CN102195843B - Flow control system and method - Google Patents

Publication number: CN102195843B
Application number: CN201010116760.0A
Authority: CN (China)
Prior art keywords: flow, abnormal flow, abnormal, cleaning equipment, mark
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN102195843A (en)
Inventors: 何申, 陈敏时, 黄璐, 韩小勇, 刘利军, 李连源, 魏冰
Current assignee: China Mobile Communications Group Co Ltd
Original assignee: China Mobile Communications Group Co Ltd
Priority date: 2010-03-02
Filing date: 2010-03-02
Publication date: 2014-06-11
Classification (landscape): Data Exchanges In Wide-Area Networks (AREA)
Abstract

The invention provides a flow control system and method. The system provided by the invention comprises flow marking equipment, a shunting router and cleaning equipment, wherein the flow marking equipment identifies abnormal flow from the current flow and marks the abnormal flow; the shunting router routes the marked abnormal flow to the cleaning equipment; and the cleaning equipment cleans the abnormal flow. According to the invention, the abnormal flow can be cleaned, and the resource pressure of the cleaning equipment can be reduced.

Description

Flow control system and method
Technical field
The present invention relates to the field of communication technology, and in particular to a flow control system and method.
Background technology
In a communication system, in addition to normal service traffic there may also be abnormal flow such as malicious attack traffic, and how to control abnormal flow is a problem that all kinds of communication systems face.
At present there are mainly two schemes for abnormal flow control; see Figs. 1 and 2.
Fig. 1 is a structure chart of the first existing abnormal flow control system.
As shown in Fig. 1, this first abnormal flow control system comprises detection equipment (DFI or DPI) 101, router 102 and cleaning equipment 103.
The detection equipment is deployed in bypass, outside the traffic path, and discovers abnormal flow by optical splitting or port mirroring; it then notifies the cleaning equipment out of band to divert all traffic of the attacked device, and the cleaning equipment cleans all traffic of the attacked device.
There are three methods by which the cleaning equipment diverts all traffic of the attacked device. Method one: the cleaning equipment establishes a BGP neighbor relationship and advertises a host route, so that the router recalculates its routing table entries and changes the original forwarding path, making all traffic of the attacked device flow into the cleaning equipment. Method two: the detection equipment or the cleaning equipment changes the policy route of the router to which the cleaning equipment is attached, so that all traffic of the attacked device flows into the cleaning equipment according to that policy. Method three: the detection equipment or the cleaning equipment changes the policy route of the router to which the cleaning equipment is attached, so that all traffic of the attacked device enters a blackhole route and is discarded.
Fig. 2 is a structure chart of the second existing abnormal flow control system.
As shown in Fig. 2, this second abnormal flow control system comprises router 201, cleaning equipment 202 and management server 203.
Cleaning equipment 202 is connected between router 201 and management server 203; that is, cleaning equipment 202 is deployed inline on the traffic path, all traffic passes through cleaning equipment 202, cleaning equipment 202 detects abnormal flow among all current traffic, and it performs full-packet cleaning of the abnormal flow according to the strategy in management server 203.
From the above schemes it can be seen that the first abnormal flow control system has to clean all traffic of the attacked device. On the one hand, this makes the normal traffic of the attacked device consume the cleaning resources of the cleaning equipment and increases the resource pressure on it; on the other hand, because the system identifies all traffic of the attacked device by destination address, and the destination address is unchanged after cleaning, the cleaning equipment at every level that the abnormal flow passes through will clean it again, which leads to secondary or even repeated cleaning.
In the second abnormal flow control system, all traffic passes through the detection equipment and the cleaning equipment, which delays normal traffic and affects service quality.
Summary of the invention
In view of this, the object of the embodiments of the present invention is to provide a flow control system and method that clean abnormal flow while reducing the resource pressure on the cleaning equipment.
To achieve the above object, the technical scheme of the embodiments of the present invention is realized as follows:
A flow control system, comprising flow marking equipment, a shunting router and cleaning equipment;
the flow marking equipment identifies abnormal flow from the current flow and marks this abnormal flow;
the shunting router routes the marked abnormal flow to the cleaning equipment;
the cleaning equipment cleans the abnormal flow.
A flow control method, comprising:
identifying abnormal flow from the current flow and marking this abnormal flow;
routing the marked abnormal flow to the cleaning equipment;
the cleaning equipment cleaning the abnormal flow.
As can be seen from the above technical scheme, the present invention identifies abnormal flow from the current flow, marks it, and routes only the marked abnormal flow to the cleaning equipment, so that abnormal flow is cleaned while the resource pressure on the cleaning equipment is reduced.
Brief description of the drawings
Fig. 1 is a structure chart of the first existing abnormal flow control system.
Fig. 2 is a structure chart of the second existing abnormal flow control system.
Fig. 3 is a structure chart of the first flow control system provided by the invention.
Fig. 4 is a structure chart of the second flow control system provided by the invention.
Fig. 5 is a flow chart of the abnormal flow cleaning method provided by the invention.
Embodiment
To make the object, technical scheme and advantages of the present invention clearer, the present invention is described in more detail below with reference to the accompanying drawings and embodiments.
Fig. 3 is a structure chart of the first flow control system provided by the invention.
As shown in Fig. 3, the first flow control system provided by the invention comprises flow marking equipment 301, shunting router 302 and cleaning equipment 303.
Flow marking equipment 301 identifies abnormal flow from the current flow and marks this abnormal flow.
Shunting router 302 routes the marked abnormal flow to cleaning equipment 303.
Cleaning equipment 303 cleans the abnormal flow.
Usually, after cleaning equipment 303 has cleaned the abnormal flow, it deletes the flow mark carried by the cleaned flow and returns the flow to shunting router 302, and shunting router 302 routes the cleaned flow as normal flow.
Flow marking equipment 301 may preset flow baselines based on features such as application and/or IP address and/or port. It first identifies the application protocol, IP address or port of the current flow, and then, when the current flow exceeds the corresponding flow baseline, judges the current flow to be abnormal flow.
Flow marking equipment 301 may set an identification field in the packets of the abnormal flow to identify them as abnormal flow packets; correspondingly, shunting router 302 identifies the abnormal flow within the current flow by recognizing that identification field.
The identification field may be at any position in the packet other than the application data, and is generally the TOS field or the DSCP field.
Marking abnormal flow by setting an identification field, and identifying it by recognizing that field, avoids full-packet analysis of the abnormal flow and saves the computing resources of shunting router 302.
Flow marking equipment 301 may further, according to the degree to which the current flow exceeds the flow baseline, that is, according to the scale of the abnormal flow and the capability of the cleaning equipment, set different marks that identify which cleaning equipment is to clean this abnormal flow; correspondingly, after cleaning equipment 303 has cleaned the abnormal flow, it changes the mark that identifies this abnormal flow.
By grading abnormal flow and changing the abnormal flow mark after cleaning, multi-level cleaning can be realized. For example, abnormal flow is divided into small-scale, general-scale and large-scale. Small-scale abnormal flow can be cleaned entirely by the less capable access-layer cleaning equipment, and a corresponding mark is set in the packets of this small-scale abnormal flow to indicate cleaning by the access-layer cleaning equipment. Large-scale abnormal flow needs to be cleaned jointly by the backbone-layer cleaning equipment, the metropolitan-area-layer cleaning equipment and the access-layer cleaning equipment: the first part of this large-scale abnormal flow is given a first mark indicating cleaning by the backbone-layer cleaning equipment, the second part is given a second mark indicating cleaning by the metropolitan-area-layer cleaning equipment, and the remainder is given a third mark indicating cleaning by the access-layer cleaning equipment, where flow belonging to the same link is always cleaned by the same cleaning equipment.
Graded cleaning of abnormal flow in this way improves the efficiency of abnormal flow cleaning.
When abnormal flow is cleaned in grades, three levels are usually adopted, namely the backbone level, the provincial or metropolitan-area level, and the access level. The relation between the number of mark bits and the number of cleaning levels is:
2^i - 1 = j, where i is the number of mark bits and j is the maximum number of levels that can be deployed.
Taking the TOS reserved bits as an example, using i = 2 TOS reserved bits supports at most three cleaning levels. When the reserved bits are 00, the flow is not to be cleaned or has already been cleaned; 11 indicates level-1 cleaning, 10 indicates level-2 cleaning, and 01 indicates level-3 cleaning.
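The TOS reserved-bit encoding and the 2^i - 1 = j capacity relation above, worked through in an added Python example that is not part of the patent: it builds a constructed 20-byte IPv4 header, writes a cleaning level into the two low-order TOS bits the way the marking equipment would, lets a shunting router classify the packet from that single header byte, and lets the cleaning equipment reset the mark to 00, recomputing the IPv4 header checksum at every step so the marked packet stays valid on the wire. Addresses and header contents are constructed; the bit patterns 00/11/10/01 follow the page. One caveat the page does not state: the two bits RFC 791 left reserved in the TOS byte were reassigned to ECN by RFC 3168, so a deployment marking there has to be coordinated with any ECN use on the same path.

```python
import struct

MARK_BITS = 2                       # i in the page's relation 2^i - 1 = j
MARK_MASK = (1 << MARK_BITS) - 1    # 0b11: the two low-order bits of the TOS byte

# Bit patterns as given on the page: 00 none/cleaned, 11 level 1, 10 level 2, 01 level 3
LEVEL_TO_BITS = {0: 0b00, 1: 0b11, 2: 0b10, 3: 0b01}
BITS_TO_LEVEL = {bits: level for level, bits in LEVEL_TO_BITS.items()}


def max_levels(mark_bits: int) -> int:
    """Page relation 2^i - 1 = j: the number of cleaning levels i mark bits can express."""
    return (1 << mark_bits) - 1


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _with_checksum(header: bytes) -> bytes:
    """Zero the checksum field (bytes 10-11), recompute it, and write it back."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


def build_ipv4_header(src: str, dst: str, tos: int = 0, payload_len: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header without options (TTL 64, protocol 17 = UDP)."""
    src_b = bytes(int(p) for p in src.split("."))
    dst_b = bytes(int(p) for p in dst.split("."))
    raw = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, tos, 20 + payload_len,
                      0, 0, 64, 17, 0, src_b, dst_b)
    return _with_checksum(raw)


def header_valid(header: bytes) -> bool:
    """True when the header is 20 bytes and its checksum verifies."""
    return len(header) == 20 and ipv4_checksum(header) == 0


def set_mark(header: bytes, level: int) -> bytes:
    """Marking equipment: write the level's bit pattern into the TOS reserved bits,
    leaving the precedence/DTR bits and the rest of the packet untouched."""
    if level not in LEVEL_TO_BITS:
        raise ValueError("level %d exceeds the %d levels that %d bits can express"
                         % (level, max_levels(MARK_BITS), MARK_BITS))
    tos = (header[1] & ~MARK_MASK & 0xFF) | LEVEL_TO_BITS[level]
    return _with_checksum(header[:1] + bytes([tos]) + header[2:])


def read_mark(header: bytes) -> int:
    """Shunting router: classify from one header byte, without touching the payload."""
    return BITS_TO_LEVEL[header[1] & MARK_MASK]


def clear_mark(header: bytes) -> bytes:
    """Cleaning equipment: reset the mark to 00 so the packet is routed as normal flow."""
    return set_mark(header, 0)


if __name__ == "__main__":
    hdr = build_ipv4_header("203.0.113.10", "198.51.100.80", tos=0b10100000, payload_len=100)
    marked = set_mark(hdr, 2)
    print("mark read by router:", read_mark(marked), "checksum ok:", header_valid(marked))
    print("after cleaning:", read_mark(clear_mark(marked)), "header restored:", clear_mark(marked) == hdr)
```

Because only the TOS byte and the checksum change, the shunting router needs nothing beyond the first two bytes of the IP header to make its decision, which is exactly the saving over full-packet inspection that the description claims; the ValueError on a fourth level is the 2^i - 1 limit showing up in code.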
Flow marking equipment 301 has a module for identifying flow baselines, which can analyze the traffic characteristics of a data stream without having to identify its concrete content; a module for identifying application protocols, which can use packet analysis technology to analyze only the first packet of a data stream and determine from application protocol features which application protocol the stream uses; and a module for marking packets, where the mark may be placed at any position in the packet other than the application data and is usually set in the TOS field or the DSCP field.
The function of shunting router 302 is to split off the marked abnormal flow: it separates normal flow from abnormal flow within all current traffic according to the mark. Because the abnormal flow mark is usually placed in a header field, shunting router 302 usually has a module that recognizes packet header fields and separates the abnormal flow by recognizing that header field.
Shunting router 302 may also route abnormal flow to the corresponding cleaning equipment according to its mark; for example, marked large-scale abnormal flow is routed to the first cleaning equipment, marked general-scale abnormal flow to the second cleaning equipment, and marked small-scale abnormal flow to the third cleaning equipment.
In addition, shunting router 302 may have a module that changes a specified mark on traffic entering through a particular port; for example, the cleaned flow sent back by the first cleaning equipment is marked as normal. Preferably, the module that changes the abnormal flow mark is located in the cleaning equipment, which changes the mark accordingly after cleaning the abnormal flow, so as to simplify the structure of shunting router 302.
Cleaning equipment 303 may apply multiple cleaning strategies to clean abnormal flow, for example any one or a combination of the following:
blacklist, whitelist, source address existence judgement, denial-of-service attack judgement, connection proxy, attack signature identification, or packet content filtering. These are all prior art and are not repeated here.
Fig. 4 is a structure chart of the second flow control system provided by the invention.
The second flow control system shown in Fig. 4 further comprises management equipment 404 on the basis of the first flow control system shown in Fig. 3.
Management equipment 404 is connected to flow marking equipment 301 and cleaning equipment 303; flow marking equipment 301 identifies and marks abnormal flow according to the management strategy in management equipment 404, and cleaning equipment 303 cleans abnormal flow according to the cleaning strategy in management equipment 404.
Abnormal flow marking equipment 301 and cleaning equipment 303 may also report their marking status and cleaning status, respectively, to management equipment 404.
It can be seen that by providing management equipment 404, the marking and cleaning of abnormal flow can be managed in a unified way, and reports can be generated from the marking status and cleaning status reported by abnormal flow marking equipment 301 and cleaning equipment 303, which facilitates subsequent management and improvement of the cleaning strategy.
In Fig. 4, communication between abnormal flow marking equipment 301 and management equipment 404, and between cleaning equipment 303 and management equipment 404, usually uses an out-of-band method. Abnormal flow marking equipment 301 and shunting router 302 are generally one hop apart; if the IP header is used to mark the abnormal flow, the distance between shunting router 302 and abnormal flow marking equipment 301 may be greater than one hop, but it is limited by any device that encapsulates the marked abnormal flow IP packets on the way, such as a VPN starting point or a QoS control device.
Fig. 5 is a flow chart of the abnormal flow cleaning method provided by the invention.
As shown in Fig. 5, the method comprises:
Step 501: the traffic to be detected enters the abnormal flow marking equipment (DPI).
Step 502: the DPI equipment performs traffic identification on the traffic to be detected; if identification succeeds, go to step 503, otherwise go to step 504.
Step 503: the DPI equipment performs a baseline judgement on the traffic to be detected; if the baseline is exceeded, go to step 505, otherwise go to step 507.
Step 504: discard or mark the traffic to be detected.
Step 505: the DPI equipment judges whether the traffic needing cleaning exceeds the network-wide cleaning capacity; if so, discard it, otherwise go to step 506.
Step 506: the DPI equipment marks the traffic according to policy and then forwards it normally; go to step 508.
Step 507: forward the traffic normally.
Step 508: the shunting router performs a mark judgement; if the mark hits, go to step 509, otherwise go to step 510.
A mark hit in this step means that, according to the mark, the traffic is determined to be delivered to the corresponding cleaning equipment.
Step 509: the cleaning equipment judges whether the traffic is abnormal according to the mark; if judged abnormal, discard it, otherwise go to step 510.
Step 510: the cleaning equipment or the shunting router resets the mark so that the traffic is treated as normal flow.
Step 511: the shunting router forwards the packets whose mark has been reset normally.
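Steps 501 to 511 above, combined with the graded routing of Fig. 3 (backbone-layer, metropolitan-area-layer and access-layer cleaning equipment), as an added simulation in Python that is not part of the patent. The baselines, the network-wide cleaning capacity, the scale thresholds used for grading, the cleaner names and the blacklist used as the cleaning strategy are all constructed assumptions; at step 504 unidentified traffic is marked rather than discarded, which the page leaves as a choice. Each packet records the steps it passed through, so the paths taken by normal, marked-and-cleaned and dropped traffic can be checked.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int]   # (application protocol, destination IP, destination port)

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    app: str           # application protocol found by DPI; "" when identification failed
    size: int          # bytes
    mark: int = 0      # 0 = normal or already cleaned; 1..3 = cleaning level
    trail: List[str] = field(default_factory=list)   # Fig. 5 steps this packet went through

# Constructed flow baselines in bytes per measurement window (assumption).
BASELINES: Dict[FlowKey, int] = {
    ("dns", "10.0.0.53", 53): 50_000,
    ("http", "10.0.0.80", 80): 500_000,
}
NETWORK_CLEANING_CAPACITY = 5_000_000                           # step 505 limit (assumption)
CLEANER_FOR_LEVEL = {1: "backbone", 2: "metro", 3: "access"}   # graded cleaners (names assumed)
BLACKLIST = {"198.51.100.7"}                                    # blacklist strategy (constructed)

def grade(observed: int, baseline: int) -> int:
    """Map how far the window exceeds its baseline to a cleaning level (thresholds assumed)."""
    ratio = observed / baseline
    if ratio >= 10:
        return 1       # large-scale: backbone-layer cleaning equipment
    if ratio >= 3:
        return 2       # general scale: metropolitan-area-layer cleaning equipment
    return 3           # small-scale: access-layer cleaning equipment

class MarkingDevice:
    """Steps 501-507: identify the flow, compare with its baseline, check capacity, mark."""
    def __init__(self) -> None:
        self.window: Dict[FlowKey, int] = {}

    def process(self, p: Packet) -> bool:
        """Return False when the packet is discarded, True when it is forwarded."""
        key = (p.app, p.dst, p.dport)
        if key not in BASELINES:                  # step 502 failed -> step 504
            p.mark = 3                            # policy choice: mark for access-level cleaning
            p.trail.append("504:mark")
            return True
        self.window[key] = self.window.get(key, 0) + p.size
        observed = self.window[key]
        if observed <= BASELINES[key]:            # step 503 within baseline -> step 507
            p.trail.append("507")
            return True
        if observed > NETWORK_CLEANING_CAPACITY:  # step 505: beyond network-wide capacity
            p.trail.append("505:drop")
            return False
        p.mark = grade(observed, BASELINES[key])  # step 506: mark according to policy
        p.trail.append("506:mark=%d" % p.mark)
        return True

class CleaningDevice:
    """Steps 509-510: discard what the cleaning strategy rejects, otherwise reset the mark."""
    def __init__(self, name: str) -> None:
        self.name = name

    def clean(self, p: Packet) -> bool:
        if p.src in BLACKLIST:
            p.trail.append("509:%s:drop" % self.name)
            return False
        p.mark = 0
        p.trail.append("510:%s:cleared" % self.name)
        return True

class ShuntingRouter:
    """Step 508: decide from the mark alone; a hit hands the packet to the matching cleaner."""
    def __init__(self, cleaners: Dict[int, CleaningDevice]) -> None:
        self.cleaners = cleaners

    def route(self, p: Packet) -> bool:
        if p.mark in self.cleaners:
            p.trail.append("508:hit")
            if not self.cleaners[p.mark].clean(p):
                return False
        else:
            p.trail.append("508:miss")
        p.trail.append("511:forward")
        return True

def run(packets: List[Packet]) -> List[Packet]:
    """Push packets through marking equipment and shunting router; return those delivered."""
    marker = MarkingDevice()
    router = ShuntingRouter({lvl: CleaningDevice(n) for lvl, n in CLEANER_FOR_LEVEL.items()})
    return [p for p in packets if marker.process(p) and router.route(p)]

def sample_packets() -> List[Packet]:
    """Constructed traffic: one DNS destination ramping from normal load to beyond capacity."""
    return [
        Packet("203.0.113.1", "10.0.0.53", 53, "dns", 10_000),      # within baseline
        Packet("203.0.113.1", "10.0.0.53", 53, "dns", 45_000),      # small excess -> level 3
        Packet("198.51.100.7", "10.0.0.53", 53, "dns", 400_000),    # blacklisted source
        Packet("203.0.113.2", "10.0.0.53", 53, "dns", 100_000),     # large excess -> level 1
        Packet("203.0.113.3", "10.0.0.9", 9999, "", 1_000),         # unidentified -> step 504
        Packet("203.0.113.1", "10.0.0.53", 53, "dns", 5_000_000),   # beyond capacity -> step 505
    ]
```

Running `run(sample_packets())` delivers four of the six packets: traffic within baseline never touches a cleaner (508 miss), traffic over baseline is handed to the cleaner matching its grade and leaves with mark 0, the blacklisted source is dropped by the cleaner at step 509, and the window that outgrows the network-wide capacity is dropped at step 505 before any cleaner is involved. Note that the shunting router only ever consults `p.mark`, mirroring the description's point that no full-packet analysis happens there.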
As can be seen from the above technical scheme, the present invention has the following advantages:
In detection efficiency, one full-packet inspection of the packets is avoided, and the improvement in network performance is more pronounced the larger the number of packets in the flow.
In traffic scheduling, this scheme schedules traffic accurately, avoids secondary diversion, reduces deployment complexity and improves detection efficiency.
In capacity expansion, if new cleaning equipment needs to be added to the system, or the cleaning capacity of the cleaning equipment changed, only the abnormal flow marking module in the detection equipment needs to be changed; the change to the system is small, so smooth expansion of the system is achieved, and when a performance bottleneck occurs, capacity is expanded by adding equipment and controlling the marks, avoiding cutover.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. A flow control system, characterized in that the system comprises flow marking equipment, a shunting router and cleaning equipment;
the flow marking equipment identifies abnormal flow from the current flow and marks this abnormal flow;
the shunting router routes the marked abnormal flow to the cleaning equipment;
the cleaning equipment cleans the abnormal flow;
wherein the flow marking equipment, according to the scale of the abnormal flow and the capability of the cleaning equipment, sets different marks in the packets of this abnormal flow to identify the cleaning equipment that is to clean this abnormal flow;
the shunting router routes the abnormal flow to the corresponding cleaning equipment according to the mark of the abnormal flow;
the cleaning equipment cleans the abnormal flow and changes the mark of the cleaned abnormal flow.
2. The system according to claim 1, characterized in that
the flow marking equipment presets a flow baseline and, when the current flow exceeds this flow baseline, identifies the current flow as abnormal flow.
3. The system according to claim 2, characterized in that the flow baseline is preset according to one or two of the application protocol, IP address and port of the flow;
the flow marking equipment identifies the application protocol, IP address or port of the current flow and, according to the currently set flow baseline, identifies whether the current flow is abnormal flow.
4. The system according to claim 1, characterized in that
the flow marking equipment sets an identification field in the packets of the abnormal flow to identify these packets as abnormal flow packets;
the shunting router identifies the abnormal flow from the current flow by recognizing the identification field.
5. The system according to claim 1, characterized in that the system further comprises management equipment, the management equipment being connected to the flow marking equipment and the cleaning equipment,
the flow marking equipment identifies and marks abnormal flow according to the management strategy in the management equipment;
the cleaning equipment cleans abnormal flow according to the cleaning strategy in the management equipment.
6. A flow control method, characterized in that the method comprises:
identifying abnormal flow from the current flow and marking this abnormal flow;
routing the marked abnormal flow to cleaning equipment;
the cleaning equipment cleaning the abnormal flow;
wherein, according to the scale of the abnormal flow and the capability of the cleaning equipment, different marks are set in the packets of this abnormal flow to identify the cleaning equipment that is to clean this abnormal flow;
a shunting router routes the abnormal flow to the corresponding cleaning equipment according to the mark of the abnormal flow;
the cleaning equipment cleans the abnormal flow and changes the mark of the cleaned abnormal flow.
7. The method according to claim 6, characterized in that identifying abnormal flow from the current flow comprises:
presetting a flow baseline and, when the current flow exceeds this flow baseline, identifying the current flow as abnormal flow.
8. The method according to claim 7, characterized in that
the flow baseline is preset according to one or two of the application protocol, IP address and port of the flow; the application protocol, IP address or port of the current flow is identified, and whether the current flow is abnormal flow is identified according to the currently set flow baseline.
9. The method according to claim 6, characterized in that marking this abnormal flow comprises:
setting an identification field in the packets of the abnormal flow to identify these packets as abnormal flow packets.
10. The method according to claim 9, characterized in that setting the identification field comprises:
setting the TOS field or setting the DSCP field;
and identifying abnormal flow from the current flow comprises:
identifying abnormal flow from the current flow by recognizing the identification field.
Priority application: CN201010116760.0A, priority date 2010-03-02, filing date 2010-03-02, "Flow control system and method", status Active

Publications (2)

CN102195843A (en), published 2011-09-21
CN102195843B (en), published 2014-06-11

Family ID: 44603260
Country status: CN (1) CN102195843B (en)
Legal Events (code: description)

C06: Publication
PB01: Publication
C10: Entry into substantive examination
SE01: Entry into force of request for substantive examination
C14: Grant of patent or utility model
GR01: Patent grant