CN114826634B - Message detection method, electronic equipment and storage medium

Publication number: CN114826634B
Application number: CN202110117289.5A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN114826634A
Inventor: 农乐安
Current Assignee: Sangfor Technologies Co Ltd
Original Assignee: Sangfor Technologies Co Ltd
Application filed by: Sangfor Technologies Co Ltd
Prior art keywords: message, tcp, received, fragment, tcp message

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a message detection method, electronic equipment and a storage medium. The method comprises the following steps: caching a first TCP message, the first TCP message being a received TCP message that has been determined not to contain an attack; and, when a retransmission data packet of the first TCP message is received within a first set time period, replacing the retransmission data packet with the cached first TCP message.

Description

Message detection method, electronic equipment and storage medium
Technical Field
The present application relates to the field of firewall detection technologies, and in particular, to a message detection method, an electronic device, and a storage medium.
Background
A firewall separates the internal network from the public network, and identifies and discards messages from the public network that may attack the internal network, thereby keeping the internal network secure. A firewall can identify attack messages by detecting retransmission packets, but in the related art retransmission packet detection identifies attacks with low accuracy.
Disclosure of Invention
Therefore, a main objective of the embodiments of the present application is to provide a message detection method, an electronic device, and a storage medium that solve the technical problem that retransmission packet detection identifies attacks with low accuracy.
To achieve the above objective, the technical solution of the embodiments of the present application is as follows:
An embodiment of the application provides a message detection method, which comprises the following steps:
caching a first Transmission Control Protocol (TCP) message, the first TCP message being a received TCP message that has been determined not to contain an attack;
and, when a retransmission data packet of the first TCP message is received within a first set time period, replacing the retransmission data packet with the cached first TCP message.
An embodiment of the application also provides another message detection method, which comprises the following steps:
predicting whether the server would perform a discard operation if a received segmented message were sent to the server; if it is predicted that the server would not perform the discard operation, determining that the corresponding segmented message is not an obfuscated message;
and performing message reassembly on the segmented messages determined not to be obfuscated messages, and performing attack feature detection on the reassembled message.
By predicting whether the server would discard a received segmented message, reassembling the segmented messages determined not to be obfuscated messages, and performing attack feature detection on the reassembled message, messages with abnormal fields are screened out first, and the message reassembled from messages with normal fields is then examined to determine whether it contains an attack, which improves the accuracy of attack detection on messages.
An embodiment of the application also provides an electronic device, characterized by comprising a processor and a memory for storing a computer program capable of running on the processor, wherein the processor is configured to execute the steps of any of the methods described above when running the computer program.
An embodiment of the application also provides a storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of any of the methods described above.
In the embodiments of the application, a first TCP message is cached, the first TCP message being a received TCP message that has been determined not to contain an attack. When a retransmission data packet of the first TCP message is received within the first set time period, the retransmission data packet is replaced with the cached first TCP message. The data packet forwarded to the server is therefore never a retransmission data packet carrying an attack, the server is protected from attacks delivered in retransmission data packets, and the accuracy with which retransmission packet detection identifies attacks is improved.
Drawings
Fig. 1 is a schematic implementation flow chart of a message detection method according to an embodiment of the present application;
Fig. 2a shows a detection deployment scenario commonly used in practical applications;
Fig. 2b shows another detection deployment scenario commonly used in practical applications;
Fig. 3 is a schematic implementation flow chart of another message detection method according to an embodiment of the present application;
Fig. 4 is a schematic diagram of a header structure of an IP packet according to an embodiment of the present application;
Fig. 5 is a schematic diagram of a header structure of a TCP packet according to an embodiment of the present application;
Fig. 6 is a schematic implementation flow chart of another message detection method according to an embodiment of the present application;
Fig. 7 is a schematic implementation flow chart of another message detection method according to an embodiment of the present application;
Fig. 8 is a schematic diagram of a structure of an electronic device according to an embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the accompanying drawings and examples.
Timeout retransmission is an important mechanism by which the TCP protocol ensures data reliability: a timer is started after data is sent, and if no acknowledgement for the data is received within a certain time, the data is retransmitted until an acknowledgement for it is received.
A TCP retransmission packet is a TCP message that is sent again with the same sequence number and the same length. The timeout retransmission mechanism guarantees the reliability of the TCP protocol, but an attacker can use it to repeatedly send messages whose sequence numbers match but whose contents differ, causing confusion. In the related art, a firewall forwards such a message directly to the server without checking whether its content is consistent; when a retransmission message with a matching sequence number but different content is an attack message, the server may be attacked after receiving it. That is, in the related art, retransmission packet detection cannot effectively identify and intercept attack messages.
Based on the above, the embodiments of the application provide a message detection method, electronic equipment and a storage medium. A first TCP message is cached, and when a retransmission data packet of the first TCP message is received within a first set time period, the retransmission data packet is replaced with the cached first TCP message. This ensures that the data packet forwarded to the server is not a retransmission data packet carrying an attack, protects the server from attacks delivered in retransmission data packets, and improves the accuracy with which retransmission packet detection identifies attacks.
Fig. 1 is a schematic implementation flow chart of a message detection method according to an embodiment of the present application. As shown in Fig. 1, the method includes:
Step 101: caching a first TCP message, the first TCP message being a received TCP message that has been determined not to contain an attack.
Here, when a received TCP message is detected not to contain an attack, it is cached as the first TCP message for use in subsequent retransmission.
Step 102: when a retransmission data packet of the first TCP message is received within a first set time period, replacing the retransmission data packet with the cached first TCP message.
Here, when a retransmission data packet of the first TCP message is received, it is not forwarded directly to the server. Instead, the received retransmission data packet is discarded and the cached first TCP message is sent to the server in its place. Therefore, even if the retransmission data packet carries an attack, the server is not affected, and the server is protected from attacks delivered in retransmission data packets.
To implement the method of the embodiments of the present application, Fig. 2a and Fig. 2b show detection deployment scenarios commonly used in practical applications. In Fig. 2a, a firewall is placed at the entrance of the network to the Internet; when external traffic passes through the firewall, the firewall detects and intercepts attack traffic, preventing hacker intrusion. In Fig. 2b, the firewall is deployed in bypass mode: either the firewall interface connected to the switch is set to mirror mode, so that all traffic flowing through the switch is copied to the firewall for detection, or policy routing is configured on the switch to steer the traffic to the firewall for detection. After the firewall has inspected the traffic sent to it, any abnormal traffic is marked as abnormal in the firewall.
In the embodiments of the application, a first TCP message is cached, the first TCP message being a received TCP message that has been determined not to contain an attack. When a retransmission data packet of the first TCP message is received within the first set time, the retransmission data packet is replaced with the cached first TCP message. The data packet forwarded to the server is therefore never a retransmission data packet carrying an attack, the server is protected from attacks delivered in retransmission data packets, and the accuracy with which retransmission packet detection identifies attacks is improved.
In addition, in the embodiments of the application, the first received TCP message may be assumed to be a TCP message that does not contain an attack, and it is cached to replace subsequent TCP messages. This scheme also falls within the protection scope of the application. Because it avoids performing attack feature detection, it improves the operating efficiency of devices such as firewalls and saves memory resources.
In an embodiment, the method further comprises:
releasing the cached first TCP message when a second TCP message is received, the second TCP message being the acknowledgement message for the first TCP message that the server returns after the first TCP message is sent to the server;
and/or,
discarding a third TCP message when the third TCP message is received after the second TCP message has been received, the sequence number of the third TCP message being smaller than that of the second TCP message.
The retransmission data packet of the first TCP message is replaced with the cached first TCP message, and the replacement is then sent to the server. After receiving the first TCP message, the server returns an acknowledgement message for it, indicating that the first TCP message sent has been received without error. Receiving the acknowledgement message that the server sends for the first TCP message therefore means that the first TCP message has been received successfully and the retransmission process has succeeded, so the cached first TCP message is released. This avoids overflowing the cache and ensures that first TCP messages sent subsequently can still be received.
In addition, the retransmission process continues until the server's acknowledgement message is received, and until then the first TCP message keeps being sent to the server. In time order, the first TCP message sent to the server first is acknowledged first, and the one sent last is acknowledged last. Once the acknowledgement message for the first TCP message returned by the server is received for the first time, retransmission has succeeded and the retransmission process ends. After the retransmission process has ended, any message received whose sequence number is smaller than that of the acknowledgement message sent by the server is discarded directly, which avoids repeated acknowledgement.
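The cache, substitute and release cycle of Steps 101 and 102 and the two rules above can be sketched as follows. This is an added example, not code from the patent: the class and method names, the 3-second hold time standing in for the "first set time period", and the reading of "sequence number smaller than that of the second TCP message" as a comparison against the server's acknowledgement number are assumptions, and attack detection itself is represented only by the is_clean argument.

```python
import time


def seq_lt(a: int, b: int) -> bool:
    """True if 32-bit sequence number a is before b (modular comparison)."""
    return ((a - b) & 0xFFFFFFFF) >= 0x80000000


class RetransmitGuard:
    """Cache of inspected-clean segments, keyed by flow, sequence number and length.

    hold_seconds stands in for the "first set time period"; its value and all
    names here are assumptions of this example.
    """

    def __init__(self, hold_seconds=3.0, clock=time.monotonic):
        self.hold_seconds = hold_seconds
        self.clock = clock
        self._cache = {}   # (flow, seq, length) -> (payload, expiry time)
        self._acked = {}   # flow -> latest acknowledgement number from the server

    def on_client_segment(self, flow, seq, payload, is_clean):
        """Return the bytes to forward to the server, or None to drop.

        is_clean is the verdict of attack detection on this payload, which
        this example does not implement.
        """
        ack = self._acked.get(flow)
        if ack is not None and seq_lt(seq, ack):
            return None                      # "third message": already acknowledged
        key = (flow, seq, len(payload))
        hit = self._cache.get(key)
        if hit is not None and self.clock() <= hit[1]:
            return hit[0]                    # retransmission: forward the cached copy
        if not is_clean:
            self._cache.pop(key, None)       # expired entry, and the new copy is flagged
            return None
        self._cache[key] = (payload, self.clock() + self.hold_seconds)
        return payload

    def on_server_ack(self, flow, ack):
        """Record the server's ACK and release the segments it fully covers."""
        prev = self._acked.get(flow)
        if prev is None or seq_lt(prev, ack):
            self._acked[flow] = ack
        for key in list(self._cache):
            end = (key[1] + key[2]) & 0xFFFFFFFF
            if key[0] == flow and not seq_lt(ack, end):
                del self._cache[key]

    def cached(self, flow):
        """Number of segments still held for this flow."""
        return sum(1 for key in self._cache if key[0] == flow)


if __name__ == "__main__":
    # Constructed sample traffic on one flow.
    guard = RetransmitGuard()
    flow = ("198.51.100.7", 40000, "192.0.2.10", 80)
    print(guard.on_client_segment(flow, 1000, b"GET /a", True))
    print(guard.on_client_segment(flow, 1000, b"GET /b", True))   # same seq and length
    guard.on_server_ack(flow, 1006)
    print(guard.on_client_segment(flow, 1000, b"GET /a", True))   # below the ACK
```

The content of a retransmission is never looked at once a cached copy exists, so a differing second copy cannot reach the server whatever it contains.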
Fig. 3 is a schematic implementation flow chart of another message detection method. Referring to Fig. 3, the method includes:
In an embodiment, before the caching of the first TCP message, the method further includes:
detecting the header field of a received IP fragment, and determining that the received IP fragment is an obfuscated message when the detection result meets at least one of the following:
the time to live (TTL) of the IP fragment is smaller than a set threshold;
the routing path of the IP fragment is not a set routing path;
the routing address of the last hop of the IP fragment is a set routing address, the set routing address being the address of the firewall;
the checksum of the IP fragment has an error;
the timestamp option of the IP fragment has an error;
and performing message reassembly on the IP fragments determined not to be obfuscated messages to obtain a TCP message, the TCP message being used for subsequent attack detection.
Fig. 4 shows a schematic diagram of the header structure of an IP packet. Referring to Fig. 4, Version is the version number of the IP protocol, IHL is the header length, Type of Service is the service type, Total Length is the total length, Identification is the identifier, Flags is the flags field, Fragment Offset is the fragment offset, Time to Live is the lifetime, Protocol is the protocol, Header Checksum is the header checksum, Source Address is the source IP address, Destination Address is the destination IP address, Options is the options field, and Padding is the padding.
Here, the TTL is the maximum number of hops over which an IP fragment can be forwarded in a computer network, and the TTL value is decremented by one each time the IP fragment is forwarded. Suppose the firewall receives an obfuscated message with an extremely small TTL and then receives an attack message with the same fields but a normal TTL. If the firewall does not check whether the TTL of the message is abnormal, the message with the small TTL and the message with the normal TTL are both placed directly into IP fragment reassembly, and the attack cannot be detected.
In general, the network devices that the messages of a session pass through are basically stable, so the TTL does not fluctuate greatly. If a very small TTL value suddenly appears, for example the TTL suddenly becomes 1 or even 0, the message is likely an obfuscated message that is attempting to bypass firewall detection. A message whose TTL value is smaller than the set threshold is therefore determined to be an obfuscated message, and once so determined it can be discarded directly.
An obfuscated message may use an illegal strict route, for example a next-hop routing address of 127.0.0.1, the local machine address reserved for testing, or 0.0.0.0, which represents all host IP addresses; or the routing address of a message received by the firewall may not be among the routing addresses set on the firewall. Such a message can bypass firewall detection. According to the definition of strict routing in RFC971, if a routing path is defined as A->B->C->D, each hop must be exactly the corresponding address: for example, the next-hop routing address of A must be B, and the next-hop routing address of B must be C. The firewall therefore checks whether the routing path in the routing option of the IP fragment is not a set routing path, which specifically includes the case where a next-hop routing address is not a routing address in the set routing path, and whether the routing address of the last hop of the message is the address of the firewall. Messages with such abnormal routing addresses are determined to be obfuscated messages and are discarded directly.
The purpose of the checksum is to check whether the message has been tampered with in transit. If the checksum of an IP fragment is found to be wrong, the IP fragment may have been tampered with, so an IP fragment with a checksum error is determined to be an obfuscated message and is discarded directly.
If the timestamp option of an IP fragment is found to contain an error, the IP fragment is determined to be an obfuscated message and is discarded. By checking the TTL, routing address, checksum and timestamp option in the header field of each IP fragment and discarding the message directly when an abnormality is found, abnormal messages are prevented from entering the subsequent detection process and causing an attack, and the accuracy of IP fragment header field detection is also improved.
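The header checks listed above can be applied to raw IPv4 header bytes as in the following sketch, an added example that is not code from the patent. The threshold value, the function names, the structural rules used to decide that a timestamp option "has an error", and the reading of "last hop" as the final address in the route option are assumptions; build_header only constructs sample input.

```python
import ipaddress
import struct

SSRR, LSRR, TIMESTAMP = 137, 131, 68  # IPv4 option type numbers (RFC 791)


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum; 0 over a header whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def iter_options(opts: bytes):
    """Yield (type, body) per option; raise ValueError on a malformed length."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            return
        if kind == 1:            # No Operation
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        yield kind, opts[i + 2:i + opts[i + 1]]
        i += opts[i + 1]


def timestamp_ok(body: bytes) -> bool:
    """Structural check of a timestamp option body (pointer, flags, data)."""
    if len(body) < 2:
        return False
    pointer, flags, data_len = body[0], body[1] & 0x0F, len(body) - 2
    unit = 4 if flags == 0 else 8          # timestamp only, or address + timestamp
    return (flags in (0, 1, 3) and data_len % unit == 0
            and 5 <= pointer <= data_len + 5 and (pointer - 5) % unit == 0)


def check_fragment_header(packet, min_ttl=5, set_route=None, firewall_addr=None):
    """Return the reasons to treat an IP fragment as obfuscated ([] = pass)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ["unparseable IPv4 header"]
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return ["unparseable IPv4 header"]
    header, reasons = bytes(packet[:ihl]), []
    if header[8] < min_ttl:
        reasons.append("ttl below threshold")
    if inet_checksum(header) != 0:
        reasons.append("checksum error")
    try:
        for kind, body in iter_options(header[20:]):
            if kind == TIMESTAMP and not timestamp_ok(body):
                reasons.append("timestamp option error")
            if kind in (SSRR, LSRR):
                if (len(body) - 1) % 4:      # one pointer byte, then 4-byte addresses
                    raise ValueError("malformed route option")
                hops = [ipaddress.IPv4Address(body[j:j + 4]) for j in range(1, len(body), 4)]
                if any(h.is_loopback or h.is_unspecified for h in hops):
                    reasons.append("illegal route address")   # e.g. 127.0.0.1, 0.0.0.0
                if set_route is not None and [str(h) for h in hops] != list(set_route):
                    reasons.append("route is not the set routing path")
                if firewall_addr and hops and str(hops[-1]) == firewall_addr:
                    reasons.append("last hop is the firewall")
    except ValueError as exc:
        reasons.append(str(exc))
    return reasons


def build_header(ttl, options=b""):
    """Constructed sample input: a first-fragment IPv4 header with a valid checksum."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    head = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + 8, 0x1234, 0x2000,
                       ttl, 6, 0,
                       ipaddress.IPv4Address("198.51.100.7").packed,
                       ipaddress.IPv4Address("192.0.2.10").packed) + options
    return head[:10] + struct.pack("!H", inet_checksum(head)) + head[12:]
```

A fragment for which the returned list is non-empty is dropped before reassembly; only fragments that return an empty list go on to be reassembled and inspected.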
In an embodiment, before step 101, the method further comprises:
when the offsets of at least two IP fragments overlap, overwriting the overlapping portion of the second IP fragment with the overlapping portion of the first IP fragment, wherein the first IP fragment is received before the second IP fragment.
An IP packet may need to cross several different physical networks on its way from the source host to the destination host. Because each network has a maximum transmission unit (MTU) for a data frame, an IP packet whose size exceeds the maximum transmission unit of the egress link is broken into fragments small enough to be transmitted over that link. Each fragment is re-encapsulated as an IP packet and transmitted independently, and the fragments are reassembled when they reach the destination host.
IP fragment reassembly means that when a message is received and the Flags field of its IP header indicates fragmentation, the fragments are spliced together according to Fragment Offset into a complete message.
When the offsets of IP fragments overlap or one contains another, for example when the second half of IP fragment ① overlaps the first half of IP fragment ②, different server operating systems handle the overlapping content differently: some overwrite the overlapping portion of IP fragment ① with that of IP fragment ②, and some overwrite the overlapping portion of IP fragment ② with that of IP fragment ①. An attacker exploits this difference to send the firewall obfuscated messages and thereby bypass its detection. In the embodiments of the application, the content of the IP fragment received first prevails. When an IP fragment with overlapping content is received, the overlapping portion of the IP fragment received first overwrites the overlapping portion of the second IP fragment received later. For example, if the second half of IP fragment ① overlaps the first half of IP fragment ②, and IP fragment ① is received before IP fragment ②, the overlapping portion of IP fragment ① overwrites that of IP fragment ②. Handling overlapping fragment offsets uniformly in this way ensures that the message received by the server is consistent with the message inspected by the firewall, and prevents an attacker from mounting an attack through the IP fragment reassembly process.
In an embodiment, the method further comprises:
performing TCP header field detection on a received TCP message, and determining that the TCP message is an obfuscated message when the detection result meets at least one of the following conditions:
the checksum of the TCP message has an error;
all flag bits of the TCP message are null;
all flag bits of the TCP message are non-null;
the urgent flag bit of the TCP message is not null and a payload exists;
the TCP message repeats the synchronize sequence number (SYN) flag on an established session;
a set option field of the TCP message has an error;
and performing message reassembly on the TCP messages determined not to be obfuscated messages to obtain an application layer message, the application layer message being used for subsequent attack detection.
Fig. 5 shows a schematic diagram of the header structure of a TCP packet. Referring to Fig. 5, Source Port is the source port, Destination Port is the destination port, Sequence Number is the sequence number of the first byte in the transmitted message, Acknowledgment Number is the acknowledgement sequence number, and Data Offset is the data offset. URG is the urgent flag bit, ACK is the acknowledgement flag bit, PSH is the push bit, RST is the reset flag, SYN is the synchronize sequence number flag, and FIN is the end flag. Window represents the free space in the receive buffer, Checksum is the checksum, and Urgent Pointer is the urgent pointer, which is meaningful only when the URG flag is set and indicates the offset of the urgent data from the value of the Sequence Number field.
The purpose of the checksum is to check whether the message has been tampered with in transit. If the checksum of a TCP message is found to be wrong, the TCP message has probably been tampered with, so a TCP message with a checksum error is determined to be an obfuscated message and is discarded directly.
Here, when all flag bits of a TCP message are detected to be null, the TCP message is discarded. All flag bits being null means that none of the SYN/ACK/PSH/FIN/RST/URG flags is present. According to the RFC793 specification, every message except the SYN message that is sent initially must carry the ACK flag bit, so a message whose flag bits are all null is likely an obfuscated message. A TCP message whose flag bits are all null is therefore determined to be an obfuscated message and is discarded directly.
When all flag bits of a TCP message are detected to be non-null, that is, each of the SYN/ACK/PSH/FIN/RST/URG flag bits has a value, the server cannot tell what the message is meant to express. A TCP message whose flag bits are all non-null is therefore determined to be an obfuscated message and is discarded directly.
When the urgent flag bit of a TCP message is detected to be non-null, the operating system usually takes only one byte of the urgent message for processing and does not process the other bytes, so it is necessary to check whether the other bytes carry a payload. When the detection result shows that such a payload exists, the TCP message whose urgent flag bit is non-null and which carries a payload is determined to be an obfuscated message and is discarded directly.
Sending the SYN flag indicates that a new TCP connection session is to be established. Repeatedly sending a TCP message with the SYN flag on a session whose connection is already established confuses the firewall and reinitializes the connection. When a TCP message is detected to repeat the SYN flag on an established session, it is therefore determined to be an obfuscated message and is discarded.
The options of a TCP message include the maximum segment size (MSS) option, the window scale factor option, the selective acknowledgement (SACK) option, the timestamp option and custom options. Different network protocol stacks handle abnormal TCP options differently: some ignore the option and some discard the message. So that all servers receive the same message, when the firewall detects a correctable option error in a TCP message, such as an error in the window scale factor option or the MSS option, it corrects the option directly to a correct value.
When the option field in the header of a TCP message is detected to contain an uncorrectable error, such as an error in the timestamp, SACK or custom options, the message is determined to be an obfuscated message, and the TCP message with the uncorrectable option error is discarded directly.
By checking the TCP header fields of TCP messages, messages that could mount an obfuscation attack through the TCP header fields are effectively identified and discarded, which prevents attacks that exploit TCP header field detection and improves the accuracy of attack identification.
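The flag and option conditions above can be expressed over raw TCP header bytes as in the following sketch, an added example that is not code from the patent. The names are assumptions, as are these choices: the URG rule follows the listed condition (URG set and any payload present), only the window scale value is corrected (clamped to the maximum shift of 14), and any option whose length is wrong is treated as uncorrectable. Checksum verification is left out because it needs the IP pseudo-header.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG
MSS, WINDOW_SCALE, SACK_PERMITTED, SACK, TIMESTAMPS = 2, 3, 4, 5, 8  # option kinds
FIXED_LEN = {MSS: 4, WINDOW_SCALE: 3, SACK_PERMITTED: 2, TIMESTAMPS: 10}


def normalize_options(opts: bytes):
    """Return (options, error): options with correctable values fixed, or
    (None, reason) when an option cannot be corrected."""
    out, i = bytearray(opts), 0
    while i < len(out):
        kind = out[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # No Operation
            i += 1
            continue
        if i + 1 >= len(out) or out[i + 1] < 2 or i + out[i + 1] > len(out):
            return None, f"option {kind}: bad length"
        length = out[i + 1]
        if kind in FIXED_LEN and length != FIXED_LEN[kind]:
            return None, f"option {kind}: bad length"
        if kind == SACK and (length < 10 or (length - 2) % 8):
            return None, f"option {kind}: bad length"
        if kind == WINDOW_SCALE:
            out[i + 2] = min(out[i + 2], 14)   # correctable: clamp the shift count
        i += length
    return bytes(out), None


def inspect_tcp_header(header: bytes, payload_len: int, established: bool):
    """Return (reasons, header_to_forward); header_to_forward is None on drop."""
    if len(header) < 20:
        return ["truncated TCP header"], None
    data_offset = (header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(header):
        return ["bad data offset"], None
    flags, reasons = header[13] & ALL_FLAGS, []
    if flags == 0:
        reasons.append("no flag set")
    if flags == ALL_FLAGS:
        reasons.append("every flag set")
    if flags & URG and payload_len > 0:
        reasons.append("URG with payload")
    if flags & SYN and established:
        reasons.append("SYN on established session")
    options, error = normalize_options(header[20:data_offset])
    if error:
        reasons.append(error)
    if reasons:
        return reasons, None
    # A caller that forwards a corrected header must also recompute the TCP checksum.
    return [], header[:20] + options + header[data_offset:]


def build_tcp_header(flags, options=b""):
    """Constructed sample input (checksum field left at 0; it is not checked here)."""
    options += b"\x00" * (-len(options) % 4)
    doff = 5 + len(options) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000, doff << 4, flags,
                       65535, 0, 0) + options
```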
In an embodiment, before step 101, the method further comprises:
when the contents of at least two received TCP messages overlap, overwriting the overlapping portion of the TCP message received at the second moment with the overlapping portion of the TCP message received at the first moment, wherein the first moment is before the second moment.
When the contents of at least two TCP messages overlap, the content of the TCP message received first prevails. When another TCP message with overlapping content is received, the overlapping portion of the TCP message received at the first moment overwrites the overlapping portion of the TCP message received at the second moment, the first moment being before the second moment. For example, if the second half of message ① overlaps the first half of message ②, and message ① is received before message ②, the overlapping portion of message ① overwrites that of message ②. This ensures that the message received by the server is consistent with the message inspected by the firewall, and prevents attacks during TCP stream reassembly.
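The first-received-wins rule, which the text applies both to overlapping IP fragments and to overlapping TCP messages, can be implemented with one buffer, shown here as an added example that is not code from the patent. The class and function names and the size limit are assumptions, and reassemble_last_wins is included only to show the divergent result that the other overlap behaviour described in the text would produce from the same input.

```python
class FirstWinsBuffer:
    """Reassembly buffer in which the bytes received first are authoritative.

    Offsets are byte offsets from the start of the datagram or stream: for IP
    fragments Fragment Offset * 8, for TCP the sequence number relative to the
    first data byte. max_size and all names are assumptions of this example.
    """

    def __init__(self, max_size=65535):
        self.max_size = max_size
        self._data = bytearray()
        self._seen = bytearray()          # 1 where a byte has already arrived

    def add(self, offset, chunk):
        """Store chunk; return (bytes_to_forward, rewritten_count)."""
        end = offset + len(chunk)
        if offset < 0 or end > self.max_size:
            raise ValueError("chunk outside the reassembly window")
        if end > len(self._data):
            grow = end - len(self._data)
            self._data.extend(bytes(grow))
            self._seen.extend(bytes(grow))
        forward, rewritten = bytearray(chunk), 0
        for i, value in enumerate(chunk):
            pos = offset + i
            if not self._seen[pos]:
                self._data[pos], self._seen[pos] = value, 1
            elif self._data[pos] != value:
                forward[i] = self._data[pos]   # earlier copy covers the later one
                rewritten += 1
        return bytes(forward), rewritten

    def contiguous(self):
        """Bytes from offset 0 up to the first hole: what detection can scan."""
        hole = self._seen.find(b"\x00")
        return bytes(self._data if hole < 0 else self._data[:hole])


def reassemble_last_wins(chunks):
    """The other behaviour the text mentions: later data covers earlier data."""
    out = bytearray()
    for offset, chunk in chunks:
        out.extend(bytes(max(0, offset + len(chunk) - len(out))))
        out[offset:offset + len(chunk)] = chunk
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample input: the second chunk overlaps two bytes of the first.
    chunks = [(0, b"HELLO WO"), (6, b"XXRLD")]
    buf = FirstWinsBuffer()
    for offset, chunk in chunks:
        print(buf.add(offset, chunk))
    print(buf.contiguous(), reassemble_last_wins(chunks))
```

Forwarding the bytes returned by add, rather than the chunk as received, is what keeps the server's view identical to the buffer the firewall inspects; a non-zero rewritten count shows that two copies of the same bytes disagreed.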
In an embodiment, after step 102, the method further comprises:
detecting the message delivered to the application layer by matching its content against a feature library of vulnerabilities, attack fingerprints and the like, or with a syntax and semantics engine; if the message matches a vulnerability or an attack fingerprint, the message is considered to contain an attack and is intercepted. Detecting application layer messages in this way prevents application layer attacks.
Fig. 6 is a flowchart of another message detection method according to an embodiment of the present application, referring to fig. 6, in an embodiment, the method further includes:
Step 601: pre-judging whether the server executes discarding operation or not if the received segmented message is sent to the server; if the server is not judged to execute the discarding operation in advance, determining that the corresponding segmented message is not the confusing message.
Here, it is determined in advance whether the server performs a discard operation if the received segment message is transmitted to the server. Typically, the server performs a discard operation when receiving a segmented message with field anomalies.
If the discarding operation is not executed, the segmented message is not a message with abnormal field, and the segmented message is determined not to be a confusing message.
If the judgment result shows that the server can execute the discarding operation, the segmented message is a message with abnormal field, and the segmented message is determined to be a confusing message.
Step 602: and carrying out message recombination on the determined segmented messages which are not the confusing messages, and carrying out attack characteristic detection based on the recombined messages.
Here, after determining that the message is not an obfuscated message, performing message reassembly on the determined message, and performing attack feature on the reassembled message, that is, further detection on the reassembled message is required, so as to determine whether the reassembled message is an attack message.
By judging whether the server can execute discarding operation on the received segmented message in advance and recombining the segmented message which is determined not to be the confusing message, carrying out attack characteristic detection on the recombined message, firstly screening out the message with abnormal field, detecting the message recombined from the message with normal field, and further determining whether the message is attacked or not, thereby improving the accuracy of the attack detection of the message.
The pre-judgment operation here does not represent that whether it is necessary to perform the discarding operation by communicating with the server, and it is possible to determine whether the discarding operation is performed by the server with a high probability by RFC documents or the like, and is merely a pre-judgment, and the pre-judgment result may be inconsistent with the actual operation of the server.
In an embodiment, the step 601 further includes:
detecting whether the header field of the segmented message meets a set condition;
if the header field of the segmented message is detected to meet the set condition, determining that the server would perform the discard operation.
Here, whether the server would perform the discard operation is determined by detecting whether the header field of the segmented message meets a set condition. The set condition may be that the header field of the segmented message contains an abnormality. If an abnormality is detected in the header field of the segmented message, it is determined that the server would perform the discard operation.
Judging whether the server would perform the discard operation by detecting whether the segmented message meets the set condition improves the efficiency of the judgment.
In an embodiment, the segmented message includes an IP fragment; the setting condition includes at least one of:
the time-to-live TTL of the IP fragments is smaller than a set threshold value;
the routing path of the IP fragment is not a set routing path;
The route address of the last hop of the IP fragment is a set route address; the set routing address characterizes the address of the firewall;
the checksum of the IP fragment has errors;
there is an error in the timestamp option of the IP fragment.
The TTL, routing address, checksum and timestamp option in the header field of the segmented message are detected, and the message is discarded directly when an abnormality is found during header field detection of the IP fragment. This prevents an abnormal message from entering the subsequent detection process and causing an attack, and also improves the accuracy of header field detection for IP fragments.
In an embodiment, the segmented message comprises a TCP message; the setting condition includes at least one of:
the checksum of the TCP message has errors;
all the flag bits of the TCP message are empty (none is set);
all the flag bits of the TCP message are non-empty (all are set);
the urgent (URG) flag bit of the TCP message is set and a payload is present;
the TCP message resends the synchronize sequence numbers (SYN) flag on a session whose connection is already established;
a set option field of the TCP message has an error.
By detecting the TCP header fields of TCP messages, messages that may carry an obfuscation attack in their TCP header fields are effectively identified and discarded, so that attack behavior in TCP header field detection is avoided and the accuracy of identifying attacks is improved.
In an embodiment, the set option field is an option field that cannot correct an error;
The method further comprises the steps of:
And if the TCP message comprises the option field capable of correcting the error, correcting the option field capable of correcting the error into a correct field.
Here, abnormal TCP option fields are handled differently under different network protocols: some ignore the option and some discard the message. So that all servers receive the same message, when correctable option errors are detected in the TCP message, such as errors in the window scale factor option and the MSS option, the firewall directly corrects them to correct option values.
When an uncorrectable error is detected in an option field of the TCP header, for example in the timestamp, SACK or a custom option, the message is determined to be an obfuscated message, and the TCP message with the uncorrectable option error is discarded directly.
By detecting the option fields of the TCP message, messages that may carry an obfuscation attack in their TCP option fields are effectively identified and discarded, so that attack behavior in TCP option field detection is avoided and the accuracy of identifying attacks is improved.
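The TCP header conditions and the option handling described above can be sketched as follows. This is an added example, not code from the patent: the function names, the six-bit flag mask, the MSS floor of 536 and the choice to treat a wrong option length as uncorrectable are assumptions, while the window scale limit of 14 comes from RFC 7323.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = 0x3F                  # the six classic flag bits (assumed scope)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE = 0, 1, 2, 3
OPT_SACK_OK, OPT_SACK, OPT_TS = 4, 5, 8
MAX_WSCALE = 14                   # RFC 7323 limit for the shift count
MSS_FLOOR = 536                   # assumed policy value, not from the patent


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 over a block whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src: bytes, dst: bytes, seg_len: int) -> bytes:
    return src + dst + struct.pack("!BBH", 0, 6, seg_len)


def normalize_options(opts: bytes):
    """Return (options, verdict): 'ok', 'corrected', or 'drop' (uncorrectable)."""
    out, i, verdict = bytearray(), 0, "ok"
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:            # the rest is padding
            out += opts[i:]
            break
        if kind == OPT_NOP:
            out.append(kind)
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            return None, "drop"        # option list cannot be parsed
        body = opts[i + 2:i + length]
        if kind == OPT_WSCALE and length == 3:
            if body[0] > MAX_WSCALE:   # correctable: clamp the shift count
                body, verdict = bytes([MAX_WSCALE]), "corrected"
        elif kind == OPT_MSS and length == 4:
            if struct.unpack("!H", body)[0] < MSS_FLOOR:
                body, verdict = struct.pack("!H", MSS_FLOOR), "corrected"
        elif kind in (OPT_WSCALE, OPT_MSS):
            return None, "drop"        # wrong length: treated as uncorrectable
        elif kind == OPT_TS and length != 10:
            return None, "drop"
        elif kind == OPT_SACK and (length < 10 or (length - 2) % 8):
            return None, "drop"
        elif kind == OPT_SACK_OK and length != 2:
            return None, "drop"
        out += bytes([kind, length]) + body
        i += length
    return bytes(out), verdict


def inspect_segment(src, dst, seg, established):
    """Return (verdict, reason, segment_to_forward) for one TCP segment."""
    if len(seg) < 20:
        return "drop", "truncated header", None
    pseudo = pseudo_header(src, dst, len(seg))
    if inet_checksum(pseudo + seg) != 0:
        return "drop", "bad checksum", None
    off_flags = struct.unpack("!H", seg[12:14])[0]
    hdr_len, flags = (off_flags >> 12) * 4, off_flags & ALL_FLAGS
    if hdr_len < 20 or hdr_len > len(seg):
        return "drop", "bad data offset", None
    payload = seg[hdr_len:]
    if flags == 0:
        return "drop", "no flags set", None
    if flags == ALL_FLAGS:
        return "drop", "all flags set", None
    if flags & URG and payload:
        return "drop", "URG with payload", None
    if flags & SYN and established:
        return "drop", "SYN on established session", None
    opts, verdict = normalize_options(seg[20:hdr_len])
    if verdict == "drop":
        return "drop", "uncorrectable option error", None
    if verdict == "corrected":         # rewrite options, then fix the checksum
        fixed = bytearray(seg[:20] + opts + payload)
        fixed[16:18] = b"\x00\x00"
        struct.pack_into("!H", fixed, 16, inet_checksum(pseudo + bytes(fixed)))
        return "forward", "options corrected", bytes(fixed)
    return "forward", "clean", seg


def build_segment(src, dst, flags, options=b"", payload=b"", seq=1000):
    """Constructed sample generator; ports, window and seq are arbitrary."""
    words = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIHHHH", 40000, 80, seq, 0, (words << 12) | flags, 65535, 0, 0)
    seg = hdr + options + payload
    csum = inet_checksum(pseudo_header(src, dst, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]
```

A corrected segment is forwarded with a recomputed checksum, so the server never sees the original option value and every receiving stack parses the same bytes the firewall inspected.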
In an embodiment, the method further comprises:
during segment reassembly, when the contents of at least two received segmented messages overlap, overwriting the overlapping part of the content of the segmented message received at the second moment with the overlapping part of the content of the segmented message received at the first moment; wherein the first moment is before the second moment;
and when no attack feature is detected based on the reassembled message, sending each overwritten segmented message to the server.
Here, if no attack feature is detected in the reassembled message, the reassembled message is a normal message, so the segmented messages on which the overwrite operation has been performed are sent to the server. This ensures that the segmented messages received by the server are consistent with the segmented messages detected in the firewall, and avoids attack behavior during reassembly.
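The overlap rule described above, for TCP messages and for segmented messages in general, can be sketched as follows. This is an added example, not code from the patent: the class and function names, the byte-map representation, the detection callback and the sample payloads are constructed for illustration.

```python
MOD = 1 << 32


class FirstWinsNormalizer:
    """Keeps the first-received copy of every byte of one TCP stream direction."""

    def __init__(self, isn: int):
        self.isn = isn          # sequence number of the first payload byte
        self.seen = {}          # relative offset -> byte value received first

    def accept(self, seq: int, data: bytes):
        """Return (segment_to_forward, rewritten_byte_count) for one arrival."""
        out, rewritten = bytearray(data), 0
        for i, value in enumerate(data):
            off = (seq - self.isn + i) % MOD      # survives sequence wrap-around
            first = self.seen.setdefault(off, value)
            if first != value:                    # conflicting overlap
                out[i] = first
                rewritten += 1
        return bytes(out), rewritten

    def stream(self) -> bytes:
        """Contiguous reassembled bytes from the start of the stream."""
        out, off = bytearray(), 0
        while off in self.seen:
            out.append(self.seen[off])
            off += 1
        return bytes(out)


def inspect_and_forward(arrivals, isn, has_attack_feature):
    """Overwrite overlaps, reassemble, detect; forward segments only if clean."""
    norm = FirstWinsNormalizer(isn)
    covered = [(seq, norm.accept(seq, data)[0]) for seq, data in arrivals]
    if has_attack_feature(norm.stream()):
        return [], norm.stream()
    return covered, norm.stream()


def receiver_view(segments, isn, policy):
    """Model a server stack that keeps the 'first' or the 'last' overlapping copy."""
    buf = {}
    for seq, data in segments:
        for i, value in enumerate(data):
            off = (seq - isn + i) % MOD
            if policy == "last" or off not in buf:
                buf[off] = value
    return bytes(buf[k] for k in sorted(buf))


# Constructed sample: the second arrival overlaps the first with different bytes.
ISN = 0xFFFFFFFC                                   # forces a sequence wrap
ARRIVALS = [(ISN, b"user=AAAA"), ((ISN + 5) % MOD, b"BBBB&x=1")]

if __name__ == "__main__":
    sent, seen = inspect_and_forward(ARRIVALS, ISN, lambda s: b"BLOCKED" in s)
    print("firewall inspected:", seen)
    print("raw, last-wins server:", receiver_view(ARRIVALS, ISN, "last"))
    print("forwarded, last-wins server:", receiver_view(sent, ISN, "last"))
```

Without the overwrite step, a server that keeps the last copy of overlapping bytes reassembles a different stream from the one the firewall inspected; after it, both overlap policies yield the inspected stream.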
In one embodiment, the message comprises a TCP message; the method further comprises the steps of:
caching the determined TCP message which is not the attack message;
when receiving a retransmission data packet of the TCP message, replacing the retransmission data packet with a corresponding cached TCP message;
and sending the replaced retransmission data packet to a server.
Here, if no attack feature is detected in the reassembled message, the reassembled message is a normal message, so the retransmission data packet on which the replacement operation has been performed is sent to the server. This ensures that the server receives a retransmission data packet that does not contain attack content, and avoids attack behavior during retransmission.
In an embodiment, the method further comprises:
releasing the cached first TCP message when a second TCP message is received; the second TCP message characterizes an acknowledgment message about the first TCP message that the server returns after the first TCP message has been sent to the server;
and/or,
discarding a third TCP message when the third TCP message is received after the second TCP message has been received; the sequence number of the third TCP message is smaller than the sequence number of the second TCP message.
Releasing the cached first TCP message prevents the cache from overflowing, so that first TCP messages sent subsequently can continue to be received.
After the retransmission process has finished, a message whose sequence number is smaller than that of the acknowledgment message sent by the server is discarded directly when it is received, which avoids repeated acknowledgment.
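The caching, replacement, release and discard steps described above can be sketched as follows. This is an added example, not code from the patent: the class and method names, the detection callback and the sample payloads are constructed, and it assumes that the "sequence number of the acknowledgment message" means the acknowledgment number the server returns.

```python
MOD = 1 << 32


def seq_lt(a: int, b: int) -> bool:
    """True when sequence number a precedes b in 32-bit modular arithmetic."""
    return ((a - b) % MOD) >= (1 << 31)


class RetransmitGuard:
    """Per-flow cache of segments that already passed attack detection."""

    def __init__(self, window: float):
        self.window = window    # the "first set time period", in seconds
        self.cache = {}         # seq -> (payload, time cached)
        self.acked = None       # highest acknowledgment number seen from server

    def on_client_segment(self, seq, payload, now, is_clean):
        """Return (action, payload_to_forward) for a client-to-server segment."""
        if self.acked is not None and seq_lt(seq, self.acked):
            return "drop-acked", None             # below what the server confirmed
        hit = self.cache.get(seq)
        if hit is not None and now - hit[1] <= self.window:
            return "forward-cached", hit[0]       # retransmission: send vetted copy
        if not is_clean(payload):                 # new or expired: detect again
            return "drop-attack", None
        self.cache[seq] = (payload, now)
        return "forward", payload

    def on_server_ack(self, ack: int) -> int:
        """Release cached segments fully covered by ack; return how many."""
        if self.acked is None or seq_lt(self.acked, ack):
            self.acked = ack
        done = [s for s, (p, _) in self.cache.items()
                if not seq_lt(ack, (s + len(p)) % MOD)]
        for s in done:
            del self.cache[s]
        return len(done)


if __name__ == "__main__":
    # Constructed sample: a retransmission whose bytes differ from the original.
    guard = RetransmitGuard(window=3.0)
    clean = lambda p: b"BLOCKED" not in p         # hypothetical detector
    print(guard.on_client_segment(1000, b"hello", 0.0, clean))
    print(guard.on_client_segment(1000, b"h3llo", 1.0, clean))
    print(guard.on_server_ack(1005), guard.on_client_segment(1000, b"hello", 2.0, clean))
```

Because the cached copy is what gets forwarded, a retransmission that carries different bytes under the same sequence number never reaches the server.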
Fig. 7 is a schematic flow diagram of another message detection method provided by an embodiment of the present application. Referring to Fig. 7, the reassembled message is an application layer message, and the method further includes:
Determining an abnormal level of the application layer message based on application layer protocol analysis when the attack characteristic is not detected based on the application layer message;
and determining whether to execute interception based on the abnormal level of the application layer message and whether the corresponding messages of the TCP layer and the IP layer have confusion.
Specifically, under the condition that the abnormal grade of the application layer message analyzed based on the application layer protocol is a first set grade, intercepting the application layer message;
determining the abnormal level of the corresponding message based on TCP/IP layer protocol analysis under the condition that the abnormal level of the application layer message based on the application layer protocol analysis is not the first set level;
Intercepting a corresponding message based on TCP/IP layer protocol analysis under the condition that the abnormal level of the corresponding message is a first set level;
Intercepting a corresponding message based on TCP/IP layer protocol analysis under the condition that the abnormal level of the corresponding message is a second set level and the corresponding message is an attack message;
releasing the corresponding message under the condition that the abnormal level of the corresponding message analyzed based on the TCP/IP layer protocol is a third set level; wherein,
The first set level is higher than the second set level, and the second set level is higher than the third set level.
Here, the anomaly level of the application layer packet is determined based on the application layer protocol parsing, and the anomaly level may be classified according to the influence degree of the anomaly of the application layer packet.
By classifying the messages analyzed by the application layer and the TCP/IP layer protocols, the messages with the anomalies can be intercepted more conveniently and intuitively, and the efficiency of identifying the abnormal messages is improved.
In order to realize the method of the embodiment of the application, the embodiment of the application also provides electronic equipment. Fig. 8 is a schematic diagram of a hardware composition structure of an electronic device according to an embodiment of the present application, where, as shown in fig. 8, the electronic device includes:
A communication interface 801 capable of information interaction with other devices such as a network device and the like;
A processor 802, connected to the communication interface 801 to implement information interaction with other devices, and configured to execute, when running a computer program, the method provided by one or more of the technical solutions on the electronic device side. The computer program is stored in the memory 803.
Specifically, the processor 802 is configured to cache a first TCP message, where the first TCP message characterizes a received TCP message that does not contain an attack; and, when a retransmission data packet of the first TCP message is received within a first set time period, to replace the retransmission data packet with the cached first TCP message.
In an embodiment, the processor 802 is further configured to release the cached first TCP message when a second TCP message is received; the second TCP message characterizes an acknowledgment message about the first TCP message that the server returns after the first TCP message has been sent to the server;
and/or,
to discard a third TCP message when the third TCP message is received after the second TCP message has been received; the sequence number of the third TCP message is smaller than the sequence number of the second TCP message.
In an embodiment, before the first TCP packet is received, the processor 802 is further configured to detect a header field of the received IP fragment, and determine that the received IP fragment is an obfuscated packet if the detection result meets at least one of the following:
the time-to-live TTL of the IP fragments is smaller than a set threshold value;
the routing path of the IP fragment is not a set routing path;
The route address of the last hop of the IP fragment is a set route address; the set routing address characterizes the address of the firewall;
the checksum of the IP fragment has errors;
the timestamp option of the IP fragment has errors;
and to perform message reassembly on the IP fragments determined not to be obfuscated messages to obtain a TCP message, where the TCP message is used for subsequent attack detection.
In an embodiment, the processor 802 is further configured to, before caching the first TCP message, when the offsets of at least two IP fragments overlap, overwrite the overlapping part at the offset of the second IP fragment with the overlapping part at the offset of the first IP fragment; wherein
the reception time of the first IP fragment is before the reception time of the second IP fragment.
In an embodiment, the processor 802 is further configured to perform TCP header field detection on the received TCP packet, and determine that the TCP packet is an obfuscated packet if the detection result meets at least one of the following:
The checksum of the TCP message has errors;
all the flag bits of the TCP message are null values;
all the flag bits of the TCP message are not null values;
The emergency flag bit of the TCP message is not null, and a payload exists;
the TCP message repeatedly sends a synchronous sequence number SYN mark on the established session;
setting option fields of the TCP message have errors;
and to perform message reassembly on the TCP messages determined not to be obfuscated messages to obtain an application layer message, where the application layer message is used for subsequent attack detection.
In an embodiment, the processor 802 is further configured to, before caching the first TCP message, when the contents of at least two received TCP messages overlap, overwrite the overlapping part of the content of the TCP message received at the second moment with the overlapping part of the content of the TCP message received at the first moment;
wherein
the first moment is before the second moment.
In an embodiment, the processor 802 is further configured to predict whether the server would perform a discard operation if the received segmented message were sent to the server; if it is predicted that the server would not perform the discard operation, to determine that the corresponding segmented message is not an obfuscated message;
and to perform message reassembly on the segmented messages determined not to be obfuscated messages, and perform attack feature detection based on the reassembled message.
In an embodiment, the processor 802 is further configured to detect whether a header field of the segmented message meets a set condition;
if the head field of the segmented message is detected to meet the set condition, determining that the server can execute the discarding operation.
In one embodiment, the message comprises an IP fragment message; the setting condition includes at least one of:
the time-to-live TTL of the IP message is smaller than a set threshold value;
The routing path of the IP fragment message is not a set routing path;
the route address of the last hop of the IP fragment message is a set route address; the set routing address characterizes the address of the firewall;
The checksum of the IP fragmentation message has errors;
The timestamp option of the IP fragment message is in error.
In one embodiment, the message comprises a TCP message; the setting condition includes at least one of:
the checksum of the TCP message has errors;
all the flag bits of the TCP message are null values;
all the flag bits of the TCP message are not null values;
The urgent flag bit of the TCP message is not null value, and there is payload;
the TCP message repeatedly sends a synchronous sequence number SYN mark on the session of the established connection;
There is an error in the set option field of the TCP message.
In an embodiment, the set option field is an option field that cannot correct an error; the processor 802 is further configured to correct the error-correctable option field to a correct field if the TCP packet includes the error-correctable option field.
In an embodiment, the processor 802 is further configured to, during segment reassembly, when the contents of at least two received segmented messages overlap, overwrite the overlapping part of the content of the segmented message received at the second moment with the overlapping part of the content of the segmented message received at the first moment; wherein the first moment is before the second moment;
and, when no attack feature is detected based on the reassembled message, to send each overwritten segmented message to the server.
In one embodiment, the message comprises a TCP message; the processor 802 is further configured to cache the determined TCP packet that is not an attack packet;
when receiving a retransmission data packet of the TCP message, replacing the retransmission data packet with a corresponding cached TCP message;
and sending the replaced retransmission data packet to a server.
In an embodiment, the reassembled packet is an application layer packet, and the processor 802 is further configured to determine, based on an application layer protocol parsing, an abnormal level of the application layer packet when no attack feature is detected based on the application layer packet;
and determining whether to execute interception based on the abnormal level of the application layer message and whether the corresponding messages of the TCP layer and the IP layer have confusion.
Of course, in actual practice, the various components in the electronic device are coupled together by a bus system 804. It is to be appreciated that the bus system 804 is employed to enable connected communications between these components. The bus system 804 includes a power bus, a control bus, and a status signal bus in addition to a data bus. But for clarity of illustration the various buses are labeled as bus system 804 in fig. 8.
The memory 803 in the embodiment of the present application is used to store various types of data to support the operation of the electronic device. Examples of such data include: any computer program for operating on an electronic device.
It is to be appreciated that the memory 803 can be either volatile memory or non-volatile memory, and can include both volatile and non-volatile memory. The non-volatile memory may be, among other things, a read-only memory (ROM, Read-Only Memory), a programmable read-only memory (PROM, Programmable Read-Only Memory), an erasable programmable read-only memory (EPROM, Erasable Programmable Read-Only Memory), an electrically erasable programmable read-only memory (EEPROM, Electrically Erasable Programmable Read-Only Memory), a ferromagnetic random access memory (FRAM, Ferromagnetic Random Access Memory), a flash memory (Flash Memory), a magnetic surface memory, an optical disk, or a compact disc read-only memory (CD-ROM, Compact Disc Read-Only Memory); the magnetic surface memory may be a disk memory or a tape memory. The volatile memory may be a random access memory (RAM, Random Access Memory), which acts as an external cache. By way of example and not limitation, many forms of RAM are available, such as static random access memory (SRAM, Static Random Access Memory), synchronous static random access memory (SSRAM, Synchronous Static Random Access Memory), dynamic random access memory (DRAM, Dynamic Random Access Memory), synchronous dynamic random access memory (SDRAM, Synchronous Dynamic Random Access Memory), double data rate synchronous dynamic random access memory (DDRSDRAM, Double Data Rate Synchronous Dynamic Random Access Memory), enhanced synchronous dynamic random access memory (ESDRAM, Enhanced Synchronous Dynamic Random Access Memory), synchronous link dynamic random access memory (SLDRAM, SyncLink Dynamic Random Access Memory), and direct memory bus random access memory (DRRAM, Direct Rambus Random Access Memory). The memory 803 described in the embodiments of the present application is intended to comprise, without being limited to, these and any other suitable types of memory.
The method disclosed in the above embodiment of the present application may be applied to the processor 802, or implemented by the processor 802. The processor 802 may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the methods described above may be performed by integrated logic circuitry in hardware or instructions in software in the processor 802. The processor 802 described above may be a general purpose processor, DSP, or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like. The processor 802 may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiment of the application can be directly embodied in the hardware of the decoding processor or can be implemented by combining hardware and software modules in the decoding processor. The software modules may be located in a storage medium in the memory 803 and the processor 802 reads the program in the memory 803 to perform the steps of the method in combination with its hardware.
The processor 802 implements the corresponding flow in the various methods of the embodiments of the application when executing the programs.
In an exemplary embodiment, the present application also provides a storage medium, i.e., a computer storage medium, in particular a computer readable storage medium, for example, including a memory 803 storing a computer program executable by the processor 802 to perform the steps of the aforementioned method. The computer readable storage medium may be FRAM, ROM, PROM, EPROM, EEPROM, flash Memory, magnetic surface Memory, optical disk, or CD-ROM.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus, terminal and method may be implemented in other manners. The device embodiments described above are only illustrative; for example, the division of the units is only a division by logical function, and there may be other divisions in practice, such as: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between devices or units may be electrical, mechanical or in other forms.
The units described as separate units may or may not be physically separate, and units displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated in one unit; the integrated units may be implemented in hardware or in hardware plus software functional units.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware associated with program instructions, where the foregoing program may be stored in a computer readable storage medium, and when executed, the program performs steps including the above method embodiments; and the aforementioned storage medium includes: a removable storage device, ROM, RAM, magnetic or optical disk, or other medium capable of storing program code.
Alternatively, if the above-described integrated units of the application are implemented in the form of software functional modules and sold or used as separate products, they may be stored in a computer-readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present application, in essence or in the part contributing to the prior art, may be embodied in the form of a software product that is stored in a storage medium and includes several instructions for causing an electronic device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a removable storage device, ROM, RAM, magnetic or optical disk, or other medium capable of storing program code.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (15)

1. A method for detecting messages, applied to a firewall, the method comprising:
Caching a first Transmission Control Protocol (TCP) message; the first TCP message characterizes a received TCP message that does not contain an attack;
when a retransmission data packet of the first TCP message is received within a first set time period, replacing the retransmission data packet with the cached first TCP message;
and sending the replaced retransmission data packet to a server.
2. The method for detecting a message according to claim 1, further comprising:
Under the condition that a second TCP message is received, releasing the cached first TCP message; the second TCP message characterizes a confirmation message which is returned by the server and is related to the first TCP message after the first TCP message is sent to the server;
And/or,
Discarding the third TCP message under the condition that the third TCP message is received after the second TCP message is received; and the sequence number of the third TCP message is smaller than that of the second TCP message.
3. The method for packet detection according to claim 1, wherein prior to said buffering the first TCP packet, the method further comprises:
detecting the header field of the received IP fragment, and determining the received IP fragment as an obfuscated message under the condition that the detection result accords with at least one of the following:
the time-to-live TTL of the IP fragments is smaller than a set threshold value;
the routing path of the IP fragment is not a set routing path;
The route address of the last hop of the IP fragment is a set route address; the set routing address characterizes the address of the firewall;
the checksum of the IP fragment has errors;
the timestamp option of the IP fragment has errors;
And carrying out message reassembly on the IP fragments determined not to be obfuscated messages to obtain TCP messages, wherein the TCP messages are used for subsequent attack detection.
4. A method for detecting a message according to any of claims 1-3, wherein before said buffering the first TCP message, the method further comprises:
in the case that there is an overlap of the offsets of at least two IP fragments, covering the overlapping portion of the first IP fragment offset to the overlapping portion of the second IP fragment offset; wherein,
The reception time of the first IP fragment is before the reception time of the second IP fragment.
5. A method for detecting a message according to any one of claims 1-3, wherein the method further comprises:
performing TCP header field detection on a received TCP message, and determining that the TCP message is an obfuscated message under the condition that a detection result accords with at least one of the following conditions:
The checksum of the TCP message has errors;
all the flag bits of the TCP message are null values;
all the flag bits of the TCP message are not null values;
The emergency flag bit of the TCP message is not null, and a payload exists;
the TCP message repeatedly sends a synchronous sequence number SYN mark on the established session;
setting option fields of the TCP message have errors;
And carrying out message reassembly on the TCP messages determined not to be obfuscated messages to obtain an application layer message, wherein the application layer message is used for subsequent attack detection.
6. A method for detecting a message according to any of claims 1-3, wherein before said buffering the first TCP message, the method further comprises:
When the contents of at least two received TCP messages are overlapped, overlapping parts of the contents of the TCP messages received at the first moment are covered to overlapping parts of the contents of the TCP messages received at the second moment; wherein,
The first time is before the second time.
7. A method for detecting messages, applied to a firewall, the method comprising:
predicting whether the server would execute a discarding operation if the received segmented message were sent to the server; if it is predicted that the server would not execute the discarding operation, determining that the corresponding segmented message is not an obfuscated message;
Carrying out message reassembly on the segmented messages determined not to be obfuscated messages, and carrying out attack feature detection based on the reassembled message;
the segmented message comprises a TCP message; the method further comprises the steps of:
caching the determined TCP message which is not the attack message;
when receiving a retransmission data packet of the TCP message, replacing the retransmission data packet with a corresponding cached TCP message;
and sending the replaced retransmission data packet to a server.
8. The method for detecting a message according to claim 7, wherein the predicting whether the server will perform a discard operation if the received segmented message is sent to the server comprises:
Detecting whether the head field of the segmented message meets a set condition;
if the head field of the segmented message is detected to meet the set condition, determining that the server can execute the discarding operation.
9. The method for detecting a message according to claim 8, wherein the segmented message comprises an IP fragment message; the setting condition includes at least one of:
the time-to-live TTL of the IP fragment message is smaller than a set threshold value;
The routing path of the IP fragment message is not a set routing path;
the route address of the last hop of the IP fragment message is a set route address; the set routing address characterizes the address of the firewall;
The checksum of the IP fragmentation message has errors;
The timestamp option of the IP fragment message is in error.
10. The message detection method according to claim 8 or 9, wherein the segmented message comprises a TCP message; the set condition includes at least one of:
the checksum of the TCP message has an error;
all the flag bits of the TCP message are null values;
all the flag bits of the TCP message are non-null values;
the urgent flag bit of the TCP message is not a null value and a payload is present;
the TCP message repeats the synchronize sequence number (SYN) flag on a session whose connection is already established;
a set option field of the TCP message has an error.
11. The message detection method according to claim 10, wherein the set option field is an option field whose errors cannot be corrected;
the method further comprising:
if the TCP message includes an option field whose errors can be corrected, correcting that option field to a correct field.
12. The message detection method according to claim 7, further comprising:
during segment reassembly, when the contents of at least two received segmented messages overlap, overwriting the overlapping part of the content of the segmented message received at a second time with the overlapping part of the content of the segmented message received at a first time; wherein the first time is before the second time;
and when no attack characteristic is detected based on the reassembled message, sending each overwritten segmented message to the server.
13. The message detection method according to any one of claims 7 to 9, wherein the reassembled message is an application layer message; the method further comprising:
when no attack characteristic is detected based on the application layer message, determining an abnormality level of the application layer message based on application layer protocol analysis;
and determining whether to perform interception based on the abnormality level of the application layer message and on whether the corresponding TCP-layer and IP-layer messages exhibit confusion.
14. An electronic device, comprising: a processor and a memory for storing a computer program capable of running on the processor,
wherein the processor is adapted to perform the steps of the method of any of claims 1-13 when the computer program is run.
15. A storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method according to any of claims 1-13.
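The TCP header conditions of claim 10 can be checked as in the following added example, which is not code from the patent. It covers the checksum and flag-bit conditions only (option-field checks are omitted), and the function names, the six-bit flag mask, the ports and the sample addresses are assumptions made for the illustration.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG  # assumption: six classic flag bits
SRC, DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])  # constructed addresses

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the TCP checksum (protocol number 6)."""
    return src + dst + struct.pack("!BBH", 0, 6, tcp_len)

def build_segment(src, dst, seq, flags, payload=b"", corrupt=False):
    """Build a constructed TCP segment with a 20-byte header for the demo."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, flags, 65535, 0, 0)
    csum = inet_checksum(pseudo_header(src, dst, len(hdr) + len(payload)) + hdr + payload)
    if corrupt:
        csum = (csum + 1) & 0xFFFF  # off by one, so verification always fails
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def discard_reasons(src, dst, segment, established):
    """Return the claim-10 conditions this segment meets (empty list = none)."""
    if len(segment) < 20:
        return ["truncated header"]  # parsing guard, not a claim condition
    reasons = []
    # A valid segment sums to 0xFFFF with its checksum, i.e. complements to 0.
    if inet_checksum(pseudo_header(src, dst, len(segment)) + segment) != 0:
        reasons.append("checksum error")
    flags = segment[13] & ALL_FLAGS
    payload = segment[(segment[12] >> 4) * 4:]  # data offset is in 32-bit words
    if flags == 0:
        reasons.append("all flags null")
    if flags == ALL_FLAGS:
        reasons.append("all flags set")
    if flags & URG and payload:
        reasons.append("URG with payload")
    if flags & SYN and established:
        reasons.append("SYN on established session")
    return reasons
```

A non-empty result corresponds to the prediction in claim 8 that the server would discard the segment, so the firewall would keep it out of reassembly.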
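The overlap handling of claim 12 and the retransmission replacement of claim 7 both amount to "the bytes received first win", shown here as an added example that is not code from the patent. The class and function names and the sample segments are assumptions; sequence-number wraparound is ignored and segments are processed as one batch for brevity.

```python
class FirstWinsStream:
    """One direction of a TCP session; sequence-number wraparound is ignored."""

    def __init__(self, isn: int):
        self.start = isn   # sequence number of the first payload byte
        self.seen = {}     # sequence number -> byte first received at that position

    def normalize(self, seq: int, data: bytes) -> bytes:
        """Cache bytes at new positions and return the segment with every
        already-seen position overwritten by the earlier (cached) byte."""
        return bytes(self.seen.setdefault(seq + i, b) for i, b in enumerate(data))

    def reassembled(self) -> bytes:
        """Contiguous bytes from the start of the stream up to the first gap."""
        out, pos = bytearray(), self.start
        while pos in self.seen:
            out.append(self.seen[pos])
            pos += 1
        return bytes(out)


def inspect_and_forward(stream, segments, signatures):
    """Normalize each (seq, data) segment, run signature matching on the
    reassembled stream, and return the segments to forward ([] on a match)."""
    forwarded = [(seq, stream.normalize(seq, data)) for seq, data in segments]
    view = stream.reassembled()
    if any(sig in view for sig in signatures):
        return []
    return forwarded


# Constructed sample: an overlapping segment and a retransmission whose
# content differs from what was first received at the same positions.
SEGMENTS = [
    (1000, b"HELLO WORLD"),   # first copy of bytes 1000..1010
    (1006, b"THERE!!"),       # overlaps 1006..1010, adds 1011..1012
    (1000, b"JELLO WORLD"),   # retransmission with an altered first byte
]
```

Because the forwarded segments carry the cached bytes, the stream the server assembles matches the stream the firewall inspected, whichever overlap policy the server's TCP stack applies.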
CN202110117289.5A 2021-01-28 2021-01-28 Message detection method, electronic equipment and storage medium Active CN114826634B (en)

Publications (2)

Publication Number Publication Date
CN114826634A 2022-07-29
CN114826634B 2024-08-27

Family

ID=82525690

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant