CN1249950C - Network access control method of network address conversioin protocol user - Google Patents
- Publication number: CN1249950C (application CN 02129005; published as CN1477816A)
- Authority: CN (China)
- Prior art keywords: user, network, current, speed, nat
- Legal status: Expired - Fee Related (status as assumed by Google; not a legal conclusion)
- Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention discloses a network access control method for NAT users. A connection-count control value is set for each user; when a user's current number of network connections exceeds that value, the user's subsequent network access is stopped. A connection-rate control value is also set for each user; when the rate at which a user sets up network sessions exceeds that value, the user's subsequent network access is stopped. The method effectively prevents NAT equipment from being attacked by malicious users who abuse tool software, protects normal use by the majority of users, and at the same time lets the NAT equipment's resources be managed according to user characteristics.
Description
Technical field
The present invention relates to methods for user network access, and in particular to an access control method for users of network address translation (NAT) equipment.
Background technology
As the number of network users grows rapidly, the pool of assignable IP addresses keeps shrinking, so network address translation (NAT) equipment is deployed more and more widely. NAT technology is divided into basic NAT and port address translation (PAT). Basic NAT is further divided into static and dynamic address translation; both translate only the IP address, so at any moment one public IP address can serve as the public-network outlet for only one private IP address, and no public addresses are saved. Under PAT, by contrast, each public IP address can serve as the outlet for many private users at once: both the private IP address and the transmission control protocol / user datagram protocol (TCP/UDP) port are translated, so many private addresses share one public outlet.

In real deployments, some users use TCP tool software to initiate large numbers of connection sessions through the NAT device. Under heavy traffic this degrades other users' access to the Internet, because the memory the NAT device can allocate per private user is limited. Moreover, because the NAT device's internal state is refreshed so frequently, it cannot keep access records for every private user behind it, which makes tracing the user responsible for such abuse difficult.

During normal access, when the NAT device receives an uplink packet from the private network that initiates a connection, or that requires connection state to be kept, it allocates memory to hold the information needed for the private-to-public translation, translates the packet's IP address and TCP/UDP port, and forwards the translated packet to the Internet. Throughout this process the NAT device does not manage the user at all; it merely translates addresses and ports. It therefore cannot stop a malicious private user from abusing network access and hogging NAT resources, which in turn disrupts the normal resource use of other users.
Summary of the invention
The object of the present invention is to provide a NAT user access control method that effectively stops malicious private users from abusing network access and hogging NAT resources, thereby minimising the impact on other private users.

To achieve this object, the NAT user access control method provided by the invention comprises:

A network connection-count control value is set for each user; when a user's current number of network connections exceeds this control value, the user's subsequent network access is stopped.

A network connection-rate control value is set for each user; when a user's current rate of network connection set-up exceeds this control value, the user's subsequent network access is stopped.

The method further comprises:

Establishing a connection-count control table that stores the network connection-count control value configured for each user, and a current connection-count table that stores either each user's current number of network connections or each user's currently available number of network connections.

Establishing a connection-rate control table that stores the network connection-rate control value configured for each user, and a current connection-rate table that stores either each user's current rate of network connection set-up or each user's currently available network connection rate.

Setting a timer task that controls each user's network connections according to the configured network connection rate.

Because the invention controls users' network connections by limiting both the total number of connections and the rate at which connections are set up, and stops a user's subsequent network access as soon as either the total or the rate exceeds its set value, it effectively prevents attacks on NAT equipment by malicious users abusing tool software and protects normal use by the majority of users. At the same time the NAT device's resources can be managed more effectively according to user characteristics, and a degree of priority control becomes possible. Using the total-connection limit together with the connection set-up rate limit is also an effective defence against attacks that combine SYN (initiation) and RST (termination) packets: an attacker who resets each connection immediately after opening it keeps its concurrent count low, so only the rate limit catches the churn, while an attacker who holds connections open is caught by the count limit.
Embodiment
This technique effectively controls both the concurrent access volume and the session set-up rate of private users behind a NAT device, improving the reliability of the equipment and giving operators additional means of operation. Specifically, the invention controls users' network connections by limiting the total number of connections and limiting the connection set-up rate.

First, when the NAT device is configured, users are distinguished by configuring different IP network segments, and different user classes receive different total-connection limits: an ordinary household user's total is restricted to a smaller order of magnitude, while users with particular needs, such as Internet cafe users or enterprise users, may be allowed a larger total, sized according to the size of the enterprise user group. The implementation consists of two tables. The first is the connection-count control table, which stores the preconfigured total-connection control value for each user. The second is the current connection-count table, which stores either each user's current number of connections or each user's currently available number of connections; its values change as the user's connections come and go. Whether a packet from the user is allowed to set up a connection is decided by the NAT device by comparing the corresponding entries of the two tables. Suppose that in a concrete implementation the connection-count control table is as follows:
User | Preconfigured session connection count (control value) |
---|---|
10.10.1.1 | 20 |
10.10.2.1 | 50 |
10.10.3.1 | 100 |
... | ... |
The current connection-count table stores the currently available number of connections, for example:

User | Currently available session connections |
---|---|
10.10.1.1 | 10 |
10.10.2.1 | 50 |
10.10.3.1 | 100 |
... | ... |

Reading the two tables together: user 10.10.1.1 is preconfigured on the NAT device to hold at most 20 session connections in total, 10 of which are currently in use. If user 10.10.1.1 keeps initiating connections, its "currently available session connections" value keeps falling; once it reaches 0, the user can no longer set up new connections to the Internet through the NAT device unless it releases existing connections. As the user releases existing connections, the available count rises again. Throughout, the behaviour of 10.10.1.1 has no effect on other users.
Second, different user classes can be given different connection set-up rate limits: an ordinary household user's set-up rate is limited to a smaller order of magnitude, while users with particular needs such as Internet cafe users or enterprise users may be allowed a larger rate, again sized according to the enterprise user group. This can be implemented with two tables and a timer task. The first table is the connection-rate control table, which stores the network connection-rate control value configured for each user. The second is the current connection-rate table, which stores either each user's current connection set-up rate or each user's currently available connection rate. A timer task is also set to control each user's network connections according to the configured rate. Alternatively, the implementation can consist of one table and one task: the table is a current connection-rate table holding the total number of connections that may still be set up in the current interval, which decreases as connections are established, and the timer task periodically replenishes this number according to the preconfigured rate, thereby achieving control of the connection set-up rate.

Each access by a user to the Internet through the NAT generally corresponds to one session, and the NAT device must build a mapping-table entry for each session that records the correspondence between public-network and private-network characteristics so that data packets can be translated. With a limit on each NAT user's total number of connections, the utilisation of the NAT device's limited resources improves, the majority of normal users are guaranteed service, and the NAT device's normal operation is protected. For example, under heavy traffic, once a limit on the connection set-up rate is in place, the NAT device drops the packets of users who exceed their preconfigured rate limit. Connection rate limits can also be set according to the importance of the customer, which provides a degree of priority control that guarantees service to important customers.
Suppose that in a concrete implementation the connection-rate control table is:

User | Preconfigured session connections per second (rate control value) |
---|---|
10.10.1.1 | 10 |
10.10.2.1 | 20 |
10.10.3.1 | 30 |
... | ... |
The current connection-rate table stores the currently available connection rate, for example:

User | Currently available session set-ups in this interval |
---|---|
10.10.1.1 | 5 |
10.10.2.1 | 20 |
10.10.3.1 | 30 |
... | ... |

Then user 10.10.1.1 is allowed to set up 10 session connections per second on the NAT device, of which 5 have already been used in the current interval. If user 10.10.1.1 keeps initiating connections, its "currently available" value keeps falling; once it reaches 0, the user can set up no further new connections to the Internet through the NAT device for the rest of the interval. The timer task periodically restores the value to the rate control value. Throughout, the behaviour of 10.10.1.1 has no effect on other users.
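The two-table mechanism described above (a per-user connection-count table plus a per-user connection-rate table that a timer task refills), written out as an added worked example. This is not code from the patent or from any vendor's NAT implementation; it is a Python model of the NAT's admission decision that assumes per-user limits keyed by IP segment, a rate table reset to its control value on every timer tick (as the embodiment describes, rather than incrementally topped up), and dropping of session-initiating packets from any user over either limit. The CIDR ranges, the limits, the host 10.10.1.1 and its neighbour, and the server address 198.51.100.7 are constructed sample data. The scenario also exercises the SYN/RST churn case from the summary, where the concurrent count never grows and only the rate limit bites.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

Flow = Tuple[str, int, str, int, str]  # (src_ip, src_port, dst_ip, dst_port, proto), private side

@dataclass(frozen=True)
class UserLimits:
    max_sessions: int  # connection-count control value
    setup_rate: int    # connection-rate control value: new sessions per timer interval

@dataclass
class UserState:
    available_sessions: int  # entry in the "current available session count" table
    available_rate: int      # entry in the "current available connection rate" table

class NatAdmissionController:
    """Admits or drops session-initiating uplink packets per private-network user."""

    def __init__(self, policy: List[Tuple[str, UserLimits]], default: UserLimits):
        # Policy keyed by IP segment so household/cafe/enterprise ranges differ; first match wins.
        self.policy = [(ipaddress.ip_network(cidr), lim) for cidr, lim in policy]
        self.default = default
        self.state: Dict[str, UserState] = {}
        self.mappings: Dict[Flow, int] = {}  # private flow -> allocated public port
        self.dropped: Dict[str, int] = {}    # per-user count of dropped packets
        self._next_port = 10000

    def limits_for(self, ip: str) -> UserLimits:
        addr = ipaddress.ip_address(ip)
        return next((lim for net, lim in self.policy if addr in net), self.default)

    def _state(self, ip: str) -> UserState:
        if ip not in self.state:  # both "current" tables start full
            lim = self.limits_for(ip)
            self.state[ip] = UserState(lim.max_sessions, lim.setup_rate)
        return self.state[ip]

    def uplink(self, flow: Flow) -> bool:
        """Return True if the packet is translated and forwarded, False if dropped."""
        if flow in self.mappings:
            return True  # established session: translate as usual
        st = self._state(flow[0])
        # A new session needs both a free count slot and a rate token in this interval.
        if st.available_sessions <= 0 or st.available_rate <= 0:
            self.dropped[flow[0]] = self.dropped.get(flow[0], 0) + 1
            return False
        st.available_sessions -= 1
        st.available_rate -= 1
        self.mappings[flow] = self._next_port
        self._next_port += 1
        return True

    def release(self, flow: Flow) -> None:
        """Session torn down (FIN/RST or idle timeout): free the mapping and its count slot."""
        if self.mappings.pop(flow, None) is not None:
            st = self._state(flow[0])
            st.available_sessions = min(st.available_sessions + 1, self.limits_for(flow[0]).max_sessions)

    def timer_tick(self) -> None:
        """Timer task: restore every user's rate allowance to its control value."""
        for ip, st in self.state.items():
            st.available_rate = self.limits_for(ip).setup_rate

def run_scenario() -> Dict[str, int]:
    """Constructed traffic: a SYN burst, SYN/RST churn, then the count cap. Returns counters."""
    nat = NatAdmissionController(
        policy=[("10.10.1.0/24", UserLimits(max_sessions=20, setup_rate=10)),
                ("10.10.2.0/24", UserLimits(max_sessions=50, setup_rate=20))],
        default=UserLimits(max_sessions=100, setup_rate=30))

    def syn(ip: str, port: int) -> Flow:  # connection-initiating packet to a web server
        return (ip, port, "198.51.100.7", 80, "tcp")

    r: Dict[str, int] = {}
    # 15 SYNs from one host in a single interval: the rate limit admits only 10.
    r["burst_admitted"] = sum(nat.uplink(syn("10.10.1.1", 40000 + i)) for i in range(15))
    r["neighbour_admitted"] = int(nat.uplink(syn("10.10.2.1", 50000)))  # unaffected neighbour
    nat.timer_tick()
    # SYN/RST churn: open and reset 12 sessions; the count stays <= 1, so only the rate cap bites.
    churn = 0
    for i in range(12):
        f = syn("10.10.1.1", 41000 + i)
        if nat.uplink(f):
            churn += 1
            nat.release(f)
    r["churn_admitted"] = churn
    r["active_after_churn"] = sum(1 for f in nat.mappings if f[0] == "10.10.1.1")
    nat.timer_tick()
    # Fill the remaining 10 slots; the count cap then refuses a 21st session even with
    # fresh rate tokens, until one existing session is released.
    r["fill_admitted"] = sum(nat.uplink(syn("10.10.1.1", 42000 + i)) for i in range(10))
    nat.timer_tick()
    r["over_cap"] = int(nat.uplink(syn("10.10.1.1", 43000)))
    nat.release(syn("10.10.1.1", 40000))
    r["after_release"] = int(nat.uplink(syn("10.10.1.1", 43001)))
    r["dropped_total"] = nat.dropped["10.10.1.1"]
    return r

if __name__ == "__main__":
    print(run_scenario())
```

Two design points worth noting. The rate check is evaluated before any state is changed, so a dropped packet consumes neither a count slot nor a rate token, and the offender's drops never touch the neighbour's tables. The rate table is reset rather than accumulated, so unused allowance does not carry over between intervals, which is what keeps a burst after a quiet period bounded to one interval's worth of set-ups.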
Claims (4)
1. A network address translation (NAT) user access control method, comprising:
setting a network connection-count control value for each user, and stopping a user's subsequent network access when the user's current number of network connections exceeds the control value;
setting a network connection-rate control value for each user, and stopping a user's subsequent network access when the user's current network connection rate exceeds the control value.
2. The NAT user access control method of claim 1, characterised in that the method comprises: establishing a connection-count control table that stores the network connection-count control value configured for each user; and establishing a current connection-count table that stores the user's current number of network connections or the user's currently available number of network connections.
3. The NAT user access control method of claim 1 or 2, characterised in that the method comprises: establishing a connection-rate control table that stores the network connection-rate control value configured for each user; and establishing a current connection-rate table that stores the user's current network connection rate or the user's currently available network connection rate.
4. The NAT user access control method of claim 3, characterised in that the method comprises: setting a timer task that controls the user's network connections according to the configured network connection rate.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 02129005 CN1249950C (en) | 2002-08-23 | 2002-08-23 | Network access control method of network address conversioin protocol user |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1477816A CN1477816A (en) | 2004-02-25 |
CN1249950C true CN1249950C (en) | 2006-04-05 |
Family
ID=34143927
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN 02129005 Expired - Fee Related CN1249950C (en) | 2002-08-23 | 2002-08-23 | Network access control method of network address conversioin protocol user |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN1249950C (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100423512C (en) * | 2005-06-17 | 2008-10-01 | 杭州华三通信技术有限公司 | Method for controlling usage of NAT equipment resources of VPN |
CN101212483B (en) * | 2006-12-31 | 2012-04-25 | 华为技术有限公司 | Method and system for controlling number of user sessions |
JP5214402B2 (en) * | 2008-10-22 | 2013-06-19 | 沖電気工業株式会社 | Packet transfer apparatus, packet transfer method, packet transfer program, and communication apparatus |
CN101969637A (en) * | 2009-07-28 | 2011-02-09 | 华为技术有限公司 | Network connection management method and related device |
CN102006201B (en) * | 2010-11-23 | 2012-07-25 | 北京星网锐捷网络技术有限公司 | New connection number test method, system and device in network address translation |
CN103905573B (en) * | 2012-12-26 | 2017-11-21 | 中国移动通信集团广西有限公司 | A kind of method and apparatus being managed to IP resources |
Also Published As
Publication number | Publication date |
---|---|
CN1477816A (en) | 2004-02-25 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | C06 | Publication | |
 | PB01 | Publication | |
 | C10 | Entry into substantive examination | |
 | SE01 | Entry into force of request for substantive examination | |
 | C14 | Grant of patent or utility model | |
 | GR01 | Patent grant | |
 | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20060405; Termination date: 20150823 |
 | EXPY | Termination of patent right or utility model | |