CN114584338A - Nftables-based white box switch security protection method and device and storage medium - Google Patents


Info

Publication number
CN114584338A
Authority
CN
China
Legal status
Granted
Application number
CN202111669420.5A
Other languages
Chinese (zh)
Other versions
CN114584338B (en)
Inventor
吴唯冉
沈洋
汪硕
黄韬
Current Assignee
Network Communication and Security Zijinshan Laboratory
Original Assignee
Network Communication and Security Zijinshan Laboratory
Application filed by Network Communication and Security Zijinshan Laboratory
Priority to CN202111669420.5A
Publication of CN114584338A
Application granted
Publication of CN114584338B
Legal status: Active

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L49/00 Packet switching elements
    • H04L49/50 Overload detection or protection within a single switching element
    • H04L49/60 Software-defined switches
    • H04L49/602 Multilayer or multiprotocol switching, e.g. IP switching
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/16 Obfuscation or hiding, e.g. involving white box


Abstract

The embodiment of the invention discloses an Nftables-based security protection method, device and storage medium for a white box switch. It relates to the technical field of communication security, can identify and block malicious Flood attacks aimed at the operating system of the white box switch, and provides real-time attack defence for the white box switch. The method comprises the following steps: the white box switch registers a security protection policy on the local INPUT node through Nftables and executes the policy registered on the INPUT node for received data, where the policy comprises a black and white list filtering stage, a Flood protection stage and a protocol rate-limiting stage; data that has passed the black and white list filtering stage and the Flood protection stage is further subjected to the protocol rate-limiting stage.

Description

Nftables-based white box switch security protection method and device and storage medium
Technical Field
The invention relates to the technical field of communication security, in particular to a method and a device for protecting a white box switch based on Nftables, and a storage medium.
Background
With the development of SD-WAN technology, white box switches are increasingly appearing in network scenarios such as intelligent metropolitan access, convergence and backbone networks rather than being confined to the data centre environment, and this inevitably brings unprecedented security challenges to the white box switch. Without the protection of a data centre firewall, a white box device at an operator network node is readily exposed to attackers and becomes a target of attack.
An open programmable white box switch product is based on the ONL operating system, and ONL has a large code base and high complexity, so hidden system bugs become risk points affecting the efficient and stable operation of the white box switch. Whether it is a flaw introduced during product design and implementation, a vulnerability carried in the open source framework, or human oversight in the security policy settings, each may become a weak point of the product.
At present, many malicious attacks target the defects of white box switch products, and malicious Flood attacks on the white box switch operating system in particular greatly hinder the adoption of programmable white box switch products. How to effectively identify and block malicious Flood attacks aimed at the white box switch operating system, provide real-time attack defence for the white box switch and realise effective access control is therefore a problem that needs to be researched and solved.
Disclosure of Invention
Embodiments of the present invention provide an Nftables-based method, apparatus and storage medium for protecting a white box switch, which can effectively identify and block malicious Flood attacks against the operating system of the white box switch, provide real-time attack defence for the white box switch, and implement effective access control.
In order to achieve the above purpose, the embodiment of the invention adopts the following technical scheme:
in a first aspect, an embodiment of the present invention provides a method, including:
the white box switch registers a security protection policy on a local INPUT node through Nftables, wherein the INPUT node is deployed in the network layer and is used to deliver data received through the network layer to application programs of the application layer;
the white box switch executes the security protection policy registered on the INPUT node for the received data, wherein the security protection policy comprises: a black and white list filtering stage, a Flood protection stage and a protocol rate-limiting stage;
and the protocol rate-limiting stage is further executed for data that has passed the black and white list filtering stage and the Flood protection stage.
In a second aspect, an embodiment of the present invention provides an apparatus, including:
the apparatus runs on a white box switch configured to register a security protection policy on a local INPUT node through Nftables, wherein the INPUT node is deployed in the network layer and configured to deliver data received through the network layer to application programs of the application layer.
The apparatus comprises:
a security protection policy module, configured to execute, on the white box switch, the security protection policy registered on the INPUT node for the received data, and to further execute the protocol rate-limiting stage for data that has passed the black and white list filtering stage and the Flood protection stage.
The security protection policy module comprises: a black and white list filtering unit, a Flood protection unit and a protocol rate-limiting unit.
In a third aspect, an embodiment of the present invention provides a storage medium storing a computer program or instructions which, when executed, implement the method in the embodiment.
The embodiment of the invention provides an Nftables-based security protection method, device and storage medium for a white box switch, namely a local security protection method for the white box switch built on the Nftables packet filtering framework. Security policies can be configured flexibly, and the position in the protocol stack at which a policy takes effect can be selected on demand, by the white box switch manufacturer, enterprise user or operator according to service or usage requirements. The embodiment can protect system resources in the service scenarios of the white box switch. For example, where a layer-4 load balancing service involves interaction between the data plane and the control plane, the first packet of a flow is reported from the data plane to the control plane as summary information, which can cause a CPU impact under heavy traffic.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic diagram of a data processing flow of a protocol stack of an operating system of a white box switch according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a local security protection architecture of a white box switch according to an embodiment of the present invention;
FIG. 3 is a schematic flow chart of a method provided by an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the present invention will be described in further detail with reference to the accompanying drawings and specific embodiments. Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the accompanying drawings are illustrative only for the purpose of explaining the present invention, and are not to be construed as limiting the present invention. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may also be present. Further, "connected" or "coupled" as used herein may include wirelessly connected or coupled. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items. It will be understood by those skilled in the art that, unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.
It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
A traditional network security architecture usually protects at network boundaries: when a network security system is built, the network is first divided into zones (intranet, extranet, DMZ (demilitarized zone, an isolation area) and servers), and security devices such as firewalls, intrusion prevention systems and WAFs (Web Application Firewalls, application-level intrusion prevention for websites) are placed on the boundaries between the zones. Such an architecture implicitly trusts the intranet to some extent, yet most security threats to switches come from within the local area network. The DMZ is a buffer zone between the insecure and the secure system, mainly used so that external users can still reach internal servers after a firewall is installed. The WAF protects Web applications specifically by enforcing a series of security policies on HTTP/HTTPS.
The white box switch device is based on the Open Network operating system (ONL), an open source Linux operating system designed for white box switches. ONL is highly complex, and hidden system bugs become risk points affecting the efficient and stable operation of the white box switch. To address this, the embodiment builds a lightweight local firewall system for the white box switch that provides real-time detection and blocking of common network DoS (Denial of Service) attacks, such as SYN Flood, UDP Flood and ICMP Flood, whose aim is to make a computer or network unable to provide normal service, so that the resources of the white box switch operating system are protected from impact. In this way a zero-trust security model is established for the white box switch: system access is opened only to trusted users, applications and traffic, and possible vulnerability exploitation and intrusion are blocked.
The general design idea is as follows: a local security protection method based on Nftables is provided for the white box switch service scenario. The method can identify and block malicious Flood attacks aimed at the white box switch operating system, provide real-time attack defence for the white box switch, realise effective access control through flexible configuration of the traffic filtering policy and the protocol rate-limiting policy, and ensure the control plane security of the white box switch.
An embodiment of the present invention provides an Nftables-based method for protecting a white box switch which, as shown in fig. 3, comprises:
S1: the white box switch registers the security protection policy on the local INPUT node through Nftables.
The INPUT node is deployed in the network layer and is used to deliver data received through the network layer to application programs of the application layer. In this embodiment, the base operating system ONL of the white box switch is built on the Linux kernel; the control plane CPU receives and sends packets mainly through the switch panel management interface and the interface connected to the switching chip, and the Netfilter framework of the Linux kernel is used. Netfilter is the main framework in the Linux kernel for packet filtering, connection tracking, network address translation and similar functions: it defines a series of hook nodes at key points of the network protocol stack's packet processing flow, and a function is registered on a hook to process packets there. Taking IP packets received and sent by the control plane CPU as an example, the main data processing flow of the white box switch operating system's protocol stack is shown in fig. 1. The main data flows of the white box switch control plane CPU are: receiving data: PREROUTING -> INPUT -> application program; sending data: application program -> OUTPUT -> POSTROUTING; routing and forwarding data: PREROUTING -> FORWARD -> POSTROUTING.
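To observe the three paths just listed on a running Linux system (the same Netfilter hooks the embodiment registers on), here is an added example that is not part of the patent: a ruleset with one accept-everything chain per hook, each carrying a counter, so that the hook a packet traverses is visible without changing any verdict. The table and chain names are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not the patent's script): one counting chain per Netfilter
# hook, all with policy accept, to see which path control-plane traffic takes.
# Table and chain names are assumptions. Load with: nft -f hooks.nft
table inet hook_trace {
    chain prerouting {
        type filter hook prerouting priority -300; policy accept;
        counter comment "every packet received on any interface"
    }
    chain input {
        type filter hook input priority 0; policy accept;
        counter comment "packets delivered to local applications (INPUT node)"
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        counter comment "packets routed through the box, never seen by INPUT"
    }
    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "packets generated by local applications"
    }
    chain postrouting {
        type filter hook postrouting priority 100; policy accept;
        counter comment "every packet leaving any interface"
    }
}
```

After `nft -f hooks.nft`, read the counters with `nft list table inet hook_trace`: a ping to the switch's own management address increments prerouting and input, its reply increments output and postrouting, and traffic routed through the box increments prerouting, forward and postrouting only. Remove the table with `nft delete table inet hook_trace` when done.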
Security protection can be configured by the user operating the white box switch. The white box switch completes registration of the local security protection policy according to the user's operation, using the Nftables tool to perform the registration on the INPUT node. Generally, a storage structure such as a registry is also established for the INPUT node to record the registered security protection policies.
S2: the white box switch executes the security protection policy registered on the INPUT node for the received data.
The security protection policy comprises: a black and white list filtering stage, a Flood protection stage and a protocol rate-limiting stage. Specifically, Nftables is an open source packet filtering component for the Netfilter network subsystem that addresses several limitations of the existing Iptables tool, including performance optimisation, lookup table support, transactional rule updates and automatic rule application. The invention registers the security protection policy on the INPUT node through Nftables. The embodiment aims to build a lightweight local firewall system for the white box switch by registering functions on the INPUT hook node of the control plane CPU's receive data flow, thereby achieving local security protection. In practical application, the white box switch manufacturer can set a default policy by itself, for example passing only TCP traffic to the service ports related to its services among the traffic destined to the white box switch; enterprise users or operator users can customise the black and white list policy registered on the INPUT node according to the actual application scenario.
In practical application, white box switches are deployed in data centres, backbone networks and the like and play the role of a "switch" in the usual sense; the data received by the white box switch is mainly message (packet) data.
S3: the protocol rate-limiting stage is further executed for data that has passed the black and white list filtering stage and the Flood protection stage.
In this embodiment, the black and white list filtering stage, the Flood protection stage and the protocol rate-limiting stage may be implemented by the following program scripts, stored on a storage medium in the form of a computer program or instructions. The program scripts comprise:
Black and white list filtering stage:
[Figure RE-GDA0003624069300000071: script image, not reproduced on this page]
Flood protection stage:
[Figure BDA0003452526090000081: script image, not reproduced on this page]
Protocol rate-limiting stage:
[Figure BDA0003452526090000082: script image, not reproduced on this page]
In this embodiment, as shown in fig. 2, the black and white list filtering stage comprises:
among the received data, for data conforming to IPv4 or IPv6, detecting whether it matches the blacklist. If it matches, INPUT processing of the data ends. If it does not match, detecting whether the data matches the whitelist pass policy; if so, the data is input to the Flood protection stage, otherwise the data is discarded.
The Flood protection stage comprises: if Flood protection has been enabled, detecting whether the data is a TCP connection, a UDP message or an ICMP echo request message; if not, the data is input to the protocol rate-limiting stage. If so, detecting whether the data matches the Flood allow list; if it matches, the data is input to the protocol rate-limiting stage. If it does not match the Flood allow list, detecting whether the data matches the Flood deny list. If it does not match the Flood deny list, detecting whether the connection rate of the sender exceeds the configured Flood protection rate; if so, the sender is added to the Flood deny list. If the rate does not exceed the configured value, the data is input to the protocol rate-limiting stage. If the data matches the Flood deny list, the data is discarded.
The data is therefore discarded when it is detected that it does not match the whitelist pass policy or that it matches the Flood deny list. TCP connections, UDP messages and ICMP echo request messages that do not hit the blacklist policy are monitored in real time by the Flood protection policy. When the system identifies a suspected TCP SYN Flood, UDP Flood or ICMP Flood attack, it automatically adds the attack source address to the deny list, and by default discards access traffic from that source. After security operation and maintenance analysis, the user may choose to manually remove a host address from the deny list; traffic from a host removed from the deny list is no longer discarded outright, but remains monitored by the Flood protection policy. The user may add trusted hosts to the allow list as required; traffic from hosts on the allow list is not monitored by the Flood protection policy.
Further, the protocol rate-limiting stage comprises: when protocol rate limiting is enabled, detecting whether the connection rate of the sender exceeds the limit rate, and if so, discarding the excess messages. In practical application, the white box switch manufacturer can set protocol rate-limiting policies according to the specific service implementation or operation and maintenance requirements, and the user can choose whether to enable rate limiting for a specific protocol as required.
For example, when the embodiment is applied to a white box switch it can be used to defend against ping flood, with the white box switch setting the following nft defence rule:
[Figure BDA0003452526090000091: nft rule image, not reproduced on this page]
Explanation of the rule: the ping flood attack is resisted by limiting the number of icmp echo-requests received per second, where burst denotes the initial maximum peak. In actual testing, a ping flood attack was launched against the target white box switch with the hping3 tool. Actual test result: the security protection module of the white box switch displays the numbers of icmp echo-request packets received and intercepted, and the ping flood attack is successfully defended.
The method can also be used to defend against DoS attacks by limiting the maximum number of connections per host IP to the white box switch; here the maximum number of SSH connections per host IP is limited to 1:
[Figure BDA0003452526090000101: nft rule image, not reproduced on this page]
Actual test result: each host IP can then maintain only one SSH connection to the white box switch at a time. In addition, limiting the maximum number of connections per IP together with the rate of new connections gives a better DoS defence effect.
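The three-stage INPUT policy of steps S1 to S3, together with the ping flood and SSH connection-count examples just described, expressed as one nftables ruleset. This is an added example written for this page, not the patent's own script (which appears on the page only as images); the table, set and chain names, all addresses, the rates and bursts, the SSH port, and the decision to let loopback and established traffic through are assumptions. Flood metering is shown for IPv4 sources only.

```nft
#!/usr/sbin/nft -f
# Added example, NOT the patent's script: black and white list -> Flood
# protection -> protocol rate limit, all on the INPUT hook.
# ASSUMPTIONS: every name, address, rate, burst and port below is invented
# for illustration. Load with: nft -f switch_guard.nft

# Create-then-delete so the file can be reloaded atomically from scratch.
table inet switch_guard
delete table inet switch_guard

table inet switch_guard {
    # Stage 1: operator-managed black and white lists (IPv4 and IPv6)
    set blacklist_v4 { type ipv4_addr; flags interval; elements = { 198.51.100.0/24 } }
    set blacklist_v6 { type ipv6_addr; flags interval; }
    set whitelist_v4 { type ipv4_addr; flags interval; elements = { 192.0.2.0/24, 10.0.0.0/8 } }
    set whitelist_v6 { type ipv6_addr; flags interval; elements = { 2001:db8::/32 } }

    # Stage 2: Flood allow list (never metered) and Flood deny list. The deny
    # list is filled from the packet path and has no timeout, so an address
    # stays on it until an operator deletes the element, as the text describes.
    set flood_allow_v4 { type ipv4_addr; elements = { 192.0.2.10 } }
    set flood_deny_v4  { type ipv4_addr; flags dynamic; size 65535; }

    # Stage 3 helper: per-source SSH connection counting
    set ssh_conns { type ipv4_addr; flags dynamic; size 65535; }

    chain input {
        type filter hook input priority 0; policy drop;

        # ASSUMPTION: loopback and replies to switch-initiated sessions pass
        iif "lo" accept
        ct state established,related accept
        ct state invalid counter drop

        # Stage 1: a blacklist hit ends INPUT processing; a whitelist hit
        # continues to Flood protection; anything else falls to policy drop
        ip saddr @blacklist_v4 counter drop
        ip6 saddr @blacklist_v6 counter drop
        ip saddr @whitelist_v4 goto flood_guard
        ip6 saddr @whitelist_v6 goto flood_guard
        counter comment "no whitelist match: dropped by chain policy"
    }

    chain flood_guard {
        # Allow-listed hosts skip monitoring; deny-listed hosts are dropped
        ip saddr @flood_allow_v4 goto proto_limit
        ip saddr @flood_deny_v4 counter drop

        # TCP SYN, UDP and ICMP echo-request are metered per source address.
        # A sender above the configured rate is added to the deny list and the
        # packet is dropped; other protocols are not monitored by this stage.
        tcp flags & (syn|ack) == syn meter syn_meter size 65535 { ip saddr limit rate over 50/second } add @flood_deny_v4 { ip saddr } counter drop
        meta l4proto udp meter udp_meter size 65535 { ip saddr limit rate over 200/second } add @flood_deny_v4 { ip saddr } counter drop
        icmp type echo-request meter icmp_meter size 65535 { ip saddr limit rate over 20/second } add @flood_deny_v4 { ip saddr } counter drop

        goto proto_limit
    }

    chain proto_limit {
        # Ping flood defence: echo-requests above 10/s are discarded once an
        # initial burst of 20 has been consumed (token bucket; burst = peak)
        icmp type echo-request limit rate over 10/second burst 20 packets counter drop
        icmpv6 type echo-request limit rate over 10/second burst 20 packets counter drop

        # DoS defence for SSH: at most one concurrent connection per source
        # IP, plus a cap on the new-connection rate per source
        tcp dport 22 ct state new add @ssh_conns { ip saddr ct count over 1 } counter drop
        tcp dport 22 ct state new meter ssh_rate size 65535 { ip saddr limit rate over 3/minute } counter drop

        counter accept
    }
}
```

Once loaded, `nft list set inet switch_guard flood_deny_v4` shows the senders the Flood stage has learned, `nft delete element inet switch_guard flood_deny_v4 { 203.0.113.7 }` releases a host after operations analysis (it is metered again from then on), `nft add element inet switch_guard flood_allow_v4 { 192.0.2.11 }` marks a host as trusted, and `nft list chain inet switch_guard proto_limit` reads the per-rule counters that correspond to the received and intercepted quantities reported in the test results. Two caveats: because the file deletes and recreates the table, reloading it clears the learned deny list, so dump it first if it must survive a reload; and updating sets from the packet path and `ct count` need a reasonably recent kernel and nft, so verify `nft -c -f switch_guard.nft` parses cleanly on the target ONL image before deploying.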
The present embodiment also provides an Nftables-based local security protection apparatus for a white box switch. The apparatus runs on a white box switch configured to register a security protection policy on the local INPUT node through Nftables, where the INPUT node is deployed in the network layer and is configured to deliver data received through the network layer to application programs of the application layer. As shown in fig. 4, the apparatus comprises:
a security protection policy module, configured to execute, on the white box switch, the security protection policy registered on the INPUT node for the received data, and to further execute the protocol rate-limiting stage for data that has passed the black and white list filtering stage and the Flood protection stage.
The security protection policy module comprises: a black and white list filtering unit, a Flood protection unit and a protocol rate-limiting unit.
The black and white list filtering unit is configured to detect, for data conforming to IPv4 or IPv6 among the received data, whether the data matches the blacklist; if not, to detect whether the data matches the whitelist pass policy, and if so, to input the data to the Flood protection stage.
The Flood protection unit is configured, if Flood protection has been enabled, to detect whether the data is a TCP connection, a UDP message or an ICMP echo request message, and if not, to input the data to the protocol rate-limiting unit; if so, to detect whether the data matches the Flood allow list, and if it matches, to input the data to the protocol rate-limiting unit; if it does not match the Flood allow list, to detect whether the data matches the Flood deny list; if it does not match the Flood deny list, to detect whether the connection rate of the sender exceeds the configured Flood protection rate, and if so, to add the sender to the Flood deny list; if not, to input the data to the protocol rate-limiting unit; and to discard the data when it is detected that the data does not match the whitelist pass policy or that the data matches the Flood deny list.
The protocol rate-limiting unit is configured, when protocol rate limiting is enabled, to detect whether the connection rate of the sender exceeds the limit rate, and if so, to discard the excess messages.
Embodiments of the present invention also provide a storage medium storing a computer program or instructions which, when executed, implement the method in the embodiments.
The embodiment provides a local security protection method for a white box switch based on the Nftables packet filtering framework. Taking full account of the white box switch's functional architecture and common service scenarios, it designs an efficient, lightweight, multi-level local security protection component architecture for the white box switch, and guarantees the control plane security of the white box switch operating system in terms of DoS attack resistance, application trust, protocol rate limiting and the like. Security policies can be configured flexibly, and the position in the protocol stack at which a policy takes effect can be selected on demand, by white box switch manufacturers, enterprise users and operators according to their service or usage requirements.
The embodiment can protect system resources in the service scenarios of the white box switch. For example, where a layer-4 load balancing service involves interaction between the data plane and the control plane, the first packet of a flow is reported from the data plane to the control plane as summary information, which can cause a CPU impact under heavy traffic.
The embodiments in the present specification are described in a progressive manner, and portions that are similar to each other in the embodiments are referred to each other, and each embodiment focuses on differences from other embodiments. In particular, for the apparatus embodiment, since it is substantially similar to the method embodiment, it is relatively simple to describe, and reference may be made to some descriptions of the method embodiment for relevant points. The above description is only a specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. An Nftables-based local security protection method for a white box switch, characterised by comprising the following steps:
the white box switch registers a security protection policy on a local INPUT node through Nftables, wherein the INPUT node is deployed in a network layer and is used to deliver data received through the network layer to an application program of an application layer;
the white box switch executes the security protection policy registered on the INPUT node for the received data, wherein the security protection policy comprises: a black and white list filtering stage, a Flood protection stage and a protocol rate-limiting stage;
and the protocol rate-limiting stage is further executed for data that has passed the black and white list filtering stage and the Flood protection stage.
2. The method according to claim 1, wherein the black and white list filtering stage comprises:
detecting whether data conforming to IPv4 or IPv6 among the received data matches a blacklist;
and if not, detecting whether the data matches a whitelist pass policy, and if so, inputting the data to the Flood protection stage.
3. The method according to claim 2, wherein the Flood protection stage comprises:
if Flood protection has been enabled, detecting whether the data is a TCP connection, a UDP message or an ICMP echo request message, and if not, inputting the data to the protocol rate-limiting stage;
if so, detecting whether the data matches a Flood allow list, and if the data matches the Flood allow list, inputting the data to the protocol rate-limiting stage; if the data does not match the Flood allow list, detecting whether the data matches a Flood deny list;
if the data does not match the Flood deny list, detecting whether the connection rate of the sender exceeds the configured Flood protection rate, and if so, adding the sender to the Flood deny list; and if the rate does not exceed the configured value, inputting the data to the protocol rate-limiting stage.
4. The method according to claim 3, wherein the data is discarded when it is detected that the data does not match the whitelist pass policy or when it is detected that the data matches the Flood deny list.
5. The method according to claim 4, wherein the protocol rate-limiting stage comprises:
when protocol rate limiting is enabled, detecting whether the connection rate of the sender exceeds the limit rate, and if so, discarding the excess messages.
6. An Nftables-based local security protection device for a white-box switch, comprising:
the device runs on a white-box switch, the white-box switch being configured to register a security protection policy for a local INPUT node via Nftables, wherein the INPUT node is deployed at the network layer and is configured to pass data received via the network layer to an application program of the application layer;
the device comprises:
a security protection policy module, configured to execute, on the white-box switch, the security protection policy registered on the INPUT node for the received data, and further to execute the protocol rate-limit stage on data that has passed the black/white-list filtering stage and the Flood protection stage;
the security protection policy module comprises a black/white-list filtering unit, a Flood protection unit and a protocol rate-limit unit.
7. The device according to claim 6, wherein the black/white-list filtering unit is configured to detect whether the IPv4 or IPv6 data in the received data matches a blacklist; and if not, to detect whether the data matches a white-list pass policy, and if so, to input the data into the Flood protection unit.
8. The device according to claim 7, wherein the Flood protection unit is configured to: if Flood protection has been enabled, detect whether the data is any one of a TCP connection, a UDP message or an ICMP echo request message, and if not, input the data into the protocol rate-limit unit;
if so, detect whether the data matches a Flood permit list, and if it matches the Flood permit list, input the data into the protocol rate-limit unit; if it does not match the Flood permit list, detect whether the data matches a Flood reject list;
if the data does not match the Flood reject list, detect whether the connection rate of the data sender exceeds the configured Flood protection rate, and if so, add the data sender to the Flood reject list; if not, input the data into the protocol rate-limit unit;
and discard the data when it is detected that the data does not match the white-list pass policy, or that the data matches the Flood reject list.
9. The device according to any one of claims 6 to 8, wherein the protocol rate-limit unit is configured to detect, when the protocol rate limit has been enabled, whether the connection rate of the data sender exceeds the limit rate, and to discard the overspeed messages if it does.
10. A storage medium storing a computer program or instructions which, when executed, implement the method of any one of claims 1 to 5.
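The three-stage INPUT pipeline of claims 1 to 5, and the matching units of claims 6 to 9, written out as an nftables ruleset. This is an added example and is not code from the patent or its applicant; the table and set names, the rates, burst sizes and timeouts, the whitelisted management prefixes and the `iif "lo"` exemption are all assumptions made for illustration. The ruleset runs on the Linux control plane of a white-box switch, where the INPUT node of the claims is the netfilter input hook:

```nft
#!/usr/sbin/nft -f
# Added example, not from the patent: the three-stage INPUT policy of claims
# 1-5 (and the matching units of claims 6-9) as an nftables ruleset for the
# Linux control plane of a white-box switch. All names, rates, timeouts and
# addresses below are assumptions chosen for illustration.
flush ruleset

table inet switch_guard {

    # Stage 1 lists (black/white-list filtering). Interval sets so that whole
    # prefixes can be listed alongside single hosts.
    set blacklist_v4 { type ipv4_addr; flags interval; }
    set blacklist_v6 { type ipv6_addr; flags interval; }
    set whitelist_v4 { type ipv4_addr; flags interval; elements = { 10.0.0.0/24, 192.0.2.10 } }  # assumed mgmt hosts
    set whitelist_v6 { type ipv6_addr; flags interval; elements = { 2001:db8::/64 } }            # assumed mgmt prefix

    # Stage 2 lists (Flood protection). The reject lists are dynamic: a sender
    # is added from the packet path when it overspeeds, and the entry expires
    # after the default timeout, so the block is temporary.
    set flood_allow_v4 { type ipv4_addr; flags interval; }
    set flood_allow_v6 { type ipv6_addr; flags interval; }
    set flood_deny_v4  { type ipv4_addr; flags dynamic, timeout; timeout 10m; }
    set flood_deny_v6  { type ipv6_addr; flags dynamic, timeout; timeout 10m; }

    # Per-sender meters that measure the "connection rate of the data sender".
    # Entries are created on demand and expire when the sender goes idle.
    set flood_meter_v4 { type ipv4_addr; flags dynamic, timeout; timeout 30s; size 65535; }
    set flood_meter_v6 { type ipv6_addr; flags dynamic, timeout; timeout 30s; size 65535; }

    # Stage 3 meters, keyed per sender and per protocol (addr . inet_proto).
    set proto_meter_v4 { type ipv4_addr . inet_proto; flags dynamic, timeout; timeout 30s; size 65535; }
    set proto_meter_v6 { type ipv6_addr . inet_proto; flags dynamic, timeout; timeout 30s; size 65535; }

    # The INPUT node of the claims: traffic punted to the switch CPU and
    # destined for local daemons (SSH, SNMP, routing protocols, ...).
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept            # assumed: local IPC is never filtered
        jump stage1_lists          # drops unless whitelisted
        jump stage2_flood          # drops flooders, returns otherwise
        jump stage3_ratelimit      # drops overspeed packets
        accept                     # passed all three stages
    }

    # Stage 1: blacklist match -> drop; whitelist match -> next stage;
    # anything else -> drop (claim 4).
    chain stage1_lists {
        ip  saddr @blacklist_v4 counter drop
        ip6 saddr @blacklist_v6 counter drop
        ip  saddr @whitelist_v4 return
        ip6 saddr @whitelist_v6 return
        counter drop
    }

    # Stage 2: only new TCP connections (bare SYN), UDP and ICMP/ICMPv6 echo
    # requests are subject to Flood protection (claim 3). Other packets fall
    # through the final return and go straight on to stage 3.
    chain stage2_flood {
        tcp flags & (fin|syn|rst|ack) == syn jump flood_check
        meta l4proto udp jump flood_check
        icmp type echo-request jump flood_check
        icmpv6 type echo-request jump flood_check
        return
    }

    chain flood_check {
        # Flood permit list: skip the rate check, go on to stage 3.
        ip  saddr @flood_allow_v4 return
        ip6 saddr @flood_allow_v6 return
        # Flood reject list: sender already identified as a flooder.
        ip  saddr @flood_deny_v4 counter drop
        ip6 saddr @flood_deny_v6 counter drop
        # Rate check: more than 100 packets/s (burst 200) from one sender puts
        # the sender on the reject list and drops the triggering packet.
        add @flood_meter_v4 { ip  saddr limit rate over 100/second burst 200 packets } add @flood_deny_v4 { ip  saddr } counter drop
        add @flood_meter_v6 { ip6 saddr limit rate over 100/second burst 200 packets } add @flood_deny_v6 { ip6 saddr } counter drop
        return
    }

    # Stage 3: per-sender, per-protocol rate limit. Overspeed packets are
    # dropped, but unlike stage 2 the sender is not blacklisted (claim 5).
    chain stage3_ratelimit {
        add @proto_meter_v4 { ip  saddr . meta l4proto limit rate over 500/second } counter drop
        add @proto_meter_v6 { ip6 saddr . meta l4proto limit rate over 500/second } counter drop
        return
    }
}
```

Load it with `nft -f <file>` and inspect the lists with `nft list set inet switch_guard flood_deny_v4`; lists are changed at runtime with `nft add element` / `nft delete element` without reloading the ruleset. The enable switches of claims 3 and 5 map to emptying a stage chain (`nft flush chain inet switch_guard stage2_flood`), since an empty chain simply returns; reloading the file turns the stage back on. Three caveats a practitioner should keep in mind: the TCP "connection rate" is approximated by the bare-SYN rate, so an attacker sending non-SYN segments is only caught by stage 3; stage 1 is default-deny, so a management host left off the whitelist loses access even for established sessions; and because the input hook sits at the network layer, link-layer traffic such as ARP and LLDP is not covered, and on a switch with a forwarding ASIC only traffic the hardware punts to the CPU ever reaches these rules, so this protects the control plane, not transit traffic.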
CN202111669420.5A 2021-12-31 2021-12-31 White box switch safety protection method and device based on Nftables and storage medium Active CN114584338B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111669420.5A CN114584338B (en) 2021-12-31 2021-12-31 White box switch safety protection method and device based on Nftables and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111669420.5A CN114584338B (en) 2021-12-31 2021-12-31 White box switch safety protection method and device based on Nftables and storage medium

Publications (2)

Publication Number Publication Date
CN114584338A true CN114584338A (en) 2022-06-03
CN114584338B CN114584338B (en) 2024-03-26

Family

ID=81771555

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111669420.5A Active CN114584338B (en) 2021-12-31 2021-12-31 White box switch safety protection method and device based on Nftables and storage medium

Country Status (1)

Country Link
CN (1) CN114584338B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109327426A (en) * 2018-01-11 2019-02-12 白令海 A firewall attack defense method
CN111797371A (en) * 2020-06-16 2020-10-20 北京京投信安科技发展有限公司 Switch encryption system
CN111865990A (en) * 2020-07-23 2020-10-30 上海中通吉网络技术有限公司 Method, device, equipment and system for managing and controlling malicious reverse connection behavior of intranet
CN112202814A (en) * 2020-11-04 2021-01-08 中国电子科技集团公司第三十研究所 Processing method for endogenous safety dynamic protection function of route switching equipment
US20210306373A1 (en) * 2020-03-31 2021-09-30 Fortinet, Inc. Hardware acceleration device for denial-of-service attack identification and mitigation

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109327426A (en) * 2018-01-11 2019-02-12 白令海 A firewall attack defense method
US20210306373A1 (en) * 2020-03-31 2021-09-30 Fortinet, Inc. Hardware acceleration device for denial-of-service attack identification and mitigation
CN111797371A (en) * 2020-06-16 2020-10-20 北京京投信安科技发展有限公司 Switch encryption system
CN111865990A (en) * 2020-07-23 2020-10-30 上海中通吉网络技术有限公司 Method, device, equipment and system for managing and controlling malicious reverse connection behavior of intranet
CN112202814A (en) * 2020-11-04 2021-01-08 中国电子科技集团公司第三十研究所 Processing method for endogenous safety dynamic protection function of route switching equipment

Also Published As

Publication number Publication date
CN114584338B (en) 2024-03-26

Similar Documents

Publication Publication Date Title
Birkinshaw et al. Implementing an intrusion detection and prevention system using software-defined networking: Defending against port-scanning and denial-of-service attacks
Yu et al. PSI: Precise Security Instrumentation for Enterprise Networks.
US7984493B2 (en) DNS based enforcement for confinement and detection of network malicious activities
US20180091547A1 (en) Ddos mitigation black/white listing based on target feedback
Cox et al. Leveraging SDN for ARP security
US20160294871A1 (en) System and method for mitigating against denial of service attacks
AbdelSalam et al. Mitigating ARP spoofing attacks in software-defined networks
Cox et al. Leveraging SDN and WebRTC for rogue access point security
Alabady Design and Implementation of a Network Security Model for Cooperative Network.
Gautam et al. Experimental security analysis of SDN network by using packet sniffing and spoofing technique on POX and Ryu controller
Trabelsi et al. Denial of firewalling attacks (dof): The case study of the emerging blacknurse attack
Abdulkarem et al. DDOS attack detection and mitigation at sdn enviroment
KR101593897B1 (en) Network scan method for circumventing firewall, IDS or IPS
Poongothai et al. Simulation and analysis of DDoS attacks
Shimanaka et al. Cyber deception architecture: Covert attack reconnaissance using a safe sdn approach
KR101060959B1 (en) System and Method for Blocking DVD Attacks Using Ap
Gurusamy et al. Detection and mitigation of UDP flooding attack in a multicontroller software defined network using secure flow management model
Febro et al. Telephony Denial of Service defense at data plane (TDoSD@ DP)
CN114584338B (en) White box switch safety protection method and device based on Nftables and storage medium
JP2006501527A (en) Method, data carrier, computer system, and computer program for identifying and defending attacks against server systems of network service providers and operators
Chatterjee Design and development of a framework to mitigate dos/ddos attacks using iptables firewall
Vázquez-Ingelmo et al. Threats behind default configurations of network devices: wired local network attacks and their countermeasures
Rodrigues et al. Design and implementation of a low-cost low interaction IDS/IPS system using virtual honeypot approach
Mohammed et al. DoS attacks and defense mechanisms in wireless networks
Sheikh Denial of Service

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant