Method for implementing firewall chip participation in SYN proxy

A firewall chip technology, applied in the network field, that addresses the chip not being fully used and the acceleration chip's performance gain not being reflected in the system, so as to achieve the effect of ensuring integrity, good scalability and flexibility.

Active Publication Date: 2008-10-29
BEIJING TOPSEC NETWORK SECURITY TECH

AI Technical Summary

Problems solved by technology

However, this processing method has obvious disadvantages: for a server protected by the SYN proxy, legitimate normal communication must also be handled by the general-purpose CPU, so the chip's fast-forwarding advantage cannot be fully used and the acceleration chip's performance gain is not reflected in the system.


Examples


Embodiment Construction

[0019] The method of the present invention will be further described below in conjunction with specific examples.

[0020] For the convenience of description, hereinafter, the "firewall chip" is referred to as "chip" for short, and the "software running on a general-purpose CPU" is referred to as "software" for short.

[0021] A complete SYN proxy is realized through the cooperation of the firewall chip and the software, so as to make full use of the firewall chip's fast-forwarding advantage.

[0022] First, the chip receives the SYN packet initiated by the client, extracts the message header information for judgment, and if it is found to be the first message of the TCP three-way handshake, it will be handed over to the software for processing;

[0023] Secondly, the software checks the firewall rules, and if the result of the check is that the access is allowed and the destination host of the access is protected by the SYN proxy, the SYN proxy processing flow is started...


Abstract

The invention discloses a method for having a firewall chip take part in the SYN proxy. The SYN proxy's negotiation process is completed by software running on a general-purpose CPU. After the negotiation with the server is finished, the software records the difference of the TCP sequence numbers in the connection table data structure and then releases the dedicated SYN proxy data structure that was originally allocated. For normal communication on an established connection, the firewall chip processes the packets rapidly on the basis of translating the TCP sequence numbers. In this method, complex processing that consumes memory resources, such as maintaining TCP connection state and retransmitting data packets, is carried out by the software running on the general-purpose CPU, which ensures the completeness of the SYN proxy function. While the method resists a SYN Flood attack, legitimate normal communication can still be forwarded rapidly by the chip, which improves system performance.

Description

Technical field

[0001] The invention belongs to the field of network technology and relates to network security and networking technology, in particular to a method for resisting synchronous flood (SYN flood) attacks.

Background technique

[0002] SYN Flood is a widely used attack method that uses the characteristics of the TCP protocol to carry out the attack. Usually, the establishment of a TCP connection includes the following three steps:

[0003] (1) The client sends a SYN packet to the server;

[0004] (2) The server allocates certain resources to the connection, returns a SYN/ACK packet, and waits for the final ACK packet that establishes the connection;

[0005] (3) Finally, the client sends an ACK packet to the server to complete the establishment of the TCP connection.

[0006] A SYN Flood attack continuously sends SYN packets without returning ACK packets, resulting in excessive occupation of server system resources, so that the server is unable to respond to other operat...


Application Information

Patent Type & Authority: Applications (China)
IPC: IPC(8): H04L29/06, H04L9/00
Inventor: 吴亚飚
Owner: BEIJING TOPSEC NETWORK SECURITY TECH