Nothing Special   »   [go: up one dir, main page]

TWI258286B - Methods for intrusion detection system (IDS) thwarting and mitigating network attacks - Google Patents

Methods for intrusion detection system (IDS) thwarting and mitigating network attacks Download PDF

Info

Publication number
TWI258286B
TWI258286B TW93103139A TW93103139A TWI258286B TW I258286 B TWI258286 B TW I258286B TW 93103139 A TW93103139 A TW 93103139A TW 93103139 A TW93103139 A TW 93103139A TW I258286 B TWI258286 B TW I258286B
Authority
TW
Taiwan
Prior art keywords
detection system
intrusion detection
tcp
server
packet
Prior art date
Application number
TW93103139A
Other languages
Chinese (zh)
Other versions
TW200522638A (en
Inventor
Xing-Kuo Weng
Shao-Xun Deng
Original Assignee
Chung Shan Inst Of Science
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chung Shan Inst Of Science filed Critical Chung Shan Inst Of Science
Priority to TW93103139A priority Critical patent/TWI258286B/en
Publication of TW200522638A publication Critical patent/TW200522638A/en
Application granted granted Critical
Publication of TWI258286B publication Critical patent/TWI258286B/en

Links

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

Methods for intrusion detection system thwarting and mitigating network attacks are presented. After a server sends out a TCP SYN-ACK packet according to a source address of a TCP SYN packet, a half-open connection between the server and the source address is created. An intrusion detection system (IDS) substitutes the source address to create a TCP ACK packet transmitted to the server. Therefore, upon the program of TCP/IP not being changed, all of the half-open connection table will not be easily occupied by a TCP SYN flooding attack. Moreover, when the server does not receive a TCP ACK packet from the source address, the intrusion detection system proactively create a TCP RESET packet delivered to the server such that the invalid connection between the server and the source address can be reset.

Description

!258286 五、發明說明(1) 【發明所屬之技術領域】 本發明是有關於運用於入侵#測丰轉的躲 方法與網路攻擊減損方法,日==f f統的網路攻擊阻止 進行TCP SYN犯濫攻擊時,寺^疋有關於一種當駭客在 方法可以防止伺服写之時半門猎拿由社入本侵偵測系統的提早連結 一 @ # A 4 I 丰開連結表被佔滿之方法及有關於 掇^ ^ ^ 別的TCP SYN—ACK反射攻擊或是大規 、=/刀政式TCP SYN-ACK反射攻擊時,藉由入侵偵測系統 田^早連結方法及主動重置方法可以避免伺服器被駭客利 用為攻擊跳板而產生放大攻擊效應。 【先前技術】 一在資訊時代透過網際網路可以連結全球各地之電腦, 現今不論是企業或是個人均已普遍利用網際網路來傳送或 存取資料。傳輸控制協定(Transmission Control258286 V. OBJECT DESCRIPTION OF THE INVENTION (1) Technical Field of the Invention The present invention relates to a hiding method and a network attack decrementing method applied to an intrusion #测丰转, a network attack of a day==ff system prevents TCP from being performed. When SYN is attacking indiscriminately, the temple has an early link to the intrusion detection system when the hacker is able to prevent the servo from writing. @# 4 I The Fengkai Link Table is occupied. When the method is full and there are other TCP SYN-ACK reflection attacks or large-scale, =/ knife-style TCP SYN-ACK reflection attacks, the intrusion detection system uses the early connection method and active reset. The method can prevent the server from being used by the hacker to generate a magnifying attack effect for attacking the springboard. [Prior Art] In the information age, computers around the world can be connected via the Internet. Nowadays, enterprises and individuals have generally used the Internet to transmit or access data. Transmission Control Protocol

Protocol ’TCP)與網際網路協定(internet Protocol, I P)已是國際網際網路的標準通訊協定,不論是廣域網 路、區域網路、大型主機、個人電腦都支援這種通訊協 定。當用戶端與祠服器欲進行通訊時,必須利用TCP/ I P才 能使雙方進行資料傳輸或交換。 隨著網路的普及化,網路攻擊事件曾出不窮,網路安 全愈來愈受到重視。在大家所熟知的網路安全機制中,一 個很重要的角色 入知偵測系統(Intrusion Detection S y s t e m ’ I D S )--主要在監視且分析網路或系統所發生的 事件。一個優良的入侵偵測系統可以有效地增加網路系統Protocol 'TCP' and Internet Protocol (IP) are standard communication protocols for the international Internet. These protocols are supported by WANs, regional networks, mainframes, and personal computers. When the client and the server want to communicate, TCP/IP must be used to enable both parties to transfer or exchange data. With the popularity of the Internet, cyber attacks have emerged and network security has become more and more important. Among the well-known network security mechanisms, an important role of Intrusion Detection Sy s t e m ' I D S -- is to monitor and analyze events occurring in the network or system. An excellent intrusion detection system can effectively increase the network system

12588twf-l.ptd 第8頁 1258286 五、發明說明(2) 的安全性。 入侵偵測系統可分為兩類:網路型(N e t w 〇 r k - b a s e d ) 和主機型(Η o s t - b a s e d )入侵偵測系統。網路型入侵偵測系 統是以分析網路上的封包為基礎,偵測網路上的主機是否 受到攻擊。其優點在於網路管理簡單且防護範圍較大,只 需要一台電腦就可以為網路上多台設備提供防護。 一般來說網路型入侵偵測系統依照其是否具備阻絕 (block)能力可再區分為阻絕型(blocking)與監聽型 (1 i steni ng)入侵偵測系統,如第1圖及第2圖所示,第1圖 係繪示監聽型入侵偵測系統配置在一般網路架構下的示意 圖,第2圖係繪示阻絕型入侵偵測系統配置在一般網路架 構下的不意圖。 請先參照第1圖,監聽型入侵偵測系統1 0可以偵測網 際網路20(internet)與企業内部網路30(intranet)之間所 傳送的網路封包是否有不法活動,當發現有惡意行為時就 發出警訊(a 1 e r t ),但無法直接阻絕所監聽的網路封包。 請參照第2圖,阻絕型入侵偵測系統1 1除了可以偵測 網際網路20(internet)與企業内部網路30(intranet)之間 所傳送的網路封包外,還具有過濾網路封包的功能。即當 發現非法活動時,除發出警訊外,還可對具惡意行為的網 路封包予以阻攔,不讓其通過。 請參照第3圖,其繪示主機型入侵偵測系統配置在一 般網路架構下的示意圖。主機型入侵偵測系統3 2比如是安 裝在位於企業内部網路30中的主機31上,主要是收集與分12588twf-l.ptd Page 8 1258286 V. Inventions (2) Security. Intrusion detection systems can be divided into two categories: network type (N e t w 〇 r k - b a s e d ) and host type (Η o s t - b a s e d ) intrusion detection system. The network intrusion detection system is based on analyzing packets on the network to detect whether the host on the network is attacked. The advantage is that the network management is simple and the scope of protection is large, and only one computer can provide protection for multiple devices on the network. Generally, the network-based intrusion detection system can be further classified into a blocking and monitoring type intrusion detection system according to whether it has a blocking capability, such as FIG. 1 and FIG. 2 As shown in the figure, FIG. 1 is a schematic diagram showing a configuration of a monitoring type intrusion detection system under a general network architecture, and FIG. 2 is a schematic diagram showing a configuration of a blocking type intrusion detection system under a general network architecture. Please refer to FIG. 1 first, the interception type intrusion detection system 10 can detect whether the network packet transmitted between the internet 20 (internet) and the intranet 30 (the intranet) has illegal activities. A malicious alert (a 1 ert ) is issued, but the network packet being monitored cannot be directly blocked. Referring to FIG. 2, the blocking type intrusion detection system 1 1 has a filtering network packet in addition to detecting a network packet transmitted between the Internet 20 and the intranet 30 (intranet). The function. That is, when illegal activities are discovered, in addition to issuing warnings, network packets with malicious behavior can be blocked from passing. Please refer to FIG. 3, which illustrates a schematic diagram of a host type intrusion detection system configured under a general network architecture. The host type intrusion detection system 3 2 is installed, for example, on the host 31 located in the intranet 30 of the enterprise, mainly collecting and dividing.

12588twf-l.ptd 第9頁 1258286 五、發明說明(3) 析單一主機3 1的檔案、程序、曰誌檔等資料及主機3丨本身 所收送的網路封包是否含有惡意行為。當主機型入侵偵測 糸統3 2安裝在欲防護的電腦設備(比如是主機3 1 )上時,可 以隨時監測本機系統紀錄槽中的登入紀錄、使用者切換 (如s u 指令)紀錄、行程(p r 〇 c e s s )所執行的系統呼叫、及 網路收送封包等是否有不法活動。 當一用戶端和一伺服器利用TCP 協定在傳送資料封包 之前,用戶端會先和伺服器進行TCP連結的建立程序。請 參照第4圖,其繪示一般TCP協定之三方握手交流 (three-way handshaking)的示意圖。當用戶端110欲與某 一伺服器120連結時,用戶端110會先傳送TCP SYN封包 (TCP Synchronization packet)給祠月艮器 120 ,以要求建 立TCP 連結;當伺服器1 2 0接受該連結要求時,伺服器 120 會回覆TCP SYN-ACK 封包(TCP Synchronization -Acknowledgement packet)給用戶端110 ,以形成一個半 開連結(half-open connection);當用戶端110收到伺月艮 器120送回的TCP SYN-ACK封包時,若是再回應TCP ACK封 包(TCP Acknowledgement packet)給伺月艮器 120 ,貝表示 該TCP連結已建立成功,可以開始傳送資料。當用戶端1 1 〇 與伺服器1 2 0之間的連結係處於半開連結狀態時,伺服器 1 2 0必須記錄與維護半開連結一段時間,以等待用戶端1 1 〇 傳送該TCP ACK封包給伺服器1 20。若是超過等待時間,伺 服器1 2 0會切斷與用戶端1 1 0之間的半開連結。 請參照第5圖,其繪示一般伺服器内記憶體之分配示12588twf-l.ptd Page 9 1258286 V. Description of invention (3) Analysis of the files, programs, files, etc. of a single host 3 1 and whether the network packets sent by the host 3 itself contain malicious behavior. When the host type intrusion detection system 3 2 is installed on the computer device to be protected (for example, the host 3 1 ), the login record and the user switch (such as the su command) in the local system record slot can be monitored at any time. Whether there are illegal activities such as system calls and network delivery packets executed by the pr 〇cess. When a client and a server use the TCP protocol to transmit a data packet, the client first establishes a TCP connection with the server. Please refer to FIG. 4, which shows a schematic diagram of a three-way handshaking of a general TCP protocol. When the client 110 wants to connect with a certain server 120, the client 110 first transmits a TCP SYN packet (TCP Synchronization packet) to the server 120 to request to establish a TCP connection; when the server 1 2 0 accepts the link When requested, the server 120 will reply the TCP SYN-ACK packet (TCP Synchronization - Acknowledgement packet) to the client 110 to form a half-open connection; when the client 110 receives the server 120, it returns In the case of the TCP SYN-ACK packet, if it responds to the TCP ACK packet (TCP Acknowledgement packet) to the server 120, it indicates that the TCP link has been successfully established and can start transmitting data. When the connection between the client 1 1 〇 and the server 1 2 0 is in a half-open connection state, the server 1 2 0 must record and maintain a half-open connection for a period of time, waiting for the client 1 1 to transmit the TCP ACK packet to Server 1 20. If the waiting time is exceeded, the servo 1 2 0 will cut off the half-open connection with the client 1 1 0. Please refer to FIG. 5, which shows the allocation of memory in a general server.

12588twf-l.ptd 第10頁 1258286 五、發明說明(4) 一 意圖。伺服器1 2 〇具有一半開連結表丨3 〇在其作業系統核心 記憶體1 4 0内,用以記錄與維護半開連結之相關資料。因 為半,連結表1 3 0的容量十分有限且無法直接擴充,即使 祠服器1 2 0有數百萬位元組以上的延伸記憶體,也無法在 不修改作業系統程式的前提下,直接將半開連結表丨3 〇擴 大使用。因此只要在短時間内多個用戶端1 1 〇與伺服器1 2 〇 之間建立大量的半開連結,便會使得半開連結表丨3 〇滿溢 (overflow),導致伺服器120無法再與外界建立新的了^連 結’而迫使阻斷所有以TCP連結為基礎的應用服務。 “ 上述TCP連結的特性普遍存在各類有連接網路能力的 電腦系統中。駭客因而利用該特性,對伺服器進行 s Y N >巳濫攻擊(τ c P s Y N f丨〇 〇 d )。請參照第6圖,首先,馬歹 客210可假冒TCP SYN封包之來源位址及來源埠號碼,其^ 被假冒的來源位址比如是刻意挑選的、隨意或隨"機選取、 位址,其可能是已關機電腦之位址或是根本不存在之位、 址。接著,駭客2 1 0將已假冒來源位址及來源埠號碼之^ SYN封包傳送給伺服器2 2 0 ;當伺服器2 2 0接受該^ ^ 時’會送出TCP SYN-ACK封包至駭客所指定之^ =要求 2 3 0,以形成半開連結。駭客2 1 〇只要在短時間内傳送夕 具有不同來源位址或來源埠號碼的TCP SYN封包、給受$攻^ @ 的伺服器2 2 0,便可以迫使受攻擊之伺服器2 2 〇建立夕 開連結’導致其半開連結表滿溢’而成功靡疾受攻擊 ^ 服器2 2 0的服務能力。 司 目前入侵偵測系統2 4 0偵測TCP SYN氾濫攻墼_奴3 午—又疋以12588twf-l.ptd Page 10 1258286 V. INSTRUCTIONS (4) I. The server 1 2 〇 has a half-open connection table 丨3 〇 in its operating system core memory 140, used to record and maintain the information about the semi-open connection. Because half, the capacity of the connection table 130 is very limited and cannot be directly expanded. Even if the server has more than several million bytes of extended memory, it cannot be directly modified without modifying the operating system program. Expand the use of the semi-open link table 〇3 。. Therefore, as long as a large number of half-open connections are established between the plurality of client terminals 1 1 〇 and the server 1 2 短 in a short time, the half-open connection table 丨 3 〇 overflows, causing the server 120 to no longer communicate with the outside world. Established a new ^ link' and forced to block all TCP-based application services. "The characteristics of the above TCP links are common in all kinds of computer systems with connected network capabilities. Hackers use this feature to perform s YN > attack attacks on servers (τ c P s YN f丨〇〇d ) Please refer to Figure 6. First, the Ma Yuke 210 can fake the source address and source number of the TCP SYN packet. The source address of the counterfeit source is, for example, deliberately selected, randomly selected, or selected with the machine. Address, which may be the address of the computer that has been shut down or the location and address that does not exist at all. Then, the hacker 2 10 transmits the ^SYN packet of the fake source address and the source 埠 number to the server 2 2 0; When the server 2 2 0 accepts the ^ ^, it will send a TCP SYN-ACK packet to the hacker's specified ^ = requirement 2 3 0 to form a half-open link. The hacker 2 1 〇 only needs to transmit in a short time The TCP SYN packet of different source address or source 埠 number, and the server 2 2 0 that is subject to $ attack ^ @ can force the attacked server 2 2 to establish an eve connection "causing its half-open connection table to overflow" And the successful dysentery is attacked by the service device 2 2 0 service ability. Measuring system 240 detects TCP SYN flood attack Ji _ slaves 3 afternoon - and piece goods to

第11頁 1258286 五、發明說明(5) 半開連結的數量是否顯著異常為依據。若在一定的時間 内’正在進行中的半開連結個數超過一臨界值 value),則認定伺服器22〇受到TCp syN氾濫攻擊。入侵谓 測系統對於TCP SYN氾濫攻擊之防護,為先偵測出該攻擊 再採取防護作為,而所採取的防護作為與入侵偵測系統的 類型有關。對於網路監聽型的入侵偵測系統24〇會以產生 T、cp reset封包送給伺服器2 2 0的方式,重置(reset)正在 進行^之半開連結,或是會重置接下來一段時間内所新形 成之半開連結。對於主機型或網路阻絕型的入侵偵測系統 會阻絕後續送給伺服器2 2 0之TCP SYN封包一段時間。 由於IP位址容易被假冒而^!^^的設計又缺乏來源位 址的認1正功能,不論何類型的入侵偵測系統皆無法由TCP 來源位j止直接分辨合法用戶與攻擊者,以致於當伺服器 2 2 0遭文TCP SYN氾濫攻擊時,入侵偵測系統無從挑選出屬 於攻擊者所建的半開連結或新連結要求。結果入侵偵測系 統所採取的防護作為很可能重置了屬於合法用戶的半開連 結或是阻絕了合法用戶的Tcp SYN封包,而且採取防護的 時機總是f伺服器2 2 0已遭受明顯攻擊之後。總之,合法 用戶很可能因此被犧牲掉,而伺服器2 2 〇的對外服務能力 也會明顯下降。 θ另外一種與TCP SYN氾濫攻擊有關的大規模網路攻擊 =分散式TCP SYN-ACK反射攻擊,如第8圖所示。這種攻擊 疋,駭客4 1 〇對同一個受攻擊之伺服器4 3 〇,同時進行許多 的k速低量TCP SYN-ACK反射攻擊。一個TCp Syn-ACK反射Page 11 1258286 V. INSTRUCTIONS (5) Whether the number of semi-open links is significantly abnormal. If the number of half-open links in progress exceeds a threshold value within a certain period of time, it is assumed that the server 22 is subjected to the TCp syN flood attack. The protection of the intrusion predicate system against the TCP SYN flood attack is to detect the attack first and the protection is taken as the type of the intrusion detection system. For the network monitoring type of intrusion detection system 24, the method of generating the T, cp reset packet to the server 2 2 0, resetting the half-open connection in progress, or resetting the next segment The newly formed half-open link in time. For host or network-blocked intrusion detection systems, TCP TCP packets sent to the server 2 2 0 are blocked for a period of time. Since the IP address is easy to be counterfeited and the design of the ^^^^ lacks the positive function of the source address, no matter what type of intrusion detection system can directly distinguish the legitimate user and the attacker from the TCP source bit, When the server is attacked by the TCP SYN, the intrusion detection system cannot select the half-open link or the new link requirement that the attacker has built. As a result, the protection adopted by the intrusion detection system is likely to reset the half-open link belonging to the legitimate user or block the Tcp SYN packet of the legitimate user, and the timing of the protection is always after the server 12 has suffered a significant attack. . In short, legitimate users are likely to be sacrificed, and the external service capabilities of the server will be significantly reduced. θ Another large-scale network attack related to TCP SYN flood attacks = Decentralized TCP SYN-ACK reflection attack, as shown in Figure 8. This kind of attack, hacker 4 1 〇 to the same attacked server 4 3 〇, while performing many k-speed low-cost TCP SYN-ACK reflection attacks. a TCp Syn-ACK reflection

12588twf-1.ptd 第12頁 1258286 五、發明說明(6) 攻擊的作法請先參照第7圖。在第7圖中,駭客3 1 〇假冒伺 服器3 3 0的位址而產生T C P S Y N封包,送給作為反射攻擊跳 板之伺服器3 2 0 ;當伺服器3 2 0接受該TCP連結要求時,會 送出TCP SYN-ACK封包至受攻擊之伺服器3 3 0 ;因為該半開 連結一直無法被建立完成,作為跳板之伺服器3 2 〇便會每 隔一段時間重送一次TCP SYN-ACK封包,約重送三次1, 再送出一次T C P R E S E T封包給受攻擊之祠服器w q。總之, 駭客310只要產生送出一份TCP SYN封包,受攻擊之^ 哭 3 3 0前後會收到約五倍的攻擊封包。 ° ^ 在第8圖中,當駭客410對同一個受攻擊之伺服器 進行分散式TCP SYN-ACK反射攻擊時,駭客41〇會利用 伺服器作為反射攻擊的跳板,且對每一個作為^板之^ f 器4 2 0進行一個慢速低量的TCP SYN-ACK反射攻擊。由於 客410同時進行許多TCP SYN-ACK反射攻擊,且每個反射$ 擊皆有攻擊放大效應,故將會有大量的攻擊封包集結攻^ 伺服器4 3 0。目剷網路上有許多資源方便骇客在短'時間 尋找到大量的伺服器作為反射攻擊的跳板,比如各種3 引擎可以快速的找到大量相關的網頁伺服器。 ’、 然而’目刚的入侵偵測系統3 4 0尚無法防護分散式τ [ p SYN-ACK反射攻擊,其原因在於每個作為跳板之伺服^ 僅受到一個慢速低量的TCP SYN反射攻擊,故豆影響& 小,而所用的TCP SYN封包又是一般用戶查詢^司‘ “ 必須用到的,缺乏明顯的異常特徵可供入侵偵測系統3 4 〇 的偵測’亦可穿透防火牆的阻擋,因此入侵偵測系統34〇12588twf-1.ptd Page 12 1258286 V. INSTRUCTIONS (6) Please refer to Figure 7 for the attack. In Figure 7, the hacker 3 1 spoofs the address of the server 307 to generate a TCPSYN packet, which is sent to the server 3 2 0 as a reflective attack springboard; when the server 3 2 0 accepts the TCP connection request The TCP SYN-ACK packet is sent to the attacked server 3 3 0; since the half-open link cannot be established, the server as the springboard 3 2 will resend the TCP SYN-ACK packet every once in a while. , about three times to send again, and then send a TCPRESET packet to the attacked server wq. In short, as long as the hacker 310 generates a TCP SYN packet, it will receive about five times the attack packet before and after the attack. ° ^ In Figure 8, when the hacker 410 performs a decentralized TCP SYN-ACK reflection attack on the same attacked server, the hacker 41 uses the server as a springboard for the reflection attack, and for each ^ The board 4 4 0 performs a slow low-cost TCP SYN-ACK reflection attack. Since the guest 410 performs many TCP SYN-ACK reflection attacks at the same time, and each reflection $ strike has an attack amplification effect, there will be a large number of attack packets aggregated and attacked by the server 430. There are many resources on the shovel network. It is convenient for hackers to find a large number of servers as a springboard for reflection attacks in short time. For example, various 3 engines can quickly find a large number of related web servers. ', However, the original intrusion detection system 3 4 0 can not protect the distributed τ [ p SYN-ACK reflection attack, because each servo as a springboard ^ is only subjected to a slow low-cost TCP SYN reflection attack Therefore, the effect of the bean is small, and the TCP SYN packet used is the general user query ^"" must be used, the lack of obvious anomalous features for the detection of the intrusion detection system 3 4 亦可 can also penetrate The firewall is blocked, so the intrusion detection system 34〇

-發明說明(7) 尚…、有效防護方法。而位於受攻擊之伺服器4 3 〇所在網路 ^ ^侵偵測系統44 0僅能發現大量的TCP SYN-ACK封包送給 ^ I ΐ之饲服器4 3 0 ’除了流量異常外’每個TCP SYN_ACK 44 0%1皆接有合法的飼服器位址及服務蜂號碼’入侵偵測系統 時/总樣難以正確的阻絕這些攻擊封包,更何況受攻擊 然已^ ί擊之飼服器4 3 〇所在網路之出入口的網路頻寬必 …、k χ大量的佔用消耗,甚至整個網路皆壅塞癱瘓。 【發明内容】 偵測【ί 路ί J:月” J-Ϊ是提供-種運用於入侵 濫攻擊時,i τ 擊阻止方法,备駭客在進行TCP SYN氾 下,藉由入Π艮器既有的TCP/IPM的前提 伺服器之半開逯=f、、、先的提早連結方法可以防止受攻擊的 千開連結表被佔滿。- Invention Description (7) Still..., effective protection method. The network attack detection system 44 0 located in the attacked server 4 3 can only find a large number of TCP SYN-ACK packets sent to the ^ I 饲 饲 4 4 4 0 ' except for the traffic anomaly 'every TCP SYN_ACK 44 0%1 is connected to the legal feeding device address and service bee number 'intrusion detection system' / the total sample is difficult to properly block these attack packets, not to mention the attack has been ^ ^ The network bandwidth of the gateway of the network 4 must be..., k χ a large amount of consumption, and even the entire network is blocked. [Summary of the Invention] Detecting [ί路ί J:月] J-Ϊ is a method of providing a kind of attack, and the i τ snip blocking method is used to prepare the hacker under the TCP SYN. The existing TCP/IPM premise server half-opening = f, , and the first early connection method can prevent the attacked thousand open connection table from being occupied.

網路攻擊阻止方=二就是提供一種運用於入侵偵測系統的 氾濫攻擊時,人\ ’即使在伺服器遭受到駭客做TCP SYN 合法用戶仍可二、Z =的連結要求並不會被阻絕或重置, 本發明目的=存取受駭客攻擊之伺服器。 網路攻擊阻止^ J三就是提供一種運用於入侵偵測系統的 遭受到攻擊後才 :以使^钕偵測系統不必等到伺服器 降,可以有效時,伺服器對外的服務能力不會明顯下 本發ΐ =護TCP SYN犯濫攻擊。…下 之四就是提供一種運用於入侵摘測系統的The cyber attack blocker = the second is to provide a flood attack for the intrusion detection system, the person \ 'even if the server suffers from the hacker to do TCP SYN legitimate users can still second, Z = link requirements will not be Blocking or resetting, the object of the present invention is to access a server attacked by a hacker. Network attack blocking ^ J is to provide a kind of attack detection system after the attack: so that the detection system does not have to wait for the server to drop, can be effective, the server's external service capabilities will not be obvious This hairpin = protect against TCP SYN attacks. The next four is to provide a system for intrusion extraction systems.

