CN102111383A - Method for preventing DOS attack by utilizing priority queue - Google Patents


Info

Publication number
CN102111383A
Authority
CN
China
Prior art keywords
queue
packet
priority
invite
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN200910244259XA
Other languages
Chinese (zh)
Inventor
孙建文
辛阳
罗守山
包一兵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING SAFE-CODE TECHNOLOGY Co Ltd
Original Assignee
BEIJING SAFE-CODE TECHNOLOGY Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by BEIJING SAFE-CODE TECHNOLOGY Co Ltd
Priority to CN200910244259XA
Publication of CN102111383A
Legal status: Pending

Abstract

The invention discloses a method for preventing DoS (Denial of Service) attacks by utilizing a priority queue. The specific protection points comprise the following steps: (1) the waiting queue uses the priority-queue method to store different data packets in separate classes; (2) the server first processes the high-priority queue and only processes the low-priority queue when the high-priority queue is empty; and (3) in the low-priority queue the data packets are handled by a circular-queue method, realized as follows: INVITE data packets are stored in a circular queue, the tail pointer pushes the head pointer forward, the data packet previously pointed to by the head pointer is discarded, and the data packet most recently entering the queue is stored at the tail of the queue. The invention also discloses a device that uses the circular queue to relieve the load, and solves the problem of resource consumption caused by SIP (Session Initiation Protocol) DoS attacks.

Description

A method of using a priority queue to prevent DoS attacks
Technical field
The present invention relates to network defence technology, and in particular to a method of using a priority queue to prevent DoS attacks.
Background technology
SIP, the session control signalling protocol for multimedia sessions, was designed with simplicity and easy extensibility in mind rather than security. Therefore, in terms of application security, the protocol has its own particular characteristics. The protocol is transmitted in text form; at the same time, because the intermediate servers in an application need to read certain fields of a message in order to forward the packet to the correct destination, the message body cannot be fully encrypted in transit between intermediate servers and may be modified at any time. As the protocol has gradually gained popularity, more and more vendors and users want to use the wide range of functions it supports in daily productive life. At this point, the security of the protocol becomes a thorny and unavoidable problem.
A SIP service terminal generally connects through a proxy server, so an attack on SIP can act on the terminal as well as on the proxy server.
Attacks on SIP have gradually increased in recent years and include registration hijacking, fake servers, message tampering and malicious session teardown. The main attack means, however, is still the DoS attack, comprising DoS attacks against terminals and DoS attacks against intermediate servers; the most common is the flood attack of continuously sent INVITE messages.
This patent is mainly directed at DoS attacks that send INVITE messages.
Most DoS attacks aim to exhaust some resource of the server so that, owing to resource shortage, the server refuses all kinds of service requests from legitimate users. For a SIP server these are mainly three classes of resource: CPU, memory and bandwidth.
The working principle of an INVITE attack is consistent with that of a DoS attack: the attacker continuously sends INVITE packets to the user side, causing bandwidth congestion so that other data is lost or cannot reach the receiving end on time; memory is filled by the continuously arriving INVITEs and, because the buffer cannot be cleared in time, responses slow down or the server deadlocks; and the CPU has to process INVITEs constantly, so that all CPU resources are occupied and other data cannot be handled.
When an INVITE flood attack occurs, a large number of INVITE requests are sent to invite the user side to join sessions; the INVITE packets arriving within a short time exhaust the user side in responding to these messages, cause bandwidth congestion, and deplete the user side's resources.
Common techniques for defending against SIP DoS attacks at present include: 1, setting a threshold on the current traffic volume of the SIP server; 2, ordinary queue control. They are briefly described below:
Prior art one: a predefined congestion threshold on the SIP server's current traffic volume
Principle: the main method is that the SIP server monitors the traffic volume it is currently processing; when it detects that this volume has reached the predefined congestion threshold, it returns a congestion response message for the request messages it receives, and the SIP requester handles it according to the congestion response. Such handling includes substituting addresses, using other pre-configured SIP server addresses, when congestion occurs; different request messages are handled in different ways, for example during congestion BYE messages are received normally while INVITEs are answered with a congestion control message.
Whether the SIP server is congested is determined by measuring the volume of traffic the SIP server is handling: when the ratio of the SIP server's traffic volume to its own maximum processing capability reaches a certain value, it is deemed congested. This value P may be preset by the operator or equipment vendor, or different P values may be set according to the importance of the SIP server.
Shortcomings: this scheme mainly has the following shortcomings:
1) This scheme only gives feedback on a request message when congestion occurs, so that the requester resends the request elsewhere or after a delay. If the SIP server is under a DoS attack at this time, neither delaying nor forwarding to other servers solves the problem: the server remains congested forever and can never process request messages normally.
2) Under a DoS attack, the attacking machine sends INVITEs continuously. Because INVITE is a class-B message, the server processes every INVITE; if the server is congested at this time it returns congestion messages, but since the INVITE attack keeps sending INVITE packets, the server keeps responding with congestion response messages and keeps consuming resources, which actually aggravates the attack.
3) This scheme can only relieve congestion pressure to a certain degree when traffic is heavy; it cannot adjust automatically under a DoS attack so as to eliminate the influence of the DoS attack to some extent.
Prior art two: using an ordinary queue for relief.
Principle: legitimate and illegitimate INVITE packets both fill the queue; when the queue is full, the queue is emptied and the remaining packets are then received.
Shortcomings: when the whole queue is emptied, legitimate and illegitimate packets are all discarded. Although legitimate packets may still be processed, illegitimate packets are in the majority during a DoS attack, so most of the packets in the queue are also illegitimate INVITE packets. If the DoS attack is severe, very few legitimate packets enter the queue each time, and if they are all at the tail of the queue they will almost all be discarded by the emptying of the queue before they can be processed, and the delay is very serious.
In summary, the attack protection functions of the prior art all have ways of being defeated, and a SIP server is easily prevented by a DoS attack from providing normal service.
Summary of the invention
Embodiments of the invention provide a method of using a priority queue to prevent DoS attacks, in order to solve the problem of information loss caused by a DoS attack on a SIP server.
A method of using a priority queue to prevent DoS attacks specifically comprises:
1) The waiting queue stores different data packets, classified, by the priority-queue method.
2) The server processes the high-priority queue first, and processes the low-priority queue only when the high-priority queue is empty.
3) In the low-priority queue, data packets are handled in the manner of a circular queue. This comprises: the storage of INVITE data packets in a circular queue; the tail pointer pushing the head pointer forward; discarding the packet previously pointed to by the head pointer and storing the packet newly entering the queue at the tail.
The invention solves the problem in the prior art that SIP DoS attacks easily cause resource consumption.
Description of drawings
Fig. 1 is a schematic diagram of the processing of SIP data messages by the method of the embodiment of the invention;
Fig. 2 is a schematic diagram of the external structure of a processing device provided by the embodiment of the invention;
Fig. 3 is a schematic diagram of the circular queue of the embodiment of the invention;
Fig. 4 is a flowchart of the method of the embodiment of the invention for alleviating SIP DoS attacks.
Embodiment
The present invention is applied at the receiving end of the SIP server. When a packet is received, it is first determined whether it is an INVITE packet, and then which queue it enters is decided. The queues are divided into a high-priority queue and a low-priority queue; only INVITE packets enter the low-priority queue, while non-INVITE SIP packets enter the high-priority queue. The SIP server first processes the packets in the high-priority queue and only begins processing the low-priority queue when the high-priority queue is empty. The low-priority queue is designed as a circular queue, so that under an INVITE DoS attack the tail pointer pushes the head pointer forward and packets are dropped automatically, thereby avoiding congestion and reducing delay. As shown in Figure 1, the method provided by the embodiment of the invention comprises:
As shown in Figure 2, the main device of the present invention is the part in which the priority queue processes SIP packets; the processing of the different packets is the main part of the invention, and the processing of INVITE packets is its greatest innovation.
The SIP server processes the data in the high-priority queue first and handles the data in the low-priority queue only when the high-priority queue is empty. When the SIP server or a SIP terminal is under DoS attack, the attacking end keeps sending INVITE packets to the server; under a severe DoS attack a large number of INVITE packets pour in continuously and occupy the bandwidth, so other request messages can hardly or only rarely reach the server end, and the server is therefore constantly processing data in the low-priority queue. The handling of INVITE packets within the low-priority queue is analysed below.
As shown in Figure 3, SIP INVITE packets enter the low-priority queue in turn. The tail pointer of the priority queue indicates the newest packet and the head pointer indicates the packet to be processed next. While the circular queue is not full, every newly arriving INVITE packet enters the waiting area of the circular queue. Under a DoS attack, when the processing speed cannot keep up with the rate at which packets enter the queue, the tail pointer catches up with the head pointer. At this moment the tail pointer pushes the head pointer forward, and the INVITE packet previously pointed to by the head pointer is dropped.
A circular queue is adopted for two reasons. First, the circular queue discards the old packet indicated by the head pointer, whereas an ordinary queue, once full, discards newly arriving packets, so that new data never gets a chance to be processed. Second, with a circular queue the data keeps moving forward, which shortens the average delay in processing the data.
As shown in Figure 4, the data processing flow when the SIP server of the embodiment of the invention receives a packet comprises the following steps:
Step 401: determine from the packet header whether the received packet is an INVITE packet; this can be judged by the special field in the header of an INVITE packet.
Step 402: if it is an INVITE packet, it enters the low-priority queue; if not, it enters the high-priority queue and step 403 is executed; if it entered the low-priority queue, step 404 is executed.
Step 404: the packet is placed at the position currently indicated by the tail pointer, and the tail pointer advances one position.
Step 405: determine whether, after advancing one position, the tail pointer points to the same position as the head pointer. If so, the packet indicated by the head pointer is discarded and the head pointer advances one position; if not, no action is taken.
Step 406: the circular queue waits for the SIP server to process the data in the queue.
Step 407: after execution, return to step 404.
Step 403: determine whether the high-priority queue is empty; if it is not empty, execute step 408; if it is empty, execute step 409.
Step 408: the SIP server processes the data of the high-priority queue first.
Step 409: process the INVITE packets in the low-priority queue.
Step 410: after step 408 or 409 has executed, return to step 401.
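The following Python model is an added illustration, not code from the patent or its assignee: it implements the INVITE classification of steps 401 and 402, the circular low-priority queue of steps 404 and 405 (tail pushes head, oldest INVITE dropped, newest kept at the tail), and the high-first scheduling of steps 403, 408 and 409, then runs a constructed INVITE flood through it. The SIP messages, user names, Call-IDs and ring capacity are constructed assumptions.

```python
from collections import deque
# Constructed model of the patent's two-level queue (not the patent's own code).

def is_invite(msg: str) -> bool:
    """Step 401: classify a SIP request by the method token of its request line."""
    return msg.split("\r\n", 1)[0].split(" ", 1)[0].upper() == "INVITE"

def header(msg: str, name: str) -> str:
    """Value of the first header called `name`, or "" if absent."""
    for line in msg.split("\r\n")[1:]:
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return ""

class CircularInviteQueue:
    """Low-priority ring: head = next packet to process, tail = next free slot."""

    def __init__(self, capacity: int):
        self.slots = [None] * capacity
        self.capacity = capacity
        self.head = self.tail = self.count = self.dropped = 0

    def enqueue(self, msg: str) -> None:
        # Step 404: store at the tail slot and advance the tail pointer.
        self.slots[self.tail] = msg
        self.tail = (self.tail + 1) % self.capacity
        if self.count == self.capacity:
            # Step 405: the ring was full, so tail has caught up with head; the
            # packet head pointed to has just been overwritten (dropped) and head
            # is pushed forward.  The newest packet stays at the tail.
            self.dropped += 1
            self.head = (self.head + 1) % self.capacity
        else:
            self.count += 1

    def dequeue(self):
        """Step 409: hand the packet at the head pointer to the server."""
        if self.count == 0:
            return None
        msg, self.slots[self.head] = self.slots[self.head], None
        self.head = (self.head + 1) % self.capacity
        self.count -= 1
        return msg

class SipServer:
    def __init__(self, invite_capacity: int):
        self.high = deque()                         # non-INVITE, plain FIFO
        self.low = CircularInviteQueue(invite_capacity)
        self.processed = []                         # Call-IDs in processing order

    def receive(self, msg: str) -> None:
        # Step 402: INVITE -> low-priority ring, anything else -> high-priority FIFO.
        if is_invite(msg):
            self.low.enqueue(msg)
        else:
            self.high.append(msg)

    def process_one(self):
        # Steps 403/408/409: drain the high-priority queue first; take an INVITE
        # from the ring only when the high-priority queue is empty.
        msg = self.high.popleft() if self.high else self.low.dequeue()
        if msg is not None:
            self.processed.append(header(msg, "Call-ID"))
        return msg

def sip(method: str, user: str, call_id: str) -> str:
    """Minimal constructed SIP request carrying only the headers this model reads."""
    return (f"{method} sip:bob@example.com SIP/2.0\r\n"
            f"From: <sip:{user}@example.com>\r\n"
            f"Call-ID: {call_id}\r\n\r\n")

def run_flood_demo(capacity: int = 4, flood_size: int = 10):
    """Constructed burst: an INVITE flood, then one legitimate INVITE, then a BYE.
    Returns (Call-IDs in processing order, number of INVITEs dropped)."""
    server = SipServer(capacity)
    for i in range(flood_size):
        server.receive(sip("INVITE", f"bot{i}", f"flood-{i}"))
    server.receive(sip("INVITE", "alice", "legit-1"))
    server.receive(sip("BYE", "carol", "legit-2"))
    while server.process_one() is not None:
        pass
    return server.processed, server.low.dropped
```

With a ring of four slots and ten flood INVITEs, the BYE is processed first regardless of its arrival order, seven of the oldest INVITEs are dropped, and the legitimate INVITE that arrived last survives at the tail; the model also shows the method's limit, since the ring cannot tell a legitimate INVITE from a flood INVITE and drops purely by age.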
From the above description of the embodiments, those skilled in the art will clearly understand that the present invention can be implemented by software plus the necessary hardware platform, and of course entirely in hardware, but in many cases the former is the better implementation. On this basis, the technical solution of the present invention, or the part of it that contributes over the background art, can be embodied in the form of a software product stored on a storage medium such as ROM/RAM, magnetic disk or optical disc, comprising instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in each embodiment, or in some part of an embodiment, of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include these changes and modifications.

Claims (5)

1. A method of using a priority queue to prevent DoS attacks, characterised in that the method comprises:
storing different data packets, classified, by the priority-queue method;
the server processing the high-priority queue first, and processing the low-priority queue only when the high-priority queue is empty;
in the low-priority queue, handling data packets in the manner of a circular queue, comprising: the storage of INVITE data packets in a circular queue; the tail pointer pushing the head pointer forward; discarding the packet previously pointed to by the head pointer and storing the packet newly entering the queue at the tail.
2. The method of claim 1, characterised in that the method of storing different data packets classified by the priority queue specifically comprises:
determining from the packet header whether the packet is an INVITE packet;
being applied at the receiving end of the SIP server, so that when a packet is received it is first determined whether it is an INVITE packet and then which queue it enters is decided, the queues being divided into a high-priority queue and a low-priority queue;
only INVITE packets entering the low-priority queue, while non-INVITE SIP packets enter the high-priority queue;
the SIP server referred to in this claim including but not limited to application servers and proxy servers in the SIP protocol, and also including servers applied to other services;
the decision criterion required by this claim including but not limited to the INVITE packet of the SIP protocol, and also including command elements defined by the SIP protocol such as CANCEL;
the levels in this claim including but not limited to high priority and low priority, and also including multiple levels and higher and lower priority levels.
3. The method of claim 1, characterised in that the server's method of dividing requests into high-level and low-level ones specifically comprises:
the SIP server first processing the packets in the high-priority queue and only beginning to process the low-priority queue when the high-priority queue is empty, the low-priority queue being designed as a circular queue, so that under an INVITE DoS attack the tail pointer pushes the head pointer forward and packets are dropped automatically, thereby avoiding congestion and reducing delay;
the SIP server referred to in this claim including but not limited to application servers and proxy servers in the SIP protocol, and also including servers applied to other services;
the decision criterion required by this claim including but not limited to the INVITE packet of the SIP protocol, and also including command elements defined by the SIP protocol such as CANCEL;
the levels in this claim including but not limited to high priority and low priority, and also including multiple levels and higher and lower priority levels.
4. The method as described in claim 2 or 3, characterised in that:
INVITE packets enter the low-priority queue in turn, the tail pointer of the priority queue indicating the newest packet and the head pointer indicating the packet to be processed;
while the circular queue is not full, every newly entering INVITE packet enters the waiting area of the circular queue; under a DoS attack, when the processing speed cannot keep up with the rate at which packets enter the queue, the tail pointer catches up with the head pointer, at which moment the tail pointer pushes the head pointer forward and the INVITE packet previously pointed to by the head pointer is dropped.
5. The method as claimed in claim 4, wherein the operating characteristic of the circular queue is "first in, first out"; the storage structure of the queue comprises a linked queue and a sequential queue; and first-in-first-out is mainly realised through the use of the head pointer and the tail pointer.
CN200910244259XA 2009-12-28 2009-12-28 Method for preventing DOS attack by utilizing priority queue Pending CN102111383A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910244259XA CN102111383A (en) 2009-12-28 2009-12-28 Method for preventing DOS attack by utilizing priority queue

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200910244259XA CN102111383A (en) 2009-12-28 2009-12-28 Method for preventing DOS attack by utilizing priority queue

Publications (1)

Publication Number Publication Date
CN102111383A true CN102111383A (en) 2011-06-29

Family

ID=44175413

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200910244259XA Pending CN102111383A (en) 2009-12-28 2009-12-28 Method for preventing DOS attack by utilizing priority queue

Country Status (1)

Country Link
CN (1) CN102111383A (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1533977A1 (en) * 2003-11-17 2005-05-25 Alcatel Detection of denial of service attacks against SIP (session initiation protocol) elements
CN1716868A (en) * 2004-06-29 2006-01-04 华为技术有限公司 Method for combatting rejection service attack
US20080256623A1 (en) * 2007-03-09 2008-10-16 Worley William S Method and system for protecting a computer system from denial-of-service attacks and other deleterious resource-draining phenomena related to communications
CN101083563A (en) * 2007-07-20 2007-12-05 杭州华三通信技术有限公司 Method and apparatus for preventing distributed refuse service attack

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
樊自甫等: "《基于优先级队列的SIP DoS洪泛攻击防御模型》", 《计算机工程与设计》 *

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102231747A (en) * 2011-07-18 2011-11-02 杭州华三通信技术有限公司 Method and equipment for obtaining attack message
CN106130985A (en) * 2016-06-24 2016-11-16 杭州华三通信技术有限公司 A kind of message processing method and device
CN106130985B (en) * 2016-06-24 2019-09-06 新华三技术有限公司 A kind of message processing method and device
CN107592284B (en) * 2016-07-06 2020-06-02 华为技术有限公司 Device and method for preventing DoS/DDoS attack
CN107592284A (en) * 2016-07-06 2018-01-16 华为技术有限公司 The apparatus and method of anti-DoS/DDoS attacks
CN109586780A (en) * 2018-11-30 2019-04-05 四川安迪科技实业有限公司 The method for preventing message from blocking in satellite network
CN110597482A (en) * 2019-08-30 2019-12-20 四川腾盾科技有限公司 Method for searching valid data packet in FIFO (first in first out) by serial port
CN110597482B (en) * 2019-08-30 2021-11-16 四川腾盾科技有限公司 Method for searching latest effective data packet in FIFO by serial port
CN113411357A (en) * 2020-03-16 2021-09-17 中国电信股份有限公司 Session scheduling method, module and system
CN113742087A (en) * 2021-09-22 2021-12-03 深圳市玄羽科技有限公司 Protection method and system for industrial internet big data server
CN113742087B (en) * 2021-09-22 2023-12-12 深圳市玄羽科技有限公司 Protection method and system for industrial Internet big data server
CN114040400A (en) * 2021-10-22 2022-02-11 广西电网有限责任公司 Method for preventing DOS attack for WAPI authentication server
CN114040400B (en) * 2021-10-22 2023-12-29 广西电网有限责任公司 Method for preventing DOS attack by WAPI authentication server

Similar Documents

Publication Publication Date Title
CN102111383A (en) Method for preventing DOS attack by utilizing priority queue
EP2772028B1 (en) Control system, gateway and method for selectively delaying network data flows
Fall et al. Custody transfer for reliable delivery in delay tolerant networks
CN101083563B (en) Method and apparatus for preventing distributed refuse service attack
CN102484609B (en) Maximizing bandwidth utilization in networks with high latencies and packet drops using transmission control protocol
CN102763384B (en) Automatic adjusting of reputation thresholds
US8812725B2 (en) System and method for latency reduction in a network environment
CN101277175B (en) Method and device for improving conversation starting protocol server performance
WO2016138786A1 (en) Transmission control protocol data packet transmission method, transmission device and system
US20120054362A1 (en) Mechanism for autotuning mass data transfer from a sender to a receiver over parallel connections
CN102075421B (en) Service quality processing method and device
GB2493129A (en) Managing a SIP server
CN101222431B (en) Cable fastener device with strong service quality function and its design method
US8892745B2 (en) Redirection of a request for information
CN101483883A (en) Data processing method, apparatus and communication system
CN106612284A (en) Streaming data transport method and streaming data transport device
CN101753546A (en) Data packet transmission method and device
JP4455520B2 (en) Call control system and call control server apparatus and method
CN101562567B (en) Method and server for processing messages
EP2245537B1 (en) Network message management device and methods thereof
JP4153201B2 (en) Communication control method, communication system, and computer program
Divakaran A spike-detecting AQM to deal with elephants
CN107070970A (en) A kind of method for closing and device of transmission control protocol TCP connection
JP2008167466A (en) Communication control method, communication system, and computer program
CN117201202B (en) Reflection amplification Flood attack flow storage method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent of invention or patent application
CB02 Change of applicant information

Address after: 100082, building 1, building 32, 612 North Main Street, Haidian District, Beijing, Xizhimen

Applicant after: Beijing Safe-Code Technology Co., Ltd.

Address before: 100876 No. 34 South College Road, Beijing, Haidian District

Applicant before: Beijing Safe-Code Technology Co., Ltd.

C53 Correction of patent of invention or patent application
CB03 Change of inventor or designer information

Inventor after: Sun Jianwen

Inventor after: Xu Qin

Inventor after: Luo Shoushan

Inventor after: Bao Yibing

Inventor before: Sun Jianwen

Inventor before: Xin Yang

Inventor before: Luo Shoushan

Inventor before: Bao Yibing

COR Change of bibliographic data

Free format text: CORRECT: INVENTOR; FROM: SUN JIANWEN XIN YANG LUO SHOUSHAN BAO YIBING TO: SUN JIANWEN XU QIN LUO SHOUSHAN BAO YIBING

C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20110629