WO2008141548A1 - A method and device of preventing attack for network equipment - Google Patents


Info

Publication number
WO2008141548A1
Authority
WO
WIPO (PCT)
Prior art keywords
network device
threshold
traffic
resource
information
Application number
PCT/CN2008/070548
Other languages
French (fr)
Chinese (zh)
Inventor
Zhiwang Zhao
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2008141548A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/141 Denial of service attacks against endpoints in a network

Abstract

The invention provides a method and device for preventing attacks on network equipment, and solves the problem that current communication networks cannot defend against attacks intelligently. The method comprises obtaining the traffic-overload packet-loss information, the resource information, the resource security threshold and the traffic-restriction threshold of a network device, and adjusting the traffic-restriction threshold of a service packet flow accordingly, based on the traffic-overload packet-loss information and on the result of comparing the resource information with the resource security threshold. When system resource occupancy is low, the method and device use intelligent adjustment measures to raise the traffic-restriction threshold dynamically, increasing the capacity of the network equipment so that it reaches its best service-processing capacity. When system resources are overloaded, they use intelligent defense measures to lower the traffic-restriction threshold dynamically, thereby protecting the equipment.

Description

Method and device for network device attack prevention

Technical Field

The present invention relates to the field of communications, and in particular to a method and apparatus for implementing intelligent attack defense on a network device.

Background

Denial of Service (DoS), in the broad sense, refers to any attack that prevents a server from providing its normal service. The most common DoS attack uses a large number of service requests to consume excessive service resources, so that the service is overloaded and cannot respond to other requests. These resources include network bandwidth, file system capacity, and open processes or connections. Because every resource is finite, no matter how fast the processor, how large the memory or how wide the Internet link, the consequences of such an attack cannot be avoided. Another common DoS attack uses spoofing or similar deception to make the host providing the service respond incorrectly, so that it stops serving or even crashes.

Distributed Denial of Service (DDoS) is a strengthened form of DoS attack. A DoS attack uses a single Internet-connected machine to attack a target, consuming the resources of the target host or network and thereby disrupting or completely blocking service to legitimate users, whereas a DDoS attack uses a large number of distributed hosts to attack one or more targets.

Against DoS and DDoS attacks, network devices usually rely on a traffic-limiting function (a limit on the number of packet bytes sent up to the device per unit time) for DoS defense.

The traffic-limiting function protects the device by bounding the volume of data sent up to it per unit time, but protecting a network device purely with a traditional, manually configured traffic limit has the following drawbacks. Once the limit is set, the device cannot adjust it intelligently and dynamically, which often wastes device resources. For example, a device may be able to process at most 1 MBps of a certain protocol's packets, but for safety only a 512 KBps limit is configured for that protocol; as a result, the device starts dropping packets as soon as that protocol's traffic reaches 512 KBps, and its processing performance and capacity fall short of the specification. Conversely, if the traffic limit is set unreasonably, the device may still be overloaded under a high-volume attack, causing its services to malfunction or even fail completely.

Summary of the Invention

the problem that attacks in the network cannot be intelligently defended against.
One embodiment of the present invention that solves the above technical problem is:

A method for network device attack defense, comprising: acquiring traffic-overload packet-loss information of the network device, resource information of the network device, a resource security threshold of the network device and a traffic-limit threshold of the network device; and, according to the traffic-overload packet-loss information and the result of comparing the resource information with the resource security threshold, dynamically adjusting the traffic-limit threshold of a service packet flow.

Another embodiment of the present invention that solves the above technical problem is: an apparatus for attack defense, comprising: an information acquisition module, configured to acquire traffic-overload packet-loss information of the network device, resource information of the network device, a resource security threshold of the network device and a traffic-limit threshold of the network device; and an information processing module, configured to analyse the information acquired by the information acquisition module and to dynamically adjust the traffic-limit threshold of the network device according to the analysis result.

Compared with the prior art, the technical solution provided by the embodiments of the present invention uses intelligent adjustment measures to dynamically raise the device's upstream traffic-limit threshold when system resource occupancy is low, intelligently improving the device's performance so that its service processing is optimal. Using intelligent defense measures, the upstream traffic-limit threshold can be dynamically lowered when system resources are overloaded, protecting the device. The method and apparatus thus intelligently improve both the processing performance of the device and its attack-defense performance.

Brief Description of the Drawings
FIG. 1 is a flowchart of a method for implementing network device attack defense according to an embodiment of the present invention; FIG. 2 is a structural block diagram of an apparatus for implementing network device attack defense according to another embodiment of the present invention.

Detailed Description

Referring to FIG. 1, a flowchart of a method for implementing network device attack defense according to an embodiment of the present invention, the method includes:

Acquiring the maximum upstream traffic value of the network device, the resource information of the network device and the resource security threshold of the network device.

To guard against overload, the network device sets a maximum upstream traffic value for a certain class of service. Once the actual traffic of that service class reaches the configured maximum, the device, to protect itself, temporarily stops accepting packets of that class, starts discarding them, and counts the discarded packets; that is, it keeps a count of the packets it drops.

The resource information of the network device can usually be obtained from the device's resource management module. A network device normally includes a resource management module that collects information such as the device's resource usage.

The resource security threshold of the network device comprises at least two kinds of data: (1) an upper-limit threshold on the number of packets the device drops because of its own traffic limit; (2) resource-occupancy data, mainly thresholds on memory and CPU occupancy. The resource security threshold can be set by system default or by the user.

Analysing the traffic-overload packet-loss information and the resource information of the network device together, and taking different actions according to the result.

The network device periodically collects at least the following two kinds of information: its traffic-overload packet-loss information and its resource information. Because the device sets a maximum upstream traffic value for a certain class of service, once the actual traffic of that class reaches the configured maximum the device, to protect itself, temporarily stops accepting packets of that class, starts discarding them and counts the discarded packets, i.e. it counts its dropped packets. This discarded-packet count is the traffic-overload packet-loss information. When the count is non-zero, the traffic of that service class has reached the configured maximum upstream value, i.e. the traffic-limit threshold the device has set for that class.

The network device adjusts its traffic-limit threshold according to these two kinds of information. The adjustment method is as follows:

a) If no packets have been dropped because of the device's own traffic limit, i.e. the drop count is 0, and resource occupancy in the device has not reached the resource security threshold, the device keeps the existing traffic-limit threshold unchanged;

b) If packets have been dropped because of the device's own traffic limit, i.e. the drop count is not 0, and resource occupancy in the device has not reached the resource security threshold, the device raises the traffic-limit threshold;

c) If no packets have been dropped because of the device's own traffic limit, but resource occupancy in the device exceeds the resource security threshold, the device lowers the traffic-limit threshold;

d) If packets have been dropped because of the device's own traffic limit, and resource occupancy in the device exceeds the resource security threshold, the device lowers the traffic-limit threshold.

In the adjustments of a) to d), the step value and the maximum adjustment value may be set by system default or by the user. Those skilled in the art will understand from the above embodiment that one or a combination of the adjustment methods a) to d) may also be selected as needed to form a similar technical solution. on access devices, and the solution can also be used on other devices.
As shown in FIG. 2, another embodiment of the present invention provides an apparatus for attack defense, comprising an information acquisition module and an information processing module, wherein:

the information acquisition module is configured to acquire the traffic-limit threshold of the network device, the resource information of the network device and the resource security threshold of the network device, as well as the dynamic traffic-overload packet-loss information and resource-occupancy information of the device, and to send the acquired information to the information processing module;

the information processing module is configured to analyse the information collected by the information collection module and to dynamically adjust the traffic-limit threshold of the network device according to the analysis result.

The information processing module adjusts the traffic-limit threshold of the network device according to the information supplied by the information acquisition module. The adjustment method is as follows:

a') If no packets have been dropped because of the device's own traffic limit, i.e. the drop count is 0, and resource occupancy in the device has not reached the resource security threshold, keep the device's existing traffic-limit threshold unchanged;

b') If packets have been dropped because of the device's own traffic limit, i.e. the drop count is not 0, and resource occupancy in the device has not reached the resource security threshold, raise the traffic-limit threshold;

c') If no packets have been dropped because of the device's own traffic limit, but resource occupancy in the device exceeds the security threshold, lower the traffic-limit threshold;

d') If packets have been dropped because of the device's own traffic limit, and resource occupancy in the device exceeds the resource security threshold, lower the traffic-limit threshold.

In the adjustments made by the information processing module above, the step value and the maximum adjustment value may be set by system default or by the user. Those skilled in the art will understand from the above embodiment that one or a combination of the adjustment methods a) to d) may also be selected as needed to form a similar technical solution.

The apparatus described in the above embodiment is suitable for implementation on firewalls, routers, switches and broadband access devices, and the solution can also be used on other devices.
In the above specific embodiments of the present invention, a weight or priority may also be added when raising or lowering the traffic-limit threshold. CAR (Committed Access Rate) is a form of access control: in accordance with the agreement made with the user, packets exceeding the committed rate are treated differently, being discarded or marked (also called colouring). In this way, when raising the CAR value, the CAR of service packet flows with higher weight or higher priority may be raised first and the CAR value of flows with lower weight or lower priority adjusted last; conversely, when lowering the CAR value, the CAR value of flows with lower weight or lower priority is lowered first and the CAR value of flows with higher weight or higher priority is lowered last. The weights or priorities can be set as required.

Of course, the traffic-limit threshold of one or more specific service packet flows may also be adjusted directly as the situation requires, so as to preferentially guarantee the passage of service packets with higher priority or higher weight.

The system resources include the CPU, memory, and other components that may affect service packet traffic.
本发明的上述实施方式, 采用智能调整措施, 可以在系统资源占用不多 的情况下, 动态调大设备上送流量限制阈值, 智能提升设备的性能, 使设备 处理业务的性能达到最佳。 采用智能防范措施, 可以在系统资源占用过载的 情况下, 动态调小设备上送流量限制的阈值, 达到保护设备的目的。 通过该 方法和装置的使用, 一方面可智能提升设备的处理性能, 另一方面也可智能 提升设备的攻击防范性能。  The above-mentioned embodiments of the present invention adopt intelligent adjustment measures to dynamically increase the traffic threshold of the device when the system resources are not occupied, and intelligently improve the performance of the device to optimize the performance of the device processing service. The intelligent precautions can be used to dynamically limit the threshold for sending traffic to the device when the system resources are overloaded. Through the use of the method and the device, on the one hand, the processing performance of the device can be intelligently improved, and on the other hand, the attack defense performance of the device can be intelligently improved.
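The adjustment rules of the description above, as an added Python example that is not part of the patent: the Flow/Device fields, the step and maximum-adjustment defaults, the one-flow-per-cycle policy and the sample readings are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    name: str
    priority: int          # higher value = more important service packet flow
    car: int               # current traffic-limit (CAR) threshold; constructed unit: packets/s
    base_car: int          # configured threshold; adjustments are bounded around it
    dropped_by_limit: int  # packets dropped last interval because this flow's CAR was hit


@dataclass
class Device:
    cpu: float             # current CPU occupancy, 0.0 .. 1.0
    mem: float             # current memory occupancy, 0.0 .. 1.0
    cpu_safe: float        # resource safety thresholds (assumed values, not from the patent)
    mem_safe: float
    flows: list


def adjust_once(dev: Device, step: int = 100, max_adjust: int = 500) -> str:
    """One control cycle: mutates at most one flow's CAR; returns 'raise', 'lower' or 'keep'.

    Patent rules: resources above the safety threshold -> lower a threshold, lowest
    priority first; resources below it and drops caused by the device's own limit ->
    raise a threshold, highest priority first; otherwise keep. Changing one flow per
    cycle, so resources are re-measured in between, is this example's assumption.
    """
    if dev.cpu > dev.cpu_safe or dev.mem > dev.mem_safe:
        # Overloaded: pick the lowest-priority flow that still has room to go down.
        cands = [f for f in dev.flows if f.base_car - f.car < max_adjust]
        if not cands:
            return "keep"
        victim = min(cands, key=lambda f: f.priority)
        victim.car = max(victim.base_car - max_adjust, victim.car - step)
        return "lower"
    # Not overloaded: only flows that lost packets to their own limit may grow.
    cands = [f for f in dev.flows
             if f.dropped_by_limit > 0 and f.car - f.base_car < max_adjust]
    if not cands:
        return "keep"
    winner = max(cands, key=lambda f: f.priority)
    winner.car = min(winner.base_car + max_adjust, winner.car + step)
    return "raise"


def sample_device() -> Device:
    """Constructed sample readings: a lightly loaded device with two rate-limited flows."""
    return Device(cpu=0.40, mem=0.50, cpu_safe=0.80, mem_safe=0.80, flows=[
        Flow("management", 3, 1000, 1000, 20),
        Flow("voice", 2, 800, 800, 0),
        Flow("bulk", 1, 500, 500, 50),
    ])
```

Each call to `adjust_once` is one control interval; the management flow is raised first because it has the highest priority among the flows that lost packets to their own limit, and under overload the bulk flow is lowered first.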
以上所述, 仅为本发明较佳的具体实施方式, 但本发明的保护范围并不 局限于此, 任何熟悉本技术领域的技术人员在本发明揭露的技术范围和不脱 离本发明的技术思想范围内, 可轻易想到的变化或替换, 都应涵盖在本发明 的保护范围之内。 因此, 本发明的保护范围应该以权利要求的保护范围为准。  The above is only a preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any technical person skilled in the art can disclose the technical scope of the present invention and the technical idea of the present invention. Variations or substitutions that are conceivable within the scope of the invention are intended to be included within the scope of the invention. Therefore, the scope of protection of the present invention should be determined by the scope of the claims.

Claims

1. A method for defending a network device against attack, characterized by comprising:
obtaining traffic-overload packet-loss information of the network device, resource information of the network device, a resource safety threshold of the network device and a traffic-limit threshold of the network device;
dynamically adjusting the traffic-limit threshold of service packet flows according to the traffic-overload packet-loss information and the result of comparing the resource information with the resource safety threshold.
2. The method according to claim 1, characterized in that dynamically adjusting the traffic-limit threshold of service packet flows according to the traffic-overload packet-loss information and the result of comparing the resource information with the resource safety threshold comprises:
when the resource occupancy data of the network device has not reached the resource safety threshold: if no packet-loss event caused by the network device's own traffic limit has occurred on the network device, keeping the existing traffic-limit threshold unchanged; or, if a packet-loss event caused by the network device's own traffic limit has occurred on the network device, raising the traffic-limit threshold.
3. The method according to claim 1, characterized in that dynamically adjusting the traffic-limit threshold of service packet flows according to the traffic-overload packet-loss information and the result of comparing the resource information with the resource safety threshold comprises:
when the resource occupancy data of the network device exceeds the resource safety threshold, lowering the traffic-limit threshold.
4. The method according to claim 1, characterized in that the resource safety threshold comprises: an upper threshold for packet-loss data of the network device caused by the traffic limit of the network device; or
an upper threshold for resource occupancy data of the network device.
5. The method according to claim 2, 3 or 4, characterized in that the upper threshold for resource occupancy data of the network device comprises a memory occupancy threshold or a CPU resource occupancy threshold.
6. The method according to claim 1, characterized in that dynamically adjusting the traffic-limit threshold of service packet flows is:
setting a weight or priority for one or more specific service packet flows;
when the traffic-limit threshold is raised, first raising the traffic-limit threshold of service packet flows with higher weight or higher priority; when the traffic-limit threshold is lowered, first lowering the traffic-limit threshold of service packet flows with lower weight or lower priority.
7. The method according to claim 1, characterized in that the adjustment is performed for all service packet flows.
8. An apparatus for defending against attack, characterized by comprising:
an information acquisition module, configured to obtain traffic-overload packet-loss information of the network device, resource information of the network device, a resource safety threshold of the network device and a traffic-limit threshold of the network device;
an information processing module, configured to analyze the information obtained by the information acquisition module and to dynamically adjust the traffic-limit threshold of the network device according to the result of the analysis.
9. The apparatus according to claim 8, characterized in that the information processing module dynamically adjusting the traffic-limit threshold of the network device according to the result of the analysis comprises:
when the resource occupancy data of the network device has not reached the resource safety threshold: if no packet-loss event caused by the network device's own traffic limit has occurred on the network device, keeping the existing traffic-limit threshold unchanged; or, if a packet-loss event caused by the network device's own traffic limit has occurred on the network device, raising the traffic-limit threshold.
10. The apparatus according to claim 8, characterized in that the information processing module dynamically adjusting the traffic-limit threshold of the network device according to the result of the analysis comprises:
when the resource occupancy data of the network device exceeds the resource safety threshold, lowering the traffic-limit threshold.
11. The apparatus according to claim 8, characterized in that the resource safety threshold comprises: an upper threshold for packet-loss data of the network device caused by the traffic limit of the network device; or
an upper threshold for resource occupancy data of the network device.
12. The apparatus according to claim 9, 10 or 11, characterized in that the upper threshold for resource occupancy data of the network device comprises a memory occupancy threshold or a CPU resource occupancy threshold.
13. The apparatus according to claim 8, characterized in that the apparatus is suitable for a firewall, a router, a switch or a broadband access device.
PCT/CN2008/070548 2007-05-17 2008-03-20 A method and device of preventing attack for network equipment WO2008141548A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710074539.1 2007-05-17
CN2007100745391A CN101060531B (en) 2007-05-17 2007-05-17 A method and device for avoiding the attack of network equipment

Publications (1)

Publication Number Publication Date
WO2008141548A1 true WO2008141548A1 (en) 2008-11-27

Family

ID=38866414

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/070548 WO2008141548A1 (en) 2007-05-17 2008-03-20 A method and device of preventing attack for network equipment

Country Status (2)

Country Link
CN (1) CN101060531B (en)
WO (1) WO2008141548A1 (en)


Also Published As

Publication number Publication date
CN101060531A (en) 2007-10-24
CN101060531B (en) 2010-10-13


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08715284; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 08715284; Country of ref document: EP; Kind code of ref document: A1)