WO2020083272A1 - Method and system for generating a processing strategy, and information storage medium - Google Patents
Method and system for generating a processing strategy, and information storage medium
- Publication number: WO2020083272A1 (PCT/CN2019/112477)
- Authority: WO (WIPO (PCT))
- Prior art keywords: network, network node, attack, statistical information, rate
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/40—Network security protocols
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security > H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security > H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1441—Countermeasures against malicious traffic
Definitions
- an information sending apparatus including: an acquiring module for acquiring statistical information of each network node in a network; and a sending module for indicating in the statistical information
- the statistical information is sent to the controller, and the designated network node meeting the preset condition is used to indicate that there is an attack packet in the network
- the statistical information is used to instruct the controller to generate a processing strategy for attack packets in the network according to the statistical information and the network topology information of the network, and the processing strategy is used for the network
- the source network node of the attack packet is subjected to rate limiting processing.
- FIG. 5 is a schematic diagram of module deployment according to an embodiment of the present disclosure.
- FIG. 9 is an interaction diagram of a controller receiving module and a policy generating module according to an embodiment of the present disclosure.
- rate limiting processing of the source network node of the attack packet in the network includes: setting a rate-limit ratio according to the CPU usage of the network node and the sending and receiving rate of the attack packets contained in the statistical information, and rate-limiting the attack packets according to that rate-limit ratio.
- the apparatus includes: a receiving module 22 for receiving, when a specified network node in the network meets a preset condition, the statistical information sent by the network nodes in the network; and a generating module 24 for generating a processing strategy, where the processing strategy is used to perform rate limiting processing on the source network node of the attack packet in the network.
- receiving module 22 and generating module 24 receive statistical information sent by a network node in the network when the specified network node in the network meets the preset condition, where the specified network node meeting the preset condition indicates that there are attack packets in the network; based on the statistical information and the network topology information of the network, they generate a processing strategy for the attack packets and perform rate limiting processing on the source network nodes of the attack packets in the network. This addresses the problem in the related art that, when the network is attacked by packets, the attack packets can only be discarded, a single way of handling them that lacks flexibility, and achieves the effect of flexibly processing the attack packets.
- the preset condition includes: whether the utilization rate of the central processing unit (CPU) included in the statistical information exceeds a preset threshold value, where, when the utilization rate exceeds the preset threshold value, it is determined that the designated network node meets the preset condition.
- the data statistics module 52 and the controller receiving module 54 constitute a device monitoring system
- the strategy generation module 56 and the strategy execution module 58 constitute a rate-limiting anti-attack processing system.
- the strategy calculation sub-module 563 generates a corresponding scheme based on the statistical information. If the rate-limit condition is met, the correspondence table generated by the controller receiving module is sorted and compared by port and VLAN to determine the characteristics of the packets that require rate limiting; limiting can be applied per port or per VLAN, and sending and receiving can be limited separately. If the recovery condition is met, a corresponding recovery plan is generated from the rate-limit plan.
- the strategy generation sub-module 564 generates a corresponding strategy according to the calculation result of the strategy calculation sub-module 563, and sets different rate-limiting weights for the packets that need to be rate-limited according to the CPU usage and the measured packet sending/receiving rate, for example 90%, 80% or 70% of the current sending/receiving rate; for recovery processing, in order to prevent an instantaneous increase in traffic from impacting the CPU, a slow recovery strategy can be adopted, such as restoring the rate step by step at a fixed increment based on the current rate, for example in 10% steps.
- the above "setting different rate-limit weights for packets that require rate limiting" may mean setting different rate-limit weights for one type of packet under different circumstances, or setting different rate-limit weights for different types of high-rate packets.
- FIG. 10 is a flowchart of a policy execution module based on an embodiment of the present disclosure.
- the policy execution module encapsulates the information generated by the policy into a PKT OUT message and sends the PKT OUT message to the corresponding node device.
- the corresponding network element, that is, the corresponding node device, receives the PKT OUT message, parses it to obtain the corresponding flow table, and then sends the corresponding access control list (ACL) to its driver to control the rate of packet transmission.
- ACL: Access Control List
- the method for controlling the rate of sending and receiving messages is not limited to this.
- the above storage medium may include, but is not limited to: a USB flash drive, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other media that can store computer programs.
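As an added illustration (not the patent's own code) of the policy the definitions above describe: a small Python controller that treats CPU usage above a threshold as the preset condition, picks the source node from a neighbour map standing in for the topology information, applies the 90/80/70% weight ladder to send and receive rates separately, and derives a 10%-per-step recovery plan. The threshold value, the neighbour-map topology, the weight cut points and the sample statistics are assumptions.

```python
from dataclasses import dataclass

CPU_THRESHOLD = 80.0   # assumed preset condition: CPU usage above this means an attack is present
RECOVERY_STEP = 0.10   # slow recovery: restore 10% of the original rate per step, as in the text

@dataclass
class NodeStats:
    node: str
    port: str
    vlan: int
    cpu: float      # CPU usage in percent
    tx_pps: float   # attack-packet send rate reported by the node
    rx_pps: float   # attack-packet receive rate reported by the node

def rate_limit_weight(cpu):
    """Fraction of the current rate still allowed (the 90/80/70% ladder; cut points assumed)."""
    if cpu > 95: return 0.70
    if cpu > 90: return 0.80
    return 0.90

def generate_policy(stats, topology):
    """One rule per overloaded node, keyed by port/VLAN of the neighbour sending most attack traffic."""
    by_node = {s.node: s for s in stats}
    rules = {}
    for victim in (s for s in stats if s.cpu > CPU_THRESHOLD):   # preset condition: attack present
        senders = [by_node[n] for n in topology.get(victim.node, []) if n in by_node]
        if not senders:
            continue
        src = max(senders, key=lambda s: s.tx_pps)
        w = rate_limit_weight(victim.cpu)
        rules[(src.node, src.port, src.vlan)] = {   # send and receive are limited separately
            "weight": w,
            "tx_limit_pps": round(src.tx_pps * w),
            "rx_limit_pps": round(src.rx_pps * w),
        }
    return rules

def recovery_steps(limited_pps, original_pps):
    """Recovery plan: raise the limit 10% of the original rate per step instead of all at once."""
    steps, cur = [], limited_pps
    while cur < original_pps:
        cur = min(original_pps, cur + RECOVERY_STEP * original_pps)
        steps.append(round(cur))
    return steps

# Constructed sample: B is overloaded, A is its upstream neighbour and sends the attack traffic.
SAMPLE_STATS = [NodeStats("A", "ge-0/0/1", 10, cpu=35.0, tx_pps=5000, rx_pps=200),
                NodeStats("B", "ge-0/0/2", 10, cpu=97.0, tx_pps=100, rx_pps=5300)]
SAMPLE_TOPOLOGY = {"B": ["A"], "A": ["B"]}
```

The rule for port `ge-0/0/1`, VLAN 10 on node A would be what the policy execution module carries in a PKT OUT message; `recovery_steps(3500, 5000)` gives the staged restore once B's CPU has dropped back.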
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to a processing strategy generation method and system, and an information storage medium. The processing strategy generation method consists of: receiving, when a specified network node in a network satisfies a preset condition, statistical information sent by a network node in the network, the specified network node satisfying the preset condition indicating that an attack packet exists in the network; and generating a processing strategy for the attack packet in the network according to the statistical information and the network topology information of the network, the processing strategy being used to perform rate-limiting processing on a source network node of the attack packet in the network.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811236591.7A CN111092840B (zh) | 2018-10-23 | 2018-10-23 | Processing strategy generation method, system and storage medium |
CN201811236591.7 | 2018-10-23 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020083272A1 true WO2020083272A1 (fr) | 2020-04-30 |
Family
ID=70330833
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/112477 WO2020083272A1 (fr) | 2018-10-23 | 2019-10-22 | Procédé et système de génération de stratégie de traitement, et support d'informations |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN111092840B (fr) |
WO (1) | WO2020083272A1 (fr) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113285918A (zh) * | 2021-04-08 | 2021-08-20 | 锐捷网络股份有限公司 | Method and apparatus for establishing ACL filter entries against network attacks |
CN113904835A (zh) * | 2021-09-30 | 2022-01-07 | 新华三信息安全技术有限公司 | Anti-attack method and apparatus for packets sent to the CPU |
WO2023273843A1 (fr) * | 2021-06-28 | 2023-01-05 | 中兴通讯股份有限公司 | Security and defense method and apparatus, device and storage medium |
CN116339288A (zh) * | 2023-04-24 | 2023-06-27 | 华能淮阴第二发电有限公司 | DCS industrial control system simulation range testing method and apparatus |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114268592A (zh) * | 2020-09-15 | 2022-04-01 | 华为技术有限公司 | Packet processing method, system and device |
CN112437077A (zh) * | 2020-11-19 | 2021-03-02 | 迈普通信技术股份有限公司 | Third-party ARP attack and anomaly handling method, VRRP network and system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2010145181A1 (fr) * | 2009-10-10 | 2010-12-23 | 中兴通讯股份有限公司 | Method for defending against a network attack, service control node and associated access node |
CN105939339A (zh) * | 2016-03-22 | 2016-09-14 | 杭州迪普科技有限公司 | Method and apparatus for protecting against attack protocol packet flows |
CN107800711A (zh) * | 2017-06-16 | 2018-03-13 | 南京航空航天大学 | Method for an OpenFlow controller to resist DDoS attacks |
CN108429731A (zh) * | 2018-01-22 | 2018-08-21 | 新华三技术有限公司 | Anti-attack method, apparatus and electronic device |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9306840B2 (en) * | 2012-09-26 | 2016-04-05 | Alcatel Lucent | Securing software defined networks via flow deflection |
CN104506531B (zh) * | 2014-12-19 | 2018-05-01 | 上海斐讯数据通信技术有限公司 | Security defense system and method against traffic attacks |
CN104539625B (zh) * | 2015-01-09 | 2017-11-14 | 江苏理工学院 | Software-defined network security defense system and working method thereof |
CN105871771A (zh) * | 2015-01-18 | 2016-08-17 | 吴正明 | SDN network architecture against DDoS network attacks |
Application Events
- 2018-10-23: CN CN201811236591.7A patent/CN111092840B/zh, active
- 2019-10-22: WO PCT/CN2019/112477 patent/WO2020083272A1/fr, application filing
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113285918A (zh) * | 2021-04-08 | 2021-08-20 | 锐捷网络股份有限公司 | Method and apparatus for establishing ACL filter entries against network attacks |
CN113285918B (zh) * | 2021-04-08 | 2023-10-24 | 锐捷网络股份有限公司 | Method and apparatus for establishing ACL filter entries against network attacks |
WO2023273843A1 (fr) * | 2021-06-28 | 2023-01-05 | 中兴通讯股份有限公司 | Security and defense method and apparatus, device and storage medium |
CN113904835A (zh) * | 2021-09-30 | 2022-01-07 | 新华三信息安全技术有限公司 | Anti-attack method and apparatus for packets sent to the CPU |
CN113904835B (zh) * | 2021-09-30 | 2023-10-24 | 新华三信息安全技术有限公司 | Anti-attack method and apparatus for packets sent to the CPU |
CN116339288A (zh) * | 2023-04-24 | 2023-06-27 | 华能淮阴第二发电有限公司 | DCS industrial control system simulation range testing method and apparatus |
CN116339288B (zh) * | 2023-04-24 | 2024-01-12 | 华能淮阴第二发电有限公司 | DCS industrial control system simulation range testing method and apparatus |
Also Published As
Publication number | Publication date |
---|---|
CN111092840B (zh) | 2022-06-21 |
CN111092840A (zh) | 2020-05-01 |
Similar Documents
Publication | Title |
---|---|
WO2020083272A1 (fr) | Method and system for generating a processing strategy, and information storage medium |
US11792046B2 (en) | Method for generating forwarding information, controller, and service forwarding entity |
US10498612B2 (en) | Multi-stage selective mirroring |
WO2021207922A1 (fr) | Packet transmission method, device and system |
US7522521B2 (en) | Route processor adjusting of line card admission control parameters for packets destined for the route processor |
EP2933954B1 (fr) | Method and apparatus for network anomaly notification |
US9276852B2 (en) | Communication system, forwarding node, received packet process method, and program |
US7639674B2 (en) | Internal load balancing in a data switch using distributed network processing |
US8443444B2 (en) | Mitigating low-rate denial-of-service attacks in packet-switched networks |
US8339971B2 (en) | Network protection via embedded controls |
US8693335B2 (en) | Method and apparatus for control plane CPU overload protection |
US8787160B2 (en) | Method, apparatus, and system for judging path congestion |
US9800479B2 (en) | Packet processing method, forwarder, packet processing device, and packet processing system |
US20220286409A1 (en) | Method and apparatus for configuring quality of service policy for service, and computing device |
US9577957B2 (en) | Facilitating congestion control in a network switch fabric based on group traffic rates |
Krishnan et al. | Mechanisms for optimizing link aggregation group (LAG) and equal-cost multipath (ECMP) component link utilization in networks |
US20230142425A1 (en) | Virtual dual queue core stateless active queue management (agm) for communication networks |
US9692704B2 (en) | Facilitating congestion control in a network switch fabric based on group and aggregate traffic rates |
CN114095448A (zh) | Method and device for processing congested flows |
US10749803B1 (en) | Enhanced congestion avoidance in network devices |
KR102048862B1 (ko) | Congestion control method and apparatus for a network device |
Ghanwani et al. | RFC 7424 (IETF, Informational; R. Krishnan, Brocade Communications; L. Yong) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19874853; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 06.09.2021) |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 19874853; Country of ref document: EP; Kind code of ref document: A1 |