CN108270600A - A method for processing malicious attack traffic, and associated servers - Google Patents



Publication number
CN108270600A
Authority
CN
China
Prior art keywords
message
abnormal user
information
record message
log information
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201611260598.3A
Other languages
Chinese (zh)
Other versions
CN108270600B (en)
Inventor
李海明
隋鹏
杜峰
高桐
宋刚
褚尧
谭永波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Heilongjiang Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Heilongjiang Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Group Heilongjiang Co Ltd
Priority to CN201611260598.3A
Publication of CN108270600A
Application granted
Publication of CN108270600B
Legal status: Active


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/2854 Wide area networks, e.g. public data networks
    • H04L12/2856 Access arrangements, e.g. Internet access
    • H04L12/2869 Operational details of access network equipments
    • H04L12/287 Remote access server, e.g. BRAS
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Technology Law (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for processing malicious attack traffic, comprising: obtaining log information, the log information including traffic-cleaning log information of a traffic-cleaning device and ticket log information of a Remote Authentication Dial In User Service (RADIUS) server; matching first record messages in the traffic-cleaning log information against second record messages in the ticket log information to determine abnormal user information; and sending control information containing the abnormal user information to the RADIUS server, so that the RADIUS server limits the uplink transmission data of the abnormal user corresponding to the abnormal user information. The invention also discloses a traffic analysis server and a RADIUS server.

Description

A method for processing malicious attack traffic, and associated servers
Technical field
The present invention relates to the field of broadband services, and in particular to a method for processing malicious attack traffic, a traffic analysis server, and a Remote Authentication Dial In User Service (RADIUS) server.
Background
Broadband service is a high-speed Internet access service that basic telecommunications companies provide to users; users can access the Internet at high speed over an Asymmetric Digital Subscriber Line (ADSL) or optical fiber. With the implementation of the "Broadband China" strategy, household broadband access capability in urban and rural areas is progressively reaching 20 Mbps and 4 Mbps respectively, and some developed cities have reached 100 Mbps. The rise in broadband access standards and the growth in the number of Internet users create a favorable environment for hackers to mount distributed denial-of-service (DDoS) attacks: by controlling the same number of home-broadband zombie hosts as before, a hacker can now generate more malicious attack traffic than before. High-volume malicious attack traffic congests network bandwidth and consumes the processing capacity of network equipment, reducing the overall utilization of network bandwidth and thereby threatening multiple services. For example, in 2015 inter-network DDoS malicious attack traffic on the China Mobile Internet (CMNET, China Mobile Network) showed a trend of breaking out across the board, directly causing the packet loss rate of a single circuit during the evening busy period to exceed 40%, which affected the delivery of all kinds of services and led to customer complaints.
For large-scale DDoS malicious traffic attacks of this kind in backbone and metropolitan area networks, basic telecom operators currently handle them in one of two ways. The first is manual: after a DDoS malicious traffic attack occurs, staff first observe the traffic surge through the network management system, manually extract the original traffic-related logs from the various systems, manually analyze the source of the DDoS malicious traffic, and then manually modify the routing policies on network devices in order to block the IP address of the attack source. The second is to deploy a traffic-cleaning system in the operator's own backbone and metropolitan area networks, which cleans traffic through the steps of traffic detection, traffic diversion, traffic cleaning and traffic re-injection.
In addition, common traffic-cleaning systems are currently deployed in one of two modes. One is protection by cleaning near the protected target, in which dedicated traffic-cleaning equipment deployed close to the protected target performs the defense. The other is protection by cleaning near the source, in which traffic is cleaned in a distributed manner at multiple backbone network nodes close to the attack source, before the malicious attack traffic aggregates.
The manual handling of DDoS malicious attack traffic described above requires the operator's maintenance personnel, after a traffic attack occurs, to quickly work out the source of the DDoS malicious attack traffic by manually analyzing the logs of the various systems, and then to block the IP address of the attack source. This requires maintenance personnel to have considerable experience in handling security incidents and in maintaining equipment. This approach therefore places high demands on the skills of maintenance personnel, its response speed is limited by their experience, and it cannot handle attack sources whose IP addresses are dynamic.
When traffic-cleaning equipment is deployed for protection by cleaning near the protected target, the deployment is a single-point defense: it provides cleaning protection only for the local system or equipment being protected, its defensive capacity is very limited, it cannot protect against large-scale and ultra-large-scale DDoS attacks, and it cannot suppress DDoS malicious attack traffic at the source. A large-scale traffic attack therefore easily congests or paralyzes the network in which the protected target sits. When traffic-cleaning equipment is deployed for protection by cleaning near the source, cleaning is performed mainly at backbone network nodes, so mutual attacks inside internal networks, such as those among broadband users in a metropolitan area network or within an Internet data center (IDC), are difficult to defend against. Moreover, because the cleaning system is deployed at a high level of the network, fine-grained protection policies are hard to deploy, so this approach also cannot suppress DDoS malicious attack traffic at the source.
It can be seen that, to overcome the inability of existing traffic-cleaning approaches to effectively suppress DDoS malicious attack traffic at the source, a scheme for processing malicious attack traffic is urgently needed.
Summary of the invention
To solve the existing problems, embodiments of the present invention aim to provide a method for processing malicious attack traffic, a traffic analysis server and a RADIUS server that can effectively suppress DDoS malicious attack traffic at the source.
To achieve the above object, the technical solution of the present invention is implemented as follows:
An embodiment of the present invention provides a method for processing malicious attack traffic, the method comprising:
Obtaining log information, the log information including traffic-cleaning log information of a traffic-cleaning device and ticket log information of a RADIUS server;
Matching first record messages in the traffic-cleaning log information against second record messages in the ticket log information to determine abnormal user information;
Sending control information containing the abnormal user information to the RADIUS server, so that the RADIUS server limits the uplink transmission data of the abnormal user corresponding to the abnormal user information.
In the above scheme, the first record message includes an Internet Protocol (IP) address segment, an anomaly start time and an alert level, and the second record message includes a user IP address and the current charging start time;
Matching the first record messages in the traffic-cleaning log information against the second record messages in the ticket log information to determine abnormal user information comprises:
Extracting, as pending record messages, the first record messages whose recorded alert level reaches a preset level;
Comparing the anomaly start time in the pending record message with the current charging start time of each record message to be compared among the second record messages, and determining the user IP address corresponding to the pending record message; a record message to be compared is a second record message whose user IP address is associated with the IP address segment of the pending record message;
Looking up the second record messages according to the user IP address corresponding to the pending record message, and determining the abnormal user information.
In the above scheme, the control information further includes an uplink transmission restriction policy;
After matching the first record messages in the traffic-cleaning log information against the second record messages in the ticket log information and determining the abnormal user information, the method further comprises:
Generating the uplink transmission restriction policy corresponding to the abnormal user according to the anomaly type and anomaly duration in the pending record message that corresponds to the IP address of the abnormal user identified by the abnormal user information.
In the above scheme, the log information further includes conversion log information of a network address translation device;
Before matching the first record messages in the traffic-cleaning log information against the second record messages in the ticket log information and determining the abnormal user information, the method further comprises:
Converting the user IP address in the second record message according to the conversion log information, so that the user IP address in the second record message falls within the IP address segment in the first record message.
An embodiment of the present invention further provides a method for processing malicious attack traffic, the method comprising:
Receiving control information containing abnormal user information;
When the abnormal user corresponding to the abnormal user information is online, sending a traffic control message to a broadband remote access server according to the control information, so as to limit the uplink transmission data of the abnormal user.
In the above scheme, the control information further includes an uplink transmission restriction policy;
Before sending the traffic control message to the broadband remote access server according to the control information, the method further comprises:
Judging whether the uplink transmission restriction policy meets a preset condition, the preset condition being that the policy does not conflict with, and is compatible with, the historical traffic control policies issued by the RADIUS server;
When the preset condition is met and the abnormal user is online, sending the traffic control message to the broadband remote access server according to the control information.
An embodiment of the present invention further provides a traffic analysis server, the traffic analysis server comprising an obtaining component, a matching component and a sending component, wherein:
The obtaining component is configured to obtain log information, the log information including traffic-cleaning log information of a traffic-cleaning device and ticket log information of a RADIUS server;
The matching component is configured to match first record messages in the traffic-cleaning log information against second record messages in the ticket log information and determine abnormal user information;
The sending component is configured to send control information containing the abnormal user information to the RADIUS server, so that the RADIUS server limits the uplink transmission data of the abnormal user corresponding to the abnormal user information.
In the above scheme, the first record message includes an Internet Protocol (IP) address segment, an anomaly start time and an alert level, and the second record message includes a user IP address and the current charging start time;
The matching component comprises an extraction subcomponent, a comparison subcomponent and a lookup subcomponent, wherein:
The extraction subcomponent is configured to extract, as pending record messages, the first record messages whose recorded alert level reaches a preset level;
The comparison subcomponent is configured to compare the anomaly start time in the pending record message with the current charging start time of each record message to be compared among the second record messages, and to determine the user IP address corresponding to the pending record message; a record message to be compared is a second record message whose user IP address is associated with the IP address segment of the pending record message;
The lookup subcomponent is configured to look up the second record messages according to the user IP address corresponding to the pending record message and determine the abnormal user information.
In the above scheme, the control information further includes an uplink transmission restriction policy;
The traffic analysis server further comprises:
A generating component, configured to generate the uplink transmission restriction policy corresponding to the abnormal user according to the anomaly type and anomaly duration in the pending record message that corresponds to the IP address of the abnormal user identified by the abnormal user information.
In the above scheme, the log information further includes conversion log information of a network address translation device;
The traffic analysis server further comprises:
A converting component, configured to convert the user IP address in the second record message according to the conversion log information, so that the user IP address in the second record message falls within the IP address segment in the first record message.
An embodiment of the present invention further provides a RADIUS server, the RADIUS server comprising a receiving component and a rate-limiting component, wherein:
The receiving component is configured to receive control information containing abnormal user information;
The rate-limiting component is configured to, when the abnormal user corresponding to the abnormal user information is online, send a traffic control message to a broadband remote access server according to the control information, so as to limit the uplink transmission data of the abnormal user.
In the above scheme, the control information further includes an uplink transmission restriction policy;
The RADIUS server further comprises:
A judging component, configured to judge whether the uplink transmission restriction policy meets a preset condition, the preset condition being that the policy does not conflict with, and is compatible with, the historical traffic control policies issued by the RADIUS server; when the uplink transmission restriction policy meets the preset condition, the rate-limiting component is triggered.
With the method for processing malicious attack traffic, the traffic analysis server and the RADIUS server provided by embodiments of the present invention, the traffic analysis server first obtains log information, the log information including traffic-cleaning log information of the traffic-cleaning device and ticket log information of the RADIUS server; matches first record messages in the traffic-cleaning log information against second record messages in the ticket log information to determine abnormal user information; and sends control information containing the abnormal user information to the RADIUS server, so that the RADIUS server limits the uplink transmission data of the abnormal user corresponding to the abnormal user information. Correspondingly, the RADIUS server receives the control information sent by the traffic analysis server and, when the abnormal user is online, sends a traffic control message to the broadband remote access server (BRAS, Broadband Remote Access Server) according to the control information, limiting the uplink transmission data of the abnormal user.
It can be seen that, on the one hand, in embodiments of the present invention the traffic analysis server obtains the traffic-cleaning log information of the traffic-cleaning device and the ticket log information of the RADIUS server, matches the two to determine the abnormal user information and the corresponding abnormal user, and sends control information containing the abnormal user information to the RADIUS server. On the other hand, the RADIUS server sends a traffic control message to the BRAS according to the control information and limits the uplink transmission data of the abnormal user. DDoS malicious attack traffic is thereby effectively suppressed at the source, and the normal operation of broadband services is ensured; in addition, the scheme is simple to operate and has a low maintenance cost.
Brief description of the drawings
Fig. 1 is a flow diagram of embodiment one of the method of the present invention for processing malicious attack traffic;
Fig. 2 is a structural diagram of the traffic-cleaning network system;
Fig. 3 is a detailed flow diagram of determining abnormal user information in the flow shown in Fig. 2;
Fig. 4 is a structural diagram of embodiment one of the traffic analysis server of the present invention;
Fig. 5 is a detailed structural diagram of the matching component in the traffic analysis server shown in Fig. 4;
Fig. 6 is a flow diagram of embodiment two of the method of the present invention for processing malicious attack traffic;
Fig. 7 is a structural diagram of embodiment one of the RADIUS server of the present invention.
Detailed description
The method for processing malicious attack traffic provided by embodiments of the present invention is applied in a traffic-cleaning network system. On the one hand, the traffic analysis server obtains the traffic-cleaning log information of the traffic-cleaning device and the ticket log information of the RADIUS server, matches the two to determine the abnormal user information and the corresponding abnormal user, and sends control information containing the abnormal user information to the RADIUS server. On the other hand, the RADIUS server sends a traffic control message to the BRAS according to the control information and limits the uplink transmission data of the abnormal user, so that DDoS malicious attack traffic is effectively suppressed at the source.
The realization of the object, the functions and the advantages of the present invention are further described below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here merely illustrate the present invention and do not limit it.
Fig. 1 is a flow diagram of embodiment one of the method of the present invention for processing malicious attack traffic. As shown in Fig. 1, the method of this embodiment includes the following steps:
Step 101: obtain log information, the log information including traffic-cleaning log information of the traffic-cleaning device and ticket log information of the RADIUS server;
The method for processing malicious attack traffic in this embodiment is mainly applied in the traffic analysis server of a traffic-cleaning network system, where it analyzes and determines the abnormal user information associated with malicious attack traffic.
Fig. 2 is a structural diagram of the traffic-cleaning network system. As shown in Fig. 2, the traffic-cleaning network system includes a traffic-cleaning system, a traffic analysis server, a RADIUS server and a BRAS.
The traffic analysis server is part of a DDoS traffic analysis and handling platform. It may obtain log information periodically or aperiodically; the trigger for aperiodic acquisition may be the receipt of alert information sent by the traffic detection device. Specifically, when the traffic detection device sends alert information to the traffic-cleaning device, it also sends the alert information to the traffic analysis server, which triggers the traffic analysis server to obtain log information and, from the log information obtained, to analyze and determine the abnormal user information associated with malicious attack traffic.
The log information includes the traffic-cleaning log information of the traffic-cleaning device and the ticket log information of the RADIUS server. In the traffic-cleaning system, the IP address segments of broadband users must first be configured for detection, monitoring and protection. The traffic detection device then inspects service traffic in real time; when malicious attack traffic reaches or exceeds the configured security baseline, the traffic detection device sends alert information to the traffic-cleaning device. Finally, the traffic-cleaning device starts cleaning and filtering the traffic and generates traffic-cleaning log information. The traffic-cleaning log information may include multiple first record messages, each of which includes an IP address segment, an anomaly start time, an anomaly type, an anomaly duration and an alert level. Correspondingly, when a broadband user performs dial-up authentication on the RADIUS server to go online, the RADIUS server records the IP address, the online session and other related information, and generates ticket log information. The ticket log information may include multiple second record messages, each of which includes a user name, a user IP address, the current charging start time and a BRAS device address.
The way in which the traffic analysis server obtains the log information can be configured according to actual needs. In this embodiment, the traffic analysis server may collect the traffic-cleaning log information and the ticket log information separately, aperiodically and in near-real time, using syslog.
Step 102: match the first record messages in the traffic-cleaning log information against the second record messages in the ticket log information, and determine abnormal user information;
In this step, the field information of the first record messages is matched against the field information of the second record messages to generate the abnormal user information. The fields of the first record message that take part in the matching are the IP address segment, the alert level and the anomaly start time; the fields of the second record message that take part in the matching are the user IP address and the current charging start time. The abnormal user information includes the user name and the BRAS device address.
Further, when broadband users are assigned private (internal network) IP addresses, the user IP address in the ticket log information is a private IP address, while the IP address segment in the traffic-cleaning log information consists of public IP addresses. Because the two address forms are inconsistent, matching the traffic-cleaning log against the ticket log information would fail. Therefore, when broadband users are assigned private IP addresses, before the first record messages and the second record messages are matched, the traffic analysis server also collects, in near-real time using syslog, the conversion log information of the network address translation (NAT, Network Address Translation) device. According to the conversion log information, the user IP address in the second record message is converted into a public IP address, so that the user IP address falls within the IP address segment in the first record message and the first record messages and second record messages can be matched.
Specifically, Fig. 3 is a detailed flow diagram of determining abnormal user information in the flow shown in Fig. 2. As shown in Fig. 3, step 102 specifically includes the following steps:
Step 1021: extract, as pending record messages, the first record messages whose recorded alert level reaches a preset level;
In this step, multiple alert levels can be defined according to the volume of malicious attack traffic, for example three levels: high, medium and low. In this embodiment, only first record messages whose alert level is high are processed; that is, the first record messages whose alert level is high are extracted as the pending record messages.
Step 1022: compare the anomaly start time in the pending record message with the current charging start time of each record message to be compared among the second record messages, and determine the user IP address corresponding to the pending record message; a record message to be compared is a second record message whose user IP address is associated with the IP address segment of the pending record message;
Step 1023: look up the second record messages according to the user IP address corresponding to the pending record message, and determine the abnormal user information.
In this embodiment, one IP address segment corresponds to multiple user IP addresses, and different IP address segments correspond to different user IP addresses. The association between a pending record message and the second record messages can therefore be established from the IP address segment and the user IP address, which determines the record messages to be compared. The relationship between the anomaly start time in the pending record message and the current charging start time in the record messages to be compared then determines which record message to be compared corresponds to each pending record message. The abnormal user information is obtained from the user name and BRAS device address recorded in that record message.
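The matching in steps 1021 to 1023, together with the NAT conversion that precedes it, as an added Python example that is not part of the patent text. The record layouts, CIDR notation for the IP address segment, the NAT conversion log as a private-to-public mapping, and the rule that the matching session is the latest one that started at or before the anomaly start time are assumptions; all sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class CleaningRecord:
    """First record message (traffic-cleaning log)."""
    ip_segment: str          # assumed to be written in CIDR notation
    anomaly_start: datetime
    anomaly_type: str
    duration_s: int
    alert_level: str         # "high", "medium" or "low"


@dataclass(frozen=True)
class TicketRecord:
    """Second record message (RADIUS ticket log)."""
    username: str
    user_ip: str
    charging_start: datetime  # current charging start time
    bras_address: str


@dataclass(frozen=True)
class AbnormalUser:
    username: str
    bras_address: str
    anomaly_type: str        # kept so a restriction policy can be derived later
    duration_s: int


def find_abnormal_users(cleaning, tickets, nat_log=None, level="high"):
    """Return the abnormal users named by alerts at the given level."""
    nat_log = nat_log or {}
    found = {}
    for rec in cleaning:
        if rec.alert_level != level:               # step 1021: keep pending records only
            continue
        segment = ip_network(rec.ip_segment)
        holders = {}                               # user IP -> ticket active at anomaly start
        for t in tickets:
            # NAT conversion: rewrite a private user IP to its public address.
            public_ip = nat_log.get(t.user_ip, t.user_ip)
            if ip_address(public_ip) not in segment:
                continue                           # not a record message to be compared
            if t.charging_start > rec.anomaly_start:
                continue                           # session began after the anomaly
            # step 1022 (assumed rule): addresses are reassigned, so the holder
            # is the latest session that started before the anomaly.
            best = holders.get(t.user_ip)
            if best is None or t.charging_start > best.charging_start:
                holders[t.user_ip] = t
        for t in holders.values():                 # step 1023: user name + BRAS address
            found.setdefault(
                (t.username, t.bras_address),
                AbnormalUser(t.username, t.bras_address,
                             rec.anomaly_type, rec.duration_s))
    return sorted(found.values(), key=lambda u: u.username)


def _t(hour, minute):
    return datetime(2016, 12, 30, hour, minute)


# Constructed sample logs (documentation address ranges, invented user names).
CLEANING = [
    CleaningRecord("203.0.113.0/28", _t(21, 5), "SYN flood", 600, "high"),
    CleaningRecord("198.51.100.0/24", _t(21, 10), "UDP flood", 120, "low"),
]
TICKETS = [
    TicketRecord("user_a", "203.0.113.5", _t(18, 0), "192.0.2.1"),    # earlier holder of .5
    TicketRecord("user_b", "203.0.113.5", _t(20, 30), "192.0.2.1"),   # holder at anomaly time
    TicketRecord("user_c", "203.0.113.5", _t(22, 0), "192.0.2.1"),    # started after the anomaly
    TicketRecord("user_d", "10.0.0.7", _t(20, 45), "192.0.2.2"),      # private address behind NAT
    TicketRecord("user_e", "198.51.100.20", _t(19, 0), "192.0.2.2"),  # only a low-level alert
    TicketRecord("user_f", "203.0.113.77", _t(20, 0), "192.0.2.1"),   # outside the /28 segment
]
NAT_LOG = {"10.0.0.7": "203.0.113.9"}   # constructed conversion log entry

if __name__ == "__main__":
    for user in find_abnormal_users(CLEANING, TICKETS, NAT_LOG):
        print(user)
```

Without the NAT conversion log, `user_d` is missed because the private address never falls inside the public segment, which is the matching failure the description attributes to inconsistent address forms.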
Step 103, the control information for including the abnormal user information is sent to remote customer dialing authentication server, is supplied The remote customer dialing authentication server limits the uplink transmission data of the corresponding abnormal user of the abnormal user information.
In the step, the control information can only include abnormal user information, can also include abnormal user simultaneously and believe The uplink restriction strategy of breath abnormal user corresponding with abnormal user information, is below described in detail this.Specifically, The corresponding abnormal user of the abnormal user information will form blacklist, and Radius servers can be according to blacklist to exception User carries out the limitation of uplink transmission data;When only including abnormal user information in the control information, Radius servers The uplink transmission data of abnormal user in blacklist can be limited according to preset uplink restriction strategy;When Uplink limitation plan of the control information simultaneously including abnormal user information and the corresponding abnormal user of abnormal user information When slightly, Radius servers can be according to uplink of the uplink restriction strategy in the control information to abnormal user Data are limited.
Further, flow analysis servers can be separately provided abnormal user each in blacklist corresponding uplink and pass Defeated restriction strategy can also use same uplink restriction strategy to abnormal user all in blacklist;This implementation In example, each abnormal user it will be carried out specifically for corresponding uplink restriction strategy is separately provided in blacklist It is bright.Specifically, disappeared according to the IP address of the corresponding abnormal user of the abnormal user information in corresponding pending record Exception Type and abnormal perdurabgility recorded in breath, generate uplink restriction strategy corresponding with the abnormal user.
Specifically, when broadband users are assigned public IP addresses, the flow analysis server uses syslog in quasi-real-time mode to collect the flow cleaning log information of the flow cleaning device and the ticket log information of the RADIUS server; when broadband users are assigned intranet IP addresses, the flow analysis server uses syslog in quasi-real-time mode to collect the flow cleaning log information of the flow cleaning device, the ticket log information of the RADIUS server and the conversion log information of the NAT device;
When broadband users are assigned intranet IP addresses, convert the IP address in the second record message according to the conversion log information, so that the IP address in the second record message is converted into a public IP address and is contained in the IP address segment in the first record message;
Extract the pending record messages, that is, the first record messages whose recorded alarm level is high;
According to the IP address segment and the IP address, establish the association between the pending record messages and the second record messages, and determine the record messages to be compared;
When the anomaly start time in the pending record message is later than the current accounting start time in the record message to be compared, determine the record message to be compared that corresponds to each pending record message;
According to the user name and BRAS device address recorded in the record message to be compared, obtain the abnormal user information and the corresponding abnormal user;
According to the anomaly type and anomaly duration recorded in the pending record message that corresponds to the IP address of the abnormal user, generate the uplink transmission restriction policy corresponding to the abnormal user;
Send control information including the abnormal user information to the RADIUS server, so that the RADIUS server limits the uplink transmission data of the abnormal user corresponding to the abnormal user information.
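The matching procedure above can be sketched as follows. This is an added example, not code from the patent: the record layouts, the CIDR notation for the IP address segment, the NAT conversion log modelled as a plain intranet-to-public mapping, and all sample values are constructed assumptions. It also assumes that when one address has several sessions, the most recent one that began before the anomaly is the one to report.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class CleaningRecord:          # "first record message" (flow cleaning log)
    segment: str               # IP address segment, written here as CIDR
    anomaly_start: datetime
    alarm_level: str
    anomaly_type: str
    duration_s: int


@dataclass(frozen=True)
class TicketRecord:            # "second record message" (RADIUS ticket log)
    user_ip: str               # address assigned to the session
    username: str
    bras: str                  # BRAS device address
    acct_start: datetime       # current accounting start time


def find_abnormal_users(cleaning, tickets, nat_map=None, level="high"):
    """Correlate flow cleaning records with ticket records.

    nat_map is the conversion log reduced to {intranet_ip: public_ip};
    pass nothing when users already hold public addresses.
    """
    nat_map = nat_map or {}
    found = []
    for rec in cleaning:
        if rec.alarm_level != level:           # only pending (high) records
            continue
        net = ip_network(rec.segment)
        latest = {}                            # assigned IP -> (public IP, ticket)
        for t in tickets:
            public_ip = nat_map.get(t.user_ip, t.user_ip)
            if ip_address(public_ip) not in net:
                continue                       # not associated with this segment
            if rec.anomaly_start <= t.acct_start:
                continue                       # session began after the anomaly
            cur = latest.get(t.user_ip)
            # Assumption: an address reassigned over time belongs to the
            # most recent session that started before the anomaly.
            if cur is None or t.acct_start > cur[1].acct_start:
                latest[t.user_ip] = (public_ip, t)
        for public_ip, t in sorted(latest.values(), key=lambda p: p[1].username):
            found.append({
                "username": t.username,
                "bras": t.bras,
                "public_ip": public_ip,
                "anomaly_type": rec.anomaly_type,
                "duration_s": rec.duration_s,
            })
    return found


# Constructed sample data (documentation address ranges, invented users).
DAY = (2016, 12, 30)
CLEANING_LOG = [
    CleaningRecord("203.0.113.0/28", datetime(*DAY, 10, 0), "high", "SYN flood", 600),
    CleaningRecord("198.51.100.0/29", datetime(*DAY, 10, 5), "medium", "UDP flood", 120),
]
TICKET_LOG = [
    TicketRecord("10.0.0.5", "bob", "192.0.2.1", datetime(*DAY, 7, 0)),     # older holder of 10.0.0.5
    TicketRecord("10.0.0.5", "alice", "192.0.2.1", datetime(*DAY, 9, 0)),   # holder at anomaly time
    TicketRecord("10.0.0.9", "carol", "192.0.2.1", datetime(*DAY, 10, 30)), # began after the anomaly
    TicketRecord("198.51.100.3", "dave", "192.0.2.2", datetime(*DAY, 8, 0)),  # segment is only "medium"
    TicketRecord("203.0.113.9", "erin", "192.0.2.2", datetime(*DAY, 9, 30)),  # public address, in segment
]
NAT_LOG = {"10.0.0.5": "203.0.113.7", "10.0.0.9": "203.0.113.7"}

if __name__ == "__main__":
    for user in find_abnormal_users(CLEANING_LOG, TICKET_LOG, NAT_LOG):
        print(user)
```

Because the ticket fields listed in the text carry no session end time, every session that began before the anomaly on an address in the segment is a candidate; a deployment that also logs accounting stop times could narrow the match further.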
It can be understood that the flow analysis server obtains the flow cleaning log information of the flow cleaning device and the ticket log information of the RADIUS server, and matches the obtained flow cleaning log information against the ticket log information to determine the abnormal user information; it then sends control information including the abnormal user information to the RADIUS server, so that the RADIUS server limits the uplink transmission data of the abnormal user corresponding to the abnormal user information. This effectively suppresses DDoS malicious attack traffic at the source, for the following reason: the flow cleaning log information records the IP address segment, alarm level, anomaly type and anomaly duration, and the IP address segment recorded in the flow cleaning log information indicates that some users within that IP address segment are producing DDoS malicious attack traffic; the ticket log information records the user IP address, user name, BRAS device address and current accounting start time. By associating and matching the flow cleaning log information with the ticket log information, the flow analysis server determines the abnormal user information and the corresponding abnormal users that are producing DDoS malicious attack traffic, so that the RADIUS server can limit the uplink transmission data of those abnormal users. This restricts DDoS malicious attack traffic from being uploaded into the network system and effectively suppresses it at the source.
Further, the present invention provides a flow analysis server, which is used to implement the details of the above method for processing malicious attack traffic and achieves the same effect.
Fig. 4 is a schematic structural diagram of embodiment one of the flow analysis server of the present invention. With reference to Fig. 4, the flow analysis server of this embodiment includes: an obtaining component 21, a conversion component 22, a matching component 23, a generating component 24 and a sending component 25; wherein,
The obtaining component 21 is configured to obtain log information, the log information including the flow cleaning log information of the flow cleaning device, the ticket log information of the RADIUS server, and the conversion log information of the network address translation device;
The flow cleaning log information includes the first record message, and the ticket log information includes the second record message; the first record message includes an IP address segment, an anomaly start time and an alarm level, and the second record message includes an IP address and a current accounting start time;
The conversion component 22 is configured to convert the user IP address in the second record message according to the conversion log information, so that the IP address in the second record message is contained in the IP address segment in the first record message;
The matching component 23 is configured to match the first record message in the flow cleaning log information against the second record message in the ticket log information and determine the abnormal user information;
The generating component 24 is configured to generate the uplink transmission restriction policy corresponding to the abnormal user according to the anomaly type and anomaly duration in the pending record message that corresponds to the IP address of the abnormal user corresponding to the abnormal user information;
The sending component 25 is configured to send control information including the abnormal user information to the RADIUS server, so that the RADIUS server limits the uplink transmission data of the abnormal user corresponding to the abnormal user information; the control information further includes the uplink transmission restriction policy.
Fig. 5 is a detailed structural diagram of the matching component in the flow analysis server shown in Fig. 4. With reference to Fig. 5, the matching component 23 includes: an extraction subcomponent 231, a comparison subcomponent 232 and a lookup subcomponent 233; wherein,
The extraction subcomponent 231 is configured to extract the pending record messages, that is, the first record messages whose recorded alarm level reaches a preset level;
The comparison subcomponent 232 is configured to compare the anomaly start time in the pending record message with the current accounting start time of the record message to be compared in the second record message, and determine the IP address corresponding to the pending record message; the record message to be compared is a second record message whose IP address is associated with the IP address segment of the pending record message;
The lookup subcomponent 233 is configured to search the second record message according to the IP address corresponding to the pending record message and determine the abnormal user information.
Further, the present invention also provides a method for processing malicious attack traffic. Fig. 6 is a schematic flow diagram of embodiment two of the method for processing malicious attack traffic of the present invention. With reference to Fig. 6, the method of this embodiment includes the following steps:
Step 301, receive control information including abnormal user information;
The method for processing malicious attack traffic in this embodiment is mainly applied to the RADIUS server in the flow cleaning network system, as shown in Fig. 2, and is used to limit the uplink transmission data of the abnormal user corresponding to the abnormal user information. In this embodiment, the RADIUS server receives the control information including the abnormal user information sent by the flow analysis server and, according to the control information, sends a flow control message to the BRAS to limit the uplink transmission data of the abnormal user corresponding to the abnormal user information.
Step 302, when the abnormal user corresponding to the abnormal user information is online, send a flow control message to the broadband access gateway according to the control information, so as to limit the uplink transmission data of the abnormal user.
In this step, limiting the uplink transmission data of the abnormal user corresponding to the abnormal user information may mean limiting the abnormal user's uplink burst rate (Input_Peak_Rate) and/or uplink average rate (Input_Average_Rate). This embodiment is described in detail for the case where both the uplink burst rate (Input_Peak_Rate) and the uplink average rate (Input_Average_Rate) of the abnormal user are limited.
Here, the abnormal users corresponding to the abnormal user information form a blacklist. The RADIUS server can limit the uplink burst rate (Input_Peak_Rate) and uplink average rate (Input_Average_Rate) of each abnormal user in the blacklist individually, according to that user's own uplink transmission restriction policy, or it can limit the uplink burst rate (Input_Peak_Rate) and uplink average rate (Input_Average_Rate) of all abnormal users in the blacklist using the same uplink transmission restriction policy. This embodiment is described in detail for the case where each abnormal user in the blacklist is limited individually according to the corresponding uplink transmission restriction policy. Specifically, when the abnormal user corresponding to the abnormal user information is online, the RADIUS server sends a flow control message to the BRAS according to the control information, to limit the uplink burst rate (Input_Peak_Rate) and uplink average rate (Input_Average_Rate) of the abnormal user.
The flow control message may be the bandwidth change control message (CoA message) in the RADIUS extension protocol, which is used to dynamically change a user's attributes while the broadband user is online, thereby limiting the user's uplink burst rate (Input_Peak_Rate) and uplink average rate (Input_Average_Rate).
The CoA message includes the blacklist entries that have changed and/or the changed uplink transmission restriction policies of abnormal users in the blacklist, compared with the flow control policy last issued by the RADIUS server, so that the limits on the abnormal users' uplink burst rate (Input_Peak_Rate) and uplink average rate (Input_Average_Rate) are applied dynamically. Meanwhile, for an abnormal user that appeared in the blacklist last sent by the RADIUS server but does not appear in the current blacklist, a CoA message is issued to the BRAS to change that user's attribute to whitelist user, so that the user's uplink burst rate (Input_Peak_Rate) and uplink average rate (Input_Average_Rate) are restored to the normal state.
So that the uplink transmission restriction policy does not conflict with, and is compatible with, the historical flow control policies issued by the RADIUS server, and so that the flow control policies issued by the RADIUS server are implemented normally, when the abnormal user corresponding to the abnormal user information is online and before the flow control message is sent to the BRAS according to the control information, it must also be judged whether the uplink transmission restriction policy does not conflict with and is compatible with the historical flow control policies issued by the RADIUS server. "Not conflicting and compatible" means that the uplink transmission restriction policy is inconsistent with the historical flow control policy issued by the RADIUS server and that it limits the uplink burst rate (Input_Peak_Rate) and uplink average rate (Input_Average_Rate) of users within the management scope of the RADIUS server.
When the RADIUS server finds internally that the uplink transmission restriction policy conflicts with an issued historical flow control policy, the uplink transmission restriction policy is not issued, and the flow analysis server in the DDoS flow analysis and disposal platform is informed of the reason why the uplink transmission restriction policy was not issued, so that the flow analysis server knows the actual execution status. When the RADIUS server finds internally that the uplink transmission restriction policy does not conflict with and is compatible with the issued historical flow control policies, a CoA message is sent to the BRAS according to the blacklist and the uplink transmission restriction policy, so that the user attributes are changed while the broadband user is online. Correspondingly, the BRAS limits the user's uplink burst rate (Input_Peak_Rate) and uplink average rate (Input_Average_Rate) according to the user attributes and the corresponding uplink transmission restriction policy.
Specifically, the RADIUS server receives the control information sent by the flow analysis server, which includes the abnormal user information and the uplink transmission restriction policy corresponding to the abnormal user;
It judges whether the uplink transmission restriction policy sent by the flow analysis server does not conflict with and is compatible with the historical flow control policies issued by the RADIUS server. When the RADIUS server finds internally that the uplink transmission restriction policy conflicts with an issued historical flow control policy, the uplink transmission restriction policy is not issued, and the flow analysis server in the DDoS flow analysis and disposal platform is informed of the reason why the uplink transmission restriction policy was not issued, so that the flow analysis server knows the actual execution status. When the RADIUS server finds internally that the uplink transmission restriction policy does not conflict with and is compatible with the issued historical flow control policies, the RADIUS server issues a CoA message to the BRAS through the RADIUS extension protocol according to the control information. After the BRAS receives the CoA message, it limits the uplink burst rate (Input_Peak_Rate) and uplink average rate (Input_Average_Rate) of the abnormal users in the blacklist; meanwhile, the uplink burst rate (Input_Peak_Rate) and uplink average rate (Input_Average_Rate) of abnormal users that appeared in the previous blacklist but do not appear in the current blacklist are restored to the normal state.
It can be understood that the RADIUS server receives the control information sent by the flow analysis server and, according to the control information, sends a flow control message to the BRAS to limit the uplink transmission data of the abnormal user corresponding to the abnormal user information. This limits DDoS malicious attack traffic at the source, for the following reason: the control information includes the abnormal user information and the uplink transmission restriction policy corresponding to the abnormal user; according to the control information, the RADIUS server judges whether the uplink transmission restriction policy sent by the flow analysis server does not conflict with and is compatible with the issued historical flow control policies; when the uplink transmission restriction policy does not conflict with and is compatible with the historical flow control policies issued by the RADIUS server, the flow control message is sent, so that the user attributes of the RADIUS user are changed while the user is online. After the BRAS receives the flow control message, it limits the uplink burst rate (Input_Peak_Rate) and uplink average rate (Input_Average_Rate) of the abnormal users in the blacklist, which restricts DDoS malicious attack traffic from being uploaded into the network system and effectively suppresses it at the source.
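The RADIUS-side decision described above (send only what changed, restore users that left the blacklist, refuse conflicting policies and report why) can be sketched as follows. This is an added example, not code from the patent: the function and field names, the rate units and the sample data are constructed, and because the text does not define what counts as a conflict, the rule used here is an assumption (a policy is refused if the user is outside the server's management scope or if it would allow a higher rate than the profile already issued to that user).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    peak_kbps: int   # Input_Peak_Rate
    avg_kbps: int    # Input_Average_Rate


def plan_coa(previous, current, online, managed, issued):
    """Decide which CoA messages to send to the BRAS.

    previous / current: {username: Policy}, blacklist sent last time and now
    online:  usernames with an active session
    managed: usernames within this RADIUS server's management scope
    issued:  {username: Policy}, rates from the historical flow control policy
    Returns (actions, rejected); rejected carries the reason reported back
    to the flow analysis server.
    """
    actions, rejected = [], []
    for user in sorted(current):
        policy = current[user]
        if user not in managed:
            rejected.append((user, "outside management scope"))
            continue
        base = issued[user]
        # Assumed conflict rule: a "limit" must not loosen what was issued.
        if policy.peak_kbps > base.peak_kbps or policy.avg_kbps > base.avg_kbps:
            rejected.append((user, "exceeds issued rate"))
            continue
        if previous.get(user) == policy:
            continue                  # unchanged since the last CoA
        if user not in online:
            continue                  # CoA only changes live sessions
        actions.append(("limit", user, policy))
    for user in sorted(set(previous) - set(current)):
        if user in online and user in managed:
            # Left the blacklist: back to the normal (whitelist) rates.
            actions.append(("restore", user, issued[user]))
    return actions, rejected


# Constructed sample data.
NORMAL = Policy(20000, 10000)
LIMITED = Policy(512, 256)
PREVIOUS = {"bob": LIMITED, "carol": LIMITED}
CURRENT = {
    "alice": LIMITED,                 # newly blacklisted, online
    "bob": LIMITED,                   # unchanged since last time
    "dave": Policy(256, 128),         # blacklisted but offline
    "erin": Policy(99999, 50000),     # would loosen the issued rate
    "frank": LIMITED,                 # not managed by this server
}
ONLINE = {"alice", "bob", "carol", "erin", "frank"}
MANAGED = {"alice", "bob", "carol", "dave", "erin"}
ISSUED = {name: NORMAL for name in MANAGED}

if __name__ == "__main__":
    acts, rej = plan_coa(PREVIOUS, CURRENT, ONLINE, MANAGED, ISSUED)
    print(acts)
    print(rej)
```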
Further, the present invention also provides a RADIUS server, which is used to implement the details of embodiment two of the method for processing malicious attack traffic of the present invention and achieves the same effect.
Fig. 7 is a schematic structural diagram of embodiment one of the RADIUS server of the present invention. With reference to Fig. 7, the RADIUS server of this embodiment includes: a receiving component 41, a judging component 42 and a rate-limiting component 43; wherein,
The receiving component 41 is configured to receive control information including abnormal user information;
The judging component 42 is configured to, when the control information further includes an uplink transmission restriction policy, judge whether the uplink transmission restriction policy meets a preset condition, the preset condition being that it does not conflict with and is compatible with the historical flow control policies issued by the RADIUS server; when the uplink transmission restriction policy meets the preset condition, the rate-limiting component 43 is triggered.
The rate-limiting component 43 is configured to, when the abnormal user corresponding to the abnormal user information is online, send a flow control message to the broadband access gateway according to the control information, so as to limit the uplink transmission data of the abnormal user.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention. Any modification, equivalent replacement or improvement made within the spirit and scope of the present invention shall fall within the scope of protection of the present invention.

Claims (12)

1. A method for processing malicious attack traffic, characterized in that the method comprises:
Obtaining log information, the log information including flow cleaning log information of a flow cleaning device and ticket log information of a remote authentication dial-in user service (RADIUS) server;
Matching a first record message in the flow cleaning log information against a second record message in the ticket log information, and determining abnormal user information;
Sending control information including the abnormal user information to the RADIUS server, so that the RADIUS server limits the uplink transmission data of the abnormal user corresponding to the abnormal user information.
2. The method according to claim 1, characterized in that the first record message includes an Internet Protocol (IP) address segment, an anomaly start time and an alarm level, and the second record message includes an IP address and a current accounting start time;
The matching of the first record message in the flow cleaning log information against the second record message in the ticket log information and determining of abnormal user information comprises:
Extracting pending record messages, that is, first record messages whose recorded alarm level reaches a preset level;
Comparing the anomaly start time in the pending record message with the current accounting start time of the record message to be compared in the second record message, and determining the IP address corresponding to the pending record message; the record message to be compared is a second record message whose IP address is associated with the IP address segment of the pending record message;
According to the IP address corresponding to the pending record message, searching the second record message and determining the abnormal user information.
3. The method according to claim 2, characterized in that the control information further includes an uplink transmission restriction policy;
After the matching of the first record message in the flow cleaning log information against the second record message in the ticket log information and determining of abnormal user information, the method further comprises:
Generating the uplink transmission restriction policy corresponding to the abnormal user according to the anomaly type and anomaly duration in the pending record message that corresponds to the IP address of the abnormal user corresponding to the abnormal user information.
4. The method according to claim 1, characterized in that the log information further includes conversion log information of a network address translation device;
Before the matching of the first record message in the flow cleaning log information against the second record message in the ticket log information and determining of abnormal user information, the method further comprises:
Converting the IP address in the second record message according to the conversion log information, so that the IP address in the second record message is contained in the IP address segment in the first record message.
5. A method for processing malicious attack traffic, characterized in that the method comprises:
Receiving control information including abnormal user information;
When the abnormal user corresponding to the abnormal user information is online, sending a flow control message to a broadband access gateway according to the control information, so as to limit the uplink transmission data of the abnormal user.
6. The method according to claim 5, characterized in that the control information further includes an uplink transmission restriction policy;
Before the sending of the flow control message to the broadband access gateway according to the control information, the method further comprises:
Judging whether the uplink transmission restriction policy meets a preset condition, the preset condition being that it does not conflict with and is compatible with the historical flow control policies issued by the RADIUS server;
When the preset condition is met and the abnormal user is online, sending the flow control message to the broadband access gateway according to the control information.
7. A flow analysis server, characterized in that the flow analysis server includes: an obtaining component, a matching component and a sending component; wherein,
The obtaining component is configured to obtain log information, the log information including flow cleaning log information of a flow cleaning device and ticket log information of a remote authentication dial-in user service (RADIUS) server;
The matching component is configured to match a first record message in the flow cleaning log information against a second record message in the ticket log information and determine abnormal user information;
The sending component is configured to send control information including the abnormal user information to the RADIUS server, so that the RADIUS server limits the uplink transmission data of the abnormal user corresponding to the abnormal user information.
8. The flow analysis server according to claim 7, characterized in that the first record message includes an Internet Protocol (IP) address segment, an anomaly start time and an alarm level, and the second record message includes an IP address and a current accounting start time;
The matching component includes: an extraction subcomponent, a comparison subcomponent and a lookup subcomponent; wherein,
The extraction subcomponent is configured to extract pending record messages, that is, first record messages whose recorded alarm level reaches a preset level;
The comparison subcomponent is configured to compare the anomaly start time in the pending record message with the current accounting start time of the record message to be compared in the second record message, and determine the user IP address corresponding to the pending record message; the record message to be compared is a second record message whose IP address is associated with the IP address segment of the pending record message;
The lookup subcomponent is configured to search the second record message according to the IP address corresponding to the pending record message and determine the abnormal user information.
9. The flow analysis server according to claim 8, characterized in that the control information further includes an uplink transmission restriction policy;
The flow analysis server further includes:
A generating component, configured to generate the uplink transmission restriction policy corresponding to the abnormal user according to the anomaly type and anomaly duration in the pending record message that corresponds to the IP address of the abnormal user corresponding to the abnormal user information.
10. The flow analysis server according to claim 7, characterized in that the log information further includes conversion log information of a network address translation device;
The flow analysis server further includes:
A conversion component, configured to convert the IP address in the second record message according to the conversion log information, so that the IP address in the second record message is contained in the IP address segment in the first record message.
11. A remote authentication dial-in user service (RADIUS) server, characterized in that the RADIUS server includes: a receiving component and a rate-limiting component; wherein,
The receiving component is configured to receive control information including abnormal user information;
The rate-limiting component is configured to, when the abnormal user corresponding to the abnormal user information is online, send a flow control message to a broadband access gateway according to the control information, so as to limit the uplink transmission data of the abnormal user.
12. The RADIUS server according to claim 11, characterized in that the control information further includes an uplink transmission restriction policy;
The RADIUS server further includes:
A judging component, configured to judge whether the uplink transmission restriction policy meets a preset condition, the preset condition being that it does not conflict with and is compatible with the historical flow control policies issued by the RADIUS server; when the uplink transmission restriction policy meets the preset condition, the rate-limiting component is triggered.
CN201611260598.3A 2016-12-30 2016-12-30 Method for processing malicious attack traffic and related server Active CN108270600B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611260598.3A CN108270600B (en) 2016-12-30 2016-12-30 Method for processing malicious attack traffic and related server

Publications (2)

Publication Number Publication Date
CN108270600A true CN108270600A (en) 2018-07-10
CN108270600B CN108270600B (en) 2021-03-05

Family

ID=62755071

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611260598.3A Active CN108270600B (en) 2016-12-30 2016-12-30 Method for processing malicious attack traffic and related server

Country Status (1)

Country Link
CN (1) CN108270600B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109450955A (en) * 2018-12-30 2019-03-08 北京世纪互联宽带数据中心有限公司 A kind of flow processing method and device based on network attack
CN111031054A (en) * 2019-12-19 2020-04-17 紫光云(南京)数字技术有限公司 CC protection method
CN111800412A (en) * 2020-07-01 2020-10-20 中国移动通信集团有限公司 Advanced sustainable threat tracing method, system, computer equipment and storage medium
WO2021023053A1 (en) * 2019-08-05 2021-02-11 阿里巴巴集团控股有限公司 Data processing method and device, and storage medium
CN114173346A (en) * 2021-12-01 2022-03-11 恒安嘉新(北京)科技股份公司 Coverage detection method, device, equipment and medium for malicious program monitoring system
CN114338066A (en) * 2020-09-30 2022-04-12 中移(苏州)软件技术有限公司 Defense method, system, equipment and storage medium for denial of service attack
CN114584329A (en) * 2020-11-16 2022-06-03 中国移动通信集团广东有限公司 Method and device for positioning reasons of abnormal flow and electronic equipment
CN115412363A (en) * 2022-09-13 2022-11-29 杭州迪普科技股份有限公司 Abnormal flow log processing method and device

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102026199A (en) * 2010-12-03 2011-04-20 中兴通讯股份有限公司 WiMAX system as well as device and method for defending DDoS attack
CN102075365A (en) * 2011-02-15 2011-05-25 中国工商银行股份有限公司 Method and device for locating and protecting network attack source
CN103188104A (en) * 2011-12-31 2013-07-03 中国移动通信集团浙江有限公司 Method and device for analyzing user behaviors
CN103491095A (en) * 2013-09-25 2014-01-01 中国联合网络通信集团有限公司 Flow cleaning framework and device and flow lead and reinjection method
CN104065644A (en) * 2014-05-28 2014-09-24 北京知道创宇信息技术有限公司 Method and apparatus for recognizing CC attacks based on log analysis
CN104901975A (en) * 2015-06-30 2015-09-09 北京奇虎科技有限公司 Web log safety analyzing method, device and gateway
CN105553790A (en) * 2015-12-08 2016-05-04 中国联合网络通信集团有限公司 Data processing method and policy server
US20160205134A1 (en) * 2015-01-13 2016-07-14 Level 3 Communications, Llc Isp blacklist feed

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
孟敏: "Research and Implementation of a Campus Network AAA System Based on FreeRADIUS", 《万方数据库》 *
巫俊峰: "Controlling Traffic by Rate-Limiting Users' Uplink Bandwidth", 《江苏通信》 *

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109450955A (en) * 2018-12-30 2019-03-08 北京世纪互联宽带数据中心有限公司 A kind of flow processing method and device based on network attack
CN109450955B (en) * 2018-12-30 2022-04-05 北京世纪互联宽带数据中心有限公司 Traffic processing method and device based on network attack
WO2021023053A1 (en) * 2019-08-05 2021-02-11 阿里巴巴集团控股有限公司 Data processing method and device, and storage medium
CN111031054A (en) * 2019-12-19 2020-04-17 紫光云(南京)数字技术有限公司 CC protection method
CN111800412A (en) * 2020-07-01 2020-10-20 中国移动通信集团有限公司 Advanced sustainable threat tracing method, system, computer equipment and storage medium
CN111800412B (en) * 2020-07-01 2023-02-21 中国移动通信集团有限公司 Advanced sustainable threat tracing method, system, computer equipment and storage medium
CN114338066A (en) * 2020-09-30 2022-04-12 中移(苏州)软件技术有限公司 Defense method, system, equipment and storage medium for denial of service attack
CN114584329A (en) * 2020-11-16 2022-06-03 中国移动通信集团广东有限公司 Method and device for positioning reasons of abnormal flow and electronic equipment
CN114584329B (en) * 2020-11-16 2023-09-05 中国移动通信集团广东有限公司 Positioning method and device for reasons of abnormal flow and electronic equipment
CN114173346A (en) * 2021-12-01 2022-03-11 恒安嘉新(北京)科技股份公司 Coverage detection method, device, equipment and medium for malicious program monitoring system
CN114173346B (en) * 2021-12-01 2024-04-12 恒安嘉新(北京)科技股份公司 Coverage detection method, device, equipment and medium of malicious program monitoring system
CN115412363A (en) * 2022-09-13 2022-11-29 杭州迪普科技股份有限公司 Abnormal flow log processing method and device

Also Published As

Publication number Publication date
CN108270600B (en) 2021-03-05

Similar Documents

Publication Publication Date Title
CN108270600A (en) A kind of processing method and associated server to malicious attack flow
KR101107742B1 (en) SIP Intrusion Detection and Response System for Protecting SIP-based Services
KR101231975B1 (en) Method of defending a spoofing attack using a blocking server
CN108063765B (en) SDN system suitable for solving network security
CN101136922B (en) Service stream recognizing method, device and distributed refusal service attack defending method, system
CN108234404B (en) Defense method, system and related equipment for DDoS attack
US8347383B2 (en) Network monitoring apparatus, network monitoring method, and network monitoring program
US7478429B2 (en) Network overload detection and mitigation system and method
CN109450841B (en) Large-scale DDoS attack resisting defense method based on cloud + end equipment on-demand linkage mode
TW201738796A (en) Prevention and control method, apparatus and system for network attack
RU2636640C2 (en) Protection method of virtual private communication networks elements from ddos-attacks
EP1560398A2 (en) Metering packet flows for limiting effects of denial of service attacks
CN103036733A (en) Unconventional network access behavior monitoring system and monitoring method
CN109327426A (en) A kind of firewall attack defense method
CN110391988B (en) Network flow control method, system and safety protection device
TWI657681B (en) Analysis method of network flow and system
KR20110026926A (en) Method for blocking distributed denial of service
CN110881023A (en) Method for providing network differentiated security service based on SDN/NFV
Huang et al. Detecting stepping-stone intruders by identifying crossover packets in SSH connections
JP2008219149A (en) Traffic control system and traffic control method
RU2675900C1 (en) METHOD OF PROTECTING NODES OF VIRTUAL PRIVATE COMMUNICATION NETWORK FROM DDoS-ATTACKS WITH METHOD OF MANAGING QUANTITY OF RENDERED COMMUNICATION SERVICES TO SUBSCRIBERS
CN111901284A (en) Flow control method and system
JP4322179B2 (en) Denial of service attack prevention method and system
KR101466895B1 (en) Method of detecting voip fraud, apparatus performing the same and storage media storing the same
Chi et al. Detecting and blocking malicious traffic caused by IRC protocol based botnets

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant