CN101102323A - Method and device for preventing DOS attack - Google Patents


Info

Publication number: CN101102323A
Authority: CN (China)
Prior art keywords: data message, incoming interface, interface information, sampled, equipment
Legal status: Granted (currently Expired - Fee Related)
Application number: CNA2007101405289A
Other languages: Chinese (zh)
Other versions: CN101102323B (en)
Inventor: 赵志旺
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Priority date: 2007-08-09
Filing date: 2007-08-09
Publication date: 2008-01-09

Events: application filed by Huawei Technologies Co Ltd; priority to CN2007101405289A (CN101102323B); publication of CN101102323A; priority to PCT/CN2008/071461 (WO2009018737A1); application granted; publication of CN101102323B; patent expired (fee related).

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441: Countermeasures against malicious traffic
    • H04L 63/1458: Denial of Service

Abstract

The method comprises: counting, according to CAR resources, the data packets dropped for a class of traffic; when the dropped-packet count for those data packets exceeds a threshold, extracting the ingress-interface information of the data packets; and, according to the ingress-interface information, performing flow control on the data packets entering through that ingress interface. The invention also discloses a corresponding network device.

Description

Method and apparatus for preventing DoS attacks
Technical field
The present invention relates to the field of network technology, and in particular to a method and apparatus for preventing DoS attacks.
Background
With the development of the Internet, network environments have grown increasingly complex and network attacks increasingly frequent. DoS (Denial of Service) attacks, including DDoS (Distributed Denial of Service) attacks, are the most common and do the most harm to network equipment. In a DoS attack, the attacker uses a large volume of packets or malformed packets to continually initiate connections to, or request responses from, a network device within a short time, so that the device is overloaded and cannot handle legitimate tasks; services become abnormal and the device may even be paralysed.
The prior art provides the following two schemes for preventing DoS attacks:
Prior art 1
DoS attacks are countered by rate limiting, that is, by restricting the volume of traffic sent up to the device per unit time, so as to protect the device.
The inventor found through analysis that, although prior art 1 can effectively mitigate the impact of a DoS attack on the network device, it protects the device simply by relying on a conventional, manually configured rate-limiting function and therefore still has the following deficiencies:
1. Once set, the rate-limit value is fixed, so after abnormal traffic is discarded the network device may continue to discard normal service packets, and normal services are affected. Normally, an attack on a certain protocol class causes device-level services to become abnormal, and the illegitimate user achieves the goal of the DoS attack; relying solely on a manually set rate-limit value to suppress the attack cannot effectively narrow the impact of the attack on the network device's services.
2. When an attack occurs, the network device is protected only by discarding packets; the attack cannot be traced to its source.
Prior art 2
Traffic on the device is sampled by deploying NetStream (network traffic sampling) equipment, and the sampled data is analysed to trace the DoS attack to its source, so as to guard against DoS attacks.
The inventor found through analysis that prior art 2 has the following deficiencies:
1. Equipment such as a NetStream server must be deployed, so the cost is high.
2. Enabling NetStream sampling has a considerable impact on the performance of the network device. In addition, a physical port of the device must be used to connect the server, which wastes network resources.
3. Because the server and the network device are separate devices, operation and maintenance management is much more difficult than for a single device.
Summary of the invention
Embodiments of the invention provide a method and apparatus for preventing DoS attacks, so as to trace an attack to its source and to ensure, to the greatest extent, that most services of the network device keep running normally while it is under attack.
An embodiment of the invention provides a method for preventing DoS attacks, comprising:
counting dropped data packets according to first-level CAR resources;
when it is determined that the dropped-packet count of the data packets exceeds a first threshold, extracting the ingress-interface information of the data packets;
performing flow control, according to the ingress-interface information, on the data packets entering through that ingress interface.
An embodiment of the invention also provides a network device, comprising:
a counting module, configured to count dropped data packets according to first-level CAR resources;
an extraction module, configured to extract the ingress-interface information of the data packets when it is determined that their dropped-packet count exceeds a first threshold;
a control module, configured to perform flow control, according to the ingress-interface information, on the data packets entering through that ingress interface.
In the embodiments of the invention, dropped data packets are counted according to first-level CAR resources; when the dropped-packet count of the data packets exceeds a first threshold, the packets can be determined to be DoS attack packets; extracting their ingress-interface information then traces the attack back to its source and provides a basis for preventing the DoS attack. Only the packets entering through that ingress interface need to be subjected to further flow control, rather than all packets processed by the network device, so the flow-control target is locked onto and the flow-control scope is narrowed, ensuring to the greatest extent that most of the device's services keep running normally under attack. Moreover, with the method of the embodiments the network device itself implements DoS prevention, without deploying a dedicated server or interacting with a server to prevent DoS attacks, which lowers operating cost, simplifies operation and maintenance, and further saves network resources.
Brief description of the drawings
Fig. 1 is a flowchart of preventing DoS attacks in an embodiment of the invention;
Fig. 2 is a flowchart of a specific example of preventing DoS attacks in an embodiment of the invention;
Figs. 3A, 3B, 3C, 3D and 3E are schematic structural diagrams of the network device in embodiments of the invention.
Detailed description of the embodiments
The method of the embodiments of the invention is described in detail below with reference to the accompanying drawings.
As shown in Fig. 1, in an embodiment of the invention the processing flow for preventing DoS attacks is as follows:
Step 11: count dropped data packets according to first-level CAR (Committed Access Rate) resources.
Step 12: when it is determined that the dropped-packet count of the data packets exceeds a first threshold, extract the ingress-interface information of the data packets.
Step 13: perform flow control, according to the extracted ingress-interface information, on the data packets entering through that ingress interface.
In step 11, the first threshold can be set according to the first-level CAR resources that have been delivered. In step 12, extracting the ingress-interface information of the data packets can comprise: sampling the data packets; analysing the sampled data; and extracting the ingress-interface information of the data packets from the analysis of the sampled data.
In an embodiment, after the data packets are sampled, the sampled data can be stored locally in a specified format, for example in Ethereal format. The sampled data can be stored in one of, or any combination of, the local RAM (Random Access Memory), NVRAM (Non-Volatile Random Access Memory), Compact Flash and FLASH memory.
In step 13, performing flow control on the data packets entering through that ingress interface according to the extracted ingress-interface information can comprise: starting second-level CAR according to the extracted ingress-interface information, that is, refining the CAR for this class of data packets so that CAR is applied on the basis of ingress-interface information and packet information, and delivering second-level CAR resources accordingly; then performing flow control on the data packets entering through that ingress interface according to the delivered second-level CAR resources. In an embodiment, a second threshold can be set according to the original first-level CAR and the subsequently started second-level CAR; when it is determined that the traffic of data packets through that ingress interface does not exceed the second threshold, the delivered second-level CAR resources can be reclaimed so that they can be reused when the device is attacked again.
As shown in Fig. 2, in a specific example the processing flow for preventing DoS attacks is as follows:
Step 21: the device is configured with the conventional CAR scheme, that is, CAR resources (first-level CAR resources) are allocated according to service classification, or policy, or to services that do not share at least one common characteristic.
Step 22: the device starts a monitoring system that monitors the first-level CAR drop counts in real time. When the monitoring system finds that a certain class of protocol packets is suffering a large number of drops, exceeding the set first threshold, this indicates that a DoS attack on that class of service is under way.
Step 23: when the monitoring system detects an attack, it triggers the device to start a learning mechanism, which learns the characteristic information of that class of packets at the configured sampling ratio within a preset time. The learned information can include ingress-interface information (such as VLAN, PORT) and packet content information.
Step 24: when the learning time reaches the set value, learning stops and the result is stored in the specified format. The specified format includes the Ethereal format, and the storage location includes the device's RAM, NVRAM, CF card or FLASH. In an embodiment, the device can provide an interactive means to query the sampled data, and can also provide an interactive means to trigger learning manually.
Step 25: the device analyses the data characteristics from the learned content and starts second-level CAR according to the ingress-interface information of that class of packets, that is, it refines the CAR for that class of protocol packets so that CAR is applied on the basis of sub-interface and protocol information. This ensures that when a DoS attack occurs it affects only the services on the ingress interface where the attack arrives, while services on the device's other interfaces can recover and run normally.
Step 26: the device keeps monitoring the DoS attack situation. If it finds that this class of DoS attack no longer exists, that is, the dropped-packet count no longer exceeds the second threshold, it reclaims the intelligently delivered second-level CAR resources, and the system continues to run according to the original first-level CAR scheme. When the device is attacked again, the second-level CAR resources can be reused.
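As an added illustration of steps 21 to 26 (example code, not the patent's or Huawei's own implementation), the following Python simulation models a class-wide first-level CAR with per-window drop counting, a learning period that samples one packet in N and stores the ingress interfaces locally, extraction of the dominant ingress interface from those samples, deployment of a refined second-level CAR keyed on (protocol, ingress interface), and reclaiming of that resource once its drop count falls to or below the second threshold. All class names, rates, thresholds and the traffic mix (an ARP flood on "Port1" beside legitimate ARP on "Port2") are constructed for this example.

```python
from collections import Counter, defaultdict, namedtuple

Packet = namedtuple("Packet", "proto ingress t")  # protocol class, ingress interface, arrival time (s)

class TokenBucket:
    """Committed Access Rate limiter: `rate` packets/s with a burst of `burst` packets."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), 0.0
    def admit(self, t):
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

class Device:
    def __init__(self, l1_rate=100, first_threshold=200, l2_rate=20,
                 second_threshold=50, l2_pool=4, sample_every=4, learn_time=1.0):
        self.l1 = defaultdict(lambda: TokenBucket(l1_rate, l1_rate))  # one per protocol class
        self.l2 = {}                      # (proto, ingress) -> refined second-level CAR
        self.l2_rate, self.l2_pool = l2_rate, l2_pool
        self.first_threshold, self.second_threshold = first_threshold, second_threshold
        self.sample_every, self.learn_time = sample_every, learn_time
        self.l1_drops, self.l2_drops = Counter(), Counter()  # drops in the current 1 s window
        self.learning = {}                # proto -> time at which its learning period ends
        self.samples = defaultdict(list)  # proto -> sampled ingress interfaces (local store)
        self.seen, self.window, self.events = Counter(), 0, []

    def _monitor(self, t):
        """Runs once per elapsed 1 s window: reclaim idle refined CARs, finish learning, detect."""
        while t >= self.window + 1:
            now = self.window + 1
            for key in [k for k in self.l2 if self.l2_drops[k] <= self.second_threshold]:
                del self.l2[key]          # attack gone: return the resource to the pool
                self.l2_pool += 1
                self.events.append((now, "reclaim", key))
            for proto in [p for p, end in self.learning.items() if now >= end]:
                self._deploy_l2(proto, now)
            for proto, drops in self.l1_drops.items():
                if (drops > self.first_threshold and proto not in self.learning
                        and not any(k[0] == proto for k in self.l2)):
                    self.learning[proto] = now + self.learn_time
                    self.events.append((now, "learn", proto))
            self.l1_drops.clear()
            self.l2_drops.clear()
            self.window += 1

    def _deploy_l2(self, proto, now):
        """Extract the dominant ingress interface from the samples and refine CAR on it."""
        del self.learning[proto]
        counts = Counter(self.samples[proto])
        if not counts or self.l2_pool == 0:
            return
        ingress = counts.most_common(1)[0][0]
        self.l2[(proto, ingress)] = TokenBucket(self.l2_rate, self.l2_rate)
        self.l2_pool -= 1
        self.events.append((now, "deploy", (proto, ingress)))

    def process(self, pkt):
        """Return True if the packet is forwarded, False if a CAR drops it."""
        self._monitor(pkt.t)
        key = (pkt.proto, pkt.ingress)
        if pkt.proto in self.learning:    # sample 1 in N packets of the attacked class
            self.seen[pkt.proto] += 1
            if self.seen[pkt.proto] % self.sample_every == 0:
                self.samples[pkt.proto].append(pkt.ingress)
        if key in self.l2 and not self.l2[key].admit(pkt.t):  # refined CAR first
            self.l2_drops[key] += 1
            return False
        if not self.l1[pkt.proto].admit(pkt.t):                # then the class-wide CAR
            self.l1_drops[pkt.proto] += 1
            return False
        return True

def run_scenario():
    """Constructed traffic: ARP flood on Port1 at 1000 pps for 0 <= t < 4 s, plus
    legitimate ARP on Port2 at 10 pps for 0 <= t < 6 s.  Returns a summary dict."""
    dev = Device()
    pkts = [Packet("ARP", "Port2", j / 10) for j in range(60)]
    pkts += [Packet("ARP", "Port1", i / 1000) for i in range(4000)]
    pkts.sort(key=lambda p: p.t)          # stable: legitimate packet first on equal times
    admitted = Counter()                  # (window, ingress) -> forwarded packets
    for p in pkts:
        if dev.process(p):
            admitted[(int(p.t), p.ingress)] += 1
    return {"events": dev.events, "admitted": dict(admitted), "l2_active": list(dev.l2),
            "l2_pool": dev.l2_pool,
            "dominant_ingress": Counter(dev.samples["ARP"]).most_common(1)[0][0]}
```

Calling run_scenario() shows the flood detected at the end of the first window, the refined CAR deployed on (ARP, Port1) at t = 2 s, legitimate Port2 traffic fully admitted in the third window while the flood continues, and the resource reclaimed at t = 5 s once the flood has stopped.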
Based on the same inventive concept, an embodiment of the invention also provides a network device whose structure, as shown in Fig. 3A, comprises a counting module 31, an extraction module 32 and a control module 33. The counting module 31 is configured to count dropped data packets according to first-level CAR resources; the extraction module 32 is configured to extract the ingress-interface information of the data packets when it is determined that their dropped-packet count exceeds the first threshold; the control module 33 is configured to perform flow control, according to the extracted ingress-interface information, on the data packets entering through that ingress interface.
As shown in Fig. 3B, in an embodiment the extraction module 32 of Fig. 3A may further comprise a sampling unit 321, an analysis unit 322 and an extraction unit 323. The sampling unit 321 is configured to sample the data packets; the analysis unit 322 is configured to analyse the sampled data; the extraction unit 323 is configured to extract the ingress-interface information of the data packets from the analysis of the sampled data.
As shown in Fig. 3C, in an embodiment the extraction module 32 of Fig. 3B may further comprise a storage unit 324, configured to store the sampled data locally.
The storage unit 324 may further be configured to store the sampled data locally in Ethereal format.
The storage unit 324 may also be configured to store the sampled data in one of, or any combination of, the local RAM, NVRAM, CF card and FLASH.
As shown in Fig. 3D, in an embodiment the control module 33 of Fig. 3A may further comprise a delivery unit 331 and a control unit 332. The delivery unit 331 is configured to deliver second-level CAR resources according to the ingress-interface information; the control unit 332 is configured to perform flow control, according to the second-level CAR resources, on the data packets entering through that ingress interface.
As shown in Fig. 3E, in an embodiment the network device of Fig. 3D may further comprise a reclaiming module 34, configured to reclaim the delivered second-level CAR resources when it is determined that the traffic of data packets through that ingress interface does not exceed the second threshold.
Those of ordinary skill in the art will appreciate that all or part of the steps of the method in the above embodiments can be carried out by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, which can include ROM, RAM, a magnetic disk or an optical disc.
In the embodiments of the invention, dropped data packets are counted according to first-level CAR resources; when the dropped-packet count of the data packets exceeds the first threshold, the data packets can be determined to be DoS attack packets; extracting their ingress-interface information then traces the attack back to its source and provides a basis for preventing the DoS attack. Only the data packets entering through that ingress interface need to be subjected to further flow control, rather than all packets processed by the network device, so the flow-control target is locked onto and the flow-control scope is narrowed, ensuring to the greatest extent that most of the device's services keep running normally under attack. Moreover, with the method of the embodiments the network device itself implements DoS prevention, without deploying a dedicated server or interacting with a server to prevent DoS attacks, which lowers operating cost, simplifies operation and maintenance, and further saves network resources.
In the embodiments of the invention, when the network device is attacked it can sample data and store it locally for tracing the attack to its source; by classifying and analysing the sampled trace-back data, it can generate a dynamic, intelligent CAR function of narrower scope according to the range of data sources, suppress the attack intelligently, and guard effectively against DoS attacks; when the attack is removed, the network device can reclaim the intelligently delivered CAR resources for use the next time it is attacked.
The embodiments of the invention describe only the case in which second-level CAR is set as required; three or more levels of CAR can also be set to achieve refined control, with the same technical effect as the embodiments of the invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.

Claims (14)

1. A method for preventing DoS attacks, characterized in that the method comprises:
counting dropped data packets according to first-level CAR resources;
when it is determined that the dropped-packet count of the data packets exceeds a first threshold, extracting the ingress-interface information of the data packets;
performing flow control, according to the ingress-interface information, on the data packets entering through the ingress interface.
2. The method according to claim 1, characterized in that extracting the ingress-interface information of the data packets comprises: sampling the data packets; analysing the sampled data; and extracting the ingress-interface information of the data packets from the analysis of the sampled data.
3. The method according to claim 2, characterized in that, after the data packets are sampled, the sampled data is stored locally.
4. The method according to claim 3, characterized in that the sampled data is stored locally in Ethereal format.
5. The method according to claim 3, characterized in that the sampled data is stored in one of, or any combination of, the local RAM, NVRAM, CF card and FLASH.
6. The method according to any one of claims 1 to 5, characterized in that performing flow control on the data packets entering through the ingress interface according to the ingress-interface information comprises:
delivering second-level CAR resources according to the ingress-interface information;
performing flow control on the data packets entering through the ingress interface according to the second-level CAR resources.
7. The method according to claim 6, characterized in that the method further comprises:
when it is determined that the traffic of data packets through the ingress interface does not exceed a second threshold, reclaiming the second-level CAR resources.
8. A network device, characterized in that it comprises:
a counting module, configured to count dropped data packets according to first-level CAR resources;
an extraction module, configured to extract the ingress-interface information of the data packets when it is determined that the dropped-packet count of the data packets exceeds a first threshold;
a control module, configured to perform flow control, according to the ingress-interface information, on the data packets entering through the ingress interface.
9. The device according to claim 8, characterized in that the extraction module further comprises:
a sampling unit, configured to sample the data packets;
an analysis unit, configured to analyse the sampled data;
an extraction unit, configured to extract the ingress-interface information of the data packets from the analysis of the sampled data.
10. The device according to claim 9, characterized in that the extraction module further comprises:
a storage unit, configured to store the sampled data locally.
11. The device according to claim 10, characterized in that the storage unit is further configured to store the sampled data locally in Ethereal format.
12. The device according to claim 10, characterized in that the storage unit is further configured to store the sampled data in one of, or any combination of, the local RAM, NVRAM, CF card and FLASH.
13. The device according to any one of claims 8 to 12, characterized in that the control module further comprises:
a delivery unit, configured to deliver second-level CAR resources according to the ingress-interface information;
a control unit, configured to perform flow control on the data packets entering through the ingress interface according to the second-level CAR resources.
14. The device according to claim 13, characterized in that the device further comprises:
a reclaiming module, configured to reclaim the second-level CAR resources when it is determined that the traffic of data packets through the ingress interface does not exceed a second threshold.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN2007101405289A CN101102323B (en) 2007-08-09 2007-08-09 Method and device for preventing DOS attack
PCT/CN2008/071461 WO2009018737A1 (en) 2007-08-09 2008-06-27 Method and network device for preventing dos attacks

Publications (2)

Publication Number Publication Date
CN101102323A true CN101102323A (en) 2008-01-09
CN101102323B CN101102323B (en) 2011-04-20

Family

ID=39036414

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009018737A1 (en) * 2007-08-09 2009-02-12 Huawei Technologies Co., Ltd. Method and network device for preventing dos attacks
CN101299765B (en) * 2008-06-19 2012-02-08 中兴通讯股份有限公司 Method for defending against DDOS attack
CN102420825A (en) * 2011-11-30 2012-04-18 北京星网锐捷网络技术有限公司 Network attack defense and detection method and system thereof
CN101415000B (en) * 2008-11-28 2012-07-11 中国移动通信集团四川有限公司 Method for preventing Dos aggression of business support system
CN104243471A (en) * 2014-09-12 2014-12-24 汉柏科技有限公司 Protection method and device against network attack
CN104852862A (en) * 2015-05-28 2015-08-19 杭州华三通信技术有限公司 Method and device for limiting speed of network
CN108632270A (en) * 2018-05-03 2018-10-09 河海大学常州校区 Anti- low rate TCP DoS attack methods based on software defined network
CN112217777A (en) * 2019-07-12 2021-01-12 上海云盾信息技术有限公司 Attack backtracking method and equipment

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110113268B (en) * 2019-04-26 2022-04-08 新华三技术有限公司合肥分公司 Flow control method and device and server

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant (granted publication date: 20110420)
CF01 Termination of patent right due to non-payment of annual fee (termination date: 20170809)