CN107087007A - Network attack defence method, related device and system - Google Patents



Publication number
CN107087007A
Authority
CN
China
Prior art keywords
client
address
network attack
tcp connection
connection requests
Legal status
Pending
Application number
CN201710379453.3A
Other languages
Chinese (zh)
Inventor
陈国�
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201710379453.3A
Publication of CN107087007A
Legal status: Pending

Abstract

The embodiment of the invention discloses a network attack defence method, comprising: receiving a first TCP connection request sent by a client, wherein the first TCP connection request carries the Internet Protocol (IP) address of the client; judging, according to the reception of service messages, whether the IP address corresponding to the client is an illegal IP address; and, if the IP address is an illegal IP address, establishing a communication connection with the client according to the first TCP connection request and refusing to send the first TCP connection request to the server. The embodiment of the invention also provides a network attack defence device, a client and a network attack defence system. The network attack defence device of the invention can establish the communication connection with the client in place of the server and detect the legitimacy of the client IP address according to the reception of service messages, without configuring a total-connection threshold or a concurrent-connection rate threshold for each IP address before detecting IP address legitimacy, thereby improving configuration efficiency.

Description

Network attack defence method, related device and system
Technical field
The present invention relates to the field of Internet technology, and in particular to a network attack defence method, related device and system.
Background technology
Distributed denial of service (full English name: Distributed Denial of Service, abbreviated DDoS) attacks are a network attack technique widely used by hackers; they aim to destroy the availability of computer systems or networks and are extremely harmful. Connection exhaustion attacks are one common DDoS attack technique: as the name suggests, a connection exhaustion attack occupies the available connections on the server until it can no longer respond normally.
At present, a connection exhaustion protection method for connection exhaustion attacks has been proposed. In detail, a total-connection threshold and a concurrent-connection rate threshold are first configured for each single source Internet Protocol (IP) address according to the service situation. A protection system deployed in front of the server can detect service traffic in real time and enters the protection flow when a connection exhaustion attack is detected. After the attack occurs, the protection system counts the total number of connections and the connection concurrency of each source IP address; if the total number of connections of some source IP address exceeds the threshold, or the connection concurrency exceeds the preset value, the protection system judges that the IP address is abnormal and adds the IP address to a blacklist, thereby achieving protection against connection exhaustion attacks.
However, protecting against connection exhaustion attacks in the above manner also has to consider the actual situation of different services. For example, some services may involve a large number of IP addresses, so the total-connection threshold and the concurrent-connection rate threshold have to be configured separately in advance in the protection system for each source IP address, which reduces configuration efficiency and is not conducive to configuration flexibility.
Summary of the invention
The embodiments of the invention provide a network attack defence method, related device and system. The network attack defence device can establish the communication connection with the client in place of the server and detect the legitimacy of the client IP address according to the reception of service messages, without configuring a total-connection threshold or a concurrent-connection rate threshold for each IP address before detecting IP address legitimacy, thereby improving configuration efficiency.
In view of this, a first aspect of the present invention provides a network attack defence method, the method being applied to a network attack defence system, the network attack defence system including a client, a server and a network attack defence device, the method including:
receiving a first TCP connection request sent by the client, wherein the first TCP connection request carries the Internet Protocol (IP) address of the client;
judging, according to the reception of service messages, whether the IP address corresponding to the client is an illegal IP address;
if the IP address is the illegal IP address, establishing a communication connection with the client according to the first TCP connection request, and refusing to send the first TCP connection request to the server.
A second aspect of the present invention provides a network attack defence method, including:
sending a first TCP connection request to a network attack defence device, wherein the first TCP connection request carries the Internet Protocol (IP) address of the client;
if the IP address corresponding to the client is an illegal IP address, refusing to send a second TCP connection request to the server.
A third aspect of the present invention provides a network attack defence device, the network attack defence device being applied to a network attack defence system, the network attack defence system further including a client and a server, the network attack defence device including:
a first receiving module, configured to receive a first TCP connection request sent by the client, wherein the first TCP connection request carries the Internet Protocol (IP) address of the client;
a first judging module, configured to judge whether the IP address corresponding to the client is an illegal IP address;
a processing module, configured to, if the first judging module judges that the IP address is the illegal IP address, establish a communication connection with the client according to the first TCP connection request received by the first receiving module, and refuse to send the first TCP connection request to the server.
A fourth aspect of the present invention provides a client, the client being applied to a network attack defence system, the network attack defence system further including a network attack defence device and a server, the client including:
a first sending module, configured to send a first TCP connection request to the network attack defence device, wherein the first TCP connection request carries the Internet Protocol (IP) address of the client;
a refusing module, configured to, if the IP address corresponding to the client is an illegal IP address, refuse to send a second TCP connection request to the server.
A fifth aspect of the present invention provides a network attack defence device, including: a memory, a processor and a bus system;
wherein the memory is configured to store a program;
the processor is configured to execute the program in the memory, comprising the following steps:
receiving a first TCP connection request sent by the client, wherein the first TCP connection request carries the Internet Protocol (IP) address of the client;
judging, according to the reception of service messages, whether the IP address corresponding to the client is an illegal IP address;
if the IP address is the illegal IP address, establishing a communication connection with the client according to the first TCP connection request, and refusing to send the first TCP connection request to the server;
the bus system is configured to connect the memory and the processor, so that the memory and the processor communicate.
A sixth aspect of the present invention provides a network attack defence system, the network attack defence system including a client, a server and a network attack defence device;
the client sends a first TCP connection request to the network attack defence device, wherein the first TCP connection request carries the Internet Protocol (IP) address of the client;
the network attack defence device judges whether the IP address corresponding to the client is an illegal IP address;
if the IP address is the illegal IP address, the network attack defence device establishes a communication connection with the client according to the first TCP connection request, and refuses to send the first TCP connection request to the server.
A seventh aspect of the present invention provides a computer-readable storage medium, the computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the method described in the above aspects.
As can be seen from the above technical solutions, the embodiments of the present invention have the following advantages:
The embodiment of the present invention provides a network attack defence method. Specifically, the network attack defence device first receives a first TCP connection request sent by the client, wherein the first TCP connection request carries the Internet Protocol (IP) address of the client; the network attack defence device then judges, according to the reception of service messages, whether the IP address corresponding to the client is an illegal IP address; if the IP address is an illegal IP address, it establishes a communication connection with the client according to the first TCP connection request and refuses to send the first TCP connection request to the server. In this way, the network attack defence device, acting as the protection system, can establish the communication connection with the client in place of the server and detect the legitimacy of the client IP address according to the reception of service messages, without configuring a total-connection threshold or a concurrent-connection rate threshold for each IP address before detecting IP address legitimacy, thereby improving configuration efficiency and the flexibility of the solution.
Brief description of the drawings
Fig. 1 is an architecture diagram of the network attack defence system in an embodiment of the present invention;
Fig. 2 is a schematic diagram of an interaction embodiment of the network attack defence method in an embodiment of the present invention;
Fig. 3 is a schematic diagram of an embodiment of the network attack defence method in an embodiment of the present invention;
Fig. 4 is a schematic flow chart of handling an attacking client in an embodiment of the present invention;
Fig. 5 is a schematic flow chart of handling a safe client in an embodiment of the present invention;
Fig. 6 is a schematic diagram of another embodiment of the network attack defence method in an embodiment of the present invention;
Fig. 7 is a schematic flow chart of defending against connection exhaustion attacks in an application scenario of the present invention;
Fig. 8 is a schematic diagram of an embodiment of the network attack defence device in an embodiment of the present invention;
Fig. 9 is a schematic diagram of another embodiment of the network attack defence device in an embodiment of the present invention;
Fig. 10 is a schematic diagram of another embodiment of the network attack defence device in an embodiment of the present invention;
Fig. 11 is a schematic diagram of another embodiment of the network attack defence device in an embodiment of the present invention;
Fig. 12 is a schematic diagram of another embodiment of the network attack defence device in an embodiment of the present invention;
Fig. 13 is a schematic diagram of another embodiment of the network attack defence device in an embodiment of the present invention;
Fig. 14 is a schematic diagram of an embodiment of the client in an embodiment of the present invention;
Fig. 15 is a schematic diagram of another embodiment of the client in an embodiment of the present invention;
Fig. 16 is a schematic diagram of another embodiment of the client in an embodiment of the present invention;
Fig. 17 is a schematic structural diagram of the network attack defence device in an embodiment of the present invention;
Fig. 18 is a schematic structural diagram of the client in an embodiment of the present invention;
Fig. 19 is a schematic diagram of an embodiment of the network attack defence system in an embodiment of the present invention.
Detailed description of the embodiments
The embodiments of the invention provide a network attack defence method, related device and system. The network attack defence device can establish the communication connection with the client in place of the server and detect the legitimacy of the client IP address according to the reception of service messages, without configuring a total-connection threshold or a concurrent-connection rate threshold for each IP address before detecting IP address legitimacy, thereby improving configuration efficiency.
The terms "first", "second", "third", "fourth" (if present) and the like in the description, claims and drawings of this specification are used to distinguish similar objects and need not describe a specific order or sequence. It should be understood that data so used can be interchanged where appropriate, so that the embodiments of the invention described herein can, for example, be implemented in orders other than those illustrated or described herein. In addition, the terms "comprising" and "having" and any variants thereof are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to those steps or units expressly listed, but may include other steps or units not expressly listed or inherent to such process, method, product or device.
It should be understood that the embodiments of the present invention are mainly applied to DDoS attacks among network attacks. There are many DDoS attack patterns; one common pattern is the connection exhaustion attack, in which the attacker uses a botnet to initiate a large number of Transmission Control Protocol (TCP) connections to the server, exhausting the server's TCP connection resources. Connection exhaustion generally has the following attack types:
The first: after completing the three-way handshake with the server, the attacker sends no message at all and keeps these TCP connections open;
The second: after completing the three-way handshake with the server, the attacker immediately sends a finish (FIN) message or a reset (RST) message to release its end of the connection, while quickly initiating new connections;
The third: during the connection procedure, the attacker advertises a very small TCP window size to the server, exhausting the resources of the server's TCP protocol stack;
The fourth: the attacker sends a large number of TCP retransmission requests, which can congest the uplink of the attacked network with very little traffic.
The present invention resists the attacker's connection exhaustion attacks by adding a protection system in front of the server; the protection system lets only safe clients through, so that only these clients can establish TCP connections with the server. Referring to Fig. 1, Fig. 1 is an architecture diagram of the network attack defence system in an embodiment of the present invention. As shown, a network attack defence device is deployed in front of the server. It can be understood that the network attack defence device can be deployed on a front-end server, or deployed in front of the server in the form of a firewall. The four clients in Fig. 1 are only illustrative; in practical applications the network attack defence device can defend against more or fewer clients.
The network attack defence device can be a combination of software and hardware that builds a protective barrier between the clients and the server, so that the server is protected from intrusion by illegitimate clients. The network attack defence device can consist of four parts: service access rules, a verification tool, packet filtering and an application gateway. All network communication and packets flowing in and out of the clients pass through this network attack defence device.
For ease of understanding, refer to Fig. 2, which is a schematic diagram of an interaction embodiment of the network attack defence method in an embodiment of the present invention. As shown, specifically:
In step 101, the client sends a TCP connection request to the network attack defence device, wherein the TCP connection request carries the IP address of the client. The TCP connection request is mainly used to instruct the client to perform a three-way handshake with the network attack defence device to establish a TCP connection;
In step 102, the network attack defence device establishes a TCP connection with the client according to the TCP connection request, and then further judges whether the IP address of the client is an illegal IP address. If it is an illegal IP address, step 103 is performed; otherwise, if it is a legitimate IP address, the flow proceeds to step 104;
In step 103, if the IP address of the client is an illegal IP address, the client cannot connect to the server but only establishes a connection with the network attack defence device, which consumes the client's TCP connection request;
In step 104, if the IP address of the client is a legitimate IP address, the network attack defence device lets the client through, so that the client can then establish a TCP connection with the server.
The network attack defence method of the present invention is introduced below from the perspective of the network attack defence device. Referring to Fig. 3, an embodiment of the network attack defence method in an embodiment of the present invention includes:
201. Receiving a first TCP connection request sent by the client, wherein the first TCP connection request carries the Internet Protocol (IP) address of the client;
In this embodiment, the network attack defence device first receives the first TCP connection request sent by the client, wherein the first TCP connection request carries the IP address of the client. The network attack defence device can perform the TCP three-way handshake with the client according to the first TCP connection request and establish the TCP connection after the handshake succeeds.
202. Judging, according to the reception of service messages, whether the IP address corresponding to the client is an illegal IP address;
In this embodiment, after the network attack defence device has established the TCP connection with the client, it further judges, according to the reception of service messages, whether the IP address corresponding to the client is a legitimate IP address. A legitimate IP address is an IP address that is not aggressive; the IP address of an attacker or of a zombie machine is an illegal IP address.
A service message contains the complete service information to be sent. The message lengths of service messages need not be consistent; the length is unlimited and variable. A message is also the unit of network transmission; during transmission it is continuously encapsulated into packets, packages or frames, the encapsulation consisting of adding message segments, which are header data organised in a certain format. The service information in a service message can also be of many kinds, such as voice service information and query service information.
203. If the IP address is an illegal IP address, establishing a communication connection with the client according to the first TCP connection request, and refusing to send the first TCP connection request to the server.
In this embodiment, if the IP address of the client is an illegal IP address, the network attack defence device establishes the TCP connection with the client without letting the client through, so that the client with the illegal IP address cannot establish a TCP connection with the server.
For ease of introduction, refer to Fig. 4, which is a schematic flow chart of handling an attacking client in an embodiment of the present invention. As shown, specifically:
In step 301, the attacking client first sends a handshake signal (synchronise, SYN) to the network attack defence device, thereby entering the SYN_SEND state;
In step 302, the network attack defence device receives the SYN and responds with a SYN handshake confirmation signal, thereby entering the SYN_RECV state;
In step 303, after receiving the SYN sent by the network attack defence device, the client responds with a confirmation signal (acknowledgement, ACK), thereby entering the TCP connected state.
At this point, after steps 301 to 303 have been performed, the client and the network attack defence device have successfully established a connection and can start transmitting data. However, because the attacking client will not send real service data, after the TCP connection between the client and the network attack defence device is established, step 304 is performed, in which the network attack defence device prevents the attacking client from establishing a TCP connection with the server.
It should be noted that in this solution the network attack defence device establishes the communication connections with the client and the server using the TCP protocol. In practical applications, the connections with the client and the server can also be established using other communication protocols, and different protocols may have different interaction modes; for example, the TCP protocol in the present invention uses the "three-way handshake" communication mode.
The embodiment of the present invention provides a network attack defence method. Specifically, the network attack defence device first receives a first TCP connection request sent by the client, wherein the first TCP connection request carries the Internet Protocol (IP) address of the client; the network attack defence device then judges, according to the reception of service messages, whether the IP address corresponding to the client is an illegal IP address; if the IP address is an illegal IP address, it establishes a communication connection with the client according to the first TCP connection request and refuses to send the first TCP connection request to the server. In this way, the network attack defence device, acting as the protection system, can establish the communication connection with the client in place of the server and detect the legitimacy of the client IP address according to the reception of service messages, without configuring a total-connection threshold or a concurrent-connection rate threshold for each IP address before detecting IP address legitimacy, thereby improving configuration efficiency and the flexibility of the solution.
Optionally, on the basis of the embodiment corresponding to Fig. 3 above, in a first optional embodiment of the network attack defence method provided by the embodiment of the present invention, after judging whether the IP address corresponding to the client is an illegal IP address, the method may further include:
if the IP address is a legitimate IP address, receiving a second TCP connection request sent by the client;
sending the second TCP connection request to the server, so that the server establishes a communication connection with the client according to the second TCP connection request.
In this embodiment, if the network attack defence device detects that the IP address of the client is a legitimate IP address, it can further receive the second TCP connection request sent by the client and then forward the second TCP connection request to the server, wherein the second TCP connection request is used to instruct the client to establish a TCP connection with the server.
It can be understood that the network attack defence device mainly passes the second TCP connection request through transparently and need not perform any processing on it. For ease of introduction, refer to Fig. 5, which is a schematic flow chart of handling a safe client in an embodiment of the present invention. Specifically:
In step 401, the safe client first sends a first SYN to the network attack defence device, thereby entering the SYN_SEND state;
In step 402, after receiving the first SYN, the network attack defence device responds with a first SYN handshake confirmation signal, thereby entering the SYN_RECV state;
In step 403, after receiving the first SYN sent by the network attack defence device, the client responds with a first ACK, thereby entering the TCP connected state;
In step 404, the network attack defence device detects whether service data sent by the client is received; if service data is received, it can be determined that the client is a safe client;
In step 405, after learning that the client is a safe client, the network attack defence device can send a reset connection request to the safe client;
In step 406, the safe client can connect directly to the server according to the reset connection request, i.e. the safe client sends a second SYN to the server, thereby entering the SYN_SEND state;
In step 407, after receiving the second SYN, the server responds with a second SYN handshake confirmation signal, thereby entering the SYN_RECV state;
In step 408, after receiving the second SYN sent by the server, the client responds with a second ACK, thereby establishing the TCP connection between the server and the client.
Secondly, in the embodiment of the present invention, for a legitimate IP address the network attack defence device can directly receive the second TCP connection request sent by the client and forward it to the server, so that the server establishes a communication connection with the client according to the second TCP connection request. In this way, if the client has a legitimate IP address, the network attack defence device regards the client as a normal client, so that normal clients are not mistakenly blocked; instead, the TCP connection requests sent by normal clients are forwarded to the server, which also protects the availability of the server and the continuity of the service.
Optionally, on the basis of Fig. 3 or the first embodiment corresponding to Fig. 3 above, in a second optional embodiment of the network attack defence method provided by the embodiment of the present invention, judging, according to the reception of service messages, whether the IP address corresponding to the client is an illegal IP address may include:
judging whether a service message sent by the client is received within a preset time;
if no service message sent by the client is received within the preset time, determining that the IP address is an illegal IP address;
if a service message sent by the client is received within the preset time, determining that the IP address is a legitimate IP address, and adding the legitimate IP address to a legitimate IP address list.
This embodiment specifically introduces how the network attack defence device determines the legitimacy of the client IP address. Specifically, the network attack defence device first judges whether a service message sent by the client is received within a preset time. Normally, after the client and the network attack defence device complete the three-way handshake, the client starts sending service data related to its service; if no service data sent by the client is received within the preset time, the client can be considered to have only established the TCP connection without transmitting useful data, and the IP address of the client is then an illegal IP address.
Conversely, if service data sent by the client is received within the preset time, the client is considered a safe client and the IP address of the client is a legitimate IP address. It should be noted that the preset time can be 15 minutes or another reasonable time, which is not limited here.
A legitimate IP address list can be maintained in the network attack defence device, the legitimate IP address list storing at least one legitimate IP address. Refer to Table 1, which is a legitimate IP address list.
Table 1
Legitimate IP address
119.137.92.133
11.111.45.25
172.16.0.0
218.24.166.12
58.34.188.0
Again, in the embodiment of the present invention, it is proposed that how to judge the whether legal method of the IP address of client, i.e. networkAttack defending device judges the service message that client is dealt into whether is received in preset time, if it is not, thinking thisThe IP address of client is exactly illegal IP address, whereas if having received the service message of client in preset time, thenThe IP address for thinking the client is legitimate ip address, so that legitimate ip address can also be added into legitimate ip address listIn.By the above-mentioned means, can reasonably determine whether client ip address is legal, distinguished just by the behavior for analyzing clientNormal client and attack client, so as to efficiently and accurately protect continuous attack.
Optionally, on the basis of the second embodiment corresponding to Fig. 3, a third alternative embodiment of the network attack defense method provided by the embodiment of the present invention may further include:
receiving a third TCP connection request sent by the client, the third TCP connection request carrying the IP address to be detected of the client;
judging whether the IP address to be detected is in the legitimate IP address list, and if so, sending the third TCP connection request to the server so that the server establishes a communication connection with the client according to the third TCP connection request.
In this embodiment, a legitimate IP address list is maintained in the network attack defense device. When a third TCP connection request sent by the client is received, the device first judges whether the IP address to be detected carried in the third TCP connection request is in the legitimate IP address list. If it is, the network attack defense device lets the client pass directly; that is, the network attack defense device (or the client itself) sends the third TCP connection request to the server, and the server establishes a communication connection with the client according to the third TCP connection request.
Further, in the embodiment of the present invention, the network attack defense device may also receive a third TCP connection request sent by the client, which carries the IP address to be detected of the client. If the IP address to be detected is in the legitimate IP address list, the network attack defense device forwards the third TCP connection request to the server so that the server establishes a communication connection with the client according to it. In this way, the legitimate IP address list is used to judge the IP address to be detected directly, which saves the time of a three-way handshake between the client and the network attack defense device and improves defense efficiency.
Optionally, on the basis of the first embodiment corresponding to Fig. 3, in a fourth alternative embodiment of the network attack defense method provided by the embodiment of the present invention, before the second TCP connection request sent by the client is received, the method may further include:
sending a reset connection request to the client, the reset connection request being used to instruct the client to send the second TCP connection request.
In this embodiment, if the IP address of the client is a legitimate IP address, the client is considered a safe client. After the three-way handshake between the safe client and the network attack defense device, the safe client actively sends a TCP message to the network attack defense device, and the flags field of that TCP message has neither FIN nor RST set. The network attack defense device then disconnects the TCP connection with the safe client according to this TCP message.
Before the safe client establishes a TCP connection with the server, the network attack defense device actively sends a reset connection request to the safe client, thereby notifying the safe client to send the second TCP connection request to the server; that is, the network attack defense device lets the safe client pass directly.
The reset connection request may specifically be an RST message. RST is one of the six flag bits of the TCP header as originally specified (later RFCs added the ECE, CWR and NS bits) and indicates that the connection is to be reset.
Further, in the embodiment of the present invention, before receiving the second TCP connection request sent by the client, the network attack defense device may first send a reset connection request to the client, the reset connection request instructing the client to send the second TCP connection request. This enhances the practicality and operability of the scheme.
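The checks in the fourth alternative embodiment (a TCP message whose flags field has neither FIN nor RST set, and an RST message used as the reset connection request) both require reading the flag bits out of the TCP header. The following Python is an added illustration, not code from the patent or its assignee: it parses the 20-byte fixed TCP header (RFC 793 layout), decodes the flags, and classifies a segment. The rule that a service message must carry payload and must not be a SYN is my assumption, since the description only names FIN and RST; the segments built by `build_segment` are constructed test input.

```python
"""Inspect the flag bits of a raw TCP segment (RFC 793 fixed header layout)."""
import struct

# the six flag bits of the original TCP header, low bit first
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
HEADER_FMT = "!HHIIHHHH"   # src port, dst port, seq, ack, offset/flags, window, checksum, urgent ptr


def parse_tcp_header(segment: bytes) -> dict:
    """Return ports, sequence numbers, decoded flags and payload length of a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    src, dst, seq, ack, off_flags, window, _csum, _urg = struct.unpack(HEADER_FMT, segment[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes, options included
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("invalid data offset")
    bits = off_flags & 0x3F                      # the six classic flags; ECE/CWR/NS (later RFCs) sit above
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack, "window": window,
        "flags": {name: bool(bits & bit) for name, bit in TCP_FLAGS.items()},
        "payload_len": len(segment) - data_offset,
    }


def is_service_message(segment: bytes) -> bool:
    """Assumed rule for the service message the guard waits for: the segment carries payload
    and has neither FIN nor RST set (the description's condition) nor SYN (handshake, not data)."""
    h = parse_tcp_header(segment)
    f = h["flags"]
    return h["payload_len"] > 0 and not (f["FIN"] or f["RST"] or f["SYN"])


def is_reset(segment: bytes) -> bool:
    """The reset connection request of the fourth alternative embodiment: a segment with RST set."""
    return parse_tcp_header(segment)["flags"]["RST"]


def build_segment(src: int, dst: int, flags, payload: bytes = b"", seq: int = 0, ack: int = 0) -> bytes:
    """Construct a segment with a 20-byte header and no options; used here only to make test input."""
    bits = 0
    for name in flags:
        bits |= TCP_FLAGS[name]
    off_flags = (5 << 12) | bits                 # data offset 5 words = 20 bytes
    return struct.pack(HEADER_FMT, src, dst, seq, ack, off_flags, 65535, 0, 0) + payload
```

A bare ACK with no payload, which is what the third step of the handshake looks like, is deliberately not counted as a service message; otherwise every completed handshake would mark its source legitimate.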
Optionally, on the basis of the embodiments corresponding to Fig. 3, in a fifth alternative embodiment of the network attack defense method provided by the embodiment of the present invention, before the first TCP connection request sent by the client is received, the method may further include:
obtaining the connection concurrency of a target IP address;
and receiving the first TCP connection request sent by the client may include:
if the connection concurrency of the target IP address is greater than or equal to a connection concurrency threshold, receiving the first TCP connection request sent by the client.
In this embodiment, the network attack defense device generally triggers the protection flow only under a certain condition. First, the network attack defense device obtains the connection concurrency of at least one target IP address, a target IP address being an IP address that the network attack defense device is able to detect. Once the connection concurrency of a target IP address is greater than or equal to the connection concurrency threshold, a potential malicious attack is indicated, and the network attack defense device enables the protection flow and receives the first TCP connection request sent by the client.
Here the connection concurrency of a target IP address is the number of TCP connections currently established to it. Connection concurrency also characterises the processing capacity of the network attack defense device for its business information flows: the maximum number of point-to-point connections the device can handle at the same time, which reflects its access control capability and connection state tracking capability over many connections. Increasing connection concurrency consumes system memory, so the processing capacity of the central processing unit must be fully taken into account when the threshold is chosen.
Thus, in the embodiment of the present invention, the network attack defense device first obtains the connection concurrency of the target IP address and, if it is greater than or equal to the connection concurrency threshold, receives the first TCP connection request sent by the client. In this way, the connection exhaustion attack protection mechanism is triggered by the connection concurrency of the currently detected target IP address before the first TCP connection request is received, which improves the practicality and feasibility of the scheme.
The above embodiments describe the network attack defense method of the present invention from the perspective of the network attack defense device; the method is described below from the perspective of the client. Referring to Fig. 6, one embodiment of the network attack defense method in the embodiment of the present invention includes:
501. sending a first TCP connection request to the network attack defense device, the first TCP connection request carrying the IP address of the client;
In this embodiment, the client first sends a first TCP connection request carrying its IP address to the network attack defense device. The network attack defense device may perform a TCP three-way handshake with the client according to the first TCP connection request, and a TCP connection is established once the handshake succeeds.
502. receiving a first feedback request sent by the network attack defense device and, according to the first feedback request, refusing to send a second TCP connection request to the server, the first feedback request indicating that the IP address is an illegal IP address.
In this embodiment, after the network attack defense device establishes a TCP connection with the client, it judges whether the IP address corresponding to the client is an illegal IP address. If it is, the client establishes a TCP connection only with the network attack defense device and not with the server; that is, it refuses to send the second TCP connection request to the server.
The embodiment of the present invention thus provides a network attack defense method in which the client first sends a first TCP connection request carrying its IP address to the network attack defense device and, if that IP address is an illegal IP address, refuses to send a second TCP connection request to the server. In this way, the user need not configure illegal IP addresses one by one; instead, the network attack defense device establishes communication connections with clients having illegal IP addresses in place of the server, consuming their attacking connection requests, so that connection exhaustion attacks are effectively intercepted and the scheme can be applied flexibly to different business scenarios.
Optionally, on the basis of the embodiment corresponding to Fig. 6, a first alternative embodiment of the network attack defense method provided by the embodiment of the present invention may further include, after the first TCP connection request is sent to the network attack defense device:
sending a second TCP connection request to the server according to a second feedback request, the second TCP connection request being used to establish a communication connection between the client and the server, and the second feedback request indicating that the IP address is a legitimate IP address.
In this embodiment, if the network attack defense device detects that the IP address of the client is a legitimate IP address, the client sends the second TCP connection request directly to the server, and the server establishes a TCP connection with the client according to the second TCP connection request. It can be understood that, in practice, the client may also send the second TCP connection request to the network attack defense device, which forwards it to the server.
Thus, for a legitimate IP address, the client may send the second TCP connection request to the network attack defense device, which forwards it to the server, the second TCP connection request being used to establish a communication connection between the client and the server. In this way, a client with a legitimate IP address is regarded by the network attack defense device as a normal client, so normal clients are not mistakenly blocked; their TCP connection requests are forwarded to the server, which protects the availability of the server and the continuity of the business.
Optionally, on the basis of the first embodiment corresponding to Fig. 6, a second alternative embodiment of the network attack defense method provided by the embodiment of the present invention may further include, before the second TCP connection request is sent to the server:
receiving a reset connection request sent by the network attack defense device;
and sending the second TCP connection request to the server may include:
sending the second TCP connection request to the network attack defense device according to the reset connection request.
In this embodiment, if the IP address of the client is a legitimate IP address, the client is considered a safe client. Before the safe client establishes a TCP connection with the server, it must first send a TCP message to the network attack defense device, and the flags field of that TCP message has neither FIN nor RST set. The network attack defense device then disconnects the TCP connection with the safe client according to that TCP message and actively sends a reset connection request to the safe client, thereby notifying the safe client to send the second TCP connection request to the server according to the reset connection request; that is, the network attack defense device lets the safe client pass directly.
The reset connection request may specifically be an RST message; RST is one of the six flag bits of the TCP header as originally specified and indicates that the connection is to be reset.
Further, in the embodiment of the present invention, before sending the second TCP connection request to the network attack defense device, the client may first receive a reset connection request sent by the network attack defense device and then send the second TCP connection request to the network attack defense device according to it. This enhances the practicality and operability of the scheme.
For ease of understanding, the process of defending against a network attack in the present invention is described in detail below with a specific application scenario. Referring to Fig. 7, Fig. 7 is a schematic flow chart of the defense against a connection exhaustion attack in an application scenario of the present invention; specifically:
In step 601, the network attack defense device may specifically be a guard system. The guard system detects the connection concurrency of IP addresses in real time; after a connection exhaustion attack begins, the connection concurrency of the attacked IP surges;
In step 602, once a surge in the connection concurrency of an IP occurs, the protection state of the guard system is triggered;
In step 603, after the connection exhaustion attack protection state is triggered, the guard system performs the three-way handshake with each new client and establishes the TCP connection in place of the server. That is, for a client that the guard system has not yet added to its trust list, the newly established TCP connection cannot reach the server, which achieves the purpose of connection exhaustion protection;
In step 604, after establishing a TCP connection with a client, the guard system detects whether the client actively sends data within a certain time; if not, step 605 is entered; if so, the flow jumps to step 606;
In step 605, an attack client, having established a TCP connection with the guard system, does not actively send data to it, and the guard system disconnects the connection with the client after 15 minutes;
In step 606, a safe client, having established a TCP connection with the guard system, actively sends data to it, so the guard system regards the IP address corresponding to the client as a legitimate IP address and adds it to the trust list, while actively sending an RST message so that the client reconnects;
In step 607, after the client receives the RST message, the TCP connection established the first time is disconnected, and the client initiates a new TCP connection, which the guard system lets pass directly.
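The flow of steps 601 to 607, together with the concurrency trigger of the fifth alternative embodiment and the trust-list bypass of the third, can be expressed as a small decision model. The Python below is an added example and not the guard system's own code: `GuardSystem` tracks per-target connection concurrency, proxies the handshake once a threshold is reached, waits the preset time for payload, and either lists the client IP and resets the connection or tears the silent connection down. The threshold value, the per-port connection keys, the RFC 5737 documentation addresses and the event timeline in `simulate()` are all constructed for the illustration; the description gives only the 15-minute wait.

```python
"""Decision model of the guard system described in steps 601-607 (added illustration)."""
from typing import Dict, Set, Tuple

PRESET_TIME = 15 * 60          # seconds; the 15-minute value given in the description
CONCURRENCY_THRESHOLD = 1000   # assumed value; the description names no number

ConnKey = Tuple[str, int]      # (client IP, client port)


class GuardSystem:
    """Network attack defense device that completes the handshake in place of the server."""

    def __init__(self, preset_time: int = PRESET_TIME,
                 concurrency_threshold: int = CONCURRENCY_THRESHOLD) -> None:
        self.preset_time = preset_time
        self.threshold = concurrency_threshold
        self.legit_ips: Set[str] = set()                       # Table 1 / the trust list
        self.pending: Dict[ConnKey, Tuple[int, str]] = {}      # proxied conn -> (handshake time, target IP)
        self.concurrency: Dict[str, int] = {}                  # target IP -> current connection count
        self.protecting: Set[str] = set()                      # targets whose protection state is on
        # the description does not say when protection is switched off, so this model never clears it

    def on_syn(self, client_ip: str, client_port: int, target_ip: str, now: int) -> str:
        """First TCP connection request arrives. Returns 'forward' or 'proxy_handshake'."""
        self.concurrency[target_ip] = self.concurrency.get(target_ip, 0) + 1
        # steps 601-602 / fifth alternative embodiment: a surge past the threshold triggers protection
        if self.concurrency[target_ip] >= self.threshold:
            self.protecting.add(target_ip)
        if target_ip not in self.protecting:
            return "forward"
        # third alternative embodiment: an IP already in the list skips the proxied handshake
        if client_ip in self.legit_ips:
            return "forward"
        # step 603: the guard, not the server, completes the three-way handshake
        self.pending[(client_ip, client_port)] = (now, target_ip)
        return "proxy_handshake"

    def on_data(self, client_ip: str, client_port: int, now: int) -> str:
        """Service message (payload, no FIN/RST) on a proxied connection. Returns the guard's action."""
        entry = self.pending.pop((client_ip, client_port), None)
        if entry is None:
            return "ignore"                        # not a proxied connection
        t0, target_ip = entry
        self.concurrency[target_ip] -= 1           # the proxied connection ends either way
        if now - t0 >= self.preset_time:
            return "drop"                          # arrived after the window closed
        # step 606: behaviour looks legitimate; list the IP and send RST so the client reconnects
        self.legit_ips.add(client_ip)
        return "send_rst"

    def on_close(self, target_ip: str) -> None:
        """A forwarded (server-side) connection closed; keep the concurrency count accurate."""
        self.concurrency[target_ip] -= 1

    def expire(self, now: int) -> Set[str]:
        """Step 605: tear down proxied connections silent for preset_time; return the illegal IPs."""
        expired = [k for k, (t0, _) in self.pending.items() if now - t0 >= self.preset_time]
        illegal: Set[str] = set()
        for key in expired:
            _, target_ip = self.pending.pop(key)
            self.concurrency[target_ip] -= 1
            illegal.add(key[0])
        return illegal


def simulate() -> dict:
    """Constructed scenario: one attacker, one normal client, one server, threshold lowered to 3."""
    g = GuardSystem(preset_time=PRESET_TIME, concurrency_threshold=3)
    server = "203.0.113.10"                         # RFC 5737 documentation address, constructed
    attacker, normal = "198.51.100.7", "192.0.2.5"  # likewise constructed
    out = {}
    # t=0: the attacker opens three connections and never sends data; the third crosses the threshold
    out["attack_syns"] = [g.on_syn(attacker, 40000 + i, server, 0) for i in range(3)]
    # t=10: the normal client connects while protection is active, so it is proxied as well
    out["normal_syn"] = g.on_syn(normal, 50000, server, 10)
    # t=30: the normal client sends payload inside the window: IP listed, RST sent
    out["normal_data"] = g.on_data(normal, 50000, 30)
    # t=31: step 607, the client reconnects and its SYN now goes straight to the server
    out["normal_reconnect"] = g.on_syn(normal, 50001, server, 31)
    # t=15 min: the silent attacker connection is torn down and its IP judged illegal
    out["illegal"] = g.expire(PRESET_TIME)
    out["legit"] = set(g.legit_ips)
    out["attacker_late_data"] = g.on_data(attacker, 40002, PRESET_TIME + 1)
    return out
```

Two properties of the scheme are visible in the model and worth keeping in mind when deploying it: every proxied connection is state the guard itself holds for up to the preset time, so the guard's own connection capacity bounds how much it can absorb; and the legitimacy test is purely behavioural, so a client that sends any payload after the handshake is listed, which is why the check is a complement to, not a replacement for, rate limiting.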
The network attack defense device of the present invention is described in detail below. Referring to Fig. 8, the network attack defense device 70 in the embodiment of the present invention includes:
a first receiving module 701, configured to receive a first Transmission Control Protocol (TCP) connection request sent by a client, the first TCP connection request carrying the Internet Protocol (IP) address of the client;
a first judging module 702, configured to judge whether the IP address corresponding to the client is an illegal IP address;
a processing module 703, configured to, if the first judging module 702 judges that the IP address is an illegal IP address, establish a communication connection with the client according to the first TCP connection request received by the first receiving module 701 and refuse to send the first TCP connection request to the server.
In this embodiment, the first receiving module 701 receives the first TCP connection request sent by the client, which carries the IP address of the client; the first judging module 702 judges whether the IP address corresponding to the client is an illegal IP address; and if the first judging module 702 judges that it is, the processing module 703 establishes a communication connection with the client according to the first TCP connection request received by the first receiving module 701 and refuses to send the first TCP connection request to the server.
The embodiment of the present invention thus provides a network attack defense device that first receives a first TCP connection request carrying the client's IP address, then judges according to the reception condition of service messages whether the IP address corresponding to the client is an illegal IP address, and if so establishes a communication connection with the client according to the first TCP connection request and refuses to send the first TCP connection request to the server. In this way, the network attack defense device, acting as a guard system, establishes the communication connection with the client in place of the server and detects the legitimacy of the client IP address from the reception condition of service messages, without a connection total threshold or connection concurrency threshold having to be configured for each IP address before its legitimacy is detected, which improves configuration efficiency and the flexibility of the scheme.
Optionally, on the basis of the embodiment corresponding to Fig. 8, and referring to Fig. 9, in another embodiment of the network attack defense device 70 provided by the embodiment of the present invention,
the network attack defense device 70 further includes:
a second receiving module 704, configured to, if the first judging module 702 judges that the IP address corresponding to the client is a legitimate IP address, receive a second TCP connection request sent by the client;
a first sending module 705, configured to send the second TCP connection request received by the second receiving module 704 to the server, so that the server establishes a communication connection with the client according to the second TCP connection request.
Thus, in the embodiment of the present invention, for a legitimate IP address the network attack defense device directly receives the second TCP connection request sent by the client and forwards it to the server, so that the server establishes a communication connection with the client according to it. In this way, a client with a legitimate IP address is regarded by the network attack defense device as a normal client, so normal clients are not mistakenly blocked; their TCP connection requests are forwarded to the server, which protects the availability of the server and the continuity of the business.
Optionally, on the basis of the embodiment corresponding to Fig. 8 or Fig. 9, and referring to Fig. 10, in another embodiment of the network attack defense device 70 provided by the embodiment of the present invention,
the first judging module 702 includes:
a judging unit 7021, configured to judge whether a service message sent by the client is received within a preset time;
a first determining unit 7022, configured to determine that the IP address is an illegal IP address if the judging unit 7021 judges that no service message sent by the client is received within the preset time;
a second determining unit 7023, configured to determine that the IP address is a legitimate IP address if the judging unit 7021 judges that a service message sent by the client is received within the preset time, and to add the legitimate IP address to the legitimate IP address list.
Further, the embodiment of the present invention proposes a method for judging whether the IP address of the client is legitimate: judging whether a service message sent by the client is received within the preset time. If not, the IP address of the client is regarded as an illegal IP address; if a service message from the client is received within the preset time, the IP address of the client is regarded as a legitimate IP address and may be added to the legitimate IP address list. In this way, whether a client IP address is legitimate is determined reasonably, normal clients and attack clients are distinguished by analyzing client behaviour, and continuous attacks are defended against efficiently and accurately.
Optionally, on the basis of the embodiment corresponding to Fig. 10, and referring to Fig. 11, in another embodiment of the network attack defense device 70 provided by the embodiment of the present invention,
the network attack defense device 70 further includes:
a third receiving module 706, configured to receive a third TCP connection request sent by the client, the third TCP connection request carrying the IP address to be detected of the client;
a second judging module 707, configured to judge whether the IP address to be detected is in the legitimate IP address list and, if so, send the third TCP connection request received by the third receiving module 706 to the server, so that the server establishes a communication connection with the client according to the third TCP connection request.
Further, in the embodiment of the present invention, the network attack defense device may also receive a third TCP connection request sent by the client, which carries the IP address to be detected of the client. If the IP address to be detected is in the legitimate IP address list, the network attack defense device forwards the third TCP connection request to the server so that the server establishes a communication connection with the client according to it. In this way, the legitimate IP address list is used to judge the IP address to be detected directly, which saves the time of a three-way handshake between the client and the network attack defense device and improves defense efficiency.
Optionally, on the basis of the embodiment corresponding to Fig. 9, and referring to Fig. 12, in another embodiment of the network attack defense device 70 provided by the embodiment of the present invention,
the network attack defense device 70 further includes:
a second sending module 708, configured to send a reset connection request to the client before the second receiving module 704 receives the second TCP connection request sent by the client, the reset connection request being used to instruct the client to send the second TCP connection request.
Further, in the embodiment of the present invention, before receiving the second TCP connection request sent by the client, the network attack defense device may first send a reset connection request to the client, the reset connection request instructing the client to send the second TCP connection request. This enhances the practicality and operability of the scheme.
Optionally, on the basis of the embodiment corresponding to Fig. 8, and referring to Fig. 13, in another embodiment of the network attack defense device 70 provided by the embodiment of the present invention,
the network attack defense device 70 further includes:
an obtaining module 709, configured to obtain the connection concurrency of a target IP address before the first receiving module 701 receives the first TCP connection request sent by the client;
and the first receiving module 701 includes:
a receiving unit 7011, configured to receive the first TCP connection request sent by the client if the connection concurrency of the target IP address is greater than or equal to a connection concurrency threshold.
Thus, in the embodiment of the present invention, the network attack defense device first obtains the connection concurrency of the target IP address and, if it is greater than or equal to the connection concurrency threshold, receives the first TCP connection request sent by the client. In this way, the connection exhaustion attack protection mechanism is triggered by the connection concurrency of the currently detected target IP address before the first TCP connection request is received, which improves the practicality and feasibility of the scheme.
The network attack defense device of the present invention has been described above; the client of the present invention is described in detail below. Referring to Fig. 14, the client 80 in the embodiment of the present invention includes:
a first sending module 801, configured to send a first Transmission Control Protocol (TCP) connection request to the network attack defense device, the first TCP connection request carrying the Internet Protocol (IP) address of the client;
a refusing module 802, configured to receive a first feedback request sent by the network attack defense device and, according to the first feedback request, refuse to send a second TCP connection request to the server, the first feedback request indicating that the IP address is an illegal IP address.
In this embodiment, the first sending module 801 sends the first TCP connection request carrying the client's IP address to the network attack defense device, and the refusing module 802 receives the first feedback request sent by the network attack defense device and, according to it, refuses to send the second TCP connection request to the server, the first feedback request indicating that the IP address is an illegal IP address.
The embodiment of the present invention thus provides a client that first sends a first TCP connection request carrying its IP address to the network attack defense device and, if that IP address is an illegal IP address, refuses to send a second TCP connection request to the server. In this way, the user need not configure illegal IP addresses one by one; instead, the network attack defense device establishes communication connections with clients having illegal IP addresses in place of the server, consuming their attacking connection requests, so that connection exhaustion attacks are effectively intercepted and the scheme can be applied flexibly to different business scenarios.
Optionally, on the basis of the embodiment corresponding to Fig. 14, and referring to Fig. 15, in another embodiment of the client 80 provided by the embodiment of the present invention,
the client 80 further includes:
a second sending module 803, configured to, after the first sending module 801 sends the first TCP connection request to the network attack defense device, receive a second feedback request sent by the network attack defense device and send the second TCP connection request to the server according to the second feedback request, the second TCP connection request being used to establish a communication connection between the client and the server, and the second feedback request indicating that the IP address is a legitimate IP address.
Thus, for a legitimate IP address, the client may send the second TCP connection request to the network attack defense device, which forwards it to the server, the second TCP connection request being used to establish a communication connection between the client and the server. In this way, a client with a legitimate IP address is regarded by the network attack defense device as a normal client, so normal clients are not mistakenly blocked; their TCP connection requests are forwarded to the server, which protects the availability of the server and the continuity of the business.
Optionally, on the basis of the embodiment corresponding to Fig. 15, and referring to Fig. 16, in another embodiment of the client 80 provided by the embodiment of the present invention,
the client 80 further includes:
a receiving module 804, configured to receive a reset connection request sent by the network attack defense device before the second sending module 803 sends the second TCP connection request to the server;
and the second sending module 803 includes:
a sending unit 8031, configured to send the second TCP connection request to the network attack defense device according to the reset connection request received by the receiving module 804.
Further, in the embodiment of the present invention, before sending the second TCP connection request to the network attack defense device, the client may first receive a reset connection request sent by the network attack defense device and then send the second TCP connection request to the network attack defense device according to it. This enhances the practicality and operability of the scheme.
Figure 17 is a kind of network attack defence installation structural representation provided in an embodiment of the present invention, network attack defenceDevice 900 can be produced than larger difference because of configuration or performance difference, can include one or more central processing units(central processing units, CPU) 922 (for example, one or more processors) and memory 932, oneOr (such as one or more mass memories are set the storage medium 930 of more than one storage application program 942 or data 944It is standby).Wherein, memory 932 and storage medium 930 can be of short duration storage or persistently storage.It is stored in the journey of storage medium 930Sequence can include one or more modules (diagram is not marked), and each module can include to a series of fingers in serverOrder operation.Further, central processing unit 922 could be arranged to communicate with storage medium 930, in network attack defence installationThe series of instructions operation in storage medium 930 is performed on 900.
Network attack defence installation 900 can also include one or more power supplys 926, and one or more are wiredOr radio network interface 950, one or more input/output interfaces 958, and/or, one or more operating systems941, such as Windows ServerTM, Mac OS XTM, UnixTM, LinuxTM, FreeBSDTM etc..
It can be attacked in above-described embodiment as the step performed by network attack defence installation based on the network shown in the Figure 17Hit defence installation structure.
In an embodiment of the present invention, the CPU 922 included in the network attack defence device further has the following functions:
receiving a first TCP connection request sent by the client, where the first TCP connection request carries the Internet Protocol (IP) address of the client;
judging, according to the reception condition of service messages, whether the IP address corresponding to the client is an illegal IP address;
if the IP address is an illegal IP address, establishing a communication connection with the client according to the first TCP connection request, and refusing to send the first TCP connection request to the server.
Optionally, the CPU 922 is further configured to perform the following steps:
if the IP address is a legitimate IP address, receiving a second TCP connection request sent by the client;
sending the second TCP connection request to the server, so that the server establishes a communication connection with the client according to the second TCP connection request.
Optionally, the CPU 922 is specifically configured to perform the following steps:
judging whether a service message sent by the client is received within a preset time;
if no service message sent by the client is received within the preset time, determining that the IP address is an illegal IP address;
if a service message sent by the client is received within the preset time, determining that the IP address is a legitimate IP address, and adding the legitimate IP address to a legitimate IP address list.
Optionally, the CPU 922 is further configured to perform the following steps:
receiving a third TCP connection request sent by the client, where the third TCP connection request carries the IP address of the client that is to be detected;
judging whether the IP address to be detected is in the legitimate IP address list, and if so, sending the third TCP connection request to the server, so that the server establishes a communication connection with the client according to the third TCP connection request.
Optionally, the CPU 922 is further configured to perform the following step:
sending a reset connection request to the client, where the reset connection request is used to instruct the client to send the second TCP connection request.
Optionally, the CPU 922 is further configured to perform the following step:
obtaining the connection concurrency of a target IP address;
and the CPU 922 is specifically configured to perform the following step:
if the connection concurrency of the target IP address is greater than or equal to a connection concurrency threshold, receiving the first TCP connection request sent by the client.
An embodiment of the present invention further provides another client. As shown in Figure 18, for convenience of description only the parts related to the embodiment of the present invention are shown; for specific technical details that are not disclosed, refer to the method part of the embodiments of the present invention. The client may be any terminal device, including a mobile phone, a tablet computer, a personal digital assistant (PDA), a point-of-sale terminal (POS), a vehicle-mounted computer, etc. The following takes a mobile phone as an example of the client:
Figure 18 shows a block diagram of part of the structure of a mobile phone related to the terminal provided in an embodiment of the present invention. Referring to Figure 18, the mobile phone includes: a radio frequency (RF) circuit 1010, a memory 1020, an input unit 1030, a display unit 1040, a sensor 1050, an audio circuit 1060, a wireless fidelity (WiFi) module 1070, a processor 1080, a power supply 1090 and other parts. Those skilled in the art will understand that the mobile phone structure shown in Figure 18 does not constitute a limitation on the mobile phone: it may include more or fewer parts than illustrated, combine some parts, or arrange the parts differently.
Each component of the mobile phone is described below with reference to Figure 18:
The RF circuit 1010 may be used to receive and send signals while sending and receiving messages or during a call; in particular, after receiving downlink information from a base station it passes the information to the processor 1080 for processing, and it also sends uplink data to the base station. Generally, the RF circuit 1010 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low-noise amplifier (LNA), a duplexer, and so on. In addition, the RF circuit 1010 may also communicate with networks and other devices through wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to Global System for Mobile Communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS), etc.
The memory 1020 may be used to store software programs and modules, and the processor 1080 performs the various functional applications and data processing of the mobile phone by running the software programs and modules stored in the memory 1020. The memory 1020 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and so on, and the data storage area may store data created according to the use of the mobile phone (such as audio data, a phone book, etc.). In addition, the memory 1020 may include high-speed random access memory and may also include non-volatile memory, for example at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device.
The input unit 1030 may be used to receive input numeric or character information and to generate key signal inputs related to user settings and function control of the mobile phone. Specifically, the input unit 1030 may include a touch panel 1031 and other input devices 1032. The touch panel 1031, also called a touch screen, may collect touch operations by the user on or near it (such as operations performed by the user on or near the touch panel 1031 with a finger, a stylus or any other suitable object or accessory) and drive the corresponding connected device according to a preset program. Optionally, the touch panel 1031 may include two parts: a touch detection device and a touch controller. The touch detection device detects the touch position of the user, detects the signal produced by the touch operation, and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into contact coordinates, sends them to the processor 1080, and can receive and execute commands sent by the processor 1080. In addition, the touch panel 1031 may be implemented in various types, such as resistive, capacitive, infrared and surface acoustic wave. Besides the touch panel 1031, the input unit 1030 may also include other input devices 1032. Specifically, the other input devices 1032 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, a switch key, etc.), a trackball, a mouse, a joystick, and so on.
The display unit 1040 may be used to display information input by the user or information provided to the user, and the various menus of the mobile phone. The display unit 1040 may include a display panel 1041; optionally, the display panel 1041 may be configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED) display, or the like. Further, the touch panel 1031 may cover the display panel 1041; when the touch panel 1031 detects a touch operation on or near it, it passes the operation to the processor 1080 to determine the type of the touch event, and the processor 1080 then provides a corresponding visual output on the display panel 1041 according to the type of the touch event. Although in Figure 18 the touch panel 1031 and the display panel 1041 are two independent parts that implement the input and output functions of the mobile phone, in some embodiments the touch panel 1031 and the display panel 1041 may be integrated to implement the input and output functions of the mobile phone.
The mobile phone may also include at least one sensor 1050, such as a light sensor, a motion sensor and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor; the ambient light sensor may adjust the brightness of the display panel 1041 according to the brightness of the ambient light, and the proximity sensor may turn off the display panel 1041 and/or the backlight when the mobile phone is moved to the ear. As one kind of motion sensor, an accelerometer sensor can detect the magnitude of acceleration in all directions (generally three axes) and can detect the magnitude and direction of gravity when static; it may be used for applications that recognize the posture of the mobile phone (such as switching between landscape and portrait, related games, magnetometer posture calibration) and for vibration-recognition-related functions (such as a pedometer, tapping), etc. Other sensors, such as a gyroscope, a barometer, a hygrometer, a thermometer and an infrared sensor, may also be configured on the mobile phone, which will not be repeated here.
The audio circuit 1060, loudspeaker 1061 and microphone 1062 may provide an audio interface between the user and the mobile phone. The audio circuit 1060 may transmit the electrical signal converted from the received audio data to the loudspeaker 1061, which converts it into a sound signal for output; on the other hand, the microphone 1062 converts the collected sound signal into an electrical signal, which the audio circuit 1060 receives and converts into audio data; the audio data is then output to the processor 1080 for processing and sent through the RF circuit 1010 to, for example, another mobile phone, or output to the memory 1020 for further processing.
WiFi is a short-range wireless transmission technology. Through the WiFi module 1070, the mobile phone can help the user send and receive e-mail, browse web pages, access streaming media and so on; it provides the user with wireless broadband Internet access. Although Figure 18 shows the WiFi module 1070, it is understood that it is not a necessary component of the mobile phone and may be omitted as needed within a scope that does not change the essence of the invention.
The processor 1080 is the control centre of the mobile phone; it connects the various parts of the whole mobile phone through various interfaces and lines, and performs the various functions and data processing of the mobile phone by running or executing the software programs and/or modules stored in the memory 1020 and calling the data stored in the memory 1020, so as to monitor the mobile phone as a whole. Optionally, the processor 1080 may include one or more processing units; optionally, the processor 1080 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, the user interface, application programs and so on, and the modem processor mainly handles wireless communication. It is understood that the modem processor may also not be integrated into the processor 1080.
The mobile phone also includes a power supply 1090 (such as a battery) that supplies power to the various parts; optionally, the power supply may be logically connected to the processor 1080 through a power management system, so that functions such as charging, discharging and power consumption management are implemented by the power management system.
Although not shown, the mobile phone may also include a camera, a Bluetooth module and so on, which will not be repeated here.
In an embodiment of the present invention, the processor 1080 included in the terminal further has the following functions:
sending a first TCP connection request to a network attack defence device, where the first TCP connection request carries the Internet Protocol (IP) address of the client;
if the network attack defence device determines, according to the first TCP connection request, that the IP address of the client is an illegal IP address, receiving a first feedback request sent by the network attack defence device, and refusing, according to the first feedback request, to send a second TCP connection request to the server, where the first feedback request is used to indicate that the IP address is the illegal IP address.
Optionally, the processor 1080 is further configured to perform the following step:
if the IP address corresponding to the client is a legitimate IP address, receiving a second feedback request sent by the network attack defence device, and sending the second TCP connection request to the server according to the second feedback request, where the second TCP connection request is used to instruct the client to establish a communication connection with the server, and the second feedback request is used to indicate that the IP address is the legitimate IP address.
Optionally, the processor 1080 is further configured to perform the following step:
receiving a reset connection request sent by the network attack defence device;
and the processor 1080 is specifically configured to perform the following step:
sending the second TCP connection request to the network attack defence device according to the reset connection request.
Referring to Figure 19, Figure 19 is a schematic diagram of an embodiment of a network attack defence system in an embodiment of the present invention. The network attack defence system includes a network attack defence device 1101, a client 1102 and a server 1103, and in the network attack defence system:
the client 1102 sends a first TCP connection request to the network attack defence device 1101, where the first TCP connection request carries the Internet Protocol (IP) address of the client 1102;
the network attack defence device 1101 judges, according to the reception condition of service messages, whether the IP address corresponding to the client 1102 is an illegal IP address;
if the IP address is an illegal IP address, the network attack defence device 1101 establishes a communication connection with the client 1102 according to the first TCP connection request, and refuses to send the first TCP connection request to the server.
An embodiment of the present invention provides a network attack defence system. Specifically, the network attack defence device first receives a first TCP connection request sent by the client, where the first TCP connection request carries the Internet Protocol (IP) address of the client; the network attack defence device then judges, according to the reception condition of service messages, whether the IP address corresponding to the client is an illegal IP address; if the IP address is an illegal IP address, the device can establish a communication connection with the client according to the first TCP connection request and refuse to send the first TCP connection request to the server. In this way, the network attack defence device, acting as a protection system, can first establish the communication connection with the client on behalf of the server and detect the legitimacy of the client IP address according to the reception condition of service messages, without configuring a connection total threshold or a connection concurrency threshold for each IP address before the legitimacy of the IP address is detected, so that configuration efficiency is improved and the flexibility of the scheme is enhanced.
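The functions listed above for the CPU 922 of the defence device, the functions listed for the processor 1080 of the client, and the system embodiment of Figure 19 describe a single exchange: the device answers the client's first TCP connection request itself, waits a preset time for a service message, adds the client's IP address to the legitimate list and resets the connection if one arrives (so that the client's second request is forwarded to the server), or judges the address illegal and forwards nothing if none arrives. The following Python simulation is an added example and is not code from the patent or from Tencent; it models that decision logic with in-memory objects rather than real sockets. The class and message names (DefenceDevice, Client, Server, DEVICE-SYN-ACK, RST, FEEDBACK-ILLEGAL), the parameter values PRESET_TIME and CONCURRENCY_THRESHOLD, and the IP addresses are all assumptions chosen for the illustration; the patent names the concepts but gives no values.

```python
from dataclasses import dataclass, field

# Assumed parameter values: the patent names both concepts but gives no numbers.
PRESET_TIME = 5.0            # seconds to wait for a service message after the proxied handshake
CONCURRENCY_THRESHOLD = 100  # target connection concurrency at which the device starts proxying


@dataclass
class Server:
    """Protected server: it only sees the connection requests the device forwards."""
    connected: list = field(default_factory=list)

    def on_tcp_request(self, client_ip):
        self.connected.append(client_ip)
        return ("SERVER-SYN-ACK", client_ip)


@dataclass
class DefenceDevice:
    """Answers the first TCP request itself and judges the client by its service message."""
    server: Server
    legitimate: set = field(default_factory=set)     # the patent's legitimate IP address list
    illegal: set = field(default_factory=set)        # IPs that sent no service message in time
    pending: dict = field(default_factory=dict)      # client_ip -> deadline for a service message
    concurrency: dict = field(default_factory=dict)  # target_ip -> current connection concurrency

    def proxy_mode(self, target_ip):
        # Below the threshold the device stays transparent (the "connection concurrency" step).
        return self.concurrency.get(target_ip, 0) >= CONCURRENCY_THRESHOLD

    def on_tcp_request(self, client_ip, target_ip, now):
        # A client already on the legitimate list (the third TCP request) or a target that is
        # not under load is forwarded to the server without any proxying.
        if client_ip in self.legitimate or not self.proxy_mode(target_ip):
            return self.server.on_tcp_request(client_ip)
        # Otherwise the device completes the handshake itself and starts the preset timer.
        self.pending[client_ip] = now + PRESET_TIME
        return ("DEVICE-SYN-ACK", client_ip)

    def on_service_message(self, client_ip, now):
        deadline = self.pending.pop(client_ip, None)
        if deadline is not None and now <= deadline:
            self.legitimate.add(client_ip)
            # The reset tells the client to reconnect with the second TCP request.
            return ("RST", client_ip)
        self.illegal.add(client_ip)
        return ("FEEDBACK-ILLEGAL", client_ip)

    def expire(self, now):
        """Clients whose preset time elapsed without a service message are judged illegal."""
        feedback = []
        for client_ip, deadline in list(self.pending.items()):
            if now > deadline:
                del self.pending[client_ip]
                self.illegal.add(client_ip)
                feedback.append(("FEEDBACK-ILLEGAL", client_ip))
        return feedback


@dataclass
class Client:
    """Client behaviour from the patent: reconnect on reset, stop on the illegal feedback."""
    ip: str
    device: DefenceDevice
    sends_service_message: bool
    target_ip: str = "198.51.100.10"   # constructed address of the protected server

    def connect(self, now):
        """Returns the replies the client receives while connecting through the device."""
        trace = [self.device.on_tcp_request(self.ip, self.target_ip, now)]
        if trace[-1][0] == "DEVICE-SYN-ACK" and self.sends_service_message:
            trace.append(self.device.on_service_message(self.ip, now + 1.0))
            if trace[-1][0] == "RST":
                trace.append(self.device.on_tcp_request(self.ip, self.target_ip, now + 2.0))
        return trace


def run_scenario():
    """One normal client and one silent (handshake-only) client against a target under load."""
    server = Server()
    device = DefenceDevice(server)
    device.concurrency["198.51.100.10"] = CONCURRENCY_THRESHOLD  # constructed: target under load
    good = Client("203.0.113.5", device, sends_service_message=True)
    silent = Client("203.0.113.9", device, sends_service_message=False)
    good_trace = good.connect(now=0.0)
    silent_trace = silent.connect(now=0.0)
    late_feedback = device.expire(now=PRESET_TIME + 1.0)
    return {
        "good_trace": good_trace,
        "silent_trace": silent_trace,
        "late_feedback": late_feedback,
        "server_connected": server.connected,
        "legitimate": device.legitimate,
        "illegal": device.illegal,
    }
```

Calling run_scenario() shows the two outcomes side by side: the client that sends a service message sees DEVICE-SYN-ACK, then RST, then SERVER-SYN-ACK, and is the only address the server ever records, while the silent client sees only the device's handshake and is reported as illegal once the preset time has elapsed. Two properties of the scheme are visible in the model and worth checking in any deployment: the legitimate list is keyed by source IP address, so every client behind the same address shares one entry once it is added, and the list has no ageing in the text, so an operator would normally add an expiry to it.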
Those skilled in the art can clearly understand that, for convenience and brevity of description, for the specific working process of the system, device and unit described above, reference may be made to the corresponding process in the foregoing method embodiments, which will not be repeated here.
In the several embodiments provided by the present invention, it should be understood that the disclosed system, device and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative; for example, the division of the units is only a division of logical functions, and there may be other ways of division in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection of devices or units through some interfaces, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on such an understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present invention. The foregoing storage medium includes: a USB flash disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
The above embodiments are merely used to illustrate the technical solutions of the present invention, not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments or substitute equivalents for some of the technical features, and that these modifications or substitutions do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (14)

Application number: CN201710379453.3A | Priority date: 2017-05-25 | Filing date: 2017-05-25 | Title: A kind of defence method of network attack, relevant device and system | Status: Pending | Publication: CN107087007A (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201710379453.3A (CN107087007A (en)) | 2017-05-25 | 2017-05-25 | A kind of defence method of network attack, relevant device and system

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201710379453.3A (CN107087007A (en)) | 2017-05-25 | 2017-05-25 | A kind of defence method of network attack, relevant device and system

Publications (1)

Publication Number | Publication Date
CN107087007A (en) | 2017-08-22

Family

ID: 59607637

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN201710379453.3A (CN107087007A (en)) | A kind of defence method of network attack, relevant device and system | 2017-05-25 | 2017-05-25 | Pending

Country Status (1)

Country | Link
CN (1) | CN107087007A (en)


Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101175013A (en) * | 2006-11-03 | 2008-05-07 | 飞塔信息科技(北京)有限公司 | A denial of service attack protection method, network system and proxy server
CN101247261A (en) * | 2007-07-18 | 2008-08-20 | 北京高信达网络科技有限公司 | Method and apparatus for preventing DDoS attack
CN101478387A (en) * | 2008-12-31 | 2009-07-08 | 成都市华为赛门铁克科技有限公司 | Defense method, apparatus and system for hyper text transmission protocol attack
CN101594269A (en) * | 2009-06-29 | 2009-12-02 | 成都市华为赛门铁克科技有限公司 | A kind of detection method of unusual connection, device and gateway device
KR101263381B1 (en) * | 2011-12-07 | 2013-05-21 | 주식회사 시큐아이 | Method and apparatus for defending against denial of service attack in TCP/IP networks

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN107888659A (en) * | 2017-10-12 | 2018-04-06 | 北京京东尚科信息技术有限公司 | The processing method and system of user's request
CN109413037B (en) * | 2018-09-12 | 2021-11-16 | 奇安信科技集团股份有限公司 | Modbus service processing method and device
CN109413037A (en) * | 2018-09-12 | 2019-03-01 | 北京奇安信科技有限公司 | A kind of Modbus method for processing business and device
CN110049065A (en) * | 2019-05-21 | 2019-07-23 | 网易(杭州)网络有限公司 | Attack defense method, device, medium and the calculating equipment of security gateway
CN110830494A (en) * | 2019-11-14 | 2020-02-21 | 深信服科技股份有限公司 | IOT attack defense method and device, electronic equipment and storage medium
CN111147480A (en) * | 2019-12-25 | 2020-05-12 | 中国银联股份有限公司 | File access control method, device, device and medium
CN111064755A (en) * | 2020-01-14 | 2020-04-24 | 腾讯科技(深圳)有限公司 | Data protection method and device, computer equipment and storage medium
CN111526126A (en) * | 2020-03-29 | 2020-08-11 | 杭州迪普科技股份有限公司 | Data security transmission method, data security device and system
CN111526126B (en) * | 2020-03-29 | 2022-11-01 | 杭州迪普科技股份有限公司 | Data security transmission method, data security device and system
CN111628963A (en) * | 2020-04-01 | 2020-09-04 | 新华三信息安全技术有限公司 | Anti-attack method, device, equipment and machine readable storage medium
CN111628963B (en) * | 2020-04-01 | 2023-03-28 | 新华三信息安全技术有限公司 | Anti-attack method, device, equipment and machine readable storage medium
CN114070572A (en) * | 2020-07-30 | 2022-02-18 | 北京威努特技术有限公司 | Detection method and device for illegal TCP data stream and computer equipment
CN119316222A (en) * | 2024-11-22 | 2025-01-14 | 中网云安信创云计算(山东)有限公司 | Modbus TCP replay attack detection and control method based on industrial control network firewall
CN120263567A (en) * | 2025-06-05 | 2025-07-04 | 北京火山引擎科技有限公司 | Network connection method, device, storage medium, electronic device and program product for edge computing


Legal Events

Code | Title | Description
PB01 | Publication | Application publication date: 20170822
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication |
