CN1145318C - A Realization Method of Internet Service Provider's Security Protection - Google Patents

A Realization Method of Internet Service Provider's Security Protection

Info

Publication number: CN1145318C
Authority: CN (China)
Prior art keywords: data flow, configuration information, message, address, isp
Legal status: Expired - Fee Related
Application number: CNB011188685A
Other languages: Chinese (zh)
Other versions: CN1394041A (en)
Inventor: 薛国锋
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd

Events
Application filed by Huawei Technologies Co Ltd
Priority to CNB011188685A
Publication of CN1394041A
Application granted
Publication of CN1145318C
Anticipated expiration
Current legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for implementing security protection of an Internet service provider (ISP). In the method, the ISP manager (ISPKeeper) on the ISP egress router monitors and processes in real time the data flows entering the ISP local area network from outside, automatically identifies and records each data flow, and determines from the configuration information whether the traffic of the current data flow and the total traffic of all data flows are normal; if normal, the received packet is forwarded to the corresponding network device, otherwise the current packet is discarded. Using this method can effectively resist traffic attacks carried out against an ISP by hackers, and can improve the reliability of the ISP's service.

Description

Method for implementing ISP security protection
Technical field
The present invention relates to security protection technology for an ISP, and in particular to a method of ISP security protection that monitors and processes in real time, on the egress router, the data flows entering the destination network, and can effectively resist the traffic attacks an ISP suffers.
Background technology
With the rapid development and spread of the Internet, the number of network users keeps growing, and Internet service providers (ISPs) have emerged accordingly. The typical networking structure of an ISP is shown in Figure 1: the ISP LAN generally consists of a switch, an access server and Web servers, with the switch connected upstream to the ISP egress router. The ISP egress router aggregates the service flows of the access server and of each leased-line subscriber, and connects to the backbone IP network through an ATM, POS or GE interface.
The main service flows in an ISP network are: dial-up users accessing the local Web server; dial-up users accessing external networks; leased-line subscribers accessing the local Web server; and external users accessing the local Web server. Mixed in with this Web server access traffic are hacker attacks on the ISP site: attackers use various means to attack the ISP's website, damaging or even crashing the ISP's systems so that they can no longer provide service to users.
Judging from the operating experience of ISPs worldwide, the most frequent form of hacker attack an ISP suffers is the traffic attack. The method of a traffic attack is very simple: many devices around the world, acting in an organized way, simultaneously send disturbing packets to a target machine (the IP address of some dial-up user), generating a huge volume of data that makes the ISP LAN busy and prevents the access server from working; the mode employed is the distributed attack. The main means by which some domestic ISPs are currently attacked is exactly this traffic attack: the attacker uses multiple devices to PING large packets at a particular dial-up IP address, making the ISP LAN busy, disrupting the normal operation of the access server and making access for normal dial-up users extremely slow.
Of course, besides the above traffic attack, an ISP may also suffer other forms of attack, such as DoS, packet eavesdropping, TCP/IP address spoofing, source-routing attacks and application-layer attacks.
Against the above attack modes, the most commonly used security measures at present are firewall, address translation and traffic control (CAR) technologies on the ISP egress router. Attack modes such as packet eavesdropping, TCP/IP address spoofing, source-routing attacks and application-layer attacks can be controlled effectively by existing technologies such as firewalls, address translation, authentication and data encryption. But against the main attack mode, the traffic attack, these security technologies all have problems of varying degrees in practice, because of the distributed and random characteristics of both the ISP's business model and the attack:
1) A firewall applies an access control list (ACL) on an interface to filter packets. It can solve the access control problem, but it has no traffic-control capability.
2) Address translation means that before a packet is sent to the external network, the egress router first translates the user's private network address, i.e. the packet's (source address - private network, source port) is converted to (source address - public network, new source port), and the router keeps this mapping; when a packet returns, the translation is reversed. Because the dynamic mapping table kept by the router may be very large, a HASH lookup is generally used.
This method mainly solves the problems of hiding internal network information and of IP address shortage. However, in some applications such as FTP, SNMP and SMTP, address information is also carried in the packet content, so changing only the packet's source address is useless; the address information in the application layer of the packet must be changed as well. This is easy for some standard protocols but cannot be done for some proprietary protocols, so the service types it supports are limited. Moreover, this method cannot implement traffic control either.
3) Traffic control: CAR can implement traffic control on specific service flows, but its configuration is complicated, its efficiency is low and its scalability is poor; considering the dynamic allocation of dial-up users' IP addresses, it is very difficult to use in practice.
Summary of the invention
In view of this, the main object of the present invention is to provide a method for implementing ISP security protection that can more effectively resist the traffic attacks an ISP is subjected to, and that is simple, convenient, flexible and reliable to implement.
To achieve the above object, the technical solution of the present invention is specifically realized as follows:
A method for implementing security protection of an Internet service provider (ISP), the method comprising at least the following steps:
a. When the ISP manager (ISPKeeper) in the ISP egress router is about to forward a currently received packet to the destination network, it first determines by a HASH algorithm whether the data flow to which the packet belongs is an existing record in ISPKeeper; if so, go to step c; otherwise, go to step b;
b. If the packet to be forwarded belongs to a new data flow, match the configuration information of the data flow to which the packet belongs and determine whether the match succeeds. If it succeeds, store and record the configuration information of this data flow obtained by the match. If it does not succeed, look up whether a default value is defined in the configuration information; if so, store and record the default configuration information and go to step c; if no default value is defined, ISPKeeper forwards the currently received packet directly to the corresponding destination network device;
c. Detect whether the traffic of the current data flow satisfies the user-configured parameters; if not, discard the currently received packet. If the traffic meets the requirement, continue to detect the total data traffic and determine whether it is within the total configured parameters; if not, discard the packet; otherwise, if it is normal, ISPKeeper forwards the current packet to the corresponding destination network device.
The destination network in step a is the ISP LAN, a metropolitan area network (MAN) or a wide area network. The user-configured parameters in step c include at least the transmission bandwidth or average rate, and the burst length, of an individual data flow. The total configured parameters in step c include at least the total average rate and the total burst length of the data flows. The data flow is a data flow from outside accessing a network device in the destination network, or a data flow returned to a dial-up user going online.
Matching the configuration information of the data flow in step a further comprises the following steps: first find the corresponding IP address range definition in the configuration information according to the destination IP address of the data flow to which the packet belongs, then find the configuration information of that address range according to the address range definition, and store and record this configuration information in the corresponding position of the data flow configuration information array.
The method further comprises the following step: when initializing the egress router, set up in advance an array for storing data flow configuration information. The array is large enough to hold all data flows in the IP address range to be identified, and each element of the array corresponds one-to-one with a destination IP address.
The method further comprises the following step: when initializing the egress router, preset the configuration information of the data flows. The configuration information includes at least the starting IP address, ending IP address and interface configuration mode of the data flows; the transmission bandwidth or average rate, and burst length, of each data flow; and the total average traffic and total burst length of all data flows.
The HASH algorithm in step a refers to locating each packet of a data flow to the corresponding element of the data flow configuration information array according to the lower 16 bits of the packet's destination IP address. When a received data flow packet is located by the HASH algorithm to its corresponding element position and that position already holds data flow configuration information, a data linked list is established at that position, storing the corresponding data flow configuration information in order of the upper 16 bits of the destination IP address.
As can be seen from the above implementation, the present invention effectively combines and improves upon the implementation ideas of three technologies, firewall, address translation and traffic control: the HASH lookup idea from address translation, the traffic control idea from CAR, and the packet matching idea from the firewall. The result is called the ISP manager (ISPKeeper). Its key points are: ISPKeeper sits on the egress router and analyzes and monitors in real time the data flows entering the destination network; ISPKeeper automatically identifies and records each data flow by the HASH algorithm, and detects according to the predefined configuration information whether the traffic of each data flow and of all data flows together is normal; if abnormal, the packet is dropped, and if normal, it is sent to the corresponding Web server or other network device. When a received packet belongs to a new data flow, the packet is first matched and the configuration information of the data flow recorded, and then processed; the other packets of that data flow do not need to be matched again.
Thus the method for implementing ISP security protection provided by the present invention combines the three technologies of firewall, address translation and traffic control, can more effectively prevent hacker attacks, and realizes the security protection of the ISP. Table 1 gives a comprehensive comparison of the method of the present invention with the three currently common security protection methods; it can be seen that the present invention has stronger protective capability and a simpler, more flexible identification method.
Table 1. Comparison of several security protection methods (ISPKeeper, firewall, address translation, CAR)

Resisting traffic attacks on the ISP
  • ISPKeeper: automatically identifies and records each data flow and implements traffic control per data flow on that basis, so it resists traffic attacks well.
  • Firewall: specialized for solving access control by filtering packets with ACLs on the interface; has no traffic control capability, so it cannot resist traffic attacks.
  • Address translation: specialized for solving information hiding and IP address shortage; has no traffic control capability, so it cannot resist traffic attacks.
  • CAR: can implement traffic control on specific service flows (described with ACLs), but in reality both the source and destination addresses of attack packets change dynamically, so CAR is essentially unusable in practice and cannot resist traffic attacks.
Configuration complexity
  • ISPKeeper: very simple.
  • Firewall: complex; ACLs must be configured, and an access-group command must also be configured on the interface.
  • Address translation: simple.
  • CAR: very complex; ACLs and RLACLs must be configured, and a complicated rate-limit command must also be configured on the interface.
Efficiency and scalability
  • ISPKeeper: uses HASH technology; high efficiency.
  • Firewall: uses traffic classification; low efficiency and poor scalability.
  • Address translation: uses HASH technology; high efficiency.
  • CAR: uses traffic classification; low efficiency and poor scalability.
Number of supported data flows
  • ISPKeeper: 250,000.
  • Firewall: generally tens; otherwise performance is severely affected.
  • Address translation: 250,000.
  • CAR: generally tens; otherwise performance is severely affected.
Statistical information
  • ISPKeeper: abundant; per-flow information can be obtained.
  • Firewall: limited.
  • Address translation: abundant; per-flow information can be obtained.
  • CAR: limited.
Alarm on hacker attack
  • ISPKeeper: produces Syslog after an abnormal data flow is found.
  • Firewall: produces Syslog for denied packets.
  • Address translation: none.
  • CAR: none.
Supported routers
  • ISPKeeper: Huawei NE series routers.
  • Firewall: Huawei NE series routers, Cisco 75 series routers, etc.
  • Address translation: Huawei NE series routers, Cisco 75 series routers, etc.
  • CAR: Huawei NE series routers, Cisco 75 series routers, etc.
Description of drawings
Fig. 1 is a schematic diagram of the typical networking structure of an ISP;
Fig. 2 is a schematic diagram of the typical attack forms an ISP is subject to;
Fig. 3 is an analysis diagram of the service flows entering the ISP LAN;
Fig. 4 is a flow chart of the implementation of the method of the invention;
Fig. 5 is a schematic diagram of the networking structure of one embodiment of the invention;
Fig. 6 is a schematic diagram of the networking structure of another embodiment of the invention.
Detailed description of the embodiments
The present invention is described in more detail below with reference to the drawings and specific embodiments.
The key to preventing hackers from attacking an ISP is to monitor in real time, and promptly handle, the source and traffic of the data flows entering the ISP, eliminating abnormal data by effective means so as to guarantee the access needs of normal users. As shown in Figure 2, the service flows entering the ISP LAN fall broadly into two classes:
1) Data flows returned to users going online. These flows are distinguished by destination IP address; each flow occupies a certain bandwidth (for example, the average rate of an Internet user is at most 128K), and the number of flows is controlled and configurable;
2) Data flows accessing the Web server. The destination IP address of these flows belongs to a specific address range, such as 10.110.1.0/0.0.0.255; they are distinguished by the IP five-tuple (source address, destination address, protocol type, source port, destination port); the total bandwidth these flows occupy is controlled and configurable, and the number of flows is controlled and configurable.
"Controlled and configurable" above means that a reasonable range can be set in advance through configuration parameters, i.e. a threshold is set, and anything exceeding that value is considered unreasonable and should be dropped. For example, for the data flows returned to PSTN or ISDN users going online, the average traffic should be 128 kbps, so if the traffic exceeds 128 kbps it is considered unreasonable and should be dropped. This can be implemented with the following statement:
Ispkeeper-group 10 single 128,000 16000
This command ensures that the average traffic and burst length of each data flow are fixed values, i.e. the average traffic of each individual data flow is at most 128 Kbps and the burst length is at most 16 Kbyte. The specific configuration of the method in practical use depends mainly on the traffic model chosen by the ISP; the parameter values themselves are not restricted in any way.
In order for the present invention to judge and process received data flows, the reasonable ranges of parameters such as the bandwidth or average rate and burst length of each data flow, and the average traffic and burst length of all data flows together, must first be configured in advance on the egress router.
For example: set that, for data flows entering the ISP LAN from outside with destination IP address 10.110.1.*, i.e. the data flows of external access to Web servers, FTP servers and so on, the bandwidth or average rate they occupy on the ISP LAN is at most 5M, the burst data volume is 800K bytes, and the total number of flows is 1000. At the same time set that the other data flows entering the ISP LAN from outside, i.e. the data flows returned to users going online, may each occupy at most 128K of LAN bandwidth (average rate) with a burst data volume of 8K bytes, and that the total number of flows is 20000. The above configuration can be implemented with the following statements:
interface eth 1/0/0
ispkeeper 10.110.1.0 0.0.0.255 5000000 800000 1000
ispkeeper default 131012 8000 20000
Secondly, also generate in advance on the egress router a data flow configuration information array large enough to hold the flow information for all IP address ranges to be identified; each element of the array corresponds one-to-one with an IP address and stores the configuration information of the data flows to that destination IP address. For example, to identify and record every data flow whose destination address lies in the range 10.110.0.0~10.110.255.255, first generate an array of 65536 elements, each element corresponding to one IP address. After a packet is received, locate the corresponding element of the data flow configuration information array directly by the lower 16 bits of the packet's destination address, and record the relevant information of the data flow there. In actual operation, for each received data flow, use the HASH algorithm to look up whether a record exists in the array; if so, locate it directly and read its information; if not, first locate the position by the packet's destination IP address, then match and record the configuration information. If the position the packet is located to already holds the record of another data flow, a data linked list is established at that position, recording the configuration information of each data flow in order of the upper 16 bits of the destination IP address. Subsequent packets of a data flow need not be matched again, unlike the firewall approach, which must match every packet. This is very easy and highly efficient.
The basic idea of the method is: for an address range formed by a given start address and end address, configure the total average rate and total burst length of all data flows to all addresses in the range, and the average rate and burst length of individual data flows to a single IP address in the range, and use the token bucket algorithm to control the traffic. The token bucket algorithm here means: set up a leaky bucket with a given outflow rate (the configured average rate of the data flow) and a given bucket length (the burst length). When data arrives at some moment, if the data length is greater than the bucket length the bucket would overflow, so the data is discarded; otherwise, from the time of the last data arrival and the current interval, calculate the length that has leaked out of the bucket, which gives the actual vacated length of the bucket; if the data length is greater than the actual vacated length, the bucket would again overflow and the data is discarded; if the data length is smaller than the actual vacated length, the data is put into the bucket and awaits processing.
Based on the above analysis of the structure of ISP service flows, and with reference to Figure 4, the specific implementation of the method comprises at least the following steps:
1) When ISPKeeper is about to forward a received packet to the ISP LAN, it first determines by the HASH algorithm whether the data flow the packet belongs to is an existing ISPKeeper record, i.e. it looks up, at the position of the data flow configuration information array given by the lower 16 bits of the destination IP address, whether configuration parameters and statistics for a data flow to this IP address already exist. If so, go to step 3); otherwise, go to step 2).
2) If the packet to be forwarded belongs to a new data flow, that is, no information is stored for the packet's data flow at the corresponding position of the data flow configuration information array, first find the corresponding IP address range definition from its IP address range information, then find the configuration information of that address range according to the definition and match it, and determine whether the match succeeds. If it succeeds, store the configuration parameters and statistics of the data flow for this IP address range, obtained by the match, into the corresponding position of the data flow configuration information array. If at this time the position already holds data for a data flow whose IP address has the same lower 16 bits as the current data flow's address, a linked list storing the data flow information is established at that position, ordered by the upper 16 bits of the destination IP address. If the match does not succeed, i.e. no definition of this IP address range is found in the configuration information, look up whether a default value is defined in the configuration information; if so, place the default configuration information into the corresponding position of the data flow configuration information array and go to step 3); if not, ISPKeeper forwards the current packet to the corresponding destination network device.
3) Use the token bucket algorithm to detect whether the traffic of the current data flow satisfies the user-configured parameters (single average rate, single burst length); if not, drop the packet. If the traffic meets the requirement, continue to detect the total data flow: according to the address range the data flow belongs to, sum the data flows to all addresses in that address range and detect by the token bucket algorithm whether the total traffic is normal according to the parameters configured for data flows to the specified address range under the interface configuration mode, namely the total average rate and total burst length. If it does not meet the requirement, discard the packet; otherwise, if it is satisfied, ISPKeeper forwards the current packet to the corresponding destination network device.
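As an added example (not the patent's code), the following Python models the three steps and the leaky-bucket meter described above: a 65536-slot array indexed by the lower 16 bits of the destination IP, a collision chain keyed by the upper 16 bits, a per-flow bucket and a shared per-range bucket. The class names, the `LeakyBucket`/`AddressRange`/`ISPKeeper` API and the sample packets are assumptions; the rate and burst values are those of the description's configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LeakyBucket:
    """A bucket `burst` bytes long draining at `rate_bps` (the page's Token Bucket meter)."""
    rate_bps: int
    burst: int
    level: float = 0.0   # bytes currently in the bucket
    last: float = 0.0    # time of the last arrival, in seconds

    def admit(self, length: int, now: float) -> bool:
        if length > self.burst:                 # longer than the bucket: always overflows
            return False
        self.level = max(0.0, self.level - (now - self.last) * self.rate_bps / 8.0)
        self.last = now
        if length > self.burst - self.level:    # more than the vacated length: overflow
            return False
        self.level += length
        return True


@dataclass
class AddressRange:
    """A destination range with optional per-flow ("single") and shared ("total") limits."""
    start: int
    end: int
    single: Optional[LeakyBucket] = None   # template copied for every new flow in the range
    total: Optional[LeakyBucket] = None    # one bucket summing all flows in the range


@dataclass
class FlowEntry:
    bucket: Optional[LeakyBucket]   # this flow's own meter, if any
    rng: Optional[AddressRange]     # the range it matched; None for the default


class ISPKeeper:
    def __init__(self, ranges: List[AddressRange], default: Optional[LeakyBucket] = None):
        self.ranges, self.default = ranges, default
        # 65536 slots indexed by the low 16 bits of the destination IP (the "HASH");
        # a dict keyed by the high 16 bits stands in for the patent's linked list.
        self.table: List[Optional[Dict[int, FlowEntry]]] = [None] * 65536

    def _lookup(self, ip: int) -> Optional[FlowEntry]:               # step 1)
        chain = self.table[ip & 0xFFFF]
        return None if chain is None else chain.get(ip >> 16)

    def _match(self, ip: int) -> Optional[FlowEntry]:                # step 2)
        rng = next((r for r in self.ranges if r.start <= ip <= r.end), None)
        if rng is not None:
            own = LeakyBucket(rng.single.rate_bps, rng.single.burst) if rng.single else None
            entry = FlowEntry(own, rng)
        elif self.default is not None:
            entry = FlowEntry(LeakyBucket(self.default.rate_bps, self.default.burst), None)
        else:
            return None                 # no definition and no default: forward unmetered
        chain = self.table[ip & 0xFFFF]
        if chain is None:
            chain = self.table[ip & 0xFFFF] = {}
        chain[ip >> 16] = entry
        return entry

    def forward(self, dst: str, length: int, now: float) -> bool:   # step 3)
        """True if the packet is forwarded, False if ISPKeeper drops it."""
        ip = int(ipaddress.IPv4Address(dst))
        entry = self._lookup(ip) or self._match(ip)
        if entry is None:
            return True
        if entry.bucket is not None and not entry.bucket.admit(length, now):
            return False                                   # single flow over its limit
        if entry.rng is not None and entry.rng.total is not None:
            return entry.rng.total.admit(length, now)      # whole range over its limit
        return True


def build_keeper() -> ISPKeeper:
    """The page's configuration (helper constructed here): 10.110.1.0/24 gets 5 Mbps total
    with an 800 KB burst; all other destinations get the per-flow default of 128 kbps, 8 KB."""
    web = AddressRange(int(ipaddress.IPv4Address("10.110.1.0")),
                       int(ipaddress.IPv4Address("10.110.1.255")),
                       total=LeakyBucket(5_000_000, 800_000))
    return ISPKeeper([web], default=LeakyBucket(128_000, 8_000))


def demo() -> dict:
    k, out = build_keeper(), {}
    # Dial-up flow: the 8000-byte bucket admits five 1500-byte packets at t=0 and drops
    # the sixth; 0.5 s later 16 000 B/s has drained it and traffic is admitted again.
    out["dialup"] = [k.forward("10.110.7.9", 1500, 0.0) for _ in range(6)]
    out["dialup_later"] = k.forward("10.110.7.9", 1500, 0.5)
    # Web range: only the shared bucket applies; the 534th 1500-byte packet at t=0 (801 000 B)
    # is dropped whichever server in the range it targets.
    out["web"] = [k.forward(f"10.110.1.{i % 4}", 1500, 0.0) for i in range(534)]
    # 10.110.1.5 and 10.111.1.5 share the low 16 bits and chain in the same slot.
    k.forward("10.110.1.5", 100, 1.0)
    k.forward("10.111.1.5", 100, 1.0)
    out["chain_len"] = len(k.table[0x0105])
    return out
```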
When the above method is used to implement security protection for a single ISP, as shown in Figure 5, the IP address range of the data flows accessing this ISP's LAN is 10.111.*.*, and the IP address range of the data flows accessing this ISP's dial-up users is 10.110.*.*. To protect the ISP in the figure, first create an array of 65535 elements on the ISP egress router and, at the same time, apply the following configuration on the ISP egress router:
Ispkeeper-list 1 10.111.0.0 10.111.255.255   /* this command defines the data flows accessing the ISP LAN */
interface eth 1/0/0                           /* enter the configuration mode of the Ethernet interface connected to the ISP LAN */
Ispkeeper-group 1 total 5,000,000 80000       /* this command sets the total average traffic of the data flows accessing the ISP LAN to 5Mbps and the burst length to 80Kbyte */
ispkeeper-default single 128,000 8000         /* this command sets the average traffic of each remaining data flow, i.e. those accessing dial-up users, to 128Kbps and the burst length to 8Kbyte */
The above configuration gives the upper limit of the average traffic of an individual data flow and of the average traffic of all data flows together. So, after the ISP receives a data flow packet, it first looks up by the HASH algorithm whether a record of this data flow exists in the data flow configuration information array; if so, it checks whether the average traffic of this data flow is less than or equal to 128K and whether the traffic of all data flows is within 5Mbps; if so, it forwards the packet to the destination network device, otherwise it discards the packet. If no such record exists in the array, the packet is matched against the above configuration and the corresponding configuration information is recorded in the array, and then it is decided according to the traffic whether to forward or drop the packet.
The method of the present invention can implement security protection not only for one ISP LAN but also for multiple ISPs in a metropolitan area network or wide area network. Take the networking structure of a provincial network as an example: this provincial network consists of multiple ISPs, and its networking structure is shown in Figure 6. The operating principle and procedure of its security protection are the same as for a single ISP; only the preset configuration differs, in that the data flow IP address range and parameters of each of the multiple ISPs are set separately, and when traffic is judged, the detection uses the different configuration information corresponding to the IP address range of the data flow. The specific configuration for the multiple ISPs in Figure 6 can be realized with the following statements:
Ispkeeper-list 10 10.110.0.0 10.110.255.255   /* this command defines the data flows accessing ISP1 dial-up users, i.e. the IP address range 10.110.*.* */
Ispkeeper-list 11 10.111.0.0 10.111.255.255   /* this command defines the data flows accessing the ISP1 LAN, i.e. the IP address range 10.111.*.* */
Ispkeeper-list 20 20.110.0.0 20.110.255.255   /* this command defines the data flows accessing ISP2 dial-up users, i.e. the IP address range 20.110.*.* */
Ispkeeper-list 21 20.111.0.0 20.111.255.255   /* this command defines the data flows accessing the ISP2 LAN, i.e. the IP address range 20.111.*.* */
interface atm 1/0/0                           /* enter the configuration mode of the ATM interface connected to the provincial intranet */
Ispkeeper-group 11 total 5,000,000 80000      /* this command sets the total average traffic of the data flows accessing the ISP1 LAN to 5Mbps and the burst length to 80Kbyte */
Ispkeeper-group 10 single 128,000 8000        /* this command sets the average traffic of each data flow accessing ISP1 dial-up users to 128Kbps and the burst length to 8Kbyte */
Ispkeeper-group 21 total 5,000,000 80000      /* this command sets the total average traffic of the data flows accessing the ISP2 LAN to 5Mbps and the burst length to 80Kbyte */
Ispkeeper-group 20 single 128,000 8000        /* this command sets the average traffic of each data flow accessing ISP2 dial-up users to 128Kbps and the burst length to 8Kbyte */
In terms of data maintenance, the present invention ages the data flow configuration information array by having the system periodically check each user data flow, in mainly two ways:
(1) Timed processing. Within a given time interval, check each user data flow; if its average traffic exceeds the upper limit on average traffic given at configuration time, i.e. an anomaly has occurred (a large data flow is present), alarm information must be output via Syslog.
(2) Packet-driven, non-configurable automatic detection. This in turn has two cases: one is to check each user data flow every 15 minutes; if no data has arrived for a user for a long time, the data flow is idle and the user's data flow information is removed. The other is that, for a certain data flow, if no matching traffic parameters can be found in the configuration items, the information of that data flow is removed directly.
The ISPKeeper method of the present invention mainly adopts technologies such as Token Bucket and Hash, carries over the convenient configuration style of address translation, is simple and flexible to configure, runs efficiently, and provides abundant statistical and log information. By configuring ISPKeeper on the interface of the ISP egress router connected to the ISP LAN, or on the interface of the ISP egress router connected to the backbone IP network, the traffic attacks carried out by hackers against the ISP can be resisted well.
On the basis of fully considering the ISP's networking structure, business model and the characteristics of hacker attacks, the present invention effectively combines existing technologies such as firewall, address translation and CAR, complementing their shortcomings, and thus more effectively resists the traffic attacks an ISP suffers.

Claims (12)

1. A method for implementing security protection of an Internet service provider (ISP), characterized in that the method comprises at least the following steps:
a. When the ISP manager (ISPKeeper) in the ISP egress router is to forward the currently received message to the destination network, it first determines by a HASH algorithm whether the data flow to which the message belongs is already recorded in the ISPKeeper; if so, proceed to step c; otherwise, proceed to step b;
b. If the message to be forwarded belongs to a new data flow, match the configuration information of the data flow to which the message belongs and determine whether the match succeeds; if the match succeeds, store and record the configuration information of that data flow obtained by the match; if the match fails, check whether a default value is defined in the configuration information, and if so, store and record the default configuration information and then proceed to step c; if no default value is defined, the ISPKeeper forwards the currently received message directly to the corresponding destination network device;
c. Check whether the traffic of the current data flow satisfies the user-configured parameters; if not, discard the currently received message; if the traffic satisfies the requirements, continue to check the total data traffic and determine whether the total configuration parameters are normal; if not, discard the message; otherwise, if normal, the ISPKeeper forwards the current message to the corresponding destination network device.
2. The implementation method according to claim 1, characterized in that the destination network in step a is an ISP local area network, a metropolitan area network, or a wide area network.
3. The implementation method according to claim 1, characterized in that the data flow is the data flow of an external network accessing a network device in the destination network, or the data flow returned to a dial-up user accessing the Internet.
4. The implementation method according to claim 1, characterized in that matching the configuration information of the data flow in step a further comprises the following steps: first, according to the destination IP address of the data flow to which the message belongs, find the corresponding IP address segment definition in the configuration information; then, according to the definition of the address segment, find the configuration information of that address segment, and store and record that configuration information at the corresponding position of the data flow configuration information array.
5. The implementation method according to claim 1, characterized in that the method further comprises the following step: when initializing the egress router, pre-setting an array for storing data flow configuration information.
6. The implementation method according to claim 5, characterized in that the array is sized to hold all data flows within the range of IP addresses to be identified, and each element of the array corresponds one-to-one with a destination IP address.
7. The implementation method according to claim 1, characterized in that the method further comprises the following step: when initializing the egress router, pre-setting the configuration information of the data flows.
8. The implementation method according to claim 1, 4 or 7, characterized in that the configuration information includes at least the starting IP address, ending IP address and interface configuration mode of the data flow; the transmission bandwidth or average rate and the burst length of each data flow; and the total average traffic and total burst length of the total data flow.
9. The implementation method according to claim 1, characterized in that the HASH algorithm in step a locates each message of a data flow to the corresponding element position of the data flow configuration information array according to the last 16 bits of the message's destination IP address.
10. The implementation method according to claim 9, characterized in that the method may further comprise the following step: when a received data flow message is located by the HASH algorithm to the corresponding element position of the array and that position already holds data flow configuration information, a linked list is created at that position, storing the corresponding data flow configuration information in order by the first 16 bits of the destination IP address.
11. The implementation method according to claim 1, characterized in that the user configuration parameters in step c include at least the transmission bandwidth or average rate and the burst length of a single data flow.
12. The implementation method according to claim 1, characterized in that the total configuration parameters in step c include at least the total average rate and total burst length of the data flows.
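The following Python sketch is an added illustrative example, not code from the patent or from Huawei. It walks a message through steps a to c of claim 1: a 65536-slot array hashed on the low 16 bits of the destination IP (claim 9), a chain at each slot ordered by the high 16 bits (claim 10), address-segment matching with an optional default (claim 4 and step b), and the per-flow and aggregate checks of step c using the average-rate and burst-length parameters of claims 11 and 12. The patent does not say how the rate check is performed, so a token bucket (the mechanism behind the CAR technique the description mentions) is assumed here; the class names, addresses, rates and burst lengths are all constructed for the example.

```python
"""ISPKeeper-style per-flow and aggregate traffic check (added example, not the patent's code)."""
import bisect
import ipaddress
from dataclasses import dataclass


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class FlowConfig:
    """One configured address segment: start/end IP, per-flow average rate
    (bytes/s) and burst length (bytes). Values are assumptions for the example."""
    start_ip: str
    end_ip: str
    rate: float
    burst: float

    def contains(self, dst: int) -> bool:
        return ip_int(self.start_ip) <= dst <= ip_int(self.end_ip)


class TokenBucket:
    """Assumed rate-check mechanism: `rate` bytes/s accumulate, at most `burst` stored."""

    def __init__(self, rate: float, burst: float, now: float) -> None:
        self.rate, self.burst = rate, burst
        self.tokens = burst  # a new bucket starts full
        self.last = now

    def allow(self, size: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


class FlowEntry:
    """Recorded flow: keyed by the high 16 bits of the destination IP within its chain."""

    def __init__(self, high16: int, bucket: TokenBucket) -> None:
        self.high16, self.bucket = high16, bucket


class ISPKeeper:
    HASH_SLOTS = 1 << 16  # one slot per value of the low 16 bits of the destination IP

    def __init__(self, segments, total_rate, total_burst, default=None, now=0.0):
        self.segments = segments          # configured address segments
        self.default = default            # default FlowConfig, or None if not defined
        self.table = [[] for _ in range(self.HASH_SLOTS)]  # pre-set array (claim 5)
        self.total = TokenBucket(total_rate, total_burst, now)  # aggregate check

    @staticmethod
    def _split(dst: int):
        return dst >> 16, dst & 0xFFFF

    def _lookup(self, dst: int):
        # step a: hash on the low 16 bits, then search the chain ordered by high 16 bits
        high, low = self._split(dst)
        chain = self.table[low]
        i = bisect.bisect_left([e.high16 for e in chain], high)
        if i < len(chain) and chain[i].high16 == high:
            return chain[i]
        return None

    def _insert(self, dst: int, bucket: TokenBucket) -> FlowEntry:
        # claim 10: keep the chain sorted by the high 16 bits of the destination IP
        high, low = self._split(dst)
        chain = self.table[low]
        entry = FlowEntry(high, bucket)
        chain.insert(bisect.bisect_left([e.high16 for e in chain], high), entry)
        return entry

    def _match_config(self, dst: int):
        # claim 4: find the address segment containing the destination IP, else the default
        for seg in self.segments:
            if seg.contains(dst):
                return seg
        return self.default

    def process(self, dst_ip: str, size: int, now: float) -> str:
        """Return 'forward', 'drop-flow' or 'drop-total' for one message of `size` bytes."""
        dst = ip_int(dst_ip)
        entry = self._lookup(dst)
        if entry is None:                          # step b: a new data flow
            cfg = self._match_config(dst)
            if cfg is None:
                return "forward"                   # no segment and no default: forward as-is
            entry = self._insert(dst, TokenBucket(cfg.rate, cfg.burst, now))
        if not entry.bucket.allow(size, now):      # step c: per-flow parameters
            return "drop-flow"
        if not self.total.allow(size, now):        # step c: total configuration parameters
            return "drop-total"
        return "forward"

    def chain_length(self, dst_ip: str) -> int:
        """Number of recorded flows sharing this destination's hash slot."""
        return len(self.table[ip_int(dst_ip) & 0xFFFF])
```

Note that 10.0.0.5 and 10.1.0.5 share the low 16 bits and therefore the same slot; they are told apart only by the ordered chain, which is the situation claim 10 addresses. A flow that exceeds its own budget is dropped before the aggregate bucket is consulted, so one attacked destination cannot drain the shared budget of the others.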

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB011188685A CN1145318C (en) 2001-06-26 2001-06-26 A Realization Method of Internet Service Provider's Security Protection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB011188685A CN1145318C (en) 2001-06-26 2001-06-26 A Realization Method of Internet Service Provider's Security Protection

Publications (2)

Publication Number Publication Date
CN1394041A CN1394041A (en) 2003-01-29
CN1145318C true CN1145318C (en) 2004-04-07

Family

ID=4663469

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB011188685A Expired - Fee Related CN1145318C (en) 2001-06-26 2001-06-26 A Realization Method of Internet Service Provider's Security Protection

Country Status (1)

Country Link
CN (1) CN1145318C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1968272B (en) * 2005-10-17 2011-08-10 阿尔卡特公司 Method used for remitting denial of service attack in communication network and system

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7650634B2 (en) * 2002-02-08 2010-01-19 Juniper Networks, Inc. Intelligent integrated network security device
US7467202B2 (en) * 2003-09-10 2008-12-16 Fidelis Security Systems High-performance network content analysis platform
US7725035B2 (en) * 2004-04-20 2010-05-25 Fujitsu Limited Method and system for managing network traffic
US20060041940A1 (en) * 2004-08-21 2006-02-23 Ko-Cheng Fang Computer data protecting method
WO2006021132A1 (en) * 2004-08-21 2006-03-02 Ko-Cheng Fang Method for protecting the computer data
US7643468B1 (en) * 2004-10-28 2010-01-05 Cisco Technology, Inc. Data-center network architecture
CN100454839C (en) * 2005-11-24 2009-01-21 华为技术有限公司 Antiattacking apparatus and method based on user
CN101127695B (en) * 2006-08-17 2011-08-24 中兴通讯股份有限公司 A processing method for reducing invalid transmission of network traffic
CN101034975B (en) * 2007-04-05 2010-05-26 华为技术有限公司 Method and device for preventing the small message attack
CN101309216B (en) * 2008-07-03 2011-05-04 中国科学院计算技术研究所 IP packet classification method and apparatus
CN103746928A (en) * 2013-12-30 2014-04-23 迈普通信技术股份有限公司 Method and system for controlling flow rate by utilizing access control list
CN104796291B (en) * 2015-04-27 2018-05-29 清华大学 The detection method and system of core Route Area intradomain router forwarding behavioural norm
CN105763560A (en) * 2016-04-15 2016-07-13 北京思特奇信息技术股份有限公司 Web Service interface flow real-time monitoring method and system
CN106483918B (en) * 2016-11-15 2019-01-04 武汉企鹅能源数据有限公司 A kind of energy consumption monitoring analysis method and its system based on token bucket algorithm
CN111930078B (en) * 2020-06-21 2024-04-19 中国舰船研究设计中心 Network testing device for nuclear control system
CN114978563B (en) * 2021-02-26 2024-05-24 中国移动通信集团广东有限公司 Method and device for blocking IP address
CN113596050B (en) * 2021-08-04 2023-06-30 四川英得赛克科技有限公司 Abnormal flow separation and filtration method, system, storage medium and electronic equipment

Also Published As

Publication number Publication date
CN1394041A (en) 2003-01-29

Similar Documents

Publication Publication Date Title
CN1145318C (en) A Realization Method of Internet Service Provider's Security Protection
CN108282497B (en) DDoS attack detection method for SDN control plane
CN112615818B (en) SDN-based DDOS attack protection method, device and system
US7331060B1 (en) Dynamic DoS flooding protection
Abdelsayed et al. An efficient filter for denial-of-service bandwidth attacks
US8201252B2 (en) Methods and devices for providing distributed, adaptive IP filtering against distributed denial of service attacks
US7302705B1 (en) Method and apparatus for tracing a denial-of-service attack back to its source
CN101465855B (en) A filtering method and system for synchronous flooding attack
WO2008148099A1 (en) Method and system to mitigate low rate denial of service (dos) attacks
US20060191003A1 (en) Method of improving security performance in stateful inspection of TCP connections
CN102263788A (en) Method and equipment for defending against denial of service (DDoS) attack to multi-service system
CN104378380A (en) System and method for identifying and preventing DDoS attacks on basis of SDN framework
CN104836810A (en) Coordinated detection method of NDN low-speed cache pollution attack
Kamiyama et al. Simple and accurate identification of high-rate flows by packet sampling
Udhayan et al. Demystifying and rate limiting ICMP hosted DoS/DDoS flooding attacks with attack productivity analysis
Cui et al. Feedback-based content poisoning mitigation in named data networking
Perrig et al. StackPi: a new defense mechanism against IP spoofing and DDoS attacks
Khanna et al. Adaptive selective verification
Gong et al. Single packet IP traceback in AS-level partial deployment scenario
Feng et al. Research on the active DDoS filtering algorithm based on IP flow
Dai et al. DAmpADF: A framework for DNS amplification attack defense based on Bloom filters and NAmpKeeper
CN1553662A (en) Method for preventing refusal service attack
Chan et al. Intrusion detection routers: design, implementation and evaluation using an experimental testbed
Wang et al. A more efficient hybrid approach for single-packet IP traceback
Jing et al. NIS04-5: Defending Against Meek DDoS Attacks By IP Traceback-based Rate Limiting

Legal Events

Date Code Title Description
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20040407

Termination date: 20110626