CN1145318C - Method for implementing safety guard to internet service provider - Google Patents

Publication number: CN1145318C
Authority: CN (China)
Prior art keywords: data flow, ISP, message, address, configuration information
Legal status (as listed by Google Patents; not a legal conclusion): Expired - Fee Related
Application number: CNB011188685A
Other languages: Chinese (zh)
Other versions: CN1394041A (en)
Inventor: 薛国锋
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd

Application filed by Huawei Technologies Co Ltd
Priority to CNB011188685A
Publication of CN1394041A
Application granted
Publication of CN1145318C
Anticipated expiration
Current legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention discloses a method for implementing security protection for an Internet service provider (ISP). An ISP keeper running on the ISP egress router monitors and processes, in real time, the data flows entering the local area network from outside; each data flow is automatically identified and recorded; whether the traffic of the current data flow and the total traffic of all data flows is normal is judged against the configuration information; if so, the received packet is forwarded to the corresponding network device, otherwise the packet is discarded. The method can effectively resist traffic attacks launched by hackers against an ISP and improve the reliability of the ISP's service.

Description

Method for implementing ISP security protection
Technical field
The present invention relates to security protection technology for an ISP, and in particular to an ISP security protection method that monitors and processes in real time, on the egress router, the data flows entering the destination network and can effectively resist the traffic attacks an ISP suffers.
Background technology
With the rapid development and popularisation of the Internet, the number of network users keeps growing, and Internet service providers (ISPs) have emerged accordingly. The typical networking structure of an ISP is shown in Figure 1: the ISP LAN generally consists of switches, access servers and Web servers, with the switch connected upstream to the ISP egress router; the ISP egress router aggregates the traffic of the access servers and of each leased-line user and is connected to the backbone IP network through an ATM, POS or GE interface.
The traffic in an ISP network mainly comprises: dial-up users accessing the local Web servers; dial-up users accessing external networks; leased-line users accessing the local Web servers; and external users accessing the local Web servers. Mixed into this Web server access traffic are attacks on the ISP site by network hackers, who use various means to attack the ISP's site, damage or even crash the ISP's systems, and render them unable to provide service to users.
Judging from the operation of ISPs worldwide, the most frequent form of hacker attack an ISP suffers is the traffic attack. The method is very simple: a large number of devices all over the world send interfering packets to the target (a certain dial-up user's IP address) simultaneously and in an organised way, generating a huge volume of traffic, saturating the ISP LAN and preventing the access servers from working; the form of attack used is the distributed attack. Traffic attacks are the main means currently used against some domestic ISPs: the hacker PINGs a dial-up IP address with large packets from many devices, congesting the ISP LAN, affecting the normal operation of the access servers and making normal dial-up users' access extremely slow.
Besides the traffic attack described above, an ISP may of course suffer other forms of attack, such as DoS, packet eavesdropping, TCP/IP address spoofing, source routing attacks and application layer attacks.
Against the above attack modes, the most commonly used protection measures at present are firewall, address translation and committed access rate (CAR) technology on the ISP egress router. Attack modes such as packet eavesdropping, TCP/IP address spoofing, source routing attacks and application layer attacks can be controlled effectively by existing firewall, address translation, authentication and data encryption technologies. But for the traffic attack, the main attack mode, these protection technologies all present problems of varying degrees in practice, because of the distributed and random characteristics of the ISP's traffic model and of the attack:
1) A firewall applies an access control list (ACL) on the interface to filter packets; it solves the access control problem but has no traffic control capability.
2) Address translation. So-called address translation means that before a packet is sent to an external network the egress router first translates the user's private address, that is, the packet's (private source address, source port) is translated to (public source address, new source port), and the router keeps this mapping; when the return packet arrives the translation is reversed. Since the dynamic mapping table kept by the router may be very large, a hash lookup is generally used.
The method mainly solves the problems of hiding internal network information and of IP address shortage. However, in some applications such as FTP, SNMP and SMTP the packet payload also contains address information, so changing only the source address of the packet is useless; the address information in the application layer must also be changed. This is easy for some standard protocols but impossible for some proprietary protocols, so the range of services supported is limited. And the method cannot implement traffic control either.
3) Traffic control. CAR can implement traffic control on specific traffic streams, but its configuration is complex, its efficiency low and its scalability poor; considering the dynamic assignment of dial-up users' IP addresses, it is very difficult to use in practice.
Summary of the invention
In view of this, the main purpose of the present invention is to provide a method for implementing ISP security protection that resists more effectively the traffic attacks an ISP suffers and is simple, convenient, flexible and reliable to implement.
To achieve the above purpose, the technical solution of the present invention is realised as follows:
A method for implementing Internet service provider (ISP) security protection, comprising at least the following steps:
a. When the ISP keeper (ISPKeeper) in the ISP egress router is about to forward the currently received packet to the destination network, it first judges by the hash algorithm whether the data flow to which this packet belongs is an existing record in the ISPKeeper; if so, go to step c; otherwise go to step b;
b. If the packet to be forwarded belongs to a new data flow, match the configuration information of the data flow to which the packet belongs and judge whether the match succeeds; if it succeeds, store and record the configuration information of this data flow obtained by the match; if it fails, look up whether a default value is defined in the configuration information; if so, store and record the default configuration information and go to step c; if no default value is defined, the ISPKeeper forwards the currently received packet directly to the corresponding destination network device;
c. Detect whether the traffic of the current data flow satisfies the user-configured parameters; if not, discard the currently received packet; if the traffic satisfies them, continue to detect the total data flows and judge whether the total configuration parameters are normal; if not normal, discard the packet; otherwise, if normal, the ISPKeeper forwards the current packet to the corresponding destination network device.
The destination network in step a is an ISP LAN, a metropolitan area network (MAN) or a wide area network. The user-configured parameters in step c comprise at least the transmission bandwidth or mean rate and the burst length of an individual data flow. The total configuration parameters in step c comprise at least the overall mean rate and the total burst length of the data flows. The data flow is a data flow accessing a network device in the destination network from outside, or a data flow returned to a dial-up user who is online.
Matching the configuration information of the data flow in step b further comprises: first finding, in the configuration information, the corresponding IP address range definition according to the destination IP address of the data flow to which the packet belongs; then finding the configuration information of this address range according to the definition of the address range; and storing this configuration information at the corresponding position in the data flow configuration information array.
The method further comprises: when initialising the egress router, setting up in advance an array for storing data flow configuration information. The array is large enough to hold all the data flows in the IP address range to be identified, and each element of the array corresponds one-to-one with a destination IP address.
The method further comprises: when initialising the egress router, presetting the configuration information of the data flows. The configuration information comprises at least the start IP address, end IP address and interface configuration mode of the data flows; the transmission bandwidth or mean rate and burst length of each data flow; and the overall mean traffic and total burst length of all data flows.
The hash algorithm in step a locates the packet to the corresponding element of the data flow configuration information array according to the lower 16 bits of the destination IP address of each packet in the data flow. When the hash algorithm locates a received data flow packet to a corresponding element position and that position already holds data flow configuration information, a linked list is created at that position and the corresponding data flow configuration information is stored in it in the order of the upper 16 bits of the destination IP address.
As can be seen from the above implementation, the present invention effectively combines and improves the implementation ideas of three technologies, firewall, address translation and traffic control, namely the hash lookup idea of address translation, the traffic control idea of CAR and the packet matching idea of the firewall, and calls the result the ISP keeper (ISPKeeper). Its key points are: the ISPKeeper is located on the egress router and analyses and monitors in real time the data flows entering the destination network; the ISPKeeper automatically identifies and records each data flow through the hash algorithm, detects according to predefined configuration information whether the traffic of each data flow and of the total data flows is normal, discards packets when it is abnormal and sends them to the corresponding Web server or other network device when it is normal. When a received packet belongs to a new data flow, the packet is matched first and the configuration information of the data flow is recorded, and then it is processed; other packets of the same data flow need not be matched again.
It can be seen that the method for implementing ISP security protection provided by the present invention combines firewall, address translation and traffic control technology and can prevent hacker attacks more effectively, achieving the security protection of the ISP. Table 1 gives a comprehensive comparison of the method of the present invention with the three protection methods currently in general use; it can be seen that the present invention has stronger protective capability and a simpler, more flexible identification method.
Resisting the traffic attacks an ISP suffers:
  • ISPKeeper: automatically identifies and records each data flow and implements traffic control on each data flow on that basis, so it resists traffic attacks well.
  • Firewall: dedicated to solving the access control problem by filtering packets with an ACL applied on the interface; has no traffic control capability, so it cannot resist traffic attacks.
  • Address translation: dedicated to solving the problems of information hiding and IP address shortage; has no traffic control capability, so it cannot resist traffic attacks.
  • CAR: can implement traffic control on specific traffic streams (described with an ACL), but in reality both the source and the destination addresses of attack packets change dynamically, so CAR is basically unusable in practice and cannot resist traffic attacks.
Configuration complexity:
  • ISPKeeper: very simple.
  • Firewall: complex; an ACL must be configured, and an access-group command must also be configured on the interface.
  • Address translation: simple.
  • CAR: very complex; an ACL and an RLACL must be configured, and a complicated rate-limit command must also be configured on the interface.
Efficiency and scalability:
  • ISPKeeper: uses hash technology; high efficiency.
  • Firewall: uses traffic classification; low efficiency and poor scalability.
  • Address translation: uses hash technology; high efficiency.
  • CAR: uses traffic classification; low efficiency and poor scalability.
Number of supported data flows:
  • ISPKeeper: 250,000.
  • Firewall: generally tens; otherwise performance is seriously affected.
  • Address translation: 250,000.
  • CAR: generally tens; otherwise performance is seriously affected.
Statistical information:
  • ISPKeeper: abundant; per-flow information can be obtained.
  • Firewall: limited.
  • Address translation: abundant; per-flow information can be obtained.
  • CAR: limited.
Alarming on hacker attacks:
  • ISPKeeper: generates a Syslog message after an abnormal data flow is found.
  • Firewall: generates a Syslog message for forbidden packets.
  • Address translation: none.
  • CAR: none.
Supported routers:
  • ISPKeeper: Huawei NE series routers.
  • Firewall: Huawei NE series routers, Cisco 75 series routers, etc.
  • Address translation: Huawei NE series routers, Cisco 75 series routers, etc.
  • CAR: Huawei NE series routers, Cisco 75 series routers, etc.
Table 1. Comparison of several protection methods
Description of drawings
Figure 1 is a schematic diagram of the typical networking structure of an ISP;
Figure 2 is a schematic diagram of the typical forms of attack an ISP suffers;
Figure 3 is an analysis diagram of the traffic entering the ISP LAN;
Figure 4 is a flow chart of the implementation of the method of the invention;
Figure 5 is a schematic diagram of the networking structure of one embodiment of the invention;
Figure 6 is a schematic diagram of the networking structure of another embodiment of the invention.
Specific embodiments
The present invention is described in more detail below with reference to the drawings and specific embodiments.
The key to preventing hackers from attacking an ISP is to monitor in real time and promptly process the sources and the traffic of the data flows entering the ISP, eliminating improper data by effective means so as to guarantee the access needs of normal users. As shown in Figure 2, the traffic entering the ISP LAN falls basically into two classes:
1) Data flows returned to users who are online. These flows are distinguished by destination IP address, and each occupies a certain bandwidth, for example a maximum mean rate of 128K per Internet user; the number of such flows is controllable and configurable;
2) Data flows accessing the Web servers. The destination IP addresses of these flows belong to a particular address range, such as 10.110.1.0/0.0.0.255; they are distinguished by the IP five-tuple (source address, destination address, protocol type, source port, destination port); the total bandwidth these flows occupy is controllable and configurable, and the number of flows is controllable and configurable.
"Controllable and configurable" above means that a reasonable range can be set in advance by configuration parameters, i.e. a threshold is set; traffic exceeding it is regarded as unreasonable and should be blocked. For example, the mean traffic of a data flow returned to a PSTN or ISDN user online should be 128 kbps, so if the traffic exceeds 128 kbps it is regarded as unreasonable and should be blocked. This can be implemented by the following statement:
Ispkeeper-group 10 single 128000 16000
This command ensures that the mean traffic and the burst length of each data flow are fixed values, i.e. the mean traffic of each individual data flow is at most 128 kbps and the burst length is at most 16 Kbyte. The concrete configuration of the method in practical application depends mainly on the traffic model chosen by the ISP; the values of the parameters themselves are not restricted in any way.
In order to judge and process the received data flows according to the present invention, the reasonable ranges of parameters such as the bandwidth or mean rate and burst length of each data flow, and the mean traffic and burst length of the total data flows, must first be configured in advance on the egress router.
For example: set the data flows entering the ISP LAN from outside with destination IP address 10.110.1.*, i.e. the flows of external access to the Web servers, FTP servers and so on, to occupy at most 5M of the ISP LAN's bandwidth or mean rate, with a burst data amount of 800 Kbyte and a total of 1000 flows. At the same time set the other data flows entering the ISP LAN from outside, i.e. the data flows returned to users who are online, so that each can occupy at most 128K of LAN bandwidth (mean rate), with a burst data amount of 8 Kbyte and a total of 20000 flows. The above configuration can be implemented by the following statements:
interface eth 1/0/0
ispkeeper 10.110.1.0 0.0.0.255 5000000 800000 1000
ispkeeper default 131012 8000 20000
Secondly, a data flow configuration information array large enough to hold the flow information of all the IP address ranges to be identified under the interface is also generated in advance on the egress router; each element of this array corresponds one-to-one with an IP address and is used to store the configuration information of the data flow to a given destination IP address. For example, to identify and record every data flow whose destination address lies in the range 10.110.0.0 to 10.110.255.255, first generate an array of 65536 elements, each element corresponding to one IP address. After a packet is received, the lower 16 bits of its destination address directly locate the corresponding element of the array, where the relevant information of this data flow is recorded. In actual operation, for each received data flow the hash algorithm looks up whether the record exists in the array; if it does, the record is located directly and its information read; if not, the packet's destination IP address is used first to locate the position, and the configuration information is then matched and recorded. If, when the packet is located to its position, the record of another data flow is already present there, a linked list is created at this position and the configuration information of each data flow is recorded in it in the order of the upper 16 bits of the destination IP address. Subsequent packets of the data flow need not be matched again, unlike the firewall method, which must match every packet. This is very simple and highly efficient.
The essential idea of the method of the invention is: for an address range defined by a given start address and end address, configure the mean rate and total burst length of the total data flows for all addresses in the range, and configure the mean rate and burst length of an individual data flow for a single IP address in the range, then use the token bucket algorithm to control the traffic. The token bucket algorithm here means: set a leaky bucket with a given outflow rate (namely the configured mean rate of the data flow) and a given bucket length (namely the burst length); when data arrives at a certain moment, if its length is greater than the bucket length the bucket would overflow and the data is discarded; otherwise, the amount that has drained from the bucket is calculated from the interval between the last arrival and this one, giving the actual free length of the bucket; if the data length is greater than the actual free length the bucket would again overflow and the data is discarded; if the data length is smaller than the actual free length, the data is put into the bucket and waits to be processed.
Based on the above analysis of the structure of ISP traffic, and with reference to Figure 4, the specific implementation of the method of the invention comprises at least the following steps:
1) When the ISPKeeper is about to forward a received packet to the ISP LAN, it first judges by the hash algorithm whether the data flow to which the packet belongs is an existing record of the ISPKeeper, i.e. it looks up, at the position of the data flow configuration information array given by the lower 16 bits of the destination IP address, whether configuration parameters and statistics already exist for the data flow to this IP address; if so, go to step 3); otherwise go to step 2).
2) If the packet to be forwarded belongs to a new data flow, that is, nothing is stored at the corresponding position of the data flow configuration information array for the data flow to which the current packet belongs, first find the corresponding IP address range definition from the packet's IP address range information, then find the configuration information of that address range according to the definition and match it, and judge whether the match succeeds. If it succeeds, store the configuration parameters and statistics of the data flow of this IP address range, obtained from the match, at the corresponding position of the data flow configuration information array. If data of another flow is already present at this position and the lower 16 bits of that flow's IP address are identical to those of the current flow, a linked list storing the flow information is created at this position in the order of the upper 16 bits of the destination IP address. If the match fails, i.e. no definition of this IP address range is found in the configuration information, look up whether a default value is defined in the configuration information; if so, place the default configuration information at the corresponding position of the data flow configuration information array and go to step 3); if not, the ISPKeeper forwards the current packet to the corresponding destination network device.
3) Use the token bucket algorithm to detect whether the traffic of the current data flow satisfies the user-configured parameters (single mean rate, single burst length); if not, discard the packet; if it does, continue to detect the total data flows, i.e. sum the data flows of all addresses in the address range to which this data flow belongs and, using the token bucket algorithm, detect whether the total traffic is normal against the configuration parameters (overall mean rate and total burst length) configured for the specified address range under the interface configuration mode; if not, discard the packet; otherwise, if satisfied, the ISPKeeper forwards the current packet to the corresponding destination network device.
When the above method is used to protect a single ISP, as shown in Figure 5, the IP address range of the data flows accessing the ISP LAN is 10.111.*.* and the IP address range of the data flows accessing the ISP's dial-up users is 10.110.*.*. To protect the ISP in the figure, first create an array of 65536 elements on the ISP egress router, and at the same time make the following configuration on the ISP egress router:
Ispkeeper-list 1 10.111.0.0 10.111.255.255   /* this command defines the data flows accessing the ISP LAN */
interface eth 1/0/0                           /* enter the configuration mode of the Ethernet interface connected to the ISP LAN */
Ispkeeper-group 1 total 5000000 80000         /* this command sets the total mean traffic of the flows accessing the ISP LAN to 5 Mbps and the burst length to 80 Kbyte */
ispkeeper-default single 128000 8000          /* this command sets the mean traffic of each of the remaining flows, those accessing dial-up users, to 128 Kbps and the burst length to 8 Kbyte */
The above configuration gives the upper limit of the mean traffic of an individual data flow and of the mean traffic of the total data flows. After the ISP receives a data flow packet, it first looks up in the data flow configuration information array, by the hash algorithm, whether a record of this data flow exists; if so, it detects whether the mean traffic of the flow is less than or equal to 128K and whether the traffic of its total data flows is within 5 Mbps; if so it forwards the packet to the destination network device, otherwise it discards the packet. If the record does not exist in the array, it matches the packet against the above configuration, records the corresponding configuration information in the array, and then decides to forward or discard the packet according to the traffic.
The method of the present invention can be applied not only to one ISP LAN but also to protect several ISPs in a metropolitan area network or a wide area network. Take the networking structure of a provincial network as an example: the provincial network consists of several ISPs, with the structure shown in Figure 6. The working principle and procedure of protection are identical to those for a single ISP; only the preset configuration differs: the data flow IP address ranges and parameters of each of the several ISPs are set separately, and when traffic is judged the detection uses the different configuration information corresponding to each IP address range. The concrete configuration of the several ISPs in Figure 6 can be realised by the following statements:
Ispkeeper-list 10 10.110.0.0 10.110.255.255   /* this command defines access to ISP1: the dial-up user flows, IP address range 10.110.*.* */
Ispkeeper-list 11 10.111.0.0 10.111.255.255   /* this command defines access to ISP1: the LAN flows, IP address range 10.111.*.* */
Ispkeeper-list 20 20.110.0.0 20.110.255.255   /* this command defines access to ISP2: the dial-up user flows, IP address range 20.110.*.* */
Ispkeeper-list 21 20.111.0.0 20.111.255.255   /* this command defines access to ISP2: the LAN flows, IP address range 20.111.*.* */
interface atm 1/0/0                           /* enter the configuration mode of the ATM interface connected to the provincial network */
Ispkeeper-group 11 total 5000000 80000        /* this command sets the total mean traffic of the flows accessing the ISP1 LAN to 5 Mbps and the burst length to 80 Kbyte */
Ispkeeper-group 10 single 128000 8000         /* this command sets the mean traffic of each flow accessing an ISP1 dial-up user to 128 Kbps and the burst length to 8 Kbyte */
Ispkeeper-group 21 total 5000000 80000        /* this command sets the total mean traffic of the flows accessing the ISP2 LAN to 5 Mbps and the burst length to 80 Kbyte */
Ispkeeper-group 20 single 128000 8000         /* this command sets the mean traffic of each flow accessing an ISP2 dial-up user to 128 Kbps and the burst length to 8 Kbyte */
For the maintenance of the data flow configuration information array, that is, the ageing of its entries, the present invention periodically inspects each user data flow, mainly in two ways:
(1) Timed processing. Within a given interval each user data flow is inspected; if its mean traffic exceeds the upper limit of mean traffic given at configuration, i.e. an anomaly (a large data flow) has occurred, alarm information is output through Syslog.
(2) Packet-driven, non-configurable automatic detection. This is further divided into two cases: in one, the user data flows are inspected every 15 minutes, and if no data has arrived for a certain user for a long time, which indicates that the data flow is idle, the user's data flow information is removed; in the other, for a certain data flow, if no matching traffic parameters can be found in the configuration items, the information of this data flow is removed directly.
The ISPKeeper method of the present invention mainly uses technologies such as token bucket and hash, and continues the easy configuration style of address translation; its configuration is simple and flexible, its operation efficient, and it provides abundant statistics and log information. By deploying the ISPKeeper on the interface of the ISP egress router connected to the ISP LAN, or on the interface of the ISP egress router connected to the backbone IP network, the traffic attacks launched by hackers against the ISP can be resisted well.
On the basis of fully considering the networking structure and traffic model of ISPs and the characteristics of hacker attacks, the present invention effectively combines existing firewall, address translation and CAR technology, compensating for their weaknesses, and thereby resists more effectively the traffic attacks an ISP suffers.
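The following is an added worked example, not part of the patent and not Huawei code: a Python model of the ISPKeeper data path as steps 1) to 3) above describe it, with the 65536-element array indexed by the lower 16 bits of the destination IP address and the chained entries keyed by the upper 16 bits, the per-flow check followed by the aggregate check for the address range, and the removal of idle entries described in the maintenance section. The meter follows the traffic-control description literally: the patent calls it a token bucket, but what it describes (a bucket that drains at the mean rate and rejects data that would exceed the burst length) is a leaky-bucket meter, and that is what is implemented. The configuration values are those of the Figure 5 example; the class and method names, the "forward"/"drop" return values and the packet sizes are assumptions of this example.

```python
"""Model of the ISPKeeper flow table and traffic checks (added example, not patent code)."""
import ipaddress


class LeakyBucket:
    """Meter as the patent describes it: the bucket drains at the configured mean
    rate and holds at most `burst` bytes; data that would overflow is rejected
    and leaves the bucket unchanged (the patent calls this a token bucket)."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0      # drain rate in bytes per second
        self.burst = burst_bytes        # bucket length
        self.fill = 0.0                 # bytes currently in the bucket
        self.last = None                # time of the previous arrival

    def admit(self, size, now):
        if self.last is not None:       # drain what flowed out since the last packet
            self.fill = max(0.0, self.fill - self.rate * (now - self.last))
        self.last = now
        if size > self.burst or size > self.burst - self.fill:
            return False                # bucket would overflow: drop
        self.fill += size
        return True


class RangeConfig:
    """An Ispkeeper-list address range with its Ispkeeper-group limits: an optional
    per-flow 'single' limit and an optional aggregate 'total' limit, each (bps, bytes)."""

    def __init__(self, start, end, single=None, total=None):
        self.start = int(ipaddress.IPv4Address(start))
        self.end = int(ipaddress.IPv4Address(end))
        self.single = single
        self.total_bucket = LeakyBucket(*total) if total else None

    def contains(self, ip):
        return self.start <= ip <= self.end


class FlowEntry:
    """Record for one destination address: its range, its own meter when a
    'single' limit applies, and per-flow statistics."""

    def __init__(self, hi16, cfg, now):
        self.hi16 = hi16                # upper 16 bits of the destination, keys the chain
        self.cfg = cfg
        self.bucket = LeakyBucket(*cfg.single) if cfg.single else None
        self.last_seen = now
        self.forwarded = 0
        self.dropped = 0


class ISPKeeper:
    IDLE_SECONDS = 15 * 60              # idle flows are removed by the 15-minute sweep

    def __init__(self, ranges, default=None):
        self.ranges = ranges            # RangeConfig list, searched in order
        self.default = default          # RangeConfig used when no range matches, or None
        self.table = [None] * 65536     # indexed by the lower 16 bits of the destination IP

    def _lookup(self, ip):
        for entry in self.table[ip & 0xFFFF] or ():
            if entry.hi16 == ip >> 16:
                return entry
        return None

    def process(self, dst, size, now):
        """Return 'forward' or 'drop' for a packet of `size` bytes to `dst` at time `now`."""
        ip = int(ipaddress.IPv4Address(dst))
        entry = self._lookup(ip)                                   # step 1: existing record?
        if entry is None:                                          # step 2: new flow, match config
            cfg = next((r for r in self.ranges if r.contains(ip)), None) or self.default
            if cfg is None:
                return "forward"                                   # no definition, no default
            entry = FlowEntry(ip >> 16, cfg, now)
            slot = ip & 0xFFFF
            self.table[slot] = (self.table[slot] or []) + [entry]  # chain on low-16-bit collision
        entry.last_seen = now                                      # step 3: per-flow, then aggregate
        if entry.bucket is not None and not entry.bucket.admit(size, now):
            entry.dropped += 1
            return "drop"
        total = entry.cfg.total_bucket
        if total is not None and not total.admit(size, now):
            entry.dropped += 1
            return "drop"
        entry.forwarded += 1
        return "forward"

    def age(self, now):
        """Remove flows idle for IDLE_SECONDS or longer; return how many were removed."""
        removed = 0
        for slot, chain in enumerate(self.table):
            if chain:
                kept = [e for e in chain if now - e.last_seen < self.IDLE_SECONDS]
                removed += len(chain) - len(kept)
                self.table[slot] = kept or None
        return removed


def figure5_keeper():
    """The Figure 5 configuration: flows to the LAN range 10.111.0.0-10.111.255.255
    share 5 Mbps / 80 Kbyte; every other destination (dial-up users) gets
    128 kbps / 8 Kbyte per flow."""
    lan = RangeConfig("10.111.0.0", "10.111.255.255", total=(5_000_000, 80_000))
    dialup = RangeConfig("0.0.0.0", "255.255.255.255", single=(128_000, 8_000))
    return ISPKeeper([lan], default=dialup)


if __name__ == "__main__":
    keeper = figure5_keeper()
    # constructed input: six 1500-byte packets to one dial-up user in the same instant
    print([keeper.process("10.110.5.7", 1500, 0.0) for _ in range(6)])
```

With the Figure 5 values, six 1500-byte packets arriving at once for a dial-up address give five forwards and one drop (the sixth would take the bucket past 8000 bytes), and the same address is admitted again half a second later because 16000 byte/s of drain has emptied the bucket; 10.110.5.7 and 10.111.5.7 share array slot 0x0507 and are told apart by their upper 16 bits. A real data plane would key the flow table per interface and would also count flows against the configured flow-number limit, which this model leaves out.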

Claims (12)

1. A method for implementing ISP security protection, characterized in that the method comprises at least the following steps:
a. When the ISP manager (ISPKeeper) on the ISP egress router is about to forward the currently received message to the destination network, it first determines by a HASH algorithm whether the data flow to which this message belongs is an existing record in the ISPKeeper; if so, step c is entered; otherwise, step b is entered;
b. If the message to be forwarded belongs to a new data flow, the configuration information of the data flow to which this message belongs is matched and it is judged whether the match succeeds; if the match succeeds, the configuration information obtained for this data flow is stored as a record; if the match does not succeed, the configuration information is searched for a defined default value; if one exists, the default configuration information is stored as a record and step c is entered; if no default value is defined, the ISPKeeper forwards the currently received message directly to the corresponding destination network device;
c. It is detected whether the flow rate of the current data flow satisfies the user-configured parameters; if not, the currently received message is discarded; if the flow rate satisfies the requirement, detection continues on the total data flow to judge whether the total configuration parameters are normal; if abnormal, this message is discarded; otherwise, if normal, the ISPKeeper forwards the current message to the corresponding destination network device.
2. The method according to claim 1, characterized in that the destination network in step a is the ISP LAN, a Metropolitan Area Network (MAN) or a wide area network.
3. The method according to claim 1, characterized in that the data flow is a data flow accessing a network device in the destination network from outside, or a data flow returned for a dial-up user's online session.
4. The method according to claim 1, characterized in that matching the configuration information of the data flow in step a further comprises the following steps: first finding the corresponding IP address segment definition in the configuration information according to the destination IP address of the data flow to which this message belongs, then finding the configuration information of this address segment according to the address segment definition, and storing this configuration information as a record at the corresponding position of the data flow configuration information array.
5. The method according to claim 1, characterized in that the method further comprises the following step: when initializing the egress router, presetting an array for storing data flow configuration information.
6. The method according to claim 5, characterized in that the array size is sufficient to hold all data flows in the IP address range to be identified, and each element of the array corresponds one-to-one to a destination IP address.
7. The method according to claim 1, characterized in that the method further comprises the following step: when initializing the egress router, presetting the configuration information of the data flows.
8. The method according to claim 1, 4 or 7, characterized in that the configuration information comprises at least the start IP address, the end IP address and the interface configuration mode of the data flow; the transmission bandwidth or average rate and the burst length of each data flow; and the overall average flow rate and the total burst length of the total data flow.
9. The method according to claim 1, characterized in that the HASH algorithm in step a refers to locating this message at the corresponding element position of the data flow configuration information array according to the last 16 bits of the destination IP address of each message in the data flow.
10. The method according to claim 9, characterized in that the method may further comprise the following step: when a received data flow message has been located by the HASH algorithm at the corresponding element position of the data array and that position already holds data flow configuration information, a data linked list is established at that position, in which the corresponding data flow configuration information is stored in the order of the first 16 bits of the destination IP address.
11. The method according to claim 1, characterized in that the user configuration parameters in step c comprise at least the transmission bandwidth or average rate and the burst length of an individual data flow.
12. The method according to claim 1, characterized in that the total configuration parameters in step c comprise at least the overall average rate and the total burst length of the data flows.
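The decision procedure of claims 1, 4 and 8 to 12, written out as an added Python model so the steps can be traced on sample packets. This is example code, not the patent's or Huawei's implementation: the names FlowConfig, TokenBucket, FlowRecord, IspKeeper and handle are assumptions, the interface configuration mode of claim 8 is omitted, only IPv4 destinations are modelled, and the per-flow and total limits are realised as token buckets (the description names Token Bucket as the underlying technique; the exact bucket semantics are this example's choice). Destinations are hashed on the low 16 bits of the address into a 65536-slot array (claims 6 and 9) and collisions are chained on the high 16 bits (claim 10); a new flow takes its matched range configuration or the default (step b, claim 4); each packet then passes the per-flow limit and the aggregate limit in that order (step c, claims 11 and 12).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FlowConfig:
    """Configuration for one destination address range (claim 8, simplified:
    the interface configuration mode is omitted). Rates are bytes per second,
    burst lengths are bytes. Example type, not the patent's data structure."""
    start_ip: str
    end_ip: str
    avg_rate: float
    burst: float


class TokenBucket:
    """Token bucket that refills at `rate` tokens/s up to `burst` tokens."""

    def __init__(self, rate: float, burst: float, now: float) -> None:
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, now

    def allow(self, size: int, now: float) -> bool:
        # Credit the elapsed time, cap at the burst length, then try to spend.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < size:
            return False
        self.tokens -= size
        return True


@dataclass
class FlowRecord:
    high16: int          # upper 16 bits of the destination IP: chain key (claim 10)
    bucket: TokenBucket  # per-flow limiter (claim 11)


class IspKeeper:
    def __init__(self, configs: List[FlowConfig], default: Optional[FlowConfig],
                 total_rate: float, total_burst: float, now: float = 0.0) -> None:
        self.configs, self.default = configs, default
        # Claims 5, 6 and 9: one array slot per value of the low 16 bits of the
        # destination address; each slot holds a chain keyed by the high 16 bits.
        self.table: List[List[FlowRecord]] = [[] for _ in range(1 << 16)]
        self.total = TokenBucket(total_rate, total_burst, now)  # claim 12

    def _lookup_config(self, dst: ipaddress.IPv4Address) -> Optional[FlowConfig]:
        # Claim 4: find the address segment containing the destination; else the default.
        for cfg in self.configs:
            if ipaddress.ip_address(cfg.start_ip) <= dst <= ipaddress.ip_address(cfg.end_ip):
                return cfg
        return self.default

    def chain_length(self, dst_ip: str) -> int:
        """Number of flows chained in the array slot for this destination."""
        return len(self.table[int(ipaddress.ip_address(dst_ip)) & 0xFFFF])

    def handle(self, dst_ip: str, size: int, now: float) -> str:
        """Return 'forward', 'drop:flow' or 'drop:total' for one received message."""
        dst = ipaddress.ip_address(dst_ip)
        low16, high16 = int(dst) & 0xFFFF, int(dst) >> 16
        chain = self.table[low16]
        # Step a: hash by the low 16 bits, then disambiguate within the chain.
        rec = next((r for r in chain if r.high16 == high16), None)
        if rec is None:
            # Step b: new flow. Record the matched or default configuration; with
            # neither available the message is forwarded without further checks.
            cfg = self._lookup_config(dst)
            if cfg is None:
                return "forward"
            rec = FlowRecord(high16, TokenBucket(cfg.avg_rate, cfg.burst, now))
            chain.append(rec)
        # Step c: per-flow limit first, then the aggregate limit over all flows.
        if not rec.bucket.allow(size, now):
            return "drop:flow"
        if not self.total.allow(size, now):
            return "drop:total"
        return "forward"
```

Note the behaviour when no range matches and no default is defined: as in step b of claim 1, the message is forwarded unmonitored. A deployment that wants every destination rate-limited therefore needs a default entry; without one, traffic to unconfigured addresses bypasses both the per-flow and the total check.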

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB011188685A CN1145318C (en) 2001-06-26 2001-06-26 Method for implementing safety guard to internet service provider

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB011188685A CN1145318C (en) 2001-06-26 2001-06-26 Method for implementing safety guard to internet service provider

Publications (2)

Publication Number Publication Date
CN1394041A CN1394041A (en) 2003-01-29
CN1145318C true CN1145318C (en) 2004-04-07

Family

ID=4663469

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB011188685A Expired - Fee Related CN1145318C (en) 2001-06-26 2001-06-26 Method for implementing safety guard to internet service provider

Country Status (1)

Country Link
CN (1) CN1145318C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1968272B (en) * 2005-10-17 2011-08-10 阿尔卡特公司 Method used for remitting denial of service attack in communication network and system

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7650634B2 (en) * 2002-02-08 2010-01-19 Juniper Networks, Inc. Intelligent integrated network security device
US7467202B2 (en) * 2003-09-10 2008-12-16 Fidelis Security Systems High-performance network content analysis platform
US7725035B2 (en) * 2004-04-20 2010-05-25 Fujitsu Limited Method and system for managing network traffic
CA2619653A1 (en) * 2004-08-21 2006-03-02 Ko-Cheng Fang Computer data protecting method
US7643468B1 (en) * 2004-10-28 2010-01-05 Cisco Technology, Inc. Data-center network architecture
CN100454839C (en) * 2005-11-24 2009-01-21 华为技术有限公司 Antiattacking apparatus and method based on user
CN101127695B (en) * 2006-08-17 2011-08-24 中兴通讯股份有限公司 A processing method for reducing invalid transmission of network traffic
CN101034975B (en) * 2007-04-05 2010-05-26 华为技术有限公司 Method and device for preventing the small message attack
CN101309216B (en) * 2008-07-03 2011-05-04 中国科学院计算技术研究所 IP packet classification method and apparatus
CN103746928A (en) * 2013-12-30 2014-04-23 迈普通信技术股份有限公司 Method and system for controlling flow rate by utilizing access control list
CN104796291B (en) * 2015-04-27 2018-05-29 清华大学 The detection method and system of core Route Area intradomain router forwarding behavioural norm
CN105763560A (en) * 2016-04-15 2016-07-13 北京思特奇信息技术股份有限公司 Web Service interface flow real-time monitoring method and system
CN106483918B (en) * 2016-11-15 2019-01-04 武汉企鹅能源数据有限公司 A kind of energy consumption monitoring analysis method and its system based on token bucket algorithm
CN111930078B (en) * 2020-06-21 2024-04-19 中国舰船研究设计中心 Network testing device for nuclear control system
CN114978563B (en) * 2021-02-26 2024-05-24 ***通信集团广东有限公司 Method and device for blocking IP address
CN113596050B (en) * 2021-08-04 2023-06-30 四川英得赛克科技有限公司 Abnormal flow separation and filtration method, system, storage medium and electronic equipment

Also Published As

Publication number Publication date
CN1394041A (en) 2003-01-29

Similar Documents

Publication Publication Date Title
CN1145318C (en) Method for implementing safety guard to internet service provider
Yaar et al. Pi: A path identification mechanism to defend against DDoS attacks
CN101529386B (en) Behavior-based traffic differentiation to defend against distributed denial of service(DDOS) attacks
Abdelsayed et al. An efficient filter for denial-of-service bandwidth attacks
US7331060B1 (en) Dynamic DoS flooding protection
US7043759B2 (en) Architecture to thwart denial of service attacks
US20060191003A1 (en) Method of improving security performance in stateful inspection of TCP connections
US7302705B1 (en) Method and apparatus for tracing a denial-of-service attack back to its source
WO2008148099A1 (en) Method and system to mitigate low rate denial of service (dos) attacks
WO2002021296A1 (en) Statistics collection for network traffic
CN102263788A (en) Method and equipment for defending against denial of service (DDoS) attack to multi-service system
Hong et al. Dynamic threshold for DDoS mitigation in SDN environment
Xing et al. Isolation forest-based mechanism to defend against interest flooding attacks in named data networking
Udhayan et al. Demystifying and rate limiting ICMP hosted DoS/DDoS flooding attacks with attack productivity analysis
Chen et al. Isolation forest based interest flooding attack detection mechanism in ndn
Cui et al. Feedback-based content poisoning mitigation in named data networking
Perrig et al. StackPi: a new defense mechanism against IP spoofing and DDoS attacks
Feng et al. Research on the active DDoS filtering algorithm based on IP flow
Paruchuri et al. TTL based packet marking for IP traceback
Yuste et al. Inerte: integrated nexus-based real-time fault injection tool for embedded systems
Khanna et al. Adaptive selective verification
Gong et al. Single packet IP traceback in AS-level partial deployment scenario
CN116389120A (en) Novel DDOS attack defense system and method based on IP and topology confusion
Kim et al. High-speed router filter for blocking TCP flooding under DDoS attack
Wang et al. A more efficient hybrid approach for single-packet IP traceback

Legal Events

Date Code Title Description
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20040407

Termination date: 20110626