CN108270600A - Method for processing malicious attack traffic and associated servers - Google Patents
- Publication number: CN108270600A
- Application number: CN201611260598.3A
- Authority: CN (China)
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/1425: Traffic logging, e.g. anomaly detection
- H04L12/287: Remote access server, e.g. BRAS
- H04L41/0631: Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
- H04L41/069: Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
- H04L63/1441: Countermeasures against malicious traffic
- H04L63/30: Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
Abstract
The invention discloses a method for processing malicious attack traffic, comprising: obtaining log information, the log information including traffic cleaning log information from a traffic cleaning device and ticket log information from a Remote Authentication Dial In User Service (RADIUS) server; matching a first record message in the traffic cleaning log information against a second record message in the ticket log information to determine abnormal user information; and sending control information containing the abnormal user information to the RADIUS server, so that the RADIUS server limits the uplink transmission data of the abnormal user corresponding to the abnormal user information. The invention also discloses a traffic analysis server and a RADIUS server.
Description
Technical field
The present invention relates to the field of broadband services, and in particular to a method for processing malicious attack traffic, a traffic analysis server, and a Remote Authentication Dial In User Service (RADIUS) server.
Background
Broadband service is the high-speed Internet access service that basic telecommunications operators provide to users; users connect to the Internet at high speed over Asymmetric Digital Subscriber Line (ADSL) or optical fiber. With the implementation of the "Broadband China" strategy, household broadband access capacity in urban and rural areas is progressively reaching 20 Mbps and 4 Mbps respectively, and some developed cities have reached 100 Mbps. The rising broadband access standard and the growing number of Internet users create a favorable environment for hackers to launch distributed denial of service (DDoS) attacks: by controlling the same number of home broadband zombie hosts as before, a hacker can now generate more malicious attack traffic. Large-volume malicious attack traffic congests network bandwidth, consumes the processing capacity of network equipment and lowers the overall utilization of network bandwidth, thereby threatening multiple services. For example, in 2015, inter-network DDoS malicious attack traffic on the China Mobile Internet (CMNET, China Mobile Network) showed a trend of breaking out across the board, directly causing packet loss of more than 40% on individual circuits during the evening busy hours, which affected all kinds of services and led to customer complaints.
To handle such large-scale DDoS malicious traffic attacks in backbone and metropolitan area networks, basic telecommunications operators currently use one of two approaches. The first is manual: after a DDoS malicious traffic attack occurs, staff first observe the traffic surge through the network management system, manually extract the raw traffic logs from the various systems, manually analyze the source of the DDoS malicious traffic, and then manually modify the routing policies on the network devices so as to block the IP addresses of the attack sources. The second is to deploy a traffic cleaning system in the operator's own backbone and metropolitan area networks, which cleans traffic through the steps of traffic detection, traffic diversion, traffic cleaning and traffic reinjection.
In addition, common traffic cleaning systems have two existing deployment modes. One is end-side cleaning, in which dedicated traffic cleaning equipment is deployed close to the protected target to defend it. The other is source-side cleaning, in which traffic is cleaned in a distributed manner at multiple backbone network nodes close to the attack sources, before the malicious attack traffic converges.
The manual handling of DDoS malicious attack traffic described above requires the operator's maintenance staff, once a traffic attack has occurred, to quickly work out the source of the DDoS malicious attack traffic by hand from the logs of the various systems and then block the IP addresses of the attack sources. This demands considerable experience in handling security incidents and in maintaining equipment. The approach therefore places high skill requirements on maintenance staff, its response speed is limited by their experience, and it cannot handle attack sources whose IP addresses are dynamic.
When traffic cleaning equipment is deployed using the end-side cleaning method, the deployment is a single-point defence: it provides cleaning protection only for the local system or equipment being protected, and its defensive capacity is very limited. It cannot protect against large-scale and ultra-large-scale DDoS attacks, and it cannot suppress DDoS malicious attack traffic at the source, so a large-scale traffic attack easily congests or paralyzes the network where the protected target is located. When traffic cleaning equipment is deployed using the source-side cleaning method, cleaning is performed mainly at backbone network nodes, so mutual attacks within internal networks, such as among broadband users in a metropolitan area network or within an Internet data center (IDC), are difficult to defend against. Moreover, because the cleaning system is deployed at a high level of the network, it is difficult to deploy fine-grained protection policies, so this method cannot suppress DDoS malicious attack traffic at the source either.
It can be seen that, to overcome the inability of existing traffic cleaning approaches to effectively suppress DDoS malicious attack traffic at the source, a solution for processing malicious attack traffic is urgently needed.
Summary of the invention
To solve the existing problems, embodiments of the present invention aim to provide a method for processing malicious attack traffic, a traffic analysis server and a RADIUS server that can effectively suppress DDoS malicious attack traffic at the source.
To achieve the above objective, the technical solution of the present invention is realized as follows:
An embodiment of the present invention provides a method for processing malicious attack traffic, the method comprising:
obtaining log information, the log information including traffic cleaning log information from a traffic cleaning device and ticket log information from a RADIUS server;
matching a first record message in the traffic cleaning log information against a second record message in the ticket log information to determine abnormal user information;
sending control information containing the abnormal user information to the RADIUS server, so that the RADIUS server limits the uplink transmission data of the abnormal user corresponding to the abnormal user information.
In the above solution, the first record message includes an Internet Protocol (IP) address range, an anomaly start time and an alarm level, and the second record message includes a user IP address and the start time of the current charging session;
matching the first record message in the traffic cleaning log information against the second record message in the ticket log information to determine abnormal user information comprises:
extracting, from the first record messages, the pending record messages whose recorded alarm level reaches a preset level;
comparing the anomaly start time in a pending record message with the start time of the current charging session in a record message to be compared among the second record messages, to determine the user IP address corresponding to the pending record message, where a record message to be compared is a second record message whose user IP address is associated with the IP address range of the pending record message;
searching the second record messages according to the user IP address corresponding to the pending record message, and determining the abnormal user information.
In the above solution, the control information further includes an uplink restriction policy;
after matching the first record message in the traffic cleaning log information against the second record message in the ticket log information and determining the abnormal user information, the method further comprises:
generating the uplink restriction policy corresponding to the abnormal user according to the anomaly type and anomaly duration in the pending record message that corresponds to the user IP address of the abnormal user identified by the abnormal user information.
In the above solution, the log information further includes translation log information from a network address translation device;
before matching the first record message in the traffic cleaning log information against the second record message in the ticket log information and determining the abnormal user information, the method further comprises:
converting the user IP address in the second record message according to the translation log information, so that the user IP address in the second record message falls within the IP address range in the first record message.
An embodiment of the present invention further provides a method for processing malicious attack traffic, the method comprising:
receiving control information containing abnormal user information;
when the abnormal user corresponding to the abnormal user information is online, sending a traffic control message to a broadband remote access server (BRAS) according to the control information, so as to limit the uplink transmission data of the abnormal user.
In the above solution, the control information further includes an uplink restriction policy;
before sending the traffic control message to the BRAS according to the control information, the method further comprises:
judging whether the uplink restriction policy satisfies a preset condition, the preset condition being that the policy does not conflict with, and is compatible with, the historical traffic control policies issued by the RADIUS server;
when the preset condition is satisfied and the abnormal user is online, sending the traffic control message to the BRAS according to the control information.
An embodiment of the present invention further provides a traffic analysis server, the traffic analysis server comprising an obtaining component, a matching component and a sending component, wherein:
the obtaining component is configured to obtain log information, the log information including traffic cleaning log information from a traffic cleaning device and ticket log information from a RADIUS server;
the matching component is configured to match a first record message in the traffic cleaning log information against a second record message in the ticket log information to determine abnormal user information;
the sending component is configured to send control information containing the abnormal user information to the RADIUS server, so that the RADIUS server limits the uplink transmission data of the abnormal user corresponding to the abnormal user information.
In the above solution, the first record message includes an Internet Protocol (IP) address range, an anomaly start time and an alarm level, and the second record message includes a user IP address and the start time of the current charging session;
the matching component comprises an extraction subcomponent, a comparison subcomponent and a lookup subcomponent, wherein:
the extraction subcomponent is configured to extract, from the first record messages, the pending record messages whose recorded alarm level reaches a preset level;
the comparison subcomponent is configured to compare the anomaly start time in a pending record message with the start time of the current charging session in a record message to be compared among the second record messages, to determine the user IP address corresponding to the pending record message, where a record message to be compared is a second record message whose user IP address is associated with the IP address range of the pending record message;
the lookup subcomponent is configured to search the second record messages according to the user IP address corresponding to the pending record message and determine the abnormal user information.
In the above solution, the control information further includes an uplink restriction policy;
the traffic analysis server further comprises:
a generating component, configured to generate the uplink restriction policy corresponding to the abnormal user according to the anomaly type and anomaly duration in the pending record message that corresponds to the user IP address of the abnormal user identified by the abnormal user information.
In the above solution, the log information further includes translation log information from a network address translation device;
the traffic analysis server further comprises:
a conversion component, configured to convert the user IP address in the second record message according to the translation log information, so that the user IP address in the second record message falls within the IP address range in the first record message.
An embodiment of the present invention further provides a RADIUS server, the RADIUS server comprising a receiving component and a rate-limiting component, wherein:
the receiving component is configured to receive control information containing abnormal user information;
the rate-limiting component is configured to, when the abnormal user corresponding to the abnormal user information is online, send a traffic control message to a broadband remote access server (BRAS) according to the control information, so as to limit the uplink transmission data of the abnormal user.
In the above solution, the control information further includes an uplink restriction policy;
the RADIUS server further comprises:
a judging component, configured to judge whether the uplink restriction policy satisfies a preset condition, the preset condition being that the policy does not conflict with, and is compatible with, the historical traffic control policies issued by the RADIUS server, and to trigger the rate-limiting component when the uplink restriction policy satisfies the preset condition.
In the method for processing malicious attack traffic, the traffic analysis server and the RADIUS server provided by the embodiments of the present invention, the traffic analysis server first obtains log information, the log information including traffic cleaning log information from a traffic cleaning device and ticket log information from the RADIUS server; it matches a first record message in the traffic cleaning log information against a second record message in the ticket log information to determine abnormal user information; and it sends control information containing the abnormal user information to the RADIUS server, so that the RADIUS server limits the uplink transmission data of the abnormal user corresponding to the abnormal user information. Correspondingly, the RADIUS server receives the control information sent by the traffic analysis server and, when the abnormal user is online, sends a traffic control message to the broadband remote access server (BRAS, Broadband Remote Access Server) according to the control information, limiting the uplink transmission data of the abnormal user.
It can be seen that, on the one hand, in the embodiments of the present invention the traffic analysis server obtains the traffic cleaning log information of the traffic cleaning device and the ticket log information of the RADIUS server, matches the two to determine the abnormal user information and the corresponding abnormal user, and sends control information containing the abnormal user information to the RADIUS server. On the other hand, the RADIUS server sends a traffic control message to the BRAS according to the control information and limits the uplink transmission data of the abnormal user. DDoS malicious attack traffic is thereby effectively suppressed at the source and the normal operation of broadband services is ensured; in addition, the method is simple to operate and has a low maintenance cost.
Brief description of the drawings
Fig. 1 is a flow diagram of embodiment one of the method of the present invention for processing malicious attack traffic;
Fig. 2 is a structural diagram of the traffic cleaning network system;
Fig. 3 is a detailed flow diagram of determining the abnormal user information in the flow shown in Fig. 2;
Fig. 4 is a structural diagram of embodiment one of the traffic analysis server of the present invention;
Fig. 5 is a detailed structural diagram of the matching component in the traffic analysis server shown in Fig. 4;
Fig. 6 is a flow diagram of embodiment two of the method of the present invention for processing malicious attack traffic;
Fig. 7 is a structural diagram of embodiment one of the RADIUS server of the present invention.
Detailed description
The method for processing malicious attack traffic provided by the embodiments of the present invention is applied in a traffic cleaning network system. On the one hand, the traffic analysis server obtains the traffic cleaning log information of the traffic cleaning device and the ticket log information of the RADIUS server, matches the two to determine the abnormal user information and the corresponding abnormal user, and sends control information containing the abnormal user information to the RADIUS server. On the other hand, the RADIUS server sends a traffic control message to the BRAS according to the control information and limits the uplink transmission data of the abnormal user, so that DDoS malicious attack traffic is effectively suppressed at the source.
The realization of the objective, the functions and the advantages of the present invention are further described below with reference to the embodiments and the accompanying drawings. It should be understood that the specific embodiments described here merely illustrate the present invention and are not intended to limit it.
Fig. 1 is a flow diagram of embodiment one of the method of the present invention for processing malicious attack traffic. Referring to Fig. 1, the method for processing malicious attack traffic of this embodiment includes the following steps:
Step 101: obtain log information, the log information including traffic cleaning log information from the traffic cleaning device and ticket log information from the RADIUS server;
The method for processing malicious attack traffic in this embodiment is mainly applied in the traffic analysis server of the traffic cleaning network system, to analyze and determine the abnormal user information associated with malicious attack traffic.
Fig. 2 is a structural diagram of the traffic cleaning network system. Referring to Fig. 2, the traffic cleaning network system includes: a traffic cleaning system, a traffic analysis server, a RADIUS server and a BRAS.
The traffic analysis server is part of the DDoS traffic analysis and handling platform. It may obtain log information periodically or aperiodically; the trigger for aperiodic acquisition may be the receipt of alarm information sent by the traffic detection device. Specifically, when the traffic detection device sends alarm information to the traffic cleaning device, it also sends the alarm information to the traffic analysis server, which triggers the traffic analysis server to obtain the log information and, by analyzing it, determine the abnormal user information associated with the malicious attack traffic.
The log information includes the traffic cleaning log information of the traffic cleaning device and the ticket log information of the RADIUS server. In the traffic cleaning system, detection must first be configured to monitor and protect the IP address ranges of broadband users. The traffic detection device then inspects service traffic in real time; when malicious attack traffic reaches or exceeds the configured security baseline, the traffic detection device sends alarm information to the traffic cleaning device. Finally, the traffic cleaning device starts cleaning and filtering the traffic and generates traffic cleaning log information. The traffic cleaning log information may contain multiple first record messages, each of which includes an IP address range, an anomaly start time, an anomaly type, an anomaly duration and an alarm level. Correspondingly, on the RADIUS server, when a broadband user performs dial-up authentication with the RADIUS server to go online, the RADIUS server records the user IP address and related information about the session and generates ticket log information. The ticket log information may contain multiple second record messages, each of which includes a user name, a user IP address, the start time of the current charging session and a BRAS device address.
The way in which the traffic analysis server obtains the log information can be configured according to actual needs. In this embodiment, the traffic analysis server may collect the traffic cleaning log information and the ticket log information separately, aperiodically and in near real time, using syslog.
Step 102: match the first record message in the traffic cleaning log information against the second record message in the ticket log information, and determine the abnormal user information;
In this step, the fields of the first record message are matched against the fields of the second record message to generate the abnormal user information. The fields of the first record message that take part in the matching are the IP address range, the alarm level and the anomaly start time; the fields of the second record message that take part in the matching are the user IP address and the start time of the current charging session. The abnormal user information includes the user name and the BRAS device address.
Further, when broadband users are assigned private IP addresses, the user IP address in the ticket log information is a private IP address, whereas the IP address range in the traffic cleaning log information consists of public IP addresses. Because the two kinds of address do not correspond, matching the traffic cleaning log against the ticket log information would fail. Therefore, when broadband users are assigned private IP addresses, before the first record message and the second record message are matched, the traffic analysis server also collects, in near real time using syslog, the translation log information of the network address translation (NAT, Network Address Translation) device. According to the translation log information, the user IP address in the second record message is converted into a public IP address, so that the user IP address falls within the IP address range in the first record message and the first record message and the second record message can then be matched.
Specifically, Fig. 3 is a detailed flow diagram of determining the abnormal user information in the flow shown in Fig. 2. Referring to Fig. 3, step 102 specifically includes the following steps:
Step 1021: extract, from the first record messages, the pending record messages whose recorded alarm level reaches a preset level;
In this step, multiple alarm levels can be defined according to the volume of malicious attack traffic, for example three alarm levels: high, medium and low. In this embodiment, only first record messages whose alarm level is high are processed; that is, the first record messages whose alarm level is high are extracted as the pending record messages.
Step 1022: compare the anomaly start time in a pending record message with the start time of the current charging session in a record message to be compared among the second record messages, and determine the user IP address corresponding to the pending record message, where a record message to be compared is a second record message whose user IP address is associated with the IP address range of the pending record message;
Step 1023: according to the user IP address corresponding to the pending record message, search the second record messages and determine the abnormal user information.
In this embodiment, an IP address range corresponds to multiple user IP addresses, and different IP address ranges correspond to different user IP addresses. The association between pending record messages and second record messages can be established from the IP address range and the user IP address, which determines the record messages to be compared. From the relationship between the anomaly start time in a pending record message and the start time of the current charging session in the record messages to be compared, the record message to be compared that corresponds to each pending record message can be determined. The abnormal user information is then obtained from the user name and BRAS device address recorded in that record message to be compared.
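The matching of steps 1021 to 1023, together with the NAT conversion described before them, can be sketched as follows. This is an added example, not code from the patent: the class and field names, the CIDR notation for the IP address range, the one-to-one NAT map and all sample records are constructed, and selecting the most recent charging session that began before the anomaly is an assumption made here to cope with reassigned addresses.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class CleaningRecord:
    """First record message (traffic cleaning log); field names are assumed."""
    ip_range: str             # protected IP address range, CIDR notation assumed
    anomaly_start: datetime
    anomaly_type: str
    duration_s: int
    alarm_level: str          # "high", "medium" or "low"


@dataclass(frozen=True)
class TicketRecord:
    """Second record message (RADIUS ticket log); field names are assumed."""
    user_name: str
    user_ip: str
    charging_start: datetime  # start time of the current charging session
    bras_address: str


@dataclass(frozen=True)
class AbnormalUser:
    user_name: str
    bras_address: str
    anomaly_type: str         # kept so a restriction policy can be derived later
    duration_s: int


def find_abnormal_users(cleaning, tickets, nat_map=None, level="high"):
    """Return the AbnormalUser entries for one alarm level, sorted by user name."""
    nat_map = nat_map or {}
    found = {}
    # Step 1021: keep only records at the preset level (the embodiment uses "high").
    for alert in (c for c in cleaning if c.alarm_level == level):
        net = ip_network(alert.ip_range)
        latest = {}  # assigned user IP -> latest session begun before the anomaly
        for t in tickets:
            # NAT conversion: compare on the public address when one is logged.
            public_ip = ip_address(nat_map.get(t.user_ip, t.user_ip))
            if public_ip not in net:
                continue  # not associated with this IP address range
            # Step 1022: the anomaly must start after the charging session began.
            if t.charging_start >= alert.anomaly_start:
                continue
            best = latest.get(t.user_ip)
            if best is None or t.charging_start > best.charging_start:
                latest[t.user_ip] = t
        # Step 1023: read user name and BRAS address from the matched records.
        for t in latest.values():
            found[(t.user_name, t.bras_address)] = AbnormalUser(
                t.user_name, t.bras_address, alert.anomaly_type, alert.duration_s)
    return sorted(found.values(), key=lambda u: u.user_name)


def at(hour, minute):
    """Timestamp on the constructed sample day."""
    return datetime(2016, 12, 30, hour, minute)


# Constructed sample data (documentation address ranges, invented users).
CLEANING_LOG = [
    CleaningRecord("203.0.113.0/28", at(20, 15), "UDP flood", 600, "high"),
    CleaningRecord("198.51.100.0/24", at(20, 30), "SYN flood", 120, "medium"),
]
TICKET_LOG = [
    TicketRecord("bob", "203.0.113.5", at(9, 0), "192.0.2.1"),      # earlier holder
    TicketRecord("alice", "203.0.113.5", at(18, 0), "192.0.2.1"),   # holder at 20:15
    TicketRecord("carol", "203.0.113.9", at(20, 40), "192.0.2.1"),  # dialed in later
    TicketRecord("dave", "10.0.0.7", at(19, 0), "192.0.2.2"),       # private address
    TicketRecord("erin", "198.51.100.20", at(19, 0), "192.0.2.2"),  # medium alarm only
]
NAT_LOG = {"10.0.0.7": "203.0.113.12"}  # private -> public, from the NAT device

if __name__ == "__main__":
    for user in find_abnormal_users(CLEANING_LOG, TICKET_LOG, NAT_LOG):
        print(user)
```

Because the ticket log described here carries no session end time, a stale record for a reassigned address (bob in the sample) is excluded only by preferring the latest session that began before the anomaly.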
Step 103: send the control information containing the abnormal user information to the RADIUS server, so that the RADIUS server limits the uplink transmission data of the abnormal user corresponding to the abnormal user information.
In this step, the control information may contain only the abnormal user information, or it may contain both the abnormal user information and the uplink restriction policy of the abnormal user corresponding to the abnormal user information; this is described in detail below. Specifically, the abnormal users corresponding to the abnormal user information form a blacklist, and the RADIUS server limits the uplink transmission data of abnormal users according to the blacklist. When the control information contains only the abnormal user information, the RADIUS server limits the uplink transmission data of the abnormal users in the blacklist according to a preset uplink restriction policy. When the control information contains both the abnormal user information and the uplink restriction policy of the corresponding abnormal user, the RADIUS server limits the uplink transmission data of the abnormal user according to the uplink restriction policy in the control information.
Further, the traffic analysis server may set a corresponding uplink restriction policy separately for each abnormal user in the blacklist, or it may apply the same uplink restriction policy to all abnormal users in the blacklist. This embodiment is described in detail for the case where a corresponding uplink restriction policy is set separately for each abnormal user in the blacklist. Specifically, the uplink restriction policy corresponding to the abnormal user is generated according to the anomaly type and anomaly duration recorded in the pending record message that corresponds to the user IP address of the abnormal user identified by the abnormal user information.
Specifically, when a public IP address is allocated to the broadband user, the traffic analysis server uses syslog in quasi-real-time mode to collect the traffic cleaning log information of the traffic cleaning device and the ticket log information of the RADIUS server respectively; when a private (intranet) IP address is allocated to the broadband user, the traffic analysis server uses syslog in quasi-real-time mode to collect the traffic cleaning log information of the traffic cleaning device, the ticket log information of the RADIUS server and the conversion log information of the NAT device respectively;
When a private IP address is allocated to the broadband user, convert the IP address in the second record message according to the conversion log information, turning the IP address in the second record message into a public IP address so that the IP address falls within the IP address segment in the first record message;
Extract the pending record messages, that is, the first record messages whose recorded alarm level is high;
Establish the association between the pending record messages and the second record messages according to the IP address segment and the IP address, and determine the record messages to be compared;
When the anomaly start time in a pending record message is later than the current charging start time in a record message to be compared, determine the record message to be compared that corresponds to each pending record message;
Obtain the abnormal user information and the corresponding abnormal user according to the user name and BRAS device address recorded in the record message to be compared;
Generate the uplink transmission restriction policy corresponding to the abnormal user according to the anomaly type and anomaly duration recorded in the pending record message that corresponds to the abnormal user's IP address;
Send the control information that includes the abnormal user information to the RADIUS server, so that the RADIUS server limits the uplink transmission data of the abnormal user corresponding to the abnormal user information.
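The matching procedure above, worked through in Python as an added example (not code from the patent). The record layouts, the one-to-one NAT mapping, the rate table in `RATES_BY_TYPE` and the tie-breaking rules marked as assumptions are constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class CleaningRecord:
    """First record message: one entry of the traffic cleaning log."""
    ip_segment: str
    anomaly_start: datetime
    alarm_level: str
    anomaly_type: str
    duration_s: int


@dataclass(frozen=True)
class TicketRecord:
    """Second record message: one entry of the RADIUS ticket log."""
    user_ip: str
    user_name: str
    bras_address: str
    charging_start: datetime


# Constructed policy table in kbit/s (peak, average); the page gives no values.
RATES_BY_TYPE = {"syn_flood": (512, 256), "udp_flood": (1024, 512)}
DEFAULT_RATES = (2048, 1024)
LONG_ANOMALY_S = 600  # assumed threshold: halve both rates for long anomalies


def make_policy(rec):
    """Derive an uplink restriction policy from anomaly type and duration."""
    peak, avg = RATES_BY_TYPE.get(rec.anomaly_type, DEFAULT_RATES)
    if rec.duration_s >= LONG_ANOMALY_S:
        peak, avg = peak // 2, avg // 2
    return {"Input_Peak_Rate": peak, "Input_Average_Rate": avg}


def to_public(tickets, nat_log):
    """Rewrite private user IPs to public ones using the NAT conversion log."""
    return [replace(t, user_ip=nat_log.get(t.user_ip, t.user_ip)) for t in tickets]


def find_abnormal_users(cleaning_log, ticket_log, nat_log=None, level="high"):
    """Return {(user_name, bras_address): policy} for the control information."""
    tickets = to_public(ticket_log, nat_log) if nat_log else list(ticket_log)
    control = {}
    for rec in cleaning_log:
        if rec.alarm_level != level:          # keep only pending records
            continue
        segment = ip_network(rec.ip_segment)
        current = {}                          # user IP -> session open at anomaly start
        for t in tickets:
            if ip_address(t.user_ip) not in segment:
                continue                      # not associated with this segment
            if not rec.anomaly_start > t.charging_start:
                continue                      # session began after the anomaly
            held = current.get(t.user_ip)
            if held is None or t.charging_start > held.charging_start:
                current[t.user_ip] = t        # assumption: latest earlier session wins
        policy = make_policy(rec)
        for t in current.values():
            key = (t.user_name, t.bras_address)
            old = control.get(key)
            # Assumption: if several records flag one user, keep the stricter policy.
            if old is None or policy["Input_Peak_Rate"] < old["Input_Peak_Rate"]:
                control[key] = dict(policy)
    return control


def at(hour, minute):
    """Timestamp on the constructed sample day."""
    return datetime(2016, 12, 30, hour, minute)


# Constructed sample logs (documentation address ranges, invented subscribers).
CLEANING_LOG = [
    CleaningRecord("203.0.113.0/28", at(10, 15), "high", "syn_flood", 900),
    CleaningRecord("198.51.100.0/24", at(10, 20), "low", "udp_flood", 60),
]
TICKET_LOG = [
    TicketRecord("10.0.0.5", "dave", "bras-1", at(7, 0)),    # older session, same IP
    TicketRecord("10.0.0.5", "alice", "bras-1", at(9, 0)),   # open at anomaly start
    TicketRecord("10.0.0.6", "bob", "bras-1", at(10, 30)),   # started after anomaly
    TicketRecord("10.0.0.7", "carol", "bras-2", at(8, 0)),   # only in low-alarm segment
]
NAT_LOG = {"10.0.0.5": "203.0.113.4", "10.0.0.6": "203.0.113.5",
           "10.0.0.7": "198.51.100.9"}

if __name__ == "__main__":
    for user, policy in find_abnormal_users(CLEANING_LOG, TICKET_LOG, NAT_LOG).items():
        print(user, policy)
```

Because the cleaning log names only an address segment, every subscriber in that segment with a session open at the anomaly start is returned, so the width of the reported segment bounds how precisely a single user can be identified.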
It can be understood that the traffic analysis server obtains the traffic cleaning log information of the traffic cleaning device and the ticket log information of the RADIUS server, and matches the obtained traffic cleaning log information against the ticket log information to determine the abnormal user information; it then sends control information including the abnormal user information to the RADIUS server, so that the RADIUS server limits the uplink transmission data of the abnormal user corresponding to the abnormal user information. This effectively suppresses DDoS malicious attack traffic at the source, for the following reason. The traffic cleaning log information records the IP address segment, alarm level, anomaly type and anomaly duration, and the IP address segment recorded there indicates that some users within that segment are generating DDoS malicious attack traffic; the ticket log information records the user IP address, user name, BRAS device address and current charging start time. By associating and matching the traffic cleaning log information with the ticket log information, the traffic analysis server determines the abnormal user information and the corresponding abnormal users that are generating DDoS malicious attack traffic, and the RADIUS server limits the uplink transmission data of those abnormal users. DDoS malicious attack traffic is thereby restricted from being uploaded into the network system, and is effectively suppressed at the source.
Further, the present invention provides a traffic analysis server for implementing the details of the above method for processing malicious attack traffic, achieving the same effect.
Fig. 4 is a schematic structural diagram of embodiment one of the traffic analysis server of the present invention. Referring to Fig. 4, the traffic analysis server of this embodiment includes: an obtaining component 21, a converting component 22, a matching component 23, a generating component 24 and a sending component 25; wherein,
The obtaining component 21 is configured to obtain log information, the log information including the traffic cleaning log information of the traffic cleaning device, the ticket log information of the RADIUS server and the conversion log information of the network address translation device;
The traffic cleaning log information includes first record messages, and the ticket log information includes second record messages; the first record message includes an IP address segment, an anomaly start time and an alarm level, and the second record message includes an IP address and a current charging start time;
The converting component 22 is configured to convert the user IP in the second record message according to the conversion log information, so that the IP address in the second record message falls within the IP address segment in the first record message;
The matching component 23 is configured to match the first record messages in the traffic cleaning log information against the second record messages in the ticket log information and determine the abnormal user information;
The generating component 24 is configured to generate the uplink transmission restriction policy corresponding to the abnormal user according to the anomaly type and anomaly duration in the pending record message that corresponds to the IP address of the abnormal user identified by the abnormal user information;
The sending component 25 is configured to send control information that includes the abnormal user information to the RADIUS server, so that the RADIUS server limits the uplink transmission data of the abnormal user corresponding to the abnormal user information; the control information further includes the uplink transmission restriction policy.
Fig. 5 is a schematic diagram of the detailed structure of the matching component in the traffic analysis server shown in Fig. 4. Referring to Fig. 5, the matching component 23 includes: an extraction subcomponent 231, a comparison subcomponent 232 and a lookup subcomponent 233; wherein,
The extraction subcomponent 231 is configured to extract the pending record messages, in which the alarm level recorded in the first record message reaches a preset level;
The comparison subcomponent 232 is configured to compare the anomaly start time in the pending record message with the current charging start time of the record message to be compared among the second record messages, and determine the IP address corresponding to the pending record message; the record message to be compared is a second record message whose IP address is associated with the IP address segment of the pending record message;
The lookup subcomponent 233 is configured to look up and determine the abnormal user information in the second record messages according to the IP address corresponding to the pending record message.
Further, the present invention also provides a method for processing malicious attack traffic. Fig. 6 is a schematic flowchart of embodiment two of the method for processing malicious attack traffic of the present invention. Referring to Fig. 6, the method of this embodiment includes the following steps:
Step 301: receive control information that includes abnormal user information;
The method for processing malicious attack traffic in this embodiment is mainly applied to the RADIUS server in the traffic cleaning network system, as shown in Fig. 2, and is used to limit the uplink transmission data of the abnormal user corresponding to the abnormal user information. In this embodiment, the RADIUS server receives the control information including abnormal user information sent by the traffic analysis server and, according to the control information, sends a flow control message to the BRAS to limit the uplink transmission data of the abnormal user corresponding to the abnormal user information.
Step 302: when the abnormal user corresponding to the abnormal user information is online, send a flow control message to the broadband access gateway according to the control information, so as to limit the uplink transmission data of the abnormal user.
In this step, limiting the uplink transmission data of the abnormal user corresponding to the abnormal user information may consist of limiting the abnormal user's uplink burst rate (Input_Peak_Rate) and/or uplink average rate (Input_Average_Rate). This embodiment is described in detail using the case in which both the uplink burst rate (Input_Peak_Rate) and the uplink average rate (Input_Average_Rate) of the abnormal user are limited.
Here, the abnormal users corresponding to the abnormal user information form a blacklist. The RADIUS server may limit the uplink burst rate (Input_Peak_Rate) and uplink average rate (Input_Average_Rate) of each abnormal user in the blacklist individually, according to that user's corresponding uplink transmission restriction policy, or may limit the uplink burst rate (Input_Peak_Rate) and uplink average rate (Input_Average_Rate) of all abnormal users in the blacklist using the same uplink transmission restriction policy. This embodiment is described in detail using the case in which each abnormal user in the blacklist is limited individually according to the corresponding uplink transmission restriction policy. Specifically, when the abnormal user corresponding to the abnormal user information is online, the RADIUS server sends a flow control message to the BRAS according to the control information, limiting the abnormal user's uplink burst rate (Input_Peak_Rate) and uplink average rate (Input_Average_Rate).
The flow control message may be the bandwidth change control message (COA message) in the RADIUS extension protocol, which is used to dynamically change a user's attributes while the broadband user is online, thereby limiting the user's uplink burst rate (Input_Peak_Rate) and uplink average rate (Input_Average_Rate).
The COA message includes the changes to the blacklist and/or the changes to the uplink transmission restriction policies of abnormal users in the blacklist, relative to the flow control policy that the RADIUS server issued last time, so that the limits on abnormal users' uplink burst rate (Input_Peak_Rate) and uplink average rate (Input_Average_Rate) are applied dynamically. Meanwhile, for an abnormal user that appeared in the blacklist the RADIUS server sent last time but does not appear in the current blacklist, a COA message is issued to the BRAS to change that user's attribute to whitelist user, restoring the user's uplink burst rate (Input_Peak_Rate) and uplink average rate (Input_Average_Rate) to the normal state.
To ensure that the uplink transmission restriction policy does not conflict with, and is compatible with, the historical flow control policies issued by the RADIUS server, and that the flow control policies issued by the RADIUS server are implemented normally, when the abnormal user corresponding to the abnormal user information is online and before the flow control message is sent to the BRAS according to the control information, it is also necessary to judge whether the uplink transmission restriction policy is non-conflicting and compatible with the historical flow control policies issued by the RADIUS server. Non-conflicting and compatible means that the uplink transmission restriction policy differs from the historical flow control policy issued by the RADIUS server and that it limits the uplink burst rate (Input_Peak_Rate) and uplink average rate (Input_Average_Rate) of users within the management scope of the RADIUS server.
When the RADIUS server's internal query finds that the uplink transmission restriction policy conflicts with an issued historical flow control policy, the uplink transmission restriction policy is not issued, and the traffic analysis server in the DDoS traffic analysis and disposal platform is informed of the reason why the policy was not issued, so that the traffic analysis server knows the specific execution status. When the RADIUS server's internal query finds that the uplink transmission restriction policy is non-conflicting and compatible with the issued historical flow control policies, a COA message is sent to the BRAS according to the blacklist and the uplink transmission restriction policy, so that the user attributes are changed while the broadband user is online; correspondingly, the BRAS limits the user's uplink burst rate (Input_Peak_Rate) and uplink average rate (Input_Average_Rate) according to the user attributes and the corresponding uplink transmission restriction policy.
Specifically, the RADIUS server receives the control information sent by the traffic analysis server, which includes the abnormal user information and the uplink transmission restriction policy corresponding to the abnormal user;
It judges whether the uplink transmission restriction policy sent by the traffic analysis server is non-conflicting and compatible with the historical flow control policies issued by the RADIUS server. When the RADIUS server's internal query finds that the uplink transmission restriction policy conflicts with an issued historical flow control policy, the uplink transmission restriction policy is not issued, and the traffic analysis server in the DDoS traffic analysis and disposal platform is informed of the reason why the policy was not issued, so that the traffic analysis server knows the specific execution status. When the RADIUS server's internal query finds that the uplink transmission restriction policy is non-conflicting and compatible with the issued historical flow control policies, the RADIUS server issues a COA message to the BRAS through the RADIUS extension protocol according to the control information. After the BRAS receives the COA message, it limits the uplink burst rate (Input_Peak_Rate) and uplink average rate (Input_Average_Rate) of the abnormal users in the blacklist; meanwhile, the uplink burst rate (Input_Peak_Rate) and uplink average rate (Input_Average_Rate) of abnormal users that appeared in the previous blacklist but do not appear in the current blacklist are restored to the normal state.
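One way to plan a round of COA messages from the previous and current blacklists, as an added example (not code from the patent). The messages are plain dictionaries rather than real RADIUS attributes, and two readings are assumptions: a policy "conflicts" when it is identical to the one already issued or targets a user outside the server's management scope, and offline users are simply deferred until they are online.

```python
SAME = "identical to the policy already issued"
SCOPE = "user outside this RADIUS server's management scope"


def plan_coa(history, blacklist, online, managed):
    """Plan one round of COA messages.

    history   -- {user: policy} issued to the BRAS last time
    blacklist -- {user: policy} just received from the traffic analysis server
    online    -- set of users with an active session
    managed   -- set of users this RADIUS server is responsible for
    Returns (messages, rejected, new_history); rejected carries the reasons
    reported back to the traffic analysis server.
    """
    messages, rejected, new_history = [], [], {}
    for user in sorted(blacklist):
        policy = blacklist[user]
        if user not in managed:
            rejected.append((user, SCOPE))
            continue
        if history.get(user) == policy:
            rejected.append((user, SAME))      # nothing to change on the BRAS
            new_history[user] = policy
            continue
        if user in online:
            messages.append({"user": user, "action": "limit", **policy})
            new_history[user] = policy
        # Offline users are not recorded, so the policy is sent once they are online.
    for user in sorted(set(history) - set(blacklist)):
        if user in online:
            # Dropped from the blacklist: back to whitelist user, normal rates.
            messages.append({"user": user, "action": "restore"})
    return messages, rejected, new_history


# Constructed sample state (invented subscribers, rates in kbit/s).
P_STRICT = {"Input_Peak_Rate": 256, "Input_Average_Rate": 128}
P_MILD = {"Input_Peak_Rate": 1024, "Input_Average_Rate": 512}
HISTORY = {"alice": P_STRICT, "bob": P_MILD, "erin": P_STRICT}
BLACKLIST = {"alice": P_STRICT, "bob": P_STRICT, "carol": P_MILD, "frank": P_MILD}
ONLINE = {"alice", "bob", "erin"}
MANAGED = {"alice", "bob", "carol", "erin"}

if __name__ == "__main__":
    msgs, why_not, state = plan_coa(HISTORY, BLACKLIST, ONLINE, MANAGED)
    for m in msgs:
        print("COA", m)
    for user, reason in why_not:
        print("not issued:", user, "-", reason)
```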
It can be understood that the RADIUS server receives the control information sent by the traffic analysis server and, according to the control information, sends a flow control message to the BRAS to limit the uplink transmission data of the abnormal user corresponding to the abnormal user information. This limits DDoS malicious attack traffic at the source, for the following reason. The control information includes the abnormal user information and the uplink transmission restriction policy corresponding to the abnormal user. According to the control information, the RADIUS server judges whether the uplink transmission restriction policy sent by the traffic analysis server is non-conflicting and compatible with the issued historical flow control policies; when the uplink transmission restriction policy is non-conflicting and compatible with the historical flow control policies issued by the RADIUS server, it sends the flow control message, so that the user attributes of the RADIUS user are changed while the user is online. After the BRAS receives the flow control message, it limits the uplink burst rate (Input_Peak_Rate) and uplink average rate (Input_Average_Rate) of the abnormal users in the blacklist. DDoS malicious attack traffic is thereby restricted from being uploaded into the network system, and is effectively suppressed at the source.
Further, the present invention also provides a RADIUS server for implementing the details of embodiment two of the method for processing malicious attack traffic of the present invention, achieving the same effect.
Fig. 7 is a schematic structural diagram of embodiment one of the RADIUS server of the present invention. Referring to Fig. 7, the RADIUS server of this embodiment includes: a receiving component 41, a judging component 42 and a rate-limiting component 43; wherein,
The receiving component 41 is configured to receive control information that includes abnormal user information;
The judging component 42 is configured to, when the control information further includes an uplink transmission restriction policy, judge whether the uplink transmission restriction policy meets a preset condition, the preset condition being that the policy is non-conflicting and compatible with the historical flow control policies issued by the RADIUS server; when the uplink transmission restriction policy meets the preset condition, the rate-limiting component 43 is triggered.
The rate-limiting component 43 is configured to, when the abnormal user corresponding to the abnormal user information is online, send a flow control message to the broadband access gateway according to the control information, so as to limit the uplink transmission data of the abnormal user.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention. Any modification, equivalent replacement and improvement made within the spirit and scope of the present invention shall fall within the scope of protection of the present invention.
Claims (12)
1. A method for processing malicious attack traffic, characterized in that the method includes:
Obtaining log information, the log information including the traffic cleaning log information of a traffic cleaning device and the ticket log information of a remote authentication dial-in user service (RADIUS) server;
Matching the first record messages in the traffic cleaning log information against the second record messages in the ticket log information, and determining abnormal user information;
Sending control information that includes the abnormal user information to the RADIUS server, so that the RADIUS server limits the uplink transmission data of the abnormal user corresponding to the abnormal user information.
2. The method according to claim 1, characterized in that the first record message includes an internet protocol (IP) address segment, an anomaly start time and an alarm level, and the second record message includes an IP address and a current charging start time;
The matching of the first record messages in the traffic cleaning log information against the second record messages in the ticket log information and determining of abnormal user information includes:
Extracting the pending record messages, in which the alarm level recorded in the first record message reaches a preset level;
Comparing the anomaly start time in the pending record message with the current charging start time of the record message to be compared among the second record messages, and determining the IP address corresponding to the pending record message; the record message to be compared is a second record message whose IP address is associated with the IP address segment of the pending record message;
Looking up and determining the abnormal user information in the second record messages according to the IP address corresponding to the pending record message.
3. The method according to claim 2, characterized in that the control information further includes the uplink transmission restriction policy;
After the matching of the first record messages in the traffic cleaning log information against the second record messages in the ticket log information and determining of abnormal user information, the method further includes:
Generating the uplink transmission restriction policy corresponding to the abnormal user according to the anomaly type and anomaly duration in the pending record message that corresponds to the IP address of the abnormal user identified by the abnormal user information.
4. The method according to claim 1, characterized in that the log information further includes the conversion log information of a network address translation device;
Before the matching of the first record messages in the traffic cleaning log information against the second record messages in the ticket log information and determining of abnormal user information, the method further includes:
Converting the IP address in the second record message according to the conversion log information, so that the IP address in the second record message falls within the IP address segment in the first record message.
5. A method for processing malicious attack traffic, characterized in that the method includes:
Receiving control information that includes abnormal user information;
When the abnormal user corresponding to the abnormal user information is online, sending a flow control message to the broadband access gateway according to the control information, so as to limit the uplink transmission data of the abnormal user.
6. The method according to claim 5, characterized in that the control information further includes an uplink transmission restriction policy;
Before the sending of the flow control message to the broadband access gateway according to the control information, the method further includes:
Judging whether the uplink transmission restriction policy meets a preset condition, the preset condition being that the policy is non-conflicting and compatible with the historical flow control policies issued by the RADIUS server;
When the preset condition is met and the abnormal user is online, sending the flow control message to the broadband access gateway according to the control information.
7. A traffic analysis server, characterized in that the traffic analysis server includes: an obtaining component, a matching component and a sending component; wherein,
The obtaining component is configured to obtain log information, the log information including the traffic cleaning log information of a traffic cleaning device and the ticket log information of a RADIUS server;
The matching component is configured to match the first record messages in the traffic cleaning log information against the second record messages in the ticket log information and determine abnormal user information;
The sending component is configured to send control information that includes the abnormal user information to the RADIUS server, so that the RADIUS server limits the uplink transmission data of the abnormal user corresponding to the abnormal user information.
8. The traffic analysis server according to claim 7, characterized in that the first record message includes an internet protocol (IP) address segment, an anomaly start time and an alarm level, and the second record message includes an IP address and a current charging start time;
The matching component includes: an extraction subcomponent, a comparison subcomponent and a lookup subcomponent; wherein,
The extraction subcomponent is configured to extract the pending record messages, in which the alarm level recorded in the first record message reaches a preset level;
The comparison subcomponent is configured to compare the anomaly start time in the pending record message with the current charging start time of the record message to be compared among the second record messages, and determine the user IP address corresponding to the pending record message; the record message to be compared is a second record message whose IP address is associated with the IP address segment of the pending record message;
The lookup subcomponent is configured to look up and determine the abnormal user information in the second record messages according to the IP address corresponding to the pending record message.
9. The traffic analysis server according to claim 8, characterized in that the control information further includes the uplink transmission restriction policy;
The traffic analysis server further includes:
A generating component, configured to generate the uplink transmission restriction policy corresponding to the abnormal user according to the anomaly type and anomaly duration in the pending record message that corresponds to the IP address of the abnormal user identified by the abnormal user information.
10. The traffic analysis server according to claim 7, characterized in that the log information further includes the conversion log information of a network address translation device;
The traffic analysis server further includes:
A converting component, configured to convert the IP address in the second record message according to the conversion log information, so that the IP address in the second record message falls within the IP address segment in the first record message.
11. A RADIUS server, characterized in that the RADIUS server includes: a receiving component and a rate-limiting component; wherein,
The receiving component is configured to receive control information that includes abnormal user information;
The rate-limiting component is configured to, when the abnormal user corresponding to the abnormal user information is online, send a flow control message to the broadband access gateway according to the control information, so as to limit the uplink transmission data of the abnormal user.
12. The RADIUS server according to claim 11, characterized in that the control information further includes an uplink transmission restriction policy;
The RADIUS server further includes:
A judging component, configured to judge whether the uplink transmission restriction policy meets a preset condition, the preset condition being that the policy is non-conflicting and compatible with the historical flow control policies issued by the RADIUS server; when the uplink transmission restriction policy meets the preset condition, the rate-limiting component is triggered.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611260598.3A CN108270600B (en) | 2016-12-30 | 2016-12-30 | Method for processing malicious attack traffic and related server |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108270600A true CN108270600A (en) | 2018-07-10 |
CN108270600B CN108270600B (en) | 2021-03-05 |
Family
ID=62755071
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611260598.3A Active CN108270600B (en) | 2016-12-30 | 2016-12-30 | Method for processing malicious attack traffic and related server |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108270600B (en) |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109450955A (en) * | 2018-12-30 | 2019-03-08 | 北京世纪互联宽带数据中心有限公司 | A kind of flow processing method and device based on network attack |
CN109450955B (en) * | 2018-12-30 | 2022-04-05 | 北京世纪互联宽带数据中心有限公司 | Traffic processing method and device based on network attack |
WO2021023053A1 (en) * | 2019-08-05 | 2021-02-11 | 阿里巴巴集团控股有限公司 | Data processing method and device, and storage medium |
CN111031054A (en) * | 2019-12-19 | 2020-04-17 | 紫光云(南京)数字技术有限公司 | CC protection method |
CN111800412A (en) * | 2020-07-01 | 2020-10-20 | 中国移动通信集团有限公司 | Advanced sustainable threat tracing method, system, computer equipment and storage medium |
CN111800412B (en) * | 2020-07-01 | 2023-02-21 | 中国移动通信集团有限公司 | Advanced sustainable threat tracing method, system, computer equipment and storage medium |
CN114338066A (en) * | 2020-09-30 | 2022-04-12 | 中移(苏州)软件技术有限公司 | Defense method, system, equipment and storage medium for denial of service attack |
CN114584329A (en) * | 2020-11-16 | 2022-06-03 | 中国移动通信集团广东有限公司 | Method and device for positioning reasons of abnormal flow and electronic equipment |
CN114584329B (en) * | 2020-11-16 | 2023-09-05 | 中国移动通信集团广东有限公司 | Positioning method and device for reasons of abnormal flow and electronic equipment |
CN114173346A (en) * | 2021-12-01 | 2022-03-11 | 恒安嘉新(北京)科技股份公司 | Coverage detection method, device, equipment and medium for malicious program monitoring system |
CN114173346B (en) * | 2021-12-01 | 2024-04-12 | 恒安嘉新(北京)科技股份公司 | Coverage detection method, device, equipment and medium of malicious program monitoring system |
CN115412363A (en) * | 2022-09-13 | 2022-11-29 | 杭州迪普科技股份有限公司 | Abnormal flow log processing method and device |
Also Published As
Publication number | Publication date |
---|---|
CN108270600B (en) | 2021-03-05 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108270600A (en) | A kind of processing method and associated server to malicious attack flow | |
KR101107742B1 (en) | SIP Intrusion Detection and Response System for Protecting SIP-based Services | |
KR101231975B1 (en) | Method of defending a spoofing attack using a blocking server | |
CN108063765B (en) | SDN system suitable for solving network security | |
CN101136922B (en) | Service stream recognizing method, device and distributed refusal service attack defending method, system | |
CN108234404B (en) | Defense method, system and related equipment for DDoS attack | |
US8347383B2 (en) | Network monitoring apparatus, network monitoring method, and network monitoring program | |
US7478429B2 (en) | Network overload detection and mitigation system and method | |
CN109450841B (en) | Large-scale DDoS attack resisting defense method based on cloud + end equipment on-demand linkage mode | |
TW201738796A (en) | Prevention and control method, apparatus and system for network attack | |
RU2636640C2 (en) | Protection method of virtual private communication networks elements from ddos-attacks | |
EP1560398A2 (en) | Metering packet flows for limiting effects of denial of service attacks | |
CN103036733A (en) | Unconventional network access behavior monitoring system and monitoring method | |
CN109327426A (en) | A kind of firewall attack defense method | |
CN110391988B (en) | Network flow control method, system and safety protection device | |
TWI657681B (en) | Analysis method of network flow and system | |
KR20110026926A (en) | (method for blocking distributed denial of service | |
CN110881023A (en) | Method for providing network differentiated security service based on SDN/NFV | |
Huang et al. | Detecting stepping-stone intruders by identifying crossover packets in SSH connections | |
JP2008219149A (en) | Traffic control system and traffic control method | |
RU2675900C1 (en) | METHOD OF PROTECTING NODES OF VIRTUAL PRIVATE COMMUNICATION NETWORK FROM DDoS-ATTACKS WITH METHOD OF MANAGING QUANTITY OF RENDERED COMMUNICATION SERVICES TO SUBSCRIBERS | |
CN111901284A (en) | Flow control method and system | |
JP4322179B2 (en) | Denial of service attack prevention method and system | |
KR101466895B1 (en) | Method of detecting voip fraud, apparatus performing the same and storage media storing the same | |
Chi et al. | Detecting and blocking malicious traffic caused by IRC protocol based botnets |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |