A message attack defense method and device

Abstract

The application relates to the field of anti-message attack, particularly to a message anti-attack method and a message anti-attack device, wherein the method comprises the following steps of: monitoring the number of the first messages received in a first preset time length and carrying a same first target parameter; if the number of the first messages reaches a preset first threshold, adding thefirst target parameter into a preset anti-attack blacklist, and deleting the plurality of quintuple information with the first target parameter in the anti-attack blacklist, wherein the first targetparameter includes at least one of the five parameters corresponding to the quintuple information of the messages, and the deleted quintuple information in the anti-attack blacklist is added into theanti-attack blacklist when the number of the second messages received in a second preset time length and carrying the quintuple information reaches a second preset threshold. The application is capable of saving the blacklist resources on the basis of effectively defending against the message attacks.

Description

technical field [0001] The present application relates to the technical field of message attacks, and in particular, relates to a method and device for preventing message attacks. Background technique [0002] Transmission Control Protocol Denial of Service Attack (TCP SYN FLOOD) is a common attack method in the network. Its principle is to use the Transmission Control Protocol (Transmission Control Protocol, TCP) protocol to mark a large number of Synchronize Sequence Numbers (SYN) at position 1 The packets are sent to the interface of the network device or server (hereinafter referred to as the device) to impact the main control CPU of the device through a large number of SYN messages, so that the processing resources of the main control CPU of the device are exhausted, resulting in the failure to establish normal services. Therefore, most existing devices need to defend against TCP SYN FLOOD attacks. [0003] In the prior art, the defense method against the TCP SYN FLOOD...

AI Technical Summary

Problems solved by technology

[0004] However, the resources of the blacklist in the device are limited, and in actual situations, TCP SYN FLOOD attacks may constantly change the source port or the interconnection protocol (Internet Protocol, IP) address between the source networks, and in this case Compared with the number of attack packets whose quintuple information remains unchanged, the number of attack packets under the following conditions increases exponentially, so it is easy to fill up the blacklist resources in the device. When the blacklist resources are full, no longer The attack packets in the blacklist will either no longer be restricted by the blacklist and directly impact the host, or will be speed-limited together with other normal packets, affecting the establishment of normal business

Images