WO2017063198A1 - 数据传输的方法、装置和系统 - Google Patents
数据传输的方法、装置和系统 Download PDFInfo
- Publication number
- WO2017063198A1 WO2017063198A1 PCT/CN2015/092131 CN2015092131W WO2017063198A1 WO 2017063198 A1 WO2017063198 A1 WO 2017063198A1 CN 2015092131 W CN2015092131 W CN 2015092131W WO 2017063198 A1 WO2017063198 A1 WO 2017063198A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- security identifier
- node
- data packet
- service data
- controller
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Definitions
- Embodiments of the present invention relate to the field of communications, and, more particularly, to a method, apparatus, and system for data transmission.
- the data stream is vulnerable to network attacks.
- an attacker uses a means of replay, forgery, etc. to deliver a large number of attack packets to the network.
- the transmission of the attack packet will consume a large amount of network bandwidth, and on the other hand, The receiving end has an adverse effect.
- the data stream is header-compressed at the compression end, and the compressed packet after processing is transmitted in the transmission path between the compression end and the decompression end, and finally reaches the decompression end. If a network attack occurs during the transmission of a compressed packet, for example, an attacker uses a means of replay, forgery, etc.
- the embodiment of the invention provides a method, a device and a system for data transmission, which can timely discover that a network attack exists in the process of data stream transmission, and can effectively reduce the transmission of the attack packet in the network.
- a method of data transmission comprising:
- the controller allocates at least one security identifier for the first service data flow
- the first service data flow indicates a data flow corresponding to the first service, and it should be understood that the first service indicates any service in the communication transmission, which is not limited by the embodiment of the present invention.
- the header field of the first service data flow includes a header identifier, specifically, for example, a source IP address, a destination IP address, a source MAC address, a destination MAC address, a transmission protocol information, and a Transmission Control Protocol (Transmission Control Protocol) of the first service data flow. It is simply referred to as "TCP") information or User Datagram Protocol ("UDP”) port information, or information such as the stream ID of the first service data stream. It should be understood that each data packet of the first service data stream includes a header identifier of the first service.
- the security identifier provided by the embodiment of the present invention is an identifier, and the specific form may be a signal form of a number, a letter, or the like, and is used for the data packet X of the first service data stream (corresponding to the first data packet).
- the header is modified, for example, by adding the security identifier in the header field of the data packet X, thereby replacing the data packet X with the second data packet carrying the security identifier; or one of the header fields of the data packet X Or replacing the plurality of header identifiers with the security identifier, for example, replacing the source IP address in the header field of the packet X with the security identifier, thereby replacing the second data packet carrying the security identifier.
- the security identifier mentioned in the embodiment of the present invention is different from the header identifier of the header field of the first service data flow.
- the controller sends a first indication message including the at least one security identifier to the first node in the transmission path of the first service data flow, where the first indication message is used to indicate that the first node utilizes the first one of the at least one security identifier
- Receiving, by the security identifier, the first data packet acquiring the second data packet carrying the first security identifier, and sending the second data packet to the next node in the transmission path, where the first data packet is the first data packet a data packet in a business data stream;
- the controller configures a transmission path for the first service data flow, and the transmission path 120 shown in FIG. 1 includes a first node and a last node, and may also include an intermediate node.
- the first data packet indicates a data packet in the first service data stream, that is, the first data packet includes a header identifier of the first service data stream.
- the first indication message is used to indicate that the first node obtains the second data packet carrying the first security identifier by processing the header identifier of the first data packet, and the first data is obtained.
- the packet is replaced with the second data packet, and the second data packet is sent to the next node in the transmission path.
- a header identifier field filled with the first security identifier is added to the first data packet, so that the first data packet is replaced by the second data packet carrying the first security identifier.
- replacing one of the header identifiers of the first data packet with the first security identifier for example, replacing the source IP address in the header identifier of the first data packet with the first security identifier, thereby replacing the first data packet.
- the header identifier of the first data packet may be processed by other means, and the first data packet is replaced by the second data packet carrying the first security identifier, which is not limited in this embodiment of the present invention.
- the controller sends a second indication message for instructing to send the received second data packet to a next node in the transmission path to an intermediate node in the transmission path, the controller also being in the transmission path
- the last node sends a third indication message for instructing to restore the received second data packet to the corresponding first data packet;
- the controller acquires the number of transmission and reception of the second data packet, where the number of the transmission and reception indicates that the last node receives The number of the second data packet that arrives and the number of the second data packet sent by the first node;
- the controller determines, according to the number of the second data packet to be sent and received, that the first service data stream is subjected to a network attack during the transmission process, and determines that the first security identifier is an attacked security identifier;
- the controller sends a fourth indication message to each node in the transmission path for indicating discarding the data packet currently carrying the attack security identity transmitted in the transmission path.
- the first service data stream is a header compressed data stream
- the at least one security identifier that the controller allocates for the first service data stream includes two One or more security identifiers
- the first security identifier is a first-use security identifier
- the first indication message is specifically used to indicate that the first node preferentially uses the first-use security identifier to replace the first data packet.
- the method further includes:
- the controller determines that the first service data stream is subjected to a traffic analysis attack during the transmission according to the number of the data packets sent and received by the first security identifier.
- the first service data stream is a header compressed data stream, and the at least one allocated for the first service data stream
- the security identifier includes two or more security identifiers, where the first indication message is specifically configured to indicate that the first node selects the first security from the at least one security identifier according to the size of the currently processed first data packet. Identification to replace the first data packet.
- the first indication message is further used to indicate that the first node replaces the first data packet by using the same security identifier. The number does not exceed the preset threshold.
- the method further includes:
- the controller sends a fifth indication message to the head node indicating that the first data packet is no longer processed by the attack security identifier.
- the method further includes:
- the controller acquires the second received by the next node in each of the two adjacent nodes in the transmission path The number of data packets and the number of the second data packets sent by the previous node;
- the controller determines, according to the obtained number of the second data packet received by the next node and the number of the second data packet sent by the previous node, the first node and the second node adjacent to the transmission path.
- the path between nodes is the attacked path;
- the controller allocates an alternate transmission path for the first service data flow, the alternate transmission path not including the attacked path.
- the controller acquires the number of the second data packet sent and received, including:
- the controller acquires the number of the second data packet sent and received according to the preset timer.
- the method further includes:
- the second aspect provides a method of data transmission, the method comprising:
- the first node receives the first indication message sent by the controller, where the first indication message includes at least one security identifier that is allocated by the controller for the first service data flow, where the first node is in the transmission path of the first service data stream.
- the first node replaces the first data packet with the first security identifier of the at least one security identifier, and acquires a second data packet that carries the first security identifier, where the first data packet a data packet in the first service data stream;
- the first node sends the second data packet to a next node in the transmission path
- the first node sends the number of the second data packet that has been sent to the controller, so that the controller determines that the first service data stream is attacked by the network during the transmission, and determines that the first security identifier is Attacked security identity;
- the first service data stream is a header compressed data stream
- the at least one security identifier that the controller allocates for the first service data stream includes two One or more security identifiers
- the first security identifier is a first-use security identifier
- the first indication message is specifically used to indicate that the first node preferentially utilizes the first-use security identifier Substituting the first data packet
- the first node replaces the first data packet with the first security identifier of the at least one security identifier, and obtains the second data packet that carries the first security identifier, including:
- the first node preferentially processes the first data packet by using the first security identifier to obtain the second data packet carrying the first security identifier.
- the first service data stream is a header compressed data stream, and the at least one allocated for the first service data stream
- the security identifier includes two or more security identifiers, where the first indication message is specifically configured to indicate that the first security identifier is selected from the at least one security identifier according to a size of the currently processed first data packet.
- the first node replaces the first data packet with the first security identifier of the at least one security identifier, and obtains the second data packet that carries the first security identifier, including:
- the first node selects the first security identifier from the at least one security identifier according to the size of the first data packet that is currently processed, and replaces the first data packet with the first security identifier to obtain the first security identifier.
- the second packet identified.
- the first indication message is further used to indicate that the first node replaces the first data by using the same security identifier.
- the number of packages does not exceed the preset threshold.
- the method further includes:
- the first node no longer processes the data packet in the first service data stream by using the attacked security identifier.
- the first node is an intermediate node in a transmission path of the second service data stream, and the method further includes:
- the first node forwards the received data packet carrying the second security identifier to the next node in the transmission path of the second service data flow according to the third indication message sent by the controller, where the second security identifier is the a security identifier allocated by the controller for the second service data flow, where the data packet carrying the second security identifier is a processing for the first node in the transmission path of the second service data flow to replace the data packet of the second service data flow After getting it.
- the first node is a last node in a transmission path of the third service data stream, and the method further includes:
- the first node restores the received data packet carrying the third security identifier to the corresponding data packet of the third service data flow according to the fourth indication message sent by the controller, where the third security identifier is the controller. a security identifier assigned to the third service data flow, where the data packet carrying the third security identifier is obtained by replacing a data packet of the third service data flow by a first node in a transmission path of the third service data flow of;
- the first node sends the received number of data packets carrying the third security identifier to the controller, so that the controller determines that the third service data stream is attacked by the network during the transmission.
- a third aspect provides a controller, the controller comprising:
- An allocating module configured to allocate at least one security identifier to the first service data flow
- a sending module configured to send, to the first node in the transmission path of the first service data stream, a first indication message that includes the at least one security identifier that is allocated by the allocation module, where the first indication message is used to indicate that the first node uses the at least one
- the first security identifier in the security identifier replaces the first data packet, acquires the second data packet carrying the first security identifier, and sends the second data packet to the next node in the transmission path, where the first data packet a data packet is a data packet in the first service data stream;
- the sending module is further configured to send, to the intermediate node in the transmission path, a second indication message for instructing to send the received second data packet to a next node in the transmission path, where the sending module is further used to Transmitting, to the last node in the transmission path, a third indication message for indicating that the received second data packet is restored to the corresponding first data packet;
- An acquiring module configured to acquire the number of the second data packet sent and received, the number of the sending and receiving indicating the number of the second data packet received by the last node, and the number of the second data packet sent by the first node;
- the first determining module is configured to: according to the number of the second data packet acquired by the acquiring module, determine that the first service data stream is subjected to a network attack during the transmission process, and determine that the first security identifier is an attacked security identifier;
- the sending module is further configured to send, to each node in the transmission path, a fourth indication message for indicating to discard the data packet currently transmitted in the transmission path and carrying the attacked security identifier determined by the first determining module.
- the first service data stream is a header compressed data stream
- the at least one security identifier allocated by the allocating module to the first service data stream includes two One or more security identifiers
- the first security identifier is the first security label
- the first indication message sent by the sending module is specifically used to indicate that the first node preferentially uses the first security identifier to replace the first data packet.
- the controller further includes:
- the second determining module is configured to determine, according to the number of the data packets sent and received by the first security identifier, that the first service data stream is subjected to a traffic analysis attack during the transmission process.
- the first service data stream is a header compressed data stream
- the allocation module allocates the first service data stream.
- the at least one security identifier includes two or more security identifiers, where the first indication message sent by the sending module is specifically used to indicate that the first node is based on the size of the currently processed first data packet, from the at least one The first security identifier is selected in the security identifier to replace the processing the first data packet.
- the first indication message sent by the sending module is further used to indicate that the first node is replaced by using the same security identifier.
- the number of the first data packets does not exceed a preset threshold.
- the sending module is further configured to: determine, by the first determining module, that the first service data stream is in the process of being transmitted In the case of a network attack, a fifth indication message for indicating that the first data packet is no longer processed by the attacked security identifier is sent to the head node.
- the acquiring module is further configured to: when the first determining module determines that the first service data stream is in the process of being transmitted After the network attack, obtaining the number of the second data packet received by the next node in each of the two adjacent nodes in the transmission path and the number of the second data packet sent by the previous node;
- the controller also includes:
- a third determining module configured to determine, according to the number of the second data packet received by the subsequent node acquired by the acquiring module, and the number of the second data packet sent by the previous node, determining the adjacent one of the transmission paths The path between the first node and the second node is the attacked path;
- the allocating module is further configured to allocate an alternate transmission path for the first service data flow, where the alternate transmission path does not include the attacked path.
- the controller further includes:
- a release module configured to release the security identifier assigned to the first service data flow when the flow deletion event of the first service data flow is detected.
- the fourth aspect provides a node for data transmission, the node comprising:
- a receiving module configured to receive a first indication message sent by the controller, where the first indication message includes at least one security identifier allocated by the controller for the first service data flow, where the node is in a transmission path of the first service data stream First node
- a replacement module configured to replace, by using the first security identifier in the at least one security identifier, the first data packet, and the second data packet carrying the first security identifier, according to the first indication message received by the receiving module, where
- the first data packet is a data packet in the first service data stream;
- a sending module configured to send the second data packet acquired by the replacement module to a next node in the transmission path
- the sending module is further configured to send, to the controller, the number of the second data packets that have been sent, so that the controller determines that the first service data flow is subjected to a network attack during the transmission, and determines the first The security identifier is the attacked security identifier;
- the receiving module is further configured to receive, by the controller, a fourth indication message that is used to indicate that the data packet currently carrying the attack security identifier that is currently transmitted in the transmission path is discarded, and discard the current according to the fourth indication message.
- a fourth indication message that is used to indicate that the data packet currently carrying the attack security identifier that is currently transmitted in the transmission path is discarded, and discard the current according to the fourth indication message.
- the first service data stream is a header compressed data stream
- the at least one security identifier that the controller allocates for the first service data stream includes two One or more security identifiers
- the first security identifier is a first-use security identifier
- the first indication message received by the receiving module is specifically used to indicate that the first node preferentially uses the first security identifier to replace the first identifier.
- the replacement module is specifically configured to: first use the first security identifier to replace the first data packet, and obtain the second data packet that carries the first security identifier.
- the first service data stream is a header compressed data stream, and the at least one allocated for the first service data stream
- the security identifier includes two or more security identifiers, where the first indication message received by the receiving module is specifically configured to indicate that the first identifier is selected according to a size of the currently processed first data packet. a security mark;
- the replacement module is specifically configured to: according to the size of the currently processed first data packet, from the at least one The first security identifier is selected in the security identifier, and the first data packet is replaced by the first security identifier, and the second data packet carrying the first security identifier is obtained.
- the first indication message is further used to indicate that the node replaces the first data packet by using the same security identifier. The number does not exceed the preset threshold.
- the replacing module is further configured to: after the receiving module receives the second indication message, do not use the first A security identifier replaces the data packet in the first service data stream.
- the node is an intermediate node in a transmission path of the second service data flow, and the node further includes:
- a forwarding module configured to forward, according to the third indication message sent by the controller, the received data packet carrying the second security identifier to a next node in the transmission path of the second service data stream, where the second security identifier is a security identifier allocated by the controller to the second service data flow, where the data packet carrying the second security identifier replaces the data packet of the second service data flow by the first node in the transmission path of the second service data flow Obtained after processing.
- the node is a last node in a transmission path of the third service data stream, and the node further includes:
- a restoring module configured to restore, according to the fourth indication message sent by the controller, the received data packet carrying the third security identifier into a data packet of the third service data stream, where the third security identifier is the control
- the sending module is further configured to send, to the controller, the number of received data packets carrying the third security identifier, so that the controller determines that the third service data stream is subjected to a network attack during transmission.
- a fifth aspect provides a system for data transmission, the system comprising the controller provided by the third aspect and the node provided by the fourth aspect.
- the device can discard the attack packet in time, thereby effectively reducing the occupation of the transmission resource by the attack packet, improving the utilization of the transmission resource, and reducing the The number of attack packets at the receiving end is reduced to reduce the computational burden on the receiving end.
- FIG. 1 is a schematic diagram of an application scenario of an embodiment of the present invention.
- FIG. 2 is a schematic flowchart of a method for data transmission according to an embodiment of the present invention.
- FIG. 3 shows another schematic flowchart of a method for data transmission according to an embodiment of the present invention.
- FIG. 4 shows a schematic block diagram of a controller provided in accordance with an embodiment of the present invention.
- FIG. 5 shows a schematic block diagram of a node provided in accordance with an embodiment of the present invention.
- FIG. 6 shows a schematic block diagram of a controller provided in accordance with another embodiment of the present invention.
- FIG. 7 shows a schematic block diagram of a node provided in accordance with another embodiment of the present invention.
- FIG. 8 shows a schematic block diagram of a system for data transmission provided in accordance with an embodiment of the present invention.
- the network attack involved in the embodiment of the present invention refers to that an attacker uses a means of replay, forgery, and the like to deliver a large number of attack packets to the network.
- the attack packet mentioned herein refers to a data packet that the attacker replays or falsifies in the network.
- the attacker is located at the head node 121 and the intermediate node. Between 122, the head node 121 sends a data packet X to the intermediate node 122, and the data packet that the attacker replays or falsifies according to the data packet X is called an attack packet.
- FIG. 1 shows only one intermediate node for ease of understanding and description, and the intermediate node 122 shown in FIG. 1 indicates any node located between the head node 121 and the end node 123.
- the controller 140 in FIG. 1 is, for example, a controller in a centralized management network.
- the centralized management network is a form of network composition, and each component in the centralized management network (for example, each node in FIG. 1) is controlled by the same controller (for example, the controller 140 in FIG. 1), thereby Network management becomes flexible and efficient.
- FIG. 1 is only an example and is not limited.
- the compression end 110 may also be a normal transmitting end, and the decompressing end 130 is a receiving end.
- the method, device, and system for data transmission provided by the embodiments of the present invention are not Limited to compressed, decompressed scenes.
- FIG. 2 is a schematic flowchart of a method 200 for data transmission according to an embodiment of the present invention. The method is performed, for example, by the controller 140 shown in FIG. 1. The method 200 includes:
- the controller allocates at least one security identifier to the first service data flow.
- the first service data stream is a header compressed data stream.
- the controller sends a first indication message that includes the at least one security identifier to the first node in the transmission path of the first service data flow, where the first indication message is used to indicate that the first node uses the at least one security identifier.
- the first security identifier replaces the first data packet, acquires the second data packet carrying the first security identifier, and sends the second data packet to the next node in the transmission path, where the first data packet is a data packet in the first service data stream;
- the first data packet refers to a data packet in the first service data stream.
- the first node processes the first data packet, and the first node obtains a first data packet of the first service data stream, and replaces the current data packet that is currently acquired, and then continues to acquire the first data packet.
- the second data packet refers to a data packet that is acquired according to the first data packet and carries the first security identifier.
- the transmission path of the first service data stream includes a head node, an intermediate node, and a last node, specifically a transmission path 120 as shown in FIG.
- the controller 140 sends a first indication message to the head node 121, where the first node 121 replaces the currently acquired first data packet with the second one carrying the first security identifier. data pack.
- the first indication message is used to indicate that the first node obtains the second data packet carrying the first security identifier by processing the header identifier of the first data packet, and A data packet is replaced with the second data packet, and the second data packet is sent to the next node in the transmission path.
- a header identifier field filled with the first security identifier is added to the first data packet, so that the first data packet is replaced by the second data packet carrying the first security identifier.
- replacing one of the header identifiers of the first data packet with the first security identifier for example, replacing the source IP address in the header identifier of the first data packet with the first security identifier, thereby replacing the first data packet.
- the header identifier of the first data packet may be processed by other means, and the first data packet is replaced by the second data packet carrying the first security identifier, which is not limited in this embodiment of the present invention.
- the first indication message sent by the controller to the first node includes a header identifier of the first service data flow, the at least one security identifier, and an identifier of a next node in the transmission path.
- the header identifier of the first service data flow includes, but is not limited to, a source IP address, a destination IP address, a source MAC address, a destination MAC address, a transmission protocol, and a transmission control protocol (Transmission Control Protocol) of the first service data flow. , referred to as "TCP” or User Datagram Protocol (“UDP”) port, or the stream ID of the first service data stream.
- TCP Transmission Control Protocol
- UDP User Datagram Protocol
- the identity of the next node in the transmission path refers to the identity of the next node of the first node in the transmission path of the first service data stream.
- the controller sends, to the intermediate node in the transmission path, a second indication message for indicating that the received second data packet is sent to a next node in the transmission path, and the controller further sends the transmission path to the transmission path.
- the last node in the middle sends a third indication message for instructing to restore the received second data packet to the corresponding first data packet;
- the second indication message sent by the controller to the intermediate node includes the at least one security identifier and an identifier of a next node in the transmission path.
- the intermediate node receives a data packet A, and first determines whether the data packet carries the at least one security identifier, for example, determining that the data packet A carries the first security identifier (ie, the first node pair of the transmission path) If the data packet of a service data stream is sent as a data packet after the replacement process, the data packet A is forwarded to the next node according to the identifier of the next node.
- data packet A in the above example corresponds to the second data packet in the embodiment of the present invention.
- the last node receives a data packet A, and first determines whether the data packet carries the at least one security identifier, for example, determining that the data packet A carries the first security identifier (ie, the first node pair of the transmission path) a data packet of a service data stream is sent as a data packet after the replacement processing, and then the data packet A is restored according to the header identifier of the first service data stream, assuming that the first node is the header of the first data packet If the source IP address in the identifier is replaced by the first security identifier to obtain the data packet A, the last node uses the opposite means to restore the first security identifier in the header identifier of the data packet A to the first service data stream. The source IP address is restored to obtain the first data packet corresponding to the data packet A.
- the first security identifier ie, the first node pair of the transmission path
- the controller acquires the number of the second data packet sent and received, the number of the transceiver includes the number of the second data packet received by the last node, and the number of the second data packet sent by the first node;
- the number of the second data packet sent and received may also indicate the number of times the first node replaces the first data packet by using the first security identifier and the number of times the last node restores the second data packet.
- the controller acquires the number of the second data packet sent and received by the controller, including:
- the controller acquires the number of the second data packet sent and received according to the preset timer.
- the controller when the controller sends the first indication message to the head node, the preset timer is started, and when the preset timer expires, the number of the second data packet is sent and received.
- the controller may notify the first node to report the number of the second data packet that carries the first security identifier that is sent in the preset time period of the preset timer, and the controller may also notify the last node to report the timing of the preset timer.
- the number of second data packets carried in the time period carrying the first security identifier when the controller sends the first indication message to the head node, the preset timer is started, and when the preset timer expires, the number of the second data packet is sent and received.
- the controller may notify the first node to report the number of the second data packet that carries the first security identifier that is sent in the preset time period of the preset timer, and the controller may also notify the last node to report the timing of the preset timer.
- the controller determines, according to the number of the second data packet to be sent and received, that the first service data stream is subjected to a network attack during the transmission, and determines that the first security identifier is an attacked security identifier.
- the controller determines that the number of the second data packets received by the last node minus the number of the second data packets sent by the first node exceeds a preset threshold, determining that the first service data stream is transmitting
- the network is attacked.
- the second data packet carrying the first security identifier is attacked by the network, for example, by an attacker for replay or forgery.
- the controller may also count the ratio of the number of second data packets received by the last node to the number of second data packets sent by the first node, to determine whether the data stream transmission is attacked by a network, or The number of data transmission and reception of the data packet is calculated in other manners to determine whether the transmission of the data stream is attacked by the network. This embodiment of the present invention does not limit this.
- the controller marks the first security identifier as an attack security identifier.
- the controller sends, to each node in the transmission path, a fourth indication message for indicating to discard the data packet currently carrying the attack security identifier transmitted in the transmission path.
- the security identifier according to the number of data packets transmitted and received by the security identifier, it is determined that the transmission of the data stream is attacked by the network, and the data packet carrying the security identifier is discarded by the node in the indication transmission path, thereby realizing The attack packet is discarded in time, which can effectively reduce the occupation of the transmission resource by the attack packet and improve the utilization of the transmission resource.
- the number of attack packets arriving at the receiving end can also be effectively reduced, and the computing pressure of the receiving end can be reduced to some extent.
- the method 200 further includes:
- the controller sends a fifth indication message to the head node indicating that the first data packet is no longer processed by the attack security identifier.
- the method 200 further includes:
- the controller reassigns a new security identifier to the first service data flow, and instructs the first node to replace the subsequent first data packet of the first service data flow by using the new security identifier, and further indicates that the intermediate node will receive the received
- the data packet of the new security identifier is forwarded to the next node, and the terminal node is instructed to restore the received data packet carrying the new security identifier to the corresponding first data packet.
- the first node may also reselect a security identifier different from the first security identifier from multiple security identifiers allocated by the controller for the first service data flow. And replacing the subsequent first data packet that processes the first service data stream.
- the data transmission method of the embodiment of the present invention can be applied to a scenario in which header compression and a centralized management network are combined to implement end-to-end transmission of header compression.
- header compression is a method to effectively improve bandwidth utilization.
- some information is almost unchanged or can be inferred.
- Header compression is the use of this feature of the data stream, which is not transmitted by the negotiation mechanism when transmitting data packets.
- the compressed header does not contain the information required for node routing, each routing node needs to decompress and recompress the compressed packet, which results in an increase in computing resource consumption and transmission delay.
- a centralized management network is a form of network in which each component of the network is controlled by the same controller, making network management flexible and efficient. At present, researchers have proposed combining header compression with centralized management and control networks to achieve end-to-end transmission of header compression.
- Efficient header compression is premised on context synchronization between the compression and decompression ends, which requires accurate and error-free transmission of the compressed package.
- it is highly likely to cause an error decompression of the compressed packet header, thereby greatly reducing the compression efficiency. Therefore, researchers have designed a variety of mechanisms to improve the robustness of the header compression mechanism.
- ROHC Robust Header Compression
- W-LSB Window-based Least Significant Bits
- SN Sequence Number
- the reason why the SN field is so emphasized is that ROHC uses different compression algorithms for different dynamic domains in the header, but they are all functions related to SN.
- the SN field can also be used to eliminate duplicate packets and avoid context corruption.
- ROHC uses Cyclic Redundancy Check ("CRC") check.
- CRC Cyclic Redundancy Check
- the compression end performs CRC check on the original header, and fills the result into the CRC field of the compressed header.
- the decompressing end decompresses the header, and then performs CRC check on the decompressed header, and the result of the verification is performed.
- CRC field in the compressed header if they are the same, it means that the decompression is correct, otherwise the decompression error.
- the compressed packet generated by the compression end reaches the decompression end through the transmission path shown in FIG. 1, for example, when the compressed packet is subjected to network attack during the transmission process, for example, the attacker uses a replay, forgery, and the like to deliver a large number of attack packets to the network.
- These attack packets are transmitted to the decompressing end.
- the decompressing end decompresses the header, and then performs CRC check on the decompressed header, and compares the result of the check with the CRC field in the compressed header, and decompresses the pair.
- Each of the received compressed packets must perform the above-mentioned decompression calculation operation, including the decompression calculation operation of the attack packet, so that a large amount of computing resources on the decompression end are lost, and a denial of service is caused in a serious case.
- the method for data transmission performs end-to-end transmission of header compression, and can timely discover that a network attack exists during data transmission, and can reduce the attack to a certain extent.
- the transmission of the packet in the network reduces the occupation of the transmission resource by the attack packet on the one hand, and effectively reduces the number of attack packets reaching the decompression end on the other hand, and can reduce the computational burden of the decompression end.
- the controller acquires the number of transmission and reception of the second data packet when determining that the number of consecutive error decompressions of the receiving end exceeds a preset threshold.
- the receiving end refers to a device end that is in communication with the last node, for example, a decompressing end. And when the decompressing end continuously decompresses the number of the compressed packets of the first service data stream that is greater than a preset threshold, reporting an indication message to the controller, for example, reporting a header identifier of the first service data flow, and the controller according to the indication message, Counts the number of packets sent and received by the first security identifier.
- RFC 5858 states that the use of the header compression mechanism increases the risk of traffic analysis attacks on the compressed packets during the transmission process. This is because the compression of the header compression mechanism is less efficient when the context is established, the resulting compressed packets are larger, and the context is well established. After the compression efficiency is improved, the corresponding compressed package is small. In this way, the data stream consisting of compressed packets shows a set of large packets and then becomes a small packet. The network attacker attacks the data transmission according to the transmission characteristics of the packet after the first large packet compressed by the header. This is called a traffic analysis attack. With current technology, it is difficult to effectively detect or prevent traffic analysis attacks.
- the first service data flow is a header compressed data flow
- the at least one security identifier allocated by the controller for the first service data flow includes two or more security
- the first security identifier is the first security identifier
- the first indication message is specifically used to indicate that the first node preferentially uses the first security identifier to replace the first data packet.
- the at least one security identifier allocated for the first service data flow includes multiple security identifiers, for example, three security identifiers are allocated, wherein the first security identifier of the three security identifiers is the first security identifier, that is, Indicates the security identifier that the first node prefers to use.
- the first node when the first node obtains the first first data packet A1 of the first service data stream, the first data packet A1 is replaced by the first security identifier in the at least one security identifier, and the first one is carried.
- the second data packet B1 of the security identifier transmits the second data packet B1 to the next node.
- the first data packet A2 may be replaced by the first security identifier, and the second second security identifier is obtained.
- Data packet B2, the second data packet B2 is sent to the next node; and the second first data packet A2 may be replaced by another security identifier other than the first security identifier in the at least one security identifier.
- Corresponding second data packet that is, when the controller allocates multiple security identifiers for the first service data flow, the first node may be replaced for replacing the first service
- the security identification of the data packet of the data stream, the manner of replacement, and the frequency of replacement are not limited in this embodiment of the present invention.
- the controller allocates a first security identifier for the first service data stream (for example, the header compressed data stream), so that the first node replaces the first service data according to the first security identifier.
- the first packet of the stream or the first few packets of the stream which is beneficial for the controller to monitor the transmission of the first packet or the first few packets of the first service data stream, which is advantageous for discovering traffic analysis attacks. This type of attack.
- the method 200 further includes:
- the controller determines, according to the number of the data packets sent and received by the first-use security identifier, that the first service data stream is subjected to a traffic analysis attack during the transmission process.
- the first service data stream is considered to be subject to traffic analysis attack during transmission.
- the controller may also analyze whether there is a traffic analysis attack in the network by counting the attack situation of the first security identifier of the multiple different data streams. For example, the controller counts the proportion of the number of the first-use security identifiers that are attacked in the number of all the security identifiers that are attacked during the preset time period. When the ratio exceeds the preset threshold, the traffic analysis may be considered in the network. attack.
- the controller allocates multiple security identifiers for each service data flow, for example, assigning three first security data identifiers to the first service data flow.
- the security identifier allocates five security identifiers including the first security identifier for the second service data flow, and allocates M security identifiers including the first security identifier to the Nth service data flow.
- N1 attacked security identifiers are determined (that is, the number of data packets transmitted and received by the security identifiers can be determined to be a network attack), wherein the N1 N2 of the security identifiers are the first security identifiers.
- N2/N1 exceeds a preset threshold, it can be considered that there is a traffic analysis attack in the network.
- the traffic analysis attack can be effectively found according to the number of data packets transmitted and received by the first-use security identifier, thereby facilitating subsequent development of the solution.
- the first node when the controller allocates multiple security identifiers for the first service data flow, the first node may replace the security label used to replace the data packet for processing the first service data flow.
- the controller can define how and how to replace the security label.
- the first service data stream is a header compressed data stream
- the at least one security identifier allocated for the first service data stream includes two or more security identifiers
- the first indication message is specifically used to indicate that the first node selects the first security identifier from the at least one security identifier according to the size of the currently processed first data packet, so as to replace the processing the first data packet.
- the first indication message sent by the controller to the head node includes a preset threshold for indicating the first node, when the size of one data packet of the currently processed first service data stream is the first of the previous processing
- the preset threshold for indicating the first node, when the size of one data packet of the currently processed first service data stream is the first of the previous processing
- the current data packet is replaced with a security identifier different from the last utilized security identifier.
- the first indication message sent by the controller to the head node includes a preset threshold for indicating a data packet size range, and is used to indicate the first node, when a data packet of the currently processed first service data stream is recorded.
- the controller selects a security identifier (recorded as security identifier 1) for the plurality of security identifiers of the first service data stream to process the data packet A1, and the next processing
- the controller selects another security identifier for the multiple security identifiers of the first service data flow (recorded as Security ID 2, unlike Security ID 1) processes the packet A2.
- selecting a security identifier for replacing the first data packet can effectively prevent traffic analysis attacks.
- the first indication message is further used to indicate that the first node does not exceed the preset threshold by using the same security identifier to replace the first data packet.
- the replacement of the different security identifiers replaces the subsequent first data packets.
- the method 200 further includes:
- the controller acquires the number of the second data packet received by the next node in each of the two adjacent nodes in the transmission path and the number of the second data packet sent by the previous node;
- the controller determines, according to the obtained number of the second data packet received by the next node and the number of the second data packet sent by the previous node, determining the adjacent first node in the transmission path First The path between the two nodes is the attacked path;
- the controller allocates an alternate transmission path for the first service data flow, the alternative transmission path not including the attacked path.
- the number of the second data packet received by the next node in each of the two adjacent nodes in the transmission path 120 is compared with the second data sent by the previous node.
- the number of packets is found to be the largest difference between the number of the second data packets received by the intermediate node 122 minus the number of the second data packets sent by the first node 121, and the first node 121 and the intermediate node 122 are determined.
- the path is the attacked path.
- the controller re-allocates an alternate transmission path for the first service data flow, the alternate transmission path not including the attacked path (head node 121 - intermediate node 122).
- the security identifier is replaced, so that the network can be resisted to some extent. attack.
- the method before the S210 controller allocates the at least one security identifier to the first service data stream, the method further includes:
- the controller pre-creates a security identity status table, such as but not limited to the form shown in Table 1:
- the status of the security identifier includes: four types: unoccupied, occupied, attacked, and used first.
- the status of the security identifier is unoccupied, that is, the security identifier is not allocated to a certain data flow; the status of the security identifier is occupied, that is, the security identifier has been allocated to the determined data flow; the status of the security identifier
- the security identifier is assigned to the determined data stream, and the data packet carrying the security identifier is subjected to a network attack, for example, being replayed or forged.
- the security identifier may be referred to as an attacked security identifier;
- the status of the security identifier is that the first identifier indicates that the security identifier has been assigned to the determined data stream, and the security identifier is preferentially used to process the data stream.
- the header identifier of the data stream includes, but is not limited to, the source IP address, the destination IP address, the source MAC address, the destination MAC address, the transmission protocol, the Transmission Control Protocol ("TCP"), or the user of the data stream.
- TCP Transmission Control Protocol
- Datagram Protocol User Datagram Protocol, Jane Information such as the "UDP" port or the stream ID of the data stream.
- the transmission path of the security identifier includes a first node and a last node, or also includes an intermediate node.
- the S210 controller allocates at least one security identifier to the first service data flow, including:
- the header identifier of the first service data stream is obtained. For example, in the scenario shown in FIG. 1, when the first node receives the first data packet of the first service data stream sent by the sender, the header identifier of the first service data stream is reported to the controller.
- the first service data flow is allocated at least one security identifier, for example, the first service data flow is assigned a security identifier.
- the security ID #2 and Security ID #3 it should be understood that after the assignment, the status of the at least one security identifier is updated to be occupied. It should be further understood that after the controller allocates the at least one security identifier to the first service data flow, the at least one security identifier has a correspondence relationship with a header identifier of the first service data flow and a transmission path of the first service data flow. .
- the method 200 further includes:
- a stream deletion event of a data stream refers to the termination of the transmission of the data stream in the network.
- the controller detects the flow deletion event of the first service data flow, releasing the security identifier allocated for the first service data flow, and setting the first service in the security identity status table as shown in FIG.
- the security identifiers assigned by the data stream eg, security tokens #1, #2, and #3 are marked as unoccupied.
- the security identifier according to the number of data packets transmitted and received by the security identifier, it is determined that the transmission of the data stream is attacked by the network, and the data packet carrying the security identifier is discarded by the node in the indication transmission path.
- the attack packet can be discarded in time, thereby effectively reducing the occupation of the transmission resource by the attack packet and improving the utilization of the transmission resource. It can also effectively reduce the number of attack packets arriving at the receiving end, and can reduce the computing pressure of the receiving end to a certain extent.
- FIG. 2 illustrates a method of data transmission according to an embodiment of the present invention from the perspective of a controller.
- a method for data transmission according to an embodiment of the present invention is described below from the perspective of a node in conjunction with FIG. 3.
- FIG. 3 is a schematic flowchart of a method 300 for data transmission according to an embodiment of the present invention.
- the method 300 includes:
- the first node receives a first indication message sent by the controller, where the first indication message includes at least one security identifier that is allocated by the controller for the first service data stream, where the first node is a transmission of the first service data stream.
- the first indication message sent by the controller to the first node includes a header identifier of the first service data flow, the at least one security identifier, and an identifier of a next node in the transmission path.
- the header identifier of the first service data flow includes, but is not limited to, a source IP address, a destination IP address, a source MAC address, a destination MAC address, a transmission protocol, and a transmission control protocol (Transmission Control Protocol) of the first service data flow. , referred to as "TCP” or User Datagram Protocol (“UDP”) port, or the stream ID of the first service data stream.
- TCP Transmission Control Protocol
- UDP User Datagram Protocol
- the identity of the next node in the transmission path refers to the identity of the next node of the first node in the transmission path of the first service data stream.
- the first node replaces the first data packet by using the first security identifier of the at least one security identifier, and acquires a second data packet that carries the first security identifier, where the first The data packet is a data packet in the first service data stream;
- the first node replaces the first data packet by using the first security identifier in the at least one security identifier according to the first indication message, and acquires the first data identifier that carries the first security identifier.
- Two data packets including:
- the first node obtains a second data packet carrying the first security identifier by processing a header identifier of the first data packet, and replaces the first data packet with the second data packet, and sends the second data packet to the transmission.
- the next node in the path obtains a second data packet carrying the first security identifier by processing a header identifier of the first data packet, and replaces the first data packet with the second data packet, and sends the second data packet to the transmission.
- the next node in the path is the next node in the path.
- a header identifier field filled with the first security identifier is added to the first data packet, so that the first data packet is replaced by the second data packet carrying the first security identifier.
- replacing one of the header identifiers of the first data packet with the first security identifier for example, replacing the source IP address in the header identifier of the first data packet with the first security identifier, thereby replacing the first data packet.
- the header identifier of the first data packet may be processed by other means, and the first data packet is replaced by the second data packet carrying the first security identifier, which is not limited in this embodiment of the present invention.
- the first node sends the second data packet to a next node in the transmission path.
- the controller further indicates that the intermediate node in the transmission path sends the received second data packet to a next node in the transmission path, and the controller further indicates the transmission path.
- the last node in the middle restores the received second data packet to the corresponding first data packet.
- the controller further sends the at least one security identifier and the identifier of the next node in the transmission path to the intermediate node.
- the intermediate node receives a data packet A, and first determines whether the data packet carries the at least one security identifier, for example, determining that the data packet A carries the first security identifier (ie, the first node pair of the transmission path) If the data packet of a service data stream is sent as a data packet after the replacement process, the data packet A is forwarded to the next node according to the identifier of the next node.
- data packet A in the above example corresponds to the second data packet in the embodiment of the present invention.
- the controller further sends a header identifier of the first service data flow and the at least one security identifier to the last node.
- the last node receives a data packet A, and first determines whether the data packet carries the at least one security identifier, for example, determining that the data packet A carries the first security identifier (ie, the first node pair of the transmission path) a data packet of a service data stream is sent as a data packet after the replacement processing, and then the data packet A is restored according to the header identifier of the first service data stream, assuming that the first node is the header of the first data packet If the source IP address in the identifier is replaced by the first security identifier to obtain the data packet A, the last node uses the opposite means to restore the first security identifier in the header identifier of the data packet A to the first service data stream. The source IP address is restored to obtain the first data packet corresponding to the data packet A.
- the first security identifier ie, the first node pair of the transmission path
- the first node sends the number of the second data packet that has been sent to the controller, so that the controller determines that the first service data stream is attacked by the network during the transmission, and determines the first security. Identified as the attacked security identity;
- the first node may report the number of the second data packet to be sent according to the indication message of the controller, and may also report the data, for example, according to the preset timer information.
- the first node receives a second indication message that is sent by the controller, and is used to indicate that the data packet that carries the attack security identifier that is currently transmitted in the transmission path is discarded, and the current indication is discarded according to the second indication message.
- the transmission of the fixed data stream is attacked by the network, and the data packet carrying the security identifier is discarded by the node in the transmission path, so that the attack packet can be discarded in time, thereby effectively reducing the occupation of the transmission resource by the attack packet and improving the transmission resource. Utilization.
- the number of attack packets arriving at the receiving end can also be effectively reduced, and the computing pressure of the receiving end can be reduced to some extent.
- the first indication message involved in the method 300 for data transmission according to the embodiment of the present invention corresponds to the first indication message involved in the method 200 for data transmission according to the embodiment of the present invention
- the second indication message involved in the method 300 of data transmission corresponds to a fourth indication message involved in the method 200 of data transmission provided in accordance with an embodiment of the present invention.
- the method for data transmission performs end-to-end transmission of header compression, and can timely discover that a network attack exists in the data transmission process, and can reduce the transmission of the attack packet in the network to a certain extent, and reduce the attack on the other hand.
- the use of the transmission resources by the packet effectively reduces the number of attack packets arriving at the decompression end, which can reduce the computational burden on the decompression end.
- the method 300 after receiving the second indication message, the method 300 further includes:
- the first node no longer processes the data packet in the first service data flow by using the attacked security identifier.
- the first node may autonomously no longer use the attacked security identifier to process the data packet in the first service data stream. And after receiving the fifth indication message that is sent by the controller to indicate that the attacked security identifier is no longer processed by the attacked security identifier, the attacked security identifier is no longer processed. A packet of data.
- the fifth indication message and the second indication message that are received by the first node may be sent to the first node in two times, or may be delivered to the first node at the same time.
- the fifth indication message and the second indication message are the same indication message, which is not limited by the embodiment of the present invention.
- the controller may send a new security identifier to the first node, indicating that the first node replaces the first data packet with the new security identifier, which can improve the resistance to the network attack to a certain extent.
- the first node is notified that the first security identifier is attacked.
- the method 300 further includes:
- the first data packet subsequent to the first service data stream is replaced with a new security identifier, the new security identifier being different from the first security identifier.
- the new security identifier may be a security identifier different from the first security identifier that is reselected by the first node from the multiple security identifiers allocated by the controller for the first service data flow, or may be the controller
- a security identifier for redistributing a service data stream is not limited in this embodiment of the present invention.
- the security identifier used in the replacement processing of the first node can improve the resistance to network attacks to a certain extent.
- the data transmission method of the embodiment of the present invention can be applied to a scenario in which header compression and a centralized management network are combined to implement end-to-end transmission of header compression.
- RFC 5858 states that the use of the header compression mechanism increases the risk of traffic analysis attacks on the compressed packets during the transmission process. This is because the compression of the header compression mechanism is less efficient when the context is established, the resulting compressed packets are larger, and the context is well established. After the compression efficiency is improved, the corresponding compressed package is small. In this way, the data stream consisting of compressed packets shows a set of large packets and then becomes a small packet. The network attacker attacks the data transmission according to the transmission characteristics of the packet after the first large packet compressed by the header. This is called a traffic analysis attack. With current technology, it is difficult to effectively detect or prevent traffic analysis attacks.
- the first service data flow is a header compressed data flow
- the at least one security identifier allocated by the controller for the first service data flow includes two or more security
- the first security identifier is a first security identifier, where the first indication message is specifically used to indicate that the first node preferentially uses the first security identifier to replace the first data packet;
- S320 The first node, according to the first indication message, replaces the first data packet with the first security identifier of the at least one security identifier, and obtains the second data packet that carries the first security identifier, including:
- the first node preferentially processes the first data packet by using the first security identifier to obtain the second data packet carrying the first security identifier.
- the at least one security identifier allocated for the first service data flow includes multiple security identifiers, for example, three security identifiers are allocated, wherein the first security identifier of the three security identifiers is the first security identifier, that is, Indicates the security identifier that the first node prefers to use.
- the first node when the first node acquires the first first data packet A1 of the first service data flow, the first node uses The first data packet A1 is replaced by the first security identifier in the at least one security identifier, and the first data packet B1 carrying the first security identifier is obtained, and the second data packet B1 is sent to the next node.
- the first data packet A2 may be replaced by the first security identifier, and the second second security identifier is obtained.
- Data packet B2, the second data packet B2 is sent to the next node; and the second first data packet A2 may be replaced by another security identifier other than the first security identifier in the at least one security identifier.
- the first node may replace the security identifier for replacing the data packet for processing the first service data flow, and the replacement manner
- the frequency of the replacement is not limited in this embodiment of the present invention.
- the controller allocates a first security identifier for the first service data stream (for example, the header compressed data stream), so that the first node replaces the first service data according to the first security identifier.
- the first packet of the stream or the first few packets of the stream which is beneficial for the controller to monitor the transmission of the first packet or the first few packets of the first service data stream, which is advantageous for discovering traffic analysis attacks. This type of attack.
- the traffic analysis attack can be effectively found according to the number of data packets transmitted and received by the first-use security identifier, thereby facilitating subsequent development of the solution.
- the first node when the controller allocates multiple security identifiers for the first service data flow, the first node may replace the security identifier used to replace the data packet that processes the first service data flow.
- the first service data stream is a header compressed data stream
- the at least one security identifier allocated for the first service data stream includes two or more security identifiers
- the first indication message is specifically configured to indicate that the first security identifier is selected from the at least one security identifier according to a size of the currently processed first data packet.
- S320 The first node, according to the first indication message, replaces the first data packet with the first security identifier of the at least one security identifier, and obtains the second data packet that carries the first security identifier, including:
- the first node selects the first security identifier from the at least one security identifier according to the size of the first data packet that is currently processed, and replaces the first data packet with the first security identifier to obtain the first security identifier.
- the second packet identified.
- the first indication message sent by the controller to the head node includes a preset threshold for indicating the size of a data packet of the currently processed first service data stream and the last processed data packet.
- a preset threshold for indicating the size of a data packet of the currently processed first service data stream and the last processed data packet.
- the first indication message sent by the controller to the head node includes a preset threshold for indicating a data packet size range, and is used to indicate the first node, when a data packet of the currently processed first service data stream is recorded.
- the controller selects a security identifier (recorded as security identifier 1) for the plurality of security identifiers of the first service data stream to process the data packet A1, and the next processing
- the controller selects another security identifier for the multiple security identifiers of the first service data flow (recorded as Security ID 2, unlike Security ID 1) processes the packet A2.
- selecting a security identifier for replacing the first data packet can effectively prevent traffic analysis attacks.
- the first node uses the same security identifier to replace the first data packet to not exceed a preset threshold.
- the first node replaces the security identifier when replacing the data packet of the service data flow with the security identifier, so that the network attack can be resisted to some extent.
- the first node is an intermediate node in a transmission path of the second service data flow
- the method 300 further includes:
- the first node forwards the received data packet carrying the second security identifier to the next node in the transmission path of the second service data flow according to the third indication message sent by the controller, where the second security identifier is used.
- a security identifier assigned by the controller to the second service data flow where the data packet carrying the second security identifier is a data packet of the second service data flow of the first node in the transmission path of the second service data flow Substitute after processing.
- the third indication message includes a security identifier allocated by the controller for the second service data flow and an identifier of a next node in a transmission path of the second service data flow.
- the first node is a transmission path of the third service data stream.
- the method 300 further includes:
- the first node restores, according to the fourth indication message sent by the controller, the received data packet carrying the third security identifier into a data packet corresponding to the third service data flow, where the third security identifier is the a security identifier allocated by the controller for the third service data flow, where the data packet carrying the third security identifier is a processing for the first node in the transmission path of the third service data flow to replace the data packet of the third service data flow Obtained after
- the first node sends the received number of data packets carrying the third security identifier to the controller, so that the controller determines that the third service data stream is attacked by the network during the transmission.
- the fourth indication message includes a header identifier of the third service data stream and a security identifier allocated by the controller for the third service data stream.
- the first node in the embodiment of the present invention may serve as a first node in the transmission path of the service data flow A, and may be used to replace the data packet of the service data flow A according to the security identifier allocated by the controller for the service data flow A. Processing, obtaining a corresponding second data packet, and transmitting to the next node in the transmission path.
- the first node in the embodiment of the present invention may also be used as an intermediate node in the transmission path of the service data stream B, for forwarding the received data packet carrying the security identifier to the next node in the transmission path.
- the first node in the embodiment of the present invention may also be used as the last node in the transmission path of the service data stream C, and used to restore the received data packet carrying the security identifier to the data packet of the corresponding service data stream C, for example,
- the data packet of the service data stream C obtained by the restoration process is sent to the decompression terminal 130 as shown in FIG. 1.
- the security identifier according to the number of data packets transmitted and received by the security identifier, it is determined that the transmission of the data stream is attacked by the network, and the data packet carrying the security identifier is discarded by the node in the indication transmission path, thereby realizing The attack packet is discarded in time, which can effectively reduce the occupation of the transmission resource by the attack packet and improve the utilization of the transmission resource.
- the number of attack packets arriving at the receiving end can also be effectively reduced, and the computing pressure of the receiving end can be reduced to some extent.
- FIGS. 1 through 3 A method of data transmission according to an embodiment of the present invention is described above with reference to FIGS. 1 through 3, and an apparatus for data transmission according to an embodiment of the present invention is described below with reference to FIGS. 4 and 5.
- the controller shown in FIG. 1 taking the controller as the controller 140 shown in FIG. 1 as an example, and taking the first node as the first node 121 shown in FIG. 1 as an example, and the intermediate node is
- the intermediate node 122 shown in FIG. 1 is taken as an example, and the last node 123 shown in FIG. 1 is taken as an example to describe the data transmission method of the embodiment of the present invention.
- the intermediate node 122 shown in FIG. 1 Means Any node located between the head node 121 and the end node 123 is shown.
- the first service data stream compressed by the header generated by the compression end 110 needs to be transmitted to the decompression end 130 through the transmission path 120, wherein the action of header compression is performed by the end user of the compression end.
- the controller pre-creates a security identity status table, which may be, but is not limited to, as shown in Table 1.
- the status of the security identifier includes four types: occupied, used, attacked, and unoccupied.
- the transmission path of the data stream includes a first node and a last node on the transmission path, and may also include an intermediate node.
- the node 1 receives the first data packet of the first service data flow, and reports the header identifier of the first service data flow to the controller;
- the controller determines, according to the mapping relationship between the header identifier and the security policy, whether to hide the identifier of the first service data stream.
- the header identifier of the first service data flow may be a source IP, a destination IP, a transport protocol, a TCP or a UDP port, and the like; the security policy includes the identifier hiding and the identifier is not hidden.
- the node 1 in step B1 may be the first node shown in FIG. 1 or other nodes communicatively connected to the compression end 110.
- the controller determines to identify and hide the first service data stream, allocate a plurality of unoccupied security identifiers, and determine a transmission path of the first service data stream, such as the transmission path 120 shown in FIG.
- the controller marks the plurality of security identifiers allocated for the first service data flow as occupied, and records information such as an association relationship between the plurality of security identifiers and the first service data stream, and a transmission path of the first service data stream; In addition, the controller may also select one of the plurality of security identifiers as the first security identifier and identify it as being used first.
- the controller For each node on the transmission path 120 of the first service data flow, the controller performs the following steps:
- the controller sends a header identifier of the first service data flow, the multiple security identifiers, and an identifier of the next node (the next node of the first node in the transmission path 120) to the first node; in addition, the controller may further set the first threshold And sending a second threshold to the first node, where the first threshold and the second threshold are set empirically, and the second threshold cannot be less than 1;
- the controller sends the multiple security identifiers and the next node identifier to the intermediate node. It should be understood that the intermediate node shown in FIG. 1 indicates any node located between the first node and the last node;
- the controller sends the header identifier of the first service data flow and the multiple security identifiers to the last node.
- the first node receives a header identifier of the first service data flow sent by the controller, the multiple security identifiers, and the next node identifier, and the first data packet that matches the header identifier of the first service data flow, that is, the first service
- the data packet of the data stream is subjected to identity hiding processing to obtain a second data packet, and the second data packet carrying the first security identifier is transmitted to the intermediate node.
- the identifier hiding process refers to processing the header identifier of the first data packet, and acquiring the second data packet carrying the first security identifier of the multiple security identifiers.
- the first node receives the first security identifier from the plurality of security identifiers sent by the controller, first using the first security identifier to perform identifier hiding processing on the first data packet;
- the first node 121 further receives the first threshold sent by the controller, when the size of the first data packet is greater than or less than the first threshold, the different security identifiers of the multiple security identifiers should be used respectively.
- the first data packet performs identity hiding processing
- the first node further receives the second threshold sent by the controller, when consecutively sending the number of the second data packet carrying the same security identifier is greater than or equal to the second threshold, the first data identifier should be used.
- the package performs identification hiding processing
- the intermediate node receives the multiple security identifiers and the next node identifiers sent by the controller, and when receiving the second data packet carrying any one of the multiple security identifiers, transmitting the second data packet to the second data packet.
- the last node receives the header identifier of the first service data flow sent by the controller, and the multiple security identifiers, when receiving the second data packet carrying any one of the multiple security identifiers,
- the data packet is subjected to an identification de-hiding process (corresponding to the restoration process involved in the embodiment of the present invention) to obtain a first data packet.
- the controller obtains the number of data packets of each data stream (ie, multiple service data streams) sent by the first node and the number of data packets of each data stream received by the last node, and calculates each data stream to be received at the last node. The difference between the number of packets and the number of packets sent by the first node. If the difference is greater than the third threshold, it is confirmed that the data stream is attacked by the network.
- the security identifier is identified as being attacked in the security identifier state table, wherein the third threshold can be set according to experience. .
- the controller counts the first security identifier in the security identifier that was attacked during the past period of time. If the ratio is greater than the fourth threshold, it is confirmed that there is a traffic analysis attack in the network, wherein the fourth threshold may be set according to experience.
- the controller confirms that a certain data stream is attacked, obtains the number of data packets sent by the first node, the intermediate node, and the last node receives the data stream, and calculates the difference between the next node and the previous node between the adjacent nodes on the transmission path. Value, find the neighboring two nodes with the largest difference, and confirm that there is an attacker on the link between the two nodes.
- the controller confirms that a certain security identifier of a data stream X is attacked, the security identifier is sent to the first node, the intermediate node, and the last node on the transmission path of the data stream X; the first node receives the security identifier sent by the controller. And using the security identifier to perform identity hiding processing on the first data packet of the data stream X; the first node, the intermediate node, and the last node discard the second data packet carrying the security identifier;
- the controller may further allocate an unoccupied security identifier to the data stream X, identify that it is occupied, and record information about the association between the security identifier and the data stream X, the transmission path of the data stream X, and the like;
- the controller sends the header identifier and the security identifier of the data stream X to the first node, and sends the security identifier and the next node identifier to the intermediate node, and sends the header identifier and the security identifier of the data stream X to the last node;
- the controller confirms that the second threshold is decreased when there is a traffic analysis attack in the network, and otherwise increases the second threshold.
- the controller when the controller confirms the link where the attacker is located, the alternative path is calculated, and the alternative path does not include the link; the controller sends the header identifier of the data stream to the first node, the intermediate node, and the last node of the alternative path. Or the security identifier, and the next node identifier; when the first node, the intermediate node, and the last node receive the data packet that matches the header identifier or the security identifier of the data stream, the data packet is transmitted to the next node;
- the controller When the controller receives the stream deletion event information of a certain data stream, the security identifier occupied by the data stream is marked as unoccupied.
- the security identifier according to the number of data packets transmitted and received by the security identifier, it is determined that the transmission of the data stream is attacked by the network, and the node in the transmission path is required to carry the security. If the identified data packet is discarded, the attack packet can be discarded in time, which can effectively reduce the occupation of the transmission resource by the attack packet and improve the utilization of the transmission resource.
- the number of attack packets arriving at the receiving end can also be effectively reduced, and the computing pressure of the receiving end can be reduced to some extent.
- FIG. 4 shows a schematic block diagram of a controller 400 provided in accordance with an embodiment of the present invention, the controller 400 comprising:
- the allocating module 410 is configured to allocate at least one security identifier for the first service data flow
- the sending module 420 is configured to send, to the first node in the transmission path of the first service data flow, a first indication message that includes the at least one security identifier that is allocated by the allocation module, where the first indication message is used to indicate that the first node uses the The first security identifier in the at least one security identifier replaces the first data packet, acquires the second data packet carrying the first security identifier, and sends the second data packet to the next node in the transmission path, where the The first data packet is a data packet in the first service data stream;
- the sending module 420 is further configured to send, to the intermediate node in the transmission path, a second indication message for indicating to send the received second data packet to a next node in the transmission path, where the sending module further uses Transmitting, to the last node in the transmission path, a third indication message for indicating that the received second data packet is restored to the corresponding first data packet;
- the obtaining module 430 is configured to obtain the number of the second data packet sent and received by the last node, and the number of the second data packet sent by the first node, and the number of the second data packet sent by the first node;
- the first determining module 440 is configured to: according to the number of the second data packet acquired by the acquiring module, determine that the first service data stream is subjected to a network attack during the transmission, and determine that the first security identifier is an attacked security identifier. ;
- the sending module 420 is further configured to send, to each node in the transmission path, a fourth indication message for indicating to discard the data packet currently transmitted in the transmission path and carrying the attack security identifier determined by the first determining module. .
- the security identifier according to the number of data packets transmitted and received by the security identifier, it is determined that the transmission of the data stream is attacked by the network, and the data packet carrying the security identifier is discarded by the node in the indication transmission path, thereby realizing The attack packet is discarded in time, which can effectively reduce the occupation of the transmission resource by the attack packet and improve the utilization of the transmission resource.
- the number of attack packets arriving at the receiving end can also be effectively reduced. It can reduce the calculation pressure of the receiving end to a certain extent.
- the first service data stream is a header compressed data stream
- the at least one security identifier allocated by the allocation module for the first service data stream includes two or more security
- the first security identifier is the first security identifier
- the first indication message sent by the sending module 420 is specifically used to indicate that the first node preferentially uses the first security identifier to replace the first data packet.
- the controller 400 further includes:
- the second determining module 450 is configured to determine, according to the number of sending and receiving of the data packet carrying the first-use security identifier, that the first service data stream is subjected to a traffic analysis attack during the transmission process.
- the first service data stream is a header compressed data stream
- the at least one security identifier allocated by the allocation module for the first service data stream includes two or more security An identifier
- the first indication message sent by the sending module 420 is specifically used to indicate that the first node selects the first security identifier from the at least one security identifier according to the size of the currently processed first data packet, so as to replace the processing.
- the first data packet is specifically used to indicate that the first node selects the first security identifier from the at least one security identifier according to the size of the currently processed first data packet, so as to replace the processing.
- the first indication message sent by the sending module 420 is further used to indicate that the first node does not exceed the preset threshold by using the same security identifier to replace the first data packet.
- the sending module 420 is further configured to: when the first determining module determines that the first service data stream is attacked by a network during transmission, to send to the first node And instructing to replace the fifth indication message of the first data packet with the attack security identifier.
- the obtaining module 430 is further configured to: after the first determining module 440 determines that the first service data stream is subjected to a network attack during the transmission, acquiring each of the two transmission paths. The number of the second data packet received by the next node among the neighboring nodes and the number of the second data packet sent by the previous node;
- the controller 400 also includes:
- a third determining module 460 configured to determine, according to the number of the second data packet received by the next node acquired by the acquiring module, and the number of the second data packet sent by the previous node, determining a phase in the transmission path The path between the first node and the second node of the neighbor is the attacked path;
- the allocating module 410 is further configured to allocate an alternate transmission path for the first service data flow, where the alternate transmission path does not include the attacked path.
- the acquiring module 430 is specifically configured to acquire, according to a preset timer, the number of the second data packet to be sent and received.
- the controller 400 further includes:
- the release module 470 is configured to release the security identifier allocated for the first service data flow when the flow deletion event of the first service data flow is detected.
- controller 400 is, for example, the controller 140 described in FIG. 1 , and may correspond to the controller in the method for data transmission provided by the embodiment of the present invention, and each module in the controller 400
- the above and other operations and/or functions are respectively implemented in order to implement the respective processes of the respective methods in FIG. 2 and FIG. 3, and are not described herein again for brevity.
- FIG. 5 is a schematic block diagram of a node 500 for data transmission according to an embodiment of the present invention.
- the node 500 includes:
- the receiving module 510 is configured to receive a first indication message sent by the controller, where the first indication message includes at least one security identifier that is allocated by the controller for the first service data flow, and the node 500 is used for transmission of the first service data stream.
- the replacement module 520 is configured to replace, by using the first security identifier of the at least one security identifier, the first data packet, and obtain the second data packet that carries the first security identifier, according to the first indication message that is received by the receiving module.
- the first data packet is a data packet in the first service data stream;
- the sending module 530 is configured to send, to the next node in the transmission path, the second data packet acquired by the replacement module;
- the sending module 530 is further configured to send, to the controller, the number of the second data packets that have been sent, so that the controller determines that the first service data stream is attacked by a network during transmission, and determines the first A security identifier is an attack security identifier;
- the receiving module 510 is further configured to receive, by the controller, a fourth indication message that is sent by the controller to indicate that the data packet currently carrying the attack security identifier that is currently transmitted in the transmission path is discarded, and is discarded according to the fourth indication message. A packet carrying the attacked security identifier currently transmitted in the transmission path.
- the security identifier according to the number of data packets transmitted and received by the security identifier, it is determined that the transmission of the data stream is attacked by the network, and the data packet carrying the security identifier is discarded by the node in the indication transmission path, thereby realizing The attack packet is discarded in time, which can effectively reduce the occupation of the transmission resource by the attack packet and improve the utilization of the transmission resource.
- the number of attack packets arriving at the receiving end can also be effectively reduced. It can reduce the calculation pressure of the receiving end to a certain extent.
- the first service data flow is a header compressed data flow
- the at least one security identifier allocated by the controller for the first service data flow includes two or more security
- the first security identifier is the first security identifier, where the first indication message received by the receiving module 510 is specifically used to indicate that the first node preferentially uses the first security identifier to replace the first data packet;
- the replacement module 520 is specifically configured to: first use the first security identifier to replace the first data packet, and obtain the second data packet that carries the first security identifier.
- the first service data stream is a header compressed data stream
- the at least one security identifier allocated for the first service data stream includes two or more security identifiers
- the first indication message received by the receiving module 510 is specifically used to indicate that the first security identifier is selected from the at least one security identifier according to the size of the currently processed first data packet.
- the replacement module 520 is specifically configured to select the first security identifier from the at least one security identifier according to the size of the first data packet that is currently processed, and replace the first data packet with the first security identifier to obtain the The second data packet of the first security identifier.
- the first indication message is further used to indicate that the node does not exceed the preset threshold by using the same security identifier to replace the first data packet.
- the replacing module 520 is further configured to: after the receiving the module 510 receives the second indication message, no longer use the first security identifier to replace the first service data stream. Packet.
- the node 500 of the data transmission provided by the embodiment of the present invention is, for example, the head node 121 described in FIG. 1 , and may correspond to the head node in the data transmission method provided by the embodiment of the present invention, and each of the nodes 500
- the above and other operations and/or functions of the modules are respectively implemented in order to implement the respective processes of the respective methods in FIG. 2 and FIG. 3, and are not described herein again for brevity.
- the node 500 is an intermediate node in a transmission path of the second service data flow, and the node 500 further includes:
- the forwarding module 540 is configured to forward, according to the third indication message sent by the controller, the received data packet carrying the second security identifier to the next node in the transmission path of the second service data flow, where the second security identifier a security identifier allocated by the controller for the second service data flow, where the data packet carrying the second security identifier is the first node in the transmission path of the second service data stream
- the data packet of the second service data stream is obtained after the replacement process.
- the node 500 for data transmission in the embodiment of the present invention is, for example, the intermediate node 122 described in FIG.
- the node 500 is a last node in a transmission path of the third service data stream, and the node 500 further includes:
- the restoration module 550 is configured to restore, according to the fourth indication message sent by the controller, the received data packet carrying the third security identifier into a data packet of the third service data stream, where the third security identifier is a security identifier allocated by the controller for the third service data flow, where the data packet carrying the third security identifier is a processing for the first node in the transmission path of the third service data flow to replace the data packet of the third service data flow Obtained after
- the sending module is further configured to send, to the controller, the number of received data packets carrying the third security identifier, so that the controller determines that the third service data stream is subjected to a network attack during transmission.
- the node 500 for data transmission in the embodiment of the present invention is, for example, the last node 123 described in FIG.
- the security identifier according to the number of data packets transmitted and received by the security identifier, it is determined that the transmission of the data stream is attacked by the network, and the data packet carrying the security identifier is discarded by the node in the indication transmission path, thereby realizing The attack packet is discarded in time, which can effectively reduce the occupation of the transmission resource by the attack packet and improve the utilization of the transmission resource.
- the number of attack packets arriving at the receiving end can also be effectively reduced, and the computing pressure of the receiving end can be reduced to some extent.
- an embodiment of the present invention further provides a controller 600, which includes a processor 610, a memory 620, a bus system 630, a receiver 640, and a transmitter 650.
- the processor 610, the memory 620, the receiver 640, and the transmitter 650 are connected by a bus system 630.
- the memory 620 is configured to store instructions for executing the instructions stored in the memory 620 to control the receiver 640 to receive. Signal and control transmitter 650 to send a signal. among them,
- the processor 610 is configured to allocate at least one security identifier for the first service data flow
- the transmitter 650 is configured to send, to the first node in the transmission path of the first service data flow, a first indication message that includes the at least one security identifier, where the first indication message is used to indicate that the first node utilizes the at least one security
- the first security identifier in the identifier replaces the first data packet, acquires the second data packet carrying the first security identifier, and sends the second data to the next node in the transmission path.
- the first data packet is a data packet in the first service data stream
- the transmitter 650 is further configured to send, to the intermediate node in the transmission path, a second indication message for instructing to send the received second data packet to a next node in the transmission path, the controller further The last node in the transmission path sends a third indication message for instructing to restore the received second data packet to the corresponding first data packet;
- the processor 610 is further configured to: acquire the number of the second data packet sent and received, the number of the sending and receiving indicating the number of the second data packet received by the last node, and the number of the second data packet sent by the first node ;
- the processor 610 is further configured to: determine, according to the number of the second data packet to be sent and received, that the first service data stream is subjected to a network attack during the transmission, and determine that the first security identifier is an attacked security identifier;
- the transmitter 650 is configured to send, to each node in the transmission path, a fourth indication message for indicating to discard a data packet currently carrying the attack security identifier transmitted in the transmission path.
- the security identifier according to the number of data packets transmitted and received by the security identifier, it is determined that the transmission of the data stream is attacked by the network, and the data packet carrying the security identifier is discarded by the node in the indication transmission path, thereby realizing The attack packet is discarded in time, which can effectively reduce the occupation of the transmission resource by the attack packet and improve the utilization of the transmission resource.
- the number of attack packets arriving at the receiving end can also be effectively reduced, and the computing pressure of the receiving end can be reduced to some extent.
- the first service data flow is a header compressed data flow
- the at least one security identifier allocated by the controller for the first service data flow includes two or more security
- the first security identifier is the first security identifier
- the first indication message is specifically used to indicate that the first node preferentially uses the first security identifier to replace the first data packet.
- the processor 610 is further configured to:
- the first service data stream is a header compressed data stream
- the at least one security identifier allocated for the first service data stream includes two or more security identifiers
- the first indication message is specifically used to indicate that the first node selects the first security identifier from the at least one security identifier according to the size of the currently processed first data packet, so as to replace the processing the first data packet.
- the first indication message is further used to indicate that the first node does not exceed the preset threshold by using the same security identifier to replace the first data packet.
- the transmitter 650 is further configured to: when the processor 610 determines that the first service data stream is subjected to a network attack during transmission, send the indication to the first node.
- the fifth indication message of the first data packet is no longer replaced by the attacked security identifier.
- the processor 610 is further configured to: after determining that the first service data stream is subjected to a network attack in the transmission process, acquiring each two adjacent nodes in the transmission path. The number of the second data packet received by a node and the number of the second data packet sent by the previous node;
- the processor 610 is further configured to determine, according to the obtained number of the second data packet received by the subsequent node and the number of the second data packet sent by the previous node, the adjacent one of the transmission paths The path between a node and the second node is an attacked path;
- the processor 610 is further configured to allocate an alternate transmission path for the first service data flow, where the alternate transmission path does not include the attacked path.
- the processor 610 is specifically configured to obtain, according to a preset timer, the number of the second data packet to be sent and received.
- the processor 610 is further configured to: when the flow deletion event of the first service data flow is detected, release the security identifier allocated for the first service data flow.
- the processor 610 may be a central processing unit ("CPU"), and the processor 610 may also be other general-purpose processors, digital signal processors (DSPs). , an application specific integrated circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware component, and the like.
- the general purpose processor may be a microprocessor or the processor or any conventional processor or the like.
- the memory 620 can include read only memory and random access memory and provides instructions and data to the processor 610. A portion of the memory 620 can also include a non-volatile random access memory. For example, the memory 620 can also store information of the device type.
- the bus system 630 may include a power bus, a control bus, a status signal bus, and the like in addition to the data bus. However, for clarity of description, various buses are labeled as bus system 630 in the figure.
- each step of the foregoing method may be completed by an integrated logic circuit of hardware in the processor 610 or an instruction in a form of software.
- the steps of the method disclosed in connection with the embodiments of the present invention can be directly implemented as a hardware processor or completed by a combination of hardware and software modules in the processor.
- the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
- the storage medium is located in the memory 620, and the processor 610 reads the information in the memory 620 and completes the steps of the above method in combination with its hardware. To avoid repetition, it will not be described in detail here.
- controller 600 may correspond to a controller in the method of data transmission of the embodiment of the present invention, and may correspond to the controller 400 according to an embodiment of the present invention, and each of the controllers 600
- the above and other operations and/or functions of the modules are respectively implemented in order to implement the respective processes of the respective methods of FIG. 2 and FIG. 3, and are not described herein again for brevity.
- an embodiment of the present invention further provides a node 700 for data transmission.
- the node 700 includes a processor 710, a memory 720, a bus system 730, a receiver 740, and a transmitter 750.
- the processor 710, the memory 720, the receiver 740 and the transmitter 750 are connected by a bus system 730 for storing instructions for executing instructions stored in the memory 720 to control the receiver 740 to receive.
- Signal and control transmitter 750 to send a signal.
- the receiver 740 is configured to receive the first indication message that is sent by the controller, where the first indication message includes at least one security identifier that is allocated by the controller for the first service data flow, where the first node is the first service data.
- the first node in the transmission path of the stream;
- the processor 710 is configured to: replace, according to the first indication message, the first data packet by using the first security identifier of the at least one security identifier, and acquire a second data packet that carries the first security identifier, where the first The data packet is a data packet in the first service data stream;
- the transmitter 750 is configured to send the second data packet to a next node in the transmission path.
- the first node sends the number of the second data packet that has been sent to the controller, so that the controller determines that the first service data stream is attacked by the network during the transmission, and determines that the first security identifier is Attacked security identity;
- the receiver 740 is configured to receive, by the controller, a fourth indication message that is used to indicate that the data packet currently carrying the attack security identifier that is currently transmitted in the transmission path is discarded, and discard the current current according to the fourth indication message.
- the security identifier according to the number of data packets transmitted and received by the security identifier, it is determined that the transmission of the data stream is attacked by the network, and the data packet carrying the security identifier is discarded by the node in the indication transmission path, thereby realizing The attack packet is discarded in time, which can effectively reduce the occupation of the transmission resource by the attack packet and improve the utilization of the transmission resource.
- the number of attack packets arriving at the receiving end can also be effectively reduced, and the computing pressure of the receiving end can be reduced to some extent.
- the first service data flow is a header compressed data flow
- the at least one security identifier allocated by the controller for the first service data flow includes two or more security
- the first security identifier is a first security identifier, where the first indication message is specifically used to indicate that the first node preferentially uses the first security identifier to replace the first data packet;
- the processor 710 is specifically configured to: first use the first security identifier to replace the first data packet, and obtain the second data packet that carries the first security identifier.
- the first service data stream is a header compressed data stream
- the at least one security identifier allocated for the first service data stream includes two or more security identifiers
- the first indication message is specifically configured to indicate that the first security identifier is selected from the at least one security identifier according to a size of the currently processed first data packet.
- the processor 710 is specifically configured to: select the first security identifier from the at least one security identifier according to the size of the currently processed first data packet, and replace the first data packet with the first security identifier, and obtain the The second data packet of the first security identifier.
- the first indication message is further used to indicate that the node does not exceed the preset threshold by using the same security identifier to replace the first data packet.
- the processor 710 is further configured to: after receiving the second indication message, the receiver 740 does not use the attacked security identifier to process data in the first service data stream. package.
- the first node is an intermediate node in a transmission path of the second service data stream
- the processor 710 is further configured to: according to the third indication message sent by the controller, the received The data packet carrying the second security identifier is forwarded to the next node in the transmission path of the second service data stream, where the second security identifier is a security identifier assigned by the controller to the second service data stream, and the second identifier is carried.
- the data packet of the security identifier is obtained by replacing the data packet of the second service data stream by the first node in the transmission path of the second service data stream.
- the first node is a last node in a transmission path of the third service data stream
- the processor 710 is further configured to: according to the fourth indication message sent by the controller, the received The data packet carrying the third security identifier is processed into a corresponding data packet of the third service data stream, where the third security identifier is a security identifier allocated by the controller for the third service data stream, and the third security identifier is carried by the controller.
- Packet is the first node in the transmission path of the third service data stream Obtaining after the data packet of the third service data stream is replaced;
- the transmitter 750 is further configured to send, to the controller, the number of received data packets carrying the third security identifier, so that the controller determines that the third service data stream is subjected to a network attack during transmission.
- the embodiment of the present invention further provides a system 800 for data transmission, which includes a controller 400 provided by an embodiment of the present invention and a node 500 for data transmission provided by an embodiment of the present invention.
- the security identifier according to the number of data packets transmitted and received by the security identifier, it is determined that the transmission of the data stream is attacked by the network, and the data packet carrying the security identifier is discarded by the node in the indication transmission path, thereby realizing The attack packet is discarded in time, which can effectively reduce the occupation of the transmission resource by the attack packet and improve the utilization of the transmission resource.
- the number of attack packets arriving at the receiving end can also be effectively reduced, and the computing pressure of the receiving end can be reduced to some extent.
- the size of the sequence numbers of the above processes does not mean the order of execution, and the order of execution of each process should be determined by its function and internal logic, and should not be directed to the embodiments of the present invention.
- the implementation process constitutes any limitation.
- the disclosed systems, devices, and methods may be implemented in other manners.
- the device embodiments described above are merely illustrative.
- the division of the unit is only a logical function division.
- there may be another division manner for example, multiple units or components may be combined or Can be integrated into another system, or some features can be ignored or not executed.
- Another point that is shown or discussed between each other The coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
- the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
- each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
- the functions may be stored in a computer readable storage medium if implemented in the form of a software functional unit and sold or used as a standalone product.
- the technical solution of the present invention which is essential or contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium, including
- the instructions are used to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present invention.
- the foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like. .
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
本发明实施例提供一种数据传输的方法、装置和系统,该方法包括:为数据流分配至少一个安全标识;指示传输路径中首节点利用至少一个安全标识中的第一安全标识替换处理该数据流的第一数据包,获取携带第一安全标识的第二数据包,并向传输路径中下一节点发送第二数据包;指示传输路径中末节点将该第二数据包还原处理为对应的第一数据包;获取第二数据包的收发数量;根据该第二数据包的收发数量,确定该数据流在传输过程中遭到网络攻击,并确定第一安全标识为受攻击安全标识;指示传输路径中的节点丢弃携带该受攻击安全标识的数据包。本发明实施例能够有效减少攻击包对传输资源的占用,也能够减少到达接收端的攻击包的数量,降低接收端的计算负担。
Description
本发明实施例涉及通信领域,并且更具体地,涉及一种数据传输的方法、装置和系统。
数据流在传输过程中,容易受到网络攻击,例如攻击者用重放、伪造等攻击手段向网络中投放大量攻击包,一方面,攻击包的传输会损耗大量网络带宽,另一方面也会对接收端造成不利影响。例如在如图1所示的报头压缩的场景中,数据流在压缩端进行报头压缩,处理之后的压缩包在压缩端与解压缩端之间的传输路径中传输,最终到达解压端。如果在压缩包传输过程中遭到网络攻击,例如攻击者用重放、伪造等攻击手段向网络中投放大量攻击包,这些大量的攻击包会传输至解压端,导致解压端会损耗大量的计算资源用于解码这些攻击包,严重时会造成拒绝服务。
发明内容
本发明实施例提供一种数据传输的方法、装置和系统,能够及时发现数据流传输过程中存在网络攻击,并能够有效减少攻击包在网络中的传输。
第一方面,提供了一种数据传输的方法,该方法包括:
控制器为第一业务数据流分配至少一个安全标识;
具体地,该第一业务数据流指示第一业务对应的数据流,应理解,该第一业务指示通信传输中的任何业务,本发明实施例对此不作限定。该第一业务数据流的报头字段包括报头标识,具体地例如第一业务数据流的源IP地址、目的IP地址、源MAC地址、目的MAC地址,传输协议信息、传输控制协议(Transmission Control Protocol,简称为“TCP”)信息或用户数据报协议(User Datagram Protocol,简称为“UDP”)端口信息、或者该第一业务数据流的流ID等信息。应理解,该第一业务数据流的每个数据包都包括该第一业务的报头标识。
具体地,本发明实施例提出的安全标识为一种标识,具体形式可以是数字、字母等信号形式,用于对第一业务数据流的数据包X(对应第一数据包)
的报头作修改,例如在该数据包X的报头字段增加该安全标识,从而将该数据包X替换处理为携带该安全标识的第二数据包;或者将该数据包X的报头字段中的一个或多个报头标识替换为该安全标识,例如将数据包X的报头字段中的源IP地址替换为该安全标识,从而替换得到携带该安全标识的第二数据包。本发明实施例提及的安全标识不同于第一业务数据流的报头字段的报头标识。
该控制器向该第一业务数据流的传输路径中的首节点发送包括该至少一个安全标识的第一指示消息,该第一指示消息用于指示该首节点利用该至少一个安全标识中的第一安全标识替换处理第一数据包,获取携带该第一安全标识的第二数据包,并向该传输路径中的下一节点发送该第二数据包,其中,该第一数据包为该第一业务数据流中的数据包;
具体地,该控制器为该第一业务数据流配置传输路径,如图1所示的传输路径120,包括首节点和末节点,也可以包括中间节点。
该第一数据包指示该第一业务数据流中的数据包,即该第一数据包包括该第一业务数据流的报头标识。
可选地,在本发明实施例中,该第一指示消息用于指示首节点通过处理该第一数据包的报头标识,获取携带该第一安全标识的第二数据包,并将第一数据包替换为该第二数据包,将该第二数据包发送至传输路径中的下一节点。
具体地,例如,在第一数据包中增加填充有该第一安全标识的报头标识字段,从而将第一数据包替换处理为携带第一安全标识的第二数据包。或者,将第一数据包的某一个报头标识替换为该第一安全标识,例如将第一数据包的报头标识中的源IP地址替换为该第一安全标识,从而将第一数据包替换处理为携带第一安全标识的第二数据包。还可以采用其他手段对第一数据包的报头标识进行处理,最终将第一数据包替换处理为携带第一安全标识的第二数据包,本发明实施例对此不作限定。
该控制器向该传输路径中的中间节点发送用于指示将接收到的该第二数据包发送至该传输路径中的下一节点的第二指示消息,该控制器还向该传输路径中的末节点发送用于指示将接收到的该第二数据包还原处理为对应的该第一数据包的第三指示消息;
该控制器获取该第二数据包的收发数量,该收发数量指示该末节点接收
到的该第二数据包的个数和该首节点发送的该第二数据包的个数;
该控制器根据该第二数据包的收发数量,确定该第一业务数据流在传输过程中遭到网络攻击,并确定该第一安全标识为受攻击安全标识;
该控制器向该传输路径中的每个节点发送用于指示丢弃当前在该传输路径中传输的携带该受攻击安全标识的数据包的第四指示消息。
结合第一方面,在第一方面的一种可能的实现方式中,该第一业务数据流为报头压缩的数据流,该控制器为该第一业务数据流分配的该至少一个安全标识包括两个或两个以上的安全标识,且该第一安全标识为首用安全标识,其中,该第一指示消息具体用于指示该首节点优先利用该首用安全标识替换处理该第一数据包。
结合第一方面和上述可能的实现方式,在第一方面的另一种可能的实现方式中,该方法还包括:
该控制器根据携带该首用安全标识的数据包的收发数量,确定所述第一业务数据流在传输过程中遭到流量分析攻击。
结合第一方面和上述可能的实现方式,在第一方面的另一种可能的实现方式中,该第一业务数据流为报头压缩的数据流,为该第一业务数据流分配的该至少一个安全标识包括两个或两个以上的安全标识,其中,该第一指示消息具体用于指示该首节点根据当前处理的第一数据包的大小,从该至少一个安全标识中选择该第一安全标识,以替换处理该第一数据包。
结合第一方面和上述可能的实现方式,在第一方面的另一种可能的实现方式中,该第一指示消息还用于指示该首节点,利用同一个安全标识替换处理该第一数据包的数量不超过预设阈值。
结合第一方面和上述可能的实现方式,在第一方面的另一种可能的实现方式中,在确定该第一业务数据流在传输过程中遭到网络攻击的情况下,该方法还包括:
该控制器向该首节点发送用于指示不再利用该受攻击安全标识替换处理该第一数据包的第五指示消息。
结合第一方面和上述可能的实现方式,在第一方面的另一种可能的实现方式中,在确定该第一业务数据流在传输过程中遭到网络攻击之后,该方法还包括:
该控制器获取该传输路径中每两个相邻节点中后一节点接收的该第二
数据包的个数与前一节点发送的该第二数据包的个数;
该控制器根据获取的该后一节点接收的该第二数据包的个数与该前一节点发送的该第二数据包的个数,确定该传输路径中相邻的第一节点与第二节点之间的路径为受攻击路径;
该控制器为该第一业务数据流分配替代传输路径,该替代传输路径不包括该受攻击路径。
结合第一方面和上述可能的实现方式,在第一方面的另一种可能的实现方式中,该控制器获取该第二数据包的收发数量,包括:
该控制器根据预设定时器,获取该第二数据包的收发数量。
结合第一方面和上述可能的实现方式,在第一方面的另一种可能的实现方式中,该方法还包括:
当该控制器检测到该第一业务数据流的流删除事件时,释放为该第一业务数据流分配的安全标识。
第二方面提供了一种数据传输的方法,该方法包括:
第一节点接收控制器发送的第一指示消息,该第一指示消息包括该控制器为第一业务数据流分配的至少一个安全标识,该第一节点为该第一业务数据流的传输路径中的首节点;
该第一节点根据该第一指示消息,利用该至少一个安全标识中的第一安全标识替换处理第一数据包,获取携带该第一安全标识的第二数据包,其中,该第一数据包为该第一业务数据流中的数据包;
该第一节点向该传输路径中的下一节点发送该第二数据包;
该第一节点向该控制器发送已经发送的该第二数据包的个数,以便于该控制器确定该第一业务数据流在传输过程中遭到网络攻击,并确定该第一安全标识为受攻击安全标识;
该第一节点接收该控制器发送的用于指示丢弃当前在该传输路径中传输的携带该受攻击安全标识的数据包的第四指示消息,并根据该第四指示消息,丢弃当前在该传输路径中传输的携带该受攻击安全标识的数据包。
结合第二方面,在第二方面的一种可能的实现方式中,该第一业务数据流为报头压缩的数据流,该控制器为该第一业务数据流分配的该至少一个安全标识包括两个或两个以上的安全标识,且该第一安全标识为首用安全标识,其中,该第一指示消息具体用于指示该首节点优先利用该首用安全标识
替换处理该第一数据包;
该第一节点根据该第一指示消息,利用该至少一个安全标识中的第一安全标识替换处理第一数据包,获取携带该第一安全标识的第二数据包,包括:
该第一节点优先利用该第一安全标识替换处理第一数据包,获取携带该第一安全标识的第二数据包。
结合第二方面和上述可能的实现方式,在第二方面的另一种可能的实现方式中,该第一业务数据流为报头压缩的数据流,为该第一业务数据流分配的该至少一个安全标识包括两个或两个以上的安全标识,其中,该第一指示消息具体用于指示根据当前处理的第一数据包的大小,从该至少一个安全标识中选择该第一安全标识;
该第一节点根据该第一指示消息,利用该至少一个安全标识中的第一安全标识替换处理第一数据包,获取携带该第一安全标识的第二数据包,包括:
该第一节点根据当前处理的第一数据包的大小,从该至少一个安全标识中选择该第一安全标识,并利用该第一安全标识替换处理该第一数据包,获取携带该第一安全标识的第二数据包。
结合第二方面和上述可能的实现方式,在第二方面的另一种可能的实现方式中,该第一指示消息还用于指示该第一节点,利用同一个安全标识替换处理该第一数据包的数量不超过预设阈值。
结合第二方面和上述可能的实现方式,在第二方面的另一种可能的实现方式中,在接收到该第二指示消息之后,该方法还包括:
该第一节点不再利用该受攻击安全标识处理该第一业务数据流中的数据包。
结合第二方面和上述可能的实现方式,在第二方面的另一种可能的实现方式中,该第一节点为第二业务数据流的传输路径中的中间节点,该方法还包括:
该第一节点根据控制器发送的第三指示消息,将接收到的携带第二安全标识的数据包转发至该第二业务数据流的传输路径中的下一节点,其中第二安全标识为该控制器为该第二业务数据流分配的安全标识,该携带第二安全标识的数据包为该第二业务数据流的传输路径中的首节点对该第二业务数据流的数据包进行替换处理后得到的。
结合第二方面和上述可能的实现方式,在第二方面的另一种可能的实现
方式中,该第一节点为第三业务数据流的传输路径中的末节点,该方法还包括:
该第一节点根据控制器发送的第四指示消息,将接收到的携带第三安全标识的数据包还原处理为对应的该第三业务数据流的数据包,其中第三安全标识为该控制器为该第三业务数据流分配的安全标识,该携带第三安全标识的数据包为该第三业务数据流的传输路径中的首节点对该第三业务数据流的数据包进行替换处理后得到的;
该第一节点向该控制器发送接收到的携带该第三安全标识的数据包的个数,以便于该控制器确定该第三业务数据流在传输过程中遭到网络攻击。
第三方面提供了一种控制器,该控制器包括:
分配模块,用于为第一业务数据流分配至少一个安全标识;
发送模块,用于向该第一业务数据流的传输路径中的首节点发送包括该分配模块分配的至少一个安全标识的第一指示消息,该第一指示消息用于指示该首节点利用该至少一个安全标识中的第一安全标识替换处理第一数据包,获取携带该第一安全标识的第二数据包,并向该传输路径中的下一节点发送该第二数据包,其中,该第一数据包为该第一业务数据流中的数据包;
该发送模块还用于,向该传输路径中的中间节点发送用于指示将接收到的该第二数据包发送至该传输路径中的下一节点的第二指示消息,该发送模块还用于,向该传输路径中的末节点发送用于指示将接收到的该第二数据包还原处理为对应的该第一数据包的第三指示消息;
获取模块,用于获取该第二数据包的收发数量,该收发数量指示该末节点接收到的该第二数据包的个数和该首节点发送的该第二数据包的个数;
第一确定模块用于,根据该获取模块获取的第二数据包的收发数量,确定该第一业务数据流在传输过程中遭到网络攻击,并确定该第一安全标识为受攻击安全标识;
该发送模块还用于,向该传输路径中的每个节点发送用于指示丢弃当前在该传输路径中传输的携带该第一确定模块确定的受攻击安全标识的数据包的第四指示消息。
结合第三方面,在第三方面的一种可能的实现方式中,该第一业务数据流为报头压缩的数据流,该分配模块为该第一业务数据流分配的该至少一个安全标识包括两个或两个以上的安全标识,且该第一安全标识为首用安全标
识,其中,该发送模块发送的该第一指示消息具体用于指示该首节点优先利用该首用安全标识替换处理该第一数据包。
结合第三方面和上述可能的实现方式,在第三方面的另一种可能的实现方式中,该控制器还包括:
第二确定模块,用于根据携带该首用安全标识的数据包的收发数量,确定所述第一业务数据流在传输过程中遭到流量分析攻击。
结合第三方面和上述可能的实现方式,在第三方面的另一种可能的实现方式中,该第一业务数据流为报头压缩的数据流,该分配模块为该第一业务数据流分配的该至少一个安全标识包括两个或两个以上的安全标识,其中,该发送模块发送的该第一指示消息具体用于指示该首节点根据当前处理的第一数据包的大小,从该至少一个安全标识中选择该第一安全标识,以替换处理该第一数据包。
结合第三方面和上述可能的实现方式,在第三方面的另一种可能的实现方式中,该发送模块发送的该第一指示消息还用于指示该首节点,利用同一个安全标识替换处理该第一数据包的数量不超过预设阈值。
结合第三方面和上述可能的实现方式,在第三方面的另一种可能的实现方式中,该发送模块还用于,在该第一确定模块确定该第一业务数据流在传输过程中遭到网络攻击的情况下,向该首节点发送用于指示不再利用该受攻击安全标识替换处理该第一数据包的第五指示消息。
结合第三方面和上述可能的实现方式,在第三方面的另一种可能的实现方式中,该获取模块还用于,在该第一确定模块确定该第一业务数据流在传输过程中遭到网络攻击之后,获取该传输路径中每两个相邻节点中后一节点接收的该第二数据包的个数与前一节点发送的该第二数据包的个数;
该控制器还包括:
第三确定模块,用于根据该获取模块获取的该后一节点接收的该第二数据包的个数与该前一节点发送的该第二数据包的个数,确定该传输路径中相邻的第一节点与第二节点之间的路径为受攻击路径;
该分配模块还用于,为该第一业务数据流分配替代传输路径,该替代传输路径不包括该受攻击路径。
结合第三方面和上述可能的实现方式,在第三方面的另一种可能的实现方式中,该控制器还包括:
释放模块,用于当检测到该第一业务数据流的流删除事件时,释放为该第一业务数据流分配的安全标识。
第四方面提供了一种数据传输的节点,该节点包括:
接收模块,用于接收控制器发送的第一指示消息,该第一指示消息包括该控制器为第一业务数据流分配的至少一个安全标识,该节点为该第一业务数据流的传输路径中的首节点;
替换模块,用于根据该接收模块接收的该第一指示消息,利用该至少一个安全标识中的第一安全标识替换处理第一数据包,获取携带该第一安全标识的第二数据包,其中,该第一数据包为该第一业务数据流中的数据包;
发送模块,用于向该传输路径中的下一节点发送该替换模块获取的该第二数据包;
该发送模块还用于,向该控制器发送已经发送的该第二数据包的个数,以便于该控制器确定该第一业务数据流在传输过程中遭到网络攻击,并确定该第一安全标识为受攻击安全标识;
该接收模块还用于,接收该控制器发送的用于指示丢弃当前在该传输路径中传输的携带该受攻击安全标识的数据包的第四指示消息,并根据该第四指示消息,丢弃当前在该传输路径中传输的携带该受攻击安全标识的数据包。
结合第四方面,在第四方面的一种可能的实现方式中,该第一业务数据流为报头压缩的数据流,该控制器为该第一业务数据流分配的该至少一个安全标识包括两个或两个以上的安全标识,且该第一安全标识为首用安全标识,其中,该接收模块接收的该第一指示消息具体用于指示该首节点优先利用该首用安全标识替换处理该第一数据包;
该替换模块具体用于,优先利用该第一安全标识替换处理第一数据包,获取携带该第一安全标识的第二数据包。
结合第四方面和上述可能的实现方式,在第四方面的另一种可能的实现方式中,该第一业务数据流为报头压缩的数据流,为该第一业务数据流分配的该至少一个安全标识包括两个或两个以上的安全标识,其中,该接收模块接收的该第一指示消息具体用于指示根据当前处理的第一数据包的大小,从该至少一个安全标识中选择该第一安全标识;
该替换模块具体用于,根据当前处理的第一数据包的大小,从该至少一
个安全标识中选择该第一安全标识,并利用该第一安全标识替换处理该第一数据包,获取携带该第一安全标识的第二数据包。
结合第四方面和上述可能的实现方式,在第四方面的另一种可能的实现方式中,该第一指示消息还用于指示该节点,利用同一个安全标识替换处理该第一数据包的数量不超过预设阈值。
结合第四方面和上述可能的实现方式,在第四方面的另一种可能的实现方式中,该替换模块还用于,在该接收模块接收到该第二指示消息后,不再利用该第一安全标识替换处理该第一业务数据流中的数据包。
结合第四方面和上述可能的实现方式,在第四方面的另一种可能的实现方式中,该节点为第二业务数据流的传输路径中的中间节点,该节点还包括:
转发模块,用于根据控制器发送的第三指示消息,将接收到的携带第二安全标识的数据包转发至该第二业务数据流的传输路径中的下一节点,其中第二安全标识为该控制器为该第二业务数据流分配的安全标识,该携带第二安全标识的数据包为该第二业务数据流的传输路径中的首节点对该第二业务数据流的数据包进行替换处理后得到的。
结合第四方面和上述可能的实现方式,在第四方面的另一种可能的实现方式中,该节点为第三业务数据流的传输路径中的末节点,该节点还包括:
还原模块,用于根据控制器发送的第四指示消息,将接收到的携带第三安全标识的数据包还原处理为对应的该第三业务数据流的数据包,其中第三安全标识为该控制器为该第三业务数据流分配的安全标识,该携带第三安全标识的数据包为该第三业务数据流的传输路径中的首节点对该第三业务数据流的数据包进行替换处理后得到的;
该发送模块还用于,向该控制器发送接收到的携带该第三安全标识的数据包的个数,以便于该控制器确定该第三业务数据流在传输过程中遭到网络攻击。
第五方面提供了一种数据传输的系统,该系统包括第三方面提供的控制器和第四方面提供的节点。
基于上述技术方案,在本发明实施例中,根据携带安全标识的数据包的收发数量,确定数据流的传输遭到网络攻击,并通过指示传输路径中的节点将携带该安全标识的数据包丢弃,能够实现及时丢弃攻击包,从而能够有效减少攻击包对传输资源的占用,提高传输资源的利用率,同时也能够减少到
达接收端的攻击包的数量,以降低接收端的计算负担。
为了更清楚地说明本发明实施例的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动性的前提下,还可以根据这些附图获得其他的附图。
图1示出了本发明实施例的应用场景的示意图。
图2示出了根据本发明实施例提供的数据传输的方法的示意性流程图。
图3示出了根据本发明实施例提供的数据传输的方法的另一示意性流程图。
图4示出了根据本发明实施例提供的控制器的示意性框图。
图5示出了根据本发明实施例提供的节点的示意性框图。
图6示出了根据本发明另一实施例提供的控制器的示意性框图。
图7示出了根据本发明另一实施例提供的节点的示意性框图。
图8示出了根据本发明实施例提供的数据传输的系统的示意性框图。
下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行描述,显然,所描述的实施例是本发明一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有作出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。
本发明实施例中涉及的网络攻击指的是,攻击者用重放、伪造等攻击手段向网络中投放大量攻击包。应理解,本文中提及的攻击包指的是,攻击者在网络中重放或伪造的数据包,具体地,例如,在图1所示场景中,假设攻击者位于首节点121与中间节点122之间,首节点121向中间节点122发送一个数据包X,则该攻击者根据该数据包X重放或者伪造的数据包称之为攻击包。
为了便于理解本发明实施例提供的数据传输的方法、装置和系统,下面结合图1首先描述一下本发明实施例的应用场景。如图1所示,压缩端110发出的数据流,要经过包括首节点121、中间节点122和末节点123的传输
路径120达到解压端130,其中该传输路径120中的各个节点在控制器140的控制下,传输压缩端110发出的数据流。应理解,为了便于理解和描述,图1只示出一个中间节点,图1所示的中间节点122指示任一个位于首节点121与末节点123之间的节点。
具体地,图1中的控制器140例如为集中管控网络中的控制器。
应理解,集中管控网络是一种网络组成形式,集中管控网络中的每个组件(例如图1中的各个节点)均受同一个控制器(例如图1中的控制器140)控制,从而使网络管理变得灵活和高效。
应理解,图1仅为示例而非限定,例如压缩端110还可以为通常的发送端,对应的,解压端130为接收端,本发明实施例提供的数据传输的方法、装置和系统并不局限于压缩、解压缩的场景。
图2示出了根据本发明实施例提供的一种数据传输的方法200的示意性流程图,该方法例如由图1所示的控制器140执行,该方法200包括:
S210,控制器为第一业务数据流分配至少一个安全标识;
具体地,例如该第一业务数据流为报头压缩的数据流。
S220,该控制器向该第一业务数据流的传输路径中的首节点发送包括该至少一个安全标识的第一指示消息,该第一指示消息用于指示该首节点利用该至少一个安全标识中的第一安全标识替换处理第一数据包,获取携带该第一安全标识的第二数据包,并向该传输路径中的下一节点发送该第二数据包,其中,该第一数据包为该第一业务数据流中的数据包;
应理解,该第一数据包指的是第一业务数据流中的数据包。首节点处理第一数据包,指的是,该首节点当前获取到该第一业务数据流的一个第一数据包,并替换处理该当前获取的该第一数据包,后续会继续获取该第一业务数据流的下一个第一数据包,进行替换处理,以此类推。第二数据包指的是根据第一数据包获取的携带第一安全标识的数据包。第一业务数据流的传输路径包括首节点、中间节点和末节点,具体如图1中所示的传输路径120。
具体地,在图1所示的场景中,控制器140向首节点121发送第一指示消息,该首节点121将当前获取到的第一数据包替换处理为携带该第一安全标识的第二数据包。
可选地,在本发明实施例中,该第一指示消息用于指示首节点通过处理该第一数据包的报头标识,获取携带该第一安全标识的第二数据包,并将第
一数据包替换为该第二数据包,将该第二数据包发送至传输路径中的下一节点。
具体地,例如,在第一数据包中增加填充有该第一安全标识的报头标识字段,从而将第一数据包替换处理为携带第一安全标识的第二数据包。或者,将第一数据包的某一个报头标识替换为该第一安全标识,例如将第一数据包的报头标识中的源IP地址替换为该第一安全标识,从而将第一数据包替换处理为携带第一安全标识的第二数据包。还可以采用其他手段对第一数据包的报头标识进行处理,最终将第一数据包替换处理为携带第一安全标识的第二数据包,本发明实施例对此不作限定。
可选地,在本发明实施例中,控制器向首节点发送的该第一指示消息包括第一业务数据流的报头标识、该至少一个安全标识和该传输路径中下一节点的标识。
具体地,第一业务数据流的报头标识包括但不限定于,该第一业务数据流的源IP地址、目的IP地址、源MAC地址、目的MAC地址,传输协议、传输控制协议(Transmission Control Protocol,简称为“TCP”)或用户数据报协议(User Datagram Protocol,简称为“UDP”)端口、或者该第一业务数据流的流ID等信息。
应理解,该传输路径中下一节点的标识指的是在第一业务数据流的传输路径中,该首节点的下一节点的标识。
S230,该控制器向该传输路径中的中间节点发送用于指示将接收到的该第二数据包发送至该传输路径中的下一节点的第二指示消息,该控制器还向该传输路径中的末节点发送用于指示将接收到的该第二数据包还原处理为对应的该第一数据包的第三指示消息;
可选地,在本发明实施例中,控制器向中间节点发送的该第二指示消息包括该至少一个安全标识和该传输路径中下一节点的标识。
具体地,例如中间节点接收到一个数据包A,先判断该数据包是否携带该至少一个安全标识,例如确定该数据包A中携带了该第一安全标识(即该传输路径的首节点对第一业务数据流的数据包作替换处理后所发送的数据包),则根据下一节点的标识,将该数据包A转发至下一节点。
应理解,上面例子中的数据包A对应于本发明实施例中的第二数据包。
可选地,在本发明实施例中,控制器向末节点发送的该第三指示消息包
括该第一业务数据流的报头标识和该至少一个安全标识。
具体地,例如末节点接收到一个数据包A,先判断该数据包是否携带该至少一个安全标识,例如确定该数据包A中携带了该第一安全标识(即该传输路径的首节点对第一业务数据流的数据包作替换处理后所发送的数据包),然后根据该第一业务数据流的报头标识,对该数据包A作还原处理,假设首节点是将第一数据包的报头标识中的源IP地址替换为该第一安全标识得到该数据包A的,则末节点采用相反的手段,将数据包A的报头标识中的第一安全标识还原为该第一业务数据流的源IP地址,从而还原得到数据包A对应的第一数据包。
S240,该控制器获取该第二数据包的收发数量,该收发数量指示该末节点接收到的该第二数据包的个数和该首节点发送的该第二数据包的个数;
具体地,该第二数据包的收发数量也可指示首节点采用第一安全标识替换处理第一数据包的次数和末节点还原处理第二数据包的次数。
可选地,在本发明实施例中,S240该控制器获取该第二数据包的收发数量,包括:
该控制器根据预设定时器,获取该第二数据包的收发数量。
具体地,例如,控制器从开始向首节点发送第一指示消息时,就启动预设定时器,当该预设定时器超时时,统计该第二数据包的收发数量。控制器可以通知首节点上报在该预设定时器的定时时段内所发送的携带第一安全标识的第二数据包的个数,控制器也可以通知末节点上报在该预设定时器的定时时段内所接收的携带该第一安全标识的第二数据包的个数。
