CN1642107A - Method for preventing address-depletion attack - Google Patents

Method for preventing address-depletion attack

Info

Publication number
CN1642107A
Authority
CN
China
Prior art keywords
dhcp
circuit
broadband access
server
access server
Prior art date
Legal status
Granted
Application number
CN 200410015144
Other languages
Chinese (zh)
Other versions
CN100349409C (en)
Inventor
田洪亮
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Priority date
Filing date
Publication date
Application filed by ZTE Corp
Priority to CNB2004100151440A (granted as CN100349409C)
Publication of CN1642107A
Application granted
Publication of CN100349409C
Anticipated expiration
Current status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention is a method for preventing address-depletion attacks in which the DHCP server and the broadband access server together resist the attack. The processing steps on the broadband access server include: for every circuit on the broadband access server whose access form is DHCP, configuring a maximum DHCP online session count and a maximum DHCP request frequency, and initialising the circuit's own session count and request frequency to zero; the broadband access server then monitors and maintains both. The method effectively prevents address-depletion attacks by illegitimate users against the DHCP server, is at the same time simple to configure and easy to implement, and, once implemented, greatly strengthens the reliability of the broadband access network.

Description

Method for preventing address-depletion attacks
Technical field
The present invention relates to a method for protecting a DHCP (Dynamic Host Configuration Protocol) server in a broadband access network from attack, and in particular to a method for preventing address-depletion attacks against the DHCP server when DHCP is used as the broadband access method.
Background technology
In broadband access technology, when DHCP is used as the access method, the DHCP server is liable to be attacked by illegitimate users who request address allocations in large numbers and thereby exhaust the server's address resources. The DHCP protocol itself has no authentication or authorization mechanism and cannot distinguish a legitimate application from an illegitimate one; in general, therefore, the DHCP server by itself cannot resist attacks by illegitimate users.
At present the broadband access network is generally constructed as shown in Fig. 1 and Fig. 2: the user is connected to a Broadband Access Server (BAS) over an ATM circuit or a Dot1q (IEEE 802.1Q VLAN-tagged) circuit, and the BAS manages and controls Internet access. During access, the user passes through a layer-2 Ethernet switch, or an ATM switch plus Digital Subscriber Line Access Multiplexer (DSLAM), to reach the BAS; the BAS acts as a DHCP proxy and forwards the user's address request, made with the DHCP protocol, to the DHCP server for allocation.
The protocol interaction of the prior art is outlined in Fig. 3. When a user initiates an IP address allocation request, the request is passed through the proxy on the BAS to the DHCP server; after the DHCP server has responded and allocated the IP address, the response is returned through the BAS proxy to the client personal computer (PC). When the user goes offline, the IP address release request is passed to the DHCP server through the BAS proxy in the same way as the allocation request.
Precisely because neither the existing DHCP protocol nor the DHCP proxy protocol has any authentication or authorization mechanism, an illegitimate user cannot be prevented from repeatedly applying for IP addresses, legitimate and illegitimate requests are difficult to tell apart, and the access control list (ACL) technique in common use today is also difficult to apply on the BAS and the DHCP server to block illegitimate requests. Consequently, once an address-depletion DHCP attack occurs, that is, an illegitimate user sends address allocation requests without stopping, the DHCP server must process each request and allocate address resources to it; with no corresponding release requests, the address resources are soon exhausted, legitimate users cannot gain access because no address can be allocated to them, and the effect is catastrophic.
Summary of the invention
The object of the present invention is to provide a method for preventing address-depletion attacks in which the BAS limits the number of addresses a user may request on the circuit where that user is located, thereby suppressing attacks by illegitimate users against the DHCP server and overcoming the shortcoming of existing broadband access networks that use DHCP access, namely that the DHCP server is easily attacked by illegitimate users.
The technical solution of the present invention is as follows:
A method for preventing address-depletion attacks, used in a broadband access network to protect a DHCP server from attack, wherein the processing steps of the method on the Broadband Access Server comprise:
b1) for every circuit on the Broadband Access Server whose access form is DHCP, configuring two parameters, a maximum DHCP online session count and a maximum DHCP request frequency, and initialising the circuit's DHCP online session count and DHCP request frequency to 0;
b2) the Broadband Access Server monitoring and maintaining the DHCP online session count and the DHCP request frequency of the circuit.
In the method, step b2) further comprises the following steps:
b201) the DHCP online session count is the number of IP addresses successfully obtained on the circuit through the DHCP protocol; each time a user's application succeeds the count is incremented by 1, and each time an address is released the count is decremented by 1;
b202) once the Broadband Access Server finds that the DHCP online session count of a circuit has reached its maximum session count, it stops processing all subsequent DHCP requests on that circuit until a release request arrives that brings the DHCP online session count below the maximum session count.
In the method, step b2) further comprises the following steps:
b203) the DHCP request frequency is the number of requests received from the circuit per second;
b204) if the Broadband Access Server finds that the DHCP request frequency of a circuit remains above the maximum DHCP request frequency for a period of time, it immediately raises an alarm and shuts down the circuit, and waits for maintenance personnel to handle it.
In the method, the processing steps on the DHCP server are as follows:
a1) configuring its access control list so that it accepts DHCP protocol packets only from legitimate Broadband Access Servers;
a2) when the DHCP server receives a DHCP request packet, matching it against its access control list and, according to the match result, accepting DHCP protocol packets from legitimate Broadband Access Servers and rejecting DHCP protocol packets from anywhere else.
In the method, step a2) comprises the following steps: when the DHCP server receives a DHCP packet, it matches the packet's source IP address against the configured access control list; if there is no match, the packet is discarded; otherwise the packet is processed according to the DHCP protocol.
With the method provided by the present invention, the access control list on the DHCP server, together with the Broadband Access Server's monitoring and maintenance of each circuit's DHCP online session count and DHCP request frequency, effectively prevents address-depletion attacks by illegitimate users against the DHCP server; at the same time the method is simple to configure, easy to implement and, once implemented, greatly improves the reliability of the broadband access network.
Description of drawings
In the accompanying drawings,
Fig. 1 is a schematic diagram of the networking of a prior-art Ethernet-based broadband access network;
Fig. 2 is a schematic diagram of the networking of a prior-art ATM-based broadband access network;
Fig. 3 is a sequence and flow diagram of prior-art DHCP access;
Fig. 4 is a flow diagram of the method of the invention on the BAS;
Fig. 5 is a flow diagram of the method of the invention on the DHCP server.
Embodiments
The implementation of the technical solution is described in further detail below with reference to the accompanying drawings:
The core idea of the present invention is that the BAS limits the number of addresses a user may request on the circuit where that user is located, thereby suppressing attacks by illegitimate users. In a broadband access network, the user's personal computer (PC) and the BAS are connected by a layer-2 circuit, which may be an ATM circuit (ATM access) or a VLAN-tagged Dot1q circuit (Ethernet access). A user on one circuit may access multiple sessions, and each session occupies one IP address. The number of sessions that may be accessed on a circuit can be predetermined on the BAS according to the user type: an ordinary household user normally has one session per circuit, whereas an enterprise user has multiple sessions per circuit, the exact number being settled by negotiation between the operator and the user. The specific practice is as follows:
On the BAS, two parameters are set for every subscriber line circuit that requires DHCP access, namely a maximum DHCP online session count and a maximum DHCP request frequency. The DHCP online session count is the number of IP addresses successfully obtained on the circuit through the DHCP protocol: each successful user application increments the count by 1, and each release decrements it by 1. The DHCP request frequency is the number of DHCP requests received from the circuit per second. The BAS monitors and maintains these two counters. Once the BAS finds that the DHCP online session count of a circuit has reached its maximum session count, it stops processing all subsequent DHCP requests on that circuit, and resumes processing DHCP requests from the circuit only after a release request arrives that brings the DHCP online session count below the maximum session count. At the same time, if the DHCP request frequency of a circuit is found to remain above the maximum DHCP request frequency for a period of time, an alarm is raised immediately and the circuit is shut down, pending handling by maintenance personnel. In addition, to prevent attacks from elsewhere, an access control list (ACL) is configured on the DHCP server so that it handles DHCP requests only from legitimate BASs.
With the above processing, the DHCP server avoids address-depletion attacks by illegitimate users, and at the same time the BAS can promptly find the circuit on which the illegitimate user is located, which makes it convenient to eliminate the attack source.
The present invention presets on the BAS, for every circuit, two threshold parameters, a maximum DHCP online session count and a maximum DHCP request frequency, and at the same time keeps for every circuit two counting variables, the current DHCP online session count and the current DHCP request frequency. By monitoring these counters the attacking circuit is found, and measures such as stopping service, raising an alarm and shutting down the circuit are taken to suppress the attack source and prevent the DHCP server from suffering an address-depletion attack.
The circuit referred to above is the ATM connection from the user's PC to the BAS, such as an ATM PVC, or the VLAN-tagged Dot1q PVC from the user's PC to the BAS. The DHCP request frequency is the number of DHCP requests per unit time. The DHCP online session count is the number of IP addresses on the circuit that have been successfully obtained through the DHCP protocol and are in use, one session occupying one IP address.
The anti-attack method of the present invention is implemented on the BAS and on the DHCP server respectively; the two flows are shown in Fig. 4 and Fig. 5.
As shown in Fig. 4, the processing flow of the method of the invention on the BAS is as follows:
Step 1: on the BAS, for every circuit using the DHCP access method, configure two threshold parameters, the maximum DHCP online session count max_session and the maximum DHCP request frequency max_freq, and set up two counting variables, the DHCP online session count online_session and the current DHCP request frequency cur_freq, both initially set to 0;
Step 2: when the BAS receives a DHCP request from a user, recompute the current DHCP request frequency and check whether the online session count has reached the maximum DHCP online session threshold (online_session >= max_session) and whether the current DHCP request frequency has reached the maximum DHCP request frequency threshold (cur_freq >= max_freq). If neither condition holds, the DHCP request is handled by the DHCP proxy and sent on to the DHCP server; otherwise, if the latter condition holds, raise an alarm and shut down the circuit; if the former holds, discard the request packet without any further processing or response;
Step 3: after the BAS receives the DHCP response packet, establish the DHCP session, increment the online DHCP session count by 1, and forward the packet to the user;
Step 4: when the BAS receives a DHCP release request from the user, release the DHCP session, decrement the online DHCP session count by 1, and forward the packet to the DHCP server.
As shown in Fig. 5, the processing flow of the method of the invention on the DHCP server is as follows:
Step 1: configure the access control list (ACL) on the DHCP server so that only DHCP protocol packets from legitimate BASs are allowed to obtain service;
Step 2: when the DHCP server receives a DHCP packet, match the packet's source IP address against the configured access control list; if there is no match, discard the packet; otherwise process the packet according to the DHCP protocol.
Through the above steps, the DHCP server is effectively protected from address-depletion attacks by illegitimate users, the safety and effective use of the DHCP server's address resources are ensured, and the reliability and stability of the broadband access network are improved.
It should be understood that the above detailed description of specific embodiments of the present invention does not define the scope of patent protection requested; that scope is determined by the appended claims.
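The BAS flow of Fig. 4 and the DHCP-server ACL of Fig. 5 as one runnable model, added here as an example and not ZTE's code or the patent's own implementation. It assumes the per-second request frequency is measured over a sliding one-second window of request timestamps; the circuit names, timestamps and BAS addresses used are constructed.

```python
"""Per-circuit DHCP guard on the BAS (Fig. 4) and source-IP ACL on the DHCP
server (Fig. 5). Added example; names and sample values are constructed."""
from collections import deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List

FORWARD, DROP, ALARM_SHUTDOWN = "forward", "drop", "alarm_shutdown"


@dataclass
class Circuit:
    """One ATM PVC or Dot1q VLAN circuit between a subscriber PC and the BAS."""
    max_session: int          # threshold: maximum DHCP online session count
    max_freq: int             # threshold: maximum DHCP requests per second
    online_session: int = 0   # counter: addresses currently held (Step 1: 0)
    cur_freq: int = 0         # counter: requests seen in the last second
    shut: bool = False        # set once the circuit has been shut down
    recent: Deque[float] = field(default_factory=deque)  # request timestamps


class BasDhcpGuard:
    """Steps 1-4 of the method on the Broadband Access Server."""

    def __init__(self) -> None:
        self.circuits: Dict[str, Circuit] = {}
        self.alarms: List[str] = []

    def configure(self, circuit_id: str, max_session: int, max_freq: int) -> None:
        """Step 1: set the two thresholds; both counters start at 0."""
        self.circuits[circuit_id] = Circuit(max_session, max_freq)

    def on_request(self, circuit_id: str, now: float) -> str:
        """Step 2: recompute cur_freq over a sliding 1-second window (assumed
        realisation of 'requests per second'), then apply the two thresholds.
        The frequency check is evaluated first, as the patent's Step 2 does."""
        c = self.circuits[circuit_id]
        if c.shut:
            return DROP                  # shut circuits get no service at all
        c.recent.append(now)
        while c.recent and now - c.recent[0] >= 1.0:
            c.recent.popleft()           # forget requests older than 1 s
        c.cur_freq = len(c.recent)
        if c.cur_freq >= c.max_freq:
            c.shut = True
            self.alarms.append(f"{circuit_id}: {c.cur_freq} req/s >= {c.max_freq}")
            return ALARM_SHUTDOWN        # alarm and shut down the circuit
        if c.online_session >= c.max_session:
            return DROP                  # cap reached: no reply to the subscriber
        return FORWARD                   # relay to the DHCP server

    def on_response(self, circuit_id: str) -> int:
        """Step 3: the server allocated an address, session count + 1."""
        c = self.circuits[circuit_id]
        c.online_session += 1
        return c.online_session

    def on_release(self, circuit_id: str) -> int:
        """Step 4: the subscriber released an address, session count - 1."""
        c = self.circuits[circuit_id]
        c.online_session = max(0, c.online_session - 1)
        return c.online_session


class DhcpServerAcl:
    """Fig. 5: accept DHCP packets only from the legitimate BAS addresses."""

    def __init__(self, legal_bas: List[str]) -> None:
        self.allowed = [ip_network(n) for n in legal_bas]   # Step 1: the ACL

    def accept(self, src_ip: str) -> bool:
        """Step 2: match the packet's source IP; no match means discard."""
        src = ip_address(src_ip)
        return any(src in net for net in self.allowed)
```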

Claims (5)

1. A method for preventing address-depletion attacks, used in a broadband access network to protect a DHCP server from attack, wherein the processing steps of the method on the Broadband Access Server comprise:
b1) for every circuit on the Broadband Access Server whose access form is DHCP, configuring two parameters, a maximum DHCP online session count and a maximum DHCP request frequency, and initialising the circuit's DHCP online session count and DHCP request frequency to 0;
b2) the Broadband Access Server monitoring and maintaining the DHCP online session count and the DHCP request frequency of the circuit.
2. The method according to claim 1, characterised in that step b2) further comprises the following steps:
b201) the DHCP online session count is the number of IP addresses successfully obtained on the circuit through the DHCP protocol; each time a user's application succeeds the count is incremented by 1, and each time an address is released the count is decremented by 1;
b202) once the Broadband Access Server finds that the DHCP online session count of a circuit has reached its maximum session count, it stops processing all subsequent DHCP requests on that circuit until a release request arrives that brings the DHCP online session count below the maximum session count.
3. The method according to claim 1 or 2, characterised in that step b2) further comprises the following steps:
b203) the DHCP request frequency is the number of requests received from the circuit per second;
b204) if the Broadband Access Server finds that the DHCP request frequency of a circuit remains above the maximum DHCP request frequency for a period of time, it immediately raises an alarm and shuts down the circuit, and waits for maintenance personnel to handle it.
4. The method according to claim 3, characterised in that the method further comprises the following processing steps on the DHCP server:
a1) configuring its access control list so that it accepts DHCP protocol packets only from legitimate Broadband Access Servers;
a2) when the DHCP server receives a DHCP request packet, matching it against its access control list and, according to the match result, accepting DHCP protocol packets from legitimate Broadband Access Servers and rejecting DHCP protocol packets from anywhere else.
5. The method according to claim 4, characterised in that step a2) comprises the following steps: when the DHCP server receives a DHCP packet, it matches the packet's source IP address against the configured access control list; if there is no match, the packet is discarded; otherwise the packet is processed according to the DHCP protocol.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2004100151440A CN100349409C (en) 2004-01-15 2004-01-15 Method for preventing address-depletion attack

Publications (2)

Publication Number Publication Date
CN1642107A true CN1642107A (en) 2005-07-20
CN100349409C CN100349409C (en) 2007-11-14

Family

ID=34867940

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2004100151440A Expired - Fee Related CN100349409C (en) 2004-01-15 2004-01-15 Method for preventing address-depletion attack

Country Status (1)

Country Link
CN (1) CN100349409C (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008064562A1 (en) * 2006-11-27 2008-06-05 Huawei Technologies Co., Ltd. Service processing method, network device and service processing system
CN101047509B (en) * 2006-05-31 2010-05-12 华为技术有限公司 Session attack detection system and method

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1073244A1 (en) * 1999-07-29 2001-01-31 International Business Machines Corporation Method and system for monitoring dynamic host configuration protocol (DHCP) service in an internet protocol network
JP3948278B2 (en) * 2001-12-27 2007-07-25 富士ゼロックス株式会社 Setting information allocation method for external network connection
KR100437726B1 (en) * 2002-02-18 2004-06-30 (주)테라정보시스템 The System for Monitering and Breaking a Private DHCP Server and The same Method
CN1248446C (en) * 2002-05-15 2006-03-29 华为技术有限公司 Safe access method for borad band network

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101047509B (en) * 2006-05-31 2010-05-12 华为技术有限公司 Session attack detection system and method
WO2008064562A1 (en) * 2006-11-27 2008-06-05 Huawei Technologies Co., Ltd. Service processing method, network device and service processing system
CN1968147B (en) * 2006-11-27 2010-04-14 华为技术有限公司 Service processing method, network device, and service processing system

Also Published As

Publication number Publication date
CN100349409C (en) 2007-11-14

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20071114

Termination date: 20140115