CN102143143B - Method and device for defending network attack, and router - Google Patents

Method and device for defending network attack, and router Download PDF

Info

Publication number
CN102143143B
CN102143143B CN201010512375.8A CN201010512375A CN102143143B CN 102143143 B CN102143143 B CN 102143143B CN 201010512375 A CN201010512375 A CN 201010512375A CN 102143143 B CN102143143 B CN 102143143B
Authority
CN
China
Prior art keywords
attack
business board
interface plate
message
distributed interface
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201010512375.8A
Other languages
Chinese (zh)
Other versions
CN102143143A (en
Inventor
滕新东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Digital Technologies Chengdu Co Ltd
Beijing Huawei Digital Technologies Co Ltd
Huawei Digital Technologies Co Ltd
Original Assignee
Beijing Huawei Digital Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Huawei Digital Technologies Co Ltd filed Critical Beijing Huawei Digital Technologies Co Ltd
Priority to CN201010512375.8A priority Critical patent/CN102143143B/en
Publication of CN102143143A publication Critical patent/CN102143143A/en
Application granted granted Critical
Publication of CN102143143B publication Critical patent/CN102143143B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention discloses a method and device for defending network attack, and a router. The method comprises the steps of: carrying out local attack detection and filtration on flow of a distributed port board by the distributed port board, carrying out mode statistic analysis based on three- to seven-layer application or content and reporting statistic information for a service board; and carrying out global attack judgment and management on the statistic information reported by the distributed port board by the service board. Therefore, attack detection and defense effects, especially attack to an application layer, can be better achieved.

Description

A kind of means of defence, device and router of network attack
Technical field
The present invention relates to communication technical field, relate in particular to a kind of means of defence, device and router of network attack.
Background technology
Along with the various application of network are enriched constantly, network security becomes more and more urgent demand, because assailant adopts more senior technological means and more advanced equipment, make that attack is more hidden and attacking ability is stronger, traditional firewall equipment has been difficult to meet the demands gradually.In recent years, for the attack of application layer (as game) agreement, utilize that Botnet carries out ddos attack, super-flow is attacked (send super-flow and occupy network and server bandwidth) becomes the principal mode of attack, and traditional firewall is due to analysis ability and treatability the subject of knowledge and the object of knowledge limit, can not play good protection effect to this type of attack.
Can take precautions against preferably this type of large-scale attack by router integrated fire proof wall and anti-DDoS characteristic, and can reduce investment outlay and maintenance cost, be a good selection.Router comprises the device types such as customer service gateway and business router, accesses edge, data center's entrance in individual/enterprise customer, or for connecting metropolitan area, backbone network, and different internetworking, can process all flows that pass through.Because the disposal ability of router is very strong, can carry out multi-level flow control and management, and all processing procedures are based on completing at linear flow rate, therefore carry out ddos attack defence by router and possess better real-time and validity.Current many router device manufacturer at its Realization of Product anti-DDoS function, mainly by a service board that possesses fire compartment wall/anti-ddos attack ability, the traffic redirect that forwards veneer by router is carried out to attack detecting and cleaning to this service board, and the flow that completes processing forwards again.
Realizing in process of the present invention, inventor finds that in prior art, at least there are the following problems: because service board also exists the restriction of disposal ability, can not meet the flow of multiple forwarding veneers is processed, be difficult to carry out comprehensive arrangement in network, therefore can not really meet customer requirement.The method of carrying out pattern statistical analysis identification ddos attack flow in prior art, also there are a lot of defects in its analytic statistics amount, can not find more accurately the attack of application-specific or content.
Summary of the invention
Embodiments of the invention provide a kind of means of defence, device and router of network attack, to reach better the attack of attack detecting and protection effect, particularly application layer.
The means of defence of a kind of network attack that the embodiment of the present invention provides, comprising:
Distributed interface plate carries out local attack detection and filtration to this plate current amount, carries out based on three to seven layers of application or the pattern statistical analysis of content and to business plate report statistical information;
The statistical information that business board reports according to described distributed interface plate is carried out overall attack judgement and management.
The protector of a kind of network attack that the embodiment of the present invention provides, comprising:
Distributed interface plate, for this plate current amount is carried out to local attack detection and filtration, carries out based on three to seven layers of application or the pattern statistical analysis of content and to business plate report statistical information;
Business board, carries out overall attack judgement and management for the statistical information reporting according to described distributed interface plate.
A kind of router that the embodiment of the present invention provides, comprising:
Distributed interface plate, for this plate current amount is carried out to local attack detection and filtration, carries out based on three to seven layers of application or the pattern statistical analysis of content and to business plate report statistical information;
Business board, carries out overall attack judgement and management for the statistical information reporting according to described distributed interface plate.
The beneficial effect that embodiment of the present invention technical scheme is brought: reach better the attack of attack detecting and protection effect, particularly application layer, adopt router integrated, can process all flows, fully meet arrangement requirement.
Brief description of the drawings
In order to be illustrated more clearly in the technical scheme of the embodiment of the present invention, below the accompanying drawing of required use during embodiment is described is briefly described, apparently, accompanying drawing in the following describes is only some embodiments of the present invention, for those of ordinary skill in the art, do not paying under the prerequisite of creative work, can also obtain according to these accompanying drawings other accompanying drawing.
The flow chart of the means of defence of a kind of network attack that Fig. 1 provides for one embodiment of the invention;
The schematic diagram of a kind of distributed two-stage attack protection framework that Fig. 2 provides for one embodiment of the invention;
Fig. 3 provides a kind of schematic diagram of protector of network attack for one embodiment of the invention;
Fig. 4 provides a kind of schematic diagram of protector of network attack for one embodiment of the invention;
Fig. 5 provides a kind of schematic diagram of protector of network attack for one embodiment of the invention;
