CN102098298B - Method for preventing filtering resource from being exhausted and network access equipment - Google Patents

Method for preventing filtering resource from being exhausted and network access equipment

Info

Publication number: CN102098298B
Application number: CN201010613140.8A
Authority: CN (China)
Prior art keywords: resource, residual capacity, life cycle, information, filtering
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN102098298A
Inventor: 邱小红
Current assignee: Ruijie Networks Co Ltd
Original assignee: Fujian Star Net Communication Co Ltd
Application filed by Fujian Star Net Communication Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
Abstract

The invention provides a method for preventing a filtering resource from being exhausted and network access equipment. The method comprises the following steps of: detecting the residual capacity of the filtering resource within a detection period; and if the residual capacity is less than or equal to a preset value, clearing the filtering resource according to the idle time and/or life cycle of each piece of information in the filtering resource. The network access equipment comprises a detection module and a clearing module. In the scheme provided by the invention, the residual capacity of the filtering resource is detected within the detection period, and the filtering resource is cleared once the residual capacity is less than the preset value, so that the filtering resource is prevented from being exhausted and access of legal users is ensured.

Description

Method for preventing filtering resource exhaustion, and network access device
Technical field
The embodiments of the present invention relate to the field of network technology, and in particular to a method and a network access device for preventing a filtering resource from being exhausted.
Background technology
With the rapid development of Internet technology, the presence of illegitimate users makes Internet security an increasingly serious problem. For example, an illegitimate user can launch an attack from an arbitrary source Internet Protocol (IP) address and thereby disrupt network billing and management that are based on the source IP address. To prevent such source-IP-based attacks, the prior art maps the source IP address to a Media Access Control (MAC) address so that the attack source can be identified and the network attack quickly removed.
At present, network access devices generally support writing a user's IP address, MAC address and access port information into a filtering resource. The filtering resource is used to identify legitimate data packets and to filter out illegitimate ones. It can be configured manually on the network access device or learned dynamically by it. Dynamic learning mainly consists of monitoring packets of a specified protocol and recording the user information carried in those packets into the filtering resource. If an illegitimate user learns the rule by which the network access device monitors the specified protocol, it is easy to attack the filtering resource: sending a large number of packets of the specified protocol quickly fills the filtering resource, the information of other legitimate users can no longer be recorded by the network access device, and the data packets of those legitimate users are dropped. Each piece of user information in the filtering resource has a life cycle; under normal circumstances the network access device only actively checks whether the user has renewed after the life cycle has ended, and then deletes from the filtering resource the information of users who did not renew. Even when no user attacks the network access device maliciously, its filtering resource can be occupied by idle users who have not used the network for a long time, so that new legitimate users cannot be recorded by the network access device and are treated as illegitimate.
At present, filtering resource exhaustion attacks on network access devices are handled mainly by three methods: rate-limiting protocol packets, limiting the number of users per port, and client authentication. Rate-limiting protocol packets restricts the number of protocol packets delivered to the CPU of the network access device per second; the rate of protocol packets delivered to the CPU is fixed, the CPU load is small, and the filtering resource is not filled up in a short time, but over a longer period it is still exhausted. Rate limiting also cannot prevent a large number of idle users from occupying the resource for a long time. Limiting the number of users per port on the network access device has some effect in small networks or in networks with a single type of user, but in large networks or networks with many types of user, setting a per-port user limit within the limited filtering resource is an enormous task, every topology change brings a corresponding configuration change and a heavy workload for the network administrator, and it does not really stop an attacking user from exhausting the filtering resource. With a per-port user limit it is, if anything, easier for an attacker to exhaust the local resource, and the problem of idle users occupying the resource for a long time remains unsolved. Client authentication requires an authentication server, which increases the cost of the network and the administrator's configuration workload; and when an authenticated user stops using the network, the problem of idle users occupying the filtering resource of the network access device for a long time still exists.
Summary of the invention
The embodiments of the present invention provide a method and a network access device for preventing filtering resource exhaustion, in order to solve the prior-art problem that legitimate users cannot gain access once the filtering resource is exhausted.
An embodiment of the present invention provides a method for preventing filtering resource exhaustion, comprising:
detecting, within a detection period, the residual capacity of the filtering resource; and
if the residual capacity is less than or equal to a preset value, cleaning up the filtering resource according to the idle time and/or the life cycle of each piece of information in the filtering resource.
An embodiment of the present invention also provides a network access device, comprising:
a detection module, configured to detect, within a detection period, the residual capacity of the filtering resource; and
a clean-up module, configured to clean up the filtering resource according to the idle time and/or the life cycle of each piece of information in the filtering resource if the residual capacity is less than or equal to the preset value.
In the method and network access device for preventing filtering resource exhaustion provided by the embodiments of the present invention, the residual capacity of the filtering resource is detected within a detection period, and the filtering resource is cleaned up as soon as the residual capacity is less than or equal to the preset value, which prevents the filtering resource from being exhausted and guarantees the access of legitimate users. Cleaning up and maintaining the filtering resource according to the idle time and/or the life cycle of its information makes it possible to judge whether a piece of filtering resource information is idle: as soon as an entry is idle and would prevent a subsequent new user from coming online, the idle user is deleted, while old users who have been online for a long time are not affected. With this processing, idle information, whether caused by a malicious attack or unintentionally, can be identified and released, which truly solves the problem of filtering resource exhaustion attacks and makes full use of the limited filtering resource.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for the embodiments or for the description of the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of the method for preventing filtering resource exhaustion provided by an embodiment of the present invention;
Fig. 2 is a flow chart of a first implementation of step 102 in Fig. 1;
Fig. 3 is a flow chart of a second implementation of step 102 in Fig. 1;
Fig. 4 is a flow chart of a third implementation of step 102 in Fig. 1;
Fig. 5 is a flow chart of a fourth implementation of step 102 in Fig. 1;
Fig. 6 is a flow chart of a fifth implementation of step 102 in Fig. 1;
Fig. 7 is a schematic diagram of a network structure provided by an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of the network access device provided by an embodiment of the present invention.
Embodiment
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Fig. 1 is a flow chart of the method for preventing filtering resource exhaustion provided by an embodiment of the present invention. As shown in Fig. 1, the method comprises:
Step 101: within a detection period, detect the residual capacity of the filtering resource.
The detection period is the interval at which each piece of information in the filtering resource is checked for idleness; it can be expressed in seconds.
The residual capacity is defined relative to the total capacity of the filtering resource. The total capacity is the maximum number of pieces of information the filtering resource can hold, and the residual capacity is the number of unused information slots in the filtering resource.
Step 102: if the detected residual capacity is less than or equal to the preset value, clean up the filtering resource according to the idle time and/or the life cycle of each piece of information in the filtering resource.
The idle time of a piece of information in the filtering resource is the time from when it was last used until the current detection action; its unit can be seconds. The initial value of the idle time is normally 0, and an idle time still at its initial value means that the piece of information has never been used.
The life cycle of a piece of information in the filtering resource is counted from the moment the information is created. It can be split into two parts, the used life cycle and the remaining life cycle. When the life cycle of a piece of information ends, the life cycle is recounted if the user represented by the information renews; if the user does not renew, the information is deleted from the filtering resource. The life cycle of each piece of information can be derived by monitoring the protocol interaction, and the actual value can follow the relevant protocol specification. For example, for an IP address obtained through DHCP the life cycle defaults to 86400 seconds and is decremented every second until it reaches 0, at which point one life cycle has ended. If the life cycle of a piece of information is recounted, its idle time is also reset to the initial value.
Specifically, step 102 can be implemented in any of the following ways.
The first way, which can be called the initial-stage screening condition, targets information that has not been used for a long time since it was created and whose remaining life cycle is short relative to the whole life cycle. As shown in Fig. 2:
102A1: obtain all information in the filtering resource whose idle time is at its initial value (never used) and whose remaining life cycle, as a percentage of the whole life cycle, is less than a first preset percentage. The first preset percentage can be chosen according to the actual residual capacity of the filtering resource; if the residual capacity is still large, the first preset percentage can be a small value such as 10% or 5%.
102A2: judge whether all of the information obtained in 102A1 needs to be deleted.
If so, go to 102A3;
if not, go to 102A4.
The judgement uses the total count of the information obtained in 102A1: if deleting all of it would not raise the residual capacity of the filtering resource above the preset value, all of the obtained information needs to be deleted; if it would, it may not be necessary to delete all of it.
102A3: delete all of the obtained information from the filtering resource.
If the residual capacity of the filtering resource is still less than or equal to the preset value after all of the obtained information has been deleted, the first preset percentage can be adjusted (for example increased) to obtain more filtering resource information that meets the deletion condition, or the further ways provided below can be used to clean up the filtering resource further.
102A4: delete the information starting from the shortest remaining life cycle until the residual capacity of the filtering resource is greater than the preset value.
Cleaning up the filtering resource in the first way can be carried out while the residual capacity of the filtering resource is still relatively ample; it can serve as the usual way of routinely maintaining the filtering resource and is a comparatively "gentle" maintenance mode.
If the residual capacity of the filtering resource is still less than the preset value after maintaining it in the first way, a second way can additionally be adopted; compared with the first way, the second way can delete somewhat more filtering resource information. Of course, the second way can also be used on its own to clean up and maintain the filtering resource. As shown in Fig. 3:
102B1: obtain all information in the filtering resource whose idle time, as a percentage of the whole life cycle, exceeds a second preset percentage.
102B2: judge whether all of the information obtained in 102B1 needs to be deleted.
If so, go to 102B3;
if not, go to 102B4.
The judgement uses the total count of the information obtained in 102B1: if deleting all of it would not raise the residual capacity of the filtering resource above the preset value, all of the obtained information needs to be deleted; if it would, it may not be necessary to delete all of it.
102B3: delete all of the obtained information from the filtering resource.
If the residual capacity of the filtering resource is still less than or equal to the preset value after all of the obtained information has been deleted, the second preset percentage can be adjusted to obtain more filtering resource information that meets the deletion condition, or the first way and the further ways provided below can be used to clean up the filtering resource further.
102B4: delete the information starting from the longest idle time until the residual capacity of the filtering resource is greater than the preset value.
The second way deletes information in the filtering resource whose idle time is long. Maintaining the filtering resource in the second way removes the information of users who have been idle for a long time; idle information, whether caused by a malicious attack or unintentionally, can be identified and then released, which solves the problem of filtering resource exhaustion.
If the residual capacity of the filtering resource is still less than the preset value after maintaining it in the first two ways, a third way can additionally be adopted; compared with the first two ways, the third way can delete somewhat more filtering resource information. Of course, the third way can also be used on its own to clean up and maintain the filtering resource. As shown in Fig. 4:
102C1: obtain all information in the filtering resource whose idle time is at its initial value and whose remaining life cycle is less than a first preset time value.
102C2: judge whether all of the information obtained in 102C1 needs to be deleted.
If so, go to 102C3;
if not, go to 102C4.
The judgement uses the total count of the information obtained in 102C1: if deleting all of it would not raise the residual capacity of the filtering resource above the preset value, all of the obtained information needs to be deleted; if it would, it may not be necessary to delete all of it.
102C3: delete all of the obtained information from the filtering resource.
If the residual capacity of the filtering resource is still less than or equal to the preset value after all of the obtained information has been deleted, the first preset time value can be adjusted to obtain more filtering resource information that meets the deletion condition, or the first two ways and the further ways provided below can be used to clean up the filtering resource further.
102C4: delete the information starting from the shortest remaining life cycle until the residual capacity of the filtering resource is greater than the preset value.
The third way deletes information that has never been used and whose remaining life cycle is less than the first preset time value. Compared with the first two "relative" ways, maintaining the filtering resource in the third way is an "absolute" processing mode: it is stricter than the "relative" ways, but its maintenance effect on the filtering resource is more pronounced and immediate.
If the residual capacity of the filtering resource is still less than the preset value after maintaining it in the first three ways, a fourth way can additionally be adopted; compared with the first three ways, the fourth way can delete somewhat more filtering resource information. Of course, the fourth way can also be used on its own to clean up and maintain the filtering resource. As shown in Fig. 5:
102D1: obtain all information in the filtering resource whose idle time exceeds a second preset time value.
102D2: judge whether all of the information obtained in 102D1 needs to be deleted.
If so, go to 102D3;
if not, go to 102D4.
The judgement uses the total count of the information obtained in 102D1: if deleting all of it would not raise the residual capacity of the filtering resource above the preset value, all of the obtained information needs to be deleted; if it would, it may not be necessary to delete all of it.
102D3: delete all of the obtained information from the filtering resource.
If the residual capacity of the filtering resource is still less than or equal to the preset value after all of the obtained information has been deleted, the second preset time value can be adjusted to obtain more filtering resource information that meets the deletion condition, or the first three ways and the further way provided below can be used to clean up the filtering resource further.
102D4: delete the information starting from the longest idle time until the residual capacity of the filtering resource is greater than the preset value.
The fourth way deletes information that has not been used within a certain time. Compared with the first three ways, maintaining the filtering resource in the fourth way makes it possible to judge whether a piece of filtering resource information is idle: as soon as an entry is idle and would prevent a subsequent new user from coming online, it is deleted, while old users who have been online for a long time are not affected. Idle information, whether caused by a malicious attack or unintentionally, can be identified and released, which truly solves the problem of filtering resource exhaustion and makes full use of the limited filtering resource.
If the residual capacity of the filtering resource is still less than the preset value after maintaining it in the first four ways, a fifth way can additionally be adopted; compared with the first four ways, the fifth way can delete somewhat more filtering resource information. Of course, the fifth way can also be used on its own to clean up and maintain the filtering resource. As shown in Fig. 6:
102E1: obtain all information in the filtering resource whose idle time is greater than one detection period.
A use counter for each piece of filtering resource information can be used to record how many times the information has been used. Each time the network access device receives a data packet that matches the user information recorded in the filtering resource, the use counter of that piece of filtering resource information is incremented by 1; the default initial value is 0. If the value of the use counter of a piece of information is 20, the information has been used 20 times in total from its creation until the execution of the detection action.
With the help of the use counter, all information whose idle time is greater than one detection period can be obtained as follows: compare the value of the use counter detected in this detection period with the value detected in the previous detection period; if the two are identical, the information was not used during this detection period.
Of course, since the value of the detection period is known in advance, it is also possible to judge directly whether the idle time is greater than the detection period.
102E2: judge whether all of the obtained information needs to be deleted.
If so, go to 102E3;
if not, go to 102E4.
The judgement uses the total count of the information obtained in 102E1: if deleting all of it would not raise the residual capacity of the filtering resource above the preset value, all of the obtained information needs to be deleted; if it would, it may not be necessary to delete all of it.
102E3: delete all of the obtained information from the filtering resource.
If the residual capacity of the filtering resource is still less than or equal to the preset value after all of the obtained information has been deleted, the first four ways provided above can be used to clean up the filtering resource further.
102E4: delete the information starting from the shortest remaining life cycle until the residual capacity of the filtering resource is greater than the preset value.
The fifth way deletes information that has not been used within a short time. Compared with the first four ways, maintaining the filtering resource in the fifth way makes it possible to judge quickly whether a piece of filtering resource information is idle: as soon as an entry is idle and would prevent a subsequent new user from coming online, it is deleted, while old users who have been online for a long time are not affected. Idle information, whether caused by a malicious attack or unintentionally, can be identified and released, which truly solves the problem of filtering resource exhaustion and makes full use of the limited filtering resource.
An embodiment of the present invention provides a method for preventing filtering resource exhaustion: the residual capacity of the filtering resource is detected, and as soon as the residual capacity is less than the preset value the filtering resource is cleaned up, which prevents the filtering resource from being exhausted and guarantees the access of legitimate users.
The method for preventing filtering resource exhaustion provided by the present invention is described in detail below with the DHCP Snooping function as the background.
In the network structure shown in Fig. 7, clients A, B and C each request an IP address from the DHCP server. The DHCP Snooping function is enabled on the network access device, which snoops on the process by which the clients request IP addresses from the DHCP server. After a client has successfully obtained an address, the network access device records the user information, which can be, but is not limited to, as shown in Table 1:
Table 1
Port     MAC    IP     Life cycle   Idle time   Use count
Port 1   MacA   IpA    86400        0           0
Port 2   MacB   IpB    2145         3s          5864
Port 3   MacC   IpC    180          85s         69
When each piece of filtering resource information is first created, its life cycle defaults to 86400s (24h). Assume that the filtering resource capacity of the network access device is 100 pieces of information, and that a residual capacity of 50%~80% of the filtering resource is the low threat section, 30%~50% the middle threat section, 10%~30% the sub-high threat section and 0%~10% the high threat section. The detection period of the filtering resource is set to 60s. These values are used for illustration only and do not limit the protection scope of the present embodiment.
The method for preventing filtering resource exhaustion provided by the embodiment of the present invention can comprise:
1. When the residual capacity of the filtering resource is in the low threat section:
a) find all information in the filtering resource whose remaining life cycle is less than 50% of the whole life cycle (i.e. 43200s, 12h) and whose idle time is still at the initial value 0s, and delete all of it;
b) if the residual capacity of the filtering resource is still in the low threat section after step a, find all information in the filtering resource whose idle time is greater than 50% of the whole life cycle (i.e. 43200s, 12h), and delete all of it;
c) if the residual capacity of the filtering resource is still in the low threat section (20-50) after step b, no further judgement is made; the judgement for this period ends and the next detection period is awaited.
2. When the residual capacity of the filtering resource is in the middle threat section:
a) find all information in the filtering resource whose remaining life cycle is less than 60% of the whole life cycle (i.e. 51840s, 14.4h) and whose idle time is still at the initial value 0s, and delete all of it;
b) if the residual capacity of the filtering resource is still in the middle threat section after step a, find all information in the filtering resource whose idle time is greater than 40% of the whole life cycle (i.e. 34560s, 9.6h), and delete all of it;
c) if the residual capacity of the filtering resource is still in the middle threat section after steps a and b, find all information in the filtering resource whose remaining life cycle is less than 70% of the whole life cycle (i.e. 60480s, 16.8h) and whose idle time is still at the initial value 0s, and delete all of it;
d) if the residual capacity of the filtering resource is still in the middle threat section after steps a, b and c, find all information in the filtering resource whose idle time is greater than 30% of the whole life cycle (i.e. 25920s, 7.2h), and delete all of it;
e) if the residual capacity of the filtering resource is still in the middle threat section after steps a, b, c and d, find all information in the filtering resource whose remaining life cycle is less than 80% of the whole life cycle (i.e. 69120s, 19.2h) and whose idle time is still at the initial value 0s, and delete all of it;
f) if the residual capacity of the filtering resource is still in the middle threat section after steps a, b, c, d and e, find all information in the filtering resource whose idle time is greater than 20% of the whole life cycle (i.e. 17280s, 4.8h), and delete all of it;
if the residual capacity of the filtering resource is still in the middle threat section after steps a, b, c, d, e and f, no further judgement is made; the judgement for this period ends and the next detection period is awaited.
3. When the residual capacity of the filtering resource is in the sub-high threat section:
a) find all information in the filtering resource whose remaining life cycle is less than 90% of the whole life cycle (i.e. 77760s, 21.6h) and whose idle time is still at the initial value 0s. If not all of the screened information needs to be deleted to move the residual capacity of the filtering resource out of the threat section, delete it in order of remaining life cycle, shortest first, until the residual capacity of the filtering resource is no longer in the sub-high threat section; otherwise delete all of it.
b) if the residual capacity of the filtering resource is still in the sub-high threat section after step a, find all information in the filtering resource whose idle time is greater than 10% of the whole life cycle (i.e. 8640s, 2.4h). If not all of the screened information needs to be deleted to move the residual capacity of the filtering resource out of the threat section, delete it in order of idle time, longest first, until the residual capacity of the filtering resource is no longer in the sub-high threat section; otherwise delete all of it.
c) if the residual capacity of the filtering resource is still in the sub-high threat section after steps a and b, find all information in the filtering resource whose remaining life cycle is less than 79200s (i.e. 22h) and whose idle time is still at the initial value 0s. If not all of the screened information needs to be deleted to move the residual capacity of the filtering resource out of the threat section, delete it in order of remaining life cycle, shortest first, until the residual capacity of the filtering resource is no longer in the sub-high threat section; otherwise delete all of it;
d) if the residual capacity of the filtering resource is still in the sub-high threat section after steps a, b and c, find all information in the filtering resource whose idle time exceeds 2400s (i.e. 40m). If not all of the screened information needs to be deleted to move the residual capacity of the filtering resource out of the threat section, delete it in order of idle time, longest first, until the residual capacity of the filtering resource is no longer in the sub-high threat section; otherwise delete all of it.
e) if the residual capacity of the filtering resource is still in the sub-high threat section after steps a, b, c and d, no further judgement is made; the judgement for this period ends and the next detection period is awaited.
4. When the remaining capacity of the filter resource is in the high threat band:
a) Search the filter resource for all entries whose remaining life cycle is less than 82800 s (23 h) and whose idle time is still at its initial value of 0 s. If the remaining capacity of the filter resource can be moved out of the threat band without deleting all of the selected entries, delete them in order of remaining life cycle, shortest first, until the remaining capacity of the filter resource is no longer in the high threat band; otherwise delete all of them.
b) If, after step a), the remaining capacity of the filter resource is still in the high threat band, search the filter resource for all entries whose idle time exceeds 1800 s (30 min). If the remaining capacity can be moved out of the threat band without deleting all of the selected entries, delete them in order of idle time, longest first, until the remaining capacity of the filter resource is no longer in the high threat band; otherwise delete all of them.
c) If, after steps a) and b), the remaining capacity of the filter resource is still in the high threat band, search the filter resource for all entries whose remaining life cycle is less than 84600 s (23.5 h) and whose idle time is still at its initial value of 0 s. If the remaining capacity can be moved out of the threat band without deleting all of the selected entries, delete them in order of remaining life cycle, shortest first, until the remaining capacity of the filter resource is no longer in the high threat band; otherwise delete all of them.
d) If, after steps a), b) and c), the remaining capacity of the filter resource is still in the high threat band, search the filter resource for all entries whose idle time exceeds 600 s (10 min). If the remaining capacity can be moved out of the threat band without deleting all of the selected entries, delete them in order of idle time, longest first, until the remaining capacity of the filter resource is no longer in the high threat band; otherwise delete all of them.
e) If, after steps a), b), c) and d), the remaining capacity of the filter resource is still in the high threat band, search the filter resource for all entries whose remaining life cycle is less than 85320 s (23.7 h) and whose idle time is still at its initial value of 0 s. If the remaining capacity can be moved out of the threat band without deleting all of the selected entries, delete them in order of remaining life cycle, shortest first, until the remaining capacity of the filter resource is no longer in the high threat band; otherwise delete all of them.
f) If, after steps a), b), c), d) and e), the remaining capacity of the filter resource is still in the high threat band, search the filter resource for all entries whose idle time exceeds 300 s (5 min). If the remaining capacity can be moved out of the threat band without deleting all of the selected entries, delete them in order of idle time, longest first, until the remaining capacity of the filter resource is no longer in the high threat band; otherwise delete all of them.
g) If, after steps a), b), c), d), e) and f), the remaining capacity of the filter resource is still in the high threat band, obtain all entries whose idle time exceeds one detection period. If the remaining capacity can be moved out of the threat band without deleting all of the selected entries, delete them in order of remaining life cycle, longest remaining life cycle first, until the remaining capacity of the filter resource is no longer in the high threat band; otherwise delete all of them.
h) If, after steps a), b), c), d), e), f) and g), the remaining capacity of the filter resource is still in the high threat band, no further judgement or processing is performed: the judgement for this period ends and the device waits for the next detection period.
In practice the various implementations of step 102 can be used interleaved with one another. Only a few limited ways of using them are enumerated above; they do not limit the scope of protection of the present invention.
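The following is an added example, not code from the patent or from the assignee, that implements the escalation ladders described in sections 3 and 4 above as a single cleanup routine. Everything not stated on the page is an assumption: every entry is given the same whole life cycle of 86400 s (24 h), which is what makes 90% of it equal the 77760 s quoted in the text; the detection period is taken as 60 s; the filter resource is modelled as a dictionary of entries with a fixed capacity; and a threat band is modelled by its upper limit on remaining capacity, so the band is left as soon as the remaining capacity exceeds that limit. The selector names (`by_remaining`, `by_idle`, `by_idle_longest_remaining`) and the sample entries are constructed for illustration.

```python
from dataclasses import dataclass

LIFE_CYCLE = 86400      # whole life cycle of every entry in seconds (24 h, assumed)
DETECT_PERIOD = 60      # detection period in seconds (assumed)


@dataclass
class Entry:
    remaining: int      # remaining life cycle, seconds
    idle: int           # idle time, seconds; 0 is the initial value


def by_remaining(entries, bound):
    """Selector for the 'remaining life cycle' steps: entries whose idle time
    is still the initial 0 s and whose remaining life cycle is below `bound`,
    ordered shortest remaining life cycle first."""
    hits = [k for k, e in entries.items() if e.idle == 0 and e.remaining < bound]
    return sorted(hits, key=lambda k: entries[k].remaining)


def by_idle(entries, bound):
    """Selector for the 'idle time' steps: entries idle longer than `bound`,
    ordered longest idle time first."""
    hits = [k for k, e in entries.items() if e.idle > bound]
    return sorted(hits, key=lambda k: -entries[k].idle)


def by_idle_longest_remaining(entries, bound):
    """Selector for the last high-band step: entries idle longer than `bound`
    (one detection period), ordered longest remaining life cycle first."""
    hits = [k for k, e in entries.items() if e.idle > bound]
    return sorted(hits, key=lambda k: -entries[k].remaining)


# Escalation ladders. Each step is (selector, bound in seconds); the bounds
# are the figures quoted in the text for the two bands.
SECOND_HIGH_STEPS = [
    (by_remaining, LIFE_CYCLE * 90 // 100),   # 77760 s = 21.6 h
    (by_idle,      LIFE_CYCLE * 10 // 100),   #  8640 s =  2.4 h
    (by_remaining, 79200),                    # 22 h
    (by_idle,      2400),                     # 40 min
]
HIGH_STEPS = [
    (by_remaining, 82800),                    # 23 h
    (by_idle,      1800),                     # 30 min
    (by_remaining, 84600),                    # 23.5 h
    (by_idle,      600),                      # 10 min
    (by_remaining, 85320),                    # 23.7 h
    (by_idle,      300),                      #  5 min
    (by_idle_longest_remaining, DETECT_PERIOD),
]


def cleanup(entries, capacity, band_upper, steps):
    """One detection period. `entries` maps entry id -> Entry and is modified
    in place; remaining capacity is capacity - len(entries). The band is left
    once remaining capacity exceeds `band_upper`. Within a step, candidates are
    deleted one at a time and the capacity re-checked after each deletion, so
    a step that can free enough room deletes only what it must. If the last
    step is exhausted without leaving the band, the period ends anyway.
    Returns the ids deleted, in deletion order."""
    deleted = []

    def remaining_capacity():
        return capacity - len(entries)

    if remaining_capacity() > band_upper:
        return deleted                        # not in a threat band; nothing to do
    for select, bound in steps:
        for key in select(entries, bound):
            if remaining_capacity() > band_upper:
                return deleted
            del entries[key]
            deleted.append(key)
        if remaining_capacity() > band_upper:
            break
    return deleted


def sample_table():
    """Constructed sample of eight entries (not data from the patent)."""
    return {
        "a": Entry(remaining=80000, idle=0),
        "b": Entry(remaining=70000, idle=0),
        "c": Entry(remaining=60000, idle=0),
        "d": Entry(remaining=50000, idle=9000),
        "e": Entry(remaining=40000, idle=100),
        "f": Entry(remaining=86000, idle=0),
        "g": Entry(remaining=30000, idle=3000),
        "h": Entry(remaining=20000, idle=5000),
    }


if __name__ == "__main__":
    table = sample_table()
    # capacity 10 with 8 entries gives remaining capacity 2, inside a band
    # whose upper limit is 3: step a) alone frees enough, deleting c then b.
    print(cleanup(table, capacity=10, band_upper=3, steps=SECOND_HIGH_STEPS))
```

The point worth noticing is the re-check after every single deletion: a step never clears its whole candidate set when a prefix of it already takes the remaining capacity out of the band, which is what keeps legitimate, still-valid entries alive as long as possible. The ladder only falls through to the next, more aggressive selector when the current one is exhausted, and after the final selector the period simply ends, so one detection period can never delete more than the ladder allows.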
Fig. 8 is a schematic structural diagram of the network access device provided by the embodiment of the present invention. As shown in Fig. 8, the network access device comprises a detection module 801 and a cleanup module 802. The detection module 801 detects, within a detection period, the remaining capacity of the filter resource; the cleanup module 802, if the remaining capacity is less than or equal to a preset value, cleans up the filter resource according to the idle time and/or the life cycle of each entry in the filter resource.
In one implementation, the cleanup module 802 comprises an acquisition unit, a judging unit and a cleanup unit. The acquisition unit obtains, from the filter resource, all entries whose idle time is at its initial value and whose remaining life cycle, as a percentage of the whole life cycle, is less than a first preset percentage; the judging unit judges whether all of the entries obtained by the acquisition unit need to be deleted; if the judging unit's result is no, the cleanup unit deletes the entry with the shortest remaining life cycle, repeatedly, until the remaining capacity of the filter resource is greater than the preset value.
In another implementation, the cleanup module 802 comprises an acquisition unit, a judging unit and a cleanup unit. The acquisition unit obtains, from the filter resource, all entries whose idle time, as a percentage of the whole life cycle, exceeds a second preset percentage; the judging unit judges whether all of the entries obtained by the acquisition unit need to be deleted; if the judging unit's result is no, the cleanup unit deletes the entry with the longest idle time, repeatedly, until the remaining capacity of the filter resource is greater than the preset value.
In a further implementation, the cleanup module 802 comprises an acquisition unit, a judging unit and a cleanup unit. The acquisition unit obtains, from the filter resource, all entries whose idle time is at its initial value and whose remaining life cycle is less than a first preset time value; the judging unit judges whether all of the entries obtained by the acquisition unit need to be deleted; if the judging unit's result is no, the cleanup unit deletes the entry with the shortest remaining life cycle, repeatedly, until the remaining capacity of the filter resource is greater than the preset value.
In a further implementation, the cleanup module 802 comprises an acquisition unit, a judging unit and a cleanup unit. The acquisition unit obtains, from the filter resource, all entries whose idle time exceeds a second preset time value; the judging unit judges whether all of the entries obtained by the acquisition unit need to be deleted; if the judging unit's result is no, the cleanup unit deletes the entry with the longest idle time, repeatedly, until the remaining capacity of the filter resource is greater than the preset value.
In a further implementation, the cleanup module 802 comprises an acquisition unit, a judging unit and a cleanup unit. The acquisition unit obtains, from the filter resource, all entries whose idle time is greater than one detection period; the judging unit judges whether all of the entries obtained by the acquisition unit need to be deleted; if the judging unit's result is no, the cleanup unit deletes the entry with the shortest remaining life cycle, repeatedly, until the remaining capacity of the filter resource is greater than the preset value.
The embodiment of the present invention provides a network access device that detects the remaining capacity of the filter resource and, once the remaining capacity is less than the preset value, cleans up the filter resource, so that the filter resource is prevented from being exhausted and the access of legitimate users is ensured.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (2)

1. A method for preventing a filter resource from being exhausted, characterized in that it comprises:
detecting, within a detection period, the remaining capacity of the filter resource;
if said remaining capacity is less than or equal to a preset value, cleaning up said filter resource according to the idle time and the life cycle of each entry in said filter resource, wherein said cleaning up of said filter resource according to the idle time and the life cycle of each entry in said filter resource comprises:
obtaining, from said filter resource, all entries whose idle time is at its initial value and whose remaining life cycle, as a percentage of the whole life cycle, is less than a first preset percentage;
judging whether all of said entries need to be deleted;
if not, deleting the entry with the shortest remaining life cycle, repeatedly, until the remaining capacity of said filter resource is greater than the preset value;
or comprises:
obtaining, from said filter resource, all entries whose idle time, as a percentage of the whole life cycle, exceeds a second preset percentage;
judging whether all of said entries need to be deleted;
if not, deleting the entry with the longest idle time, repeatedly, until the remaining capacity of said filter resource is greater than the preset value;
or comprises:
obtaining, from said filter resource, all entries whose idle time is at its initial value and whose remaining life cycle is less than a first preset time value;
judging whether all of said entries need to be deleted;
if not, deleting the entry with the shortest remaining life cycle, repeatedly, until the remaining capacity of said filter resource is greater than the preset value;
wherein the above three ways of cleaning up said filter resource according to the idle time and the life cycle of each entry in said filter resource are used interleaved: after said filter resource has been maintained using any one of them, if the remaining capacity of said filter resource is still less than the preset value, any other one of them is further used.
2. A network access device, characterized in that it comprises:
a detection module for detecting, within a detection period, the remaining capacity of the filter resource;
a cleanup module for cleaning up said filter resource according to the idle time and the life cycle of each entry in said filter resource if said remaining capacity is less than or equal to a preset value, wherein said cleanup module comprises:
an acquisition unit for obtaining, from said filter resource, all entries whose idle time is at its initial value and whose remaining life cycle, as a percentage of the whole life cycle, is less than a first preset value;
a judging unit for judging whether all of the entries obtained by said acquisition unit need to be deleted;
a cleanup unit for deleting, if the judging result of said judging unit is no, the entry with the shortest remaining life cycle, repeatedly, until the remaining capacity of said filter resource is greater than the preset value;
or comprises:
an acquisition unit for obtaining, from said filter resource, all entries whose idle time, as a percentage of the whole life cycle, exceeds a second preset value;
a judging unit for judging whether all of the entries obtained by said acquisition unit need to be deleted;
a cleanup unit for deleting, if the judging result of said judging unit is no, the entry with the longest idle time, repeatedly, until the remaining capacity of said filter resource is greater than the preset value;
or comprises:
an acquisition unit for obtaining, from said filter resource, all entries whose idle time is at its initial value and whose remaining life cycle is less than a first preset time value;
a judging unit for judging whether all of the entries obtained by said acquisition unit need to be deleted;
a cleanup unit for deleting, if the judging result of said judging unit is no, the entry with the shortest remaining life cycle, repeatedly, until the remaining capacity of said filter resource is greater than the preset value;
wherein the above three cleanup modules are used interleaved: after said filter resource has been maintained using any one of them, if the remaining capacity of said filter resource is still less than the preset value, any other cleanup module is further used.
CN201010613140.8A 2010-12-29 2010-12-29 Method for preventing filtering resource from being exhausted and network access equipment Active CN102098298B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010613140.8A CN102098298B (en) 2010-12-29 2010-12-29 Method for preventing filtering resource from being exhausted and network access equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010613140.8A CN102098298B (en) 2010-12-29 2010-12-29 Method for preventing filtering resource from being exhausted and network access equipment

Publications (2)

Publication Number Publication Date
CN102098298A CN102098298A (en) 2011-06-15
CN102098298B true CN102098298B (en) 2014-07-30

Family

ID=44131162

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010613140.8A Active CN102098298B (en) 2010-12-29 2010-12-29 Method for preventing filtering resource from being exhausted and network access equipment

Country Status (1)

Country Link
CN (1) CN102098298B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1215681C (en) * 2003-07-31 2005-08-17 港湾网络有限公司 CPU message flow control method of distributed exchange router system
CN101582051A (en) * 2009-06-10 2009-11-18 腾讯科技(深圳)有限公司 Method and device for adjusting memory
CN101626313A (en) * 2009-08-10 2010-01-13 中兴通讯股份有限公司 Network management system client and performance data display method thereof
CN101917444A (en) * 2010-08-25 2010-12-15 福建星网锐捷网络有限公司 Method and device for creating IP source address binding list item, and switch

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7617303B2 (en) * 2004-04-27 2009-11-10 At&T Intellectual Property Ii, L.P. Systems and method for optimizing access provisioning and capacity planning in IP networks
CN100433724C (en) * 2006-03-15 2008-11-12 华为技术有限公司 Method and equipment of ageing treatment for header compressed list items of context in Internet protocol
CN101662812B (en) * 2008-08-28 2012-04-25 华为技术有限公司 Method and device for handling overtime access of user equipment
CN101651693B (en) * 2009-09-15 2012-10-03 成都市华为赛门铁克科技有限公司 Aged rule maintenance method and equipment

Also Published As

Publication number Publication date
CN102098298A (en) 2011-06-15

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder
CP01 Change in the name or title of a patent holder

Address after: Cangshan District of Fuzhou City, Fujian province 350002 Jinshan Road No. 618 Garden State Industrial Park 19 floor

Patentee after: RUIJIE NETWORKS Co.,Ltd.

Address before: Cangshan District of Fuzhou City, Fujian province 350002 Jinshan Road No. 618 Garden State Industrial Park 19 floor

Patentee before: Beijing Star-Net Ruijie Networks Co.,Ltd.