CN107888610A - Attack defense method, network device and computer storage medium - Google Patents
- Publication number
- CN107888610A (CN201711230451.4A)
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
- H04L43/0894—Packet rate
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/16—Threshold monitoring
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Environmental & Geological Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses an attack defense method, a network device and a computer storage medium, for improving the attack defense capability of a network device. The method includes: the network device obtains, from historical session records, the historical actual new-session rate of an IP device in each specified sampling period, where the historical actual new-session rate in a sampling period is the number of sessions newly created between the network device and the IP device within that sampling period; based on all the actual new-session rates obtained, the network device calculates an estimated new-session rate of the IP device within a specified time range; according to a preset selection rule and the estimated new-session rate, the network device selects a target rate threshold for the IP device from a preset rate threshold set, where the rate threshold set contains N rate thresholds; when the network device determines that the current actual new-session rate of the IP device exceeds the target rate threshold, it discards the packets that need to be forwarded to the IP device.
Description
Technical field
The present invention relates to the field of network communication technology, and in particular to an attack defense method, a network device and a computer storage medium.
Background
As network penetration keeps rising, network security has become a growing concern. As a result, gateway devices responsible for exchanging data with the external network, sometimes called egress gateway devices, in addition to integrating functions such as behavior management, traffic control and application identification, increasingly have some attack defense capability, so as to protect devices in the local area network from external network threats as far as possible.
In the prior art, egress gateway devices defend against attacks mainly in two ways:
The first is packet filtering, which selects packets at the network layer according to an access control list (ACL, Access Control List). That is, whether a packet is allowed through is decided from its header information, such as source port, destination port, source IP address, destination IP address, encapsulated protocol type (for example Transmission Control Protocol (TCP), User Datagram Protocol (UDP) or Internet Control Message Protocol (ICMP)) and ICMP message type, together with user-defined filter content.
The second is limiting the new-session rate or the traffic. A new-session rate limit or traffic limit is set for all IPs or for specific intranet IPs, and the part exceeding the limit is discarded.
Although both approaches are fairly simple to apply, each has problems.
With the first approach, the source address, destination address, IP port numbers and so on of a network attack may all be forged, so ACLs cannot filter out all attack packets; ACLs are also relatively hard to maintain; and as the number of ACLs grows, the processing performance of the egress gateway device gradually declines.
With the second approach, each IP's situation may differ, so there is no way to determine what limit to set for each IP, and an improper configuration causes network anomalies.
Clearly, whichever of the two approaches is used, the degraded performance of the egress gateway device or the network anomalies that arise during attack defense reduce the device's ability to withstand attacks, or even render it practically useless.
In view of this, how to effectively improve the attack defense capability of gateway devices has become an urgent problem.
Summary of the invention
The present invention provides an attack defense method, a network device and a computer storage medium, to improve the attack defense capability of gateway devices.
In a first aspect, to solve the above technical problem, an embodiment of the present invention provides an attack defense method whose technical solution is as follows:
The network device obtains, from historical session records, the historical actual new-session rate of an IP device in each specified sampling period; where the historical actual new-session rate in a sampling period is the number of sessions newly created between the network device and the IP device within that sampling period;
Based on all the actual new-session rates obtained, the network device calculates an estimated new-session rate of the IP device within a specified time range;
According to a preset selection rule and the estimated new-session rate, the network device selects the target rate threshold of the IP device from a preset rate threshold set; where the rate threshold set contains N rate thresholds;
When the network device determines that the current actual new-session rate of the IP device exceeds the target rate threshold, it discards the packets that need to be forwarded to the IP device.
Optionally, the network device calculating, based on all the actual new-session rates obtained, the estimated new-session rate of the IP device within the specified time range includes:
The network device obtains, from all the actual new-session rates, each actual new-session rate of the IP device within the specified time range, to form a first data set;
All the actual new-session rates in the first data set are sorted by value;
According to a preset first ratio, the portion of actual new-session rates with the largest values, or the portion with the smallest values, is selected from the first data set, to form a second data set;
If the second data set consists of the largest-valued portion of actual new-session rates, the smallest actual new-session rate in it is taken as the estimated new-session rate; if the second data set consists of the smallest-valued portion of actual new-session rates, the largest actual new-session rate in it is taken as the estimated new-session rate.
Optionally, the network device selecting the target rate threshold of the IP device from the preset rate threshold set according to the preset selection rule and the estimated new-session rate includes:
Multiplying the estimated new-session rate by a preset coefficient to obtain a temporary new-session rate;
Obtaining, from the preset rate threshold set, the rate threshold whose positive difference from the temporary new-session rate is smallest or whose negative difference is largest, as the target rate threshold of the IP device; where the positive difference is taken with the temporary new-session rate as the minuend, and the negative difference is taken with the temporary new-session rate as the subtrahend.
Optionally, the method further includes:
Monitoring a performance parameter of the network device in real time;
When the performance parameter is determined to be higher than a first preset alarm parameter, lowering the target rate threshold currently used by the IP device step by step on the basis of the rate threshold set, and monitoring the performance parameter once after each lowering, until the performance parameter reaches a first preset range or the currently used target rate threshold has been lowered to the minimum value in the rate threshold set.
Optionally, after the performance parameter reaches the first preset range, the method further includes:
When the whole-device new-session rate of the network device is lower than a second preset alarm parameter, raising the target rate threshold currently used by the IP device step by step on the basis of the rate threshold set, and monitoring the whole-device new-session rate once after each raising, until the whole-device new-session rate reaches a second preset range or the currently used target rate threshold has been restored to the target rate threshold corresponding to each IP device; where the whole-device new-session rate is the sum of the current actual new-session rates of all IP devices.
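
The step-by-step lowering and raising described above, as an added example that is not part of the patent text. The function names, the use of the 500/1000/3000/5000 threshold set from the description's later example, and the CPU and whole-device readings are constructed assumptions.

```python
# Threshold set taken from the description's later example (values in sessions/s).
THRESHOLDS = [500, 1000, 3000, 5000]

# Constructed readings: what the device would report after a threshold is applied.
CPU_BY_THRESHOLD = {5000: 95, 3000: 90, 1000: 75, 500: 60}               # CPU load, %
WHOLE_RATE_BY_THRESHOLD = {500: 400, 1000: 900, 3000: 2600, 5000: 4100}  # sessions/s


def read_cpu(threshold):
    """Hypothetical monitor: performance parameter with this threshold in force."""
    return CPU_BY_THRESHOLD[threshold]


def read_whole_rate(threshold):
    """Hypothetical monitor: sum of all IP devices' current new-session rates."""
    return WHOLE_RATE_BY_THRESHOLD[threshold]


def walk_thresholds(threshold_set, start, stop_at, read_metric, in_range):
    """Move one level at a time from `start` toward `stop_at`.

    After every move the metric is read exactly once; the walk ends as soon
    as the metric is inside the wanted range or `stop_at` has been applied.
    Returns the thresholds applied, in order.
    """
    levels = sorted(threshold_set)
    i, end = levels.index(start), levels.index(stop_at)
    step = 1 if end > i else -1
    applied = []
    while i != end:
        i += step
        applied.append(levels[i])
        if in_range(read_metric(levels[i])):
            break
    return applied


def lower_under_load(threshold_set, current, read_perf, alarm, in_first_range):
    """Lower step by step while the device is overloaded; floor is min(set)."""
    if read_perf(current) <= alarm:
        return []  # performance parameter not above the first alarm parameter
    return walk_thresholds(threshold_set, current, min(threshold_set),
                           read_perf, in_first_range)


def raise_after_recovery(threshold_set, current, original, read_rate, alarm,
                         in_second_range):
    """Raise step by step once load is low; ceiling is the original target."""
    if read_rate(current) >= alarm:
        return []  # whole-device rate not below the second alarm parameter
    return walk_thresholds(threshold_set, current, original,
                           read_rate, in_second_range)


if __name__ == "__main__":
    down = lower_under_load(THRESHOLDS, 5000, read_cpu, 85, lambda v: v <= 80)
    print("lowered through:", down)
    up = raise_after_recovery(THRESHOLDS, down[-1], 5000, read_whole_rate,
                              1000, lambda v: v >= 2000)
    print("raised through:", up)
```
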
In a second aspect, an embodiment of the present invention provides a network device for attack defense, including:
An acquisition module, configured to obtain, from historical session records, the historical actual new-session rate of an IP device in each specified sampling period; where the historical actual new-session rate in a sampling period is the number of sessions newly created between the network device and the IP device within that sampling period;
A calculation module, configured to calculate, based on all the actual new-session rates obtained, the estimated new-session rate of the IP device within a specified time range;
A selection module, configured to select the target rate threshold of the IP device from a preset rate threshold set according to a preset selection rule and the estimated new-session rate; where the rate threshold set contains N rate thresholds;
A determination module, configured to discard the packets that need to be forwarded to the IP device when it determines that the current actual new-session rate of the IP device exceeds the target rate threshold.
Optionally, the calculation module is configured to:
Obtain, from all the actual new-session rates, each actual new-session rate of the IP device within the specified time range, to form a first data set;
Sort all the actual new-session rates in the first data set by value;
Select from the first data set, according to a preset first ratio, the portion of actual new-session rates with the largest values, or the portion with the smallest values, to form a second data set;
If the second data set consists of the largest-valued portion of actual new-session rates, take the smallest actual new-session rate in it as the estimated new-session rate; if the second data set consists of the smallest-valued portion of actual new-session rates, take the largest actual new-session rate in it as the estimated new-session rate.
Optionally, the selection module is configured to:
Multiply the estimated new-session rate by a preset coefficient to obtain a temporary new-session rate;
Obtain, from the preset rate threshold set, the rate threshold whose positive difference from the temporary new-session rate is smallest or whose negative difference is largest, as the target rate threshold of the IP device; where the positive difference is taken with the temporary new-session rate as the minuend, and the negative difference is taken with the temporary new-session rate as the subtrahend.
Optionally, the network device is further configured to:
Monitor a performance parameter of the network device in real time;
When the performance parameter is determined to be higher than a first preset alarm parameter, lower the target rate threshold currently used by the IP device step by step on the basis of the rate threshold set, monitoring the performance parameter once after each lowering, until the performance parameter reaches a first preset range or the currently used target rate threshold has been lowered to the minimum value in the rate threshold set.
Optionally, after the performance parameter reaches the first preset range, the network device is further configured to:
When the whole-device new-session rate of the network device is lower than a second preset alarm parameter, raise the target rate threshold currently used by the IP device step by step on the basis of the rate threshold set, monitoring the whole-device new-session rate once after each raising, until the whole-device new-session rate reaches a second preset range or the currently used target rate threshold has been restored to the target rate threshold corresponding to each IP device; where the whole-device new-session rate is the sum of the current actual new-session rates of all IP devices.
In a third aspect, an embodiment of the present invention further provides a computer-readable storage medium:
The computer-readable storage medium stores computer instructions which, when run on a computer, cause the computer to perform the method described in the first aspect above.
Through the technical solutions in one or more of the above embodiments, the embodiments of the present invention have at least the following technical effects:
In the embodiments provided by the present application, the network device periodically collects the historical actual new-session rate of an IP device from historical session records, then calculates from those historical rates the estimated new-session rate of the IP device within a specified time range, and then selects from the preset rate threshold set, according to the preset selection rule and the estimated new-session rate, a target rate threshold suited to the IP device. When the network device determines that the current actual new-session rate of the IP device exceeds the target rate threshold, it can judge that the IP device is under network attack and that the packets to be forwarded to the IP device come from an attacker, so the network device should discard the packets that need to be forwarded to the IP device. This achieves the technical effect of improving the attack defense capability of the network device.
Further, the network device can automatically determine the upper limit of the current actual new-session rate of each IP device (that is, the target rate threshold) from each IP device's historical actual new-session rates and the preset rate threshold set, and then automatically adjust each IP device's current target rate threshold according to the performance parameter and the whole-device new-session rate of the network device monitored in real time, so that while the network device is working normally the current target rate threshold of each IP device is also kept reasonable. This effectively solves the technical problem in existing gateway devices that the target rate threshold of each IP device is hard to set: the network device can adaptively calculate target rate thresholds for different IP devices, which greatly reduces the difficulty of setting the target rate threshold of each IP device and in turn improves the ease of use and applicability of attack defense on the network device side.
Brief description of the drawings
Fig. 1 is a flow chart of an attack defense method provided by an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a network device provided by an embodiment of the present invention.
Detailed description
The present invention provides an attack defense method and a network device, to improve the attack defense capability of the network device.
To solve the above technical problem, the general idea of the technical solution in the embodiments of the present application is as follows:
An attack defense method is provided, applied to a network device, including: the network device obtains, from historical session records, the historical actual new-session rate of an IP device in each specified sampling period, where the historical actual new-session rate in a sampling period is the number of sessions newly created between the network device and the IP device within that sampling period; based on all the actual new-session rates obtained, the network device calculates the estimated new-session rate of the IP device within a specified time range; according to a preset selection rule and the estimated new-session rate, the network device selects the target rate threshold of the IP device from a preset rate threshold set, where the rate threshold set contains N rate thresholds; when the network device determines that the current actual new-session rate of the IP device exceeds the target rate threshold, it discards the packets from the IP device.
In the above technical solution, the network device periodically collects the historical actual new-session rate of an IP device from historical session records, then calculates from those historical rates the estimated new-session rate of the IP device within a specified time range, and then selects from the preset rate threshold set, according to the preset selection rule and the estimated new-session rate, a target rate threshold suited to the IP device. When the network device determines that the current actual new-session rate of the IP device exceeds the target rate threshold, it can judge that the IP device is under network attack and that the packets to be forwarded to the IP device come from an attacker, so the network device should discard the packets that need to be forwarded to the IP device. This achieves the technical effect of improving the attack defense capability of the network device.
For a better understanding of the above technical solution, the technical solution of the present invention is described in detail below with reference to the drawings and specific embodiments. It should be understood that the embodiments of the present invention and the specific features in them are a detailed explanation of the technical solution of the present invention, not a limitation of it, and that the embodiments and the technical features in them may be combined with one another where they do not conflict.
Referring to Fig. 1, an embodiment of the present invention provides an attack defense method, which proceeds as follows.
Step 101: The network device obtains, from historical session records, the historical actual new-session rate of an IP device in each specified sampling period; where the historical actual new-session rate in a sampling period is the number of sessions newly created between the network device and the IP device within that sampling period.
Note that in the embodiments provided by the present application, the network device is a gateway device such as a router or switch, or a server, that manages communication between the devices in a local area network and the external network; such a device is sometimes also called an egress gateway device. An IP device is a device that has an IP address, such as a personal computer, a server or a network printer.
Because every IP device in the intranet must go through the network device to communicate with the external network, the network device needs a high forwarding capability. To improve its forwarding performance, a network device normally applies accelerated processing to data-flow packets. Specifically, when a new data-flow packet arrives at the network device, a flow table entry (also called a session record, or a connection) is created for that data flow. Besides recording information about the IP device that has established the connection with the network device, such as protocol number, source IP address, destination IP address, source port number and destination port number, a flow table entry can also track the state of the data flow and some forwarding result flags.
Note that a data flow is bidirectional: the request packets and the reply packets belong to the same data flow.
Although the network device can improve its forwarding capability through accelerated processing of data-flow packets, it is limited by the processing capacity of its CPU and cache. For example, if during some period one or more IP devices managed by the network device are attacked from the network, the network device will receive a large number of new-session requests. Such a sudden anomaly leaves the network device no time to process them all and exceeds its own processing capacity, so that congestion occurs on the network device and its processing capability drops.
For the network device to detect this anomaly in time and respond to it, the network device must be able to accurately track the rate at which sessions are newly created for each IP device connected to it (called the actual new-session rate in the embodiments of the present application).
Specifically, the network device needs to obtain, from historical session records, the actual new-session rate of an IP device in each specified sampling period; where the actual new-session rate in a sampling period is the number of sessions newly created between the network device and the IP device within that sampling period. The sampling period can be 1ms, 1s, 10s and so on; it is not specifically limited and can be configured as actually needed.
As an example, suppose the sampling period is 1s and the network device is router A, which manages communication between all IP devices in the local area network (say 20 IP devices) and the external network. At the current moment router A can compile statistics from the historical session records. For example, the number of sessions newly created within the 1s that has just passed by each IP device connected to the network device is taken as that IP device's current actual new-session rate; the number of sessions newly created within the 2s that has just passed by each IP device connected to the network device is taken as that IP device's historical actual new-session rate in 2s; the number of sessions newly created within the 3s that has just passed by each IP device connected to the network device is taken as that IP device's historical actual new-session rate in 3s; and so on, which is not repeated here.
In the 1s that has just passed, three IP devices in total established connections with router A, and these three IP devices newly created 100, 150 and 300 session records respectively in that 1s. From the historical new-session records the network device can then calculate that the current actual new-session rates of these three IP devices are 100/s, 150/s and 300/s respectively. After calculating the actual new-session rates of the three IP devices, it also needs to save them.
Thus, when the network device finds that the current actual new-session rate of some IP device has exceeded its normal range, it can judge that the IP device is under network attack.
This normal range, however, has to be defined for the network device: the network device needs to set a target rate threshold for each IP device. When the network device finds that the current actual new-session rate of an IP device exceeds its corresponding target rate threshold, it judges that the IP device is under network attack, and the network device can directly discard the packets that need to be forwarded to the IP device.
Specifically, before setting the target rate threshold for an IP device, the network device first needs to perform step 102.
Step 102: Based on all the actual new-session rates obtained, the network device calculates the estimated new-session rate of the IP device within a specified time range.
In a specific implementation, first, the network device obtains from all the actual new-session rates each actual new-session rate of the IP device within the specified time range, to form a first data set; second, the network device sorts all the actual new-session rates in the first data set by value; third, the network device selects from the first data set, according to a preset first ratio, the portion of actual new-session rates with the largest values or the portion with the smallest values, to form a second data set; finally, if the second data set consists of the largest-valued portion of actual new-session rates, the smallest actual new-session rate in it is taken as the estimated new-session rate, and if the second data set consists of the smallest-valued portion of actual new-session rates, the largest actual new-session rate in it is taken as the estimated new-session rate.
Continuing the example above, router A, as the network device, needs to calculate the estimated new-session rate of each IP device within the specified time, namely the 10s that has just passed. To avoid repetition, calculating the estimated new-session rate of one of the IP devices is taken as the example here. Note that the specified time is assumed to be 10s only to reduce the amount of data enumerated; in practice the specified time can be one hour, one day or one week, and is not specifically limited.
The network device first obtains all the actual new-session rates of the IP device in the 10s that has just passed: 120/s, 520/s, 320/s, 20/s, 0/s, 220/s, 620/s, 70/s, 420/s, 80/s. These 10 values form the first data set. Next, the 10 actual new-session rates in the first data set are sorted by value (from largest to smallest), giving 620/s, 520/s, 420/s, 320/s, 220/s, 120/s, 80/s, 70/s, 20/s, 0/s. Then, according to the preset first ratio, assumed to be 30%, the network device selects from the first data set the 30% of actual new-session rates with the largest values, which are 620/s, 520/s and 420/s; these form the second data set. Finally, the network device selects from the second data set the actual new-session rate with the smallest value, 420/s, as the estimated new-session rate of the IP device within the specified time range.
Note that the example above only illustrates arranging the data in the first data set from largest to smallest; the data may also be arranged from smallest to largest and the largest 30% of values then taken. The manner of sorting is not limited. Likewise, a preset ratio such as 70% may be used, taking the smallest 70% of the data and using the largest actual new-session rate among them as the estimated new-session rate. What ratio is used, and whether the estimated new-session rate is taken as the smallest value among the largest portion of the data or as the largest value among the smallest portion of the data, is not limited here.
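
The per-period counting of step 101 and the estimate of step 102, run on the ten sample values above, as an added example that is not part of the patent text. The function names, the event-log layout, the addresses and the rounding used to size the second data set are assumptions; the last check goes beyond the text to show how one burst in the history affects the estimate.

```python
from collections import Counter

IP = "192.0.2.10"  # constructed documentation address for the protected IP device

# The ten 1 s samples used in the description's worked example (sessions/s).
PAGE_RATES = [120, 520, 320, 20, 0, 220, 620, 70, 420, 80]

# Constructed session log: one (timestamp_seconds, ip_device) entry per newly
# created session, spread evenly inside each second so the counts match above.
EVENTS = [(k + j / n, IP) for k, n in enumerate(PAGE_RATES) for j in range(n)]
EVENTS += [(t + 0.5, "192.0.2.20") for t in range(10)]  # another device's sessions


def actual_rates(events, ip, start, periods, period=1.0):
    """Step 101: number of sessions newly created for `ip` in each sampling period."""
    counts = Counter()
    for ts, dev in events:
        k = int((ts - start) // period)
        if dev == ip and 0 <= k < periods:
            counts[k] += 1
    return [counts[k] for k in range(periods)]


def estimated_rate(rates, ratio, part="largest"):
    """Step 102: sort, keep the largest (or smallest) `ratio` share of samples,
    then take the smallest (or largest) value of that share."""
    if not rates or not 0 < ratio <= 1:
        raise ValueError("need at least one sample and 0 < ratio <= 1")
    ordered = sorted(rates, reverse=True)       # first data set, largest first
    n = max(1, round(len(ordered) * ratio))     # size of second data set (rounding assumed)
    if part == "largest":
        return min(ordered[:n])
    if part == "smallest":
        return max(ordered[-n:])
    raise ValueError("part must be 'largest' or 'smallest'")


def temporary_rate(estimate, coefficient):
    """Estimated rate scaled by the preset coefficient, input to threshold selection."""
    return estimate * coefficient


if __name__ == "__main__":
    rates = actual_rates(EVENTS, IP, start=0, periods=10)
    est = estimated_rate(rates, 0.30)
    print("per-second rates:", rates)
    print("estimate from largest 30%:", est)
    print("estimate from smallest 70%:", estimated_rate(rates, 0.70, "smallest"))
    print("temporary rate with coefficient 1.5:", temporary_rate(est, 1.5))
    # One constructed attack burst in the history moves the estimate by a single
    # rank, whereas a plain maximum would jump to the burst value.
    spiky = [9000 if r == 0 else r for r in rates]
    print("with a 9000/s burst:", estimated_rate(spiky, 0.30), "vs max", max(spiky))
```
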
Once the estimated new-session rate of each IP device within the specified time range has been determined, the target rate threshold of each IP device can be calculated; see step 103 for details.
Step 103: According to a preset selection rule and the estimated new-session rate, the network device selects the target rate threshold of the IP device from a preset rate threshold set; where the rate threshold set contains N rate thresholds.
Specifically, the network device first multiplies the estimated new-session rate by a preset coefficient to obtain a temporary new-session rate; it then obtains from the preset rate threshold set the rate threshold whose positive difference from the temporary new-session rate is smallest or whose negative difference is largest, as the target rate threshold of the IP device; where the positive difference is taken with the temporary new-session rate as the minuend, and the negative difference is taken with the temporary new-session rate as the subtrahend.
, wherein it is desired to understand, default rate set is combined into empirical data, e.g., IP device can be divided into i classes,
It is M per rate-valve value corresponding to class IP devicej, then j-th of rate-valve value of any sort can be expressed as Mij, i, j are more than 0
Positive integer.
For example, IP devices can be divided into common IP devices (the first class) and server IP devices (the second class), and a high rate-limit threshold (the first rate threshold of a class) and a low rate-limit threshold (the second rate threshold of a class) can be set for each. For instance, the low rate-limit threshold of common IP devices is 500/s and their high rate-limit threshold is 1000/s, while the low rate-limit threshold of server IP devices is 3000/s and their high rate-limit threshold is 5000/s. The set formed by the rate thresholds of all classes is then the preset rate threshold set {500/s, 1000/s, 3000/s, 5000/s}.
It should be understood that how the IP devices are classified, and how many rate thresholds are set for each class of IP device, are not limited here and only need to be configured as required. The number of rate thresholds set for each class of IP device may also differ.
With this understanding of the preset rate thresholds, the example given below can be followed.
Specifically, continuing with the example in step 102 and the preset rate threshold set above, router A acts as the network device. To calculate the target rate threshold of the IP device, it only needs to multiply the estimated newly-built rate of 420/s calculated in step 102 by the predetermined coefficient. Assuming the predetermined coefficient is 1.5, the interim newly-built rate is 420/s × 1.5 = 630/s.
Then, from the preset rate threshold set {500/s, 1000/s, 3000/s, 5000/s}, the rate threshold with the smallest positive difference from the interim newly-built rate of 630/s, namely 1000/s, is obtained as the target rate threshold of the IP device.
It should be understood that the rate threshold with the smallest positive difference is the one, among the results greater than 0 obtained by subtracting the interim newly-built rate from each rate threshold in the preset rate threshold set, whose difference is smallest. The rate threshold with the largest negative difference is the one, among the results less than 0 obtained by subtracting each rate threshold in the preset rate threshold set from the interim newly-built rate, whose difference is largest. The target rate threshold of an IP device is the highest value that the current actual newly-built rate of the IP device must not exceed, not a rate that the IP device needs to reach.
After the target rate threshold of each IP device has been calculated, the network device can monitor the current actual newly-built rate of each IP device against that device's target rate threshold; see step 104.
Step 104: When the network device determines that the current actual newly-built rate of the IP device exceeds the target rate threshold, it discards the packets that need to be forwarded to the IP device.
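Steps 101 to 104 carried through on the page's numbers, as an added example that is not code from the patent. The function names, the seven sample rates other than 620, 520 and 420, the rounding of the retained share, and the fallback used when the interim rate exceeds every threshold are assumptions.

```python
from collections import Counter

# Values from the page's worked example.
RATE_THRESHOLDS = [500, 1000, 3000, 5000]   # preset rate threshold set, sessions/s
COEFFICIENT = 1.5                           # predetermined coefficient
RATIO_PERCENT = 30                          # predetermined ratio

# Constructed sample: ten per-period rates whose three largest values are the
# page's 620/s, 520/s and 420/s. The other seven values are made up.
SAMPLE_RATES = [310, 420, 280, 620, 150, 520, 390, 200, 330, 260]


def rates_per_period(session_start_times, period_s, t0, t1):
    """Step 101: number of sessions created in each sampling period of [t0, t1)."""
    n_periods = int((t1 - t0) // period_s)
    counts = Counter(int((t - t0) // period_s)
                     for t in session_start_times if t0 <= t < t1)
    return [counts.get(i, 0) for i in range(n_periods)]


def estimate_rate(rates, ratio_percent=RATIO_PERCENT, take="largest"):
    """Step 102: sort the first data set, keep a share of it (the second
    data set) and return the value on the boundary of that share."""
    if not rates:
        raise ValueError("no historical rates for this device")
    ordered = sorted(rates, reverse=True)
    # Rounding is not specified on the page. Assumed: round down, keep >= 1.
    keep = max(1, len(ordered) * ratio_percent // 100)
    if take == "largest":
        return min(ordered[:keep])      # smallest value of the largest share
    if take == "smallest":
        return max(ordered[-keep:])     # largest value of the smallest share
    raise ValueError("take must be 'largest' or 'smallest'")


def select_target_threshold(estimated, thresholds=RATE_THRESHOLDS,
                            coefficient=COEFFICIENT):
    """Step 103: scale the estimate, then pick the threshold with the
    smallest positive difference (threshold - interim > 0)."""
    interim = estimated * coefficient
    above = [t for t in sorted(thresholds) if t - interim > 0]
    # Assumption: the page does not cover an interim rate above every
    # threshold; this sketch falls back to the largest threshold.
    return above[0] if above else max(thresholds)


def should_drop(current_rate, target_threshold):
    """Step 104: drop packets for the device once its current rate of new
    sessions exceeds its target rate threshold."""
    return current_rate > target_threshold


if __name__ == "__main__":
    estimated = estimate_rate(SAMPLE_RATES)            # 420
    target = select_target_threshold(estimated)        # 420 * 1.5 = 630 -> 1000
    for current in (800, 1200):
        print(current, "drop" if should_drop(current, target) else "forward")
```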
To ensure the operating efficiency of the network device, while performing steps 101 to 104 the network device also needs to monitor its own performance parameter in real time. The performance parameter is evaluated by the CPU and/or cache usage of the network device: for example, the performance parameter of the network device is considered normal when CPU utilization is between 30% and 80%, or it is evaluated by the remaining free space of all caches used to temporarily store packets to be forwarded.
When it is determined that the performance parameter of the network device is higher than the first preset alarm parameter, the target rate threshold currently used by the IP device is lowered step by step based on the preset rate threshold set. After each lowering, the performance parameter of the network device is monitored once, until the performance parameter of the network device reaches the first preset value or the currently used target rate threshold has been lowered to the minimum value in the preset rate threshold set.
For example, with router A as the network device, assume that its performance parameter is evaluated by CPU usage and that the first preset alarm parameter is 80%, above which router A can be determined to be overloaded and needs to be brought back to operating within the first preset range of 30% to 80%. The IP devices currently connected to router A are IP device C and IP device F, where the target rate threshold currently used by IP device C is 1000/s and the target rate threshold currently used by IP device F is 5000/s.
Then, when router A detects that its own performance parameter is 90%, it can lower the target rate thresholds currently used by IP device C and IP device F step by step based on the preset rate threshold set {500/s, 1000/s, 3000/s, 5000/s}. That is, in the first lowering, the target rate threshold currently used by IP device C is lowered from 1000/s to 500/s and the target rate threshold currently used by IP device F is lowered from 5000/s to 3000/s. The performance parameter is then monitored once; the result is 85%, which still exceeds the first preset alarm parameter of 80%, so lowering is needed again (a second lowering).
Because the target rate threshold of 500/s currently used by IP device C is already the minimum value in the preset rate threshold set, it does not need to be lowered again, but the target rate threshold currently used by IP device F can continue to be lowered, that is, from 3000/s to 1000/s. The performance parameter is then monitored again; the result is 82%, still above the first preset alarm parameter of 80%, so a further lowering (the third) is needed. If instead the result detected at this point were within the first preset range of 30% to 80%, router A would have returned to its normal operating state and the target rate threshold of 1000/s currently used by IP device F would not need to be lowered again; in that case the target rate threshold currently used by IP device C would be 500/s and that currently used by IP device F would be 1000/s.
The third lowering then lowers the target rate threshold currently used by IP device F from 1000/s to 500/s. The performance parameter is monitored again afterwards; the result is 79%, below the first preset alarm parameter of 80%, which shows that router A has returned to its normal operating state and no further lowering is needed. Of course, if the result monitored at this point were still above the first preset alarm parameter of 80%, the target rate threshold currently used by IP device F would not be lowered again either, because it is already the minimum value in the preset rate threshold set.
Further, after the performance parameter reaches the first preset range, when the whole-device newly-built rate of the network device is lower than the second preset alarm parameter, the target rate threshold currently used by the IP device is raised step by step based on the preset rate threshold set. After each raising, the performance parameter is monitored once, until the whole-device newly-built rate reaches the second preset value or the currently used target rate threshold has been restored to the target rate threshold corresponding to each IP device. The whole-device newly-built rate is the sum of the current actual newly-built rates of all IP devices.
As an example, assume that the second preset alarm parameter is 20000/s. When router A's whole-device newly-built rate is below 20000/s, the newly-built rate of the IP devices on router A can be considered too low, and the target rate thresholds currently used by the IP devices can be raised so that router A's whole-device newly-built rate stays within the second preset range of 20000/s to 100000/s. Take IP device C and IP device F as an example, where the target rate threshold currently used by IP device C is 500/s and that currently used by IP device F is 1000/s, while the target rate threshold of IP device C is 1000/s and the target rate threshold of IP device F is 5000/s.
Then, after router A's performance parameter reaches the first preset range, it monitors its whole-device newly-built rate as 10000/s, below the second preset alarm parameter of 20000/s. At this point the target rate thresholds currently used by IP device C and IP device F can be raised step by step based on the preset rate threshold set {500/s, 1000/s, 3000/s, 5000/s}. That is, in the first raising, the target rate threshold currently used by IP device C is raised from 500/s to 1000/s and the target rate threshold currently used by IP device F is raised from 1000/s to 3000/s. Router A's whole-device newly-built rate is then monitored once; the result is 15000/s, still below the second preset alarm parameter of 20000/s, so raising is needed again (a second raising).
Because the target rate threshold of 1000/s currently used by IP device C has already reached its corresponding target rate threshold of 1000/s, it does not need to be raised again, but the target rate threshold currently used by IP device F can continue to be raised, that is, from 3000/s to 5000/s. Router A's whole-device newly-built rate is then monitored again; the result is 18000/s, still below the second preset alarm parameter of 20000/s, but the target rate threshold currently used by IP device F has reached its corresponding target rate threshold of 5000/s, so it cannot be raised again.
If, after the first raising ends, router A's whole-device newly-built rate is detected to be within the second preset range of 20000/s to 100000/s, and router A's performance parameter is monitored to be still within the first preset range, the target rate threshold currently used by IP device F can continue to be raised until it reaches its corresponding target rate threshold of 5000/s. If router A's performance parameter is monitored to be beyond the upper limit of the first preset range, the target rate threshold currently used by IP device F does not need to be raised again.
It should be noted that the target rate thresholds currently used by IP device C and IP device F can be raised only after the performance parameter of the network device reaches the first preset range, that is, after router A's CPU has returned to its normal level and/or the remaining free space of all caches used to temporarily store packets to be forwarded is sufficient.
That is, while the target rate threshold currently used by an IP device is being raised, raising stops as soon as the performance parameter of the network device is found to exceed the upper limit of the first preset range. Alternatively, if the performance parameter of the network device remains within the first preset range, the current target rate threshold of each IP device is raised up to the limit of that device's own corresponding target rate threshold.
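The step-by-step lowering and raising described above, replayed on router A's numbers, as an added example that is not code from the patent. The function names and the callable "monitor" interface are assumptions; the CPU readings 90/85/82/79 and the whole-device rates 10000/15000/18000 are the page's, while the CPU readings used during raising are constructed.

```python
# Preset rate threshold set from the page, sorted ascending. Every threshold
# a device uses is assumed to be a member of this set.
RATE_THRESHOLDS = [500, 1000, 3000, 5000]


def lower_one(current, thresholds=RATE_THRESHOLDS):
    """Next lower member of the set, or the minimum if already there."""
    i = thresholds.index(current)
    return thresholds[max(i - 1, 0)]


def raise_one(current, own_target, thresholds=RATE_THRESHOLDS):
    """Next higher member of the set, capped at the device's own target."""
    i = thresholds.index(current)
    return min(thresholds[min(i + 1, len(thresholds) - 1)], own_target)


def lower_until_recovered(in_use, read_perf, perf_alarm,
                          thresholds=RATE_THRESHOLDS):
    """Lower every device one step per round while the performance parameter
    is above the first alarm parameter. Stops early once every device sits
    at the minimum of the set. Mutates in_use and returns the round count."""
    rounds = 0
    while read_perf() > perf_alarm:
        lowered = {dev: lower_one(t, thresholds) for dev, t in in_use.items()}
        if lowered == in_use:          # nothing left to lower
            break
        in_use.update(lowered)
        rounds += 1
    return rounds


def raise_until_restored(in_use, own_target, read_total_rate, read_perf,
                         rate_alarm, perf_upper, thresholds=RATE_THRESHOLDS):
    """Raise every device one step per round while the whole-device rate is
    below the second alarm parameter and the performance parameter stays at
    or below the upper limit of the first preset range. Each device is
    capped at its own target rate threshold."""
    rounds = 0
    while read_total_rate() < rate_alarm and read_perf() <= perf_upper:
        raised = {dev: raise_one(t, own_target[dev], thresholds)
                  for dev, t in in_use.items()}
        if raised == in_use:           # every device restored to its target
            break
        in_use.update(raised)
        rounds += 1
    return rounds


def feed(readings):
    """Wrap a list of monitor readings as a callable that returns the next
    one on each call (stands in for a real CPU or rate monitor)."""
    return iter(readings).__next__


if __name__ == "__main__":
    own_target = {"C": 1000, "F": 5000}

    in_use = dict(own_target)
    n = lower_until_recovered(in_use, feed([90, 85, 82, 79]), perf_alarm=80)
    print("lowered", n, "times ->", in_use)     # 3 times, C=500 F=500

    in_use = {"C": 500, "F": 1000}              # starting point of the raise example
    n = raise_until_restored(in_use, own_target,
                             feed([10000, 15000, 18000]),
                             feed([60, 65, 70]),        # constructed CPU readings
                             rate_alarm=20000, perf_upper=80)
    print("raised", n, "times ->", in_use)      # 2 times, C=1000 F=5000
```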
Referring to Fig. 2, based on the same inventive concept, an embodiment of the present invention provides a network device for attack defense, comprising:
an acquisition module 201, configured to obtain, from historical session records, the historical actual newly-built rate of an IP device in each specified sampling period, wherein the historical actual newly-built rate in one sampling period is the number of sessions newly built between the network device and the IP device within that sampling period;
a computing module 202, configured to calculate, based on all the actual newly-built rates obtained, the estimated newly-built rate of the IP device within a specified time range;
a selection module 203, configured to select the target rate threshold of the IP device from a preset rate threshold set according to a preset value rule and the estimated newly-built rate, wherein the rate threshold set contains N rate thresholds;
a determining module 204, configured to discard the packets that need to be forwarded to the IP device when it is determined that the current actual newly-built rate of the IP device exceeds the target rate threshold.
Optionally, the computing module 202 is configured to:
obtain, from all the actual newly-built rates, each actual newly-built rate of the IP device within the specified time range, to obtain a first data set;
sort all the actual newly-built rates in the first data set by value;
select from the first data set, according to a preset first ratio, the portion of actual newly-built rates with the largest or smallest values, to obtain a second data set;
if the portion of actual newly-built rates with the largest values was selected into the second data set, take the actual newly-built rate with the smallest value as the estimated newly-built rate; if the portion of actual newly-built rates with the smallest values was selected into the second data set, take the actual newly-built rate with the largest value as the estimated newly-built rate.
Optionally, the selection module 203 is configured to:
multiply the estimated newly-built rate by a predetermined coefficient to obtain an interim newly-built rate;
obtain, from the preset rate threshold set, the rate threshold whose positive difference with the interim newly-built rate is smallest or whose negative difference is largest, as the target rate threshold of the IP device, wherein the positive difference takes the interim newly-built rate as the minuend and the negative difference takes the interim newly-built rate as the subtrahend.
Optionally, the network device is further configured to:
monitor the performance parameter of the network device in real time;
when it is determined that the performance parameter is higher than the first preset alarm parameter, lower the target rate threshold currently used by the IP device step by step based on the rate threshold set, monitoring the performance parameter once after each lowering, until the performance parameter reaches the first preset range or the currently used target rate threshold has been lowered to the minimum value in the rate threshold set.
Optionally, after the performance parameter reaches the first preset range, the network device is further configured to:
when the whole-device newly-built rate of the network device is lower than the second preset alarm parameter, raise the target rate threshold currently used by the IP device step by step based on the rate threshold set, monitoring the whole-device newly-built rate once after each raising, until the whole-device newly-built rate reaches the second preset range or the currently used target rate threshold has been restored to the target rate threshold corresponding to each IP device, wherein the whole-device newly-built rate is the sum of the current actual newly-built rates of all IP devices.
Based on the same inventive concept, an embodiment of the present invention also provides a computer-readable storage medium:
the computer-readable storage medium stores computer instructions which, when run on a computer, cause the computer to perform the attack defense method described above.
In the embodiments provided by this application, the network device periodically collects the historical actual newly-built rate of an IP device from historical session records and then calculates, from the historical actual newly-built rates, the estimated newly-built rate of the IP device within a specified time range. The network device then selects, according to a preset value rule and the estimated newly-built rate, a target rate threshold suited to the IP device from the preset rate threshold set. When the network device determines that the current actual newly-built rate of the IP device exceeds the target rate threshold, it can judge that the IP device is under network attack and that the packets to be forwarded to the IP device come from the attacker, so the network device should discard the packets that need to be forwarded to the IP device. This achieves the technical effect of improving the attack defense capability of the network device.
Further, the network device can automatically determine the upper limit of the current actual newly-built rate of each IP device (that is, its target rate threshold) from the historical actual newly-built rates of each IP device and the preset rate threshold set. It then automatically adjusts the current target rate threshold of each IP device according to the performance parameter and whole-device newly-built rate of the network device monitored in real time, so that the network device works normally while the current target rate threshold of each IP device remains reasonable. This effectively solves the technical problem, present in existing gateway devices, that the target rate threshold of each IP device is difficult to set: the network device can adaptively calculate target rate thresholds for different IP devices, which greatly reduces the difficulty of setting the target rate threshold of each IP device and improves the ease of use and applicability of attack defense on the network device side.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, embodiments of the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
Embodiments of the present invention are described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include these changes and modifications.
Claims (11)
- 1. An attack defense method, applied to a network device, characterized by comprising:
  the network device obtains, from historical session records, the historical actual newly-built rate of an IP device in each specified sampling period, wherein the historical actual newly-built rate in one sampling period is the number of sessions newly built between the network device and the IP device within that sampling period;
  the network device calculates, based on all the actual newly-built rates obtained, the estimated newly-built rate of the IP device within a specified time range;
  the network device selects the target rate threshold of the IP device from a preset rate threshold set according to a preset value rule and the estimated newly-built rate, wherein the rate threshold set contains N rate thresholds;
  when the network device determines that the current actual newly-built rate of the IP device exceeds the target rate threshold, it discards the packets that need to be forwarded to the IP device.
- 2. The method of claim 1, characterized in that the network device calculating, based on all the actual newly-built rates obtained, the estimated newly-built rate of the IP device within a specified time range comprises:
  the network device obtains, from all the actual newly-built rates, each actual newly-built rate of the IP device within the specified time range, to obtain a first data set;
  all the actual newly-built rates in the first data set are sorted by value;
  the portion of actual newly-built rates with the largest or smallest values is selected from the first data set according to a preset first ratio, to obtain a second data set;
  if the portion of actual newly-built rates with the largest values was selected into the second data set, the actual newly-built rate with the smallest value is taken as the estimated newly-built rate; if the portion of actual newly-built rates with the smallest values was selected into the second data set, the actual newly-built rate with the largest value is taken as the estimated newly-built rate.
- 3. The method of claim 2, characterized in that the network device selecting the target rate threshold of the IP device from a preset rate threshold set according to a preset value rule and the estimated newly-built rate comprises:
  the estimated newly-built rate is multiplied by a predetermined coefficient to obtain an interim newly-built rate;
  the rate threshold whose positive difference with the interim newly-built rate is smallest or whose negative difference is largest is obtained from the preset rate threshold set as the target rate threshold of the IP device, wherein the positive difference takes the interim newly-built rate as the minuend and the negative difference takes the interim newly-built rate as the subtrahend.
- 4. The method of any one of claims 1-3, characterized in that the method further comprises:
  the performance parameter of the network device is monitored in real time;
  when it is determined that the performance parameter is higher than the first preset alarm parameter, the target rate threshold currently used by the IP device is lowered step by step based on the rate threshold set, and the performance parameter is monitored once after each lowering, until the performance parameter reaches the first preset range or the currently used target rate threshold has been lowered to the minimum value in the rate threshold set.
- 5. The method of claim 4, characterized in that, after the performance parameter reaches the first preset range, the method further comprises:
  when the whole-device newly-built rate of the network device is lower than the second preset alarm parameter, the target rate threshold currently used by the IP device is raised step by step based on the rate threshold set, and the whole-device newly-built rate is monitored once after each raising, until the whole-device newly-built rate reaches the second preset range or the currently used target rate threshold has been restored to the target rate threshold corresponding to each IP device, wherein the whole-device newly-built rate is the sum of the current actual newly-built rates of all IP devices.
- 6. A network device, characterized by comprising:
  an acquisition module, configured to obtain, from historical session records, the historical actual newly-built rate of an IP device in each specified sampling period, wherein the historical actual newly-built rate in one sampling period is the number of sessions newly built between the network device and the IP device within that sampling period;
  a computing module, configured to calculate, based on all the actual newly-built rates obtained, the estimated newly-built rate of the IP device within a specified time range;
  a selection module, configured to select the target rate threshold of the IP device from a preset rate threshold set according to a preset value rule and the estimated newly-built rate, wherein the rate threshold set contains N rate thresholds;
  a determining module, configured to discard the packets that need to be forwarded to the IP device when it is determined that the current actual newly-built rate of the IP device exceeds the target rate threshold.
- 7. The network device of claim 6, characterized in that the computing module is configured to:
  obtain, from all the actual newly-built rates, each actual newly-built rate of the IP device within the specified time range, to obtain a first data set;
  sort all the actual newly-built rates in the first data set by value;
  select from the first data set, according to a preset first ratio, the portion of actual newly-built rates with the largest or smallest values, to obtain a second data set;
  if the portion of actual newly-built rates with the largest values was selected into the second data set, take the actual newly-built rate with the smallest value as the estimated newly-built rate; if the portion of actual newly-built rates with the smallest values was selected into the second data set, take the actual newly-built rate with the largest value as the estimated newly-built rate.
- 8. The network device of claim 7, characterized in that the selection module is configured to:
  multiply the estimated newly-built rate by a predetermined coefficient to obtain an interim newly-built rate;
  obtain, from the preset rate threshold set, the rate threshold whose positive difference with the interim newly-built rate is smallest or whose negative difference is largest, as the target rate threshold of the IP device, wherein the positive difference takes the interim newly-built rate as the minuend and the negative difference takes the interim newly-built rate as the subtrahend.
- 9. The network device of any one of claims 6-7, characterized in that the network device is further configured to:
  monitor the performance parameter of the network device in real time;
  when it is determined that the performance parameter is higher than the first preset alarm parameter, lower the target rate threshold currently used by the IP device step by step based on the rate threshold set, monitoring the performance parameter once after each lowering, until the performance parameter reaches the first preset range or the currently used target rate threshold has been lowered to the minimum value in the rate threshold set.
- 10. The network device of claim 9, characterized in that, after the performance parameter reaches the first preset range, the network device is further configured to:
  when the whole-device newly-built rate of the network device is lower than the second preset alarm parameter, raise the target rate threshold currently used by the IP device step by step based on the rate threshold set, monitoring the whole-device newly-built rate once after each raising, until the whole-device newly-built rate reaches the second preset range or the currently used target rate threshold has been restored to the target rate threshold corresponding to each IP device, wherein the whole-device newly-built rate is the sum of the current actual newly-built rates of all IP devices.
- 11. A computer-readable storage medium, characterized in that:
  the computer-readable storage medium stores computer instructions which, when run on a computer, cause the computer to perform the method of any one of claims 1-5.
Priority Applications (1)
Application Number | Publication | Priority Date | Filing Date | Title |
---|---|---|---|---|
CN201711230451.4A | CN107888610B (en) | 2017-11-29 | 2017-11-29 | Attack defense method, network equipment and computer storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107888610A (en) | 2018-04-06 |
CN107888610B (en) | 2020-05-22 |
Family
ID=61776209
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711230451.4A Active CN107888610B (en) | 2017-11-29 | 2017-11-29 | Attack defense method, network equipment and computer storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107888610B (en) |
- 2017-11-29: CN application CN201711230451.4A, patent CN107888610B, status Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110138463A1 (en) * | 2009-12-07 | 2011-06-09 | Electronics And Telecommunications Research Institute | Method and system for ddos traffic detection and traffic mitigation using flow statistics |
CN102882895A (en) * | 2012-10-31 | 2013-01-16 | 杭州迪普科技有限公司 | Method and device for identifying message attack |
CN105246103A (en) * | 2015-09-23 | 2016-01-13 | 广东工业大学 | Load balancing access method for wireless local area network |
CN106411947A (en) * | 2016-11-24 | 2017-02-15 | 广州华多网络科技有限公司 | Real-time threshold adaptive flow early warning method and device thereof |
CN106685846A (en) * | 2016-12-29 | 2017-05-17 | 北京华为数字技术有限公司 | Method and device for controlling traffic |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112532620A (en) * | 2020-11-26 | 2021-03-19 | 杭州迪普信息技术有限公司 | Session table control method and device |
CN116032852A (en) * | 2023-03-28 | 2023-04-28 | 新华三工业互联网有限公司 | Flow control method, device, system, equipment and storage medium based on session |
CN116032852B (en) * | 2023-03-28 | 2023-06-02 | 新华三工业互联网有限公司 | Flow control method, device, system, equipment and storage medium based on session |
Also Published As
Publication number | Publication date |
---|---|
CN107888610B (en) | 2020-05-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Shafiq et al. | Data mining and machine learning methods for sustainable smart cities traffic classification: A survey | |
Cui et al. | SD-Anti-DDoS: Fast and efficient DDoS defense in software-defined networks | |
CN103929334B (en) | Network Abnormal Notification Method and device | |
US6930978B2 (en) | System and method for traffic management control in a data transmission network | |
CN106921666A (en) | A kind of ddos attack system of defense and method based on Synergy | |
CN110266556A (en) | The method and system of service exception in dynamic detection network | |
CN104468161B (en) | A kind of collocation method of firewall rule sets under discrimination, device and fire wall | |
EP2824878A1 (en) | Controller, communication system, switch control method and program | |
CN105991637B (en) | The means of defence and device of network attack | |
Shen et al. | Adaptive Markov game theoretic data fusion approach for cyber network defense | |
CN105812340B (en) | A kind of method and apparatus of virtual network access outer net | |
CN106326068A (en) | Resource index monitoring method and device | |
CN104394083B (en) | Method, the method and its device and system of message forwarding of forwarding-table item processing | |
CN107547567A (en) | A kind of anti-attack method and device | |
CN106713182A (en) | Method and device for processing flow table | |
CN107888610A (en) | A kind of method of attack defending, the network equipment and computer-readable storage medium | |
US9628503B2 (en) | Systems and methods for network destination based flood attack mitigation | |
CN105379206A (en) | In-network message processing method, in-network message forwarding equipment and in-network message processing system | |
CN105939284A (en) | Message control strategy matching method and device | |
CN104869064B (en) | A kind of flow table update method and device | |
US20230224382A1 (en) | Metadata prioritization | |
CN107622359A (en) | A kind of operating personnel operate horizontal appraisal procedure and device | |
KR20120008478A (en) | 10 gbps scalable flow generation and control, using dynamic classification with 3-level aggregation | |
CN107454052A (en) | Network attack detecting method and attack detecting device | |
Limmer et al. | Adaptive load balancing for parallel IDS on multi-core systems using prioritized flows |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||