12588twf-l.ptd 第14頁 1258286 五、發明說明(8)12588twf-l.ptd Page 14 1258286 V. Description of invention (8)

網路攻擊阻止與攻擊 SYN-ACK反射攻擊時 可以避免伺服器被駭 應0 滅損方法,當駭客在進行分散式TCP 藉由入侵偵測系統的主動重置方法 客利用為攻擊跳板而產生放大攻擊效 _ " x明之上述及其他之目的,提出一種運用於 田J P糸統的網路攻擊阻止方法。用戶端與伺服器係利 用1 k訊’首先用戶端會送出TCP SYN封包給伺服器,其 中TCP SYN封包具有來源位址,之後伺服器會依照來源位 址达出TCP SYN-ACK封包,以形成半開連結。其特徵在 於’對$於伺服器的半開連結,入侵偵測系統會主動產生 及傳送符合TCP通訊協定規定的代? ACK封包給伺服器,使 得該半開連結可以提早完成連結而且位於伺服器之作業系 統核心記憶體内之半開連結表的部分空間可以提早釋放出 來0 為達成本發明之上述及其他之目的,還提出一種運用 於入侵偵測系統的網路攻擊阻止與攻擊減損方法。用戶端 與伺服器係利用TCP通訊,首先用戶端會送出TCP SYN封包 給該伺服器,其中TCP SYN封包具有來源位址,之後伺服 器會依照來源位址送出TCP SYN-ACK封包。其特徵在於, 對屬於伺服器的半開連結,入侵偵測系統會主動產生及傳 送符合TCP通訊協定規定的TCP ACK封包給伺服器,之後在 經歷一段時間後,若伺服器仍未收到由來源位址送出之 TCP ACK封包時,入侵偵測系統會主動產生TCP RESET封 包,並將TCP RESET封包傳送至伺服器,藉以重置掉伺服When the cyber attack prevents and attacks the SYN-ACK reflection attack, the server can be prevented from being corrupted by the server. When the hacker is performing distributed TCP, the active reset method of the intrusion detection system is used as the attack springboard. Amplifying the attack effectiveness _ " x Ming's above and other purposes, proposed a network attack blocking method applied to the field JP system. The client and the server use the 1 k message. First, the UE sends a TCP SYN packet to the server. The TCP SYN packet has a source address, and then the server will reach the TCP SYN-ACK packet according to the source address to form a packet. Half open link. It is characterized by a 'half-open connection to the server, and the intrusion detection system will actively generate and transmit the generation that conforms to the TCP protocol. The ACK packet is sent to the server so that the half-open link can be completed early and part of the space of the half-open link table located in the core memory of the operating system of the server can be released early. 0 To achieve the above and other purposes of the present invention, A method of network attack prevention and attack impairment applied to an intrusion detection system. The client and the server use TCP communication. First, the UE sends a TCP SYN packet to the server. The TCP SYN packet has a source address, and then the server sends a TCP SYN-ACK packet according to the source address. The utility model is characterized in that, for a half-open link belonging to the server, the intrusion detection system actively generates and transmits a TCP ACK packet conforming to the TCP communication protocol to the server, and after a period of time, if the server still does not receive the source When the TCP ACK packet is sent by the address, the intrusion detection system will actively generate a TCP RESET packet and transmit the TCP RESET packet to the server, thereby resetting the servo.

12588twf-l.ptd 第15頁 1258286 五、發明說明(9) 器與來源位址之間所建立。 如上所述,當駭客在進;TCP SYN、;巳街攻敏主 ί, Γίί SYN^AVe^ . 正常f取受駭客攻擊之伺服器。值得注意的t =可以 二2 5债測系統防護TCP SYN >、已濫攻擊之方法,本备明之 佼偵測糸統不必等到伺服 7以使入 ? ; X ^ flJ ,,, ^ ^12588twf-l.ptd Page 15 1258286 V. Description of invention (9) Established between the device and the source address. As mentioned above, when the hacker is in; TCP SYN, 巳 攻 攻 主 主 Γ Γ ί ί ί ί ί 取 正常 正常 正常 正常 正常 正常 正常 正常 正常 正常 正常 正常 正常 正常 正常 正常 正常 正常 正常It is worth noting that t = can be 2 2 5 debt testing system protection TCP SYN >, has been attacked by the method, this is not necessary to wait until the servo 7 to enter? X ^ flJ ,,, ^ ^

c ν M w 乃外 §骇客在進行大規模的分者金★ Τ Γ D π # 1反射攻擊時,若是選擇具有本發明入侵彳貞i 4 戶::護之伺服器作為反射攻擊跳板偵:糸統 效應。 θ <战敌大攻擊 顧层i讓i發明之上述和其他目❸、特徵、和優點能更明 顯易懂,下文特舉較佳實施例,i配合所 :更明 說明如下: M八 作砰細 【實施方式】 本發明提供一種運用於入侵偵測系統的網路攻 與攻擊減損方法,其中包括提早連結方法 止 (Early-Connecting method)及主動重置方法 (Proactively-resetting method),在後文中將詳細介c ν M w is outside § hacker in the large-scale division of the gold ★ Τ Γ D π # 1 reflection attack, if you choose to have the invention of the invasion 彳贞i 4 households:: protect the server as a reflection attack springboard detection : 糸 system effect. The above and other objects, features, and advantages of the present invention are more apparent and easy to understand. The following is a preferred embodiment, i cooperates with:实施 【 [Embodiment] The present invention provides a network attack and attack impairment method applied to an intrusion detection system, including an Early-Connecting method and a Proactively-resetting method. I will introduce in detail later.

1258286 五、發明說明(ίο) 入侵偵測系統為了保護伺服器,達成攻擊阻止與攻擊 減損的目標,必須監測並記錄對欲保護伺服器的所有連線 狀態與必要資訊,其中包括:用戶端與伺服器的I P位址、 通訊埠、I P封包識別碼、TCP封包序號、目前連線狀態… 等,由此可知這個記錄的資料量是非常龐大的。為了避免 入侵偵測系統本身處理能量的過載,以及執行效能的考 量,必須可以讓使用者選擇欲保護的伺服器。因此入侵偵 測系統需可以接受使用者對受保護伺機器的指定,包括多 數個I P位址、多數個I P位址範圍或其組合。然後入侵偵測 系統就針對設定的伺服器之TCP連線,予以監測及記錄並 提供防護。此外不論何種型式的入侵偵測系統(比如是監 聽型入侵偵測系統、阻絕型入侵偵測系統或主機型入侵偵 測系統等),都可以達成此防護目標,只要能實作後述實 施例的方法即可。在接下來的實施例中係以監聽型入侵偵 測系統為例做說明。 1.提早連結方法之實施例: 請參照第9、1 0圖,其繪示依照本發明之提早連結方 法的較佳實施例之示意圖。藉由入侵偵測系統5 3 0提早送 出TCP ACK封包,可以保護伺服器52 0的作業系統核心記憶 體5 4 0中的T C P半開連結表5 5 0不被佔滿。 首先設定伺服器5 2 0為受保護伺服器,此時入侵偵測 系統5 3 0會監測及記錄所有對伺服器5 2 0的TCP連線。當用 戶端510對伺服器5 2 0發出TCP SYN封包之連線要求時,入 侵偵測系統5 3 0會監聽或收集到此TCP SYN封包,並且會紀1258286 V. Invention Description (ίο) In order to protect the server and achieve the target of attack prevention and attack impairment, the intrusion detection system must monitor and record all connection status and necessary information for the server to be protected, including: The server's IP address, communication port, IP packet identification code, TCP packet number, current connection status, etc., it can be seen that the amount of data recorded is very large. In order to avoid the overload of the intrusion detection system itself and the performance considerations, the user must be allowed to select the server to be protected. Therefore, the intrusion detection system needs to accept the user's designation of the protected servo, including a plurality of IP addresses, a plurality of IP addresses, or a combination thereof. The intrusion detection system then monitors, records, and provides protection against the TCP connections of the set servers. In addition, no matter what type of intrusion detection system (such as a monitor-type intrusion detection system, a blocking intrusion detection system, or a host-type intrusion detection system), this protection target can be achieved as long as the following embodiments can be implemented. The method can be. In the following embodiments, a monitoring type intrusion detection system is taken as an example for explanation. 1. Embodiment of Early Linking Method: Referring to Figures 9, 10, a schematic view of a preferred embodiment of the early joining method in accordance with the present invention is shown. By injecting the TCP ACK packet early by the intrusion detection system 530, the T C P half-open connection table 505 in the operating system core memory 504 of the server 52 0 can be protected from being overwritten. First, the server is set to be a protected server. At this time, the intrusion detection system 500 will monitor and record all TCP connections to the server 52. When the user terminal 510 issues a connection request for the TCP SYN packet to the server 520, the intrusion detection system 503 will monitor or collect the TCP SYN packet, and the session will be

