network

Country Status (1)

Country Link
CN (1) CN100484043C (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010048838A1 (en) * 2008-10-27 2010-05-06 成都市华为赛门铁克科技有限公司 Network authentication method, client end requiring authentication method, client end and device
CN101917309A (en) * 2010-08-27 2010-12-15 电子科技大学 Denial of service attack detection method for public service number under softswitch platform
CN101018233B (en) * 2007-03-20 2011-08-24 杭州华三通信技术有限公司 Session control method and control device
CN101478537B (en) * 2008-12-31 2012-01-04 成都市华为赛门铁克科技有限公司 Network security protection method and apparatus in uni-direction environment
CN112532961A (en) * 2020-12-04 2021-03-19 上海影创信息科技有限公司 Delay detection safety prompting method and system of VR glasses and VR glasses

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101018233B (en) * 2007-03-20 2011-08-24 杭州华三通信技术有限公司 Session control method and control device
WO2010048838A1 (en) * 2008-10-27 2010-05-06 成都市华为赛门铁克科技有限公司 Network authentication method, client end requiring authentication method, client end and device
US8453208B2 (en) 2008-10-27 2013-05-28 Chengdu Huawei Symantec Technologies Co., Ltd. Network authentication method, method for client to request authentication, client, and device
US8800001B2 (en) 2008-10-27 2014-08-05 Huawei Technologies Co., Ltd. Network authentication method, method for client to request authentication, client, and device
CN101478537B (en) * 2008-12-31 2012-01-04 成都市华为赛门铁克科技有限公司 Network security protection method and apparatus in uni-direction environment
CN101917309A (en) * 2010-08-27 2010-12-15 电子科技大学 Denial of service attack detection method for public service number under softswitch platform
CN112532961A (en) * 2020-12-04 2021-03-19 上海影创信息科技有限公司 Delay detection safety prompting method and system of VR glasses and VR glasses

Also Published As

Publication number Publication date
CN100484043C (en) 2009-04-29

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
ASS Succession or assignment of patent right

Owner name: HAIXIN GROUP CO., LTD.

Free format text: FORMER OWNER: HAIXIN GROUP CO., LTD.; APPLICANT

Effective date: 20071214

C10 Entry into substantive examination
C41 Transfer of patent application or patent right or utility model
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20071214

Address after: 151, Zhuzhou Road, Laoshan District, Shandong City, Qingdao Province, China: 266100

Applicant after: HISENSE Co.,Ltd.

Address before: Zip code 11, Jiangxi Road, Qingdao, Shandong, China: 266071

Applicant before: HISENSE Co.,Ltd.

Co-applicant before: Beijing Hisense Digi-Tech Co.,Ltd.

C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090429

CF01 Termination of patent right due to non-payment of annual fee