Title: Attack defense method and device
Abstract: An attack defense method and device, which relate to the communications field and effectively defend against a Secure Socket Layer (SSL) denial of service (DoS) attack behavior. The method includes: after a Transmission Control Protocol (TCP) connection to a client is established, the attack defense device receives a key negotiation request message sent by the client; when a session monitoring table of the client exists, the attack defense device determines whether a session identity exists in the session monitoring table of the client; when the session identity does not exist, the attack defense device records the session identity into the session monitoring table and determines whether the quantity of session identities of the client is greater than a first preset value; and when the quantity of session identities of the client is greater than the first preset value, disconnects the TCP connection.
Publication number: US9628441(B2) Publication date: 2017.04.18
Application number: US201514738159 Filing date: 2015.06.12
Applicant: HUAWEI TECHNOLOGIES CO., LTD. Inventor: Sun Hong
Classification: H04L29/06 Main classification: H04L29/06
Agency: Blakely, Sokoloff, Taylor & Zafman LLP Agent: Blakely, Sokoloff, Taylor & Zafman LLP
Main claim: 1. An attack defense method, comprising: receiving a key negotiation request message from the client after a Transmission Control Protocol (TCP) connection to a client is established, wherein the key negotiation request message comprises a source internet protocol (IP) address, a user name that is a machine name associated with the client and used to distinguish an independent access source, and a session identity of the client; determining, according to the source IP address and the user name of the client, whether a session monitoring table of the client exists, wherein the session monitoring table is used to record the source IP address, the user name, and the session identity of the client that has performed key negotiation; determining whether the session identity exists in the session monitoring table of the client when the session monitoring table of the client exists; recording the session identity into the session monitoring table when the session identity does not exist in the session monitoring table; determining whether a quantity of the session identities of the client in the session monitoring table is greater than a first preset value; and disconnecting the TCP connection when the quantity of the session identities of the client in the session monitoring table is greater than the first preset value.
Address: Shenzhen CN
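The following is an added worked example of the session-monitoring logic described in the abstract and claim 1 above; it is not code from the patent or from Huawei. It assumes the key negotiation request has already been parsed into the three fields the claim names (source IP, user name, session identity), and the value of the "first preset value" threshold is an assumption, since the page gives no number. The point it shows: a client that keeps reusing one session identity is never counted twice, while a client that presents a fresh session identity on every key negotiation (the renegotiation-flood pattern the patent defends against) crosses the threshold and has its TCP connection dropped.

```python
"""Session-monitoring table per US9628441 claim 1 (added example, not the
patent's own code). The threshold value and the request record shape are
assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ALLOW = "allow"            # keep the TCP connection open
DISCONNECT = "disconnect"  # first preset value exceeded: drop the TCP connection


@dataclass(frozen=True)
class KeyNegotiationRequest:
    # The three fields the claim says the key negotiation request carries.
    source_ip: str
    user_name: str   # machine name used to distinguish an independent access source
    session_id: str  # session identity of the client


@dataclass
class SessionMonitor:
    # "first preset value": maximum distinct session identities per client
    # before the connection is disconnected. Assumed value; the patent gives none.
    first_preset_value: int = 5
    # One session monitoring table per client, keyed by (source IP, user name).
    tables: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)

    def handle(self, req: KeyNegotiationRequest) -> str:
        """Apply the claim's steps to one key negotiation request."""
        client = (req.source_ip, req.user_name)
        table = self.tables.get(client)
        if table is None:
            # No session monitoring table for this client yet: create one and
            # record the first session identity (the abstract only describes the
            # "table exists" branch; creating it on first sight is an assumption).
            self.tables[client] = {req.session_id}
            return ALLOW
        if req.session_id in table:
            # Known session identity: a legitimate resumption, not counted again.
            return ALLOW
        table.add(req.session_id)
        if len(table) > self.first_preset_value:
            # Too many distinct session identities from one client: the
            # renegotiation-flood signature. Disconnect the TCP connection.
            return DISCONNECT
        return ALLOW

    def session_count(self, source_ip: str, user_name: str) -> int:
        return len(self.tables.get((source_ip, user_name), set()))


def simulate(monitor: SessionMonitor,
             requests: List[KeyNegotiationRequest]) -> List[str]:
    """Run a constructed sequence of requests and return the per-request decisions."""
    return [monitor.handle(r) for r in requests]


def demo() -> Dict[str, List[str]]:
    """Constructed traffic: one well-behaved client, one flooding client."""
    monitor = SessionMonitor(first_preset_value=3)
    # Well-behaved client: renegotiates repeatedly but always resumes session "s0".
    benign = [KeyNegotiationRequest("192.0.2.10", "host-a", "s0") for _ in range(6)]
    # Flooding client: a brand-new session identity on every key negotiation.
    flood = [KeyNegotiationRequest("192.0.2.20", "host-b", f"s{i}") for i in range(5)]
    return {"benign": simulate(monitor, benign), "flood": simulate(monitor, flood)}


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(name, decisions)
```

Keying the table on (source IP, user name) rather than on the TCP connection alone is what lets the check survive a client that opens a new connection per negotiation; a practical deployment would also age entries out of the table so a long-lived benign client is not eventually penalised, which the claim text does not address.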