12588twf-1.ptd 第17頁 1258286 五、發明說明(11) 錄此TCP SYN封包的表頭資料及封包的收集時間。之後, 伺服器5 2 0會回覆TCP SYN-ACK封包至用戶端510 ,以完成 TCP半開連結,此時入侵偵測系統5 3 0會監聽或收集到此 TCP SYN-ACK封包,並紀錄此TCP SYN-ACK封包的表頭資料 及封包的收集時間。 入侵偵測系統5 3 0在偵測到並紀錄此TCP SYN-ACK封包 後,會立刻代替用戶端510向伺服器5 2 0發出TCP ACK封 包,讓伺服器5 2 0提早完成TCP連結,以促使釋放伺服器 5 2 0作業系統核心記憶體5 4 0中的TCP半開連結表5 5 0,此時 入侵偵測系統5 3 0仍持續監測及記錄該連線,這個方法稱 之為提早連結方法。 稍後當用戶端510回覆給伺服器5 2 0的TCP ACK封包送 達時’表示用戶端5 1 0是正常的用戶,這時入侵偵測系統 5 3 0可以清除該筆用戶端510對伺服器52〇的連線記錄^以 便挪出空間處理其他tcp連線’至於對伺服器52〇而十,不 過是將重覆收到的TCP ACK封包丟棄,不會對伺服器°52〇造 成影響。或者,當入侵偵測系統5 30收集到用戶端51〇或伺 服器520送給對方符合TCP通訊協定規定的一Tcp RESET封 包時’入侵偵測系統5 3 0可以清除用戶端51〇與 〇 之間的TCP連結資訊。 t12588twf-1.ptd Page 17 1258286 V. Description of the invention (11) Record the header data of the TCP SYN packet and the collection time of the packet. After that, the server 520 will reply the TCP SYN-ACK packet to the client 510 to complete the TCP half-open connection. At this time, the intrusion detection system 500 will monitor or collect the TCP SYN-ACK packet, and record the TCP. The header data of the SYN-ACK packet and the collection time of the packet. After detecting and recording the TCP SYN-ACK packet, the intrusion detection system 500 will immediately send a TCP ACK packet to the server 520 instead of the client 510, so that the server 502 can complete the TCP connection early. The TCP half-open connection table 5 5 0 in the operating system core memory 504 is released, and the intrusion detection system 530 continues to monitor and record the connection. This method is called early connection. method. Later, when the client 510 replies to the TCP ACK packet of the server 520, it indicates that the user terminal 5 10 is a normal user, and the intrusion detection system 530 can clear the client 510 to the server 52. 〇 连 ^ ^ 以便 以便 以便 以便 以便 以便 以便 以便 以便 以便 以便 以便 以便 ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ Alternatively, when the intrusion detection system 530 collects the user terminal 51 or the server 520 sends the other party a Tcp RESET packet conforming to the TCP protocol, the intrusion detection system 5 3 0 can clear the client terminal 51 and the device. TCP connection information. t

^ 若遲遲等不到用戶端回覆給伺服器MO的TCP ACK封包時,表示用戶端51〇很可能是駭客,在進 氾濫攻擊,不過儘管如此,在前述的做法中,依然保 遵了饲服器5 2 0的TCP半開連結表5 50,不被惡意攻擊佔’、^ If you can't wait for the TCP ACK packet from the client to reply to the server MO, it means that the client 51 is likely to be a hacker and is attacking the flood. However, in the above, it is still in compliance. The TCP half-open connection table 5 50 of the feeding device 5 2 0 is not maliciously attacked.

1258286 五、發明說明(12) 滿,即達成攻擊阻止的目標。後續將介紹另一種方法與實 例,以處理及達成攻擊減損的目標。 2 ·主動重置方法之實施例: 請參照第1 1圖,其繪示依照本發明之主動重置方法的 較佳實施例之示意圖。延續之前所述,若發現遲遲等不到 用戶端5 1 0回覆給伺服器5 2 0的T C P A C K封包,則入侵偵測 系統5 3 0在等待一定時間後,就主動代替用戶端5 1 〇對伺服 器5 2 0發出T C P R E S E T封包,中斷該條T C P連線,並且入侵 偵測系統5 3 0還會清除屬於伺服器5 2 0的TCP連結資訊,這 個方法就稱之為主動重置方法。對伺服器5 2 0而言,如此 可以釋放為了處理該無效連線的系統資源;對入侵偵測系 統5 3 0而言,這時亦可清除該筆用戶端5 1 0對伺服器5 2 0的 連線記錄,以便挪出空間處理其他TCP連線。 藉由本發明之入侵偵測系統可以防護TCP SYN汜濫攻 擊及可以減緩TCP SYN-ACK反射攻擊之效應,如下所述。1258286 V. Description of invention (12) Full, that is, the goal of reaching the attack. The following will introduce another method and example to address and achieve the goal of attack impairment. 2: Embodiment of Active Reset Method: Referring to Figure 11, a schematic diagram of a preferred embodiment of an active reset method in accordance with the present invention is shown. As described above, if it is found that the TCP ACK packet of the server 520 is not received by the client 5 1 0, the intrusion detection system 530 actively replaces the client 5 1 after waiting for a certain period of time. A TCPRESET packet is sent to the server 520 to interrupt the TCP connection, and the intrusion detection system 530 also clears the TCP connection information belonging to the server 520. This method is called an active reset method. For the server 520, the system resources for processing the invalid connection can be released in this way; for the intrusion detection system 503, the user terminal 5 1 0 can also be cleared to the server 5 2 0 The connection records in order to move out of space to handle other TCP connections. The intrusion detection system of the present invention can protect against TCP SYN flood attacks and can mitigate the effects of TCP SYN-ACK reflection attacks, as described below.

茲舉一個完整的例子說明如何利用本發明之入侵偵測 系統防護T C P S Y N氾濫攻擊,請參照第1 2圖。駭客6 1 0可以 偽冒多個假來源位址6 3 0對受攻擊伺服器6 2 0發出T C P S Y N 封包,伺服器6 2 0收到駭客6 1 0的連線要求後,會回覆τ C P S Y N - A C K封包,完成T C P半開連結。此時入侵偵測系統6 4 0 會立刻代替假來源位址6 3 0回覆TCP ACK封包,先避免受攻 擊之伺服器6 2 0的系統半開連結表被佔滿,其次若超過等 待時限仍未收到來源位址欄位具有假來源位址6 3 0的T C PA complete example of how to use the intrusion detection system of the present invention to protect against T C P S Y N flood attacks is described in Figure 12. The hacker 6 1 0 can fake multiple fake source addresses 6 3 0 to send a TCPSYN packet to the attacked server 6 2 0, and the server 6 2 0 receives the connection request of the hacker 6 1 0, and then replies τ CPSYN - ACK packet, complete TCP half-open link. At this time, the intrusion detection system 6 4 0 will immediately replace the fake source address 6 3 0 to reply to the TCP ACK packet, firstly avoiding the system half-open connection table of the attacked server 6 2 0 being occupied, and secondly, if the waiting time limit is exceeded Received TCP with source address field with fake source address 6 3 0

12588twf-l.ptd 第19頁 1258286 五、發明說明(13) A C K封包,則入侵偵測系統6 4 0對受攻擊之伺服器6 2 0,會 發出T C P R E S E T封包,藉以清除受攻擊之伺服器6 2 〇中關於 無效連線的系統資源;對入侵偵測系統6 4 〇而言,這時亦 可清除該筆連線的相關記錄資源。 另舉一個完整的例子說明如何防護TCp SYN-ACK反射 攻擊’請參照第1 3圖。駭客7 1 0偽冒一受攻擊之伺服器7 3 0 來源位址,對作為跳板之伺服器72〇發出TCP SYN封包,伺 服器7 2 0收到駭客7 1 〇的連線要求後,會回覆τ c P S Y N - A C K 封包給受攻擊之伺服器7 3 0,完成TCP半開連結。此時若在 無入侵積測系統防護之一般情況下,伺服器7 2 〇會總共送 出四次TCP SYN-ACK,以及一次TCP RESET封包給受攻擊之 伺服器730(因為受攻擊之伺服器730不會回覆TCP ACK封包 給作為跳板之伺服器7 2 0,故伺服器7 2 0會重送T C P SYN-ACK封包三次,最後再送出TCP RESET封包清除連 線),如此駭客7 1 0只要發出一個封包給伺服器7 2 〇,伺服 器7 2 0就會產生五個封包到受攻擊之伺服器7 3 〇,形成五倍 的攻擊放大效應。 但是在有入侵偵測系統7 4 0防護的情況下,伺服器7 2 〇 在回覆TCP SYN-ACK封包給受攻擊之伺服器73〇後,入侵偵 測系統74 0會立刻代替受攻擊之伺服器73〇回覆Tcp ACK封 包’先避免伺服器7 2 0的系統半開連結表被佔滿,其次在 超過等待時限之後,入侵偵測系統7 4 〇會對伺 發出TCP reset封包,清除祠服器72 0系統中的服無連線動 對入侵偵測系統7 4 0而言,這時亦可清除該筆連線的相關12588twf-l.ptd Page 19 1258286 V. Invention Description (13) ACK packet, the intrusion detection system 604 sends a TCPRESET packet to the attacked server 6 2 0, so as to clear the attacked server 6 2 The system resources for invalid connection; for the intrusion detection system, the related recording resources of the connection can also be cleared. Another complete example shows how to protect against TCp SYN-ACK reflection attacks. Please refer to Figure 13. The hacker 7 1 0 spoofs an attacked server 7 3 0 source address, sends a TCP SYN packet to the server 72 as a springboard, and the server 7 2 0 receives the connection request of the hacker 7 1 后, will reply τ c PSYN - ACK packet to the attacked server 703, complete the TCP half-open connection. At this time, in the normal case of no intrusion detection system protection, the server 7 2 will send a total of four TCP SYN-ACKs, and a TCP RESET packet to the attacked server 730 (because of the attacked server 730) Will not reply the TCP ACK packet to the server as a springboard 7 2 0, so the server 7 2 0 will resend the TCP SYN-ACK packet three times, and finally send the TCP RESET packet to clear the connection), so the hacker 7 1 0 as long as Sending a packet to the server 7 2 〇, the server 7 2 0 will generate five packets to the attacked server 7 3 〇, forming a fivefold attack amplification effect. However, in the case of the intrusion detection system 704 protection, after the server 7 2 replies to the TCP SYN-ACK packet to the attacked server 73, the intrusion detection system 74 0 will immediately replace the attacked servo. 73 〇 Reply Tcp ACK packet 'Firstly avoid the server 7 2 0 system half open connection table is full, and secondly after the waiting time limit, the intrusion detection system 7 4 will send a TCP reset packet, clear the server 72 0 system in the system without connection to the intrusion detection system 7 4 0, this time can also clear the connection of the line

