CN101494639A - Method and apparatus for preventing aggression in packet communication system - Google Patents

Info

Publication number: CN101494639A
Authority: CN (China)
Legal status: Pending
Application number: CNA2008100070225A
Other languages: Chinese (zh)
Inventor: 银宇
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd

Abstract

The invention discloses a method for preventing attacks in a packet communication system, comprising the following steps: obtaining an error message that a host sends when it receives an unexpected data packet, the error message carrying characteristic information of that packet; generating a corresponding shielding rule from the characteristic information; and filtering subsequent data packets with the shielding rule. The invention further provides a corresponding apparatus. With this method and apparatus, a packet-domain terminal that comes under external malicious attack can notify the network to shield the malicious data stream, which greatly reduces the security risk to the terminal, saves network resources, spares the user from paying for junk data, and reduces the power consumption of terminals, especially mobile terminals.

Description

Method and apparatus for preventing attacks in a packet communication system
Technical field
The present invention relates to the field of network communications technology, and in particular to a method and apparatus for preventing attacks in a packet communication system.
Background
With the development of telecommunications technology, alongside the original circuit-domain basic services such as voice and SMS, packet-domain services have also grown rapidly. By access method they fall into two classes, fixed access and mobile access. Fixed access usually means broadband access, including wireless LAN (WLAN); mobile access covers the packet-domain services provided by the various mobile communication networks, such as GPRS/UMTS and its future evolved SAE network, CDMA networks, TD-SCDMA networks, WiMAX networks and so on.
A terminal (mobile or fixed) establishes a link to a data gateway, is assigned an IP address by the data gateway or another IP address management node, and conducts its services with a peer on the service network using this IP address; the service data stream passes through the data gateway between the terminal and the service peer.
One technical solution provided by the prior art is as follows:
In fixed networks, the usual means of preventing attacks is to install firewall software on the terminal, and as attacks on mobile terminals become more and more common, firewall software for mobile terminals is also appearing. However, firewall software installed on the terminal can only partly address the harm caused by exploiting the terminal's vulnerabilities; against the other harms described below it is powerless. Moreover, the firewall software itself accelerates the mobile terminal's power consumption.
Because fixed broadband access is currently charged mostly on a monthly-subscription basis, as long as the firewall software keeps the data safe, the user does not much care about the extra bandwidth consumed, and fixed terminals are insensitive to power consumption. For mobile networks, however, the other harms must be taken seriously.
It is also foreseeable that, because P2P services currently consume a large share of network bandwidth, fixed-network operators may later switch to a charging model that combines monthly subscription with traffic-based charging, in which case fixed-network users would also be affected by the extra charges generated by junk and attack data.
In addition, another technical solution provided by the prior art is as follows:
Usually a firewall is deployed between the data gateway and the service network (or the Internet). The firewall treats the terminal side as the internal network, i.e. the security zone, and the service-network side as the external network, i.e. the non-security zone. All data from the external network is blocked unless it matches a corresponding permit rule on the firewall. To generate a permit rule on the firewall, the terminal must first send a packet from the internal network; when that packet passes through the firewall, the firewall generates the permit rule from the packet's information, normally the IP five-tuple (source IP address, destination IP address, upper-layer protocol type, source port number, destination port number) plus some other additional information.
But an attacker still has ways to get through the firewall and attack the terminal; for example, there is currently an attack technique known as "overbilling".
It can be seen that the existing technical solutions still cannot effectively solve the problem of protecting terminals of a packet communication system from attack.
Summary of the invention
In view of this, embodiments of the invention provide a method and apparatus for preventing attacks in a packet communication system.
An embodiment of the invention provides a method for preventing attacks in a packet communication system, comprising:
obtaining an error message from a host, the error message carrying the characteristic information of a data packet and being sent when the host receives an unexpected data packet;
generating a corresponding shielding rule from the characteristic information;
filtering subsequent data packets with the shielding rule.
An embodiment of the invention provides an attack-prevention apparatus, comprising:
a receiving unit, for receiving error messages sent by a host, each error message carrying the relevant characteristic information of a data packet;
a monitoring unit, for monitoring and counting the error messages received by the receiving unit;
a shielding unit, for generating corresponding shielding rules, which are used to filter subsequent data packets;
where the error message is sent when the host receives an unexpected data packet.
An embodiment of the invention also provides a terminal device, comprising:
a receiving unit, for receiving data packets and messages from the network side;
a characteristic information extraction unit, for extracting the characteristic information of received data packets;
a sending unit, which sends an error message when an unexpected data packet is received, the error message carrying the characteristic information of that packet.
In the technical solution provided by the embodiments of the invention, the error message that the host sends upon receiving an unexpected data packet is obtained, a corresponding shielding rule is generated from the characteristic information it carries, and when the number of such error messages received within a period of time reaches a predetermined value, or the number received consecutively reaches a predetermined count, the shielding rule is used to filter subsequent data packets. Thus, when a packet-domain terminal comes under external malicious attack, it can notify the network to shield the malicious data stream, greatly reducing the security risk to the terminal, saving network resources, sparing the user from paying for junk data, and reducing the power consumption of terminals, particularly mobile terminals.
Description of drawings
Fig. 1 is a flow diagram of the attack-prevention method of the first embodiment of the invention;
Fig. 2 shows the general format of the ICMP unreachable error message;
Fig. 3 is a flow diagram of the attack-prevention method of the second embodiment of the invention.
Detailed description
In the packet domain, a terminal accessing a public service network such as the Internet follows an open service model, so a packet-domain terminal may be attacked from the Internet: an attacker obtains or guesses the terminal's IP address by some means and sends data packets to that address. These malicious packets may be TCP data probing for vulnerabilities in the terminal, or may have no other intent than mischievously sending large volumes of junk data that consume network bandwidth and choke the terminal. The harms a malicious attack brings to a terminal include:
harm from exploitation of the terminal's vulnerabilities, such as leaking the user's account, password, confidential documents, personal privacy and so on; large volumes of data occupying the user's and the network's bandwidth, degrading network performance and interfering with the user's normal use of services; since charging is generally performed at the data gateway, the user also pays for this junk or even malicious traffic; and for mobile terminals, junk data further accelerates battery drain and shortens standby time.
For this reason, embodiments of the invention provide an attack-prevention method that addresses the problem of a terminal (which may also be called a host) in a packet communication network being attacked with malicious data. Based on the error messages the terminal sends, a shielding rule for the corresponding malicious attack data stream is generated on the data gateway or firewall, so that the terminal is protected from subsequent malicious data.
In a typical packet communication network, the Internet, a host that receives an unexpected data stream returns an error message in the following main ways:
According to the standard TCP/IP protocols, when a host receives a UDP datagram and is not listening on the destination port of that datagram, it returns an ICMP (Internet Control Message Protocol) Port Unreachable error message to the sender. This error message carries the IP header and the UDP header of the UDP datagram that caused the error.
When a host receives a TCP segment and is not listening on a connection corresponding to the segment's five-tuple, i.e. source IP address, destination IP address, upper-layer protocol type (TCP), source port number and destination port number (for a TCP connection-setup segment, only the destination IP address, upper-layer protocol type (TCP) and destination port number need to be checked), the host sends a TCP reset segment to the peer, and this reset segment contains the five-tuple of the TCP segment that caused the error.
The terminal may be a mobile terminal or any other TCP/IP host. Normally the terminal is not listening on the port targeted by the malicious attack stream, so receiving the malicious attack stream also triggers the sending of an error message. These error messages pass through the data gateway or firewall; if the data gateway or firewall counts the error messages for a certain external data stream as being sent too frequently within a period of time, it can judge that the current terminal is probably under malicious attack, generate a corresponding shielding rule for the malicious attack stream, and block it.
In addition, when the terminal receives a data stream it does not wish to receive, it may explicitly send a message to the data gateway, firewall or another third-party logical entity carrying the characteristic information (such as the five-tuple) of the external data stream it wants shielded; a shielding rule is then generated on the data gateway or firewall to block the corresponding malicious attack data stream.
The criterion by which the terminal judges whether it wishes to receive data may be the automatic error-message sending rules pre-configured on it (such as the trigger conditions of the above-mentioned ICMP port unreachable or TCP reset messages), or the user may be asked and the judgment confirmed by the user.
To make the principles, features and advantages of the invention clearer, a description follows with reference to specific embodiments.
Embodiment 1
In this embodiment, the data gateway detects the TCP/IP error messages sent by the terminal, judges that the external data stream the terminal is currently receiving is malicious attack data, and shields it.
Because the function of blocking malicious attack packets in the embodiments of the invention can be implemented on the data gateway, on the firewall between the data gateway and the external service network, or even on a data gateway integrated with a firewall, the following description, for ease of exposition, does not restrict the concrete physical entity.
Referring to Fig. 1, the steps of the attack-prevention method in a packet communication system provided by the embodiment of the invention are as follows:
Step S101: the terminal receives an unexpected data packet from outside.
The external attack source sends malicious attack data to the terminal; the attack source gets through the firewall and reaches the terminal via the data gateway. Since other types of service packets are generally shielded by the firewall, the malicious attack data are usually UDP packets, but may also be TCP segments.
Step S102: the terminal sends an error message upon receiving the unexpected data packet, the error message carrying the characteristic information of that packet.
Because the terminal is not listening on the port to which the unexpected external data is addressed, it sends an error message to the external attack source. If the unexpected external data is a UDP packet, the terminal sends an ICMP port unreachable message to the external sender, which carries the IP header and the UDP header of the external data that caused the error.
In the Internet, all TCP, UDP, ICMP and IGMP data are transmitted in the form of IP datagrams, and every IP datagram contains a source IP address, a destination IP address and a type of service (TOS) field.
UDP is a simple datagram-oriented transport-layer protocol. A UDP datagram is encapsulated in an IP datagram, which consists of the IP header, the UDP header and the UDP data. The IP header contains the source and destination IP addresses, and the UDP header contains the source and destination port numbers.
ICMP messages are exchanged between hosts without destination port numbers, whereas a UDP datagram is sent from one particular port to another particular port.
The general format of the ICMP unreachable error message is shown in Fig. 2. The ICMP unreachable error message contains the IP header of the datagram that generated the error, and normally also at least the first 8 bytes of the data that followed that IP header in the original IP datagram. Here, the first 8 bytes after the IP header contain the UDP header.
By the rules of UDP, if a UDP datagram is received and no upper-layer application is listening on the destination port, UDP returns an ICMP port unreachable message.
If the unexpected external data received is a TCP segment, the terminal sends a TCP reset segment, which likewise carries the characteristic information, namely the five-tuple of the external data that caused the error: source IP address, destination IP address, upper-layer protocol type (TCP), source port number and destination port number.
Step S103: generate a corresponding shielding rule from the characteristic information of the packet carried in the error message.
Generating the shielding rule specifically comprises: after the terminal's error report is received, comparing the characteristic information of the corresponding data stream with all permit rules already generated on the data gateway, and if some permit rule matches the characteristic information of the malicious attack stream, marking that permit rule invalid. Once the permit rule is invalidated, subsequent malicious attack data can no longer pass the data gateway's filtering and reach the terminal.
Alternatively, when a data stream is judged to be a malicious attack stream, a shield flag is set on the data gateway according to the characteristic information of the stream. When the external attack source continues to send unexpected packets to the terminal, they match the shielding rule because they carry the same characteristic information, and the data gateway then performs the corresponding shielding operation on the packets as indicated by the shield flag.
When the error message sent by the terminal arrives at the data gateway, the data gateway parses the message, determines that it is a terminal error message, and extracts from it the characteristic information (such as the five-tuple) that triggered the error. If this is the first time the data gateway receives an error message from the terminal for this external packet, it generates a filtering rule for the packet from the characteristic information and starts recording the error messages received from the terminal for this packet.
After receiving the terminal's error message, the data gateway may, according to policy, either continue to forward it to the external data source or discard it.
Because a malicious attacker generally sends a large number of packets in a short time, the terminal is triggered into sending multiple error messages. If the error messages the data gateway receives from the terminal for a certain packet within a period of time are too frequent, exceeding a pre-configured threshold, it can judge that the terminal is probably under malicious attack and perform the shielding operation on the malicious attack stream;
or, if the number of error messages received consecutively from the terminal exceeds a predetermined count, it can likewise judge that the terminal is probably under malicious attack and perform the shielding operation on the malicious attack stream.
The shielding operation on the malicious attack stream can take different forms. For example, when the data stream is judged to be a malicious attack stream, the data gateway compares the recorded characteristic information of the stream (such as the five-tuple) with all permit rules already generated on the data gateway; if some permit rule matches the characteristic information of the malicious attack stream (for example, in the "overbilling" attack, the permit rule that a malicious terminal created on the data gateway by initiating a service to a malicious server), that permit rule is marked invalid. Because the malicious attack server must use characteristic information (such as the five-tuple) consistent with this permit rule in order to pass the data gateway's filtering, once the permit rule is invalidated, subsequent malicious attack data can no longer pass the data gateway and reach the terminal.
Of course, another way to implement the shielding operation is that when the data gateway judges a data stream to be a malicious attack stream, it sets a shield flag according to the characteristic information of the stream. When the external attack source continues to send unexpected packets to the terminal, they match the shielding rule because they carry the same characteristic information, and the data gateway then performs the corresponding shielding operation on the packets as indicated by the shield flag.
It should be noted that the above shielding operation is described for the case where the data gateway and the firewall are co-located.
As mentioned above, the data gateway and the firewall may be deployed separately. In that case, the firewall can perform the above work independently, i.e. it identifies and counts the reported error messages and, after judging a data stream to be a malicious attack stream, shields that stream itself. Alternatively, the reported error messages are still identified and counted on the data gateway, and after the data stream is judged to be a malicious attack stream, the data gateway sends the firewall a message carrying the characteristic information (such as the five-tuple) of the stream to be shielded, and the firewall shields the stream according to that characteristic information.
Step S104: filter subsequent data packets with the shielding rule.
The external attack source continues to send unexpected packets to the terminal; the unexpected packets are shielded on arrival at the data gateway, and shielding can take various forms, such as discarding or rate limiting.
Embodiment 2
In this embodiment, a logical network entity, the security policy manager entity, is set up in the packet communication system. When the terminal receives unexpected external data, it sends a message to the security policy manager entity requesting that this external data stream be shielded.
Referring to Fig. 3, the steps of the attack-prevention method in a packet communication system provided by this embodiment are as follows:
Step S301: the terminal establishes a link to the data gateway and obtains the reporting address of the security policy manager entity.
The reporting address of the security policy manager entity may be configured in the terminal; or it may be configured on the data gateway, in which case the terminal obtains it by interacting with the gateway when it connects to the network; or another network element in the network obtains the reporting address and sends it to the terminal, e.g. it is configured on the mobility management entity (MME) / Serving GPRS Support Node (SGSN), or obtained from the HSS subscription data, and then passed to the terminal.
The data gateway and the security policy manager entity interact to negotiate and obtain the corresponding policy information.
Step S302: the external attack source sends malicious attack data to the terminal; the attack source gets through the firewall and reaches the terminal via the data gateway. The malicious attack data may be UDP packets, TCP segments or packets of another type.
Step S303: the terminal judges that the received packet is not one it expects, and sends an error report to the security policy manager entity; the report carries the characteristic information of the external data that triggered it, such as the IP five-tuple.
Whether the terminal judges the data as expected may be decided by the automatic error-message sending rules pre-configured on it (such as the trigger conditions of the above-mentioned ICMP port unreachable or TCP reset messages), or by displaying an interface on the terminal that asks the user to confirm. The terminal may deliver the error report to the security policy manager entity via a signalling message, a short message or any other feasible means.
Step S304: after receiving the terminal's error report, the security policy manager entity generates a shielding rule and delivers it to the data gateway.
After the security policy manager entity receives the terminal's error report, the characteristic information of the corresponding data stream is compared with all permit rules already generated on the data gateway, and if some permit rule matches the characteristic information of the malicious attack stream, that permit rule is marked invalid. Once the permit rule is invalidated, subsequent malicious attack data can no longer pass the data gateway's filtering and reach the terminal.
Alternatively, when the data stream is judged to be a malicious attack stream, a shield flag is set on the data gateway according to the characteristic information of the stream. When the external attack source continues to send unexpected packets to the terminal, they match the shielding rule because they carry the same characteristic information, and the data gateway then performs the corresponding shielding operation on the packets as indicated by the shield flag.
Step S305: the shielding rule is recorded on the data gateway.
Step S306: the external attack source continues to send packets to the terminal; the packets are shielded on arrival at the data gateway, and shielding can take various forms, such as discarding or rate limiting.
The security policy manager entity in this embodiment is a logical entity; in a concrete deployment it may be co-located with the data gateway or the firewall, or deployed separately and interact with the data gateway or firewall over an interface.
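The following Python sketch is an added illustration of both embodiments and is not part of the patent or of any Huawei implementation. It recovers the offending five-tuple from the ICMP port unreachable message described under step S102, applies the per-period and consecutive-count thresholds of step S103 to decide when to shield a flow, filters packets as in step S104, and exposes the explicit-report path of Embodiment 2 (steps S304 and S305). The thresholds, the constructed addresses and the simplified permit-rule policy (an external flow is forwarded only when a permit rule exists for it) are assumptions of the example.

```python
import struct
import ipaddress
from collections import defaultdict, deque

IPPROTO_ICMP, IPPROTO_UDP = 1, 17                   # IANA protocol numbers
ICMP_DEST_UNREACH, ICMP_CODE_PORT_UNREACH = 3, 3    # RFC 792 type / code

def parse_ipv4_header(buf):
    """Return (header_len, protocol, src, dst) from a raw IPv4 header."""
    header_len = (buf[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(buf[12:16]))
    dst = str(ipaddress.IPv4Address(buf[16:20]))
    return header_len, buf[9], src, dst

def five_tuple_from_icmp_port_unreach(pkt):
    """Recover the unwanted UDP datagram's five-tuple from an ICMP port-unreachable.
    The ICMP body carries the original IP header plus the first 8 bytes of its
    payload, i.e. the whole UDP header. Returns None for any other packet."""
    hlen, proto, _, _ = parse_ipv4_header(pkt)
    if proto != IPPROTO_ICMP:
        return None
    icmp = pkt[hlen:]
    if icmp[0] != ICMP_DEST_UNREACH or icmp[1] != ICMP_CODE_PORT_UNREACH:
        return None
    inner = icmp[8:]                                # skip the 8-byte ICMP header
    in_hlen, in_proto, in_src, in_dst = parse_ipv4_header(inner)
    if in_proto != IPPROTO_UDP or len(inner) < in_hlen + 8:
        return None
    sport, dport = struct.unpack("!HH", inner[in_hlen:in_hlen + 4])
    return (in_src, in_dst, in_proto, sport, dport)

class Gateway:
    """Data gateway that turns the terminal's error messages into shield rules."""

    def __init__(self, window=10.0, window_threshold=5, consecutive_threshold=3):
        self.window, self.window_threshold = window, window_threshold
        self.consecutive_threshold = consecutive_threshold
        self.permit_rules = set()               # flows opened by terminal-originated traffic
        self.shield_rules = set()               # flows to block
        self.error_times = defaultdict(deque)   # flow -> timestamps of recent errors
        self.consecutive = defaultdict(int)     # flow -> length of the current error run
        self.last_flow = None

    def install_shield(self, flow):
        """Invalidate any permit rule matching the flow and set its shield flag."""
        self.permit_rules.discard(flow)
        self.shield_rules.add(flow)

    def on_error_message(self, pkt, now):
        """Embodiment 1: count errors per offending flow and shield when the windowed
        count or the consecutive run reaches its threshold; returns the shielded flow or None."""
        flow = five_tuple_from_icmp_port_unreach(pkt)
        if flow is None:
            return None
        times = self.error_times[flow]
        times.append(now)
        while now - times[0] > self.window:     # forget errors outside the window
            times.popleft()
        self.consecutive[flow] = self.consecutive[flow] + 1 if self.last_flow == flow else 1
        self.last_flow = flow
        if (len(times) >= self.window_threshold
                or self.consecutive[flow] >= self.consecutive_threshold):
            self.install_shield(flow)
            return flow
        return None

    def on_explicit_report(self, flow):
        """Embodiment 2: shielding rule handed down by the security policy manager."""
        self.install_shield(flow)

    def filter_packet(self, flow):
        """Decision for an external packet addressed to the terminal: permitted flows
        are forwarded unless shielded; everything else is dropped (assumed policy)."""
        if flow in self.shield_rules or flow not in self.permit_rules:
            return "drop"
        return "forward"

def ipv4_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header for constructed samples (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def icmp_port_unreachable(terminal, attacker, sport, dport):
    """Constructed sample: the error a terminal returns for an unwanted UDP datagram."""
    offending = ipv4_header(IPPROTO_UDP, attacker, terminal, 8) + struct.pack("!HHHH", sport, dport, 8, 0)
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_CODE_PORT_UNREACH, 0, 0) + offending
    return ipv4_header(IPPROTO_ICMP, terminal, attacker, len(icmp)) + icmp

def demo():
    """Constructed scenario: a flood from one source is shielded at the 3rd consecutive error."""
    gw = Gateway()
    flow = ("203.0.113.5", "10.0.0.2", IPPROTO_UDP, 4444, 5555)   # attacker -> terminal
    gw.permit_rules.add(flow)      # assume a permit rule already lets this flow through
    err = icmp_port_unreachable("10.0.0.2", "203.0.113.5", 4444, 5555)
    decisions = []
    for t in range(4):
        gw.on_error_message(err, now=float(t))
        decisions.append(gw.filter_packet(flow))
    return decisions               # ['forward', 'forward', 'drop', 'drop']
```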
An embodiment of the invention also provides an attack-prevention apparatus, comprising:
a receiving unit, for receiving the error messages sent by the terminal;
a monitoring unit, for monitoring and counting the error messages received by the receiving unit;
a shielding unit, for generating corresponding shielding rules and filtering data packets according to them.
The receiving unit receives the error message, carrying the relevant characteristic information of the data packet, that the host sends when it receives an unexpected data packet;
subsequent data packets are filtered according to the shielding rule.
The terminal sends an error message upon receiving an unexpected data packet, the error message carrying the characteristic information of that packet.
Because the terminal is not listening on the port to which the unexpected external data is addressed, it sends an error message to the external attack source. If the unexpected external data is a UDP packet, the terminal returns an ICMP port unreachable message to the external sender, which carries the IP header and the UDP header of the external data that caused the error.
The attack-prevention apparatus generates a corresponding shielding rule from the characteristic information of the packet carried in the error message.
Generating the shielding rule specifically comprises: after the terminal's error report is received, comparing the characteristic information of the corresponding data stream with all permit rules already generated on the data gateway, and if some permit rule matches the characteristic information of the malicious attack stream, marking that permit rule invalid, after which subsequent malicious attack data can no longer pass the data gateway's filtering and reach the terminal. Alternatively, when a data stream is judged to be a malicious attack stream, a shield flag is set on the data gateway according to the characteristic information of the stream; subsequent unexpected packets from the external attack source carry the same characteristic information, match the shielding rule, and are handled by the data gateway as indicated by the shield flag.
When the error message sent by the terminal arrives at the attack-prevention apparatus, the apparatus parses the message and extracts from it the characteristic information (such as the five-tuple) that triggered the error. If this is the first time an error message from the terminal for this external packet is received, the apparatus generates a filtering rule for the packet from the characteristic information and starts recording the error messages received from the terminal for this packet.
After receiving the terminal's error message, the attack-prevention apparatus may, according to policy, either continue to forward it to the external data source or discard it.
Because a malicious attacker generally sends a large number of packets in a short time, the terminal is triggered into sending multiple error messages. If the error messages received from the terminal for a certain packet within a period of time are too frequent, exceeding a pre-configured threshold, or if the number of error messages received consecutively from the terminal exceeds a predetermined count, the apparatus can judge that the terminal is probably under malicious attack and perform the shielding operation on the malicious attack stream.
If the unexpected data packet is a UDP packet, the error message is an ICMP port unreachable error message;
the characteristic information carried for the packet comprises the IP header and the UDP header of that UDP packet.
If the unexpected data packet is a TCP segment, the error message is a TCP reset segment.
The error message may also be an explicitly reported signalling message.
An embodiment of the invention also provides a terminal device, which may be a wired-network terminal or a wireless-network terminal. When the terminal device receives unexpected external data, it sends a message to the security policy manager entity requesting that this external data stream be shielded; the message carries the characteristic information of the received external data. The terminal device comprises:
a receiving unit, for receiving data packets and messages from the network side;
a characteristic information extraction unit, for extracting the characteristic information of received data packets;
a sending unit, which sends an error message when an unexpected data packet is received, the error message carrying the characteristic information of that packet.
The reporting address of the security policy management entity is configured in the terminal device; or
the reporting address of the security policy management entity is configured on the data gateway, and when the terminal attaches to the network it obtains the reporting address by interacting with the gateway; or
a network element in the network is configured with the reporting address of the security policy management entity, or the network element obtains the reporting address from the HSS subscription data, and
the terminal receives the reporting address of the security policy management entity sent by that network element.
The terminal device stores the received address of the security policy management entity.
Having obtained the reporting address of the security policy management entity, the terminal sends a message to that entity when it receives unexpected external data:
when the terminal judges that a received packet is not one it expects, it reports a discrepancy report to the security policy management entity requesting that this external data flow be shielded; the report carries the characteristic information of the external data that triggered it, such as the IP five-tuple.
Whether received data is expected can be determined automatically by the rules pre-configured on the terminal for sending error messages (such as the trigger conditions for the ICMP port unreachable or TCP reset messages mentioned above), or confirmed by the user through an interface displayed on the terminal. The terminal may deliver the discrepancy report to the security policy management entity by a signaling message, a short message, or any other feasible means.
An embodiment of the invention also provides a security policy control entity. Its reporting address may be configured in the terminal; or configured on the data gateway, in which case the terminal obtains the reporting address by interacting with the gateway when it attaches to the network; or another network element in the network obtains the reporting address and sends it to the terminal, for example the address is configured on the mobile management entity (MME, Mobile Management Entity) / Serving GPRS Support Node (SGSN), or obtained from the HSS subscription data, and then passed to the terminal. The security policy control entity provided by this embodiment comprises:
a receiving unit, which receives the discrepancy report message sent when an unexpected packet is received, the discrepancy report message carrying the characteristic information of the packet; the discrepancy report message may be a signaling message or a short message;
a shielding rule generation unit, which generates corresponding shielding rules according to the characteristic information of the packet carried in the discrepancy report message and filters data packets according to the shielding rules;
After receiving the terminal's discrepancy report, the shielding rule generation unit compares the characteristic information of the corresponding data flow with all allow rules that have been generated on the data gateway; if an allow rule matches the characteristic information of the malicious attack data flow, that allow rule is set to invalid. Once the allow rule is invalid, subsequent malicious attack data flow can no longer pass the data gateway's filtering and reach the terminal.
In addition, when a data flow is determined to be a malicious attack flow, the shielding rule generation unit sets a shield flag according to the characteristic information of the flow. When the external attack source subsequently continues to send unexpected packets to the terminal, those packets carry the same characteristic information and therefore match the shielding rule, and the data gateway performs the corresponding masking operation on them according to the indication of the shield flag;
a transmitting unit, which sends the shielding rules to the data gateway.
The security policy management entity in this embodiment is a logical entity; in a specific deployment it may be co-located with the data gateway or the firewall, or deployed separately and interact with the data gateway or firewall through an interface.
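The allow-rule invalidation and shield-flag behaviour described above, as an added Python example that is not the patent's own code: the policy entity compares the reported flow's five-tuple against the gateway's allow rules, marks every matching rule invalid, records a shield flag keyed by the characteristic information, and hands both to a gateway that decides each subsequent packet. The rule table, addresses and flows are constructed assumptions, and the split into a policy entity and a gateway mirrors the two entities in the description.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Flow = Tuple[str, str, int, int, int]      # (src, dst, proto, sport, dport)
UDP, TCP = 17, 6


@dataclass
class AllowRule:
    """An allow rule already present on the data gateway; None means wildcard."""
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    valid: bool = True

    def matches(self, flow: Flow) -> bool:
        fields = (self.src, self.dst, self.proto, self.sport, self.dport)
        return all(f is None or f == v for f, v in zip(fields, flow))


class PolicyManager:
    """Shielding-rule generation unit of the security policy management entity."""

    def __init__(self, allow_rules):
        self.allow_rules = list(allow_rules)
        self.shield_flags = {}               # characteristic info -> action

    def on_discrepancy_report(self, flow: Flow) -> int:
        """Handle a terminal's discrepancy report for `flow`.
        Returns the number of allow rules invalidated."""
        invalidated = 0
        for rule in self.allow_rules:
            if rule.valid and rule.matches(flow):
                rule.valid = False           # allow rule conforms to the attack flow
                invalidated += 1
        self.shield_flags[flow] = "drop"     # shield flag keyed by five-tuple
        return invalidated

    def rules_for_gateway(self):
        """What the transmitting unit hands to the data gateway."""
        return {"allow": [r for r in self.allow_rules if r.valid],
                "shield": dict(self.shield_flags)}


class DataGateway:
    """Applies the policy entity's rules to subsequent packets."""

    def __init__(self, rules):
        self.rules = rules

    def decide(self, flow: Flow) -> str:
        if flow in self.rules["shield"]:
            return self.rules["shield"][flow]     # shield flag takes precedence
        if any(r.matches(flow) for r in self.rules["allow"]):
            return "forward"
        return "drop"                            # no valid allow rule admits it


TERMINAL = "10.0.0.5"                           # constructed address
ATTACK_FLOW: Flow = ("198.51.100.7", TERMINAL, UDP, 40000, 9999)
OTHER_UDP_FLOW: Flow = ("203.0.113.2", TERMINAL, UDP, 5000, 9999)
HTTPS_FLOW: Flow = ("203.0.113.2", TERMINAL, TCP, 443, 51000)


def scenario():
    """Decisions for three flows before and after the terminal's report."""
    policy = PolicyManager([AllowRule(dst=TERMINAL, proto=UDP, dport=9999),
                            AllowRule(dst=TERMINAL, proto=TCP, sport=443)])
    gw_before = DataGateway(policy.rules_for_gateway())
    before = {f: gw_before.decide(f) for f in (ATTACK_FLOW, OTHER_UDP_FLOW, HTTPS_FLOW)}
    invalidated = policy.on_discrepancy_report(ATTACK_FLOW)
    gw_after = DataGateway(policy.rules_for_gateway())
    after = {f: gw_after.decide(f) for f in (ATTACK_FLOW, OTHER_UDP_FLOW, HTTPS_FLOW)}
    return before, after, invalidated


if __name__ == "__main__":
    before, after, n = scenario()
    print("allow rules invalidated:", n)
    for f in before:
        print(f, before[f], "->", after[f])
```

The scenario makes one consequence of the described design visible: invalidating the allow rule that admitted the attack flow also cuts the second UDP flow that the same wildcard rule admitted, while the unrelated TCP rule stays valid. An operator should therefore expect the breadth of the invalidated allow rule to determine how much legitimate traffic is affected alongside the shielded flow.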
The discrepancy report message may be a signaling message or a short message. Those skilled in the art will appreciate that all or part of the modules or steps in the above embodiments may be implemented by a program instructing the relevant hardware, the program being stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc; alternatively they may be made into individual integrated circuit modules, or several of the modules or steps may be made into a single integrated circuit module. The invention is thus not limited to any specific combination of hardware and software.
The above embodiments serve to describe and explain the principle of the invention. It should be understood that the specific embodiments of the invention are not limited thereto. Various changes and modifications made by those skilled in the art without departing from the spirit and scope of the invention all fall within the protection scope of the invention.

Claims (15)

1. A method for preventing attacks in a packet communication system, characterized in that it comprises:
obtaining an error message from a host, the error message carrying characteristic information of a data packet and being sent when the host receives an unexpected data packet;
generating a corresponding shielding rule according to the characteristic information;
using the shielding rule to filter subsequent data packets.
2, the method for claim 1 is characterized in that, described not desired data bag is the UDP message, and described error message is the unreachable error message of ICMP port;
The characteristic information of described data message comprises the IP header message and the UDP header message of described UDP message message.
3, the method for claim 1 is characterized in that,
Described not desired data bag is the TCP message, and described error message is the TCP message that resets;
The characteristic information of described data message comprises the five-tuple information of this tcp data message.
4, the method for claim 1 is characterized in that,
Described error message is the explicit signaling message that reports.
5, the method for claim 1, it is characterized in that, be provided with the security policy manager entity in the described packet communication system, the address that reports of described security policy manager entity is pre-configured on the described main frame, and described error message sends by following step:
According to the described address that reports described error message is sent to the security policy manager entity.
6, the method for claim 1 is characterized in that, is provided with the security policy manager entity in the described packet communication system, described security policy manager entity report address configuration on data gateway, described error message sends by following step:
Described main frame and described data gateway obtain the address that reports of described security policy manager entity alternately,
According to the described address that reports described error message is sent to the security policy manager entity.
7. An attack-prevention device, characterized in that it comprises:
a receiving unit, used to receive an error message sent by a host, the error message carrying characteristic information related to a data packet;
a monitoring unit, used to monitor and count the error messages received by the receiving unit;
a shielding unit, used to generate a corresponding shielding rule, the shielding rule being used to filter subsequent data packets;
wherein the error message is sent when the host receives an unexpected data packet.
8. The device of claim 7, characterized in that it further comprises:
a processing unit, which filters subsequent data packets according to the shielding rule.
9. The device of claim 7, characterized in that it further comprises:
a transmitting unit, which sends the shielding rule to a data gateway, the data gateway filtering subsequent data packets according to the shielding rule.
10. The device of claim 7, characterized in that the unexpected data packet is a UDP packet and the error message is an ICMP port unreachable error message;
the characteristic information carried for the data packet comprises the IP header and the UDP header of the UDP packet.
11. The device of claim 7, characterized in that
the unexpected data packet is a TCP packet and the error message is a TCP reset message;
the characteristic information of the data packet comprises the five-tuple of the TCP data packet.
12. The device of claim 7, characterized in that
the error message is an explicitly reported signaling message.
13. A terminal device, characterized in that it comprises:
a receiving unit, used to receive packets and messages from the network side;
a characteristic information extraction unit, used to extract the characteristic information of a received packet;
a transmitting unit, which sends an error message when an unexpected packet is received, the error message carrying the characteristic information of the packet.
14. The terminal device of claim 13, characterized in that it further comprises:
a setting unit, used to set the reporting address of a security policy management entity;
wherein, when the receiving unit receives an unexpected data packet, the transmitting unit reports a discrepancy report to the security policy management entity according to the reporting address.
15. The terminal device of claim 13, characterized in that it further comprises:
a memory unit, used to store the address of the security policy management entity that the receiving unit receives from the network side;
wherein, when the receiving unit receives an unexpected data packet, the transmitting unit reports a discrepancy report to the security policy management entity according to the stored address.
CNA2008100070225A 2008-01-25 2008-01-25 Method and apparatus for preventing aggression in packet communication system Pending CN101494639A (en)


Publications (1)

Publication Number Publication Date
CN101494639A true CN101494639A (en) 2009-07-29

Family

ID=40925045



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20090729