ACK Flood attack protection method and intermediate protection device

Abstract

The invention discloses an ACK Flood attack protection method and an intermediate protection device for improving the ACK Flood attack protection effect while ensuring a non-interrupted connection between clients and target servers. The method comprises the steps that the intermediate protection device generates corresponding detection messages based on to-be-processed ACK messages respectively, discards the to-be-processed ACK messages, respectively returns the detection messages to corresponding clients, whether the clients returning detection response messages are legal clients, and to-be-processed ACK messages retransmitted by the legal clients are sent to corresponding target servers; and the clients that do not return the detection response messages are determines as illegal clients. In this way, the intermediate protection device can identify the illegal clients while ensuring the non-interrupted connection between clients and target servers so as to improve the ACK Flood attack protection effect.

Description

technical field [0001] The invention relates to the technical field of attack defense, in particular to a protection method and an intermediate protection device for ACK Flood attacks. Background technique [0002] Before transmitting data, a connection needs to be established between the client and the target server, which is the so-called three-way handshake. After the three-way handshake is completed, the client and the target server can transmit data through an Acknowledgment (ACK) message. . During data transmission, after the target server receives the ACK message sent by the client, it will judge whether the source Internet Protocol (Internet Protocol, IP) address and source port carried in the ACK message are stored in the local session table, and determine If it is not stored in the local session table, it is determined that the ACK message is an illegal ACK message, and the illegal ACK message is directly discarded. [0003] Usually, the attacker will attack the ...

AI Technical Summary

Problems solved by technology

[0009] (1) For the above-mentioned first protection method, although the illegal client is identified, the connection between the legitimate client and the target server is also interrupted, which affects most services of the legitimate client (such as games, calls, etc.) normal business), which in turn affects the user experience

[0010] (2) For the above-mentioned second protection method, the illegal client is likely to break through the TCP retransmission mechanism. If the retransmission of the ACK message is realized within a fixed time range, the intermediate protection device will not be able to identify the illegal client , the target server will still be attacked

[0011] (3) For the above-mentioned third protection method, after receiving the second ACK message, it is necessary to search the session table for a speculative message that matches the second message information carried by the second ACK message In this way, because there are too many ACK messages received, when the intermediate protection device processes these ACK messages, it will not only occupy a large amount of memory to record these speculative message information, but also consume a large amount of processing resources for matching, thus The performance of the intermediate protective device is reduced, which in turn affects the protective effect

Images