CN102573111A - Method and device for releasing transfer control protocol resources - Google Patents

Publication number: CN102573111A
Authority: CN (China)
Prior art keywords: tcp, bng, message, response message, resource
Legal status: Pending
Application number: CN2012100054549A
Other languages: Chinese (zh)
Inventors: 王姝懿, 袁博, 陈勇
Current Assignee: ZTE Corp
Original Assignee: ZTE Corp
Application filed by ZTE Corp

Abstract

The invention provides a method and a device for releasing transfer control protocol (TCP) resources. The method comprises the following steps: after a three-way handshake connection is completed between a band net gate (BNG) and user equipment (UE), the BNG sends a probe message to the UE; the BNG obtains the receiving status of a response message from the UE, wherein the response message is the response to the probe message; and the BNG releases the TCP resources occupied by the UE according to the obtained receiving status. The technical scheme provided by the invention solves the technical problem in the related art that the WEB authentication of normal users is affected because no technical scheme is available for effectively releasing TCP resources, so that limited TCP resources are used effectively and normal users can carry out WEB authentication normally.

Description

Method and device for releasing transmission control protocol resources
Technical field
The present invention relates to the communications field, and in particular to a method and a device for releasing transmission control protocol (Transfer Control Protocol, abbreviated TCP) resources.
Background art
WEB authentication is widely used in current wireless local area network (Wireless Local Area Network, abbreviated WLAN) broadband access. As shown in Fig. 1, the main workflow of WEB authentication is as follows:
A WLAN user first accesses the broadband network gateway (Band Net Gate, abbreviated BNG) through an access node (Access Node, abbreviated AN) and obtains an IPv4 address from the BNG. At this point the user is still unauthenticated and has no permission to access the internet.
When the user needs to use internet services, the user visits any internet web page over the Hypertext Transfer Protocol (abbreviated HTTP). The BNG intercepts the user's HTTP connection and, through HTTP redirection, redirects the page the user requested to the user-authentication WEB page provided by the operator.
The user enters a user name and password on the user-authentication WEB page provided by the operator. After the operator's Radius server (that is, the WEB authentication server) authenticates the user successfully, the BNG grants this user permission to access the internet, and the user can then access the internet normally.
HTTP is an application-layer protocol that runs over a transmission control protocol (TCP) connection. In WEB authentication, when an unauthenticated user visits an internet web page, the BNG first establishes a TCP connection with the user through the TCP three-way handshake; once the TCP connection is established, any HTTP request the user makes for a web page is redirected to the page designated by the operator.
Under normal conditions, the BNG redirects the user's HTTP request in two phases, first TCP connection establishment and then HTTP redirection:
1, The WEB authentication user first sends a TCP SYN message to the BNG;
2, The BNG responds with TCP SYN ACK;
3, After receiving the SYN ACK, the WEB authentication user responds with TCP ACK, at which point the TCP connection is established;
4, The WEB authentication user sends an HTTP GET request to the BNG, and the BNG responds to the WEB authentication user with an HTTP redirect message;
5, The WEB authentication user visits the redirected WEB authentication address.
TCP denial-of-service attacks are widespread in current networks, so the TCP-based exchange used by WEB authentication is also easily subjected to them. With respect to the WEB authentication process, the denial-of-service attacks it is subjected to fall into two kinds: attacks before the TCP connection is established and attacks after the TCP connection is established:
A TCP denial-of-service attack before connection establishment creates a large number of invalid TCP half-open connections. A half-open connection means that the TCP client never sends the final TCP ACK message; the server keeps waiting for the client's TCP ACK and holds the half-open state until the half-open connection times out and is released, and this timeout may reach tens of seconds. In a malicious TCP attack, the user sends a large number of TCP SYN requests to the server to start a large number of TCP connections and then never responds with TCP ACK, so the server holds a large number of half-open connections. The TCP connection resources of the BNG are limited: both the rate at which the BNG can establish TCP connections for its HTTP service and the total number of TCP connections it can hold at the same time are limited. This denial-of-service attack consumes the TCP connection count of the BNG by creating a large number of invalid half-open connections; the BNG keeps holding these invalid half-open connections, which occupy the limited TCP connection count. When the TCP connection count of the BNG's HTTP service is entirely consumed by half-open connections, legitimate TCP connection establishment fails, which in turn affects the normal TCP-based WEB authentication service.
At present, TCP denial-of-service attacks can be defended against in the following ways:
1, Limit the TCP connection rate and connection count of any single user to protect the TCP resources of the device, so that normal TCP connections are unaffected;
2, Shorten the aging time of TCP half-open connections, so that half-open connections are aged out promptly and their TCP resources released.
It can be seen that current defenses against TCP denial-of-service attacks all target half-open connection attacks; there is no effective protection of TCP resources when the HTTP connection is abnormal after the TCP connection has been established. Such an abnormal connection may be caused by a malicious attack by the user, or by a network failure that prevents the user's HTTP messages from reaching the BNG.
After the TCP connection is fully established, that is, after the BNG and the UE have established a TCP connection, under normal conditions the BNG redirects the user's HTTP request, the user ends the TCP connection with TCP FIN, and the BNG releases the TCP resource. Because there is no protection of TCP resources when the HTTP connection is abnormal after the TCP connection is established, the following situations can occur: (1) After the TCP connection is established, the user equipment may neither send an HTTP request nor actively end the TCP connection. The BNG then keeps the TCP connection until it times out, which clearly also occupies the limited TCP connection count of the BNG and in turn affects the normal TCP-based WEB authentication service. (2) When the BNG provides the WEB service, the user visits any web page after obtaining an address; after the TCP three-way handshake between the BNG and the user succeeds, the user does not send an HTTP message, so the resources the server allocated for the three-way handshake cannot be released in time. When a large number of users perform WEB authentication at the same time, server resources become fully occupied, which affects the WEB authentication of normal users.
No effective solution to the above problems in the related art has yet been proposed.
Summary of the invention
In the related art, after the TCP connection is fully established there is still no technical scheme that effectively releases TCP resources, which affects the WEB authentication of normal users. To address at least this problem, the present invention provides a method and a device for releasing TCP resources.
According to one aspect of the present invention, a method for releasing TCP resources is provided, comprising: after the broadband network gateway BNG and user equipment (User Equipment, abbreviated UE) complete a three-way handshake connection, the BNG sends a probe message to the UE; the BNG obtains the receiving status of a response message from the UE, wherein the response message is the response to the probe message; and the BNG releases the TCP resources occupied by the UE according to the obtained receiving status.
The BNG releasing the TCP resources occupied by the UE according to the obtained receiving status comprises: when the receiving status is that the response message has not been received, the BNG releases the TCP resources occupied by the UE.
The method further comprises: when the preset number of transmissions of the probe message has been reached and no response message was received after any of the transmissions, the BNG releases the TCP resources.
The BNG releasing the TCP resources occupied by the UE according to the obtained receiving status comprises: when the receiving status is that the response message has been received, the BNG releases the TCP resources after determining that no access request from the UE has been received within a first predetermined time period.
Before the BNG sends the probe message to the UE, the method comprises: the BNG determines that no access request from the UE has been received within a second preset time period.
According to another aspect of the present invention, a device for releasing TCP resources is provided, comprising: a sending module, configured to send a probe message to the UE after the broadband network gateway BNG and the user equipment (UE) complete a three-way handshake connection; an obtaining module, configured to obtain the receiving status of a response message from the UE, wherein the response message is the response to the probe message; and a release module, configured to release the TCP resources occupied by the UE according to the obtained receiving status.
The release module is further configured to release the TCP resources it allocated when the receiving status is that the response message has not been received.
The release module is further configured to release the TCP resources when the preset number of transmissions of the probe message has been reached and no response message was received after any of the transmissions.
The release module is further configured to release the TCP resources, when the receiving status is that the response message has been received, after determining that no access request from the UE has been received within a first predetermined time period.
The device further comprises: a determination module, configured to determine that no access request from the UE has been received within a second preset time period.
In the present invention, the BNG controls the release of the TCP resources occupied by the UE according to the obtained receiving status of the response to the probe message. This solves the technical problem in the related art that, after the TCP connection is fully established (three-way handshake connection), there is still no technical scheme that effectively releases TCP resources, which affects the WEB authentication of normal users. As a result, limited TCP resources are used effectively and normal users can carry out WEB authentication normally.
Description of drawings
The accompanying drawings described here provide a further understanding of the present invention and form a part of this application. The illustrative embodiments of the present invention and their description are used to explain the present invention and do not constitute an improper limitation of it. In the drawings:
Fig. 1 is a schematic diagram of the WEB authentication interaction flow according to the related art;
Fig. 2 is a flow chart of the method for releasing TCP resources according to an embodiment of the invention;
Fig. 3 is a structural block diagram of the device for releasing TCP resources according to an embodiment of the invention;
Fig. 4 is a structural schematic diagram of the device for releasing TCP resources according to a preferred embodiment of the invention;
Fig. 5 is a schematic diagram of the principle of TCP resource protection according to Embodiment 1 of the invention;
Fig. 6 is a schematic flow chart of the method of TCP resource protection according to Embodiment 1 of the invention;
Fig. 7 is a schematic flow chart of the method for releasing TCP resources according to Embodiment 2 of the invention;
Fig. 8 is a schematic flow chart of the method for releasing TCP resources according to Embodiment 3 of the invention;
Fig. 9 is a schematic flow chart of the method for releasing TCP resources according to Embodiment 4 of the invention.
Detailed description of embodiments
The present invention is described in detail below with reference to the accompanying drawings and in combination with the embodiments. It should be noted that, where they do not conflict, the embodiments in this application and the features in the embodiments can be combined with each other.
Fig. 2 is a flow chart of the method for releasing TCP resources according to an embodiment of the invention. As shown in Fig. 2, the method comprises:
Step S202: after the BNG and the UE complete a three-way handshake connection, the BNG sends a probe message to the UE. In a specific implementation, the probe message can be a keep-alive (KeepLive) message.
Step S204: the BNG obtains the receiving status of a response message from the UE, wherein the response message is the response to the probe message;
Step S206: the BNG releases the TCP resources occupied by the UE according to the obtained receiving status.
These processing steps provide a technical means of controlling the release of TCP resources after the BNG and the UE have established a TCP connection, and thereby protect the WEB authentication of normal users after the BNG and the UE have established a TCP connection.
In step S206, the receiving status comprises the response message having been received and the response message not having been received. When the receiving status is that the response message has not been received, the BNG directly releases the TCP resources occupied by the UE.
In an embodiment of the present invention, when the receiving status is that the response message has not been received, the TCP resources occupied by the UE need not be released immediately. For example, the TCP resources can be released only when the number of transmissions of the probe message reaches a preset threshold. Specifically, when the preset number of transmissions of the probe message has been reached and no response message was received after any of the transmissions, the BNG releases the TCP resources.
As mentioned above, the receiving status also comprises the response message having been received. In this case, that is, when the receiving status is that the response message has been received, the BNG releases the TCP resources after determining that no access request from the UE has been received within a first predetermined time period.
Before step S202, that is, before the BNG sends the probe message to the UE, a condition for sending the probe message can also be set to avoid wasting network resources. Specifically: the BNG determines that no access request from the UE has been received within a second preset time period.
This embodiment also provides a device for releasing TCP resources, located in the broadband network gateway BNG. The device is used to implement the above embodiments and preferred implementations; what has already been explained is not repeated, and the modules involved in the device are described below. As used below, the term "module" can be a combination of software and/or hardware that implements a predetermined function. Although the device described in the following embodiments is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and conceived. Fig. 3 is a structural block diagram of the device for releasing TCP resources according to an embodiment of the invention. As shown in Fig. 3, the device comprises:
A sending module 30, connected to the obtaining module 32, configured to send a probe message to the UE after the BNG and the UE complete a three-way handshake connection;
An obtaining module 32, connected to the release module 34, configured to obtain the receiving status of a response message from the UE, wherein the response message is the response to the probe message;
A release module 34, configured to release the TCP resources occupied by the UE according to the obtained receiving status.
Preferably, the release module 34 is further configured to release the TCP resources it allocated when the receiving status is that the response message has not been received.
In a preferred implementation of the present invention, the release module 34 is further configured to release the TCP resources when the preset number of transmissions of the probe message has been reached and no response message was received after any of the transmissions.
The release module 34 is further configured to release the TCP resources, when the receiving status is that the response message has been received, after determining that no access request from the UE has been received within a first predetermined time period.
Preferably, as shown in Fig. 4, the device can further comprise: a determination module 36, connected to the sending module 30, configured to determine that no access request from the UE has been received within a second preset time period.
It should be noted that the preferred implementation of each module in the device can be found in the description of the method embodiments and is not repeated here.
For a better understanding of the above embodiments, they are described in detail below with reference to specific embodiments and the related drawings.
Embodiment 1
Based on the above method and device for releasing TCP resources, this embodiment provides a method of protecting TCP resources when HTTP is abnormal in a WEB authentication scenario.
Before the specific steps of this embodiment are described, its principle is explained. In this embodiment, after the WEB authentication user and the BNG establish a TCP connection through the three-way handshake, and once the HTTP keep-alive time configured on the BNG expires, the BNG uses TCP keep-alive to probe whether the WEB authentication user's TCP connection is active. If the BNG judges that this user's TCP connection is inactive, the BNG releases the TCP resources occupied by the user. See Fig. 5 for details.
In Fig. 5, IPSTACK is the module on the BNG that handles sending and receiving packets; here it is mainly its TCP submodule that interacts with the UE and performs the TCP three-way handshake. After the three-way handshake succeeds and an HTTP GET message is received, the TCP module passes this message to the Portal module (the module on the BNG that implements the forced-push authentication function, equivalent to a Portal client). On receiving it, the Portal module constructs the corresponding HTTP redirect message from the URL information of the server and sends it to the UE; the UE extracts the address of the server from the message and establishes a connection with the server, and the server then pushes the page to the UE according to the URL. TCP resources are created and released in this process as follows:
1, During the TCP three-way handshake exchange, what is occupied is the TCP control block resource of IPSTACK;
2, After the TCP three-way handshake succeeds, the TCP module notifies Portal to create a socket, which occupies a socket resource requested by Portal;
3, After the HTTP GET message is received and Portal has successfully constructed the redirect message, the previously created socket resource is released.
That is, Fig. 5 sets a resource release mechanism at every point where resources may be occupied.
The main steps by which this embodiment defends against this HTTP attack are as follows:
The WEB authentication user accesses the BNG and obtains an address from the BNG;
The WEB authentication user visits any web page, and the BNG establishes a TCP connection with the user normally through the three-way handshake;
The BNG sets an HTTP keep-alive time for the user that has established the TCP connection. If the keep-alive time expires and the HTTP GET request of the WEB authentication user has still not been received, the BNG sends a TCP KeepAlive message to the TCP client to probe whether this TCP connection is active;
If the user does not respond to this message, the BNG considers this user's TCP connection abnormal and releases the previously allocated TCP resources.
In this embodiment, the HTTP keep-alive time and the HTTP aging time are set on the BNG through configuration.
In this embodiment, the BNG can configure the number of TCP probes and the probe interval; the BNG can set how many probes must go unanswered by the user before the TCP resources occupied by the user are released.
In this embodiment, the BNG can configure the HTTP aging time. When the user responds to the BNG's probe but has still not sent an HTTP GET when the HTTP aging time expires, the BNG also releases the TCP resources occupied by the user.
The scheme in this embodiment can be combined with limits on the user's TCP connection rate and connection count to achieve a better attack defense effect.
In this embodiment, the scheme can also be combined with a configured TCP half-open connection aging time to achieve a better attack defense effect.
The technical scheme in this embodiment can be applied to the WEB authentication of the BNG and is also applicable to other TCP-based applications such as FTP.
For a better understanding of this embodiment, it is described in detail below with reference to Fig. 6. Fig. 6 is a schematic flow chart of the method of TCP resource protection according to Embodiment 2 of the invention. It should be noted that the user described below can take the form of a user terminal. As shown in Fig. 6, the method comprises:
Step S602: a TCP SYN request message is received;
Step S604: determine whether the current total number of half-open connections exceeds the maximum number of half-open connections allowed; if so, go to step S606, otherwise go to step S608;
Step S606: drop the packet;
Step S608: respond with a SYN+ACK message, allocate a TCP control block, and add 1 to the total number of half-open connections;
Step S610: when the aging time expires, determine whether the ACK message of the user's response has been received; if so, go to step S614, otherwise go to step S612;
Step S612: release the previously allocated TCP resources and subtract 1 from the total number of half-open connections;
Step S614: determine whether the number of connections currently established by this user exceeds the maximum number of connections allowed; if so, go to step S616, otherwise go to step S618;
Step S616: release the previously allocated TCP resources and subtract 1 from the total number of half-open connections;
Step S618: create the socket resource, add 1 to the number of connections currently established by this user, and start the keep-alive mechanism and the aging mechanism;
Step S620: the aging time expires, and it is confirmed that no HTTP GET message sent by the user has been received;
Step S622: release this socket resource and subtract 1 from the number of connections currently established by this user;
Step S624: the keep-alive time expires, and it is confirmed that no HTTP GET message sent by the user has been received. It should be noted that step S620 and step S622 need not occur in a fixed order.
Step S626: send a TCP Keep Alive message to the peer to detect whether this TCP connection is active; if it is not, go to step S628;
Step S628: determine whether the number of keep-alive detections has been reached; if so, go to step S630, otherwise go to step S626;
Step S630: release the previously allocated socket resource and subtract 1 from the number of connections currently established by this user.
As the above technical scheme shows, this embodiment defends well against the attack in which no HTTP GET message is sent after a successful TCP three-way handshake. When the user's HTTP GET message is not received, the system resources previously occupied can be released once the keep-alive time set by the BNG expires, so that limited TCP resources are used effectively and the normal forced-push WEB authentication of normal users is not affected.
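The flow of Fig. 6 as a deterministic model, added here as an illustration and not code from the patent or from any BNG product. The `Bng` class, its method names, the timer values in `Config` and the one-second tick are assumptions, and a probe is treated as answered or unanswered within the same tick.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Config:
    # Constructed values; the page only gives "3 probes, 1 s interval"
    # (Embodiment 4) as sample settings.
    max_half_open: int = 2       # S604: total half-open limit
    max_conn_per_user: int = 2   # S614: per-user established limit
    half_open_aging: int = 5     # S610: seconds to wait for the final ACK
    http_keepalive: int = 10     # S624: seconds without HTTP GET before probing
    http_aging: int = 30         # S620: seconds without HTTP GET before release
    probe_count: int = 3         # S628: unanswered probes before release
    probe_interval: int = 1      # seconds between unanswered probes


@dataclass
class Conn:
    user: str
    state: str                   # "half-open" or "established"
    since: int                   # time the current state was entered
    next_probe: int = 0
    unanswered: int = 0


class Bng:
    def __init__(self, cfg: Config):
        self.cfg = cfg
        self.conns: Dict[str, Conn] = {}
        self.half_open = 0
        self.per_user: Dict[str, int] = {}
        self.released: Dict[str, Tuple[str, int]] = {}  # key -> (reason, time)

    def _release(self, key: str, reason: str, now: int) -> None:
        conn = self.conns.pop(key)
        if conn.state == "half-open":
            self.half_open -= 1              # S612 / S616
        else:
            self.per_user[conn.user] -= 1    # S622 / S630
        self.released[key] = (reason, now)

    def on_syn(self, key: str, user: str, now: int) -> bool:
        if self.half_open >= self.cfg.max_half_open:
            return False                     # S606: drop the packet
        self.conns[key] = Conn(user, "half-open", now)  # S608
        self.half_open += 1
        return True

    def on_ack(self, key: str, now: int) -> bool:
        conn = self.conns.get(key)
        if conn is None or conn.state != "half-open":
            return False
        if self.per_user.get(conn.user, 0) >= self.cfg.max_conn_per_user:
            self._release(key, "per-user-limit", now)   # S616
            return False
        self.half_open -= 1                  # S618: socket created, timers start
        conn.state, conn.since = "established", now
        conn.next_probe = now + self.cfg.http_keepalive
        self.per_user[conn.user] = self.per_user.get(conn.user, 0) + 1
        return True

    def on_http_get(self, key: str, now: int) -> None:
        # Normal path: redirect is sent and the socket is released.
        if key in self.conns and self.conns[key].state == "established":
            self._release(key, "redirected", now)

    def tick(self, now: int, peer_answers: Callable[[str], bool]) -> None:
        for key, conn in list(self.conns.items()):
            age = now - conn.since
            if conn.state == "half-open":
                if age >= self.cfg.half_open_aging:
                    self._release(key, "half-open-aged", now)   # S612
            elif age >= self.cfg.http_aging:
                self._release(key, "http-aging", now)           # S620, S622
            elif now >= conn.next_probe:                        # S624, S626
                if peer_answers(key):
                    conn.unanswered = 0      # active: wait for HTTP aging
                    conn.next_probe = now + self.cfg.http_keepalive
                else:
                    conn.unanswered += 1
                    if conn.unanswered >= self.cfg.probe_count:
                        self._release(key, "probe-timeout", now)  # S630
                    else:
                        conn.next_probe = now + self.cfg.probe_interval


def run_scenario(peer_alive: bool, get_at: Optional[int] = None,
                 cfg: Optional[Config] = None) -> Tuple[str, int]:
    """One UE completes the handshake at t=0; returns (release reason, time)."""
    bng = Bng(cfg or Config())
    bng.on_syn("c1", "ue1", 0)
    bng.on_ack("c1", 0)
    for now in range(1, 61):
        if get_at == now:
            bng.on_http_get("c1", now)
        bng.tick(now, lambda key: peer_alive)
        if "c1" in bng.released:
            return bng.released["c1"]
    return ("still-open", 60)
```

With these constructed timers, a silent peer frees its socket after 12 seconds instead of holding it until the 30-second HTTP aging time, which is the saving the keep-alive probe is meant to provide.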
Embodiment 2
In this embodiment, the WEB authentication user is a malicious attacking user. After the TCP connection is established through the three-way handshake, the user maliciously releases the TCP connection without notifying the BNG.
Fig. 7 is a schematic flow chart of the method for releasing TCP resources according to Embodiment 2 of the invention. As shown in Fig. 7, the method comprises:
Step S702: the user successfully obtains an address and comes online; that is, the WEB authentication user accesses the BNG and obtains an address from the BNG;
Step S704: the TCP three-way handshake between the user and the BNG succeeds and the keep-alive mechanism is started; that is, the WEB authentication user visits any web page, the BNG and the user establish a TCP connection normally through the three-way handshake, and the keep-alive mechanism is started;
Step S706: the keep-alive time expires and no HTTP GET message has been received from the user; that is, the user sends no further HTTP GET message, and the HTTP keep-alive time of the BNG expires without an HTTP GET message from the user;
Step S708: a TCP KeepAlive message is sent to detect whether this TCP connection is active; that is, the BNG sends a TCP KeepAlive message on this TCP connection to detect whether it is active;
Step S710: the user does not respond, the connection is detected as inactive, and the allocated TCP resources are released; that is, if the user's TCP connection has already been released, the user does not respond to this message, the BNG considers this TCP connection inactive, and it releases the TCP resources occupied by this user.
Embodiment 3
In this embodiment, after the WEB authentication user establishes a TCP connection through the three-way handshake, the HTTP GET message is dropped abnormally in transit, the user's TCP connection is still maintained, and the BNG has an HTTP keep-alive time configured.
Fig. 8 is a schematic flow chart of the method for releasing TCP resources according to Embodiment 3 of the invention. As shown in Fig. 8, the method comprises:
Step S802: the user successfully obtains an address and comes online; that is, the WEB authentication user accesses the BNG and obtains an address from the BNG;
Step S804: the TCP three-way handshake between the user and the BNG succeeds and the keep-alive mechanism is started; that is, the WEB authentication user visits any web page, the BNG and the user establish a TCP connection normally through the three-way handshake, and the keep-alive mechanism is started;
Step S806: the keep-alive time expires and no HTTP GET message has been received from the user; that is, the user sends no further HTTP GET message, and the HTTP keep-alive time of the BNG expires without an HTTP GET message from the user;
Step S808: a TCP KeepAlive message is sent to detect whether this TCP connection is active; that is, the BNG sends a TCP KeepAlive message on this TCP connection to detect whether it is active;
Step S810: the user responds, and the allocated TCP resources are released when the aging time expires; that is, the user responds to this message, the BNG considers this TCP connection active and does not release the TCP resources occupied by the user immediately, but releases the TCP resources occupied by this user after the HTTP timeout.
Embodiment 4
In this embodiment, the WEB authentication user is a malicious attacking user. After the TCP connection is established through the three-way handshake, the user maliciously releases the TCP connection without notifying the BNG, the user's TCP connection is still maintained, and the BNG is configured with 3 probes and a probe interval of 1 s.
Fig. 9 is a schematic flow chart of the method for releasing TCP resources according to Embodiment 4 of the invention. As shown in Fig. 9, the method comprises:
Step S902: the user successfully obtains an address and comes online; that is, the WEB authentication user accesses the BNG and obtains an address from the BNG;
Step S904: the TCP three-way handshake between the user and the BNG succeeds and the keep-alive mechanism is started; that is, the WEB authentication user visits any web page, the BNG and the user establish a TCP connection normally through the three-way handshake, and the keep-alive mechanism is started;
Step S906: the keep-alive time expires and no HTTP GET message has been received from the user; that is, the user sends no further HTTP GET message, and the HTTP keep-alive time of the BNG expires without an HTTP GET message from the user;
Step S908: a TCP KeepAlive message is sent to detect whether this TCP connection is active; that is, the BNG sends a TCP KeepAlive message on this TCP connection to detect whether it is active;
Step S910: the user does not respond, the number of probes by the BNG reaches the preset threshold with still no response from the user, and the TCP resources are released. That is, the user's TCP connection has been released and the user does not respond to this message, so the BNG considers this TCP connection inactive. The BNG probes once every predetermined time interval (for example, 1 s); when the number of probes is greater than the predetermined threshold (for example, 3 times) and the user has still not responded, the BNG releases the TCP resources occupied by this user.
In another embodiment, software is also provided, which is used to carry out the technical schemes described in the above embodiments and preferred implementations.
In another embodiment, a storage medium is also provided, in which the above software is stored. The storage medium includes but is not limited to: CD, floppy disk, hard disk, scratch pad memory, and so on.
Obviously, those skilled in the art will understand that each of the above modules or steps of the present invention can be implemented with a general-purpose computing device. They can be concentrated on a single computing device or distributed over a network formed by several computing devices. Alternatively, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases, the steps shown or described can be carried out in an order different from the one given here. They can also each be made into an individual integrated circuit module, or several of the modules or steps can be made into a single integrated circuit module. The present invention is therefore not restricted to any specific combination of hardware and software.
The above are merely preferred embodiments of the present invention and are not intended to limit it; for those skilled in the art, the present invention can have various changes and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present invention shall fall within its scope of protection.

Claims (10)

1. A method for releasing transmission control protocol (TCP) resources, characterized by comprising:
after a broadband network gateway (BNG) and a user equipment (UE) have established a connection by three-way handshake, the BNG sends a probe message to the UE;
the BNG obtains the reception status of a response message from the UE, wherein the response message is the response to the probe message;
the BNG releases the TCP resource occupied by the UE according to the obtained reception status.
2. The method according to claim 1, characterized in that the BNG releasing the TCP resource occupied by the UE according to the obtained reception status comprises:
when the reception status is that the response message has not been received, the BNG releases the TCP resource occupied by the UE.
3. The method according to claim 2, characterized by further comprising:
when the preset number of transmissions of the probe message has been reached and no response message has been received after any transmission of the probe message, the BNG releases the TCP resource.
4. The method according to claim 1, characterized in that the BNG releasing the TCP resource occupied by the UE according to the obtained reception status comprises:
when the reception status is that the response message has been received, the BNG releases the TCP resource after determining that no access request from the UE has been received within a first predetermined time period.
5. The method according to any one of claims 1 to 4, characterized in that, before the BNG sends the probe message to the UE, the method comprises:
the BNG determines that no access request from the UE has been received within a second preset time period.
6. A device for releasing transmission control protocol (TCP) resources, located in a broadband network gateway (BNG), characterized by comprising:
a sending module, configured to send a probe message to a user equipment (UE) after the BNG and the UE have established a connection by three-way handshake;
an acquisition module, configured to obtain the reception status of a response message from the UE, wherein the response message is the response to the probe message;
a release module, configured to release the TCP resource occupied by the UE according to the obtained reception status.
7. The device according to claim 6, characterized in that the release module is further configured to release the TCP resource it allocated when the reception status is that the response message has not been received.
8. The device according to claim 6, characterized in that the release module is further configured to release the TCP resource when the preset number of transmissions of the probe message has been reached and no response message has been received after any transmission of the probe message.
9. The device according to claim 6, characterized in that the release module is further configured to release the TCP resource, when the reception status is that the response message has been received, after determining that no access request from the UE has been received within a first predetermined time period.
10. The device according to any one of claims 6 to 9, characterized by further comprising:
a determination module, configured to determine that no access request from the UE has been received within a second preset time period.
CN2012100054549A 2012-01-10 2012-01-10 Method and device for releasing transfer control protocol resources Pending CN102573111A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2012100054549A CN102573111A (en) 2012-01-10 2012-01-10 Method and device for releasing transfer control protocol resources

Publications (1)

Publication Number Publication Date
CN102573111A true CN102573111A (en) 2012-07-11

Family

ID=46417260

Country Status (1)

Country Link
CN (1) CN102573111A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101030889A (en) * 2007-04-18 2007-09-05 杭州华为三康技术有限公司 Method and apparatus against attack
CN101350763A (en) * 2007-07-16 2009-01-21 华为技术有限公司 Resource management method, system and network appliance
CN101436958A (en) * 2007-11-16 2009-05-20 太极计算机股份有限公司 Method for resisting abnegation service aggression
CN101594269A (en) * 2009-06-29 2009-12-02 成都市华为赛门铁克科技有限公司 A kind of detection method of unusual connection, device and gateway device

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105991348A (en) * 2015-05-20 2016-10-05 杭州迪普科技有限公司 TCP (transmission control protocol) connection closing method and device
CN105991348B (en) * 2015-05-20 2019-03-15 杭州迪普科技股份有限公司 TCP connection method for closing and device
CN105592038A (en) * 2015-07-13 2016-05-18 杭州华三通信技术有限公司 Portal authentication method and device
CN105592038B (en) * 2015-07-13 2018-10-09 新华三技术有限公司 Portal authentication method and device
CN110140410A (en) * 2016-03-18 2019-08-16 华为技术有限公司 Eliminate the TCP deadlock caused by across the technology switching of wireless device
CN110140410B (en) * 2016-03-18 2021-04-09 华为技术有限公司 Eliminating TCP deadlock caused by wireless device cross technology handover
CN106713454A (en) * 2016-12-22 2017-05-24 腾讯科技(深圳)有限公司 Network connection method and device
CN106657082A (en) * 2016-12-27 2017-05-10 杭州盈高科技有限公司 Fast HTTP redirection method
CN110999257A (en) * 2017-08-04 2020-04-10 诺基亚技术有限公司 Delivery method selection for delivery of server notifications
CN110999257B (en) * 2017-08-04 2022-05-10 诺基亚技术有限公司 Delivery method selection for delivery of server notifications
WO2022037049A1 (en) * 2020-08-18 2022-02-24 华为技术有限公司 Method and apparatus for keeping user terminal alive
CN113645256A (en) * 2021-10-13 2021-11-12 成都数默科技有限公司 Aggregation method without reducing TCP session data value density

Similar Documents

Publication Publication Date Title
CN102573111A (en) Method and device for releasing transfer control protocol resources
US9628441B2 (en) Attack defense method and device
US7301899B2 (en) Prevention of bandwidth congestion in a denial of service or other internet-based attack
CN105635084B (en) Terminal authentication apparatus and method
Baitha et al. Session hijacking and prevention technique
RU2639696C2 (en) Method, device and system for maintaining activity of access session on 802,1x standard
JP6435695B2 (en) Controller and its attacker detection method
EP2986042B1 (en) Client, server, and remote authentication dial in user service capability negotiation method and system
CN105578463B (en) A kind of method and device of dual link safety communication
Hubballi et al. A closer look into DHCP starvation attack in wireless networks
CN110830516B (en) Network access method, device, network control equipment and storage medium
CN110557358A (en) Honeypot server communication method, SSLStrip man-in-the-middle attack perception method and related device
Hsu et al. A client-side detection mechanism for evil twins
US8973143B2 (en) Method and system for defeating denial of service attacks
EP2239883B1 (en) Method, device, system, client node, peer node and convergent point for preventing node from forging identity
CN101547158B (en) PADT message interaction method and device in PPPoE session
EP1914960B1 (en) Method for transmission of DHCP messages
CN102185867A (en) Method for realizing network security and star network
Lu et al. Detecting command and control channel of botnets in cloud
JP2005122695A (en) Authentication method, server computer, client computer, and program therefor
JP2009217722A (en) Authentication processing system, authentication device, management device, authentication processing method, authentication processing program and management processing program
Al-Duwairi et al. Distributed packet pairing for reflector based DDoS attack mitigation
CN105792216A (en) Wireless phishing access point detection method based on authentication
Biagioni Preventing udp flooding amplification attacks with weak authentication
EP2109284A1 (en) Protection mechanism against denial-of-service attacks via traffic redirection

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20120711