S250,该控制器根据该第二数据包的收发数量,确定该第一业务数据流在传输过程中遭到网络攻击,并确定该第一安全标识为受攻击安全标识;
具体地,例如当控制器确定末节点接收的第二数据包的个数减去首节点发送的第二数据包的个数的差值超过预设阈值时,确定该第一业务数据流在传输过程中遭到网络攻击,具体地,携带该第一安全标识的第二数据包遭到网络攻击,例如被攻击者重放或伪造。
应理解,控制器也可以统计末节点接收的第二数据包的个数与首节点发送的第二数据包的个数的比值,来判断数据流的传输是否遭到网络攻击,或者对该第二数据包的收发数量进行其他方式的计算,来判断数据流的传输是否遭到网络攻击,本发明实施例对此不作限定。
具体地,当根据该第二数据包的收发数量,确定该第一业务数据流在传输过程中遭到网络攻击时,控制器将该第一安全标识标记为受攻击安全标识。
S260,该控制器向该传输路径中的每个节点发送用于指示丢弃当前在该传输路径中传输的携带该受攻击安全标识的数据包的第四指示消息。
因此,在本发明实施例中,根据携带安全标识的数据包的收发数量,确定数据流的传输遭到网络攻击,并通过指示传输路径中的节点将携带该安全标识的数据包丢弃,能够实现及时丢弃攻击包,从而能够有效减少攻击包对传输资源的占用,提高传输资源的利用率。
此外,在本发明实施例中,也能够有效减少攻击包到达接收端的数量,能够在一定程度上减轻接收端的计算压力。
可选地,在本发明实施例中,在确定该第一业务数据流在传输过程中遭到网络攻击的情况下,该方法200还包括:
该控制器向该首节点发送用于指示不再利用该受攻击安全标识替换处理该第一数据包的第五指示消息。
可选地,在本发明实施例中,在指示首节点不再利用该受攻击安全标识替换处理该第一数据包之后,该方法200还包括:
控制器为第一业务数据流重新分配新的安全标识,并指示该首节点利用该新安全标识替换处理该第一业务数据流的后续第一数据包,还指示中间节点将接收到的携带该新安全标识的数据包转发至下一节点,还指示末节点将接收到的携带该新安全标识的数据包还原处理为对应的第一数据包。
应理解,通过指示首节点更换替换处理所使用的安全标识,能够一定程度上提高对网络攻击的抵抗力度。
可选地,首节点在获知第一安全标识为受攻击安全标识之后,也可以从控制器为该第一业务数据流分配的多个安全标识中重新选择一个不同于第一安全标识的安全标识,来替换处理该第一业务数据流的后续第一数据包。
本发明实施例的数据传输的方法可以应用于将报头压缩与集中管控网络结合在一起实现报头压缩的端到端传输的场景。
应理解,报头压缩是一种有效提高带宽利用率的方法。在同一数据流的数据包报头中,有一些信息几乎不变或可以推测出来。报头压缩正是利用数据流的这种特性,通过协商机制在传输数据包时不再传输这些信息,从而节
约了带宽。但是,由于压缩后的报头中不含节点路由所需要的信息,因此各路由节点都需要对压缩包进行解压缩和再压缩处理,这造成了计算资源的消耗和传输时延的增加。集中管控网络是一种网络组成形式,该种网络的每个组件均受同一个控制器控制,从而使网络管理变得灵活和高效。目前,已经有研究人员提出将报头压缩与集中管控网络结合在一起,从而实现报头压缩的端到端传输。
高效率的报头压缩以压缩端和解压端之间的上下文同步为前提,这就需要实现压缩包的准确无误传输。当存在网络攻击时,极有可能造成压缩包报头的错误解压缩,从而使压缩效率大幅下降。因此,研究人员设计了多种机制来提高报头压缩机制的健壮性。
健壮性报头压缩(Robust Header Compression,简称为“ROHC”)是目前健壮性最好的报头压缩机制之一。在ROHC中,压缩端使用基于窗口的最低有效位(Window-based Least Significant Bits,简称为“W-LSB”)编码原报头中的序列号(Sequence Number,简称为“SN”)字段,解压端再进行解码。之所以如此重视SN字段,是因为ROHC对报头中的不同动态域使用不同的压缩算法,但都是关于SN的函数。此外,SN字段还可以用于剔除重复的数据包,避免上下文的破坏。
为避免因网络攻击造成上下文破坏及差错扩散,ROHC使用了循环冗余检查(Cyclic Redundancy Check,简称为“CRC”)校验。压缩端对原报头进行CRC校验,并将结果填入压缩报头的CRC域中,解压端收到压缩包后先解压缩报头,再对解压后的报头进行CRC校验,将校验的结果与压缩报头中的CRC域作比较,若相同,表明解压无误,否则解压错误。
压缩端生成的压缩包经过例如图1所示的传输路径到达解压端,当压缩包在传输过程中遭到网络攻击,例如攻击者用重放、伪造等攻击手段向网络中投放大量攻击包,这些攻击包会传输至解压端,解压端收到压缩包后先解压缩报头,再对解压后的报头进行CRC校验,将校验的结果与压缩报头中的CRC域作比较,解压端对接收到的每个压缩包都要进行上述解压缩计算操作,包括对攻击包的解压缩计算操作,这样,会损耗解压端大量的计算资源,严重时会造成拒绝服务。
根据本发明实施例提供的数据传输的方法进行报头压缩的端到端传输,能够及时发现数据传输过程中存在网络攻击,并能够在一定程度上减少攻击
包在网络中的传输,一方面降低攻击包对传输资源的占用,另一方面,有效减少到达解压端的攻击包的数量,能够降低解压端的计算负担。
可选地,在本发明实施例中,在S240中,控制器在确定接收端连续错误解压缩的次数超过预设阈值时,获取该第二数据包的收发数量。
具体地,接收端指的是与末节点通信连接的设备端,例如为解压端。当解压端连续错误解压缩该第一业务数据流的压缩包的数量大于预设阈值时,向控制器上报指示消息,例如上报该第一业务数据流的报头标识,控制器根据该指示消息,统计携带第一安全标识的数据包的收发数量。
RFC5858指出,报头压缩机制的使用会增加压缩包在传输过程中遭到流量分析攻击的风险,这是因为报头压缩机制建立上下文时的压缩效率较低,生成的压缩包较大,而上下文建立好后压缩效率提高,对应生成的压缩包小。这样,压缩包组成的数据流就表现出先是一组大包,然后变为小包的特性。网络攻击者根据报头压缩的这种先大包后小包的传输特性,对数据传输的攻击称之为流量分析攻击。当前技术,很难有效地发现或者预防流量分析攻击这种攻击方式。
可选地,在本发明实施例中,该第一业务数据流为报头压缩的数据流,该控制器为该第一业务数据流分配的该至少一个安全标识包括两个或两个以上的安全标识,且该第一安全标识为首用安全标识,其中,该第一指示消息具体用于指示该首节点优先利用该首用安全标识替换处理该第一数据包。
在本发明实施例中,为第一业务数据流分配的至少一个安全标识包括多个安全标识,例如分配3个安全标识,其中,3个安全标识中的第一安全标识为首用安全标识,即指示首节点优先使用的安全标识。
例如,首节点获取到第一业务数据流的第一个第一数据包A1时,利用该至少一个安全标识中的首用安全标识替换处理该第一数据包A1,得到第一个携带第一安全标识的第二数据包B1,将该第二数据包B1发送至下一节点。当首节点获取到第一业务数据流的第二个第一数据包A2时,可以继续利用该首用安全标识替换处理该第一数据包A2,得到第二个携带第一安全标识的第二数据包B2,将该第二数据包B2发送至下一节点;也可以利用至少一个安全标识中的除了首用安全标识之外的另外一个安全标识替换处理第二个第一数据包A2,得到对应的第二数据包,也就是说,当控制器为第一业务数据流分配多个安全标识时,首节点可以更换用于替换处理第一业务
数据流的数据包的安全标识,更换的方式和更换的频率,本发明实施例对此均不作限定。
应理解,在本发明实施例中,控制器为第一业务数据流(例如报头压缩的数据流)分配的首用安全标识,从而使得首节点根据该首用安全标识去替换处理第一业务数据流的第一个数据包或者最前面的几个数据包,这样有利于控制器监控第一业务数据流的首个数据包或者最前面的几个数据包的传输情况,有利于发现流量分析攻击这种攻击方式。
可选地,在本发明实施例中,该方法200还包括:
S270,该控制器根据携带该首用安全标识的数据包的收发数量,确定所述第一业务数据流在传输过程中遭到流量分析攻击。
具体地,例如,当控制器确定末节点接收到的携带首用安全标识的数据包的个数与首节点发送的携带首用安全标识的数据包的个数的差值超过预设阈值,可以认为该第一业务数据流在传输过程中遭到流量分析攻击。
应理解,在本发明实施例中,控制器也可以通过统计多个不同数据流的首用安全标识的受攻击情况,来分析网络中是否存在流量分析攻击。例如,控制器统计在预设时间段内,受攻击的首用安全标识的数量在受攻击的所有安全标识的数量中的比例,当该比例超过预设阈值时,可以认为网络中存在流量分析攻击。
具体地,网络中同时会传输多个不同业务数据流,对应地,控制器分别为每个业务数据流分配多个安全标识,例如,为第一业务数据流分配包括首用安全标识的3个安全标识,为第二业务数据流分配包括首用安全标识的5个安全标识,…,为第N业务数据流分配包括首用安全标识的M个安全标识。对于每个业务数据流的传输,采用S210至S260的步骤,例如确定了N1个受攻击的安全标识(即根据携带这些安全标识的数据包的收发数量能够确定存在网络攻击),其中,这N1个安全标识中有N2个是首用安全标识。当确定比值N2/N1超过预设阈值时,可以认为网络中存在流量分析攻击。
因此,在本发明实施例中,通过为数据流分配首用安全标识,根据携带该首用安全标识的数据包的收发数量,能够有效发现流量分析攻击,从而有助于后续制定解决方案。
可选地,在本发明实施例中,当控制器为第一业务数据流分配多个安全标识时,首节点可以更换用于替换处理第一业务数据流的数据包的安全标
识,控制器可以定义更换安全标识的方式和频率。
可选地,在本发明实施例中,该第一业务数据流为报头压缩的数据流,为该第一业务数据流分配的该至少一个安全标识包括两个或两个以上的安全标识,其中,该第一指示消息具体用于指示该首节点根据当前处理的第一数据包的大小,从该至少一个安全标识中选择该第一安全标识,以替换处理该第一数据包。
具体地,例如,控制器向首节点发送的第一指示消息中包括预设阈值,用于指示首节点,当当前处理的第一业务数据流的一个数据包的尺寸与上一个处理的第一业务数据流的数据包的尺寸之差超过该预设阈值时,采用不同于上一个利用的安全标识的安全标识替换处理当前的数据包。
再例如,控制器向首节点发送的第一指示消息中包括用于指示数据包尺寸范围的预设阈值,用于指示该首节点,当当前处理的第一业务数据流的一个数据包(记为数据包A1)的尺寸小于该预设阈值时,从控制器为该第一业务数据流的多个安全标识中选择一个安全标识(记为安全标识①)处理该数据包A1,当下一个处理的第一业务数据流的一个数据包(记为数据包A2)的尺寸大于该预设阈值时,从控制器为该第一业务数据流的多个安全标识中选择另外一个安全标识(记为安全标识②,不同于安全标识①)处理该数据包A2。
应理解,在本发明实施例中,根据当前处理的第一数据包的大小,选择用于替换处理该第一数据包的安全标识,能够有效预防流量分析攻击。
可选地,在本发明实施例中,该第一指示消息还用于指示该首节点,利用同一个安全标识替换处理该第一数据包的数量不超过预设阈值。
具体地,例如,当首节点利用同一个安全标识替换处理的第一数据包的数量超过控制器所指示的预设阈值时,更换不同的安全标识替换处理后续的第一数据包。
可选地,在本发明实施例中,在确定该第一业务数据流在传输过程中遭到网络攻击之后,该方法200还包括:
1)该控制器获取该传输路径中每两个相邻节点中后一节点接收的该第二数据包的个数与前一节点发送的该第二数据包的个数;
2)该控制器根据获取的该后一节点接收的该第二数据包的个数与该前一节点发送的该第二数据包的个数,确定该传输路径中相邻的第一节点与第
二节点之间的路径为受攻击路径;
3)该控制器为该第一业务数据流分配替代传输路径,该替代传输路径不包括该受攻击路径。
具体地,例如在图1所示的场景中,通过统计该传输路径120中每两个相邻节点中后一节点接收的该第二数据包的个数与前一节点发送的该第二数据包的个数,发现中间节点122接收的该第二数据包的个数减去首节点121发送的该第二数据包的个数之差最大,则确定首节点121与中间节点122之间的路径为受攻击路径。控制器重新为第一业务数据流分配替代传输路径,该替代传输路径不包括受攻击路径(首节点121—中间节点122)。
因此,在本发明实施例中,通过为业务数据流分配多个安全标识,并指示首节点在利用安全标识替换处理业务数据流的数据包时,更换安全标识,这样能够在一定程度上抵抗网络攻击。
可选地,在本发明实施例中,在S210控制器为第一业务数据流分配至少一个安全标识之前,还包括:
控制器预先创建安全标识状态表,例如但不限定于表1所示的形式:
表1
安全标识 | 状态 | 数据流的报头标识 | 数据流的传输路径 |
安全标识#1 | |||
安全标识#2 | |||
… | |||
安全标识#N |
其中,安全标识的状态包括:未被占用、被占用、被攻击和被首用四种类型。其中,安全标识的状态为未被占用指的是该安全标识还未分配给某个数据流;安全标识的状态为被占用指的是该安全标识已经分配给确定的数据流;安全标识的状态为被攻击指的是该安全标识已经分配给确定的数据流,且携带该安全标识的数据包遭到网络攻击,例如被重放或者被伪造,该安全标识可以称之为受攻击安全标识;安全标识的状态为被首用指的是,该安全标识已经分配给确定的数据流,且该安全标识优先用于处理该数据流。数据流的报头标识包括但不限定于,该数据流的源IP地址、目的IP地址、源MAC地址、目的MAC地址,传输协议、传输控制协议(Transmission Control Protocol,简称为“TCP”)或用户数据报协议(User Datagram Protocol,简
称为“UDP”)端口、或者该数据流的流ID等信息。安全标识的传输路径包括首节点和末节点,或者还包括中间节点。
可选地,在本发明实施例中,S210控制器为第一业务数据流分配至少一个安全标识,包括:
获取该第一业务数据流;
具体地,获取该第一业务数据流的报头标识。例如在图1所示场景中,当首节点接收到发送端发送的第一业务数据流的第一个数据包时,向该控制器上报该第一业务数据流的报头标识。
根据预设的安全标识状态表为该第一业务数据流分配至少一个安全标识。
具体地,根据如表1所示的安全标识状态表中的状态为未被占用的安全标识,为该第一业务数据流分配至少一个安全标识,例如为该第一业务数据流分配安全标识#1、安全标识#2和安全标识#3,应理解,分配之后,该至少一个安全标识的状态更新为被占用。还应理解,控制器为第一业务数据流分配该至少一个安全标识之后,该至少一个安全标识与该第一业务数据流的报头标识、该第一业务数据流的传输路径之间具有对应关系。
可选地,在本发明实施例中,该方法200还包括:
当该控制器检测到该第一业务数据流的流删除事件时,释放为该第一业务数据流分配的安全标识。
应理解,一个数据流的流删除事件指的是,该数据流在网络中的传输终止。
具体地,当控制器检测到第一业务数据流的流删除事件时,释放为该第一业务数据流分配的安全标识,并将如1所示的安全标识状态表中的为该第一业务数据流分配的安全标识(例如安全标识#1、#2和#3)标记为未被占用。
综上所述,在本发明实施例中,根据携带安全标识的数据包的收发数量,确定数据流的传输遭到网络攻击,并通过指示传输路径中的节点将携带该安全标识的数据包丢弃,能够实现及时丢弃攻击包,从而能够有效减少攻击包对传输资源的占用,提高传输资源的利用率。也能够有效减少攻击包到达接收端的数量,能够在一定程度上减轻接收端的计算压力。
图2从控制器的角度描述了根据本发明实施例提供的数据传输的方法,下面结合图3从节点的角度描述根据本发明实施例提供的数据传输的方法。
图3示出了根据本发明实施例提供的数据传输的方法300的示意性流程图,该方法300包括:
S310,第一节点接收控制器发送的第一指示消息,该第一指示消息包括该控制器为第一业务数据流分配的至少一个安全标识,该第一节点为该第一业务数据流的传输路径中的首节点;
可选地,在本发明实施例中,控制器向首节点发送的该第一指示消息包括第一业务数据流的报头标识、该至少一个安全标识和该传输路径中下一节点的标识。
具体地,第一业务数据流的报头标识包括但不限定于,该第一业务数据流的源IP地址、目的IP地址、源MAC地址、目的MAC地址,传输协议、传输控制协议(Transmission Control Protocol,简称为“TCP”)或用户数据报协议(User Datagram Protocol,简称为“UDP”)端口、或者该第一业务数据流的流ID等信息。
应理解,该传输路径中下一节点的标识指的是在第一业务数据流的传输路径中,该首节点的下一节点的标识。
S320,该第一节点根据该第一指示消息,利用该至少一个安全标识中的第一安全标识替换处理第一数据包,获取携带该第一安全标识的第二数据包,其中,该第一数据包为该第一业务数据流中的数据包;
可选地,在本发明实施例中,该第一节点根据该第一指示消息,利用该至少一个安全标识中的第一安全标识替换处理第一数据包,获取携带该第一安全标识的第二数据包,包括:
该首节点通过处理该第一数据包的报头标识,获取携带该第一安全标识的第二数据包,并将第一数据包替换为该第二数据包,将该第二数据包发送至传输路径中的下一节点。
具体地,例如,在第一数据包中增加填充有该第一安全标识的报头标识字段,从而将第一数据包替换处理为携带第一安全标识的第二数据包。或者,将第一数据包的某一个报头标识替换为该第一安全标识,例如将第一数据包的报头标识中的源IP地址替换为该第一安全标识,从而将第一数据包替换处理为携带第一安全标识的第二数据包。还可以采用其他手段对第一数据包的报头标识进行处理,最终将第一数据包替换处理为携带第一安全标识的第二数据包,本发明实施例对此不作限定。
S330,该第一节点向该传输路径中的下一节点发送该第二数据包;
应理解,在本发明实施例中,该控制器还指示该传输路径中的中间节点将接收到的该第二数据包发送至该传输路径中的下一节点,该控制器还指示该传输路径中的末节点将接收到的该第二数据包还原处理为对应的该第一数据包。
可选地,在本发明实施例中,控制器还向中间节点发送该至少一个安全标识和该传输路径中下一节点的标识。
具体地,例如中间节点接收到一个数据包A,先判断该数据包是否携带该至少一个安全标识,例如确定该数据包A中携带了该第一安全标识(即该传输路径的首节点对第一业务数据流的数据包作替换处理后所发送的数据包),则根据下一节点的标识,将该数据包A转发至下一节点。
应理解,上面例子中的数据包A对应于本发明实施例中的第二数据包。
可选地,在本发明实施例中,控制器还向末节点发送该第一业务数据流的报头标识和该至少一个安全标识。
具体地,例如末节点接收到一个数据包A,先判断该数据包是否携带该至少一个安全标识,例如确定该数据包A中携带了该第一安全标识(即该传输路径的首节点对第一业务数据流的数据包作替换处理后所发送的数据包),然后根据该第一业务数据流的报头标识,对该数据包A作还原处理,假设首节点是将第一数据包的报头标识中的源IP地址替换为该第一安全标识得到该数据包A的,则末节点采用相反的手段,将数据包A的报头标识中的第一安全标识还原为该第一业务数据流的源IP地址,从而还原得到数据包A对应的第一数据包。
S340,该第一节点向该控制器发送已经发送的该第二数据包的个数,以便于该控制器确定该第一业务数据流在传输过程中遭到网络攻击,并确定该第一安全标识为受攻击安全标识;
具体地,该第一节点可以根据控制器的指示消息上报该第二数据包的发送个数,也可以主动上报,例如根据预设定时器信息主动上报。
S350,该第一节点接收该控制器发送的用于指示丢弃当前在该传输路径中传输的携带该受攻击安全标识的数据包的第二指示消息,并根据该第二指示消息,丢弃当前在该传输路径中传输的携带该受攻击安全标识的数据包。
因此,在本发明实施例中,根据携带安全标识的数据包的收发数量,确
定数据流的传输遭到网络攻击,并通过指示传输路径中的节点将携带该安全标识的数据包丢弃,能够实现及时丢弃攻击包,从而能够有效减少攻击包对传输资源的占用,提高传输资源的利用率。此外,在本发明实施例中,也能够有效减少攻击包到达接收端的数量,能够在一定程度上减轻接收端的计算压力。
应理解,根据本发明实施例提供的数据传输的方法300中涉及的第一指示消息对应于根据本发明实施例提供的数据传输的方法200中涉及的第一指示消息;根据本发明实施例提供的数据传输的方法300中涉及的第二指示消息对应于根据本发明实施例提供的数据传输的方法200中涉及的第四指示消息。
根据本发明实施例提供的数据传输的方法进行报头压缩的端到端传输,能够及时发现数据传输过程中存在网络攻击,并能够在一定程度上减少攻击包在网络中的传输,一方面降低攻击包对传输资源的占用,另一方面,有效减少到达解压端的攻击包的数量,能够降低解压端的计算负担。
可选地,在本发明实施例中,在接收到该第二指示消息之后,该方法300还包括:
S360,该第一节点不再利用该受攻击安全标识处理该第一业务数据流中的数据包。
具体地,第一节点可以在丢弃携带受攻击安全标识的数据包之后,自主地不再利用该受攻击安全标识处理该第一业务数据流中的数据包。也可以是在接收到控制器下发的用于指示不再利用该受攻击安全标识处理该第一业务数据流中的数据包的第五指示消息之后,不再利用该受攻击安全标识处理第一数据包。
应理解,第一节点接收到的该第五指示消息和第二指示消息,可以是控制器分两次下发到该第一节点的,也可以是同时下发到第一节点的,还可以是该第五指示消息和第二指示消息为同一个指示消息,本发明实施例对此不作限定。
具体地,控制器可以向首节点下发一个新的安全标识,指示首节点利用新的安全标识替换处理后续的第一数据包,这样能够一定程度上提高对网络攻击的抵抗力度。
可选地,在本发明实施例中,在第一节点获知该第一安全标识为受攻击
安全标识之后,该方法300还包括:
利用新的安全标识替换处理该第一业务数据流后续的第一数据包,该新的安全标识不同于第一安全标识。
具体地,该新的安全标识可以是第一节点从控制器为该第一业务数据流分配的多个安全标识中重新选择的不同于第一安全标识的安全标识,也可以是控制器为第一业务数据流重新分配的安全标识,本发明实施例对此不作限定。
应理解,首节点更换替换处理所使用的安全标识,能够一定程度上提高对网络攻击的抵抗力度。
本发明实施例的数据传输的方法可以应用于将报头压缩与集中管控网络结合在一起实现报头压缩的端到端传输的场景。
RFC5858指出,报头压缩机制的使用会增加压缩包在传输过程中遭到流量分析攻击的风险,这是因为报头压缩机制建立上下文时的压缩效率较低,生成的压缩包较大,而上下文建立好后压缩效率提高,对应生成的压缩包小。这样,压缩包组成的数据流就表现出先是一组大包,然后变为小包的特性。网络攻击者根据报头压缩的这种先大包后小包的传输特性,对数据传输的攻击称之为流量分析攻击。当前技术,很难有效地发现或者预防流量分析攻击这种攻击方式。
可选地,在本发明实施例中,该第一业务数据流为报头压缩的数据流,该控制器为该第一业务数据流分配的该至少一个安全标识包括两个或两个以上的安全标识,且该第一安全标识为首用安全标识,其中,该第一指示消息具体用于指示该首节点优先利用该首用安全标识替换处理该第一数据包;
S320该第一节点根据该第一指示消息,利用该至少一个安全标识中的第一安全标识替换处理第一数据包,获取携带该第一安全标识的第二数据包,包括:
该第一节点优先利用该第一安全标识替换处理第一数据包,获取携带该第一安全标识的第二数据包。
在本发明实施例中,为第一业务数据流分配的至少一个安全标识包括多个安全标识,例如分配3个安全标识,其中,3个安全标识中的第一安全标识为首用安全标识,即指示首节点优先使用的安全标识。
例如,首节点获取到第一业务数据流的第一个第一数据包A1时,利用
该至少一个安全标识中的首用安全标识替换处理该第一数据包A1,得到第一个携带第一安全标识的第二数据包B1,将该第二数据包B1发送至下一节点。当首节点获取到第一业务数据流的第二个第一数据包A2时,可以继续利用该首用安全标识替换处理该第一数据包A2,得到第二个携带第一安全标识的第二数据包B2,将该第二数据包B2发送至下一节点;也可以利用至少一个安全标识中的除了首用安全标识之外的另外一个安全标识替换处理第二个第一数据包A2,得到对应的第二数据包,也就是说,当控制器为第一业务数据流分配多个安全标识时,首节点可以更换用于替换处理第一业务数据流的数据包的安全标识,更换的方式和更换的频率,本发明实施例对此均不作限定。
应理解,在本发明实施例中,控制器为第一业务数据流(例如报头压缩的数据流)分配的首用安全标识,从而使得首节点根据该首用安全标识去替换处理第一业务数据流的第一个数据包或者最前面的几个数据包,这样有利于控制器监控第一业务数据流的首个数据包或者最前面的几个数据包的传输情况,有利于发现流量分析攻击这种攻击方式。
因此,在本发明实施例中,通过为数据流分配首用安全标识,根据携带该首用安全标识的数据包的收发数量,能够有效发现流量分析攻击,从而有助于后续制定解决方案。
可选地,在本发明实施例中,当控制器为第一业务数据流分配多个安全标识时,首节点可以更换用于替换处理第一业务数据流的数据包的安全标识。
可选地,在本发明实施例中,该第一业务数据流为报头压缩的数据流,为该第一业务数据流分配的该至少一个安全标识包括两个或两个以上的安全标识,其中,该第一指示消息具体用于指示根据当前处理的第一数据包的大小,从该至少一个安全标识中选择该第一安全标识;
S320该第一节点根据该第一指示消息,利用该至少一个安全标识中的第一安全标识替换处理第一数据包,获取携带该第一安全标识的第二数据包,包括:
该第一节点根据当前处理的第一数据包的大小,从该至少一个安全标识中选择该第一安全标识,并利用该第一安全标识替换处理该第一数据包,获取携带该第一安全标识的第二数据包。
具体地,例如,控制器向首节点发送的第一指示消息中包括预设阈值,用于指示首节点,当当前处理的第一业务数据流的一个数据包的尺寸与上一个处理的数据包的尺寸之差超过该预设阈值时,采用不同于上一个利用的安全标识的安全标识替换处理当前的数据包。
再例如,控制器向首节点发送的第一指示消息中包括用于指示数据包尺寸范围的预设阈值,用于指示该首节点,当当前处理的第一业务数据流的一个数据包(记为数据包A1)的尺寸小于该预设阈值时,从控制器为该第一业务数据流的多个安全标识中选择一个安全标识(记为安全标识①)处理该数据包A1,当下一个处理的第一业务数据流的一个数据包(记为数据包A2)的尺寸大于该预设阈值时,从控制器为该第一业务数据流的多个安全标识中选择另外一个安全标识(记为安全标识②,不同于安全标识①)处理该数据包A2。
应理解,在本发明实施例中,根据当前处理的第一数据包的大小,选择用于替换处理该第一数据包的安全标识,能够有效预防流量分析攻击。
可选地,在本发明实施例中,该首节点利用同一个安全标识替换处理该第一数据包的数量不超过预设阈值。
具体地,当该首节点连续发送携带有相同安全标识的第二数据包的数量大于或等于预设阈值时,更换不同的安全标识对当前的第一数据包进行替换处理(也可称之为标识隐藏处理)。
因此,在本发明实施例中,首节点在利用安全标识替换处理业务数据流的数据包时,更换安全标识,这样能够在一定程度上抵抗网络攻击。
可选地,在本发明实施例中,该第一节点为第二业务数据流的传输路径中的中间节点,该方法300还包括:
S370,该第一节点根据控制器发送的第三指示消息,将接收到的携带第二安全标识的数据包转发至该第二业务数据流的传输路径中的下一节点,其中第二安全标识为该控制器为该第二业务数据流分配的安全标识,该携带第二安全标识的数据包为该第二业务数据流的传输路径中的首节点对该第二业务数据流的数据包进行替换处理后得到的。
具体地,该第三指示消息包括该控制器为该第二业务数据流分配的安全标识和该第二业务数据流的传输路径中下一节点的标识。
可选地,在本发明实施例中,该第一节点为第三业务数据流的传输路径
中的末节点,该方法300还包括:
S380,该第一节点根据控制器发送的第四指示消息,将接收到的携带第三安全标识的数据包还原处理为对应的该第三业务数据流的数据包,其中第三安全标识为该控制器为该第三业务数据流分配的安全标识,该携带第三安全标识的数据包为该第三业务数据流的传输路径中的首节点对该第三业务数据流的数据包进行替换处理后得到的;
该第一节点向该控制器发送接收到的携带该第三安全标识的数据包的个数,以便于该控制器确定该第三业务数据流在传输过程中遭到网络攻击。
具体地,该第四指示消息包括该第三业务数据流的报头标识和该控制器为该第三业务数据流分配的安全标识。
应理解,本发明实施例的第一节点可以作为业务数据流A的传输路径中的首节点,用于根据控制器为该业务数据流A分配的安全标识对业务数据流A的数据包作替换处理,得到对应的第二数据包,发送至传输路径中的下一节点。本发明实施例的第一节点也可以作为业务数据流B的传输路径中的中间节点,用于将接收到的携带安全标识的数据包转发至传输路径中的下一节点。本发明实施例的第一节点也可以作为业务数据流C的传输路径中的末节点,用于将接收到的携带安全标识的数据包还原处理为对应的业务数据流C的数据包,例如将还原处理得到的业务数据流C的数据包发送至如图1所示的解压端130。
因此,在本发明实施例中,根据携带安全标识的数据包的收发数量,确定数据流的传输遭到网络攻击,并通过指示传输路径中的节点将携带该安全标识的数据包丢弃,能够实现及时丢弃攻击包,从而能够有效减少攻击包对传输资源的占用,提高传输资源的利用率。
此外,在本发明实施例中,也能够有效减少攻击包到达接收端的数量,能够在一定程度上减轻接收端的计算压力。
上文结合图1至图3描述了根据本发明实施例提供的数据传输的方法,下面结合图4和图5描述根据本发明实施例提供的数据传输的装置。
为了便于理解,下面结合图1所示的拓扑图,以控制器为如图1所示的控制器140为例,以首节点为如图1所示的首节点121为例,以中间节点为如图1所示的中间节点122为例,以末节点为如图1所示的末节点123为例,描述本发明实施例的数据传输的方法,应理解,图1所示的中间节点122指
示任一个位于首节点121与末节点123之间的节点。如图1所示,压缩端110生成的报头压缩的第一业务数据流需要通过传输路径120传输至解压端130,其中,报头压缩的动作由压缩端的终端用户执行。
数据传输的过程分为以下几个步骤:
步骤A:
控制器预先创建安全标识状态表,可以但不限于如表1所示。
安全标识的状态包括被占用、被首用、被攻击和未被占用四种,数据流的传输路径包括传输路径上的首节点和末节点,还可以包括中间节点。
步骤B:
B1,节点①收到第一业务数据流的第一个数据包,向控制器上报第一业务数据流的报头标识;
控制器根据报头标识与安全策略的映射关系,确定是否对该第一业务数据流进行标识隐藏。其中,第一业务数据流的报头标识可以是源IP、目的IP、传输协议、TCP或UDP端口等;安全策略包括标识隐藏和标识不隐藏。
应理解,步骤B1中的节点①可以是图1中所示的首节点,也可以是与压缩端110通信连接的其他节点。
B2,控制器确定对该第一业务数据流进行标识隐藏时,分配多个未被占用的安全标识,并确定第一业务数据流的传输路径,例如图1中所示的传输路径120;
控制器将为第一业务数据流分配的多个安全标识标记为被占用,并记录该多个安全标识与第一业务数据流之间的关联关系、第一业务数据流的传输路径等信息;另外,控制器还可选择该多个安全标识中的一个作为首用安全标识,并标识为被首用。
B3,针对第一业务数据流的传输路径120上的各个节点,控制器执行以下步骤:
控制器将第一业务数据流的报头标识、该多个安全标识和下一节点(首节点在传输路径120中的下一节点)标识发送给首节点;另外,控制器还可将第一阈值和第二阈值发送给首节点,其中,第一阈值和第二阈值可根据经验设置,且第二阈值不能小于1;
控制器将该多个安全标识和下一节点标识发送给中间节点,应理解,图1所示的中间节点指示任一个位于首节点与末节点之间的节点;
控制器将第一业务数据流的报头标识、该多个安全标识发送给末节点。
B4,首节点接收控制器发送的第一业务数据流的报头标识、该多个安全标识和下一节点标识,对与第一业务数据流的报头标识匹配的第一数据包(即第一业务数据流的数据包)进行标识隐藏处理得到第二数据包,将携带有第一安全标识的第二数据包传输至中间节点。其中,标识隐藏处理指的是对第一数据包的报头标识作处理,获取报头标识携带该多个安全标识中的第一安全标识的第二数据包。
B4.1,若首节点接收到控制器发送的该多个安全标识中有首用安全标识,首先使用该首用安全标识对第一数据包进行标识隐藏处理;
B4.2,若首节点121还接收到控制器发送的第一阈值,当第一数据包的尺寸大于和小于该第一阈值时,应分别使用该多个安全标识中的不同安全标识对该第一数据包进行标识隐藏处理;
B4.3,若首节点还接收到控制器发送的第二阈值,当连续发送携带有相同安全标识的第二数据包的数量大于等于第二阈值时,应使用不同的安全标识对第一数据包进行标识隐藏处理;
B5,中间节点接收控制器发送的该多个安全标识和下一节点标识,当接收到携带有该多个安全标识中的任一个安全标识的第二数据包时,将第二数据包传输至下一节点;
B6,末节点接收控制器发送的第一业务数据流的报头标识、该多个安全标识,当接收到携带有该多个安全标识中的任一个安全标识的第二数据包时,对第二数据包进行标识解隐藏处理(对应于本发明实施例中涉及的还原处理)得到第一数据包。
步骤C:
C1,每隔一段时间,控制器获得首节点发送的各数据流(即多个业务数据流)的数据包数和末节点接收的各数据流的数据包数,计算各数据流在末节点接收的数据包数与首节点发送的数据包数的差值,若差值大于第三阈值,则确认该数据流遭到网络攻击。
若该遭到攻击的数据流的数据包携带了一个安全标识,则确认该安全标识遭到攻击,将该安全标识在安全标识状态表中标识为被攻击,其中,第三阈值可根据经验设置。
C2,控制器统计过去的这段时间里被攻击的安全标识中首用安全标识所
占的比例,若比例大于第四阈值,则确认网络中存在流量分析攻击,其中,第四阈值可根据经验设置。
C3,控制器确认某数据流遭到攻击,获得首节点发送、中间节点转发和末节点接收该数据流的数据包数,计算传输路径上相邻两节点间后一节点与前一节点的差值,找出差值最大的相邻两节点,确认该两节点间的链路存在攻击者。
步骤D:
D1,当控制器确认某数据流X的某安全标识遭到攻击,向该数据流X的传输路径上的首节点、中间节点、末节点发送该安全标识;首节点接收控制器发送的安全标识,不再使用该安全标识对该数据流X的第一数据包进行标识隐藏处理;首节点、中间节点和末节点丢弃携带有该安全标识的第二数据包;
另外,控制器还可为该数据流X分配一个未被占用的安全标识,标识为被占用,并记录安全标识与该数据流X之间的关联关系、该数据流X的传输路径等信息;控制器将该数据流X的报头标识、安全标识发送给首节点,将安全标识和下一节点标识发送给该中间节点,将该数据流X的报头标识、安全标识发送给末节点;首节点接收控制器发送的该数据流X的报头标识和安全标识,对与该数据流X的报头标识匹配的第一数据包进行标识隐藏处理时,还可以使用新分配的安全标识;
D2,控制器确认网络中存在流量分析攻击时减小第二阈值,否则增大第二阈值;
D3,当控制器确认攻击者所在的链路时,计算出可替代路径,可替代路径不含该链路;控制器向可替代路径的首节点、中间节点和末节点发送数据流的报头标识或安全标识,以及下一节点标识;首节点、中间节点和末节点接收到与数据流的报头标识或安全标识匹配的数据包时,将数据包传输至下一节点;
步骤E:
当控制器收到某数据流的流删除事件信息时,将该数据流所占用的安全标识标记为未被占用。
因此,在本发明实施例中,根据携带安全标识的数据包的收发数量,确定数据流的传输遭到网络攻击,并通过指示传输路径中的节点将携带该安全
标识的数据包丢弃,能够实现及时丢弃攻击包,从而能够有效减少攻击包对传输资源的占用,提高传输资源的利用率。
此外,在本发明实施例中,也能够有效减少攻击包到达接收端的数量,能够在一定程度上减轻接收端的计算压力。
图4示出了根据本发明实施例提供的控制器400的示意性框图,该控制器400包括:
分配模块410,用于为第一业务数据流分配至少一个安全标识;
发送模块420,用于向该第一业务数据流的传输路径中的首节点发送包括该分配模块分配的至少一个安全标识的第一指示消息,该第一指示消息用于指示该首节点利用该至少一个安全标识中的第一安全标识替换处理第一数据包,获取携带该第一安全标识的第二数据包,并向该传输路径中的下一节点发送该第二数据包,其中,该第一数据包为该第一业务数据流中的数据包;
该发送模块420还用于,向该传输路径中的中间节点发送用于指示将接收到的该第二数据包发送至该传输路径中的下一节点的第二指示消息,该发送模块还用于,向该传输路径中的末节点发送用于指示将接收到的该第二数据包还原处理为对应的该第一数据包的第三指示消息;
获取模块430,用于获取该第二数据包的收发数量,该收发数量指示该末节点接收到的该第二数据包的个数和该首节点发送的该第二数据包的个数;
第一确定模块440用于,根据该获取模块获取的第二数据包的收发数量,确定该第一业务数据流在传输过程中遭到网络攻击,并确定该第一安全标识为受攻击安全标识;
该发送模块420还用于,向该传输路径中的每个节点发送用于指示丢弃当前在该传输路径中传输的携带该第一确定模块确定的受攻击安全标识的数据包的第四指示消息。
因此,在本发明实施例中,根据携带安全标识的数据包的收发数量,确定数据流的传输遭到网络攻击,并通过指示传输路径中的节点将携带该安全标识的数据包丢弃,能够实现及时丢弃攻击包,从而能够有效减少攻击包对传输资源的占用,提高传输资源的利用率。
此外,在本发明实施例中,也能够有效减少攻击包到达接收端的数量,
能够在一定程度上减轻接收端的计算压力。
可选地,在本发明实施例中,该第一业务数据流为报头压缩的数据流,该分配模块为该第一业务数据流分配的该至少一个安全标识包括两个或两个以上的安全标识,且该第一安全标识为首用安全标识,其中,该发送模块420发送的该第一指示消息具体用于指示该首节点优先利用该首用安全标识替换处理该第一数据包。
可选地,在本发明实施例中,该控制器400还包括:
第二确定模块450,用于根据携带该首用安全标识的数据包的收发数量,确定所述第一业务数据流在传输过程中遭到流量分析攻击。
可选地,在本发明实施例中,该第一业务数据流为报头压缩的数据流,该分配模块为该第一业务数据流分配的该至少一个安全标识包括两个或两个以上的安全标识,其中,该发送模块420发送的该第一指示消息具体用于指示该首节点根据当前处理的第一数据包的大小,从该至少一个安全标识中选择该第一安全标识,以替换处理该第一数据包。
可选地,在本发明实施例中,该发送模块420发送的该第一指示消息还用于指示该首节点,利用同一个安全标识替换处理该第一数据包的数量不超过预设阈值。
可选地,在本发明实施例中,该发送模块420还用于,在该第一确定模块确定该第一业务数据流在传输过程中遭到网络攻击的情况下,向该首节点发送用于指示不再利用该受攻击安全标识替换处理该第一数据包的第五指示消息。
可选地,在本发明实施例中,该获取模块430还用于,在该第一确定模块440确定该第一业务数据流在传输过程中遭到网络攻击之后,获取该传输路径中每两个相邻节点中后一节点接收的该第二数据包的个数与前一节点发送的该第二数据包的个数;
该控制器400还包括:
第三确定模块460,用于根据该获取模块获取的该后一节点接收的该第二数据包的个数与该前一节点发送的该第二数据包的个数,确定该传输路径中相邻的第一节点与第二节点之间的路径为受攻击路径;
该分配模块410还用于,为该第一业务数据流分配替代传输路径,该替代传输路径不包括该受攻击路径。
可选地,在本发明实施例中,该获取模块430具体用于,根据预设定时器,获取该第二数据包的收发数量。
可选地,在本发明实施例中,该控制器400还包括:
释放模块470,用于当检测到该第一业务数据流的流删除事件时,释放为该第一业务数据流分配的安全标识。
应理解,根据本发明实施例提供的控制器400例如为图1所述的控制器140,可对应于本发明实施例提供的数据传输的方法中的控制器,并且控制器400中的各个模块的上述和其他操作和/或功能分别为了实现图2和图3中的各个方法的相应流程,为了简洁,在此不再赘述。
图5示出了根据本发明实施例提供的数据传输的节点500的示意性框图,该节点500包括:
接收模块510,用于接收控制器发送的第一指示消息,该第一指示消息包括该控制器为第一业务数据流分配的至少一个安全标识,该节点500为该第一业务数据流的传输路径中的首节点;
替换模块520,用于根据该接收模块接收的该第一指示消息,利用该至少一个安全标识中的第一安全标识替换处理第一数据包,获取携带该第一安全标识的第二数据包,其中,该第一数据包为该第一业务数据流中的数据包;
发送模块530,用于向该传输路径中的下一节点发送该替换模块获取的该第二数据包;
该发送模块530还用于,向该控制器发送已经发送的该第二数据包的个数,以便于该控制器确定该第一业务数据流在传输过程中遭到网络攻击,并确定该第一安全标识为受攻击安全标识;
该接收模块510还用于,接收该控制器发送的用于指示丢弃当前在该传输路径中传输的携带该受攻击安全标识的数据包的第四指示消息,并根据该第四指示消息,丢弃当前在该传输路径中传输的携带该受攻击安全标识的数据包。
因此,在本发明实施例中,根据携带安全标识的数据包的收发数量,确定数据流的传输遭到网络攻击,并通过指示传输路径中的节点将携带该安全标识的数据包丢弃,能够实现及时丢弃攻击包,从而能够有效减少攻击包对传输资源的占用,提高传输资源的利用率。
此外,在本发明实施例中,也能够有效减少攻击包到达接收端的数量,
能够在一定程度上减轻接收端的计算压力。
可选地,在本发明实施例中,该第一业务数据流为报头压缩的数据流,该控制器为该第一业务数据流分配的该至少一个安全标识包括两个或两个以上的安全标识,且该第一安全标识为首用安全标识,其中,该接收模块510接收的该第一指示消息具体用于指示该首节点优先利用该首用安全标识替换处理该第一数据包;
该替换模块520具体用于,优先利用该第一安全标识替换处理第一数据包,获取携带该第一安全标识的第二数据包。
可选地,在本发明实施例中,该第一业务数据流为报头压缩的数据流,为该第一业务数据流分配的该至少一个安全标识包括两个或两个以上的安全标识,其中,该接收模块510接收的该第一指示消息具体用于指示根据当前处理的第一数据包的大小,从该至少一个安全标识中选择该第一安全标识;
该替换模块520具体用于,根据当前处理的第一数据包的大小,从该至少一个安全标识中选择该第一安全标识,并利用该第一安全标识替换处理该第一数据包,获取携带该第一安全标识的第二数据包。
可选地,在本发明实施例中,该第一指示消息还用于指示该节点,利用同一个安全标识替换处理该第一数据包的数量不超过预设阈值。
可选地,在本发明实施例中,该替换模块520还用于,在该接收模块510接收到该第二指示消息后,不再利用该第一安全标识替换处理该第一业务数据流中的数据包。
应理解,根据本发明实施例提供的数据传输的节点500例如为图1所述的首节点121,可对应于本发明实施例提供的数据传输的方法中的首节点,并且节点500中的各个模块的上述和其他操作和/或功能分别为了实现图2和图3中的各个方法的相应流程,为了简洁,在此不再赘述。
可选地,在本发明实施例中,该节点500为第二业务数据流的传输路径中的中间节点,该节点500还包括:
转发模块540,用于根据控制器发送的第三指示消息,将接收到的携带第二安全标识的数据包转发至该第二业务数据流的传输路径中的下一节点,其中第二安全标识为该控制器为该第二业务数据流分配的安全标识,该携带第二安全标识的数据包为该第二业务数据流的传输路径中的首节点对该第
二业务数据流的数据包进行替换处理后得到的。
具体地,本发明实施例中的数据传输的节点500例如为图1所述的中间节点122。
可选地,在本发明实施例中,该节点500为第三业务数据流的传输路径中的末节点,该节点500还包括:
还原模块550,用于根据控制器发送的第四指示消息,将接收到的携带第三安全标识的数据包还原处理为对应的该第三业务数据流的数据包,其中第三安全标识为该控制器为该第三业务数据流分配的安全标识,该携带第三安全标识的数据包为该第三业务数据流的传输路径中的首节点对该第三业务数据流的数据包进行替换处理后得到的;
该发送模块还用于,向该控制器发送接收到的携带该第三安全标识的数据包的个数,以便于该控制器确定该第三业务数据流在传输过程中遭到网络攻击。
具体地,本发明实施例中的数据传输的节点500例如为图1所述的末节点123。
因此,在本发明实施例中,根据携带安全标识的数据包的收发数量,确定数据流的传输遭到网络攻击,并通过指示传输路径中的节点将携带该安全标识的数据包丢弃,能够实现及时丢弃攻击包,从而能够有效减少攻击包对传输资源的占用,提高传输资源的利用率。
此外,在本发明实施例中,也能够有效减少攻击包到达接收端的数量,能够在一定程度上减轻接收端的计算压力。
如图6所示,本发明实施例还提供一种控制器600,该控制器600包括处理器610、存储器620、总线系统630、接收器640和发送器650。其中,处理器610、存储器620、接收器640和发送器650通过总线系统630相连,该存储器620用于存储指令,该处理器610用于执行该存储器620存储的指令,以控制接收器640接收信号,并控制发送器650发送信号。其中,
该处理器610用于,为第一业务数据流分配至少一个安全标识;
该发送器650用于,向该第一业务数据流的传输路径中的首节点发送包括该至少一个安全标识的第一指示消息,该第一指示消息用于指示该首节点利用该至少一个安全标识中的第一安全标识替换处理第一数据包,获取携带该第一安全标识的第二数据包,并向该传输路径中的下一节点发送该第二数
据包,其中,该第一数据包为该第一业务数据流中的数据包;
该发送器650还用于,向该传输路径中的中间节点发送用于指示将接收到的该第二数据包发送至该传输路径中的下一节点的第二指示消息,该控制器还向该传输路径中的末节点发送用于指示将接收到的该第二数据包还原处理为对应的该第一数据包的第三指示消息;
该处理器610还用于,获取该第二数据包的收发数量,该收发数量指示该末节点接收到的该第二数据包的个数和该首节点发送的该第二数据包的个数;
该处理器610还用于,根据该第二数据包的收发数量,确定该第一业务数据流在传输过程中遭到网络攻击,并确定该第一安全标识为受攻击安全标识;
该发送器650用于,向该传输路径中的每个节点发送用于指示丢弃当前在该传输路径中传输的携带该受攻击安全标识的数据包的第四指示消息。
因此,在本发明实施例中,根据携带安全标识的数据包的收发数量,确定数据流的传输遭到网络攻击,并通过指示传输路径中的节点将携带该安全标识的数据包丢弃,能够实现及时丢弃攻击包,从而能够有效减少攻击包对传输资源的占用,提高传输资源的利用率。
此外,在本发明实施例中,也能够有效减少攻击包到达接收端的数量,能够在一定程度上减轻接收端的计算压力。
可选地,在本发明实施例中,该第一业务数据流为报头压缩的数据流,该控制器为该第一业务数据流分配的该至少一个安全标识包括两个或两个以上的安全标识,且该第一安全标识为首用安全标识,其中,该第一指示消息具体用于指示该首节点优先利用该首用安全标识替换处理该第一数据包。
可选地,在本发明实施例中,该处理器610还用于,
根据携带该首用安全标识的数据包的收发数量,确定所述第一业务数据流在传输过程中遭到流量分析攻击。
可选地,在本发明实施例中,该第一业务数据流为报头压缩的数据流,为该第一业务数据流分配的该至少一个安全标识包括两个或两个以上的安全标识,其中,该第一指示消息具体用于指示该首节点根据当前处理的第一数据包的大小,从该至少一个安全标识中选择该第一安全标识,以替换处理该第一数据包。
可选地,在本发明实施例中,该第一指示消息还用于指示该首节点,利用同一个安全标识替换处理该第一数据包的数量不超过预设阈值。
可选地,在本发明实施例中,该发送器650还用于,在处理器610确定该第一业务数据流在传输过程中遭到网络攻击的情况下,向该首节点发送用于指示不再利用该受攻击安全标识替换处理该第一数据包的第五指示消息。
可选地,在本发明实施例中,该处理器610还用于,在确定该第一业务数据流在传输过程中遭到网络攻击之后,获取该传输路径中每两个相邻节点中后一节点接收的该第二数据包的个数与前一节点发送的该第二数据包的个数;
该处理器610还用于,根据获取的该后一节点接收的该第二数据包的个数与该前一节点发送的该第二数据包的个数,确定该传输路径中相邻的第一节点与第二节点之间的路径为受攻击路径;
该处理器610还用于,为该第一业务数据流分配替代传输路径,该替代传输路径不包括该受攻击路径。
可选地,在本发明实施例中,该处理器610具体用于,据预设定时器,获取该第二数据包的收发数量。
可选地,在本发明实施例中,该处理器610还用于,当检测到该第一业务数据流的流删除事件时,释放为该第一业务数据流分配的安全标识。
应理解,在本发明实施例中,该处理器610可以是中央处理单元(Central Processing Unit,简称为“CPU”),该处理器610还可以是其他通用处理器、数字信号处理器(DSP)、专用集成电路(ASIC)、现成可编程门阵列(FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。
该存储器620可以包括只读存储器和随机存取存储器,并向处理器610提供指令和数据。存储器620的一部分还可以包括非易失性随机存取存储器。例如,存储器620还可以存储设备类型的信息。
该总线系统630除包括数据总线之外,还可以包括电源总线、控制总线和状态信号总线等。但是为了清楚说明起见,在图中将各种总线都标为总线系统630。
在实现过程中,上述方法的各步骤可以通过处理器610中的硬件的集成逻辑电路或者软件形式的指令完成。结合本发明实施例所公开的方法的步骤
可以直接体现为硬件处理器执行完成,或者用处理器中的硬件及软件模块组合执行完成。软件模块可以位于随机存储器,闪存、只读存储器,可编程只读存储器或者电可擦写可编程存储器、寄存器等本领域成熟的存储介质中。该存储介质位于存储器620,处理器610读取存储器620中的信息,结合其硬件完成上述方法的步骤。为避免重复,这里不再详细描述。
应理解,根据本发明实施例的控制器600可对应于本发明实施例的数据传输的方法中的控制器,以及可以对应于根据本发明实施例的控制器400,并且控制器600中的各个模块的上述和其它操作和/或功能分别为了实现图2和图3的各个方法的相应流程,为了简洁,在此不再赘述。
如图7所示,本发明实施例还提供了一种数据传输的节点700,该节点700包括处理器710、存储器720、总线系统730、接收器740和发送器750。其中,处理器710、存储器720、接收器740和发送器750通过总线系统730相连,该存储器720用于存储指令,该处理器710用于执行该存储器720存储的指令,以控制接收器740接收信号,并控制发送器750发送信号。其中,该接收器740用于接收控制器发送的第一指示消息,该第一指示消息包括该控制器为第一业务数据流分配的至少一个安全标识,该第一节点为该第一业务数据流的传输路径中的首节点;
处理器710用于,根据该第一指示消息,利用该至少一个安全标识中的第一安全标识替换处理第一数据包,获取携带该第一安全标识的第二数据包,其中,该第一数据包为该第一业务数据流中的数据包;
发送器750用于,向该传输路径中的下一节点发送该第二数据包;
该第一节点向该控制器发送已经发送的该第二数据包的个数,以便于该控制器确定该第一业务数据流在传输过程中遭到网络攻击,并确定该第一安全标识为受攻击安全标识;
接收器740用于,接收该控制器发送的用于指示丢弃当前在该传输路径中传输的携带该受攻击安全标识的数据包的第四指示消息,并根据该第四指示消息,丢弃当前在该传输路径中传输的携带该受攻击安全标识的数据包。
因此,在本发明实施例中,根据携带安全标识的数据包的收发数量,确定数据流的传输遭到网络攻击,并通过指示传输路径中的节点将携带该安全标识的数据包丢弃,能够实现及时丢弃攻击包,从而能够有效减少攻击包对传输资源的占用,提高传输资源的利用率。
此外,在本发明实施例中,也能够有效减少攻击包到达接收端的数量,能够在一定程度上减轻接收端的计算压力。
可选地,在本发明实施例中,该第一业务数据流为报头压缩的数据流,该控制器为该第一业务数据流分配的该至少一个安全标识包括两个或两个以上的安全标识,且该第一安全标识为首用安全标识,其中,该第一指示消息具体用于指示该首节点优先利用该首用安全标识替换处理该第一数据包;
处理器710具体用于,优先利用该第一安全标识替换处理第一数据包,获取携带该第一安全标识的第二数据包。
可选地,在本发明实施例中,该第一业务数据流为报头压缩的数据流,为该第一业务数据流分配的该至少一个安全标识包括两个或两个以上的安全标识,其中,该第一指示消息具体用于指示根据当前处理的第一数据包的大小,从该至少一个安全标识中选择该第一安全标识;
处理器710具体用于,根据当前处理的第一数据包的大小,从该至少一个安全标识中选择该第一安全标识,并利用该第一安全标识替换处理该第一数据包,获取携带该第一安全标识的第二数据包。
可选地,在本发明实施例中,该第一指示消息还用于指示该节点,利用同一个安全标识替换处理该第一数据包的数量不超过预设阈值。
可选地,在本发明实施例中,处理器710具体还用于,在接收器740接收到该第二指示消息之后,不再利用该受攻击安全标识处理该第一业务数据流中的数据包。
可选地,在本发明实施例中,该第一节点为第二业务数据流的传输路径中的中间节点,处理器710还用于,根据控制器发送的第三指示消息,将接收到的携带第二安全标识的数据包转发至该第二业务数据流的传输路径中的下一节点,其中第二安全标识为该控制器为该第二业务数据流分配的安全标识,该携带第二安全标识的数据包为该第二业务数据流的传输路径中的首节点对该第二业务数据流的数据包进行替换处理后得到的。
可选地,在本发明实施例中,该第一节点为第三业务数据流的传输路径中的末节点,处理器710还用于,根据控制器发送的第四指示消息,将接收到的携带第三安全标识的数据包还原处理为对应的该第三业务数据流的数据包,其中第三安全标识为该控制器为该第三业务数据流分配的安全标识,该携带第三安全标识的数据包为该第三业务数据流的传输路径中的首节点
对该第三业务数据流的数据包进行替换处理后得到的;
发送器750还用于,向该控制器发送接收到的携带该第三安全标识的数据包的个数,以便于该控制器确定该第三业务数据流在传输过程中遭到网络攻击。
如图8所示,本发明实施例还提供了一种数据传输的系统800,该系统800包括本发明实施例提供的控制器400和本发明实施例提供的数据传输的节点500。
因此,在本发明实施例中,根据携带安全标识的数据包的收发数量,确定数据流的传输遭到网络攻击,并通过指示传输路径中的节点将携带该安全标识的数据包丢弃,能够实现及时丢弃攻击包,从而能够有效减少攻击包对传输资源的占用,提高传输资源的利用率。
此外,在本发明实施例中,也能够有效减少攻击包到达接收端的数量,能够在一定程度上减轻接收端的计算压力。
还应理解,本文中涉及的第一、第二、第三、第四以及各种数字编号仅为描述方便进行的区分,并不用来限制本发明实施例的范围。
应理解,在本发明的各种实施例中,上述各过程的序号的大小并不意味着执行顺序的先后,各过程的执行顺序应以其功能和内在逻辑确定,而不应对本发明实施例的实施过程构成任何限定。
本领域普通技术人员可以意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,能够以电子硬件、或者计算机软件和电子硬件的结合来实现。这些功能究竟以硬件还是软件方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本发明的范围。
所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的系统、装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。
在本申请所提供的几个实施例中,应该理解到,所揭露的系统、装置和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,所述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间
的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。
所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。
另外,在本发明各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。
所述功能如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本发明的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本发明各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、磁碟或者光盘等各种可以存储程序代码的介质。
以上所述,仅为本发明的具体实施方式,但本发明的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本发明揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本发明的保护范围之内。因此,本发明的保护范围应以所述权利要求的保护范围为准。
Claims (31)
- 一种数据传输的方法,其特征在于,包括:控制器为第一业务数据流分配至少一个安全标识;所述控制器向所述第一业务数据流的传输路径中的首节点发送包括所述至少一个安全标识的第一指示消息,所述第一指示消息用于指示所述首节点利用所述至少一个安全标识中的第一安全标识替换处理第一数据包,获取携带所述第一安全标识的第二数据包,并向所述传输路径中的下一节点发送所述第二数据包,其中,所述第一数据包为所述第一业务数据流中的数据包;所述控制器向所述传输路径中的中间节点发送用于指示将接收到的所述第二数据包发送至所述传输路径中的下一节点的第二指示消息,所述控制器还向所述传输路径中的末节点发送用于指示将接收到的所述第二数据包还原处理为对应的所述第一数据包的第三指示消息;所述控制器获取所述第二数据包的收发数量,所述收发数量指示所述末节点接收到的所述第二数据包的个数和所述首节点发送的所述第二数据包的个数;所述控制器根据所述第二数据包的收发数量,确定所述第一业务数据流在传输过程中遭到网络攻击,并确定所述第一安全标识为受攻击安全标识;所述控制器向所述传输路径中的每个节点发送用于指示丢弃当前在所述传输路径中传输的携带所述受攻击安全标识的数据包的第四指示消息。
- 根据权利要求1所述的方法,其特征在于,所述第一业务数据流为报头压缩的数据流,所述控制器为所述第一业务数据流分配的所述至少一个安全标识包括两个或两个以上的安全标识,且所述第一安全标识为首用安全标识,其中,所述第一指示消息具体用于指示所述首节点优先利用所述首用安全标识替换处理所述第一数据包。
- 根据权利要求2所述的方法,其特征在于,所述方法还包括:所述控制器根据携带所述首用安全标识的数据包的收发数量,确定所述第一业务数据流在传输过程中遭到流量分析攻击。
- 根据权利要求1所述的方法,其特征在于,所述第一业务数据流为报头压缩的数据流,为所述第一业务数据流分配的所述至少一个安全标识包括两个或两个以上的安全标识,其中,所述第一指示消息具体用于指示所述首节点根据当前处理的第一数据包的大小,从所述至少一个安全标识中选择 所述第一安全标识,以替换处理所述第一数据包。
- 根据权利要求2至4中任一项所述的方法,其特征在于,所述第一指示消息还用于指示所述首节点,利用同一个安全标识替换处理所述第一数据包的数量不超过预设阈值。
- 根据权利要求1至5中任一项所述的方法,其特征在于,在确定所述第一业务数据流在传输过程中遭到网络攻击的情况下,所述方法还包括:所述控制器向所述首节点发送用于指示不再利用所述第一安全标识替换处理所述第一数据包的第五指示消息。
- 根据权利要求1至6中任一项所述的方法,其特征在于,在确定所述第一业务数据流在传输过程中遭到网络攻击之后,所述方法还包括:所述控制器获取所述传输路径中每两个相邻节点中后一节点接收的所述第二数据包的个数与前一节点发送的所述第二数据包的个数;所述控制器根据获取的所述后一节点接收的所述第二数据包的个数与所述前一节点发送的所述第二数据包的个数,确定所述传输路径中相邻的第一节点与第二节点之间的路径为受攻击路径;所述控制器为所述第一业务数据流分配替代传输路径,所述替代传输路径不包括所述受攻击路径。
- 根据权利要求1至7中任一项所述的方法,其特征在于,所述方法还包括:当所述控制器检测到所述第一业务数据流的流删除事件时,释放为所述第一业务数据流分配的安全标识。
- 一种数据传输的方法,其特征在于,包括:第一节点接收控制器发送的第一指示消息,所述第一指示消息包括所述控制器为第一业务数据流分配的至少一个安全标识,所述第一节点为所述第一业务数据流的传输路径中的首节点;所述第一节点根据所述第一指示消息,利用所述至少一个安全标识中的第一安全标识替换处理第一数据包,获取携带所述第一安全标识的第二数据包,其中,所述第一数据包为所述第一业务数据流中的数据包;所述第一节点向所述传输路径中的下一节点发送所述第二数据包;所述第一节点向所述控制器发送已经发送的所述第二数据包的个数,以便于所述控制器确定所述第一业务数据流在传输过程中遭到网络攻击,并确 定所述第一安全标识为受攻击安全标识;所述第一节点接收所述控制器发送的用于指示丢弃当前在所述传输路径中传输的携带所述受攻击安全标识的数据包的第二指示消息,并根据所述第二指示消息,丢弃当前在所述传输路径中传输的携带所述受攻击安全标识的数据包。
- 根据权利要求9所述的方法,其特征在于,所述第一业务数据流为报头压缩的数据流,所述控制器为所述第一业务数据流分配的所述至少一个安全标识包括两个或两个以上的安全标识,且所述第一安全标识为首用安全标识,其中,所述第一指示消息具体用于指示所述首节点优先利用所述首用安全标识替换处理所述第一数据包;所述第一节点根据所述第一指示消息,利用所述至少一个安全标识中的第一安全标识替换处理第一数据包,获取携带所述第一安全标识的第二数据包,包括:所述第一节点优先利用所述第一安全标识替换处理第一数据包,获取携带所述第一安全标识的第二数据包。
- 根据权利要求9所述的方法,其特征在于,所述第一业务数据流为报头压缩的数据流,为所述第一业务数据流分配的所述至少一个安全标识包括两个或两个以上的安全标识,其中,所述第一指示消息具体用于指示根据当前处理的第一数据包的大小,从所述至少一个安全标识中选择所述第一安全标识;所述第一节点根据所述第一指示消息,利用所述至少一个安全标识中的第一安全标识替换处理第一数据包,获取携带所述第一安全标识的第二数据包,包括:所述第一节点根据当前处理的第一数据包的大小,从所述至少一个安全标识中选择所述第一安全标识,并利用所述第一安全标识替换处理所述第一数据包,获取携带所述第一安全标识的第二数据包。
- 根据权利要求9至11中任一项所述的方法,其特征在于,所述第一指示消息还用于指示所述第一节点,利用同一个安全标识替换处理所述第一数据包的数量不超过预设阈值。
- 根据权利要求9至12中任一项所述的方法,其特征在于,在接收到所述第二指示消息之后,所述方法还包括:所述第一节点不再利用所述第一安全标识处理所述第一业务数据流中的数据包。
- 根据权利要求9至13中任一项所述的方法,其特征在于,所述第一节点为第二业务数据流的传输路径中的中间节点,所述方法还包括:所述第一节点根据所述控制器发送的第三指示消息,将接收到的携带第二安全标识的数据包转发至所述第二业务数据流的传输路径中的下一节点,其中第二安全标识为所述控制器为所述第二业务数据流分配的安全标识,所述携带第二安全标识的数据包为所述第二业务数据流的传输路径中的首节点对所述第二业务数据流的数据包进行替换处理后得到的。
- 根据权利要求9至14中任一项所述的方法,其特征在于,所述第一节点为第三业务数据流的传输路径中的末节点,所述方法还包括:所述第一节点根据所述控制器发送的第四指示消息,将接收到的携带第三安全标识的数据包还原处理为对应的所述第三业务数据流的数据包,其中第三安全标识为所述控制器为所述第三业务数据流分配的安全标识,所述携带第三安全标识的数据包为所述第三业务数据流的传输路径中的首节点对所述第三业务数据流的数据包进行替换处理后得到的;所述第一节点向所述控制器发送接收到的携带所述第三安全标识的数据包的个数,以便于所述控制器确定所述第三业务数据流在传输过程中遭到网络攻击。
- 一种控制器,其特征在于,包括:分配模块,用于为第一业务数据流分配至少一个安全标识;发送模块,用于向所述第一业务数据流的传输路径中的首节点发送包括所述分配模块分配的至少一个安全标识的第一指示消息,所述第一指示消息用于指示所述首节点利用所述至少一个安全标识中的第一安全标识替换处理第一数据包,获取携带所述第一安全标识的第二数据包,并向所述传输路径中的下一节点发送所述第二数据包,其中,所述第一数据包为所述第一业务数据流中的数据包;所述发送模块还用于,向所述传输路径中的中间节点发送用于指示将接收到的所述第二数据包发送至所述传输路径中的下一节点的第二指示消息,所述发送模块还用于,向所述传输路径中的末节点发送用于指示将接收到的所述第二数据包还原处理为对应的所述第一数据包的第三指示消息;获取模块,用于获取所述第二数据包的收发数量,所述收发数量指示所述末节点接收到的所述第二数据包的个数和所述首节点发送的所述第二数据包的个数;第一确定模块用于,根据所述获取模块获取的第二数据包的收发数量,确定所述第一业务数据流在传输过程中遭到网络攻击,并确定所述第一安全标识为受攻击安全标识;所述发送模块还用于,向所述传输路径中的每个节点发送用于指示丢弃当前在所述传输路径中传输的携带所述第一确定模块确定的受攻击安全标识的数据包的第四指示消息。
- 根据权利要求16所述的控制器,其特征在于,所述第一业务数据流为报头压缩的数据流,所述分配模块为所述第一业务数据流分配的所述至少一个安全标识包括两个或两个以上的安全标识,且所述第一安全标识为首用安全标识,其中,所述发送模块发送的所述第一指示消息具体用于指示所述首节点优先利用所述首用安全标识替换处理所述第一数据包。
- 根据权利要求17所述的控制器,其特征在于,所述控制器还包括:第二确定模块,用于根据携带所述首用安全标识的数据包的收发数量,确定所述第一业务数据流在传输过程中遭到流量分析攻击。
- 根据权利要求16所述的控制器,其特征在于,所述第一业务数据流为报头压缩的数据流,所述分配模块为所述第一业务数据流分配的所述至少一个安全标识包括两个或两个以上的安全标识,其中,所述发送模块发送的所述第一指示消息具体用于指示所述首节点根据当前处理的第一数据包的大小,从所述至少一个安全标识中选择所述第一安全标识,以替换处理所述第一数据包。
- 根据权利要求17至19中任一项所述的控制器,其特征在于,所述发送模块发送的所述第一指示消息还用于指示所述首节点,利用同一个安全标识替换处理所述第一数据包的数量不超过预设阈值。
- 根据权利要求16至20中任一项所述的控制器,其特征在于,所述发送模块还用于,在所述第一确定模块确定所述第一业务数据流在传输过程中遭到网络攻击的情况下,向所述首节点发送用于指示不再利用所述第一安全标识替换处理所述第一数据包的第五指示消息。
- 根据权利要求16至21中任一项所述的控制器,其特征在于,所述获取模块还用于,在所述第一确定模块确定所述第一业务数据流在传输过程中遭到网络攻击之后,获取所述传输路径中每两个相邻节点中后一节点接收的所述第二数据包的个数与前一节点发送的所述第二数据包的个数;所述控制器还包括:第三确定模块,用于根据所述获取模块获取的所述后一节点接收的所述第二数据包的个数与所述前一节点发送的所述第二数据包的个数,确定所述传输路径中相邻的第一节点与第二节点之间的路径为受攻击路径;所述分配模块还用于,为所述第一业务数据流分配替代传输路径,所述替代传输路径不包括所述受攻击路径。
- 根据权利要求16至22中任一项所述的控制器,其特征在于,所述控制器还包括:释放模块,用于当检测到所述第一业务数据流的流删除事件时,释放为所述第一业务数据流分配的安全标识。
- 一种数据传输的节点,其特征在于,包括:接收模块,用于接收控制器发送的第一指示消息,所述第一指示消息包括所述控制器为第一业务数据流分配的至少一个安全标识,所述节点为所述第一业务数据流的传输路径中的首节点;替换模块,用于根据所述接收模块接收的所述第一指示消息,利用所述至少一个安全标识中的第一安全标识替换处理第一数据包,获取携带所述第一安全标识的第二数据包,其中,所述第一数据包为所述第一业务数据流中的数据包;发送模块,用于向所述传输路径中的下一节点发送所述替换模块获取的所述第二数据包;所述发送模块还用于,向所述控制器发送已经发送的所述第二数据包的个数,以便于所述控制器确定所述第一业务数据流在传输过程中遭到网络攻击,并确定所述第一安全标识为受攻击安全标识;所述接收模块还用于,接收所述控制器发送的用于指示丢弃当前在所述传输路径中传输的携带所述受攻击安全标识的数据包的第二指示消息,并根据所述第二指示消息,丢弃当前在所述传输路径中传输的携带所述受攻击安全标识的数据包。
- 根据权利要求24所述的节点,其特征在于,所述第一业务数据流为报头压缩的数据流,所述控制器为所述第一业务数据流分配的所述至少一个安全标识包括两个或两个以上的安全标识,且所述第一安全标识为首用安全标识,其中,所述接收模块接收的所述第一指示消息具体用于指示所述首节点优先利用所述首用安全标识替换处理所述第一数据包;所述替换模块具体用于,优先利用所述第一安全标识替换处理第一数据包,获取携带所述第一安全标识的第二数据包。
- 根据权利要求24所述的节点,其特征在于,所述第一业务数据流为报头压缩的数据流,为所述第一业务数据流分配的所述至少一个安全标识包括两个或两个以上的安全标识,其中,所述接收模块接收的所述第一指示消息具体用于指示根据当前处理的第一数据包的大小,从所述至少一个安全标识中选择所述第一安全标识;所述替换模块具体用于,根据当前处理的第一数据包的大小,从所述至少一个安全标识中选择所述第一安全标识,并利用所述第一安全标识替换处理所述第一数据包,获取携带所述第一安全标识的第二数据包。
- 根据权利要求24至26中任一项所述的节点,其特征在于,所述第一指示消息还用于指示所述节点,利用同一个安全标识替换处理所述第一数据包的数量不超过预设阈值。
- 根据权利要求24至27中任一项所述的节点,其特征在于,所述替换模块还用于,在所述接收模块接收到所述第二指示消息后,不再利用所述第一安全标识替换处理所述第一业务数据流中的数据包。
- 根据权利要求24至28中任一项所述的节点,其特征在于,所述节点为第二业务数据流的传输路径中的中间节点,所述节点还包括:转发模块,用于根据所述控制器发送的第三指示消息,将接收到的携带第二安全标识的数据包转发至所述第二业务数据流的传输路径中的下一节点,其中第二安全标识为所述控制器为所述第二业务数据流分配的安全标识,所述携带第二安全标识的数据包为所述第二业务数据流的传输路径中的首节点对所述第二业务数据流的数据包进行替换处理后得到的。
- 根据权利要求24至29中任一项所述的节点,其特征在于,所述节点为第三业务数据流的传输路径中的末节点,所述节点还包括:还原模块,用于根据所述控制器发送的第四指示消息,将接收到的携带 第三安全标识的数据包还原处理为对应的所述第三业务数据流的数据包,其中第三安全标识为所述控制器为所述第三业务数据流分配的安全标识,所述携带第三安全标识的数据包为所述第三业务数据流的传输路径中的首节点对所述第三业务数据流的数据包进行替换处理后得到的;所述发送模块还用于,向所述控制器发送接收到的携带所述第三安全标识的数据包的个数,以便于所述控制器确定所述第三业务数据流在传输过程中遭到网络攻击。
- 一种数据传输的系统,其特征在于,包括:如上述权利要求16至23中任一项所述的控制器和上述权利要求24至30中任一项所述的节点。
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201580029316.6A CN107005538B (zh) | 2015-10-16 | 2015-10-16 | 数据传输的方法、装置和系统 |
PCT/CN2015/092131 WO2017063198A1 (zh) | 2015-10-16 | 2015-10-16 | 数据传输的方法、装置和系统 |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2015/092131 WO2017063198A1 (zh) | 2015-10-16 | 2015-10-16 | 数据传输的方法、装置和系统 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2017063198A1 true WO2017063198A1 (zh) | 2017-04-20 |
Family
ID=58517044
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2015/092131 WO2017063198A1 (zh) | 2015-10-16 | 2015-10-16 | 数据传输的方法、装置和系统 |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN107005538B (zh) |
WO (1) | WO2017063198A1 (zh) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113395247A (zh) * | 2020-03-11 | 2021-09-14 | 华为技术有限公司 | 一种防止对SRv6 HMAC校验进行重放攻击的方法和设备 |
CN114189565A (zh) * | 2020-08-31 | 2022-03-15 | 华为技术有限公司 | 一种头域还原系统、方法及相关设备 |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114499962B (zh) * | 2021-12-24 | 2023-09-08 | 深圳开源互联网安全技术有限公司 | 文件检测方法、装置、计算机设备和存储介质 |
CN115174446B (zh) * | 2022-07-21 | 2023-11-03 | 天翼云科技有限公司 | 一种网络流量统计的方法、装置及电子设备 |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101453389A (zh) * | 2008-11-19 | 2009-06-10 | 中国网络通信集团公司 | 流量监测方法及系统 |
CN102801727A (zh) * | 2012-08-13 | 2012-11-28 | 常州大学 | 一种基于自治域系统的DDoS攻击追踪方法 |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102457489B (zh) * | 2010-10-26 | 2015-11-25 | 中国民航大学 | Low-rate DoS(LDoS)攻击、检测和防御模块 |
US8832831B2 (en) * | 2012-03-21 | 2014-09-09 | Radware, Ltd. | Method and system for detecting and mitigating attacks performed using cryptographic protocols |
CN103701795B (zh) * | 2013-12-20 | 2017-11-24 | 北京奇安信科技有限公司 | 拒绝服务攻击的攻击源的识别方法和装置 |
CN104967588B (zh) * | 2014-05-26 | 2017-02-15 | 腾讯科技(深圳)有限公司 | 分布式拒绝服务DDoS攻击的防护方法及其装置和系统 |
-
2015
- 2015-10-16 WO PCT/CN2015/092131 patent/WO2017063198A1/zh active Application Filing
- 2015-10-16 CN CN201580029316.6A patent/CN107005538B/zh active Active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101453389A (zh) * | 2008-11-19 | 2009-06-10 | 中国网络通信集团公司 | 流量监测方法及系统 |
CN102801727A (zh) * | 2012-08-13 | 2012-11-28 | 常州大学 | 一种基于自治域系统的DDoS攻击追踪方法 |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113395247A (zh) * | 2020-03-11 | 2021-09-14 | 华为技术有限公司 | 一种防止对SRv6 HMAC校验进行重放攻击的方法和设备 |
CN114189565A (zh) * | 2020-08-31 | 2022-03-15 | 华为技术有限公司 | 一种头域还原系统、方法及相关设备 |
CN114189565B (zh) * | 2020-08-31 | 2023-10-20 | 华为技术有限公司 | 一种头域还原系统、方法及相关设备 |
Also Published As
Publication number | Publication date |
---|---|
CN107005538B (zh) | 2020-06-30 |
CN107005538A (zh) | 2017-08-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109391560B (zh) | 网络拥塞的通告方法、代理节点及计算机设备 | |
JP7029471B2 (ja) | アップリンクデータ解凍、圧縮方法および装置 | |
US9232433B2 (en) | Dynamic coding for network traffic by fog computing node | |
EP2944056B1 (en) | Distributed traffic inspection in a telecommunications network | |
US8953631B2 (en) | Interruption, at least in part, of frame transmission | |
JP2018500842A (ja) | ビットフォワーディングイングレスルータ、ビットフォワーディングルータ及び運用管理保守テスト方法 | |
CN102148768B (zh) | 报文转发方法和报文转发设备 | |
US9565162B2 (en) | One-way transmission and reception with delayed TCP ACK message and monitoring for UDP and TCP frames | |
WO2020063339A1 (zh) | 一种实现数据传输的方法、装置和系统 | |
US20190238461A1 (en) | Systems and methods for identifying candidate flows in data packet networks | |
WO2017063198A1 (zh) | 数据传输的方法、装置和系统 | |
WO2020001204A1 (zh) | 一种链路备份的方法、装置及计算机可读存储介质 | |
WO2018113425A1 (zh) | 一种检测时延的方法、装置及系统 | |
US20160112502A1 (en) | Distributed computing based on deep packet inspection by network devices along network path to computing device | |
EP3116160B1 (en) | Oam packet processing method, network device and network system | |
CN108521371B (zh) | 报文转发方法及装置 | |
CN107222427A (zh) | 一种报文处理的方法及相关设备 | |
WO2021128927A1 (zh) | 报文的处理方法及装置、存储介质和电子装置 | |
US10797986B2 (en) | Link discovery method and apparatus | |
WO2017173880A1 (zh) | 降低传输丢包率的方法和装置 | |
WO2016197689A1 (zh) | 处理报文的方法、装置和系统 | |
US20140092725A1 (en) | Method and first network node for managing an ethernet network | |
CN105763375B (zh) | 一种数据包发送方法、接收方法及微波站 | |
US9083617B2 (en) | Reducing latency of at least one stream that is associated with at least one bandwidth reservation | |
JP7123194B2 (ja) | データ送信方法、送信デバイス、データ受信方法、および受信デバイス |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 15906081 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 15906081 Country of ref document: EP Kind code of ref document: A1 |