WO2008122186A1 - Method and device for preventing attack of small packet - Google Patents

Method and device for preventing attack of small packet

Info

Publication number: WO2008122186A1
Authority: WO, WIPO (PCT)
Prior art keywords: data flow, length, minimum length, traffic, minimum
Application number: PCT/CN2007/071368
Other languages: French (fr), Chinese (zh)
Inventors: Zhiwang Zhao, Shengtao Sun
Original assignee: Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2008122186A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic



Abstract

A method and device for preventing small packet attacks. The method includes the following steps: determining the minimum length of a packet that the device can process and a threshold for the data-flow traffic; comparing the actual length of a received packet with the minimum length and, if the actual length of the received packet is smaller than the minimum length, using the minimum length to calculate the data-flow traffic. When the data-flow traffic reaches the threshold, the device enables its prevention mechanism.

Description

Method and device for preventing small packet attacks

Technical field

The present invention relates to the field of communications, and in particular to a method and device for preventing network attacks.
Background

Denial of Service (DoS) in a broad sense refers to any attack that prevents a server from providing its service normally. The most common DoS attack uses a large number of service requests to consume excessive service resources, so that the service is overloaded and cannot respond to other requests. These service resources include network bandwidth, file system capacity, and the number of open processes or connections. Because every resource has a limit, no matter how fast the computer's processor is, how large its memory is, or how high its Internet bandwidth is, the consequences of such an attack cannot be avoided. Another common DoS attack uses deception and spoofing to make the host providing the service respond incorrectly, so that it stops providing the service or even crashes.

Distributed Denial of Service (DDoS) attacks are an enhanced form of DoS attack. A DoS attack is launched from a single machine connected to the Internet against a target, consuming the resources of the target host or network and thereby interfering with or completely preventing the target host from serving legitimate users; a DDoS attack uses a large number of distributed hosts to attack one or more target hosts.

Against DoS and DDoS attacks, network devices usually rely on a traffic-limiting function (limiting the number of packet bytes sent up to the device per unit time) for protection.

The traffic-limiting function of a network device protects the device by bounding the size of the data flow sent up to it per unit time. However, in the course of implementing the present invention, the inventors found that the packets making up a data flow differ in size. For the same data flow size, if the packets making up the flow differ greatly in size, the number of packets sent up to the network device per unit time can differ, so that the same data-flow size limit yields different attack-prevention results. For example, an attacker typically exploits this weakness by sending a large number of very small packets to the network device in a short time, so that the effectiveness of traditional attack prevention based on limiting the data-flow size declines, or the prevention function is paralyzed entirely.
Summary of the invention

Embodiments of the present invention provide a method and device for preventing small packet attacks, solving the problem that small packet attacks cannot be prevented in current communication networks.

One embodiment of the present invention that solves the above technical problem is:

A method for preventing small packet attacks, including: determining the minimum length of a packet that the device can process and a data-flow traffic limit value; comparing the actual length of a received packet with the minimum length and, if the actual length of the received packet is less than the minimum length, using the minimum length to calculate the data-flow traffic; and, when the traffic of the data flow reaches the data-flow traffic limit value, the device starting its protective measures.

Another embodiment of the present invention that solves the above technical problem is:
A device for preventing small packet attacks, including a receiving unit, a comparing unit and a processing unit, where the receiving unit is configured to receive packets sent by other devices and obtain the actual
minimum length value and calculate the data-flow traffic according to the comparison result, and if the actual length of the received packet is less than the minimum length, the minimum length is used to calculate the data-flow traffic; the processing unit determines, according to the traffic of the data flow and the device's data-flow traffic limit value, whether to take attack-prevention measures.
Compared with the prior art, in the technical solution provided by embodiments of the present invention, when the device receives a small packet whose length is less than the minimum length of a packet the device can process, the device does not use the actual length of the received packet when calculating traffic but instead uses the larger, predetermined minimum processable packet length. This is equivalent to dynamically increasing the counted upstream traffic, and so compensates for the length of small packets. When the traffic of the data flow reaches the data-flow traffic limit value, the device enters the attack-prevention state earlier, avoiding an excessive number of packets sent up to the device per unit time and the resulting device malfunction, and thereby effectively prevents small packet attacks.
Brief description of the drawings

FIG. 1 is a flowchart of a method for preventing small packet attacks according to an embodiment of the present invention;

FIG. 2 is a structural block diagram of a device for preventing small packet attacks according to another embodiment of the present invention.
Detailed description

Refer to FIG. 1, a flowchart of a method for preventing small packet attacks according to an embodiment of the present invention. The method includes:

The user determines the minimum length of a packet that the device can process according to the characteristics of the device's services. At the same time, a committed access rate (CAR) is configured on the device interface to limit the traffic of the data flow to a range, allowing an appropriate amount of it to pass while ensuring that other data flows pass normally.

Here, the minimum processable packet length can be set according to the requirements of the particular service the device handles. For example, the minimum length of an Address Resolution Protocol (ARP) packet is 42 bytes, that is, the frame length of an ARP request or reply is 42 bytes (28 bytes of ARP data plus a 14-byte Ethernet frame header). Therefore, a device that processes ARP packets can have its minimum processable packet length set to 42 bytes, or a smaller value can be set based on experience.

After receiving a packet, the network device obtains the packet's actual length;

The packet length is judged, and the data-flow traffic is calculated according to the judgment result.

The specific judgment is: if the actual length of the packet is greater than or equal to the configured minimum length of a packet that the device can process, the data-flow traffic is calculated according to the actual length of the packet; if the actual length of the packet is less than the minimum length, the minimum length is used to calculate the data-flow traffic.

Because, when the device receives a small packet whose length is less than the minimum length, it does not use the actual length of the received packet when calculating traffic but instead uses the larger, preset minimum processable packet length, this is equivalent to dynamically increasing the counted upstream traffic and compensates for the length of small packets. Thus, when the traffic of that data flow reaches the traffic limit value, the device starts its protective measures, limiting the traffic of that particular data flow to within the limit value while ensuring that other data flows pass normally. With this method the device therefore enters the attack-prevention state earlier, avoiding an excessive number of packets sent up to the device per unit time and the resulting device malfunction, and so effectively prevents small packet attacks.

The method described in the above embodiments can be implemented on a firewall, router, Ethernet switch or broadband access device, and the scheme can also be used on other devices.
Another embodiment of the present invention provides a device for preventing small packet attacks. As shown in FIG. 2, the device includes a receiving unit, a comparing unit and a processing unit. The receiving unit receives service packets sent by other devices and obtains the actual length of each packet. The comparing unit compares the actual length of the service packet with the configured minimum length of a packet that the device can process and calculates the data-flow traffic according to the comparison result: if the actual length of the packet is greater than or equal to the configured minimum processable packet length, the data-flow traffic is calculated according to the actual length of the packet; if the actual length of the packet is less than the user-configured minimum processable packet length, the configured minimum processable packet length is used to calculate the data-flow traffic.

The processing unit determines whether to start attack-prevention measures according to the data-flow traffic value calculated by the comparing unit. When the traffic of the data flow reaches the data-flow traffic limit value, the device starts its protective measures, limiting the traffic of that particular data flow to below the limit value while ensuring that other data flows pass normally.

When the device receives a small packet whose length is less than the minimum length of a packet the device can process, it does not use the actual length of the packet when calculating traffic but instead uses the larger, user-configured minimum processable packet length. This is equivalent to dynamically increasing the counted upstream traffic and compensates for the length of small packets, so that when the traffic of the data flow reaches the data-flow traffic limit value, the device starts its protective measures, limiting the traffic of that particular data flow to within the limit value while ensuring that other data flows pass normally. The device for preventing small packet attacks therefore lets the device enter the attack-prevention state earlier, avoiding an excessive number of packets sent up to the device per unit time and the resulting device malfunction, and so effectively prevents small packet attacks.

The above is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto; any variation or substitution that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention, without departing from its technical idea, shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of the claims.
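The following Python simulation is an added example, not code from the patent or from Huawei; it models the method of FIG. 1 and the device of FIG. 2 as a per-flow byte counter with length compensation and shows how much earlier a flood of runt packets hits the limit than with plain byte counting. The one-second window, the flow key, the 10,000-byte limit and the 20-byte flood are constructed assumptions; only the comparison rule and the 42-byte ARP figure come from the page.

```python
"""Length-compensated traffic limiting for small-packet floods (added example).

Models the patent's method as a per-flow committed-access-rate (CAR) byte
counter over a fixed window. A packet shorter than the device's minimum
processable length is charged as if it were that minimum length, so a flood
of runt packets reaches the data-flow limit sooner than plain byte counting
would allow. The window and flow-key bookkeeping are assumptions of this
example; the patent only specifies the comparison and the limit check.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Page value: an ARP request/reply frame is 42 bytes (14-byte Ethernet header
# + 28-byte ARP payload). On the wire Ethernet pads such a frame to the
# 60-byte minimum (excluding FCS); the page's figure is the unpadded frame.
ARP_MIN_FRAME_LEN = 42


@dataclass
class FlowState:
    """Per-flow counter state for the current measurement window."""
    window_start: float = 0.0
    counted_bytes: int = 0    # bytes charged so far in this window
    defending: bool = False   # True once this flow hit its limit in the window


@dataclass
class CompensatingLimiter:
    """CAR-style limiter with small-packet length compensation.

    limit_bytes: data-flow traffic limit value per window (bytes)
    min_len:     minimum packet length the device can process (bytes);
                 packets shorter than this are charged as min_len.
                 min_len=0 gives plain byte counting (the prior art).
    """
    limit_bytes: int
    min_len: int = 0
    window_s: float = 1.0
    flows: Dict[str, FlowState] = field(
        default_factory=lambda: defaultdict(FlowState))

    def charged_length(self, actual_len: int) -> int:
        # The patent's comparison step: actual >= min -> actual, else -> min.
        return actual_len if actual_len >= self.min_len else self.min_len

    def accept(self, now: float, flow_id: str, actual_len: int) -> bool:
        """Return True if the packet passes, False if its flow is being limited."""
        st = self.flows[flow_id]
        if now - st.window_start >= self.window_s:
            # New measurement window: reset this flow only.
            st.window_start = now
            st.counted_bytes = 0
            st.defending = False
        st.counted_bytes += self.charged_length(actual_len)
        if st.counted_bytes > self.limit_bytes:
            # Defense: hold this flow at the limit; other flows are untouched.
            st.defending = True
        return not st.defending


def simulate_flood(limiter: CompensatingLimiter, flow_id: str,
                   pkt_len: int, count: int, now: float = 0.0) -> int:
    """Send `count` packets of pkt_len bytes on one flow within one window
    and return how many the limiter admits."""
    return sum(limiter.accept(now, flow_id, pkt_len) for _ in range(count))


def compare_runt_flood(limit_bytes: int = 10_000, runt_len: int = 20,
                       count: int = 1_000) -> Tuple[int, int]:
    """Packets admitted from a constructed flood of runt_len-byte packets:
    (plain byte counting, length-compensated counting)."""
    plain = CompensatingLimiter(limit_bytes=limit_bytes, min_len=0)
    comp = CompensatingLimiter(limit_bytes=limit_bytes,
                               min_len=ARP_MIN_FRAME_LEN)
    return (simulate_flood(plain, "attacker", runt_len, count),
            simulate_flood(comp, "attacker", runt_len, count))


if __name__ == "__main__":
    plain_ok, comp_ok = compare_runt_flood()
    print(f"20-byte flood, 10000 B/s limit: plain admits {plain_ok} packets, "
          f"compensated admits {comp_ok}")
    lim = CompensatingLimiter(limit_bytes=10_000, min_len=ARP_MIN_FRAME_LEN)
    simulate_flood(lim, "attacker", 20, 1_000)
    # A legitimate flow on the same device is not affected by the defense.
    print("legit flow passes:", lim.accept(0.0, "legit", 500))
```

With a 10,000-byte limit, plain counting admits 500 twenty-byte packets per window while the compensated limiter admits 238, the same count a flood of full 42-byte ARP frames would get.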

Claims

1. A method for preventing small packet attacks, characterized in that it includes:
determining the minimum length of a packet that the device can process and a data-flow traffic limit value;
comparing the actual length of a received packet with the minimum length and, if the actual length of the received packet is less than the minimum length, using the minimum length to calculate the data-flow traffic;
when the traffic of the data flow reaches the data-flow traffic limit value, the device starting its protective measures.
2. The method according to claim 1, characterized in that the minimum length is determined according to the characteristics of the device's services.
3. The method according to claim 2, characterized in that the minimum length is not greater than the minimum value required by the characteristics of the device's services.
4. The method according to claim 1, characterized in that, if the actual length of the received packet is greater than or equal to the minimum length, the data-flow traffic is calculated according to the actual length of the packet.
5. The method according to claim 1, characterized in that the device starting its protective measures consists of: limiting the traffic of the data flow to below the data-flow traffic limit value and allowing other data flows to pass normally.
6. The method according to claim 1, characterized in that the device is a firewall, a router, an Ethernet switch or a broadband access device.
7. A device for preventing small packet attacks, characterized in that it includes a receiving unit, a comparing unit and a processing unit, where
the receiving unit is configured to receive packets sent by other devices and obtain the actual length of the received packet; length value and calculates the data-flow traffic according to the comparison result, and if the actual length of the received packet is less than the minimum length, the minimum length is used to calculate the data-flow traffic;
the processing unit determines, according to the traffic of the data flow and the device's data-flow traffic limit value, whether to take attack-prevention measures.
8. The device according to claim 7, characterized in that the minimum length is determined according to the characteristics of the device's services.
9. The device according to claim 8, characterized in that the minimum length is not greater than the minimum value required by the characteristics of the device's services.
10. The device according to claim 7, characterized in that, if the actual length of the received packet is greater than or equal to the minimum length, the data-flow traffic is calculated according to the actual length of the packet.
11. The device according to claim 7, characterized in that the device is a firewall, a router, an Ethernet switch or a broadband access device.
PCT/CN2007/071368 2007-04-05 2007-12-28 Method and device for preventing attack of small packet WO2008122186A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710073976A CN101034975B (en) 2007-04-05 2007-04-05 Method and device for preventing the small message attack
CN200710073976.1 2007-04-05

Publications (1)

Publication Number Publication Date
WO2008122186A1 true WO2008122186A1 (en) 2008-10-16

Family

ID=38731297

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/071368 WO2008122186A1 (en) 2007-04-05 2007-12-28 Method and device for preventing attack of small packet

Country Status (2)

Country Link
CN (1) CN101034975B (en)
WO (1) WO2008122186A1 (en)


Also Published As

Publication number Publication date
CN101034975A (en) 2007-09-12
CN101034975B (en) 2010-05-26


Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 07846194; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 07846194; Country of ref document: EP; Kind code of ref document: A1)