CN111314285B - Method and device for detecting route prefix attack - Google Patents


Info

Publication number
CN111314285B
Authority
CN
China
Prior art keywords
autonomous domain
source
prefix
monitored
source autonomous
Prior art date
Legal status
Active
Application number
CN201911312280.9A
Other languages
Chinese (zh)
Other versions
CN111314285A (en)
Inventor
黄小红
张沛
马严
李赫扬
赵仕祺
曾曼
Current Assignee
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Priority date
Filing date
Publication date
Application filed by Beijing University of Posts and Telecommunications
Priority to CN201911312280.9A
Publication of CN111314285A
Application granted
Publication of CN111314285B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/02 Topology update or discovery
    • H04L45/04 Interdomain routing, e.g. hierarchical routing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the application provides a method and a device for detecting a route prefix attack. The method comprises the following steps: receiving a route update message sent by an inter-domain route monitoring point; acquiring the IP address prefix to be monitored and the source autonomous domain to be monitored that are carried in the route update message; when a target IP address prefix exists in a preset knowledge base, acquiring from the preset knowledge base the source autonomous domains that have a mapping relation with the target IP address prefix, to obtain a source autonomous domain data set; when the source autonomous domain to be monitored is recorded in the source autonomous domain data set, determining that no route prefix attack has occurred; and when the source autonomous domain to be monitored is not recorded in the source autonomous domain data set, determining that a route prefix attack has occurred. Because the preset knowledge base stores the mapping relations between source autonomous domains and their IP address prefixes as recorded in several databases that have not been affected by route prefix attacks, judging whether a route prefix attack exists against the preset knowledge base improves the accuracy of route prefix attack detection.

Description

Method and device for detecting route prefix attack
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for detecting a route prefix attack.
Background
The Border Gateway Protocol (BGP) is a routing protocol between autonomous domains (AS) that runs over the Transmission Control Protocol; an autonomous domain may also be referred to as an autonomous system. As the standard inter-domain routing protocol of the Internet, BGP allows an autonomous domain to announce routing information to other autonomous domains.
Since the Border Gateway Protocol has no authorization or identity authentication mechanism, the routing information an autonomous domain receives from an adjacent autonomous domain cannot be authenticated, so IP (Internet Protocol) address prefixes are easy to hijack, that is, vulnerable to route prefix attacks. Specifically, when the routing information an autonomous domain receives from an adjacent autonomous domain is wrong, the messages sent by that autonomous domain are forwarded along a wrong path, so the information they carry is likely to be leaked and the security of network communication cannot be ensured.
Therefore, it is desirable to provide a routing prefix attack detection scheme, so as to be able to accurately detect a routing prefix attack and further ensure the security of network communication.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method and an apparatus for detecting a routing prefix attack, so that the routing prefix attack can be detected through a trusted mapping relationship between a source autonomous domain and an IP address prefix in a preset knowledge base, thereby improving accuracy of detecting the routing prefix attack. The specific technical scheme is as follows:
In a first aspect, a method for detecting a route prefix attack is provided, where the method includes:
receiving a route update message sent by an inter-domain route monitoring point;
acquiring the Internet Protocol (IP) address prefix carried in the route update message as the IP address prefix to be monitored, and the source autonomous domain of that IP address prefix as the source autonomous domain to be monitored;
when a target IP address prefix exists in a preset knowledge base, acquiring from the preset knowledge base the source autonomous domains that have a mapping relation with the target IP address prefix, to obtain a source autonomous domain data set, where the target IP address prefix is the IP address prefix to be monitored or a parent prefix of it, and where the preset knowledge base stores the mapping relations between source autonomous domains and their IP address prefixes as recorded in the routing information database, the Internet number resource information base, the Resource Public Key Infrastructure (RPKI) authentication base and the geographic location database;
when the source autonomous domain to be monitored is recorded in the source autonomous domain data set, determining that no route prefix attack has occurred; and
when the source autonomous domain to be monitored is not recorded in the source autonomous domain data set, determining that a route prefix attack has occurred.
Optionally, after acquiring the IP address prefix carried in the route update message as the IP address prefix to be monitored and the source autonomous domain of the IP address prefix as the source autonomous domain to be monitored, the method further includes:
when neither the IP address prefix to be monitored nor any parent prefix of it exists in the preset knowledge base, determining that a route prefix attack has occurred.
Optionally, determining that a route prefix attack has occurred when the source autonomous domain to be monitored is not recorded in the source autonomous domain data set includes:
when the source autonomous domain to be monitored is not recorded in the source autonomous domain data set, judging whether the organization to which the source autonomous domain to be monitored belongs is the same as the organization to which the source autonomous domains in the data set belong; and
when the organization to which the source autonomous domain to be monitored belongs differs from the organization to which the source autonomous domains in the data set belong, determining that a route prefix attack has occurred.
Optionally, after determining that a route prefix attack has occurred because the source autonomous domain to be monitored is not recorded in the source autonomous domain data set, the method further includes:
determining the attack source of the route prefix attack to be the source autonomous domain to be monitored.
Optionally, before acquiring from the preset knowledge base the source autonomous domains that have a mapping relation with the target IP address prefix to obtain the source autonomous domain data set, the method further includes:
extracting the source autonomous domains recorded in the routing information database and their recorded IP address prefixes, to obtain a first mapping relation;
extracting the source autonomous domains recorded in the Internet number resource information base, their recorded IP address prefixes and the recorded organizations to which they belong, to obtain a second mapping relation;
extracting a third mapping relation between the source autonomous domains recorded in the Resource Public Key Infrastructure (RPKI) authentication base and their recorded IP address prefixes;
extracting the source autonomous domains recorded in the geographic location database and their recorded IP address prefixes, to obtain a fourth mapping relation; and
generating a preset knowledge base that records the first, second, third and fourth mapping relations.
In a second aspect, a device for detecting a route prefix attack is provided, the device including:
a receiving module, configured to receive a route update message sent by an inter-domain route monitoring point;
a first acquisition module, configured to acquire the Internet Protocol (IP) address prefix carried in the route update message as the IP address prefix to be monitored, and the source autonomous domain of that IP address prefix as the source autonomous domain to be monitored;
a second acquisition module, configured to acquire from the preset knowledge base, when a target IP address prefix exists in the preset knowledge base, the source autonomous domains that have a mapping relation with the target IP address prefix, to obtain a source autonomous domain data set, where the target IP address prefix is the IP address prefix to be monitored or a parent prefix of it, and where the preset knowledge base stores the mapping relations between source autonomous domains and their IP address prefixes as recorded in the routing information database, the Internet number resource information base, the Resource Public Key Infrastructure (RPKI) authentication base and the geographic location database;
a first determining module, configured to determine that no route prefix attack has occurred when the source autonomous domain to be monitored is recorded in the source autonomous domain data set; and
a second determining module, configured to determine that a route prefix attack has occurred when the source autonomous domain to be monitored is not recorded in the source autonomous domain data set.
Optionally, the device for detecting a route prefix attack further includes:
a third determining module, configured to determine that a route prefix attack has occurred when, after the IP address prefix carried in the route update message has been acquired as the IP address prefix to be monitored and its source autonomous domain as the source autonomous domain to be monitored, neither the IP address prefix to be monitored nor any parent prefix of it exists in the preset knowledge base.
Optionally, the second determining module includes:
a judging unit, configured to judge, when the source autonomous domain to be monitored is not recorded in the source autonomous domain data set, whether the organization to which the source autonomous domain to be monitored belongs is the same as the organization to which the source autonomous domains in the data set belong; and
a determining unit, configured to determine that a route prefix attack has occurred when the organization to which the source autonomous domain to be monitored belongs differs from the organization to which the source autonomous domains in the data set belong.
Optionally, the device for detecting a route prefix attack further includes:
a fourth determining module, configured to determine, after a route prefix attack has been determined to have occurred because the source autonomous domain to be monitored is not recorded in the source autonomous domain data set, that the attack source of the route prefix attack is the source autonomous domain to be monitored.
Optionally, the device for detecting a route prefix attack further includes:
a first extraction module, configured to extract, before the source autonomous domains that have a mapping relation with the target IP address prefix are acquired from the preset knowledge base to obtain the source autonomous domain data set, the source autonomous domains recorded in the routing information database and their recorded IP address prefixes, to obtain a first mapping relation;
a second extraction module, configured to extract the source autonomous domains recorded in the Internet number resource information base, their recorded IP address prefixes and the recorded organizations to which they belong, to obtain a second mapping relation;
a third extraction module, configured to extract a third mapping relation between the source autonomous domains recorded in the Resource Public Key Infrastructure (RPKI) authentication base and their recorded IP address prefixes;
a fourth extraction module, configured to extract the source autonomous domains recorded in the geographic location database and their recorded IP address prefixes, to obtain a fourth mapping relation; and
a generation module, configured to generate a preset knowledge base that records the first, second, third and fourth mapping relations.
In a third aspect, an electronic device is provided, which includes a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with each other through the communication bus;
the memory is configured to store a computer program; and
the processor is configured to implement the method steps of any one of the first aspect when executing the program stored in the memory.
In a fourth aspect, a computer-readable storage medium is provided, having stored therein a computer program which, when executed by a processor, carries out the method steps of any one of the first aspect.
In a fifth aspect, a computer program product comprising instructions is provided which, when run on a computer, causes the computer to perform the method steps of any one of the first aspect.
In this embodiment of the present application, the server may receive a route update message sent by an inter-domain route monitoring point, then acquire the IP address prefix carried in the route update message as the IP address prefix to be monitored and the originating autonomous domain of that prefix as the source autonomous domain to be monitored. When a target IP address prefix exists in the preset knowledge base, the source autonomous domains that have a mapping relation with the target IP address prefix are acquired from the preset knowledge base to obtain a source autonomous domain data set, where the target IP address prefix is the IP address prefix to be monitored or a parent prefix of it, and where the preset knowledge base stores the mapping relations between source autonomous domains and their IP address prefixes as recorded in the routing information database, the Internet number resource information base, the Resource Public Key Infrastructure (RPKI) authentication base and the geographic location database. When the source autonomous domain to be monitored is recorded in the source autonomous domain data set, it is determined that no route prefix attack has occurred; when it is not recorded there, it is determined that a route prefix attack has occurred.
Because the preset knowledge base stores the mapping relations between source autonomous domains and their IP address prefixes as recorded in the routing information database, the Internet number resource information base, the Resource Public Key Infrastructure (RPKI) authentication base and the geographic location database, all of which are data not affected by route prefix attacks, judging whether a route prefix attack exists against the preset knowledge base analyses the routing information database dimension, the Internet number resource information base dimension, the RPKI dimension and the geographic location database dimension together, which improves the accuracy of route prefix attack detection.
Of course, not all advantages described above need to be achieved at the same time in the practice of any one product or method of the present application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a method for detecting a route prefix attack according to an embodiment of the present application;
fig. 2 is a flowchart of another method for detecting a route prefix attack according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a routing prefix attack detection apparatus according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
A detailed description will be given below of a method for detecting a route prefix attack provided in the embodiment of the present application with reference to a specific implementation manner, as shown in fig. 1, the specific steps are as follows:
step 101, receiving a route update message sent by an inter-domain route monitoring point.
A simulated router can be set up in the server as the inter-domain route monitoring point. The monitoring point establishes a connection with an actual router and receives the route update messages the actual router sends; in other words, the server receives the route update messages through the inter-domain route monitoring point.
The route update messages sent by the actual router are the BGP (Border Gateway Protocol) update messages that the actual router receives from the network. A BGP update message carries an IP (Internet Protocol) address prefix and an AS (Autonomous System) path, where the AS path records the identifier of the source autonomous domain that transmits the BGP update message.
The inter-domain route monitoring point receives the route update messages sent by the actual router, which in turn receives the route update messages of its own autonomous domain and of the autonomous domains that have established BGP sessions with it. Monitoring of the actual router is thereby realized.
Because the inter-domain route monitoring point is a node inside the autonomous system, connecting to the actual routers and obtaining their route update messages directly removes the wait for updates to propagate between routers and between autonomous systems, so updates are obtained in a short time. It also reduces dependence on nodes outside the autonomous system, such as autonomous domain monitoring points that hold BGP sessions with it, which makes a server performing route prefix attack detection for the monitored autonomous domain easier to deploy and extend.
Step 102, obtaining the internet protocol IP address prefix carried in the route updating message as the IP address prefix to be monitored, and the source autonomous domain of the IP address prefix as the source autonomous domain to be monitored.
For example, the IP address prefix carried in the route update message is 0.0.0.0/16, which is taken as the IP address prefix to be monitored, and the source autonomous domain carried in the route update message is AS0, which is taken as the source autonomous domain to be monitored.
The source autonomous domain of the IP address prefix carried in the route update message may specifically refer to identification information of the source autonomous domain.
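Step 102 is the extraction of the two fields that everything downstream depends on: the NLRI prefix and the origin AS, which is the last AS of the AS_PATH. The block below is an added example (not the patent's code) of that extraction on the BGP UPDATE wire format, done with the standard library only. It assumes 4-octet AS numbers in AS_PATH and IPv4 NLRI; the sample message is constructed in memory from documentation prefixes and ASNs. A path that ends in an AS_SET (an aggregated route) yields no single origin, and the parser reports None rather than guessing, so a monitoring point does not mis-attribute such an announcement.

```python
"""Parse a BGP UPDATE and extract its IPv4 prefixes and origin AS.

Added example, not from the patent. Assumes 4-octet ASNs in AS_PATH and
IPv4 NLRI; the sample UPDATE is constructed below from documentation ranges.
"""
import ipaddress
import struct

BGP_UPDATE = 2
ATTR_AS_PATH = 2
AS_SET, AS_SEQUENCE = 1, 2


def build_update(prefixes, as_path, next_hop):
    """Constructed sample: assemble a BGP UPDATE carrying the given IPv4
    prefixes and an AS_PATH with one AS_SEQUENCE segment of 4-octet ASNs."""
    origin = bytes([0x40, 1, 1, 0])  # ORIGIN attribute, value IGP
    seg = struct.pack("!BB", AS_SEQUENCE, len(as_path))
    seg += b"".join(struct.pack("!I", asn) for asn in as_path)
    as_path_attr = bytes([0x40, ATTR_AS_PATH, len(seg)]) + seg
    nh = bytes([0x40, 3, 4]) + ipaddress.IPv4Address(next_hop).packed
    attrs = origin + as_path_attr + nh
    nlri = b""
    for p in prefixes:
        net = ipaddress.IPv4Network(p)
        nbytes = (net.prefixlen + 7) // 8  # NLRI carries only the needed octets
        nlri += bytes([net.prefixlen]) + net.network_address.packed[:nbytes]
    body = struct.pack("!HH", 0, len(attrs)) + attrs + nlri  # no withdrawn routes
    header = b"\xff" * 16 + struct.pack("!HB", 19 + len(body), BGP_UPDATE)
    return header + body


def _origin_from_as_path(value):
    """Walk the AS_PATH segments; the origin is the last ASN of a final
    AS_SEQUENCE. A trailing AS_SET makes the origin ambiguous -> None."""
    segments, k = [], 0
    while k < len(value):
        seg_type, count = value[k], value[k + 1]
        k += 2
        asns = list(struct.unpack("!%dI" % count, value[k:k + 4 * count]))
        k += 4 * count
        segments.append((seg_type, asns))
    if not segments or segments[-1][0] != AS_SEQUENCE or not segments[-1][1]:
        return None
    return segments[-1][1][-1]


def parse_update(msg):
    """Return (list of prefix strings, origin_as) for one BGP UPDATE."""
    if len(msg) < 19 or msg[:16] != b"\xff" * 16:
        raise ValueError("bad BGP marker")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg_type != BGP_UPDATE or length != len(msg):
        raise ValueError("not a well-formed UPDATE")
    pos = 19
    (wd_len,) = struct.unpack("!H", msg[pos:pos + 2])
    pos += 2 + wd_len  # skip withdrawn routes
    (attr_len,) = struct.unpack("!H", msg[pos:pos + 2])
    pos += 2
    attrs, nlri = msg[pos:pos + attr_len], msg[pos + attr_len:]

    origin_as, i = None, 0
    while i < len(attrs):
        flags, code = attrs[i], attrs[i + 1]
        if flags & 0x10:  # extended-length bit: 2-byte length field
            (alen,) = struct.unpack("!H", attrs[i + 2:i + 4])
            i += 4
        else:
            alen = attrs[i + 2]
            i += 3
        value = attrs[i:i + alen]
        i += alen
        if code == ATTR_AS_PATH:
            origin_as = _origin_from_as_path(value)

    prefixes, j = [], 0
    while j < len(nlri):
        plen = nlri[j]
        nbytes = (plen + 7) // 8
        raw = nlri[j + 1:j + 1 + nbytes].ljust(4, b"\x00")
        net = ipaddress.IPv4Network((int.from_bytes(raw, "big"), plen), strict=False)
        prefixes.append(str(net))
        j += 1 + nbytes
    return prefixes, origin_as


# Constructed sample: a monitoring point sees two documentation prefixes
# originated by AS 64496 and relayed through AS 64500.
SAMPLE_UPDATE = build_update(["203.0.113.0/24", "198.51.100.0/25"],
                             [64500, 64496], "192.0.2.1")

if __name__ == "__main__":
    print(parse_update(SAMPLE_UPDATE))  # (['203.0.113.0/24', '198.51.100.0/25'], 64496)
```

The extracted pair (prefix, origin AS) is exactly the (IP address prefix to be monitored, source autonomous domain to be monitored) input that step 103 looks up in the knowledge base.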
Step 103, when a target IP address prefix exists in a preset knowledge base, acquiring from the preset knowledge base the source autonomous domains that have a mapping relation with the target IP address prefix, to obtain a source autonomous domain data set; the target IP address prefix is the IP address prefix to be monitored or a parent prefix of it; the preset knowledge base stores the mapping relations between source autonomous domains and their IP address prefixes as recorded in the routing information database, the Internet number resource information base, the Resource Public Key Infrastructure (RPKI) authentication base and the geographic location database.
It can be understood that, before the source autonomous domains that have a mapping relation with the target IP address prefix are acquired from the preset knowledge base to obtain the source autonomous domain data set, the method further includes:
extracting the source autonomous domains recorded in the routing information database and their recorded IP address prefixes, to obtain a first mapping relation;
extracting the source autonomous domains recorded in the Internet number resource information base, their recorded IP address prefixes and the recorded organizations to which they belong, to obtain a second mapping relation;
extracting a third mapping relation between the source autonomous domains recorded in the Resource Public Key Infrastructure (RPKI) authentication base and their recorded IP address prefixes;
extracting the source autonomous domains recorded in the geographic location database and their recorded IP address prefixes, to obtain a fourth mapping relation; and
generating a preset knowledge base that records the first, second, third and fourth mapping relations.
In the embodiment of the present application, the preset knowledge base stores the mapping relations between source autonomous domains and their IP address prefixes as recorded in the routing information database, the Internet number resource information base, the Resource Public Key Infrastructure (RPKI) authentication base and the geographic location database. That is, a comprehensive knowledge base is obtained that records the mapping relation between a source autonomous domain and its IP prefixes, and that mapping relation is trusted. This avoids misjudging compliant operations as route prefix attacks because the databases are not correlated and their data is not shared, and so improves the accuracy of route prefix attack detection.
Specifically, the routing information database records routing update information obtained from the autonomous domain monitoring point within a preset historical time period, where the routing update information carries an originating autonomous domain and an IP address prefix having a mapping relationship with the originating autonomous domain.
The server can analyze and learn the routing information database, extract the source autonomous domain and the IP address prefix carried by a certain routing update message from the routing information database, and then combine all the extraction records to obtain a first mapping relation between the source autonomous domain and the IP address prefix of the source autonomous domain based on the dimension of the routing information database. The autonomous domain monitoring point can establish a BGP session with the autonomous domain to be monitored, which is not attacked by the routing prefix, and receive a routing update message sent by the autonomous domain to be monitored. Therefore, the routing information database can obtain the routing update message which is not attacked by the routing prefix from the autonomous domain monitoring point, and the server can further obtain the first mapping relation between the source autonomous domain and the IP address prefix of the source autonomous domain, which is not attacked by the routing prefix, from the routing information database.
The Internet number resource information base stores: autonomous domains, the IP address prefixes mapped to each autonomous domain, the organization to which each autonomous domain belongs together with that organization's contacts, telephone numbers, mailboxes and the like, and the allocation unit to which each IP address prefix belongs together with that unit's management contacts, telephone numbers, mailboxes and the like.
The server can extract the source autonomous domains and IP address prefixes recorded in the Internet number resource information base to form a second mapping relation, based on that information base, between source autonomous domains and their IP address prefixes. The server may also extract the autonomous domains, IP address prefixes, organization, contact and mailbox information of each autonomous domain, and the allocation unit, management contact, contact and mailbox information of each IP address prefix recorded in the Internet number resource information base, to form a second mapping relation that also links the IP address prefixes of an autonomous domain with the organization and contact information to which the autonomous domain belongs.
The RPKI (Resource Public Key Infrastructure) constructs an IP address Resource authorization and authentication system from the perspective of IP address Resource management, and the IP address Resource authorization and authentication system can be used to verify whether a specific IP address prefix carried in a route update message and a source autonomous domain of the IP address prefix are legal or not. And the mapping relation between the IP address prefixes of the source autonomous domain and the autonomous domain authenticated by the RPKI can be recorded through the RPKI authentication library.
The server can establish connection with the RPKI, and obtain a mapping relation between a source autonomous domain recorded in the RPKI authentication library and an IP address prefix of the source autonomous domain, so as to obtain a third mapping relation.
A geographic location database of the related art, such as IPIP, records the geographic location information of IP addresses.
The server can collect the IP address prefixes announced by the autonomous domain that have not been affected by route prefix attacks into an IP address prefix set, then extract from the geographic location database the geographic location information of each prefix in the set, namely the longitude and latitude of the location corresponding to the prefix, to obtain a longitude-and-latitude set. The server then clusters the points in that set with a density-based clustering method and takes the longitude and latitude interval of the most populated cluster as the geographic location information of the autonomous domain. This yields the fourth mapping relation, based on the geographic location database dimension, which records the source autonomous domain and its IP address prefixes together with the geographic location information of both.
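The clustering step above is what turns per-prefix coordinates into a location for the whole autonomous domain, and the reason for a density-based method rather than a plain average is visible in the sample data: a single mis-geolocated prefix, or a lookup that failed and returned 0,0, must not drag the interval away from where the AS actually operates. The block below is an added example (not the patent's code) that implements a compact DBSCAN over (latitude, longitude) points, picks the most populated cluster and returns its latitude/longitude interval. The prefixes and coordinates are constructed, and eps and min_pts are assumed tuning values; the patent does not name the clustering parameters or algorithm variant.

```python
"""Derive an autonomous domain's geographic location from the geolocations of
the prefixes it originates (the fourth mapping relation).

Added example, not from the patent. Plain DBSCAN on (lat, lon) points; the
sample prefixes/coordinates are constructed and eps/min_pts are assumed values.
"""
import math

NOISE = -1


def dbscan(points, eps, min_pts):
    """O(n^2) DBSCAN returning one cluster label per point (NOISE = -1).
    Distance is Euclidean in degrees, which is adequate for grouping points
    that lie within the same metropolitan region."""
    n = len(points)
    labels = [None] * n  # None = not yet visited

    def neighbours(i):
        return [j for j in range(n) if math.dist(points[i], points[j]) <= eps]

    cluster = 0
    for i in range(n):
        if labels[i] is not None:
            continue
        nb = neighbours(i)
        if len(nb) < min_pts:
            labels[i] = NOISE  # may later become a border point of a cluster
            continue
        labels[i] = cluster
        queue = [j for j in nb if j != i]
        while queue:
            j = queue.pop()
            if labels[j] == NOISE:
                labels[j] = cluster  # border point: joins, does not expand
            if labels[j] is not None:
                continue
            labels[j] = cluster
            nb_j = neighbours(j)
            if len(nb_j) >= min_pts:  # core point: keep expanding
                queue.extend(k for k in nb_j if labels[k] is None or labels[k] == NOISE)
        cluster += 1
    return labels


def as_location_interval(prefix_coords, eps=1.0, min_pts=3):
    """Cluster the prefix coordinates and return the lat/lon interval of the
    most populated cluster as ((lat_min, lat_max), (lon_min, lon_max)).
    Returns None when every point is noise (no location can be derived)."""
    points = list(prefix_coords.values())
    labels = dbscan(points, eps, min_pts)
    counts = {}
    for lab in labels:
        if lab != NOISE:
            counts[lab] = counts.get(lab, 0) + 1
    if not counts:
        return None
    best = max(counts, key=counts.get)
    members = [p for p, lab in zip(points, labels) if lab == best]
    lats = [p[0] for p in members]
    lons = [p[1] for p in members]
    return (min(lats), max(lats)), (min(lons), max(lons))


def within_interval(coord, interval):
    """Whether a prefix's geolocation falls inside the AS's location interval."""
    (lat_lo, lat_hi), (lon_lo, lon_hi) = interval
    return lat_lo <= coord[0] <= lat_hi and lon_lo <= coord[1] <= lon_hi


# Constructed sample: eight prefixes originated by one AS; six geolocate to one
# metropolitan area, one to a distant city, one to 0,0 (failed lookup).
SAMPLE_PREFIX_COORDS = {
    "203.0.113.0/26": (39.90, 116.40),
    "203.0.113.64/26": (39.95, 116.35),
    "203.0.113.128/26": (39.85, 116.45),
    "203.0.113.192/26": (40.00, 116.30),
    "198.51.100.0/25": (39.80, 116.50),
    "198.51.100.128/25": (39.92, 116.60),
    "192.0.2.0/25": (31.20, 121.50),  # single far-away prefix: noise
    "192.0.2.128/25": (0.0, 0.0),     # geolocation lookup failed: noise
}

if __name__ == "__main__":
    interval = as_location_interval(SAMPLE_PREFIX_COORDS)
    print(interval)  # ((39.8, 40.0), (116.3, 116.6))
    print(within_interval((39.9, 116.4), interval), within_interval((31.2, 121.5), interval))
```

The interval is what gets stored against the autonomous domain in the fourth mapping relation; a later check of a newly announced prefix can then compare that prefix's own geolocation with the interval using within_interval.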
The IP address prefixes of source autonomous domains obtained from the inter-domain route monitoring points and recorded in the routing information database, those recorded in the Internet number resource information base, those recorded in the RPKI authentication library, and the geographic location of IP addresses recorded in the geographic location database are all data collected while not under routing prefix attack.
Because the preset knowledge base stores the mapping between source autonomous domains and their IP address prefixes as recorded in the routing information database, the Internet number resource information base, the RPKI authentication library and the geographic location database, a search of the preset knowledge base for source autonomous domains mapped to the target IP address prefix covers the routing information database dimension, the Internet number resource information base dimension, the RPKI dimension and the geographic location database dimension. The source autonomous domain is thus looked up from multiple dimensions, and a comprehensive data set of source autonomous domains mapped to the target IP address prefix is obtained.
Step 104: when the source autonomous domain to be monitored is recorded in the source autonomous domain data set, determine that no routing prefix attack has occurred.
Step 105: when the source autonomous domain to be monitored is not recorded in the source autonomous domain data set, determine that a routing prefix attack has occurred.
The source autonomous domain data set is obtained by searching the preset knowledge base for the source autonomous domains that are mapped to the target IP address prefix. All IP address prefixes of source autonomous domains recorded in the preset knowledge base were collected while not under routing prefix attack, so every source autonomous domain in the data set is one that was mapped to the target IP address prefix in the absence of an attack. This presupposes that the baseline itself was collected while clean: an origin that was already hijacking the prefix during collection would be recorded as legitimate.
Therefore, when the source autonomous domain to be monitored is recorded in the data set, it is a source autonomous domain that was mapped to the target IP address prefix when not under attack, and it is determined that no routing prefix attack has occurred; when it is not recorded in the data set, it had no mapping to the target IP address prefix when not under attack, and it is determined that a routing prefix attack has occurred.
In this embodiment the source autonomous domain data set is drawn from the preset knowledge base and is therefore multi-dimensional. Judging whether a routing prefix attack has occurred against this data set realizes detection from multiple dimensions and improves the accuracy of detecting routing prefix attacks.
Optionally, after the IP address prefix carried in the route update message is taken as the IP address prefix to be monitored and its source autonomous domain as the source autonomous domain to be monitored, the method further includes:
when neither the IP address prefix to be monitored nor a parent prefix of it exists in the preset knowledge base, determining that a routing prefix attack has occurred.
In this embodiment, since a parent prefix of an IP address prefix contains that prefix, after determining that the IP address prefix to be monitored is absent from the preset knowledge base the method further checks whether a parent prefix of it exists there, and only when no parent prefix exists either is a routing prefix attack determined. Searching for the parent prefix that contains the IP address prefix to be monitored widens the search range, avoids misjudgments caused by missing data, and further improves the accuracy of routing prefix attack detection.
For example, the server may check whether the IP address prefix to be monitored, 4.4.0.0/16 (the first 16 bits are the network part of the address), exists in the preset knowledge base. If not, it may check whether a parent prefix exists there, for example 4.0.0.0/8 (the first 8 bits are the network part; the original text writes this as 4.4.0.0/8, which is the same /8 before the host bits are zeroed). When no parent prefix of the IP address prefix to be monitored exists in the preset knowledge base either, it is determined that a routing prefix attack has occurred.
Optionally, determining that a routing prefix attack has occurred when the source autonomous domain to be monitored is not recorded in the source autonomous domain data set includes:
when the source autonomous domain to be monitored is not recorded in the source autonomous domain data set, judging whether the organization to which it belongs is the same as the organization to which the source autonomous domains in the data set belong;
when the organization to which the source autonomous domain to be monitored belongs differs from that of the source autonomous domains in the data set, determining that a routing prefix attack has occurred.
In this embodiment, the organization to which a source autonomous domain belongs is the network operator that assigns the source autonomous domain to the IP address prefix. The preset knowledge base obtains from the Internet number resource information base the mapping between source autonomous domains and their IP address prefixes together with the organization each source autonomous domain belongs to. When an organization assigns source autonomous domains to its IP address prefixes, not every prefix-to-origin mapping is published; detection based only on the published mappings would therefore flag the source autonomous domain of an unpublished prefix as a routing prefix attack. Hence, when the source autonomous domain to be monitored is not in the data set, the method further compares its organization with that of the source autonomous domains in the data set, i.e. it checks whether the source autonomous domain to be monitored and the source autonomous domains in the data set were assigned to the target IP address prefix by the same network operator.
If so, the source autonomous domain to be monitored is deemed to have a mapping to the target IP address prefix and it is determined that no routing prefix attack has occurred; if not, it is deemed to have no such mapping and it is determined that a routing prefix attack has occurred. Detection is thereby more targeted and its accuracy further improved. Note that the same-organization rule also suppresses alerts for announcements from any other autonomous domain of that operator, including a misconfigured or compromised one, so it trades false positives for false negatives within an operator.
For example, when the IP address prefix to be monitored is 4.4.0.0/16, its parent prefix is 4.0.0.0/8 and the source autonomous domain to be monitored is a9, the source autonomous domain data set obtained from the preset knowledge base for the target IP address prefix is S = {a1, a2, a3, a4}. Since a9 is not recorded in S, the organizations to which a1, a2, a3, a4 and a9 belong are obtained from the preset knowledge base and compared.
When a1, a2, a3 and a4 belong to operator m and a9 also belongs to operator m, the organizations are the same: a9 belongs to the same organization as the source autonomous domains that were mapped to the target IP address prefix when not under attack, so no routing prefix attack has occurred. When a1, a2, a3 and a4 belong to operator m but a9 belongs to operator n, the organizations differ: a9 belongs to a different organization from the source autonomous domains mapped to the target IP address prefix, so a routing prefix attack has occurred.
Optionally, after determining that a routing prefix attack has occurred when the source autonomous domain to be monitored is not recorded in the source autonomous domain data set, the method further includes:
determining the attack source of the routing prefix attack to be the source autonomous domain to be monitored.
In this embodiment, once a routing prefix attack is determined, its attack source can be located precisely, which facilitates subsequent protective measures against that source and improves the security of the network in which the router that sent the route update message is located. The attack source identified here is the origin as announced in the route update message; an attacker who forges the AS path so that the legitimate origin appears at its end is not caught by an origin check, and the announced origin may itself be spoofed.
For example, when the IP address prefix to be monitored is 4.4.0.0/16 and the source autonomous domain to be monitored is a9, the source autonomous domains mapped to the prefix to be monitored are obtained from the preset knowledge base as the data set S = {a1, a3, a4, a5, a7, a8}. The source autonomous domain to be monitored, a9, is not in this set, so a routing prefix attack is determined and a9 is the attack source of the routing prefix attack event.
The embodiment of the present application further provides a flowchart of another method for detecting a routing prefix attack. As shown in fig. 2, the method may include the following steps:
S201: obtain the target IP address prefix and the source autonomous domain to be monitored from the route update message; the target IP address prefix includes the IP address prefix to be monitored and its parent prefix;
S202: judge whether the target IP address prefix exists in the preset knowledge base; if yes, go to S203; if not, go to S206;
S203: obtain the source autonomous domains mapped to the target IP address prefix from the preset knowledge base to form the source autonomous domain data set;
S204: judge whether the source autonomous domain to be monitored is in the source autonomous domain data set; if yes, go to S207; if not, go to S205;
S205: judge whether the organization to which the source autonomous domain to be monitored belongs is the same as that of the source autonomous domains in the data set; if yes, go to S207; if not, go to S206;
S206: determine that a routing prefix attack has occurred, with the source autonomous domain to be monitored as its attack source;
S207: determine that no routing prefix attack has occurred.
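The flow of S201 to S207 as an added worked example (code written for this page, not the patent's implementation). The preset knowledge base, the autonomous-domain-to-organization table standing in for the Internet number resource information base, and every prefix, ASN and operator name are constructed. Using the most specific covering entry as the target IP address prefix when both the prefix and a parent are present is this example's assumption; the flowchart does not fix that choice.

```python
"""Added example, not the patent's code: the S201-S207 decision flow of fig. 2
run over an in-memory preset knowledge base.

Constructed data: prefix -> source autonomous domains recorded while not under
attack (already merged from the four dimensions), and an AS -> organisation
table standing in for the Internet number resource information base.
Assumption: when both a prefix and a parent prefix are present, the most
specific entry is the target IP address prefix.
"""
import ipaddress

KNOWLEDGE_BASE = {
    "4.4.0.0/16": {64501, 64502, 64503},
    "4.0.0.0/8": {64501, 64502, 64503, 64504},
    "198.51.100.0/24": {64510},
}

AS_ORG = {
    64501: "operator m", 64502: "operator m", 64503: "operator m",
    64504: "operator m", 64509: "operator m",
    64510: "operator x", 64666: "operator n",
}


def target_prefixes(prefix, kb):
    """S201/S202: the monitored prefix and its parent (less specific) prefixes
    that exist in the knowledge base, most specific first."""
    net = ipaddress.ip_network(prefix, strict=False)
    found = []
    for plen in range(net.prefixlen, -1, -1):        # e.g. /16, /15, ..., /0
        candidate = str(net.supernet(new_prefix=plen))
        if candidate in kb:
            found.append(candidate)
    return found


def detect(prefix, origin_asn, kb=KNOWLEDGE_BASE, as_org=AS_ORG):
    """Returns (verdict, reason, attack_source); verdict is 'ok' or 'attack'."""
    targets = target_prefixes(prefix, kb)
    if not targets:                                   # S202 -> S206
        return ("attack", "neither prefix nor any parent prefix in knowledge base", origin_asn)
    target = targets[0]
    dataset = kb[target]                              # S203
    if origin_asn in dataset:                         # S204 -> S207
        return ("ok", f"origin recorded for {target}", None)
    known_orgs = {as_org.get(a) for a in dataset} - {None}   # S205
    org = as_org.get(origin_asn)
    if org is not None and org in known_orgs:         # S205 -> S207
        return ("ok", f"origin belongs to {org}, same organisation as origins of {target}", None)
    # S206: unrecorded origin from another (or unknown) organisation
    return ("attack", f"origin not recorded for {target} and organisation differs", origin_asn)


if __name__ == "__main__":
    # Constructed route update messages: (prefix, announced origin AS).
    for upd in [("4.4.0.0/16", 64501), ("4.4.0.0/16", 64509), ("4.4.0.0/16", 64666),
                ("4.4.10.0/24", 64504), ("203.0.113.0/24", 64501)]:
        print(upd, detect(*upd))
```

Run directly, the block prints verdicts for five constructed route updates: a recorded origin (S207), an unrecorded origin of the same operator (S205 then S207), an unrecorded origin of another operator (S206), a more-specific prefix absent from the knowledge base but covered by a parent (S202 satisfied through the parent), and a prefix with no covering entry at all (S202 then S206). An origin whose organization is unknown is treated as a different organization, since the rescue in S205 must not fire on missing data.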
In this embodiment, the server compares the target IP address prefix, the source autonomous domain to be monitored and the organization that source autonomous domain belongs to against the data recorded in the preset knowledge base to determine whether a routing prefix attack has occurred. This realizes detection from multiple dimensions and improves detection accuracy. Once an attack is determined, its attack source is also determined, which facilitates protective measures against that source and improves the security of the network corresponding to the route update message.
In this embodiment, the server receives a route update message sent by an inter-domain route monitoring point, takes the IP address prefix carried in the message as the IP address prefix to be monitored and its origin autonomous domain as the source autonomous domain to be monitored. When a target IP address prefix exists in the preset knowledge base, the target IP address prefix being the IP address prefix to be monitored or a parent prefix of it, the source autonomous domains mapped to the target IP address prefix are obtained from the preset knowledge base to form the source autonomous domain data set. The preset knowledge base stores the mapping between source autonomous domains and their IP address prefixes as recorded in the routing information database, the Internet number resource information base, the RPKI authentication library and the geographic location database. When the source autonomous domain to be monitored is recorded in the data set, it is determined that no routing prefix attack has occurred; when it is not, it is determined that a routing prefix attack has occurred.
Because the preset knowledge base stores these mappings from the routing information database, the Internet number resource information base, the RPKI authentication library and the geographic location database, all collected while not under routing prefix attack, judging an announcement against the preset knowledge base analyzes the routing information database dimension, the Internet number resource information base dimension, the RPKI dimension and the geographic location database dimension together, which improves the accuracy of detecting routing prefix attacks.
Based on the same technical concept, the embodiment of the present application further provides a device for detecting a routing prefix attack. As shown in fig. 3, the device includes:
a receiving module 301, configured to receive a route update message sent by an inter-domain route monitoring point;
a first obtaining module 302, configured to take the Internet Protocol (IP) address prefix carried in the route update message as the IP address prefix to be monitored and its source autonomous domain as the source autonomous domain to be monitored;
a second obtaining module 303, configured to, when a target IP address prefix exists in the preset knowledge base, obtain the source autonomous domains mapped to the target IP address prefix from the preset knowledge base to form the source autonomous domain data set, where the target IP address prefix is the IP address prefix to be monitored or a parent prefix of it, and the preset knowledge base stores the mapping between source autonomous domains and their IP address prefixes as recorded in the routing information database, the Internet number resource information base, the RPKI authentication library and the geographic location database;
a first determining module 304, configured to determine that no routing prefix attack has occurred when the source autonomous domain to be monitored is recorded in the source autonomous domain data set;
a second determining module 305, configured to determine that a routing prefix attack has occurred when the source autonomous domain to be monitored is not recorded in the source autonomous domain data set.
Optionally, the device for detecting a routing prefix attack further includes:
a third determining module, configured to determine that a routing prefix attack has occurred when, after the IP address prefix carried in the route update message has been taken as the IP address prefix to be monitored and its source autonomous domain as the source autonomous domain to be monitored, neither the IP address prefix to be monitored nor a parent prefix of it exists in the preset knowledge base.
Optionally, the second determining module 305 includes:
a judging unit, configured to judge, when the source autonomous domain to be monitored is not recorded in the source autonomous domain data set, whether the organization to which it belongs is the same as the organization to which the source autonomous domains in the data set belong;
a determining unit, configured to determine that a routing prefix attack has occurred when the organization to which the source autonomous domain to be monitored belongs differs from that of the source autonomous domains in the data set.
Optionally, the device further includes:
a fourth determining module, configured to determine, after a routing prefix attack has been determined because the source autonomous domain to be monitored is not recorded in the source autonomous domain data set, that the attack source of the routing prefix attack is the source autonomous domain to be monitored.
Optionally, the device further includes:
a first extraction module, configured to extract, before the source autonomous domain data set is obtained from the preset knowledge base, the source autonomous domains recorded in the routing information database and their recorded IP address prefixes, to obtain a first mapping relation;
a second extraction module, configured to extract the source autonomous domains recorded in the Internet number resource information base, their recorded IP address prefixes and the recorded organization each belongs to, to obtain a second mapping relation;
a third extraction module, configured to extract the source autonomous domains recorded in the Resource Public Key Infrastructure (RPKI) authentication library and their recorded IP address prefixes, to obtain a third mapping relation;
a fourth extraction module, configured to extract the source autonomous domains recorded in the geographic location database and their recorded IP address prefixes, to obtain a fourth mapping relation;
a generation module, configured to generate the preset knowledge base recording the first, second, third and fourth mapping relations.
The device of this embodiment thus performs the method described above: it receives a route update message from an inter-domain route monitoring point, takes the carried IP address prefix and its origin autonomous domain as the objects to be monitored, obtains from the preset knowledge base the source autonomous domain data set for the target IP address prefix (the prefix itself or a parent prefix of it), and determines that no routing prefix attack has occurred when the source autonomous domain to be monitored is in the data set and that one has occurred when it is not. Because the preset knowledge base holds mappings from the routing information database, the Internet number resource information base, the RPKI authentication library and the geographic location database, all collected while not under routing prefix attack, the judgment covers all four dimensions and the accuracy of detecting routing prefix attacks is improved.
The embodiment of the present application further provides an electronic device. As shown in fig. 4, it includes a processor 401, a communication interface 402, a memory 403 and a communication bus 404, where the processor 401, the communication interface 402 and the memory 403 communicate with one another over the communication bus 404;
the memory 403 is configured to store a computer program;
the processor 401 is configured to implement any step of the method for detecting a routing prefix attack described above when executing the program stored in the memory 403.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP) and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In another embodiment provided by the present application, a computer-readable storage medium is further provided, in which a computer program is stored, and the computer program, when executed by a processor, implements any one of the method steps in the above-mentioned route prefix attack detection method embodiment.
In another embodiment provided by the present application, there is also provided a computer program product containing instructions that, when executed on a computer, cause the computer to perform any one of the method steps of the above-mentioned method for detecting a route prefix attack.
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware or any combination thereof. When implemented in software, it may be realized wholly or partially in the form of a computer program product. The computer program product includes one or more computer instructions which, when loaded and executed on a computer, cause the processes or functions described according to the embodiments of the application to be performed in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network or other programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example from one website, computer, server or data center to another by wired (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) means. The computer-readable storage medium may be any available medium accessible to a computer, or a data storage device such as a server or data center integrating one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD) or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus, the electronic device, the computer-readable storage medium, and the computer program product embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and in relation to them, reference may be made to the partial description of the method embodiments.
The above description is only for the preferred embodiment of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (8)

1. A method for detecting a routing prefix attack, the method comprising:
receiving a route update message sent by an inter-domain route monitoring point;
taking an Internet Protocol (IP) address prefix carried in the route update message as an IP address prefix to be monitored, and an origin autonomous domain of the IP address prefix as a source autonomous domain to be monitored;
when a target IP address prefix exists in a preset knowledge base, obtaining from the preset knowledge base the source autonomous domains having a mapping relation with the target IP address prefix, to obtain a source autonomous domain data set; the target IP address prefix comprising the IP address prefix to be monitored or a parent prefix of the IP address prefix to be monitored; wherein the preset knowledge base stores the mapping relation between a source autonomous domain and the IP address prefix of the source autonomous domain as recorded in a routing information database, an Internet number resource information base, a Resource Public Key Infrastructure (RPKI) authentication library and a geographic location database;
when the source autonomous domain to be monitored is recorded in the source autonomous domain data set, determining that no routing prefix attack occurs;
when the source autonomous domain to be monitored is not recorded in the source autonomous domain data set, judging whether the organization to which the source autonomous domain to be monitored belongs is the same as the organization to which the source autonomous domains in the source autonomous domain data set belong;
when the organization to which the source autonomous domain to be monitored belongs is different from the organization to which the source autonomous domains in the source autonomous domain data set belong, determining that a routing prefix attack occurs;
and when the organization to which the source autonomous domain to be monitored belongs is the same as the organization to which the source autonomous domains in the source autonomous domain data set belong, determining that no routing prefix attack occurs.
2. The method according to claim 1, wherein after the obtaining an internet protocol IP address prefix carried in the route update message as an IP address prefix to be monitored and an autonomous domain of the IP address prefix as an autonomous domain to be monitored, further comprising:
and when the IP address prefix to be monitored does not exist in the preset knowledge base and the parent prefix of the IP address prefix to be monitored does not exist, determining that the routing prefix attack occurs.
3. The method according to claim 1, wherein after determining that a routing prefix attack occurs when the source autonomous domain to be monitored is not recorded in the source autonomous domain data set, the method further comprises:
determining that the attack source of the routing prefix attack is the source autonomous domain to be monitored.
4. The method according to any one of claims 1 to 3, wherein before acquiring the source autonomous domain having a mapping relation with the target IP address prefix from the preset knowledge base to obtain the source autonomous domain data set, the method further comprises:
extracting the source autonomous domain recorded in the routing information database and the recorded IP address prefix of the source autonomous domain to obtain a first mapping relation;
extracting the source autonomous domain recorded in the internet code resource information base, the recorded IP address prefix of the source autonomous domain and the recorded organization to which the source autonomous domain belongs to obtain a second mapping relation;
extracting a third mapping relation between the source autonomous domain recorded in the Resource Public Key Infrastructure (RPKI) authentication library and the recorded IP address prefix of the source autonomous domain;
extracting the source autonomous domain recorded in the geographic position database and the IP address prefix of the recorded source autonomous domain to obtain a fourth mapping relation;
and generating the preset knowledge base recorded with the first mapping relation, the second mapping relation, the third mapping relation and the fourth mapping relation.
5. A routing prefix attack detection apparatus, the apparatus comprising:
the receiving module is used for receiving the route updating message sent by the inter-domain route monitoring point;
a first obtaining module, configured to obtain an internet protocol IP address prefix carried in the route update message as an IP address prefix to be monitored, and a source autonomous domain of the IP address prefix as the source autonomous domain to be monitored;
a second acquisition module, configured to, when a target IP address prefix exists in a preset knowledge base, acquire the source autonomous domains which have a mapping relation with the target IP address prefix from the preset knowledge base to obtain a source autonomous domain data set; the target IP address prefix is the IP address prefix to be monitored or a parent prefix of the IP address prefix to be monitored; wherein the preset knowledge base stores the mapping relations between the source autonomous domains recorded in a routing information database, an internet code resource information base, a Resource Public Key Infrastructure (RPKI) authentication base and a geographic position database, and the IP address prefixes recorded for those source autonomous domains;
a first determining module, configured to determine that no routing prefix attack occurs when the source autonomous domain to be monitored is recorded in the source autonomous domain data set;
a second determining module, configured to, when the source autonomous domain to be monitored is not recorded in the source autonomous domain data set, judge whether the organization to which the source autonomous domain to be monitored belongs is the same as the organization to which the source autonomous domain in the source autonomous domain data set belongs;
when the organization to which the source autonomous domain to be monitored belongs is different from the organization to which the source autonomous domain in the source autonomous domain data set belongs, determine that a routing prefix attack occurs;
and when the organization to which the source autonomous domain to be monitored belongs is the same as the organization to which the source autonomous domain in the source autonomous domain data set belongs, determine that no routing prefix attack occurs.
6. The apparatus of claim 5, further comprising:
a third determining module, configured to, after the IP address prefix carried in the route update message has been obtained as the IP address prefix to be monitored and the source autonomous domain of the IP address prefix as the source autonomous domain to be monitored, determine that a routing prefix attack occurs when neither the IP address prefix to be monitored nor a parent prefix of the IP address prefix to be monitored exists in the preset knowledge base.
7. The apparatus of claim 5, further comprising:
a fourth determining module, configured to, after it has been determined that a routing prefix attack occurs because the source autonomous domain to be monitored is not recorded in the source autonomous domain data set, determine that the attack source of the routing prefix attack is the source autonomous domain to be monitored.
8. The apparatus according to any one of claims 5-7, further comprising:
a first extraction module, configured to, before the source autonomous domain having a mapping relation with the target IP address prefix is acquired from the preset knowledge base to obtain the source autonomous domain data set, extract the source autonomous domain recorded in the routing information database and the recorded IP address prefix of the source autonomous domain to obtain a first mapping relation;
a second extraction module, configured to extract the source autonomous domain recorded in the internet code resource information base, the recorded IP address prefix of the source autonomous domain and the recorded organization to which the source autonomous domain belongs to obtain a second mapping relation;
the third extraction module is used for extracting a third mapping relation between the source autonomous domain recorded in the Resource Public Key Infrastructure (RPKI) authentication library and the recorded IP address prefix of the source autonomous domain;
the fourth extraction module is used for extracting the source autonomous domain recorded in the geographic position database and the IP address prefix of the recorded source autonomous domain to obtain a fourth mapping relation;
and the generating module is used for generating a preset knowledge base recorded with the first mapping relation, the second mapping relation, the third mapping relation and the fourth mapping relation.
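As an added worked example (not code from the patent or its applicant), the following Python implements the decision procedure of method claims 1 to 4 and the matching modules of apparatus claims 5 to 8 in one place: a knowledge base of prefix-to-origin-AS mappings plus an AS-to-organization mapping, a lookup that falls back to the closest parent prefix, and the attack / no-attack verdict with the organization check and the unknown-prefix rule of claim 2. The `<prefix>|<AS path>` update text format, the per-record source tag standing in for the four databases, and every prefix, AS number and organization handle are constructed for illustration.

```python
"""Added example: prefix-hijack decision procedure from claims 1-4 / 5-8.
Not the patent's code; all data and formats below are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

NO_ATTACK = "no_attack"
ATTACK = "attack"


@dataclass
class KnowledgeBase:
    """Preset knowledge base: prefix -> recorded origin ASes (mapping relations
    1, 3 and 4 merged) and AS -> organization (mapping relation 2)."""
    prefix_origins: Dict[Network, Set[int]] = field(default_factory=dict)
    as_org: Dict[int, str] = field(default_factory=dict)

    def add_mapping(self, prefix: str, asn: int, org: Optional[str] = None) -> None:
        net = ipaddress.ip_network(prefix, strict=False)
        self.prefix_origins.setdefault(net, set()).add(asn)
        if org is not None:
            self.as_org[asn] = org

    def lookup(self, prefix: str) -> Optional[Tuple[Network, Set[int]]]:
        """Return the monitored prefix itself if recorded, otherwise its closest
        recorded parent prefix, together with the source-AS data set.  None means
        neither the prefix nor any parent prefix exists (the claim 2 case)."""
        net = ipaddress.ip_network(prefix, strict=False)
        while True:
            if net in self.prefix_origins:
                return net, self.prefix_origins[net]
            if net.prefixlen == 0:
                return None
            net = net.supernet()


def build_knowledge_base(records) -> KnowledgeBase:
    """records: iterable of (source, prefix, origin_asn, org_or_None).  The source
    tag names which of the four databases the mapping was extracted from; only
    the registry source (mapping relation 2) carries an organization handle."""
    kb = KnowledgeBase()
    for source, prefix, asn, org in records:
        kb.add_mapping(prefix, asn, org if source == "registry" else None)
    return kb


def parse_update(line: str) -> Tuple[str, int]:
    """Constructed text form of a route update: '<prefix>|<AS path>'.
    The origin (source) AS of the prefix is the last AS in the path."""
    prefix, path = line.strip().split("|")
    return prefix, int(path.split()[-1])


def detect(kb: KnowledgeBase, prefix: str, origin_asn: int) -> Tuple[str, Optional[int], str]:
    """Return (verdict, attack_source_asn_or_None, reason)."""
    hit = kb.lookup(prefix)
    if hit is None:
        # Claim 2: neither the prefix nor a parent prefix is in the knowledge base.
        return ATTACK, origin_asn, f"{prefix} has no record and no parent prefix"
    matched, origins = hit
    if origin_asn in origins:
        # Claim 1: the monitored source AS is in the source-AS data set.
        return NO_ATTACK, None, f"AS{origin_asn} is a recorded origin of {matched}"
    # Claim 1, organization check: another AS of the same organization (for
    # example a sibling AS announcing a more-specific) is not an attack.
    org = kb.as_org.get(origin_asn)
    recorded_orgs = {kb.as_org.get(asn) for asn in origins}
    if org is not None and org in recorded_orgs:
        return NO_ATTACK, None, f"AS{origin_asn} belongs to {org}, like a recorded origin of {matched}"
    # Claim 3: the attack source is the monitored source AS.
    return ATTACK, origin_asn, f"AS{origin_asn} is not a recorded origin of {matched} and belongs to another organization"


# Constructed knowledge-base records (documentation prefixes, private ASNs).
CONSTRUCTED_RECORDS = [
    ("rib",      "203.0.113.0/24",  64500, None),
    ("registry", "203.0.113.0/24",  64500, "ORG-A"),
    ("rpki",     "203.0.113.0/24",  64500, None),
    ("registry", "198.51.100.0/24", 64501, "ORG-B"),
    ("registry", "2001:db8::/32",   64501, "ORG-B"),
    ("registry", "192.0.2.0/24",    64502, "ORG-A"),   # sibling AS of AS64500
]

# Constructed route updates as they might arrive from a monitoring point.
CONSTRUCTED_UPDATES = [
    "203.0.113.0/24|64510 64500",     # recorded origin           -> no attack
    "203.0.113.128/25|64510 64502",   # more-specific, sibling AS -> no attack
    "203.0.113.0/24|64510 64501",     # other organization        -> attack
    "198.18.0.0/15|64510 64501",      # unknown prefix, no parent -> attack (claim 2)
    "2001:db8:1::/48|64510 64599",    # origin AS with no org     -> attack
]

if __name__ == "__main__":
    kb = build_knowledge_base(CONSTRUCTED_RECORDS)
    for line in CONSTRUCTED_UPDATES:
        verdict, source, reason = detect(kb, *parse_update(line))
        tag = "" if source is None else f"AS{source}"
        print(f"{line:32} -> {verdict:9} {tag:8} {reason}")
```

The organization step is what separates this procedure from a plain origin check against ROAs: a more-specific announced by a sibling AS of the registered holder is accepted, while the same announcement from an AS with no recorded organization, or a different one, is flagged and the monitored AS is reported as the attack source.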

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911312280.9A CN111314285B (en) 2019-12-18 2019-12-18 Method and device for detecting route prefix attack

Publications (2)

Publication Number Publication Date
CN111314285A CN111314285A (en) 2020-06-19
CN111314285B true CN111314285B (en) 2021-04-06

Family

ID=71161409

Country Status (1)

Country Link
CN (1) CN111314285B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112003959B (en) * 2020-07-13 2023-06-16 深圳网基科技有限公司 Automatic issuing method and device for route origin authorization
CN111865698B (en) * 2020-07-30 2023-10-17 中国电子信息产业集团有限公司第六研究所 Geographic information-based self-control domain-level Internet topology visualization method
CN112565253B (en) * 2020-12-02 2021-11-30 清华大学 Method and device for verifying inter-domain source address, electronic equipment and storage medium
EP4293961A1 (en) * 2021-03-25 2023-12-20 Huawei Technologies Co., Ltd. Routing verification method, apparatus and device, data sending method, apparatus and device, and storage medium
CN114285663A (en) * 2021-12-28 2022-04-05 赛尔网络有限公司 Method, device, equipment and medium for managing attack source address
CN115085984B (en) * 2022-03-03 2023-03-14 北京邮电大学 Outsourcing slow release method facing routing prefix hijacking and related equipment

Citations (6)

Publication number Priority date Publication date Assignee Title
CN101656638A (en) * 2009-09-08 2010-02-24 中国科学院计算技术研究所 Inter-domain prefix hijacking detection method for error configuration
US7823202B1 (en) * 2007-03-21 2010-10-26 Narus, Inc. Method for detecting internet border gateway protocol prefix hijacking attacks
JP2011216978A (en) * 2010-03-31 2011-10-27 Nippon Telegraph & Telephone West Corp Route hijack detection method
CN102394794A (en) * 2011-11-04 2012-03-28 中国人民解放军国防科学技术大学 Coordinated monitoring method for preventing BGP routing hijacking
CN105791244A (en) * 2014-12-26 2016-07-20 中国电信股份有限公司 Method, boundary router and system for controlling inter-domain routing change
CN106060014A (en) * 2016-05-18 2016-10-26 中国互联网络信息中心 Method for simultaneously solving prefix hijacking, path hijacking and route leakage attacks

Family Cites Families (6)

Publication number Priority date Publication date Assignee Title
CN103856367B (en) * 2012-12-06 2017-10-20 中国电信股份有限公司 IP network routing safety quick determination method and route analysis server
US10148690B2 (en) * 2015-12-21 2018-12-04 Symantec Corporation Accurate real-time identification of malicious BGP hijacks
CN106453651B (en) * 2016-11-30 2020-01-31 中国互联网络信息中心 RPKI database and data synchronization method
CN107911339B (en) * 2017-10-20 2020-08-11 新华三技术有限公司 Information maintenance method and device
CN108092897B (en) * 2017-11-23 2020-07-21 浙江大学 Trusted routing source management method based on SDN
CN110012119B (en) * 2019-03-12 2019-11-01 广州大学 A kind of IP address prefix authorization and management method

Non-Patent Citations (2)

Title
IP prefix hijack detection using BGP connectivity monitoring; Hussain Alshamrani et al.; 2016 IEEE 17th International Conference on High Performance Switching and Routing (HPSR); 2016-06-17; full text *
BGP anomaly event detection and implementation based on machine learning; 陆岳昆; China Master's Theses Full-text Database (electronic journal); 2018-11-15; full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant