US-12627682-B2 - Method for identifying source address of packet and apparatus
Abstract
This application discloses a method for identifying a source address of a packet and an apparatus, and pertains to the field of network security. A protecting device intercepts a packet whose destination address is an IP address of a protected device, where the protected device provides a service according to the QUIC protocol. The protecting device sends a retry packet to a source address of the packet in response to that the packet is an initial packet. The protecting device identifies the source address of the packet as an attack source address if the protecting device receives no response packet corresponding to the retry packet. The protecting device determines the source address of the intercepted initial packet to identify an attack source address used by an attacker, and subsequently prevents only packets from the attack source address from being sent to the protected device.
Inventors
- Bo Wu
Assignees
- HUAWEI TECHNOLOGIES CO., LTD.
Dates
- Publication Date: 2026-05-12
- Application Date: 2024-03-19
- Priority Date: 2021-10-15
Claims (20)
- 1. A method for identifying a source address of a packet, comprising: intercepting, by a protecting device, a first packet whose destination address is an internet protocol (IP) address of a protected device, wherein the protected device provides a service according to a quick user datagram protocol internet connections (QUIC) protocol; sending, by the protecting device, a first retry packet to a source address of the first packet in response to determining that the first packet is an initial packet, wherein the first retry packet is sent carrying a first indication; identifying, by the protecting device, the source address of the first packet as a normal source address in response to when the protecting device receives a response packet corresponding to the first retry packet, wherein the response packet is a packet whose source address is the source address of the first packet, whose destination address is the IP address of the protected device, and that carries the first indication; and identifying, by the protecting device, the source address of the first packet as an attack source address in accordance with when the protecting device receives no response packet corresponding to the first retry packet.
- 2. The method according to claim 1, wherein identifying the source address of the first packet as the attack source address comprises: updating, by the protecting device, a verification failure count corresponding to the source address of the first packet in accordance with when the protecting device receives no response packet corresponding to the first retry packet; and identifying, by the protecting device, the source address of the first packet as the attack source address in accordance with when the updated verification failure count reaches a threshold.
- 3. The method according to claim 1, wherein before sending the first retry packet to the source address of the first packet, the method further comprises: generating, by the protecting device, the first indication based on a current timestamp.
- 4. The method according to claim 1, further comprising: sending, by the protecting device, a connection close packet to the source address of the first packet, wherein the connection close packet indicates to end a current connection for a device sending the first packet to resend the initial packet to the protected device when the device needs to access the protected device.
- 5. The method according to claim 1, wherein sending the first retry packet to the source address of the first packet in response to determining that the first packet is the initial packet comprises: sending, by the protecting device, the first retry packet to the source address of the first packet in response to determining that the source address of the first packet is an unknown address and the first packet is the initial packet.
- 6. The method according to claim 5, further comprising: intercepting, by the protecting device, a second packet whose destination address is the IP address of the protected device; and discarding, by the protecting device, the second packet in response to determining that a source address of the second packet is an unknown address and the second packet is not an initial packet.
- 7. The method according to claim 1, wherein before sending the first retry packet to the source address of the first packet, the method further comprises: generating, by the protecting device, the first indication based on a random number.
- 8. The method according to claim 7, wherein the response packet is an initial packet.
- 9. The method according to claim 7, wherein the first indication is in each of a token field of the first retry packet and a token field of the response packet.
- 10. The method according to claim 1, wherein before sending the first retry packet to the source address of the first packet, the method further comprises: generating, by the protecting device, the first indication based on target field content in a packet header of the first packet.
- 11. The method according to claim 10, wherein generating the first indication based on the target field content in the packet header of the first packet comprises: performing, by the protecting device, a target operation on the target field content to obtain the first indication, wherein the target operation comprises one or more of a summation operation, an exclusive OR operation, or a hash operation.
- 12. The method according to claim 11, further comprising: after receiving a packet whose source address is the source address of the first packet and whose destination address is the IP address of the protected device, performing, by the protecting device, the target operation on the target field content in a packet header of the packet to obtain a second indication; and in accordance with when a specified field of the packet carries the second indication, determining that the response packet is received, wherein the specified field is a pre-agreed field in which the response packet needs to carry the first indication.
- 13. The method according to claim 10, wherein the target field content comprises one or more of a source IP address, a source port number, a destination IP address, a destination port number, a source connection identifier, or a destination connection identifier.
- 14. The method according to claim 1, wherein before intercepting the first packet whose destination address is the IP address of the protected device, the method further comprises: determining, by the protecting device, that the protected device is under a traffic attack.
- 15. A protecting device, comprising: at least one processor; and a memory configured to store program instructions, which when executed by the at least one processor, cause the protecting device to perform operations, the operations comprising: intercepting a first packet whose destination address is an internet protocol (IP) address of a protected device, wherein the protected device provides a service according to a quick user datagram protocol internet connections (QUIC) protocol; sending a first retry packet to a source address of the first packet in response to determining that the first packet is an initial packet, wherein the first retry packet is sent carrying a first indication; identifying, by the protecting device, the source address of the first packet as a normal source address in response to when the protecting device receives a response packet corresponding to the first retry packet, wherein the response packet is a packet whose source address is the source address of the first packet, whose destination address is the IP address of the protected device, and that carries the first indication; and identifying the source address of the first packet as an attack source address in accordance with when the protecting device receives no response packet corresponding to the first retry packet.
- 16. The protecting device according to claim 15, wherein the operations further comprise: updating a verification failure count corresponding to the source address of the first packet if the protecting device receives no response packet corresponding to the first retry packet; and identifying the source address of the first packet as the attack source address if the updated verification failure count reaches a threshold.
- 17. The protecting device according to claim 15, wherein before sending the first retry packet to the source address of the first packet, the operations further comprise: generating, by the protecting device, the first indication based on a current timestamp.
- 18. The protecting device according to claim 15, wherein the operations further comprise: sending a connection close packet to the source address of the first packet, wherein the connection close packet indicates to end a current connection for a device sending the first packet to resend the initial packet to the protected device when the device needs to access the protected device.
- 19. The protecting device according to claim 15, wherein the operations further comprise: sending the first retry packet to the source address of the first packet in response to determining that the source address of the first packet is an unknown address and the first packet is the initial packet.
- 20. A non-transitory computer-readable storage medium having instructions stored therein, which when executed by a processor, cause a protecting device to perform operations, the operations comprising: intercepting a first packet whose destination address is an internet protocol (IP) address of a protected device, wherein the protected device provides a service according to a quick user datagram protocol internet connections (QUIC) protocol; sending a first retry packet to a source address of the first packet in response to determining that the first packet is an initial packet, wherein the first retry packet is sent carrying a first indication; identifying, by the protecting device, the source address of the first packet as a normal source address in response to when the protecting device receives a response packet corresponding to the first retry packet, wherein the response packet is a packet whose source address is the source address of the first packet, whose destination address is the IP address of the protected device, and that carries the first indication; and identifying the source address of the first packet as an attack source address in accordance with when the protecting device receives no response packet corresponding to the first retry packet.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
This application is a continuation of International Application No. PCT/CN2022/091003, filed on May 5, 2022, which claims priority to Chinese Patent Application No. 202111203775.5, filed on Oct. 15, 2021. The disclosures of the aforementioned applications are hereby incorporated by reference in their entireties.
TECHNICAL FIELD
This application relates to the field of network security, and in particular, to a method for identifying a source address of a packet and an apparatus.
BACKGROUND
A denial of service (DoS) attack is a network attack method. The principle of a DoS attack is that an attacker (also referred to as a hacker) controls a controlled computer to send a large quantity of packets to an attack target, so that the attack target is busy processing the packets from the attacker, thereby exhausting system resources such as the computing resources and network resources of the attack target. As a result, the attack target cannot respond to service requests from normal users. A DoS attack that the attacker launches from two or more controlled computers in a network is referred to as a distributed denial of service (DDoS) attack. A user datagram protocol (UDP) flood attack is a type of DDoS attack that causes great harm and is difficult to defend against. The attacker launches the UDP flood attack by sending a large quantity of UDP packets to the attack target. The conventional UDP flood attack defense solution depends on the rate limiting mechanism of a firewall. Specifically, the firewall uses the internet protocol (IP) address of a protected server as a statistical object and collects statistics on the transmission rate of packets whose destination address is that IP address. If the transmission rate exceeds a threshold, the firewall discards subsequent packets that access the protected server.
However, in the foregoing manner, the firewall cannot identify whether a packet is a normal packet from a normal client or an attack packet from an attacker. As a result, normal packets may also be discarded by the firewall, thereby damaging the normal service.
SUMMARY
This application provides a method for identifying a source address of a packet and an apparatus, to resolve the current problem that a normal service may be damaged because a firewall cannot identify whether a packet is from a normal client or from an attacker. According to a first aspect, a method for identifying a source address of a packet is provided. A protecting device intercepts a first packet whose destination address is an IP address of a protected device, and the protected device provides a service according to the quick UDP internet connections (QUIC) protocol. In response to the first packet being an initial packet, the protecting device sends a first retry packet to the source address of the first packet. If the protecting device receives no response packet corresponding to the first retry packet, the protecting device identifies the source address of the first packet as an attack source address. In the QUIC protocol, when a client wants to access the protected device, the client first needs to establish a communication connection to the protected device. In the process of establishing the communication connection, the client sends an initial packet to the protected device. In an embodiment, the protecting device intercepts packets sent to the protected device and sends a retry packet to the source address of each intercepted initial packet. A normal client that receives the retry packet responds to it, that is, sends a response packet corresponding to the retry packet. An attacker, by contrast, sends packets to the protected device from a forged source IP address and therefore never sees, and does not respond to, the retry packet.
Based on this, in an embodiment, the protecting device can determine, based on whether the response packet corresponding to the retry packet is received, whether the source address of the intercepted initial packet is an attack source address or a normal source address. In this way, the source address of the packet is effectively identified. Further, the protecting device treats a packet from the attack source address as an attack packet and prevents it from being sent to the protected device, while it treats a packet from the normal source address as a normal packet and forwards it to the protected device. This not only effectively defends against an attack but also keeps the normal service running, thereby improving its reliability. In an embodiment, if the protecting device receives no response packet corresponding to the first retry packet, the protecting device updates a verification failure count corresponding to the source address of the first packet. If the updated verification failure count corresp
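The retry-and-verify flow described in the summary and claims 1, 2 and 6, as an added Python example that is not part of the patent or of any Huawei implementation: packets are simplified to a dataclass instead of parsed QUIC long headers, the first indication is an HMAC over the source address, destination address, connection ID and a timestamp bucket (a constructed combination of the options in claims 3, 10 and 11), and the retry timer is driven by calling `expire()` by hand. The protected IP, ports, key and threshold are constructed values.

```python
import hmac, hashlib, os, time
from dataclasses import dataclass

@dataclass
class Pkt:
    src: tuple          # (ip, port) of the sender
    dst: str            # destination IP (the protected device)
    kind: str           # "initial", "retry", "handshake", ...
    dcid: bytes = b""   # destination connection ID from the long header
    token: bytes = b""  # token field, carries the "first indication"

class ProtectingDevice:
    def __init__(self, protected_ip, threshold=3, key=None):
        self.protected_ip, self.threshold = protected_ip, threshold
        self.key = key or os.urandom(32)  # secret used to derive the indication
        self.normal, self.attack = set(), set()
        self.failures, self.pending = {}, {}  # src -> fail count / expected token
        self.outbox = []                  # packets the device would transmit

    def _indication(self, pkt):
        # HMAC over header fields plus a coarse timestamp (claims 3, 10, 11).
        bucket = int(time.time()) // 60
        msg = f"{pkt.src[0]}|{pkt.src[1]}|{pkt.dst}|{bucket}".encode() + pkt.dcid
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:16]

    def handle(self, pkt):
        """Return 'forward', 'retry' or 'drop' for one intercepted packet."""
        if pkt.dst != self.protected_ip or pkt.src in self.attack:
            return "drop"
        if pkt.src in self.normal:
            return "forward"              # already verified source address
        if pkt.kind != "initial":
            return "drop"                 # claim 6: unknown source, not initial
        expected = self.pending.get(pkt.src)
        if expected and pkt.token and hmac.compare_digest(pkt.token, expected):
            self.normal.add(pkt.src)      # response carried the indication
            self.pending.pop(pkt.src)
            return "forward"
        tok = self._indication(pkt)       # first initial, or bad token: retry
        self.pending[pkt.src] = tok
        self.outbox.append(Pkt((self.protected_ip, 443), pkt.src[0], "retry", token=tok))
        return "retry"

    def expire(self, src):
        """Retry timer fired without a response: count a failure (claim 2)."""
        if src in self.normal:
            return False
        self.pending.pop(src, None)
        self.failures[src] = self.failures.get(src, 0) + 1
        if self.failures[src] >= self.threshold:
            self.attack.add(src)          # stop forwarding this source's packets
        return src in self.attack
```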