WO2011110079A1 - Message forwarding method for avoiding network attacks and gateway - Google Patents


Info

Publication number
WO2011110079A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
uplink
downlink
token counter
token
Prior art date
Application number
PCT/CN2011/071597
Other languages
French (fr)
Chinese (zh)
Inventor
胡玉胜
秦欣
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2011110079A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/56 Provisioning of proxy services
    • H04L 67/565 Conversion or adaptation of application format or content
    • H04L 67/5651 Reducing the amount or size of exchanged application data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W 12/122 Counter-measures against attacks; Protection against rogue devices

Definitions

  • The present invention relates to network attacks, and in particular to a packet forwarding method and a gateway for preventing network attacks.
  • Over Billing is a common network attack. Its principle is that a server on the Internet uses the client IP address it has detected to penetrate the firewall through a connection already established with the client and sends the client a large number of packets, so that the client is charged incorrectly. The client is then over-charged, which leads to user complaints.
  • To address this, QoS guarantee technology can be used to rate-limit downlink traffic on the gateway side according to the client's QoS subscription, so that packets from the server exceeding the subscribed QoS are discarded. If the subscribed QoS is large, however, the server can still send many downlink packets and the charging error remains large.
  • Therefore the gateway is currently coupled with the firewall: the gateway signals the user's online status to the firewall, and the firewall clears and completely blocks the flows associated with the IP address of a user who has gone offline. When that IP address is used again, the connection initiated by the server is no longer valid and its packets cannot go downlink, which protects the user.
  • This approach still has the following drawbacks: 1. for online users there is no good way to block malicious downlink traffic; 2. custom interfaces between gateway devices and firewalls must be developed, and these are difficult to use between devices of different manufacturers.
  • The embodiments of the invention provide a packet forwarding method and a gateway for preventing network attacks, so as to avoid malicious charging caused by an Over Billing attack initiated from the network side and to improve the end user's experience.
  • A packet forwarding method for preventing a network attack includes: when an uplink packet sent by the client is received, determining whether the uplink packet is an ICMP unreachable packet; if it is not, setting the downlink packet token counter to full; determining whether the uplink packet token counter is zero; if the uplink packet token counter is zero, discarding the uplink packet; and if it is not zero, decrementing the uplink packet token counter by one and forwarding the uplink packet to the server.
  • A gateway includes: a receiving unit configured to receive an uplink packet sent by the client or a downlink packet sent by the server;
  • a logic unit configured to determine, when the receiving unit receives an uplink packet sent by the client, whether the uplink packet is an ICMP unreachable packet, and, when it is not, whether the uplink packet token counter is zero;
  • a processing unit configured to set the downlink packet token counter to full when the logic unit determines that the uplink packet is not an ICMP unreachable packet, to discard the uplink packet when the logic unit determines that the uplink packet token counter is zero, and to decrement the uplink packet token counter by one when the logic unit determines that it is not zero;
  • a sending unit configured to forward the uplink packet to the server when the logic unit determines that the uplink packet token counter is not zero.
  • A packet forwarding method for preventing a network attack includes: when a downlink packet sent by the server is received, setting the uplink packet token counter to full; determining whether the downlink packet token counter is zero; if it is zero, discarding the downlink packet; and if it is not zero, decrementing the downlink packet token counter by one and forwarding the downlink packet to the client.
  • The method and gateway provided by the embodiments of the present invention monitor the forwarding of flow-based uplink and downlink packets through a token mechanism and prevent excessive packet transmission in either direction.
  • FIG. 1 is a schematic diagram of the network architecture in which the method of an embodiment of the present invention is applied to a gateway.
  • FIG. 2 is a flowchart of a method according to an embodiment of the present invention.
  • FIG. 3 is a flowchart of a method according to another embodiment of the present invention.
  • FIG. 4 is a structural block diagram of a gateway according to an embodiment of the present invention.
  • FIG. 1 shows the network architecture to which the packet forwarding method of this embodiment is applied: besides the gateway GGSN, it includes a client UE and a server.
  • In the gateway GGSN, the number of downlink packets the server is allowed per uplink packet may be preset, that is, the downlink packet token counter value may be preset. Alternatively, after an uplink packet is received, deep packet inspection (DPI) may be used to learn the service type, and the number of downlink packets allowed per uplink packet is then defined with reference to that service type, that is, the downlink packet token counter value is set accordingly; for example, an HTTP connection may be allowed 5 downlink packets and an RTSP connection 50. Or, after the downlink packet token counter value has been preset, DPI may be used on receipt of an uplink packet to learn the service type and adjust the counter value with reference to it. Packets exceeding the defined value are discarded at the gateway GGSN, which stops the server from over-sending packets regardless of the client's ability to respond.
  • Likewise, the number of uplink packets the client is allowed per downlink packet may be preset, that is, the uplink packet token counter value may be preset; or DPI may be used to learn the service type and define the number of uplink packets allowed per downlink packet accordingly, for example 5 for an HTTP connection and 10 for an RTSP connection; or, after the uplink packet token counter value has been preset, DPI may be used on receipt of a downlink packet to learn the service type and adjust the counter value with reference to it. Packets exceeding this value are likewise discarded at the gateway GGSN, which prevents the client from sending too many packets to the server.
  • FIG. 2 and FIG. 3 are flowcharts of the packet forwarding method for preventing network attacks according to an embodiment of the present invention. The method is applied to a gateway: the gateway monitors the flow information established by the client while using a service, for example TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) flows, counts the uplink and downlink packets, and uses uplink/downlink packets as tokens to control packet forwarding. Specifically:
  • FIG. 2 is the flowchart of the method for the case where the gateway receives an uplink packet sent by the client. Referring to FIG. 2, the method includes:
  • Step 201: determine whether the uplink packet is an ICMP unreachable packet.
  • If malicious packets appear in the downlink, for example when the server keeps sending packets to the client regardless of the client's ability to respond, such packets are very likely malicious, and an ICMP unreachable packet may appear in the uplink as a result. As another example, when a downlink packet from the server reaches a client that is not listening on that port, the client treats it as an illegal packet and returns an ICMP unreachable packet to the server.
  • Step 202: if the uplink packet is not an ICMP unreachable packet, determine whether the uplink packet token counter is zero.
  • As described above, the uplink packet token counter value may be set by any of the foregoing three methods in order to count packet forwarding. If the uplink packet token counter is zero, too many uplink packets have been sent and the uplink should be stopped.
  • Step 203: if the uplink packet token counter is zero, discard the uplink packet, and set the downlink packet token counter to full.
  • When the uplink packet token counter is zero and the uplink must be stopped, the uplink packet is discarded. Because an uplink packet has nonetheless arrived, the downlink packet token counter is set to full, indicating that downlink packets may pass. Filling the downlink packet token counter may also be performed in step 202; this embodiment is not limited in this respect.
  • The downlink packet token counter value may likewise be set by any of the foregoing three methods in order to count packet forwarding.
  • Step 204: if the uplink packet token counter is not zero, decrement the uplink packet token counter by one, set the downlink packet token counter to full, and forward the uplink packet to the server.
  • When the uplink packet token counter is not zero, the uplink packet may be forwarded to the server, and the uplink packet token counter is decremented by one, indicating that one fewer uplink packet may be sent. Similarly, because an uplink packet has arrived, the downlink packet token counter is set to full, indicating that downlink packets may pass; filling the downlink packet token counter may also be performed in step 202, and this embodiment is not limited in this respect.
  • In step 201, if the uplink packet is an ICMP unreachable packet, this may indicate, as described above, that malicious packets are appearing in the downlink, so the downlink packet token counter is cleared to zero, that is, forwarding of downlink packets is prohibited.
  • The method of this embodiment applies not only to TCP flows but also to UDP flows; details are not repeated here.
  • A gateway that acts only as a forwarding device and pays no attention to the health of the packet flow leaves the client to inevitably receive malicious packets, to which it can only respond passively by dropping them.
  • The method provided here enables the gateway to determine whether a packet flow is normal and to drop packets before they are charged by the gateway, thereby reducing the charging error.
  • FIG. 3 is the flowchart of the method for the case where the gateway receives a downlink packet sent by the server.
  • The method of this embodiment may be performed on its own or in combination with the method of the embodiment shown in FIG. 2; neither the combination nor the order of the two is limited. Referring to FIG. 3, the method includes:
  • Step 301: determine whether the downlink packet token counter is zero.
  • As described above, the downlink packet token counter value may be set by any of the foregoing three methods in order to count packet forwarding. If the downlink packet token counter is zero, too many downlink packets have been sent and the downlink should be stopped.
  • Step 302: if the downlink packet token counter is zero, discard the downlink packet, and set the uplink packet token counter to full.
  • When the downlink packet token counter is zero and the downlink must be stopped, the downlink packet is discarded. Because a downlink packet has nonetheless arrived, the uplink packet token counter is set to full, indicating that uplink packets may pass. Filling the uplink packet token counter may also be performed when the gateway receives the downlink packet sent by the server; this embodiment is not limited in this respect.
  • The uplink packet token counter value may likewise be set by any of the foregoing three methods in order to count packet forwarding.
  • Step 303: if the downlink packet token counter is not zero, decrement the downlink packet token counter by one, set the uplink packet token counter to full, and forward the downlink packet to the client.
  • When the downlink packet token counter is not zero, downlink packets may continue to be sent: the downlink packet is forwarded to the client and the downlink packet token counter is decremented by one, indicating that one fewer downlink packet may be sent. Similarly, because a downlink packet has arrived, the uplink packet token counter is set to full, indicating that uplink packets may pass; filling the uplink packet token counter may also be performed when the gateway receives the downlink packet sent by the server, and this embodiment is not limited in this respect.
  • The method of this embodiment applies not only to TCP flows but also to UDP flows; details are not repeated here.
  • The method provided by the embodiments of the present invention monitors the forwarding of flow-based uplink and downlink packets through a token mechanism; by handling the uplink and downlink packet flows together it solves the problem of excessive one-way uplink or downlink traffic and prevents any one-way over-delivery. Because the mechanism is implemented flow by flow, it does not affect the user's normal traffic, and because it needs only simple counting and comparison, it is simple to implement.
  • The gateway of this embodiment (FIG. 4) includes: a receiving unit 41 configured to receive an uplink packet sent by the client or a downlink packet sent by the server;
  • the uplink packet sent by the client or the downlink packet sent by the server being a Transmission Control Protocol packet or a User Datagram Protocol packet;
  • a logic unit 42 configured to determine, when the receiving unit 41 receives an uplink packet sent by the client, whether the uplink packet is an ICMP unreachable packet, and, when it is not, whether the uplink packet token counter is zero;
  • a processing unit 43 configured to set the downlink packet token counter to full when the logic unit 42 determines that the uplink packet is not an ICMP unreachable packet, to discard the uplink packet when the logic unit 42 determines that the uplink packet token counter is zero, and to decrement the uplink packet token counter by one when the logic unit 42 determines that it is not zero;
  • a sending unit 44 configured to forward the uplink packet to the server when the logic unit 42 determines that the uplink packet token counter is not zero.
  • The processing unit 43 is further configured to clear the downlink packet token counter when the logic unit 42 determines that the uplink packet is an ICMP unreachable packet.
  • The logic unit 42 is further configured to determine, when the receiving unit 41 receives a downlink packet sent by the server, whether the downlink packet token counter is zero;
  • the processing unit 43 is further configured to set the uplink packet token counter to full when the receiving unit 41 receives a downlink packet sent by the server, to discard the downlink packet when the logic unit 42 determines that the downlink packet token counter is zero, and to decrement the downlink packet token counter by one when the logic unit 42 determines that it is not zero;
  • the sending unit 44 is further configured to forward the downlink packet to the client.
  • The gateway further includes a setting unit 45 configured to preset the uplink packet token counter value and the downlink packet token counter value; or, after the receiving unit 41 receives an uplink packet sent by the client or a downlink packet sent by the server, to learn the service type using the deep packet inspection capability and set the uplink or downlink packet token counter value with reference to that service type; or, after the uplink and downlink packet token counter values have been preset and the receiving unit 41 receives an uplink packet from the client or a downlink packet from the server, to learn the service type using the deep packet inspection capability and adjust the uplink or downlink packet token counter value according to it. The setting unit 45 provides these values to the logic unit 42 for judging the packet counts and to the processing unit 43 for resetting the counters.
  • The components of the gateway in this embodiment respectively implement the steps of the foregoing method; since those steps have been described in detail in the method embodiments, they are not repeated here.
  • The gateway provided by the embodiments of the present invention monitors the forwarding of flow-based uplink and downlink packets through a token mechanism; by handling the uplink and downlink packet flows together it solves the problem of excessive one-way uplink or downlink traffic and prevents any one-way over-delivery. Because the mechanism is implemented flow by flow, it does not affect the user's normal traffic, and because it needs only simple counting and comparison, it is simple to implement.
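The two-counter flow logic of FIG. 2 and FIG. 3, as an added simulation that is not code from the patent or from Huawei: it runs a constructed packet sequence through a per-flow gateway model so the refill, decrement, drop and ICMP-clear steps can be watched together. The per-service limits are the figures the description quotes; the flow key, the packet model and the treatment of the ICMP unreachable message itself are assumptions.

```python
"""Per-flow token counters of WO2011110079A1 (FIG. 2 uplink, FIG. 3 downlink).

Added illustration, not code from the patent or from Huawei. The per-service
limits (HTTP 5 downlink / 5 uplink, RTSP 50 downlink / 10 uplink) are the
figures quoted in the description; the flow key, the Packet model and the
treatment of the ICMP unreachable message itself are assumptions of this model.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Packets one direction may send per packet seen in the other direction:
# "down" is the refill value of the downlink counter (refilled by an uplink
# packet), "up" the refill value of the uplink counter (refilled by a downlink
# packet), per service type as in the description.
SERVICE_LIMITS: Dict[str, Dict[str, int]] = {
    "http": {"down": 5, "up": 5},
    "rtsp": {"down": 50, "up": 10},
}

FlowKey = Tuple[str, int, str, int, str]  # client ip, port, server ip, port, proto


@dataclass
class Packet:
    flow: FlowKey
    direction: str                  # "up" (client -> server) or "down" (server -> client)
    icmp_unreachable: bool = False  # uplink ICMP unreachable returned by the client
    service: str = "http"           # service type as DPI would classify the flow (assumed)


@dataclass
class FlowState:
    up_tokens: int    # uplink packet token counter
    down_tokens: int  # downlink packet token counter
    forwarded: int = 0
    dropped: int = 0


class TokenGateway:
    """Gateway-side decision per packet: 'forward' or 'drop'."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, FlowState] = {}

    def _state(self, pkt: Packet) -> FlowState:
        # A new flow starts with both counters full (assumption; the patent only
        # says the values are preset or derived from DPI).
        lim = SERVICE_LIMITS[pkt.service]
        return self.flows.setdefault(pkt.flow, FlowState(lim["up"], lim["down"]))

    def handle(self, pkt: Packet) -> str:
        st = self._state(pkt)
        lim = SERVICE_LIMITS[pkt.service]
        if pkt.direction == "up":
            if pkt.icmp_unreachable:
                # Step 201: an ICMP unreachable from the client marks the downlink
                # as suspect; clear the downlink counter so nothing more goes down
                # until a normal uplink packet refills it. Passing the ICMP message
                # on without spending an uplink token is an assumption.
                st.down_tokens = 0
                decision = "forward"
            else:
                # Steps 202-204: a normal uplink packet refills the downlink
                # counter, then spends one uplink token if any is left.
                st.down_tokens = lim["down"]
                if st.up_tokens == 0:
                    decision = "drop"
                else:
                    st.up_tokens -= 1
                    decision = "forward"
        else:
            # Steps 301-303: a downlink packet refills the uplink counter, then
            # spends one downlink token if any is left.
            st.up_tokens = lim["up"]
            if st.down_tokens == 0:
                decision = "drop"
            else:
                st.down_tokens -= 1
                decision = "forward"
        if decision == "forward":
            st.forwarded += 1
        else:
            st.dropped += 1
        return decision


def over_billing_scenario() -> List[str]:
    """Constructed HTTP flow: one client request, a server that keeps sending
    regardless of the client, an ICMP unreachable, then normal traffic again."""
    flow: FlowKey = ("10.0.0.2", 40000, "203.0.113.5", 80, "tcp")  # constructed
    gw = TokenGateway()
    up = Packet(flow, "up")
    down = Packet(flow, "down")
    icmp = Packet(flow, "up", icmp_unreachable=True)
    sequence = [up] + [down] * 8 + [icmp] + [down] * 2 + [up, down]
    return [gw.handle(p) for p in sequence]


if __name__ == "__main__":
    # Of the 11 downlink packets only the 5 covered by the first request and the
    # 1 after the second request are forwarded (and hence charged).
    print(" ".join("F" if d == "forward" else "D" for d in over_billing_scenario()))
```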

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of the present invention provide a message forwarding method and gateway for avoiding network attacks. Said method includes: when receiving an uplink message transmitted from a client, judging whether said uplink message is an Internet Control Message Protocol (ICMP) unreachable message; if said uplink message is not an ICMP unreachable message, setting a downlink message token counter as full; judging whether an uplink message token counter is equal to zero; if the uplink message token counter is equal to zero, discarding said uplink message; and if the uplink message token counter is not equal to zero, subtracting one from the numerical value of the uplink message token counter and forwarding said uplink message to a server side. Through a token mechanism, the method and gateway provided by the embodiments of the present invention monitor the forwarding procedure of stream-based uplink and downlink messages and avoid the situation of any excessive unidirectional packet transmission.

Description

Message forwarding method and gateway for preventing network attacks
This application claims priority to Chinese Patent Application No. 201010270874.0, entitled "Message Forwarding Method and Gateway for Preventing Network Attacks", filed with the Chinese Patent Office on August 31, 2010, the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to network attacks, and in particular to a packet forwarding method and a gateway for preventing network attacks.
Background
Over Billing is a common network attack. Its principle is that a server on the Internet uses the client IP address it has detected to penetrate the firewall through a connection already established with the client and sends the client a large number of packets, so that the client is charged incorrectly. The client is then over-charged, which leads to user complaints.
To solve this problem, QoS guarantee technology can be used to rate-limit downlink traffic on the gateway side according to the client's QoS subscription, so that packets from the server exceeding the subscribed QoS are discarded. However, if the subscribed QoS is large, the server can still send many downlink packets and the charging error remains large. Therefore the gateway is currently coupled with the firewall: the gateway signals the user's online status to the firewall, and the firewall clears and completely blocks the flows associated with the IP address of a user who has gone offline. When the user uses that IP address again, the connection initiated by the server is no longer valid and its packets cannot go downlink, which protects the user. This approach still has the following drawbacks: 1. for online users there is no good way to block malicious downlink traffic; 2. custom interfaces between gateway devices and firewalls must be developed, and these are difficult to use between devices of different manufacturers.
Summary of the invention
The embodiments of the invention provide a packet forwarding method and a gateway for preventing network attacks, so as to avoid malicious charging caused by an Over Billing attack initiated from the network side and to improve the end user's experience.
The above object of the embodiments of the present invention is achieved by the following technical solutions:
A packet forwarding method for preventing a network attack, the method including:
when an uplink packet sent by the client is received, determining whether the uplink packet is an ICMP unreachable packet;
if the uplink packet is not an ICMP unreachable packet, setting the downlink packet token counter to full;
determining whether the uplink packet token counter is zero;
if the uplink packet token counter is zero, discarding the uplink packet;
if the uplink packet token counter is not zero, decrementing the uplink packet token counter by one and forwarding the uplink packet to the server.
A gateway, the gateway including:
a receiving unit configured to receive an uplink packet sent by the client or a downlink packet sent by the server;
a logic unit configured to determine, when the receiving unit receives an uplink packet sent by the client, whether the uplink packet is an ICMP unreachable packet, and, when the uplink packet is not an ICMP unreachable packet, whether the uplink packet token counter is zero;
a processing unit configured to set the downlink packet token counter to full when the logic unit determines that the uplink packet is not an ICMP unreachable packet, to discard the uplink packet when the logic unit determines that the uplink packet token counter is zero, and to decrement the uplink packet token counter by one when the logic unit determines that the uplink packet token counter is not zero;
a sending unit configured to forward the uplink packet to the server when the logic unit determines that the uplink packet token counter is not zero.
A packet forwarding method for preventing a network attack, the method including:
when a downlink packet sent by the server is received, setting the uplink packet token counter to full; determining whether the downlink packet token counter is zero;
if the downlink packet token counter is zero, discarding the downlink packet;
if the downlink packet token counter is not zero, decrementing the downlink packet token counter by one and forwarding the downlink packet to the client. The method and gateway provided by the embodiments of the present invention monitor the forwarding of flow-based uplink and downlink packets through a token mechanism and prevent excessive packet transmission in either direction.
Brief description of the drawings
The drawings described here are provided for a further understanding of the invention and form part of this application; they do not limit the invention. In the drawings:
FIG. 1 is a schematic diagram of the network architecture in which the method of an embodiment of the present invention is applied to a gateway;
FIG. 2 is a flowchart of a method according to an embodiment of the present invention;
FIG. 3 is a flowchart of a method according to another embodiment of the present invention;
FIG. 4 is a structural block diagram of a gateway according to an embodiment of the present invention.
Detailed description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the embodiments are described in further detail below with reference to the embodiments and the drawings. The illustrative embodiments and their description are intended to explain the invention, not to limit it.
FIG. 1 is a schematic diagram of the network architecture in which the packet forwarding method of this embodiment is applied to a gateway. Referring to FIG. 1, besides the gateway GGSN the architecture includes a client UE and a server. In the gateway GGSN, the number of downlink packets the server is allowed per uplink packet may be preset, that is, the downlink packet token counter value may be preset. Alternatively, after an uplink packet is received, deep packet inspection (DPI) may be used to learn the service type, and the number of downlink packets allowed per uplink packet is then defined with reference to the service type, that is, the downlink packet token counter value is set accordingly; for example, an HTTP connection may be allowed 5 downlink packets and an RTSP connection 50. Or, after the downlink packet token counter value has been preset, DPI may be used on receipt of an uplink packet to learn the service type and adjust the counter value with reference to it. Packets exceeding the defined value are discarded at the gateway GGSN, which stops the server from over-sending packets regardless of the client's ability to respond. Similarly, in the gateway GGSN the number of uplink packets the client is allowed per downlink packet may be preset, that is, the uplink packet token counter value may be preset; or DPI may be used to learn the service type and define the number of uplink packets allowed per downlink packet with reference to it, that is, the uplink packet token counter value is set accordingly, for example 5 for an HTTP connection and 10 for an RTSP connection; or, after the uplink packet token counter value has been preset, DPI may be used on receipt of a downlink packet to learn the service type and adjust the counter value with reference to it. Packets exceeding this value are likewise discarded at the gateway GGSN, which prevents the client from sending too many packets to the server.
FIG. 2 and FIG. 3 are flowcharts of the packet forwarding method for preventing network attacks provided by an embodiment of the present invention. The method is applied to a gateway: the gateway monitors the flow information, for example TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) flows, established by a client while using a service, detects the number of uplink and downlink packets, and uses the uplink/downlink packets as tokens to control packet forwarding. Specifically:
FIG. 2 is a flowchart of the packet forwarding method for preventing network attacks provided by an embodiment of the present invention for the case in which the gateway receives an uplink packet sent by the client. Referring to FIG. 2, the method includes:
Step 201: determine whether the uplink packet is an ICMP unreachable packet;
Where malicious packets appear in the downlink direction, for example where the server sends packets to the client frequently without regard to the client's response capability, such packets are very likely malicious, and this may cause ICMP unreachable packets to appear in the uplink direction. As another example, when a downlink packet from the Server is delivered to the client and the client is not listening on that port, the client treats the packet as illegal and returns an ICMP unreachable packet to the Server.
Step 202: if the uplink packet is not an ICMP unreachable packet, determine whether the uplink packet token counter is zero;
As described above, in this embodiment the count of the uplink packet token counter may be set by any of the three methods described above in order to count packet forwarding. If the uplink packet token counter is zero, too many uplink packets have been sent and the uplink should be stopped.
Step 203: if the uplink packet token counter is zero, discard the uplink packet and then set the downlink packet token counter to full;
Since the uplink packet token counter is zero, the uplink needs to be stopped, so the uplink packet can be discarded. Because an uplink packet has arrived, the downlink packet token counter is also set to full, indicating that downlink packets may pass freely. The operation of setting the downlink packet token counter to full may also be placed in step 202; this embodiment is not limited in this respect.
As described above, in this embodiment the count of the downlink packet token counter may be set by any of the three methods described above in order to count packet forwarding.
Step 204: if the uplink packet token counter is not zero, decrement the uplink packet token counter by one, then set the downlink packet token counter to full, and forward the uplink packet to the server.
Since the uplink packet token counter is not zero, further uplink packets may still be sent, so the uplink packet is forwarded to the server and at the same time the uplink packet token counter is decremented by one, indicating that one fewer uplink packet may be sent. Likewise, because an uplink packet has arrived, the downlink packet token counter is set to full, indicating that downlink packets may pass freely. The operation of setting the downlink packet token counter to full may also be placed in step 202; this embodiment is not limited in this respect.
In this embodiment, if the result of the determination in step 201 is that the uplink packet is an ICMP unreachable packet, then, as described above, malicious packets may have appeared in the downlink direction; in this case the downlink packet token counter is cleared to zero, that is, forwarding of downlink packets is prohibited. The method of this embodiment applies not only to TCP flows but equally to UDP flows, which is not described again here.
At present the gateway, acting as a forwarding device, pays no attention to the health of a packet flow, so the client inevitably receives malicious packets and can only respond passively by dropping them. The method provided by this embodiment lets the gateway determine whether a packet flow is normal and drop packets before the gateway performs charging, thereby reducing charging errors.
FIG. 3 is a flowchart of the packet forwarding method for preventing network attacks provided by an embodiment of the present invention for the case in which the gateway receives a downlink packet sent by the server. It should be noted that the method of this embodiment may be performed on its own or in combination with the method of the embodiment shown in FIG. 2; this embodiment is not limited in this respect, and when combined with the method of FIG. 2 no particular order between them is required. Referring to FIG. 3, the method includes:
Step 301: determine whether the downlink packet token counter is zero;
As described above, in this embodiment the count of the downlink packet token counter may be set by any of the three methods described above in order to count packet forwarding. If the downlink packet token counter is zero, too many downlink packets have been sent and the downlink should be stopped.
Step 302: if the downlink packet token counter is zero, discard the downlink packet and then set the uplink packet token counter to full;
Since the downlink packet token counter is zero, the downlink needs to be stopped, so the downlink packet can be discarded. Because a downlink packet has arrived, the uplink packet token counter is also set to full, indicating that uplink packets may pass freely. The operation of setting the uplink packet token counter to full may also be performed at the moment the gateway receives the downlink packet sent by the server; this embodiment is not limited in this respect.
As described above, in this embodiment the count of the uplink packet token counter may be set by any of the three methods described above in order to count packet forwarding.
Step 303: if the downlink packet token counter is not zero, decrement the downlink packet token counter by one, then set the uplink packet token counter to full, and forward the downlink packet to the client.
Since the downlink packet token counter is not zero, further downlink packets may still be sent, so the downlink packet is forwarded to the client and at the same time the downlink packet token counter is decremented by one, indicating that one fewer downlink packet may be sent. Likewise, because a downlink packet has arrived, the uplink packet token counter is set to full, indicating that uplink packets may pass freely. The operation of setting the uplink packet token counter to full may also be performed at the moment the gateway receives the downlink packet sent by the server; this embodiment is not limited in this respect.
The method of this embodiment applies not only to TCP flows but equally to UDP flows, which is not described again here.
At present the gateway, acting as a forwarding device, pays no attention to the health of a packet flow, so the client inevitably receives malicious packets and can only respond passively by dropping them. The method provided by this embodiment lets the gateway determine whether a packet flow is normal and drop packets before the gateway performs charging, thereby reducing charging errors.
The method provided by the embodiment of the present invention monitors the forwarding of flow-based uplink and downlink packets by means of a token mechanism. By handling the uplink and downlink packet flows it solves the problem of excessive one-directional uplink or downlink traffic and prevents any one-directional over-sending of packets. Because the mechanism is implemented per flow, it does not affect the user's normal service delivery; and since the scheme requires only a simple count and comparison, it is simple to implement.
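As an added example, not part of the patent text, the following Python model implements the per-flow token counters described for FIG. 1 (counter sizes chosen per service type) and the forwarding steps of FIG. 2 and FIG. 3, so that the bounding behaviour can be checked against constructed packet traces. The flow key, the default counter sizes used before DPI classification, the `run_trace` helper and the choice to relay the ICMP unreachable packet itself are assumptions of this example, not statements of the patent.

```python
# Added illustration (not from the patent): per-flow uplink/downlink token
# counters as described for FIG. 1 (sizing by service type) and the
# forwarding decisions of FIG. 2 / FIG. 3.
from dataclasses import dataclass

# Per-service counter sizes quoted in the description: HTTP allows 5 downlink
# packets per uplink packet and 5 uplink packets per downlink packet; RTSP
# allows 50 downlink per uplink and 10 uplink per downlink.
SERVICE_LIMITS = {
    "http": {"up": 5, "down": 5},
    "rtsp": {"up": 10, "down": 50},
}
# Assumed preset applied before DPI has classified the flow (not in the text).
DEFAULT_LIMITS = {"up": 5, "down": 5}


@dataclass
class FlowState:
    up_max: int        # count of the uplink packet token counter
    down_max: int      # count of the downlink packet token counter
    up_tokens: int     # uplink tokens currently available
    down_tokens: int   # downlink tokens currently available


class TokenGateway:
    """Per-flow token counters; one FlowState per constructed flow key."""

    def __init__(self, default_limits=DEFAULT_LIMITS):
        self.default_limits = dict(default_limits)
        self.flows = {}

    def _flow(self, key):
        # Method 1 of the description: counters preset when the flow is first seen.
        if key not in self.flows:
            d = self.default_limits
            self.flows[key] = FlowState(d["up"], d["down"], d["up"], d["down"])
        return self.flows[key]

    def classify(self, key, service):
        # Method 3: DPI has identified the service type; adjust the preset
        # counts and trim any outstanding tokens to the new maxima.
        f = self._flow(key)
        limits = SERVICE_LIMITS.get(service, self.default_limits)
        f.up_max, f.down_max = limits["up"], limits["down"]
        f.up_tokens = min(f.up_tokens, f.up_max)
        f.down_tokens = min(f.down_tokens, f.down_max)

    def on_uplink(self, key, icmp_unreachable=False):
        """FIG. 2, steps 201-204. Returns 'forward' or 'drop'."""
        f = self._flow(key)
        if icmp_unreachable:
            # Step 201: the client is rejecting downlink traffic, so the
            # downlink counter is cleared and downlink forwarding stops.
            f.down_tokens = 0
            # Whether the ICMP packet itself is relayed is not specified by
            # the text; this example relays it (assumption).
            return "forward"
        if f.up_tokens == 0:
            # Step 203: uplink budget exhausted, drop the packet; an uplink
            # packet still arrived, so the downlink counter is refilled.
            f.down_tokens = f.down_max
            return "drop"
        # Step 204: spend one uplink token, refill downlink, forward.
        f.up_tokens -= 1
        f.down_tokens = f.down_max
        return "forward"

    def on_downlink(self, key):
        """FIG. 3, steps 301-303. Returns 'forward' or 'drop'."""
        f = self._flow(key)
        if f.down_tokens == 0:
            # Step 302: downlink budget exhausted, drop; refill uplink.
            f.up_tokens = f.up_max
            return "drop"
        # Step 303: spend one downlink token, refill uplink, forward.
        f.down_tokens -= 1
        f.up_tokens = f.up_max
        return "forward"


def run_trace(gateway, key, trace):
    """Replay a constructed packet trace: 'U' = uplink packet, 'D' = downlink
    packet, 'I' = uplink ICMP unreachable. Returns the per-packet decisions."""
    decisions = []
    for ev in trace:
        if ev == "U":
            decisions.append(gateway.on_uplink(key))
        elif ev == "I":
            decisions.append(gateway.on_uplink(key, icmp_unreachable=True))
        elif ev == "D":
            decisions.append(gateway.on_downlink(key))
        else:
            raise ValueError("unknown trace event: %r" % ev)
    return decisions


if __name__ == "__main__":
    gw = TokenGateway()
    key = ("10.0.0.1", 40000, "203.0.113.5", 80, "tcp")  # constructed flow key
    gw.classify(key, "http")
    # One client request followed by a server flood of 8 packets: 5 are
    # forwarded, the remaining 3 are dropped at the gateway.
    print(run_trace(gw, key, "U" + "D" * 8))
```

The trace replay shows the property the description claims: after one uplink packet, an HTTP flow lets through at most 5 downlink packets before the server is cut off until the client speaks again, and a single uplink ICMP unreachable packet stops all downlink forwarding for that flow until the client sends a normal packet.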
FIG. 4 is a block diagram of the gateway provided by an embodiment of the present invention. Referring to FIG. 4, the gateway includes: a receiving unit 41, configured to receive an uplink packet sent by the client or a downlink packet sent by the server;
The uplink packet sent by the client or the downlink packet sent by the server that the receiving unit 41 receives is a Transmission Control Protocol packet or a User Datagram Protocol packet.
a logic unit 42, configured to determine, when the receiving unit 41 receives an uplink packet sent by the client, whether the uplink packet is an ICMP unreachable packet, and, when the uplink packet is not an ICMP unreachable packet, to determine whether the uplink packet token counter is zero; a processing unit 43, configured to set the downlink packet token counter to full when the logic unit 42 determines that the uplink packet is not an ICMP unreachable packet, to discard the uplink packet when the logic unit 42 determines that the uplink packet token counter is zero, or to decrement the uplink packet token counter by one when the logic unit 42 determines that the uplink packet token counter is not zero;
a sending unit 44, configured to forward the uplink packet to the server when the logic unit 42 determines that the uplink packet token counter is not zero.
In one embodiment, the processing unit 43 is further configured to clear the downlink packet token counter to zero when the logic unit 42 determines that the uplink packet is an ICMP unreachable packet.
In one embodiment:
the logic unit 42 is further configured to determine, when the receiving unit 41 receives a downlink packet sent by the server, whether the downlink packet token counter is zero;
the processing unit 43 is further configured to set the uplink packet token counter to full when the receiving unit 41 receives a downlink packet sent by the server, to discard the downlink packet when the logic unit 42 determines that the downlink packet token counter is zero, or to decrement the downlink packet token counter by one when the logic unit 42 determines that the downlink packet token counter is not zero;
the sending unit 44 is further configured to forward the downlink packet to the client.
In one embodiment, the gateway further includes:
a setting unit 45, configured to preset the count of the uplink packet token counter and the count of the downlink packet token counter; or, after the receiving unit 41 receives an uplink packet sent by the client or a downlink packet sent by the server, to learn the service type using deep packet inspection capability and set the count of the uplink packet token counter or of the downlink packet token counter with reference to the service type; or to preset the counts of the uplink and downlink packet token counters and, after an uplink packet sent by the client or a downlink packet sent by the server is received, to learn the service type using deep packet inspection capability and adjust the count of the uplink packet token counter or of the downlink packet token counter according to the service type. The counts are provided to the logic unit 42 for determining the number of packets and to the processing unit 43 for resetting the values.
The components of the gateway of this embodiment are respectively used to implement the steps of the foregoing method. Since each step has been described in detail in the method embodiments, they are not described again here.
The gateway provided by the embodiment of the present invention monitors the forwarding of flow-based uplink and downlink packets by means of a token mechanism. By handling the uplink and downlink packet flows it solves the problem of excessive one-directional uplink or downlink traffic and prevents any one-directional over-sending of packets. Because the mechanism is implemented per flow, it does not affect the user's normal service delivery; and since the scheme requires only a simple count and comparison, it is simple to implement.
The specific embodiments described above further describe in detail the objectives, technical solutions and beneficial effects of the present invention. It should be understood that the above are merely specific embodiments of the present invention and are not intended to limit its scope of protection; any modification, equivalent replacement, improvement or the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims

1. A packet forwarding method for preventing network attacks, characterized in that the method includes: when an uplink packet sent by a client is received, determining whether the uplink packet is an ICMP unreachable packet;
if the uplink packet is not an ICMP unreachable packet, setting a downlink packet token counter to full;
determining whether an uplink packet token counter is zero;
if the uplink packet token counter is zero, discarding the uplink packet;
if the uplink packet token counter is not zero, decrementing the uplink packet token counter by one and forwarding the uplink packet to the server.
2. The method according to claim 1, characterized in that:
if the uplink packet is an ICMP unreachable packet, the downlink packet token counter is cleared to zero.
3. The method according to claim 1, characterized in that the method further includes: when a downlink packet sent by the server is received, setting the uplink packet token counter to full; determining whether the downlink packet token counter is zero;
if the downlink packet token counter is zero, discarding the downlink packet;
if the downlink packet token counter is not zero, decrementing the downlink packet token counter by one and forwarding the downlink packet to the client.
4. The method according to claim 3, characterized in that the uplink packet or the downlink packet is a Transmission Control Protocol packet or a User Datagram Protocol packet.
5. The method according to claim 3, characterized in that the method further includes: presetting the count of the uplink packet token counter and the count of the downlink packet token counter; or, after an uplink packet sent by the client or a downlink packet sent by the server is received, learning the service type using deep packet inspection capability and setting the count of the uplink packet token counter or the count of the downlink packet token counter according to the service type; or
presetting the count of the uplink packet token counter and the count of the downlink packet token counter and, after an uplink packet sent by the client or a downlink packet sent by the server is received, learning the service type using deep packet inspection capability and adjusting the count of the uplink packet token counter or the count of the downlink packet token counter according to the service type.
6. A packet forwarding method for preventing network attacks, characterized in that the method includes: when a downlink packet sent by a server is received, setting an uplink packet token counter to full; determining whether a downlink packet token counter is zero;
if the downlink packet token counter is zero, discarding the downlink packet;
if the downlink packet token counter is not zero, decrementing the downlink packet token counter by one and forwarding the downlink packet to the client.
7. The method according to claim 6, characterized in that the downlink packet is a Transmission Control Protocol packet or a User Datagram Protocol packet.
8. The method according to claim 6, characterized in that the method further includes: presetting the count of the uplink packet token counter and the count of the downlink packet token counter; or
after an uplink packet sent by the client or a downlink packet sent by the server is received, learning the service type using deep packet inspection capability and setting the count of the uplink packet token counter or the count of the downlink packet token counter according to the service type; or
presetting the count of the uplink packet token counter and the count of the downlink packet token counter and, after an uplink packet sent by the client or a downlink packet sent by the server is received, learning the service type using deep packet inspection capability and adjusting the count of the uplink packet token counter or the count of the downlink packet token counter according to the service type.
9. A gateway, characterized in that the gateway includes:
a receiving unit, configured to receive an uplink packet sent by a client or a downlink packet sent by a server; a logic unit, configured to determine, when the receiving unit receives an uplink packet sent by the client, whether the uplink packet is an ICMP unreachable packet, and, when the uplink packet is not an ICMP unreachable packet, to determine whether an uplink packet token counter is zero;
a processing unit, configured to set a downlink packet token counter to full when the logic unit determines that the uplink packet is not an ICMP unreachable packet, to discard the uplink packet when the logic unit determines that the uplink packet token counter is zero, or to decrement the uplink packet token counter by one when the logic unit determines that the uplink packet token counter is not zero;
a sending unit, configured to forward the uplink packet to the server when the logic unit determines that the uplink packet token counter is not zero.
10. The gateway according to claim 9, characterized in that:
the processing unit is further configured to clear the downlink packet token counter to zero when the logic unit determines that the uplink packet is an ICMP unreachable packet.
11. The gateway according to claim 9, characterized in that:
the logic unit is further configured to determine, when the receiving unit receives a downlink packet sent by the server, whether the downlink packet token counter is zero;
the processing unit is further configured to set the uplink packet token counter to full when the receiving unit receives a downlink packet sent by the server, to discard the downlink packet when the logic unit determines that the downlink packet token counter is zero, or to decrement the downlink packet token counter by one when the logic unit determines that the downlink packet token counter is not zero; and the sending unit is further configured to forward the downlink packet to the client.
12. The gateway according to claim 11, characterized in that the uplink packet sent by the client or the downlink packet sent by the server that the receiving unit receives is a Transmission Control Protocol packet or a User Datagram Protocol packet.
13. The gateway according to claim 9, characterized in that the gateway further includes: a setting unit, configured to preset the count of the uplink packet token counter and the count of the downlink packet token counter; or, after the receiving unit receives an uplink packet sent by the client or a downlink packet sent by the server, to learn the service type using deep packet inspection capability and set the count of the uplink packet token counter or the count of the downlink packet token counter according to the service type; or to preset the count of the uplink packet token counter and the count of the downlink packet token counter and, after an uplink packet sent by the client or a downlink packet sent by the server is received, to learn the service type using deep packet inspection capability and adjust the count of the uplink packet token counter or the count of the downlink packet token counter according to the service type.
PCT/CN2011/071597 2010-08-31 2011-03-08 Message forwarding method for avoiding network attacks and gateway WO2011110079A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2010102708740A CN101917450B (en) 2010-08-31 2010-08-31 Message forwarding method for preventing network attack and gateway
CN201010270874.0 2010-08-31

Publications (1)

Publication Number Publication Date
WO2011110079A1 true WO2011110079A1 (en) 2011-09-15

Family

ID=43324834

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/071597 WO2011110079A1 (en) 2010-08-31 2011-03-08 Message forwarding method for avoiding network attacks and gateway

Country Status (2)

Country Link
CN (1) CN101917450B (en)
WO (1) WO2011110079A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101917450B (en) * 2010-08-31 2013-08-07 华为技术有限公司 Message forwarding method for preventing network attack and gateway
CN103281333B (en) * 2013-06-17 2016-12-28 山石网科通信技术有限公司 The retransmission method of data stream and device
CN106301832B (en) * 2015-05-21 2020-04-03 中兴通讯股份有限公司 Method and device for processing system log message

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101123492A (en) * 2007-09-06 2008-02-13 杭州华三通信技术有限公司 Method and device for detecting scanning attack
US20090116426A1 (en) * 2007-11-05 2009-05-07 Qualcomm Incorporated Sdu discard mechanisms for wireless communication systems
CN101494639A (en) * 2008-01-25 2009-07-29 华为技术有限公司 Method and apparatus for preventing aggression in packet communication system
CN101917450A (en) * 2010-08-31 2010-12-15 华为技术有限公司 Message forwarding method for preventing network attack and gateway


Also Published As

Publication number Publication date
CN101917450A (en) 2010-12-15
CN101917450B (en) 2013-08-07

Similar Documents

Publication Publication Date Title
Balakrishnan et al. The congestion manager
Perkins et al. Multimedia congestion control: Circuit breakers for unicast RTP sessions
Floyd et al. Quick-Start for TCP and IP
US7835285B2 (en) Quality of service, policy enhanced hierarchical disruption tolerant networking system and method
WO2009089701A1 (en) Method and system for packet inspection
WO2008138196A1 (en) Method and device for reporting information
JP2021516012A (en) Flow management in the network
WO2014075485A1 (en) Processing method for network address translation technology, nat device and bng device
US9820183B2 (en) User plane congestion control
CN106656648A (en) Application flow dynamic protection method and system based on household gateway, and household gateway
WO2015149353A1 (en) Oam packet processing method, network device and network system
WO2011035589A1 (en) Bandwidth controlling method and device, evolved packet system and gateway
WO2017143897A1 (en) Method, device, and system for handling attacks
JP5506591B2 (en) Communication system and communication quality control method
WO2011110079A1 (en) Message forwarding method for avoiding network attacks and gateway
JP2005086520A (en) Congestion control system in client server type service
Mathis et al. Congestion exposure (conex) concepts, abstract mechanism, and requirements
JP2011166418A (en) Communication control method for improving throughput, communication system, and program for the same
Zaghal et al. EFSM/SDL modeling of the original TCP standard (RFC793) and the Congestion Control Mechanism of TCP Reno
CN108449280B (en) Method and device for avoiding ping-pong of TCP (Transmission control protocol) messages
JP2004180315A (en) Improved protocol performance using ack filtering
WO2014117705A1 (en) Data service acceleration method and device
Kulatunga et al. Enforcing layered multicast congestion control using ECN-nonce
Geva et al. QoSoDoS: If you can't beat them, join them!
US8169901B1 (en) Method and apparatus for controlling access to a media port

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11752822

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11752822

Country of ref document: EP

Kind code of ref document: A1