CN109040046A - Network access method and device - Google Patents
Network access method and device
- Publication number: CN109040046A (application CN201810827488.3A)
- Authority: CN (China)
- Prior art keywords: address, message, network, list item, time period
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/08—for authentication of entities
        - H04L63/02—for separating internal from external traffic, e.g. firewalls
          - H04L63/0281—Proxies
        - H04L63/10—for controlling access to devices or network resources
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/01—Protocols
          - H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The present disclosure provides a network access method and device. When a BRAS detects that the number of network access messages sent by an unauthenticated first terminal within a designated time period to a destination IP address equal to a first IP address is equal to a first preset threshold, it checks whether any other terminal has also sent network access messages to the first IP address within the same time period. If another terminal has, the first IP address is determined to be legal, and network access messages to the first IP address sent by each authenticated terminal are allowed to pass. In a network where Portal authentication is combined with a web proxy, this lets the BRAS enforce network-attack protection without mistakenly blocking legitimate messages to the web proxy server, so that the attack protection does not cause normal network access to fail.
Description
Technical field
This disclosure relates to network communication technology, and in particular to a network access method and device.
Background technique
Portal authentication, also called web authentication: before a terminal has passed Portal authentication it cannot actually access the network; after it has passed Portal authentication it may access the authorized network to obtain network resource information.
A web proxy means that a web server accesses the network on behalf of each terminal to obtain network resource information; in this way the network access is protected from attack by the external network.
Fig. 1 shows a network in which Portal authentication is combined with a web proxy. As shown in Fig. 1, terminal 101 sends an HTTP message when it accesses the network. The HTTP message passes through switching devices 102 and 103 and reaches the Broadband Remote Access Server (BRAS). The BRAS receives the HTTP message, finds that terminal 101, which sent it, has not passed Portal authentication, and therefore forces terminal 101 to access the BRAS authentication server and perform Portal authentication. After terminal 101 has passed Portal authentication, its network access traffic is redirected to the web server, which acts as its proxy.
Summary of the invention
The present disclosure provides a network access method and device, to prevent network-attack protection from causing normal network access to fail in a network where Portal authentication is combined with a web proxy.
The technical solution provided by the present disclosure includes:
A network access method applied to a BRAS, comprising:
counting the number of network access messages sent by a first terminal within a designated time period whose destination IP address is a first IP address, the first terminal being one of the terminals that have not been authenticated by the authentication server connected to this BRAS;
if the message count is equal to a first preset threshold, checking whether any other terminal has sent, within the designated time period, a network access message whose destination IP address is the first IP address;
when it is found that another terminal has sent, within the designated time period, a network access message whose destination IP address is the first IP address, determining that the first IP address is legal and allowing network access messages whose destination IP address is the first IP address, sent by each of the other terminals authenticated by the authentication server, to pass.
A network access device applied to a BRAS, comprising:
a statistics unit, for counting the number of network access messages sent by a first terminal within a designated time period whose destination IP address is a first IP address, the first terminal being one of the terminals that have not been authenticated by the authentication server connected to this BRAS;
a checking unit, for checking, when the message count is equal to a first preset threshold, whether any other terminal has sent, within the designated time period, a network access message whose destination IP address is the first IP address;
a network access control unit, for determining, when the checking unit finds that another terminal has sent such a message within the designated time period, that the first IP address is legal, and allowing network access messages whose destination IP address is the first IP address, sent by each of the other terminals authenticated by the authentication server, to pass.
As can be seen from the above technical solution, when the BRAS detects that the number of network access messages sent by an unauthenticated first terminal within the designated time period to the first IP address is equal to the first preset threshold, it checks whether any other terminal has sent a network access message to the first IP address within the designated time period. If so, the first IP address is determined to be legal and network access messages to the first IP address sent by each authenticated terminal are allowed to pass. In a network where Portal authentication is combined with a web proxy, network-attack protection is thus enforced without mistakenly blocking legitimate messages (network access messages) to the web proxy server, which prevents the attack protection from causing normal network access to fail.
Detailed description of the invention
The drawings herein are incorporated into and form part of this specification; they show embodiments consistent with the disclosure and, together with the specification, explain its principles.
Fig. 1 is a schematic diagram of a network in which Portal authentication is combined with a web proxy;
Fig. 2 is the method flow chart provided by the disclosure;
Fig. 3 is a schematic diagram of the embodiment network provided by the disclosure;
Fig. 4 is a schematic diagram of the device structure provided by the disclosure;
Fig. 5 is a hardware structure diagram of the device shown in Fig. 4.
Specific embodiment
In a network where Portal authentication is combined with a web proxy, Portal authentication is triggered by HTTP messages, and HTTP messages may themselves be a network attack. To guard against such attacks, a BRAS can be configured locally with anti-attack entries. The purpose of an anti-attack entry is: when the number of HTTP messages accessing a certain destination IP address reaches a set threshold, further HTTP messages to that destination IP address are forbidden. However, in a network where Portal authentication is combined with a web proxy, the web server accesses the network on behalf of every terminal, so the destination IP address of every terminal's network access is the IP address of the web server (denoted IP100). The number of HTTP messages whose destination IP address is IP100 (the web server's IP address) therefore reaches the set threshold, an anti-attack entry is generated, and from then on no terminal can reach the web proxy server, so even terminals that have passed Portal authentication cannot access the network normally.
To prevent network-attack protection from causing normal network access to fail in a network where Portal authentication is combined with a web proxy, this application provides the process shown in Fig. 2.
Referring to Fig. 2, the method flow chart provided by the disclosure. The process is applied to a BRAS and, as shown in Fig. 2, can comprise the following steps:
Step 201: count the number of network access messages sent by a first terminal within a designated time period whose destination IP address is a first IP address.
In this disclosure, "first terminal", "first IP address" and "first preset threshold" are names used only for ease of description and are not limiting. The first terminal is one of the terminals that have not been authenticated by the authentication server connected to this BRAS (for example a Portal authentication server); the first IP address is any network IP address. The first preset threshold is configured according to actual needs. Because the existing anti-attack entry policy generates an anti-attack entry when the message count within the designated time period reaches its configured threshold, the first preset threshold here is smaller than the threshold configured in the existing anti-attack entry policy (which may be denoted the second preset threshold). This is described in detail below and not repeated here.
In this disclosure, as one embodiment, the network access message may be an HTTP message, and the authentication referred to is Portal authentication.
Step 202: if the message count is equal to the first preset threshold, check whether any other terminal has sent, within the designated time period, a network access message whose destination IP address is the first IP address; when it is found that another terminal has, determine that the first IP address is legal and allow network access messages whose destination IP address is the first IP address, sent by each of the other terminals authenticated by the authentication server, to pass.
In this disclosure, when it is found that no other terminal has sent a network access message to the first IP address within the designated time period, then, as one embodiment, an anti-attack entry is generated locally and network access messages whose destination IP address is the first IP address are forbidden to pass according to that entry. Alternatively, the BRAS continues, within the designated time period, to count the network access messages sent by the first terminal to the first IP address, and generates the anti-attack entry locally only when that count within the designated time period is equal to a second preset threshold, which is greater than the first preset threshold; network access messages whose destination IP address is the first IP address are then forbidden to pass according to the anti-attack entry.
In this disclosure, when more than one terminal accesses the same IP address within the same time period (taking the first IP address above as an example), this indicates that the first IP address is very likely the IP address of the web proxy server, i.e. a normal, legitimate address. In that case, regardless of whether the number of network access messages to the first IP address within the designated time period reaches the second preset threshold above, no anti-attack entry is issued for the first IP address; instead the first IP address is determined to be legal and network access messages to it sent by each authenticated terminal are allowed to pass. In a network where Portal authentication is combined with a web proxy, network-attack protection is thus enforced without mistakenly blocking legitimate messages (network access messages) to the web proxy server, which prevents the attack protection from causing normal network access to fail.
This completes the process shown in Fig. 2.
It can be seen from the process shown in Fig. 2 that, in this disclosure, when the BRAS detects that the number of network access messages sent by an unauthenticated first terminal within the designated time period to the first IP address is equal to the first preset threshold, it checks whether any other terminal has sent a network access message to the first IP address within the designated time period. If so, the first IP address is determined to be legal and network access messages to the first IP address sent by each authenticated terminal are allowed to pass. In a network where Portal authentication is combined with a web proxy, network-attack protection is thus enforced without mistakenly blocking legitimate messages (network access messages) to the web proxy server, which prevents the attack protection from causing normal network access to fail.
In this disclosure, as one embodiment, counting in step 201 the network access messages sent by the first terminal within the designated time period whose destination IP address is the first IP address may include: when such a message is received within the designated time period, checking whether the local message statistics table contains a first message statistics entry whose source IP address and destination IP address are respectively the source IP address and destination IP address of the received network access message; if so, increasing the message count in the first message statistics entry by a preset value; if not, adding to the local message statistics table a first message statistics entry in which the message count is the preset value and the source and destination IP addresses are those of the received network access message. The count of network access messages sent by the first terminal within the designated time period to the first IP address is thus maintained in the first message statistics entry. It should be noted that the preset value may be, for example, 1 or another value; this application does not limit it.
The above describes only how the network access messages sent by the first terminal within the designated time period to the first IP address are counted; the counting for network access messages sent by each other unauthenticated terminal within the designated time period is similar. Consequently the local message statistics table of the BRAS contains a message statistics entry for each unauthenticated terminal (including the first terminal).
Based on the local message statistics table, checking in step 202 whether any other terminal has sent, within the designated time period, a network access message whose destination IP address is the first IP address includes:
searching, among the message statistics entries in the local message statistics table other than the first message statistics entry, for entries whose destination IP address is the first IP address;
if such an entry is found, determining that another terminal has sent, within the designated time period, a network access message whose destination IP address is the first IP address;
if no such entry is found, determining that no other terminal has sent, within the designated time period, a network access message whose destination IP address is the first IP address.
In this application, when it is found that another terminal has sent, within the designated time period, a network access message whose destination IP address is the first IP address, then, as described in step 202, the first IP address is directly determined to be legal, and network access messages whose destination IP address is the first IP address, sent by each of the other terminals authenticated by the authentication server, are allowed to pass. At that point the count of network access messages sent by the first terminal within the designated time period to the first IP address (equal to the first preset threshold) is no longer useful, so to save resources it can be deleted. In terms of the message statistics table above, the first message statistics entry can be deleted.
The disclosure is described below through a specific embodiment:
Referring to Fig. 3, the embodiment network diagram provided by the disclosure. In Fig. 3, the IP address of terminal 301 is 10.1.1.2, the IP address of terminal 302 is 10.1.1.3, the IP address of terminal 303 is 10.1.1.4, and the IP address of the web proxy server is 20.1.1.2.
In Fig. 3, the BRAS is configured with an anti-attack entry policy, which means: when the number of messages accessing a certain IP address within the designated time period reaches the second preset threshold (100), an anti-attack entry is generated for that IP address.
The BRAS is also provided with a first preset threshold (80% of the second preset threshold, i.e. 80, in this example). The role of the first preset threshold is described below.
In Fig. 3, within the designated time period the BRAS receives a network access message sent by terminal 301 (denoted message a1). The source IP address of message a1 is the IP address of terminal 301, 10.1.1.2, and its destination IP address is the IP address of the web proxy server, 20.1.1.2. The BRAS finds that terminal 301 (IP address 10.1.1.2) has not yet passed Portal authentication, so it checks whether the local message statistics table contains an entry whose source and destination IP addresses are those of message a1. It does not, so the BRAS adds an entry in which the message count is the preset value and the source and destination IP addresses are those of message a1. Taking the preset value as 1, table 1 shows the added entry:

| Index | Source IP address | Destination IP address | Message count |
|---|---|---|---|
| 1 | 10.1.1.2 | 20.1.1.2 | 1 |

Table 1
Within the designated time period the BRAS receives a network access message sent by terminal 302 (denoted message a2). The source IP address of message a2 is the IP address of terminal 302, 10.1.1.3, and its destination IP address is 50.1.1.2. The BRAS finds that terminal 302 (IP address 10.1.1.3) has not yet passed Portal authentication, so it checks whether the local message statistics table contains an entry whose source and destination IP addresses are those of message a2. It does not, so the BRAS adds an entry in which the message count is the preset value and the source and destination IP addresses are those of message a2. Taking the preset value as 1, table 2 shows table 1 with the added entry:

| Index | Source IP address | Destination IP address | Message count |
|---|---|---|---|
| 1 | 10.1.1.2 | 20.1.1.2 | 1 |
| 2 | 10.1.1.3 | 50.1.1.2 | 1 |

Table 2
Within the designated time period the BRAS receives a network access message sent by terminal 303 (denoted message a3). The source IP address of message a3 is the IP address of terminal 303, 10.1.1.4, and its destination IP address is 20.1.1.2. The BRAS finds that terminal 303 (IP address 10.1.1.4) has not yet passed Portal authentication, so it checks whether the local message statistics table contains an entry whose source and destination IP addresses are those of message a3. It does not, so the BRAS adds an entry in which the message count is the preset value and the source and destination IP addresses are those of message a3. Taking the preset value as 1, table 3 shows table 2 with the added entry:

| Index | Source IP address | Destination IP address | Message count |
|---|---|---|---|
| 1 | 10.1.1.2 | 20.1.1.2 | 1 |
| 2 | 10.1.1.3 | 50.1.1.2 | 1 |
| 3 | 10.1.1.4 | 20.1.1.2 | 1 |

Table 3
Suppose that, after some time has elapsed within the designated time period, the BRAS receives another network access message sent by terminal 301 (denoted message a4). The source IP address of message a4 is the IP address of terminal 301, 10.1.1.2, and its destination IP address is the IP address of the web proxy server, 20.1.1.2. The BRAS finds that terminal 301 (IP address 10.1.1.2) has still not passed Portal authentication, checks the local message statistics table, and finds the entry whose source and destination IP addresses match those of message a4 (the entry created for message a1). It therefore increases the message count in that entry by the preset value. Taking the preset value as 1, table 3 is updated to table 4:

| Index | Source IP address | Destination IP address | Message count |
|---|---|---|---|
| 1 | 10.1.1.2 | 20.1.1.2 | 2 |
| 2 | 10.1.1.3 | 50.1.1.2 | 1 |
| 3 | 10.1.1.4 | 20.1.1.2 | 1 |

Table 4
Continuing in this way, after a further period of time within the designated time period the local message statistics table is as shown in table 5:

| Index | Source IP address | Destination IP address | Message count |
|---|---|---|---|
| 1 | 10.1.1.2 | 20.1.1.2 | 20 |
| 2 | 10.1.1.3 | 50.1.1.2 | 30 |
| 3 | 10.1.1.4 | 20.1.1.2 | 40 |

Table 5
Suppose that, after yet more time has elapsed within the designated time period, table 5 has been updated to table 6:

| Index | Source IP address | Destination IP address | Message count |
|---|---|---|---|
| 1 | 10.1.1.2 | 20.1.1.2 | 80 |
| 2 | 10.1.1.3 | 50.1.1.2 | 35 |
| 3 | 10.1.1.4 | 20.1.1.2 | 55 |

Table 6
In table 6, the message count in the entry with index 1 (denoted message statistics entry 1) is 80, exactly the first preset threshold (80). This means that the number of network access messages sent by terminal 301 to the web proxy server's IP address 20.1.1.2 is equal to the first preset threshold (80). The BRAS therefore takes the destination IP address of message statistics entry 1, i.e. the web proxy server IP address 20.1.1.2, and searches the message statistics table in reverse for other entries with that destination IP address. It finds that the destination IP address of the entry with index 3 (denoted message statistics entry 3) is also the web proxy server IP address 20.1.1.2, which means that terminal 303 as well as terminal 301 has accessed the web proxy server's IP address 20.1.1.2 within the designated time period. The BRAS therefore considers the web proxy server's IP address 20.1.1.2 legal: subsequent network access messages whose destination IP address is 20.1.1.2 are all allowed to pass, and message statistics entry 1 is deleted from the local message statistics table. Table 6 is updated to table 7:

| Index | Source IP address | Destination IP address | Message count |
|---|---|---|---|
| 1 | 10.1.1.3 | 50.1.1.2 | 35 |
| 2 | 10.1.1.4 | 20.1.1.2 | 55 |

Table 7
Suppose that, after further time within the designated time period, table 7 has been updated to table 8:

| Index | Source IP address | Destination IP address | Message count |
|---|---|---|---|
| 1 | 10.1.1.3 | 50.1.1.2 | 80 |
| 2 | 10.1.1.4 | 20.1.1.2 | 55 |

Table 8
In table 8, the message count in the entry with index 1 is 80, exactly the first preset threshold (80). This means that the number of network access messages sent by terminal 302 to destination IP address 50.1.1.2 is equal to the first preset threshold (80). The BRAS therefore searches the message statistics table in reverse by destination IP address 50.1.1.2, to find whether any other entry has 50.1.1.2 as its destination IP address. It finds that no other entry in the message statistics table has destination IP address 50.1.1.2, so in this disclosure 50.1.1.2 can be confirmed illegal. As one embodiment, the BRAS generates an anti-attack entry locally, forbids network access messages whose destination IP address is 50.1.1.2 to pass according to that entry, and deletes the message statistics entry with index 1. As another embodiment, the BRAS does not generate the anti-attack entry immediately but waits: once the number of network access messages sent by terminal 302 within the designated time period to destination IP address 50.1.1.2 reaches 100, exactly the second preset threshold (100), it generates the anti-attack entry locally, forbids network access messages whose destination IP address is 50.1.1.2 to pass according to that entry, and deletes the message statistics entry with index 1.
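The per-terminal counting of step 201, the reverse lookup of step 202 and the two embodiments for the uncorroborated case, modelled in Python as an added example that is not part of the patent and not any BRAS vendor's code. The message sequence is constructed to reproduce tables 1 to 8 of the Fig. 3 embodiment (thresholds 80 and 100 and the addresses 10.1.1.2 to 10.1.1.4, 20.1.1.2 and 50.1.1.2 are taken from the page); the class names `Bras` and `Entry`, the decision labels `pass`, `portal`, `legal`, `blocked` and `drop`, and the `naive_policy_blocks` comparison with the background section's per-destination policy are my own assumptions.

```python
# Added illustration, not code from the patent or any BRAS vendor: a minimal model of
# the message statistics table and the two-threshold check of steps 201/202.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

PRESET = 1  # value added per counted message (the page uses 1 as its example)


@dataclass
class Entry:
    """One message statistics entry: source IP, destination IP, message count."""
    src: str
    dst: str
    count: int = 0


@dataclass
class Bras:
    first_threshold: int           # T1, 80 in the embodiment (80% of T2)
    second_threshold: int          # T2, 100: the existing anti-attack policy threshold
    block_at_first: bool = True    # True: block at T1 without corroboration; False: wait for T2
    authenticated: Set[str] = field(default_factory=set)  # terminals past Portal
    table: List[Entry] = field(default_factory=list)      # message statistics table
    legal: Set[str] = field(default_factory=set)          # destinations deemed legal
    blocked: Set[str] = field(default_factory=set)        # anti-attack entries, by dst

    def snapshot(self) -> List[Tuple[str, str, int]]:
        """Rows in index order as (src, dst, count), like the page's tables."""
        return [(e.src, e.dst, e.count) for e in self.table]

    def _corroborated(self, dst: str, src: str) -> bool:
        """Reverse lookup of step 202: does another terminal's entry reach dst?"""
        return any(e.dst == dst and e.src != src for e in self.table)

    def handle(self, src: str, dst: str) -> str:
        """Process one network access message and return the BRAS decision."""
        if dst in self.blocked:
            return "drop"       # an anti-attack entry is in force for this destination
        if src in self.authenticated:
            return "pass"       # authenticated terminals are proxied, never counted
        if dst in self.legal:
            return "portal"     # destination already deemed legal: not counted
        # Step 201: find or create the (src, dst) entry and add the preset value.
        entry = next((e for e in self.table if e.src == src and e.dst == dst), None)
        if entry is None:
            entry = Entry(src, dst)
            self.table.append(entry)
        entry.count += PRESET
        # Step 202: at T1, look for other terminals reaching the same destination.
        if entry.count == self.first_threshold:
            if self._corroborated(dst, src):
                self.table.remove(entry)       # count no longer needed (saves resources)
                self.legal.add(dst)            # e.g. the web proxy 20.1.1.2
                return "legal"
            if self.block_at_first:
                self.table.remove(entry)
                self.blocked.add(dst)          # first embodiment: block at T1
                return "blocked"
        if entry.count == self.second_threshold:
            self.table.remove(entry)
            self.blocked.add(dst)              # second embodiment: block at T2
            return "blocked"
        return "portal"                        # force Portal authentication, as in Fig. 1


def embodiment_messages() -> List[Tuple[str, str]]:
    """Constructed (src, dst) sequence that reproduces tables 1 to 8 of Fig. 3."""
    proxy, other = "20.1.1.2", "50.1.1.2"
    t301, t302, t303 = "10.1.1.2", "10.1.1.3", "10.1.1.4"
    msgs = [(t301, proxy), (t302, other), (t303, proxy)]  # a1, a2, a3 -> table 3
    msgs += [(t302, other)] * 34       # terminal 302 reaches 35
    msgs += [(t303, proxy)] * 54       # terminal 303 reaches 55
    msgs += [(t301, proxy)] * 79       # terminal 301 reaches 80 -> table 6, then table 7
    msgs += [(t302, other)] * 65       # terminal 302 reaches 80 (table 8), then 100
    return msgs


def run_embodiment(block_at_first: bool) -> dict:
    """Replay the sequence, recording every decision and two table snapshots."""
    bras = Bras(first_threshold=80, second_threshold=100, block_at_first=block_at_first)
    decisions, tables = [], {}
    for i, (src, dst) in enumerate(embodiment_messages()):
        decisions.append(bras.handle(src, dst))
        if i == 2:
            tables["table3"] = bras.snapshot()
        if i == 169:                   # the 80th message from terminal 301
            tables["table7"] = bras.snapshot()
    return {"decisions": decisions, "tables": tables,
            "legal": set(bras.legal), "blocked": set(bras.blocked)}


def naive_policy_blocks(messages: List[Tuple[str, str]], threshold: int) -> Set[str]:
    """The background's pre-existing policy: block any destination whose aggregate
    message count (all terminals together) reaches the threshold."""
    totals: Dict[str, int] = {}
    for _src, dst in messages:
        totals[dst] = totals.get(dst, 0) + 1
    return {dst for dst, n in totals.items() if n >= threshold}
```

Running `run_embodiment(True)` and `run_embodiment(False)` shows the difference between the two embodiments only for the uncorroborated destination 50.1.1.2 (blocked at message 80 versus message 100); in both modes 20.1.1.2 is deemed legal because terminal 303's entry corroborates it. `naive_policy_blocks(embodiment_messages(), 100)` returns both destinations, reproducing the false positive described in the background section: 135 messages to the web proxy cross the aggregate threshold even though no single terminal is attacking it.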
This completes the description of the embodiment of the disclosure.
It can be seen from this embodiment that, in this disclosure, once the number of network access messages sent by a terminal within the designated time period to the same destination IP address is equal to the first preset threshold, the destination IP address is determined to be a legal address if more than one terminal has accessed it. In a network where Portal authentication is combined with a web proxy, this ensures that network-attack protection is enforced without mistakenly blocking legitimate messages (network access messages) to the web proxy server, prevents the attack protection from causing normal network access to fail, and so guarantees network access for all users.
The method provided by the disclosure has been described above; the device provided by the disclosure is described below:
Referring to Fig. 4, the device structure diagram provided by the disclosure. The device is applied to a BRAS and comprises:
a statistics unit, for counting the number of network access messages sent by a first terminal within a designated time period whose destination IP address is a first IP address, the first terminal being one of the terminals that have not been authenticated by the authentication server connected to this BRAS;
a checking unit, for checking, when the message count is equal to a first preset threshold, whether any other terminal has sent, within the designated time period, a network access message whose destination IP address is the first IP address;
a network access control unit, for determining, when the checking unit finds that another terminal has sent such a message within the designated time period, that the first IP address is legal, and allowing network access messages whose destination IP address is the first IP address, sent by each of the other terminals authenticated by the authentication server, to pass.
As one embodiment, when the inspection unit finds that no other terminal has sent a network access message whose destination IP address is the first IP address within the designated time period, the network access control unit further generates an attack protection entry locally, and forbids network access messages whose destination IP address is the first IP address to pass according to that attack protection entry.
As another embodiment, when the inspection unit finds that no other terminal has sent a network access message whose destination IP address is the first IP address within the designated time period, the network access control unit continues to count, within the designated time period, the network access messages whose destination IP address is the first IP address sent by the first terminal, until the message count equals a second preset threshold within the designated time period; it then generates an attack protection entry locally and forbids network access messages whose destination IP address is the first IP address to pass according to that attack protection entry. The second preset threshold is greater than the first preset threshold.
As one embodiment, the statistics unit counting the number of network access messages whose destination IP address is the first IP address sent by the first terminal within the designated time period comprises:
when a network access message sent by the first terminal whose destination IP address is the first IP address is received within the designated time period, checking whether the local message counting table contains a first message counting entry whose source IP address and destination IP address are respectively the source IP address and destination IP address of the received network access message;
if so, increasing the message count in the first message counting entry by a preset value;
if not, adding to the local message counting table a first message counting entry whose message count is the preset value and whose source IP address and destination IP address are respectively the source IP address and destination IP address of the received network access message.
As one embodiment, the statistics unit is further configured to delete the first message counting entry from the local message counting table when the inspection unit finds that other terminals have sent network access messages whose destination IP address is the first IP address within the designated time period.
This completes the description of the structural diagram of the device shown in Fig. 4.
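The counting, inspection and blocking behaviour of the three units described above can be followed as one decision procedure. The Python below is an added illustration written for this page, not code from the patent or from its assignee; the class and method names, the threshold values (3 and 5), the 60-second period, the sample addresses, and the assumption that the attack protection entry is enforced on the traffic from unauthenticated terminals are all constructed here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample addresses from documentation ranges; not values from the patent.
PROXY_IP = "203.0.113.10"    # a web proxy that several terminals reach
ATTACK_IP = "198.51.100.7"   # a destination only one unauthenticated terminal keeps hitting


@dataclass
class AntiAttackBras:
    """Model of the statistics, inspection and access-control units (hypothetical names)."""
    first_threshold: int = 3          # "first preset threshold" (constructed value)
    second_threshold: int = 5         # "second preset threshold", must exceed the first
    window: float = 60.0              # the "designated time period", in seconds (constructed)
    block_immediately: bool = True    # True: block at the first threshold; False: wait for the second
    # local message counting table: (src_ip, dst_ip) -> [message count, period start]
    counters: Dict[Tuple[str, str], List[float]] = field(default_factory=dict)
    # local attack protection table: destination IPs whose messages are forbidden
    attack_protection: Set[str] = field(default_factory=set)

    def _others_seen(self, src: str, dst: str) -> bool:
        """Inspection unit: does any counting entry other than the first terminal's
        own entry carry the same destination IP address?"""
        return any(d == dst and s != src for (s, d) in self.counters)

    def handle(self, src: str, dst: str, now: float) -> str:
        """Process one network access message from an unauthenticated terminal and
        return the action taken: 'drop', 'count', 'legal', 'suspect' or 'blocked'."""
        # Assumption: the attack protection entry is enforced on the unauthenticated
        # traffic the BRAS is policing here.
        if dst in self.attack_protection:
            return "drop"
        key = (src, dst)
        entry = self.counters.get(key)
        if entry is None or now - entry[1] >= self.window:
            # no entry yet, or the previous period has elapsed: start a fresh count
            entry = [0, now]
            self.counters[key] = entry
        entry[0] += 1                     # "increase the message count by the preset value" (1)
        count = int(entry[0])
        if count == self.first_threshold:
            if self._others_seen(src, dst):
                # other terminals reach this destination too: treat it as legitimate
                # and delete the first terminal's counting entry
                del self.counters[key]
                return "legal"
            if self.block_immediately:
                self.attack_protection.add(dst)
                return "blocked"
            return "suspect"              # keep counting toward the second threshold
        if not self.block_immediately and count == self.second_threshold:
            self.attack_protection.add(dst)
            return "blocked"
        return "count"


def proxy_scenario() -> List[str]:
    """Two unauthenticated terminals reach the same proxy: it must not be blocked."""
    bras = AntiAttackBras()
    return [bras.handle("10.0.0.1", PROXY_IP, 0.0),
            bras.handle("10.0.0.1", PROXY_IP, 1.0),
            bras.handle("10.0.0.2", PROXY_IP, 2.0),
            bras.handle("10.0.0.1", PROXY_IP, 3.0)]


def attack_scenario(block_immediately: bool) -> List[str]:
    """One terminal alone hammers a destination; compare the two blocking variants."""
    bras = AntiAttackBras(block_immediately=block_immediately)
    return [bras.handle("10.0.0.3", ATTACK_IP, float(t)) for t in range(6)]


def window_scenario() -> int:
    """A message after the period has elapsed restarts the count for that entry."""
    bras = AntiAttackBras()
    bras.handle("10.0.0.4", ATTACK_IP, 0.0)
    bras.handle("10.0.0.4", ATTACK_IP, 1.0)
    bras.handle("10.0.0.4", ATTACK_IP, 100.0)   # past the 60 s period
    return int(bras.counters[("10.0.0.4", ATTACK_IP)][0])


if __name__ == "__main__":
    print("proxy   :", proxy_scenario())
    print("immediate:", attack_scenario(True))
    print("delayed :", attack_scenario(False))
    print("restarted count:", window_scenario())
```

The inspection step only sees other terminals whose counting entries exist within the same period, so a proxy that no other terminal has reached during that period would be blocked by the immediate variant; that is the gap the second-threshold embodiment narrows. As on the page, the other-terminal check runs only when the first threshold is reached; it is not repeated at the second threshold.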
Correspondingly, the disclosure also provides a hardware structure diagram of the device shown in Fig. 4. As shown in Fig. 5, the hardware structure may comprise a machine-readable storage medium and a processor, wherein:
the machine-readable storage medium stores instruction code;
the processor communicates with the machine-readable storage medium, and reads and executes the instruction code stored in the machine-readable storage medium so as to implement the network access method disclosed in the examples above.
This completes the description of the hardware structure diagram of the device shown in Fig. 5.
In the disclosure, the machine-readable storage medium may be any electronic, magnetic, optical or other physical storage device that can contain or store information such as executable instructions and data. For example, the machine-readable storage medium may be RAM (Random Access Memory), volatile memory, non-volatile memory, flash memory, a storage drive (such as a hard disk drive), a solid state disk, any kind of storage disc (such as a CD or DVD) or a similar storage medium, or a combination of these.
The devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or entity, or by a product having a certain function. A typical implementing device is a computer, which may take the form of a personal computer, laptop computer, cellular phone, camera phone, smart phone, personal digital assistant, media player, navigation device, e-mail transceiver, game console, tablet computer, wearable device, or any combination of several of these devices.
For convenience of description, the above device is described as divided into units by function. Of course, when implementing the disclosure, the functions of the units may be realized in one or more pieces of software and/or hardware.
Those skilled in the art should understand that embodiments of the disclosure may be provided as a method, a system or a computer program product. Therefore, the disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the disclosure may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The disclosure is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the disclosure. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, may be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
The foregoing is merely the preferred embodiments of the disclosure and is not intended to limit the disclosure; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the disclosure should be included within the scope of protection of the disclosure.
Claims (10)
1. A network access method, characterized in that the method is applied to a Broadband Remote Access Server (BRAS) and comprises:
counting the number of network access messages whose destination IP address is a first IP address that a first terminal sends within a designated time period, the first terminal being one of the terminals that have not been authenticated by the authentication server connected to this BRAS;
if the message count equals a first preset threshold, checking whether any other terminal has sent a network access message whose destination IP address is the first IP address within the designated time period;
when it is found that other terminals have sent network access messages whose destination IP address is the first IP address within the designated time period, determining that the first IP address is legitimate, and allowing the network access messages whose destination IP address is the first IP address sent by each of the other terminals that have been authenticated by the authentication server to pass.
2. The method according to claim 1, wherein, when it is found that no other terminal has sent a network access message whose destination IP address is the first IP address within the designated time period, the method comprises:
generating an attack protection entry locally, so as to forbid network access messages whose destination IP address is the first IP address to pass according to the attack protection entry.
3. The method according to claim 1, wherein, when it is found that no other terminal has sent a network access message whose destination IP address is the first IP address within the designated time period, the method comprises:
continuing to count, within the designated time period, the network access messages whose destination IP address is the first IP address sent by the first terminal, until the message count equals a second preset threshold within the designated time period, and then generating an attack protection entry locally, so as to forbid network access messages whose destination IP address is the first IP address to pass according to the attack protection entry, the second preset threshold being greater than the first preset threshold.
4. The method according to any one of claims 1 to 3, characterized in that counting the number of network access messages whose destination IP address is the first IP address sent by the first terminal within the designated time period comprises:
when a network access message sent by the first terminal whose destination IP address is the first IP address is received within the designated time period, checking whether the local message counting table contains a first message counting entry whose source IP address and destination IP address are respectively the source IP address and destination IP address of the received network access message;
if so, increasing the message count in the first message counting entry by a preset value;
if not, adding to the local message counting table a first message counting entry whose message count is the preset value and whose source IP address and destination IP address are respectively the source IP address and destination IP address of the received network access message.
5. The method according to claim 4, characterized in that, when it is found that other terminals have sent network access messages whose destination IP address is the first IP address within the designated time period, the method further comprises: deleting the first message counting entry from the local message counting table.
6. The method according to claim 4, characterized in that checking whether any other terminal has sent a network access message whose destination IP address is the first IP address within the designated time period comprises:
searching, among the message counting entries in the local message counting table other than the first message counting entry, for message counting entries whose destination IP address is the first IP address;
if any is found, determining that other terminals have sent network access messages whose destination IP address is the first IP address within the designated time period;
if none is found, determining that no other terminal has sent a network access message whose destination IP address is the first IP address within the designated time period.
7. A network access device, characterized in that the device is applied to a Broadband Remote Access Server (BRAS) and comprises:
a statistics unit, for counting the number of network access messages whose destination IP address is a first IP address that a first terminal sends within a designated time period, the first terminal being one of the terminals that have not been authenticated by the authentication server connected to this BRAS;
an inspection unit, for checking, when the message count equals a first preset threshold, whether any other terminal has sent a network access message whose destination IP address is the first IP address within the designated time period;
a network access control unit, for determining that the first IP address is legitimate when the inspection unit finds that other terminals have sent network access messages whose destination IP address is the first IP address within the designated time period, and allowing the network access messages whose destination IP address is the first IP address sent by each of the other terminals that have been authenticated by the authentication server to pass.
8. The device according to claim 7, characterized in that, when the inspection unit finds that no other terminal has sent a network access message whose destination IP address is the first IP address within the designated time period, the network access control unit further generates an attack protection entry locally, or alternatively continues to count, within the designated time period, the network access messages whose destination IP address is the first IP address sent by the first terminal until the message count equals a second preset threshold within the designated time period and then generates an attack protection entry locally, the second preset threshold being greater than the first preset threshold;
and forbids network access messages whose destination IP address is the first IP address to pass according to the attack protection entry.
9. The device according to claim 7 or 8, characterized in that the statistics unit counting the number of network access messages whose destination IP address is the first IP address sent by the first terminal within the designated time period comprises:
when a network access message sent by the first terminal whose destination IP address is the first IP address is received within the designated time period, checking whether the local message counting table contains a first message counting entry whose source IP address and destination IP address are respectively the source IP address and destination IP address of the received network access message;
if so, increasing the message count in the first message counting entry by a preset value;
if not, adding to the local message counting table a first message counting entry whose message count is the preset value and whose source IP address and destination IP address are respectively the source IP address and destination IP address of the received network access message.
10. The device according to claim 9, characterized in that the statistics unit is further configured to delete the first message counting entry from the local message counting table when the inspection unit finds that other terminals have sent network access messages whose destination IP address is the first IP address within the designated time period.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810827488.3A CN109040046B (en) | 2018-07-25 | 2018-07-25 | Network access method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109040046A true CN109040046A (en) | 2018-12-18 |
CN109040046B CN109040046B (en) | 2021-01-26 |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090217354A1 (en) * | 2008-02-27 | 2009-08-27 | International Business Machines Corporation | Controlling access of a client system to access protected remote resources supporting relative urls |
CN101702717A (en) * | 2009-11-24 | 2010-05-05 | 杭州华三通信技术有限公司 | Method, system and equipment for authenticating Portal |
CN101873332A (en) * | 2010-07-15 | 2010-10-27 | 杭州华三通信技术有限公司 | WEB authentication method and equipment based on proxy server |
US20120166662A1 (en) * | 2010-12-22 | 2012-06-28 | Pradeep Iyer | HTTP Proxy based Captive Portal |
CN102624729A (en) * | 2012-03-12 | 2012-08-01 | 北京星网锐捷网络技术有限公司 | Web authentication method, device and system |
CN104852919A (en) * | 2015-05-14 | 2015-08-19 | 杭州华三通信技术有限公司 | Method and apparatus for realizing portal authentication |
CN106453119A (en) * | 2016-11-18 | 2017-02-22 | 杭州华三通信技术有限公司 | Authentication control method and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20230626. Address after: 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province; Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd. Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466; Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd. |