CN102143143A - Method and device for defending network attack, and router - Google Patents
- Publication number
- CN102143143A
- Authority
- CN
- China
- Prior art keywords
- attack
- interface plate
- message
- distributed interface
- carries out
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The embodiments of the invention disclose a method and device for defending against network attacks, and a router. In the method, a distributed interface board performs local attack detection and filtering on its own traffic, performs pattern-based statistical analysis based on layer 3 to layer 7 applications or content, and reports statistical information to a service board; the service board performs global attack determination and management according to the statistical information reported by the distributed interface board. This achieves better attack detection and protection, especially against application-layer attacks.
Description
Technical field
The present invention relates to the field of communication technologies, and in particular to a method and device for defending against network attacks, and a router.
Background technology
As network applications continue to multiply, network security has become an increasingly urgent requirement. Because attackers use more sophisticated techniques and more advanced equipment, attacks are stealthier and more powerful, and traditional firewall devices are increasingly unable to meet requirements. In recent years, attacks on application-layer protocols (such as gaming protocols), DDoS attacks launched from botnets, and very-high-volume attacks (sending huge volumes of traffic to occupy network and server bandwidth) have become the principal forms of attack. Limited by their analysis capability and processing performance, traditional firewalls cannot protect well against such attacks.
Integrating firewall and anti-DDoS features into the router is a good choice: it defends better against such large-scale attacks and reduces investment and maintenance costs. Routers include device types such as customer service gateways and service routers. They sit at the access edge for individual/enterprise users or at the data center entrance, or are used to connect metro networks, backbone networks and different interconnected networks, and can process all traffic passing through them. Because a router has very strong processing capability, can perform multi-level traffic control and management, and completes all processing on in-line traffic, DDoS defense performed by the router has better real-time performance and effectiveness. Many router vendors have already implemented anti-DDoS functions in their products, mainly through a service board with firewall/anti-DDoS capability: traffic is redirected from the router's forwarding boards to this service board for attack detection and cleaning, and the processed traffic is then forwarded onward.
In the course of implementing the present invention, the inventor found at least the following problems in the prior art: because the service board itself has limited processing capability, it cannot process the traffic of multiple forwarding boards, which makes comprehensive deployment in the network difficult, so customer requirements cannot really be met. The prior-art methods that identify DDoS attack traffic through pattern-based statistical analysis also have many defects in the statistics they analyze, and cannot accurately find attacks on a specific application or content.
Summary of the invention
Embodiments of the invention provide a method and device for defending against network attacks, and a router, so as to achieve better attack detection and protection, especially against application-layer attacks.
A method for defending against network attacks provided by an embodiment of the invention comprises:
A distributed interface board performs local attack detection and filtering on the traffic of that board, performs pattern-based statistical analysis based on layer 3 to layer 7 applications or content, and reports statistical information to a service board;
The service board performs global attack determination and management according to the statistical information reported by the distributed interface board.
A device for defending against network attacks provided by an embodiment of the invention comprises:
A distributed interface board, configured to perform local attack detection and filtering on the traffic of that board, to perform pattern-based statistical analysis based on layer 3 to layer 7 applications or content, and to report statistical information to a service board;
A service board, configured to perform global attack determination and management according to the statistical information reported by the distributed interface board.
A router provided by an embodiment of the invention comprises:
A distributed interface board, configured to perform local attack detection and filtering on the traffic of that board, to perform pattern-based statistical analysis based on layer 3 to layer 7 applications or content, and to report statistical information to a service board;
A service board, configured to perform global attack determination and management according to the statistical information reported by the distributed interface board.
Beneficial effects of the technical solutions of the embodiments of the invention: better attack detection and protection are achieved, especially against application-layer attacks; because the solution is integrated into the router, all traffic can be processed and deployment requirements are fully met.
Description of drawings
To describe the technical solutions of the embodiments of the invention more clearly, the accompanying drawings needed for describing the embodiments are briefly introduced below. Apparently, the drawings described below show only some embodiments of the invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of a method for defending against network attacks provided by an embodiment of the invention;
Fig. 2 is a schematic diagram of a distributed two-level attack-defense architecture provided by an embodiment of the invention;
Fig. 3 is a schematic diagram of a device for defending against network attacks provided by an embodiment of the invention;
Fig. 4 is a schematic diagram of a device for defending against network attacks provided by an embodiment of the invention;
Fig. 5 is a schematic diagram of a device for defending against network attacks provided by an embodiment of the invention;
Fig. 6 is a schematic diagram of a router provided by an embodiment of the invention.
Embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings in the embodiments. Apparently, the described embodiments are only some rather than all of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the invention without creative effort fall within the protection scope of the invention.
As shown in Fig. 1, the method for defending against network attacks provided by an embodiment of the invention comprises: a distributed interface board performs local attack detection and filtering on the traffic of that board, performs pattern-based statistical analysis based on layer 3 to layer 7 applications or content, and reports statistical information to a service board; the service board performs global attack determination and management according to the statistical information reported by the distributed interface board. Better attack detection and protection can thus be achieved, especially against application-layer attacks.
For ease of understanding, the implementation of the embodiment of the invention in a specific application is described in detail below.
The method for defending against network attacks provided by the embodiment of the invention comprises:
S1. The distributed interface board performs local attack detection and filtering on the traffic of that board, performs pattern-based statistical analysis based on layer 3 to layer 7 applications or content, and reports statistical information to the service board;
This step specifically comprises:
The distributed interface board performs fingerprint filtering based on deep packet inspection (DPI) and discards attack packets that contain illegal fingerprint features;
The distributed interface board looks up the blacklist table by source IP address and by destination IP address respectively, and discards traffic of specific source or destination IP addresses;
The distributed interface board looks up the dynamic access control list (ACL); a packet that hits the dynamic ACL belongs to attack traffic and is handled according to the action of the dynamic ACL (discard, rate limit, etc.);
The distributed interface board performs flow-based processing, which includes looking up the five-tuple flow table and handling the packet according to the service action in the flow table; if no flow table entry is found, the packet is sent up to the service board, which performs first-packet analysis and policy lookup in order to establish the flow table entry.
The flow-based processing performed by the distributed interface board further specifically comprises:
All flow table entries are traversed, and each entry is checked to see whether pattern-based statistical analysis is to be run on it.
(Pattern statistics: the flow table stores the raw statistics of each flow, including packet count, packet byte count, and packet counts for specific protocols or message types (such as TCP SYN/FIN/RST packet counts, DNS request packet counts, HTTP request packet counts, etc.). The user configures the template policies for which pattern analysis is to be performed. Template types are based on the packet five-tuple and may also include VPN ID, user ID, etc.; they include but are not limited to those shown in Table 1:
Template 1: destination IP + destination port + protocol number
Template 2: source IP + destination port + protocol number
Template 3: destination port + protocol number
Template 4: destination IP + protocol number
Template 5: source IP + protocol number
Template 6: protocol number
Table 1
Pattern-based statistical analysis means that aggregated flows are built from the actual raw statistics in the flow table according to the above templates; each aggregated flow stores the accumulated statistics of all flows with the same attributes, various calculations are performed on it (such as packet rate, total number of connections, etc.), and the results are then checked against the corresponding thresholds.
For example, with template 1, the statistics of multiple flows with the same destination IP, destination port and protocol number are accumulated, and the rate is calculated and compared with the preconfigured threshold; exceeding the threshold is regarded as an anomaly.)
If so, statistics are accumulated and aggregated according to the corresponding pattern, and the calculated statistic (such as the average packet rate) is compared with the stored baseline threshold for that pattern; when the threshold is exceeded, the traffic is regarded as abnormal and the statistic and the anomaly event are reported to the service board.
S2. The service board performs global attack determination and management according to the statistical information reported by the distributed interface board.
Specifically, the service board looks up its own dynamic access control list (ACL) to perform global filtering or rate limiting. Traffic that passes undergoes deep packet inspection (DPI) matching against a larger set of fingerprint features (the DPI on the interface board checks only common features). Packets that match a feature are discarded; otherwise normal flow-establishment processing is performed for the packet (the user policy is looked up to obtain the processing action, and establishment of the flow table entry on the interface board is then initiated, carrying the processing action for the current flow).
The service board generates time-period-based traffic baseline thresholds (including a global threshold and thresholds for local use by the different interface boards) according to the statistics reported by the different distributed interface boards, monitors the real-time traffic conditions reported by each distributed interface board, generates a local threshold for each distributed interface board using different weights, and delivers it to that board for local attack identification. The service board performs global analysis on the anomaly events reported by the distributed interface boards and decides which actions to take (including dynamically adding/deleting blacklist entries, generating/deleting dynamic ACLs, etc.).
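The reporting loop of steps S1 and S2, as an added Python example that is not code from the patent: interface boards aggregate flow-table counters by the Table 1 templates and compare them with their local thresholds, and the service board keeps a per-hour baseline and derives weighted local thresholds from it. The EWMA baseline, the margin factor, using each board's baseline share as its weight, picking the most specific template for the dynamic ACL, and all class and function names are assumptions; the traffic is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Table 1 templates: the flow fields that form each aggregation key.
TEMPLATES = {
    1: ("dst_ip", "dst_port", "proto"),
    2: ("src_ip", "dst_port", "proto"),
    3: ("dst_port", "proto"),
    4: ("dst_ip", "proto"),
    5: ("src_ip", "proto"),
    6: ("proto",),
}

@dataclass(frozen=True)
class Flow:
    """One five-tuple flow table entry with its raw packet counter."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    packets: int                      # packets counted during the current interval

class InterfaceBoard:
    def __init__(self, name):
        self.name = name
        self.local_threshold = {}     # template id -> pps, delivered by the service board

    def scan(self, flows, interval_s):
        """Traverse the flow table; return (per-template peak pps, anomaly events)."""
        stats, events = {}, []
        for tid, fields in TEMPLATES.items():
            totals = defaultdict(int)
            for f in flows:           # accumulate flows that share the template key
                totals[tuple(getattr(f, n) for n in fields)] += f.packets
            rates = {k: v / interval_s for k, v in totals.items()}
            stats[tid] = max(rates.values(), default=0.0)
            limit = self.local_threshold.get(tid)
            for key, pps in rates.items():
                if limit is not None and pps > limit:
                    events.append({"board": self.name, "template": tid,
                                   "key": dict(zip(fields, key)), "pps": pps})
        return stats, events

class ServiceBoard:
    def __init__(self, alpha=0.5, margin=2.0):
        self.alpha, self.margin = alpha, margin
        self.baseline = {}            # (template, hour, board) -> EWMA of peak pps

    def learn(self, board, hour, stats, events):
        """Fold reported statistics into the baseline, skipping anomalous templates."""
        anomalous = {e["template"] for e in events}
        for tid, pps in stats.items():
            if tid in anomalous:
                continue              # do not let attack traffic raise the baseline
            key = (tid, hour, board)
            old = self.baseline.get(key)
            self.baseline[key] = pps if old is None else (1 - self.alpha) * old + self.alpha * pps

    def local_thresholds(self, hour):
        """Global threshold = margin * sum of baselines; local = global * board share."""
        total = defaultdict(float)
        for (tid, h, _), v in self.baseline.items():
            if h == hour:
                total[tid] += v
        out = defaultdict(dict)
        for (tid, h, board), v in self.baseline.items():
            if h == hour and total[tid] > 0:
                out[board][tid] = self.margin * total[tid] * v / total[tid]
        return dict(out)

    def decide(self, events):
        """Global judgment: build a dynamic ACL from the most specific template hit."""
        if not events:
            return None
        best = max(events, key=lambda e: len(e["key"]))
        return {"match": best["key"], "action": "rate-limit"}

def demo():
    """Constructed traffic: train on normal flows, then a 50-source flood seen on lc2."""
    hour, interval = 14, 10
    normal = {
        "lc1": [Flow("192.0.2.7", 51000, "203.0.113.20", 443, 6, 3000),
                Flow("192.0.2.8", 51001, "203.0.113.20", 443, 6, 1000)],
        "lc2": [Flow("192.0.2.9", 52000, "203.0.113.10", 80, 6, 500),
                Flow("192.0.2.10", 52001, "203.0.113.10", 80, 6, 500)],
    }
    boards = {n: InterfaceBoard(n) for n in normal}
    sb = ServiceBoard()
    for name, flows in normal.items():
        sb.learn(name, hour, *boards[name].scan(flows, interval))
    for name, limits in sb.local_thresholds(hour).items():
        boards[name].local_threshold = limits
    flood = [Flow(f"198.51.100.{i}", 40000 + i, "203.0.113.10", 80, 6, 40) for i in range(1, 51)]
    stats, events = boards["lc2"].scan(normal["lc2"] + flood, interval)
    sb.learn("lc2", hour, stats, events)
    return boards, sb, events, sb.decide(events)
```

In the constructed flood each source sends only 4 packets per second, so the source-keyed templates 2 and 5 stay quiet while the destination-keyed templates 1, 3, 4 and 6 all cross the local threshold.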
As shown in Fig. 2, the anti-DDoS architecture of the invention is divided into two levels. Outer-layer protection is handled separately by each interface board; each interface board may contain a local attack-defense module, which can handle application/illegal-feature identification and application-based (L3 to L7) pattern statistical analysis. Inner-layer protection is handled by the service board. There may be multiple service boards, which can share the traffic load among themselves and provide redundancy protection. The central attack-defense processing module on the service board can collect information from all interface boards on the device and perform global attack determination and management, including managing and dynamically delivering the baseline thresholds of the various attack templates. It acts as the centralized control center, and all analysis can be performed on an application (L3-L7) basis.
The main functions of outer-layer protection and inner-layer protection are as follows:
Outer-layer protection (distributed, L3~L7):
L3 processing: the black/white list table is looked up by source IP and destination IP to obtain black/white list information; a packet that belongs to the blacklist is discarded directly, and a packet that belongs to the whitelist undergoes no further security checks.
L4 processing: local filtering is performed according to the local dynamic ACL. A local dynamic ACL is produced after local attack identification (the corresponding local template threshold is exceeded); it can be generated by the local attack-defense module or delivered by the service board. The local dynamic ACL is deleted after the attack stops.
L5~L7 processing: packets are controlled according to the action in the flow table (actions include discard, pass, rate limit, modify scheduling priority, etc.); the flow table entry is delivered to the interface board after the service board has performed DPI identification on the first packet.
Signature (attack fingerprint) filtering: the local attack-defense module performs deep packet inspection (DPI), and the corresponding action (such as discard) is applied to packets that match a fingerprint feature.
Pattern-based statistical aggregation: the interface board traverses the flow table and performs statistical aggregation analysis for the different patterns on the raw statistics in the flow table. If an aggregated statistic exceeds the baseline threshold, a traffic anomaly has been detected; the statistics are sent up to the service board, which performs attack determination and policy lookup to decide the corresponding action, generates the corresponding dynamic black/white list entries and dynamic ACLs, and delivers them to the interface board.
Inner-layer protection (centralized control/load balancing, L3~L7):
L3 processing: 1. The black/white list policies are stored, and black/white list entries are delivered to the interface boards.
2. Source address detection/authentication is performed on suspicious IPs (a request packet of the corresponding protocol is sent to the source address to check whether it returns a response packet; if it does not, the IP is regarded as spoofed and the source address authentication result is a failure).
L4 processing: 1. The service board confirms from the pattern statistical analysis results whether an attack has been found. If an attack is confirmed, it generates a global dynamic ACL and delivers it to its own forwarding plane, and decomposes the dynamic ACL and delivers it to the interface boards to generate each board's local dynamic ACL, so as to control data packets. After confirming that the attack has stopped, the service board deletes the global dynamic ACL and the local dynamic ACLs of the relevant interface boards.
2. When an attack is found, strong protection measures are applied according to policy, i.e. traffic that establishes TCP connections is handled by a TCP proxy.
(TCP proxy function:
Establishing a TCP connection requires a three-way handshake: the initiator of the connection sends the peer a TCP packet that contains an initial sequence number and has the TCP SYN flag set. After receiving this packet, the receiver responds with a TCP packet that contains the receiver's own initial sequence number and has both the SYN and ACK flags set, indicating that it has received the SYN request and is in turn requesting a TCP connection to the sender. To complete the connection, the initiator must acknowledge the receiver's SYN packet, i.e. return a TCP packet with the ACK flag set. After the three-way handshake the TCP connection is established and data can be transmitted.
TCP proxy process: before a TCP request packet reaches the destination server, the router/attack-defense module, acting on behalf of the server, replies to the requester and carries out the three-way handshake with it. Only after that three-way handshake has completed does the router/attack-defense module establish a second connection with the server. Once that connection is complete, the router/attack-defense module merges the two connections into one by translating sequence numbers, so that data can be transmitted.)
L5~L7 processing: 1. DPI identification is performed on the first packet to distinguish the different application protocols and detect whether there is an attack, or to carry out related security processing, such as URL filtering for HTTP packets, state inspection of application protocols (an inconsistent state is regarded as illegal), and analysis of botnet-related protocols (such as chat protocols) to identify control commands sent by the botnet controller.
2. Signature (fingerprint) matching is performed on packets using DPI; packets with the corresponding features are identified and discarded.
Dynamic threshold management: time-period-based traffic baseline thresholds (including a global threshold and thresholds for local use by the different interface boards) are generated according to the different attack templates and the statistics reported by the interface boards. The baseline thresholds are continually adjusted according to long-term statistics. In addition, the real-time traffic conditions reported by each interface board can be monitored, and a local threshold is generated for each interface board using different weights and delivered to that board for local attack identification.
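The TCP proxy process described above under inner-layer L4 processing, as an added Python example that is not code from the patent: the proxy completes the handshake with the client first, only then opens the second connection to the server, and afterwards joins the two by translating sequence numbers. It assumes the proxy reuses the client's initial sequence number toward the server and that the proxy's own initial sequence number is supplied by the caller; all names and the sample exchange are constructed.

```python
from dataclasses import dataclass, replace

MOD = 1 << 32                         # TCP sequence numbers wrap at 2**32

@dataclass(frozen=True)
class Seg:
    flags: str                        # "S", "SA", "A" or "PA"
    seq: int
    ack: int = 0
    length: int = 0                   # payload bytes

class TcpProxy:
    """State for one proxied connection on the router/attack-defense module."""
    def __init__(self, proxy_isn):
        self.proxy_isn = proxy_isn    # ISN the proxy answers the client with
        self.client_isn = None
        self.delta = None             # server ISN minus proxy ISN, mod 2**32
        self.state = "LISTEN"

    def from_client(self, seg):
        """Return the (destination, segment) pairs to emit for a client segment."""
        if self.state == "LISTEN" and seg.flags == "S":
            self.client_isn, self.state = seg.seq, "SYN_RCVD"
            return [("client", Seg("SA", self.proxy_isn, (seg.seq + 1) % MOD))]
        if (self.state == "SYN_RCVD" and seg.flags == "A"
                and seg.ack == (self.proxy_isn + 1) % MOD):
            # First handshake done: only now is the server contacted. Reusing the
            # client's ISN means client-to-server sequence numbers need no rewriting.
            self.state = "SERVER_SYN_SENT"
            return [("server", Seg("S", self.client_isn))]
        if self.state == "SPLICED":
            # Client ACKs count in the proxy's sequence space: shift into the server's.
            return [("server", replace(seg, ack=(seg.ack + self.delta) % MOD))]
        return []                     # anything else is dropped, never forwarded

    def from_server(self, seg):
        """Return the (destination, segment) pairs to emit for a server segment."""
        if (self.state == "SERVER_SYN_SENT" and seg.flags == "SA"
                and seg.ack == (self.client_isn + 1) % MOD):
            self.delta = (seg.seq - self.proxy_isn) % MOD
            self.state = "SPLICED"
            return [("server", Seg("A", (self.client_isn + 1) % MOD, (seg.seq + 1) % MOD))]
        if self.state == "SPLICED":
            # Server sequence numbers are shifted back into the proxy's space.
            return [("client", replace(seg, seq=(seg.seq - self.delta) % MOD))]
        return []

def demo():
    """Constructed exchange; ISNs chosen so the translation crosses the 2**32 wrap."""
    c_isn, p_isn, s_isn = 1000, 0xFFFFFF00, 0x10
    p = TcpProxy(p_isn)
    trace = []
    trace += p.from_client(Seg("S", c_isn))
    trace += p.from_client(Seg("A", c_isn + 1, (p_isn + 1) % MOD))
    trace += p.from_server(Seg("SA", s_isn, c_isn + 1))
    trace += p.from_client(Seg("PA", c_isn + 1, (p_isn + 1) % MOD, 100))   # request
    trace += p.from_server(Seg("PA", s_isn + 1, c_isn + 101, 500))         # response
    trace += p.from_client(Seg("A", c_isn + 101, (p_isn + 1 + 500) % MOD))
    return trace

def spoofed_syn_reaches_server():
    """A SYN whose sender never completes the handshake must not reach the server."""
    p = TcpProxy(0x12345678)
    out = p.from_client(Seg("S", 42)) + p.from_client(Seg("A", 43, 999))   # wrong ACK
    return any(dest == "server" for dest, _ in out)

if __name__ == "__main__":
    for dest, seg in demo():
        print(dest, seg)
    print("spoofed SYN reached server:", spoofed_syn_reaches_server())
```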
The embodiment of the invention can achieve better attack detection and protection, especially against application-layer attacks.
As shown in Fig. 3, another embodiment of the invention further provides a device for defending against network attacks, comprising:
A distributed interface board, configured to perform local attack detection and filtering on the traffic of that board, to perform pattern-based statistical analysis based on layer 3 to layer 7 applications or content, and to report statistical information to a service board;
A service board, configured to perform global attack determination and management according to the statistical information reported by the distributed interface board.
As shown in Fig. 4, a device for defending against network attacks provided by another embodiment of the invention has the distributed interface board and service board shown in Fig. 3, wherein the distributed interface board specifically comprises:
A fingerprint filtering module, configured to perform fingerprint filtering based on deep packet inspection (DPI) and discard attack packets that contain illegal fingerprint features;
A blacklist table processing module, configured to look up the blacklist table by source IP address and by destination IP address respectively, and discard traffic of specific source or destination IP addresses;
A dynamic access control list processing module, configured to look up the dynamic access control list (ACL); a packet that hits the dynamic ACL belongs to attack traffic and is handled according to the action of the dynamic ACL;
A flow table processing module, configured to look up the five-tuple flow table and perform flow-based service action processing, and, if no flow table entry is found, to send the packet up to the service board, which performs first-packet analysis and policy lookup in order to establish the flow table entry.
Further, the flow table processing module is specifically configured to traverse all flow table entries and check for each entry whether pattern-based statistical analysis is to be run; if so, to accumulate and aggregate statistics according to the corresponding pattern and compare the calculated statistic with the stored baseline threshold for that pattern; and, when the threshold is exceeded, to regard the traffic as abnormal and report the statistic and the anomaly event to the service board.
As shown in Fig. 5, a device for defending against network attacks provided by another embodiment of the invention has the distributed interface board and service board shown in Fig. 3, wherein the service board specifically comprises:
A global processing module, configured to look up the dynamic access control list (ACL) of the service board to perform global filtering or rate limiting; traffic that passes undergoes deep packet inspection (DPI) matching against a larger set of fingerprint features, packets that match a feature are discarded, and otherwise normal flow-establishment processing is performed for the packet.
Further, the global processing module is specifically configured to generate time-period-based traffic baseline thresholds according to the statistics reported by the different distributed interface boards, monitor the real-time traffic conditions reported by each distributed interface board, generate a local threshold for each distributed interface board using different weights, and deliver it to that board for local attack identification; and is specifically configured to perform global analysis on the anomaly events reported by the distributed interface boards and decide which actions to take.
The embodiment of the invention can achieve better attack detection and protection, especially against application-layer attacks.
As shown in Fig. 6, another embodiment of the invention further provides a router, comprising:
A distributed interface board, configured to perform local attack detection and filtering on the traffic of that board, to perform pattern-based statistical analysis based on layer 3 to layer 7 applications or content, and to report statistical information to a service board;
A service board, configured to perform global attack determination and management according to the statistical information reported by the distributed interface board.
The embodiment of the invention can achieve better attack detection and protection, especially against application-layer attacks; because the solution is integrated into the router, all traffic can be processed and deployment requirements are fully met.
For details such as the specific signal processing and execution procedures between the parts of the above device, which are based on the same concept as the method embodiments of the invention, refer to the description of the method embodiments; they are not repeated here.
The above are merely preferred specific embodiments of the invention, but the protection scope of the invention is not limited thereto. Any variation or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the invention shall fall within the protection scope of the invention. Therefore, the protection scope of the invention shall be subject to the protection scope of the claims.
Claims (10)
1. A method for defending against network attacks, characterized by comprising:
A distributed interface board performs local attack detection and filtering on the traffic of that board, performs pattern-based statistical analysis based on layer 3 to layer 7 applications or content, and reports statistical information to a service board;
The service board performs global attack determination and management according to the statistical information reported by the distributed interface board.
2. The method according to claim 1, characterized in that the distributed interface board performing local attack detection and filtering on the traffic of that board, performing pattern-based statistical analysis based on layer 3 to layer 7 applications or content, and reporting statistical information to the service board specifically comprises:
The distributed interface board performs fingerprint filtering based on deep packet inspection (DPI) and discards attack packets that contain illegal fingerprint features;
The distributed interface board looks up the blacklist table by source IP address and by destination IP address respectively, and discards traffic of specific source or destination IP addresses;
The distributed interface board looks up the dynamic access control list (ACL); a packet that hits the dynamic ACL belongs to attack traffic and is handled according to the action of the dynamic ACL;
The distributed interface board performs flow-based processing, which includes looking up the five-tuple flow table and handling the packet according to the service action in the flow table; if no flow table entry is found, the packet is sent up to the service board, which performs first-packet analysis and policy lookup in order to establish the flow table entry.
3. The method according to claim 1, characterized in that the service board performing global attack determination and management according to the statistical information reported by the distributed interface board specifically comprises:
The service board looks up the dynamic access control list (ACL) of the service board to perform global filtering or rate limiting; traffic that passes undergoes deep packet inspection (DPI) matching against a larger set of fingerprint features, packets that match a feature are discarded, and otherwise normal flow-establishment processing is performed for the packet.
4. The method according to claim 2, characterized in that the flow-based processing performed by the distributed interface board further specifically comprises:
All flow table entries are traversed, and each entry is checked to see whether pattern-based statistical analysis is to be run; if so, statistics are accumulated and aggregated according to the corresponding pattern, and the calculated statistic is compared with the stored baseline threshold for that pattern; when the threshold is exceeded, the traffic is regarded as abnormal and the statistic and the anomaly event are reported to the service board.
5. The method according to claim 4, characterized in that the service board performing global attack determination and management according to the statistical information reported by the interface board specifically comprises:
The service board generates time-period-based traffic baseline thresholds according to the statistics reported by the different distributed interface boards, monitors the real-time traffic conditions reported by each distributed interface board, generates a local threshold for each distributed interface board using different weights, and delivers it to that board for local attack identification; the service board performs global analysis on the anomaly events reported by the distributed interface boards and decides which actions to take.
6. A device for defending against network attacks, characterized by comprising:
A distributed interface board, configured to perform local attack detection and filtering on the traffic of that board, to perform pattern-based statistical analysis based on layer 3 to layer 7 applications or content, and to report statistical information to a service board;
A service board, configured to perform global attack determination and management according to the statistical information reported by the distributed interface board.
7. The device according to claim 6, characterized in that the distributed interface board specifically comprises:
A fingerprint filtering module, configured to perform fingerprint filtering based on deep packet inspection (DPI) and discard attack packets that contain illegal fingerprint features;
A blacklist table processing module, configured to look up the blacklist table by source IP address and by destination IP address respectively, and discard traffic of specific source or destination IP addresses;
A dynamic access control list processing module, configured to look up the dynamic access control list (ACL); a packet that hits the dynamic ACL belongs to attack traffic and is handled according to the action of the dynamic ACL;
A flow table processing module, configured to look up the five-tuple flow table and perform flow-based service action processing, and, if no flow table entry is found, to send the packet up to the service board, which performs first-packet analysis and policy lookup in order to establish the flow table entry.
8. The device according to claim 6, characterized in that the service board specifically comprises:
A global processing module, configured to look up the dynamic access control list (ACL) of the service board to perform global filtering or rate limiting; traffic that passes undergoes deep packet inspection (DPI) matching against a larger set of fingerprint features, packets that match a feature are discarded, and otherwise normal flow-establishment processing is performed for the packet.
9. The device according to claim 7, characterized in that the flow table processing module is specifically configured to traverse all flow table entries and check for each entry whether pattern-based statistical analysis is to be run; if so, to accumulate and aggregate statistics according to the corresponding pattern and compare the calculated statistic with the stored baseline threshold for that pattern; and, when the threshold is exceeded, to regard the traffic as abnormal and report the statistic and the anomaly event to the service board.
10. A router, characterized by comprising:
A distributed interface board, configured to perform local attack detection and filtering on the traffic of that board, to perform pattern-based statistical analysis based on layer 3 to layer 7 applications or content, and to report statistical information to a service board;
Business board is used for carrying out according to the statistical information that described distributed interface plate reports the attack judgement and the management of the overall situation.
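The threshold loop of claims 5 and 9, as an added Python example that is not part of the patent: the business board derives a time-slot baseline and weighted local thresholds, each interface board scans its flow table against its threshold, and the business board correlates the reported anomalies. The claims do not fix the formulas, so the margin factor, the weighting by traffic share, the `(dst, dport)` pattern key, the `min_boards` rule and the action names are all assumptions, and the data is constructed.

```python
from collections import defaultdict

# Constructed sample data (not from the patent): bytes per board for one time slot
# on three earlier days, and each board's current flow table.
REPORTS = {"board1": {"20:00": [400, 420, 380]}, "board2": {"20:00": [100, 90, 110]}}
FLOWS = {
    "board1": [
        {"dst": "203.0.113.10", "dport": 80, "bytes": 350, "analyze": True},
        {"dst": "203.0.113.10", "dport": 80, "bytes": 300, "analyze": True},
        {"dst": "203.0.113.20", "dport": 53, "bytes": 50, "analyze": True},
        {"dst": "203.0.113.10", "dport": 80, "bytes": 900, "analyze": False},
    ],
    "board2": [
        {"dst": "203.0.113.10", "dport": 80, "bytes": 200, "analyze": True},
        {"dst": "203.0.113.30", "dport": 443, "bytes": 160, "analyze": True},
    ],
}

def baseline_for_slot(reports, slot, margin=1.5):
    """Business board: time-slot baseline from the statistics all boards reported.
    Assumption: baseline = margin * sum of per-board historical means."""
    per_board = {b: sum(s[slot]) / len(s[slot]) for b, s in reports.items()}
    return margin * sum(per_board.values()), per_board

def local_thresholds(baseline, per_board):
    """Business board: weight the baseline by each board's share of traffic."""
    total = sum(per_board.values())
    return {b: baseline * v / total for b, v in per_board.items()}

def scan_flow_table(flow_table, threshold):
    """Interface board: traverse entries, aggregate those flagged for pattern
    statistics per (dst, dport), and return the aggregates above the threshold."""
    agg = defaultdict(int)
    for entry in flow_table:
        if entry["analyze"]:
            agg[(entry["dst"], entry["dport"])] += entry["bytes"]
    return [{"key": k, "bytes": v} for k, v in sorted(agg.items()) if v > threshold]

def global_verdict(events_by_board, min_boards=2):
    """Business board: correlate anomaly events; a pattern seen on several boards
    is rate-limited, a single-board anomaly is only monitored (assumed policy)."""
    seen = defaultdict(set)
    for board, events in events_by_board.items():
        for ev in events:
            seen[ev["key"]].add(board)
    return {k: "rate-limit" if len(b) >= min_boards else "monitor"
            for k, b in seen.items()}

def run_demo(slot="20:00"):
    baseline, per_board = baseline_for_slot(REPORTS, slot)
    thresholds = local_thresholds(baseline, per_board)
    events = {b: scan_flow_table(FLOWS[b], thresholds[b]) for b in FLOWS}
    return thresholds, events, global_verdict(events)

if __name__ == "__main__":
    print(run_demo())
```

Flow entries not flagged for pattern analysis never reach the aggregate, which is why the 900-byte flow on `board1` does not change the result.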
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010512375.8A CN102143143B (en) | 2010-10-15 | 2010-10-15 | Method and device for defending network attack, and router |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102143143A true CN102143143A (en) | 2011-08-03 |
CN102143143B CN102143143B (en) | 2014-11-05 |
Family
ID=44410368
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201010512375.8A Expired - Fee Related CN102143143B (en) | 2010-10-15 | 2010-10-15 | Method and device for defending network attack, and router |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102143143B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050039104A1 (en) * | 2003-08-14 | 2005-02-17 | Pritam Shah | Detecting network denial of service attacks |
CN1859178A (en) * | 2005-11-07 | 2006-11-08 | 华为技术有限公司 | Network safety control method and system |
CN101141458A (en) * | 2007-10-12 | 2008-03-12 | 网经科技(苏州)有限公司 | Network data pipelining type analysis process method |
CN101277302A (en) * | 2008-05-06 | 2008-10-01 | 华为技术有限公司 | Apparatus and method for safety centralized protection of distributed network equipment |
Also Published As
Publication number | Publication date |
---|---|
CN102143143B (en) | 2014-11-05 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C53 | Correction of patent of invention or patent application | ||
CB02 | Change of applicant information | Address after: 100085 Beijing, Haidian District on the road, No. 3 Applicant after: Beijing Huawei Digital Technology Co.,Ltd. Address before: 100085 Beijing, Haidian District on the road, No. 3 Applicant before: Huawei Digit Technology Co., Ltd. |
COR | Change of bibliographic data | Free format text: CORRECT: APPLICANT; FROM: HUAWEI DIGIT TECHNOLOGY CO., LTD. TO: BEIJING HUAWEI DIGITAL TECHNOLOGY CO., LTD. |
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20141105 Termination date: 20191015 |