CN105991637A - Network attack protection method and network attack protection device - Google Patents
Network attack protection method and network attack protection device
- Publication number: CN105991637A (application CN201510330425.3A)
- Authority: CN (China)
- Prior art keywords: message, flow, attack, session characteristics, network device
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0227: Filtering policies (under H04L63/02, network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls)
- H04L63/0245: Filtering by information in the payload
- H04L47/12: Avoiding congestion; recovering from congestion (under H04L47/10, flow control; congestion control, in H04L47/00, traffic control in data switching networks)
- H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441: Countermeasures against malicious traffic
- H04L63/1458: Denial of Service
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention provides a network attack protection method and a network attack protection device applied to a traffic cleaning device. The method includes the following steps: a first filtering notice sent by a traffic detection device is received, where the first filtering notice contains the session characteristics of first-type attack packets, first-type attack packets being packets whose traffic is greater than a first threshold; and an upstream network device is instructed to filter first-type target packets that match the session characteristics, where packets reach the ingress network device through the upstream network device. With the method and device of the embodiments, attack packets of a specified type are filtered by their session characteristics, which improves filtering accuracy; because the attack packets are filtered at the upstream network device they never reach the ingress network device, so ingress bandwidth congestion is avoided, the server's external services are not interrupted, and user experience is improved.
Description
Technical field
The present invention relates to network security technology, and in particular to a network attack protection method and device.
Background technology
A DoS (Denial of Service) attack uses a large number of service requests to exhaust the system resources of a network so that the network can no longer process legitimate packets. With the rise of botnets, and because DoS attacks are simple to launch, have a large impact and are hard to trace, DDoS (Distributed Denial of Service) attacks have grown rapidly and become increasingly rampant: a botnet of thousands of hosts supplies the bandwidth and hosts a DDoS attack needs, producing a huge volume of attack packets and causing great harm to the network.
To reduce the harm of DDoS attacks, the related art deploys dedicated traffic cleaning equipment, inline or in bypass mode, at the ingress network device of the network (for example the ingress router or switch) to filter attack packets. However, all such cleaning schemes filter the attack packets at the ingress network device. When the attack traffic is smaller than the ingress bandwidth of the ingress network device the cleaning works well, but once the attack traffic reaches or exceeds the ingress bandwidth, the ingress bandwidth is severely congested and the traffic cleaning equipment alone can no longer clean the attack traffic effectively. The ingress bandwidth stays congested, the server's external services are eventually interrupted, and user experience suffers.
Content of the invention
In view of this, the present invention provides a network attack protection method and device that solve the problem of the server's external services being interrupted by severe ingress bandwidth congestion when the attack traffic is greater than or equal to the ingress bandwidth, thereby improving user experience.
Specifically, the present invention is achieved through the following technical solutions:
The present invention provides a network attack protection method applied to a traffic cleaning device. The method includes:
receiving a first filtering notice sent by a traffic detection device, the first filtering notice including the session characteristics of first-type attack packets, where first-type attack packets are packets whose traffic is greater than a first threshold; and
instructing an upstream network device to filter first-type target packets that match the session characteristics, where packets reach the ingress network device through the upstream network device.
The present invention provides another network attack protection method applied to a traffic detection device. The method includes:
detecting, according to the session characteristics of packets, the traffic of each class of packets sent to the ingress network device;
when the traffic of any class of packets is greater than the first threshold, confirming that this class of packets is first-type attack packets; and
sending a first filtering notice to the traffic cleaning device, the first filtering notice including the session characteristics of the first-type attack packets, so that the traffic cleaning device instructs the upstream network device to filter first-type target packets that match the session characteristics, where packets reach the ingress network device through the upstream network device.
The present invention also provides a network attack protection device applied to a traffic cleaning device. The device includes:
a receiving unit, for receiving a first filtering notice sent by a traffic detection device, the first filtering notice including the session characteristics of first-type attack packets, where first-type attack packets are packets whose traffic is greater than a first threshold; and
an execution unit, for instructing an upstream network device to filter first-type target packets that match the session characteristics, where packets reach the ingress network device through the upstream network device.
The present invention also provides another network attack protection device applied to a traffic detection device. The device includes:
a detection unit, for detecting, according to the session characteristics of packets, the traffic of each class of packets sent to the ingress network device;
a confirmation unit, for confirming, when the traffic of any class of packets is greater than the first threshold, that this class of packets is first-type attack packets; and
a sending unit, for sending a first filtering notice to the traffic cleaning device, the first filtering notice including the session characteristics of the first-type attack packets, so that the traffic cleaning device instructs the upstream network device to filter first-type target packets that match the session characteristics, where packets reach the ingress network device through the upstream network device.
By applying the embodiments of the present invention, attack packets of a specified type can be filtered by their session characteristics, which improves the filtering accuracy, and the attack packets are filtered at the upstream network device so that they cannot reach the ingress network device. This avoids ingress bandwidth congestion, ensures that the server's external services are not interrupted, and improves user experience.
Brief description of the drawings
Fig. 1 is a flow chart of a network attack protection method shown in an exemplary embodiment of the present invention;
Fig. 2 is a flow chart of another network attack protection method shown in an exemplary embodiment of the present invention;
Fig. 3 is a flow chart of another network attack protection method shown in an exemplary embodiment of the present invention;
Fig. 4 is a schematic diagram of an application scenario of the embodiment shown in Fig. 3;
Fig. 5 is a flow chart of another network attack protection method shown in an exemplary embodiment of the present invention;
Fig. 6 is a schematic diagram of an application scenario of the embodiment shown in Fig. 5;
Fig. 7 is a hardware structure diagram of a network attack protection device shown in an exemplary embodiment of the present invention;
Fig. 8 is a structural block diagram of a network attack protection device shown in an exemplary embodiment of the present invention;
Fig. 9 is a structural block diagram of another network attack protection device shown in an exemplary embodiment of the present invention.
Detailed description of the invention
Exemplary embodiments will be described in detail here, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention; they are merely examples of apparatus and methods consistent with some aspects of the present invention as detailed in the appended claims.
The terminology used in the present invention is for the purpose of describing particular embodiments only and is not intended to limit the present invention. The singular forms "a", "the" and "said" used in the present invention and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the present invention to describe various information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the present invention, first information may also be referred to as second information, and similarly second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
In the embodiments of the present invention, packets in the network flow through an upstream network device and are sent to the ingress network device. A traffic detection device performs real-time traffic detection on the packets sent to the ingress network device according to their session characteristics; when the traffic of any class of packets is greater than a first threshold, it confirms that this class of packets is first-type attack packets and sends a first filtering notice, which includes the session characteristics of the first-type attack packets, to the traffic cleaning device. After receiving the first filtering notice, the traffic cleaning device uses the session characteristics in it to instruct the upstream network device to filter first-type target packets that match those session characteristics, thereby stopping such packets from entering the ingress network device, effectively avoiding ingress bandwidth congestion and ensuring that the server's external services are not interrupted.
The network attack protection method and device provided by the present invention are described in detail below with reference to Fig. 1 to Fig. 9.
Fig. 1 is a flow chart of a network attack protection method shown in an exemplary embodiment of the present invention. As shown in Fig. 1, the network attack protection method is applied to a traffic cleaning device and includes the following steps:
Step 101: receive a first filtering notice sent by the traffic detection device, where the first filtering notice includes the session characteristics of first-type attack packets, and first-type attack packets are packets whose traffic is greater than a first threshold.
In this step, the session characteristics include one or more of the five-tuple fields of a packet. For example, session characteristics include but are not limited to a source IP address, a destination IP address, a combination of source IP address and source port, and a combination of destination IP address and destination port.
Step 102: instruct the upstream network device to filter first-type target packets that match the session characteristics, where packets reach the ingress network device through the upstream network device.
In this step, according to an alternative embodiment of the present invention, when the upstream network device is configured with an ACL (Access Control List) interface, the traffic cleaning device can generate a first ACL command from the session characteristics of the received first-type attack packets and send the first ACL command to the upstream network device through the ACL interface. On receiving the first ACL command, the upstream network device adds the correspondence between the session characteristics and the processing mode for such packets (for example, filter) to its local ACL entries; when the session characteristics of a packet flowing through the upstream network device match this ACL entry, the upstream network device filters the packet. For example, the traffic cleaning device generates a first ACL command for the destination IP address 1.1.1.1, and the upstream network device generates from the first ACL command the entry shown in Table 1:
Table 1
| Destination IP address | Processing mode |
| --- | --- |
| 1.1.1.1 | Filter |
According to the entry shown in Table 1, when the upstream network device receives packets whose destination IP address is 1.1.1.1, it filters them according to this ACL entry, so that such packets do not reach the ingress network device and ingress bandwidth congestion is avoided.
After the upstream network device has filtered packets matching the session characteristics for a period of time, the traffic of the first-type attack packets may have decreased to the point where it can no longer congest the ingress bandwidth, and such packets need not be filtered any longer. A first preset time can therefore be configured on the traffic cleaning device: after sending the first ACL command to the upstream network device, the traffic cleaning device starts a timer, and when the timer reaches the first preset time it sends a second ACL command to the upstream network device instructing it to stop filtering the first-type target packets that match the session characteristics. Specifically, the second ACL command can include the session characteristics of the first-type attack packets for which filtering should stop; after receiving the second ACL command, the upstream network device deletes the ACL entry matching those session characteristics and thereby stops filtering the corresponding packets.
The present invention also provides another preferred scheme: when the traffic detection device determines that the current traffic of the class of packets matching the session characteristics is less than the first threshold, it can send an elimination notice (a notice that the attack has subsided) to the traffic cleaning device. The traffic cleaning device then generates a third ACL command from the elimination notice and sends it to the upstream network device, instructing it to stop filtering the packets that match the session characteristics. The upstream network device handles the third ACL command in the same way as the second ACL command described above, which is not repeated here.
According to another alternative embodiment of the present invention, the first-type target packets matching the session characteristics can also be filtered by a blackhole router. Specifically, the traffic cleaning device can generate dynamic routing information based on the session characteristics, in which the next hop for first-type target packets matching the session characteristics is the blackhole router, and send this dynamic routing information to the upstream network device. The upstream network device adds the dynamic routing information to its local routing table; when it receives a first-type target packet it forwards the packet along the blackhole route, and the blackhole router discards such packets on receipt. Note that when the upstream network device is not configured with a corresponding API (Application Programming Interface) interface, the traffic cleaning device can forward the dynamic routing information to the upstream network device via the blackhole router; otherwise it can send the dynamic routing information to the upstream network device directly through the API interface.
Further, a second preset time can be configured on the traffic cleaning device. After sending the dynamic routing information to the upstream network device, the traffic cleaning device starts a timer, and when the timer reaches the second preset time it sends a route deletion notice to the upstream network device. After receiving the route deletion notice, the upstream network device deletes the routing entry from its local routing table and thereby stops filtering the first-type attack packets. Through this preferred embodiment, the next hop of the packets sent to the ingress network device reverts to the destination device or destination server of those packets.
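The following is an added example, not code from the patent, that simulates the upstream network device and the traffic cleaning device of step 102, the first and second preset-time timers, and the blackhole-router variant just described (it also walks the step sequences of Fig. 3 and Fig. 5). The class names, method names, the timer values and every packet and address in it are constructed for the example; the ACL interface and API interface are modelled as plain method calls.

```python
# Added example, not code from the patent: a simulation of the upstream network
# device and traffic cleaning device from step 102, the ACL timer paragraph and
# the blackhole-router variant (also the Fig. 3 and Fig. 5 step sequences).
# Class names, method names and all packet data are constructed for this example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto")

@dataclass(frozen=True)
class SessionKey:
    """Session characteristic: any subset of the five-tuple (None = wildcard)."""
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str

def matches(key: SessionKey, pkt: Packet) -> bool:
    """A packet matches when every non-wildcard field of the key agrees with it."""
    return all(getattr(key, f) is None or getattr(key, f) == getattr(pkt, f) for f in FIELDS)

class UpstreamDevice:
    """Upstream network device: local ACL entries (Table 1) and a local routing table."""
    def __init__(self) -> None:
        self.acl: Dict[SessionKey, str] = {}     # session characteristic -> processing mode
        self.routes: Dict[SessionKey, str] = {}  # session characteristic -> next hop

    def first_acl_command(self, key: SessionKey) -> None:   # ACL interface: start filtering
        self.acl[key] = "filter"

    def second_acl_command(self, key: SessionKey) -> None:  # ACL interface: stop filtering
        self.acl.pop(key, None)

    def add_route(self, key: SessionKey, next_hop: str) -> None:  # API interface
        self.routes[key] = next_hop

    def delete_route(self, key: SessionKey) -> None:  # route deletion notice
        self.routes.pop(key, None)

    def receive(self, pkt: Packet) -> str:
        """Returns the packet's fate: 'dropped', 'blackhole' or 'ingress'."""
        if any(mode == "filter" and matches(k, pkt) for k, mode in self.acl.items()):
            return "dropped"
        if any(hop == "blackhole" and matches(k, pkt) for k, hop in self.routes.items()):
            return "blackhole"        # the blackhole router discards it on receipt
        return "ingress"              # normal next hop: the ingress network device

class CleaningDevice:
    """Traffic cleaning device holding the first and second preset times (seconds)."""
    def __init__(self, upstream: UpstreamDevice, first_preset: int, second_preset: int) -> None:
        self.upstream, self.first_preset, self.second_preset = upstream, first_preset, second_preset
        self.timers: List[Tuple[int, str, SessionKey]] = []  # (expiry, kind, key)

    def on_first_filter_notice(self, key: SessionKey, now: int, use_blackhole: bool = False) -> None:
        """Step 102: push an ACL entry, or a dynamic route whose next hop is the blackhole router."""
        if use_blackhole:
            self.upstream.add_route(key, "blackhole")
            self.timers.append((now + self.second_preset, "route", key))
        else:
            self.upstream.first_acl_command(key)
            self.timers.append((now + self.first_preset, "acl", key))

    def on_elimination_notice(self, key: SessionKey) -> None:
        """Attack traffic fell below the first threshold: withdraw the filter at once."""
        self.upstream.second_acl_command(key)
        self.upstream.delete_route(key)
        self.timers = [t for t in self.timers if t[2] != key]

    def tick(self, now: int) -> int:
        """Fire expired preset-time timers; returns how many filters were withdrawn."""
        fired = [t for t in self.timers if t[0] <= now]
        for _, kind, key in fired:
            (self.upstream.second_acl_command if kind == "acl" else self.upstream.delete_route)(key)
        self.timers = [t for t in self.timers if t[0] > now]
        return len(fired)

def demo() -> List[str]:
    """Run a DNS flood toward 1.1.1.1:53 through both variants; returns each packet's fate."""
    up = UpstreamDevice()
    cleaner = CleaningDevice(up, first_preset=60, second_preset=120)
    dns = Packet("198.51.100.7", "1.1.1.1", 40000, 53, "udp")   # constructed attack packet
    web = Packet("198.51.100.7", "1.1.1.1", 40001, 443, "tcp")  # constructed legitimate packet
    key = SessionKey(dst_ip="1.1.1.1", dst_port=53)             # from the first filtering notice
    fates: List[str] = []
    cleaner.on_first_filter_notice(key, now=0)           # first ACL command
    fates += [up.receive(dns), up.receive(web)]          # dropped, ingress (port 443 does not match)
    cleaner.tick(now=60)                                 # first preset time: second ACL command
    fates.append(up.receive(dns))                        # ingress again
    cleaner.on_first_filter_notice(key, now=60, use_blackhole=True)
    fates.append(up.receive(dns))                        # blackhole
    cleaner.on_elimination_notice(key)                   # elimination notice: route deletion
    fates.append(up.receive(dns))                        # ingress
    return fates

if __name__ == "__main__":
    print(demo())   # ['dropped', 'ingress', 'ingress', 'blackhole', 'ingress']
```

The point the simulation makes is that the filter is keyed on the session characteristic, not on the destination alone: the HTTPS packet to the same server passes while the DNS packets are dropped, and both withdrawal paths (the preset-time timer and the elimination notice) leave the upstream device forwarding normally again.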
Based on the above embodiments, if the traffic detection device detects that the traffic of any class of packets is less than the first threshold but greater than a second threshold, it can confirm that this class of packets is second-type attack packets and send a second filtering notice, which includes the session characteristics of the second-type attack packets, to the traffic cleaning device. After receiving the second filtering notice, the traffic cleaning device can filter such packets itself according to the session characteristics in the notice and preset filtering rules. The preset filtering rules include but are not limited to rate-limiting protection, TCP state protection, black-and-white-list protection, application-layer protection and fingerprint-recognition protection. Taking fingerprint recognition as an example: after receiving packets, the traffic cleaning device extracts the packet length, stores the discretized packet length field, periodically counts the lengths of the packets currently sent to the ingress network device, and builds a distribution model. When a second-type attack occurs on the ingress network device, the distribution of the fingerprint characteristics of the packets causing the attack fluctuates and exceeds the distribution offset of the distribution model, so the packets can be filtered according to this fingerprint characteristic. For details, refer to the related art, which is not repeated here.
Through the above embodiments, the upstream network device filters packets of a specified type by matching session characteristics, which improves the filtering accuracy for attack packets, and attack packets matching the session characteristics are discarded before they reach the ingress network device, ensuring that the ingress bandwidth is not congested.
Fig. 2 is a flow chart of another network attack protection method shown in an exemplary embodiment of the present invention. As shown in Fig. 2, the network attack protection method is applied to a traffic detection device and includes the following steps:
Step 201: detect, according to the session characteristics of packets, the traffic of each class of packets sent to the ingress network device.
In this step, the session characteristics of a packet include one or more of its five-tuple fields. For example, session characteristics can include but are not limited to a source IP address, a destination IP address, a combination of source IP address and source port, a combination of destination IP address and destination port, and so on.
The traffic detection device can obtain the packets sent to the ingress network device by port mirroring or optical splitting, and can detect the session characteristics of the packets by, but not limited to, DPI (Deep Packet Inspection) or DFI (Deep/Dynamic Flow Inspection) techniques. It classifies the packets by the session characteristics so detected and counts the traffic of each class of packets.
Step 202: when the traffic of any class of packets is greater than the first threshold, confirm that this class of packets is first-type attack packets.
A user or network administrator can configure the first threshold on the traffic detection device in advance according to the historical traffic data of each class of packets. For example, a first threshold of 4GB is configured for the combination of destination IP address 1.1.1.1 and destination port 53. When the traffic detection device counts that the traffic of packets with destination IP address 1.1.1.1 and destination port 53 has suddenly risen to 5GB, which is greater than the first threshold of 4GB, it confirms that this class of packets is first-type attack packets.
Step 203: send a first filtering notice to the traffic cleaning device, where the first filtering notice includes the session characteristics of the first-type attack packets, so that the traffic cleaning device instructs the upstream network device to filter first-type target packets that match the session characteristics, and where packets reach the ingress network device through the upstream network device.
In step 203, still taking the combination of destination port 53 and destination IP address 1.1.1.1 as an example, the traffic detection device sends destination port 53 and destination IP address 1.1.1.1 to the traffic cleaning device in the first filtering notice. The traffic cleaning device generates a first ACL command from the first filtering notice and instructs the upstream network device to discard or filter all packets with destination port 53 and destination IP address 1.1.1.1, so that such packets do not enter the ingress network device and congest the ingress bandwidth.
Further, when the traffic of the first-type attack packets falls below the first threshold, the traffic detection device can send an elimination notice to the traffic cleaning device so that the traffic cleaning device instructs the upstream network device to stop filtering such packets; see step 102 in Fig. 1 for details, which are not repeated here.
Further, when the traffic detection device detects that the traffic of any class of packets is less than the first threshold but greater than a second threshold, it can confirm that this class of packets is second-type attack packets and send a second filtering notice to the traffic cleaning device, where the second filtering notice can include the session characteristics of the second-type attack packets, so that the traffic cleaning device filters such packets itself according to those session characteristics. For example, two thresholds are configured for the combination of destination port 53 and destination IP address 1.1.1.1: a first threshold of 4GB and a second threshold of 2GB. When the traffic detection device measures the traffic of this combination at 3GB, it sends destination port 53 and destination IP address 1.1.1.1 to the traffic cleaning device in a second filtering notice, so that the traffic cleaning device filters the packets with destination port 53 and destination IP address 1.1.1.1 according to the preset filtering rules. The preset filtering rules are described in detail in the embodiment shown in Fig. 1 and are not repeated here.
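The following is an added example, not code from the patent, of the traffic detection device side (steps 201 to 203 together with the elimination notice and the second filtering notice). It classifies flow records by configured session characteristics, totals the bytes per class in each measurement window, and raises the notice that the two thresholds call for. The 4GB/2GB thresholds and the 5GB/3GB measurements are the text's own example; the flow records, the class and method names, the notice names and the choice of GB = 10**9 bytes are assumptions of the example.

```python
# Added example, not code from the patent: the traffic detection device of
# steps 201-203, classifying flows by configured session characteristics,
# totalling traffic per class per measurement window and raising the first
# filtering notice, second filtering notice or elimination notice against the
# two thresholds.  The 4GB/2GB thresholds and the 5GB/3GB measurements follow
# the text; GB = 10**9 bytes and all flow records are assumptions of this example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GB = 10**9  # assumed unit for the thresholds quoted in the text
FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port")

@dataclass(frozen=True)
class SessionKey:
    """Session characteristic: a subset of the five-tuple (None = wildcard)."""
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class FlowRecord:
    """One flow as DPI/DFI would report it from mirrored traffic (constructed)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    byte_count: int

@dataclass(frozen=True)
class Notice:
    kind: str          # "first_filter", "second_filter" or "elimination"
    key: SessionKey    # session characteristic carried to the traffic cleaning device
    traffic: int       # bytes measured in the window that triggered the notice

def matches(key: SessionKey, rec: FlowRecord) -> bool:
    """A flow belongs to a class when every non-wildcard field of the key agrees with it."""
    return all(getattr(key, f) is None or getattr(key, f) == getattr(rec, f) for f in FIELDS)

class TrafficDetector:
    """Traffic detection device with a (first_threshold, second_threshold) pair per class."""
    def __init__(self, thresholds: Dict[SessionKey, Tuple[int, int]]) -> None:
        for first, second in thresholds.values():
            if first <= second:
                raise ValueError("first threshold must exceed second threshold")
        self.thresholds = thresholds
        self.state: Dict[SessionKey, str] = {k: "normal" for k in thresholds}

    def measure(self, records: List[FlowRecord]) -> Dict[SessionKey, int]:
        """Step 201: classify flows by session characteristics and total the bytes per class."""
        totals = {k: 0 for k in self.thresholds}
        for rec in records:
            for key in self.thresholds:
                if matches(key, rec):
                    totals[key] += rec.byte_count
        return totals

    def evaluate(self, records: List[FlowRecord]) -> List[Notice]:
        """Steps 202-203 for one measurement window, plus the elimination notice."""
        notices: List[Notice] = []
        for key, traffic in self.measure(records).items():
            first, second = self.thresholds[key]
            prev = self.state[key]
            new = "first_type" if traffic > first else "second_type" if traffic > second else "normal"
            if new == "first_type":
                if prev != "first_type":          # first-type attack: the upstream device must filter
                    notices.append(Notice("first_filter", key, traffic))
            else:
                if prev == "first_type":          # fell below the first threshold: release upstream filter
                    notices.append(Notice("elimination", key, traffic))
                if new == "second_type" and prev != "second_type":  # cleaning device filters it itself
                    notices.append(Notice("second_filter", key, traffic))
            self.state[key] = new
        return notices

def flood(n: int, size: int) -> List[FlowRecord]:
    """n constructed DNS flows of `size` bytes each toward 1.1.1.1:53."""
    return [FlowRecord(f"203.0.113.{i}", "1.1.1.1", 10000 + i, 53, size) for i in range(n)]

def demo() -> List[List[str]]:
    """Four windows carrying 1GB, 5GB, 3GB and 1GB of DNS traffic; HTTPS traffic is not counted."""
    key = SessionKey(dst_ip="1.1.1.1", dst_port=53)
    detector = TrafficDetector({key: (4 * GB, 2 * GB)})
    https = FlowRecord("198.51.100.8", "1.1.1.1", 5555, 443, 9 * GB)  # other port: ignored
    windows = [flood(1, GB) + [https], flood(5, GB), flood(3, GB), flood(1, GB)]
    return [[n.kind for n in detector.evaluate(w)] for w in windows]

if __name__ == "__main__":
    print(demo())   # [[], ['first_filter'], ['elimination', 'second_filter'], []]
```

The state machine is what makes the detector usable as a notice source rather than a per-window alarm: a notice is sent only on a transition, so the upstream filter is requested once at 5GB, released once when the class drops to 3GB, and the second filtering notice hands the remaining attack traffic to the cleaning device's own preset filtering rules. Large HTTPS traffic to the same server is never counted against the port 53 class, which is the accuracy gain the text attributes to classifying by session characteristics.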
By applying the above embodiment, packets are classified by their session characteristics and the traffic of each class is counted, so attack packets are located accurately, and the session characteristics of the attack packets are sent to the traffic cleaning device, improving the filtering accuracy for attack packets.
Fig. 3 is a flow chart of another network attack protection method shown in an exemplary embodiment of the present invention. As shown in Fig. 3, this embodiment describes in detail the network attack protection method of one embodiment of the present invention through the interaction among three parties: the traffic detection device, the traffic cleaning device and the upstream network device:
Step 301: the traffic detection device obtains the packets sent to the ingress network device.
Step 302: the traffic detection device detects the traffic of each class of packets according to the session characteristics of the packets.
Step 303: when the traffic of any class of packets is greater than the first threshold, confirm that this class of packets is first-type attack packets.
Step 304: the traffic detection device sends a first filtering notice to the traffic cleaning device, where the first filtering notice includes the session characteristics of the first-type attack packets.
Step 305: the traffic cleaning device receives the first filtering notice sent by the traffic detection device.
Step 306: the traffic cleaning device generates a first ACL command from the session characteristics.
Step 307: the traffic cleaning device sends the first ACL command to the upstream network device.
Step 308: the upstream network device receives the first ACL command.
Step 309: the upstream network device generates an ACL entry from the first ACL command.
Step 310: when the upstream network device receives a packet, it judges whether the session characteristics of the packet match the ACL entry; if so, it proceeds to step 311.
Step 311: the upstream network device filters the packets matching the session characteristics according to the ACL entry.
Fig. 4 is a schematic diagram of an application scenario of the embodiment shown in Fig. 3. As shown in Fig. 4, the scenario includes an upstream network device, an ingress network device, a traffic detection device and a traffic cleaning device, where packets are sent to the ingress network device through the upstream network device and then enter the protected network through the ingress network device. In the embodiments of the present invention, the traffic detection device obtains the packets sent to the ingress network device by mirroring or optical splitting, detects their session characteristics by DPI or similar techniques, and thereby classifies the packets and counts the traffic of each class. When it detects that the traffic of any class of packets is greater than the first threshold, it confirms that this class of packets is first-type attack packets and sends a first filtering notice to the traffic cleaning device. After receiving the first filtering notice, the traffic cleaning device generates a first ACL command from the session characteristics in the notice and sends it to the upstream network device, which generates an ACL entry from the first ACL command. When the session characteristics of a packet match this ACL entry, the upstream network device filters the packet so that it does not reach the ingress network device; this avoids severe congestion of the ingress network device, ensures that the server's external services are not interrupted, and improves user experience.
Fig. 5 is a flow chart of another network attack protection method shown in an exemplary embodiment of the present invention. As shown in Fig. 5, this embodiment describes in detail the network attack protection method of another embodiment of the present invention through the interaction among the traffic detection device, the traffic cleaning device, the upstream network device and the blackhole router:
Step 301: the traffic detection device obtains the packets sent to the ingress network device.
Step 302: the traffic detection device detects the traffic of each class of packets according to the session characteristics of the packets.
Step 303: when the traffic of any class of packets is greater than the first threshold, confirm that this class of packets is first-type attack packets.
Step 304: the traffic detection device sends a first filtering notice to the traffic cleaning device, where the first filtering notice includes the session characteristics of the first-type attack packets.
Step 305: the traffic cleaning device receives the first filtering notice sent by the traffic detection device.
Step 312: the traffic cleaning device generates dynamic routing information from the session characteristics, where the next hop for packets matching the session characteristics in the dynamic routing information is the blackhole router.
Step 313: the traffic cleaning device sends the dynamic routing information to the upstream network device.
Step 314: the upstream network device receives the dynamic routing information.
Step 315: when the upstream network device receives a packet, it judges whether the session characteristics of the packet match the routing entry; if so, it proceeds to step 316.
Step 316: the upstream network device sends the packet to the blackhole router.
Step 317: the blackhole router filters the packets sent by the upstream network device.
Fig. 6 is a schematic diagram of an application scenario of the embodiment shown in Fig. 5. As shown in Fig. 6, the present embodiment differs from the embodiment of Fig. 4 in that a black hole router is added on top of that embodiment. Specifically, the flow cleaning device generates dynamic routing information from the session characteristics in the first filter notify, in which the next hop of packets matching the session characteristics is the black hole router, and sends the dynamic routing information to the upstream network device. The upstream network device can add the dynamic routing information to its local routing table; when it receives a packet whose session characteristics match that routing table entry, it forwards the packet to the black hole router, and the black hole router filters the packet on receipt, so that the packet never enters the ingress network device. It should be noted that the flow cleaning device can forward the dynamic routing information to the upstream network device over different paths depending on how the upstream network device is configured. For example, when the upstream network device is not configured with a corresponding API interface, the flow cleaning device can send the dynamic routing information to the black hole router, which then forwards it to the upstream network device; conversely, when the upstream network device is configured with a corresponding API interface, the flow cleaning device can send the dynamic routing information directly to the upstream network device. The present invention is not limited in this regard.
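The two enforcement paths described above, the first ACL command of the Fig. 4 embodiment and the black hole route of the Fig. 5 and Fig. 6 embodiment, modelled end to end as an added Python example. This is illustrative code written for this page, not the patent's or the applicant's implementation. It assumes that the session characteristics used both for classification and for the upstream rule are the tuple (source address, destination address, destination port, protocol), it stands in an in-memory list and dict for the upstream device's ACL table and routing table, and the packet window, the threshold and the device names are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumption for this example: the "session characteristics" the detector extracts
# are (src IP, dst IP, dst port, protocol). The patent does not fix the key.
Session = Tuple[str, str, int, str]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    size: int  # bytes counted towards the class's flow

    @property
    def session(self) -> Session:
        return (self.src, self.dst, self.dport, self.proto)


class FlowDetector:
    """Steps 301-304: classify packets by session characteristics, total the
    bytes of each class and report the classes above the first threshold."""

    def __init__(self, first_threshold: int) -> None:
        self.first_threshold = first_threshold
        self.bytes_per_class: Dict[Session, int] = defaultdict(int)

    def observe(self, pkt: Packet) -> None:
        self.bytes_per_class[pkt.session] += pkt.size

    def first_filter_notifies(self) -> List[Session]:
        # A first filter notify carries only the session characteristics of the class.
        return [s for s, b in self.bytes_per_class.items() if b > self.first_threshold]


class BlackholeRouter:
    """Step 317: everything routed here is discarded."""

    def __init__(self) -> None:
        self.filtered = 0

    def receive(self, pkt: Packet) -> None:
        self.filtered += 1


@dataclass
class UpstreamDevice:
    """Holds an ACL table (Fig. 4 variant) and a routing table (Fig. 5/6 variant)."""
    blackhole: BlackholeRouter
    acl: List[Session] = field(default_factory=list)
    routes: Dict[Session, str] = field(default_factory=dict)  # session -> next hop
    counters: Dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def install_acl(self, session: Session) -> None:
        # first ACL command -> ACL table entry (step 307 of the Fig. 4 variant)
        if session not in self.acl:
            self.acl.append(session)

    def install_route(self, session: Session, next_hop: str) -> None:
        # dynamic routing information added to the local routing table (step 314)
        self.routes[session] = next_hop

    def forward(self, pkt: Packet) -> str:
        """Return the packet's fate: 'dropped' (ACL), 'blackhole' or 'ingress'."""
        s = pkt.session
        if s in self.acl:                      # step 308: ACL match, filter locally
            self.counters["dropped"] += 1
            return "dropped"
        if self.routes.get(s) == "blackhole":  # steps 315/316: route match, next hop is the black hole
            self.blackhole.receive(pkt)
            self.counters["blackhole"] += 1
            return "blackhole"
        self.counters["ingress"] += 1          # unmatched packets reach the ingress network device
        return "ingress"


class CleaningDevice:
    """Step 305 onwards: turn a first filter notify into either a first ACL
    command or a dynamic route whose next hop is the black hole router."""

    def __init__(self, upstream: UpstreamDevice, mode: str) -> None:
        if mode not in ("acl", "blackhole"):
            raise ValueError("mode must be 'acl' or 'blackhole'")
        self.upstream, self.mode = upstream, mode

    def handle_first_filter_notify(self, session: Session) -> None:
        if self.mode == "acl":
            self.upstream.install_acl(session)
        else:
            self.upstream.install_route(session, "blackhole")


def sample_window() -> List[Packet]:
    """Constructed traffic for one measurement window: a UDP flood to the server's
    port 80 plus a small legitimate TCP session (RFC 5737 documentation addresses)."""
    flood = [Packet("198.51.100.7", "203.0.113.10", 80, "udp", 100) for _ in range(20)]
    legit = [Packet("192.0.2.5", "203.0.113.10", 443, "tcp", 100) for _ in range(5)]
    return flood + legit


def run(mode: str, first_threshold: int = 1000) -> Dict[str, int]:
    """Detect on one window, push the rule upstream, then forward the next window
    through the upstream device and report where each packet ended up."""
    blackhole = BlackholeRouter()
    upstream = UpstreamDevice(blackhole)
    cleaner = CleaningDevice(upstream, mode)
    detector = FlowDetector(first_threshold)

    for pkt in sample_window():            # window 1: detection only
        detector.observe(pkt)
    for session in detector.first_filter_notifies():
        cleaner.handle_first_filter_notify(session)   # steps 304 -> 305 -> 312/313

    for pkt in sample_window():            # window 2: same traffic, now policed upstream
        upstream.forward(pkt)
    result = dict(upstream.counters)
    result["blackhole_filtered"] = blackhole.filtered
    return result


if __name__ == "__main__":
    print("acl mode:      ", run("acl"))
    print("blackhole mode:", run("blackhole"))
```

Running the block shows the fate of the second window's packets in each mode: in ACL mode the upstream device drops the flood itself, in black hole mode it forwards the flood to the black hole router, which discards it, and the legitimate session reaches the ingress device either way. The choice of classification key matters in practice: a key that also included the source port would split a flood with randomised source ports into many classes that never individually cross the first threshold, so the key should match the shape of the attack the system is meant to catch.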
It should be noted that in embodiments of the present invention, besides the flow detection device and the flow cleaning device, a management platform may also be included. When the abnormal flow cleaning system includes a management platform, the instructions, commands, notifications and similar information exchanged between the flow detection device and the flow cleaning device can all be relayed through the management platform; for example, the flow detection device can send the first filter notify, the elimination notice, the second filter notify and the route deletion notice to the flow cleaning device through the management platform.
Furthermore, a preset time can be configured on the management platform. After the flow cleaning device sends the first ACL command or the dynamic routing information to the upstream network device, the management platform can start a timer; when the timer reaches the preset time, it notifies the flow cleaning device, so that the flow cleaning device instructs the upstream network device to stop filtering the packets that caused the first-class attack.
The management platform can also store the attack alarm logs that the flow detection device sends when it detects that the flow of any class of packet exceeds the first threshold, or is below the first threshold but above the second threshold, as well as the cleaning logs sent by the flow cleaning device. An attack alarm log may include, but is not limited to, information such as the flow before the attack, the flow after cleaning and the size of the attack flow. The management platform can analyse this information and generate a detailed report, so that users can understand the network traffic situation, and the first threshold and the second threshold can also be set according to the historical traffic data in that report.
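The rule lifecycle that the two thresholds, the preset time, the elimination notice and the second filter notify define for one traffic class (the behaviour claimed in claims 3, 4, 6, 7, 9 and 10 below), as an added Python example written for this page rather than taken from the patent. It measures flow per fixed interval, counts the preset time in intervals, and the threshold values, the class label and the sample flow figures are constructed; the thresholds_from_history helper is one possible way of setting thresholds from the historical data mentioned above, not a method the patent specifies.

```python
import statistics
from dataclasses import dataclass, field
from typing import List, Sequence, Tuple

# Actions the detector, cleaning device and management platform take in an interval.
NORMAL = "normal"
FIRST_FILTER_NOTIFY = "first_filter_notify"      # upstream rule installed (claims 2, 5)
UPSTREAM_FILTERING = "upstream_filtering"
PRESET_TIME_EXPIRED = "preset_time_expired"      # second ACL command / route deletion (claims 3, 6)
ELIMINATION_NOTICE = "elimination_notice"        # third ACL command (claims 4, 9)
SECOND_FILTER_NOTIFY = "second_filter_notify"    # cleaning device filters itself (claims 7, 10)
CLEANING_FILTERING = "cleaning_filtering"


@dataclass
class ClassState:
    label: str
    first_threshold: int     # bytes per interval; above this the upstream device filters
    second_threshold: int    # bytes per interval; above this (and at most the first) the cleaning device filters
    preset_time: int         # intervals an upstream rule is kept before the platform withdraws it
    upstream_filtering: bool = False
    remaining: int = 0
    cleaning_filtering: bool = False
    interval: int = 0
    alarm_log: List[str] = field(default_factory=list)

    def tick(self, flow: int) -> List[str]:
        """Process one interval's flow figure as measured by the flow detection device
        and return the actions taken. Assumption: the detector measures the class
        before the upstream filter takes effect (e.g. from the upstream device's flow
        export). If it only saw what reaches the ingress, the flow would read zero as
        soon as the rule is installed and the elimination notice would withdraw it
        at once, so the rule would flap."""
        self.interval += 1
        actions: List[str] = []
        if flow > self.first_threshold:
            self.alarm_log.append(f"t={self.interval} {self.label}: {flow} B > first threshold")
            if not self.upstream_filtering:
                self.upstream_filtering, self.remaining = True, self.preset_time
                self.cleaning_filtering = False   # the upstream rule supersedes local filtering
                actions.append(FIRST_FILTER_NOTIFY)
            else:
                self.remaining -= 1
                if self.remaining == 0:
                    self.upstream_filtering = False
                    actions.append(PRESET_TIME_EXPIRED)
                else:
                    actions.append(UPSTREAM_FILTERING)
            return actions
        if self.upstream_filtering:               # flow fell to or below the first threshold
            self.upstream_filtering, self.remaining = False, 0
            actions.append(ELIMINATION_NOTICE)
        if flow > self.second_threshold:
            self.alarm_log.append(f"t={self.interval} {self.label}: {flow} B between thresholds")
            actions.append(CLEANING_FILTERING if self.cleaning_filtering else SECOND_FILTER_NOTIFY)
            self.cleaning_filtering = True
        else:
            self.cleaning_filtering = False
            actions.append(NORMAL)
        return actions


def simulate(samples: Sequence[int], first_threshold: int, second_threshold: int,
             preset_time: int) -> Tuple[List[List[str]], List[str]]:
    """Run one class through a sequence of per-interval flow figures."""
    state = ClassState("udp/80 from 198.51.100.7", first_threshold, second_threshold, preset_time)
    return [state.tick(flow) for flow in samples], state.alarm_log


def thresholds_from_history(history: Sequence[int], k_first: float = 3.0,
                            k_second: float = 1.5) -> Tuple[int, int]:
    """Mean plus k standard deviations of the historical per-interval flow: a
    constructed rule of thumb for setting the two thresholds, not the patent's."""
    mean, sd = statistics.fmean(history), statistics.pstdev(history)
    return round(mean + k_first * sd), round(mean + k_second * sd)


if __name__ == "__main__":
    actions, log = simulate([400, 1500, 1500, 1500, 800, 300], 1000, 600, 3)
    for t, taken in enumerate(actions, 1):
        print(t, taken)
    print("\n".join(log))
    print(thresholds_from_history([100, 200, 300, 400]))
```

With the constructed figures the class is normal, crosses the first threshold (upstream rule installed), stays there for two intervals, drops into the band between the thresholds (elimination notice withdraws the upstream rule and a second filter notify hands the class to the cleaning device), and then returns to normal. A run with the flow held above the first threshold shows the other withdrawal path: the preset time expires, the rule is removed, and the next interval reinstalls it. Both paths race in the patent's design, so where the detector measures, and whether the preset time is meant as a refresh interval or a hard stop, are the operational choices that decide whether the upstream rule flaps.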
By applying the above embodiments, attack packets of a specified type can be filtered by their session characteristics, which improves the accuracy of packet filtering, and the attack packets are filtered at the upstream network device so that they cannot reach the ingress network device. This avoids congestion of the ingress bandwidth, keeps the server's external service uninterrupted and improves the user experience.
Corresponding to the foregoing embodiments of the network attack protection method, the present invention also provides embodiments of a network attack protection device.
The embodiments of the network attack protection device 400 of the present invention can be applied on the flow cleaning device and on the flow detection device respectively. The device embodiments may be implemented in software, or in hardware or a combination of hardware and software. Taking software implementation as an example, the device in the logical sense is formed by the processor of the equipment on which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. At the hardware level, Fig. 7 shows a hardware structure diagram of the equipment on which the network attack protection device 400 of the present invention resides. Besides the processor, memory, network interface and non-volatile memory shown in Fig. 7, the equipment on which the network attack protection device 400 of the embodiment resides may also include other hardware according to its actual function, which is not described further here.
Fig. 8 is a structural block diagram of a network attack protection device shown in an exemplary embodiment of the present invention. As shown in Fig. 8, the network attack protection device 400 is applied on the flow cleaning device and includes a receiving unit 401 and an execution unit 402.
The receiving unit 401 is configured to receive the first filter notify sent by the flow detection device, the first filter notify including the session characteristics of first-class attack packets, where first-class attack packets are packets whose flow exceeds the first threshold. The execution unit 402 is configured to instruct the upstream network device to filter first-class target packets matching the session characteristics, where packets reach the ingress network device through the upstream network device.
Fig. 9 is a structural block diagram of another network attack protection device shown in an exemplary embodiment of the present invention. As shown in Fig. 9, the network attack protection device 400 is applied on the flow detection device and includes a detection unit 501, a confirmation unit 502 and a sending unit 503.
The detection unit 501 is configured to detect, according to the session characteristics of packets, the flow of each class of packet sent to the ingress network device.
The confirmation unit 502 is configured to confirm, when the flow of any class of packet exceeds the first threshold, that class of packet as first-class attack packets.
The sending unit 503 is configured to send the first filter notify to the flow cleaning device, the first filter notify including the session characteristics of the first-class attack packets, so that the flow cleaning device instructs the upstream network device to filter first-class target packets matching the session characteristics, where packets reach the ingress network device through the upstream network device.
The implementation of the functions and roles of the units in the above devices is described in the implementation of the corresponding steps of the above methods and is not repeated here.
Since the device embodiments essentially correspond to the method embodiments, the relevant parts can be found in the description of the method embodiments. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the present invention. Those of ordinary skill in the art can understand and implement this without creative effort.
The above are only preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Claims (12)
1. A network attack protection method, characterised in that it is applied on a flow cleaning device and comprises:
receiving a first filter notify sent by a flow detection device, the first filter notify including the session characteristics of first-class attack packets, the first-class attack packets being packets whose flow exceeds a first threshold;
instructing an upstream network device to filter first-class target packets matching the session characteristics, where packets reach an ingress network device through the upstream network device.
2. The method according to claim 1, characterised in that instructing the upstream network device to filter the first-class target packets matching the session characteristics comprises:
generating a first ACL command according to the session characteristics and sending it to the upstream network device, to instruct the upstream network device to filter, according to the first ACL command, the first-class target packets matching the session characteristics.
3. The method according to claim 2, characterised in that, after sending the first ACL command to the upstream network device, the method further comprises:
when a first preset time is reached, sending a second ACL command to the upstream network device, to instruct the upstream network device to stop filtering the first-class target packets matching the session characteristics.
4. The method according to claim 2, characterised in that, after sending the first ACL command to the upstream network device, the method further comprises:
receiving an elimination notice sent by the flow detection device;
generating a third ACL command according to the elimination notice and sending it to the upstream network device, to instruct the upstream network device to stop filtering the first-class target packets matching the session characteristics.
5. The method according to claim 1, characterised in that instructing the upstream network device to filter the first-class target packets matching the session characteristics comprises:
generating dynamic routing information according to the session characteristics, in which the next hop of the first-class target packets matching the session characteristics is a black hole router;
sending the dynamic routing information to the upstream network device.
6. The method according to claim 5, characterised in that, after sending the dynamic routing information to the upstream network device, the method further comprises:
when a second preset time is reached, sending a route deletion notice to the upstream network device, to instruct the upstream network device to delete the dynamic routing information.
7. The method according to claim 1, characterised in that the method further comprises:
receiving a second filter notify sent by the flow detection device, the second filter notify including the session characteristics of second-class attack packets, the second-class attack packets being packets whose flow is below the first threshold and above a second threshold;
filtering, according to the session characteristics and a preset filtering rule, the packets whose flow is below the first threshold and above the second threshold.
8. A network attack protection method, characterised in that it is applied on a flow detection device and comprises:
detecting, according to the session characteristics of packets, the flow of each class of packet sent to an ingress network device;
when the flow of any class of packet exceeds a first threshold, confirming that class of packet as first-class attack packets;
sending a first filter notify to a flow cleaning device, the first filter notify including the session characteristics of the first-class attack packets, so that the flow cleaning device instructs an upstream network device to filter first-class target packets matching the session characteristics, where packets reach the ingress network device through the upstream network device.
9. The method according to claim 8, characterised in that, after sending the first filter notify to the flow cleaning device, the method further comprises:
when the flow of the first-class attack packets falls below the first threshold, sending an elimination notice to the flow cleaning device, so that the flow cleaning device instructs the upstream network device to stop filtering the first-class target packets matching the session characteristics.
10. The method according to claim 8, characterised in that the method further comprises:
when the flow of any class of packet exceeds a second threshold and is below the first threshold, confirming that class of packet as second-class attack packets;
sending a second filter notify to the flow cleaning device, the second filter notify including the session characteristics of the second-class attack packets, so that the flow cleaning device filters second-class target packets according to the session characteristics.
11. A network attack protection device, characterised in that it is applied on a flow cleaning device and comprises:
a receiving unit, configured to receive a first filter notify sent by a flow detection device, the first filter notify including the session characteristics of first-class attack packets, the first-class attack packets being packets whose flow exceeds a first threshold;
an execution unit, configured to instruct an upstream network device to filter first-class target packets matching the session characteristics, where packets reach an ingress network device through the upstream network device.
12. A network attack protection device, characterised in that it is applied on a flow detection device and comprises:
a detection unit, configured to detect, according to the session characteristics of packets, the flow of each class of packet sent to an ingress network device;
a confirmation unit, configured to confirm, when the flow of any class of packet exceeds a first threshold, that class of packet as first-class attack packets;
a sending unit, configured to send a first filter notify to a flow cleaning device, the first filter notify including the session characteristics of the first-class attack packets, so that the flow cleaning device instructs an upstream network device to filter first-class target packets matching the session characteristics, where packets reach the ingress network device through the upstream network device.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510330425.3A CN105991637B (en) | 2015-06-15 | 2015-06-15 | The means of defence and device of network attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105991637A true CN105991637A (en) | 2016-10-05 |
CN105991637B CN105991637B (en) | 2019-06-07 |
Family
ID=57040006
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510330425.3A Active CN105991637B (en) | 2015-06-15 | 2015-06-15 | The means of defence and device of network attack |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105991637B (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106899580A (en) * | 2017-02-10 | 2017-06-27 | 杭州迪普科技股份有限公司 | A kind of flow cleaning method and device |
CN107547507A (en) * | 2017-06-27 | 2018-01-05 | 新华三技术有限公司 | A kind of anti-attack method, device, router device and machinable medium |
CN108449314A (en) * | 2018-02-02 | 2018-08-24 | 杭州迪普科技股份有限公司 | A kind of flow lead method and apparatus |
CN108737344A (en) * | 2017-04-20 | 2018-11-02 | 腾讯科技(深圳)有限公司 | A kind of network attack protection method and device |
CN109040141A (en) * | 2018-10-17 | 2018-12-18 | 腾讯科技(深圳)有限公司 | Detection method, device, computer equipment and the storage medium of abnormal flow |
CN109756456A (en) * | 2017-11-06 | 2019-05-14 | 中兴通讯股份有限公司 | A kind of method, the network equipment and readable storage medium storing program for executing improving network equipment safety |
CN110430226A (en) * | 2019-09-16 | 2019-11-08 | 腾讯科技(深圳)有限公司 | Network attack detecting method, device, computer equipment and storage medium |
CN111031054A (en) * | 2019-12-19 | 2020-04-17 | 紫光云(南京)数字技术有限公司 | CC protection method |
CN112118271A (en) * | 2020-10-29 | 2020-12-22 | 杭州迪普科技股份有限公司 | Flow cleaning method, device, equipment and computer readable storage medium |
CN112565308A (en) * | 2021-02-26 | 2021-03-26 | 北京邮电大学 | Malicious application detection method, device, equipment and medium based on network traffic |
WO2022057647A1 (en) * | 2020-09-15 | 2022-03-24 | 华为技术有限公司 | Packet processing method, system, and device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2003005666A2 (en) * | 2001-07-03 | 2003-01-16 | Intel Corporation | An apparatus and method for secure, automated response to distributed denial of service attacks |
CN101136922A (en) * | 2007-04-28 | 2008-03-05 | 华为技术有限公司 | Service stream recognizing method, device and distributed refusal service attack defending method, system |
CN101309150A (en) * | 2008-06-30 | 2008-11-19 | 华为技术有限公司 | Distributed service attack refusing defense method, apparatus and system |
CN102111394A (en) * | 2009-12-28 | 2011-06-29 | 成都市华为赛门铁克科技有限公司 | Network attack protection method, equipment and system |
2015-06-15 CN CN201510330425.3A patent/CN105991637B/en active Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2003005666A2 (en) * | 2001-07-03 | 2003-01-16 | Intel Corporation | An apparatus and method for secure, automated response to distributed denial of service attacks |
US20030014665A1 (en) * | 2001-07-03 | 2003-01-16 | Anderson Todd A. | Apparatus and method for secure, automated response to distributed denial of service attacks |
CN1640090A (en) * | 2001-07-03 | 2005-07-13 | 英特尔公司 | An apparatus and method for secure, automated response to distributed denial of service attacks |
CN101136922A (en) * | 2007-04-28 | 2008-03-05 | 华为技术有限公司 | Service stream recognizing method, device and distributed refusal service attack defending method, system |
CN101309150A (en) * | 2008-06-30 | 2008-11-19 | 华为技术有限公司 | Distributed service attack refusing defense method, apparatus and system |
CN102111394A (en) * | 2009-12-28 | 2011-06-29 | 成都市华为赛门铁克科技有限公司 | Network attack protection method, equipment and system |
Cited By (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106899580A (en) * | 2017-02-10 | 2017-06-27 | 杭州迪普科技股份有限公司 | A kind of flow cleaning method and device |
CN108737344A (en) * | 2017-04-20 | 2018-11-02 | 腾讯科技(深圳)有限公司 | A kind of network attack protection method and device |
CN107547507B (en) * | 2017-06-27 | 2021-07-09 | 新华三技术有限公司 | Anti-attack method and device, router equipment and machine readable storage medium |
CN107547507A (en) * | 2017-06-27 | 2018-01-05 | 新华三技术有限公司 | A kind of anti-attack method, device, router device and machinable medium |
CN109756456A (en) * | 2017-11-06 | 2019-05-14 | 中兴通讯股份有限公司 | A kind of method, the network equipment and readable storage medium storing program for executing improving network equipment safety |
CN109756456B (en) * | 2017-11-06 | 2021-12-03 | 中兴通讯股份有限公司 | Method for improving network equipment safety, network equipment and readable storage medium |
CN108449314A (en) * | 2018-02-02 | 2018-08-24 | 杭州迪普科技股份有限公司 | A kind of flow lead method and apparatus |
CN108449314B (en) * | 2018-02-02 | 2020-12-29 | 杭州迪普科技股份有限公司 | Flow traction method and device |
CN109040141A (en) * | 2018-10-17 | 2018-12-18 | 腾讯科技(深圳)有限公司 | Detection method, device, computer equipment and the storage medium of abnormal flow |
CN109040141B (en) * | 2018-10-17 | 2019-11-12 | 腾讯科技(深圳)有限公司 | Detection method, device, computer equipment and the storage medium of abnormal flow |
CN110430226A (en) * | 2019-09-16 | 2019-11-08 | 腾讯科技(深圳)有限公司 | Network attack detecting method, device, computer equipment and storage medium |
CN110430226B (en) * | 2019-09-16 | 2021-08-17 | 腾讯科技(深圳)有限公司 | Network attack detection method and device, computer equipment and storage medium |
CN111031054A (en) * | 2019-12-19 | 2020-04-17 | 紫光云(南京)数字技术有限公司 | CC protection method |
WO2022057647A1 (en) * | 2020-09-15 | 2022-03-24 | 华为技术有限公司 | Packet processing method, system, and device |
CN112118271A (en) * | 2020-10-29 | 2020-12-22 | 杭州迪普科技股份有限公司 | Flow cleaning method, device, equipment and computer readable storage medium |
CN112565308B (en) * | 2021-02-26 | 2021-05-18 | 北京邮电大学 | Malicious application detection method, device, equipment and medium based on network traffic |
CN112565308A (en) * | 2021-02-26 | 2021-03-26 | 北京邮电大学 | Malicious application detection method, device, equipment and medium based on network traffic |
Also Published As
Publication number | Publication date |
---|---|
CN105991637B (en) | 2019-06-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105991637A (en) | Network attack protection method and network attack protection device | |
KR100609170B1 (en) | system of network security and working method thereof | |
CN105681353B (en) | Defend the method and device of port scan invasion | |
CN108040057B (en) | Working method of SDN system suitable for guaranteeing network security and network communication quality | |
KR101070614B1 (en) | Malicious traffic isolation system using botnet infomation and malicious traffic isolation method using botnet infomation | |
US8634717B2 (en) | DDoS attack detection and defense apparatus and method using packet data | |
US20110035801A1 (en) | Method, network device, and network system for defending distributed denial of service attack | |
CN102263788B (en) | Method and equipment for defending against denial of service (DDoS) attack to multi-service system | |
US20090300759A1 (en) | Attack prevention techniques | |
JP4768020B2 (en) | Method of defending against DoS attack by target victim self-identification and control in IP network | |
CN113228591B (en) | Methods, systems, and computer readable media for dynamically remediating security system entities | |
Nawrocki et al. | Down the black hole: dismantling operational practices of BGP blackholing at IXPs | |
CN110166480B (en) | Data packet analysis method and device | |
CN1725709A (en) | Method of linking network equipment and invading detection system | |
CN107733878A (en) | A kind of safety device of industrial control system | |
JP2005184792A (en) | Band control device, band control method, and program | |
CN100502356C (en) | Multilevel aggregation-based abnormal flow control method and system | |
CN107018116B (en) | Method, device and server for monitoring network traffic | |
JP2005210601A (en) | Intrusion detector | |
KR100733830B1 (en) | DDoS Detection and Packet Filtering Scheme | |
JP2008219149A (en) | Traffic control system and traffic control method | |
JP2006067078A (en) | Network system and attack defense method | |
JP2006164038A (en) | Method for coping with dos attack or ddos attack, network device and analysis device | |
Dressler et al. | Attack detection using cooperating autonomous detection systems (CATS) | |
JP4322179B2 (en) | Denial of service attack prevention method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information | Address after: Binjiang District, Hangzhou, Zhejiang Province, 310051, Road No. 68, 6th floor. Applicant after: Hangzhou Dipu Polytron Technologies Inc. Address before: Binjiang District, Hangzhou, Zhejiang Province, 310051, Road No. 68, 6th floor. Applicant before: Hangzhou Dipu Technology Co., Ltd. |
GR01 | Patent grant | ||