WO2017041656A1 - Traffic processing method, device and system - Google Patents

Traffic processing method, device and system

Info

Publication number: WO2017041656A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2016/097500
Prior art keywords: defense, traffic, destination address, dns, cleaning
Other languages: French (fr), Chinese (zh)
Inventors: 李阳, 董宝强, 赵洪日, 张毅
Original assignee: 阿里巴巴集团控股有限公司 (Alibaba Group Holding Limited)
Application filed by 阿里巴巴集团控股有限公司
Publication of WO2017041656A1

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/10 Flow control; congestion control
    • H04L 47/12 Avoiding congestion; recovering from congestion
    • H04L 47/125 Avoiding congestion; recovering from congestion by balancing the load, e.g. traffic engineering
    • H04L 47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L 47/2416 Real-time traffic
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; name-to-address mapping
    • H04L 61/4505 Network directories; name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H04L 67/61 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources taking into account QoS or priority requirements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed are a traffic processing method, device and system, applied to a system comprising an elementary (primary) defence device and an advanced defence device, where the traffic cleaning capability of the advanced defence device is higher than that of the elementary defence device. The method comprises: a management and control device monitoring whether the load of the elementary defence device cleaning the user traffic is greater than a first threshold; if so, the management and control device transferring the traffic processed by the elementary defence device to the advanced defence device for cleaning; and the management and control device controlling the transfer of the cleaned traffic to a service processing device for processing. Different defence devices can thus be selected for traffic cleaning according to the specific situation, which reduces usage costs. At the same time, this sequence of operations is carried out without being perceived by the user and requires no additional action from the user, so the user experience is improved by dynamically scheduling the defence device.

Description

Traffic processing method, device and system
This application claims priority to Chinese patent application No. 201510571803.7, filed on 9 September 2015 and entitled "Traffic processing method, device and system", the entire content of which is incorporated herein by reference.
Technical field
The embodiments of this application relate to the field of communications technology, and in particular to a traffic processing method, device and system.
Background
Figure 1 is a schematic diagram of a DDoS (Distributed Denial of Service) attack: an attacker uses compromised hosts (zombies, or bots) to launch a DDoS attack, the attack exhausts the resources of the service server, and normal users are consequently denied service. Existing defenses against DDoS attacks include:
1. DDoS traffic cleaning (scrubbing). This is currently the most common DDoS defense. A DDoS detection device detects the attack and raises an alert; when an attack is found, it notifies the off-path (bypass) traffic cleaning device to pull (divert) the traffic destined for the attacked destination IP, clean the attack traffic out of it, and re-inject the normal traffic.
2. Advertising a blackhole route in the carrier network. When the attack traffic exceeds what the service owner can absorb, the service owner sometimes has a blackhole route advertised in the carrier network so that other services in the same data center are not affected; this blocks access to the attacked IP and discards all DDoS traffic on the backbone network.
However, the defensive capability of elementary traffic cleaning is relatively low. To defend against larger DDoS attacks the cleaning equipment and bandwidth capacity must be continually upgraded, which drives costs up sharply. Moreover, cleaning equipment at the current stage cannot clean with 100% accuracy, so any diversion necessarily brings false positives (legitimate traffic dropped) and false negatives (attack traffic let through), which affects normal service access to some extent. Advertising a blackhole route, on the other hand, blocks all access to the IP, which amounts to the attack succeeding; even if the service's access IP is changed by means such as DNS (Domain Name System), part of the service is completely unavailable for a period of time.
It can be seen from the above that the current mainstream defense schemes described above cannot completely solve the DDoS problems currently encountered.
Summary of the invention
To address the defects of the prior art, in which DDoS defense cannot solve the problems of high cost and low efficiency and so affects the normal service of users, this application proposes a traffic processing method applied to a system comprising a primary defense device and an advanced defense device, where the traffic cleaning capability of the advanced defense device is higher than that of the primary defense device. The method comprises:
the control device monitoring whether the load of the primary defense device used to clean user traffic is greater than a first threshold;
if the monitoring result is yes, the control device transferring the traffic processed by the primary defense device to the advanced defense device for cleaning;
the control device controlling the transfer of the cleaned traffic to a service processing device for processing.
Optionally, the control device transferring the traffic processed by the primary defense device to the advanced defense device for cleaning specifically comprises:
the control device looking up an advanced defense device;
the control device allocating a first high-defense IP to the advanced defense device, where the first high-defense IP differs from the primary-defense IP of the primary defense device;
the control device modifying the destination address resolved by the enhanced DNS device to the first high-defense IP, so that the enhanced DNS device, based on the modified destination address, transfers the user's traffic to the advanced defense device corresponding to the first high-defense IP for cleaning.
Optionally, after the control device modifies the destination address resolved by the enhanced DNS device to the first high-defense IP so that the enhanced DNS device transfers the user's traffic to the advanced defense device based on the modified destination address, the method further comprises:
the control device monitoring whether the load of the advanced defense device performing traffic cleaning exceeds a second threshold;
if the monitoring result is yes, the control device creating a second high-defense IP, where the second high-defense IP differs from both the primary-defense IP of the primary defense device and the first high-defense IP;
the control device modifying the destination address resolved by the enhanced DNS device to the second high-defense IP, so that the enhanced DNS device, based on the modified destination address, transfers the user's traffic to the advanced defense device corresponding to the second high-defense IP for cleaning.
This application also proposes a traffic processing method comprising:
an enhanced DNS device receiving a DNS request from a user terminal;
the enhanced DNS device resolving the DNS request based on an index table it stores, which contains the correspondence between DNS requests and destination addresses, and returning the resolved destination address to the user.
Optionally, the enhanced DNS device receiving the DNS request from the user terminal specifically comprises:
the enhanced DNS device receiving the DNS request from the user terminal as forwarded by the user's DNS server.
Optionally, the destination addresses in the index table are modifiable, and the method further comprises:
the enhanced DNS device receiving an update message from the control device, the update message carrying an updated IP set by the control device and being used to modify the destination address in the index table to that updated IP;
the enhanced DNS device, on receiving a DNS request from the user terminal, performing domain name resolution based on the most recently modified index table and returning the resolved, most recently modified destination address to the user terminal.
This application also proposes a control device comprising:
a monitoring module, configured to monitor whether the load of the primary defense device used to clean user traffic is greater than a first threshold;
a transfer module, configured to transfer the traffic processed by the primary defense device to the advanced defense device for cleaning when the load of the primary defense device is greater than the first threshold;
a processing module, configured to control the transfer of the cleaned traffic to a service processing device for processing.
Optionally, the transfer module is specifically configured to:
look up an advanced defense device;
allocate a first high-defense IP to the advanced defense device, where the first high-defense IP differs from the primary-defense IP of the primary defense device;
modify the destination address resolved by the enhanced DNS device to the first high-defense IP, so that the enhanced DNS device, based on the modified destination address, transfers the user's traffic to the advanced defense device corresponding to the first high-defense IP for cleaning.
Optionally, the control device further comprises:
an operation module, configured to monitor whether the load of the advanced defense device performing traffic cleaning exceeds a second threshold;
when the monitoring result is yes, to create a second high-defense IP, where the second high-defense IP differs from both the primary-defense IP of the primary defense device and the first high-defense IP;
and to modify the destination address resolved by the enhanced DNS device to the second high-defense IP, so that the enhanced DNS device, based on the modified destination address, transfers the user's traffic to the advanced defense device corresponding to the second high-defense IP for cleaning.
This application also proposes an enhanced DNS device comprising:
a receiving module, configured to receive a DNS request from a user terminal;
a resolving module, configured to resolve the DNS request based on an index table stored by the device, which contains the correspondence between DNS requests and destination addresses, and to return the resolved destination address to the user.
Optionally, the receiving module is specifically configured to:
receive the DNS request from the user terminal as forwarded by the user's DNS server.
Optionally, the destination addresses in the index table are modifiable, and the resolving module is further configured to:
receive an update message from the control device, the update message carrying an updated IP set by the control device and being used to modify the destination address in the index table to that updated IP;
on receiving a DNS request from the user terminal, perform domain name resolution based on the most recently modified index table and return the resolved, most recently modified destination address to the user terminal.
This application also proposes a traffic processing system, applied to a system comprising a primary defense device and an advanced defense device, where the traffic cleaning capability of the advanced defense device is higher than that of the primary defense device. The system comprises:
a control device, configured to monitor whether the load of the primary defense device used to clean user traffic is greater than a first threshold; when the monitoring result is yes, to transfer the traffic processed by the primary defense device to the advanced defense device for cleaning; and to control the transfer of the cleaned traffic to a service processing device for processing;
an enhanced DNS device, configured to receive a DNS request from a user terminal, resolve the DNS request based on an index table it stores, which contains the correspondence between DNS requests and destination addresses, and return the resolved destination address to the user.
Compared with the prior art, the solution in this application first has the user's traffic cleaned by the primary defense device while monitoring the load of the primary defense device in real time, and switches to the advanced defense device for traffic cleaning when the primary defense device is overloaded. Different defense devices are thus selected for traffic cleaning according to the specific situation, which reduces usage cost. At the same time, this sequence of operations is carried out without the user's perception and requires no additional action from the user, so the user experience is improved by dynamically scheduling the defense devices.
Brief description of the drawings
Figure 1 is a schematic diagram of a DDoS attack;
Figure 2 is a schematic flowchart of a traffic processing method according to an embodiment of this application;
Figure 3 is a schematic flowchart of a traffic processing method according to an embodiment of this application;
Figure 4 is a schematic structural diagram of a control device according to an embodiment of this application;
Figure 5 is a schematic structural diagram of an enhanced DNS device according to an embodiment of this application;
Figure 6 is a schematic structural diagram of a traffic processing system according to an embodiment of this application.
Detailed description
As described in the background, the defenses in the prior art cannot achieve a good defensive effect: the cost of use is too high and the result is poor, which leads to a poor user experience. For this reason, the embodiments of this application propose a traffic processing method applied to a system comprising a primary defense device and an advanced defense device, where the traffic cleaning capability of the advanced defense device is higher than that of the primary defense device. As shown in Figure 2, the method comprises:
Step 201: the control device monitors whether the load of the primary defense device used to clean user traffic is greater than a first threshold.
Specifically, when illegal (attack) traffic is detected, the primary defense device is started first to clean it. The primary defense device may be IDC (Internet Data Center) equipment; because it is not dedicated traffic cleaning equipment and must also perform other functions, its capacity to clean illegal traffic is lower, but its cost of use is also lower, and it can cope with small volumes of illegal traffic. The control device monitors the load of the primary defense device in real time. Specifically, the load depends on the traffic cleaning capability of the primary defense device itself and on the traffic it is currently receiving. A threshold can be preset, for example 90%: when the cleaning capacity required by the traffic the primary defense device is receiving reaches 90% of its own traffic cleaning capability, its load is determined to be greater than the first threshold. The load and the first threshold can of course also be set on the basis of other conditions or factors, which are not described further here.
The monitoring has two outcomes. When the load is greater than the first threshold, step 202 is performed; if the load is not greater than the first threshold, the traffic cleaned by the primary defense device can be transferred to the service processing device to complete the corresponding service.
Step 202: if the monitoring result is yes, the control device transfers the traffic processed by the primary defense device to the advanced defense device for cleaning.
The specific transfer process may comprise: the control device looks up an advanced defense device; the control device allocates a first high-defense IP to the advanced defense device, where the first high-defense IP differs from the primary-defense IP of the primary defense device, so that the enhanced DNS device, based on the modified destination address, transfers the user's traffic to the advanced defense device corresponding to the first high-defense IP for cleaning.
Specifically, an enhanced DNS device is provided in this application, and the destination address it resolves can be changed. When it is determined that the load of the primary defense device is greater than the first threshold, that is, the primary defense device can no longer clean the traffic well, an advanced defense device is looked up first. The advanced defense device is dedicated to traffic cleaning, and its processing capacity, efficiency and accuracy are all higher than those of the primary defense device. A first high-defense IP, for example IP2, is allocated to the advanced defense device that was found (for example advanced defense device 1). Concretely, the control device may send an update message carrying IP2 to the enhanced DNS device in order to change the destination address resolved by the enhanced DNS device to IP2, where IP2 differs from the primary-defense IP of the primary defense device. For example, the enhanced DNS device stores an index table holding the correspondence between DNS requests and resolved destination addresses; in this case the control device sends a re-resolution command to the enhanced DNS device, the enhanced DNS device resolves again, and the destination address it resolves becomes the modified destination address, namely IP2. The traffic that was originally being cleaned at the primary defense device is thereby transferred to the advanced defense device (for example advanced defense device 1) for cleaning.
Once the traffic has been transferred to the advanced defense device for cleaning, it must be kept in mind that, although the processing capacity of the advanced defense device is much higher than that of the primary defense device, it is not unlimited, and compared with the attack traffic it may well still be insufficient. With this in mind, after transferring the traffic to the advanced defense device for cleaning, the following steps can also be performed:
the control device monitors whether the load of the advanced defense device performing traffic cleaning exceeds a second threshold; if the monitoring result is yes, the control device creates a second high-defense IP, where the second high-defense IP differs from both the primary-defense IP of the primary defense device and the first high-defense IP; the control device modifies the destination address resolved by the enhanced DNS device to the second high-defense IP, so that the enhanced DNS device, based on the modified destination address, transfers the user's traffic to the advanced defense device corresponding to the second high-defense IP for cleaning.
Specifically, suppose the load of advanced defense device 1 exceeds the second threshold. As with the primary defense device, the evaluation of its load and the setting of the second threshold can be based on the specific situation and are not described further here. The control device continuously monitors, in real time, the advanced defense device that is processing the traffic. For example, when it determines that the load of advanced defense device 1 exceeds the second threshold, it creates a new high-defense IP, namely the second high-defense IP, for example IP3, which differs from both the primary-defense IP of the primary defense device and the first high-defense IP. IP3 can likewise be carried in an update message so as to change the destination address resolved by the enhanced DNS device to IP3 and trigger the enhanced DNS device to perform domain name resolution again, thereby transferring the traffic to the advanced defense device corresponding to IP3. The advanced defense device corresponding to IP3 may be advanced defense device 1, that is, the advanced defense hardware is not replaced and only its IP is changed; alternatively a new advanced defense device, for example advanced defense device 2, may be looked up and IP3 assigned to it, that is, both the advanced defense device and the IP address are changed. After the IP address has been changed, the attack traffic originally aimed at the old IP no longer has any effect. Correspondingly, an attacker who wants to continue the attack faces a much higher attack cost, and if the advanced defense device is also changed the difficulty is greater still and the attack is even less likely to succeed, which achieves the purpose of defense.
Step 203: the control device controls the transfer of the cleaned traffic to the service processing device for processing.
Whether the traffic was cleaned by the primary defense device or by the advanced defense device, the cleaned traffic is transferred to the service processing device for processing, so that the corresponding service is delivered.
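The scheduling logic of steps 201 to 203, together with the second-threshold rotation, as an added example in Python that is not part of the patent. DefenseDevice, EnhancedDnsTable, Controller, the capacity figures, the traffic series and the addresses (RFC 5737 documentation ranges) are this example's assumptions; the patent fixes neither an API nor concrete numbers. The example goes slightly beyond the text in one respect: when the second threshold is exceeded it prefers an idle advanced device and otherwise rotates only the IP on the current hardware, the two options the description names, and it refuses to migrate when no unused high-defense IP remains rather than silently reusing one.

```python
"""Added example (not the patent's own code): a simulation of the control
device's scheduling in steps 201-203 plus the second-threshold rotation.
DefenseDevice, EnhancedDnsTable and Controller are this example's names; the
capacities, thresholds and addresses below are assumptions, not patent data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DefenseDevice:
    name: str
    capacity_gbps: float              # scrubbing capacity of the device
    ip: Optional[str] = None          # address currently advertised for it in DNS
    inbound_gbps: float = 0.0         # traffic currently arriving at this device

    def load(self) -> float:
        """Load as a fraction of scrubbing capacity (the patent's example threshold is 90%)."""
        return self.inbound_gbps / self.capacity_gbps


@dataclass
class EnhancedDnsTable:
    """Stand-in for the enhanced DNS device's index table: domain -> destination IP."""
    records: Dict[str, str] = field(default_factory=dict)

    def update(self, domain: str, ip: str) -> None:
        self.records[domain] = ip

    def resolve(self, domain: str) -> Optional[str]:
        return self.records.get(domain)


class Controller:
    """Control device: watches the active defense device and repoints DNS."""

    def __init__(self, domain: str, primary: DefenseDevice,
                 advanced: List[DefenseDevice], dns: EnhancedDnsTable,
                 spare_ips: List[str], first_threshold: float = 0.9,
                 second_threshold: float = 0.9) -> None:
        self.domain = domain
        self.primary = primary
        self.advanced = advanced
        self.dns = dns
        self.spare_ips = list(spare_ips)      # unused high-defense IPs, handed out in order
        self.first_threshold = first_threshold
        self.second_threshold = second_threshold
        self.active = primary
        self.history: List[str] = []
        self.dns.update(domain, primary.ip)   # normal state: the domain resolves to the primary device

    def _allocate_ip(self) -> str:
        """Each migration uses an IP that differs from every IP used before."""
        if not self.spare_ips:
            raise RuntimeError("no unused high-defense IP left")
        return self.spare_ips.pop(0)

    def _idle_advanced(self) -> Optional[DefenseDevice]:
        for dev in self.advanced:
            if dev is not self.active and dev.inbound_gbps == 0.0:
                return dev
        return None

    def _migrate(self, target: DefenseDevice) -> None:
        """Assign a fresh high-defense IP to target and repoint DNS so the traffic follows."""
        target.ip = self._allocate_ip()
        self.dns.update(self.domain, target.ip)
        if target is not self.active:
            target.inbound_gbps = self.active.inbound_gbps
            self.active.inbound_gbps = 0.0
        self.history.append(f"{self.active.name} -> {target.name} via {target.ip}")
        self.active = target

    def step(self, inbound_gbps: float) -> str:
        """One monitoring cycle with the traffic now hitting the active device.
        Returns the IP the domain resolves to after this cycle."""
        self.active.inbound_gbps = inbound_gbps
        if self.active is self.primary:
            if self.primary.load() > self.first_threshold:           # step 201 -> step 202
                target = self._idle_advanced()
                if target is None:
                    raise RuntimeError("no advanced defense device available")
                self._migrate(target)
        elif self.active.load() > self.second_threshold:             # second threshold
            # Prefer a spare advanced device; otherwise keep the hardware and change only the IP.
            self._migrate(self._idle_advanced() or self.active)
        return self.dns.resolve(self.domain)


def demo() -> Tuple[Controller, List[str]]:
    """Constructed scenario: the attack ramps from 5 to 95 Gbps over four monitoring cycles."""
    primary = DefenseDevice("idc-primary", capacity_gbps=10.0, ip="192.0.2.10")
    scrubbers = [DefenseDevice("scrubber-1", capacity_gbps=100.0),
                 DefenseDevice("scrubber-2", capacity_gbps=300.0)]
    ctl = Controller("www.example.com", primary, scrubbers, EnhancedDnsTable(),
                     spare_ips=["198.51.100.1", "198.51.100.2", "198.51.100.3"])
    answers = [ctl.step(gbps) for gbps in (5.0, 9.5, 50.0, 95.0)]
    return ctl, answers


if __name__ == "__main__":
    ctl, answers = demo()
    for line in ctl.history:
        print(line)
    print("DNS answer per cycle:", answers)
```

In a deployment the load figure fed to `step` would come from the device's own telemetry rather than from a number supplied by the caller, and step 203 (forwarding the cleaned traffic to the service processing device) is unchanged by which device did the cleaning, which is why it needs no branch here.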
The above describes this application from the perspective of the control device. To describe it further, an embodiment of this application also discloses a traffic processing method, shown in Figure 3, comprising:
Step 301: the enhanced DNS device receives a DNS request from a user terminal.
Specifically, the enhanced DNS device receiving the DNS request from the user terminal comprises:
the enhanced DNS device receiving the DNS request from the user terminal as forwarded by the user's DNS server.
In a specific application scenario, when a user enters a domain name at the user terminal, i.e. sends a DNS request, the request is first sent to the user's DNS (Domain Name System) server. Because the destination address resolved by the user's DNS server cannot be changed, that server forwards the received DNS request to the enhanced DNS device. The destination address resolved by the enhanced DNS device proposed in this application can be changed, so the functionality is extended through the enhanced DNS device without altering the existing architecture.
Step 302: the enhanced DNS device resolves the DNS request based on an index table it stores, which contains the correspondence between DNS requests and destination addresses, and returns the resolved destination address to the user terminal.
Specifically, returning the resolved destination address to the user terminal directs the user terminal's traffic to the defense device corresponding to that destination address (the primary defense device or an advanced defense device, and which advanced defense device, depending on the resolved destination address) for cleaning. In a specific implementation, the enhanced DNS device stores an index table; the index table holds the correspondence between DNS requests and destination addresses; and the enhanced DNS device resolving the DNS request and returning the resolved destination address to the user terminal specifically comprises:
the enhanced DNS device resolving the DNS request based on the index table it stores, obtaining the destination address corresponding to the DNS request, and returning it to the user terminal.
Since the destination addresses in the index table are modifiable, the method further comprises:
the enhanced DNS device receiving an update message from the control device, the update message carrying an updated IP set by the control device and being used to modify the destination address in the index table to that updated IP;
the enhanced DNS device, on receiving a DNS request from the user terminal, performing domain name resolution based on the most recently modified index table and returning the resolved, most recently modified destination address to the user terminal.
Specifically, at the time domain name resolution is performed, the destination address in the index table may or may not have been modified. When no modification has yet been made, the most recently modified index table is simply the original index table (the one initially created), so the most recently modified destination address resolved is the original destination address. Once modifications have been made, there may have been several; domain name resolution is then performed using the most recently modified index table. For example, if there were two modifications, the first at 13:12:13 on 1 May 2015 and the second at 13:15:23 on 2 May 2015, the second modification is clearly the latest, so domain name resolution uses the index table as it stood after the second modification. The latest modification can of course be identified in other ways, for example by incrementing a modification counter by one on each modification and then looking up the index table corresponding to the largest counter value; any method that identifies the most recently modified index table will do.
An embodiment of the present application further provides a management device, as shown in FIG. 4, including:
a monitoring module 401, configured to monitor whether the load of the primary defense device used to clean user traffic is greater than a first threshold;
a transfer module 402, configured to transfer the traffic handled by the primary defense device to an advanced defense device for cleaning when the load of the primary defense device is greater than the first threshold; and
a processing module 403, configured to direct the cleaned traffic to the service processing device for processing.
The transfer module 402 is specifically configured to:
look up an advanced defense device;
assign a first high-defense IP to the advanced defense device, where the first high-defense IP differs from the initial defense IP of the primary defense device; and
modify the destination address resolved by the enhanced DNS device to the first high-defense IP, so that the enhanced DNS device, based on the modified destination address, transfers the user's traffic to the advanced defense device corresponding to the first high-defense IP for cleaning.
Specifically, the management device further includes:
an operation module, configured to monitor whether the load of the advanced defense device performing traffic cleaning exceeds a second threshold;
when the monitoring result is yes, create a second high-defense IP, where the second high-defense IP differs from both the initial defense IP of the primary defense device and the first high-defense IP; and
modify the destination address resolved by the enhanced DNS device to the second high-defense IP, so that the enhanced DNS device, based on the modified destination address, transfers the user's traffic to the advanced defense device corresponding to the second high-defense IP for cleaning.
An embodiment of the present application further discloses an enhanced DNS device, as shown in FIG. 5, including:
a receiving module 501, configured to receive a DNS request from a user terminal; and
a resolving module 502, configured to resolve the DNS request based on the index table it stores, which contains the correspondence between DNS requests and destination addresses, and return the resolved destination address to the user terminal.
The receiving module 501 is specifically configured to:
receive the DNS request from the user terminal as forwarded by the user's DNS.
Specifically, the enhanced DNS device stores an index table, and the index table stores the correspondence between DNS requests and destination addresses.
The destination address in the index table can be modified; the resolving module 502 is further configured to:
receive an update message from the management device, where the update message carries an update IP set by the management device and is used to modify the destination address in the index table to the update IP; and
upon receiving a DNS request from the user terminal, perform domain name resolution based on the most recently modified index table and return the resolved, most recently modified destination address to the user terminal.
An embodiment of the present application further discloses a traffic processing system, applied to a system including a primary defense device and an advanced defense device, where the traffic cleaning capability of the advanced defense device is higher than that of the primary defense device. As shown in FIG. 6, the system includes:
a management device 601, configured to monitor whether the load of the primary defense device used to clean user traffic is greater than a first threshold; when the monitoring result is yes, transfer the traffic handled by the primary defense device to an advanced defense device for cleaning; and direct the cleaned traffic to the service processing device for processing; and
an enhanced DNS device 602, configured to receive a DNS request from a user terminal, resolve the DNS request based on the index table it stores, which contains the correspondence between DNS requests and destination addresses, and return the resolved destination address to the user.
Compared with the prior art, the solution in the present application first has the user's traffic cleaned by the primary defense device while monitoring the load of the primary defense device in real time, and switches to the advanced defense device for traffic cleaning when the primary defense device is overloaded. Different defense devices can thus be selected for traffic cleaning according to the actual situation, which lowers the cost of use. At the same time, this sequence of operations takes place without the user's perception and requires no additional action from the user, so dynamically scheduling the defense devices improves the user experience.
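A constructed simulation of the scheme just described, added here as an example and not code from the application: the management device applies the first threshold to the primary defense device and the second to the advanced device, allocates a high-defense IP distinct from the initial defense IP and any IP already assigned, and pushes it into the enhanced DNS index table, which keeps the modification counter the method section suggests. All device names, addresses, capacities and thresholds are constructed.

```python
"""Constructed model of the scheme: a management device watches the device
cleaning a domain's traffic and, past a threshold, assigns a distinct
high-defense IP and sends an update message to the enhanced DNS device."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class DefenseDevice:
    name: str
    capacity_gbps: float  # constructed cleaning capacity
    load_gbps: float = 0.0

    def load_ratio(self) -> float:
        return self.load_gbps / self.capacity_gbps


class EnhancedDns:
    """Resolves only from its own index table; a per-name modification
    counter identifies the most recently modified state."""

    def __init__(self, table: Dict[str, str]) -> None:
        # name -> (destination address, number of modifications so far)
        self.table: Dict[str, Tuple[str, int]] = {n: (a, 0) for n, a in table.items()}

    def apply_update(self, name: str, update_ip: str) -> int:
        """Update message: rewrite the destination, bump and return the counter."""
        count = self.table[name][1] + 1
        self.table[name] = (update_ip, count)
        return count

    def resolve(self, name: str) -> Optional[str]:
        entry = self.table.get(name)
        return entry[0] if entry else None


class ManagementDevice:
    def __init__(self, dns: EnhancedDns, domain: str, primary: DefenseDevice,
                 initial_ip: str, advanced: List[DefenseDevice],
                 high_defense_pool: List[str],
                 first_threshold: float, second_threshold: float) -> None:
        self.dns, self.domain = dns, domain
        self.primary, self.initial_ip = primary, initial_ip
        self.advanced = list(advanced)       # advanced devices not yet in use
        self.pool = list(high_defense_pool)  # candidate high-defense IPs
        self.first_threshold, self.second_threshold = first_threshold, second_threshold
        self.assigned: Dict[str, DefenseDevice] = {}  # high-defense IP -> device
        self.active = primary                # device currently cleaning traffic

    def _allocate_high_defense_ip(self) -> str:
        """An IP that is neither the initial defense IP nor one already assigned."""
        used = {self.initial_ip, *self.assigned}
        for ip in self.pool:
            if ip not in used:
                return ip
        raise RuntimeError("high-defense IP pool exhausted")

    def _shift_to_advanced(self) -> str:
        """Transfer module: next advanced device gets a fresh high-defense IP via DNS."""
        if not self.advanced:
            raise RuntimeError("no advanced defense device available")
        device = self.advanced.pop(0)
        ip = self._allocate_high_defense_ip()
        self.assigned[ip] = device
        self.dns.apply_update(self.domain, ip)
        # Traffic follows the new resolution, so the load moves with it.
        device.load_gbps, self.active.load_gbps = self.active.load_gbps, 0.0
        self.active = device
        return ip

    def observe(self, load_gbps: float) -> Optional[str]:
        """One cycle: apply the threshold for the active device; return what DNS resolves."""
        self.active.load_gbps = load_gbps
        threshold = (self.first_threshold if self.active is self.primary
                     else self.second_threshold)
        if self.active.load_ratio() > threshold:
            self._shift_to_advanced()
        return self.dns.resolve(self.domain)


def simulate(loads: List[float]) -> List[Optional[str]]:
    """Constructed scenario: primary 10 Gbit/s, advanced 100 and 300 Gbit/s,
    thresholds 80% and 70% of capacity; one resolved address per cycle."""
    dns = EnhancedDns({"www.example.test": "198.51.100.10"})
    primary = DefenseDevice("primary", 10.0)
    advanced = [DefenseDevice("adv-a", 100.0), DefenseDevice("adv-b", 300.0)]
    mgr = ManagementDevice(dns, "www.example.test", primary, "198.51.100.10",
                           advanced, ["203.0.113.1", "203.0.113.2"], 0.8, 0.7)
    return [mgr.observe(load) for load in loads]
```

Running `simulate([5.0, 9.0, 40.0, 90.0])` walks through both escalations: the resolved address stays at the initial defense IP, moves to the first high-defense IP once the primary device passes 80% load, and to the second once the advanced device passes 70%.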
From the description of the above embodiments, those skilled in the art will clearly understand that the present application can be implemented in hardware, or in software together with the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present application can be embodied as a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive or portable hard disk) and includes instructions that cause a computer device (such as a personal computer, a server or a network device) to perform the method described in each implementation scenario of the present application.
Those skilled in the art will understand that the drawings are merely schematic diagrams of a preferred implementation scenario, and that the modules or processes in the drawings are not necessarily required to implement the present application.
Those skilled in the art will understand that the modules of the apparatus in an implementation scenario may be distributed across the apparatus as described in that scenario, or may be relocated, with corresponding changes, into one or more apparatuses different from those of the scenario. The modules of the above implementation scenarios may be combined into a single module or further split into multiple sub-modules.
The above serial numbers of the present application are for description only and do not indicate the relative merit of the implementation scenarios.
The foregoing discloses only a few specific implementation scenarios of the present application; the present application is not limited to them, and any variation that a person skilled in the art can conceive falls within the scope of protection of the present application.

Claims (13)

  1. A traffic processing method, applied to a system including a primary defense device and an advanced defense device, where the traffic cleaning capability of the advanced defense device is higher than that of the primary defense device, the method comprising:
    a management device monitoring whether the load of the primary defense device used to clean user traffic is greater than a first threshold;
    if the monitoring result is yes, the management device transferring the traffic handled by the primary defense device to the advanced defense device for cleaning; and
    the management device directing the cleaned traffic to a service processing device for processing.
  2. The method according to claim 1, wherein the management device transferring the traffic handled by the primary defense device to the advanced defense device for cleaning specifically comprises:
    the management device looking up an advanced defense device;
    the management device assigning a first high-defense IP to the advanced defense device, where the first high-defense IP differs from the initial defense IP of the primary defense device; and
    the management device modifying the destination address resolved by an enhanced DNS device to the first high-defense IP, so that the enhanced DNS device, based on the modified destination address, transfers the user's traffic to the advanced defense device corresponding to the first high-defense IP for cleaning.
  3. The method according to claim 2, wherein, after the management device modifies the destination address resolved by the enhanced DNS device to the first high-defense IP so that the enhanced DNS device transfers the user's traffic to the advanced defense device based on the modified destination address, the method further comprises:
    the management device monitoring whether the load of the advanced defense device performing traffic cleaning exceeds a second threshold;
    if the monitoring result is yes, the management device creating a second high-defense IP, where the second high-defense IP differs from both the initial defense IP of the primary defense device and the first high-defense IP; and
    the management device modifying the destination address resolved by the enhanced DNS device to the second high-defense IP, so that the enhanced DNS device, based on the modified destination address, transfers the user's traffic to the advanced defense device corresponding to the second high-defense IP for cleaning.
  4. A traffic processing method, comprising:
    an enhanced DNS device receiving a DNS request from a user terminal; and
    the enhanced DNS device resolving the DNS request based on an index table it stores, which contains the correspondence between DNS requests and destination addresses, and returning the resolved destination address to the user terminal.
  5. The method according to claim 4, wherein the enhanced DNS device receiving a DNS request from a user terminal specifically comprises:
    the enhanced DNS device receiving the DNS request from the user terminal as forwarded by a user DNS.
  6. The method according to claim 4, wherein the destination address in the index table can be modified, the method further comprising:
    the enhanced DNS device receiving an update message from a management device, where the update message carries an update IP set by the management device and is used to modify the destination address in the index table to the update IP; and
    upon receiving a DNS request from the user terminal, the enhanced DNS device performing domain name resolution based on the most recently modified index table and returning the resolved, most recently modified destination address to the user terminal.
  7. A management device, comprising:
    a monitoring module, configured to monitor whether the load of a primary defense device used to clean user traffic is greater than a first threshold;
    a transfer module, configured to transfer the traffic handled by the primary defense device to an advanced defense device for cleaning when the load of the primary defense device is greater than the first threshold; and
    a processing module, configured to direct the cleaned traffic to a service processing device for processing.
  8. The device according to claim 7, wherein the transfer module is specifically configured to:
    look up an advanced defense device;
    assign a first high-defense IP to the advanced defense device, where the first high-defense IP differs from the initial defense IP of the primary defense device; and
    modify the destination address resolved by an enhanced DNS device to the first high-defense IP, so that the enhanced DNS device, based on the modified destination address, transfers the user's traffic to the advanced defense device corresponding to the first high-defense IP for cleaning.
  9. The device according to claim 8, further comprising:
    an operation module, configured to monitor whether the load of the advanced defense device performing traffic cleaning exceeds a second threshold;
    when the monitoring result is yes, create a second high-defense IP, where the second high-defense IP differs from both the initial defense IP of the primary defense device and the first high-defense IP; and
    modify the destination address resolved by the enhanced DNS device to the second high-defense IP, so that the enhanced DNS device, based on the modified destination address, transfers the user's traffic to the advanced defense device corresponding to the second high-defense IP for cleaning.
  10. An enhanced DNS device, comprising:
    a receiving module, configured to receive a DNS request from a user terminal; and
    a resolving module, configured to resolve the DNS request based on an index table it stores, which contains the correspondence between DNS requests and destination addresses, and return the resolved destination address to the user terminal.
  11. The device according to claim 10, wherein the receiving module is specifically configured to:
    receive the DNS request from the user terminal as forwarded by a user DNS.
  12. The device according to claim 10, wherein the destination address in the index table can be modified, and the resolving module is further configured to:
    receive an update message from a management device, where the update message carries an update IP set by the management device and is used to modify the destination address in the index table to the update IP; and
    upon receiving a DNS request from the user terminal, perform domain name resolution based on the most recently modified index table and return the resolved, most recently modified destination address to the user terminal.
  13. A traffic processing system, applied to a system including a primary defense device and an advanced defense device, where the traffic cleaning capability of the advanced defense device is higher than that of the primary defense device, the system comprising:
    a management device, configured to monitor whether the load of the primary defense device used to clean user traffic is greater than a first threshold; when the monitoring result is yes, transfer the traffic handled by the primary defense device to the advanced defense device for cleaning; and direct the cleaned traffic to a service processing device for processing; and
    an enhanced DNS device, configured to receive a DNS request from a user terminal, resolve the DNS request based on an index table it stores, which contains the correspondence between DNS requests and destination addresses, and return the resolved destination address to the user.
PCT/CN2016/097500 2015-09-09 2016-08-31 Traffic processing method, device and system WO2017041656A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510571803.7 2015-09-09
CN201510571803.7A CN106534043B (en) 2015-09-09 2015-09-09 Flow processing method, equipment and system

Publications (1)

Publication Number Publication Date
WO2017041656A1 true WO2017041656A1 (en) 2017-03-16

Family

ID=58240666

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/097500 WO2017041656A1 (en) 2015-09-09 2016-08-31 Traffic processing method, device and system

Country Status (2)

Country Link
CN (1) CN106534043B (en)
WO (1) WO2017041656A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200274897A1 (en) * 2019-02-21 2020-08-27 Beijing Baidu Netcom Science And Technology Co., Ltd. Method and apparatus for processing data
CN112256308A (en) * 2020-11-12 2021-01-22 腾讯科技(深圳)有限公司 Target application updating method and device
CN114567605A (en) * 2022-02-28 2022-05-31 天翼安全科技有限公司 Security engine scheduling method and device and readable storage medium

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107231344B (en) * 2017-05-04 2020-04-03 杭州迪普科技股份有限公司 Flow cleaning method and device
CN107426230B (en) * 2017-08-03 2019-08-23 优刻得科技股份有限公司 Server scheduling method, apparatus, system, storage medium and equipment
CN109510800B (en) * 2017-09-14 2020-11-27 北京金山云网络技术有限公司 Network request processing method and device, electronic equipment and storage medium
CN113315743B (en) * 2020-02-27 2023-04-18 阿里巴巴集团控股有限公司 Defense processing method, device, equipment and storage medium
CN113872928B (en) * 2021-07-28 2023-05-05 上海纽盾科技股份有限公司 Method, client and system for obtaining benefits through network security defense
CN113923216B (en) * 2021-09-29 2023-12-15 阿里巴巴(中国)有限公司 Distributed cluster current limiting system and method and distributed cluster node

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1705863A1 (en) * 2005-03-25 2006-09-27 AT&T Corp. Method and apparatus for traffic control of dynamic denial of service attacks within a communications network
CN101924764A (en) * 2010-08-09 2010-12-22 中国电信股份有限公司 Large-scale DDoS (Distributed Denial of Service) attack defense system and method based on two-level linkage mechanism
CN102882892A (en) * 2012-10-26 2013-01-16 杭州迪普科技有限公司 Method and device for protecting DNS (Domain Name Server)
US20150026800A1 (en) * 2013-07-16 2015-01-22 Fortinet, Inc. Scalable inline behavioral ddos attack mitigation
CN104753863A (en) * 2013-12-26 2015-07-01 中国移动通信集团公司 DDoS (Distributed Denial of Service) attack prevention method, device and system

Also Published As

Publication number Publication date
CN106534043A (en) 2017-03-22
CN106534043B (en) 2020-04-24

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16843594

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16843594

Country of ref document: EP

Kind code of ref document: A1