CN105991637B - Network attack defence method and device - Google Patents
Network attack defence method and device
Publication number: CN105991637B (application number CN201510330425.3A; also cited as CN201510330425A and CN 105991637 B)
Authority: CN (China)
Prior art keywords: message, flow, attack, network device, session characteristics
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (CPC, all under H04L - Transmission of digital information, e.g. telegraphic communication)
- H04L63/0245 - Filtering by information in the payload (under H04L63/02, network security architectures or protocols for separating internal from external traffic, e.g. firewalls, and H04L63/0227, filtering policies)
- H04L47/12 - Avoiding congestion; recovering from congestion (under H04L47/10, flow control and congestion control in data switching networks)
- H04L63/14 - Network architectures or protocols for detecting or protecting against malicious traffic
- H04L63/1458 - Denial of service (under H04L63/1441, countermeasures against malicious traffic)
Abstract
The present invention provides a network attack defence method and device, applied to a flow cleaning device. The method includes: receiving a first filter notification sent by a flow detection device, the first filter notification carrying the session characteristics of first-class attack messages, a first-class attack message being a message whose traffic exceeds a first threshold; and instructing an upstream network device to filter first-class target messages that match the session characteristics, where messages reach the ingress network device through the upstream network device. With the embodiments of the present invention, attack messages of a specified type can be filtered by session characteristics, which improves filtering accuracy, and attack messages are filtered at the upstream network device so that they never reach the ingress network device. Ingress bandwidth congestion is thereby avoided, the server's external service is not interrupted, and user experience is improved.
Description
Technical field
The present invention relates to network security technology, and in particular to a method and device for defending against network attacks.
Background art
DoS (Denial of Service) attacks exhaust a system's network resources with a flood of service requests so that the network can no longer handle legitimate messages. With the rise of botnets, and because DoS is simple to carry out, wide in impact and hard to trace, DDoS (Distributed Denial of Service) has grown rapidly and spread unchecked: a botnet of thousands of hosts supplies the bandwidth and hosts a DDoS attack needs, generating large volumes of attack messages and causing serious harm to the network.
To reduce the harm of DDoS-type attacks, the related art deploys a dedicated flow cleaning device inline with, or as a bypass of, the network's ingress network device (for example an ingress router or switch) to filter attack messages. However, such cleaning schemes all filter attack messages at the ingress network device. When the attack traffic is below the ingress bandwidth, cleaning works well; but once the attack traffic reaches or exceeds the ingress bandwidth, the ingress link is severely congested and the flow cleaning device alone can no longer clean the attack traffic effectively. The ingress remains congested, the server's external service is eventually interrupted, and user experience suffers.
Summary of the invention
In view of this, the present invention provides a network attack defence method and device, to solve the problem that when the attack traffic is greater than or equal to the ingress bandwidth, severe ingress congestion interrupts the server's external service, and to improve user experience.
Specifically, the present invention is achieved through the following technical solutions.
The present invention provides a network attack defence method, applied to a flow cleaning device, the method including:
receiving a first filter notification sent by a flow detection device, the first filter notification carrying the session characteristics of first-class attack messages, a first-class attack message being a message whose traffic exceeds a first threshold;
instructing an upstream network device to filter first-class target messages that match the session characteristics, where messages reach the ingress network device through the upstream network device.
The present invention provides another network attack defence method, applied to a flow detection device, the method including:
detecting, according to the session characteristics of messages, the traffic of each class of message sent to the ingress network device;
when the traffic of any class of message exceeds the first threshold, confirming that the class is first-class attack messages;
sending a first filter notification to the flow cleaning device, the first filter notification carrying the session characteristics of the first-class attack messages, so that the flow cleaning device instructs the upstream network device to filter first-class target messages matching the session characteristics, where messages reach the ingress network device through the upstream network device.
The present invention also provides a network attack defence device, applied to a flow cleaning device, the device including:
a receiving unit, for receiving the first filter notification sent by the flow detection device, the first filter notification carrying the session characteristics of first-class attack messages, a first-class attack message being a message whose traffic exceeds the first threshold;
an execution unit, for instructing the upstream network device to filter first-class target messages matching the session characteristics, where messages reach the ingress network device through the upstream network device.
The present invention also provides another network attack defence device, applied to a flow detection device, the device including:
a detection unit, for detecting, according to the session characteristics of messages, the traffic of each class of message sent to the ingress network device;
a confirmation unit, for confirming, when the traffic of any class of message exceeds the first threshold, that the class is first-class attack messages;
a transmission unit, for sending a first filter notification to the flow cleaning device, the first filter notification carrying the session characteristics of the first-class attack messages, so that the flow cleaning device instructs the upstream network device to filter first-class target messages matching the session characteristics, where messages reach the ingress network device through the upstream network device.
With the embodiments of the present invention, attack messages of a specified type can be filtered by session characteristics, which improves filtering accuracy, and attack messages are filtered at the upstream network device so that they never reach the ingress network device. Ingress bandwidth congestion is thereby avoided, the server's external service is not interrupted, and user experience is improved.
Brief description of the drawings
Fig. 1 is a flow diagram of a network attack defence method shown in an exemplary embodiment of the invention;
Fig. 2 is a flow diagram of another network attack defence method shown in an exemplary embodiment of the invention;
Fig. 3 is a flow diagram of another network attack defence method shown in an exemplary embodiment of the invention;
Fig. 4 is a schematic diagram of an application scenario of the embodiment shown in Fig. 3;
Fig. 5 is a flow diagram of another network attack defence method shown in an exemplary embodiment of the invention;
Fig. 6 is a schematic diagram of an application scenario of the embodiment shown in Fig. 5;
Fig. 7 is a schematic diagram of the hardware structure of a network attack defence device shown in an exemplary embodiment of the invention;
Fig. 8 is a structural block diagram of a network attack defence device shown in an exemplary embodiment of the invention;
Fig. 9 is a structural block diagram of another network attack defence device shown in an exemplary embodiment of the invention.
Detailed description
Exemplary embodiments are described in detail here, and examples of them are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention; they are merely examples of devices and methods consistent with some aspects of the invention as detailed in the appended claims.
The terminology used in the present invention is for the purpose of describing particular embodiments only and is not intended to limit the invention. The singular forms "a", "said" and "the" used in the present invention and the appended claims are intended to include the plural forms as well, unless the context clearly indicates otherwise. The term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
Although the terms first, second, third and so on may be used in the present invention to describe various information, such information should not be limited by these terms; the terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the invention, first information may also be called second information, and similarly second information may be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
In the embodiments of the present invention, messages in the network flow through an upstream network device before reaching the ingress network device. The flow detection device detects, in real time and by session characteristics, the traffic of the messages sent to the ingress network device; when the traffic of any class of message exceeds a first threshold it confirms that the class is first-class attack messages and sends a first filter notification, carrying the session characteristics of the first-class attack messages, to the flow cleaning device. On receiving the first filter notification, the flow cleaning device uses the session characteristics in it to instruct the upstream network device to filter first-class target messages matching those characteristics, so that such messages are prevented from entering the ingress network device, ingress bandwidth congestion is effectively avoided, and the server's external service is not interrupted.
The network attack defence method and device provided by the invention are described in detail below with reference to Figs. 1 to 9.
Fig. 1 is a flow diagram of a network attack defence method shown in an exemplary embodiment of the invention. As shown in Fig. 1, the method is applied to a flow cleaning device and includes the following steps:
Step 101: receive the first filter notification sent by the flow detection device, where the first filter notification carries the session characteristics of first-class attack messages, a first-class attack message being a message whose traffic exceeds the first threshold.
In this step, the session characteristics comprise one or more fields of the message five-tuple. For example, they include, but are not limited to, the source IP address, the destination IP address, the combination of source IP address and source port, or the combination of destination IP address and destination port.
Step 102: instruct the upstream network device to filter first-class target messages matching the session characteristics, where messages reach the ingress network device through the upstream network device.
In this step, according to an optional embodiment of the invention, when the upstream network device exposes an ACL (Access Control List) interface, the flow cleaning device can generate a first ACL command from the session characteristics of the received first-class attack messages and send it to the upstream network device through that interface. On receiving the first ACL command, the upstream network device adds the mapping from session characteristics to processing mode (for example, filter) to its local ACL entries; whenever the session characteristics of a message flowing through the upstream network device match an ACL entry, the device filters the message. For example, if the flow cleaning device generates the first ACL command from destination IP address 1.1.1.1, the upstream network device generates the entry shown in Table 1:
Table 1
Destination IP address | Processing mode
1.1.1.1 | Filter
According to the entry in Table 1, when the upstream network device receives messages whose destination IP address is 1.1.1.1, it filters them according to the ACL entry, so that they never reach the ingress network device and ingress bandwidth congestion is avoided.
After the upstream network device has filtered messages matching the session characteristics for a period of time, the traffic of the first-class attack messages may fall and no longer be able to congest the ingress bandwidth, in which case filtering of that class can stop. A first preset time may therefore be configured: after the flow cleaning device sends the first ACL command to the upstream network device, it starts a timer, and when the timer reaches the first preset time it sends a second ACL command to the upstream network device instructing it to stop filtering first-class target messages matching the session characteristics. Specifically, the second ACL command may carry the session characteristics of the first-class attack messages for which filtering is to stop; on receiving it, the upstream network device deletes the ACL entry matching those session characteristics and thereby stops filtering the corresponding messages.
The invention also provides another preferred embodiment. Specifically, when the flow detection device determines that the current traffic of the class of messages matching the session characteristics has fallen below the first threshold, it may send an elimination notification to the flow cleaning device; the flow cleaning device then generates a third ACL command from the elimination notification and sends it to the upstream network device, instructing it to stop filtering messages matching the session characteristics. The upstream network device may handle the third ACL command in the same way as the second ACL command described above, which is not repeated here.
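The ACL interaction of step 102, together with the first preset time and the elimination notification, as an added worked example. This is illustrative Python written for this page, not code from the patent or from any vendor's equipment: the `UpstreamDevice` and `CleaningDeviceAcl` classes, the `first_acl_order`/`second_acl_order` method names, the packet-as-dict representation and the caller-supplied timestamps are all assumptions. A session characteristic is any non-empty subset of the five-tuple, and an ACL entry matches a packet only when every field the entry names is equal, which is what lets one entry cover "destination 1.1.1.1" or "destination 1.1.1.1 and port 53" alike.

```python
"""Simulated ACL-based upstream filtering driven by a flow cleaning device.

Added example for this page, not code from the patent. Timestamps are
plain floats supplied by the caller so that the first-preset-time timer
can be exercised deterministically; a real device would read a clock.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FIVE_TUPLE = ("src_ip", "dst_ip", "src_port", "dst_port", "proto")
# Canonical form of a session characteristic: sorted (field, value) pairs.
Features = Tuple[Tuple[str, object], ...]


def canon(features: Dict[str, object]) -> Features:
    """Validate a session characteristic and turn it into a hashable ACL key."""
    unknown = set(features) - set(FIVE_TUPLE)
    if unknown:
        raise ValueError(f"not five-tuple fields: {sorted(unknown)}")
    if not features:
        # An empty characteristic would match every packet: refuse it.
        raise ValueError("empty session characteristic")
    return tuple(sorted(features.items()))


@dataclass
class UpstreamDevice:
    """Local ACL table: session characteristic -> processing mode (cf. Table 1)."""
    acl: Dict[Features, str] = field(default_factory=dict)

    def first_acl_order(self, features: Dict[str, object]) -> None:
        # First ACL command: install a 'filter' entry for the characteristic.
        self.acl[canon(features)] = "filter"

    def second_acl_order(self, features: Dict[str, object]) -> bool:
        # Second (or third) ACL command: delete the entry; False if it was absent.
        return self.acl.pop(canon(features), None) is not None

    def matching_entry(self, packet: Dict[str, object]) -> Optional[Features]:
        for key, mode in self.acl.items():
            # Partial five-tuple match: every field the entry names must be equal.
            if mode == "filter" and all(packet.get(fld) == val for fld, val in key):
                return key
        return None

    def forward(self, packet: Dict[str, object]) -> str:
        """What the upstream device does with one packet: DROP or FORWARD."""
        return "DROP" if self.matching_entry(packet) is not None else "FORWARD"


class CleaningDeviceAcl:
    """Flow cleaning device side: notifications in, ACL commands out."""

    def __init__(self, upstream: UpstreamDevice, first_preset_time: float) -> None:
        self.upstream = upstream
        self.hold = first_preset_time
        self.timers: Dict[Features, float] = {}   # entry -> time the second ACL command is due

    def on_first_filter_notify(self, features: Dict[str, object], now: float) -> None:
        self.upstream.first_acl_order(features)
        self.timers[canon(features)] = now + self.hold   # start the first-preset-time timer

    def on_elimination_notice(self, features: Dict[str, object]) -> bool:
        # Third ACL command: the detector reports traffic below the first threshold.
        self.timers.pop(canon(features), None)
        return self.upstream.second_acl_order(features)

    def tick(self, now: float) -> List[Features]:
        """Timer check: send the second ACL command for entries whose hold time elapsed."""
        due = [key for key, until in self.timers.items() if now >= until]
        for key in due:
            del self.timers[key]
            self.upstream.second_acl_order(dict(key))
        return due


def pkt(src_ip: str, dst_ip: str, src_port: int, dst_port: int, proto: str = "udp") -> Dict[str, object]:
    """Constructed packet header for the demonstration (no real capture)."""
    return {"src_ip": src_ip, "dst_ip": dst_ip, "src_port": src_port, "dst_port": dst_port, "proto": proto}


if __name__ == "__main__":
    up = UpstreamDevice()
    cleaner = CleaningDeviceAcl(up, first_preset_time=300.0)
    cleaner.on_first_filter_notify({"dst_ip": "1.1.1.1", "dst_port": 53}, now=0.0)
    print(up.forward(pkt("198.51.100.9", "1.1.1.1", 4444, 53)))   # DROP
    print(up.forward(pkt("198.51.100.9", "1.1.1.1", 4444, 80)))   # FORWARD
    print(cleaner.tick(300.0), up.forward(pkt("198.51.100.9", "1.1.1.1", 4444, 53)))  # entry withdrawn
```

Two points the simulation makes visible. An entry keyed on the destination address alone, as in Table 1, also drops legitimate traffic to that server, so the more five-tuple fields the notification carries, the less collateral damage the upstream filter causes. And the first preset time is a safety net, not a measurement: if the attack is still running when the timer fires, the detector will cross the first threshold again and re-issue the first filter notification, so the hold time should be long enough that this flapping does not itself load the ACL interface.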
According to another optional embodiment of the invention, first-class target messages matching the session characteristics may instead be filtered by means of a black hole router. Specifically, the flow cleaning device can generate dynamic routing information based on the session characteristics, in which the next hop for first-class target messages matching the session characteristics is the black hole router, and send this routing information to the upstream network device. The upstream network device adds it to its local routing table; when it receives a first-class target message it forwards the message along the black hole route, and the black hole router discards it. It should be noted that when the upstream network device does not provide a corresponding API (Application Programming Interface), the flow cleaning device can pass the dynamic routing information to the upstream network device via the black hole router; otherwise it can send the dynamic routing information to the upstream network device directly through the API.
Further, a second preset time may be configured in the flow cleaning device. After sending the dynamic routing information to the upstream network device, the flow cleaning device starts a timer; when the timer reaches the second preset time it sends a route deletion notification to the upstream network device, which on receipt deletes the route entry from its local routing table and thereby stops filtering first-class attack messages. Through this preferred embodiment the next hop for messages sent to the ingress network device reverts to the destination device or destination server of those messages.
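The black hole variant of step 102 and its second preset time, as an added worked example in Python. This is illustrative code for this page, not code from the patent: the `UpstreamRouter` and `CleaningDeviceBlackhole` classes, the `blackhole` next-hop name and the caller-supplied timestamps are assumptions, and the route-injection channel (API or announcement via the black hole router) is collapsed into a direct method call. The router does longest-prefix matching, which is what makes the injected host route win over the server's normal route and then disappear cleanly when the route deletion notification withdraws it.

```python
"""Simulated black hole routing: the upstream router forwards by destination
prefix; the cleaning device injects, and later withdraws, a host route whose
next hop is the black hole.

Added example for this page, not code from the patent.
"""
import ipaddress
from typing import Dict, List, Optional

BLACKHOLE = "blackhole"   # assumed name for the black hole next hop
IPv4Net = ipaddress.IPv4Network


class UpstreamRouter:
    """Longest-prefix-match forwarding table: prefix -> next hop."""

    def __init__(self) -> None:
        self.routes: Dict[IPv4Net, str] = {}

    def add_route(self, prefix: str, next_hop: str) -> None:
        self.routes[ipaddress.IPv4Network(prefix, strict=True)] = next_hop

    def delete_route(self, prefix: str) -> bool:
        return self.routes.pop(ipaddress.IPv4Network(prefix, strict=True), None) is not None

    def lookup(self, dst_ip: str) -> Optional[str]:
        addr = ipaddress.IPv4Address(dst_ip)
        best: Optional[IPv4Net] = None
        for net in self.routes:
            if addr in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        return None if best is None else self.routes[best]

    def forward(self, dst_ip: str) -> str:
        """DROP when the best route points at the black hole, else the real next hop."""
        next_hop = self.lookup(dst_ip)
        if next_hop is None:
            return "NO_ROUTE"
        return "DROP" if next_hop == BLACKHOLE else "FORWARD via " + next_hop


class CleaningDeviceBlackhole:
    """Flow cleaning device side of the black hole variant of step 102."""

    def __init__(self, router: UpstreamRouter, second_preset_time: float) -> None:
        self.router = router
        self.hold = second_preset_time
        self.pending: Dict[str, float] = {}   # injected prefix -> time to withdraw it

    def on_first_filter_notify(self, dst_ip: str, now: float) -> str:
        # A route can only express the destination-address part of a session
        # characteristic, so the injected entry is a /32 for the attacked host.
        prefix = str(ipaddress.IPv4Network(dst_ip + "/32"))
        self.router.add_route(prefix, BLACKHOLE)
        self.pending[prefix] = now + self.hold   # start the second-preset-time timer
        return prefix

    def tick(self, now: float) -> List[str]:
        """Route deletion notifications for prefixes whose second preset time elapsed."""
        due = sorted(p for p, until in self.pending.items() if now >= until)
        for prefix in due:
            del self.pending[prefix]
            self.router.delete_route(prefix)
        return due


if __name__ == "__main__":
    router = UpstreamRouter()
    router.add_route("1.1.1.0/24", "192.0.2.1")      # constructed: the ingress device's prefix
    cleaner = CleaningDeviceBlackhole(router, second_preset_time=600.0)
    cleaner.on_first_filter_notify("1.1.1.1", now=0.0)
    print(router.forward("1.1.1.1"), router.forward("1.1.1.2"))   # DROP FORWARD via 192.0.2.1
    print(cleaner.tick(600.0), router.forward("1.1.1.1"))          # ['1.1.1.1/32'] FORWARD via 192.0.2.1
```

The caveat this makes concrete: a route matches on destination only, so the black hole swallows every packet addressed to 1.1.1.1, legitimate clients included, and a session characteristic such as "destination 1.1.1.1 and port 53" cannot be expressed at all. That is why the page treats it as the fallback for upstream devices without an ACL or API interface rather than as the primary mechanism, and why the second preset time matters more here than in the ACL case.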
Based on the above embodiments, if the flow detection device detects that the traffic of any class of message is below the first threshold but above a second threshold, it can confirm that the class is second-class attack messages and send a second filter notification, carrying the session characteristics of the second-class attack messages, to the flow cleaning device. On receiving the second filter notification, the flow cleaning device filters such messages itself, according to default filtering rules, based on the session characteristics in the notification. The default filtering rules include, but are not limited to, rate limiting, TCP state protection, black and white lists, application layer protection and fingerprint recognition. Taking fingerprint recognition as an example: after receiving messages, the flow cleaning device extracts their length fields, stores the lengths in discretized form, periodically counts the lengths of the messages currently sent to the ingress network device and builds a distribution model. When the ingress network device is under a second-class attack, the distribution of the fingerprint characteristic of the attack messages fluctuates beyond the allowed offset of the distribution model, and the messages can then be filtered by this fingerprint characteristic. For details, refer to the related art; they are not elaborated here one by one.
Through the above embodiments, the upstream network device filters messages of a specified type by matching session characteristics, which improves the filtering accuracy for attack messages; moreover, attack messages matching the session characteristics are discarded before they reach the ingress network device, ensuring that the ingress bandwidth is not congested.
Fig. 2 is a flow diagram of another network attack defence method shown in an exemplary embodiment of the invention. As shown in Fig. 2, the method is applied to a flow detection device and includes the following steps:
Step 201: detect, according to the session characteristics of messages, the traffic of each class of message sent to the ingress network device.
In this step, the session characteristics comprise one or more fields of the message five-tuple; for example, they may include, but are not limited to, the source IP address, the destination IP address, the combination of source IP address and source port, or the combination of destination IP address and destination port.
The flow detection device can obtain the messages sent to the ingress network device by port mirroring or optical splitting, and can detect their session characteristics by, but not limited to, DPI (Deep Packet Inspection) or DFI (Deep/Dynamic Flow Inspection) technology. It classifies the messages by the session characteristics so detected and counts the traffic of each class.
Step 202: when the traffic of any class of message exceeds the first threshold, confirm that the class is first-class attack messages.
A user or network administrator can pre-configure the first threshold in the flow detection device according to the historical traffic of each class of message. For example, the user configures a first threshold of 4 GB for the combination of destination IP address 1.1.1.1 and destination port 53; when the flow detection device counts a sudden rise to 5 GB in the traffic of messages with destination IP address 1.1.1.1 and destination port 53, which exceeds the 4 GB first threshold, it confirms that these messages are first-class attack messages.
Step 203: send a first filter notification to the flow cleaning device, the first filter notification carrying the session characteristics of the first-class attack messages, so that the flow cleaning device instructs the upstream network device to filter first-class target messages matching the session characteristics, where messages reach the ingress network device through the upstream network device.
In step 203, continuing with the combination of destination port 53 and destination IP address 1.1.1.1, the flow detection device sends destination port 53 and destination IP address 1.1.1.1 to the flow cleaning device in the first filter notification, so that the flow cleaning device generates the first ACL command from the notification and instructs the upstream network device to discard or filter all messages with destination port 53 and destination IP address 1.1.1.1, preventing such messages from entering the ingress network device and congesting the ingress bandwidth.
Further, when the traffic of the first-class attack messages falls below the first threshold, the flow detection device can send an elimination notification to the flow cleaning device so that the flow cleaning device instructs the upstream network device to stop filtering such messages; see step 102 of Fig. 1 for details, which are not repeated here.
Further, when the flow detection device detects that the traffic of any class of message is below the first threshold but above the second threshold, it can confirm that the class is second-class attack messages and send a second filter notification, which may carry the session characteristics of the second-class attack messages, to the flow cleaning device, so that the flow cleaning device filters such messages according to those session characteristics. For example, the user configures two thresholds for the combination of destination port 53 and destination IP address 1.1.1.1, a first threshold of 4 GB and a second threshold of 2 GB; when the flow detection device measures 3 GB of traffic for this combination, it sends destination port 53 and destination IP address 1.1.1.1 to the flow cleaning device in the second filter notification, so that the flow cleaning device filters messages with destination port 53 and destination IP address 1.1.1.1 according to the default filtering rules. The default filtering rules are described in detail in the embodiment of Fig. 1 and are not repeated here.
With the above embodiment, messages can be classified by session characteristics and the traffic of each class counted, so that attack messages are located precisely and their session characteristics sent to the flow cleaning device, improving the filtering accuracy for attack messages.
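The detection side of Fig. 2 (steps 201 to 203, the elimination notification and the second threshold) as an added worked example in Python; this is illustrative code for this page, not code from the patent. It carries the page's own scenario through three detection periods for destination 1.1.1.1:53 at 5 GB, 3 GB and 1 GB. Thresholds are in bytes per period because the page gives 4 GB and 2 GB without stating a period length; the `FlowDetector` class, the notification tuples, the per-class level state and the constructed packets are assumptions. Two observations of the same class in one period are coalesced with a `count` argument rather than by iterating millions of packets.

```python
"""Simulated flow detection device: classify packets by session characteristic,
count each class's traffic per detection period, and emit the first filter,
second filter and elimination notifications.

Added example for this page, not code from the patent.
"""
from typing import Dict, List, Tuple

Features = Tuple[Tuple[str, object], ...]      # canonical session characteristic
Notification = Tuple[str, Dict[str, object]]   # (kind, session characteristic)


def canon(features: Dict[str, object]) -> Features:
    return tuple(sorted(features.items()))


class FlowDetector:
    def __init__(self, thresholds: Dict[Features, Tuple[int, int]]) -> None:
        # thresholds[class] = (first_threshold, second_threshold) in bytes per period
        for key, (first, second) in thresholds.items():
            if not first > second > 0:
                raise ValueError(f"thresholds must satisfy first > second > 0: {key}")
        self.thresholds = thresholds
        self.volume: Dict[Features, int] = {k: 0 for k in thresholds}
        # 0 = normal, 1 = second-class attack, 2 = first-class attack
        self.level: Dict[Features, int] = {k: 0 for k in thresholds}

    def observe(self, packet: Dict[str, object], count: int = 1) -> None:
        """Step 201: add a packet (or `count` identical packets) to every class it matches."""
        for key in self.thresholds:
            if all(packet.get(fld) == val for fld, val in key):
                self.volume[key] += int(packet["len"]) * count

    @staticmethod
    def classify(volume: int, first: int, second: int) -> int:
        """Step 202: strictly greater than the first threshold is first-class;
        below it but above the second threshold is second-class."""
        if volume > first:
            return 2
        if volume > second:
            return 1
        return 0

    def end_period(self) -> List[Notification]:
        """Step 203: evaluate every class, emit notifications on level changes, reset counters."""
        out: List[Notification] = []
        for key, (first, second) in self.thresholds.items():
            new, old = self.classify(self.volume[key], first, second), self.level[key]
            feats = dict(key)
            if old == 2 and new < 2:
                out.append(("elimination", feats))     # stop the upstream filter
            if new == 2 and old != 2:
                out.append(("first_filter", feats))    # upstream ACL or black hole
            elif new == 1 and old != 1:
                out.append(("second_filter", feats))   # cleaning device's default rules
            self.level[key] = new
            self.volume[key] = 0
        return out


GB = 10 ** 9


def demo() -> List[List[Notification]]:
    """Three periods for the page's destination 1.1.1.1:53 example: 5 GB, 3 GB, 1 GB."""
    cls = canon({"dst_ip": "1.1.1.1", "dst_port": 53})
    det = FlowDetector({cls: (4 * GB, 2 * GB)})
    # Constructed headers; 'len' is the message length in bytes.
    dns = {"src_ip": "198.51.100.9", "dst_ip": "1.1.1.1", "src_port": 40000, "dst_port": 53, "proto": "udp", "len": 1000}
    web = {"src_ip": "198.51.100.9", "dst_ip": "1.1.1.1", "src_port": 40001, "dst_port": 80, "proto": "tcp", "len": 1000}
    results = []
    for period_bytes in (5 * GB, 3 * GB, 1 * GB):
        det.observe(dns, count=period_bytes // dns["len"])   # the class under test
        det.observe(web, count=10_000)                       # same host, other port: not counted
        results.append(det.end_period())
    return results


if __name__ == "__main__":
    for i, notes in enumerate(demo(), 1):
        print(f"period {i}: {notes}")
```

Period one crosses the first threshold and produces the first filter notification; period two, at 3 GB, produces the elimination notification (upstream filtering stops) and, in the same evaluation, the second filter notification (the cleaning device takes over); period three produces nothing, since the page defines no notification for a class returning to normal. A practical caveat for choosing classes: DDoS sources are commonly spoofed, so a class keyed on source address fragments the attack volume across forged addresses and may never cross a threshold, whereas classes keyed on the destination address and port, as in the page's example, stay meaningful.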
Fig. 3 is a flow diagram of another network attack defence method shown in an exemplary embodiment of the invention. As shown in Fig. 3, this embodiment describes in detail the network attack defence method of one embodiment of the invention through the interaction among the flow detection device, the flow cleaning device and the upstream network device:
Step 301: the flow detection device obtains the messages sent to the ingress network device.
Step 302: the flow detection device detects the traffic of each class of message according to the session characteristics of the messages.
Step 303: when the traffic of any class of message exceeds the first threshold, confirm that the class is first-class attack messages.
Step 304: the flow detection device sends a first filter notification, carrying the session characteristics of the first-class attack messages, to the flow cleaning device.
Step 305: the flow cleaning device receives the first filter notification sent by the flow detection device.
Step 306: the flow cleaning device generates the first ACL command from the session characteristics.
Step 307: the flow cleaning device sends the first ACL command to the upstream network device.
Step 308: the upstream network device receives the first ACL command.
Step 309: the upstream network device generates an ACL entry from the first ACL command.
Step 310: when the upstream network device receives a message, it judges whether the session characteristics of the message match the ACL entry; if so, step 311 is executed.
Step 311: the upstream network device filters the message matching the session characteristics according to the ACL entry.
Fig. 4 is a schematic diagram of an application scenario of the embodiment shown in Fig. 3. As shown in Fig. 4, the scenario comprises an upstream network device, an ingress network device, a flow detection device and a flow cleaning device; messages are sent to the ingress network device through the upstream network device and enter the protected network via the ingress network device. In the embodiment of the invention, the flow detection device obtains the messages sent to the ingress network device by mirroring or optical splitting and can detect their session characteristics by DPI or similar technology, so as to classify the messages and count the traffic of each class. When the flow detection device detects that the traffic of any class exceeds the first threshold, it confirms that the class is first-class attack messages and sends a first filter notification to the flow cleaning device. On receiving the first filter notification, the flow cleaning device generates a first ACL command from the session characteristics in it and sends the command to the upstream network device, which generates an ACL entry from the command. Thereafter, whenever the session characteristics of a message match the ACL entry, the upstream network device filters the message, preventing it from reaching the ingress network device, avoiding severe congestion of the ingress network device, ensuring that the server's external service is not interrupted, and improving user experience.
Fig. 5 is a flow diagram of a method for defending against a network attack according to another exemplary embodiment of the invention. As shown in Fig. 5, this embodiment describes the defence method of another embodiment of the invention in detail through the interaction of the flow detection device, the flow cleaning device, the upstream network device and a black hole router:
Step 301, the flow detection device obtains the messages sent to the ingress network device.
Step 302, the flow detection device detects the flow of each class of messages according to the session characteristics of the messages.
Step 303, when the flow of any class of messages is greater than the first threshold, this class of messages is confirmed to be first-class attack messages.
Step 304, the flow detection device sends a first filtering notification to the flow cleaning device, where the first filtering notification includes the session characteristics of the first-class attack messages.
Step 305, the flow cleaning device receives the first filtering notification sent by the flow detection device.
Step 312, the flow cleaning device generates dynamic routing information according to the session characteristics, where in the dynamic routing information the next hop of messages matching the session characteristics is the black hole router.
Step 313, the flow cleaning device sends the dynamic routing information to the upstream network device.
Step 314, the upstream network device receives the dynamic routing information.
Step 315, when the upstream network device receives a message, it judges whether the session characteristics of the message match a routing table entry; if they do, step 316 is executed.
Step 316, the upstream network device sends the message to the black hole router.
Step 317, the black hole router filters the message sent by the upstream network device.
Fig. 6 is a schematic diagram of an application scenario of the embodiment shown in Fig. 5. As shown in Fig. 6, unlike the embodiment shown in Fig. 4, the present embodiment adds a black hole router on top of the embodiment of Fig. 4. Specifically, the flow cleaning device generates dynamic routing information according to the session characteristics in the first filtering notification, where in the dynamic routing information the next hop of messages matching the session characteristics is the black hole router, and sends the dynamic routing information to the upstream network device. The upstream network device can add the dynamic routing information to its local routing table; when it receives a message whose session characteristics match that routing table entry, it forwards the message to the black hole router, and the black hole router filters the message after receiving it, so that the message is prevented from entering the ingress network device. It should be noted that the path over which the flow cleaning device forwards the dynamic routing information to the upstream network device can be chosen according to the configuration of the upstream network device: for example, when the upstream network device is not configured with a corresponding API interface, the flow cleaning device can send the dynamic routing information to the black hole router, which then forwards it to the upstream network device; conversely, when the upstream network device is configured with a corresponding API interface, the flow cleaning device can send the dynamic routing information to the upstream network device directly. The invention is not limited in this regard.
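As an added illustration (not code from the patent or its applicant), the following Python simulation models the detection, cleaning and upstream-filtering chain of Figs. 3 to 6: a flow detection device counts the flow of each session class against the first and second thresholds, the flow cleaning device turns a first filtering notification into either an ACL entry (Fig. 3) or a black-hole route (Fig. 5) on the upstream device, and second-class attack messages are filtered by the cleaning device under a preset rule. The session-characteristic tuple, the thresholds, the sample traffic and the drop-set model of the preset rule are assumptions.

```python
from collections import Counter, defaultdict, namedtuple

# Session characteristics of a message, assumed here to be a 4-tuple.
SessionKey = namedtuple("SessionKey", "src dst proto dport")
Packet = namedtuple("Packet", "key size")  # size in bytes

class FlowDetector:
    """Flow detection device (steps 301-304): per-class flow and thresholds."""
    def __init__(self, first_threshold, second_threshold):
        self.first_threshold = first_threshold
        self.second_threshold = second_threshold
        self.flow = defaultdict(int)

    def observe(self, pkt):
        self.flow[pkt.key] += pkt.size

    def notifications(self):
        """Return {session class: 'first' | 'second'} for attacking classes."""
        result = {}
        for key, volume in self.flow.items():
            if volume > self.first_threshold:
                result[key] = "first"    # first filtering notification
            elif volume > self.second_threshold:
                result[key] = "second"   # second filtering notification
        return result

class UpstreamDevice:
    """Upstream network device: ACL entries (308-311) or black-hole routes (314-316)."""
    def __init__(self):
        self.acl = set()
        self.blackhole_routes = set()

    def forward(self, pkt):
        if pkt.key in self.acl:
            return "dropped"      # filtered by the matching ACL entry
        if pkt.key in self.blackhole_routes:
            return "blackholed"   # next hop is the black hole router
        return "ingress"          # forwarded towards the ingress device

class CleaningDevice:
    """Flow cleaning device (305-307 / 312-313); mode picks the Fig. 3 ACL or Fig. 5
    black-hole variant. Second-class classes are dropped here under an assumed preset rule."""
    def __init__(self, upstream, mode="acl"):
        self.upstream = upstream
        self.mode = mode
        self.local_filters = set()

    def handle(self, notices):
        for key, cls in notices.items():
            if cls == "first" and self.mode == "acl":
                self.upstream.acl.add(key)               # first ACL command
            elif cls == "first":
                self.upstream.blackhole_routes.add(key)  # dynamic route
            else:
                self.local_filters.add(key)              # preset rule

    def stop_filtering(self, key):
        """Elimination notice or preset-time expiry: withdraw the entry."""
        self.upstream.acl.discard(key)
        self.upstream.blackhole_routes.discard(key)
        self.local_filters.discard(key)

    def deliver(self, pkt):
        verdict = self.upstream.forward(pkt)
        if verdict == "ingress" and pkt.key in self.local_filters:
            return "cleaned"
        return verdict

def constructed_traffic():
    """Constructed sample window: one flood, one mid-rate class, one benign."""
    dst = "192.0.2.10"
    flood = SessionKey("203.0.113.7", dst, "udp", 53)     # 2000 B: first class
    mid = SessionKey("203.0.113.8", dst, "tcp", 80)       # 600 B: second class
    benign = SessionKey("198.51.100.5", dst, "tcp", 443)  # 200 B: normal
    return [Packet(flood, 100)] * 20 + [Packet(mid, 100)] * 6 + [Packet(benign, 100)] * 2

def run_scenario(mode):
    """Detect on one window, then replay it through the filters; return counts."""
    traffic = constructed_traffic()
    detector = FlowDetector(first_threshold=1000, second_threshold=400)
    for pkt in traffic:
        detector.observe(pkt)
    cleaner = CleaningDevice(UpstreamDevice(), mode=mode)
    cleaner.handle(detector.notifications())
    return Counter(cleaner.deliver(pkt) for pkt in traffic)
```

Calling `run_scenario("acl")` or `run_scenario("blackhole")` returns the per-verdict message counts for the constructed window; `stop_filtering` models the withdrawal of an entry after an elimination notice or timer expiry.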
It should be noted that, in the embodiments of the present invention, a management platform may be included in addition to the flow detection device and the flow cleaning device. When the abnormal-flow cleaning system includes a management platform, the relevant instructions, commands and notifications exchanged between the flow detection device and the flow cleaning device can be relayed through the management platform; for example, the flow detection device can send the first filtering notification, the elimination notice, the second filtering notification and the route deletion notice to the flow cleaning device through the management platform.
Furthermore, a preset time can be configured in the management platform. After the flow cleaning device sends the first ACL command or the dynamic routing information to the upstream network device, the management platform can start a timer; when the timer expires, it notifies the flow cleaning device, so that the flow cleaning device instructs the upstream network device to stop filtering the first-class attack messages.
The management platform can also be used to store the attack alarm logs sent by the flow detection device when it detects that the flow of any class of messages is greater than the first threshold, or is less than the first threshold and greater than the second threshold, and to store the cleaning logs sent by the flow cleaning device. An attack alarm log can include, but is not limited to, the flow information before the attack, the flow information after cleaning and the size of the attack flow. The management platform can analyse this information and generate a detailed report, which helps the user understand the network traffic conditions; the first threshold and the second threshold can also be set according to the historical traffic data in the detailed report.
With the above embodiments, attack messages of a specified type can be filtered by their session characteristics, which improves the accuracy of message filtering, and attack messages are filtered at the upstream network device so that they never reach the ingress network device. This avoids congestion of the ingress bandwidth, ensures that the server's external service is not interrupted, and improves user experience.
Corresponding to the foregoing embodiments of the method for defending against a network attack, the present invention also provides embodiments of a device for defending against a network attack.
The embodiments of the defence device 400 of the present invention can be applied in the flow cleaning device and on the flow detection device respectively. The device embodiments can be implemented in software, in hardware, or in a combination of hardware and software. Taking software implementation as an example, the device in the logical sense is formed by the processor of the equipment in which it resides reading the corresponding computer program instructions from non-volatile memory into memory and running them. In terms of hardware, Fig. 7 is a hardware structure diagram of the equipment in which the defence device 400 of the present invention resides. Besides the processor, memory, network interface and non-volatile memory shown in Fig. 7, the equipment in which the defence device 400 resides may also include other hardware depending on the actual function of the equipment, which is not described further here.
Fig. 8 is a structural block diagram of a device for defending against a network attack according to an exemplary embodiment of the invention. As shown in Fig. 8, the defence device 400 is applied in the flow cleaning device and includes a receiving unit 401 and an execution unit 402.
The receiving unit 401 is configured to receive the first filtering notification sent by the flow detection device, where the first filtering notification includes the session characteristics of the first-class attack messages, and the first-class attack messages are messages whose flow is greater than the first threshold; the execution unit 402 is configured to instruct the upstream network device to filter the first-class target messages matching the session characteristics, where messages reach the ingress network device through the upstream network device.
Fig. 9 is a structural block diagram of a device for defending against a network attack according to another exemplary embodiment of the invention. As shown in Fig. 9, the defence device 400 is applied on the flow detection device and includes a detection unit 501, a confirmation unit 502 and a transmission unit 503.
The detection unit 501 is configured to detect the flow of each class of messages sent to the ingress network device according to the session characteristics of the messages.
The confirmation unit 502 is configured to confirm, when the flow of any class of messages is greater than the first threshold, that this class of messages is first-class attack messages.
The transmission unit 503 is configured to send the first filtering notification to the flow cleaning device, where the first filtering notification includes the session characteristics of the first-class attack messages, so that the flow cleaning device instructs the upstream network device to filter the first-class target messages matching the session characteristics, where messages reach the ingress network device through the upstream network device.
For the implementation process of the function and effect of each unit in the above device, refer to the implementation process of the corresponding step in the above method; details are not repeated here.
Since the device embodiments substantially correspond to the method embodiments, the relevant parts may refer to the description of the method embodiments. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present invention. Those of ordinary skill in the art can understand and implement this without creative effort.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent substitution, improvement and the like made within the spirit and principle of the present invention shall be included within the scope of protection of the present invention.
Claims (11)
1. A method for defending against a network attack, characterized in that it is applied in a flow cleaning device, the method comprising:
receiving a first filtering notification sent by a flow detection device, the first filtering notification including the session characteristics of first-class attack messages, the first-class attack messages being messages whose flow is greater than a first threshold;
instructing an upstream network device to filter first-class target messages matching the session characteristics, wherein messages reach an ingress network device through the upstream network device;
receiving a second filtering notification sent by the flow detection device, the second filtering notification including the session characteristics of second-class attack messages, the second-class attack messages being messages whose flow is less than the first threshold and greater than a second threshold;
according to the session characteristics of the second-class attack messages and according to a preset filtering rule, filtering the messages whose flow is less than the first threshold and greater than the second threshold.
2. The method according to claim 1, characterized in that instructing the upstream network device to filter the first-class target messages matching the session characteristics comprises:
generating a first ACL command according to the session characteristics and sending it to the upstream network device, to instruct the upstream network device to filter the first-class target messages matching the session characteristics according to the first ACL command.
3. The method according to claim 2, characterized in that, after sending the first ACL command to the upstream network device, the method further comprises:
when a first preset time is reached, sending a second ACL command to the upstream network device, to instruct the upstream network device to stop filtering the first-class target messages matching the session characteristics.
4. The method according to claim 2, characterized in that, after sending the first ACL command to the upstream network device, the method further comprises:
receiving an elimination notice sent by the flow detection device;
generating a third ACL command according to the elimination notice and sending it to the upstream network device, to instruct the upstream network device to stop filtering the first-class target messages matching the session characteristics.
5. The method according to claim 1, characterized in that instructing the upstream network device to filter the first-class target messages matching the session characteristics comprises:
generating dynamic routing information according to the session characteristics, wherein in the dynamic routing information the next hop of the first-class target messages matching the session characteristics is a black hole router;
sending the dynamic routing information to the upstream network device.
6. The method according to claim 5, characterized in that, after sending the dynamic routing information to the upstream network device, the method further comprises:
when a second preset time is reached, sending a route deletion notice to the upstream network device, to instruct the upstream network device to delete the dynamic routing information.
7. A method for defending against a network attack, characterized in that it is applied on a flow detection device, the method comprising:
detecting the flow of each class of messages sent to an ingress network device according to the session characteristics of the messages;
when the flow of any class of messages is greater than a first threshold, confirming that this class of messages is first-class attack messages;
sending a first filtering notification to a flow cleaning device, the first filtering notification including the session characteristics of the first-class attack messages, so that the flow cleaning device instructs an upstream network device to filter first-class target messages matching the session characteristics, wherein messages reach the ingress network device through the upstream network device;
when the flow of any class of messages is less than the first threshold and greater than a second threshold, confirming that this class of messages is second-class attack messages;
sending a second filtering notification to the flow cleaning device, the second filtering notification including the session characteristics of the second-class attack messages, so that the flow cleaning device instructs the upstream network device to filter second-class target messages matching the session characteristics, wherein messages reach the ingress network device through the upstream network device.
8. The method according to claim 7, characterized in that, after sending the first filtering notification to the flow cleaning device, the method further comprises:
when the flow of the first-class attack messages falls below the first threshold, sending an elimination notice to the flow cleaning device, so that the flow cleaning device instructs the upstream network device to stop filtering the first-class target messages matching the session characteristics.
9. The method according to claim 7, characterized in that the method further comprises:
when the flow of any class of messages is greater than the second threshold and less than the first threshold, confirming that this class of messages is second-class attack messages;
sending the second filtering notification to the flow cleaning device, the second filtering notification including the session characteristics of the second-class attack messages, so that the flow cleaning device filters the second-class target messages according to the session characteristics.
10. A device for defending against a network attack, characterized in that it is applied in a flow cleaning device, the device comprising:
a first receiving unit, configured to receive a first filtering notification sent by a flow detection device, the first filtering notification including the session characteristics of first-class attack messages, the first-class attack messages being messages whose flow is greater than a first threshold;
a first execution unit, configured to instruct an upstream network device to filter first-class target messages matching the session characteristics, wherein messages reach an ingress network device through the upstream network device;
a second receiving unit, configured to receive a second filtering notification sent by the flow detection device, the second filtering notification including the session characteristics of second-class attack messages, the second-class attack messages being messages whose flow is less than the first threshold and greater than a second threshold;
a second execution unit, configured to filter, according to the session characteristics of the second-class attack messages and according to a preset filtering rule, the messages whose flow is less than the first threshold and greater than the second threshold.
11. A device for defending against a network attack, characterized in that it is applied on a flow detection device, the device comprising:
a detection unit, configured to detect the flow of each class of messages sent to an ingress network device according to the session characteristics of the messages;
a first confirmation unit, configured to confirm, when the flow of any class of messages is greater than a first threshold, that this class of messages is first-class attack messages;
a first transmission unit, configured to send a first filtering notification to a flow cleaning device, the first filtering notification including the session characteristics of the first-class attack messages, so that the flow cleaning device instructs an upstream network device to filter first-class target messages matching the session characteristics, wherein messages reach the ingress network device through the upstream network device;
a second confirmation unit, configured to confirm, when the flow of any class of messages is less than the first threshold and greater than a second threshold, that this class of messages is second-class attack messages;
a second transmission unit, configured to send a second filtering notification to the flow cleaning device, the second filtering notification including the session characteristics of the second-class attack messages, so that the flow cleaning device instructs the upstream network device to filter second-class target messages matching the session characteristics, wherein messages reach the ingress network device through the upstream network device.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510330425.3A CN105991637B (en) | 2015-06-15 | 2015-06-15 | The means of defence and device of network attack |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105991637A CN105991637A (en) | 2016-10-05 |
CN105991637B true CN105991637B (en) | 2019-06-07 |
Family
ID=57040006
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105991637B (en) |
- 2015-06-15 CN CN201510330425.3A patent/CN105991637B/en active Active
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
CB02 | Change of applicant information | Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building; Applicant after: Hangzhou Dipu Polytron Technologies Inc; Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building; Applicant before: Hangzhou Dipu Technology Co., Ltd. |
GR01 | Patent grant | |