CN102594834A - Method and device for defending network attack and network equipment - Google Patents

Method and device for defending network attack and network equipment

Publication number: CN102594834A (granted version: CN102594834B)
Authority: CN (China)
Application number: CN2012100624171A (priority application CN201210062417.1A)
Legal status: Granted (active)
Inventor: 赖鹏飞
Assignee (original and current): Beijing Star Net Ruijie Networks Co Ltd
Other languages: Chinese (zh)
Prior art keywords: attack, isolation, message, port, module

Abstract

The invention discloses a method and a device for defending against network attacks, and a network device. The method comprises the following steps: after the network device detects a network attack, acquiring the source address information and the type information of the attack message; judging whether the port that received the attack message is a preset attack isolation point; if the port is an attack isolation point, binding the acquired source address information and type information of the attack message to that port; otherwise, constructing an isolation message comprising the acquired source address information and type information of the attack message, and sending the constructed isolation message to the network device connected to that port. By this method the attack message can be filtered at the port preset as the attack isolation point, so that redundant attack messages in the network are reduced, and the prior-art problems of network bandwidth being wasted and network device processing resources being occupied by large numbers of attack messages forwarded through the network are solved.

Description

Network attack defense method and device and network equipment
Technical Field
The present invention relates to data communication systems, and in particular, to a method and an apparatus for defending against network attacks, and a network device.
Background
Currently, in large networks, access control security functions are typically deployed on the access switches to protect against network attacks. In the network shown in fig. 1, for example, the access switches (SW1 among them) connect to personal computers (PCs) such as PC1 through their ports, the access switches connect upward to aggregation switches, the aggregation switches connect to the core switches, and the core layer connects to the Internet. The access switches can only control user access by means of the users' Internet Protocol (IP) and Media Access Control (MAC) addresses.
At present, although a network attack initiated by an illegal user can be defended against by controlling the identity of the user, this method cannot defend against an attack initiated by a user with a legal identity: a PC with a legitimate IP + MAC address may itself initiate an illegal network attack, either intentionally by the user or automatically by a virus after the PC has been infected. For example, as shown in fig. 1, PC1 attacks core switch SW7 using a legitimate IP + MAC: the attack message is sent from PC1 to port1 of SW1, SW1 sends the attack message via port5 to port1 of SW3, SW3 sends it via port3 to port2 of SW8, and SW8 sends it via port4 to port1 of SW7. The prior art has two methods for dealing with a network attack initiated by a legitimate user, described in detail below.
The first method is to configure a basic network protection policy (NFPP) on the switch SW7 to defend against network attacks initiated by legitimate users; the policy can rate-limit attack messages and isolate attacking users. However, this method only limits the rate of the attack packets, and the attack packets still exist in the network, which greatly wastes network bandwidth. In fig. 1, for example, SW7 is the core switch, with a large number of users connected downstream. If there are many attacks, a lot of hardware resources are wasted isolating the attacking users; if the attacker is the router, each attack packet is sent to the CPU of SW7, which must spend SW7's software resources deciding whether to filter the attack source, which greatly occupies those resources and reduces the CPU performance available for normal services. Even once the attack on SW7 caused by the packets has been isolated, the stream of attack packets still exists in the network, which greatly wastes network bandwidth.
The second method is that the attacked device sends alarm information to the network administrator, the administrator searches for the switch where the attacker is actually located, and the attack source is then filtered either by manually binding a filtering table entry on that switch, or by having a symmetric multi-processor (SMP) server send a blocking policy to the switch to filter the attack message. However, this method requires manual work to locate the attack source, and the process is time-consuming, labor-intensive and inefficient.
In summary, the prior art leaves unsolved the problems of attacks initiated by legitimate users, large numbers of attack packets being forwarded in the network, network bandwidth resources being wasted, and network device system processing resources being occupied.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method for defending against network attacks, so as to solve the problems in the prior art that attacks initiated by legitimate users, a large amount of forwarded attack packets exist in a network, network bandwidth resources are wasted, and processing resources of a network device system are occupied.
Correspondingly, the embodiment of the invention also provides a defense device for network attack and network equipment.
The technical scheme of the embodiment of the invention is as follows:
a method for defending against cyber attacks, comprising: after the network equipment monitors that the network is attacked, the source address information and the type information of the attack message are obtained; judging whether the port receiving the attack message is a preset attack isolation point or not; under the condition that the port is judged to be an attack isolation point, the source address information and the type information of the obtained attack message are bound on the port; and under the condition that the port is judged not to be an attack isolation point, constructing an isolation message comprising the source address information and the type information of the acquired attack message, and sending the constructed isolation message to the network equipment connected with the port.
A defense apparatus against cyber attacks, comprising: the acquisition module is used for acquiring source address information and type information of the attack message after the network equipment is monitored to be attacked; the first judging module is used for judging whether the port receiving the attack message is preset as an attack isolation point or not; a binding module, configured to bind, when the first determining module determines that the port is an attack isolation point, the source address information and the type information of the attack packet acquired by the acquiring module to the port; the constructing module is used for constructing the isolation message comprising the source address information and the type information of the attack message acquired by the acquiring module under the condition that the first judging module judges that the port is not the attack isolation point; and the sending module is used for sending the isolation message constructed by the construction module to the network equipment connected with the port.
A method for defending against cyber attacks, comprising: after receiving the isolation message, the network device judges whether a port of the network device receiving the attack message indicated in the isolation message is a preset attack isolation point or not according to the address information of the attack message source in the isolation message; under the condition that the port is judged to be an attack isolation point, binding attack message source address information and type information in the isolation message on the port; and under the condition that the port is judged not to be an attack isolation point, sending the received isolation message to the network equipment connected with the port.
A defense apparatus against cyber attacks, comprising: the receiving module is used for receiving the isolation message; the first judging module is used for judging whether a port of the network equipment receiving the attack message indicated by the isolation message is a preset attack isolation point or not according to the attack message source address information in the isolation message received by the receiving module; a binding module, configured to bind, when the first determining module determines that the port is an attack isolation point, the address information and the type information of the attack message source in the isolation message received by the receiving module to the port; and the sending module is used for sending the isolation message received by the receiving module to the network equipment connected with the port receiving the attack message under the condition that the first judging module judges that the port is not the attack isolation point.
A network device comprising the first network attack defense apparatus and/or the second network attack defense apparatus as described above.
In the embodiment of the invention, when the network device under attack judges that the port receiving an attack message is a preset attack isolation point, the source address information and the type information of the attack message are bound to that port; when it judges that the port is not a preset attack isolation point, an isolation message comprising the source address information and the type information of the attack message is constructed and sent to the network device connected to that port. When a network device receiving the isolation message judges that its port which received the attack message is a preset attack isolation point, it binds the source address information and the type information of the attack message to that port; when it judges that the port is not a preset attack isolation point, it sends the received isolation message on to the network device connected to the port that received the attack message. The attack message can thus be filtered at the port preset as an attack isolation point, unnecessary forwarding of attack messages in the network is reduced, network bandwidth is released and its utilization improved, and the network device system processing resources occupied by attack messages are reduced and their utilization improved. The prior-art problems of attacks initiated by legitimate users, large numbers of forwarded attack messages in the network, wasted network bandwidth and occupied network device system processing resources can therefore be solved.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
FIG. 1 is a diagram illustrating a prior art network topology;
FIG. 2 is a flowchart illustrating a method for defending against cyber attacks according to an embodiment of the present invention;
FIG. 3 is a work flow diagram of a preferred embodiment process for the method of FIG. 2;
FIG. 4 is a block diagram of a defense apparatus against network attacks according to an embodiment of the present invention;
FIG. 5 is a block diagram of the preferred embodiment of the apparatus shown in FIG. 4;
FIG. 6 is another flowchart of the defense method of network attack according to the embodiment of the invention;
FIG. 7 is a flow chart of the operation of a preferred embodiment process of the method of FIG. 6;
FIG. 8 is a block diagram showing the structure of a network attack defense apparatus according to an embodiment of the present invention;
FIG. 9 is a block diagram of the preferred embodiment of the apparatus shown in FIG. 8;
FIG. 10 is a schematic structural diagram of a network attack defense system according to an embodiment of the present invention.
Detailed Description
The embodiments of the present invention will be described in conjunction with the accompanying drawings, and it should be understood that the embodiments described herein are only for the purpose of illustrating and explaining the present invention, and are not intended to limit the present invention.
Aiming at the problems of attack initiated by a legal user, a large amount of forwarded attack messages in a network, network bandwidth resource waste and system processing resource occupation in the prior art, the embodiment of the invention provides a network attack defense scheme to solve the problems.
In the defense scheme of the network attack provided by the embodiment of the invention, firstly, an isolation mechanism for attack messages is provided.
The isolation mechanism includes the following. A port of a selected network device is set in advance as an attack isolation point. After a network device detects a network attack, if it judges that the port receiving the attack message is a preset attack isolation point, it binds the source address information and the type information of the attack message to that port so that the port filters and isolates subsequently received attack messages; if it judges that the port is not a preset attack isolation point, it constructs an isolation message comprising the source address information and the type information of the attack message and sends it to the network device connected to that port. When a network device receiving the isolation message judges that its port which received the attack message indicated in the isolation message is a preset attack isolation point, it binds the source address information and the type information carried in the isolation message to that port so that the port filters and isolates subsequently received attack messages; when it judges that the port is not a preset attack isolation point, it sends the received isolation message on to the network device connected to that port. By this scheme the attack message is stopped at the preset attack isolation point (that is, the port of the network device that receives the attack message), so that unnecessary forwarding of attack messages in the network is reduced, network bandwidth utilization is improved, the network system resources occupied by attack messages are reduced, and the utilization of network system processing resources is improved.
The defense scheme of the network attack provided by the embodiment of the invention also provides an isolation confirmation mechanism and a remedy mechanism after the isolation is invalid.
The following provides a detailed description of embodiments of the invention.
Fig. 2 is a flowchart illustrating a method for defending against a cyber attack according to an embodiment of the present invention; as shown in fig. 2, the method includes the following steps.
Step 21, after the network device detects a network attack, obtaining the source address information and the type information of the attack message;
step 22, judging whether the port receiving the attack message is a preset attack isolation point;
step 23, if the port is judged to be an attack isolation point, binding the obtained source address information and type information of the attack message to the port;
step 24, if the port is judged not to be an attack isolation point, constructing an isolation message comprising the obtained source address information and type information of the attack message, and sending the constructed isolation message to the network device connected to the port.
After the network device has detected a network attack, if the port receiving the attack message is judged to be the preset attack isolation point, the source address information and the type information of the attack message are bound to that port so that the port filters and isolates subsequently received attack messages. Network attack messages sent by a legitimate user can thus be isolated at the port preset as the attack isolation point, which reduces unnecessary forwarding of attack messages in the network, reduces the network bandwidth occupied by attack messages and improves bandwidth utilization, reduces the processing of attack messages by the network device, releases the device's system processing resources and improves its processing efficiency. This solves the prior-art problems of attacks initiated by legitimate users, large numbers of forwarded attack messages in the network, wasted network bandwidth resources and occupied system processing resources.
Fig. 3 shows a preferred embodiment of the processing of the method of fig. 2, which, as shown in fig. 3, comprises the following process.
Step 31, setting an attack isolation point identifier in advance for a port of a selected network device, specifically, setting one or more physical ports of the network device connected to a lower layer network device as an attack isolation point according to the actual operation requirement of the network, or selecting a physical port of the network device at a specific position on the network as an attack isolation point according to the requirement, for example, according to the actual requirement, selecting a port of a convergence layer network device as an attack isolation point, or selecting a port of an access layer network device as an attack isolation point;
step 32, after the network equipment is monitored to be attacked by the network, the source address information and the type information of the attack message are obtained;
step 33, determining whether the port receiving the attack packet is preset as an attack isolation point, specifically including: determining that the port receiving the attack packet is an attack isolation point when judging that the port has been set with the attack isolation point identifier, and processing proceeds to step 34; determining that the port receiving the attack packet is not an attack isolation point under the condition that the port does not set an attack isolation point identifier, and processing goes to step 35;
step 34, binding the source address information and the type information of the acquired attack message on a port receiving the attack message, so that the port filters the subsequently received attack message; in a preferred mode, a plurality of attack messages with the same source address information and different types are combined into a record and bound on the port, and the record is used for indicating that the messages from the same source address are all filtered; in a preferred mode, after receiving an isolation message carrying isolation failure information, binding attack message source address information and type information in the isolation message to a port receiving the isolation message carrying the isolation failure information, so that the port filters a subsequently received attack message; the process is ended.
Step 35, constructing an isolation message including the source address information and the type information of the acquired attack message; in a preferred mode, time length information for filtering and isolating the attack message is set in the isolation message;
step 36, judging whether the network device and the attack source device are in a directly connected network segment according to the source Internet Protocol (IP) address information included in the source address information of the attack message; if they are in a directly connected network segment, processing proceeds to step 37; otherwise, processing proceeds to step 38;
step 37, multicast-sending the constructed isolation message to the network device connected to the port receiving the attack message, and processing goes to step 39;
step 38, unicast-sending the constructed isolation message to the network device that is connected to the port receiving the attack message and that forwarded the attack message; in a preferred mode, when the source address information of the attack packet further includes the source media access control (MAC) address of the attack packet, the source MAC address in the constructed isolation packet is set to zero. In a forwarded packet received by a network device in the prior art, the MAC address is not the MAC address of the source device that sent the packet but that of the network device that last forwarded it, so the MAC address in the attack packet is not the address of the device that initiated the attack; addressing by the MAC address in the attack packet would locate the network device that last forwarded the packet, that is, the wrong device. For this reason the source MAC address of the attack packet in the constructed isolation packet is set to zero, and the isolation packet so set is unicast to the network device that is connected to the port receiving the attack packet and that forwarded the attack packet;
step 39, if an isolation success message is not received within a preset time, adding to the constructed isolation message the information that the attack isolation point cannot be found, and multicasting the isolation message so extended to the network device connected to the port receiving the attack message.
Through the processing process shown in fig. 3, after the network device is attacked by the network, in the case that the port receiving the attack packet is the preset attack isolation point, the source address information and the type information of the attack packet can be bound to the port serving as the attack isolation point, so that the attack isolation point can filter and isolate the subsequently received attack packet, thereby reducing the attack packet forwarded on the network.
In the processing process shown in fig. 3, it is determined whether the attack source device and the network device are in a direct connection network segment to perform multicast or unicast transmission on the isolated packet, so that the network relationship between the network device and the attack source device can be distinguished to save processing resources of the network device and the network system.
The processing procedure shown in fig. 3 further provides a confirmation mechanism, which handles whether the isolation of the attack packet succeeded for the network device holding the attack isolation point (a device other than the attack target). It includes two strategies: the first is confirmation processing after filtering succeeds, and the second is remediation processing after filtering fails. Under the first strategy, after successfully filtering and isolating the attack message, the network device sends an isolation success message to the target device of the attack to confirm that the attack message has been isolated. Under the second strategy, when the attacked network device has not received an isolation success message by the time the timeout expires, it adds to the isolation message the information that the attack isolation point cannot be found and multicasts the isolation message to the network device connected to the port receiving the attack message, so that the network device receiving that isolation message can isolate the attack message.
The process shown in fig. 3 also provides a remediation mechanism for failed isolation. Under this mechanism, when a network device receives an isolation message carrying the isolation failure information, this indicates that the network device holding the attack isolation point cannot effectively filter the attack message; the receiving device therefore binds the source address information and the type information of the attack message carried in the received isolation message to the port on which it received that isolation message, so that the port filters subsequently received attack messages. When the network device holding the attack isolation point cannot effectively filter the attack message, this mechanism lets an upstream network device filter it instead, so the failure of an attack isolation point to filter the attack message is covered and the effective rate of filtering and isolating attack messages is improved.
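The following is an added simulation, written for this page and not code from the patent or from Ruijie, of the mechanism just described: the fig. 3 steps on the attacked device (isolation-point check, isolation message construction, direct-segment test with source MAC zeroing for the unicast case, confirmation wait and the "isolation point cannot be found" remediation), together with the receiving-side handling the disclosure describes for devices that get an isolation message (bind on the port that received the attack packets if it is an isolation point and send an isolation success message, otherwise forward the isolation message on). The topology, IP addresses, MAC address, attack types and the forwarding-table entries are constructed for the example; the switch names only follow the attack path the page gives for fig. 1, and the port-to-neighbour links are an assumption. Because delivery is synchronous, "no success message within the preset time" is modelled as no success having been recorded once delivery returns.

```python
# Added simulation (not code from the patent or from Ruijie); topology, addresses and names
# are constructed for the example, switch names follow the attack path given for fig. 1.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class IsolationMessage:
    src_ip: str
    src_mac: Optional[str]          # None models "set to zero" (step 38)
    attack_type: str
    duration: int                   # filtering duration carried in the message (step 35)
    target: str                     # attacked device, so its success message can be matched
    isolation_failed: bool = False  # "attack isolation point cannot be found" (step 39)

@dataclass
class Port:
    name: str
    is_isolation_point: bool = False  # identifier set in advance (step 31)
    # one record per source address holding every attack type seen (step 34, preferred mode)
    bindings: Dict[str, Tuple[Set[str], int]] = field(default_factory=dict)

class Device:
    def __init__(self, name: str, segments: List[str], ports: List[Port]):
        self.name = name
        self.segments = [ip_interface(s).network for s in segments]  # directly connected
        self.ports = {p.name: p for p in ports}
        self.fdb: Dict[str, str] = {}    # learned: source IP -> port its traffic arrives on
        self.seen: List[IsolationMessage] = []
        self.net: Optional["Network"] = None

    def bind(self, port: Port, msg: IsolationMessage) -> None:
        types, _ = port.bindings.get(msg.src_ip, (set(), 0))
        port.bindings[msg.src_ip] = (types | {msg.attack_type}, msg.duration)

    def on_attack_detected(self, port_name, src_ip, src_mac, attack_type, duration=300) -> str:
        port = self.ports[port_name]
        msg = IsolationMessage(src_ip, src_mac, attack_type, duration, self.name)
        if port.is_isolation_point:                                    # steps 33-34
            self.bind(port, msg)
            return "bound-locally"
        if not any(ip_address(src_ip) in seg for seg in self.segments):  # step 36
            msg.src_mac = None          # step 38: unicast with the source MAC zeroed
        self.net.deliver(self, port, msg)   # step 37 multicasts; same next hop on a p2p link
        if (self.name, src_ip, attack_type) in self.net.successes:     # first strategy: confirmed
            return "isolated-upstream"
        msg.isolation_failed = True                                    # step 39: no success in time
        self.net.deliver(self, port, msg)
        return "remedied-upstream"

    def on_isolation_message(self, in_port: str, msg: IsolationMessage) -> str:
        self.seen.append(msg)
        if msg.isolation_failed:      # remediation: bind on the port that received this message
            self.bind(self.ports[in_port], msg)
            return "bound-remedy"
        port_name = self.fdb.get(msg.src_ip)          # port that received the attack packets
        if port_name is None:
            return "unknown-source"
        port = self.ports[port_name]
        if port.is_isolation_point:
            self.bind(port, msg)
            self.net.successes.add((msg.target, msg.src_ip, msg.attack_type))  # success message
            return "bound"
        return self.net.deliver(self, port, msg)      # not an isolation point: pass it on

class Network:
    # point-to-point links with synchronous delivery: "timeout" = no success recorded afterwards
    def __init__(self, devices: List[Device], links):
        self.devices = {d.name: d for d in devices}
        self.peer: Dict[Tuple[str, str], Tuple[str, str]] = {}
        for a, pa, b, pb in links:
            self.peer[(a, pa)], self.peer[(b, pb)] = (b, pb), (a, pa)
        for d in devices:
            d.net = self
        self.successes: Set[Tuple[str, str, str]] = set()

    def deliver(self, sender: Device, port: Port, msg: IsolationMessage) -> str:
        peer = self.peer.get((sender.name, port.name))
        if peer is None or peer[0] not in self.devices:   # link ends at a host, not a switch
            return "no-device"
        return self.devices[peer[0]].on_isolation_message(peer[1], msg)

def build_network(isolation_at_access: bool) -> Network:
    # constructed chain along the attack path given for fig. 1: PC1 -> SW1 -> SW3 -> SW8 -> SW7
    sw1 = Device("SW1", ["10.0.1.1/24"], [Port("port1", isolation_at_access), Port("port5")])
    sw3 = Device("SW3", ["10.0.3.1/24"], [Port("port1"), Port("port3")])
    sw8 = Device("SW8", ["10.0.8.1/24"], [Port("port2"), Port("port4")])
    sw7 = Device("SW7", ["10.0.7.1/24"], [Port("port1")])
    net = Network([sw1, sw3, sw8, sw7], [("SW1", "port5", "SW3", "port1"),
                                         ("SW3", "port3", "SW8", "port2"),
                                         ("SW8", "port4", "SW7", "port1")])
    net.peer[("SW1", "port1")] = ("PC1", "nic")             # host link; PC1 is not a switch
    for dev, port in ((sw1, "port1"), (sw3, "port1"), (sw8, "port2")):
        dev.fdb["10.0.1.10"] = port                          # where PC1's traffic enters
    return net

def run_attack(isolation_at_access: bool, attack_type: str = "arp-flood") -> Tuple[Network, str]:
    # SW7 (core) detects an attack from PC1 arriving on its port1 and runs steps 32-39
    net = build_network(isolation_at_access)
    return net, net.devices["SW7"].on_attack_detected("port1", "10.0.1.10", "00:11:22:33:44:55", attack_type)
```

With the access port marked as the isolation point, `run_attack(True)` makes SW7 unicast the isolation message (source MAC zeroed, since PC1 is not on a segment SW7 is directly connected to); SW8 and SW3 pass it on because the ports on which PC1's traffic arrives are not isolation points, SW1 binds the record on port1 and records the success, and SW7 reports the attack isolated upstream. A second attack of a different type from the same source is merged into the same record on SW1's port1, as the preferred mode of step 34 describes. With no isolation point anywhere (`run_attack(False)`), the message reaches the host link and no success is recorded, so SW7 re-sends it flagged "isolation point cannot be found" and SW8 binds the filter on the port that received the flagged message, which is what the remediation mechanism on this page specifies.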
In order to implement the above functions, the method for defending against network attacks in the embodiments of the present invention may be implemented by hardware, or may be implemented by a software program, where the network device includes the following device for defending against network attacks.
Fig. 4 is a block diagram illustrating a configuration of a network attack defending device according to an embodiment of the present invention, and as shown in fig. 4, the device includes an obtaining module 41, a first determining module 42, a binding module 43, a building module 44, and a sending module 45; wherein,
the obtaining module 41 is configured to obtain source address information and type information of an attack packet after the network device is monitored and attacked;
a first judging module 42, configured to judge whether a port receiving the attack packet is preset as an attack isolation point;
a binding module 43, connected to the obtaining module 41 and the first determining module 42, configured to bind, when the first determining module 42 determines that the port is an attack isolation point, the source address information and the type information of the attack packet obtained by the obtaining module 41 to the port, so that the port filters a subsequently received attack packet;
a constructing module 44, connected to the obtaining module 41 and the first judging module 42, configured to construct an isolation packet including the source address information and the type information of the attack packet obtained by the obtaining module 41 when the first judging module 42 judges that the port is not an attack isolation point;
and a sending module 45, connected to the constructing module 44, configured to send the isolated packet constructed by the constructing module 44 to the network device connected to the port.
Through the apparatus shown in fig. 4, after the network device is attacked by the network, and under the condition that the port receiving the attack packet is the preset attack isolation point, the source address information and the type information of the attack packet can be bound to the port serving as the attack isolation point, so that the attack isolation point can filter and isolate the subsequently received attack packet, and can reduce the attack packet forwarded on the network.
The working principle of the device shown in fig. 4 is shown in fig. 2, and will not be described in detail here.
In a preferred manner, fig. 5 shows a preferred embodiment of the device of fig. 4, which, as shown in fig. 5, comprises: a presetting module 46, an obtaining module 41, a first judging module 42, a binding module 43, a constructing module 44, a sending module 45, a second judging module 47, a setting module 48, a receiving module 49 and a timer 50; the structure and functions of the modules already shown in fig. 4 are not described again;
a preset module 46, configured to set an attack isolation point identifier for a port of a preselected network device;
the first determining module 42 is specifically configured to determine that a port receiving the attack packet is an attack isolation point when determining that the port has already been provided with the attack isolation point identifier; determining that the port receiving the attack message is not an attack isolation point under the condition that the port does not set the attack isolation point identifier;
the binding module 43 is further configured to, when the first determining module 42 determines that the port receiving the attack packet is the attack isolation point, combine a plurality of attack packets with the same source address information and different types into one record, and bind the source address information of the attack packet to the port;
the constructing module 44 is further configured to set duration information for filtering and isolating the attack packet in the isolation packet;
a receiving module 49, configured to receive an isolation success message;
a timer 50, configured to time a predetermined time length for which the receiving module 49 receives the isolation success message;
a second determining module 47, connected to the obtaining module 41, configured to determine whether the network device itself and the source attack device are in a direct connection network segment according to source internet protocol IP address information in the source address information of the attack packet obtained by the obtaining module 41;
a setting module 48, connected to the constructing module 44, the second judging module 47, the receiving module 49, and the timer 50, configured to set, when the second judging module 47 judges that the network device and the source attack device are in a non-direct-connection network segment, the attack message source media access control (MAC) address information in the source address information of the isolation message constructed by the constructing module 44 to zero; and further configured to add information that the attack isolation point cannot be found to the isolation message constructed by the constructing module 44 when the timer 50 times out and the receiving module 49 has not received the isolation success message;
the sending module 45 is specifically configured to, when the second judging module 47 judges that the network device and the source attack device are in a direct connection network segment, multicast the isolation message constructed by the constructing module 44 to the network device connected to the port that receives the attack message; when they are judged to be in a non-direct-connection network segment, to send, in unicast mode, either the isolation message constructed by the constructing module 44 or the isolation message in which the setting module 48 has set the attack message source MAC address information to zero to the network device that is connected to the port receiving the attack message and that forwards the attack message; and further configured to multicast, to the network device connected to the port receiving the attack message, the isolation message to which the setting module 48 has added the information that the attack isolation point cannot be found.
The working principle of the device shown in fig. 5 is shown in fig. 3, and will not be described in detail here.
By the device shown in fig. 5, unnecessary forwarded attack messages in the network can be reduced, the utilization rate of the network bandwidth can be improved, and the processing efficiency of the network equipment can be improved; and a mechanism for confirming whether the attack message filtering of the attack isolation point is successful or not can be realized, and the effective rate of the attack message isolation is improved.
Fig. 6 shows another work flow diagram of the defense method against network attacks according to the embodiment of the invention, and as shown in fig. 6, the flow includes the following processing procedures.
Step 61, after receiving the isolation message, the network device judges whether the port of the network device receiving the attack message indicated in the isolation message is a preset attack isolation point according to the attack message source address information in the isolation message;
step 62, binding the source address information and the type information of the attack message in the isolation message on the port under the condition that the port is judged to be the attack isolation point;
step 63, under the condition that the port is judged not to be the attack isolation point, sending the received isolation message to the network equipment connected with the port.
According to the processing procedure shown in fig. 6, when the network device receiving the isolation message determines that its own port receiving the attack message indicated in the isolation message is the attack isolation point, the source address information and the type information of the attack message in the isolation message are bound to that port, so that the port filters and isolates the subsequently received attack messages. In this way a network attack message sent by a legitimate (authenticated) user is isolated at the port preset as the attack isolation point, the attack messages unnecessarily forwarded on the network are reduced, the network bandwidth occupied by attack messages is reduced and the utilization rate of the network bandwidth is increased, the processing of attack messages by network devices is reduced, system processing resources of the network devices are released and their processing efficiency is increased. This addresses the problems of the prior art, namely that an attack initiated by a legitimate user produces a large number of forwarded attack messages in the network, wasting network bandwidth resources and occupying system processing resources.
Fig. 7 shows a preferred embodiment of the method shown in fig. 6, which, as shown in fig. 7, comprises the following processes:
step 71, setting an attack isolation point identifier for a port of the selected network equipment connected with the lower-layer network equipment in advance;
step 72, after receiving the isolation packet, the network device determines, according to the source IP address information of the attack packet in the isolation packet, whether a port of the network device itself receiving the attack packet indicated in the isolation packet is a preset attack isolation point, which specifically includes: determining that the port is an attack isolation point when the port of the network device receiving the attack packet indicated by the isolation packet is set with the attack isolation point identifier, and processing proceeds to step 73; determining that the port, which receives the attack packet indicated by the isolation packet, of the network device itself is not an attack isolation point when the attack isolation point identifier is not set in the port, and processing proceeds to step 75;
step 73, binding the source address information and the type information of the attack message in the isolation message on the port so as to enable the port to filter the subsequently received attack message; in a preferred mode, a plurality of attack messages with the same source address information and different types are combined into one record, and the source address information of the attack messages is bound on the port;
in a preferred mode, after receiving an isolation message carrying isolation failure information, binding attack message source address information and type information in the isolation message to a port receiving the isolation message carrying the isolation failure information, so that the port filters a subsequently received attack message;
in a preferred mode, after receiving an isolation message carrying information that an attack isolation point cannot be found, binding the address information and the type information of an attack message source in the isolation message to a port receiving the attack message, so that the port filters the attack message indicated in the subsequently received isolation message, and broadcasting the isolation message carrying the information that the attack isolation point cannot be found to a network device connected with the port receiving the attack message indicated in the isolation message;
step 74, after monitoring that the port fails to filter the attack message, carrying isolation failure information in the isolation message, and sending the isolation message carrying the isolation failure information to the network device connected with the port receiving the isolation message; and after monitoring that the port successfully filters the attack message, sending an isolation success message to the network equipment indicated by the destination address information of the attack message in the isolation message, and finishing the processing.
step 75, sending the received isolation message to the network device connected to the port receiving the attack message, which specifically includes: judging, according to the attack message source IP address information in the isolation message, whether the network device and the network device pointed to by the attack message source IP address information are in a direct connection network segment; when they are in a direct connection network segment, processing proceeds to step 76; when they are judged to be in a non-direct-connection network segment, processing proceeds to step 77;
step 76, multicast-sending the isolation message to the network device connected to the port receiving the attack message; in a preferred mode, because the network device and the network device to which the attack message source IP address information refers are in a direct connection network segment, the network device can find the source MAC address information of the attack message corresponding to the source IP address information, that is, the MAC address information of the source device sending the attack message, on the network device itself according to the source IP address information of the attack message in the isolation message, add the source MAC address information into the isolation message, multicast-send the isolation message carrying the attack message source MAC address information to the network device connected to the port receiving the attack message, so that the network device receiving the isolation message carrying the attack message source MAC address information can more accurately locate the port receiving the attack message and the source device sending the attack message, and the processing is finished.
step 77, sending the isolation message in unicast mode to the network equipment which is connected with the port receiving the attack message and which forwards the attack message, and finishing the processing.
According to the processing flow shown in fig. 7, after receiving the isolation packet, the network device determines that the port of the network device itself receiving the attack packet is a preset network node, and binds the source address information and the type information of the attack packet in the isolation packet to the port serving as the attack isolation point, so that the attack isolation point filters and isolates the subsequently received attack packet, thereby reducing the attack packets forwarded on the network.
In the processing process shown in fig. 7, it is determined whether the attack source device and the network device are in a direct connection network segment to perform multicast or unicast transmission on the isolated packet, so that the network relationship between the network device and the attack source device can be distinguished to save processing resources of the network device and the network system.
In the processing procedure shown in fig. 7, the above-described confirmation mechanism and remediation mechanism after the isolation invalidation are also applied, and are not described here again.
In order to implement the above functions, the method for defending against network attacks in the embodiments of the present invention may be implemented by hardware, or may be implemented by a software program, where the network device includes the following device for defending against network attacks.
Fig. 8 is a block diagram illustrating a configuration of a defense apparatus against network attacks according to an embodiment of the present invention, and as shown in fig. 8, the apparatus includes: a receiving module 81, a first judging module 82, a binding module 83, and a sending module 84; wherein,
a receiving module 81, configured to receive the isolated packet;
a first judging module 82, connected to the receiving module 81, configured to judge, according to the address information of the attack message source in the isolation message received by the receiving module 81, whether a port of the network device receiving the attack message indicated by the isolation message is a preset attack isolation point;
a binding module 83, connected to the receiving module 81 and the first determining module 82, configured to bind, when the first determining module 82 determines that the port is an attack isolation point, the address information and the type information of the attack message source in the isolation message received by the receiving module 81 to the port, so that the port filters a subsequent received attack message;
the sending module 84 is connected to the receiving module 81 and the first judging module 82, and is configured to send the isolation packet received by the receiving module 81 to the network device connected to the port that receives the attack packet when the first judging module 82 judges that the port is not the attack isolation point.
The working principle of the device shown in fig. 8 is shown in fig. 7, and will not be described in detail here.
According to the apparatus shown in fig. 8, when the network device receiving the isolation message determines that its own port receiving the attack message indicated in the isolation message is the attack isolation point, the source address information and the type information of the attack message in the isolation message are bound to that port, so that the port filters and isolates the subsequently received attack messages. In this way a network attack message sent by a legitimate (authenticated) user is isolated at the port preset as the attack isolation point, the attack messages unnecessarily forwarded on the network are reduced, the network bandwidth occupied by attack messages is reduced and the utilization rate of the network bandwidth is increased, the processing of attack messages by network devices is reduced, system processing resources of the network devices are released and their processing efficiency is increased. This addresses the problems of the prior art, namely that an attack initiated by a legitimate user produces a large number of forwarded attack messages in the network, wasting network bandwidth resources and occupying system processing resources.
Fig. 9 shows a preferred implementation structure of the apparatus shown in fig. 8, and as shown in fig. 9, the structure includes a receiving module 81, a first determining module 82, a binding module 83, a sending module 84, a second determining module 85, a searching module 86, a setting module 87, a monitoring module 88, and a presetting module 89; the above structure and functions of the above modules in fig. 8 are not described again;
a preset module 89, configured to set an attack isolation point identifier in advance for a port of a selected network device connected to a lower layer network device;
the first determining module 82 is specifically configured to determine that a port, which receives the attack packet indicated by the isolated packet, of the network device is an attack isolation point when the port is already provided with the attack isolation point identifier; determining that the port of the network device which receives the attack message indicated by the isolation message is not an attack isolation point under the condition that the port is not provided with the attack isolation point identifier;
the second judging module 85 is connected to the receiving module 81, and is configured to judge whether the network device itself and the network device indicated by the attack message source IP address information are in a direct connection network segment according to the attack message source IP address information in the isolation message received by the receiving module 81;
a searching module 86, connected to the receiving module 81, configured to search, according to the source IP address information of the attack packet in the isolation packet received by the receiving module 81, source MAC address information of the attack packet corresponding to the source IP address information;
a monitoring module 88, configured to monitor a situation that the port filters the attack packet;
the setting module 87 is connected to the receiving module 81, the first judging module 82, the searching module 86 and the monitoring module 88, and is configured to add the attack message source MAC address information found by the searching module 86 to the isolation message received by the receiving module 81; and is further configured to, when the first judging module 82 judges that the port receiving the attack message is the attack isolation point, add isolation failure information to the isolation message received by the receiving module 81 after the monitoring module 88 monitors that the port fails to filter the attack message;
the receiving module 81 is further configured to receive an isolation message carrying isolation failure information, and is further configured to receive an isolation message carrying information that an attack isolation point cannot be found;
the binding module 83 is further connected to the receiving module 81, and is further configured to bind, after the receiving module 81 receives the isolation message carrying isolation failure information, the attack message source address information and type information in that isolation message to the port that received the isolation message carrying the isolation failure information, so that the port filters the subsequently received attack messages; is further configured to, when the first judging module 82 judges that the port receiving the attack message is the attack isolation point, combine a plurality of attack messages having the same source address information and different types into one record, and bind the source address information of the attack messages to the port; and is further configured to bind, when the receiving module 81 receives an isolation message carrying information that an attack isolation point cannot be found, the source address information and the type information of the attack message in that isolation message to the port that receives the attack message indicated in the isolation message, so that the port filters the subsequently received attack messages;
the sending module 84 is further connected to the receiving module 81, the second judging module 85, and the monitoring module 88, and is specifically configured to, when the second judging module 85 judges that the network device and the source attack device are in a direct connection network segment, multicast the isolation message received by the receiving module 81 to the network device connected to the port that receives the attack message; in a preferred manner, the isolation message is multicast after the setting module 87 has added the attack message source MAC address information to it; when the second judging module 85 judges that they are in a non-direct-connection network segment, to send the isolation message received by the receiving module 81 in unicast mode to the network equipment which is connected with the port receiving the attack message and which forwards the attack message; after the monitoring module 88 monitors that the port successfully filters the attack message, to send an isolation success message to the network device pointed to by the destination address information of the attack message; and to broadcast the isolation message carrying the information that the attack isolation point cannot be found, received by the receiving module 81, to the network device connected to the port receiving the attack message indicated in the isolation message.
The working principle of the device shown in fig. 9 is shown in fig. 7, and will not be described in detail here.
The device shown in fig. 9 can reduce unnecessary forwarded attack messages in the network, improve the utilization rate of the network bandwidth, and improve the processing efficiency of the network device; and a mechanism for confirming whether the attack message filtering of the attack isolation point is successful or not can be realized, and the effective rate of the attack message isolation is improved.
The embodiment of the present invention further provides a network device, where the network device includes the network attack defense apparatus shown in fig. 4 and fig. 8, and the working principles of the network device are respectively shown in fig. 2 and fig. 6, which are not described herein again. A preferred implementation structure of a network device including the apparatus shown in fig. 4 and 8 may include the structures shown in fig. 5 and 9, and the operation principles thereof are shown in fig. 3 and 7, respectively, and are not described herein again.
An embodiment of the present invention further provides a system for defending against network attacks, where the system has a plurality of network devices including the apparatus shown in fig. 4 and/or fig. 8, and a preferred implementation structure of the system is a network device including a plurality of apparatuses shown in fig. 5 and/or fig. 9, and a working principle of the system is as described above, and is not described here again.
The following describes a specific application of the embodiments of the present invention.
Fig. 10 is a schematic structural diagram of a network attack defense system specifically applied to an embodiment of the present invention, as shown in fig. 10, an access switch SW1 is connected to a PC1-PC 1 through a Port1-Port4, the access switch SW1 is connected to the PC1-PC 1 through a Port1-Port 1, SW1 is connected to the Port1 of the sink switch SW1 and the Port1 of SW1 through ports 1 and respectively, SW1 is connected to the Port1 of the sink switch SW1 through a Port1, SW1 is connected to the Port1 of the core switch SW1 through a Port1, SW1 is connected to the Port1 through a Port1, SW1 is connected to the upper portion 1 through a WEB switch 1, SW1, the access switch SW1 is connected to a security switch 1, the upper portion 1, the access switch 1, the SW1 is connected to the upper portion 1 through a security switch 1, the security switch, the access switch only forwards the messages sent by the PC from the legal IP address and the legal MAC address. In the system shown in fig. 10, the IP address of PC1 is 192.168.3.2/24, the MAC address is 00d0.f800.0001, the management IP address of SW1 is 192.168.1.1/24, the IP address of port1 of SW3 is 192.168.3.1/24, the IP address of port3 is 192.168.8.2/24, the IP address of port2 of SW8 is 192.168.8.1/24, the IP address of port1 is 192.168.7.2/24, the IP address of port1 of SW7 is 192.168.7.1/24, the IP address of PC5 is 192.168.5.2/24, the management IP address of SW2 is 192.168.2.1/24, and the IP address of port1 of SW5 is 192.168.5.1/24.
Scene one
In the system shown in fig. 10, port1 to port4 of SW1 are all set as attack isolation points in advance, and attack isolation point identifiers are set for the four ports respectively.
After the authentication, the PC1 performs a loopback attack of a User Datagram Protocol (UDP) on the port 7 of the SW7 through the port 1234 with a legal identity, attack information is detected on the SW7, and a method for detecting the attack may be NFPP or other application layer protocols. After the SW7 detects the attack, the attack message is defended according to the following processing steps.
Step one, after monitoring that a network attack is received, that is, after port1 receives an attack Protocol Data Unit (PDU), SW7 obtains the relevant information of the attack PDU, which mainly comprises the source address information and the type information of the attack message. As shown in table 1, the relevant information of the attack PDU includes: the source MAC address of the attack message, the type of the attack message, the source IP and destination IP of the attack message, the protocol number of the attack message, and the source port and destination port numbers. The source and destination port numbers are carried only when the attack is a Transmission Control Protocol (TCP) or UDP message, and the protocol number is carried in the relevant information of the attack PDU only when the attack message is an IPv4 or IPv6 message;
in table 1, the source MAC is the MAC address corresponding to 192.168.7.2, because after cross-segment forwarding the source MAC information has been rewritten to the MAC address of the previous-hop device that forwarded the message;
TABLE 1 (relevant information of the attack PDU; the table is provided as an image in the original and its cells are not reproduced here)
Step two, SW7 judges that the port1 receiving the attack PDU has not set the attack isolation point mark, and determines that the port1 is not the attack isolation point;
step three, SW7 constructs an isolation PDU including the obtained relevant information of the attack PDU (shown in table 1); as shown in table 2, the isolation PDU includes an Ethernet header, an IP header, a TCP header, and the relevant information of the attack message. SW7 determines, from the source IP address in the source address information of the attack message and its own IP address, that it and the source attack device are in a non-direct-connection network segment, sets the attack message source MAC address information in the constructed isolation PDU to zero as shown in table 2, and unicast-transmits the isolation PDU shown in table 2 to the network device that is connected to port1 (the port receiving the attack PDU) and that forwarded the attack PDU, that is, SW8.
TABLE 2 (isolation PDU constructed by SW7, source MAC set to zero; the table is provided as an image in the original and its cells are not reproduced here)
After receiving the isolation PDU shown in table 2, SW8 determines that port2 of SW8, which receives the attack PDU, is not a preset attack isolation point, determines from the attack message source IP address in the isolation PDU and its own IP address that SW8 and the source attack device PC1 are not in a direct connection segment, and unicast-transmits the received isolation PDU shown in table 2 to the network device connected to port2, that is, SW3.
After SW3 receives the isolation PDU, it determines that port1 of SW3, which receives the attack PDU, is not an attack isolation point, determines from the attack message source IP address in the isolation PDU and its own IP address that SW3 and the source attack device PC1 are in a direct connection network segment, looks up its MAC address table by the attack message source IP, finds that the MAC address of the attack source device PC1 is 00d0.f800.0001, fills the MAC address of PC1 into the received isolation PDU as shown in table 3, and multicast-transmits the isolation PDU shown in table 3 to the network device connected to port1, that is, SW1.
After the SW1 receives the isolation packet shown in table 3, it determines that port1 of SW1, which receives the attack PDU, is an attack isolation point, and binds the attack packet information carried in table 3 to port1, and port1 filters and isolates the subsequently received corresponding attack packet.
After SW1 successfully filters and isolates the attack message, SW1 sends an isolation success message, according to the destination IP of the attack message in the isolation message, to the network device indicated by that destination IP, that is, SW7; when SW7 receives the isolation success message within the predetermined time, it is confirmed that the attack message has been isolated.
TABLE 3 (isolation PDU with the MAC address of PC1 filled in by SW3; the table is provided as an image in the original and its cells are not reproduced here)
If SW7 does not receive the isolation success message within the predetermined time, it adds information that the attack isolation point cannot be found to the constructed isolation message shown in table 3, for example by setting an "attack isolation point not found" flag bit, where a value of 1 indicates that no attack isolation point could be found in the network, as shown in table 4, and multicast-sends the isolation message so extended to the network device connected to the port receiving the attack message, that is, SW8. After receiving the isolation message carrying the information that the attack isolation point cannot be found, SW8 binds the attack message information in the isolation message to port2, the port receiving the attack message indicated in the isolation message, and multicasts the isolation message to the network device SW3 connected to port2; SW3, on receiving the isolation message, performs the same processing as SW8.
In addition, when SW1 fails to filter and isolate the attack PDU, isolation failure information is added to the isolation message shown in table 3, for example by setting an isolation failure flag bit; when the flag bit is 1, the isolation message shown in table 5 is sent to the network device connected to port5, the port that received the isolation message, that is, SW3. After port1 of SW3 receives the isolation PDU shown in table 5 and finds that the isolation failure flag bit in the isolation PDU is 1, SW3 binds the attack PDU related information in the isolation PDU to port1, and port1 of SW3 filters and isolates the subsequently received corresponding attack PDUs. Similarly, when SW3 fails to filter the attack PDU, the isolation PDU shown in table 5 is sent through port3 to SW8, and SW8 filters the attack messages on port2.
TABLE 4 (isolation message with the "attack isolation point not found" flag bit set; the table is provided as an image in the original and its cells are not reproduced here)
TABLE 5 (isolation message with the isolation failure flag bit set; the table is provided as an image in the original and its cells are not reproduced here)
When a network device needs to filter and isolate multiple attack messages with the same attack message source IP address and different message types, the multiple attack messages can be merged into one record and all messages from that IP address filtered and isolated. For example, when SW1 isolates multiple attack messages of different types from 192.168.3.2, that is, from PC1, the multiple attack messages can be merged into one record and the messages from PC1 isolated as a whole, so that the messages from PC1 do not excessively occupy network bandwidth resources and the filtered attack messages do not excessively occupy the system processing resources of SW1.
Through the above processing procedure, the port1 of the SW1, as an attack isolation point, can isolate the attack packet from the PC1 at the edge of the network architecture, and since the SW1, as an access layer device, is located at a lower network level, can reduce the attack packet transmitted in the network as much as possible, can improve the utilization rate of the network bandwidth, and improve the processing efficiency of the network device.
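The following Python model, added here as an illustration and not part of the patent, plays the fig. 7 decision logic (attack-isolation-point check, direct-segment check, MAC zeroing versus MAC fill-in, unicast versus multicast, record merging) over the scene-one chain SW7, SW8, SW3, SW1 with the addresses given above; the class and field names, the per-switch route and MAC tables, and the previous-hop MAC value are constructed assumptions:

```python
# Constructed model of the isolation-message propagation of fig. 7 / scene one.
# Class names, field names and the per-switch tables are assumptions made for
# this example; they are not the patent's own code or message format.
from dataclasses import dataclass, field, replace
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Set, Tuple

ZERO_MAC = "0000.0000.0000"   # source MAC is zeroed on non-direct-connected hops


@dataclass
class IsolationPDU:
    """Attack-message description carried in an isolation message (cf. table 1)."""
    src_mac: str
    pkt_type: int                    # Ethernet type of the attack message, e.g. 0x0800
    src_ip: str
    dst_ip: str
    protocol: int                    # IP protocol number, e.g. 17 for UDP
    src_port: Optional[int] = None   # only present for TCP/UDP attacks
    dst_port: Optional[int] = None


@dataclass
class Switch:
    name: str
    routes: Dict[str, int] = field(default_factory=dict)      # network -> port towards it
    direct: Dict[int, str] = field(default_factory=dict)      # port -> directly connected network
    arp: Dict[str, str] = field(default_factory=dict)         # IP -> MAC learned on a direct segment
    mac_ports: Dict[str, int] = field(default_factory=dict)   # MAC -> port (L2 forwarding table)
    isolation_points: Set[int] = field(default_factory=set)
    links: Dict[int, Tuple["Switch", int]] = field(default_factory=dict)
    # port -> source IP -> set of (pkt_type, protocol): one record per source, types merged
    bindings: Dict[int, Dict[str, Set[Tuple[int, int]]]] = field(default_factory=dict)

    def attack_port(self, pdu: IsolationPDU) -> Optional[int]:
        """Port on which attack messages from pdu.src_ip arrive: L3 route, else L2 MAC table."""
        src = IPv4Address(pdu.src_ip)
        for net, port in self.routes.items():
            if src in IPv4Network(net):
                return port
        return self.mac_ports.get(pdu.src_mac)   # None if the MAC was zeroed and is unknown

    def is_direct(self, src_ip: str) -> bool:
        src = IPv4Address(src_ip)
        return any(src in IPv4Network(n) for n in self.direct.values())

    def bind(self, port: int, pdu: IsolationPDU) -> None:
        """Bind the attack source to the port; different types from one source share a record."""
        self.bindings.setdefault(port, {}).setdefault(pdu.src_ip, set()).add(
            (pdu.pkt_type, pdu.protocol))

    def handle(self, pdu: IsolationPDU, trace: list) -> None:
        port = self.attack_port(pdu)
        if port is None:
            trace.append((self.name, None, "attack port not found", pdu.src_mac))
            return
        if port in self.isolation_points:
            self.bind(port, pdu)
            trace.append((self.name, port, "bind", pdu.src_mac))
            return
        if self.is_direct(pdu.src_ip):
            # direct segment: the real source MAC is known locally; fill it in and multicast
            out = replace(pdu, src_mac=self.arp.get(pdu.src_ip, pdu.src_mac))
            mode = "multicast"
        else:
            out = replace(pdu, src_mac=ZERO_MAC)
            mode = "unicast"
        trace.append((self.name, port, mode, out.src_mac))
        neighbour, _ = self.links[port]
        neighbour.handle(out, trace)


def build_scene_one():
    """Scene-one chain with the addresses from fig. 10 (port-to-port wiring is assumed)."""
    sw1 = Switch("SW1", mac_ports={"00d0.f800.0001": 1}, isolation_points={1, 2, 3, 4})
    sw3 = Switch("SW3", routes={"192.168.3.0/24": 1},
                 direct={1: "192.168.3.0/24", 3: "192.168.8.0/24"},
                 arp={"192.168.3.2": "00d0.f800.0001"}, links={1: (sw1, 1)})
    sw8 = Switch("SW8", routes={"192.168.3.0/24": 2},
                 direct={1: "192.168.7.0/24", 2: "192.168.8.0/24"}, links={2: (sw3, 3)})
    sw7 = Switch("SW7", routes={"192.168.3.0/24": 1},
                 direct={1: "192.168.7.0/24"}, links={1: (sw8, 1)})
    return sw1, sw3, sw8, sw7


def run_scene_one():
    """UDP attack PC1 -> SW7 port 7 from port 1234; then a second, ICMP attack from PC1."""
    sw1, _, _, sw7 = build_scene_one()
    # MAC of the previous hop (SW8) as seen at SW7; constructed placeholder value
    udp = IsolationPDU("00d0.f800.0008", 0x0800, "192.168.3.2", "192.168.7.1", 17, 1234, 7)
    icmp = IsolationPDU("00d0.f800.0008", 0x0800, "192.168.3.2", "192.168.7.1", 1)
    trace = []
    sw7.handle(udp, trace)
    sw7.handle(icmp, trace)
    return sw1.bindings, trace


if __name__ == "__main__":
    bindings, trace = run_scene_one()
    for hop in trace:
        print(hop)
    print(bindings)
```

The trace shows the source MAC leaving SW7 and SW8 as zero, SW3 restoring it from its own table on the direct segment, and SW1 binding both attacks to port1 as a single record for 192.168.3.2; a switch that received only the zeroed MAC and has no route towards the source cannot locate the attack port, which is the situation the "attack isolation point not found" handling addresses.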
Scene two
In the system shown in fig. 10, port1 to port3 of SW2 are all set as attack isolation points in advance, and attack isolation point identifiers are set for the three ports respectively.
The PC5 performs a large-traffic long ping attack of Internet Control Message Protocol (ICMP) on SW5 with a legal identity, and after receiving the attack, the port1 of SW5 obtains relevant information of the attack message, where the relevant information is shown in table 6, and includes an attacker message source MAC, an attack message type, an attack message source IP, an attack message destination IP, and a Protocol number.
TABLE 6
Attack message source MAC | Attack message type | Attack message source IP | Attack message destination IP | Protocol number
00d0.f800.0005 | 0x0800 | 192.168.5.2 | 192.168.5.1 | 1 (ICMP)
SW5 determines that port1 is not a preset attack isolation point, then determines from its own IP address and the attack message source IP address that SW5 and PC5 are in a directly connected network segment, constructs the isolation message shown in table 7 carrying the attack message information of table 6, and multicasts the isolation message of table 7 to the network device connected to port1, that is, SW2.
TABLE 7 (provided as an image in the original; contents not reproduced here)
After SW2 receives the isolation message shown in table 7, it determines that port1, the port that received the attack message indicated in the isolation message, is an attack isolation point, binds the attack message information in the isolation message to port1, and port1 then filters and isolates the corresponding attack messages received subsequently.
The confirmation processing after successful filtering and isolation, the processing of isolation failure, and the processing of multiple types of attack packets from the same IP address performed by SW2 are similar to those described in scenario one above and are not repeated here.
Through the above processing procedure, port1 of SW2, as an attack isolation point, isolates the attack packets from PC5 at the edge of the network architecture. Because SW1 is an access layer device located at a lower network level, this reduces the attack packets transmitted in the network as much as possible, improves the utilization of network bandwidth, and improves the processing efficiency of the network devices.
In summary, the network attack defense scheme provided by the embodiments of the present invention applies an isolation mechanism: through the mutual linkage and identification of the devices in the whole network, attack packets are isolated outside the attack isolation point. When the attack isolation point is located at a lower network level, the useless attack packets in the network are greatly reduced, the network bandwidth utilization and the utilization of the system processing resources of the network devices are improved, and the stability of the whole network and the transmission efficiency of service flows are improved; and by applying the confirmation mechanism and the remedy mechanism after an isolation failure, the effectiveness of attack message isolation is improved.
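A simulation of the handling just described, added here as an illustration and not part of the patent or of any vendor's code: SW5 detects the ICMP attack on port1, which is not an isolation point, builds the isolation message and hands it to SW2, which binds it to port1 and sends the success confirmation. Beyond scenario two itself it also exercises the unicast path with a zeroed source MAC (claim 3) and the merging of several message types from one source into a single record described with table 5. Assumed: each switch learns the attacker's MAC per port in a dict, resolves IP to MAC from a dict, uses a /24 mask for the directly connected segment test, and links are plain object references rather than frames.

```python
"""Simulation of the attack-isolation-point mechanism (added example, not the
patent's code). Assumed: a switch learns the attacker's MAC on a port (dict),
resolves IP to MAC from an ARP-style dict (the claim 15 lookup), the "directly
connected segment" test uses a /24 mask, and links are object references."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_interface
from typing import Dict, List, Optional

ZERO_MAC = "0000.0000.0000"   # claim 3: MAC is zeroed on the unicast path


@dataclass(frozen=True)
class AttackInfo:
    src_mac: str
    eth_type: Optional[int]   # None once several types from one IP are merged
    src_ip: str
    dst_ip: str
    proto: int


@dataclass
class IsolationMessage:
    info: AttackInfo
    multicast: bool               # True: detector shares a segment with attacker
    bound_by: Optional[str] = None


class Switch:
    by_ip: Dict[str, "Switch"] = {}   # lets an isolation point reach the victim

    def __init__(self, name: str, ip: str, isolation_points=()):
        self.name, self.ip = name, ip
        self.isolation_points = set(isolation_points)
        self.mac_table: Dict[str, str] = {}        # learned MAC -> port
        self.arp: Dict[str, str] = {}              # IP -> MAC
        self.links: Dict[str, "Switch"] = {}       # port -> neighbouring device
        self.bindings: Dict[str, List[AttackInfo]] = {}
        self.success_received: List[str] = []      # claim 19 confirmations
        Switch.by_ip[ip] = self

    # Detecting device (claims 1-3): bind locally or hand off toward the source.
    def on_attack_detected(self, port: str, info: AttackInfo) -> Optional[IsolationMessage]:
        if port in self.isolation_points:
            self.bind(port, info)
            return None
        same_seg = ip_address(info.src_ip) in ip_interface(f"{self.ip}/24").network
        msg = IsolationMessage(info if same_seg else replace(info, src_mac=ZERO_MAC), same_seg)
        self.links[port].on_isolation_message(msg)
        return msg

    # Receiving device (claims 13-15, 19): find the port the attack came in on.
    def on_isolation_message(self, msg: IsolationMessage) -> None:
        info = msg.info
        if info.src_mac == ZERO_MAC:             # unicast path: recover the MAC
            info = replace(info, src_mac=self.arp[info.src_ip])
        attack_port = self.mac_table[info.src_mac]
        if attack_port in self.isolation_points:
            self.bind(attack_port, info)
            msg.bound_by = self.name
            Switch.by_ip[info.dst_ip].success_received.append(self.name)
        elif attack_port in self.links:          # not ours: pass it further down
            self.links[attack_port].on_isolation_message(msg)

    # Claims 6/17: several types from one source collapse into one IP record.
    def bind(self, port: str, info: AttackInfo) -> None:
        rules = self.bindings.setdefault(port, [])
        same_ip = [r for r in rules if r.src_ip == info.src_ip]
        if any(r.eth_type in (None, info.eth_type) for r in same_ip):
            return                               # already covered by a rule
        if same_ip:
            rules[:] = [r for r in rules if r.src_ip != info.src_ip]
            rules.append(replace(info, eth_type=None))
        else:
            rules.append(info)

    def drops(self, port: str, src_ip: str, eth_type: int) -> bool:
        # True when a binding on this isolation point filters the frame
        return any(r.src_ip == src_ip and r.eth_type in (None, eth_type)
                   for r in self.bindings.get(port, []))


def scenario_two(victim_ip: str = "192.168.5.1"):
    """Constructed topology: PC5 -- SW2.port1 (isolation point) ... SW2.port3 -- SW5.port1."""
    sw2 = Switch("SW2", "192.168.2.1", isolation_points={"port1", "port2", "port3"})
    sw5 = Switch("SW5", victim_ip)
    sw5.links["port1"] = sw2
    sw5.mac_table["00d0.f800.0005"] = "port1"    # both switches learned PC5's MAC
    sw2.mac_table["00d0.f800.0005"] = "port1"
    sw2.arp["192.168.5.2"] = "00d0.f800.0005"
    info = AttackInfo("00d0.f800.0005", 0x0800, "192.168.5.2", victim_ip, 1)  # table 6
    msg = sw5.on_attack_detected("port1", info)
    return sw2, sw5, msg
```

Calling `scenario_two()` with a victim address outside 192.168.5.0/24 takes the unicast path, where the MAC is zeroed and SW2 recovers it from its own table before binding.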
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (27)

1. A method for defending against network attacks, characterized by comprising the following steps:
after a network device detects that the network is under attack, obtaining source address information and type information of the attack message;
judging whether the port that received the attack message is a preset attack isolation point;
when the port is judged to be an attack isolation point, binding the obtained source address information and type information of the attack message to the port; and
when the port is judged not to be an attack isolation point, constructing an isolation message comprising the obtained source address information and type information of the attack message, and sending the constructed isolation message to the network device connected to the port.
2. The method of claim 1, wherein the source address information of the attack message comprises source Internet Protocol (IP) address information of the attack message; and
sending the constructed isolation message to the network device connected to the port specifically comprises:
judging, according to the source IP address information of the attack message, whether the network device and the source attack device are in a directly connected network segment; multicasting the isolation message to the network device connected to the port when they are judged to be in a directly connected network segment; and unicasting the isolation message to the network device that is connected to the port and forwards the attack message when they are judged to be in a non-directly connected network segment.
3. The method of claim 2, wherein the source address information of the attack message further comprises source Media Access Control (MAC) address information of the attack message; and
unicasting the isolation message to the network device that is connected to the port and forwards the attack message, when a non-directly connected network segment is judged, specifically comprises:
setting the source MAC address information of the attack message in the isolation message to zero, and unicasting the resulting isolation message to the network device that is connected to the port and forwards the attack message.
4. The method of claim 1, further comprising:
when an isolation success message is not received within a preset time, adding to the constructed isolation message information indicating that an attack isolation point cannot be found, and multicasting the isolation message with the added information to the network device connected to the port that received the attack message.
5. The method of claim 1, further comprising:
after receiving an isolation message carrying isolation failure information, binding the attack message source address information and type information in the isolation message to the port that received the isolation message carrying the isolation failure information.
6. The method of claim 1, further comprising:
binding the source address information of the attack message to the port when the port that received the attack message is an attack isolation point and there are multiple attack messages with the same source address information and different types.
7. An apparatus for defending against network attacks, comprising:
an acquisition module, configured to acquire source address information and type information of the attack message after the network device detects that the network is under attack;
a first judging module, configured to judge whether the port that received the attack message is preset as an attack isolation point;
a binding module, configured to bind the source address information and type information of the attack message acquired by the acquisition module to the port when the first judging module judges that the port is an attack isolation point;
a construction module, configured to construct an isolation message comprising the source address information and type information of the attack message acquired by the acquisition module when the first judging module judges that the port is not an attack isolation point; and
a sending module, configured to send the isolation message constructed by the construction module to the network device connected to the port.
8. The apparatus of claim 7, further comprising:
a second judging module, configured to judge, according to the source Internet Protocol (IP) address information in the source address information of the attack message acquired by the acquisition module, whether the network device and the source attack device are in a directly connected network segment;
wherein the sending module is specifically configured to multicast the isolation message to the network device connected to the port when the second judging module judges a directly connected network segment, and to unicast the isolation message to the network device that is connected to the port and forwards the attack message when the second judging module judges a non-directly connected network segment.
9. The apparatus of claim 8, further comprising:
a setting module, configured to set the source Media Access Control (MAC) address information in the attack message source address information of the isolation message constructed by the construction module to zero when the second judging module judges a non-directly connected network segment;
wherein the sending module is specifically configured to unicast the isolation message set by the setting module to the network device that is connected to the port and forwards the attack message.
10. The apparatus of claim 7, further comprising:
a receiving module, configured to receive an isolation success message;
a timer, configured to time the preset duration within which the receiving module is to receive the isolation success message;
the setting module, further configured to add information indicating that an attack isolation point cannot be found to the isolation message constructed by the construction module when the timer expires and the receiving module has not received the isolation success message; and
the sending module, further configured to multicast the isolation message with the information added by the setting module to the network device connected to the port that received the attack message.
11. The apparatus of claim 7, further comprising:
a receiving module, configured to receive an isolation message carrying isolation failure information;
wherein the binding module is further configured to bind, after the receiving module receives the isolation message carrying the isolation failure information, the attack message source address information and type information in that isolation message to the port that received it.
12. The apparatus of claim 7, wherein the binding module is further configured to bind the source address information of the attack message to the port when the first judging module judges that the port that received the attack message is an attack isolation point and there are multiple attack messages with the same source address information and different types.
13. A method for defending against network attacks, characterized by comprising the following steps:
after receiving an isolation message, a network device judges, according to the attack message source address information in the isolation message, whether the port of the network device that received the attack message indicated in the isolation message is a preset attack isolation point;
when the port is judged to be an attack isolation point, binding the attack message source address information and type information in the isolation message to the port; and
when the port is judged not to be an attack isolation point, sending the received isolation message to the network device connected to the port.
14. The method of claim 13, wherein the source address information of the attack message comprises source Internet Protocol (IP) address information of the attack message; and
sending the received isolation message to the network device connected to the port that received the attack message, when the port is judged not to be an attack isolation point, specifically comprises:
judging, according to the attack message source IP address information in the isolation message, whether the network device and the network device indicated by that source IP address information are in a directly connected network segment; multicasting the isolation message to the network device connected to the port that received the attack message when a directly connected network segment is judged; and unicasting the isolation message to the network device that is connected to the port that received the attack message and forwards the attack message when a non-directly connected network segment is judged.
15. The method of claim 14, wherein multicasting the isolation message to the network device connected to the port that received the attack message, when a directly connected network segment is judged, specifically comprises:
looking up, according to the source IP address information of the attack message, the source Media Access Control (MAC) address information of the attack message corresponding to that source IP address information, adding the source MAC address information to the isolation message, and multicasting the isolation message carrying the attack message source MAC address information to the network device connected to the port that received the attack message.
16. The method of claim 13, further comprising:
when the port that received the attack message is an attack isolation point, after detecting that the port has failed to filter the attack message, adding isolation failure information to the isolation message and sending the isolation message with the added isolation failure information to the network device connected to the port that received the isolation message; and
after receiving the isolation message carrying the isolation failure information, the network device binds the source address information and type information of the attack message in the isolation message to the port that received the isolation message carrying the isolation failure information.
17. The method of claim 13, further comprising:
when the port that received the attack message is an attack isolation point, combining multiple attack messages with the same source address information and different types into one record and binding it to the port.
18. The method of claim 13, further comprising:
after receiving an isolation message carrying information that an attack isolation point cannot be found, binding the source address information and type information of the attack message in the isolation message to the port that received the attack message indicated in the isolation message, and multicasting the received isolation message to the network device connected to the port that received the attack message indicated in the isolation message.
19. The method of claim 13, wherein the isolation message further includes destination address information of the attack message; and
the method further comprises:
after detecting that the port has successfully filtered the attack message, sending an isolation success message to the network device indicated by the destination address information of the attack message.
20. An apparatus for defending against network attacks, comprising:
a receiving module, configured to receive an isolation message;
a first judging module, configured to judge, according to the attack message source address information in the isolation message received by the receiving module, whether the port of the network device that received the attack message indicated by the isolation message is a preset attack isolation point;
a binding module, configured to bind the attack message source address information and type information in the isolation message received by the receiving module to the port when the first judging module judges that the port is an attack isolation point; and
a sending module, configured to send the isolation message received by the receiving module to the network device connected to the port that received the attack message when the first judging module judges that the port is not an attack isolation point.
21. The apparatus of claim 20, further comprising:
a second judging module, configured to judge, according to the attack message source IP address information in the isolation message received by the receiving module, whether the network device and the network device indicated by that source IP address information are in a directly connected network segment;
wherein the sending module is specifically configured to multicast the isolation message received by the receiving module to the network device connected to the port that received the attack message when the second judging module judges a directly connected network segment, and to unicast the isolation message received by the receiving module to the network device that is connected to the port that received the attack message and forwards the attack message when the second judging module judges a non-directly connected network segment.
22. The apparatus of claim 21, further comprising:
a lookup module, configured to look up, according to the source IP address information of the attack message in the isolation message received by the receiving module, the source Media Access Control (MAC) address information of the attack message corresponding to that source IP address information;
a setting module, configured to add the attack message source MAC address information found by the lookup module to the isolation message received by the receiving module;
wherein the sending module is specifically configured to multicast the isolation message, to which the setting module has added the attack message source MAC address information, to the network device connected to the port that received the attack message.
23. The apparatus of claim 20, further comprising:
a monitoring module, configured to monitor how the port filters the attack message;
the setting module, further configured to add isolation failure information to the isolation message received by the receiving module when the first judging module judges that the port that received the attack message is an attack isolation point and the monitoring module detects that this port has failed to filter the attack message;
the sending module, further configured to send the isolation message with the isolation failure information added by the setting module to the network device connected to the port that received the isolation message;
the receiving module, further configured to receive an isolation message carrying isolation failure information; and
the binding module, further configured to bind, after the receiving module receives the isolation message carrying the isolation failure information, the attack message source address information and type information in that isolation message to the port that received it.
24. The apparatus of claim 20, wherein the binding module is further configured to bind the source address information of the attack message to the port when the first judging module judges that the port that received the attack message is an attack isolation point and there are multiple attack messages with the same source address information and different types.
25. The apparatus of claim 20, wherein the receiving module is further configured to receive an isolation message carrying information that an attack isolation point cannot be found;
the binding module is further configured to bind the attack message source address information and type information in the isolation message received by the receiving module to the port that received the attack message indicated in the isolation message; and
the sending module is further configured to multicast the isolation message received by the receiving module to the network device connected to the port that received the attack message indicated in the isolation message.
26. The apparatus of claim 20, further comprising:
a monitoring module, configured to monitor how the port filters the attack message; and
the sending module, further configured to send an isolation success message to the network device indicated by the destination address information of the attack message after the monitoring module detects that the port has successfully filtered the attack message.
27. A network device comprising the apparatus for defending against network attacks according to any one of claims 7 to 12 and/or the apparatus for defending against network attacks according to any one of claims 20 to 26.
CN201210062417.1A 2012-03-09 2012-03-09 Method and device for defending network attack and network equipment Active CN102594834B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210062417.1A CN102594834B (en) 2012-03-09 2012-03-09 Method and device for defending network attack and network equipment

Publications (2)

Publication Number Publication Date
CN102594834A true CN102594834A (en) 2012-07-18
CN102594834B CN102594834B (en) 2014-09-10

Family

ID=46483035

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant