CN102594834B - Method and device for defending network attack and network equipment - Google Patents

Info

Publication number: CN102594834B
Authority: CN (China)
Prior art keywords: message, attack, isolation, port, network equipment
Legal status: Active
Application number: CN201210062417.1A
Other languages: Chinese (zh)
Other versions: CN102594834A
Inventor: 赖鹏飞
Current Assignee: Beijing Star Net Ruijie Networks Co Ltd
Original Assignee: Beijing Star Net Ruijie Networks Co Ltd
Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and a device for defending against network attacks, and a network equipment. The method comprises the following steps: after the network equipment detects a network attack, acquiring the source address information and type information of the attack message; judging whether the port receiving the attack message is a preset attack isolation point; if the port is an attack isolation point, binding the acquired source address information and type information of the attack message to the port; otherwise, constructing an isolation message comprising the acquired source address information and type information of the attack message, and sending the constructed isolation message to the network equipment connected to the port. By this method, attack messages can be filtered out at the port preset as the attack isolation point, so that needlessly forwarded attack messages in the network are reduced, solving the prior-art problem that a large number of attack messages forwarded in the network waste network bandwidth resources and occupy the system processing resources of network equipment.

Description

Method and device for defending against network attacks, and network equipment
Technical field
The present invention relates to data communication systems, and in particular to a method and device for defending against network attacks, and to a network equipment.
Background technology
At present, in large networks, access-control security functions are usually deployed on access switches to defend against network attacks. For example, in the network shown in Fig. 1, access switch SW1 connects personal computers (PC) PC1-PC4 through Port1-Port4, and access switch SW2 connects PC5-PC7 through Port1-Port3. SW1 is connected through Port5 and Port6 to Port1 of convergence switch SW3 and Port1 of convergence switch SW4 respectively, and SW2 is connected through Port4 to Port1 of convergence switch SW5. SW3 and SW4 are connected to each other through their Port2. SW3 is connected through port3 to port2 of core switch SW8, SW4 is connected through port3 to port1 of SW8, SW5 is connected through port2 to port1 of core switch SW6, SW6 is connected through port2 to core switch SW7 and through port3 to SW8, and SW8 is connected through port4 to port1 of SW7. Access-control security functions such as 802.1x or WEB authentication are deployed on access switches SW1 and SW2; these can effectively control the legitimacy of the identity of an accessing PC, and the access switch only forwards messages sent by PCs with legal Internet Protocol (IP) and Media Access Control (MAC) addresses.
Although controlling the user's identity can currently defend against network attacks initiated by illegal users, the above method cannot defend against attacks initiated by users who possess a legal identity: a PC with a legal IP+MAC address can also initiate illegal network attacks, whether deliberately by the user or automatically by a virus after the PC has been infected. For example, as shown in Fig. 1, PC1 uses a legal IP+MAC to attack core switch SW7: PC1 sends the attack message to port1 of SW1, SW1 sends it via port5 to port1 of SW3, SW3 sends it via port3 to port2 of SW8, and SW8 sends it via port4 to port1 of SW7. In the prior art there are currently two methods for dealing with network attacks initiated by legal users, described below.
The first method is to configure a Network Foundation Protection Policy (NFPP) on switch SW7 to defend against network attacks initiated by legal users; this policy can rate-limit attack messages and isolate attacking users. However, this method only rate-limits the attack messages, which still exist in the network and waste a great deal of network bandwidth. For example, in Fig. 1, SW7 is a core switch with many downstream users; if there are a large number of attacks, a lot of hardware resources are needed to isolate these attacking users. If the victim is a router, every attack message is delivered to the CPU of SW7, and SW7's software resources must be used to decide whether to filter the attack source, which heavily consumes software resources and reduces the CPU's capacity for processing regular traffic. Even if the attack that this message causes on SW7 has been isolated, the attack message stream still exists in the network and greatly wastes network bandwidth.
In the second method, the attacked equipment sends a warning message to the network administrator, who then locates the switch on which the attacker specifically resides and filters out the attack source by manually binding a filter entry on that switch, or a symmetric multi-processor (SMP) server issues a blocking strategy to the switch to filter out the attack message. However, this method requires manually searching for and locating the attack source, which is time-consuming, laborious and inefficient.
In summary, in the prior art, for attacks initiated by legal users, a large number of attack messages are forwarded in the network, wasting network bandwidth resources and occupying the system processing resources of network equipment.
Summary of the invention
In view of this, embodiments of the present invention provide a method for defending against network attacks, in order to solve the problem in the prior art that, for attacks initiated by legal users, a large number of attack messages are forwarded in the network, wasting network bandwidth resources and occupying the system processing resources of network equipment.
Correspondingly, embodiments of the present invention also provide a device for defending against network attacks and a network equipment.
The technical scheme of the embodiments of the present invention is as follows:
A method for defending against network attacks, comprising: after the network equipment detects that it is under network attack, obtaining the source address information and type information of the attack message; judging whether the port that receives this attack message is a preset attack isolation point; if the port is judged to be an attack isolation point, binding the obtained source address information and type information of the attack message to this port; if the port is judged not to be an attack isolation point, constructing an isolation message comprising the obtained source address information and type information of the attack message, and sending the constructed isolation message to the network equipment connected to this port.
A device for defending against network attacks, comprising: an acquisition module, for obtaining the source address information and type information of the attack message after the network equipment detects that it is under attack; a first judge module, for judging whether the port that receives this attack message is preset as an attack isolation point; a binding module, for binding the source address information and type information of the attack message obtained by the acquisition module to this port when the first judge module judges that this port is an attack isolation point; a build module, for constructing an isolation message comprising the source address information and type information of the attack message obtained by the acquisition module when the first judge module judges that this port is not an attack isolation point; and a sending module, for sending the isolation message constructed by the build module to the network equipment connected to this port.
A method for defending against network attacks, comprising: after the network equipment receives an isolation message, judging, according to the attack message source address information in this isolation message, whether the port on which the network equipment receives the attack message indicated by this isolation message is a preset attack isolation point; if the port is judged to be an attack isolation point, binding the attack message source address information and type information in this isolation message to this port; if the port is judged not to be an attack isolation point, sending the received isolation message to the network equipment connected to this port.
A device for defending against network attacks, comprising: a receiver module, for receiving an isolation message; a first judge module, for judging, according to the attack message source address information in the isolation message received by the receiver module, whether the port on which the network equipment receives the attack message indicated by this isolation message is a preset attack isolation point; a binding module, for binding the attack message source address information and type information in the isolation message received by the receiver module to this port when the first judge module judges that this port is an attack isolation point; and a sending module, for sending the isolation message received by the receiver module to the network equipment connected to the port that receives the attack message when the first judge module judges that this port is not an attack isolation point.
A network equipment, comprising the first device for defending against network attacks described above and/or the second device for defending against network attacks described above.
In the embodiments of the present invention, when a network equipment subject to a network attack judges that the port receiving the attack message is a preset attack isolation point, it binds the source address information and type information of the attack message to this port; when it judges that this port is not a preset attack isolation point, it constructs an isolation message comprising the obtained source address information and type information of the attack message and sends the constructed isolation message to the network equipment connected to this port. A network equipment that receives an isolation message binds the source address information and type information of the attack message to the port that receives the attack message when it judges that this port is a preset attack isolation point, and sends the received isolation message on to the network equipment connected to the port that receives the attack message when it judges that this port is not a preset attack isolation point. Attack messages can thus be filtered out by the port preset as the attack isolation point, which reduces the attack messages needlessly forwarded in the network, releases network bandwidth resources and improves network bandwidth utilization, and reduces the system processing resources of the network equipment that are occupied and improves the utilization of those resources, thereby solving the problem in the prior art that, for attacks initiated by legal users, a large number of attack messages are forwarded in the network, wasting network bandwidth resources and occupying the system processing resources of network equipment.
Other features and advantages of the present invention will be set forth in the following description, and in part will become apparent from the description or be understood by implementing the present invention. The objects and other advantages of the present invention can be realized and obtained by the structures particularly pointed out in the written specification, claims and accompanying drawings.
Brief description of the drawings
Fig. 1 is a schematic diagram of a network topology in the prior art;
Fig. 2 is a workflow diagram of the method for defending against network attacks according to an embodiment of the present invention;
Fig. 3 is a workflow diagram of a preferred implementation of the method shown in Fig. 2;
Fig. 4 is a structural block diagram of the device for defending against network attacks according to an embodiment of the present invention;
Fig. 5 is a structural block diagram of a preferred implementation of the device shown in Fig. 4;
Fig. 6 is another workflow diagram of the method for defending against network attacks according to an embodiment of the present invention;
Fig. 7 is a workflow diagram of a preferred implementation of the method shown in Fig. 6;
Fig. 8 is a structural block diagram of the device for defending against network attacks according to an embodiment of the present invention;
Fig. 9 is a structural block diagram of a preferred implementation of the device shown in Fig. 8;
Fig. 10 is a schematic structural diagram of a system for defending against network attacks according to a specific application of an embodiment of the present invention.
Embodiment
Embodiments of the invention are described below with reference to the accompanying drawings; it should be understood that the embodiments described here serve only to describe and explain the present invention and are not intended to limit it.
To address the problem in the prior art that, for attacks initiated by legal users, a large number of attack messages are forwarded in the network, wasting network bandwidth resources and occupying system processing resources, embodiments of the present invention propose a defense scheme against network attacks.
The defense scheme against network attacks provided by embodiments of the present invention first provides an isolation mechanism for attack messages.
This isolation mechanism comprises: setting a selected port of a network equipment as an attack isolation point in advance; after the network equipment is subject to a network attack, when it judges that the port receiving the attack message is the attack isolation point set in advance, binding the source address information and type information of the attack message to this port so that this port filters and isolates subsequently received attack messages, and when it judges that the port receiving the attack message is not a preset attack isolation point, constructing an isolation message comprising the source address information and type information of the attack message and sending this isolation message to the network equipment connected to this port; and, on the network equipment that receives the isolation message, when it judges that the port receiving the attack message indicated in the isolation message is a preset attack isolation point, binding the source address information and type information of the attack message carried in the isolation message to the port that receives the attack message so that this port filters and isolates subsequently received attack messages, and when it judges that this port is not a preset attack isolation point, sending the received isolation message to the network equipment connected to this port. With this scheme, attack messages can be isolated outside the preset attack isolation point (that is, the port on the network equipment that receives the attack message), reducing attack messages needlessly forwarded in the network, improving network bandwidth utilization, reducing the network system resources occupied by attack messages, and improving the utilization of the network system's processing resources.
The defense scheme against network attacks provided by embodiments of the present invention also provides a confirmation mechanism for isolation and a remedial mechanism for when isolation is invalid.
Embodiments of the present invention are described in detail below.
Fig. 2 shows a workflow diagram of the method for defending against network attacks according to an embodiment of the present invention; as shown in Fig. 2, the method comprises the following processing.
Step 21, after the network equipment detects that it is under network attack, obtain the source address information and type information of the attack message;
Step 22, judge whether the port that receives this attack message is a preset attack isolation point;
Step 23, if this port is judged to be an attack isolation point, bind the obtained source address information and type information of the attack message to this port;
Step 24, if this port is judged not to be an attack isolation point, construct an isolation message comprising the obtained source address information and type information of the attack message, and send the constructed isolation message to the network equipment connected to this port.
After the network equipment is subject to a network attack, when it judges that the port receiving the attack message is a preset attack isolation point, it binds the source address information and type information of the attack message to this port so that this port filters and isolates subsequently received attack messages. Network attack messages sent by legal users can thus be isolated, and attack messages are isolated outside the port of the network equipment preset as the attack isolation point. This reduces attack messages needlessly forwarded in the network, reduces the network bandwidth occupied by attack messages, improves network bandwidth utilization, reduces the processing of attack messages by the network equipment, releases the system processing resources of the network equipment and improves its system processing efficiency, thereby solving the problem in the prior art that, for attacks initiated by legal users, a large number of attack messages are forwarded in the network, wasting network bandwidth resources and occupying system processing resources.
Fig. 3 shows a preferred implementation of the method shown in Fig. 2; as shown in Fig. 3, this preferred processing comprises the following.
Step 31, set an attack isolation point mark in advance on a selected port of the network equipment; specifically, according to the needs of actual network operation, one or more physical ports of the network equipment that connect to lower-layer network equipment may be set as attack isolation points, or, as required, physical ports of network equipment at specific positions in the network may be selected as attack isolation points; for example, according to actual needs, ports of convergence-layer network equipment may be selected as attack isolation points, or ports of access-layer network equipment may be selected as attack isolation points;
Step 32, after the network equipment detects that it is under network attack, obtain the source address information and type information of the attack message;
Step 33, judge whether the port that receives this attack message is preset as an attack isolation point, specifically: if the port that receives the attack message has been provided with an attack isolation point mark, determine that this port is an attack isolation point and proceed to Step 34; if the port that receives the attack message has not been provided with an attack isolation point mark, determine that this port is not an attack isolation point and proceed to Step 35;
Step 34, bind the obtained source address information and type information of the attack message to the port that receives the attack message, so that this port filters subsequently received attack messages. In one preferred mode, multiple attack messages with the same source address information but different types are merged into one record bound to this port, and this record indicates that all messages from this same source are to be filtered. In another preferred mode, after an isolation message carrying isolation failure information is received, the attack message source address information and type information in that isolation message are bound to the port that received the isolation message carrying the isolation failure information, so that this port filters subsequently received attack messages. Processing ends.
Step 35, construct an isolation message comprising the obtained source address information and type information of the attack message; in one preferred mode, duration information for filtering and isolating the attack message is set in the isolation message;
Step 36, according to the source Internet Protocol (IP) address information comprised in the source address information of the attack message, judge whether the network equipment itself and the source attacking equipment are in a directly connected subnet; if they are judged to be in a directly connected subnet, proceed to Step 37; if they are judged to be in an indirectly connected network segment, proceed to Step 38;
Step 37, multicast the constructed isolation message to the network equipment connected to the port that receives the attack message, and proceed to Step 39;
Step 38, unicast the constructed isolation message to the network equipment that is connected to the port receiving the attack message and that forwarded this attack message. In one preferred mode, the source address information of the attack message also comprises the source Media Access Control (MAC) address information of the attack message, and the attack message source MAC address information in the constructed isolation message is set to zero. In the prior art, the MAC address in a forwarded message received by a network equipment is not the MAC address of the source device that sent the message but the MAC address of the last network equipment that forwarded it; hence the MAC address in the attack message is not that of the equipment that initiated the network attack but that of the network equipment that last forwarded the attack message, and addressing by the MAC address in the attack message would lead to the wrong network equipment. Therefore the attack message source MAC address information in the constructed isolation message is set to zero here, and the isolation message so set is unicast to the network equipment that is connected to the port receiving the attack message and that forwarded this attack message;
Step 39, if an isolation success message is not received within a predetermined time, add information indicating that no attack isolation point was found to the constructed isolation message, and multicast the isolation message with this information added to the network equipment connected to the port that receives the attack message.
Through the processing shown in Fig. 3, after the network equipment is subject to a network attack, if the port receiving the attack message is a preset attack isolation point, the source address information and type information of the attack message can be bound to the port serving as the attack isolation point so that this attack isolation point filters and isolates subsequently received attack messages. This reduces the attack messages forwarded in the network; when the network equipment possessing the attack isolation point is at a lower level of the network architecture, more attack messages can be filtered and isolated, needlessly forwarded attack messages in the network are reduced more significantly, the processing of attack messages by the network equipment is correspondingly reduced, the system processing resources of the network equipment occupied by attack messages are reduced, and the system processing efficiency of the network equipment is improved.
In the processing shown in Fig. 3, judging whether the attack source equipment and the network equipment itself are in a directly connected subnet, and multicasting or unicasting the isolation message accordingly, distinguishes the network relationship between the network equipment and the attack source equipment, saving the processing resources of the network equipment and the network system.
In the processing shown in Fig. 3, a confirmation mechanism is also provided. This mechanism handles, for the network equipment possessing the attack isolation point (which is not the target equipment of the attack), whether the attack isolation point succeeds or fails in isolating the attack message; it comprises two strategies: the first is confirmation processing after filtering succeeds, and the second is remedial processing after filtering fails. According to the first strategy, after the network equipment successfully filters and isolates the attack message, it sends an isolation success message to the target equipment of the attack message to confirm that the attack message has been successfully isolated. According to the second strategy, when the network equipment subject to the network attack times out without receiving an isolation success message, the attacked network equipment adds information that no attack isolation point was found to the isolation message and multicasts this isolation message to the network equipment connected to the port that receives the attack message, so that all network equipment receiving this isolation message isolates this attack message. This strategy allows the network equipment at a lower level of the network architecture to filter attack messages effectively, prevents the situation in which the whole network cannot filter the attack message because the network equipment possessing the attack isolation point fails or the attack isolation point is invalid, and improves the effectiveness of filtering and isolating attack messages.
In the processing shown in Fig. 3, a remedial mechanism for when isolation is invalid is also provided. According to this mechanism, when the network equipment receives an isolation message carrying isolation failure information, this indicates that the network equipment possessing the attack isolation point cannot effectively filter out the attack message; after receiving the isolation message carrying isolation failure information, the network equipment binds the source address information and type information of the attack message in the received isolation message to the port that received this isolation message, so that this port filters subsequently received attack messages. When the network equipment possessing the attack isolation point cannot effectively filter the attack message, this mechanism allows the upper-layer network equipment of that network equipment to filter the attack message, prevents the problem of the attack isolation point being unable to filter the attack message effectively, and improves the effectiveness of filtering and isolating attack messages.
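As an added example (not the applicant's code), the following Python simulation walks the Fig. 1 attack path PC1 to SW1 to SW3 to SW8 to SW7 through Steps 31 to 39 and the two mechanisms just described: SW1 port1 is preset as the attack isolation point, SW7 detects the attack on a port that is not an isolation point and passes an isolation message hop by hop, the source MAC is zeroed for an indirectly connected segment, same-source records merge into a filter-everything record, and the "no attack isolation point found" fallback makes the next hop bind. The IP addresses, subnets, the per-device tables of which port a source's traffic arrives on, and modelling the isolation success message and its timeout as a return value are assumptions.

```python
"""Simulation of the attack-isolation-point scheme (constructed example, not the
applicant's code). Switch names and ports follow the Fig. 1 attack path
PC1 -> SW1 port1 -> SW3 port1 -> SW8 port2 -> SW7 port1; addresses, subnets and
the per-device "port toward source" tables are assumptions for the demo."""
from dataclasses import dataclass, field, replace
import ipaddress

ZERO_MAC = "00:00:00:00:00:00"
DEFAULT_DURATION = 300  # assumed filter duration carried in the isolation message (Step 35)


@dataclass(frozen=True)
class IsolationMsg:
    src_ip: str
    src_mac: str             # set to zero before unicast across an indirectly connected segment
    attack_type: str
    duration: int            # carried as in Step 35; expiry is not simulated here
    not_found: bool = False  # Step 39: added after the success timeout; receivers bind at once


@dataclass
class Device:
    name: str
    subnet: str
    isolation_ports: set = field(default_factory=set)  # ports preset as attack isolation points
    toward: dict = field(default_factory=dict)         # src_ip -> port on which its traffic arrives
    links: dict = field(default_factory=dict)          # port -> neighbouring Device on that port
    bindings: dict = field(default_factory=dict)       # port -> {src_ip: set(types) | "*"}
    last: IsolationMsg = None                          # last isolation message received

    def connect(self, port, neighbour):
        self.links[port] = neighbour

    def bind(self, port, src_ip, attack_type):
        """Step 34: bind source+type; a second type for the same source collapses the
        record into "*", i.e. filter every message from that source."""
        rec = self.bindings.setdefault(port, {})
        if rec.get(src_ip) == "*":
            return
        types = rec.setdefault(src_ip, set())
        types.add(attack_type)
        if len(types) > 1:
            rec[src_ip] = "*"

    def forwards(self, port, src_ip, attack_type):
        """Filter applied to later traffic on a port: False means the message is dropped."""
        bound = self.bindings.get(port, {}).get(src_ip)
        return not (bound == "*" or (bound is not None and attack_type in bound))

    def directly_connected(self, src_ip):
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.subnet)

    def isolate(self, msg):
        """Steps 22-24 and the receiving-side method: bind here if the port on which the
        attack traffic arrives is an isolation point, otherwise pass the message one hop on.
        Returns the name of the device that bound the filter, or None if none did."""
        self.last = msg
        port = self.toward[msg.src_ip]
        if msg.not_found or port in self.isolation_ports:
            self.bind(port, msg.src_ip, msg.attack_type)
            return self.name  # stands in for the "isolation success" message sent back
        nxt = self.links.get(port)
        if nxt is None:
            return None  # end of the path, no isolation point found
        if not self.directly_connected(msg.src_ip):
            # Step 38: the MAC seen here is the last hop's, not the attacker's, so zero it
            msg = replace(msg, src_mac=ZERO_MAC)
        return nxt.isolate(msg)  # one neighbour per port here, so multicast == unicast

    def on_attack(self, src_ip, src_mac, attack_type):
        """Steps 21-24 on the attacked device, plus the Step 39 fallback."""
        msg = IsolationMsg(src_ip, src_mac, attack_type, DEFAULT_DURATION)
        where = self.isolate(msg)
        if where is None:
            # timeout without a success message: resend flagged so the next hop binds
            nxt = self.links.get(self.toward[src_ip])
            where = nxt.isolate(replace(msg, not_found=True)) if nxt else None
        return where


def build_fig1(isolation_at_sw1=True):
    """Constructed topology: only the SW7 <- SW8 <- SW3 <- SW1 <- PC1 path of Fig. 1."""
    sw1 = Device("SW1", "10.1.0.0/24", toward={"10.1.0.11": "port1"},
                 isolation_ports={"port1"} if isolation_at_sw1 else set())
    sw3 = Device("SW3", "10.1.3.0/24", toward={"10.1.0.11": "port1"})
    sw8 = Device("SW8", "10.1.8.0/24", toward={"10.1.0.11": "port2"})
    sw7 = Device("SW7", "10.1.7.0/24", toward={"10.1.0.11": "port1"})
    sw7.connect("port1", sw8)
    sw8.connect("port2", sw3)
    sw3.connect("port1", sw1)
    return {"SW1": sw1, "SW3": sw3, "SW8": sw8, "SW7": sw7}


if __name__ == "__main__":
    net = build_fig1()
    print("bound at", net["SW7"].on_attack("10.1.0.11", "00:11:22:33:44:55", "arp-flood"))
    print("SW1 port1 forwards attacker:", net["SW1"].forwards("port1", "10.1.0.11", "arp-flood"))
```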
To realize the above functions, the method for defending against network attacks in embodiments of the present invention may be implemented in hardware or by the following software program, in which case the network equipment comprises the following device for defending against network attacks.
Fig. 4 shows a structural block diagram of the device for defending against network attacks according to an embodiment of the present invention; as shown in Fig. 4, this device comprises acquisition module 41, first judge module 42, binding module 43, build module 44 and sending module 45; wherein,
Acquisition module 41 is used to obtain the source address information and type information of the attack message after the network equipment detects that it is under attack;
First judge module 42 is used to judge whether the port that receives this attack message is preset as an attack isolation point;
Binding module 43 is connected to acquisition module 41 and first judge module 42, and is used, when first judge module 42 judges that this port is an attack isolation point, to bind the source address information and type information of the attack message obtained by acquisition module 41 to this port, so that this port filters subsequently received attack messages;
Build module 44 is connected to acquisition module 41 and first judge module 42, and is used, when first judge module 42 judges that this port is not an attack isolation point, to construct an isolation message comprising the source address information and type information of the attack message obtained by acquisition module 41;
Sending module 45 is connected to build module 44, and is used to send the isolation message constructed by build module 44 to the network equipment connected to this port.
With the device shown in Fig. 4, after the network equipment is subject to a network attack, if the port receiving the attack message is a preset attack isolation point, the source address information and type information of the attack message can be bound to the port serving as the attack isolation point so that this attack isolation point filters and isolates subsequently received attack messages. This reduces the attack messages forwarded in the network; when the network equipment possessing the attack isolation point is at a lower level of the network architecture, attack messages can be filtered and isolated earlier, needlessly forwarded attack messages in the network are reduced significantly, the processing of attack messages by the network equipment is correspondingly reduced, the system processing resources of the network equipment occupied by attack messages are reduced, and the system processing efficiency of the network equipment is improved.
The operating principle of the device shown in Fig. 4 is as shown in Fig. 2 and is not repeated here.
In a preferred mode, Fig. 5 shows a preferred implementation structure of the device of Fig. 4. As shown in Fig. 5, this structure comprises: presetting module 46, acquisition module 41, first judgement module 42, binding module 43, construction module 44, sending module 45, second judgement module 47, setting module 48, receiving module 49 and timer 50. The structure and function of the modules already described for Fig. 4 are not repeated;
Presetting module 46, for setting an attack isolation point flag on preselected ports of the network device;
First judgement module 42, specifically for determining that the port receiving the attack message is an attack isolation point when the attack isolation point flag is set on that port, and that it is not an attack isolation point when the flag is not set;
Binding module 43, further for, when first judgement module 42 determines that the port receiving the attack message is an attack isolation point, merging multiple attack messages with the same source address information but different types into a single record, and binding the source address information of the attack message to the port;
Construction module 44, further for setting in the isolation message a duration for which the attack message is to be filtered and isolated;
Receiving module 49, for receiving isolation success messages;
Timer 50, for timing the predetermined period within which receiving module 49 should receive an isolation success message;
Second judgement module 47, connected to acquisition module 41, for determining, from the source Internet Protocol (IP) address in the source address information of the attack message obtained by acquisition module 41, whether the network device itself and the attack source device are in a directly connected subnet;
Setting module 48, connected to construction module 44, second judgement module 47, receiving module 49 and timer 50, for setting the attack message source media access control (MAC) address in the source address information of the isolation message constructed by construction module 44 to zero when second judgement module 47 determines that they are not in a directly connected network segment (after cross-segment forwarding the source MAC seen locally belongs to the previous hop, not to the attacker); and further for adding 'attack isolation point not found' information to the isolation message constructed by construction module 44 when timer 50 expires without receiving module 49 having received an isolation success message;
Sending module 45, specifically for, when second judgement module 47 determines that they are in a directly connected subnet, multicasting the isolation message constructed by construction module 44 to the network device connected to the port receiving the attack message; when they are determined not to be in a directly connected network segment, unicasting the isolation message constructed by construction module 44, or the isolation message whose attack message source MAC address setting module 48 has set to zero, to the network device that is connected to the port receiving the attack message and that forwarded the attack message; and further for multicasting the isolation message to which setting module 48 has added the 'attack isolation point not found' information to the network device connected to the port receiving the attack message.
The working principle of the device shown in Fig. 5 is as shown in Fig. 3 and is not repeated here.
With the device shown in Fig. 5, unnecessary forwarding of attack messages in the network is reduced, network bandwidth utilisation improves and the processing efficiency of the network devices improves; in addition, a confirmation mechanism for whether the attack isolation point succeeded in filtering the attack messages is realised, which improves the effectiveness of attack message isolation.
Fig. 6 shows another flow chart of the method for defending against a network attack according to an embodiment of the invention. As shown in Fig. 6, the flow comprises the following processing.
Step 61: after receiving an isolation message, the network device determines, from the attack message source address information in the isolation message, whether the port on which it receives the attack message indicated in the isolation message is a preset attack isolation point;
Step 62: if the port is an attack isolation point, the attack message source address information and type information in the isolation message are bound to that port;
Step 63: if the port is not an attack isolation point, the received isolation message is sent on to the network device connected to that port.
According to the processing of Fig. 6, when a network device that receives an isolation message determines that the port on which it receives the attack message indicated in the isolation message is an attack isolation point, it binds the source address information and type information of the attack message to that port so that the port filters and isolates the attack messages it receives subsequently. Attack messages sent by a user who has authenticated legitimately can thus be isolated at the port preset as an attack isolation point, which reduces unnecessary forwarding of attack messages across the network, reduces the bandwidth they consume, improves bandwidth utilisation, reduces the processing the network devices spend on attack messages, frees their system processing resources and improves their processing efficiency. This addresses the prior-art problem that attacks launched by legitimate users lead to large numbers of attack messages being forwarded in the network, wasting bandwidth and occupying system processing resources.
Fig. 7 shows a preferred implementation of the method of Fig. 6. As shown in Fig. 7, it comprises the following processing:
Step 71: on a preselected network device, set the attack isolation point flag in advance on the ports that connect to lower-layer network devices;
Step 72: after receiving an isolation message, the network device determines, from the attack message source IP address in the isolation message, whether the port on which it receives the attack message indicated in the isolation message is a preset attack isolation point. Specifically: if the attack isolation point flag is set on that port, the port is an attack isolation point and processing proceeds to step 73; if the flag is not set, the port is not an attack isolation point and processing proceeds to step 75;
Step 73: bind the attack message source address information and type information in the isolation message to the port, so that the port filters the attack messages it receives subsequently. In a preferred mode, multiple attack messages with the same source address information but different types are merged into a single record, and the source address information of the attack message is bound to the port;
In a preferred mode, after receiving an isolation message carrying isolation failure information, the attack message source address information and type information in that isolation message are bound to the port on which the isolation message was received, so that this port filters the attack messages it receives subsequently;
In a preferred mode, after receiving an isolation message carrying 'attack isolation point not found' information, the attack message source address information and type information in that isolation message are bound to the port receiving the attack message, so that this port filters the attack messages indicated in the isolation message, and the isolation message carrying the 'attack isolation point not found' information is broadcast to the network device connected to the port receiving the attack message indicated in the isolation message;
Step 74: after detecting that the port has failed to filter the attack message, add isolation failure information to the isolation message and send the isolation message carrying the isolation failure information to the network device connected to the port on which the isolation message was received; after detecting that the port filtered the attack message successfully, send an isolation success message to the network device indicated by the destination address information of the attack message in the isolation message. Processing ends.
Step 75: send the received isolation message to the network device connected to the port receiving the attack message. Specifically: from the attack message source IP address in the isolation message, determine whether the network device itself and the network device indicated by that source IP address are in a directly connected subnet; if so, proceed to step 76; if not, proceed to step 77;
Step 76: multicast the isolation message to the network device connected to the port receiving the attack message. In a preferred mode, because the network device and the device indicated by the attack message source IP address are in a directly connected subnet, the network device can look up locally the attack message source MAC address corresponding to that source IP address, i.e. the MAC address of the device sending the attack message, add it to the isolation message and multicast the isolation message carrying the attack message source MAC address to the network device connected to the port receiving the attack message. A network device receiving an isolation message that carries the attack message source MAC address can then locate the port receiving the attack message and the source device of the attack more precisely. Processing ends.
Step 77: unicast the isolation message to the network device that is connected to the port receiving the attack message and that forwarded the attack message. Processing ends.
According to the flow of Fig. 7, after receiving an isolation message, when the network device determines that the port on which it receives the attack message is a preset attack isolation point, it binds the source address information and type information of the attack message in the isolation message to that port, so that the isolation point filters and isolates the attack messages it receives subsequently, reducing the attack messages forwarded on the network. When the network device holding the attack isolation point sits at a lower level of the network architecture, more attack messages are filtered and isolated, more unnecessary forwarding is avoided, the processing the network devices spend on attack messages drops accordingly, system processing resources occupied by attack messages are freed, and the processing efficiency of the network devices improves.
In the processing of Fig. 7, deciding whether the attack source device and the network device itself are in a directly connected subnet, and accordingly multicasting or unicasting the isolation message, distinguishes the network relationship between the network device and the attack source device and saves processing resources of the network device and the network system.
The processing of Fig. 7 also applies the confirmation mechanism described above and the remedial mechanism used when isolation fails; these are not repeated here.
To realise the above functions, the method for defending against a network attack in the embodiment of the invention may be implemented in hardware, or by a software program as follows, the network device comprising the following device for defending against a network attack.
Fig. 8 shows a block diagram of the device for defending against a network attack provided by an embodiment of the invention. As shown in Fig. 8, the device comprises: receiving module 81, first judgement module 82, binding module 83 and sending module 84; wherein,
Receiving module 81, for receiving isolation messages;
First judgement module 82, connected to receiving module 81, for determining, from the attack message source address information in the isolation message received by receiving module 81, whether the port on which the network device receives the attack message indicated in the isolation message is a preset attack isolation point;
Binding module 83, connected to receiving module 81 and first judgement module 82, for binding, when first judgement module 82 determines that the port is an attack isolation point, the attack message source address information and type information in the isolation message received by receiving module 81 to that port, so that the port filters the attack messages it receives subsequently;
Sending module 84, connected to receiving module 81 and first judgement module 82, for sending, when first judgement module 82 determines that the port is not an attack isolation point, the isolation message received by receiving module 81 to the network device connected to the port receiving the attack message.
The working principle of the device shown in Fig. 8 is as shown in Fig. 7 and is not repeated here.
With the device shown in Fig. 8, when a network device that receives an isolation message determines that the port on which it receives the attack message indicated in the isolation message is an attack isolation point, it binds the source address information and type information of the attack message to that port so that the port filters and isolates the attack messages it receives subsequently. Attack messages sent by a user who has authenticated legitimately can thus be isolated at the port preset as an attack isolation point, which reduces unnecessary forwarding of attack messages across the network, reduces the bandwidth they consume, improves bandwidth utilisation, reduces the processing the network devices spend on attack messages, frees their system processing resources and improves their processing efficiency. This addresses the prior-art problem that attacks launched by legitimate users lead to large numbers of attack messages being forwarded in the network, wasting bandwidth and occupying system processing resources.
Fig. 9 shows a preferred implementation structure of the device of Fig. 8. As shown in Fig. 9, this structure comprises receiving module 81, first judgement module 82, binding module 83, sending module 84, second judgement module 85, lookup module 86, setting module 87, monitoring module 88 and presetting module 89. The structure and function of the modules already described for Fig. 8 are not repeated;
Presetting module 89, for setting the attack isolation point flag in advance on the ports of a preselected network device that connect to lower-layer network devices;
First judgement module 82, specifically for determining that the port on which the network device receives the attack message indicated in the isolation message is an attack isolation point when the attack isolation point flag is set on it, and that it is not an attack isolation point when the flag is not set;
Second judgement module 85, connected to receiving module 81, for determining, from the attack message source IP address in the isolation message received by receiving module 81, whether the network device itself and the network device indicated by that source IP address are in a directly connected subnet;
Lookup module 86, connected to receiving module 81, for finding, from the attack message source IP address in the isolation message received by receiving module 81, the attack message source MAC address corresponding to that source IP address;
Monitoring module 88, for monitoring whether the port filters the attack messages;
Setting module 87, connected to receiving module 81, first judgement module 82, lookup module 86 and monitoring module 88, for adding the attack message source MAC address found by lookup module 86 to the isolation message received by receiving module 81; and further for adding isolation failure information to the isolation message received by receiving module 81 when first judgement module 82 has determined that the port receiving the attack message is an attack isolation point and monitoring module 88 detects that the port has failed to filter the attack message;
Receiving module 81, further for receiving isolation messages carrying isolation failure information, and isolation messages carrying 'attack isolation point not found' information;
Binding module 83, further connected to receiving module 81, for binding, after receiving module 81 receives an isolation message carrying isolation failure information, the attack message source address information and type information in that isolation message to the port on which it was received, so that this port filters the attack messages it receives subsequently; further for merging, when first judgement module 82 determines that the port receiving the attack message is an attack isolation point, multiple attack messages with the same source address information but different types into a single record and binding the source address information of the attack message to the port; and further for binding, when receiving module 81 receives an isolation message carrying 'attack isolation point not found' information, the attack message source address information and type information in that isolation message to the port receiving the attack message indicated in it, so that this port filters the attack messages it receives subsequently;
Sending module 84, further connected to receiving module 81, second judgement module 85 and monitoring module 88, specifically for multicasting, when second judgement module 85 determines that they are in a directly connected subnet, the isolation message received by receiving module 81 to the network device connected to the port receiving the attack message, and in a preferred mode multicasting the isolation message to which setting module 87 has added the attack message source MAC address; for unicasting, when second judgement module 85 determines that they are not in a directly connected network segment, the isolation message received by receiving module 81 to the network device that is connected to the port receiving the attack message and that forwarded the attack message; for sending, after monitoring module 88 detects that the port filtered the attack message successfully, an isolation success message to the network device indicated by the destination address information of the attack message; and for broadcasting the isolation message carrying 'attack isolation point not found' information received by receiving module 81 to the network device connected to the port receiving the attack message indicated in that isolation message.
The working principle of the device shown in Fig. 9 is as shown in Fig. 7 and is not repeated here.
The device shown in Fig. 9 reduces unnecessary forwarding of attack messages in the network, improves network bandwidth utilisation and improves the processing efficiency of the network devices; it also realises a confirmation mechanism for whether the attack isolation point succeeded in filtering the attack messages, improving the effectiveness of attack message isolation.
An embodiment of the invention also provides a network device comprising the devices for defending against a network attack shown in Fig. 4 and Fig. 8, whose working principles are as shown in Fig. 2 and Fig. 6 respectively and are not repeated here. In a preferred mode, the preferred implementation structure of a network device comprising the devices of Fig. 4 and Fig. 8 may comprise the structures shown in Fig. 5 and Fig. 9, whose working principles are as shown in Fig. 3 and Fig. 7 respectively and are not repeated here.
An embodiment of the invention also provides a system for defending against a network attack, comprising multiple network devices that include the device of Fig. 4 and/or Fig. 8. In a preferred implementation structure, the system comprises multiple network devices that include the device of Fig. 5 and/or Fig. 9. The working principle of the system is as described above and is not repeated here.
A specific application of the embodiment of the invention is described below.
Fig. 10 shows the structure of a system for defending against a network attack in a specific application of the embodiment. As shown in Fig. 10, access switch SW1 connects PC1-PC4 through Port1-Port4, and access switch SW2 connects PC5-PC7 through Port1-Port3. SW1 is connected through Port5 and Port6 to Port1 of aggregation switch SW3 and Port1 of aggregation switch SW4 respectively; SW2 is connected through Port4 to Port1 of aggregation switch SW5; SW3 and SW4 are connected to each other through their Port2; SW3 is connected through Port3 to Port2 of core switch SW8; SW4 is connected through Port3 to Port1 of SW8; SW5 is connected through Port2 to Port1 of core switch SW6; SW6 and core switch SW7 are connected through Port2 on each; SW6 and SW8 are connected through Port3 on each; and SW8 is connected through Port4 to Port1 of SW7. Access control security functions such as 802.1x or web authentication are deployed on access switches SW1 and SW2 to verify the identity of the connecting PCs effectively; the access switches forward only messages sent from PCs with a legitimate IP address and MAC address. In the system of Fig. 10, PC1 has IP address 192.168.3.2/24 and MAC address 00d0.f800.0001; the management IP address of SW1 is 192.168.1.1/24; Port1 of SW3 has IP address 192.168.3.1/24 and its Port3 192.168.8.2/24; Port2 of SW8 has IP address 192.168.8.1/24 and its Port1 192.168.7.2/24; Port1 of SW7 has IP address 192.168.7.1/24; PC5 has IP address 192.168.5.2/24; the management IP address of SW2 is 192.168.2.1/24; and Port1 of SW5 has IP address 192.168.5.1/24.
Scenario one
In the system of Fig. 10, Port1 to Port4 of SW1 are all set in advance as attack isolation points, i.e. the attack isolation point flag is set on each of these four ports.
PC1, having authenticated with a legitimate identity, launches a User Datagram Protocol (UDP) echo ('loopback') attack from its port 1234 against UDP port 7 of SW7. The attack is detected on SW7; the detection method may be NFPP or another application-layer mechanism. After detecting the attack, SW7 defends against the attack messages according to the following steps.
Step 1: SW7 detects that it is under network attack, i.e. its Port1 receives attack protocol data units (PDUs), and obtains the related information of the attack PDU, mainly the source address information and type information of the attack message. As shown in Table 1, the related information of the attack PDU comprises: the source MAC address of the attack message, the attack message type, the attack message source IP, destination IP, the attack message protocol number, source port and destination port. Only Transmission Control Protocol (TCP) or UDP attack messages carry source and destination port numbers, and the related information carries a protocol number only when the attack message is an IPv4 or IPv6 message;
In Table 1 the source MAC is the MAC address corresponding to 192.168.7.2: after cross-segment forwarding, the source MAC has been rewritten to the MAC address of the interface of the previous hop that forwarded the message, so it no longer identifies the attacker;
Table 1
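The extraction rules in Step 1 (ports only for TCP or UDP, a protocol number only for IPv4 or IPv6, source MAC and type for everything) are easy to get wrong on non-IP frames, so the following added example shows them applied to raw Ethernet frames. It is not the patent's code: the frame layouts are the standard ones, the three frames are constructed for the example, and the switch-interface MACs in them (00d0.f800.07xx, 00d0.f800.05xx) are invented placeholders; only PC1's and PC5's MACs and the IP addresses come from the text.

```python
"""Added example (not the patent's code): extracting the Table 1 'attack PDU
related information' from a raw Ethernet frame.  Rules from the text: a protocol
number is recorded only for IPv4/IPv6, source/destination ports only for TCP (6)
or UDP (17); other frames yield source MAC and type alone.  The frames at the
bottom are constructed; the switch-interface MACs in them are invented placeholders."""
import ipaddress
import struct

ETH_IPV4, ETH_IPV6, ETH_ARP = 0x0800, 0x86DD, 0x0806
TCP, UDP = 6, 17


def fmt_mac(raw):
    """Dotted-hex MAC in the notation the patent tables use, e.g. 00d0.f800.0001."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def attack_pdu_info(frame):
    """Return the tuple a detecting device records for an attack PDU (Table 1 columns)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"src_mac": fmt_mac(src), "type": ethertype, "src_ip": None, "dst_ip": None,
            "proto": None, "sport": None, "dport": None}
    payload = frame[14:]
    if ethertype == ETH_IPV4 and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4              # header length in bytes, options included
        info["proto"] = payload[9]
        info["src_ip"] = str(ipaddress.IPv4Address(payload[12:16]))
        info["dst_ip"] = str(ipaddress.IPv4Address(payload[16:20]))
        l4 = payload[ihl:]
    elif ethertype == ETH_IPV6 and len(payload) >= 40:
        info["proto"] = payload[6]                 # Next Header; extension headers not walked
        info["src_ip"] = str(ipaddress.IPv6Address(payload[8:24]))
        info["dst_ip"] = str(ipaddress.IPv6Address(payload[24:40]))
        l4 = payload[40:]
    else:
        return info                                # non-IP (ARP etc.): MAC and type only
    if info["proto"] in (TCP, UDP) and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


def build_ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto, l4):
    """Constructed test frame: Ethernet + 20-byte IPv4 header (checksum left 0) + L4 bytes."""
    def mac(m):
        return bytes.fromhex(m.replace(".", ""))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_IPV4) + ip_hdr + l4


# Scenario one as seen at SW7: UDP from PC1 192.168.3.2:1234 to 192.168.7.1:7.  The source MAC
# is the previous L3 hop's (SW8's 192.168.7.2 interface), not PC1's, which is why the text zeroes it.
UDP_ECHO_FRAME = build_ipv4_frame("00d0.f800.0702", "00d0.f800.0701", "192.168.3.2", "192.168.7.1",
                                  UDP, struct.pack("!HHHH", 1234, 7, 8, 0))
# Scenario two as seen at SW5: ICMP echo request from PC5, directly connected, so its own MAC is visible.
ICMP_FRAME = build_ipv4_frame("00d0.f800.0005", "00d0.f800.0501", "192.168.5.2", "192.168.5.1",
                              1, bytes([8, 0, 0, 0]))
# A broadcast ARP request from PC1: not IP, so neither a protocol number nor ports are recorded.
ARP_FRAME = bytes.fromhex("ffffffffffff" "00d0f8000001") + struct.pack("!H", ETH_ARP) + bytes(28)
```

The ICMP and ARP frames exercise the two caveats Step 1 states: an ICMP attack message gets a protocol number but no ports, and a non-IP frame gets only the source MAC and type, so an isolation message built from it can identify the attacker solely by MAC.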
Step 2: SW7 determines that Port1, which receives the attack PDU, does not have the attack isolation point flag set, and therefore that Port1 is not an attack isolation point;
Step 3: SW7 constructs an isolation PDU containing the related information of the attack PDU obtained in Step 1 (Table 1). As shown in Table 2, the isolation PDU comprises an Ethernet header, an IP header, a TCP header and the related information of the attack message. From the source IP address in the source address information of the attack message and its own IP address, SW7 determines that it and the attack source device are not in a directly connected network segment, sets the attack message source MAC address in the constructed isolation PDU to zero (Table 2), and unicasts the isolation PDU of Table 2 to the network device that is connected to Port1, on which the attack PDU is received, and that forwarded the attack PDU, i.e. SW8.
Table 2
After SW8 receives the isolation PDU of Table 2, it determines that its own Port2, on which it receives the attack PDU, is not a preset attack isolation point and, from the attack message source IP address in the isolation PDU and its own IP address, that SW8 and the attack source device PC1 are not in a directly connected subnet; it therefore unicasts the received isolation PDU of Table 2 to the network device connected to Port2, i.e. SW3.
After SW3 receives the isolation PDU, it determines that its own Port1, on which it receives the attack PDU, is not an attack isolation point and, from the attack message source IP address in the isolation PDU and its own IP address, that SW3 and the attack source device PC1 are in a directly connected subnet. It looks up its MAC address table by the attack message source IP, finds that the MAC address of attack source device PC1 is 00d0.f800.0001, fills this MAC address into the received isolation PDU (Table 3), and multicasts the isolation PDU of Table 3 to the network device connected to Port1, i.e. SW1.
After SW1 receives the isolation message of Table 3, it determines that its own Port1, on which it receives the attack PDU, is an attack isolation point, binds the attack message information carried in Table 3 to Port1, and Port1 filters and isolates the corresponding attack messages it receives subsequently.
After SW1 has successfully filtered and isolated the attack messages, it sends, according to the attack message destination IP in the isolation message, an isolation success message to the network device indicated by that destination IP, i.e. SW7. When SW7 receives this isolation success message within the predetermined time, it confirms that the attack messages have been isolated.
Table 3
If SW7 does not receive an isolation success message within the predetermined time, it adds 'attack isolation point not found' information to the isolation message it constructed (shown in Table 3), for example by setting an 'attack isolation point not found' flag bit, where a value of 1 indicates that no attack isolation point was found in the network (Table 4). The isolation message so modified is multicast to the network device connected to the port receiving the attack message, i.e. SW8. After SW8 receives the isolation message carrying the 'attack isolation point not found' information, it binds the attack message information in the isolation message to Port2, on which it receives the attack message indicated in the isolation message, and multicasts the isolation message to the network device connected to Port2, i.e. SW3; SW3 then performs the same processing as SW8 on receiving it.
In addition, when SW1 cannot filter and isolate the attack PDUs, or fails to filter them, it adds isolation failure information to the isolation message of Table 3, for example by setting an isolation failure flag bit, where a value of 1 indicates that isolation of the attack PDUs failed (Table 5), and sends the isolation message of Table 5 to the network device connected to Port5, on which the isolation message was received, i.e. SW3. When Port1 of SW3 receives the isolation PDU of Table 5 and finds that the isolation failure flag bit is 1, it binds the attack PDU related information in the isolation PDU to Port1, and Port1 of SW3 filters and isolates the corresponding attack PDUs it receives subsequently. Likewise, if SW3 fails to filter the attack PDUs, it sends the isolation PDU of Table 5 through Port3 to SW8, and SW8 filters the attack messages on Port2.
Table 4
Table 5
When any of the above network devices needs to filter and isolate multiple attack messages of different message types from the same attack message source IP address, it can merge them into a single record and filter all messages from that IP address. For example, when SW1 isolates multiple attack messages of different types from PC1 at 192.168.3.2, it merges them into one record and isolates all messages from PC1, so that messages from PC1 do not consume excessive network bandwidth and filtering of the attack messages does not consume excessive system processing resources of SW1.
Through the above processing, Port1 of SW1, as an attack isolation point, isolates the attack messages from PC1 at the edge of the network architecture. Because SW1 is an access-layer device at a low level of the network, the attack messages transmitted in the network are reduced as far as possible, which improves network bandwidth utilisation and the processing efficiency of the network devices.
Scenario two
In the system of Fig. 10, Port1 to Port3 of SW2 are all set in advance as attack isolation points, i.e. the attack isolation point flag is set on each of these three ports.
PC5, with a legitimate identity, launches a high-volume long-ping Internet Control Message Protocol (ICMP) attack against SW5. After Port1 of SW5 receives this attack, SW5 obtains the related information of the attack message shown in Table 6, comprising the attacker's message source MAC, the attack message type, the attack message source IP, the attack message destination IP and the protocol number.
Table 6
Attacker message source MAC | Attack message type | Attack message source IP | Attack message destination IP | Protocol number
00d0.f800.0005 | 0x0800 | 192.168.5.2 | 192.168.5.1 | 1 (ICMP)
SW5 judges that port 1 is not a preset attack isolation point, and further judges, from its own IP address and the attack message source IP address, that SW5 and PC5 are in a directly connected subnet. It builds the isolation message shown in Table 7, which carries the attack message information of Table 6, and multicasts the isolation message of Table 7 to the network device connected to port 1, i.e. SW2.
Table 7
After SW2 receives the isolation message of Table 7, it judges that port 1, the port on which it receives the attack message identified in this isolation message, is an attack isolation point, so it binds the attack message information in this isolation message to port 1, and port 1 then filters and isolates the matching attack messages it subsequently receives.
The confirmation processing performed by SW2 after it filters and isolates successfully, the processing on isolation failure, and the handling of multiple types of attack messages from the same IP address are similar to the description in scenario one above and are not repeated here.
Through the above process, port 1 of SW2, serving as the attack isolation point, isolates the attack messages from PC5 at the edge of the network architecture. Because SW1 is an access-layer device located at a low network layer, this reduces the attack messages transmitted in the network as far as possible, improves the utilization of network bandwidth and improves the processing efficiency of the network devices.
In summary, the network attack defence scheme provided by the embodiments of the present invention applies an isolation mechanism in which all network devices cooperate and identify attacks together, so that attack messages are isolated outside the attack isolation points. When the attack isolation points are located at a low network layer, the useless attack messages present in the network are greatly reduced, the utilization of network bandwidth is improved, the utilization of network device system processing resources is improved, and the stability of the whole network and the transmission efficiency of service streams are improved; the confirmation mechanism and the remedial mechanism after isolation failure improve the effectiveness of attack message isolation.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these amendments and modifications of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these changes and modifications.
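The hop-by-hop flow described in the two scenarios (isolation message forwarded toward the attack source, binding at the isolation point, failure report to the upstream hop, success confirmation to the attacked device, and merging of several message types from one source IP) as an added simulation; this is not code from the patent or its assignee. Switch names, port numbers, MAC addresses, SW8's management address, the MAC tables and the sequence of events are constructed, and only the directly connected (multicast, L2) case is modelled.

```python
# Added example (not the patent's or its assignee's code) of the hop-by-hop isolation
# scheme above. Names, ports, MACs, SW8's address and the event flow are constructed;
# only the directly connected (L2) case is modelled, so each hop finds the attack's
# ingress port through its MAC table.
from dataclasses import dataclass, replace
DEVICES = {}  # management IP -> Switch, used to deliver isolation-success messages

@dataclass(frozen=True)
class AttackInfo:  # the fields of Table 6
    src_mac: str
    msg_type: int  # Ethernet type of the attack message, e.g. 0x0800
    src_ip: str
    dst_ip: str
    proto: int

@dataclass(frozen=True)
class IsolationMsg:
    info: AttackInfo
    isolation_failed: bool = False  # the flag bit of Table 5

class Switch:
    def __init__(self, name, isolation_points=(), ip=None, filter_ok=True):
        self.name = name
        self.isolation_points = set(isolation_points)
        self.filter_ok = filter_ok  # simulated outcome of filtering on this device
        self.links = {}  # port -> (peer switch, peer port)
        self.mac_table = {}  # learned source MAC -> ingress port
        self.bindings = {}  # port -> {src_ip: set of types, or None for all types}
        self.success_from = []  # devices that confirmed isolation to this victim
        if ip:
            DEVICES[ip] = self

    def bind(self, port, info):
        # a second type from the same source IP merges into one record (None = all)
        recs = self.bindings.setdefault(port, {})
        prev = recs.get(info.src_ip)
        if info.src_ip in recs and (prev is None or info.msg_type not in prev):
            recs[info.src_ip] = None
        else:
            recs[info.src_ip] = (prev or set()) | {info.msg_type}

    def drops(self, port, src_ip, msg_type):  # is this frame filtered on `port`?
        recs = self.bindings.get(port, {})
        if src_ip not in recs:
            return False
        return recs[src_ip] is None or msg_type in recs[src_ip]

    def _filter_here(self, port, info):
        self.bind(port, info)
        if self.filter_ok:  # claim 19: confirm success to the attack's destination
            DEVICES[info.dst_ip].success_from.append(self.name)
        return self.filter_ok

    def on_attack_detected(self, info):  # claim 1: the attacked device starts it
        port = self.mac_table[info.src_mac]
        return self._isolate_or_forward(port, IsolationMsg(info), via=None)

    def on_isolation_message(self, in_port, msg):  # claim 13: from the downstream hop
        if msg.isolation_failed:  # claim 5: bind on the port the report came in on
            self._filter_here(in_port, msg.info)
            return self.name
        port = self.mac_table[msg.info.src_mac]
        return self._isolate_or_forward(port, msg, via=in_port)

    def _isolate_or_forward(self, port, msg, via):
        if port in self.isolation_points:
            if self._filter_here(port, msg.info):
                return self.name
            if via is None:
                return None
            up, up_port = self.links[via]  # claim 16: report the failure upstream
            return up.on_isolation_message(up_port, replace(msg, isolation_failed=True))
        if port not in self.links:
            return None  # edge port that is no isolation point: nothing binds
        peer, peer_port = self.links[port]
        return peer.on_isolation_message(peer_port, msg)

def scenario():
    """PC1 -> SW1 (port 1 is the isolation point but cannot filter) -> SW3 -> SW8."""
    DEVICES.clear()
    sw1 = Switch("SW1", isolation_points={1}, filter_ok=False)
    sw3, sw8 = Switch("SW3"), Switch("SW8", ip="10.0.0.8")  # SW8: constructed victim
    sw1.links[5], sw3.links[1] = (sw3, 1), (sw1, 5)
    sw3.links[3], sw8.links[2] = (sw8, 2), (sw3, 3)
    pc1 = "00d0.f800.0001"  # constructed MAC of PC1
    sw1.mac_table[pc1], sw3.mac_table[pc1], sw8.mac_table[pc1] = 1, 1, 2
    ipv4 = AttackInfo(pc1, 0x0800, "192.168.3.2", "10.0.0.8", 1)
    bound_at = sw8.on_attack_detected(ipv4)
    before_merge = sw3.drops(1, "192.168.3.2", 0x86DD)
    sw8.on_attack_detected(replace(ipv4, msg_type=0x0806, proto=0))  # a second type
    return {"bound_at": bound_at, "confirmed": sw8.success_from,
            "sw1_ports": list(sw1.bindings), "sw3_ports": list(sw3.bindings),
            "before_merge": before_merge, "after_merge": sw3.drops(1, "192.168.3.2", 0x86DD),
            "other_host": sw3.drops(1, "192.168.3.9", 0x0800)}
```

Running `scenario()` shows SW1 binding and failing, SW3 binding on the port the failure report arrived on and confirming to SW8, and the second message type collapsing SW3's record into one that drops everything from 192.168.3.2 while leaving other hosts untouched.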

Claims (27)

1. A method for defending against a network attack, characterized in that it comprises:
after a network device detects that it is under a network attack, obtaining source address information and type information of the attack message;
judging whether the port that receives this attack message is a preset attack isolation point, the attack isolation point being a port on the network device that receives attack messages;
when this port is judged to be an attack isolation point, binding the obtained source address information and type information of the attack message to this port;
when this port is judged not to be an attack isolation point, building an isolation message comprising the obtained source address information and type information of the attack message, and sending the built isolation message to the network device connected to this port.
2. The method according to claim 1, characterized in that the source address information of the attack message comprises the source Internet Protocol (IP) address information of the attack message;
and sending the built isolation message to the network device connected to this port specifically comprises:
judging, according to the source IP address information of the attack message, whether the network device and the source attacking device are in a directly connected subnet; when they are judged to be in a directly connected subnet, multicasting this isolation message to the network device connected to the port; and when they are judged to be in an indirectly connected network segment, unicasting this isolation message to the network device that is connected to the port and forwards the attack message.
3. The method according to claim 2, characterized in that the source address information of the attack message further comprises the source media access control (MAC) address information of the attack message;
and, when they are judged to be in an indirectly connected network segment, unicasting this isolation message to the network device that is connected to the port and forwards the attack message specifically comprises:
setting the attack message source MAC address information in this isolation message to zero, and unicasting the isolation message thus set to the network device that is connected to the port and forwards the attack message.
4. The method according to claim 1, characterized in that the method further comprises:
when no isolation success message is received within a predetermined time, adding to the built isolation message information indicating that no attack isolation point could be found, and multicasting the isolation message with the added information to the network device connected to the port that receives the attack message.
5. The method according to claim 1, characterized in that the method further comprises:
after receiving an isolation message carrying isolation failure information, binding the attack message source address information and type information in the isolation message to the port that receives the isolation message carrying the isolation failure information.
6. The method according to claim 1, characterized in that the method further comprises:
when the port that receives the attack message is an attack isolation point and there are multiple attack messages with the same source address information but different types, binding the source address information of the attack messages to this port.
7. An apparatus for defending against a network attack, characterized in that it comprises:
an acquisition module, for obtaining source address information and type information of the attack message after the network device detects that it is under attack;
a first judging module, for judging whether the port that receives this attack message is preset as an attack isolation point, the attack isolation point being a port on the network device that receives attack messages;
a binding module, for binding the source address information and type information of the attack message obtained by the acquisition module to this port when the first judging module judges that this port is an attack isolation point;
a building module, for building an isolation message comprising the source address information and type information of the attack message obtained by the acquisition module when the first judging module judges that this port is not an attack isolation point;
a sending module, for sending the isolation message built by the building module to the network device connected to this port.
8. The apparatus according to claim 7, characterized in that the apparatus further comprises:
a second judging module, for judging, according to the source Internet Protocol (IP) address information in the source address information of the attack message obtained by the acquisition module, whether the network device and the source attacking device are in a directly connected subnet;
the sending module being specifically for multicasting this isolation message to the network device connected to the port when the second judging module judges that they are in a directly connected subnet, and for unicasting this isolation message to the network device that is connected to the port and forwards the attack message when they are judged to be in an indirectly connected network segment.
9. The apparatus according to claim 8, characterized in that the apparatus further comprises:
a setting module, for setting the source media access control (MAC) address information in the attack message source address information of the isolation message built by the building module to zero when the second judging module judges that they are in an indirectly connected network segment;
the sending module being specifically for unicasting the isolation message set by the setting module to the network device that is connected to the port and forwards the attack message.
10. The apparatus according to claim 7, characterized in that the apparatus further comprises:
a receiving module, for receiving an isolation success message;
a timer, for timing the predetermined duration within which the receiving module should receive the isolation success message;
a setting module, for adding to the isolation message built by the building module information indicating that no attack isolation point could be found when the receiving module has not received an isolation success message by the time the timer expires;
the sending module being further for multicasting the isolation message with the information added by the setting module to the network device connected to the port that receives the attack message.
11. The apparatus according to claim 7, characterized in that the apparatus further comprises:
a receiving module, for receiving an isolation message carrying isolation failure information;
the binding module being further for binding, after the receiving module receives an isolation message carrying isolation failure information, the attack message source address information and type information in this isolation message to the port that receives the isolation message carrying the isolation failure information.
12. The apparatus according to claim 7, characterized in that the binding module is further for binding the source address information of the attack messages to this port when the first judging module judges that the port that receives the attack message is an attack isolation point and there are multiple attack messages with the same source address information but different types.
13. A method for defending against a network attack, characterized in that it comprises:
after a network device receives an isolation message, judging, according to the attack message source address information in this isolation message, whether the port on which the network device receives the attack message indicated in this isolation message is a preset attack isolation point, the attack isolation point being a port on the network device that receives attack messages;
when this port is judged to be an attack isolation point, binding the attack message source address information and type information in this isolation message to this port;
when this port is judged not to be an attack isolation point, sending the received isolation message to the network device connected to this port.
14. The method according to claim 13, characterized in that the source address information of the attack message comprises the source Internet Protocol (IP) address information of the attack message;
and, when this port is judged not to be an attack isolation point, sending the received isolation message to the network device connected to the port that receives the attack message specifically comprises:
judging, according to the attack message source IP address information in the isolation message, whether the network device and the network device indicated by this attack message source IP address information are in a directly connected subnet; when they are judged to be in a directly connected subnet, multicasting this isolation message to the network device connected to the port that receives the attack message; and when they are judged to be in an indirectly connected network segment, unicasting this isolation message to the network device that is connected to the port that receives the attack message and forwards the attack message.
15. The method according to claim 14, characterized in that, when they are judged to be in a directly connected subnet, multicasting this isolation message to the network device connected to the port that receives the attack message specifically comprises:
finding, according to the source IP address information of the attack message, the source media access control (MAC) address information of the attack message corresponding to this source IP address information, adding this source MAC address information to the isolation message, and multicasting the isolation message carrying the attack message source MAC address information to the network device connected to the port that receives the attack message.
16. The method according to claim 13, characterized in that the method further comprises:
when the port that receives the attack message is an attack isolation point, after it is detected that this port has failed to filter the attack message, adding isolation failure information to the isolation message, and sending the isolation message with the added isolation failure information to the network device connected to the port that receives the isolation message;
after the network device receives an isolation message carrying isolation failure information, binding the attack message source address information and type information in the isolation message to the port that receives the isolation message carrying the isolation failure information.
17. The method according to claim 13, characterized in that the method further comprises:
when the port that receives the attack message is an attack isolation point, merging multiple attack messages with the same source address information but different types into one record and binding it to this port.
18. The method according to claim 13, characterized in that the method further comprises:
after receiving an isolation message carrying information that no attack isolation point could be found, binding the attack message source address information and type information in this isolation message to the port that receives the attack message indicated in this isolation message, and multicasting the received isolation message to the network device connected to the port that receives the attack message indicated in this isolation message.
19. The method according to claim 13, characterized in that the isolation message further comprises destination address information of the attack message;
and the method further comprises:
after it is detected that the port has filtered the attack message successfully, sending an isolation success message to the network device indicated by the destination address information of the attack message.
20. An apparatus for defending against a network attack, characterized in that it comprises:
a receiving module, for receiving an isolation message;
a first judging module, for judging, according to the attack message source address information in the isolation message received by the receiving module, whether the port on which the network device receives the attack message indicated by this isolation message is a preset attack isolation point, the attack isolation point being a port on the network device that receives attack messages;
a binding module, for binding the attack message source address information and type information in the isolation message received by the receiving module to this port when the first judging module judges that this port is an attack isolation point;
a sending module, for sending the isolation message received by the receiving module to the network device connected to the port that receives the attack message when the first judging module judges that this port is not an attack isolation point.
21. The apparatus according to claim 20, characterized in that the apparatus further comprises:
a second judging module, for judging, according to the attack message source Internet Protocol (IP) address information in the isolation message received by the receiving module, whether the network device and the network device indicated by this attack message source IP address information are in a directly connected subnet;
the sending module being specifically for multicasting the isolation message received by the receiving module to the network device connected to the port that receives the attack message when the second judging module judges that they are in a directly connected subnet, and for unicasting the isolation message received by the receiving module to the network device that is connected to the port that receives the attack message and forwards the attack message when the second judging module judges that they are in an indirectly connected network segment.
22. The apparatus according to claim 21, characterized in that the apparatus further comprises:
a lookup module, for finding, according to the source IP address information of the attack message in the isolation message received by the receiving module, the source media access control (MAC) address information of the attack message corresponding to this source IP address information;
a setting module, for adding the attack message source MAC address information found by the lookup module to the isolation message received by the receiving module;
the sending module being specifically for multicasting the isolation message to which the setting module has added the attack message source MAC address information to the network device connected to the port that receives the attack message.
23. The apparatus according to claim 20, characterized in that the apparatus further comprises:
a monitoring module, for monitoring how the port filters the attack message;
a setting module, for adding isolation failure information to the isolation message received by the receiving module when the first judging module judges that the port that receives the attack message is an attack isolation point and the monitoring module detects that this port has failed to filter the attack message;
the sending module being further for sending the isolation message to which the setting module has added the isolation failure information to the network device connected to the port that receives the isolation message;
the receiving module being further for receiving an isolation message carrying isolation failure information;
the binding module being further for binding, after the receiving module receives an isolation message carrying isolation failure information, the attack message source address information and type information in this isolation message to the port that receives the isolation message carrying the isolation failure information.
24. The apparatus according to claim 20, characterized in that the binding module is further for binding the source address information of the attack messages to this port when the first judging module judges that the port that receives the attack message is an attack isolation point and there are multiple attack messages with the same source address information but different types.
25. The apparatus according to claim 20, characterized in that the receiving module is further for receiving an isolation message carrying information that no attack isolation point could be found;
the binding module being further for binding the attack message source address information and type information in this isolation message received by the receiving module to the port that receives the attack message indicated in this isolation message;
the sending module being further for multicasting this isolation message received by the receiving module to the network device connected to the port that receives the attack message indicated in this isolation message.
26. The apparatus according to claim 20, characterized in that the apparatus further comprises:
a monitoring module, for monitoring how the port filters the attack message;
the sending module being further for sending an isolation success message to the network device indicated by the destination address information of the attack message after the monitoring module detects that the port has filtered the attack message successfully.
27. A network device, characterized in that it comprises the apparatus for defending against a network attack according to any one of claims 7 to 12 and/or the apparatus for defending against a network attack according to any one of claims 20 to 26.
CN201210062417.1A 2012-03-09 2012-03-09 Method and device for defending network attack and network equipment Active CN102594834B (en)


Publications (2)

Publication Number Publication Date
CN102594834A (en) 2012-07-18
CN102594834B (en) 2014-09-10
