WO2008122186A1 - Method and device for preventing a small packet attack - Google Patents
- Publication number
- WO2008122186A1 (PCT application PCT/CN2007/071368)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data flow
- length
- minimum length
- traffic
- minimum
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Definitions
- the present invention relates to the field of communications, and in particular, to a method and apparatus for preventing network attacks.
- DoS: Denial of Service
- the most common DoS attack uses a large number of service requests to consume excessive service resources, so that the service is overloaded and can no longer respond to other requests.
- service resources include network bandwidth, file-system capacity, open processes and connections. Because every resource is finite, no matter how fast the computer processes, how much memory it has or how much Internet bandwidth it is connected with, the consequences of such an attack cannot be avoided by capacity alone.
- another common DoS attack causes the host providing the service to respond incorrectly, for example through spoofing, so that the service stops or the host even crashes.
- the DDoS (Distributed Denial of Service) attack is an enhanced form of DoS attack.
- a DoS attack targets a host connected to the Internet and consumes the resources of the target host or network, thereby interfering with or completely preventing the target host from serving legitimate users; a DDoS attack uses a large number of distributed hosts to attack one or more target hosts.
- against DoS and DDoS attacks, network devices usually rely on traffic limiting, that is, limiting the number of bytes of packets sent to the device per unit time.
- the traffic limiting function of a network device protects the device by limiting the size of the data stream sent to it per unit time.
- the inventor finds that the packets making up a data stream differ in size.
- for a data stream of the same byte size, the number of packets sent to the network device per unit time may therefore differ, and so does the device's ability to resist attack under the same data-stream size limit.
- an attacker usually exploits this weakness by sending a large number of ultra-small packets to the network device in a short period: the byte count stays under the limit while the packet rate overwhelms the device, so the effectiveness of traditional attack prevention based on limiting the size of the data flow is reduced, and the prevention function may even be paralysed.
- the embodiments of the present invention provide a method and device for preventing small packet attacks, solving the problem that such attacks cannot be prevented in current communication networks.
- a method for preventing a small packet attack includes: determining the minimum length of a packet that the device can process and a data-flow limit value; comparing the actual length of each received packet with the minimum length and, if the actual length is less than the minimum length, calculating the data-flow traffic using the minimum length instead; and, when the traffic of the data flow reaches the data-flow limit value, starting the defense.
- an apparatus for preventing a small packet attack includes a receiving unit, a comparing unit and a processing unit. The receiving unit receives packets sent by other devices and obtains the actual length of each received packet; the comparing unit compares the actual length with the minimum length and calculates the data-flow traffic according to the result, using the minimum length whenever the actual length is less than it; the processing unit determines, according to the calculated traffic and the device's data-flow limit value, whether attack defense measures are taken.
- when the device receives a packet whose length is smaller than the minimum length of packet the device can process, it does not use the actual length of the received packet when calculating the traffic but the predetermined minimum processable length. This is equivalent to dynamically increasing the traffic counted against the flow and compensates for the length of small packets.
- when the traffic of the data flow reaches the data-flow limit value, the device therefore enters the attack defense state earlier, preventing an excessive number of packets per unit time from making the device abnormal, which effectively prevents small packet attacks.
- FIG. 1 is a flowchart of a method for preventing small packet attacks according to an embodiment of the present invention.
- FIG. 2 is a structural block diagram of an apparatus for preventing small packet attacks according to another embodiment of the present invention.
- the method includes:
- the user determines the minimum length of the packet that can be processed by the device according to the characteristics of the device service.
- a committed access rate (CAR) is set on the device interface to limit the traffic of the data stream to an appropriate range while ensuring the normal passage of other data streams.
- the minimum length of the packet that can be processed by the device can be set according to the requirements of the service handled by the specific device.
- for example, the minimum length of an Address Resolution Protocol (ARP) packet is 42 bytes, that is, the frame carrying an ARP request or reply is 42 bytes (28 bytes of ARP data plus a 14-byte Ethernet header). A device that processes ARP packets may therefore set its minimum processable packet length to 42 bytes, or to a smaller value chosen empirically. (On the wire, Ethernet pads such a frame to its 60-byte minimum, 64 bytes with the FCS; the 42-byte figure is the unpadded ARP frame as the device processes it.)
- after receiving a packet, the network device obtains the actual length of the packet.
- the packet length is judged and the data-flow traffic is calculated according to the result.
- specifically: if the actual length of the packet is greater than or equal to the minimum length of packet the device can process, the traffic is calculated from the actual length; if the actual length is less than the minimum length, the traffic is calculated using the minimum length.
- when the device receives a small packet shorter than the minimum length, it does not use the actual length of the received packet when calculating the traffic but the preset minimum processable length, which is larger. This is equivalent to dynamically increasing the traffic counted against the flow and compensates for the length of small packets.
- when the traffic of the data flow reaches the limit value, the device initiates preventive measures, limiting the traffic of that specific data flow to the limit value while ensuring the normal passage of other data flows. Using this method, the device enters the attack defense state earlier, avoids the device abnormality caused by an excessive number of packets per unit time, and thus effectively prevents small packet attacks.
- the method described in the foregoing embodiments may be applied to a firewall, a router, an Ethernet switch, a broadband access device, or to other devices.
- the apparatus includes: a receiving unit, a comparing unit, and a processing unit.
- the receiving unit receives service packets sent by other devices and obtains the actual length of each packet.
- the comparing unit compares the actual length of the service packet with the minimum length of packet the device can process and calculates the data-flow traffic according to the result: if the actual length is greater than or equal to the minimum length, the traffic is calculated from the actual length; if the actual length is less than the minimum length, the traffic is calculated using the minimum length.
- the processing unit determines whether to initiate attack prevention measures according to the data-flow traffic calculated by the comparing unit.
- when the traffic reaches the data-flow limit value, the device starts the defense, limiting the traffic of that specific data flow to the limit value while ensuring the normal flow of other data flows.
- when the device receives a small packet shorter than the minimum length of packet the device can process, it does not use the actual length of the packet when calculating the traffic but the larger, user-set minimum processable length. This is equivalent to dynamically increasing the traffic counted against the flow and compensates for the length of small packets.
- when the traffic reaches the limit value, the device initiates preventive measures, limiting the traffic of that specific data flow to the data-flow limit value while ensuring the normal passage of other data flows. The apparatus therefore enters the attack defense state earlier and prevents the device abnormality caused by an excessive number of packets per unit time.
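The method steps above (determine the minimum processable length and the CAR limit, charge each packet at max(actual length, minimum length), start defense for the flow that reaches the limit) and the three-unit apparatus are modelled in the following added example. It is not the patent's code and not Huawei's; it uses a constructed byte limit of 4200 per interval, constructed 10-byte runt packets, and a hypothetical flow identifier to keep per-flow counters. The traditional counter (actual length only) is included for comparison.

```python
"""Length-compensated per-flow traffic limiting (added example, not from the patent).

A packet shorter than the device's minimum processable length is charged at that
minimum, so a flood of tiny packets reaches the data-flow limit as fast as a
flood of minimum-size packets would, while normal-size packets are charged at
their real length.
"""
from collections import defaultdict

ETH_HEADER_LEN = 14        # Ethernet II header, FCS excluded
ARP_PAYLOAD_LEN = 28       # ARP request/reply for IPv4 over Ethernet
ARP_MIN_FRAME_LEN = ETH_HEADER_LEN + ARP_PAYLOAD_LEN   # 42 bytes, the patent's example


class FlowLimiter:
    """Byte counter for one data flow over one measurement interval.

    limit_bytes: the data-flow limit value (the CAR setting, constructed here).
    min_len:     the minimum packet length the device can process.
    compensate:  False gives the traditional counter that uses the actual length only.
    """

    def __init__(self, limit_bytes, min_len, compensate=True):
        self.limit_bytes = limit_bytes
        self.min_len = min_len
        self.compensate = compensate
        self.counted = 0
        self.defending = False

    def effective_len(self, actual_len):
        # Comparing unit: a short packet is charged at the minimum length.
        if self.compensate and actual_len < self.min_len:
            return self.min_len
        return actual_len

    def receive(self, actual_len):
        """Account one packet; return True if it passes, False if it is limited."""
        if self.defending:
            return False              # defense state: this flow is held at the limit
        self.counted += self.effective_len(actual_len)
        if self.counted >= self.limit_bytes:
            self.defending = True     # processing unit: limit reached, start defense
        return True

    def reset_interval(self):
        """Called once per CAR interval; other flows are never affected."""
        self.counted = 0
        self.defending = False


class Device:
    """Receiving unit: one FlowLimiter per flow identifier (e.g. source MAC, hypothetical)."""

    def __init__(self, limit_bytes, min_len, compensate=True):
        self.flows = defaultdict(lambda: FlowLimiter(limit_bytes, min_len, compensate))

    def handle(self, flow_id, actual_len):
        return "pass" if self.flows[flow_id].receive(actual_len) else "limited"


def packets_before_defense(limit_bytes, min_len, pkt_len, compensate=True):
    """How many packets of pkt_len bytes one flow delivers before its defense starts."""
    lim = FlowLimiter(limit_bytes, min_len, compensate)
    n = 0
    while not lim.defending:
        lim.receive(pkt_len)
        n += 1
    return n


def run_trace(device, trace):
    """Feed a constructed (flow_id, length) trace; return per-flow pass/limited counts."""
    stats = defaultdict(lambda: {"pass": 0, "limited": 0})
    for flow_id, length in trace:
        stats[flow_id][device.handle(flow_id, length)] += 1
    return dict(stats)


if __name__ == "__main__":
    LIMIT = 4200   # constructed bytes-per-interval limit
    # 10-byte runts: the traditional counter admits 420 of them, the compensated
    # counter only 100, exactly as many as 42-byte ARP frames.
    print(packets_before_defense(LIMIT, ARP_MIN_FRAME_LEN, 10, compensate=False))
    print(packets_before_defense(LIMIT, ARP_MIN_FRAME_LEN, 10))
    print(packets_before_defense(LIMIT, ARP_MIN_FRAME_LEN, 42))
    # Legitimate 64-byte packets are charged at their real length either way.
    print(packets_before_defense(LIMIT, ARP_MIN_FRAME_LEN, 64))
    # Constructed trace: attacker flow "a" sends 150 runts, host "b" sends 5 normal frames;
    # "a" is limited after 100 packets while every packet of "b" still passes.
    trace = [("a", 10)] * 150 + [("b", 64)] * 5
    print(run_trace(Device(LIMIT, ARP_MIN_FRAME_LEN), trace))
```

The limit, the per-flow key and the drop-once-defending behaviour are design choices of this example; a real CAR implementation would refill per interval (modelled here by `reset_interval`) and would choose the flow key (interface, source address, protocol) according to the service being protected. The important property to check in any implementation is the one `packets_before_defense` exposes: the number of packets admitted per interval must not grow as the attacker shrinks the packet.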
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
This invention concerns a method and a device for preventing a small packet attack. The method comprises: determining the minimum length of a packet that the device can process and the threshold value of the data-flow traffic; comparing the actual length of the received packet with the minimum length and, if the actual length of the received packet is less than the minimum length, using the minimum length to calculate the data-flow traffic. When the data-flow traffic reaches the threshold value, the device triggers the prevention mechanism.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200710073976.1 | 2007-04-05 | ||
CN200710073976A CN101034975B (zh) | 2007-04-05 | 2007-04-05 | Method and device for preventing small packet attacks |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2008122186A1 true WO2008122186A1 (fr) | 2008-10-16 |
Family
ID=38731297
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2007/071368 WO2008122186A1 (fr) | 2007-04-05 | 2007-12-28 | Method and device for preventing a small packet attack |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN101034975B (fr) |
WO (1) | WO2008122186A1 (fr) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101034975B (zh) * | 2007-04-05 | 2010-05-26 | Huawei Technologies Co., Ltd. | Method and device for preventing small packet attacks |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1677933A (zh) * | 2004-04-01 | 2005-10-05 | Huawei Technologies Co., Ltd. | A method for controlling protocol packet attacks |
CN1725732A (zh) * | 2005-06-08 | 2006-01-25 | Hangzhou Huawei-3Com Technology Co., Ltd. | A packet rate-limiting method |
US20060137009A1 (en) * | 2004-12-22 | 2006-06-22 | V-Secure Technologies, Inc. | Stateful attack protection |
US20070047457A1 (en) * | 2005-08-29 | 2007-03-01 | Harijono Indra G | Method and system for reassembling packets prior to searching |
CN101034975A (zh) * | 2007-04-05 | 2007-09-12 | Huawei Technologies Co., Ltd. | Method and device for preventing small packet attacks |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1145318C (zh) * | 2001-06-26 | 2004-04-07 | Huawei Technologies Co., Ltd. | A method for implementing security protection for an Internet service provider |
CN100420197C (zh) * | 2004-05-13 | 2008-09-17 | Huawei Technologies Co., Ltd. | A method for implementing attack defense on a network device |
CN100512207C (zh) * | 2004-12-10 | 2009-07-08 | Huawei Technologies Co., Ltd. | A traffic control method |
CN1941775A (zh) * | 2006-07-19 | 2007-04-04 | Huawei Technologies Co., Ltd. | A method and device for preventing network message attacks |
-
2007
- 2007-04-05 CN CN200710073976A patent/CN101034975B/zh not_active Expired - Fee Related
- 2007-12-28 WO PCT/CN2007/071368 patent/WO2008122186A1/fr active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN101034975B (zh) | 2010-05-26 |
CN101034975A (zh) | 2007-09-12 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10075468B2 (en) | Denial-of-service (DoS) mitigation approach based on connection characteristics | |
US9043912B2 (en) | Method for thwarting application layer hypertext transport protocol flood attacks focused on consecutively similar application-specific data packets | |
US10771501B2 (en) | DDoS attack defense method, system, and related device | |
US9288218B2 (en) | Securing an accessible computer system | |
US6973040B1 (en) | Method of maintaining lists of network characteristics | |
US9088607B2 (en) | Method, device, and system for network attack protection | |
US7882556B2 (en) | Method and apparatus for protecting legitimate traffic from DoS and DDoS attacks | |
US7818795B1 (en) | Per-port protection against denial-of-service and distributed denial-of-service attacks | |
CN109005175B (zh) | Network protection method, apparatus, server and storage medium | |
US20130212679A1 (en) | Proactive test-based differentiation method and system to mitigate low-rate DoS attacks | |
KR20120060655A (ko) | Routing device and routing method capable of detecting server attacks, and network using the same | |
KR20190053540A (ko) | SDN-based defense system and method against Slow HTTP DDoS attacks | |
US20090240804A1 (en) | Method and apparatus for preventing igmp packet attack | |
US20110179479A1 (en) | System and method for guarding against dispersed blocking attacks | |
US9641485B1 (en) | System and method for out-of-band network firewall | |
WO2016139910A1 (fr) | Communication system, communication method, and non-transitory computer-readable medium containing a program | |
US8159948B2 (en) | Methods and apparatus for many-to-one connection-rate monitoring | |
Shen et al. | Mitigating SYN Flooding and UDP Flooding in P4-based SDN | |
JP4602158B2 (ja) | Server device protection system | |
US20110265181A1 (en) | Method, system and gateway for protection against network attacks | |
WO2019096104A1 (fr) | Attack prevention | |
JP3941763B2 (ja) | Congestion control system for client-server type services | |
CN110995586A (zh) | BGP packet processing method, apparatus, electronic device and storage medium | |
Kumarasamy et al. | An active defense mechanism for TCP SYN flooding attacks | |
JP4694578B2 (ja) | Method and system for protecting a computer network from packet floods | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 07846194 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 07846194 Country of ref document: EP Kind code of ref document: A1 |