WO2008122186A1 - Method and device for preventing a small data packet attack - Google Patents

Method and device for preventing a small data packet attack

Info

Publication number
WO2008122186A1
Authority
WO
WIPO (PCT)
Prior art keywords
data flow
length
minimum length
traffic
minimum
Prior art date
Application number
PCT/CN2007/071368
Other languages
English (en)
Chinese (zh)
Inventor
Zhiwang Zhao
Shengtao Sun
Original Assignee
Huawei Technologies Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2008122186A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic

Definitions

  • The present invention relates to the field of communications, and in particular to a method and apparatus for preventing network attacks.
  • DoS: Denial of Service.
  • The most common DoS attack uses a large number of service requests to consume so many service resources that the service is overloaded and cannot respond to other requests.
  • Service resources include network bandwidth, file system capacity, open processes, or connections. Because every resource is finite, the consequences of such an attack cannot be avoided no matter how fast the computer is, how much memory it has, or how much bandwidth connects it to the Internet.
  • Another common DoS attack uses spoofing and similar tricks to make the host that provides the service respond incorrectly, so that the service stops or the host even crashes.
  • A DDoS (Distributed Denial of Service) attack is an enhanced form of DoS attack.
  • A DoS attack targets a host connected to the Internet and consumes the resources of the target host or network, interfering with or completely preventing the target host from serving legitimate users; a DDoS attack uses a large number of distributed hosts to attack one or more target hosts.
  • Against DoS and DDoS attacks, network devices usually use traffic limiting (limiting the number of bytes of packets sent to the device per unit time).
  • The traffic limiting function of a network device protects the device by limiting the size of the data stream sent in a unit of time.
  • The inventor finds that the packets constituting a data stream differ in size.
  • Therefore, under the same data stream size limit, the number of packets sent to the network device per unit time may differ, and so may the effectiveness of the device's attack prevention function. An attacker usually exploits this weakness by sending a large number of ultra-small packets to the network device in a short period of time. As a result, the effect of traditional attack prevention based on limiting the size of the data flow is reduced, and the prevention function may even be paralysed.
  • The embodiments of the present invention provide a method and device for preventing small packet attacks, solving the problem that small packet attacks cannot be prevented in current communication networks.
  • A method for preventing a small packet attack includes: determining the minimum length of a packet that can be processed by the device and a data flow limit value; comparing the actual length of a received packet with the minimum length and, if the actual length of the received packet is less than the minimum length, calculating the data flow traffic using the minimum length; and, when the traffic of the data flow reaches the data flow limit value, starting the defense on the device.
  • An apparatus for preventing a small packet attack includes a receiving unit, a comparing unit, and a processing unit. The receiving unit is configured to receive a packet sent by another device and obtain the actual length of the received packet; the comparing unit is configured to compare that actual length with the minimum length value and to calculate the data flow traffic according to the comparison result, using the minimum length if the actual length of the received packet is less than the minimum length; the processing unit is configured to determine, from the data flow traffic and the device's data flow limit value, whether attack defense measures are taken.
  • When the device receives a packet whose length is smaller than the minimum length of a packet that can be processed by the device, the device does not use the actual length of the received packet when calculating the traffic, but the predetermined minimum length that the device can process. This is equivalent to dynamically inflating the measured traffic of the flow and achieves length compensation for small packets. When the traffic of the data flow reaches the data flow limit value, the device enters the attack defense state earlier, preventing an excessive number of packets per unit time from making the device abnormal, which effectively prevents small packet attacks.
  • FIG. 1 is a flowchart of a method for preventing small message attacks according to an embodiment of the present invention
  • FIG. 2 is a structural block diagram of an apparatus for preventing small message attacks according to another embodiment of the present invention.
  • The method includes:
  • The user determines the minimum length of a packet that can be processed by the device according to the characteristics of the device's service, and sets the committed access rate (CAR) on the device interface so that the traffic of a data stream is limited to an appropriate range while other data streams pass normally.
  • The minimum length of a packet that can be processed by the device can be set according to the requirements of the service handled by the specific device. For example, the minimum length of an Address Resolution Protocol (ARP) packet is 42 bytes, that is, the data frame of an ARP request or reply is 42 bytes long (28 bytes of ARP data plus a 14-byte Ethernet frame header); therefore, on a device that processes ARP packets, the minimum processable packet length can be set to 42 bytes, or a smaller value chosen empirically.
  • After receiving a packet, the network device obtains its actual length.
  • The packet length is judged and the data flow traffic is calculated according to the result: if the actual length of the packet is greater than or equal to the minimum length of a packet that can be processed by the device, the data flow traffic is calculated from the actual length of the packet; if the actual length is less than the minimum length, the traffic is calculated using the minimum length.
  • When the device receives a small packet whose length is less than the minimum length, it therefore does not use the actual length of the received packet when calculating the traffic, but the preset minimum processable length, which is larger than the received packet. This is equivalent to dynamically inflating the measured traffic and achieves length compensation for small packets.
  • When the traffic of the data flow reaches the data flow limit value, the device initiates preventive measures that limit the traffic of that specific data flow to the limit value while ensuring the normal passage of other data flows. Using this method the device enters the attack defense state earlier, avoiding an excessive number of packets sent to the device per unit time and the resulting abnormal behaviour of the device, and thus effectively prevents small packet attacks.
  • The method described in the foregoing embodiments may be applied to a firewall, a router, an Ethernet switch, a broadband access device, or other devices.
  • The apparatus includes a receiving unit, a comparing unit, and a processing unit.
  • The receiving unit receives the service packet sent by another device and obtains the actual length of the packet.
  • The comparing unit compares the actual length of the service packet with the minimum length of a packet that can be processed by the device and calculates the data flow traffic according to the comparison result: if the actual length of the packet is greater than or equal to the minimum length, the traffic is calculated from the actual length; if it is less than the minimum length, the traffic is calculated using the minimum length.
  • The processing unit determines, from the data flow traffic value calculated by the comparing unit and the device's data flow limit value, whether to initiate attack prevention measures: when the traffic reaches the limit value, the device starts the defense, limiting the traffic of that specific data flow to at most the limit value while ensuring the normal flow of other data flows.
  • As in the method above, when the device receives a small packet whose length is smaller than the minimum processable length, it does not use the actual length of the packet when calculating the traffic but the larger, user-configured minimum length, which is equivalent to dynamically inflating the measured traffic and achieves length compensation for small packets. The device therefore enters the attack defense state earlier and prevents an excessive number of packets sent per unit time from making the device abnormal.
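As an added example (not part of the patent and not Huawei's implementation), the following Python models the length-compensated accounting described in the method and apparatus above: every packet of a flow is charged max(actual length, minimum processable length) against a per-flow byte budget per window, and the flow is limited once that budget is reached while other flows are unaffected. The flow keys, the 20 kB per second limit, the one-second window and the packet streams are constructed assumptions; the 42-byte ARP figure is the one given in the text.

```python
"""
Length-compensated per-flow traffic limiting (added example, not the patent's code).

Each packet is charged max(actual_len, min_len) against the flow's byte budget,
so a flood of ultra-small packets exhausts the budget as fast as a flood of
minimum-size packets would.  min_len = 0 reproduces the traditional scheme.
"""
from collections import defaultdict
from dataclasses import dataclass, field

ARP_FRAME_LEN = 42  # 14-byte Ethernet header + 28-byte ARP payload, as stated in the text


def compensated_length(actual_len: int, min_len: int) -> int:
    """Length charged to the flow: the actual length, or min_len if the packet is smaller."""
    if actual_len < 0:
        raise ValueError("packet length cannot be negative")
    return actual_len if actual_len >= min_len else min_len


@dataclass
class FlowLimiter:
    """Per-flow byte counter over a fixed window (a simplified stand-in for CAR)."""
    limit_bytes: int          # data flow limit value per window
    window_s: float           # accounting window in seconds
    min_len: int = 0          # minimum processable packet length; 0 disables compensation
    _window_start: dict = field(default_factory=dict)
    _counted: dict = field(default_factory=lambda: defaultdict(int))
    _defending: set = field(default_factory=set)

    def observe(self, flow: str, actual_len: int, now: float) -> bool:
        """Account one packet; return True if it is dropped because defense is active."""
        start = self._window_start.get(flow)
        if start is None or now - start >= self.window_s:
            # New window for this flow: reset its counter and its defense state.
            self._window_start[flow] = now
            self._counted[flow] = 0
            self._defending.discard(flow)
        self._counted[flow] += compensated_length(actual_len, self.min_len)
        if self._counted[flow] > self.limit_bytes:
            self._defending.add(flow)  # limit reached: defend against this flow only
        return flow in self._defending

    def is_defending(self, flow: str) -> bool:
        return flow in self._defending


def run_flood(limiter: FlowLimiter, flow: str, n_packets: int, pkt_len: int,
              duration_s: float = 1.0) -> tuple[int, int]:
    """Send n_packets of pkt_len bytes spread evenly over duration_s; return (passed, dropped)."""
    passed = dropped = 0
    for i in range(n_packets):
        t = i * duration_s / n_packets
        if limiter.observe(flow, pkt_len, t):
            dropped += 1
        else:
            passed += 1
    return passed, dropped


def compare_schemes() -> dict:
    """Constructed scenario: 1000 packets of 8 bytes in one second against a 20 kB/s limit."""
    attacker, legit_host, budget = "10.0.0.99", "10.0.0.5", 20_000   # assumed values
    naive = FlowLimiter(limit_bytes=budget, window_s=1.0, min_len=0)
    compensated = FlowLimiter(limit_bytes=budget, window_s=1.0, min_len=ARP_FRAME_LEN)
    return {
        # Traditional accounting: 1000 * 8 = 8000 bytes, never reaches the limit.
        "naive": run_flood(naive, attacker, n_packets=1000, pkt_len=8),
        # Compensated: 1000 * 42 = 42000 bytes, limit crossed at the 477th packet.
        "compensated": run_flood(compensated, attacker, n_packets=1000, pkt_len=8),
        # A normal flow on the same device stays within its own budget and passes.
        "legit": run_flood(compensated, legit_host, n_packets=10, pkt_len=1000),
    }


if __name__ == "__main__":
    for name, (passed, dropped) in compare_schemes().items():
        print(f"{name:12s} passed={passed:4d} dropped={dropped:4d}")
```

The block uses a fixed accounting window for brevity; the CAR mentioned in the text is a token bucket with a committed rate and burst size, but the compensation rule is the same wherever the bucket is charged. Where the length is measured also matters: an ARP request is 42 bytes of Ethernet header plus payload, but Ethernet pads short frames to a 60-byte minimum (64 bytes with the FCS), so a device that counts frames at wire length will see 60 bytes rather than 42, and the minimum length should be chosen against the length the counter actually sees.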

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

This invention concerns a method and a device for preventing a small data packet attack. The method comprises the steps of: determining the minimum length of a packet that can be processed by the device and the traffic threshold value of the data flow; comparing the current length of the received packet with the minimum length and, if the current length of the received packet is less than the minimum length, using the minimum length to calculate the traffic of the data flow. When the traffic of the data flow reaches the traffic threshold value of the data flow, the device triggers the prevention mechanism.
PCT/CN2007/071368 2007-04-05 2007-12-28 Method and device for preventing a small data packet attack WO2008122186A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710073976.1 2007-04-05
CN200710073976A CN101034975B (zh) 2007-04-05 2007-04-05 Method and apparatus for preventing small packet attacks

Publications (1)

Publication Number Publication Date
WO2008122186A1 (fr) 2008-10-16

Family

ID=38731297

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/071368 WO2008122186A1 (fr) 2007-04-05 2007-12-28 Method and device for preventing a small data packet attack

Country Status (2)

Country Link
CN (1) CN101034975B (fr)
WO (1) WO2008122186A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101034975B (zh) * 2007-04-05 2010-05-26 Huawei Technologies Co., Ltd. Method and apparatus for preventing small packet attacks

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1677933A (zh) * 2004-04-01 2005-10-05 Huawei Technologies Co., Ltd. A method for controlling protocol packet attacks
CN1725732A (zh) * 2005-06-08 2006-01-25 Hangzhou Huawei-3Com Technology Co., Ltd. A packet rate limiting method
US20060137009A1 (en) * 2004-12-22 2006-06-22 V-Secure Technologies, Inc. Stateful attack protection
US20070047457A1 (en) * 2005-08-29 2007-03-01 Harijono Indra G Method and system for reassembling packets prior to searching
CN101034975A (zh) * 2007-04-05 2007-09-12 Huawei Technologies Co., Ltd. Method and apparatus for preventing small packet attacks

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1145318C (zh) * 2001-06-26 2004-04-07 Huawei Technologies Co., Ltd. A method for implementing security protection for an Internet service provider
CN100420197C (zh) * 2004-05-13 2008-09-17 Huawei Technologies Co., Ltd. A method for implementing attack prevention on a network device
CN100512207C (zh) * 2004-12-10 2009-07-08 Huawei Technologies Co., Ltd. A traffic control method
CN1941775A (zh) * 2006-07-19 2007-04-04 Huawei Technologies Co., Ltd. A method and device for preventing network message attacks

Also Published As

Publication number Publication date
CN101034975A (zh) 2007-09-12
CN101034975B (zh) 2010-05-26

Similar Documents

Publication Publication Date Title
US10075468B2 (en) Denial-of-service (DoS) mitigation approach based on connection characteristics
US9043912B2 (en) Method for thwarting application layer hypertext transport protocol flood attacks focused on consecutively similar application-specific data packets
US10771501B2 (en) DDoS attack defense method, system, and related device
US9288218B2 (en) Securing an accessible computer system
US9088607B2 (en) Method, device, and system for network attack protection
US7882556B2 (en) Method and apparatus for protecting legitimate traffic from DoS and DDoS attacks
US8453208B2 (en) Network authentication method, method for client to request authentication, client, and device
US7818795B1 (en) Per-port protection against denial-of-service and distributed denial-of-service attacks
CN109005175B (zh) Network protection method, apparatus, server and storage medium
KR20120060655A (ko) Routing device and routing method capable of detecting server attacks, and network using the same
KR20190053540A (ko) SDN-based defense system and method against Slow HTTP DDoS attacks
US20090240804A1 (en) Method and apparatus for preventing igmp packet attack
US9641485B1 (en) System and method for out-of-band network firewall
US20110179479A1 (en) System and method for guarding against dispersed blocking attacks
KR20110049282A (ko) DDoS detection/blocking system and method against DDoS attacks
US8159948B2 (en) Methods and apparatus for many-to-one connection-rate monitoring
Shen et al. Mitigating SYN Flooding and UDP Flooding in P4-based SDN
JP4602158B2 (ja) Server device protection system
US20110265181A1 (en) Method, system and gateway for protection against network attacks
WO2019096104A1 (fr) Attack prevention
JP3941763B2 (ja) Congestion control system for client-server type services
JP4694578B2 (ja) Method and system for protecting a computer network from packet floods
Kumarasamy et al. An active defense mechanism for TCP SYN flooding attacks
Pande et al. Detection and mitigation of DDoS in SDN
CN107689967B (zh) A DDoS attack detection method and apparatus

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07846194

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07846194

Country of ref document: EP

Kind code of ref document: A1