CN100388684C - Realizing method for preventing point-to point protocol recognization from being attacked in wideband cut-in network - Google Patents


Info

Publication number
CN100388684C
Authority
CN (China)
Prior art keywords
user, point, authentication, attack, broadband
Legal status
Expired - Fee Related
Application number
CNB2005100330356A
Other languages
Chinese (zh)
Other versions
CN1812340A (en)
Inventors
熊宇, 怀南
Current and original assignee
Huawei Technologies Co Ltd
Events
Application filed by Huawei Technologies Co Ltd; priority to CNB2005100330356A; publication of CN1812340A; application granted; publication of CN100388684C; legal status: Expired - Fee Related

Landscapes

  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention relates to a method for preventing point-to-point protocol (PPP) authentication attacks in a broadband access network. Information that uniquely identifies a PPP user is chosen as that user's unique identification information. A duration for tracking users who fail authentication, and a threshold, are configured on the broadband remote access server (BRAS); if, within the configured tracking duration, the number of authentication failures of a user reaches the threshold, the user corresponding to that unique identification information is regarded as an illegal attacking user. For such a user, alarm information is printed to notify the administrator, or the attacking user's messages are filtered, so that the illegal attack is suppressed. The invention overcomes the defect of the prior art that no effective means exists to suppress PPP authentication attacks: it can automatically identify PPP authentication attacking users and filter attack messages, preventing illegal login processes from using authentication messages to attack BRAS devices and the authentication server.

Description

Method for preventing point-to-point protocol authentication attacks in a broadband access network
Technical field
The present invention relates to the technical field of broadband access networks, and in particular to a method for preventing point-to-point protocol (PPP) authentication attacks in a broadband access network.
Background technology
Today's broadband access network is an operable and manageable network. Its operability and manageability rest on user authentication and authorization technology, and broadband access networks usually adopt the PPP (point-to-point protocol) authentication mechanism. PPP recommends that a user go through three phases to come online: the link-layer negotiation phase, the authentication phase and the network-layer negotiation phase. When a user reaches the authentication phase, messages carrying authentication information are exchanged between the user and the BRAS (Broadband Remote Access Server); the BRAS can either complete the user's authentication locally or send the authentication information to an authentication server via RADIUS (Remote Authentication Dial In User Service) so that the server authenticates and authorizes the user. Only after passing authentication can the user access the pre-configured external network resources within the scope of its authorization. The networking model in which authentication and authorization are completed on an authentication server is generally adopted.
Fig. 1 is a schematic diagram of the broadband access networking model. PPPoE (PPP over Ethernet) and PPPoA (PPP over AAL5, ATM Adaptation Layer 5) are the PPP derivative technologies commonly used in broadband access today. Running PPP over an Ethernet network to authenticate user access is called PPPoE; running PPP over an ATM (asynchronous transfer mode) network to manage user authentication is called PPPoA. PPPoA and PPPoE are identical in principle and effect; the main difference is the link layer that carries the PPP messages.
During operation of a broadband network it frequently happens that some PPPoE or PPPoA access users improperly use PPP authentication messages to attack the network: the user requests authentication with a wrong username and password and, after the request is rejected, keeps requesting authentication without stopping. In actual use some users reach 1,000,000 dial attempts per day.
If many such dial-attempting users exist in the network, the performance of the BRAS device becomes unstable. If authentication is performed on an authentication server, the server's resources are consumed, normal users cannot come online, and even the accuracy of charging may be affected.
The situation in which a user frequently sends wrong PPP authentication messages to the BRAS and the authentication server, consuming network resources, is called a PPP authentication attack, and such a user is called an authentication attacking user. PPP authentication attacks have many causes: for example, the subscriber is in arrears and the operator has configured the authentication server to forbid the user from coming online, but the customer premises equipment keeps trying; a malicious user deliberately sends authentication messages to attack the network; or a malicious user deliberately sends authentication messages in an attempt to steal a valid username and password.
Because PPP authentication attacks occur frequently in broadband access networks and have seriously affected normal network operation in some regions, effective means must be taken to suppress their impact on the network. At present it is only possible to count, on the authentication server, the number of authentication failures of a known username; if a user's authentication failure rate is abnormal, the user is notified to disconnect the dialing equipment (such as a modem or PC) from the network so as to stop the authentication attack.
The shortcomings of the prior art are:
1. The operator cannot actively prevent authentication attacks. After a malicious attack is found, if the user does not voluntarily disconnect from the network, the attack continues.
2. The authentication attacking user cannot be located effectively. When an authentication attack is launched, the user identification carried in the authentication messages (such as the username) may be forged and may change frequently, so the authentication server cannot effectively count authentication failures and therefore cannot determine who the attacking user is.
3. Manual intervention is needed. Once the attacking user has been located, operator staff must contact the user to have the attack stopped, which consumes considerable manpower.
Summary of the invention
The technical problem solved by the invention is to overcome the deficiency of the prior art that there is no effective means to suppress PPP authentication attacks, and to provide a method for preventing PPP authentication attacks in a broadband access network that can automatically identify PPP authentication attacking users and filter attack messages, thereby preventing illegal login processes from using authentication messages to attack BRAS devices and the authentication server.
The technical solution adopted by the invention to solve the above technical problem is as follows:
The method for preventing PPP authentication attacks in a broadband access network comprises the following steps:
A. choosing information that can uniquely identify a PPP user as that user's unique identification information;
B. setting up an authentication failure tracking database in the broadband remote access server; after a user authentication failure, the BRAS adds the user's unique identification information to the database; a duration for tracking users who fail authentication, and a threshold, are configured on the BRAS; if, within the configured tracking duration, the number of authentication failures of the user reaches the threshold, the user corresponding to that unique identification information is regarded as an illegal attacking user;
C. for the illegal attacking user, printing alarm information to notify the administrator, or filtering the attacking user's messages, so as to suppress the illegal attack.
In step A, for a dial-up user transmitting PPP messages over Ethernet, the Ethernet media access control (MAC) address that the dialing equipment sends to the BRAS may be chosen as the user's unique identification information. For a user transmitting PPP messages over ATM Adaptation Layer 5, the permanent virtual connection (PVC) information by which the dialing equipment accesses the BRAS may be chosen as the user's unique identification information.
In step B, if the user's information is not present in the authentication failure tracking database, a new data entry is created; if the user's information already exists in the database, the accumulated number of authentication failures for that user is increased.
A timer is started in the authentication failure tracking database to track the user; the timer's trigger time is the configured tracking duration.
If a user's timer in the authentication failure tracking database fires, the user's accumulated failure count is taken out and compared with the preset threshold; if it is greater than the threshold, the user is regarded as an attacking user; if it is less than the threshold, the user's information is deleted from the tracking database.
When filtering in step C, for a dial-up user transmitting PPP messages over Ethernet, a MAC address filter table is added to the BRAS and the MAC address of the dialing equipment identified as an authentication attacking user is added to this table; for each received Ethernet message, the BRAS compares the source MAC address with the addresses in the filter table and drops the packet if they match. For an authentication attacking user transmitting PPP messages over ATM Adaptation Layer 5, a packet-drop flag is set on the PVC by which the user accesses the BRAS, and the BRAS drops all messages received from that PVC.
Step C further comprises: configuring a disable duration on the BRAS; when a user is identified as an attacking user, a timer whose trigger time is the disable duration is started; during the disable duration all messages sent by the user are dropped by the BRAS; when the timer fires, filtering of the user's messages stops so that the user can perform dial-up authentication again.
An authentication attacking user can be unbanned by entering a command on the BRAS: for a user transmitting PPP messages over Ethernet, the user's MAC address is deleted from the MAC address filter table; for a user transmitting PPP messages over ATM Adaptation Layer 5, the packet-drop flag bit of the PVC entry corresponding to the user is cleared, so that the user can dial again.
The alarm information comprises the user's unique identification information and the access interface information used to locate the user's position on the operator side.
The beneficial effects of the invention are as follows. The invention overcomes the deficiencies of the prior art, namely that authentication attacks cannot be actively prevented, the attacking user cannot be effectively located, and manual intervention is needed. It provides a method for preventing PPP authentication attacks in a broadband access network that automatically identifies PPP authentication attacking users and then either prints alarm information to notify the administrator or filters the attacking user's messages, thereby suppressing the illegal attack and preventing illegal login processes from using authentication messages to attack BRAS devices and the authentication server.
The invention can accurately identify authentication attacking users according to the configuration. For PPPoE users it provides the interface information by which the user accesses the BRAS together with the MAC address of the attacking equipment, and for PPPoA users the ATM line information by which the user accesses the BRAS, which helps to locate the user's exact position. By configuring an authentication failure tracking duration and a failure threshold, the invention automatically identifies PPP authentication attacking users, and it filters authentication attack messages by means of a MAC address filter table and a PVC packet-drop flag bit. Because the attacking user's messages are dropped at the access side of the BRAS, message forwarding for users on the BRAS's other interfaces is unaffected, and illegal authentication messages are prevented from reaching, and attacking, the authentication server.
The invention also provides flexible management means, such as enabling or disabling authentication attack protection, automatic identification of attacking users, alarm printing, and automatic or manual release of an attacking user's ban, so that the scheme can adapt to various maintenance needs.
Description of drawings
Fig. 1 is a schematic diagram of the broadband access networking model;
Fig. 2 is a structural diagram of the PPP authentication attack protection system of the invention.
Embodiment
The invention is described in further detail below with reference to the accompanying drawings and embodiments.
The invention provides a method for preventing PPP authentication attacks on a BRAS (Broadband Remote Access Server) device: it automatically identifies PPP authentication attacking users according to configured decision conditions and filters attack messages, thereby preventing illegal login processes from using authentication messages to attack BRAS devices and the authentication server.
The invention is a combined software and hardware scheme implemented entirely on the BRAS. Fig. 2 is a structural diagram of the PPP authentication attack protection system. An authentication attack protection software module, an authentication failure tracking database and an attack-disabled user table are added on the BRAS device; a MAC address filter table is added to the access-side hardware; and an attribute bit, the packet-drop flag bit, is added to the PVC table, so that when this bit is 1 the corresponding messages are dropped by policy. The invention achieves the function of preventing authentication attacks through the cooperation of the PPP module, PPPoA module, PPPoE module, AAA module, hardware forwarding module, alarm module and authentication attack protection module, where:
The AAA module interacts with the authentication server to complete user authentication and authorization.
The PPP module handles the PPP protocol.
The PPPoE module handles the PPPoE protocol. In the invention, the PPPoE module also reports the interface information and Ethernet MAC address of a user coming online to the PPP module.
The PPPoA module handles the PPPoA protocol. In the invention, the PPPoA module also reports the PVC (permanent virtual connection) information of a user coming online to the PPP module.
The alarm module outputs alarm information and writes the alarm log.
The authentication attack protection module identifies authentication attacking users and, by setting hardware table entries, achieves filtering of the authentication attacking users' messages.
The hardware forwarding module forwards the messages received by the BRAS.
For PPP authentication attacks, two main problems need to be solved:
1. How to identify a user performing an illegal authentication attack;
2. Once an authentication attacking user is identified, how to provide effective means to suppress the illegal attack.
These are described separately below.
One. How to identify a user performing an illegal authentication attack
The invention provides a method for automatically identifying illegal authentication attacks on the BRAS.
1. How to uniquely identify a PPP user
To identify an authentication attacking user, some information is first needed that uniquely identifies a user. At present a dial-up user is generally identified by username, but during an authentication attack an illegal user keeps changing the username while attempting the attack. To identify the physical equipment performing the attack, information that the user cannot easily change by configuration must be chosen.
The PPP access users on today's BRAS are mainly PPPoE and PPPoA users. For a PPPoE dial-up user, the Ethernet MAC address that the dialing equipment sends to the BRAS can be chosen to identify the user; for a PPPoA user, the PVC information by which the dialing equipment accesses the BRAS can be chosen to identify the user.
2. How to recognize that a PPP user is an authentication attacking user
A PPP user is defined as an illegal authentication attacking user on the basis of the following two features:
1) the user sends authentication messages frequently within a period of time;
2) the authentication information contained in the authentication messages cannot pass authentication.
Given these features, and considering limitations of the BRAS such as memory and processing capacity, a tracking mechanism triggered by a statistical threshold is adopted to identify attacking users.
First, according to the specific authentication attack situation at each site, and taking into account mistakes by normal users, a duration interval for tracking users who fail authentication is configured on the BRAS; at the same time a threshold value is configured. If, within the configured tracking duration, the number of authentication failures of a user reaches the threshold, the PPP user is regarded as an illegal attacking user. The detailed process is as follows:
1) The AAA module notifies the PPP module of a user authentication failure; the PPP module passes the user's unique identification information (PPPoE: MAC address; PPPoA: PVC information) to the authentication attack protection module, which adds it to the authentication failure tracking database. If the database holds no information for this user, this is the user's first authentication failure: a new data entry is created and a timer is started to track the user, the timer's trigger time being the configured tracking duration. If the user's information already exists in the database, the user's accumulated failure count is incremented.
2) When a user's tracking timer in the authentication failure tracking database fires, the authentication attack protection module takes the user's accumulated failure count and compares it with the preset threshold. If it is greater than the threshold, the user is regarded as an attacking user: the protection module adds the user's information to the attack-disabled information table, passes the information to the alarm module to print an alarm, and then deletes it from the authentication failure tracking database; afterwards, for a PPPoE user the user's MAC address is added to the MAC address filter table, and for a PPPoA user the packet-drop flag bit of the corresponding PVC entry is set. If the count is less than the threshold, the user's information is deleted from the tracking database. Users below the threshold are not tracked further for several reasons: first, the user may have forgotten the password and, on discovering the mistake within the tracking duration, will actively disconnect; second, the BRAS is a forwarding device with limited resources and cannot track all failing users in the long term.
For example, suppose the tracking duration interval is set to 30 s and the threshold value to 90. If a PPP user then fails 95 times within 30 s, that user is judged to be an authentication attacking user.
Two. Method for suppressing illegal attacks
Once an authentication attacking user has been identified, the invention provides two measures to suppress the attack:
1. Printing alarm information to notify the administrator to intervene.
When the authentication attack protection module recognizes an authentication attacking user, it notifies the alarm module of the user's information; the alarm module prints the alarm on the console and writes the alarm log. From the alarm information the administrator can determine the user's specific access location. The alarm information comprises the user identification information and the access interface information used to locate the user on the operator side. For a PPPoE user it comprises the Ethernet MAC address of the dialing equipment, the interface name through which the user accesses the BRAS (e.g. fast-ethernet10/0/0), and the VLAN ID (for PPPoEoVLAN users). For a PPPoA user it comprises the interface name through which the dialing equipment accesses the BRAS (e.g. atm12/0/0), the VPI and the VCI; this information helps locate the attacking user's specific position. Alarm information can be written to the log and retained for a long time.
2. Filtering the attacking user's messages in the forwarding hardware of the access side.
Dropping the messages sent by the attacking user at the access side effectively protects the forwarding resources of the BRAS and the resources of the RADIUS server.
For PPPoE users, a MAC address filter table is added to the access-side hardware, and the MAC address of dialing equipment identified as an authentication attacking user can be added to this table. For every received Ethernet message, the hardware forwarding module compares the source MAC address with the addresses in the MAC address filter table and drops the packet if they match.
For PPPoA users, the packet-drop flag is set at the hardware level on the PVC by which the authentication attacking user accesses the BRAS. The hardware forwarding module drops every message received from that PVC, i.e. all messages the attacking user sends to the BRAS are dropped.
In addition to the main functions above, for ease of use the invention also provides the following functions:
1. Enabling and disabling the authentication attack protection function.
When PPP authentication attack protection is enabled, in the PPPoE access case every message entering the BRAS at the access side is compared with the addresses in the MAC address filter table, which reduces forwarding performance somewhat. Therefore, at sites where PPP authentication attacks rarely occur, or where forwarding efficiency requirements are high, PPP authentication attack protection can be disabled to avoid the MAC address comparison.
2. Setting the duration for which an authentication attacking user's messages are filtered.
If a user who has once been identified as an attacking user must always be unbanned manually, then at sites with many attacking users, and especially where the attacks are caused by subscribers in arrears, the administrator's workload would be very large. For this situation, and from the standpoint of protecting the BRAS and the RADIUS server, a disable duration can be configured on the BRAS; when a user is identified as an attacking user, a timer whose trigger time is the disable duration is started. During the disable duration, all messages sent by the user are dropped by the BRAS. When the timer fires, the user's information is deleted from the attack-disabled user table and, for a PPPoE user, the MAC address is deleted from the MAC address filter table; for a PPPoA user, the packet-drop flag bit of the corresponding PVC entry is cleared, so that the user can perform dial-up authentication again.
3. Manually unbanning a user identified as an authentication attacker.
In special circumstances the administrator needs to unban a user before the disable timer fires. The invention provides a command on the BRAS with which the administrator deletes the specified user's information from the attack-disabled user table; at the same time, for a PPPoE user the MAC address is deleted from the MAC address filter table, and for a PPPoA user the packet-drop flag bit of the corresponding PVC entry is cleared, so that the user can dial again. The user information specified is:
PPPoE user: slot number and sub-slot number of the access board, and MAC address.
PPPoA user: access interface name, VPI and VCI.
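The whole procedure described above (device identity as the tracking key, tracking timer and threshold, access-side filter tables, timed and manual release) is simulated below as an added example. This is not the patent's or Huawei's code; the class and function names, the 60 s disable duration and the sample users are assumptions made for the example, and time is passed in explicitly so the timers can be exercised without waiting.

```python
# Added example (not the patent's or Huawei's code): a simulation of the BRAS
# scheme described above; all names here are assumptions made for this example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple, Union

@dataclass(frozen=True)
class PPPoEUser:              # step A, PPPoE: identity is the device MAC
    mac: str
    interface: str            # access interface, e.g. "fast-ethernet10/0/0"
    vlan: Optional[int] = None

@dataclass(frozen=True)
class PPPoAUser:              # step A, PPPoA: identity is the PVC
    interface: str            # e.g. "atm12/0/0"
    vpi: int
    vci: int

UserId = Union[PPPoEUser, PPPoAUser]

class AuthAttackProtection:
    """Protection module plus the hardware tables it programs.  Time is
    passed in explicitly (seconds) so the example runs deterministically."""

    def __init__(self, tracking_duration: float, threshold: int,
                 disable_duration: float) -> None:
        self.tracking_duration = tracking_duration
        self.threshold = threshold
        self.disable_duration = disable_duration
        # authentication failure tracking database: uid -> [timer expiry, count]
        self.tracking: Dict[UserId, List[float]] = {}
        # attack-disabled user table: uid -> disable timer expiry
        self.disabled: Dict[UserId, float] = {}
        # access-side hardware: MAC filter table and PVC packet-drop flag bits
        self.mac_filter: Set[str] = set()
        self.pvc_drop_flag: Set[Tuple[str, int, int]] = set()
        self.alarms: List[str] = []

    def auth_failure(self, uid: UserId, now: float) -> None:
        """Step B, process 1): AAA reports an authentication failure."""
        entry = self.tracking.get(uid)
        if entry is None:   # first failure: new entry, timer = tracking duration
            self.tracking[uid] = [now + self.tracking_duration, 1]
        else:
            entry[1] += 1

    def tick(self, now: float) -> None:
        """Fire every tracking timer and disable timer that has expired."""
        for uid, (expiry, count) in list(self.tracking.items()):
            if now >= expiry:
                del self.tracking[uid]      # tracking stops either way
                # the claims say the count "reaches" the threshold, and the
                # text's example (threshold 90, 95 failures) fits >=
                if count >= self.threshold:
                    self._disable(uid, now)
        for uid, expiry in list(self.disabled.items()):
            if now >= expiry:
                self.unban(uid)             # automatic release

    def _disable(self, uid: UserId, now: float) -> None:
        """Step C: raise the alarm, then program the access-side filter."""
        self.disabled[uid] = now + self.disable_duration
        if isinstance(uid, PPPoEUser):
            self.mac_filter.add(uid.mac)
            where = f"{uid.interface} vlan={uid.vlan} mac={uid.mac}"
        else:
            self.pvc_drop_flag.add((uid.interface, uid.vpi, uid.vci))
            where = f"{uid.interface} vpi={uid.vpi} vci={uid.vci}"
        self.alarms.append(f"PPP authentication attack user: {where}")

    def unban(self, uid: UserId) -> bool:
        """Release by disable timer or operator command; False if not banned."""
        if uid not in self.disabled:
            return False
        del self.disabled[uid]
        if isinstance(uid, PPPoEUser):
            self.mac_filter.discard(uid.mac)
        else:
            self.pvc_drop_flag.discard((uid.interface, uid.vpi, uid.vci))
        return True

    def forwards(self, uid: UserId) -> bool:
        """Hardware decision: source MAC vs. filter table, or PVC drop flag."""
        if isinstance(uid, PPPoEUser):
            return uid.mac not in self.mac_filter
        return (uid.interface, uid.vpi, uid.vci) not in self.pvc_drop_flag

def demo() -> dict:
    """Constructed scenario: the text's 30 s / 90 figures, 60 s disable."""
    bras = AuthAttackProtection(tracking_duration=30, threshold=90,
                                disable_duration=60)
    attacker = PPPoEUser("00:11:22:33:44:55", "fast-ethernet10/0/0", 100)
    typo = PPPoAUser("atm12/0/0", 0, 35)    # mistyped password, 3 attempts
    for i in range(95):                     # 95 failures inside 30 s
        bras.auth_failure(attacker, now=i * 0.3)
    for i in range(3):
        bras.auth_failure(typo, now=i * 2.0)
    bras.tick(now=30)                       # both tracking timers fire
    result = {"attacker_filtered": not bras.forwards(attacker),
              "typo_filtered": not bras.forwards(typo),
              "alarms": len(bras.alarms)}
    bras.tick(now=90)                       # 60 s disable timer fires
    result["attacker_released"] = bras.forwards(attacker)
    return result
```

Calling `unban()` directly plays the role of the operator's manual release command; `tick()` plays the role of the timers.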
In summary, the invention overcomes the deficiencies of the prior art, namely that authentication attacks cannot be actively prevented, the attacking user cannot be effectively located, and manual intervention is needed, and provides a method for preventing PPP authentication attacks in a broadband access network that automatically identifies PPP authentication attacking users and filters attack messages, preventing illegal login processes from using authentication messages to attack BRAS devices and the authentication server.
Those skilled in the art can implement the invention with various variations without departing from its essence and spirit. The above is merely a preferred feasible embodiment of the invention and does not limit its scope; all equivalent structural changes made using the content of the specification and drawings of the invention are included within its scope.

Claims (11)

1. A method for preventing point-to-point protocol authentication attacks in a broadband access network, characterized in that it comprises the following steps:
A. choosing information that can uniquely identify a point-to-point protocol user as that user's unique identification information;
B. setting up an authentication failure tracking database in the broadband remote access server; after a user authentication failure, the broadband remote access server adds the user's unique identification information to the authentication failure tracking database; a duration for tracking users who fail authentication, and a threshold, are configured on the broadband remote access server; if, within the configured tracking duration, the number of authentication failures of the user reaches the threshold, the user corresponding to that unique identification information is regarded as an illegal attacking user;
C. for the illegal attacking user, printing alarm information to notify the administrator, or filtering the attacking user's messages, so as to suppress the illegal attack.
2. The method for preventing point-to-point protocol authentication attacks in a broadband access network according to claim 1, characterized in that in step A, for a dial-up user transmitting point-to-point protocol messages over Ethernet, the Ethernet media access control address that the dialing equipment sends to the broadband remote access server is chosen as the user's unique identification information.
3. The method for preventing point-to-point protocol authentication attacks in a broadband access network according to claim 1, characterized in that in step A, for a user transmitting point-to-point protocol messages over asynchronous transfer mode adaptation layer 5, the permanent virtual connection information by which the dialing equipment accesses the broadband remote access server is chosen as the user's unique identification information.
4. The method for preventing point-to-point protocol authentication attacks in a broadband access network according to claim 1, 2 or 3, characterized in that in step B, if the user's information is not present in the authentication failure tracking database, a new data entry is created, and if the user's information already exists in the authentication failure tracking database, the accumulated number of authentication failures of the user is increased.
5. The method for preventing point-to-point protocol authentication attacks in a broadband access network according to claim 4, characterized in that a timer is started in the authentication failure tracking database to track the user, the trigger time of the timer being the configured tracking duration.
6. The method for preventing point-to-point protocol authentication attacks in a broadband access network according to claim 5, characterized in that if a user's timer in the authentication failure tracking database fires, the user's accumulated failure count is taken out and compared with the preset threshold; if it is greater than the threshold, the user is regarded as an attacking user; if it is less than the threshold, the user's information is deleted from the authentication failure tracking database.
7. The method for preventing point-to-point protocol authentication attacks in a broadband access network according to claim 6, characterized in that when filtering in step C, for a dial-up user transmitting point-to-point protocol messages over Ethernet, a media access control address filter table is added to the broadband remote access server and the media access control address of the dialing equipment identified as an authentication attacking user is added to this table; for each received Ethernet message, the broadband remote access server compares the source media access control address with the addresses in the filter table and drops the packet if they match.
8. The method for preventing point-to-point protocol authentication attacks in a broadband access network according to claim 6, characterized in that when filtering in step C, for an authentication attacking user transmitting point-to-point protocol messages over asynchronous transfer mode adaptation layer 5, a packet-drop flag is set on the permanent virtual connection by which the user accesses the broadband remote access server, and the broadband remote access server drops all messages received from that permanent virtual connection.
9. prevent the implementation method that point-to point protocol recognization is attacked in the broadband access network according to claim 6, it is characterized in that: described step C comprises step: the forbidding duration is set on Broadband Remote Access Server, when the user is identified as the attack user, starting a triggered time is the timer of forbidding duration, in the forbidding duration, all messages that this user sends are abandoned by Broadband Remote Access Server, when timer triggers, then stop filtration, make the user can carry out dialing authentication once more user's message.
10. prevent the implementation method that point-to point protocol recognization is attacked in the broadband access network according to claim 9, it is characterized in that: on Broadband Remote Access Server, attack the user for authentication and lift a ban by input command, for the user who transmits the peer-peer protocol message on the Ethernet, delete this user's media access control address from the media access control address filter table, perhaps, to transmitting the user of peer-peer protocol message on asynchronous transfer mode the 5th adaptation layer, the Permanent Virtual Path of removing this user's correspondence connects list item dropping packets flag bit, thereby this user can be dialled again.
11. prevent the implementation method that point-to point protocol recognization is attacked in the broadband access network according to claim 6, it is characterized in that: the access interface information that described warning information comprises user's unique identification information and is used for the consumer positioning office direction.
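The tracking-database, timer, filter-table and unban logic of claims 1 to 11, as an added Python simulation that is not part of the patent or of any vendor's BRAS code: the identifiers, port names, timings and frame dictionaries are constructed, and the clock is a number supplied by the caller.

```python
from dataclasses import dataclass

@dataclass
class FailureRecord:
    count: int             # cumulative authentication failures (claim 4)
    timer_fires_at: float  # tracking timer started on the first failure (claim 5)
    access_port: str       # interface info for locating the user in the alarm (claim 11)

def identify(frame: dict) -> str:
    """Claims 2/3: dialing-device MAC for PPP over Ethernet, PVC (VPI/VCI) for PPP over AAL5."""
    if frame["link"] == "ethernet":
        return "mac:" + frame["src_mac"].lower()
    return "pvc:%d/%d" % (frame["vpi"], frame["vci"])

class AuthFailureTracker:
    def __init__(self, threshold: int, track_duration: float, ban_duration: float):
        self.threshold, self.track_duration, self.ban_duration = threshold, track_duration, ban_duration
        self.failures: dict = {}      # uid -> FailureRecord: the authentication-failure tracking database
        self.filter_table: dict = {}  # uid -> time its disable timer fires (MAC filter table / PVC drop flag)
        self.alarms: list = []        # alarm records printed for the administrator (claim 11)

    def record_failure(self, uid: str, now: float, access_port: str) -> None:
        rec = self.failures.get(uid)
        if rec is None:  # first failure: create the entry and start the tracking timer
            self.failures[uid] = FailureRecord(1, now + self.track_duration, access_port)
        else:            # existing entry: increase the cumulative count
            rec.count += 1

    def expire_timers(self, now: float) -> list:
        """Claim 6: when a tracking timer fires, compare the count with the threshold; returns new attack users."""
        banned = []
        for uid, rec in [(u, r) for u, r in self.failures.items() if now >= r.timer_fires_at]:
            if rec.count >= self.threshold:  # claim 1: failures 'reach' the threshold
                self.filter_table[uid] = now + self.ban_duration  # claim 9: start the disable timer
                self.alarms.append({"user": uid, "port": rec.access_port, "failures": rec.count})
                banned.append(uid)
            del self.failures[uid]  # either way the entry leaves the tracking database
        return banned

    def should_drop(self, frame: dict, now: float) -> bool:
        """Claims 7-9: drop every frame from a banned identifier until its disable timer fires."""
        uid = identify(frame)
        if uid in self.filter_table and now < self.filter_table[uid]:
            return True
        self.filter_table.pop(uid, None)  # timer fired (or never banned): the user may dial again
        return False

    def lift_ban(self, uid: str) -> bool:
        """Claim 10: operator command deletes the MAC filter entry / clears the PVC drop flag."""
        return self.filter_table.pop(uid, None) is not None
```

A real BRAS would drive `expire_timers` from its timer wheel and `should_drop` from the data plane; here both take the current time explicitly so the sequence can be replayed.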
Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005100330356A CN100388684C (en) 2005-01-26 2005-01-26 Realizing method for preventing point-to point protocol recognization from being attacked in wideband cut-in network

Publications (2)

Publication Number Publication Date
CN1812340A CN1812340A (en) 2006-08-02
CN100388684C true CN100388684C (en) 2008-05-14

Family

ID=36845046

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005100330356A Expired - Fee Related CN100388684C (en) 2005-01-26 2005-01-26 Realizing method for preventing point-to point protocol recognization from being attacked in wideband cut-in network

Country Status (1)

Country Link
CN (1) CN100388684C (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101068181B (en) * 2007-06-27 2010-08-04 中兴通讯股份有限公司 Wideband switch-in business protecting method
CN102185871A (en) * 2011-06-09 2011-09-14 杭州华三通信技术有限公司 Method and equipment for processing messages
CN108667853B (en) * 2013-11-22 2021-06-01 华为技术有限公司 Malicious attack detection method and device
CN103763144B (en) * 2014-01-26 2017-04-05 杭州华三通信技术有限公司 A kind of user continues to pay dues the method and apparatus reached the standard grade
CN105516987A (en) * 2014-09-25 2016-04-20 中兴通讯股份有限公司 Malicious attack detection method and terminal
CN104601560A (en) * 2014-12-31 2015-05-06 北京华为朗新科技有限公司 Broadband access device and user authentication method
CN104852974B (en) 2015-04-29 2018-10-02 华为技术有限公司 A kind of message processing method and relevant device in PPPoE verification process
CN105142146B (en) * 2015-09-24 2021-01-08 台州市吉吉知识产权运营有限公司 Authentication method, device and system for WIFI hotspot access
CN108270601B (en) * 2016-12-30 2023-04-25 中兴通讯股份有限公司 Mobile terminal, alarm information acquisition method and device and alarm information sending method and device
CN111756559B (en) * 2019-03-26 2021-10-15 华为技术有限公司 Method and device for acquiring tracking information
CN112600908A (en) * 2020-12-07 2021-04-02 南京指掌易信息科技有限公司 Method, device, equipment and storage medium for acquiring communication link

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1494291A (en) * 2002-11-02 2004-05-05 深圳市中兴通讯股份有限公司 Method of preventing reject service attack using ether net point to point protocol

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
中兴BRAS--网络安全的屏障. 梁冰,甘久斌.世界电信,第No.9期. 2004

Also Published As

Publication number Publication date
CN1812340A (en) 2006-08-02

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080514

Termination date: 20150126

EXPY Termination of patent right or utility model