CN100428688C - Protective method for network attack - Google Patents

Publication number
CN100428688C
Authority
CN
China
Application number
CNB2005100752536A
Other languages
Chinese (zh)
Other versions
CN1878082A (en)
Inventor
杨孙永
Current Assignee
New H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd

Abstract

The present invention provides a method for protecting against network attacks, applied in a network device having a CPU. The method inspects the messages received on the device's ports. When an exception message is found, a message template is built and an ACL rule is set on the port; a sampling mechanism is then started that samples the features of the messages the port receives and compares them with the stored message template. When it is found that exception messages are no longer present, the ACL rule that was set is cancelled. With the method provided by the present invention, the characteristics of hardware and the flexible control of software can be fully exploited, and the shortcomings of preventing attacks with a hardware-only or a software-only approach are better resolved.

Description

Method of defence against network attacks
Technical field
The present invention relates to a method of defence against network attacks, and in particular to a method of protecting a network device having a CPU against network attacks.
Background technology
Attacks on networks are now increasingly frequent, and they cause more and more problems for some network devices, such as low-end switch products, in network use. To strengthen the attack resistance of network devices, in particular low-end Ethernet switch products, and to give them stronger network adaptability, the anti-attack performance of the network device must be further enhanced.
Network attacks fall mainly into several types: traffic attacks on the network device's CPU, attacks on network protocols, attacks on the device's table entries, and other attacks. The attacks most common on networks today are DoS attacks, scanning and probing attacks, protocol message attacks and the like. All of these manifest as a large number of messages hitting the CPU within a short time. Because the processing capacity of the CPU is limited, this affects the reception of other protocol and data messages, and at the same time affects the connectivity of the network, the continuity of services and manageability. Strengthening the protection of the CPU is therefore of great significance for improving the stability of network devices, and of switch products in particular.
Existing methods for protecting the CPU against attacks fall mainly into two types: hardware protection and software protection. The hardware protection method generally sets hardware access control list (ACL, Access Control List) rules in advance to filter messages. The software protection method generally installs dedicated software in the network device that limits the message rate, filtering the messages the device receives and thereby resisting attacks on the CPU.
In the method of setting ACL rules in advance in hardware, taking a switch as an example, the ACL rules occupy hardware resources even while the switch is operating normally. The method also lacks the ability to analyse and defend against CPU attacks automatically: the chip cannot be configured automatically, or can only be configured under user intervention, so the chip cannot respond to attack messages in time.
The method of limiting the message rate in software requires software to analyse message features and rate-limit messages that exceed the rate. However, when a large-volume message attack is under way, this method has to analyse every message the CPU receives, which consumes considerable CPU resources. Moreover, the attack messages still occupy bandwidth in the hardware queue of the port's regular traffic, so other service messages that share a hardware receive queue with the attack messages cannot be prevented from being flooded out by them, and the efficiency of the software analysis is low.
Summary of the invention
The technical problem to be solved by the invention is to provide a method of defence against network attacks that overcomes the defects of the prior-art methods described above, which rely solely on hardware ACL rules or solely on software message-rate limiting to protect against network attacks.
To this end, the invention provides a method of defence against network attacks, applied in a network device having a CPU, comprising the following steps:
(1) for an exception message received on a port of the network device, extract the exception message feature and store it;
(2) set an access control list (ACL) rule on the corresponding port according to the exception message feature, which forbids the port only from forwarding messages having the exception message feature;
(3) start a sampling task on the port on which the ACL rule has been set, sample the messages the port receives during the sampling period, and extract the message features of the received messages;
(4) compare the message features obtained by sampling the received messages with the stored exception message feature;
(5) if the message features obtained by sampling do not match the stored exception message feature, cancel the ACL rule that was set and allow the port to receive the messages.
The sampling in step (3) is implemented with a device having the sFlow flow-sampling function; the specific implementation is:
(33) use a switching chip with an sFlow sampling function in the network device;
(34) provide a sampling task module in the network device, which calls the sFlow driver of the switching chip to carry out the sampling.
In addition, before step (1) the method comprises: detecting whether a message received on the port is an exception message; if it is, execute step (1), otherwise do nothing.
The exception message is a message whose reception rate at the network device exceeds a predetermined value.
In addition, the exception message feature is stored in the form of a message template, and building the message template comprises the following steps:
Detection points for the exception message feature are set in advance on the port of the network device. For each received exception message, the statistical count corresponding to the characteristic value of each detection point is incremented by 1. The characteristic values of the detection points serve as the message features, and the total number of messages having the same characteristic value is counted. If the total number of messages with the same characteristic value under a detection point exceeds a reserved threshold, the characteristic value under that detection point is extracted as the message template and stored as a global variable.
The exception message template also has an exception message template counter, and step (5) further comprises: if the message feature obtained by sampling matches the exception message feature in the message template, increment the exception message template counter.
In addition, the method also comprises the following steps:
a) when the sampling period ends, if the exception message template counter value is greater than the default value, clear the message template counter and go to step d);
b) if the exception message template counter value is less than the default value, clear the exception message template counter and remove the corresponding exception message template;
c) cancel the ACL rule that was set according to this exception message feature;
d) judge whether the port has any other exception message template; if so, return to step (1), otherwise cancel the sampling task.
More generally, another aspect of the invention provides a method of defence against network attacks, to solve the problem that traffic attacks on the CPU of a network device are difficult to protect against well; the method comprises the following steps:
(1) detect whether the messages received on a port of the network device are abnormal;
(2) forbid forwarding of the detected exception messages, and start a sampling task on the messages received by the port;
(3) judge whether the number of exception messages among the sampled messages is less than a predetermined value;
(4) if the result of step (3) is yes, cancel the forwarding prohibition; if the result is no, keep the forwarding prohibition.
The sampling task of step (2) samples messages with a variable sampling ratio, and the sampling ratio is inversely proportional to the message rate currently received by the port.
The network device defines an exception message as a message whose rate exceeds a certain value.
The invention makes full use of the characteristics of hardware and the flexible control of software: hardware settings, such as the setting and cancellation of ACL rules, are combined with software control, such as the application of the sFlow (Flow Sampling) sampling technique. Under the detection and analysis of software, ACL rules are set on the chip automatically to filter messages, and the sampling technique is used to analyse exception messages, such as over-rate attack messages, and to judge when the attack has ended. When the attack ends, the port's function is restored by cancelling the ACL rules that were set, which achieves the purpose of protecting the CPU against attack. The invention thus combines the hardware and software methods of protecting the CPU of a network device, and draws on the advantages of both.
While combining the advantages of the software and hardware approaches above, the invention also overcomes the defects, mentioned in the background, of using either software or hardware alone to prevent network attacks. Dynamically setting and deleting hardware ACL rules to filter attack messages, as the invention does, avoids service messages being drowned out by too many messages in the same hardware queue, and the ACL rules can be cancelled while the network device (such as a switch) is working normally, saving ACL hardware resources. At the same time, the software part of the invention, in particular using the sFlow sampling technique to sample messages for software analysis, both reduces the message load on the CPU and analyses attack messages automatically, improving the speed of response to attack messages.
Description of drawings
Fig. 1 is a flow chart of one embodiment of the invention.
Embodiment
The core idea of the invention is to make full use of the characteristics of hardware and the flexible control of software: ACL rules that filter messages are set on the chip automatically under the analysis of software, and exception messages are analysed with the sampling technique to judge when the attack has ended. When the attack ends, the port's function is restored by cancelling the ACL rules that were issued, which achieves the purpose of protecting the CPU against attack.
Specifically, the packet receiving module in the low-level driver of the network device inspects the received messages. If exception messages are received, for example a large volume of messages is detected on some port within a short time, the port can be considered to be under message attack. An alarm is then sent to prompt the user, and at the same time message features are extracted from the messages received on the attacked port and a message template of the exception message is built. An ACL rule is set on the attacked port according to the message features, to restrict normal processing, such as reception and forwarding, of messages whose feature values match the exception message template; the port can still forward and otherwise process normally messages that do not have the exception message feature.
For a port on which an ACL rule has been set, a sampling mechanism is started that samples the port at regular intervals and compares the message features obtained by sampling with the message features stored in the message template. The sampling function of the invention can sample the exception messages restricted by the ACL rule, and the sampled messages can be placed in a separate hardware queue, so that the normal reception of messages in the other hardware queues is not affected. Because a sampling mechanism is used, excessive CPU resources are not consumed, and the CPU's normal processing of other messages is guaranteed.
After repeated sampling, if no sampled message matches the exception message feature stored in the message template, or the number of such messages is negligible, the port received no exception messages during the sampling period and is not under attack, so the ACL rule originally set is cancelled and the port's function is restored. If the features of the sampled messages match the exception message feature in the message template, the port is still receiving exception messages, so the ACL rule cannot be cancelled and the port should stay in the protected state.
A specific embodiment is now set out with reference to Fig. 1 to describe the invention further. Note that in this embodiment the sampling function is described taking the sFlow technique as the example. This technique defines a mechanism for monitoring networks of switches or routers and comprises three parts: the sFlow Agent, the sFlow MIB and the sFlow Analyzer (also called the DCC). The sFlow Agent samples the monitored network, extracts traffic statistics from the monitored device, and can be set to collect one message every so many messages; the sFlow MIB controls the sFlow Agent; the sFlow Agent transmits the sampled data in a standard format to the sFlow Analyzer, i.e. the DCC; and the sFlow Analyzer analyses the transmitted data. The sFlow technique is described in detail in RFC 3176 and is not repeated here.
In one embodiment of the invention, a switching chip with the sFlow technique is used in the network device concerned, such as a switch or router; in particular the EX116/EX126 switching chips of the switching-chip manufacturer Marvell, which have the sFlow function built in, are used. This specific application does not limit the scope of the invention, which of course extends to other implementations.
The flow of this embodiment, shown in Fig. 1, is described step by step below:
At step S10, a message is received on a port of the network device. This can be done by calling the relevant low-level driver function of the network device, such as a switch or router port; those skilled in the art know that many implementations exist in the prior art, which are not repeated here.
At step S20, it is judged from the information carried by the message whether the message was obtained by sampling; on Marvell switching chips, for example, this is judged by the CPU CODE. If the message was not obtained by sampling, go to step S30; otherwise go to step S40. The judgement made in this step is of course meaningless before the sampling task has been started, because no sampled messages exist in the network device at that time; but to keep the flow simple, this embodiment first judges the type of the received message in order to determine the next processing step.
At step S30, it is judged whether the messages received on this port are abnormal. In this embodiment, the criterion is whether the rate of received messages has exceeded a certain preset value. If the messages are not over-rate, the port is working normally, no protection mechanism needs to be started, and the network device's normal message handling simply proceeds. If the port's messages are abnormal, go to step S31.
At step S31, the received message was not obtained by sampling and is over-rate, so the port can be judged to be under attack. The content of the message is analysed to extract its features, such as destination MAC, source MAC, destination IP, source IP and so on. These representative records form a message template, which is stored as a global variable.
The method of building the message template is now introduced in detail.
The basic principle of building a message template is to select at least one detection point among the header fields of a normal network message and the ports of the network device. For example, fields related to network addressing and to addressing between the protocol layers can be selected as detection points, and the physical or logical ports of the network device can also be added as detection points. In this embodiment, the most commonly used parts of Ethernet IP protocol messages, namely the destination MAC address, source MAC address, destination IP address and source IP address, are selected as the detection points for the message features. The arrival rate of the messages processed by the network device is then monitored; when the arrival rate exceeds a certain predetermined value, during a preset detection period the network device increments by 1, for each detection point, the statistical count corresponding to the characteristic value of that detection point, that is, the concrete value of that detection point in the arriving message. The characteristic values of the detection points are then used as the message features, and the total number of messages with the same feature is counted.
If within a preset detection period the statistical count of every characteristic value under every detection point does not exceed the predetermined attack threshold, no traffic attack has occurred; otherwise the network device has detected a traffic attack, and the attack message feature is the detection point, with its characteristic value, whose message total exceeds the predetermined attack threshold. The predetermined attack threshold should be set according to the message traffic the network device normally handles; when the normal traffic is large, a higher value should be chosen.
In the messages handled by some core network devices, each detection point may have a great many characteristic values, and the network device has to count each of them separately, which can consume a lot of memory. Therefore, for core network devices and for network devices with little memory, the number N of characteristic values stored per detection point can be set, so that only the N characteristic values with the largest totals are counted.
The feature of the attack message, namely the characteristic value of the detection point whose message total exceeds the predetermined attack threshold, is then saved as the message template. Several such message templates can be built, and they are stored as global variables.
For example, a switch operates in an Ethernet, with the source MAC, destination port number, source port number and the physical port of the switch selected as detection points; the predetermined detection period is set to 1 second, the predetermined attack threshold to 300, and the number of characteristic values stored per detection point to 5. The switch starts attack detection, and after one predetermined detection period the statistical count result obtained is as shown in the following table:
[Table: statistical count result after one detection period (image in the original, not reproduced here)]
As the statistical count result shows, the total number of messages whose source MAC characteristic value is 00a6-4513-0011 is 330, the total with destination port number 3344 is 325, the total with physical port number 21 is 320, and the statistical counts of the other detection point characteristic values are below 300. The detected attack messages therefore have the following features:
Source MAC 00a6-4513-0011;
Destination slogan 3344;
From No. 21 physical ports.
These features are then extracted as the attack message template and stored as a global variable.
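The template-building rule above (per-detection-point counts over one detection period, a memory cap of N values per detection point, and extraction of every value whose total exceeds the attack threshold), as an added example that is not part of the patent text. The traffic is constructed so that its totals reproduce the 330 / 325 / 320 figures of the example; the arrival-rate threshold of 200 messages per second and the cap handling are assumptions.

```python
from collections import Counter

# Detection points of the description's example: source MAC, destination port,
# source port and the physical ingress port of the switch.
PROBES = ("src_mac", "dst_port", "src_port", "phys_port")


class TemplateDetector:
    """Builds an attack-message template as step S31 describes: during one
    detection period, count each detection point's characteristic values, keep
    at most keep_n values per detection point, and at the end of the period
    extract every value whose total exceeds attack_threshold. Counting is only
    acted on once the arrival rate exceeds rate_threshold messages per second
    (assumed value)."""

    def __init__(self, probes=PROBES, attack_threshold=300, keep_n=5,
                 rate_threshold=200, period_s=1.0):
        self.probes = probes
        self.attack_threshold = attack_threshold
        self.keep_n = keep_n
        self.rate_threshold = rate_threshold
        self.period_s = period_s
        self._reset()

    def _reset(self):
        self.seen = 0
        self.counts = {p: Counter() for p in self.probes}

    def observe(self, msg):
        """Add 1 to the statistical count of each detection point's value in msg."""
        self.seen += 1
        for p in self.probes:
            c = self.counts[p]
            c[msg[p]] += 1
            if len(c) > self.keep_n:
                # Memory cap from the description: keep only keep_n values per
                # detection point. Evicting the rarest value is a simplification.
                rarest, _ = c.most_common()[-1]
                del c[rarest]

    def end_period(self):
        """Close the detection period: return the template ({} when the rate is
        normal or no total exceeded the threshold) and reset the counts."""
        template = {}
        if self.seen / self.period_s > self.rate_threshold:
            for p in self.probes:
                value, total = self.counts[p].most_common(1)[0]
                if total > self.attack_threshold:
                    template[p] = value
        self._reset()
        return template


def build_sample_traffic():
    """Constructed traffic for one 1-second detection period (not the patent's
    table): a flood from MAC 00a6-4513-0011 towards port 3344, mostly arriving
    on physical port 21 with a few stragglers on port 9, plus 40 messages of
    ordinary traffic. Totals: MAC 330, dst port 3344 325, physical port 21 320."""
    flood = [{"src_mac": "00a6-4513-0011", "dst_port": 3344,
              "src_port": 1024 + i, "phys_port": 21} for i in range(320)]
    flood += [{"src_mac": "00a6-4513-0011", "dst_port": 3344,
               "src_port": 2000 + i, "phys_port": 9} for i in range(5)]
    flood += [{"src_mac": "00a6-4513-0011", "dst_port": 80,
               "src_port": 3000 + i, "phys_port": 9} for i in range(5)]
    normal = [{"src_mac": "0011-2233-44%02d" % (i % 4), "dst_port": 80,
               "src_port": 40000 + i, "phys_port": 3} for i in range(40)]
    return flood + normal


def extract_template(msgs):
    """Run one detection period over msgs and return the extracted template."""
    det = TemplateDetector()
    for m in msgs:
        det.observe(m)
    return det.end_period()


if __name__ == "__main__":
    print(extract_template(build_sample_traffic()))
```

Running the block prints the template {'src_mac': '00a6-4513-0011', 'dst_port': 3344, 'phys_port': 21}; the source port never appears because no single value reaches the threshold.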
At step S32, preparations are made to set the ACL rule. The extracted message features are stored in a data structure, and a pointer to the data structure is sent through a message queue; the chip ACL is then set according to the message received from the queue. This process calls some low-level functions commonly used in network devices, so that the software sets the ACL rule automatically. Once the ACL rule is set, the corresponding port is forbidden from receiving attack messages, but is still allowed to receive other, normal messages.
At step S33, it is judged whether this is the first time the network device has set an ACL rule on this port. If so, go to step S34, enable the sampling task, and send a message on the user interface to alert the user.
Note that once the sampling task is enabled it runs continuously until it is judged that the last message template has been cancelled; only after the sampling task is cancelled in step S49 does it stop. Fig. 1 does not show the detailed implementation of the sampling step. The principle and the steps of sampling in this embodiment are described in detail below.
In this embodiment, after the sampling task is started, it calls the low-level chip sFlow driver at a preset period, such as 1 second, and starts the sampling mechanism on the port. During sampling, the sampling process can be controlled accordingly.
Note that the sFlow mechanism provides two sampling modes. In trigger (Trigger) mode, the sampling interval can be rewritten after each sample. In continuous (Continue) mode, a new sampling interval is filled in automatically after each sample according to the preset value. In practice the Trigger mode is more flexible, since the sampling interval can be rewritten after each sample. The specific implementation is that each time a sampled message is obtained, the corresponding software function is called back to set the chip's next sampling interval. Each time this software function is called back by the low-level chip driver it resets the next sampling ratio; for example, the last sampling rate was 1/100 and the next may be 1/50. With the Trigger mode, the sampling ratio can be set by a reasonably chosen algorithm, or by a random function. The biggest advantage of the Trigger mode is that the sampling process can be controlled well, because in Trigger mode the sFlow mechanism interacts with the upper-layer software after every sample, at which point the upper-layer software can adjust the parameters set for the sampling process (such as the sampling ratio) in advance, so as to adapt more flexibly to the changed actual conditions in the next sampling interval. In each sampling interval one message is sampled at random and delivered for processing.
In addition, to prevent over-rate messages from adversely affecting the sampling process (for example, when the message traffic is very large, even with a sampling rate of 1/1000 a large number of sampled messages would be received in a short time, which itself amounts to a traffic attack on the device), the number of sampled messages can be controlled: for example, after the number of samples exceeds a specified number (say 30), sampling is closed (the sampling ratio is set to 0). This indicates that the port has come under a rather intense message traffic attack, so the sampling function is temporarily closed and the attack messages are simply filtered.
Consider that the sFlow sampling function of the switching chip can only set the number of messages between samples, that is, what is set is the sampling ratio, and there is no concept of time. If the chip's sFlow sampling function were used directly, controlling the sampled messages only through the sampling ratio, then when a large number of attack messages are received in a short time the sampling ratio would have to be lowered to prevent the CPU from being attacked by the sampled messages, and when only a few messages are received in a short time the sampling ratio would have to be raised so as to react quickly to the network condition. The situations such a design has to handle are complex, and the sampling ratio is difficult to adjust in time.
Therefore, in this embodiment a fixed sampling ratio is preferably set in advance (for example a 1/100 sampling rate), so that the sFlow sampling mechanism extracts one message for processing after every 100 messages received; after the number of samples exceeds the specified number (for example 30), sampling is closed (the sampling ratio is set to 0). After the sampling function is closed, it can be arranged that the sampling task restores sampling after a certain period, such as 5 seconds.
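The software side of the Trigger-mode loop described above, as an added example that is not the patent's or the chip vendor's code: the chip is modelled as calling `on_sample()` after every sampled message and programming the interval it returns, while the periodic sampling task calls `tick()`. It combines the two rules the text gives, a sampling ratio inversely proportional to the port's current message rate and closing sampling (ratio 0) after 30 samples with restoration after 5 seconds; the calibration constants (1-in-100 at 1000 messages per second) are assumptions.

```python
class SamplingController:
    """Trigger-mode sFlow control for one port. on_sample() is the callback the
    chip driver invokes after each sampled message and returns the number of
    messages to let pass before the next sample (0 = sampling closed). tick()
    is invoked by the periodic sampling task (e.g. every 1 s) and reopens
    sampling once the pause after a shutoff has elapsed."""

    def __init__(self, base_rate_pps=1000, base_interval=100,
                 max_samples=30, reopen_after_s=5.0):
        self.base_rate_pps = base_rate_pps    # assumed calibration point ...
        self.base_interval = base_interval    # ... 1-in-100 sampling at 1000 pps
        self.max_samples = max_samples        # close sampling beyond this many
        self.reopen_after_s = reopen_after_s  # pause before sampling is restored
        self.samples_taken = 0
        self.closed_at = None                 # time of shutoff, None when open

    def _interval_for(self, rate_pps):
        # ratio = 1/interval is inversely proportional to the rate, so the
        # interval grows linearly with the rate: the CPU then receives a
        # roughly constant number of samples per second however hard the
        # port is flooded.
        interval = self.base_interval * rate_pps / self.base_rate_pps
        return max(1, int(round(interval)))

    def on_sample(self, now_s, rate_pps):
        """Chip callback after one sampled message."""
        if self.closed_at is not None:
            return 0                          # shut off: keep ratio at 0
        self.samples_taken += 1
        if self.samples_taken > self.max_samples:
            self.closed_at = now_s            # flood too intense: close sampling
            return 0
        return self._interval_for(rate_pps)

    def tick(self, now_s, rate_pps):
        """Periodic sampling task: returns the interval to program, 0 while the
        shutoff pause is still running."""
        if self.closed_at is not None:
            if now_s - self.closed_at < self.reopen_after_s:
                return 0
            self.closed_at = None             # restore sampling after the pause
            self.samples_taken = 0
        return self._interval_for(rate_pps)


def run_scenario(events):
    """Drive one controller with a constructed event list of
    (kind, time_s, rate_pps) tuples, kind being "sample" or "tick", and return
    the interval programmed after each event."""
    ctrl = SamplingController()
    return [ctrl.on_sample(t, pps) if kind == "sample" else ctrl.tick(t, pps)
            for kind, t, pps in events]


if __name__ == "__main__":
    # Constructed flood: 32 samples in 3.2 s at 1000 pps, then two task ticks.
    events = [("sample", i / 10, 1000) for i in range(32)]
    events += [("tick", 4.0, 1000), ("tick", 8.0, 1000)]
    print(run_scenario(events))
```

In the constructed scenario the first 30 callbacks program an interval of 100, the 31st and 32nd return 0 (sampling closed at t = 3.0 s), the tick at 4.0 s still returns 0 and the tick at 8.0 s restores the 1-in-100 interval.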
The logic that follows, once a port on which an ACL has been issued is being sampled and sampled messages are received, is now described in detail:
As described in step S20 above, if the received message is judged to be a sampled message, go to step S40.
At step S40, the sampled message is compared against the message templates to judge whether it is an exception message. The method is to compare the features of the message sampled on this port, one by one, against all message templates stored for this port. If the sampled message's features coincide with the features of some stored message template, it is an exception message and the flow goes to step S41; if it matches none of the message templates, it is not an exception message and the flow goes to step S42.
At step S41, since each message template has a counter, if the comparison shows that the message is an attack message, the message template counter is incremented.
At step S42, the message is dropped directly.
At step S43, it is judged whether the sampled messages have reached a predetermined quantity. During sampling, the software can be set to judge by some rule, for example whether 100 sampled messages have been received (assuming the predetermined value is 100); if so, go to step S44, otherwise return to step S10.
At step S44, it is further judged from the message template counter whether the port is still under attack. The method of judging that the port was not attacked is to query whether the message template counter remained zero throughout the sampling period; alternatively, as required, it can be specified that if the message template counter is less than or equal to some value, the port is considered not to have been attacked, and the message template counter is treated as zero. Conversely, when the value of the template counter is greater than some predetermined value, such as 10, the port was attacked during this sampling period; otherwise the port was not attacked during this sampling period, or the attack is negligible. If the port continued to be attacked during the sampling period, i.e. the template counter is greater than the predetermined value, go to step S45; if the port no longer receives messages with these features, i.e. the template counter is zero or less than the predetermined value, also go to step S45.
At step S45, the counter corresponding to the message template is cleared; whatever the value of the template counter, it is cleared so that the next sampling period can begin. Note that, according to the judgement of the preceding step S44, if the condition "attack message template counter <= predetermined value" was judged false, exception messages were received and the message template cannot be removed, so steps S46 and S47 are skipped and the flow goes directly to S48; otherwise the flow goes to step S46.
At step S46, since the port has no exception messages, the corresponding message template is removed and a message cancelling the message template is sent to the message queue; according to the received message, the relevant ACL rule setting function in the network device's low-level driver is called, and the flow goes to step S47.
At step S47, by calling the relevant ACL rule setting function in the network device's low-level driver, the corresponding ACL rule originally set is cancelled and the port is allowed to receive the messages. The port can then send and receive messages normally, and the flow goes to step S48.
At step S48, it is judged whether the last message template has been cancelled. If the last message template has been cancelled, the CPU is no longer under attack, and to save CPU resources the flow goes to step S49.
At step S49, the sampling task is cancelled, and information is sent on the user interface to tell the user that the device is no longer under attack.
More general, those skilled in the art can know that essential spirit of the present invention is that promptly the network equipment can surpass certain numerical value to the receiving velocity of exception message to the assurance of the exception message feature that adopts flow attacking network equipment CPU.For this reason, can simply forbid transmitting such message, whether disappear with such message of continuous inspection, if the then cancellation that disappears is similarly forbidden transmitting but start a sampling task simultaneously.
In summary, another aspect of the invention can be stated as a protective method against network attacks comprising the following steps:
(1) detect whether the messages received on a network device port are abnormal;
(2) forbid forwarding of the detected exception messages, and start a sampling task on the messages received at the port;
(3) judge whether the number of exception messages among the sampled messages is less than a predetermined value;
(4) if the result of step (3) is yes, cancel the aforementioned forwarding prohibition; if no, keep the prohibition in place.
The sampling task of step (3) samples messages at a variable sampling ratio, and that ratio is inversely proportional to the port's current receive message rate.
The network device defines an exception message as a message whose rate exceeds a certain value.
Thus, the method of the invention makes full use of the characteristics of hardware and the flexible control of software, and better resolves the defect of guarding against attacks with a hardware-only or software-only approach.
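The lifecycle above (rate-based detection, ACL deny, variable-ratio sampling, per-period counter check, release when the last template is gone) as a small simulation. This is an added example, not code from the patent or from H3C; the feature strings, rate constants and threshold are assumptions.

```python
"""Simulation of the ACL/sampling lifecycle described in the patent text.
Added example, not the patent's code; rates and thresholds are assumptions."""
from collections import Counter
from dataclasses import dataclass, field

EXCEPTION_RATE_PPS = 1000   # assumed: a feature received faster than this is an exception message
TEMPLATE_THRESHOLD = 5      # assumed: sampled matches per period needed to keep the ACL rule
SAMPLE_BASE_PPS = 1000      # assumed: port rate at or below which every packet is sampled


@dataclass
class Port:
    templates: dict = field(default_factory=dict)  # feature -> message template counter
    acl_deny: set = field(default_factory=set)     # features the ACL forbids forwarding
    sampling: bool = False                         # sampling task running on this port


def sample_interval(port_rate_pps):
    """Sample 1 packet in N; N grows with the port rate, so the sampling
    ratio 1/N is inversely proportional to the rate the port receives."""
    return max(1, port_rate_pps // SAMPLE_BASE_PPS)


def detect(port, rate_by_feature):
    """Steps (1)-(2): every feature received faster than EXCEPTION_RATE_PPS gets
    a message template (counter 0) and an ACL deny rule, and sampling starts."""
    new = [f for f, pps in rate_by_feature.items()
           if pps > EXCEPTION_RATE_PPS and f not in port.templates]
    for f in new:
        port.templates[f] = 0
        port.acl_deny.add(f)
    if new:
        port.sampling = True
    return new


def sampling_period(port, received, port_rate_pps):
    """Steps (3)-(5): sample the packets the port received (the switch chip
    samples at ingress, so ACL-dropped features are still seen), count matches
    per template, then at period end keep or release each rule."""
    if not port.sampling:
        return set()
    sampled = Counter(received[::sample_interval(port_rate_pps)])
    for f in port.templates:
        port.templates[f] += sampled[f]
    released = set()
    for f, count in list(port.templates.items()):
        port.templates[f] = 0                     # counter is cleared every period
        if count <= TEMPLATE_THRESHOLD:           # exception traffic has stopped
            del port.templates[f]
            port.acl_deny.discard(f)
            released.add(f)
    if not port.templates:                        # last template cancelled
        port.sampling = False                     # stop the sampling task
    return released
```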

Claims (10)

1. A protective method against network attacks, applied in a network device with a CPU, characterised in that it comprises the following steps:
(1) extracting and saving the exception message feature of exception messages received on a port of the network device;
(2) setting an access control list (ACL) rule on the corresponding port according to the exception message feature, forbidding the port to forward only those messages having the exception message feature;
(3) starting a sampling task on the port on which the ACL rule was set, sampling the messages received on that port and extracting the message feature of the received messages;
(4) comparing the message feature obtained by sampling the received messages with the saved exception message feature;
(5) if the message feature obtained by sampling does not match the saved exception message feature, cancelling the ACL rule that was set, allowing the port to receive the messages.
2. The method of claim 1, characterised in that the sampling in step (3) is implemented with a device having a flow sampling (sFlow) function, specifically:
(31) using, in the network device, a switching chip with an sFlow sampling function;
(32) providing a sampling task module in the network device, which calls the sFlow driver of the switching chip to perform the sampling.
3. The protective method of claim 1 or 2, characterised in that step (1) is preceded by detecting whether a message received on the port is an exception message; if it is, step (1) is executed, otherwise no action is taken.
4. The protective method of claim 3, characterised in that the exception message is a message whose message rate, as received by the network device, exceeds a threshold.
5. The protective method of claim 1 or 2, characterised in that the exception message feature is saved in the form of a message template, and the step of establishing the message template comprises:
presetting the detection items for the exception message feature on the network device port;
adding 1 to the statistical count corresponding to the feature value of each detection item of a received exception message;
taking the feature value of a detection item as the message feature, and counting the total number of messages with the same feature value;
if the counted total of messages with the same feature value under a detection item exceeds a preset threshold, extracting the feature value under that detection item, whose total exceeded the threshold, as the message template, and saving it as a global variable.
6. The protective method of claim 5, characterised in that the exception message template also has an exception message template counter, and step (5) further comprises: if the message feature obtained by sampling matches the exception message feature in the message template, incrementing the exception message template counter.
7. The protective method of claim 6, characterised in that it further comprises the following steps:
a) when the sampling period ends, if the exception message template counter value is greater than a default value, resetting the counter of the message template to zero and going to step d);
b) if the exception message template counter value is less than the default value, resetting the counter of the exception message template to zero and removing the corresponding exception message template;
c) cancelling the ACL rule set according to this exception message feature;
d) judging whether the port has other exception message templates; if so, returning to step (1), otherwise cancelling the sampling task.
8. A protective method against network attacks, characterised in that it comprises the following steps:
(1) detecting whether the messages received on a network device port are abnormal;
(2) forbidding forwarding of the detected exception messages, and starting a sampling task on the messages received at the port;
(3) judging whether the number of exception messages among the sampled messages is less than a predetermined value;
(4) if the result of step (3) is yes, cancelling the aforementioned forwarding prohibition; if no, keeping the prohibition in place.
9. The protective method of claim 8, characterised in that the sampling task of step (2) samples messages at a variable sampling ratio, and that ratio is inversely proportional to the port's current receive message rate.
10. The protective method of claim 8, characterised in that the network device defines an exception message as a message whose rate exceeds a certain value.
CNB2005100752536A 2005-06-09 2005-06-09 Protective method for network attack Active CN100428688C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005100752536A CN100428688C (en) 2005-06-09 2005-06-09 Protective method for network attack


Publications (2)

Publication Number Publication Date
CN1878082A CN1878082A (en) 2006-12-13
CN100428688C true CN100428688C (en) 2008-10-22

Family

ID=37510391



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: Xinhua three Technology Co., Ltd.

Address before: 310053, Zhejiang hi tech Industrial Development Zone, Hangzhou hi tech Industrial Park, No. six and No. 310 HUAWEI Hangzhou production base

Patentee before: Huasan Communication Technology Co., Ltd.

CP03 Change of name, title or address