CN104683319A - Method and device for clearing firewall conversation and network equipment - Google Patents

Method and device for clearing firewall conversation and network equipment

Info

Publication number
CN104683319A
Authority
CN
China
Prior art keywords
session
firewall
session identification
user
sessions
Prior art date
Legal status
Pending
Application number
CN201310643323.8A
Other languages
Chinese (zh)
Inventor
王海雷
Current Assignee
China Mobile Group Guangdong Co Ltd
Original Assignee
China Mobile Group Guangdong Co Ltd

Classifications

    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security)
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network architectures or network communication protocols for network security)

Abstract

Embodiments of the invention provide a method, a device and a network device for clearing firewall sessions. The method comprises the following steps: when a user goes offline, a first session identifier of a first firewall session corresponding to the user is obtained, and a firewall is controlled to clear the first firewall session according to the first session identifier. In this way, when the user is a malicious attacker of the service carried by the firewall session, the firewall has already cleared that session by the time a new user accesses the network through the same private network IP address and public network address, so the new user is not innocently subjected to a traffic attack through that service. The approach is not tied to a specific protocol, so it can prevent traffic attacks caused by defects of the GTP (GPRS Tunnelling Protocol) as well as traffic attacks caused by defects of non-GTP protocols.

Description

Method, device and network device for clearing firewall sessions
Technical field
The present invention relates to the field of data services, and in particular to a method, a device and a network device for clearing firewall sessions.
Background
2G/3G/4G subscribers use GPRS/LTE data services in every aspect of work and life, and data has become one of the most important mobile services. Under volume-based online charging, however, a malicious attack hidden in GPRS/LTE networks, the GPRS Over-Billing Attack (GOA, also called a GPRS user traffic attack), not only makes subscribers' data bills explode but also generates billing complaints and disputes between subscribers and the operator.
The principle of GOA is described with reference to Fig. 1:
A malicious attacker first goes online through the GPRS or LTE network (referred to as GPRS below, since the 2G/3G/4G protocol principles are essentially the same) and accesses an attack server at 202.1.1.1 on the Internet. The GGSN/SAE-GW (referred to as GGSN below) assigns the attacker the private IP address 10.1.1.1, which the firewall maps to the public address 202.10.1.1 towards the Internet; the attacker then arranges for downstream traffic, such as a UDP video stream, to be sent to that address. After the attacker goes offline, a normal subscriber comes online through the GPRS network, is assigned the same private address 10.1.1.1, and is again mapped by the firewall to the public address 202.10.1.1. A typical firewall needs minutes to tens of minutes to age out a NAT mapping on its own, so at this point the mapping has not been removed: downstream traffic such as the UDP video stream is still arriving at the public address, and the new subscriber immediately receives the data stream from the attack server 202.1.1.1 (for example a high-rate UDP stream). The innocent subscriber thus incurs excess traffic, and a traffic attack breaks out.
Referring to Fig. 2, the current GPRS user traffic attack control scheme relies mainly on a dedicated GPRS firewall. In the GPRS architecture, the root cause of security threats to the carrier network is the lack of inherent security in the GPRS Tunnelling Protocol (GTP), the protocol used between GPRS Support Nodes (GSNs). Communication between different GPRS networks is likewise insecure, because GTP provides no authentication, data integrity or confidentiality protection; a GPRS firewall is therefore used to harden GTP and prevent GPRS traffic attacks. The dedicated GPRS firewall uses stateful inspection and, combined with policies such as rate limiting, traffic integrity checks, traffic logging and traffic accounting, provides a solution that not only protects the GPRS network infrastructure from denial-of-service attacks and theft of user information, but also controls the access rights of external users and the network access of roaming partners.
However, this existing scheme is designed mainly around GTP protocol defects and lacks generality.
Glossary:
GPRS: General Packet Radio Service, a wireless packet-switched technology based on the GSM system that provides end-to-end, wide-area wireless IP connectivity.
LTE: Long Term Evolution, the evolution of the UMTS standard established by 3GPP, commonly referred to as 4G.
GGSN: Gateway GPRS Support Node, which mainly acts as a gateway and can connect to several different data networks, such as ISDN, PSPDN and LANs.
SAE-GW: the network element formed when the S-GW and the P-GW are co-located. The S-GW is the user-plane access gateway of the SAE network, equivalent to the user-plane function of the traditional SGSN. The P-GW is the border gateway of the SAE network, providing bearer control, charging, address allocation and non-3GPP access; it is equivalent to the traditional GGSN.
GTP: GPRS Tunnelling Protocol, an important protocol in 2G/3G/4G communications.
3GPP releases: Release 99, Release 4 through Release 9, and later versions.
Summary of the invention
In view of this, the embodiments of the present invention aim to provide a method, a device and a network device for clearing firewall sessions, so as to provide a way of preventing traffic attacks that is not tied to a specific protocol.
To solve the above technical problem, the embodiments of the present invention provide the following solutions.
An embodiment of the present invention provides a method for clearing firewall sessions, comprising:
when a user goes offline, obtaining a first session identifier of a first firewall session corresponding to the user; and
controlling a firewall to clear the first firewall session according to the first session identifier.
Preferably, obtaining the first session identifier of the first firewall session corresponding to the user comprises:
obtaining the terminal number and the private network IP address of the user sent by a gateway device; and
determining the first session identifier according to the terminal number and the private network IP address.
Preferably, determining the first session identifier according to the terminal number and the private network IP address comprises:
determining, according to the terminal number and the private network IP address, the session identifiers of all firewall sessions corresponding to the user; and
selecting the first session identifier from the session identifiers of all the firewall sessions according to a preset firewall session selection strategy.
Preferably, selecting the first session identifier from the session identifiers of all the firewall sessions according to the preset firewall session selection strategy specifically comprises:
generating, according to the session identifiers of all the firewall sessions and a preset session control policy, session state information corresponding to each of those session identifiers; and
selecting, from the session identifiers of all the firewall sessions, a session identifier whose session state information meets a first preset condition as the first session identifier.
Preferably, the user is all users corresponding to the firewall who went offline within a set period, and selecting the first session identifier from the session identifiers of all the firewall sessions according to the preset firewall session selection strategy specifically comprises:
judging whether the number of all the firewall sessions exceeds a preset threshold, to obtain a judgment result; and
when the judgment result is yes, selecting, from the session identifiers of all the firewall sessions, a session identifier whose firewall session meets a second preset condition as the first session identifier.
Preferably, the first firewall session is all of the firewall sessions corresponding to the user.
An embodiment of the present invention also provides a device for clearing firewall sessions, comprising:
an acquisition module, configured to obtain, when a user goes offline, a first session identifier of a first firewall session corresponding to the user; and
a control module, configured to control a firewall to clear the first firewall session according to the first session identifier.
Preferably, the acquisition module comprises:
an acquiring unit, configured to obtain the terminal number and the private network IP address of the user sent by a gateway device; and
a determining unit, configured to determine the first session identifier according to the terminal number and the private network IP address.
Preferably, the determining unit comprises:
a determining sub-unit, configured to determine, according to the terminal number and the private network IP address, the session identifiers of all firewall sessions corresponding to the user; and
a selecting sub-unit, configured to select the first session identifier from the session identifiers of all the firewall sessions according to a preset firewall session selection strategy.
Preferably, the selecting sub-unit specifically comprises:
a generating unit, configured to generate, according to the session identifiers of all the firewall sessions and a preset session control policy, session state information corresponding to each of those session identifiers; and
a first selecting unit, configured to select, from the session identifiers of all the firewall sessions, a session identifier whose session state information meets a first preset condition as the first session identifier.
Preferably, the user is all users corresponding to the firewall who went offline within a set period, and the selecting sub-unit specifically comprises:
a judging unit, configured to judge whether the number of all the firewall sessions exceeds a preset threshold, to obtain a judgment result; and
a second selecting unit, configured to select, when the judgment result is yes, from the session identifiers of all the firewall sessions, a session identifier whose firewall session meets a second preset condition as the first session identifier.
Preferably, the first firewall session is all of the firewall sessions corresponding to the user.
An embodiment of the present invention also provides a network device comprising the above device for clearing firewall sessions.
As can be seen from the above, the embodiments of the present invention have at least the following beneficial effect:
When the user is a malicious attacker of the service carried by the firewall session, and a new user accesses the network through the user's private network IP address and public network address, the firewall has already cleared the firewall session, which prevents the new user from innocently suffering a traffic attack through that service. The approach is not tied to a specific protocol, so it can prevent traffic attacks caused by GTP protocol defects as well as traffic attacks caused by non-GTP protocol defects.
Brief description of the drawings
Fig. 1 is a schematic diagram of GOA;
Fig. 2 is a schematic diagram of the prior art, in which a dedicated GPRS firewall deployed at the Gn/Gp nodes cooperates closely with the ordinary firewall deployed at the Gi node to block GOA attacks;
Fig. 3 is a flow chart of the steps of a method for clearing firewall sessions provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of the GPRS user traffic attack control system of the preferred embodiment;
Fig. 5 is the GPRS user traffic attack control flow of the preferred embodiment;
Fig. 6 is a schematic structural diagram of a device for clearing firewall sessions provided by an embodiment of the present invention.
Detailed description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the embodiments are described in detail below with reference to the drawings and specific embodiments.
Fig. 3 is a flow chart of the steps of a method for clearing firewall sessions provided by an embodiment of the present invention. With reference to Fig. 3, the method comprises the following steps:
Step 301: when a user goes offline, obtain a first session identifier of a first firewall session corresponding to the user;
Step 302: according to the first session identifier, control a firewall to clear the first firewall session.
It can be seen that in this way, when the user is a malicious attacker of the service carried by the firewall session, and a new user accesses the network through the user's private network IP address and public network address, the firewall has already cleared the firewall session, which prevents the new user from innocently suffering a traffic attack through that service. The approach is not tied to a specific protocol, so it can prevent traffic attacks caused by GTP protocol defects as well as traffic attacks caused by non-GTP protocol defects.
The first firewall session may be all or some of the firewall sessions corresponding to the user.
Controlling the firewall to clear the first firewall session according to the first session identifier may comprise:
sending a session clear command containing the first session identifier to the firewall, so that after receiving the session clear command the firewall can parse the first session identifier out of the command and clear the first firewall session.
The method may be applied on the GGSN, on the firewall, or on another network device connected to the GGSN and the firewall.
In the embodiments of the present invention, obtaining the first session identifier of the first firewall session corresponding to the user may comprise:
obtaining the terminal number and the private network IP address of the user sent by a gateway device; and
determining the first session identifier according to the terminal number and the private network IP address.
The gateway device is, for example, a GGSN or an SAE-GW.
The terminal is, for example, a mobile phone.
Determining the first session identifier according to the terminal number and the private network IP address may comprise:
determining, according to the terminal number and the private network IP address, the session identifiers of all firewall sessions corresponding to the user; and
selecting the first session identifier from the session identifiers of all the firewall sessions according to a preset firewall session selection strategy.
Selecting the first session identifier from the session identifiers of all the firewall sessions according to the preset firewall session selection strategy may specifically comprise:
generating, according to the session identifiers of all the firewall sessions and a preset session control policy, session state information corresponding to each of those session identifiers; and
selecting, from the session identifiers of all the firewall sessions, a session identifier whose session state information meets a first preset condition as the first session identifier.
Alternatively, considering that clearing a large number of sessions at once may degrade firewall performance, the following may apply:
the user is all users corresponding to the firewall who went offline within a set period, and selecting the first session identifier from the session identifiers of all the firewall sessions according to the preset firewall session selection strategy specifically comprises:
judging whether the number of all the firewall sessions exceeds a preset threshold, to obtain a judgment result; and
when the judgment result is yes, selecting, from the session identifiers of all the firewall sessions, a session identifier whose firewall session meets a second preset condition as the first session identifier.
Further, the method may also comprise:
when the judgment result is no, taking the session identifiers of all the firewall sessions as the firewall sessions related to the user that need to be cleared.
To explain the embodiments of the present invention clearly, a preferred embodiment is given below.
This preferred embodiment provides a mobile GPRS traffic attack control device and method, implemented through the following technical solution:
A GPRS Session Security Management (G2SM) device is introduced into the GPRS user traffic attack control scheme to manage the sessions of users going online and offline, thereby solving the user traffic attack problem. Using the GPRS user offline information obtained from the GGSN system, G2SM notifies the firewall through its firewall interface module to clear that user's sessions, eliminating the various latent traffic attack risks.
This preferred embodiment is described in detail below with reference to the drawings.
Fig. 4 shows the GPRS user traffic attack control system, which mainly involves a GPRS session security management control centre, a GGSN acquisition module, a firewall interface module and a message processing module. These modules may be integrated in the GGSN, integrated in the firewall, or placed in another network device connected to the GGSN and the firewall.
They are described as follows:
Session security management control centre: defines the controlled GGSN device interface(s), the firewall device interface(s) and the specific policies for the GPRS user sessions to be controlled; it is the core of the whole G2SM system.
User information acquisition module: mainly collects from the GGSN the information of users who have just gone offline (within the last 1-3 seconds, for example) and forwards it to the message processing module; it is the only interface between the G2SM system and the GGSN.
Message processing module: after receiving user offline information, checks the policy in use at the session security management control centre and forwards the information to the corresponding firewall interface module for processing.
Firewall interface module: according to the information of the user who has just gone offline (such as the IP address), instructs the corresponding firewall to clear the sessions of that private network IP address and feeds the result back to the message processing module. It can also limit the number of user sessions cleared at once according to the type and performance of each firewall, so as to keep the firewall in an optimal state.
With reference to Fig. 5, the specific flow of GPRS user traffic attack control is described below, taking as an example user #1 going offline after a GPRS session and user #2 then being assigned the same private address.
The flow is as follows:
Step 1: user #1 goes online from a mobile phone. The GPRS equipment assigns user #1 the private network IP address 172.1.1.1, which the firewall maps to the public address 211.1.1.1 at the CMNET public network egress, and user #1 accesses an external server (for example, receiving a UDP video stream). After user #1 goes offline, downstream traffic such as the UDP video stream is still arriving at 211.1.1.1 and the firewall NAT mapping has not been torn down (a typical firewall needs minutes to tens of minutes to tear it down by itself). When user #2 goes online and is assigned the same address 172.1.1.1, user #2 immediately receives the session the firewall has not cleared, such as a high-rate UDP stream; the innocent user #2 incurs excess traffic, and a traffic attack breaks out.
Step 2: after user #1 goes offline, G2SM immediately obtains user #1's offline information (phone number, private network IP address, etc.) from the GGSN and reports it to the GPRS session security control centre. According to the session control policy predefined at the GPRS session security control centre, user #1's IP address, session state and other information is passed through the message processing module to the firewall interface module.
Step 3: the firewall interface module notifies the corresponding firewall, using user #1's private network IP address, session state and other information, to clear all of user #1's sessions or the specified sessions.
Step 4: user #2 now goes online, is assigned the same address 172.1.1.1 with the same public mapping 211.1.1.1, and can access the Internet normally.
Step 5: because user #1's sessions have already been actively torn down by G2SM, no traffic attack against user #2 occurs.
This completes the GPRS user traffic attack control flow.
Without changing the existing GPRS network structure or introducing a new point of failure, this preferred embodiment can still control GPRS user traffic attacks, including those caused by non-GTP protocol defects, by managing GGSN user sessions; it reduces user complaints about usage and billing and improves network service quality.
This preferred embodiment proposes a completely new, efficient and practical approach to GPRS user traffic attack control. In particular, it:
proposes building a user session security management system, G2SM, in the GPRS network; the flexibility and ease of use of G2SM make full use of the existing network equipment, and G2SM is the core device for real-time prevention and control of GPRS user traffic attacks;
proposes a way of obtaining user information from the GGSN for processing;
proposes a way of preventing GPRS traffic attacks that runs from the GPRS user going offline through to the clearing of firewall sessions;
proposes a way of handling the performance impact that clearing user sessions has on the firewall.
In this preferred embodiment, user offline information is obtained from the GGSN, and the firewall is then notified through an API interface to clear the user's sessions under that APN; according to the firewall's live-network performance indicators, G2SM can control the number of concurrent user sessions cleared on the firewall.
The advantages of this preferred embodiment are:
The G2SM scheme provides a GPRS user session security control centre that can resolve not only the traffic attacks caused by GTP protocol defects in the GPRS network but also the traffic attacks caused by non-GTP protocol defects;
The G2SM scheme is completely transparent to GPRS users, whose usage is entirely unaffected;
The G2SM scheme uses an open hardware architecture with no theoretical processing limit: as long as the firewall that accepts the session clear requests has some spare capacity, any number of offline users can be processed;
The G2SM device is attached to the GPRS network in parallel and does not change the existing network structure;
The G2SM system works out of band; if the system fails, the existing GPRS network is not affected at all;
The G2SM scheme makes full use of the ordinary firewalls already in the GPRS network and needs no additional dedicated firewall;
The G2SM scheme is highly extensible: using the user information G2SM obtains, combined with GGSN and firewall logs, multiple applications can be developed (such as a user behaviour analysis module and a traffic attack sensing module).
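The traffic attack sensing module mentioned above is not specified further in the patent. As an added example (not the patent's code), the detection logic below correlates GGSN online/offline records with firewall session records to flag sessions that are still carrying significant downstream traffic after the private IP that opened them has been handed to a different subscriber, which is exactly the GOA condition the G2SM flow is meant to prevent. The log line formats, field names, MSISDNs and the byte threshold are constructed assumptions; the addresses follow the patent's Fig. 5 example.

```python
"""Added example: detect GOA-style stale sessions by correlating GGSN and firewall
logs. The log formats below are constructed for this illustration, not a real
device's; the addresses are the ones from the patent's Fig. 5 example."""
import re
from datetime import datetime

# Constructed sample records, one per line, oldest first. In an FW record,
# bytes_down is the downstream byte count since the previous record for that session.
SAMPLE_LOG = """\
2013-12-01T10:00:00 GGSN online msisdn=13800000001 ip=172.1.1.1
2013-12-01T10:00:01 FW session id=fw-17 src=202.1.1.1 dst=211.1.1.1 priv=172.1.1.1 proto=udp bytes_down=40960
2013-12-01T10:02:00 FW session id=fw-17 src=202.1.1.1 dst=211.1.1.1 priv=172.1.1.1 proto=udp bytes_down=52428800
2013-12-01T10:02:30 GGSN offline msisdn=13800000001 ip=172.1.1.1
2013-12-01T10:02:35 GGSN online msisdn=13800000002 ip=172.1.1.1
2013-12-01T10:03:00 FW session id=fw-17 src=202.1.1.1 dst=211.1.1.1 priv=172.1.1.1 proto=udp bytes_down=10485760
2013-12-01T10:03:00 FW session id=fw-21 src=198.51.100.7 dst=211.1.1.1 priv=172.1.1.1 proto=tcp bytes_down=512
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>GGSN|FW) (?P<event>\w+) (?P<kv>.+)$")


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "event": m["event"]}
    rec.update(pair.split("=", 1) for pair in m["kv"].split())
    return rec


def find_stale_sessions(log_text, min_bytes=1_000_000):
    """Return (session_id, private_ip, opened_by, current_user, bytes_down, ts) for
    every firewall record in which the session still delivers at least min_bytes
    downstream although the private IP now belongs to someone other than the
    subscriber who held it when the session was first seen (None = not reassigned yet).
    The assumed byte threshold filters out the trickle of a dying session."""
    owner = {}       # private IP -> MSISDN currently holding it, None after offline
    opened_by = {}   # firewall session id -> MSISDN that held the IP when first seen
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src"] == "GGSN":
            if rec["event"] == "online":
                owner[rec["ip"]] = rec["msisdn"]
            elif rec["event"] == "offline":
                owner[rec["ip"]] = None
            continue
        if rec["event"] != "session":
            continue
        sid, priv = rec["id"], rec["priv"]
        current = owner.get(priv)
        first_owner = opened_by.setdefault(sid, current)
        nbytes = int(rec["bytes_down"])
        if current != first_owner and nbytes >= min_bytes:
            findings.append((sid, priv, first_owner, current, nbytes, rec["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for f in find_stale_sessions(SAMPLE_LOG):
        print("stale session %s on %s opened by %s now hitting %s: %d bytes at %s" % f)
```

On the sample log the only finding is `fw-17`, the UDP stream user #1 started, still pushing 10 MiB per interval into 172.1.1.1 after that address was given to user #2; `fw-21` is user #2's own session and is not reported. The correlation relies on the firewall logging each session at least once while its original owner still holds the address; a session whose first record appears only after the reassignment would be attributed to the new user, so in practice the session table should be snapshotted at the offline event, which is what the G2SM lookup in step 2 provides.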
The existing GPRS user traffic attack control scheme has the following defects:
Limited protection: the dedicated GPRS firewall is designed mainly around GTP protocol defects and is of limited use against traffic attacks outside GTP;
Limited processing capacity: the processing performance of the dedicated GPRS firewall itself is generally limited, so it easily becomes a bottleneck with a large subscriber base;
Network structure: the dedicated GPRS firewall must be inserted in series, which requires changes to the existing network structure;
Fault maintenance: the dedicated GPRS firewall must be deployed at the Gn and Gp nodes, introducing new points of failure into the GPRS core network;
Low resource utilisation: on top of the ordinary firewalls already deployed, the GPRS network must add a dedicated GPRS firewall before GPRS user traffic attacks can be prevented.
This preferred embodiment makes up for the shortcoming that existing GPRS traffic attack control can only use a dedicated GPRS firewall, improves the practicality of GPRS traffic attack control, and at the same time addresses traffic attacks caused by non-GTP protocol defects.
The embodiment of the present invention also provides a kind of device removing firewall session, comprising:
Acquisition module 601, during for user offline, obtains the first session identification of the first firewall session corresponding to described user;
Control module 602, for according to described first session identification, controls fire compartment wall and removes described first firewall session.
Visible, by the way, when described user is the malicious attacker of the corresponding business of firewall session, when new user is by the private network IP address of described user and public network address accesses network, fire compartment wall removes firewall session, thus an innocent person is subject to the problem of flow attacking because of this business to prevent new user.Aforesaid way not for specific protocol, thus both can prevent the flow attacking that GTP agreement defect causes, and can prevent again the flow attacking that non-GTP agreement defect causes.
Here, the acquisition module 601 may comprise:
an acquiring unit, for obtaining the terminal number and the private-network IP address of the user, as sent by the gateway device;
a determining unit, for determining the first session identification according to the terminal number and the private-network IP address.
The determining unit may comprise:
a determining subunit, for determining, according to the terminal number and the private-network IP address, the session identifications of all firewall sessions corresponding to the user;
a selecting subunit, for selecting the first session identification from the session identifications of all those firewall sessions according to a preset firewall session selection strategy.
The selecting subunit may specifically comprise:
a generating unit, for generating, according to the session identifications of all the firewall sessions and a preset session control policy, the session state information corresponding to each of those session identifications;
a first selecting unit, for selecting, from the session identifications of all the firewall sessions, those whose corresponding session state information meets a first preset condition, as the first session identification.
Alternatively, there may be the following:
the user is all users corresponding to the firewall who went offline within a set time period, and the selecting subunit specifically comprises:
a judging unit, for judging whether the number of sessions among all the firewall sessions exceeds a preset threshold, obtaining a judgment result;
a second selecting unit, for selecting, when the judgment result is yes, from the session identifications of all the firewall sessions, those whose corresponding firewall session meets a second preset condition, as the first session identification.
In addition, the first firewall session may be all or part of the firewall sessions corresponding to the user.
The embodiment of the present invention also provides a network device comprising the above-described device for clearing firewall sessions. The network device is, for example, a GGSN, a firewall, or another network device connected to both the GGSN and the firewall.
The above describes only the implementation modes of the embodiments of the present invention. It should be understood that those skilled in the art can make some improvements and modifications without departing from the principle of the embodiments of the present invention, and these improvements and modifications should also be considered within the protection scope of the embodiments of the present invention.

Claims (13)

1. A method for clearing a firewall session, characterized in that it comprises:
when a user goes offline, obtaining a first session identification of a first firewall session corresponding to the user;
according to the first session identification, controlling a firewall to clear the first firewall session.
2. The method of claim 1, characterized in that obtaining the first session identification of the first firewall session corresponding to the user comprises:
obtaining the terminal number and the private-network IP address of the user sent by a gateway device;
determining the first session identification according to the terminal number and the private-network IP address.
3. The method of claim 2, characterized in that determining the first session identification according to the terminal number and the private-network IP address comprises:
determining, according to the terminal number and the private-network IP address, the session identifications of all firewall sessions corresponding to the user;
selecting the first session identification from the session identifications of all the firewall sessions according to a preset firewall session selection strategy.
4. The method of claim 3, characterized in that selecting the first session identification from the session identifications of all the firewall sessions according to the preset firewall session selection strategy specifically comprises:
generating, according to the session identifications of all the firewall sessions and a preset session control policy, the session state information corresponding to each of those session identifications;
selecting, from the session identifications of all the firewall sessions, those whose corresponding session state information meets a first preset condition, as the first session identification.
5. The method of claim 3, characterized in that the user is all users corresponding to the firewall who went offline within a set time period, and selecting the first session identification from the session identifications of all the firewall sessions according to the preset firewall session selection strategy specifically comprises:
judging whether the number of sessions among all the firewall sessions exceeds a preset threshold, obtaining a judgment result;
when the judgment result is yes, selecting, from the session identifications of all the firewall sessions, those whose corresponding firewall session meets a second preset condition, as the first session identification.
6. The method of claim 1, characterized in that the first firewall session is all the firewall sessions corresponding to the user.
7. A device for clearing a firewall session, characterized in that it comprises:
an acquisition module, for obtaining, when a user goes offline, a first session identification of a first firewall session corresponding to the user;
a control module, for controlling, according to the first session identification, a firewall to clear the first firewall session.
8. The device of claim 7, characterized in that the acquisition module comprises:
an acquiring unit, for obtaining the terminal number and the private-network IP address of the user sent by a gateway device;
a determining unit, for determining the first session identification according to the terminal number and the private-network IP address.
9. The device of claim 8, characterized in that the determining unit comprises:
a determining subunit, for determining, according to the terminal number and the private-network IP address, the session identifications of all firewall sessions corresponding to the user;
a selecting subunit, for selecting the first session identification from the session identifications of all the firewall sessions according to a preset firewall session selection strategy.
10. The device of claim 9, characterized in that the selecting subunit specifically comprises:
a generating unit, for generating, according to the session identifications of all the firewall sessions and a preset session control policy, the session state information corresponding to each of those session identifications;
a first selecting unit, for selecting, from the session identifications of all the firewall sessions, those whose corresponding session state information meets a first preset condition, as the first session identification.
11. The device of claim 9, characterized in that the user is all users corresponding to the firewall who went offline within a set time period, and the selecting subunit specifically comprises:
a judging unit, for judging whether the number of sessions among all the firewall sessions exceeds a preset threshold, obtaining a judgment result;
a second selecting unit, for selecting, when the judgment result is yes, from the session identifications of all the firewall sessions, those whose corresponding firewall session meets a second preset condition, as the first session identification.
12. The device of claim 7, characterized in that the first firewall session is all the firewall sessions corresponding to the user.
13. A network device, characterized in that it comprises the device for clearing a firewall session according to any one of claims 7 to 12.
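A worked model of the procedure described above (acquisition module, determining unit, selecting subunit and control module) and of claims 1 to 6, as an added example that is not code from the patent or its assignee. It assumes a firewall that exposes a session table and a clear-by-session-id interface, a gateway that reports the user's terminal number (taken here to be an MSISDN-style string) and private-network IP when the user goes offline, a session control policy that labels each session from its inbound byte count and idle time, and a binding check that refuses a late offline notice once the private address has been reassigned; the class names, thresholds, conditions and sample sessions are all constructed.

```python
# Added example (not the patent's code): clear a subscriber's firewall sessions
# when the gateway reports the subscriber offline. Firewall interface, session
# fields, policy thresholds, binding check and sample data are all assumptions.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class FwSession:
    sid: str          # firewall session identification
    src_ip: str       # subscriber's private-network address (inside NAT)
    dst_ip: str       # peer on the public side
    bytes_in: int     # traffic delivered toward the subscriber
    idle_secs: float  # seconds since the session's last packet


class Firewall:
    # Stand-in for the firewall session table and its clear-by-id interface.
    def __init__(self, sessions: Iterable[FwSession]) -> None:
        self.table: Dict[str, FwSession] = {s.sid: s for s in sessions}

    def sessions_for(self, private_ip: str) -> List[FwSession]:
        return [s for s in self.table.values() if s.src_ip == private_ip]

    def clear(self, sids: Iterable[str]) -> int:
        return sum(1 for sid in sids if self.table.pop(sid, None) is not None)


# Assumed session control policy: one state label per session.
IDLE_TIMEOUT_SECS = 300.0
INBOUND_HEAVY_BYTES = 1_000_000


def session_state(s: FwSession) -> str:
    if s.bytes_in >= INBOUND_HEAVY_BYTES:
        return "inbound-heavy"
    return "idle" if s.idle_secs >= IDLE_TIMEOUT_SECS else "active"


def first_condition(state: str) -> bool:
    # Claim 6 form of the first condition: every session of the offline user.
    return True


def second_condition(state: str) -> bool:
    # Assumed second condition (batch case over threshold): only sessions still
    # pulling traffic toward the address, which the next holder would inherit.
    return state == "inbound-heavy"


class SessionClearer:
    def __init__(self, fw: Firewall, batch_threshold: int = 1000) -> None:
        self.fw = fw
        self.batch_threshold = batch_threshold
        self.binding: Dict[str, str] = {}  # private_ip -> current terminal number

    def on_online(self, terminal: str, private_ip: str) -> None:
        self.binding[private_ip] = terminal

    def _release(self, terminal: str, private_ip: str) -> bool:
        # A late offline notice must not clear the sessions of a new user who
        # has already been assigned the same private address.
        if self.binding.get(private_ip) != terminal:
            return False
        del self.binding[private_ip]
        return True

    def on_offline(self, terminal: str, private_ip: str) -> List[str]:
        # Claims 1-4: one user goes offline; clear its sessions by policy.
        if not self._release(terminal, private_ip):
            return []
        selected = [s.sid for s in self.fw.sessions_for(private_ip)
                    if first_condition(session_state(s))]
        self.fw.clear(selected)
        return selected

    def on_batch_offline(self, users: List[Tuple[str, str]]) -> List[str]:
        # Claim 5: all users that went offline within a time window, at once.
        candidates: List[FwSession] = []
        for terminal, private_ip in users:
            if self._release(terminal, private_ip):
                candidates.extend(self.fw.sessions_for(private_ip))
        # Over the threshold the second condition applies; below it the claim is
        # silent, so falling back to the first condition is an assumption here.
        cond = second_condition if len(candidates) > self.batch_threshold else first_condition
        selected = [s.sid for s in candidates if cond(session_state(s))]
        self.fw.clear(selected)
        return selected


# Constructed sample firewall table: three subscribers, five sessions.
SAMPLE_SESSIONS = [
    FwSession("s1", "10.0.0.5", "203.0.113.9", 50_000, 10.0),
    FwSession("s2", "10.0.0.5", "203.0.113.7", 5_000_000, 2.0),
    FwSession("s3", "10.0.0.6", "198.51.100.3", 1_200, 400.0),
    FwSession("s4", "10.0.0.6", "198.51.100.4", 2_000_000, 1.0),
    FwSession("s5", "10.0.0.7", "198.51.100.5", 100, 5.0),
]


def demo_single() -> List[str]:
    ctl = SessionClearer(Firewall(SAMPLE_SESSIONS))
    ctl.on_online("8613800000001", "10.0.0.5")
    return ctl.on_offline("8613800000001", "10.0.0.5")


def demo_batch() -> List[str]:
    ctl = SessionClearer(Firewall(SAMPLE_SESSIONS), batch_threshold=3)
    ctl.on_online("8613800000001", "10.0.0.5")
    ctl.on_online("8613800000002", "10.0.0.6")
    return ctl.on_batch_offline([("8613800000001", "10.0.0.5"), ("8613800000002", "10.0.0.6")])
```

`demo_single` clears both sessions of the single user that went offline; `demo_batch` has four candidate sessions against a threshold of three, so only the two inbound-heavy ones are cleared. The binding check in `_release` is the practitioner's safeguard the claims do not spell out: if the gateway's offline notice arrives after the private address has already been handed to another subscriber, acting on it would clear the new user's legitimate sessions, so the controller keys the lookup on the (terminal number, private IP) pair it last saw come online rather than on the address alone.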
Priority Applications (1)

Application Number Priority Date Filing Date Title Status
CN201310643323.8A 2013-12-03 2013-12-03 Method and device for clearing firewall conversation and network equipment Pending

Publications (1)

Publication Number Publication Date
CN104683319A true CN104683319A (en) 2015-06-03

Family

ID=53317918


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1852135A (en) * 2005-07-12 2006-10-25 华为技术有限公司 Method for protecting access-in user safety
US20070274329A1 (en) * 2005-02-24 2007-11-29 Fujitsu Limited Connection support apparatus and gateway apparatus
US20080288656A1 (en) * 2004-12-17 2008-11-20 Jason Davis Forrester System, method and program product to route message packets
CN101364906A (en) * 2008-09-12 2009-02-11 成都市华为赛门铁克科技有限公司 Method and system blocking charging attack
CN102970670A (en) * 2012-12-06 2013-03-13 华为技术有限公司 Method, device and system for preventing billing overflow



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150603