KR100656348B1 - Apparatus and method for controlling bandwidth using token bucket - Google Patents

Abstract

The present invention relates to a bandwidth control method and a bandwidth control device using a token bucket, and to a reconfigurable bandwidth control device using a token bucket corresponding to suspicious traffic and bandwidth exhaustion attacks using a large amount of bandwidth in a network environment It is about. To this end, the present invention performs bandwidth control in a double token bucket stack composed of a normal bucket and a burst bucket to which the initial number of tokens corresponding to the size of the basic bandwidth and the additional control bandwidth are allocated, and sequentially the tokens of the normal bucket and the burst bucket are sequentially Subtract the number of tokens corresponding to the size of the input packet from the number of tokens in the double token bucket stack being used, and if the number of tokens remaining in the double token bucket stack is negative, discard the packet and recall the number of tokens remaining in the double token bucket stack. The packet is transmitted when the number of tokens in the burst bucket is larger than the initial token number, and when the number of tokens remaining in the double token bucket stack is smaller than the number of tokens in the burst bucket, the packet is transmitted and an alert message is transmitted to the user.

Token bucket, bandwidth control,

Description

Bandwidth control method and bandwidth control device using token bucket {Apparatus and method for controlling bandwidth using token bucket}

FIG. 1 shows the preparation of a DDoS attack and the transmission of Flood traffic 110 which is actual DDoS attack traffic.

2 shows a configuration of a network infringement response card.

3 is a security policy table for packet blocking and bandwidth control recorded in the TCAM.

4 shows a double token bucket mechanism in a stack data structure.

5 is a structural diagram of a stack-type memory using a double token bucket.

6 illustrates a token bucket filling process.

7 is a flowchart of a token bucket filling process.

8 is a flowchart for determining whether an input packet corresponds to a bandwidth control rule.

9 shows a bandwidth control flow chart according to the input of a packet.

10 illustrates a bandwidth control test environment of a gateway device equipped with a security card using IXIA for implementing the bandwidth control method of the present invention.

11 illustrates excessive traffic control by bandwidth control.

In the present invention, in order to control traffic for suspicious traffic using a large amount of bandwidth in a low speed network environment and a high speed network environment, or to control traffic for the purpose of Policng / Shapng in QoS, the bandwidth of traffic per flow using hardware The present invention relates to a reconfigurable bandwidth control apparatus using a token bucket and a method thereof so as to control the control.

While the interest in the Internet is increasing due to the use of useful information and the use of multimedia through the Internet, attacks such as extracting and altering other people's information without permission and preventing the provision of services by competitors are increasing by exploiting it. . In addition, blind attacks targeting an unspecified majority are also increasing.

Distributed Denial of Service (DDoS) attacks on Web sites such as Yahoo and eBay, as well as reports of damages, show that systems that are open to the Internet are very vulnerable to DDoS attacks.

DDoS attacks send a large amount of packets to a target system or target network that targets the attack in a very short time, leading to a temporary interruption in service or inability to maintain a smooth service.

The principles of operation of distributed denial of service attacks, types of attacks, and limitations of existing network and security equipment to minimize such attacks are as follows.

1. Distributed Denial of Service Attacks

Denial of Service (DoS) attacks began to be classified as attacks in the late 1990s, beginning with attacks on one target system at one source address. However, it has recently evolved into an N-N relationship, that is, a distributed denial of service attack.

DDoS is an attack that exploits the structural vulnerabilities of the Internet and is a series of network attacks that, in severe cases, cause paralysis of normal services for hours or even days.

Agencies or companies that have been subjected to such distributed denial-of-service attacks can cause enormous damage, severely deteriorating the credibility of the institution or company, and causing the worst consequences of direct or indirect damage compensation.

DDoS attacks delay the system itself by sending huge amounts of arbitrarily manipulated aggressive traffic to servers (web servers, DNS servers, etc.) and network equipment (routers, firewalls, etc.) operated by the enterprise for customer service. The goal is to create a Denial of Service situation where customers cannot use the services of a company.

Recently, in the form of an attack paralyzing a network to prevent service by attacking a web site or a server for a service, an Internet infrastructure itself is directly attacked by directly attacking an Internet service provider's core routers and DNS servers. It is developing into a form that completely paralyzes.

2. Working principle of DDoS attack

The TCP / IP protocol, the Internet standard, has a weakness in structured security. Any Internet user can use the TCP / IP protocol to send arbitrary data packets to the destination IP with the sender's IP address.

DDoS attacks take the form of attacking Victim Systems using hundreds or thousands of Zombi. Many of these zombies turn from victims to offenders at the same time as the attack orders fall, attacking the target system all at once. Numerous Zombi generate traffic volume of indiscriminate attack generated by each of them to create service outage.

FIG. 1 shows the preparation of a DDoS attack and the transmission of Flood traffic 110 which is actual DDoS attack traffic. The attacker 100 connects to the master 120 using telnet or an encrypted dedicated client program and transmits an attack command. Then, the master 120 receives the attack command again gives an attack command to the agent 130 belonging to the agent, and the agents 130 attempt to exhaust the bandwidth at the same time toward Victim.

3. Types of DDoS Attacks

DDoS attacks basically come in two forms:

1) Bandwidth Attacks

This type of attack sends huge amounts of packets, using both network bandwidth and the resources of the device itself. Major devices such as routers, servers, and firewalls have limited processing capacity, so if this type of attack is exceeded, the network will not be able to handle normal service or the device itself will be inoperable. Can cause.

A typical attack of this type is a packet overflow attack, which sends a large amount of normally visible TCP, UDP, and ICMP packets to a specific destination. In addition, it is not easy to detect an attack by spoofing the sender's address.

2) Application Attacks

This type of attack uses protocols such as TCP and HTTP to send request packets with specific reactions, exhausting the computational resources of the system, making normal service requests and processing impossible.

4. Limitations of Existing Networks and Security Equipment

The main reason why it is difficult to cope with DDoS attacks is that it is difficult to detect DDoS attacks because it is very difficult to accurately distinguish abnormal attack packets sent by hackers and normal service request packets sent by customers.

Also, even if the detection is accurate, the filtering itself through the router or firewall often dies. As a countermeasure against such a .DDoS attack, the following techniques are applied, but the complete solution is insufficient.

BlackHoling

Black hole technology is a method of registering all the traffic transmitted from a router to a specific destination (Victim) in a forwarding information base (FIB) table and sending it to a traffic discarding site called a null interface. However, this method is not a solution because all traffic including normal packets as well as malicious packets sent to the destination are destroyed.

SinkHoling

Sinkhole technology is a technology that transmits packet data to a specific machine capable of analyzing traffic by manipulating a forwarding information base (FIB) for all traffic transmitted from a router to a specific destination. Through this, it is possible to detect the harmfulness of a large number of abnormal attack traffic. However, these attacks have limitations that cannot provide real-time response.

Router

Routers provide filtering using access control lists (ACLs), which are difficult to defend against today's advanced DDoS attacks.

First, routers can defend against some simple DDoS attacks that are not necessary for Internet communications, such as ping attacks, through filtering mechanisms. However, the recent DDoS attack uses the most basic and essential protocol to use the Internet, so it is impossible to use the method of filtering all the specific protocols themselves.

Second, uRPF-based defenses are recommended for spoofed attacks, but there are limits to the actual implementation.

Third, the ACL function of the router has a limitation that it is difficult to be effective against application layer attacks such as HTTP error and HTTP half-open connection attack regardless of whether the source is spoofed.

◆ Firewall

Firewalls have some limitations.

First, since the firewall is located in-line of the network traffic flow path, if the firewall itself is targeted for attack and down by a large amount of attack traffic, all traffic passing through the firewall is cut off. The network may be paralyzed.

Second, even if the firewall can detect abnormal behavior accurately, attacks from spoofed sources are difficult to defend against because they lack the ability to distinguish whether or not they are normal for individual packets.

Intrusion Detection System (IDS)

First, IDS, which relies only on the existing signature method, is difficult to defend against the modified type of attack disguised as a normal packet without the corresponding attack signature.

Second, IDS's biggest limitation as a means of defending against DDoS attacks is that it only detects attacks and does not provide any means to defend against them. IDS should be used in a way that complements and integrates with effective defense solutions.

Manual Response

If a person defends himself by hand, the response may be too partial and immediate response difficult. The typical first response to a DDoS attack is to contact the ISP and ask for the source. Spoofed addresses require complex and lengthy work that many ISPs have to work with to verify. Also, even if the source is known, blocking it means that it blocks all traffic, so there are advantages and disadvantages.

Load Balancing

Lastly, load balancing, redundancy, and triplet are used to enhance the bandwidth and performance of the network to handle even larger traffic. This method is intended to serve a large amount of traffic somehow, but may eventually lead to a situation in which more traffic is not available.

In order to solve the above-mentioned problems, the present invention provides a high-quality control system for bandwidth depletion attacks in the form of blind attacks, which respond to suspicious traffic using a large amount of bandwidth in a network environment and randomly generate a large amount of packets on the Internet. The present invention relates to a reconfigurable bandwidth control apparatus using a token bucket and to a method for providing an internet service.

In order to achieve the above technical problem, the bandwidth control method according to an embodiment of the present invention is the normal bucket and the additional control bandwidth portion of the basic bandwidth portion to which the initial number of tokens corresponding to the size of each of the basic bandwidth and the additional control bandwidth is allocated A method of performing bandwidth control in a double token bucket stack composed of burst buckets of (a) corresponds to the size of an input packet in the number of tokens of the double token bucket stack sequentially using the tokens of the normal bucket and the burst bucket. Subtracting the number of tokens to be made; (b) discarding the packet if the number of tokens remaining in the double token bucket stack is negative; (c) transmitting a packet when the number of tokens remaining in the double token bucket stack is greater than the initial token number in the burst bucket; And (d) transmitting a packet and transmitting an alert message to a user when the number of tokens remaining in the double token bucket stack is smaller than the initial token number in the burst bucket.

According to another exemplary embodiment of the present invention, a preferred bandwidth control device includes a double token bucket including a normal bucket to which an initial number of tokens corresponding to the base bandwidth is allocated and a burst bucket to which an initial number of tokens corresponding to the additional control bandwidth is allocated. stack; A token removing unit which subtracts the number of tokens corresponding to the size of an input packet from the number of tokens of the double token bucket stack using the tokens of the normal bucket and the burst bucket sequentially; A determination unit for determining whether the number of tokens remaining in the double token bucket stack is negative; and discarding the packet if the number of tokens remaining in the double token bucket stack is negative; otherwise, the token remaining in the double token bucket stack A counter for transmitting a packet when the number is greater than the initial token number in the burst bucket, and performing a packet transmission and a warning message transmission when the number of tokens remaining in the double token bucket stack is smaller than the initial token number in the burst bucket. It is characterized by.

Preferred bandwidth control apparatus according to another embodiment of the present invention comprises a look-up engine for determining whether the packet corresponds to a user-defined bandwidth control rule based on the header field of the input packet; If the input packet corresponds to the user-set bandwidth control rule, the lookup engine determines that the normal bucket to which the initial number of tokens corresponding to the basic bandwidth is allocated and the burst bucket to which the initial number of tokens corresponding to the additional control bandwidth are allocated. And the number of tokens subtracting the number of tokens corresponding to the size of the input packet from the number of tokens in which the normal bucket and the burst bucket are sequentially used and the number of tokens in the normal bucket and the number of tokens in the burst bucket are negative. Double token bucket stack for transmitting or discarding packets; and Token charging unit for charging a certain token every predetermined time in the double token bucket.

Another preferred embodiment of the present invention is implemented as a computer readable recording medium having recorded thereon a program for executing the bandwidth control method on a computer.

Hereinafter, preferred embodiments of the present invention will be described with reference to the accompanying drawings. It should be noted that the same elements among the drawings are denoted by the same reference numerals and symbols as much as possible even though they are shown in different drawings.

In the following description of the present invention, if it is determined that a detailed description of a related known function or configuration may unnecessarily obscure the subject matter of the present invention, the detailed description thereof will be omitted.

2 shows a configuration of a network infringement response card.

In order to detect and respond to network misuse, the packet is introduced through the Gigabit Ethernet interface 200 in the security card of FIG. 2. This incoming packet is detected by the network misuse detection and response function based on HDL code in Xilinx's Virtex-II Pro FPGA chipset, without delay in determining whether the packet is misused and responding such as packet discard or transmission. Is executed on the

When the installed system is installed and operated at the gateway location, all the incoming traffic is clustered by the analyzer 210 synthesized in the Xilinx FPGA to form a clustered aggregate flow 211 in subdomain units. The aggregate flow 211 calculates network bandwidth usage (BPS) and packet per second (PPS) for each traffic in real time.

Based on the calculated information, it is delivered to the information processor 220, which is a software block, and generates three types of analysis results through analysis of source address, analysis by destination address, and analysis of destination address and destination port. It passes to the block-in policy manager 230.

3 is a security policy table for packet blocking and bandwidth control recorded in the TCAM.

The policy manager 230 generates 5-tuple information to be executed as a policy based on the analysis result and transmits the information to the packet blocker 241 and the bandwidth controller 242 in the corresponder 240 of the security card. .

The policy thus delivered is stored in a TCAM (Ternary Contents Addressable Memory) in a 144-bit form as shown in FIG. After the policy corresponding to the TCAM is recorded, all traffic flowing in real time is checked whether the rule exists in the TCAM, and in the case of the traffic in the TCAM, the corresponding block (packet blocking module 241 or bandwidth control module ( 242).

The analyzer 210 and the counterpart 240 implemented in the security card as described above are implemented through verilog, which is one of hardware description language (HDL), and is synthesized and operated in a chipset through a synthesis tool.

The information processor 220 and the policy manager 230, which are software modules, are installed in the embedded software and communicate data and policies with each other through communication with server blocks of each block installed in the main CPU.

4 shows a double token bucket mechanism in a stack data structure.

Bandwidth controller of the present invention can be implemented by Shaping and Policing. There are Leaky Bucket model using Queue and Token Bucket model using Queue to provide Shaping and Policing.

The Leaky Bucket model is used as a shaping technique in ATMs with the same packet size, and the Token Bucket model is used for IP-based traffic with the same variable packet size.

In the present invention, the concept of Token Bucket is used, but the concept of the dual token bucket is changed to apply two threshold values.

The bandwidth control function present in the security card shown in FIG. 2 of the present invention is represented by a data structure of a stack by applying a double token bucket mechanism. Using two buckets is equivalent to applying one stack with two thresholds.

The case where the packet falls within the first limit is called an acknowledge state (104). The case where the packet falls between the first limit and between a second limit is called a nonconfirm (105).

In the present invention, the two buckets are not configured separately, but the stack is configured to have two thresholds. In this stack type memory, tokens are periodically added by the token charging process, and the tokens are removed every packet inflow by the packet size.

When the first threshold is reached by this procedure, a warning message is sent to the administrator, and when the second threshold is reached, the packet is discarded.

When the initial bandwidth rule is set, the set bandwidth limit BPS value is input, and a variable value corresponding to the data structure of FIG. 5 is calculated through the following procedure to apply the received value to the token bucket mechanism.

In FIG. 4, a value constituting the memory stack is a sum of a normal bucket 102 value and a burst bucket 103 value, and the initial values of the normal bucket 102 and the burst bucket 103 are an input bandwidth control value ( BPS) value.

The number of tokens in the original stack has a value equal to the TotalToken number 401. When the packet is input through the Gigabit Ethernet interface 200, the token in the stack is removed by the byte value of the packet size, and when the packet is located in the Normal Bucket 404, it is determined that the state corresponds to the Confirm state and the packet is delivered. If it is located in the Burst Bucket 405, it is determined that the state corresponds to the NonConfirm state. If the token value before the packet is introduced is larger than the size of the current packet, the packet is delivered. Otherwise, the packet is discarded.

5 is a structural diagram of a stack-type memory using a double token bucket.

A method of calculating a variable value corresponding to the data structure of FIG. 5 is as follows.

▶ ExcessToken = Input bandwidth control value (bps)

▶ TotalToken = Input Bandwidth Control (bps) * 2

▶ Initial value of CurrentToken = TotalToken

AddedToken = received bandwidth control value (bps) * (1/4000)

▶ SpentToken = ExcessToken-CurrentToken

(However, if SpentToken <0, no value is calculated.

▶ SpentSum = SpentSum + SpentToken

▶ Initial value of SpentToken = 0

Initial value of SpentSum = 0

TransmittedPkts initial value = 0

DroppedPkts initial value = 0

In the data structure of FIG. 5, data related to the token bucket was considered to be able to record a value up to 1 GigaBPS in order to support gigabit traffic. In order to support 1 Gigabit speed, a 23-bit field is required, so a data size of 24 bits is given.

At this time, the data size of 501 to 507 is variably determined according to the maximum value that can provide bandwidth control. TotalToken 501 has a sum value of ExcessToken 502 and CurrentToken 503, where ExcessToken 502 means the value of Burst Bucket 403 of FIG. 4.

SpentSum 504 indicates how many tokens are used in the Burst Bucket 403 of FIG. 4 when the value of the token in the current stack is below the ExcessToken 502.

According to the input of the packet, the value of SpentSum 504 is calculated, and if the value of SpentSum 504 becomes a negative number, the packet is dropped and the SpentSum 504 is set back to the value before the current packet is input. .

AddedToken 505 is set as the number of tokens added to the stack at regular intervals, TransmittedPkts 506 is the number of packets sent and TransmittedPkts 507 is the field for indicating the number of dropped packets.

Token Bucket Charging Process

6 illustrates a token bucket filling process.

FIG. 6 is a process of filling a bucket with a certain amount of tokens at regular intervals in order to configure a stack-type memory as shown in FIG. 5.

The software managing the bandwidth control policy writes the policy to the bandwidth control unit 603 in the network interface card via the device driver 601 and the CPU interface 602.

In order to apply the bandwidth control policy to all incoming packets in real time, it includes a lookup engine 606 with a packet classification function, and 5-tuple (source address, source port, destination address, destination port) of the packet to the lookup engine. , Protocol) value.

After the 5-tuple value of the packet is recorded in the lookup engine, the token charging processor 604 is performed by referring to the address of the memory 607 when the incoming packet exists in the lookup engine.

The bandwidth control unit 603 operates the module with a clock of 125 MHz. One clock corresponds to 8ms. Charging is performed on the same bandwidth control entry every 250 ms, and for this purpose, the charging time calculation and notification unit 605 is included, and the token charging process is charged every 250 ms for the same entry.

7 is a flowchart of a token bucket filling process.

The token bucket charging process receives the charging signal signal through the charging time calculation and notification unit 605 of FIG. 6 and indicates that the input packet corresponds to the bandwidth control rule. 501), ExcessToken 502, CurrentToken 503, and AddedToken 505 are read and stored in a register (S701, S702).

Prior to charging the token, the values of CurrentToken 503 and ExcessToken 502 are compared to determine whether the value of CurrentToken 503 corresponds to the Confirm state or NonConfirm state of FIG. 4 (S703).

If the value of CurrentToken (503) is greater than the value of ExcessToken (502), it is in the Confirmed state, and after adding AddedToken (505) to the CurrentToken (503) value (S704), the value of CurrentToken (503) is TotalToken (501). It is determined whether to exceed (S705).

If the value of CurrentToken (503) exceeds the value of TotalToken (501), artificially assign the value of TotalToken (501) to the value of CurrentToken (503) (S706) .If not, record the value of CurrentToken (503) in the memory. The token charging process is terminated (S713).

If the value is less than the ExcessToken 502, it is in a NonConfirm state, and after adding the AddedToken 505 value to the CurrentToken 503 value (S709), it is determined whether the value of the CurrentToken 503 exceeds the ExcessToken 502 ( S711).

When the value of CurrentToken 503 exceeds ExcessToken 502, the value of SpentSum 504 is initialized to 0 to reset the history for discarding packets. Thereafter, register values corresponding to the values of CurrentToken 503 and SpentSum 504 are recorded in the corresponding memory (S712).

If the value of CurrentToken 503 does not exceed ExcessToken 502, the value of CurrentToken 503 is recorded in the memory and the token charging process is terminated (S713).

8 is a flowchart for determining whether an input packet corresponds to a bandwidth control rule.

8, when a packet is input 801, the header field in the packet is queried to inquire whether the contents of the packet match the field existing in the TCAM of FIG. When the packet corresponding to the bandwidth control rule is introduced as a result of the inquiry, the token bucket charging procedure as shown in FIG. 8 is performed.

When a packet flows in from the network, the packet information extractor 802 parses a header field such as a TCP / UDP / ICMP packet and generates a key value for the corresponding packet.

The generated key value then asks the lookup engine 804 via the packet classifier 803 whether the packet corresponds to a bandwidth control rule. After that, the information of 5-tuple (source address, source port, destination address, destination port, protocol) of the packet is extracted and compared with all entries of TCAM (see FIG. 3). This operation is a packet classification operation, and it can be seen whether an incoming packet corresponds to a bandwidth control rule.

In case of a packet corresponding to the bandwidth control rule, the bandwidth controller 806 transmits the size of the packet and the index address in the memory corresponding to the packet. In case of a packet that does not correspond to the bandwidth control rule, the packet transmission information is transmitted to the bandwidth control unit 806 and the packet is transmitted to the network.

The bandwidth control unit 806 transmits the packet transmission or the packet discard information to the correspondence determination unit 805, and the correspondence determination unit 805 responds to the control result of the bandwidth control unit 806 with respect to the packet introduced through the network. Send or discard the packet accordingly.

9 shows a bandwidth control flow chart according to the input of a packet.

By receiving the size and memory address of the packet from the packet classifier 703 in the security card, a series of flow charts in FIG. 9 is started (S901).

The packet size is read from the packet classifier 703 (S902), and the current CurrentToken 503 and ExcessToken 502 values are read from the memory structure in the stack and stored in the register (S903).

After that, when the CurrentToken 503 is larger than the value of the ExcessToken 502 (S904), it corresponds to the approval state, and the value obtained by subtracting the packet size from the value of the CurrentToken 503 is stored again in the CurrentToken 503 (S905).

This recalculated register value of the CurrentToken is compared with the register value of the ExcessToken and then the packet is in the Normal Bucket 102 or Burst Bucket 103, i.e., in the approved state 104 or the disapproved state 105. Determine (S906).

In the case of the approval state 104, the value of CurrentToken is recorded in the memory (S910). In the case of the disapproval state 105, the administrator may take an action such as transmitting a warning message about the bandwidth (S907).

In the disapproved state 105, since the value of CurrentToken exceeds the first limit, the number of tokens in the Burst Bucket 403 of FIG. 4 when the value of the token in the current stack is located below the ExcessToken 502. Calculate the value of SpentSum 504 indicating if it is being used.

The value of SpentSum 504 has an initial value of 0 and uses a variable called SpentToken to calculate the value of SpentSum. SpentToken minus the value of CurrentToken from ExcessToken and is valid only when it is greater than 0 (S908). If the SpentToken is valid, the value is recorded in the memory (S909). After that, the value of CurrentToken is recorded in the memory (S910).

If the CurrentToken (503) is smaller than the ExcessToken (502) value, the value obtained by subtracting the packet size from the CurrentToken (503) value is stored in the CurrentToken (503) again (S911). (S912). In this case, SpentToken (S912) is valid only when it is larger than 0, and this value indicates how many tokens are used by the Burst Bucket 104.

Thereafter, after determining whether the value of SpentToken is greater than the value of ExcessToken (S913), if the value of SpentToken is greater than the value of ExcessToken, an action such as dropping a packet is taken (S921). In this case, the action may be set by a user or an administrator as a policy for bandwidth control in advance. After that, the value of SpentSum is reinitialized to 0 (S922), then written to memory (S923), and the procedure is terminated (S924).

If the value of SpentToken is not greater than the value of ExcessToken, the value of SpentToken is accumulated in SpentSum (S914), and it is determined whether the value of SpentSum is greater than the value of ExcessToken (S915).

If the value of SpentSum is greater than the value of ExcessToken, an action such as dropping a packet is taken (S918). In this case, the action may be set by a user or an administrator as a policy for bandwidth control in advance. After that, the value of SpentSum is reinitialized to 0 (S919) and then written to memory (S920), and the procedure ends (S924).

If the value of SpentSum is not greater than the value of ExcessToken, the value of SpentSum and the value of CurrentToken are recorded in the memory (S916 and S917) and the procedure is terminated (S924).

10 illustrates a bandwidth control test environment of a gateway device equipped with a security card using IXIA for implementing the bandwidth control method of the present invention. IXIA is a traffic generation and analysis device. It harts for two-way traffic in the following test environment.

(1) Generate normal traffic of 40 Mbps by A port transmission traffic

(2) Anomaly excessive traffic generation gradually increasing from 40 Mbps to 1 Gbps using 8 flows with B Port transmission traffic

(3) Application of bandwidth control rules and control confirmation for abnormal traffic

(4) Create and apply a rule of 40 Mbps per flow to A Port incoming traffic of the security card by the policy manager that creates the bandwidth control policy.

The results in the test environment are shown in Table 1 below.

Packet size A Port Egress Traffic B Port Egress Traffic A Port Incoming Traffic B Port Incoming Traffic 64 Bytes 40 Mbps 40 Mbps to 1 Gbps 20 Mbps to 320 Mbps 40 Mbps 512 Bytes 40 Mbps 40 Mbps to 1 Gbps 20 Mbps to 320 Mbps 40 Mbps 1024 Bytes 40 Mbps 40 Mbps to 1 Gbps 20 Mbps to 320 Mbps 40 Mbps 1518 Bytes 40 Mbps 40 Mbps to 1 Gbps 20 Mbps to 320 Mbps 40 Mbps

As a preferred embodiment of the present invention, the bandwidth control function implemented in the security card through the test provides transmission / reception without loss of packets for bidirectional traffic having a speed of 1 Gbps.

11 illustrates excessive traffic control by bandwidth control.

It shows the result of controlling the bandwidth to 40Mbps for each flow for the packet to be controlled to 320Mbps for a total of eight flows. It can be seen that 40 Mbps of input traffic is delivered without loss of packet even for normal traffic to be protected.

The invention can also be embodied as computer readable code on a computer readable recording medium. Computer-readable recording media include all kinds of recording devices that store data that can be read by a computer system.

Examples of computer-readable recording media include ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage, and the like, which are also implemented in the form of carrier waves (for example, transmission over the Internet). It also includes. The computer readable recording medium can also be distributed over network coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.

The best embodiments have been disclosed in the drawings and specification above. Although specific terms have been used herein, they are used only for the purpose of describing the present invention and are not used to limit the scope of the present invention as defined in the meaning or claims.

Therefore, those skilled in the art will understand that various modifications and equivalent other embodiments are possible from this. Therefore, the true technical protection scope of the present invention will be defined by the technical spirit of the appended claims.

In the present invention, the traffic bandwidth is controlled for IP, TCP, UDP, and ICMP for a specific IP or a specific IP group in a high-speed network environment. It uses the system's memory to determine and apply the current incoming / outgoing packet using the parameters applied to the five fields. Accordingly, the bandwidth control method according to the present invention ensures efficient and accurate polishing in the wide area network.

As described above, in the present invention, in order to control traffic for suspicious traffic using a large amount of bandwidth in a low speed network environment and a high speed network environment or for the purpose of Policng / Shapng in QoS, traffic by flow using hardware The hardware configuration and practical mechanism to control the bandwidth of the system is presented.

Although it is implemented through hardware, the administrator can configure the hardware through the device driver, and this setting can be applied to the 10/100 Ethernet environment, the gigabit environment, and the PoS.

When the bandwidth control method is applied, it is possible to control packets in real time against a bandwidth exhaustion attack in the form of a blind attack that generates a large amount of packets arbitrarily on the Internet, thereby providing a high quality internet service.

Claims (19)

A method of performing bandwidth control in a double token bucket stack comprising a normal bucket of the basic bandwidth portion and a burst bucket of the additional control bandwidth portion to which an initial number of tokens corresponding to each of the basic bandwidth and the additional control bandwidth are allocated, (a) subtracting the number of tokens corresponding to the size of an input packet from the number of tokens of the double token bucket stack using the tokens of the normal bucket and the burst bucket sequentially; (b) discarding the packet if the number of tokens remaining in the double token bucket stack is negative; (c) transmitting a packet when the number of tokens remaining in the double token bucket stack is greater than the initial token number in the burst bucket; And (d) if the number of tokens remaining in the double token bucket stack is less than the initial number of tokens in the burst bucket, transmitting a packet and sending an alert message to the user. The method of claim 1, wherein step (a) And subtracting the number of tokens corresponding to the size of the input packet corresponding to a user-set bandwidth control rule from the number of tokens of the double token bucket stack. The method of claim 1, (e) charging a predetermined token in the double token bucket stack at a predetermined time. The method of claim 1, wherein the initial token number of the double token bucket stack is Bandwidth control method, characterized in that the sum of the initial token number of the normal bucket and the initial token number of the burst bucket. The method of claim 1, wherein step (d) (d1) If the number of tokens remaining in the double token bucket stack is less than the initial token number in the burst bucket, the number of tokens used in the burst bucket is subtracted by subtracting the number of tokens in the double token bucket stack from the initial token number in the burst bucket. Calculating the number; (d2) accumulating the number of tokens used; (d3) discarding the packet if the number of used tokens or the accumulated number of used tokens exceeds the initial token number in the burst bucket. The method of claim 3, wherein step (e) (e1) charging a constant token every predetermined time in the double token bucket stack when the number of tokens in the double token bucket stack is greater than the number of token allocations in the burst bucket; (e2) if the number of tokens in the double token bucket stack filled with the predetermined token is greater than the number of initial tokens in the double token bucket stack, setting the number of tokens in the charged double token bucket stack as the number of initial tokens in the double token bucket stack. ; And (e3) If the number of tokens in the double token bucket stack is smaller than the number of token allocations in the burst bucket, a certain token is charged in the double token bucket stack at a predetermined time, and the number of tokens in the charged double token bucket stack is in the burst bucket. And judging whether the number of tokens is greater than the number of token allocations. The method of claim 6, (e4) resetting the accumulated value of the number of tokens used in the burst bucket to zero when the number of tokens in the charged double token bucket stack exceeds the number of token allocations in the burst bucket; A bandwidth control method. A double token bucket stack including a normal bucket to which an initial token number corresponding to the base bandwidth size is allocated and a burst bucket to which an initial token number corresponding to the additional control bandwidth size is allocated; A token removing unit which subtracts the number of tokens corresponding to the size of an input packet from the number of tokens of the double token bucket stack using the tokens of the normal bucket and the burst bucket sequentially; Determination unit for determining whether the number of tokens remaining in the double token bucket stack is negative; And If the number of tokens remaining in the double token bucket stack is negative, the packet is discarded; otherwise, if the number of tokens remaining in the double token bucket stack is larger than the initial token number in the burst bucket, the packet is transmitted and the double token bucket And a counter configured to perform packet transmission and alert message transmission when the number of tokens remaining in the stack is smaller than the initial token number in the burst bucket. The method of claim 8, wherein the counterpart If the number of tokens remaining in the double token bucket stack is less than the initial token number in the burst bucket, the number of tokens used in the burst bucket is calculated by subtracting the number of tokens in the double token bucket stack from the initial token number in the burst bucket. And accumulate the number of the used tokens and discard the packet when the number of the used tokens or the accumulated use tokens exceeds the initial token number in the burst bucket. The method of claim 8, wherein the initial token number of the double token bucket stack is Bandwidth control device, characterized in that the sum of the initial token number of the normal bucket and the initial token number of the burst bucket. The method of claim 8, A lookup for classifying the input packet to remove the number of tokens corresponding to the size of the input packet from the number of tokens in the double token bucket stack based on a header field of the input packet; An engine; bandwidth control device further comprising. The method of claim 8, And a token charging unit for charging a predetermined token every predetermined time in the double token bucket stack. The method of claim 12, wherein the token charging unit A determination unit that determines whether the number of tokens in the double token bucket stack filled with the predetermined token is greater than the initial number of tokens in the double token bucket stack; An initialization unit configured to set the number of tokens in the charged double token bucket stack as the number of initial tokens in the double token bucket stack when the number of tokens in the charged double token bucket stack is greater than the number of initial tokens in the double token bucket stack; If the number of tokens in the charged double token bucket stack is less than the initial number of tokens in the double token bucket stack, the double token bucket stack is recharged for a predetermined time, and the number of tokens in the refilled double token bucket stack is in the burst bucket. And a judging unit for determining whether the number of tokens is greater than the number of token allocations. The method of claim 13, wherein the judging unit And a reset unit for resetting the accumulated value of the number of tokens used in the burst bucket to zero when the number of tokens in the charged double token bucket stack exceeds the number of token allocations in the burst bucket. controller. A lookup engine that determines whether the packet corresponds to a user-defined bandwidth control rule based on a header field of an input packet; If the input packet corresponds to the user-set bandwidth control rule, the lookup engine determines that the normal bucket to which the initial number of tokens corresponding to the basic bandwidth is allocated and the burst bucket to which the initial number of tokens corresponding to the additional control bandwidth are allocated. And the number of tokens obtained by subtracting the number of tokens corresponding to the size of the input packet from the number of tokens in which the normal bucket and the burst bucket are sequentially used and the number of tokens in the normal bucket and the number of tokens in the burst bucket are negative. Double token bucket stack for transmitting or discarding packets; and Token charging unit for charging a predetermined token every predetermined time in the double token bucket; bandwidth control device comprising a. The method of claim 15, wherein the double token bucket stack The packet is transmitted when the number of tokens remaining in the double token bucket stack is larger than the initial token number in the burst bucket, and when the number of tokens in the double token bucket is smaller than the initial token number in the burst bucket, an alarm message is transmitted to the user while transmitting the packet. Bandwidth Control Unit. The method of claim 16, wherein the double token bucket stack If the number of tokens remaining in the double token bucket stack is less than the initial token number in the burst bucket, the number of tokens used in the burst bucket is calculated by subtracting the number of tokens in the double token bucket stack from the initial token number in the burst bucket. and Accumulating the number of tokens used above And discarding the packet when the number of used tokens or the accumulated number of used tokens exceeds the number of initial tokens in the burst bucket. The method of claim 15, wherein the token charging unit A determination unit that determines whether the number of tokens in the double token bucket stack filled with the predetermined token is greater than the initial number of tokens in the double token bucket stack; An initialization unit configured to set the number of tokens in the charged double token bucket stack as the number of initial tokens in the double token bucket stack when the number of tokens in the charged double token bucket stack is greater than the number of initial tokens in the double token bucket stack; If the number of tokens in the charged double token bucket stack is less than the initial number of tokens in the double token bucket stack, the double token bucket stack is recharged for a predetermined time, and the number of tokens in the refilled double token bucket stack is in the burst bucket. And a judging unit for determining whether the number of tokens is greater than the number of token allocations. 19. The method of claim 18, wherein the trial unit And a reset unit for resetting the accumulated value of the number of tokens used in the burst bucket to zero when the number of tokens in the charged double token bucket stack exceeds the number of token allocations in the burst bucket. controller.

Images