WO2009018737A1 - Method and network device for preventing DOS attacks - Google Patents


Info

Publication number
WO2009018737A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2008/071461
Other languages
French (fr)
Chinese (zh)
Inventor
Zhiwang Zhao
Original Assignee
Huawei Technologies Co., Ltd.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441: Countermeasures against malicious traffic
    • H04L 63/1458: Denial of Service

Definitions

  • Packets can be sampled and stored locally by the network device for attack source tracing; classifying and analysing the traced data generates a dynamic, intelligent, small-scope CAR function according to the range of the data source, so that the attack is suppressed intelligently and the DOS attack is effectively prevented.
  • The network device can reclaim the intelligently delivered CAR resources for use in the next attack.
  • The embodiments of the present invention describe only the case of a second-level CAR. If necessary, three or more levels of CAR can be set to implement refined control, and the technical effects of the embodiments can likewise be achieved.

Abstract

A method for preventing DOS attacks is disclosed. The method comprises: counting dropped packets according to the first-level CAR resource; when the number of dropped packets is determined to exceed a first threshold, extracting the inbound interface information of the packets; and performing flow control on the packets passing through that inbound interface according to the inbound interface information. A network device is disclosed as well. The source of the attack can be determined, and most services can be kept running normally, as far as possible, while the network device is under attack. Management cost is reduced and network resources are saved.

Description

Method and network device for preventing DOS attacks

Technical field

The present invention relates to the field of network technologies, and in particular to a method and network device for preventing DOS attacks.

Background

With the development of the Internet, networking environments have become increasingly complex and network attacks increasingly frequent. Among them, DOS (Denial of Service) attacks, including DDOS (Distributed Denial of Service) attacks, are the most common and do the greatest harm to network devices. In a DOS attack, the attacker uses a large number of packets or malformed packets within a short time to continuously initiate connections or request responses from a network device, so that the device is overloaded, cannot process legitimate tasks, and suffers service anomalies or even complete failure.
The prior art provides the following two solutions for preventing DOS attacks:

Prior art 1

DOS attacks are defended against by traffic limiting, i.e. by limiting the volume of data sent up to the device per unit of time in order to protect the device.

The inventor's analysis found that, although prior art 1 can effectively mitigate the impact of DOS attacks on network devices, it still has the following shortcomings because it relies solely on a traditionally hand-configured traffic limit to protect the device:

1. Once the traffic limit is fixed, the network device is likely to keep discarding normal service packets after it has discarded the abnormal traffic, so normal services are affected. Typically, an attack using one type of protocol causes device-level service anomalies, which lets the illegitimate user achieve the aim of the DOS attack; suppressing the attack range purely by a manually configured traffic limit cannot effectively narrow the attack's impact on the device's services.

2. When an attack occurs, the device is protected only by dropping packets; the attack source cannot be traced.

Prior art 2

NETSTREAM (network traffic sampling) equipment is deployed to sample device traffic, and the sampled data is analysed to trace the DOS source and thereby prevent DOS attacks.

In the course of implementing the embodiments of the present invention, the inventor's analysis found that prior art 2 has the following shortcomings:

1. Equipment such as a NETSTREAM server must be deployed, which is costly.

2. Once NETSTREAM sampling is enabled, device performance is significantly affected. In addition, a physical port of the device must be used to connect to the server, wasting network resources.

3. Because the server and the network device are separate devices, operation, maintenance and management are much harder than for a single device.
Summary of the invention

The embodiments of the present invention provide a method and device for preventing DOS attacks, which trace the attack source and ensure, as far as possible, that most services of a network device keep running normally while it is under attack.

An embodiment of the present invention provides a method for preventing DOS attacks, comprising:

counting dropped packets according to the primary CAR resource;

when the number of dropped packets is determined to exceed a first threshold, extracting the inbound interface information of the packets;

performing flow control on the packets passing through that inbound interface according to the inbound interface information.

An embodiment of the present invention further provides a network device, comprising:

a counting module, configured to count dropped packets according to the primary CAR resource;

an extracting module, configured to extract the inbound interface information of the packets when the number of dropped packets is determined to exceed a first threshold;

a control module, configured to perform flow control on the packets passing through the inbound interface according to the inbound interface information.

In the embodiments of the present invention, dropped packets are counted according to the primary CAR resource; once the number of dropped packets exceeds the first threshold, the packets can be identified as DOS attack packets; the attack source is then traced by extracting the packets' inbound interface information, which provides a basis for preventing the DOS attack. Flow control then needs to be applied only to the packets passing through that inbound interface, not to all packets processed by the network device. This locks the flow-control target and narrows the flow-control scope, ensuring as far as possible that most services keep running while the device is under attack. Moreover, with the method of the embodiments the network device itself implements DOS protection; no dedicated server needs to be deployed and interacted with, which lowers operating costs, simplifies maintenance and management, and further saves network resources.

Brief description of the drawings
FIG. 1 is a flowchart of the process for preventing DOS attacks in an embodiment of the present invention;

FIG. 2 is a flowchart of a specific example of preventing DOS attacks in an embodiment of the present invention;

FIG. 3A, FIG. 3B, FIG. 3C, FIG. 3D and FIG. 3E are schematic structural diagrams of a network device according to embodiments of the present invention.

Detailed description

The method of the embodiments of the present invention is described in detail below with reference to the drawings.
As shown in FIG. 1, in an embodiment of the present invention the process for preventing DOS attacks is as follows:

Step 11: Count dropped packets according to the primary CAR (Committed Access Rate) resource.

Step 12: When the number of dropped packets is determined to exceed a first threshold, extract the inbound interface information of the packets.

Step 13: Perform flow control on the packets passing through that inbound interface according to the extracted inbound interface information.

In step 11, the first threshold may be set according to the delivered primary CAR resource. In step 12, extracting the inbound interface information may include: sampling the packets to generate sample data; analysing the sample data; and extracting the packets' inbound interface information from the analysis of the sample data.

In one embodiment, after the packets are sampled and the sample data is generated, the sample data may be stored locally. It may be stored in a specified format, for example the Ethereal format (Ethereal is a common packet capture tool). The sample data may also be stored in one or any combination of the local RAM (Random Access Memory), NVRAM (Non-Volatile Random Access Memory), CF (Compact Flash) card and FLASH memory.

In step 13, performing flow control on the packets passing through the inbound interface according to the extracted inbound interface information may include: starting a secondary CAR according to the extracted inbound interface information, i.e. refining the CAR for this class of packets so that CAR is applied on the basis of both inbound interface information and packet information, and further delivering the secondary CAR resource; then controlling the traffic passing through that inbound interface according to the delivered secondary CAR resource. In one embodiment, a second threshold may be set according to the original primary CAR and the subsequently started secondary CAR; when the traffic passing through the inbound interface is determined not to exceed the second threshold, the delivered secondary CAR resource may be reclaimed so that it can be reused when the device is attacked again.
As shown in FIG. 2, in a specific example the process for preventing DOS attacks is as follows:

Step 21: The device is configured with a conventional CAR scheme, i.e. CAR resources (the primary CAR resources) are allocated by service class, by policy, or by whether services share at least one common feature.

Step 22: The device starts its monitoring system and monitors the primary CAR drop counts in real time. When the monitoring system finds that a certain class of protocol packets is suffering heavy packet loss that exceeds the configured first threshold, this indicates that the service is under DOS attack.

Step 23: When the monitoring system detects the attack, the device is triggered to start its learning mechanism and learns the feature information of this class of packets at the configured sampling ratio within a preset time. The learned information may include: inbound interface information (such as VLAN (Virtual Local Area Network), PORT, etc.), packet content information, and so on.

Step 24: When the learning time reaches the configured value, learning stops and the result is stored in the specified format. The specified format includes the Ethereal format, and the storage area includes the device's RAM/NVRAM/CF card/FLASH. In one embodiment the device may provide an interactive means to query the sample data, and may also provide an interactive means to trigger learning manually.

Step 25: The device analyses the data features of the learned content and starts a secondary CAR according to the inbound interface information of these packets, i.e. refines the CAR for this class of protocol packets so that CAR is applied on the basis of sub-interface and protocol information. This ensures that when a DOS attack occurs it affects only the services on the inbound interface where the attack arrives, and services on the device's other interfaces can return to normal operation.

Step 26: The device continues to monitor the DOS attack. If it finds that the attack no longer exists, i.e. the number of dropped packets does not exceed the second threshold, it reclaims the intelligently delivered secondary CAR resources and the system continues to run under the original primary CAR scheme. When the device is attacked again, the secondary CAR resources can be reused.
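The two-level CAR loop of steps 21 to 26 (and the FIG. 1 steps 11 to 13 it refines), as an added Python example written for this page and not Huawei's code or the patent's own implementation: each CAR resource is modelled as a token bucket, primary drops above the first threshold start learning, the dominant inbound interface in the learned sample gets its own secondary CAR, and that secondary CAR is reclaimed once its drops fall to the second threshold. The packet format, interface names (ge0/1, ge0/2), rates, thresholds and sample size are constructed for the scenario.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Packet = Tuple[str, str]  # constructed format: (inbound interface, protocol class)


@dataclass
class TokenBucket:
    """One CAR resource: `rate` packets admitted per unit of time (burst == rate here)."""
    rate: int
    tokens: int = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = self.rate

    def admit(self) -> bool:
        if self.tokens == 0:
            return False
        self.tokens -= 1
        return True

    def refill(self) -> None:
        self.tokens = self.rate


class TwoLevelCar:
    """Primary CAR keyed by protocol; secondary CAR keyed by (inbound interface, protocol)."""
    def __init__(self, primary_rate: int, secondary_rate: int,
                 first_threshold: int, second_threshold: int, sample_size: int) -> None:
        self.primary: Dict[str, TokenBucket] = defaultdict(lambda: TokenBucket(primary_rate))
        self.secondary: Dict[Tuple[str, str], TokenBucket] = {}
        self.secondary_rate = secondary_rate
        self.first_threshold = first_threshold    # primary drops per tick that signal an attack
        self.second_threshold = second_threshold  # secondary drops per tick at or below which it is reclaimed
        self.sample_size = sample_size            # packets learned before the interface is extracted
        self.drops: Counter = Counter()           # drop count per CAR resource in the current tick
        self.samples: Dict[str, List[Packet]] = {}  # learning buffer per protocol under attack
        self.log: List[str] = []

    def process(self, pkt: Packet) -> bool:
        """Step 11: rate-limit one packet and count the drop on the CAR resource that handled it."""
        iface, proto = pkt
        if (iface, proto) in self.secondary:
            key, bucket = (iface, proto), self.secondary[(iface, proto)]
        else:
            key, bucket = proto, self.primary[proto]
        admitted = bucket.admit()
        if not admitted:
            self.drops[key] += 1
        # Step 23: while a protocol is being learned, record its packets (sampling ratio 1 here).
        if proto in self.samples and len(self.samples[proto]) < self.sample_size:
            self.samples[proto].append(pkt)
        return admitted

    def end_tick(self) -> None:
        """Monitoring pass once per unit of time: steps 22, 25 and 26 of the FIG. 2 example."""
        # Step 26: a secondary CAR whose drops have fallen to the second threshold is reclaimed.
        for key in list(self.secondary):
            if self.drops[key] <= self.second_threshold:
                del self.secondary[key]
                self.log.append(f"reclaimed secondary CAR on {key[0]}/{key[1]}")
        # Step 22: primary drops above the first threshold mean this protocol is under attack.
        for key, n in self.drops.items():
            if isinstance(key, str) and n > self.first_threshold and key not in self.samples:
                self.samples[key] = []
                self.log.append(f"attack suspected on {key}: {n} primary drops")
        # Steps 24-25: learning complete, extract the dominant inbound interface, refine the CAR.
        for proto in list(self.samples):
            if len(self.samples[proto]) < self.sample_size:
                continue
            (iface, _), _ = Counter(self.samples.pop(proto)).most_common(1)[0]
            self.secondary[(iface, proto)] = TokenBucket(self.secondary_rate)
            self.log.append(f"secondary CAR on {iface}/{proto}")
        for bucket in list(self.primary.values()) + list(self.secondary.values()):
            bucket.refill()
        self.drops = Counter()


def simulate() -> Tuple[List[Dict[str, int]], List[str]]:
    """Constructed scenario: an ARP flood on ge0/1 for three ticks beside normal ARP on ge0/2."""
    car = TwoLevelCar(primary_rate=100, secondary_rate=10,
                      first_threshold=200, second_threshold=50, sample_size=20)
    per_tick: List[Dict[str, int]] = []
    for tick in range(5):
        traffic: List[Packet] = []
        if tick < 3:  # flood: 1000 attack packets with a normal packet interleaved every 50
            for i in range(1000):
                traffic.append(("ge0/1", "ARP"))
                if i % 50 == 0:
                    traffic.append(("ge0/2", "ARP"))
        else:         # flood over: only the normal 20 packets per tick remain
            traffic = [("ge0/2", "ARP")] * 20
        admitted = Counter(pkt[0] for pkt in traffic if car.process(pkt))
        car.end_tick()
        per_tick.append(dict(admitted))
    return per_tick, car.log
```

Under the primary CAR alone the legitimate interface ge0/2 gets only 2 of its 20 packets through per tick; once the secondary CAR is pinned to ge0/1 it gets all 20, and the secondary resource is released the first tick the flood stops.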
A person of ordinary skill in the art will understand that all or part of the steps of the above embodiments can be completed by hardware instructed by a program. The software corresponding to the embodiments can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk, an optical disc, etc.

Based on the same inventive concept, an embodiment of the present invention further provides a network device, whose structure is shown in FIG. 3A and which comprises a counting module 31, an extracting module 32 and a control module 33. The counting module 31 counts dropped packets according to the primary CAR resource; the extracting module 32 extracts the packets' inbound interface information when the number of dropped packets is determined to exceed the first threshold; and the control module 33 performs flow control on the packets passing through the inbound interface according to the extracted inbound interface information.

As shown in FIG. 3B, in one embodiment the extracting module 32 of FIG. 3A may further comprise a sampling unit 321, an analysing unit 322 and an extracting unit 323. The sampling unit 321 samples the packets and generates sample data; the analysing unit 322 analyses the sample data; and the extracting unit 323 extracts the packets' inbound interface information from the analysis of the sample data.

As shown in FIG. 3C, in one embodiment the extracting module 32 of FIG. 3B may further comprise a storage unit 324 for storing the sample data locally.

The storage unit 324 may further store the sample data locally in the Ethereal format. The storage unit 324 may further store the sample data in one or any combination of the local RAM, NVRAM, CF card and FLASH.

As shown in FIG. 3D, in one embodiment the control module 33 of FIG. 3A may further comprise a delivery unit 331 and a control unit 332. The delivery unit 331 delivers the secondary CAR resource according to the inbound interface information; the control unit 332 performs flow control on the packets passing through the inbound interface according to the secondary CAR resource.

As shown in FIG. 3E, in one embodiment the network device of FIG. 3D may further comprise a reclaiming module 34 which, when the traffic passing through the inbound interface is determined not to exceed the second threshold, reclaims the delivered secondary CAR resource.

A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be completed by hardware instructed by a program, and that the program can be stored in a computer-readable storage medium; the storage medium may include ROM, RAM, a magnetic disk, an optical disc, etc.

In the embodiments of the present invention, dropped packets are counted according to the primary CAR resource; once the number of dropped packets exceeds the first threshold, the packets can be identified as DOS attack packets; the attack source is then traced by extracting the packets' inbound interface information, which provides a basis for preventing the DOS attack. Flow control then needs to be applied only to the packets passing through that inbound interface, not to all packets processed by the network device. This locks the flow-control target and narrows the flow-control scope, ensuring as far as possible that most services keep running while the device is under attack. Moreover, with the method of the embodiments the network device itself implements DOS protection; no dedicated server needs to be deployed and interacted with, which lowers operating costs, simplifies maintenance and management, and further saves network resources.
本发明实施例中, 可以在网络设备遭受攻击的情况下进行数据釆样并进 行本地存储, 供攻击溯源使用; 可以通过对釆样溯源数据的分类分析, 按照 数据来源范围产生动态、 智能的更小范围的 CAR功能, 进行攻击智能抑制, 有效地防范了 DOS攻击; 在攻击去除的时候, 网络设备可以回收智能下发的 CAR资源, 供下次遭受攻击时使用。 In the embodiment of the present invention, data can be sampled and stored locally for attack by the network device for attack source tracing; the classification and analysis of the trace source data can be used to generate dynamic and intelligent according to the data source range. Small-scale CAR function, intelligent suppression of attacks, The DOS attack is effectively prevented. When the attack is removed, the network device can reclaim the CAR resources that are sent by the smart device for use in the next attack.
本发明实施例提供的只是设置有二级 CAR的情况, 根据需要, 也可以设 置三级或更多级的 CAR来实现细化控制, 同样可以达到本发明实施例的技术 效果。  The embodiment of the present invention provides only the case of the second-level CAR. If necessary, three or more levels of CAR can be set to implement the refinement control, and the technical effects of the embodiments of the present invention can also be achieved.
显然, 本领域的技术人员可以对本发明进行各种改动和变型而不脱离本发明 的精神和范围。 这样, 倘若对本发明的这些修改和变型属于本发明权利要求 及其等同技术的范围之内, 则本发明也意图包含这些改动和变型在内。 It is apparent that those skilled in the art can make various modifications and variations to the invention without departing from the spirit and scope of the invention. Thus, it is intended that the present invention cover the modifications and the modifications of the invention

Claims

1. A method for preventing DOS attacks, characterized in that the method comprises:
counting the packets dropped under a first-level committed access rate (CAR) resource;
when it is determined that the number of dropped data packets exceeds a first threshold, extracting inbound interface information of the data packets; and
performing flow control, according to the inbound interface information, on the data packets passing through the inbound interface.
2. The method for preventing DOS attacks according to claim 1, characterized in that extracting the inbound interface information of the data packets comprises: sampling the data packets to generate sample data; analyzing the sample data; and extracting the inbound interface information of the data packets according to the analysis of the sample data.
3. The method for preventing DOS attacks according to claim 2, characterized in that, after the step of sampling the data packets to generate sample data, the method further comprises: storing the sample data locally.
4. The method for preventing DOS attacks according to claim 3, characterized in that the sample data is stored locally in Ethereal format.
5. The method for preventing DOS attacks according to claim 3, characterized in that the sample data is stored in one or any combination of local RAM, NVRAM, a CF card and FLASH.
6. The method for preventing DOS attacks according to any one of claims 1 to 5, characterized in that performing flow control, according to the inbound interface information, on the data packets passing through the inbound interface comprises:
delivering a second-level CAR resource according to the inbound interface information; and
performing flow control on the data packets passing through the inbound interface according to the second-level CAR resource.
7. The method for preventing DOS attacks according to claim 6, characterized in that the method further comprises:
when it is determined that the traffic of the data packets passing through the inbound interface does not exceed a second threshold, reclaiming the second-level CAR resource.
8. A network device, characterized by comprising:
a counting module (31), configured to count the packets dropped under a first-level CAR resource; an extracting module (32), configured to extract inbound interface information of the data packets when it is determined that the number of dropped data packets exceeds a first threshold; and
a control module (33), configured to perform flow control, according to the inbound interface information, on the data packets passing through the inbound interface.
9. The network device according to claim 8, characterized in that the extracting module (32) further comprises:
a sampling unit (321), configured to sample the data packets to generate sample data; an analyzing unit (322), configured to analyze the sample data; and
an extracting unit (323), configured to extract the inbound interface information of the data packets according to the analysis of the sample data.
10. The network device according to claim 9, characterized in that the extracting module further comprises:
a storage unit (324), configured to store the sample data locally.
11. The network device according to claim 10, characterized in that the storage unit (324) is further configured to store the sample data locally in Ethereal format.
12. The network device according to claim 10, characterized in that the storage unit (324) is further configured to store the sample data in one or any combination of local RAM, NVRAM, a CF card and FLASH.
13. The network device according to any one of claims 8 to 12, characterized in that the control module (33) further comprises:
a delivering unit (331), configured to deliver a second-level CAR resource according to the inbound interface information; and a control unit (332), configured to perform flow control on the data packets passing through the inbound interface according to the second-level CAR resource.
14. The network device according to claim 13, characterized in that the device further comprises: a recovery module (34), configured to reclaim the second-level CAR resource when it is determined that the traffic of the data packets passing through the inbound interface does not exceed a second threshold.
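The two-level CAR procedure of the embodiments above and of claims 1, 6 and 7, as a constructed simulation added here (not code from the patent or from Huawei): a device-wide first-level CAR whose drops are counted, sampling of dropped packets once the count passes the first threshold, extraction of the dominant inbound interface, a per-interface second-level CAR, and reclamation once that interface's traffic falls to the second threshold. The class and method names, the per-tick packet budget used to model a CAR, and all rates and thresholds are assumptions.

```python
from collections import Counter

# Constructed simulation of the two-level CAR scheme (assumed names/rates):
# the level-1 CAR drops excess packets and the drops are counted; above
# threshold1 the dropped packets are sampled, the dominant inbound interface
# is extracted and given its own narrower level-2 CAR; a level-2 CAR is
# reclaimed once traffic on that interface is at or below threshold2.

class Car:
    """Committed access rate modelled as a per-tick packet budget."""
    def __init__(self, rate):
        self.rate, self.tokens = rate, rate
    def new_tick(self):
        self.tokens = self.rate
    def admit(self):
        if self.tokens <= 0:
            return False
        self.tokens -= 1
        return True

class DosGuard:
    def __init__(self, l1_rate, threshold1, l2_rate, threshold2, sample_every=4):
        self.l1, self.threshold1 = Car(l1_rate), threshold1
        self.l2_rate, self.threshold2 = l2_rate, threshold2
        self.sample_every = sample_every
        self.drops = 0      # counting module (31): level-1 drop counter
        self.samples = []   # sampling/storage units: sampled dropped packets
        self.l2 = {}        # control module (33): interface -> level-2 CAR

    def process_tick(self, packets):
        """packets: inbound interface name of each packet arriving this tick.
        Returns (forwarded_count, per-interface packet counts)."""
        self.l1.new_tick()
        for car in self.l2.values():
            car.new_tick()
        traffic, forwarded = Counter(), 0
        for seq, iface in enumerate(packets):
            traffic[iface] += 1
            car = self.l2.get(iface)
            if car is not None and not car.admit():
                continue            # level-2 CAR throttles this interface only
            if self.l1.admit():
                forwarded += 1
                continue
            self.drops += 1         # dropped by the level-1 CAR
            if self.drops > self.threshold1 and seq % self.sample_every == 0:
                self.samples.append(iface)   # keep a sample for source tracing
        if self.samples:            # extraction unit: dominant inbound interface
            iface = Counter(self.samples).most_common(1)[0][0]
            self.l2.setdefault(iface, Car(self.l2_rate))   # deliver level-2 CAR
            self.samples.clear()
        for iface in [i for i in self.l2 if traffic[i] <= self.threshold2]:
            del self.l2[iface]      # recovery module (34): reclaim level-2 CAR
        return forwarded, traffic
```

With a flood arriving on one interface, the second tick shows the effect the description claims: the quiet interface's packets are all forwarded while only the flooding interface is throttled, and the level-2 CAR disappears once that interface goes quiet.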
PCT/CN2008/071461 2007-08-09 2008-06-27 Method and network device for preventing dos attacks WO2009018737A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2007101405289A CN101102323B (en) 2007-08-09 2007-08-09 Method and device for preventing DOS attack
CN200710140528.9 2007-08-09

Publications (1)

Publication Number Publication Date
WO2009018737A1 true WO2009018737A1 (en) 2009-02-12

Family

ID=39036414

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/071461 WO2009018737A1 (en) 2007-08-09 2008-06-27 Method and network device for preventing dos attacks

Country Status (2)

Country Link
CN (1) CN101102323B (en)
WO (1) WO2009018737A1 (en)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08757860

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08757860

Country of ref document: EP

Kind code of ref document: A1