CN1719829A - Implementing flow control and defensing DOS attack by using MPLS display route - Google Patents


Info

Publication number: CN1719829A
Authority: CN (China)
Prior art keywords: network, flow, stream, mpls, flow control
Legal status: Pending
Application number: CN 200410062457
Other languages: Chinese (zh)
Inventors: 黄河, 李伟琴
Current assignee: Beihang University (Beijing University of Aeronautics and Astronautics)
Original assignee: Beihang University


Abstract

This invention relates to a method for controlling network traffic and defending against distributed "denial of service" attacks using the explicit-route mechanism of Multi-Protocol Label Switching (MPLS). The method can be used for network performance optimization and flow control and, by introducing an admission control mechanism, can effectively defend against distributed "denial of service" attacks.

Description

Using MPLS explicit routes to implement flow control and defend against DoS attacks
Technical field: This invention belongs to the field of information technology. It proposes a new method that uses the explicit-route mechanism of Multi-Protocol Label Switching (MPLS) to control network traffic and defend against distributed "denial of service" (DoS) attacks. The method can be used for network performance optimization and flow control and, at the same time, can effectively defend against distributed "denial of service" attacks.
Background: Multi-Protocol Label Switching (MPLS) [1] is a high-speed packet forwarding technique. Unlike traditional hop-by-hop IP forwarding, in an MPLS network the Label Edge Router (LER) classifies packets into Forwarding Equivalence Classes (FECs) according to certain rules, then distributes labels along a path that is either specified in advance or computed by explicit routing (called an explicit route), forming a Label Switched Path (LSP) from the source to the destination. Core Label Switch Routers (LSRs) forward packets by label only and need not perform longest-prefix IP lookups. Using the explicit-route mechanism, MPLS can solve problems that traditional IP networks handle poorly, such as Quality of Service (QoS), flow control, balancing the use of network resources and avoiding congestion; these network performance optimization problems fall under traffic engineering [2].
Implementing traffic engineering with MPLS to optimize network performance can be achieved by adopting a suitable explicit-route algorithm. Traditional Interior Gateway Protocols (IGPs) have insufficient control over network traffic and easily cause congestion on shortest paths. To control network traffic effectively, routing protocols and algorithms must therefore be changed. A routing algorithm and network management policy can be used to control the use of network resources and the direction of data flows; by reasonably controlling traffic and resources, traffic is distributed more evenly across the existing network, thereby optimizing its performance.
A distributed "denial of service" attack is one in which an attacker, within a short period of time, sends a large number of packets to the victim host and its network, overloading the host's resources or exhausting the network bandwidth, so that the attacked host or network "refuses to provide service". Defence against distributed DoS attacks is generally divided into two stages: detecting the attack and discovering the attack source. Relying on detection alone, i.e. filtering harmful traffic near the victim end, cannot control a distributed DoS attack well, because it also rejects some normal traffic. To control distributed DoS attacks effectively, discovering the attack source is very important. Attack traffic usually exists in the form of a traffic aggregate, which is a set of flows sharing certain features, such as the same source address, port number, destination address or destination port number. By examining traffic aggregates the attack source may be found: normally the victim host, or a point near the victim end, detects, compares and analyses the traffic and notices an abnormal attack aggregate; after a possible attack aggregate is found, some mechanism (such as pushback [3]) must be used to notify the routers near the attack end so that they block such flows, thereby controlling the distributed DoS attack. This method must go through three steps, namely detecting the attack aggregate, discovering the attack source and notifying the routers near the attack end, before it can effectively defend against a distributed DoS attack. Introducing notification messages such as pushback consumes network bandwidth; at the same time, because source addresses are untrustworthy, packets must be marked by some mechanism in order to find the true source address of the attack aggregate, so the whole process is very complex to implement. Discovering the attack source is generally difficult, because the attacker may attack with flows whose source addresses are spoofed from many sources, so the defence capability is limited.
The capability of existing networks to defend against distributed DoS attacks is limited: detection and traffic blocking near the victim end cause denial of service in a real sense, because normal flows are rejected as well; and a traffic blocking mechanism near the attack end is extremely complex to implement and of limited effect. The fundamental reason for existing networks' vulnerability to distributed DoS attacks is that they use a connectionless mechanism, which makes data flows difficult to control and trace.
Summary of the invention: A method is proposed that uses the MPLS explicit-route mechanism to control network traffic and defend against distributed "denial of service" attacks. The explicit-route mechanism uses an explicit-route algorithm based on policy and traffic features; the algorithm preassigns bandwidth to each class of flow according to the network's traffic features and management policy. The result of the bandwidth preassignment for a given class of flow is used as the threshold for admission control (Admission Control) of that class and, at the same time, as the initial value of available bandwidth in the online computation. With the MPLS network as the application environment, this method implements flow control, so that network traffic is distributed across the network reasonably according to the network's intrinsic traffic feature distribution and network management requirements; at the same time, a new method for defending against distributed DoS attacks based on the MPLS explicit-route mechanism is proposed.
The explicit-route mechanism based on traffic features and management policy solves problems such as resource and traffic classification, allocation of link available bandwidth, allocation of link metrics and flow control, and can distribute network flows across the network reasonably according to the network's intrinsic features while meeting the bandwidth demands of the flows. At the same time, by introducing an admission control mechanism, this explicit-route mechanism can defend against distributed DoS attacks more efficiently: its control mode avoids the series of complex steps used in traditional DoS defence methods, namely detecting the attack, discovering the attack source and notifying the routers near the attack end. It applies admission control and flow control directly at the source end, i.e. harmful attack flows are filtered out at the source end, thereby effectively protecting the attacked resources; it is simple and feasible to implement and can largely avoid "denial of service".
The technical scheme for flow control using this method is:
1) Classify network traffic according to network measurement results and network management requirements and determine the traffic feature matrix. The traffic feature matrix is a four-tuple consisting of: flow identifier, source address, destination address and bandwidth demand.
2) After the flow classes are determined, perform the offline computation: generate link metrics from the traffic matrix, then take the traffic matrix values and link metrics as the initial conditions of a multicommodity flow problem (multi commodity flow problem), solve the multicommodity flow problem, and obtain the bandwidth value of each class of flow on each link.
3) Use this bandwidth value as the bandwidth preassignment value of each class of flow, and perform the online computation in the MPLS LER to determine the explicit route.
4) Use the MPLS label forwarding mechanism to forward packets along the label switched path determined by this explicit route, thereby implementing flow control.
The technical scheme for defending against distributed DoS attacks with this explicit-route mechanism is:
On the basis of the flow control above, introduce an admission control mechanism. An admission control module is added to the LSR; the result of the improved multicommodity flow computation (i.e. the bandwidth value of a given class of flow on each link) is used as the admission control threshold of each class of flow. Once the bandwidth demand of a class of flow exceeds this value, the router refuses to assign a label to that flow, i.e. refuses the flow entry into the network.
Explicit routes are computed by combining offline and online computation; the multicommodity flow problem is improved by adding a link cost value, so that flow control can be applied in the online computation while meeting the bandwidth demands of flows, optimizing the use of network resources. The offline computation uses a conventional shortest-path algorithm; its complexity is the same as that of conventional routing algorithms and adds no resource cost.
By introducing an admission control mechanism and using the explicit-route mechanism and MPLS technology, the network resources (here, bandwidth) consumed by each class of flow can be limited at the source end, which defends against distributed DoS attacks relatively effectively. The admission control mechanism together with the routing algorithm based on traffic features can defend against DoS attacks from the source end. The traffic feature matrix obtained from network measurement defines the classes of flows, their ingress and egress nodes, and their demand values. A classified flow can be regarded as a traffic aggregate. The offline computation preallocates available bandwidth to each aggregate according to the normal traffic distribution, and the admission control mechanism guarantees that an aggregate is refused when the bandwidth request of that class exceeds its predefined value. When the network operates normally, the aggregates basically match the traffic feature distribution, so the probability of being refused is very low. When a DoS attack occurs, the traffic of a certain aggregate (the attack flow) greatly exceeds its normal value; the admission control mechanism then refuses that class entry into the network, while other flows enter the network normally, so that the network keeps providing normal service and denial of service is avoided. This mechanism requires no attack detection, attack-source discovery or notification, and is simple and feasible to implement. Simulation results have confirmed the effectiveness of this mechanism in defending against DoS attacks.
The proposed method of defending against DoS attacks using the MPLS explicit-route mechanism is not limited to the explicit-route algorithm proposed here; other explicit-route algorithms can also be used. Defending against DoS attacks through MPLS explicit routes and an admission control mechanism is the new method proposed in this paper.
Description of drawings: Flow control and the DoS attack defence mechanism are implemented by the label edge router (LER). The drawing shows the modules of an MPLS LSR supporting this explicit-route algorithm and their relationships. Admission control, explicit-route computation, signalling and MPLS packet forwarding are implemented in the LSR, while offline computation and traffic classification are implemented by a dedicated server. When an LSP request arrives at the LER, the LER first requests the initial link bandwidth values from the server, and then performs online explicit-route computation, label request and distribution, admission control and MPLS packet forwarding according to these values.
Embodiment: Because the embodiment of defending against distributed DoS attacks is built on the flow control basis, it already includes the flow control mechanism, with the admission control mechanism added; therefore only the implementation of defending against DoS attacks with this mechanism is described here.
1 Classifying traffic
Given a network G = (V, E), where V and E are the sets of vertices and edges respectively, each edge e ∈ E has a capacity c(e). First, network flows are classified according to management policy or measurement results; the flow type is denoted t. Define the network traffic feature matrix P(t, s_i, d_i, B_i), where i = 1, 2, 3, ..., k; s_i and d_i are respectively the ingress and egress nodes of the class-i flow (hereafter flow i); B_i is the bandwidth demand of flow i. The traffic features roughly reflect the classification, distribution and bandwidth demand of network flows, and their values can be determined by network measurement and management policy. The result of classifying the flows is exactly the traffic feature matrix; the purpose is to use the traffic matrix as the initial condition and treat each class of flow as an independent commodity in a multicommodity flow computation. The goal of the algorithm is to carry as many different commodity flows as possible from source to destination, i.e. to find paths in the given network that simultaneously satisfy the bandwidth demands of all flows. Let x_i(e) be the traffic of flow i assigned to edge e and s(e) the link cost; then the objective function of the offline computation is:
$$\min \sum_{e \in E} \left( s(e) \sum_{i=1}^{k} x_i(e) \right)$$
Constraint (1) is $\sum_{i=1}^{k} x_i(e) \le c(e)$ for every link e, which guarantees that no link is overloaded; constraint (2) is that for each i (i = 1, 2, ..., k) the bandwidth carried for flow i equals its demand, n(i) = B_i, which satisfies the bandwidth demand of each flow.
The output is x_i(e); this process in fact preassigns network bandwidth to the different types of flow according to network traffic feature information.
The flow types obtained by classification are used in the subsequent explicit-route computation, i.e. as the FECs of the MPLS network, for route computation and flow control. At the same time, the different types of flow are also treated as traffic aggregates in DoS defence. When the actual traffic of an aggregate exceeds the traffic defined for it in the traffic feature matrix, the router blocks it.
2 Offline computation
The output of the improved multicommodity flow problem is used as the offline computation result, giving the bandwidth preassignment value x_i(e) of each class of flow on each link. To balance the use of network resources, when the multicommodity flow computation preassigns bandwidth to each class of flow it should avoid links whose capacity cannot satisfy the class's demand, and prefer links with a larger ratio c(e)/B_i of capacity to the class's demand, because such links satisfy the class's bandwidth demand more easily. For this purpose the link cost s(e) is modified: for each class i, the link cost s(e_i) is made linearly dependent on B_i/c(e), i.e.
$$s(e_i) = k\,\frac{B_i}{c(e)} + b.$$
When the link bandwidth c(e) is less than the bandwidth demand B_i of a class, the link cost for class i is s(e_i) = ∞. The objective function of the improved multicommodity flow problem is:
$$\min \sum_{e \in E} \left( \sum_{i=1}^{k} s(e_i)\, x_i(e) \right)$$
The constraints are unchanged, and the output of the algorithm is still x_i(e). Analysis shows that adjusting the value of s(e_i) and recomputing the multicommodity flow problem essentially classifies and integrates the network resources (here, network bandwidth) together with the traffic classification, so that links with relatively ample available bandwidth compared with a class's bandwidth demand are assigned to that class as far as possible; that is, network resources are allocated reasonably according to the traffic features. By introducing the link cost s(e), the offline computation based on traffic features balances network resources more effectively, provides a reasonable bandwidth allocation for the online computation, and largely avoids congestion.
3 Admission control
The bandwidth value x_i(e) obtained by the offline computation for each class of flow i is used as the threshold for label distribution admission control: in each label edge router (LER), when the bandwidth request of a class of flow exceeds its current available bandwidth value, the LER's admission control mechanism refuses that flow.
When a DoS attack occurs, the bandwidth demand of some class of flow exceeds its normal value x_i(e); according to the admission control mechanism, that flow is then blocked by the edge router LER while other flows pass normally, so that "denial of service" is better avoided.
4 Online explicit-route computation
In the network G = (V, E), for every edge e define the available bandwidth for each class of flow i as r_i(e), i = 1, 2, ..., k. The initial condition of the online computation is the output value x_i(e) of the multicommodity flow problem. The initial value of r_i(e) is decided as follows: when the management policy allows class i over link e, set r_i(e) = x_i(e); otherwise set r_i(e) = 0. Suppose the current flow x has bandwidth demand b and belongs to class i. The online computation steps are:
1) delete from G all links whose available bandwidth r_i(e) is less than the bandwidth demand b;
2) according to the needs of management policy and resource classification, construct the residual graph that conforms to the management policy and resource classification;
3) compute the shortest path for flow x in the remaining weighted graph using a shortest-path algorithm;
4) subtract b from the former available bandwidth value r_i(e) to update the available bandwidth.
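As an added example that is not part of the patent text, the following Python code walks through sections 2 to 4: the modified per-class link cost s(e_i) = k·B_i/c(e) + b, a simplified offline preassignment of x_i(e), and an LER that uses x_i(e) as the admission threshold and runs the four online steps. The topology, traffic classes, constants k and b, and the greedy single-path stand-in for the multicommodity flow solver are assumptions; policy filtering (step 2) is omitted.

```python
"""Offline bandwidth preassignment, admission control and online explicit-route
computation after the patent's sections 2-4. Example code; topology, classes and
constants are constructed, not taken from the patent."""
import heapq
from math import inf

# Constructed topology: directed link (u, v) -> capacity c(e) in Mb/s.
CAPACITY = {
    ("A", "B"): 100, ("B", "D"): 100,
    ("A", "C"): 50, ("C", "D"): 50,
    ("B", "C"): 20,
}

# Constructed traffic feature matrix P(t, s_i, d_i, B_i): class t -> (s_i, d_i, B_i).
TRAFFIC = {"bulk": ("A", "D", 60), "web": ("A", "D", 40)}


def link_cost(demand, capacity, k=1.0, b=0.1):
    """Modified link cost s(e_i) = k * B_i / c(e) + b; infinite when c(e) < B_i.
    k and b are assumed constants (the patent leaves their choice open)."""
    return inf if capacity < demand else k * demand / capacity + b


def shortest_path(weights, src, dst):
    """Dijkstra over {(u, v): weight}; returns the path as a list of links, or None."""
    adj = {}
    for (u, v), w in weights.items():
        if w != inf:                      # links costed as infinite are unusable
            adj.setdefault(u, []).append((v, w))
    dist, prev, heap = {src: 0.0}, {}, [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in adj.get(u, []):
            if d + w < dist.get(v, inf):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        return None
    path, node = [], dst
    while node != src:
        path.append((prev[node], node))
        node = prev[node]
    return path[::-1]


def offline_preassign(capacity, traffic):
    """Offline step: x_i(e) = B_i on the links of class i's modified-cost shortest path.
    Greedy single-path stand-in for the multicommodity flow solver: classes are placed
    largest demand first and assigned capacity is removed, keeping sum_i x_i(e) <= c(e)."""
    remaining, x = dict(capacity), {}
    for cls, (s, d, demand) in sorted(traffic.items(), key=lambda kv: -kv[1][2]):
        costs = {e: link_cost(demand, c) for e, c in remaining.items()}
        path = shortest_path(costs, s, d) or []
        x[cls] = {e: (demand if e in path else 0) for e in capacity}
        for e in path:
            remaining[e] -= demand
    return x


class EdgeRouter:
    """LER: r_i(e) starts at x_i(e) (policy allows every class on every link here);
    a class-i LSP request of b Mb/s is admitted only if a path with r_i(e) >= b exists."""

    def __init__(self, capacity, preassigned):
        self.capacity = capacity
        self.avail = {cls: dict(x) for cls, x in preassigned.items()}  # r_i(e)

    def request_lsp(self, cls, src, dst, b):
        r = self.avail[cls]
        # Step 1: drop links with r_i(e) < b (step 2, policy filtering, omitted).
        residual = {e: link_cost(b, self.capacity[e]) for e in r if r[e] >= b}
        # Step 3: shortest path on the remaining weighted graph.
        path = shortest_path(residual, src, dst)
        if path is None:
            return None          # admission control refuses: no label assigned
        for e in path:           # Step 4: update available bandwidth r_i(e)
            r[e] -= b
        return path


if __name__ == "__main__":
    ler = EdgeRouter(CAPACITY, offline_preassign(CAPACITY, TRAFFIC))
    for cls, b in [("web", 30), ("web", 30), ("bulk", 50)]:
        print(cls, b, "->", ler.request_lsp(cls, "A", "D", b))
```

With the constructed classes the offline step places "bulk" on A-B-D and, because the modified cost now makes A-B and B-D expensive relative to the 40 Mb/s demand, "web" on A-C-D; a second 30 Mb/s "web" request then exhausts that class's preassigned budget and is refused, while "bulk" requests within their budget still pass.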
5 A simple admission control mechanism
The above gives a complete method that uses MPLS explicit routes to control network traffic and defend against DoS attacks. This paper also proposes a simple admission control mechanism for defending against distributed DoS attacks.
To protect a particular network, define the protected network and the network traffic it can bear as the following two-tuple:
PN(d_i, b_i)
where d_i is the address of the protected network (hereafter d_i), which, for the LSR implementing admission control, is the destination address of the flow;
b_i is the bandwidth value that protected network d_i can bear, whose initial value is specified by management policy.
When the LER receives a flow j destined for target network d_i, suppose its bandwidth value is b_ij. If b_ij ≤ b_i, the admission control mechanism allows the flow to pass and at the same time sets b_i = b_i − b_ij; if b_ij > b_i, the flow is blocked.
The modified value b_i represents the traffic that the protected network can currently bear; if the traffic directed to the target network exceeds this value, the network cannot provide normal service, the current traffic has exceeded its normal value and the network may be under distributed DoS attack, so the admission control mechanism blocks flows directed to that network, thereby preventing "denial of service".
References
[1] Awduche D. et al. Requirements for Traffic Engineering Over MPLS. IETF RFC 2702, 1999.9.
[2] Rosen E, Viswanathan A, and Callon R. Multiprotocol Label Switching Architecture. IETF RFC 3031, 2001.1.
[3] Tao Peng et al. Defending Against Distributed Denial of Service Attacks Using Selective Pushback.

Claims (3)

1. A method of flow control and defence against "denial of service" attacks based on Multi-Protocol Label Switching (MPLS), implemented through the steps of traffic feature matrix construction, multicommodity flow computation, and offline and online explicit-route computation, characterized in that: by improving the link metrics in the offline computation, network traffic can be effectively controlled and the use of network resources optimized.
2. The flow control method according to claim 1, usable for defending against distributed "denial of service" attacks, characterized in that: by introducing an admission control mechanism, when the traffic directed to a protected network exceeds the admission control threshold, the router blocks that flow, thereby preventing "denial of service" at the target network.
3. The flow control and DoS attack defence method according to claim 1, characterized in that: the traffic classes of the traffic matrix, the FECs of the MPLS network and the traffic aggregates in DoS attacks are treated as one kind of flow; in the MPLS network, explicit-route computation, label distribution and the admission control mechanism are applied to this flow.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN 200410062457 (CN1719829A, en) | 2004-07-09 | 2004-07-09 | Implementing flow control and defensing DOS attack by using MPLS display route

Publications (1)

Publication Number | Publication Date
CN1719829A | 2006-01-11

Family ID: 35931552

Country Status (1)

Country | Link
CN (1) | CN1719829A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101102323B * | 2007-08-09 | 2011-04-20 | 华为技术有限公司 | Method and device for preventing DOS attack
CN104220979A * | 2009-05-27 | 2014-12-17 | 章寅 | Method and apparatus for spatio-temporal compressive sensing
CN104220979B * | 2009-05-27 | 2017-08-25 | 章寅 | Time-space compression cognitive method and device
CN102158362A * | 2011-04-18 | 2011-08-17 | 中兴通讯股份有限公司 | Network information monitoring realization method, system and device
CN102158362B * | 2011-04-18 | 2015-05-06 | 中兴通讯股份有限公司 | Network information monitoring realization method, system and device
CN106060045A * | 2016-05-31 | 2016-10-26 | 东北大学 | Filtering position selection method against bandwidth consumption-type attacks
CN106060045B * | 2016-05-31 | 2019-12-06 | 东北大学 | Filtering position selection method facing bandwidth consumption type attack


Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C02 | Deemed withdrawal of patent application after publication (patent law 2001)
WD01 | Invention patent application deemed withdrawn after publication