CN102833268B - Method, equipment and system for resisting wireless network flooding attack - Google Patents


Info

Publication number
CN102833268B
Authority
CN (China)
Prior art keywords
sta, access, target url, mark, url
Legal status
Active
Application number
CN201210344628.4A
Other languages
Chinese (zh)
Other versions
CN102833268A
Inventors
陈小龙
李子泽
Current Assignee
Ruijie Networks Co Ltd
Original Assignee
Fujian Star Net Communication Co Ltd

Events
Application filed by Fujian Star Net Communication Co Ltd
Priority to CN201210344628.4A
Publication of CN102833268A
Application granted
Publication of CN102833268B
Legal status: Active
Anticipated expiration

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02A: TECHNOLOGIES FOR ADAPTATION TO CLIMATE CHANGE
    • Y02A30/00: Adapting or protecting infrastructure or their operation

Abstract

The embodiments of the invention provide a method, equipment and system for resisting a wireless network flooding attack. The method comprises the following steps: a first access point (AP) obtains the total number of times a wireless station (STA) accesses a target web page address (uniform resource locator, URL) within a first period, and records the ratio of that total number of accesses to the length of the period; if the ratio is greater than a preset threshold, the first AP refuses the STA access to the target URL and sends a policy execution request message containing the identifier of the STA and the target URL to an access controller (AC); the AC then sends an access-denied message containing the STA identifier and the target URL to at least one second AP, and the at least one second AP refuses the STA access to the target URL. According to the embodiments of the invention, the security and reliability of the access equipment of the whole network can be improved.

Description

Method, equipment and system for resisting wireless network flooding attacks
Technical field
The embodiments of the present invention relate to communication technology, and in particular to a method, equipment and system for resisting wireless network flooding attacks.
Background technology
A WLAN (wireless local area network) is the product of combining computer networking with wireless communication technology; it lets users access the network anywhere and at any time, and thus make convenient use of network resources.
In a WLAN, flood forwarding of wireless network messages directly affects the performance and security of the wireless network. Prior-art detection of flooding attacks consists mainly of monitoring and counting the traffic of a mobile wireless terminal: when the terminal's message traffic exceeds a predetermined threshold, the terminal is added to a blacklist and the messages it sends are discarded.
With the prior-art flow-detection approach to resisting flooding attacks, the wireless access equipment of the whole network cannot stop the source of the flooding attack, and at the same time legitimate messages are also discarded, so the security and reliability of the wireless access equipment of the whole network is low.
Summary of the invention
The embodiments of the present invention provide a method, equipment and system for resisting wireless network flooding attacks, so as to improve the security and reliability of the wireless access equipment of the whole network.
In one aspect, the embodiments of the present invention provide a method for resisting wireless network flooding attacks, comprising:
a first wireless access point (AP) obtains the total number of times a wireless station (STA) accesses a target web page address (URL) within a first period, and records the ratio of the total number of accesses to the length of the first period;
if the ratio is greater than a predetermined threshold, the first AP refuses the STA access to the target URL and sends to a wireless access controller (AC) a policy execution request message containing the identifier of the STA and the target URL, so that the AC sends an access-denied message containing the identifier of the STA and the target URL to at least one second AP, and the at least one second AP refuses the STA access to the target URL.
The embodiments of the present invention also provide another method for resisting wireless network flooding attacks, comprising:
a wireless access controller (AC) receives a policy execution request message, sent by a first wireless access point (AP), carrying the identifier of a wireless station (STA) and a target web page address (URL);
the AC generates, according to the policy execution request message, an access-denied message carrying the identifier of the STA and the target URL, and sends the access-denied message to at least one second AP, so that the at least one second AP refuses the STA access to the target URL.
In another aspect, the embodiments of the present invention provide a wireless access point, comprising:
an acquisition module, for obtaining the total number of times a wireless station (STA) accesses a target web page address (URL) within a first period, and recording the ratio of the total number of accesses to the length of the first period;
a policy enforcement module, for refusing the STA access to the target URL if the ratio is greater than a predetermined threshold, and sending to a wireless access controller (AC) a policy execution request message containing the identifier of the STA and the target URL, so that the AC sends an access-denied message containing the identifier of the STA and the target URL to at least one other AP, and the at least one other AP refuses the STA access to the target URL.
The embodiments of the present invention also provide a wireless access controller, comprising:
a receiving module, for receiving a policy execution request message, sent by a wireless access point (AP), carrying the identifier of a wireless station (STA) and a target web page address (URL);
a notification execution module, for generating, according to the policy execution request message, an access-denied message carrying the identifier of the STA and the target URL, and sending the access-denied message to at least one other AP, so that the at least one other AP refuses the STA access to the target URL.
In yet another aspect, the embodiments of the present invention also provide a system for resisting wireless network flooding attacks, comprising any of the above wireless access points and any of the above wireless access controllers.
In the method, equipment and system for resisting wireless network flooding attacks provided by the embodiments of the present invention, the first wireless access point (AP) obtains the total number of times a wireless station (STA) accesses a target web page address (URL) within a first period and records the ratio of the total number of accesses to the period length, which gives the average frequency at which the STA accesses the target URL per unit of time. When the ratio is greater than the predetermined threshold, the first AP refuses the STA access to the target URL but does not refuse the STA access to other URLs. The first AP sends to the AC a policy execution request message containing the identifier of the STA and the target URL, so that the AC sends an access-denied message containing the identifier of the STA and the target URL to at least one second AP, and the at least one second AP refuses the STA access to the target URL. The source of the flooding attack is thus identified network-wide and its flooding access is refused, which improves the security and reliability of the wireless access equipment of the whole network.
Brief description of the drawings
In order to illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of embodiment one of the method for resisting wireless network flooding attacks according to the present invention;
Fig. 2 is a flow chart of embodiment two of the method for resisting wireless network flooding attacks according to the present invention;
Fig. 3 is a flow chart of embodiment three of the method for resisting wireless network flooding attacks according to the present invention;
Fig. 4 is a schematic structural diagram of embodiment one of the wireless access point according to the present invention;
Fig. 5 is a schematic structural diagram of embodiment two of the wireless access point according to the present invention;
Fig. 6 is a schematic structural diagram of embodiment three of the wireless access point according to the present invention;
Fig. 7 is a schematic structural diagram of embodiment one of the wireless access controller according to the present invention;
Fig. 8 is a schematic structural diagram of embodiment two of the wireless access controller according to the present invention;
Fig. 9 is a schematic structural diagram of embodiment one of the system for resisting wireless network flooding attacks according to the present invention;
Figure 10 is a schematic structural diagram of embodiment two of the system for resisting wireless network flooding attacks according to the present invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The technical solution of the present invention can be applied in a wireless local area network (WLAN). WLAN technology is based on the IEEE 802.11 medium access control standard, which defines the air interface specification between a wireless station (STA) and a wireless access point (AP). A STA is a client of the wireless network, for example a computer containing an 802.11 wireless network interface card. An AP is similar to a base station in a wireless network: it creates a basic service set and bridges a large number of STAs from the wireless network to other existing networks. STAs and APs communicate over a public wireless channel.
A wireless access controller (AC) is a network device that forms the core of a wireless network and is responsible for managing the APs in it, including delivering configuration, modifying configuration parameters, radio-frequency intelligent management and so on. Current Wi-Fi network coverage mostly adopts the AC+AP mode, in which a wireless network has one AC and multiple APs, which favours centralized management of the wireless network.
Fig. 1 is a flow chart of embodiment one of the method for resisting wireless network flooding attacks according to the present invention. As shown in Fig. 1, the method flow of this embodiment may comprise:
Step 101: a first AP obtains the total number of times a STA accesses a target web page address (Uniform Resource Locator, URL) within a first period, and records the ratio of the total number of accesses to the length of the first period;
Each web page on the Internet has a unique name identifying it, usually called a web (Web) address and commonly known as a "URL". After a wireless station STA associates with the first AP, the first AP obtains the total number of times the STA accesses the target URL within the first period and records the ratio of the total number of accesses to the period length. For example, if the length of the first period is T and the total number of accesses is Ci, the ratio K is Ci/T, that is, the average frequency at which the STA accesses the target URL per unit of time. The length of the first period can be set according to actual needs and is not specifically limited here.
Step 102: if the ratio is greater than the predetermined threshold, the first AP refuses the STA access to the target URL and sends to the wireless access controller AC a policy execution request message containing the identifier of the STA and the target URL, so that the AC sends an access-denied message containing the identifier of the STA and the target URL to at least one second AP, and the at least one second AP refuses the STA access to the target URL. The at least one second AP may specifically be all APs in the whole network other than the first AP, or only some of the second APs.
If the ratio K in step 102 is greater than the predetermined threshold, the first AP refuses the STA access to the target URL and sends to the wireless access controller AC a policy execution request message containing the identifier of the STA and the target URL. Sending this message to the AC covers two situations: when the first AP is in the running state, it encapsulates the identifier of the STA and the target URL in a Request message as the policy execution request message; when the first AP is joining the AC, it encapsulates them in a Discover message as the policy execution request message. The identifier of the STA may be the MAC address of the STA, or its IP address, etc.; the policy execution request message contains the identifier of the STA and the target URL accessed by that STA. After the AC receives the policy execution request message, it may send the first AP a response message acknowledging receipt; if the first AP's wait times out without receiving the AC's response, it sends the policy execution request message to the AC again. If the ratio K in step 102 is less than the predetermined threshold, the first AP enters the next period and starts counting accesses anew.
In the method for resisting wireless network flooding attacks provided by the embodiments of the present invention, the first wireless access point AP obtains the total number of times the wireless station STA accesses the target web page address URL within the first period and records the ratio of the total number of accesses to the period length, which gives the average frequency at which the STA accesses the target URL per unit of time. When the ratio is greater than the predetermined threshold, the first AP refuses the STA access to the target URL but does not refuse the STA access to other URLs. The first AP sends to the AC a policy execution request message containing the identifier of the STA and the target URL, so that the AC sends an access-denied message containing the identifier of the STA and the target URL to at least one second AP, and the at least one second AP refuses the STA access to the target URL. The source of the flooding attack is thus identified network-wide and its flooding access is refused, which improves the security and reliability of the wireless access equipment of the whole network.
Fig. 2 is a flow chart of embodiment two of the method for resisting wireless network flooding attacks according to the present invention. As shown in Fig. 2, before the first AP obtains the total number of times the STA accesses the target URL within the first period, the method further comprises:
Step 201: when the STA associates with the first AP, the first AP records the identifier of the STA, initializes a statistics record table and starts a timer;
Step 202: the first AP judges whether the timer has expired; if not, step 204 is performed; if so, step 203 is performed;
Step 203: if the timer has expired, the first AP records the total number of times the STA accessed the target URL in the statistics record table;
Step 204: if the timer has not expired, the first AP receives at least one hypertext transfer protocol (HTTP) request message sent by the STA, decapsulates it, and obtains the target URL corresponding to the identifier of the STA;
Step 205: judge whether the at least one HTTP request message belongs to the target URL; if so, perform step 206; if not, return to step 202;
Step 206: the number of times the STA accessed the target URL is increased by 1, and the flow returns to step 202.
In a specific implementation, in step 201, when the STA associates with the first AP, the first AP records the identifier of the STA and initializes the statistics record table. The statistics record table holds the identifier of the STA, the target URL, the statistical count and so on.
In step 202, the first AP judges whether the timer has expired; the duration of the timer is the length of the first period. If the timer has expired, the first AP records the total number of times the STA accessed the target URL and starts timing the next period.
If the timer has not expired, the flow enters step 204: the first AP receives one or more hypertext transfer protocol (HTTP) request messages sent by the STA, decapsulates them, and obtains the target URL corresponding to the identifier of the STA.
In step 205, it is judged whether the one or more HTTP messages of step 204 belong to the target URL. If so, step 206 is entered: the number of times the STA accessed the target URL is increased by 1, the message is forwarded, and the flow returns to step 202. If not, the flow likewise returns to step 202. The above steps are repeated in a loop until the timer expires.
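As an added illustration (not code from the patent or its assignees), the following Python simulates the first AP's behaviour of Figs. 1 and 2: the statistics record table of step 201, the per-period count of HTTP requests to the target URL, the ratio K = Ci/T checked against the threshold when the timer expires, the local lock for a preset time, and the deny and release requests queued for the AC. The period T, threshold, preset time, URL, MAC addresses, class and method names are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed parameters: period length T, threshold on K = Ci/T, preset lock time
T_SECONDS = 10.0
THRESHOLD = 5.0            # accesses per second to the target URL
PRESET_LOCK = 60.0         # seconds for which the STA is refused the target URL
TARGET_URL = "http://example.test/login"   # constructed target URL


@dataclass
class PolicyRequest:
    """What the first AP sends the AC: kind is 'deny' (step 102) or
    'release' (after the preset time); the identifier is the STA MAC address."""
    kind: str
    sta_mac: str
    target_url: str
    preset_time: float


@dataclass
class StatRecord:
    """One row of the statistics record table of step 201: STA identifier,
    target URL, access count for the current period and period start time."""
    sta_mac: str
    target_url: str
    count: int = 0
    period_start: float = 0.0


class FirstAP:
    """AP-side logic of Figs. 1 and 2 for a single target URL."""

    def __init__(self, target_url: str = TARGET_URL, period: float = T_SECONDS,
                 threshold: float = THRESHOLD, preset_time: float = PRESET_LOCK):
        self.target_url = target_url
        self.period = period
        self.threshold = threshold
        self.preset_time = preset_time
        self.table: Dict[str, StatRecord] = {}     # statistics record table
        self.lock_until: Dict[str, float] = {}     # STA MAC -> lock expiry time
        self.outbox: List[PolicyRequest] = []      # messages queued for the AC

    def associate(self, sta_mac: str, now: float) -> None:
        """Step 201: record the STA, initialise its row and start the timer."""
        self.table[sta_mac] = StatRecord(sta_mac, self.target_url, 0, now)

    def _check_timer(self, rec: StatRecord, now: float) -> None:
        """Steps 202/203 plus the decision of step 102: when the timer has
        expired, compute K = Ci/T; if K exceeds the threshold, lock the STA
        out of the target URL and queue a policy execution request; then
        reset the count and time the next period."""
        while now - rec.period_start >= self.period:
            k = rec.count / self.period
            if k > self.threshold and rec.sta_mac not in self.lock_until:
                self.lock_until[rec.sta_mac] = now + self.preset_time
                self.outbox.append(PolicyRequest(
                    "deny", rec.sta_mac, self.target_url, self.preset_time))
            rec.count = 0
            rec.period_start += self.period

    def _is_locked(self, sta_mac: str, now: float) -> bool:
        """True while the preset time is running; once it has elapsed the
        lock is dropped and a release request is queued for the AC."""
        expiry = self.lock_until.get(sta_mac)
        if expiry is None:
            return False
        if now < expiry:
            return True
        del self.lock_until[sta_mac]
        self.outbox.append(PolicyRequest(
            "release", sta_mac, self.target_url, self.preset_time))
        return False

    def expire_locks(self, now: float) -> List[str]:
        """Timer hook: release every lock whose preset time has elapsed."""
        return [mac for mac in list(self.lock_until) if not self._is_locked(mac, now)]

    def on_http_request(self, sta_mac: str, url: str, now: float) -> str:
        """Steps 204 to 206 for one decapsulated HTTP request. Returns
        'forward' (counted and forwarded), 'deny' (target URL while locked)
        or 'forward-other' (a URL other than the target, which is never refused)."""
        rec = self.table.get(sta_mac)
        if rec is None:
            return "forward-other"         # unknown STA: nothing to count
        self._check_timer(rec, now)
        if url != self.target_url:
            return "forward-other"
        if self._is_locked(sta_mac, now):
            return "deny"
        rec.count += 1                     # step 206
        return "forward"
```

Requests to URLs other than the target are passed through unchanged even while the STA is locked, which is the behaviour the text contrasts with the prior-art blacklist.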
In the method for resisting wireless network flooding attacks provided by the embodiments of the present invention, recording the total number of times the STA accesses the target URL within the period yields the number of times a specific STA accesses a specific web page address, which gives the first AP reliable data for identifying the concrete attack source and the target URL it accesses.
Optionally, the first AP refusing the STA access to the target URL comprises: refusing the STA access to the target URL for a preset time;
and the policy execution request message further contains information on the preset time, so that the at least one second AP refuses the STA access to the target URL for the preset time.
Specifically, when the ratio of the total number of accesses to the period length exceeds the threshold, the first AP can lock the STA's access to the target URL for a preset time, during which the STA is forbidden from accessing the target URL. The lock duration is the length of the preset time, which can be set according to actual needs; the present invention does not specifically limit it.
The first AP sends to the AC the policy execution request message containing the preset-time information, that is, the message contains the identifier of the STA, the target URL and the preset time; the AC sends the access-denied message to the at least one second AP, so that the at least one second AP also refuses access to the target URL by the STA whose ratio of total accesses to period length exceeded the threshold.
Meanwhile, as long as the first AP has not sent a release policy execution request message to the AC within the preset time, all second APs attached to the AC continue to refuse the STA access to the target URL.
In the method for resisting wireless network flooding attacks provided by the embodiments of the present invention, within the preset time all APs of the whole network can resist the wireless network flooding attack from the STA and, while doing so, refuse only the STA's access to the target URL without refusing its access to other URLs.
On the basis of method embodiments one and two for resisting wireless network flooding attacks according to the present invention, after the first AP refuses the STA access to the URL and sends the wireless access controller AC the policy execution request message containing the identifier of the STA and the target URL, the method further comprises:
after the preset time, the first AP allows the STA access to the target URL and sends to the AC a release policy execution request message containing the identifier of the STA and the target URL, so that the AC sends an access-allowed message containing the identifier of the STA and the target URL to the at least one second AP, and the at least one second AP allows the STA access to the target URL.
At the same time as the first AP allows the STA access to the target URL, it sends the AC the release policy execution request message containing the identifier of the STA and the target URL, so that the AC sends the access-allowed message containing the identifier of the STA and the target URL to the at least one second AP, which then allows the STA access to the target URL. Those skilled in the art will understand that, since the policy execution message includes the preset-time information, the AC can also send the access-allowed message containing the identifier of the STA and the target URL to the second APs on its own initiative after the preset time. Correspondingly, sending the release policy execution request message containing the identifier of the STA and the target URL to the AC covers two situations: when the first AP is in the running state, it encapsulates the identifier of the STA and the target URL in a Request message as the release policy execution request message; when the first AP is joining the AC, it encapsulates them in a Discover message as the release policy execution request message.
In the method for resisting wireless network flooding attacks provided by the embodiments of the present invention, within the preset time all APs of the whole network can resist the wireless network flooding attack from the STA and, while doing so, refuse only the STA's access to the target URL without refusing its access to other URLs. After the preset time, the first AP allows the STA access to the target URL and sends the AC the release policy execution request message containing the identifier of the STA and the target URL, which removes the lock on the STA so that the at least one second AP allows the STA access to the target URL.
In the above method embodiments, specifically, the identifier of the STA is the MAC address of the STA. A MAC address is used to define the position of a network device; when data is transmitted, the MAC address is the identifier actually relied upon for the address of the STA sending the data and of the STA receiving it, and it is generally globally unique. Using the MAC address of the STA as its identifier lets the STA be identified accurately.
Fig. 3 is a flow chart of embodiment three of the method for resisting wireless network flooding attacks according to the present invention. As shown in Fig. 3, the method flow provided by this embodiment comprises the following steps:
Step 301: the AC receives a policy execution request message, sent by a first wireless access point AP, carrying the identifier of a wireless station STA and a target web page address URL;
Step 302: the AC generates, according to the policy execution request message, an access-denied message carrying the identifier of the STA and the target URL, and sends the access-denied message to at least one second AP, so that the at least one second AP refuses the STA access to the target URL.
In a specific implementation, after the AC receives the policy execution request message sent by the first AP, it decapsulates the message, obtains the identifier of the STA and the target URL as parameters, regenerates them into an access-denied message and sends it to the at least one second AP. The AC may also send the access-denied message to the at least one second AP periodically; the period may be 20 s, 30 s, etc., and the concrete period is not specifically limited by the present invention. The at least one second AP is the AP equipment other than the first AP; when the AC needs a network-wide announcement it can send the access-denied message to all second APs in the whole network, or to only some second APs as needed. After the at least one second AP receives the access-denied message, it refuses the STA access to the target web page address URL and sends the AC a response message acknowledging receipt of the access-denied message, and the AC notifies the first AP that processing is complete.
In the method for resisting wireless network flooding attacks provided by the embodiments of the present invention, the wireless access controller AC receives the policy execution request message, sent by the first wireless access point AP, carrying the identifier of the wireless station STA and the target URL; the AC generates, according to the policy execution request message, an access-denied message carrying the identifier of the STA and the target URL and sends it to the at least one second AP, so that the at least one second AP refuses the STA access to the target web page address URL. The source of the flooding attack is thus identified network-wide and its flooding access is refused, which improves the security and reliability of the wireless access equipment of the whole network.
Optionally, the policy execution request message further contains information on the preset time, so that the at least one second AP refuses the STA access to the target URL for the preset time.
Specifically, the AC receives the policy execution request message, containing the preset-time information, sent by the first AP, that is, the message contains the identifier of the STA, the target URL and the preset time; the AC sends the access-denied message to the at least one second AP, so that the at least one second AP refuses access to the target URL by the STA whose ratio of total accesses to period length exceeded the threshold.
Meanwhile, as long as the first AP has not sent a release policy execution request message to the AC within the preset time, all second APs attached to the AC continue to refuse the STA access to the target URL.
In the method for resisting wireless network flooding attacks provided by the embodiments of the present invention, within the preset time all APs of the whole network can resist the wireless network flooding attack from the STA and, while doing so, refuse only the STA's access to the target URL without refusing its access to other URLs.
On the basis of method embodiment three for resisting wireless network flooding attacks according to the present invention, after the AC receives the policy execution request message carrying the identifier of the STA and the target URL sent by the first AP, the method further comprises:
after the preset time, the AC receives a release policy execution request message containing the identifier of the STA and the target URL, and sends an access-allowed message containing the identifier of the STA and the target URL to the at least one second AP, so that the at least one second AP allows the STA access to the target URL.
At the same time, the AC sends the access-allowed message containing the identifier of the STA and the target URL to the at least one second AP. The AC may also send the access-allowed message to the at least one second AP periodically, to keep the AC's network-wide announcement timely. The period may be 20 s or 30 s, etc.; the concrete period is not specifically limited by the present invention. After receiving the access-allowed message, the at least one second AP allows the STA access to the target URL. Those skilled in the art will understand that, since the policy execution message includes the preset-time information, the AC can also send the access-allowed message containing the identifier of the STA and the target URL to the second APs on its own initiative after the preset time.
The access-denied message and access-allowed message that the AC sends to the second APs attached to it may specifically be control messages of the Control and Provisioning of Wireless Access Points (CAPWAP) protocol, comprising an IP header, a User Datagram Protocol (UDP) header, a CAPWAP header, a CAPWAP control layer and the message content. The message content comprises vendor information, position information, attack information containing the identifier of the STA and the target URL, and AP operation information; these contents are encapsulated in the CAPWAP message in message type, message length, message content (Type-Length-Value, TLV) form. CAPWAP messages inherit some advantages of the CAPWAP channel, including network address translation (NAT) traversal and security.
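An added example (not code from the patent or any vendor) of the AC side of Fig. 3 together with a TLV message content of the kind the CAPWAP control message above carries: the AC regenerates a deny message from the policy execution request and sends it to every other AP, re-announces live locks on a timer, sends the allow message on its own initiative once the preset time carried in the request has elapsed, and the receiving AP decapsulates the TLVs and rejects malformed messages. The TLV type numbers, field layout, AP names and all sample values are constructed; the real CAPWAP, IP and UDP headers are not reproduced.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed TLV type codes for the message content (not CAPWAP-assigned values)
TLV_ACTION = 1         # 1 byte: 0 = access denied, 1 = access allowed
TLV_STA_MAC = 2        # 6 bytes, the STA identifier
TLV_TARGET_URL = 3     # UTF-8 string
TLV_PRESET_TIME = 4    # 4-byte unsigned seconds (remaining lock time)


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """Type-Length-Value with 16-bit type and length in network byte order."""
    return struct.pack("!HH", tlv_type, len(value)) + value


def decode_tlvs(buf: bytes) -> Dict[int, bytes]:
    """Walk a TLV sequence; reject truncated elements and trailing bytes so a
    malformed message is dropped instead of being half-applied."""
    out: Dict[int, bytes] = {}
    off = 0
    while off + 4 <= len(buf):
        tlv_type, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("truncated TLV")
        out[tlv_type] = buf[off:off + length]
        off += length
    if off != len(buf):
        raise ValueError("trailing bytes after last TLV")
    return out


def build_policy_message(allow: bool, sta_mac: str, url: str, preset: int) -> bytes:
    """Message content of the access-denied (allow=False) or access-allowed
    (allow=True) message the AC sends to the second APs."""
    mac = bytes.fromhex(sta_mac.replace(":", ""))
    if len(mac) != 6:
        raise ValueError("STA identifier must be a 6-byte MAC address")
    return (encode_tlv(TLV_ACTION, bytes([1 if allow else 0]))
            + encode_tlv(TLV_STA_MAC, mac)
            + encode_tlv(TLV_TARGET_URL, url.encode("utf-8"))
            + encode_tlv(TLV_PRESET_TIME, struct.pack("!I", preset)))


def parse_policy_message(buf: bytes) -> Tuple[bool, str, str, int]:
    """Decapsulation performed by a receiving second AP."""
    tlvs = decode_tlvs(buf)
    for required in (TLV_ACTION, TLV_STA_MAC, TLV_TARGET_URL):
        if required not in tlvs:
            raise ValueError(f"missing TLV type {required}")
    if len(tlvs[TLV_ACTION]) != 1 or len(tlvs[TLV_STA_MAC]) != 6:
        raise ValueError("bad field length")
    allow = tlvs[TLV_ACTION][0] == 1
    mac = ":".join(f"{b:02x}" for b in tlvs[TLV_STA_MAC])
    url = tlvs[TLV_TARGET_URL].decode("utf-8")
    preset = 0
    if TLV_PRESET_TIME in tlvs:
        preset = struct.unpack("!I", tlvs[TLV_PRESET_TIME])[0]
    return allow, mac, url, preset


@dataclass
class Lock:
    origin_ap: str     # the first AP that reported the flooding STA
    expiry: float      # absolute time at which the preset time elapses


class AccessController:
    """AC-side logic of steps 301/302 plus the optional preset-time handling."""

    def __init__(self, ap_ids: List[str]):
        self.aps = list(ap_ids)
        self.locks: Dict[Tuple[str, str], Lock] = {}   # (STA MAC, URL) -> Lock
        self.sent: List[Tuple[str, bytes]] = []        # (AP id, message bytes)

    def _announce(self, exclude: Optional[str], msg: bytes) -> List[str]:
        """Send msg to every AP except the originating first AP."""
        targets = [ap for ap in self.aps if ap != exclude]
        self.sent.extend((ap, msg) for ap in targets)
        return targets

    def on_policy_request(self, from_ap: str, sta_mac: str, url: str,
                          preset: int, now: float) -> List[str]:
        """Step 302: regenerate the deny message and send it to the second APs."""
        self.locks[(sta_mac, url)] = Lock(from_ap, now + preset)
        return self._announce(from_ap, build_policy_message(False, sta_mac, url, preset))

    def on_release_request(self, from_ap: str, sta_mac: str, url: str) -> List[str]:
        """Release policy execution request from the first AP: send allow."""
        self.locks.pop((sta_mac, url), None)
        return self._announce(from_ap, build_policy_message(True, sta_mac, url, 0))

    def tick(self, now: float) -> List[str]:
        """Periodic announcement (the text suggests every 20 s or 30 s): re-send
        deny for live locks with the remaining time, and send allow on the AC's
        own initiative for locks whose preset time has elapsed. Returns the MAC
        addresses released on this tick."""
        released: List[str] = []
        for (mac, url), lock in list(self.locks.items()):
            if now >= lock.expiry:
                del self.locks[(mac, url)]
                self._announce(lock.origin_ap, build_policy_message(True, mac, url, 0))
                released.append(mac)
            else:
                remaining = int(lock.expiry - now)
                self._announce(lock.origin_ap,
                               build_policy_message(False, mac, url, remaining))
        return released
```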
The method of the opposing wireless network extensive aggression that the embodiment of the present invention provides, in Preset Time, the AP of the whole network can be made to resist the wireless network extensive aggression of STA, while the wireless network extensive aggression of opposing STA, only refuse STA access destination URL, do not refuse STA and access other URL.By after Preset Time, AC receives and comprises the mark of STA and the releasing strategy execution request message of target URL, send the permission access message of mark and the target URL comprising STA at least one the 2nd AP, remove the locking to STA, allow STA access destination URL to make at least one the 2nd AP.
In above-mentioned embodiment of the method, particularly, the MAC address being designated STA of STA.Using the mark of the MAC Address of STA as STA, accurately STA can be identified.
Fig. 4 is a schematic structural diagram of wireless access network device embodiment one of the present invention. As shown in Fig. 4, the wireless access network device AP 40 provided by the embodiment comprises an acquisition module 41 and a policy execution module 42. The acquisition module 41 obtains the total number of accesses that a wireless station STA makes to a target web page address URL during a first period and records the ratio of that total to the first period. If the ratio is greater than a preset threshold, the policy execution module 42 refuses the STA access to the target URL and sends the radio access network controller AC a policy execution request message carrying the identifier of the STA and the target URL, so that the AC sends a deny-access message carrying the identifier of the STA and the target URL to at least one other AP, and the at least one other AP refuses the STA access to the target URL.
In the wireless access network device provided by this embodiment, the acquisition module obtains the total number of accesses that the STA makes to the target URL during the first period and records the ratio of that total to the period, which gives the average frequency at which the STA accesses the target URL per unit time. When the ratio exceeds the preset threshold, the policy execution module refuses the STA access to the target URL but not to other URLs, and sends a policy execution request message carrying the identifier of the STA and the target URL, so that the AC sends a deny-access message carrying the identifier of the STA and the target URL to at least one other AP, which in turn refuses the STA access to the target URL. The source of the flooding attack is thereby identified network-wide and its flooding access refused, which improves the safety and reliability of the wireless access network devices of the whole network.
The wireless access network device of this embodiment may be used to carry out the technical solution of the method embodiment shown in Fig. 1; its implementation principle is similar and is not repeated here.
Fig. 5 is a schematic structural diagram of wireless access network device embodiment two of the present invention. As shown in Fig. 5, the wireless access network device provided by this embodiment further comprises, on the basis of the embodiment of Fig. 4, a recording module 43 and a timing module 44.
The recording module 43 records the identifier of the STA when the STA associates with the AP, initialises the statistics record table and starts a timer;
The timing module 44 judges whether the timer has expired. If the timer has not expired, it receives at least one HTTP request message sent by the STA, decapsulates it and obtains the target URL corresponding to the identifier of the STA; it then judges whether the at least one HTTP request message belongs to the target URL. If so, the number of accesses by the STA to the target URL is increased by 1 and processing returns to the step of judging whether the timer has expired; if not, processing returns directly to that step. If the timer has expired, the total number of accesses by the STA to the target URL is recorded in the statistics record table.
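As an added example (not the patent's code), the following Python puts the recording and timing modules together with the threshold test and the per-URL refusal of the method embodiment: a statistics record is opened on association, hits on the target URL are counted until the timer expires, the total is recorded, and count divided by period is compared against the threshold. The period, threshold, preset time, MAC addresses and URLs are constructed; treating URLs that differ only in their query string as the same target is a choice of this example, not something the text specifies.

```python
"""AP-side detection: statistics record, timer, ratio test, per-URL refusal (constructed example)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


def normalize(url: str) -> str:
    """Compare scheme, host and path only, so a flood that varies the query
    string still counts against the same target URL (this example's choice)."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.lower()}{p.path or '/'}"


@dataclass
class StatRecord:
    """One row of the statistics record table, opened when the STA associates."""
    sta_mac: str
    period_start: float
    count: int = 0                      # hits on the target URL in the running period
    total_count: Optional[int] = None   # written when the timer expires


@dataclass(frozen=True)
class PolicyRequest:
    """Policy execution request for the AC: STA identifier, target URL, preset time."""
    sta_mac: str
    target_url: str
    preset_time: float


class AccessPoint:
    def __init__(self, target_url: str, period: float, threshold: float, preset_time: float):
        self.target_url = normalize(target_url)
        self.period = period              # the first period, in seconds
        self.threshold = threshold        # preset threshold, in hits per second
        self.preset_time = preset_time    # how long the refusal lasts, in seconds
        self.records: dict = {}           # sta_mac -> StatRecord
        self.denied: dict = {}            # (sta_mac, url) -> expiry time

    def on_associate(self, sta_mac: str, now: float) -> None:
        # Recording module: record the STA identifier, initialise its row, start the timer.
        self.records[sta_mac] = StatRecord(sta_mac, period_start=now)

    def _close_period(self, rec: StatRecord, now: float) -> Optional[PolicyRequest]:
        # Timer module, timer expired: record the total, then test total / period.
        rec.total_count = rec.count
        ratio = rec.total_count / self.period
        request = None
        if ratio > self.threshold:
            self.denied[(rec.sta_mac, self.target_url)] = now + self.preset_time
            request = PolicyRequest(rec.sta_mac, self.target_url, self.preset_time)
        rec.count, rec.period_start = 0, now   # start the next period
        return request

    def on_http_request(self, sta_mac: str, url: str, now: float):
        """Returns (allowed, policy_request); the request is set only by the call
        that closes a period whose ratio exceeded the threshold."""
        rec = self.records.get(sta_mac)
        if rec is None:
            return False, None                 # STA is not associated with this AP
        url = normalize(url)
        expired = now - rec.period_start >= self.period
        request = self._close_period(rec, now) if expired else None
        expiry = self.denied.get((sta_mac, url))
        if expiry is not None and now < expiry:
            return False, request              # only the target URL is refused ...
        if url == self.target_url:
            rec.count += 1
        return True, request                   # ... every other URL is still served

    def release_expired(self, now: float) -> list:
        # Release policy: once the preset time has passed, the lock on the STA is lifted.
        expired = [key for key, t in self.denied.items() if now >= t]
        for key in expired:
            del self.denied[key]
        return expired


def simulate() -> dict:
    """Constructed traffic: STA A hits the login URL 60 times in the 10 s period
    (6 hits/s, above a threshold of 5/s); STA B hits it 10 times (1 hit/s)."""
    ap = AccessPoint("http://example.com/login", period=10.0, threshold=5.0, preset_time=60.0)
    a, b = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"
    ap.on_associate(a, now=0.0)
    ap.on_associate(b, now=0.0)
    for i in range(60):
        ap.on_http_request(a, f"http://example.com/login?attempt={i}", now=i * 10 / 60)
    for i in range(10):
        ap.on_http_request(b, "http://example.com/login", now=float(i))
    out = {}
    out["a_login_at_10"], out["a_request"] = ap.on_http_request(a, "http://example.com/login", now=10.0)
    out["a_other_at_10"], _ = ap.on_http_request(a, "http://example.com/help", now=10.5)
    out["b_login_at_10"], out["b_request"] = ap.on_http_request(b, "http://example.com/login", now=10.0)
    out["a_total"] = ap.records[a].total_count
    out["released"] = ap.release_expired(now=70.0)
    out["a_login_at_70"], _ = ap.on_http_request(a, "http://example.com/login", now=70.5)
    return out


if __name__ == "__main__":
    print(simulate())
```

In the simulated run the first AP refuses STA A's login requests from the moment the period closes, still serves its other URLs, leaves STA B untouched, and lifts the refusal once the preset time has passed.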
In the method for resisting wireless network flooding attacks provided by the embodiment, the timing module records the total number of accesses that the STA makes to the target URL within the period, so the number of times a specific STA accesses a specific web page address is obtained. This provides reliable data for the AP device to identify the specific attack source and the target URL that the attack source accesses.
The wireless access network device of this embodiment may be used to carry out the technical solution of the method embodiment shown in Fig. 2; its implementation principle and technical effect are similar and are not repeated here.
Optionally, the first AP refusing the STA access to the target URL comprises: refusing the STA access to the target URL for a preset time;
and the policy execution request message further comprises information on the preset time, so that the at least one second AP refuses the STA access to the target URL for the preset time.
The wireless access network device of this embodiment may be used to carry out the technical solution of the above method embodiment; its implementation principle is similar and is not repeated here.
With the method for resisting wireless network flooding attacks provided by the embodiment of the present invention, every AP in the whole network can be made to resist the flooding attack of the STA for the preset time, and while doing so only the STA's access to the target URL is refused; its access to other URLs is not.
Fig. 6 is a schematic structural diagram of wireless access network device embodiment three of the present invention. As shown in Fig. 6, the wireless access network device provided by this embodiment further comprises, on the basis of the embodiment of Fig. 5, a policy release module 45. After the preset time, the policy release module 45 allows the STA to access the target URL and sends the AC a policy release request message carrying the identifier of the STA and the target URL, so that the AC sends an allow-access message carrying the identifier of the STA and the target URL to the at least one other AP, and the at least one other AP allows the STA to access the target URL.
The first AP in method embodiments one to three of the present invention for resisting wireless network flooding attacks may adopt the wireless access network device of any of wireless access network device embodiments one to three provided by the embodiments of the present invention.
In the wireless access network device provided by this embodiment, after the preset time the policy release module sends the AC a policy release request message carrying the identifier of the STA and the target URL, so that the lock placed on the STA for the preset time is lifted and the at least one other AP allows the STA to access the target URL.
Fig. 7 is a schematic structural diagram of radio access network controller embodiment one of the present invention. As shown in Fig. 7, the radio access network controller 50 provided by this embodiment comprises a receiving module 51 and an advertisement execution module 52. The receiving module 51 receives a policy execution request message sent by an AP and carrying the identifier of a wireless station STA and a target web page address URL; the advertisement execution module 52 generates, according to the policy execution request message, a response message carrying the identifier of the STA and the target URL and sends the response message to at least one other AP, so that the at least one other AP refuses the STA access to the target URL.
In the radio access network controller provided by this embodiment, the receiving module receives the policy execution request message sent by the first wireless access network device AP and carrying the identifier of the STA and the target URL; the advertisement execution module generates, according to the policy execution request message, a deny-access message carrying the identifier of the STA and the target URL and sends it to at least one other AP, so that the at least one other AP refuses the STA access to the target web page address URL. The source of the flooding attack is thereby identified network-wide and its flooding access refused, which improves the safety and reliability of the wireless access network devices of the whole network.
The radio access network controller of this embodiment may be used to carry out the technical solution of the method embodiment shown in Fig. 3; its implementation principle is similar and is not repeated here.
Optionally, the above policy execution request message further comprises information on the preset time, so that the at least one second AP refuses the STA access to the target URL for the preset time.
The radio access network controller of this embodiment may be used to carry out the technical solution of the above method embodiment; its implementation principle is similar and is not repeated here.
With the method for resisting wireless network flooding attacks provided by the embodiment of the present invention, every AP in the whole network can be made to resist the flooding attack of the STA for the preset time, and while doing so only the STA's access to the target URL is refused; its access to other URLs is not.
Fig. 8 is a schematic structural diagram of radio access network controller embodiment two of the present invention. As shown in Fig. 8, the radio access network controller provided by this embodiment further comprises, on the basis of the embodiment of Fig. 7, an advertisement release module 53. After the preset time, the advertisement release module 53 receives a policy release request message carrying the identifier of the STA and the target URL and sends an allow-access message carrying the identifier of the STA and the target URL to the at least one other AP, so that the at least one other AP allows the STA to access the target URL.
The second AP in method embodiments one to three of the present invention for resisting wireless network flooding attacks may adopt the radio access network controller of radio access network controller embodiments one to three provided by the embodiments of the present invention.
With the radio access network controller provided by this embodiment, every AP in the whole network can be made to resist the flooding attack of the STA for the preset time, and while doing so only the STA's access to the target URL is refused; its access to other URLs is not. After the preset time, the advertisement release module receives a policy release request message carrying the identifier of the STA and the target URL and sends an allow-access message carrying the identifier of the STA and the target URL to the at least one other AP, so that the lock on the STA is lifted and the at least one other AP allows the STA to access the target URL.
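As an added example of the controller-side embodiments (Fig. 7 and Fig. 8), not the patent's code, the Python below shows the AC turning one AP's policy execution request into deny-access messages for every other AP, and a later policy release request into allow-access messages. Message kinds, AP identifiers and sample values are constructed. Because the deny-access message carries the preset time, each receiving AP in this example also expires its own lock when that time passes, so the release does not depend on the allow-access message arriving.

```python
"""AC fan-out of deny/allow messages and preset-time release (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    kind: str                  # "policy_request", "release_request", "deny" or "allow"
    sta_mac: str               # identifier of the STA
    target_url: str
    preset_time: float = 0.0   # seconds; carried in policy requests and deny messages


class SecondAP:
    """An AP that did not detect the flood itself and acts only on AC messages."""

    def __init__(self, ap_id: str):
        self.ap_id = ap_id
        self.locks: dict = {}   # (sta_mac, target_url) -> expiry time

    def receive(self, msg: Message, now: float) -> None:
        key = (msg.sta_mac, msg.target_url)
        if msg.kind == "deny":
            # The deny message carries the preset time, so the lock expires on its
            # own even if the later allow message never reaches this AP.
            self.locks[key] = now + msg.preset_time
        elif msg.kind == "allow":
            self.locks.pop(key, None)

    def allows(self, sta_mac: str, url: str, now: float) -> bool:
        expiry = self.locks.get((sta_mac, url))
        return expiry is None or now >= expiry


class Controller:
    """The AC: receiving module plus advertisement execution / release modules."""

    def __init__(self, aps):
        self.aps = {ap.ap_id: ap for ap in aps}

    def handle(self, from_ap_id: str, msg: Message, now: float) -> list:
        """Turn a request from one AP into a deny/allow message for every other AP.
        Returns the ids of the APs that were notified."""
        if msg.kind == "policy_request":
            out = Message("deny", msg.sta_mac, msg.target_url, msg.preset_time)
        elif msg.kind == "release_request":
            out = Message("allow", msg.sta_mac, msg.target_url)
        else:
            raise ValueError(f"unexpected message kind {msg.kind!r}")
        notified = []
        for ap_id, ap in self.aps.items():
            if ap_id == from_ap_id:
                continue            # the reporting AP already enforces the rule itself
            ap.receive(out, now)
            notified.append(ap_id)
        return notified


def scenario() -> dict:
    """Constructed run: ap1 reports a flood of the login URL by one STA, ap2 and ap3
    refuse that URL only, and the lock is released after a 60 s preset time."""
    aps = [SecondAP("ap1"), SecondAP("ap2"), SecondAP("ap3")]
    ac = Controller(aps)
    sta = "aa:aa:aa:aa:aa:aa"
    target, other = "http://example.com/login", "http://example.com/help"
    results = {"notified": ac.handle("ap1", Message("policy_request", sta, target, 60.0), now=0.0)}
    ap2, ap3 = aps[1], aps[2]
    results["ap2_target_during"] = ap2.allows(sta, target, now=5.0)
    results["ap2_other_during"] = ap2.allows(sta, other, now=5.0)
    results["ap3_target_timeout"] = ap3.allows(sta, target, now=60.0)
    ac.handle("ap1", Message("release_request", sta, target), now=60.0)
    results["ap2_target_after"] = ap2.allows(sta, target, now=61.0)
    results["ap2_lock_count"] = len(ap2.locks)
    return results


if __name__ == "__main__":
    print(scenario())
```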
Fig. 9 is a schematic structural diagram of system embodiment one of the present invention for resisting wireless network flooding attacks. As shown in Fig. 9, the system of this embodiment comprises a wireless access network device 40 and a radio access network controller 50. The wireless access network device 40 may adopt the structure of any of the wireless access network device embodiments of Fig. 4 to Fig. 6 and can accordingly carry out the technical solution of either of the method embodiments of Fig. 1 and Fig. 2; its implementation principle is similar and is not repeated here. The radio access network controller 50 may adopt the structure of either of the radio access network controller embodiments of Fig. 7 and Fig. 8 and can accordingly carry out the technical solution of the method embodiment of Fig. 3; its implementation principle is similar and is not repeated here. Fig. 10 is a schematic structural diagram of system embodiment two of the present invention for resisting wireless network flooding attacks; it shows the specific structure of the wireless access network device 40 and the radio access network controller 50 in the system and the relations between their modules. For the specific implementation principle and technical effect of the system, reference may be made to the above method and device embodiments, which are not repeated here.
In the system for resisting wireless network flooding attacks provided by the embodiment of the present invention, the wireless access network device AP obtains the total number of accesses that a wireless station STA makes to a target web page address URL during a first period and records the ratio of that total to the first period, which gives the average frequency at which the STA accesses the target URL per unit time. When the ratio exceeds the preset threshold, the AP refuses the STA access to the target URL but not to other URLs. The AP sends the AC a policy execution request message carrying the identifier of the STA and the target URL, so that the AC sends a deny-access message carrying the identifier of the STA and the target URL to at least one other AP, which in turn refuses the STA access to the target URL. The source of the flooding attack is thereby identified network-wide and its flooding access refused, which improves the safety and reliability of the wireless access network devices of the whole network.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium may be a ROM, a RAM, a magnetic disk, an optical disc or any other medium capable of storing program code.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, without such modifications or replacements causing the essence of the corresponding technical solution to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (12)

1. A method for resisting wireless network flooding attacks, characterized in that it comprises:
a first wireless access network device AP obtaining the total number of accesses that a wireless station STA makes to a target web page address URL during a first period, and recording the ratio of said total number of accesses to said first period;
if said ratio is greater than a preset threshold, said first AP refusing said STA access to said target URL and sending a radio access network controller AC a policy execution request message carrying the identifier of said STA and said target URL, so that said AC sends a deny-access message carrying the identifier of said STA and said target URL to at least one second AP, and said at least one second AP refuses said STA access to said target URL;
wherein said policy execution request message further comprises information on a preset time, so that said at least one second AP refuses said STA access to said target URL for said preset time.
2. The method according to claim 1, characterized in that, before said first AP obtains the total number of accesses that the STA makes to the target URL during the first period, the method further comprises:
when said STA associates with said first AP, said first AP recording the identifier of said STA, initialising a statistics record table and starting a timer;
said first AP judging whether said timer has expired;
if said timer has not expired, receiving at least one HTTP request message sent by said STA and decapsulating it to obtain said target URL corresponding to the identifier of said STA; judging whether said at least one HTTP request message belongs to said target URL; if so, increasing by 1 the number of accesses by said STA to said target URL and returning to said step of judging whether said timer has expired; if not, returning to said step of judging whether said timer has expired;
if said timer has expired, said first AP recording the total number of accesses by said STA to said target URL in said statistics record table.
3. The method according to claim 1 or 2, characterized in that:
said first AP refusing said STA access to said target URL comprises: refusing said STA access to said target URL for a preset time.
4. The method according to claim 3, characterized in that, after said first AP refuses said STA access to said URL and sends the radio access network controller AC the policy execution request message carrying the identifier of said STA and said target URL, the method further comprises:
after said preset time, said first AP allowing said STA to access said target URL and sending said AC a policy release request message carrying the identifier of said STA and said target URL, so that said AC sends an allow-access message carrying the identifier of said STA and said target URL to said at least one second AP, and said at least one second AP allows said STA to access said target URL.
5. A method for resisting wireless network flooding attacks, characterized in that it comprises:
a radio access network controller AC receiving a policy execution request message sent by a first wireless access network device AP and carrying the identifier of a wireless station STA and a target web page address URL;
said AC generating, according to said policy execution request message, a deny-access message carrying the identifier of said STA and said target URL, and sending said deny-access message to at least one second AP, so that said at least one second AP refuses said STA access to said target URL;
wherein said policy execution request message further comprises information on a preset time, so that said at least one second AP refuses said STA access to said target URL for said preset time.
6. The method according to claim 5, characterized in that, after said AC receives the policy execution request message sent by the first AP and carrying the identifier of the STA and said target URL, the method further comprises:
after said preset time, said AC receiving a policy release request message carrying the identifier of said STA and said target URL, and sending an allow-access message carrying the identifier of said STA and said target URL to said at least one second AP, so that said at least one second AP allows said STA to access said target URL.
7. A wireless access network device AP, characterized in that it comprises:
an acquisition module for obtaining the total number of accesses that a wireless station STA makes to a target web page address URL during a first period, and recording the ratio of said total number of accesses to said first period;
a policy execution module for, if said ratio is greater than a preset threshold, refusing said STA access to said target URL and sending a radio access network controller AC a policy execution request message carrying the identifier of said STA and said target URL, so that said AC sends a deny-access message carrying the identifier of said STA and said target URL to at least one other AP, and said at least one other AP refuses said STA access to said target URL;
wherein said policy execution request message further comprises information on a preset time, so that said at least one second AP refuses said STA access to said target URL for said preset time.
8. The wireless access network device according to claim 7, characterized in that it further comprises:
a recording module for, when said STA associates with said AP, recording the identifier of said STA, initialising a statistics record table and starting a timer;
a timing module for judging whether said timer has expired; if said timer has not expired, receiving at least one HTTP request message sent by said STA and decapsulating it to obtain said target URL corresponding to the identifier of said STA; judging whether said at least one HTTP request message belongs to said target URL; if so, increasing by 1 the number of accesses by said STA to said target URL and returning to said step of judging whether said timer has expired; if not, returning to said step of judging whether said timer has expired; and if said timer has expired, recording the total number of accesses by said STA to said target URL in said statistics record table.
9. The wireless access network device according to claim 7 or 8, characterized in that it further comprises:
a policy release module for, after the preset time, allowing said STA to access said target URL and sending said AC a policy release request message carrying the identifier of said STA and said target URL, so that said AC sends an allow-access message carrying the identifier of said STA and said target URL to said at least one other AP, and said at least one other AP allows said STA to access said target URL.
10. A radio access network controller, characterized in that it comprises:
a receiving module for receiving a policy execution request message sent by a wireless access network device AP and carrying the identifier of a wireless station STA and a target web page address URL;
an advertisement execution module for generating, according to said policy execution request message, a deny-access message carrying the identifier of said STA and said target URL, and sending said deny-access message to at least one other AP, so that said at least one other AP refuses said STA access to said target URL;
wherein said policy execution request message further comprises information on a preset time, so that said at least one second AP refuses said STA access to said target URL for said preset time.
11. The radio access network controller according to claim 10, characterized in that it further comprises:
an advertisement release module for, after the preset time, receiving a policy release request message carrying the identifier of said STA and said target URL, and sending an allow-access message carrying the identifier of said STA and said target URL to said at least one other AP, so that said at least one other AP allows said STA to access said target URL.
12. A system for resisting wireless network flooding attacks, characterized in that it comprises the wireless access network device according to any of claims 7 to 9 and the radio access network controller according to any of claims 10 to 11.
CN201210344628.4A 2012-09-17 2012-09-17 Method, equipment and system for resisting wireless network flooding attack Active CN102833268B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210344628.4A CN102833268B (en) 2012-09-17 2012-09-17 Method, equipment and system for resisting wireless network flooding attack

Publications (2)

Publication Number Publication Date
CN102833268A CN102833268A (en) 2012-12-19
CN102833268B true CN102833268B (en) 2015-03-11

Family

ID=47336238

Country Status (1)

Country Link
CN (1) CN102833268B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103118360B (en) * 2012-12-21 2015-08-19 成都科来软件有限公司 A kind of system blocking mobile radio terminal
CN104378369A (en) * 2014-11-11 2015-02-25 上海斐讯数据通信技术有限公司 Wireless flooding attack prevention method
CN104768176B (en) * 2015-04-15 2018-08-24 新华三技术有限公司 The method, apparatus that sFlow is sampled in wireless network
CN106598723A (en) * 2015-10-19 2017-04-26 北京国双科技有限公司 Configuration method and device for resources in distributed system
CN107612924B (en) * 2017-09-30 2021-02-23 北京奇虎科技有限公司 Attacker positioning method and device based on wireless network intrusion
CN107509200A (en) * 2017-09-30 2017-12-22 北京奇虎科技有限公司 Equipment localization method and device based on wireless network invasion
CN107579997A (en) * 2017-09-30 2018-01-12 北京奇虎科技有限公司 Wireless network intrusion detection system
CN107484173A (en) * 2017-09-30 2017-12-15 北京奇虎科技有限公司 Wireless network intrusion detection method and device
CN111480364B (en) * 2018-05-25 2021-09-14 华为技术有限公司 Access control method, device and readable storage medium
CN111355686B (en) * 2018-12-21 2022-07-05 天翼云科技有限公司 Method, device, system and storage medium for defending flood attacks
CN112839015B (en) * 2019-11-25 2022-08-19 杭州萤石软件有限公司 Method, device and system for detecting attack Mesh node
CN111556109B (en) * 2020-04-17 2021-05-18 北京达佳互联信息技术有限公司 Request processing method and device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101286996A (en) * 2008-05-30 2008-10-15 北京星网锐捷网络技术有限公司 Storm attack resisting method and apparatus
CN101674293A (en) * 2008-09-11 2010-03-17 阿里巴巴集团控股有限公司 Method and system for processing abnormal request in distributed application
CN102547714A (en) * 2011-12-28 2012-07-04 福建三元达通讯股份有限公司 Method for preventing flooding attack in wireless local area network
CN102595333A (en) * 2012-02-06 2012-07-18 福建星网锐捷网络有限公司 Message transmitting method and wireless access equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2676402A4 (en) * 2011-02-17 2015-06-03 Sable Networks Inc Methods and systems for detecting and mitigating a high-rate distributed denial of service (ddos) attack

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: Cangshan District of Fuzhou City, Fujian province 350002 Jinshan Road No. 618 Garden State Industrial Park 19 floor

Patentee after: RUIJIE NETWORKS Co.,Ltd.

Address before: Cangshan District of Fuzhou City, Fujian province 350002 Jinshan Road No. 618 Garden State Industrial Park 19 floor

Patentee before: Beijing Star-Net Ruijie Networks Co.,Ltd.
