CN113992370B - Flow forwarding control method and trapping node based on flow forwarding control - Google Patents


Info

Publication number
CN113992370B
Authority
CN
China
Prior art keywords
flow
attack
forwarding
temporary container
traffic
Prior art date
Legal status
Active
Application number
CN202111213468.5A
Other languages
Chinese (zh)
Other versions
CN113992370A (en)
Inventor
吴建亮
胡鹏
林鼎钧
祝振宇
Current Assignee
Guangzhou Jeeseen Network Technologies Co Ltd
Original Assignee
Guangzhou Jeeseen Network Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Guangzhou Jeeseen Network Technologies Co Ltd
Priority to CN202111213468.5A
Publication of CN113992370A
Application granted
Publication of CN113992370B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1441 Countermeasures against malicious traffic
                            • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
                • H04L47/00 Traffic control in data switching networks
                    • H04L47/10 Flow control; Congestion control
                        • H04L47/29 Flow control; Congestion control using a combination of thresholds

Abstract

The invention provides a traffic forwarding control method and a trapping node based on traffic forwarding control, and belongs to the technical field of network security. After attack traffic enters the trapping node, the traffic is analyzed to obtain a data analysis result in which the source IP address is the primary key and the other fields of the attack traffic are auxiliary data; the attack source IP address is used as the traffic identifier, a corresponding temporary container is created to store the attack traffic, and the rate at which each temporary container forwards traffic to the honeypot is determined from the container's current total traffic, a preset flow control threshold and the container's capacity. The method and device identify the traffic entering the trapping node, create a corresponding container for temporary storage, and control how the attack traffic is forwarded to the honeypot, so that the attack traffic does not occupy excessive bandwidth and the normal operation of intranet services is not affected.

Description

Flow forwarding control method and trapping node based on flow forwarding control
Technical Field
The invention relates to the technical field of network security, in particular to a flow forwarding control method and a trapping node based on flow forwarding control.
Background
Trapping nodes are mainly used to steer traffic. They are deployed in a real network environment in software or hardware form, use a transparent proxy to lead an attacker into a honeypot in the honeynet scenario, and sense and give early warning of intranet attacks in real time.
As the front-end proxy of the honeypot in the real network environment, the trapping node is a lightweight forwarding node: it has almost no influence on the real intranet environment, does not actively probe intranet hosts such as service servers, and is triggered only when an attacker touches an intranet host.
The trapping node is the entrance to the honeynet trap and maps the honeynet environment into the real network. Once an attacker touches a trapping node, the attacker enters the honeynet environment without perceiving that the trapping node exists. In general, the more trapping nodes are deployed in a customer network and the wider their deployment range, the more pronounced the effect, and an attacker falling into the trap becomes almost inevitable.
The existing traffic steering strategy of trapping nodes is to receive attack traffic in real time and forward it in real time; when a large number of attacks occur at a given moment, this can occupy a large amount of the user network's bandwidth and affect the normal operation of service systems. Once existing trapping nodes are deployed, the same forwarding rate is applied uniformly whenever attack traffic reaches them, and there is no way to control a trapping node's forwarding rate for different attack traffic in a fine-grained manner.
The prior art has at least the following disadvantages:
1. The existing trapping node forwards attack traffic in real time, so when a large number of attacks occur, a large amount of bandwidth is occupied and normal services are affected.
2. After existing trapping nodes are deployed, the forwarding traffic of each trapping node cannot be controlled in a fine-grained manner.
Disclosure of Invention
In order to solve the technical problems in the prior art, the invention provides a traffic forwarding control method and a trapping node based on traffic forwarding control. After attack traffic enters the trapping node, the traffic is analyzed to obtain a data analysis result keyed by the source IP address with the other fields of the attack traffic as auxiliary data; the attack source IP address is used as the traffic identifier, a corresponding temporary container is created to store the attack traffic, and the rate at which each temporary container forwards traffic to the honeypot is determined from the container's current total traffic, a preset flow control threshold and the container's capacity. The method and device identify the traffic entering the trapping node, create a corresponding container for temporary storage, and control the forwarding of attack traffic to the honeypot, so that the attack traffic does not occupy excessive bandwidth, the normal operation of intranet services is not affected, and the traffic held in the temporary container does not overflow and get lost.
The invention provides a flow forwarding control method, which comprises the following steps:
identifying attack traffic entering a trapping node by using attack source information;
creating a temporary container corresponding to the attack source;
judging whether the attack from the attack source has finished; if it has not finished, steering the traffic into the corresponding temporary container; if it has finished, steering the traffic into the corresponding temporary container and reclaiming the temporary container once its traffic has been forwarded;
judging the size of the attack traffic entering the temporary container and determining whether its forwarding needs to be rate-limited;
determining the flow forwarding rate of the temporary container to the honeypot by adopting a preset flow control algorithm according to whether the attack flow needs to be limited, and forwarding the flow to the honeypot according to the forwarding rate; factors considered in determining the traffic forwarding rate in the flow control algorithm include: the current total flow of the temporary container, a preset flow control threshold, and the capacity of the temporary container.
Preferably, the attack traffic is continuously marked by taking the attack source IP address as a unique identifier in the identification process.
Preferably, whether the attack has finished is determined by whether a persistent (long) connection exists:
if a persistent connection exists, the attack has not finished;
if no persistent connection exists, the attack has finished.
Preferably, when the attack traffic exceeds a preset threshold, the attack traffic forwarding needs to limit the speed; and when the attack flow is less than or equal to the preset threshold, the attack flow is forwarded without limiting the speed.
Preferably, a speed limit field is added to the attack traffic needing speed limit, and whether the attack traffic needs speed limit is judged according to whether the additional speed limit field is included when the traffic is forwarded.
Preferably, the determining, by using a preset flow control algorithm, a flow forwarding rate of the temporary container to the honeypot includes:
when the current total traffic of the temporary container is smaller than the preset flow control threshold, forwarding the container's traffic at a first preset rate;
when the current total traffic of the temporary container is greater than the preset flow control threshold and less than the flow overrun early warning value, adding a speed limit field to the attack traffic and forwarding the container's traffic at a second preset rate;
when the current total traffic of the temporary container is larger than the flow overrun early warning value and smaller than the capacity of the temporary container, forwarding the container's traffic at the first preset rate;
the second preset rate is less than the first preset rate.
The invention further provides a trapping node based on traffic forwarding control that applies the above traffic forwarding control method. The trapping node comprises a trapping node flow controller, which in turn comprises a traffic identification module, a traffic size judgment module, a container creation module and a traffic distribution module;
the flow identification module analyzes the attack flow after the attack flow enters the trapping node, acquires information for identifying the attack flow and identifies the attack flow;
the container creating module is used for creating a temporary container corresponding to the attack flow according to the identifier of the attack flow;
the flow size judging module judges the attack flow size according to a preset flow size judging rule;
the flow distribution module is used for determining the flow forwarding rate of the temporary container to the honeypot according to a preset flow control algorithm and forwarding the attack flow to the honeypot at the determined flow forwarding rate, wherein the factors considered in the flow control algorithm comprise: the current total flow of the temporary container, a preset flow control threshold, and the capacity of the temporary container.
Preferably, the traffic identification module specifically performs the following operations:
obtaining the attacker's source IP address through statistical analysis of the network port mapping relation, the protocol type and the attack behavior characteristics, and identifying the corresponding attack traffic by that source IP address.
Preferably, the flow size judging module performs the following operations:
when the current total flow of the temporary container is greater than a preset flow control threshold and less than a flow overrun early warning value, adding a speed limit field to the attack flow, and introducing the flow into a flow-limiting distribution container;
and when the current total flow of the temporary container is smaller than a preset flow control threshold value or larger than a flow overrun early warning value and smaller than the capacity of the temporary container, introducing the flow into the non-flow-limiting distribution container.
Preferably, the traffic distribution module specifically performs the following operations:
forwarding the traffic in the non-rate-limiting distribution container, which carries no added speed limit field, at the first preset rate;
forwarding the traffic in the rate-limiting distribution container, which carries the added speed limit field, at the second preset rate;
the second predetermined rate is less than the first predetermined rate.
Preferably, the system further comprises a trapping module for inducing an attacker to attack and realize the binding with the honeypot.
Compared with the prior art, the invention has the following beneficial effects:
1. the trapping node marks the flow according to the attack flow source IP, creates a corresponding temporary container for temporarily storing the flow, and controls the flow forwarding rate of the attack flow in the temporary container, so that the situation that a large amount of attacks occupy the bandwidth of an intranet and influence the normal service operation is prevented;
2. the method and the device perform flow forwarding control according to the current total flow, the flow control threshold value and the flow early warning value set according to the service requirement and the capacity of the temporary container, dynamically adjust the flow forwarding rate, ensure the normal service bandwidth requirement of the intranet environment, and simultaneously prevent the attack flow temporarily stored in the temporary container from overflowing to cause the loss of the attack flow.
Drawings
Fig. 1 is a flow chart of a traffic forwarding control method according to an embodiment of the present invention;
Fig. 2 is a flow chart of a traffic forwarding control method according to another embodiment of the present invention;
Fig. 3 is a schematic diagram of a trapping node deployment based on traffic forwarding control according to an embodiment of the present invention;
Fig. 4 is a schematic flow diagram of the work flow of a trapping node based on traffic forwarding control according to one embodiment of the present invention.
Detailed Description
The following detailed description of embodiments of the invention refers to the accompanying drawings.
The invention provides a flow forwarding control method, which comprises the following steps:
identifying attack traffic entering a trapping node by using attack source information;
creating a temporary container corresponding to the attack source;
Each temporary container temporarily stores the attack traffic that its attack source sends into the trapping node, so a separate container must be created for each attack source. The size of a temporary container is governed by a system preset value at creation time rather than by the attack traffic or its first packet; the preset is chosen from historical analysis of attack traffic, so that the container neither occupies excessive space nor overflows.
Judging whether the attack from the attack source has finished; if it has not finished, steering the traffic into the corresponding temporary container; if it has finished, steering the traffic into the corresponding temporary container and reclaiming the temporary container once its traffic has been forwarded;
judging the size of the attack traffic entering the temporary container and determining whether its forwarding needs to be rate-limited;
determining the flow forwarding rate of the temporary container to the honeypot by adopting a preset flow control algorithm according to whether the attack flow needs to be limited, and forwarding the flow to the honeypot according to the forwarding rate; factors considered in determining the traffic forwarding rate in the flow control algorithm include: the current total flow of the temporary container, a preset flow control threshold, and the capacity of the temporary container.
According to a specific embodiment of the invention, the attack traffic is continuously marked in the identification process using the attack source IP address as the unique identifier. The method can also take on part of the traffic analysis function while controlling traffic: through statistical analysis of the network port mapping relation, the protocol type and the attack behavior characteristics, it obtains a data analysis result keyed by the attacker's source IP address with several auxiliary fields. The source IP address represents the attack traffic, and the auxiliary fields, such as a device id (device feature code) and a social id (social network account), help distinguish the traffic of different attackers.
The port mapping relation comprises the attacker's original port and the mapped port; the protocol type used by the attack includes ssh, Telnet, http, https, rdp, ftp and the like; the attack behavior characteristics include, for example, weak-password brute forcing and command injection.
The same attacker may attack from different devices and there may be multiple attackers on the same device. Therefore, only the attack source IP address is used as the unique identifier of the attack traffic, and fields such as the device id and the social id are used as auxiliary fields to assist in distinguishing the attacker traffic.
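The identification step described above, as an added worked example that is not part of the patent: a small Python parser over constructed key=value flow records (the line format, the field names and the sample addresses are assumptions made for this example) that keys each flow on its source IP address, keeps the port mapping, protocol, behavior characteristic, device id and social id as auxiliary fields, and rejects records whose identifier is not a valid IP address.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed flow records in a key=value line format assumed for this example.
# "port" is the port the attacker hit on the trapping node, "mapped_port" the
# honeypot service it is proxied to; "-" marks an absent auxiliary field.
SAMPLE_RECORDS = [
    "src=203.0.113.10 port=2222 mapped_port=22 proto=ssh behavior=weak_password_bruteforce device_id=dev-a social_id=-",
    "src=203.0.113.10 port=2222 mapped_port=22 proto=ssh behavior=weak_password_bruteforce device_id=dev-b social_id=-",
    "src=198.51.100.7 port=8080 mapped_port=80 proto=http behavior=command_injection device_id=dev-a social_id=acct-42",
    "src=198.51.100.7 port=2323 mapped_port=23 proto=telnet behavior=weak_password_bruteforce device_id=dev-a social_id=acct-42",
    "src=not-an-ip port=2222 mapped_port=22 proto=ssh behavior=weak_password_bruteforce device_id=dev-c social_id=-",
]

REQUIRED = ("src", "port", "mapped_port", "proto", "behavior", "device_id", "social_id")


def parse_record(line: str) -> Dict[str, str]:
    """Parse one key=value record; raise ValueError on a malformed line."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"bad token {token!r}")
        fields[key] = value
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"missing fields {missing}")
    ipaddress.ip_address(fields["src"])   # the identifier must be a real IP address
    int(fields["port"])
    int(fields["mapped_port"])
    return fields


def flow_identifier(rec: Dict[str, str]) -> str:
    """The unique identifier is the attack source IP; everything else is auxiliary."""
    return rec["src"]


@dataclass
class SourceProfile:
    """Auxiliary data collected for one attack source (one temporary container key)."""
    device_ids: Set[str] = field(default_factory=set)
    social_ids: Set[str] = field(default_factory=set)
    port_map: Set[Tuple[int, int]] = field(default_factory=set)   # (hit port, mapped port)
    protocols: Set[str] = field(default_factory=set)
    behaviors: Set[str] = field(default_factory=set)
    records: int = 0


def aggregate(lines: List[str]) -> Tuple[Dict[str, SourceProfile], int]:
    """Group records by source IP; returns (profiles, number of rejected lines)."""
    profiles: Dict[str, SourceProfile] = {}
    rejected = 0
    for line in lines:
        try:
            rec = parse_record(line)
        except ValueError:
            rejected += 1          # never key a container on an unvalidated identifier
            continue
        p = profiles.setdefault(flow_identifier(rec), SourceProfile())
        p.device_ids.add(rec["device_id"])
        if rec["social_id"] != "-":
            p.social_ids.add(rec["social_id"])
        p.port_map.add((int(rec["port"]), int(rec["mapped_port"])))
        p.protocols.add(rec["proto"])
        p.behaviors.add(rec["behavior"])
        p.records += 1
    return profiles, rejected


def devices_seen_from_multiple_sources(profiles: Dict[str, SourceProfile]) -> Set[str]:
    """Auxiliary fields do not identify a flow: one device id can sit behind several IPs."""
    seen: Dict[str, Set[str]] = {}
    for ip, p in profiles.items():
        for dev in p.device_ids:
            seen.setdefault(dev, set()).add(ip)
    return {dev for dev, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    profiles, rejected = aggregate(SAMPLE_RECORDS)
    for ip, p in profiles.items():
        print(ip, p)
    print("rejected:", rejected, "shared devices:", devices_seen_from_multiple_sources(profiles))
```

The last sample record shows why the identifier is validated before it becomes a container key: a malformed source field is counted and skipped rather than silently producing a bogus container. devices_seen_from_multiple_sources illustrates the point made in the text that a device id alone cannot identify an attacker, since dev-a appears behind both source addresses, while the two device ids under 203.0.113.10 still map to a single container.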
According to one embodiment of the present invention, whether the attack has finished is determined by whether a persistent (long) connection exists:
if a persistent connection exists, the attack has not finished;
if no persistent connection exists, the attack has finished.
According to a specific embodiment of the invention, when the attack flow exceeds a preset threshold, the attack flow forwarding needs to limit the speed; and when the attack flow is less than or equal to the preset threshold, the attack flow is forwarded without limiting the speed.
According to a specific embodiment of the invention, a speed limit field is added to the attack traffic needing speed limit, and whether the attack traffic needs speed limit is judged according to whether the additional speed limit field is included during traffic forwarding.
According to a specific embodiment of the present invention, the determining, by using a preset flow control algorithm, a flow forwarding rate of the temporary container to the honeypot includes:
when the current total traffic of the temporary container is smaller than the preset flow control threshold, forwarding the container's traffic at a first preset rate;
when the current total traffic of the temporary container is greater than the preset flow control threshold and less than the flow overrun early warning value, adding a speed limit field to the attack traffic and forwarding the container's traffic at a second preset rate;
when the current total traffic of the temporary container is larger than the flow overrun early warning value and smaller than the capacity of the temporary container, forwarding the container's traffic at the first preset rate;
the second preset rate is less than the first preset rate.
The invention provides a trapping node based on flow forwarding control, which utilizes the flow forwarding control method to comprise a trapping node flow controller, wherein the trapping node flow controller comprises a flow identification module, a flow size judgment module, a container creation module and a flow distribution module;
the flow identification module analyzes the attack flow after the attack flow enters the trapping node, acquires information for identifying the attack flow and identifies the attack flow;
the container creating module is used for creating a temporary container corresponding to the attack flow according to the identifier of the attack flow;
the traffic size judging module judges the size of the attack traffic according to a preset traffic size judging rule; the preset traffic size is set by the system from historical experience values, its unit may be a measurement unit such as KB or MB, the configuration parameter can be modified as needed, and it may default to 1 MB;
the flow distribution module is used for determining the flow forwarding rate of the temporary container to the honeypot according to a preset flow control algorithm and forwarding the attack flow to the honeypot at the determined flow forwarding rate, wherein the factors considered in the flow control algorithm comprise: the current total flow of the temporary container, a preset flow control threshold, and the capacity of the temporary container.
According to a specific embodiment of the present invention, the traffic identification module specifically performs the following operations:
obtaining the attacker's source IP address through statistical analysis of the network port mapping relation, the protocol type and the attack behavior characteristics, and identifying the corresponding attack traffic by that source IP address.
According to a specific embodiment of the present invention, the traffic size determination module performs the following operations:
when the current total flow of the temporary container is greater than a preset flow control threshold and less than a flow overrun early warning value, adding a speed limit field to the attack flow, and introducing the flow into a flow-limiting distribution container;
and when the current total flow of the temporary container is smaller than a preset flow control threshold value or larger than a flow overrun early warning value and smaller than the capacity of the temporary container, introducing the flow into the non-flow-limiting distribution container.
According to a specific embodiment of the present invention, the traffic distribution module specifically performs the following operations:
forwarding the traffic in the non-rate-limiting distribution container, which carries no added speed limit field, at the first preset rate;
forwarding the traffic in the rate-limiting distribution container, which carries the added speed limit field, at the second preset rate;
the second preset rate is less than the first preset rate. The flow control threshold, the flow overrun early warning value, the first preset rate and the second preset rate may be set interactively through a page interface according to service requirements, or may be configured at the underlying layer.
Data traffic distribution can work in either of two ways, fixed container size or fixed traffic size; the description above is based on fixed traffic size. "Fixed" here refers to what is preset: either the preset rate or the preset size of the distribution container.
Fixed container size: regardless of the size of the first packet or of the total traffic entering the trapping node, a distribution container of fixed size is created according to the preset distribution container size;
fixed traffic size: regardless of the first packet or of the total traffic entering the trapping node, the traffic of the distribution container is forwarded at a preset rate (a first preset rate or a second preset rate).
According to a specific embodiment of the invention, the system further comprises a trapping module for inducing an attacker to attack and realize the binding with the honeypot.
Example 1
Referring to the drawings, a traffic forwarding control method provided by the present invention is described in detail according to an embodiment of the present invention.
The invention provides a flow forwarding control method, which comprises the following steps:
identifying attack traffic entering a trapping node by using attack source information;
creating a temporary container corresponding to the attack source;
judging whether the attack of the attack source is finished or not, and if the attack is not finished, introducing the flow into a corresponding temporary container; if the attack is finished, introducing the flow into the corresponding temporary container, and recovering the temporary container after the flow of the corresponding temporary container is forwarded;
judging the size of the attack flow entering the temporary container, and determining whether to forward and limit the speed of the attack flow;
determining the flow forwarding rate of the temporary container to the honeypot by adopting a preset flow control algorithm according to whether the attack flow needs to be limited, and forwarding the flow to the honeypot according to the forwarding rate; factors considered in determining the traffic forwarding rate in the flow control algorithm include: the current total flow of the temporary container, a preset flow control threshold, and the capacity of the temporary container.
Example 2
Referring to the drawings, a traffic forwarding control method provided by the present invention is described in detail according to an embodiment of the present invention.
The invention provides a flow forwarding control method, which comprises the following steps:
identifying attack traffic entering a trapping node by using attack source information; in the identification process, the attack source IP address is used as a unique identification to continuously mark attack flow;
creating a temporary container corresponding to the attack source;
judging whether the attack of the attack source is finished or not, and if the attack is not finished, introducing the flow into a corresponding temporary container; if the attack is finished, introducing the flow into the corresponding temporary container, and recovering the temporary container after the flow of the corresponding temporary container is forwarded;
whether the attack has finished is determined by whether a persistent (long) connection exists:
if a persistent connection exists, the attack has not finished;
if no persistent connection exists, the attack has finished.
Judging the size of the attack flow entering the temporary container, and determining whether to forward and limit the speed of the attack flow; when the attack flow exceeds a preset threshold value, the attack flow forwarding needs to limit the speed; when the attack flow is less than or equal to the preset threshold, the attack flow is forwarded without limiting the speed; adding a speed limit field to the attack flow needing speed limit, and judging whether the attack flow needs speed limit according to whether the additional speed limit field is included during flow forwarding;
determining the flow forwarding rate of the temporary container to the honeypot by adopting a preset flow control algorithm according to whether the attack flow needs to be limited, and forwarding the flow to the honeypot according to the forwarding rate; factors considered in determining the traffic forwarding rate in the flow control algorithm include: the current total flow of the temporary container, a preset flow control threshold, and the capacity of the temporary container.
The method specifically comprises the following steps:
when the current total flow of the temporary container is smaller than a preset flow control threshold value, forwarding the flow of the temporary container at a first preset speed; at the moment, the flow is very small and the flow control is not carried out;
when the current total flow of the temporary container is greater than a preset flow control threshold and less than a flow overrun early warning value, adding a speed limit field for the attack flow, and forwarding the flow of the temporary container at a second preset speed; at this time, the traffic is large, but the traffic does not exceed the traffic overrun warning value, and at this time, if the attack traffic forwarding is continued at a high forwarding rate, a large bandwidth may be occupied, which affects the operation of normal services.
When the current total traffic of the temporary container is larger than the flow overrun early warning value and smaller than the capacity of the temporary container, the container's traffic is forwarded at the first preset rate. At this point the traffic exceeds the flow overrun early warning value; if it were still forwarded at the low rate, the attack traffic in the temporary container would overflow and be lost, and the honeypot could not analyze attack behavior from incomplete attack traffic, so the exercise would lose its meaning. Therefore the normal forwarding rate must be restored at this point, so that the traffic in the temporary container is forwarded to the honeypot as soon as possible and the attack traffic in the container is not lost.
The second preset rate is less than the first preset rate.
The preset flow control threshold is smaller than the flow overrun early warning value, and the flow overrun early warning value is smaller than the capacity of the temporary container.
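The following is an added Python simulation, not code from the patent, of the rate-selection procedure given in the Disclosure, the Detailed Description and Example 2 above, together with the per-source temporary containers and the reclaim-after-drain rule from the method steps (the same controller also plays the roles of the container creation, size judgment and distribution modules of the trapping node). The threshold, early warning value, capacity and the two preset rates are constructed values chosen so that the walk-through is readable (the patent only states their ordering and a 1 MB default for the preset size); packets are modelled as sizes in bytes, one tick is one forwarding interval, and the handling of totals exactly equal to a boundary is an assumption stated in select_rate.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed configuration values (the patent leaves these to the operator and only
# fixes their ordering; the 1 MB default it mentions is scaled down here).
THRESHOLD = 1_000   # preset flow control threshold, bytes stored in a container
WARNING = 3_000     # flow overrun early warning value, bytes
CAPACITY = 4_000    # temporary container capacity, bytes (fixed container size)
RATE_FAST = 500     # first preset rate, bytes forwarded per tick
RATE_SLOW = 100     # second preset rate, bytes per tick (must be the smaller)


def select_rate(total: int, threshold: int = THRESHOLD, warning: int = WARNING,
                capacity: int = CAPACITY) -> Tuple[int, bool]:
    """Three-regime rate choice. Returns (rate, add_speed_limit_field).

    Boundary handling is an assumption: a total equal to the threshold does not
    "exceed" it, and a total equal to the warning value already triggers the
    restore-to-fast regime so the container is drained before it overflows.
    """
    if not (threshold < warning < capacity):
        raise ValueError("expected threshold < warning < capacity")
    if total <= threshold:            # small: no flow control
        return RATE_FAST, False
    if total < warning:               # large but below warning: throttle, tag packets
        return RATE_SLOW, True
    return RATE_FAST, False           # near capacity: drain fast to avoid loss


@dataclass
class Packet:
    src_ip: str
    size: int
    rate_limited: bool = False       # the patent's added "speed limit field"


@dataclass
class TemporaryContainer:
    src_ip: str                      # attack source IP is the container's identifier
    capacity: int = CAPACITY
    queue: List[Packet] = field(default_factory=list)
    dropped: int = 0                 # bytes refused because the container was full
    attack_finished: bool = False    # no persistent connection seen any more

    @property
    def total(self) -> int:
        return sum(p.size for p in self.queue)

    def store(self, pkt: Packet) -> bool:
        if self.total + pkt.size > self.capacity:
            self.dropped += pkt.size
            return False
        self.queue.append(pkt)
        return True


class TrappingNodeFlowController:
    """Per-source containers, one forwarding decision per container per tick."""

    def __init__(self) -> None:
        self.containers: Dict[str, TemporaryContainer] = {}
        self.forwarded: List[Packet] = []   # stand-in for the link to the honeypot
        self.reclaimed: List[str] = []

    def ingest(self, pkt: Packet, connection_open: bool) -> bool:
        c = self.containers.get(pkt.src_ip)
        if c is None:                       # container creation module
            c = self.containers[pkt.src_ip] = TemporaryContainer(pkt.src_ip)
        c.attack_finished = not connection_open
        return c.store(pkt)

    def tick(self) -> Dict[str, int]:
        """Forward up to the selected rate from every container; reclaim finished ones."""
        sent: Dict[str, int] = {}
        for ip, c in list(self.containers.items()):
            rate, limited = select_rate(c.total)   # size judgment + distribution
            budget, sent[ip] = rate, 0
            while c.queue and c.queue[0].size <= budget:
                p = c.queue.pop(0)
                p.rate_limited = limited
                budget -= p.size
                sent[ip] += p.size
                self.forwarded.append(p)
            if c.attack_finished and not c.queue:
                del self.containers[ip]
                self.reclaimed.append(ip)
        return sent


def simulate() -> Dict[str, object]:
    """Constructed scenario: attacker A keeps a connection open and bursts,
    attacker B sends a little and disconnects."""
    ctl = TrappingNodeFlowController()
    for _ in range(25):
        ctl.ingest(Packet("203.0.113.10", 100), connection_open=True)   # 2500 B
    for _ in range(5):
        ctl.ingest(Packet("198.51.100.7", 100), connection_open=False)  # 500 B
    first = ctl.tick()
    for _ in range(16):
        ctl.ingest(Packet("203.0.113.10", 100), connection_open=True)   # now 4000 B
    second = ctl.tick()
    return {
        "first_tick": first,
        "second_tick": second,
        "reclaimed": list(ctl.reclaimed),
        "tagged": sum(p.rate_limited for p in ctl.forwarded),
        "dropped": sum(c.dropped for c in ctl.containers.values()),
        "remaining": {ip: c.total for ip, c in ctl.containers.items()},
    }


if __name__ == "__main__":
    print(simulate())
```

Running the block prints the result of simulate(): in the first tick attacker A's 2500 bytes fall between the threshold and the early warning value, so only one 100-byte packet leaves, tagged with the speed limit field, while attacker B's small, already-finished flow is drained at the fast rate and its container is reclaimed; after A's second burst fills the container to capacity the controller restores the fast rate so the container drains before anything is dropped, which is the overflow-avoidance rationale the text gives for the third regime.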
Example 3
Referring to the drawings, the trapping node based on traffic forwarding control provided by the invention is described in detail according to an embodiment of the invention. The trapping node is bound to honeypots, connected into a honeynet, and controlled by the central honeypot system.
The invention provides a trapping node based on traffic forwarding control that applies the above traffic forwarding control method and comprises a trapping node flow controller and a trapping module; the trapping node flow controller comprises a traffic identification module, a traffic size judgment module, a container creation module and a traffic distribution module;
the flow identification module analyzes the attack flow after the attack flow enters the trapping node, acquires information for identifying the attack flow and identifies the attack flow;
the container creating module is used for creating a temporary container corresponding to the attack flow according to the identifier of the attack flow;
the flow size judging module judges the attack flow size according to a preset flow size judging rule;
the flow distribution module is used for determining the flow forwarding rate of the temporary container to the honeypot according to a preset flow control algorithm and forwarding the attack flow to the honeypot at the determined flow forwarding rate, wherein the factors considered in the flow control algorithm comprise: the current total flow of the temporary container, a preset flow control threshold, and the capacity of the temporary container.
And the trapping module is used for inducing an attacker to attack and realizing the binding with the honeypots.
As shown in Fig. 3, there are an attacker A and an attacker B whose traffic differs in size, so different traffic control measures are applied: the traffic of attacker A is rate-limited, while the traffic of attacker B is not.
Example 4
Referring to the attached drawings, the trapping node based on flow forwarding control provided by the invention is described in detail according to an embodiment of the invention; the trapping node is bound with honeypots and is connected into a honeynet, and the central honeypot system controls the trapping node to forward attack flow.
After entering an intranet environment, an attacker is captured by the trapping node and induced to keep attacking the honeypot; the disguised operating system or business application system of the honeypot presents vulnerabilities that are easy to exploit; the trapping node may use a transparent proxy to divert the attacker's traffic to the honeypots in the honeynet scene, and at the same time the trapping node also has the functions described below.
The invention provides a trapping node based on flow forwarding control, which uses the flow forwarding control method and comprises a trapping node flow controller and a trapping module; the trapping node flow controller comprises a flow identification module, a flow size judgment module, a container creation module and a flow distribution module;
the flow identification module analyzes the attack flow after the attack flow enters the trapping node, acquires information for identifying the attack flow and identifies the attack flow;
the flow identification module specifically executes the following operations:
obtaining the attack source IP address through statistical analysis of the mapping relation of the network ports, the protocol type and the attack behavior characteristics, and identifying the corresponding attack flow by that attack source IP address.
The container creating module is used for creating a temporary container corresponding to the attack flow according to the identifier of the attack flow;
the flow size judging module judges the attack flow size according to a preset flow size judging rule;
the flow size judging module executes the following operations:
when the current total flow of the temporary container is greater than a preset flow control threshold value and smaller than a flow overrun early warning value, adding a speed limit field to attack flow, and introducing the flow into a flow-limiting distribution container;
and when the current total flow of the temporary container is smaller than a preset flow control threshold value or larger than a flow overrun early warning value and smaller than the capacity of the temporary container, introducing the flow into the non-flow-limiting distribution container.
The flow size judging module can be provided with a size judging container for judging the flow size;
the flow distribution module is used for determining the flow forwarding rate of the temporary container to the honeypot according to a preset flow control algorithm and forwarding the attack flow to the honeypot at the determined flow forwarding rate, wherein the factors considered in the flow control algorithm comprise: the current total flow of the temporary container, a preset flow control threshold, and the capacity of the temporary container.
The flow distribution module specifically executes the following operations:
forwarding the flow in the non-flow-limiting distribution container, which carries no speed-limiting field, at a first preset rate;
forwarding the flow in the flow-limiting distribution container, which carries the additional speed-limiting field, at a second preset rate;
the second preset rate is less than the first preset rate.
And the trapping module is used for inducing an attacker to attack and realizing the binding with the honeypots.
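The following is an added example, not code from the patent or from the applicant: a small Python model of the trapping node flow controller described in Examples 3 and 4 and in the claims. It keeps one temporary container per attack source IP, applies the size judgement that adds the speed-limit field only when the container's current total flow lies between the flow control threshold and the overrun early-warning value, forwards at the first or second preset rate depending on that field, and reclaims the container when no long connection remains. The class and function names, the numeric thresholds and rates, the sample packet sizes and the source IP 10.0.0.5 are all constructed for illustration; how boundary values (total flow exactly equal to the threshold or the warning value) are treated is an assumption, since the page only uses strict inequalities.

```python
"""Added example (not from the patent): model of a trapping-node flow controller
with per-source temporary containers and two forwarding rates.
All names, numbers and sample traffic are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class AttackPacket:
    src_ip: str                 # attack source IP, the unique identifier (claim 2)
    size: int                   # bytes
    speed_limit: bool = False   # the "speed-limit field" set by the size-judging step


@dataclass
class TemporaryContainer:
    src_ip: str
    capacity: int
    queue: List[AttackPacket] = field(default_factory=list)
    long_connections: int = 0   # open long-lived connections from this source (claim 3)

    @property
    def total_flow(self) -> int:
        return sum(p.size for p in self.queue)


class TrapNodeFlowController:
    def __init__(self, threshold: int, warning: int, capacity: int,
                 first_rate: int, second_rate: int) -> None:
        # Ordering stated on the page: threshold < overrun early-warning value < capacity,
        # and the limited (second) rate is below the normal (first) rate.
        if not threshold < warning < capacity:
            raise ValueError("need threshold < warning < capacity")
        if not second_rate < first_rate:
            raise ValueError("second (limited) rate must be below the first rate")
        self.threshold, self.warning, self.capacity = threshold, warning, capacity
        self.first_rate, self.second_rate = first_rate, second_rate   # bytes per second
        self.containers: Dict[str, TemporaryContainer] = {}

    def identify(self, pkt: AttackPacket) -> str:
        # The patent derives the source IP from port-mapping, protocol and behaviour
        # statistics; in this model the packet already carries it (assumption).
        return pkt.src_ip

    def admit(self, pkt: AttackPacket) -> bool:
        """Create the container on first sight, judge the size and queue the packet.
        Returns False when the container has no room (capacity is the hard limit)."""
        src = self.identify(pkt)
        cont = self.containers.setdefault(src, TemporaryContainer(src, self.capacity))
        if cont.total_flow + pkt.size > cont.capacity:
            return False
        # Size judgement (claims 1 and 8): only the band between the control threshold
        # and the early-warning value gets the speed-limit field. Totals exactly equal
        # to a bound are treated as outside the band (assumption; page uses strict <).
        pkt.speed_limit = self.threshold < cont.total_flow < self.warning
        cont.queue.append(pkt)
        return True

    def rate_for(self, pkt: AttackPacket) -> int:
        # Distribution (claims 5 and 9): the rate follows the presence of the field.
        return self.second_rate if pkt.speed_limit else self.first_rate

    def forward(self, src_ip: str) -> Tuple[List[Tuple[int, int]], float, bool]:
        """Forward everything queued for one source to the honeypot.
        Returns (list of (size, rate) pairs, seconds spent, container_reclaimed)."""
        cont = self.containers[src_ip]
        sent: List[Tuple[int, int]] = []
        seconds = 0.0
        while cont.queue:
            pkt = cont.queue.pop(0)
            rate = self.rate_for(pkt)
            sent.append((pkt.size, rate))
            seconds += pkt.size / rate
        # Claim 3: no long connection left means the attack is over, and the temporary
        # container is reclaimed once its flow has been forwarded.
        reclaimed = cont.long_connections == 0
        if reclaimed:
            del self.containers[src_ip]
        return sent, seconds, reclaimed


def demo() -> Tuple[List[bool], List[bool], List[Tuple[int, int]], float, bool]:
    """Constructed scenario: one source, six packets, a 5000-byte container."""
    ctl = TrapNodeFlowController(threshold=1000, warning=3000, capacity=5000,
                                 first_rate=1000, second_rate=200)
    sizes = [600, 600, 1200, 1200, 800, 1000]                       # constructed traffic
    accepted = [ctl.admit(AttackPacket("10.0.0.5", s)) for s in sizes]  # constructed IP
    flags = [p.speed_limit for p in ctl.containers["10.0.0.5"].queue]
    sent, seconds, reclaimed = ctl.forward("10.0.0.5")
    return accepted, flags, sent, seconds, reclaimed


if __name__ == "__main__":
    print(demo())
```

In the constructed run, the first two packets arrive while the container holds less than the threshold and are forwarded at the first rate; the third and fourth arrive while the total lies between the threshold and the warning value, receive the speed-limit field and are forwarded at the second rate; the fifth arrives after the total has passed the warning value and again goes at the first rate, matching the three-band rule of claim 1; the sixth would exceed the container capacity and is refused. Setting `long_connections` to a non-zero value before calling `forward` keeps the container alive for the next burst from the same source.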
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (9)

1. A traffic forwarding control method is characterized by comprising the following steps:
identifying attack traffic entering a trapping node by using attack source information;
creating a temporary container corresponding to the attack source;
judging whether the attack of the attack source is finished; if the attack is not finished, introducing the flow into the corresponding temporary container; if the attack is finished, introducing the flow into the corresponding temporary container and reclaiming the temporary container after its flow has been forwarded;
judging the size of the attack flow entering the temporary container, and determining whether the attack flow needs to be rate-limited when forwarded;
determining the flow forwarding rate of the temporary container to the honeypot by adopting a preset flow control algorithm according to whether the attack flow needs to be limited, and forwarding the flow to the honeypot according to the flow forwarding rate; factors considered in determining the traffic forwarding rate in the flow control algorithm include: the current total flow of the temporary container, a preset flow control threshold value and the capacity of the temporary container; the method for determining the flow forwarding rate from the temporary container to the honeypot by adopting the preset flow control algorithm comprises the following steps:
when the current total flow of the temporary container is smaller than a preset flow control threshold value, forwarding the flow of the temporary container at a first preset speed;
when the current total flow of the temporary container is greater than a preset flow control threshold value and smaller than a flow overrun early warning value, adding a speed limit field for the attack flow, and forwarding the flow of the temporary container at a second preset rate;
when the current total flow of the temporary container is larger than the flow overrun early warning value and smaller than the capacity of the temporary container, forwarding the flow of the temporary container at a first preset rate;
the second predetermined rate is less than the first predetermined rate.
2. The traffic forwarding control method according to claim 1, wherein attack traffic is continuously marked with an attack source IP address as a unique identifier.
3. The traffic forwarding control method according to claim 1, wherein the determination of whether the attack is over is performed by determining whether a long connection exists,
if long connection exists, attack is not finished;
if no long connection exists, the attack is over.
4. The traffic forwarding control method according to claim 1, wherein when the attack traffic exceeds a preset threshold, the attack traffic forwarding needs to be speed-limited; and when the attack flow is less than or equal to the preset threshold, the attack flow is forwarded without limiting the speed.
5. The traffic forwarding control method according to claim 4, wherein a rate-limiting field is added to the attack traffic requiring rate limiting, and whether the attack traffic requires rate limiting is determined according to whether the additional rate-limiting field is included during traffic forwarding.
6. A trap node based on traffic forwarding control, characterized in that it uses the traffic forwarding control method of any one of claims 1 to 5, and its trap node traffic controller comprises a traffic identification module, a traffic size judgment module, a container creation module and a traffic distribution module;
the flow identification module analyzes the attack flow after the attack flow enters the trapping node, acquires information for identifying the attack flow and identifies the attack flow;
the container creating module is used for creating a temporary container corresponding to the attack flow according to the identifier of the attack flow;
the flow size judging module judges the attack flow size according to a preset flow size judging rule;
the flow distribution module is used for determining the flow forwarding rate of the temporary container to the honeypot according to a preset flow control algorithm and forwarding the attack flow to the honeypot at the determined flow forwarding rate, wherein the factors considered in the flow control algorithm comprise: the current total flow of the temporary container, a preset flow control threshold, and the capacity of the temporary container.
7. The traffic forwarding control based trap node of claim 6, wherein the traffic identification module performs in particular the following operations:
obtaining an attack source IP address through statistical analysis of the mapping relation of the network ports, the protocol types and the attack behavior characteristics, so as to identify the corresponding attack flow by that attack source IP address.
8. The traffic forwarding control based trap node of claim 6, wherein the traffic size determination module performs the following operations:
when the current total flow of the temporary container is greater than a preset flow control threshold and less than a flow overrun early warning value, adding a speed limit field to the attack flow, and introducing the flow into a flow-limiting distribution container;
and when the current total flow of the temporary container is smaller than a preset flow control threshold value or larger than a flow overrun early warning value and smaller than the capacity of the temporary container, introducing the flow into the non-flow-limiting distribution container.
9. The traffic forwarding control based trap node of claim 8, wherein the traffic distribution module specifically performs the following operations:
forwarding the flow in the non-flow-limiting distribution container, which carries no speed-limiting field, at a first preset rate;
forwarding the flow in the flow-limiting distribution container, which carries the additional speed-limiting field, at a second preset rate;
the second preset rate is less than the first preset rate.
CN202111213468.5A 2021-10-19 2021-10-19 Flow forwarding control method and trapping node based on flow forwarding control Active CN113992370B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111213468.5A CN113992370B (en) 2021-10-19 2021-10-19 Flow forwarding control method and trapping node based on flow forwarding control

Publications (2)

Publication Number Publication Date
CN113992370A CN113992370A (en) 2022-01-28
CN113992370B true CN113992370B (en) 2022-06-17

Family

ID=79739225

Country Status (1)

Country Link
CN (1) CN113992370B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant