WO2022033157A1 - Network attack defense method, and cp device and up device - Google Patents


Info

Publication number
WO2022033157A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
watermark
message
dial
control message
Prior art date
Application number
PCT/CN2021/099503
Other languages
French (fr)
Chinese (zh)
Inventor
余舟毅
花荣荣
彭涛
王晓凯
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2022033157A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Definitions

  • the present application relates to the field of communication technologies, and in particular, to a network attack defense method, a CP device, and a UP device.
  • CU separation refers to a network architecture in which the control plane (CP) and the user plane (UP) are decoupled.
  • CP control plane
  • UP user plane
  • the CP and UP are located on different hardware devices, or the CP and UP are located on the same hardware device and have separate functions.
  • the CU separation architecture has become the next step in the evolution of many communication systems, and has been recognized by mainstream manufacturers, operators and standards organizations.
  • the embodiments of the present application provide a network attack defense method, a CP device, and a UP device, which help to ensure the security of the CP device.
  • the technical solution is as follows:
  • a method for defending against network attacks is provided.
  • the method is applied in a communication system in which the CP and UP are separated.
  • the method is described from the perspective of the CP device.
  • in response to the receiving rate of dial-up messages meeting an abnormal condition, the CP device generates a first control message, and the first control message is used to instruct the UP device to carry a watermark when sending a dial-up message to the CP device;
  • the CP device sends the first control message to the UP device;
  • the CP device identifies the attack packet in the packet flow according to the watermark; the CP device discards the attack packet.
  • when the CP device finds that the receiving rate of dial-up packets is abnormal, it considers that it is under a network attack. In this case, the CP device generates and delivers a control message to the UP device, and through that control message notifies the UP device to carry the watermark when sending dial-up packets, which realizes the function of the CP controlling the UP to turn the watermark on. Since it is difficult for an attacker to learn the watermark negotiated between the CP device and the UP device, the attacker cannot construct an attack packet containing the watermark. Therefore, when the CP device receives a packet stream, it can determine whether a packet is an attack packet according to whether the packet contains the watermark,
  • and discard the attack packet. Since attack packets are discarded by the CP device, processing them does not consume the processing resources of the CP device. It can be seen that this method can effectively resist network attacks and ensure the security of the CP device.
  • the watermark includes a first virtual extensible local area network identifier (VXLAN network identifier, VNI), the packet stream includes a first packet, and the CP device identifying the attack packet in the packet stream according to the watermark includes: the CP device determines that the first packet is a non-attack packet according to the first packet including the first VNI.
  • the CP device's determination of the attack packet according to the first VNI can reuse the Virtual Extensible Local Area Network (VXLAN) forwarding process, which already verifies the VNI in received VXLAN packets.
  • VXLAN Virtual Extensible Local Area Network
  • the watermark includes a first random number
  • the packet stream includes a second packet
  • the CP device identifying the attack packet in the packet stream according to the watermark includes: the CP device determines that the second packet is a non-attack packet according to the second packet including the first random number.
  • the CP device can effectively distinguish whether a packet is an attack packet sent by an attacker or a non-attack packet (for example, a normal packet sent by the UP device) according to whether the packet contains the first random number, thereby effectively defending against network attacks.
  • the watermark includes a first timestamp, the first timestamp is used to indicate a time point of synchronization between the CP device and the UP device, and the packet flow includes a third packet.
  • the CP device can effectively distinguish whether a packet is an attack packet sent by an attacker or a non-attack packet (for example, a normal packet sent by the UP device) according to whether the packet contains the first timestamp, thereby effectively defending against network attacks.
  • the time synchronization mechanism between the CP device and the UP device can be reused, thereby reducing the implementation complexity.
  • the watermark includes a first message authentication code
  • the packet stream includes a fourth packet
  • the CP device identifying the attack packet in the packet stream according to the watermark includes: the CP device determines that the fourth packet is a non-attack packet according to the fourth packet including the first message authentication code.
  • the CP device and the UP device use the message authentication code as the watermark for verifying the message; since the message authentication code is obtained through a hash operation, its security is high and it is difficult to forge, so the ability to resist network attacks is strong.
  • the first control message includes the watermark; or, the first control message includes watermark type information corresponding to the watermark; or, the first control message includes parameters related to generating the watermark.
  • the first control message is a control plane and user plane separated protocol (control plane and user plane separated protocol, CUSP) message
  • the CUSP message includes a watermark type length value (type length value, TLV)
  • the watermark TLV is a TLV carrying the watermark or the parameter.
  • the CP device issues the watermark to the UP device through CUSP
  • the CP device and the UP device can reuse the existing architecture for CUSP communication, thereby improving the usability of the technical solution.
  • the first control message is a Packet Forwarding Control Protocol (Packet Forwarding Control Protocol, PFCP) message
  • the PFCP message includes a watermark information element (information element, IE)
  • the watermark IE is an IE carrying the watermark or the parameter.
  • the CP device issues the watermark to the UP device through PFCP
  • the CP device and the UP device can reuse the existing architecture for PFCP communication, thereby improving the usability of the technical solution.
  • the first control message is a PFCP node message; or, the first control message is a PFCP session message.
  • the packet stream includes a fifth packet
  • the CP device identifying the attack packet in the packet stream according to the watermark includes: the CP device determines that the fifth packet is an attack packet according to the fifth packet not including the watermark.
  • the method further includes:
  • in response to the receiving rate of dial-up messages meeting a normal condition, the CP device generates a second control message, and the second control message is used to instruct the UP device to cancel carrying the watermark when sending dial-up messages to the CP device;
  • the CP device sends the second control message to the UP device.
  • the CP device confirms that the network attack has stopped when it finds that the receiving rate of dial-up packets is normal. In this case, the CP device generates and sends a control message to the UP device, and through that control message notifies the UP device to cancel carrying the watermark when sending dial-up messages, thus supporting the function of the CP controlling the UP to turn the watermark off.
  • the communication system is a broadband network gateway (broadband network gateway, BNG) system or a broadband remote access server (virtual broadband remote access server, BRAS) system.
  • BNG broadband network gateway
  • BRAS broadband remote access server
  • a network attack defense method is provided.
  • the method is applied in a communication system in which the CP and the UP are separated.
  • the method is described from the perspective of the UP device.
  • the UP device receives a first control message from the CP device, where the first control message is used to instruct the UP device to carry a watermark when sending a dial-up message to the CP device;
  • the UP device carries the watermark in the dial-up message according to the first control message;
  • the UP device sends a dial-up message including the watermark to the CP device.
  • when the UP device receives the control message sent by the CP device, it carries the watermark in the dial-up message and sends the dial-up message containing the watermark to the CP device. This helps the CP device, according to whether a packet contains the watermark, to effectively distinguish whether the packet is an attack packet sent by an attacker or a normal packet sent by the UP device, and then discard the attack packet. It can be seen that this method can effectively resist network attacks and ensure the security of the CP device.
  • the watermark includes a first virtual extended local area network identifier VNI.
  • the watermark includes a first random number.
  • the watermark includes a first timestamp.
  • the watermark includes a first message authentication code.
  • the first control message includes the watermark; or, the first control message includes watermark type information corresponding to the watermark; or, the first control message includes parameters related to generating the watermark.
  • the first control message is a control and forwarding separation protocol CUSP message
  • the CUSP message includes a watermark type length value TLV
  • the watermark TLV is a TLV carrying the watermark or the parameter.
  • the first control message is a packet forwarding control protocol PFCP message
  • the PFCP message includes a watermark information element IE
  • the watermark IE is an IE that carries the watermark or the parameter.
  • the first control message is a PFCP node message; or, the first control message is a PFCP session message.
  • the communication system is a broadband network gateway BNG system or a broadband remote access server BRAS system.
  • the method further includes:
  • the UP device receives a second control message from the CP device, where the second control message is used to instruct the UP device to cancel carrying a watermark when sending a dial-up message to the CP device;
  • the UP device sends, according to the second control message, a dial-up message that does not include a watermark to the CP device.
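The CP-side method (rate check, first and second control message, watermark verification and discard) and the UP-side method (carrying the watermark while instructed, dropping it on cancellation) modelled end to end in one added example; this is illustrative code written for this page, not the patent's or any vendor's implementation. It uses the message authentication code watermark, with the key delivered as the "parameter related to generating the watermark" inside a TLV-style control message; the rate thresholds, the TLV type code and the key length are constructed placeholders.

```python
"""Model of the CP/UP watermark negotiation (added example, not patent code).

The CP device reacts to an abnormal dial-up receive rate by sending a control
message whose watermark TLV carries a MAC key, verifies the MAC on each
dial-up packet while the watermark is on, and cancels it once the rate is
normal. Thresholds, TLV type code and key length are constructed placeholders.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ABNORMAL_PPS = 1000          # constructed: dial-up packets/s treated as an attack
NORMAL_PPS = 100             # constructed: rate at which the watermark is cancelled
WATERMARK_TLV_TYPE = 0x7FFF  # placeholder type code, not a real CUSP/PFCP value
WM_ENABLE, WM_CANCEL = 1, 0  # first control message / second control message


def encode_control(enable: int, key: bytes = b"") -> bytes:
    """Build the control message as a single TLV: type, length, value."""
    value = bytes([enable]) + key
    return struct.pack("!HH", WATERMARK_TLV_TYPE, len(value)) + value


def decode_control(msg: bytes) -> Tuple[int, bytes]:
    """Parse the TLV; raise on a malformed or unknown control message."""
    tlv_type, length = struct.unpack("!HH", msg[:4])
    value = msg[4:4 + length]
    if tlv_type != WATERMARK_TLV_TYPE or len(value) != length or length < 1:
        raise ValueError("bad watermark TLV")
    return value[0], value[1:]


@dataclass
class DialUpPacket:
    payload: bytes                     # e.g. the PADI or DHCP discover bytes
    watermark: Optional[bytes] = None  # MAC over the payload, or absent


class UPDevice:
    """UP side: carries the watermark only while the CP has enabled it."""

    def __init__(self) -> None:
        self.key: Optional[bytes] = None

    def handle_control(self, msg: bytes) -> None:
        enable, key = decode_control(msg)
        self.key = key if enable == WM_ENABLE else None

    def send_dialup(self, payload: bytes) -> DialUpPacket:
        if self.key is None:
            return DialUpPacket(payload)
        tag = hmac.new(self.key, payload, hashlib.sha256).digest()
        return DialUpPacket(payload, tag)


class CPDevice:
    """CP side: rate check, control message generation, watermark check."""

    def __init__(self) -> None:
        self.key: Optional[bytes] = None
        self.dropped = 0

    def check_rate(self, pps: int) -> Optional[bytes]:
        """Return a control message to send to the UP device, if any."""
        if self.key is None and pps >= ABNORMAL_PPS:
            self.key = secrets.token_bytes(32)   # fresh key per attack episode
            return encode_control(WM_ENABLE, self.key)
        if self.key is not None and pps <= NORMAL_PPS:
            self.key = None
            return encode_control(WM_CANCEL)
        return None

    def receive(self, pkt: DialUpPacket) -> bool:
        """True if the packet is processed, False if discarded as an attack."""
        if self.key is None:
            return True                          # watermark not enabled
        if pkt.watermark is not None:
            expected = hmac.new(self.key, pkt.payload, hashlib.sha256).digest()
            if hmac.compare_digest(expected, pkt.watermark):
                return True
        self.dropped += 1                        # missing or wrong watermark
        return False


def simulate() -> List[bool]:
    """Walk through one attack episode; returns the per-packet verdicts."""
    cp, up = CPDevice(), UPDevice()
    verdicts = [cp.receive(up.send_dialup(b"PADI user-a"))]   # normal phase
    assert cp.check_rate(50) is None
    msg = cp.check_rate(5000)                  # abnormal rate: enable watermark
    up.handle_control(msg)
    verdicts.append(cp.receive(up.send_dialup(b"PADI user-b")))   # genuine UP packet
    verdicts.append(cp.receive(DialUpPacket(b"PADI user-b")))    # no watermark
    verdicts.append(cp.receive(DialUpPacket(b"PADI user-b", bytes(32))))  # wrong watermark
    up.handle_control(cp.check_rate(10))       # back to normal: cancel watermark
    verdicts.append(cp.receive(up.send_dialup(b"PADI user-c")))   # plain again
    return verdicts
```

The two packets that arrive during the episode without a valid watermark are the fifth-packet case of the claims: the CP device discards them without spending processing resources on them.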
  • in a third aspect, a CP device is provided, and the CP device has a function corresponding to the first aspect or any optional manner of the first aspect.
  • the CP device includes at least one unit, and the at least one unit is configured to implement the method provided in the first aspect or any optional manner of the first aspect.
  • the units in the CP device are implemented in software, and the units in the CP device are program modules. In another example, the units in the CP device are implemented by hardware or firmware.
  • in a fourth aspect, a UP device is provided, and the UP device has a function corresponding to the second aspect or any optional manner of the second aspect.
  • the UP device includes at least one unit, and the at least one unit is configured to implement the method provided in the second aspect or any optional manner of the second aspect.
  • the units in the UP device are implemented in software, and the units in the UP device are program modules. In another example, the units in the UP device are implemented by hardware or firmware.
  • a fifth aspect provides a CP device, the CP device includes a processor and a communication interface, and the processor is used to execute an instruction, so that the CP device executes the above-mentioned first aspect or any optional manner of the first aspect.
  • the communication interface is used for receiving or sending a message.
  • in a sixth aspect, a UP device is provided, where the UP device includes a processor and a communication interface, and the processor is configured to execute an instruction, so that the UP device executes the above-mentioned second aspect or any optional manner of the second aspect.
  • the communication interface is used for receiving or sending a message.
  • a computer-readable storage medium is provided, where at least one instruction is stored in the storage medium, and the instruction is read by a processor to cause the CP device to execute the method provided in the first aspect or any optional manner of the first aspect.
  • a computer-readable storage medium is provided, where at least one instruction is stored in the storage medium, and the instruction is read by a processor to cause the UP device to execute the method provided in the second aspect or any optional manner of the second aspect.
  • a computer program product comprising computer instructions stored in a computer-readable storage medium.
  • the processor of the CP device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the CP device performs the method provided in the first aspect or any optional manner of the first aspect.
  • a computer program product comprising computer instructions stored in a computer-readable storage medium.
  • the processor of the UP device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the UP device performs the method provided in the second aspect or any optional manner of the second aspect.
  • a chip is provided; when the chip runs on a CP device, the CP device is made to execute the method provided in the first aspect or any optional manner of the first aspect.
  • a twelfth aspect provides a chip that, when the chip runs on a UP device, enables the UP device to perform the method provided in the second aspect or any optional manner of the second aspect.
  • a thirteenth aspect provides a CP device, where the CP device includes: a main control board and an interface board, and further, may also include a switching network board.
  • the CP device is configured to execute the method in the first aspect or any possible implementation manner of the first aspect.
  • the CP device includes a unit for executing the method in the first aspect or any possible implementation manner of the first aspect.
  • a fourteenth aspect provides a UP device, where the UP device includes: a main control board and an interface board, and further, may also include a switching network board.
  • the UP device is configured to perform the method of the second aspect or any possible implementation of the second aspect.
  • the UP device includes means for performing the method in the second aspect or any possible implementation of the second aspect.
  • a fifteenth aspect provides a communication system in which CP and UP are separated, and the communication system includes a CP device and a UP device.
  • the communication system includes the CP device provided in any one of the third aspect, the fifth aspect, and the thirteenth aspect, and the UP device provided in any one of the fourth aspect, the sixth aspect, and the fourteenth aspect.
  • FIG. 1 is a schematic diagram of the architecture of a CU separation system provided by an embodiment of the present application.
  • FIG. 2 is a schematic diagram of the working principle of a BNG system with CU separation provided by an embodiment of the present application.
  • FIG. 3 is a schematic structural diagram of a communication system provided by an embodiment of the present application.
  • FIG. 4 is a functional architecture diagram inside a CP device provided by an embodiment of the present application.
  • FIG. 5 is a flowchart of a method for defending against a network attack provided by an embodiment of the present application.
  • FIG. 6 is a schematic diagram of a CP device and a UP device defending against network attacks according to an embodiment of the present application.
  • FIG. 7 is a schematic diagram of the format of a dial-up message including a watermark provided by an embodiment of the present application.
  • FIG. 8 is a schematic diagram of the format of a dial-up message including a watermark provided by an embodiment of the present application.
  • FIG. 9 is a schematic diagram of the format of a dial-up message including a watermark provided by an embodiment of the present application.
  • FIG. 10 is a schematic diagram of the format of a dial-up message including a watermark provided by an embodiment of the present application.
  • FIG. 11 is a schematic structural diagram of a CP device 400 provided by an embodiment of the present application.
  • FIG. 12 is a schematic structural diagram of a UP device 500 provided by an embodiment of the present application.
  • FIG. 13 is a schematic structural diagram of a device 600 provided by an embodiment of the present application.
  • FIG. 14 is a schematic structural diagram of a device 700 provided by an embodiment of the present application.
  • FIG. 15 is a schematic structural diagram of a communication system 800 provided by an embodiment of the present application.
  • CU separation refers to the network architecture in which CP and UP are decoupled. CU separation includes, but is not limited to, implementation A and implementation B described below.
  • implementation A: the control plane and the forwarding plane are located on different hardware devices.
  • the CP device and the UP device are two separate and different devices.
  • the CP device and the UP device are distributed in different locations.
  • the CP device is located in the data center of the cloud, and the UP device is deployed in a suitable location in the network according to the requirements. In this way, the deployment of the control plane and the forwarding plane is more flexible.
  • implementation B: the control plane and the forwarding plane are located on the same hardware device and have separate functions.
  • the physical entity of the CP device and the physical entity of the UP device are the same device.
  • the CP device and the UP device run in the same host, the same server or the same terminal.
  • both the CP device and the UP device are implemented through virtualization technology.
  • the CP device is called, for example, a virtual CP (virtual CP, vCP), and the UP device is called, for example, a virtual UP (virtual UP, vUP).
  • the CP device is a virtual machine
  • the UP device is a virtual router or virtual switch.
  • both the CP device and the UP device are implemented based on a general physical server combined with the NFV technology, and the CP device and the UP device are two different virtualized network functions (VNFs).
  • VNFs virtualized network functions
  • both the CP device and the UP device are network elements virtualized through the X86 server.
  • the CP device is implemented by a virtualization technology
  • the UP device is implemented by a traditional network device.
  • the UP device is called, for example, a physical UP (physical UP, pUP).
  • the CP device has a one-to-many relationship with the UP device, that is, one CP device is used to control multiple UP devices.
  • there is a one-to-one correspondence between CP devices and UP devices, that is, one CP device is used to control one UP device.
  • the CU-separated communication system includes multiple UP devices.
  • a plurality of UP devices are distributed in different locations in the communication system where the CU is separated.
  • multiple UP devices in a communication system where CUs are separated cooperate to share forwarding tasks based on a distributed architecture.
  • CU separation can have different names. For example, different standards, different versions of the same standard, different manufacturers, and different application scenarios may have different names for "CU separation".
  • CU separation may also sometimes be referred to as “control and forwarding separation”, “forwarding control separation”, “control plane and user plane separation”, “control and user separation”, and the like.
  • CP can have different names. For example, different standards, different versions of the same standard, different manufacturers, and different application scenarios may have different names for "CP".
  • CP may also sometimes be referred to as "CP function (CPF)" or "CP face".
  • CPF CP function
  • CP, CPF and CP face are used interchangeably herein.
  • CP device refers to any device that implements CP functionality.
  • UP can have different names.
  • different standards, different versions of the same standard, different manufacturers, and different application scenarios may have different names for "UP".
  • UP may also sometimes be referred to as "UP function (UPF)" or "UP face".
  • UPF UP function
  • UP, UPF and UP face are used interchangeably herein.
  • UP device refers to any device that implements UP functionality.
  • BNG Broadband network gateway
  • a BNG is a telecom network element device used by operators for broadband access, and is used to undertake the function of connecting user equipment to a broadband network.
  • BNG is mainly responsible for access authentication and Internet Protocol (IP) address allocation.
  • IP Internet Protocol
  • FIG. 1 is an example illustrating the architecture of the CU-separated BNG system.
  • the CU-separated BNG system extracts the user management functions from multiple BNG devices and concentrates them to form the CP device.
  • the BNG devices retain the routing and forwarding functions to form UP devices.
  • the CU-separated BNG system has the advantages brought by the CU-separated architecture.
  • a CU-separated BNG system can have multiple UP devices; the CP device schedules the multiple UP devices to process traffic forwarding tasks, and the CP device allocates resources to the multiple UP devices.
  • the utilization and reliability of the equipment of the BNG system under the separation architecture can be greatly improved.
  • the CU-separated BNG system has become the next step in the evolution of BNG, and has been fully recognized by mainstream BNG manufacturers, operators and standards organizations.
  • RFC 8772, a request for comments (RFC) document of the Internet Engineering Task Force (IETF), defines the architecture of the CU-separated BNG system and the control interface between the CP device and the UP device; the Broadband Forum (BBF) defines the basic architecture of the CU-separated BNG system in TR-384, and defines the module functions and interfaces of the CU-separated BNG system in TR-459.
  • the "BNG system with CU separation” may have different names.
  • different standards, different versions of the same standard, different manufacturers, and different application scenarios may have different names for the "BNG system with CU separation”.
  • the term "CU-disaggregated BNG system" may sometimes be referred to as "disaggregated BNG system (disaggregated BNG, DBNG)"; correspondingly, the CP device in the CU-disaggregated BNG system may be referred to as DBNG-CP, and the UP device in the CU-disaggregated BNG system may be referred to as DBNG-UP.
  • CU-separated BNG system may also sometimes be referred to as a "virtual broadband network gateway (virtual BNG, vBNG) control plane and user plane separation system (control plane and user plane separation vBNG, CUPS vBNG)", that is, "vBNG CU system"; correspondingly, the CP device in the CU-separated BNG system may be referred to as vBNG-CP, and the UP device in the CU-separated BNG system may be referred to as vBNG-UP.
  • CU-separated BNG system may also sometimes be referred to as a "virtual broadband remote access server (vBRAS) CU system", that is, "vBRAS CU system"; correspondingly, the CP device in the CU-separated BNG system may be referred to as vBRAS-CP, and the UP device in the CU-separated BNG system may be referred to as vBRAS-UP.
  • "CU-separated BNG system", "DBNG", "vBNG CU system" and "vBRAS CU system" are used interchangeably herein.
  • the working principle of the BNG system with CU separation is shown in FIG. 2, including the following S101 to S107.
  • S101 Centrally configure the BNG service on the CP device, and configure the routing service on the UP device.
  • the CP device delivers part of the configuration information of the BNG to the UP device through a management interface (management interface, Mi) interface.
  • the home terminal initiates dialing, and the original dialing message is transmitted to the UP device.
  • the UP device encapsulates the original dial-up packet according to the encapsulation format corresponding to the control packet redirect interface (CPRi) interface, and sends the encapsulated dial-up packet to the CP device for processing.
  • the CP device generates a response packet according to the dial-up packet, and sends the response packet to the UP device through the CPRi interface. After the UP device decapsulates the response packet, it responds to the user.
  • CPRi control packet redirect interface
  • the home terminal is, for example, a customer premise equipment (customer premise equipment, CPE).
  • the original dial-up message is, for example, a point-to-point protocol over ethernet (point-to-point protocol over ethernet, PPPoE) message or a dynamic host configuration protocol (dynamic host configuration protocol, DHCP) message.
  • PPPoE dial-up message is, for example, PPPOE Active Discovery Initiation (PPOE Active Discovery Initiation, PADI).
  • PADI PPPOE Active Discovery Initiation
  • the DHCP dial-up message is, for example, a DHCP discover message.
  • The CP device interacts with a Remote Authentication Dial In User Service (RADIUS) server to authenticate and authorize the user.
  • RADIUS: Remote Authentication Dial In User Service
  • After the user dials up successfully, the CP device sends the user forwarding entry to the UP device through the state control interface (SCi).
  • SCi: state control interface
  • The CP device uses the SCi to control the UP device to advertise routes to a core router (CR).
  • CR: core router
  • After the user goes online, the CP device sends an accounting packet to the RADIUS server.
  • The RADIUS server may issue a change of authorization (CoA) to adjust the user's service level agreement (SLA).
  • CoA: change of authorization
  • an embodiment of the present application provides a communication system 200
  • the communication system 200 is an example of a communication system in which the CP and the UP are separated.
  • the communication system 200 includes a CP device 210 , a UP device 220 , an operation and maintenance (OM) 230 , a RADIUS server 240 , a DHCP server 250 , and a CP device 211 .
  • OM: operation and maintenance
  • There are three kinds of interfaces between the CP device 210 and the UP device 220: the CPRi, the Mi and the SCi.
  • The CPRi is used to upload the original dial-up packet received by the UP device 220 to the CP device 210.
  • The original dial-up packet is, e.g., a PPPoE packet or a DHCP packet.
  • The UP device 220 receives the original dial-up packet, encapsulates it in the packet encapsulation format of the CPRi, and sends the encapsulated dial-up packet to the CP device 210 through the CPRi.
  • The CPRi is implemented through a tunnel between the UP device 220 and the CP device 210.
  • For example, the CPRi is implemented through a User Datagram Protocol (UDP)-based tunnel; the packet encapsulation format of the CPRi then consists of prepending the tunnel header of that UDP-based tunnel to the original dial-up packet.
  • UDP: User Datagram Protocol
  • In one example, the UDP-based tunnel is a Virtual Extensible Local Area Network (VXLAN) generic protocol extension (GPE) tunnel, and the tunnel header prepended to the original dial-up packet includes the VXLAN header and the GPE extension header.
  • GPE: generic protocol extension
  • In another example, the UDP-based tunnel is a general packet radio service (GPRS) tunneling protocol (GTP) control plane (GTP-C) tunnel, and the tunnel header prepended to the original dial-up packet includes the GTP-C header and a network service header (NSH).
  • GPRS: general packet radio service
  • GTP: GPRS tunneling protocol
  • GTP-C: GTP control plane
  • the functions of the SCi interface include that the CP device sends a flow table to the UP device, and the UP device sends status information to the CP device.
  • the SCi interface is used for the CP device to deliver a control message to the UP device, thereby instructing the UP device to carry a watermark when sending a dial-up message to the CP device through the CPRi interface.
  • the SCi interface is implemented using a control plane and user plane separated protocol (CUSP).
  • CUSP: control plane and user plane separated protocol
  • the SCi interface is implemented using the Packet Forwarding Control Protocol (PFCP).
  • the Mi interface is used by the CP device to deliver configuration information to the UP device.
  • The Mi interface is implemented by, for example, the Network Configuration (NETCONF) protocol.
  • the CP device 210 communicates with the OM 230 through, for example, Simple Network Management Protocol (SNMP) or NETCONF.
  • the CP device 210 communicates with the RADIUS server 240, eg, through the RADIUS protocol.
  • the CP device 210 communicates with the DHCP server 250, eg, through DHCP.
  • the CP device 210 and the CP device 211 perform data synchronization through, for example, a data backup message.
  • the CP device 211 cooperates with the CP device 210 to perform dialing processing based on a load sharing mechanism; in another example, the CP device 210 is the active device, and the CP device 211 is the backup device of the CP device 210 .
  • the overall structure of the communication system 200 is described above as an example, and the CP device 210 in the communication system 200 is described in detail below.
  • The functions of the CP device 210 include: supporting management of the UP device 220, for example joining and exiting of the UP device 220 and reporting of the interface resources of the UP device 220; processing dial-up packets to bring users online; communicating with the RADIUS server 240 to perform authentication, authorization and accounting for users; assigning IP addresses to users; and delivering user forwarding entries to the UP device 220 so that user traffic is forwarded at the UP device 220.
  • In one example, the CP device 210 is a virtualized network function (VNF) network element deployed in an NFV infrastructure (NFVI) environment.
  • NFVI: NFV infrastructure
  • In another example, the CP device 210 is software running on an x86 server.
  • In yet another example, the CP device 210 is distributed software, with different functional modules of the CP device 210 distributed on different hardware devices.
  • FIG. 4 is an example illustrating the functional architecture inside the CP device 210 .
  • the CP device 210 includes a plurality of dial-up processing modules 2201 and an input output (IO)/load balance (LB) module 2202 .
  • IO: input/output
  • LB: load balance
  • multiple dial-up processing modules 2201 are distributed on different hardware devices, for example.
  • the IO/LB module 2202 is used to communicate with the UP device.
  • the IO/LB module 2202 distributes the load of the received dial-up packets to multiple dial-up processing modules 2201 .
  • On the one hand, because dial-up processing is shared across the computing power of multiple hardware devices, the performance of the communication system 200 in bringing users online is effectively guaranteed; on the other hand, when capacity expansion is required, it is achieved by adding more dial-up processing modules 2201 to the CP device 210, so that the communication system 200 meets the elastic scaling requirements of a VNF.
  • The system architecture has been introduced above by way of example; application scenarios to which some embodiments of the present application apply are described below with reference to that architecture.
  • The CP device 210 serves as the control plane of the communication system 200 and needs to provide security functions to ensure the system security and service security of the communication system 200. Because the channels established between the CP device 210 and the UP device 220 through the CPRi, Mi, SCi and other interfaces are generally in-band communication channels that cross the metropolitan area network or even the backbone network, they carry a security risk, and the CP device 210 therefore needs security protection measures to defend against network attacks arriving over the channel between the CP device 210 and the UP device 220.
  • One such network attack is a distributed denial of service (DDoS) attack, whose main means is the Transmission Control Protocol (TCP) Synchronize Sequence Numbers (SYN) flood.
  • DDoS: distributed denial of service
  • SYN: Synchronize Sequence Numbers
  • TCP: Transmission Control Protocol
  • For dial-up packets (e.g., PADI packets for PPPoE dial-up and DHCP discover packets for DHCP dial-up), an attacker may intercept the PADI or DHCP discover packets sent by the UP device.
  • The attacker then hops the media access control (MAC) address or virtual LAN (VLAN) number in such dial-up packets, constructs a large number of attack packets, encapsulates them in the packet format of the CPRi, and sends the encapsulated attack packets directly to the CP device 210 without passing through the UP device 220, thereby initiating a replay attack.
  • MAC: media access control
  • VLAN: virtual LAN
  • Whether a PADI or DHCP discover packet is an attack packet can only be determined from the subsequent dial-up process, that is, a user that sends only a PADI or DHCP discover packet without sending the subsequent dial-up packets is judged to be an attacker. It is therefore difficult for general firewalls or anti-DDoS systems to identify such attack packets, and the CP device 210 itself has to defend against them.
  • Because the CPRi is implemented as VXLAN-GPE or GTP-C+NSH tunnel encapsulation, both of which are based on UDP, the CP device 210 cannot use TCP keychain or similar TCP-based technologies to verify the source IP address of packets received through the CPRi.
  • In dial-up packets such as PADI packets for PPPoE dial-up and DHCP discover packets for DHCP dial-up, the source MAC address is the MAC address of the dial-up user.
  • The CP device 210 cannot determine whether a source MAC address is legitimate, and so cannot distinguish attack packets from normal online packets by the source MAC address alone. How the CP device 210 identifies attack packets arriving on the CPRi is therefore one of the technical difficulties in the art.
  • In one approach, rate limiting is used to defend against replay attacks initiated with PADI or DHCP discover packets.
  • The CP device 210 applies token bucket technology on the IO/LB module 2202 to group users by MAC address, and then applies a committed access rate (CAR) to the rate at which each group's dial-up packets are sent to the dial-up processing modules 2201.
  • CAR: committed access rate
  • When an attack occurs, the IO/LB module 2202 hashes the source MAC address to group the received dial-up packets, each group corresponding to a token bucket, and limits the rate of dial-up packets sent to the dial-up processing modules 2201 to the token rate; packets exceeding the token rate are randomly discarded. In this way, the dial-up processing modules 2201 do not hang because the number of packets sent to them exceeds their processing capacity.
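As an added example, not the patent's own code, the following Python models the CAR defence described above: the IO/LB stage hashes each source MAC address into a group, polices every group with a token bucket, and a constructed one-second trace with a legitimate CPE and a MAC-hopping replayer is run through it. The group count, CAR value, bucket depth and traffic mix are assumptions, and the example drops deterministically when a bucket is empty rather than randomly as the text describes. Running it with and without the attack shows that the load reaching the dial-up processing modules is bounded, but also that the legitimate user's PADI retries are dropped together with the attack packets that share its group: hopping the MAC address spreads the attack over every group, so grouping by MAC cannot separate the two, which is the cost that watermarking is meant to avoid.

```python
import hashlib


class TokenBucket:
    """One token bucket per MAC-hash group: rate is the CAR value in packets per second,
    burst the bucket depth (values assumed for the example)."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def take(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False  # exceeds the token rate: discarded before the dial-up processing module


class IoLoadBalancer:
    """IO/LB stage: hash the source MAC into a group and police each group separately."""

    def __init__(self, groups: int, rate: float, burst: int) -> None:
        self.buckets = [TokenBucket(rate, burst) for _ in range(groups)]

    def group_of(self, src_mac: bytes) -> int:
        return int.from_bytes(hashlib.sha256(src_mac).digest()[:4], "big") % len(self.buckets)

    def admit(self, now: float, src_mac: bytes) -> bool:
        return self.buckets[self.group_of(src_mac)].take(now)


def simulate(attack: bool, groups: int = 64, car_pps: float = 100.0, burst: int = 10) -> dict:
    """One second of CPRi traffic (constructed): a legitimate CPE re-sends PADI every 0.1 s;
    if attack is set, a replayer also sends 20,000 PADIs with a hopping source MAC
    (02:00:00:00:xx:yy), so every group is flooded."""
    lb = IoLoadBalancer(groups, car_pps, burst)
    legit_mac = bytes.fromhex("0a1b2c3d4e5f")
    stats = {"legit_accepted": 0, "legit_dropped": 0, "attack_accepted": 0, "attack_dropped": 0}
    for i in range(20000):
        now = i / 20000
        if attack:
            hopped = b"\x02\x00\x00\x00" + i.to_bytes(2, "big")
            stats["attack_accepted" if lb.admit(now, hopped) else "attack_dropped"] += 1
        if i % 2000 == 0:
            stats["legit_accepted" if lb.admit(now, legit_mac) else "legit_dropped"] += 1
    return stats


if __name__ == "__main__":
    print("quiet :", simulate(attack=False))
    print("attack:", simulate(attack=True))
```

Without the attack all ten legitimate PADIs pass; with it, at most burst plus one second of refill per group reaches the processing modules, and some of the legitimate retries are lost because the replayer has already drained the bucket of whichever group the user's MAC hashes into.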
  • some embodiments of the present application provide a method for the joint defense of the CP device and the UP device 220 against DDoS attacks.
  • The CP device sends a control message over the SCi to notify the UP device 220 to carry a watermark in the dial-up packets it sends through the CPRi, so that the CP device can distinguish attack packets from normal packets by the watermark, discard the replayer's attack packets and process the normal packets. In this way normal users can go online and the computing resources of the CP are saved.
  • Some embodiments extend the SCi between the CP device and the UP device 220, and show how to extend the CUSP message format defined in IETF RFC 8772 and the PFCP message format defined in BBF TR-459 to implement the control message, so that the CP device can use the extended message format to control the UP device 220 to enable or disable the watermark.
  • some embodiments extend the CPRi interface between the CP device and the UP device 220, providing how to extend the VXLAN-GPE packet format to carry various types of watermarks.
  • FIG. 5 is a flowchart of a network attack defense method 300 provided by an embodiment of the present application.
  • the interactive subject of the method 300 includes a CP device and a UP device.
  • the CP device in the method 300 is the CP device 210 or the CP device 211 in the communication system 200 shown in FIG. 3
  • The UP device in the method 300 is the UP device 220 in the communication system 200 shown in FIG. 3.
  • the CP device in the method 300 is a CP device in a BNG system where CP and UP are separated, such as a CP or DBNG-CP in a vBNG system.
  • the UP device in the method 300 is the UP device in the BNG system in which the CP and the UP are separated, for example, the UP or DBNG-UP in the vBNG system.
  • the CP device in method 300 is a CP device in a BRAS system where CP and UP are separated.
  • the UP device in the method 300 is the UP device in the BRAS system in which the CP and the UP are separated.
  • In other examples, the CP device and the UP device in the method 300 are implemented in a CU-separated system other than the BNG system.
  • For example, in another CU-separated wired access system or wireless access system, the CP device in the method 300 is the device hosting the control plane and the UP device in the method 300 is the device hosting the forwarding plane.
  • In other examples, the CP device and the UP device in the method 300 are implemented in a CU-separated 4G evolved packet core (EPC) system or a CU-separated 5G core network (5GC) system.
  • EPC: evolved packet core (4G core network)
  • 5GC: 5G core network
  • In an EPC system, the CP device is implemented by the CP of a CU-separated serving gateway (S-GW) or of a CU-separated packet data network gateway (PGW).
  • In a 5GC system, the CP device is implemented by an access and mobility management function (AMF) network element or, for example, a session management function (SMF) network element.
  • AMF: access and mobility management function
  • SMF: session management function
  • In a WT-456 fixed and mobile converged communication system, the CP device is implemented by an access gateway function (AGF) network element.
  • The method 300 is processed by a general-purpose central processing unit (CPU), or jointly by a CPU and a network processor (NP), or jointly by two or more of a CPU, an NP and a physical interface card (PIC); other processors suitable for packet forwarding may also be used instead of the NP or PIC.
  • CPU: general-purpose central processing unit
  • NP: network processor
  • PIC: physical interface card
  • The method 300 imposes no restriction on this division of work.
  • For example, the CPU performs the part of the method 300 concerned with carrying the watermark and identifying attack packets by the watermark, while the NP and the PIC perform the part concerned with sending and receiving packets.
  • the method 300 includes steps S301 to S315.
  • The attacker sends hopped dial-up packets to the CP device.
  • Specifically, the attacker captures dial-up packets sent by the UP device in the network, hops parameters in those packets (such as the source MAC address or the VLAN number), and sends the hopped dial-up packets to attack.
  • In response to the reception rate of dial-up packets meeting the abnormal condition, the CP device generates a first control message, which instructs the UP device to carry a watermark when sending dial-up packets to the CP device.
  • the abnormal condition is used to detect whether the receiving rate of dial-up packets is abnormal.
  • satisfying the abnormal condition is that the receiving rate exceeds the rate threshold for a preset period of time.
  • The CP device measures the reception rate of dial-up packets; if the time for which the reception rate exceeds the rate threshold reaches a preset duration, the CP device determines that the reception rate meets the abnormal condition and executes S303. For example, the CP device uses CAR to limit the rate of dial-up packets; if the reception rate of dial-up packets exceeds the CAR value it starts timing, and when the recorded time exceeds the preset duration it determines that the reception rate meets the abnormal condition.
  • the dial-up packet includes the above-mentioned dial-up packet sent by the attacker to the CP device, and also includes the dial-up packet sent by the UP device connected to the CP device.
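An added example, not the patent's code, of the abnormal-condition check described above: the monitor computes the dial-up packet rate over a trailing one-second window and declares the condition only once the rate has stayed above the CAR value for the preset duration, so a short legitimate re-dial storm resets the timer while a sustained flood trips it. The threshold, hold time, window size and the constructed arrival timeline are assumptions.

```python
from collections import deque
from typing import Iterable, Optional


class DialRateMonitor:
    """Abnormal-condition detector for the CPRi dial-up packet rate: the rate (packets in the
    trailing window) must exceed the CAR value for at least hold_s seconds without interruption;
    a shorter excursion resets the timer."""

    def __init__(self, car_pps: float, hold_s: float, window_s: float = 1.0) -> None:
        self.car_pps, self.hold_s, self.window_s = car_pps, hold_s, window_s
        self.window: deque = deque()
        self.over_since: Optional[float] = None
        self.triggered_at: Optional[float] = None

    def packet(self, t: float) -> bool:
        """Record one dial-up packet received at time t; return True once the condition holds."""
        self.window.append(t)
        while self.window[0] <= t - self.window_s:
            self.window.popleft()
        rate = len(self.window) / self.window_s
        if rate <= self.car_pps:
            self.over_since = None        # excursion ended before hold_s: timer reset
        elif self.over_since is None:
            self.over_since = t           # rate just crossed the CAR value: start timing
        elif self.triggered_at is None and t - self.over_since >= self.hold_s:
            self.triggered_at = t         # sustained for hold_s: generate the first control message
        return self.triggered_at is not None


def constructed_arrivals(flood: bool) -> list:
    """Constructed timeline: 50 pps of genuine dial-ups for 10 s, a 1 s re-dial storm at 2000 pps
    from t=2 (e.g. after a line flap) and, if flood is set, a replay flood at 2000 pps from t=4."""
    times = [k * 0.02 for k in range(500)]
    times += [2.0 + j * 0.0005 for j in range(2000)]
    if flood:
        times += [4.0 + j * 0.0005 for j in range(12000)]
    return sorted(times)


def first_abnormal_time(arrivals: Iterable[float], car_pps: float = 500.0,
                        hold_s: float = 3.0) -> Optional[float]:
    """Time at which the CP would generate the first control message, or None if it never does."""
    monitor = DialRateMonitor(car_pps, hold_s)
    for t in arrivals:
        if monitor.packet(t):
            return t
    return None


if __name__ == "__main__":
    print("storm only :", first_abnormal_time(constructed_arrivals(flood=False)))
    print("with flood :", first_abnormal_time(constructed_arrivals(flood=True)))
```

The storm alone keeps the rate above 500 pps for about 1.5 s and so never triggers; the flood crosses the threshold about 0.22 s after it starts and the condition is declared three seconds later, at roughly t = 7.2 s.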
  • the CP device sends a first control message to the UP device.
  • A reception rate of dial-up packets that meets the abnormal condition is most likely caused by a network attack, so in that case the CP device can be determined to be under attack and generates the first control message. Because the first control message indicates that a watermark is to be carried when sending dial-up packets, delivering it to the UP device notifies the UP device to carry the watermark in its dial-up packets; the subsequent dial-up packets sent by the UP device to the CP device therefore contain the watermark, which supports the CP device controlling the UP device to enable watermarking.
  • the watermark is used by the CP to verify the validity of the dial-up packets it receives.
  • the role of the watermark is similar to the identification of the identity of the UP device.
  • The specific value of the watermark is negotiated between the CP device and the UP device by transmitting the first control message. If a packet sent to the CP device does not contain a watermark, or contains a watermark that is incorrect, this indicates that the packet did not come from the UP device; the packet then fails the CP device's verification and is recognised by the CP device as an attack packet.
  • Which data the CP device and the UP device use as the watermark include various implementations, which are illustrated below by using watermark type a to watermark type d.
  • Watermark type a: use the VXLAN network identifier (VNI) as the watermark.
  • A VXLAN tunnel exists between the UP device and the CP device.
  • When the UP device sends a dial-up packet, it adds a VXLAN header containing a VNI to the original dial-up packet, so that the dial-up packet enters the VXLAN tunnel and is forwarded using the VXLAN header.
  • When the watermark is needed to defend against an attack, the CP device notifies the UP device to adjust the value of the VNI in the VXLAN header, so that the VNI in the VXLAN header of dial-up packets sent by the UP device changes from the original VNI to the adjusted VNI, and the CP device uses the adjusted VNI to verify the dial-up packets it receives.
  • The VNI is an identifier similar to a VLAN ID; one VNI represents one tenant.
  • A 24-bit length space is allocated to the VNI, so that a large number of tenants can be isolated.
  • Watermark type b: use a random number as the watermark.
  • The CP device and the UP device use a random number as the watermark of dial-up packets. Specifically, the CP device notifies the UP device to carry a random number when sending dial-up packets, so that the dial-up packets sent by the UP device to the CP device include the random number and the CP device verifies them using that random number.
  • Watermark type c: use a timestamp as the watermark.
  • The CP device and the UP device use a timestamp as the watermark of dial-up packets. Specifically, the CP device and the UP device perform time synchronization.
  • The CP device instructs the UP device to carry a timestamp when sending dial-up packets, so that the dial-up packets sent by the UP device contain a timestamp and the CP device can verify them by checking whether the timestamp corresponds to the synchronized time point.
  • For example, the CP device and the UP device perform time synchronization based on the Network Time Protocol (NTP).
  • NTP: Network Time Protocol
  • Both the CP device and the UP device use an NTP time server as the clock source and obtain the current time point from it, thereby ensuring time synchronization between the UP device and the CP device.
  • Watermark type d use message authentication code as watermark.
  • the message authentication code is, for example, a hash value of at least one parameter in the dial-up message.
  • the message authentication code is the hash value of the parameters in the IP header, MAC frame header, and UDP header of the dial-up message.
  • the message authentication code is the hash value of the source MAC address and destination MAC address in the dial-up packet.
  • the message authentication code is a hash value of the source MAC address, destination MAC address, source IP address, and destination IP address in the dial-up packet.
  • the message authentication code is the hash value of the source MAC address, destination MAC address, source IP address, destination IP address, and UDP header in the dial-up packet.
  • the message authentication code is obtained, for example, by performing a hash operation according to a hash function.
  • watermarks are exemplified above through watermark type a to watermark type d.
  • This embodiment does not limit which type of watermarks the CP device and the UP device use from the watermark type a to the watermark type d.
  • For example, the CP device selects the watermark type according to the strength of the attack. When the attack on the CP device is intense, watermark type d is selected, that is, the message authentication code is used as the watermark with which the CP device and the UP device defend against the attack, so as to achieve the best defence.
  • When the attack on the CP device is weak, watermark type a is selected, that is, the adjusted VNI is used as the watermark, thereby reducing the performance overhead of the CP device and the UP device.
  • the first control message includes a watermark.
  • the CP device carries the watermark itself in the first control message and delivers it to the UP device.
  • the first control message includes watermark type information corresponding to the watermark.
  • the first control message includes parameters related to generating the watermark.
  • the CP device carries at least one of the watermark format, the watermark type, the position of the watermark in the dial-up message, the number of digits of the watermark, and the name of the input parameter for generating the watermark in the first control message, and sends it to the UP equipment.
  • the content of the first control message is exemplified by the following cases a to d in combination with the above watermark type a to watermark type d.
  • Case a: the content of the first control message when the VNI is used as the watermark. The CP device obtains the first VNI and carries it in the first control message, so that the first control message includes the first VNI.
  • the first VNI refers to the adjusted VNI.
  • the first VNI is different from the VNI used by the UP device when it originally sent dial-up packets.
  • this embodiment does not limit how the CP device obtains the first VNI.
  • the CP device reserves a segment of VNI according to the configuration, and the CP device selects an unoccupied VNI from the reserved segment of VNI as the first VNI.
  • the CP device carries the watermark type information corresponding to the first VNI in the first control message, so that the first control message includes the watermark type information corresponding to the first VNI.
  • the watermark type information corresponding to the first VNI indicates that the watermark type is VNI.
  • Case b The content of the first control message when a random number is used as the watermark.
  • the first control message includes a first random number.
  • the CP device obtains the first random number, and carries the first random number in the first control message.
  • This embodiment does not limit how the CP device obtains the first random number.
  • the CP device performs calculations through a random number generation algorithm, thereby generating the first random number.
  • the CP device receives the first random number from the other device.
  • the CP device carries the watermark type information corresponding to the first random number in the first control message, so that the first control message includes the watermark type information corresponding to the first random number.
  • the watermark type information corresponding to the first random number indicates that the watermark type is a random number.
  • the CP device when the same CP device controls multiple UP devices, the CP device will generate corresponding random numbers for each UP device, and deliver each random number to the corresponding UP device.
  • the CP device generates different random numbers for different UP devices, and delivers different random numbers to different UP devices.
  • the UP device controlled by the CP device includes the first UP device, and the CP device carries the first random number corresponding to the first UP device in the first control message, and sends the first control message to the first UP device. In this way, it is helpful for the CP device to verify the dial-up packets of different UP devices by using different random numbers.
  • When multiple interfaces of the same UP device are connected to the CP device, the CP device generates a corresponding random number for each interface of the UP device and delivers the correspondence between the interfaces and the random numbers to the UP device.
  • That is, the CP device generates different random numbers for different interfaces of the UP device. For example, if the UP device accesses the CP device through a first interface, the CP device carries the first random number corresponding to the first interface in the first control message and sends the first control message to the UP device, thereby indicating to the UP device that the first random number is to be carried when dial-up packets are sent through the first interface. In this way, the CP device can verify the dial-up packets of different interfaces of the same UP device using different random numbers.
  • Case c: the content of the first control message when a timestamp is used as the watermark. The first control message includes a first timestamp.
  • the CP device obtains the first timestamp corresponding to the synchronization time point according to the time synchronization mechanism with the UP device, and carries the first timestamp in the first control message.
  • the CP device carries the watermark type information corresponding to the first timestamp in the first control message, so that the first control message includes the watermark type information corresponding to the first timestamp.
  • the watermark type information corresponding to the first timestamp indicates that the watermark type is a timestamp.
  • the first control message does not include the first timestamp itself, but includes any information capable of identifying the first timestamp.
  • the first control message includes a one-bit flag field. When the flag field is set, it indicates that the UP device carries the first timestamp when sending the dialing message to the CP device.
  • Case d: the content of the first control message when a message authentication code (referred to below as the message verification code) is used as the watermark. The first control message includes the format of the message verification code.
  • the format of the message verification code is used to instruct the UP device which part of the dial-up message to perform hash operation on to obtain the first message verification code.
  • the format of the message verification code is used to indicate the hash algorithm used to generate the first message verification code.
  • the format of the message verification code in the first control message is represented by numbers, letters or character strings, for example.
  • the CP device carries the watermark type information corresponding to the first message verification code in the first control message, so that the first control message includes the watermark type information corresponding to the first message verification code.
  • the watermark type information corresponding to the first message verification code indicates that the watermark type is a message verification code.
  • For example, the CP device and the UP device agree that different numbers represent different formats of the message verification code: one number instructs the UP device to hash two pieces of information, the source MAC address and the destination MAC address, to obtain the first message verification code, while the number 2 instructs the UP device to hash four pieces of information, the source MAC address, destination MAC address, source IP address and destination IP address in the dial-up packet, to obtain the first message verification code.
  • the first control message does not include the format of the message verification code, but includes any information capable of identifying the first message verification code.
  • the format of the message verification code is negotiated between the CP device and the UP device in advance.
  • the format of the message verification code is negotiated during the handshake phase between the CP device and the UP device, or the format of the message verification code is preconfigured between the CP device and the UP device.
  • For example, the first control message includes a one-bit flag field; when the flag field is set, it instructs the UP device to carry the first message verification code when sending dial-up packets to the CP device.
  • the CP device sends the first control message to the UP device through the SCi interface.
  • the first control message is also called an SCi message.
  • the communication protocol implementing the SCi interface is extended, and a new type of SCi message is added.
  • the new type of SCi message is used to instruct the UP device to carry a watermark when sending a dial-up message to the CP device.
  • This new type of SCi message is the first control message.
  • How to extend the communication protocol of the SCi interface to implement the first control message includes multiple implementation manners, and the following is an example of the extension manner 1 and the extension manner 2.
  • Extension manner 1: IETF RFC 8772 specifies that the SCi between the CP device and the UP device is implemented using CUSP.
  • a new type of CUSP message is extended.
  • the new type of CUSP message is used to instruct the UP device to carry a watermark when sending a dial-up message to the CP device, and the new type of CUSP message is the first control message.
  • the CUSP message as the first control message includes a type field.
  • the type field in the CUSP message includes the type value.
  • the value of this type identifies the CUSP message to instruct the UP device to carry the watermark when sending the dial-up message to the CP device.
  • the type value is the type of control messages in Table 2 (table2) of RFC 8772.
  • the control message is a message that requires the dial-up message sent by the UP to carry a watermark.
  • the control message name can be watermark start, and the message also includes the desired watermark type information.
  • when the value is CRPI_WATERPRINT_VNI, it indicates that the UP is expected to carry VNI watermark information when sending dial-up messages; when the value is CRPI_WATERPRINT_RANDOM, it indicates that the UP is expected to carry random number watermark information when sending dial-up messages;
  • when the value is CRPI_WATERPRINT_TIMESTAMP, it indicates that the UP is expected to carry timestamp watermark information when sending dial-up packets; when the value is CRPI_WATERPRINT_MAC, it indicates that the UP is expected to carry message verification code watermark information when sending dial-up packets.
  • the control message also includes a specific watermark value or information about the parameters used to generate the watermark, such as the VNI value, random value, timestamp value, or the value of the message verification code that needs to be carried in the dial-up message sent by the UP.
  • the watermark or its generation parameters are not limited to the VNI value, random value, timestamp value, or message verification code value that needs to be carried in the dial-up message sent by the UP.
  • when the UP device receives the control message sent by the CP device, it can send the corresponding watermark information according to pre-configured or pre-agreed information, for example by sending the default VNI value, generating random numbers according to pre-agreed rules, carrying timestamps, or sending the message verification code according to default rules; the corresponding value can also be obtained from the control message, carried in the dial-up message, and sent to the CP device; a watermark can also be generated according to the parameters carried in the control message, carried in the dial-up message, and sent to the CP device.
  • a TLV may be added to the CUSP message to carry the watermark or generate parameters related to the watermark.
  • the value of the type part of these TLVs can be used to indicate the watermark type corresponding to this TLV, that is, the type of watermark that needs to be carried by the UP device.
  • the CUSP message includes a watermark TLV, and the watermark TLV is a TLV that carries a watermark; or, the watermark TLV is a TLV that carries watermark type information corresponding to the watermark; or, the watermark TLV is a TLV that carries parameters related to generating a watermark, and the watermark TLV
  • the type value can be, for example, 901, indicating that it is a watermark TLV.
  • the watermark TLV is a new type of TLV, and the watermark TLV includes a type value of the new application, the type value identifying the watermark TLV carrying the watermark or generating parameters related to the watermark.
  • the watermark TLV is an existing type of TLV.
  • the TLV used to carry the VNI in the VXLAN standard is multiplexed as the watermark TLV in this embodiment.
  • the watermark TLV includes at least one of VNI watermark TLV, random number watermark TLV, time stamp watermark TLV, and message verification code watermark TLV.
  • the VNI watermark TLV includes the first VNI.
  • the value of the type part of the VNI watermark TLV is, for example, used to indicate that the watermark type corresponding to this TLV is VNI.
  • the VNI watermark TLV includes a VNI field, and the VNI field includes the first VNI.
  • the VNI watermark TLV may also be referred to as CRPI_WATERPRINT_VNI (CRPI_watermark_VNI).
  • Table 2 is an illustration of the format of the VNI watermark TLV.
  • the VNI in Table 2 is the first VNI.
  • the VNI watermark TLV occupies, for example, 4 bytes. Wherein, the VNI occupies, for example, 3 bytes in the VNI watermark TLV, for example, occupies the second byte to the fourth byte.
  • the first byte of the VNI watermark TLV is all set to 0 for padding.
  • the random number watermark TLV includes a first random number.
  • the value of the type part of the random number watermark TLV is, for example, used to indicate that the watermark type corresponding to this TLV is a random number.
  • the random number watermark TLV may also be called CRPI_WATERPRINT_RANDOM (CRPI_watermark_random number).
  • the random number watermark TLV includes a random number field, and the random number field includes a first random number.
  • Table 3 is an example of the format of the random number watermark TLV, and the random number in Table 3 is the first random number.
  • the random number occupies, for example, 2 bytes.
  • the timestamp watermark TLV includes the first timestamp.
  • the value of the type part of the timestamp watermark TLV is, for example, used to indicate that the watermark type corresponding to this TLV is a timestamp.
  • the timestamp watermark TLV may also be referred to as CRPI_WATERPRINT_TIMESTAMP (CRPI_watermark_timestamp).
  • the timestamp watermark TLV includes a timestamp field, and the timestamp field includes a first timestamp.
  • Table 4 is an example of the format of the timestamp watermark TLV, and the timestamp in Table 4 is the first timestamp.
  • the timestamp occupies, for example, 1 byte.
  • the message verification code watermark TLV includes the format of the message verification code.
  • the value of the type part of the message verification code watermark TLV is, for example, used to indicate that the watermark type corresponding to this TLV is a message verification code.
  • the message authentication code watermark TLV may also be referred to as CRPI_WATERPRINT_MAC (CRPI_watermark_message authentication code).
  • the message verification code watermark TLV includes a message verification code format field. When the value of the message verification code format field is 0, the UP device is instructed to obtain the first message verification code by performing a hash operation on the source MAC address and the destination MAC address in the dial-up packet.
  • when the value of the message verification code format field is 1, the UP device is instructed to obtain the first message verification code by hashing the source MAC address, destination MAC address, source IP address and destination IP address in the dial-up packet.
  • when the value of the message verification code format field is 2, the UP device is instructed to obtain the first message verification code by hashing the source MAC address, destination MAC address, source IP address, destination IP address and UDP header in the dial-up packet.
  • Table 5 is an example of the format of the message verification code watermark TLV.
  • the message verification code format in Table 5 is the message verification code format field.
  • the message verification code format field occupies 1 byte in the message verification code watermark TLV.
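As an added example that is not from the patent, the following Python encodes and parses the four watermark TLVs described above (a VNI padded to 4 bytes with a leading zero byte, a 2-byte random number, a 1-byte timestamp, and a 1-byte verification-code format). The 2-byte type / 2-byte length header and the numeric type codes other than 901 are assumptions; the patent names the codes CRPI_WATERPRINT_* but gives only 901 as an example type value.

```python
import struct

# Assumed numeric type values for the watermark TLVs. The patent names them
# CRPI_WATERPRINT_VNI / _RANDOM / _TIMESTAMP / _MAC and gives 901 as an example
# watermark TLV type; the other three numbers are placeholders chosen here.
CRPI_WATERPRINT_VNI = 901
CRPI_WATERPRINT_RANDOM = 902
CRPI_WATERPRINT_TIMESTAMP = 903
CRPI_WATERPRINT_MAC = 904

# Verification-code format values as given for the format field (Table 5).
MVC_FORMAT_MAC = 0          # hash(source MAC, destination MAC)
MVC_FORMAT_MAC_IP = 1       # ... plus source IP, destination IP
MVC_FORMAT_MAC_IP_UDP = 2   # ... plus UDP header

# Assumed TLV header: 2-byte type, 2-byte length of the value part.
_HDR = struct.Struct("!HH")


def _tlv(tlv_type, value):
    return _HDR.pack(tlv_type, len(value)) + value


def vni_watermark_tlv(vni):
    """4-byte value: one zero padding byte followed by the 24-bit VNI (bytes 2-4)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return _tlv(CRPI_WATERPRINT_VNI, b"\x00" + vni.to_bytes(3, "big"))


def random_watermark_tlv(rand):
    """2-byte random number value."""
    return _tlv(CRPI_WATERPRINT_RANDOM, struct.pack("!H", rand))


def timestamp_watermark_tlv(ts):
    """1-byte timestamp value (e.g. the seconds part of the synchronized time point)."""
    return _tlv(CRPI_WATERPRINT_TIMESTAMP, struct.pack("!B", ts))


def mvc_watermark_tlv(fmt):
    """1-byte message verification code format field (0, 1 or 2)."""
    if fmt not in (MVC_FORMAT_MAC, MVC_FORMAT_MAC_IP, MVC_FORMAT_MAC_IP_UDP):
        raise ValueError("unknown verification code format")
    return _tlv(CRPI_WATERPRINT_MAC, struct.pack("!B", fmt))


def parse_watermark_tlvs(data):
    """Walk a buffer of TLVs and return {name: value} for the watermark TLVs.

    Unknown TLV types are skipped; a known type with the wrong length or a
    truncated buffer is rejected rather than silently accepted."""
    out = {}
    off = 0
    while off < len(data):
        if off + _HDR.size > len(data):
            raise ValueError("truncated TLV header")
        tlv_type, length = _HDR.unpack_from(data, off)
        off += _HDR.size
        value = data[off:off + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        off += length
        if tlv_type == CRPI_WATERPRINT_VNI:
            if length != 4:
                raise ValueError("VNI watermark TLV must be 4 bytes")
            out["vni"] = int.from_bytes(value[1:4], "big")   # byte 1 is padding
        elif tlv_type == CRPI_WATERPRINT_RANDOM:
            if length != 2:
                raise ValueError("random number watermark TLV must be 2 bytes")
            out["random"] = struct.unpack("!H", value)[0]
        elif tlv_type == CRPI_WATERPRINT_TIMESTAMP:
            if length != 1:
                raise ValueError("timestamp watermark TLV must be 1 byte")
            out["timestamp"] = value[0]
        elif tlv_type == CRPI_WATERPRINT_MAC:
            if length != 1 or value[0] > MVC_FORMAT_MAC_IP_UDP:
                raise ValueError("bad message verification code format TLV")
            out["mvc_format"] = value[0]
    return out


if __name__ == "__main__":
    msg = (vni_watermark_tlv(0x1234) + random_watermark_tlv(0xBEEF)
           + timestamp_watermark_tlv(5) + mvc_watermark_tlv(MVC_FORMAT_MAC_IP))
    print(parse_watermark_tlvs(msg))
```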
  • the second extension method is to extend the PFCP.
  • PFCP is a protocol defined by the 3rd Generation Partnership Project (3GPP) and carried over UDP.
  • PFCP defines a set of abstract business models based on 5th generation mobile network (5G) services, and based on this model defines node messages and session messages between the CP and the UP.
  • PFCP refers to the UP device as the UPF, the CP device as the CPF, and the connection between the CP device and the UP device as the PFCP association (PFCP association).
  • PFCP messages are divided into PFCP node messages (PFCP node related messages) and PFCP session messages (PFCP session related messages).
  • the PFCP message includes two parts: a PFCP message header (PFCP message header) and an IE.
  • the PFCP message header includes fields such as message type and message length.
  • IE adopts the packaging format of TLV.
  • IE is divided into grouped IE (grouped IE) and embedded IE (embedded IE).
  • Embedded IE is the smallest unit of IE.
  • a grouped IE optionally contains multiple embedded IEs.
  • BBF TR-459 stipulates that the SCi interface between the CP device and the UP device is implemented using PFCP.
  • the CP device uses the IE in the PFCP message to carry the watermark or generate watermark-related parameters.
  • the PFCP message as the first control message includes a watermark IE
  • the watermark IE is an IE that carries a watermark
  • the watermark IE is an IE that carries watermark type information corresponding to the watermark
  • the watermark IE is an IE that carries parameters related to generating a watermark.
  • the watermark type information carried by the Watermark IE is, for example, the value of the type part in the Watermark IE.
  • the value of the type part of the VNI watermark IE is used to indicate that the watermark type corresponding to this IE is VNI.
  • the value of the type part of the random number watermark IE is used to indicate that the watermark type corresponding to this IE is a random number.
  • the value of the type part of the Timestamp Watermark IE is used to indicate that the watermark type corresponding to this IE is Timestamp.
  • the value of the type part of the message verification code watermark IE is used to indicate that the watermark type corresponding to this IE is the message verification code.
  • the Watermark IE is a Packet IE.
  • the watermark IE is an embedded IE. For example, see Table 6 below, which is an introduction to the Watermark IE.
  • the IE contains a watermark when the CP is under DDoS attack.
  • C in Table 6 indicates conditional, meaning that the watermark IE is carried when the condition is met, and the condition is that the CP device may be under DDoS attack.
  • when the CP device detects that the receiving rate of dial-up messages is abnormal, it determines that the condition for carrying the watermark IE is satisfied.
  • the type field includes the type of the watermark IE.
  • the type field occupies 2 bytes.
  • the type value in the type field is, for example, a decimal value.
  • the length field includes the length of the watermark IE.
  • the length in the length field does not include, for example, the 4 bytes of the type field and the length field.
  • the manufacturer ID (enterprise ID) field includes the manufacturer number.
  • the Manufacturer ID field is an optional field of the Watermark IE.
  • the watermark type (water print type) field and the watermark parameter (water print para) field belong to the data part in the watermark IE or a sub-IE of the watermark IE.
  • the definition of the type field in Table 7 is shown in Table 8 below.
  • 7/1 represents the first bit of a byte (type field); 7/2 represents the second bit of a byte (type field); 7/3 represents a byte (type field)
  • the definitions of the four watermark parameters from watermark parameter 0 to watermark parameter 3 are the same as or similar to the definitions of the four types of watermark TLVs, namely, VNI watermark TLV, random number watermark TLV, time stamp watermark TLV, and message authentication code watermark TLV described in the extension mode 1.
  • a PFCP node message is used to carry the Watermark IE.
  • the first control message is a PFCP node message.
  • a PFCP session message is used to carry the Watermark IE.
  • the first control message is a PFCP session message.
  • a new type of PFCP message is extended to carry the watermark IE using the new type of PFCP message.
  • the new type of PFCP message is used to instruct the UP device to carry a watermark when sending a dial-up message to the CP device, and the new type of PFCP message is the first control message provided in this embodiment.
  • the PFCP message as the first control message includes a type field.
  • the Type field in the PFCP message includes the Type value.
  • the type value indicates that the PFCP message instructs the UP device to carry the watermark when sending the dial-up message to the CP device.
  • this embodiment does not limit the extended PFCP node message or the extended PFCP session message.
  • a new type of PFCP node message is added, for example, a new type value is applied between 16 and 49.
  • this new type of PFCP node message carries the watermark IE, and the CP device sends this new type of PFCP node message to the UP device to implement the watermarking function.
  • a new type of PFCP session message is added, for example, a new type value is applied between 58 and 99.
  • this new type of PFCP session message carries the watermark IE, and the CP device sends this new type of PFCP session message to the UP device to implement the watermarking function.
  • an existing PFCP message is multiplexed to carry the watermark IE; the existing PFCP message carrying the watermark IE can instruct the UP device to carry the watermark when sending a dial-up message to the CP device, and this existing PFCP message is also the first control message provided in this embodiment.
  • the existing PFCP Session Modification Request (PFCP update session request) is multiplexed to carry the watermark IE.
  • the PFCP update session request carrying the watermark IE is the first control message provided in this embodiment.
  • the PFCP update session request is a PFCP session message, and the message type value of the PFCP update session request is 52.
  • the IE shown in Table 9 below is added to the Update Forwarding Parameters IE in the PFCP update session request.
  • C in Table 9 indicates Conditional, indicating that the watermark IE is carried when a condition is met, and the condition is that the CP is attacked by DDoS.
  • when the CP detects that the receiving rate of dial-up messages is abnormal, it determines that the condition for carrying the watermark IE is satisfied.
  • the UP device receives a first control message from the CP device, where the first control message is used to instruct the UP device to carry a watermark when sending a dial-up message to the CP device.
  • the UP device carries a watermark in the dial-up message according to the first control message.
  • the dial-up message sent by the UP device includes, for example, the original dial-up message and a watermark.
  • the original dialing packet is sent by the user equipment, and in another example, the original dialing packet may also be sent by an access device connected to the user equipment.
  • the original dial-up message will be transmitted to the UP device.
  • when the UP device receives the original dial-up message, it obtains a watermark according to the first control message sent by the CP device; the UP device encapsulates the obtained watermark with the original dial-up message to obtain a watermarked dial-up packet, so that the watermark is carried in the dial-up packet sent by the UP device.
  • the following focuses on the content of the dial-up packets sent by the UP device, taking the case where the user equipment sends the original dial-up packets as an example.
  • the dialing method includes but is not limited to PPPoE dialing or DHCP dialing.
  • for PPPoE dial-up, the original dial-up packets sent by the user equipment are PPPoE dial-up packets.
  • for DHCP dial-up, the original dial-up packets sent by the user equipment are DHCP dial-up packets.
  • the PPPoE dial-up message is, for example, a PADI message. See Table 10 below, which is an example of the PADI message format.
  • Table 12 is an example of the format of the DHCP dial-up message.
  • the numbers in parentheses in Table 12 indicate the length of the field, for example, the message type (1) indicates that the length of the message type field is 1 byte, and the transaction ID (4) indicates that the length of the transaction ID field is 4 bytes.
  • the first packet of a DHCP dial-up packet is a DHCP discovery packet.
  • when a DHCP client requests an address, it does not know the location of the DHCP server, so the DHCP client broadcasts a request message in the local network, which is called a DHCP discovery message.
  • the DHCP discovery message is used to discover the DHCP server on the network. All DHCP servers that receive the DHCP discovery message will send a response message, so that the DHCP client can know the location of the DHCP server in the network. See Table 14 below, which is an example of the format of the DHCP discovery message. The meaning of each field in the DHCP dial-up message shown in Table 14 is shown in Table 13 above.
  • the above example describes the format of the dial-up packet.
  • the following describes how the UP device adds a watermark to the dial-up packet.
  • the UP device obtains the first VNI from the first control message; or the UP device obtains the pre-agreed first VNI, or the UP device generates the first VNI according to the parameters carried in the first control message A VNI.
  • the UP device carries the first VNI in the dial-up message, so that the VNI in the dial-up message sent by the UP device changes from the original VNI to the adjusted VNI.
  • the UP device obtains the first random number from the first control message; or the UP device obtains the pre-agreed first random number; or the UP device generates the first random number according to the parameters carried in the first control message. After the UP device obtains the first random number in any of the three ways, it carries the first random number in the dial-up packet, so that the dial-up packet sent by the UP device carries the random number delivered by the CP device.
  • the UP device determines the first timestamp according to the time synchronization mechanism between the UP device and the CP device, and the first timestamp is used to indicate the time point of synchronization between the UP device and the CP device.
  • the UP device carries the first time stamp in the dial-up message, so that the dial-up message sent by the UP device adds a time stamp corresponding to the synchronization time point.
  • the precision of the first timestamp is second.
  • the time point of synchronization between the UP device and the CP device is 17:43:05 on July 20, 2020, and the first timestamp is 20200720174305.
  • the UP device generates the first time stamp, and carries the generated first time stamp in the dial-up packet.
  • the first control message carries a timestamp format
  • the UP device generates the first timestamp according to the timestamp format.
  • the CP device and the UP device agree on a timestamp format by transmitting the first control message, thereby adding a watermark according to the pre-agreed timestamp format.
  • the timestamp format is, for example, the precision of the timestamp, the number of digits of the timestamp, and the like.
  • the first timestamp is a complete timestamp.
  • the first timestamp is part of a complete timestamp.
  • the first timestamp is the hour, minute, and second in a full timestamp.
  • a full timestamp is 20200720174305 and the first timestamp is 170510.
  • the UP device performs a hash operation on at least one parameter in the dial-up message to obtain the first message authentication code, and carries the first message authentication code in the dial-up message, so that the message authentication code is added to the dial-up message sent by the UP device. Specifically, the UP device obtains the format of the message verification code according to the first control message; or, the UP device obtains a pre-agreed format of the message verification code. After the UP device determines the format of the message verification code in either of the two ways, it performs a hash operation on at least one parameter in the dial-up message according to that format.
  • for example, the UP device hashes the source MAC address and the destination MAC address in the dial-up packet, and uses the obtained hash value as the first message verification code.
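As an added example that is not part of the patent, the following Python computes the message verification code for the three formats described above (format 0: source and destination MAC; format 1: plus source and destination IP; format 2: plus the UDP header) over an Ethernet II / IPv4 / UDP original dial-up packet such as a DHCP discovery, and shows the matching CP-side check. The hash function (SHA-256 truncated to 8 bytes) and the sample frame builder are assumptions of this example, since the patent does not name them.

```python
import hashlib
import hmac
import struct

# Message verification code formats carried in the first control message.
MVC_FORMAT_MAC = 0          # hash(source MAC || destination MAC)
MVC_FORMAT_MAC_IP = 1       # ... || source IP || destination IP
MVC_FORMAT_MAC_IP_UDP = 2   # ... || UDP header

# Assumption: the patent names neither the hash nor the code length, so this
# example uses SHA-256 truncated to 8 bytes.
MVC_LEN = 8


def dialup_fields(frame):
    """Extract the hashed fields from an Ethernet II / IPv4 / UDP dial-up frame
    (the layout of a DHCP discovery packet)."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("frame too short")
    dmac, smac = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        raise ValueError("not UDP")
    sip, dip = ip[12:16], ip[16:20]
    udp_hdr = ip[ihl:ihl + 8]
    if len(udp_hdr) != 8:
        raise ValueError("truncated UDP header")
    return smac, dmac, sip, dip, udp_hdr


def compute_mvc(frame, fmt):
    """UP side: hash the fields selected by the format field and return the code."""
    if fmt not in (MVC_FORMAT_MAC, MVC_FORMAT_MAC_IP, MVC_FORMAT_MAC_IP_UDP):
        raise ValueError("unknown verification code format")
    smac, dmac, sip, dip, udp_hdr = dialup_fields(frame)
    material = smac + dmac
    if fmt >= MVC_FORMAT_MAC_IP:
        material += sip + dip
    if fmt >= MVC_FORMAT_MAC_IP_UDP:
        material += udp_hdr
    return hashlib.sha256(material).digest()[:MVC_LEN]


def verify_mvc(frame, fmt, carried):
    """CP side: recompute over the received original packet and compare in
    constant time with the code carried in the watermark field."""
    if len(carried) != MVC_LEN:
        return False
    return hmac.compare_digest(compute_mvc(frame, fmt), carried)


def build_dialup_frame(smac, dmac, sip, dip, sport, dport, payload):
    """Constructed sample frame: Ethernet II + IPv4 + UDP, checksums left zero."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, sip, dip)
    return dmac + smac + b"\x08\x00" + ip + udp


if __name__ == "__main__":
    # Constructed DHCP-style discovery: client MAC -> broadcast, 0.0.0.0 -> 255.255.255.255
    frame = build_dialup_frame(bytes.fromhex("020000000001"), b"\xff" * 6,
                               bytes([0, 0, 0, 0]), bytes([255, 255, 255, 255]),
                               68, 67, b"\x01")
    code = compute_mvc(frame, MVC_FORMAT_MAC_IP)
    print(code.hex(), verify_mvc(frame, MVC_FORMAT_MAC_IP, code))
```

Because the format carries no key, the check detects that the hashed fields of a received packet differ from those the code was computed over; it does not by itself prove that the packet originated at the UP device.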
  • the UP device sends a dial-up message including a watermark to the CP device.
  • a UDP-based tunnel is established between the UP device and the CP device, and the UP device sends a dial-up packet including a watermark through the UDP-based tunnel, where the dial-up packet including the watermark is a UDP packet.
  • FIG. 6 is an illustration of the network architecture formed by the UP device, the CP device and the attacker.
  • (b) in FIG. 6 is an example of the format of the dial-up message sent by the UP device when the watermark function is turned off.
  • (c) in FIG. 6 is an example of the format of the dial-up message sent by the attacker.
  • (d) in FIG. 6 is an example of the format of the dial-up message sent by the UP device when the watermark function is enabled. Specifically, when the watermark function is disabled, the UP device will encapsulate the UDP-based tunnel header on the basis of the original dial-up message sent by the user equipment, and then send the dial-up message including the UDP-based tunnel header.
  • the dial-up message sent by the UP device includes two parts, which are the UDP-based tunnel header and the original dial-up message sent by the user equipment.
  • the attacker captures the dial-up packets sent by the UP device to the CP device, and hops the MAC address or VLAN number in the dial-up packets to obtain hopping dial-up packets.
  • the attacker also sends the hopping dial-up packets through the UDP-based tunnel. Therefore, as shown in (c) of FIG. 6, the dial-up message sent by the attacker includes two parts, which are the UDP-based tunnel header and the hopping dial-up message.
  • the CP device finds that the rate of the dial packets exceeds the rate threshold for a certain period of time, and sends a control message to the UP device to instruct the UP device to add a watermark.
  • the UP device enables the watermark function.
  • the UP device encapsulates the UDP-based tunnel header and watermark on the basis of the original dial-up message sent by the user equipment, and then sends the dial-up message including the UDP-based tunnel header and watermark. Therefore, as shown in (d) of FIG. 6, the dial-up message sent by the UP device includes three parts, which are the UDP-based tunnel header, the watermark field and the original dial-up message sent by the user equipment.
  • the carrying position of the watermark field is between the UDP-based tunnel header and the original dial-up message sent by the user equipment.
  • the watermark field shown in (d) of FIG. 6 is specifically a random number field, and the random number field carries the first random number.
  • the watermark field shown in (d) of FIG. 6 is specifically a timestamp field, and the timestamp field carries the first timestamp.
  • the watermark field shown in (d) of FIG. 6 is specifically the message authentication code field, and the message authentication code field carries the first message authentication code.
  • the watermark field is carried in a UDP-based tunnel header.
  • the UDP-based tunnel header includes a VXLAN header, the watermark field is specifically a VNI field, and the VNI field carries the first VNI.
  • the VNI field including the first VNI is located, for example, in the VXLAN header.
  • the CP device sends a dial-up message including a watermark to the UP device through the CPRi interface.
  • the dial-up message including the watermark is also called a CPRi message.
  • the specific implementation methods of the CPRi interface include, but are not limited to, the VXLAN GPE method and the GTP-C method. When different methods are used to implement the CPRi interface, the location of the watermark in the dial-up packets sent by the UP device is different.
  • the following is an example of how the UP device carries the watermark in the dial-up packet sent in the VXLAN GPE mode in case A, and how the UP device carries the watermark in the dial-up packet sent by the GTP-C mode in the case B.
  • FIG. 7 is an illustration of two encapsulation formats of the dial-up message including the watermark, i.e., of the VXLAN GPE message.
  • the dial-up message including the watermark includes, for example, three parts, namely the VXLAN GPE header, the watermark field and the original dial-up message sent by the user equipment.
  • the watermark field is located between the VXLAN GPE header and the original dial-up message sent by the user equipment.
  • the dial-up message including the watermark includes, for example, two parts, namely the VXLAN GPE header and the original dial-up message sent by the user equipment, and the watermark field is in the VXLAN GPE header.
  • the VXLAN GPE header includes a destination MAC address (Destination MAC Address, DA) field, a source MAC address (Source MAC Address, SA) field, a destination IP (Destination IP, DIP) field, a source IP (Source IP, SIP) field, a UDP header (UDP Header), a VXLAN header (VXLAN Header), and a GPE extension header.
  • the VXLAN header includes a VNI field, a Reserved (R) field, and an I field.
  • the I field is, for example, an instance bit (instance bit, referred to as I bit or I field or I flag), and the I field is used to identify whether the VNI is valid. When the value of the I field is 1, it indicates that the VNI is valid; when the value of the I field is 0, it indicates that the VNI is invalid.
  • a reserved field includes one or more bits that are reserved.
  • the VNI field includes the VNI. In this embodiment, the VNI field includes the first VNI.
  • the VXLAN header in the VXLAN GPE header further includes a Next Protocol (Next Protocol) field.
  • the value of the next protocol field is, for example, 0x7.
  • the VXLAN header in the VXLAN GPE header also includes a version (version, Ver) field, the Ver field indicates the version of the VXLAN GPE, and the initial value is 0; the VXLAN header in the VXLAN GPE header also includes the instance A bit (instance bit, referred to as I bit or I field or I flag), when the I bit carries 1, it indicates that the VNI included in the VXLAN header is a valid VNI.
  • the VXLAN header in the VXLAN GPE header also includes the next protocol bit (Next Protocol Bit, referred to as the P bit or the next protocol flag), and the P bit is used to identify that the value of the next protocol field is valid.
  • the VXLAN header in the VXLAN GPE header also includes the broadcast, unknown-unicast and multicast traffic bit (broadcast&unknown-unicast&multicast traffic bit, BUM traffic bit, referred to as B bit or B field or B flag), and the B bit is used to identify that the message is a broadcast, unknown unicast or multicast (BUM) packet.
  • the VXLAN header in the VXLAN GPE header also includes an operation and maintenance management flag bit (operation administration and maintenance flag bit, OAM flag bit, referred to as O bit or O field or O flag), and the O bit is used to identify that the message is an OAM message.
  • the GPE extension header includes a P field, a type (Class) field, and a port information (Port Info) field.
  • the P field is used to indicate the type of dialing, and the type of dialing is, for example, DHCP dialing or PPPoE dialing.
  • the type field is used to indicate the specific category of the original dial-up packet. For example, the type field indicates that the original dial-up packet is a PADI packet. For example, the type field indicates that the original dial-up message is a DHCP discovery message.
  • the port information field indicates the interface information that the user equipment accesses on the UP device.
  • the format of the VXLAN GPE message including the watermark sent by the UP device has been generally introduced above.
  • the following describes the format of the VXLAN GPE message with reference to the specific watermark types from watermark type a to watermark type d.
  • the VXLAN GPE packet sent by the UP device includes the adjusted VNI (the first VNI).
  • the first VNI is, for example, located in the VXLAN header in (b) of FIG. 7 .
  • the first VNI is located in the VXLAN header shown in Table 15, such as in the VNI field in Table 15; for another example, referring to Table 16, the first VNI is located in the VXLAN header shown in Table 16, such as in the VNI field in Table 16.
  • the VXLAN GPE packet sent by the UP device includes a random number (the first random number) generated by the CP device.
  • FIG. 8 is an illustration of a VXLAN GPE message including the first random number.
  • the first random number is, for example, located in the random number field in FIG. 8.
  • for the meaning of each field in FIG. 8, please refer to the above introduction.
  • the VXLAN GPE packet sent by the UP device includes the timestamp (first timestamp) of the synchronization time point between the UP device and the CP device.
  • FIG. 9 is an illustration of a VXLAN GPE message including the first timestamp.
  • the first timestamp is, for example, in the timestamp field in FIG. 9.
  • for the meaning of each field in FIG. 9, please refer to the above introduction.
  • the VXLAN GPE message sent by the UP device includes the message authentication code (first message authentication code) obtained by hashing the parameters in the dial-up message.
  • FIG. 10 is an illustration of a VXLAN GPE message including the first message authentication code.
  • the first message authentication code is, for example, in the message authentication code field in FIG. 10.
  • for the meaning of each field in FIG. 10, please refer to the above introduction.
  • Case B is the case where the CPRi interface is implemented by means of GTP-C.
  • the dial-up message including the watermark sent by the UP device is specifically a GTP-C message.
  • the UDP-based tunnel header shown in (d) of FIG. 6 specifically includes a GTP-C header and an NSH header.
  • the VXLAN GPE headers in the four types of dial-up messages including watermarks shown in FIG. 7 , FIG. 8 , FIG. 9 and FIG. 10 are replaced by GTP-C headers and NSH headers.
  • a field in the GTP-C header or a field in the NSH header is used to carry the watermark.
  • the CP device identifies the attack packet in the packet flow according to the watermark.
  • the packet flow refers to a series of packets received after the CP device sends the first control message.
  • the packet flow includes packets received by the CP device through the CPRi interface.
  • the CP device verifies the packet according to the watermark to identify whether the packet is an attack packet sent by an attacker or a normal packet sent by an UP device.
  • the manner in which the CP device identifies attack packets includes multiple implementations.
  • the attack packet sent by the attacker itself does not carry a watermark.
  • the CP device determines that the packet is an attack packet according to the fact that the packet does not include a watermark.
  • the packet flow includes the fifth packet, and the CP device determines that the fifth packet is an attack packet according to the fact that the fifth packet does not include a watermark.
  • the attack packet sent by the attacker carries a watermark, but the watermark is incorrect.
  • the CP device determines that the watermark carried in the packet is not the watermark previously sent by the CP device to the UP device, and therefore determines that the packet is an attack packet.
  • the specific implementation manners for the CP device to identify attack packets are illustrated by way of identification methods A to D.
  • identification method A: the CP device uses the VNI to identify attack packets.
  • the first packet refers to a packet in the packet flow received by the CP device after delivering the first VNI. If the first packet does not include the first VNI previously delivered by the CP device to the UP device, this indicates that the first packet is not a packet from the UP device. Therefore, the verification of the first packet by the CP device fails, and the CP device determines that the first packet is an attack packet. In an example, after the CP device adjusts the original VNI to the first VNI, it saves the first VNI in a local entry; when the CP device receives the first packet, it reads the first VNI from the local entry, so as to identify the attack packet by using the pre-stored first VNI.
  • the CP device can use the identification method A to discover that the received packet is an attack packet sent by an attacker.
  • the CP device determines that the first packet is an attack packet according to the fact that the first packet does not include a VNI.
  • the CP device obtains the second VNI from the first packet; the CP device determines whether the second VNI is the same as the first VNI; if the second VNI is different from the first VNI, the CP device determines that the first packet is an attack packet.
  • the second VNI refers to the VNI carried in the first packet.
  • the first packet is also sent based on the VXLAN tunnel, and the second VNI is the VNI in the VXLAN header in the first packet.
  • the CP device and the UP device can achieve the following two effects.
  • the CP device can distinguish whether the packet is an attack packet sent by the attacker or a normal packet sent by the UP device according to whether the packet contains the adjusted VNI, thereby effectively defending against network attacks by the attacker.
  • the step in which the CP device determines the attack packet according to the first VNI can be implemented by reusing the existing VXLAN process of verifying the VNI in a received VXLAN packet, and the step in which the UP device carries the first VNI in the packet can be implemented by reusing the existing VXLAN process of carrying the VNI in a sent VXLAN packet.
  • This embodiment does not limit how to identify normal packets when the identification mode A is adopted.
  • if the first packet includes the first VNI previously delivered by the CP device to the UP device, the verification of the first packet is passed, and the CP device determines that the first packet is a non-attack packet (for example, a normal packet).
  • if the CP device uses not only the VNI but also features other than the VNI to identify the packet, and the first packet includes the first VNI previously delivered by the CP device to the UP device and the other features of the first packet satisfy the normal condition, the CP device determines that the first packet is a normal packet.
  • identification method B: the CP device uses random numbers to identify attack packets.
  • the second packet refers to a packet in the packet flow received by the CP device after delivering the first random number. If the second packet does not include the first random number sent by the CP device to the UP device, this indicates that the second packet is not from the UP device. Therefore, the verification of the second packet by the CP device fails, and the CP device determines that the second packet is an attack packet. In an example, after the CP device generates the first random number, it stores the first random number in a local table entry; when the CP device receives the second packet, it reads the first random number from the local table entry, so as to identify the attack packet by using the pre-stored first random number.
  • the CP device can use the identification method B to discover that the received packets are attack packets sent by the attacker.
  • the CP device determines that the second packet is an attack packet according to the fact that the second packet does not include a random number.
  • the CP device obtains the second random number from the second packet; the CP device determines whether the second random number is the same as the first random number; if the second random number is different from the first random number, the CP device determines that the second packet is an attack packet.
  • the second random number refers to a random number carried in the second packet.
  • This embodiment does not limit how to identify normal packets when the identification mode B is adopted.
  • if the second packet includes the first random number previously sent by the CP device to the UP device, the verification of the second packet is passed, and the CP device determines that the second packet is a non-attack packet (for example, a normal packet).
  • if the CP device uses not only the random number but also features other than the random number to identify the packet, and the second packet includes the first random number previously delivered by the CP device to the UP device and the other features of the second packet meet the normal conditions, the CP device determines that the second packet is a normal packet.
  • identification method C: the CP device uses timestamps to identify attack packets.
  • the third packet refers to a packet in the packet flow received by the CP device after delivering the first control message. If the third packet does not include the first timestamp corresponding to the time point of synchronization between the CP device and the UP device, this indicates that the third packet is not a packet from the UP device. Therefore, the verification of the third packet by the CP device fails, and the CP device determines that the third packet is an attack packet.
  • the CP device obtains the first timestamp in various ways. For example, since the time between the CP device and the UP device is synchronized, when the CP device receives the third packet, it reads the timestamp corresponding to the local time point as the first timestamp. Alternatively, when the CP device receives the third packet, it uses an algorithm to compensate the timestamp corresponding to the local time point, and uses the compensated timestamp as the first timestamp.
  • the CP device can use the identification method C to discover that the received packet is an attack packet sent by an attacker.
  • the CP device determines that the third packet is an attack packet according to the fact that the third packet does not include a time stamp.
  • the CP device obtains the second timestamp from the third packet; the CP device compares the second timestamp with the first timestamp; if the time difference between the second timestamp and the first timestamp is greater than the time difference threshold, the CP device determines that the third packet is an attack packet.
  • the second timestamp refers to the timestamp carried in the third packet.
  • This embodiment does not limit how to identify normal packets when the identification mode C is adopted.
  • if the third packet includes the first timestamp, the verification of the third packet is passed, and the CP device determines that the third packet is a non-attack packet (for example, a normal packet).
  • if the time difference between the second timestamp included in the third packet and the first timestamp is less than the time difference threshold, for example, the time difference between the second timestamp and the first timestamp is within a range of plus or minus 1 second, the CP device determines that the third packet is a normal packet.
  • if the CP device uses not only the timestamp but also features other than the timestamp to identify the packet, and the third packet includes the first timestamp and the other features of the third packet meet the normal conditions, the CP device determines that the third packet is a normal packet.
  • identification method D: the CP device uses the message authentication code to identify attack packets.
  • the fourth packet refers to a packet in the packet flow received by the CP device after delivering the first control message. If the fourth packet does not include the first message authentication code, this indicates that the fourth packet is not from the UP device. Therefore, the verification of the fourth packet by the CP device fails, and the CP device determines that the fourth packet is an attack packet.
  • after the CP device sends the format of the message authentication code through the first control message, it saves the format of the message authentication code in a local table entry; when the CP device receives the fourth packet, it reads the format of the message authentication code from the local table entry and performs a hash operation on at least one parameter in the dial-up message according to the pre-stored format, so as to obtain the first message authentication code.
  • the CP device can use the identification method D to discover that the received packets are attack packets sent by the attacker.
  • the CP device determines that the fourth packet is an attack packet according to the fact that the fourth packet does not include the message authentication code.
  • the CP device obtains the second message authentication code from the fourth packet; the CP device determines whether the second message authentication code is the same as the first message authentication code; if the second message authentication code is different from the first message authentication code, the CP device determines that the fourth packet is an attack packet.
  • the second message authentication code refers to the message authentication code carried in the fourth packet.
  • This embodiment does not limit how to identify normal packets when the identification mode D is adopted.
  • if the fourth packet includes the first message authentication code, the verification of the fourth packet is passed, and the CP device determines that the fourth packet is a non-attack packet (for example, a normal packet).
  • if the CP device uses not only the message authentication code but also characteristics other than the message authentication code to identify the packet, and the fourth packet includes the first message authentication code and the other characteristics of the fourth packet satisfy the normal condition, the CP device determines that the fourth packet is a normal packet.
  • identification method A to identification method D can be combined in any manner.
  • in one example, only one type of watermark from identification method A to identification method D is used to defend against attacks; in another example, two or more types of watermarks from identification method A to identification method D are used at the same time to defend against attacks.
  • the CP device generates and sends a first control message, and the first control message is used to instruct the UP device to carry the first VNI and the first random number when sending a dial-up message to the CP device;
  • the UP device carries the first VNI and the first random number in the dial-up message according to the first control message; the UP device sends the dial-up message including the first VNI and the first random number to the CP device.
  • the CP device determines that the first packet is an attack packet according to the fact that the first packet does not include the first VNI or does not include the first random number.
  • the CP device determines that the first packet is a normal packet according to the first packet including the first VNI and the first random number.
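The following is an added worked model of the CP device's verification logic for identification methods A to D and their combination; it is example code written for this page, not the patent's own implementation. The DialUpPacket and CpState classes, the SHA-256 encoding of the message authentication code format and the sample values are all assumptions.

```python
"""Model of the CP device's watermark checks (identification methods A to D).
Constructed example: DialUpPacket and CpState are assumed stand-ins for the
VXLAN GPE watermark fields (FIG. 7 to FIG. 10) and the CP device's local entries."""
import hashlib
import hmac
from dataclasses import dataclass, field

TIME_DIFF_THRESHOLD = 1.0  # method C: the +/- 1 s window given on the page


@dataclass
class DialUpPacket:
    """Dial-up packet received over the CPRi interface; None = watermark field absent."""
    params: dict = field(default_factory=dict)  # parameters of the original dial-up message
    vni: int = None
    random_number: int = None
    timestamp: float = None
    mac: bytes = None


@dataclass
class CpState:
    """Local table entries the CP device keeps after sending the first control message."""
    first_vni: int = None
    first_random_number: int = None
    mac_format: list = None  # ordered parameter names the MAC is hashed over


def compute_mac(params: dict, mac_format: list) -> bytes:
    """Hash the named dial-up parameters in format order. The page only says
    'hash operation'; SHA-256 over length-prefixed name=value pairs is assumed."""
    h = hashlib.sha256()
    for name in mac_format:
        item = f"{name}={params.get(name, '')}".encode()
        h.update(len(item).to_bytes(2, "big") + item)
    return h.digest()


def check_vni(pkt, state) -> bool:
    """Method A: no VNI, or a second VNI differing from the first VNI, fails."""
    return pkt.vni is not None and pkt.vni == state.first_vni


def check_random_number(pkt, state) -> bool:
    """Method B: no random number, or one differing from the first random number, fails."""
    return pkt.random_number is not None and pkt.random_number == state.first_random_number


def check_timestamp(pkt, local_time, clock_offset=0.0, threshold=TIME_DIFF_THRESHOLD) -> bool:
    """Method C: first timestamp = CP local time at reception (optionally compensated);
    a missing timestamp or a difference of at least the threshold fails."""
    if pkt.timestamp is None:
        return False
    return abs(pkt.timestamp - (local_time + clock_offset)) < threshold


def check_mac(pkt, state) -> bool:
    """Method D: recompute the first MAC from the pre-stored format and compare."""
    if pkt.mac is None or state.mac_format is None:
        return False
    # constant-time compare so the check leaks nothing about the expected value
    return hmac.compare_digest(compute_mac(pkt.params, state.mac_format), pkt.mac)


def classify(pkt, state, local_time, methods="A", clock_offset=0.0) -> str:
    """'attack' if any enabled check fails, else 'normal'. methods is a string of
    method letters: 'AB' is the combined VNI + random number case, 'ABCD' uses all."""
    checks = {
        "A": lambda: check_vni(pkt, state),
        "B": lambda: check_random_number(pkt, state),
        "C": lambda: check_timestamp(pkt, local_time, clock_offset),
        "D": lambda: check_mac(pkt, state),
    }
    return "normal" if all(checks[m]() for m in methods) else "attack"


def demo() -> dict:
    """Classify constructed sample packets against one CP state."""
    state = CpState(first_vni=1001, first_random_number=0x5EED,
                    mac_format=["user_mac", "session_id"])
    params = {"user_mac": "02:00:5e:00:53:01", "session_id": "42"}  # constructed values
    good_mac = compute_mac(params, state.mac_format)
    now = 1000.0
    cases = {
        "genuine": (DialUpPacket(params, 1001, 0x5EED, 1000.4, good_mac), "ABCD"),
        "no_watermark": (DialUpPacket(params), "A"),
        "stale_vni": (DialUpPacket(params, 1000, 0x5EED, 1000.4, good_mac), "AB"),
        "old_timestamp": (DialUpPacket(params, 1001, 0x5EED, 990.0, good_mac), "C"),
        # parameters changed after the MAC was computed: method D catches it
        "tampered": (DialUpPacket({**params, "session_id": "43"}, 1001, 0x5EED, 1000.4, good_mac), "D"),
    }
    return {name: classify(pkt, state, now, methods) for name, (pkt, methods) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
```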
  • the CP device also determines whether the attack packet is sent from the UP device according to the watermark. If the attack packet is sent from the UP device, the CP device limits the rate of the user-side interface on the UP device.
  • the user-side interface refers to the interface connected to the access network or the aggregation network.
  • the user-side interface is the interface used by the UP device to receive original dial-up packets from the user equipment.
  • the CP device sends a third control message to the UP device, where the third control message is used to instruct the UP device to limit the rate of the user-side interface.
  • the UP device limits the rate of the original dial-up packets received through the user-side interface. In this way, in scenarios such as home terminal poisoning, by limiting the rate of the user-side interface of the UP device, the problem of home terminals dialing up to the UP device in a concentrated burst can be solved.
  • the CP device discards the attack packet.
  • the CP device distinguishes attack packets from normal packets according to the watermark, and discards the attack packets. Since the CP device does not need to respond to the attack packets by dialing up, performing authentication and other dial-up processing actions, the computing resources of the CP device are saved. In order to avoid the situation that normal packets are randomly discarded by the token bucket, the CP device can perform dial-up processing for normal packets to ensure that normal users can go online.
  • the CP device cooperates with a designated UP device to defend against attacks through watermarking. For example, the CP device measures the rate of the dial-up packets of each source IP address, and obtains the corresponding reception rate of the dial-up packets of each source IP address. If the reception rate of the dial-up packets of the first source IP address satisfies the abnormal condition, the CP device determines, among at least one UP device associated with the CP device, the first UP device having the first source IP address, and sends the first control message to the first UP device. After that, the first UP device carries the watermark in the dial-up message.
  • the CP device identifies the attack packet in the packet flow whose IP address is the first source IP address.
  • since the attacker often impersonates the identity of the UP device when launching an attack, that is, the attacker uses the same source IP address as a certain UP device to send packets, if the reception rate of the dial-up packets with the first source IP address satisfies the abnormal condition, this indicates that the dial-up packets of the first source IP address are likely to be forged by an attacker. Therefore, the CP device defends against the attack by linking with the designated first UP device. Compared with requiring all UP devices in the system to carry watermarks in the dial-up messages they send, and the CP device performing watermark verification on all received message flows, the network attack defense function is more precise and the overhead is lower.
  • in response to the reception rate of the dial-up message meeting the normal condition, the CP device generates a second control message, where the second control message is used to instruct the UP device to cancel carrying the watermark when sending the dial-up message to the CP device.
  • the CP device determines that the network attack has stopped, and the CP device generates and sends a second control message to instruct the UP device to cancel the watermark when sending dial-up packets, thereby turning off the function of defending against attacks by means of the watermark and reducing network overhead and equipment pressure.
  • the CP device measures the reception rate of dial-up packets. If the duration for which the reception rate exceeds the rate threshold is less than the preset duration, or the duration for which the reception rate is below the rate threshold is greater than the preset duration, or the reception rate of dial-up packets is lower than the rate threshold, then the CP device determines that the reception rate satisfies the normal condition.
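The per-source-IP rate watch that turns the watermark defense on (first control message) and off (second control message), as an added example written for this page rather than the patent's own code. The sliding-window rate estimate and the abnormal condition (rate above the threshold for at least the preset duration) are assumptions; the normal condition implemented is the "below the threshold for longer than the preset duration" clause above.

```python
"""Model of the CP device's per-source-IP rate watch that switches the watermark
defense on (first control message) and off (second control message).
Constructed example: the abnormal condition and the window-based rate estimate
are assumptions; the normal condition follows the page."""
from collections import deque


class SourceRateWatch:
    """Tracks the dial-up reception rate of one source IP address on the CP device."""

    def __init__(self, rate_threshold, preset_duration, window=1.0):
        self.rate_threshold = rate_threshold    # packets per second
        self.preset_duration = preset_duration  # seconds
        self.window = window                    # trailing window for the rate estimate (assumed)
        self.arrivals = deque()                 # reception times still inside the window
        self.above_since = None                 # when the rate last rose above the threshold
        self.below_since = None                 # when the rate last fell to or below it
        self.watermark_on = False               # True once the first control message was sent

    def rate(self, now):
        """Packets per second over the trailing window."""
        while self.arrivals and now - self.arrivals[0] > self.window:
            self.arrivals.popleft()
        return len(self.arrivals) / self.window

    def evaluate(self, now):
        """Return 'first_control', 'second_control' or None for this instant."""
        if self.rate(now) > self.rate_threshold:
            self.below_since = None
            self.above_since = now if self.above_since is None else self.above_since
        else:
            self.above_since = None
            self.below_since = now if self.below_since is None else self.below_since
        if not self.watermark_on:
            # abnormal condition (assumed): above the threshold for at least the preset duration
            if self.above_since is not None and now - self.above_since >= self.preset_duration:
                self.watermark_on = True
                return "first_control"
        else:
            # normal condition from the page: below the threshold for longer than the preset
            # duration, so a brief dip does not switch the watermark off again
            if self.below_since is not None and now - self.below_since > self.preset_duration:
                self.watermark_on = False
                return "second_control"
        return None

    def observe(self, now):
        """Record one received dial-up packet and re-evaluate."""
        self.arrivals.append(now)
        return self.evaluate(now)


class CpRateMonitor:
    """Per-source bookkeeping; each event names the UP device (by source IP) to signal."""

    def __init__(self, rate_threshold=10.0, preset_duration=2.0):
        self.rate_threshold = rate_threshold
        self.preset_duration = preset_duration
        self.sources = {}

    def on_dial_up(self, src_ip, now):
        """Returns [(src_ip, event)] when a control message should be sent, else []."""
        watch = self.sources.setdefault(
            src_ip, SourceRateWatch(self.rate_threshold, self.preset_duration))
        event = watch.observe(now)
        return [(src_ip, event)] if event else []

    def tick(self, now):
        """Periodic re-evaluation so a source that went quiet can be released."""
        events = []
        for src_ip, watch in self.sources.items():
            event = watch.evaluate(now)
            if event:
                events.append((src_ip, event))
        return events


def simulate():
    """Constructed traffic: one source bursts at 50 pps for 3 s, another stays at 1 pps."""
    monitor = CpRateMonitor(rate_threshold=10.0, preset_duration=2.0)
    log = []
    for k in range(150):                       # 203.0.113.7 sends 50 pps for 3 s
        log += monitor.on_dial_up("203.0.113.7", k * 0.02)
    for k in range(3):                         # 198.51.100.5 sends 1 pps
        log += monitor.on_dial_up("198.51.100.5", float(k))
    log += monitor.tick(10.0)                  # quiet, but not yet for the preset duration
    log += monitor.tick(13.0)                  # quiet for longer than the preset duration
    return log


if __name__ == "__main__":
    for src_ip, event in simulate():
        print(src_ip, event)
```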
  • the CUSP is extended to implement the second control message.
  • a new type of CUSP message is extended.
  • the new type of CUSP message is used to instruct the UP device to cancel carrying the watermark when sending the dial-up message to the CP device
  • the new type of CUSP message is the second control message.
  • the CUSP message as the second control message includes a type field.
  • the type field in the CUSP message includes the type value.
  • the type value identifies the CUSP message and instructs the UP device to cancel carrying the watermark when sending the dial-up message to the CP device.
  • the type value is the type of control messages in Table 2 of RFC 8772.
  • Table 18 is an example of a CUSP message as the second control message.
  • the watermark end (waterprint_End) in Table 18 is an example of the type name of the CUSP message as the second control message.
  • 10 in Table 18 is an example of the type value of the CUSP message as the second control message.
  • PFCP is extended to implement the second control message.
  • the PFCP message as the second control message includes the Watermark IE.
  • the second control message is a PFCP node message.
  • the second control message is a PFCP session message.
  • the CP device sends a second control message to the UP device.
  • the UP device receives the second control message from the CP device.
  • the UP device sends a dial-up message that does not include a watermark to the CP device according to the second control message.
  • the dial-up message sent by the UP device includes, for example, the original dial-up message but does not include the watermark.
  • the original dial-up packet is sent by the user equipment; in another example, the original dial-up packet may also be sent by an access device connected to the user equipment.
  • the original dial-up message is transmitted to the UP device. Since the second control message indicates that the UP device cancels carrying the watermark when sending the dial-up message to the CP device, when the UP device receives the original dial-up message, it no longer carries the watermark in the dial-up message according to the second control message sent by the CP device, so that the dial-up packets sent by the UP device no longer include the watermark.
  • the CP device sends a control message to the UP device when it finds that the reception rate of the dial-up message is abnormal, so as to notify the UP device through the control message to carry the watermark when sending the dial-up message. Since the dial-up packets sent by the UP device include a watermark and the attack packets sent by the attacker do not, the CP device can effectively identify the attack packets in the received packet flow according to the watermark, so that the attack packets are discarded by the CP device, thereby effectively resisting network attacks, reducing the risk of the CP device being attacked, and improving the security of the CP device and the communication system.
  • the interaction process in which the CP device and the UP device participate is exemplarily introduced above through the method 300 .
  • the following describes the CP device and the UP device in the embodiments of the present application.
  • the CP device and the UP device described below have any of the functions of the CP device and the UP device in the foregoing method 300, respectively.
  • FIG. 11 shows a possible schematic structural diagram of the CP device involved in the above embodiment.
  • the CP device 400 shown in FIG. 11, for example, implements the functions of the CP device in the method 300 .
  • the CP device 400 includes a processing unit 401 and a sending unit 402 .
  • Each unit in the CP device 400 is implemented in whole or in part by software, hardware, firmware or any combination thereof.
  • Each unit in the CP device 400 is used to perform the corresponding functions of the CP device in the above method 300 .
  • the processing unit 401 is configured to support the CP device 400 to execute S303, S309 and S310.
  • the sending unit 402 is configured to support the CP device 400 to perform S304.
  • the processing unit 401 and the sending unit 402 are also configured to support the CP device 400 to perform other processes performed by the CP device in the techniques described herein.
  • the processing unit 401 is further configured to support the CP device 400 to execute S311.
  • the sending unit 402 is further configured to support the CP device 400 to perform S312.
  • for the specific execution process of S311, please refer to the detailed description of the corresponding steps in the method 300, which will not be repeated here.
  • the various units in the CP device 400 are integrated into one processing unit.
  • each unit in the CP device 400 is integrated on the same chip.
  • the chip includes a processing circuit, an input interface and an output interface that are internally connected and communicated with the processing circuit.
  • the processing unit 401 is implemented by a processing circuit in the chip.
  • the sending unit 402 is implemented through an output interface in the chip.
  • the chip uses one or more field programmable gate arrays (FPGA), programmable logic devices (PLD), controllers, state machines, gate logic, discrete hardware components, any other suitable circuit, or any combination of circuits capable of performing the various functions described throughout this application.
  • each unit of the CP device 400 physically exists independently.
  • a part of the units of the CP device 400 exist physically alone, and another part of the units are integrated in one unit.
  • the processing unit 401 and the sending unit 402 are the same unit.
  • the processing unit 401 and the sending unit 402 are different units.
  • the integration of the different units is implemented in the form of hardware, that is, the different units correspond to the same hardware.
  • the integration of different units is implemented in the form of software units.
  • the processing unit 401 in the CP device 400 is implemented by at least one of the processor 701 or the processor 705 in the device 700 .
  • the sending unit 402 in the CP device 400 is implemented through the communication interface 704 in the device 700 .
  • the processing unit 401 in the CP device 400 is implemented by at least one of the central processing unit 611 in the device 600, the central processing unit 631 on the interface board 603, the network processor 632, the central processing unit 641 on the interface board 640, or the network processor 642 .
  • the sending unit 402 in the CP device 400 is implemented by at least one of the physical interface card 633 or the physical interface card 643 in the device 600 .
  • each unit in the CP device 400 is software generated after the processor 701 or the processor 705 in the device 700 reads the program code stored in the memory 703; or, for example, each unit in the CP device 400 is software generated after the central processing unit 611 in the device 600, the central processing unit 631 on the interface board 603, the network processor 632, the central processing unit 641 on the interface board 640, or the network processor 642 reads the program code stored in the memory 612.
  • the CP device 400 is a virtualized device.
  • the virtualization device includes, but is not limited to, at least one of a virtual machine, a container, and a Pod.
  • the CP device 400 is deployed on a hardware device (eg, a physical server) in the form of a virtual machine.
  • the CP device 400 is implemented based on a general physical server combined with a Network Functions Virtualization (NFV) technology.
  • the CP device 400 is, for example, a virtual host, a virtual router, or a virtual switch.
  • the CP device 400 is deployed on a hardware device in the form of a container (eg, a Docker container).
  • the process of the CP device 400 executing the above method embodiments is encapsulated in an image file, and the hardware device creates the CP device 400 by running the image file.
  • the CP device 400 is deployed on a hardware device in the form of a Pod.
  • a Pod includes a plurality of containers, and each container is used to implement one or more units in the CP device 400 .
  • FIG. 12 shows a possible schematic structural diagram of the UP device involved in the above embodiment.
  • the UP device 500 shown in FIG. 12, for example, implements the functions of the UP device in the method 300 .
  • the UP device 500 includes a receiving unit 501 , a processing unit 502 and a sending unit 503 .
  • Each unit in the UP device 500 is implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • Each unit in the UP device 500 is used to perform the corresponding functions of the UP device in the above method 300 .
  • the receiving unit 501 is configured to support the UP device 500 to perform S305.
  • the processing unit 502 is used to support the UP device 500 to execute S307.
  • the sending unit 503 is used to support the UP device 500 to perform S308.
  • the receiving unit 501, the processing unit 502, or the sending unit 503 are also used to support the UP device 500 to perform other processes performed by the UP device in the techniques described herein.
  • the receiving unit 501 is configured to support the UP device 500 to perform other receiving operations performed by the UP device in the method 300, such as S313.
  • the sending unit 503 is configured to support the UP device 500 to perform other sending operations performed by the UP device in the method 300, such as S315.
  • for the specific execution process of S315, please refer to the detailed description of the corresponding steps in the method 300, which will not be repeated here.
  • the various units in the UP device 500 are integrated into one processing unit.
  • each unit in the UP device 500 is integrated on the same chip.
  • the chip includes a processing circuit, an input interface and an output interface that are internally connected and communicated with the processing circuit.
  • the processing unit 502 is implemented by a processing circuit in the chip.
  • the receiving unit 501 is implemented by an input interface in the chip.
  • the sending unit 503 is implemented through an output interface in the chip.
  • the chip uses one or more field programmable gate arrays (FPGA), programmable logic devices (PLD), controllers, state machines, gate logic, discrete hardware components, any other suitable circuit, or any combination of circuits capable of performing the various functions described throughout this application.
  • each unit of the UP device 500 physically exists separately.
  • some units of the UP device 500 are physically separate and some units are integrated into one unit.
  • the processing unit 502 and the sending unit 503 are the same unit.
  • the processing unit 502 and the sending unit 503 are different units.
  • the integration of the different units is implemented in the form of hardware, that is, the different units correspond to the same hardware.
  • the integration of different units is implemented in the form of software units.
  • the processing unit 502 in the UP device 500 is implemented by at least one of the processor 701 or the processor 705 in the device 700 .
  • the receiving unit 501 and the sending unit 503 in the UP device 500 are implemented, for example, by the communication interface 704 in the device 700 .
  • the processing unit 502 in the UP device 500 is implemented by at least one of the central processing unit 611 in the device 600, the central processing unit 631 on the interface board 603, the network processor 632, the central processing unit 641 on the interface board 640, or the network processor 642 .
  • the receiving unit 501 and the sending unit 503 in the UP device 500 are implemented by at least one of the physical interface card 633 or the physical interface card 643 in the device 600 .
  • each unit in the UP device 500 is software generated after the processor 701 or the processor 705 in the device 700 reads the program code stored in the memory 703; or, for example, each unit in the UP device 500 is software generated after the central processing unit 611 in the device 600, the central processing unit 631 on the interface board 603, the network processor 632, the central processing unit 641 on the interface board 640, or the network processor 642 reads the program code stored in the memory 612.
  • the UP device 500 is a virtualized device.
  • the virtualization device includes, but is not limited to, at least one of a virtual machine, a container, and a Pod.
  • the UP device 500 is deployed on a hardware device (eg, a physical server) in the form of a virtual machine.
  • the UP device 500 is implemented based on a general physical server combined with a Network Functions Virtualization (NFV) technology.
  • the UP device 500 is, for example, a virtual host, a virtual router or a virtual switch.
  • the UP device 500 is deployed on a hardware device in the form of a container (eg, a docker container).
  • the process of the UP device 500 executing the above method embodiments is encapsulated in an image file, and the hardware device creates the UP device 500 by running the image file.
  • the UP device 500 is deployed on a hardware device in the form of a Pod.
  • a Pod includes a plurality of containers, each of which is used to implement one or more units in the UP device 500.
  • the above describes how to implement the CP device and the UP device from the perspective of logical functions through the CP device 400 and the UP device 500 .
  • the following describes how to implement the CP device or the UP device from the perspective of hardware through the device 600 and the device 700 .
  • the device 600 shown in FIG. 13 or the device 700 shown in FIG. 14 is an example of the hardware structure of the CP device or the UP device.
  • the device 600 or the device 700 corresponds to the CP device or the UP device in the above method 300, and the hardware, modules and the other operations and/or functions in the device 600 or the device 700 are respectively for realizing the CP device or the UP device in the method embodiment.
  • the steps of the methods disclosed in conjunction with the embodiments of the present application may be directly embodied as executed by a hardware processor, or executed by a combination of hardware and software modules in the processor.
  • the software modules are located in, for example, random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, registers and other storage media mature in the art.
  • the storage medium is located in the memory, and the processor reads the information in the memory, and completes the steps of the above method in combination with its hardware, which will not be described in detail here to avoid repetition.
  • FIG. 13 shows a schematic diagram of a hardware structure of a device provided by an exemplary embodiment of the present application.
  • the device 600 is configured as a CP device or a UP device in the method 300, for example.
  • the device 600 includes: a main control board 610 and an interface board 630.
  • the main control board is also called a main processing unit (MPU) or a route processor card.
  • the main control board 610 is used to control and manage various components in the device 600, including route calculation, device management, device maintenance, and protocol processing functions.
  • the main control board 610 includes: a central processing unit 611 and a memory 612.
  • the interface board 630 is also referred to as a line processing unit (LPU), a line card or a service board.
  • the interface board 630 is used to provide various service interfaces and realize data packet forwarding.
  • the service interface includes, but is not limited to, an Ethernet interface, a POS (Packet over SONET/SDH) interface, etc.
  • the Ethernet interface is, for example, a flexible Ethernet service interface (Flexible Ethernet Clients, FlexE Clients).
  • the interface board 630 includes: a central processing unit 631, a network processor 632, a forwarding table entry storage 634 and a physical interface card (PIC) 633.
  • the central processing unit 631 on the interface board 630 is used to control and manage the interface board 630 and to communicate with the central processing unit 611 on the main control board 610.
  • the network processor 632 is used to implement packet forwarding processing.
  • the form of the network processor 632 is, for example, a forwarding chip.
  • the network processor 632 is configured to forward a received packet based on the forwarding table stored in the forwarding table entry memory 634: if the destination address of the packet is the address of the device 600, the packet is sent to the CPU (eg, the central processing unit 611) for processing; if the destination address of the packet is not the address of the device 600, the next hop and outbound interface corresponding to the destination address are looked up in the forwarding table according to the destination address, and the packet is forwarded to the outbound interface corresponding to the destination address.
  • the processing of an uplink packet includes: processing the inbound interface of the packet and looking up the forwarding table; the processing of a downlink packet includes: looking up the forwarding table, and so on.
  • the physical interface card 633 is used to implement the interconnection function of the physical layer: the original traffic enters the interface board 630 from here, and the processed packets are sent out from the physical interface card 633.
  • the physical interface card 633 is also called a daughter card, which can be installed on the interface board 630 and is responsible for converting optical or electrical signals into packets; after checking the validity of a packet, the packet is forwarded to the network processor 632 for processing.
  • the central processing unit may also perform the functions of the network processor 632, such as implementing software forwarding based on a general-purpose CPU, so that the network processor 632 is not required in the physical interface card 633.
  • the device 600 includes multiple interface boards, for example, the device 600 further includes an interface board 640, and the interface board 640 includes a central processing unit 641, a network processor 642, a forwarding table entry storage 644 and a physical interface card 643.
  • the device 600 further includes a switch fabric board 620.
  • the switch fabric board 620 is also called, for example, a switch fabric unit (SFU).
  • the switch fabric board 620 is used to complete data exchange between the interface boards.
  • the interface board 630 and the interface board 640 communicate through, for example, the switch fabric board 620.
  • the main control board 610 and the interface board 630 are coupled.
  • the main control board 610, the interface board 630, the interface board 640, and the switch fabric board 620 are connected to the system backplane through a system bus to achieve intercommunication.
  • an inter-process communication (IPC) channel is established between the main control board 610 and the interface board 630, and the main control board 610 and the interface board 630 communicate through the IPC channel.
  • the device 600 includes a control plane and a forwarding plane.
  • the control plane includes the main control board 610 and the central processing unit 631.
  • the forwarding plane includes the various components that perform forwarding, such as the forwarding table entry memory 634, the physical interface card 633, and the network processor 632.
  • the control plane performs functions such as routing, generating forwarding tables, processing signaling and protocol packets, and configuring and maintaining device status.
  • the control plane delivers the generated forwarding tables to the forwarding plane.
  • the network processor 632 forwards the packets received by the physical interface card 633 by looking up the forwarding table delivered by the control plane.
  • the forwarding table delivered by the control plane is stored in the forwarding table entry storage 634, for example.
  • the control plane and the forwarding plane are, for example, completely separate and not on the same device.
  • the operations on the interface board 640 in the embodiments of the present application are the same as the operations on the interface board 630, and for brevity, details are not repeated here.
  • the device 600 in this embodiment may correspond to the CP device or the UP device in the above method embodiments, and the main control board 610 and the interface board 630 and/or 640 in the device 600, for example, implement the functions possessed by the CP device or the UP device and/or the various steps performed in the above method embodiments, which are not repeated here.
  • there may be one or more main control boards; when there are multiple main control boards, for example, an active main control board and a standby main control board are included.
  • a network device may have at least one switch fabric board, and the switch fabric board realizes data exchange between multiple interface boards, providing large-capacity data exchange and processing capabilities. Therefore, the data access and processing capabilities of a network device in a distributed architecture are greater than those in a centralized architecture.
  • the form of the network device can also be that there is only one board, that is, there is no switch fabric board, and the functions of the interface board and the main control board are integrated on this board.
  • the central processing unit on the interface board and the central processing unit on the main control board can be combined into one central processing unit on this board to perform the superimposed functions of the two; the data exchange and processing capacity of this form of device is low (for example, low-end switches, routers and other network devices).
  • the specific architecture used depends on the specific networking deployment scenario, and there is no restriction here.
  • FIG. 14 shows a schematic structural diagram of a device 700 provided by an exemplary embodiment of the present application, where the device 700 is configured as a CP device or a UP device in the method 300, for example.
  • the device 700 may be a host computer, a server or a personal computer or the like.
  • the device 700 may be implemented by a general bus architecture.
  • the device 700 includes at least one processor 701, a communication bus 702, a memory 703, and at least one communication interface 704.
  • the processor 701 is, for example, a general-purpose central processing unit (CPU), a network processor (NP), a graphics processing unit (GPU), a neural-network processing unit (NPU), a data processing unit (DPU), a microprocessor, or one or more integrated circuits for implementing the solution of the present application.
  • the processor 701 includes an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof.
  • the PLD is, for example, a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof.
  • the communication bus 702 is used to transfer information between the aforementioned components.
  • the communication bus 702 can be divided into an address bus, a data bus, a control bus, and the like. For ease of representation, only one thick line is shown in FIG. 14, but it does not mean that there is only one bus or one type of bus.
  • the memory 703 is, for example, a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (RAM) or other type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited to these.
  • the memory 703 exists independently, for example, and is connected to the processor 701 through the communication bus 702.
  • the memory 703 may also be integrated with the processor 701.
  • the communication interface 704 uses any transceiver-like device for communicating with other devices or a communication network.
  • the communication interface 704 includes a wired communication interface and may also include a wireless communication interface.
  • the wired communication interface may be, for example, an Ethernet interface.
  • the Ethernet interface can be an optical interface, an electrical interface or a combination thereof.
  • the wireless communication interface may be a wireless local area network (wireless local area networks, WLAN) interface, a cellular network communication interface or a combination thereof, and the like.
  • the processor 701 may include one or more CPUs, such as CPU0 and CPU1 shown in FIG. 14.
  • the device 700 may include multiple processors, such as the processor 701 and the processor 705 shown in FIG. 14.
  • each of these processors can be a single-core processor (single-CPU) or a multi-core processor (multi-CPU).
  • a processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (eg, computer program instructions).
  • the device 700 may further include an output device and an input device.
  • the output device communicates with the processor 701 and can display information in a variety of ways.
  • the output device may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, a projector, or the like.
  • the input device communicates with the processor 701 and can receive user input in a variety of ways.
  • the input device may be a mouse, a keyboard, a touch screen device, or a sensor device, or the like.
  • the memory 703 is used to store the program code 710 for executing the solution of the present application, and the processor 701 can execute the program code 710 stored in the memory 703. That is, the device 700 can implement the network attack defense method provided by the method embodiment through the processor 701 and the program code 710 in the memory 703.
  • the device 700 in this embodiment of the present application may correspond to the CP device or the UP device in the foregoing method embodiments, and the processor 701, the communication interface 704, etc. in the device 700 may implement the functions and/or the various steps and methods performed by the CP device or the UP device in the foregoing method embodiments, which are not repeated here.
  • an embodiment of the present application provides a communication system 800.
  • the system 800 includes: a CP device 801 and a UP device 802.
  • the CP device 801 is the CP device 400 shown in FIG. 11, the device 600 shown in FIG. 14, or the device 700 shown in FIG. 15.
  • the UP device 802 is the UP device 500 shown in FIG. 12, the device 600 shown in FIG. 14, or the device 700 shown in FIG. 15.
  • a computer program product includes computer instructions stored in a computer-readable storage medium.
  • the processor of the CP device reads the computer instructions from the computer-readable storage medium and executes them, so that the CP device performs the relevant steps on the CP device side in the above method 300.
  • a computer program product includes computer instructions stored in a computer-readable storage medium.
  • the processor of the UP device reads the computer instructions from the computer-readable storage medium and executes them, so that the UP device performs the relevant steps on the UP device side in the above method 300.
  • the disclosed system, apparatus and method may be implemented in other manners.
  • the apparatus embodiments described above are only illustrative.
  • the division of the unit is only a logical function division.
  • there may be other division methods; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the shown or discussed mutual coupling, direct coupling or communication connection may be indirect coupling or a communication connection through some interfaces, devices or units, and may also be an electrical, mechanical or other form of connection.
  • a unit described as a separate component may or may not be physically separated, and a component displayed as a unit may or may not be a physical unit, that is, it may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solutions of the embodiments of the present application.
  • each unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
  • the above-mentioned integrated units can be implemented in the form of hardware or in the form of software units.
  • the integrated unit if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium.
  • the technical solutions of the present application, or the part that contributes to the prior art, or all or part of the technical solutions, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods in the various embodiments of the present application.
  • the aforementioned storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and other media that can store program code.
  • the words "first", "second" and so on are used to distinguish the same or similar items that have basically the same function and effect. It should be understood that there is no logical or temporal dependency between "first" and "second", and that they do not limit the number or the execution order. It will also be understood that, although the following description uses the terms first, second, etc. to describe various elements, these elements should not be limited by the terms. These terms are only used to distinguish one element from another. For example, a first message may be referred to as a second message, and, similarly, a second message may be referred to as a first message, without departing from the scope of the various examples. Both the first message and the second message may be messages, and in some cases, may be separate and distinct messages.
  • the term "if" may be interpreted to mean "when" or "upon" or "in response to determining" or "in response to detecting".
  • the phrases "if it is determined" or "if a [stated condition or event] is detected" can be interpreted to mean "when determining" or "in response to determining" or "on detection of [stated condition or event]" or "in response to detection of [stated condition or event]".
  • the above-mentioned embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof.
  • when implemented in software, they can be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer program instructions.
  • when the computer program instructions are loaded and executed on a computer, the procedures or functions according to the embodiments of the present application are generated in whole or in part.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device.
  • the computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer program instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wire or wirelessly.
  • the computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media.
  • the available media may be magnetic media (eg, floppy disks, hard disks, magnetic tapes), optical media (eg, digital video discs (DVDs)), or semiconductor media (eg, solid state drives), and the like.

Abstract

Provided are a network attack defense method, a CP device and a UP device, which belong to the technical field of communications. The method disclosed in the present application is applied to a CP and UP disaggregated communication system. The method comprises: in response to the receiving rate of dial-up packets meeting an abnormal condition, a CP device generates a first control message, where the first control message is used to instruct a UP device to carry a watermark when sending dial-up packets to the CP device; the CP device sends the first control message to the UP device; the CP device identifies attack packets in a packet flow according to the watermark; and the CP device discards the attack packets. The method can effectively realize network attack defense and can ensure the security of the CP device.

Description

Network attack defense method, CP device and UP device
This application claims priority to Chinese patent application No. 202010803044.3, entitled "Network attack defense method, CP device and UP device", filed on August 11, 2020, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of communication technologies, and in particular to a network attack defense method, a CP device, and a UP device.
Background
With the development of software defined network (SDN) technology and network functions virtualization (NFV) technology, data communication networks are evolving from the traditional network-centric architecture to a data-center-centric network architecture. Traditional network devices are also evolving from specialized to general-purpose. In view of this, control plane and user plane disaggregated (CU separation) technology has emerged and become a research hotspot in this field. CU separation refers to a network architecture in which the control plane (CP) and the user plane (UP) are decoupled. In a CU-separated architecture, the CP and the UP are located on different hardware devices, or on the same hardware device with their functions separated. Today, the CU-separated architecture has become the next step in the evolution of many communication systems and has been recognized by mainstream vendors, operators and standards organizations.
At present, CP devices face a high risk of network attacks, which affects the security of the CP devices.
Summary
Embodiments of the present application provide a network attack defense method, a CP device and a UP device, which help to ensure the security of the CP device. The technical solution is as follows:
In a first aspect, a network attack defense method is provided. The method is applied in a communication system in which the CP and the UP are separated. Described from the perspective of the CP device, the method comprises: in response to the receiving rate of dial-up packets meeting an abnormal condition, the CP device generates a first control message, where the first control message is used to instruct the UP device to carry a watermark when sending dial-up packets to the CP device; the CP device sends the first control message to the UP device; the CP device identifies attack packets in a packet flow according to the watermark; and the CP device discards the attack packets.
With the method of the first aspect, when the CP device finds that the receiving rate of dial-up packets is abnormal, it considers itself to be under a network attack. In this case, the CP device generates and delivers a control message to the UP device, notifying the UP device to carry a watermark when sending dial-up packets up to the CP, so that the CP controls whether the UP enables the watermark. Since it is difficult for an attacker to know the watermark negotiated between the CP device and the UP device, the attacker cannot construct an attack packet containing the watermark. Therefore, when the CP device subsequently receives a packet flow, it can determine, based on whether a packet includes the watermark, whether the packet is an attack packet sent by the attacker or a normal packet sent by the UP device, and then discard the attack packet. Because attack packets are discarded by the CP device, processing of attack packets no longer consumes the processing resources of the CP device. It can be seen that the method can effectively resist network attacks and ensure the security of the CP device.
Optionally, the watermark includes a first virtual extensible local area network network identifier (VXLAN network identifier, VNI), the packet flow includes a first packet, and the CP device identifying attack packets in the packet flow according to the watermark includes: the CP device determining that the first packet is a non-attack packet according to the first packet including the first VNI.
In this optional manner, the action of the CP device determining attack packets according to the first VNI can be implemented by reusing the VNI check performed on received VXLAN packets in the virtual extensible local area network (VXLAN) forwarding process. Since the CP device can reuse existing processing logic to implement the network attack defense capability, the additional computing overhead that the CP device would otherwise incur for a newly added defense capability is saved. It can be seen that this solution for defending against network attacks has low overhead and high practicability.
Optionally, the watermark includes a first random number, the packet flow includes a second packet, and the CP device identifying attack packets in the packet flow according to the watermark includes: the CP device determining that the second packet is a non-attack packet according to the second packet including the first random number.
In this optional manner, since it is difficult for an attacker to know the first random number delivered by the CP device to the UP device, the attacker cannot construct an attack packet containing the first random number. Therefore, the CP device can effectively distinguish, according to whether a packet contains the first random number, whether the packet is an attack packet sent by an attacker or a non-attack packet (for example, a normal packet sent by the UP device), thereby effectively defending against the attacker's network attack.
Optionally, the watermark includes a first timestamp, the first timestamp is used to indicate a synchronized time point between the CP device and the UP device, the packet flow includes a third packet, and the CP device identifying attack packets in the packet flow according to the watermark includes: the CP device determining that the third packet is a non-attack packet according to the third packet including the first timestamp.
In this optional manner, on the one hand, since it is difficult for an attacker to know the time point at which the CP device and the UP device are synchronized, the attacker cannot construct an attack packet containing the first timestamp corresponding to the synchronized time point. Therefore, the CP device can effectively distinguish, according to whether a packet contains the first timestamp, whether the packet is an attack packet sent by an attacker or a non-attack packet (for example, a normal packet sent by the UP device), thereby effectively defending against the attacker's network attack. On the other hand, the time synchronization mechanism between the CP device and the UP device can be reused, which reduces implementation complexity.
Optionally, the watermark includes a first message authentication code, the packet flow includes a fourth packet, and the CP device identifying attack packets in the packet flow according to the watermark includes: the CP device determining that the fourth packet is a non-attack packet according to the fourth packet including the first message authentication code.
In this optional manner, since the CP device and the UP device use a message authentication code as the watermark for verifying packets, and the message authentication code is obtained through a hash operation, it has high security and is difficult to forge, so the ability to resist network attacks is strong.
Optionally, the first control message includes the watermark; or the first control message includes watermark type information corresponding to the watermark; or the first control message includes a parameter related to generating the watermark.
Optionally, the first control message is a control plane and user plane separated protocol (CUSP) packet, the CUSP packet includes a watermark type length value (TLV), and the watermark TLV is a TLV that carries the watermark or the parameter.
With this optional manner, because the CP device delivers the watermark to the UP device through CUSP, the architecture that the CP device and the UP device already use for CUSP communication can be reused, which improves the usability of this technical solution.
Optionally, the first control message is a Packet Forwarding Control Protocol (PFCP) message, the PFCP message includes a watermark information element (IE), and the watermark IE is an IE that carries the watermark or the parameter.
With this optional manner, because the CP device delivers the watermark to the UP device through PFCP, the architecture that the CP device and the UP device already use for PFCP communication can be reused, which improves the usability of this technical solution.
Optionally, the first control message is a PFCP node message; or the first control message is a PFCP session message.
Optionally, the packet flow includes a fifth packet, and the CP device identifying the attack packet in the packet flow according to the watermark includes: the CP device determining that the fifth packet is an attack packet according to the fifth packet not including the watermark.
Optionally, after the CP device sends the first control message to the UP device, the method further includes:
in response to the receiving rate of dial-up packets meeting a normal condition, the CP device generates a second control message, the second control message being used to instruct the UP device to stop carrying the watermark when sending dial-up packets to the CP device; and
the CP device sends the second control message to the UP device.
With this optional manner, when the CP device finds that the receiving rate of dial-up packets is normal, it confirms that the network attack has stopped. In that case the CP device generates a control message and delivers it to the UP device, thereby notifying the UP device through the control message to stop carrying the watermark when sending dial-up packets, which supports the CP controlling the UP to turn the watermark off.
Optionally, the communication system is a broadband network gateway (BNG) system or a broadband remote access server (virtual broadband remote access server, BRAS) system.
In a second aspect, a network attack defense method is provided. The method is applied in a communication system in which the CP and the UP are separated, and is described from the perspective of the UP device: the UP device receives a first control message from the CP device, the first control message being used to instruct the UP device to carry a watermark when sending a dial-up packet to the CP device; the UP device carries the watermark in the dial-up packet according to the first control message; and the UP device sends the dial-up packet including the watermark to the CP device.
With the method of the second aspect, the UP device, on receiving the control message delivered by the CP device, carries the watermark in the dial-up packet and sends the dial-up packet containing the watermark to the CP device. This helps the CP device, according to whether a packet includes the watermark, to effectively distinguish an attack packet sent by an attacker from a normal packet sent by the UP device, and then to discard the attack packet. The method can thus effectively resist network attacks and safeguard the security of the CP device.
Optionally, the watermark includes a first virtual extensible local area network network identifier (VNI).
Optionally, the watermark includes a first random number.
Optionally, the watermark includes a first timestamp.
Optionally, the watermark includes a first message authentication code.
Optionally, the first control message includes the watermark; or the first control message includes watermark type information corresponding to the watermark; or the first control message includes a parameter related to generating the watermark.
Optionally, the first control message is a control and forwarding separation protocol (CUSP) packet, the CUSP packet includes a watermark type length value (TLV), and the watermark TLV is a TLV that carries the watermark or the parameter.
Optionally, the first control message is a Packet Forwarding Control Protocol (PFCP) message, the PFCP message includes a watermark information element (IE), and the watermark IE is an IE that carries the watermark or the parameter.
Optionally, the first control message is a PFCP node message; or the first control message is a PFCP session message.
Optionally, the communication system is a broadband network gateway (BNG) system or a broadband remote access server (BRAS) system.
Optionally, after the UP device carries the watermark in the dial-up packet according to the first control message, the method further includes:
the UP device receives a second control message from the CP device, the second control message being used to instruct the UP device to stop carrying the watermark when sending dial-up packets to the CP device; and
the UP device, according to the second control message, sends the CP device dial-up packets that do not include the watermark.
In a third aspect, a CP device is provided that has the functions corresponding to the first aspect or any optional manner of the first aspect. The CP device includes at least one unit, and the at least one unit is configured to implement the method provided in the first aspect or any optional manner of the first aspect.
In one example, the units in the CP device are implemented in software and are program modules. In another example, the units in the CP device are implemented in hardware or firmware. For details of the CP device provided in the third aspect, refer to the first aspect or any optional manner of the first aspect; they are not repeated here.
In a fourth aspect, a UP device is provided that has the functions corresponding to the second aspect or any optional manner of the second aspect. The UP device includes at least one unit, and the at least one unit is configured to implement the method provided in the second aspect or any optional manner of the second aspect.
In one example, the units in the UP device are implemented in software and are program modules. In another example, the units in the UP device are implemented in hardware or firmware. For details of the UP device provided in the fourth aspect, refer to the second aspect or any optional manner of the second aspect; they are not repeated here.
In a fifth aspect, a CP device is provided that includes a processor and a communication interface. The processor is configured to execute instructions so that the CP device performs the method provided in the first aspect or any optional manner of the first aspect, and the communication interface is configured to receive or send packets. For details of the CP device provided in the fifth aspect, refer to the first aspect or any optional manner of the first aspect; they are not repeated here.
In a sixth aspect, a UP device is provided that includes a processor and a communication interface. The processor is configured to execute instructions so that the UP device performs the method provided in the second aspect or any optional manner of the second aspect, and the communication interface is configured to receive or send packets. For details of the UP device provided in the sixth aspect, refer to the second aspect or any optional manner of the second aspect; they are not repeated here.
In a seventh aspect, a computer-readable storage medium is provided, storing at least one instruction that is read by a processor to cause a CP device to perform the method provided in the first aspect or any optional manner of the first aspect.
In an eighth aspect, a computer-readable storage medium is provided, storing at least one instruction that is read by a processor to cause a UP device to perform the method provided in the second aspect or any optional manner of the second aspect.
In a ninth aspect, a computer program product is provided that includes computer instructions stored in a computer-readable storage medium. A processor of a CP device reads the computer instructions from the computer-readable storage medium and executes them, so that the CP device performs the method provided in the first aspect or any optional manner of the first aspect.
In a tenth aspect, a computer program product is provided that includes computer instructions stored in a computer-readable storage medium. A processor of a UP device reads the computer instructions from the computer-readable storage medium and executes them, so that the UP device performs the method provided in the second aspect or any optional manner of the second aspect.
In an eleventh aspect, a chip is provided that, when run on a CP device, causes the CP device to perform the method provided in the first aspect or any optional manner of the first aspect.
In a twelfth aspect, a chip is provided that, when run on a UP device, causes the UP device to perform the method provided in the second aspect or any optional manner of the second aspect.
In a thirteenth aspect, a CP device is provided that includes a main control board and an interface board, and may further include a switching fabric board. The CP device is configured to perform the method in the first aspect or any possible implementation of the first aspect; specifically, the CP device includes units for performing the method in the first aspect or any possible implementation of the first aspect.
In a fourteenth aspect, a UP device is provided that includes a main control board and an interface board, and may further include a switching fabric board. The UP device is configured to perform the method in the second aspect or any possible implementation of the second aspect; specifically, the UP device includes units for performing the method in the second aspect or any possible implementation of the second aspect.
In a fifteenth aspect, a communication system in which the CP and the UP are separated is provided, including a CP device and a UP device. For example, the communication system includes the CP device provided in any one of the third, fifth and thirteenth aspects, and the UP device provided in any one of the fourth, sixth and fourteenth aspects.
Description of drawings
FIG. 1 is a schematic diagram of the architecture of a CU-separated system provided by an embodiment of this application;
FIG. 2 is a schematic diagram of the working principle of a CU-separated BNG system provided by an embodiment of this application;
FIG. 3 is a schematic structural diagram of a communication system provided by an embodiment of this application;
FIG. 4 is a functional architecture diagram of the inside of a CP device provided by an embodiment of this application;
FIG. 5 is a flowchart of a network attack defense method provided by an embodiment of this application;
FIG. 6 is a schematic diagram of a CP device and a UP device defending against a network attack according to an embodiment of this application;
FIG. 7 is a schematic diagram of the format of a dial-up packet including a watermark provided by an embodiment of this application;
FIG. 8 is a schematic diagram of the format of a dial-up packet including a watermark provided by an embodiment of this application;
FIG. 9 is a schematic diagram of the format of a dial-up packet including a watermark provided by an embodiment of this application;
FIG. 10 is a schematic diagram of the format of a dial-up packet including a watermark provided by an embodiment of this application;
FIG. 11 is a schematic structural diagram of a CP device 400 provided by an embodiment of this application;
FIG. 12 is a schematic structural diagram of a UP device 500 provided by an embodiment of this application;
FIG. 13 is a schematic structural diagram of a device 600 provided by an embodiment of this application;
FIG. 14 is a schematic structural diagram of a device 700 provided by an embodiment of this application;
FIG. 15 is a schematic structural diagram of a communication system 800 provided by an embodiment of this application.
Detailed description
To make the objectives, technical solutions and advantages of this application clearer, the embodiments of this application are described in further detail below with reference to the accompanying drawings.
Some terms and related concepts involved in the embodiments of this application are introduced first.
(1) CU separation
CU separation refers to a network architecture in which the CP and the UP are decoupled. CU separation includes, but is not limited to, implementation A and implementation B below.
Implementation A: the control plane and the forwarding plane are located on different hardware devices.
In implementation A, the CP device and the UP device are two separate and distinct devices. Optionally, the CP device and the UP device are distributed at different locations; for example, the CP device is located in a cloud data center and the UP device is deployed at a suitable position in the network as required. This makes the deployment of the control plane and the forwarding plane more flexible.
Implementation B: the control plane and the forwarding plane are located on the same hardware device but are functionally separated.
In implementation B, the physical entity of the CP device and the physical entity of the UP device are the same device. For example, the CP device and the UP device run in the same host, the same server or the same terminal.
In one example, both the CP device and the UP device are implemented through virtualization technology; the CP device is called, for example, a virtual CP (vCP) and the UP device a virtual UP (vUP). For example, the CP device is a virtual machine and the UP device is a virtual router or virtual switch. In one example, both the CP device and the UP device are implemented on general-purpose physical servers combined with NFV technology, and the CP device and the UP device are two different virtualized network functions (VNFs). For example, both the CP device and the UP device are network elements virtualized on X86 servers.
In another example, the CP device is implemented through virtualization technology and the UP device is implemented by a traditional network device; the UP device is called, for example, a physical UP (pUP).
This embodiment does not limit the numerical relationship between CP devices and UP devices in the communication system. In one example, CP devices and UP devices are in a one-to-many relationship, that is, one CP device controls multiple UP devices. In another example, CP devices and UP devices are in a one-to-one relationship, that is, one CP device controls one UP device.
This embodiment does not limit the number of UP devices in the communication system. Optionally, the CU-separated communication system includes multiple UP devices. Optionally, the multiple UP devices in the CU-separated communication system are distributed at different locations. Optionally, the multiple UP devices in the CU-separated communication system cooperatively share forwarding tasks based on a distributed architecture.
It should be noted that "CU separation" may have different names. For example, different standards, different versions of the same standard, different vendors and different application scenarios may use different names for "CU separation". For example, the term "CU separation" is sometimes also called "control and forwarding separation", "forwarding and control separation", "control plane and user plane separation", "control and user separation", and so on.
It should be noted that "CP" may have different names. For example, different standards, different versions of the same standard, different vendors and different application scenarios may use different names for "CP". For example, the term "CP" is sometimes also called "CP function (CPF)" or "CP plane". "CP", "CPF" and "CP plane" are used interchangeably herein. The term "CP device" refers to any device that implements the CP function.
It should be noted that "UP" may have different names. For example, different standards, different versions of the same standard, different vendors and different application scenarios may use different names for "UP". For example, the term "UP" is sometimes also called "UP function (UPF)" or "UP plane". "UP", "UPF" and "UP plane" are used interchangeably herein. The term "UP device" refers to any device that implements the UP function.
(2) Broadband network gateway (BNG)
A BNG is a telecom network element that operators use for broadband access; it connects user equipment to the broadband network. A BNG is mainly responsible for access authentication and Internet Protocol (IP) address allocation.
(3) CU-separated BNG system
A traditional BNG is generally implemented by adding user management functions on top of a router. With the continual emergence of Internet services, the number of user sessions a BNG must support keeps growing, user access bandwidth keeps increasing, and in particular the requirement that the BNG system expose open, programmable services grows ever higher. In view of these requirements, on an SDN- or NFV-based architecture, control and forwarding are decoupled in traditional BNG equipment, as are software and hardware, forming a CU-separated BNG system. Specifically, FIG. 1 illustrates the architecture of a CU-separated BNG system. The CU-separated BNG system extracts and centralizes the user management functions of multiple BNG devices to form the CP device, while the BNG devices retain the routing and forwarding functions to form the UP devices.
While retaining the original functions of the BNG, the CU-separated BNG system gains the advantages of the CU-separated architecture. For example, a CU-separated BNG system can have multiple UP devices; the CP device schedules the forwarding tasks of the multiple UP devices and allocates resources to them, so compared with implementing the BNG system on a single device, the utilization and reliability of BNG system equipment under the separated architecture are greatly improved. The CU-separated BNG system has now become the next hop in BNG evolution and is fully recognized by mainstream BNG vendors, operators and standards organizations. For example, RFC 8772, one of the numbered request for comments (RFC) documents of the Internet Engineering Task Force (IETF), defines the architecture of the CU-separated BNG system and the control interface between the CP device and the UP device; the Broadband Forum (BBF) defines the basic architecture of the CU-separated BNG system in TR-384, and the module function definitions and interface definitions of the CU-separated BNG system in TR-459.
It should be noted that in the embodiments of this application the "CU-separated BNG system" may have different names. For example, different standards, different versions of the same standard, different vendors and different application scenarios may use different names for the "CU-separated BNG system". For example, the term "CU-separated BNG system" is sometimes also called a "disaggregated BNG (DBNG)"; correspondingly, the CP device in the CU-separated BNG system may be called DBNG-CP and the UP device DBNG-UP. As another example, the term "CU-separated BNG system" is sometimes also called a "virtual broadband network gateway (vBNG) control plane and user plane separation system (CUPS vBNG)", that is, a "vBNG CU system"; correspondingly, the CP device in the CU-separated BNG system may be called vBNG-CP and the UP device vBNG-UP. As another example, the term "CU-separated BNG system" is sometimes also called a "virtual broadband remote access server (vBRAS) CU system", that is, a "vBRAS CU system"; correspondingly, the CP device in the CU-separated BNG system may be called vBRAS-CP and the UP device vBRAS-UP. "DBNG", "vBNG CU system" and "vBRAS CU system" are used interchangeably herein.
Referring to FIG. 2, the working principle of the CU-separated BNG system is as shown in FIG. 2 and includes the following S101 to S107.
S101. BNG services are configured centrally on the CP device, and routing services are configured on the UP device. The CP device delivers part of the BNG configuration information to the UP device through the management interface (Mi).
S102. A home terminal initiates dialing, and the original dial-up packet is transmitted to the UP device. The UP device encapsulates the original dial-up packet in the encapsulation format corresponding to the control packet redirect interface (CPRi) and sends the encapsulated dial-up packet to the CP device for processing. The CP device generates a response packet according to the dial-up packet and sends the response packet to the UP device through the CPRi interface. The UP device decapsulates the response packet and responds to the user.
The home terminal is, for example, customer premises equipment (CPE). The original dial-up packet is, for example, a point-to-point protocol over Ethernet (PPPoE) packet or a dynamic host configuration protocol (DHCP) packet. A PPPoE dial-up packet is, for example, a PPPoE Active Discovery Initiation (PADI) packet. A DHCP dial-up packet is, for example, a DHCP discover packet.
S103. During dialing, the CP device interacts with a remote authentication dial in user service (RADIUS) server to authenticate and authorize the user.
S104. After the user dials successfully, the CP device delivers the user forwarding entry to the UP device through the state control interface (SCi).
S105. The CP device uses the SCi interface to control the UP device to advertise routes to a core router (CR).
S106. The user accesses the Internet.
S107. After the user goes online, the CP device sends accounting packets to the RADIUS server. Optionally, the RADIUS server issues a change of authorization (COA) instruction to adjust the user's service level agreement (SLA).
The following describes the system architecture provided by the embodiments of this application.
Referring to FIG. 3, an embodiment of this application provides a communication system 200, which is an example of a communication system in which the CP and the UP are separated. The communication system 200 includes a CP device 210, a UP device 220, an operation and maintenance (OM) system 230, a RADIUS server 240, a DHCP server 250 and a CP device 211. These network elements are connected to each other through a wireless or wired network.
There are three kinds of interfaces between the CP device 210 and the UP device 220: the CPRi interface, the Mi interface and the SCi interface.
The CPRi interface is used to send the original dial-up packets received by the UP device 220 up to the CP device 210. For example, in the application scenario shown in FIG. 3, when the CPE initiates dial-up to access the network, the original dial-up packet sent by the CPE (such as a PPPoE packet or a DHCP packet) is transmitted to the UP device 220. The UP device 220 receives the original dial-up packet, encapsulates it in the packet encapsulation format corresponding to the CPRi interface, and sends the encapsulated dial-up packet to the CP device 210 through the CPRi interface. The CPRi interface is implemented by a tunnel between the UP device 220 and the CP device 210. For example, the CPRi interface is implemented by a tunnel based on the User Datagram Protocol (UDP), and the packet encapsulation format corresponding to the CPRi interface consists of adding the tunnel header of that UDP-based tunnel to the original dial-up packet. In one example, the UDP-based tunnel is a generic protocol encapsulation (GPE) tunnel based on Virtual Extensible Local Area Network (VXLAN), and the tunnel header added to the original dial-up packet includes a VXLAN header and a GPE extension header. In another example, the UDP-based tunnel is a general packet radio service (GPRS) tunneling protocol control plane (GTP-C) tunnel, and the tunnel header added to the original dial-up packet includes a GTP-C header and a network service header (NSH).
The functions of the SCi interface include the CP device delivering flow tables to the UP device and the UP device reporting state information to the CP device. In some embodiments of this application, the SCi interface is used by the CP device to deliver a control message to the UP device instructing the UP device to carry a watermark when it sends dial-up packets to the CP device through the CPRi interface. In one example, the SCi interface is implemented with the control plane and user plane separated protocol (CUSP). In another example, the SCi interface is implemented with the Packet Forwarding Control Protocol (PFCP).
The Mi interface is used by the CP device to deliver configuration information to the UP device. The Mi interface is implemented, for example, with the Network Configuration (NETCONF) protocol.
In addition, as shown in FIG. 3, the CP device 210 communicates with the OM 230 through, for example, the Simple Network Management Protocol (SNMP) or NETCONF. The CP device 210 communicates with the RADIUS server 240 through, for example, the RADIUS protocol. The CP device 210 communicates with the DHCP server 250 through, for example, DHCP. The CP device 210 and the CP device 211 synchronize data through, for example, data backup messages. In one example, the CP device 211 and the CP device 210 cooperate in dial-up processing based on a load sharing mechanism; in another example, the CP device 210 is the active device and the CP device 211 is the standby device of the CP device 210.
The overall structure of the communication system 200 has been introduced above by way of example; the CP device 210 in the communication system 200 is described in detail below.
The functions of the CP device 210 include: supporting management of the UP device 220, including, for example, the joining and leaving of the UP device 220 and reporting of the interface resources of the UP device 220; supporting the processing of the PPPoE or DHCP dial-up packets of users sent up by the UP device 220 so as to admit the users; supporting communication with the RADIUS server 240 to perform authentication, authorization and accounting for users; supporting the allocation of IP addresses to users; and supporting the delivery of user session entries to the UP device 220, which the UP device 220 uses to forward user traffic.
In one example, the CP device 210 is a VNF network element deployed in an NFV infrastructure (NFVI) environment. For example, the CP device 210 is a piece of software running on an x86 server. For example, the CP device 210 is distributed software whose functional modules are distributed over different hardware devices.
For example, refer to FIG. 4, which illustrates the internal functional architecture of the CP device 210 by way of example. The CP device 210 includes multiple dial-up processing modules 2201 and an input/output (IO)/load balance (LB) module 2202. The multiple dial-up processing modules 2201 are, for example, distributed over different hardware devices. The IO/LB module 2202 communicates with the UP device and distributes the received dial-up packets across the multiple dial-up processing modules 2201. With the architecture shown in FIG. 4, on the one hand, the computing power of multiple hardware devices can be pooled for dial-up processing, which effectively guarantees the performance of the communication system 200 in bringing users online; on the other hand, when capacity needs to be expanded, this can be achieved by adding more dial-up processing modules 2201 to the CP device 210, so that the communication system 200 meets the elastic scaling requirements of a VNF.
The system architecture has been introduced above by way of example; application scenarios to which some embodiments of this application apply are described below with reference to that architecture.
In the system architecture described above, the CP device 210 serves as the control plane of the communication system 200 and needs to provide security functions to guarantee the system security and service security of the communication system 200. Because the channels established between the CP device 210 and the UP device 220 over the CPRi, Mi and SCi interfaces are generally in-band communication channels that must cross the metropolitan area network or even the backbone network, they carry security risks. Therefore, the CP device 210 needs security protection measures to defend against network attacks arriving over the channels between the CP device 210 and the UP device 220.
A distributed denial of service (DDoS) attack, a typical way of attacking a server, is one of the main threats faced by the CP device 210. The main means of DDoS attack is the Synchronize Sequence Numbers (SYN) flood attack. Among the three interfaces between the CP device 210 and the UP device 220, the SCi interface and the Mi interface are both based on the Transmission Control Protocol (TCP), and both support encryption, so attacks on the SCi interface and the Mi interface of the CP device 210 can be defended against with a DDoS protection (anti-DDoS) device; defending these interfaces against DDoS attacks is therefore relatively easy to implement, whereas defending the CPRi interface against DDoS attacks is relatively difficult.
Specifically, while the UP device 220 is sending dial-up packets up to the CP (for example, PADI packets of PPPoE dial-up and DHCP discover packets of DHCP dial-up), an attacker may intercept the PADI or DHCP discover packets sent by the UP. The attacker varies the media access control (MAC) address or virtual LAN (VLAN) number in these dial-up packets to construct a large number of attack packets, encapsulates them in the packet encapsulation format of the CPRi interface, and sends the large number of encapsulated attack packets directly to the CP device 210, bypassing the UP device 220, thereby mounting a replay attack. Once a large number of attack packets enter the CP device 210, the dial-up packets of legitimate users coming online are easily drowned out, and the large number of attack packets causes the CP device 210 to create a large number of invalid state machines, leading to high CPU utilization and high memory consumption on the CP device 210 and thus to a denial of service (DoS) effect. Therefore, how the CP device 210 can defend against DDoS replay attacks arriving over the CPRi interface is an urgent need in the art.
However, whether a PADI packet or a DHCP discover packet is an attack packet can only be judged from the subsequent dial-up process; it is not reasonable to classify a user who sends only a PADI or DHCP discover packet without subsequent dial-up packets as an attacker. Therefore, a general firewall or anti-DDoS system has difficulty identifying the attack packets, and the defense has to be based on the CP device 210. For the CP device 210, because the CPRi interface is implemented by VXLAN+GPE or GTP-C+NSH tunnel encapsulation, both of which are based on UDP, the CP device 210 cannot use techniques such as TCP keychain to verify the source IP address of packets received over the CPRi interface. Furthermore, in dial-up packets (such as PADI packets of PPPoE dial-up and DHCP discover packets of DHCP dial-up) the source MAC address is the MAC address of the dial-up user; the CP device 210 cannot determine whether the source MAC address is legitimate, and so cannot distinguish attack packets from normal online packets on the basis of the source MAC address alone. It can be seen that how the CP device 210 identifies attack packets arriving over the CPRi interface is one of the technical difficulties in the art.
In some cases, rate limiting is used to defend against replay attacks mounted with PADI or DHCP discover packets. Specifically, the CP device 210 uses token bucket technology on the IO/LB module 2202 to group users according to MAC address. The CP device 210 then applies a committed access rate (CAR) to the rate of dial-up packets of each group sent to the dial-up processing modules 2201. When an attack occurs, the IO/LB module 2202 hashes the source MAC address to group the received dial-up packets, each group corresponding to one token bucket, and limits the rate of dial-up packets sent to the dial-up processing modules 2201 according to the token rate; packets exceeding the token rate are discarded at random. In this way, the dial-up processing modules 2201 do not hang because the number of packets sent up exceeds their processing capacity.
However, with the above approach, because the number of groups is limited, the MAC address of an attack packet and the MAC address of a normal packet may be assigned to the same group. Because the token bucket discards packets within the same group at random, normal packets may also be discarded by the CP device 210, so that legitimate users cannot come online. In addition, even with rate limiting, the CP device 210 still has to process many attack packets, which wastes the processing resources of the CP device 210.
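The two weaknesses of the per-group CAR just described (a legitimate MAC sharing a bucket with replayed MACs, and attack packets that still reach the processing modules) can be reproduced in a small simulation. This is an added example, not code from the patent: the number of groups, the CAR value, the subscriber MAC and the replayed MACs are all constructed, and the hash used for grouping is an assumption (the page only states that the IO/LB module hashes the source MAC).

```python
import hashlib
import random

# Constructed parameters: a deliberately small number of groups so that collisions
# between replayed MACs and a legitimate MAC are easy to observe.
NUM_GROUPS = 4
CAR_TOKENS_PER_TICK = 5   # committed access rate per group, in packets per tick

def group_of(src_mac: str) -> int:
    """Hash the source MAC into one of NUM_GROUPS token buckets (IO/LB behaviour).
    SHA-256 is an assumption; the page does not name the hash function."""
    digest = hashlib.sha256(src_mac.lower().encode("ascii")).digest()
    return int.from_bytes(digest[:4], "big") % NUM_GROUPS

def run_tick(packets, rng):
    """One CAR interval. packets: list of (src_mac, label). Packets in the same
    group compete for the same tokens; which ones win is effectively random,
    modelled here by shuffling the arrival order. Returns (admitted, dropped)."""
    tokens = [CAR_TOKENS_PER_TICK] * NUM_GROUPS
    order = list(packets)
    rng.shuffle(order)
    admitted, dropped = [], []
    for mac, label in order:
        g = group_of(mac)
        if tokens[g] > 0:
            tokens[g] -= 1
            admitted.append((mac, label))
        else:
            dropped.append((mac, label))
    return admitted, dropped

def random_mac(rng) -> str:
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))

def simulate_car(n_attack=200, trials=100, seed=7):
    """Each tick carries one legitimate PADI plus n_attack replayed PADIs whose
    source MACs were hopped. Counts how often the legitimate packet is dropped
    and how many attack packets still reach the dial-up processing modules."""
    rng = random.Random(seed)
    legit = ("00:11:22:33:44:55", "legit")            # constructed subscriber MAC
    attack = [(random_mac(rng), "attack") for _ in range(n_attack)]
    legit_dropped = 0
    attack_admitted_total = 0
    for _ in range(trials):
        admitted, dropped = run_tick([legit] + attack, rng)
        legit_dropped += any(lbl == "legit" for _, lbl in dropped)
        attack_admitted_total += sum(lbl == "attack" for _, lbl in admitted)
    return {
        "trials": trials,
        "legit_dropped_ticks": legit_dropped,
        "avg_attack_admitted_per_tick": attack_admitted_total / trials,
        # replayed MACs that landed in the legitimate subscriber's group
        "shared_group": sum(group_of(m) == group_of(legit[0]) for m, _ in attack),
    }

if __name__ == "__main__":
    print(simulate_car())
```

With 200 replayed MACs spread over four groups, the legitimate subscriber shares its bucket with roughly fifty attack packets and competes with them for five tokens per tick, so it is dropped in most ticks; at the same time the CP still admits about twenty packets per tick, almost all of them attack traffic, which is exactly the waste of processing resources the paragraph above describes.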
In view of the needs of the above application scenarios, some embodiments of this application provide a method in which the CP device and the UP device 220 jointly defend against DDoS attacks. The CP device delivers a control message over the SCi interface notifying the UP device 220 to carry a watermark in the dial-up packets it sends up over the CPRi interface, so that the CP device can effectively distinguish attack packets from normal packets according to the watermark; the replayer's attack packets can be discarded while the normal packets sent by users through the UP device 220 are processed. This method not only guarantees that legitimate users come online but also saves the computing resources of the CP. In addition, some embodiments extend the SCi interface between the CP device and the UP device 220, describing how to extend the CUSP message format defined in IETF RFC 8772 and the PFCP message format defined in BBF TR-459 to implement the control message, so that the CP device can use the extended message format to instruct the UP device 220 to enable or disable the watermark. Further, some embodiments extend the CPRi interface between the CP device and the UP device 220, describing how to extend the VXLAN-GPE packet format to carry the various types of watermark.
The technical solution provided by this embodiment is described in detail below through method 300.
Referring to FIG. 5, FIG. 5 is a flowchart of a network attack defense method 300 provided by an embodiment of this application. The interacting entities of method 300 include a CP device and a UP device.
In one example, the CP device in method 300 is the CP device 210 or the CP device 211 in the communication system 200 shown in FIG. 3, and the UP device in method 300 is the UP device 220 in the communication system 200 shown in FIG. 3.
In one example, the CP device in method 300 is the CP device of a BNG system with separated CP and UP, for example the CP of a vBNG system or a DBNG-CP. The UP device in method 300 is the UP device of a BNG system with separated CP and UP, for example the UP of a vBNG system or a DBNG-UP. In one example, the CP device in method 300 is the CP device of a BRAS system with separated CP and UP, and the UP device in method 300 is the UP device of that BRAS system.
In another example, the CP device and the UP device in method 300 are implemented with a CU-separated system other than a BNG system. For example, the CP device in method 300 is the device hosting the control plane of another CU-separated wired or wireless access system, and the UP device in method 300 is the device hosting the forwarding plane of that system. For example, the CP device and the UP device in method 300 are implemented with a CU-separated 4G core network (EPC) system or a CU-separated 5G core network (5GC) system. For example, the CP device is implemented by the CP of a CU-separated serving gateway (S-GW). As another example, the CP device is implemented by the CP of a CU-separated packet data network gateway (PGW). As another example, the CP device is implemented by an access and mobility management function (AMF) network element. As another example, the CP device is implemented by a session management function (SMF) network element. As another example, the CP device is implemented by the access gateway function (AGF) network element of a WT-456 fixed-mobile converged communication system.
In one example, method 300 is processed by a general-purpose central processing unit (CPU), or jointly by a CPU and a network processor (NP), or jointly by two or more of a CPU, an NP and a physical interface card (PIC); other processors suitable for packet forwarding may also be used instead of an NP or PIC, and method 300 imposes no limitation on this. For example, the CPU performs the processing in method 300 related to carrying the watermark in packets and identifying attack packets according to the watermark, while the NP and the PIC undertake the processing in method 300 related to sending and receiving packets.
Exemplarily, method 300 includes steps S301 to S315.
S301: The attacker sends modified dial-up packets to the CP device.
While dial-up packets are transmitted from the UP device to the CP device over the network, the attacker captures the dial-up packets sent up by the UP device, varies parameters in them (for example the source MAC address or VLAN number) and sends the modified dial-up packets to mount the attack.
S303: In response to the reception rate of dial-up packets meeting an abnormal condition, the CP device generates a first control message, which instructs the UP device to carry a watermark when sending dial-up packets to the CP device.
The abnormal condition is used to detect whether the reception rate of dial-up packets is abnormal. In one example, the abnormal condition is met when the reception rate has exceeded a rate threshold for a preset duration.
In one example, the CP device measures the rate of dial-up packets. Specifically, the CP device measures the reception rate of dial-up packets, and if the reception rate has exceeded the rate threshold for the preset duration, the CP device determines that the reception rate meets the abnormal condition and executes S303. For example, the CP device applies CAR rate limiting to dial-up packets; when it finds that the reception rate of dial-up packets exceeds the CAR value it starts a timer, and when the recorded duration exceeds the preset duration it determines that the reception rate meets the abnormal condition.
In one example, the dial-up packets include the dial-up packets sent to the CP device by the attacker described above as well as the dial-up packets sent by the UP device connected to the CP device.
S304: The CP device sends the first control message to the UP device.
Because a dial-up packet reception rate that meets the abnormal condition is very likely caused by a network attack, the CP device can conclude that it is under network attack when the reception rate of dial-up packets meets the abnormal condition. In that case, the CP device generates the first control message. Since the first control message specifies that a watermark is to be carried when dial-up packets are sent up, delivering it to the UP device notifies the UP device to carry the watermark in dial-up packets. The dial-up packets subsequently sent by the UP device to the CP device will therefore contain the watermark, which supports the CP device controlling the UP device to enable the watermark.
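The detection step S303 and the message generation of S304 can be written out as a small CP-side state machine. This is an added example, not code from the patent: the per-window measurement, the trace values and the dictionary used to represent the first control message are constructed, and the page leaves the exact message fields and their CUSP/PFCP encoding open, so none of those are modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class DialRateMonitor:
    """CP-side measurement of the dial-up packet reception rate (S303).
    The abnormal condition is met when the rate stays above the CAR value for at
    least the preset duration; a window at or below the CAR value resets the timer."""
    car_pps: float                       # rate threshold (CAR value), packets per second
    preset_duration_s: float             # how long the overload must persist
    over_since: Optional[float] = None   # time at which the current overload started

    def observe(self, now_s: float, packets: int, window_s: float) -> bool:
        """Record one measurement window ending at now_s; True once the
        abnormal condition is met."""
        rate = packets / window_s
        if rate <= self.car_pps:
            self.over_since = None       # back below the CAR value: stop timing
            return False
        if self.over_since is None:
            self.over_since = now_s      # first window above the CAR value: start timing
        return now_s - self.over_since >= self.preset_duration_s

WATERMARK_TYPES = {"vni": "a", "random": "b", "timestamp": "c", "mac": "d"}

def first_control_message(watermark_type: str, **params) -> dict:
    """Abstract content of the first control message (S303/S304): it tells the UP
    to enable the watermark and which type to use. Field names are constructed."""
    if watermark_type not in WATERMARK_TYPES:
        raise ValueError(f"unknown watermark type {watermark_type!r}")
    return {"message": "watermark-control", "enable": True,
            "watermark_type": watermark_type, "parameters": dict(params)}

def run_cp_loop(windows, car_pps=1000.0, preset_duration_s=3.0, window_s=1.0):
    """Feed (time, packet count) windows to the monitor; return (trigger time,
    control message) the first time the abnormal condition is met, else (None, None)."""
    monitor = DialRateMonitor(car_pps, preset_duration_s)
    for t, n in windows:
        if monitor.observe(t, n, window_s):
            # 0xABCD is a constructed reserved VNI; a real CP picks a free one (case a below).
            return t, first_control_message("vni", vni=0xABCD)
    return None, None

# Constructed trace: two quiet seconds, then a sustained flood of replayed PADIs.
FLOOD_TRACE = [(0, 200), (1, 300), (2, 5000), (3, 5200), (4, 4800), (5, 5100), (6, 5300)]
# Constructed trace: a short burst that subsides before the preset duration elapses.
BURST_TRACE = [(0, 5000), (1, 5000), (2, 100), (3, 5000), (4, 5000), (5, 200)]

if __name__ == "__main__":
    print(run_cp_loop(FLOOD_TRACE))   # triggers at t=5, three seconds after the flood began
    print(run_cp_loop(BURST_TRACE))   # never triggers
```

The duration requirement is what keeps a brief legitimate surge of subscribers coming online (for example after a power cut) from switching watermarking on; the burst trace shows the timer being reset when the rate falls back under the CAR value.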
The watermark is used by the CP device to check the legitimacy of the dial-up packets it receives. The watermark acts like an identifier attesting to the identity of the UP device. The specific value of the watermark is negotiated between the CP device and the UP device by transmitting the first control message. If a packet sent to the CP device contains no watermark, or contains a watermark that is incorrect, this indicates that the packet did not come from the UP device; the packet then fails the CP device's check and is identified by the CP device as an attack packet.
Which data the CP device and the UP device use as the watermark can be implemented in multiple ways, illustrated below by watermark types a to d.
Watermark type a: using an adjusted VXLAN network identifier (VNI) as the watermark.
Specifically, a VXLAN tunnel exists between the UP device and the CP device. When the UP device sends a dial-up packet up, it adds a VXLAN header containing a VNI to the original dial-up packet so that the packet can be forwarded through the VXLAN tunnel using the VXLAN header. When the watermark is needed to defend against an attack, the CP device notifies the UP device to adjust the value of the VNI in the VXLAN header, so that the VNI in the VXLAN header of the dial-up packets sent by the UP device changes from the original VNI to the adjusted VNI, and the CP device uses the adjusted VNI to check the dial-up packets sent up.
The VNI is a user identifier similar to a VLAN ID; one VNI represents one tenant. VXLAN encapsulation allocates a 24-bit field to the VNI, so that it can support the isolation of a very large number of tenants.
Watermark type b: using a random number as the watermark.
With watermark type b, the CP device and the UP device use a random number as the watermark of dial-up packets. Specifically, the CP device notifies the UP device to carry a random number when sending dial-up packets up, so that the dial-up packets sent by the UP device to the CP device include the random number, and the CP device uses the random number to check the dial-up packets sent up.
Watermark type c: using a timestamp as the watermark.
With watermark type c, the CP device and the UP device use a timestamp as the watermark of dial-up packets. Specifically, the CP device and the UP device synchronize their time. When the watermark is needed to defend against an attack, the CP device instructs the UP device to carry a timestamp when sending dial-up packets up, so that the dial-up packets sent by the UP device contain a timestamp, and the CP device checks the dial-up packets sent up according to whether the timestamp corresponds to the synchronized time point. For example, the CP device and the UP device synchronize time with the Network Time Protocol (NTP): both use an NTP time server as their clock source and receive the current time from it, which guarantees time synchronization between the UP device and the CP device.
Watermark type d: using a message authentication code as the watermark.
The message authentication code is, for example, a hash value of at least one parameter in the dial-up packet. For example, the message authentication code is a hash value of parameters in packet headers of the dial-up packet such as the IP header, the MAC frame header and the UDP header. For example, the message authentication code is a hash value of the source MAC address and the destination MAC address in the dial-up packet. As another example, it is a hash value of the source MAC address, destination MAC address, source IP address and destination IP address in the dial-up packet. As another example, it is a hash value of the source MAC address, destination MAC address, source IP address, destination IP address and UDP header of the dial-up packet. The message authentication code is obtained, for example, by a hash operation with a hash function.
Several types of watermark have been illustrated above through watermark types a to d. This embodiment does not limit which of watermark types a to d the CP device and the UP device use. In one example, the CP device selects the watermark type according to the strength of the attack. For example, when the attack on the CP device is strong, watermark type d is selected, that is, a message authentication code is used as the watermark with which the CP device and the UP device defend against the attack, for the best defensive effect. For example, when the attack on the CP device is weak, watermark type a is selected, that is, an adjusted VNI is used as the watermark with which the CP device and the UP device defend against the attack, reducing the performance overhead of the CP device and the UP device.
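The following added example, which is not code from the patent, puts watermark types a to d side by side on the CPRi encapsulation described earlier: a UP-side encapsulator wraps a PPPoE PADI frame in a VXLAN-GPE header, and a CP-side validator applies the check that goes with each type. The constructed shim that carries types b to d, its type codes, the PADI bytes, the VNI values, the nonce and the frozen clocks are all assumptions; the extended VXLAN-GPE format itself is not given in this section. For type d the page speaks of a hash over header fields; the example keys that hash with a secret assumed to be delivered over SCi, because a hash of visible header fields alone could be recomputed by whoever captured the frame.

```python
import hashlib
import hmac
import struct
import time

# Watermark type codes for the constructed shim (the page gives no TLV codes).
WM_VNI, WM_RANDOM, WM_TIMESTAMP, WM_MAC = 0, 1, 2, 3

def vxlan_gpe_header(vni, next_proto=0x03):
    """8-byte VXLAN-GPE header: flags (I bit 0x08, P bit 0x04), 2 reserved bytes,
    next protocol (0x03 = Ethernet), 24-bit VNI, 1 reserved byte."""
    return struct.pack("!BHB", 0x0C, 0, next_proto) + vni.to_bytes(3, "big") + b"\x00"

def parse_vxlan_gpe(pkt):
    flags, _, next_proto = struct.unpack("!BHB", pkt[:4])
    return flags, next_proto, int.from_bytes(pkt[4:7], "big"), pkt[8:]

def shim(wm_type, value):
    """Constructed watermark shim placed between the GPE header and the inner frame."""
    return struct.pack("!BB", wm_type, len(value)) + value

def parse_shim(payload):
    wm_type, length = struct.unpack("!BB", payload[:2])
    return wm_type, payload[2:2 + length], payload[2 + length:]

def mac_watermark(key, frame):
    """Type d: keyed hash over the inner destination and source MAC (first 12 bytes),
    truncated to 16 bytes. The key is an assumption added in this example."""
    return hmac.new(key, frame[:12], hashlib.sha256).digest()[:16]

def build_padi(src_mac):
    """Constructed PPPoE PADI: broadcast dst, EtherType 0x8863, code 0x09, empty Service-Name tag."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    return b"\xff" * 6 + src + b"\x88\x63" + b"\x11\x09\x00\x00\x00\x04\x01\x01\x00\x00"

def hop_src_mac(frame, new_mac):
    """Rewrite the inner source MAC, as the replayer described in S301 does."""
    return frame[:6] + bytes.fromhex(new_mac.replace(":", "")) + frame[12:]

class UpEncapsulator:
    """UP side: wraps a raw dial-up frame for the CPRi tunnel with the active watermark."""
    def __init__(self, vni, wm_type, nonce=None, key=None, clock=time.time):
        self.vni, self.wm_type, self.nonce, self.key, self.clock = vni, wm_type, nonce, key, clock

    def encapsulate(self, frame):
        if self.wm_type == WM_VNI:            # type a: the adjusted VNI itself is the watermark
            return vxlan_gpe_header(self.vni) + frame
        if self.wm_type == WM_RANDOM:         # type b: negotiated random number
            value = self.nonce
        elif self.wm_type == WM_TIMESTAMP:    # type c: NTP-synchronised time, whole seconds
            value = struct.pack("!I", int(self.clock()))
        else:                                 # type d: message authentication code
            value = mac_watermark(self.key, frame)
        return vxlan_gpe_header(self.vni) + shim(self.wm_type, value) + frame

class CpValidator:
    """CP side: checks the watermark negotiated through the first control message."""
    def __init__(self, wm_type, expected_vni=None, nonce=None, key=None, clock=time.time, max_skew_s=5):
        self.wm_type, self.expected_vni, self.nonce, self.key = wm_type, expected_vni, nonce, key
        self.clock, self.max_skew_s = clock, max_skew_s

    def check(self, pkt):
        """True if the packet carries the expected watermark; False marks an attack packet."""
        if len(pkt) < 10 or not pkt[0] & 0x08:    # too short, or VNI-valid (I) bit not set
            return False
        _, _, vni, payload = parse_vxlan_gpe(pkt)
        if self.wm_type == WM_VNI:
            return vni == self.expected_vni
        wm_type, value, frame = parse_shim(payload)
        if wm_type != self.wm_type:
            return False
        if self.wm_type == WM_RANDOM:
            return hmac.compare_digest(value, self.nonce)
        if self.wm_type == WM_TIMESTAMP:
            return len(value) == 4 and abs(int(self.clock()) - struct.unpack("!I", value)[0]) <= self.max_skew_s
        return hmac.compare_digest(value, mac_watermark(self.key, frame))

def demo():
    """Legitimate UP traffic versus replayed frames for each watermark type (constructed inputs)."""
    key, nonce = b"constructed-shared-secret", bytes.fromhex("a5a5a5a5")   # assumed delivered over SCi
    now, later = (lambda: 1_700_000_000.0), (lambda: 1_700_000_060.0)      # frozen clocks
    padi = build_padi("00:11:22:33:44:55")
    hopped = hop_src_mac(padi, "00:11:22:33:44:56")
    a_cp, b_cp = CpValidator(WM_VNI, expected_vni=0xABCD), CpValidator(WM_RANDOM, nonce=nonce)
    d_cp, d_up = CpValidator(WM_MAC, key=key), UpEncapsulator(100, WM_MAC, key=key)
    legit_d = d_up.encapsulate(padi)
    wm_t, value, frame = parse_shim(parse_vxlan_gpe(legit_d)[3])
    return {
        "a_legit": a_cp.check(UpEncapsulator(0xABCD, WM_VNI).encapsulate(padi)),
        "a_replay_old_vni": a_cp.check(vxlan_gpe_header(100) + hopped),
        "b_legit": b_cp.check(UpEncapsulator(100, WM_RANDOM, nonce=nonce).encapsulate(padi)),
        "b_no_shim": b_cp.check(vxlan_gpe_header(100) + hopped),
        "c_legit": CpValidator(WM_TIMESTAMP, clock=now).check(UpEncapsulator(100, WM_TIMESTAMP, clock=now).encapsulate(padi)),
        "c_stale_replay": CpValidator(WM_TIMESTAMP, clock=later).check(UpEncapsulator(100, WM_TIMESTAMP, clock=now).encapsulate(padi)),
        "d_legit": d_cp.check(legit_d),
        "d_replay_hopped_mac": d_cp.check(vxlan_gpe_header(100) + shim(wm_t, value) + hop_src_mac(frame, "00:11:22:33:44:56")),
    }
```

The cases mirror the text: a replayed frame still carrying the old VNI fails type a; a frame captured before watermarking was enabled carries no shim and fails type b; a captured timestamped frame replayed a minute later falls outside the skew window of type c; and for type d the captured watermark no longer matches once the source MAC has been hopped, which is why the page reserves that type for the strongest attacks. Types a to c only bind the packet to the UP, not to its contents, so a frame captured after watermarking is on and replayed unchanged within the validity window would still pass them; this is the trade-off between defensive strength and per-packet cost that the paragraph above describes.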
This embodiment does not restrict the specific content of the first control message. In one example, the first control message includes the watermark itself; in other words, the CP device carries the watermark in the first control message and delivers it to the UP device. In another example, the first control message includes watermark type information corresponding to the watermark. In another example, the first control message includes parameters for generating the watermark: for example, the CP device carries at least one of the watermark format, the watermark type, the position at which the watermark is carried in the dial-up packet, the number of bits of the watermark, and the names of the input parameters used to generate the watermark in the first control message and delivers it to the UP device. The content of the first control message is illustrated below by cases a to d, which correspond to watermark types a to d above.
Case a. Content of the first control message when an adjusted VNI is used as the watermark.
Specifically, the CP device obtains a first VNI and carries it in the first control message, so that the first control message includes the first VNI. The first VNI is the adjusted VNI; it differs from the VNI that the UP device originally used when sending dial-up packets. This embodiment does not restrict how the CP device obtains the first VNI. In one example, the CP device reserves a range of VNIs according to its configuration and selects an unused VNI from that range as the first VNI. In another example, the CP device carries watermark type information corresponding to the first VNI in the first control message, so that the first control message includes that watermark type information, which indicates that the watermark type is VNI.
Case b. Content of the first control message when a random number is used as the watermark.
For example, the first control message includes a first random number. Specifically, the CP device obtains the first random number and carries it in the first control message. This embodiment does not restrict how the CP device obtains the first random number. In one example, the CP device generates it with a random number generation algorithm. In another example, the CP device receives it from another device. In another example, the CP device carries watermark type information corresponding to the first random number in the first control message, so that the first control message includes that watermark type information, which indicates that the watermark type is random number.
In one example, when one CP device controls multiple UP devices, the CP device generates a separate random number for each UP device and delivers each random number to the corresponding UP device. Optionally, the CP device generates different random numbers for different UP devices and delivers different random numbers to different UP devices. For example, the UP devices controlled by the CP device include a first UP device; the CP device carries the first random number corresponding to the first UP device in the first control message and sends the first control message to the first UP device. In this way the CP device can verify the dial-up packets of different UP devices with different random numbers.
In one example, when multiple interfaces of the same UP device are connected to the CP device, the CP device generates a separate random number for each interface of the UP device and delivers the mapping between interfaces and random numbers to the UP device. Optionally, the CP device generates different random numbers for different interfaces of the UP device. For example, the UP device is connected to the CP device through a first interface; the CP device carries the first random number corresponding to the first interface in the first control message and sends the first control message to the first UP device, thereby indicating to the first UP device that dial-up packets sent through the first interface must carry the first random number. In this way the CP device can verify the dial-up packets from different interfaces of the same UP device with different random numbers.
Case c. Content of the first control message when a timestamp is used as the watermark.
In one example, the first control message includes a first timestamp. Specifically, the CP device obtains the first timestamp corresponding to a synchronization point according to the time synchronization mechanism between itself and the UP device, and carries the first timestamp in the first control message. In another example, the CP device carries watermark type information corresponding to the first timestamp in the first control message, so that the first control message includes that watermark type information, which indicates that the watermark type is timestamp.
In another example, the first control message does not include the first timestamp itself but any information that identifies it. For example, the first control message includes a one-bit flag field; when the flag is set, it instructs the UP device to carry the first timestamp when sending dial-up packets to the CP device.
Case d. Content of the first control message when a message authentication code is used as the watermark.
In one example, the first control message includes the format of the message authentication code. For example, the format indicates which part of the dial-up packet the UP device hashes to obtain the first message authentication code. As another example, the format indicates the hash algorithm used to generate the first message authentication code. The format of the message authentication code in the first control message is represented, for example, by a number, a letter or a string. In another example, the CP device carries watermark type information corresponding to the first message authentication code in the first control message, so that the first control message includes that watermark type information, which indicates that the watermark type is message authentication code.
Taking a numeric representation of the format as an example, the CP device and the UP device agree that different numbers denote different formats. For example, format 0 instructs the UP device to hash two fields of the dial-up packet, the source MAC address and the destination MAC address, to obtain the first message authentication code; format 1 instructs it to hash four fields, the source MAC address, destination MAC address, source IP address and destination IP address; and format 2 instructs it to hash five fields, the source MAC address, destination MAC address, source IP address, destination IP address and UDP header.
In another example, the first control message does not include the format of the message authentication code but any information that identifies the first message authentication code. For example, the CP device and the UP device negotiate the format in advance, say during their handshake phase, or the format is preconfigured on both devices; the CP device then uses a one-bit flag field in the first control message, and when the flag is set it instructs the UP device to carry the first message authentication code when sending dial-up packets to the CP device.
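The three formats, the UP-side computation and the CP-side check described in case d can be written out as follows. This is an added example for this page, not code from the patent or from Huawei. It assumes SHA-256 truncated to 4 bytes as the hash (the page leaves the algorithm to be signalled in the format or pre-agreed), network byte order for every field, and it adds an optional key so that the same code can run the hash as an HMAC; the page itself describes an unkeyed hash, and the keyed variant is an assumption shown because an unkeyed hash over public header fields can be recomputed by anyone who learns the format.

```python
"""Message authentication code watermark: UP-side computation and CP-side check
for the page's formats 0, 1 and 2. Constructed example."""
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

# Format codes as agreed between CP and UP on the page.
MAC_FORMAT_L2 = 0   # source MAC address + destination MAC address
MAC_FORMAT_L3 = 1   # ... + source IP address + destination IP address
MAC_FORMAT_L4 = 2   # ... + UDP header

# Assumption: the page does not fix the hash; SHA-256 is used here.
HASH_NAME = "sha256"


def _mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw


def udp_header(sport: int, dport: int, length: int, checksum: int = 0) -> bytes:
    """Raw 8-byte UDP header in network byte order."""
    return struct.pack("!HHHH", sport, dport, length, checksum)


def hashed_fields(pkt: dict, fmt: int) -> bytes:
    """Concatenate the dial-up packet fields selected by the format code."""
    if fmt not in (MAC_FORMAT_L2, MAC_FORMAT_L3, MAC_FORMAT_L4):
        raise ValueError(f"unknown message authentication code format {fmt}")
    parts = [_mac_bytes(pkt["src_mac"]), _mac_bytes(pkt["dst_mac"])]
    if fmt >= MAC_FORMAT_L3:
        parts += [ipaddress.ip_address(pkt["src_ip"]).packed,
                  ipaddress.ip_address(pkt["dst_ip"]).packed]
    if fmt >= MAC_FORMAT_L4:
        parts.append(pkt["udp_header"])
    return b"".join(parts)


def compute_watermark(pkt: dict, fmt: int, digest_len: int = 4,
                      key: Optional[bytes] = None) -> bytes:
    """UP side: hash (or, with `key`, HMAC) the selected fields and truncate."""
    data = hashed_fields(pkt, fmt)
    if key is None:
        digest = hashlib.new(HASH_NAME, data).digest()
    else:
        digest = hmac.new(key, data, HASH_NAME).digest()
    return digest[:digest_len]


def cp_verify(pkt: dict, fmt: int, watermark: bytes,
              key: Optional[bytes] = None) -> bool:
    """CP side: recompute from the received packet's own headers and compare
    in constant time, so a packet whose headers were rewritten fails."""
    expected = compute_watermark(pkt, fmt, len(watermark), key)
    return hmac.compare_digest(expected, watermark)


# Constructed sample dial-up packet (DHCP-discover style headers).
SAMPLE_PKT = {
    "src_mac": "02:00:00:00:00:01",
    "dst_mac": "ff:ff:ff:ff:ff:ff",
    "src_ip": "0.0.0.0",
    "dst_ip": "255.255.255.255",
    "udp_header": udp_header(68, 67, 308),
}

if __name__ == "__main__":
    for fmt in (MAC_FORMAT_L2, MAC_FORMAT_L3, MAC_FORMAT_L4):
        wm = compute_watermark(SAMPLE_PKT, fmt)
        print(fmt, wm.hex(), cp_verify(SAMPLE_PKT, fmt, wm))
    # A packet whose source MAC was rewritten no longer matches its watermark.
    forged = dict(SAMPLE_PKT, src_mac="02:00:00:00:00:99")
    print("forged:", cp_verify(forged, MAC_FORMAT_L2,
                               compute_watermark(SAMPLE_PKT, MAC_FORMAT_L2)))
```

Format 2 is the most expensive because it hashes 28 bytes instead of 12, which is the trade-off the description makes when it pairs the message authentication code with strong attacks only.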
In one example, an SCi interface exists between the CP device and the UP device, and the CP device sends the first control message to the UP device over the SCi interface. In this case the first control message is also called an SCi message. In one example, the communication protocol implementing the SCi interface is extended with a new type of SCi message that instructs the UP device to carry a watermark when sending dial-up packets to the CP device; this new SCi message is the first control message.
There are several ways to extend the SCi interface protocol to implement the first control message; extension method 1 and extension method 2 below are examples.
Extension method 1: extending CUSP.
IETF RFC 8772 specifies that the SCi interface between the CP device and the UP device is implemented with CUSP. In some embodiments of this application, a new type of CUSP message is defined. The new CUSP message instructs the UP device to carry a watermark when sending dial-up packets to the CP device, and it is the first control message. Specifically, the CUSP message serving as the first control message includes a type field, and the type field includes a type value that identifies the CUSP message as one instructing the UP device to carry a watermark when sending dial-up packets to the CP device. In one example, the type value is a control message type from Table 2 of RFC 8772.
For example, see Table 1 below, which illustrates a CUSP message serving as the first control message. The type in Table 1 is 9, indicating a control message that requires the UP's dial-up packets to carry a watermark; its control message name may be "watermark start", and it also includes the desired watermark type information: the value CRPI_WATERPRINT_VNI asks the UP to carry a VNI watermark when sending dial-up packets, CRPI_WATERPRINT_RANDOM a random number watermark, CRPI_WATERPRINT_TIMESTAMP a timestamp watermark, and CRPI_WATERPRINT_MAC a message authentication code watermark. Optionally, the control message also includes the specific watermark value or the parameters for generating it, such as the VNI value, random value, timestamp value or message authentication code value that the UP's dial-up packets must carry.
After receiving the control message from the CP device, the UP device can send the corresponding watermark according to preconfigured or pre-agreed information, for example sending the default VNI value, generating a random number by a pre-agreed rule, carrying a timestamp, or sending a message authentication code by the default rule; it can also take the corresponding value from the control message and carry it in the dial-up packets sent to the CP device; or it can generate the watermark from the parameters carried in the control message and carry it in the dial-up packets sent to the CP device.
Table 1 (images PCTCN2021099503-appb-000001 and PCTCN2021099503-appb-000002; not reproduced in the extracted text)
In another example, a new TLV can be added to the CUSP message to carry the watermark or the parameters for generating it. In one example, the value of the type part of such a TLV indicates the watermark type it corresponds to, that is, the type of watermark the UP device must carry. For example, the CUSP message includes a watermark TLV, which is a TLV carrying the watermark, or a TLV carrying the watermark type information corresponding to the watermark, or a TLV carrying the parameters for generating the watermark; the type value of the watermark TLV may be, for example, 901, indicating that it is a watermark TLV.
This embodiment does not restrict the type of the watermark TLV. In one example, the watermark TLV is a new TLV type with a newly allocated type value that identifies it as carrying the watermark or the parameters for generating it. In another example, the watermark TLV is an existing TLV type; for example, when the adjusted VNI is used as the watermark, the TLV that carries the VNI in the VXLAN standard is reused as the watermark TLV of this embodiment. The watermark TLV includes at least one of a VNI watermark TLV, a random number watermark TLV, a timestamp watermark TLV and a message authentication code watermark TLV, illustrated in (1) to (4) below.
(1) VNI watermark TLV.
The VNI watermark TLV includes the first VNI. The value of its type part indicates, for example, that the watermark type of this TLV is VNI. For example, the VNI watermark TLV includes a VNI field holding the first VNI. The VNI watermark TLV may also be called CRPI_WATERPRINT_VNI. See Table 2 below, which illustrates the format of the VNI watermark TLV; the VNI in Table 2 is the first VNI. The VNI watermark TLV occupies, for example, 4 bytes, of which the VNI occupies 3, say bytes 2 to 4, and byte 1 is set to all zeros as padding.
Table 2 (image PCTCN2021099503-appb-000003; not reproduced in the extracted text)
(2) Random number watermark TLV.
The random number watermark TLV includes the first random number. The value of its type part indicates, for example, that the watermark type of this TLV is random number. The random number watermark TLV may also be called CRPI_WATERPRINT_RANDOM. For example, it includes a random number field holding the first random number. See Table 3 below, which illustrates the format of the random number watermark TLV; the random number in Table 3 is the first random number and occupies, for example, 2 bytes.
Table 3 (image PCTCN2021099503-appb-000004; not reproduced in the extracted text)
(3) Timestamp watermark TLV.
The timestamp watermark TLV includes the first timestamp. The value of its type part indicates, for example, that the watermark type of this TLV is timestamp. The timestamp watermark TLV may also be called CRPI_WATERPRINT_TIMESTAMP. For example, it includes a timestamp field holding the first timestamp. See Table 4 below, which illustrates the format of the timestamp watermark TLV; the timestamp in Table 4 is the first timestamp and occupies, for example, 1 byte.
Table 4 (image PCTCN2021099503-appb-000005; not reproduced in the extracted text)
(4) Message authentication code watermark TLV.
The message authentication code watermark TLV includes the format of the message authentication code. The value of its type part indicates, for example, that the watermark type of this TLV is message authentication code. The TLV may also be called CRPI_WATERPRINT_MAC. For example, it includes a message authentication code format field: value 0 instructs the UP device to hash the source MAC address and destination MAC address of the dial-up packet to obtain the first message authentication code; value 1 instructs it to hash the source MAC address, destination MAC address, source IP address and destination IP address; and value 2 instructs it to hash the source MAC address, destination MAC address, source IP address, destination IP address and UDP header. See Table 5 below, which illustrates the format of the message authentication code watermark TLV; the message authentication code format in Table 5 is the format field, which occupies, for example, 1 byte of the TLV.
Table 5 (image PCTCN2021099503-appb-000006; not reproduced in the extracted text)
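The four watermark TLVs of (1) to (4), with the value sizes the tables give (4-byte padded VNI, 2-byte random number, 1-byte timestamp, 1-byte format field), can be encoded and parsed as follows. This is an added example for this page, not code from the patent, from Huawei or from any CUSP implementation. It assumes a 16-bit type and 16-bit length in front of each TLV value, assumes that the four watermark TLVs are nested inside the type-901 watermark TLV, and assigns them the inner type codes 1 to 4; the page only gives the names, so those codes are placeholders.

```python
"""CUSP watermark TLV (extension method 1): encoding and UP-side decoding.
Constructed example; framing and inner type codes are assumptions."""
import struct

WATERMARK_TLV_TYPE = 901           # type value named on the page
# Inner type codes for the four watermark TLVs (assumed values).
CRPI_WATERPRINT_VNI = 1
CRPI_WATERPRINT_RANDOM = 2
CRPI_WATERPRINT_TIMESTAMP = 3
CRPI_WATERPRINT_MAC = 4
_NAMES = {1: "vni", 2: "random", 3: "timestamp", 4: "mac_format"}
_VALUE_LEN = {1: 4, 2: 2, 3: 1, 4: 1}   # sizes from Tables 2 to 5


def _tlv(tlv_type: int, value: bytes) -> bytes:
    """Assumed TLV framing: 16-bit type, 16-bit length, then the value."""
    return struct.pack("!HH", tlv_type, len(value)) + value


def encode_vni(vni: int) -> bytes:
    """4-byte value: byte 1 is zero padding, bytes 2 to 4 hold the 24-bit VNI."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return _tlv(CRPI_WATERPRINT_VNI, b"\x00" + vni.to_bytes(3, "big"))


def encode_random(rand: int) -> bytes:
    """2-byte random number (Table 3)."""
    return _tlv(CRPI_WATERPRINT_RANDOM, rand.to_bytes(2, "big"))


def encode_timestamp(ts: int) -> bytes:
    """1-byte timestamp (Table 4)."""
    return _tlv(CRPI_WATERPRINT_TIMESTAMP, ts.to_bytes(1, "big"))


def encode_mac_format(fmt: int) -> bytes:
    """1-byte message authentication code format field, 0, 1 or 2 (Table 5)."""
    if fmt not in (0, 1, 2):
        raise ValueError("format must be 0, 1 or 2")
    return _tlv(CRPI_WATERPRINT_MAC, bytes([fmt]))


def encode_watermark_tlv(inner: bytes) -> bytes:
    """Wrap one of the four TLVs above in the type-901 watermark TLV."""
    return _tlv(WATERMARK_TLV_TYPE, inner)


def parse_tlvs(buf: bytes):
    """Yield (type, value) pairs, refusing truncated or over-long TLVs."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("TLV length exceeds buffer")
        yield tlv_type, buf[off:off + length]
        off += length


def decode_watermark_tlv(buf: bytes) -> dict:
    """UP side: recover which watermark the CP requested and its value."""
    outer = list(parse_tlvs(buf))
    if len(outer) != 1 or outer[0][0] != WATERMARK_TLV_TYPE:
        raise ValueError("expected exactly one watermark TLV")
    inner = list(parse_tlvs(outer[0][1]))
    if len(inner) != 1 or inner[0][0] not in _NAMES:
        raise ValueError("unknown watermark sub-TLV")
    sub_type, value = inner[0]
    if len(value) != _VALUE_LEN[sub_type]:
        raise ValueError("bad watermark value length")
    if sub_type == CRPI_WATERPRINT_VNI and value[0] != 0:
        raise ValueError("VNI padding byte must be zero")
    return {"type": _NAMES[sub_type], "value": int.from_bytes(value, "big")}


if __name__ == "__main__":
    msg = encode_watermark_tlv(encode_vni(0x123456))
    print(msg.hex())                      # 03850008 0001000400123456
    print(decode_watermark_tlv(msg))      # {'type': 'vni', 'value': 1193046}
```

The decoder rejects a wrong value length and a non-zero VNI padding byte rather than silently truncating, which is the behaviour wanted on a control channel that is being exercised during an attack.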
Extension method 2: extending PFCP.
For ease of understanding, PFCP is first introduced briefly, followed by how it is extended to implement the first control message.
PFCP is a protocol defined by the 3rd Generation Partnership Project (3GPP) and carried over UDP. PFCP defines an abstract service model based on fifth-generation mobile communication (5G) services and, on that model, defines the node messages, session messages and a set of information elements (IEs) exchanged between CP and UP. PFCP calls the UP device the UPF, the CP device the CPF, and the connection between the CP device and the UP device a PFCP association. PFCP messages are divided into PFCP node related messages and PFCP session related messages. A PFCP message consists of a PFCP message header and IEs. The PFCP message header includes fields such as message type and message length. IEs use a TLV encoding and are divided into grouped IEs and embedded IEs; an embedded IE is the smallest unit of IE, and a grouped IE optionally contains multiple embedded IEs. BBF TR-459 specifies that the SCi interface between the CP device and the UP device is implemented with PFCP.
In one example, the CP device uses an IE in a PFCP message to carry the watermark or the parameters for generating it. For example, the PFCP message serving as the first control message includes a watermark IE, which carries the watermark, or the watermark type information corresponding to the watermark, or the parameters for generating the watermark. The watermark type information carried by the watermark IE is, for example, the value of its type part: the type of a VNI watermark IE indicates VNI, that of a random number watermark IE indicates random number, that of a timestamp watermark IE indicates timestamp, and that of a message authentication code watermark IE indicates message authentication code. In one example the watermark IE is a grouped IE; in another example it is an embedded IE. Table 6 below introduces the watermark IE.
Table 6

IE | P | Condition/Comment | IE type
Watermark IE | C | This IE carries the watermark when the CP is under DDoS attack. | Watermark
C in Table 6 means conditional: the watermark IE is carried when a condition is met, the condition being that the CP device may be under DDoS attack. In this embodiment, when the CP device detects that the receiving rate of dial-up packets is abnormal, it determines that the condition for carrying the watermark IE is met.
See Table 7 below, which illustrates the format of the watermark IE. In Table 7, the type field holds the type of the watermark IE and occupies 2 bytes; the type value is, for example, a decimal value. The length field holds the length of the watermark IE, which, for example, excludes the 4 bytes of the type and length fields. The enterprise ID field holds the vendor number and is an optional field of the watermark IE. The water print type field and the water print para field belong to the data part of the watermark IE or are sub-IEs of the watermark IE.
Table 7 (image PCTCN2021099503-appb-000007; not reproduced in the extracted text)
The type field of Table 7 is defined in Table 8 below. In Table 8, 7/1 denotes bit 1 of a byte of the type field, 7/2 bit 2, 7/3 bit 3, 7/4 bit 4 and 7/5 bit 5. The four watermark parameters, watermark parameter 0 to watermark parameter 3, are defined the same as or similarly to the four watermark TLVs of extension method 1: the VNI watermark TLV, random number watermark TLV, timestamp watermark TLV and message authentication code watermark TLV.
Table 8 (image PCTCN2021099503-appb-000008; not reproduced in the extracted text)
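The watermark IE layout of Table 7 (2-byte type, 2-byte length that excludes the 4 header bytes, optional enterprise ID, then water print type and water print para) and the UP-side handling of steps S305 and S307 can be written out as follows. This is an added example for this page, not code from the patent, from Huawei or from any PFCP stack. It assumes that the watermark IE is a vendor-specific PFCP IE, so that bit 15 of the type is set and a 2-byte enterprise ID follows the length field; the IE number 901 and the enterprise ID 0xFFFF are placeholders, and the water print type codes 0 to 3 follow the page's "watermark parameter 0 to 3" numbering, which is an assumption.

```python
"""PFCP watermark IE (extension method 2, Table 7) and UP-side handling of
S305/S307. Constructed example; type numbers and enterprise ID are placeholders."""
import struct

VENDOR_BIT = 0x8000                 # bit 15 set: enterprise ID present (assumed)
WATERMARK_IE_TYPE = VENDOR_BIT | 901  # placeholder IE number
ENTERPRISE_ID = 0xFFFF              # placeholder vendor number

# Water print type codes, following the page's watermark parameter 0..3 (assumed).
WP_VNI, WP_RANDOM, WP_TIMESTAMP, WP_MAC = 0, 1, 2, 3
_PARAM_LEN = {WP_VNI: 4, WP_RANDOM: 2, WP_TIMESTAMP: 1, WP_MAC: 1}
_NAMES = {WP_VNI: "vni", WP_RANDOM: "random",
          WP_TIMESTAMP: "timestamp", WP_MAC: "mac_format"}


def encode_watermark_ie(wp_type: int, param: bytes,
                        enterprise_id: int = ENTERPRISE_ID) -> bytes:
    """type(2) | length(2, excludes these 4 bytes) | enterprise id(2) |
    water print type(1) | water print para."""
    if _PARAM_LEN.get(wp_type) != len(param):
        raise ValueError("watermark parameter length does not match its type")
    body = struct.pack("!H", enterprise_id) + bytes([wp_type]) + param
    return struct.pack("!HH", WATERMARK_IE_TYPE, len(body)) + body


def decode_watermark_ie(buf: bytes):
    """Return (enterprise_id, water print type, water print para), validating
    every length so a malformed IE is rejected rather than misread."""
    if len(buf) < 4:
        raise ValueError("truncated IE header")
    ie_type, length = struct.unpack_from("!HH", buf)
    if len(buf) != 4 + length:
        raise ValueError("IE length field does not match buffer")
    body = buf[4:]
    enterprise_id = None
    if ie_type & VENDOR_BIT:
        if len(body) < 2:
            raise ValueError("missing enterprise ID")
        enterprise_id = struct.unpack_from("!H", body)[0]
        body = body[2:]
    if ie_type != WATERMARK_IE_TYPE:
        raise ValueError(f"not a watermark IE: type {ie_type:#06x}")
    if not body:
        raise ValueError("missing water print type")
    wp_type, param = body[0], body[1:]
    if _PARAM_LEN.get(wp_type) != len(param):
        raise ValueError("bad water print para length")
    return enterprise_id, wp_type, param


def up_handle_control(buf: bytes) -> dict:
    """S305/S307: decode the first control message and return what the UP
    must carry in its subsequent dial-up packets."""
    _, wp_type, param = decode_watermark_ie(buf)
    if wp_type == WP_VNI:
        if param[0] != 0:
            raise ValueError("VNI padding byte must be zero")
        return {"watermark": "vni", "value": int.from_bytes(param[1:], "big")}
    if wp_type == WP_MAC:
        if param[0] not in (0, 1, 2):
            raise ValueError("unknown message authentication code format")
        return {"watermark": "mac_format", "value": param[0]}
    return {"watermark": _NAMES[wp_type], "value": int.from_bytes(param, "big")}


if __name__ == "__main__":
    ie = encode_watermark_ie(WP_RANDOM, (0xBEEF).to_bytes(2, "big"))
    print(ie.hex())                 # 83850005ffff01beef
    print(up_handle_control(ie))    # {'watermark': 'random', 'value': 48879}
```

Because the length field excludes the 4-byte header, a decoder that checks `len(buf) == 4 + length` catches both a truncated IE and trailing bytes; the UP should treat either as a malformed control message and keep its previous watermark state rather than guess.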
A PFCP message can carry the watermark IE in several ways. In one example a PFCP node message carries the watermark IE; in other words, the first control message is a PFCP node message. In another example a PFCP session message carries the watermark IE; in other words, the first control message is a PFCP session message.
In one example, a new type of PFCP message is defined and used to carry the watermark IE. The new PFCP message instructs the UP device to carry a watermark when sending dial-up packets to the CP device, and it is the first control message provided by this embodiment. The PFCP message serving as the first control message includes a type field whose type value identifies the PFCP message as instructing the UP device to carry a watermark when sending dial-up packets to the CP device.
When the first control message is implemented as a new PFCP message type, this embodiment does not restrict whether a PFCP node message or a PFCP session message is extended. For example, a new PFCP node message is added with a newly allocated type value between 16 and 49; it carries the watermark IE, and the CP device delivers the watermark by sending this new PFCP node message to the UP device. As another example, a new PFCP session message is added with a newly allocated type value between 58 and 99; it carries the watermark IE, and the CP device delivers the watermark by sending this new PFCP session message to the UP device.
在另一个示例中,复用已有的PFCP消息携带水印IE,该已有的PFCP消息携带水印IE,能够指示UP设备在向CP设备发送拨号报文时携带水印,该已有的PFCP消息也是本实施例提供的第一控制消息。例如,复用PFCP更新会话请求(PFCP Session Modification Request)携带水印IE,该携带了水印IE的PFCP更新会话请求为本实施例提供的第一控制消息。其中,PFCP更新会话请求是一种PFCP会话消息,PFCP更新会话请求的消息类型值是52。例如,在PFCP更新会话请求中更新转发参数(Update Forwarding Parameters)IE中增加下表9所示的IE。In another example, the existing PFCP message carrying the watermark IE is multiplexed, and the existing PFCP message carries the watermark IE, which can instruct the UP device to carry the watermark when sending a dial-up message to the CP device, and the existing PFCP message is also The first control message provided in this embodiment. For example, the multiplexing PFCP Session Modification Request (PFCP Session Modification Request) carries the watermark IE, and the PFCP update session request carrying the watermark IE is the first control message provided in this embodiment. The PFCP update session request is a PFCP session message, and the message type value of the PFCP update session request is 52. For example, the IE shown in Table 9 below is added to the Update Forwarding Parameters IE in the PFCP update session request.
Table 9
Figure PCTCN2021099503-appb-000009 (table image in the original, not reproduced)
In Table 9, P is the presence requirement of the IE, and C means Conditional: the watermark IE is carried only when a condition is met, namely that the CP is under DDoS attack. In this embodiment, the CP determines that the condition for carrying the watermark IE is met when it detects an abnormal reception rate of dial-up packets.
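The message exchange described above, as an added example that is not code from the patent: the first control message encoded as a PFCP Session Modification Request (message type 52) whose Update FAR IE carries an Update Forwarding Parameters IE containing the watermark IE, plus the UP-side walk that pulls the watermark back out. The PFCP header, the grouped-IE layout and the IE type numbers 10, 11 and 108 follow 3GPP TS 29.244. The watermark IE itself is an assumption: the page does not reproduce Table 9, so a vendor-specific IE (bit 15 of the type set, Enterprise ID after the length) with a made-up type number and a one-octet watermark-type prefix stands in for it.

```python
"""
Added example, not code from the patent. Encodes the first control message as
a PFCP Session Modification Request carrying a (hypothetical) watermark IE
inside Update FAR / Update Forwarding Parameters, and parses it on the UP side.
"""
import struct

MSG_SESSION_MODIFICATION_REQUEST = 52       # TS 29.244 message type

IE_UPDATE_FAR = 10                          # TS 29.244 grouped IE
IE_UPDATE_FORWARDING_PARAMETERS = 11        # TS 29.244 grouped IE
IE_FAR_ID = 108                             # TS 29.244, 4-octet value

# Hypothetical watermark IE: vendor-specific, so an Enterprise ID follows the
# length field. Both numbers are placeholders, not values from the patent.
IE_WATERMARK = 0x8000 | 0x0100
ENTERPRISE_ID = 0xFFFF

WM_VNI, WM_RANDOM, WM_TIMESTAMP, WM_MAC = 1, 2, 3, 4   # watermark types a-d


def ie(ie_type, value, enterprise_id=None):
    """TLV IE: type(2) length(2) [Enterprise ID(2)] value."""
    body = value if enterprise_id is None else struct.pack("!H", enterprise_id) + value
    return struct.pack("!HH", ie_type, len(body)) + body


def watermark_ie(kind, payload):
    """Assumed value layout: one octet watermark type, then the payload
    (a 3-octet VNI, a random number, a timestamp format, a MAC format...)."""
    return ie(IE_WATERMARK, bytes([kind]) + payload, ENTERPRISE_ID)


def pfcp_header(msg_type, seid, seq, body):
    """Session-message header: version 1 with S=1, type, length (everything
    after octet 4), SEID(8), sequence number(3), spare(1)."""
    flags = (1 << 5) | 0x01
    rest = struct.pack("!Q", seid) + seq.to_bytes(3, "big") + b"\x00" + body
    return struct.pack("!BBH", flags, msg_type, len(rest)) + rest


def build_first_control_message(seid, seq, far_id, kind, payload, under_attack):
    """CP side. The watermark IE is conditional (C in Table 9): it is included
    only while the CP sees an abnormal dial-up packet rate."""
    children = watermark_ie(kind, payload) if under_attack else b""
    update_fp = ie(IE_UPDATE_FORWARDING_PARAMETERS, children)
    update_far = ie(IE_UPDATE_FAR, ie(IE_FAR_ID, struct.pack("!I", far_id)) + update_fp)
    return pfcp_header(MSG_SESSION_MODIFICATION_REQUEST, seid, seq, update_far)


def iter_ies(buf):
    """Yield (type, enterprise_id or None, value) for each IE in buf."""
    off = 0
    while off + 4 <= len(buf):
        ie_type, length = struct.unpack_from("!HH", buf, off)
        off += 4
        value = buf[off:off + length]
        if len(value) != length:
            raise ValueError("truncated IE")
        off += length
        if ie_type & 0x8000:
            yield ie_type, struct.unpack_from("!H", value)[0], value[2:]
        else:
            yield ie_type, None, value


def parse_first_control_message(msg):
    """UP side. Returns (message type, SEID, {FAR ID: (watermark type, payload)})
    for every Update FAR that carries the watermark IE; an empty dict means the
    message carries no watermark instruction."""
    flags, msg_type, length = struct.unpack_from("!BBH", msg, 0)
    if flags >> 5 != 1:
        raise ValueError("unsupported PFCP version")
    off, seid = 4, None
    if flags & 0x01:
        seid = struct.unpack_from("!Q", msg, off)[0]
        off += 8
    off += 4                                  # sequence number + spare
    body = msg[off:4 + length]
    found = {}
    for ie_type, _, value in iter_ies(body):
        if ie_type != IE_UPDATE_FAR:
            continue
        far_id = watermark = None
        for t2, _, v2 in iter_ies(value):
            if t2 == IE_FAR_ID:
                far_id = struct.unpack("!I", v2)[0]
            elif t2 == IE_UPDATE_FORWARDING_PARAMETERS:
                for t3, ent, v3 in iter_ies(v2):
                    if t3 == IE_WATERMARK and ent == ENTERPRISE_ID and v3:
                        watermark = (v3[0], bytes(v3[1:]))
        if far_id is not None and watermark is not None:
            found[far_id] = watermark
    return msg_type, seid, found
```

Because the IE's presence is conditional, a Session Modification Request without it carries no watermark instruction at all; the parser therefore returns an empty dict rather than guessing, and the UP device should keep whatever watermark state it already has.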
S305. The UP device receives the first control message from the CP device; the first control message instructs the UP device to carry a watermark when sending dial-up packets to the CP device.
S307. According to the first control message, the UP device carries a watermark in the dial-up packet.
The dial-up packet sent by the UP device consists, for example, of the original dial-up packet plus a watermark. In one example the original dial-up packet is sent by the user equipment; in another it is sent by an access device connected to the user equipment. The original dial-up packet is transmitted to the UP device. On receiving it, the UP device obtains a watermark according to the first control message delivered by the CP device and encapsulates the watermark together with the original dial-up packet, producing a dial-up packet that includes the watermark. The watermark is thereby carried in the dial-up packet, so the dial-up packet the UP device sends upstream now contains a watermark.
The following description takes the case in which the user equipment sends the original dial-up packet to explain the dial-up packet sent by the UP device.
Dial-up methods include, but are not limited to, PPPoE and DHCP. With PPPoE, the original dial-up packet sent by the user equipment is a PPPoE dial-up packet; with DHCP, it is a DHCP dial-up packet.
A PPPoE dial-up packet is, for example, a PADI packet. Table 10 below is an example of the PADI packet format.
Table 10
Figure PCTCN2021099503-appb-000010 (table image in the original, not reproduced)
Figure PCTCN2021099503-appb-000011 (table image in the original, not reproduced)
The meaning of each field of the PADI packet in Table 10 is given in Table 11 below.
Table 11
Figure PCTCN2021099503-appb-000012 (table image in the original, not reproduced)
Table 12 below is an example of the DHCP dial-up packet format. The number in parentheses in Table 12 is the length of the field: for example, message type (1) means the message type field is 1 byte long, and transaction ID (4) means the transaction ID field is 4 bytes long.
Table 12
Figure PCTCN2021099503-appb-000013 (table image in the original, not reproduced)
Figure PCTCN2021099503-appb-000014 (table image in the original, not reproduced)
The meaning of each field of the DHCP dial-up packet in Table 12 is given in Table 13 below.
Table 13
Figure PCTCN2021099503-appb-000015 (table image in the original, not reproduced)
Figure PCTCN2021099503-appb-000016 (table image in the original, not reproduced)
The first packet of a DHCP dial-up is the DHCP Discover packet. Specifically, during DHCP dial-up a DHCP client that requests an address does not yet know where the DHCP server is, so it broadcasts a request packet on the local network; this packet is the DHCP Discover packet. It is used to find the DHCP servers on the network: every DHCP server that receives it sends a response, from which the client learns where the DHCP servers on the network are. Table 14 below is an example of the DHCP Discover packet format; the meaning of each field is as given in Table 13 above.
Table 14
Figure PCTCN2021099503-appb-000017 (table image in the original, not reproduced)
Figure PCTCN2021099503-appb-000018 (table image in the original, not reproduced)
The dial-up packet formats above are examples. The following describes how the UP device adds the watermark to the dial-up packet.
For example, with watermark type a, the UP device obtains the first VNI from the first control message; or the UP device uses a pre-agreed first VNI; or the UP device generates the first VNI from parameters carried in the first control message. Having obtained the first VNI by any of these three methods, the UP device carries the first VNI in the dial-up packet, so the VNI in the dial-up packets it sends upstream changes from the original VNI to the adjusted VNI.
For example, with watermark type b, the UP device obtains the first random number from the first control message; or uses a pre-agreed first random number; or generates the first random number from parameters carried in the first control message. Having obtained the first random number by any of these three methods, the UP device carries it in the dial-up packet, so the dial-up packets it sends upstream now contain the random number delivered by the CP device.
For example, with watermark type c, the UP device determines a first timestamp according to the time synchronization mechanism between the UP device and the CP device; the first timestamp indicates the time point to which the UP device and the CP device are synchronized. The UP device carries the first timestamp in the dial-up packet, so the dial-up packets it sends upstream now contain the timestamp of the synchronization point. Optionally, the first timestamp has second precision. For example, if the synchronization point between the UP device and the CP device is 17:43:05 on 20 July 2020, the first timestamp is 20200720174305.
Alternatively, the UP device generates the first timestamp and carries the generated timestamp in the dial-up packet. In one example, the first control message carries a timestamp format and the UP device generates the first timestamp in that format. In this way the CP device and the UP device agree on the timestamp format by means of the first control message, and the watermark is added in the pre-agreed format. The timestamp format covers, for example, the precision of the timestamp and its number of digits.
This embodiment does not require the first timestamp to be a complete timestamp. Optionally, the first timestamp is a part of a complete timestamp, for example its hour, minute and second fields: if the complete timestamp is 20200720174305, the first timestamp is 174305.
For example, with watermark type d, the UP device computes a hash over at least one parameter of the dial-up packet to obtain a first message authentication code, and carries the first message authentication code in the dial-up packet, so the dial-up packets it sends upstream now contain a message authentication code. Specifically, the UP device obtains the format of the message authentication code from the first control message, or uses a pre-agreed format. Having determined the format by either method, the UP device hashes at least one parameter of the dial-up packet according to that format. For example, if the message authentication code format in the first control message is 1, meaning that the code is the hash of the source MAC address and the destination MAC address of the dial-up packet, the UP device hashes those two values and uses the resulting hash as the first message authentication code.
S308. The UP device sends the dial-up packet including the watermark to the CP device.
There are several ways for the UP device to send dial-up packets upstream. In one example a UDP-based tunnel is established between the UP device and the CP device, and the UP device sends the dial-up packet including the watermark through that tunnel; the watermarked dial-up packet is then a UDP packet.
For example, see FIG. 6. FIG. 6(a) illustrates the network formed by the UP device, the CP device and the attacker. FIG. 6(b) illustrates the format of the dial-up packet the UP device sends upstream when the watermark function is off, FIG. 6(c) the format of the dial-up packet sent by the attacker, and FIG. 6(d) the format of the dial-up packet the UP device sends upstream when the watermark function is on. Specifically, with the watermark function off, the UP device encapsulates the original dial-up packet from the user equipment in a UDP-based tunnel header and sends the result upstream, so, as FIG. 6(b) shows, the packet has two parts: the UDP-based tunnel header and the original dial-up packet. After capturing dial-up packets sent from the UP device to the CP device, the attacker hops the MAC address or VLAN ID in them to produce hopped dial-up packets, which it also sends through the UDP-based tunnel; as FIG. 6(c) shows, the attacker's packet likewise has two parts, the UDP-based tunnel header and the hopped dial-up packet. Once the attacker starts this replay attack, the CP device observes that the dial-up packet rate has exceeded the rate threshold for longer than a set period and sends the UP device a control message instructing it to add a watermark. On receiving the control message the UP device enables the watermark function: it encapsulates the original dial-up packet in the UDP-based tunnel header together with the watermark and sends the result upstream, so, as FIG. 6(d) shows, the packet now has three parts: the UDP-based tunnel header, the watermark field and the original dial-up packet.
This embodiment does not limit where the watermark field is carried in the dial-up packet. In one example, see FIG. 6(d), the watermark field sits between the UDP-based tunnel header and the original dial-up packet. With watermark type b the watermark field of FIG. 6(d) is a random number field carrying the first random number; with type c it is a timestamp field carrying the first timestamp; with type d it is a message authentication code field carrying the first message authentication code. In another example the watermark field is carried inside the UDP-based tunnel header: with watermark type a the UDP-based tunnel header includes a VXLAN header, the watermark field is the VNI field, and the VNI field carries the first VNI; the VNI field holding the first VNI is located, for example, in the VXLAN header.
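The UP-side watermarking of types b, c and d described above (random number, timestamp, message authentication code) and the FIG. 6(d) layout with the watermark field between the tunnel header and the original frame, as an added example that is not code from the patent. It also includes the CP-side check that flags a packet whose watermark is missing or wrong. Assumptions: the tunnel header is treated as opaque bytes; the watermark field is laid out as one type octet, one length octet and the value; the CP and UP share a key delivered out of band. The patent describes type d as a plain hash over the source and destination MAC addresses, which anyone who captures a watermarked packet can recompute, so this example keys it with HMAC-SHA256 (an empty key reduces it to the unkeyed hash the text describes). The sample frame and control parameters are constructed.

```python
"""
Added example, not code from the patent. UP-side insertion of watermark types
b, c and d between a UDP-based tunnel header and the original dial-up frame,
and the CP-side classification of received packets.
"""
import hashlib
import hmac

WM_RANDOM, WM_TIMESTAMP, WM_MAC = 2, 3, 4   # watermark types b, c, d

# Constructed sample data: an 8-octet placeholder tunnel header, a PADI frame
# (broadcast DA, SA 00:11:22:33:44:55, EtherType 0x8863, PPPoE ver/type 0x11,
# code 0x09, session 0, one empty Service-Name tag) and CP-delivered parameters.
SAMPLE_TUNNEL_HDR = b"\x00" * 8
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
                + b"\x88\x63" + b"\x11\x09\x00\x00\x00\x04" + b"\x01\x01\x00\x00")
SAMPLE_CTRL = {
    "random": b"\xa5\x5a\x13\x37",        # first random number (type b)
    "now": 17 * 3600 + 43 * 60 + 5,       # 17:43:05, the page's example sync point
    "key": b"constructed-shared-key",     # assumed CP/UP shared key (type d)
}


def timestamp_hhmmss(seconds_since_midnight):
    """Type c as the page describes it: the HHMMSS part of a second-precision
    timestamp taken from the CP/UP time synchronization."""
    s = seconds_since_midnight % 86400
    return "%02d%02d%02d" % (s // 3600, (s % 3600) // 60, s % 60)


def mac_of_frame(frame, key):
    """Type d over destination MAC (octets 0-5) and source MAC (6-11), keyed."""
    return hmac.new(key, frame[:12], hashlib.sha256).digest()[:8]


def make_watermark(kind, frame, ctrl):
    """Watermark field: type octet, length octet, value (assumed layout)."""
    if kind == WM_RANDOM:
        value = ctrl["random"]
    elif kind == WM_TIMESTAMP:
        value = timestamp_hhmmss(ctrl["now"]).encode()
    elif kind == WM_MAC:
        value = mac_of_frame(frame, ctrl["key"])
    else:
        raise ValueError("unknown watermark type %r" % kind)
    return bytes([kind, len(value)]) + value


def up_send(tunnel_hdr, frame, kind, ctrl):
    """UP device with the watermark function on: tunnel header | watermark | frame."""
    return tunnel_hdr + make_watermark(kind, frame, ctrl) + frame


def cp_classify(pkt, tunnel_hdr_len, kind, ctrl, clock_slack=5):
    """CP device: 'attack' if the watermark is absent or wrong, else 'ok'."""
    body = pkt[tunnel_hdr_len:]
    if len(body) < 2 or body[0] != kind:
        return "attack"                      # no watermark field (FIG. 6(c) replay)
    wm_len = body[1]
    value, frame = body[2:2 + wm_len], body[2 + wm_len:]
    if len(value) != wm_len:
        return "attack"
    if kind == WM_RANDOM:
        good = hmac.compare_digest(value, ctrl["random"])
    elif kind == WM_TIMESTAMP:
        # accept the agreed second plus a small window for clock skew
        good = any(value == timestamp_hhmmss(ctrl["now"] + d).encode()
                   for d in range(-clock_slack, clock_slack + 1))
    elif kind == WM_MAC:
        # bound to the MAC addresses, so a replay with hopped MACs fails
        good = hmac.compare_digest(value, mac_of_frame(frame, ctrl["key"]))
    else:
        good = False
    return "ok" if good else "attack"
```

The three types differ in what they bind. Type b only proves that the sender knew the random number: a packet captured after the watermark function was switched on replays cleanly, because it already carries the value the CP expects. Type d binds the watermark to the very fields the attacker hops (the MAC addresses), so the hopped replay of FIG. 6(c) fails even when the capture is recent, provided the key is not on the wire. Type c needs a skew window, and the CP should keep it small, since every second inside the window is a value a replayed packet can reuse.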
In one example there is a CPRi interface between the CP device and the UP device, and the UP device sends the dial-up packet including the watermark to the CP device over the CPRi interface. In that case the watermarked dial-up packet is also called a CPRi message or CPRi packet. The CPRi interface can be implemented in several ways, including but not limited to VXLAN GPE and GTP-C, and the position of the watermark in the dial-up packet sent by the UP device differs between them. Case A below illustrates how the UP device carries the watermark in the dial-up packets it sends upstream when the CPRi interface uses VXLAN GPE, and case B when it uses GTP-C.
Case A: the CPRi interface is implemented with VXLAN GPE.
When the CPRi interface uses VXLAN GPE, the UDP-based tunnel header of FIG. 6 is a VXLAN GPE header and the watermarked dial-up packet sent by the UP device is a VXLAN GPE packet. FIG. 7 illustrates two encapsulation formats for a watermarked dial-up packet carried as a VXLAN GPE packet. In FIG. 7(a) the packet has three parts, the VXLAN GPE header, the watermark field and the original dial-up packet from the user equipment, with the watermark field between the VXLAN GPE header and the original dial-up packet. In FIG. 7(b) the packet has two parts, the VXLAN GPE header and the original dial-up packet from the user equipment, with the watermark field inside the VXLAN GPE header.
As FIG. 7 shows, the VXLAN GPE header comprises a destination MAC address (DA) field, a source MAC address (SA) field, a destination IP (DIP) field, a source IP (SIP) field, a UDP header, a VXLAN header and a GPE extension header.
For example, the VXLAN header has the format shown in Table 15 below. It includes a VNI field, reserved (R) fields and an I field. The I field is the instance bit (also called the I bit or I flag) and indicates whether the VNI is valid: 1 means the VNI is valid, 0 means it is invalid. The reserved fields consist of one or more reserved bits. The VNI field holds the VNI; in this embodiment it holds the first VNI.
Table 15
Figure PCTCN2021099503-appb-000019 (table image in the original, not reproduced)
In one example, see Table 16 below, the VXLAN header within the VXLAN GPE header also has a Next Protocol field; when used in a BNG with separated CP and UP, the Next Protocol value is, for example, 0x7. In one example, as Table 16 shows, the VXLAN header within the VXLAN GPE header also has a version (Ver) field giving the VXLAN GPE version, whose initial value is 0; an instance bit (I bit or I flag), which when set to 1 indicates that the VNI in the VXLAN header is valid; a Next Protocol bit (P bit or Next Protocol flag), which indicates that the value of the Next Protocol field is valid; a broadcast, unknown-unicast and multicast traffic bit (BUM traffic bit, B bit or B flag), which indicates that the packet is a broadcast, unknown-unicast or multicast (BUM) packet; and an operation, administration and maintenance flag bit (OAM flag bit, O bit or O flag), which indicates that the packet is an OAM packet.
Table 16
Figure PCTCN2021099503-appb-000020 (table image in the original, not reproduced)
The GPE extension header has, for example, the format shown in Table 17 below; it includes a P field, a Class field and a Port Info field. The P field indicates the dial-up category, for example DHCP or PPPoE. The Class field indicates the specific kind of original dial-up packet, for example that it is a PADI packet or a DHCP Discover packet. The Port Info field identifies the interface on the UP device through which the user equipment is attached.
Table 17
Figure PCTCN2021099503-appb-000021 (table image in the original, not reproduced)
The format of the watermarked VXLAN GPE packet sent by the UP device has been described in general above; the following illustrates it for the specific watermark types a to d.
For example, with watermark type a, the VXLAN GPE packet sent by the UP device carries the adjusted VNI (the first VNI). As FIG. 7(b) shows, the first VNI is located in the VXLAN header, for example in the VNI field of the VXLAN header of Table 15 or of Table 16.
For example, with watermark type b, the VXLAN GPE packet sent by the UP device carries the random number generated by the CP device (the first random number). FIG. 8 illustrates a VXLAN GPE packet including the first random number, which is located in the random number field of FIG. 8; the other fields are as described above.
For example, with watermark type c, the VXLAN GPE packet sent by the UP device carries the timestamp of the synchronization point between the UP device and the CP device (the first timestamp). FIG. 9 illustrates a VXLAN GPE packet including the first timestamp, which is located in the timestamp field of FIG. 9; the other fields are as described above.
For example, with watermark type d, the VXLAN GPE packet sent by the UP device carries the message authentication code obtained by hashing parameters of the dial-up packet (the first message authentication code). FIG. 10 illustrates a VXLAN GPE packet including the first message authentication code, which is located in the message authentication code field of FIG. 10; the other fields are as described above.
Case B: the CPRi interface is implemented with GTP-C.
When the CPRi interface uses GTP-C, the watermarked dial-up packet sent by the UP device is a GTP-C packet. For example, the UDP-based tunnel header of FIG. 6(d) then consists of a GTP-C header and an NSH header, and the VXLAN GPE header in the four watermarked dial-up packets of FIG. 7, FIG. 8, FIG. 9 and FIG. 10 is replaced by a GTP-C header and an NSH header. In one example a field of the GTP-C header or a field of the NSH header carries the watermark.
S309. The CP device identifies attack packets in the packet flow according to the watermark.
The packet flow is the series of packets the CP device receives after sending the first control message; for example, it includes the packets the CP device receives over the CPRi interface. For each packet in the flow, the CP device checks the packet against the watermark to determine whether it is an attack packet sent by the attacker or a normal packet sent by the UP device.
The CP device can identify attack packets in several ways. In one example the attacker's packet carries no watermark at all, and the CP device determines that the packet is an attack packet because it includes no watermark. Taking a fifth packet as an example: the packet flow includes the fifth packet, and the CP device determines that it is an attack packet because it includes no watermark. In another example the attacker's packet carries a watermark, but the wrong one, and the CP device determines that the packet is an attack packet because the watermark it carries is not the watermark the CP device previously delivered to the UP device. Identification methods A to D below illustrate, for the four watermark types described above, how the CP device identifies attack packets.
Identification method A: the CP device uses the VNI to identify attack packets.
Take the identification of a first packet as an example, where the first packet is a packet of the flow received by the CP device after it delivered the first VNI. If the first packet does not carry the first VNI that the CP device previously delivered to the UP device, the first packet did not come from the UP device; the check fails and the CP device determines that the first packet is an attack packet. In one example, after changing the original VNI to the first VNI, the CP device stores the first VNI in a local table entry; when the first packet arrives, it reads the first VNI from that entry and uses the stored value to identify attack packets.
In both of the following cases, A-1 and A-2, the CP device can use identification method A to discover that a received packet is an attack packet sent by the attacker.
Case A-1: the attacker's packet has no VNI.
For example, the first packet includes no VNI, and the CP device determines that it is an attack packet on that basis.
Case A-2: the attacker's packet contains a VNI, but the wrong one.
For example, the CP device obtains a second VNI from the first packet and compares it with the first VNI; if the two differ, the CP device determines that the first packet is an attack packet. The second VNI is the VNI carried in the first packet: for example, the first packet was also sent over a VXLAN tunnel, and the second VNI is the VNI in its VXLAN header.
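The VXLAN GPE header of Tables 15 and 16 and identification method A (cases A-1 and A-2), as an added example that is not code from the patent. It encodes and parses the header (flags octet R R Ver Ver I P B O, 16 reserved bits, Next Protocol, 24-bit VNI, 8 reserved bits, the layout of draft-ietf-nvo3-vxlan-gpe) and runs the CP-side check: a packet is an attack packet if it carries no valid VNI (I bit clear) or a VNI other than the first VNI the CP delivered. The outer Ethernet, IP and UDP headers of FIG. 7 are omitted, the VNI values and inner frame are constructed, and Next Protocol 0x7 is the value the text gives for the CU-separated BNG.

```python
"""
Added example, not code from the patent. VXLAN-GPE header encode/parse and the
CP-side VNI check of identification method A.
"""
import struct

NEXT_PROTOCOL_BNG = 0x7   # value the text gives for the CU-separated BNG case

# Constructed sample inner payload: a PPPoE discovery frame header (EtherType 0x8863).
SAMPLE_INNER = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455") + b"\x88\x63"


def vxlan_gpe_header(vni, next_protocol=NEXT_PROTOCOL_BNG,
                     i=True, p=True, b=False, o=False, ver=0):
    """8-octet VXLAN-GPE header with the Ver/I/P/B/O flags of Table 16."""
    flags = ((ver & 0x3) << 4) | (int(i) << 3) | (int(p) << 2) | (int(b) << 1) | int(o)
    return struct.pack("!BHB", flags, 0, next_protocol) + struct.pack("!I", (vni & 0xFFFFFF) << 8)


def parse_vxlan_gpe_header(buf):
    """Decode the flags, Next Protocol and 24-bit VNI; raise on a short buffer."""
    if len(buf) < 8:
        raise ValueError("short VXLAN-GPE header")
    flags, _, nxt = struct.unpack_from("!BHB", buf, 0)
    vni = struct.unpack_from("!I", buf, 4)[0] >> 8
    return {"ver": (flags >> 4) & 0x3, "I": bool(flags & 0x8), "P": bool(flags & 0x4),
            "B": bool(flags & 0x2), "O": bool(flags & 0x1),
            "next_protocol": nxt, "vni": vni}


class ControlPlane:
    """CP-side state for identification method A. The expected VNI is kept in
    a local entry and replaced by the first VNI when the CP delivers it."""

    def __init__(self, original_vni):
        self.expected_vni = original_vni

    def deliver_first_vni(self, first_vni):
        # Done in the same step as sending the first control message to the UP.
        self.expected_vni = first_vni

    def classify(self, pkt):
        """'attack' for case A-1 (no valid VNI) or A-2 (wrong VNI), else 'ok'."""
        try:
            hdr = parse_vxlan_gpe_header(pkt)
        except ValueError:
            return "attack"
        if not hdr["I"]:                       # case A-1: I bit clear, VNI invalid
            return "attack"
        if hdr["vni"] != self.expected_vni:    # case A-2: VNI present but wrong
            return "attack"
        return "ok"
```

The VNI travels in the clear in the outer header, so the check holds only while the attacker is replaying captures made before the CP changed the VNI; an attacker that can keep sniffing the CPRi link learns the first VNI as soon as the UP starts using it. A keyed watermark over the inner frame (type d with a secret key) closes that gap at the cost of the hash computation per packet, whereas the VNI check, as the text notes, reuses the VNI validation the VXLAN receive path already performs.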
CP设备和UP设备通过采用识别方式A防御网络攻击,能够达到以下两个方面的效果。By adopting identification method A to defend against network attacks, CP devices and UP devices can achieve the following two effects.
一方面,由于攻击者难以知晓CP设备向UP设备下发的调整后的VNI(即第一VNI),也就无法构造包含调整后的VNI的攻击报文。因此,CP设备能够依据报文是否包含调整后的VNI,区分报文是攻击者上送的攻击报文还是UP设备上送的正常报文,从而有效防御攻击者的网络攻击。On the one hand, since it is difficult for an attacker to know the adjusted VNI (ie, the first VNI) delivered by the CP device to the UP device, he cannot construct an attack packet containing the adjusted VNI. Therefore, the CP device can distinguish whether the packet is an attack packet sent by the attacker or a normal packet sent by the UP device according to whether the packet contains the adjusted VNI, thereby effectively defending against network attacks by the attacker.
另一方面,在利用VNI实现防御网络攻击的功能时,能够复用CP设备与UP设备基于VXLAN通信时涉及的诸多流程。例如,CP设备根据第一VNI确定攻击报文的步骤可通过复用VXLAN中对收到的VXLAN报文中的VNI进行校验的流程实现,UP设备在报文中携带第一VNI的步骤可通过复用VXLAN中在发送的VXLAN报文携带VNI的流程实现。由于CP设备和UP设备能复用已有的处理逻辑来实现网络攻击的防御能力,节约了CP设备为了新增防御能力而新增的计算性能开销,也节约了UP设备为了新增防御能力而新增的转发性能开销。因此,这种实现防御网络攻击的方案开销小,实用性高。On the other hand, when using VNI to implement the function of defending against network attacks, many processes involved in the communication between the CP device and the UP device based on VXLAN can be reused. For example, the step that the CP device determines the attack packet according to the first VNI can be implemented by multiplexing the process of verifying the VNI in the received VXLAN packet in the VXLAN, and the step that the UP device carries the first VNI in the packet can be implemented. It is implemented by multiplexing the process of carrying VNI in VXLAN packets sent in VXLAN. Since the CP device and the UP device can reuse the existing processing logic to realize the defense capability of network attacks, the computing performance overhead of the CP device to increase the defense capability is saved, and the UP device to increase the defense capability is also saved. Added forwarding performance overhead. Therefore, this solution for implementing defense against network attacks has low overhead and high practicability.
本实施例对采用识别方式A时如何识别正常报文不做限定。在一个示例中,如果第一报 文包括CP设备之前向UP设备下发的第一VNI,则对第一报文校验通过,CP设备确定第一报文为非攻击报文(例如正常报文)。在另一个示例中,CP设备不仅利用VNI,还利用VNI之外的其他特征识别报文时,如果第一报文包括CP设备之前向UP设备下发的第一VNI且第一报文的其他特征满足正常条件,CP设备确定第一报文为正常报文。This embodiment does not limit how to identify normal packets when the identification mode A is adopted. In an example, if the first packet includes the first VNI previously delivered by the CP device to the UP device, the verification of the first packet is passed, and the CP device determines that the first packet is a non-attack packet (for example, a normal packet). Arts). In another example, when the CP device uses not only the VNI but also other features other than the VNI to identify the packet, if the first packet includes the first VNI previously delivered by the CP device to the UP device and other If the feature satisfies the normal condition, the CP device determines that the first packet is a normal packet.
Identification method B: the CP device uses a random number to identify attack packets.
Taking identification method B as applied to the second packet as an example, the second packet is one packet in the packet flow that the CP device receives after delivering the first random number. If the second packet does not include the first random number that the CP device previously delivered to the UP device, this indicates that the second packet did not come from the UP device, so verification of the second packet fails and the CP device determines that the second packet is an attack packet. In one example, after generating the first random number, the CP device saves it in a local table entry; when the CP device receives the second packet, it reads the first random number from the local table entry and uses the pre-saved first random number to identify attack packets.
In both of the following cases, B-1 and B-2, the CP device can use identification method B to find that a received packet is an attack packet sent by an attacker.
Case B-1: the packet sent by the attacker carries no random number.
For example, if the second packet does not include a random number, the CP device determines that the second packet is an attack packet on the basis that it does not include a random number.
Case B-2: the packet sent by the attacker carries a random number, but the random number is incorrect.
For example, the CP device obtains a second random number from the second packet and determines whether the second random number is the same as the first random number; if the second random number differs from the first random number, the CP device determines that the second packet is an attack packet. Here the second random number is the random number carried in the second packet.
This embodiment does not limit how normal packets are identified when identification method B is adopted. In one example, if the second packet includes the first random number that the CP device previously delivered to the UP device, verification of the second packet passes and the CP device determines that the second packet is a non-attack packet (for example, a normal packet). In another example, where the CP device identifies packets not only by the random number but also by other features, the CP device determines that the second packet is a normal packet if it includes the first random number previously delivered to the UP device and its other features satisfy the normal condition.
Identification method C: the CP device uses a timestamp to identify attack packets.
Taking identification method C as applied to the third packet as an example, the third packet is one packet in the packet flow that the CP device receives after delivering the first control message. If the third packet does not include the first timestamp, which corresponds to a time point synchronized between the CP device and the UP device, this indicates that the third packet did not come from the UP device, so verification of the third packet fails and the CP device determines that the third packet is an attack packet.
The CP device can obtain the first timestamp in several ways. For example, because the clocks of the CP device and the UP device are synchronized, when the CP device receives the third packet it reads the timestamp of the local time point and uses it as the first timestamp. Alternatively, when the CP device receives the third packet, it applies an algorithm to compensate the timestamp of the local time point and uses the compensated timestamp as the first timestamp.
In both of the following cases, C-1 and C-2, the CP device can use identification method C to find that a received packet is an attack packet sent by an attacker.
Case C-1: the packet sent by the attacker carries no timestamp.
For example, if the third packet does not include a timestamp, the CP device determines that the third packet is an attack packet on the basis that it does not include a timestamp.
Case C-2: the packet sent by the attacker carries a timestamp, but the timestamp is incorrect.
For example, the CP device obtains a second timestamp from the third packet and compares the second timestamp with the first timestamp; if the time difference between the second timestamp and the first timestamp is greater than the time difference threshold, the CP device determines that the third packet is an attack packet. Here the second timestamp is the timestamp carried in the third packet.
This embodiment does not limit how normal packets are identified when identification method C is adopted. In one example, if the third packet includes the first timestamp, verification of the third packet passes and the CP device determines that the third packet is a non-attack packet (for example, a normal packet). In another example, if the time difference between the second timestamp included in the third packet and the first timestamp is less than the time difference threshold, for instance within plus or minus 1 second, the CP device determines that the third packet is a normal packet. In a further example, where the CP device identifies packets not only by the timestamp but also by other features, the CP device determines that the third packet is a normal packet if it includes the first timestamp and its other features satisfy the normal condition.
Identification method D: the CP device uses a message authentication code to identify attack packets.
Taking identification method D as applied to the fourth packet as an example, the fourth packet is one packet in the packet flow that the CP device receives after delivering the first control message. If the fourth packet does not include the first message authentication code, this indicates that the fourth packet did not come from the UP device, so verification of the fourth packet fails and the CP device determines that the fourth packet is an attack packet. For example, after delivering the format of the message authentication code in the first control message, the CP device saves that format in a local table entry; when the CP device receives the fourth packet, it reads the format from the local table entry and, following the pre-saved format, performs a hash operation over at least one parameter of the dial-up packet to obtain the first message authentication code.
In both of the following cases, D-1 and D-2, the CP device can use identification method D to find that a received packet is an attack packet sent by an attacker.
Case D-1: the packet sent by the attacker carries no message authentication code.
For example, if the fourth packet does not include a message authentication code, the CP device determines that the fourth packet is an attack packet on the basis that it does not include a message authentication code.
Case D-2: the packet sent by the attacker carries a message authentication code, but the message authentication code is incorrect.
For example, the CP device obtains a second message authentication code from the fourth packet and determines whether the second message authentication code is the same as the first message authentication code; if the second message authentication code differs from the first message authentication code, the CP device determines that the fourth packet is an attack packet. Here the second message authentication code is the message authentication code carried in the fourth packet.
This embodiment does not limit how normal packets are identified when identification method D is adopted. In one example, if the fourth packet includes the first message authentication code, verification of the fourth packet passes and the CP device determines that the fourth packet is a non-attack packet (for example, a normal packet). In another example, where the CP device identifies packets not only by the message authentication code but also by other features, the CP device determines that the fourth packet is a normal packet if it includes the first message authentication code and its other features satisfy the normal condition.
Identification methods A to D can be combined in any way. In one example, only one type of watermark from methods A to D is used to defend against attacks; in another example, two or more types of watermark from methods A to D are used at the same time. Taking the combination of methods A and B as an example, the CP device generates and sends a first control message that instructs the UP device to carry the first VNI and the first random number when sending dial-up packets to the CP device; according to the first control message, the UP device carries the first VNI and the first random number in the dial-up packet and sends the dial-up packet including both to the CP device. When the CP device receives the first packet, it determines that the first packet is an attack packet if the packet does not include the first VNI or does not include the first random number, and determines that the first packet is a normal packet if the packet includes both the first VNI and the first random number.
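The following is an added example, not code from the patent, showing the CP-side verification of identification methods A to D and their combination as described above: the UP stamps the watermark fields into a copy of the original dial-up packet, and the CP classifies each received packet, naming the case (A-1, A-2, B-1, ...) that made verification fail. The packet model (a dict with the constructed field names `vni`, `rand`, `ts`, `mac`), the `WatermarkPolicy` dataclass and the use of a keyed hash (HMAC) with a key assumed to be shared in the first control message are assumptions of this example; the text only specifies a hash over at least one dial-up parameter.

```python
"""CP-side watermark verification for dial-up packets (added example, not the patent's code)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class WatermarkPolicy:
    """Watermark parameters delivered to the UP in the first control message.
    A None value means that watermark type is not enabled (methods A-D combine freely)."""
    first_vni: Optional[int] = None         # method A: adjusted VNI
    first_rand: Optional[int] = None        # method B: first random number
    ts_threshold: Optional[float] = None    # method C: allowed |second ts - first ts| in seconds
    mac_key: Optional[bytes] = None         # method D: key for the keyed hash (assumption)
    mac_fields: Tuple[str, ...] = ()        # method D: the "MAC format": which parameters are hashed


def compute_mac(policy: WatermarkPolicy, pkt: dict) -> str:
    """Keyed hash over the dial-up parameters named by the MAC format, in a fixed order."""
    material = "|".join(f"{name}={pkt.get(name, '')}" for name in policy.mac_fields)
    return hmac.new(policy.mac_key, material.encode(), hashlib.sha256).hexdigest()[:16]


def stamp_packet(policy: WatermarkPolicy, original: dict, local_ts: float) -> dict:
    """UP side (S307/S308): add the enabled watermark(s) to a copy of the original packet."""
    pkt = dict(original)
    if policy.first_vni is not None:
        pkt["vni"] = policy.first_vni
    if policy.first_rand is not None:
        pkt["rand"] = policy.first_rand
    if policy.ts_threshold is not None:
        pkt["ts"] = local_ts                    # CP and UP clocks are synchronized
    if policy.mac_key is not None:
        pkt["mac"] = compute_mac(policy, pkt)   # computed last so it can cover the other marks
    return pkt


def classify(policy: WatermarkPolicy, pkt: dict, local_ts: float) -> Tuple[bool, str]:
    """CP side (S309): returns (is_attack, reason). Every enabled watermark must be present
    and correct; the reason names the case from the description above."""
    if policy.first_vni is not None:
        if "vni" not in pkt:
            return True, "A-1: no VNI"
        if pkt["vni"] != policy.first_vni:
            return True, "A-2: VNI differs from first VNI"
    if policy.first_rand is not None:
        if "rand" not in pkt:
            return True, "B-1: no random number"
        if pkt["rand"] != policy.first_rand:
            return True, "B-2: random number differs from first random number"
    if policy.ts_threshold is not None:
        if "ts" not in pkt:
            return True, "C-1: no timestamp"
        if abs(pkt["ts"] - local_ts) > policy.ts_threshold:   # local_ts is the first timestamp
            return True, "C-2: timestamp outside the time difference threshold"
    if policy.mac_key is not None:
        if "mac" not in pkt:
            return True, "D-1: no message authentication code"
        if not hmac.compare_digest(pkt["mac"], compute_mac(policy, pkt)):
            return True, "D-2: message authentication code mismatch"
    return False, "normal"


if __name__ == "__main__":
    # Constructed sample: all four watermark types enabled at once.
    policy = WatermarkPolicy(first_vni=4097, first_rand=0x5A5A, ts_threshold=1.0,
                             mac_key=b"constructed-key",
                             mac_fields=("src_mac", "session_id", "vni", "rand", "ts"))
    original = {"src_mac": "02:00:5e:00:53:01", "session_id": 7}   # constructed dial-up parameters
    good = stamp_packet(policy, original, local_ts=1000.0)
    print(classify(policy, good, local_ts=1000.4))      # (False, 'normal')
    print(classify(policy, original, local_ts=1000.0))  # (True, 'A-1: no VNI')
```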
In one example, the CP device also uses the watermark to determine whether an attack packet was sent up from the UP device. If the attack packet was sent from the UP device, the CP device rate-limits the user-side interface on the UP device. The user-side interface is the interface connected to the access network or the aggregation network, that is, the interface through which the UP device receives original dial-up packets from user equipment. For example, the CP device sends a third control message to the UP device instructing it to rate-limit the user-side interface, and in response to the third control message the UP device rate-limits the original dial-up packets received through the user-side interface. In this way, in scenarios such as an infected home terminal, rate-limiting the user-side interface of the UP device resolves the problem of the home terminal dialing up to the UP device at an excessive rate.
S310: The CP device discards the attack packet.
By distinguishing attack packets from normal packets according to the watermark and discarding the attack packets, the CP device is spared the dial-up processing actions for attack packets, such as responding to the dial-up and performing authentication, which saves its computing resources. Because normal packets are no longer randomly discarded by the token bucket, the CP device can perform dial-up processing for normal packets and ensure that legitimate users can go online.
In one example, the CP device defends against attacks through watermarking in coordination with a designated UP device. For example, the CP device measures the rate of dial-up packets for each source IP address separately and obtains the receiving rate of dial-up packets for each source IP address. If the receiving rate of dial-up packets from a first source IP address satisfies the abnormal condition, the CP device determines, among the at least one UP device associated with it, the first UP device that has that first source IP address and sends the first control message to that first UP device. The first UP device then carries the watermark in its dial-up packets, and the CP device uses the watermark to identify attack packets in the packet flow whose source IP address is the first source IP address. Attackers often impersonate a UP device when launching an attack, that is, they send packets with the same source IP address as some UP device, so an abnormal receiving rate of dial-up packets from the first source IP address indicates that dial-up packets from that address are likely being forged by an attacker. Compared with requiring every UP device in the system to carry a watermark in its dial-up packets and having the CP device verify the watermark on every received packet flow, defending in coordination with the designated first UP device makes the defense function more precise and its overhead lower.
S311: In response to the receiving rate of dial-up packets satisfying the normal condition, the CP device generates a second control message, which instructs the UP device to stop carrying the watermark when sending dial-up packets to the CP device.
If the receiving rate of dial-up packets satisfies the normal condition, the CP device determines that the network attack has stopped, and it generates and delivers the second control message to instruct the UP device to stop carrying the watermark in the dial-up packets it sends up, thereby switching off the watermark-based defense function and reducing network overhead and device load.
For example, the CP device measures the receiving rate of dial-up packets; if the time for which the receiving rate exceeds the rate threshold is shorter than a preset duration, or the time for which the receiving rate stays below the rate threshold is longer than the preset duration, or the receiving rate of dial-up packets is below the rate threshold, the CP device determines that the receiving rate satisfies the normal condition.
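The following is an added example, not code from the patent, of the per-source-IP rate monitor on the CP that decides when to issue the first control message (start watermarking) and, using the three disjuncts of the normal condition just listed, the second control message (stop watermarking). It assumes one measured rate sample per interval from the CP's counters; the abnormal condition of S303 is not stated in this section and is assumed here to be the mirror image of S311 (rate above the threshold for at least the preset duration), and the `immediate_recovery` switch is an added knob for deployments that want a sustained quiet period before switching the watermark off.

```python
"""Per-source-IP dial-up rate monitor on the CP (added example, not the patent's code)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class SourceState:
    above_since: Optional[float] = None   # start of the current run with rate > threshold
    below_since: Optional[float] = None   # start of the current run with rate <= threshold
    last_burst: Optional[float] = None    # length of the most recent above-threshold run
    watermark_on: bool = False            # first control message sent, second not yet sent


class DialRateMonitor:
    """observe() takes one rate sample per measurement interval and returns
      "first_control"  - instruct the UP owning src_ip to start watermarking,
      "second_control" - the S311 normal condition is met, instruct it to stop,
      None             - no change."""

    def __init__(self, rate_threshold: float, preset_duration: float,
                 immediate_recovery: bool = True):
        self.rate_threshold = rate_threshold
        self.preset_duration = preset_duration
        # Added knob: when False, disjunct (c) "rate below threshold" is ignored, so the
        # watermark only stops after a quiet run longer than preset_duration (disjunct (b)).
        self.immediate_recovery = immediate_recovery
        self.sources: Dict[str, SourceState] = {}

    def _abnormal(self, st: SourceState, now: float) -> bool:
        # Assumption: mirror image of S311, the rate stays above the threshold for
        # at least preset_duration.
        return st.above_since is not None and now - st.above_since >= self.preset_duration

    def _normal(self, st: SourceState, now: float, rate: float) -> bool:
        # The three disjuncts of the S311 example, in the order the text gives them.
        short_burst = st.last_burst is not None and st.last_burst < self.preset_duration
        long_quiet = st.below_since is not None and now - st.below_since > self.preset_duration
        below_now = self.immediate_recovery and rate < self.rate_threshold
        return short_burst or long_quiet or below_now

    def observe(self, src_ip: str, now: float, rate: float) -> Optional[str]:
        st = self.sources.setdefault(src_ip, SourceState())
        if rate > self.rate_threshold:
            if st.above_since is None:
                st.above_since = now
            st.below_since = None
            if not st.watermark_on and self._abnormal(st, now):
                st.watermark_on = True
                st.last_burst = None
                return "first_control"
            return None
        # rate at or below the threshold: close any above-threshold run
        if st.above_since is not None:
            st.last_burst = now - st.above_since
            st.above_since = None
        if st.below_since is None:
            st.below_since = now
        if st.watermark_on and self._normal(st, now, rate):
            st.watermark_on = False
            st.last_burst = None
            return "second_control"
        return None


if __name__ == "__main__":
    # Constructed samples: one source floods for 5 s at 500 pkt/s, then goes quiet.
    mon = DialRateMonitor(rate_threshold=100.0, preset_duration=3.0, immediate_recovery=False)
    for t in range(0, 5):
        print(t, mon.observe("203.0.113.7", t, 500.0))   # "first_control" at t=3
    for t in (5, 6, 8, 9):
        print(t, mon.observe("203.0.113.7", t, 10.0))    # "second_control" at t=9
```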
In one example, CUSP is extended to implement the second control message. Specifically, a new type of CUSP message is defined, which instructs the UP device to stop carrying the watermark when sending dial-up packets to the CP device; this new CUSP message type is the second control message. The CUSP message serving as the second control message includes a type field, and the type field carries a type value that identifies the message as instructing the UP device to stop carrying the watermark when sending dial-up packets to the CP device. In one example, the type value is a control message type in the sense of Table 2 of RFC 8772. Table 18 below gives an example of a CUSP message serving as the second control message: "watermark end" (waterprint_End) is an example of the type name, and 10 is an example of the type value.
Table 18
Type | Name | Notes
10 | Watermark end (waterprint_End) | Stop watermarking
In one example, PFCP is extended to implement the second control message. For example, the PFCP message serving as the second control message includes the watermark IE; for the format of the watermark IE, see Tables 6, 7 and 8 above. In one example the second control message is a PFCP node message; in another example it is a PFCP session message.
S312: The CP device sends the second control message to the UP device.
S313: The UP device receives the second control message from the CP device.
S315: According to the second control message, the UP device sends dial-up packets that do not include the watermark to the CP device.
The dial-up packet sent by the UP device in S315 includes, for example, the original dial-up packet but not the watermark. In one example the original dial-up packet is sent by the user equipment; in another example it may be sent by an access device connected to the user equipment. The original dial-up packet is transmitted to the UP device. Because the second control message specifies that the UP device stops carrying the watermark when sending dial-up packets to the CP device, when the UP device receives an original dial-up packet it no longer adds the watermark, in accordance with the second control message delivered by the CP device, so the dial-up packets sent up by the UP device no longer include a watermark.
In the method provided by this embodiment, when the CP device finds that the receiving rate of dial-up packets is abnormal, it delivers a control message to the UP device that notifies the UP device to carry a watermark in the dial-up packets it sends up. Because dial-up packets sent by the UP device include the watermark while attack packets sent by an attacker do not, the CP device can use the watermark to identify attack packets in the received packet flow effectively and discard them. This effectively resists the network attack, reduces the risk of the CP device being attacked, and improves the security of the CP device and of the communication system.
以上通过方法300示例性介绍了CP设备和UP设备参与的交互流程。以下介绍本申请实施例的CP设备和UP设备,下面描述的CP设备和UP设备分别具有上述方法300中CP设备和UP设备的任意功能。The interaction process in which the CP device and the UP device participate is exemplarily introduced above through the method 300 . The following describes the CP device and the UP device in the embodiments of the present application. The CP device and the UP device described below have any of the functions of the CP device and the UP device in the foregoing method 300, respectively.
附图11示出了上述实施例中所涉及的CP设备的一种可能的结构示意图。附图11所示的CP设备400例如实现方法300中CP设备的功能。FIG. 11 shows a possible schematic structural diagram of the CP device involved in the above embodiment. The CP device 400 shown in FIG. 11 , for example, implements the functions of the CP device in the method 300 .
请参考附图11,CP设备400包括处理单元401和发送单元402。CP设备400中的各个单元全部或部分地通过软件、硬件、固件或者其任意组合来实现。CP设备400中的各个单元用于执行上述方法300中CP设备的相应功能。具体地,处理单元401用于支持CP设备400执行S303、S309和S310。发送单元402用于支持CP设备400执行S304。Referring to FIG. 11 , the CP device 400 includes a processing unit 401 and a sending unit 402 . Each unit in the CP device 400 is implemented in whole or in part by software, hardware, firmware or any combination thereof. Each unit in the CP device 400 is used to perform the corresponding functions of the CP device in the above method 300 . Specifically, the processing unit 401 is configured to support the CP device 400 to execute S303, S309 and S310. The sending unit 402 is configured to support the CP device 400 to perform S304.
在一个示例中,处理单元401以及发送单元402还用于支持CP设备400执行本文所描述的技术中CP设备执行的其它过程。例如,处理单元401还用于支持CP设备400执行S311。发送单元402还用于支持CP设备400执行S312。具体执行过程请参考方法300中相应步骤的详细描述,这里不再一一赘述。In one example, the processing unit 401 and the sending unit 402 are also configured to support the CP device 400 to perform other processes performed by the CP device in the techniques described herein. For example, the processing unit 401 is further configured to support the CP device 400 to execute S311. The sending unit 402 is further configured to support the CP device 400 to perform S312. For the specific execution process, please refer to the detailed description of the corresponding steps in the method 300, which will not be repeated here.
本申请实施例中对单元的划分是示意性的,仅仅为一种逻辑功能划分,实际实现时可选地有另外的划分方式。The division of units in this embodiment of the present application is schematic, and is only a logical function division. In actual implementation, there may be other division methods.
例如,在另一个示例中,CP设备400中各个单元集成在一个处理单元中。例如,CP设备 400中各个单元集成在同一个芯片上。该芯片包括处理电路和与该处理电路内部连接通信的输入接口以及输出接口。处理单元401通过芯片中的处理电路实现。发送单元402通过芯片中的输出接口实现。例如,该芯片通过一个或多个现场可编程门阵列(英文全称:field-programmable gate array,英文简称:FPGA)、可编程逻辑器件(英文全称:programmable logic device,英文简称:PLD)、控制器、状态机、门逻辑、分立硬件部件、任何其它适合的电路、或者能够执行本申请通篇所描述的各种功能的电路的任意组合实现。For example, in another example, the various units in the CP device 400 are integrated into one processing unit. For example, each unit in the CP device 400 is integrated on the same chip. The chip includes a processing circuit, an input interface and an output interface that are internally connected and communicated with the processing circuit. The processing unit 401 is implemented by a processing circuit in the chip. The sending unit 402 is implemented through an output interface in the chip. For example, the chip uses one or more field programmable gate arrays (full name in English: field-programmable gate array, English abbreviation: FPGA), programmable logic device (full English name: programmable logic device, English abbreviation: PLD), controller , state machines, gate logic, discrete hardware components, any other suitable circuit, or any combination of circuits capable of performing the various functions described throughout this application.
又如,在另一个示例中,CP设备400各个单元单独物理存在。在另一个示例中,CP设备400一部分单元单独物理存在,另一部分单元集成在一个单元中。例如,在一个示例中,处理单元401和发送单元402是同一个单元。在另一个示例中,处理单元401和发送单元402是不同的单元。在一个示例中,不同单元的集成采用硬件的形式实现,即,不同单元对应于同一个硬件。又如,不同单元的集成采用软件单元的形式实现。For another example, in another example, each unit of the CP device 400 physically exists independently. In another example, a part of the units of the CP device 400 exist physically alone, and another part of the units are integrated in one unit. For example, in one example, the processing unit 401 and the sending unit 402 are the same unit. In another example, the processing unit 401 and the sending unit 402 are different units. In one example, the integration of the different units is implemented in the form of hardware, that is, the different units correspond to the same hardware. For another example, the integration of different units is implemented in the form of software units.
在CP设备400中通过硬件实现的情况下,在一个示例中,CP设备400中处理单元401通过设备700中的处理器701或者处理器705中的至少一项实现。CP设备400中发送单元402通过设备700中的通信接口704实现。在另一个示例中,CP设备400中处理单元401通过设备600中的中央处理器611、接口板603上的中央处理器631、网络处理器632、接口板640上的中央处理器641或者网络处理器642中的至少一项实现。CP设备400中发送单元402通过设备600中的物理接口卡633或者物理接口卡643中的至少一项实现。In the case of hardware implementation in the CP device 400 , in one example, the processing unit 401 in the CP device 400 is implemented by at least one of the processor 701 or the processor 705 in the device 700 . The sending unit 402 in the CP device 400 is implemented through the communication interface 704 in the device 700 . In another example, the processing unit 401 in the CP device 400 is processed by the central processing unit 611 in the device 600, the central processing unit 631 on the interface board 603, the network processor 632, the central processing unit 641 on the interface board 640, or the network processing unit at least one of the implementations of the device 642 . The sending unit 402 in the CP device 400 is implemented by at least one of the physical interface card 633 or the physical interface card 643 in the device 600 .
Where the CP device 400 is implemented in software, for example, each unit in the CP device 400 is software generated after the processor 701 or the processor 705 in the device 700 reads the program code stored in the memory 703; as another example, each unit in the CP device 400 is software generated after the central processing unit 611 in the device 600, the central processing unit 631 on the interface board 603, the network processor 632, the central processing unit 641 on the interface board 640, or the network processor 642 reads the program code stored in the memory 612. For example, the CP device 400 is a virtualized device. The virtualized device includes, but is not limited to, at least one of a virtual machine, a container, or a Pod. In one example, the CP device 400 is deployed on a hardware device (such as a physical server) in the form of a virtual machine. For example, the CP device 400 is implemented on a general-purpose physical server using Network Functions Virtualization (NFV) technology. When implemented as a virtual machine, the CP device 400 is, for example, a virtual host, a virtual router, or a virtual switch. A person skilled in the art, having read this application, can virtualize the CP device 400 on a general-purpose physical server using NFV technology. In another example, the CP device 400 is deployed on a hardware device in the form of a container (for example, a docker container). For example, the procedure by which the CP device 400 performs the above method embodiments is encapsulated in an image file, and the hardware device creates the CP device 400 by running the image file. In another example, the CP device 400 is deployed on a hardware device in the form of a Pod. The Pod includes a plurality of containers, each of which is used to implement one or more units in the CP device 400.
FIG. 12 shows a possible schematic structural diagram of the UP device involved in the above embodiments. The UP device 500 shown in FIG. 12 implements, for example, the functions of the UP device in the method 300.
Referring to FIG. 12, the UP device 500 includes a receiving unit 501, a processing unit 502, and a sending unit 503. Each unit in the UP device 500 is implemented in whole or in part by software, hardware, firmware, or any combination thereof. Each unit in the UP device 500 is used to perform the corresponding functions of the UP device in the above method 300. Specifically, the receiving unit 501 is configured to support the UP device 500 in performing S305. The processing unit 502 is configured to support the UP device 500 in performing S307. The sending unit 503 is configured to support the UP device 500 in performing S308.
In one example, the receiving unit 501, the processing unit 502, or the sending unit 503 is further configured to support the UP device 500 in performing other processes performed by the UP device in the techniques described herein. For example, the receiving unit 501 is configured to support the UP device 500 in performing other receiving operations performed by the UP device in the method 300, such as S313. The sending unit 503 is configured to support the UP device 500 in performing other sending operations performed by the UP device in the method 300, such as S315. For the specific execution process, refer to the detailed description of the corresponding steps in the method 300, which is not repeated here.
The division of units in the embodiments of the present application is illustrative and is only a division by logical function; in actual implementation, other division methods may optionally be used.
In one example, the units in the UP device 500 are integrated into one processing unit. For example, the units in the UP device 500 are integrated on the same chip. The chip includes a processing circuit and an input interface and an output interface that are internally connected to and communicate with the processing circuit. The processing unit 502 is implemented by the processing circuit in the chip. The receiving unit 501 is implemented by the input interface in the chip. The sending unit 503 is implemented by the output interface in the chip. For example, the chip is implemented by one or more field-programmable gate arrays (FPGAs), programmable logic devices (PLDs), controllers, state machines, gate logic, discrete hardware components, any other suitable circuit, or any combination of circuits capable of performing the various functions described throughout this application.
In another example, each unit of the UP device 500 exists physically separately. In another example, some units of the UP device 500 exist physically separately and other units are integrated into one unit. For example, in one example, the processing unit 502 and the sending unit 503 are the same unit. In another example, the processing unit 502 and the sending unit 503 are different units. In one example, the integration of different units is implemented in the form of hardware, that is, the different units correspond to the same hardware. As another example, the integration of different units is implemented in the form of a software unit.
Where the UP device 500 is implemented in hardware, in one example, the processing unit 502 in the UP device 500 is implemented by at least one of the processor 701 or the processor 705 in the device 700. The receiving unit 501 and the sending unit 503 in the UP device 500 are implemented, for example, by the communication interface 704 in the device 700. In another example, the processing unit 502 in the UP device 500 is implemented by at least one of the central processing unit 611 in the device 600, the central processing unit 631 on the interface board 603, the network processor 632, the central processing unit 641 on the interface board 640, or the network processor 642. The receiving unit 501 and the sending unit 503 in the UP device 500 are implemented by at least one of the physical interface card 633 or the physical interface card 643 in the device 600.
Where the UP device 500 is implemented in software, for example, each unit in the UP device 500 is software generated after the processor 701 or the processor 705 in the device 700 reads the program code stored in the memory 703; as another example, each unit in the UP device 500 is software generated after the central processing unit 611 in the device 600, the central processing unit 631 on the interface board 603, the network processor 632, the central processing unit 641 on the interface board 640, or the network processor 642 reads the program code stored in the memory 612. For example, the UP device 500 is a virtualized device. The virtualized device includes, but is not limited to, at least one of a virtual machine, a container, or a Pod. In one example, the UP device 500 is deployed on a hardware device (such as a physical server) in the form of a virtual machine. For example, the UP device 500 is implemented on a general-purpose physical server using Network Functions Virtualization (NFV) technology. When implemented as a virtual machine, the UP device 500 is, for example, a virtual host, a virtual router, or a virtual switch. A person skilled in the art, having read this application, can virtualize the UP device 500 on a general-purpose physical server using NFV technology. In another example, the UP device 500 is deployed on a hardware device in the form of a container (for example, a docker container). For example, the procedure by which the UP device 500 performs the above method embodiments is encapsulated in an image file, and the hardware device creates the UP device 500 by running the image file. In another example, the UP device 500 is deployed on a hardware device in the form of a Pod. The Pod includes a plurality of containers, each of which is used to implement one or more units in the UP device 500.
The above describes, by way of the CP device 400 and the UP device 500, how to implement the CP device and the UP device from the perspective of logical functions. The following describes, by way of the device 600 and the device 700, how to implement the CP device or the UP device from the perspective of hardware. The device 600 shown in FIG. 13 and the device 700 shown in FIG. 14 are examples of the hardware structure of the CP device or the UP device.
The device 600 or the device 700 corresponds to the CP device or the UP device in the above method 300, and the hardware, modules, and other operations and/or functions in the device 600 or the device 700 are respectively intended to implement the various steps and methods performed by the CP device or the UP device in the method embodiments. For the detailed process by which the device 600 or the device 700 defends against network attacks, refer to the above method 300; for brevity, details are not repeated here. Each step of the method 300 is completed by an integrated logic circuit of hardware in the processor of the device 600 or the device 700, or by instructions in the form of software. The steps of the methods disclosed in conjunction with the embodiments of the present application may be directly embodied as being executed by a hardware processor, or executed by a combination of hardware and software modules in the processor. The software modules are located, for example, in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, or registers. The storage medium is located in the memory; the processor reads the information in the memory and completes the steps of the above method in combination with its hardware, which is not described in detail here to avoid repetition.
Referring to FIG. 13, FIG. 13 shows a schematic diagram of the hardware structure of a device provided by an exemplary embodiment of the present application. The device 600 is configured, for example, as the CP device or the UP device in the method 300. The device 600 includes a main control board 610 and an interface board 630.
The main control board is also called a main processing unit (MPU) or a route processor card. The main control board 610 is used to control and manage the components in the device 600, including route calculation, device management, device maintenance, and protocol processing functions. The main control board 610 includes a central processing unit 611 and a memory 612.
The interface board 630 is also called a line processing unit (LPU), a line card, or a service board. The interface board 630 is used to provide various service interfaces and to forward data packets. The service interfaces include, but are not limited to, Ethernet interfaces and POS (Packet over SONET/SDH) interfaces; an Ethernet interface is, for example, a Flexible Ethernet client interface (FlexE Client). The interface board 630 includes a central processing unit 631, a network processor 632, a forwarding table entry memory 634, and a physical interface card (PIC) 633.
The central processing unit 631 on the interface board 630 is used to control and manage the interface board 630 and to communicate with the central processing unit 611 on the main control board 610.
The network processor 632 is used to perform packet forwarding processing. The network processor 632 takes the form of, for example, a forwarding chip. Specifically, the network processor 632 forwards received packets based on the forwarding table stored in the forwarding table entry memory 634: if the destination address of a packet is an address of the device 600, the packet is sent up to a CPU (such as the central processing unit 611) for processing; if the destination address of the packet is not an address of the device 600, the next hop and outbound interface corresponding to that destination address are looked up in the forwarding table, and the packet is forwarded to the outbound interface corresponding to the destination address. Processing of upstream packets includes inbound-interface processing and forwarding table lookup; processing of downstream packets includes forwarding table lookup and so on.
The physical interface card 633 implements the physical-layer interconnection function: raw traffic enters the interface board 630 through it, and processed packets are sent out from the physical interface card 633. The physical interface card 633, also called a daughter card, can be installed on the interface board 630 and is responsible for converting optical or electrical signals into packets, checking the validity of the packets, and forwarding them to the network processor 632 for processing. In one example, the central processing unit may also perform the functions of the network processor 632, for example by implementing software forwarding on a general-purpose CPU, so that the network processor 632 is not needed in the physical interface card 633.
Optionally, the device 600 includes multiple interface boards; for example, the device 600 further includes an interface board 640, and the interface board 640 includes a central processing unit 641, a network processor 642, a forwarding table entry memory 644, and a physical interface card 643.
Optionally, the device 600 further includes a switch fabric board 620. The switch fabric board 620 is also called, for example, a switch fabric unit (SFU). When the network device has multiple interface boards 630, the switch fabric board 620 is used to exchange data between the interface boards. For example, the interface board 630 and the interface board 640 communicate, for example, through the switch fabric board 620.
The main control board 610 and the interface board 630 are coupled. For example, the main control board 610, the interface board 630, the interface board 640, and the switch fabric board 620 are connected to a system backplane through a system bus to achieve intercommunication. In a possible implementation, an inter-process communication (IPC) channel is established between the main control board 610 and the interface board 630, and the main control board 610 and the interface board 630 communicate through the IPC channel.
Logically, the device 600 includes a control plane and a forwarding plane. The control plane includes the main control board 610 and the central processing unit 631; the forwarding plane includes the components that perform forwarding, such as the forwarding table entry memory 634, the physical interface card 633, and the network processor 632. The control plane performs functions such as routing, generating the forwarding table, processing signaling and protocol packets, and configuring and maintaining device state. The control plane delivers the generated forwarding table to the forwarding plane; on the forwarding plane, the network processor 632 looks up the forwarding table delivered by the control plane and forwards the packets received by the physical interface card 633 accordingly. The forwarding table delivered by the control plane is stored, for example, in the forwarding table entry memory 634. In some embodiments, the control plane and the forwarding plane are, for example, completely separated and not on the same device.
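The forwarding decision described for the network processor 632 and the control-plane/forwarding-plane split above, as an added model (this is not code from the patent): the control plane installs a forwarding table into the forwarding table entry memory 634, and the forwarding plane either sends a packet up to the CPU 611 when its destination is one of the device's own addresses or forwards it by longest-prefix match. All prefixes, next hops, interface names and local addresses are constructed sample values, and the `ForwardingPlane`, `ForwardingEntry` and `sample_forwarding_plane` names are assumptions of this example.

```python
"""Model of the device 600 forwarding path (added example, not the patent's code).

The punt path is the one security-relevant branch: packets addressed to the
device itself (protocol and signalling traffic) leave the forwarding chip and
reach the CPU, which is why control-plane traffic is the usual target of
rate limiting and filtering on such devices.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class ForwardingEntry:
    """One row of the forwarding table delivered by the control plane."""
    prefix: ipaddress.IPv4Network
    next_hop: str
    out_interface: str


@dataclass
class ForwardingPlane:
    """Plays the role of interface board 630: table memory 634 plus NP 632 logic."""
    local_addresses: Set[str]                              # addresses of device 600
    table: List[ForwardingEntry] = field(default_factory=list)   # memory 634
    punted: List[dict] = field(default_factory=list)       # packets sent up to CPU 611

    def install(self, entries: List[ForwardingEntry]) -> None:
        """Control plane (main control board 610) delivers the generated table.

        Entries are kept longest prefix first so lookup() is a simple scan.
        """
        self.table = sorted(entries, key=lambda e: e.prefix.prefixlen, reverse=True)

    def lookup(self, dst: str) -> Optional[ForwardingEntry]:
        """Longest-prefix match on the delivered table; None if no route."""
        addr = ipaddress.IPv4Address(dst)
        for entry in self.table:
            if addr in entry.prefix:
                return entry
        return None

    def process(self, packet: dict) -> str:
        """Network processor 632 decision for one received packet.

        Returns a string describing the action taken so the result can be checked:
        'punt:cpu611', 'forward:<out_interface>:<next_hop>' or 'drop:no-route'.
        """
        dst = packet["dst"]
        if dst in self.local_addresses:
            # Destination is the device itself: send up to the CPU for processing.
            self.punted.append(packet)
            return "punt:cpu611"
        entry = self.lookup(dst)
        if entry is None:
            return "drop:no-route"
        return f"forward:{entry.out_interface}:{entry.next_hop}"


def sample_forwarding_plane() -> ForwardingPlane:
    """Constructed sample: one local address and two overlapping prefixes."""
    fp = ForwardingPlane(local_addresses={"192.0.2.254"})
    fp.install([
        ForwardingEntry(ipaddress.IPv4Network("10.0.0.0/8"), "192.0.2.1", "pic633/0"),
        ForwardingEntry(ipaddress.IPv4Network("10.1.0.0/16"), "192.0.2.2", "pic643/0"),
    ])
    return fp


if __name__ == "__main__":
    plane = sample_forwarding_plane()
    for dst in ("10.1.2.3", "10.9.9.9", "192.0.2.254", "172.16.0.1"):
        print(dst, "->", plane.process({"dst": dst}))
```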
It should be understood that the operations on the interface board 640 in the embodiments of the present application are the same as those on the interface board 630 and, for brevity, are not repeated. It should be understood that the device 600 in this embodiment may correspond to the CP device or the UP device in the above method embodiments, and the main control board 610 and the interface board 630 and/or 640 in the device 600, for example, implement the functions possessed by and/or the steps performed by the CP device or the UP device in the above method embodiments; for brevity, details are not repeated here.
It is worth noting that there may be one or more main control boards; when there are several, they include, for example, an active main control board and a standby main control board. There may be one or more interface boards; the stronger the data processing capability of the network device, the more interface boards it provides. There may also be one or more physical interface cards on an interface board. There may be no switch fabric board, or there may be one or more; when there are several, they can jointly provide load sharing and redundancy backup. In a centralized forwarding architecture, the network device does not need a switch fabric board, and the interface board handles the processing of service data for the entire system. In a distributed forwarding architecture, the network device may have at least one switch fabric board, through which data is exchanged between multiple interface boards, providing large-capacity data exchange and processing capability. Therefore, the data access and processing capability of a network device with a distributed architecture is greater than that of a device with a centralized architecture. Optionally, the network device may also take the form of a single board, that is, without a switch fabric board, with the functions of the interface board and the main control board integrated on that one board; in this case, the central processing unit on the interface board and the central processing unit on the main control board can be merged into one central processing unit on that board, performing the combined functions of both. The data exchange and processing capability of a device in this form is low (for example, low-end switches, routers, or other network devices). Which architecture is used depends on the specific networking deployment scenario, and no limitation is imposed here.
Referring to FIG. 14, FIG. 14 shows a schematic structural diagram of a device 700 provided by an exemplary embodiment of the present application. The device 700 is configured, for example, as the CP device or the UP device in the method 300. The device 700 may be a host, a server, a personal computer, or the like. The device 700 may be implemented by a general bus architecture.
The device 700 includes at least one processor 701, a communication bus 702, a memory 703, and at least one communication interface 704.
The processor 701 is, for example, a general-purpose central processing unit (CPU), a network processor (NP), a graphics processing unit (GPU), a neural-network processing unit (NPU), a data processing unit (DPU), a microprocessor, or one or more integrated circuits for implementing the solution of the present application. For example, the processor 701 includes an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD is, for example, a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof.
The communication bus 702 is used to transfer information between the above components. The communication bus 702 may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is shown in FIG. 14, but this does not mean that there is only one bus or one type of bus.
The memory 703 is, for example, a read-only memory (ROM) or another type of static storage device that can store static information and instructions; or a random access memory (RAM) or another type of dynamic storage device that can store information and instructions; or an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, and the like), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory 703 exists, for example, independently and is connected to the processor 701 through the communication bus 702. The memory 703 may also be integrated with the processor 701.
The communication interface 704 uses any transceiver-like apparatus to communicate with other devices or a communication network. The communication interface 704 includes a wired communication interface and may also include a wireless communication interface. The wired communication interface may be, for example, an Ethernet interface. The Ethernet interface may be an optical interface, an electrical interface, or a combination thereof. The wireless communication interface may be a wireless local area network (WLAN) interface, a cellular network communication interface, a combination thereof, or the like.
In a specific implementation, as an embodiment, the processor 701 may include one or more CPUs, such as CPU0 and CPU1 shown in FIG. 14.
In a specific implementation, as an embodiment, the device 700 may include multiple processors, such as the processor 701 and the processor 705 shown in FIG. 14. Each of these processors may be a single-core processor (single-CPU) or a multi-core processor (multi-CPU). A processor here may refer to one or more devices, circuits, and/or processing cores for processing data (such as computer program instructions).
In a specific implementation, as an embodiment, the device 700 may further include an output device and an input device. The output device communicates with the processor 701 and can display information in a variety of ways. For example, the output device may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, a projector, or the like. The input device communicates with the processor 701 and can receive user input in a variety of ways. For example, the input device may be a mouse, a keyboard, a touch screen device, a sensor device, or the like.
In one example, the memory 703 is used to store program code 710 for executing the solution of the present application, and the processor 701 can execute the program code 710 stored in the memory 703. That is, the device 700 can implement the network attack defense method provided by the method embodiments through the processor 701 and the program code 710 in the memory 703.
The device 700 in the embodiments of the present application may correspond to the CP device or the UP device in the above method embodiments, and the processor 701, the communication interface 704, and so on in the device 700 may implement the functions possessed by and/or the steps and methods performed by the CP device or the UP device in the above method embodiments. For brevity, details are not repeated here.
Referring to FIG. 15, an embodiment of the present application provides a communication system 800. The system 800 includes a CP device 801 and a UP device 802. Optionally, the CP device 801 is the CP device 400 shown in FIG. 11, the device 600 shown in FIG. 14, or the device 700 shown in FIG. 15, and the UP device 802 is the UP device 500 shown in FIG. 12, the device 600 shown in FIG. 14, or the device 700 shown in FIG. 15.
In one example, a computer program product is provided. The computer program product includes computer instructions stored in a computer-readable storage medium. The processor of the CP device reads the computer instructions from the computer-readable storage medium and executes them, so that the CP device performs the relevant steps on the CP device side in the above method 300.
In one example, a computer program product is provided. The computer program product includes computer instructions stored in a computer-readable storage medium. The processor of the UP device reads the computer instructions from the computer-readable storage medium and executes them, so that the UP device performs the relevant steps on the UP device side in the above method 300.
A person of ordinary skill in the art will appreciate that the method steps and units described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the steps and components of the embodiments have been described above generally in terms of their functions. Whether these functions are performed in hardware or in software depends on the specific application and design constraints of the technical solution. A person of ordinary skill in the art may use different methods to implement the described functions for each particular application, but such implementations should not be considered to go beyond the scope of this application.
A person skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses, and units described above may be found by reference to the corresponding processes in the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus, and method may be implemented in other ways. For example, the apparatus embodiments described above are only illustrative; for example, the division of units is only a division by logical function, and in actual implementation there may be other ways of division; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses, or units, and may also be an electrical, mechanical, or other form of connection.
该作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本申请实施例方案的目的。The unit described as a separate component may or may not be physically separated, and the component displayed as a unit may or may not be a physical unit, that is, it may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solutions of the embodiments of the present application.
另外,在本申请各个实施例中的各单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以是两个或两个以上单元集成在一个单元中。上述集成的单元既可以采 用硬件的形式实现,也可以采用软件单元的形式实现。In addition, each unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The above-mentioned integrated units can be implemented in the form of hardware or in the form of software units.
该集成的单元如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读存储介质中。基于这样的理解,本申请的技术方案本质上或者说对现有技术做出贡献的部分,或者该技术方案的全部或部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本申请各个实施例中方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(read-only memory,ROM)、随机存取存储器(random access memory,RAM)、磁碟或者光盘等各种可以存储程序代码的介质。The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of the present application are essentially or part of contributions to the prior art, or all or part of the technical solutions can be embodied in the form of software products, and the computer software products are stored in a storage medium , including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods in the various embodiments of the present application. The aforementioned storage medium includes: U disk, mobile hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk or optical disk and other media that can store program codes .
本申请中术语“第一”、“第二”等字样用于对作用和功能基本相同的相同项或相似项进行区分,应理解,“第一”、“第二”之间不具有逻辑或时序上的依赖关系,也不对数量和执行顺序进行限定。还应理解,尽管以下描述使用术语第一、第二等来描述各种元素,但这些元素不应受术语的限制。这些术语只是用于将一元素与另一元素区别分开。例如,在不脱离各种示例的范围的情况下,第一报文可以被称为第二报文,并且类似地,第二报文可以被称为第一报文。第一报文和第二报文都可以是报文,并且在某些情况下,可以是单独且不同的报文。In this application, the terms "first", "second" and other words are used to distinguish the same or similar items that have basically the same function and function. It should be understood that there is no logical OR between "first" and "second". Timing dependencies, and do not limit the number and execution order. It will also be understood that, although the following description uses the terms first, second, etc. to describe various elements, these elements should not be limited by the terms. These terms are only used to distinguish one element from another. For example, a first message may be referred to as a second message, and, similarly, a second message may be referred to as a first message, without departing from the scope of the various examples. Both the first message and the second message may be messages, and in some cases, may be separate and distinct messages.
本申请中术语“至少一个”的含义是指一个或多个,本申请中术语“多个”的含义是指两个或两个以上,例如,多个报文是指两个或两个以上的报文。本文中术语“系统”和“网络”经常可互换使用。The meaning of the term "at least one" in this application refers to one or more, and the meaning of the term "plurality" in this application refers to two or more, for example, a plurality of messages refers to two or more 's message. The terms "system" and "network" are often used interchangeably herein.
还应理解,术语“如果”可被解释为意指“当...时”(“when”或“upon”)或“响应于确定”或“响应于检测到”。类似地,根据上下文,短语“如果确定...”或“如果检测到[所陈述的条件或事件]”可被解释为意指“在确定...时”或“响应于确定...”或“在检测到[所陈述的条件或事件]时”或“响应于检测到[所陈述的条件或事件]”。It should also be understood that the term "if" may be interpreted to mean "when" or "upon" or "in response to determining" or "in response to detecting." Similarly, depending on the context, the phrases "if it is determined..." or "if a [statement or event] is detected" can be interpreted to mean "when determining..." or "in response to determining... ” or “on detection of [recited condition or event]” or “in response to detection of [recited condition or event]”.
以上描述,仅为本申请的具体实施方式,但本申请的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本申请揭露的技术范围内,可轻易想到各种等效的修改或替换,这些修改或替换都应涵盖在本申请的保护范围之内。因此,本申请的保护范围应以权利要求的保护范围为准。The above descriptions are only specific implementations of the present application, but the protection scope of the present application is not limited thereto. Any person skilled in the art can easily think of various equivalent modifications within the technical scope disclosed in the present application. or replacement, these modifications or replacements should be covered within the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
在上述实施例中,可以全部或部分地通过软件、硬件、固件或者其任意组合来实现。当使用软件实现时,可以全部或部分地以计算机程序产品的形式实现。该计算机程序产品包括一个或多个计算机程序指令。在计算机上加载和执行该计算机程序指令时,全部或部分地产生按照本申请实施例中的流程或功能。该计算机可以是通用计算机、专用计算机、计算机网络、或者其他可编程装置。In the above-mentioned embodiments, it may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, it can be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer program instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions according to the embodiments of the present application are generated in whole or in part. The computer may be a general purpose computer, special purpose computer, computer network, or other programmable device.
该计算机指令可以存储在计算机可读存储介质中,或者从一个计算机可读存储介质向另一个计算机可读存储介质传输,例如,该计算机程序指令可以从一个网站站点、计算机、服务器或数据中心通过有线或无线方式向另一个网站站点、计算机、服务器或数据中心进行传输。该计算机可读存储介质可以是计算机能够存取的任何可用介质或者是包含一个或多个可用介质集成的服务器、数据中心等数据存储设备。该可用介质可以是磁性介质(例如软盘、硬盘、磁带)、光介质(例如,数字视频光盘(digital video disc,DVD)、或者半导体介质(例如固态硬盘)等。The computer instructions may be stored in or transmitted from one computer readable storage medium to another computer readable storage medium, for example, the computer program instructions may be transmitted from a website site, computer, server or data center via Transmission by wire or wireless to another website site, computer, server or data center. The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that includes an integration of one or more available media. The available media may be magnetic media (eg, floppy disks, hard disks, magnetic tapes), optical media (eg, digital video discs (DVDs), or semiconductor media (eg, solid state drives), and the like.
本领域普通技术人员可以理解实现上述实施例的全部或部分步骤可以通过硬件来完成, 也可以通过程序来指令相关的硬件完成,该程序可以存储于一种计算机可读存储介质中,上述提到的存储介质可以是只读存储器,磁盘或光盘等。Those of ordinary skill in the art can understand that all or part of the steps of implementing the above embodiments can be completed by hardware, or can be completed by instructing relevant hardware through a program, and the program can be stored in a computer-readable storage medium. The storage medium can be read-only memory, magnetic disk or optical disk, etc.
以上,以上实施例仅用以说明本申请的技术方案,而非对其限制;尽管参照前述实施例对本申请进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本申请各实施例技术方案的范围。Above, the above embodiments are only used to illustrate the technical solutions of the present application, but not to limit them; although the present application has been described in detail with reference to the above-mentioned embodiments, those of ordinary skill in the art should understand that: it can still be used for the above-mentioned implementations The technical solutions described in the examples are modified, or some technical features thereof are equivalently replaced; and these modifications or replacements do not make the essence of the corresponding technical solutions deviate from the scope of the technical solutions of the embodiments of the present application.

Claims (24)

  1. A method for defending against a network attack, characterized in that it is applied to a CP device in a communication system in which the control plane (CP) and the user plane (UP) are separated, the communication system comprising the CP device and a UP device, and the method comprises:
    in response to a reception rate of dial-up packets satisfying an abnormal condition, the CP device generates a first control message, the first control message being used to instruct the UP device to carry a watermark when sending dial-up packets to the CP device;
    the CP device sends the first control message to the UP device;
    the CP device identifies an attack packet in a packet flow according to the watermark; and
    the CP device discards the attack packet.
  2. The method according to claim 1, characterized in that the watermark comprises a first virtual extensible local area network identifier (VNI), the packet flow comprises a first packet, and the CP device identifying an attack packet in the packet flow according to the watermark comprises:
    the CP device determines that the first packet is a non-attack packet based on the first packet comprising the first VNI.
  3. The method according to claim 1, characterized in that the watermark comprises a first random number, the packet flow comprises a second packet, and the CP device identifying an attack packet in the packet flow according to the watermark comprises:
    the CP device determines that the second packet is a non-attack packet based on the second packet comprising the first random number.
  4. The method according to claim 1, characterized in that the watermark comprises a first timestamp, the first timestamp being used to indicate a time point synchronized between the CP device and the UP device, the packet flow comprises a third packet, and the CP device identifying an attack packet in the packet flow according to the watermark comprises:
    the CP device determines that the third packet is a non-attack packet based on the third packet comprising the first timestamp.
  5. The method according to claim 1, characterized in that the watermark comprises a first message authentication code, the packet flow comprises a fourth packet, and the CP device identifying an attack packet in the packet flow according to the watermark comprises:
    the CP device determines that the fourth packet is a non-attack packet based on the fourth packet comprising the first message authentication code.
  6. The method according to any one of claims 1 to 5, characterized in that the first control message comprises the watermark; or the first control message comprises watermark type information corresponding to the watermark; or the first control message comprises parameters related to generating the watermark.
  7. The method according to any one of claims 1 to 6, characterized in that the first control message is a control and forwarding separation protocol (CUSP) packet, and the CUSP packet comprises a watermark type-length-value (TLV);
    wherein the watermark TLV is a TLV carrying the watermark; or the watermark TLV is a TLV carrying watermark type information corresponding to the watermark; or the watermark TLV is a TLV carrying parameters related to generating the watermark.
  8. The method according to any one of claims 1 to 6, characterized in that the first control message is a packet forwarding control protocol (PFCP) message, and the PFCP message comprises a watermark information element (IE);
    wherein the watermark IE is an IE carrying the watermark; or the watermark IE is an IE carrying watermark type information corresponding to the watermark; or the watermark IE is an IE carrying parameters related to generating the watermark.
  9. The method according to claim 8, characterized in that the first control message is a PFCP node message; or the first control message is a PFCP session message.
  10. The method according to any one of claims 1 to 9, characterized in that the packet flow comprises a fifth packet, and the CP device identifying an attack packet in the packet flow according to the watermark comprises:
    the CP device determines that the fifth packet is an attack packet based on the fifth packet not comprising the watermark.
  11. The method according to any one of claims 1 to 10, characterized in that after the CP device sends the first control message to the UP device, the method further comprises:
    in response to the reception rate of dial-up packets satisfying a normal condition, the CP device generates a second control message, the second control message being used to instruct the UP device to stop carrying the watermark when sending dial-up packets to the CP device;
    the CP device sends the second control message to the UP device.
  12. The method according to any one of claims 1 to 11, characterized in that the communication system is a broadband network gateway (BNG) system or a broadband remote access server (BRAS) system.
  13. A packet processing method, characterized in that it is applied to a UP device in a communication system in which the control plane (CP) and the user plane (UP) are separated, the communication system comprising a CP device and the UP device, and the method comprises:
    the UP device receives a first control message from the CP device, the first control message being used to instruct the UP device to carry a watermark when sending dial-up packets to the CP device;
    the UP device carries the watermark in a dial-up packet according to the first control message;
    the UP device sends the dial-up packet comprising the watermark to the CP device.
  14. The method according to claim 13, characterized in that after the UP device carries the watermark in the dial-up packet according to the first control message, the method further comprises:
    the UP device receives a second control message from the CP device, the second control message being used to instruct the UP device to stop carrying the watermark when sending dial-up packets to the CP device;
    the UP device sends, according to the second control message, a dial-up packet that does not comprise the watermark to the CP device.
  15. A control plane (CP) device, characterized in that the CP device is located in a communication system in which the CP and the user plane (UP) are separated, the communication system comprising the CP device and a UP device, and the CP device comprises:
    a processing unit, configured to generate a first control message in response to a reception rate of dial-up packets satisfying an abnormal condition, the first control message being used to instruct the UP device to carry a watermark when sending dial-up packets to the CP device;
    a sending unit, configured to send the first control message to the UP device;
    the processing unit being further configured to identify an attack packet in a packet flow according to the watermark; and
    the processing unit being further configured to discard the attack packet.
  16. The CP device according to claim 15, characterized in that the watermark comprises a first virtual extensible local area network identifier (VNI), the packet flow comprises a first packet, and the processing unit is configured to determine that the first packet is a non-attack packet based on the first packet comprising the first VNI.
  17. The CP device according to claim 15, characterized in that the watermark comprises a first random number, the packet flow comprises a second packet, and the processing unit is configured to determine that the second packet is a non-attack packet based on the second packet comprising the first random number.
  18. The CP device according to claim 15, characterized in that the watermark comprises a first timestamp, the first timestamp being used to indicate a time point synchronized between the CP device and the UP device, the packet flow comprises a third packet, and the processing unit is configured to determine that the third packet is a non-attack packet based on the third packet comprising the first timestamp.
  19. The CP device according to claim 15, characterized in that the watermark comprises a first message authentication code, the packet flow comprises a fourth packet, and the processing unit is configured to determine that the fourth packet is a non-attack packet based on the fourth packet comprising the first message authentication code.
  20. The CP device according to any one of claims 15 to 19, characterized in that the processing unit is further configured to generate a second control message in response to the reception rate of dial-up packets satisfying a normal condition, the second control message being used to instruct the UP device to stop carrying the watermark when sending dial-up packets to the CP device;
    the sending unit being further configured to send the second control message to the UP device.
  21. The CP device according to any one of claims 15 to 20, characterized in that the packet flow comprises a fifth packet, and the processing unit is configured to determine that the fifth packet is an attack packet based on the fifth packet not comprising the watermark.
  22. A user plane (UP) device, characterized in that the UP device is located in a communication system in which the control plane (CP) and the UP are separated, the communication system comprising a CP device and the UP device, and the UP device comprises:
    a receiving unit, configured to receive a first control message from the CP device, the first control message being used to instruct the UP device to carry a watermark when sending dial-up packets to the CP device;
    a processing unit, configured to carry the watermark in a dial-up packet according to the first control message;
    a sending unit, configured to send the dial-up packet comprising the watermark to the CP device.
  23. The UP device according to claim 22, characterized in that the receiving unit is further configured to receive a second control message from the CP device, the second control message being used to instruct the UP device to stop carrying the watermark when sending dial-up packets to the CP device;
    the sending unit being further configured to send, according to the second control message, a dial-up packet that does not comprise the watermark to the CP device.
  24. A communication system in which the control plane (CP) and the user plane (UP) are separated, characterized in that the system comprises the CP device according to any one of claims 15 to 21 and the UP device according to any one of claims 22 to 23.
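The rate-triggered watermark handshake of claims 1, 10, 11, 13 and 14, as an added Python simulation that is not part of the patent or of any vendor implementation: the CP turns watermarking on when the dial-up rate meets the abnormal condition, drops packets that arrive without a valid watermark, and turns it off again once the rate meets the normal condition. The thresholds, the dataclasses standing in for the CUSP TLV / PFCP IE carrier, and the random-number and HMAC-SHA256 watermark constructions are all assumptions.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ControlMessage:
    """Constructed stand-in for the first/second control message (a CUSP TLV or PFCP IE in the patent)."""
    carry_watermark: bool                  # True: first control message; False: second control message
    watermark_type: Optional[str] = None   # "nonce" (first random number) or "mac" (first message authentication code)
    params: dict = field(default_factory=dict)  # parameters related to generating the watermark

@dataclass
class DialPacket:
    """Constructed dial-up packet; only the watermark field matters to the CP filter."""
    subscriber: str
    payload: bytes
    watermark: Optional[bytes] = None

def compute_watermark(wm_type: str, params: dict, payload: bytes) -> bytes:
    """Derive the watermark the UP must carry (assumed constructions, not the patent's)."""
    if wm_type == "nonce":                # shared random number, identical on every packet
        return params["nonce"]
    if wm_type == "mac":                  # per-packet HMAC-SHA256 over the payload, truncated to 8 bytes
        return hmac.new(params["key"], payload, hashlib.sha256).digest()[:8]
    raise ValueError(f"unknown watermark type {wm_type!r}")

class UPDevice:
    """User plane: carries the watermark only while the CP has asked for it (claims 13 and 14)."""
    def __init__(self) -> None:
        self.wm_type: Optional[str] = None
        self.params: dict = {}

    def on_control_message(self, msg: ControlMessage) -> None:
        if msg.carry_watermark:           # first control message: start watermarking
            self.wm_type, self.params = msg.watermark_type, dict(msg.params)
        else:                             # second control message: stop watermarking
            self.wm_type, self.params = None, {}

    def send_dial(self, subscriber: str, payload: bytes) -> DialPacket:
        pkt = DialPacket(subscriber, payload)
        if self.wm_type is not None:
            pkt.watermark = compute_watermark(self.wm_type, self.params, payload)
        return pkt

class CPDevice:
    """Control plane: dial-up rate monitor plus watermark-based attack packet filter (claims 1, 10, 11)."""
    def __init__(self, abnormal_pps: int, normal_pps: int, wm_type: str = "mac") -> None:
        assert normal_pps < abnormal_pps  # hysteresis between the two conditions so the CP does not flap
        self.abnormal_pps, self.normal_pps, self.wm_type = abnormal_pps, normal_pps, wm_type
        self.active: Optional[tuple] = None  # (type, params) while watermarking is switched on

    def observe_rate(self, dial_pps: int) -> Optional[ControlMessage]:
        """Return the control message to send when the dial-up rate crosses a condition, else None."""
        if self.active is None and dial_pps >= self.abnormal_pps:     # abnormal condition
            params = ({"key": secrets.token_bytes(16)} if self.wm_type == "mac"
                      else {"nonce": secrets.token_bytes(4)})
            self.active = (self.wm_type, params)
            return ControlMessage(True, self.wm_type, params)
        if self.active is not None and dial_pps <= self.normal_pps:   # normal condition
            self.active = None
            return ControlMessage(False)
        return None

    def classify(self, pkt: DialPacket) -> str:
        """'accept' for a non-attack packet, 'drop' for an attack packet lacking a valid watermark."""
        if self.active is None:
            return "accept"
        expected = compute_watermark(self.active[0], self.active[1], pkt.payload)
        if pkt.watermark is not None and hmac.compare_digest(pkt.watermark, expected):
            return "accept"
        return "drop"

def run_scenario(wm_type: str = "mac") -> list:
    """Quiet -> flood -> quiet again; returns the CP verdict for each packet it sees."""
    cp, up = CPDevice(abnormal_pps=1000, normal_pps=200, wm_type=wm_type), UPDevice()
    verdicts = []
    assert cp.observe_rate(50) is None                                    # quiet: no control message
    verdicts.append(cp.classify(up.send_dial("sub-1", b"PADI")))          # accept
    up.on_control_message(cp.observe_rate(5000))                          # flood: first control message
    verdicts.append(cp.classify(up.send_dial("sub-1", b"PADI")))          # accept: watermark present
    verdicts.append(cp.classify(DialPacket("spoof", b"PADI")))            # drop: constructed packet, no watermark
    verdicts.append(cp.classify(DialPacket("spoof", b"PADI", bytes(8))))  # drop: wrong watermark
    up.on_control_message(cp.observe_rate(100))                           # calm: second control message
    verdicts.append(cp.classify(up.send_dial("sub-1", b"PADI")))          # accept: watermark no longer required
    return verdicts
```

The nonce variant accepts any packet carrying the shared value, so it only filters senders that never received the control message; the MAC variant additionally binds the watermark to the packet contents.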
PCT/CN2021/099503 2020-08-11 2021-06-10 Network attack defense method, and cp device and up device WO2022033157A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010803044.3A CN114079572A (en) 2020-08-11 2020-08-11 Network attack defense method, CP device and UP device
CN202010803044.3 2020-08-11

Publications (1)

Publication Number Publication Date
WO2022033157A1 true WO2022033157A1 (en) 2022-02-17

Family

ID=80246909

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/099503 WO2022033157A1 (en) 2020-08-11 2021-06-10 Network attack defense method, and cp device and up device

Country Status (2)

Country Link
CN (1) CN114079572A (en)
WO (1) WO2022033157A1 (en)

Legal Events

Date Code Title Description
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 21855213
Country of ref document: EP
Kind code of ref document: A1