CN108270600B - Method for processing malicious attack traffic and related server - Google Patents


Info

Publication number
CN108270600B
Authority
CN
China
Prior art keywords
message
user
information
abnormal
log information
Prior art date
Legal status
Active
Application number
CN201611260598.3A
Other languages
Chinese (zh)
Other versions
CN108270600A (en)
Inventor
李海明
隋鹏
杜峰
高桐
宋刚
褚尧
谭永波
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Heilongjiang Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Heilongjiang Co Ltd
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/2854 Wide area networks, e.g. public data networks
    • H04L12/2856 Access arrangements, e.g. Internet access
    • H04L12/2869 Operational details of access network equipments
    • H04L12/287 Remote access server, e.g. BRAS
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Technology Law (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for processing malicious attack traffic, comprising: acquiring log information, the log information including scrubbing log information from a traffic scrubbing device and accounting (call-detail) log information from a RADIUS (Remote Authentication Dial-In User Service) server; matching a first record in the scrubbing log information against a second record in the accounting log information to determine abnormal-user information; and sending control information including the abnormal-user information to the RADIUS server so that the RADIUS server limits the upstream traffic of the abnormal user identified by that information. The invention also discloses a traffic analysis server and a RADIUS server.

Description

Method for processing malicious attack traffic and related server
Technical Field
The present invention relates to the field of broadband services, and in particular to a method for processing malicious attack traffic, a traffic analysis server, and a Remote Authentication Dial-In User Service (RADIUS) server.
Background
Broadband service is the high-speed Internet access service that basic telecommunications carriers provide to their users, who reach the Internet over an Asymmetric Digital Subscriber Line (ADSL) or optical fibre. With the implementation of the "Broadband China" strategy, home broadband access capacity in cities and rural areas has gradually reached 20 Mbps and 4 Mbps respectively, and some developed cities have reached 100 Mbps. Higher access speeds and a growing number of Internet users also create a favourable environment for Distributed Denial of Service (DDoS) attacks: with the same number of compromised home-broadband hosts as before, an attacker can now generate far more malicious traffic. Such high-volume attacks congest network bandwidth, consume the processing capacity of network equipment, reduce overall bandwidth utilisation and threaten a wide range of services. For example, in 2015 inter-network DDoS attack traffic on China Mobile's Internet backbone (CMNET) broke out across the board, directly pushing the packet loss rate of a single circuit above 40% during the late-evening busy hour, disrupting services and causing customer complaints.
For such wide-area DDoS attacks on backbone and metropolitan area networks, basic telecommunications operators currently use two approaches. The first is manual: after a DDoS attack begins, staff observe the traffic surge through the network management system, manually extract the raw traffic logs from the various systems, manually trace the source of the malicious traffic, and then manually modify routing policy on the network equipment to block the attack-source IP address. The second is to deploy a traffic scrubbing system in the operator's own backbone and metropolitan area networks and scrub traffic through the stages of traffic detection, traffic diversion, traffic scrubbing and traffic re-injection.
A typical traffic scrubbing system can, in turn, be deployed in two ways: target-side scrubbing, where dedicated scrubbing equipment is placed close to the protected asset; or source-side scrubbing, where traffic is scrubbed in a distributed manner at several backbone nodes close to the attack sources before the malicious traffic converges.
With the manual approach, the operator's maintenance staff must quickly analyse the source of the DDoS traffic from the logs of various systems once an attack is detected in order to block the attack-source IP address. This demands considerable experience in security incident handling and equipment maintenance, so the method places high skill requirements on the staff, the response time is bounded by their experience, and attack sources with changing IP addresses cannot be handled at all.
Target-side scrubbing is single-point defence: it protects only the local system or equipment, its defensive capacity is very limited, it cannot withstand large or very large DDoS attacks, and it does not suppress the malicious traffic at its source, so a large attack easily congests or paralyses the network in which the protected target sits. Source-side scrubbing, because it operates mainly at backbone nodes, has difficulty defending against broadband users attacking one another inside a metropolitan area network, or attacks on internal networks such as Internet Data Centres (IDCs); and because the scrubbing system sits at such a high level of the network, fine-grained protection policies are hard to deploy, so again the DDoS traffic is not suppressed at its source.
Therefore, to overcome the inability of existing scrubbing approaches to suppress DDoS attack traffic effectively at its source, a new scheme for processing malicious attack traffic is urgently needed.
Disclosure of Invention
To solve these problems, embodiments of the present invention provide a method for processing malicious attack traffic, a traffic analysis server and a RADIUS server that can effectively suppress DDoS attack traffic at its source.
To this end, the technical solution of the invention is realised as follows:
An embodiment of the invention provides a method for processing malicious attack traffic, comprising:
acquiring log information, the log information including scrubbing log information from a traffic scrubbing device and accounting log information from a RADIUS server;
matching a first record in the scrubbing log information against a second record in the accounting log information to determine abnormal-user information; and
sending control information including the abnormal-user information to the RADIUS server so that the RADIUS server limits the upstream traffic of the abnormal user identified by that information.
In the above scheme, the first record includes an IP address range, an anomaly start time and an alarm level, and the second record includes a user IP address and the accounting start time of the current session;
matching the first record in the scrubbing log information against the second record in the accounting log information to determine the abnormal-user information includes:
extracting, as records to be processed, those first records whose alarm level reaches a preset level;
comparing the anomaly start time of a record to be processed with the accounting start time of the candidate second records, and determining the user IP address corresponding to the record to be processed, where a candidate second record is one whose user IP address falls within the IP address range of the record to be processed; and
looking up the abnormal-user information in the second records according to the user IP address corresponding to the record to be processed.
In the above scheme, the control information further includes an upstream restriction policy;
after matching the first record in the scrubbing log information against the second record in the accounting log information and determining the abnormal-user information, the method further includes:
generating an upstream restriction policy for the abnormal user according to the anomaly type and anomaly duration recorded, for that user's IP address, in the corresponding record to be processed.
In the above scheme, the log information further includes translation log information from a Network Address Translation (NAT) device;
before matching the first record in the scrubbing log information against the second record in the accounting log information and determining the abnormal-user information, the method further includes:
translating the user IP address in the second record according to the translation log information so that the user IP address in the second record falls within the IP address range of the first record.
An embodiment of the invention also provides a method for processing malicious attack traffic, comprising:
receiving control information including abnormal-user information; and
when the abnormal user identified by that information is online, sending a flow control message to a Broadband Remote Access Server (BRAS) according to the control information so as to limit the upstream traffic of the abnormal user.
In the above scheme, the control information further includes an upstream restriction policy;
before sending the flow control message to the BRAS according to the control information, the method further includes:
judging whether the upstream restriction policy satisfies a preset condition, the preset condition being that the policy does not conflict with, and is compatible with, the flow control policies previously issued by the RADIUS server; and
sending the flow control message to the BRAS according to the control information when the preset condition is satisfied and the abnormal user is online.
An embodiment of the invention further provides a traffic analysis server comprising an acquisition component, a matching component and a sending component, wherein:
the acquisition component acquires log information, the log information including scrubbing log information from a traffic scrubbing device and accounting log information from a RADIUS server;
the matching component matches a first record in the scrubbing log information against a second record in the accounting log information to determine abnormal-user information; and
the sending component sends control information including the abnormal-user information to the RADIUS server so that the RADIUS server can limit the upstream traffic of the abnormal user identified by that information.
In the above scheme, the first record includes an IP address range, an anomaly start time and an alarm level, and the second record includes a user IP address and the accounting start time of the current session;
the matching component includes an extraction subcomponent, a comparison subcomponent and a lookup subcomponent, wherein:
the extraction subcomponent extracts, as records to be processed, those first records whose alarm level reaches a preset level;
the comparison subcomponent compares the anomaly start time of a record to be processed with the accounting start time of the candidate second records and determines the user IP address corresponding to the record to be processed, a candidate second record being one whose user IP address falls within the IP address range of the record to be processed; and
the lookup subcomponent looks up the abnormal-user information in the second records according to the user IP address corresponding to the record to be processed.
In the above scheme, the control information further includes the upstream restriction policy;
the traffic analysis server further comprises:
a generating component that generates an upstream restriction policy for the abnormal user according to the anomaly type and anomaly duration recorded, for that user's IP address, in the corresponding record to be processed.
In the above scheme, the log information further includes translation log information from a NAT device;
the traffic analysis server further comprises:
a translation component that translates the user IP address in the second record according to the translation log information so that the user IP address in the second record falls within the IP address range of the first record.
An embodiment of the invention also provides a RADIUS server comprising a receiving component and a rate-limiting component, wherein:
the receiving component receives control information including abnormal-user information; and
the rate-limiting component, when the abnormal user identified by that information is online, sends a flow control message to the BRAS according to the control information so as to limit the upstream traffic of the abnormal user.
In the above scheme, the control information further includes an upstream restriction policy;
the RADIUS server further comprises:
a judging component that judges whether the upstream restriction policy satisfies a preset condition, the preset condition being that the policy does not conflict with, and is compatible with, the flow control policies previously issued by the RADIUS server, and that triggers the rate-limiting component when the policy satisfies the preset condition.
In the method for processing malicious attack traffic, the traffic analysis server and the RADIUS server provided by embodiments of the invention, the traffic analysis server acquires log information including scrubbing log information from the traffic scrubbing device and accounting log information from the RADIUS server; matches a first record in the scrubbing log information against a second record in the accounting log information to determine abnormal-user information; and sends control information including the abnormal-user information to the RADIUS server so that the RADIUS server can limit the upstream traffic of the abnormal user. Correspondingly, the RADIUS server receives the control information from the traffic analysis server and, when the abnormal user is online, sends a flow control message to a Broadband Remote Access Server (BRAS) according to the control information to limit the upstream traffic of that user.
On the one hand, the traffic analysis server obtains the scrubbing log and the RADIUS accounting log, matches them to identify the abnormal-user information and the corresponding abnormal users, and sends control information including that information to the RADIUS server; on the other hand, the RADIUS server sends a flow control message to the BRAS according to the control information to limit the users' upstream traffic. DDoS attack traffic is thus suppressed effectively at its source and normal operation of the broadband service is protected, with simple operation and low maintenance cost.
Drawings
Fig. 1 is a schematic flow chart of a first embodiment of the method for processing malicious attack traffic according to the present invention;
Fig. 2 is a schematic structural diagram of a traffic scrubbing network system;
Fig. 3 is a detailed flow chart of the step of determining abnormal-user information in the flow shown in fig. 1;
Fig. 4 is a schematic structural diagram of a traffic analysis server according to a first embodiment of the present invention;
Fig. 5 is a schematic diagram of the detailed structure of the matching component in the traffic analysis server shown in fig. 4;
Fig. 6 is a schematic flow chart of a second embodiment of the method for processing malicious attack traffic according to the present invention;
Fig. 7 is a schematic structural diagram of a RADIUS server according to a first embodiment of the present invention.
Detailed Description
The method for processing malicious attack traffic according to embodiments of the invention is applied in a traffic scrubbing network system. On the one hand, a traffic analysis server obtains scrubbing log information from the traffic scrubbing device and accounting log information from the RADIUS server, matches them to determine the abnormal-user information and the corresponding abnormal users, and sends control information including the abnormal-user information to the RADIUS server; on the other hand, the RADIUS server sends a flow control message to the BRAS according to the control information to limit the upstream traffic of the abnormal user, so that DDoS attack traffic is effectively suppressed at its source.
The implementation, functional features and advantages of the invention are further explained below with reference to the accompanying drawings. It should be understood that the specific embodiments described here merely illustrate the invention and are not intended to limit it.
Fig. 1 is a schematic flow chart of a first embodiment of the method for processing malicious attack traffic according to the invention. Referring to fig. 1, the method of this embodiment includes the following steps:
Step 101: obtain log information, the log information including scrubbing log information from the traffic scrubbing device and accounting log information from the RADIUS server.
The method of this embodiment is applied mainly on the traffic analysis server of a traffic scrubbing network system and is used to analyse and determine the abnormal-user information associated with malicious attack traffic.
Fig. 2 is a schematic structural diagram of the traffic scrubbing network system. Referring to fig. 2, the system comprises a traffic scrubbing system, a traffic analysis server, a RADIUS server and a BRAS.
The traffic analysis server is part of a DDoS traffic analysis and handling platform and can acquire log information either periodically or aperiodically. A trigger for aperiodic acquisition may be the receipt of alarm information from the traffic detection device: the detection device sends alarm information to the traffic scrubbing device and, at the same time, to the traffic analysis server, which is thereby triggered to acquire the log information and analyse it to determine the abnormal-user information associated with the attack traffic.
The log information comprises scrubbing log information from the traffic scrubbing device and accounting log information from the RADIUS server. In the scrubbing system, a detection configuration is first needed to monitor and protect the IP address ranges of broadband users; the traffic detection device then inspects the service traffic in real time and, when malicious attack traffic reaches or exceeds a configured security baseline, sends alarm information to the traffic scrubbing device; finally, the scrubbing device starts its scrubbing and filtering process and generates scrubbing log information. The scrubbing log information may contain many first records, each of which includes an IP address range, an anomaly start time, an anomaly type, an anomaly duration and an alarm level. Correspondingly, when a broadband user performs dial-up authentication against the RADIUS server, the RADIUS server records the user's IP address and related session information and generates accounting log information. The accounting log may contain many second records, each of which includes a user name, a user IP address, the accounting start time of the current session and the address of the BRAS device.
How the traffic analysis server acquires the log information can be set according to actual needs; in this embodiment the traffic analysis server collects the scrubbing log information and the accounting log information aperiodically, in near real time, over syslog.
Step 102: match a first record in the scrubbing log information against a second record in the accounting log information to determine abnormal-user information.
In this step, the fields of the first record and the fields of the second record are matched to produce the abnormal-user information. The fields of the first record used for matching are the IP address range, the alarm level and the anomaly start time; the fields of the second record used for matching are the user IP address and the accounting start time. The abnormal-user information comprises a user name and a BRAS device address.
Further, when a broadband user is assigned a private (intranet) IP address, the user IP address in the accounting log is that private address, whereas the IP address range in the scrubbing log is a public address range; because the two address forms differ, matching the scrubbing log against the accounting log would fail. Therefore, when private addresses are assigned, the traffic analysis server must additionally acquire, in near real time over syslog, the translation log information of the Network Address Translation (NAT) device before matching the first and second records; using that translation log it translates the user IP address in the second record into the corresponding public IP address so that it falls within the IP address range of the first record and the two records can be matched.
Specifically, fig. 3 is a detailed flow chart for determining the abnormal-user information in step 102 of the flow shown in fig. 1. Referring to fig. 3, step 102 includes the following steps:
Step 1021: extract, as records to be processed, those first records whose alarm level reaches a preset level.
In this step, several alarm levels may be defined according to the volume of malicious attack traffic; for example, there may be three levels, high, medium and low. In this embodiment only first records with the high alarm level are processed, that is, first records with the high alarm level are extracted as the records to be processed.
Step 1022: compare the anomaly start time of the record to be processed with the accounting start time of the candidate second records, and determine the user IP address corresponding to the record to be processed; a candidate second record is a second record whose user IP address falls within the IP address range of the record to be processed.
Step 1023: look up the abnormal-user information in the second records according to the user IP address corresponding to the record to be processed.
In this embodiment an IP address range covers many user IP addresses, and different ranges cover different user IP addresses, so an association between a record to be processed and the second records can be established from the IP address range and the user IP addresses, which determines the candidate second records; the relationship between the anomaly start time of the record to be processed and the accounting start time of each candidate record is then determined, so that each record to be processed is matched to its candidate record; and the abnormal-user information is obtained from the user name and BRAS device address recorded in that candidate record.
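The following is an added worked example of steps 1021 to 1023 together with the NAT translation described above, written for this page; it is not code from the patent or from its assignee. The log line layouts, field names, addresses and user names are constructed for illustration only; real scrubbing devices, RADIUS servers and NAT gateways each emit their own syslog formats. One point the patent leaves open is made explicit and should be read as an assumption: a session counts as a candidate source only if its accounting start time is no later than the anomaly start time, i.e. the subscriber was already online when the anomaly began.

```python
"""Correlate traffic-scrubbing alarms with RADIUS accounting records
to identify the subscribers (user name + BRAS) behind attack traffic."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample syslog payloads (not captured from real equipment).
# Field names and layout are assumptions for this example only.
SCRUB_LOG = """\
ts=2016-12-30T22:05:10 prefix=198.51.100.0/24 start=2016-12-30T22:04:55 type=syn_flood duration=900 level=high
ts=2016-12-30T22:06:00 prefix=203.0.113.0/24 start=2016-12-30T22:05:40 type=udp_flood duration=120 level=low
ts=2016-12-30T22:07:30 prefix=203.0.113.0/24 start=2016-12-30T22:07:00 type=dns_amp duration=1800 level=high
"""
ACCT_LOG = """\
user=hlj0001 ip=10.10.1.5 acct_start=2016-12-30T20:00:00 bras=192.0.2.1
user=hlj0002 ip=10.10.1.9 acct_start=2016-12-30T22:06:30 bras=192.0.2.1
user=hlj0003 ip=203.0.113.77 acct_start=2016-12-30T21:30:00 bras=192.0.2.2
user=hlj0004 ip=203.0.113.88 acct_start=2016-12-30T22:07:30 bras=192.0.2.2
"""
NAT_LOG = """\
private=10.10.1.5 public=198.51.100.7 start=2016-12-30T20:00:05
private=10.10.1.9 public=198.51.100.9 start=2016-12-30T22:06:35
"""


@dataclass(frozen=True)
class ScrubRecord:            # the patent's "first record"
    prefix: ipaddress.IPv4Network
    start: datetime
    anomaly_type: str
    duration: int             # seconds
    level: str


@dataclass(frozen=True)
class AcctRecord:             # the patent's "second record"
    user: str
    ip: ipaddress.IPv4Address
    acct_start: datetime
    bras: str


def _kv(line: str) -> Dict[str, str]:
    """Split a 'k=v k=v ...' syslog payload into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def load_scrub(text: str) -> List[ScrubRecord]:
    return [ScrubRecord(ipaddress.ip_network(f["prefix"]), _ts(f["start"]),
                        f["type"], int(f["duration"]), f["level"])
            for f in map(_kv, text.splitlines())]


def load_acct(text: str) -> List[AcctRecord]:
    return [AcctRecord(f["user"], ipaddress.ip_address(f["ip"]), _ts(f["acct_start"]), f["bras"])
            for f in map(_kv, text.splitlines())]


def load_nat(text: str) -> Dict[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """private -> public mapping; a later line for the same private address wins."""
    return {ipaddress.ip_address(f["private"]): ipaddress.ip_address(f["public"])
            for f in map(_kv, text.splitlines())}


def translate_to_public(acct: List[AcctRecord], nat) -> List[AcctRecord]:
    """The patent's translation step: rewrite private user addresses to the
    public address the scrubbing device actually saw. Addresses without a NAT
    entry are assumed to be public already and are kept as-is."""
    return [AcctRecord(a.user, nat.get(a.ip, a.ip), a.acct_start, a.bras) for a in acct]


def find_abnormal_users(scrub, acct, min_level="high") -> List[dict]:
    abnormal = []
    for s in scrub:
        if s.level != min_level:                 # step 1021: only alarms at the preset level
            continue
        for a in acct:
            if a.ip not in s.prefix:             # candidate records share the alarm's prefix
                continue
            if a.acct_start > s.start:           # step 1022 (assumed interpretation):
                continue                         # the session must predate the anomaly
            abnormal.append({"user": a.user, "bras": a.bras, "ip": str(a.ip),   # step 1023
                             "type": s.anomaly_type, "duration": s.duration})
    return abnormal


def run_example() -> List[dict]:
    acct = translate_to_public(load_acct(ACCT_LOG), load_nat(NAT_LOG))
    return find_abnormal_users(load_scrub(SCRUB_LOG), acct)


if __name__ == "__main__":
    for u in run_example():
        print(u)
```

On the constructed input only hlj0001 (via its NAT mapping to 198.51.100.7) and hlj0003 are returned; hlj0002 and hlj0004 came online after their prefix's anomaly started, and the low-level alarm is skipped. Two caveats a practitioner should keep in mind: a /24 alarm covers up to 254 sessions, so the time comparison alone does not single out one subscriber, and a NAT log keyed only on addresses (without port blocks and mapping lifetimes) can attribute traffic to the wrong subscriber once a public address is reused. The output is therefore a candidate list for rate-limiting rather than proof of attack from any one account.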
Step 103, sending control information including the abnormal user information to a remote user dialing authentication server, so that the remote user dialing authentication server can limit uplink transmission data of the abnormal user corresponding to the abnormal user information.
In this step, the control information may only include the abnormal user information, and may also include the abnormal user information and an uplink transmission restriction policy of the abnormal user corresponding to the abnormal user information, which will be described in detail below. Specifically, the abnormal user corresponding to the abnormal user information forms a blacklist, and the Radius server may limit uplink transmission data for the abnormal user according to the blacklist; when the control information only includes the abnormal user information, the Radius server may limit uplink transmission data of the abnormal user in the blacklist according to a preset uplink transmission limiting policy; when the control information includes the abnormal user information and the uplink transmission limitation strategy of the abnormal user corresponding to the abnormal user information, the Radius server may limit the uplink transmission data of the abnormal user according to the uplink transmission limitation strategy in the control information.
Furthermore, the traffic analysis server may set a separate uplink transmission restriction policy for each abnormal user in the blacklist, or apply the same uplink transmission restriction policy to all abnormal users in the blacklist; this embodiment is described in detail with a separate policy for each abnormal user. Specifically, the uplink transmission restriction policy for an abnormal user is generated from the abnormal type and abnormal duration recorded, for that user's IP address, in the corresponding to-be-processed record message.
Specifically, when a broadband user is assigned a public network IP address, the traffic analysis server collects the traffic cleaning log information of the traffic cleaning device and the ticket log information of the Radius server, each via syslog in quasi-real time; when a broadband user is assigned an intranet IP address, the traffic analysis server additionally collects the translation log information of the NAT device in the same way;
when an intranet IP address is assigned to the broadband user, translating the user IP address in the second record message into a public network IP address according to the translation log information, so that the user IP address falls within an IP address field of the first record message;
extracting the to-be-processed record messages whose alarm level recorded in the first record message is high;
establishing, from the IP address field and the user IP addresses, the association between each to-be-processed record message and the second record messages, and determining the to-be-compared record messages;
when the abnormal start time in a to-be-processed record message is later than the current charging start time in a to-be-compared record message, determining that to-be-compared record message as the one corresponding to the to-be-processed record message;
obtaining the abnormal user information, and hence the abnormal users, from the user name and the BRAS device address recorded in the to-be-compared record message;
generating an uplink transmission restriction policy for each abnormal user from the abnormal type and abnormal duration recorded for that user's IP address in the corresponding to-be-processed record message;
and sending control information including the abnormal user information to the Radius server, so that the Radius server limits the uplink transmission data of the abnormal users corresponding to the abnormal user information.
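The correlation procedure above, as an added worked example in Python that is not part of the patent: it parses constructed cleaning, ticket and NAT syslog lines, translates private user IPs to their public addresses, keeps only high-level alarms, associates each alarm's IP address field with the tickets that fall inside it, applies the rule that the abnormal start time must be later than the current charging start time, and generates a per-user policy on Input_Peak_Rate and Input_Average_Rate. The syslog formats, field names, rate values and the policy scaling are assumptions. Where the text compares against a single to-be-compared record, the example generalises slightly to several tickets on the same IP address (address reuse) by choosing the session whose charging start is the latest one before the abnormal start, which is the user that held the address when the anomaly began.

```python
# Added example (not the patent's own code): correlating traffic-cleaning
# alarm records with Radius accounting tickets, via NAT translation logs, to
# build the abnormal-user blacklist and a per-user uplink restriction policy.
# The syslog formats, field names and rate values are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

LEVEL_RANK = {"low": 0, "medium": 1, "high": 2}

@dataclass
class CleaningRecord:          # "first record message" from the cleaning device
    ip_range: str              # IP address field, e.g. 203.0.113.0/24
    abnormal_start: datetime
    alarm_level: str
    abnormal_type: str
    duration_s: int

@dataclass
class TicketRecord:            # "second record message" from the Radius server
    user_ip: str
    username: str
    bras_address: str
    billing_start: datetime    # current charging start time

@dataclass
class AbnormalUser:
    username: str
    bras_address: str
    user_ip: str
    abnormal_type: str
    duration_s: int

def _kv(line):
    """Split a constructed 'TAG key=value ...' syslog line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split()[1:])

def parse_cleaning(line):
    f = _kv(line)
    return CleaningRecord(f["range"], datetime.fromisoformat(f["start"]),
                          f["level"], f["type"], int(f["duration"]))

def parse_ticket(line):
    f = _kv(line)
    return TicketRecord(f["ip"], f["user"], f["bras"], datetime.fromisoformat(f["start"]))

def translate_user_ips(tickets, nat_lines):
    """Rewrite private user IPs to their public NAT address so that they fall
    inside the public IP address fields reported by the cleaning device."""
    nat = {f["private"]: f["public"] for f in map(_kv, nat_lines)}
    out = []
    for t in tickets:
        ip = nat.get(t.user_ip, t.user_ip) if ip_address(t.user_ip).is_private else t.user_ip
        out.append(TicketRecord(ip, t.username, t.bras_address, t.billing_start))
    return out

def find_abnormal_users(cleaning, tickets, preset_level="high"):
    by_ip = {}
    for t in tickets:
        by_ip.setdefault(t.user_ip, []).append(t)
    found = []
    for c in cleaning:
        if LEVEL_RANK[c.alarm_level] < LEVEL_RANK[preset_level]:
            continue                  # only alarms at or above the preset level
        net = ip_network(c.ip_range)
        for ip, sessions in by_ip.items():
            if ip_address(ip) not in net:
                continue              # ticket not associated with this IP range
            # Holder of the address when the anomaly began: latest charging start
            # before the abnormal start. A later session cannot have produced it.
            earlier = [s for s in sessions if s.billing_start < c.abnormal_start]
            if earlier:
                s = max(earlier, key=lambda x: x.billing_start)
                found.append(AbnormalUser(s.username, s.bras_address, ip,
                                          c.abnormal_type, c.duration_s))
    return found

def make_policy(u, base_peak_kbps=2000, base_avg_kbps=1000):
    """Per-user uplink limit from abnormal type and duration (assumed scaling)."""
    factor = 4 if u.duration_s >= 600 else 2
    if u.abnormal_type in ("SYN_FLOOD", "UDP_FLOOD"):
        factor *= 2
    return {"username": u.username, "bras": u.bras_address,
            "Input_Peak_Rate": base_peak_kbps // factor,
            "Input_Average_Rate": base_avg_kbps // factor}

# Constructed sample logs standing in for the quasi-real-time syslog feeds.
CLEANING_LOGS = [
    "CLEAN range=203.0.113.0/24 start=2016-12-30T10:05:00 level=high type=SYN_FLOOD duration=900",
    "CLEAN range=198.51.100.0/24 start=2016-12-30T10:07:00 level=low type=ICMP_FLOOD duration=60",
]
TICKET_LOGS = [
    "TICKET ip=10.0.0.5 user=alice bras=bras-01 start=2016-12-30T09:00:00",     # private IP, see NAT_LOGS
    "TICKET ip=203.0.113.40 user=carol bras=bras-02 start=2016-12-30T08:00:00",
    "TICKET ip=203.0.113.40 user=bob bras=bras-02 start=2016-12-30T10:30:00",   # online after the anomaly
    "TICKET ip=198.51.100.9 user=dave bras=bras-03 start=2016-12-30T09:30:00",  # range only at low level
]
NAT_LOGS = ["NAT private=10.0.0.5 public=203.0.113.17"]

def build_control_information():
    """Run the whole pipeline and return the control information to send."""
    cleaning = [parse_cleaning(line) for line in CLEANING_LOGS]
    tickets = translate_user_ips([parse_ticket(line) for line in TICKET_LOGS], NAT_LOGS)
    users = find_abnormal_users(cleaning, tickets)
    return {"blacklist": users, "policies": [make_policy(u) for u in users]}
```

On the sample data the blacklist contains alice (reached through the NAT translation) and carol (the session that held 203.0.113.40 before the anomaly began); bob is excluded because his session started after the abnormal start time, and dave is excluded because his range only raised a low-level alarm.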
The traffic analysis server determines the abnormal user information by acquiring the traffic cleaning log information of the traffic cleaning device and the ticket log information of the Radius server and matching the two; it then sends control information including the abnormal user information to the Radius server, so that the Radius server limits the uplink transmission data of the corresponding abnormal users. This suppresses DDoS attack traffic at its source for the following reason: the traffic cleaning log information records an IP address field, an alarm level, an abnormal type and an abnormal duration, and the recorded IP address field indicates that some users within that field are generating DDoS attack traffic; the ticket log information records the user IP address, user name, BRAS device address and charging start time. By correlating the two, the traffic analysis server identifies the abnormal user information, and hence the abnormal users, behind the DDoS attack traffic; the Radius server then limits those users' uplink transmission data, so the attack traffic is prevented from being uploaded into the network and is effectively suppressed at the source.
Further, the invention provides a traffic analysis server for implementing the details of the above method for processing malicious attack traffic, with the same effect.
Fig. 4 is a schematic structural diagram of a first embodiment of a traffic analysis server according to the present invention. Referring to fig. 4, the traffic analysis server of this embodiment includes an acquiring component 21, a converting component 22, a matching component 23, a generating component 24 and a sending component 25, wherein:
the acquiring component 21 is configured to acquire log information, where the log information includes traffic cleaning log information of a traffic cleaning device, ticket log information of a remote user dialing authentication server, and conversion log information of a network address conversion device;
the flow cleaning log information comprises a first recording message, and the ticket log information comprises a second recording message; the first recording message comprises an IP address field, abnormal starting time and an alarm level, and the second recording message comprises a user IP address and the charging starting time;
the converting component 22 is configured to convert the user IP address in the second record message according to the conversion log information, so that the user IP address in the second record message is included in the IP address field in the first record message;
the matching component 23 is configured to match a first recorded message in the traffic cleaning log information with a second recorded message in the ticket log information, and determine abnormal user information;
the generating component 24 is configured to generate an uplink transmission restriction policy corresponding to the abnormal user according to the abnormal type and the abnormal duration of the user IP address of the abnormal user corresponding to the abnormal user information in the corresponding to-be-processed recording message;
the sending component 25 is configured to send control information including the abnormal user information to a remote user dialing authentication server, so that the remote user dialing authentication server limits the uplink transmission data of the abnormal user corresponding to the abnormal user information, where the control information further includes the uplink transmission restriction policy.
Fig. 5 is a schematic diagram of the detailed structure of the matching component in the traffic analysis server shown in fig. 4. Referring to fig. 5, the matching component 23 includes an extracting subcomponent 231, a comparing subcomponent 232 and a searching subcomponent 233, wherein:
the extracting subcomponent 231 is configured to extract the pending record message recorded in the first record message, where the alarm level reaches a preset level;
the comparison sub-component 232 is configured to compare the abnormal starting time in the to-be-processed recording message with the current charging starting time of the to-be-compared recording message in the second recording message, and determine a user IP address corresponding to the to-be-processed recording message; the to-be-compared recording message is a second recording message associated with the user IP address and the IP address field of the to-be-processed recording message;
the searching subcomponent 233 is configured to search and determine the abnormal user information in the second record message according to the user IP address corresponding to the record message to be processed.
Further, the present invention also provides a method for processing malicious attack traffic, fig. 6 is a schematic flow chart of an implementation of a second embodiment of the method for processing malicious attack traffic of the present invention, and referring to fig. 6, the method for processing malicious attack traffic of the present embodiment includes the following steps:
step 301, receiving control information including abnormal user information;
the method for processing malicious attack traffic in this embodiment is mainly applied to a Radius server of a traffic cleaning network system, as shown in fig. 2, and is used for limiting uplink transmission data of an abnormal user corresponding to abnormal user information; in this embodiment, the Radius server receives control information including abnormal user information sent by the traffic analysis server, sends a flow control message to the BRAS according to the control information, and limits uplink transmission data of an abnormal user corresponding to the abnormal user information.
Step 302, when the abnormal user corresponding to the abnormal user information is online, sending a flow control message to a broadband access gateway according to the control information so as to limit uplink transmission data of the abnormal user.
In this step, limiting the uplink transmission data of the abnormal user corresponding to the abnormal user information may mean limiting the uplink burst Rate (Input_Peak_Rate) and/or the uplink Average Rate (Input_Average_Rate) of the abnormal user; this embodiment is described by limiting both the Input_Peak_Rate and the Input_Average_Rate of the abnormal user.
Here, the abnormal users corresponding to the abnormal user information form a blacklist. The Radius server may limit the Input_Peak_Rate and Input_Average_Rate of each abnormal user in the blacklist according to that user's own uplink transmission restriction policy, or may limit the Input_Peak_Rate and Input_Average_Rate of all abnormal users in the blacklist with the same policy; this embodiment is described with a separate policy per abnormal user. Specifically, when an abnormal user corresponding to the abnormal user information is online, the Radius server sends a flow control message to the BRAS according to the control information, limiting the Input_Peak_Rate and Input_Average_Rate of that abnormal user.
The flow control message may be a bandwidth change control message (COA message) of the Radius extension protocol, which dynamically changes a user's attributes while the broadband user is online, so as to limit the user's uplink burst Rate (Input_Peak_Rate) and uplink Average Rate (Input_Average_Rate).
The COA message carries the blacklist entries and/or the per-user uplink transmission restriction policies that have changed relative to the flow control policy last issued by the Radius server, so that the limits on the abnormal users' Input_Peak_Rate and Input_Average_Rate are applied dynamically; at the same time, an abnormal user that appeared in the blacklist issued last time but not in the current one is turned back into a whitelisted user by sending a COA message to the BRAS, restoring that user's Input_Peak_Rate and Input_Average_Rate to their normal state.
To ensure that the uplink transmission restriction policy does not conflict with, and is compatible with, the historical flow control policy issued by the Radius server, so that the flow control policy issued by the Radius server is applied normally, the Radius server must judge, before sending the flow control message to the BRAS for an online abnormal user, whether the uplink transmission restriction policy is free of conflict with and compatible with its historical flow control policy. Non-conflicting and compatible means that the uplink transmission restriction policy does not contradict the historical flow control policy issued by the Radius server and limits the Input_Peak_Rate and Input_Average_Rate only of users within the management range of the Radius server.
When the Radius server finds, on internal query, that the uplink transmission restriction policy conflicts with the historical flow control policy it has issued, it does not issue the restriction policy and informs the traffic analysis server of the DDoS traffic analysis and handling platform of the reason, so that the traffic analysis server knows the actual execution status; when it finds that the restriction policy does not conflict with and is compatible with the historical policy, it sends a COA message to the BRAS according to the blacklist and the restriction policy, changing the user attributes while the broadband user is online; correspondingly, the BRAS limits the user's Input_Peak_Rate and Input_Average_Rate according to the user attributes and the corresponding uplink transmission restriction policy.
Specifically, the Radius server receives, from the traffic analysis server, control information including the abnormal user information and the uplink transmission restriction policy corresponding to the abnormal users;
it judges whether the uplink transmission restriction policy sent by the traffic analysis server does not conflict with and is compatible with the historical flow control policy issued by the Radius server. When the Radius server finds, on internal query, that the restriction policy conflicts with the historical policy it has issued, it does not issue the restriction policy and informs the traffic analysis server of the DDoS traffic analysis and handling platform of the reason, so that the traffic analysis server knows the actual execution status; when it finds that the restriction policy does not conflict with and is compatible with the historical policy, it issues a COA message to the BRAS through the Radius extension protocol according to the control information. On receiving the COA message, the BRAS limits the uplink burst Rate (Input_Peak_Rate) and the uplink Average Rate (Input_Average_Rate) of each abnormal user in the blacklist, and at the same time restores to their normal state the Input_Peak_Rate and Input_Average_Rate of any abnormal user that appeared in the previous blacklist but not in the current one.
It can be understood that the Radius server receives the control information from the traffic analysis server, sends the flow control message to the BRAS according to it, and limits the uplink transmission data of the abnormal users corresponding to the abnormal user information, which restricts DDoS attack traffic at its source for the following reason: the Radius server judges, from the control information, whether the uplink transmission restriction policy sent by the traffic analysis server does not conflict with and is compatible with the historical flow control policy it has issued, and only when that is the case does it issue the flow control message, changing the attributes of the Radius user while that user is online; on receiving the flow control message, the BRAS limits the Input_Peak_Rate and Input_Average_Rate of the abnormal users in the blacklist, so that DDoS attack traffic is prevented from being uploaded into the network and is effectively suppressed at the source.
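The Radius-side handling described in the preceding paragraphs, as an added example in Python that is not the patent's own code: each received uplink transmission restriction policy is checked against the historical flow control policy already in force, COA messages are then computed for the BRAS (new or changed limits for blacklisted users who are online, and restoration of normal rates for users who have dropped out of the blacklist), and rejected policies are collected so that their reason can be reported back to the traffic analysis server. The conflict rule (user outside the management range, unsupported attributes, or loosening a limit already in force), the message dictionaries and the sample state are assumptions; the encoding of actual CoA packets is not shown.

```python
# Added example (not the patent's own code): the Radius-side decision logic.
# Each received uplink restriction policy is checked against the historical
# flow-control policy; COA messages are then computed for the BRAS and rejected
# policies are collected for reporting back to the traffic analysis server.
# The conflict rule, message dicts and sample data are constructed
# assumptions; real CoA packet encoding is not part of this example.
from dataclasses import dataclass, field

RATE_ATTRS = ("Input_Peak_Rate", "Input_Average_Rate")

@dataclass
class RadiusState:
    managed_bras: set        # BRAS devices within this server's management range
    online_users: set        # users with an active session
    # username -> {"bras": ..., "attrs": {...}} currently enforced on the BRAS
    historical: dict = field(default_factory=dict)
    last_blacklist: set = field(default_factory=set)

def check_policy(state, policy):
    """Return None if the policy is compatible with the historical policy,
    otherwise the reason it is rejected (assumed conflict rules)."""
    user, bras = policy["username"], policy["bras"]
    if bras not in state.managed_bras:
        return f"{user}: BRAS {bras} is outside the management range"
    extra = set(policy) - {"username", "bras", *RATE_ATTRS}
    if extra:
        return f"{user}: unsupported attributes {sorted(extra)}"
    enforced = state.historical.get(user)
    if enforced and any(policy[a] > enforced["attrs"][a] for a in RATE_ATTRS):
        return f"{user}: would loosen a limit already enforced by an earlier policy"
    return None

def build_coa_messages(state, control_info):
    """Return (coa_messages, rejections) and update the server's state."""
    policies = {p["username"]: p for p in control_info["policies"]}
    accepted, rejections = set(), []
    for user, p in policies.items():
        reason = check_policy(state, p)
        if reason:
            rejections.append(reason)
        else:
            accepted.add(user)
    # A user whose new policy was rejected keeps the limit already in force.
    blacklist = accepted | (state.last_blacklist & set(policies))
    messages = []
    for user in sorted(accepted):
        if user not in state.online_users:
            continue                         # COA applies only to online users
        p = policies[user]
        attrs = {a: p[a] for a in RATE_ATTRS}
        if state.historical.get(user, {}).get("attrs") != attrs:   # new or changed
            messages.append({"type": "CoA-Request", "user": user,
                             "bras": p["bras"], "attrs": attrs})
            state.historical[user] = {"bras": p["bras"], "attrs": attrs}
    # Users blacklisted last time but not now are returned to the whitelist.
    for user in sorted(state.last_blacklist - blacklist):
        prev = state.historical.pop(user, None)
        if prev and user in state.online_users:
            messages.append({"type": "CoA-Request", "user": user, "bras": prev["bras"],
                             "attrs": {a: "default" for a in RATE_ATTRS}})
    state.last_blacklist = blacklist
    return messages, rejections

def sample_state():
    """Constructed state: erin was restricted by the previous round."""
    return RadiusState(
        managed_bras={"bras-01", "bras-02"},
        online_users={"alice", "carol", "erin"},
        historical={"erin": {"bras": "bras-01", "attrs": {
            "Input_Peak_Rate": 500, "Input_Average_Rate": 250}}},
        last_blacklist={"erin"})

# Constructed control information from the traffic analysis server; frank's
# BRAS is outside this server's management range and must be rejected.
SAMPLE_CONTROL_INFO = {"policies": [
    {"username": "alice", "bras": "bras-01", "Input_Peak_Rate": 250, "Input_Average_Rate": 125},
    {"username": "carol", "bras": "bras-02", "Input_Peak_Rate": 250, "Input_Average_Rate": 125},
    {"username": "frank", "bras": "bras-09", "Input_Peak_Rate": 250, "Input_Average_Rate": 125},
]}

if __name__ == "__main__":
    msgs, rejected = build_coa_messages(sample_state(), SAMPLE_CONTROL_INFO)
    for m in msgs:
        print(m)
    for r in rejected:
        print("not issued:", r)
```

Running the sample produces limit messages for alice and carol, a restoration message for erin (blacklisted last round but not this one), and one rejection for frank; feeding the same control information a second time produces no messages, since nothing changed relative to the policy last issued.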
Further, the invention also provides a remote user dialing authentication server for implementing the details of the second embodiment of the method for processing malicious attack traffic of the invention, with the same effect.
Fig. 7 is a schematic structural diagram of a remote user dialing authentication server according to a first embodiment of the present invention. Referring to fig. 7, the Radius server of this embodiment includes a receiving component 41, a judging component 42 and a speed limiting component 43, wherein:
the receiving part 41 is configured to receive control information including abnormal user information;
the determining component 42 is configured to determine whether the uplink transmission restriction policy meets a preset condition when the control information further includes an uplink transmission restriction policy, where the preset condition is that the uplink transmission restriction policy does not conflict with and is compatible with a historical flow control policy issued by the remote user dial-up authentication server; and when the uplink transmission limiting strategy meets a preset condition, triggering the speed limiting component 43.
the speed limiting component 43 is configured to send a flow control message to the broadband access gateway according to the control information when the abnormal user corresponding to the abnormal user information is online, so as to limit the uplink transmission data of the abnormal user.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, and improvement made within the spirit and scope of the present invention are included in the protection scope of the present invention.

Claims (12)

1. A method for processing malicious attack traffic, the method comprising:
acquiring log information, wherein the log information comprises flow cleaning log information of flow cleaning equipment and ticket log information of a remote user dialing authentication server;
matching a first recorded message in the traffic cleaning log information with a second recorded message in the call ticket log information to determine abnormal user information;
and sending control information including the abnormal user information to a remote user dialing authentication server for limiting uplink transmission data of the abnormal user corresponding to the abnormal user information by the remote user dialing authentication server.
2. The method according to claim 1, wherein the first record message includes an internet protocol IP address field, an abnormal starting time and an alarm level, and the second record message includes a user IP address and a current billing starting time;
the matching of the first recorded message in the traffic cleaning log information and the second recorded message in the call ticket log information, and the determining of the abnormal user information includes:
extracting the to-be-processed recording message of which the alarm level recorded in the first recording message reaches a preset level;
comparing the abnormal starting time in the recording message to be processed with the charging starting time of the recording message to be compared in the second recording message, and determining the user IP address corresponding to the recording message to be processed; the to-be-compared recording message is a second recording message associated with the user IP address and the IP address field of the to-be-processed recording message;
and searching and determining abnormal user information in the second recording message according to the user IP address corresponding to the recording message to be processed.
3. The method of claim 2, wherein the control information further comprises an uplink transmission restriction policy;
after the first recorded message in the traffic cleaning log information is matched with the second recorded message in the call ticket log information and abnormal user information is determined, the method further comprises the following steps:
and generating an uplink transmission limitation strategy corresponding to the abnormal user according to the abnormal type and the abnormal duration of the user IP address of the abnormal user corresponding to the abnormal user information in the corresponding to-be-processed recording message.
4. The method of claim 1, wherein the log information further comprises conversion log information of a network address conversion device;
before the matching of the first recorded message in the traffic cleaning log information and the second recorded message in the call ticket log information and the determination of the abnormal user information, the method further comprises the following steps:
and converting the user IP address in the second recording message according to the conversion log information, so that the user IP address in the second recording message is contained in the IP address field in the first recording message.
5. A method for processing malicious attack traffic, the method comprising:
receiving control information including abnormal user information;
the abnormal user information is determined by matching a first recorded message of flow cleaning log information of flow cleaning equipment included in the log information with a second recorded message of ticket log information of a remote user dialing authentication server;
and when the abnormal user corresponding to the abnormal user information is on line, sending a flow control message to a broadband access gateway according to the control information so as to limit the uplink transmission data of the abnormal user.
6. The method of claim 5, wherein the control information further comprises an uplink transmission restriction policy;
before sending the flow control message to the broadband access gateway according to the control information, the method further includes:
judging whether the uplink transmission limiting strategy meets a preset condition, wherein the preset condition is that the uplink transmission limiting strategy is not conflicted with and compatible with a historical flow control strategy issued by a remote user dialing authentication server;
and when the preset condition is met and the abnormal user is on line, sending the flow control message to a broadband access gateway according to the control information.
7. A traffic analysis server, characterized in that the traffic analysis server comprises: an acquisition component, a matching component and a transmission component; wherein:
the acquisition component is used for acquiring log information, wherein the log information comprises flow cleaning log information of flow cleaning equipment and ticket log information of a remote user dialing authentication server;
the matching component is used for matching a first recorded message in the traffic cleaning log information with a second recorded message in the call ticket log information to determine abnormal user information;
and the sending component is used for sending control information including the abnormal user information to a remote user dialing authentication server, so that the remote user dialing authentication server can limit uplink transmission data of the abnormal user corresponding to the abnormal user information.
8. The traffic analysis server according to claim 7, wherein the first record message includes an internet protocol IP address field, an abnormal start time and an alarm level, and the second record message includes a user IP address and a current billing start time;
the matching means includes: an extracting subcomponent, a comparing subcomponent and a searching subcomponent; wherein:
the extracting subcomponent is used for extracting the to-be-processed recording message recorded in the first recording message, wherein the alarm level of the to-be-processed recording message reaches a preset level;
the comparison subcomponent is used for comparing the abnormal starting time in the record message to be processed with the charging starting time of the record message to be compared in the second record message, and determining the user IP address corresponding to the record message to be processed; the to-be-compared recording message is a second recording message associated with the user IP address and the IP address field of the to-be-processed recording message;
and the searching subcomponent is used for searching and determining abnormal user information in the second recording message according to the user IP address corresponding to the recording message to be processed.
9. The traffic analysis server of claim 8, wherein the control information further comprises an upstream transmission restriction policy;
the traffic analysis server further comprises:
and the generating component is used for generating an uplink transmission limiting strategy corresponding to the abnormal user according to the abnormal type and the abnormal duration of the user IP address of the abnormal user corresponding to the abnormal user information in the corresponding to-be-processed recording message.
10. The traffic analysis server of claim 7, wherein the log information further includes conversion log information of a network address conversion device;
the traffic analysis server further comprises:
and a conversion component, configured to convert the user IP address in the second recorded message according to the conversion log information, so that the user IP address in the second recorded message is included in the IP address field in the first recorded message.
11. A remote user dial authentication server, the remote user dial authentication server comprising: a receiving component and a speed limiting component; wherein:
the receiving means for receiving control information including abnormal user information;
the abnormal user information is determined by matching a first recorded message of flow cleaning log information of flow cleaning equipment included in the log information with a second recorded message of ticket log information of a remote user dialing authentication server;
and the speed limiting component is used for sending a flow control message to the broadband access gateway according to the control information when the abnormal user corresponding to the abnormal user information is on line so as to limit the uplink transmission data of the abnormal user.
12. The remote subscriber dial authentication server of claim 11, wherein the control information further comprises an upstream transmission restriction policy;
the remote user dial-up authentication server further comprises:
a determining unit, configured to determine whether the uplink transmission restriction policy meets a preset condition, where the preset condition is that the uplink transmission restriction policy does not conflict with and is compatible with a historical flow control policy issued by the remote user dial-up authentication server; and when the uplink transmission limiting strategy meets the preset condition, triggering the speed limiting component.
CN201611260598.3A 2016-12-30 2016-12-30 Method for processing malicious attack traffic and related server Active CN108270600B (en)

Publications (2)

Publication Number Publication Date
CN108270600A CN108270600A (en) 2018-07-10
CN108270600B true CN108270600B (en) 2021-03-05

Family

ID=62755071

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611260598.3A Active CN108270600B (en) 2016-12-30 2016-12-30 Method for processing malicious attack traffic and related server

Country Status (1)

Country Link
CN (1) CN108270600B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109450955B (en) * 2018-12-30 2022-04-05 北京世纪互联宽带数据中心有限公司 Traffic processing method and device based on network attack
CN112333130B (en) * 2019-08-05 2023-04-07 阿里巴巴集团控股有限公司 Data processing method, device and storage medium
CN111031054A (en) * 2019-12-19 2020-04-17 紫光云(南京)数字技术有限公司 CC protection method
CN111800412B (en) * 2020-07-01 2023-02-21 中国移动通信集团有限公司 Advanced sustainable threat tracing method, system, computer equipment and storage medium
CN114338066A (en) * 2020-09-30 2022-04-12 中移(苏州)软件技术有限公司 Defense method, system, equipment and storage medium for denial of service attack
CN114584329B (en) * 2020-11-16 2023-09-05 中国移动通信集团广东有限公司 Positioning method and device for reasons of abnormal flow and electronic equipment
CN114173346B (en) * 2021-12-01 2024-04-12 恒安嘉新(北京)科技股份公司 Coverage detection method, device, equipment and medium of malicious program monitoring system

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104901975A (en) * 2015-06-30 2015-09-09 北京奇虎科技有限公司 Web log safety analyzing method, device and gateway

Family Cites Families (7)

Publication number Priority date Publication date Assignee Title
CN102026199B (en) * 2010-12-03 2016-01-13 中兴通讯股份有限公司 The apparatus and method of a kind of WiMAX system and defending DDoS (Distributed Denial of Service) attacks thereof
CN102075365B (en) * 2011-02-15 2012-12-26 中国工商银行股份有限公司 Method and device for locating and protecting network attack source
CN103188104A (en) * 2011-12-31 2013-07-03 中国移动通信集团浙江有限公司 Method and device for analyzing user behaviors
CN103491095B (en) * 2013-09-25 2016-07-13 中国联合网络通信集团有限公司 Flow cleaning framework, device and flow lead, flow re-injection method
CN104065644B (en) * 2014-05-28 2017-11-21 北京知道创宇信息技术有限公司 CC attack recognition method and apparatus based on log analysis
US10193922B2 (en) * 2015-01-13 2019-01-29 Level 3 Communications, Llc ISP blacklist feed
CN105553790B (en) * 2015-12-08 2018-07-13 中国联合网络通信集团有限公司 A kind of data processing method and strategic server

Patent Citations (1)

Publication number Priority date Publication date Assignee Title
CN104901975A (en) * 2015-06-30 2015-09-09 北京奇虎科技有限公司 Web log safety analyzing method, device and gateway

Also Published As

Publication number Publication date
CN108270600A (en) 2018-07-10

Similar Documents

Publication Publication Date Title
CN108270600B (en) Method for processing malicious attack traffic and related server
EP1999890B1 (en) Automated network congestion and trouble locator and corrector
CN108040057B (en) Working method of SDN system suitable for guaranteeing network security and network communication quality
CN101136922B (en) Service stream recognizing method, device and distributed refusal service attack defending method, system
US7562390B1 (en) System and method for ARP anti-spoofing security
JP5826920B2 (en) Defense method against spoofing attacks using blocking server
EP2403187A1 (en) Method, apparatus and system for botnet host detection
CN107819633B (en) Method for rapidly discovering and processing network fault
EP3404949B1 (en) Detection of persistency of a network node
CN108322417B (en) Network attack processing method, device and system and security equipment
RU2636640C2 (en) Protection method of virtual private communication networks elements from ddos-attacks
CN109450841B (en) Large-scale DDoS attack resisting defense method based on cloud + end equipment on-demand linkage mode
CN103036733A (en) Unconventional network access behavior monitoring system and monitoring method
CN107800668B (en) Distributed denial of service attack defense method, device and system
CN108092940B (en) DNS protection method and related equipment
RU2679219C1 (en) Method of protection of service server from ddos attack
TWI657681B (en) Analysis method of network flow and system
Zhang et al. Unveiling malicious activities in lan with honeypot
Kortebi et al. Home networks traffic monitoring case study: Anomaly detection
CN109347792B (en) Large-scale DDoS attack resistance defense system and method based on cloud + end equipment continuous linkage mode
Kato et al. A real-time intrusion detection system (IDS) for large scale networks and its evaluations
Hooper An intelligent detection and response strategy to false positives and network attacks
Park et al. Threats and countermeasures on a 4G mobile network
KR101506982B1 (en) System and method for detecting and blocking illegal call through data network
CN112134845A (en) Rejection service system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant