
WO2009121253A1 - Network configuring method for preventing attack, method and device for preventing attack - Google Patents


Info

Publication number
WO2009121253A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
user
rate
specific type
vlan
Prior art date
Application number
PCT/CN2009/070564
Other languages
French (fr)
Chinese (zh)
Inventor
吴迪
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2009121253A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic

Definitions

  • The embodiments of the present invention relate to the field of communications, and in particular to a method for configuring a network to prevent attacks, and a method and apparatus for preventing attacks.
  • ARP (Address Resolution Protocol) attacks are a common form of attack on network devices.
  • The specific attack modes are: (1) sending a large number of ARP request/reply packets to the gateway device, which occupies the device's port bandwidth, keeps the gateway busy processing ARP packets, consumes its CPU resources and causes degraded network capability, interruptions and other faults; (2) sending scan packets whose destination address changes continuously, such as PING packets, to the gateway device, which causes the gateway to generate a large number of ARP miss messages (messages indicating that an ARP entry does not exist), consumes its CPU resources and likewise causes degraded network capability and interruptions.
  • ARP miss messages: messages indicating that an ARP entry does not exist.
  • an access control list (ACL) is used on the network device to filter packets entering the network device according to the source and destination addresses.
  • ACL access control list
  • the source of the attack is identified by manual intervention.
  • the ACL rule is configured to filter the attack packets according to the characteristics of the attack packets.
  • This solution requires manual intervention and cannot easily provide automatic protection when an attack occurs.
  • Moreover, an attacker can evade ACL filtering simply by changing the source and destination addresses of the packets.
  • Another prior art is to limit the rate of ARP packets by source and destination addresses.
  • The network administrator configures a reasonable upper limit on the ARP packet rate according to the actual conditions of the network. When the ARP packet rate for a given source or destination address exceeds that limit, an ARP attack is deemed to have occurred; the packets above the limit are discarded and other ARP packets are unaffected. Because this solution must retain the access times of all ARP packets, it consumes considerable resources and may fail when the attacker's address changes frequently.
  • Embodiments of the present invention provide a method for configuring an attack prevention network, a method and apparatus for preventing an attack, and solving the problem of preventing a specific type of packet attack in a current communication network.
  • an embodiment of the present invention provides a method for configuring a network for preventing an attack, where the network includes a routing device and a user equipment, where the user equipment communicates with an access carrier network through the routing device.
  • The method for configuring the network includes: configuring a user VLAN ID for the user equipment; configuring QinQ-mode access for the user equipment on the user access interface of the routing device; encapsulating the user equipment's packets as QinQ packets before sending them; and configuring the suppression rate and default behaviour of specific types of packets according to the user VLAN ID in the inner layer of the QinQ packet.
  • another embodiment of the present invention provides a method for preventing an attack.
  • the method is used to configure a QinQ access network, and identify a user according to a user VLAN ID of an inner layer of the QinQ.
  • The method includes: determining whether a packet rate limit has been configured for a received packet of a specific type; if so, determining whether the rate of packets of that type has reached the rate upper limit and, if it has, discarding the packet; if no packet rate limit is configured for the received packet of that type, performing the default action.
  • Another embodiment of the present invention provides an apparatus for preventing attacks, including a configuration unit, a rate-limit determining unit, a rate-limit upper-limit determining unit and an execution unit.
  • The configuration unit is configured to configure QinQ-mode access on the user access interface of the routing device and to configure the rate upper limit and default action of specific types of packets according to the user VLAN ID in the inner layer of the QinQ packet.
  • The rate-limit determining unit is configured to determine whether a packet rate limit has been configured for a received packet of a specific type; if so, the rate-limit upper-limit determining unit determines whether the rate of packets of that type has reached the rate upper limit.
  • The execution unit performs an action according to the result of the rate-limit upper-limit determining unit; if the rate-limit determining unit determines that no packet rate limit is configured for the received packet of that type, the execution unit performs the default action.
  • Compared with the prior art, the embodiments of the present invention automatically protect against attacks by specific types of packets once the network configuration is complete, without manual intervention. Even if an attack occurs, its impact can be narrowed to a specific user without affecting the normal network connections of other users or user groups with different VLAN IDs on the same interface; an attacker cannot easily evade the security policy by changing source and destination IP addresses; and no additional performance overhead is introduced.
  • Protection policies are configured per connected user, so system resource consumption is bounded and the pressure on hardware performance is reduced. Network segment scanning attacks are blocked at the same time as specific-type packet attacks are prevented.
  • FIG. 1 is a networking diagram of an embodiment of the present invention
  • FIG. 2 is a flowchart of a method for preventing an attack according to an embodiment of the present invention
  • FIG. 3 is a flowchart of a method for preventing an attack according to another embodiment of the present invention.
  • FIG. 4 is a flow chart of an apparatus for preventing an attack according to another embodiment of the present invention.
  • DETAILED DESCRIPTION OF THE INVENTION: In the IEEE 802.1Q standard, the Ethernet frame format is modified by inserting a 4-byte 802.1Q Tag between the Source Address field and the Length/Type field.
  • Within the tag, a 12-bit VID (Virtual Local Area Network Identifier) identifies the VLAN, as shown in the shaded packet field in Table 1.
  • the earliest QinQ is to implement a VPN-like (Virtual Private Network) application, that is, the inner layer of the packet is the user VLAN ID, and the outer layer is the VLAN ID of the carrier.
  • the outer VLAN ID of the packet traverses the carrier network and uses the inner VLAN ID to implement user interworking.
  • QinQ technology has since become more of a user identifier. The technical solution of the embodiments of the present invention uses this feature of QinQ for access protection.
  • A networking diagram of an embodiment of the present invention is shown in FIG. 1.
  • the network includes an access carrier network, an edge router, a Layer 2 switch, and User A, User B, and User C.
  • User A, User B, and User C communicate with the access carrier network through switches and edge routers.
  • The IP address of user A is 192.168.0.10, and the VLAN number to which it belongs (that is, the VLAN ID of user A) is 100.
  • The IP address of user B is 192.168.0.11, and the VLAN number to which it belongs (that is, the VLAN ID of user B) is 101.
  • The IP address of user C is 192.168.0.12, and the VLAN number to which it belongs (that is, the VLAN ID of user C) is 102.
  • On the Layer 2 switch that communicates with users A, B, C and the edge router, the ports communicating with users A, B and C are Trunk100 ~ 110; the IP address of the edge router is 192.168.0.1, and the outer VLAN ID of the QinQ access is 10.
  • Any of users A, B and C may be a single user or the egress of a user network with multiple user devices behind it, provided that all the user devices behind that egress are within a single security policy domain.
  • the IP address and the VLAN number indicated in FIG. 1 are examples for explaining the networking mode, and are not intended to limit the present embodiment or the present invention.
  • the Layer 2 switch here can also be a Layer 3 switch, routing device or other network device capable of implementing QinQ access.
  • Taking the networking diagram shown in FIG. 1 as an example, configure the user VLAN ID for each of users A, B and C. This step is essentially the same as a normal access configuration. Assume that user A's IP address is 192.168.0.10 and its VLAN number (that is, user A's VLAN ID) is 100; user B's IP address is 192.168.0.11 and its VLAN number (user B's VLAN ID) is 101; user C's IP address is 192.168.0.12 and its VLAN number (user C's VLAN ID) is 102.
  • the task of configuring the user VLAN ID for all users A, B, and C can be manually configured by the network administrator or set by the system.
  • the IP addresses of users A, B, and C can be manually configured by the network administrator or set by the system.
  • Configure the ARP packet suppression rate of each access user on the user access interface, that is, the upper limit on the rate of ARP packets for each access user.
  • the network shown in Figure 1 is used as an example.
  • the users who need to set the ARP packet suppression rate include users A, B, and C. In actual networking, you may include more users or user terminals.
  • Configuration content is as follows:
  • arp-speed-limit 15, that is, the upper limit on the rate of ARP packets sent from VLAN 100 to VLAN 102 is 15 per second.
  • In the network shown in FIG. 1 there are users A, B and C. If only user A is configured with a limit, the restrictions on users B and C follow the default action.
  • The default action can include discard or unrestricted, for example:
  • The Layer 2 switch configures different VLAN IDs, that is, inner VLAN IDs, for users or user groups in different security policy domains; different users or user groups with the same security policy may also be configured with different VLAN IDs.
  • the edge router encapsulates the packets entering the same interface with the outer VLAN ID. In this way, packets from different users or user groups can be identified on the edge router based on different inner VLAN IDs.
  • the edge router configures the ARP packet rate suppression according to the inner VLAN ID and configures the default action.
  • the Layer 2 switch can be used to configure the VLAN ID.
  • the Layer 2 switch is used to implement QinQ access.
  • the edge router can also be replaced with a normal router. This method can also be used to prevent other specific types of packet attacks.
  • the interface can be a physical interface or a logical interface.
  • FIG. 3 is a flowchart of a method for preventing an attack according to another embodiment of the present invention. As shown in FIG. 3, when a user packet enters an edge router, the processing steps of the edge router include:
  • Step 30: Determine whether the received packet is an ARP packet. If it is not an ARP packet, go to step 36; otherwise, go to step 32.
  • Step 32: The edge router identifies, based on the inner VLAN ID, whether an ARP packet rate limit is configured for the user. If no rate limit is configured, go to step 38. For a user configured with an ARP packet rate limit, go to step 34.
  • Step 34: For a user configured with an ARP packet rate limit, the engine records the timestamp of the last ARP packet and derives the rate from the difference between the current time and the last recorded time. This rate is compared with the configured maximum rate for receiving ARP packets. If the ARP packet rate limit has not been reached, go to step 36, process the packet as a normal ARP packet and update the timestamp. Otherwise, discard the packet and keep the last recorded timestamp unchanged.
  • Step 38: Determine the default action and perform it. If the default action is discard, ARP packets from users that are not configured with a rate limit are considered insecure ARP packets and are all discarded. Otherwise the ARP packets are treated as secure; go to step 36.
  • Discarded ARP packets can be counted for further analysis. Whether an attack is in progress can be judged from the growth rate of the counter, and an alarm, log or similar can be sent to the NMS. Further, the inner VLAN ID of the discarded ARP packets can be recorded to track the attack source.
  • When the edge router calculates the ARP packet rate, it calculates the rate of ARP packets sent by each user separately according to the different inner VLAN IDs.
  • When discarding ARP packets, only ARP packets with the specific inner VLAN ID are discarded. Therefore, when any user sends attack packets, this does not affect the normal connections of other users or user groups with different user VLAN IDs on the same access interface, nor users on other access interfaces.
  • Different users are identified on the edge router by the inner VLAN ID of the packet, which has no relationship to the packet's IP address, so however the attacker changes the IP address it is difficult to circumvent the router's protection policy.
  • The number of users that must be tracked is bounded by the number of inner VLAN IDs, at most 4K. In this way, the resources occupied on the edge router are within a controllable range, and the hardware requirements are not excessive.
  • On the edge router, the administrator can control the number of IP addresses each user can access by configuring the number of ARP entries each user is allowed to generate.
  • the embodiment of the present invention further provides an apparatus for preventing an attack.
  • the apparatus 4 includes a configuration unit 41, a speed limit determination unit 42, a speed limit upper limit determination unit 43, and an execution unit 44, where
  • the configuration unit 41 is configured to configure the QinQ mode access on the user access interface of the edge router, and configure the suppression rate and default behavior of the ARP packet according to the user VLAN ID of the inner layer of the QinQ packet.
  • The rate-limit determining unit 42 is configured to determine whether the received ARP packet has been configured with an ARP packet rate limit. If a rate limit is configured, the rate-limit upper-limit determining unit 43 determines whether the rate of the ARP packets has reached the rate upper limit, and the execution unit 44 performs an action according to the result of the rate-limit upper-limit determining unit 43; if the rate-limit determining unit 42 determines that the received ARP packet is not configured with an ARP packet rate limit, the execution unit 44 performs the default action.
  • A packet determining unit 45 may further be configured to determine whether the received packet is an ARP packet; if so, the packet is sent to the rate-limit determining unit 42 to determine whether it is configured with a rate limit; otherwise, the execution unit 44 performs the normal processing procedure.
  • The action includes: if the rate-limit upper-limit determining unit 43 determines that the rate of ARP packets has reached the upper limit, the packet is discarded; otherwise, it is processed according to the normal procedure.
  • the VLAN ID configuration unit 46 may be further configured to configure a user VLAN ID for the user equipment.
  • the edge router can also be replaced with a normal router. This method can also be used to prevent other specific types of packet attacks.
  • the interface can be a physical interface or a logical interface.
  • Another embodiment of the present invention is directed to a computer readable medium having stored therein a sequence of instructions for performing a method of preventing an attack, the method comprising:
  • The device determines whether the received packet is an ARP packet. If it is not an ARP packet, the packet is processed according to the normal procedure; otherwise, the device determines whether the ARP packet is configured with an ARP packet rate limit.
  • The edge router determines, based on the inner VLAN ID, whether the ARP packet is configured with a rate limit. If no rate limit is configured, the default action is determined and performed: if the default action is discard, the ARP packets of users not configured with a rate limit are considered insecure ARP packets and all such received ARP packets are discarded; otherwise, the device processes the packet according to the normal procedure.
  • If a rate limit is configured, the device determines whether the ARP packet rate has reached the upper limit: the engine records the timestamp of the last ARP packet, derives the received ARP packet rate from the difference between the current time and the last recorded time, and compares it with the configured rate limit. If the rate limit has not been reached, the packet is processed normally and the timestamp is updated; otherwise, the packet is discarded and the last recorded timestamp is kept unchanged.
  • the edge router can also be replaced with a normal router. This method can also be used to prevent other specific types of packet attacks.
  • the interface can be a physical interface or a logical interface.
  • ARP packet attacks can be defended against automatically, without manual intervention. Even if an attack occurs, its scope can be narrowed to a specific user without affecting other devices on the same interface.
  • While preventing ARP packet attacks, the scheme also blocks network segment scanning attacks.
  • The present invention can be implemented by hardware, or by software together with the necessary general-purpose hardware platform. The technical solution of the present invention can be embodied in the form of a software product stored in a non-volatile storage medium (which can be a CD-ROM, a USB flash drive, a removable hard disk, etc.) and including a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform the methods described in the various embodiments of the present invention.
  • A non-volatile storage medium can be a CD-ROM, a USB flash drive, a removable hard disk, etc.
  • A computer device may be a personal computer, a server, a network device, etc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

A network configuring method for preventing attack, a method and device for preventing attack. In the network configuring method for preventing attack, the network comprises a route device and a user device, the user device communicates with the network of access operator through the route device. The method for configuring the network comprises: configuring VLAN ID of the user for the user device; configuring the user device to access in the QinQ way at the user access interface of the route device; encapsulating the message of the user device into the QinQ message and sending the QinQ message; configuring the suppressing rate and default behavior of particular type of message based on VLAN ID of the user in the inner layer of QinQ message.

Description

Method for configuring a network to prevent attacks, and method and apparatus for preventing attacks

This application claims priority to Chinese Patent Application No. 200810066440.1, filed with the Chinese Patent Office on March 31, 2008 and entitled "Method for configuring a network to prevent attacks, and method and apparatus for preventing attacks", the entire contents of which are incorporated herein by reference.

Technical field

The embodiments of the present invention relate to the field of communications, and in particular to a method for configuring a network to prevent attacks, and a method and apparatus for preventing attacks.

Background

ARP (Address Resolution Protocol) attacks are a common form of attack on network devices. The specific attack modes are: (1) sending a large number of ARP request/reply packets to the gateway device; this occupies the device's port bandwidth, keeps the gateway device busy processing ARP packets, consumes the device's CPU resources and causes degraded network capability, interruptions and other faults; (2) sending scan packets whose destination address changes continuously, such as PING packets, to the gateway device; this causes the gateway device to generate a large number of ARP miss messages (messages indicating that an ARP entry does not exist), consuming the device's CPU resources and causing degraded network capability, interruptions and other faults.

In the prior art, an access control list (ACL) on the network device can filter packets entering the device by source and destination address. When an ARP attack occurs, the attack source is identified by manual intervention, and ACL rules are then configured according to the characteristics of the attack packets to filter them out. This solution requires manual intervention and cannot easily provide automatic protection when an attack occurs; moreover, an attacker can evade the ACL filtering simply by changing the source and destination addresses of the packets.

Another prior-art approach limits the rate of ARP packets by source and destination address. The network administrator configures a reasonable upper limit on the ARP packet rate according to the actual conditions of the network; when the ARP packet rate for some source or destination address exceeds the configured limit, an ARP attack is deemed to have occurred, and the packets above the limit are discarded while other ARP packets are unaffected. Because this solution must retain the access times of all ARP packets, it consumes considerable resources, and it may fail when the attacker's address changes frequently.

Summary of the invention
Embodiments of the present invention provide a method for configuring a network to prevent attacks, and a method and apparatus for preventing attacks, solving the problem of preventing attacks by specific types of packets in current communication networks.

To solve the above technical problem, one embodiment of the present invention provides a method for configuring a network to prevent attacks, where the network includes a routing device and user equipment, and the user equipment communicates with the access carrier network through the routing device. The method for configuring the network includes: configuring a user VLAN ID for the user equipment; configuring QinQ-mode access for the user equipment on the user access interface of the routing device; encapsulating the user equipment's packets as QinQ packets before sending them; and configuring the suppression rate and default behaviour of specific types of packets according to the user VLAN ID in the inner layer of the QinQ packet.

To solve the above technical problem, another embodiment of the present invention provides a method for preventing attacks. The method is used in a network configured for QinQ access and identifies a user by the user VLAN ID of the inner QinQ layer. The method includes: determining whether a packet rate limit has been configured for a received packet of a specific type; if so, determining whether the rate of packets of that type has reached the rate upper limit and, if it has, discarding the packet; if no packet rate limit is configured for the received packet of that type, performing the default action.

To solve the above technical problem, another embodiment of the present invention provides an apparatus for preventing attacks, including a configuration unit, a rate-limit determining unit, a rate-limit upper-limit determining unit and an execution unit. The configuration unit is configured to configure QinQ-mode access on the user access interface of the routing device and to configure the rate upper limit and default action of specific types of packets according to the user VLAN ID in the inner layer of the QinQ packet. The rate-limit determining unit is configured to determine whether a packet rate limit has been configured for a received packet of a specific type; if so, it hands the packet to the rate-limit upper-limit determining unit, which determines whether the rate of packets of that type has reached the rate upper limit, and the execution unit performs an action according to that determination. If the rate-limit determining unit determines that no packet rate limit is configured for the received packet of that type, control passes to the execution unit, which performs the default action.

Compared with the prior art, the embodiments of the present invention automatically protect against attacks by specific types of packets once the network configuration is complete, without manual intervention. Even if an attack occurs, its impact can be narrowed to a specific user without affecting the normal network connections of other users or user groups with different VLAN IDs on the same interface. An attacker cannot easily evade the security policy by changing source or destination IP addresses, and no additional performance overhead is introduced. Protection policies are configured per connected user, so system resource consumption is bounded and the pressure on hardware performance is reduced. Network segment scanning attacks are blocked at the same time as specific-type packet attacks are prevented.

Brief description of the drawings
FIG. 1 is a networking diagram of an embodiment of the present invention;
FIG. 2 is a flowchart of a configuration method for preventing attacks according to an embodiment of the present invention; FIG. 3 is a flowchart of a method for preventing attacks according to another embodiment of the present invention;
FIG. 4 is a flowchart of an apparatus for preventing attacks according to another embodiment of the present invention.

Detailed description of the invention

In the IEEE 802.1Q standard, the Ethernet frame format is modified: a 4-byte 802.1Q Tag is inserted between the Source Address field and the Length/Type field, and 12 bits of the tag are used to identify different VIDs (Virtual Local Area Network Identifiers), as shown in the shaded packet field in Table 1.

Table 1 (802.1Q-based VLAN frame format): Destination Address (6 bytes) | Source Address (6 bytes) | 802.1Q Tag (4 bytes) | Length/Type (2 bytes) | Data (46-1517 bytes) | FCS (4 bytes)

As network scale keeps growing, 4K VLAN IDs can no longer satisfy current networking applications. To support more user access, each vendor has introduced its own solution, and QinQ is one of them. QinQ adds a second 802.1Q tag outside the original 802.1Q tag and identifies a user with two layers of VLAN IDs, i.e. 802.1Q in 802.1Q: an extra 802.1Q tag header is added on top of the 802.1Q-tagged packet to extend the VLAN space.
最早的 QinQ是为了实现一种类似 VPN ( Virtual Private Network, 虚拟专用网) 的应用, 即报文内层为用户 VLAN ID, 外层为运营商 的 VLAN ID。 报文使用外层 VLAN ID穿越运营商网络, 用内层 VLAN ID实现用户互通。 现在 QinQ技术已经更多的成为对用户的标识。 在 本发明实施方式的技术方案中就是使用 QinQ的这一特点作为接入用 到保护的目的。  The earliest QinQ is to implement a VPN-like (Virtual Private Network) application, that is, the inner layer of the packet is the user VLAN ID, and the outer layer is the VLAN ID of the carrier. The outer VLAN ID of the packet traverses the carrier network and uses the inner VLAN ID to implement user interworking. Now QinQ technology has become more of a logo for users. In the technical solution of the embodiment of the present invention, this feature of QinQ is used as the purpose of access protection.
A networking diagram of one embodiment of the present invention is shown in FIG. 1. The network includes the access carrier network, an edge router, a Layer 2 switch, and user A, user B and user C. Users A, B and C communicate with the access carrier network through the switch and the edge router. Assume that user A has IP address 192.168.0.10 and belongs to VLAN 100 (user A's VLAN ID is 100); user B has IP address 192.168.0.11 and belongs to VLAN 101 (user B's VLAN ID is 101); user C has IP address 192.168.0.12 and belongs to VLAN 102 (user C's VLAN ID is 102); on the Layer 2 switch that connects users A, B and C to the edge router, the ports facing users A, B and C are Trunk100 to Trunk110; the edge router's IP address is 192.168.0.1; and the outer VLAN ID used for QinQ access is 10. Any one of users A, B and C may be a single user or the egress of a user network with several user devices behind it, as long as all the user devices behind that egress lie within one security policy domain. The IP addresses and VLAN numbers marked in FIG. 1 are examples given to explain the networking and do not limit this embodiment or the invention. The Layer 2 switch here can also be a Layer 3 switch, routing device or other network device capable of implementing QinQ access.
The process of configuring the edge router is shown in FIG. 2 and includes the following steps:

20. Configure a user VLAN ID for each user.

Taking the networking diagram of FIG. 1 as an example, user VLAN IDs are configured for all of users A, B and C; this step is essentially the same as ordinary access configuration. Assume that user A's IP address is 192.168.0.10 and its VLAN number (user A's VLAN ID) is configured as 100; user B's IP address is 192.168.0.11 and its VLAN number (user B's VLAN ID) is configured as 101; user C's IP address is 192.168.0.12 and its VLAN number (user C's VLAN ID) is configured as 102. Configuring the user VLAN IDs for users A, B and C may be done manually by the network administrator or by system settings. Likewise, the IP addresses of users A, B and C may be configured manually by the network administrator or set by the system.

22. Configure QinQ access on the user access interface.

Taking the network of FIG. 1 as an example, the user access interface of the edge router is configured for QinQ access.

24. Configure the ARP packet suppression rate according to the user VLAN ID, and configure the default behaviour mode.

According to the user VLAN ID, configure on the user access interface an ARP packet suppression rate for each access user, that is, an upper limit on the rate of ARP packets from each access user. In the networking of FIG. 1, the users that need an ARP suppression rate are users A, B and C; a real deployment may include more users or user terminals. An example of the configuration:

- remote-host vlan 100 to 102 arp-speed-limit 15, which sets an upper limit of 15 ARP packets per second for the access users in VLAN 100 through VLAN 102;

For the ARP packets of users for which no limit has been configured, a default behaviour mode can be configured. In the networking of FIG. 1 there are users A, B and C; if a limit command is configured only for user A, users B and C are restricted according to the default behaviour. The default behaviour (default action) may be to discard or not to restrict, for example:

- remote-host default pass: the ARP packets of other users are allowed through without restriction.

- remote-host default drop: the ARP packets of other users are all discarded and not allowed through.
In one embodiment of the present invention, the Layer 2 switch assigns different VLAN IDs, that is, inner VLAN IDs, to the packets of users or user groups in different security policy domains (different users or user groups with the same security policy may of course also be given different VLAN IDs), and the edge router encapsulates all packets entering the same interface with an outer VLAN ID. The edge router can then distinguish packets from different users or user groups by their inner VLAN IDs. The edge router configures ARP packet rate suppression per inner VLAN ID and configures a default action. In fact, when the users or user groups below the edge router already have VLAN IDs, the Layer 2 switch is not needed to assign them and serves only to implement QinQ access. The edge router may also be replaced by an ordinary router. The method can likewise be used to prevent attacks with other specific types of packets. The interface may be a physical interface or a logical interface.
FIG. 3 is a flow chart of a method for preventing attacks according to another embodiment of the present invention. As shown in FIG. 3, when a user packet enters the edge router, the processing steps of the edge router include:

30. Determine whether the received packet is an ARP packet. If it is not, go to step 36; otherwise go to step 32.

32. Determine whether an ARP packet rate limit is configured.

The edge router identifies from the inner VLAN ID whether an ARP packet rate limit is configured for this user. If no limit is configured, go to step 38; for a user with an ARP rate limit configured, go to step 34.

34. Determine whether the ARP packet rate has reached the configured upper limit.

For a user with an ARP rate limit configured, the engine records the timestamp at which the last ARP packet arrived, computes the difference between the current time and the last recorded time, and converts it into the rate of received ARP packets. This rate is compared with the configured upper limit for receiving ARP packets: if the upper limit has not been reached, go to step 36 to process the packet according to the normal ARP flow and refresh the timestamp; otherwise discard the packet and leave the last recorded timestamp unchanged.

36. Process the packet according to the normal flow.

38. Determine the default action in order to execute it. If the default action is discard, all ARP packets from users without a configured rate limit are treated as unsafe ARP packets; go to step 380. If the default action is pass, all ARP packets from users without a configured rate limit are treated as safe ARP packets; go to step 36.

380. Discard all received ARP packets of this user.

Of course, when a user's ARP packets are discarded, the discarded packets can also be counted for further analysis, for example judging from the growth rate of the count whether an attack is under way, sending an alarm to the network management system and writing a log. Further, the inner VLAN ID of discarded ARP packets can be recorded in order to trace the attack source.

In this way, when a user below the edge router launches an ARP packet attack, the large number of ARP packets sent by the attacker are discarded because they exceed the ARP rate needed for normal communication, so these attack packets do not affect the stability of the edge router or the carrier network. Because the edge router computes the ARP packet rate separately for each user according to the inner VLAN ID, and when discarding ARP packets discards only those carrying the specific inner VLAN ID, an attacking user does not disturb the normal connections of other users or user groups with different user VLAN IDs under the same access interface, let alone users under other access interfaces.

Because the edge router identifies users by the inner VLAN ID of the packet rather than by its IP address, an attacker cannot easily evade the router's protection policy no matter how the IP address is changed.

Because the number of users or user groups under one access interface is limited, the user information that must be recorded for one access interface is also limited, normally at most 4k entries. The resources consumed on the edge router therefore stay within a controllable range and do not place excessive demands on the hardware.
In the method of the embodiments of the present invention, taking the networking diagram of FIG. 1 as an example, the edge router administrator can control the number of IP addresses each user can reach by configuring the number of ARP entries each user is allowed to generate.

Before launching a network attack, an attacker usually scans the network segment, that is, sends a large number of PING packets whose destination addresses change continuously, to learn which addresses are reachable and then decide on the next attack step. An ARP request is sent before each PING packet. Because users with different user VLAN IDs cannot interwork at Layer 2 on a Layer 2 switch, if the switch in FIG. 1 is a Layer 2 switch they must go through the edge router before

the upper limit on the number of entries allowed to be generated can be configured according to the user's VLAN ID; once the limit is reached, no further entries are generated. However, if the Layer 2 switch in FIG. 1 is replaced by a Layer 3 switch or a router, those users can still interwork even though they use different user VLAN IDs. In that case, the ARP entries each user may generate can be limited on that Layer 3 switch or router to control how many IP addresses each user can reach at the same time, thereby blocking network segment scanning; for example, an upper limit on the entries allowed to be generated can be configured according to the user's VLAN ID, and once the limit is reached no further entries are generated.
An embodiment of the present invention further provides an apparatus for preventing attacks. As shown in FIG. 4, the apparatus 4 includes a configuration unit 41, a rate-limit determining unit 42, a rate-limit upper-bound determining unit 43 and an execution unit 44, where:

the configuration unit 41 is configured to configure QinQ access on the user access interface of the edge router and to configure the ARP packet suppression rate and default behaviour according to the user VLAN ID in the inner layer of QinQ packets;

the rate-limit determining unit 42 is configured to determine whether an ARP packet rate limit has been configured for the received ARP packet; if so, the rate-limit upper-bound determining unit 43 determines whether the rate of the ARP packets has reached the upper limit, and the execution unit 44 acts according to the result of unit 43; if unit 42 determines that no ARP packet rate limit is configured for the received ARP packet, the execution unit 44 executes the default action.

Preferably, the apparatus may further include a packet determining unit 45 for determining whether a received packet is an ARP packet; if so, the packet is handed to the rate-limit determining unit 42 to determine whether an ARP rate limit is configured for it; otherwise the execution unit 44 carries out the normal processing flow. Acting according to the result of the rate-limit upper-bound determining unit 43 includes: if unit 43 determines that the rate of the ARP packets has reached the upper limit, the packet is discarded; otherwise it is processed according to the normal flow.

Preferably, if the user device has no VLAN ID, the apparatus may further include a VLAN ID configuration unit 46 for configuring a user VLAN ID for the user device.

In fact, the edge router may also be replaced by an ordinary router. The method can likewise be used to prevent attacks with other specific types of packets. The interface may be a physical interface or a logical interface.
Another embodiment of the present invention relates to a computer-readable medium storing a sequence of instructions for performing a method of preventing attacks, the method including:

determining whether a received packet is an ARP packet; if it is not, processing the packet according to the normal flow; otherwise further determining whether an ARP packet rate limit has been configured for the ARP packet;

the edge router identifies from the inner VLAN ID whether an ARP packet rate limit is configured for this user; if no limit is configured, it determines the default action in order to execute it: if the default action is discard, all ARP packets from users without a configured rate limit are treated as unsafe ARP packets and all received ARP packets of that user are discarded; if the default action is pass, all ARP packets from users without a configured rate limit are treated as safe ARP packets and processed according to the normal flow;

for a user with an ARP rate limit configured, it further determines whether the sending rate of the ARP packets has reached the configured upper limit: the engine records the timestamp at which the last ARP packet arrived, computes the difference between the current time and the last recorded time, and converts it into the rate of received ARP packets; this rate is compared with the configured upper limit for receiving ARP packets; if the limit has not been reached, the packet is processed according to the normal flow and the timestamp is refreshed; otherwise the packet is discarded and the last recorded timestamp is left unchanged.

In fact, the edge router may also be replaced by an ordinary router. The method can likewise be used to prevent attacks with other specific types of packets. The interface may be a physical interface or a logical interface.
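The decision flow of FIG. 3 (steps 30 to 380), its restatement in the computer-readable-medium embodiment above, and the per-user ARP-entry limit described for blocking network segment scanning are modelled in the following added Python example. It is not the patent's or the applicant's code; the class and method names, the verdict strings "normal" and "drop", and the constructed burst of traffic in the main block are all assumptions. Rates are derived from the gap between the current packet and the last accepted one, exactly as the text describes, and the timestamp is refreshed only on accept.

```python
"""Per-user ARP rate limiting keyed by the QinQ inner VLAN ID.

Added example (not the patent's code): models the edge-router decision flow
of FIG. 3 (steps 30-380) plus the per-VLAN ARP-entry cap used against
network-segment scanning. Class and method names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806


@dataclass
class UserState:
    last_arp_ts: Optional[float] = None  # timestamp of the last *accepted* ARP packet
    dropped: int = 0                     # discarded ARP packets (for alarms and logs)


class ArpGuard:
    """Per-inner-VLAN ARP suppression with a default action for unconfigured users."""

    def __init__(self, default_action: str = "pass") -> None:
        if default_action not in ("pass", "drop"):
            raise ValueError("default action must be 'pass' or 'drop'")
        self.default_action = default_action
        self.limits: Dict[int, float] = {}     # inner VLAN ID -> max ARP packets/second
        self.state: Dict[int, UserState] = {}  # inner VLAN ID -> per-user state

    def configure_limit(self, vlan_from: int, vlan_to: int, pps: float) -> None:
        """Counterpart of 'remote-host vlan 100 to 102 arp-speed-limit 15'."""
        for vid in range(vlan_from, vlan_to + 1):
            self.limits[vid] = float(pps)

    def handle(self, inner_vlan: int, ethertype: int, now: float) -> str:
        """Return 'normal' (process as usual) or 'drop' for one received packet."""
        # Step 30: anything that is not ARP takes the normal path untouched.
        if ethertype != ETHERTYPE_ARP:
            return "normal"
        st = self.state.setdefault(inner_vlan, UserState())
        limit = self.limits.get(inner_vlan)
        if limit is None:
            # Steps 38/380: no limit for this user, apply the default action.
            if self.default_action == "drop":
                st.dropped += 1
                return "drop"
            return "normal"
        # Step 34: derive the rate from the gap to the last accepted ARP packet.
        if st.last_arp_ts is not None:
            delta = now - st.last_arp_ts
            rate = float("inf") if delta <= 0 else 1.0 / delta
            if rate >= limit:
                # Upper limit reached: discard and keep the old timestamp so a
                # burst cannot refresh its way past the limit.
                st.dropped += 1
                return "drop"
        # Step 36: within the limit, normal processing and timestamp refresh.
        st.last_arp_ts = now
        return "normal"

    def suspects(self, min_dropped: int) -> List[int]:
        """Inner VLAN IDs whose drop counter reached min_dropped (source tracing)."""
        return sorted(v for v, st in self.state.items() if st.dropped >= min_dropped)


class ArpTableCap:
    """Upper bound on ARP entries a user VLAN may generate (limits address scanning)."""

    def __init__(self, max_entries_per_vlan: int) -> None:
        self.max_entries = max_entries_per_vlan
        self.entries: Dict[int, set] = {}

    def learn(self, vlan: int, ip: str) -> bool:
        """True if the entry exists or was created; False once the VLAN's cap is hit."""
        known = self.entries.setdefault(vlan, set())
        if ip in known:
            return True
        if len(known) >= self.max_entries:
            return False
        known.add(ip)
        return True


if __name__ == "__main__":
    guard = ArpGuard(default_action="drop")
    guard.configure_limit(100, 102, 15)  # users A, B, C as in FIG. 1
    # Constructed burst: VLAN 100 sends one ARP every 10 ms (100 pps) from t=0.
    verdicts = [guard.handle(100, ETHERTYPE_ARP, t / 100.0) for t in range(5)]
    print("VLAN 100 burst:", verdicts)  # first accepted, the rest dropped
    print("VLAN 103 (no limit, default drop):", guard.handle(103, ETHERTYPE_ARP, 0.0))
    print("drop counters:", {v: s.dropped for v, s in guard.state.items()})
    print("suspects:", guard.suspects(2))
    cap = ArpTableCap(max_entries_per_vlan=2)
    print([cap.learn(100, ip) for ip in ("192.168.0.10", "192.168.0.11", "192.168.0.12")])
```

Keeping the timestamp unchanged on a drop is the important detail: if the timestamp were refreshed on every packet, a steady flood would always measure the same short gap but also keep moving the reference point, and a sender could never be distinguished from one that slows down. The per-VLAN drop counter and `suspects()` give the alarm and source-tracing hooks the text mentions without touching the data path.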
With the embodiments of the present invention, once the network configuration is complete, ARP packet attacks are defended against automatically without manual intervention; even when an attack occurs, its impact is confined to the specific user and does not affect the normal network connections of other users or user groups with different user VLAN IDs under the same interface; an attacker changing source or destination IP addresses cannot easily evade the security policy, and no additional performance overhead is incurred; because the protection policy is configured per connected user, consumption of system resources is bounded, reducing pressure on hardware performance; and network segment scanning attacks are blocked at the same time as ARP packet attacks.

From the description of the above embodiments, those skilled in the art will clearly understand that the present invention may be implemented in hardware, or in software together with the necessary general-purpose hardware platform. On this understanding, the technical solution of the present invention may be embodied as a software product stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive or removable hard disk) and including instructions that cause a computer device (a personal computer, a server, a network device or the like) to perform the methods described in the embodiments of the present invention.

In summary, the above are merely preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims

1. A method for configuring a network for preventing attacks, wherein the network includes a routing device and user equipment, the user equipment communicating with an access carrier network through the routing device, the method including:

configuring a user VLAN ID for the user equipment;

configuring QinQ access for the user equipment on the user access interface of the routing device, packets of the user equipment being encapsulated as QinQ packets before being sent;

configuring a suppression rate and a default behaviour for packets of a specific type according to the user VLAN ID in the inner layer of the QinQ packets.

2. The method of claim 1, wherein the configuration is done manually by an administrator of the routing device or by system settings.

3. The method of claim 1, wherein the packets of the specific type are ARP packets.

4. The method of claim 1, wherein the default behaviour mode includes allowing the packets of the specific type to pass or discarding the packets of the specific type.

5. The method of claim 1, wherein user equipment with different security policies are located in different VLANs and have different VLAN IDs.

6. The method of claim 1, wherein the user equipment is at least one network device having the same VLAN ID.

7. The method of claim 1, wherein the routing device is an ordinary router or an edge router.

8. The method of claim 1, wherein the network further includes a switching device implementing QinQ access, the user equipment communicating with the routing device through the switching device.

9. The method of claim 8, wherein the switching device is a Layer 2 switch, a Layer 3 switch or a routing device.

10. A method for preventing attacks, used in a network configured for QinQ access and identifying users by the user VLAN ID in the inner layer of QinQ packets, the method including:

determining whether a packet rate limit has been configured for a received packet of a specific type; if so, determining whether the rate of packets of the specific type has reached the rate upper limit and, if it has, discarding the packet; if no packet rate limit is configured for the received packet of the specific type, executing a default action.

11. The method of claim 10, wherein the default action includes allowing the packets of the specific type to pass or discarding the packets of the specific type.

12. The method of claim 11, wherein, when the default action executed is discarding the packets of the specific type, the method further includes:

counting the discarded packets of the specific type.

13. The method of claim 11, wherein, when the default action executed is discarding the packets of the specific type from the user equipment, the method further includes:

recording the VLAN ID of the discarded packets of the specific type.

14. The method of claim 10, wherein, before determining whether a packet rate limit has been configured for the received packet of the specific type, the method further includes:

determining whether the received packet is of the specific type; if so, further determining whether a packet rate limit has been configured for the received packet of the specific type; otherwise processing the packet according to the normal flow.

15. The method of claim 10, wherein the packets of the specific type are ARP packets.

16. An apparatus for preventing attacks, including a configuration unit, a rate-limit determining unit, a rate-limit upper-bound determining unit and an execution unit, where:

the configuration unit is configured to configure QinQ access on the user access interface of a routing device and to configure a rate upper limit and a default action for packets of a specific type according to the user VLAN ID in the inner layer of the QinQ packets;

the rate-limit determining unit is configured to determine whether a packet rate limit has been configured for a received packet of the specific type; if so, the rate-limit upper-bound determining unit determines whether the rate of packets of the specific type has reached the rate upper limit, and the execution unit acts according to the result of the rate-limit upper-bound determining unit; if the rate-limit determining unit determines that no packet rate limit is configured for the received packet of the specific type, the execution unit executes the default action.

17. The apparatus of claim 16, further including a packet determining unit configured to determine whether a received packet is of the specific type; if so, the packet is handed to the rate-limit determining unit to determine whether a packet rate limit is configured for it; otherwise the execution unit carries out the normal processing flow.

18. The apparatus of claim 16, wherein acting according to the result of the rate-limit upper-bound determining unit includes:

if the rate-limit upper-bound determining unit determines that the rate of packets of the specific type has reached the rate upper limit, discarding the packet; otherwise proceeding according to the normal flow.

19. The apparatus of claim 16, wherein the packets of the specific type are ARP packets.

20. The apparatus of claim 16, wherein the routing device is an ordinary router or an edge router.

21. The apparatus of claim 16, further including a VLAN ID configuration unit configured to configure a user VLAN ID for the user's user equipment.
PCT/CN2009/070564 2008-03-31 2009-02-27 Network configuring method for preventing attack, method and device for preventing attack WO2009121253A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2008100664401A CN101257379B (en) 2008-03-31 2008-03-31 Network configuration method for preventing attacks, method and device for preventing attacks
CN200810066440.1 2008-03-31

Publications (1)

Publication Number Publication Date
WO2009121253A1 true WO2009121253A1 (en) 2009-10-08

Also Published As

Publication number Publication date
CN101257379A (en) 2008-09-03
CN101257379B (en) 2010-12-08

Similar Documents

Publication Publication Date Title
WO2009121253A1 (en) Network configuring method for preventing attack, method and device for preventing attack
US8904514B2 (en) Implementing a host security service by delegating enforcement to a network device
US8055800B1 (en) Enforcing host routing settings on a network device
US7873038B2 (en) Packet processing
CN101411156B (en) Automated containment of network intruder
US8255681B2 (en) Security for mobile devices in a wireless network
JP5880560B2 (en) Communication system, forwarding node, received packet processing method and program
US9935974B2 (en) Hardware-logic based flow collector for distributed denial of service (DDoS) attack mitigation
US7379423B1 (en) Filtering subscriber traffic to prevent denial-of-service attacks
US9231911B2 (en) Per-user firewall
US8893256B2 (en) System and method for protecting CPU against remote access attacks
CN102461089B (en) Method and apparatus for policy enforcement using tags
CN102415062B (en) Hierarchical rate limiting of control packets
US7490351B1 (en) Controlling ARP traffic to enhance network security and scalability in TCP/IP networks
EP2748981B1 (en) Network environment separation
CN101288272A (en) Tunneled Security Group
EP3800842B1 (en) Method for sending bgp message, method for receiving bgp message, and device
US8320249B2 (en) Method and system for controlling network access on a per-flow basis
US10050937B1 (en) Reducing impact of network attacks in access networks
Alabady Design and implementation of a network security model using static VLAN and AAA server
WO2013064057A1 (en) Data packet processing method, device, and system
Guruprasad et al. Security features in Ethernet switches for access networks

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09728697

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09728697

Country of ref document: EP

Kind code of ref document: A1