WO2011041960A1 - Method and apparatus for preventing denial-of-service attack - Google Patents

Method and apparatus for preventing denial-of-service attack

Info

Publication number
WO2011041960A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
hit rate
misses
packet
threshold
Prior art date
Application number
PCT/CN2010/075781
Other languages
French (fr)
Chinese (zh)
Inventor
张世伟
符涛
何辉
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2011041960A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service

Definitions

  • the present invention relates to networks in which identity and location identifiers are separated, and more particularly to a method and apparatus for preventing denial of service attacks in such a network.
  • an IP address in the Transmission Control Protocol/Internet Protocol (TCP/IP) suite widely used on the Internet has a dual function: at the network layer it is the location identifier of the host's network interface in the network topology,
  • and at the transport layer it is also the identity identifier of the host's network interface.
  • the TCP/IP protocol was not designed with host mobility in mind. As host mobility becomes more prevalent, the defects of this semantic overload of the IP address are becoming increasingly apparent.
  • when the IP address of a host changes, not only does the route change, but the identity of the communicating host changes as well. This makes the routing load heavier and heavier, and the change of host identity interrupts applications and connections.
  • Figure 1 shows an integrated network architecture proposed by Beijing Jiaotong University, which realizes the separation of the identity and location identifiers of the terminal.
  • the network architecture includes a mapping server (Map Server, MS), an Access Service Router (ASR) and User Equipment (UE); each UE has a unique Access Identifier (AID), and each ASR has a Router Identifier (RID).
  • the UE is mobile and can be registered on each ASR.
  • the RID of the ASR accessed by the UE is stored in the MS. That is, the MS maintains a correspondence table between the AID of each UE and the RID of the ASR it actually accesses (the AID-RID mapping table).
  • when UE1 and UE2 start to use the network, each first initiates a registration process with the MS. After UE1 registers with the MS through ASR1, the MS generates an entry AID1-RID1, indicating that UE1 is registered under ASR1, so that subsequent packets sent by other UEs to UE1 will be forwarded by ASR1.
  • likewise, the MS generates an entry AID2-RID2, indicating that UE2 is registered under ASR2, so that subsequent packets sent by other UEs to UE2 will be forwarded by ASR2.
  • the MS thus establishes an AID-RID mapping table as shown in FIG. 2.
  • UE1 sends a data packet to UE2 (shown as 103 in FIG. 1):
  • UE1 generates a data packet with destination address AID2 and sends it to ASR1, which receives the packet.
  • ASR1 queries its local AID-RID mapping table for the RID corresponding to AID2; the structure of the ASR's local AID-RID mapping table is shown in FIG. 3.
  • if ASR1 finds the location mapping AID2-RID2 for AID2 in its local AID-RID mapping table, ASR1 encapsulates the data packet and sends it to ASR2.
  • ASR2 decapsulates the packet and sends it to UE2.
  • otherwise ASR1 queries the MS for the location mapping of AID2. After the MS finds the location mapping of AID2, it sends the mapping entry AID2-RID2 to ASR1.
  • after ASR1 receives this mapping entry, it saves it to its local AID-RID mapping table. If UE1 subsequently sends another data packet with destination address AID2, the AID2-RID2 mapping is already saved in ASR1, and ASR1 can forward UE1's packet directly without querying the MS again.
  • the foregoing is the process of UE registration and data packet transmission in the integrated network with separated identity and location identifiers shown in FIG. 1. It can be seen from this process that a network with separated identity and location identifiers contains an MS, and that
  • each time the ASR receives a data packet sent to a new destination AID (hereinafter, a data packet with a different destination AID is referred to as a first packet), the ASR must query the MS. If UE1 continuously sends such packets to ASR1, the packet string shown in Figure 4 forms a network attack.
  • in Figure 4 each box represents a data packet sent by the UE, and the destination addresses of the packets are AID2, AID3, ... AID27. That is, if UE1 sequentially sends packets with destination addresses AID2, AID3 ... AID27, each with a different destination address, ASR1 can never
  • find the RID corresponding to the AID in its local AID-RID mapping table. Therefore ASR1 sends a message to the MS to query the corresponding mapping entry every time, and the performance of both ASR1 and the MS is greatly degraded. Moreover, if UE1 frequently sends such first packets, then because the ASR1 local AID-RID mapping table has limited storage space, ASR1 must age out old mapping entries in its local database: when the database is full and a new mapping entry is received, an old mapping entry must be deleted. When UE1 sends first packets frequently, many new invalid entries are generated in ASR1, and when the database is full, the newly generated invalid mapping entries of UE1 may overwrite the valid mapping entries of other UEs.
  • when the ASR then receives data from other UEs, it may be forced to query the MS again because the corresponding valid mapping entries have been aged out and deleted, further reducing the ASR's processing performance.
  • the behavior of a UE continuously transmitting data packets with different destination AIDs causes the following problems:
  • the ASR must query the MS every time, which increases the signaling load of both the ASR and the MS and reduces their signaling processing performance.
  • a large number of first-packet queries causes a large number of invalid mapping entries to be stored in the ASR local mapping table.
  • the ASR mapping table cache grows too large; if the cache size is limited, mapping entries are replaced too fast, and a large number of invalid mapping
  • entries overwrite valid mapping entries.
  • data packets sent by normal UEs whose mapping entries were overwritten require the MS to be queried again.
  • the ASR sends query messages to the MS ever more frequently, forming a domino effect that causes the ASR and the MS to stop working properly, that is, a denial of service (DOS).
  • as the attack continues, the MS signaling load becomes even heavier, the ASR cache becomes even more insufficient and the AID-RID mapping table is refreshed even faster. As a result the MS is queried even more frequently, which further consumes the processing capacity of the ASR and the MS, amounting to a Distributed Denial of Service (DDOS) attack.
  • the DOS or DDOS attacks in which a UE continuously transmits first data packets are collectively referred to as the first packet attack.
  • the technical problem to be solved by the present invention is to provide a method and apparatus for preventing a denial of service attack, which solves the problem that a malicious user frequently sending data packets with different destination addresses overloads a network device so that it cannot work normally.
  • a method for preventing a denial of service attack includes: when a user's hit rate is lower than a hit rate threshold and/or the user's number of misses is higher than a miss number threshold, setting the user to the restricted state; and determining whether a data packet is a miss data packet, and if it is, querying the state of the user who sent the data packet and discarding the data packet if the user is in the restricted state.
  • the hit rate is the number of packets sent by the user for which the RID corresponding to the destination AID is found in the local access identifier (AID)-route identifier (RID) mapping table, divided by the total number of packets sent by the user per unit time.
  • the number of misses is the number of data packets sent by the user for which the RID corresponding to the destination AID is not found in the local AID-RID mapping table.
  • the method further includes: adding a record of the number of misses, the number of hits, and the state of the user to the context of the user.
  • the step of determining whether the data packet is a miss data packet includes: querying the local AID-RID mapping table according to the destination AID of the data packet, and determining that the data packet is a miss data packet if the RID corresponding to the destination AID is not found.
  • the step of setting the user to the restricted state includes: before querying the state of the user who sent the data packet, determining whether the adjustment period of the user restriction state has been reached; if so, reading the number of misses and the number of hits from the context of the user, calculating the hit rate of the user, and determining whether the hit rate of the user is lower than the hit rate threshold configured for the user and/or whether the number of misses of the user is higher than the miss number threshold configured for the user; if so, the user is set to the restricted state and this is counted in the record of the user state in the context of the user.
  • the method further includes: if it is determined that the hit rate of the user is not lower than the hit rate threshold configured for the user and/or the number of misses of the user is not higher than the miss number threshold configured for the user, further determining whether the number of times the user was restricted in a period is greater than a limit number threshold; if it is greater, the user is still set to the restricted state, otherwise the user is set to the unrestricted state. After the step of calculating the hit rate of the user, the method further includes: clearing the record of the number of misses and the number of hits in the context of the user.
  • before determining whether the hit rate of the user is lower than the hit rate threshold configured for the user and/or whether the number of misses of the user is higher than the miss number threshold configured for the user,
  • the method includes: determining, according to the attribute of the user, whether the user is a special server user; if so, the standard hit rate threshold lowered by one level and the standard miss number threshold raised by one level are configured as the user's hit rate threshold and miss number threshold respectively; if not, the standard hit rate threshold and the standard miss number threshold are configured as the user's hit rate threshold and miss number threshold respectively.
  • the method further includes: determining whether the login time of the user is less than a specified login time threshold; if so, the hit rate threshold configured for the user is lowered by one level and the miss number threshold configured for the user is raised by one level.
  • the method further includes: determining whether the startup time is less than a specified startup time threshold; if so, the hit rate threshold configured for the user is lowered by one level and the miss number threshold configured for the user is raised by one level.
  • the method further includes: determining whether the system is overloaded; if so, the hit rate threshold configured for the user is lowered by one level and the miss number threshold configured for the user is raised by one level.
  • the standard hit rate threshold and the standard miss number threshold are obtained by: counting the number of all packets and the number of missed packets sent by one or more users per unit time, taking the calculated hit ratio as the average hit rate and the counted number of misses as the average number of misses, and adjusting the average hit rate and the average number of misses to obtain the standard hit rate threshold and the standard miss number threshold.
  • the user attribute is saved in the mapping server or the authentication server. The method further includes: after the user registers with the mapping server, the mapping server adds a user attribute field to the registration response message and delivers the user attribute; or after the user is authenticated, the authentication server adds a user attribute field to the authentication response message and delivers the user attribute.
  • the present invention also provides an apparatus for preventing a denial of service attack, comprising a user data receiving unit, a local mapping table query unit, and a first packet attack identification and control unit, wherein: the user data receiving unit is configured to receive a data packet sent by the user and send the received data packet to the local mapping table query unit; the local mapping table query unit is configured to query the local access identifier (AID)-route identifier (RID) mapping table for the RID corresponding to the destination AID of the received data packet, and send the query result and the data packet to the first packet attack identification and control unit; and the first packet attack identification and control unit is configured to set the user to the restricted state when the hit rate of the user is lower than the hit rate threshold and/or the number of misses of the user is higher than the miss number threshold, and, when the received data packet is determined to be a miss data packet according to the received query result, to query the state of the user who sent the data packet and discard the packet if the user is in the restricted state.
  • the hit rate is the number of packets sent by the user for which the RID corresponding to the destination AID is found in the local AID-RID mapping table, divided by the total number of packets sent by the user per unit time; the number of misses is the number of data packets sent by the user for which the RID corresponding to the destination AID is not found in the local AID-RID mapping table.
  • the first packet attack identification and control unit is further configured to: add a record of the number of misses, the number of hits, and the user state to the context of the user; and determine, according to the received query result, whether the received data packet is a miss data packet.
  • the first packet attack identification and control unit is further configured to: determine whether the adjustment period of the user restriction state has been reached before querying the state of the user who sent the data packet; if so, read the number of misses and the number of hits from the context of the user, calculate the hit rate of the user, and determine whether the hit rate of the user is lower than the hit rate threshold configured for the user and/or whether the number of misses of the user is higher than the miss number threshold configured for the user; if so, set the user to the restricted state and count this in the record of the user state in the context of the user. After calculating the user's hit rate, the first packet attack identification and control unit is further configured to clear the number of misses and the number of hits in the context of the user.
  • the first packet attack identification and control unit is further configured to: if it is determined that the user's hit rate is not lower than the hit rate threshold configured for the user and/or the user's number of misses is not higher than the miss number threshold configured for the user, further determine whether the number of times the user was restricted in a period is greater than a limit number threshold; if it is greater, the user is still set to the restricted state, otherwise the user is set to the unrestricted state.
  • the first packet attack identification and control unit is further configured to: before determining whether the user's hit rate is lower than the hit rate threshold configured for the user and/or whether the number of misses of the user is higher than the miss number threshold configured for the user, determine according to the user attribute whether the user is a special server user; if so, the standard hit rate threshold lowered by one level and the standard miss number threshold raised by one level are configured as the user's hit rate threshold and miss number threshold respectively; if not, the standard hit rate threshold and the standard miss number threshold are configured as the user's hit rate threshold and miss number threshold respectively.
  • the first packet attack identification and control unit is further configured to: determine whether the login time of the user is less than a specified login time threshold, and if so, lower the hit rate threshold configured for the user by one level and raise the miss number threshold configured for the user by one level.
  • the first packet attack identification and control unit is further configured to: determine whether the startup time is less than a specified startup time threshold, and if so, lower the hit rate threshold configured for the user by one level and raise the miss number threshold configured for the user by one level.
  • the first packet attack identification and control unit is further configured to: determine whether the system is overloaded, and if so, lower the hit rate threshold configured for the user by one level and raise the miss number threshold configured for the user by one level.
  • the apparatus also includes a hit rate statistics and modeling unit configured to: count the number of all packets and the number of missed packets sent by one or more users per unit time, take the calculated hit ratio as the average hit rate, and take the counted number of misses as the average number of misses.
  • the present invention combines hit rate control with miss number control, and further combines user type identification, system startup state correction, system overload correction and correction for the user's login state, to prevent the denial of service attack.
  • the DOS/DDOS attack caused by a malicious user frequently sending first packets can thus be effectively controlled.
  • the limitation of the first packet attack can be adjusted according to system startup, system overload, special users, user login and so on, so that in these special scenarios
  • the system can still use the network normally while the first packet attack is avoided.
  • FIG. 1 is an architectural diagram of a network with separated identity and location identifiers in the prior art;
  • FIG. 2 is the mapping table in the mapping server;
  • FIG. 3 is the local mapping table in an ASR;
  • FIG. 5 is an architectural diagram of another network with separated identity and location identifiers;
  • FIG. 6 is an architectural diagram of a third network with separated identity and location identifiers;
  • FIG. 7 is a schematic diagram of an improved first packet attack;
  • FIG. 8 is a schematic structural diagram of an apparatus for preventing a first packet attack according to the present invention;
  • FIG. 9 is a flowchart of the main functions implemented by the first packet attack identification and control unit;
  • FIG. 10 is a flowchart of the method for adjusting the restriction policy by the first packet attack identification and control unit.
  • FIG. 5 shows another architecture implementing a network with separated identity and location identifiers.
  • the architecture divides the network into an access network and a backbone network.
  • the access network is located at the edge of the backbone network and is responsible for the access of all terminals.
  • the backbone network is responsible for routing and forwarding data packets between terminals accessed through the access network. There is no overlap between the access network and the backbone network in the topology.
  • the AID is the user identity of the terminal and is used to identify the identity of the terminal user (also referred to as the user).
  • the network uniquely assigns an AID to each terminal user; it is used in the access network and remains unchanged while the terminal moves. The RID is the location identifier assigned to the terminal and is used in the backbone network.
  • the terminal accessing the network may be one or more of a mobile terminal, a fixed terminal and a nomadic terminal, such as a mobile phone, a fixed telephone, a computer, an application server and the like.
  • the access network provides the terminal with layer 2 (physical layer and link layer) access and maintains the physical access link between the terminal and the ASN.
  • possible layer 2 access methods include: cellular mobile network technologies (Global System for Mobile Communications (GSM), Code Division Multiple Access (CDMA), Time Division-Synchronous Code Division Multiple Access (TD-SCDMA), Wideband Code Division Multiple Access (WCDMA), Worldwide Interoperability for Microwave Access (WiMAX), Long Term Evolution (LTE)), Digital Subscriber Line (DSL), broadband fiber access, or Wireless Fidelity (WiFi) access.
  • the ASN is the demarcation node between the generalized forwarding plane, the mapping forwarding plane and the access network, and has interfaces with all three. It provides access services for the terminal, maintains the connection between the terminal and the network, assigns the RID to the terminal, registers the RID of the terminal with the mapping forwarding plane, maintains the AID-RID mapping information, and implements routing and forwarding of data.
  • the generalized forwarding plane is mainly used for routing and forwarding data packets whose destination address is an RID, according to the RID in the data packet. The data routing and forwarding behavior in the generalized forwarding plane is the same as in a traditional IP network.
  • the main network elements of the generalized forwarding plane are the common router (CR) and the Interconnect Service Node (ISN).
  • the mapping forwarding plane is mainly used to store the identity-location mapping information of the terminal (i.e., AID-RID mapping information), to process registration and query of the terminal location, and to route and forward data packets whose destination address is an AID.
  • the primary network element of the mapping forwarding plane is the Identity Location Register/Packet Transfer Function (ILR/PTF).
  • the authentication center records attribute information of the network's terminal users, such as user category, authentication information and user service level, completes access authentication and authorization for the terminal, and may also have a charging function.
  • the certificate authority supports two-way authentication between the terminal and the network, and generates user security information for authentication, integrity protection and encryption.
  • the ASN is independent of the backbone network in the division of the architecture; it is located at the boundary node between the backbone network and the access network and has interfaces with both, as shown in FIG. 6.
  • the functions actually performed are the same as those of FIG.
  • the method and apparatus of this embodiment can be applied to any of the foregoing network architectures.
  • the following description is merely an example based on the integrated network architecture and is not intended to limit the present invention.
  • the main measures are: configure a local mapping table hit rate threshold and a miss number threshold in the ASR, and restrict a user if, within a unit time, its hit rate falls below the hit rate threshold or its number of miss packets exceeds the miss number threshold.
  • a miss packet is a data packet for which the RID corresponding to the destination AID is not found in the local AID-RID mapping table. For example, if the total number of data packets sent by a user in one minute is 200 and the RID corresponding to the destination AID is found in the local mapping table for 180 of them, the hit rate is 180/200 = 90% and the number of misses is 20.
  • users operate on the Internet mainly by browsing web pages, downloading, instant calls, games and so on. These applications have specific communication peers.
  • a general service first establishes a Transmission Control Protocol (TCP) connection and then sends service data packets, so the corresponding business operation is performed after a TCP connection is established. That is, most Internet applications do not send one data packet to one destination address and then switch to another destination address; even if only a TCP connection is established,
  • the TCP handshake itself requires multiple signaling exchanges with the same destination.
  • a malicious user may notice that the low-hit-rate attack of simply sending first packets is prevented by the system, and may use first packets together with subsequent packets to probe the hit rate threshold configured in the ASR and then launch a further attack. For example, if a first packet with a different destination address is denoted F (First) and a subsequent packet with the same destination address as the first packet is denoted S (Secondary), and the ASR's hit rate threshold is configured to be 50%, a malicious user can repeatedly send the sequence of packets shown in Figure 7.
  • in this case the ASR should still judge that the user has the characteristics of a first packet attack and should be limited, which is why the number of misses is controlled in addition to the hit rate. By counting the number of all packets sent by the user and the number of hit packets per unit time, the average hit rate and the average number of misses can be obtained, and from them
  • the standard hit rate threshold and miss number threshold. For example, to establish a suitable standard hit rate, under stable operation of the ASR count the sum of all packets received from local users per unit time and the sum of all hit packets, divide the sum of hit packets by the sum of received packets to obtain the average hit rate, and adjust the average hit rate appropriately, for example by one third, to obtain the standard hit rate threshold. In actual use, some corrections may be needed because of the user or the ASR, in the following situations: (1) Special users, for example some server users that control multiple sensors and need to periodically scan each sensor to acquire data.
  • the ASR should set a lower hit rate threshold for these specific users. For this, the ASR needs to obtain user attribute information from the authentication server or the mapping server. If the user is a special user of the server class, in particular a sensor server user, the strength of first packet attack control can be reduced.
  • (2) ASR startup needs to be considered. If the ASR has just started, a large number of users have not completed login, the mapping table is not fully established, and the hit rate is low. It usually takes tens of minutes or hours to stabilize. During this time, the ASR should appropriately reduce the control of the first packet attack.
  • (3) when the ASR is overloaded, the hit rate threshold and the miss number threshold should be modified to increase the strength of first packet attack control, so that the ASR can save processing capacity for handling normal services.
  • (4) when a user has just logged in, its hit rate will be low. Therefore, the ASR should appropriately reduce the control strength during the user's login. To implement the method of this embodiment, a record of the number of misses U, the number of hits H and the hit rate R is added to the context of the user.
  • FIG. 8 is a schematic structural diagram of an apparatus for preventing a denial of service attack according to the present invention, wherein a first packet attack identification and control unit 806 is the most critical unit, and a hit ratio statistics and modeling unit 808 is an auxiliary unit. Help the device administrator to set the appropriate hit rate threshold and miss threshold.
  • User data receiving unit 804 which is set to: Receive the data packet sent by the user, and send the data packet to the local Mapping table query unit 805.
  • the local mapping table querying unit 805 is configured to: query the RID corresponding to the destination AID from the local AID-RID mapping table according to the destination AID included in the received data packet, and send the query result and the data packet to the first packet attack identification.
  • the query result is: the data packet is a hit data packet or a miss data packet.
  • the first packet attack identification and control unit 806 is configured to: calculate a hit rate of the user, and correct the hit rate threshold according to the user attribute, the system startup state, the system overload status, whether the user is just logged in, etc., in the user's hit When the rate is lower than the hit rate threshold and/or the number of misses of the user is higher than the number of misses, the user is set to the restricted state; and according to the limitation, the data packet is distributed to the data encapsulation sending unit, or Notify the offsite mapping table to query the unit, or discard the processing.
  • the data encapsulation and sending unit 807 is configured to: perform normal encapsulation and forwarding of the hit data packet.
  • the mapping table receiving unit 801 is configured to: receive the mapping table item sent by the mapping server, and update the local mapping table database 802.
  • the local mapping table database 802 is configured to: save a mapping table (AID-RID mapping table) of the user identity and the route identifier, and the table entry is injected into the new mapping table by the mapping table receiving unit, and the mapping entry is aged And the update function, can accept the query request of the local mapping table query unit, and return the query result to the local mapping table query unit 805.
  • the remote mapping table query unit 803 is configured to: according to the recognition result of the first packet attack identification and control unit 806, is responsible for sending the miss data packet to the mapping server by encapsulating into a specific message.
  • the hit rate statistics and modeling unit 808 is configured to: query the query result of the unit 805 according to the local mapping table, and obtain the number of hits and misses of the user from the first packet attack identification and control unit 806, one or The number of all packets sent by multiple users and the number of missed packets, the hit rate is calculated as the average hit rate, and the number of misses counted is taken as the average miss. That is, at regular intervals, an average hit rate is calculated and recorded, and the respective values of the average hit rate from the start-up to the stable are established to form a corresponding hit rate curve, which helps the administrator to set an appropriate hit rate threshold according to the curve.
  • the hit rate statistics and modeling unit 808 also interacts with the first packet attack identification and control unit 806 to record the highest and lowest hit rate in each time period and to count how many users fall under each hit rate.
  • the network management human-machine interface 809 is configured to: provide a human-machine interface through which the administrator sets a suitable standard hit-rate threshold and miss-count threshold for the first packet attack identification and control unit 806 and queries the hit rate statistics and modeling unit 808 for the system's hit-rate model, the model data being provided according to the administrator's needs.
  • the first packet attack identification and control unit 806 receives the query result and the packet from the local mapping table query unit 805; the query result states whether the packet is a hit packet or a miss packet;
  • step 902: identify, from the source address of the packet, the user who sent it, and find that user's context;
  • step 903: analyze the query result received from the local mapping table query unit 805; if the packet is a miss packet, go to step 904; if it is a hit packet, go to step 909;
  • step 905: determine whether the adjustment period of the user restriction state has been reached (the period is configured by the operator); if so, run the packet restriction policy adjustment (Figure 10); if not, go to step 906;
  • step 906: find the user's context and determine whether the user has been set to the restricted state; if so, go to step 907; if not, go to step 908;
  • the corresponding limiting measure, such as dropping the packet, is applied and processing ends;
  • Figure 10 shows the process by which the first packet attack identification and control unit adjusts the packet restriction policy, including:
  • step 1001: the first packet attack identification and control unit 806 determines from the user attribute whether the user is a server (for example a sensor server) or another special user that sends broadcast or multicast traffic; if so, go to step 1002; if not, go to step 1003. To make the user attribute available, the mapping server or the authentication server must transmit the user's category to the ASR: after the ASR registers the user with the mapping server or requests authentication from the authentication server, a user attribute field is added to the mapping server's registration response message or the authentication server's authentication response message, and the ASR records the delivered attribute in the user's context for subsequent control.
  • step 1002: a server user is given a hit-rate threshold one level lower than the standard hit-rate threshold (for example about 10% lower) and a miss-count threshold one level higher than the standard miss-count threshold (for example about 10% higher), allowing the server to perform the first-packet transmissions its service requires and to send relatively many first packets;
  • step 1004: determine whether the user's login time is shorter than a specified login-time threshold (for example, less than 10 minutes); if it is, go to step 1005; if not, go to step 1006;
  • step 1005: lower the user's hit-rate threshold by one level and raise the user's miss-count threshold by one level (for example 10%), allowing a user who has just logged in to send somewhat more first packets without being restricted; when a user has just logged in, the destination AIDs that user habitually sends to have no entries yet in the local AID-RID mapping table, so for a short period the user has a low hit rate and a high miss count;
  • step 1006: determine whether the start-up time is shorter than a specified start-up-time threshold; if so, go to step 1007; if not, go to step 1008. When an ASR is first put into service, or is reset and restarted after a failure, its local AID-RID mapping table is empty. As users log in and send data, the entries in the ASR's local mapping table database gradually increase; after a period in which users have logged in normally and sent the packets they usually send, the local mapping table database stabilizes and users' hit rates then stay relatively high. Before the local mapping table has stabilized, users' hit rates may be lower, so the ASR must take the effect of its own start-up into account when setting and adjusting the hit rate.
  • This start-up process usually takes from several tens of minutes to several hours; the exact time can be set by the operator according to operational experience. Checking the ASR start-up state is therefore a necessary means of preventing a large number of users from being judged first-packet attackers while the ASR is starting, which would stop those users from working normally.
  • step 1008: determine whether the system is overloaded; if so, go to step 1009; if not, go to step 1010.
  • step 1009: when the ASR or other devices are overloaded, raise the hit-rate threshold and lower the miss-count threshold, reducing the number of first packets allowed to each class of user so that most users can still forward normally; this protects the service of the majority of users at the expense of a small number. When the ASR has ample capacity, a small number of first-packet attacks have little effect on it and looser control values can be used to preserve quality of service, but when the ASR's own load is high, strictly limiting the hit-rate and miss-count values is a necessary means of reducing the load on the equipment.
  • step 1010: read the miss count and hit count from the user's context, calculate the user's hit rate, and determine whether the hit rate is lower than the hit-rate threshold configured for the user and/or the miss count is higher than the miss-count threshold configured for the user; if so, go to step 1011; if not, go to step 1012;
  • The restriction-count check (a user whose number of restrictions within a period exceeds a limit stays restricted even after a clean period) is aimed mainly at malicious users who may attack intermittently: if a user's history shows that several attacks have been sent, the time before the restriction is lifted is extended, so that the malicious user stays restricted for a long time.
  • In summary, the present invention combines hit-rate control with miss-count control, together with user-type identification and corrections for the system start-up state, system overload and the just-logged-in state of the user, to prevent denial-of-service attacks. It effectively controls the DoS/DDoS attack caused by malicious users frequently sending first packets, and the first-packet attack limits can be adjusted for system start-up, system overload, special users, user login and similar situations, so that in those special scenarios the system avoids first-packet attacks while users can still use the network normally.
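The per-packet path of Figure 9 and the threshold corrections of Figure 10, as an added worked example in Python; it is not the patent's code. It assumes an adjustment period counted in packets rather than wall-clock time, one "level" equal to 10 percentage points of hit rate or 10% of the miss-count threshold, the numeric thresholds given as constants, a restriction-count limit for the intermittent-attacker rule, and a simulated mapping-server reply; all traffic in `simulate()` is constructed. Under overload it applies the tightening described at steps 1008 and 1009 (higher hit-rate threshold, lower miss-count threshold).

```python
from dataclasses import dataclass, field

STANDARD_HIT_RATE = 0.80   # standard hit-rate threshold (assumed value)
STANDARD_MISSES = 20       # standard miss-count threshold per period (assumed value)
LEVEL = 0.10               # one adjustment "level" (the text suggests about 10%)
LOGIN_GRACE_S = 600        # "login time less than 10 minutes"
STARTUP_GRACE_S = 3600     # ASR start-up window, operator-configured (assumed 1 h)
RESTRICT_LIMIT = 3         # restrictions per long period above which a user stays restricted
PERIOD_PKTS = 50           # adjustment period, counted in packets here (assumption)


@dataclass
class UserContext:         # the per-user context kept by the ASR
    aid: str
    login_time: float
    is_server: bool = False
    hits: int = 0
    misses: int = 0
    restricted: bool = False
    restrict_count: int = 0  # times restricted in the current long period

@dataclass
class Asr:
    start_time: float
    overloaded: bool = False
    mapping: dict = field(default_factory=dict)   # local AID-RID table: AID -> RID
    users: dict = field(default_factory=dict)     # AID -> UserContext
    ms_queries: int = 0
    forwarded: int = 0
    dropped: int = 0

def thresholds_for(asr, user, now):
    """Figure 10 corrections: one level looser for a server user, a fresh login
    and an ASR still starting up; one level tighter while the ASR is overloaded."""
    hit_thr, miss_thr = STANDARD_HIT_RATE, float(STANDARD_MISSES)
    loosen = sum([user.is_server,                             # steps 1001-1002
                  now - user.login_time < LOGIN_GRACE_S,      # steps 1004-1005
                  now - asr.start_time < STARTUP_GRACE_S])    # steps 1006-1007
    for _ in range(loosen):
        hit_thr -= LEVEL
        miss_thr *= 1 + LEVEL
    if asr.overloaded:                                        # steps 1008-1009
        hit_thr += LEVEL
        miss_thr *= 1 - LEVEL
    return round(min(max(hit_thr, 0.0), 1.0), 2), max(1, int(round(miss_thr)))

def adjust_restriction(asr, user, now):
    """End-of-period evaluation (steps 1010-1012); clears the counters afterwards."""
    total = user.hits + user.misses
    hit_rate = user.hits / total if total else 1.0  # idle user counts as clean (assumption)
    hit_thr, miss_thr = thresholds_for(asr, user, now)
    if hit_rate < hit_thr or user.misses > miss_thr:
        user.restricted = True
        user.restrict_count += 1
    else:  # clean period, but an intermittent attacker restricted too often stays restricted
        user.restricted = user.restrict_count > RESTRICT_LIMIT
    user.hits = user.misses = 0
    return user.restricted

def handle_packet(asr, src_aid, dst_aid, now):
    """Figure 9 per-packet path; returns 'forward', 'query_ms' or 'drop'."""
    user = asr.users[src_aid]                    # step 902: the sender's context
    hit = dst_aid in asr.mapping                 # local mapping table query (step 903)
    if hit:
        user.hits += 1
    else:
        user.misses += 1
    if user.hits + user.misses >= PERIOD_PKTS:   # step 905: adjustment period reached
        adjust_restriction(asr, user, now)
    if hit:                                      # hit packets are always forwarded
        asr.forwarded += 1
        return "forward"
    if user.restricted:                          # miss packet from a restricted user
        asr.dropped += 1
        return "drop"
    asr.ms_queries += 1                          # unrestricted miss: query the mapping server
    asr.mapping[dst_aid] = "RID-for-" + dst_aid  # simulated MS reply (constructed)
    return "query_ms"

def simulate():
    """Constructed traffic: a regular user, a user who has just logged in, and a
    flooder who later sends only hits to try to get her restriction lifted."""
    now = 100_000.0
    asr = Asr(start_time=now - 2 * STARTUP_GRACE_S)  # well past the start-up window
    asr.users = {
        "AID-alice": UserContext("AID-alice", login_time=now - 3600),
        "AID-bob": UserContext("AID-bob", login_time=now),  # logged in this instant
        "AID-mallory": UserContext("AID-mallory", login_time=now - 3600),
    }
    for i in range(200):                        # alice: the same five peers
        handle_packet(asr, "AID-alice", f"AID-peer{i % 5}", now)
    for i in range(50):                         # bob: 14 new peers, then one of them
        handle_packet(asr, "AID-bob", f"AID-bpeer{min(i, 13)}", now)
    for i in range(200):                        # mallory: every packet is a first packet
        handle_packet(asr, "AID-mallory", f"AID-victim{i}", now)
    for _ in range(50):                         # mallory: a period of nothing but hits
        handle_packet(asr, "AID-mallory", "AID-victim0", now)
    final = handle_packet(asr, "AID-mallory", "AID-victim999", now)
    u = asr.users
    return {"ms_queries": asr.ms_queries, "forwarded": asr.forwarded, "dropped": asr.dropped,
            "alice_restricted": u["AID-alice"].restricted,
            "bob_restricted": u["AID-bob"].restricted,
            "mallory_restricted": u["AID-mallory"].restricted,
            "mallory_restrict_count": u["AID-mallory"].restrict_count,
            "mallory_next_first_packet": final}
```

In the constructed run, bob's first period has a hit rate of 0.72, which would restrict him under the standard 0.80 threshold; the just-logged-in correction lowers his threshold to 0.70 and he is left alone. Mallory is restricted after her first 50 first packets, so only 49 of her 200 packets reach the mapping server, and her later period of pure hits does not lift the restriction because she has already been restricted more than `RESTRICT_LIMIT` times. Note why the two thresholds are combined: a flooder who pads each period with packets to already-mapped destinations can keep her hit rate above the threshold, and it is the absolute miss-count threshold evaluated in the same period that bounds how many fresh destinations an unrestricted user can still probe.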

Abstract

A method for preventing denial-of-service (DoS) attacks includes: setting a user to a restricted state if the user's hit rate is lower than a hit-rate threshold and/or the user's miss count is higher than a miss-count threshold; and judging whether a packet is a miss packet and, if so, querying the state of the user who sent it and discarding the packet if that user is in the restricted state. An apparatus for preventing denial-of-service attacks is also provided, comprising a user data receiving unit, a local mapping table query unit and a first-packet attack identification and control unit. The invention makes it possible to control the DoS/distributed denial-of-service (DDoS) attacks caused by a malicious user continually sending first packets. The first-packet attack limit can be adjusted according to system start-up, system overload, special users, user login and similar circumstances, so that in those scenarios the system avoids first-packet attacks while users can still use the network normally.

Description

Method and apparatus for preventing denial-of-service attacks
TECHNICAL FIELD

The present invention relates to networks in which the identity identifier and the location identifier are separated, and in particular to a method and apparatus for preventing denial-of-service attacks in such a network.
BACKGROUND OF THE INVENTION

In the Transmission Control Protocol/Internet Protocol (TCP/IP) suite that is widely used on the Internet today, the IP address has a dual function: it is both the location identifier of a communicating host's network interface within the network topology, at the network layer, and the identity identifier of that host's network interface at the transport layer. TCP/IP was not designed with host mobility in mind, and as host mobility becomes more common this semantic overloading of the IP address becomes an increasingly obvious defect. When a host's IP address changes, not only does its route change but so does the identity of the communicating host; this makes the routing load heavier and heavier, and the change of host identifier interrupts applications and connections.

The purpose of separating the identity identifier from the location identifier is to solve the semantic overloading of IP addresses, the heavy routing load, security and similar problems: the two functions of the IP address are split so as to support mobility, multi-homing, dynamic reassignment of IP addresses, a lighter routing load, and mutual access between different network regions in the next-generation Internet.

Figure 1 shows an integrated network architecture proposed by Beijing Jiaotong University that separates a terminal's identity identifier from its location identifier. The architecture includes a mapping server (Map Server, MS), access service routers (Access Service Router, ASR) and user equipment (User Equipment, UE). Each UE has a unique access identifier (Access Identifier, AID) and each ASR has a router identifier (Router Identifier, RID). A UE is mobile and can register at any ASR; the MS stores the RID of the ASR through which each UE is attached, that is, the MS keeps a table of correspondences between each UE's AID and the RID of the ASR it is actually attached to (the AID-RID mapping table).

When UE1 and UE2 begin to use the network, each first initiates a registration procedure towards the MS. After UE1 registers with the MS through ASR1, the MS creates an entry AID1-RID1, meaning that UE1 is registered under ASR1, and packets subsequently sent to UE1 by other UEs are forwarded via ASR1. Likewise, after UE2 registers with the MS through ASR2, the MS creates an entry AID2-RID2, meaning that UE2 is registered under ASR2, and packets subsequently sent to UE2 by other UEs are forwarded via ASR2. After some time the UEs registered at the MS become stable and the MS has built the AID-RID mapping table shown in Figure 2.

Once UE1 and UE2 are both registered and UE1 sends a packet to UE2 (103 in Figure 1), UE1 generates a packet whose destination address is AID2 and sends it to ASR1. On receiving it, ASR1 looks up the RID corresponding to AID2 in its local AID-RID mapping table, whose structure is shown in Figure 3. If ASR1 finds the location mapping AID2-RID2 in its local table, it encapsulates the packet and sends it to ASR2, which decapsulates it and delivers it to UE2. If ASR1 does not find a location mapping for AID2 in its local table, it queries the MS for it; the MS looks up the location mapping for AID2 and sends the mapping entry AID2-RID2 to ASR1, which stores it in its local AID-RID mapping table. If UE1 later sends another packet addressed to AID2, ASR1 already holds the AID2-RID2 mapping and can send UE1's packet directly without querying the MS again.

The above is the UE registration and packet transmission procedure in the integrated identity/location separated network of Figure 1. It shows that such a network contains a scenario that threatens the MS with attack: every time an ASR receives from a UE a packet addressed to a different destination AID (such a packet is called a first packet below), it must query the MS. When UE1 continuously sends ASR1 packets with different destination AIDs, like the packet sequence shown in Figure 4, a network attack results.

In Figure 4 each box represents a packet sent by the UE, with destination addresses AID2, AID3, ..., AID27. That is, if UE1 sends packets addressed in turn to AID2, AID3, ..., AID27, ASR1 can never find the RID for the destination AID in its local AID-RID mapping table, and so must send the MS a query for the corresponding mapping entry every time, sharply degrading the performance of both ASR1 and the MS.

Moreover, if UE1 sends such first packets frequently, then because the storage space of ASR1's local AID-RID mapping table is limited, ASR1 must age old mapping entries out of its local database: once the database is full, receiving a new mapping entry means deleting an old one. When UE1 sends first packets frequently, many new, useless entries are created in ASR1, and once the database is full ASR1 may overwrite other UEs' valid mapping entries with the useless entries generated by UE1. When the ASR then receives data from those other UEs, it may be forced to query the MS again because the corresponding valid entries have been aged out, further reducing the ASR's processing performance.

In summary, a UE continuously sending packets to different destination AIDs causes the following problems:
(1) The ASR must query the MS every time, which increases the signalling load on both the ASR and the MS and reduces signalling processing performance.
(2) If a user sends first packets in large numbers: if the ASR buffers each first packet locally and forwards it only after the MS query returns, the ASR accumulates a large number of packets and memory consumption becomes severe; if instead the ASR has the MS forward the first packet, data that should be sent directly by the ASR passes through the MS, greatly increasing the burden on the MS.
(3) A large number of first-packet queries leaves a large number of invalid mapping entries in the ASR's local mapping table, so the ASR's mapping-table cache grows too large. If the cache size is limited instead, the mapping entries turn over too quickly, the many invalid entries overwrite valid ones, and packets from normal UEs whose entries were overwritten require the MS to be queried again. The ASR therefore sends query messages to the MS even more often, a domino effect that leaves neither the ASR nor the MS working properly.

The scenario above already constitutes a denial-of-service (DoS) attack. If several users launch similar attacks at the same time, the MS signalling load grows heavier still, the ASR cache becomes even more inadequate, the AID-RID mapping table is refreshed even faster, the MS is queried even more frequently, and the processing capacity of both the ASR and the MS is consumed further, producing a distributed denial-of-service (DDoS) attack. For convenience, a DoS or DDoS attack in which a UE continuously sends first packets is referred to below as a first-packet attack.

SUMMARY OF THE INVENTION

The technical problem addressed by the present invention is to provide a method and apparatus for preventing denial-of-service attacks, solving the problem that a malicious user who frequently sends packets to different destination addresses overloads network equipment to the point that it cannot work normally.

To solve this problem, the method of the present invention for preventing denial-of-service attacks includes: setting a user to the restricted state when the user's hit rate is lower than a hit-rate threshold and/or the user's miss count is higher than a miss-count threshold; and judging whether a packet is a miss packet and, if it is, querying the state of the user who sent it and discarding the packet if that user is in the restricted state.

The hit rate is: the number of packets sent by the user per unit time for which the RID corresponding to the destination AID is found in the local access identifier (AID) to routing identifier (RID) mapping table, divided by the total number of packets sent by that user per unit time. The miss count is: the number of packets sent by the user per unit time for which no RID corresponding to the destination AID is found in the local AID-RID mapping table.

The method further includes adding records of the miss count, the hit count and the user state to the user's context.

Judging whether a packet is a miss packet includes: looking up the local AID-RID mapping table by the packet's destination AID; if no RID corresponding to the destination AID is found, the packet is judged to be a miss packet and the miss count kept in the sending user's context is incremented by one packet; if an RID is found, the packet is judged to be a hit packet and the hit count kept in the sending user's context is incremented by one packet.

Setting the user to the restricted state includes: before querying the state of the user who sent the packet, also judging whether the adjustment period of the user restriction state has been reached; if so, reading the miss count and hit count from the user's context, computing the user's hit rate, and judging whether the hit rate is lower than the hit-rate threshold configured for that user and/or the miss count is higher than the miss-count threshold configured for that user; if so, setting the user to the restricted state and recording this in the user-state record of the user's context.

The method further includes: if the user's hit rate is not lower than the configured hit-rate threshold and/or the user's miss count is not higher than the configured miss-count threshold, further judging whether the number of times the user has been restricted within one period exceeds a restriction-count threshold; if it does, the user remains in the restricted state; if not, the user is set to the unrestricted state.

After the user's hit rate has been computed, the method further includes clearing the miss-count and hit-count records in the user's context.

Before the judging step, the method further includes: judging from the user attribute whether the user is a special server user; if so, lowering the standard hit-rate threshold by one level and raising the standard miss-count threshold by one level, and configuring the results as that user's hit-rate and miss-count thresholds; if not, configuring the standard hit-rate threshold and the standard miss-count threshold as that user's thresholds.

Before the judging step, the method further includes: judging whether the user's login time is shorter than a specified login-time threshold; if so, lowering the hit-rate threshold configured for the user by one level and raising the miss-count threshold configured for the user by one level.

Before the judging step, the method further includes: judging whether the start-up time is shorter than a specified start-up-time threshold; if so, lowering the hit-rate threshold configured for the user by one level and raising the miss-count threshold configured for the user by one level.

Before the judging step, the method further includes: judging whether the system is overloaded; if so, lowering the hit-rate threshold configured for the user by one level and raising the miss-count threshold configured for the user by one level. (The detailed description, at steps 1008 and 1009, applies the opposite correction under overload: it raises the hit-rate threshold and lowers the miss-count threshold so that fewer first packets are admitted while the ASR is overloaded.)

The standard hit-rate threshold and standard miss-count threshold are obtained as follows: the total number of packets and the number of miss packets sent by one or more users per unit time are counted, the hit rate is computed and taken as the average hit rate, the counted miss count is taken as the average miss count, and the average hit rate and average miss count are adjusted to give the standard hit-rate threshold and the standard miss-count threshold respectively.

The user attribute is stored in the mapping server or the authentication server. The method further includes: after the user has been registered with the mapping server, the mapping server adds a user attribute field to the registration response message and delivers the user attribute; or, after the authentication server has been asked to authenticate the user, the authentication server adds a user attribute field to the authentication response message and delivers the user attribute.

The present invention also provides an apparatus for preventing denial-of-service attacks, including a user data receiving unit, a local mapping table query unit and a first-packet attack identification and control unit, where: the user data receiving unit is configured to receive packets sent by users and pass them to the local mapping table query unit; the local mapping table query unit is configured to look up, in the local AID-RID mapping table, the RID corresponding to the destination AID of the received packet and to send the query result and the packet to the first-packet attack identification and control unit; and the first-packet attack identification and control unit is configured to set a user to the restricted state when the user's hit rate is lower than the hit-rate threshold and/or the user's miss count is higher than the miss-count threshold, and, when the received query result shows that the received packet is a miss packet, to query the state of the user who sent it and discard the packet if that user is in the restricted state. The hit rate and the miss count are defined as above.

The first-packet attack identification and control unit is further configured to: add records of the miss count, hit count and user state to the user's context, and increment the miss count or the hit count in the sending user's context by one packet according to whether the query result shows a miss packet or a hit packet; before querying the sending user's state, judge whether the adjustment period of the user restriction state has been reached and, if so, read the miss and hit counts from the user's context, compute the hit rate, judge whether it is lower than the configured hit-rate threshold and/or the miss count is higher than the configured miss-count threshold, set the user to the restricted state if so and record this in the user-state record of the user's context, and clear the miss-count and hit-count records once the hit rate has been computed; if neither threshold is crossed, further judge whether the number of times the user was restricted within one period exceeds the restriction-count threshold, keeping the user restricted if it does and setting the user to the unrestricted state otherwise; and, before comparing against the thresholds, apply the same corrections as in the method, namely lowering the configured hit-rate threshold by one level and raising the configured miss-count threshold by one level for a special server user identified by the user attribute (otherwise the standard thresholds are used), for a user whose login time is shorter than the specified login-time threshold, when the start-up time is shorter than the specified start-up-time threshold, and, as claimed, when the system is overloaded.

The apparatus further includes a hit-rate statistics and modeling unit configured to count the total number of packets and the number of miss packets sent by one or more users per unit time, compute the hit rate as the average hit rate, and take the counted miss count as the average miss count.

In summary, the present invention combines hit-rate control with miss-count control, together with user-type identification and corrections for the system start-up state, system overload and the just-logged-in state of the user, to prevent denial-of-service attacks. It effectively controls the DoS/DDoS attack caused by a malicious user frequently sending first packets, and the first-packet attack limits can be adjusted for system start-up, system overload, special users, user login and similar situations, so that in those special scenarios the system avoids first-packet attacks while users can still use the network normally.
BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is an architectural diagram of a prior-art network in which identity and location identifiers are separated;
FIG. 2 is the mapping table in the mapping server;
FIG. 3 is the local mapping table in the ASR;
FIG. 4 is a schematic diagram of a typical first packet attack;
FIG. 5 is an architectural diagram of another network in which identity and location identifiers are separated;
FIG. 6 is an architectural diagram of a third network in which identity and location identifiers are separated;
FIG. 7 is a schematic diagram of an improved first packet attack;
FIG. 8 is a schematic structural diagram of an apparatus for preventing first packet attacks according to the present invention;
FIG. 9 is a flowchart of the main functions implemented by the first packet attack identification and control unit;
FIG. 10 is a flowchart of the method by which the first packet attack identification and control unit adjusts the restriction policy.
BEST MODE FOR CARRYING OUT THE INVENTION

FIG. 5 shows another architecture for a network in which identity and location identifiers are separated. This architecture divides the network into an access network and a backbone network. The access network lies at the edge of the backbone network and is responsible for the access of all terminals. The backbone network is responsible for routing and forwarding data packets between terminals that access through the access network. The access network and the backbone network do not overlap topologically.

There are two types of identifier in this architecture: the Access Identifier (AID) and the Routing Identifier (RID). The AID is the terminal's user identity, used to identify the terminal user (also simply called the user); the network assigns exactly one AID to each terminal user, it is used in the access network, and it remains unchanged while the terminal moves. The RID is the location identifier assigned to the terminal and is used in the backbone network.

In this architecture the terminal accessing the network may be one or more of a mobile terminal, a fixed terminal and a nomadic terminal, such as a mobile phone, a fixed telephone, a computer or an application server.

The access network provides the terminal with layer 2 (physical layer and link layer) access and maintains the physical access link between the terminal and the ASN. Possible layer 2 access technologies include cellular mobile network technologies (Global System for Mobile Communications (GSM), Code Division Multiple Access (CDMA), Time Division-Synchronous Code Division Multiple Access (TD-SCDMA), Wideband Code Division Multiple Access (WCDMA), Worldwide Interoperability for Microwave Access (WiMAX), Long Term Evolution (LTE)), Digital Subscriber Line (DSL), broadband fibre access, Wireless Fidelity (WiFi) access and so on.

The backbone network of this architecture is divided into two planes, a generalized forwarding plane and a mapping forwarding plane, and further comprises Access Service Nodes (ASN) and an authentication center.

The ASN is the demarcation node between the generalized forwarding plane, the mapping forwarding plane and the access network, and has interfaces to all three. It provides access service to terminals, maintains the connection between a terminal and the network, assigns the RID to the terminal, registers and queries the terminal's RID in the mapping forwarding plane, maintains the AID-RID mapping information, and routes and forwards data packets.

The generalized forwarding plane mainly selects routes for, and forwards, data packets whose destination address is an RID, according to the RID in the packet; its routing and forwarding behaviour is the same as in a conventional IP network. As shown in the figure, its main network elements are Common Routers (CR) and Interconnect Service Nodes (ISN).

The mapping forwarding plane mainly stores the identity-location mapping information of terminals (that is, the AID-RID mapping information), handles registration and query of terminal locations, and routes and forwards data packets whose destination address is an AID. As shown in the figure, its main network element is the Identity Location Register/Packet Transfer Function (ILR/PTF).

The authentication center records attribute information of the terminal users of this network, such as user category, authentication information and user service level, performs access authentication and authorization of terminals, and may also perform charging. It supports mutual authentication between the terminal and the network and can generate user security information for authentication, integrity protection and encryption.

In another embodiment, shown in FIG. 6, the ASN is independent of the backbone network in the division of the architecture and sits at the demarcation node between the backbone network and the access network, with interfaces to both; the functions it performs are the same as in FIG. 5.

The method and apparatus of this embodiment can be applied in any of the above network architectures. Below, only the integrated network architecture is used as an example to describe the present invention, without limiting it.
To prevent first packet attacks, the best approach is to effectively control the user's malicious behaviour at the ASR. The main measures taken by the present invention to prevent first packet DoS or DDoS attacks are: configure a local mapping table hit rate threshold and a miss count threshold in the ASR, and if, within a unit time, a user's hit rate falls below the hit rate threshold or the user's miss count exceeds the miss count threshold, apply restriction measures to that user.

The local mapping table hit rate (hit rate for short) is defined as follows: hit rate = the number of packets sent by the user in the unit time for which the RID corresponding to the destination AID was found in the local AID-RID mapping table (hit packets for short) ÷ the total number of packets sent by the user in the unit time. It can be expressed as:

R = H / (H + U)

where R (Rate) is the hit rate; H (Hit) is the number of hit packets sent by the user in the unit time; and U (Unhit) is the number of packets sent by the user in the unit time for which no RID corresponding to the destination AID was found in the local AID-RID mapping table (miss packets for short).

For example, with a unit time of 1 minute, if a user sends 200 packets in 1 minute and the ASR finds the RID corresponding to the destination AID in its local mapping table for 180 of them, then H = 180, U = 20 and R = H/(H+U) = 90%; in other words, the user's hit rate is 90%.

Generally speaking, what users do on the Internet is mainly browsing web pages, downloading, instant messaging and calls, games and the like. These applications have specific communication peers, and a typical service first establishes a Transmission Control Protocol (TCP) connection and then sends service packets, so after the TCP connection is established the corresponding service operations follow. In other words, the great majority of Internet applications do not send a single packet to one destination address and then switch to another; even merely establishing a TCP connection requires several signalling exchanges for the handshake. Therefore, if a user has an unusually low hit rate, for example below 50%, the user's behaviour is generally abnormal.

Besides the hit rate, the absolute number of miss packets per unit time also needs attention. Once hit rate control is in place, a malicious user may notice that a low hit rate attack consisting purely of first packets is being blocked by the system, and may instead interleave first packets with follow-up packets to probe the hit rate threshold configured on the ASR and carry on the attack. For example, denote each first packet to a distinct destination address by F (First) and each subsequent packet to the same destination address as a preceding first packet by S (Second). If the ASR's hit rate threshold is configured as 50%, a malicious user can repeatedly send the packet sequence shown in FIG. 7. As shown in FIG. 7, if a malicious user sends the 15 packets in the figure within the unit time, where every F is a miss packet and every S is a hit packet, the number of miss packets is U = 6 and the number of hit packets is H = 9, and the hit rate formula gives R = H/(H+U) = 60%. Since the calculated hit rate R = 60% is above the hit rate threshold of 50%, the malicious user can use this packet sequence to sustain the attack.

To prevent first packet attacks built from such fixed packet sequences, in addition to the hit rate limit the total number of first packets sent per unit time is further limited. In practice, the number of miss packets U per unit time is counted, and if U reaches a specified threshold (the miss count threshold) the user is likewise considered to show the characteristics of a first packet attack and is restricted. For example, in the fixed sequence scenario above, if the miss count threshold is configured as 180 and the user sends 500 packets in the unit time (e.g. 1 minute), then since the miss rate is 1 - 60% = 40%, the absolute number of miss packets is 500 × 40% = 200, which exceeds the miss count threshold of 180; the ASR therefore also considers this user to show the characteristics of a first packet attack and restricts it.

By counting the total number of packets and the number of hit packets sent by users in a unit time, the average hit rate and the average miss count can be obtained, and from these a suitable first packet attack prevention model (the standard hit rate threshold and the standard miss count threshold) can be established and used for control. For example, to set a suitable standard hit rate threshold, one can count, while the ASR is running stably, the total number of packets received from local users per unit time and the total number of hit packets, divide the total of hit packets by the total of all packets received to obtain the average hit rate, and then adjust the average hit rate appropriately, for example lowering it by one third, to obtain the standard hit rate threshold.

In actual use, some deviations caused by the user or by the ASR need to be corrected. They arise in the following situations:

(1) Special users. For example, some server users control multiple sensors and need to scan each sensor periodically to collect its data. Since the scan period is usually long, by the time of the next scan the AID-RID mapping entries the server used may already have been overwritten, so a low hit rate is inherent in this kind of service; some broadcast servers are in a similar situation. The ASR should therefore set a lower hit rate threshold for these specific users, and to do so it needs to obtain user attribute information from the authentication server or the mapping server; for special users of the server class, in particular sensor server users, the strength of first packet attack control can be reduced.
(2) The startup state of the ASR also has to be considered. If the ASR has only just started, a large number of users have not yet completed login and the mapping table is not yet fully built, so hit rates will be low. This condition generally lasts tens of minutes to a few hours before stabilizing, and during this time the ASR should appropriately reduce the strength of first packet attack control.

(3) When the system is overloaded, the hit rate threshold and the miss count threshold should be modified to strengthen first packet attack control, so that the ASR has more processing capacity left for normal traffic.

(4) When a user has just logged in to a new ASR, the mappings that user habitually uses have not yet been established, so the hit rate will be low; during the period just after login the ASR should appropriately reduce the strength of control.

To implement the method of this embodiment, records of the miss count U, the hit count H and the hit rate R need to be added to the user's context.
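The hit rate and miss count model described above (R = H/(H+U), the combined check, the FIG. 7 fixed-sequence evasion and the derivation of standard thresholds from stable-state statistics), as an added worked example in Python. This is the editor's illustration, not code from the patent or from ZTE. `Counters`, `classify`, `first_packet_pattern`, `is_first_packet_attack` and `standard_thresholds` are names chosen here; the example assumes that the mapping server's reply to a miss installs the entry in the local table immediately (so follow-up packets to that AID hit), and the one-third margin added to the miss threshold is an assumption, the page only specifying the one-third reduction of the hit rate. All traffic is constructed.

```python
"""Added example (not the patent's code): the hit-rate / miss-count model of
the first packet attack defence, with the page's own numbers as test input."""
from dataclasses import dataclass


@dataclass
class Counters:
    hits: int = 0     # H: packets whose destination AID was in the local AID-RID table
    misses: int = 0   # U: first packets, i.e. destination AID not in the local table

    def hit_rate(self) -> float:
        """R = H / (H + U); an idle user is treated as fully hitting."""
        total = self.hits + self.misses
        return 1.0 if total == 0 else self.hits / total


def classify(dst_aids, local_map):
    """Count hits and misses for one user's packets in one unit time.
    On a miss the ASR queries the mapping server; this example assumes the
    reply installs the entry at once, so later packets to the same AID hit."""
    c = Counters()
    for aid in dst_aids:
        if aid in local_map:
            c.hits += 1
        else:
            c.misses += 1
            local_map[aid] = f"rid-for-{aid}"   # assumed mapping-server reply
    return c


def first_packet_pattern(pattern, groups):
    """Constructed traffic: 'F' = first packet to a fresh AID, 'S' = follow-up
    packet to the AID of the last 'F'. 'FSFSS' * 3 reproduces FIG. 7
    (15 packets, U = 6, H = 9)."""
    seq, n = [], 0
    for _ in range(groups):
        for ch in pattern:
            if ch == "F":
                n += 1
            seq.append(f"aid-{n}")
    return seq


def is_first_packet_attack(c, hit_rate_thr, miss_thr):
    """Combined rule of the page: low hit rate OR too many first packets per unit time."""
    return c.hit_rate() < hit_rate_thr or c.misses > miss_thr


def standard_thresholds(stable_counters, rate_reduction=1 / 3, miss_margin=1 / 3):
    """Derive the standard thresholds from stable-state statistics: the average
    hit rate lowered by a third (as the page suggests); the margin added to the
    average miss count is this example's assumption."""
    hits = sum(c.hits for c in stable_counters)
    misses = sum(c.misses for c in stable_counters)
    avg_rate = hits / (hits + misses)
    avg_misses = misses / len(stable_counters)
    return avg_rate * (1 - rate_reduction), round(avg_misses * (1 + miss_margin))
```

The FIG. 7 sequence passes a hit-rate-only check (R = 60% against a 50% threshold) but repeating it 100 times in the unit time produces 200 misses, which the miss count threshold of 180 catches; the test below walks through exactly those numbers.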
FIG. 8 is a schematic structural diagram of an apparatus for preventing denial-of-service attacks according to the present invention. The first packet attack identification and control unit 806 is the key unit; the hit rate statistics and modeling unit 808 is an auxiliary unit that helps the device administrator set suitable hit rate and miss count thresholds. The function of each unit is described below.

User data receiving unit 804: receives data packets sent by users and passes them to the local mapping table query unit 805.

Local mapping table query unit 805: according to the destination AID contained in the received packet, looks up the RID corresponding to that AID in the local AID-RID mapping table, and passes the query result and the packet to the first packet attack identification and control unit 806. The query result is whether the packet is a hit packet or a miss packet.

First packet attack identification and control unit 806: calculates the user's hit rate; corrects the hit rate threshold according to the user attribute, the system startup state, the system overload state and whether the user has only just logged in; sets the user to the restricted state when the user's hit rate is lower than the hit rate threshold and/or the user's miss count is higher than the miss count threshold; and, according to the restriction, dispatches the packet to the data encapsulation and sending unit, notifies the remote mapping table query unit, or discards it. This unit also interacts with the hit rate statistics and modeling unit and the network management human-machine interface to help establish a reasonable standard hit rate threshold. (For details, see the description of the flowcharts of FIG. 9 and FIG. 10 below.)

Data encapsulation and sending unit 807: performs normal encapsulation and forwarding of hit packets.

Mapping table receiving unit 801: receives mapping entries sent by the mapping server and updates the local mapping table database 802.

Local mapping table database 802: stores the table mapping user identity identifiers to routing identifiers (the AID-RID mapping table). New entries are injected by the mapping table receiving unit; the database supports ageing and updating of entries, accepts query requests from the local mapping table query unit and returns the query results to the local mapping table query unit 805.

Remote mapping table query unit 803: according to the identification result of the first packet attack identification and control unit 806, encapsulates miss packets into a specific message and sends them to the mapping server.

Hit rate statistics and modeling unit 808: using the query results of the local mapping table query unit 805 and the hit and miss counts of users obtained from the first packet attack identification and control unit 806, counts the total number of packets and the number of miss packets sent by one or more users in a unit time, calculates the hit rate as the average hit rate and takes the counted miss count as the average miss count. That is, at fixed intervals it calculates and records an average hit rate, building up the successive values of the average hit rate from startup until the system stabilizes into a hit rate curve, which helps the administrator set a suitable hit rate threshold. In addition, this unit interacts with the first packet attack identification and control unit 806 to record the highest and lowest hit rates in each time period and how many users fall under each hit rate, building a detailed statistical model of hit rates.

Network management human-machine interface 809: provides a human-machine interface for setting suitable standard hit rate and miss count thresholds in the first packet attack identification and control unit 806, and for querying the hit rate model of the system from the hit rate statistics and modeling unit 808, providing the hit rate model data the administrator needs.
FIG. 9 is the flow of the functions implemented by the first packet attack identification and control unit, including:

901: the first packet attack identification and control unit 806 receives the query result and the data packet from the local mapping table query unit 805; the query result states whether the packet is a hit packet or a miss packet;

902: identify the user who sent the packet from the packet's source address and find that user's context;

903: examine the query result received from the local mapping table query unit 805; if the packet is a miss packet, go to step 904; if it is a hit packet, go to step 909;

904: increment the miss count U in the user's context by one packet, e.g. add 1;

905: determine whether the adjustment period of the user restriction state has been reached (the adjustment period can be configured by the operator); if so, carry out the adjustment of the packet restriction policy (see the description of FIG. 10); if not, go to step 906;

906: look up the user's context and determine whether the user has been set to the restricted state; if so, go to step 907; if not, go to step 908;

907: apply the corresponding restriction measure according to the packet handling policy configured on the ASR, such as discarding the packet; end;

908: send the packet to the remote mapping table query unit, which initiates a mapping table query to the MS (mapping server); end;

909: forward the packet to the data encapsulation and sending unit 807 for processing;

910: add 1 to the hit count H in the user's context; end.
图 10所示为首包攻击识别和控制单元进行数据包限制策略的调整过程, 包括: Figure 10 shows the process of adjusting the packet restriction policy by the first packet attack identification and control unit, including:
1001 : 首包攻击和识别单元 806根据用户属性, 判断用户是否属于传感 器的服务器或其它进行广播或组播发送的特殊用户, 如果是, 则执行步骤 1002; 如果不是, 执行步骤 1003; 为获得用户属性, 要求映射服务器或认证服务器将用户的类别信息传送 给 ASR, 为此, 在 ASR到映射服务器对用户进行注册或向认证服务器请求 对用户进行认证后, 映射服务器在注册应答消息中, 认证服务器在认证应答 消息中增加一个用户属性字段, 将用户属性传送给 ASR, ASR记录到用户的 上下文中, 便于后续进行控制。 1001: The first packet attack and identification unit 806 determines, according to the user attribute, whether the user belongs to the server of the sensor or another special user that performs broadcast or multicast transmission. If yes, step 1002 is performed; if not, step 1003 is performed; Attribute, the mapping server or the authentication server is required to transmit the category information of the user to the ASR. To this end, after the ASR registers with the mapping server or requests authentication from the authentication server, the mapping server registers the response message, and the authentication server Authentication response A user attribute field is added to the message, and the user attribute is transmitted to the ASR, and the ASR is recorded in the context of the user for subsequent control.
1002: 为该用户配置特殊的命中率阔值和未命中数阔值, 一般此类服务 器用户所需的命中率阔值较标准命中率阔值低一个等级(如,低 10%左右), 而未命中数阔值较标准未命中数阔值高一个等级(如, 高 10%左右) , 允许 服务器可以正常进行业务必须的首包发送操作, 发送相对较多的首包; 执行 步骤 1004 1002: Configure the user with a special hit rate threshold and a missed threshold. Generally, the server user needs a hit rate that is one level lower than the standard hit rate (for example, about 10% lower). The number of misses is one level higher than the standard number of misses (for example, about 10% higher), allowing the server to perform the first packet transmission operation necessary for the service, and sending a relatively large first packet;
1003: 为该用户配置标准的命中率阔值和未命中数阔值; 1003: Configure the standard hit rate and miss threshold for the user;
1004: 判断该用户的登录时间是否小于一指定的登录时间阔值(如登录 时间小于 10分钟) , 如果小于, 则执行步骤 1005; 如果不小于, 执行步骤 1006; 1004: It is determined whether the login time of the user is less than a specified login time threshold (for example, the login time is less than 10 minutes), if it is less than, then step 1005 is performed; if not less, step 1006 is performed;
1005: 对用户的命中率阔值和未命中数阔值分别下调一个等级和上调一 个等级(如 10% ) , 允许刚登录的用户发送稍多的首包, 以使用户在刚登录 时的业务不会受到限制; 用户刚登录时, 习惯发送的目的 AID 尚未在本地映射表中建立对应的1005: Decrease the user's hit rate and miss threshold by one level and up one level (such as 10%), allowing the user who just logged in to send a slightly larger first packet, so that the user just logs in. It is not restricted; when the user just logs in, the destination AID that is used to sending has not been mapped in the local mapping table.
RID的项目, 因此, 用户会有短暂时间的命中率偏低和未命中数偏高, 为保 证刚登录用户有良好的服务质量需要下调命中率阔值和未命中数阔值。 RID projects, therefore, users have a low hit rate and a high number of misses in a short period of time. In order to ensure that the logged-in user has a good quality of service, it is necessary to lower the hit rate and the number of misses.
1006: 判断启动时间是否小于一指定的启动时间阔值, 如果是, 则执行 步骤 1007; 如果不是, 执行步骤 1008; 在 ASR刚开始投入使用或者 ASR因故障被复位重新启动时, ASR的本 地 AID-RID映射表为空, 随着用户登录和发送数据, ASR的本地映射表数 据库的表项会逐渐增加, 在经过一段时间后, 用户都正常登录, 并都发送了 他们经常发送的数据包后, ASR中的本地映射表数据库表项才会稳定下来, 后续用户的命中率才会维持一个相对较高的数值,而在 ASR的本地映射表稳 定下之前, 用户的命中率可能会较低, 因此, 当 ASR设置和调整命中率阔值 的时候, 必须考虑 ASR刚启动的影响,这个启动过程一般需要几十分钟到几 小时不等, 具体时间可由运营商根据运营情况设定。 可以看出, 判断 ASR启 动状态是为了避免 ASR启动时将大量用户判断为首包攻击用户,导致这些用 户无法正常工作, 这是很必要的手段。 1006: Determine whether the startup time is less than a specified startup time threshold, if yes, execute step 1007; if not, execute step 1008; when the ASR is just started to be used or the ASR is reset and restarted due to a failure, the local AID of the ASR The -RID mapping table is empty. As the user logs in and sends data, the ASR's local mapping table database entries will gradually increase. After a period of time, the users log in normally and send the packets they frequently send. The local mapping table database entry in the ASR will be stabilized, and the subsequent user's hit rate will maintain a relatively high value. Before the ASR local mapping table is stable, the user's hit rate may be lower. Therefore, when ASR sets and adjusts the hit rate, it must consider the impact of ASR just starting. This startup process usually takes several tens of minutes to several hours. The specific time can be set by the operator according to the operation. It can be seen that the ASR startup state is determined to prevent a large number of users from being judged as the first packet attacking user when the ASR starts, resulting in these uses. The user is not working properly, this is a necessary means.
1007: Lower the hit rate threshold by one level and raise the miss count threshold by one level (for example 10%), so that the large number of newly logged-in users can operate normally.
1008: Determine whether the system is overloaded; if so, execute step 1009, otherwise execute step 1010. When a device such as an ASR is overloaded, the hit rate threshold can be raised and the miss count threshold lowered accordingly, reducing the number of first packets that each class of user is allowed to send so that most users can still be forwarded normally. This sacrifices a small number of users to keep service running for the majority: when the ASR has ample spare load capacity, a small number of first-packet attacks have little effect on it, and a looser control threshold can be granted to preserve quality of service; but when the ASR itself is heavily loaded, strictly limiting the hit rate threshold and the miss count threshold is a necessary means of reducing the device's load.
1009: Raise the hit rate threshold by one level and lower the miss count threshold by one level according to the degree of overload; the adjustment range is around 10%.
1010: Read the miss count and hit count from the user's context, calculate the user's hit rate, and determine whether the user's hit rate is below the hit rate threshold configured for that user and/or the user's miss count is above the miss count threshold configured for that user; if so, execute step 1011, otherwise execute step 1012.
1011: Set the user to the restricted state, record this in the user's context, clear the user's hit rate and miss count, and end.
1012: Check the user's restriction history and determine whether the number of times the user has been restricted within one period exceeds a specified restriction count threshold; if it does, keep the user in the restricted state; if it is below the threshold, set the user to the unrestricted state.
This step targets malicious users who may launch intermittent attacks: if a user's history shows multiple past attacks, the time before the restriction is lifted can be extended, placing that malicious user under restriction for a longer period.
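The control loop of steps 1005 through 1012 (plus the special-server-user adjustment the claims place in front of it) can be written down directly. The following is an added illustration in Python, not code from the patent or from its applicant; the field names (`login_time`, `is_special_server`, `restriction_history`), the parameter names, and the use of a single net multiplier for the "levels" are all assumptions. The overload step follows the direction given in steps 1008 and 1009 above (raise the hit rate threshold, lower the miss count threshold).

```python
from dataclasses import dataclass, field
from typing import List

# One adjustment "level"; the description gives roughly 10% as the example.
LEVEL = 0.10


@dataclass
class Thresholds:
    """Hit rate threshold (fraction of a user's packets that hit the local
    AID-RID table) and miss count threshold (misses allowed per period)."""
    hit_rate: float
    miss_count: int


@dataclass
class UserContext:
    """Per-user context: counters and state, plus the fields the adjustment
    steps consult (hypothetical names, not the patent's)."""
    hits: int = 0
    misses: int = 0
    restricted: bool = False
    login_time: float = 0.0                 # seconds; when the user logged in
    is_special_server: bool = False         # user attribute from the mapping/auth server
    restriction_history: List[float] = field(default_factory=list)  # times restricted


def configure_thresholds(ctx: UserContext, now: float, standard: Thresholds,
                         asr_start_time: float, startup_threshold: float,
                         login_threshold: float, overloaded: bool) -> Thresholds:
    """Derive this user's thresholds from the standard ones.

    Each relaxing condition (special server user, recent login, ASR recently
    started) lowers the hit rate threshold and raises the miss count threshold
    by one level; overload (steps 1008-1009) tightens by one level in the
    opposite direction. The net number of levels is applied as one multiplier."""
    net_relax = 0
    if ctx.is_special_server:                     # special server user
        net_relax += 1
    if now - ctx.login_time < login_threshold:    # step 1005: just logged in
        net_relax += 1
    if now - asr_start_time < startup_threshold:  # steps 1006-1007: ASR just started
        net_relax += 1
    if overloaded:                                # steps 1008-1009: system overloaded
        net_relax -= 1
    hit_rate = standard.hit_rate * (1 - LEVEL * net_relax)
    miss_count = round(standard.miss_count * (1 + LEVEL * net_relax))
    return Thresholds(hit_rate=min(max(hit_rate, 0.0), 1.0),
                      miss_count=max(miss_count, 0))


def evaluate_user(ctx: UserContext, thresholds: Thresholds, now: float,
                  period: float, max_restrictions: int) -> bool:
    """Steps 1010-1012: decide the user's state for the next period.

    Returns True if the user is (still) restricted. The counters are cleared
    once the hit rate has been computed, whichever branch is taken."""
    total = ctx.hits + ctx.misses
    # A user that sent nothing has nothing to judge; assume a perfect hit rate.
    hit_rate = ctx.hits / total if total else 1.0
    if hit_rate < thresholds.hit_rate or ctx.misses > thresholds.miss_count:
        ctx.restricted = True                     # step 1011
        ctx.restriction_history.append(now)
    else:
        # Step 1012: a user restricted more than max_restrictions times within
        # one period stays restricted; otherwise the restriction is lifted.
        recent = [t for t in ctx.restriction_history if now - t <= period]
        ctx.restricted = len(recent) > max_restrictions
    ctx.hits = 0
    ctx.misses = 0
    return ctx.restricted


if __name__ == "__main__":
    # Constructed scenario: standard thresholds 80% hit rate / 100 misses,
    # a user that logged in 100 s ago on an ASR that has been up for hours.
    std = Thresholds(hit_rate=0.8, miss_count=100)
    user = UserContext(hits=30, misses=120, login_time=9_900.0)
    t = configure_thresholds(user, 10_000.0, std, 0.0, 3600.0, 300.0, False)
    print("thresholds for this user:", t)
    print("restricted:", evaluate_user(user, t, 10_000.0, 86_400.0, 2))
```

Running the adjustment once per period, as claim 6 describes, keeps the per-packet path cheap: the data path only increments two counters and reads one flag, and all of the policy above happens off that path.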
Those of ordinary skill in the art will understand that all or some of the steps of the above method may be carried out by a program instructing the relevant hardware, and that the program may be stored in a computer-readable storage medium such as a read-only memory, magnetic disk or optical disc. Optionally, all or some of the steps of the above embodiments may also be implemented using one or more integrated circuits. Correspondingly, each module/unit in the above embodiments may be implemented in the form of hardware or in the form of a software functional module. The present invention is not limited to any particular combination of hardware and software.
The above are merely preferred embodiments of the present invention and are not intended to limit it; those skilled in the art will appreciate that various modifications and variations can be made to the present invention. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall fall within its scope of protection.
Industrial Applicability

The present invention combines hit rate control with miss count control, together with user type identification and corrections for the system startup state, system overload and the just-logged-in state of a user, to prevent denial of service attacks. It can effectively control DoS/DDoS attacks caused by malicious users frequently sending first packets, and the limits placed on first-packet attacks can be adjusted for system startup, system overload, special users, user login and similar situations, so that in these special scenarios the system prevents first-packet attacks while users can still use the network normally.

Claims

1. A method for preventing a denial of service attack, comprising: when a user's hit rate is below a hit rate threshold and/or the user's miss count is above a miss count threshold, setting the user to a restricted state; and determining whether a packet is a miss packet and, if it is, querying the state of the user who sent the packet and discarding the packet if that user is in the restricted state.
2. The method of claim 1, wherein the hit rate is: the number of packets sent by the user per unit time for which the RID corresponding to the destination AID is found in the local access identifier (AID) to routing identifier (RID) mapping table, divided by the total number of packets sent by the user in that unit time.
3. The method of claim 2, wherein the miss count is: the number of packets sent by the user per unit time for which the RID corresponding to the destination AID is not found in the local AID-RID mapping table.
4. The method of claim 3, further comprising: adding records of the miss count, the hit count and the user state to the user's context.
5. The method of claim 4, wherein determining whether a packet is a miss packet comprises: querying the local AID-RID mapping table by the packet's destination AID; if no RID corresponding to the destination AID is found, judging the packet to be a miss packet and incrementing the miss count stored in the context of the user who sent the packet by one packet; if an RID corresponding to the destination AID is found, judging the packet to be a hit packet and incrementing the hit count stored in the context of the user who sent the packet by one packet.
6. The method of claim 5, wherein setting the user to the restricted state comprises: determining whether the adjustment period for the user restriction state has been reached and, if so, reading the miss count and hit count from the user's context, calculating the user's hit rate, and determining whether the user's hit rate is below the hit rate threshold configured for that user and/or the user's miss count is above the miss count threshold configured for that user; if so, setting the user to the restricted state and recording this in the user state record in the user's context.
7. The method of claim 6, further comprising: if it is determined that the user's hit rate is not below the hit rate threshold configured for that user and/or the user's miss count is not above the miss count threshold configured for that user, further determining whether the number of times the user has been restricted within one period exceeds a restriction count threshold; if it does, keeping the user in the restricted state; if it is below the threshold, setting the user to the unrestricted state.
8. The method of claim 6, wherein after the step of calculating the user's hit rate, the method further comprises: clearing the records of the miss count and hit count in the user's context.
9. The method of claim 7, wherein before the step of determining whether the user's hit rate is not below the hit rate threshold configured for that user and/or the user's miss count is not above the miss count threshold configured for that user, the method further comprises: determining from the user's attributes whether the user is a special server user; if so, lowering the standard hit rate threshold by one level and raising the standard miss count threshold by one level, and configuring the results as the user's hit rate threshold and miss count threshold respectively; if not, configuring the standard hit rate threshold and the standard miss count threshold as the user's hit rate threshold and miss count threshold respectively.
10. The method of claim 9, wherein before the step of determining whether the user's hit rate is not below the hit rate threshold configured for that user and/or the user's miss count is not above the miss count threshold configured for that user, the method further comprises: determining whether the user's login time is less than a specified login time threshold and, if so, lowering the hit rate threshold configured for the user by one level and raising the miss count threshold configured for the user by one level.
11. The method of claim 10, wherein before the step of determining whether the user's hit rate is not below the hit rate threshold configured for that user and/or the user's miss count is not above the miss count threshold configured for that user, the method further comprises: determining whether the startup time is less than a specified startup time threshold and, if so, lowering the hit rate threshold configured for the user by one level and raising the miss count threshold configured for the user by one level.
12. The method of claim 11, wherein before the step of determining whether the user's hit rate is not below the hit rate threshold configured for that user and/or the user's miss count is not above the miss count threshold configured for that user, the method further comprises: determining whether the system is overloaded and, if so, lowering the hit rate threshold configured for the user by one level and raising the miss count threshold configured for the user by one level.
13. The method of claim 9, wherein the standard hit rate threshold and the standard miss count threshold are obtained as follows: counting the total number of packets and the number of miss packets sent by one or more users per unit time, calculating the hit rate from these as the average hit rate and taking the counted miss count as the average miss count, and adjusting the average hit rate and the average miss count to obtain the standard hit rate threshold and the standard miss count threshold respectively.
14. The method of claim 9, wherein: the user attributes are stored in a mapping server or an authentication server; and the method further comprises: after the user is registered with the mapping server, the mapping server adding a user attribute field to the registration response message to deliver the user attributes; or, after the authentication server is requested to authenticate the user, the authentication server adding a user attribute field to the authentication response message to deliver the user attributes.
15. An apparatus for preventing a denial of service attack, comprising a user data receiving unit, a local mapping table query unit and a first-packet attack identification and control unit, wherein: the user data receiving unit is configured to receive packets sent by users and to pass the received packets to the local mapping table query unit; the local mapping table query unit is configured to query the local access identifier (AID) to routing identifier (RID) mapping table for the RID corresponding to the destination AID of a received packet and to pass the query result and the packet to the first-packet attack identification and control unit; and the first-packet attack identification and control unit is configured to set a user to a restricted state when the user's hit rate is below a hit rate threshold and/or the user's miss count is above a miss count threshold, and, when it determines from the received query result that a received packet is a miss packet, to query the state of the user who sent the packet and discard the packet if that user is in the restricted state.
16. The apparatus of claim 15, wherein: the hit rate is the number of packets sent by the user per unit time for which the RID corresponding to the destination AID is found in the local AID-RID mapping table, divided by the total number of packets sent by the user in that unit time; and the miss count is the number of packets sent by the user per unit time for which the RID corresponding to the destination AID is not found in the local AID-RID mapping table.
17. The apparatus of claim 16, wherein the first-packet attack identification and control unit is further configured to: add records of the miss count, the hit count and the user state to the user's context; when it determines from the received query result that a received packet is a miss packet, increment the miss count stored in the context of the user who sent the packet by one packet; and when it determines from the received query result that a received packet is a hit packet, increment the hit count stored in the context of the user who sent the packet by one packet.
18. The apparatus of claim 17, wherein the first-packet attack identification and control unit is further configured to: before querying the state of the user who sent the packet, determine whether the adjustment period for the user restriction state has been reached and, if so, read the miss count and hit count from the user's context, calculate the user's hit rate, and determine whether the user's hit rate is below the hit rate threshold configured for that user and/or the user's miss count is above the miss count threshold configured for that user, and if so set the user to the restricted state and record this in the user state record in the user's context; and, after calculating the user's hit rate, clear the records of the miss count and hit count in the user's context.
19. The apparatus of claim 18, wherein the first-packet attack identification and control unit is further configured to: if it determines that the user's hit rate is not below the hit rate threshold configured for that user and/or the user's miss count is not above the miss count threshold configured for that user, further determine whether the number of times the user has been restricted within one period exceeds a restriction count threshold; if it does, keep the user in the restricted state; if it is below the threshold, set the user to the unrestricted state.
20. The apparatus of claim 19, wherein the first-packet attack identification and control unit is further configured to: before determining whether the user's hit rate is below the hit rate threshold configured for that user and/or the user's miss count is above the miss count threshold configured for that user, determine from the user's attributes whether the user is a special server user; if so, lower the standard hit rate threshold by one level and raise the standard miss count threshold by one level, and configure the results as the user's hit rate threshold and miss count threshold respectively; if not, configure the standard hit rate threshold and the standard miss count threshold as the user's hit rate threshold and miss count threshold respectively.
21. The apparatus of claim 20, wherein the first-packet attack identification and control unit is further configured to: determine whether the user's login time is less than a specified login time threshold and, if so, lower the hit rate threshold configured for the user by one level and raise the miss count threshold configured for the user by one level.
22. The apparatus of claim 21, wherein the first-packet attack identification and control unit is further configured to: determine whether the startup time is less than a specified startup time threshold and, if so, lower the hit rate threshold configured for the user by one level and raise the miss count threshold configured for the user by one level.
23. The apparatus of claim 22, wherein the first-packet attack identification and control unit is further configured to: determine whether the system is overloaded and, if so, lower the hit rate threshold configured for the user by one level and raise the miss count threshold configured for the user by one level.
24. The apparatus of claim 20, further comprising a hit rate statistics and modelling unit configured to: count the total number of packets and the number of miss packets sent by one or more users per unit time, calculate the hit rate from these as the average hit rate, and take the counted miss count as the average miss count.
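Claims 1, 5 and 15 describe the per-packet data path (mapping-table lookup, hit/miss accounting in the sender's context, and discarding miss packets from restricted users), and claim 13 describes how the standard thresholds are derived from aggregate statistics. The following is an added illustration in Python of both, not code from the patent or from its applicant. It assumes the `Packet` and `UserContext` shapes shown, that a miss packet from an unrestricted user is handed on for mapping resolution (the claims only specify the drop case), and that claim 13's "adjustment" is a relative margin applied to the averages.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src_aid: str   # access identifier of the sending user
    dst_aid: str   # destination access identifier


@dataclass
class UserContext:
    hits: int = 0
    misses: int = 0
    restricted: bool = False   # set by the periodic adjustment, read here


class FirstPacketFilter:
    """Data path of claims 1, 5 and 15: look up the destination AID in the
    local AID-RID mapping table, count the hit or miss in the sender's
    context, and drop miss packets sent by restricted users."""

    def __init__(self, mapping: Dict[str, str]):
        self.mapping = dict(mapping)              # local AID-RID mapping table
        self.users: Dict[str, UserContext] = {}   # per-user context by source AID

    def context(self, aid: str) -> UserContext:
        return self.users.setdefault(aid, UserContext())

    def process(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Returns (action, rid):
        ("forward", rid)  for a hit packet, whatever the user's state
        ("resolve", None) for a miss from an unrestricted user (assumed to be
                          passed on for mapping resolution)
        ("drop", None)    for a miss from a restricted user"""
        ctx = self.context(pkt.src_aid)
        rid = self.mapping.get(pkt.dst_aid)
        if rid is None:
            ctx.misses += 1                      # claim 5: miss packet
            if ctx.restricted:
                return ("drop", None)            # claim 1: discard
            return ("resolve", None)
        ctx.hits += 1                            # claim 5: hit packet
        return ("forward", rid)


def standard_thresholds(samples: List[Tuple[int, int]],
                        hit_margin: float, miss_margin: float) -> Tuple[float, int]:
    """Claim 13: from (total_packets, miss_packets) measured per user per unit
    time, compute the average hit rate and average miss count and adjust them
    into the standard thresholds. The margins are an assumed adjustment rule:
    the hit rate threshold sits below the average, the miss threshold above."""
    total = sum(t for t, _ in samples)
    misses = sum(m for _, m in samples)
    avg_hit_rate = (total - misses) / total if total else 1.0
    avg_misses = misses / len(samples) if samples else 0.0
    return avg_hit_rate * (1 - hit_margin), round(avg_misses * (1 + miss_margin))


if __name__ == "__main__":
    # Constructed mapping table and traffic; AIDs and RIDs are placeholders.
    f = FirstPacketFilter({"aid-B": "rid-1", "aid-C": "rid-2"})
    for dst in ("aid-B", "aid-X", "aid-C"):
        print(dst, "->", f.process(Packet("aid-A", dst)))
    print("context:", f.context("aid-A"))
    print("standard thresholds:", standard_thresholds([(100, 10), (200, 30), (100, 20)], 0.1, 0.5))
```

Note that a restricted user's hit packets are still forwarded: the restriction only applies to packets that would trigger a mapping lookup beyond the local table, which is the resource the first-packet attack consumes.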
PCT/CN2010/075781 2009-10-10 2010-08-06 Method and apparatus for preventing denial-of-service attack WO2011041960A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910181127.7A CN102045308B (en) 2009-10-10 2009-10-10 Method and device for preventing denial of service (DoS) attacks
CN200910181127.7 2009-10-10

Publications (1)

Publication Number Publication Date
WO2011041960A1 true WO2011041960A1 (en) 2011-04-14

Family

ID=43856366

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/075781 WO2011041960A1 (en) 2009-10-10 2010-08-06 Method and apparatus for preventing denial-of-service attack

Country Status (2)

Country Link
CN (1) CN102045308B (en)
WO (1) WO2011041960A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
BR112015013943A2 (en) 2012-12-19 2017-07-11 Nec Corp communication node, control apparatus, communication system, packet processing method, communication node control method and program
CN107241304B (en) * 2016-03-29 2021-02-02 阿里巴巴集团控股有限公司 Method and device for detecting DDoS attack
CN106789954A (en) * 2016-11-30 2017-05-31 杭州迪普科技股份有限公司 A kind of method and apparatus of the DDOS attack identification based on multi -CPU
CN111241543B (en) * 2020-01-07 2021-03-02 中国搜索信息科技股份有限公司 Method and system for intelligently resisting DDoS attack by application layer

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1297101C (en) * 2003-07-08 2007-01-24 国际商业机器公司 Technique of detecting denial of service attacks
US20080028467A1 (en) * 2006-01-17 2008-01-31 Chris Kommareddy Detection of Distributed Denial of Service Attacks in Autonomous System Domains
CN101202742A (en) * 2006-12-13 2008-06-18 中兴通讯股份有限公司 Method and system for preventing refusal service attack
US20090043724A1 (en) * 2007-08-08 2009-02-12 Radware, Ltd. Method, System and Computer Program Product for Preventing SIP Attacks
CN100479419C (en) * 2003-06-08 2009-04-15 华为技术有限公司 Method for preventing refusal service attack
JP2009219128A (en) * 2009-04-15 2009-09-24 Fujitsu Telecom Networks Ltd Subscriber line terminating device and user terminal for preventing dos/ddos attack

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6789203B1 (en) * 2000-06-26 2004-09-07 Sun Microsystems, Inc. Method and apparatus for preventing a denial of service (DOS) attack by selectively throttling TCP/IP requests
CN101018156A (en) * 2007-02-16 2007-08-15 华为技术有限公司 Method, device and system for preventing the broadband rejection service attack
CN100563149C (en) * 2007-04-25 2009-11-25 华为技术有限公司 A kind of DHCP monitor method and device thereof

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113014605A (en) * 2021-04-14 2021-06-22 北京理工大学 Quantitative control method for denial of service attack and disturbance
CN113014605B (en) * 2021-04-14 2021-12-28 北京理工大学 Quantitative control method for denial of service attack and disturbance

Also Published As

Publication number Publication date
CN102045308B (en) 2014-04-30
CN102045308A (en) 2011-05-04

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10821569

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10821569

Country of ref document: EP

Kind code of ref document: A1