12588twf-l.ptd 第20頁 1258286 五、發明說明(14) 記錄資源。如此一來,當駭客71〇傳送一次Tcp SYN封包給 作為跳板之伺服器7 2 0時,作為跳板之伺服器7 2 〇僅會傳送 一次TCP SYN-ACK封包給受攻擊之伺服器73Q,這樣可以避 免駭客以TCP SYN-ACK封包攻擊伺服器73〇所產生之攻擊放 大效果。如此駭客7 1 0必須要送出更多的τ c p s γ N封包給作 為跳板之伺服裔7 2 0,才能佔滿連結至受攻擊之祠服器7 3 〇 的頻寬,進而癱瘓受攻擊之伺服器7 3 〇的服務能力。因為 駭客710的攻擊效果被入侵偵測系統74〇減損了8〇%,其攻 擊可能會達不到原來的效果,故駭客7 1 〇可能會放棄利用 TCP SYN-ACK封包來攻擊伺服器73〇的念頭。 此外,又因為大規模的分散式Tcp Syn —ACK反射攻擊 是由駭客7 1 0對同一個受攻擊之伺服器γ 3 〇 ,同時進行許多 的慢速低量T C P S Y N - A C K反射攻擊,即駭客γ 1 〇利用許多伺 服器7 2 0作為反射攻擊的跳板,且對每一個作為跳板之伺 服器7 2 0進行一個慢速低量的TCP SYN-ACK反射攻擊。因實 施本方法的入侵偵測系統7 4 〇可以有效的消除其攻擊放大、 效應,而大幅減損了分散STCP SYN-ACK反射攻擊的攻擊 效果,也使得駭客71 0更不易進行個別的Tcp syn-ACK反射 攻擊或是大規模的分散式TCP SYN-ACK反射攻擊。 結論 綜上所述’本發明至少具有下列優點: 1 ·本發明之運用於入侵偵測系統的網路攻擊阻止與攻 擊減損方法,當駭客在進rTCP SYN氾濫攻擊時,藉由入12588twf-l.ptd Page 20 1258286 V. Description of invention (14) Recording resources. In this way, when the hacker 71 transmits a Tcp SYN packet to the server 7 2 0 as a springboard, the server as the springboard 7 2 传送 transmits only the TCP SYN-ACK packet to the attacked server 73Q. This can avoid the attack amplification effect generated by the hacker attacking the server 73 by the TCP SYN-ACK packet. So the hacker 7 1 0 must send more τ cps γ N packets to the server 7 2 0 as a springboard to fill the bandwidth of the attacked server 7 3 ,, and then attack Server 7 3 服务 service capabilities. Because the attack effect of the hacker 710 is degraded by 8入侵% by the intrusion detection system 74, its attack may not achieve the original effect, so the hacker 7 1 〇 may give up using the TCP SYN-ACK packet to attack the server. 73〇 thoughts. In addition, because of the large-scale distributed Tcp Syn-ACK reflection attack, the hacker 7 1 0 pairs the same attacked server γ 3 〇, while performing many slow low-cost TCPSYN-ACK reflection attacks, ie The guest γ 1 〇 utilizes a number of servers 720 as a springboard for the reflection attack, and performs a slow low-cost TCP SYN-ACK reflection attack on each of the servers 7 2 0 as a springboard. The intrusion detection system 7 4 that implements the method can effectively eliminate the attack amplification and effect, and greatly detract from the attack effect of the scattered STCP SYN-ACK reflection attack, and makes the hacker 71 0 more difficult to perform individual Tcp syn. - ACK reflection attack or large-scale distributed TCP SYN-ACK reflection attack. Conclusion In summary, the present invention has at least the following advantages: 1. The cyber attack prevention and attack mitigation method applied to the intrusion detection system of the present invention, when the hacker is in the rTCP SYN flood attack,

12588twf-l.ptd12588twf-l.ptd

第21頁 1258286 五、發明說明(15) 侵偵測系統可以防止伺服器之半開連結表被佔滿。 2 .本發明之運用於入侵偵測系統的網路攻擊阻止與攻 擊減損方法,即使在伺服器遭受到駭客做TCP SYN氾濫攻 擊時,合法用戶的連結要求並不會被阻絕或重置,合法用 戶仍可以正常存取受駭客攻擊之伺服器。 3. 本發明之運用於入侵偵測系統的網路攻擊阻止與攻 擊減損方法,可以使入侵偵測系統不必等到伺服器遭受到 攻擊後才開始進行防護,且伺服器在遭受到駭客做TCP SYN氾濫攻擊時,伺服器對外的服務能力不會明顯下降, 可以有效的防護TCP SYN氾濫攻擊。 4. 本發明之運用於入侵偵測系統的網路攻擊阻止與攻 擊減損方法,可以避免當駭客在進行慢速低量反射攻擊或 分散式反射攻擊時,產生放大攻擊之效應。 雖然本發明已以較佳實施例揭露如上,然其並非用以 限定本發明,任何熟習此技藝者,在不脫離本發明之精神 和範圍内,當可作各種之更動與潤飾,因此本發明之隔離 範圍當視後附之申請專利範圍所界定者為準。Page 21 1258286 V. INSTRUCTIONS (15) The intrusion detection system prevents the half-open connection table of the server from being occupied. 2. The cyber attack prevention and attack mitigation method applied to the intrusion detection system of the present invention, even when the server is subjected to a TCP SYN flood attack by the hacker, the link request of the legitimate user is not blocked or reset. Legitimate users can still access the server attacked by the hacker. 3. The network attack prevention and attack impairment method applied to the intrusion detection system of the present invention enables the intrusion detection system to wait for the server to be attacked before the attack is started, and the server is subjected to TCP by the client. When the SYN flood attack occurs, the external service capability of the server will not be significantly reduced, and the TCP SYN flood attack can be effectively protected. 4. The network attack prevention and attack impairment method applied to the intrusion detection system of the present invention can avoid the effect of the amplification attack when the hacker performs a slow low-level reflection attack or a distributed reflection attack. While the present invention has been described above by way of a preferred embodiment, it is not intended to limit the invention, and the present invention may be modified and modified without departing from the spirit and scope of the invention. The scope of isolation is subject to the definition of the scope of the patent application.

12588twf-1.ptd 第22頁 1258286 圖式簡單說明 第1圖繪示監聽型入侵偵測系統配置在一般網路架構 下的示意圖。 第2圖繪示阻絕型入侵偵測系統配置在一般網路架構 下的示意圖。 弟3圖緣示主機型入侵偵測系統配置在一般網路架構 下的示意圖。 第4圖繪示一般TCP協定之Tcp連結建立方法(三方握手 交流)之示意圖。 ,5圖繪示一般伺服器内記憶體之分配示意圖。 第6圖繪示駭客對伺服器進行Tcp syn氾濫攻擊之方 法。 、 第7圖繪示駭客對伺服器進行慢速低量的了^ SYN —ACK >巳 >監攻擊之方法。 第8圖繪示駭客對伺服器進行分散式TCp syn-ACK反射 攻擊之方法。 ^ 第9圖所示,其繪示依照本發明一較佳實施例之以入 知:偵測系統進行提早連結方法之示意圖。 第1 0圖繪示一般伺服器内記憶體之分配示意圖。 第1 1圖繪不依知本發明一較佳實施例之以入侵4貞測糸 統進行主動重置方法之示意圖。 、 抑第1 2圖繪示依照本發明一較佳實施例之防護駭客對伺 服器進行TCP SYN氾濫攻擊之方法。、 第1 3圖繪示依照本發明一較佳實施例之防護駭客對伺 服器進行TCP SYN-ACK氾濫攻擊之方法。12588twf-1.ptd Page 22 1258286 Schematic description of the diagram Figure 1 shows the schematic configuration of the monitor-type intrusion detection system under the general network architecture. Figure 2 is a schematic diagram showing the configuration of the blocking intrusion detection system in a general network architecture. Figure 3 shows the schematic diagram of the host-type intrusion detection system configured under the general network architecture. Figure 4 is a schematic diagram showing a Tcp link establishment method (three-way handshake) of a general TCP protocol. Figure 5 shows the distribution of memory in a general server. Figure 6 shows the hacker's method of performing a Tcp syn flood attack on the server. Figure 7 shows the hacker's method of slowing down the server to the SYN-ACK > 巳 > Figure 8 illustrates the hacker's method of performing a decentralized TCp syn-ACK reflection attack on the server. As shown in Fig. 9, there is shown a schematic diagram of a method for detecting an early connection in accordance with a preferred embodiment of the present invention. Figure 10 shows a schematic diagram of the distribution of memory in a general server. Fig. 1 is a schematic diagram showing an active reset method by an intrusion detection system according to a preferred embodiment of the present invention. FIG. 12 illustrates a method for protecting a hacker from a TCP SYN flood attack on a server in accordance with a preferred embodiment of the present invention. FIG. 13 illustrates a method for protecting a hacker from a TCP SYN-ACK flood attack on a server in accordance with a preferred embodiment of the present invention.

1258286 圖式簡單說明 【圖式標示說明】 1 〇 :監聽型入侵偵測系統 1 1 :阻絕型入侵偵測系統 2 0 :網際網路 3 0 :企業内部網路 31 ··主機 3 2 ··主機型入侵偵測系統 1 1 0 :用戶端 1 2 0 :伺服器 1 3 0 :半開連結表 1 4 0 :作業系統核心記憶體 2 1 0 :駭客 2 2 0 ·•受攻擊之伺服器 2 3 0 :假來源位址 2 4 0 :入侵债測系統 3 1 0 :駭客 3 2 0 :作為反射攻擊跳板之伺服器 3 3 0 :受攻擊之伺服器 3 4 0 :入侵偵測系統 4 1 0 :駭客 4 2 0 :作為跳板之伺服器 4 3 0 :受攻擊之伺服器 510 :用戶端1258286 Schematic description of the diagram [illustration of the pattern] 1 〇: monitor type intrusion detection system 1 1 : blocking type intrusion detection system 2 0: Internet 3 0: enterprise internal network 31 · · host 3 2 ·· Host Intrusion Detection System 1 1 0 : Client 1 2 0 : Server 1 3 0 : Half Open Link Table 1 4 0 : Operating System Core Memory 2 1 0 : Hacker 2 2 0 ·• Attacked Server 2 3 0 : False source address 2 4 0 : Intrusion test system 3 1 0 : Hacker 3 2 0 : Server as a reflection attack springboard 3 3 0 : Attacked server 3 4 0 : Intrusion detection system 4 1 0 : Hacker 4 2 0 : Servo as a springboard 4 3 0 : Attacked server 510 : Client

12588twf-l.ptd 第24頁 125828612588twf-l.ptd Page 24 1258286

圖式簡單說明 520 伺 服 器 530 入 侵 偵 測 系 統 540 作 業 系 統 核 心 記 憶 體 550 半 開 連 結 表 560 應 用 程 式 可 用 記 憶 體 610 駭 客 620 受 攻 擊 之 伺 服 器 630 假 來 源 位 址 640 入 侵 偵 測 系 統 710 駭 客 720 作 為 跳 板 之 伺 服 器 730 受 攻 擊 之 伺 服 器 740 入 侵 偵 測 系 統 12588twf-l.ptd 第25頁Schematic description 520 Server 530 Intrusion Detection System 540 Operating System Core Memory 550 Half Open Link Table 560 Application Available Memory 610 Hacker 620 Attacked Server 630 Fake Source Address 640 Intrusion Detection System 710 Hacker 720 Serve as a springboard 730 Attacked server 740 Intrusion Detection System 12588twf-l.ptd Page 25

Claims (1)

1258286 六、申請專利範圍 1 . 一種運用於入侵偵測系統的網路攻擊阻止方法,該 方法至少包含: 收集一用戶端與一受保護伺服器之間所往來的一TCP 通訊資料; 記錄該用戶端與該受保護伺服器之間所往來的一TCP 連結資訊;以及 若是該受保護伺服器處在半開連結的狀態下,則產生 及傳送符合TCP通訊協定規定的一TCP ACK封包給該受保護 伺服器。 2. 如申請專利範圍第1項所述之運用於入侵偵測系統 的網路攻擊阻止方法,其中該受保護伺服器的指定係藉由 使用者設定的多數個I P位址、多數個I P位址範圍或其組合 所達成。 3. 如申請專利範圍第1項所述之運用於入侵偵測系統 的網路攻擊阻止方法,其中該入侵偵測系統包括主機型的 入侵偵測系統。 4. 如申請專利範圍第1項所述之運用於入侵偵測系統 的網路攻擊阻止方法,其中該入侵偵測系統包括網路型監 聽模式入侵偵測系統。 5. 如申請專利範圍第1項所述之運用於入侵偵測系統 的網路攻擊阻止方法,其中該入侵偵測系統包括網路型阻 絕模式入侵偵測系統。 6. 如申請專利範圍第1項所述之運用於入侵偵測系統 的網路攻擊阻止方法,其中該TCP連結資訊包括由該用戶1258286 VI. Patent Application Range 1. A method for preventing network attack detection applied to an intrusion detection system, the method comprising: collecting a TCP communication data between a client and a protected server; recording the user And a TCP connection information between the terminal and the protected server; and if the protected server is in a half-open state, generating and transmitting a TCP ACK packet conforming to the TCP protocol to the protected server. 2. The network attack prevention method applied to the intrusion detection system according to claim 1, wherein the protected server is specified by a plurality of IP addresses and a plurality of IP addresses set by the user. The address range or a combination of them is reached. 3. The method for preventing network attack detection applied to an intrusion detection system according to claim 1, wherein the intrusion detection system comprises a host type intrusion detection system. 4. The method for preventing network attacks applied to an intrusion detection system according to claim 1, wherein the intrusion detection system comprises a network type listening mode intrusion detection system. 5. The method for preventing network attacks applied to an intrusion detection system according to claim 1, wherein the intrusion detection system comprises a network-type blocking mode intrusion detection system. 6. The method for preventing network attack applied to an intrusion detection system according to claim 1, wherein the TCP connection information is included by the user 12588twf-l.ptd 第26頁 1258286 六、申請專利範圍 端送給該伺服器的一TCP SYN封包的表頭資料及封包的收 集時間,並且該TCP連結資訊還包括由該伺服器針對該TCP SYN封包回送給該用戶端的一TCP SYN-ACK封包的表頭資料 及封包的收集時間。 7. 如申請專利範圍第1項所述之運用於入侵偵測系統 的網路攻擊阻止方法,其中在該入侵偵測系統收集到由該 受保護伺服器傳送至該用戶端的一TCP SYN-ACK封包之 後,該入侵偵測系統係立即產生及傳送一份該T C P A C K封 包給該受保護伺服器。 8. 如申請專利範圍第1項所述之運用於入侵偵測系統 的網路攻擊阻止方法,進一步包括: 若有收集到該用戶端,針對該TCP SYN-ACK封包回送 給該受保護伺服器且符合TCP通訊協定規定的一TCP ACK封 包,則清除往來該用戶端與該受保護伺服器之間的該T C P 連結資訊。 9. 如申請專利範圍第1項所述之運用於入侵偵測系統 的網路攻擊阻止方法,進一步包括: 若有收集到該用戶端或該受保護伺服器送給對方符合 T C P通訊協定規定的一 T C P R E S E T封包,則清除往來該用戶 端與該受保護伺服器之間的該TCP連結資訊。 10. —種運用於入侵偵測系統的網路攻擊阻止與攻擊 •減損方法,該方法至少包含: 收集一用戶端與一受保護伺服器之間所往來的一TCP 通訊資料;12588twf-l.ptd Page 26 1258286 VI. The scope of the TCP SYN packet sent to the server and the collection time of the packet, and the TCP connection information also includes the TCP SYN for the server. The header data and the collection time of the packet sent back to the client for a TCP SYN-ACK packet. 7. The method for preventing network attack detection applied to an intrusion detection system according to claim 1, wherein the intrusion detection system collects a TCP SYN-ACK transmitted by the protected server to the client. After the packet is encapsulated, the intrusion detection system immediately generates and transmits a copy of the TCPACK packet to the protected server. 8. The network attack prevention method applied to the intrusion detection system according to claim 1, further comprising: if the user is collected, the TCP SYN-ACK packet is sent back to the protected server. And conforming to a TCP ACK packet specified by the TCP protocol, the TCP connection information between the client and the protected server is cleared. 9. The method for preventing network attack applied to an intrusion detection system according to claim 1, further comprising: if the user is collected or the protected server is sent to the other party to comply with the provisions of the TCP protocol A TCPRESET packet clears the TCP connection information between the client and the protected server. 10. A network attack prevention and attack applied to an intrusion detection system. The method of impairment includes at least: collecting a TCP communication data between a client and a protected server; 12588twf-1.ptd 第27頁 1258286 六、申請專利範圍 記錄該用戶端與該受保護伺服器之間所往來的一TCP 連結資訊; 若是該受保護伺服器處在半開連結的狀態下,則產生 及傳送符合TCP通訊協定規定的一TCP ACK封包給該受保護 伺服器;以及 在產生及傳送該TCP ACK封包一段時間之後,若仍未 收集到該用戶端回應給該受保護伺服器之一TCP ACK封 包,則針對該TCP連結產生及傳送一TCP RESET封包給該受 保護伺服器。 1 1 .如申請專利範圍第1 0項所述之運用於入侵偵測系 統的網路攻擊阻止與攻擊減損方法,其中該受保護伺服器 的指定係藉由使用者設定的多數個I P位址、多數個I P位址 範圍或其組合所達成。 1 2.如申請專利範圍第1 0項所述之運用於入侵偵測系 統的網路攻擊阻止與攻擊減損方法,其中該入侵偵測系統 包括主機型的入侵偵測系統。 1 3.如申請專利範圍第1 0項所述之運用於入侵偵測系 統的網路攻擊阻止與攻擊減損方法,其中該入侵偵測系統 包括網路型監聽模式入侵偵測系統。 1 4.如申請專利範圍第1 0項所述之運用於入侵偵測系 統的網路攻擊阻止與攻擊減損與攻擊減損方法,其中該入 侵偵測系統包括網路型阻絕模式入侵偵測系統。 1 5.如申請專利範圍第1 0項所述之運用於入侵偵測系 統的網路攻擊阻止與攻擊減損方法,其中該TCP連結資訊12588twf-1.ptd Page 27 1258286 VI. The patent application scope records a TCP connection information between the client and the protected server; if the protected server is in a half-open state, it is generated. And transmitting a TCP ACK packet conforming to the TCP protocol to the protected server; and after generating and transmitting the TCP ACK packet for a period of time, if the client has not collected the TCP response to the protected server The ACK packet generates and transmits a TCP RESET packet to the protected server for the TCP connection. 1 1 . The network attack prevention and attack impairment method applied to an intrusion detection system as described in claim 10, wherein the protected server is specified by a plurality of IP addresses set by a user. , a majority of IP address ranges or a combination of them. 1 2. The network attack prevention and attack impairment method applied to the intrusion detection system as described in claim 10, wherein the intrusion detection system includes a host type intrusion detection system. 1 3. The network attack prevention and attack impairment method applied to the intrusion detection system as described in claim 10, wherein the intrusion detection system includes a network type listening mode intrusion detection system. 1 4. The network attack prevention and attack impairment and attack impairment methods applied to the intrusion detection system as described in claim 10, wherein the intrusion detection system comprises a network type blocking mode intrusion detection system. 1 5. The network attack prevention and attack impairment method applied to the intrusion detection system as described in claim 10, wherein the TCP connection information 12588twf-l.ptd 第28頁 1258286 六、申請專利範圍 包括由該用戶端送給該伺服器的一 T c p S γ N封包的表頭資 料及封包的收集時間,並且該TCP連結資訊還包括由該伺 服器針對該TCP SYN封包回送給該用戶端的一TCP SYN-ACK 封包的表頭資料及封包的收集時間。 1 6 ·如申請專利範圍第1 〇項所述之運用於入侵偵測系 統的網路攻擊阻止與攻擊減損方法,其中在該入侵偵測系 統收集到由該受保護伺服器傳送至該用戶端的一TCP S Y N _ A C K封包之後’該入侵偵測系統係立即產生及傳送一 份該T C P A C K封包給該受保護伺服器。 1 7 ·如申請專利範圍第1 0項所述之運用於入侵偵測系 統的網路攻擊阻止與攻擊減損方法,進一步包括: 若有收集到該用戶端,針對該T C P S Y N - A C K封包回送 給該受保護伺服器且符合TCP通訊協定規定的一TCP ACK封 包,則清除往來該用戶端與該受保護伺服器之間的該了(:^ 連結資訊。 1 8 ·如申請專利範圍第1 0項所述之運用於入侵偵測系 統的網路攻擊阻止與攻擊減損方法,進一步包括: 若有收集到該用戶端或該受保護伺服器送給對方且符 合TCP通訊協定規定的一TCP RESET封包,則清除往來該用 戶端與該受保護伺服器之間的該TCP連結資訊。 1 9 ·如申請專利範圍第1 0項所述之運用於入侵偵測系 統的網路攻擊阻止與攻擊減損方法,進一步包括: 在產生及傳送該TCP RESET封包給該受保護伺服器之 後,清除往來該用戶端與該受保護伺服器之間的該T C P連12588twf-l.ptd Page 28 1258286 VI. The patent application scope includes the header data of a T cp S γ N packet sent by the client to the server and the collection time of the packet, and the TCP connection information also includes The server collects header data and packet collection time of a TCP SYN-ACK packet sent back to the UE for the TCP SYN packet. 1 6 - The network attack prevention and attack impairment method applied to the intrusion detection system, as described in claim 1, wherein the intrusion detection system collects the transmitted by the protected server to the client After a TCP SYN_ACK packet, the intrusion detection system immediately generates and transmits a copy of the TCPACK packet to the protected server. 1 7 · The network attack prevention and attack impairment method applied to the intrusion detection system as described in claim 10, further comprising: if the user is collected, the TCPSYN-ACK packet is sent back to the TCPSYN-ACK packet The protected server conforms to a TCP ACK packet specified by the TCP protocol, and clears the connection between the client and the protected server (:^ link information. 1 8 · If the patent application scope is item 10 The network attack prevention and attack impairment method applied to the intrusion detection system further includes: if a TCP RESET packet is collected from the client or the protected server is sent to the other party and conforms to the TCP protocol, Clearing the TCP connection information between the client and the protected server. 1 9 · The network attack prevention and attack impairment method applied to the intrusion detection system as described in claim 10, The method further includes: after generating and transmitting the TCP RESET packet to the protected server, clearing the TCP connection between the client and the protected server 12588twf,l.ptd 第29頁12588twf, l.ptd第29页
TW93103139A 2003-12-26 2004-02-11 Methods for intrusion detection system (IDS) thwarting and mitigating network attacks TWI258286B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW93103139A TWI258286B (en) 2003-12-26 2004-02-11 Methods for intrusion detection system (IDS) thwarting and mitigating network attacks