Fig. 6 provides a kind of schematic diagram of router for one embodiment of the invention.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, the technical scheme in the embodiment of the present invention is clearly and completely described, obviously, described embodiment is only the present invention's part embodiment, instead of whole embodiment.Based on the embodiment in the present invention, those of ordinary skill in the art, not making the every other embodiment obtaining under creative work prerequisite, belong to the scope of protection of the invention.
As shown in Figure 1, the means of defence of the network attack that the embodiment of the present invention provides, comprise: distributed interface plate carries out local attack detection and filtration to this plate current amount, carry out based on three to seven layers of application or the pattern statistical analysis of content and to business plate report statistical information; The statistical information that business board reports according to described distributed interface plate is carried out overall attack judgement and management.Thereby can reach better the attack of attack detecting and protection effect, particularly application layer.
For ease of the understanding to the embodiment of the present invention, below by the embodiment of the present invention, the implementation procedure in concrete application process is elaborated.
The means of defence of the network attack that the embodiment of the present invention provides, comprising:
S1, distributed interface plate carry out local attack detection and filtration to this plate current amount, carry out based on three to seven layers of application or the pattern statistical analysis of content and to business plate report statistical information;
This step specifically comprises:
Distributed interface plate detects DPI based on deep message and carries out fingerprint filtration, and discarded packets is containing the attack message of illegal fingerprint feature;
Distributed interface plate with source IP address, object IP address search blacklist table, abandons the flow of particular source or object IP address respectively;
Distributed interface plate is searched dynamic ACL ACL, and the message that hits dynamic ACL belongs to attack traffic, by processing according to the action of dynamic ACL ACL (abandon or speed limit etc.);
Described distributed interface plate carries out the processing based on stream, comprises and searches five-tuple stream table, processes according to the business action of stream table, does not exist if look into stream table, message up sending is carried out to first packet analysis and search strategy to set up stream table to described business board.
And distributed interface plate carries out the processing based on stream, specifically also comprise:
All stream table list items are traveled through, and whether each list item inspection is wanted to operation mode statistical analysis (so-called pattern statistics: the raw statistical data of preserving a stream in stream table, comprise quantity, packet byte quantity, specific protocol or message bag quantity (as TCP syn/fin/RST bag quantity, DNS request message bag quantity, HTTP request message bag quantity etc.), user configures the template strategy that need to carry out pattern analysis, template type is taking message five-tuple as basis, also can comprise VPN ID, user ID etc., be including but not limited to shown in table 1:
Template 1: object IP+ destination interface
+ protocol number
Template 2: source IP+ destination interface+
Protocol number
Template 3: destination interface+protocol number
Template 4: object IP+ protocol number
Template 5: source IP+ protocol number
Template 6: protocol number
Table 1
The implication of pattern statistical analysis refers to according to the primary statistics value in actual stream table, according to setting up aggregated flow with cope match-plate pattern, wherein preserve the stream of all same alike results statistical value add up and carry out various calculating (as calculate packet rate, connect sum etc.), then check whether result of calculation exceeds corresponding threshold value;
Such as template 1, the statistical value of many streams with identical object IP, destination interface, protocol number is added up, and whether computation rate exceed the threshold value preparing in advance, exceed threshold value and think abnormal generation.),
If, the polymerization processing of adding up according to corresponding modes, and the corresponding statistic calculating (as the bag Mean Speed) baseline threshold corresponding with the pattern of preserving contrasted, while exceeding threshold value, think and report described statistic and anomalous event to business board by Traffic Anomaly.
The statistical information that S2, business board report according to distributed interface plate is carried out overall attack judgement and management.
Concrete, the dynamic ACL ACL that business board is searched business board carries out overall situation filtration or speed limit, the flow passing through carries out deep message and detects the more fingerprint characteristic of DPI matched and searched (DPI of interface board only does the inspection of common feature), the message of matching characteristic is dropped, otherwise the stream processing of building of carrying out normal message (is searched subscriber policy and is obtained processing action, then initiate to set up the stream table of interface board, wherein carry the processing action of current stream).
The statistic that business board reports according to the described distributed interface plate of difference, generate the flow baseline threshold (comprising the threshold value of the local use of overall threshold value and distinct interface plate) based on the time period, monitor the real-time condition of the flow that each described distributed interface plate reports, and be issued to each distributed interface plate to carry out local attack identification by the local threshold value that different weights generate each distributed interface plate; The anomalous event that described business board reports according to described distributed interface plate is carried out overall analysis, and the action processing carried out of judgement (comprise dynamically and add/delete blacklist, generation/delete dynamic ACL etc.).
As shown in Figure 2, anti-ddos attack framework of the present invention is divided into two levels: outer protection is processed respectively by each interface board, each interface board can comprise the local module of an attack protection, the local module of each attack protection, can process application/illegal feature identification, pattern statistical analysis based on applying (L3 to L7 layer); Internal layer protection is processed by business board; can there is polylith in business board; between polylith business board, can carry out flow load sharing processing and carry out redundancy protecting; attack protection central processing module on business board can be collected the information on total interface plate on equipment; can carry out overall attack judgement and management; comprise the baseline threshold management of various attack template and dynamically issue, belong to centralized control centre, all analyses can be carried out based on application (L3-L7).
The major function of outer protection and internal layer protection comprises:
Outer protection (distributed, L3~L7):
L3 processes: look into black and white lists table based on source IP and object IP, obtain black and white lists information, belong to direct dropping packets of blacklist, belong to white list and no longer this message is done to safety inspection.
L4 processes: according to this locality, dynamic ACL carries out local filter, (exceeding local corresponding template threshold value) generation after local dynamically ACL is identified by local attack, can be produced or be issued generation by business board by the local module of attack protection, after attack stops, local dynamically ACL deletes.
L5~L7 processes: according to stream table, (action comprise abandon, pass through, current limliting, amendment dispatching priority etc.) controlled in action, and stream table carries out DPI identification by business board according to first packet and is issued to interface board afterwards.
Condition code (attack fingerprint) is filtered: carry out message deep layer by the local module of attack protection and detect DPI, the message that matches corresponding fingerprint characteristic carries out corresponding actions (as abandoning).
Statistics and convergence based on pattern: interface board ergodic flow table, carry out statistics and convergence analysis according to the raw statistical data in stream table based on different mode, after polymerization, find that statistic exceedes baseline threshold, Traffic Anomaly detected, attack judgement and search strategy with clear and definite corresponding actions by delivering to business board in statistics, and generate corresponding dynamically black and white lists table and dynamically ACL be issued to interface board.
Internal layer protection (centralized control/load balancing, L3~L7)
L3 processes: 1. preserve black and white lists strategy, issue black and white lists list item to interface board.
2. suspicious IP is carried out to source address detection/certification (request message that sends respective protocol checks to source address whether it returns to response message, if do not returned, thinks to palm off IP, and source address authentication result is not for passing through).
L4: 1. business board is confirmed whether to find attack according to pattern statistic analysis result, attack if confirmed, generate the overall situation forwarding plane that dynamically ACL is issued to this plate so that data message is controlled, and decompose dynamic ACL and be issued to interface board and generate the dynamic ACL in this locality of this interface board.Business board is confirming to delete after attack stops the dynamic ACL in this locality of the dynamic ACL of the overall situation and corresponding interface board.
2. find to carry out strong safeguard measure according to strategy while attack, act on behalf of (TCP proxy) by TCP and process setting up the flow of TCP.
(TCP proxy function:
A TCP establishment of connection needs three-way handshake process: the promoter of connection sends the packet of a TCP to the other side, and this packet comprises an initial sequence number, and the SYN flag bit set of TCP; After recipient receives this packet, should respond a tcp data bag, and comprised therein recipient's oneself initial sequence number, and these two flag bits set simultaneously of SYN, ACK, show to receive the request of SYN and asked TCP to connect to sender simultaneously.The sender who connects connects in order to complete this, must reply recipient's SYN bag, returns to the tcp data bag of an ACK set.Through three-way handshake process, TCP connection is successfully established, and can transmit data.
TCP proxy process: before a TCP request bag arrives destination server, router/attack protection module representative server is replied and partly carried out three-way handshake to requesting party.And only have after three-way handshake completes, router/attack protection module just can set up second connection with server, and after having connected, router/attack protection module is by being merged into one to transmit data to the conversion of sequence number by two connections.)
L5~L7 processes: 1. first packet is carried out to DPI identification, distinguish the whether attack or carry out associated safety processing of different application protocol detection, as http protocol message carried out to url filtering, application protocol is carried out to state-detection, and (state is inconsistent thinks illegal, Botnet related protocol (as chat agreement) is analyzed and recognized control command that whether corpse effector sends etc.
2. by DPI technology, message is carried out to condition code (fingerprint) coupling, recognize the message that possesses individual features and abandon.
Dynamic threshold management: attack the statistics that template and interface board report according to difference, generate the flow baseline threshold (comprising the threshold value of the local use of overall threshold value and distinct interface plate) based on the time period, baseline threshold is constantly adjusted according to long-term statistics, can monitor in addition the real-time condition of the flow that each interface board reports, and be issued to interface board to carry out local attack identification by the local threshold value that different weights generate each interface board.
The embodiment of the present invention can reach the attack of attack detecting and protection effect, particularly application layer better.
As shown in Figure 3, another embodiment of the present invention also provides a kind of protector of network attack, comprising:
Distributed interface plate, for this plate current amount is carried out to local attack detection and filtration, carries out based on three to seven layers of application or the pattern statistical analysis of content and to business plate report statistical information;
Business board, carries out overall attack judgement and management for the statistical information reporting according to described distributed interface plate.
As shown in Figure 4, the protector of a kind of network attack that another embodiment of the present invention provides, has distributed interface plate and the business board shown in Fig. 3, and wherein, distributed interface plate specifically comprises:
Fingerprint filtering module, carries out fingerprint filtration for detecting DPI based on deep message, and discarded packets is containing the attack message of illegal fingerprint feature;
Blacklist table handing module,, abandons the flow of particular source or object IP address with source IP address, object IP address search blacklist table for respectively;
Dynamic ACL processing module, for searching dynamic ACL ACL, the message that hits dynamic ACL belongs to attack traffic, will process according to the action of dynamic ACL ACL;
Stream table handing module, for searching five-tuple stream table, carries out processing based on the business action of stream, and if do not exist for looking into stream table, message up sending is carried out to first packet analysis and search strategy to set up stream table to described business board.
Further, described stream table handing module, specifically for all stream table list items are traveled through, and whether each list item inspection is wanted to operation mode statistical analysis, if so, the polymerization processing of adding up according to corresponding modes, and the corresponding statistic baseline threshold corresponding with the pattern of preservation calculating contrasted, while exceeding threshold value, think and report described statistic and anomalous event to business board by Traffic Anomaly.
As shown in Figure 5, the protector of a kind of network attack that another embodiment of the present invention provides, has distributed interface plate and the business board shown in Fig. 3, and wherein, business board specifically comprises:
Global treatment module, carry out overall situation filtration or speed limit for searching the dynamic ACL ACL of described business board, the flow passing through carries out deep message and detects the more fingerprint characteristic of DPI matched and searched, and the message of matching characteristic is dropped, and flows processing otherwise carry out building of normal message.
Further, described Global treatment module, specifically for the statistic reporting according to the described distributed interface plate of difference, generate the flow baseline threshold based on the time period, monitor the real-time condition of the flow that each described distributed interface plate reports, and be issued to each distributed interface plate to carry out local attack identification by the local threshold value that different weights generate each distributed interface plate; And carry out overall analysis specifically for the anomalous event reporting according to described distributed interface plate, and judge the action processing of carrying out.
The embodiment of the present invention can reach the attack of attack detecting and protection effect, particularly application layer better.
As shown in Figure 6, another embodiment of the present invention also provides a kind of router, comprising:
Distributed interface plate, for this plate current amount is carried out to local attack detection and filtration, carries out based on three to seven layers of application or the pattern statistical analysis of content and to business plate report statistical information;
Business board, carries out overall attack judgement and management for the statistical information reporting according to described distributed interface plate.
The embodiment of the present invention can reach the attack of attack detecting and protection effect, particularly application layer better, adopts router integrated, can process all flows, fully meets arrangement requirement.
The concrete content such as signal processing, implementation between the each part of said apparatus, due to the inventive method embodiment based on same conception, can, referring to the narration of the inventive method embodiment, repeat no more herein.
The above; only for preferably embodiment of the present invention, but protection scope of the present invention is not limited to this, is anyly familiar with in technical scope that those skilled in the art disclose in the present invention; the variation that can expect easily or replacement, within all should being encompassed in protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion with the protection range of claim.

