CN109040046A - network access method and device - Google Patents


Info

Publication number
CN109040046A
Authority
CN
China
Prior art keywords
address
message
network
list item
time period
Prior art date
Legal status
Granted
Application number
CN201810827488.3A
Other languages
Chinese (zh)
Other versions
CN109040046B (en)
Inventor
王阳
廖以顺
Current Assignee
New H3C Information Technologies Co Ltd
Original Assignee
New H3C Technologies Co Ltd
Application filed by New H3C Technologies Co Ltd
Priority to CN201810827488.3A
Publication of CN109040046A
Application granted
Publication of CN109040046B
Legal status: Active
Anticipated expiration

Classifications

    • H Electricity
    • H04 Electric communication technique
    • H04L Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0281 Proxies
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure provides a network access method and device. In the disclosure, when the number of network access messages sent by an unauthenticated first terminal within a designated time period whose destination IP address is a first IP address is detected to be equal to a first preset threshold, a check is made as to whether other terminals have also sent network access messages whose destination IP address is the first IP address within the designated time period. When other terminals have sent such messages, the first IP address is determined to be legal, and the network access messages sent to the first IP address by each terminal that has passed authentication are allowed to pass. In this way, in networking that combines Portal authentication with web proxy, attack defense is still performed while messages that normally access the Web proxy server are not mistakenly blocked, which prevents normal network access from failing because of attack defense in such networking.

Description

Network access method and device
Technical field
This disclosure relates to network communication technology, and in particular to a network access method and device.
Background technique
Portal authentication, also called web authentication, works as follows: before a terminal has passed Portal authentication it cannot actually access the network; after the terminal has passed Portal authentication it may access the authorized network to obtain network resource information.
Web proxy means that a Web server accesses the network on behalf of each terminal to obtain network resource information; in this way network access is protected from attacks by the external network.
Fig. 1 shows networking in which Portal authentication is combined with web proxy. As shown in Fig. 1, terminal 101 sends an HTTP message when it accesses the network. The HTTP message reaches the Broadband Remote Access Server (BRAS) through switching device 102 and switching device 103. The BRAS receives the HTTP message, finds that terminal 101, which sent it, has not passed Portal authentication, and forces terminal 101 to access the BRAS authentication server for Portal authentication. After terminal 101 has passed Portal authentication, the service by which terminal 101 accesses the network is redirected to the Web server, which acts as its proxy.
Summary of the invention
The present disclosure provides a network access method and device, in order to prevent normal network access from failing because of attack defense in networking that combines Portal authentication with web proxy.
The technical solution provided by the present disclosure includes:
A network access method, applied to a BRAS, comprising:
counting the number of network access messages sent by a first terminal within a designated time period whose destination IP address is a first IP address, the first terminal being one of the terminals that have not been authenticated by the authentication server connected to this BRAS;
if the message count equals a first preset threshold, checking whether other terminals have sent network access messages whose destination IP address is the first IP address within the designated time period;
when it is found that other terminals have sent network access messages whose destination IP address is the first IP address within the designated time period, determining that the first IP address is legal and allowing the network access messages sent to the first IP address by each other terminal authenticated by the authentication server to pass.
A network access device, applied to a BRAS, comprising:
a statistics unit, for counting the number of network access messages sent by a first terminal within a designated time period whose destination IP address is a first IP address, the first terminal being one of the terminals that have not been authenticated by the authentication server connected to this BRAS;
an inspection unit, for checking, when the message count equals a first preset threshold, whether other terminals have sent network access messages whose destination IP address is the first IP address within the designated time period;
a network access control unit, for determining that the first IP address is legal when the inspection unit finds that other terminals have sent network access messages whose destination IP address is the first IP address within the designated time period, and allowing the network access messages sent to the first IP address by each other terminal authenticated by the authentication server to pass.
As can be seen from the above technical solution, in the disclosure, when the number of network access messages sent by an unauthenticated first terminal within a designated time period whose destination IP address is a first IP address is detected to equal the first preset threshold, it is checked whether other terminals have sent network access messages whose destination IP address is the first IP address within the designated time period. When other terminals have sent such messages, the first IP address is determined to be legal and the network access messages sent to the first IP address by each authenticated terminal are allowed to pass. Thus, in networking that combines Portal authentication with web proxy, attack defense is still performed while messages (network access messages) that normally access the Web proxy server are not mistakenly blocked, preventing normal network access from failing because of attack defense in such networking.
Detailed description of the invention
The drawings herein are incorporated into and form part of this specification; they show embodiments consistent with the disclosure and, together with the specification, serve to explain the principles of the disclosure.
Fig. 1 is a schematic diagram of networking that combines Portal authentication with web proxy;
Fig. 2 is the method flow chart provided by the disclosure;
Fig. 3 is the networking diagram of the embodiment provided by the disclosure;
Fig. 4 is the schematic structural diagram of the device provided by the disclosure;
Fig. 5 is the hardware structural diagram, provided by the disclosure, of the device shown in Fig. 4.
Specific embodiment
In networking that combines Portal authentication with web proxy, Portal authentication is triggered by HTTP messages, and an HTTP message may itself be a network attack. To defend against network attacks, the BRAS can be locally configured with an anti-attack entry policy, whose purpose is: when the number of HTTP messages accessing a certain destination IP address reaches a set threshold, HTTP messages accessing that destination IP address are forbidden from continuing. However, in networking that combines Portal authentication with web proxy, the Web server accesses the network on behalf of each terminal, so the destination IP address of all network access by every terminal is the IP address of the Web server (denoted IP100). Once the number of HTTP messages whose destination IP address is IP100 (the IP address of the Web server) reaches the set threshold, the anti-attack entry takes effect and no subsequent terminal can access the Web proxy server, so that even terminals that have passed Portal authentication cannot access the network normally.
To prevent normal network access from failing because of attack defense in networking that combines Portal authentication with web proxy, this application provides the process shown in Fig. 2.
Referring to Fig. 2, Fig. 2 is the method flow chart provided by the disclosure. The process is applied to a BRAS. As shown in Fig. 2, the process may include the following steps:
Step 201: count the number of network access messages sent by a first terminal within a designated time period whose destination IP address is a first IP address.
In the disclosure, the terms first terminal, first IP address and first preset threshold are names used here for ease of description and are not limiting. The first terminal is one of the terminals that have not been authenticated by the authentication server (such as the Portal authentication server) connected to this BRAS, and the first IP address is any network IP address. The first preset threshold is customized according to actual needs. Drawing on the existing anti-attack entry policy (which generates an anti-attack entry when the message count within the designated time period reaches a configured threshold), the first preset threshold here is less than the threshold configured in the existing anti-attack entry policy (which may be denoted the second preset threshold). This is described in detail below and is not repeated here.
In the disclosure, as one embodiment, the network access message here may be an HTTP message, and authentication here refers to Portal authentication.
Step 202: if the message count equals the first preset threshold, check whether other terminals have sent network access messages whose destination IP address is the first IP address within the designated time period; when it is found that other terminals have sent network access messages whose destination IP address is the first IP address within the designated time period, determine that the first IP address is legal and allow the network access messages sent to the first IP address by each other terminal authenticated by the authentication server to pass.
In the disclosure, when it is found that no other terminal has sent network access messages whose destination IP address is the first IP address within the designated time period, then, as one embodiment, an anti-attack entry is generated locally and, according to that entry, network access messages whose destination IP address is the first IP address are forbidden to pass. Alternatively, the counting of network access messages sent by the first terminal to the first IP address continues within the designated time period until the message count equals a second preset threshold, at which point an anti-attack entry is generated locally and, according to that entry, network access messages whose destination IP address is the first IP address are forbidden to pass. The second preset threshold is greater than the first preset threshold.
In the disclosure, when more than one terminal accesses the same IP address (the first IP address above) within the same time period, this indicates that the first IP address is very likely the IP address of the Web proxy server, a normal and legal IP address. In that case, regardless of whether the number of network access messages accessing the first IP address within the designated time period reaches the second preset threshold, the disclosure does not issue an anti-attack entry for the first IP address; instead it determines that the first IP address is legal and allows the network access messages sent to the first IP address by each authenticated terminal to pass. Thus, in networking that combines Portal authentication with web proxy, attack defense is still performed while messages (network access messages) that normally access the Web proxy server are not mistakenly blocked, preventing normal network access from failing because of attack defense in such networking.
This completes the process shown in Fig. 2.
It can be seen from the process shown in Fig. 2 that in the disclosure, when the number of network access messages sent by an unauthenticated first terminal within a designated time period whose destination IP address is a first IP address is detected to equal the first preset threshold, it is checked whether other terminals have sent network access messages whose destination IP address is the first IP address within the designated time period. When other terminals have sent such messages, the first IP address is determined to be legal and the network access messages sent to the first IP address by each authenticated terminal are allowed to pass. In networking that combines Portal authentication with web proxy, attack defense is therefore still performed while messages (network access messages) that normally access the Web proxy server are not mistakenly blocked, preventing normal network access from failing because of attack defense in such networking.
In the disclosure, as one embodiment, counting in step 201 the number of network access messages sent by the first terminal within the designated time period whose destination IP address is the first IP address may include: when a network access message sent by the first terminal whose destination IP address is the first IP address is received within the designated time period, checking whether the local message statistics table contains a first message statistics entry whose source IP address and destination IP address are, respectively, the source IP address and destination IP address of the received network access message; if so, increasing the message count in the first message statistics entry by a preset value; if not, adding to the local message statistics table a first message statistics entry whose message count is the preset value and whose source IP address and destination IP address are, respectively, the source IP address and destination IP address of the received network access message. The first message statistics entry thereby counts the network access messages sent by the first terminal within the designated time period whose destination IP address is the first IP address. It should be noted that the preset value may be, for example, 1 or another value; the application does not limit it.
The above describes only how to count the network access messages sent by the first terminal within the designated time period whose destination IP address is the first IP address; the network access messages sent by each of the other unauthenticated terminals within the designated time period are counted in the same way. On this basis, the local message statistics table of the BRAS contains a message statistics entry for each unauthenticated terminal (including the first terminal).
Based on the local message statistics table, checking in step 202 whether other terminals have sent network access messages whose destination IP address is the first IP address within the designated time period includes:
searching, among the other message statistics entries in the local message statistics table apart from the first message statistics entry, for message statistics entries whose destination IP address is the first IP address;
if any is found, determining that other terminals have sent network access messages whose destination IP address is the first IP address within the designated time period;
if none is found, determining that no other terminal has sent network access messages whose destination IP address is the first IP address within the designated time period.
In this application, when it is found that other terminals have sent network access messages whose destination IP address is the first IP address within the designated time period, then, as described in step 202, the first IP address is directly determined to be legal and the network access messages sent to the first IP address by each other terminal authenticated by the authentication server are allowed to pass. At that point the current count (equal to the first preset threshold) of network access messages sent by the first terminal within the designated time period whose destination IP address is the first IP address is no longer useful, so to save resources it may be deleted. In terms of the message statistics table above, the first message statistics entry may be deleted.
The disclosure is described below through a specific embodiment:
Referring to Fig. 3, Fig. 3 is the application networking diagram of the embodiment provided by the disclosure. In Fig. 3, the IP address of terminal 301 is 10.1.1.2, the IP address of terminal 302 is 10.1.1.3, the IP address of terminal 303 is 10.1.1.4, and the IP address of the Web proxy server is 20.1.1.2.
In Fig. 3, the BRAS is configured with an anti-attack entry policy. The anti-attack entry policy means: when the number of messages accessing a certain IP address within a designated time period reaches the second preset threshold (100), an anti-attack entry for that IP address is generated.
The BRAS is also provided with a first preset threshold (taking 80% of the second preset threshold, i.e. 80, as an example). The effect of the first preset threshold is described below.
In Fig. 3, the BRAS receives, within the designated time period, a network access message sent by terminal 301 (denoted message a1). The source IP address of message a1 is 10.1.1.2, the IP address of terminal 301, and its destination IP address is 20.1.1.2, the IP address of the Web proxy server. The BRAS finds that terminal 301, which corresponds to IP address 10.1.1.2, has not yet passed Portal authentication, and therefore checks whether the local message statistics table contains a message statistics entry whose source IP address and destination IP address are those of message a1. If not, it adds to the local message statistics table a message statistics entry whose message count is the preset value and whose source IP address and destination IP address are those of message a1. Taking the preset value as 1, Table 1 shows the added message statistics entry:
Index  Source IP address  Destination IP address  Message count
1      10.1.1.2           20.1.1.2                1
Table 1
The BRAS receives, within the designated time period, a network access message sent by terminal 302 (denoted message a2). The source IP address of message a2 is 10.1.1.3, the IP address of terminal 302, and its destination IP address is 50.1.1.2. The BRAS finds that terminal 302, which corresponds to IP address 10.1.1.3, has not yet passed Portal authentication, and therefore checks whether the local message statistics table contains a message statistics entry whose source IP address and destination IP address are those of message a2. If not, it adds to the local message statistics table a message statistics entry whose message count is the preset value and whose source IP address and destination IP address are those of message a2. Taking the preset value as 1 and building on Table 1, Table 2 shows the added message statistics entry:
Index  Source IP address  Destination IP address  Message count
1      10.1.1.2           20.1.1.2                1
2      10.1.1.3           50.1.1.2                1
Table 2
The BRAS receives, within the designated time period, a network access message sent by terminal 303 (denoted message a3). The source IP address of message a3 is 10.1.1.4, the IP address of terminal 303, and its destination IP address is 20.1.1.2. The BRAS finds that terminal 303, which corresponds to IP address 10.1.1.4, has not yet passed Portal authentication, and therefore checks whether the local message statistics table contains a message statistics entry whose source IP address and destination IP address are those of message a3. If not, it adds to the local message statistics table a message statistics entry whose message count is the preset value and whose source IP address and destination IP address are those of message a3. Taking the preset value as 1 and building on Table 2, Table 3 shows the added message statistics entry:
Index  Source IP address  Destination IP address  Message count
1      10.1.1.2           20.1.1.2                1
2      10.1.1.3           50.1.1.2                1
3      10.1.1.4           20.1.1.2                1
Table 3
Suppose that after some time has elapsed within the designated time period, the BRAS receives another network access message sent by terminal 301 (denoted message a4). The source IP address of message a4 is 10.1.1.2, the IP address of terminal 301, and its destination IP address is 20.1.1.2, the IP address of the Web proxy server. The BRAS finds that terminal 301, which corresponds to IP address 10.1.1.2, has still not passed Portal authentication, and then finds that the local message statistics table already contains a message statistics entry whose source IP address and destination IP address are those of message a1 (the same as those of message a4), so it increases the message count in that existing entry by the preset value. Taking the preset value as 1, Table 3 is updated to Table 4:
Index  Source IP address  Destination IP address  Message count
1      10.1.1.2           20.1.1.2                2
2      10.1.1.3           50.1.1.2                1
3      10.1.1.4           20.1.1.2                1
Table 4
And so on; after some further time has elapsed within the designated time period, the local message statistics table is as shown in Table 5:
Index  Source IP address  Destination IP address  Message count
1      10.1.1.2           20.1.1.2                20
2      10.1.1.3           50.1.1.2                30
3      10.1.1.4           20.1.1.2                40
Table 5
Suppose that after some more time has elapsed within the designated time period, Table 5 is updated to Table 6:
Index  Source IP address  Destination IP address  Message count
1      10.1.1.2           20.1.1.2                80
2      10.1.1.3           50.1.1.2                35
3      10.1.1.4           20.1.1.2                55
Table 6
In Table 6, the message count of the message statistics entry with index 1 (denoted message statistics entry 1) is 80, which is exactly the first preset threshold (80). This means that the number of network access messages sent by terminal 301 whose destination IP address is 20.1.1.2, the IP address of the Web proxy server, equals the first preset threshold (80). At this point the BRAS searches the message statistics table in reverse by the destination IP address of message statistics entry 1 (the Web proxy server IP address 20.1.1.2), to find whether any other message statistics entry has the same destination IP address as entry 1. The BRAS finds that the destination IP address of the message statistics entry with index 3 (denoted message statistics entry 3) is the same as that of entry 1, namely 20.1.1.2. This indicates that terminal 303 as well as terminal 301 accessed the Web proxy server at 20.1.1.2 within the designated time period, so the Web proxy server IP address 20.1.1.2 is considered legal: subsequent network access messages whose destination IP address is 20.1.1.2 are all allowed to pass, and message statistics entry 1 is deleted from the local message statistics table. Table 6 is updated to Table 7:
Index  Source IP address  Destination IP address  Message count
1      10.1.1.3           50.1.1.2                35
2      10.1.1.4           20.1.1.2                55
Table 7
Suppose that after some further time has elapsed within the designated time period, Table 7 is updated to Table 8:
Index  Source IP address  Destination IP address  Message count
1      10.1.1.3           50.1.1.2                80
2      10.1.1.4           20.1.1.2                55
Table 8
In Table 8, the message count of the message statistics entry with index 1 is 80, which is exactly the first preset threshold (80). This means that the number of network access messages sent by terminal 302 whose destination IP address is 50.1.1.2 equals the first preset threshold (80). At this point the BRAS searches the message statistics table in reverse by destination IP address 50.1.1.2, to find whether any other message statistics entry has destination IP address 50.1.1.2. It finds that no other message statistics entry in the table has destination IP address 50.1.1.2, so in the disclosure 50.1.1.2 is confirmed to be illegal. As one embodiment, the BRAS generates an anti-attack entry locally, forbids network access messages whose destination IP address is 50.1.1.2 from passing according to that entry, and deletes the message statistics entry with index 1. As another embodiment, the BRAS does not generate an anti-attack entry immediately but waits: once the number of network access messages sent by terminal 302 within the designated time period whose destination IP address is 50.1.1.2 reaches 100, which is exactly the second preset threshold (100), it generates an anti-attack entry locally, forbids network access messages whose destination IP address is 50.1.1.2 from passing according to that entry, and deletes the message statistics entry with index 1.
This completes the description of the embodiment of the disclosure.
From this embodiment it can be seen that in the disclosure, once the number of network access messages sent by a terminal within the designated time period to the same destination IP address equals the first preset threshold, then if more than one terminal accesses that destination IP address, the destination IP address is determined to be a legal address. This effectively ensures that in networking that combines Portal authentication with web proxy, attack defense is still performed while messages (network access messages) that normally access the Web proxy server are not mistakenly blocked, preventing normal network access from failing because of attack defense in such networking and guaranteeing network access for all users.
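The following Python program is an added example written for this page; it is not code from the patent or from H3C. It implements the message statistics table and the step 201/202 logic described above (including both embodiments for the case where no other terminal has sent to the same destination), replays constructed traffic that reproduces the Fig. 3 embodiment (Tables 6 to 8), and, for comparison with the background section, applies the pre-existing per-destination anti-attack entry policy to the same traffic. The class and function names (`Bras`, `naive_anti_attack`, `fig3_traffic`, `run_fig3`), the action strings returned by `handle`, and the terminal 10.1.1.5 used as an already authenticated terminal are assumptions made for the example; the thresholds and addresses are those of the page.

```python
from dataclasses import dataclass, field

# Values taken from the Fig. 3 embodiment on the page
WEB_PROXY_IP = "20.1.1.2"
FIRST_THRESHOLD = 80      # first preset threshold, 80 % of the second
SECOND_THRESHOLD = 100    # second preset threshold of the anti-attack entry policy


@dataclass
class Bras:
    """Per-window BRAS state for the disclosed method (class name is an assumption)."""
    first_threshold: int = FIRST_THRESHOLD
    second_threshold: int = SECOND_THRESHOLD
    defer_to_second: bool = False                     # False: embodiment 1, True: embodiment 2
    authenticated: set = field(default_factory=set)   # terminals that passed Portal
    counts: dict = field(default_factory=dict)        # message statistics table: (src, dst) -> count
    legal: set = field(default_factory=set)           # destination IPs judged legal
    anti_attack: set = field(default_factory=set)     # anti-attack entries, keyed by destination IP

    def handle(self, src: str, dst: str) -> str:
        """Process one network access message and return the action taken."""
        if dst in self.anti_attack:
            return "drop"          # an anti-attack entry blocks every terminal
        if src in self.authenticated:
            return "pass"          # only unauthenticated terminals are counted
        if dst in self.legal:
            return "redirect"      # to Portal; the destination needs no further counting
        # Step 201: count (source, destination) for the unauthenticated terminal
        key = (src, dst)
        self.counts[key] = self.counts.get(key, 0) + 1
        n = self.counts[key]
        if n == self.first_threshold:
            # Step 202: reverse lookup for another terminal that also sent to dst
            shared = any(k[1] == dst and k[0] != src for k in self.counts)
            if shared:
                self.legal.add(dst)          # more than one terminal uses it: legal
                del self.counts[key]         # the entry is no longer needed
            elif not self.defer_to_second:
                self.anti_attack.add(dst)    # embodiment 1: block right away
                del self.counts[key]
        elif self.defer_to_second and n == self.second_threshold:
            self.anti_attack.add(dst)        # embodiment 2: block at the second threshold
            del self.counts[key]
        return "redirect"

    def new_window(self) -> None:
        """Start a new designated time period: the statistics table is cleared."""
        self.counts.clear()


def naive_anti_attack(messages, threshold=SECOND_THRESHOLD):
    """The pre-existing policy from the background: one counter per destination IP,
    regardless of sender, and an anti-attack entry once it reaches the threshold."""
    per_dst, blocked = {}, set()
    for _src, dst in messages:
        per_dst[dst] = per_dst.get(dst, 0) + 1
        if per_dst[dst] >= threshold:
            blocked.add(dst)
    return blocked


def fig3_traffic():
    """Constructed traffic that reaches the page's Table 6 state: terminal 303 (10.1.1.4)
    at 55 toward the proxy, 302 (10.1.1.3) at 35 toward 50.1.1.2, 301 (10.1.1.2) at 80."""
    msgs = [("10.1.1.4", WEB_PROXY_IP)] * 55
    msgs += [("10.1.1.3", "50.1.1.2")] * 35
    msgs += [("10.1.1.2", WEB_PROXY_IP)] * 80
    return msgs


def run_fig3(defer_to_second=False):
    """Replay Tables 6 to 8 and report what the BRAS decided."""
    bras = Bras(defer_to_second=defer_to_second)
    for src, dst in fig3_traffic():
        bras.handle(src, dst)
    result = {
        "proxy_legal": WEB_PROXY_IP in bras.legal,                       # Table 6 -> Table 7
        "entry_301_deleted": ("10.1.1.2", WEB_PROXY_IP) not in bras.counts,
        "entry_303_kept": bras.counts.get(("10.1.1.4", WEB_PROXY_IP)),  # stays at 55
    }
    for _ in range(45):                      # Table 8: terminal 302 alone reaches 80
        bras.handle("10.1.1.3", "50.1.1.2")
    result["blocked_at_80"] = "50.1.1.2" in bras.anti_attack
    for _ in range(20):                      # on to 100, relevant for embodiment 2
        bras.handle("10.1.1.3", "50.1.1.2")
    result["blocked_at_100"] = "50.1.1.2" in bras.anti_attack
    bras.authenticated.add("10.1.1.5")       # assumed terminal that passed Portal
    result["proxy_for_authenticated"] = bras.handle("10.1.1.5", WEB_PROXY_IP)
    return result


if __name__ == "__main__":
    print("pre-existing policy blocks:", naive_anti_attack(fig3_traffic()))
    print("embodiment 1:", run_fig3(defer_to_second=False))
    print("embodiment 2:", run_fig3(defer_to_second=True))
```

Running the script shows the contrast the background section describes: the per-destination policy blocks 20.1.1.2 after 135 messages from two terminals, whereas the disclosed method marks 20.1.1.2 legal at terminal 301's 80th message because terminal 303's entry shares the destination, keeps counting 50.1.1.2 for terminal 302 and generates the anti-attack entry for it at 80 (embodiment 1) or 100 (embodiment 2). Note the design assumption the check rests on: a destination is judged legal solely because a second source address appears against it in the same window, so the decision is only as reliable as the BRAS's confidence in the source addresses it counts.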
The method provided by the disclosure has been described above; the device provided by the disclosure is described below:
Referring to Fig. 4, Fig. 4 is the structural diagram of the device provided by the disclosure. The device is applied to a BRAS and comprises:
a statistics unit, for counting the number of network access messages sent by a first terminal within a designated time period whose destination IP address is a first IP address, the first terminal being one of the terminals that have not been authenticated by the authentication server connected to this BRAS;
an inspection unit, for checking, when the message count equals a first preset threshold, whether other terminals have sent network access messages whose destination IP address is the first IP address within the designated time period;
a network access control unit, for determining that the first IP address is legal when the inspection unit finds that other terminals have sent network access messages whose destination IP address is the first IP address within the designated time period, and allowing the network access messages sent to the first IP address by each other terminal authenticated by the authentication server to pass.
As one embodiment, the NS software unit checks the designated time period in the inspection unit When there are not inside other terminals to send the network access message that purpose IP address is the first IP address, it is further locally generated anti-attack List item is hit, forbids the network that purpose IP address is the first purpose IP address to access message according to the attack protection list item and passes through.
As another embodiment, the NS software unit checks the specified time in the inspection unit When there are not other terminals to send the network access message that purpose IP address is the first IP address in section, continue in the specified time The purpose IP address that the statistics first terminal is sent in section accesses the message amount of message for the network of the first IP address, until Attack protection list item is locally generated when the message amount is equal with the second preset threshold in the designated time period, according to institute Stating attack protection list item forbids the network access message that purpose IP address is the first purpose IP address to pass through, second preset threshold Greater than first preset threshold, the network that purpose IP address is the first purpose IP address is forbidden to visit according to the attack protection list item Ask that message passes through.
In one embodiment, the statistics unit counting the number of network access messages sent by the first terminal within the designated time period with destination IP address the first IP address comprises:
when a network access message sent by the first terminal with destination IP address the first IP address is received within the designated time period, checking whether the local counting table contains a first counting entry whose source IP address and destination IP address are respectively the source IP address and destination IP address of the received network access message;
if so, increasing the message count in the first counting entry by a preset value;
if not, adding to the local counting table a first counting entry whose message count is the preset value and whose source IP address and destination IP address are respectively the source IP address and destination IP address of the received network access message.
In one embodiment, the statistics unit is further used to delete the first counting entry from the local counting table when the inspection unit finds that other terminals send network access messages with destination IP address the first IP address within the designated time period.
This completes the structural diagram of the device shown in Fig. 4.
Correspondingly, the disclosure also provides a hardware structure diagram of the device shown in Fig. 4. As shown in Fig. 5, the hardware structure may include a machine-readable storage medium and a processor, where:
the machine-readable storage medium stores instruction code;
the processor communicates with the machine-readable storage medium, and reads and executes the instruction code stored in the machine-readable storage medium to implement the network access method disclosed in the foregoing examples of the disclosure.
This completes the hardware structure diagram of the device shown in Fig. 5.
In the disclosure, the machine-readable storage medium may be any electronic, magnetic, optical or other physical storage device, and may contain or store information such as executable instructions and data. For example, the machine-readable storage medium may be RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (such as a hard disk drive), a solid-state drive, any type of storage disc (such as a CD or DVD) or a similar storage medium, or a combination of these.
The devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or entity, or by a product having a certain function. A typical implementing device is a computer, which may take the form of a personal computer, laptop computer, cellular phone, camera phone, smart phone, personal digital assistant, media player, navigation device, e-mail transceiver, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above device is described as divided into various units by function. Of course, when implementing the disclosure, the functions of the units may be realized in one or more pieces of software and/or hardware.
Those skilled in the art should understand that embodiments of the disclosure may be provided as a method, a system or a computer program product. Accordingly, the disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the disclosure may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
The disclosure is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the disclosure. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realizing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which realizes the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for realizing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
The foregoing is merely the preferred embodiments of the disclosure and is not intended to limit the disclosure; any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the disclosure shall be included within the scope of protection of the disclosure.

Claims (10)

1. A network access method, characterized in that the method is applied to a Broadband Remote Access Server (BRAS) and comprises:
counting the number of network access messages sent by a first terminal within a designated time period whose destination IP address is a first IP address, the first terminal being one of the terminals not authenticated by the authentication server connected to this BRAS;
if the message count equals a first preset threshold, checking whether any other terminal sends network access messages with destination IP address the first IP address within the designated time period;
when it is found that other terminals send network access messages with destination IP address the first IP address within the designated time period, determining that the first IP address is legal, and allowing network access messages with destination IP address the first IP address sent by each other terminal authenticated by the authentication server to pass.
2. The method according to claim 1, characterized in that when it is found that no other terminal sends network access messages with destination IP address the first IP address within the designated time period, the method comprises:
locally generating an attack-protection entry, so as to forbid, according to the attack-protection entry, network access messages with destination IP address the first IP address from passing.
3. The method according to claim 1, characterized in that when it is found that no other terminal sends network access messages with destination IP address the first IP address within the designated time period, the method comprises:
continuing to count, within the designated time period, the number of network access messages sent by the first terminal with destination IP address the first IP address, until the message count equals a second preset threshold within the designated time period, and then locally generating an attack-protection entry, so as to forbid, according to the attack-protection entry, network access messages with destination IP address the first IP address from passing; the second preset threshold is greater than the first preset threshold.
4. The method according to any one of claims 1 to 3, characterized in that said counting the number of network access messages sent by the first terminal within the designated time period with destination IP address the first IP address comprises:
when a network access message sent by the first terminal with destination IP address the first IP address is received within the designated time period, checking whether the local counting table contains a first counting entry whose source IP address and destination IP address are respectively the source IP address and destination IP address of the received network access message;
if so, increasing the message count in the first counting entry by a preset value;
if not, adding to the local counting table a first counting entry whose message count is the preset value and whose source IP address and destination IP address are respectively the source IP address and destination IP address of the received network access message.
5. The method according to claim 4, characterized in that when it is found that other terminals send network access messages with destination IP address the first IP address within the designated time period, the method further comprises: deleting the first counting entry from the local counting table.
6. The method according to claim 4, characterized in that said checking whether any other terminal sends network access messages with destination IP address the first IP address within the designated time period comprises:
searching, among the counting entries of the local counting table other than the first counting entry, for another counting entry whose destination IP address is the first IP address;
if found, determining that other terminals send network access messages with destination IP address the first IP address within the designated time period;
if not found, determining that no other terminal sends network access messages with destination IP address the first IP address within the designated time period.
7. A network access device, characterized in that the device is applied to a Broadband Remote Access Server (BRAS) and comprises:
a statistics unit, for counting the number of network access messages sent by a first terminal within a designated time period whose destination IP address is a first IP address, the first terminal being one of the terminals not authenticated by the authentication server connected to this BRAS;
an inspection unit, for checking, when the message count equals a first preset threshold, whether any other terminal sends network access messages with destination IP address the first IP address within the designated time period;
a network access control unit, for determining that the first IP address is legal when the inspection unit finds that other terminals send network access messages with destination IP address the first IP address within the designated time period, and allowing network access messages with destination IP address the first IP address sent by each other terminal authenticated by the authentication server to pass.
8. The device according to claim 7, characterized in that when the inspection unit finds that no other terminal sends network access messages with destination IP address the first IP address within the designated time period, the network access control unit further locally generates an attack-protection entry; or alternatively continues to count, within the designated time period, the number of network access messages sent by the first terminal with destination IP address the first IP address, until the message count equals a second preset threshold within the designated time period, and then locally generates an attack-protection entry, the second preset threshold being greater than the first preset threshold;
and forbids, according to the attack-protection entry, network access messages with destination IP address the first IP address from passing.
9. The device according to claim 7 or 8, characterized in that the statistics unit counting the number of network access messages sent by the first terminal within the designated time period with destination IP address the first IP address comprises:
when a network access message sent by the first terminal with destination IP address the first IP address is received within the designated time period, checking whether the local counting table contains a first counting entry whose source IP address and destination IP address are respectively the source IP address and destination IP address of the received network access message;
if so, increasing the message count in the first counting entry by a preset value;
if not, adding to the local counting table a first counting entry whose message count is the preset value and whose source IP address and destination IP address are respectively the source IP address and destination IP address of the received network access message.
10. The device according to claim 9, characterized in that the statistics unit is further used to delete the first counting entry from the local counting table when the inspection unit finds that other terminals send network access messages with destination IP address the first IP address within the designated time period.
Application: CN201810827488.3A, priority date and filing date 2018-07-25, title "Network access method and device", status Active, family ID 64645221.

Publications:
CN109040046A (application), published 2018-12-18
CN109040046B (grant), published 2021-01-26



Legal Events

PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right, effective date of registration 20230626
Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd., 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466
Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd., 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province