Summary of the invention
In view of this, the main object of the present invention is to provide a connection rate limiting method that can limit the frequency of access to a network device or service.
Another object of the present invention is to provide an access restriction method on a firewall that can limit the frequency of access to a network device or service and prevent the spread of network junk traffic.
A further object of the present invention is to provide a firewall that can limit the frequency of access to a network device or service and prevent the spread of network junk traffic.
To achieve the above objects, the technical solution of the present invention is realised as follows:
The invention discloses a connection rate limiting method. A connection-limit resource is configured for the connection limiting function, and the method comprises the following steps:
A. Judge whether a new data connection matches the connection characteristics set in the connection-limit resource. If so, count the connection rate of the data connection according to the configured connection-limit resource and continue with step B; otherwise, allow the packets of the new data connection to pass.
B. Judge whether the connection rate obtained by counting exceeds the specified threshold. If so, block the packets of the data connection; otherwise, allow or block the packets of the new data connection according to the configured connection-limit resource.
The connection-limit resource comprises: connection characteristics, a specified measurement period, a specified threshold, a block period, a connection limit type, and a connection limit statistics mode. The connection limit type is protect host, protect service, restrict host or restrict service. The connection limit statistics mode is shared mode or exclusive mode. The connection characteristics are the packet's destination IP address, or destination IP address and destination port, or source IP address, or source IP address and destination port. In the connection characteristics, the packet's source IP address and destination IP address are each a single IP address or an IP address range.
In step B of the above solution, when the connection rate obtained by counting exceeds the specified threshold, the method further comprises: starting a block period and a new measurement period.
Correspondingly, when processing subsequent data connections, if the connection rate obtained by counting does not exceed the specified threshold, allowing or blocking packets according to the configured connection-limit resource specifically means: judging whether the data connection falls within the block period; if so, blocking the packets of the new data connection; otherwise, allowing the packets of the new data connection to pass.
Within the block period, the method further comprises: judging whether the newly counted connection rate exceeds the specified threshold; if so, starting a new block period and a new measurement period; otherwise, taking no action.
Alternatively, in step B, when the connection rate obtained by counting exceeds the specified threshold, the method further comprises: beginning to block, and starting a new measurement period.
Correspondingly, when processing subsequent data connections, if the connection rate obtained by counting does not exceed the specified threshold, allowing or blocking packets according to the configured connection-limit resource specifically means: during blocking, when the connection rate obtained by counting is less than the specified threshold, stopping the blocking, starting a new measurement period, and allowing the packets of subsequent data connections to pass until the connection rate obtained by counting again exceeds the specified threshold.
The present invention also provides an access restriction method on a firewall, in which a connection limiting function is set in a security rule and a connection-limit resource is configured. The method comprises the following steps:
a. The firewall allows or blocks the packet according to the received packet information and the connection state table information, or continues with step b;
b. Judge whether the received packet information matches the security rule. If so, perform connection rate limiting on the currently received packet and allow or block the packet according to the result of the connection rate limiting; otherwise, block the packet.
Step a comprises:
The firewall searches the connection state table according to the received packet information and judges whether the packet belongs to an established data connection in the connection state table. If so, it allows the packet to pass and updates the connection state table; otherwise, it judges whether the packet is the first packet of a new data connection. If so, it continues with step b; otherwise, it blocks the packet. The packet information comprises: source IP address, destination IP address, source port, destination port, and protocol.
In step b of the above solution, the connection rate limiting processing comprises the following steps:
b1. Judge whether the new data connection matches the connection characteristics set in the connection-limit resource. If so, count the connection rate of the data connection according to the configured connection-limit resource and continue with step b2; otherwise, allow the packets of the new data connection to pass.
b2. Judge whether the connection rate obtained by counting exceeds the specified threshold. If so, block the packets of the new data connection; otherwise, allow or block the packets of the new data connection according to the configured connection-limit resource.
When the connection rate obtained by counting exceeds the specified threshold, the method further comprises: starting a block period and a new measurement period.
Correspondingly, when processing subsequent data connections, if the connection rate obtained by counting does not exceed the specified threshold, allowing or blocking packets according to the configured connection-limit resource specifically means: judging whether the data connection falls within the block period; if so, blocking the packets of the data connection; otherwise, allowing the packets of the data connection to pass.
In the above solution, the connection-limit resource comprises: connection characteristics, a specified measurement period, a specified threshold, a block period, a connection limit type, and a connection limit statistics mode. The connection limit type is protect host, protect service, restrict host or restrict service. The connection limit statistics mode is shared mode or exclusive mode. The connection characteristics are the packet's destination IP address, or destination IP address and destination port, or source IP address, or source IP address and destination port. In the connection characteristics, the packet's source IP address and destination IP address are each a single IP address or an IP address range.
The present invention further discloses a firewall comprising at least: a packet receiving module, a memory, a configuration management module, a packet sending module and a packet processing module. The configuration management module is used to configure security rules and to save the configured security rules in the memory. The packet processing module comprises at least a state table processing unit and a security rule processing unit, and the state table processing unit forwards packet information to the security rule processing unit according to the state table information.
The packet processing module further comprises a connection rate limit processing unit.
The configuration management module is further used to set the connection rate limiting function of a security rule, to configure the connection-limit resource, and to save the configured connection-limit resource in the memory.
The security rule processing unit is used to receive the packet information sent by the state table processing unit, to perform the security rule check, and to forward the packet information to the connection rate limit processing unit according to the check result.
The connection rate limit processing unit is used to receive the packet information sent by the security rule processing unit, to perform the connection rate limiting processing, to notify the memory to discard or forward the packet according to the connection rate limiting result, and to notify the state table processing unit to update the connection state table according to the result for the packet.
As can be seen from the above solution, the key of the present invention is to add a connection rate limit processing unit to the packet processing module of an existing firewall. This unit counts the connection rate of the data connections that match the connection characteristics, and forwards or discards packets according to the counting result and the specified threshold.
Therefore, the firewall and its access restriction method provided by the present invention propose the concept of connection rate limiting. By adding a connection rate limiting function module to the firewall, the firewall can limit the frequency of access over data connections; it can thereby limit malicious access to the intranet by certain external hosts, protect the security of intranet servers or of particular services, and also limit intranet access to particular external addresses or services. The connection rate limiting function provided by the invention differs from traditional anti-attack functions: it defines the maximum session frequency that the firewall will establish for a single IP address or a group of IP addresses.
For example, where a network user wishes to limit access to a certain service, the access frequency can be set within the range the server permits according to the method provided by the invention; this prevents the same client from sending too many requests and exhausting the session resources of the web server, and thereby protects the internal server. As another example, when an intranet host protected by the firewall is infected with a virus, setting a threshold on the number of connections from the intranet host to the external network controls the spread of network junk traffic to some extent. Therefore, introducing the connection rate limiting function on the firewall improves the security of the whole network.
Embodiment
The present invention is described in more detail below with reference to the drawings and specific embodiments.
The present invention adds a limit on the frequency of data connections on top of the security rules. In the hardware implementation, the packet processing module comprises, in addition to the state table processing unit and the security rule processing unit, a connection rate limit processing unit. This unit counts the connection rate of the data connections that match the connection characteristics, and forwards or discards packets according to the counting result and the threshold.
Fig. 2 is a structural diagram of the firewall of the present invention, comprising: a packet receiving module 201, a memory 202, a configuration management module 203, a packet sending module 204 and a packet processing module 210. The packet processing module 210 comprises a state table processing unit 211, a security rule processing unit 212 and a connection rate limit processing unit 213. The firewall administrator sets the security rules and the connection-limit resource through the configuration management module 203 according to the user's requirements, and the configured security rules and connection-limit resource are saved in the memory 202.
The packet receiving module 201 receives packets and saves the received packets in the memory 202. The state table processing unit 211 in the packet processing module 210 reads the packet information from the memory 202 and searches the connection state table in the memory 202 according to the packet information obtained. According to the search result, it notifies the memory 202 to forward the packet to the packet sending module 204 and then updates the connection state table information in the memory 202, or it forwards the packet information to the security rule processing unit 212, or it discards the packet directly.
The security rule processing unit 212 receives the packet information forwarded by the state table processing unit 211 and performs the security rule check according to the received packet information. Then, according to the check result: when the packet matches a security rule but the connection limiting function is not enabled in that rule, it notifies the memory 202 to forward the packet to the packet sending module 204 and notifies the state table processing unit 211 to update the connection state table information in the memory 202; when the packet matches a security rule and the connection limiting function is enabled in that rule, it forwards the packet information to the connection rate limit processing unit 213; when the packet does not match any security rule, the packet is discarded from the memory 202.
The connection rate limit processing unit 213 receives the packet information forwarded by the security rule processing unit 212 and matches it against the connection-limit resource. Then, according to the matching result, it either notifies the memory 202 to forward the packet to the packet sending module 204, or it counts the data connection rate. When the count does not exceed the specified threshold and the connection is not within a block period, it notifies the memory 202 to forward the packet to the packet sending module 204 and notifies the state table processing unit 211 to update the connection state table information in the memory 202; when the count exceeds the specified threshold or the connection is within a block period, it deletes the packet from the memory 202. The counting result is also kept in the memory 202. The block period is the period of time during which the firewall continues to block new data connections after finding that the counted connection rate exceeds the specified threshold.
The packet sending module 204 receives the packets sent by the memory 202 and forwards them.
Based on the above apparatus, with the connection limiting function set in advance and the connection-limit resource configured in a security rule, the packet connection restriction method of the present invention is as shown in Fig. 3 and comprises the following steps:
Step 300: the firewall receives a packet, extracts the information in the packet, and searches the connection state table according to the packet information obtained.
The information in the packet comprises: source IP address, destination IP address, source port, destination port, transport protocol, etc. The source IP address is the IP address the packet originates from; the destination IP address is the IP address the packet is sent to; the source port and destination port are the port numbers of the sender and the receiver respectively, where the destination port indicates which service at the destination IP address the packet is accessing; the transport protocol is a protocol of the IP protocol suite, such as TCP or UDP.
Step 301: judge whether the packet belongs to an established data connection contained in the connection state table. If so, go directly to step 309; otherwise continue with step 302.
Steps 302 to 303: judge whether the packet is the first packet of a new data connection. If so, the firewall performs the security rule check and continues with step 304; otherwise go to step 308.
Under the TCP protocol, a series of packets with the same source IP address, destination IP address, source port and destination port belong to the same data connection. Packets whose source and destination IP addresses, and source and destination ports, are exactly swapped also belong to the same data connection. A new data connection refers to the first packet of each data connection received by the firewall.
Step 304: judge whether the received packet matches a security rule. If so, continue with step 305; otherwise go to step 308.
The security rule check is based on the packet's characteristics, such as source IP address, destination IP address, source port, destination port and protocol. If the packet information matches the matching characteristics configured in a security rule, the packet matches that security rule; otherwise it does not. In addition, a security rule also contains the processing method for the packet, such as whether the connection limiting function is enabled.
Step 305: judge whether the security rule matched by the packet has the connection limiting function enabled. If so, continue with step 306; otherwise go to step 309.
Connection rate limiting means that within any given measurement period, the number of new data connections with the same characteristics passing through the firewall cannot exceed the specified threshold. When the firewall finds that the connection rate exceeds the specified threshold, it begins to block new data connections from passing; the period of time from that moment during which the firewall keeps blocking new data connections is called the block period.
Steps 306 to 307: perform the connection rate limiting processing and judge, according to the information in the packet, whether the packet falls within the connection rate limit. If so, go to step 308; otherwise go to step 309.
Whether a packet falls within the connection rate limit is judged on the basis of the connection-limit resource. The connection-limit resource comprises configuration information such as the connection characteristics, the specified measurement period, the specified threshold, the block period, the connection limit type and the connection limit statistics mode. A connection rate that exceeds the specified threshold, and a data connection that falls within the block period, both count as falling within the connection rate limit.
Step 308: block the packet and end the process.
Step 309: allow the packet to pass and update the connection state table.
It can be seen from the above solution that if the connection limiting function rejects the packets of a data connection, no connection state table entry is established for that data connection, which preserves the firewall's resources for normal connection access.
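The following is an added example, not code from the patent, that walks a packet through the flow of Fig. 3 (steps 300 to 309) and through step a of the summary: a connection state table keyed on the 5-tuple, with both directions of a connection mapped to one key as the TCP paragraph above describes, a security rule check carrying the "connection limiting function enabled" flag, and a rate limiting hook consulted only for the first packet of a new connection. The `Packet`, `SecurityRule` and `Firewall` names, the use of a TCP SYN as the marker of a new connection, the simple counting limiter and the sample traffic are all assumptions.

```python
"""Added example: the packet-processing flow of Fig. 3 with a connection state table.
Names, packet layout, the SYN-as-first-packet rule and the sample traffic are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str              # "tcp" or "udp"
    syn_only: bool = False  # assumption: a TCP SYN without ACK is the first packet of a new connection


def flow_key(pkt):
    """Connection identity: the 5-tuple, normalised so that a packet and its reply
    (addresses and ports swapped) map to the same key."""
    a = (pkt.src_ip, pkt.src_port)
    b = (pkt.dst_ip, pkt.dst_port)
    return (pkt.proto,) + (a + b if a <= b else b + a)


@dataclass
class SecurityRule:
    src_ip: Optional[str] = None      # None means "any"
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None
    connection_limit: bool = False    # the rule's "connection limiting function enabled" flag

    def matches(self, pkt):
        return all(want is None or want == got for want, got in (
            (self.src_ip, pkt.src_ip), (self.dst_ip, pkt.dst_ip),
            (self.dst_port, pkt.dst_port), (self.proto, pkt.proto)))


class Firewall:
    def __init__(self, rules, over_limit):
        self.rules = rules
        self.over_limit = over_limit   # callable(pkt) -> True if the new connection falls within the limit
        self.state_table = set()       # keys of established connections

    def _allow(self, pkt):             # step 309: pass and record the connection
        self.state_table.add(flow_key(pkt))
        return "allow"

    def process(self, pkt):
        if flow_key(pkt) in self.state_table:      # steps 300-301: established connection
            return self._allow(pkt)
        if not pkt.syn_only:                        # steps 302-303: not the first packet of a new connection
            return "block"                          # step 308
        rule = next((r for r in self.rules if r.matches(pkt)), None)   # step 304
        if rule is None:
            return "block"
        if not rule.connection_limit:               # step 305: rule matched, limiting not enabled
            return self._allow(pkt)
        if self.over_limit(pkt):                    # steps 306-307: rate limiting decision
            return "block"                          # no state table entry for the rejected connection
        return self._allow(pkt)


def make_simple_limiter(threshold):
    """Minimal stand-in for the rate limiting processing: counts new connections per
    destination IP and reports 'over the limit' once the count exceeds the threshold
    (no measurement period or block period, which the full processing adds)."""
    counts = {}

    def over_limit(pkt):
        counts[pkt.dst_ip] = counts.get(pkt.dst_ip, 0) + 1
        return counts[pkt.dst_ip] > threshold
    return over_limit


def demo():
    """Constructed traffic: three new connections to 10.0.0.5:80 under a threshold of 2,
    a reply on the first connection, a later packet of the blocked third connection,
    and a connection that matches no rule."""
    rules = [SecurityRule(dst_ip="10.0.0.5", dst_port=80, proto="tcp", connection_limit=True)]
    fw = Firewall(rules, make_simple_limiter(2))
    verdicts = []
    for sport in (40001, 40002, 40003):
        verdicts.append(fw.process(Packet("203.0.113.9", "10.0.0.5", sport, 80, "tcp", syn_only=True)))
    verdicts.append(fw.process(Packet("10.0.0.5", "203.0.113.9", 80, 40001, "tcp")))        # reply, established
    verdicts.append(fw.process(Packet("203.0.113.9", "10.0.0.5", 40003, 80, "tcp")))        # blocked connection, no entry
    verdicts.append(fw.process(Packet("203.0.113.9", "10.0.0.6", 40004, 22, "tcp", syn_only=True)))  # no rule
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The third verdict is "block" although the rule matched, because the limiter is consulted after the rule check; the reply on the first connection is allowed by the state table alone without touching the rules or the limiter, and the later packet of the blocked connection is dropped at steps 302 to 303 because no state entry was ever created for it.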
In the above solution, the connection rate limiting processing of steps 306 to 307 is as shown in Fig. 4 and comprises the following steps:
Steps 401 to 402: judge, according to the received packet information, whether the new data connection matches the connection characteristics. If so, count the connection rate of the data connection and continue with step 403; otherwise go to step 407.
The connection characteristics comprise the packet's source IP address, destination IP address, destination port, etc. In the connection characteristics, the packet's source IP address and destination IP address may each be defined as a single IP address, an IP address range, or unrestricted. The packet's destination port may be defined as a single port or unrestricted. The connection rate is the number of data connections matching the connection characteristics that the firewall receives within the specified measurement period. Multiple packets of the same data connection are counted only once. The connection rate may be counted in shared mode or in exclusive mode.
Steps 403 to 404: judge whether the counted connection rate exceeds the specified threshold. If so, block the packet, start the block period and at the same time start a new measurement period; otherwise continue with step 405.
The block period is the period of time during which the firewall continues to block new data connections after finding that the connection rate exceeds the specified threshold. That is, when the firewall finds that the connection rate exceeds the threshold, it begins to block the packets of new data connections and at the same time starts timing the block period, until the block period expires. Blocking a packet is equivalent to discarding it.
In this embodiment, the firewall continues to monitor the connection rate during the block period; even if it finds that the connection rate no longer exceeds the threshold, new data connections are still blocked until the block period expires. Each time the counted connection rate reaches the specified threshold, a new measurement period is started and the connection rate is counted afresh. If, during the block period, the newly counted connection rate exceeds the specified threshold, a new block period and a new measurement period are started.
Steps 405 to 406: judge whether the data connection falls within the block period. If so, block the packet and end the process; otherwise go to step 408.
Step 407: allow the packet to pass.
In some embodiments, if no block period is configured in the connection-limit resource, the firewall continuously monitors the connection rate. When the connection rate exceeds the specified threshold, it begins to block the packets of new data connections and starts the next round of connection rate counting; when the counted connection rate falls below the specified threshold, it stops blocking, allows the packets of subsequent data connections to pass, and begins the next round of connection rate counting. In other words, this embodiment realises a dynamic block period.
In other embodiments, the firewall continuously monitors the connection rate: if it finds that the connection rate exceeds the threshold, it blocks the packets of new data connections; otherwise it allows them to pass. This embodiment can be said to realise real-time monitoring of access data by the firewall, ensuring that the access frequency of a protected host or service never exceeds the specified threshold at any moment. However, this embodiment in fact needs to monitor every instantaneous connection rate, is more complicated to implement, and consumes more of the firewall's system resources. Therefore, the embodiment shown in Fig. 4 is a preferred embodiment of the present invention.
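The following is an added example, not code from the patent, of the rate limiting processing of Fig. 4 (steps 401 to 407) and of the corresponding steps A and B of the summary: connections matching the characteristics are counted once each per measurement period; exceeding the threshold blocks the connection, starts the block period and restarts the measurement period; during the block period counting continues, and a second overrun restarts the block period. It also covers the embodiment with no configured block period, where blocking ends once a full measurement period stays below the threshold (that end-of-period reading of "when the counted rate falls below the threshold" is an assumption). Time is passed in explicitly so traces can be replayed; the `ConnectionLimit` and `RateLimiter` names, their fields and the sample traces are assumptions.

```python
"""Added example: the connection rate limiting of Fig. 4 with a fixed block period,
and the alternative 'dynamic block period' embodiment. Names and traces are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ConnectionLimit:
    dst_ip: Optional[str] = None           # connection characteristics; None means unrestricted
    src_ip: Optional[str] = None
    dst_port: Optional[int] = None
    period: float = 1.0                    # specified measurement period, seconds
    threshold: int = 3                     # specified threshold: new connections per period
    block_period: Optional[float] = 5.0    # None: no block period configured (dynamic embodiment)

    def matches(self, conn):
        """conn = (src_ip, dst_ip, dst_port); steps 401-402."""
        return all(want is None or want == got for want, got in (
            (self.src_ip, conn[0]), (self.dst_ip, conn[1]), (self.dst_port, conn[2])))


class RateLimiter:
    def __init__(self, limit):
        self.limit = limit
        self.period_start = 0.0
        self.seen = set()          # connections counted in the current measurement period (once each)
        self.block_until = None    # fixed mode: end of the current block period
        self.blocking = False      # dynamic mode: currently blocking

    def _new_period(self, now):
        self.period_start = now
        self.seen = set()

    def check(self, conn, now):
        """Decide on a NEW connection arriving at time `now`; returns 'allow' or 'block'."""
        if not self.limit.matches(conn):                      # step 407: characteristics not matched
            return "allow"
        if now - self.period_start >= self.limit.period:      # measurement period has elapsed
            # dynamic mode (assumption): a whole period below the threshold ends the blocking
            if self.limit.block_period is None and self.blocking and len(self.seen) < self.limit.threshold:
                self.blocking = False
            self._new_period(now)
        self.seen.add(conn)                                   # count this connection once
        if len(self.seen) > self.limit.threshold:             # steps 403-404: rate above threshold
            self._new_period(now)                             # new measurement period
            if self.limit.block_period is None:
                self.blocking = True                          # start blocking (dynamic)
            else:
                self.block_until = now + self.limit.block_period   # (re)start the block period
            return "block"
        if self.limit.block_period is None:
            return "block" if self.blocking else "allow"
        if self.block_until is not None and now < self.block_until:   # steps 405-406
            return "block"
        return "allow"


def demo_fixed():
    """Constructed trace: five new connections to 10.0.0.5 within 0.4 s, threshold 3,
    measurement period 1 s, block period 5 s."""
    rl = RateLimiter(ConnectionLimit(dst_ip="10.0.0.5", period=1.0, threshold=3, block_period=5.0))
    out = [rl.check(("203.0.113.%d" % i, "10.0.0.5", 80), t)
           for i, t in enumerate((0.0, 0.1, 0.2, 0.3, 0.4))]
    out.append(rl.check(("203.0.113.9", "10.0.0.5", 80), 2.0))   # still inside the block period
    out.append(rl.check(("203.0.113.9", "10.0.0.5", 80), 6.0))   # block period has expired
    out.append(rl.check(("203.0.113.9", "10.0.0.7", 80), 6.1))   # other destination: not limited
    return out


def demo_dynamic():
    """Same burst with no block period configured."""
    rl = RateLimiter(ConnectionLimit(dst_ip="10.0.0.5", period=1.0, threshold=3, block_period=None))
    out = [rl.check(("203.0.113.%d" % i, "10.0.0.5", 80), t)
           for i, t in enumerate((0.0, 0.1, 0.2, 0.3))]
    out.append(rl.check(("203.0.113.8", "10.0.0.5", 80), 0.5))   # same round: still blocking
    out.append(rl.check(("203.0.113.9", "10.0.0.5", 80), 1.5))   # previous round below threshold: allowed
    return out


if __name__ == "__main__":
    print(demo_fixed())
    print(demo_dynamic())
```

In the fixed trace the fourth connection trips the threshold, and the connection arriving at 2.0 s is dropped even though the new measurement period has counted only one connection, which is exactly the behaviour the embodiment describes; in the dynamic trace the same overrun is released at 1.5 s because the round that followed it stayed below the threshold.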
In the present invention, the connection-limit resource also comprises the configuration of the connection limit type and the connection limit statistics mode. The connection limit types comprise: protect host, protect service, restrict host and restrict service.
1) Protect host: within any given measurement period, the number of connections initiated by the hosts of the specified zone to the protected host cannot exceed the specified threshold. Once the number of connections exceeds the specified threshold, any further data connection initiated by a host of the specified zone to the protected host is blocked by the firewall until the block period expires, after which the hosts of the specified zone may again initiate connections to the protected host. For the protect host type of connection limit, the connection characteristic is the destination IP address.
2) Protect service: within any given measurement period, the number of connections initiated by the hosts of the specified zone to a specified service on the protected host cannot exceed the specified threshold. Once the number of connections exceeds the specified threshold, any further data connection initiated by a host of the specified zone to the specified service on the protected host is blocked by the firewall until the block period expires, after which the hosts of the specified zone may again initiate connections to the specified service on the protected host. Connections initiated by the hosts of the specified zone to other services on the protected host are not limited. For the protect service type of connection limit, the connection characteristics are the destination IP address and the destination port.
3) Restrict host: within any given measurement period, the number of connections initiated by a host of the specified zone to any host cannot exceed the specified threshold. Once the number of connections exceeds the specified threshold, any further data connection initiated by the host of the specified zone to any host is blocked by the firewall until the block period expires, after which the host of the specified zone may again initiate connections to any host. For the restrict host type of connection limit, the connection characteristic is the source IP address.
4) Restrict service: within any given measurement period, the number of connections initiated by a host of the specified zone to a specified service on any host cannot exceed the specified threshold. Once the number of connections exceeds the specified threshold, any further data connection initiated by the host of the specified zone to the specified service on any host is blocked by the firewall until the block period expires, after which the host of the specified zone may again initiate connections to the specified service on any host. Connections initiated by the host of the specified zone to other services on any host are not limited. For the restrict service type of connection limit, the connection characteristics are the source IP address and the destination port.
In practical applications, protect host and protect service are mainly used to protect intranet servers. When external machines access intranet servers, the firewall can set the frequency at which external access to the internal server is allowed, protecting the security of the internal server and rejecting malicious machines that attack the intranet. The difference between protect host and protect service is as follows: the protect host function protects all services on the specified host, so the protection takes effect as long as the address accessed from the external network is the address of the specified host; the protect service function protects a specified service on the specified host, such as an HTTP service or an FTP service, and takes effect when the external network accesses the specified service on the specified host.
Restrict host and restrict service are mainly control policies that need to be defined when an intranet host protected by the firewall accesses the external network. The difference between restrict host and restrict service is as follows: the restrict host function limits the frequency with which a particular internal host accesses the external network, and in practice can be used to limit the traffic of a particular host to the external network; the restrict service function limits the connections of a particular intranet host to a particular service on the external network, such as an intranet host accessing a WWW service or an FTP service. In practice, considering that worm viruses propagate through particular ports, if an intranet host protected by the firewall is attacked by a worm virus, enabling the restrict service function can reduce the spread of the virus from infected machines on the intranet to the outside.
In practice, any one of the above four types of connection limiting function may be enabled alone, several may be enabled at the same time, or all types may be enabled at the same time. In the latter cases, as long as any one connection rate exceeds the specified threshold, all data connections matching the connection characteristics of the corresponding type are blocked.
The connection limit statistics mode is the statistics mode adopted when counting the data connections that have the same connection characteristics. There are generally two connection limit statistics modes: shared mode and exclusive mode. For example, for the protect host type of connection limit, shared mode means that once the total number of connections from all hosts of the zone to the protected host exceeds the specified threshold, the connections of every host of the specified zone to the protected host are blocked until the block period expires; exclusive mode means that once the number of connections from a particular host of the zone to the protected host exceeds the specified threshold, that host's connections to the protected host are blocked until the block period expires, while counting continues for the other hosts of the zone. That is, the connections of each host to the protected host are counted separately and independently of each other. All four connection limit types may adopt either shared mode or exclusive mode.
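The following is an added example, not code from the patent, showing how the four connection limit types select the connection characteristic (destination IP, destination IP and port, source IP, or source IP and port), how shared and exclusive statistics modes differ in what they count, and how several enabled limits are combined so that any one overrun blocks the connection. Counting is confined to a single measurement period so the block period timing is left out; the enum strings, the `TypedLimit` class, the `targets` and `zone` parameters and the sample connections are assumptions.

```python
"""Added example: connection characteristics per limit type, shared versus exclusive
statistics, and several enabled limits combined. Names and sample data are assumptions."""
from collections import defaultdict

# Connection limit types and statistics modes (assumed enum values)
PROTECT_HOST, PROTECT_SERVICE = "protect_host", "protect_service"
RESTRICT_HOST, RESTRICT_SERVICE = "restrict_host", "restrict_service"
SHARED, EXCLUSIVE = "shared", "exclusive"


def connection_feature(conn, limit_type):
    """conn = (src_ip, dst_ip, dst_port, src_port). Returns the connection characteristic
    that the given limit type matches on, as defined for each type above."""
    src, dst, port, _ = conn
    return {PROTECT_HOST: (dst,), PROTECT_SERVICE: (dst, port),
            RESTRICT_HOST: (src,), RESTRICT_SERVICE: (src, port)}[limit_type]


def stat_key(conn, limit_type, mode):
    """Shared mode: one counter per characteristic for the whole zone.
    Exclusive mode: a separate counter per peer host (the initiating host for the
    protect types, the destination host for the restrict types)."""
    feature = connection_feature(conn, limit_type)
    if mode == SHARED:
        return feature
    peer = conn[0] if limit_type in (PROTECT_HOST, PROTECT_SERVICE) else conn[1]
    return feature + (peer,)


class TypedLimit:
    def __init__(self, limit_type, mode, threshold, targets, zone=None):
        self.limit_type, self.mode, self.threshold = limit_type, mode, threshold
        self.targets = targets            # set of characteristic values this limit applies to
        self.zone = zone                  # initiating hosts of the specified zone; None = any
        self.counts = defaultdict(set)    # stat_key -> connections counted this measurement period

    def exceeded(self, conn):
        """Count one new connection (each connection once) and report whether the rate
        for its statistics key is now above the threshold."""
        if connection_feature(conn, self.limit_type) not in self.targets:
            return False
        if self.zone is not None and conn[0] not in self.zone:
            return False
        bucket = self.counts[stat_key(conn, self.limit_type, self.mode)]
        bucket.add(conn)
        return len(bucket) > self.threshold


def decide(limits, conn):
    """Several limit types enabled at once: every limit counts the connection,
    and the connection is blocked if any one of them is exceeded."""
    results = [limit.exceeded(conn) for limit in limits]
    return "block" if any(results) else "allow"


def run(make_limits, trace):
    limits = make_limits()   # fresh counters for each run
    return [decide(limits, conn) for conn in trace]


def demo():
    """Constructed traffic: two zone hosts and one outside host connecting to 10.0.0.5,
    then an intranet host 192.168.1.10 opening outbound connections."""
    zone = {"203.0.113.1", "203.0.113.2"}
    shared = lambda: [TypedLimit(PROTECT_HOST, SHARED, 2, {("10.0.0.5",)}, zone)]
    exclusive = lambda: [TypedLimit(PROTECT_SERVICE, EXCLUSIVE, 2, {("10.0.0.5", 80)}, zone)]
    restrict = lambda: [TypedLimit(RESTRICT_SERVICE, SHARED, 1, {("192.168.1.10", 445)})]
    inbound = [("203.0.113.1", "10.0.0.5", 80, 1000),
               ("203.0.113.2", "10.0.0.5", 80, 1001),
               ("203.0.113.1", "10.0.0.5", 80, 1002),
               ("198.51.100.7", "10.0.0.5", 80, 1003),   # not in the zone
               ("203.0.113.1", "10.0.0.5", 80, 1004),
               ("203.0.113.2", "10.0.0.5", 80, 1005)]
    outbound = [("192.168.1.10", "198.51.100.1", 445, 2000),
                ("192.168.1.10", "198.51.100.2", 445, 2001),
                ("192.168.1.10", "198.51.100.3", 80, 2002)]   # other service: not limited
    return {"shared": run(shared, inbound),
            "exclusive": run(exclusive, inbound),
            "both": run(lambda: shared() + exclusive(), inbound),
            "restrict": run(restrict, outbound)}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

In shared mode the two zone hosts draw on one budget of two connections, so the third connection from either is blocked; in exclusive mode each host has its own budget, so host 203.0.113.1 is blocked only on its own third connection while 203.0.113.2 is unaffected. The outside host is never counted, and the restrict service limit leaves the connection to port 80 alone.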
Some specific examples are described below.
As shown in Fig. 5, when the protect host function is not enabled on the firewall, any host on the Internet can access intranet host A at will as long as the firewall security rules allow it. If a host on the Internet mounts a malicious attack on host A, host A may be paralysed once the number of accesses from that host exceeds a certain limit. If the connection limiting function protecting host A is enabled on the firewall, with the connection characteristic set to the IP address of host A, then once the connection rate at which Internet hosts access intranet host A exceeds the specified threshold of the connection limit, the packets sent by those Internet hosts are blocked by the firewall and cannot threaten the security of host A.
As shown in Fig. 5, when the protect service function is not enabled on the firewall, any host on the Internet can access the services on host A at will as long as the firewall security rules allow it. If a host on the Internet mounts a malicious attack on host A, it consumes the resources of host A and at the same time consumes the session resources of the firewall, which affects the normal access of other hosts to the web service on host A and in serious cases can even paralyse host A. If protection of the web service on host A is enabled on the firewall, with the connection characteristics set to the IP address of host A and the port corresponding to the web service, then once the connection rate at which Internet hosts access the web service of intranet host A exceeds the specified threshold of the connection limit, their access packets are blocked by the firewall; they cannot threaten the security of host A and do not consume too many firewall resources, so normal connection access is guaranteed.
As shown in Fig. 6, when the restrict host function is not enabled on the firewall, intranet machines can access Internet resources at will. In real network use it is often found that the network becomes slow or connections become intermittent, which is caused by one or more hosts on the customer's internal network being infected by a network worm. Suppose the machines of workgroup A are infected by a worm virus; the machines of workgroup A then send out a large number of packets and consume a large amount of network resources. If the restrict host function is enabled on the firewall to restrict workgroup A, with the connection characteristic set to the IP addresses of all machines of workgroup A, the worm packets sent by the machines of workgroup A are blocked by the firewall, ensuring that the virus cannot spread on a large scale.
In summary, the above are only preferred embodiments of the present invention and are not intended to limit the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.