CN108650237B - Message security check method and system based on survival time - Google Patents

Info

Publication number
CN108650237B
Authority
CN
China
Prior art keywords
message
bit
value
ttl
current index
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810332931.XA
Other languages
Chinese (zh)
Other versions
CN108650237A (en
Inventor
林杨宝
张波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Changjiang Computing Technology Co ltd
Fiberhome Telecommunication Technologies Co Ltd
Original Assignee
Fiberhome Telecommunication Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Fiberhome Telecommunication Technologies Co Ltd filed Critical Fiberhome Telecommunication Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/108 Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Technology Law (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a message security check method and system based on survival time (time to live, TTL), relating to the technical field of data communication.

Description

Message security check method and system based on survival time
Technical Field
The invention relates to the technical field of data communication, in particular to a message security check method and system based on survival time.
Background
Time To Live (TTL) is the maximum number of hops over which an IP packet can be forwarded in a computer network, and is set by the sender of the IP packet. When a host on the network is pinged, the local machine sends out a packet, which reaches the destination host after passing through a certain number of routers. For many reasons, however, some packets cannot be delivered to the destination host normally, and if packets had no survival time they would circulate on the network indefinitely, increasing network overhead. Each time a packet passes through a router, its TTL is automatically decremented by 1; if the TTL reaches 0 before the packet has been delivered to the destination host, the packet is automatically dropped. The GTSM (Generalized TTL Security Mechanism) is a detection mechanism that uses TTL checks to protect the CPU against CPU-utilization attacks. GTSM checks the TTL field of an IPv4 message and judges whether the message was generated by a legitimate peer neighbor, thereby protecting IP-based unicast routing protocols from resource-consuming attacks. When an attacker simulates a real routing protocol and continuously attacks a device, the device consumes a large amount of CPU resources processing the attack messages, so that normal protocol messages cannot be processed.
Therefore, a message security check scheme based on the survival time is needed to accurately judge whether the message is generated by a legitimate peer neighbor or not, and avoid resource consumption caused by the attack on the device.
Disclosure of Invention
Aiming at the defects in the prior art, the invention aims to provide a message security check method and a message security check system based on survival time, which can accurately judge whether a message is generated by a legal opposite-end neighbor or not and avoid resource consumption caused by equipment being attacked.
In order to achieve the above purposes, the technical scheme adopted by the invention is as follows: a message security check method based on survival time comprises the following steps:
obtaining a legal hop count set by a user, and converting the legal hop count into a TTL range of survival time;
calculating a mask of a rule of a corresponding Access Control List (ACL) according to the TTL range;
when equipment receives a message sent by adjacent equipment, whether the message accords with the rule of the ACL is judged according to the mask of the rule of the ACL, if so, the message is judged to be a legal message, and the message is allowed to be sent; if not, the message is judged to be a non-legal message and discarded.
On the basis of the technical scheme, the legal hop count is hops, and the TTL range is (255-hops to 255].
On the basis of the technical scheme, the process of judging whether the message conforms to the ACL rule according to the mask of the ACL rule comprises the following steps:
performing a bitwise AND operation on the TTL value in the received message and the calculated mask; if the result equals the mask, the TTL value is judged to conform to the ACL rule; otherwise, the TTL value is judged not to conform to the ACL rule.
On the basis of the technical scheme, the process of calculating the mask of the rule of the corresponding access control list ACL according to the TTL range comprises the following steps:
S31, setting the minimum value of the TTL range as ttl_min, and converting ttl_min to a binary number;
S32, starting from the highest non-zero bit of the binary number and searching toward the lower bits, finding the first bit whose value is 0 and taking its index as the current index; keeping the bits above the current index unchanged, setting the bit at the current index to 1, and setting all bits below the current index to 0, to form a mask;
S33, continuing the search from the current index toward the lower bits, finding the next bit whose value is 0 and taking its index as the current index; keeping the bits above the current index unchanged, setting the bit at the current index to 1, and setting all bits below the current index to 0, to form a mask;
S34, repeating step S33 until the lowest bit of the binary number is reached, and judging whether the value of the lowest bit is 0; if so, keeping the bits above the current index unchanged and setting the bit at the current index to 1, to form a mask; if not, ending the search.
On the basis of the technical scheme, the maximum number of masks of the rules of the corresponding access control list ACL is calculated to be 8 according to the TTL range.
The invention also discloses a message security check system based on the survival time, which comprises:
the hop count conversion module is used for acquiring a legal hop count set by a user and converting the legal hop count into a TTL range;
the ACL rule generating module is used for calculating the mask of the rule of the corresponding access control list ACL according to the TTL range;
the ACL rule checking module is used for judging whether the message conforms to the ACL rule according to the mask code of the ACL rule when the equipment receives the message sent by the adjacent equipment, if so, the message is judged to be a legal message, and the message is allowed to be sent; if not, the message is judged to be a non-legal message and discarded.
On the basis of the technical scheme, the legal hop count is hops, and the TTL range is (255-hops to 255].
On the basis of the above technical solution, the process that the ACL rule checking module judges whether the packet conforms to the ACL rule according to the mask of the ACL rule includes:
performing a bitwise AND operation on the TTL value in the received message and the calculated mask; if the result equals the mask, the TTL value is judged to conform to the ACL rule; otherwise, the TTL value is judged not to conform to the ACL rule.
On the basis of the above technical solution, the specific process of the ACL rule generating module determining whether a message conforms to the ACL rule includes:
S31, setting the minimum value of the TTL range as ttl_min, and converting ttl_min to a binary number;
S32, starting from the highest non-zero bit of the binary number and searching toward the lower bits, finding the first bit whose value is 0 and taking its index as the current index; keeping the bits above the current index unchanged, setting the bit at the current index to 1, and setting all bits below the current index to 0, to form a mask;
S33, continuing the search from the current index toward the lower bits, finding the next bit whose value is 0 and taking its index as the current index; keeping the bits above the current index unchanged, setting the bit at the current index to 1, and setting all bits below the current index to 0, to form a mask;
S34, repeating step S33 until the lowest bit of the binary number is reached, and judging whether the value of the lowest bit is 0; if so, keeping the bits above the current index unchanged and setting the bit at the current index to 1, to form a mask; if not, ending the search.
On the basis of the technical scheme, the maximum number of masks of the rules of the corresponding access control list ACL calculated by the ACL rule generating module according to the TTL range is 8.
Compared with the prior art, the invention has the advantages that:
The invention provides a message security check method and system based on survival time, which obtains the legal hop count value input by a user, converts the legal hop count into a TTL range, generates the corresponding ACL rules according to the TTL range, performs the ACL rule check on messages received by the local machine, and directly discards illegal messages. It can accurately judge whether a message is generated by a legitimate peer neighbor, thereby protecting the IP-based unicast routing protocol from resource-consuming attacks and protecting CPU (central processing unit) resources. Converting the TTL range into ACL rules also ensures that the number of ACL rule entries is minimized, thereby achieving optimal check performance while occupying minimal hardware resources.
Drawings
Fig. 1 is a schematic flow chart of a message security check method based on time to live in an embodiment of the present invention;
Fig. 2 is a schematic flowchart illustrating the process of calculating a mask of an ACL rule in the message security check method based on time to live according to the embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a message security check system based on time to live in an embodiment of the present invention.
Detailed Description
Description of terms:
An access control list (ACL) is a set of filtering rules, which may be referred to as a rule set. When defining a filtering rule, the user describes it according to the TTL value of the message and corresponding attributes such as the mask value, the input interface, the source or destination address, the protocol type, and the source or destination port number, and specifies whether matching messages are rejected or received. The system then classifies messages arriving at the router according to the filtering rules and judges whether each message is rejected or received. An ACL needs to be used in cooperation with services to realize the message-filtering function. The invention applies the ACL to the GTSM check mechanism, and judges the validity of the message TTL by defining ACL rules and carrying out ACL checks.
The present invention will be described in further detail with reference to the accompanying drawings and examples.
Example 1:
Referring to Fig. 1, an embodiment of the present invention provides a message security check method based on survival time, including the following steps:
S1, obtaining the legal hop count set by the user, and converting the legal hop count into a TTL range;
S2, calculating the mask of the rule of the corresponding access control list (ACL) according to the TTL range;
S3, when the device receives a message sent by an adjacent device, judging whether the message conforms to the ACL rule according to the mask of the ACL rule; if so, judging the message to be a legal message and allowing the message to be sent; if not, judging the message to be a non-legal message and discarding it.
The embodiment provides a message security check method based on survival time, which comprises the steps of converting a legal hop count into a TTL range by obtaining a legal hop count value input by a user, calculating a mask of a corresponding ACL rule according to the TTL range, carrying out ACL rule check on a message received by a local machine, uploading a legal message, and directly discarding an illegal message, thereby protecting CPU resources.
Example 2:
On the basis of embodiment 1, the legal hop count is converted into a TTL range: if the legal hop count is hops, the TTL range is (255-hops to 255]. For example, if the user configures the legal hop count hops as 40, the TTL range after conversion is (215 to 255].
Example 3:
On the basis of embodiment 1, the process of determining whether the packet conforms to the ACL rule according to the mask of the ACL rule includes:
performing a bitwise AND operation on the TTL value in the received message and the calculated mask; if the result equals the mask, the TTL value is judged to conform to the ACL rule; otherwise, the TTL value is judged not to conform to the ACL rule.
Example 4:
On the basis of embodiment 3, the specific process of determining whether the packet conforms to the ACL rules includes:
S31, setting the minimum value of the TTL range as ttl_min, and converting ttl_min to a binary number;
S32, starting from the highest non-zero bit of the binary number and searching toward the lower bits, finding the first bit whose value is 0 and taking its index as the current index; keeping the bits above the current index unchanged, setting the bit at the current index to 1, and setting all bits below the current index to 0, to form a mask;
S33, continuing the search from the current index toward the lower bits, finding the next bit whose value is 0 and taking its index as the current index; keeping the bits above the current index unchanged, setting the bit at the current index to 1, and setting all bits below the current index to 0, to form a mask;
S34, repeating step S33 until the lowest bit of the binary number is reached, and judging whether the value of the lowest bit is 0; if so, keeping the bits above the current index unchanged and setting the bit at the current index to 1, to form a mask; if not, ending the search.
Example 5:
On the basis of embodiment 4, the maximum number of masks of the rule of the corresponding access control list (ACL) calculated from the TTL range is 8.
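The hop-count conversion, the mask calculation of steps S31 to S34, and the bitwise-AND check from Examples 2 to 5, as an added Python example that is not part of the patent text. The function names are hypothetical, ttl_min is taken as the exclusive lower bound 255 - hops, and the scan is assumed to start at bit 7 of the 8-bit TTL field, which is what the stated maximum of 8 masks requires.

```python
"""TTL-range to ACL-mask conversion following steps S31-S34 (added example)."""
from __future__ import annotations

TTL_BITS = 8  # the IPv4 TTL field is a single octet


def ttl_lower_bound(hops: int) -> int:
    """Exclusive lower bound of the accepted range (255 - hops, 255]."""
    if not 1 <= hops <= 255:
        raise ValueError("hops must be between 1 and 255")
    return 255 - hops


def acl_masks(ttl_min: int) -> list[int]:
    """One mask per 0 bit of ttl_min, scanning from bit 7 down to bit 0.

    For a 0 bit at index idx: keep the bits above idx, set bit idx to 1,
    clear the bits below idx (S32/S33; S34 is the idx == 0 case).
    Assumption: every bit of the octet is scanned, including leading zeros.
    """
    if not 0 <= ttl_min <= 255:
        raise ValueError("ttl_min must fit in one octet")
    masks = []
    for idx in range(TTL_BITS - 1, -1, -1):
        if ttl_min & (1 << idx):
            continue  # bit is already 1: no rule generated for this position
        keep_above = ttl_min & ~((1 << (idx + 1)) - 1) & 0xFF
        masks.append(keep_above | (1 << idx))
    return masks


def ttl_permitted(ttl: int, masks: list[int]) -> bool:
    """ACL check: a rule matches when (ttl AND mask) equals the mask."""
    return any((ttl & mask) == mask for mask in masks)


def masks_match_range(hops: int) -> bool:
    """Exhaustively confirm the masks accept exactly the TTLs in (255 - hops, 255]."""
    bound = ttl_lower_bound(hops)
    masks = acl_masks(bound)
    return all(ttl_permitted(ttl, masks) == (ttl > bound) for ttl in range(256))


if __name__ == "__main__":
    hops = 40  # the configuration used in Example 2
    bound = ttl_lower_bound(hops)
    print(f"hops={hops}  ttl_min={bound} ({bound:08b})")
    for mask in acl_masks(bound):
        print(f"  rule: ttl & 0x{mask:02X} == 0x{mask:02X}  ({mask:08b})")
    for ttl in (214, 215, 216, 223, 224, 255):  # constructed sample TTL values
        verdict = "permit" if ttl_permitted(ttl, acl_masks(bound)) else "drop"
        print(f"  ttl={ttl:3d} -> {verdict}")
    print("exact for every hop count:", all(masks_match_range(h) for h in range(1, 256)))
```

For hops = 40 the range (215 to 255] collapses to two rules, 0xE0 and 0xD8, instead of one entry per TTL value.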
Example 6:
Referring to Fig. 3, a message security check system based on time-to-live includes:
the hop count conversion module is used for acquiring the legal hop count set by the user and converting the legal hop count into a TTL range of survival time;
the ACL rule generating module is used for calculating the mask of the rule of the corresponding access control list ACL according to the TTL range;
the ACL rule checking module is used for judging whether the message accords with the rule of the ACL according to the mask code of the rule of the ACL when the equipment receives the message sent by the adjacent equipment, if so, the message is judged to be a legal message, and the message is allowed to be sent; if not, the message is judged to be a non-legal message and discarded.
The legal hop count is hops, and the TTL range is (255-hops to 255].
The process that the ACL rule checking module judges whether the message accords with the rule of the ACL according to the mask of the rule of the ACL comprises the following steps:
performing a bitwise AND operation on the TTL value in the received message and the calculated mask; if the result equals the mask, the TTL value is judged to conform to the ACL rule; otherwise, the TTL value is judged not to conform to the ACL rule.
The specific process of the ACL rule generating module for judging whether the message conforms to the ACL rule includes the following steps:
S31, setting the minimum value of the TTL range as ttl_min, and converting ttl_min to a binary number;
S32, starting from the highest non-zero bit of the binary number and searching toward the lower bits, finding the first bit whose value is 0 and taking its index as the current index; keeping the bits above the current index unchanged, setting the bit at the current index to 1, and setting all bits below the current index to 0, to form a mask;
S33, continuing the search from the current index toward the lower bits, finding the next bit whose value is 0 and taking its index as the current index; keeping the bits above the current index unchanged, setting the bit at the current index to 1, and setting all bits below the current index to 0, to form a mask;
S34, repeating step S33 until the lowest bit of the binary number is reached, and judging whether the value of the lowest bit is 0; if so, keeping the bits above the current index unchanged and setting the bit at the current index to 1, to form a mask; if not, ending the search.
And the ACL rule generating module calculates the maximum number of masks of the rules of the corresponding access control list ACL to be 8 according to the TTL range.
The present invention is not limited to the above-described embodiments, and it will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the principle of the present invention, and such modifications and improvements are also considered to be within the scope of the present invention. Those not described in detail in this specification are within the skill of the art.

Claims (8)

1. A message security check method based on survival time is characterized by comprising the following steps:
obtaining a legal hop count set by a user, and converting the legal hop count into a TTL range of survival time;
calculating a mask of a rule of a corresponding Access Control List (ACL) according to the TTL range;
when equipment receives a message sent by adjacent equipment, whether the message accords with the rule of the ACL is judged according to the mask of the rule of the ACL, if so, the message is judged to be a legal message, and the message is allowed to be sent; if not, judging the message as a non-legal message and discarding the message;
the process of calculating the mask of the rule of the corresponding access control list ACL according to the TTL range comprises the following steps:
S31, setting the minimum value of the TTL range as ttl_min, and converting ttl_min to a binary number;
S32, starting from the highest non-zero bit of the binary number and searching toward the lower bits, finding the first bit whose value is 0 and taking its index as the current index; keeping the bits above the current index unchanged, setting the bit at the current index to 1, and setting all bits below the current index to 0, to form a mask;
S33, continuing the search from the current index toward the lower bits, finding the next bit whose value is 0 and taking its index as the current index; keeping the bits above the current index unchanged, setting the bit at the current index to 1, and setting all bits below the current index to 0, to form a mask;
S34, repeating step S33 until the lowest bit of the binary number is reached, and judging whether the value of the lowest bit is 0; if so, keeping the bits above the current index unchanged and setting the bit at the current index to 1, to form a mask; if not, ending the search.
2. The message security check method based on the survival time according to claim 1, characterized in that: the legal hop count is hops, and the TTL range is (255-hops to 255].
3. The message security check method based on the survival time according to claim 1, characterized in that: the process of judging whether the message conforms to the ACL rule according to the mask of the ACL rule comprises the following steps:
performing a bitwise AND operation on the TTL value in the received message and the calculated mask; if the result equals the mask, the TTL value is judged to conform to the ACL rule; otherwise, the TTL value is judged not to conform to the ACL rule.
4. The message security check method based on the survival time according to claim 1, characterized in that: and calculating the maximum number of masks of the rules of the corresponding access control list ACL according to the TTL range to be 8.
5. A message security check system based on time-to-live, comprising:
the hop count conversion module is used for acquiring a legal hop count set by a user and converting the legal hop count into a TTL range;
the ACL rule generating module is used for calculating the mask of the rule of the corresponding access control list ACL according to the TTL range;
the ACL rule checking module is used for judging whether the message conforms to the ACL rule according to the mask code of the ACL rule when the equipment receives the message sent by the adjacent equipment, if so, the message is judged to be a legal message, and the message is allowed to be sent; if not, judging the message as a non-legal message and discarding the message;
the specific process of the ACL rule generating module for judging whether the message conforms to the ACL rule comprises the following steps:
S31, setting the minimum value of the TTL range as ttl_min, and converting ttl_min to a binary number;
S32, starting from the highest non-zero bit of the binary number and searching toward the lower bits, finding the first bit whose value is 0 and taking its index as the current index; keeping the bits above the current index unchanged, setting the bit at the current index to 1, and setting all bits below the current index to 0, to form a mask;
S33, continuing the search from the current index toward the lower bits, finding the next bit whose value is 0 and taking its index as the current index; keeping the bits above the current index unchanged, setting the bit at the current index to 1, and setting all bits below the current index to 0, to form a mask;
S34, repeating step S33 until the lowest bit of the binary number is reached, and judging whether the value of the lowest bit is 0; if so, keeping the bits above the current index unchanged and setting the bit at the current index to 1, to form a mask; if not, ending the search.
6. The system for message security check based on time-to-live of claim 5, wherein: the legal hop count is hops, and the TTL range is (255-hops to 255].
7. The system for message security check based on time-to-live of claim 5, wherein: the process that the ACL rule checking module judges whether the message accords with the ACL rule according to the mask of the ACL rule comprises the following steps:
performing a bitwise AND operation on the TTL value in the received message and the calculated mask; if the result equals the mask, the TTL value is judged to conform to the ACL rule; otherwise, the TTL value is judged not to conform to the ACL rule.
8. The system for message security check based on time-to-live of claim 5, wherein: and the ACL rule generating module calculates the maximum number of masks of the rules of the corresponding access control list ACL to be 8 according to the TTL range.
CN201810332931.XA 2018-04-13 2018-04-13 Message security check method and system based on survival time Active CN108650237B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810332931.XA CN108650237B (en) 2018-04-13 2018-04-13 Message security check method and system based on survival time

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810332931.XA CN108650237B (en) 2018-04-13 2018-04-13 Message security check method and system based on survival time

Publications (2)

Publication Number Publication Date
CN108650237A CN108650237A (en) 2018-10-12
CN108650237B true CN108650237B (en) 2020-09-08

Family

ID=63746099

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810332931.XA Active CN108650237B (en) 2018-04-13 2018-04-13 Message security check method and system based on survival time

Country Status (1)

Country Link
CN (1) CN108650237B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20240626

Address after: 430000 No. 6, High-tech Fourth Road, Donghu High-tech Development Zone, Wuhan City, Hubei Province

Patentee after: FIBERHOME TELECOMMUNICATION TECHNOLOGIES Co.,Ltd.

Country or region after: China

Patentee after: Wuhan Changjiang Computing Technology Co.,Ltd.

Address before: 430000 No. 6, High-tech Fourth Road, Donghu High-tech Development Zone, Wuhan City, Hubei Province

Patentee before: FIBERHOME TELECOMMUNICATION TECHNOLOGIES Co.,Ltd.

Country or region before: China