CN111416806B - IP address tracing method and device for anonymous attack traffic of backbone network - Google Patents

Publication number
CN111416806B
Authority
CN
China
Prior art keywords
link
flow
path
intersect
monitoring
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010174652.2A
Other languages
Chinese (zh)
Other versions
CN111416806A (en)
Inventor
陈文龙
王晓林
唐晓岚
王晓亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Capital Normal University
Original Assignee
Capital Normal University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Capital Normal University filed Critical Capital Normal University
Priority to CN202010174652.2A priority Critical patent/CN111416806B/en
Publication of CN111416806A publication Critical patent/CN111416806A/en
Application granted granted Critical
Publication of CN111416806B publication Critical patent/CN111416806B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/126Applying verification of the received information the source of the received data

Abstract

The invention discloses an IP address tracing method and device for anonymous attack traffic in a backbone network. The method comprises the following steps: acquiring network topology information of an autonomous domain, and selecting a minimum link set so that all traffic in the autonomous domain can be monitored through these links; deploying monitoring devices on the links and reducing the load of each monitoring device to the minimum; when any monitoring device finds abnormal traffic, constructing a reverse traffic tree with that monitoring device as the tree root, in which traffic flows from the leaves to the root, wherein the traffic of all paths monitoring links is excluded, the tracing devices of the routers are started step by step, and the source of the continuous traffic is searched step by step to obtain a search result. The method can locate the real address range of anonymous attack traffic and is simple and easy to implement.

Description

IP address tracing method and device for anonymous attack traffic of backbone network
Technical Field
The invention relates to the technical field of computer networks, in particular to an IP address tracing method and device for backbone network anonymous attack flow.
Background
In techniques for tracing anonymous attack traffic within an Internet autonomous domain, improving the cost and efficiency of tracing is one of the key problems. Tracing based on dynamic packet marking often suffers from problems such as high computational cost. A real-time dynamic tracing scheme does not need to mark packets and mainly targets persistent anonymous attacks: tracing is performed step by step through pluggable router traffic detection devices, which avoids the additional computation caused by marking. In addition, detection is started only when an attack occurs, so normal routing efficiency is not affected. However, the scheme has the drawback that effective tracing is possible only while the attack is occurring and continues.
Disclosure of Invention
The present invention is directed to solving, at least to some extent, one of the technical problems in the related art.
Therefore, the invention aims to provide an IP address tracing method for the anonymous attack traffic of the backbone network, which can complete the real address range positioning of the anonymous attack traffic and is simple and easy to implement.
The invention also aims to provide an IP address tracing device for anonymous attack traffic of the backbone network.
In order to achieve the above object, an embodiment of the present invention provides an IP address tracing method for anonymous attack traffic of a backbone network, including the following steps: acquiring network topology information of an autonomous domain, and selecting a minimum link set so that all traffic in the autonomous domain can be monitored through these links; deploying monitoring devices on the links and reducing the load of each monitoring device to the minimum; when any monitoring device finds abnormal traffic, constructing a reverse traffic tree with that monitoring device as the tree root, in which traffic flows from the leaves to the root, wherein the traffic of all paths monitoring links is excluded, the tracing devices of the routers are started step by step, and the source of the continuous traffic is searched step by step to obtain a search result.
In the IP address tracing method for anonymous attack traffic of the backbone network according to the embodiment of the invention, traffic monitoring is handled by bypass monitoring devices and does not affect network overhead; the tracing process is completed by the monitoring devices and the routers working together, and a router needs to pay only a small overhead to complete tracing. The real address range of anonymous attack traffic can therefore be located, and the method is simple and easy to implement.
In addition, the method for tracing the source of the IP address of the anonymous attack traffic of the backbone network according to the above embodiment of the present invention may further have the following additional technical features:
further, in an embodiment of the present invention, after obtaining the network topology information of the autonomous domain, the method further includes: the links and paths in the topology are classified.
Further, in one embodiment of the present invention, the paths include an exclusive path, a shared path, and the links include an exclusive link and a shared link.
Further, in an embodiment of the present invention, the selecting the smallest link set includes:
computing the exclusive path set $S\_P_{single}=\{P_1,P_2,\dots,P_s\}$, $S\_P_{single}\in\omega$, and computing the exclusive link set $S\_E_{single}=\{L_1,L_2,\dots,L_n\}$, wherein
Figure BDA0002410378220000021
$L_i\in P_j$
Figure BDA0002410378220000022
then the shared path set is $S\_P_{intersect}=\omega-S\_P_{single}$ and the shared link set is $S\_E_{intersect}=\varepsilon-S\_E_{single}$;
$S\_E_{min}$ is initialized to empty; for each $P'\in S\_P_{single}$, a link $L'\in P'$ is added to $S\_E_{min}$ and $P'$ is removed from $S\_P_{single}$, until $S\_P_{single}$ is empty;
for $S\_P_{intersect}=\{P_1,P_2,\dots,P_n\}$ and any $P_i\in S\_P_{intersect}$, $i\in\{1,2,\dots,n\}$, obtaining the set of links contained in the path, i.e. $P_i=\{L_{i1},L_{i2},\dots,L_{in}\}$; for $S\_E_{intersect}=\{L_1,L_2,\dots,L_n\}$ and any $L_i\in S\_E_{intersect}$, $i\in\{1,2,\dots,n\}$, obtaining the set of paths that the link can monitor, $S\_P(L_i)=\{P_1',P_2',\dots,P_m'\}$;
finding the minimum link set $S\_E_{min}=\{L_1'',L_2'',\dots,L_n''\}$ such that
Figure BDA0002410378220000023
and $L_i\in P_i$.
Further, in one embodiment of the invention, all monitoring devices monitor static traffic and monitor static traffic by link allocation in a dynamically balanced manner.
In order to achieve the above object, another embodiment of the present invention provides an IP address tracing apparatus for anonymous attack traffic of a backbone network, including: the acquisition module is used for acquiring network topology information of an autonomous domain and selecting a minimum link set so as to monitor all flow in the autonomous domain through links; the deployment module is used for deploying the monitoring equipment on the link and reducing the load of each monitoring equipment to the minimum; and the construction module is used for constructing a reverse flow tree by taking any monitoring device as a tree root when the abnormal flow is found by any monitoring device, wherein the flow flows to the tree root from leaves in the flow tree, the flow of all paths for monitoring links is eliminated, the tracing device of the router is started step by step, and the continuous flow source is searched step by step to obtain a search result.
In the IP address tracing device for anonymous attack traffic of the backbone network according to the embodiment of the invention, traffic monitoring is handled by bypass monitoring devices and does not affect network overhead; the tracing process is completed by the monitoring devices and the routers working together, and a router needs to pay only a small overhead to complete tracing. The real address range of anonymous attack traffic can therefore be located, and the device is simple and easy to implement.
In addition, the IP address tracing apparatus for the backbone network anonymous attack traffic according to the above embodiment of the present invention may further have the following additional technical features:
further, in an embodiment of the present invention, the method further includes: and the classification module is used for classifying links and paths in the topology after the network topology information of the autonomous domain is acquired.
Further, in one embodiment of the present invention, the paths include an exclusive path, a shared path, and the links include an exclusive link and a shared link.
Further, in an embodiment of the present invention, the selecting the smallest link set includes:
computing the exclusive path set $S\_P_{single}=\{P_1,P_2,\dots,P_s\}$, $S\_P_{single}\in\omega$, and computing the exclusive link set $S\_E_{single}=\{L_1,L_2,\dots,L_n\}$, wherein
Figure BDA0002410378220000031
$L_i\in P_j$
Figure BDA0002410378220000032
then the shared path set is $S\_P_{intersect}=\omega-S\_P_{single}$ and the shared link set is $S\_E_{intersect}=\varepsilon-S\_E_{single}$;
$S\_E_{min}$ is initialized to empty; for each $P'\in S\_P_{single}$, a link $L'\in P'$ is added to $S\_E_{min}$ and $P'$ is removed from $S\_P_{single}$, until $S\_P_{single}$ is empty;
for $S\_P_{intersect}=\{P_1,P_2,\dots,P_n\}$ and any $P_i\in S\_P_{intersect}$, $i\in\{1,2,\dots,n\}$, obtaining the set of links contained in the path, i.e. $P_i=\{L_{i1},L_{i2},\dots,L_{in}\}$; for $S\_E_{intersect}=\{L_1,L_2,\dots,L_n\}$ and any $L_i\in S\_E_{intersect}$, $i\in\{1,2,\dots,n\}$, obtaining the set of paths that the link can monitor, $S\_P(L_i)=\{P_1',P_2',\dots,P_m'\}$;
finding the minimum link set $S\_E_{min}=\{L_1'',L_2'',\dots,L_n''\}$ such that
Figure BDA0002410378220000033
and $L_i\in P_i$.
Further, in one embodiment of the invention, all monitoring devices monitor static traffic and monitor static traffic by link allocation in a dynamically balanced manner.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
The foregoing and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
fig. 1 is a flowchart of an IP address tracing method for anonymous attack traffic of a backbone network according to an embodiment of the present invention;
fig. 2 is a flowchart of an IP address tracing method for anonymous attack traffic of a backbone network according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a process of monitoring a link to initiate tracing when an abnormal bandwidth is discovered according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an IP address tracing apparatus for anonymous attack traffic of a backbone network according to an embodiment of the present invention.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are illustrative and intended to be illustrative of the invention and are not to be construed as limiting the invention.
The following describes an IP address tracing method and apparatus for anonymous attack traffic of a backbone network according to an embodiment of the present invention with reference to the accompanying drawings, and first, an IP address tracing method for anonymous attack traffic of a backbone network according to an embodiment of the present invention will be described with reference to the accompanying drawings.
Fig. 1 is a flowchart of an IP address tracing method for anonymous attack traffic of a backbone network according to an embodiment of the present invention.
As shown in fig. 1, the method for tracing the source of the IP address of the anonymous attack traffic of the backbone network includes the following steps:
in step S101, network topology information of the autonomous domain is obtained, and a minimum link set is selected so that all traffic in the autonomous domain can be monitored through these links.
It can be understood that the network topology information of the autonomous domain is obtained and the minimum link set is selected so that these links can monitor all traffic in the autonomous domain.
Further, in an embodiment of the present invention, after obtaining the network topology information of the autonomous domain, the method further includes: classifying the links and paths in the topology, wherein the paths comprise exclusive paths and shared paths, and the links comprise exclusive links and shared links.
Specifically, links and paths in the topology are classified. A path is defined as the shortest path from one edge router to another edge router, and the main purpose of classifying the topology and the links is to reduce the amount of computation for finding the minimum monitoring link set. If a link lies on only one path, it is classified as an exclusive link; otherwise it is classified as a shared link.
In step S102, monitoring devices are deployed on the link, and the load of each monitoring device is reduced to a minimum.
It will be appreciated that monitoring devices are deployed on these links and that the load of each monitoring device is balanced as much as possible.
Specifically, an optimal monitoring link set is selected, and monitoring devices and tracing devices are deployed. Selecting the optimal monitoring links can be modeled as a set cover problem and solved with an approximate greedy algorithm; the result is not necessarily the optimal solution, but an approximately optimal one. The monitoring devices monitor all traffic, and the tracing devices are responsible for querying the previous-hop router address of the traffic during tracing.
The tracing devices are deployed on all nodes; they are normally in a standby state, running at low power consumption, and are activated only when tracing is needed.
In step S103, when any monitoring device finds abnormal traffic, a reverse traffic tree is constructed with any monitoring device as a tree root, and in the traffic tree, traffic flows from leaves to the tree root, wherein traffic of all paths monitoring links is excluded, a tracing device of a router is started step by step, and a continuous traffic source is searched step by step to obtain a search result.
It can be understood that once a monitoring device finds abnormal traffic, the monitoring device is taken as a tree root to construct an inverse traffic tree, and in the traffic tree, the traffic flows from leaves to the tree root. Firstly, the flow of all paths monitoring links is eliminated, then the tracing equipment of the router is started step by step, and the continuous flow source is searched step by step.
Specifically, a monitoring link finds abnormal bandwidth and the tracing process is started. The monitoring device finds continuous abnormal traffic and constructs a reverse traffic tree with the destination address of the traffic as the tree root. According to the traffic tree, it finds node 1, the previous node of the abnormal traffic, and that node starts tracing: it detects the continuous abnormal traffic, identifies node 2, the previous node of the traffic, and sends it a tracing request. Node 2 repeats the operation of node 1, and so on until the real source edge router is reached, so that the area where the anonymous traffic originates can be determined.
The IP address tracing method for anonymous attack traffic of the backbone network is further explained below through a specific embodiment. As shown in fig. 2, the method specifically includes:
1. Acquire the physical topology of the autonomous domain, which is used to calculate the monitoring links on which monitoring points are to be deployed.
2. The links and paths in the topology are classified.
$\omega$ denotes the set of shortest paths connecting two different edge routers (an edge router connects at least one subnet). $R_i$ denotes an edge router connecting subnets within the autonomous domain, $R_i\in\nu$, $i\in\{1,2,3,\dots,n\}$, and the number of subnets connected to $R_i$ is $N_{R_i\_Subnet}$.
$P_{i-j}$ denotes the path from $R_i$ to $R_j$ (Dijkstra), $P_{i-j}\in\omega$, $i<j$; regardless of the particular edge routers, a path may be denoted as $P_i$, $P_i\in\omega$, $i\in\{1,2,\dots,n\}$. If $L_i$, $i\in\{1,2,\dots,m\}$, is a link of $P_{i-j}$, then $P_{i-j}=\{L_1,L_2,L_3,\dots,L_m\}$. When the traffic on path $P_{i-j}$ is divided by IP prefix, the number of traffic flows on $P_{i-j}$ can be expressed as $NF_{P_{i-j}}=N_{R_i\_Subnet}\times N_{R_j\_Subnet}$.
Exclusive path: for a path P, P' is a parallel path if and only if
Figure BDA0002410378220000051
$P'\in\omega$,
Figure BDA0002410378220000052
$P_i\neq P'$,
Figure BDA0002410378220000053
the parallel paths P' are parallel to each other,
Figure BDA0002410378220000054
$L_i$ can be used as a monitoring link. Each link on a parallel path is an exclusive link; otherwise, the link is wrong.
Shared path:
Figure BDA0002410378220000055
then $P_i$ and $P_j$ are both cross paths.
Exclusive link: a link $L_i$, $i\in\{1,2,\dots,n\}$, is an exclusive link if and only if $L_i\in P'$, $P'\in\omega$,
Figure BDA0002410378220000056
Shared link: a link $L_i$, $i\in\{1,2,\dots,n\}$, is a shared link if and only if $L_i\in P_j$, $P_j\in\omega$, $j>1$.
3. Select an optimal monitoring link set, and deploy monitoring devices and tracing devices.
Compute the exclusive path set $S\_P_{single}=\{P_1,P_2,\dots,P_s\}$, $S\_P_{single}\in\omega$. Compute the exclusive link set $S\_E_{single}=\{L_1,L_2,\dots,L_n\}$, wherein
Figure BDA0002410378220000057
$L_i\in P_j$
Figure BDA0002410378220000058
Then the shared path set is $S\_P_{intersect}=\omega-S\_P_{single}$ and the shared link set is $S\_E_{intersect}=\varepsilon-S\_E_{single}$.
$S\_E_{min}$ is initialized to empty. For each $P'\in S\_P_{single}$, a link $L'\in P'$ is added to $S\_E_{min}$ and $P'$ is removed from $S\_P_{single}$, until $S\_P_{single}$ is empty.
For $S\_P_{intersect}=\{P_1,P_2,\dots,P_n\}$ and any $P_i\in S\_P_{intersect}$, $i\in\{1,2,\dots,n\}$, the set of links that the path contains can be obtained, i.e. $P_i=\{L_{i1},L_{i2},\dots,L_{in}\}$. For $S\_E_{intersect}=\{L_1,L_2,\dots,L_n\}$ and any $L_i\in S\_E_{intersect}$, $i\in\{1,2,\dots,n\}$, the set of paths that the link can monitor can be obtained, $S\_P(L_i)=\{P_1',P_2',\dots,P_m'\}$.
Solve for the minimum monitoring link set $S\_E_{min}=\{L_1'',L_2'',\dots,L_n''\}$ such that
Figure BDA0002410378220000059
and $L_i\in P_i$.
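The selection procedure of step 3, as an added Python example that is not part of the patent text. The topology, link costs and router names are constructed, and because the defining formulas survive only as figure references, it assumes that an exclusive path is one whose links lie on no other path; the shared part is solved with the greedy set cover approximation mentioned earlier in the description.

```python
import heapq
from itertools import combinations

# Constructed sample autonomous domain (not from the patent): link -> cost.
# E* are edge routers, C* are core routers.
LINKS = {("E1", "C1"): 1, ("E2", "C1"): 1, ("E5", "C1"): 1, ("C1", "C2"): 1,
         ("C2", "E3"): 1, ("C2", "E4"): 1, ("C2", "E6"): 1, ("E5", "E6"): 2}
EDGE_ROUTERS = ["E1", "E2", "E3", "E4", "E5", "E6"]


def link_id(a, b):
    """Undirected link identifier, independent of direction."""
    return tuple(sorted((a, b)))


def shortest_path_links(links, src, dst):
    """Dijkstra from src to dst; returns the path as a frozenset of link ids."""
    adj = {}
    for (a, b), cost in links.items():
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:
            continue  # stale heap entry
        for v, cost in adj.get(u, []):
            if d + cost < dist.get(v, float("inf")):
                dist[v], prev[v] = d + cost, u
                heapq.heappush(heap, (d + cost, v))
    if dst not in dist:
        return None  # no route between the two edge routers
    path, node = set(), dst
    while node != src:
        path.add(link_id(node, prev[node]))
        node = prev[node]
    return frozenset(path)


def all_edge_paths(links, edge_routers):
    """omega: the shortest path (as a link set) for every edge-router pair i < j."""
    omega = {}
    for a, b in combinations(edge_routers, 2):
        path = shortest_path_links(links, a, b)
        if path:
            omega[(a, b)] = path
    return omega


def classify(omega):
    """Split omega into exclusive/shared paths and exclusive/shared links."""
    usage = {}  # link -> names of the paths that traverse it, i.e. S_P(L)
    for name, path in omega.items():
        for link in path:
            usage.setdefault(link, set()).add(name)
    # Assumption: a path is exclusive when none of its links is on another path.
    p_single = {n for n, p in omega.items() if all(len(usage[l]) == 1 for l in p)}
    e_single = {l for n in p_single for l in omega[n]}
    p_intersect = set(omega) - p_single
    e_intersect = set(usage) - e_single  # links on no path at all are ignored
    return p_single, e_single, p_intersect, e_intersect, usage


def select_monitoring_links(omega):
    """Build S_E_min: one link per exclusive path, then greedy set cover."""
    p_single, _, p_intersect, e_intersect, usage = classify(omega)
    s_e_min = [min(omega[name]) for name in sorted(p_single)]
    uncovered = set(p_intersect)
    candidates = sorted(e_intersect)  # sorted so that ties break deterministically
    while uncovered:
        best = max(candidates, key=lambda l: len(usage[l] & uncovered))
        s_e_min.append(best)
        uncovered -= usage[best]
    return s_e_min


if __name__ == "__main__":
    omega = all_edge_paths(LINKS, EDGE_ROUTERS)
    print("monitoring links:", select_monitoring_links(omega))
```

On this sample the greedy pass returns six links although five (C1-E1, C1-E2, C2-E3, C2-E4, E5-E6) already cover every path, which matches the description's remark that the greedy result is approximate rather than optimal.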
Static traffic: in the relationship between monitoring links and paths, in a one-to-one relationship a path P can only be monitored by a unique monitoring link L, so all traffic on P must be monitored by L. In a one-to-many relationship, all paths in the path set $\{P_1,P_2,\dots,P_n\}$ can only be monitored by a unique link L, so all traffic on the paths in the set must be monitored by L. Traffic that must be monitored in this way is called necessary monitored traffic; the concept is defined with respect to a given monitoring link.
Adjustable traffic: in many-to-one and many-to-many relationships between monitoring links and paths, a path has several monitoring links, so the traffic passing through the path does not have to be monitored by any particular one of them; whether a given link monitors it, and how much of it, can be adjusted. This is called adjustable traffic.
Optimization scheme: all monitoring devices must monitor their static traffic; dynamic traffic is allocated among the links for monitoring in a dynamically balanced manner.
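The split into static and adjustable traffic and one possible balanced allocation, as an added Python example that is not part of the patent text. The coverage map and traffic volumes are constructed, and the heuristic (largest adjustable path first, assigned to the least-loaded covering link) is an assumption; the patent only states that the allocation is dynamically balanced.

```python
# Constructed sample data (not from the patent).
# Monitoring link -> paths that traverse it.
COVERAGE = {
    "L1": {"P1", "P2", "P3"},
    "L2": {"P3", "P4", "P5"},
    "L3": {"P5", "P6"},
}
# Path -> current traffic volume in Mbit/s.
TRAFFIC = {"P1": 40, "P2": 10, "P3": 30, "P4": 20, "P5": 25, "P6": 5}


def split_traffic(coverage):
    """Separate paths into static (one monitoring link) and adjustable (several)."""
    monitors_of = {}
    for link, paths in coverage.items():
        for path in paths:
            monitors_of.setdefault(path, set()).add(link)
    static = {link: set() for link in coverage}
    adjustable = {}
    for path, links in monitors_of.items():
        if len(links) == 1:
            static[next(iter(links))].add(path)  # must be monitored by this link
        else:
            adjustable[path] = links             # any of these links may take it
    return static, adjustable


def balance(coverage, traffic):
    """Assign every path to one monitoring link and return (assignment, load)."""
    static, adjustable = split_traffic(coverage)
    # Static traffic is fixed: it defines the baseline load of each device.
    load = {link: sum(traffic[p] for p in paths) for link, paths in static.items()}
    assignment = {p: link for link, paths in static.items() for p in paths}
    # Assumed heuristic: place the largest adjustable paths first, each on the
    # covering link that currently carries the least load.
    for path in sorted(adjustable, key=lambda p: (-traffic[p], p)):
        link = min(sorted(adjustable[path]), key=lambda l: load[l])
        assignment[path] = link
        load[link] += traffic[path]
    return assignment, load


if __name__ == "__main__":
    assignment, load = balance(COVERAGE, TRAFFIC)
    print(assignment)
    print(load)
```

Re-running `balance` with fresh traffic counters moves only the adjustable paths; the static paths stay pinned to their single monitoring link.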
4. Deploy tracing devices on all nodes.
5. A monitoring link finds abnormal bandwidth, and the tracing process is started.
As shown in fig. 3, a monitoring link finds abnormal bandwidth and the tracing process is started. The monitoring device finds continuous abnormal traffic and constructs a reverse traffic tree with the monitoring point as the tree root and the routers as nodes. According to the traffic tree, it finds node 1, the previous node of the abnormal traffic, and that node starts tracing: it detects the continuous abnormal traffic, identifies node 2, the previous node of the traffic, and sends it a tracing request. Node 2 repeats the operation of node 1, and so on until the real source edge router is reached, so that the area where the anonymous traffic originates can be determined.
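The step-by-step tracing over the reverse traffic tree, as an added Python example that is not part of the patent text. Router names, next hops, rate samples, the threshold and the subnets (documentation address ranges) are constructed, and the persistence test (every sample at or above the threshold) is an assumption. It also shows the limitation named in the background: if the attack stops, the trace stalls at the last router that still saw it.

```python
# Constructed sample data (not from the patent).
# Router -> next hop for the traffic that crosses the monitoring point at C2.
NEXT_HOP = {"C1": "C2", "E1": "C1", "E2": "C1", "E5": "C1",
            "E4": "C2", "E6": "C2", "E3": "E3-LAN"}  # E3 forwards away from C2
# What each router's tracing device reports once activated:
# previous hop -> rate samples (Mbit/s) of the suspicious traffic.
OBSERVED = {
    "C2": {"C1": [900, 910, 905], "E4": [8, 6, 9], "E6": [5, 5, 4]},
    "C1": {"E1": [20, 400, 15], "E2": [860, 880, 870], "E5": [10, 12, 9]},
}
# Same situation, but the attack ended before C1's tracing device was activated.
STOPPED = dict(OBSERVED, C1={"E1": [20, 15, 10], "E2": [870, 0, 0], "E5": [10, 12, 9]})
SUBNETS = {"E1": ["192.0.2.0/24"], "E2": ["198.51.100.0/24"], "E5": ["203.0.113.0/24"]}


def build_reverse_tree(next_hop, root):
    """Invert the forwarding relation: parent -> routers that send traffic to it."""
    children = {}
    for node, parent in next_hop.items():
        cur, seen = node, set()
        # Follow the forwarding chain; keep the node only if it reaches the root.
        while cur != root and cur in next_hop and cur not in seen:
            seen.add(cur)
            cur = next_hop[cur]
        if cur == root and node != root:
            children.setdefault(parent, []).append(node)
    return children


def persistent(samples, threshold):
    """Continuous abnormal traffic: every sample is at or above the threshold."""
    return bool(samples) and all(s >= threshold for s in samples)


def trace(children, root, observed, threshold):
    """Activate tracing devices step by step from the root toward the leaves."""
    sources, stalled, activated = [], [], []
    stack = [root]
    while stack:
        node = stack.pop()
        if node not in children:      # leaf of the tree: a source edge router
            sources.append(node)
            continue
        activated.append(node)        # only routers on the trail are activated
        rates = observed.get(node, {})
        upstream = [c for c in children[node]
                    if persistent(rates.get(c, []), threshold)]
        if not upstream:
            stalled.append(node)      # traffic no longer continuous: trail ends
        stack.extend(sorted(upstream, reverse=True))
    return sources, stalled, activated


def source_ranges(sources, subnets):
    """Address range in which the anonymous traffic originates."""
    return {router: subnets.get(router, []) for router in sources}


if __name__ == "__main__":
    tree = build_reverse_tree(NEXT_HOP, "C2")
    found, stalled, activated = trace(tree, "C2", OBSERVED, 100)
    print(source_ranges(found, SUBNETS), stalled, activated)
```

The one-sample burst reported for E1 is not followed because it is not continuous, and only the routers on the trail (C2, C1) have their tracing devices activated.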
In the IP address tracing method for anonymous attack traffic of the backbone network provided by the embodiment of the invention, traffic monitoring is handled by bypass monitoring devices and does not affect network overhead; the tracing process is completed by the monitoring devices and the routers working together, and a router needs to pay only a small overhead to complete tracing. The real address range of anonymous attack traffic can therefore be located, and the method is simple and easy to implement.
Next, an IP address tracing apparatus for anonymous attack traffic of a backbone network according to an embodiment of the present invention is described with reference to the drawings.
Fig. 4 is a schematic structural diagram of an IP address tracing apparatus for anonymous attack traffic of a backbone network according to an embodiment of the present invention.
As shown in fig. 4, the IP address tracing apparatus 10 for anonymous attack traffic of the backbone network includes: an acquisition module 100, a deployment module 200, and a build module 300.
The acquiring module 100 is configured to acquire network topology information of an autonomous domain, and select a minimum link set to monitor all traffic in the autonomous domain through a link; the deployment module 200 is used to deploy monitoring devices on the link and to minimize the load on each monitoring device; the construction module 300 is configured to construct a reverse traffic tree by using any monitoring device as a tree root when any monitoring device finds abnormal traffic, where in the traffic tree, traffic flows from leaves to the tree root, where traffic of all paths monitoring links is excluded, tracing devices of the router are started step by step, and a continuous traffic source is searched step by step to obtain a search result. The device 10 of the embodiment of the invention can complete the real address range positioning of the anonymous attack traffic, and is simple and easy to realize.
Further, in one embodiment of the present invention, the apparatus 10 of the embodiment of the present invention further comprises a classification module. The classification module is used for classifying links and paths in the topology after the network topology information of the autonomous domain is acquired.
Further, in one embodiment of the invention, the paths include an exclusive path, a shared path, and the links include an exclusive link and a shared link.
Further, in an embodiment of the present invention, selecting the smallest link set includes:
computing the exclusive path set $S\_P_{single}=\{P_1,P_2,\dots,P_s\}$, $S\_P_{single}\in\omega$, and computing the exclusive link set $S\_E_{single}=\{L_1,L_2,\dots,L_n\}$, wherein
Figure BDA0002410378220000061
$L_i\in P_j$
Figure BDA0002410378220000062
then the shared path set is $S\_P_{intersect}=\omega-S\_P_{single}$ and the shared link set is $S\_E_{intersect}=\varepsilon-S\_E_{single}$;
$S\_E_{min}$ is initialized to empty; for each $P'\in S\_P_{single}$, a link $L'\in P'$ is added to $S\_E_{min}$ and $P'$ is removed from $S\_P_{single}$, until $S\_P_{single}$ is empty;
for $S\_P_{intersect}=\{P_1,P_2,\dots,P_n\}$ and any $P_i\in S\_P_{intersect}$, $i\in\{1,2,\dots,n\}$, obtaining the set of links contained in the path, i.e. $P_i=\{L_{i1},L_{i2},\dots,L_{in}\}$; for $S\_E_{intersect}=\{L_1,L_2,\dots,L_n\}$ and any $L_i\in S\_E_{intersect}$, $i\in\{1,2,\dots,n\}$, obtaining the set of paths that the link can monitor, $S\_P(L_i)=\{P_1',P_2',\dots,P_m'\}$;
finding the minimum link set $S\_E_{min}=\{L_1'',L_2'',\dots,L_n''\}$ such that
Figure BDA0002410378220000071
and $L_i\in P_i$.
Further, in one embodiment of the invention, all monitoring devices monitor static traffic and monitor static traffic by link allocation in a dynamically balanced manner.
It should be noted that the explanation of the foregoing embodiment of the IP address tracing method for the backbone anonymous attack traffic is also applicable to the IP address tracing apparatus for the backbone anonymous attack traffic of this embodiment, and details are not described here.
In the IP address tracing device for anonymous attack traffic of the backbone network provided by the embodiment of the invention, traffic monitoring is handled by bypass monitoring devices and does not affect network overhead; the tracing process is completed by the monitoring devices and the routers working together, and a router needs to pay only a small overhead to complete tracing. The real address range of anonymous attack traffic can therefore be located, and the device is simple and easy to implement.
Furthermore, the terms "first", "second" and "first" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.

Claims (8)

1. An IP address tracing method for backbone network anonymous attack flow is characterized by comprising the following steps:
acquiring network topology information of an autonomous domain, and selecting a minimum link set to monitor all traffic in the autonomous domain through links, wherein the selecting the minimum link set comprises:
computing the exclusive path set $S\_P_{single}=\{P_1,P_2,\dots,P_s\}$, $S\_P_{single}\in\omega$, and computing the exclusive link set $S\_E_{single}=\{L_1,L_2,\dots,L_n\}$, wherein
Figure FDA0003478426350000011
$L_i\in P_j$
Figure FDA0003478426350000012
then the shared path set is $S\_P_{intersect}=\omega-S\_P_{single}$ and the shared link set is $S\_E_{intersect}=\varepsilon-S\_E_{single}$; $S\_E_{min}$ is initialized to empty, and for each $P'\in S\_P_{single}$, a link $L'\in P'$ is added to $S\_E_{min}$ and $P'$ is removed from $S\_P_{single}$, until $S\_P_{single}$ is empty; for $S\_P_{intersect}=\{P_1,P_2,\dots,P_n\}$ and any $P_i\in S\_P_{intersect}$, $i\in\{1,2,\dots,n\}$, obtaining the set of links contained in the path, i.e. $P_i=\{L_{i1},L_{i2},\dots,L_{in}\}$; for $S\_E_{intersect}=\{L_1,L_2,\dots,L_n\}$ and any $L_i\in S\_E_{intersect}$, $i\in\{1,2,\dots,n\}$, obtaining the set of paths that the link can monitor, $S\_P(L_i)=\{P_1',P_2',\dots,P_m'\}$, where $\omega$ denotes the set of shortest paths connecting two different edge routers, $P_{i-j}$ denotes the path from $R_i$ to $R_j$, $P_{i-j}\in\omega$, $i<j$, a path may be denoted as $P_i$ regardless of the particular edge routers, $P_i\in\omega$, $i\in\{1,2,\dots,n\}$, $L_i$ is a link of $P_{i-j}$, P is a path, and P' is a parallel path;
deploying monitoring devices on the link and reducing the load of each monitoring device to the minimum;
when any monitoring device finds abnormal flow, the monitoring device is taken as a tree root, a reverse flow tree is constructed, flow in the flow tree flows to the tree root from leaves, wherein the flow of all paths monitoring links is eliminated, the tracing device of the router is started step by step, and the continuous flow source is searched step by step to obtain a search result.
2. The method of claim 1, further comprising, after obtaining network topology information of the autonomous domain:
the links and paths in the topology are classified.
3. The method of claim 2, wherein the path comprises an exclusive path, a shared path, and wherein the link comprises an exclusive link and a shared link.
4. The method of claim 1, wherein all monitoring devices monitor static traffic and the static traffic is monitored by link assignments in a dynamically balanced manner.
5. An IP address tracing device for backbone network anonymous attack flow is characterized by comprising:
an obtaining module, configured to obtain network topology information of an autonomous domain, and select a minimum link set to monitor all traffic in the autonomous domain through a link, where the selecting the minimum link set includes:
computing the exclusive path set $S\_P_{single}=\{P_1,P_2,\dots,P_s\}$, $S\_P_{single}\in\omega$, and computing the exclusive link set $S\_E_{single}=\{L_1,L_2,\dots,L_n\}$, wherein
Figure FDA0003478426350000013
$L_i\in P_j$
Figure FDA0003478426350000014
then the shared path set is $S\_P_{intersect}=\omega-S\_P_{single}$ and the shared link set is $S\_E_{intersect}=\varepsilon-S\_E_{single}$; $S\_E_{min}$ is initialized to empty, and for each $P'\in S\_P_{single}$, a link $L'\in P'$ is added to $S\_E_{min}$ and $P'$ is removed from $S\_P_{single}$, until $S\_P_{single}$ is empty; for $S\_P_{intersect}=\{P_1,P_2,\dots,P_n\}$ and any $P_i\in S\_P_{intersect}$, $i\in\{1,2,\dots,n\}$, obtaining the set of links contained in the path, i.e. $P_i=\{L_{i1},L_{i2},\dots,L_{in}\}$; for $S\_E_{intersect}=\{L_1,L_2,\dots,L_n\}$ and any $L_i\in S\_E_{intersect}$, $i\in\{1,2,\dots,n\}$, obtaining the set of paths that the link can monitor, $S\_P(L_i)=\{P_1',P_2',\dots,P_m'\}$; finding the minimum link set $S\_E_{min}=\{L_1'',L_2'',\dots,L_n''\}$ such that
Figure FDA0003478426350000021
and $L_i\in P_i$, $P_{i-j}\in\omega$, $i<j$, a path may be denoted as $P_i$ regardless of the particular edge routers, $P_i\in\omega$, $i\in\{1,2,\dots,n\}$, $L_i$ is a link of $P_{i-j}$, P is a path, and P' is a parallel path;
the deployment module is used for deploying the monitoring equipment on the link and reducing the load of each monitoring equipment to the minimum;
and the construction module is used for, when any monitoring device finds abnormal flow, taking that monitoring device as the tree root and constructing a reverse flow tree, in which flow runs from the leaves to the tree root, wherein the flow of all paths for monitoring links is eliminated, the tracing device of the router is started step by step, and the continuous flow source is searched for step by step to obtain a search result.
6. The apparatus of claim 5, further comprising:
and the classification module is used for classifying links and paths in the topology after the network topology information of the autonomous domain is acquired.
7. The apparatus of claim 6, wherein the path comprises an exclusive path and a shared path, and wherein the link comprises an exclusive link and a shared link.
8. The apparatus of claim 5, wherein all monitoring devices monitor static traffic and the static traffic is monitored by link allocation in a dynamically balanced manner.
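An added example, not part of the patent text: the minimum link set selection recited in claim 5, in Python, on a constructed five-path topology. It assumes that an exclusive path is one sharing no link with any other path and that the selected set must place at least one link on every path, because the formulas defining both survive here only as figure placeholders; the path and link names and all function names are hypothetical, parallel paths P' are not modelled, and the shared part is solved by exhaustive search.

```python
from itertools import combinations

# Constructed sample: each path through the autonomous domain as a set of link ids.
PATHS = {
    "P1": {"L1", "L2"},
    "P2": {"L2", "L3"},
    "P3": {"L3", "L4"},
    "P4": {"L5", "L6"},   # shares no link with any other path
    "P5": {"L2", "L7"},
}

def classify(paths):
    """Return (exclusive, shared) path dicts under the assumed definition."""
    exclusive, shared = {}, {}
    for name, links in paths.items():
        if not links:
            raise ValueError(f"path {name} has no links and cannot be monitored")
        others = set().union(*(l for n, l in paths.items() if n != name))
        (shared if links & others else exclusive)[name] = links
    return exclusive, shared

def min_monitor_links(paths):
    """Smallest link set such that every path crosses at least one chosen link."""
    exclusive, shared = classify(paths)
    # An exclusive path needs exactly one monitor; any of its links will do.
    chosen = {min(links) for links in exclusive.values()}
    shared_links = sorted(set().union(*shared.values()))
    # S_P(L): the shared paths that a monitor on link L would observe.
    sees = {l: {n for n, ls in shared.items() if l in ls} for l in shared_links}
    # Exhaustive search by increasing size gives a true minimum (exponential cost).
    for k in range(1, len(shared_links) + 1):
        for combo in combinations(shared_links, k):
            if set().union(*(sees[l] for l in combo)) == set(shared):
                return chosen | set(combo)
    return chosen

def unmonitored(paths, links):
    """Paths that cross none of the given links (empty when coverage is complete)."""
    return {n for n, ls in paths.items() if not ls & links}

if __name__ == "__main__":
    s_e_min = min_monitor_links(PATHS)
    print(sorted(s_e_min), unmonitored(PATHS, s_e_min))
```

On a real backbone the exhaustive search would be replaced by a set-cover heuristic, which trades the guaranteed minimum for tractable running time.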
CN202010174652.2A 2020-03-13 2020-03-13 IP address tracing method and device for anonymous attack traffic of backbone network Active CN111416806B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010174652.2A CN111416806B (en) 2020-03-13 2020-03-13 IP address tracing method and device for anonymous attack traffic of backbone network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010174652.2A CN111416806B (en) 2020-03-13 2020-03-13 IP address tracing method and device for anonymous attack traffic of backbone network

Publications (2)

Publication Number Publication Date
CN111416806A CN111416806A (en) 2020-07-14
CN111416806B true CN111416806B (en) 2022-05-10

Family

ID=71494428

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010174652.2A Active CN111416806B (en) 2020-03-13 2020-03-13 IP address tracing method and device for anonymous attack traffic of backbone network

Country Status (1)

Country Link
CN (1) CN111416806B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112737865B (en) * 2021-01-18 2022-05-03 清华大学 Internet of things equipment flow modeling and detecting method and device based on automaton
CN114143112B (en) * 2021-12-08 2024-03-29 赛尔网络有限公司 Malicious attack mail analysis method, device, equipment and medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105337951A (en) * 2014-08-15 2016-02-17 中国电信股份有限公司 Method and device carrying out path backtracking for system attack
CN105915505A (en) * 2016-03-31 2016-08-31 中国科学院信息工程研究所 Anonymous network user traceablility method based on TCP/IP side channel
CN106506274A (en) * 2016-11-08 2017-03-15 东北大学秦皇岛分校 A kind of efficient single bag source tracing method of dynamic extending
CN108494769A (en) * 2018-03-21 2018-09-04 广州大学 The source tracing method of service is hidden in a kind of Tor Anonymizing networks
CN109120602A (en) * 2018-07-25 2019-01-01 中国人民公安大学 A kind of IPv6 attack source tracing method
CN110290234A (en) * 2019-07-16 2019-09-27 广东热点软件技术服务有限公司 Method, apparatus, system, equipment and the storage medium that node address is traced to the source

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8068414B2 (en) * 2004-08-09 2011-11-29 Cisco Technology, Inc. Arrangement for tracking IP address usage based on authenticated link identifier

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
A network attack traffic diversion and blocking method based on topology analysis; 宋宇波 et al.; 《信息网络安全》; 20200310 (No. 03); full text *

Also Published As

Publication number Publication date
CN111416806A (en) 2020-07-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant