CN106131083A - Attack message detection and prevention method, and switch - Google Patents

Publication number: CN106131083A
Authority: CN (China)
Prior art keywords: attack message; attack; message; ACL rule; cycle time
Legal status: Pending
Application number: CN201610770488.5A
Other languages: Chinese (zh)
Inventor: 严林
Current Assignee: Maipu Communication Technology Co Ltd
Original Assignee: Maipu Communication Technology Co Ltd
Application filed by Maipu Communication Technology Co Ltd
Priority to CN201610770488.5A
Publication of CN106131083A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101: Access control lists [ACL]
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments provide a method for detecting and defending against attack messages, and a switch. The method includes: configuring an access control list (ACL) rule for matching attack messages, and setting a statistics flag and an initial value of a packet counter in the ACL rule; delivering the ACL rule to a hardware table entry of the switching chip; counting, according to the statistics flag, the received attack messages that match the ACL rule and saving the count in the packet counter; and, at the set cycle time, reading and saving the current value of the packet counter, calculating from that current value the attack intensity of the attack messages within the set cycle time, and issuing a handling policy for the attack messages according to that attack intensity. This improves the reliability of detecting and defending against attack messages.

Description

Attack message detection and prevention method, and switch
Technical field
The present invention relates to the field of data communication technology, and in particular to a method for detecting and defending against attack messages, and to a switch.
Background
With the growing number of network users and rising demands for service diversity, the problem of switch access security is becoming increasingly prominent. Attack detection on a switch relies mainly on the switch's central processing unit (CPU) and its switching chip. To record attack detection on the switch and defend against attack messages, all messages must first be forwarded to the switch's CPU so that their features can be captured. The CPU then analyzes the messages, compiles statistics, and outputs log information that is recorded on a log server. This method places a serious burden on the switch's CPU. Moreover, it applies no unified policy to attack messages; it merely records logs. Another attack detection method on switches uses features of the switching chip to count attack messages and report the count to the user. This method only informs the user of the source and intensity of the attack messages; it does not formulate a corresponding policy to deal with the attack source.
Summary of the invention
The present invention provides a method for detecting and defending against attack messages, and a switch, with the aim of improving the accuracy of attack message detection and the reliability of defense.
In a first aspect, an embodiment of the present invention provides a method for detecting and defending against attack messages, the method including:
configuring an access control list (ACL) rule for matching attack messages, and setting a statistics flag and an initial value of a packet counter in the ACL rule, where the statistics flag indicates that attack messages matching the ACL rule are to be counted, and the packet counter stores the count of attack messages matching the ACL rule;
delivering the ACL rule to a hardware table entry of the switching chip;
counting, according to the statistics flag, the received attack messages that match the ACL rule, and saving the count in the packet counter;
at the set cycle time, reading and saving the current value of the packet counter, calculating from that current value the attack intensity of the attack messages within the set cycle time, and issuing a handling policy for the attack messages according to that attack intensity.
Preferably, the step of calculating the attack intensity of the attack messages within the set cycle time from the current value of the packet counter specifically includes:
calculating the difference between the current value of the packet counter and the saved historical value of the packet counter, and deriving from the result the intensity of the attack messages matching the ACL rule within the set cycle time.
Preferably, deriving the intensity of the attack messages matching the ACL rule within the set cycle time and issuing a handling policy for the attack messages according to that attack intensity specifically includes:
when the calculation result for the attack messages within the set cycle time is less than or equal to a first preset number, issuing a handling policy of recording the feature information of the attack messages in a local log and discarding the attack messages.
Preferably, deriving the intensity of the attack messages matching the ACL rule within the set cycle time and issuing a handling policy for the attack messages according to that attack intensity specifically includes:
when the calculation result for the attack messages within the set cycle time is less than or equal to a second preset number and greater than the first preset number, issuing a handling policy of uploading the feature information of the attack messages to a log server for recording and discarding the attack messages.
Preferably, deriving the intensity of the attack messages matching the ACL rule within the set cycle time and issuing a handling policy for the attack messages according to that attack intensity specifically includes:
when the calculation result for the attack messages within the set cycle is greater than the second preset number, issuing a handling policy of uploading the feature information of the attack messages to a log server for recording, discarding the attack messages, and closing the receiving port corresponding to the attack messages.
In a second aspect, an embodiment of the present invention provides a switch including a master control processing module and a packet forwarding module, where:
the master control processing module is configured to configure an access control list (ACL) rule for matching attack messages, and to set a statistics flag and an initial value of a packet counter in the ACL rule, where the statistics flag indicates that attack messages matching the ACL rule are to be counted, and the packet counter stores the count of attack messages matching the ACL rule; and to deliver the ACL rule to a hardware table entry of the switching chip of the packet forwarding module;
the packet forwarding module is configured to count, according to the statistics flag set in the ACL rule, the received attack messages that match the ACL rule, and to save the count in the packet counter;
the master control processing module is further configured to read and save the current value of the packet counter at the set cycle time, to calculate from that current value the attack intensity of the attack messages within the set cycle time, and to issue a handling policy for the attack messages according to that attack intensity.
Preferably, the master control processing module is specifically configured to calculate the difference between the current value of the packet counter and the saved historical value of the packet counter, and to derive the intensity of the attack messages matching the ACL rule within the set cycle time.
Preferably, the master control processing module is specifically configured to issue, when the count result for the attack messages within the set cycle time is less than or equal to the first preset number, a handling policy of recording the feature information of the attack messages in a local log and discarding the attack messages.
Preferably, the master control processing module is specifically configured to:
when the calculation result for the attack messages within the set cycle time is less than or equal to the first preset number, issue a handling policy of recording the feature information of the attack messages in a local log and discarding the attack messages.
Preferably, the master control processing module is specifically configured to:
when the calculation result for the attack messages within the set cycle is greater than the second preset number, issue a handling policy of uploading the feature information of the attack messages to a log server for recording, discarding the attack messages, and closing the receiving port corresponding to the attack messages.
The method for detecting and defending against attack messages, and the switch, provided by the embodiments of the present invention count the attack messages matching the ACL rule by means of the statistics flag and store the count of those messages in the packet counter; read and save the current value of the packet counter at the set cycle time; calculate from that value the attack intensity of the attack messages within the set cycle time; and issue a handling policy for the attack messages according to that attack intensity, thereby improving the accuracy of attack message detection and the reliability of defense.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings used in the embodiments are briefly described below. It should be understood that the following drawings show only certain embodiments of the present invention and should therefore not be regarded as limiting its scope; those of ordinary skill in the art may derive other related drawings from them without creative effort.
Fig. 1 is a functional block diagram of a switch provided by an embodiment of the present invention.
Fig. 2 is a flowchart of a method for detecting and defending against attack messages provided by an embodiment of the present invention.
Fig. 3 is a diagram, applicable to Fig. 2, of the mapping between CPU queue numbers and rates, provided by an embodiment of the present invention.
The reference numerals in the figures are:
Switch 100; master control processing module 101; packet forwarding module 102.
Detailed description
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should also be noted that similar reference numerals and letters denote similar items in the following drawings; therefore, once an item is defined in one drawing, it need not be further defined or explained in subsequent drawings. In addition, in the description of the present invention, the terms "first", "second" and the like are used only to distinguish descriptions and are not to be understood as indicating or implying relative importance.
Fig. 1 shows the functional block diagram of the switch 100. The switch 100 may include a master control processing module 101 and a packet forwarding module 102. The master control processing module 101 is connected to the packet forwarding module 102 so that data communication or signalling interaction can take place between them. For a distributed switch device, the master control processing module 101 is located on the main control card (MPU) and the packet forwarding module 102 is located on the line card (LPU).
The master control processing module 101 is configured to configure the access control list (ACL) rule for matching attack messages, and to set a statistics flag and an initial value of a packet counter in the ACL rule.
In this embodiment, the switch 100 includes an access control list (Access Control List, ACL) in which rules can be configured, so as to match attack messages. A statistics flag and an initial value of a packet counter are set in the ACL rule. In detail, the ACL rule for matching attack messages is configured so that attack messages matching the ACL rule can be counted, detected and defended against. The configuration includes setting the statistics flag and the initial value of the packet counter. The statistics flag indicates that attack messages matching the ACL rule are to be counted. The packet counter stores the count of attack messages matching the ACL rule. The statistics flag and the packet counter are set in the ACL rule entry. The ACL rule can be configured according to user needs.
The packet forwarding module 102 counts, according to the statistics flag set in the ACL rule, the received attack messages that match the ACL rule, and saves the count in the packet counter.
In this embodiment, when receiving an attack message, the packet forwarding module 102 checks the legitimacy of attack messages matching the ACL rule and, according to the statistics flag, counts each detected attack message and stores the count in the packet counter.
The master control processing module 101 is further configured to read and save the current value of the packet counter at the set cycle time, to calculate from that current value the attack intensity of the attack messages within the set cycle time, and to issue a handling policy for the attack messages according to that attack intensity.
The master control processing module 101 periodically reads and saves the current value of the packet counter at the set cycle time, calculates from that current value the attack intensity of the attack messages within the set cycle time, and issues a handling policy for the attack messages according to that attack intensity.
Further, the attack intensity of the attack messages is graded according to the count of attack messages within the set cycle time. The grading may include level-1, level-2 and level-3 intensity; the higher the level, the greater the attack intensity. In this embodiment, after the packet forwarding module 102 reads the current value of the packet counter, it calculates the difference from the historical value and analyzes the result to derive the intensity of the attack messages matching the ACL rule within the set cycle time. The intensity of the attack messages may be the number of attack messages per second. The grading may be based on the attack intensity, or it may be set according to the default value of the CPU queue to which attack messages are delivered.
When the grading is set according to the default value of the CPU queue to which attack messages are delivered, the three levels each take a preset proportion of the CPU queue default value. For example, level-1 intensity takes 25% of the CPU queue default value, level-2 intensity takes 50%, and level-3 intensity takes 100%. The default values of the different CPU queues are shown in Fig. 3. When attack messages are delivered to the CPU through queue 0, level-1 intensity is 50 PPS, level-2 intensity is 100 PPS and level-3 intensity is 200 PPS.
In this embodiment, when the count of attack messages within the set cycle is less than or equal to the first preset number (for example, 50), the attack intensity of the attack messages is judged to be level-1 intensity. The packet forwarding module 102 then issues to the packet forwarding module 102 the handling policy corresponding to level-1 intensity. The handling policy may be to record the feature information of the attack messages in a local log and discard the attack messages.
When the count of attack messages is less than or equal to the second preset number and greater than the first preset number, the attack intensity of the attack messages is judged to be level-2 intensity. The packet forwarding module 102 then issues a handling policy to the packet forwarding module 102. The handling policy may be to upload the feature information of the attack messages to a log server for recording and discard the attack messages.
When the count of attack messages is greater than the second preset number, the attack intensity of the attack messages is judged to be level-3 intensity. The packet forwarding module 102 then issues to the packet forwarding module 102 the handling policy corresponding to level-3 intensity. The handling policy is to upload the feature information of the attack messages to a log server for recording, discard the attack messages, and close the receiving port corresponding to the attack messages. It should be understood that in other embodiments the intensity grading may use any other feasible method; for example, the grading may include only level-1 and level-2 intensity, or may include more levels of intensity.
Fig. 2 shows the flowchart of a method for detecting and defending against attack messages provided by an embodiment of the present invention. The method includes the following steps.
Step S101: configure an access control list (ACL) rule for matching attack messages, and set a statistics flag and an initial value of a packet counter in the ACL rule.
The switch 100 includes an access control list (Access Control List, ACL) in which rules can be configured, so as to match attack messages. A statistics flag and an initial value of a packet counter are set in the ACL rule. In this embodiment, the ACL rule for matching attack messages is first configured so that attack messages matching the ACL rule can be counted, detected and defended against. In detail, the configuration includes setting the statistics flag and the initial value of the packet counter. The statistics flag indicates that attack messages matching the ACL rule are to be counted. The packet counter stores the count of attack messages matching the ACL rule.
Step S102: deliver the ACL rule to a hardware table entry of the switching chip.
The master control processing module 101 delivers the ACL rule to a hardware table entry of the switching chip of the packet forwarding module 102.
Step S103: according to the statistics flag, count the received attack messages that match the ACL rule and save the count in the packet counter.
In this embodiment, when receiving an attack message, the packet forwarding module 102 checks the legitimacy of attack messages matching the ACL rule and, according to the statistics flag, counts each detected attack message and stores the count in the packet counter.
Step S104: at the set cycle time, read and save the current value of the packet counter, calculate from that current value the attack intensity of the attack messages within the set cycle time, and issue a handling policy for the attack messages according to that attack intensity.
The master control processing module 101 periodically reads and saves the current value of the packet counter at the set cycle time, calculates from that current value the attack intensity of the attack messages within the set cycle time, and issues a handling policy for the attack messages according to that attack intensity.
Further, the attack intensity of the attack messages is graded according to the count of attack messages within the set cycle time. The grading may include level-1, level-2 and level-3 intensity; the higher the level, the greater the attack intensity. In this embodiment, after the packet forwarding module 102 reads the current value of the packet counter, it calculates the difference from the historical value and analyzes the calculation result to derive the intensity of the attack messages matching the ACL rule within the set cycle time. The intensity of the attack messages may be the number of attack messages per second. The grading may be based on the attack intensity, or it may be set according to the default value of the CPU queue to which attack messages are delivered.
When the grading is set according to the default value of the CPU queue to which attack messages are delivered, the three levels each take a preset proportion of the CPU queue default value. For example, level-1 intensity takes 25% of the CPU queue default value, level-2 intensity takes 50%, and level-3 intensity takes 100%. The default values of the different CPU queues are shown in Fig. 3. When attack messages are delivered to the CPU through queue 0, level-1 intensity is 50 PPS, level-2 intensity is 100 PPS and level-3 intensity is 200 PPS.
In this embodiment, when the count of attack messages within the set cycle is less than or equal to the first preset number (for example, 50), the attack intensity of the attack messages is judged to be level-1 intensity. The packet forwarding module 102 then issues to the packet forwarding module 102 the handling policy corresponding to level-1 intensity. The handling policy may be to record the feature information of the attack messages in a local log and discard the attack messages.
When the count of attack messages is less than or equal to the second preset number and greater than the first preset number, the attack intensity of the attack messages is judged to be level-2 intensity. The packet forwarding module 102 then issues a handling policy to the packet forwarding module 102. The handling policy may be to upload the feature information of the attack messages to a log server for recording and discard the attack messages.
When the count of attack messages is greater than the second preset number, the attack intensity of the attack messages is judged to be level-3 intensity. The packet forwarding module 102 then issues to the packet forwarding module 102 the handling policy corresponding to level-3 intensity. The handling policy is to upload the feature information of the attack messages to a log server for recording, discard the attack messages, and close the receiving port corresponding to the attack messages. It should be understood that in other embodiments the intensity grading may use any other feasible method; for example, the grading may include only level-1 and level-2 intensity, or may include more levels of intensity.
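The periodic read, difference calculation and three-level policy selection of step S104, as an added C example that is not part of the patent text. The type and function names, the 32-bit wrapping counter, the scaling of the thresholds by the cycle length, and the "no action" result for a period with no matches are assumptions made for the illustration; the 25%/50% proportions and the 200 PPS value for queue 0 come from the description.

```c
#include <stdint.h>
#include <stdio.h>

/* Handling policies for the three intensity levels in the description.
 * POLICY_NONE is an assumption: the text does not say what happens when
 * no attack message matched during the period. */
enum policy {
    POLICY_NONE,
    POLICY_LOG_LOCAL_DROP,        /* level 1: local log, discard */
    POLICY_LOG_SERVER_DROP,       /* level 2: log server, discard */
    POLICY_LOG_SERVER_DROP_SHUT   /* level 3: log server, discard, close port */
};

/* Control-plane state kept per ACL rule (hypothetical structure). */
struct acl_monitor {
    uint32_t last_count;  /* historical counter value saved at the last read */
    uint32_t period_s;    /* set cycle time, in seconds */
    uint32_t first_pps;   /* first preset number, messages per second */
    uint32_t second_pps;  /* second preset number, messages per second */
};

/* Derive both thresholds from the default rate of the CPU queue that the
 * attack messages would be delivered to: 25% and 50% of that rate. */
void monitor_init(struct acl_monitor *m, uint32_t queue_default_pps,
                  uint32_t period_s, uint32_t initial_count)
{
    m->last_count = initial_count;
    m->period_s   = period_s;
    m->first_pps  = queue_default_pps / 4;
    m->second_pps = queue_default_pps / 2;
}

/* One periodic read: compute the difference against the saved value, save
 * the new value, and pick the policy for this period. */
enum policy monitor_poll(struct acl_monitor *m, uint32_t current_count,
                         uint32_t *delta_out)
{
    /* Unsigned subtraction is modulo 2^32, so the difference stays correct
     * when the hardware counter wraps between two reads (assumed 32-bit). */
    uint32_t delta = current_count - m->last_count;
    m->last_count = current_count;
    if (delta_out)
        *delta_out = delta;
    if (delta == 0)
        return POLICY_NONE;

    /* Compare message counts instead of dividing by the period, so integer
     * truncation cannot push a rate just above a threshold back under it. */
    uint64_t first  = (uint64_t)m->first_pps  * m->period_s;
    uint64_t second = (uint64_t)m->second_pps * m->period_s;
    if (delta <= first)
        return POLICY_LOG_LOCAL_DROP;
    if (delta <= second)
        return POLICY_LOG_SERVER_DROP;
    return POLICY_LOG_SERVER_DROP_SHUT;
}

int main(void)
{
    static const char *names[] = {
        "none", "log locally + drop", "log to server + drop",
        "log to server + drop + close receiving port"
    };
    /* Constructed counter readings, one per 1-second period; the counter
     * starts just below 2^32 so that the first read crosses the wrap. */
    const uint32_t readings[] = { 0x00000020u, 0x00000020u, 110u, 330u };
    struct acl_monitor m;
    monitor_init(&m, 200 /* queue 0 default, PPS */, 1, 0xFFFFFFF0u);

    for (size_t i = 0; i < sizeof readings / sizeof readings[0]; i++) {
        uint32_t delta;
        enum policy p = monitor_poll(&m, readings[i], &delta);
        printf("read=%u delta=%u -> %s\n",
               (unsigned)readings[i], (unsigned)delta, names[p]);
    }
    return 0;
}
```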
The method for detecting and defending against attack messages, and the switch, provided by the embodiments of the present invention count the attack messages matching the ACL rule by means of the statistics flag and store the count of those messages in the packet counter; read and save the current value of the packet counter at the set cycle time; calculate from that value the attack intensity of the attack messages within the set cycle time; and issue a handling policy for the attack messages according to that attack intensity, thereby improving the accuracy of attack message detection and the reliability of defense.
It should be noted that, in the embodiments provided herein, the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in an actual implementation.
In the embodiments provided herein, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative; for example, the flowcharts and block diagrams in the drawings show the possible architecture, functions and operations of apparatuses, methods and computer program products according to multiple embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, program segment or portion of code that contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations the functions noted in the blocks may occur in an order different from that noted in the drawings. For example, two consecutive blocks may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and/or flowcharts, and combinations of blocks in them, may be implemented by a dedicated hardware-based system that performs the specified functions or actions, or by a combination of dedicated hardware and computer instructions.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, may each exist physically on their own, or two or more units may be integrated into one unit.
The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited to it. Any change or replacement that a person skilled in the art could readily conceive of within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. The scope of protection of the present invention shall therefore be determined by the scope of the claims.

Claims (10)

1. An attack message detection and prevention method, characterized in that the method comprises:
configuring an access control list (ACL) rule for matching attack messages, and setting in the ACL rule a statistics flag and an initial value of a message counter; wherein the statistics flag indicates that attack messages matching the ACL rule are to be counted, and the message counter stores the statistical value of the attack messages matching the ACL rule;
issuing the ACL rule to a hardware table entry of the switching chip;
according to the statistics flag, counting the received attack messages that match the ACL rule and saving the count in the message counter;
according to a set cycle time, reading and saving the current statistical value of the message counter, calculating the attack strength of the attack messages within the set cycle time from the current statistical value of the message counter, and issuing a handling policy for the attack messages according to this attack strength.
2. The attack message detection and prevention method according to claim 1, characterized in that the step of calculating the attack strength of the attack messages within the set cycle time from the current statistical value of the message counter specifically comprises:
calculating the difference between the current statistical value of the message counter and the saved historical statistical value of the message counter, and deriving from the calculation result the strength of the attack messages matching the ACL rule within the set cycle time.
3. The attack message detection and prevention method according to claim 1 or 2, characterized in that deriving the strength of the attack messages matching the ACL rule within the set cycle time and issuing the handling policy for the attack messages according to this attack strength specifically comprises:
when the calculation result for the attack messages within the set cycle time is less than or equal to a first predetermined number, issuing a handling policy of recording the characteristic information of the attack messages in a local log and discarding the attack messages.
4. The attack message detection and prevention method according to claim 2, characterized in that deriving the strength of the attack messages matching the ACL rule within the set cycle time and issuing the handling policy for the attack messages according to this attack strength specifically comprises:
when the calculation result for the attack messages within the set cycle time is less than or equal to a second predetermined number and greater than the first predetermined number, issuing a handling policy of uploading the characteristic information of the attack messages to a log server for recording and discarding the attack messages.
5. The attack message detection and prevention method according to claim 2, characterized in that deriving the strength of the attack messages matching the ACL rule within the set cycle time and issuing the handling policy for the attack messages according to this attack strength specifically comprises:
when the calculation result for the attack messages within the set cycle is greater than the second predetermined number, issuing a handling policy of uploading the characteristic information of the attack messages to a log server for recording, discarding the attack messages, and closing the receiving port corresponding to the attack messages.
6. A switch, characterized by comprising a master control processing module and a message forwarding module, wherein:
the master control processing module is configured to configure an access control list (ACL) rule for matching attack messages, and to set in the ACL rule a statistics flag and an initial value of a message counter; wherein the statistics flag indicates that attack messages matching the ACL rule are to be counted, and the message counter stores the statistical value of the attack messages matching the ACL rule; and to issue the ACL rule to a hardware table entry of the switching chip of the message forwarding module;
the message forwarding module is configured to count, according to the statistics flag set in the ACL rule, the received attack messages that match the ACL rule and to save the count in the message counter;
the master control processing module is further configured to read and save the current statistical value of the message counter according to a set cycle time, to calculate the attack strength of the attack messages within the set cycle time from the current statistical value of the message counter, and to issue a handling policy for the attack messages according to this attack strength.
7. The switch according to claim 6, characterized in that the master control processing module is specifically configured to calculate the difference between the current statistical value of the message counter and the saved historical statistical value of the message counter, and to derive the strength of the attack messages matching the ACL rule within the set cycle time.
8. The switch according to claim 6 or 7, characterized in that
the master control processing module is specifically configured to issue, when the count result for the attack messages within the set cycle time is less than or equal to a first predetermined number, a handling policy of recording the characteristic information of the attack messages in a local log and discarding the attack messages.
9. The switch according to claim 7, characterized in that the master control processing module is specifically configured to:
when the calculation result for the attack messages within the set cycle time is less than or equal to the first predetermined number, issue a handling policy of recording the characteristic information of the attack messages in a local log and discarding the attack messages.
10. The switch according to claim 7, characterized in that the master control processing module is specifically configured to:
when the calculation result for the attack messages within the set cycle is greater than the second predetermined number, issue a handling policy of uploading the characteristic information of the attack messages to a log server for recording, discarding the attack messages, and closing the receiving port corresponding to the attack messages.
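
The polling logic of claims 1 to 5 (read the counter each period, take the difference from the saved value, choose a handling policy by threshold) can be sketched as follows. This is an added example, not code from the patent; the struct and function names, the threshold values and the 32-bit counter width are assumptions, and the counter readings are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Handling policies of claims 3 to 5, in order of escalation. */
enum policy { LOG_LOCAL_DROP, LOG_SERVER_DROP, LOG_SERVER_DROP_CLOSE_PORT };

/* Per-rule state held by the master control module (hypothetical names). */
struct acl_stat {
    uint32_t last;       /* counter value saved at the previous poll */
    uint32_t threshold1; /* "first predetermined number" */
    uint32_t threshold2; /* "second predetermined number" */
};

/* Claim 2: strength = current counter value minus the saved value.
 * Unsigned subtraction stays correct across a single wrap of the
 * counter, assumed here to be 32 bits wide. */
uint32_t attack_strength(struct acl_stat *s, uint32_t current)
{
    uint32_t delta = current - s->last;
    s->last = current; /* save for the next period */
    return delta;
}

/* Claims 3 to 5: map the per-period strength to a handling policy. */
enum policy select_policy(const struct acl_stat *s, uint32_t strength)
{
    if (strength <= s->threshold1)
        return LOG_LOCAL_DROP;
    if (strength <= s->threshold2)
        return LOG_SERVER_DROP;
    return LOG_SERVER_DROP_CLOSE_PORT;
}

/* One polling cycle: read, diff, decide. */
enum policy poll_cycle(struct acl_stat *s, uint32_t current)
{
    return select_policy(s, attack_strength(s, current));
}

int main(void)
{
    /* Constructed counter readings, one per period; the last one wraps. */
    static const uint32_t samples[] = { 40u, 540u, 4294967290u, 20u };
    static const char *const names[] = {
        "local log + drop", "log server + drop",
        "log server + drop + close port" };
    struct acl_stat s = { 0u, 100u, 1000u }; /* assumed thresholds */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("reading %lu -> %s\n", (unsigned long)samples[i],
               names[poll_cycle(&s, samples[i])]);
    return 0;
}
```

A counter that wraps more than once within a period cannot be recovered from the difference alone, so the set cycle time has to be short relative to the counter width and the expected message rate.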
CN201610770488.5A 2016-08-30 2016-08-30 A kind of attack message detection and take precautions against method and switch Pending CN106131083A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610770488.5A CN106131083A (en) 2016-08-30 2016-08-30 A kind of attack message detection and take precautions against method and switch

Publications (1)

Publication Number Publication Date
CN106131083A true CN106131083A (en) 2016-11-16

Family

ID=57272236

Country Status (1)

Country Link
CN (1) CN106131083A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20161116
