
CN-122001656-A - Network attack protection method and device, electronic equipment and storage medium

CN122001656A

Abstract

The application discloses a network attack protection method and device, an electronic device and a storage medium, in the technical field of computers. The method comprises: dynamically monitoring host traffic according to a defense level; tracking connection state by combining four-tuple information with a timestamp; judging a connection suspicious by combining two thresholds, a timeout and a repeat count; and releasing half-connection resources by issuing a temporary discard policy with an automatic expiry time. This avoids the limitations of single-dimension monitoring and the lack of a dynamic resource release mechanism. In the prior art, single-dimension traffic monitoring misses attacks between internal virtual machines, and the absence of a dynamic resource release mechanism raises the risk of server resource exhaustion, which harms the overall defense efficiency and service continuity of the system. The method reduces missed internal attacks, releases half-connection resources in time and lowers the risk of resource exhaustion, thereby improving the defense efficiency and service continuity of the system.

Inventors

  • ZHANG ZHAOZENG

Assignees

  • 济南浪潮数据技术有限公司

Dates

Publication Date
2026-05-08
Application Date
2026-02-10

Claims (10)

  1. A method for protecting against network attacks, comprising: dynamically monitoring the ingress traffic of the physical network card of the host on which the target virtual machine is located, according to a defense level configured by the user; receiving a transmission control protocol (TCP) message and identifying a preset field to obtain four-tuple information; dynamically updating a connection state record in a state database based on the four-tuple information and the timestamp of the first message; periodically traversing the state database and, based on a preset timeout threshold and a preset repeat-count threshold, jointly judging that a connection which has not completed the handshake is a suspicious connection; and in response to judging a connection suspicious, locating the target host of the suspicious connection, issuing a temporary discard policy to the virtual switch to release half-connection resources, and at the same time setting the automatic expiry time of the policy and notifying the user.
  2. The method of claim 1, wherein dynamically monitoring the ingress traffic of the physical network card of the host on which the target virtual machine is located according to the defense level configured by the user further comprises: in response to the defense level being high, also monitoring the egress traffic of the virtual network cards of all virtual machines.
  3. The method of claim 1, wherein dynamically monitoring the ingress traffic of the physical network card of the host on which the target virtual machine is located according to the defense level configured by the user comprises: in response to the defense level being low, monitoring and counting the messages in the ingress traffic of the host's physical network card.
  4. The method of claim 2, wherein monitoring the virtual network card egress traffic of all virtual machines in response to the defense level being high comprises: monitoring and counting the messages in the ingress traffic of the host's physical network card and in the egress traffic of the virtual network cards of all virtual machines; and exchanging the source internet protocol (IP) address, destination IP address and ports of the messages in the egress traffic in order to update the state database.
  5. The method of claim 1, wherein dynamically updating the connection state record in the state database based on the four-tuple information and the timestamp of the first message comprises: when a message without the acknowledgement (ACK) flag bit is received, if no corresponding four-tuple record exists in the state database, adding the record, initializing its count and recording the timestamp of the first message; when a message with the ACK flag bit is received, if the message matches a record in the state database, deleting the record; and if the message comes from a virtual network card, exchanging the source and destination IP addresses, matching the source and destination ports again and deleting the corresponding record.
  6. The method of claim 1, wherein periodically traversing the state database and jointly judging that a connection which has not completed the handshake is a suspicious connection based on a preset timeout threshold and a preset repeat-count threshold comprises: if the time difference between the first timestamp recorded for a connection and the current time exceeds the preset timeout threshold, judging the connection timeout-suspicious; and if the count of a connection record reaches or exceeds the preset repeat-count threshold and no corresponding message has been received, judging the connection repeat-suspicious.
  7. The method according to claim 1, further comprising: when the source IP address of the suspicious connection is detected to belong to an IP whitelist configured by the user, not executing the discard policy, marking the source IP address as exempt, and at the same time recording an exemption log and notifying the user.
  8. A network attack protection device, comprising: a monitoring unit for dynamically monitoring the ingress traffic of the physical network card of the host on which the target virtual machine is located, according to the defense level configured by the user; a receiving unit for receiving a TCP message and identifying a preset field to obtain four-tuple information; an updating unit for dynamically updating the connection state record in the state database based on the four-tuple information and the timestamp of the first message; a judging unit for periodically traversing the state database and jointly judging that a connection which has not completed the handshake is a suspicious connection, based on a preset timeout threshold and a preset repeat-count threshold; and a sending unit for, in response to judging a connection suspicious, locating the target host of the suspicious connection, issuing a temporary discard policy to the virtual switch to release half-connection resources, setting the automatic expiry time of the policy and notifying the user.
  9. An electronic device, comprising: a memory for storing a computer program; and a processor for implementing the steps of the network attack protection method according to any one of claims 1 to 7 when the computer program is executed.
  10. A computer-readable storage medium, characterized in that a computer program is stored therein, wherein the computer program, when executed by a processor, implements the steps of the network attack protection method according to any one of claims 1 to 7.
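The connection-state tracking and response of claims 4 to 7, as an added example that is not part of the patent or of the applicant's code. It assumes a Python class named ConnTracker with a dictionary as the state database, a VM-address-to-host lookup table used to locate the target host, and constructed sample packets using documentation addresses; matching ACK-flagged messages seen on a VM's virtual network card after exchanging addresses and ports is one reading of claims 4 and 5.

```python
"""Added example (not the patent's own code): a small SYN half-connection tracker
modelled on claims 1 and 4 to 7. All names, the VM-to-host map and the packets are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

FourTuple = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)

@dataclass
class ConnRecord:
    first_ts: float  # timestamp of the first SYN seen for this four-tuple
    count: int = 1   # SYNs seen for the tuple with no matching ACK

@dataclass
class DropPolicy:
    target_host: str   # host whose virtual switch receives the temporary rule
    src_ip: str
    expires_at: float  # automatic expiry time of the rule

class ConnTracker:
    def __init__(self, timeout_s: float, repeat_threshold: int, policy_ttl_s: float,
                 vm_host: Dict[str, str], whitelist: Set[str] = frozenset()):
        self.db: Dict[FourTuple, ConnRecord] = {}  # the "state database"
        self.timeout_s, self.repeat_threshold = timeout_s, repeat_threshold
        self.policy_ttl_s = policy_ttl_s
        self.vm_host = vm_host            # VM IP -> host it runs on (assumed lookup)
        self.whitelist = set(whitelist)
        self.policies: List[DropPolicy] = []
        self.log: List[str] = []          # user notifications and exemption log

    @staticmethod
    def _swapped(key: FourTuple) -> FourTuple:
        # Exchange source/destination IP and port for VM egress traffic (claims 4, 5).
        src_ip, src_port, dst_ip, dst_port = key
        return (dst_ip, dst_port, src_ip, src_port)

    def observe(self, pkt: dict, now: float, from_vnic: bool = False) -> None:
        """Update the state database from one TCP message (claim 5)."""
        key = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
        if not pkt["ack"]:
            # No ACK flag: add the record, or bump the repeat count of an existing one.
            rec = self.db.get(key)
            if rec is None:
                self.db[key] = ConnRecord(first_ts=now)
            else:
                rec.count += 1
            return
        # ACK flag set: delete the matching record. On a vNIC the direction is
        # reversed, so match again after swapping addresses and ports.
        if self.db.pop(key, None) is None and from_vnic:
            self.db.pop(self._swapped(key), None)

    def sweep(self, now: float) -> List[Tuple[FourTuple, str]]:
        """Periodic traversal applying the timeout and repeat-count tests (claim 6)."""
        flagged = []
        for key, rec in self.db.items():
            if now - rec.first_ts > self.timeout_s:
                flagged.append((key, "timeout"))
            elif rec.count >= self.repeat_threshold:
                flagged.append((key, "repeat"))
        for key, reason in flagged:
            self._respond(key, reason, now)
        return flagged

    def _respond(self, key: FourTuple, reason: str, now: float) -> None:
        src_ip, _, dst_ip, _ = key
        host = self.vm_host.get(dst_ip, "unknown-host")  # locate the target host
        del self.db[key]  # release the half-connection record either way
        if src_ip in self.whitelist:
            # Claim 7: a whitelisted source is exempted and logged, not dropped.
            self.log.append(f"exempt {src_ip} ({reason}) on {host}")
            return
        self.policies.append(DropPolicy(host, src_ip, now + self.policy_ttl_s))
        self.log.append(f"temporary drop of {src_ip} on {host} ({reason})")

    def active_policies(self, now: float) -> List[DropPolicy]:
        """Discard rules whose expiry time has passed and return the rest."""
        self.policies = [p for p in self.policies if p.expires_at > now]
        return list(self.policies)

def demo() -> ConnTracker:
    """Feed the tracker constructed sample traffic (documentation addresses)."""
    t = ConnTracker(timeout_s=5.0, repeat_threshold=3, policy_ttl_s=60.0,
                    vm_host={"10.0.0.10": "host-a", "10.0.0.30": "host-b"},
                    whitelist={"203.0.113.9"})
    def pkt(src, sport, dst, dport, ack):
        return {"src_ip": src, "src_port": sport, "dst_ip": dst, "dst_port": dport, "ack": ack}
    # 1. External source repeats its SYN three times and never completes the handshake.
    for ts in (0.0, 0.4, 0.8):
        t.observe(pkt("203.0.113.5", 40000, "10.0.0.10", 80, False), now=ts)
    # 2. Legitimate client: SYN on ingress, then the VM's ACK reply seen on its vNIC
    #    (reversed direction) clears the record after the swap.
    t.observe(pkt("198.51.100.7", 50000, "10.0.0.10", 80, False), now=0.2)
    t.observe(pkt("10.0.0.10", 80, "198.51.100.7", 50000, True), now=0.3, from_vnic=True)
    # 3. Internal VM attacking another VM, visible only on vNIC egress (high level).
    for ts in (1.0, 1.1, 1.2):
        t.observe(pkt("10.0.0.20", 45000, "10.0.0.30", 80, False), now=ts, from_vnic=True)
    # 4. Whitelisted source that never completes: times out but is only exempted.
    t.observe(pkt("203.0.113.9", 41000, "10.0.0.10", 80, False), now=0.0)
    return t

if __name__ == "__main__":
    tracker = demo()
    print(tracker.sweep(2.0), tracker.sweep(6.0), tracker.active_policies(70.0), tracker.log)
```

Running the file flags the two repeat-suspicious connections at the first sweep, exempts the whitelisted source at the second, and shows both temporary rules gone once their expiry time has passed. The record is deleted on any ACK-flagged message, as claim 5 states; an implementation that wants only the client's final ACK to clear the record would also check the SYN flag, which the claims do not mention.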

Description

Network attack protection method and device, electronic equipment and storage medium

Technical Field

The present application relates to the field of computer technologies, and in particular to a method and apparatus for protecting against network attacks, an electronic device, and a storage medium.

Background

A SYN flood attack is a typical form of distributed denial of service (DDoS) attack: by forging TCP connection requests it occupies a large amount of server resources and seriously threatens the stable operation of key infrastructure such as whole-rack servers. In the related art, a SYN message monitoring mechanism based on the ingress traffic of the physical network card is generally adopted, combined with state detection and discard policies for defense. This technical system covers the whole process from message identification and state recording to policy issuing, and comprises key links such as TCP protocol state tracking, firewall rule matching and network flow control. Because the prior art monitors traffic in a single dimension, attacks between internal virtual machines may be missed, and the lack of a dynamic resource release mechanism aggravates the risk of server resource exhaustion, affecting the overall defense efficiency and service continuity of the system.

Disclosure of Invention

The application provides a network attack protection method and device, an electronic device and a storage medium, which at least solve the problem in the related art that the lack of a dynamic resource release mechanism aggravates the risk of server resource exhaustion and so affects the overall defense efficiency and service continuity of the system.

The application provides a network attack protection method comprising the following steps: dynamically monitoring the ingress traffic of the physical network card of the host on which the target virtual machine is located, according to a defense level configured by the user; receiving a TCP message and identifying a preset field to obtain four-tuple information; dynamically updating a connection state record in a state database based on the four-tuple information and the timestamp of the first message; periodically traversing the state database and, based on a preset timeout threshold and a preset repeat-count threshold, jointly judging that a connection which has not completed the handshake is a suspicious connection; and in response to judging a connection suspicious, locating the target host of the suspicious connection, issuing a temporary discard policy to the virtual switch to release half-connection resources, and at the same time setting the automatic expiry time of the policy and notifying the user. Optionally, dynamically monitoring the ingress traffic of the physical network card of the host on which the target virtual machine is located according to the defense level configured by the user further includes: in response to the defense level being high, also monitoring the egress traffic of the virtual network cards of all virtual machines. Optionally, dynamically monitoring the ingress traffic of the physical network card of the host on which the target virtual machine is located according to the defense level configured by the user includes: in response to the defense level being low, monitoring and counting the messages in the ingress traffic of the host's physical network card.

Optionally, monitoring the virtual network card egress traffic of all virtual machines in response to the defense level being high includes: monitoring and counting the messages in the ingress traffic of the host's physical network card and in the egress traffic of the virtual network cards of all virtual machines; and exchanging the source IP address, destination IP address and ports of the messages in the egress traffic in order to update the state database. Optionally, dynamically updating the connection state record in the state database based on the four-tuple information and the timestamp of the first message includes: when a message without the ACK flag bit is received, if no corresponding four-tuple record exists in the state database, adding the record, initializing its count and recording the timestamp of the first message; when a message with the ACK flag bit is received, if the message matches a record in the state database, deleting the record; and if the message comes from a virtual network card, exchanging the source and destination IP addresses, matching the source and destination ports again and deleting the corresponding record. Optionally, periodically traversing the state database and, based on a preset timeout threshold and a preset repeat-count threshold, jointly judging that a connection with an incomplete handshake is a suspicious connectio