CN109040046B - Network access method and device - Google Patents


Info

Publication number: CN109040046B
Authority: CN (China)
Prior art keywords: address, destination, network access, message, time period
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: CN201810827488.3A
Other languages: Chinese (zh)
Other versions: CN109040046A (en)
Inventors: 王阳, 廖以顺
Current Assignee: New H3C Information Technologies Co Ltd (as listed by Google Patents; may be inaccurate)
Original Assignee: Hangzhou H3C Technologies Co Ltd
Events: application filed by Hangzhou H3C Technologies Co Ltd; priority to CN201810827488.3A; publication of CN109040046A; application granted; publication of CN109040046B; legal status active; anticipated expiration.

Classifications

    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0281 Proxies (under H04L63/02, separating internal from external traffic, e.g. firewalls)
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (under H04L67/00, network arrangements or protocols for supporting network services or applications)

Abstract

The disclosure provides a network access method and device. When it is detected that the number of network access messages with a first IP address as destination IP address, sent within a specified time period by a first terminal that has not been authenticated, equals a first preset threshold, it is checked whether other terminals have also sent network access messages with the first IP address as destination IP address within that time period. If they have, the first IP address is determined to be legal, and network access messages with the first IP address as destination IP address sent by each authenticated terminal are allowed to pass. A network combining Portal authentication and a Web proxy can therefore still perform network attack prevention without mistakenly blocking messages that normally access the Web proxy server, which prevents the normal network access failure that attack prevention would otherwise cause in such a network.

Description

Network access method and device
Technical Field
The present disclosure relates to network communication technologies, and in particular, to a network access method and apparatus.
Background
Portal authentication, also known as Web authentication, is a method in which a terminal cannot truly access the network until it passes Portal authentication; after the terminal passes Portal authentication, it can access the authorized network to obtain network resource information.
A Web proxy is a Web server that accesses the network on behalf of each terminal to obtain network resource information, so that the network access is not exposed to attack from the external network.
FIG. 1 illustrates a network combining Portal authentication with a Web proxy. As shown in fig. 1, when accessing the network, a terminal 101 sends an HTTP message. The HTTP message reaches a Broadband Remote Access Server (BRAS) through the switching device 102 and the switching device 103. If the BRAS receives the HTTP message and finds that the terminal 101 that sent it has not passed Portal authentication, the terminal 101 is forced to access the authentication server of the BRAS for Portal authentication; once the terminal 101 passes Portal authentication, its network access traffic is redirected to the Web server, which acts as its proxy.
Disclosure of Invention
The disclosure provides a network access method and device for preventing the normal network access failure caused by network attack prevention in a network combining Portal authentication and a Web proxy.
The technical scheme provided by the disclosure comprises:
a network access method is applied to BRAS and comprises the following steps:
counting the message quantity of network access messages with a first IP address as a destination IP address sent by a first terminal in a specified time period, wherein the first terminal is one of terminals which are not authenticated by an authentication server connected with the BRAS;
if the number of the messages is equal to a first preset threshold value, checking whether other terminals send network access messages with the destination IP address as the first IP address in the specified time period;
when the network access message with the destination IP address as the first IP address sent by other terminals in the specified time period is checked, the first IP address is determined to be legal, and the network access message with the destination IP address as the first IP address sent by other terminals which pass the authentication of the authentication server is allowed to pass.
A network access device, which is applied to a BRAS, comprising:
a counting unit, configured to count the number of network access messages sent by a first terminal in a specified time period whose destination IP address is a first IP address, the first terminal being one of the terminals not authenticated by an authentication server connected to the BRAS;
a checking unit, configured to check, when the number of messages equals a first preset threshold, whether other terminals have sent network access messages with the destination IP address being the first IP address in the specified time period;
and a network access control unit, configured to determine that the first IP address is legal when the checking unit finds that other terminals have sent network access messages with the destination IP address being the first IP address in the specified time period, and to allow network access messages with the destination IP address being the first IP address sent by other terminals authenticated by the authentication server to pass through.
According to this technical scheme, when it is detected that the number of network access messages with the first IP address as destination IP address, sent in a specified time period by a first terminal that has not passed authentication, equals a first preset threshold, it is checked whether other terminals have sent network access messages with the first IP address as destination IP address in that time period. If they have, the first IP address is determined to be legal, and network access messages with the first IP address as destination IP address sent by each authenticated terminal are allowed to pass. A network combining Portal authentication and a Web proxy can therefore perform network attack prevention without mistakenly blocking messages (network access messages) that normally access the Web proxy server, which prevents the normal network access failure that attack prevention would otherwise cause in such a network.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
FIG. 1 is a schematic diagram of a network organization combining Portal authentication and Web agents;
FIG. 2 is a flow chart of a method provided by the present disclosure;
FIG. 3 is a schematic diagram of an embodiment of networking provided by the present disclosure;
FIG. 4 is a schematic view of the apparatus structure provided by the present disclosure;
FIG. 5 is a schematic hardware structure diagram of the apparatus shown in fig. 4 provided by the present disclosure.
Detailed Description
In a network combining Portal authentication and a Web proxy, Portal authentication is triggered by HTTP messages, and HTTP messages may also be used for network attacks. To prevent such attacks, the BRAS can configure anti-attack table entries locally, whose purpose is as follows: when the number of HTTP messages accessing a certain destination IP address reaches a set threshold, further HTTP messages accessing that destination IP address are prohibited. However, when this method is applied to a network combining Portal authentication and a Web proxy, the Web server proxies the network access of every terminal, so the destination IP address of every terminal's network access is the IP address of the Web server (denoted IP100). Once the number of HTTP messages with destination IP address IP100 (the IP address of the Web server) reaches the set threshold, the anti-attack entry prevents all subsequent terminals from reaching the Web proxy server, so that even terminals that have passed Portal authentication cannot access the network normally.
In order to prevent the normal network access failure caused by network attack prevention in a network combining Portal authentication and a Web proxy, the application provides the flow shown in FIG. 2.
Referring to fig. 2, fig. 2 is a flow chart of a method provided by the present disclosure. The flow is applied to the BRAS. As shown in fig. 2, the process may include the following steps:
step 201, counting the number of messages of the network access message with the destination IP address as the first IP address sent by the first terminal in the specified time period.
In the present disclosure, the first terminal, the first IP address, and the first preset threshold are named only for convenience of description and are not intended to be limiting. The first terminal is one of the terminals not authenticated by an authentication server (such as a Portal authentication server) connected to the BRAS, and the first IP address is any network IP address. The first preset threshold is configured according to actual requirements; in combination with an existing anti-attack entry policy (an anti-attack entry is generated when the number of messages reaches a configured threshold within a specified time period), the first preset threshold is smaller than the threshold configured in the existing anti-attack entry policy (which may be recorded as the second preset threshold). This is described in detail later and is not repeated here.
In the present disclosure, as an embodiment, the network access message may be an HTTP message, and the authentication refers to Portal authentication.
Step 202, if the number of messages equals a first preset threshold, check whether other terminals have sent network access messages with the destination IP address being the first IP address in the specified time period; when it is found that other terminals have sent such messages in the specified time period, determine that the first IP address is legal, and allow network access messages with the destination IP address being the first IP address sent by other terminals authenticated by the authentication server to pass.
In the disclosure, when it is found that no other terminal sent a network access message with the first IP address as destination IP address in the specified time period, then, as one embodiment, an anti-attack entry is generated locally so that network access messages with the first IP address as destination IP address are prohibited from passing according to that entry; or, as another embodiment, the number of network access messages with the first IP address as destination IP address sent by the first terminal in the specified time period continues to be counted until it equals a second preset threshold, which is greater than the first preset threshold, and only then is an anti-attack entry generated locally to prohibit network access messages with the first IP address as destination IP address from passing according to that entry.
In the disclosure, when more than one terminal accesses the same IP address (taking the first IP address as an example) in the same time period, this indicates that the first IP address may be the IP address of the Web proxy server and is a normal, legal IP address. In that case, regardless of whether the number of network access messages accessing the first IP address in the specified time period reaches the second preset threshold, no anti-attack entry is issued for the first IP address; instead, the first IP address is determined to be legal, and network access messages with the first IP address as destination IP address sent by each authenticated terminal are allowed to pass. Thus, even in a network combining Portal authentication and a Web proxy, network attack prevention can still be performed without erroneously blocking messages (network access messages) that normally access the Web proxy server, which prevents the normal network access failure that attack prevention would otherwise cause in such a network.
Thus, the flow shown in fig. 2 is completed.
As can be seen from the flow shown in fig. 2, in the present disclosure, when it is detected that the number of network access packets with the first IP address as destination IP address, sent in a specified time period by a first terminal that has not passed authentication, equals a first preset threshold, it is checked whether another terminal sent a network access packet with the first IP address as destination IP address in that time period. If so, the first IP address is determined to be legal, and network access packets with the first IP address as destination IP address sent by each authenticated terminal are allowed to pass. A network combining Portal authentication and a Web proxy can therefore perform network attack prevention while not erroneously blocking packets (network access packets) that normally access the Web proxy server, which prevents the normal network access failure that attack prevention would otherwise cause in such a network.
In this disclosure, as an embodiment, counting in step 201 the number of network access packets sent by the first terminal in the specified time period whose destination IP address is the first IP address may include the following. When a network access message sent by the first terminal with the first IP address as destination IP address is received in the specified time period, check whether the local message statistics table contains a first message statistics entry whose source IP address and destination IP address are respectively the source IP address and destination IP address of the received message. If it does, increase the number of messages in that first entry by a preset value; if it does not, add to the local message statistics table a first message statistics entry whose number of messages is the preset value and whose source IP address and destination IP address are those of the received message. The number of network access messages with the first IP address as destination IP address sent by the first terminal in the specified time period is thus counted through the first message statistics entry. It should be noted that the preset value may be, for example, 1 or another value; the present application is not limited in this respect.
The foregoing describes how to count the number of network access packets with the first IP address as destination IP address sent by the first terminal in the specified time period. The packets sent by every other unauthenticated terminal in the specified time period are counted in the same way, so the local packet statistics table of the BRAS may hold a packet statistics entry for each unauthenticated terminal (including the first terminal).
Based on the local packet statistics table, checking in step 202 whether another terminal sent a network access packet with the first IP address as destination IP address in the specified time period includes:
searching, among the message statistics entries of the local message statistics table other than the first message statistics entry, for an entry whose destination IP address is the first IP address;
if such an entry is found, determining that another terminal sent a network access message with the first IP address as destination IP address in the specified time period;
if not, determining that no other terminal sent a network access message with the first IP address as destination IP address in the specified time period.
In this application, when it is found that another terminal sent a network access packet with the first IP address as destination IP address in the specified time period, then, as described in step 202, the first IP address is directly determined to be legal, and network access packets with the first IP address as destination IP address sent by each other terminal authenticated by the authentication server are allowed to pass. The currently counted number of packets (equal to the first preset threshold) sent by the first terminal to the first IP address in the specified time period is then no longer needed, and to save resources it may be deleted; in terms of the message statistics table, the first message statistics entry may be deleted.
The disclosure is described below by way of a specific example:
referring to fig. 3, fig. 3 is a diagram of an application networking of an embodiment provided by the present disclosure. In fig. 3, the IP address of the terminal 301 is 10.1.1.2, the IP address of the terminal 302 is 10.1.1.3, the IP address of the terminal 303 is 10.1.1.4, and the IP address of the Web proxy server is 20.1.1.2.
In fig. 3, the BRAS configures an anti-attack entry policy. The anti-attack table item strategy is as follows: and generating an anti-attack table entry corresponding to an IP address when the number of messages accessing a certain IP address in a specified time period reaches a second preset threshold (taking 100 as an example).
The BRAS is also configured with a first preset threshold (for example, 80% or 80 of a second preset threshold). The function of the first preset threshold is described below, and will not be described for the moment.
In fig. 3, the BRAS receives a network access message (denoted message a1) sent by the terminal 301 within a specified time period. The source IP address of message a1 is the IP address 10.1.1.2 of the terminal 301, and the destination IP address is the IP address 20.1.1.2 of the Web proxy server. If the BRAS finds that the terminal 301 corresponding to the IP address 10.1.1.2 has not passed Portal authentication, it checks whether the local message statistics table contains a message statistics entry whose source IP address and destination IP address are respectively the source IP address and destination IP address of message a1; if not, it adds to the local message statistics table a message statistics entry whose number of messages is the preset value and whose source IP address and destination IP address are those of message a1. Taking the preset value as 1, table 1 shows the added message statistics entry:
Index  Source IP address  Destination IP address  Number of messages
1      10.1.1.2           20.1.1.2                1
TABLE 1
The BRAS receives a network access message (denoted message a2) sent by the terminal 302 in the specified time period. The source IP address of message a2 is the IP address 10.1.1.3 of the terminal 302, and the destination IP address is 50.1.1.2. If the BRAS finds that the terminal 302 corresponding to the IP address 10.1.1.3 has not passed Portal authentication, it checks whether the local message statistics table contains a message statistics entry whose source IP address and destination IP address are respectively those of message a2; if not, it adds a message statistics entry whose number of messages is the preset value and whose source IP address and destination IP address are those of message a2. Taking the preset value as 1, and building on table 1, table 2 shows the message statistics entries:
Index  Source IP address  Destination IP address  Number of messages
1      10.1.1.2           20.1.1.2                1
2      10.1.1.3           50.1.1.2                1
TABLE 2
The BRAS receives a network access message (denoted message a3) sent by the terminal 303 within the specified time period. The source IP address of message a3 is the IP address 10.1.1.4 of the terminal 303, and the destination IP address is 20.1.1.2. If the BRAS finds that the terminal 303 corresponding to the IP address 10.1.1.4 has not passed Portal authentication, it checks whether the local message statistics table contains a message statistics entry whose source IP address and destination IP address are respectively those of message a3; if not, it adds a message statistics entry whose number of messages is the preset value and whose source IP address and destination IP address are those of message a3. Taking the preset value as 1, and building on table 2, table 3 shows the message statistics entries:
Index  Source IP address  Destination IP address  Number of messages
1      10.1.1.2           20.1.1.2                1
2      10.1.1.3           50.1.1.2                1
3      10.1.1.4           20.1.1.2                1
TABLE 3
After some time has elapsed within the specified time period, the BRAS receives a network access message (denoted message a4) sent by the terminal 301 within the same specified time period. The source IP address of message a4 is the IP address 10.1.1.2 of the terminal 301, and the destination IP address is the IP address 20.1.1.2 of the Web proxy server. If the BRAS finds that the terminal 301 corresponding to the IP address 10.1.1.2 has not passed Portal authentication, it finds that the local message statistics table already contains a message statistics entry whose source IP address and destination IP address are respectively those of message a1, and increases the number of messages in that existing entry by the preset value. Taking the preset value as 1, table 3 is updated to table 4:
Index  Source IP address  Destination IP address  Number of messages
1      10.1.1.2           20.1.1.2                2
2      10.1.1.3           50.1.1.2                1
3      10.1.1.4           20.1.1.2                1
TABLE 4
By analogy, after a period of time elapses within a specified time period, the final local packet statistical table is shown in table 5:
Index  Source IP address  Destination IP address  Number of messages
1      10.1.1.2           20.1.1.2                20
2      10.1.1.3           50.1.1.2                30
3      10.1.1.4           20.1.1.2                40
TABLE 5
If a further period of time has elapsed within the specified time period, table 5 is updated to table 6:
Index  Source IP address  Destination IP address  Number of messages
1      10.1.1.2           20.1.1.2                80
2      10.1.1.3           50.1.1.2                35
3      10.1.1.4           20.1.1.2                55
TABLE 6
In table 6, the number of messages in the message statistics entry with Index 1 (denoted message statistics entry 1) is 80, which is exactly the first preset threshold (80). This indicates that the number of network access messages sent by the terminal 301 with the IP address 20.1.1.2 of the Web proxy server as destination IP address equals the first preset threshold (80). The BRAS therefore performs a reverse lookup of the message statistics table by the destination IP address of entry 1, i.e. the IP address 20.1.1.2 of the Web proxy server, to find whether any other message statistics entry has that same destination IP address. The BRAS finds that the entry with Index 3 (denoted message statistics entry 3) has the same destination IP address as entry 1, namely the IP address 20.1.1.2 of the Web proxy server, which indicates that both the terminal 303 and the terminal 301 accessed the Web proxy server 20.1.1.2 within the specified time period. The IP address 20.1.1.2 of the Web proxy server is therefore considered legal, subsequent network access messages with destination IP address 20.1.1.2 are allowed to pass, and message statistics entry 1 is deleted from the local message statistics table. Table 6 is updated to table 7:
Index  Source IP address  Destination IP address  Number of messages
1      10.1.1.3           50.1.1.2                35
2      10.1.1.4           20.1.1.2                55
TABLE 7
If a further period of time has elapsed within the specified time period, table 7 is updated to table 8:
Index  Source IP address  Destination IP address  Number of messages
1      10.1.1.3           50.1.1.2                80
2      10.1.1.4           20.1.1.2                55
TABLE 8
In table 8, the number of messages in the message statistics entry with Index 1 is 80, which is exactly the first preset threshold (80). This indicates that the number of network access messages with destination IP address 50.1.1.2 sent by the terminal 302 equals the first preset threshold (80), so the BRAS performs a reverse lookup of the message statistics table by the destination IP address 50.1.1.2 to find whether any other message statistics entry has destination IP address 50.1.1.2. It finds that no other entry in the table has destination IP address 50.1.1.2. At this point, as one embodiment, 50.1.1.2 may be confirmed to be illegal: the BRAS locally generates an anti-attack entry, prohibits network access messages with destination IP address 50.1.1.2 from passing according to that entry, and deletes the message statistics entry with Index 1. As another embodiment, the BRAS does not generate an anti-attack entry yet but keeps counting; once the number of network access messages with destination IP address 50.1.1.2 sent by the terminal 302 in the specified time period reaches 100, which is exactly the second preset threshold (100), the BRAS locally generates the anti-attack entry, prohibits network access messages with destination IP address 50.1.1.2 from passing according to that entry, and deletes the message statistics entry with Index 1.
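The counting of step 201, the reverse lookup of step 202 and the two embodiments for an address that no other terminal accesses, replayed over the terminals and thresholds of the fig. 3 example above. This is an added Python model, not code from the patent or from H3C; the class and method names, the `drop`/`forward`/`portal` decisions and the round-robin message order are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Thresholds taken from the fig. 3 example: the existing anti-attack policy fires at
# 100 messages (second preset threshold); the first preset threshold is 80% of it.
SECOND_THRESHOLD = 100
FIRST_THRESHOLD = 80


@dataclass
class BrasAntiAttack:
    """Hypothetical model of the BRAS message statistics table for one time period."""
    first_threshold: int = FIRST_THRESHOLD
    second_threshold: int = SECOND_THRESHOLD
    entry_at_first: bool = True          # True: embodiment 1, False: embodiment 2
    authenticated: Set[str] = field(default_factory=set)   # terminals that passed Portal
    stats: Dict[Tuple[str, str], int] = field(default_factory=dict)  # (src, dst) -> count
    legal_dst: Set[str] = field(default_factory=set)       # addresses judged legal
    anti_attack: Set[str] = field(default_factory=set)     # anti-attack table entries

    def new_period(self) -> None:
        """Start a new specified time period: the per-period counters are cleared."""
        self.stats.clear()

    def on_message(self, src: str, dst: str) -> str:
        """Handle one HTTP network access message; returns 'drop', 'forward' or 'portal'."""
        if dst in self.anti_attack:          # an anti-attack entry blocks every sender
            return "drop"
        if src in self.authenticated:        # authenticated terminal: proxied access
            return "forward"
        # Step 201: count per (source IP, destination IP) for unauthenticated terminals.
        key = (src, dst)
        self.stats[key] = self.stats.get(key, 0) + 1
        count = self.stats[key]
        if dst in self.legal_dst:            # legal address: never gets an entry
            return "portal"
        if count == self.first_threshold:
            # Step 202: reverse lookup for other entries with the same destination.
            others = [k for k in self.stats if k != key and k[1] == dst]
            if others:
                self.legal_dst.add(dst)      # more than one terminal: legal (Web proxy)
                del self.stats[key]          # the counter is no longer needed
            elif self.entry_at_first:        # embodiment 1: block at the first threshold
                self.anti_attack.add(dst)
                del self.stats[key]
                return "drop"
        elif count >= self.second_threshold: # embodiment 2: existing policy threshold
            self.anti_attack.add(dst)
            del self.stats[key]
            return "drop"
        return "portal"                      # unauthenticated: forced to Portal auth


# Constructed traffic mirroring tables 1..8: terminals 301 and 303 both target the
# Web proxy 20.1.1.2, terminal 302 alone targets 50.1.1.2; messages are interleaved.
SCENARIO: List[Tuple[str, str, int]] = [
    ("10.1.1.2", "20.1.1.2", 80),
    ("10.1.1.3", "50.1.1.2", 100),
    ("10.1.1.4", "20.1.1.2", 55),
]


def replay_example(entry_at_first: bool) -> Tuple[BrasAntiAttack, List[str]]:
    """Replay SCENARIO round-robin; return the BRAS state and per-message decisions."""
    bras = BrasAntiAttack(entry_at_first=entry_at_first)
    decisions: List[str] = []
    for i in range(max(n for _, _, n in SCENARIO)):
        for src, dst, n in SCENARIO:
            if i < n:
                decisions.append(bras.on_message(src, dst))
    return bras, decisions


if __name__ == "__main__":
    for mode in (True, False):
        bras, decisions = replay_example(mode)
        print(f"entry_at_first={mode}: legal={bras.legal_dst} anti_attack={bras.anti_attack} "
              f"dropped={decisions.count('drop')} remaining={bras.stats}")
        bras.authenticated.add("10.1.1.5")   # a terminal that passed Portal afterwards
        print("  authenticated -> 20.1.1.2:", bras.on_message("10.1.1.5", "20.1.1.2"),
              "| authenticated -> 50.1.1.2:", bras.on_message("10.1.1.5", "50.1.1.2"))
```

In both modes 20.1.1.2 ends up legal and 50.1.1.2 gets an anti-attack entry; the modes differ only in how many of terminal 302's messages are dropped before the entry exists.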
Thus, the description of the embodiments of the present disclosure is completed.
As can be seen from the description of this embodiment, in the present disclosure, once the number of network access packets sent by a terminal to the same destination IP address in a specified time period equals the first preset threshold, and more than one terminal is accessing that destination IP address, the destination IP address is determined to be a legal address. This effectively ensures that, even when network attack prevention is performed in a network combining Portal authentication and a Web proxy, packets (network access packets) that normally access the Web proxy server are not erroneously blocked, which prevents the normal network access failure that attack prevention would otherwise cause in such a network and ensures network access for all users.
The method provided by the present disclosure is described above; the apparatus provided by the present disclosure is described below.
Referring to FIG. 4, FIG. 4 is a block diagram of an apparatus provided in the present disclosure. The apparatus is applied to a BRAS and comprises:
a counting unit, configured to count the number of network access messages sent by a first terminal in a specified time period whose destination IP address is a first IP address, where the first terminal is one of the terminals not yet authenticated by an authentication server connected to the BRAS;
a checking unit, configured to check, when that number of messages equals a first preset threshold, whether any other terminal has sent network access messages with the first IP address as destination IP address in the specified time period;
and a network access control unit, configured to determine that the first IP address is legal when the checking unit finds that other terminals have sent network access messages with the first IP address as destination IP address in the specified time period, and to allow network access messages with the first IP address as destination IP address sent by other terminals that have been authenticated by the authentication server to pass through.
As an embodiment, when the checking unit finds that no other terminal has sent a network access message with the first IP address as destination IP address in the specified time period, the network access control unit further locally generates an anti-attack entry and prohibits network access messages with the first IP address as destination IP address from passing through according to the anti-attack entry.
As another embodiment, when the checking unit finds that no other terminal has sent a network access message with the first IP address as destination IP address in the specified time period, the network access control unit continues to count the number of network access messages sent by the first terminal in the specified time period whose destination IP address is the first IP address until that number equals a second preset threshold, and only then locally generates an anti-attack entry and prohibits network access messages with the first IP address as destination IP address from passing through according to it, where the second preset threshold is greater than the first preset threshold.
As an embodiment, the counting unit counts the number of network access messages sent by the first terminal in the specified time period whose destination IP address is the first IP address as follows:
when a network access message sent by the first terminal with the first IP address as destination IP address is received in the specified time period, check whether the local message statistics table contains a first message statistics entry whose source IP address and destination IP address are the source IP address and destination IP address of the received network access message;
if so, increase the message count in the first message statistics entry by a preset value;
if not, add to the local message statistics table a first message statistics entry whose message count is the preset value and whose source IP address and destination IP address are the source IP address and destination IP address of the received network access message.
As an embodiment, the counting unit is further configured to delete the first message statistics entry from the local message statistics table when the checking unit finds that other terminals have sent network access messages with the first IP address as destination IP address in the specified time period.
This completes the description of the apparatus shown in FIG. 4.
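The following Python model is an added example, not code from the patent or from H3C: it implements the counting unit, checking unit and network access control unit described above, together with the two embodiments walked through in the Table 8 example, on constructed traffic. The thresholds 80 and 100 and the destination 50.1.1.2 come from the Table 8 example; the terminal addresses 10.1.1.x and the Web proxy address 50.1.1.1 are constructed, and the model assumes the preset value added per message is 1 and that counts reset at the start of each specified time period.

```python
from dataclasses import dataclass, field


@dataclass
class Bras:
    """Model of the BRAS units in the patent (added example, not the patent's code).

    `stats` is the local message statistics table: (source IP, destination IP)
    -> message count within the current specified time period.
    """
    first_threshold: int = 80            # first preset threshold (Table 8: 80)
    second_threshold: int = 100          # second preset threshold (Table 8: 100)
    wait_for_second: bool = False        # False: first embodiment, True: second
    stats: dict = field(default_factory=dict)
    legal_dsts: set = field(default_factory=set)   # destinations found legal
    anti_attack: set = field(default_factory=set)  # anti-attack entries (dst IPs)

    def other_terminal_reaches(self, src_ip: str, dst_ip: str) -> bool:
        """Checking unit: reverse-search the statistics table by destination IP
        for an entry with a different source IP (i.e. another terminal)."""
        return any(d == dst_ip and s != src_ip for (s, d) in self.stats)

    def on_message(self, src_ip: str, dst_ip: str, authenticated: bool) -> str:
        """Handle one network access message and return the action taken."""
        if dst_ip in self.anti_attack:
            return "blocked"             # anti-attack entry: prohibit passage
        if authenticated or dst_ip in self.legal_dsts:
            # Authenticated terminals reaching a legal destination are allowed
            # (claim 1). Assumption: authenticated traffic to other destinations
            # and unauthenticated traffic to a legal destination also pass
            # without being counted.
            return "allowed"
        # Counting unit: unauthenticated terminal, count per (src, dst).
        # Assumption: the preset value added per message is 1.
        key = (src_ip, dst_ip)
        count = self.stats[key] = self.stats.get(key, 0) + 1
        if count == self.first_threshold:
            if self.other_terminal_reaches(src_ip, dst_ip):
                # More than one terminal reaches this destination: it is the
                # shared Web proxy, not an attack target (claims 1 and 5).
                self.legal_dsts.add(dst_ip)
                del self.stats[key]
                return "destination-legal"
            if not self.wait_for_second:
                return self._block(key)  # first embodiment (claim 2)
        if self.wait_for_second and count == self.second_threshold:
            return self._block(key)      # second embodiment (claim 3)
        return "counted"

    def _block(self, key: tuple) -> str:
        """Network access control unit: generate the anti-attack entry for the
        destination and delete the statistics entry that triggered it."""
        self.anti_attack.add(key[1])
        del self.stats[key]
        return "blocked"

    def new_period(self) -> None:
        """Assumption: statistics are reset when a new specified time period starts."""
        self.stats.clear()


def replay(bras: Bras, messages) -> list:
    """Feed (src, dst, authenticated) triples to the BRAS and collect the actions."""
    return [bras.on_message(s, d, a) for (s, d, a) in messages]


if __name__ == "__main__":
    # Constructed traffic: terminal 302 (10.1.1.2) alone hammers 50.1.1.2,
    # while two unauthenticated terminals both reach the Web proxy 50.1.1.1.
    bras = Bras()
    alone = replay(bras, [("10.1.1.2", "50.1.1.2", False)] * 80)
    shared = replay(bras, [("10.1.1.3", "50.1.1.1", False)]
                    + [("10.1.1.2", "50.1.1.1", False)] * 80)
    print("attack target:", alone[-1], "| web proxy:", shared[-1])
    print("anti-attack entries:", bras.anti_attack, "legal:", bras.legal_dsts)
```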
Correspondingly, the present disclosure also provides a hardware structure diagram of the apparatus shown in FIG. 4. As shown in FIG. 5, the hardware structure may include a machine-readable storage medium and a processor, wherein:
the machine-readable storage medium stores instruction codes; and
the processor communicates with the machine-readable storage medium, and reads and executes the instruction codes stored in it to implement the network access method disclosed in the examples above.
This completes the description of the hardware structure diagram of the apparatus shown in FIG. 5.
In the present disclosure, a machine-readable storage medium may be any electronic, magnetic, optical, or other physical storage device that can contain or store information such as executable instructions, data, and the like. For example, the machine-readable storage medium may be: a RAM (Random Access Memory), a volatile memory, a non-volatile memory, a flash memory, a storage drive (e.g., a hard drive), a solid state drive, any type of storage disk (e.g., an optical disk, a DVD, etc.), or similar storage medium, or a combination thereof.
The apparatuses, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or implemented by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the various elements may be implemented in the same one or more software and/or hardware implementations in practicing the disclosure.
As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, system, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the disclosed embodiments may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Furthermore, these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only exemplary of the present disclosure and should not be taken as limiting the disclosure, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present disclosure should be included in the scope of the present disclosure.

Claims (10)

1. A network access method, applied to a Broadband Remote Access Server (BRAS), comprising:
counting the number of network access messages sent by a first terminal in a specified time period whose destination IP address is a first IP address, wherein the first terminal is one of the terminals not yet authenticated by an authentication server connected to the BRAS;
if the number of messages equals a first preset threshold, checking whether any other terminal has sent network access messages with the first IP address as destination IP address in the specified time period;
when it is found that other terminals have sent network access messages with the first IP address as destination IP address in the specified time period, determining that the first IP address is legal, and allowing network access messages with the first IP address as destination IP address sent by other terminals that have been authenticated by the authentication server to pass through.
2. The method according to claim 1, wherein when it is found that no other terminal has sent a network access message with the first IP address as destination IP address in the specified time period, the method comprises:
locally generating an anti-attack entry, and prohibiting network access messages with the first IP address as destination IP address from passing through according to the anti-attack entry.
3. The method according to claim 1, wherein when it is found that no other terminal has sent a network access message with the first IP address as destination IP address in the specified time period, the method comprises:
continuing to count the number of network access messages sent by the first terminal in the specified time period whose destination IP address is the first IP address until that number equals a second preset threshold, then locally generating an anti-attack entry and prohibiting network access messages with the first IP address as destination IP address from passing through according to the anti-attack entry, wherein the second preset threshold is greater than the first preset threshold.
4. The method according to any one of claims 1 to 3, wherein the counting the number of network access messages sent by the first terminal in the specified time period whose destination IP address is the first IP address comprises:
when a network access message sent by the first terminal with the first IP address as destination IP address is received in the specified time period, checking whether the local message statistics table contains a first message statistics entry whose source IP address and destination IP address are the source IP address and destination IP address of the received network access message;
if so, increasing the message count in the first message statistics entry by a preset value;
if not, adding to the local message statistics table a first message statistics entry whose message count is the preset value and whose source IP address and destination IP address are the source IP address and destination IP address of the received network access message.
5. The method according to claim 4, wherein when it is found that other terminals have sent network access messages with the first IP address as destination IP address in the specified time period, the method further comprises: deleting the first message statistics entry from the local message statistics table.
6. The method according to claim 4, wherein the checking whether any other terminal has sent network access messages with the first IP address as destination IP address in the specified time period comprises:
searching, among the entries of the local message statistics table other than the first message statistics entry, for entries whose destination IP address is the first IP address;
if such an entry is found, determining that other terminals have sent network access messages with the first IP address as destination IP address in the specified time period;
if not, determining that no other terminal has sent network access messages with the first IP address as destination IP address in the specified time period.
7. A network access apparatus, applied to a Broadband Remote Access Server (BRAS), comprising:
a counting unit, configured to count the number of network access messages sent by a first terminal in a specified time period whose destination IP address is a first IP address, wherein the first terminal is one of the terminals not yet authenticated by an authentication server connected to the BRAS;
a checking unit, configured to check, when that number of messages equals a first preset threshold, whether any other terminal has sent network access messages with the first IP address as destination IP address in the specified time period;
and a network access control unit, configured to determine that the first IP address is legal when the checking unit finds that other terminals have sent network access messages with the first IP address as destination IP address in the specified time period, and to allow network access messages with the first IP address as destination IP address sent by other terminals that have been authenticated by the authentication server to pass through.
8. The apparatus according to claim 7, wherein, when the checking unit finds that no other terminal has sent a network access message with the first IP address as destination IP address in the specified time period, the network access control unit further either locally generates an anti-attack entry, or continues to count the number of network access messages sent by the first terminal in the specified time period whose destination IP address is the first IP address until that number equals a second preset threshold and then locally generates the anti-attack entry, wherein the second preset threshold is greater than the first preset threshold; and prohibits network access messages with the first IP address as destination IP address from passing through according to the anti-attack entry.
9. The apparatus according to claim 7 or 8, wherein the counting, by the counting unit, of the number of network access messages sent by the first terminal in the specified time period whose destination IP address is the first IP address comprises:
when a network access message sent by the first terminal with the first IP address as destination IP address is received in the specified time period, checking whether the local message statistics table contains a first message statistics entry whose source IP address and destination IP address are the source IP address and destination IP address of the received network access message;
if so, increasing the message count in the first message statistics entry by a preset value;
if not, adding to the local message statistics table a first message statistics entry whose message count is the preset value and whose source IP address and destination IP address are the source IP address and destination IP address of the received network access message.
10. The apparatus according to claim 9, wherein the counting unit is further configured to delete the first message statistics entry from the local message statistics table when the checking unit finds that other terminals have sent network access messages with the first IP address as destination IP address in the specified time period.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810827488.3A CN109040046B (en) 2018-07-25 2018-07-25 Network access method and device

Publications (2)

Publication Number Publication Date
CN109040046A (en) 2018-12-18
CN109040046B (en) 2021-01-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20230626
Address after: 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province
Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd.
Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466
Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd.