CN104601578A - Recognition method and device for attack message and core device - Google Patents


Info

Publication number: CN104601578A
Application number: CN201510025919.0A
Authority: CN (China)
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN104601578B (en)
Inventor: 刘丽敏
Current Assignee: Ruijie Networks Co Ltd
Original Assignee: Fujian Star Net Communication Co Ltd
Application filed by Fujian Star Net Communication Co Ltd
Priority to CN201510025919.0A
Publication of CN104601578A; application granted; publication of CN104601578B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/12 Applying verification of the received information
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Abstract

The invention discloses a recognition method and device for attack messages, and a core device. The method comprises: determining the session duration of an authentication request message that has not been authenticated; comparing the session duration of the authentication request message with a preset session aging duration; and determining that the authentication request message is an attack message when its session duration exceeds the preset session aging duration. With this scheme, the processing efficiency of authentication requests can be increased.

Description

Attack message recognition method and device, and core device
Technical field
The present invention relates to the field of network communication technology, and in particular to an attack message recognition method and device, and a core device.
Background art
With the continuous escalation of international and domestic network security incidents, the security and trustworthiness of networks receive more and more attention. In colleges and universities in particular, because the user base is dense and active, premeditated attacks and sabotage occur frequently, making campus networks a "severely afflicted area" for security problems whose management is also unusually complex and difficult.
To ensure network security, access authentication must be performed on a user when the user accesses the network, and the legitimacy of the user is judged through authentication. At present, because web authentication is convenient to deploy and simple to use, it is widely used in campus networks.
The existing way of authenticating a user's identity is as follows: after the interface of a core switch receives an authentication request packet from a user terminal, the physical layer (PHY, Physical Layer) of the service module obtains the information carried in the authentication request packet, such as the source Internet Protocol (IP) address, the Media Access Control (MAC) address, the port number and the VLAN ID (VID, Virtual Local Area Network ID), and matches it against the information in the online user list. If the match succeeds, the user is determined to have passed authentication; if the match fails, the user is determined to be unauthenticated. Authentication request packets sent by unauthenticated users are sent to the line-card central processing unit (CPU, Central Processing Unit) and, without further processing, sent straight up the control channel to the management engine CPU.
Because all authentication request packets sent by unauthenticated user terminals are passed up to the management engine CPU, when unauthenticated terminals are infected, or their application software frequently initiates updates, or during malicious attacks and peak periods, a large number of attack packets are produced, the management engine CPU of the core switch is overloaded, and the authentication requests of some terminals cannot be processed in time, causing slow user authentication, authentication timeouts and failure to authenticate at all; the processing efficiency of authentication requests is low. Therefore, how a core switch can recognize that a received authentication request packet is an attack packet and reduce the number of attack packets reported to the management engine is a problem urgently needing to be solved in the user identity authentication process.
Summary of the invention
Embodiments of the present invention provide an attack packet recognition method and device, and a core device, to solve the problem in the prior art that, during identity authentication, a large number of attack packets received at the authentication request packet ingress cause slow authentication or authentication failure and therefore low processing efficiency of authentication requests.
An embodiment of the present invention provides an attack packet recognition method, comprising:
for an unauthenticated authentication request packet, determining the session duration of the authentication request packet;
comparing the session duration of the authentication request packet with a preset session aging duration;
when the session duration of the authentication request packet is greater than the preset session aging duration, determining that the authentication request packet is an attack packet.
By the above method provided by the embodiment of the present invention, the attack packets among unauthenticated authentication request packets are recognized and filtered by judging the magnitude relationship between the session duration of an unauthenticated authentication request packet and the preset session aging duration, which avoids the slow authentication or authentication failure caused by a large number of attack packets and improves the processing efficiency of authentication requests.
Further, determining that the authentication request packet is an unauthenticated packet specifically comprises:
obtaining the attribute information in the authentication request packet;
searching the online user list for whether the attribute information in the authentication request packet exists, the online user list storing the attribute information of authenticated authentication request packets;
when the attribute information in the authentication request packet is not found, determining that the authentication request packet is an unauthenticated packet.
In this way, by maintaining an online user list, it can be determined whether an authentication request packet is an unauthenticated packet.
Further, after determining that the authentication request packet is an unauthenticated packet, the method also comprises:
according to the address information in the authentication request packet, searching a denial-of-service session list for that address information;
when the address information is not found, allowing the session corresponding to the authentication request packet to proceed.
Further, the above method also comprises:
comparing the session duration of the authentication request packet with a preset noise identification duration;
when the session duration of the authentication request packet is greater than the preset noise identification duration, determining that the authentication request packet is a noise packet, the preset noise identification duration being less than the preset session aging duration;
limiting the rate at which the authentication request packet is sent up to the management engine;
when the session duration of the authentication request packet is not greater than the preset noise identification duration, determining that the authentication request packet is a normal packet.
In this way, it is possible to avoid, in a real network, normal authentication request packets being mistaken for attack packets because normal request sessions time out when the access device suffers a link failure, the terminal responds slowly, the authentication server is under excessive pressure, and so on.
Further, the above method also comprises:
classifying the authentication request packets;
reporting the classified packets to the management engine.
In this way, by classifying the authentication request packets, the load pressure on the downstream management engine can be relieved and the packet processing efficiency improved.
Further, classifying the authentication request packet specifically comprises:
after confirming that the authentication request packet is a noise packet or a normal packet, determining whether the destination IP address in the authentication request packet is identical to the address of the authentication server; if identical, determining that the authentication request packet is an authentication-online class packet; if different, determining that the authentication request packet is a pseudo-connection class packet; or
before determining the session duration of the authentication request packet, receiving a request packet; determining whether the destination IP address in the request packet is identical to the address of the authentication server; if identical, determining that the authentication request packet is an authentication-online class packet; if not identical, determining whether the request packet carries authentication information; when the request packet carries authentication information, determining that the request packet is an authentication request packet; when the request packet does not carry authentication information, determining that the request packet is a redirect class packet.
An embodiment of the present invention also provides an attack packet recognition device, comprising:
a first determining unit, for determining, for an unauthenticated authentication request packet, the session duration of the authentication request packet;
a first comparing unit, for comparing the session duration of the authentication request packet with a preset session aging duration;
a second determining unit, for determining that the authentication request packet is an attack packet when its session duration is greater than the preset session aging duration.
By the above device provided by the embodiment of the present invention, the attack packets among unauthenticated authentication request packets are recognized and filtered by judging the magnitude relationship between the session duration of an unauthenticated authentication request packet and the preset session aging duration, which avoids the slow authentication or authentication failure caused by a large number of attack packets and improves the processing efficiency of authentication requests.
Further, the first determining unit is specifically for obtaining the attribute information in the authentication request packet; searching the online user list for whether the attribute information in the authentication request packet exists, the online user list storing the attribute information of authenticated authentication request packets; and, when the attribute information in the authentication request packet is not found, determining that the authentication request packet is an unauthenticated packet.
In this way, by maintaining an online user list, it can be determined whether an authentication request packet is an unauthenticated packet.
Further, the above device also comprises:
a search unit, for searching, after the authentication request packet has been determined to be an unauthenticated packet, a denial-of-service session list for the address information in the authentication request packet;
a session allowing unit, for allowing the session corresponding to the authentication request packet to proceed when the address information is not found.
Further, the above device also comprises:
a second comparing unit, for comparing the session duration of the authentication request packet with a preset noise identification duration;
a third determining unit, for determining that the authentication request packet is a noise packet when its session duration is greater than the preset noise identification duration, the preset noise identification duration being less than the preset session aging duration;
a limiting unit, for limiting the rate at which the authentication request packet is sent up to the management engine;
a fourth determining unit, for confirming that the authentication request packet is a normal packet when its session duration is not greater than the preset noise identification duration.
In this way, it is possible to avoid, in a real network, normal authentication request packets being mistaken for attack packets because normal request sessions time out when the access device suffers a link failure, the terminal responds slowly, the authentication server is under excessive pressure, and so on.
Further, the above device also comprises:
a classification unit, for classifying authentication request packets;
a reporting unit, for reporting the classified packets to the management engine.
In this way, by classifying the authentication request packets, the load pressure on the downstream management engine can be relieved and the packet processing efficiency improved.
Further, the classification unit is specifically for determining, after the authentication request packet has been confirmed as a noise packet or a normal packet, whether the destination IP address in the authentication request packet is identical to the address of the authentication server; if identical, determining that the authentication request packet is an authentication-online class packet; if different, determining that the authentication request packet is a pseudo-connection class packet; or
the classification unit is specifically for receiving a request packet before the session duration of the authentication request packet is determined; determining whether the destination IP address in the request packet is identical to the address of the authentication server; if identical, determining that the authentication request packet is an authentication-online class packet; if not identical, determining whether the request packet carries authentication information; when the request packet carries authentication information, determining that the request packet is an authentication request packet; when the request packet does not carry authentication information, determining that the request packet is a redirect class packet.
An embodiment of the present invention also provides a core device, comprising a line card and a management engine, wherein:
the line card comprises the attack packet recognition device described above;
the management engine is for receiving the classified packets sent by the line-card CPU and processing them accordingly.
By the core device provided by the embodiment of the present invention, the attack packets among unauthenticated authentication request packets are recognized and filtered by judging the magnitude relationship between the session duration of an unauthenticated authentication request packet and the preset session aging duration, which avoids the slow authentication or authentication failure caused by a large number of attack packets and improves the processing efficiency of authentication requests.
Further features and advantages of the application will be set forth in the following description, and in part will become apparent from the specification or be understood by implementing the application. The objects and other advantages of the application can be realized and obtained by the structures particularly pointed out in the written specification, claims and accompanying drawings.
Brief description of the drawings
The accompanying drawings are provided to give a further understanding of the present invention and form part of the specification; together with the embodiments of the present invention they serve to explain the invention and are not to be construed as limiting it. In the drawings:
Fig. 1 is a flow chart of the attack packet recognition method provided by an embodiment of the present invention;
Fig. 2 is a flow chart of the attack packet recognition method provided by Embodiment 1 of the present invention;
Fig. 3 is a flow chart of the attack packet recognition method provided by Embodiment 2 of the present invention;
Fig. 4 is a schematic structural diagram of the attack packet recognition device provided by Embodiment 3 of the present invention;
Fig. 5 is a schematic structural diagram of the core device provided by Embodiment 4 of the present invention.
Detailed description
In order to provide an implementation that improves the processing efficiency of authentication requests, embodiments of the present invention provide an attack packet recognition method and device, and a core device. Preferred embodiments of the present invention are described below with reference to the drawings of the specification; it should be understood that the preferred embodiments described here serve only to illustrate and explain the present invention and are not intended to limit it. Where there is no conflict, the embodiments in the application and the features in the embodiments may be combined with each other.
An embodiment of the present invention provides an attack packet recognition method which, as shown in Fig. 1, comprises:
Step 101: for an unauthenticated authentication request packet, determine the session duration of the authentication request packet.
Step 102: compare the session duration of the authentication request packet with a preset session aging duration.
Step 103: when the session duration of the authentication request packet is greater than the preset session aging duration, determine that the authentication request packet is an attack packet.
In the embodiment of the present invention, when a user needs to authenticate in order to access the network, the core device authenticates the reported authentication request packets; some of these are sent by terminals that have already been authenticated, and others by terminals that have not. Because unauthenticated terminals that are infected, or whose application software frequently initiates updates, or malicious attacks and peak periods produce a large number of attack packets, causing slow authentication or authentication failure, the embodiment of the present invention recognizes the attack packets among the unauthenticated authentication request packets so that the recognized attack packets can subsequently be processed.
Further, in the embodiment of the present invention the line card of the core device can implement the recognition of attack packets and filter the authentication request packets at the ingress of the core device, preventing packet attacks at the ingress.
The method and device provided by the present invention, and the corresponding system, are described in detail below with reference to the drawings and specific embodiments.
Embodiment 1:
Fig. 2 is a flow chart of the attack packet recognition method provided by Embodiment 1 of the present invention, which specifically comprises the following processing steps:
Step 201: the line card of the core device receives an authentication request packet.
The core device, as the gateway for the users of the whole network, receives and centrally manages authentication for the whole network; authentication request packets are received by the line card of the core device.
Step 202: the line card obtains the attribute information of the authentication request packet.
In this step, the attribute information of the authentication request packet comprises the source Internet Protocol (IP) address, the Media Access Control (MAC) address, the authentication port (PORT) and the VLAN ID (VID, Virtual Local Area Network ID) carried in the authentication request packet.
Step 203: the line card searches the online user list for whether the attribute information in the authentication request packet exists; if so, go to step 204; if not, go to step 205.
The online user list stores the attribute information of authenticated authentication request packets, the attribute information comprising the source IP address, MAC address, PORT and VID. The core device records the attribute information of authenticated authentication request packets in the online user list.
Step 204: the line card determines that the authentication request packet has passed authentication, allows the terminal that sent it to access the network, and forwards the terminal's traffic directly through the forwarding plane.
Step 205: the line card determines that the authentication request packet is an unauthenticated packet.
Further, when the core device performs identity authentication, for terminals that have sent aggressive packets it records the terminal's relevant information in a denial-of-service session list and treats all packets sent by that terminal as attack packets; therefore, after the line card determines that the authentication request packet is unauthenticated, it can further check whether the session of the authentication request packet is in the denial-of-service session list.
Step 206: according to the address information in the authentication request packet, the line card searches the denial-of-service session list for whether that address information exists; if so, go to step 207; if not, go to step 208.
The denial-of-service session list stores the source IP addresses considered aggressive together with the corresponding destination IP addresses. The address information in an authentication request packet is its source IP address and destination IP address.
Step 207: the line card discards the authentication request packet.
In this step, when the line card finds the address information in the denial-of-service session list, the session of the authentication request packet is considered aggressive, so the line card discards the packet directly. Further, for each source IP address and corresponding destination IP address in the denial-of-service session list, a refusal session timer is allocated; when the refusal session timer expires, the source IP address and corresponding destination IP address are deleted from the denial-of-service session list.
Step 208: the line card allows the session corresponding to the authentication request.
Further, for each authentication request packet, the line card uniquely identifies one session by the packet's source IP address and destination IP address, that is, the session corresponding to each pair of source IP address and destination IP address has a unique identifier.
Step 209: the line card determines whether the session duration of the authentication request packet is greater than the preset noise identification duration; if not, go to step 210; if so, go to step 211.
The preset noise identification duration can be set flexibly according to the number of users at peak time and the pressure borne by the authentication server.
Step 210: the line card determines that the authentication request packet is a normal packet.
After determining that the authentication request packet is a normal packet, the line card sends it to the management engine at the normal packet rate.
Step 211: the line card determines that the authentication request packet is a noise packet and limits the rate at which authentication request packets are sent up to the management engine.
In a real network, when the access device suffers a link failure, terminals respond slowly, the authentication server is under excessive pressure, and so on, normal request sessions may time out. To avoid normal authentication request packets being mistaken for attack packets while still controlling attack packets effectively, authentication request packets whose session duration is greater than the preset noise identification duration are treated as noise packets. Noise packets include normal request packets whose session has timed out, and may also include real attack packets that pose a threat. Because attack packets may be present among the noise packets, and these attack packets would seize the bandwidth of normal users and reduce the processing performance of the device, this step, after determining that an authentication request packet is a noise packet, limits the rate at which the packet is sent up to the management engine: the send rate is lowered so that the transmission rate of noise packets is below that of normal packets, reducing the bandwidth that noise packets consume when reported to the management engine.
Step 212: the line card determines whether the session duration of the authentication request packet is greater than the preset session aging duration; if so, go to step 213; if not, go to step 214.
The preset session aging duration can be set flexibly according to the number of users at peak time and the pressure borne by the authentication server, and is greater than the preset noise identification duration.
Step 213: the line card determines that the authentication request packet is an attack packet, disconnects the session of the authentication request packet, records the address of the authentication request packet and its destination IP address in the denial-of-service session list, and starts the refusal session timer.
The purpose of comparing the session duration of the authentication request packet with the preset noise identification duration in step 209 above is to prevent downlink users whose authentication request packets exceed the preset noise identification duration for reasons such as slow terminal response or serious packet loss on the downlink from having their authentication request packets mistaken for attack packets. An authentication request packet confirmed as a noise packet, that is, with a session duration greater than the preset noise identification duration and less than the preset session aging duration, has its transmission rate limited but the processing of its authentication request is not affected; if within this period the user still has not come online through authentication, the packet is confirmed as an attack packet.
Because the line card performs noise packet and attack packet recognition on the ingress traffic, limits the transmission rate of noise packets to the management engine, and denies service to attack packets, interference from ingress noise packets can be prevented during malicious attacks and peak periods, ensuring that users can authenticate and go online normally and thereby improving the processing efficiency of authentication requests.
The process of recognizing attack packets in steps 201-213 above can specifically be handled by the noise identification module of the line card.
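The following is an added illustration of steps 201-213 as a small simulation; it is not code from the patent or from its assignee. The class and field names, the packets-per-second report rates and the constructed timeline in `demo()` are assumptions chosen to show how one session moves from normal, to noise, to attack, to dropped, and back to normal once its refusal session timer expires.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Verdicts the line card can reach for one authentication request packet.
AUTHENTICATED = "authenticated"   # step 204: already online, forwarded directly
DROPPED = "dropped"               # step 207: session is on the denial-of-service list
NORMAL = "normal"                 # step 210: reported at the normal rate
NOISE = "noise"                   # step 211: reported at a limited rate
ATTACK = "attack"                 # step 213: session torn down, refusal timer started


@dataclass(frozen=True)
class AuthRequest:
    """Attribute information the line card reads from a packet (step 202)."""
    src_ip: str
    mac: str
    port: int
    vid: int
    dst_ip: str


@dataclass
class LineCard:
    noise_threshold: float        # preset noise identification duration (seconds)
    aging_threshold: float        # preset session aging duration (seconds)
    refusal_timeout: float        # lifetime of a refusal session timer (seconds)
    normal_rate_pps: int = 1000   # assumed report rate for normal packets
    noise_rate_pps: int = 50      # assumed, lower report rate for noise packets
    # Online user list: attribute tuples of authenticated packets (step 203).
    online_users: Set[Tuple[str, str, int, int]] = field(default_factory=set)
    # Denial-of-service session list: (src_ip, dst_ip) -> refusal timer expiry.
    dos_sessions: Dict[Tuple[str, str], float] = field(default_factory=dict)
    # Allowed unauthenticated sessions: (src_ip, dst_ip) -> time first seen.
    sessions: Dict[Tuple[str, str], float] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # The patent requires the noise threshold to lie below the aging threshold.
        if not 0 < self.noise_threshold < self.aging_threshold:
            raise ValueError("need 0 < noise_threshold < aging_threshold")

    def record_online(self, req: AuthRequest) -> None:
        """The core device records an authenticated packet's attributes (step 203)."""
        self.online_users.add((req.src_ip, req.mac, req.port, req.vid))
        # A session that authenticated is no longer an unauthenticated session.
        self.sessions.pop((req.src_ip, req.dst_ip), None)

    def _expire_refusals(self, now: float) -> None:
        """Refusal session timers that have fired delete their list entry (step 207)."""
        for key in [k for k, expiry in self.dos_sessions.items() if now >= expiry]:
            del self.dos_sessions[key]

    def upstream_rate_pps(self, verdict: str) -> int:
        """Rate at which a packet with this verdict is sent to the management engine."""
        if verdict == NORMAL:
            return self.normal_rate_pps
        if verdict == NOISE:
            return self.noise_rate_pps
        return 0   # authenticated traffic stays in the forwarding plane; the rest never goes up

    def handle(self, req: AuthRequest, now: float) -> str:
        """Steps 202-213 for one packet arriving at time `now` (seconds)."""
        self._expire_refusals(now)
        # Steps 203-204: attribute lookup in the online user list.
        if (req.src_ip, req.mac, req.port, req.vid) in self.online_users:
            return AUTHENTICATED
        # Steps 205-207: unauthenticated; a session on the denial-of-service list is discarded.
        key = (req.src_ip, req.dst_ip)
        if key in self.dos_sessions:
            return DROPPED
        # Step 208: allow the session, uniquely identified by (src_ip, dst_ip).
        duration = now - self.sessions.setdefault(key, now)
        # Steps 209-210: still within the noise identification duration, a normal packet.
        if duration <= self.noise_threshold:
            return NORMAL
        # Steps 211-212: noise packet; still reported, at a limited rate, until it ages out.
        if duration <= self.aging_threshold:
            return NOISE
        # Step 213: aged out without authenticating; disconnect, record, start the timer.
        del self.sessions[key]
        self.dos_sessions[key] = now + self.refusal_timeout
        return ATTACK


def demo() -> list:
    """Constructed timeline: one terminal that never authenticates, one that does."""
    lc = LineCard(noise_threshold=10.0, aging_threshold=30.0, refusal_timeout=60.0)
    stale = AuthRequest("10.0.0.5", "aa:bb:cc:dd:ee:01", 7, 100, "192.0.2.10")
    good = AuthRequest("10.0.0.6", "aa:bb:cc:dd:ee:02", 8, 100, "192.0.2.10")
    out = []
    for t in (0.0, 5.0, 15.0, 31.0, 40.0, 91.0):
        out.append((t, "stale", lc.handle(stale, t)))
    out.append((0.0, "good", lc.handle(good, 0.0)))
    lc.record_online(good)      # the good user authenticated shortly afterwards
    out.append((8.0, "good", lc.handle(good, 8.0)))
    return out


if __name__ == "__main__":
    for t, who, verdict in demo():
        print(f"t={t:5.1f}s {who:5s} -> {verdict}")
```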
Further, after the line card performs attack message identification on authentication request packets that have not yet been authenticated, it can also classify the identified noise messages and normal messages and send the classified messages to the management engine, relieving the load on the management engine. The authentication request packets confirmed as noise messages or normal messages can first be stored in different buffer pools, noise messages in a noise message buffer pool and normal messages in a normal message buffer pool. For each authentication request packet confirmed as a noise message or a normal message, the classification proceeds as in steps 214-216:
Step 214: the line card determines whether the destination IP address of this authentication request packet is identical to the address of the authentication server; if not, go to step 215; if so, go to step 216.
Step 215: the line card determines that the type of this authentication request packet is a pseudo-connection class message.
Step 216: the line card determines that the type of this authentication request packet is a needs-authentication-online class message.
Further, the line card can not only classify the noise messages and normal messages determined after attack message identification, but can also classify all received messages. For each request message received at the ingress of the core device, it determines whether the destination IP address in the request message is identical to the address of the authentication server; if not identical, it determines that the request message is a pseudo-connection class message; if identical, it further determines whether the request message carries authentication information; if so, it determines that the request message is a needs-authentication-online class message, i.e. an authentication request packet; if not, it determines that the request message is a redirect class message.
The above process of classifying messages can specifically be performed by the web proxy module of the line card.
Further, after the web proxy module of the line card has classified the messages, it encapsulates the key information in the classified messages, such as source IP address, MAC address, PORT and VID, into a message format recognizable by the management engine and sends it through the control channel to the Web module of the management engine. The Web module of the management engine then only needs to process the simple messages reported by the line card, which speeds up message transmission, relieves the pressure on the management engine and improves message processing efficiency.
With the above method provided by Embodiment 1 of the present invention, attack messages among authentication request packets that have not yet been authenticated are identified and filtered by judging the relationship between the session duration of such a packet and the preset session aging duration, which avoids the slow authentication or authentication failures caused by a large number of attack messages and improves the processing efficiency of authentication requests. Furthermore, by classifying noise messages and normal messages, the load on the management engine is relieved, which further improves the processing efficiency of authentication requests.
Embodiment 2:
Fig. 3 is a flow chart of the attack message recognition method provided by Embodiment 2 of the present invention, which specifically comprises the following processing steps:
Step 301: the line card of the core device receives a request message.
Step 302: the line card classifies the received request message.
Specifically, for each request message received at the ingress of the core device, the line card determines whether the destination IP address in the request message is identical to the address of the authentication server; if not identical, it determines that the request message is a pseudo-connection class message; if identical, it further determines whether the request message carries authentication information; if so, it determines that the request message is a needs-authentication-online class message, i.e. an authentication request packet; if not, it determines that the request message is a redirect class message. The line card reports redirect class messages and pseudo-connection class messages to the management engine, which processes these two classes of messages accordingly; the messages determined to be needs-authentication-online class messages are the authentication request packets.
The process of classifying messages can specifically be performed by the web proxy module of the line card.
Step 303: for each authentication request packet after classification, obtain the attribute information of the authentication request packet.
In this step, the attribute information of the authentication request packet comprises the source Internet Protocol (IP) address, Media Access Control (MAC) address, authentication port (PORT) and VLAN ID (VID, Virtual Local Area Network ID) carried in the authentication request packet.
Step 304: the line card looks up whether the attribute information in this authentication request packet exists in the online user list; if so, go to step 305; if not, go to step 306.
The online user list stores the attribute information of authentication request packets that have passed authentication; the attribute information comprises source IP address, MAC address, PORT and VID. The core device records the attribute information of each authentication request packet that passes authentication in the online user list.
Step 305: the line card determines that this authentication request packet has been authenticated, allows the terminal that sent it to access the network, and forwards the terminal's traffic directly through the forwarding plane.
Step 306: the line card determines that this authentication request packet is a message that has not yet been authenticated.
Further, when performing authentication, the core device records the relevant information of any terminal that sends aggressive messages in a denial-of-service session list, and all messages sent by that terminal are regarded as attack messages. Therefore, after the line card determines that this authentication request packet has not yet been authenticated, it can further check whether the session of the authentication request packet is in the denial-of-service session list.
Step 307: the line card looks up, according to the address information in this authentication request packet, whether that address information exists in the denial-of-service session list; if so, go to step 308; if not, go to step 309.
The denial-of-service session list stores source IP addresses regarded as aggressive together with their corresponding destination IP addresses. The address information in an authentication request packet is its source IP address and destination IP address.
Step 308: the line card discards this authentication request packet.
In this step, if the line card finds the address information in the denial-of-service session list, the session of this authentication request packet is regarded as aggressive, so the line card discards the packet directly. Further, for each source IP address and corresponding destination IP address in the denial-of-service session list, a refusal session timer is allocated; when the refusal session timer expires, that source IP address and corresponding destination IP address are deleted from the denial-of-service session list.
Step 309: the line card allows the session corresponding to this authentication request.
Further, for each authentication request packet, the line card uniquely identifies a session by the source IP address and destination IP address in the packet, i.e. the session corresponding to each pair of source IP address and destination IP address has a unique identifier.
Step 310: the line card determines whether the session duration of this authentication request packet is greater than the preset noise identification duration; if not, go to step 311; if so, go to step 312.
The preset noise identification duration can be set flexibly according to the number of users at peak times and the load borne by the authentication server.
Step 311: the line card determines that this authentication request packet is a normal message.
After determining that this authentication request packet is a normal message, the line card sends it to the management engine at the normal message rate.
Step 312: the line card determines that this authentication request packet is a noise message and limits the rate at which the authentication request packet is sent to the management engine.
In a real network, when the access device suffers a link failure, a terminal responds slowly or the authentication server is overloaded, a normal request session may time out. To avoid normal authentication request packets being mistaken for attack messages while still controlling attack messages effectively, authentication request packets whose session duration exceeds the preset noise identification duration are treated as noise messages. Noise messages include normal request messages whose sessions have timed out, but may also include real attack messages that pose a threat. Because attack messages may be present among the noise messages and would seize the bandwidth of normal users and reduce the processing performance of the device, this step, after determining that an authentication request packet is a noise message, limits the rate at which the message is sent up to the management engine: the transmission rate is lowered so that noise messages are sent at a lower rate than normal messages, reducing the bandwidth consumed by noise messages reported to the management engine.
Step 313: the line card determines whether the session duration of this authentication request packet is greater than the preset session aging duration; if so, go to step 314; if not, go to step 315.
The preset session aging duration can be set flexibly according to the number of users at peak times and the load borne by the authentication server, and is greater than the preset noise identification duration.
Step 314: the line card determines that this authentication request packet is an attack message, disconnects its session, records the source IP address and destination IP address of the authentication request packet in the denial-of-service session list, and starts the refusal session timer.
Step 315: the line card determines that this authentication request packet is a noise message but not an attack message.
The purpose of comparing the session duration of this authentication request packet with the preset noise identification duration in step 310 above is to prevent an authentication request packet from being mistaken for an attack message when a downstream user's session duration exceeds the preset noise identification duration for reasons such as a slow terminal response or heavy packet loss on the downstream link. An authentication request packet confirmed as a noise message, whose session duration is greater than the preset noise identification duration but less than the preset session aging duration, has its transmission rate limited, but the processing of its authentication request is not affected; only if the user has still not come online through authentication within this period is the packet confirmed as an attack message.
Because the line card performs noise message and attack message identification on the traffic at the ingress, limits the rate at which noise messages are sent to the management engine, and denies service to attack messages, the interference of ingress noise messages can be prevented during malicious attacks and peak periods, ensuring that users can authenticate and access the network normally and thus improving the processing efficiency of authentication requests.
The process of identifying attack messages in steps 303-314 above can specifically be performed by the noise identification module of the line card.
With the above method provided by Embodiment 1 of the present invention, attack messages among authentication request packets that have not yet been authenticated are identified and filtered by judging the relationship between the session duration of such a packet and the preset session aging duration, which avoids the slow authentication or authentication failures caused by a large number of attack messages and improves the processing efficiency of authentication requests. Furthermore, by classifying noise messages and normal messages, the load on the management engine is relieved, which further improves the processing efficiency of authentication requests.
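As an added example that is not the patent's own code, the following Python simulation walks a request message through the line-card flow of Embodiment 2 (steps 301-315) together with the classification of steps 214-216 from Embodiment 1. The thresholds, rates, addresses and the trace in demo() are constructed values, and the session start time, which the patent does not specify, is assumed to be the moment the session is first permitted (step 309).

```python
# Added example, not code from the patent: simulation of the line-card decision flow
# (classification, online-user lookup, denial-of-service session list with refusal
# timer, noise/attack identification by session duration). All constants are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

AUTH_SERVER_IP = "10.0.0.1"   # constructed address of the authentication server
NOISE_DURATION = 5.0          # preset noise identification duration (seconds)
AGING_DURATION = 30.0         # preset session aging duration, must exceed NOISE_DURATION
REFUSAL_TIMEOUT = 60.0        # refusal session timer (seconds)
NORMAL_RATE = 1000            # packets/s allowed towards the management engine
NOISE_RATE = 50               # reduced rate for noise messages


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    mac: str
    port: int
    vid: int
    has_auth_info: bool


Attrs = Tuple[str, str, int, int]   # (source IP, MAC, PORT, VID), step 303
SessionKey = Tuple[str, str]        # (source IP, destination IP), step 309


@dataclass
class LineCard:
    online_users: Set[Attrs] = field(default_factory=set)                # authenticated users
    dos_sessions: Dict[SessionKey, float] = field(default_factory=dict)  # key -> timer expiry
    sessions: Dict[SessionKey, float] = field(default_factory=dict)      # key -> start time

    def classify(self, pkt: Packet) -> str:
        """Steps 302 / 214-216: classification by destination address and auth info."""
        if pkt.dst_ip != AUTH_SERVER_IP:
            return "pseudo_connection"   # reported to the management engine as-is
        if not pkt.has_auth_info:
            return "redirect"            # reported to the management engine as-is
        return "needs_auth"              # an authentication request packet

    def handle(self, pkt: Packet, now: float) -> Tuple[str, Optional[int]]:
        """Return (verdict, rate towards the management engine or None)."""
        cls = self.classify(pkt)
        if cls != "needs_auth":
            return cls, None
        attrs: Attrs = (pkt.src_ip, pkt.mac, pkt.port, pkt.vid)   # step 303
        if attrs in self.online_users:                             # steps 304/305
            return "authenticated", None   # forwarded directly by the forwarding plane
        key: SessionKey = (pkt.src_ip, pkt.dst_ip)                 # steps 306/307
        expiry = self.dos_sessions.get(key)
        if expiry is not None:
            if now < expiry:
                return "dropped", None                             # step 308
            del self.dos_sessions[key]     # refusal session timer expired: entry removed
        start = self.sessions.setdefault(key, now)                 # step 309
        duration = now - start
        if duration <= NOISE_DURATION:                             # steps 310/311
            return "normal", NORMAL_RATE
        if duration > AGING_DURATION:                              # steps 313/314
            del self.sessions[key]         # disconnect the session
            self.dos_sessions[key] = now + REFUSAL_TIMEOUT         # start refusal timer
            return "attack", None
        return "noise", NOISE_RATE                                 # steps 312/315

    def mark_authenticated(self, pkt: Packet) -> None:
        """The core device records an authenticated user's attributes in the online list."""
        self.online_users.add((pkt.src_ip, pkt.mac, pkt.port, pkt.vid))
        self.sessions.pop((pkt.src_ip, pkt.dst_ip), None)


def demo() -> List[str]:
    """Constructed trace: a slow but legitimate user and a source that never authenticates."""
    lc = LineCard()
    slow = Packet("192.0.2.10", AUTH_SERVER_IP, "aa:bb:cc:00:00:01", 1, 100, True)
    bad = Packet("192.0.2.99", AUTH_SERVER_IP, "aa:bb:cc:00:00:02", 1, 100, True)
    trace = []
    trace.append(lc.handle(slow, 0.0)[0])    # normal
    trace.append(lc.handle(slow, 10.0)[0])   # noise: rate-limited, but not yet an attack
    lc.mark_authenticated(slow)
    trace.append(lc.handle(slow, 12.0)[0])   # authenticated: forwarded directly
    trace.append(lc.handle(bad, 0.0)[0])     # normal
    trace.append(lc.handle(bad, 31.0)[0])    # attack: session exceeded the aging duration
    trace.append(lc.handle(bad, 40.0)[0])    # dropped via the denial-of-service session list
    trace.append(lc.handle(bad, 100.0)[0])   # refusal timer expired: a fresh session, normal
    return trace


if __name__ == "__main__":
    print(demo())
```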
Embodiment 3:
Based on the same inventive concept, and corresponding to the attack message recognition method provided by the above embodiments of the present invention, Embodiment 3 of the present invention further provides an attack message recognition device, whose structure is shown schematically in Fig. 4 and which specifically comprises:
A first determining unit 401, for determining, for an authentication request packet that has not yet been authenticated, the session duration of the authentication request packet;
A first comparing unit 402, for comparing the session duration of the authentication request packet with a preset session aging duration;
A second determining unit 403, for determining that the authentication request packet is an attack message when its session duration is greater than the preset session aging duration.
Further, the first determining unit 401 is specifically for obtaining the attribute information in the authentication request packet; looking up whether the attribute information in the authentication request packet exists in an online user list, which stores the attribute information of authentication request packets that have passed authentication; and, when the attribute information in the authentication request packet is not found, determining that the authentication request packet is a message that has not yet been authenticated.
Further, the above device also comprises:
A lookup unit 404, for looking up, after the authentication request packet is determined to be a message that has not yet been authenticated, the address information in the authentication request packet in a denial-of-service session list;
A session-permitting unit 405, for permitting the session corresponding to the authentication request packet to proceed when the address information is not found.
Further, the above device also comprises:
A second comparing unit 406, for comparing the session duration of the authentication request packet with a preset noise identification duration;
A third determining unit 407, for determining that the authentication request packet is a noise message when its session duration is greater than the preset noise identification duration, the preset noise identification duration being less than the preset session aging duration;
A limiting unit 408, for limiting the rate at which the authentication request packet is sent to the management engine;
A fourth determining unit 409, for confirming that the authentication request packet is a normal message when its session duration is not greater than the preset noise identification duration.
Further, the above device also comprises:
A classification unit 410, for classifying authentication request packets;
A reporting unit 411, for reporting the classified messages to the management engine.
Further, the classification unit 410 is specifically for determining, after the authentication request packet is confirmed to be a noise message or a normal message, whether the destination IP address in the authentication request packet is identical to the address of the authentication server; if identical, determining that the authentication request packet is a needs-authentication-online class message; if different, determining that the authentication request packet is a pseudo-connection class message; or
The classification unit 410 is specifically for receiving a request message before the session duration of the authentication request packet is determined; determining whether the destination IP address in the request message is identical to the address of the authentication server; if identical, determining that the authentication request packet is a needs-authentication-online class message; if not identical, determining whether the request message carries authentication information, and when the request message carries authentication information, determining that the request message is an authentication request packet, and when it does not carry authentication information, determining that the request message is a redirect class message.
The functions of the above units may correspond to the respective processing steps in the flows shown in Fig. 1 or Fig. 2, and are not repeated here.
Embodiment 4:
Based on the same inventive concept, and corresponding to the attack message recognition method provided by the above embodiments of the present invention, Embodiment 4 of the present invention further provides a core device, whose structure is shown schematically in Fig. 5 and which comprises a line card 501 and a management engine 502, wherein:
The line card 501 is for determining, for an authentication request packet that has not yet been authenticated, the session duration of the authentication request packet; comparing the session duration of the authentication request packet with a preset session aging duration; determining that the authentication request packet is an attack message when its session duration is greater than the preset session aging duration; determining that the authentication request packet is a non-attack message when its session duration is not greater than the preset session aging duration; classifying the non-attack messages; and sending the classified messages to the management engine.
The management engine 502 is for receiving the classified messages and processing them accordingly.
The further functions of the line card 501 and the management engine 502 included in the core device shown in Fig. 5 and provided in Embodiment 4 of the present invention may correspond to the respective processing steps in the flows shown in Fig. 1 and Fig. 2, and are not repeated here.
In summary, the scheme provided by the embodiments of the present invention comprises: for an authentication request packet that has not yet been authenticated, determining the session duration of the authentication request packet; comparing the session duration of the authentication request packet with a preset session aging duration; and, when the session duration of the authentication request packet is greater than the preset session aging duration, determining that the authentication request packet is an attack message. Adopting the scheme provided by the embodiments of the present invention improves the processing efficiency of authentication requests.
The attack message recognition device provided by the embodiments of the present application can be realized by a computer program. Those skilled in the art should understand that the above module division is only one of many possible module divisions; if the device is divided into other modules or not divided into modules at all, it still falls within the scope of protection of the present application as long as the attack message recognition device has the above functions.
The present application is described with reference to flow charts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flow charts and/or block diagrams, and combinations of flows and/or blocks in the flow charts and/or block diagrams, can be realized by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realizing the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific way, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, which realize the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions can also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device thus provide steps for realizing the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these changes and modifications.

Claims (13)

1. An attack message recognition method, characterized in that it comprises:
for an authentication request packet that has not yet been authenticated, determining the session duration of said authentication request packet;
comparing the session duration of said authentication request packet with a preset session aging duration;
when the session duration of said authentication request packet is greater than said preset session aging duration, determining that said authentication request packet is an attack message.
2. the method for claim 1, is characterized in that, determines that described authentication request packet is the message of unverified mistake, specifically comprises:
Obtain the attribute information in described authentication request packet;
At the attribute information searched in user list and whether exist in described authentication request packet of reaching the standard grade, described in reach the standard grade in user list and preserve by the attribute information of the authentication request packet of certification;
When not finding the attribute information in described authentication request packet, determine that described authentication request packet is the message of unverified mistake.
3. method as claimed in claim 2, is characterized in that, after determining that described authentication request packet is the message of unverified mistake, also comprise:
According to the address information in described authentication request packet, from denial of service session list, search described address information;
When not finding described address information, allow to carry out session corresponding to described authentication request packet.
4. the method for claim 1, is characterized in that, also comprises:
The session duration of described authentication request packet and default Noise Identification duration are compared;
When the session duration of described authentication request packet is greater than default Noise Identification duration, determine that described authentication request packet is noise message, described default Noise Identification duration is less than described default conversation aging duration;
The speed to be sent of management engine is sent to limit to described authentication request packet;
When the session duration of described authentication request packet is not more than default Noise Identification duration, determine that described authentication request packet is normal message.
5. method as claimed in claim 4, is characterized in that, also comprise:
Authentication request packet is classified;
Sorted message is reported described management engine.
6. method as claimed in claim 5, is characterized in that, describedly classifies to authentication request packet, specifically comprises:
After the described authentication request packet of confirmation is noise message or normal message, determine that whether the object IP address in described authentication request packet is identical with the address of certificate server; If identical, determine that described authentication request packet to be reached the standard grade class message for needing certification; If different, determine that described authentication request packet is for needing pseudo-connection class message; Or
Before determining the session duration of described authentication request packet, receive request message; Determine that whether the object IP address in described request message is identical with the address of certificate server; If identical, determine that described authentication request packet to be reached the standard grade class message for needing certification; If not identical, determining whether carry authentication information in described request message, when carrying authentication information in described request message, determining that described request message is authentication request packet, when not carrying authentication information in described request message, determine that described request message is attached most importance to orientation class message.
7. An attack message recognition device, characterized in that it comprises:
a first determining unit, for determining, for an authentication request packet that has not yet been authenticated, the session duration of said authentication request packet;
a first comparing unit, for comparing the session duration of said authentication request packet with a preset session aging duration;
a second determining unit, for determining that said authentication request packet is an attack message when the session duration of said authentication request packet is greater than said preset session aging duration.
8. The device of claim 7, characterized in that said first determining unit is specifically for obtaining the attribute information in said authentication request packet; looking up whether the attribute information in said authentication request packet exists in an online user list, said online user list storing the attribute information of authentication request packets that have passed authentication; and, when the attribute information in said authentication request packet is not found, determining that said authentication request packet is a message that has not yet been authenticated.
9. The device of claim 8, characterized in that it further comprises:
a lookup unit, for looking up, after said authentication request packet is determined to be a message that has not yet been authenticated, said address information in a denial-of-service session list according to the address information in said authentication request packet;
a session-permitting unit, for permitting the session corresponding to said authentication request packet to proceed when said address information is not found.
10. The device of claim 7, characterized in that it further comprises:
a second comparing unit, for comparing the session duration of said authentication request packet with a preset noise identification duration;
a third determining unit, for determining that said authentication request packet is a noise message when the session duration of said authentication request packet is greater than the preset noise identification duration, said preset noise identification duration being less than said preset session aging duration;
a limiting unit, for limiting the rate at which said authentication request packet is sent to a management engine;
a fourth determining unit, for confirming that said authentication request packet is a normal message when the session duration of said authentication request packet is not greater than the preset noise identification duration.
11. The device of claim 10, characterized in that it further comprises:
a classification unit, for classifying authentication request packets;
a reporting unit, for reporting the classified messages to said management engine.
12. The device of claim 11, characterized in that said classification unit is specifically for determining, after said authentication request packet is confirmed to be a noise message or a normal message, whether the destination IP address in said authentication request packet is identical to the address of an authentication server; if identical, determining that said authentication request packet is a needs-authentication-online class message; if different, determining that said authentication request packet is a pseudo-connection class message; or
said classification unit is specifically for receiving a request message before the session duration of said authentication request packet is determined; determining whether the destination IP address in said request message is identical to the address of the authentication server; if identical, determining that said authentication request packet is a needs-authentication-online class message; if not identical, determining whether said request message carries authentication information, and when said request message carries authentication information, determining that said request message is an authentication request packet, and when said request message does not carry authentication information, determining that said request message is a redirect class message.
13. A core device, characterized in that it comprises a line card and a management engine, wherein:
said line card comprises the device of any one of claims 8-12;
said management engine is for receiving the classified messages sent by the CPU of said line card and processing them accordingly.
Application CN201510025919.0A, filed 2015-01-19 (priority date 2015-01-19): Attack message recognition method, device and core device. Active; granted as CN104601578B.

Publications (2)

Publication Number Publication Date
CN104601578A 2015-05-06
CN104601578B 2018-05-22

Family

ID=53127084

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510025919.0A Active CN104601578B (en) 2015-01-19 2015-01-19 A kind of attack message recognition methods, device and core equipment

Country Status (1)

Country Link
CN (1) CN104601578B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070106894A1 (en) * 2004-04-15 2007-05-10 Yibo Zhang Communication device, communication system and authentication method
CN101018233A (en) * 2007-03-20 2007-08-15 杭州华为三康技术有限公司 Session control method and control device
CN101567848A (en) * 2009-06-01 2009-10-28 北京星网锐捷网络技术有限公司 Safety control method and exchanger
CN103457953A (en) * 2013-09-11 2013-12-18 重庆大学 Handling mechanism preventing 802.1X protocol attack under security access mode of port
CN104113548A (en) * 2014-07-24 2014-10-22 杭州华三通信技术有限公司 Authentication message processing method and device

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105187538A (en) * 2015-09-14 2015-12-23 北京星网锐捷网络技术有限公司 Web authentication noise processing method and processing device
CN105553971A (en) * 2015-12-11 2016-05-04 福建星网锐捷网络有限公司 Method, device and system for processing authentication packet
CN105553971B (en) * 2015-12-11 2019-06-14 福建星网锐捷网络有限公司 A kind of processing message identifying method, apparatus and system
WO2020221095A1 (en) * 2019-04-29 2020-11-05 华为技术有限公司 Network access control method and device
US11909738B2 (en) 2019-04-29 2024-02-20 Huawei Technologies Co., Ltd. Network access control method and device
CN110071939A (en) * 2019-05-05 2019-07-30 江苏亨通工控安全研究院有限公司 The improved method in industrial network is protected for traditional DDOS firewall SYN FLOOD
CN110071939B (en) * 2019-05-05 2021-06-29 江苏亨通工控安全研究院有限公司 Improvement method for SYN FLOOD protection of traditional DDOS firewall in industrial network

Also Published As

Publication number Publication date
CN104601578B (en) 2018-05-22

Similar Documents

Publication Publication Date Title
CN101136922B (en) Service stream recognizing method, device and distributed refusal service attack defending method, system
CN105635084B (en) Terminal authentication apparatus and method
CN110830447A (en) SPA single packet authorization method and device
CN103248472A (en) Operation request processing method and system and attack identification device
CN110830446B (en) SPA security verification method and device
CN101888329B (en) Address resolution protocol (ARP) message processing method, device and access equipment
US20140344573A1 (en) Decrypting Files for Data Leakage Protection in an Enterprise Network
CN102404741B (en) Method and device for detecting abnormal online of mobile terminal
CN104601568A (en) Virtual security isolation method and device
WO2009140889A1 (en) Data transmission control method and data transmission control apparatus
KR20180118610A (en) Network Management
CN106790299B (en) Wireless attack defense method and device applied to wireless Access Point (AP)
CN104601578A (en) Recognition method and device for attack message and core device
CN107800723A (en) CC attack guarding methods and equipment
CN107070893A (en) A kind of power distribution network terminal IEC101 protocol massages certification method of discrimination
CN103067384A (en) Threat processing method, system, linkage client, safety equipment and host
CN103347031A (en) Method and equipment for preventing address resolution protocol (ARP) message attack
Feng et al. Snort improvement on profinet RT for industrial control system intrusion detection
Kang et al. Whitelists based multiple filtering techniques in SCADA sensor networks
CN102045310A (en) Industrial Internet intrusion detection as well as defense method and device
CN102624724B (en) Security gateway and method for securely logging in server by gateway
CN106537962B (en) Wireless network configuration, access and access method, device and equipment
TWI676115B (en) System and method for managing certification for cloud service system
CN106209894A (en) A kind of method based on NGINX unified certification and system
CN103685134A (en) WLAN (Wireless Local Area Network) resource access control method and WLAN resource access control device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: Cangshan District of Fuzhou City, Fujian province 350002 Jinshan Road No. 618 Garden State Industrial Park 19 floor

Patentee after: RUIJIE NETWORKS CO., LTD.

Address before: Cangshan District of Fuzhou City, Fujian province 350002 Jinshan Road No. 618 Garden State Industrial Park 19 floor

Patentee before: Beijing Star-Net Ruijie Networks Co.,Ltd.