CN101321173A - Method, system and device for preventing network attack - Google Patents

Method, system and device for preventing network attack

Info

Publication number
CN101321173A
Authority
CN
China
Prior art keywords
attack
data flow
policy control
control equipment
network
Legal status
Pending
Application number
CNA2008101322420A
Other languages
Chinese (zh)
Inventor
张喆
吴平
王胤宗
朱玉辉
陈斌
赵武
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd


Abstract

Embodiments of the invention provide a method, system and device for preventing network attacks. The method comprises: receiving, from an integrated policy control device, a reverse containment policy that the integrated policy control device generates from characteristic information of an attack data flow it has obtained; and filtering the data flow sent to a core-network signalling processing device according to that reverse containment policy, so as to perform reverse containment. The method, system and device can effectively stop an attack data flow from continuing to enter the core-network signalling processing device, and thereby provide effective protection for the signalling core network.

Description

Method, system and device for preventing network attack
Technical field
The present invention relates to the field of communication technology, and in particular to a method, system and device for preventing network attacks.
Background technology
As communication networks move to IP (Internet Protocol), their security problems grow more serious: the attacks long present on the conventional Internet are appearing in VOIP (Voice over IP) networks, adapted to the characteristics of IP-based communication networks, and new variants keep emerging. Following the TCP (Transmission Control Protocol)/IP layering, attack data flows in an IP-based communication network can be classified top-down by layer as: service-layer attack data flows, application-layer attack data flows, transport-layer attack data flows, network-layer attack data flows and link-layer attack data flows.
Against link-layer, network-layer and transport-layer attack data flows, a conventional firewall provides reasonably good protection; against service-layer and application-layer attack data flows, existing firewall technology has no visibility.
One prior-art method of containing attack data flows is to place a signalling proxy device in front of the signalling core network. The proxy pre-processes the data flow and filters out malformed signalling-layer messages, signalling flooding (flood) messages, network/transport-layer attacks and so on.
This method has the following drawbacks. It increases the network complexity of the VOIP solution: the front-end signalling proxy must parse signalling messages at the application layer, so in addition to a powerful NP (Network Processor) it also needs CPU (Central Processing Unit) capacity to parse and reassemble signalling data, which makes the proxy a potential bottleneck and adds network delay. The front-end proxy is itself at risk of crashing on a malformed signalling message, and it cannot effectively protect against service-layer attacks. It also runs counter to the direction of VOIP network evolution: according to the relevant TISPAN (Telecommunication and Internet converged Services and Protocols for Advanced Networking) standards, there should be no separate signalling proxy device in front of a core-network signalling processing node.
Another prior-art method of containing attack data flows is to integrate the core-network signalling processing device with an SBC (Session Border Controller). This approach suits an edge deployment of the P-CSCF (Proxy-Call Session Control Function) and can effectively contain attack data flows in the case where an attack bypasses the SBC and targets the P-CSCF.
This method has the following drawbacks. In the early commercial phase of IMS (IP Multimedia Subsystem), an edge-deployed P-CSCF is not very attractive to telecom operators, and the approach requires the P-CSCF to be implemented differently from other network elements such as the I-CSCF (Interrogating-Call Session Control Function) and S-CSCF (Serving-Call Session Control Function), which raises the development cost of the IMS solution.
A further prior-art method of containing attack data flows is to use a front-end SBC signalling NAT (Network Address Translation) device or a firewall device to provide protection.
In the course of making the present invention, the inventors found that the prior art has at least the following defect: a firewall or SBC that works at the network/transport layer cannot see application-layer or service-layer data, so it cannot provide effective protection against SIP (Session Initiation Protocol) malformed-message attacks or attacks that exploit service logic.
Different service logic produces different SIP traffic characteristics. A firewall or SBC that enforces thresholds without awareness of the service may produce a high rate of false positives, degrading solution performance and QoS, and may also produce some rate of false negatives, letting attack data flows damage the attacked system.
Summary of the invention
Embodiments of the invention provide a method, system and device for preventing network attacks, so that attack data flows are detected at the application/service layer and distributed attacks are contained in the reverse direction.
To this end, an embodiment of the invention proposes a method for preventing network attacks, comprising the following steps:
receiving a reverse containment policy sent by an integrated policy control device, the reverse containment policy being generated by the integrated policy control device from characteristic information of an attack data flow that it has obtained;
filtering the data flow sent to the core-network signalling processing device according to the reverse containment policy, to perform reverse containment.
An embodiment of the invention also proposes a network system comprising a core-network signalling processing device, an integrated policy control device and an attack protection device, wherein:
the integrated policy control device obtains characteristic information of an attack data flow, generates a reverse containment policy from the characteristic information, and sends the reverse containment policy to the attack protection device;
the attack protection device receives the reverse containment policy from the integrated policy control device and, according to it, filters the data flow sent to the core-network signalling processing device, performing reverse containment;
the core-network signalling processing device receives the filtered data from the attack protection device.
An embodiment of the invention also proposes a network device comprising an acquisition module, a policy generation module and a sending module, wherein:
the acquisition module obtains characteristic information of an attack data flow;
the policy generation module generates a specific reverse containment policy from the characteristic information obtained by the acquisition module;
the sending module sends the reverse containment policy generated by the policy generation module to an attack protection device.
An embodiment of the invention also proposes a network device comprising:
a receiving module, which receives a reverse containment policy from an integrated policy control device, the reverse containment policy being generated by the integrated policy control device from characteristic information of an attack data flow that it has obtained;
a reverse containment module, which filters the data flow sent to the core-network signalling processing device according to the reverse containment policy received by the receiving module, performing reverse containment.
Compared with the prior art, the embodiments of the invention have the following advantage: the integrated policy control device generates a reverse containment policy from the characteristic information of the attack data flow it has obtained, and the attack protection device filters the data flow sent to the core-network signalling processing device according to that policy, performing reverse containment; this provides effective protection for the signalling core network.
Description of drawings
To explain the embodiments of the invention and the prior art more clearly, the drawings needed for their description are briefly introduced below. The drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a schematic diagram of the structure of a system for preventing network attacks according to an embodiment of the invention;
Fig. 2 is a schematic flow diagram of a method for preventing network attacks according to an embodiment of the invention;
Fig. 3 is an architecture diagram of a VOIP signalling core network application-layer/service-layer attack detection and protection system according to an embodiment of the invention;
Fig. 4 is a networking diagram in which a front-end SBC device protects the VOIP signalling core network according to an embodiment of the invention;
Fig. 5 is a schematic diagram of the DEC/RPT communication method according to an embodiment of the invention;
Fig. 6 is a networking diagram in which a front-end firewall protects the VOIP signalling core network according to an embodiment of the invention;
Fig. 7 is a structural diagram of a network device proposed by an embodiment of the invention;
Fig. 8 is a structural diagram of another network device proposed by an embodiment of the invention.
Embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are only some embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from these embodiments without inventive effort fall within the scope of protection of the invention.
Specific embodiments of the invention are described in further detail below with reference to the drawings and examples.
The attack data flows of the embodiments of the invention include: SIP malformed-message data flows, SIP-flooding attack data flows, UDP (User Datagram Protocol)-flooding attack data flows, service-logic attack data flows, and so on.
An embodiment of the invention provides a network system, shown in Fig. 1, comprising an attack protection device 102, an integrated policy control device 104 and a core-network signalling processing device 106,
wherein:
the attack protection device 102 filters the data flow sent to the core-network signalling processing device 106 according to the reverse containment policy, performing reverse containment. The attack protection device 102 may be a firewall, a Session Border Controller (SBC), or similar.
The integrated policy control device 104 obtains characteristic information of an attack data flow, generates a specific reverse containment policy from that characteristic information, and sends the policy to a specific attack protection device 102. The characteristic information of the attack data flow may include the source address and the attack type of the attack data flow; the attack type may be a malformed-message attack, a flooding attack, or similar.
The core-network signalling processing device 106 receives the filtered data from the attack protection device 102. It may be a switch, a CSCF (Call Session Control Function) entity in an IMS, or similar.
The core-network signalling processing device 106 may be connected in series or in parallel with the integrated policy control device 104 and the attack protection device 102. In the series arrangement, the integrated policy control device 104 is placed in front of the core-network signalling processing device 106, and the attack protection device 102 is placed in front of the integrated policy control device 104.
The system may further comprise a storage unit 108, used to record the attacks of the attack data flow; the storage unit 108 may be a security log device or similar.
In the above network system, the integrated policy control device 104 generates a specific reverse containment policy from the characteristic information of the attack data flow it has obtained and sends it to a specific attack protection device 102; the attack protection device 102 filters the data flow sent to the core-network signalling processing device 106 according to that policy, performing reverse containment, so that the signalling core network is effectively protected.
An embodiment of the invention also provides a method for preventing network attacks, shown in Fig. 2, comprising the following steps:
Step S201: the integrated policy control device 104 obtains characteristic information of an attack data flow. The attack data flow includes: SIP (Session Initiation Protocol) malformed-message data flows, SIP-flooding attack data flows, UDP-flooding attack data flows, service-logic attack data flows, and so on. The characteristic information of the attack data flow includes its source address and attack type; the attack type may be a malformed-message attack, a flooding attack, or similar.
Step S202: the integrated policy control device 104 generates a specific reverse containment policy from the characteristic information and sends it to a specific attack protection device 102. The attack protection device 102 may be a firewall, an SBC, or similar.
In this step, generating the specific reverse containment policy from the characteristic information may specifically be as follows:
the access network segment of the attack data flow is determined from the source address carried by the attack data flow. If an SBC signalling NAT device sits between that access network segment and the core network, a specific reverse containment policy is generated from the characteristic information of the attack data flow and sent to that SBC; this policy may contain information such as the NAT (network address translation) mapping-table entry number of the attack data flow. If a firewall device sits between that access network segment and the core network, a specific reverse containment policy is generated from the characteristic information of the attack data flow and sent to that firewall; this policy may contain the source IP (Internet Protocol) address, destination IP address and transport-layer protocol type of the attack data flow. (This matches the DEC message definitions given later for the two interfaces: the SBC is addressed by NAT mapping ID, the firewall by the flow's addresses and protocol.)
Before the reverse containment policy is sent to the attack protection device 102, the method may further comprise: the integrated policy control device 104 receives the characteristic information of the attack data flow through a pre-configured interface for that particular type of attack data flow, and generates the reverse containment policy from that characteristic information.
Step S203: the attack protection device 102 filters the data flow sent to the core-network signalling processing device 106 according to the reverse containment policy, performing reverse containment.
Step S204: the attack protection device 102 sends the filtered data flow to the core-network signalling processing device 106.
In this embodiment, the integrated policy control device 104 also stores the attack information about the attack data flow that is fed back by the attack protection device 102 in the storage unit 108 (for example, a security log device), to record the attacks of the attack data flow.
In the above method, the integrated policy control device 104 generates a specific reverse containment policy from the characteristic information of the attack data flow it has obtained, and the attack protection device 102 filters the data flow sent to the core-network signalling processing device 106 according to the reverse containment policy generated by the integrated policy control device 104, performing reverse containment, so that the signalling core network is effectively protected.
An embodiment of the invention provides a method and system for preventing network attacks, described using a VOIP (Voice over IP) network as the example. Fig. 3 is a schematic diagram of a concrete system implementation; the devices in Fig. 3 may be independent devices, or may be integrated into another device in the form of modules or units. The description below is in terms of a concrete application scenario (some of the devices may be independent devices, or may be integrated into another device as modules or units). The VOIP telecommunications core network uses SIP as its signalling protocol. This embodiment proposes two attack-prevention mechanisms, one with a firewall in front of the signalling core network and one with an SBC signalling NAT device in front of it; the attack data flows include SIP malformed-message data flows, SIP-flooding attack data flows, UDP-flooding attack data flows, service-logic attack data flows, and so on.
The system shown in Fig. 3 comprises:
an attack detection device 302, which detects attack data flows in the SIP messages it receives. The attack detection device 302 comprises:
a SIP message parsing module 3020, which parses the received SIP messages;
a SIP malformed-message detection module 3022, which detects malformed SIP messages after the SIP message parsing module 3020 has parsed the received SIP messages;
a SIP-flooding detection module 3024, which detects SIP-flooding messages after the SIP message parsing module 3020 has parsed the received SIP messages;
a UDP-flooding detection module 3026, which detects UDP-flooding messages after the SIP message parsing module 3020 has parsed the received SIP messages;
a service-logic attack detection module 3028, which detects service-logic attack messages after the SIP message parsing module 3020 has parsed the received SIP messages.
The system shown in Fig. 3 also comprises:
an integrated policy control device 104, which obtains the characteristic information of the attack data flows detected by the attack detection device 302, generates a reverse containment policy from that characteristic information, and sends it to the attack protection device 102; in Fig. 3 the attack protection devices 102 are a firewall 312 and an SBC 314. In this embodiment, the integrated policy control device 104 sends the generated reverse containment policy to the firewall 312 through a firewall interface 306, and to the SBC 314 through an SBC interface 308.
The integrated policy control device 104 also stores the attack information about attack data flows fed back by the firewall 312 or the SBC 314 in a security log device 310 through a security log interface 304, to record the attacks of the attack data flows.
The system shown in Fig. 3 also comprises:
a core-network signalling processing device 106, which receives the filtered data from the firewall 312 or the SBC 314; it may be a switch, a CSCF entity in an IMS, or similar.
The interfaces between the integrated policy control device 104 and the firewall 312 or SBC 314 fully support the attack-protection requirements of different VOIP signalling core network deployments against SIP malformed-message data flows, SIP-flooding attack data flows, UDP-flooding attack data flows and service-logic attack data flows. According to the main function of the firewall 312 or SBC 314 in the deployment, that is, conventional network/transport-layer firewall functions versus SBC signalling NAT functions, the interfaces are designed as follows:
1. SBC signalling NAT attack data flow reverse containment interface
As shown in Fig. 4, the signalling core network 402 comprises a P-CSCF 4020, an S-CSCF 4022 and an I-CSCF 4024, which communicate with each other using SIP signalling. An SBC device 404 in front of the signalling core network 402 provides signalling NAT, media proxy, firewall and similar functions. Users connect through a user access network 406 to an LSW (Local Telephony Switch) 408 and reach the SBC device 404 through the LSW 408.
The SBC device 404 maintains built-in NAT mapping entries. For a SIP message from a private-network terminal whose network-layer or transport-layer address matches a predefined rule, the SBC maps that address to a public-network address and the private-network port in the SIP message to a public-network port, stores the mapped public address and port in a NAT mapping entry, and then forwards the SIP message to the P-CSCF 4020 for processing; SIP messages from the P-CSCF 4020 to that user are translated through the same NAT mapping entry.
The signalling core network 402 and the SBC device 404 communicate over a COPS (Common Open Policy Service protocol) link, which implements keepalive of the signalling NAT mapping entries. From the time the user initiates initial registration until registration succeeds, the SBC device 404 applies a short keepalive duration to the user's NAT mapping entry; after the user registers successfully, the signalling core network 402 sets the keepalive duration of the user's NAT mapping entry with reference to the user's registration lifetime and sends it to the SBC device 404 in a DEC (Decision, a COPS decision) message over the COPS link; on receiving the DEC message the SBC device 404 modifies the keepalive duration of that NAT mapping entry and responds with an RPT (Report, status report) message, as shown in Fig. 5.
In the networking of Fig. 4, the SBC device 404 provides the signalling NAT function and basic firewall functions, and so can provide basic security protection. The communication mechanism between the signalling core network 402 and the SBC device 404 is defined as follows: a NAT mapping ID uniquely identifies an SBC-NAT entry, NAT mapping entries can be opened and closed dynamically, and a decision/report (DEC/RPT) communication mechanism is defined:
The DEC message data structure is defined as follows:
struct sbc_DEC {
    VOS_UINT32 nat_mapping_id;  /* ID of a specific NAT mapping entry; uniquely identifies that NAT entry on the SBC */
    VOS_UINT32 alive_time;      /* lifetime of the current mapping entry */
    VOS_UINT32 block_type;      /* attack type, 0 by default; only the following four types are currently supported:
                                   block_type = 0: the SBC performs no blacklist processing;
                                   block_type = 1: the VOIP access server has determined that the UE is performing a SIP malformed-message attack;
                                   block_type = 2: the VOIP access server has determined that the UE is performing a SIP flood attack;
                                   block_type = 3: the VOIP access server has determined that the UE is performing a UDP flood attack;
                                   block_type = 4: the VOIP access server has determined that the UE is performing a service-logic attack. */
};
The RPT message data structure is defined as follows:
struct sbc_RPT {
    VOS_UINT32 nat_mapping_id;   /* must be the same as in the corresponding DEC message */
    TIPTuple   UE_src_IP;        /* real IP address of the UE before SBC signalling NAT mapping */
    VOS_UINT16 UE_src_PORT;      /* real port of the UE before SBC signalling NAT mapping; 0 if meaningless */
    char      *access_interface; /* the interface through which the attack data flow entered the SBC */
};
2. Firewall attack data flow reverse containment interface
As shown in Fig. 6, the signalling core network 602 comprises a P-CSCF 6020, an S-CSCF 6022 and an I-CSCF 6024, which communicate with each other using SIP signalling. An independent firewall 604 in front of the signalling core network 602 provides protection and effectively separates signalling from media. Terminals connect through a user access network 606 to an LSW 608 and reach the firewall 604 through the LSW 608.
The firewall 604 in front of the signalling core network 602 defines its filtering rules as ACL (Access Control List) five-tuples and provides protection according to those rules. The ACL rules mainly comprise:
<src_IP, src_PORT, dst_IP, dst_PORT, transport_type>  /* legitimate traffic of a specific transport-layer protocol type from a specific source address/port to the destination address/port of the VOIP core-network access server */
<src_network_segment, src_PORT, dst_IP, dst_PORT, transport_type>  /* legitimate traffic of a specific transport-layer protocol type from a specific port within a specific source address range to the destination address/port of the VOIP core-network access server */
<dst_IP, dst_PORT, transport_type>  /* legitimate traffic of a specific transport-layer protocol type to the destination address/port of the VOIP core-network access server */
By defining ACL rules at these different granularities, the firewall 604 provides a network/transport-layer security protection mechanism for the data flows to the VOIP core-network access server.
In addition, when defining the firewall 604 attack data flow reverse containment interface, it is assumed that the firewall 604 supports two attack-protection strategies: dynamic ACL rule loading and blacklisting.
The order in which the firewall 604 performs its attack-protection detection is: source-address spoofing detection, then flooding attack protection, then application-layer attack protection.
For attack protection, the firewall 604 mainly relies on ACL filtering rules, traffic-control rules and a blacklist mechanism. Against the four major classes of application-layer/service-layer attacks, that is, SIP malformed-message data flows, SIP-flooding attack data flows, UDP-flooding attack data flows and service-logic attack data flows, the firewall 604 by itself cannot provide adequate protection; it needs the core-network signalling processing device 106, based on its awareness of the attack, to notify the firewall 604 to blacklist the specific attack data flow.
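The ACL granularities and the dynamic rule loading described above, carried through as an added example (this is not the patent's own code). The three rule forms are one Python class distinguished by which fields are left unspecified, and the rule set is evaluated default-deny, so a five-tuple that no rule admits is dropped. The access server address 10.0.0.10, its ports, the source prefixes and the sample five-tuples are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

UDP, TCP = 17, 6  # transport_type uses the IP protocol field value


@dataclass(frozen=True)
class AclRule:
    """One ACL entry. The three granularities in the text are expressed by what is left
    unspecified: a /32 src_network gives <src_IP, src_PORT, dst_IP, dst_PORT, transport_type>,
    a wider prefix gives <src_network_segment, src_PORT, ...>, and src_network=None with
    src_port=None gives the destination-only <dst_IP, dst_PORT, transport_type>."""
    dst_ip: str
    dst_port: int
    transport_type: int
    src_network: Optional[str] = None   # None: any source address
    src_port: Optional[int] = None      # None: any source port

    def matches(self, pkt: Tuple[str, int, str, int, int]) -> bool:
        src_ip, src_port, dst_ip, dst_port, proto = pkt
        if (dst_ip, dst_port, proto) != (self.dst_ip, self.dst_port, self.transport_type):
            return False
        if self.src_network is not None and \
                ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src_network):
            return False
        return self.src_port is None or src_port == self.src_port


class AccessServerAcl:
    """Default-deny ACL in front of the VOIP core-network access server, with the
    dynamic rule loading/unloading the text assumes the firewall supports."""
    def __init__(self, rules: List[AclRule] = ()):
        self.rules: List[AclRule] = list(rules)

    def load(self, rule: AclRule) -> None:
        if rule not in self.rules:
            self.rules.append(rule)

    def unload(self, rule: AclRule) -> None:
        self.rules = [r for r in self.rules if r != rule]

    def decide(self, pkt: Tuple[str, int, str, int, int]) -> str:
        """'pass' if any rule admits the five-tuple, otherwise 'drop'."""
        return "pass" if any(r.matches(pkt) for r in self.rules) else "drop"


def build_demo_acl() -> AccessServerAcl:
    """Constructed rule set: access server at 10.0.0.10 on SIP/UDP 5060 and TCP 5061 (assumed)."""
    return AccessServerAcl([
        AclRule("10.0.0.10", 5060, UDP, src_network="192.168.1.0/24"),                 # segment, any port
        AclRule("10.0.0.10", 5060, UDP, src_network="192.168.2.7/32", src_port=5060),  # single host and port
        AclRule("10.0.0.10", 5061, TCP),                                                # destination-only
    ])
```

Because the destination-only form admits any source, it is the rule that an application-layer attacker reaches, which is why the text has the core-network signalling processing device push blacklist entries to the firewall rather than relying on the ACL alone.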
struct firewall_DEC {
    TIPTuple   UE_src_IP;       /* source IP address of the attack data flow */
    VOS_UINT16 UE_src_PORT;     /* source port of the attack data flow; set to 0 if meaningless */
    TIPTuple   UE_dst_IP;       /* destination IP address of the attack data flow */
    VOS_UINT16 UE_dst_PORT;     /* destination port of the attack data flow; set to 0 if meaningless */
    VOS_UINT8  transport_type;  /* transport-layer protocol type, as the value of the IP protocol field */
    VOS_UINT32 block_type;      /* attack type, 0 by default; only the following four types are currently supported:
                                   block_type = 0: the firewall performs no blacklist processing;
                                   block_type = 1: the VOIP access server has determined that the UE is performing a SIP malformed-message attack;
                                   block_type = 2: the VOIP access server has determined that the UE is performing a SIP flood attack;
                                   block_type = 3: the VOIP access server has determined that the UE is performing a UDP flood attack;
                                   block_type = 4: the VOIP access server has determined that the UE is performing a service-logic attack. */
};
struct firewall_RPT {
    TIPTuple   UE_src_IP;        /* as defined above */
    VOS_UINT16 UE_src_PORT;      /* as defined above */
    TIPTuple   UE_dst_IP;        /* as defined above */
    VOS_UINT16 UE_dst_PORT;      /* as defined above */
    VOS_UINT8  transport_type;   /* as defined above */
    char      *access_interface; /* the interface through which the attack data flow entered the firewall */
};
In the embodiment of the invention, the generation and delivery of the attack detection strategy by the integrated policy control device are designed as follows:
After a given attack detection module detects an attack and reports it to integrated policy control device 104, device 104 analyses the attack source data flow, determines the type of attack protection device 102 (firewall or SBC) and, depending on that type, calls the corresponding interface to deliver the reverse containment strategy for the attack data flow. The generation and delivery of the attack detection strategy is given in pseudocode for the following four cases, according to the attack signature:
1) Generation and delivery of the SIP malformed message detection strategy
struct firewall_DEC fw_DEC_core;
initialize fw_DEC_core;
fw_DEC_core.block_type = 0;
struct sbc_DEC sbc_DEC_core;
initialize sbc_DEC_core;
sbc_DEC_core.block_type = 0;
if (the SIP protocol stack of the VoIP access server finds a large number of malformed SIP messages while decoding SIP messages) {
    determine the access network segment from the source address of the malformed message data flow;
    if (an SBC signalling NAT device exists between this access network segment and the core network) {
        determine the NAT mapping entry number corresponding to this malformed message data flow;
        sbc_DEC_core.nat_mapping_id = that NAT mapping entry number;
        sbc_DEC_core.alive_time = 65535;
        sbc_DEC_core.block_type = 1;
        generate a DEC message and deliver it to the SBC;
    }
    else if (a firewall device exists between this access network segment and the core network) {
        fw_DEC_core.UE_src_IP = source IP of the attack data flow;
        fw_DEC_core.UE_src_PORT = 0;
        fw_DEC_core.UE_dst_IP = destination IP of the attack data flow;
        fw_DEC_core.UE_dst_PORT = 0;
        fw_DEC_core.transport_type = transport layer protocol type of the attack data flow;
        fw_DEC_core.block_type = 1;
        generate a DEC message and deliver it to the firewall;
    }
}
2) Generation and delivery of the SIP-flooding detection strategy
struct firewall_DEC fw_DEC_core;
initialize fw_DEC_core;
fw_DEC_core.block_type = 0;
struct sbc_DEC sbc_DEC_core;
initialize sbc_DEC_core;
sbc_DEC_core.block_type = 0;
if (the SIP protocol stack of the VoIP access server detects a SIP flooding attack while decoding SIP messages) {
    determine the access network segment from the source address of the SIP flooding attack data flow;
    if (an SBC signalling NAT device exists between this access network segment and the core network) {
        determine the NAT mapping entry number corresponding to this SIP flooding data flow;
        sbc_DEC_core.nat_mapping_id = that NAT mapping entry number;
        sbc_DEC_core.alive_time = 65535;
        sbc_DEC_core.block_type = 2;
        generate a DEC message and deliver it to the SBC;
    }
    else if (a firewall device exists between this access network segment and the core network) {
        fw_DEC_core.UE_src_IP = source IP of the attack data flow;
        fw_DEC_core.UE_src_PORT = 0;
        fw_DEC_core.UE_dst_IP = destination IP of the attack data flow;
        fw_DEC_core.UE_dst_PORT = 0;
        fw_DEC_core.transport_type = transport layer protocol type of the attack data flow;
        fw_DEC_core.block_type = 2;
        generate a DEC message and deliver it to the firewall;
    }
}
3) Generation and delivery of the UDP-flooding detection strategy for flows whose application layer carries no valid SIP data
struct firewall_DEC fw_DEC_core;
initialize fw_DEC_core;
fw_DEC_core.block_type = 0;
struct sbc_DEC sbc_DEC_core;
initialize sbc_DEC_core;
sbc_DEC_core.block_type = 0;
if (the SIP protocol stack of the VoIP access server, while decoding SIP messages, detects UDP flooding whose application layer carries no valid SIP data) {
    determine the access network segment from the source address of the attack data flow;
    if (an SBC signalling NAT device exists between this access network segment and the core network) {
        determine the NAT mapping entry number corresponding to the attack data flow;
        sbc_DEC_core.nat_mapping_id = that NAT mapping entry number;
        sbc_DEC_core.alive_time = 65535;
        sbc_DEC_core.block_type = 3;
        generate a DEC message and deliver it to the SBC;
    }
    else if (a firewall device exists between this access network segment and the core network) {
        fw_DEC_core.UE_src_IP = source IP of the attack data flow;
        fw_DEC_core.UE_src_PORT = 0;
        fw_DEC_core.UE_dst_IP = destination IP of the attack data flow;
        fw_DEC_core.UE_dst_PORT = 0;
        fw_DEC_core.transport_type = transport layer protocol type of the attack data flow;
        fw_DEC_core.block_type = 3;
        generate a DEC message and deliver it to the firewall;
    }
}
4) Generation and delivery of the service-logic-level attack detection strategy
struct firewall_DEC fw_DEC_core;
initialize fw_DEC_core;
fw_DEC_core.block_type = 0;
struct sbc_DEC sbc_DEC_core;
initialize sbc_DEC_core;
sbc_DEC_core.block_type = 0;
if (the VoIP access server detects a SIP-based service logic attack) {
    determine the access network segment from the source address of the attack data flow;
    if (an SBC signalling NAT device exists between this access network segment and the core network) {
        determine the NAT mapping entry number corresponding to the attack data flow;
        sbc_DEC_core.nat_mapping_id = that NAT mapping entry number;
        sbc_DEC_core.alive_time = 65535;
        sbc_DEC_core.block_type = 4;
        generate a DEC message and deliver it to the SBC;
    }
    else if (a firewall device exists between this access network segment and the core network) {
        fw_DEC_core.UE_src_IP = source IP of the attack data flow;
        fw_DEC_core.UE_src_PORT = 0;
        fw_DEC_core.UE_dst_IP = destination IP of the attack data flow;
        fw_DEC_core.UE_dst_PORT = 0;
        fw_DEC_core.transport_type = transport layer protocol type of the attack data flow;
        fw_DEC_core.block_type = 4;
        generate a DEC message and deliver it to the firewall;
    }
}
In 1) to 4) above, integrated policy control device 104 needs to obtain the system configuration information, match the network layer source address of the received SIP message against the pre-configured source address ranges, and then determine whether the access network connected to the core network signalling processing device is a firewall or an SBC.
The DEC message sent to the firewall contains at least the source IP, destination IP and transport layer protocol type of the attack data flow; the DEC sent to the SBC contains the NAT mapping table number. The integrated policy control device can obtain the information for the firewall from the SIP parsing module and the detection modules, but the information for the SBC requires further interaction with the signalling processing module.
The attack containment method of the firewall/SBC in the embodiment of the invention is as follows:
According to the attack detection strategy delivered by core network signalling processing device 106, the firewall/SBC performs choke operations on the attack data.
1) Firewall containment of the attack data flow
struct firewall_DEC fw_DEC_1;
initialize fw_DEC_1 from the received DEC message;
if (fw_DEC_1.block_type != 0) {
    if (fw_DEC_1.UE_src_PORT != 0 && fw_DEC_1.UE_dst_PORT != 0) {
        insert the attack data flow into the blacklist by the five-tuple <fw_DEC_1.UE_src_IP, fw_DEC_1.UE_src_PORT, fw_DEC_1.UE_dst_IP, fw_DEC_1.UE_dst_PORT, fw_DEC_1.transport_type>;
    }
    else if (fw_DEC_1.UE_dst_PORT != 0) {
        insert the attack data flow into the blacklist by the four-tuple <fw_DEC_1.UE_src_IP, fw_DEC_1.UE_dst_IP, fw_DEC_1.UE_dst_PORT, fw_DEC_1.transport_type>;
    }
    else {
        insert the attack data flow into the blacklist by the triple <fw_DEC_1.UE_src_IP, fw_DEC_1.UE_dst_IP, fw_DEC_1.transport_type>;
    }
    generate an RPT message and report it;
}
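The four strategy-generation cases 1) to 4) above differ only in the block_type value, and the firewall's blacklist step differs only in which ports are zero. The following C program, an added example rather than the patent's code, collapses both into one policy builder on the integrated policy control device side and one 5-/4-/3-tuple blacklist on the firewall side, then runs constructed packets through the resulting filter; it generalizes the page's pseudocode in that the builder also accepts non-zero ports. The struct field names and block_type values are taken from the page; the IPv4 host-order addresses standing in for TIPTuple, the fixed-size table, the IP4 macro and every function name are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* block_type values listed for struct firewall_DEC on the page */
enum { BLOCK_NONE = 0, BLOCK_SIP_MALFORMED = 1, BLOCK_SIP_FLOOD = 2,
       BLOCK_UDP_FLOOD = 3, BLOCK_SVC_LOGIC = 4 };

/* Mirrors the page's struct firewall_DEC. Assumption: an IPv4 address in
 * host byte order stands in for the platform's TIPTuple type. */
struct firewall_DEC {
    uint32_t UE_src_IP;
    uint16_t UE_src_PORT;     /* 0 = not significant */
    uint32_t UE_dst_IP;
    uint16_t UE_dst_PORT;     /* 0 = not significant */
    uint8_t  transport_type;  /* IP protocol field: 6 = TCP, 17 = UDP */
    uint32_t block_type;
};

/* Policy device side: cases 1) to 4) differ only in block_type, so one
 * builder covers all four. Returns -1 for an unsupported attack type. */
int build_firewall_dec(struct firewall_DEC *dec, uint32_t src_ip, uint16_t src_port,
                       uint32_t dst_ip, uint16_t dst_port, uint8_t proto, uint32_t block_type)
{
    if (block_type < BLOCK_SIP_MALFORMED || block_type > BLOCK_SVC_LOGIC)
        return -1;
    dec->UE_src_IP = src_ip;   dec->UE_src_PORT = src_port;
    dec->UE_dst_IP = dst_ip;   dec->UE_dst_PORT = dst_port;
    dec->transport_type = proto;
    dec->block_type = block_type;
    return 0;
}

/* Firewall side: fixed-size blacklist (assumed layout). A port of 0 in an
 * entry is a wildcard, which is what the page's 4- and 3-tuple cases mean. */
#define MAX_BL 16
struct bl_entry { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t proto; };
static struct bl_entry blacklist[MAX_BL];
static int bl_count;

int firewall_reset(void) { bl_count = 0; return 0; }

/* Inserts the flow named by a DEC, choosing the tuple width exactly as the
 * page's pseudocode does. Returns 5, 4 or 3, or -1 when block_type is 0
 * (nothing to block) or the table is full. */
int firewall_apply_dec(const struct firewall_DEC *dec)
{
    if (dec->block_type == BLOCK_NONE || bl_count >= MAX_BL)
        return -1;
    struct bl_entry *e = &blacklist[bl_count++];
    e->src_ip = dec->UE_src_IP;
    e->dst_ip = dec->UE_dst_IP;
    e->proto  = dec->transport_type;
    if (dec->UE_src_PORT != 0 && dec->UE_dst_PORT != 0) {   /* five-tuple */
        e->src_port = dec->UE_src_PORT; e->dst_port = dec->UE_dst_PORT; return 5;
    }
    if (dec->UE_dst_PORT != 0) {                            /* four-tuple */
        e->src_port = 0; e->dst_port = dec->UE_dst_PORT; return 4;
    }
    e->src_port = 0; e->dst_port = 0;                       /* triple */
    return 3;
}

/* Policy device and firewall end to end: build the DEC, then apply it. */
int issue_block(uint32_t src_ip, uint16_t src_port, uint32_t dst_ip,
                uint16_t dst_port, uint8_t proto, uint32_t block_type)
{
    struct firewall_DEC dec;
    if (build_firewall_dec(&dec, src_ip, src_port, dst_ip, dst_port, proto, block_type) != 0)
        return -1;
    return firewall_apply_dec(&dec);
}

/* Data path check for a packet heading to the core network signalling
 * device: 1 = blacklisted (drop), 0 = forward. */
int firewall_filter(uint32_t src_ip, uint16_t src_port,
                    uint32_t dst_ip, uint16_t dst_port, uint8_t proto)
{
    for (int i = 0; i < bl_count; i++) {
        const struct bl_entry *e = &blacklist[i];
        if (e->src_ip != src_ip || e->dst_ip != dst_ip || e->proto != proto) continue;
        if (e->src_port != 0 && e->src_port != src_port) continue;
        if (e->dst_port != 0 && e->dst_port != dst_port) continue;
        return 1;
    }
    return 0;
}

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

int main(void)
{
    /* constructed sample: UE 10.0.0.5 flooding SIP over UDP towards signalling device 192.0.2.10 */
    int width = issue_block(IP4(10, 0, 0, 5), 0, IP4(192, 0, 2, 10), 0, 17, BLOCK_SIP_FLOOD);
    printf("blacklisted on %d-tuple; flooding UE dropped=%d, other UE dropped=%d\n", width,
           firewall_filter(IP4(10, 0, 0, 5), 5060, IP4(192, 0, 2, 10), 5060, 17),
           firewall_filter(IP4(10, 0, 0, 6), 5060, IP4(192, 0, 2, 10), 5060, 17));
    return 0;
}
```

Because the page's policy builder always leaves both ports at 0, every DEC it produces lands in the triple case and the firewall drops all traffic of that protocol from the offending UE to the signalling device, regardless of port; the 4- and 5-tuple branches only come into play if a future policy source fills in the port fields.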
2) SBC containment of the attack data flow
struct sbc_DEC sbc_DEC_1;
initialize sbc_DEC_1 from the received DEC message;
if (sbc_DEC_1.alive_time == 65535) {
    if (sbc_DEC_1.block_type != 0) {
        first look up the entry numbered sbc_DEC_1.nat_mapping_id in the NAT mapping table and obtain its NAT mapping <source IP, source port>;
        add this source IP to the blacklist;
        generate an RPT message and report it;
    }
    age out the NAT mapping entry corresponding to the <source IP address, source port> pair of this DEC message;
}
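The SBC-side handling just described, written out as an added C example rather than the patent's code: a DEC whose alive_time is 65535 is looked up by NAT mapping entry number, the mapped source IP is blacklisted when block_type is non-zero (with an RPT due upstream), and the mapping is aged out in either case, so a DEC with block_type 0 simply tears the mapping down. The field names nat_mapping_id, alive_time and block_type and the 65535 value come from the page; the NAT table layout, the IPv4 host-order addresses and every function name are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define ALIVE_KILL 65535   /* alive_time value the policy device sets on every attack DEC (page) */
#define NAT_MAX 8
#define BL_MAX  8

/* Mirrors the sbc_DEC fields used on the page. */
struct sbc_DEC {
    uint32_t nat_mapping_id;
    uint16_t alive_time;
    uint8_t  block_type;
};

/* Assumed NAT mapping table: entry number -> UE <source IP, source port>. */
struct nat_entry { uint32_t id; uint32_t src_ip; uint16_t src_port; int in_use; };
static struct nat_entry nat_table[NAT_MAX];
static uint32_t src_blacklist[BL_MAX];
static int bl_count;

int sbc_reset(void)
{
    for (int i = 0; i < NAT_MAX; i++) nat_table[i].in_use = 0;
    bl_count = 0;
    return 0;
}

/* Registers a mapping the SBC created while relaying a UE's signalling. */
int nat_add(uint32_t id, uint32_t src_ip, uint16_t src_port)
{
    for (int i = 0; i < NAT_MAX; i++) {
        if (!nat_table[i].in_use) {
            nat_table[i].id = id;  nat_table[i].src_ip = src_ip;
            nat_table[i].src_port = src_port;  nat_table[i].in_use = 1;
            return 0;
        }
    }
    return -1;   /* table full */
}

int nat_active(uint32_t id)
{
    for (int i = 0; i < NAT_MAX; i++)
        if (nat_table[i].in_use && nat_table[i].id == id) return 1;
    return 0;
}

int sbc_is_blacklisted(uint32_t src_ip)
{
    for (int i = 0; i < bl_count; i++)
        if (src_blacklist[i] == src_ip) return 1;
    return 0;
}

/* Applies one DEC following the page's steps. Returns 1 when the source was
 * blacklisted and an RPT is due, 0 when the DEC was ignored or only aged the
 * mapping, -1 when the mapping id is unknown (already aged or never existed). */
int sbc_apply_dec(const struct sbc_DEC *dec)
{
    if (dec->alive_time != ALIVE_KILL)
        return 0;
    struct nat_entry *e = NULL;
    for (int i = 0; i < NAT_MAX; i++)
        if (nat_table[i].in_use && nat_table[i].id == dec->nat_mapping_id) { e = &nat_table[i]; break; }
    if (!e)
        return -1;
    int report = 0;
    if (dec->block_type != 0) {
        if (!sbc_is_blacklisted(e->src_ip) && bl_count < BL_MAX)
            src_blacklist[bl_count++] = e->src_ip;
        report = 1;   /* RPT message generated and reported upstream */
    }
    e->in_use = 0;    /* age out the <source IP, source port> mapping */
    return report;
}

/* Signalling path decision for a packet from the access side: 1 = forward, 0 = drop. */
int sbc_forward(uint32_t src_ip) { return !sbc_is_blacklisted(src_ip); }

int main(void)
{
    /* constructed sample: mapping 7 belongs to UE 10.0.0.5 (0x0A000005), judged to be SIP flooding */
    sbc_reset();
    nat_add(7, 0x0A000005u, 40000);
    struct sbc_DEC dec = { 7, ALIVE_KILL, 2 };
    printf("rpt=%d forward=%d mapping_active=%d\n",
           sbc_apply_dec(&dec), sbc_forward(0x0A000005u), nat_active(7));
    return 0;
}
```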
In the embodiment of the invention, integrated policy control device 104 generates a reverse containment strategy according to the feature information of the obtained attack data flow, and attack protection device 102 filters the data flow sent to core network signalling processing device 106 according to the reverse containment strategy generated by integrated policy control device 104, performing reverse containment and thereby effectively protecting the signalling core network.
Figure 7 shows the structure of a network device proposed in the embodiment of the invention; network device 7 comprises:
Acquisition module 71, configured to obtain the feature information of the attack data flow. Referring to Figure 3, SIP message parsing module 3020 of attack detection device 302 parses the received SIP messages, and each detection module of attack detection device 302 then detects the attack data flows in those SIP messages. Acquisition module 71 can then obtain the feature information of the attack data flows detected by attack detection device 302.
Strategy generation module 72, configured to generate a reverse containment strategy according to the feature information obtained by acquisition module 71. The feature information of the attack data flow can include the source address of the attack data flow, the attack type and so on, where the attack type can be a malformed message attack, a flooding attack, etc. Specifically:
The access network segment of the attack data flow is judged from the source address carried by the attack data flow. When an SBC signalling NAT device exists between this access network segment and the core network, a specific reverse containment strategy is generated according to the feature information of the attack data flow, and this specific reverse containment strategy can include information such as the source Internet Protocol (IP) address, destination IP address and transport layer protocol type of the attack data flow. When a firewall device exists between the access network segment and the core network, a specific reverse containment strategy is generated according to the feature information of the attack data flow, and this specific reverse containment strategy can include information such as the network address translation (NAT) mapping table number.
Sending module 73, configured to send the reverse containment strategy generated by strategy generation module 72 to attack protection device 102.
Further, network device 7 can also comprise:
Output module 74, configured to output the attack information of the attack data flow fed back by attack protection device 102 to storage unit 108.
The type of this network device can be integrated policy control device 104, etc.
In the above network device, strategy generation module 72 generates a reverse containment strategy according to the feature information obtained by acquisition module 71, and sending module 73 sends the reverse containment strategy generated by strategy generation module 72 to the attack protection device, so that attack protection device 102 filters the data flow sent to core network signalling processing device 106 according to the reverse containment strategy and performs reverse containment, effectively protecting the signalling core network.
Figure 8 shows the structure of another network device proposed in the embodiment of the invention; this network device can specifically be an attack protection device, comprising:
Receiver module 81, configured to receive the reverse containment strategy from integrated policy control device 104, this reverse containment strategy being generated by integrated policy control device 104 according to the feature information of the attack data flow that integrated policy control device 104 obtains;
Reverse containment module 82, configured to filter the data flow sent to core network signalling processing device 106 according to the reverse containment strategy received by receiver module 81, performing reverse containment.
Further, this attack protection device can also comprise:
Feedback module 83, configured to feed back the attack information of the attack data flow to the integrated policy control device.
The types of attack protection device in the embodiment of the invention include a firewall device, an SBC, etc.
In the above network device, reverse containment module 82 filters the data flow sent to core network signalling processing device 106 according to the reverse containment strategy received by receiver module 81 and performs reverse containment, so that the attack data flow is effectively contained and the signalling core network is effectively protected.
The embodiment of the invention provides a method, system and device for preventing network attack: the integrated policy control device generates a reverse containment strategy according to the feature information of the obtained attack data flow, and the attack protection device filters the data flow sent to the core network signalling processing device according to the reverse containment strategy generated by the integrated policy control device, performing reverse containment and thereby effectively protecting the signalling core network.
Through the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented in hardware, or in software together with a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a USB flash disk, a portable hard drive, etc.) and includes instructions that cause a computer device (which can be a personal computer, a server, a network device, etc.) to carry out the method described in each embodiment of the present invention.
Those skilled in the art will appreciate that the accompanying drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required to implement the present invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment can be distributed in the device of that embodiment as described, or can be correspondingly changed and arranged in one or more devices different from the present embodiment. The modules of the above embodiment can be merged into one module, or further split into several sub-modules.
The above discloses only several specific embodiments of the present invention; however, the present invention is not limited thereto, and any variation that those skilled in the art can conceive of shall fall within the protection scope of the present invention.

Claims (15)

1. A method for preventing network attack, characterized by comprising:
receiving a reverse containment strategy from an integrated policy control device, the reverse containment strategy being generated by the integrated policy control device according to feature information of an attack data flow obtained by the integrated policy control device;
filtering, according to the reverse containment strategy, the data flow sent to a core network signalling processing device, so as to perform reverse containment.
2. The method of claim 1, characterized in that the type of the attack data flow comprises:
a Session Initiation Protocol (SIP) malformed message data flow, a SIP-flooding attack data flow, a User Datagram Protocol (UDP) flooding attack data flow, or a service-logic-level attack data flow.
3. The method of claim 1, characterized in that the generation of the reverse containment strategy by the integrated policy control device according to the feature information of the attack data flow obtained by the integrated policy control device comprises:
the integrated policy control device identifying the access network segment of the attack data flow according to the source address carried by the attack data flow;
when a Session Border Controller (SBC) signalling network address translation (NAT) device exists between the access network segment and the core network, the reverse containment strategy being generated by the integrated policy control device according to the feature information of the attack data flow.
4. The method of any one of claims 1 to 3, characterized in that the reverse containment strategy comprises: the source Internet Protocol (IP) address, the destination IP address or the transport layer protocol type information of the attack data flow.
5. The method of claim 1, characterized in that the generation of the reverse containment strategy by the integrated policy control device according to the feature information of the attack data flow obtained by the integrated policy control device comprises:
the integrated policy control device judging the access network segment of the attack data flow according to the source address carried by the attack data flow;
when a firewall device exists between the access network segment and the core network, the reverse containment strategy being generated by the integrated policy control device according to the feature information of the attack data flow.
6. The method of claim 5, characterized in that the reverse containment strategy comprises: network address translation (NAT) mapping table number information.
7. The method of claim 1, characterized in that, before receiving the reverse containment strategy from the integrated policy control device, the method further comprises:
the integrated policy control device receiving the feature information of the attack data flow through a dedicated interface preset for attack data flows of a particular type, and generating the reverse containment strategy according to the feature information of the attack data flow.
8. The method of claim 1, characterized by further comprising: the integrated policy control device storing the attack information of the attack data flow fed back by the attack protection device in a security log device, so as to record the attack of the attack data flow.
9. A network system, characterized by comprising a core network signalling processing device, an integrated policy control device and an attack protection device; wherein
the integrated policy control device is configured to obtain the feature information of the attack data flow, generate a reverse containment strategy according to the feature information, and send the reverse containment strategy to the attack protection device;
the attack protection device is configured to receive the reverse containment strategy from the integrated policy control device and to filter, according to the reverse containment strategy, the data flow sent to the core network signalling processing device, so as to perform reverse containment;
the core network signalling processing device is configured to receive the filtered data from the attack protection device.
10. The system of claim 9, characterized by further comprising a storage unit configured to store the attack information of the attack data flow.
11. A network device, characterized by comprising an acquisition module, a strategy generation module and a sending module; wherein
the acquisition module is configured to obtain the feature information of the attack data flow;
the strategy generation module is configured to generate a specific reverse containment strategy according to the feature information obtained by the acquisition module;
the sending module is configured to send the reverse containment strategy generated by the strategy generation module to the attack protection device.
12. The network device of claim 11, characterized by further comprising:
an output module configured to output the attack information of the attack data flow fed back by the attack protection device to a security log device.
13. A network device, characterized by comprising:
a receiver module configured to receive a reverse containment strategy from an integrated policy control device, the reverse containment strategy being generated by the integrated policy control device according to the feature information of the attack data flow obtained by the integrated policy control device;
a reverse containment module configured to filter, according to the reverse containment strategy received by the receiver module, the data flow sent to the core network signalling processing device, so as to perform reverse containment.
14. The network device of claim 13, characterized by further comprising:
a feedback module configured to feed back the attack information of the attack data flow to the integrated policy control device.
15. The network device of claim 13, characterized in that the type of the network device comprises a firewall device or a Session Border Controller (SBC).
CNA2008101322420A 2008-07-21 2008-07-21 Method, system and device for preventing network attack Pending CN101321173A (en)

Publications (1)

Publication Number Publication Date
CN101321173A true CN101321173A (en) 2008-12-10

Family

ID=40180992

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2008101322420A Pending CN101321173A (en) 2008-07-21 2008-07-21 Method, system and device for preventing network attack

Country Status (1)

Country Link
CN (1) CN101321173A (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010145181A1 (en) * 2009-10-10 2010-12-23 中兴通讯股份有限公司 Method for defending network attack, service control node and access node thereof
CN102045302A (en) * 2009-10-10 2011-05-04 中兴通讯股份有限公司 Network attack preventing method, service control node and access node
CN102724166A (en) * 2011-03-29 2012-10-10 国基电子(上海)有限公司 Attack-defensive network connection system and router
CN102724166B (en) * 2011-03-29 2015-02-04 国基电子(上海)有限公司 Attack-defensive network connection system and router
CN104092623A (en) * 2013-04-01 2014-10-08 株式会社日立制作所 Method and device used for carrying out overload protection on network node or server
CN103312693A (en) * 2013-05-08 2013-09-18 华迪计算机集团有限公司 Video and audio access control gateway equipment
CN103312693B (en) * 2013-05-08 2017-04-19 华迪计算机集团有限公司 Video and audio access control gateway equipment
CN104378373A (en) * 2014-11-14 2015-02-25 北京邮电大学 SBC-oriented malformation SIP message detection method and system
CN104539590A (en) * 2014-12-10 2015-04-22 深圳市共进电子股份有限公司 Message processing method and device
CN108123789A (en) * 2016-11-28 2018-06-05 中国移动通信有限公司研究院 Analyze the method and apparatus of security attack
CN109104399A (en) * 2017-11-23 2018-12-28 新华三信息安全技术有限公司 A kind of security strategy rule configuration method and device

Similar Documents

Publication Publication Date Title
CN101321173A (en) Method, system and device for preventing network attack
US7684317B2 (en) Protecting a network from unauthorized access
US9077685B2 (en) Systems and methods for implementing a protocol-aware network firewall
US7920548B2 (en) Intelligent switching for secure and reliable voice-over-IP PBX service
US7472411B2 (en) Method for stateful firewall inspection of ICE messages
EP1737189B1 (en) Apparatus and method for mitigating denial of service attacks on communication appliances
EP1676370B1 (en) Method and media gateway for per-session network address translation (NAT) learning and firewall filtering in media gateway
EP2095224B1 (en) Systems, methods, media, and means for hiding network topology
ES2596528T3 (en) Method and system for filtering multimedia traffic based on IP address links
US8191119B2 (en) Method for protecting against denial of service attacks
CN1905555B (en) Fire wall controlling system and method based on NGN service
CN100550912C (en) The system and method that invalid header field is detected and filters
KR100738567B1 (en) System and method for dynamic network security
CN101064712B (en) System and method for realizing Linux inner core based dual-channel through multistage NAT and fireproof wall
CN102045218B (en) Loop detection method and firewall device
CN1496642A (en) Firewall with index to access rule
JP2007200323A (en) Method for protecting sip-based application
Kantola 6g network needs to support embedded trust
CN101047509B (en) Session attack detection system and method
El-Mousa et al. The design of a secure SIP-based architecture for broadband service providers
JP5752014B2 (en) Gateway device and data transmission method
Boucadair et al. SIP and IPv6–Migration Considerations, Complications, and Deployment Scenarios
CN106559508A (en) A kind of automatic switching method of server public affairs private network IP address
CN100452769C (en) System of soft exchange network passing through firewall based on ALG+MP and its method
Meng A preliminary research on security issues in ip Multimedia Subsystem

Legal Events

Date Code Title Description
PB01 Publication
C06 Publication
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
WD01 Invention patent application deemed withdrawn after publication

Open date: 20081210

C02 Deemed withdrawal of patent application after publication (patent law 2001)