CN109246128A - Prevent the method and system of link type ddos attack - Google Patents
- Publication number: CN109246128A (application CN201811188693.6A)
- Authority: CN (China)
- Prior art keywords: network, ddos, network flow, protected, flow
- Legal status: Granted
Classifications
- H04L (Electricity; Electric communication technique; Transmission of digital information, e.g. telegraphic communication)
- H04L63/00 Network architectures or network communication protocols for network security
- H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441 Countermeasures against malicious traffic
- H04L63/1458 Denial of Service
- H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416 Event detection, e.g. attack signature detection
- H04L63/1425 Traffic logging, e.g. anomaly detection
Abstract
The present invention proposes a method and system for preventing link-type DDoS attacks. The method comprises: a network flow monitoring system monitors the network flow entering a protected network through the primary outlet link of the protected network, the protected network comprising a primary outlet link and a backup link; when the network flow is less than a preset warning value, the system judges whether a DDoS attack standard is reached and, when it is, notifies the intranet DDoS system to drain the traffic; when the network flow is greater than or equal to the preset warning value, the system notifies the public network DDoS system to drain the traffic, so that the public network DDoS system, in linkage with the public network DNS, draws the network flow to the public network DDoS system for cleaning and re-injects the cleaned network flow into the protected network through the backup link. The method combines the advantages of enterprise-level DDoS products and operator DDoS products, guaranteeing security as far as possible without limiting the network flow.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a method and system for preventing link-type DDoS attacks.
Background technique
A Distributed Denial of Service (DDoS) attack joins multiple computers together as an attack platform and launches a DDoS attack from that platform against one or more computers, thereby multiplying the power of the denial-of-service attack. Typically, the attacker installs a DDoS master program on one computer using a stolen account and installs agent programs on each computer of the attack platform; at a set time the master program communicates with the large number of agent programs, and the agents launch the attack when they receive the instruction.
There are several main types of DDoS attack: making the attacked system run at full load so that other normal users cannot access it; causing the attacked system to malfunction so that no user can access it; and congesting the link bandwidth of the attacked object so that the access traffic of normal users cannot enter. The last type may be called a link-type DDoS attack. To prevent link-type DDoS attacks, an anti-DDoS product needs to be deployed in front of the link to intercept network attacks.
Current anti-DDoS products can be divided into enterprise-level DDoS products and operator DDoS products. However, enterprise-level DDoS products can only be used in scenarios where the network flow does not exceed the enterprise's outlet bandwidth, and operator DDoS products carry security risks.
Summary of the invention
The present invention aims to solve at least some of the technical problems in the related art.
For this purpose, one object of the present invention is to provide a method for preventing link-type DDoS attacks which combines the advantages of enterprise-level DDoS products and operator DDoS products and guarantees security as far as possible without limiting the network flow.
Another object of the present invention is to propose a system for preventing link-type DDoS attacks.
To achieve the above objectives, the method for preventing link-type DDoS attacks proposed by an embodiment of the first aspect of the present invention comprises: a network flow monitoring system monitors the network flow entering the protected network through the primary outlet link of the protected network, the protected network comprising a primary outlet link and a backup link; when the network flow is less than a preset warning value, the network flow monitoring system judges whether a DDoS attack standard is reached and, when it is, notifies the intranet DDoS system of the protected network to drain the traffic; when the network flow is greater than or equal to the preset warning value, the network flow monitoring system notifies the public network DDoS system to drain the traffic, so that the public network DDoS system, in linkage with the public network DNS, draws the network flow to the public network DDoS system for cleaning and re-injects the cleaned network flow into the protected network through the backup link.
In the method proposed by the embodiment of the first aspect, network flow greater than or equal to the warning value is handled by the public network DDoS system, which resolves the case where an enterprise-level DDoS product cannot be used because the network flow exceeds the outlet bandwidth, so that link-type DDoS attacks can still be handled when the network flow is large; network flow less than the warning value is handled by the intranet DDoS system, so that in this scenario the operator DDoS product need not participate and its security risk is avoided. By having different DDoS products handle the different network flow conditions, the advantages of enterprise-level DDoS products and operator DDoS products are combined, and security is guaranteed as far as possible without limiting the network flow.
To achieve the above objectives, the system for preventing link-type DDoS attacks proposed by an embodiment of the second aspect of the present invention comprises a network flow monitoring system, which includes: a monitoring module, for monitoring the network flow entering the protected network through the primary outlet link of the protected network, the protected network comprising a primary outlet link and a backup link; a first notification module, for judging, when the network flow is less than a preset warning value, whether a DDoS attack standard is reached and, when it is, notifying the intranet DDoS system of the protected network to drain the traffic; and a second notification module, for notifying, when the network flow is greater than or equal to the preset warning value, the public network DDoS system to drain the traffic, so that the public network DDoS system, in linkage with the public network DNS, draws the network flow to the public network DDoS system for cleaning and re-injects the cleaned network flow into the protected network through the backup link.
In the system proposed by the embodiment of the second aspect, network flow greater than or equal to the warning value is handled by the public network DDoS system, which resolves the case where an enterprise-level DDoS product cannot be used because the network flow exceeds the outlet bandwidth, so that link-type DDoS attacks can still be handled when the network flow is large; network flow less than the warning value is handled by the intranet DDoS system, so that in this scenario the operator DDoS product need not participate and its security risk is avoided. By having different DDoS products handle the different network flow conditions, the advantages of enterprise-level DDoS products and operator DDoS products are combined, and security is guaranteed as far as possible without limiting the network flow.
Additional aspects and advantages of the present invention will be set forth in part in the following description, will in part become apparent from that description, or will be learned through practice of the invention.
Detailed description of the invention
The above and/or additional aspects and advantages of the present invention will become apparent and easy to understand from the following description of the embodiments with reference to the accompanying drawings, in which:
Fig. 1 is a flow diagram of the method for preventing link-type DDoS attacks proposed by one embodiment of the present invention;
Fig. 2 is a schematic diagram of the system for preventing link-type DDoS attacks in an embodiment of the present invention;
Fig. 3 is a flow diagram of the method for preventing link-type DDoS attacks proposed by another embodiment of the present invention;
Fig. 4 is a schematic diagram of the processing flow of the intranet DDoS system in an embodiment of the present invention;
Fig. 5 is a schematic diagram of the processing flow of the public network DDoS system in an embodiment of the present invention;
Fig. 6 is a structural diagram of the system for preventing link-type DDoS attacks proposed by another embodiment of the present invention;
Fig. 7 is a structural diagram of the system for preventing link-type DDoS attacks proposed by another embodiment of the present invention;
Fig. 8 is a structural diagram of the system for preventing link-type DDoS attacks proposed by another embodiment of the present invention.
Specific embodiment
Embodiments of the present invention are described in detail below; examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals throughout denote the same or similar modules or modules with the same or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the invention, and are not to be construed as limiting it. On the contrary, the embodiments of the invention include all changes, modifications and equivalents falling within the spirit and scope of the appended claims.
Fig. 1 is a flow diagram of the method for preventing link-type DDoS attacks proposed by one embodiment of the present invention; the method comprises:
S11: the network flow monitoring system monitors the network flow entering the protected network through the primary outlet link of the protected network.
The network flow monitoring system may be arranged inside the protected network. Taking an enterprise network as the protected network, and referring to Fig. 2, the network flow monitoring system 21 is arranged inside the enterprise network.
In some embodiments, referring to Fig. 3, the monitoring by the network flow monitoring system of the network flow entering the protected network through the primary outlet link specifically includes:
S31: the network flow monitoring system receives the mirror flow generated by the outlet device of the protected network and monitors the mirror flow to obtain the network flow entering the protected network, where the mirror flow is obtained by the outlet device mirroring or optically splitting the network flow of the primary outlet link.
For example, with reference to Fig. 2, the outlet device 22 is placed at the interface between the enterprise network and the public network. The outlet device has at least two outlet links: one is the backup link and the other is the primary outlet link. The backup link is used to bring in the network flow re-injected by the public network DDoS system, and the primary outlet link is used to bring in the network flow generated by regular business or by a DDoS attack.
The outlet device may mirror or optically split the network flow on the primary outlet link to obtain the mirror flow, and then send the mirror flow to the network flow monitoring system.
Both mirroring and optical splitting copy one stream of data into two identical copies; the difference is that mirroring supports both optical and electrical ports, whereas optical splitting supports only optical ports.
S12: when the network flow is less than the preset warning value, the network flow monitoring system judges whether the DDoS attack standard is reached and, when it is, notifies the intranet DDoS system of the protected network to drain the traffic.
In some embodiments, referring to Fig. 3, after the network flow monitoring system receives the mirror flow generated by the outlet device, the method may further include:
S32: the network flow monitoring system judges whether the monitored network flow is less than the preset warning value; if so, S33 is executed, otherwise S35 is executed.
After the network flow is obtained by monitoring, it can be compared with the preset warning value to judge whether it is below that value.
S33: the network flow monitoring system judges whether the DDoS attack standard is reached; if so, S34 is executed, otherwise S31 and its subsequent steps are repeated.
A DDoS cleaning rule may be pre-configured in the network flow monitoring system, and whether the DDoS attack standard is reached is judged according to that rule. For example, the DDoS cleaning rule records the features of a DDoS attack; the network flow is analysed and, if it matches those features, the DDoS attack standard is determined to be reached. The specific features may be those of existing link-type DDoS attacks.
S34: the network flow monitoring system notifies the intranet DDoS system to drain the traffic.
For example, with reference to Fig. 2, the intranet DDoS system 23 may be arranged inside the enterprise network.
Notifying the intranet DDoS system to drain the traffic may specifically consist of the network flow monitoring system sending a start-drainage message to the intranet DDoS system.
In some embodiments, referring to Fig. 3, after notifying the intranet DDoS system of the protected network to drain the traffic, the method may further include:
S36: the network flow monitoring system stops monitoring the mirror flow.
Stopping the monitoring of the mirror flow may specifically include either of the following:
the network flow monitoring system sends an instruction message to the outlet device, and the outlet device stops mirroring or optical splitting according to that message; or
the network flow monitoring system stops analysing and processing the mirror flow.
S13: when the network flow is greater than or equal to the preset warning value, the network flow monitoring system notifies the public network DDoS system to drain the traffic, so that the public network DDoS system, in linkage with the public network DNS, draws the network flow to the public network DDoS system for cleaning and re-injects the cleaned network flow into the protected network through the backup link.
In some embodiments, as shown in Fig. 3, when the network flow is greater than or equal to the preset warning value the method further includes:
S35: the network flow monitoring system notifies the public network DDoS system to drain the traffic.
For example, with reference to Fig. 2, the public network DDoS system 24 may be placed on the public network outside the enterprise network.
Notifying the public network DDoS system to drain the traffic may specifically consist of the network flow monitoring system sending a start-drainage message to the public network DDoS system.
In some embodiments, referring to Fig. 3, after notifying the public network DDoS system to drain the traffic, the method may further include:
S36: the network flow monitoring system stops monitoring the mirror flow.
Stopping the monitoring of the mirror flow may specifically include either of the following:
the network flow monitoring system sends an instruction message to the outlet device, and the outlet device stops mirroring or optical splitting according to that message; or
the network flow monitoring system stops analysing and processing the mirror flow.
S37: the network flow monitoring system configures the outlet device so that, once configured, the outlet device discards the network flow on the primary outlet link.
For example, the network flow monitoring system configures a blackhole route on the outlet device, so that all network flow on the primary outlet link is discarded by the outlet device.
In this embodiment, network flow greater than or equal to the warning value is handled by the public network DDoS system, which resolves the case where an enterprise-level DDoS product cannot be used because the network flow exceeds the outlet bandwidth, so that link-type DDoS attacks can still be handled when the network flow is large; network flow less than the warning value is handled by the intranet DDoS system, so that in this scenario the operator DDoS product need not participate and its security risk is avoided. By having different DDoS products handle the different network flow conditions, the advantages of enterprise-level DDoS products and operator DDoS products are combined, and security is guaranteed as far as possible without limiting the network flow.
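As an added illustration (not code from the patent), the decision logic of the network flow monitoring system in steps S31 to S37 is written out below in Python. The class and field names, the features carried by a mirror sample and the thresholds in the cleaning rule are assumptions for the example; the patent only says that the rule records the features of existing link-type DDoS attacks, and the exact content of the start-drainage message is taken from the description of S52 and S54.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    """What the monitor decided for one observation of the mirror flow."""
    KEEP_MONITORING = "keep_monitoring"        # S32 -> S33, then back to S31
    DRAIN_INTRANET = "drain_intranet"          # S34 followed by S36
    DRAIN_PUBLIC = "drain_public"              # S35 followed by S36 and S37
    MONITORING_STOPPED = "monitoring_stopped"  # S36 in effect: sample ignored


@dataclass(frozen=True)
class MirrorSample:
    """One measurement of the mirrored copy of the primary outlet link (constructed)."""
    bits_per_second: int
    packets_per_second: int
    syn_share: float  # fraction of packets that are TCP SYNs
    udp_share: float  # fraction of packets that are UDP


@dataclass
class DdosCleaningRule:
    """The pre-configured DDoS cleaning rule of S33. Features and thresholds are
    assumptions for this example, not values given by the patent."""
    min_packets_per_second: int = 50_000
    max_syn_share: float = 0.6
    max_udp_share: float = 0.8

    def matches(self, s: MirrorSample) -> bool:
        flood = s.packets_per_second >= self.min_packets_per_second
        return flood and (s.syn_share >= self.max_syn_share or s.udp_share >= self.max_udp_share)


@dataclass
class NetworkFlowMonitor:
    """Decision logic of the network flow monitoring system (S31 to S37)."""
    warning_value_bps: int              # preset warning value
    domain: str                         # domain name of the protected network ('A')
    backup_link_ip: str                 # backup link IP of the outlet device ('IP2')
    rule: DdosCleaningRule = field(default_factory=DdosCleaningRule)
    monitoring: bool = True             # False once S36 stopped mirror-flow monitoring
    blackhole_configured: bool = False  # True once S37 configured the outlet device
    sent_messages: list = field(default_factory=list)  # messages to the DDoS systems

    def observe(self, sample: MirrorSample) -> Action:
        if not self.monitoring:
            return Action.MONITORING_STOPPED
        # S32: compare the monitored flow against the warning value
        if sample.bits_per_second < self.warning_value_bps:
            # S33: judge against the DDoS cleaning rule
            if not self.rule.matches(sample):
                return Action.KEEP_MONITORING
            # S34: start-drainage message to the intranet DDoS system, then S36
            self.sent_messages.append({"target": "intranet_ddos", "type": "start_drainage"})
            self.monitoring = False
            return Action.DRAIN_INTRANET
        # S35: start-drainage message to the public network DDoS system carrying the
        # domain name, backup link IP and warning value (as described for S52/S54)
        self.sent_messages.append({
            "target": "public_ddos", "type": "start_drainage",
            "domain": self.domain, "backup_link_ip": self.backup_link_ip,
            "warning_value_bps": self.warning_value_bps,
        })
        self.monitoring = False           # S36
        self.blackhole_configured = True  # S37: blackhole route for the primary outlet link
        return Action.DRAIN_PUBLIC

    def on_restart_monitoring(self) -> None:
        """Instruction message of S45/S55. Removing the blackhole route here is an
        assumption: the patent does not state when it is withdrawn."""
        self.monitoring = True
        self.blackhole_configured = False


def run_scenario() -> list:
    """Constructed sequence of mirror samples against a 1 Gbit/s warning value."""
    mon = NetworkFlowMonitor(warning_value_bps=1_000_000_000, domain="A", backup_link_ip="IP2")
    samples = [
        MirrorSample(300_000_000, 20_000, 0.05, 0.20),  # ordinary business traffic
        MirrorSample(700_000_000, 90_000, 0.85, 0.05),  # SYN flood below the warning value
        MirrorSample(750_000_000, 95_000, 0.85, 0.05),  # ignored: monitoring stopped
    ]
    actions = [mon.observe(s) for s in samples]
    mon.on_restart_monitoring()  # intranet DDoS system finished (S45)
    actions.append(mon.observe(MirrorSample(2_500_000_000, 400_000, 0.30, 0.60)))
    return actions
```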
After the intranet DDoS system or the public network DDoS system receives the start-drainage message, it can carry out the corresponding processing.
Fig. 4 is a schematic diagram of the processing flow of the intranet DDoS system in an embodiment of the present invention; the flow includes:
S41: the intranet DDoS system receives the start-drainage message sent by the network flow monitoring system.
S42: after receiving the start-drainage message sent by the network flow monitoring system, the intranet DDoS system performs drainage configuration on the outlet device of the protected network, so that the configured outlet device draws the network flow of the primary outlet link to the intranet DDoS system.
For example, the intranet DDoS system configures the Border Gateway Protocol (BGP) on the outlet device. Once BGP is configured on the outlet device, the network flow of the primary outlet link can be sent to the intranet DDoS system, achieving traction of the network flow. BGP is an existing protocol, so the BGP configuration can be completed using existing configuration methods.
S43: the intranet DDoS system cleans the drawn network flow and re-injects the cleaned network flow onto the outlet device, so that the outlet device sends the re-injected network flow to the intranet server.
The intranet DDoS system may clean the network flow using the cleaning strategy of an existing enterprise-level DDoS product.
After cleaning, the intranet DDoS system forwards the cleaned network flow to the outlet device, achieving re-injection of the network flow.
A routing policy may be pre-configured on the outlet device, for example: when the source address of the network flow is the intranet DDoS system, the destination address is the intranet server. Under this policy, referring to Fig. 2, the network flow re-injected from the intranet DDoS system 23 into the outlet device 22 is sent by the outlet device to the intranet server 25. Configuring this routing policy avoids the loop problem that repeated drainage would cause.
S44: the intranet DDoS system checks whether a DDoS attack exists; if there is no DDoS attack throughout a preset time, S45 is executed, otherwise S43 and its subsequent steps are repeated.
The intranet DDoS system may check for a DDoS attack using existing means.
S45: the drainage configuration on the outlet device is cancelled, and the network flow monitoring system is notified to restart monitoring.
When no DDoS attack exists throughout the preset time, the intranet DDoS system cancels the BGP configuration on the outlet device.
In addition, as shown in Fig. 3, the network flow monitoring system can stop monitoring the mirror flow after notifying the intranet DDoS system to drain the traffic. After the intranet DDoS system cancels the BGP configuration on the outlet device, it can send an instruction message to the network flow monitoring system instructing it to restart monitoring.
In this embodiment, after the intranet DDoS system receives the start-drainage message it performs drainage configuration on the outlet device, which draws the network flow to the intranet DDoS system so that the intranet DDoS system can clean the network flow and prevent link-type DDoS attacks.
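The intranet-side flow of S41 to S45 is modelled below as an added Python example (not the patent's code). The outlet device is reduced to a BGP drainage flag plus the source-based routing policy of S43; the `attack` label on a packet stands in for the verdict of the enterprise-level cleaning strategy, and the preset time of S44 is counted in check intervals. All names and addresses are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

INTRANET_DDOS = "intranet_ddos"      # intranet DDoS system 23 in Fig. 2
INTRANET_SERVER = "intranet_server"  # intranet server 25 in Fig. 2
PRIMARY_OUTLET = "primary_outlet"    # traffic arriving over the primary outlet link


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    attack: bool  # constructed label standing in for the cleaner's verdict


@dataclass
class OutletDevice:
    """Outlet device 22: the BGP drainage route installed in S42 plus the
    pre-configured routing policy of S43 that sends traffic sourced from the
    intranet DDoS system straight to the intranet server."""
    bgp_drainage: bool = False

    def next_hop(self, pkt: Packet, ingress: str) -> str:
        if ingress == INTRANET_DDOS:  # routing policy wins over the drainage route
            return INTRANET_SERVER
        if self.bgp_drainage:         # drained: primary outlet traffic goes to the cleaner
            return INTRANET_DDOS
        return INTRANET_SERVER


@dataclass
class IntranetDdosSystem:
    outlet: OutletDevice
    quiet_intervals_required: int  # the 'preset time' of S44, counted in check intervals
    quiet_intervals: int = 0
    draining: bool = False
    restart_requests: int = 0      # instruction messages sent to the monitor in S45

    def on_start_drainage(self) -> None:
        """S41/S42: start-drainage message received; configure BGP on the outlet device."""
        self.outlet.bgp_drainage = True
        self.draining = True
        self.quiet_intervals = 0

    def clean_and_reinject(self, packets: List[Packet]) -> Tuple[List[Packet], bool]:
        """S43: the outlet device forwards each packet; drained packets are cleaned
        and re-injected via the outlet device. Returns (packets reaching the
        intranet server, whether attack traffic was seen)."""
        delivered: List[Packet] = []
        attack_seen = False
        for pkt in packets:
            if self.outlet.next_hop(pkt, PRIMARY_OUTLET) != INTRANET_DDOS:
                delivered.append(pkt)  # not drained: forwarded directly
                continue
            if pkt.attack:
                attack_seen = True     # dropped by the cleaning strategy
                continue
            # Re-injected packet: the outlet device sees the intranet DDoS system as
            # its source, so the routing policy sends it to the server rather than
            # back into the drainage route (no loop).
            if self.outlet.next_hop(pkt, INTRANET_DDOS) == INTRANET_SERVER:
                delivered.append(pkt)
        return delivered, attack_seen

    def check_interval(self, attack_seen: bool) -> bool:
        """S44/S45: once a whole preset time passes without attack, cancel the
        BGP configuration and tell the monitoring system to restart monitoring."""
        if not self.draining:
            return False
        self.quiet_intervals = 0 if attack_seen else self.quiet_intervals + 1
        if self.quiet_intervals < self.quiet_intervals_required:
            return False
        self.outlet.bgp_drainage = False
        self.draining = False
        self.restart_requests += 1
        return True


def run_scenario() -> dict:
    """Constructed traffic: two intervals with attack packets, then two quiet ones."""
    outlet = OutletDevice()
    system = IntranetDdosSystem(outlet, quiet_intervals_required=2)
    system.on_start_drainage()
    good = Packet("198.51.100.7", "203.0.113.10", attack=False)
    bad = Packet("192.0.2.99", "203.0.113.10", attack=True)
    intervals = [[good, bad, bad], [bad, good], [good, good], [good]]
    log = []
    for pkts in intervals:
        delivered, attack_seen = system.clean_and_reinject(pkts)
        log.append((len(delivered), attack_seen, system.check_interval(attack_seen)))
    after = outlet.next_hop(good, PRIMARY_OUTLET)  # drainage cancelled: straight to server
    return {"log": log, "bgp_drainage": outlet.bgp_drainage,
            "restart_requests": system.restart_requests, "after": after}
```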
Fig. 5 is a schematic diagram of the processing flow of the public network DDoS system in an embodiment of the present invention; the flow includes:
S51: the public network DDoS system receives the start-drainage message sent by the network flow monitoring system.
S52: after receiving the start-drainage message sent by the network flow monitoring system, the public network DDoS system performs drainage configuration on the public network Domain Name System (DNS), so that the configured public network DNS draws the network flow originally destined for the protected network to the public network DDoS system.
The start-drainage message may include the domain name of the protected network and the IP address of the backup link of the protected network's outlet device.
Correspondingly, the drainage configuration performed by the public network DDoS system on the public network DNS may specifically include:
the public network DDoS system sends a configuration message to the public network DNS containing the domain name of the protected network and a first IP address, so that after receiving the configuration message the public network DNS changes the pre-stored IP address corresponding to the protected domain name to the first IP address, where the first IP address is an IP address pre-established to be associated with the IP address of the backup link of the protected network's outlet device.
The public network DNS stores in advance the correspondence between domain names and IP addresses, so that a domain name can be resolved to an IP address and the network flow then transmitted according to that IP address. Normally the network flow is to be sent to the protected network and is transmitted through the primary outlet link of the protected network's outlet device. Assume the domain name of the protected network is A and the IP address of the primary outlet link is IP1; the public network DNS then originally stores the correspondence between A and IP1. To drain the network flow into the public network DDoS system, the network flow originally sent to the protected network must be transmitted to the public network DDoS system instead, so the IP address corresponding to A in the public network DNS must be changed to an IP address of the public network DDoS system.
Since the public network DDoS system may communicate with multiple protected networks such as enterprise networks, it can set different IP addresses for different protected networks. To this end the public network DDoS system may store an address pool in advance, which records the associations between IP addresses. For example, if the IP address of the backup link of the outlet device of the protected network with domain name A is IP2, and the public network DDoS system stores in advance that the IP address associated with IP2 is IP3, then the first IP address above is IP3, and the public network DDoS system instructs the public network DNS to change the IP address corresponding to A from IP1 to IP3.
S53: the public network DDoS system cleans the drawn network flow and re-injects the cleaned network flow into the protected network through the backup link.
After the public network DNS modifies the IP address, the network flow originally sent to the protected network is sent to the public network DDoS system instead, achieving traction of the network flow to the public network DDoS system.
Once the network flow has been drawn to the public network DDoS system, the public network DDoS system can clean it using the cleaning method of an existing operator DDoS product.
After cleaning, the cleaned network flow is sent again to the protected network through the backup link, achieving re-injection of the network flow.
Re-injecting the network flow may specifically consist of changing the destination address of the network flow to the IP address of the backup link of the protected network's outlet device, for example to IP2; according to routing principles the network flow is then re-injected into the protected network through the backup link.
S54: the public network DDoS system checks the cleaned network flow; if the cleaned network flow stays below the preset warning value throughout a preset time, S55 is executed, otherwise S53 and its subsequent steps are repeated.
The start-drainage message sent by the network flow monitoring system to the public network DDoS system may also include the preset warning value, so that the public network DDoS system obtains it by parsing the start-drainage message.
Having obtained the preset warning value, the public network DDoS system compares the cleaned network flow with the preset warning value to obtain the judgement result.
S55: the drainage configuration on the public network DNS is cancelled, and the network flow monitoring system is notified to restart monitoring.
When the cleaned network flow has stayed below the warning value throughout the preset time, the public network DDoS system sends an instruction message to the public network DNS; on receiving it, the public network DNS restores the IP address corresponding to the domain name to its previous state, for example restoring the IP address corresponding to A from IP3 to IP1, so that subsequent network flow enters the protected network through the primary outlet link.
In addition, as shown in Fig. 3, the network flow monitoring system can stop monitoring the mirror flow after notifying the public network DDoS system to drain the traffic. After the public network DDoS system cancels the drainage configuration on the public network DNS, it can send an instruction message to the network flow monitoring system instructing it to restart monitoring.
In this embodiment, after the public network DDoS system receives the start-drainage message it performs drainage configuration on the public network DNS, which draws the network flow to the public network DDoS system so that the public network DDoS system can clean the network flow and prevent link-type DDoS attacks.
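The public-network side of S51 to S55 is modelled below as an added Python example (not the patent's code), using the patent's own placeholders: domain A, primary outlet IP1, backup link IP2 and pool address IP3. The DNS is a plain dictionary, the `attack` label on a packet stands in for the operator-grade cleaner's verdict, and the preset time of S54 is counted in check intervals; all names, sizes and the 1 Mbit/s warning value are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class PublicDns:
    """Public network DNS: pre-stored domain name -> IP address correspondence."""
    records: Dict[str, str]

    def resolve(self, domain: str) -> str:
        return self.records[domain]

    def configure(self, domain: str, ip: str) -> None:
        """Handle a configuration or instruction message: repoint a domain."""
        self.records[domain] = ip


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    size_bytes: int
    attack: bool  # constructed label standing in for the cleaner's verdict


@dataclass
class DrainageSession:
    backup_link_ip: str     # IP2: where cleaned flow is re-injected (S53)
    original_ip: str        # IP1: restored when drainage is cancelled (S55)
    warning_value_bps: int  # carried in the start-drainage message (S54)
    quiet_intervals: int = 0


@dataclass
class PublicDdosSystem:
    dns: PublicDns
    address_pool: Dict[str, str]   # backup link IP -> associated first IP (IP2 -> IP3)
    interval_seconds: int          # length of one S54 check interval
    quiet_intervals_required: int  # the 'preset time' of S54 in check intervals
    sessions: Dict[str, DrainageSession] = field(default_factory=dict)
    restart_requests: List[str] = field(default_factory=list)

    def on_start_drainage(self, msg: dict) -> str:
        """S51/S52: look up the first IP address in the address pool and send the
        configuration message (domain, first IP) to the public network DNS."""
        domain = msg["domain"]
        first_ip = self.address_pool[msg["backup_link_ip"]]
        self.sessions[domain] = DrainageSession(
            backup_link_ip=msg["backup_link_ip"],
            original_ip=self.dns.resolve(domain),
            warning_value_bps=msg["warning_value_bps"],
        )
        self.dns.configure(domain, first_ip)
        return first_ip

    def clean_and_reinject(self, domain: str, packets: List[Packet]) -> Tuple[List[Packet], bool]:
        """S53/S54: drop attack packets, rewrite the destination to the backup link
        IP so the flow returns over the backup link, then compare one interval of
        cleaned flow with the warning value. Returns (re-injected packets, finished)."""
        session = self.sessions[domain]
        reinjected = [Packet(p.src, session.backup_link_ip, p.size_bytes, False)
                      for p in packets if not p.attack]
        cleaned_bps = sum(p.size_bytes for p in reinjected) * 8 // self.interval_seconds
        session.quiet_intervals = session.quiet_intervals + 1 if cleaned_bps < session.warning_value_bps else 0
        finished = session.quiet_intervals >= self.quiet_intervals_required
        if finished:
            self._cancel(domain)
        return reinjected, finished

    def _cancel(self, domain: str) -> None:
        """S55: restore the domain's original address and ask the monitor to restart."""
        session = self.sessions.pop(domain)
        self.dns.configure(domain, session.original_ip)
        self.restart_requests.append(domain)


def run_scenario() -> dict:
    """Constructed run: one interval still above the warning value, then two below it."""
    dns = PublicDns({"A": "IP1"})
    system = PublicDdosSystem(dns, address_pool={"IP2": "IP3"},
                              interval_seconds=1, quiet_intervals_required=2)
    msg = {"domain": "A", "backup_link_ip": "IP2", "warning_value_bps": 1_000_000}
    first_ip = system.on_start_drainage(msg)
    during = dns.resolve("A")
    good = Packet("198.51.100.7", "IP3", 10_000, attack=False)  # 80 kbit per packet
    bad = Packet("192.0.2.99", "IP3", 10_000, attack=True)
    intervals = [[good] * 20 + [bad] * 200, [good] * 5 + [bad] * 50, [good] * 5]
    log, dst = [], None
    for pkts in intervals:
        reinjected, finished = system.clean_and_reinject("A", pkts)
        dst = reinjected[0].dst
        log.append((len(reinjected), finished))
    return {"first_ip": first_ip, "during": during, "log": log, "reinjected_dst": dst,
            "after": dns.resolve("A"), "restart_requests": system.restart_requests}
```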
Fig. 6 is the structural schematic diagram for the realization system for preventing link type ddos attack that another embodiment of the present invention proposes,
Referring to Fig. 6, which may include: network flow monitoring system 61, which may include:
Monitoring module 611, for monitoring the network flow for entering protected network by the primary outlet link of protected network
Amount, the protected network includes: primary outlet link and backup link;
Wherein, network flow monitoring system can be set in the inside of protected network, be enterprise network with protected network
For, referring to fig. 2, network flow monitoring system is arranged inside enterprise network.
In some embodiments, the monitoring module 611 is specifically used for:
Receive protected network outlet device generate mirror image flow, the mirror image flow is monitored, obtain into
Enter the network flow of protected network, wherein mirror image flow is that outlet device carries out mirror image to the network flow of primary outlet link
Or obtained after light-splitting processing.
For example, with reference to Fig. 2, outlet device is set inside enterprise network with the interface of public network, outlet device includes at least
Two outbounds, wherein a link is backup link, link in addition is primary outlet link, and backup link is for introducing public affairs
The injected network flow of DDoS system is netted, primary outlet link is used to introduce the network flow that regular traffic or ddos attack generate.
Outlet device can carry out mirror image or light-splitting processing to the network flow of primary outlet chain road, obtain mirror image flow,
Mirror image flow is sent to network flow monitoring system later.Wherein, mirror image processing and light-splitting processing can be by a data
It is copied into identical two parts of data, unlike the two, mirror image processing supports optical port and power port, light-splitting processing only to support optical port.
The first notification module 612 is used for judging whether the DDoS attack standard is reached when the network flow is less than the preset warning value and, when the DDoS attack standard is reached, notifying the Intranet DDoS system of the protected network to perform drainage (traffic diversion).
After monitoring obtains the network flow, the network flow can be compared with the preset warning value to judge whether it is less than the preset warning value.
A DDoS cleaning rule can be pre-configured in the first notification module, so that whether the DDoS attack standard is reached is judged according to the DDoS cleaning rule. For example, the features of a DDoS attack are recorded in the DDoS cleaning rule; the network flow is analyzed, and if it matches these features it is determined that the DDoS attack standard is reached. The specific features can be the features of existing link-type DDoS attacks.
When the first notification module notifies the Intranet DDoS system to perform drainage, this may specifically be the first notification module sending a start-drainage message to the Intranet DDoS system.
The second notification module 613 is used for notifying the public network DDoS system to perform drainage when the network flow is greater than or equal to the preset warning value, so that the public network DDoS system, in linkage with the public network DNS, draws the network flow to the public network DDoS system for cleaning and re-injects the cleaned network flow into the protected network through the backup link.
For example, with reference to Fig. 2, the public network DDoS system can be set on the public network outside the enterprise network.
When the second notification module notifies the public network DDoS system to perform drainage, this may specifically be the second notification module sending a start-drainage message to the public network DDoS system.
In some embodiments, referring to Fig. 7, the network flow monitoring module 61 further includes:
a stopping module 614 for stopping the monitoring of the mirror image flow.
For example, the stopping module can be started after the first notification module notifies the Intranet DDoS system to perform drainage, or after the second notification module notifies the public network DDoS system to perform drainage.
The stopping module stopping the monitoring of the mirror image flow can specifically include:
the stopping module sends an instruction message to the outlet device, and the outlet device stops the mirroring or light-splitting processing according to the instruction message; or,
the stopping module triggers the monitoring module to stop analyzing and processing the mirror image flow.
In some embodiments, referring to Fig. 7, the network flow monitoring module 61 further includes:
a configuration module 615 for configuring the outlet device so that the configured outlet device discards the network flow on the primary outlet link.
For example, the configuration module can be started after the second notification module notifies the public network DDoS system to perform drainage.
As an example, the configuration module configures a blackhole route on the outlet device, so that all network flow on the primary outlet link is dropped by the outlet device.
In this embodiment, when the network flow is greater than or equal to the warning value it is handled by the public network DDoS system. This solves the case where an enterprise-level DDoS product cannot be used because the network flow exceeds the outlet bandwidth, so that link-type DDoS attacks can still be handled when the network flow is large. When the network flow is less than the warning value it is handled by the Intranet DDoS system, so that the operator's DDoS product does not need to participate in this scenario and the associated security risk is avoided. By handling the network flow with different DDoS products in different situations, the advantages of the enterprise-level DDoS product and the operator's DDoS product can be combined, guaranteeing security as far as possible without limiting the network flow.
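The decision made by the monitoring, notification, stopping and configuration modules above, as an added example in Python. This is not code from the patent; the attack features in the cleaning rule, the sample values and the class names are assumptions chosen to illustrate the text: the warning value is compared first (at or above it the public network DDoS system is always used, since the enterprise product cannot absorb more than the outlet bandwidth), and only below it does a match against the cleaning rule trigger the Intranet DDoS system.

```python
"""Added example: decision logic of the network flow monitoring system.

Not code from the patent. The rule features, sample values and class names
are assumptions used to illustrate the decision described in the text.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    NONE = "keep monitoring"
    INTRANET_DRAIN = "start-drainage message to Intranet DDoS system"
    PUBLIC_DRAIN = "start-drainage message to public network DDoS system"


@dataclass(frozen=True)
class MirrorSample:
    """One-second summary of the mirror image flow of the primary outlet link (constructed)."""
    bits: int               # bits observed in this second
    packets: int            # packets observed in this second
    syn_packets: int        # TCP SYN packets among them
    distinct_sources: int   # distinct source addresses seen


@dataclass(frozen=True)
class CleaningRule:
    """Hypothetical DDoS cleaning rule recording link-type attack features."""
    min_pps: int
    min_syn_ratio: float
    min_distinct_sources: int

    def matches(self, s: MirrorSample) -> bool:
        """True when the sample shows all recorded attack features."""
        if s.packets < self.min_pps:
            return False
        syn_ratio = s.syn_packets / s.packets
        return (syn_ratio >= self.min_syn_ratio
                and s.distinct_sources >= self.min_distinct_sources)


def decide(sample: MirrorSample, warning_bps: int, rule: CleaningRule) -> Action:
    """Second notification module: at or above the warning value the public
    network DDoS system is used regardless of attack features.
    First notification module: below the warning value, only a rule match
    triggers the Intranet DDoS system."""
    if sample.bits >= warning_bps:
        return Action.PUBLIC_DRAIN
    if rule.matches(sample):
        return Action.INTRANET_DRAIN
    return Action.NONE


class MonitoringSystem:
    """Monitoring module 611 plus stopping module 614 and configuration module 615."""

    def __init__(self, warning_bps: int, rule: CleaningRule):
        self.warning_bps = warning_bps
        self.rule = rule
        self.monitoring = True          # whether mirror image flow is being analysed
        self.outlet_blackhole = False   # blackhole route on the primary outlet link
        self.sent_messages = []         # start-drainage messages issued

    def on_sample(self, sample: MirrorSample) -> Action:
        if not self.monitoring:
            return Action.NONE
        action = decide(sample, self.warning_bps, self.rule)
        if action is Action.NONE:
            return action
        self.sent_messages.append(action)
        self.monitoring = False           # stopping module: stop monitoring once notified
        if action is Action.PUBLIC_DRAIN:
            self.outlet_blackhole = True  # configuration module: drop primary-link traffic
        return action

    def restart_monitoring(self) -> None:
        """Called when a DDoS system's cancellation module withdraws drainage."""
        self.monitoring = True
        self.outlet_blackhole = False


# Constructed samples against a 1 Gbit/s outlet (warning value = outlet bandwidth).
WARNING_BPS = 1_000_000_000
RULE = CleaningRule(min_pps=100_000, min_syn_ratio=0.8, min_distinct_sources=10_000)
NORMAL = MirrorSample(bits=50_000_000, packets=10_000, syn_packets=200, distinct_sources=500)
SYN_FLOOD = MirrorSample(bits=300_000_000, packets=400_000, syn_packets=380_000, distinct_sources=50_000)
VOLUMETRIC = MirrorSample(bits=2_000_000_000, packets=1_500_000, syn_packets=10_000, distinct_sources=80_000)
```

Note the ordering: a flood that exceeds the warning value is sent to the public network DDoS system even if it does not match the cleaning rule, because the bandwidth limit, not the attack signature, is what makes the enterprise product unusable there.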
In some embodiments, the first notification module notifying the Intranet DDoS system of the protected network to perform drainage comprises: the network flow monitoring system sends a start-drainage message to the Intranet DDoS system of the protected network.
Referring to Fig. 8, the system further includes an Intranet DDoS system 62, which includes:
a first receiving module 621 for receiving the start-drainage message sent by the network flow monitoring system;
a first drainage configuration module 622 for, after the first receiving module receives the start-drainage message sent by the network flow monitoring system, performing drainage configuration on the outlet device of the protected network, so that the configured outlet device draws the network flow of the primary outlet link to the Intranet DDoS system.
Optionally, the first drainage configuration module performing drainage configuration on the outlet device of the protected network comprises: configuring BGP on the outlet device.
After BGP is configured on the outlet device, the network flow of the primary outlet link can be sent to the Intranet DDoS system, realizing the traction (diversion) of the network flow. BGP is an existing protocol, so the BGP configuration can be completed using existing configuration methods.
A first cleaning module 623 for cleaning the drawn network flow and re-injecting the cleaned network flow to the outlet device, so that the outlet device sends the re-injected network flow to the intranet server.
The first cleaning module can clean the network flow using the cleaning strategy of an existing enterprise-level DDoS product.
After cleaning, the first cleaning module forwards the cleaned network flow to the outlet device, realizing the re-injection of the network flow.
A routing policy can be pre-configured on the outlet device, for example: when the source address of the network flow is the Intranet DDoS system, the destination address is the intranet server. Through this routing policy, referring to Fig. 2, the network flow re-injected by the Intranet DDoS system to the outlet device is sent by the outlet device to the intranet server. Configuring this routing policy avoids the loop problem that repeated drainage would otherwise cause.
A first cancellation module 624 for checking whether a DDoS attack exists and, if there is no DDoS attack within a preset time, cancelling the drainage configuration on the outlet device and notifying the network flow monitoring system to restart monitoring.
The first cancellation module can check for DDoS attacks using existing means.
When no DDoS attack exists within the preset time, the first cancellation module can cancel the BGP configuration on the outlet device.
In addition, as shown in Fig. 3, after notifying the Intranet DDoS system to perform drainage, the network flow monitoring system can stop monitoring the mirror image flow. After the first cancellation module cancels the BGP configuration on the outlet device, it can send an instruction message to the network flow monitoring system instructing it to restart monitoring.
In this embodiment, after the Intranet DDoS system receives the start-drainage message it performs drainage configuration on the outlet device, so that the network flow can be drawn to the Intranet DDoS system and cleaned by it, preventing link-type DDoS attacks.
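The Intranet DDoS system path above (BGP diversion on the outlet device, the source-address routing policy that prevents re-injected traffic from being drained again, and cancellation after a preset quiet time), as an added example in Python. This is not the patent's code: the addresses are documentation ranges, the re-injected traffic is modelled as leaving the scrubbing system with that system's own address as source (an assumed encapsulation, which is what makes the routing policy applicable), and the per-second attack verdict is a constructed label standing in for the cleaning product's own detection.

```python
"""Added example: Intranet DDoS system drainage on the outlet device.

Not the patent's code. Addresses, the tunnel-style re-injection and the
per-second attack verdict are assumptions made to illustrate the text.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

INTRANET_DDOS = ip_address("10.0.0.2")        # assumed address of Intranet DDoS system 62
PROTECTED_PREFIX = ip_network("10.0.1.0/24")  # assumed intranet server prefix


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    is_attack: bool = False   # constructed label standing in for the cleaning verdict


class OutletDevice:
    """Outlet device with a BGP-installed diversion route and the loop-avoiding policy."""

    def __init__(self):
        self.diverted: set = set()   # prefixes currently routed to the Intranet DDoS system

    def configure_bgp(self, prefix: IPv4Network) -> None:
        self.diverted.add(prefix)

    def cancel_bgp(self, prefix: IPv4Network) -> None:
        self.diverted.discard(prefix)

    def next_hop(self, pkt: Packet) -> str:
        # Routing policy: a packet whose source is the Intranet DDoS system is
        # re-injected traffic and goes to the intranet server, never back into drainage.
        if pkt.src == INTRANET_DDOS:
            return "intranet-server"
        if any(pkt.dst in prefix for prefix in self.diverted):
            return "intranet-ddos"
        return "intranet-server"


class IntranetDDoSSystem:
    """Receiving, drainage configuration, cleaning and cancellation modules 621-624."""

    def __init__(self, outlet: OutletDevice, quiet_seconds: int):
        self.outlet = outlet
        self.quiet_seconds = quiet_seconds  # preset time without attack before cancelling
        self.prefix = None
        self.quiet = 0
        self.restart_notified = False

    def on_start_drainage(self, prefix: IPv4Network) -> None:
        self.prefix = prefix
        self.quiet = 0
        self.restart_notified = False
        self.outlet.configure_bgp(prefix)

    def clean(self, drawn: list) -> list:
        """Drop attack packets; re-inject the rest toward the outlet device with
        this system as source address (assumed encapsulation)."""
        return [Packet(src=INTRANET_DDOS, dst=p.dst) for p in drawn if not p.is_attack]

    def tick(self, attack_seen: bool) -> bool:
        """Cancellation module, called once per second. Returns True when the
        drainage has been cancelled and the monitoring system told to restart."""
        if self.prefix is None:
            return False
        self.quiet = 0 if attack_seen else self.quiet + 1
        if self.quiet < self.quiet_seconds:
            return False
        self.outlet.cancel_bgp(self.prefix)
        self.prefix = None
        self.restart_notified = True
        return True


def drain_round(ddos: IntranetDDoSSystem, outlet: OutletDevice, inbound: list) -> list:
    """One pass: inbound packets the outlet diverts are cleaned, and each
    re-injected packet is forwarded again. Returns the next hop of each."""
    drawn = [p for p in inbound if outlet.next_hop(p) == "intranet-ddos"]
    return [outlet.next_hop(p) for p in ddos.clean(drawn)]


# Constructed traffic toward the protected intranet server.
GOOD = Packet(ip_address("203.0.113.5"), ip_address("10.0.1.10"))
BAD = Packet(ip_address("198.51.100.7"), ip_address("10.0.1.10"), is_attack=True)
```

The test worth running here is the loop check: with the BGP route installed, a re-injected packet whose destination is still inside the diverted prefix must be forwarded to the intranet server rather than back to the scrubbing system.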
In some embodiments, the second notification module notifying the public network DDoS system to perform drainage comprises: the network flow monitoring system sends a start-drainage message to the public network DDoS system.
Referring to Fig. 8, the system further includes a public network DDoS system 63, which includes:
a second receiving module 631 for receiving the start-drainage message sent by the network flow monitoring system;
a second drainage configuration module 632 for, after the second receiving module receives the start-drainage message sent by the network flow monitoring system, performing drainage configuration on the public network DNS, so that the configured public network DNS draws the network flow originally destined for the protected network to the public network DDoS system.
The start-drainage message may include the domain name of the protected network and the IP address of the backup link of the outlet device of the protected network.
Correspondingly, the second drainage configuration module performing drainage configuration on the public network DNS comprises:
the public network DDoS system sends a configuration message to the public network DNS containing the domain name of the protected network and a first IP address, so that after the public network DNS receives the configuration message it changes the pre-stored IP address corresponding to the protected domain name to the first IP address, wherein the first IP address is an IP address pre-established as associated with the IP address of the backup link of the outlet device of the protected network.
The public network DNS can store the correspondence between domain names and IP addresses in advance, so that an IP address can be resolved from a domain name and the network flow then transmitted according to that IP address. Since the network flow normally needs to be sent to the protected network and is transmitted through the primary outlet link of the outlet device of the protected network, assume that the domain name of the protected network is A and the IP address of the primary outlet link is IP1; then what the public network DNS originally stores is the correspondence between A and IP1. To drain the network flow to the public network DDoS system, the network flow originally sent to the protected network needs to be transmitted to the public network DDoS system instead, so the IP address corresponding to A in the public network DNS needs to be changed to an IP address of the public network DDoS system.
Since the public network DDoS system can communicate with multiple protected networks such as enterprise networks, it can assign different IP addresses to different protected networks. Therefore, an address pool can be stored in advance in the public network DDoS system, storing the association between different IP addresses. For example, if the IP address of the backup link of the outlet device of the protected network with domain name A is IP2, and the IP address pre-stored in the public network DDoS system as associated with IP2 is IP3, then the first IP address above is IP3, and the public network DDoS system can instruct the public network DNS to change the IP address corresponding to A from IP1 to IP3.
A second cleaning module 633 for cleaning the drawn network flow and re-injecting the cleaned network flow into the protected network through the backup link.
After the public network DNS modifies the IP address, the network flow originally sent to the protected network is sent to the public network DDoS system, realizing the traction of the network flow to the public network DDoS system.
Once the network flow has been drawn to the public network DDoS system, the second cleaning module can clean it using the cleaning method of an existing operator DDoS product.
After cleaning, the cleaned network flow is forwarded to the protected network, realizing the re-injection of the network flow.
When re-injecting the network flow, specifically, the destination address of the network flow can be changed to the IP address of the backup link of the outlet device of the protected network, for example to IP2; then, according to routing principles, the network flow is re-injected into the protected network through the backup link.
A second cancellation module 634 for checking the cleaned network flow and, if the cleaned network flow is below the preset warning value throughout a preset time, cancelling the drainage configuration on the public network DNS and notifying the network flow monitoring system to restart monitoring.
The start-drainage message sent by the network flow monitoring system to the public network DDoS system may also include the preset warning value, so that the second cancellation module can obtain the preset warning value by parsing the start-drainage message.
After obtaining the preset warning value, the second cancellation module compares the cleaned network flow with the preset warning value to obtain a judgment result.
After the cleaned network flow has been below the warning value for the preset time, the second cancellation module sends an instruction message to the public network DNS; on receiving the instruction message, the public network DNS restores the IP address corresponding to the domain name to its previous state, for example restoring the IP address corresponding to A from IP3 to IP1, so that subsequent network flow enters the protected network through the primary outlet link.
In addition, as shown in Fig. 3, after notifying the public network DDoS system to perform drainage, the network flow monitoring system can stop monitoring the mirror image flow. After the second cancellation module cancels the drainage configuration on the public network DNS, it can send an instruction message to the network flow monitoring system instructing it to restart monitoring.
In this embodiment, after the public network DDoS system receives the start-drainage message it performs drainage configuration on the public network DNS, so that the network flow can be drawn to the public network DDoS system and cleaned by it, preventing link-type DDoS attacks.
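The public network DDoS system path above (the address pool mapping the backup-link address IP2 to the scrubbing address IP3, the DNS record for A switched from IP1 to IP3, re-injection by rewriting the destination to IP2, and restoration once the cleaned flow has stayed below the warning value for the preset time), as an added example in Python. This is not the patent's code: IP1, IP2 and IP3 follow the text's example but use documentation addresses, and the message fields, the address-pool contents and the per-second rate check are assumptions.

```python
"""Added example: public network DDoS system linked with the public network DNS.

Not the patent's code. IP1/IP2/IP3 follow the text's example; message fields,
address-pool contents and the per-second rate check are assumptions.
"""
from dataclasses import dataclass

IP1 = "192.0.2.1"      # primary outlet link of protected network A (constructed)
IP2 = "192.0.2.2"      # backup link of its outlet device (constructed)
IP3 = "198.51.100.3"   # scrubbing address associated with IP2 in the address pool (constructed)


class PublicDNS:
    """Authoritative A records plus a saved copy of the pre-drainage answer."""

    def __init__(self, records: dict):
        self.records = dict(records)
        self.saved = {}

    def resolve(self, name: str) -> str:
        return self.records[name]

    def on_configuration(self, name: str, first_ip: str) -> None:
        # Keep the original answer so the cancellation instruction can restore it.
        self.saved.setdefault(name, self.records[name])
        self.records[name] = first_ip

    def on_restore(self, name: str) -> None:
        self.records[name] = self.saved.pop(name)


@dataclass
class DrainSession:
    domain: str
    backup_ip: str
    warning_bps: int
    quiet: int = 0   # consecutive seconds with cleaned flow below the warning value


class PublicDDoSSystem:
    """Modules 631-634: receive, configure DNS, clean/re-inject, cancel."""

    def __init__(self, dns: PublicDNS, address_pool: dict, quiet_seconds: int):
        self.dns = dns
        self.address_pool = dict(address_pool)   # backup-link IP -> first IP address
        self.quiet_seconds = quiet_seconds       # preset time before cancelling
        self.sessions = {}
        self.restart_notified = []               # domains whose monitor was told to restart

    def on_start_drainage(self, msg: dict) -> str:
        """Look up the first IP address in the pool, reconfigure the DNS,
        and return the address that was sent in the configuration message."""
        first_ip = self.address_pool[msg["backup_link_ip"]]
        self.dns.on_configuration(msg["domain"], first_ip)
        self.sessions[msg["domain"]] = DrainSession(
            msg["domain"], msg["backup_link_ip"], msg["warning_bps"])
        return first_ip

    def reinject(self, domain: str, cleaned: list) -> list:
        """Rewrite the destination to the backup link so routing returns the flow over it."""
        backup = self.sessions[domain].backup_ip
        return [dict(p, dst=backup) for p in cleaned]

    def on_cleaned_rate(self, domain: str, bps: int) -> bool:
        """Cancellation module, called once per second with the cleaned flow rate.
        Returns True when the DNS has been restored and the monitor notified."""
        s = self.sessions[domain]
        s.quiet = s.quiet + 1 if bps < s.warning_bps else 0
        if s.quiet < self.quiet_seconds:
            return False
        self.dns.on_restore(domain)
        del self.sessions[domain]
        self.restart_notified.append(domain)
        return True
```

The quiet counter resets whenever a second at or above the warning value is seen, so a brief lull during an ongoing attack does not flip the DNS record back to IP1 prematurely.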
It should be noted that in the description of the present invention the terms "first", "second", etc. are used for descriptive purposes only and cannot be interpreted as indicating or implying relative importance. In addition, in the description of the present invention, unless otherwise indicated, "multiple" means at least two.
Any process or method description in a flow chart or otherwise described herein may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present invention includes other implementations in which functions may be executed out of the order shown or discussed, including substantially concurrently or in the reverse order depending on the functionality involved, as would be understood by those skilled in the art to which the embodiments of the present invention belong.
It should be understood that each part of the present invention can be realized with hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods can be realized with software or firmware stored in memory and executed by a suitable instruction execution system. For example, if realized with hardware, as in another embodiment, they can be realized with any one of the following technologies known in the art or a combination thereof: a discrete logic circuit having logic gate circuits for realizing logic functions on data signals, an application-specific integrated circuit having suitable combinational logic gate circuits, a programmable gate array (PGA), a field-programmable gate array (FPGA), etc.
Those skilled in the art can understand that all or part of the steps carried by the method of the above embodiments can be completed by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium and, when executed, includes one of or a combination of the steps of the method embodiments.
In addition, each functional unit in each embodiment of the present invention can be integrated in one processing module, or each unit can exist physically alone, or two or more units can be integrated in one module. The above integrated module can be realized in the form of hardware or in the form of a software functional module. If the integrated module is realized in the form of a software functional module and sold or used as an independent product, it can also be stored in a computer-readable storage medium.
The storage medium mentioned above can be a read-only memory, a magnetic disk, an optical disc, etc.
In the description of this specification, a description with reference to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" etc. means that a specific feature, structure, material or characteristic described in conjunction with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic expressions of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described can be combined in any suitable manner in any one or more embodiments or examples.
Although the embodiments of the present invention have been shown and described above, it is to be understood that the above embodiments are exemplary and are not to be considered as limiting the invention; those skilled in the art can change, modify, replace and vary the above embodiments within the scope of the invention.
Claims (12)
1. A method for preventing link-type DDoS attacks, characterized by comprising:
a network flow monitoring system monitors the network flow entering a protected network through the primary outlet link of the protected network, the protected network including a primary outlet link and a backup link, wherein the backup link is used to introduce the network flow re-injected by a public network DDoS system and the primary outlet link is used to introduce the network flow generated by regular traffic or by a DDoS attack;
when the network flow is less than a preset warning value, the network flow monitoring system notifies the Intranet DDoS system of the protected network to perform drainage;
when the network flow is greater than or equal to the preset warning value, the network flow monitoring system notifies the public network DDoS system to perform drainage, so that the public network DDoS system, in linkage with the public network DNS, draws the network flow to the public network DDoS system for cleaning and re-injects the cleaned network flow into the protected network through the backup link.
2. The method according to claim 1, characterized in that, after the network flow monitoring system determines that the network flow is less than the preset warning value and before notifying the Intranet DDoS system of the protected network to perform drainage, the method further includes: determining that the DDoS attack standard is reached.
3. The method according to claim 2, characterized in that determining that the DDoS attack standard is reached comprises:
according to a DDoS cleaning rule pre-configured in the network flow monitoring system, analyzing whether the network flow matches the DDoS attack features recorded in the DDoS cleaning rule;
if so, determining that the DDoS attack standard is reached.
4. The method according to claim 1, characterized in that the network flow monitoring system monitoring the network flow entering the protected network through the primary outlet link of the protected network comprises:
the network flow monitoring system receives the mirror image flow generated by the outlet device of the protected network and monitors the mirror image flow to obtain the network flow entering the protected network, wherein the mirror image flow is obtained after the outlet device performs mirroring or light-splitting processing on the network flow of the primary outlet link.
5. The method according to claim 4, characterized in that, after notifying the Intranet DDoS system of the protected network to perform drainage, the method further includes:
the network flow monitoring system stops monitoring the mirror image flow.
6. The method according to claim 4, characterized in that, after notifying the public network DDoS system to perform drainage, the method further includes:
the network flow monitoring system stops monitoring the mirror image flow; and
the network flow monitoring system configures the outlet device so that the configured outlet device discards the network flow on the primary outlet link.
7. The method according to claim 5 or 6, characterized in that the network flow monitoring system stopping monitoring the mirror image flow comprises:
the network flow monitoring system sends an instruction message to the outlet device, and the outlet device stops the mirroring or light-splitting processing according to the instruction message; or,
the network flow monitoring system stops analyzing and processing the mirror image flow.
8. The method according to any one of claims 1 to 6, characterized in that notifying the Intranet DDoS system of the protected network to perform drainage comprises:
the network flow monitoring system sends a start-drainage message to the Intranet DDoS system of the protected network;
the method further includes:
the Intranet DDoS system receives the start-drainage message sent by the network flow monitoring system;
after receiving the start-drainage message sent by the network flow monitoring system, the Intranet DDoS system performs drainage configuration on the outlet device of the protected network, so that the configured outlet device draws the network flow of the primary outlet link to the Intranet DDoS system;
the Intranet DDoS system cleans the drawn network flow and re-injects the cleaned network flow to the outlet device, so that the outlet device sends the re-injected network flow to the intranet server;
the Intranet DDoS system checks whether a DDoS attack exists and, if there is no DDoS attack within a preset time, cancels the drainage configuration on the outlet device and notifies the network flow monitoring system to restart monitoring.
9. The method according to claim 8, characterized in that performing drainage configuration on the outlet device of the protected network comprises:
configuring BGP on the outlet device.
10. The method according to any one of claims 1 to 6, characterized in that notifying the public network DDoS system to perform drainage comprises:
the network flow monitoring system sends a start-drainage message to the public network DDoS system;
the method further includes:
the public network DDoS system receives the start-drainage message sent by the network flow monitoring system;
after receiving the start-drainage message sent by the network flow monitoring system, the public network DDoS system performs drainage configuration on the public network DNS, so that the configured public network DNS draws the network flow originally destined for the protected network to the public network DDoS system;
the public network DDoS system cleans the drawn network flow and re-injects the cleaned network flow into the protected network through the backup link;
the public network DDoS system checks the cleaned network flow and, if the cleaned network flow is below the preset warning value throughout a preset time, cancels the drainage configuration on the public network DNS and notifies the network flow monitoring system to restart monitoring.
11. The method according to claim 10, characterized in that the start-drainage message includes the domain name of the protected network and the IP address of the backup link of the outlet device of the protected network, and performing drainage configuration on the public network DNS comprises:
the public network DDoS system sends a configuration message to the public network DNS containing the domain name of the protected network and a first IP address, so that after receiving the configuration message the public network DNS changes the pre-stored IP address corresponding to the protected domain name to the first IP address, wherein the first IP address is an IP address pre-established as associated with the IP address of the backup link of the outlet device of the protected network.
12. The method according to claim 11, characterized in that an address pool is stored in advance in the public network DDoS system, the address pool storing the association between different IP addresses.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811188693.6A CN109246128B (en) | 2015-08-07 | 2015-08-07 | Prevent the method and system of link type ddos attack |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510478261.9A CN105049441B (en) | 2015-08-07 | 2015-08-07 | Prevent the method and system of link type ddos attack |
CN201811188693.6A CN109246128B (en) | 2015-08-07 | 2015-08-07 | Prevent the method and system of link type ddos attack |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510478261.9A Division CN105049441B (en) | 2015-08-07 | 2015-08-07 | Prevent the method and system of link type ddos attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109246128A true CN109246128A (en) | 2019-01-18 |
CN109246128B CN109246128B (en) | 2019-09-17 |
Family
ID=54455652
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811188693.6A Active CN109246128B (en) | 2015-08-07 | 2015-08-07 | Prevent the method and system of link type ddos attack |
CN201510478261.9A Active CN105049441B (en) | 2015-08-07 | 2015-08-07 | Prevent the method and system of link type ddos attack |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510478261.9A Active CN105049441B (en) | 2015-08-07 | 2015-08-07 | Prevent the method and system of link type ddos attack |
Country Status (1)
Country | Link |
---|---|
CN (2) | CN109246128B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107332810A (en) * | 2016-04-29 | 2017-11-07 | 阿里巴巴集团控股有限公司 | Attack defense method and device, system |
CN107623663B (en) * | 2016-07-15 | 2020-12-15 | 阿里巴巴集团控股有限公司 | Method and device for processing network flow |
CN105959334B (en) * | 2016-07-20 | 2019-09-24 | 上海携程商务有限公司 | The automatic defense and method of ddos attack |
CN107347067B (en) * | 2017-07-07 | 2021-06-04 | 深信服科技股份有限公司 | Network risk monitoring method and system and security network system |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101924764A (en) * | 2010-08-09 | 2010-12-22 | 中国电信股份有限公司 | Large-scale DDoS (Distributed Denial of Service) attack defense system and method based on two-level linkage mechanism |
US20110035801A1 (en) * | 2008-05-23 | 2011-02-10 | Hongxing Li | Method, network device, and network system for defending distributed denial of service attack |
CN103209192A (en) * | 2013-05-10 | 2013-07-17 | 张昱 | Domain status cleaning system for DDoS (distributed denial of service) attack and detection method |
US8510826B1 (en) * | 2005-12-06 | 2013-08-13 | Sprint Communications Company L.P. | Carrier-independent on-demand distributed denial of service (DDoS) mitigation |
US20150215331A1 (en) * | 2012-02-27 | 2015-07-30 | Amazon Technologies, Inc. | Detecting network attacks |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108063765B (en) * | 2014-12-17 | 2021-07-16 | 南昌理工学院 | SDN system suitable for solving network security |
Non-Patent Citations (2)
Title |
---|
华山: "基于Anycast架构DNS进行流量清洗部署方案的演进分析" (Evolution analysis of traffic-scrubbing deployment schemes based on Anycast-architecture DNS), 《电信技术》 (Telecommunications Technology) * |
郭庆: "云清洗三打DDOS" (Cloud scrubbing: three strikes against DDoS), 《网络世界》 (Network World) * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111885606A (en) * | 2020-07-20 | 2020-11-03 | 中国联合网络通信集团有限公司 | Park communication network fusion control method, device and system |
CN111885606B (en) * | 2020-07-20 | 2023-04-07 | 中国联合网络通信集团有限公司 | Park communication network fusion control method, device and system |
CN113852609A (en) * | 2021-09-03 | 2021-12-28 | 深圳市托奇科技有限公司 | DDoS attack defense method and system based on multi-link end cloud linkage mode |
Also Published As
Publication number | Publication date |
---|---|
CN105049441B (en) | 2019-01-01 |
CN109246128B (en) | 2019-09-17 |
CN105049441A (en) | 2015-11-11 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||