CN105991637A - Network attack protection method and network attack protection device - Google Patents


Info

Publication number
CN105991637A
Authority
CN
China
Prior art keywords
message
flow
attack
session characteristics
network device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201510330425.3A
Other languages
Chinese (zh)
Other versions
CN105991637B (en)
Inventor
邢涛
杨学良
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN201510330425.3A
Publication of CN105991637A
Application granted
Publication of CN105991637B
Legal status: Active

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 47/00 Traffic control in data switching networks
            • H04L 47/10 Flow control; Congestion control
              • H04L 47/12 Avoiding congestion; Recovering from congestion
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
              • H04L 63/0227 Filtering policies
                • H04L 63/0245 Filtering by information in the payload
            • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L 63/1441 Countermeasures against malicious traffic
                • H04L 63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a network attack protection method and a network attack protection device, applied to traffic cleaning equipment. The method includes the following steps: a first filter notice sent by traffic detection equipment is received, the first filter notice containing the session features of a first class of attack packets, the first class of attack packets being packets whose traffic is greater than a first threshold; and upstream network equipment is instructed to filter a first class of target packets matching the session features, where packets arrive at the ingress network equipment through the upstream network equipment. With the method and device provided by the embodiments of the invention, a specified class of attack packets can be filtered by their session features, which improves the accuracy of packet filtering; and the attack packets are filtered at the upstream network equipment, so they cannot reach the ingress network equipment, ingress bandwidth congestion is avoided, the server's external services are not interrupted, and user experience is improved.

Description

Network attack protection method and device
Technical field
The present invention relates to network security technology, and in particular to a network attack protection method and device.
Background technology
DoS (Denial of Service) attacks use a large number of service requests to exhaust the system resources of a network so that the network can no longer process legitimate packets. With the rise of botnets, and because DoS attacks are simple to launch, have a large impact and are hard to trace, DDoS (Distributed Denial of Service) attacks have grown rapidly and are increasingly rampant: a botnet made up of thousands of hosts provides the bandwidth and hosts a DDoS attack needs and generates a huge volume of attack packets, causing great harm to the network.
To reduce the harm of DDoS attacks, the related art deploys dedicated traffic cleaning equipment, in-line or in bypass mode, at the ingress network device of the network (for example the ingress router or switch) to filter attack packets. However, this traffic cleaning scheme filters attack packets at the ingress network device. When the traffic of the attack packets is below the ingress bandwidth of the ingress network device, it cleans well; but when the attack traffic reaches or exceeds the ingress bandwidth, the ingress bandwidth becomes severely congested, and relying solely on the cleaning equipment can no longer clean the attack traffic effectively. The ingress bandwidth stays congested, the server's external services are ultimately interrupted, and user experience suffers.
Summary of the invention
In view of this, the present invention provides a network attack protection method and device, to solve the problem that when the traffic of attack packets is greater than or equal to the ingress bandwidth, severe congestion of the ingress bandwidth interrupts the server's external services, and to improve user experience.
Specifically, the present invention is achieved through the following technical solutions:
The present invention provides a network attack protection method, applied to a traffic cleaning device, the method comprising:
receiving a first filter notice sent by a traffic detection device, the first filter notice containing the session features of first-class attack packets, where first-class attack packets are packets whose traffic exceeds a first threshold;
instructing an upstream network device to filter first-class target packets matching the session features, where packets reach the ingress network device via the upstream network device.
The present invention provides another network attack protection method, applied to a traffic detection device, the method comprising:
detecting, according to the session features of packets, the traffic of each class of packets sent to the ingress network device;
when the traffic of any class of packets exceeds a first threshold, confirming that such packets are first-class attack packets;
sending a first filter notice to a traffic cleaning device, the first filter notice containing the session features of the first-class attack packets, so that the traffic cleaning device instructs an upstream network device to filter first-class target packets matching the session features, where packets reach the ingress network device via the upstream network device.
The present invention also provides a network attack protection device, applied to a traffic cleaning device, the protection device comprising:
a receiving unit, configured to receive a first filter notice sent by a traffic detection device, the first filter notice containing the session features of first-class attack packets, where first-class attack packets are packets whose traffic exceeds a first threshold;
an execution unit, configured to instruct an upstream network device to filter first-class target packets matching the session features, where packets reach the ingress network device via the upstream network device.
The present invention also provides another network attack protection device, applied to a traffic detection device, the protection device comprising:
a detection unit, configured to detect, according to the session features of packets, the traffic of each class of packets sent to the ingress network device;
a confirmation unit, configured to confirm, when the traffic of any class of packets exceeds a first threshold, that such packets are first-class attack packets;
a sending unit, configured to send a first filter notice to a traffic cleaning device, the first filter notice containing the session features of the first-class attack packets, so that the traffic cleaning device instructs an upstream network device to filter first-class target packets matching the session features, where packets reach the ingress network device via the upstream network device.
By applying the embodiments of the present invention, attack packets of a specified type can be filtered by their session features, which improves the accuracy of packet filtering; and the attack packets are filtered at the upstream network device so that they cannot reach the ingress network device, which avoids ingress bandwidth congestion, ensures that the server's external services are not interrupted, and improves user experience.
Brief description of the drawings
Fig. 1 is a flow diagram of a network attack protection method according to an exemplary embodiment of the present invention;
Fig. 2 is a flow diagram of another network attack protection method according to an exemplary embodiment of the present invention;
Fig. 3 is a flow diagram of another network attack protection method according to an exemplary embodiment of the present invention;
Fig. 4 is a schematic diagram of an application scenario of the embodiment shown in Fig. 3;
Fig. 5 is a flow diagram of another network attack protection method according to an exemplary embodiment of the present invention;
Fig. 6 is a schematic diagram of an application scenario of the embodiment shown in Fig. 5;
Fig. 7 is a schematic diagram of the hardware structure of a network attack protection device according to an exemplary embodiment of the present invention;
Fig. 8 is a structural block diagram of a network attack protection device according to an exemplary embodiment of the present invention;
Fig. 9 is a structural block diagram of another network attack protection device according to an exemplary embodiment of the present invention.
Detailed description of the invention
Exemplary embodiments will be described in detail here, examples of which are shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention; rather, they are merely examples of apparatus and methods consistent with some aspects of the present invention as detailed in the appended claims.
The terminology used in the present invention is for the purpose of describing particular embodiments only and is not intended to limit the present invention. The singular forms "a", "said" and "the" used in the present invention and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the present invention to describe various information, such information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the present invention, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
In the embodiments of the present invention, packets in the network flow through the upstream network device to the ingress network device. The traffic detection device performs traffic detection in real time on the packets sent to the ingress network device according to their session features; when the traffic of any class of packets exceeds a first threshold, it confirms that such packets are first-class attack packets and sends a first filter notice, containing the session features of the first-class attack packets, to the traffic cleaning device. After receiving the first filter notice, the traffic cleaning device instructs the upstream network device, according to the session features in the notice, to filter the first-class target packets matching those session features, thereby preventing such packets from entering the ingress network device, effectively avoiding ingress bandwidth congestion, and ensuring that the server's external services are not interrupted.
The network attack protection method and device provided by the present invention are described in detail below with reference to Fig. 1 to Fig. 9.
Fig. 1 is a flow diagram of a network attack protection method according to an exemplary embodiment of the present invention. As shown in Fig. 1, the network attack protection method is applied to a traffic cleaning device and comprises the following steps:
Step 101: receive a first filter notice sent by the traffic detection device, where the first filter notice contains the session features of first-class attack packets, and first-class attack packets are packets whose traffic exceeds a first threshold.
In this step, the session features comprise one or more items of the packet's five-tuple; for example, the session features include, but are not limited to, the source IP address, the destination IP address, the combination of source IP address and source port, or the combination of destination IP address and destination port.
Step 102: instruct the upstream network device to filter first-class target packets matching the session features, where packets reach the ingress network device via the upstream network device.
In this step, according to an alternative embodiment of the present invention, when the upstream network device is configured with an ACL (Access Control List) interface, the traffic cleaning device can generate a first ACL command from the received session features of the first-class attack packets and send the first ACL command to the upstream network device through the ACL interface. On receiving the first ACL command, the upstream network device adds the correspondence between the session features and the processing mode for matching packets (for example, filter) to a local ACL entry; when the session features of a packet flowing through the upstream network device match this ACL entry, the upstream network device filters the packet. For example, the traffic cleaning device generates a first ACL command from the destination IP address 1.1.1.1, and the entry the upstream network device generates from that command is shown in Table 1:
Table 1
Destination IP address    Processing mode
1.1.1.1                   Filter
According to the entry in Table 1, when the upstream network device receives a packet whose destination IP address is 1.1.1.1, it filters the packet according to this ACL entry, which prevents such packets from reaching the ingress network device and avoids ingress bandwidth congestion.
After the upstream network device has filtered packets matching the session features for some time, the traffic of the first-class attack packets may have fallen and may no longer be able to congest the ingress bandwidth, so filtering of such packets can stop. A first preset time can therefore be configured on the traffic cleaning device: after sending the first ACL command to the upstream network device, the traffic cleaning device starts a timer, and when the timer reaches the first preset time it sends a second ACL command to the upstream network device, instructing it to stop filtering the first-class target packets matching the session features. Specifically, the second ACL command may carry the session features of the first-class attack packets whose filtering is to stop; on receiving the second ACL command, the upstream network device deletes the ACL entry matching those session features and thereby stops filtering the corresponding packets.
The present invention also provides another preferred scheme. Specifically, when the traffic detection device determines that the current traffic of the packets matching the session features is below the first threshold, it can send an elimination notice to the traffic cleaning device; the traffic cleaning device then generates a third ACL command from the elimination notice and sends it to the upstream network device, instructing it to stop filtering packets matching the session features. The upstream network device handles the third ACL command in the same way as the second ACL command described above, which is not repeated here.
According to another alternative embodiment of the present invention, the first-class target packets matching the session features can also be filtered by a blackhole router. Specifically, the traffic cleaning device can generate dynamic routing information from the session features, in which the next hop for first-class target packets matching the session features is the blackhole router, and send this dynamic routing information to the upstream network device. The upstream network device adds the dynamic routing information to its local routing table and, on receiving a first-class target packet, forwards it to the blackhole router, which discards every such packet it receives. It should be noted that when the upstream network device is not configured with a corresponding API (Application Programming Interface) interface, the traffic cleaning device can forward the dynamic routing information to the upstream network device via the blackhole router; otherwise, it can send the dynamic routing information directly to the upstream network device through the API interface.
Further, a second preset time can be configured on the traffic cleaning device. After sending the dynamic routing information to the upstream network device, the traffic cleaning device starts a timer; when the timer reaches the second preset time, the traffic cleaning device sends a route deletion notice to the upstream network device, which deletes the route entry from its local routing table and thereby stops filtering the first-class attack packets. With this preferred embodiment, the next hop for packets sent to the ingress network device reverts to the destination device or destination server of those packets.
On the basis of the above embodiment, if the traffic detection device detects that the traffic of a class of packets is below the first threshold but above a second threshold, it can confirm that such packets are second-class attack packets and send a second filter notice, containing the session features of the second-class attack packets, to the traffic cleaning device. After receiving the second filter notice, the traffic cleaning device filters such packets according to the session features in the notice and preset filtering rules, where the preset filtering rules include, but are not limited to, a rate-limiting protection method, a TCP-state protection method, a black-and-white-list protection method, an application-layer protection method and a fingerprint-recognition protection method. Taking the fingerprint-recognition protection method as an example: after receiving packets, the traffic cleaning device extracts their lengths, stores the packet length field in discretised form, periodically counts the lengths of the packets currently being sent to the ingress network device and builds a distribution model; when a second-class attack on the ingress network device occurs, the distribution of the fingerprint feature of the packets causing the attack fluctuates and exceeds the offset of the distribution model, so the packets can be filtered according to this fingerprint feature. Details can be found in the related art and are not repeated here.
With the above embodiment, the upstream network device filters packets of a specified type by matching session features, which improves the accuracy of filtering attack packets; moreover, attack packets matching the session features are discarded before they reach the ingress network device, ensuring that the ingress bandwidth is not congested.
Fig. 2 is a flow diagram of another network attack protection method according to an exemplary embodiment of the present invention. As shown in Fig. 2, the network attack protection method is applied to a traffic detection device and comprises the following steps:
Step 201: detect, according to the session features of packets, the traffic of each class of packets sent to the ingress network device.
In this step, the session features of a packet comprise one or more items of its five-tuple; for example, the session features may include, but are not limited to, the source IP address, the destination IP address, the combination of source IP address and source port, the combination of destination IP address and destination port, and so on.
The traffic detection device can obtain the packets sent to the ingress network device by port mirroring or optical splitting, and can detect the session features of the packets by, but not limited to, DPI (Deep Packet Inspection) or DFI (Deep/Dynamic Flow Inspection) technology; it classifies the packets by the session features so detected and counts the traffic of each class of packets.
Step 202: when the traffic of any class of packets exceeds the first threshold, confirm that such packets are first-class attack packets.
The user or network administrator can configure the first threshold on the traffic detection device in advance according to the historical traffic data of each class of packets. For example, the user configures a first threshold of 4GB for the combination of destination IP address 1.1.1.1 and destination port 53; when the traffic detection device's statistics show that the traffic of packets with destination IP address 1.1.1.1 and destination port 53 suddenly rises to 5GB, which exceeds the first threshold of 4GB, the traffic detection device can confirm that such packets are first-class attack packets.
Step 203: send a first filter notice to the traffic cleaning device, the first filter notice containing the session features of the first-class attack packets, so that the traffic cleaning device instructs the upstream network device to filter the first-class target packets matching the session features, where packets reach the ingress network device via the upstream network device.
In step 203, still taking the combination of destination port 53 and destination IP address 1.1.1.1 as the example, the traffic detection device sends destination port 53 and destination IP address 1.1.1.1 to the traffic cleaning device in the first filter notice; the traffic cleaning device generates a first ACL command from the first filter notice and instructs the upstream network device to discard or filter all packets with destination port 53 and destination IP address 1.1.1.1, so that such packets do not enter the ingress network device and congest the ingress bandwidth.
Further, when the traffic of the first-class attack packets falls below the first threshold, the traffic detection device can send an elimination notice to the traffic cleaning device, so that the traffic cleaning device instructs the upstream network device to stop filtering such packets; see step 102 in Fig. 1 for details, which are not repeated here.
Further, when the traffic detection device detects that the traffic of a class of packets is below the first threshold but above a second threshold, it can confirm that such packets are second-class attack packets and send a second filter notice to the traffic cleaning device, where the second filter notice may contain the session features of the second-class attack packets, so that the traffic cleaning device filters such packets according to those session features. For example, the user configures two thresholds for the combination of destination port 53 and destination IP address 1.1.1.1, a first threshold of 4GB and a second threshold of 2GB; when the traffic detection device detects that the traffic of this combination is 3GB, it sends destination port 53 and destination IP address 1.1.1.1 to the traffic cleaning device in a second filter notice, so that the traffic cleaning device filters the packets with destination port 53 and destination IP address 1.1.1.1 according to the preset filtering rules, which are described in detail in the embodiment shown in Fig. 1 and not repeated here.
With the above embodiment, packets can be classified by their session features and the traffic of each class counted, so that attack packets are located accurately and their session features are sent to the traffic cleaning device, improving the accuracy of filtering attack packets.
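The detection side of the Fig. 2 embodiment, written out as an added example that is not part of the patent: a small Python model in which DPI/DFI-style flow records (constructed here) are grouped by the session features "destination IP address plus destination port", the per-class traffic is compared with the first threshold (4GB) and second threshold (2GB) from the text, and the device emits the first filter notice, the second filter notice or the elimination notice. The record format, the notice format, the rule that an elimination notice is sent on any drop to a lower class, and the final 1GB interval are assumptions of the example.

```python
# Added example (not code from the patent): traffic-detection device of Fig. 2.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

GB = 1024 ** 3
SessionKey = Tuple[str, int]          # (destination IP address, destination port)


@dataclass(frozen=True)
class FlowRecord:
    """One DPI/DFI flow record (constructed format): five-tuple plus bytes in the interval."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int


@dataclass(frozen=True)
class Notice:
    kind: str            # "first_filter", "second_filter" or "eliminate"
    session: SessionKey  # session features carried in the notice


class TrafficDetector:
    """Counts traffic per session class and emits notices when a class changes."""

    def __init__(self, thresholds: Dict[SessionKey, Tuple[int, int]]):
        # thresholds[key] = (first_threshold, second_threshold), in bytes per interval
        self.thresholds = thresholds
        self.state: Dict[SessionKey, str] = {}   # last classification per key

    @staticmethod
    def session_key(rec: FlowRecord) -> SessionKey:
        # Session features used here: destination IP address + destination port.
        return (rec.dst_ip, rec.dst_port)

    def classify(self, key: SessionKey, volume: int) -> str:
        first, second = self.thresholds[key]
        if volume > first:
            return "first_class"     # above the first threshold
        if volume > second:
            return "second_class"    # between the second and the first threshold
        return "normal"

    def observe(self, records: List[FlowRecord]) -> List[Notice]:
        """Process one measurement interval and return the notices to send."""
        volume: Dict[SessionKey, int] = defaultdict(int)
        for rec in records:
            volume[self.session_key(rec)] += rec.nbytes
        notices: List[Notice] = []
        rank = {"normal": 0, "second_class": 1, "first_class": 2}
        for key in self.thresholds:
            new = self.classify(key, volume.get(key, 0))
            old = self.state.get(key, "normal")
            if new == old:
                continue
            # Assumption: any drop to a lower class sends an elimination notice, so the
            # cleaning device can withdraw the filtering it set up for the old class.
            if rank[new] < rank[old]:
                notices.append(Notice("eliminate", key))
            if new == "first_class":
                notices.append(Notice("first_filter", key))
            elif new == "second_class":
                notices.append(Notice("second_filter", key))
            self.state[key] = new
        return notices


def constructed_interval(dst_ip: str, dst_port: int, total: int, sources: int = 5) -> List[FlowRecord]:
    """Constructed sample input: `sources` bot hosts sending `total` bytes to one target."""
    share = total // sources
    return [FlowRecord(f"10.0.0.{i + 1}", 40000 + i, dst_ip, dst_port, "udp",
                       share if i < sources - 1 else total - share * (sources - 1))
            for i in range(sources)]


def run_page_scenario() -> List[List[str]]:
    """5GB and 3GB toward 1.1.1.1:53 as in the text, then a constructed 1GB interval."""
    det = TrafficDetector({("1.1.1.1", 53): (4 * GB, 2 * GB)})
    out = []
    for volume in (5 * GB, 3 * GB, 1 * GB):
        out.append([n.kind for n in det.observe(constructed_interval("1.1.1.1", 53, volume))])
    return out


if __name__ == "__main__":
    print(run_page_scenario())
    # [['first_filter'], ['eliminate', 'second_filter'], ['eliminate']]
```

Note that a volume exactly equal to the first threshold is not "greater than" it and is therefore classed as second-class here; the text leaves the equality case open, so an implementation should pick and document one side of it.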
Fig. 3 is a flow diagram of another network attack protection method according to an exemplary embodiment of the present invention. As shown in Fig. 3, this embodiment describes the network attack protection method of one embodiment of the present invention in detail through the interaction among three parties: the traffic detection device, the traffic cleaning device and the upstream network device:
Step 301: the traffic detection device obtains the packets sent to the ingress network device.
Step 302: the traffic detection device detects the traffic of each class of packets according to the session features of the packets.
Step 303: when the traffic of any class of packets exceeds the first threshold, confirm that such packets are first-class attack packets.
Step 304: the traffic detection device sends a first filter notice to the traffic cleaning device, where the first filter notice contains the session features of the first-class attack packets.
Step 305: the traffic cleaning device receives the first filter notice sent by the traffic detection device.
Step 306: the traffic cleaning device generates a first ACL command from the session features.
Step 307: the traffic cleaning device sends the first ACL command to the upstream network device.
Step 308: the upstream network device receives the first ACL command.
Step 309: the upstream network device generates an ACL entry from the first ACL command.
Step 310: when the upstream network device receives a packet, it judges whether the session features of the packet match the ACL entry; if they do, go to step 311.
Step 311: the upstream network device filters the packets matching the session features according to the ACL entry.
Fig. 4 is a schematic diagram of an application scenario of the embodiment shown in Fig. 3. As shown in Fig. 4, the scenario includes the upstream network device, the ingress network device, the traffic detection device and the traffic cleaning device; packets are sent to the ingress network device via the upstream network device and then enter the protected network through the ingress network device. In the embodiment of the present invention, the traffic detection device obtains the packets sent to the ingress network device by port mirroring or optical splitting and can detect the session features of the packets with DPI or similar technology, thereby classifying the packets and counting the traffic of each class. When the traffic detection device detects that the traffic of a class of packets exceeds the first threshold, it confirms that such packets are first-class attack packets and sends a first filter notice to the traffic cleaning device. After receiving the first filter notice, the traffic cleaning device generates a first ACL command from the session features in the notice and sends it to the upstream network device, which generates an ACL entry from the first ACL command. When the session features of a packet match this ACL entry, the upstream network device filters the packet, preventing it from reaching the ingress network device, avoiding severe congestion of the ingress network device, ensuring that the server's external services are not interrupted, and improving user experience.
Fig. 5 is a schematic flow diagram of another network attack protection method shown in an exemplary embodiment of the present invention. As shown in Fig. 5, this embodiment describes in detail the network attack protection method of another embodiment of the present invention through the interaction of the traffic detection device, the traffic scrubbing device, the upstream network device and a black hole router:
Step 301: the traffic detection device obtains the packets sent to the ingress network device.
Step 302: the traffic detection device detects the traffic of each class of packets according to the session features of the packets.
Step 303: when the traffic of any class of packets exceeds the first threshold, the traffic detection device confirms that this class of packets is a first-type attack packet.
Step 304: the traffic detection device sends a first filtering notification to the traffic scrubbing device, where the first filtering notification includes the session feature of the first-type attack packet.
Step 305: the traffic scrubbing device receives the first filtering notification sent by the traffic detection device.
Step 312: the traffic scrubbing device generates dynamic routing information according to the session feature, where in this dynamic routing information the next hop of packets matching the session feature is the black hole router.
Step 313: the traffic scrubbing device sends the dynamic routing information to the upstream network device.
Step 314: the upstream network device receives the dynamic routing information.
Step 315: when the upstream network device receives a packet, it judges whether the packet's session feature matches a routing table entry; if it does, step 316 is performed.
Step 316: the upstream network device sends the packet to the black hole router.
Step 317: the black hole router filters the packet sent by the upstream network device.
Fig. 6 is a schematic diagram of an application scenario of the embodiment shown in Fig. 5. As shown in Fig. 6, unlike the embodiment shown in Fig. 4, the present embodiment adds a black hole router on top of the embodiment of Fig. 4. Specifically, the traffic scrubbing device generates dynamic routing information according to the session feature in the first filtering notification, where the next hop of packets matching the session feature is the black hole router, and sends this dynamic routing information to the upstream network device. The upstream network device can add the dynamic routing information to its local routing table; when it receives a packet whose session feature matches the routing table entry, it forwards the packet to the black hole router, and the black hole router filters the packet after receiving it, so that the packet cannot enter the ingress network device. It should be noted that when the traffic scrubbing device forwards dynamic routing information to the upstream network device, it can choose different forwarding paths according to the configuration of the upstream network device. For example, when the upstream network device is not configured with a corresponding API interface, the traffic scrubbing device can forward the dynamic routing information to the black hole router, which then forwards it to the upstream network device; conversely, if the upstream network device is configured with a corresponding API interface, the traffic scrubbing device can send the dynamic routing information directly to the upstream network device. The present invention is not limited in this regard.
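The loop described for Fig. 3 to Fig. 6, simulated end to end in one process as an added example (not code from the patent or from the applicant): a detection device classifies mirrored packets by session feature and adds up the volume of each class, a scrubbing device turns a first filtering notification into either a first ACL command or a dynamic black hole route, and an upstream device applies whichever it received before forwarding. The session-feature tuple (protocol, destination IP, destination port), the byte thresholds, the class and function names and the sample traffic window are all assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed session feature: (protocol, destination IP, destination port).
# The patent does not fix the fields; it names DPI as one way to extract them.
SessionKey = Tuple[str, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    size: int  # bytes


def session_feature(pkt: Packet) -> SessionKey:
    return (pkt.proto, pkt.dst, pkt.dport)


class TrafficDetector:
    """Traffic detection device: classifies mirrored packets by session feature,
    sums the volume per class and compares it with both thresholds (steps 301-303)."""

    def __init__(self, first_threshold: int, second_threshold: int) -> None:
        assert first_threshold > second_threshold
        self.first_threshold = first_threshold
        self.second_threshold = second_threshold

    def per_class_volume(self, mirrored: List[Packet]) -> Dict[SessionKey, int]:
        volume: Counter = Counter()
        for pkt in mirrored:
            volume[session_feature(pkt)] += pkt.size
        return dict(volume)

    def detect(self, mirrored: List[Packet]) -> Tuple[List[SessionKey], List[SessionKey]]:
        """Return (first filtering notifications, second filtering notifications):
        classes above the first threshold, and classes between the two thresholds."""
        first: List[SessionKey] = []
        second: List[SessionKey] = []
        for key, vol in self.per_class_volume(mirrored).items():
            if vol > self.first_threshold:
                first.append(key)
            elif vol > self.second_threshold:
                second.append(key)
        return first, second


class ScrubbingDevice:
    """Traffic scrubbing device: turns a first filtering notification into a
    first ACL command (Fig. 3/4) or a dynamic black hole route (Fig. 5/6)."""

    def __init__(self, mode: str) -> None:
        assert mode in ("acl", "blackhole")
        self.mode = mode

    def on_first_filter_notification(self, key: SessionKey) -> dict:
        if self.mode == "acl":
            return {"kind": "acl", "match": key, "action": "deny"}
        return {"kind": "route", "match": key, "next_hop": "blackhole-router"}


class UpstreamDevice:
    """Upstream network device: an ACL and a routing table keyed by session
    feature (a simplification; a real router matches routes on prefixes)."""

    def __init__(self) -> None:
        self.acl: List[SessionKey] = []
        self.routes: Dict[SessionKey, str] = {}

    def install(self, cmd: dict) -> None:
        if cmd["kind"] == "acl":
            self.acl.append(cmd["match"])                # step 309: ACL entry
        else:
            self.routes[cmd["match"]] = cmd["next_hop"]  # step 314: route into local table

    def forward(self, pkt: Packet) -> str:
        key = session_feature(pkt)
        if key in self.acl:                              # steps 310/311
            return "dropped-by-acl"
        if self.routes.get(key) == "blackhole-router":   # steps 315/316
            return "sent-to-blackhole"
        return "delivered-to-ingress"


def constructed_traffic() -> List[Packet]:
    """Constructed sample window: 200 packets of one high-volume class aimed at
    the protected server, plus 20 packets of ordinary traffic to another service."""
    heavy = [Packet("udp", f"198.51.100.{i % 50}", "203.0.113.10", 53, 1200) for i in range(200)]
    normal = [Packet("tcp", "192.0.2.7", "203.0.113.20", 443, 600) for _ in range(20)]
    return heavy + normal


def run_scenario(mode: str) -> Dict[str, int]:
    """Mirror one window to the detector, let the scrubber instruct the upstream
    device, then replay the window through the upstream device and count outcomes."""
    traffic = constructed_traffic()
    detector = TrafficDetector(first_threshold=100_000, second_threshold=20_000)
    scrubber = ScrubbingDevice(mode)
    upstream = UpstreamDevice()
    first, _second = detector.detect(traffic)
    for key in first:
        upstream.install(scrubber.on_first_filter_notification(key))
    return dict(Counter(upstream.forward(p) for p in traffic))
```

In the constructed window the high-volume class totals 240,000 bytes, above the first threshold, while the ordinary class totals 12,000 bytes, below the second threshold, so only the first class produces a notification; in ACL mode the upstream device drops it at the ACL entry, in black hole mode it forwards it to the black hole router, and in both modes the ordinary traffic still reaches the ingress device.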
It should be noted that in embodiments of the present invention, in addition to the traffic detection device and the traffic scrubbing device, a management platform can also be included. When the abnormal traffic scrubbing system includes a management platform, information such as related instructions, commands or notifications between the traffic detection device and the traffic scrubbing device can all be transmitted through the management platform; for example, the traffic detection device can send the first filtering notification, the clear notification, the second filtering notification and the route deletion notification to the traffic scrubbing device through the management platform.
Furthermore, a preset time can also be set in the management platform. After the traffic scrubbing device sends the first ACL command or the dynamic routing information to the upstream network device, the management platform can start a timer; when the timer expires, it notifies the traffic scrubbing device, so that the traffic scrubbing device instructs the upstream network device to stop filtering the packets that caused the first-type attack.
The management platform can also be used to store the attack alarm logs that the traffic detection device sends when it detects that the traffic of any class of packets exceeds the first threshold, or is below the first threshold and above the second threshold, as well as the cleaning logs sent by the traffic scrubbing device. The attack alarm log can include, but is not limited to, information such as the traffic before the attack, the traffic after cleaning and the size of the attack traffic. The management platform can analyze this information and generate a detailed report, making it easy for the user to understand the network traffic situation, and the first threshold and second threshold can also be set according to the historical traffic data in this report.
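The management-platform duties described in the three paragraphs above (relaying notifications, the preset-time timer, the clear notification, second-type handling and the alarm and cleaning logs), as an added example rather than code from the patent. The class, field and action names are hypothetical, and the threshold-suggestion heuristic is my own assumption: the text only says the thresholds can be set from the historical data in the report and gives no formula.

```python
import statistics
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed session feature: (protocol, destination IP, destination port).
SessionKey = Tuple[str, str, int]


@dataclass
class ActiveFilter:
    key: SessionKey
    installed_at: int  # seconds since the start of the constructed timeline


@dataclass
class ManagementPlatform:
    first_threshold: int   # bytes per window
    second_threshold: int
    preset_time: int       # seconds a first-type filter stays installed before the timer fires
    active: Dict[SessionKey, ActiveFilter] = field(default_factory=dict)
    attack_alarm_log: List[dict] = field(default_factory=list)
    cleaning_log: List[dict] = field(default_factory=list)

    def on_detection_sample(self, now: int, key: SessionKey, volume: int) -> List[str]:
        """Relay one per-class volume report from the detection device and
        return, in order, the actions the scrubbing device must take."""
        actions: List[str] = []
        if volume > self.first_threshold:
            # first filtering notification: log the alarm, install the filter only once
            self.attack_alarm_log.append({"t": now, "key": key, "volume": volume, "level": "first"})
            if key not in self.active:
                self.active[key] = ActiveFilter(key, now)
                actions.append("install-first-filter")
            return actions
        if key in self.active:
            # clear notification (claim 9): the class dropped back below the first threshold
            del self.active[key]
            self.cleaning_log.append({"t": now, "key": key, "reason": "clear-notification"})
            actions.append("stop-first-filter")
        if volume > self.second_threshold:
            # second filtering notification (claims 7 and 10): the scrubbing device applies
            # its preset filtering rule itself; the upstream device is not involved
            self.attack_alarm_log.append({"t": now, "key": key, "volume": volume, "level": "second"})
            actions.append("scrub-second-class")
        return actions

    def tick(self, now: int) -> List[SessionKey]:
        """Preset-time timer (claims 3 and 6): expire filters installed for
        preset_time or longer and record a cleaning log entry for each."""
        expired = [k for k, f in self.active.items() if now - f.installed_at >= self.preset_time]
        for k in expired:
            del self.active[k]
            self.cleaning_log.append({"t": now, "key": k, "reason": "preset-time-expired"})
        return expired


def suggest_thresholds(history: List[int], first_factor: float = 5.0,
                       second_factor: float = 2.0) -> Tuple[int, int]:
    """Assumed heuristic, not the patent's: derive (first, second) thresholds
    from the historical per-class volumes in the report as median * factor."""
    base = statistics.median(history)
    return int(base * first_factor), int(base * second_factor)


def run_timeline() -> List[List[str]]:
    """Constructed volume samples for one class: quiet, attack, attack,
    partial subsidence (between the thresholds), quiet."""
    mp = ManagementPlatform(first_threshold=100_000, second_threshold=20_000, preset_time=60)
    key: SessionKey = ("udp", "203.0.113.10", 53)
    samples = [(0, 10_000), (10, 150_000), (20, 160_000), (30, 60_000), (40, 5_000)]
    return [mp.on_detection_sample(t, key, v) for t, v in samples]


def run_timer() -> Tuple[List[SessionKey], List[SessionKey]]:
    """A filter installed at t=10 with preset time 60: tick(50) expires nothing,
    tick(70) expires it."""
    mp = ManagementPlatform(first_threshold=100_000, second_threshold=20_000, preset_time=60)
    key: SessionKey = ("udp", "203.0.113.10", 53)
    mp.on_detection_sample(10, key, 150_000)
    return mp.tick(50), mp.tick(70)
```

The timeline shows the two ways a first-type filter ends: the detection device reporting the class back under the first threshold (the clear notification, which may coincide with a second filtering notification when the class settles between the thresholds) and the platform's own timer firing; both leave a cleaning log entry that the report can later draw on.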
By applying the above embodiments, attack packets of a specified type can be filtered by session feature, which improves the accuracy of packet filtering, and the attack packets are filtered at the upstream network device so that they cannot reach the ingress network device. This avoids congestion of the ingress bandwidth, ensures that the server's external service is not interrupted, and improves the user experience.
Corresponding to the foregoing embodiments of the network attack protection method, the present invention also provides embodiments of a network attack protection device.
The embodiments of the network attack protection device 400 of the present invention can be applied on the traffic scrubbing device and on the traffic detection device respectively. The device embodiments can be implemented by software, or by hardware or a combination of software and hardware. Taking software implementation as an example, the device in the logical sense is formed by the processor of the equipment in which it is located reading the corresponding computer program instructions from non-volatile memory into memory and running them. From the hardware perspective, Fig. 7 is a hardware structure diagram of the equipment in which the network attack protection device 400 of the present invention is located; besides the processor, memory, network interface and non-volatile memory shown in Fig. 7, the equipment in which the network attack protection device 400 of the embodiment is located can generally also include other hardware according to the actual function of that equipment, which is not described again here.
Fig. 8 is a structural block diagram of a network attack protection device shown in an exemplary embodiment of the present invention. As shown in Fig. 8, a network attack protection device 400 is applied on the traffic scrubbing device and includes a receiving unit 401 and an execution unit 402.
The receiving unit 401 is configured to receive the first filtering notification sent by the traffic detection device, where the first filtering notification includes the session feature of the first-type attack packet, and the first-type attack packet is a packet whose traffic exceeds the first threshold; the execution unit 402 is configured to instruct the upstream network device to filter the first-type target packets matching the session feature, where packets reach the ingress network device through the upstream network device.
Fig. 9 is a structural block diagram of another network attack protection device shown in an exemplary embodiment of the present invention. As shown in Fig. 9, a network attack protection device 400 is applied on the traffic detection device and includes a detection unit 501, a confirmation unit 502 and a sending unit 503.
The detection unit 501 is configured to detect, according to the session features of packets, the traffic of each class of packets sent to the ingress network device.
The confirmation unit 502 is configured to confirm, when the traffic of any class of packets exceeds the first threshold, that this class of packets is a first-type attack packet.
The sending unit 503 is configured to send a first filtering notification to the traffic scrubbing device, where the first filtering notification includes the session feature of the first-type attack packet, so that the traffic scrubbing device instructs the upstream network device to filter the first-type target packets matching the session feature, where packets reach the ingress network device through the upstream network device.
For the implementation process of the functions and roles of each unit in the above device, refer to the implementation process of the corresponding steps in the above method, which is not repeated here.
Since the device embodiments basically correspond to the method embodiments, refer to the description of the method embodiments for the relevant parts. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of the present invention. Those of ordinary skill in the art can understand and implement it without creative effort.
The foregoing is merely the preferred embodiments of the present invention and is not intended to limit the present invention. Any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (12)

1. A network attack protection method, characterized in that it is applied on a traffic scrubbing device and comprises:
receiving a first filtering notification sent by a traffic detection device, the first filtering notification including the session feature of a first-type attack packet, the first-type attack packet being a packet whose traffic exceeds a first threshold;
instructing an upstream network device to filter first-type target packets matching the session feature, wherein packets reach an ingress network device through the upstream network device.
2. The method according to claim 1, characterized in that the instructing the upstream network device to filter the first-type target packets matching the session feature comprises:
generating a first ACL command according to the session feature and sending it to the upstream network device, so as to instruct the upstream network device to filter, according to the first ACL command, the first-type target packets matching the session feature.
3. The method according to claim 2, characterized in that after sending the first ACL command to the upstream network device, the method further comprises:
when a first preset time is reached, sending a second ACL command to the upstream network device, so as to instruct the upstream network device to stop filtering the first-type target packets matching the session feature.
4. The method according to claim 2, characterized in that after sending the first ACL command to the upstream network device, the method further comprises:
receiving a clear notification sent by the traffic detection device;
generating a third ACL command according to the clear notification and sending it to the upstream network device, so as to instruct the upstream network device to stop filtering the first-type target packets matching the session feature.
5. The method according to claim 1, characterized in that the instructing the upstream network device to filter the first-type target packets matching the session feature comprises:
generating dynamic routing information based on the session feature, wherein in the dynamic routing information the next hop of the first-type target packets matching the session feature is a black hole router;
sending the dynamic routing information to the upstream network device.
6. The method according to claim 5, characterized in that after sending the dynamic routing information to the upstream network device, the method further comprises:
when a second preset time is reached, sending a route deletion notification to the upstream network device, so as to instruct the upstream network device to delete the dynamic routing information.
7. The method according to claim 1, characterized in that the method further comprises:
receiving a second filtering notification sent by the traffic detection device, the second filtering notification including the session feature of a second-type attack packet, the second-type attack packet being a packet whose traffic is below the first threshold and above a second threshold;
filtering, according to the session feature and a preset filtering rule, the packets whose traffic is below the first threshold and above the second threshold.
8. A network attack protection method, characterized in that it is applied on a traffic detection device and comprises:
detecting, according to the session features of packets, the traffic of each class of packets sent to an ingress network device;
when the traffic of any class of packets exceeds a first threshold, confirming that this class of packets is a first-type attack packet;
sending a first filtering notification to a traffic scrubbing device, the first filtering notification including the session feature of the first-type attack packet, so that the traffic scrubbing device instructs an upstream network device to filter first-type target packets matching the session feature, wherein packets reach the ingress network device through the upstream network device.
9. The method according to claim 8, characterized in that after sending the first filtering notification to the traffic scrubbing device, the method further comprises:
when the traffic of the first-type attack packet falls below the first threshold, sending a clear notification to the traffic scrubbing device, so that the traffic scrubbing device instructs the upstream network device to stop filtering the first-type target packets matching the session feature.
10. The method according to claim 8, characterized in that the method further comprises:
when the traffic of any class of packets exceeds a second threshold and is below the first threshold, confirming that this class of packets is a second-type attack packet;
sending a second filtering notification to the traffic scrubbing device, the second filtering notification including the session feature of the second-type attack packet, so that the traffic scrubbing device filters second-type target packets according to the session feature.
11. A network attack protection device, characterized in that it is applied on a traffic scrubbing device and comprises:
a receiving unit, configured to receive a first filtering notification sent by a traffic detection device, the first filtering notification including the session feature of a first-type attack packet, the first-type attack packet being a packet whose traffic exceeds a first threshold;
an execution unit, configured to instruct an upstream network device to filter first-type target packets matching the session feature, wherein packets reach an ingress network device through the upstream network device.
12. A network attack protection device, characterized in that it is applied on a traffic detection device and comprises:
a detection unit, configured to detect, according to the session features of packets, the traffic of each class of packets sent to an ingress network device;
a confirmation unit, configured to confirm, when the traffic of any class of packets exceeds a first threshold, that this class of packets is a first-type attack packet;
a sending unit, configured to send a first filtering notification to a traffic scrubbing device, the first filtering notification including the session feature of the first-type attack packet, so that the traffic scrubbing device instructs an upstream network device to filter first-type target packets matching the session feature, wherein packets reach the ingress network device through the upstream network device.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510330425.3A CN105991637B (en) 2015-06-15 2015-06-15 Network attack protection method and device

Publications (2)

Publication Number Publication Date
CN105991637A true CN105991637A (en) 2016-10-05
CN105991637B CN105991637B (en) 2019-06-07

Family

ID=57040006

Country Status (1)

Country Link
CN (1) CN105991637B (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003005666A2 (en) * 2001-07-03 2003-01-16 Intel Corporation An apparatus and method for secure, automated response to distributed denial of service attacks
US20030014665A1 (en) * 2001-07-03 2003-01-16 Anderson Todd A. Apparatus and method for secure, automated response to distributed denial of service attacks
CN1640090A (en) * 2001-07-03 2005-07-13 英特尔公司 An apparatus and method for secure, automated response to distributed denial of service attacks
CN101136922A (en) * 2007-04-28 2008-03-05 华为技术有限公司 Service stream recognizing method, device and distributed refusal service attack defending method, system
CN101309150A (en) * 2008-06-30 2008-11-19 华为技术有限公司 Distributed service attack refusing defense method, apparatus and system
CN102111394A (en) * 2009-12-28 2011-06-29 成都市华为赛门铁克科技有限公司 Network attack protection method, equipment and system

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106899580A (en) * 2017-02-10 2017-06-27 杭州迪普科技股份有限公司 Traffic cleaning method and device
CN108737344A (en) * 2017-04-20 2018-11-02 腾讯科技(深圳)有限公司 Network attack protection method and device
CN107547507B (en) * 2017-06-27 2021-07-09 新华三技术有限公司 Anti-attack method and device, router equipment and machine readable storage medium
CN107547507A (en) * 2017-06-27 2018-01-05 新华三技术有限公司 Anti-attack method and device, router device and machine-readable storage medium
CN109756456A (en) * 2017-11-06 2019-05-14 中兴通讯股份有限公司 Method for improving network device security, network device and readable storage medium
CN109756456B (en) * 2017-11-06 2021-12-03 中兴通讯股份有限公司 Method for improving network equipment safety, network equipment and readable storage medium
CN108449314A (en) * 2018-02-02 2018-08-24 杭州迪普科技股份有限公司 Traffic diversion method and apparatus
CN108449314B (en) * 2018-02-02 2020-12-29 杭州迪普科技股份有限公司 Flow traction method and device
CN109040141A (en) * 2018-10-17 2018-12-18 腾讯科技(深圳)有限公司 Abnormal traffic detection method, device, computer device and storage medium
CN109040141B (en) * 2018-10-17 2019-11-12 腾讯科技(深圳)有限公司 Abnormal traffic detection method, device, computer device and storage medium
CN110430226A (en) * 2019-09-16 2019-11-08 腾讯科技(深圳)有限公司 Network attack detection method, device, computer device and storage medium
CN110430226B (en) * 2019-09-16 2021-08-17 腾讯科技(深圳)有限公司 Network attack detection method and device, computer equipment and storage medium
CN111031054A (en) * 2019-12-19 2020-04-17 紫光云(南京)数字技术有限公司 CC protection method
WO2022057647A1 (en) * 2020-09-15 2022-03-24 华为技术有限公司 Packet processing method, system, and device
CN112118271A (en) * 2020-10-29 2020-12-22 杭州迪普科技股份有限公司 Traffic cleaning method, device, equipment and computer readable storage medium
CN112565308B (en) * 2021-02-26 2021-05-18 北京邮电大学 Malicious application detection method, device, equipment and medium based on network traffic
CN112565308A (en) * 2021-02-26 2021-03-26 北京邮电大学 Malicious application detection method, device, equipment and medium based on network traffic

Also Published As

Publication number Publication date
CN105991637B (en) 2019-06-07

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building

Applicant after: Hangzhou Dipu Polytron Technologies Inc

Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building

Applicant before: Hangzhou Dipu Technology Co., Ltd.

GR01 Patent grant