CN1394041A - Method for implementing safety guard to Internet service provider - Google Patents

Publication number: CN1394041A
Authority: CN (China)
Application number: CN 01118868
Other languages: Chinese (zh)
Other versions: CN1145318C (en)
Inventor: 薛国锋
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Priority application: CNB011188685A (granted as CN1145318C)
Legal status: Granted; Expired - Fee Related
Prior art keywords: data flow, ISP, configuration information, address, message


Abstract

The invention relates to a method for implementing security protection for an Internet service provider (ISP). An ISP Keeper on the router at the ISP egress monitors and processes, in real time, the data streams entering the ISP local network from outside, automatically identifying and recording each data stream. Based on the configuration information, the Keeper then determines whether the rate of the current data stream and the total rate of all data streams are normal. If they are normal, the received message is forwarded to the relevant network device; otherwise the current message is discarded. The invention can effectively defend an ISP against flood attacks by hackers and so improve the reliability of ISP services.

Description

A method for implementing Internet service provider security protection
The present invention relates to security protection technology for an ISP, and in particular to an ISP security protection method in which the data streams flowing into the destination network are monitored and processed in real time on the egress router, so that flow attacks against the ISP can be effectively resisted.
With the rapid development and popularization of the Internet, the number of network users keeps growing, and Internet service providers (ISPs) have emerged accordingly. The typical networking structure of an ISP is shown in Figure 1: the ISP local area network (LAN) generally consists of switches, access servers and Web servers, and the switches connect upstream to the ISP egress router. The ISP egress router aggregates the traffic of the access servers and of each leased-line subscriber and connects to the backbone IP network through an ATM, POS or GE interface.
The traffic in an ISP network mainly consists of: dial-up users visiting the local Web server; dial-up users visiting external networks; leased-line subscribers visiting the local Web server; and external users visiting the local Web server. Mixed into the visits to the Web server are attacks by network hackers on the ISP site, who use various means to attack the ISP's website, causing the ISP's systems to be damaged or even to collapse, so that they can no longer provide service to users.
Judging from the operation of ISPs worldwide, the form of hacker attack an ISP suffers most often is a flow attack. The method of a flow attack is very simple: many devices all over the world send interfering messages to the target (a certain dial-up user's IP address) simultaneously and in an organized way, producing a huge volume of data that keeps the ISP LAN busy so that the access server cannot work normally; the approach used is a distributed attack. The main means by which some domestic ISPs are currently attacked is exactly this kind of flow attack: the hacker uses many devices to PING a certain dial-up IP address with large messages, keeping the ISP LAN busy, affecting the normal operation of the access server and making normal dial-up users' Internet access extremely slow.
Of course, besides the above flow attack, an ISP may also suffer other forms of attack, such as DoS, message eavesdropping, TCP/IP address spoofing, source routing attacks, application layer attacks and so on.
Against the above hacker attack modes, the most commonly used security measures at present are to use a firewall, address translation and flow control technology such as CAR on the ISP egress router. Attack modes such as message eavesdropping, TCP/IP address spoofing, source routing attacks and application layer attacks can be effectively controlled by existing technologies such as firewalls, address translation, authentication and data encryption. But for the main attack mode, the flow attack, because of the ISP's business model and the distributed, random characteristics of the attack, these security technologies all have problems of various degrees in actual application:
1) A firewall applies an access control list (ACL) on an interface to filter packets; it can solve the access control problem but has no flow control capability.
2) Address translation. So-called address translation means that before a message is sent to the external network, the egress router first translates the user's private network address, that is, the message's (source address - private network, source port) pair is converted into (source address - public network, new source port), and the router keeps this mapping; when the reply message returns, the conversion is reversed. Because the dynamic mapping table kept by the router may be very large, a HASH lookup is generally used.
This method mainly solves the problems of hiding internal network information and the shortage of IP addresses. However, in some applications such as FTP, SNMP and SMTP the message content also contains address information, so changing only the source address of the message is useless; the address information in the application layer of the message must also be changed. This is easy for some standard protocols but cannot be done for proprietary protocols, so the types of service it supports are restricted. Moreover, this method cannot implement flow control either.
3) Flow control. CAR can implement flow control on specific traffic streams, but its configuration is complicated, its efficiency is low and its scalability is poor; considering the dynamic assignment of dial-up users' IP addresses, it is very difficult to use in practice.
In view of this, the main object of the present invention is to provide a method for implementing ISP security protection that can more effectively resist the flow attacks an ISP suffers, and that is simple and convenient to implement, flexible and reliable.
To achieve the above object, the technical solution of the present invention is realized as follows:
A method for implementing Internet service provider (ISP) security protection, comprising at least the following steps:
a. When the ISP manager (ISPKeeper) in the ISP egress router is about to forward the currently received message to the destination network, it first determines by a HASH algorithm whether the data stream to which this message belongs is an existing record in the ISPKeeper; if so, proceed to step c; otherwise, proceed to step b;
b. If the message to be forwarded belongs to a new data stream, match the configuration information for the data stream to which this message belongs and determine whether the match succeeds; if so, store a record of the configuration information obtained by matching for this data stream. If no match succeeds, check whether a default value is defined in the configuration information; if so, store a record of the default configuration information and then proceed to step c; if no default value is defined, the currently received message is forwarded directly by the ISPKeeper to the corresponding target network device;
c. Detect whether the rate of the current data stream satisfies the user-configured parameters; if not, discard the currently received message. If the rate meets the requirement, continue to detect the total data flow and determine whether it is normal with respect to the total configuration parameters; if not, discard this message; otherwise, if normal, the ISPKeeper forwards the current message to the corresponding target network device.
The destination network in step a is an ISP local area network (LAN), a metropolitan area network or a wide area network. The user-configured parameters in step c include at least the transmission bandwidth or average rate and the burst length of an individual data stream. The total configuration parameters in step c include at least the total average rate and the total burst length of the data streams. The data stream is a data stream from outside accessing a network device in the destination network, or a data stream returned for a dial-up user's Internet access.
Matching the configuration information of the data stream in step a further comprises: first finding, in the configuration information, the definition of the IP address range corresponding to the destination IP address of the data stream to which this message belongs; then finding the configuration information of this address range according to that definition; and storing a record of this configuration information at the corresponding position of the data stream configuration information array.
The method further comprises: when initializing the egress router, presetting an array for storing data stream configuration information. The size of this array is sufficient to hold all data streams within the IP address range to be recognized, and each element of the array corresponds one-to-one with a destination IP address.
The method further comprises: when initializing the egress router, presetting the configuration information of the data streams. The configuration information includes at least the start IP address, end IP address and interface configuration mode of the data streams; the transmission bandwidth or average rate and burst length of each data stream; and the total average rate and total burst length of all data streams.
The HASH algorithm in step a locates the message at the corresponding element position of the data stream configuration information array according to the lower 16 bits of the destination IP address of each message in the data stream. When a received data stream message is located by the HASH algorithm at the corresponding element position and that position already holds data stream configuration information, a data linked list is set up at that position, storing the corresponding data stream configuration information in order by the upper 16 bits of the destination IP address.
From the above implementation it can be seen that the present invention effectively combines, and improves on, the ideas behind the three technologies of firewall, address translation and flow control, namely the HASH lookup of address translation, the flow control of CAR and the message matching of the firewall, into what is called the ISP manager (ISPKeeper). The key is that the ISPKeeper is located on the egress router and analyzes and monitors in real time the data streams flowing into the destination network; the ISPKeeper automatically identifies and records each data stream by the HASH algorithm, and detects according to the predefined configuration information whether the rate of each data stream and of the total data flow is normal: if abnormal, the message is dropped, and if normal it is sent on to the relevant Web server or other network device. When a received message belongs to a new data stream, the message is first matched and the configuration information of this data stream is recorded, and then processed; subsequent messages of the same data stream need not be matched again.
This shows that the ISP security protection method provided by the present invention combines firewall, address translation and flow control technologies so that it can more effectively prevent hacker attacks and realize security protection for the ISP. Table 1 compares the method of the present invention comprehensively with the three security protection methods in general use today; it can be seen that the present invention has stronger protective capability and a simpler, more flexible recognition method.
| Comparison item | ISPKeeper | Firewall | Address translation | CAR |
|---|---|---|---|---|
| Resisting flow attacks on the ISP | Automatically identifies and records each data stream and implements flow control for each stream on this basis, so it resists flow attacks well. | Dedicated to access control; filters packets by applying an ACL on an interface, has no flow control capability and cannot resist flow attacks. | Dedicated to hiding information and to IP address shortage; has no flow control capability and cannot resist flow attacks. | Can implement flow control on specific traffic streams (described with an ACL), but in reality the source and destination addresses of attack messages change dynamically, so CAR is essentially unusable in practice and cannot resist flow attacks. |
| Configuration complexity | Very simple | Complicated: an ACL must be configured, and an access-group command must also be configured on the interface. | Simple | Very complicated: an ACL and an RLACL must be configured, and a complicated rate-limit command must also be configured on the interface. |
| Efficiency and scalability | Uses HASH technology; high efficiency. | Uses traffic classification; low efficiency and poor scalability. | Uses HASH technology; high efficiency. | Uses traffic classification; low efficiency and poor scalability. |
| Number of data streams supported | 250,000 | Generally tens; otherwise performance is seriously affected. | 250,000 | Generally tens; otherwise performance is seriously affected. |
| Statistics | Rich; per-stream information available | Limited | Rich; per-stream information available | Limited |
| Hacker attack alarms | Produces a Syslog after an abnormal data stream is detected | Produces a Syslog for forbidden messages | None | None |
| Supported routers | Huawei NE series routers | Huawei NE series routers, Cisco 75 series routers, etc. | Huawei NE series routers, Cisco 75 series routers, etc. | Huawei NE series routers, Cisco 75 series routers, etc. |
Table 1: Comparison of several security protection methods
The detailed technical content of the present invention is further described below with reference to the figures:
Fig. 1 is a schematic diagram of the typical networking structure of an ISP;
Fig. 2 is a schematic diagram of the typical attack form an ISP suffers;
Fig. 3 is a traffic flow analysis diagram of the streams flowing into the ISP LAN;
Fig. 4 is the flow chart of the method of the invention;
Fig. 5 is a schematic diagram of the networking structure of one embodiment of the invention;
Fig. 6 is a schematic diagram of the networking structure of another embodiment of the invention.
The key to preventing hackers from attacking an ISP is to monitor in real time the source and rate of the data streams entering the ISP and to handle them promptly, eliminating abnormal data by effective means so as to guarantee normal users' access. As shown in Figure 2, the traffic flowing into the ISP LAN can be divided into roughly two classes:
1) Data streams returned for users' Internet access. These streams are distinguished by destination IP address; each stream occupies a certain bandwidth, for example an Internet user's average rate is at most 128K, and the number of streams is controllable and configurable;
2) Data streams accessing the Web server. The destination IP address of these streams belongs to a specific address range, such as 10.110.1.0/0.0.0.255; they are distinguished by the IP five-tuple (source address, destination address, protocol type, source port, destination port); the total bandwidth these streams occupy is controllable and configurable, and the number of streams is controllable and configurable.
"Controllable and configurable" above means that a reasonable range can be preset by configuration parameters, that is, a threshold is set and anything exceeding it is considered unreasonable and should be suppressed. For example: the average rate of the data stream returned for PSTN or ISDN Internet access should be 128kbps, so if the rate exceeds 128kbps it is considered unreasonable and should be suppressed. This can be implemented with the following statement:
ispkeeper-group 10 single 128000 16000
This command guarantees that the average rate and burst length of each data stream are fixed values, namely the average rate of each individual data stream is at most 128Kbps and the burst length is at most 16Kbyte. The concrete configuration of the method in practical application depends mainly on the traffic model chosen by the ISP; the values of the parameters themselves are not restricted in any way.
In order for the present invention to make decisions on received data streams, the reasonable ranges of parameters such as the bandwidth or average rate and burst length of each data stream, and the average rate and burst length of the total data flow, must first be configured in advance on the egress router.
For example: set that the data streams flowing from outside into the ISP LAN whose destination IP address is 10.110.1.*, that is, the data streams of external access to the Web server, FTP server and so on, may occupy at most 5M of bandwidth or average rate of the ISP LAN, with a burst data amount of 800K bytes and at most 1000 data streams in total. At the same time set that the other data streams flowing from outside into the ISP LAN, that is, the data streams returned for users' Internet access, may each occupy at most 128K of LAN bandwidth (average rate) with a burst data amount of 8K bytes, and at most 20000 data streams in total. The above configuration can be implemented with the following statements:
interface eth 1/0/0
ispkeeper 10.110.1.0 0.0.0.255 5000000 800000 1000
ispkeeper default 131012 8000 20000
Secondly, also generate in advance on the egress router a data stream configuration information array large enough to hold the stream information for all the IP address ranges to be recognized; each element of this array corresponds one-to-one with an IP address and is used to store the configuration information of the data stream for that destination IP address. For example, to recognize and record every data stream whose destination address is in the range 10.110.0.0~10.110.255.255, first generate an array of 65536 elements, each array element corresponding to one IP address. After a message is received, the relevant information of its data stream is recorded directly at the element of the data stream configuration information array located by the lower 16 bits of the message's destination address. In actual operation, for each received data stream the HASH algorithm is used to look up whether the array already holds a record for it; if so, it is located directly and its information read; if not, the destination IP address of the first message is used to locate the position, and then the configuration information is matched and recorded. If, when locating a message at its corresponding position, a record of another data stream is already found there, a data linked list is set up at that position, recording the configuration information of each data stream in order by the upper 16 bits of the destination IP address. Subsequent messages of a data stream need not be matched again, unlike the firewall approach in which every message must be matched. This is very easy and very efficient.
The essential idea of the method is: for an address range defined by a given start address and end address, configure a total average rate and total burst length for the total data flow to all addresses in the range, configure an average rate and burst length of an individual data stream for single IP addresses in the range, and use the token bucket algorithm to control the flow. The so-called Token Bucket algorithm means: a leaky bucket is set with a given outflow rate (namely the configured average rate of the data stream) and a given bucket depth (namely the burst length). When data of a stream arrives at a certain moment, if its length is greater than the bucket depth, the bucket would overflow and the data is discarded; otherwise, from the arrival time of the previous data and the current time interval, the length that has flowed out of the bucket is calculated to obtain the actual vacated length of the bucket. If the length of the data is greater than the actual vacated length, the bucket would also overflow and the data is discarded; if the length of the data is smaller than the actual vacated length, the data is put into the bucket and waits to be processed.
Based on the above analysis of the ISP traffic structure, and with reference to Figure 4, the concrete implementation of the method comprises at least the following steps:
1) When the ISPKeeper is about to forward a received message to the ISP LAN, it first determines by the HASH algorithm whether the data stream to which this message belongs is an existing record of the ISPKeeper, that is, it looks up the corresponding position of the data stream configuration information array according to the lower 16 bits of the destination IP address to see whether configuration parameters and statistics already exist for the data stream of this IP address. If so, proceed to step 3); otherwise proceed to step 2).
2) If the message to be forwarded belongs to a new data stream, that is, no information is stored at the corresponding position of the data stream configuration information array for the data stream of the current message, then first find the definition of the corresponding IP address range according to its IP address range information, then find the configuration information of this address range according to the definition and match it, and determine whether the match succeeds. If the match succeeds, store the configuration parameters and statistics of the data stream of this IP address range obtained by matching at the corresponding position of the data stream configuration information array. If at this time the position already holds the data of another data stream whose IP address has the same lower 16 bits as the current stream's address, set up a linked list at this position storing the data stream information in order by the upper 16 bits of the destination IP address. If no match succeeds, that is, no definition of this IP address range is found in the configuration information, check whether a default value is defined in the configuration information; if so, place the default configuration information at the corresponding position of the data stream configuration information array and proceed to step 3); if not, the ISPKeeper forwards the current message to the corresponding target network device.
3) Use the Token Bucket algorithm to detect whether the rate of the current data stream satisfies the user-configured parameters (single average rate, single burst length); if not, discard this message. If the rate meets the requirement, continue to detect the total data flow: according to the address range to which this data stream belongs, sum the data streams to all addresses in this address range and use the Token Bucket algorithm to detect whether the total flow is normal with respect to the configuration parameters (total average rate and total burst length) configured for the specified address range under the interface configuration mode. If not, discard this message; otherwise, if satisfied, the ISPKeeper forwards the current message to the corresponding target network device.
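As an added illustration (not the patent's or Huawei's code), the following Python models steps 1) to 3) above together with the token bucket description: a flow table indexed by the lower 16 bits of the destination IP with a chain for collisions, configuration matching with a default entry, and a per-flow then per-range token bucket check. The class names, the assumption that a range carries optional single and total parameters, and the constructed sample traffic are not from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class TokenBucket:
    """Leaky bucket as described above: outflow rate (configured average rate,
    bit/s) and bucket depth (burst length, bytes)."""
    rate_bps: int
    burst_bytes: int
    last: float = 0.0
    tokens: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)   # bucket starts fully vacated

    def admit(self, nbytes: int, now: float) -> bool:
        if nbytes > self.burst_bytes:           # longer than the bucket: overflow
            return False
        # Length drained since the previous arrival frees room, capped at the depth.
        self.tokens = min(self.burst_bytes,
                          self.tokens + (now - self.last) * self.rate_bps / 8)
        self.last = now
        if nbytes > self.tokens:                # exceeds the vacated length
            return False
        self.tokens -= nbytes
        return True


@dataclass
class AddressRange:
    """An ispkeeper-list entry with its ispkeeper-group parameters (assumed model)."""
    start: int
    end: int
    single: Optional[Tuple[int, int]] = None   # per-flow (rate_bps, burst_bytes)
    total: Optional[TokenBucket] = None        # shared by every flow in the range

    def contains(self, addr: int) -> bool:
        return self.start <= addr <= self.end


@dataclass
class FlowRecord:
    bucket: Optional[TokenBucket]              # per-flow limiter (None: no single limit)
    range_: Optional[AddressRange]
    packets: int = 0
    last_seen: float = 0.0


class ISPKeeper:
    """Flow table keyed by the lower 16 bits of the destination IP; collisions
    (same lower 16 bits, different upper 16 bits) are chained in a list."""

    def __init__(self, ranges: List[AddressRange],
                 default_single: Optional[Tuple[int, int]] = None) -> None:
        self.ranges = ranges
        self.default_single = default_single
        self.slots: Dict[int, List[Tuple[int, FlowRecord]]] = {}

    @staticmethod
    def _addr(dst_ip: str) -> int:
        return int(ipaddress.IPv4Address(dst_ip))

    def lookup(self, dst: int) -> Optional[FlowRecord]:
        for hi, rec in self.slots.get(dst & 0xFFFF, []):
            if hi == dst >> 16:
                return rec
        return None

    def match_config(self, dst: int) -> Optional[FlowRecord]:
        rng = next((r for r in self.ranges if r.contains(dst)), None)
        single = rng.single if rng is not None and rng.single else self.default_single
        if rng is None and single is None:
            return None                        # no range and no default: nothing to record
        rec = FlowRecord(TokenBucket(*single) if single else None, rng)
        self.slots.setdefault(dst & 0xFFFF, []).append((dst >> 16, rec))
        return rec

    def process(self, dst_ip: str, nbytes: int, now: float) -> str:
        dst = self._addr(dst_ip)
        rec = self.lookup(dst)                                   # step 1: HASH lookup
        if rec is None:
            rec = self.match_config(dst)                         # step 2: match and record
            if rec is None:
                return "forward"                                 # unmatched, no default
        if rec.bucket is not None and not rec.bucket.admit(nbytes, now):   # step 3: single
            return "drop"
        total = rec.range_.total if rec.range_ is not None else None
        if total is not None and not total.admit(nbytes, now):  # step 3: total for the range
            return "drop"
        rec.packets += 1
        rec.last_seen = now
        return "forward"

    def chain_length(self, dst_ip: str) -> int:
        return len(self.slots.get(self._addr(dst_ip) & 0xFFFF, []))


def fig5_keeper() -> ISPKeeper:
    """Constructed from the single-ISP example: 10.111.0.0-10.111.255.255 totals
    5 Mbps / 80 Kbyte, and every flow gets the default 128 kbps / 8 Kbyte."""
    lan = AddressRange(int(ipaddress.IPv4Address("10.111.0.0")),
                       int(ipaddress.IPv4Address("10.111.255.255")),
                       total=TokenBucket(5_000_000, 80_000))
    return ISPKeeper([lan], default_single=(128_000, 8_000))


def send_burst(keeper: ISPKeeper, dst_ip: str, count: int, size: int, now: float) -> List[str]:
    """Constructed traffic: `count` packets of `size` bytes arriving at the same instant."""
    return [keeper.process(dst_ip, size, now) for _ in range(count)]
```

Because the total bucket is shared by the whole range, a single flow that stays under its own 8 Kbyte limit can still be dropped once enough sibling flows have consumed the range's 80 Kbyte burst.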
When the above method is used to implement security protection for a single ISP, as shown in Figure 5, the IP address range of the data streams accessing this ISP's LAN is 10.111.*.*, and the IP address range of the data streams accessing this ISP's dial-up users is 10.110.*.*. To protect the ISP in the figure, first create an array of 65535 elements on the ISP egress router, and at the same time make the following configuration on the ISP egress router:
ispkeeper-list 1 10.111.0.0 10.111.255.255
/* This command defines the data streams accessing the ISP LAN */
interface eth 1/0/0
/* Enter the configuration mode of the Ethernet interface connected to the ISP LAN */
ispkeeper-group 1 total 5000000 80000
/* This command sets the total average rate of the data streams accessing the ISP LAN to 5Mbps and the burst length to 80Kbyte */
ispkeeper-default single 128000 8000
/* This command sets the average rate of each of the remaining data streams, those accessing dial-up users, to 128Kbps and the burst length to 8Kbyte */
The above configuration gives the upper limit of the average rate of an individual data stream and of the average rate of the total data flow. Thus, after the ISP receives a data stream message, it first looks up by the HASH algorithm whether the data stream configuration information array holds a record of this data stream; if so, it detects whether the average rate of this data stream is less than or equal to 128K and whether the rate of its total data flow is within 5Mbps, and if so forwards the message to the destination network device, otherwise discards it. If there is no such record in the array, the message is matched against the above configuration, the corresponding configuration information is recorded in the array, and the message is then forwarded or dropped according to the flow decision.
The method of the present invention can implement security protection not only for a single ISP LAN but also for multiple ISPs in a metropolitan area network or wide area network. Take the networking structure of a certain provincial network as an example: this provincial network is made up of multiple ISPs, and its networking structure is shown in Figure 6. The working principle and implementation procedure of its security protection are the same as for a single ISP; only the preset configuration differs: the data stream IP address ranges and parameters of each of the multiple ISPs must be set separately, and flow detection and decision are made according to the configuration information corresponding to the data streams of the different IP address ranges. The concrete configuration of the multiple ISPs in Figure 6 can be realized with the following statements:
ispkeeper-list 10 10.110.0.0 10.110.255.255
/* This command defines the dial-up user data streams accessing ISP1, namely the IP address range 10.110.*.* */
ispkeeper-list 11 10.111.0.0 10.111.255.255
/* This command defines the LAN data streams accessing ISP1, namely the IP address range 10.111.*.* */
ispkeeper-list 20 20.110.0.0 20.110.255.255
/* This command defines the dial-up user data streams accessing ISP2, namely the IP address range 20.110.*.* */
ispkeeper-list 21 20.111.0.0 20.111.255.255
/* This command defines the LAN data streams accessing ISP2, namely the IP address range 20.111.*.* */
interface atm 1/0/0
/* Enter the configuration of the ATM interface connected to the provincial network */
ispkeeper-group 11 total 5000000 80000
/* This command sets the total average rate of the data streams accessing the ISP1 LAN to 5Mbps and the burst length to 80Kbyte */
ispkeeper-group 10 single 128000 8000
/* This command sets the average rate of each data stream accessing ISP1 dial-up users to 128Kbps and the burst length to 8Kbyte */
ispkeeper-group 21 total 5000000 80000
/* This command sets the total average rate of the data streams accessing the ISP2 LAN to 5Mbps and the burst length to 80Kbyte */
ispkeeper-group 20 single 128000 8000
/* This command sets the average rate of each data stream accessing ISP2 dial-up users to 128Kbps and the burst length to 8Kbyte */
In data maintenance, the present invention also performs aging processing on the data stream configuration information array: the system periodically checks each user data stream, mainly in two modes:
(1) Timed processing. At a given interval, each user data stream is checked; if its average rate exceeds the average rate limit given at configuration time, that is, an anomaly (a large data stream) has appeared, alarm information must be output through Syslog.
(2) Packet-driven, non-configurable automatic detection. This is divided into two cases: in one, the user data streams are checked every 15 minutes, and if no data for a certain user has arrived for a long time, showing that the data stream is idle, that user's data stream information is removed; in the other, if no matching flow parameters can be found in the configuration items for a certain data stream, the information of that data stream is removed directly.
The ISPKeeper method of the present invention mainly adopts technologies such as Token Bucket and Hash, follows the convenient configuration style of address translation, is simple and flexible to configure, runs efficiently, and provides rich statistics and log information. By configuring the ISPKeeper on the interface of the ISP egress router connected to the ISP LAN, or on the interface of the ISP egress router connected to the backbone IP network, the flow attacks hackers carry out against the ISP can be resisted well.
The present invention, on the basis of fully taking into account the networking structure and business model of ISPs and the characteristics of hacker attacks, effectively combines existing technologies such as firewall, address translation and CAR, compensating for their shortcomings, so as to resist more effectively the flow attacks an ISP suffers.

Claims (12)

1. A method for implementing security protection for an Internet service provider (ISP), characterized in that the method comprises at least the following steps:
a. When the ISP Keeper (ISPKeeper) in the ISP egress router is about to forward the currently received message to the destination network, it first determines by the HASH algorithm whether the data flow to which the message belongs is an existing record in the ISPKeeper; if it is, go to step c; otherwise, go to step b;
b. If the message to be forwarded belongs to a new data flow, match the configuration information of the data flow to which the message belongs and determine whether the match succeeds; if the match succeeds, store and record the configuration information of the data flow obtained by matching; if there is no successful match, look up whether a default value is defined in the configuration information; if there is, store and record the default configuration information and then go to step c; if no default value is defined, the ISPKeeper forwards the currently received message directly to the corresponding target network device;
c. Detect whether the traffic of the current data flow satisfies the user-configured parameters; if it does not, discard the currently received message; if the traffic meets the requirement, continue to detect the total data flow and determine whether the total configuration parameters are normal; if abnormal, discard the message; otherwise, if normal, the ISPKeeper forwards the current message to the corresponding target network device.
2. The implementation method according to claim 1, characterized in that: the destination network described in step a is an ISP local area network (LAN), a metropolitan area network or a wide area network.
3. The implementation method according to claim 1, characterized in that: the data flow is a data flow from outside accessing a network device in the destination network, or a data flow returned for a dial-up user's online session.
4. The implementation method according to claim 1, characterized in that: matching the configuration information of the data flow in step a further comprises the following steps: first, according to the destination IP address of the data flow to which the message belongs, find the definition of the corresponding IP address segment in the configuration information; then, according to the definition of the address segment, find the configuration information of that address segment; and store and record this configuration information in the corresponding position of the data flow configuration information array.
5. The implementation method according to claim 1, characterized in that the method further comprises the following step: when initializing the egress router, presetting an array for storing data flow configuration information.
6. The implementation method according to claim 5, characterized in that: the array size is such that the array holds all data flows in the IP address range to be identified, and each element of the array corresponds one-to-one with a destination IP address.
7. The implementation method according to claim 1, characterized in that the method further comprises the following step: when initializing the egress router, presetting the configuration information of the data flows.
8. The implementation method according to claim 1, 4 or 7, characterized in that: the configuration information comprises at least the start IP address, the end IP address and the interface configuration mode of the data flow; the transmission bandwidth or average rate and the burst length of each data flow; and the overall average flow and the total burst length of the total data flow.
9. The implementation method according to claim 1, characterized in that: the HASH algorithm described in step a means locating the message to the corresponding element position in the data flow configuration information array according to the last 16 bits of the destination IP address of each message in the data flow.
10. The implementation method according to claim 9, characterized in that the method may further comprise the following step: when the received data flow message is located by the HASH algorithm to the corresponding element position in the data array, and that position already holds data flow configuration information, a data linked list is set up at that position in which the corresponding data flow configuration information is stored in order by the first 16 bits of the destination IP address.
11. The implementation method according to claim 1, characterized in that: the user configuration parameters described in step c comprise at least the transmission bandwidth or average rate and the burst length of an individual data flow.
12. The implementation method according to claim 1, characterized in that: the total configuration parameters described in step c comprise at least the overall average rate and the total burst length of the data flows.
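Steps a to c of claim 1, the hash placement of claims 9 and 10, and the idle-flow aging from the description, as an added Python example that is not part of the patent: the address segments, rates, burst lengths and idle period are assumed values, and a dict keyed by the high 16 address bits stands in for the claim's linked list.

```python
import ipaddress

# Constructed sample configuration (assumed values, not the patent's own): address
# segments with per-flow average rate and burst length in bytes, a default for
# destinations outside every segment, and the aggregate limits (claims 8, 11, 12).
RANGES = [("10.1.0.0", "10.1.255.255", 1000, 3000)]
DEFAULT = (500, 1000)          # use None to model "no default value defined"
TOTAL = (2000, 4000)

class TokenBucket:
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0.0
    def allow(self, nbytes, now):
        # refill in proportion to elapsed time, capped at the burst length
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        ok = self.tokens >= nbytes
        self.tokens -= nbytes if ok else 0
        return ok

class ISPKeeper:
    def __init__(self, ranges, default, total):
        ip = lambda a: int(ipaddress.ip_address(a))
        self.ranges = [(ip(s), ip(e), r, b) for s, e, r, b in ranges]
        self.default, self.total = default, TokenBucket(*total)
        self.table = [None] * 65536   # one slot per value of the low 16 address bits (claim 9)

    def process(self, dst_ip, nbytes, now):
        """Return 'forward' or 'drop' for one packet to dst_ip (steps a-c of claim 1)."""
        dst = int(ipaddress.ip_address(dst_ip))
        chain = self.table[dst & 0xFFFF]          # step a: HASH on the low 16 bits
        if chain is None:                         # collision chain keyed by the high 16 bits
            chain = self.table[dst & 0xFFFF] = {}  # (claim 10; a dict stands in for the linked list)
        bucket = chain.get(dst >> 16)
        if bucket is None:                        # step b: first packet of a new flow
            params = next(((r, b) for lo, hi, r, b in self.ranges if lo <= dst <= hi), self.default)
            if params is None:
                return "forward"                  # no segment and no default: pass through unrecorded
            bucket = chain[dst >> 16] = TokenBucket(*params)
        if not bucket.allow(nbytes, now):         # step c: per-flow limit first
            return "drop"
        return "forward" if self.total.allow(nbytes, now) else "drop"   # then the aggregate limit

    def age(self, now, idle=900):
        # maintenance from the description: forget flows idle for 15 minutes
        for chain in filter(None, self.table):
            for key in [k for k, b in chain.items() if now - b.last > idle]:
                del chain[key]
```

Note that a flow whose own bucket passes can still be dropped when the aggregate bucket is exhausted, which is the second check of step c.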

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB011188685A CN1145318C (en) 2001-06-26 2001-06-26 Method for implementing safety guard to internet service provider

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB011188685A CN1145318C (en) 2001-06-26 2001-06-26 Method for implementing safety guard to internet service provider

Publications (2)

Publication Number Publication Date
CN1394041A true CN1394041A (en) 2003-01-29
CN1145318C CN1145318C (en) 2004-04-07

Family

ID=4663469

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB011188685A Expired - Fee Related CN1145318C (en) 2001-06-26 2001-06-26 Method for implementing safety guard to internet service provider

Country Status (1)

Country Link
CN (1) CN1145318C (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006021132A1 (en) * 2004-08-21 2006-03-02 Ko-Cheng Fang Method for protecting the computer data
CN100364276C (en) * 2004-04-20 2008-01-23 富士通株式会社 Method and system for managing network traffic
CN100454839C (en) * 2005-11-24 2009-01-21 华为技术有限公司 Antiattacking apparatus and method based on user
CN100556031C (en) * 2003-03-28 2009-10-28 丛林网络公司 Intelligent integrated network security device
CN101034975B (en) * 2007-04-05 2010-05-26 华为技术有限公司 Method and device for preventing the small message attack
CN101309216B (en) * 2008-07-03 2011-05-04 中国科学院计算技术研究所 IP packet classification method and apparatus
CN101116068B (en) * 2004-10-28 2011-05-18 思科技术公司 Intrusion detection in a data center environment
CN101127695B (en) * 2006-08-17 2011-08-24 中兴通讯股份有限公司 A processing method for reducing invalid transmission of network traffic
CN1965306B (en) * 2003-09-10 2012-09-26 菲德利斯安全系统公司 High-performance network content analysis platform
CN103746928A (en) * 2013-12-30 2014-04-23 迈普通信技术股份有限公司 Method and system for controlling flow rate by utilizing access control list
CN104796291A (en) * 2015-04-27 2015-07-22 清华大学 System and method for detecting transmission standardization of routers in core routing area
CN105763560A (en) * 2016-04-15 2016-07-13 北京思特奇信息技术股份有限公司 Web Service interface flow real-time monitoring method and system
CN106483918A (en) * 2016-11-15 2017-03-08 武汉企鹅能源数据有限公司 A kind of energy consumption monitoring analysis method based on token bucket algorithm and its system
CN111930078A (en) * 2020-06-21 2020-11-13 中国舰船研究设计中心 Network testing device for core control system
CN113596050A (en) * 2021-08-04 2021-11-02 四川英得赛克科技有限公司 Abnormal flow separation and filtration method and system, storage medium and electronic equipment
CN114978563A (en) * 2021-02-26 2022-08-30 中国移动通信集团广东有限公司 Method and device for blocking IP address

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7647623B2 (en) * 2005-10-17 2010-01-12 Alcatel Lucent Application layer ingress filtering


Also Published As

Publication number Publication date
CN1145318C (en) 2004-04-07


Legal Events

Date Code Title Description
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20040407

Termination date: 20110626