CN101102323A - Method and device for preventing DOS attack - Google Patents
- Publication number
- CN101102323A
- Authority
- CN
- China
- Prior art keywords
- data message
- incoming interface
- interface information
- sampled
- equipment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Abstract
The method comprises: counting, according to a CAR (Committed Access Rate) resource, the packets dropped from a data packet stream; when the drop count of the packets exceeds a threshold, extracting the incoming-interface information of those packets; and, according to that incoming-interface information, performing flow control on the packets arriving through that incoming interface. A corresponding network device is also disclosed.
Description
Technical field
The present invention relates to the field of network technology, and in particular to a method and device for preventing DoS attacks.
Background
With the development of the Internet, network environments have become increasingly complex and network attacks correspondingly more frequent. Denial of Service (DoS) attacks, including Distributed Denial of Service (DDoS) attacks, are the most common and do the greatest harm to network devices. In a DoS attack the attacker sends a large number of packets, or malformed packets, in a short time, continuously initiating connections or requesting responses from the network device, so that the device is overloaded and cannot process legitimate tasks; services become abnormal or the device is paralysed.
The prior art provides the following two schemes for preventing DoS attacks:
Prior art one
DoS attacks are mitigated by rate limiting: the volume of traffic sent up to the device per unit time is limited, so as to protect the device.
The inventor found by analysis that although prior art one can effectively alleviate the impact of a DoS attack on a network device, it protects the device solely by a traditional, manually configured rate limit and therefore still has the following shortcomings:
1. Once the rate-limit value is fixed, the network device may go on dropping legitimate service packets after the abnormal traffic has been discarded, so legitimate services are affected. Typically an attack on one class of protocol causes the device-level service to become abnormal, which is exactly the attacker's goal; suppressing the attack purely by a manually set rate limit cannot effectively narrow the impact of the attack on the services of the network device.
2. When an attack occurs the device is protected only by dropping packets; the attack cannot be traced to its source.
Prior art two
Traffic through the device is sampled by deploying NetStream (network traffic sampling) equipment, and the sampled data are analysed to trace the DoS attack to its source, so as to guard against it.
The inventor found by analysis that prior art two has the following shortcomings:
1. Equipment such as a NetStream server must be deployed, at a high cost.
2. Enabling NetStream sampling on the network device has a considerable impact on the device's performance. In addition, a physical port of the device must be used to connect the server, wasting network resources.
3. Because the server and the network device are separate pieces of equipment, operation and maintenance are considerably more difficult than managing a single device.
Summary of the invention
Embodiments of the invention provide a method and device for preventing DoS attacks, so that an attack can be traced to its source and, to the greatest extent possible, most of the network device's services keep running normally while it is under attack.
Embodiments of the invention provide a method for preventing DoS attacks, the method comprising:
counting, according to a first-level CAR (Committed Access Rate) resource, the packets dropped from a data packet stream;
when the drop count of the packets is determined to exceed a first threshold, extracting the incoming-interface information of the packets;
performing flow control, according to the incoming-interface information, on the packets arriving through that incoming interface.
Embodiments of the invention also provide a network device comprising:
a counting module, configured to count, according to a first-level CAR resource, the packets dropped from a data packet stream;
an extraction module, configured to extract the incoming-interface information of the packets when the drop count of the packets is determined to exceed a first threshold;
a control module, configured to perform flow control, according to the incoming-interface information, on the packets arriving through that incoming interface.
In embodiments of the invention, the packets dropped from the data packet stream are counted according to the first-level CAR resource; when the drop count is determined to exceed the first threshold, the packets can be determined to be DoS attack packets, and the attack is traced to its source by extracting their incoming-interface information, which provides the basis for preventing it. Flow control then needs to be applied only to the packets arriving through that incoming interface, rather than to all packets processed by the network device; the flow-control target is thus pinned down and the flow-control scope narrowed, so that most of the device's services keep running normally while it is under attack. Moreover, with this method the network device itself can prevent DoS attacks without deploying a dedicated server and exchanging data with it, which lowers operating cost, simplifies operation and maintenance, and further saves network resources.
Description of drawings
Fig. 1 is a flowchart of the process for preventing DoS attacks in an embodiment of the invention;
Fig. 2 is a flowchart of a specific example of the process for preventing DoS attacks in an embodiment of the invention;
Figs. 3A, 3B, 3C, 3D and 3E are structural diagrams of the network device in embodiments of the invention.
Embodiments
The method of the embodiments is described in detail below with reference to the drawings.
As shown in Fig. 1, the process for preventing DoS attacks in an embodiment is as follows:
Step 11: count, according to the first-level CAR resource, the packets dropped from the data packet stream.
Step 12: when the drop count of the packets is determined to exceed the first threshold, extract the incoming-interface information of the packets.
Step 13: according to the extracted incoming-interface information, perform flow control on the packets arriving through that incoming interface.
In step 11, the first threshold can be set according to the issued first-level CAR resource. In step 12, extracting the incoming-interface information of the packets can comprise: sampling the packets, analysing the sampled data, and extracting the incoming-interface information of the packets from that analysis.
In an embodiment, after the packets have been sampled the sampled data can be stored locally. They can be stored in a specified format, for example in Ethereal (packet capture) format. The sampled data can be stored in local RAM (Random Access Memory), NVRAM (Non-Volatile Random Access Memory), a Compact Flash card or flash memory, or in any combination of these.
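Storing the samples in Ethereal format means the libpcap capture file format (Ethereal is the former name of Wireshark), which any standard analyser can open afterwards for attack tracing. The writer and reader below are an added example, not the patent's code; the `SampleStore` API, the Ethernet/ARP frame builder, the sampling ratio, the snaplen and the byte budget are all assumptions for illustration. The byte budget is the practical point: sampling is switched on precisely when the device is being flooded, so the local store must be bounded rather than allowed to grow with the attack.

```python
"""Local store for sampled packets in libpcap format, the capture format read by
Ethereal (now Wireshark).  Added example, not the patent's code; the frame builder,
sampling ratio, snaplen and byte budget are assumptions chosen for illustration."""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # written little-endian: microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len


def make_arp_request(src_mac, src_ip, dst_ip):
    """Constructed Ethernet/ARP request frame (42 bytes) used as sample input."""
    eth = b"\xff" * 6 + src_mac + b"\x08\x06"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      src_mac, src_ip, b"\x00" * 6, dst_ip)
    return eth + arp


class SampleStore:
    """Keeps every `every`-th offered frame within a fixed byte budget, so a
    flood cannot exhaust the RAM, NVRAM or flash region holding the samples."""

    def __init__(self, every=16, max_bytes=64 * 1024, snaplen=128):
        self.every, self.max_bytes, self.snaplen = every, max_bytes, snaplen
        self.seen = self.stored = self.discarded = 0
        self.records = []                  # (ts_sec, ts_usec, orig_len, data)
        self.used = GLOBAL_HDR.size        # bytes the pcap file will occupy

    def offer(self, frame, ts):
        """Offer one device-bound frame; returns True when it was stored."""
        keep = self.seen % self.every == 0
        self.seen += 1
        if not keep:
            return False
        data = frame[:self.snaplen]        # truncate: headers suffice for tracing
        need = RECORD_HDR.size + len(data)
        if self.used + need > self.max_bytes:
            self.discarded += 1            # budget exhausted: count, never grow
            return False
        secs = int(ts)
        usecs = round((ts - secs) * 1_000_000)
        if usecs == 1_000_000:             # rounding carried into the next second
            secs, usecs = secs + 1, 0
        self.records.append((secs, usecs, len(frame), data))
        self.used += need
        self.stored += 1
        return True

    def to_pcap(self):
        """Serialise the store as a pcap 2.4 file (bytes)."""
        out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, self.snaplen, LINKTYPE_ETHERNET)]
        for secs, usecs, orig_len, data in self.records:
            out.append(RECORD_HDR.pack(secs, usecs, len(data), orig_len) + data)
        return b"".join(out)


def read_pcap(blob):
    """Minimal reader for the file written above: [(timestamp, orig_len, data)]."""
    magic, major, minor, _tz, _sig, _snap, _link = GLOBAL_HDR.unpack_from(blob, 0)
    if magic != PCAP_MAGIC or (major, minor) != (2, 4):
        raise ValueError("not a little-endian pcap 2.4 file")
    off, out = GLOBAL_HDR.size, []
    while off < len(blob):
        secs, usecs, incl, orig = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        data = blob[off:off + incl]
        if len(data) != incl:
            raise ValueError("truncated record")
        off += incl
        out.append((secs + usecs / 1_000_000, orig, data))
    return out


if __name__ == "__main__":
    store = SampleStore(every=4, max_bytes=1024)
    frame = make_arp_request(bytes.fromhex("001122334455"),
                             bytes([10, 0, 0, 9]), bytes([10, 0, 0, 1]))
    for i in range(100):                   # 100 frames offered, 25 sampled, budget-limited
        store.offer(frame, 1.0 + i / 1000)
    with open("samples.pcap", "wb") as f:
        f.write(store.to_pcap())
    print(f"stored {store.stored}, discarded {store.discarded}, {store.used} bytes")
```

Running the script writes `samples.pcap`, which opens with `wireshark samples.pcap` or `tcpdump -r samples.pcap`; the `orig_len` field preserves the real frame size even though only the first `snaplen` bytes are kept.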
In step 13, performing flow control on the packets arriving through the extracted incoming interface can comprise: starting a second-level CAR according to the extracted incoming-interface information, that is, refining the CAR for this class of packets so that it is keyed on the incoming-interface information together with the packet information, and issuing a second-level CAR resource accordingly; then performing flow control on the packets arriving through that interface according to the issued second-level CAR resource. In an embodiment, a second threshold can be set according to the original first-level CAR and the subsequently started second-level CAR; when the traffic of packets arriving through that incoming interface is determined not to exceed the second threshold, the issued second-level CAR resource can be reclaimed, so that it can be reused when the device is attacked again.
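Steps 11 to 13 together with the reclaim rule, as a runnable simulation. This is an added example, not code from the patent or from any vendor's implementation; the token-bucket policer, the sampling ratio (one in four dropped packets), the one-second measurement window, the interface names, the rates and both thresholds are assumptions chosen for illustration. The `two_level=False` run is the plain fixed rate limit of prior art one, for comparison: legitimate ARP arriving on ge0/1 is dropped along with the flood on ge0/2. The two-level run traces the flood to ge0/2 from the sampled drops, installs a second-level CAR keyed on (interface, protocol), and reclaims it once that key has been quiet for a whole window.

```python
"""Two-level CAR defence simulation (added example, not the patent's code).
Constructed scenario, all figures assumed: a global first-level CAR polices
device-bound packets; once its drop count reaches the first threshold the sampled
drops are analysed, the dominant (interface, protocol) key gets a second-level
CAR, reclaimed when arrivals on that key fall to the second threshold for a window."""
import random
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "in_iface proto ts")  # incoming interface, protocol, arrival time (s)


class TokenBucket:
    """Single-rate policer: `rate` packets/s sustained, up to `burst` at once."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0.0

    def allow(self, ts):
        self.tokens = min(self.burst, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True


class TwoLevelCar:
    def __init__(self, l1_rate, l1_burst, drop_threshold, l2_rate, l2_burst,
                 release_threshold, sample_every=4):
        self.l1 = TokenBucket(l1_rate, l1_burst)      # first-level (global) CAR
        self.drop_threshold, self.release_threshold = drop_threshold, release_threshold
        self.l2_rate, self.l2_burst, self.sample_every = l2_rate, l2_burst, sample_every
        self.l1_drops = 0
        self.samples = []                             # sampled drops, kept as the local store
        self.l2 = {}                                  # (iface, proto) -> TokenBucket
        self.key_counts = Counter()                   # arrivals per key, per window
        self.log = []

    def _trace_source(self):
        """Attack tracing: the most common (iface, proto) among sampled drops."""
        return Counter((p.in_iface, p.proto) for p in self.samples).most_common(1)[0][0]

    def _on_l1_drop(self, pkt):
        self.l1_drops += 1
        if (self.l1_drops - 1) % self.sample_every == 0:   # 1 in `sample_every` drops
            self.samples.append(pkt)
        if self.l1_drops >= self.drop_threshold:      # first threshold crossed
            src = self._trace_source()
            if src not in self.l2:
                self.l2[src] = TokenBucket(self.l2_rate, self.l2_burst)
                self.log.append(("install_l2", src))
            self.l1_drops = 0

    def handle(self, pkt):
        """Return True if the packet reaches the CPU, False if a CAR dropped it."""
        key = (pkt.in_iface, pkt.proto)
        self.key_counts[key] += 1
        if key in self.l2 and not self.l2[key].allow(pkt.ts):   # refined per-source CAR
            return False
        if self.l1.allow(pkt.ts):                                # global device CAR
            return True
        self._on_l1_drop(pkt)
        return False

    def end_window(self):
        """Per window: reclaim second-level CARs whose key fell to the second threshold."""
        for key in list(self.l2):
            if self.key_counts[key] <= self.release_threshold:
                del self.l2[key]
                self.log.append(("reclaim_l2", key))
        self.key_counts.clear()
        self.l1_drops = 0


def simulate(two_level, seed=7):
    """Constructed traffic: ~50 pps legitimate ARP on ge0/1 for 5 s plus a 2000 pps ARP
    flood on ge0/2 during [1 s, 3 s).  Returns (legitimate pass fraction, CAR event log)."""
    rng = random.Random(seed)
    pkts = [Packet("ge0/1", "arp", rng.uniform(0, 5)) for _ in range(250)]
    pkts += [Packet("ge0/2", "arp", rng.uniform(1, 3)) for _ in range(4000)]
    pkts.sort(key=lambda p: p.ts)
    car = TwoLevelCar(l1_rate=200, l1_burst=50, l2_rate=20, l2_burst=10,
                      drop_threshold=100 if two_level else float("inf"),
                      release_threshold=100)
    legit, window_end = [], 1.0
    for p in pkts:
        while p.ts >= window_end:                    # one-second measurement windows
            car.end_window()
            window_end += 1.0
        passed = car.handle(p)
        if p.in_iface == "ge0/1":
            legit.append(passed)
    car.end_window()
    return sum(legit) / len(legit), car.log


if __name__ == "__main__":
    for mode in (False, True):
        rate, log = simulate(two_level=mode)
        print(f"two_level={mode}: legitimate pass rate {rate:.2f}, events {log}")
```

Running the script prints the legitimate-traffic pass rate and the CAR events for both modes. One caveat the simulation makes visible: the second-level CAR is keyed on the interface the flood arrives through, so on an aggregation port that also carries legitimate packets of the same protocol class, those packets are throttled together with the flood; the finer refinement the description mentions (three or more CAR levels) is what would narrow the scope further.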
As shown in Fig. 2, the process for preventing DoS attacks in a specific example is as follows:
Based on same inventive concept, the embodiment of the invention also provides a kind of network equipment, and its structure comprises as shown in Figure 3A: counting module 31, extraction module 32, control module 33; Wherein, counting module 31 is used for according to one-level CAR resource the data message being carried out the packet loss counting; Extraction module 32 is used for when the packet loss of specified data message outnumbers first threshold, extracts the incoming interface information of data message; Control module 33 is used for according to the incoming interface information of extracting the data message by this incoming interface being carried out flow control.
Shown in Fig. 3 B, among the embodiment, the extraction module 32 shown in Fig. 3 A may further include: sampling unit 321, analytic unit 322, extraction unit 323; Wherein, sampling unit 321 is used for the data message is sampled; Analytic unit 322 is used for sampled data is analyzed; Extraction unit 323 is used for extracting the incoming interface information of data message according to the analysis to sampled data.
Shown in Fig. 3 C, among the embodiment, the extraction module 32 shown in Fig. 3 B may further include: memory cell 324 is used for sampled data is stored in this locality.
Shown in Fig. 3 D, among the embodiment, the control module 33 shown in Fig. 3 A may further include: issue unit 331, control unit 332; Wherein, issue unit 331, be used for issuing secondary CAR resource according to incoming interface information; Control unit 332 is used for according to secondary CAR resource the data message by this incoming interface being carried out flow control.
Shown in Fig. 3 E, among the embodiment, the network equipment shown in Fig. 3 D may further include: recycling module 34 is used for reclaiming the resource of the secondary CAR that issues when the flow of determining the data message by this incoming interface is no more than second threshold value.
One of ordinary skill in the art will appreciate that all or part of step in the foregoing description method is to instruct relevant hardware to finish by program, this program can be stored in the computer-readable recording medium, and storage medium can comprise: ROM, RAM, disk or CD etc.
In embodiments of the invention, when the network device is under attack it can sample the data and store the samples locally for use in tracing the attack; by classifying and analysing the sampled data it can trace the source and produce a dynamic, narrowly scoped CAR tailored to the range of data sources, suppressing the attack intelligently and guarding effectively against DoS; and when the attack subsides, the network device can reclaim the CAR resource it issued, for use the next time it is attacked.
The embodiments describe the case where only a second-level CAR is provided; as required, three or more levels of CAR can also be provided for finer control, achieving the same technical effect.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. If these modifications and variations fall within the scope of the claims of the invention and their technical equivalents, the invention is intended to include them.
Claims (14)
1. A method for preventing DoS attacks, characterised in that the method comprises:
counting, according to a first-level CAR resource, the packets dropped from a data packet stream;
when the drop count of the packets is determined to exceed a first threshold, extracting the incoming-interface information of the packets;
performing flow control, according to the incoming-interface information, on the packets arriving through the incoming interface.
2. The method of claim 1, characterised in that extracting the incoming-interface information of the packets comprises: sampling the packets and analysing the sampled data; and extracting the incoming-interface information of the packets according to the analysis of the sampled data.
3. The method of claim 2, characterised in that, after the packets are sampled, the sampled data are stored locally.
4. The method of claim 3, characterised in that the sampled data are stored locally in Ethereal format.
5. The method of claim 3, characterised in that the sampled data are stored in one, or any combination, of local RAM, NVRAM, CF card and flash memory.
6. The method of any one of claims 1 to 5, characterised in that performing flow control on the packets arriving through the incoming interface according to the incoming-interface information comprises:
issuing a second-level CAR resource according to the incoming-interface information;
performing flow control on the packets arriving through the incoming interface according to the second-level CAR resource.
7. The method of claim 6, characterised in that the method further comprises:
when the traffic of packets arriving through the incoming interface is determined not to exceed a second threshold, reclaiming the second-level CAR resource.
8. A network device, characterised in that it comprises:
a counting module, configured to count, according to a first-level CAR resource, the packets dropped from a data packet stream;
an extraction module, configured to extract the incoming-interface information of the packets when the drop count of the packets is determined to exceed a first threshold;
a control module, configured to perform flow control, according to the incoming-interface information, on the packets arriving through the incoming interface.
9. The device of claim 8, characterised in that the extraction module further comprises:
a sampling unit, configured to sample the packets;
an analysis unit, configured to analyse the sampled data;
an extraction unit, configured to extract the incoming-interface information of the packets according to the analysis of the sampled data.
10. The device of claim 9, characterised in that the extraction module further comprises:
a storage unit, configured to store the sampled data locally.
11. The device of claim 10, characterised in that the storage unit is further configured to store the sampled data locally in Ethereal format.
12. The device of claim 10, characterised in that the storage unit is further configured to store the sampled data in one, or any combination, of local RAM, NVRAM, CF card and flash memory.
13. The device of any one of claims 8 to 12, characterised in that the control module further comprises:
an issuing unit, configured to issue a second-level CAR resource according to the incoming-interface information;
a control unit, configured to perform flow control on the packets arriving through the incoming interface according to the second-level CAR resource.
14. The device of claim 13, characterised in that the device further comprises:
a reclaiming module, configured to reclaim the second-level CAR resource when the traffic of packets arriving through the incoming interface is determined not to exceed a second threshold.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2007101405289A CN101102323B (en) | 2007-08-09 | 2007-08-09 | Method and device for preventing DOS attack |
PCT/CN2008/071461 WO2009018737A1 (en) | 2007-08-09 | 2008-06-27 | Method and network device for preventing dos attacks |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2007101405289A CN101102323B (en) | 2007-08-09 | 2007-08-09 | Method and device for preventing DOS attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101102323A true CN101102323A (en) | 2008-01-09 |
CN101102323B CN101102323B (en) | 2011-04-20 |
Family
ID=39036414
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2007101405289A Expired - Fee Related CN101102323B (en) | 2007-08-09 | 2007-08-09 | Method and device for preventing DOS attack |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN101102323B (en) |
WO (1) | WO2009018737A1 (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2009018737A1 (en) * | 2007-08-09 | 2009-02-12 | Huawei Technologies Co., Ltd. | Method and network device for preventing dos attacks |
CN101299765B (en) * | 2008-06-19 | 2012-02-08 | 中兴通讯股份有限公司 | Method for defending against DDOS attack |
CN102420825A (en) * | 2011-11-30 | 2012-04-18 | 北京星网锐捷网络技术有限公司 | Network attack defense and detection method and system thereof |
CN101415000B (en) * | 2008-11-28 | 2012-07-11 | 中国移动通信集团四川有限公司 | Method for preventing Dos aggression of business support system |
CN104243471A (en) * | 2014-09-12 | 2014-12-24 | 汉柏科技有限公司 | Protection method and device against network attack |
CN104852862A (en) * | 2015-05-28 | 2015-08-19 | 杭州华三通信技术有限公司 | Method and device for limiting speed of network |
CN108632270A (en) * | 2018-05-03 | 2018-10-09 | 河海大学常州校区 | Anti- low rate TCP DoS attack methods based on software defined network |
CN112217777A (en) * | 2019-07-12 | 2021-01-12 | 上海云盾信息技术有限公司 | Attack backtracking method and equipment |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110113268B (en) * | 2019-04-26 | 2022-04-08 | 新华三技术有限公司合肥分公司 | Flow control method and device and server |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100356750C (en) * | 2002-08-10 | 2007-12-19 | 华为技术有限公司 | Flow control method for synchronous digital system network transmission data business |
CN1156125C (en) * | 2002-09-29 | 2004-06-30 | 清华大学 | Flow control method based on feedback of client terminal |
US7996544B2 (en) * | 2003-07-08 | 2011-08-09 | International Business Machines Corporation | Technique of detecting denial of service attacks |
US7436770B2 (en) * | 2004-01-21 | 2008-10-14 | Alcatel Lucent | Metering packet flows for limiting effects of denial of service attacks |
CN1719829A (en) * | 2004-07-09 | 2006-01-11 | 北京航空航天大学 | Implementing flow control and defensing DOS attack by using MPLS display route |
US8423645B2 (en) * | 2004-09-14 | 2013-04-16 | International Business Machines Corporation | Detection of grid participation in a DDoS attack |
CN101102323B (en) * | 2007-08-09 | 2011-04-20 | 华为技术有限公司 | Method and device for preventing DOS attack |
Family events
- 2007-08-09: CN application CN2007101405289A (patent CN101102323B); not active, expired for non-payment of fees
- 2008-06-27: PCT application PCT/CN2008/071461 (WO2009018737A1); application filing
Also Published As
Publication number | Publication date |
---|---|
WO2009018737A1 (en) | 2009-02-12 |
CN101102323B (en) | 2011-04-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101102323B (en) | Method and device for preventing DOS attack | |
CN100471172C (en) | Method for implementing black sheet | |
US9130983B2 (en) | Apparatus and method for detecting abnormality sign in control system | |
CN103139184B (en) | Intelligent network firewall device and network attack protection method | |
CN101547187B (en) | Network attack protection method for broadband access equipment | |
CN101018121B (en) | Log convergence processing method and convergence processing device | |
CN111200605B (en) | Malicious identification defense method and system based on Handle system | |
CN102882881B (en) | Special data filtering method for eliminating denial-of-service attacks to DNS (domain name system) service | |
CN101465855B (en) | Method and system for filtrating synchronous extensive aggression | |
CN108600003B (en) | Intrusion detection method, device and system for video monitoring network | |
CN103856470A (en) | Distributed denial of service attack detection method and device | |
US10701076B2 (en) | Network management device at network edge for INS intrusion detection based on adjustable blacklisted sources | |
CN103023924A (en) | Content distribution network based DDoS (distributed denial of service) attack protecting method and content distribution network based DDoS attack protecting system for cloud distribution platform | |
CN105554016A (en) | Network attack processing method and device | |
CN101286996A (en) | Storm attack resisting method and apparatus | |
CN105471835A (en) | Method and system for improving processing performance of firewall | |
CN101572609A (en) | Method and device for detecting and refusing service attack | |
CN103916387A (en) | DDOS attack protection method and system | |
CN110768946A (en) | Industrial control network intrusion detection system and method based on bloom filter | |
CN102882894A (en) | Method and device for identifying attack | |
CN103916379A (en) | CC attack identification method and system based on high frequency statistics | |
CN116781315A (en) | Attack detection method based on EGD protocol | |
CN108712365B (en) | DDoS attack event detection method and system based on flow log | |
KR101488271B1 (en) | Apparatus and method for ids false positive detection | |
CN104917757A (en) | Event-triggered MTD protection system and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 2011-04-20; termination date: 2017-08-09 |