CN102014109A - Flood attack prevention method and device - Google Patents


Info

Publication number: CN102014109A
Application number: CN200910190036XA
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 杜晟
Original and current assignee: Huawei Technologies Co Ltd (assignee data as listed by Google, not a legal conclusion)
Legal status: Pending (status as listed by Google, not a legal conclusion)
Prior art keywords: message, send, address, CAR, addresses
Classification: Small-Scale Networks; Data Exchanges In Wide-Area Networks

Abstract

An embodiment of the invention provides a flood attack prevention method comprising: applying a CAR (Committed Access Rate) limit separately to packets sent up from different IP addresses, with a separate CAR channel for each; and hashing all sent-up packets by IP address. The embodiment also provides a flood attack prevention device comprising a CAR limiting unit and an IP-address-based hash processing unit. Normal-traffic packets are thereby separated from attack-traffic packets: the attack packets, because of their high rate, are filtered by their CAR channel, while the normal packets pass through their CAR channels to the CPU for processing, so that the attacked device keeps running its normal services.

Description

Flood attack prevention method and device
Technical field
The present invention relates to the computer and communications field, and in particular to a flood attack prevention method and device.
Background art
A flood attack (flooding attack) attacks the communication node devices of a network by flooding them. It usually achieves denial of service (DoS) by adding extra network traffic load, so that a computer or communication device is paralysed. Common flood attacks include ARP (Address Resolution Protocol) packet floods, ICMP (Internet Control Message Protocol) packet floods and TCP SYN (Transmission Control Protocol synchronisation) packet floods.
A problem common to the prior art's handling of flood-attack packets is that it is hard to tell normal-traffic packets from attack-traffic packets, and therefore hard to filter the attack traffic while leaving the gateway device and its services unaffected. Take an ARP packet flood as an example. Figure 1 shows a typical network: terminals PC1 and PC2 form VLAN (Virtual Local Area Network) 1, terminals PC3 and PC4 form VLAN 2, and terminals PC5 and PC6 form VLAN 3. Each terminal reaches the gateway through a Layer 2 switch.
In Figure 2, black arrows represent attack-traffic packets and white arrows represent normal-traffic packets. When an attacker sends a large volume of attack traffic 202 towards the gateway device, the rate at which ARP packets are sent up (punted) to the CPU rises sharply, the bandwidth of the gateway's send-up channel 203 is taken up by the attack packets, and the normal-traffic packets 201 are squeezed out. In addition, the gateway learns a large number of wrong ARP entries, so the ARP cache table is filled with them.
Figure 3 shows the prior-art handling: the gateway's network processor applies a CAR (Committed Access Rate) limit to the overall rate of ARP packets sent up to the CPU, that is, one CAR channel is configured for all sent-up ARP packets. At the send-up channel 203, if the ARP send-up rate exceeds the threshold of that CAR channel, the network processor discards the packets above the threshold. Because the attack traffic 202 is mixed with the normal traffic 201, normal packets 201 are discarded together with attack packets 202, so services are still affected.
To address this, in the scheme of Figure 4 software separately counts the ARP packets 401, 402, 403 sent up from each VLAN; if the sent-up ARP packets of some VLAN exceed the threshold of the CAR channel, the software tells the network processor to apply a CAR limit to that VLAN's ARP packets. With one CAR channel per VLAN, an ARP flood is confined to the VLAN it occurs in, but within that VLAN normal packets and attack packets are still dropped together by the per-VLAN CAR limit. Moreover, the ARP packets of all VLANs still converge on the send-up channel 203 to the CPU. If the number of VLANs is large, then even when no VLAN is under attack and none exceeds the threshold of its per-VLAN CAR channel, the total ARP send-up rate at channel 203 may still exceed the threshold of the overall CAR channel at that point. Some normal packets are then dropped together with attack packets, and normal services are affected.
Summary of the invention
The embodiments of the invention provide a flood attack prevention method and device that distinguish normal-traffic packets from attack-traffic packets and avoid filtering the normal packets, so as to improve the stability of the attacked network device and of the network's services.
To solve the above technical problem, an embodiment of the invention provides a flood attack prevention method comprising:
applying a Committed Access Rate (CAR) limit separately to packets sent up from different Internet Protocol (IP) addresses; and
hashing the sent-up packets by IP address, so that packets sent up from the same IP address enter the same CAR channel and packets sent up from different IP addresses enter different CAR channels, the CAR channels being configured by the CAR limit.
An embodiment of the invention provides a flood attack prevention device comprising:
an IP-address-based CAR limiting unit, which applies a CAR limit separately to packets sent up from different IP addresses; and
a hash processing unit, which hashes the packets sent up from each IP address by IP address, so that packets sent up from the same IP address enter the same CAR channel and packets sent up from different IP addresses enter different CAR channels, the CAR channels being configured by the IP-address-based CAR limiting unit.
An embodiment of the invention also provides a flood attack prevention device comprising:
an overall-rate CAR limiting unit, which applies a CAR limit to the overall rate of the sent-up packets;
a packet-drop detection unit, which performs drop detection on the sent-up packets and determines whether they have a drop count;
an IP-address-based CAR limiting unit, which, according to the drop count obtained by the packet-drop detection unit and the rate range of normal traffic, applies a CAR limit separately to the packets sent up from different IP addresses received on a gateway interface that has a drop count, configuring a CAR channel for each so as to filter the attack traffic that exceeds that rate range; and
a hash processing unit, which hashes the packets sent up from each IP address by IP address, so that packets sent up from the same IP address enter the same CAR channel and packets sent up from different IP addresses enter different CAR channels.
The embodiments exploit a property of the normal traffic model of protocol packets: the normal traffic sent at any instant from the same IP address usually lies within a certain rate range. By configuring a CAR channel for the packets sent up from each IP address and hashing the packets dynamically, normal-traffic packets are told apart from attack-traffic packets and the attack packets are filtered, so that the related services are protected.
Description of drawings
Fig. 1 is a schematic diagram of a typical networking scenario;
Fig. 2 is a schematic diagram of an ARP packet flood inside a gateway device;
Fig. 3 shows the principle of applying a CAR limit to the overall rate of sent-up packets;
Fig. 4 shows the principle of applying a CAR limit per VLAN;
Fig. 5 is a flow chart of the flood attack prevention method of Embodiment 1;
Fig. 6 shows the principle of the flood attack prevention method of Embodiment 1;
Fig. 7 shows the structure of the flood attack prevention device of Embodiment 1;
Fig. 8 is a flow chart of the flood attack prevention method of Embodiment 2;
Fig. 9 shows the structure of the flood attack prevention device of Embodiment 2;
Fig. 10 is a flow chart of the flood attack prevention method of Embodiment 3;
Fig. 11 shows the principle of applying a CAR limit to the overall rate of sent-up packets in Embodiment 3;
Fig. 12 shows the principle of the flood attack prevention method of Embodiment 3;
Fig. 13 shows the structure of the flood attack prevention device of Embodiment 3.
Embodiments
The technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings. The embodiments described are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
Embodiment 1:
As shown in Figure 5, this embodiment provides a flood attack prevention method comprising:
Step 501: apply a CAR limit separately to the packets sent up from different IP addresses, configuring a separate CAR channel for each.
In step 501, the CAR limit and the CAR channel for the packets sent up from each IP address can be configured according to the rate range of the normal traffic sent up from one IP address. The threshold of the CAR channel is set from that rate range so that attack traffic above the normal rate range is filtered. The normal rate range for one IP address can be calculated for the concrete application scenario. Taking ARP as the example: for an IP address with subnet mask 255.255.255.0, at most 254 hosts share the address, and a single ARP packet is generally no longer than 64 bytes, so the peak ARP send-up rate for one IP address is 254 × 64 × 8 ≈ 128 kbps (kilobits per second). In a typical deployment the number of hosts sending ARP packets at the same time under one IP address does not reach the peak of 254; taking 16 hosts as the normal case, the normal traffic rate sent up from one IP address is 16 × 64 × 8 = 8 kbps. With a suitable margin added, the CAR limit for the packets sent up from each IP address can then be configured with a CAR channel threshold of 10-12 kbps.
Step 502: after receiving the sent-up packets, hash the packets sent up from each IP address by IP address.
Figure 6 shows an application of step 502: 501, 502, 503 and 504 are packets sent up from different IP addresses; black arrows represent attack traffic and white arrows normal traffic. After the packets sent up from each IP address are hashed by IP, packets sent up from the same IP address enter the same CAR channel and packets sent up from different IP addresses enter different CAR channels. Because the normal traffic rate sent up from one IP address is small, it passes the CAR channel configured in step 501 and is forwarded to the CPU for processing, whereas the attack traffic sent up from one IP address has a high rate that exceeds the threshold of its CAR channel and is filtered there.
The packets of steps 501 and 502 may be ARP packets, ICMP packets, TCP SYN packets or similar flood-attack traffic.
Correspondingly, this embodiment also provides a flood attack prevention device comprising:
an IP-address-based CAR limiting unit 701, which applies a CAR limit separately to the packets sent up from different IP addresses according to the rate range of normal traffic, configuring a separate CAR channel for each so as to filter attack traffic that exceeds that rate range; and
a hash processing unit 702, which hashes the packets sent up from each IP address by IP address, so that packets sent up from the same IP address enter the same CAR channel and packets sent up from different IP addresses enter different CAR channels.
The flood attack prevention method and device of this embodiment use the fact that the normal traffic rate sent up from one IP address is small: they apply a CAR limit separately to the packets sent up from different IP addresses and hash the packets by IP address, so that packets from the same IP address enter the same CAR channel and packets from different IP addresses enter different channels. Normal traffic is thereby separated from attack traffic; the attack traffic is filtered by its CAR channel because of its high rate, while the normal traffic is sent up through its CAR channel for processing, which keeps the attacked device's services running normally.
Embodiment 2:
This embodiment provides a flood attack prevention method for the case of an ARP packet flood. As in Figure 1, terminals PC1 and PC2 form VLAN 1, PC3 and PC4 form VLAN 2, and PC5 and PC6 form VLAN 3; each terminal reaches the gateway device through a Layer 2 switch, and the inside of the gateway device, shown in Figure 2, comprises a central processing unit (CPU), a network processor and an ARP cache table. As shown in Figure 8, the method comprises:
Step 801: perform a validity check on the sent-up ARP packets.
In step 801 the network processor first checks the validity of the ARP packets and filters out some illegal ARP packets at this early stage. The check uses a predefined set of illegal ARP packet classes: if an ARP packet falls into one of them it fails the check, otherwise it passes. Preferably, the classes of illegal ARP packets that fail the check include one or more of: ARP reply packets addressed to the broadcast MAC (Media Access Control) address; ARP request packets addressed to a unicast MAC address; ARP request or reply packets whose source IP address and destination IP address are not in the same network segment; and ARP request packets whose source MAC address is empty.
Step 802: apply a CAR limit to the overall rate of the sent-up ARP packets.
As in Figure 3, in step 802 a CAR limit and a CAR channel are applied to the overall send-up rate of ARP packets in order to filter the attack traffic 202. Attack traffic 202 and normal traffic 201 enter the send-up channel 203 together, and when the overall ARP rate exceeds the threshold of the CAR channel, the ARP packets above the threshold are dropped.
Step 803: perform drop detection on the sent-up ARP packets and determine whether there is an ARP packet drop count.
In step 803, drop-count information is obtained by protocol detection on the sent-up ARP packets. From this information it is determined whether the packets have a drop count and in which VLAN the drops occurred. If there is a drop count, proceed to step 804; if there is none, proceed to step 806. The drop detection is preferably performed periodically.
Step 804: apply a CAR limit separately to the packets sent up from different IP addresses in the VLAN where the ARP drops occurred, configuring a separate CAR channel for each.
Steps 801 to 803 are not essential: step 804 may apply the per-IP CAR limits and CAR channels directly to the packets sent up from different IP addresses.
In step 804, the CAR limit and CAR channel for the packets sent up from each IP address in the VLAN with drops can be configured according to the rate range of normal traffic sent up from one IP address; the threshold of the CAR channel is set from that rate range so that attack traffic above it is filtered. That rate range can be calculated for the concrete scenario. For an IP address with subnet mask 255.255.255.0, at most 254 hosts share the address, and a single ARP packet is generally no longer than 64 bytes, so the peak ARP send-up rate for one IP address is 254 × 64 × 8 ≈ 128 kbps. In a typical deployment the number of hosts sending ARP packets under one IP address does not reach the peak of 254; taking 16 hosts as the normal case, the normal rate sent up from one IP address is 16 × 64 × 8 = 8 kbps. With a suitable margin, the CAR channel threshold for the packets sent up from each IP address in the VLAN with drops is set to 10-12 kbps.
Step 805: after receiving the packets, hash the packets sent up from each IP address by IP address.
Figure 6 shows an application of step 805: 501, 502, 503 and 504 are packets sent up from different IP addresses; black arrows represent attack traffic and white arrows normal traffic. After hashing by IP, packets sent up from the same IP address enter the same CAR channel and packets from different IP addresses enter different channels. Because the normal rate sent up from one IP address is small, normal traffic passes the CAR channel configured in step 804 and is forwarded to the CPU, whereas attack traffic from one IP address exceeds the channel's threshold and is filtered there.
As shown in Figure 9, this embodiment correspondingly provides a flood attack prevention device comprising:
an ARP packet validity checking unit 901, which checks the validity of the sent-up ARP packets and filters the invalid ones, the invalid packets comprising one or more of: ARP reply packets addressed to the broadcast MAC (Media Access Control) address, ARP request packets addressed to a unicast MAC address, ARP request or reply packets whose source and destination IP addresses are not in the same network segment, and ARP request packets whose source MAC address is empty;
an ARP overall-rate CAR limiting unit 902, which applies a CAR limit to the sent-up ARP packets as a whole;
an ARP packet-drop detection unit 903, which performs drop detection on the sent-up ARP packets and determines whether they have a drop count and in which VLAN the drops occurred;
an IP-address-based ARP CAR limiting unit 904, which, according to the drop count and the VLAN information obtained by unit 903 and the rate range of normal traffic, applies a CAR limit separately to the packets sent up from different IP addresses in that VLAN, configuring a CAR channel for each so as to filter attack traffic above that rate range; and
an ARP hash processing unit 905, which hashes the ARP packets sent up from each IP address by IP address, so that packets from the same IP address enter the same CAR channel and packets from different IP addresses enter different channels.
Functional units 901 to 903 are not essential; the device may comprise only units 904 and 905.
The method and device of this embodiment check the validity of sent-up ARP packets, apply an overall-rate CAR limit, and use drop detection together with the fact that the normal rate sent up from one IP address usually lies within a certain range: in a VLAN where drops occur, a CAR limit is applied separately to the packets sent up from each IP address and the packets are hashed by IP address, so that packets from the same IP address enter the same CAR channel and packets from different IP addresses enter different channels. Normal traffic is thus separated from attack traffic; attack traffic is filtered by its CAR channel because of its rate, while normal traffic is sent up through its CAR channel, keeping the attacked device's services running normally.
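As an added example that is not part of the patent, the following Python model runs the send-up path of Embodiments 1 and 2 over constructed traffic: an overall CAR channel (step 802), per-VLAN drop counters (step 803) and, once a VLAN shows drops, a separate CAR channel per source IP in that VLAN (steps 804/805, which are steps 501/502 of Embodiment 1). Each CAR channel is modelled as a token bucket, which is an assumption: the patent specifies only a committed rate threshold. The channel table is keyed directly by IP address; a network processor would hash the IP into a fixed-size table, where two addresses can collide and share a channel, so a flooding source can still starve the one legitimate host that hashes to its slot. The thresholds follow the page's arithmetic (16 hosts × 64 bytes × 8 = 8 kbit/s of normal ARP per IP, raised to 12 kbit/s with margin); the 64 kbit/s overall limit and the 1000 packets/s attacker are constructed figures.

```python
"""Added example, not the patent's code: a model of the send-up (punt) path of
Embodiments 1 and 2.  Packets headed for the CPU pass a per-source-IP CAR channel
(steps 501/502 and 804/805) and then the overall CAR channel (step 802).  Per-IP
channels exist only in VLANs whose drop counters fired (step 803).  Every CAR
channel is modelled as a token bucket; all traffic is constructed."""
from collections import defaultdict

FRAME_BYTES = 64             # page: one ARP packet is at most 64 bytes
ATTACKER = "10.1.1.200"      # constructed flooding host in VLAN 1


def normal_rate_bps(hosts, frame_bytes=FRAME_BYTES):
    """Sizing rule from the page: hosts * bytes * 8, e.g. 16 hosts -> 8192 bit/s."""
    return hosts * frame_bytes * 8


class TokenBucket:
    """One CAR channel: committed rate in bit/s and a burst depth in bits."""

    def __init__(self, rate_bps, burst_bits):
        self.rate, self.burst = rate_bps, burst_bits
        self.tokens, self.last, self.dropped = burst_bits, 0.0, 0

    def admit(self, now, size_bytes):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size_bytes * 8:
            self.tokens -= size_bytes * 8
            return True
        self.dropped += 1
        return False


class PuntPath:
    def __init__(self, global_rate_bps, per_ip_rate_bps, burst_seconds=0.1):
        self.global_car = TokenBucket(global_rate_bps, global_rate_bps * burst_seconds)
        self.per_ip = (per_ip_rate_bps, per_ip_rate_bps * burst_seconds)
        # (vlan, src ip) -> channel.  A network processor would hash the IP into a
        # fixed-size table instead, where two addresses can collide on one channel.
        self.channels = {}
        self.per_ip_vlans = set()            # VLANs where per-IP CAR is switched on
        self.vlan_drops = defaultdict(int)   # step 803 counters, kept per VLAN
        self.delivered = defaultdict(int)    # src ip -> packets that reached the CPU

    def receive(self, now, vlan, src_ip, size_bytes=FRAME_BYTES):
        if vlan in self.per_ip_vlans:        # steps 804/805: one channel per IP
            key = (vlan, src_ip)
            if key not in self.channels:
                self.channels[key] = TokenBucket(*self.per_ip)
            if not self.channels[key].admit(now, size_bytes):
                return False
        if not self.global_car.admit(now, size_bytes):   # step 802: overall CAR
            self.vlan_drops[vlan] += 1
            return False
        self.delivered[src_ip] += 1
        return True

    def drop_detection(self):
        """Step 803, run on a timer: a VLAN with a non-zero drop count gets per-IP CAR."""
        self.per_ip_vlans.update(v for v, n in self.vlan_drops.items() if n)


def build_traffic(t0):
    """Constructed one-second traffic starting at t0: 16 hosts in VLAN 1 and 4 hosts
    in VLAN 2 each send up one ARP packet, the attacker sends up 1000."""
    events = [(t0 + 0.2505 + h * 0.01, 1, f"10.1.1.{h + 2}") for h in range(16)]
    events += [(t0 + 0.3005 + h * 0.01, 2, f"10.1.2.{h + 2}") for h in range(4)]
    events += [(t0 + i / 1000, 1, ATTACKER) for i in range(1000)]
    return sorted(events)


def simulate():
    """Run one second before the detector fires and one second after it."""
    # 8 kbit/s of normal traffic plus margin -> 12 kbit/s, inside the page's 10-12 kbit/s
    path = PuntPath(global_rate_bps=64 * 1024, per_ip_rate_bps=int(normal_rate_bps(16) * 1.5))
    result = {}
    for phase, t0 in (("before", 0.0), ("after", 1.0)):
        seen = dict(path.delivered)
        for now, vlan, src in build_traffic(t0):
            path.receive(now, vlan, src)

        def gained(ip):
            return path.delivered[ip] - seen.get(ip, 0)

        result[phase] = {
            "vlan1_hosts": sum(gained(f"10.1.1.{h + 2}") for h in range(16)),
            "vlan2_hosts": sum(gained(f"10.1.2.{h + 2}") for h in range(4)),
            "attacker": gained(ATTACKER),
        }
        path.drop_detection()                # the detection timer fires once a second
    result["per_ip_vlans"] = sorted(path.per_ip_vlans)
    return result


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

In the first second only the overall channel exists, so some of VLAN 1's normal packets are dropped together with the flood, which is the failure of the Figure 3 scheme. After the detector enables per-IP channels in VLAN 1, every normal packet of the second is delivered and the attacker is held to its 12 kbit/s channel, so the overall channel no longer drops anything.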
Embodiment 3:
This embodiment provides a flood attack prevention method for the case of an ICMP packet flood. As in Figure 1, terminals PC1 and PC2 form VLAN 1, PC3 and PC4 form VLAN 2, and PC5 and PC6 form VLAN 3; each terminal reaches the gateway through a Layer 2 switch, and the gateway device comprises a central processing unit (CPU) and a network processor. As shown in Figure 10, the method comprises:
Step 1001: perform a validity check on the sent-up ICMP packets.
In step 1001 the network processor first checks the validity of the ICMP packets and filters out some illegal ICMP packets at this early stage. The check uses a predefined set of illegal ICMP packet classes: if an ICMP packet falls into one of them it fails the check, otherwise it passes. Preferably, using the VLAN tag of the gateway physical interface on which the ICMP packet was received and the VLAN tag carried by the packet, ICMP packets sent from IP addresses in VLANs that have no access rights are filtered; or packets whose IP address and VLAN tag do not match the gateway's IP address and VLAN tag are filtered.
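Added example (not the patent's code): the four ARP rules of step 801 and the VLAN consistency rule of step 1001, applied to raw Ethernet frames parsed with struct. The frames are constructed; the VLAN-to-subnet table and the gateway and host MAC addresses are assumptions, and an untagged ARP frame is judged against a /24 because the page gives no mask. Two of the rules need care in deployment: hosts announce address changes with gratuitous ARP, which some stacks send as a reply to the broadcast MAC, and RFC 1122 permits unicast ARP requests for cache validation, so both rules can drop legitimate traffic unless those cases are allowed for.

```python
"""Added example, not the patent's code: the legitimacy checks of step 801 (ARP) and
step 1001 (ICMP) applied to raw Ethernet frames.  All frames are constructed here.
Assumed: the gateway's table of VLAN id -> subnet (VLAN_SUBNETS), used both for the
"same network segment" test of step 801 and the VLAN/IP consistency test of step 1001."""
import ipaddress
import struct

ETH_P_8021Q, ETH_P_ARP, ETH_P_IP = 0x8100, 0x0806, 0x0800
BROADCAST, ZERO_MAC = b"\xff" * 6, b"\x00" * 6
GW_MAC, HOST_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
VLAN_SUBNETS = {1: ipaddress.ip_network("10.1.1.0/24"), 2: ipaddress.ip_network("10.1.2.0/24")}


def parse_frame(frame):
    """Return (dst_mac, src_mac, vlan, ethertype, payload); vlan is None when untagged."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    body, vlan = frame[14:], None
    if etype == ETH_P_8021Q:
        tci, etype = struct.unpack("!HH", body[:4])
        vlan, body = tci & 0x0FFF, body[4:]
    return dst, src, vlan, etype, body


def check_arp(dst_mac, arp, prefixlen):
    """Step 801: return why the ARP packet is illegal, or None if it passes."""
    if len(arp) < 28:
        return "truncated ARP"
    # skip htype/ptype/hlen/plen, then opcode, sender MAC/IP, target MAC/IP
    op, sha, spa, _tha, tpa = struct.unpack("!6xH6s4s6s4s", arp[:28])
    if op == 2 and dst_mac == BROADCAST:
        return "ARP reply to broadcast MAC"
    if op == 1 and not dst_mac[0] & 1:           # I/G bit clear: unicast destination
        return "ARP request to unicast MAC"
    if op == 1 and sha == ZERO_MAC:
        return "ARP request with empty sender MAC"
    sender_net = ipaddress.ip_network(f"{ipaddress.ip_address(spa)}/{prefixlen}", strict=False)
    if ipaddress.ip_address(tpa) not in sender_net:
        return "sender and target IP in different subnets"
    return None


def check_icmp(vlan, pkt):
    """Step 1001: return why the ICMP packet is illegal, or None if it passes."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None                               # not IPv4 ICMP: outside this check
    if vlan not in VLAN_SUBNETS:
        return "ICMP from VLAN without access rights"
    if ipaddress.ip_address(pkt[12:16]) not in VLAN_SUBNETS[vlan]:
        return "source IP does not belong to the receiving VLAN"
    return None


def classify(frame):
    dst, _src, vlan, etype, body = parse_frame(frame)
    if etype == ETH_P_ARP:   # assumption: an untagged ARP frame is judged against a /24
        return check_arp(dst, body, VLAN_SUBNETS[vlan].prefixlen if vlan in VLAN_SUBNETS else 24)
    if etype == ETH_P_IP:
        return check_icmp(vlan, body)
    return None


# --- constructed frames (802.1Q tagged) -------------------------------------
def eth(dst, src, etype, payload, vlan):
    return struct.pack("!6s6sHHH", dst, src, ETH_P_8021Q, vlan, etype) + payload


def arp(op, sha, spa, tha, tpa):
    return struct.pack("!HHBBH6s4s6s4s", 1, ETH_P_IP, 6, 4, op, sha,
                       ipaddress.ip_address(spa).packed, tha, ipaddress.ip_address(tpa).packed)


def icmp_echo(src_ip, dst_ip):
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)   # echo request; checksum left zero here
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                       ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed) + icmp


SAMPLE_FRAMES = {
    "good_request": eth(BROADCAST, HOST_MAC, ETH_P_ARP, arp(1, HOST_MAC, "10.1.1.2", ZERO_MAC, "10.1.1.1"), 1),
    "reply_to_broadcast": eth(BROADCAST, HOST_MAC, ETH_P_ARP, arp(2, HOST_MAC, "10.1.1.2", BROADCAST, "10.1.1.1"), 1),
    "unicast_request": eth(GW_MAC, HOST_MAC, ETH_P_ARP, arp(1, HOST_MAC, "10.1.1.2", GW_MAC, "10.1.1.1"), 1),
    "empty_sender_mac": eth(BROADCAST, HOST_MAC, ETH_P_ARP, arp(1, ZERO_MAC, "10.1.1.2", ZERO_MAC, "10.1.1.1"), 1),
    "cross_subnet": eth(BROADCAST, HOST_MAC, ETH_P_ARP, arp(1, HOST_MAC, "10.1.1.2", ZERO_MAC, "10.1.2.1"), 1),
    "good_echo": eth(GW_MAC, HOST_MAC, ETH_P_IP, icmp_echo("10.1.1.2", "10.1.1.1"), 1),
    "spoofed_echo": eth(GW_MAC, HOST_MAC, ETH_P_IP, icmp_echo("10.1.2.9", "10.1.1.1"), 1),
    "no_access_vlan": eth(GW_MAC, HOST_MAC, ETH_P_IP, icmp_echo("10.1.3.2", "10.1.3.1"), 3),
}


def classify_all(frames=SAMPLE_FRAMES):
    """Map each frame name to None (passes) or the reason it would be filtered."""
    return {name: classify(frame) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:20s} {'pass' if verdict is None else 'drop: ' + verdict}")
```

The checks run before any rate limiting, so a flood built from malformed packets never reaches a CAR channel at all; a flood of well-formed packets passes every rule here and is left to the per-IP channels of step 1004.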
Step 1002: on the icmp packet overall rate sent carry out the CAR restriction.
As shown in figure 11, in step 1002, after network processing unit receives that purpose IP address is the icmp packet of this machine, the CPU that delivers to this machine on the described icmp packet need be handled.In order to filter attack traffic message 1102, on the icmp packet overall rate sent carry out the CAR restriction, the CAR passage is set respectively.At this moment, attack traffic message 1102 and normal discharge message 1101 enter simultaneously and send in the passage 1103, and when the icmp packet overall rate surpasses the threshold value of CAR aisle limit, the message that surpasses the threshold value of described CAR aisle limit will be dropped.
Step 1003: on the icmp packet that send abandon detection, judged whether that icmp packet abandons counting.
In step 1003, on the icmp packet that send obtain packet counting information based on the ICMP protocol detection.According to described packet counting information, judge whether this message has the packet loss counting.If there is the packet loss counting, then execution in step 1004; If there is not the packet loss counting, then execution in step 1006; Can adopt timing detection method when preferably, abandoning detection.
Step 1004: the message that send on the different IP addresses that the gateway interface that packet loss takes place is received carries out the CAR restriction respectively, and the CAR passage is set.
In step 1004, can be according to the speed range of the normal discharge message that send on the same IP address, the message that send on the different IP addresses that the gateway interface that packet loss takes place is received carries out the CAR restriction respectively, the CAR passage is set respectively, the threshold value that is described CAR aisle limit is set according to the speed range of the normal discharge message that send on the same IP address, to filter the attack traffic message that surpasses normal discharge message rate scope.The speed range of the normal discharge message that send on the same IP address can be calculated according to concrete application scenarios.For the IP address that a subnet mask is 255.255.255.0, can share an IP address by 254 main frames at most, because the length of single icmp packet is generally less than 64 bytes (byte), the peak I CMP message up sending speed that can calculate same IP address in view of the above is: 254 * 64 * 8 ≈ 128kbps (kilobits per second).And under the general application scenarios, send the quantity of the main frame of icmp packet can not reach peak value 254 on simultaneously under the same IP address, if with the situation of 8 main frame numbers as normal use, the speed of the normal discharge message that send on the then same IP address is 8 * 64 * 8=4kbps.In view of the above, reserve suitable allowance after, can carry out the CAR restriction to the message that send on the different IP addresses in the VLAN that packet loss takes place respectively, be 6-8kbps with the threshold setting of CAR aisle limit.
Step 1005: after receiving message,, the message that send on each IP address is carried out hash handle based on the IP address.
The application example of step 1005 as shown in figure 12,1201,1202,1203,1204 is respectively the icmp packet that send from the different IP addresses; Black arrow is represented the attack traffic message, and white arrow is represented the normal discharge message.After the message that send on each IP address was handled through IP-based hash, the icmp packet that send on the identical ip addresses entered same CAR passage, and the message that send on the different IP addresses enters different CAR passages.Because the normal discharge message rate of sending on the same IP address is usually in a certain speed range, the CAR passage that can set by step 1004, and then transmitted to CPU is handled; And the speed of the attack traffic message that send on the same IP address is bigger, has surpassed the threshold value of described CAR aisle limit, will be filtered at the CAR passage.
Described step 1001-1003 and nonessential, the literary composition of can be in step 1004 delivering newspaper on directly to different IP addresses carries out the CAR restriction respectively, and the CAR passage is set respectively.
As shown in Figure 13, this embodiment correspondingly also provides a flood attack prevention device, comprising:
ICMP packet legitimacy verification unit 1301, configured to verify the legitimacy of the upstream ICMP packets and filter the invalid packets among them; the invalid packets comprise: ICMP packets sent from IP addresses in a VLAN without access rights; or packets whose IP address and VLAN tag information do not match the IP address and VLAN tag information of the gateway;
ICMP packet overall-rate CAR limiting unit 1302, configured to apply a CAR limit to the overall rate of the upstream ICMP packets;
ICMP packet drop detecting unit 1303, configured to perform drop detection on the upstream ICMP packets and determine whether the packets have a packet loss count;
IP-address-based ICMP packet CAR limiting unit 1304, configured to apply CAR limits separately to the upstream packets from different IP addresses in the VLAN where packet loss occurs, according to the packet loss count obtained by the ICMP packet drop detecting unit and the rate range of normal traffic packets, and to set up the CAR channels so as to filter attack traffic packets exceeding that rate range;
ICMP packet hash processing unit 1305, configured to hash the upstream ICMP packets from each IP address by IP address, so that packets from the same IP address enter the same CAR channel and packets from different IP addresses enter different CAR channels.
It should be noted that functional units 1301-1303 of this embodiment are likewise not essential; the device may comprise only functional units 1304 and 1305. In addition, the flood attack prevention method and device provided by this embodiment are equally applicable to TCP SYN flood attacks.
The flood attack prevention method and device provided by this embodiment verify the legitimacy of the upstream ICMP packets, apply an overall-rate CAR limit and perform packet loss detection; exploiting the property that the rate of normal traffic from one IP address usually lies within a certain range, they apply CAR limits separately to the upstream packets from each IP address received on the gateway interface where packet loss occurs, and hash the upstream packets from each IP address by IP address so that packets from the same IP address enter the same CAR channel and packets from different IP addresses enter different CAR channels. Normal traffic is thereby separated from attack traffic: the attack traffic is filtered by its CAR channel because of its high rate, while the normal traffic is sent on through its CAR channel for processing, which ensures the normal operation of services on the attacked device.
One of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be performed by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, carries out the steps of the above method embodiments; the storage medium includes any medium capable of storing program code, such as ROM, RAM, a magnetic disk or an optical disc.
The above is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto; any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be defined by the scope of the claims.

Claims (8)

1. A flood attack prevention method, characterized by comprising:
applying committed access rate (CAR) limits separately to the upstream packets sent from different Internet Protocol (IP) addresses;
performing hash processing on the upstream packets so that packets sent from the same IP address enter the same CAR channel and packets sent from different IP addresses enter different CAR channels; the CAR channels being set up by the CAR limits.
2. The method according to claim 1, characterized in that, before applying CAR limits separately to the upstream packets sent from different IP addresses, the method further comprises: applying a CAR limit to the overall rate of the upstream packets;
applying CAR limits separately to the upstream packets sent from different IP addresses specifically comprises: when the upstream packets have a packet loss count, applying CAR limits separately to the upstream packets sent from different IP addresses.
3. The method according to claim 2, characterized in that, before applying the CAR limit to the overall rate of the upstream packets, the method further comprises: verifying the legitimacy of the upstream packets and filtering the invalid packets among them; the invalid packets comprising one or more of the following:
an Address Resolution Protocol (ARP) reply message with a broadcast medium access control (MAC) address,
an ARP request message with a unicast MAC address,
an ARP request/reply message whose source IP address and destination IP address are on the same network segment,
an ARP request message whose source MAC address is empty,
an ICMP packet sent from an IP address in a VLAN without access rights,
an upstream packet whose IP address and VLAN tag information do not match the IP address and VLAN tag information of the gateway.
4. The method according to claim 1, characterized in that the upstream packets comprise ARP packets, or ICMP packets, or Transmission Control Protocol synchronization (TCP SYN) packets.
5. The method according to claim 1, characterized in that the threshold of the CAR limit is set according to the rate range of normal traffic packets.
6. A flood attack prevention device, characterized by comprising:
an IP-address-based CAR limiting unit, configured to apply CAR limits separately to the upstream packets sent from different IP addresses;
a hash processing unit, configured to hash the upstream packets from each IP address by IP address, so that packets from the same IP address enter the same CAR channel and packets from different IP addresses enter different CAR channels; the CAR channels being set up by the IP-address-based CAR limiting unit.
7. A flood attack prevention device, characterized by comprising:
a packet overall-rate CAR limiting unit, configured to apply a CAR limit to the overall rate of the upstream packets;
a packet loss detecting unit, configured to perform drop detection on the upstream packets and determine whether the packets have a packet loss count;
an IP-address-based CAR limiting unit, configured to apply CAR limits separately to the upstream packets from different IP addresses received on the gateway interface that has a packet loss count, according to the packet loss count obtained by the packet loss detecting unit and the rate range of normal traffic packets, and to set up the CAR channels so as to filter attack traffic packets exceeding that rate range;
a hash processing unit, configured to hash the upstream packets from each IP address by IP address, so that packets from the same IP address enter the same CAR channel and packets from different IP addresses enter different CAR channels.
8. The device according to claim 7, characterized by further comprising:
a packet legitimacy verification unit, configured to verify the legitimacy of the upstream packets from each IP address and filter the invalid packets among them; the invalid packets comprising one or more of the following:
an ARP reply message with a broadcast MAC address,
an ARP request message with a unicast MAC address,
an ARP request/reply message whose source IP address and destination IP address are on the same network segment,
an ARP request message whose source MAC address is empty,
an ICMP packet sent from an IP address in a VLAN without access rights,
an upstream packet whose IP address and VLAN tag information do not match the IP address and VLAN tag information of the gateway.
CN200910190036XA 2009-09-08 2009-09-08 Flood attack prevention method and device Pending CN102014109A (en)


Publications (1)

Publication Number Publication Date
CN102014109A true CN102014109A (en) 2011-04-13



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20110413