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
TW92136977 2003-12-26
TW93103139A TWI258286B (en) 2003-12-26 2004-02-11 Methods for intrusion detection system (IDS) thwarting and mitigating network attacks

Publications (2)

Publication Number Publication Date
TW200522638A TW200522638A (en) 2005-07-01
TWI258286B true TWI258286B (en) 2006-07-11

Family

ID=37765222

Family Applications (1)

Application Number Title Priority Date Filing Date
TW93103139A TWI258286B (en) 2003-12-26 2004-02-11 Methods for intrusion detection system (IDS) thwarting and mitigating network attacks

Country Status (1)

Country Link
TW (1) TWI258286B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101789947A (en) * 2010-02-21 2010-07-28 成都市华为赛门铁克科技有限公司 Method and firewall for preventing HTTP POST flooding attacks
US8117658B2 (en) 2008-09-04 2012-02-14 Hon Hai Precision Industry Co., Ltd. Access point, mobile station, and method for detecting attacks thereon

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8117658B2 (en) 2008-09-04 2012-02-14 Hon Hai Precision Industry Co., Ltd. Access point, mobile station, and method for detecting attacks thereon
CN101789947A (en) * 2010-02-21 2010-07-28 成都市华为赛门铁克科技有限公司 Method and firewall for preventing HTTP POST flooding attacks
CN101789947B (en) * 2010-02-21 2012-10-03 成都市华为赛门铁克科技有限公司 Method and firewall for preventing HTTP POST flooding attacks

Also Published As

Publication number Publication date
TW200522638A (en) 2005-07-01

Similar Documents

Publication Publication Date Title
US10097578B2 (en) Anti-cyber hacking defense system
US6816910B1 (en) Method and apparatus for limiting network connection resources
Cambiaso et al. Slow DoS attacks: definition and categorisation
US8245300B2 (en) System and method for ARP anti-spoofing security
US7478429B2 (en) Network overload detection and mitigation system and method
Cambiaso et al. Taxonomy of slow DoS attacks to web applications
US20130219502A1 (en) Managing a ddos attack
US9253153B2 (en) Anti-cyber hacking defense system
CN110266678B (en) Security attack detection method and device, computer equipment and storage medium
JP2005135420A (en) Host based network intrusion detection system and method, and computer-readable medium
Ricciulli et al. TCP SYN flooding defense
Mittal et al. A review of DDOS attack and its countermeasures in TCP based networks
Kavisankar et al. A mitigation model for TCP SYN flooding with IP spoofing
US20040250158A1 (en) System and method for protecting an IP transmission network against the denial of service attacks
Xiao et al. A novel approach to detecting DDoS attacks at an early stage
Yuvaraj et al. Some investigation on DDOS attack models in mobile networks
Singh et al. Analysis of Botnet behavior using Queuing theory
Safa et al. A collaborative defense mechanism against SYN flooding attacks in IP networks
Rana et al. A Study and Detection of TCP SYN Flood Attacks with IP spoofing and its Mitigations
Wang et al. A multi-layer framework for puzzle-based denial-of-service defense
Balaban Denial-of-service attack
Al-Duwairi et al. Distributed packet pairing for reflector based DDoS attack mitigation
Chen et al. DAW: A distributed antiworm system
TWI258286B (en) Methods for intrusion detection system (IDS) thwarting and mitigating network attacks
Chen et al. An Internet-worm early warning system

Legal Events

Date Code Title Description
MK4A Expiration of patent term of an invention patent