Claims (5)

1. a means of defence for network attack, is characterized in that, comprising:
Distributed interface plate carries out local attack detection and filtration to this plate current amount, carries out based on three to seven layers of application or the pattern statistical analysis of content and to business plate report statistical information;
The statistical information that business board reports according to described distributed interface plate is carried out overall attack judgement and management;
Wherein, described distributed interface plate and described business board are arranged in same protector, described distributed interface plate is carried out distributed treatment, described business board is carried out centralized control processing, belong to centralized control centre, and described business board comprises polylith, between polylith business board, can carry out flow load sharing processing and carry out redundancy protecting;
Described distributed interface plate carries out local attack detection and filtration to this plate current amount, carries out the pattern statistical analysis based on three to seven layers of application or content and specifically comprises to business plate report statistical information:
Described distributed interface plate detects DPI based on deep message and carries out fingerprint filtration, and discarded packets is containing the attack message of illegal fingerprint feature;
Described distributed interface plate with source IP address, object IP address search blacklist table, abandons the flow of particular source or object IP address respectively;
Described distributed interface plate is searched dynamic ACL ACL, and the message that hits dynamic ACL belongs to attack traffic, will process according to the action of dynamic ACL ACL;
Described distributed interface plate carries out the processing based on stream, comprise and search five-tuple stream table, process according to the business action of stream table, if the five-tuple stream table of whole foundation does not exist or in the time that five-tuple stream table exists, but in this five-tuple stream table, there is not the stream list item that this message is corresponding, message up sending is carried out to first packet analysis and search strategy to set up stream table to described business board;
The statistical information that described business board reports according to described distributed interface plate is carried out overall attack judgement and management and is specifically comprised:
The dynamic ACL ACL that described business board is searched described business board carries out overall situation filtration or speed limit, the flow passing through carries out deep message and detects the more fingerprint characteristic of DPI matched and searched, the message of matching characteristic is dropped, and flows processing otherwise carry out building of normal message.
2. method according to claim 1, is characterized in that, described distributed interface plate carries out the processing based on stream, specifically also comprises:
All stream table list items are traveled through, and whether each list item inspection is wanted to operation mode statistical analysis, if, the polymerization processing of adding up according to corresponding modes, and the corresponding statistic baseline threshold corresponding with the pattern of preservation calculating contrasted, while exceeding threshold value, think and report described statistic and anomalous event to business board by Traffic Anomaly.
3. method according to claim 2, is characterized in that, the statistical information that described business board reports according to described interface board is carried out overall attack judgement and management and specifically comprised:
The statistic that described business board reports according to the described distributed interface plate of difference, generate the flow baseline threshold based on the time period, monitor the real-time condition of the flow that each described distributed interface plate reports, and be issued to each distributed interface plate to carry out local attack identification by the local threshold value that different weights generate each distributed interface plate; The anomalous event that described business board reports according to described distributed interface plate is carried out overall analysis, and judges the action processing of carrying out.
4. a protector for network attack, is characterized in that, comprising:
Distributed interface plate, for this plate current amount is carried out to local attack detection and filtration, carries out based on three to seven layers of application or the pattern statistical analysis of content and to business plate report statistical information, and described distributed interface plate is carried out distributed treatment;
Business board, carry out overall attack judgement and management for the statistical information reporting according to described distributed interface plate, described business board is carried out centralized control processing, belong to centralized control centre, and described business board comprises polylith, between polylith business board, can carry out flow load sharing processing and carry out redundancy protecting, described business board specifically comprises: Global treatment module, carry out overall situation filtration or speed limit for searching the dynamic ACL ACL of described business board, the flow passing through carries out deep message and detects the more fingerprint characteristic of DPI matched and searched, the message of matching characteristic is dropped, otherwise the stream of building that carries out normal message is processed, described distributed interface plate specifically comprises:
Fingerprint filtering module, carries out fingerprint filtration for detecting DPI based on deep message, and discarded packets is containing the attack message of illegal fingerprint feature;
Blacklist table handing module,, abandons the flow of particular source or object IP address with source IP address, object IP address search blacklist table for respectively;
Dynamic ACL processing module, for searching dynamic ACL ACL, the message that hits dynamic ACL belongs to attack traffic, will process according to the action of dynamic ACL ACL;
Stream table handing module, be used for searching five-tuple stream table, the business action of carrying out based on stream is processed, if and do not existed or in the time that five-tuple stream table exists for the five-tuple stream table of whole foundation, but in this five-tuple stream table, there is not the stream list item that this message is corresponding, message up sending is carried out to first packet analysis and search strategy to set up stream table to described business board.
5. protector according to claim 4, it is characterized in that, described stream table handing module, specifically for all stream table list items are traveled through, and whether each list item inspection is wanted to operation mode statistical analysis, if, the polymerization processing of adding up according to corresponding modes, and the corresponding statistic baseline threshold corresponding with the pattern of preservation calculating contrasted, while exceeding threshold value, think and report described statistic and anomalous event to business board by Traffic Anomaly.
CN201010512375.8A 2010-10-15 2010-10-15 Method and device for defending network attack, and router Expired - Fee Related CN102143143B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010512375.8A CN102143143B (en) 2010-10-15 2010-10-15 Method and device for defending network attack, and router

