CN101184095B - Network anti-attack method and system based on strategy control listing of CPU - Google Patents

Network anti-attack method and system based on strategy control listing of CPU

Info

Publication number: CN101184095B
Application number: CN2007101788869A
Authority: CN (China)
Prior art keywords: acl, cpu, network equipment, port, rule
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN101184095A (en)
Inventor: 刘付喜
Current and original assignee: ZTE Corp (the listed assignee may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Priority date: 2007-12-06 (the priority date is an assumption and is not a legal conclusion)
Filing date: 2007-12-06
Publication dates: CN101184095A 2008-05-21; CN101184095B 2011-09-21

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)
Abstract

The invention relates to a network anti-attack method based on the policy control list (ACL) of the CPU, comprising: a first step of configuring an ACL rule and the QoS action corresponding to that rule; a second step of delivering the configured ACL rule and its corresponding QoS action to the network-device ACL/QoS processing module of the network device's packet processing chip; and a third step in which the network-device ACL/QoS processing module applies the rule to the port connected to the CPU, in order to prevent network attacks. The invention has the advantages that, through flexible ACL configuration and matching on the layer 2, layer 3 and layer 4 information of a packet, any packet can be extracted, so that the method is not restricted to the small number of anti-attack registers provided by the chip hardware; at the same time it provides the rich QoS functions of the ACL and effectively monitors and protects the CPU port.

Description

Network anti-attack method and system based on the policy control listing of CPU
Technical field
The present invention relates to the field of network security, and in particular to a network anti-attack method and system based on the policy control list (ACL) of the CPU.
Background technology
With the rapid development of the Internet, IP networks have gradually become an indispensable tool in people's daily work and life, and at the same time network attacks on the Internet have gradually increased; among these, attacks on network devices are especially serious and cause the greatest harm. Most network-based attacks on network devices target the device CPU, because the CPU occupies the core position in a network device: it is mainly used to handle important protocol packets and the device's destination lookup failure (DLF) packets. The first kind of packet in particular is important for the network: if these protocol packets are lost for some reason, at the very least the network's routes will flap, and at worst the network will be paralysed and unable to forward packets normally. At present, attacks on the CPU of a network device mainly work by sending a large number of packets that the CPU has to process, so that the CPU runs overloaded and can no longer correctly handle the protocol packets and DLF packets it should process, which threatens the network.
How to protect the CPU of a network device from attack has therefore become a problem that every network vendor must face.
At present network device vendors mainly offer two prevention methods against this kind of malicious network attack:
1. Using the registers built into some device chips by the chip manufacturers, which provide protection against some simple attacks (such as DoS attacks); or providing some simple handling based on rate limiting of the CPU processing queues, so that certain attack packets are not sent up to the CPU too fast.
2. Providing a port-based ACL (policy control list): on the port where the attack source is located, the characteristics of the attack source are captured, and according to the packet features of the attack source an ACL is issued to discard that kind of packet, thereby protecting the CPU.
For the first method, since these are register functions provided by the chip itself, the attack types that can be guarded against are generally fairly simple and limited, the restrictions are large and the method is inflexible. The rate limiting based on the CPU processing queues can only restrict packets that are in different queues; it is difficult to restrict separately packets that are in queues of the same priority level.
Although the second method is greatly improved in flexibility compared with the first, it has a large defect: in the case of multi-point attacks, for example when attack packets are sent on many ports, an ACL filtering rule must be issued on each of those ports, and for attacks based on layer 4 TCP/UDP ports many rules must be issued for those layer 4 ports, which greatly wastes the limited ACL entries of the network device. At the same time, the second method can hardly achieve the rate-limit protection of the CPU that the first method offers, namely limiting the rate of packets sent up to the CPU, and it is hard to protect the CPU against attacks in which the source information of the packets (such as the IP or SMAC) changes randomly.
The patent application "Method for raising network security via message processing" (application number 200510080164) provides a method of guarding against attacks, but it has to identify which packets need to be sent up to the CPU and how to distinguish their priority levels, which wastes too many resources; its protection of the CPU is rather single-purpose and inflexible; and for a malicious attack that forges a normal user, the attack packets travel through the same queue as the packets the CPU normally handles, so the packets in that queue are also dropped because too many attack packets are sent up.
Although the technical solution disclosed in patent application US2006282893 is intelligent, it lacks flexibility, breadth and diversity of anti-attack methods; it is only suitable for some attack source features and rather single attack methods, and its emphasis is on the application level.
Summary of the invention
To solve the above technical problems, a network anti-attack method and system based on the policy control list of the CPU are provided, whose purpose is to provide a flexible and versatile protection and monitoring method and system for the CPU of a network device.
The invention provides a network anti-attack method based on the policy control list of the CPU, comprising:
Step 1: configuring an ACL rule and the QoS action corresponding to that rule;
Step 2: delivering the configured ACL rule and its corresponding QoS action to the network-device ACL/QoS processing module of the network device's packet processing chip, where the network-device ACL/QoS processing module transmits and receives data through the physical ports of the packet processing chip and interacts with the CPU through the port connected to the CPU;
Step 3: the network-device ACL/QoS processing module applies the rule to the port connected to the CPU, in order to prevent network attacks.
The ACL rule is an egress ACL entry, and in step 2 the egress ACL entry and its corresponding QoS action are delivered to the network-device ACL/QoS processing module through a physical port of the packet processing chip.
In step 2 the CPU port is also delivered to the network-device ACL/QoS processing module; this CPU port is the port through which the network-device ACL/QoS processing module is connected to the CPU.
The ACL rule is an ingress ACL entry, and in step 2 the ingress ACL entry and its corresponding QoS action are delivered to the network-device ACL/QoS processing module through a physical port of the packet processing chip; the ports on which the ingress ACL entry is applied are set to at least two physical ports of the packet processing chip, and the CPU port is delivered as the destination of the packets that match the entry, this CPU port being the port through which the network-device ACL/QoS processing module is connected to the CPU.
The CPU port is a PCI bus port.
The invention provides a network anti-attack system based on the policy control list of the CPU, comprising a CPU and a network device packet processing chip, and further comprising:
a configuration module, used to configure an ACL rule and the QoS action corresponding to that rule;
a data delivery module, used to deliver the configured ACL rule and its corresponding QoS action to the network-device ACL/QoS processing module of the packet processing chip;
the network-device ACL/QoS processing module, which transmits and receives data through the physical ports of the packet processing chip, interacts with the CPU through the port connected to the CPU, and is used to apply the rule to the port connected to the CPU in order to prevent network attacks.
The ACL rule is an egress ACL entry; the data delivery module delivers the egress ACL entry and its corresponding QoS action to the network-device ACL/QoS processing module.
The data delivery module also delivers to the network-device ACL/QoS processing module the CPU port to which the egress ACL rule is applied; this CPU port is the port through which the network-device ACL/QoS processing module is connected to the CPU.
The ACL rule is an ingress ACL entry; the data delivery module delivers the ingress ACL entry and its corresponding QoS action to the network-device ACL/QoS processing module; the ports on which the ingress ACL entry is applied are set to at least two physical ports of the packet processing chip, and the destination port delivered for packets matching the entry is the CPU port, this CPU port being the port through which the network-device ACL/QoS processing module is connected to the CPU.
Through flexible ACL configuration and matching on the layer 2, layer 3 and layer 4 information of packets, the present invention can extract any packet and is not restricted to the small number of anti-attack protections provided by the chip hardware.
Description of drawings
Fig. 1 is a structural diagram of the network anti-attack system based on the policy control list of the CPU;
Fig. 2 is a flow chart of the network anti-attack method based on the policy control list of the CPU.
Embodiment
The present invention is described in further detail below with reference to the accompanying drawings.
As shown in Fig. 1, the network anti-attack system based on the policy control list of the CPU provided by the invention comprises a network device packet processing chip 101, a network device CPU 100 and other network processing chips 104. The packet processing chip 101 comprises: a plurality of physical ports 103 of the chip, a network-device ACL/QoS processing module 102, a PCI (peripheral component interconnect) bus port 105 and an inter-chip interconnect port 106. The network-device ACL/QoS processing module 102 transmits and receives data through the physical ports 103 of the chip, interacts with the network device CPU 100 through the PCI bus port 105, and interacts with the other network processing chips through the inter-chip interconnect port 106.
The network anti-attack method based on the policy control list of the CPU protects and monitors the network device CPU by delivering CPU-based ACLs, and comprises:
Step A: on the software platform of the network device, configure ACL rules for different types of packets (layer 2, layer 3, layer 4 and so on). The fields a rule can match here may be the matching fields of the port ACLs currently in common use, such as five-tuple information, the commonly used Ethernet protocol numbers, IP protocol numbers and layer 4 fields such as ports; using the flexible TCAM matching method, partial matching of fields is provided. The rule can be configured flexibly according to the user's different requirements.
Step B: according to the requirements, configure the QoS action corresponding to the rule (here including dropping, rate limiting, traffic mirroring, local priority marking and other functions).
Step C: apply the rule to the corresponding CPU port. In a multi-level system there may be a plurality of CPUs; the command of the user platform specifies the CPU to which the rule is applied, so that the corresponding CPU is protected.
The network anti-attack method based on the policy control list of the CPU provided by the invention is described with reference to Fig. 2. The method can be implemented in two ways. The first is by egress ACL, and the method then comprises:
Step 201: when the ACL entry is delivered from the user interface to the network-device ACL/QoS processing module 102, the driver layer of the software delivers an egress ACL entry to the network-device ACL/QoS processing module. Many current chips (such as the Firebolt2 chip of Broadcom) support egress ACLs.
Step 202: the egress ACL entry (this entry is mainly used to match packet header information and extract the packets of interest) is applied to the CPU port (that is, the PCI bus port 105). At present the main device chip vendors mostly use a port mask or the physical port index of the chip to express the physical port to which a rule is applied; in order to apply the rule to the CPU port, the field of the deliverable egress ACL representation that expresses the physical port to which the rule is applied is set to the CPU port (the PCI bus port 105), which achieves the purpose of applying the rule to the CPU port.
Step 203: by delivering the QoS action corresponding to the ACL rule (here including dropping, rate limiting, traffic mirroring, priority marking and so on) to the network-device ACL/QoS processing module 102, control over the packets sent up to the CPU 100 is achieved.
The second way can be implemented by ingress ACL, and the method then comprises:
Step A1: when the ACL entry is delivered from the user interface to the network-device ACL/QoS processing module 102, an ingress ACL entry is delivered to the network-device ACL/QoS processing module 102; support for ingress ACLs is at present a basic requirement for network devices.
Step B1: the ingress ACL entry is delivered to the network-device ACL/QoS processing module, which applies the ACL entry to all ports. At present the main device chip vendors mostly use a port mask or the physical port index of the chip to express the physical port to which a rule is applied; by setting the ports to which the entry is applied to all physical ports 103, all packets entering from the physical ports 103 are matched, and at the same time the destination port delivered for packets matching the entry (this destination port is the next outgoing port of this chip that a packet reaches after entering the chip and being processed) is the corresponding CPU port 105, which achieves the purpose of applying the rule to the CPU port.
Step C1: by delivering the QoS action corresponding to the ACL rule (here including dropping, rate limiting, traffic mirroring, priority marking and so on) to the network-device ACL/QoS processing module 102, control over the packets sent up to the CPU 100 is implemented.
The scheme provided by the invention can solve the defects of the first prevention method mentioned in the background. For example, through flexible ACL configuration and matching on the layer 2, layer 3 and layer 4 information of packets, any packet can be extracted, so the method is not restricted to the small number of anti-attack registers provided by the chip hardware, while at the same time the rich QoS functions of the ACL are available for monitoring and protecting the CPU port. For example: by delivering a mirroring function, the packets sent up to the CPU can be mirrored to a monitoring device, so that the packets handled by the device CPU can be understood more accurately; for malicious attack packets with known features, an ACL drop action is delivered to discard that kind of packet and defeat the attack on the CPU; for malicious attack packets whose features are not obvious or whose features (such as the source IP or SMAC) change randomly, a rate-limit function is delivered to limit the rate at which such packets are sent up to the CPU and thus avoid overloading the CPU; and through the priority marking function of QoS, the priority of packets sent up to the CPU is controlled, lowering the priority of malicious packets so that the CPU processes them at a lower level, thereby protecting the normal packets in the network that the CPU needs to process.
The scheme provided by the invention can also remedy the deficiencies of the second prevention method mentioned in the background:
The second prevention method mentioned above is based on ACLs on physical ports or virtual ports (VLANs, port trunks). On such a port it is hard to judge which packets entering the port need to be processed by the CPU and which do not, and some cannot be distinguished at all with this common second prevention method. The present invention has no such restriction: only packets going to this CPU pass through this ACL and are processed, while packets not handled by this CPU do not pass through this ACL and are not processed, so the step of distinguishing them is saved.
For multi-point attacks, where attack packets enter the network device from several of its ports (ports here include real ports and some virtual ports), the second prevention method has to issue rules for the packet features on every one of those ports. If the attack comes from the 24 physical external interfaces of a network device, then according to the second prevention method the number of rules installed on the chip is 24 times the number of rules issued per port; for virtual ports such as VLAN interfaces, rules on consecutive VLAN interfaces are hard to merge, so the number of rules installed on the chip equals the number of VLAN interfaces times the number of rules per VLAN interface. The number of rules issued this way may be large and wastes the limited hardware ACL entries. The present invention does not need to care from which port the attack source enters: only one rule needs to be issued for the attack packets, so in the worst case the rule the chip installs is a single rule issued for one port in a shared entry, which greatly saves hardware ACL entry resources.
Where the features of the attack packets cannot be distinguished, the current second prevention method can, for attacks on the CPU such as unknown unicast, only issue some suppression functions for this kind of packet on the port; as the number of source ports receiving these attack packets grows, the suppression effect becomes worse and worse and can only be recovered by adjusting the suppression parameter of each port. The present invention only needs to issue one rate-limit rule on the CPU according to the CPU's processing capability; however the attack source changes, the CPU is not affected.
Those skilled in the art may make various modifications to the above without departing from the spirit and scope of the invention defined by the claims. Therefore the scope of the invention is not limited to the above description but is determined by the scope of the claims.
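The embodiment steps above (steps A to C, with the egress variant 201-203 and the ingress variant A1-C1) and the rule-saving and rate-limit arguments of the last paragraphs can be seen together in a small software model. The following Python program is an added example written for this page; it is not code from the patent or from ZTE. It models a TCAM-style ACL bound to the CPU port with the four QoS actions the description lists (drop, rate limit, mirror, priority remark) and runs a constructed burst of packets arriving on 24 ingress ports, many with a different source MAC each. The port name cpu0, the rule names, the sample addresses and the traffic are all constructed for the demonstration; the 100 pps limit and the protocol numbers used in the rules are illustrative choices, not values from the patent.

```python
# Added example (not the patent's or ZTE's code): software model of an ACL/QoS
# filter bound to the CPU port. Port names, rules and traffic are constructed.
from dataclasses import dataclass, replace
from ipaddress import IPv4Address

CPU_PORT = "cpu0"  # port towards the CPU (the PCI bus port in the patent)
ip = lambda s: int(IPv4Address(s))  # dotted quad -> int, so masks apply bitwise

@dataclass(frozen=True)
class Packet:
    in_port: int    # physical ingress port of the chip
    out_port: str   # egress port chosen by the chip's lookup
    ethertype: int
    smac: int
    sip: int
    proto: int      # IP protocol number, 0 for non-IP
    dport: int      # L4 destination port, 0 if none
    prio: int = 7   # local priority assigned by the chip

@dataclass
class Rule:
    """TCAM-style entry: match maps a Packet field to (value, mask); unlisted fields are don't-care."""
    name: str
    match: dict
    action: str     # "drop" | "rate_limit" | "mirror" | "remark"
    param: int = 0  # pps for rate_limit, new priority for remark
    hits: int = 0

    def matches(self, pkt):
        return all((getattr(pkt, f) & m) == (v & m) for f, (v, m) in self.match.items())

class TokenBucket:
    """Rate limiter for packets sent up to the CPU."""
    def __init__(self, rate_pps, burst):
        self.rate, self.burst, self.tokens, self.last = rate_pps, burst, float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        ok = self.tokens >= 1
        self.tokens -= ok  # spend one token when allowed (bool acts as 0/1)
        return ok

class CpuPortAclQos:
    """First-match rules bound to the CPU port only: transit traffic is never
    inspected, and one rule covers packets arriving on any physical port."""
    def __init__(self, rules):
        self.rules, self.mirrored = rules, []
        self.buckets = {r.name: TokenBucket(r.param, r.param) for r in rules if r.action == "rate_limit"}

    def process(self, pkt, now):
        if pkt.out_port != CPU_PORT:
            return "forward", pkt
        for r in self.rules:
            if not r.matches(pkt):
                continue
            r.hits += 1
            if r.action == "drop":
                return "drop", None
            if r.action == "rate_limit":
                return ("to_cpu", pkt) if self.buckets[r.name].allow(now) else ("drop", None)
            if r.action == "mirror":
                self.mirrored.append(pkt)  # copy sent to the monitoring port
                return "to_cpu", pkt
            if r.action == "remark":
                return "to_cpu", replace(pkt, prio=r.param)
        return "to_cpu", pkt

def make_rules():
    return [  # constructed policy: four rules, none of them per ingress port
        Rule("drop-known-bad", {"sip": (ip("192.0.2.0"), 0xFFFFFF00),
                                "proto": (17, 0xFF), "dport": (9999, 0xFFFF)}, "drop"),
        Rule("limit-arp", {"ethertype": (0x0806, 0xFFFF)}, "rate_limit", param=100),
        Rule("mirror-ospf", {"proto": (89, 0xFF)}, "mirror"),
        Rule("lower-icmp", {"proto": (1, 0xFF)}, "remark", param=0),
    ]

def constructed_traffic():
    base = 0x020000000000  # locally administered MAC prefix for sample SMACs
    pkts = [Packet(port, CPU_PORT, 0x0806, base + port * 256 + i, 0, 0, 0)
            for port in range(1, 25) for i in range(100)]  # ARP burst, 24 ports, new SMAC each
    pkts += [Packet(1, CPU_PORT, 0x0800, base, ip("10.0.0.2"), 89, 0)] * 10   # OSPF
    pkts += [Packet(2, CPU_PORT, 0x0800, base, ip("10.0.0.3"), 1, 0)] * 5     # ICMP
    pkts += [Packet(3, CPU_PORT, 0x0800, base, ip("192.0.2.7"), 17, 9999)] * 3  # known-bad
    pkts += [Packet(3, "ge3", 0x0800, base, ip("192.0.2.7"), 17, 9999)]  # transit, not to CPU
    return pkts

def run(pkts=None):
    pkts = constructed_traffic() if pkts is None else pkts
    eng = CpuPortAclQos(make_rules())
    stats = {"forward": 0, "drop": 0, "to_cpu": 0, "remarked": 0}
    for p in pkts:
        verdict, out = eng.process(p, now=0.0)  # the whole burst arrives in one instant
        stats[verdict] += 1
        stats["remarked"] += out is not None and out.prio != p.prio
    stats["mirrored"] = len(eng.mirrored)
    stats["rules_installed"] = len(eng.rules)  # versus 24 x per-port rules
    stats["hits"] = {r.name: r.hits for r in eng.rules}
    return stats
```

Running `run()` shows the points the description makes: the single `limit-arp` rule is hit by all 2400 ARP packets from 24 ports regardless of their changing source MAC and lets only 100 through to the CPU, the known-bad UDP packets are dropped by a partial-prefix match, OSPF is copied to the monitor while still reaching the CPU, ICMP reaches the CPU with its priority lowered, and the one transit packet is forwarded without ever being matched, because the rules are bound to the CPU port rather than to ingress ports.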

Claims (10)

1. A network anti-attack method based on the policy control list of a CPU, characterized in that it comprises:
Step 1: configuring an ACL rule and the QoS action corresponding to that rule;
Step 2: delivering the configured ACL rule and its corresponding QoS action to the network-device ACL/QoS processing module of the network device's packet processing chip, wherein the network-device ACL/QoS processing module transmits and receives data through the physical ports of the packet processing chip and interacts with the CPU through the port connected to the CPU;
Step 3: the network-device ACL/QoS processing module applying the rule to the port connected to the CPU, in order to prevent network attacks.
2. The network anti-attack method according to claim 1, characterized in that the ACL rule is an egress ACL entry, and in step 2 the egress ACL entry and its corresponding QoS action are delivered to the network-device ACL/QoS processing module through a physical port of the packet processing chip.
3. The network anti-attack method according to claim 2, characterized in that in step 2 the CPU port is also delivered to the network-device ACL/QoS processing module, the CPU port being the port through which the network-device ACL/QoS processing module is connected to the CPU.
4. The network anti-attack method according to claim 1, characterized in that the ACL rule is an ingress ACL entry, and in step 2 the ingress ACL entry and its corresponding QoS action are delivered to the network-device ACL/QoS processing module through a physical port of the packet processing chip; the ports on which the ingress ACL entry is applied are set to at least two physical ports of the packet processing chip, and the CPU port is delivered as the destination of packets matching the entry, the CPU port being the port through which the network-device ACL/QoS processing module is connected to the CPU.
5. The network anti-attack method according to claim 3 or 4, characterized in that the CPU port is a PCI bus port.
6. A network anti-attack system based on the policy control list of a CPU, comprising a CPU and a network device packet processing chip, characterized in that it further comprises:
a configuration module, used to configure an ACL rule and the QoS action corresponding to that rule;
a data delivery module, used to deliver the configured ACL rule and its corresponding QoS action to the network-device ACL/QoS processing module of the packet processing chip;
the network-device ACL/QoS processing module, which transmits and receives data through the physical ports of the packet processing chip, interacts with the CPU through the port connected to the CPU, and is used to apply the rule to the port connected to the CPU in order to prevent network attacks.
7. The network anti-attack system according to claim 6, characterized in that the ACL rule is an egress ACL entry; the data delivery module delivers the egress ACL entry and its corresponding QoS action to the network-device ACL/QoS processing module.
8. The network anti-attack system according to claim 7, characterized in that the data delivery module also delivers to the network-device ACL/QoS processing module the CPU port to which the egress ACL rule is applied, the CPU port being the port through which the network-device ACL/QoS processing module is connected to the CPU.
9. The network anti-attack system according to claim 6, characterized in that the ACL rule is an ingress ACL entry; the data delivery module delivers the ingress ACL entry and its corresponding QoS action to the network-device ACL/QoS processing module through the PCI bus of the packet processing chip; the ports on which the ingress ACL entry is applied are set to at least two physical ports of the packet processing chip, and the destination port delivered for packets matching the entry is the CPU port, the CPU port being the port through which the network-device ACL/QoS processing module is connected to the CPU.
10. The network anti-attack system according to claim 8 or 9, characterized in that the CPU port is a PCI bus port.
Application CN2007101788869A, priority date 2007-12-06, filing date 2007-12-06: Network anti-attack method and system based on strategy control listing of CPU, Expired - Fee Related, CN101184095B (en)

Publications (2)

Publication Number Publication Date
CN101184095A (en) 2008-05-21
CN101184095B (en) 2011-09-21

Family

ID=39449177

Country Status (1)

Country Link
CN (1) CN101184095B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105337890B (en) * 2014-07-16 2019-03-15 杭州迪普科技股份有限公司 A kind of control strategy generation method and device
CN110995586B (en) * 2019-11-15 2022-07-15 锐捷网络股份有限公司 BGP message processing method and device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005067532A2 (en) * 2004-01-14 2005-07-28 Riverstone Networks, Inc. Managing processing utilization in a network node
CN1728679A (en) * 2004-07-31 2006-02-01 华为技术有限公司 Method for configuring routers
WO2006124009A2 (en) * 2004-03-26 2006-11-23 Cisco Technology, Inc. Hardware filtering support for denial-of-service attacks
CN1889510A (en) * 2005-06-30 2007-01-03 华为技术有限公司 Method for raising network security via message processing


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
CN 1889510 A, full text.


Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee (granted publication date: 20110921; termination date: 20141206)
EXPY Termination of patent right or utility model