CN203800957U - Network Smurf attack characteristic instant defense circuit based on FPGA


Info

Publication number
CN203800957U
Authority
CN
China
Legal status
Expired - Lifetime
Application number
CN201320509543.7U
Other languages
Chinese (zh)
Inventor
鲍兴川
林为民
余勇
郭经红
张小建
蒋诚智
郭骞
曹宛恬
石聪聪
李尼格
范杰
冯谷
高鹏
Current Assignee
State Grid Corp of China SGCC
China Electric Power Research Institute Co Ltd CEPRI
Original Assignee
State Grid Corp of China SGCC
China Electric Power Research Institute Co Ltd CEPRI
Priority date
2013-08-20
Filing date
2013-08-20
Publication date
2014-08-27

Abstract

The utility model provides an FPGA-based network Smurf attack characteristic instant defense circuit. The defense circuit is arranged between the data link layer and the data physical layer of an Ethernet interface. Register circuits and logic circuits are connected in sequence between a dual-channel nibble counter/controller and FIFO buffers. An outbound FIFO buffer and an inbound FIFO buffer are connected between the MAC circuit and the PHY circuit through MII interfaces. The dual-channel nibble counter/controller counts the nibbles of a network message in order to latch the registers, and enables and disables an outbound logic circuit and an inbound logic circuit. The outbound logic circuit and the inbound logic circuit control the FIFO buffers that transmit packets to the external network and to the CPU. Compared with prior-art products, the FPGA-based network Smurf attack characteristic instant defense circuit is realized purely in hardware, has high real-time performance and flexibility, occupies no CPU resources or actual network bandwidth, and has high stability.

Description

Network Smurf attack characteristic instant defense circuit based on FPGA
Technical field
The utility model relates to a network attack defense circuit, and specifically to an FPGA-based network Smurf attack characteristic instant defense circuit.
Background art
With the rapid development of the Internet, the electric power system has become increasingly dependent on communication networks, and the next-generation smart grid in particular faces new challenges in communication network information security. Because of security flaws in the network itself (particularly the TCP/IP protocol suite), the various denial-of-service (DoS) attacks cannot be eliminated. Among them, the Smurf attack, with its wide firing range, strong concealment and simple effectiveness, has become one of the most common forms of network attack. It seriously threatens the safety of the electric power communication network, greatly affects the safe, stable, economical and high-quality operation of the electric power system, and hinders the implementation of the smart grid.
At present, the defense of communication networks against Smurf attacks relies mainly on pure-software firewalls and on firewall devices built from a dedicated chip plus a CPU, and both have drawbacks: a pure-software firewall consumes CPU resources and suffers from problems such as low effective network bandwidth, which become particularly serious while under attack; a dedicated-chip-plus-CPU firewall device is costly and inflexible, requires additional equipment, and the management part of the device is itself easily subject to various attacks. There is an urgent need for a defense circuit against network physical-layer Smurf attacks that is based on a hardware circuit, consumes no CPU resources and preserves the actual network interface bandwidth.
Summary of the utility model
To meet the needs of the prior art, the utility model provides an FPGA-based network Smurf attack characteristic instant defense circuit. The defense circuit is arranged between the data link layer and the data physical layer of an Ethernet interface. An outbound register circuit and an outbound logic circuit are connected in sequence between a counter/controller and an outbound FIFO buffer; an inbound register circuit and an inbound logic circuit are connected in sequence between the counter/controller and an inbound FIFO buffer; the outbound FIFO buffer and the inbound FIFO buffer are connected between a MAC circuit and a PHY circuit through an MII interface.
The counter/controller latches the registers according to its nibble count of the network message, thereby controlling the output levels of the outbound register circuit and the inbound register circuit; the counter/controller controls the enabling and disabling of the outbound logic circuit and the inbound logic circuit. The outbound FIFO buffer buffers the packets sent by the CPU, and the outbound logic circuit controls whether the outbound FIFO buffer transmits the packet to the external network; the inbound FIFO buffer buffers the packets sent by the external network to the CPU, and the inbound logic circuit controls whether the inbound FIFO buffer transmits the packet to the CPU.
Preferably, the counter/controller is a dual-channel nibble counter/controller.
Preferably, the outbound register circuit comprises a clock counter and, each connected to a digital comparator, a message type register, a source IP address register, an IP message type register, a fragment flag register, an ICMP message type register, a destination IP address register and a backup destination IP address register; the number of digital comparators is 6; the destination IP address register and the backup destination IP address register are connected to the two inputs of one of the digital comparators.
The inbound register circuit comprises, each connected to a digital comparator, a message type register, an IP message type register, an ICMP message type register and an ICMP message code register.
Preferably, the outbound logic circuit comprises an OR circuit, a gate array circuit and an OR gate output circuit.
The inputs of the OR circuit are connected to the digital comparator at the output of the destination IP address register and to the clock counter; the inputs of the gate array circuit are connected to the digital comparators at the outputs of the source IP address register, the IP message type register, the fragment flag register and the ICMP message type register, and to the output of the OR circuit; the inputs of the OR gate output circuit are connected to the digital comparator at the output of the message type register and to the output of the gate array circuit; the output of the OR gate output circuit is connected to the outbound FIFO buffer.
Preferably, the inbound logic circuit comprises a gate array circuit and an OR gate output circuit.
The inputs of the gate array circuit are connected to the digital comparators at the outputs of the IP message type register, the ICMP message type register and the ICMP message code register; the inputs of the OR gate output circuit are connected to the digital comparator at the output of the message type register and to the output of the gate array circuit; the output of the OR gate output circuit is connected to the inbound FIFO buffer.
Compared with the prior art, the beneficial effects of the utility model are:
1. In the technical solution of the utility model, the defense circuit is arranged between the data link layer and the data physical layer of the Ethernet interface and is connected through the MII interface to the MAC circuit chip and the PHY chip respectively, realizing hardware-level instant defense against the network Smurf attack characteristic;
2. In the technical solution of the utility model, an FPGA is used to realize the network Smurf attack characteristic instant defense, so detection and filtering are fast and no CPU resources or network interface bandwidth are consumed;
3. In the technical solution of the utility model, using an FPGA to realize the network Smurf attack characteristic instant defense improves the flexibility of the defense circuit and reduces system cost;
4. The FPGA-based network Smurf attack characteristic instant defense circuit provided by the utility model has high stability, can be integrated into an Ethernet MAC circuit chip, and has high promotion and application value.
Description of the drawings
The utility model is further illustrated below with reference to the accompanying drawings.
Fig. 1 is the topology diagram of the FPGA-based network Smurf attack characteristic instant defense circuit provided by the utility model;
Fig. 2 is the circuit schematic of the FPGA-based network Smurf attack characteristic instant defense circuit provided by the utility model.
Embodiment
The technical solution in the embodiment of the application is described clearly and completely below with reference to the accompanying drawings of that embodiment.
Fig. 1 shows the topology of an FPGA-based network Smurf attack characteristic instant defense circuit provided by the utility model. The defense circuit comprises a dual-channel nibble counter/controller, an outbound register circuit, an inbound register circuit, an outbound logic circuit, an inbound logic circuit, an outbound FIFO buffer, an inbound FIFO buffer and an MII interface. The defense circuit is arranged between the data link layer and the data physical layer of the Ethernet interface. The outbound register circuit and the outbound logic circuit are connected in sequence between the counter/controller and the outbound FIFO buffer; the inbound register circuit and the inbound logic circuit are connected in sequence between the dual-channel nibble counter/controller and the inbound FIFO buffer; the outbound FIFO buffer and the inbound FIFO buffer are connected between the MAC circuit and the PHY circuit through the MII interface. The dual-channel nibble counter/controller counts the nibbles of the network message and sends a latch control signal to the corresponding register, thereby controlling the output levels of the outbound register circuit and the inbound register circuit; the dual-channel nibble counter/controller controls the enabling and disabling of the outbound logic circuit and the inbound logic circuit. The outbound FIFO buffer buffers the packets sent by the CPU, and the outbound logic circuit controls the outbound FIFO buffer to transmit the packet to the external network; the inbound FIFO buffer buffers the packets sent by the external network to the CPU, and the inbound logic circuit controls the inbound FIFO buffer to transmit the packet to the CPU.
Fig. 2 shows the circuit schematic of an FPGA-based network Smurf attack characteristic instant defense circuit provided by the utility model.
The outbound register circuit comprises a clock counter and, each connected to a digital comparator, a message type register, a source IP address register, an IP message type register, a fragment flag register, an ICMP message type register, a destination IP address register and a backup destination IP address register; the number of digital comparators in the outbound register circuit is 6; the destination IP address register and the backup destination IP address register are connected to the two inputs of the same digital comparator. The inbound register circuit comprises, each connected to a digital comparator, a message type register, an IP message type register, an ICMP message type register and an ICMP message code register.
The outbound logic circuit comprises an OR circuit, a gate array circuit and an OR gate output circuit. The inputs of the OR circuit are connected to the digital comparator at the output of the destination IP address register and to the clock counter; the inputs of the gate array circuit are connected to the digital comparators at the outputs of the source IP address register, the IP message type register, the fragment flag register and the ICMP message type register, and to the output of the OR circuit; the inputs of the OR gate output circuit are connected to the digital comparator at the output of the message type register and to the output of the gate array circuit; the output of the OR gate output circuit is connected to the MII interface.
The inbound logic circuit comprises a gate array circuit and an OR gate output circuit. The inputs of the gate array circuit are connected to the digital comparators at the outputs of the IP message type register, the ICMP message type register and the ICMP message code register; the inputs of the OR gate output circuit are connected to the digital comparator at the output of the message type register and to the output of the gate array circuit; the output of the OR gate output circuit is connected to the MII interface.
The dual-channel nibble counter/controller controls the enabling and disabling of the gate array circuits and the OR gate output circuits.
The working process of the FPGA-based network Smurf attack characteristic instant defense circuit provided by the utility model is as follows:
The dual-channel nibble counter/controller starts the defense circuit upon receiving a message transmit signal or a message receive signal. It distributes the fields of the packet sent by the CPU or by the external network to the registers of the outbound register circuit or the inbound register circuit for latching; the digital comparators compare the registers against the characteristic value encodings; the outbound logic circuit controls whether the outbound FIFO buffer transmits the packet to the external network or discards it; the inbound logic circuit controls whether the inbound FIFO buffer transmits the packet to the CPU or discards it.
(1) When the CPU is not sending a packet to the external network, TX_EN on the MII interface is low and the dual-channel nibble counter/controller is cleared. When the CPU sends a packet to the external network, TX_EN on the MII interface goes high, and the dual-channel nibble counter/controller, driven by TX_CLK, starts counting the nibbles of the packet's network message and latches in turn the message type register, the message fragment flag register, the IP message type register, the source IP address register, the destination IP address register and the ICMP message type register.
The digital comparators compare these registers numerically with the characteristic value encodings, thereby judging whether the packet is an IP message, an ICMP message, a fragmented message and a request message; in this embodiment the packet must not be a fragmented message. The output level of the digital comparator of the destination IP address register and the backup destination IP address register is ORed with the 10 ms clock pulse level output by the clock counter, to ensure that the destination IP address of a network packet within 10 ms is not equal to the destination IP address of the previous packet, which prevents the continuous packets of a Smurf attack.
(2) When the external network is not sending a packet to the CPU, RX_EN on the MII interface is low and the dual-channel nibble counter/controller does not operate. When the external network sends a packet to the CPU, RX_EN on the MII interface goes high, and the dual-channel nibble counter/controller, driven by RX_CLK, starts counting the nibbles of the packet's network message and latches in turn the message type register, the IP message type register, the ICMP message type register and the ICMP message code register.
The digital comparators compare these registers numerically with the characteristic value encodings, thereby judging whether the packet is an IP message, an ICMP message, a destination unreachable message and a port unreachable message.
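As an added illustration of the working process in steps (1) and (2), not code from the patent or its applicants, the following Python model walks a constructed Ethernet/IPv4/ICMP frame nibble by nibble, latches the named registers at fixed nibble counts, and applies the comparator and 10 ms window logic in software. The page does not say what the source IP address register is compared against nor the exact polarity of the gate arrays, so the model assumes the source must equal the host's own address (OWN_IP, a constructed value) and that matching inbound port-unreachable messages are dropped; both are assumptions, as are the fixed header offsets (IHL = 5).

```python
import struct

# Constants the digital comparators hold ("characteristic value encodings")
ETHERTYPE_IP = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8
ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH = 3
WINDOW_US = 10_000        # the 10 ms clock-counter window from step (1)
OWN_IP = 0x0A000001       # assumption: host address 10.0.0.1 (not on the page)

# Nibble counts at which each register is latched, for an Ethernet II frame
# with a 20-byte IPv4 header (fixed counts imply IHL=5, as hardware would).
FIELDS = {  # name: (first nibble, number of nibbles)
    "msg_type": (24, 4),   # EtherType
    "frag": (40, 4),       # IP flags + fragment offset
    "ip_type": (46, 2),    # IP protocol
    "src": (52, 8),
    "dst": (60, 8),
    "icmp_type": (68, 2),
    "icmp_code": (70, 2),
}


def latch_registers(frame: bytes) -> dict:
    """Walk the frame nibble by nibble and latch each register at its count."""
    nibbles = [n for b in frame for n in (b >> 4, b & 0x0F)]
    regs = {}
    for name, (off, cnt) in FIELDS.items():
        value = 0
        for n in nibbles[off:off + cnt]:
            value = (value << 4) | n
        regs[name] = value
    return regs


class EgressFilter:
    """Outbound path (CPU -> network), step (1): the backup destination
    register plus the 10 ms window stops a burst of echo requests to one
    destination; fragmented echo requests are refused in the embodiment."""

    def __init__(self):
        self.backup_dst = None       # backup destination IP address register
        self.latched_at_us = None    # when the clock counter was restarted

    def forward(self, frame: bytes, now_us: int) -> bool:
        r = latch_registers(frame)
        if r["msg_type"] != ETHERTYPE_IP:       # non-IP passes via the OR gate
            return True
        if r["ip_type"] != IPPROTO_ICMP or r["icmp_type"] != ICMP_ECHO_REQUEST:
            return True                         # only echo requests are checked
        fragmented = (r["frag"] & 0x3FFF) != 0  # MF bit or non-zero offset
        spoofed = r["src"] != OWN_IP            # assumed meaning of src comparator
        # OR of "destination differs" and "10 ms pulse elapsed": a repeat of
        # the previous destination inside the window is the Smurf burst pattern
        expired = (self.latched_at_us is None
                   or now_us - self.latched_at_us >= WINDOW_US)
        repeat = r["dst"] == self.backup_dst and not expired
        self.backup_dst, self.latched_at_us = r["dst"], now_us
        return not (fragmented or spoofed or repeat)


def ingress_forward(frame: bytes) -> bool:
    """Inbound path (network -> CPU), step (2): matches the IP / ICMP /
    destination-unreachable / port-unreachable pattern; dropping such a
    packet is the assumed action of the inbound logic circuit."""
    r = latch_registers(frame)
    if r["msg_type"] != ETHERTYPE_IP or r["ip_type"] != IPPROTO_ICMP:
        return True
    return not (r["icmp_type"] == ICMP_DEST_UNREACH
                and r["icmp_code"] == ICMP_PORT_UNREACH)


def build_frame(src: int, dst: int, icmp_type: int, icmp_code: int = 0,
                frag: int = 0) -> bytes:
    """Constructed Ethernet/IPv4/ICMP frame used as sample input."""
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 1, 1)
    ip = struct.pack("!BBHHHBBHII", 0x45, 0, 20 + len(icmp), 0, frag,
                     64, IPPROTO_ICMP, 0, src, dst)
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IP) + ip + icmp


if __name__ == "__main__":
    egress = EgressFilter()
    burst = build_frame(OWN_IP, 0xC0A80101, ICMP_ECHO_REQUEST)
    print([egress.forward(burst, t) for t in (0, 2_000, 4_000, 15_000)])
```

The timestamps passed to `forward` stand in for the clock counter; in the circuit the same comparison happens on the TX_CLK nibble stream with no CPU involvement.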
Finally, it should be noted that the described embodiment is only a part of the embodiments of the application, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments in the application, without creative work, fall within the scope of protection of the application.

Claims (5)

1. An FPGA-based network Smurf attack characteristic instant defense circuit, characterized in that the defense circuit is arranged between the data link layer and the data physical layer of an Ethernet interface; an outbound register circuit and an outbound logic circuit are connected in sequence between a counter/controller and an outbound FIFO buffer; an inbound register circuit and an inbound logic circuit are connected in sequence between the counter/controller and an inbound FIFO buffer; the outbound FIFO buffer and the inbound FIFO buffer are connected between a MAC circuit and a PHY circuit through an MII interface;
the counter/controller latches the registers according to its nibble count of the network message, thereby controlling the output levels of the outbound register circuit and the inbound register circuit; the counter/controller controls the enabling and disabling of the outbound logic circuit and the inbound logic circuit; the outbound FIFO buffer buffers the packets sent by the CPU, and the outbound logic circuit controls the outbound FIFO buffer to transmit the packet to the external network; the inbound FIFO buffer buffers the packets sent by the external network to the CPU, and the inbound logic circuit controls the inbound FIFO buffer to transmit the packet to the CPU.
2. The FPGA-based network Smurf attack characteristic instant defense circuit according to claim 1, characterized in that the counter/controller is a dual-channel nibble counter/controller.
3. The FPGA-based network Smurf attack characteristic instant defense circuit according to claim 1, characterized in that the outbound register circuit comprises a clock counter and, each connected to a digital comparator, a message type register, a source IP address register, an IP message type register, a fragment flag register, an ICMP message type register, a destination IP address register and a backup destination IP address register; the number of digital comparators is 6; the destination IP address register and the backup destination IP address register are connected to the two inputs of one of the digital comparators;
the inbound register circuit comprises, each connected to a digital comparator, a message type register, an IP message type register, an ICMP message type register and an ICMP message code register.
4. The FPGA-based network Smurf attack characteristic instant defense circuit according to claim 1 or 3, characterized in that the outbound logic circuit comprises an OR circuit, a gate array circuit and an OR gate output circuit;
the inputs of the OR circuit are connected to the digital comparator at the output of the destination IP address register and to the clock counter; the inputs of the gate array circuit are connected to the digital comparators at the outputs of the source IP address register, the IP message type register, the fragment flag register and the ICMP message type register, and to the output of the OR circuit; the inputs of the OR gate output circuit are connected to the digital comparator at the output of the message type register and to the output of the gate array circuit; the output of the OR gate output circuit is connected to the outbound FIFO buffer.
5. The FPGA-based network Smurf attack characteristic instant defense circuit according to claim 1 or 3, characterized in that the inbound logic circuit comprises a gate array circuit and an OR gate output circuit;
the inputs of the gate array circuit are connected to the digital comparators at the outputs of the IP message type register, the ICMP message type register and the ICMP message code register; the inputs of the OR gate output circuit are connected to the digital comparator at the output of the message type register and to the output of the gate array circuit; the output of the OR gate output circuit is connected to the inbound FIFO buffer.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201320509543.7U CN203800957U (en) 2013-08-20 2013-08-20 Network Smurf attack characteristic instant defense circuit based on FPGA

Publications (1)

Publication Number Publication Date
CN203800957U (en) 2014-08-27

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105634957A (en) * 2016-01-29 2016-06-01 广东顺德中山大学卡内基梅隆大学国际联合研究院 Ethernet MAC (Media Access Control) sublayer controller and control method thereof
CN108540982A (en) * 2017-03-06 2018-09-14 上海诺基亚贝尔股份有限公司 Communication means and equipment for virtual base station
CN108540982B (en) * 2017-03-06 2021-10-22 上海诺基亚贝尔股份有限公司 Communication method and device for virtual base station
CN108427894A (en) * 2018-03-27 2018-08-21 中国农业银行股份有限公司 A kind of data communications method and device
CN108427894B (en) * 2018-03-27 2021-03-09 中国农业银行股份有限公司 Data communication method and device

Legal Events

Date Code Title Description
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term

Granted publication date: 20140827