CN105812318A - Method, controller and system for preventing attack in network - Google Patents


Info

Publication number
CN105812318A
Authority
CN
China
Prior art keywords
switch
address
host
attack
attack source
Prior art date
Legal status
Granted
Application number
CN201410840277.5A
Other languages
Chinese (zh)
Other versions
CN105812318B (en)
Inventor
毛宇
欧洪辉
陈文华
刘汉江
王勇
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd

Abstract

The invention discloses a method, a controller and a system for preventing attacks in a network. The method comprises: receiving the packets addressed to the server that the switches report and the attack packets that the firewall reports; comparing the packets reported by the firewall with those reported by the switches to determine the switch connected to the attack source host and the corresponding switch port; and sending a first control instruction to that switch so that it discards the invalid packets sent by the attack source host and received on that switch port. By comparing the packets reported by the firewall and the switches, the switch and the port to which the attacking host is connected are identified, and an exact-match flow table is pushed to that access switch to control how the corresponding packets are forwarded. The attack source is thus blocked, the consumption of firewall hardware resources and network bandwidth is reduced, and the processing capacity required of the firewall is reduced at the same time.

Description

Method, controller and system for preventing attacks in a network
Technical field
The present invention relates to the field of network security, and in particular to a method, a controller and a system for preventing attacks in a network.
Background technology
An SDN (Software Defined Network) based on the OpenFlow protocol is a new network architecture in which control is separated from forwarding. It can apply precise flow control per service flow and realises the advanced functions of the various network elements through application software.
SYN flood is currently one of the most popular DoS (denial of service) and DDoS (distributed denial of service) attack modes. It exploits a weakness of the TCP protocol: a large number of forged TCP connection requests are sent so that the attacked side exhausts its resources (CPU at full load or memory exhausted).
SYN flood attacks are currently mitigated mainly by techniques such as SYN cache/SYN cookie, in which the firewall protects the server. All of these consume firewall resources, which places very high demands on the firewall's hardware processing capacity and raises the cost of protection. Meanwhile the SYN packets of the attack are still transmitted in the network and consume network bandwidth.
Summary of the invention
In view of the above technical problems, the invention provides a method, a controller and a system for preventing attacks in a network that reduce the processing capacity required of the firewall, trace the attack source, stop attack packets from being transmitted in the network and save network resources.
According to one aspect of the invention, a method for preventing attacks in a network is provided, comprising:
receiving the packets addressed to the server that the switches report and the attack packets that the firewall reports;
comparing the packets reported by the firewall with those reported by the switches to determine the switch connected to the attack source host and the corresponding switch port;
sending a first control instruction to the switch connected to the attack source host, so that it discards the invalid packets sent by the attack source host and received on said switch port.
In one embodiment of the invention, before receiving the packets addressed to the server that the switches send, the method further comprises:
sending a second control instruction to the switches, instructing them to forward the packets addressed to the server to the server and at the same time to report those packets.
In one embodiment of the invention, after determining the switch connected to the attack source host and the corresponding switch port, the method further comprises:
deleting the second control instruction received by the switch connected to the attack source host, and then performing the step of sending the first control instruction to that switch.
In one embodiment of the invention, the step of sending the first control instruction to the switch connected to the attack source host, so that it discards the invalid packets sent by the attack source host and received on said switch port, comprises:
obtaining the IP addresses of the legal hosts connected to said switch port and the IP address of the attack source host;
sending the first control instruction to the switch connected to the attack source host, instructing it to forward the packets received on said switch port from the legal hosts to the server and at the same time to discard the packets received on said switch port from the attack source host.
In one embodiment of the invention, the step of obtaining the IP addresses of the legal hosts connected to said switch port and the IP address of the attack source host comprises:
obtaining from the DHCP server the IP addresses of the legal hosts connected to said switch port, the legal host IP addresses being those the DHCP server has assigned to legal hosts;
determining a host IP address that cannot be obtained from the DHCP server to be the attack source host IP address.
In one embodiment of the invention, the step of obtaining the IP addresses of the legal hosts connected to said switch port and the IP address of the attack source host comprises:
sending an address resolution request to all hosts connected to said switch port;
receiving the legal host IP addresses that the legal hosts return in response to the address resolution request;
determining the IP address of a host that does not answer the address resolution request to be the attack source host IP address.
According to a further aspect of the invention, a controller for preventing attacks in a network is provided, comprising a receiving unit, a comparing unit and a control unit, wherein:
the receiving unit receives the packets addressed to the server that the switches report and the attack packets that the firewall reports;
the comparing unit compares the packets reported by the firewall with those reported by the switches to determine the switch connected to the attack source host and the corresponding switch port;
the control unit sends a first control instruction to the switch connected to the attack source host, so that it discards the invalid packets sent by the attack source host and received on said switch port.
In one embodiment of the invention, the control unit is further configured, before the receiving unit receives the packets addressed to the server that the switches send, to send a second control instruction to the switches, instructing them to forward the packets addressed to the server to the server and at the same time to report those packets.
In one embodiment of the invention, the control unit is further configured, after the comparing unit has determined the switch connected to the attack source host and the corresponding switch port, to delete the second control instruction received by that switch and then to perform the operation of sending the first control instruction to it.
In one embodiment of the invention, when sending the first control instruction to the switch connected to the attack source host so that it discards the invalid packets sent by the attack source host and received on said switch port, the control unit specifically obtains the IP addresses of the legal hosts connected to said switch port and the IP address of the attack source host, and sends the first control instruction to that switch, instructing it to forward the packets received on said switch port from the legal hosts to the server and at the same time to discard the packets received on said switch port from the attack source host.
In one embodiment of the invention, when obtaining the IP addresses of the legal hosts connected to said switch port and the IP address of the attack source host, the control unit specifically obtains from the DHCP server the IP addresses of the legal hosts connected to said switch port, the legal host IP addresses being those the DHCP server has assigned to legal hosts, and determines a host IP address that cannot be obtained from the DHCP server to be the attack source host IP address.
In one embodiment of the invention, when obtaining the IP addresses of the legal hosts connected to said switch port and the IP address of the attack source host, the control unit specifically sends an address resolution request to all hosts connected to said switch port, receives the legal host IP addresses that the legal hosts return in response to the address resolution request, and determines the IP address of a host that does not answer the address resolution request to be the attack source host IP address.
According to a further aspect of the invention, a system for preventing attacks in a network is provided, comprising switches, a firewall and a controller, wherein:
the switches forward the packets addressed to the server to the server and at the same time send those packets to the controller;
the firewall sends the attack packets to the controller when the server is under attack;
the controller is the controller for preventing attacks in a network described in any of the above embodiments.
In one embodiment of the invention, the firewall comprises an attack detection unit, a recognition unit and a data transmission unit, wherein:
the attack detection unit detects whether the server is under attack;
the recognition unit judges, when the attack detection unit detects that the server is under attack, whether the number of attacks on the server within a predetermined time exceeds a predetermined threshold;
the data transmission unit, according to the judgement of the recognition unit, reports the received packets to the controller as attack packets if the number of attacks on the server within the predetermined time exceeds the predetermined threshold.
By comparing the packets reported by the firewall and the switches, the invention identifies the switch and the port to which the attacking host is connected, and pushes exact-match flow table entries to that access switch to control how the corresponding packets are forwarded. The attack source is thus blocked, the consumption of firewall hardware resources and network bandwidth is reduced, and the processing capacity required of the firewall is reduced at the same time.
Brief description of the drawings
To describe the embodiments of the invention or the prior art more clearly, the drawings needed for the embodiments or the prior art are briefly introduced below. Obviously the drawings described below are only some embodiments of the invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of one embodiment of the method of the invention for preventing attacks in a network.
Fig. 2 is a schematic diagram of another embodiment of the method of the invention for preventing attacks in a network.
Fig. 3 is a schematic diagram of one embodiment of the controller of the invention for preventing attacks in a network.
Fig. 4 is a schematic diagram of one embodiment of the system of the invention for preventing attacks in a network.
Fig. 5 is a schematic diagram of the firewall in one embodiment of the invention.
Fig. 6 is a schematic diagram of a further embodiment of the method of the invention for preventing attacks in a network.
Detailed description of the invention
The technical solutions of the embodiments of the invention are described clearly and completely below with reference to the drawings. Obviously the described embodiments are only some of the embodiments of the invention, not all of them. The following description of at least one exemplary embodiment is merely illustrative and in no way limits the invention or its application or use. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Unless specifically stated otherwise, the relative arrangement of the components and steps, the numerical expressions and the numerical values set forth in these embodiments do not limit the scope of the invention.
It should also be understood that, for ease of description, the sizes of the various parts shown in the drawings are not drawn to their actual proportions.
Techniques, methods and devices known to a person of ordinary skill in the relevant art may not be discussed in detail, but where appropriate they should be regarded as part of the description.
In all examples shown and discussed here, any specific value should be construed as merely exemplary and not as a limitation. Other examples of the exemplary embodiments may therefore have different values.
It should also be noted that similar reference numerals and letters denote similar items in the figures below; once an item has been defined in one figure it need not be discussed further in subsequent figures.
Fig. 1 is a schematic diagram of one embodiment of the method of the invention for preventing attacks in a network. Preferably, this embodiment is performed by a controller for preventing attacks in a network. The method comprises the following steps:
Step 101: receive the packets addressed to the server that the switches report and the attack packets that the firewall reports.
Step 102: compare the packets reported by the firewall with those reported by the switches to determine the switch connected to the attack source host and the corresponding switch port.
Step 103: send a first control instruction to the switch connected to the attack source host, so that it discards the invalid packets sent by the attack source host and received on said switch port.
With the method for preventing attacks in a network provided by the above embodiment, comparing the packets reported by the firewall and the switches identifies the switch and the port to which the attacking host is connected, and exact-match flow table entries pushed to that access switch control how the corresponding packets are forwarded. The attack source is thus blocked, the consumption of firewall hardware resources and network bandwidth is reduced, and the processing capacity required of the firewall is reduced at the same time.
In one embodiment of the invention, before the firewall reports the attack packets, the method further comprises a step of determining the attack packets, which may comprise:
Step (a): detect whether there is an attack on the server. The detection may proceed as follows. Attack source host A continuously sends packets addressed to the server, with forged source MAC and IP addresses, requesting to establish sessions with the server. After receiving such a request, the firewall sends a confirmation ACK frame to the host owning the source IP address (if attack source host A impersonates legal host B, that host is legal host B; if A impersonates a non-existent host X, it is host X). If no reply is received from the source IP host (host B or host X), the firewall regards the request as an attack on the server, discards it, and determines that an attack on the server has been detected. If a reply is received from the source IP host, the firewall regards the request as normal and forwards it to the server for processing.
Step (b): when the attack detection unit detects an attack on the server, judge whether the number of attacks on the server within a predetermined time exceeds a predetermined threshold.
Step (c): if the number of attacks on the server within the predetermined time exceeds the predetermined threshold, report the received packets to the controller as attack packets.
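The firewall-side logic of steps (a) to (c) as a runnable simulation (added example, not the patent's own implementation): each session request is checked by probing its source IP with an ACK, an unanswered probe counts as an attack, and once the attacks inside the predetermined time window exceed the threshold the packets are reported to the controller. The `Request`/`Firewall` types, the `responding_hosts` set standing in for hosts that answer the probe, and all addresses and timestamps are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    """A session request seen by the firewall (constructed record)."""
    src_mac: str
    src_ip: str
    dst_ip: str
    ts: float  # seconds on a constructed clock


@dataclass
class Firewall:
    server_ip: str
    window: float          # the "predetermined time", in seconds
    threshold: int         # the "predetermined threshold"
    responding_hosts: set  # constructed stand-in: source IPs whose host answers the ACK probe
    attack_times: deque = field(default_factory=deque)  # timestamps of attacks still in the window
    reported: list = field(default_factory=list)        # packets reported to the controller
    forwarded: list = field(default_factory=list)       # normal requests passed to the server

    def probe_source(self, ip):
        # step (a): send a confirmation ACK frame to the source-IP host and wait
        # for its reply; a forged or non-existent source leaves the probe unanswered
        return ip in self.responding_hosts

    def handle(self, req):
        """Process one request; returns the action taken."""
        if req.dst_ip != self.server_ip:
            return "ignore"
        if self.probe_source(req.src_ip):
            self.forwarded.append(req)  # normal request: forward to the server
            return "forward"
        # no reply: the request is an attack on the server and is discarded
        self.attack_times.append(req.ts)
        while self.attack_times and req.ts - self.attack_times[0] > self.window:
            self.attack_times.popleft()  # drop attacks older than the window
        # steps (b)/(c): attacks within the window exceed the threshold -> report
        if len(self.attack_times) > self.threshold:
            self.reported.append(req)
            return "report"
        return "drop"


SERVER = "10.0.0.100"  # constructed address of the protected server


def demo():
    """Constructed trace: five spoofed requests in quick succession, one request
    from a real host B in between, then one more spoofed request after the
    window has expired. Returns (actions, reported count, forwarded count)."""
    fw = Firewall(SERVER, window=1.0, threshold=3, responding_hosts={"10.0.1.20"})
    reqs = [Request("de:ad:be:ef:00:01", "10.0.9.9", SERVER, 0.1 * i) for i in range(5)]
    reqs.insert(2, Request("aa:bb:cc:00:00:20", "10.0.1.20", SERVER, 0.15))
    reqs.append(Request("de:ad:be:ef:00:01", "10.0.9.9", SERVER, 2.0))
    actions = [fw.handle(r) for r in reqs]
    return actions, len(fw.reported), len(fw.forwarded)


if __name__ == "__main__":
    print(demo())
```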
Fig. 2 is a schematic diagram of another embodiment of the method of the invention for preventing attacks in a network. Preferably, this embodiment is performed by a controller for preventing attacks in a network. The method comprises the following steps:
Step 201: send a second control instruction to the switches, instructing them to forward the packets addressed to the server to the server and at the same time to report those packets.
In one embodiment of the invention, the second control instruction may comprise: the SDN controller adds a flow entry i to table 0 of every switch, with the highest priority, matching destination IP = the IP of the attacked server and protocol type TCP/IP, whose action is goto group j; and issues a group table entry group j to every switch, of type ALL, with one action bucket that outputs to the controller and another action bucket that forwards normally.
Step 202: receive the packets addressed to the server that the switches report and the attack packets that the firewall reports.
Step 203: compare the packets reported by the firewall with those reported by the switches to determine the switch 1 connected to the attack source host and the corresponding switch port a.
Step 204: delete the second control instruction received by the switch connected to the attack source host.
In one embodiment of the invention, step 204 comprises deleting flow entry i from table 0 and group j from all access switches.
Step 205: obtain the IP addresses of the legal hosts connected to said switch port and the IP address of the attack source host.
In one embodiment of the invention, in an operator network with authentication and accounting, step 205 may comprise: obtaining from the DHCP server the IP addresses of the legal hosts connected to said switch port, the legal host IP addresses being those the DHCP server has assigned to legal hosts; and determining a host IP address that cannot be obtained from the DHCP server to be the attack source host IP address.
In one embodiment of the invention, in a network without authentication, step 205 may comprise: sending an address resolution request to all hosts connected to said switch port; receiving the legal host IP addresses that the legal hosts return in response to the address resolution request; and determining the IP address of a host that does not answer the address resolution request to be the attack source host IP address.
Step 206: send the first control instruction to the switch connected to the attack source host, instructing it to forward the packets received on said switch port from the legal hosts to the server and at the same time to discard the packets received on said switch port from the attack source host.
In one embodiment of the invention, step 206 may comprise: sending a first sub-control instruction to the switch connected to the attack source host, instructing it to forward the packets that the legal host IP addresses send to said switch port to the server, the first sub-control instruction having a first priority; and sending a second sub-control instruction to the switch 1 connected to the attack source host, instructing it to discard the packets that any IP address sends to said switch port, the second sub-control instruction having a second priority, where the first priority is higher than the second priority.
In one embodiment of the invention, step 206 may comprise: issuing to switch 1 an exact-match flow entry whose match is source address = a legal host IP address under port a obtained by the controller's topology discovery, destination address = the server IP address and ingress port = port a, whose action is normal forwarding, and whose priority is m; and issuing to switch 1 a forwarding entry whose match is destination address = the server IP address and ingress port = port a, whose action is drop, and whose priority is n, where m and n are natural numbers greater than 0 and m > n.
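The controller-side procedure of steps 201 to 206 (and, equivalently, steps 101 to 103) modelled end to end as an added example that is not the patent's or any SDN controller's own code: the table 0 entry and group j of step 201 are represented as plain dictionaries, the attack source switch/port is located by matching firewall-reported packets against switch-reported copies on (source MAC, source IP, destination IP), legal and attacking hosts on that port are separated with DHCP leases as in the operator-network variant of step 205, and the priority-m forward / priority-n drop entries of step 206 are generated and then evaluated the way a flow table would. `Report`, `forward_decision` and all addresses, switch names and leases are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Report:
    """One packet copy received by the controller (constructed record). Firewall
    reports carry no switch/port; copies from group j's output-to-controller
    bucket carry the reporting switch and ingress port."""
    src_mac: str
    src_ip: str
    dst_ip: str
    switch: Optional[str] = None
    in_port: Optional[int] = None

    def key(self):
        return (self.src_mac, self.src_ip, self.dst_ip)


def mirror_instruction(server_ip):
    """Step 201: flow entry i in table 0 of every switch (highest priority, match
    dst IP = attacked server and TCP, goto group j) plus group j of type ALL whose
    buckets output to the controller and forward normally."""
    return {"table0_entry": {"priority": 65535, "instruction": "goto group j",
                             "match": {"ip_dst": server_ip, "ip_proto": "tcp"}},
            "group_j": {"type": "ALL", "buckets": ["output:controller", "normal"]}}


def locate_attack_port(fw_reports, sw_reports):
    """Steps 202/203: the (switch, port) whose reported copies coincide with the
    firewall's attack packets; None if nothing matches."""
    attack_keys = {r.key() for r in fw_reports}
    hits = Counter((r.switch, r.in_port) for r in sw_reports if r.key() in attack_keys)
    return hits.most_common(1)[0][0] if hits else None


def split_hosts(port_ips, dhcp_leases):
    """Step 205 (operator network): IPs the DHCP server assigned are legal hosts;
    IPs it cannot account for are the attack source."""
    legal = {ip for ip in port_ips if ip in dhcp_leases}
    return legal, set(port_ips) - legal


def precise_entries(switch, port, server_ip, legal_ips, m=200, n=100):
    """Step 206: an exact-match forward entry (priority m) per legal host IP on
    port a, then a drop entry (priority n) for all other traffic from port a to
    the server, with m > n > 0."""
    assert m > n > 0
    entries = [{"switch": switch, "priority": m, "action": "normal",
                "match": {"in_port": port, "ip_src": ip, "ip_dst": server_ip}}
               for ip in sorted(legal_ips)]
    entries.append({"switch": switch, "priority": n, "action": "drop",
                    "match": {"in_port": port, "ip_dst": server_ip}})
    return entries


def forward_decision(entries, in_port, ip_src, ip_dst):
    """Emulate the switch: the highest-priority matching entry wins; with no
    match the packet keeps the switch's normal forwarding."""
    pkt = {"in_port": in_port, "ip_src": ip_src, "ip_dst": ip_dst}
    for e in sorted(entries, key=lambda e: -e["priority"]):
        if all(pkt.get(k) == v for k, v in e["match"].items()):
            return e["action"]
    return "normal"


SERVER = "10.0.0.100"                              # constructed server address
DHCP_LEASES = {"10.0.1.20": "aa:bb:cc:00:00:20"}   # constructed: lease of legal host B


def demo():
    """Constructed scenario: the attack source sits behind switch s1 port 3,
    sharing that port with legal host B; another host sits on switch s2."""
    fw = [Report("de:ad:be:ef:00:01", "10.0.9.9", SERVER),
          Report("de:ad:be:ef:00:02", "10.0.9.10", SERVER)]
    sw = [Report("de:ad:be:ef:00:01", "10.0.9.9", SERVER, "s1", 3),
          Report("de:ad:be:ef:00:02", "10.0.9.10", SERVER, "s1", 3),
          Report("aa:bb:cc:00:00:20", "10.0.1.20", SERVER, "s1", 3),
          Report("aa:bb:cc:00:00:30", "10.0.2.30", SERVER, "s2", 1)]
    switch, port = locate_attack_port(fw, sw)
    port_ips = {r.src_ip for r in sw if (r.switch, r.in_port) == (switch, port)}
    legal, attackers = split_hosts(port_ips, DHCP_LEASES)
    entries = precise_entries(switch, port, SERVER, legal)
    return {"switch": switch, "port": port, "legal": legal, "attackers": attackers,
            "group_type": mirror_instruction(SERVER)["group_j"]["type"],
            "B": forward_decision(entries, 3, "10.0.1.20", SERVER),
            "A": forward_decision(entries, 3, "10.0.9.9", SERVER),
            "other_port": forward_decision(entries, 1, "10.0.2.30", SERVER)}


if __name__ == "__main__":
    print(demo())
```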
In the above embodiment of the invention, the method for preventing attacks in a network can be applied to an SDN to prevent SYN flood attacks. Preferably, the embodiment is performed by an SDN controller. When a SYN flood attack is detected, the firewall sends the characteristics of the attack packets to the controller; using the SDN controller's ability to control service flows precisely, the forwarding behaviour of the switch to which the attack source host is connected is controlled so that the attack packets carrying the attack source's forged IP are discarded while normal IP packets are forwarded. The attack source is thus blocked, and the consumption of firewall hardware resources and network bandwidth is reduced.
Fig. 3 is a schematic diagram of one embodiment of the controller of the invention for preventing attacks in a network. As shown in Fig. 3, the controller comprises a receiving unit 301, a comparing unit 302 and a control unit 303, wherein:
the receiving unit 301 receives the packets addressed to the server that the switches report and the attack packets that the firewall reports;
the comparing unit 302 compares the packets reported by the firewall with those reported by the switches to determine the switch connected to the attack source host and the corresponding switch port;
the control unit 303 sends a first control instruction to the switch connected to the attack source host, so that it discards the invalid packets sent by the attack source host and received on said switch port.
With the controller for preventing attacks in a network provided by the above embodiment, comparing the packets reported by the firewall and the switches identifies the switch and the port to which the attacking host is connected, and the controller pushes exact-match flow table entries to that access switch to control how the corresponding packets are forwarded. The attack source is thus blocked, the consumption of firewall hardware resources and network bandwidth is reduced, and the processing capacity required of the firewall is reduced at the same time.
In one embodiment of the invention, the control unit 303 is further configured, before the receiving unit 301 receives the packets addressed to the server that the switches send, to send a second control instruction to the switches, instructing them to forward the packets addressed to the server to the server and at the same time to report those packets.
In one embodiment of the invention, the control unit 303 is further configured, after the comparing unit 302 has determined the switch connected to the attack source host and the corresponding switch port, to delete the second control instruction received by that switch and then to perform the operation of sending the first control instruction to it.
In one embodiment of the invention, when sending the first control instruction to the switch connected to the attack source host so that it discards the invalid packets sent by the attack source host and received on said switch port, the control unit 303 specifically obtains the IP addresses of the legal hosts connected to said switch port and the IP address of the attack source host, and sends the first control instruction to that switch, instructing it to forward the packets received on said switch port from the legal hosts to the server and at the same time to discard the packets received on said switch port from the attack source host.
In one embodiment of the invention, when obtaining the IP addresses of the legal hosts connected to said switch port and the IP address of the attack source host, the control unit 303 specifically obtains from the DHCP server the IP addresses of the legal hosts connected to said switch port, the legal host IP addresses being those the DHCP server has assigned to legal hosts, and determines a host IP address that cannot be obtained from the DHCP server to be the attack source host IP address.
In one embodiment of the invention, when obtaining the IP addresses of the legal hosts connected to said switch port and the IP address of the attack source host, the control unit 303 specifically sends an address resolution request to all hosts connected to said switch port, receives the legal host IP addresses that the legal hosts return in response to the address resolution request, and determines the IP address of a host that does not answer the address resolution request to be the attack source host IP address.
In the above embodiment of the invention, the controller may be an SDN controller and can therefore be applied to an SDN to prevent SYN flood attacks. When a SYN flood attack is detected, the firewall sends the characteristics of the attack packets to the controller; using the SDN controller's ability to control service flows precisely, the forwarding behaviour of the switch to which the attack source host is connected is controlled so that the attack packets carrying the attack source's forged IP are discarded while normal IP packets are forwarded. The attack source is thus blocked, and the consumption of firewall hardware resources and network bandwidth is reduced.
Fig. 4 is that the present invention is for preventing the schematic diagram of one embodiment of system of attack in a network.As shown in Figure 4, described for preventing the system attacked from including switch, fire wall and controller in a network, wherein:
Switch, for the packet of all access servers is transmitted to server, is sent to controller by the packet of all access servers simultaneously.
Protecting wall, for when server is under attack, being sent to controller by Attacking Packets.
Controller, the Attacking Packets that the packet of all access servers reported for desampler and fire wall report;The packet that the fire wall received and switch are reported respectively compares, to determine the switch being connected with attack source main frame and respective switch port;The first control instruction is issued, to abandon the invalid data bag sent by attack source main frame received by described switch ports themselves to the switch being connected with attack source main frame.
Based on the system for preventing attack in a network that the above embodiment of the present invention provides, the controller message by comparing fire wall and switch reports, judge switch and port that the main frame of offensive attack is connected to, corresponding access switch is issued accurately coupling stream table and controls the forwarding behavior of corresponding message by controller, thus having blocked attack source, reduce the resource consumption of firewall hardware and the network bandwidth;Also reduce the requirement to fire wall disposal ability simultaneously.
In an embodiment of the invention, described controller is the controller for preventing attack in a network described in any of the above-described embodiment.
In an embodiment of the invention, as Fig. 4 shows, described controller can include multiple controllers such as controller 1, controller 2, controller m, controller n, and its middle controller 1, controller 2 are access controller.Access controller 1 is connected with attack source host A, and legal hosts is connected with access controller 2.
In an embodiment of the invention, described controller is SDN controller.Described switch is OpenFlow switch.
In the above embodiment of the present invention, described for preventing the system attacked from can apply to SDN in a network, to prevent SYNFlood from attacking.The above embodiment of the present invention finds to be subject to, when SYNFlood attacks, attack message characteristics is sent to controller at fire wall, utilize SDN controller that Business Stream is accurately controlled function, behavior is forwarded to be controlled the switch accessing attack source main frame, abandon the attack message of attack source camouflage IP, forward normal IP message, thus having blocked attack source, reduce the resource consumption of firewall hardware and the network bandwidth.
Fig. 5 is a schematic diagram of the firewall in the embodiment shown in Fig. 4. As shown in Fig. 5, the firewall in Fig. 4 comprises an attack detection unit 501, a recognition unit 502 and a data transmission unit 503, where:
The attack detection unit 501 detects whether the server is under attack.
The recognition unit 502, when the attack detection unit 501 detects that the server is under attack, judges whether the attacks suffered by the server within a predetermined time exceed a predetermined threshold.
The data transmission unit 503, according to the judgement of the recognition unit 502, reports the received packets to the controller as attack packets if the attacks suffered by the server within the predetermined time exceed the predetermined threshold.
Fig. 6 is a schematic diagram of another embodiment of the method of the present invention for preventing attacks in a network. Preferably, the method is performed by the system for preventing attacks in a network shown in Fig. 4.
In the specific embodiment described in Fig. 6, attack source host A continuously sends invalid packets destined for the server to switch 1; their source MAC and IP addresses are forged, they request to establish a session with the server, and their destination address is the server's IP address.
As shown in Fig. 6, the method comprises:
Step 601: the controller sends a second control instruction to all switches, including switch 1, instructing them to forward all packets destined for the server to the server and at the same time report those packets to the controller. The second control instruction may comprise: the SDN controller adds entry i to table0 of every switch with the highest priority, matching destination IP = the IP of the attacked server and protocol type TCP/IP, with the action "goto group j"; and issues group table group j to every switch, of type ALL, with one action bucket being "output controller" and the other being normal forwarding.
Step 602: switch 1, according to the second control instruction, forwards the invalid packets sent by attack source host A whose destination address is the server's IP address to the firewall.
Step 603: switch 1, according to the second control instruction, reports the invalid packets sent by attack source host A whose destination address is the server's IP address to the controller.
Step 604: the firewall judges that the invalid packets are attack packets. After receiving a request, the firewall sends an acknowledgement (ACK) frame back to the host at the source IP address (since attack source host A impersonates legitimate host B, the host at the source IP address is legitimate host B); if no reply from legitimate host B is received, the firewall regards the request as an attack on the server, discards it, and judges that an attack on the server has been detected. When it also determines that the attacks suffered by the server within the predetermined time exceed the predetermined threshold, it treats the received invalid packets as attack packets.
Step 605: the firewall reports the attack packets to the controller.
Step 606: the controller compares the packets (messages) reported by the firewall with those reported by the switches and, among the switches shown in Fig. 4, determines switch 1 as the switch connected to the attack source host and port a as the corresponding switch port.
Step 607: the controller deletes the second control instruction received by switch 1, the switch connected to the attack source host, i.e. it deletes entry i and group j from table0 of all access switches.
Step 608: the controller issues a first control instruction to the switch connected to the attack source host. The first control instruction comprises: issuing to switch 1 an exact-match entry whose match source address is the legitimate host IP address under port a obtained by the controller's topology discovery, whose match destination address is the server's IP address, whose match ingress port is port a, whose action is normal forwarding and whose priority is m; and issuing to switch 1 a forwarding entry whose match destination address is the server's IP address, whose match ingress port is port a, whose action is drop and whose priority is n, where m > n. With this first control instruction, the switch connected to the attack source host forwards the packets from the legitimate host received on that switch port to the server, while discarding the packets from the attack source host received on the same switch port.
Step 609: according to the first control instruction, because the forged address of attack source host A is not the legitimate host IP address under port a obtained by the controller's topology discovery, the entry with priority n is applied, and the invalid packets sent by attack source host A that match destination address = server IP address and ingress port = port a are dropped. The SYN packets with spoofed source IP addresses sent by the attack source host are thus discarded.
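The comparison in step 606 and the two-priority flow table of steps 608 and 609, as an added Python model that is not part of the patent's own disclosure. It assumes constructed addresses, a single server IP, and that the switch and the firewall report the same packet headers (source MAC, source IP, destination IP); the priorities m and n and the legitimate-host list per port are hypothetical inputs standing in for topology discovery.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SERVER_IP = "10.0.0.100"          # constructed: IP of the attacked server

@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str

@dataclass(frozen=True)
class SwitchReport:
    switch: str                   # switch that reported the packet (step 603)
    in_port: int                  # ingress port on that switch
    pkt: Packet

@dataclass(frozen=True)
class FlowEntry:
    in_port: int
    dst_ip: str
    priority: int
    action: str                   # "forward" or "drop"
    src_ip: Optional[str] = None  # None means wildcard source

def locate_attack_source(switch_reports, firewall_reports):
    """Step 606: match each firewall-reported attack packet against the
    copies the switches reported and return the (switch, port) that carried
    the most of them, or None when nothing matches."""
    where_seen = {}
    for r in switch_reports:
        where_seen.setdefault(r.pkt, []).append((r.switch, r.in_port))
    hits = Counter()
    for pkt in firewall_reports:
        hits.update(where_seen.get(pkt, []))
    return hits.most_common(1)[0][0] if hits else None

def build_first_control_instruction(port, legal_ips, m=200, n=100):
    """Step 608: one exact-match forward entry (priority m) per legitimate
    host IP learned under the port, plus a drop entry at priority n < m."""
    if m <= n:
        raise ValueError("forward priority m must exceed drop priority n")
    entries = [FlowEntry(port, SERVER_IP, m, "forward", ip) for ip in legal_ips]
    entries.append(FlowEntry(port, SERVER_IP, n, "drop"))
    return entries

def lookup(entries, in_port, pkt):
    """Step 609: the highest-priority matching entry decides; a table miss
    falls back to normal forwarding."""
    best = None
    for e in entries:
        if e.in_port != in_port or e.dst_ip != pkt.dst_ip:
            continue
        if e.src_ip is not None and e.src_ip != pkt.src_ip:
            continue
        if best is None or e.priority > best.priority:
            best = e
    return best.action if best else "forward"

# Constructed sample traffic: host C (legitimate, learned under switch1 port 1)
# and attacker A share port 1; A forges its MAC and borrows host B's IP.
LEGAL_C_IP, LEGAL_B_IP = "10.0.1.30", "10.0.1.20"
LEGAL_UNDER_PORT1 = [LEGAL_C_IP]        # hypothetical topology-discovery result
SPOOFED = Packet("de:ad:be:ef:00:01", LEGAL_B_IP, SERVER_IP)
FROM_C = Packet("00:11:22:33:44:55", LEGAL_C_IP, SERVER_IP)
FROM_B = Packet("66:77:88:99:aa:bb", LEGAL_B_IP, SERVER_IP)   # real B, on switch2
SWITCH_REPORTS = [SwitchReport("switch1", 1, SPOOFED)] * 5 + [
    SwitchReport("switch1", 1, FROM_C), SwitchReport("switch2", 3, FROM_B)]
FIREWALL_REPORTS = [SPOOFED] * 5        # only the spoofed SYNs went unanswered

def run_scenario():
    """Locate the attack source, install the first control instruction on that
    port, and show that C's packet is forwarded while A's spoofed one is dropped."""
    switch, port = locate_attack_source(SWITCH_REPORTS, FIREWALL_REPORTS)
    entries = build_first_control_instruction(port, LEGAL_UNDER_PORT1)
    return switch, port, lookup(entries, port, FROM_C), lookup(entries, port, SPOOFED)

if __name__ == "__main__":
    print(run_scenario())   # ('switch1', 1, 'forward', 'drop')
```

Because the forward entry matches only on source IP, a spoofed packet that borrowed the IP of a legitimate host on the same port would hit the priority-m entry; the scheme depends on the per-port legitimate-host list being exact.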
The above embodiments of the invention reduce the processing capability required of the firewall; the attack source can be traced, the transmission of attack messages in the network is stopped, and network resources are saved.
The receiving unit 301, comparing unit 302, control unit 303, attack detection unit 501, recognition unit 502, data transmission unit 503 and other functional units described above may be implemented as a general-purpose processor for performing the functions described herein, a programmable logic controller (PLC), a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any suitable combination thereof.
The present invention has thus been described in detail. To avoid obscuring the concept of the invention, some details well known in the field have not been described. From the description above, those skilled in the art can fully appreciate how to implement the technical solution disclosed herein.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above embodiments may be completed by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk or an optical disc.
The description of the invention has been presented for the purposes of illustration and description and is not exhaustive or intended to limit the invention to the forms disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art. The embodiments were chosen and described to best explain the principles of the invention and its practical application, and to enable those of ordinary skill in the art to understand the invention and thus design various embodiments, with various modifications, suited to particular uses.

Claims (14)

1. A method for preventing attacks in a network, characterised in that it comprises:
receiving the packets destined for the server reported by the switches and the attack packets reported by the firewall;
comparing the packets reported by the firewall with those reported by the switches to determine the switch connected to the attack source host and the corresponding switch port;
issuing a first control instruction to the switch connected to the attack source host so that it discards the invalid packets sent by the attack source host received on that switch port.
2. The method according to claim 1, characterised in that, before receiving the packets destined for the server sent by the switches, it further comprises:
sending a second control instruction to the switches instructing them to forward all packets destined for the server to the server and at the same time report those packets.
3. The method according to claim 2, characterised in that, after determining the switch connected to the attack source host and the corresponding switch port, it further comprises:
deleting the second control instruction received by the switch connected to the attack source host, and then performing the step of issuing the first control instruction to the switch connected to the attack source host.
4. The method according to claim 3, characterised in that the step of issuing the first control instruction to the switch connected to the attack source host so that it discards the invalid packets sent by the attack source host received on that switch port comprises:
obtaining the IP address of the legitimate host connected to that switch port and the IP address of the attack source host;
issuing the first control instruction to the switch connected to the attack source host, instructing it to forward the packets sent by the legitimate host received on that switch port to the server while discarding the packets sent by the attack source host received on that switch port.
5. The method according to claim 4, characterised in that the step of obtaining the IP address of the legitimate host connected to that switch port and the IP address of the attack source host comprises:
obtaining from the DHCP server the IP address of the legitimate host connected to that switch port, the legitimate host IP address having been assigned to the legitimate host by the DHCP server;
determining a host IP address that cannot be obtained from the DHCP server to be the attack source host IP address.
6. The method according to claim 4, characterised in that the step of obtaining the IP address of the legitimate host connected to that switch port and the IP address of the attack source host comprises:
issuing an address resolution request to all host ports connected to that switch port;
receiving the legitimate host IP address returned by the legitimate host in response to the address resolution request;
determining the IP address of a host that does not answer the address resolution request to be the attack source host IP address.
7. A controller for preventing attacks in a network, characterised in that it comprises a receiving unit, a comparing unit and a control unit, where:
the receiving unit receives the packets destined for the server reported by the switches and the attack packets reported by the firewall;
the comparing unit compares the packets reported by the firewall with those reported by the switches to determine the switch connected to the attack source host and the corresponding switch port;
the control unit issues a first control instruction to the switch connected to the attack source host so that it discards the invalid packets sent by the attack source host received on that switch port.
8. The controller according to claim 7, characterised in that
the control unit is further configured, before the receiving unit receives the packets destined for the server sent by the switches, to send a second control instruction to the switches instructing them to forward all packets destined for the server to the server and at the same time report those packets.
9. The controller according to claim 8, characterised in that
the control unit is further configured, after the comparing unit has determined the switch connected to the attack source host and the corresponding switch port, to delete the second control instruction received by the switch connected to the attack source host and then perform the operation of issuing the first control instruction to that switch.
10. The controller according to claim 9, characterised in that
the control unit, when issuing the first control instruction to the switch connected to the attack source host so that it discards the invalid packets sent by the attack source host received on that switch port, is specifically configured to obtain the IP address of the legitimate host connected to that switch port and the IP address of the attack source host, and to issue the first control instruction to the switch connected to the attack source host, instructing it to forward the packets sent by the legitimate host received on that switch port to the server while discarding the packets sent by the attack source host received on that switch port.
11. The controller according to claim 10, characterised in that
the control unit, when obtaining the IP address of the legitimate host connected to that switch port and the IP address of the attack source host, is specifically configured to obtain from the DHCP server the IP address of the legitimate host connected to that switch port, the legitimate host IP address having been assigned to the legitimate host by the DHCP server, and to determine a host IP address that cannot be obtained from the DHCP server to be the attack source host IP address.
12. The controller according to claim 10, characterised in that
the control unit, when obtaining the IP address of the legitimate host connected to that switch port and the IP address of the attack source host, is specifically configured to issue an address resolution request to all host ports connected to that switch port, receive the legitimate host IP address returned by the legitimate host in response to the address resolution request, and determine the IP address of a host that does not answer the address resolution request to be the attack source host IP address.
13. A system for preventing attacks in a network, characterised in that it comprises switches, a firewall and a controller, where:
the switches forward all packets destined for the server to the server and at the same time send those packets to the controller;
the firewall sends attack packets to the controller when the server is under attack;
the controller is the controller for preventing attacks in a network according to any one of claims 7 to 12.
14. The system according to claim 13, characterised in that the firewall comprises an attack detection unit, a recognition unit and a data transmission unit, where:
the attack detection unit detects whether the server is under attack;
the recognition unit, when the attack detection unit detects that the server is under attack, judges whether the attacks suffered by the server within a predetermined time exceed a predetermined threshold;
the data transmission unit, according to the judgement of the recognition unit, reports the received packets to the controller as attack packets if the attacks suffered by the server within the predetermined time exceed the predetermined threshold.
CN201410840277.5A 2014-12-30 2014-12-30 For preventing method, controller and the system of attack in a network Active CN105812318B (en)
Publications (2)

Publication Number Publication Date
CN105812318A true CN105812318A (en) 2016-07-27
CN105812318B CN105812318B (en) 2019-02-12