CN101018156A - Method, device and system for preventing the broadband rejection service attack - Google Patents


Info

Publication number
CN101018156A
Authority
CN
China
Prior art keywords
bandwidth
message flow
control
inlet
network
Prior art date
Legal status
Pending
Application number
CNA2007100799052A
Other languages
Chinese (zh)
Inventor
农基文
秦广溥
刘立柱
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Abstract

The disclosed method for preventing bandwidth-type DOS attacks comprises: measuring the bandwidth occupied by the packet flow for each IP destination address that is sent from an external network to the present network, or merely passes through it; comparing the measured bandwidth with a preset threshold, and from that comparison determining a control policy that controls the flows whose bandwidth is not less than the threshold. The invention requires only low-cost devices of ordinary performance to prevent such DOS attacks.

Description

Method, device and system for preventing bandwidth-type denial-of-service attacks
Technical field
The present invention relates to the field of network technology, and in particular to a method, device and system for preventing bandwidth-type denial-of-service attacks.
Background technology
At present, network security has become a major obstacle to network development. The targets of network attacks have spread from single client devices to the whole network, and network infrastructure is affected to an unprecedented degree. Because this affects the availability of the network itself and is broad in scope, it exposes network providers and network users to enormous losses.
Among the various network attack methods, DOS (Denial Of Service) attacks generate large volumes of illegitimate traffic to consume the resources of the target system and tie up network bandwidth. Because the technical barrier to this kind of attack is low and defensive theory and measures are lacking, it has spread widely and seriously affects the operation and use of networks. In particular, the new attack pattern produced by combining botnets with DDOS (Distributed Denial Of Service) controls a huge number of terminal devices, so the illegitimate traffic it generates is very considerable. Attacks of this kind are enormous in scale and increasingly harmful: they not only affect users of the network but also threaten the availability of the network itself.
DOS attacks can be divided into application-type DOS attacks and bandwidth-type DOS attacks. An application-type DOS attack exploits some characteristic of a higher-layer protocol such as TCP (Transmission Control Protocol) or HTTP (HyperText Transfer Protocol), or of the application system, and illegally occupies the limited resources of the attacked target so that the target cannot handle legitimate traffic. For example, a web host connected to the network with 100M of bandwidth that is paralysed by a TCP half-open connection attack of only 1M of traffic is suffering an application-type DOS attack.
A bandwidth-type DOS attack sends huge volumes of network traffic, causing congestion on the network path to the attacked target and exhausting the network bandwidth, so that legitimate packets cannot be received. For example, suppose the web host above is attacked with hundreds of M or even several G of invalid UDP packets. Even if the host has an ideal 100M security device that can accurately distinguish malicious attack packets from legitimate packets, the network bandwidth in front of the security device is tied up by the invalid packets, so legitimate packets still cannot reach the web host, or reach it only with very low probability. This is a bandwidth-type DOS attack. Because of the structure of the network, when a bandwidth-type DOS attack occurs the attacked target is not the only thing affected: as shown in Figure 1, when the attack traffic against the target exceeds 1000M, all users in the network branches below network device S are affected, and the network itself can be considered to be under attack; the attack has been extended.
Application-layer DOS attacks can be defended against with existing firewalls, IPS (Intrusion Prevention System) and similar techniques, as long as the equipment can identify the attack. For bandwidth-type DOS attacks, the prior art provides several implementations that mitigate the harm caused by DOS attacks to varying degrees. They fall generally into two classes:
Implementation one: first perform deep inspection to identify the DOS malicious attack, then process the attack traffic. Several variants exist; here they are divided into two classes according to how the processing device is deployed:
1. In-line deployment mode
As shown in Figure 2, the security device that handles abnormal attack traffic is connected in series on the network and inspects all network traffic. Once DOS malicious attack traffic is detected, the protection mechanism is triggered: the DOS malicious attack traffic is blocked and normal traffic is allowed through. The security device here can be a firewall, an IPS intrusion prevention system, or similar equipment.
2. Off-line deployment mode
As shown in Figure 3, the detection device and the processing device are separated, and the security device that handles abnormal attack traffic is attached beside the network rather than connected in series. The detection device is deployed in the protected target network by physical optical splitting or port mirroring. Once DOS malicious attack traffic is detected, the protection mechanism is triggered and the processing device is notified. The processing device attracts to itself both the DOS malicious attack traffic and the legitimate traffic addressed to the attacked target, inspects the mixed traffic, filters out the DOS malicious attack traffic and sends the legitimate traffic back to the attacked target through a tunnel.
The deficiency of implementation one in the prior art is that it cannot avert a bandwidth-type DOS attack. The mixed traffic is brought inside the network before it is processed, so the attack traffic has already affected the network before processing; when the attack traffic exceeds the processing capability of the processing device, the attacked target cannot be protected, and a bandwidth-type DOS attack has no theoretical upper limit, its bandwidth far exceeding the processing capability of deep-inspection equipment. Even without an attack, when legitimate traffic exceeds the target's bandwidth limit it not only overloads the target but may also affect other parts of the network. In addition, because complex deep inspection of the mixed legitimate and illegitimate traffic is needed to identify attack traffic, and inspection inevitably produces misjudgements, the deeper and more complex the inspection of the packet, the higher the probability of misjudgement and the more easily service interruption is caused. Moreover, complex deep inspection makes the detection and processing devices too costly, which limits the scope of their deployment and protection, and it also degrades network performance indicators such as throughput (bandwidth), delay, jitter, packet loss and availability, affecting the use of the network.
Implementation two: no deep inspection; traffic exceeding a limit is rate-limited purely at the network level according to flow characteristics, for example with CAR (Committed Access Rate), one of the rate-limiting techniques. As shown in Figure 4, CAR is enabled on the interconnecting interface between network device 1 and network device 2, and the traffic sent to a specific attacked target is set to a certain value; once the traffic is found to exceed this value, the excess portion is discarded regardless of whether the traffic is legitimate or illegitimate.
The deficiency of implementation two in the prior art is that, because the forwarding performance of the network device degrades, not many protected objects can be configured: it cannot protect targets on a large scale and is only suitable for protecting a specific small number of attacked targets, so it cannot be deployed on high-speed core egress routers, and in particular cannot be adopted on metropolitan area network egress routers. In addition, since the target of a bandwidth-type DOS attack is often not a determinate small number of targets, and since this implementation requires a static control policy to be configured whether or not a target is under bandwidth-type DOS attack, i.e. the packet-flow bandwidth occupied by a specific small number of IP addresses must be specified in advance, it cannot be adjusted dynamically and flexibly.
Summary of the invention
The embodiments of the invention provide a method, device and system for preventing bandwidth-type denial-of-service attacks, so as to prevent any IP address in the network from suffering a bandwidth-type DOS attack while keeping the cost and performance requirements on the network devices low.
A method for preventing bandwidth-type DOS attacks comprises the steps of:
measuring the bandwidth occupied by the packet flow for each IP destination address that is sent from an external network to the present network and/or passes through it;
comparing each measured bandwidth with the corresponding preset bandwidth threshold, and determining from the comparison result a control policy that controls the packet flows whose bandwidth is not less than the bandwidth threshold.
A network device comprises:
a unit for measuring the bandwidth occupied by the packet flow for each IP destination address that is sent from an external network to the present network and/or passes through it;
a unit for comparing the measured bandwidth with the corresponding preset bandwidth threshold;
a unit for outputting a control policy according to the comparison result.
A network device comprises:
a unit for receiving a control policy that controls packet flows;
a unit for controlling, according to the control policy, the packet flows, sent from an external network to the present network and/or passing through it, whose bandwidth for an IP destination address is not less than the bandwidth threshold.
A network system comprises:
a detection device for measuring the bandwidth occupied by the packet flow for each IP destination address that is sent from an external network to the present network and/or passes through it, comparing the bandwidth with the corresponding preset bandwidth threshold, and outputting a control policy according to the comparison result;
a control device for controlling, according to the control policy, the packet flows of the IP addresses whose bandwidth is not less than the bandwidth threshold.
In the embodiments of the invention, the bandwidth occupied by the packet flow for each IP destination address that is sent from an external network to the present network and/or passes through it is measured, the bandwidth is compared with the corresponding preset bandwidth threshold, a control policy is determined from the comparison result, and the packet flows of the IP addresses whose bandwidth is not less than the bandwidth threshold are controlled. This prevents any IP address in the network from suffering a bandwidth-type DOS attack, and since detection takes place only at the network level, the implementation is simple and the cost and performance requirements on the network devices are low.
Description of drawings
Fig. 1 is a schematic diagram of a bandwidth-type DOS attack in the background art;
Fig. 2 is a schematic diagram of the in-line deployment mode used to prevent bandwidth-type DOS attacks in the background art;
Fig. 3 is a schematic diagram of the off-line deployment mode used to prevent bandwidth-type DOS attacks in the background art;
Fig. 4 is a schematic diagram of the CAR technique used to prevent bandwidth-type DOS attacks in the background art;
Fig. 5 is a structural diagram of the network system in an embodiment of the invention;
Fig. 6 is a structural diagram of the detection device in an embodiment of the invention;
Fig. 7 is a schematic diagram of the detection device in an embodiment of the invention periodically measuring the packet-flow bandwidth of each link in turn;
Fig. 8 is a structural diagram of the control device in an embodiment of the invention;
Fig. 9 is a structural diagram of the system when, in an embodiment of the invention, the control device is the original network entry device;
Fig. 10 and Fig. 11 are structural diagrams of the system when, in an embodiment of the invention, the control device is newly added equipment;
Fig. 12 is a flow chart of preventing bandwidth-type DOS attacks in an embodiment of the invention.
Embodiment
In the embodiments of the invention, the bandwidth occupied by the packet flow for each IP destination address that is sent from an external network to the present network and/or passes through it is measured; the measured bandwidth is compared with the corresponding preset bandwidth threshold; a control policy is determined from the comparison result; and the packet flows whose bandwidth is not less than the bandwidth threshold are controlled, so that any IP address in the network is prevented from suffering a bandwidth-type DOS attack while the cost and performance requirements on the network devices stay low.
The structure of a network system in an embodiment of the invention, shown in Figure 5, comprises a detection device 500 and a control device 501. The detection device 500 measures the bandwidth occupied by the packet flow for each IP destination address that is sent from an external network to the present network and/or passes through it, compares the bandwidth with the corresponding preset bandwidth threshold, and outputs a control policy according to the comparison result. The control device 501 controls, according to that control policy, the packet flows whose bandwidth is not less than the bandwidth threshold.
The structure of a detection device in an embodiment of the invention, shown in Figure 6, comprises a measuring unit 600, a comparing unit 601 and an output unit 602. The measuring unit 600 measures the bandwidth occupied by the packet flow for each IP destination address that is sent from an external network to the present network and/or passes through it; the comparing unit 601 compares that bandwidth with the corresponding preset bandwidth threshold; the output unit 602 outputs a control policy according to the comparison result.
The detection device may be configured with a measurement period and periodically measure the bandwidth occupied by the packet flow for each IP destination address sent from an external network to the present network and/or passing through it. The present network means any network entity with a clearly defined boundary; the external network is defined relative to it, is interconnected with the present network across the network boundary, and can be any network entity. The present network is generally a stub network (packet flows entering the present network are not forwarded to other networks, and packet flows sent from the present network all originate in it), but it can also be a transit network (packet flows entering the present network may be forwarded to other networks, and packet flows sent from it may originate in other networks).
The detection device can be placed at the network entry between the external network and the present network and measure there the bandwidth occupied by the packet flow for each IP destination address sent from the external network to the present network and/or passing through it. There may be several network entries, and the detection device can measure the bandwidth occupied by the packet flow for each IP destination address at each entry periodically in turn. Each network entry may in turn have several links, and the detection device measures the bandwidth occupied by the packet flow for each IP destination address on each link periodically in turn. A concrete instance is shown in Figure 7. Because the entry bandwidth of today's metropolitan area networks keeps growing, a metropolitan area network often has several network entries, each entry router has several 10G high-speed optical links, and with current processing capability one detection device can generally inspect one 10G high-speed optical link. Monitoring all the high-speed optical links would therefore require several detection devices; to achieve low-cost detection, one detection device can instead be used to inspect each high-speed optical link separately, for example by inspecting each high-speed optical link periodically in turn. The detection device can perform this rotation itself, or an optical path selector independent of the detection device can be provided to select the high-speed optical link, with the detection device inspecting the link selected by the optical path selector; the optical path selector can select each high-speed optical link periodically in turn, or select links by some other rule.
The detection device collects statistics on the packet flow for each IP destination address sent from the external network to the present network and/or passing through it, calculates the occupied bandwidth after one measurement period, and then looks up the preset bandwidth threshold corresponding to each IP address so that the packet-flow bandwidth can be compared with the bandwidth threshold.
The bandwidth threshold here is the upper bandwidth limit that the packet-flow bandwidth is allowed to reach, defined on the basis of the reference bandwidth corresponding to the IP address. The reference bandwidth corresponding to an IP address can be the reference bandwidth corresponding to each legal IP address in the network that needs to be advertised to the external network through a routing protocol. The reference bandwidth can be the minimum path bandwidth from the entry/exit at the network boundary to the IP destination address. In general it can be physical, e.g. the physical standard bandwidth of an ADSL user can be 512Kbps, or it can be contractual, e.g. a leased-line subscriber connected to the metropolitan area network over 10M Ethernet who has bought only 5M of bandwidth has a contractual reference bandwidth of 5Mbps. For operator networks such as metropolitan area networks, where the number of users and the network address space are huge, the reference bandwidth corresponding to each IP address can be obtained by interfacing with the operator's existing OSS/BSS systems through conventional interfaces. Of course, the reference bandwidth can also be obtained selectively, only for the IP addresses that need protection, with other IP addresses not considered.
In a typical network, the reference bandwidth corresponding to an IP address falls into the following cases:
Public user IP POOL address space: most metropolitan area network users obtain an address from the IP POOL by PPPOE (Point-to-Point Protocol over Ethernet), and the user's reference bandwidth is simply the bandwidth of the broadband link connecting to the metropolitan area network, generally 512Kbps~2Mbps. Such users occupy the largest address space.
NAT POOL (network address translation pool) address space: some networks, lacking address space, use NAT to translate private addresses into public addresses; the upstream bandwidth of each NAT POOL can be known from the NAT policy.
Leased-line static IP user address space: the network operator knows the bandwidth and address range of each leased-line subscriber precisely.
Network interconnection address and loopback address space: these are generally the addresses of network management devices. They are few in number, but an attack on these addresses is precisely an attack on the network management devices.
Specifically, the upper bandwidth limit that the packet-flow bandwidth is allowed to reach on the basis of the reference bandwidth can be set by considering together the structure and performance of the network, the reference bandwidth corresponding to each IP address, the user information corresponding to each IP address, and so on. For example, a ratio relative to the reference bandwidth is determined from the structure and performance of the network and the user information corresponding to each IP address, and the reference bandwidth is multiplied by that ratio to give the upper bandwidth limit. One instance is shown in the table below, in which the correspondence between IP address and bandwidth threshold defines a yellow threshold, an orange threshold and a red threshold. These thresholds are ratios relative to the reference bandwidth: traffic at 1~1.5 times the reference bandwidth is a yellow violation, 1.5~2 times is an orange violation, and more than 2 times is a red violation. These ratios can be adjusted according to the structure and performance of different networks and to different user information. The user information here can be the services the user has ordered from the operator, the user's tariff grade, and similar information.
| Address space | Address class | Reference bandwidth | Yellow threshold | Orange threshold | Red threshold |
| --- | --- | --- | --- | --- | --- |
| X.X.X.X/20, A.A.A.A/25 | Public user IP POOL address space | 1Mbps (exceptional users are treated as leased-line subscribers) | 1 (adjustable) | 1.5 (adjustable) | 2 (adjustable) |
| Y.Y.Y.Y/28 | NAT POOL address space | 100Mbps | 1 (adjustable) | 1.5 (adjustable) | 2 (adjustable) |
| a.b.c.d/30, c.c.c.c/32 | Leased-line static IP user address space | 5Mbps | 1 (adjustable) | 1.5 (adjustable) | 2 (adjustable) |
| Z.Z.Z.Z/26 | Network interconnection and loopback address space | 10Mbps | 1 (adjustable) | 1.5 (adjustable) | 2 (adjustable) |
| Other | Unclassified | Undefined; monitor and alarm, do not limit | 1 (adjustable) | 1.5 (adjustable) | 2 (adjustable) |
The detection device measures the bandwidth occupied by the packet flow for each IP destination address sent from the external network to the present network and/or passing through it, compares each bandwidth with the corresponding preset bandwidth threshold, and outputs a control policy according to the comparison result. There are several concrete ways to do this. The detection device can, through a mirroring or optical splitting system, distribute the traffic of a high-speed link to several low-speed links by IP destination address, for example diverting all traffic entering the present network to different low-speed detection units by destination address; or a high-speed detection unit can directly accept the output of the mirroring or splitting system. The detection unit compares the packet-flow bandwidth with the bandwidth threshold and outputs a control policy according to the result. The comparison result is either that the packet-flow bandwidth is less than the bandwidth threshold or that it is not less than the bandwidth threshold; when it is not less than the threshold, the detection device outputs, according to the control policy configured for that IP address, the characteristic identifying parameters of the packet flow (such as the IP address) and the concrete penalty measure, such as logging, lowering the credit grade, adding to a blacklist, up to rate limiting. Different control policies can be configured for different IP addresses. In general the rate-limiting policy should be applied cautiously; the bandwidth threshold and the reference bandwidth ensure that flow control is reasonable and necessary. In addition, the detection device can decide each time, according to the control capacity of the control device, whether to continue issuing control policies.
The detection device can detect inbound violating traffic, i.e. the bandwidth of the packet flow sent to a given IP destination address. As in the example table above, violations can be divided into three grades, yellow, orange and red: inbound traffic at 1~1.5 times the metered value is a yellow violation, 1.5~2 times an orange violation, and more than 2 times a red violation. The detectable cases can include packets sent to the control plane of network devices, i.e. packet flows whose IP destination address lies in the network interconnection and loopback address space. The detection device can also detect outbound violating traffic, i.e. the bandwidth of the packet flow originating from a given IP address; this situation usually arises because the address is being spoofed.
The structure of a control device in an embodiment of the invention, shown in Figure 8, comprises a receiving unit 800 and a control unit 801. The receiving unit 800 receives the packet-flow control policy output by the detection unit; the control unit 801 controls, according to that control policy, the packet flows whose bandwidth is not less than the bandwidth threshold.
After receiving the control policy sent by the detection device, the control device controls the packet flows whose bandwidth is not less than the bandwidth threshold. Like the detection device, the control device can be placed at the network entry, where it controls the packet flows whose bandwidth is not less than the bandwidth threshold, reducing the violating flow rate so that it becomes compliant at the network level and avoiding impact on the network. For example, for a user with 10M of access bandwidth, when the traffic sent to that user reaches 100M, the traffic is limited at the metropolitan area network entry to 10M or 20M, depending on the control policy. The reason for limiting at the network entry is that, if the entry does not limit, these packets will be dropped somewhere inside the network and will affect other parts of it. Limiting to 20M takes into account that there may be other security systems behind the system that prevents bandwidth-type DOS attacks, so the proportion of legitimate packets that get through can be increased; this proportion is adjustable within a certain range.
The control device can control the packet flows whose bandwidth is not less than the bandwidth threshold according to a control policy configured by the detection device. After detecting violating traffic, the detection device logs in to the control device by telnet, SSH, SNMP or a similar means and, according to the bandwidth threshold corresponding to the IP address, configures packet-flow control such as CAR. When the bandwidth occupied by the packet flow controlled by the control device falls back within the bandwidth threshold, the detection device removes the control policy for that packet flow and the control device removes the control on it; to avoid frequent configuration changes, a strategy such as delayed cancellation of control can be introduced here.
The flow control parameters configured by the detection device can be adapted to devices from different vendors, and the number of configured policies can be adapted to the specifications of devices from different vendors, the criterion being that forwarding is not affected. The number of policy configurations is bounded by the processing capability of the vendor's device. The detection device can introduce a back-pressure mechanism: when the control device reaches its capacity limit, no further control policies are issued, to avoid overloading the control device.
The embodiment of the invention provides the pattern that the network system that prevents dos attack can take when specific implementation as follows:
Pattern one, control appliance are former Web portal equipment
A network may have several ingresses. In this mode the control devices are the existing ingress devices themselves, one at each ingress. In the network of Figure 9 there are two ingresses, R1 and R2. When the packet flow to each IP destination address enters the network through a single ingress, that is, when the attack traffic destined for a given IP destination address enters through either R1 or R2, the control device (R1 or R2) controls that packet flow according to the flow-control policy that the detection device issues to it. When the packet flow to an IP destination address enters through several ingresses, the bandwidth threshold is apportioned among the ingresses and the packet flow at each ingress is controlled against its apportioned share. The threshold can be apportioned in proportion to the split ratio of the ingresses: in Figure 9, when the flow enters through R1 and R2 at the same time, the detection device takes the R1 to R2 split ratio it learned while the flow was not in violation, assigns the bandwidth threshold to R1 and R2 in that proportion, and issues the flow-control policy; the control devices then control the packet flow according to that policy. The detection device may also assign thresholds to the individual ingresses according to the actual conditions of the network; for instance, the threshold assigned to each ingress may be set to the reference bandwidth, so that control remains reasonable. In general, flow-control policies should be issued with care. With several ingresses, so that control is both reasonable and necessary, the bandwidth threshold of each ingress is generally required to be not less than the reference value. When the measured value is not below the bandwidth threshold, several progressively stronger control policies can be issued according to the degree of excess and the user's grade, such as logging, lowering the credit grade, adding to a blacklist and, finally, rate limiting. This balances the interests of the network and the user, and balances the scale of control against the control capability.
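The threshold apportionment and the progressive policies described above, as an added example in Python that is not part of the patent and not any vendor's implementation. It assumes the threshold is the reference bandwidth times a ratio (as in claim 4), takes the split ratio from per-ingress byte counts collected while the flow was not in violation, floors each ingress share at the reference bandwidth as the page requires, and maps the degree of excess together with an assumed user grade (gold, silver, bronze) to the page's escalating actions; the 25 % step per level and the grade offsets are assumptions, and the figures in `__main__` are constructed.

```python
"""Per-ingress threshold apportionment and progressive control (added example)."""

# Progressive policies named on the page, weakest first.
CONTROL_LEVELS = ("log", "reduce_credit_grade", "blacklist", "rate_limit")
LEVEL_STEP = 0.25          # assumed: one level per 25 % of excess over the threshold
GRADE_OFFSET = {"gold": -1, "silver": 0, "bronze": 1}   # assumed user grades


def bandwidth_threshold(reference_bps: float, ratio: float) -> float:
    """Upper limit the flow may reach: reference bandwidth times a ratio."""
    if ratio < 1.0:
        raise ValueError("the threshold must not be below the reference bandwidth")
    return reference_bps * ratio


def split_ratio(baseline_bytes: dict) -> dict:
    """Share of the destination's traffic seen at each ingress while not in violation."""
    total = sum(baseline_bytes.values())
    if total == 0:                       # no baseline yet: treat the ingresses as equal
        return {ingress: 1.0 / len(baseline_bytes) for ingress in baseline_bytes}
    return {ingress: b / total for ingress, b in baseline_bytes.items()}


def apportion_threshold(threshold_bps: float, baseline_bytes: dict,
                        reference_bps: float) -> dict:
    """Distribute one destination's threshold over its ingresses by split ratio,
    never giving an ingress less than the reference bandwidth (the page's floor)."""
    shares = split_ratio(baseline_bytes)
    return {ingress: max(threshold_bps * share, reference_bps)
            for ingress, share in shares.items()}


def control_action(measured_bps: float, threshold_bps: float, user_grade: str):
    """None while below threshold; otherwise the policy level rises with the
    degree of excess and with a lower user grade."""
    if measured_bps < threshold_bps:
        return None
    excess = measured_bps / threshold_bps - 1.0          # 0.0 means exactly at threshold
    level = int(excess // LEVEL_STEP) + GRADE_OFFSET[user_grade]
    return CONTROL_LEVELS[max(0, min(level, len(CONTROL_LEVELS) - 1))]


def ingress_policies(measured_bps: dict, per_ingress_threshold: dict,
                     user_grade: str) -> dict:
    """Policy the detection device issues to each ingress device (R1, R2, ...)."""
    return {ingress: control_action(measured_bps.get(ingress, 0.0), thr, user_grade)
            for ingress, thr in per_ingress_threshold.items()}


if __name__ == "__main__":
    # Constructed figures: reference 10 Mbit/s, ratio 3, baseline split 60/40 over R1/R2.
    thr = bandwidth_threshold(10e6, 3.0)
    per_ingress = apportion_threshold(thr, {"R1": 6_000_000, "R2": 4_000_000}, 10e6)
    print(per_ingress)
    print(ingress_policies({"R1": 27e6, "R2": 11e6}, per_ingress, "silver"))
```

With a 60/40 baseline the 30 Mbit/s threshold splits into 18 and 12 Mbit/s for R1 and R2; with a 95/5 baseline the R2 share would be 1.5 Mbit/s and is raised to the 10 Mbit/s reference floor, which is why the page warns that apportionment needs care when the sum of the floored shares exceeds the destination's threshold.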
Mode two: the control device is a device newly added to the network
As in mode one, when there are several network ingresses the control devices sit at the ingresses and control the packet flow of each ingress according to that ingress's bandwidth threshold; each ingress is assigned a threshold, either in proportion to its split ratio or according to the actual conditions of the network. A control device may return the controlled packet flow of an ingress to the network through the original ingress. Another possible implementation assumes that the ingresses are peers that can each reach the attacked address without relying on the other; each control device can then inject the controlled flow through another ingress. That is, when the packet flow to an IP destination address enters the network through one ingress, the flow at that ingress is controlled and the controlled flow is injected through a different ingress. In the network of Figure 10, attack traffic enters from R1. The detection device configures a static route on R1 that steers the attack traffic to the control device TR; TR rate-limits the attack traffic according to the flow-control policy issued by the detection device, and the rate-limited traffic is routed back to R2 by a static route, from which it takes the normal path to the IP destination address. If the traffic enters from R2, the procedure is the same as for R1. In the initial state of Figure 10, TR has two default routes pointing to R1 and R2 respectively.
When the packet flow to an IP destination address enters the network through several ingresses, the control device merges the flows of the individual ingresses at one ingress, controls the merged flow, and injects the controlled merged flow through the other ingress. In the network of Figure 10, attack traffic enters from R1 and R2 at the same time. R1 is handled exactly as in the case above where the attack traffic enters only from R1. R2, on instruction from the detection device, is configured with a policy route that forwards the flow directly to R1 without consulting the routing table; R1 merges the two flows and passes them to TR; TR rate-limits the merged flow and finally steers the rate-limited packet flow to R2, from which it takes the normal path to the IP destination address.
In the network of Figure 10 a single newly added control device processes the traffic; several control devices may instead be placed at the individual network ingresses and control the packet flow there. In the network of Figure 11, control devices TR1 and TR2 control the traffic entering from R1 and R2 respectively: the traffic from R1 is steered to TR1 and the traffic from R2 to TR2, and after control it is injected through R2 and R1 respectively.
In the embodiment of the invention, the handling process that prevents the dos attack of bandwidth type as shown in figure 12:
Step 1200, checkout equipment are measured by external network and are mail to and/or the shared bandwidth of the message flow based on each IP destination address of the present networks of flowing through.
Step 1201, checkout equipment compare described bandwidth respectively with the corresponding bandwidth threshold value that sets in advance, wherein, the bandwidth threshold value is the bandwidth higher limit that allows the message flow bandwidth to reach on the basis of reference bandwidth of IP address correspondence; Can the bandwidth higher limit be set according to the reference bandwidth of the structure of network and performance, each IP address correspondence, each IP address user information corresponding etc.
Step 1202, checkout equipment according to comparative result to the control appliance export control policy.
Step 1203, control appliance receive the control strategy of checkout equipment input, control the message flow that described bandwidth is not less than the bandwidth threshold value according to this control strategy.Control appliance can be at Web portal according to the flow control policy control message flow that gets access to from checkout equipment, and wherein, the flow control strategy is determined according to the corresponding relation of IP address and bandwidth threshold value.
In the embodiment of the invention, measurement is mail to by external network and/or the shared bandwidth of the message flow based on each IP destination address of the present networks of flowing through, respectively described bandwidth is compared with the corresponding bandwidth threshold value that sets in advance, determine control strategy according to comparative result, control the message flow that described bandwidth is not less than the bandwidth threshold value, can implement Current limited Control flexibly to the violation flow, make any flow that enters network controlled, fundamentally avoid the impact of bandwidth type dos attack network.Not high during the system specific implementation to the cost and the performance requirement of the network equipment; can not change the existing network framework; give full play to the core router disposal ability; do not increase the burden of nucleus equipment; do not influence the nucleus equipment security of operation; avoid systems such as other safety of rear end, dos attack depth detection by too much flow attack, the preceding segment protect that can be used as various existing dos attack guard technologies is implemented.
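Steps 1200 to 1203, together with the release condition of claim 13, as an added example in Python that is not the patent's or any vendor's implementation. It simulates one ingress: the detection device measures per-destination bits per second over a one-second window from constructed packet records, compares them with preset thresholds and issues "limit" or "release" policies; the control device enforces a per-destination token bucket fed at the threshold rate with an assumed 100 ms burst depth. Because a policy can only act on traffic that arrives after it is issued, each window is forwarded under the previous window's policy and then measured. The addresses, thresholds and traffic volumes are constructed.

```python
"""Detect, compare, control and release at one ingress (added example)."""
from collections import defaultdict

BURST_S = 0.1  # assumed token-bucket depth, in seconds of the threshold rate


def measure_bandwidth(records, window_s):
    """Step 1200: bytes per destination over the window, reported as bits per second."""
    per_dst = defaultdict(int)
    for _, dst, size in records:
        per_dst[dst] += size
    return {dst: b * 8 / window_s for dst, b in per_dst.items()}


def decide_policies(bandwidth_bps, thresholds_bps, controlled):
    """Steps 1201-1202: 'limit' each destination whose bandwidth is not below its
    threshold; 'release' a controlled destination that fell back below it (claim 13)."""
    policies = {}
    for dst, thr in thresholds_bps.items():
        bw = bandwidth_bps.get(dst, 0.0)
        if bw >= thr:
            policies[dst] = ("limit", thr)
        elif dst in controlled:
            policies[dst] = ("release", None)
    return policies


class ControlDevice:
    """Step 1203: per-destination token bucket fed at the rate the policy names."""

    def __init__(self):
        self.rate, self.tokens, self.last = {}, {}, {}

    def apply(self, policies):
        for dst, (action, rate) in policies.items():
            if action == "release":
                for table in (self.rate, self.tokens, self.last):
                    table.pop(dst, None)
            elif self.rate.get(dst) != rate:          # new or changed limit
                self.rate[dst] = rate
                self.tokens[dst] = rate * BURST_S
                self.last[dst] = None

    def controlled(self):
        return set(self.rate)

    def forward(self, t, dst, size):
        """True if the packet is forwarded, False if the limiter drops it."""
        rate = self.rate.get(dst)
        if rate is None:
            return True
        if self.last[dst] is not None:
            refill = (t - self.last[dst]) * rate
            self.tokens[dst] = min(rate * BURST_S, self.tokens[dst] + refill)
        self.last[dst] = t
        bits = size * 8
        if self.tokens[dst] >= bits:
            self.tokens[dst] -= bits
            return True
        return False


def process_window(records, window_s, thresholds_bps, device):
    """Forward the window under the current policies, then measure the ingress
    traffic and hand the next policies to the control device.
    Returns (forwarded bits per destination, policies issued)."""
    forwarded = defaultdict(int)
    for t, dst, size in records:
        if device.forward(t, dst, size):
            forwarded[dst] += size * 8
    bw = measure_bandwidth(records, window_s)
    policies = decide_policies(bw, thresholds_bps, device.controlled())
    device.apply(policies)
    return dict(forwarded), policies


def packets(window, n, dst, size=1000):
    """Constructed traffic: n packets of `size` bytes spread evenly over a 1 s window."""
    return [(window + i / n, dst, size) for i in range(n)]


# Constructed: reference bandwidth 4 Mbit/s with ratio 2 gives an 8 Mbit/s threshold.
THRESHOLDS = {"203.0.113.10": 8e6, "198.51.100.5": 8e6}


def run_scenario():
    """Flood on 203.0.113.10 in windows 0 and 1 (16 Mbit/s), back to 0.8 Mbit/s in window 2."""
    device = ControlDevice()
    results = []
    for w, n_attack in enumerate((2000, 2000, 100)):
        recs = packets(w, n_attack, "203.0.113.10") + packets(w, 100, "198.51.100.5")
        recs.sort()
        results.append(process_window(recs, 1.0, THRESHOLDS, device))
    return results


if __name__ == "__main__":
    for w, (fwd, pol) in enumerate(run_scenario()):
        print(w, {d: f"{b / 1e6:.2f} Mbit" for d, b in fwd.items()}, pol)
```

Window 0 passes the full 16 Mbit flood because no policy exists yet, which is the detection lag the page's periodic measurement implies; window 1 is held to the 8 Mbit/s threshold plus the burst allowance while the unaffected destination is untouched; window 2 falls back below threshold and the detector issues the release.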
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. If these modifications and variations fall within the scope of the claims of the present invention and their equivalents, the present invention is intended to include them as well.

Claims (23)

1. A method for preventing a bandwidth-type DoS attack, characterized in that the method comprises the steps of:
measuring the bandwidth occupied by the packet flow, per IP destination address, that is sent from an external network to the present network and/or passes through it;
comparing said bandwidth with a corresponding preset bandwidth threshold, determining a control policy according to the comparison result, and controlling the packet flow whose bandwidth is not below the bandwidth threshold.
2. The method of claim 1, characterized in that said bandwidth threshold is set according to at least one of: the structure and performance of the network, the reference bandwidth corresponding to each IP address, and the user information corresponding to each IP address.
3. The method of claim 2, characterized in that said bandwidth threshold is the upper bandwidth limit that said flow is allowed to reach on the basis of the reference bandwidth corresponding to said IP address.
4. The method of claim 3, characterized in that a ratio value for said reference bandwidth is determined according to at least one of the structure and performance of the network and the user information corresponding to each IP address, and said upper bandwidth limit is set from said reference bandwidth and said ratio value.
5. The method of claim 1, characterized in that the bandwidth occupied by the packet flow, per IP destination address, sent from the external network to the present network and/or passing through it is measured at a network ingress of the present network.
6. The method of claim 5, characterized in that when there are several said network ingresses, the bandwidth occupied by said packet flow per IP destination address is measured periodically at each ingress in turn.
7. The method of claim 5, characterized in that when said network ingress has several links, the bandwidth occupied by said packet flow per IP destination address is measured periodically on each link in turn.
8. The method of claim 1, characterized in that said control policy is further determined according to the IP destination address and the control capability of the control device.
9. The method of any one of claims 1 to 8, characterized in that the packet flow of the IP address whose bandwidth is not below the bandwidth threshold is controlled at a network ingress of the present network.
10. The method of claim 9, characterized in that when there are several said network ingresses, the bandwidth threshold is apportioned among the ingresses and the packet flow of each ingress is controlled according to its apportioned bandwidth threshold.
11. The method of claim 10, characterized in that the controlled packet flow is injected through the original ingress or through another ingress.
12. The method of claim 9, characterized in that when there are several said network ingresses, the packet flows of the ingresses are merged at one ingress and controlled there, and the controlled merged flow is injected through another ingress.
13. The method of claim 1, characterized in that when the bandwidth occupied by a controlled packet flow falls back below the bandwidth threshold, control of that packet flow is lifted according to the policy for the controlled IP address.
14. A network device, characterized in that it comprises:
a unit for measuring the bandwidth occupied by the packet flow, per IP destination address, sent from an external network to the present network and/or passing through it;
a unit for comparing said bandwidth with a corresponding preset bandwidth threshold;
a unit for outputting a control policy according to the comparison result.
15. A network device, characterized in that it comprises:
a unit for receiving a control policy for controlling packet flows;
a unit for controlling, according to said control policy, the packet flow per IP destination address sent from an external network to the present network and/or passing through it whose occupied bandwidth is not below the bandwidth threshold.
16. A network system, characterized in that it comprises:
a detection device for measuring the bandwidth occupied by the packet flow, per IP destination address, sent from an external network to the present network and/or passing through it, comparing said bandwidth with a corresponding preset bandwidth threshold, and outputting a control policy according to the comparison result;
a control device for controlling, according to said control policy, the packet flow of the IP address whose bandwidth is not below the bandwidth threshold.
17. The system of claim 16, characterized in that said detection device is located at a network ingress of the present network.
18. The system of claim 17, characterized in that when there are several said network ingresses, said detection device periodically measures, at each ingress in turn, the bandwidth occupied by the packet flow per IP destination address sent from the external network to the present network and/or passing through it.
19. The system of claim 16, 17 or 18, characterized in that said control device is located at a network ingress of the present network.
20. The system of claim 19, characterized in that when there are several said network ingresses, there are several said control devices, one at each ingress, and each control device controls the packet flow of its ingress according to the bandwidth threshold apportioned to that ingress.
21. The system of claim 20, characterized in that each control device injects the controlled packet flow of its ingress through the original ingress or through another ingress.
22. The system of claim 19, characterized in that when there are several said network ingresses, said control device controls the merged packet flows of the ingresses at one ingress and injects the controlled merged flow through another ingress.
23. The system of claim 16, characterized in that when the bandwidth occupied by a controlled packet flow falls back below the bandwidth threshold, said control device lifts control of that packet flow according to the policy for the controlled IP address.
CNA2007100799052A 2007-02-16 2007-02-16 Method, device and system for preventing the broadband rejection service attack Pending CN101018156A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2007100799052A CN101018156A (en) 2007-02-16 2007-02-16 Method, device and system for preventing the broadband rejection service attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2007100799052A CN101018156A (en) 2007-02-16 2007-02-16 Method, device and system for preventing the broadband rejection service attack

Publications (1)

Publication Number Publication Date
CN101018156A true CN101018156A (en) 2007-08-15

Family

ID=38726923

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2007100799052A Pending CN101018156A (en) 2007-02-16 2007-02-16 Method, device and system for preventing the broadband rejection service attack

Country Status (1)

Country Link
CN (1) CN101018156A (en)

Cited By (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101212302B (en) * 2007-12-21 2012-09-12 华中科技大学 Method of defense against DDoS attacks in P2P stream media system
US8429747B2 (en) 2008-04-23 2013-04-23 Huawei Technologies Co., Ltd. Method and device for detecting flood attacks
WO2009129706A1 (en) * 2008-04-23 2009-10-29 成都市华为赛门铁克科技有限公司 Flooding attack detection method and the means thereof
US8990936B2 (en) 2008-04-23 2015-03-24 Chengdu Huawei Symantec Technologies Co., Ltd. Method and device for detecting flood attacks
WO2009152702A1 (en) * 2008-06-19 2009-12-23 华为技术有限公司 Flow control method, system and bearer layer equipment thereof
CN101478540B (en) * 2008-12-31 2012-04-25 成都市华为赛门铁克科技有限公司 Method and apparatus for defending and challenge collapsar attack
CN102045308B (en) * 2009-10-10 2014-04-30 中兴通讯股份有限公司 Method and device for preventing denial of service (DoS) attacks
CN102255910B (en) * 2011-07-11 2017-03-22 北京天融信科技有限公司 Method and device for testing performance of intrusion prevention product
CN102255910A (en) * 2011-07-11 2011-11-23 北京天融信科技有限公司 Method and device for testing performance of intrusion prevention product
CN103051612A (en) * 2012-12-13 2013-04-17 华为技术有限公司 Firewall and method for preventing network attack
CN103051612B (en) * 2012-12-13 2015-09-30 华为技术有限公司 Firewall and method for preventing network attack
CN104137503A (en) * 2012-12-19 2014-11-05 华为技术有限公司 Method, apparatus and network device for monitoring network
CN103312631A (en) * 2013-05-29 2013-09-18 深圳市普联技术有限公司 Bandwidth control method and router
CN103312631B (en) * 2013-05-29 2016-05-18 普联技术有限公司 Bandwidth control method and router
CN104038409A (en) * 2014-05-30 2014-09-10 汉柏科技有限公司 Method and device for email security management
WO2016041346A1 (en) * 2014-09-19 2016-03-24 中兴通讯股份有限公司 Network data traffic control method and device
CN105490954A (en) * 2014-09-19 2016-04-13 中兴通讯股份有限公司 Method and device for controlling network data flow
CN105991509B (en) * 2015-01-27 2019-07-09 杭州迪普科技股份有限公司 Session processing method and apparatus
CN105991509A (en) * 2015-01-27 2016-10-05 杭州迪普科技有限公司 Session processing method and apparatus
WO2016150253A1 (en) * 2015-03-24 2016-09-29 华为技术有限公司 Sdn-based ddos attack prevention method, device and system
US11394743B2 (en) 2015-03-24 2022-07-19 Huawei Technologies Co., Ltd. SDN-based DDoS attack prevention method, apparatus, and system
US10630719B2 (en) 2015-03-24 2020-04-21 Huawei Technologies Co., Ltd. SDN-based DDOS attack prevention method, apparatus, and system
CN106209745A (en) * 2015-05-07 2016-12-07 阿里巴巴集团控股有限公司 Traffic splitting method and device
CN106209745B (en) * 2015-05-07 2019-09-03 阿里巴巴集团控股有限公司 Traffic splitting method and device
CN105337970A (en) * 2015-10-20 2016-02-17 上海斐讯数据通信技术有限公司 Router, server and router-server-cooperative network access control method
CN109005164A (en) * 2018-07-20 2018-12-14 深圳市网心科技有限公司 Network system, device, network data exchange method and storage medium
WO2020177263A1 (en) * 2019-03-01 2020-09-10 烽火通信科技股份有限公司 Traffic management method and system and fabric network processor
CN110225037A (en) * 2019-06-12 2019-09-10 广东工业大学 DDoS attack detection method and device
CN110225037B (en) * 2019-06-12 2021-11-30 广东工业大学 DDoS attack detection method and device
CN110505249A (en) * 2019-09-30 2019-11-26 怀来斯达铭数据有限公司 DDoS attack identification method and device
CN112995229A (en) * 2021-05-17 2021-06-18 金锐同创(北京)科技股份有限公司 Network attack flow detection method, device, equipment and computer readable storage medium

Similar Documents

Publication Publication Date Title
CN101018156A (en) Method, device and system for preventing the broadband rejection service attack
EP3253025B1 (en) Sdn-based ddos attack prevention method, device and system
CN101431449B (en) Network traffic cleaning system
US8181240B2 (en) Method and apparatus for preventing DOS attacks on trunk interfaces
CN104954367B (en) Omnidirectional cross-domain DDoS attack protection method for the Internet
CN101626381B (en) Frame forwarding apparatus
US7710887B2 (en) Network protection via embedded controls
CN100435513C (en) Method for linking network equipment with an intrusion detection system
CN105991637B (en) Network attack defence method and device
CN105516184A (en) Link flooding attack defence method based on incrementally deployed SDN networks
KR100882809B1 (en) DDoS PROTECTION SYSTEM AND METHOD IN PER-FLOW BASED PACKET PROCESSING SYSTEM
CN101106518A (en) Service denial method for providing load protection of central processor
CN103210609A (en) Electronic device for communication in a data network including a protective circuit for identifying unwanted data
CN110213214A (en) Attack protection method, system, device and storage medium
CN105429974B (en) SDN-oriented intrusion prevention system and method
Luo et al. SDN/NFV-based security service function tree for cloud
Hadley et al. Software-defined networking redefines performance for ethernet control systems
Xuan et al. A Gateway-based Defense System for Distributed Denial-of-Service Attacks in High-Speed Networks
RU2576488C1 (en) METHOD OF CONSTRUCTING DATA NETWORKS WITH HIGH LEVEL OF SECURITY FROM DDoS ATTACKS
US8286244B2 (en) Method and system for protecting a computer network against packet floods
Hariri et al. Quality-of-protection (QoP)-an online monitoring and self-protection mechanism
JP2006067078A (en) Network system and attack defense method
CN106357661A (en) Switch-rotation-based distributed denial of service attack defence method
CN101300807B (en) Network access node computer for a communication network, communication system and method for operating a communications system
CN1819548A (en) Port re-enabling by monitoring link status

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication