CN101188607A - Method for preventing DSLAM device from protocol packet attack based on network processor - Google Patents
- Publication number: CN101188607A (application CNA2006101458243A)
- Authority: CN (China)
- Prior art keywords: speed limit, protocol, data flow, port, message
- Legal status: Pending
Abstract
The invention relates to a method for protecting a DSLAM device against protocol packet attacks. It uses a network processor to capture data flows and to rate-limit them. The method comprises the following steps: a separate rate-limit threshold is analysed and set for each type of protocol packet according to the international or national standard for that protocol; data flows are captured by classifying on protocol header feature fields, and rate limiting is applied with the threshold corresponding to each protocol. With user-defined capture and processing rules, the method uses the network processor to capture and rate-limit data flows; it can suppress malicious protocol packet attacks at the level of a single user port, so that an attack cannot affect other ordinary users on the same line card; it suppresses each protocol's packets separately, so that an attack on one protocol cannot affect other protocol services; and it reduces the packet processing load on the line card and on upper-layer devices, which can then concentrate on implementing other security policies. The development difficulty of the whole broadband access system is therefore reduced and its reliability improved.
Description
Technical field
The present invention relates to computer networks and broadband access, and specifically to a method by which a DSLAM device prevents protocol packet attacks using a network processor.
Background technology
At present, because of the diversified demand for broadband services, broadband access equipment needs to support more functions and must therefore process various protocol packets, such as the Point-to-Point Protocol over Ethernet (PPPOE), the Dynamic Host Configuration Protocol (DHCP) and the Internet Group Management Protocol (IGMP), in order to provide a variety of services. However, as the number of network users and the scale of the network grow, the forwarding capacity and system stability of broadband access equipment face ever harsher challenges. If network protocol packets are used for a malicious attack, i.e. a high-speed flood of protocol packets, the broadband access equipment must continually process a large number of protocol packets, which consumes a great deal of CPU resources and bandwidth; other normal service functions are severely affected, performance drops sharply, and one abnormal user can affect other users on the same device, causing faults such as normal users being unable to go online. This brings great inconvenience to users and even to operators.
At present, the processing flow of protocol packets in a DSLAM system is roughly as shown in Figure 1. After obtaining protocol packets, line card 2 uploads them to main control board 1 through service channel 31, where they are further processed by the upper-layer service device; main control board 1 sends the corresponding response packets down to line card 2 through service channel 31. A network processor, which may be a customised ASIC chip or an FPGA chip, is located in line card 2, and line card 2 also sends information to, or receives parameter settings from, the network management system through management channel 32. To support more security policies, the line card must also extract some information after obtaining protocol packets; for this purpose, it needs to capture certain protocol packets and send them to its CPU for processing. Consequently, when a protocol packet attack occurs, the line card's CPU, the service channel bandwidth from the line card to the main control board, and the resources of upper-layer devices are all affected, and system performance degrades.
At present, the existing methods for handling the protocol packet attack problem are mainly the following:
1. On the line card side (also called the user/service board side), various algorithms, such as a token bucket, are used to rate-limit the packets sent to the main control board. This method can only protect the service channel between the line card and the main control board; it cannot protect the line card's CPU resources, cannot distinguish protocol packet types, and cannot protect other normal users at the port level;
2. In the line card's packet send/receive task, the packets reported to the CPU are limited, i.e. the rate of packets received by the CPU is limited: when the packets received by the CPU exceed a predetermined amount, the excess packets are subjected to traffic restriction or traffic shaping to protect CPU resources. This method can protect the system CPU to a certain extent, but since it cannot classify packets by specific protocol, it cannot keep other normal services running while an attack using one type of malicious protocol packet is suppressed, and it cannot distinguish the problem port from normal ports, so innocent ports are penalised along with the offending one; at the same time, upper-layer devices cannot learn the relevant attack information, which hinders the operator's management work;
From the above analysis, the existing technology has the following shortcomings: 1) it cannot effectively protect the line card's CPU resources and bandwidth resources; 2) it cannot rate-limit different protocol packets separately; 3) it cannot rate-limit on a per-user-port basis, so one abnormal user can disrupt the broadband services of other users on the same user board.
With the development of Internet technology, each of the current mainstream network processors (Network Processor, abbreviated NP; it may be a customised ASIC chip or an FPGA chip) provides the following functions, on the basis of which DSLAM equipment can exercise more control over data flows:
1. support for capturing data packets: data of a type that requires special handling can be captured and processed further;
2. enhanced classification of data flows, including user-defined data flows: the user can define classes by specific data in specific fields of the frame;
3. support for rate-limiting data flows, including specific flows such as broadcast, unicast and multicast traffic, as well as user-defined data flows.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method by which a DSLAM device prevents protocol packet attacks: on a Digital Subscriber Line Access Multiplexer (DSLAM), a network processor is used to capture protocol packets, and on that basis user packets are limited and filtered so that high-speed protocol packet floods cannot degrade the DSLAM's system performance.
The above technical problem is solved by providing a method by which a DSLAM device prevents protocol packet attacks, which uses a network processor to capture and rate-limit port data flows and comprises the following steps:
1.1) a separate rate-limit threshold is formulated for each type of protocol packet, based on analysis of the international or domestic standard for that protocol;
1.2) an independent correspondence rule is defined for each port: data flows are captured by classifying on protocol packet features, and rate limiting is applied with the threshold corresponding to each protocol;
1.3) the network processor handles the data packets flowing through the port according to the correspondence rule.
According to the method provided by the invention, the protocol packet feature may be a protocol header feature field, including the protocol field, TCP and UDP packet port numbers, the Ethernet frame protocol type, the protocol type of the IP packet, a specific IP address, and so on.
According to the method provided by the invention, the rule further comprises: when an attack is detected, the network processor sends information including the attack packet type and the attacked port to the network management system.
According to the method provided by the invention, the port may be a data flow port at any network layer of the DSLAM device.
According to the method provided by the invention, the port includes, but is not limited to, the user ports on the line card's user side, bridge ports and the network-side interface.
According to the method provided by the invention, the rate-limit processing sends protocol packets exceeding the threshold rate to the CPU for further analysis, or directly discards them.
According to the method provided by the invention, the rate-limit processing allows protocol packets below the threshold rate to pass and sends them to the CPU for further analysis.
According to the method provided by the invention, the rate limiting includes, but is not limited to, any of the SR2CM, TRTCM and token bucket rate-limit algorithms.
According to the method provided by the invention, the rate-limit threshold includes, but is not limited to, an average rate threshold and a burst packet threshold.
According to the method provided by the invention, the network processor may be a customised ASIC chip or an FPGA chip.
According to the method provided by the invention, the protocols include, but are not limited to, PPPOE, DHCP and IGMP.
According to the method provided by the invention, the port correspondence rule may be set through a man-machine interface.
The method provided by the invention, by which a network-processor-based DSLAM device prevents protocol packet attacks, uses user-defined capture and processing rules together with the network processor's data flow capture and rate limiting, and has the following advantages over existing methods: 1. malicious protocol packet attacks can be suppressed at the user port level, so that an attack cannot affect other normal users on the same line card who are not launching protocol packet attacks; 2. each type of protocol packet is suppressed separately, so a malicious attack using one protocol cannot affect other protocol services; 3. malicious attack protocol packets are terminated on the line card, the lowest-level device of the DSLAM, protecting the line card's CPU resources and its uplink bandwidth to the greatest extent; 4. once a user port on a line card is subjected to a malicious protocol packet attack, the line card can quickly report the attacked user port and the attack packet information to the upper-layer device, which can take different measures based on this information, providing useful data for network operation monitoring; 5. the upper-layer devices in the DSLAM do not need to process unnecessary protocol packets, which benefits their stability and leaves more resources for quality services; 6. through configuration on the main control board, different suppression thresholds can be flexibly configured for the various protocol packets according to networking and service needs, adapting to rich and varied real-world requirements. As a result, the line card and upper-layer devices can reduce their packet processing load and concentrate on implementing other security policies, which reduces the development difficulty of the whole broadband access system and improves its reliability.
Description of drawings
The present invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 1 shows the protocol packet processing modules of a DSLAM device.
Fig. 2 is the configuration flow chart of an embodiment of the invention.
Fig. 3 is the data flow diagram of an embodiment of the invention.
Embodiment
First, the core of the invention is described: a network processor is used to capture and rate-limit data flows, i.e. each type of protocol packet on the broadband access equipment (including PPPOE, DHCP, IGMP and other protocols) is captured separately, and for each protocol's data flow an independent flow control function at the user port level is implemented for that protocol, limiting and filtering the user's packets.
Second, the method of the invention is explained; it comprises the following steps:
Step A. Using the packet capture function provided by the network processor (Network Processor, NP; specifically a customised ASIC chip or an FPGA chip), an independent capture rule is associated with each type of protocol packet, comprising the packet feature and the post-capture processing behaviour, and the flow data matching the capture rule is defined as a specific data flow (flowtype);
Step B. A rate limiter based on the flow is created, and rate-limit rules, including the rate-limit threshold and the burst packet threshold, are formulated according to the usage standard of that protocol; a rate-limit algorithm is then applied which, depending on actual conditions, may be Single Rate Two Color Marking (SR2CM), Two Rate Three Color Marking (TRTCM), token bucket or another rate-limit algorithm.
Step C. A packet processing behaviour rule is created, and the packet processing behaviour is specified according to the system's networking requirements: protocol packets exceeding the rate limit may be passed to the CPU for further analysis, or directly discarded. For control purposes, when an attack is detected, information such as the attack packet type and the attacked port is sent to the network management system to provide management information;
Step D. The rate limiter is applied to the user port and the specified flow (flowtype); different protocol packets are instantiated with different rate limiters, and port and protocol data flows are rate-limited according to the user's requirements and the protocol standard. Depending on the functions supported by the NP (i.e. the customised ASIC chip) or FPGA, rate limiters can be configured on ports at each network layer, and over-rate packets are dropped at the network layer where the rate limiter acts. From the standpoint of protecting system resources, the earlier they are dropped, the better the system's performance is protected.
Step E. A protocol packet rate limiter interrupt service routine is registered. When the port receives data packets matching the rate-limit rule, the interrupt service routine sends the packets to the CPU for further processing only while the protocol packet rate is below the threshold; protocol packets exceeding the threshold are dropped at the rate limiter.
Third, the invention is further described in detail with a concrete example.
(1) Rate-limit thresholds:
For each type of protocol packet there are corresponding domestic and international standards that specify rules such as the protocol's packet exchange process and retransmission mechanism. From these standards the packet sending rate of normal protocol packets can be derived, and the rate-limit threshold for each protocol's packets set accordingly.
(2) Data flow capture and rate limiting, using the line card as an example:
Because uplink and downlink packets need to be intercepted, analysed, filtered and so on, one concrete implementation is to realise the data packet capture and rate-limit functions on the DSLAM line card. As introduced in the background, the data capture function and the data flow rate-limit function of the network processor are combined to implement protocol packet rate limiting. The implementation on the line card is described below with reference to the drawings.
As shown in Figure 2, the steps for implementing data packet capture and rate limiting on the line card are as follows:
Step A. Create a flow-based rate limiter (rate limiter), formulate the rate-limit rule (rate limiter profile) and specify the rate-limit threshold;
Step B. Create the packet processing rate-limit behaviour rule (rate limiter action profile), specifying the packet processing behaviour: packets below the rate threshold are allowed to pass, and data exceeding the rate-limit threshold is discarded;
Step C. Instantiate the rate limiter and apply it to the user port and to the data flow (flowtype) that will be defined in the filter of Step D;
Step D. Set the filter rules and sub-rules, i.e. the protocol packet capture features and the packet processing behaviour: for each type of protocol packet, formulate a different protocol header feature field as the capture rule, and set the packet processing behaviour to rate limiter, meaning that the packet is sent to the rate limiter for processing; at the same time, the data flow matching the capture rule is registered as the rate limiter's specified data flow number (flowtype);
Step E. Register the protocol packet capture interrupt service routine. When the port receives data packets matching the capture rule, the interrupt service routine handles them according to the rate limiter's rule: packets below the rate-limit threshold are extracted and handed to the line card CPU for further processing, while protocol packets exceeding the threshold are dropped at the data layer, protecting the CPU's resources.
With the above configuration, the processing flow of protocol packets in the line card is as shown in Figure 3. After user port 21 of line card 2 receives a data flow matching the filter specification, the data capture interrupt function extracts only the protocol packets below the threshold defined in the rate limiter and hands them to the CPU of line card 2 for further processing; the protocol packets rate-limited by protocol rate limiter 22 are sent through bridge port 23 and service channel 31 to main control board 2, thereby reducing the packet processing load of upper-layer device 4. When an attack occurs, the attacking user port 21 and information such as the protocol packet type of the attack are sent to the network management system through management channel 32 for user management.
In the above steps, the data capture rules and rate-limit rules can be modified flexibly by the user and configured independently for different user ports and PVC ports; creation, deletion, modification and similar operations can be performed through the man-machine interface of the broadband access equipment's configuration system. The method of the invention can therefore configure an independent rate-limit scheme for each type of protocol packet according to the actual networking situation, blocking various malicious or meaningless protocol packet floods while guaranteeing the normal functioning of the various protocol services, further strengthening the stability and forwarding performance of the layer-2 switching equipment, improving the overall switching performance of the DSLAM, reducing the packet processing load of upper-layer devices, and further improving the overall performance of the network equipment.
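As an added illustration (not code from the patent or its applicant), the following Python model simulates the scheme described by summary steps 1.1 to 1.3, embodiment Steps A to E and the line card implementation above: packets are classified by protocol header feature fields (Ethernet type for PPPoE, IP protocol for IGMP, UDP port for DHCP), one token-bucket limiter with an average-rate threshold and a burst threshold is instantiated per user port and protocol, packets under the threshold go to the line card CPU, and packets over it are dropped while the attacked port and attack packet type are recorded for the network management system. The threshold values, port numbers and traffic are constructed assumptions.

```python
from typing import Dict, List, Optional, Tuple
from dataclasses import dataclass

# Standard header values used as capture features (well-known constants).
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PPPOE_DISC, ETHERTYPE_PPPOE_SESS = 0x8863, 0x8864
IPPROTO_IGMP, IPPROTO_UDP = 2, 17
DHCP_UDP_PORTS = {67, 68}

# Per-protocol thresholds: (average rate in packets/s, burst in packets). Constructed for
# this example; the patent derives the real values from each protocol's standard.
PROFILES = {"PPPOE": (50.0, 20), "DHCP": (10.0, 5), "IGMP": (20.0, 10)}


@dataclass
class Packet:
    port: int                        # ingress user port on the line card
    ethertype: int
    ip_proto: Optional[int] = None
    udp_dport: Optional[int] = None


def classify(pkt: Packet) -> Optional[str]:
    """Capture rule: match protocol header feature fields; return the flow type or None."""
    if pkt.ethertype in (ETHERTYPE_PPPOE_DISC, ETHERTYPE_PPPOE_SESS):
        return "PPPOE"
    if pkt.ethertype == ETHERTYPE_IPV4:
        if pkt.ip_proto == IPPROTO_IGMP:
            return "IGMP"
        if pkt.ip_proto == IPPROTO_UDP and pkt.udp_dport in DHCP_UDP_PORTS:
            return "DHCP"
    return None  # not a captured protocol: ordinary forwarding, never touches the CPU path


class TokenBucket:
    """Single-rate limiter with an average-rate threshold and a burst-packet threshold."""
    def __init__(self, rate_pps: float, burst: int) -> None:
        self.rate_pps, self.burst = rate_pps, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        """Refill by elapsed time, capped at the burst depth; spend one token per packet."""
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate_pps)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class LineCard:
    """One limiter per (user port, protocol): a flood on one port or protocol cannot starve others."""
    def __init__(self) -> None:
        self.limiters: Dict[Tuple[int, str], TokenBucket] = {}
        self.to_cpu: List[Tuple[int, str]] = []      # packets handed to the line-card CPU
        self.dropped: Dict[Tuple[int, str], int] = {}
        self.alerts: List[Tuple[int, str]] = []      # (attacked port, attack packet type) for the NMS

    def process(self, pkt: Packet, now: float) -> str:
        proto = classify(pkt)
        if proto is None:
            return "forward"
        key = (pkt.port, proto)
        bucket = self.limiters.get(key)
        if bucket is None:                           # instantiate the protocol's limiter for this port
            bucket = self.limiters[key] = TokenBucket(*PROFILES[proto])
        if bucket.allow(now):
            self.to_cpu.append(key)
            return "cpu"
        # Over threshold: drop at the data layer and notify management once per (port, protocol).
        self.dropped[key] = self.dropped.get(key, 0) + 1
        if key not in self.alerts:
            self.alerts.append(key)
        return "drop"


def simulate() -> dict:
    """Constructed traffic: a DHCP flood on port 5 beside normal traffic on the same card."""
    card = LineCard()
    dhcp = lambda port: Packet(port, ETHERTYPE_IPV4, IPPROTO_UDP, 67)
    for _ in range(100):                             # 100 DHCP packets in one instant from port 5
        card.process(dhcp(5), 0.0)
    for _ in range(3):                               # IGMP from the same port still reaches the CPU
        card.process(Packet(5, ETHERTYPE_IPV4, IPPROTO_IGMP), 0.0)
    for _ in range(2):                               # DHCP from another port is unaffected
        card.process(dhcp(7), 0.0)
    plain = card.process(Packet(5, ETHERTYPE_IPV4, 6, None), 0.0)   # TCP: not captured
    late = card.process(dhcp(5), 1.0)                # a second later port 5's DHCP bucket has refilled
    return {
        "cpu_dhcp_p5": card.to_cpu.count((5, "DHCP")),
        "dropped_dhcp_p5": card.dropped.get((5, "DHCP"), 0),
        "cpu_igmp_p5": card.to_cpu.count((5, "IGMP")),
        "cpu_dhcp_p7": card.to_cpu.count((7, "DHCP")),
        "alerts": card.alerts,
        "plain_tcp": plain,
        "late_dhcp_p5": late,
    }
```

Running `simulate()` shows the isolation the patent claims: only the first five DHCP packets from port 5 reach the CPU and the other 95 are dropped with a single (port, protocol) alert, while IGMP on the same port and DHCP on port 7 are untouched.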
The above is only a preferred embodiment of the present invention and is not intended to limit its scope of protection. Any modification, equivalent substitution, improvement or the like made in accordance with the claims of the present invention shall fall within the scope of protection claimed.
Claims (10)
1. A method by which a DSLAM device prevents protocol packet attacks, characterised in that a network processor is used to capture and rate-limit port data flows, comprising the following steps:
1.1) a separate rate-limit threshold is formulated for each type of protocol packet, based on analysis of the international or domestic standard for that protocol;
1.2) an independent correspondence rule is defined for each port: data flows are captured by classifying on protocol packet features, and rate limiting is applied with the threshold corresponding to each protocol;
1.3) the network processor handles the data packets flowing through the port according to the correspondence rule.
2. The method according to claim 1, characterised in that the rule further comprises: when an attack is detected, the network processor sends information including the attack packet type and the attacked port to the network management system.
3. The method according to claim 1, characterised in that the port may be a data flow port at any network layer of the DSLAM device.
4. The method according to claim 1, characterised in that the rate-limit processing sends protocol packets exceeding the threshold rate to the CPU for further analysis, or directly discards them.
5. The method according to claim 1 or 4, characterised in that the rate-limit processing allows protocol packets below the threshold rate to pass and sends them to the CPU for further analysis.
6. The method according to claim 1, characterised in that the rate limiting may use any of the SR2CM, TRTCM and token bucket rate-limit algorithms.
7. The method according to claim 1, characterised in that the rate-limit threshold comprises an average rate threshold and a burst packet threshold.
8. The method according to claim 1, characterised in that the network processor may be a customised ASIC chip or an FPGA chip.
9. The method according to claim 1, characterised in that the protocols comprise one or more of PPPOE, DHCP and IGMP.
10. The method according to claim 1, characterised in that the port correspondence rule may be set through a man-machine interface.
Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNA2006101458243A / CN101188607A (en) | 2006-11-17 | 2006-11-17 | Method for preventing DSLAM device from protocol packet attack based on network processor |
Publications (1)

| Publication Number | Publication Date |
|---|---|
| CN101188607A true (en) | 2008-05-28 |
Family ID: 39480796

Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNA2006101458243A Pending / CN101188607A (en) | Method for preventing DSLAM device from protocol packet attack based on network processor | 2006-11-17 | 2006-11-17 |
Country Status (1)

| Country | Link |
|---|---|
| CN (1) | CN101188607A (en) |
Application events
- 2006-11-17: CN application CNA2006101458243A (publication CN101188607A), status Pending
Cited By (12)

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102223261A (en) * | 2011-05-17 | 2011-10-19 | 中兴通讯股份有限公司 | Method and device for sampling message |
| WO2012159337A1 (en) * | 2011-07-21 | 2012-11-29 | 华为技术有限公司 | Scheduling method, processing method and apparatus and routing device for protocol message |
| CN103004153A (en) * | 2011-07-21 | 2013-03-27 | 华为技术有限公司 | Scheduling method, processing method and apparatus and routing device for protocol message |
| CN102882707A (en) * | 2012-09-04 | 2013-01-16 | 大唐移动通信设备有限公司 | Method and device for detecting and inhibiting Ethernet link storm |
| CN102882707B (en) * | 2012-09-04 | 2015-12-02 | 大唐移动通信设备有限公司 | Method and apparatus for detecting and suppressing an Ethernet link storm |
| CN103036815A (en) * | 2012-12-06 | 2013-04-10 | 大唐移动通信设备有限公司 | Information and communication technology (ICT) fusion system |
| CN103036815B (en) * | 2012-12-06 | 2016-02-17 | 大唐移动通信设备有限公司 | Information technology and communication technology (ICT) fusion system |
| CN105939339A (en) * | 2016-03-22 | 2016-09-14 | 杭州迪普科技有限公司 | Protection method and device of attack protocol message flow |
| CN109379356A (en) * | 2018-10-16 | 2019-02-22 | 盛科网络(苏州)有限公司 | Method and device for automatic capture of CPU attack messages |
| CN110691045A (en) * | 2019-10-25 | 2020-01-14 | 新华三信息安全技术有限公司 | Protocol message forwarding method, line card board, network equipment and storage medium |
| CN110691045B (en) * | 2019-10-25 | 2022-02-11 | 新华三信息安全技术有限公司 | Protocol message forwarding method, line card board, network equipment and storage medium |
| CN113489656A (en) * | 2021-07-04 | 2021-10-08 | 芯河半导体科技(无锡)有限公司 | Method for realizing protocol message speed limit in network equipment |
Legal Events

| Code | Title |
|---|---|
| C06 | Publication |
| PB01 | Publication |
| C10 | Entry into substantive examination |
| SE01 | Entry into force of request for substantive examination |
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) |
| WD01 | Invention patent application deemed withdrawn after publication |

Open date: 20080528