WO2020083272A1 - Processing strategy generation method and system, and storage medium - Google Patents

Processing strategy generation method and system, and storage medium

Info

Publication number
WO2020083272A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
network node
attack
statistical information
rate
Prior art date
Application number
PCT/CN2019/112477
Other languages
English (en)
Chinese (zh)
Inventor
高腾
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2020083272A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Definitions

  • an information sending apparatus including: an acquiring module for acquiring statistical information of each network node in a network; a sending module for indicating in the statistical information
  • the statistical information is sent to the controller, where the designated network node meeting the preset condition is used to indicate that there is an attack packet in the network
  • the statistical information is used to instruct the controller to generate a processing strategy for attack packets in the network according to the statistical information and the network topology information of the network, and the processing strategy is used to perform rate limiting processing on the source network node of the attack packets in the network.
  • FIG. 5 is a schematic diagram of module deployment according to an embodiment of the present disclosure.
  • FIG. 9 is an interaction diagram of a controller receiving module and a policy generating module according to an embodiment of the present disclosure.
  • rate limiting processing of the source network node of the attack packets in the network includes: setting a rate-limit ratio according to the CPU usage of the network node in the statistical information and the sending and receiving rate of the attack packets, and rate-limiting the attack packets according to that ratio.
  • the apparatus includes: a receiving module 22 for receiving, when a specified network node in the network meets a preset condition, statistical information sent by the network nodes of the network; and a generating module 24 for generating a processing strategy, where the processing strategy is used to perform rate limiting processing on the source network node of the attack packets in the network.
  • receiving module 22 and generating module 24 receive statistical information sent by a network node in the network when the specified network node in the network meets the preset condition, where the specified network node meeting the preset condition is used to indicate that there are attack packets in the network; based on the statistical information and the network topology information of the network, they generate a processing strategy for the attack packets and perform rate limiting processing on the source network nodes of the attack packets in the network. This solves the problem in the related art that, when the network is attacked by packets, the attack packets can only be discarded in a single way, which lacks flexibility, and achieves the effect of flexibly processing the attack packets.
  • the preset condition includes: whether the utilization rate of the central processing unit (CPU) included in the statistical information exceeds a preset threshold value, wherein, when the utilization rate exceeds the preset threshold value, it is determined that the designated network node meets the preset condition.
  • the data statistics module 52 and the controller receiving module 54 constitute a device monitoring system
  • the strategy generation module 56 and the strategy execution module 58 constitute a speed limit anti-attack processing system.
  • the strategy calculation sub-module 563 generates a corresponding scheme based on the statistical information. If the rate-limit condition is met, the correspondence table generated by the controller receiving module is sorted and compared by port and VLAN to determine the characteristics of the packets that require rate limiting; limiting can be applied per port or per VLAN, and sending and receiving can be limited separately. If the recovery condition is met, a corresponding recovery plan is generated from the rate-limit plan.
  • the strategy generation sub-module 564 generates a corresponding strategy according to the calculation result of the strategy calculation sub-module 563, and sets different rate-limiting weights for the packets that need to be rate-limited according to the CPU usage and the statistical packet transceiving rate, such as 90%, 80% or 70% of the current transceiving rate; for recovery processing, in order to prevent an instantaneous increase of traffic from impacting the CPU, a slow recovery strategy can be adopted, such as restoring the rate step by step at a fixed ratio of the current rate, for example in 10% steps.
  • the above "setting different rate-limit weights for packets that require rate limiting" may mean setting different rate-limit weights for one type of packet under different circumstances, or setting different rate-limit weights for different types of high-rate packets.
  • FIG. 10 is a flowchart of a policy execution module based on an embodiment of the present disclosure.
  • the policy execution module encapsulates the information generated by the policy into a PKT OUT message, and sends the PKT OUT message to the corresponding node device.
  • the corresponding network element, that is, the node device, receives the PKT OUT message, parses it to obtain the corresponding flow table, and then delivers the corresponding access control list (ACL) to the device driver to control the packet sending and receiving rate.
  • the method for controlling the rate of sending and receiving messages is not limited to this.
  • the above storage medium may include, but is not limited to: USB flash drive, read-only memory (ROM), random access memory (RAM), removable hard disk, magnetic disk or optical disk, and other media that can store computer programs.
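The rate-limit calculation and slow-recovery logic sketched in the strategy calculation and strategy generation items above, as an added Python example that is not code from the patent: the 80% CPU threshold, the CPU bands that select the 90/80/70% weights, the port/VLAN keys and the sample statistics are assumed values.

```python
# Added example, not from the patent: per-port/VLAN rate-limit policy generation from
# node statistics, plus the slow (10%-per-step) recovery plan. Thresholds are assumed.
from dataclasses import dataclass

CPU_THRESHOLD_PCT = 80.0   # assumed preset condition: CPU usage above this means attack packets are present
RECOVERY_STEP = 0.10       # slow recovery: restore 10% of the original rate per step

@dataclass
class NodeStats:
    node: str      # values reported by the data statistics module
    port: str
    vlan: int
    cpu_pct: float
    rx_pps: int    # attack-packet receive rate
    tx_pps: int    # attack-packet send rate

def limit_ratio(cpu_pct: float) -> float:
    """Assumed CPU bands for the 90/80/70% rate-limit weights (fraction of the current rate kept)."""
    if cpu_pct >= 95.0:
        return 0.70
    if cpu_pct >= 90.0:
        return 0.80
    return 0.90

def generate_limit_policy(stats: list) -> list:
    """Strategy calculation and generation: select nodes whose CPU exceeds the preset threshold,
    sort them by attack rate (highest first) and emit one rx/tx limit entry per port and VLAN."""
    overloaded = [s for s in stats if s.cpu_pct > CPU_THRESHOLD_PCT]
    overloaded.sort(key=lambda s: (s.rx_pps + s.tx_pps, s.port, s.vlan), reverse=True)
    policy = []
    for s in overloaded:
        ratio = limit_ratio(s.cpu_pct)
        policy.append({"node": s.node, "port": s.port, "vlan": s.vlan,
                       "rx_limit_pps": round(s.rx_pps * ratio),  # send and receive limited separately
                       "tx_limit_pps": round(s.tx_pps * ratio)})
    return policy

def recovery_plan(current_pps: int, original_pps: int) -> list:
    """Recovery: raise the limit by 10% of the original rate per step until the original rate
    is restored, so traffic does not jump back in one burst and spike the CPU again."""
    step = max(1, round(original_pps * RECOVERY_STEP))
    plan, cur = [], current_pps
    while cur < original_pps:
        cur = min(cur + step, original_pps)
        plan.append(cur)
    return plan

SAMPLE_STATS = [  # constructed sample: node A overloaded by attack traffic, node B healthy
    NodeStats("A", "ge-0/1", 10, 92.0, 10000, 2000),
    NodeStats("B", "ge-0/2", 20, 40.0, 500, 500)]
```

Each policy entry is the information the strategy execution module would encapsulate into a PKT OUT message for the node device; the recovery plan is applied one step at a time as the CPU stays below the threshold.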

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a processing strategy generation method and system and a storage medium. The processing strategy generation method comprises: receiving, when a specified network node in a network meets a preset condition, statistical information sent by a network node in the network, the specified network node meeting the preset condition indicating that there is an attack packet in the network; and generating a processing strategy for the attack packet in the network according to the statistical information and the network topology information of the network, the processing strategy being used to perform rate limiting processing on a source network node of the attack packet in the network.
PCT/CN2019/112477 2018-10-23 2019-10-22 Processing strategy generation method and system, and storage medium WO2020083272A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811236591.7A CN111092840B (zh) 2018-10-23 2018-10-23 Processing strategy generation method, system and storage medium
CN201811236591.7 2018-10-23

Publications (1)

Publication Number Publication Date
WO2020083272A1 true WO2020083272A1 (fr) 2020-04-30

Family

ID=70330833

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/112477 WO2020083272A1 (fr) 2018-10-23 2019-10-22 Processing strategy generation method and system, and storage medium

Country Status (2)

Country Link
CN (1) CN111092840B (fr)
WO (1) WO2020083272A1 (fr)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113285918A (zh) * 2021-04-08 2021-08-20 锐捷网络股份有限公司 Method and apparatus for establishing ACL filter entries against network attacks
CN113904835A (zh) * 2021-09-30 2022-01-07 新华三信息安全技术有限公司 Anti-attack method and apparatus for packets sent up to the CPU
WO2023273843A1 (fr) * 2021-06-28 2023-01-05 中兴通讯股份有限公司 Security and defense method and apparatus, device and storage medium
CN116339288A (zh) * 2023-04-24 2023-06-27 华能淮阴第二发电有限公司 DCS industrial control system simulation range test method and apparatus

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114268592A (zh) * 2020-09-15 2022-04-01 华为技术有限公司 Packet processing method, system and device
CN112437077A (zh) * 2020-11-19 2021-03-02 迈普通信技术股份有限公司 Third-party ARP attack and anomaly handling method, VRRP network and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010145181A1 (fr) * 2009-10-10 2010-12-23 中兴通讯股份有限公司 Method for defending against a network attack, service control node and associated access node
CN105939339A (zh) * 2016-03-22 2016-09-14 杭州迪普科技有限公司 Protection method and apparatus for attack protocol packet flows
CN107800711A (zh) * 2017-06-16 2018-03-13 南京航空航天大学 Method for an OpenFlow controller to resist DDoS attacks
CN108429731A (zh) * 2018-01-22 2018-08-21 新华三技术有限公司 Anti-attack method, apparatus and electronic device

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9306840B2 (en) * 2012-09-26 2016-04-05 Alcatel Lucent Securing software defined networks via flow deflection
CN104506531B (zh) * 2014-12-19 2018-05-01 上海斐讯数据通信技术有限公司 Security defense system and method against traffic attacks
CN104539625B (zh) * 2015-01-09 2017-11-14 江苏理工学院 Software-defined network security defense system and working method thereof
CN105871771A (zh) * 2015-01-18 2016-08-17 吴正明 SDN network architecture against DDoS network attacks

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113285918A (zh) * 2021-04-08 2021-08-20 锐捷网络股份有限公司 Method and apparatus for establishing ACL filter entries against network attacks
CN113285918B (zh) * 2021-04-08 2023-10-24 锐捷网络股份有限公司 Method and apparatus for establishing ACL filter entries against network attacks
WO2023273843A1 (fr) * 2021-06-28 2023-01-05 中兴通讯股份有限公司 Security and defense method and apparatus, device and storage medium
CN113904835A (zh) * 2021-09-30 2022-01-07 新华三信息安全技术有限公司 Anti-attack method and apparatus for packets sent up to the CPU
CN113904835B (zh) * 2021-09-30 2023-10-24 新华三信息安全技术有限公司 Anti-attack method and apparatus for packets sent up to the CPU
CN116339288A (zh) * 2023-04-24 2023-06-27 华能淮阴第二发电有限公司 DCS industrial control system simulation range test method and apparatus
CN116339288B (zh) * 2023-04-24 2024-01-12 华能淮阴第二发电有限公司 DCS industrial control system simulation range test method and apparatus

Also Published As

Publication number Publication date
CN111092840B (zh) 2022-06-21
CN111092840A (zh) 2020-05-01

Similar Documents

Publication Publication Date Title
WO2020083272A1 (fr) Processing strategy generation method and system, and storage medium
US11792046B2 (en) Method for generating forwarding information, controller, and service forwarding entity
US10498612B2 (en) Multi-stage selective mirroring
WO2021207922A1 (fr) Packet transmission method, device and system
US7522521B2 (en) Route processor adjusting of line card admission control parameters for packets destined for the route processor
EP2933954B1 (fr) Network anomaly notification method and apparatus
US9276852B2 (en) Communication system, forwarding node, received packet process method, and program
US7639674B2 (en) Internal load balancing in a data switch using distributed network processing
US8443444B2 (en) Mitigating low-rate denial-of-service attacks in packet-switched networks
US8339971B2 (en) Network protection via embedded controls
US8693335B2 (en) Method and apparatus for control plane CPU overload protection
US8787160B2 (en) Method, apparatus, and system for judging path congestion
US9800479B2 (en) Packet processing method, forwarder, packet processing device, and packet processing system
US20220286409A1 (en) Method and apparatus for configuring quality of service policy for service, and computing device
US9577957B2 (en) Facilitating congestion control in a network switch fabric based on group traffic rates
Krishnan et al. Mechanisms for optimizing link aggregation group (LAG) and equal-cost multipath (ECMP) component link utilization in networks
US20230142425A1 (en) Virtual dual queue core stateless active queue management (AQM) for communication networks
US9692704B2 (en) Facilitating congestion control in a network switch fabric based on group and aggregate traffic rates
CN114095448A (zh) Congestion flow processing method and device
US10749803B1 (en) Enhanced congestion avoidance in network devices
KR102048862B1 (ko) Congestion control method and apparatus for a network device
Krishnan, Yong, Ghanwani et al. RFC 7424 (IETF, Informational): Mechanisms for optimizing link aggregation group (LAG) and equal-cost multipath (ECMP) component link utilization in networks

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19874853

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 06.09.2021)

122 Ep: pct application non-entry in european phase

Ref document number: 19874853

Country of ref document: EP

Kind code of ref document: A1