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010512375.8A CN102143143B (en) 2010-10-15 2010-10-15 Method and device for defending network attack, and router

Publications (2)

Publication Number Publication Date
CN102143143A CN102143143A (en) 2011-08-03
CN102143143B true CN102143143B (en) 2014-11-05

Family

ID=44410368

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010512375.8A Expired - Fee Related CN102143143B (en) 2010-10-15 2010-10-15 Method and device for defending network attack, and router

Country Status (1)

Country Link
CN (1) CN102143143B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016201780A1 (en) * 2015-06-15 2016-12-22 中兴通讯股份有限公司 Gateway management method and apparatus

Families Citing this family (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103067192B (en) * 2011-10-20 2016-03-16 北京天行网安信息技术有限责任公司 A kind of analytical system of network traffics and method
CN103561001A (en) * 2013-10-21 2014-02-05 华为技术有限公司 Safety protection method and routing device
CN103685306A (en) * 2013-12-20 2014-03-26 汉柏科技有限公司 Method and device for integrating network safety equipment
CN105450582B (en) * 2014-06-24 2019-10-18 华为技术有限公司 Method for processing business, terminal, server and system
CN104283882B (en) * 2014-10-11 2018-01-12 武汉烽火网络有限责任公司 A kind of intelligent safety protection method of router
CN104486157A (en) * 2014-12-16 2015-04-01 国家电网公司 Information system performance detecting method based on deep packet analysis
CN104468636A (en) * 2015-01-09 2015-03-25 李忠 SDN structure for DDoS threatening filtering and link reallocating and working method
CN106161333B (en) 2015-03-24 2021-01-15 华为技术有限公司 SDN-based DDOS attack protection method, device and system
CN105207997B (en) * 2015-08-19 2018-11-09 北京星网锐捷网络技术有限公司 A kind of message forwarding method and system of attack protection
CN106559395B (en) * 2015-09-29 2019-12-03 北京东土军悦科技有限公司 A kind of data message detection method and device based on industrial network
CN106817340B (en) 2015-11-27 2020-05-08 阿里巴巴集团控股有限公司 Early warning decision method, node and subsystem
CN105897609B (en) * 2016-04-01 2019-04-09 浙江宇视科技有限公司 A kind of method and apparatus for supervising data stream transmitting
CN106230781A (en) * 2016-07-18 2016-12-14 杭州迪普科技有限公司 The method and device preventing network attack of sing on web authentication techniques
CN106411934B (en) * 2016-11-15 2017-11-21 平安科技(深圳)有限公司 DoS/DDoS attack detection methods and device
CN107508840B (en) * 2017-09-29 2020-01-07 烽火通信科技股份有限公司 DNS Proxy-based method for monitoring DNS domain name attack
CN109962898B (en) * 2017-12-26 2022-04-01 安天科技集团股份有限公司 Detection method and device for botnet control node
CN110213214B (en) * 2018-06-06 2021-08-31 腾讯科技(深圳)有限公司 Attack protection method, system, device and storage medium
CN109561109A (en) * 2019-01-16 2019-04-02 新华三技术有限公司 A kind of message processing method and device
CN112769740B (en) * 2019-11-06 2023-11-03 中盈优创资讯科技有限公司 Method and system for analyzing network traffic of metropolitan area network
CN110933111B (en) * 2019-12-18 2022-04-26 北京浩瀚深度信息技术股份有限公司 DDoS attack identification method and device based on DPI
CN114465742B (en) * 2020-11-10 2023-05-02 华为技术有限公司 Network security protection method and protection equipment
CN112583850B (en) * 2020-12-27 2023-02-24 杭州迪普科技股份有限公司 Network attack protection method, device and system
CN114978563B (en) * 2021-02-26 2024-05-24 中国移动通信集团广东有限公司 Method and device for blocking IP address
CN115017502A (en) * 2021-03-03 2022-09-06 华为技术有限公司 Flow processing method and protection system
CN113422783A (en) * 2021-07-09 2021-09-21 深圳市高德信通信股份有限公司 Network attack protection method
CN113626736B (en) * 2021-08-10 2023-11-17 迈普通信技术股份有限公司 URL feature learning method, device, electronic equipment and computer readable storage medium
CN114024768A (en) * 2021-12-01 2022-02-08 北京天融信网络安全技术有限公司 Security protection method and device based on DDoS attack
CN114490473B (en) * 2021-12-07 2024-05-03 深圳市三旺通信股份有限公司 Edge computing gateway IO interface system and IO interface calling method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1859178A (en) * 2005-11-07 2006-11-08 华为技术有限公司 Network safety control method and system
CN101141458A (en) * 2007-10-12 2008-03-12 网经科技(苏州)有限公司 Network data pipelining type analysis process method
CN101277302A (en) * 2008-05-06 2008-10-01 华为技术有限公司 Apparatus and method for safety centralized protection of distributed network equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7266754B2 (en) * 2003-08-14 2007-09-04 Cisco Technology, Inc. Detecting network denial of service attacks

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1859178A (en) * 2005-11-07 2006-11-08 华为技术有限公司 Network safety control method and system
CN101141458A (en) * 2007-10-12 2008-03-12 网经科技(苏州)有限公司 Network data pipelining type analysis process method
CN101277302A (en) * 2008-05-06 2008-10-01 华为技术有限公司 Apparatus and method for safety centralized protection of distributed network equipment

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016201780A1 (en) * 2015-06-15 2016-12-22 中兴通讯股份有限公司 Gateway management method and apparatus

Also Published As

Publication number Publication date
CN102143143A (en) 2011-08-03

Similar Documents

Publication Publication Date Title
CN102143143B (en) Method and device for defending network attack, and router
KR101231975B1 (en) Method of defending a spoofing attack using a blocking server
Gupta et al. An ISP level solution to combat DDoS attacks using combined statistical based approach
Gao et al. A dos resilient flow-level intrusion detection approach for high-speed networks
CN102271068A (en) Method for detecting DOS/DDOS (denial of service/distributed denial of service) attack
CN102014116A (en) Protecting against distributed network flood attacks
CN103036733A (en) Unconventional network access behavior monitoring system and monitoring method
CN109327426A (en) A kind of firewall attack defense method
Foroushani et al. TDFA: traceback-based defense against DDoS flooding attacks
Bhuyan et al. Low-rate and high-rate distributed dos attack detection using partial rank correlation
Guo et al. A distributed collaborative entrance Defense framework against DDoS attacks on satellite internet
Wan et al. Engineering of a global defense infrastructure for DDoS attacks
Cheng et al. Detecting and mitigating a sophisticated interest flooding attack in NDN from the network-wide view
Singh et al. Performance analysis of agent based distributed defense mechanisms against DDOS attacks
CN100380336C (en) Protecting against malicious traffic
CN102075535A (en) Distributed denial-of-service attack filter method and system for application layer
WO2005026872A2 (en) Internal lan perimeter security appliance composed of a pci card and complementary software
Dressler et al. Attack detection using cooperating autonomous detection systems (CATS)
US20060225141A1 (en) Unauthorized access searching method and device
Hynek et al. Evaluating bad hosts using adaptive blacklist filter
Park et al. An effective defense mechanism against DoS/DDoS attacks in flow-based routers
Kumarasamy et al. An Efficient Detection Mechanism for Distributed Denial of Service (DDoS) Attack
Pande et al. Prevention mechanism on DDOS attacks by using multilevel filtering of distributed firewalls
Singh et al. Comparative study of various distributed intrusion detection systems for WLAN
CN1838607A (en) High-speed detection and control mechanism for preventing network DoS attack

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent for invention or patent application
CB02 Change of applicant information

Address after: 100085 Beijing, Haidian District on the road, No. 3

Applicant after: Beijing Huawei Digital Technology Co.,Ltd.

Address before: 100085 Beijing, Haidian District on the road, No. 3

Applicant before: Huawei Digit Technology Co., Ltd.

COR Change of bibliographic data

Free format text: CORRECT: APPLICANT; FROM: HUAWEI DIGIT TECHNOLOGY CO., LTD. TO: BEIJING HUAWEI DIGITAL TECHNOLOGY CO., LTD.

C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20141105

Termination date: 20191015

CF01 Termination of patent right due to non-payment of annual fee