CN115225393A - Source rate limiting method and device, computer program product and electronic equipment - Google Patents


Info

Publication number: CN115225393A
Authority: CN (China)
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Application number: CN202210861661.8A
Other languages: Chinese (zh)
Other versions: CN115225393B (en)
Inventors: 娄扬, 李晓然
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202210861661.8A
Publication of CN115225393A
Application granted
Publication of CN115225393B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/16 Threshold monitoring

Abstract

The application provides a source rate limiting method and device, a computer program product and electronic equipment, applied in the technical field of network security. The source rate limiting method comprises the following steps: acquiring, at a detection start time, a first traffic rate of a source address to be rate-limited that corresponds to a destination address to be protected; and if the first traffic rate is greater than a detection rate threshold, determining whether to rate-limit the source address according to the category of the source address. In this scheme, a first traffic rate greater than the detection rate threshold indicates that the source address is sending a large volume of traffic, and whether to rate-limit it is then decided according to its category. Because the decision depends on the category of the source address rather than on traffic volume alone, the method avoids rate-limiting those high-volume source addresses that do not need to be limited, in contrast to directly rate-limiting every source address with large traffic, and thereby improves the defense effect.

Description

Source rate limiting method and device, computer program product and electronic equipment
Technical Field
The present application relates to the field of network security technologies, and in particular to a source rate limiting method and apparatus, a computer program product, and an electronic device.
Background
Defense against Distributed Denial of Service (DDoS) attacks is one of the important functions of a security gateway, and source rate limiting is an important means of DDoS defense.
In the prior art, source rate limiting against DDoS attacks generally limits the traffic matching a custom service to a threshold configured in the custom service policy, and the part of the traffic exceeding the threshold is discarded. However, if the source rate-limit threshold is large, the traffic still reaching the server remains large and the ideal defense effect cannot be achieved; if the threshold is small, legitimate service traffic may be limited and normal use of the service is affected. That is, the existing source rate limiting method yields a poor defense effect.
Disclosure of Invention
An embodiment of the present application provides a source rate limiting method and apparatus, a computer program product, and an electronic device, so as to solve the technical problem in the prior art that the defense effect is not good.
In a first aspect, an embodiment of the present application provides a source rate limiting method, including: acquiring, at a detection start time, a first traffic rate of a source address to be rate-limited that corresponds to a destination address to be protected; and if the first traffic rate is greater than a detection rate threshold, determining whether to rate-limit the source address according to the category of the source address. In this scheme, a first traffic rate greater than the detection rate threshold indicates that the source address is sending a large volume of traffic, and whether to rate-limit it is then decided according to its category. Because the decision depends on the category of the source address rather than on traffic volume alone, the method avoids rate-limiting those high-volume source addresses that do not need to be limited, in contrast to directly rate-limiting every source address with large traffic, and thereby improves the defense effect.
In an optional embodiment, determining according to the category of the source address whether to rate-limit it includes: judging whether the source address to be rate-limited belongs to a source rate-limit protection address, where the traffic corresponding to a source rate-limit protection address is service traffic; and if the source address belongs to a source rate-limit protection address, not rate-limiting it. In this scheme, a source address that belongs to a source rate-limit protection address sends only service traffic, so it can be left unlimited, which avoids affecting the use of normal services and therefore improves the defense effect.
In an optional embodiment, after judging whether the source address to be rate-limited belongs to a source rate-limit protection address, the method further includes: if the source address does not belong to a source rate-limit protection address, judging whether it carries a common source protection tag; and if it does not carry the common source protection tag, rate-limiting it. In this scheme, a source address that neither belongs to a source rate-limit protection address nor carries a common source protection tag can be rate-limited directly, so that source rate limiting of uncommon source addresses is realized and the purpose of defense is achieved.
In an optional embodiment, after judging whether the source address to be rate-limited carries a common source protection tag, the method includes: if the source address carries the common source protection tag, judging whether it belongs to a common source address; if it belongs to a common source address, rate-limiting it only when the interval between the detection start time and the current time is greater than a detection time threshold and the second traffic rate of the source address at the current time is greater than the detection rate threshold; otherwise, not rate-limiting it. In this scheme, a source address that is not a source rate-limit protection address but carries the common source protection tag and is a common source address is rate-limited with a delay, so that normal service traffic is preserved while source rate-limiting protection is still applied to the other common sources, improving the defense effect.
In an optional implementation, before acquiring the first traffic rate of the source address to be rate-limited at the detection start time, the method further includes: for a target source address, acquiring a third traffic rate of the target source address during a learning period; judging whether the third traffic rate is greater than a source rate-limit threshold; and if the third traffic rate is greater than the source rate-limit threshold, determining that the target source address is a common source address. In this scheme, common source addresses are screened out according to the third traffic rate of the target source address, so that when it is later decided whether to rate-limit according to category, uncommon source addresses are rate-limited first while common source addresses are left unlimited or are limited with a delay, improving the defense effect.
In an optional embodiment, after determining that the target source address is a common source address, the method further includes: judging whether the traffic corresponding to the target source address is service traffic; if it is service traffic, determining the target source address as a source rate-limit protection address; otherwise, writing a common source protection tag to the target source address. In this scheme, source rate-limit protection addresses are screened from the common source addresses according to the type of their traffic, so that when it is later decided whether to rate-limit according to category, source rate-limit protection addresses are exempted from rate limiting, source addresses carrying the common source protection tag are rate-limited with a delay, and so on, improving the defense effect.
In a second aspect, an embodiment of the present application provides a source rate limiting device, including: a first acquisition module, configured to acquire, at a detection start time, a first traffic rate of a source address to be rate-limited that corresponds to a destination address to be protected; and a first determining module, configured to determine whether to rate-limit the source address according to its category if the first traffic rate is greater than a detection rate threshold. In this scheme, a first traffic rate greater than the detection rate threshold indicates that the source address is sending a large volume of traffic, and whether to rate-limit it is then decided according to its category. Because the decision depends on the category of the source address rather than on traffic volume alone, the device avoids rate-limiting those high-volume source addresses that do not need to be limited, in contrast to directly rate-limiting every source address with large traffic, and thereby improves the defense effect.
In an optional embodiment, the first determining module is specifically configured to: judge whether the source address to be rate-limited belongs to a source rate-limit protection address, where the traffic corresponding to a source rate-limit protection address is service traffic; and if the source address belongs to a source rate-limit protection address, not rate-limit it. In this scheme, a source address that belongs to a source rate-limit protection address sends only service traffic, so it can be left unlimited, which avoids affecting the use of normal services and therefore improves the defense effect.
In an optional embodiment, the source rate limiting device further includes: a first judging module, configured to judge whether the source address to be rate-limited carries a common source protection tag if it does not belong to a source rate-limit protection address; and a first rate limiting module, configured to rate-limit the source address if it does not carry the common source protection tag. In this scheme, a source address that neither belongs to a source rate-limit protection address nor carries a common source protection tag can be rate-limited directly, so that source rate limiting of uncommon source addresses is realized and the purpose of defense is achieved.
In an alternative embodiment, the source rate limiting device includes: a second judging module, configured to judge whether the source address to be rate-limited belongs to a common source address if it carries the common source protection tag; and a second rate limiting module, configured, if the source address belongs to a common source address, to rate-limit it only when the interval between the detection start time and the current time is greater than a detection time threshold and the second traffic rate of the source address at the current time is greater than the detection rate threshold, and otherwise not to rate-limit it. In this scheme, a source address that is not a source rate-limit protection address but carries the common source protection tag and is a common source address is rate-limited with a delay, so that normal service traffic is preserved while source rate-limiting protection is still applied to the other common sources, improving the defense effect.
In an alternative embodiment, the source rate limiting device further includes: a second acquisition module, configured, for a target source address, to acquire a third traffic rate of the target source address during a learning period and to judge whether the third traffic rate is greater than a source rate-limit threshold; and a second determining module, configured to determine that the target source address is a common source address if the third traffic rate is greater than the source rate-limit threshold. In this scheme, common source addresses are screened out according to the third traffic rate of the target source address, so that when it is later decided whether to rate-limit according to category, uncommon source addresses are rate-limited first while common source addresses are left unlimited or are limited with a delay, improving the defense effect.
In an alternative embodiment, the source rate limiting device further includes: a third judging module, configured to judge whether the traffic corresponding to the target source address is service traffic; and a third determining module, configured to determine the target source address as a source rate-limit protection address if its traffic is service traffic, and otherwise to write a common source protection tag to the target source address. In this scheme, source rate-limit protection addresses are screened from the common source addresses according to the type of their traffic, so that when it is later decided whether to rate-limit according to category, source rate-limit protection addresses are exempted from rate limiting, source addresses carrying the common source protection tag are rate-limited with a delay, and so on, improving the defense effect.
In a third aspect, an embodiment of the present application provides a computer program product including computer program instructions which, when read and executed by a processor, perform the source rate limiting method of the first aspect.
In a fourth aspect, an embodiment of the present application provides an electronic device, including a processor, a memory and a bus; the processor and the memory communicate with each other through the bus; the memory stores computer program instructions executable by the processor, and the processor invokes the computer program instructions to perform the source rate limiting method of the first aspect.
In a fifth aspect, embodiments of the present application provide a computer-readable storage medium storing computer program instructions which, when executed by a computer, cause the computer to perform the source rate limiting method of the first aspect.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a flowchart of a source rate limiting method according to an embodiment of the present application;
fig. 2 is a schematic diagram of an embodiment of step S102 provided in this application;
fig. 3 is a block diagram of a source speed limiting device according to an embodiment of the present application;
fig. 4 is a block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Referring to fig. 1, fig. 1 is a flowchart of a source rate limiting method according to an embodiment of the present application; the source rate limiting method may include the following steps:
Step S101: acquiring, at the detection start time, a first traffic rate of a source address to be rate-limited that corresponds to the destination address to be protected.
Step S102: if the first traffic rate is greater than the detection rate threshold, determining whether to rate-limit the source address according to its category.
Specifically, in step S101 the destination address to be protected is the address of an access-protected object, which may be a server or an electronic device; the source address to be rate-limited is the address of an object sending traffic to the access-protected object, which likewise may be a server or an electronic device.
The embodiment of the present application does not specifically limit how the detection start time in step S101 is implemented, and those skilled in the art may adjust it according to actual situations. For example, the detection start time may be the time at which execution of step S101 begins; or a detection start time variable may be allocated to the source address in advance, and when the first traffic rate is found to be greater than the detection rate threshold, the source rate-limiting function for that source address is started and the time at which it is started is recorded as the detection start time.
The first traffic rate is the traffic sent from the source address to be rate-limited to the destination address to be protected per unit time. As one implementation, the first traffic rate may be determined from the amount of traffic sent from the source address to the destination address within a period of time.
The embodiment of the present application does not specifically limit how the electronic device acquires the first traffic rate, and those skilled in the art may adjust this according to actual situations. For example, the electronic device may receive the first traffic rate from another device; or it may determine the first traffic rate from the amount of traffic sent from the source address to the destination address within a period of time; or it may read a first traffic rate stored in advance, from the cloud or locally.
It can be understood that if the first traffic rate is not greater than the detection rate threshold, the source address does not need to be rate-limited; if the first traffic rate is greater than the detection rate threshold, step S102 may be executed, that is, whether to rate-limit the source address is determined according to its category.
The embodiment of the present application does not specifically limit how the category of the source address to be rate-limited is defined, and those skilled in the art may adjust it according to actual situations. For example, the categories may be common source address and uncommon source address; or source address sending service traffic and source address sending non-service traffic; and so on.
It can be understood that the specific implementation of step S102 differs with the classification scheme used, which the embodiment of the present application likewise does not limit, and those skilled in the art may adjust it according to the category of the source address. Some embodiments are described in detail below by way of example.
In this scheme, a first traffic rate greater than the detection rate threshold indicates that the source address is sending a large volume of traffic, and whether to rate-limit it is then decided according to its category. Because the decision depends on the category of the source address rather than on traffic volume alone, the method avoids rate-limiting those high-volume source addresses that do not need to be limited, in contrast to directly rate-limiting every source address with large traffic, and thereby improves the defense effect.
Further, on the basis of the foregoing embodiment, step S102 may specifically include the following steps:
Step 1), judging whether the source address to be rate-limited belongs to a source rate-limit protection address.
Step 2), if the source address to be rate-limited belongs to a source rate-limit protection address, not rate-limiting it.
Specifically, in this embodiment the category of the source address to be rate-limited may include source rate-limit protection address and non-source rate-limit protection address. The traffic corresponding to a source rate-limit protection address is service traffic, that is, a source rate-limit protection address sends service traffic and a non-source rate-limit protection address sends non-service traffic.
It is to be understood that what constitutes service traffic is determined by the specific service type currently deployed, which the embodiment of the present application does not limit.
Based on this classification, whether the source address to be rate-limited belongs to a source rate-limit protection address can be judged. If it does, it is not rate-limited; if it does not, it may be rate-limited or other steps may be executed.
In this scheme, a source address that belongs to a source rate-limit protection address sends only service traffic, so it can be left unlimited, which avoids affecting the use of normal services and therefore improves the defense effect.
Further, on the basis of the foregoing embodiment, step S102 may specifically include the following steps:
Step 1), judging whether the source address to be rate-limited belongs to a source rate-limit protection address.
Step 2), if the source address to be rate-limited belongs to a source rate-limit protection address, not rate-limiting it.
Step 3), if the source address to be rate-limited does not belong to a source rate-limit protection address, judging whether it carries a common source protection tag.
Step 4), if the source address to be rate-limited does not carry the common source protection tag, rate-limiting it.
Specifically, in this embodiment the category of the source address to be rate-limited may include source rate-limit protection address and non-source rate-limit protection address, and a non-source rate-limit protection address may either carry or not carry a common source protection tag.
Based on this classification, if the source address to be rate-limited belongs to a source rate-limit protection address, it is not rate-limited; if it does not, whether it carries a common source protection tag can be judged next.
If the source address does not carry the common source protection tag, it can be rate-limited; if it does carry the tag, it is not rate-limited or other steps are executed.
In this scheme, a source address that neither belongs to a source rate-limit protection address nor carries a common source protection tag can be rate-limited directly, so that source rate limiting of uncommon source addresses is realized and the purpose of defense is achieved.
Further, on the basis of the foregoing embodiment, the step S102 may specifically include the following steps:
step 1), judging whether the source address to be limited belongs to the source speed limit protection address.
And step 2), if the source address to be limited belongs to the source speed-limiting protection address, not limiting the speed of the source address to be limited.
And 3) if the source address to be limited does not belong to the source speed limit protection address, judging whether the source address to be limited carries a common source protection label.
And 4) if the source address to be speed-limited does not carry the common source protection label, carrying out speed limitation on the source address to be speed-limited.
And 5) if the source address to be limited carries the common source protection label, judging whether the source address to be limited belongs to the common source address.
Step 6), if the source address to be speed-limited belongs to a common source address, limiting the speed of the source address to be speed-limited when the time interval between the detection starting time and the current time is greater than the detection time threshold and the second traffic rate of the source address to be speed-limited at the current time is greater than the detection rate threshold; otherwise, the speed limit is not carried out on the source address to be limited.
Specifically, in this embodiment of the present application, the categories of the source address to be rate-limited may include common source addresses and non-common source addresses; a common source address may be either a source rate-limit protection address or a non-protection address; the non-protection addresses may include source addresses carrying the common-source protection tag and source addresses not carrying it, and likewise the source rate-limit protection addresses may include source addresses carrying the tag and source addresses not carrying it.
A common source address is a source address that frequently sends traffic to the destination address to be protected, and a non-common source address is one that does not; the traffic corresponding to a source rate-limit protection address is service traffic, and the traffic corresponding to a non-protection address is non-service traffic.
Based on the foregoing classification, refer to fig. 2, which is a schematic diagram of an embodiment of step S102 according to an embodiment of the present disclosure.
First, judge whether the source address to be rate-limited belongs to a source rate-limit protection address; if so, do not rate-limit it, or apply other defensive processing. If it does not belong to a source rate-limit protection address, it can further be judged whether it carries the common-source protection tag.
If the source address to be rate-limited does not carry the common-source protection tag, it can be rate-limited; if it carries the common-source protection tag, it can further be judged whether it belongs to a common source address.
If the source address to be rate-limited does not belong to a common source address, it can be rate-limited; if it belongs to a common source address, delayed rate limiting can be applied to it.
Delayed rate limiting is implemented as follows: judge whether the time interval between the detection start time and the current time is greater than the detection time threshold; if it is, judge whether the second traffic rate of the source address to be rate-limited at the current time is greater than the detection rate threshold; and if the second traffic rate at the current time is greater than the detection rate threshold, start rate-limiting the source address at that moment. If the time interval between the detection start time and the current time is not greater than the detection time threshold, or the second traffic rate at the current time is not greater than the detection rate threshold, do not rate-limit the source address, or apply other defensive processing.
In this scheme, if the source address to be rate-limited does not belong to a source rate-limit protection address but carries the common-source protection tag and belongs to a common source address, it is rate-limited with a delay. Normal service traffic is thereby preserved while a degree of source rate-limit protection is also extended to other common sources, which improves the defense effect.
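The six-step decision above, written out as an added example in Python; it is not code from the patent or its assignee. The table layout, the Action names, the thresholds and the sample addresses are assumptions, and DEFER is the name used here for the "otherwise" branch of step 6), where a common source is not yet rate-limited and is re-examined at the next sampling time.

```python
"""Decision logic of step S102: deciding, by category, whether to rate-limit a
source address whose first traffic rate exceeded the detection rate threshold.
Added example; names, table layout, thresholds and sample data are assumptions,
not the patent's own code."""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    NO_LIMIT = "no_limit"      # step 2)
    RATE_LIMIT = "rate_limit"  # steps 4), 5) and the positive branch of 6)
    DEFER = "defer"            # 'otherwise' branch of 6): common source still inside the delay window


@dataclass
class ProtectionTables:
    """Per-protection-function tables named in the text (assumed layout)."""
    protection_addresses: set = field(default_factory=set)  # 'source rate-limit protection address' table
    common_sources: set = field(default_factory=set)        # 'common source address' table
    tagged: set = field(default_factory=set)                # addresses carrying the common-source protection tag


def decide(src, tables, second_rate, detect_start, now,
           detection_rate_threshold, detection_time_threshold):
    """Apply steps 1) to 6) to one source address.

    second_rate is the source's traffic rate at time `now`; detect_start is the
    detection start time at which its first traffic rate exceeded the threshold.
    """
    # Steps 1)/2): service sources in the protection table are never rate-limited.
    if src in tables.protection_addresses:
        return Action.NO_LIMIT
    # Steps 3)/4): no common-source protection tag -> rate-limit immediately.
    if src not in tables.tagged:
        return Action.RATE_LIMIT
    # Step 5): tagged but not actually a common source -> rate-limit immediately.
    if src not in tables.common_sources:
        return Action.RATE_LIMIT
    # Step 6): delayed rate limiting. Only a common source whose rate is still above
    # the threshold after the detection time threshold has elapsed is limited.
    if now - detect_start > detection_time_threshold and second_rate > detection_rate_threshold:
        return Action.RATE_LIMIT
    return Action.DEFER


def evaluate_samples(samples, tables, detect_start,
                     detection_rate_threshold, detection_time_threshold):
    """Run decide() over (src, second_rate, now) samples; returns one Action per sample."""
    return [decide(src, tables, rate, detect_start, now,
                   detection_rate_threshold, detection_time_threshold)
            for src, rate, now in samples]


# Constructed tables and samples (assumptions, not data from the patent).
TABLES = ProtectionTables(
    protection_addresses={"10.0.0.5"},
    common_sources={"10.0.0.5", "10.0.0.7", "10.0.0.9"},
    tagged={"10.0.0.7", "10.0.0.11"},
)
DETECT_START = 1000      # seconds; the first traffic rate exceeded the threshold here
RATE_THRESHOLD = 5000    # packets per second (assumed unit)
TIME_THRESHOLD = 30      # seconds
SAMPLES = [
    ("10.0.0.5", 9000, 1020),   # protection address: never limited
    ("10.0.0.8", 9000, 1020),   # untagged: limited immediately
    ("10.0.0.11", 9000, 1020),  # tagged but not a common source: limited immediately
    ("10.0.0.7", 9000, 1020),   # common, 20 s < 30 s elapsed: still deferred
    ("10.0.0.7", 9000, 1040),   # common, 40 s > 30 s and still above threshold: limited
    ("10.0.0.9", 100, 1040),    # common but never tagged, so step 4) applies: limited
    ("10.0.0.7", 100, 1040),    # common, delay elapsed but the burst subsided: not limited
]

if __name__ == "__main__":
    for sample, action in zip(SAMPLES, evaluate_samples(SAMPLES, TABLES, DETECT_START,
                                                        RATE_THRESHOLD, TIME_THRESHOLD)):
        print(sample, action.value)
```

The sixth sample is the point worth noticing: being in the common-source table alone does not earn the delay; the address must also carry the tag written by the step after learning, otherwise step 4) limits it like any non-common source.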
Further, on the basis of the foregoing embodiment, before the foregoing step S101, the source speed limiting method provided in the embodiment of the present application may further include the following steps:
Step 1) For a target source address, obtain the third traffic rate of the target source address in a learning period.
Step 2) Judge whether the third traffic rate is greater than the source rate-limit threshold.
Step 3) If the third traffic rate is greater than the source rate-limit threshold, determine that the target source address is a common source address.
Specifically, for a target source address, its category may be determined. When the categories of source addresses to be rate-limited include common source addresses and non-common source addresses, it can be determined whether the target source address is a common source address or a non-common source address.
The determination may use steps 1) to 3) above. First, the third traffic rate of the target source address in a learning period may be obtained, where the learning period is a predetermined period, for example a week or a month. As an embodiment, the third traffic rate may be determined from the amount of traffic sent by the target source address during the learning period.
It should be noted that the embodiment of the present application does not limit the specific manner in which the electronic device obtains the third traffic rate, and a person skilled in the art may adjust it according to the actual situation. For example, the electronic device may receive the third traffic rate from another device; or it may determine the third traffic rate from the number of flows from the source address to be rate-limited to the destination address to be protected within a period of time; or it may read a previously stored third traffic rate from the cloud or from local storage.
Then, it can be determined whether the third traffic rate is greater than the source rate-limit threshold. If the third traffic rate is greater than the source rate-limit threshold, the target source address is used frequently and can be determined to be a common source address; if the third traffic rate is not greater than the source rate-limit threshold, the target source address is not used frequently and can be determined to be a non-common source address.
In one embodiment, a periodic learning schedule (for example, learning for N minutes every M hours) may be set, and steps 1) and 2) above may be executed according to that schedule; in another embodiment, if an attack is encountered during learning, learning may be suspended and resumed once no attack is present.
In this scheme, common source addresses can be screened out according to the third traffic rate of the target source address, so that in the subsequent judgment of whether to rate-limit according to the category of the source address to be rate-limited, non-common source addresses can be rate-limited preferentially while common source addresses are not rate-limited or are rate-limited in a delayed manner, which improves the defense effect.
Further, on the basis of the foregoing embodiment, after the step of determining the target source address as the common source address, the source speed limiting method provided in the embodiment of the present application may further include the following steps:
Step 1) Judge whether the traffic corresponding to the target source address is service traffic.
Step 2) If the traffic corresponding to the target source address is service traffic, determine the target source address as a source rate-limit protection address; otherwise, write the common-source protection tag to the target source address.
Specifically, after the target source address has been determined to be a common source address, it can further be judged whether its traffic is service traffic; if the traffic corresponding to the target source address is service traffic, the target source address can be determined as a source rate-limit protection address; if it is not service traffic, the common-source protection tag is written to the target source address.
As an embodiment, steps 1) to 2) above may be performed by the electronic device; as another embodiment, they may be performed by an administrator through the electronic device.
For example, an administrator may open the configuration interface of a protection function; if the protection function uses source rate limiting, the electronic device may display the common source addresses in the interface. The administrator can then select, through the electronic device, the source addresses among the common source addresses whose traffic matches the service traffic and determine them as source rate-limit protection addresses, so that service traffic is protected more precisely; in addition, the administrator can write the common-source protection tag to those common source addresses whose traffic is not service traffic, so that they are protected to a certain extent.
In this scheme, source rate-limit protection addresses can be screened out from the common source addresses according to the traffic type of the target source address, so that in the subsequent judgment of whether to rate-limit according to the category of the source address to be rate-limited, source rate-limit protection addresses are exempted from rate limiting, source addresses carrying the common-source protection tag are rate-limited in a delayed manner, and so on, which improves the defense effect.
Further, on the basis of the above embodiment, a "common source address" table may be allocated to each protection function to record the source addresses that frequently send traffic to the protected address or network segment; a "source rate-limit protection address" table may be allocated to record the source addresses that send service traffic, which are protected from rate limiting; and a common-source protection tag may be added, so that a source address carrying the tag is also shielded from source rate limiting to a certain extent, with a priority lower than that of the addresses in the source rate-limit protection address table.
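The learning phase described above (steps 1) to 3) before S101 and steps 1) to 2) after a common source is determined, together with the two tables and the tag of the preceding paragraph), as an added example in Python that is not the patent's own code. The flow-record format, the learning period and its attack window, the source rate-limit threshold and the administrator's selection of service-traffic sources are constructed assumptions; the example goes slightly beyond the text by letting the third traffic rate exclude time spent under attack, which is one way to realize "learning is suspended during an attack and resumed afterwards".

```python
"""Learning phase preceding step S101: compute each source's third traffic rate
over the learning period, screen common source addresses, and split them into
the 'source rate-limit protection address' table and the tagged set.
Added example; records, thresholds, attack windows and the administrator's
service-traffic selection are constructed assumptions, not the patent's code."""

# Constructed flow records: (timestamp_s, src, dst, bytes). The learning period
# is [0, 600); an attack on the protected address is assumed during [300, 360).
RECORDS = [
    (10, "10.0.0.5", "10.1.1.1", 180_000), (130, "10.0.0.5", "10.1.1.1", 180_000),
    (250, "10.0.0.5", "10.1.1.1", 180_000), (400, "10.0.0.5", "10.1.1.1", 180_000),
    (520, "10.0.0.5", "10.1.1.1", 180_000),
    (50, "10.0.0.7", "10.1.1.1", 144_000), (170, "10.0.0.7", "10.1.1.1", 144_000),
    (290, "10.0.0.7", "10.1.1.1", 144_000), (450, "10.0.0.7", "10.1.1.1", 144_000),
    (570, "10.0.0.7", "10.1.1.1", 144_000),
    (60, "10.0.0.8", "10.1.1.1", 30_000), (480, "10.0.0.8", "10.1.1.1", 30_000),
    (100, "10.0.0.8", "10.1.1.2", 999_999),    # other destination: not counted
    (310, "10.0.0.9", "10.1.1.1", 1_500_000),  # bursts only while the attack is on
    (330, "10.0.0.9", "10.1.1.1", 1_500_000),
    (350, "10.0.0.9", "10.1.1.1", 1_500_000),
]


def _in_window(ts, windows):
    return any(start <= ts < end for start, end in windows)


def third_flow_rate(records, src, dst, learn_start, learn_end, attack_windows=()):
    """Average rate (bytes/s) that src sent to dst over the learning period.

    Records inside an attack window are discarded and the window's duration is
    removed from the denominator, modelling learning that is suspended during an
    attack. Windows are assumed to lie inside the learning period.
    """
    effective = (learn_end - learn_start) - sum(end - start for start, end in attack_windows)
    if effective <= 0:
        return 0.0
    total = sum(nbytes for ts, s, d, nbytes in records
                if s == src and d == dst and learn_start <= ts < learn_end
                and not _in_window(ts, attack_windows))
    return total / effective


def learn_common_sources(records, dst, learn_start, learn_end,
                         source_rate_threshold, attack_windows=()):
    """Steps 1) to 3): every source whose third traffic rate toward dst exceeds
    the source rate-limit threshold becomes a common source address."""
    sources = {s for _, s, d, _ in records if d == dst}
    return {s for s in sources
            if third_flow_rate(records, s, dst, learn_start, learn_end, attack_windows)
            > source_rate_threshold}


def build_tables(common_sources, service_sources):
    """Post-learning steps 1) to 2): common sources whose traffic is service
    traffic (here chosen by the administrator) become source rate-limit
    protection addresses; the other common sources get the protection tag."""
    protection = common_sources & service_sources
    tagged = common_sources - service_sources
    return protection, tagged


if __name__ == "__main__":
    common = learn_common_sources(RECORDS, "10.1.1.1", 0, 600, 1000, [(300, 360)])
    print("common sources:", sorted(common))
    print("protection table, tagged set:", build_tables(common, {"10.0.0.5"}))
```

Without the attack window, 10.0.0.9 would be learned as a common source on the strength of its burst alone; excluding the window is what keeps an attacker from buying itself the delayed rate-limiting treatment during learning.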
Referring to fig. 3, fig. 3 is a block diagram of a source rate-limiting device according to an embodiment of the present application. The source rate-limiting device 300 includes: a first obtaining module 301, configured to obtain the first traffic rate, at the detection start time, of a source address to be rate-limited that corresponds to a destination address to be protected; and a first determining module 302, configured to determine, according to the category of the source address to be rate-limited, whether to rate-limit it if the first traffic rate is greater than the detection rate threshold.
In the embodiment of the application, when the first traffic rate of the source address to be rate-limited is greater than the detection rate threshold, its traffic is relatively large, and whether it is rate-limited can be decided according to its category. Because the decision depends on the category rather than on traffic volume alone, the method avoids rate-limiting some source addresses that do not need it, compared with directly rate-limiting every source address with large traffic, and thus improves the defense effect.
Further, the first determining module 302 is specifically configured to: judge whether the source address to be rate-limited belongs to a source rate-limit protection address, where the traffic corresponding to a source rate-limit protection address is service traffic; and, if the source address to be rate-limited belongs to a source rate-limit protection address, not rate-limit it.
In the embodiment of the application, if the source address to be rate-limited belongs to a source rate-limit protection address, all of its traffic is service traffic, and it can be left un-rate-limited so that normal service is not affected. The defense effect is thereby improved.
Further, the source rate-limiting device 300 further includes: a first judging module, configured to judge whether the source address to be rate-limited carries the common-source protection tag if it does not belong to a source rate-limit protection address; and a first rate-limiting module, configured to rate-limit the source address to be rate-limited if it does not carry the common-source protection tag.
In the embodiment of the application, if the source address to be rate-limited neither belongs to a source rate-limit protection address nor carries the common-source protection tag, it can be rate-limited directly, so that source rate limiting of non-common source addresses is realized and the defensive purpose is achieved.
Further, the source rate-limiting device 300 includes: a second judging module, configured to judge whether the source address to be rate-limited belongs to a common source address if it carries the common-source protection tag; and a second rate-limiting module, configured to, if the source address to be rate-limited belongs to a common source address, rate-limit it when the time interval between the detection start time and the current time is greater than the detection time threshold and its second traffic rate at the current time is greater than the detection rate threshold, and otherwise not rate-limit it.
In the embodiment of the application, if the source address to be rate-limited does not belong to a source rate-limit protection address but carries the common-source protection tag and belongs to a common source address, it is rate-limited with a delay. Normal service traffic is thereby preserved while a degree of source rate-limit protection is also extended to other common sources, which improves the defense effect.
Further, the source rate-limiting device 300 further includes: a second obtaining module, configured to obtain, for a target source address, the third traffic rate of the target source address in a learning period; judging whether the third traffic rate is greater than the source rate-limit threshold; and a second determining module, configured to determine that the target source address is a common source address if the third traffic rate is greater than the source rate-limit threshold.
In the embodiment of the application, common source addresses can be screened out according to the third traffic rate of the target source address, so that in the subsequent judgment of whether to rate-limit according to the category of the source address to be rate-limited, non-common source addresses can be rate-limited preferentially while common source addresses are not rate-limited or are rate-limited in a delayed manner, which improves the defense effect.
Further, the source rate-limiting device 300 further includes: a third judging module, configured to judge whether the traffic corresponding to the target source address is service traffic; and a third determining module, configured to determine the target source address as a source rate-limit protection address if its traffic is service traffic, and otherwise to write the common-source protection tag to the target source address.
In the embodiment of the application, source rate-limit protection addresses can be screened out from the common source addresses according to the traffic type of the target source address, so that in the subsequent judgment of whether to rate-limit according to the category of the source address to be rate-limited, source rate-limit protection addresses are exempted from rate limiting, source addresses carrying the common-source protection tag are rate-limited in a delayed manner, and so on, which improves the defense effect.
Referring to fig. 4, fig. 4 is a block diagram of an electronic device according to an embodiment of the present disclosure, where the electronic device 400 includes: at least one processor 401, at least one communication interface 402, at least one memory 403 and at least one communication bus 404. Wherein the communication bus 404 is used for implementing direct connection communication of these components, the communication interface 402 is used for communicating signaling or data with other node devices, and the memory 403 stores machine-readable instructions executable by the processor 401. When the electronic device 400 is in operation, the processor 401 communicates with the memory 403 via the communication bus 404, and the machine-readable instructions, when invoked by the processor 401, perform the source rate limiting method described above.
For example, the processor 401 of the embodiment of the present application may read the computer program from the memory 403 through the communication bus 404 and execute it to implement the following method. Step S101: obtain the first traffic rate, at the detection start time, of a source address to be rate-limited that corresponds to the destination address to be protected. Step S102: if the first traffic rate is greater than the detection rate threshold, determine, according to the category of the source address to be rate-limited, whether to rate-limit it.
The processor 401 may include one or more integrated circuit chips with signal processing capability. The processor 401 may be a general-purpose processor, including a Central Processing Unit (CPU), a Micro Control Unit (MCU), a Network Processor (NP) or another conventional processor; it may also be a special-purpose processor, including a Neural-Network Processing Unit (NPU), a Graphics Processing Unit (GPU), a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or another programmable logic device, discrete gate or transistor logic, or discrete hardware components. When there are multiple processors 401, some of them may be general-purpose processors and others special-purpose processors.
The memory 403 includes one or more of, but is not limited to, Random Access Memory (RAM), Read-Only Memory (ROM), Programmable Read-Only Memory (PROM), Erasable Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like.
It will be appreciated that the configuration shown in fig. 4 is merely illustrative and that electronic device 400 may include more or fewer components than shown in fig. 4 or have a different configuration than shown in fig. 4. The components shown in fig. 4 may be implemented in hardware, software, or a combination thereof. In this embodiment, the electronic device 400 may be, but is not limited to, an entity device such as a desktop computer, a notebook computer, a smart phone, an intelligent wearable device, a vehicle-mounted device, and may also be a virtual device such as a virtual machine. In addition, the electronic device 400 is not necessarily a single device, but may be a combination of multiple devices, such as a server cluster, and the like.
Embodiments of the present application further provide a computer program product, which includes a computer program stored on a computer-readable storage medium, where the computer program includes computer program instructions, and when the computer program instructions are executed by a computer, the computer can perform the steps of the source speed limiting method in the foregoing embodiments, for example, including: acquiring a first flow rate of a source address to be speed-limited corresponding to a destination address to be protected at a detection start time; and if the first flow rate is greater than the detection rate threshold, determining whether to limit the speed of the source address to be limited according to the type of the source address to be limited.
The embodiment of the application also provides a computer-readable storage medium, which stores computer program instructions, and when the computer program instructions are executed by a computer, the computer causes the computer to execute the source speed limiting method in the foregoing method embodiment.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
It should be noted that the functions, if implemented in the form of software functional modules and sold or used as independent products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A source rate limiting method, comprising:
obtaining a first traffic rate, at a detection start time, of a source address to be rate-limited corresponding to a destination address to be protected; and
if the first traffic rate is greater than a detection rate threshold, determining, according to the category of the source address to be rate-limited, whether to rate-limit the source address to be rate-limited.
2. The source rate limiting method according to claim 1, wherein the determining, according to the category of the source address to be rate-limited, whether to rate-limit the source address to be rate-limited comprises:
judging whether the source address to be rate-limited belongs to a source rate-limit protection address, wherein the traffic corresponding to the source rate-limit protection address is service traffic; and
if the source address to be rate-limited belongs to the source rate-limit protection address, not rate-limiting the source address to be rate-limited.
3. The source rate limiting method according to claim 2, wherein after the judging whether the source address to be rate-limited belongs to the source rate-limit protection address, the method further comprises:
if the source address to be rate-limited does not belong to the source rate-limit protection address, judging whether the source address to be rate-limited carries a common-source protection tag; and
if the source address to be rate-limited does not carry the common-source protection tag, rate-limiting the source address to be rate-limited.
4. The source rate limiting method according to claim 3, wherein after the judging whether the source address to be rate-limited carries the common-source protection tag, the method further comprises:
if the source address to be rate-limited carries the common-source protection tag, judging whether the source address to be rate-limited belongs to a common source address;
if the source address to be rate-limited belongs to the common source address, rate-limiting the source address to be rate-limited when the time interval between the detection start time and the current time is greater than a detection time threshold and a second traffic rate of the source address to be rate-limited at the current time is greater than the detection rate threshold; and
otherwise, not rate-limiting the source address to be rate-limited.
5. The source rate limiting method according to any one of claims 1 to 4, wherein before the obtaining of the first traffic rate, at the detection start time, of the source address to be rate-limited corresponding to the destination address to be protected, the method further comprises:
for a target source address, obtaining a third traffic rate of the target source address in a learning period;
judging whether the third traffic rate is greater than a source rate-limit threshold; and
if the third traffic rate is greater than the source rate-limit threshold, determining that the target source address is a common source address.
6. The source rate limiting method of claim 5, wherein after the determining that the target source address is a common source address, the method further comprises:
judging whether the traffic corresponding to the target source address belongs to service traffic;
if the flow corresponding to the target source address belongs to the service flow, determining the target source address as a source speed-limiting protection address;
otherwise, writing a common source protection label to the target source address.
7. A source rate limiting device, comprising:
a first obtaining module, configured to obtain a first traffic rate, at a detection start time, of a source address to be rate-limited corresponding to a destination address to be protected; and
a first determining module, configured to determine, according to the category of the source address to be rate-limited, whether to rate-limit the source address to be rate-limited if the first traffic rate is greater than a detection rate threshold.
8. A computer program product comprising computer program instructions which, when read and executed by a processor, perform the method of any one of claims 1 to 6.
9. An electronic device, comprising: a processor, memory, and a bus;
the processor and the memory are communicated with each other through the bus;
the memory stores computer program instructions executable by the processor, the processor invoking the computer program instructions to perform the method of any of claims 1-6.
10. A computer-readable storage medium, storing computer program instructions which, when executed by a computer, cause the computer to perform the method of any one of claims 1-6.
CN202210861661.8A 2022-07-20 2022-07-20 Source speed limiting method and device and electronic equipment Active CN115225393B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210861661.8A CN115225393B (en) 2022-07-20 2022-07-20 Source speed limiting method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN115225393A true CN115225393A (en) 2022-10-21
CN115225393B CN115225393B (en) 2023-09-26

Family

ID=83614401

Country Status (1)

Country Link
CN (1) CN115225393B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH10200581A (en) * 1997-01-16 1998-07-31 Nippon Telegr & Teleph Corp (NTT) IP packet delay transfer control communication method and device
CN106559349A (en) * 2015-09-24 2017-04-05 阿里巴巴集团控股有限公司 Control method, device and system for service transmission rate
CN108390870A (en) * 2018-02-09 2018-08-10 北京天融信网络安全技术有限公司 Method and apparatus for defending against network attacks, storage medium and device
CN110445770A (en) * 2019-07-18 2019-11-12 平安科技(深圳)有限公司 Attack source positioning and defense method, electronic device and computer storage medium
CN111901284A (en) * 2019-05-06 2020-11-06 阿里巴巴集团控股有限公司 Flow control method and system
CN113328954A (en) * 2021-05-25 2021-08-31 深圳证券通信有限公司 Method for blocking and limiting service data packet transmission at the source end
CN113630318A (en) * 2020-05-06 2021-11-09 华为技术有限公司 Message transmission method and frame-type communication device
CN114745142A (en) * 2020-12-23 2022-07-12 腾讯科技(深圳)有限公司 Abnormal traffic processing method and device, computer device and storage medium

Also Published As

Publication number Publication date
CN115225393B (en) 2023-09-26

Similar Documents

Publication Publication Date Title
RU2607229C2 (en) Systems and methods of dynamic indicators aggregation to detect network fraud
KR101863172B1 (en) Document classification using multiscale text fingerprints
US8214490B1 (en) Compact input compensating reputation data tracking mechanism
US9900335B2 (en) Systems and methods for prioritizing indicators of compromise
WO2020000763A1 (en) Network risk monitoring method and apparatus, computer device and storage medium
CN110311925B (en) DDoS reflection type attack detection method and device, computer equipment and readable medium
WO2020014954A1 (en) Data control method and terminal device
US8527760B2 (en) Determining trust data for devices in a network
US10979446B1 (en) Automated vulnerability chaining
US8789174B1 (en) Method and apparatus for examining network traffic and automatically detecting anomalous activity to secure a computer
CN114915457B (en) Message transmission method, dynamic encryption method, device, electronic equipment and medium
US11876808B2 (en) Detecting phishing attacks on a network
CN114598512B (en) Network security guarantee method and device based on honeypot and terminal equipment
CN103986585A (en) Message preprocessing method and device
CN115225393B (en) Source speed limiting method and device and electronic equipment
CN114006819A (en) Detection strategy generation and device, and data transmission method and device
CN115603985A (en) Intrusion detection method, electronic device and storage medium
CN115037542A (en) Abnormal mail detection method and device
CN115150171A (en) Flow statistical method and device, electronic equipment and storage medium
US10171494B2 (en) Scarecrow for data security
CN116743406A (en) Network security early warning method and device, storage medium and computer equipment
US10949541B1 (en) Rating communicating entities based on the sharing of insecure content
US10560317B2 (en) Subscription to a subset of switching events
CN114676169B (en) Data query method and device
CN111615150B (en) 5G data transmission method, device, equipment and storage medium based on PCIe interface

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant