CN115225393B - Source speed limiting method and device and electronic equipment - Google Patents

Source speed limiting method and device and electronic equipment

Info

Publication number: CN115225393B
Application number: CN202210861661.8A
Authority: CN (China)
Prior art keywords: limited, source, source address, address, speed
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN115225393A
Inventors: 娄扬, 李晓然
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1458: Denial of Service
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/16: Threshold monitoring

Abstract

The application provides a source rate limiting method and device and an electronic device, applied in the technical field of network security. The source rate limiting method comprises the following steps: acquiring, at a detection start time, a first traffic rate of a source address to be rate-limited that corresponds to a destination address to be protected; and, if the first traffic rate is greater than a detection rate threshold, determining according to the category of the source address to be rate-limited whether to rate-limit it. In this scheme, a first traffic rate above the detection rate threshold indicates that the source address is sending at a high rate, and whether it is rate-limited is then decided by its category. Because the decision depends on the category of the source address rather than only on its traffic volume, the method avoids rate-limiting some source addresses that do not need it, which improves the defense effect.

Description

Source speed limiting method and device and electronic equipment
Technical Field
The application relates to the technical field of network security, and in particular to a source rate limiting method and device, a computer program product and an electronic device.
Background
Defense against distributed denial of service (DDoS) attacks is one of the important functions of a security gateway, and source rate limiting is one important defense against DDoS attacks.
In the prior art, source rate limiting against DDoS attacks generally restricts the traffic matching a custom service to a threshold configured in the custom service policy and discards the part of the traffic that exceeds the threshold. However, if the source rate-limit threshold is large, the traffic that still reaches the server is large and the defense effect is not ideal; if the threshold is small, real service traffic may be limited and normal use of the service is affected. That is, the existing source rate limiting method provides a poor defense effect.
Disclosure of Invention
Embodiments of the application aim to provide a source rate limiting method and device, a computer program product and an electronic device, in order to solve the technical problem of poor defense effect in the prior art.
In a first aspect, an embodiment of the present application provides a source rate limiting method, including: acquiring, at a detection start time, a first traffic rate of a source address to be rate-limited that corresponds to a destination address to be protected; and, if the first traffic rate is greater than a detection rate threshold, determining according to the category of the source address to be rate-limited whether to rate-limit it. In this scheme, a first traffic rate above the detection rate threshold indicates that the source address is sending at a high rate, and whether it is rate-limited is then decided by its category. Because the decision depends on the category of the source address rather than only on its traffic volume, the method avoids rate-limiting some source addresses that do not need it, which improves the defense effect.
In an optional implementation, determining according to the category of the source address to be rate-limited whether to rate-limit it includes: judging whether the source address to be rate-limited belongs to a source rate-limit protection address, where the traffic corresponding to a source rate-limit protection address is service traffic; and, if the source address belongs to a source rate-limit protection address, not rate-limiting it. In this scheme, if the source address belongs to a source rate-limit protection address, its traffic is service traffic and it is not rate-limited, so normal use of the service is not affected and the defense effect is improved.
In an optional embodiment, after judging whether the source address to be rate-limited belongs to a source rate-limit protection address, the method further includes: if the source address does not belong to a source rate-limit protection address, judging whether it carries a common source protection tag; and, if it does not carry the common source protection tag, rate-limiting it. In this scheme, a source address that neither belongs to a source rate-limit protection address nor carries the common source protection tag is rate-limited directly, so that uncommon source addresses are rate-limited at the source and the purpose of defense is achieved.
In an alternative embodiment, after judging whether the source address to be rate-limited carries a common source protection tag, the method includes: if the source address carries the common source protection tag, judging whether it belongs to a common source address; if it belongs to a common source address, rate-limiting it only when the time interval between the detection start time and the current time is greater than a detection time threshold and its second traffic rate at the current time is greater than the detection rate threshold; otherwise, not rate-limiting it. In this scheme, a source address that does not belong to a source rate-limit protection address but carries the common source protection tag and belongs to a common source address has its rate limiting delayed, so that normal service traffic is preserved while source rate-limit protection is still provided against the other common sources, and the defense effect is improved.
In an optional embodiment, before acquiring the first traffic rate of the source address to be rate-limited at the detection start time, the method further includes: for a target source address, acquiring a third traffic rate of the target source address over a learning period; judging whether the third traffic rate is greater than a source rate-limit threshold; and, if it is, determining the target source address to be a common source address. In this scheme, common source addresses are screened out by the third traffic rate of the target source address, so that when deciding by category whether to rate-limit, uncommon source addresses are rate-limited first while common source addresses are not rate-limited or have their rate limiting delayed, which improves the defense effect.
In an alternative embodiment, after determining the target source address to be a common source address, the method further includes: judging whether the traffic corresponding to the target source address is service traffic; if it is, determining the target source address to be a source rate-limit protection address; otherwise, writing a common source protection tag to the target source address. In this scheme, the source rate-limit protection addresses are screened out of the common source addresses by the class of traffic they send, so that when deciding by category whether to rate-limit, the source rate-limit protection addresses are not rate-limited and the source addresses carrying the common source protection tag are rate-limited with a delay, which improves the defense effect.
In a second aspect, an embodiment of the present application provides a source rate limiting device, including: a first acquisition module for acquiring, at the detection start time, a first traffic rate of a source address to be rate-limited that corresponds to a destination address to be protected; and a first determining module for determining, if the first traffic rate is greater than a detection rate threshold, according to the category of the source address to be rate-limited whether to rate-limit it. In this scheme, a first traffic rate above the detection rate threshold indicates that the source address is sending at a high rate, and whether it is rate-limited is then decided by its category. Because the decision depends on the category of the source address rather than only on its traffic volume, the device avoids rate-limiting some source addresses that do not need it, which improves the defense effect.
In an alternative embodiment, the first determining module is specifically configured to: judge whether the source address to be rate-limited belongs to a source rate-limit protection address, where the traffic corresponding to a source rate-limit protection address is service traffic; and, if the source address belongs to a source rate-limit protection address, not rate-limit it. In this scheme, if the source address belongs to a source rate-limit protection address, its traffic is service traffic and it is not rate-limited, so normal use of the service is not affected and the defense effect is improved.
In an alternative embodiment, the source rate limiting device further includes: a first judging module for judging, if the source address to be rate-limited does not belong to a source rate-limit protection address, whether it carries a common source protection tag; and a first rate limiting module for rate-limiting the source address if it does not carry the common source protection tag. In this scheme, a source address that neither belongs to a source rate-limit protection address nor carries the common source protection tag is rate-limited directly, so that uncommon source addresses are rate-limited at the source and the purpose of defense is achieved.
In an alternative embodiment, the source rate limiting device includes: a second judging module for judging, if the source address to be rate-limited carries the common source protection tag, whether it belongs to a common source address; and a second rate limiting module for rate-limiting the source address, if it belongs to a common source address, only when the time interval between the detection start time and the current time is greater than a detection time threshold and its second traffic rate at the current time is greater than the detection rate threshold, and otherwise not rate-limiting it. In this scheme, a source address that does not belong to a source rate-limit protection address but carries the common source protection tag and belongs to a common source address has its rate limiting delayed, so that normal service traffic is preserved while source rate-limit protection is still provided against the other common sources, and the defense effect is improved.
In an alternative embodiment, the source rate limiting device further includes: a second acquisition module for acquiring, for a target source address, a third traffic rate of the target source address over a learning period; judging whether the third traffic rate is greater than a source rate-limit threshold; and a second determining module for determining the target source address to be a common source address if the third traffic rate is greater than the source rate-limit threshold. In this scheme, common source addresses are screened out by the third traffic rate of the target source address, so that when deciding by category whether to rate-limit, uncommon source addresses are rate-limited first while common source addresses are not rate-limited or have their rate limiting delayed, which improves the defense effect.
In an alternative embodiment, the source rate limiting device further includes: a third judging module for judging whether the traffic corresponding to the target source address is service traffic; and a third determining module configured to determine the target source address to be a source rate-limit protection address if its traffic is service traffic, and otherwise to write a common source protection tag to the target source address. In this scheme, the source rate-limit protection addresses are screened out of the common source addresses by the class of traffic they send, so that when deciding by category whether to rate-limit, the source rate-limit protection addresses are not rate-limited and the source addresses carrying the common source protection tag are rate-limited with a delay, which improves the defense effect.
In a third aspect, embodiments of the present application provide a computer program product comprising computer program instructions which, when read and executed by a processor, perform the source rate limiting method of the first aspect.
In a fourth aspect, an embodiment of the present application provides an electronic device including a processor, a memory and a bus; the processor and the memory communicate with each other through the bus; the memory stores computer program instructions executable by the processor, and the processor invokes those instructions to perform the source rate limiting method of the first aspect.
In a fifth aspect, an embodiment of the present application provides a computer-readable storage medium storing computer program instructions which, when executed by a computer, cause the computer to perform the source rate limiting method of the first aspect.
To make the above objects, features and advantages of the present application clearer, embodiments are described in detail below with reference to the accompanying figures.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the present application and should not be considered as limiting its scope, and that other related drawings can be derived from them by a person skilled in the art without inventive effort.
FIG. 1 is a flow chart of a source speed limiting method according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a specific implementation of step S102 according to an embodiment of the present application;
FIG. 3 is a block diagram of a source speed limiting device according to an embodiment of the present application;
FIG. 4 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described below with reference to the accompanying drawings.
Referring to FIG. 1, which is a flow chart of a source rate limiting method according to an embodiment of the present application, the method may include the following steps:
Step S101: acquire, at the detection start time, the first traffic rate of the source address to be rate-limited that corresponds to the destination address to be protected.
Step S102: if the first traffic rate is greater than the detection rate threshold, determine according to the category of the source address to be rate-limited whether to rate-limit it.
Specifically, in step S101 the destination address to be protected is the address of the access-protected object, which may be a server, an electronic device or the like; the source address to be rate-limited is the address of the object that sends traffic to the protected object, which likewise may be a server or an electronic device.
The embodiment does not specifically limit how the detection start time in step S101 is chosen, and a person skilled in the art may adjust it according to the actual situation. For example, the detection start time may be the time at which step S101 starts executing; or a detection start time variable may be allocated to the source address in advance, and when the first traffic rate is found to be greater than the detection rate threshold, the source rate limiting function for that source address is started and the time at which it starts is recorded as the detection start time.
The first traffic rate is the rate of traffic sent from the source address to be rate-limited to the destination address to be protected per unit time. As an embodiment, it may be determined from the amount of traffic sent from the source address to the destination address over a period of time.
The embodiment does not specifically limit how the electronic device obtains the first traffic rate, and a person skilled in the art may adjust it according to the actual situation. For example, the electronic device may receive the first traffic rate from another device; or compute it from the amount of traffic sent from the source address to the destination address over a period of time; or read a previously stored value from the cloud or from local storage.
If the first traffic rate is not greater than the detection rate threshold, the source address does not need to be rate-limited; if it is greater, step S102 is executed, that is, whether to rate-limit the source address is determined according to its category.
The embodiment does not limit how the categories of source addresses to be rate-limited are defined, and a person skilled in the art may adjust them according to the actual situation. For example, the categories may include common source addresses and uncommon source addresses; alternatively, they may include source addresses that send service traffic and source addresses that send non-service traffic.
Since the implementation of step S102 depends on how the source addresses are classified, the embodiment does not limit it in particular, and a person skilled in the art may adjust it according to the classification used. Several embodiments are described in detail in the following examples.
In this scheme, a first traffic rate above the detection rate threshold indicates that the source address is sending at a high rate, and whether it is rate-limited is then decided by its category. Because the decision depends on the category of the source address rather than only on its traffic volume, the method avoids rate-limiting some source addresses that do not need it, which improves the defense effect.
Further, based on the above embodiment, step S102 may specifically include the following steps:
Step 1) judge whether the source address to be rate-limited belongs to a source rate-limit protection address.
Step 2) if the source address belongs to a source rate-limit protection address, do not rate-limit it.
Specifically, in this embodiment the categories of source addresses to be rate-limited may include source rate-limit protection addresses and non-protection addresses. The traffic corresponding to a source rate-limit protection address is service traffic; that is, a protection address sends service traffic and a non-protection address sends non-service traffic.
What counts as service traffic depends on the specific type of service in use, and the embodiments do not limit it in detail.
Based on this classification, it is judged whether the source address to be rate-limited belongs to a source rate-limit protection address. If it does, it is not rate-limited; if it does not, it may be rate-limited or further steps may be executed.
In this scheme, if the source address belongs to a source rate-limit protection address, its traffic is service traffic and it is not rate-limited, so normal use of the service is not affected and the defense effect is improved.
Further, based on the above embodiment, step S102 may specifically include the following steps:
Step 1) judge whether the source address to be rate-limited belongs to a source rate-limit protection address.
Step 2) if the source address belongs to a source rate-limit protection address, do not rate-limit it.
Step 3) if the source address does not belong to a source rate-limit protection address, judge whether it carries a common source protection tag.
Step 4) if the source address does not carry the common source protection tag, rate-limit it.
Specifically, in this embodiment the categories may include source rate-limit protection addresses and non-protection addresses, and the non-protection addresses may be further divided into source addresses that carry the common source protection tag and source addresses that do not.
Based on this classification, if the source address belongs to a source rate-limit protection address it is not rate-limited; if it does not, whether it carries the common source protection tag is judged next.
If the source address does not carry the common source protection tag, it is rate-limited; if it carries the tag, it may be left unlimited or further steps may be executed.
In this scheme, a source address that neither belongs to a source rate-limit protection address nor carries the common source protection tag is rate-limited directly, so that uncommon source addresses are rate-limited at the source and the purpose of defense is achieved.
Further, based on the above embodiment, the step S102 may specifically include the following steps:
and 1) judging whether the source address to be limited belongs to the source speed limiting protection address.
And 2) if the source address to be limited belongs to the source speed limiting protection address, not limiting the source address to be limited.
And step 3) if the source address to be limited does not belong to the source speed limiting protection address, judging whether the source address to be limited carries a common source protection label.
And step 4), if the source address to be limited does not carry the common source protection tag, limiting the source address to be limited.
And step 5), if the source address to be limited carries a common source protection label, judging whether the source address to be limited belongs to the common source address.
Step 6), if the source address to be limited belongs to the common source address, limiting the speed of the source address to be limited when the time interval between the detection starting time and the current time is larger than the detection time threshold value and the second flow rate of the source address to be limited at the current time is larger than the detection rate threshold value; otherwise, the source address to be limited is not limited.
Specifically, in the embodiment of the present application, the class of the source address to be speed-limited may include a common source address and an unusual source address, where the common source address may include a source speed-limited address and an unusual source speed-limited address, and the unusual source speed-limited address may include a source address carrying a common source protection tag and a source address not carrying a common source protection tag, and similarly, the source speed-limited address may include a source address carrying a common source protection tag and a source address not carrying a common source protection tag.
The common source address is a source address which transmits traffic to the destination address to be protected frequently, and the unusual source address is a source address which transmits traffic to the destination address to be protected infrequently; traffic corresponding to the source speed limit protection address belongs to traffic, and traffic corresponding to the non-source speed limit protection address belongs to non-traffic.
Based on the above classification, please refer to fig. 2, fig. 2 is a schematic diagram of a specific implementation of step S102 according to an embodiment of the present application.
Firstly, judging whether a source address to be limited belongs to a source speed limiting protection address, if the source address to be limited belongs to the source speed limiting protection address, not limiting the speed of the source address to be limited or adopting other defensive processing; if the source address to be limited does not belong to the source speed limiting protection address, whether the source address to be limited carries a common source protection label can be further judged.
If the source address to be limited does not carry the common source protection tag, the source address to be limited can be limited; if the source address to be limited carries a common source protection tag, whether the source address to be limited belongs to the common source address can be further judged.
If the source address to be limited does not belong to the common source address, the source address to be limited can be limited; if the source address to be limited belongs to the common source address, the source address to be limited can be delayed and limited.
The specific implementation mode of the delay speed limit is as follows: judging whether the time interval between the detection starting time and the current time is larger than a detection time threshold value or not; if the time interval between the detection starting time and the current time is larger than the detection time threshold, judging whether the second flow rate of the source address to be limited at the current time is larger than the detection rate threshold; and if the second flow rate of the source address to be limited at the current time is greater than the detection rate threshold, starting to limit the speed of the source address to be limited at the moment. And if the time interval between the detection starting time and the current time is not greater than the detection time threshold, or the second flow rate of the source address to be limited at the current time is not greater than the detection rate threshold, not limiting the source address to be limited or adopting other defensive processing.
In the above scheme, if the source address to be limited does not belong to the source speed limit protection address but carries the common source protection tag and belongs to the common source address, speed limiting of that source address can be delayed, so that other common sources receive delayed source speed limit protection while normal traffic flow is ensured, and the defending effect is improved.
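The decision flow of Fig. 2 (steps 1 to 6 above), written out as an added example; this is illustrative code and not the patent's implementation. The table names, the `Action` values, the sample addresses and the threshold values are assumptions chosen for the illustration.

```python
# Added example (not the patent's code): the step S102 decision flow of Fig. 2 as a pure function.
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    NO_LIMIT = "no_limit"      # source is not rate limited
    LIMIT = "limit"            # rate limiting starts now
    DEFER = "defer"            # delayed limiting: keep observing, no limit yet


@dataclass(frozen=True)
class SourceTables:
    # Field names are assumptions mirroring the tables the description mentions.
    protected: frozenset  # "source speed limit protection address" table (service traffic)
    common: frozenset     # "common source address" table (learned frequent senders)
    tagged: frozenset     # addresses carrying the common source protection tag


@dataclass(frozen=True)
class Thresholds:
    detect_rate: float    # detection rate threshold, same unit as the measured rates
    detect_time: float    # detection time threshold in seconds


def decide(src, first_rate, second_rate, t_start, t_now, tables, th):
    """Return the Action for one source address to be speed-limited.

    first_rate  - flow rate at the detection start time (step S101)
    second_rate - flow rate at the current time (used only on the delayed path)
    t_start     - detection start time; t_now - current time (both in seconds)
    """
    # Step S102 runs only when the first flow rate exceeds the detection rate threshold.
    if first_rate <= th.detect_rate:
        return Action.NO_LIMIT
    # Steps 1)-2): a protection address carries service traffic and is never limited.
    if src in tables.protected:
        return Action.NO_LIMIT
    # Steps 3)-4): without the common source protection tag, limit immediately.
    if src not in tables.tagged:
        return Action.LIMIT
    # Steps 5)-6): tagged but not a common source, limit immediately.
    if src not in tables.common:
        return Action.LIMIT
    # Tagged common source: delayed limit, both conditions must hold.
    if (t_now - t_start) > th.detect_time and second_rate > th.detect_rate:
        return Action.LIMIT
    return Action.DEFER


def run_sample():
    """Constructed scenario (addresses and numbers are made up for illustration)."""
    tables = SourceTables(
        protected=frozenset({"10.0.0.5"}),
        common=frozenset({"10.0.0.5", "10.0.0.6", "10.0.0.7"}),
        tagged=frozenset({"10.0.0.6", "10.0.0.8"}),
    )
    th = Thresholds(detect_rate=1000.0, detect_time=30.0)
    t0 = 1_700_000_000.0  # detection start time (epoch seconds, constructed)
    cases = {
        "below_threshold": ("10.0.0.9", 100.0, 100.0, t0, t0 + 60),
        "protected": ("10.0.0.5", 5000.0, 5000.0, t0, t0 + 60),
        "untagged": ("10.0.0.9", 5000.0, 5000.0, t0, t0 + 60),
        "tagged_not_common": ("10.0.0.8", 5000.0, 5000.0, t0, t0 + 60),
        "tagged_common_too_early": ("10.0.0.6", 5000.0, 5000.0, t0, t0 + 10),
        "tagged_common_rate_dropped": ("10.0.0.6", 5000.0, 500.0, t0, t0 + 60),
        "tagged_common_persisting": ("10.0.0.6", 5000.0, 3000.0, t0, t0 + 60),
    }
    return {name: decide(*args, tables, th) for name, args in cases.items()}


if __name__ == "__main__":
    for name, action in run_sample().items():
        print(f"{name:28s} -> {action.value}")
```

The two delayed cases show the point of the second check: a tagged common source whose rate has fallen back under the detection rate threshold by the time the detection time threshold has elapsed is left alone, while one that is still above it is limited.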
Further, on the basis of the above embodiment, before the step S101, the source speed limiting method provided by the embodiment of the present application may further include the following steps:
Step 1), aiming at a target source address, acquiring a third flow rate of the target source address in a learning period.
Step 2), judging whether the third flow rate is larger than a source speed limit threshold.
Step 3), if the third flow rate is greater than the source speed limit threshold, determining the target source address as the common source address.
Specifically, for a target source address, the class of the target source address may be determined. When the classes of source addresses to be speed-limited include a common source address and an unusual source address, it can be determined whether the target source address belongs to the common source addresses or to the unusual source addresses.
Wherein, the method of determination can adopt the steps 1) to 3). First, a third flow rate of the target source address may be obtained over a learning period of time, where the learning period of time is a predetermined period of time, for example: may be one week, one month, etc. As an embodiment, the third flow rate may be determined according to the amount of flow transmitted by the target source address in the learning period.
It should be noted that, in the embodiment of the present application, the specific implementation manner of the electronic device to obtain the third flow rate is not specifically limited, and those skilled in the art may also perform appropriate adjustment according to the actual situation. For example, the electronic device may receive a third flow rate sent by the other device; or the electronic equipment can determine the third flow rate according to the flow quantity from the source address to be limited to the destination address to be protected in a period of time; alternatively, the electronic device may read a third flow rate or the like stored in advance from the cloud or locally.
Then, it may be determined whether the third flow rate is greater than the source speed limit threshold. If the third flow rate is greater than the source speed limit threshold, the target source address is frequently used, so it can be determined to be a common source address; if the third flow rate is not greater than the source speed limit threshold, the target source address is not commonly used, and so it can be determined to be an unusual source address.
As an embodiment, a learning regular time (for example, learning N minutes every M hours) may be set, and the steps 1) and 2) may be executed based on the learning regular time; as another embodiment, if an attack is received during learning, learning may be ended until learning is restarted after there is no attack.
In the above scheme, the common source address can be screened out according to the third flow rate of the target source address, so that in the process of judging whether to speed limit according to the category of the source address to be speed-limited, the unusual source address can be preferentially speed-limited, and the common source address is not speed-limited or delayed for speed-limiting, thereby improving the defending effect.
Further, on the basis of the above embodiment, after the step of determining that the target source address is the common source address, the source speed limiting method provided by the embodiment of the present application may further include the following steps:
Step 1), judging whether the traffic corresponding to the target source address belongs to the service traffic.
Step 2), if the traffic corresponding to the target source address belongs to the service traffic, determining the target source address as a source speed limit protection address; otherwise, writing the common source protection tag into the target source address.
Specifically, after determining that the target source address is a common source address, it may be further determined whether the traffic corresponding to the target source address belongs to the service traffic; if the traffic corresponding to the target source address belongs to the service traffic, the target source address can be determined to be a source speed limit protection address; if the traffic corresponding to the target source address does not belong to the service traffic, the common source protection tag can be written into the target source address.
As an embodiment, the above steps 1) -2) may be performed by an electronic device; as another embodiment, the steps 1) to 2) may be performed by an administrator through an electronic device.
For example, an administrator may open the configuration interface of a protection function; if the protection function uses the source speed limit function, the electronic device may display the common source addresses in that interface. The administrator can then select, from the common source addresses, the source addresses that match the service traffic and designate them as source speed limit protection addresses, so that the service traffic is protected more accurately; in addition, the administrator can write the common source protection tag into those common source addresses whose traffic is not service traffic, so that common source addresses that do not carry service traffic are protected to a certain extent.
In the above scheme, the source speed-limiting protection address can be screened from the common source addresses according to the traffic class corresponding to the target source address, so that in the process of judging whether to speed limit according to the class of the source address to be speed-limited, the source speed-limiting protection address can not be speed-limited, and the delay of the source address to be speed-limited carrying the common source protection tag can be speed-limited, thereby improving the defending effect.
Further, based on the above embodiment, a "common source address" table may be allocated to each protection function, where the table is used to record the source addresses of the traffic that frequently accesses the protected address or network segment; a 'source speed limit protection address' table can be allocated, and the table is used for recording source addresses of transmission service traffic and protecting the source addresses from being limited in speed; the common source protection label can be added, and the source address carrying the common source protection label is not influenced by source speed limit to a certain extent, and the priority is inferior to the source address in the source speed limit protection address table.
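The learning phase (steps 1 to 3 before S101) and the subsequent split of the learned common sources into the "source speed limit protection address" table and the tagged set, as one added example covering both passages; this is illustrative code, not the patent's implementation. The flow records, the learning windows, the discarded attack window, the threshold and the administrator's choice of service sources are all constructed here.

```python
# Added example (not the patent's code): learning common sources from constructed flow records,
# then splitting them into the protection address table and the tagged set.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed flow records: (timestamp_s, src, dst, bytes). Not taken from the patent.
SAMPLE_FLOWS = [
    (10, "10.1.1.1", "192.0.2.10", 6000),
    (20, "10.1.1.2", "192.0.2.10", 1200),
    (15, "10.1.1.6", "192.0.2.11", 90000),    # different destination, ignored
    (3610, "10.1.1.3", "192.0.2.10", 100000),  # falls inside the attacked window
    (7210, "10.1.1.1", "192.0.2.10", 6000),
    (7230, "10.1.1.4", "192.0.2.10", 6000),
    (30, "10.1.1.5", "192.0.2.10", 9000),
    (7240, "10.1.1.5", "192.0.2.10", 3000),
]

# "Learn N minutes every M hours" modelled as three 60 s windows one hour apart.
# The middle window saw an attack, so learning there is discarded (constructed).
LEARNING_WINDOWS = [(0, 60), (3600, 3660), (7200, 7260)]
ATTACKED_WINDOWS = {(3600, 3660)}


@dataclass
class SourceTables:
    common: set = field(default_factory=set)     # "common source address" table
    protected: set = field(default_factory=set)  # "source speed limit protection address" table
    tagged: set = field(default_factory=set)     # addresses carrying the common source protection tag


def third_flow_rates(flows, dst, windows, attacked):
    """Bytes per second sent by each source to dst over the windows actually learned."""
    totals = defaultdict(int)
    learned_seconds = 0
    for window in windows:
        if window in attacked:
            continue  # learning ended during an attack; nothing from this window counts
        w_start, w_end = window
        learned_seconds += w_end - w_start
        for ts, src, d, nbytes in flows:
            if d == dst and w_start <= ts < w_end:
                totals[src] += nbytes
    if learned_seconds == 0:
        return {}
    return {src: b / learned_seconds for src, b in totals.items()}


def learn_common_sources(rates, source_limit_threshold):
    """Steps 1)-3): a source whose third flow rate exceeds the threshold is a common source."""
    return {src for src, r in rates.items() if r > source_limit_threshold}


def classify_common_sources(common, service_sources):
    """Steps 1)-2) after learning: service traffic -> protection table, otherwise tag the source."""
    tables = SourceTables(common=set(common))
    for src in common:
        if src in service_sources:
            tables.protected.add(src)
        else:
            tables.tagged.add(src)
    return tables


def run_sample():
    rates = third_flow_rates(SAMPLE_FLOWS, "192.0.2.10", LEARNING_WINDOWS, ATTACKED_WINDOWS)
    common = learn_common_sources(rates, source_limit_threshold=50.0)
    # Constructed administrator decision: only 10.1.1.1 carries service traffic.
    tables = classify_common_sources(common, service_sources={"10.1.1.1"})
    return rates, tables


if __name__ == "__main__":
    rates, tables = run_sample()
    for src, rate in sorted(rates.items()):
        print(f"{src:10s} {rate:8.1f} B/s")
    print("common   :", sorted(tables.common))
    print("protected:", sorted(tables.protected))
    print("tagged   :", sorted(tables.tagged))
```

Note that 10.1.1.4 sits exactly on the threshold and is therefore not a common source, matching the strict "greater than" comparison in step 2), and that 10.1.1.3, which only sent during the attacked window, acquires no rate at all.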
Referring to fig. 3, fig. 3 is a block diagram of a source speed limiting device according to an embodiment of the present application, where the source speed limiting device 300 includes: a first obtaining module 301, configured to obtain a first flow rate of a to-be-speed-limited source address corresponding to a to-be-protected destination address at a detection start time; the first determining module 302 is configured to determine whether to limit the source address to be limited according to the class of the source address to be limited if the first flow rate is greater than the detection rate threshold.
In the embodiment of the application, when the first flow rate of the source address to be limited is greater than the detection rate threshold, the flow rate of the source address to be limited is larger, and whether the source address to be limited is limited or not can be determined according to the category of the source address to be limited. Because whether the speed is limited is determined according to the type of the source address to be limited, compared with the speed limit of the source address with larger flow, the method can avoid the speed limit of part of source addresses which do not need to be limited, thereby improving the defending effect.
Further, the first determining module 302 is specifically configured to: judging whether the source address to be limited belongs to a source speed limiting protection address or not; wherein, the flow corresponding to the source speed limit protection address belongs to the service flow; and if the source address to be limited belongs to the source speed limiting protection address, not limiting the speed of the source address to be limited.
In the embodiment of the application, if the source address to be limited belongs to the source speed limiting protection address, the traffic corresponding to the source address to be limited is all service traffic, and the source address to be limited can be left unlimited, so that the use of normal traffic is not affected. Therefore, the defending effect can be improved.
Further, the source speed limiting device 300 further includes: the first judging module is used for judging whether the source address to be limited in speed carries a common source protection label or not if the source address to be limited in speed does not belong to the source speed limit protection address; and the first speed limiting module is used for limiting the speed of the source address to be limited if the source address to be limited does not carry the common source protection tag.
In the embodiment of the application, if the source address to be limited does not belong to the source speed limit protection address and does not carry the common source protection tag, the source address to be limited can be directly limited, so that the source speed limit of the source address which is not used commonly is realized, and the purpose of defending is achieved.
Further, the source speed limiting device 300 includes: the second judging module is used for judging whether the source address to be limited in speed belongs to a common source address if the source address to be limited in speed carries the common source protection tag; the second speed limiting module is used for limiting the speed of the source address to be limited when the time interval between the detection starting time and the current time is larger than a detection time threshold value and the second flow rate of the source address to be limited at the current time is larger than the detection rate threshold value if the source address to be limited belongs to the common source address; otherwise, the source address to be limited is not limited.
In the embodiment of the application, if the source address to be limited does not belong to the source speed limit protection address but carries the common source protection tag and belongs to the common source address, speed limiting of that source address can be delayed, so that other common sources receive delayed source speed limit protection while normal traffic flow is ensured, and the defending effect is improved.
Further, the source speed limiting device 300 further includes: the second acquisition module is used for acquiring a third flow rate of a target source address in a learning time period aiming at the target source address; judging whether the third flow rate is greater than a source speed limit threshold; and the second determining module is used for determining that the target source address is a common source address if the third flow rate is greater than the source speed limit threshold.
In the embodiment of the application, the common source address can be screened out according to the third flow rate of the target source address, so that in the process of judging whether to limit the speed according to the category of the source address to be limited, the unusual source address can be limited preferentially, and the common source address is not limited or delayed to limit the speed, thereby improving the defending effect.
Further, the source speed limiting device 300 further includes: the third judging module is used for judging whether the traffic corresponding to the target source address belongs to the service traffic or not; the third determining module is configured to determine the target source address as a source speed limit protection address if the traffic corresponding to the target source address belongs to the service traffic; otherwise, writing a common source protection tag into the target source address.
In the embodiment of the application, the source speed-limiting protection address can be screened from the common source addresses according to the traffic class corresponding to the target source address, so that the source speed-limiting protection address can not be limited in the process of judging whether to limit the speed according to the class of the source address to be limited, and the source address to be limited carrying the common source protection tag can be limited in a delayed manner, thereby improving the defending effect.
Referring to fig. 4, fig. 4 is a block diagram of an electronic device according to an embodiment of the present application, where the electronic device 400 includes: at least one processor 401, at least one communication interface 402, at least one memory 403, and at least one communication bus 404. Where communication bus 404 is used to enable direct connection communication of these components, communication interface 402 is used for signaling or data communication with other node devices, and memory 403 stores machine readable instructions executable by processor 401. When the electronic device 400 is in operation, the processor 401 and the memory 403 communicate via the communication bus 404, and the machine readable instructions when invoked by the processor 401 perform the source speed limit method described above.
For example, the processor 401 of the embodiment of the present application may implement the following method by reading a computer program from the memory 403 through the communication bus 404 and executing the computer program: step S101: and acquiring a first flow rate of the source address to be limited corresponding to the destination address to be protected at the detection starting time. Step S102: if the first flow rate is greater than the detection rate threshold, determining whether to limit the speed of the source address to be limited according to the category of the source address to be limited.
The processor 401 includes one or more processors, which may be integrated circuit chips having signal processing capability. The processor 401 may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a micro control unit (Micro Controller Unit, MCU), a network processor (Network Processor, NP), or other conventional processor; but may also be a special purpose processor, including a neural network processor (Neural Network Processor, NPU), a graphics processor (Graphics Processing Unit, GPU), a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field programmable gate array (Field Programmable Gate Array, FPGA) or other programmable logic device, discrete gate or transistor logic device, or discrete hardware components. Also, when the processor 401 is plural, some of them may be general-purpose processors and others may be special-purpose processors.
The memory 403 includes one or more memories, which may be, but are not limited to, random access memory (Random Access Memory, RAM), read-only memory (Read-Only Memory, ROM), programmable read-only memory (Programmable Read-Only Memory, PROM), erasable programmable read-only memory (Erasable Programmable Read-Only Memory, EPROM), electrically erasable programmable read-only memory (Electrically Erasable Programmable Read-Only Memory, EEPROM), etc.
It is to be understood that the configuration shown in fig. 4 is merely illustrative, and that electronic device 400 may also include more or fewer components than those shown in fig. 4, or have a different configuration than that shown in fig. 4. The components shown in fig. 4 may be implemented in hardware, software, or a combination thereof. In the embodiment of the present application, the electronic device 400 may be, but is not limited to, a physical device such as a desktop, a notebook, a smart phone, an intelligent wearable device, a vehicle-mounted device, or a virtual device such as a virtual machine. In addition, the electronic device 400 is not necessarily a single device, but may be a combination of a plurality of devices, such as a server cluster, or the like.
An embodiment of the present application further provides a computer program product, including a computer program stored on a computer readable storage medium, the computer program including computer program instructions which, when executed by a computer, are capable of performing the steps of the source speed limit method of the above embodiment, for example, including: acquiring a first flow rate of a to-be-speed-limited source address corresponding to a to-be-protected destination address at a detection start time; if the first flow rate is greater than a detection rate threshold, determining whether to limit the source address to be limited according to the category of the source address to be limited.
The embodiment of the application also provides a computer readable storage medium, which stores computer program instructions, and when the computer program instructions are executed by a computer, the computer is caused to execute the source speed limiting method in the embodiment of the method.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be other manners of division in actual implementation, and for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some communication interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
Further, the units described as separate units may or may not be physically separate, and units displayed as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Furthermore, functional modules in various embodiments of the present application may be integrated together to form a single portion, or each module may exist alone, or two or more modules may be integrated to form a single portion.
It should be noted that the functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application may be embodied essentially, or in a part contributing to the prior art, or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and variations will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (6)

1. A source rate limiting method, comprising:
acquiring a first flow rate of a to-be-speed-limited source address corresponding to a to-be-protected destination address at a detection start time;
if the first flow rate is greater than a detection rate threshold, determining whether to limit the source address to be limited according to the category of the source address to be limited;
determining whether to limit the speed of the source address to be limited according to the category of the source address to be limited comprises the following steps:
judging whether the source address to be limited belongs to a source speed limiting protection address or not; wherein, the flow corresponding to the source speed limit protection address belongs to the service flow, and the flow corresponding to the non-source speed limit protection address belongs to the non-service flow;
if the source address to be limited belongs to the source speed limiting protection address, not limiting the speed of the source address to be limited;
After the judging whether the source address to be speed-limited belongs to the source speed-limiting protection address, the method further comprises:
if the source address to be limited does not belong to the source speed limiting protection address, judging whether the source address to be limited carries a common source protection label or not;
if the source address to be limited does not carry the common source protection tag, limiting the speed of the source address to be limited;
after the judging whether the source address to be limited in speed carries a common source protection label, the method comprises the following steps:
if the source address to be limited carries the common source protection tag, judging whether the source address to be limited belongs to the common source address or not;
if the source address to be limited belongs to the common source address, limiting the speed of the source address to be limited when the time interval between the detection starting time and the current time is larger than a detection time threshold value and the second flow rate of the source address to be limited at the current time is larger than the detection rate threshold value;
otherwise, the source address to be limited is not limited.
2. The source speed limiting method according to claim 1, wherein before the obtaining a first flow rate of the to-be-speed-limited source address corresponding to the to-be-protected destination address at the detection start time, the method further comprises:
Aiming at a target source address, acquiring a third flow rate of the target source address in a learning time period;
judging whether the third flow rate is greater than a source speed limit threshold;
and if the third flow rate is greater than the source speed limit threshold, determining the target source address as a common source address.
3. The source speed limiting method according to claim 2, wherein after said determining that said target source address is a common source address, said method further comprises:
judging whether the flow corresponding to the target source address belongs to service flow or not;
if the traffic corresponding to the target source address belongs to the service traffic, determining the target source address as a source speed limit protection address;
otherwise, writing a common source protection tag into the target source address.
4. A source rate limiting device, comprising:
the first acquisition module is used for acquiring a first flow rate of a source address to be limited in speed, corresponding to a destination address to be protected, at the detection starting time;
the first determining module is used for determining whether to limit the speed of the source address to be limited according to the category of the source address to be limited if the first flow rate is greater than a detection rate threshold;
The first determining module is specifically configured to:
judging whether the source address to be limited belongs to a source speed limiting protection address or not; wherein, the flow corresponding to the source speed limit protection address belongs to the service flow, and the flow corresponding to the non-source speed limit protection address belongs to the non-service flow;
if the source address to be limited belongs to the source speed limiting protection address, not limiting the speed of the source address to be limited;
the source speed limiting device further includes:
the first judging module is used for judging whether the source address to be limited in speed carries a common source protection label or not if the source address to be limited in speed does not belong to the source speed limit protection address;
the first speed limiting module is used for limiting the speed of the source address to be limited if the source address to be limited does not carry the common source protection tag;
the second judging module is used for judging whether the source address to be limited in speed belongs to a common source address if the source address to be limited in speed carries the common source protection tag;
the second speed limiting module is used for limiting the speed of the source address to be limited when the time interval between the detection starting time and the current time is larger than a detection time threshold value and the second flow rate of the source address to be limited at the current time is larger than the detection rate threshold value if the source address to be limited belongs to the common source address; otherwise, the source address to be limited is not limited.
5. An electronic device, comprising: a processor, a memory, and a bus;
the processor and the memory complete communication with each other through the bus;
the memory stores computer program instructions executable by the processor, the processor invoking the computer program instructions to perform the method of any of claims 1-3.
6. A computer readable storage medium storing computer program instructions which, when executed by a computer, cause the computer to perform the method of any one of claims 1-3.
CN202210861661.8A 2022-07-20 2022-07-20 Source speed limiting method and device and electronic equipment Active CN115225393B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210861661.8A CN115225393B (en) 2022-07-20 2022-07-20 Source speed limiting method and device and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210861661.8A CN115225393B (en) 2022-07-20 2022-07-20 Source speed limiting method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN115225393A CN115225393A (en) 2022-10-21
CN115225393B true CN115225393B (en) 2023-09-26

Family

ID=83614401

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210861661.8A Active CN115225393B (en) 2022-07-20 2022-07-20 Source speed limiting method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN115225393B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH10200581A (en) * 1997-01-16 1998-07-31 Nippon Telegr & Teleph Corp <Ntt> Ip packet delay transfer control communication method and device
CN106559349A (en) * 2015-09-24 2017-04-05 阿里巴巴集团控股有限公司 The control method and device of service transmission rate, system
CN108390870A (en) * 2018-02-09 2018-08-10 北京天融信网络安全技术有限公司 A kind of method, apparatus of defending against network attacks, storage medium and equipment
CN110445770A (en) * 2019-07-18 2019-11-12 平安科技(深圳)有限公司 Attack Source positioning and means of defence, electronic equipment and computer storage medium
CN111901284A (en) * 2019-05-06 2020-11-06 阿里巴巴集团控股有限公司 Flow control method and system
CN113328954A (en) * 2021-05-25 2021-08-31 深圳证券通信有限公司 Method for blocking and limiting service data packet transmission of source end
CN113630318A (en) * 2020-05-06 2021-11-09 华为技术有限公司 Message transmission method and frame type communication equipment
CN114745142A (en) * 2020-12-23 2022-07-12 腾讯科技(深圳)有限公司 Abnormal flow processing method and device, computer equipment and storage medium

Also Published As

Publication number Publication date
CN115225393A (en) 2022-10-21

Similar Documents

Publication Publication Date Title
RU2607229C2 (en) Systems and methods of dynamic indicators aggregation to detect network fraud
CN110830986B (en) Method, device, equipment and storage medium for detecting abnormal behavior of Internet of things card
CN111274583A (en) Big data computer network safety protection device and control method thereof
US8150779B1 (en) Validating the detection of spam based entities in social networking contexts
CN107392022B (en) Crawler identification and processing method and related device
US10979446B1 (en) Automated vulnerability chaining
CN110011932B (en) Network traffic classification method capable of identifying unknown traffic and terminal equipment
CN111917740A (en) Abnormal flow alarm log detection method, device, equipment and medium
CN113726783B (en) Abnormal IP address identification method and device, electronic equipment and readable storage medium
US11876808B2 (en) Detecting phishing attacks on a network
CN114598512B (en) Network security guarantee method and device based on honeypot and terminal equipment
CN114915457A (en) Message transmission method, dynamic encryption method, device, electronic equipment and medium
CN112600797A (en) Method and device for detecting abnormal access behavior, electronic equipment and storage medium
US10742668B2 (en) Network attack pattern determination apparatus, determination method, and non-transitory computer readable storage medium thereof
CN115225393B (en) Source speed limiting method and device and electronic equipment
CN115603985A (en) Intrusion detection method, electronic device and storage medium
CN114006819A (en) Detection strategy generation and device, and data transmission method and device
US10171494B2 (en) Scarecrow for data security
CN113225325B (en) IP (Internet protocol) blacklist determining method, device, equipment and storage medium
CN114697440B (en) Network management method and mobile terminal
CN114221807A (en) Access request processing method and device, monitoring equipment and storage medium
CN112560085A (en) Privacy protection method and device of business prediction model
CN111031054A (en) CC protection method
CN115037799B (en) Current limiting method, device, equipment and medium
CN114070627B (en) Production network security monitoring system, method, computer device and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant