CN101018233A - Session control method and control device - Google Patents

Publication number: CN101018233A (application CNA2007100870866A; granted version CN101018233B)
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 徐庆伟
Original assignee: Hangzhou Huawei 3Com Technology Co Ltd
Current assignee: New H3C Technologies Co Ltd
Legal status: granted, active
Prior art keywords: time, module, key exchange, internet key, partly
Abstract

The disclosed session control method comprises: presetting a timeout according to the negotiation mode of the Internet Key Exchange protocol; detecting, at a preset detection interval, the duration of each established half-open session; and, for any half-open session whose duration exceeds the timeout, releasing the resources and the connection count it occupies. This overcomes the defects of the prior art and ensures that normal Internet Key Exchange negotiation can proceed.

Description

Session control method and control device
Technical field
The present invention relates to information security technology, and in particular to a session control method and a session control device in the communications field.
Background technology
Internet Key Exchange (IKE) is the collective name for a family of authentication and key-exchange protocols. The suite comprises the Internet Security Association and Key Management Protocol (ISAKMP), the Oakley key determination protocol, and the SKEME secure key exchange mechanism.
ISAKMP is the core of IKE. It defines the complete procedures and message formats for negotiating, establishing, modifying and deleting security associations, and defines the payload formats for exchanging key-generation and identity-authentication data. These formats give key transport and authentication a fixed framework that is independent of the key generation technique, the cryptographic algorithm and the identity authentication method.
ISAKMP negotiation proceeds in two "phases". In phase 1 the two communicating parties establish a secure channel, the IKE security association (IKE SA), which protects the messages exchanged in phase 2; IKE offers two modes for this phase, Main Mode and Aggressive Mode. In phase 2 IPsec establishes the concrete IPsec security associations (IPsec SAs) that protect the data transmitted between the two parties.
In the prior art, during the phase 1 negotiation that sets up an IKE connection, an attacker can impersonate a legitimate user and send an IKE request message to a communication device. On receiving the attacker's request, the device sends a response to the device of the legitimate user being impersonated and keeps the request state created by the attacker, forming a half-open state. The legitimate user's device receives this response but discards it, because it never sent a request. If the legitimate user's device then sends its own IKE request to the communication device, the device, having already received the request the attacker sent in that user's name, discards the newly received request, so the legitimate user's device and the communication device cannot complete a normal IKE negotiation.
For example, as shown in Figure 1, gateway A and gateway B are the two mutually trusting endpoints of an IPsec tunnel; under normal circumstances gateway A establishes the IPsec tunnel with gateway B through IKE negotiation. Suppose gateway A, as the tunnel initiator, intends to start an IKE negotiation with gateway B, but before gateway A sends the first IKE message an attacker's device impersonates gateway A and sends an IKE request to gateway B. Gateway B receives this request, replies to gateway A with the second IKE message, the IKE response, and keeps the request state created by the attacker, forming a "half-open" IKE session. Because gateway A never sent a first IKE request, it discards the IKE response from gateway B. If gateway A now sends a genuine IKE request to gateway B, gateway B cannot tell whether the request really comes from gateway A; since it has already received, and is still processing, the request the attacker sent from gateway A's address, it discards the genuine request, and gateways A and B cannot carry out IKE negotiation. This is a denial-of-service (DoS) attack on IKE negotiation carried out by an attacker through an intermediate device, and it prevents normal IKE negotiation.
To mitigate this DoS attack, the IKE protocol adopts a Cookie mechanism. A Cookie is a hash of certain essential information, typically the IP addresses and port numbers of both parties, a secret random number, and the date and time. The Cookie mechanism identifies an IKE session by the Cookie carried in the IKE messages and sets a limit on the total number of IKE connections. When an attacker issues a large number of exchange requests with spoofed IP addresses, the system generates a Cookie for each request and returns it in the response; the next exchange step is carried out only when the message returned by the requester carries the Cookie sent in the earlier response and that Cookie verifies correctly, otherwise the exchange is refused. In the example above, once the attacker has sent an IKE denial-of-service flood with a fixed Cookie value, gateway A can still carry out a normal IKE negotiation with gateway B and establish a security association, as long as the Cookie carried in its genuine request differs from the Cookie carried in the attacker's messages.
However, while the Cookie mechanism effectively defeats an attacker who reuses the same Cookie, it introduces a more serious denial-of-service problem. On the one hand, under the Cookie mechanism, when the system receives an IKE request from the attacker it generates a Cookie and responds, and the request consumes one connection from the total limited by the Cookie mechanism; the system then keeps waiting for the attacker to return a message carrying the Cookie from its response, and releases the connection and the other resources of the request only when the timeout ageing time specified by the IKE protocol is reached. On the other hand, the ageing time specified by the IKE protocol is normally long: it depends on the retransmission count and on the per-attempt timeout, and the timeout grows exponentially after each retransmission. Consequently, an attacker who sends IKE requests with different Cookies at a high rate can, well within the protocol's ageing time, occupy the entire maximum number of connections permitted by the IKE mechanism, so that no other user can establish an IKE connection with the system, and the denial-of-service attack is thereby aggravated.
Taking the scenario above as an example, when the attacker rapidly sends attack messages with changing Cookies, the total number of IKE sessions allowed by the Cookie mechanism is exhausted in a short time, and gateways at addresses other than gateway A's likewise cannot carry out normal IKE negotiation with gateway B.
Summary of the invention
The object of the present invention is to provide a session control method and control device that effectively overcome the above defects of the prior art, significantly reduce the impact of denial-of-service attacks on the system, and guarantee the processing of normal Internet Key Exchange negotiation.
To achieve this object, the invention provides a session control method comprising: presetting a corresponding timeout according to the negotiation mode of Internet Key Exchange; and detecting, at a preset detection interval, the duration of each established half-open Internet Key Exchange session, and, if a half-open session has lasted longer than the timeout, releasing the resources and the connection count it occupies.
In this scheme, to address the prior-art defect that the timeout ageing time specified by the IKE protocol cannot promptly detect an attacker's frequent IKE requests carrying different Cookies, a corresponding timeout is preset according to the IKE negotiation mode (Main Mode or Aggressive Mode), that is, according to the normal duration of the half-open state in each negotiation mode. The established half-open sessions are checked at the preset detection interval, and any whose duration exceeds the preset timeout has its resources and connection count released. This effectively overcomes the defect of the prior art: the duration of half-open sessions is bounded by the preset timeout, so when an attacker occupies resources and IKE connections by setting up half-open sessions with request messages carrying different Cookies, the resources and connections of half-open sessions that exceed the timeout are released promptly, and other users' normal IKE negotiations can proceed smoothly.
Preferably, presetting the corresponding timeout according to the IKE negotiation mode may comprise: when negotiating in IKE Main Mode, setting the timeout according to the network transmission time of the messages and the time the peer needs to compute the D-H public value; when negotiating in IKE Aggressive Mode, setting the timeout according to the network transmission time of the messages, the time the local end needs to compute the D-H public value, and the time the peer needs to encrypt the third message of the IKE negotiation.
To achieve the same object, the invention also provides a session control device comprising: a setting module, for presetting a corresponding timeout according to the IKE negotiation mode; and a detection module, connected to the setting module, for detecting, at the detection interval preset by the setting module, the duration of each established half-open IKE session, and for releasing the resources and connection count of any half-open session whose duration exceeds the timeout.
In this scheme, to address the prior-art defect that the timeout ageing time specified by the IKE protocol cannot promptly detect an attacker's frequent IKE requests carrying different Cookies, the setting module presets a corresponding timeout according to the IKE negotiation mode (Main Mode or Aggressive Mode), that is, according to the normal duration of the half-open state in each IKE negotiation mode, and the detection module checks the duration of the established half-open sessions at the preset detection interval and releases the resources and connection count of any half-open session whose duration exceeds the preset timeout. This effectively overcomes the defect of the prior art: the duration of half-open sessions is bounded by the preset timeout, so when an attacker occupies resources and IKE connections by setting up half-open sessions with request messages carrying different Cookies, the resources and connections of half-open sessions that exceed the timeout are released promptly, and other users' normal IKE negotiations can proceed smoothly.
Preferably, the setting module may comprise: a Main Mode setting module, which, when negotiating in IKE Main Mode, sets the timeout according to the network transmission time of the messages and the time the peer needs to compute the D-H public value; and/or an Aggressive Mode setting module, which, when negotiating in IKE Aggressive Mode, sets the timeout according to the network transmission time of the messages, the time the local end needs to compute the D-H public value, and the time the peer needs to encrypt the third message of the IKE negotiation.
In summary, the invention presets a timeout according to the normal half-open duration of each IKE negotiation mode and uses it to bound the duration of the established half-open sessions: the durations are checked at a preset detection interval, and the resources and connection count of half-open sessions that exceed the timeout are released promptly. Therefore, when an attacker exhausts system resources and connections by setting up half-open sessions with IKE request messages carrying different Cookies, the resources and connection count of timed-out half-open sessions are released promptly and effectively, the impact of this denial-of-service attack on the system is greatly reduced, and the processing of other users' normal IKE negotiations is guaranteed.
Description of drawings
Fig. 1 is a schematic diagram of a denial-of-service attack pattern in the prior art;
Fig. 2 is a flow chart of embodiment one of the session control method of the present invention;
Fig. 3 is a flow chart of embodiment two of the session control method of the present invention;
Fig. 4 is a flow chart of embodiment three of the session control method of the present invention;
Fig. 5 is a structural diagram of embodiment one of the session control device of the present invention;
Fig. 6 is a structural diagram of embodiment two of the session control device of the present invention.
Embodiment
The technical scheme of the present invention is described in further detail below with reference to the drawings and embodiments.
In the prior art, Internet Key Exchange (IKE) uses a Cookie mechanism: the Cookie carried in IKE messages identifies an IKE session, and a limit is set on the total number of IKE connections. Although this Cookie mechanism effectively resists a denial-of-service attack in which the attacker tries to exhaust system resources by sending large numbers of IKE request messages with a fixed Cookie value, it cannot effectively resist an attacker who exhausts system resources by sending large numbers of IKE request messages with changing Cookie values. Moreover, because the timeout ageing time specified by the IKE protocol is itself long, the half-open sessions set up by such attack requests cannot be released promptly, so the attacker can exhaust system resources very quickly and the situation cannot be relieved in time.
In view of these shortcomings of the prior art, a corresponding timeout is preset according to the different IKE negotiation modes (Main Mode and Aggressive Mode), so that the timeout best reflects the half-open duration of a normal IKE session in each mode, and the duration of the established half-open sessions is controlled by this timeout. This overcomes the overly long ageing time of IKE in the prior art, so that the half-open sessions set up by an attacker's IKE request messages can be effectively screened out and detected, and their resources and connection count released. The session control method and session control device built on this idea therefore retain the advantage of the IKE Cookie mechanism against an attacker who floods IKE requests with a fixed Cookie value, and additionally resist an attacker who exhausts system resources by flooding IKE requests with changing Cookie values.
Based on this design, the invention provides a session control method. Fig. 1 is a flow chart of embodiment one of the session control method of the present invention, which comprises the following steps: first, in step 1, a corresponding timeout is preset according to the IKE negotiation mode; then, in step 2, the duration of each established half-open IKE session is checked at a preset detection interval, and if a half-open session has lasted longer than the timeout, its resources and connection count are released.
In embodiment one, to address the prior-art defect that the timeout ageing time specified by the IKE protocol cannot promptly detect an attacker's frequent IKE requests carrying different Cookies, step 1 presets a corresponding timeout according to the IKE negotiation mode (Main Mode or Aggressive Mode), that is, according to the normal duration of the half-open state in each negotiation mode, and step 2 checks the established half-open sessions at the preset detection interval and releases the resources and connection count of any whose duration exceeds the preset timeout. This effectively overcomes the defect of the prior art, because the duration of half-open sessions is bounded by the preset timeout.
Therefore, embodiment one not only retains the advantage of the Cookie mechanism of the existing IKE protocol against an attacker who tries to exhaust system resources by flooding IKE requests with a fixed Cookie value, but also resists an attacker who exhausts system resources by flooding IKE requests with changing Cookie values. With the method of embodiment one, when an attacker occupies resources and IKE connections by setting up half-open sessions with request messages carrying different Cookies, the resources and connection count of half-open sessions that exceed the timeout are released promptly, which greatly reduces the impact of the denial-of-service attack on the system and lets other users' normal IKE negotiations proceed smoothly.
Phase 1 of an IKE session may use either Main Mode or Aggressive Mode.
Main Mode consists of six messages exchanged between the initiator and the responder. The first two messages negotiate the policy; the next two exchange the Diffie-Hellman public values (D-H public values) and the required nonces; the last two carry the identity data and authenticate the Diffie-Hellman exchange.
Main Mode is designed to separate the key exchange messages from the identity and authentication information. This separation effectively protects the identity information, but at the cost of three extra messages. The Main Mode key exchange offers rich negotiation capability: in the first message the initiator offers several proposals with different encryption algorithms, hash algorithms, authentication methods and group parameters, and the responder selects one proposal according to its local policy.
Aggressive Mode consists of a three-message exchange between the initiator and the responder. The first two messages negotiate the policy and exchange the Diffie-Hellman public values, nonces and identity information; in addition, the second message authenticates the responder. The third message authenticates the initiator and provides proof of its participation in the exchange.
The advantage of Aggressive Mode is its speed. Unless Aggressive Mode uses public-key authentication, the exchange does not provide identity confidentiality, and because only three messages are used, its negotiation capability is somewhat limited.
In Main Mode, as soon as the third message of the IKE Main Mode negotiation is received, the IKE protocol regards the process as a legitimate exchange. The time taken by this process consists of:
A) the network transmission time of the messages, which itself consists of two parts: the time for the sent message to reach the peer, and the time for the peer's corresponding message to reach the local end;
B) the time the peer needs to compute the D-H public value, which depends on the performance of the peer device.
Therefore, in embodiment one, when negotiating in IKE Main Mode, presetting the corresponding timeout according to the negotiation mode may comprise setting the timeout according to the network transmission time of the messages and the time the peer needs to compute the D-H public value (a value that must be computed during the IKE session).
In Aggressive Mode, as soon as the third message of the IKE Aggressive Mode negotiation is received, the IKE protocol regards the process as a legitimate exchange. The time taken by this process consists of:
A) the network transmission time of the messages, which itself consists of two parts: the time elapsed for the sent message to reach the peer, and the time elapsed for the peer's corresponding message to reach the local end;
B) the time the local end needs to compute the D-H public value, which depends on the performance of the local device;
C) the time the peer needs to encrypt the third message, which depends on the performance of the peer.
Therefore, in embodiment one, when negotiating in IKE Aggressive Mode, presetting the corresponding timeout according to the negotiation mode may comprise setting the timeout according to the network transmission time of the messages, the time the local end needs to compute the D-H public value, and the time the peer needs to encrypt the third message of the IKE negotiation.
Those of ordinary skill in the art will understand that the preset detection interval of embodiment one can be set flexibly according to the needs of the application scenario: for example, the half-open durations of the established IKE sessions may be checked at a preset period, or the check may be performed using timestamps, and all such variants fall within the scope of the invention. Embodiment two below gives an implementation that performs the check using timestamps.
Fig. 3 is a flow chart of embodiment two of the session control method of the present invention. Embodiment two differs from embodiment one in that step 2 specifically comprises the following steps: in step 20, when a half-open IKE session is set up, the timestamp at which it was set up is recorded; in step 21, when the total IKE connection count is exhausted, the duration of each established half-open session is computed from its recorded timestamp and the current system time; in step 22, if a half-open session whose duration exceeds the timeout is detected, its resources and connection count are released.
Embodiment two builds on embodiment one by recording a timestamp for each half-open session when it is set up and checking the established half-open sessions against those timestamps only when the total IKE connection count is exhausted, rather than checking them at a preset period. In effect, embodiment two starts an accelerated-ageing mechanism at the moment the total IKE connection count is exhausted, that is, when a denial-of-service attack may be under way: it checks the established half-open sessions by their recorded timestamps, ages out the attack messages faster, and releases the resources and connection count those messages occupy. If the total IKE connection count is not exhausted, that is, no sign of an attack has appeared and half-open resources are still available, accelerated ageing is not started, and the half-open sessions are still aged and their resources released according to the existing IKE protocol ageing time.
Therefore, besides achieving the technical effect of embodiment one, embodiment two, compared with checking at a preset period, detects and handles a denial-of-service attack more promptly, and when no denial-of-service attack is under way it performs no check, which reduces the impact on system performance.
Preferably, to avoid mistakenly releasing the half-open sessions of normal IKE sessions, when half-open sessions whose duration exceeds the preset timeout are detected, only some of them may be released, enough to meet the needs of other users' IKE negotiations. In other words, in embodiments one and two, releasing the resources and connection count of half-open sessions whose duration exceeds the timeout may comprise: when such half-open sessions are detected, releasing the resources and connection count of a predetermined number of the detected half-open sessions.
Embodiment three of the session control method of the present invention further gives a concrete way of recording the timestamps described in embodiment two. Fig. 4 is a flow chart of embodiment three, which differs from embodiment two as follows. Step 20 specifically comprises steps 201 and 202: in step 201, when a half-open IKE session is set up, a corresponding entry is created in the half-open state table, recording the Cookie value carried in the request message and the timestamp at set-up time; in step 202, when the third message of this half-open session, carrying the recorded Cookie, is received, the entry is deleted. Step 21 is specifically step 210: when the total IKE connection count is exhausted, the duration of the half-open session corresponding to each entry is computed from the entry's timestamp and the current system time. Step 22 is specifically step 220: if half-open sessions whose duration exceeds the timeout are detected, the entries of a predetermined number of the detected half-open sessions are deleted, and the resources and connection count of those sessions are released.
The implementation of recording timestamps and checking by timestamp given in embodiment three records the Cookie carried by each half-open session and the corresponding timestamp in an entry of the half-open state table; deletes the entry when the third message of that half-open IKE session (that is, the second message sent by the requesting end that initiated the session) is received; and, when the system's total IKE connection count is exhausted, checks whether the difference between the timestamp of each entry in the table and the current system time exceeds the preset timeout, releasing the resources and connection count of a predetermined number of the entries so detected. Those of ordinary skill in the art will understand that the way timestamps are recorded and checked can be chosen flexibly according to the needs of the application scenario, and all such variants fall within the scope of the invention.
Provided the sample table of the semi-connection state table described in the present embodiment three below in table 1, those of ordinary skill in the art should be appreciated that described semi-connection state tableau format can be set flexibly according to the demand of concrete application scenarios.
Table 1 Sample half-open state table
Cookie    Timestamp
1         10
2         20
3         30
8         80
Based on the above design, the invention also provides a session control device. Fig. 5 is a structural diagram of embodiment one of the session control device of the invention. Embodiment one comprises: a setting module 51, used to set the corresponding timeout in advance according to the negotiation mode of the internet key exchange; and a detection module 52, connected to the setting module 51 and used to check, at the detection time preset by the setting module 51, the duration of established half-open connections of internet key exchange sessions and, if a half-open connection has lasted longer than the timeout, to release the resources and connection count it occupies.
In embodiment one of the session control device, the defect addressed is that the prior art, relying only on the timeout aging time prescribed by the IKE protocol, cannot detect in time an attacker who frequently sends IKE request messages carrying different Cookies. Here the setting module 51 sets the timeout in advance according to the IKE negotiation mode (main mode or aggressive mode), that is, according to the normal duration of the half-open state in each IKE negotiation mode, and the detection module 52 checks the duration of established half-open connections at the preset detection time and releases the resources and connection count of any half-open connection that has exceeded the timeout set by the setting module 51. This effectively overcomes the defect of the prior art: the duration of half-open connections is bounded by the preset timeout, so when an attacker occupies resources and the IKE connection count by sending request messages with different Cookies to set up half-open connections, the resources and connection count of half-open connections that have exceeded the timeout are released in time, and normal IKE negotiation by other users can proceed.
Likewise, in embodiment one of the device, for the different negotiation modes selectable in phase one of an IKE session: when negotiation uses the main mode of the internet key exchange, the setting module 51 may include a main mode setting module, which sets the corresponding timeout according to the network transit time of the messages and the time the peer needs to compute its D-H public value; when negotiation uses the aggressive mode, the setting module 51 may include an aggressive mode setting module, which sets the corresponding timeout according to the network transit time of the messages, the time the local end needs to compute its D-H public value, and the time the peer needs to encrypt the third message of the IKE negotiation. The budgets differ because in main mode the half-open state lasts until the initiator's key exchange message arrives, which the initiator sends only after computing its D-H public value, whereas in aggressive mode the initiator's D-H value arrives in the first message, the responder must compute its own before replying, and the half-open state ends with the initiator's third message. A person of ordinary skill in the art can, according to the actual situation, configure the setting module 51 as a main mode setting module and/or an aggressive mode setting module.
A person of ordinary skill in the art should understand that the detection method of the detection module 52 in embodiment one can be set flexibly according to the needs of the application scenario; for example, the detection module 52 can check the duration of established half-open connections at a preset period, or can perform the check using timestamps, and so on, all of which fall within the scope of protection of the technical solution of the invention.
Accordingly, in embodiment one of the device, the detection module 52 may include a periodic detection module, connected to the setting module 51 and used to check the duration of established half-open connections of internet key exchange sessions at the period preset by the setting module 51.
Embodiment two of the session control device gives an implementation in which the detection module 52 performs the check using timestamps.
Fig. 6 is a structural diagram of embodiment two of the session control device of the invention. Embodiment two differs from embodiment one in that the detection module 52 comprises: a timestamp recording module 61, used to record, when a half-open connection of an internet key exchange session is established, the timestamp of its establishment; and a timestamp detection module 62, connected to the timestamp recording module 61 and the setting module 51 and used, when the total connection count of internet key exchange sessions is exhausted, to calculate the duration of each established half-open connection from the timestamp recorded by the timestamp recording module 61 and the current system time and, if a half-open connection has lasted longer than the timeout set by the setting module 51, to release the resources and connection count it occupies.
Building on embodiment one, embodiment two records a timestamp for each half-open connection when it is established (timestamp recording module 61) and checks established half-open connections against the recorded timestamps (timestamp detection module 62) only when the total IKE connection count is exhausted, rather than at a preset period. In effect, embodiment two starts an accelerated aging mechanism when the total IKE connection count is exhausted, which is when a denial of service attack may be in progress: established half-open connections are checked against the recorded timestamps, attack messages are aged out faster, and the resources and connection count they occupy are released. If the total IKE connection count is not exhausted, that is, no attack is apparent and half-open connection resources are still available, accelerated aging is not enabled and half-open connections are aged out (their resources released) using the existing timeout aging time of the IKE protocol.
Embodiment two therefore achieves the technical effect of embodiment one and, compared with checking at a preset period, detects and handles denial of service attacks more promptly, while performing no checks when no attack is under way, which reduces the impact on system performance.
Preferably, to avoid releasing the half-open connection resources of normal IKE sessions by mistake, only a part of the half-open connections found to have exceeded the preset timeout are released, enough to meet the needs of other users performing IKE negotiation. In other words, in embodiments one and two of the device, the detection module 52 may further include a half-open release count setting module, used to set in advance the number of detected half-open connections to release; when the detection module detects half-open connections whose duration exceeds the timeout, it releases the resources and connection count occupied by that number of the detected half-open connections.
Embodiment three of the session control device gives a concrete way in which the timestamp recording module 61 of embodiment two records timestamps and the timestamp detection module 62 performs detection using them.
Embodiment three of the device differs from embodiment two in that the timestamp recording module 61 comprises a half-open state entry creation module and a half-open state entry deletion module. The half-open state entry creation module is used, when a half-open connection of an internet key exchange session is established, to create a corresponding entry in the half-open state table and record in it the Cookie value carried in the request message and the timestamp of establishment; the half-open state entry deletion module is used to delete the entry when the third message of this half-open connection, carrying the recorded Cookie, is received. The timestamp detection module 62 comprises a half-open state entry detection module and a half-open release module. The half-open state entry detection module is used, when the total connection count of internet key exchange sessions is exhausted, to calculate the duration of the half-open connection corresponding to each entry in the half-open state table from the entry's timestamp and the current system time; the half-open release module, connected to the half-open state entry detection module and the setting module, is used, when the half-open state entry detection module detects half-open connections whose duration exceeds the timeout set by the setting module, to delete the entries of a predetermined number of the detected half-open connections and release the resources and connection count those half-open connections occupy.
In embodiment three, then, timestamp recording and timestamp-based detection work as follows: the half-open state entry creation module records the Cookie carried by the half-open connection and the corresponding timestamp in the matching entry of the half-open state table; when the third message of the IKE session of this half-open connection (that is, the second message sent by the requesting end that initiated the IKE session) is received, the half-open state entry deletion module deletes the corresponding entry; when the system's total IKE connection count is exhausted, the half-open state entry detection module checks whether the difference between each entry's timestamp and the current system time exceeds the preset timeout, and the half-open release module releases the resources and connection count of a predetermined number of the detected entries. A person of ordinary skill in the art will appreciate that the way timestamps are recorded and checked can be chosen flexibly according to the needs of the application scenario, and that all such choices fall within the scope of protection of the technical solution of the invention.
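As an added example, not code from the patent or from the applicant, the following Python sketch implements the half-open state table of method embodiment three and the module structure of device embodiments two and three above: an entry keyed by the initiator's Cookie is created on the first message and deleted on the third, accelerated aging runs only when the connection budget is exhausted, and a predetermined number of expired entries are released per check. It also folds in the mode-specific timeout budget of embodiment one. The timeout components, table capacity, release count and traffic timings are constructed assumptions, and the attacker and legitimate-initiator traffic is simulated rather than parsed from real IKE packets.

```python
"""Half-open IKE session control, added example (not the patent's own code).

An entry keyed by the initiator's Cookie is created on the first message and
deleted on the third; when the connection budget is exhausted the entries are
aged against a mode-specific timeout and a predetermined number are released.
All numeric values (timeout components, capacity, release count, traffic
timing) are constructed assumptions for the demonstration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    MAIN = "main"
    AGGRESSIVE = "aggressive"


def timeout_for(mode: Mode, net_transit: float, local_dh: float,
                peer_dh: float, peer_encrypt_msg3: float) -> float:
    """Timeout per negotiation mode, following the patent's description.

    Main mode: the half-open state lasts until the initiator's key exchange
    message arrives, so budget network transit plus the peer's D-H computation.
    Aggressive mode: the responder computes its own D-H value before replying
    and then waits for the peer's encrypted third message, so budget network
    transit plus the local D-H computation plus the peer's encryption time.
    """
    if mode is Mode.MAIN:
        return net_transit + peer_dh
    return net_transit + local_dh + peer_encrypt_msg3


@dataclass
class HalfOpenTable:
    """Half-open state table: Cookie -> timestamp of establishment (Table 1)."""
    timeout: float          # from timeout_for()
    max_connections: int    # total IKE connection budget
    release_count: int      # predetermined number released per check, so a
                            # slow but legitimate negotiation is not torn down
    entries: dict = field(default_factory=dict)

    def on_first_message(self, cookie: bytes, now: float) -> bool:
        """First IKE message with a new Cookie. Returns True if a slot was granted.

        Accelerated aging runs only when the budget is exhausted (device
        embodiment two); with free slots the protocol's own aging applies.
        """
        if len(self.entries) >= self.max_connections:
            self.accelerated_aging(now)
        if len(self.entries) >= self.max_connections:
            return False
        self.entries[cookie] = now
        return True

    def on_third_message(self, cookie: bytes) -> bool:
        """Third message of the exchange (the initiator's second message)
        carrying a recorded Cookie ends the half-open phase: delete the entry."""
        return self.entries.pop(cookie, None) is not None

    def accelerated_aging(self, now: float) -> list:
        """Release up to release_count of the entries whose duration exceeds
        the mode-specific timeout, oldest first. Returns the released Cookies."""
        expired = sorted((c for c, ts in self.entries.items()
                          if now - ts > self.timeout),
                         key=lambda c: self.entries[c])
        released = expired[:self.release_count]
        for c in released:
            del self.entries[c]
        return released


def flood_scenario(timeout: float, capacity: int = 4, release_count: int = 2):
    """Constructed traffic: an attacker fills the table with distinct Cookies
    and never sends a third message; a legitimate initiator then arrives.
    Returns (legit_accepted, legit_completed, entries_remaining)."""
    table = HalfOpenTable(timeout=timeout, max_connections=capacity,
                          release_count=release_count)
    for i, t in enumerate((0.0, 0.1, 0.2, 0.3)):
        table.on_first_message(f"atk-{i}".encode(), t)
    accepted = table.on_first_message(b"legit", 5.0)
    completed = table.on_third_message(b"legit")
    return accepted, completed, len(table.entries)


if __name__ == "__main__":
    main_timeout = timeout_for(Mode.MAIN, net_transit=0.5, local_dh=1.0,
                               peer_dh=1.0, peer_encrypt_msg3=0.2)  # 1.5 s
    print("mode-specific timeout:", flood_scenario(main_timeout))  # (True, True, 2)
    print("protocol aging only, 30 s:", flood_scenario(30.0))      # (False, False, 4)
```

Running the module contrasts the mode-specific timeout with leaving only the protocol's own aging time (assumed to be 30 s here) in place: with the short timeout the legitimate initiator still obtains a slot during the flood, with the long one it does not. A production implementation would key the table on the 8-byte initiator Cookie from the ISAKMP header and would also have to bound the table's memory, since an attacker can choose Cookies at will.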
The above embodiments serve only to illustrate the technical solution of the invention and do not limit it. Although the invention has been described in detail with reference to the preferred embodiments above, a person of ordinary skill in the art should understand that the technical solution of the invention can still be modified or replaced by equivalents, and that such modification or equivalent replacement does not depart from the spirit and scope of the technical solution of the invention.

Claims (12)

1. A session control method, characterized in that it comprises:
setting a corresponding timeout in advance according to the negotiation mode of the internet key exchange;
checking, at a preset detection time, the duration of established half-open connections of internet key exchange sessions, and, if a half-open connection has lasted longer than the timeout, releasing the resources and connection count it occupies.
2. The method according to claim 1, characterized in that setting a corresponding timeout in advance according to the negotiation mode of the internet key exchange comprises:
when negotiation uses the main mode of the internet key exchange, setting the corresponding timeout according to the network transit time of the messages and the time the peer needs to compute the D-H public value;
when negotiation uses the aggressive mode of the internet key exchange, setting the corresponding timeout according to the network transit time of the messages, the time the local end needs to compute the D-H public value, and the time the peer needs to encrypt the third message of the IKE negotiation.
3. The method according to claim 1, characterized in that checking, at a preset detection time, the duration of established half-open connections of internet key exchange sessions comprises: checking the duration of established half-open connections of internet key exchange sessions at a preset period.
4. The method according to claim 1, characterized in that checking, at a preset detection time, the duration of established half-open connections of internet key exchange sessions comprises:
when a half-open connection of an internet key exchange session is established, recording the timestamp of its establishment;
when the total connection count of internet key exchange sessions is exhausted, calculating the duration of the established half-open connections of internet key exchange sessions from the recorded timestamps and the current system time.
5. The method according to claim 3 or 4, characterized in that, if a half-open connection has lasted longer than the timeout, releasing the resources and connection count it occupies comprises: if half-open connections whose duration exceeds the timeout are detected, releasing the resources and connection count occupied by a predetermined number of the detected half-open connections.
6. The method according to claim 4, characterized in that:
recording, when a half-open connection of an internet key exchange session is established, the timestamp of its establishment specifically comprises: when a half-open connection of an internet key exchange session is established, creating a corresponding entry in the half-open state table and recording in it the Cookie value carried in the request message and the timestamp of establishment, and deleting the entry when the third message of this half-open connection, carrying the recorded Cookie, is received;
calculating, when the total connection count of internet key exchange sessions is exhausted, the duration of the established half-open connections from the recorded timestamps and the current system time specifically comprises: when the total connection count of internet key exchange sessions is exhausted, calculating the duration of the half-open connection corresponding to each entry in the half-open state table from the entry's timestamp and the current system time;
if a half-open connection has lasted longer than the timeout, releasing the resources and connection count it occupies specifically comprises: if half-open connections whose duration exceeds the timeout are detected, deleting the entries of a predetermined number of the detected half-open connections and releasing the resources and connection count occupied by those half-open connections.
7. A session control device, characterized in that it comprises:
a setting module, used to set a corresponding timeout in advance according to the negotiation mode of the internet key exchange;
a detection module, connected to the setting module and used to check, at the detection time preset by the setting module, the duration of established half-open connections of internet key exchange sessions and, if a half-open connection has lasted longer than the timeout, to release the resources and connection count it occupies.
8. The device according to claim 7, characterized in that the setting module comprises:
a main mode setting module, used, when negotiation uses the main mode of the internet key exchange, to set the corresponding timeout according to the network transit time of the messages and the time the peer needs to compute the D-H public value; and/or
an aggressive mode setting module, used, when negotiation uses the aggressive mode of the internet key exchange, to set the corresponding timeout according to the network transit time of the messages, the time the local end needs to compute the D-H public value, and the time the peer needs to encrypt the third message of the IKE negotiation.
9. The device according to claim 7, characterized in that the detection module comprises: a periodic detection module, connected to the setting module and used to check the duration of established half-open connections of internet key exchange sessions at the period preset by the setting module.
10. The device according to claim 7, characterized in that the detection module comprises:
a timestamp recording module, used to record, when a half-open connection of an internet key exchange session is established, the timestamp of its establishment;
a timestamp detection module, connected to the timestamp recording module and the setting module and used, when the total connection count of internet key exchange sessions is exhausted, to calculate the duration of the established half-open connections of internet key exchange sessions from the recorded timestamps and the current system time and, if a half-open connection has lasted longer than the timeout set by the setting module, to release the resources and connection count it occupies.
11. The device according to claim 9 or 10, characterized in that the detection module further comprises: a half-open release count setting module, used to set in advance the number of detected half-open connections to release, so that when the detection module detects half-open connections whose duration exceeds the timeout, it releases the resources and connection count occupied by that number of the detected half-open connections.
12. The device according to claim 10, characterized in that:
the timestamp recording module comprises a half-open state entry creation module and a half-open state entry deletion module; the half-open state entry creation module is used, when a half-open connection of an internet key exchange session is established, to create a corresponding entry in the half-open state table and record in it the Cookie value carried in the request message and the timestamp of establishment; the half-open state entry deletion module is used to delete the entry when the third message of this half-open connection, carrying the recorded Cookie, is received;
the timestamp detection module comprises a half-open state entry detection module and a half-open release module; the half-open state entry detection module is used, when the total connection count of internet key exchange sessions is exhausted, to calculate the duration of the half-open connection corresponding to each entry in the half-open state table from the entry's timestamp and the current system time; the half-open release module, connected to the half-open state entry detection module and the setting module, is used, when the half-open state entry detection module detects half-open connections whose duration exceeds the timeout set by the setting module, to delete the entries of a predetermined number of the detected half-open connections and release the resources and connection count occupied by those half-open connections.
CN2007100870866A 2007-03-20 2007-03-20 Session control method and control device Active CN101018233B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2007100870866A CN101018233B (en) 2007-03-20 2007-03-20 Session control method and control device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2007100870866A CN101018233B (en) 2007-03-20 2007-03-20 Session control method and control device

Publications (2)

Publication Number Publication Date
CN101018233A true CN101018233A (en) 2007-08-15
CN101018233B CN101018233B (en) 2011-08-24

Family

ID=38726989

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007100870866A Active CN101018233B (en) 2007-03-20 2007-03-20 Session control method and control device

Country Status (1)

Country Link
CN (1) CN101018233B (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101355419B (en) * 2008-08-22 2011-01-05 成都市华为赛门铁克科技有限公司 Method and apparatus for avoiding network attack
CN101227485B (en) * 2008-02-04 2011-07-27 杭州华三通信技术有限公司 Method and apparatus for negotiating internet cryptographic key exchanging safety coalition existence period
CN101867473B (en) * 2010-01-27 2012-01-04 南京大学 Connection establishment method and access authentication system for blocking-attacking resistant shared media terminal
CN102694808A (en) * 2012-05-31 2012-09-26 汉柏科技有限公司 Processing system and method for internet key exchange (IKE) remote access
CN101741807B (en) * 2008-11-19 2012-12-05 中兴通讯股份有限公司 Method for consulting updating time in SIP session refreshing process
CN104601578A (en) * 2015-01-19 2015-05-06 福建星网锐捷网络有限公司 Recognition method and device for attack message and core device
CN106330911A (en) * 2016-08-25 2017-01-11 广东睿江云计算股份有限公司 CC (Challenge Collapsar) attack protection method and device
CN109547487A (en) * 2018-12-28 2019-03-29 北京奇安信科技有限公司 Message treatment method, apparatus and system
CN110445874A (en) * 2019-08-14 2019-11-12 京东数字科技控股有限公司 A kind of conversation processing method, device, equipment and storage medium
WO2021138777A1 (en) * 2020-01-06 2021-07-15 Oppo广东移动通信有限公司 Frequency point measurement relaxation method, electronic device, and storage medium
CN114301653A (en) * 2021-12-22 2022-04-08 山石网科通信技术股份有限公司 Method, device, storage medium and processor for resisting semi-connection attack

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1299485C (en) * 2002-06-12 2007-02-07 华为技术有限公司 Method for setting waiting time for completely closing transmission control procotol connection
CN100484043C (en) * 2004-08-12 2009-04-29 海信集团有限公司 Detecting method for preventing SYN flooding attack of network

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101227485B (en) * 2008-02-04 2011-07-27 杭州华三通信技术有限公司 Method and apparatus for negotiating internet cryptographic key exchanging safety coalition existence period
CN101355419B (en) * 2008-08-22 2011-01-05 成都市华为赛门铁克科技有限公司 Method and apparatus for avoiding network attack
CN101741807B (en) * 2008-11-19 2012-12-05 中兴通讯股份有限公司 Method for consulting updating time in SIP session refreshing process
CN101867473B (en) * 2010-01-27 2012-01-04 南京大学 Connection establishment method and access authentication system for blocking-attacking resistant shared media terminal
CN102694808A (en) * 2012-05-31 2012-09-26 汉柏科技有限公司 Processing system and method for internet key exchange (IKE) remote access
CN104601578A (en) * 2015-01-19 2015-05-06 福建星网锐捷网络有限公司 Recognition method and device for attack message and core device
CN106330911A (en) * 2016-08-25 2017-01-11 广东睿江云计算股份有限公司 CC (Challenge Collapsar) attack protection method and device
CN109547487A (en) * 2018-12-28 2019-03-29 北京奇安信科技有限公司 Message treatment method, apparatus and system
CN110445874A (en) * 2019-08-14 2019-11-12 京东数字科技控股有限公司 A kind of conversation processing method, device, equipment and storage medium
CN110445874B (en) * 2019-08-14 2020-09-01 京东数字科技控股有限公司 Session processing method, device, equipment and storage medium
WO2021138777A1 (en) * 2020-01-06 2021-07-15 Oppo广东移动通信有限公司 Frequency point measurement relaxation method, electronic device, and storage medium
CN114600496A (en) * 2020-01-06 2022-06-07 Oppo广东移动通信有限公司 Frequency point measurement relaxation method, electronic equipment and storage medium
CN114600496B (en) * 2020-01-06 2023-10-13 Oppo广东移动通信有限公司 Frequency point measurement relaxation method, electronic equipment and storage medium
CN114301653A (en) * 2021-12-22 2022-04-08 山石网科通信技术股份有限公司 Method, device, storage medium and processor for resisting semi-connection attack
CN114301653B (en) * 2021-12-22 2024-02-02 山石网科通信技术股份有限公司 Method, device, storage medium and processor for resisting half-connection attack

Also Published As

Publication number Publication date
CN101018233B (en) 2011-08-24

Similar Documents

Publication Publication Date Title
CN101018233B (en) Session control method and control device
CN101022458B (en) Conversation control method and control device
US7950053B2 (en) Firewall system and firewall control method
CN1833403B (en) Communication system, communication device and communication method
US8347383B2 (en) Network monitoring apparatus, network monitoring method, and network monitoring program
EP1861946B1 (en) Authenticating an endpoint using a stun server
CN105516080B (en) The processing method of TCP connection, apparatus and system
US8370630B2 (en) Client device, mail system, program, and recording medium
US20150281177A1 (en) Attack Defense Method and Device
CN104426837B (en) The application layer message filtering method and device of FTP
CN101378395A (en) Method and apparatus for preventing reject access aggression
CN101248613A (en) Authentic device admission scheme for a secure communication network, especially a secure ip telephony network
WO2009082889A1 (en) A method for internet key exchange negotiation and device, system thereof
CN106230587B (en) A kind of method of long connection anti-replay-attack
CN102231748B (en) Method and device for verifying client
CN101984693A (en) Monitoring method and monitoring device for access of terminal to local area network (LAN)
CN111988289B (en) EPA industrial control network security test system and method
CN107277058A (en) A kind of interface authentication method and system based on BFD agreements
CN101188558B (en) Access control method, unit and network device
CN103812958A (en) Method for processing network address translation technology, NAT device and BNG device
CN105516062A (en) L2TP over IPsec access realizing method
CN102263826A (en) Method and device for establishing connection with transport layer
Touil et al. Secure and guarantee QoS in a video sequence: a new approach based on TLS protocol to secure data and RTP to ensure real-time exchanges
CN106790134A (en) The access control method and Security Policy Server of a kind of video monitoring system
CN104601578A (en) Recognition method and device for attack message and core device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: No. 466 Changhe Road, Binjiang District, Zhejiang, China, 310052

Patentee after: New H3C Technologies Co., Ltd.

Address before: Huawei Hangzhou production base, No. 310 Liuhe Road, Science and Technology Industrial Park, Hangzhou Hi-Tech Industrial Development Zone, Zhejiang, China, 310053

Patentee before: Hangzhou H3C Communication Technology Co., Ltd.