
CN104601578B - Attack packet identification method, device and core device - Google Patents


Info

Publication number
CN104601578B
Authority
CN
China
Prior art keywords
message
request packet
authentication request
duration
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510025919.0A
Other languages
Chinese (zh)
Other versions
CN104601578A (en)
Inventor
刘丽敏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ruijie Networks Co Ltd
Original Assignee
Fujian Star Net Communication Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Fujian Star Net Communication Co Ltd
Priority to CN201510025919.0A
Publication of CN104601578A
Application granted
Publication of CN104601578B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/12 Applying verification of the received information
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses an attack packet identification method, device and core device. The method includes: for an authentication request packet that has not been authenticated, determining the session duration of the authentication request packet; comparing the session duration of the authentication request packet with a preset session aging duration; and, when the session duration of the authentication request packet exceeds the preset session aging duration, determining that the authentication request packet is an attack packet. With the scheme provided by the embodiments of the invention, the processing efficiency of authentication requests is improved.

Description

Attack packet identification method, device and core device
Technical field
The present invention relates to the field of network communication technology, and in particular to an attack packet identification method, device and core device.
Background art
As network security incidents at home and abroad keep escalating, the security and trustworthiness of networks receive ever more attention. In colleges and universities in particular, where the user population is dense and active, premeditated attacks and sabotage are frequent, so campus networks have become a "disaster area" for security problems, and their management is correspondingly complex and difficult.
To ensure network security, a user must undergo access authentication when accessing the network, and the authentication result determines whether the user is legitimate. At present, web authentication is widely used in campus networks because it is easy to deploy and simple to use.
User identity is currently verified as follows. After an interface of the core switch receives an authentication request packet from a user terminal, the physical layer (PHY) of the service module extracts the source Internet Protocol (IP) address, Media Access Control (MAC) address, port number and VLAN ID (VID) carried in the packet and matches them against the information in an online-user list. If the match succeeds, the user is determined to have passed authentication; if it fails, the user is determined to be unauthenticated. Authentication request packets sent by unauthenticated users are handed to the line-card CPU and, without any processing there, sent straight over the control channel to the management-engine CPU.
Because every authentication request packet from an unauthenticated terminal is passed to the management-engine CPU, an unauthenticated terminal that has been infected, whose applications repeatedly initiate updates, or that is attacking deliberately generates a large volume of attack packets at peak times. The management-engine CPU of the core switch is then overloaded, the authentication requests of some terminals cannot be processed in time, users authenticate slowly or time out without ever authenticating, and the processing efficiency of authentication requests is low. How the core switch can identify which received authentication request packets are attack packets, and so reduce the number of attack packets reported to the management engine, is therefore an urgent problem in user identity authentication.
Summary of the invention
Embodiments of the present invention provide an attack packet identification method, device and core device, to solve the prior-art problem that, during identity authentication, a large number of attack packets arriving at the ingress for authentication request packets make authentication slow or fail, so that authentication requests are processed inefficiently.
An embodiment of the present invention provides an attack packet identification method, including:
for an authentication request packet that has not been authenticated, determining the session duration of the authentication request packet;
comparing the session duration of the authentication request packet with a preset session aging duration;
when the session duration of the authentication request packet exceeds the preset session aging duration, determining that the authentication request packet is an attack packet.
With the above method provided by the embodiments of the invention, attack packets among the unauthenticated authentication request packets are identified and filtered out by comparing the session duration of an unauthenticated authentication request packet with the preset session aging duration. This avoids the slow or failed authentication caused by large numbers of attack packets and improves the processing efficiency of authentication requests.
Further, determining that the authentication request packet has not been authenticated specifically includes:
obtaining the attribute information in the authentication request packet;
looking up whether the attribute information in the authentication request packet exists in an online-user list, the online-user list storing the attribute information of authentication request packets that have passed authentication;
when the attribute information in the authentication request packet is not found, determining that the authentication request packet has not been authenticated.
In this way, by maintaining the online-user list, it can be determined whether an authentication request packet has been authenticated.
Further, after the authentication request packet is determined to be unauthenticated, the method further includes:
according to the address information in the authentication request packet, looking up that address information in a denial-of-service session list;
when the address information is not found, allowing the session corresponding to the authentication request packet to proceed.
Further, the above method further includes:
comparing the session duration of the authentication request packet with a preset noise identification duration;
when the session duration of the authentication request packet exceeds the preset noise identification duration, determining that the authentication request packet is a noise packet, the preset noise identification duration being shorter than the preset session aging duration;
limiting the rate at which the authentication request packet is sent up to the management engine;
when the session duration of the authentication request packet does not exceed the preset noise identification duration, determining that the authentication request packet is a normal packet.
This avoids normal authentication request packets being mistaken for attack packets when, in a real network, a normal request's session times out because the access device suffers a link failure, responds slowly, or the authentication server is overloaded.
Further, the above method further includes:
classifying the authentication request packets;
reporting the classified packets to the management engine.
By classifying the authentication request packets, the load on the downstream management engine is reduced and packet-processing efficiency is improved.
Further, classifying the authentication request packets specifically includes:
after the authentication request packet is confirmed to be a noise packet or a normal packet, determining whether the destination IP address in the authentication request packet is the same as the address of the authentication server; if so, determining that the authentication request packet is an authentication-needed online-class packet; if not, determining that it is a pseudo-connection-class packet; or
before the session duration of the authentication request packet is determined, receiving a request packet; determining whether the destination IP address in the request packet is the same as the address of the authentication server; if so, determining that the request packet is an authentication-needed online-class packet; if not, determining whether the request packet carries authentication information: when it does, treating the request packet as an authentication request packet, and when it does not, determining that the request packet is a redirect-class packet.
An embodiment of the present invention further provides an attack packet identification device, including:
a first determination unit, configured to determine, for an authentication request packet that has not been authenticated, the session duration of the authentication request packet;
a first comparison unit, configured to compare the session duration of the authentication request packet with a preset session aging duration;
a second determination unit, configured to determine that the authentication request packet is an attack packet when its session duration exceeds the preset session aging duration.
With the above device provided by the embodiments of the invention, attack packets among the unauthenticated authentication request packets are identified and filtered out by comparing the session duration of an unauthenticated authentication request packet with the preset session aging duration. This avoids the slow or failed authentication caused by large numbers of attack packets and improves the processing efficiency of authentication requests.
Further, the first determination unit is specifically configured to obtain the attribute information in the authentication request packet; look up whether that attribute information exists in an online-user list, the online-user list storing the attribute information of authentication request packets that have passed authentication; and, when the attribute information is not found, determine that the authentication request packet has not been authenticated.
In this way, by maintaining the online-user list, it can be determined whether an authentication request packet has been authenticated.
Further, the above device further includes:
a lookup unit, configured to look up, after the authentication request packet is determined to be unauthenticated, the address information in the authentication request packet in a denial-of-service session list;
a session-permitting unit, configured to allow the session corresponding to the authentication request packet to proceed when the address information is not found.
Further, the above device further includes:
a second comparison unit, configured to compare the session duration of the authentication request packet with a preset noise identification duration;
a third determination unit, configured to determine that the authentication request packet is a noise packet when its session duration exceeds the preset noise identification duration, the preset noise identification duration being shorter than the preset session aging duration;
a limiting unit, configured to limit the rate at which the authentication request packet is sent up to the management engine;
a fourth determination unit, configured to confirm that the authentication request packet is a normal packet when its session duration does not exceed the preset noise identification duration.
This avoids normal authentication request packets being mistaken for attack packets when, in a real network, a normal request's session times out because the access device suffers a link failure, responds slowly, or the authentication server is overloaded.
Further, the above device further includes:
a classification unit, configured to classify the authentication request packets;
a reporting unit, configured to report the classified packets to the management engine.
By classifying the authentication request packets, the load on the downstream management engine is reduced and packet-processing efficiency is improved.
Further, the classification unit is specifically configured to determine, after the authentication request packet is confirmed to be a noise packet or a normal packet, whether the destination IP address in the authentication request packet is the same as the address of the authentication server; if so, to determine that the authentication request packet is an authentication-needed online-class packet; if not, to determine that it is a pseudo-connection-class packet; or
the classification unit is specifically configured to receive a request packet before the session duration of the authentication request packet is determined; determine whether the destination IP address in the request packet is the same as the address of the authentication server; if so, determine that the request packet is an authentication-needed online-class packet; if not, determine whether the request packet carries authentication information: when it does, treat the request packet as an authentication request packet, and when it does not, determine that the request packet is a redirect-class packet.
An embodiment of the present invention provides a core device, including a line card and a management engine, wherein:
the line card includes the attack packet identification device described above; and
the management engine is configured to receive the classified packets sent by the line-card CPU and process them accordingly.
With the core device provided by the embodiments of the invention, attack packets among the unauthenticated authentication request packets are identified and filtered out by comparing the session duration of an unauthenticated authentication request packet with the preset session aging duration. This avoids the slow or failed authentication caused by large numbers of attack packets and improves the processing efficiency of authentication requests.
Other features and advantages of the application will be set out in the following description, and in part will become apparent from the description or be learned by practising the application. The objects and other advantages of the application may be realized and obtained by the structures particularly pointed out in the written description, the claims and the accompanying drawings.
Brief description of the drawings
The accompanying drawings are provided for a further understanding of the invention and form part of the specification; together with the embodiments of the invention they serve to explain the invention and do not limit it. In the drawings:
Fig. 1 is a flowchart of the attack packet identification method provided by an embodiment of the present invention;
Fig. 2 is a flowchart of the attack packet identification method provided by embodiment 1 of the present invention;
Fig. 3 is a flowchart of the attack packet identification method provided by embodiment 2 of the present invention;
Fig. 4 is a structural diagram of the attack packet identification device provided by embodiment 3 of the present invention;
Fig. 5 is a structural diagram of the core device provided by embodiment 4 of the present invention.
Detailed description
To provide an implementation that improves the processing efficiency of authentication requests, embodiments of the present invention provide an attack packet identification method, device and core device. Preferred embodiments of the invention are described below with reference to the accompanying drawings. It should be understood that the preferred embodiments described here serve only to illustrate and explain the invention and do not limit it. Where there is no conflict, the embodiments of the application and the features in them may be combined with one another.
An embodiment of the present invention provides an attack packet identification method which, as shown in Fig. 1, includes:
Step 101: for an authentication request packet that has not been authenticated, determine the session duration of the authentication request packet.
Step 102: compare the session duration of the authentication request packet with a preset session aging duration.
Step 103: when the session duration of the authentication request packet exceeds the preset session aging duration, determine that the authentication request packet is an attack packet.
In the embodiment of the present invention, when a user needs to authenticate in order to access the network, the core device authenticates the authentication request packets reported to it. Some of these packets are sent by terminals that have already been authenticated, and some by terminals that have not. Unauthenticated terminals that are infected, whose applications repeatedly initiate updates, or that attack deliberately generate large numbers of attack packets at peak times, which makes authentication slow or fail. The embodiment of the invention therefore identifies the attack packets among the unauthenticated authentication request packets so that they can be dealt with subsequently.
Further, the line-card side of the core device in the embodiment of the invention can perform the attack packet identification, filtering the authentication request packets at the ingress of the core device and preventing packet attacks at the ingress.
The method and device provided by the invention, and the corresponding system, are described in detail below with reference to the accompanying drawings and specific embodiments.
Embodiment 1:
Fig. 2 is a flowchart of the attack packet identification method provided by embodiment 1 of the present invention, which specifically includes the following processing steps:
Step 201: the line card of the core device receives an authentication request packet.
The core device, as the gateway for all network users, receives the authentication traffic of the whole network and manages it centrally; the authentication request packet is received by the line card of the core device.
Step 202: the line card obtains the attribute information of the authentication request packet.
In this step, the attribute information of the authentication request packet includes the source Internet Protocol (IP) address, the Media Access Control (MAC) address, the authentication port (PORT) and the VLAN ID (VID) carried in the authentication request packet.
Step 203: the line card looks up whether the attribute information of the authentication request packet exists in the online-user list; if so, proceed to step 204, otherwise proceed to step 205.
The online-user list stores the attribute information of authentication request packets that have passed authentication, namely source IP address, MAC address, PORT and VID. The core device records the attribute information of each authentication request packet that passes authentication in the online-user list.
Step 204: the line card determines that the authentication request packet has passed authentication, allows the terminal that sent it to access the network, and forwards the terminal's traffic directly through the forwarding plane.
Step 205: the line card determines that the authentication request packet has not been authenticated.
Further, during identity authentication the core device records the relevant information of terminals that send aggressive packets in a denial-of-service session list, and all packets sent by such terminals are treated as attack packets. Therefore, once the line card has determined that the authentication request packet is unauthenticated, it can further check whether the packet's session is in the denial-of-service session list.
Step 206: the line card looks up, according to the address information in the authentication request packet, whether that address information exists in the denial-of-service session list; if so, proceed to step 207, otherwise proceed to step 208.
The denial-of-service session list stores the source IP addresses considered aggressive together with their corresponding destination IP addresses. The address information in an authentication request packet is its source IP address and destination IP address.
Step 207: the line card discards the authentication request packet.
In this step, when the line card finds the address information in the denial-of-service session list, the session of the authentication request packet is considered aggressive, so the line card discards the packet directly. Further, a refusal session timer is allocated to each source IP address and corresponding destination IP address in the denial-of-service session list; when the refusal session timer expires, the source IP address and corresponding destination IP address are deleted from the denial-of-service session list.
Step 208: the line card allows the session corresponding to the authentication request.
Further, for each authentication request packet the line card identifies a session uniquely by the source IP address and destination IP address in the packet, i.e. each (source IP address, destination IP address) pair corresponds to one session with a unique identifier.
Step 209: the line card determines whether the session duration of the authentication request packet exceeds the preset noise identification duration; if not, proceed to step 210, if so, proceed to step 211.
The preset noise identification duration can be set flexibly according to the number of users at peak time and the load the authentication server can bear.
Step 210: the line card determines that the authentication request packet is a normal packet.
After determining that the authentication request packet is a normal packet, the line card sends it to the management engine at the normal packet rate.
Step 211: the line card determines that the authentication request packet is a noise packet and limits the rate at which the authentication request packet is sent up to the management engine.
In a real network, normal request sessions time out when the access device suffers a link failure, responds slowly, the authentication server is overloaded, and so on. To avoid mistaking normal authentication request packets for attack packets while still controlling attack packets effectively, packets whose session duration exceeds the preset noise identification duration are treated as noise packets. Noise packets include normal request packets whose session has timed out, but may also include genuinely threatening attack packets. Because attack packets may be present among the noise packets, and would seize bandwidth from normal users and reduce the processing performance of the device, this step, after determining that the authentication request packet is a noise packet, limits and lowers the rate at which the packet is sent up to the management engine, so that noise packets are sent up at a lower rate than normal packets and consume less of the bandwidth used for reporting to the management engine.
Step 212: the line card determines whether the session duration of the authentication request packet exceeds the preset session aging duration; if so, proceed to step 213, otherwise proceed to step 214.
The preset session aging duration can be set flexibly according to the number of users at peak time and the load the authentication server can bear; it is longer than the preset noise identification duration.
Step 213: the line card determines that the authentication request packet is an attack packet, tears down the session of the authentication request packet, records the source IP address and destination IP address of the packet in the denial-of-service session list, and starts the refusal session timer.
The purpose of comparing the session duration of the authentication request packet with the preset noise identification duration in step 209 is to prevent an authentication request packet from being mistaken for an attack packet when its session duration exceeds the preset noise identification duration merely because a downstream user responds slowly or a downstream link drops packets severely. An authentication request packet confirmed as a noise packet, whose session duration lies between the preset noise identification duration and the preset session aging duration, has its sending rate limited but its authentication request is otherwise unaffected; if the user still has not authenticated and come online within this time, the packet is confirmed as an attack packet.
Because the line card identifies noise packets and attack packets in the ingress traffic, limits the rate at which noise packets are sent up to the management engine, and denies service to attack packets, it can prevent interference from ingress noise packets during malicious attacks and peak periods and ensure that users can authenticate and go online normally, thereby improving the processing efficiency of authentication requests.
The attack packet identification process of steps 201-213 above can specifically be performed by the noise identification module of the line card.
Further, after the line card has identified attack packets among the unauthenticated authentication request packets, it can also classify the identified noise packets and normal packets and send the classified packets to the management engine, reducing the load on the management engine. Authentication request packets confirmed as noise packets or normal packets can first be stored in different buffer pools, noise packets in a noise packet buffer pool and normal packets in a normal packet buffer pool. For each authentication request packet determined to be a noise packet or a normal packet, the specific classification process is steps 214-216 below:
Step 214: the line card determines whether the destination IP address of the authentication request packet is the same as the address of the authentication server; if not, proceed to step 215, if so, proceed to step 216.
Step 215: the line card determines the type of the authentication request packet as a pseudo-connection-class packet.
Step 216: the line card determines the type of the authentication request packet as an authentication-needed online-class packet.
Further, the line card can classify not only the noise packets and normal packets determined after attack packet identification, but all received packets. For each request packet received at the ingress of the core device, it determines whether the destination IP address in the request packet is the same as the address of the authentication server; if not, it determines that the request packet is a pseudo-connection-class packet; if so, it further determines whether the request packet carries authentication information, i.e. whether it is an authentication request packet, and if so determines it to be an authentication-needed online-class packet, otherwise a redirect-class packet.
The above packet classification process can specifically be performed by the web proxy module of the line card.
Further, after the web proxy module of the line card has classified the packets, it encapsulates the key information of each classified packet, such as source IP address, MAC address, PORT and VID, into a message format the management engine can recognise and sends it over the control channel to the Web module of the management engine. The Web module of the management engine then only needs to process the simple messages reported by the line card, which speeds up message delivery, relieves the pressure on the management engine and improves packet-processing efficiency.
With the above method provided by embodiment 1 of the present invention, attack packets among unauthenticated authentication request packets are identified and filtered out by comparing the session duration of an unauthenticated authentication request packet with the preset session aging duration, avoiding the slow or failed authentication caused by large numbers of attack packets and improving the processing efficiency of authentication requests. Classifying the noise packets and normal packets further relieves the load on the management engine and improves the processing efficiency of authentication requests still further.
Embodiment 2:
Fig. 3 is a flow chart of the attack message identification method provided by Embodiment 2 of the present invention, which specifically includes the following processing steps:
Step 301: the line card of the core device receives a request message.
Step 302: the line card classifies the received request message.
Specifically, for each request message received at the ingress of the core device, the line card determines whether the destination IP address in the request message is the same as the address of the authentication server; if they differ, the request message is determined to be a pseudo-connection class message; if they are the same, it further determines whether the request message carries authentication information, that is, whether it is an authentication request packet; if so, the request message is determined to be an authentication-required class message; if not, the request message is determined to be a redirect class message. The line card reports redirect class messages and pseudo-connection class messages to the management engine, which processes these two classes of messages accordingly; the messages determined to be authentication-required class messages are the authentication request packets.
The process of classifying messages may specifically be performed by the web proxy module of the line card.
Step 303: for each classified authentication request packet, obtain the attribute information of the authentication request packet.
In this step, the attribute information of the authentication request packet includes the source Internet Protocol (IP) address, the Media Access Control (MAC) address, the authentication port (PORT) and the Virtual Local Area Network ID (VID) carried in the authentication request packet.
Step 304: the line card searches the online user list for the attribute information of the authentication request packet; if found, go to step 305; if not, go to step 306.
The online user list stores the attribute information of authentication request packets that have passed authentication, namely the source IP address, MAC address, PORT and VID. The core device records the attribute information of each authentication request packet that passes authentication in the online user list.
Step 305: the line card determines that the authentication request packet has passed authentication, allows the terminal that sent it to access the network, and the terminal's traffic is forwarded directly.
Step 306: the line card determines that the authentication request packet has not yet been authenticated.
Further, when performing authentication, the core device records the relevant information of terminals that send aggressive messages in a refuse-service session list and refuses all messages sent by such terminals as attack messages. Therefore, after the line card determines that an authentication request packet has not yet been authenticated, it may further check whether the session of that packet is in the refuse-service session list.
Step 307: the line card searches the refuse-service session list for the address information of the authentication request packet; if found, go to step 308; if not, go to step 309.
The refuse-service session list stores the source IP addresses considered aggressive together with their corresponding destination IP addresses. The address information of an authentication request packet consists of its source IP address and destination IP address.
Step 308: the line card discards the authentication request packet.
In this step, finding the address information in the refuse-service session list means that the session of the authentication request packet is considered aggressive, so the line card discards the packet directly. Further, a refuse-session timer is assigned to each source IP address and corresponding destination IP address in the refuse-service session list; when the timer expires, that source IP address and its corresponding destination IP address are deleted from the refuse-service session list.
Step 309: the line card allows the session corresponding to the authentication request.
Further, for each authentication request packet, the line card identifies one session by the source IP address and destination IP address in the packet, that is, the session corresponding to each pair of source IP address and destination IP address has a unique identifier.
Step 310: the line card determines whether the session duration of the authentication request packet exceeds the preset noise identification duration; if not, go to step 311; if so, go to step 312.
The preset noise identification duration can be set flexibly according to the number of users at peak time and the load the authentication server can bear.
Step 311: the line card determines that the authentication request packet is a normal message.
After determining that the authentication request packet is a normal message, the line card sends it to the management engine at the normal message rate.
Step 312: the line card determines that the authentication request packet is a noise message and limits the rate at which the authentication request packet is sent to the management engine.
In a real network, when the access device suffers a link failure, when terminals respond slowly, or when the authentication server is overloaded, normal request sessions time out. To avoid mistaking normal authentication request packets for attack messages while still controlling attack messages effectively, authentication request packets whose session duration exceeds the preset noise identification duration are treated as noise messages. Noise messages include normal request messages whose sessions have timed out, but may also include attack messages that pose a real threat. Because noise messages may contain attack messages, and those attack messages would seize the bandwidth of normal users and reduce the processing performance of the device, after determining that an authentication request packet is a noise message this step limits the rate at which the message is sent up to the management engine: the rate is lowered so that noise messages are sent more slowly than normal messages, reducing the bandwidth that noise messages consume when reported to the management engine.
Step 313: the line card determines whether the session duration of the authentication request packet exceeds the preset session aging duration; if so, go to step 314; if not, go to step 315.
The preset session aging duration can be set flexibly according to the number of users at peak time and the load the authentication server can bear; it is larger than the preset noise identification duration.
Step 314: the line card determines that the authentication request packet is an attack message, disconnects the session of the authentication request packet, records the source IP address and destination IP address of the packet in the refuse-service session list, and starts the refuse-session timer.
Step 315: the line card determines that the authentication request packet is a noise message but not an attack message.
The purpose of comparing the session duration of the authentication request packet with the preset noise identification duration in step 310 above is to prevent an authentication request packet from being mistaken for an attack message when its session duration exceeds the preset noise identification duration only because a downstream terminal responds slowly or a downstream link is dropping packets heavily. An authentication request packet determined to be a noise message, whose session duration is above the preset noise identification duration but below the preset session aging duration, has its sending rate limited, but the authentication request process is not affected; if the user has still not authenticated and come online within this time, the packet is determined to be an attack message.
Because the line card identifies noise messages and attack messages in the ingress traffic, limits the rate at which noise messages are sent to the management engine, and refuses service to attack messages, interference from ingress noise messages is prevented during malicious attacks and peak periods, users can authenticate and access the network normally, and the processing efficiency of authentication requests is improved.
The attack message identification process of steps 303-314 above may specifically be performed by the noise identification module of the line card.
In the above method provided by Embodiment 1 of the present invention, attack messages among the authentication request packets that have not yet been authenticated are identified and filtered by comparing the session duration of each such packet with the preset session aging duration, which avoids the slow authentication or authentication failure caused by large numbers of attack messages and improves the processing efficiency of authentication requests. Classifying the noise messages and normal messages further relieves the load on the management engine and further improves the processing efficiency of authentication requests.
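The classification of step 302 and the identification flow of steps 303-315 (the same flow as steps 201-216 of Embodiment 1), written out as an added example that is not the patent's or the applicant's own code. The threshold values, the deny-timer lifetime, the authentication server address, the rate figures and the sample traffic are all constructed assumptions; the patent leaves these to the operator.

```python
"""Line-card style classifier for Web-authentication request packets, following
Embodiment 2 (steps 302-315). Added example, not the patent's own code; all
constants, field names and sample traffic are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

NOISE_THRESHOLD = 5.0        # assumed "preset noise identification duration", seconds
AGING_THRESHOLD = 30.0       # assumed "preset session aging duration"; must exceed NOISE_THRESHOLD
DENY_TIMER = 60.0            # assumed lifetime of a "refuse-session timer", seconds
AUTH_SERVER_IP = "10.0.0.1"  # constructed authentication server address
NORMAL_RATE = 1000           # assumed packets/s allowed toward the management engine
NOISE_RATE = 50              # assumed reduced rate for noise messages
assert NOISE_THRESHOLD < AGING_THRESHOLD

SessionKey = Tuple[str, str]            # (source IP, destination IP) identifies a session
UserKey = Tuple[str, str, int, int]     # (source IP, MAC, PORT, VID) = attribute information


@dataclass
class Packet:
    src_ip: str
    mac: str
    port: int
    vid: int
    dst_ip: str
    has_auth_info: bool   # carries credentials, i.e. is an authentication request packet
    ts: float             # arrival time in seconds


@dataclass
class LineCard:
    online_users: Set[UserKey] = field(default_factory=set)          # online user list (step 304)
    deny_list: Dict[SessionKey, float] = field(default_factory=dict)  # refuse-service list -> timer expiry
    sessions: Dict[SessionKey, float] = field(default_factory=dict)   # allowed session -> first seen

    def classify_request(self, pkt: Packet) -> str:
        """Step 302 (web proxy module): classify by destination and credentials."""
        if pkt.dst_ip != AUTH_SERVER_IP:
            return "pseudo-connection"
        return "authentication-required" if pkt.has_auth_info else "redirect"

    def handle(self, pkt: Packet) -> dict:
        """Run one packet through steps 302-315; returns its class and the action taken."""
        # Expire refuse-session timers (step 308) before consulting the list.
        for key, expiry in list(self.deny_list.items()):
            if pkt.ts >= expiry:
                del self.deny_list[key]
        kind = self.classify_request(pkt)
        if kind != "authentication-required":
            return {"class": kind, "action": "report"}  # management engine handles these
        if (pkt.src_ip, pkt.mac, pkt.port, pkt.vid) in self.online_users:
            return {"class": "authenticated", "action": "forward"}  # step 305
        key = (pkt.src_ip, pkt.dst_ip)
        if key in self.deny_list:
            return {"class": "denied", "action": "drop"}  # steps 307-308
        first_seen = self.sessions.setdefault(key, pkt.ts)  # step 309: allow the session
        duration = pkt.ts - first_seen
        if duration <= NOISE_THRESHOLD:  # steps 310-311: normal message at normal rate
            return {"class": "normal", "action": "send", "rate": NORMAL_RATE}
        if duration > AGING_THRESHOLD:   # steps 313-314: aged out, disconnect and deny
            del self.sessions[key]
            self.deny_list[key] = pkt.ts + DENY_TIMER
            return {"class": "attack", "action": "drop"}
        return {"class": "noise", "action": "send", "rate": NOISE_RATE}  # steps 312, 315

    def mark_authenticated(self, pkt: Packet) -> None:
        """Management engine reports success: record the user's attribute information."""
        self.online_users.add((pkt.src_ip, pkt.mac, pkt.port, pkt.vid))
        self.sessions.pop((pkt.src_ip, pkt.dst_ip), None)


def run_sample() -> List[str]:
    """Constructed trace: one slow client that ages out, then returns after the timer."""
    lc = LineCard()
    mac = "aa:bb:cc:dd:ee:01"
    trace = [
        Packet("192.0.2.10", mac, 1, 10, AUTH_SERVER_IP, True, 0.0),    # new session
        Packet("192.0.2.10", mac, 1, 10, AUTH_SERVER_IP, True, 3.0),    # within noise threshold
        Packet("192.0.2.10", mac, 1, 10, AUTH_SERVER_IP, True, 10.0),   # slow: noise, rate limited
        Packet("192.0.2.10", mac, 1, 10, AUTH_SERVER_IP, True, 31.0),   # aged out: attack
        Packet("192.0.2.10", mac, 1, 10, AUTH_SERVER_IP, True, 40.0),   # on refuse list: dropped
        Packet("192.0.2.10", mac, 1, 10, AUTH_SERVER_IP, True, 95.0),   # timer expired: new session
        Packet("192.0.2.20", mac, 2, 10, "198.51.100.5", False, 96.0),  # not the auth server
        Packet("192.0.2.30", mac, 3, 10, AUTH_SERVER_IP, False, 97.0),  # no credentials
    ]
    return [lc.handle(p)["class"] for p in trace]


if __name__ == "__main__":
    print(run_sample())
```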
Embodiment 3:
Based on the same inventive concept and corresponding to the attack message identification method provided by the above embodiments, Embodiment 3 of the present invention also provides an attack message identification device, whose structure is shown in Fig. 4 and which specifically includes:
a first determination unit 401, configured to determine, for an authentication request packet that has not yet been authenticated, the session duration of the authentication request packet;
a first comparison unit 402, configured to compare the session duration of the authentication request packet with the preset session aging duration;
a second determination unit 403, configured to determine that the authentication request packet is an attack message when its session duration exceeds the preset session aging duration.
Further, the first determination unit 401 is specifically configured to obtain the attribute information in the authentication request packet; search the online user list, which stores the attribute information of authentication request packets that have passed authentication, for the attribute information in the authentication request packet; and, when that attribute information is not found, determine that the authentication request packet has not yet been authenticated.
Further, the above device also includes:
a search unit 404, configured to search, after the authentication request packet has been determined not to have been authenticated, the refuse-service session list for the address information in the authentication request packet;
a session allowing unit 405, configured to allow the session corresponding to the authentication request packet when the address information is not found.
Further, the above device also includes:
a second comparison unit 406, configured to compare the session duration of the authentication request packet with the preset noise identification duration;
a third determination unit 407, configured to determine that the authentication request packet is a noise message when its session duration exceeds the preset noise identification duration, the preset noise identification duration being smaller than the preset session aging duration;
a limiting unit 408, configured to limit the rate at which the authentication request packet is sent to the management engine;
a fourth determination unit 409, configured to confirm that the authentication request packet is a normal message when its session duration does not exceed the preset noise identification duration.
Further, the above device also includes:
a classification unit 410, configured to classify authentication request packets;
a reporting unit 411, configured to report the classified messages to the management engine.
Further, the classification unit 410 is specifically configured to determine, after the authentication request packet has been confirmed to be a noise message or a normal message, whether the destination IP address in the authentication request packet is the same as the address of the authentication server; if so, determine that the authentication request packet is an authentication-required class message; if not, determine that the authentication request packet is a pseudo-connection class message; or
the classification unit 410 is specifically configured to receive a request message before the session duration of the authentication request packet is determined; determine whether the destination IP address in the request message is the same as the address of the authentication server; if so, determine that the authentication request packet is an authentication-required class message; if not, determine whether the request message carries authentication information, and determine that the request message is an authentication request packet when it carries authentication information, or a redirect class message when it does not.
The functions of the above units correspond to the processing steps in the flows shown in Fig. 1 or Fig. 2 and are not repeated here.
Embodiment 4:
Based on the same inventive concept and corresponding to the attack message identification method provided by the above embodiments, Embodiment 4 of the present invention also provides a core device, whose structure is shown in Fig. 5 and which includes a line card 501 and a management engine 502, wherein:
the line card 501 is configured to determine, for an authentication request packet that has not yet been authenticated, the session duration of the authentication request packet; compare the session duration with the preset session aging duration; determine that the authentication request packet is an attack message when the session duration exceeds the preset session aging duration; determine that the authentication request packet is a non-attack message when the session duration does not exceed the preset session aging duration; classify the non-attack message; and send the classified message to the management engine;
the management engine 502 is configured to receive the classified message and process it accordingly.
The further functions of the line card 501 and the management engine 502 included in the core device shown in Fig. 5 and provided in Embodiment 4 of the present invention correspond to the processing steps in the flows shown in Fig. 1 and Fig. 2 and are not repeated here.
In summary, the scheme provided by the embodiments of the present invention includes: for an authentication request packet that has not yet been authenticated, determining the session duration of the authentication request packet; comparing the session duration of the authentication request packet with a preset session aging duration; and, when the session duration of the authentication request packet exceeds the preset session aging duration, determining that the authentication request packet is an attack message. With the scheme provided by the embodiments of the present invention, the processing efficiency of authentication requests is improved.
The attack message identification device provided by the embodiments of the present application may be implemented by a computer program. Those skilled in the art should understand that the above division into modules is only one of many possible divisions; a device divided into other modules, or not divided into modules at all, still falls within the scope of protection of the present application as long as the attack message identification device has the functions described above.
The present application is described with reference to flow charts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flow charts and/or block diagrams, and any combination of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps is executed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flow charts and/or one or more blocks of the block diagrams.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include them.

Claims (11)

1. An attack message identification method, characterized by comprising:
for an authentication request packet that has not passed authentication, determining the session duration of the authentication request packet;
comparing the session duration of the authentication request packet with a preset session aging duration;
when the session duration of the authentication request packet exceeds the preset session aging duration, determining that the authentication request packet is an attack message;
comparing the session duration of the authentication request packet with a preset noise identification duration;
when the session duration of the authentication request packet exceeds the preset noise identification duration, determining that the authentication request packet is a noise message, the preset noise identification duration being smaller than the preset session aging duration;
limiting the rate at which the authentication request packet is sent to a management engine;
when the session duration of the authentication request packet does not exceed the preset noise identification duration, determining that the authentication request packet is a normal message.
2. The method according to claim 1, characterized in that determining that the authentication request packet has not yet been authenticated specifically comprises:
obtaining the attribute information in the authentication request packet;
searching an online user list for the attribute information in the authentication request packet, the online user list storing the attribute information of authentication request packets that have passed authentication;
when the attribute information in the authentication request packet is not found, determining that the authentication request packet has not yet been authenticated.
3. The method according to claim 2, characterized in that, after determining that the authentication request packet has not yet been authenticated, the method further comprises:
according to the address information in the authentication request packet, searching a refuse-service session list for the address information;
when the address information is not found, allowing the session corresponding to the authentication request packet.
4. The method according to claim 1, characterized by further comprising:
classifying authentication request packets;
reporting the classified messages to the management engine.
5. The method according to claim 4, characterized in that classifying authentication request packets specifically comprises:
after confirming that the authentication request packet is a noise message or a normal message, determining whether the destination IP address in the authentication request packet is the same as the address of an authentication server; if so, determining that the authentication request packet is an authentication-required class message; if not, determining that the authentication request packet is a pseudo-connection class message; or
before determining the session duration of the authentication request packet, receiving a request message; determining whether the destination IP address in the request message is the same as the address of the authentication server; if so, determining that the authentication request packet is an authentication-required class message; if not, determining whether the request message carries authentication information, and, when the request message carries authentication information, determining that the request message is an authentication request packet, or, when it does not, determining that the request message is a redirect class message.
6. An attack message identification device, characterized by comprising:
a first determination unit, configured to determine, for an authentication request packet that has not passed authentication, the session duration of the authentication request packet;
a first comparison unit, configured to compare the session duration of the authentication request packet with a preset session aging duration;
a second determination unit, configured to determine that the authentication request packet is an attack message when the session duration of the authentication request packet exceeds the preset session aging duration;
a second comparison unit, configured to compare the session duration of the authentication request packet with a preset noise identification duration;
a third determination unit, configured to determine that the authentication request packet is a noise message when the session duration of the authentication request packet exceeds the preset noise identification duration, the preset noise identification duration being smaller than the preset session aging duration;
a limiting unit, configured to limit the rate at which the authentication request packet is sent to a management engine;
a fourth determination unit, configured to confirm that the authentication request packet is a normal message when the session duration of the authentication request packet does not exceed the preset noise identification duration.
7. The device according to claim 6, characterized in that the first determination unit is specifically configured to obtain the attribute information in the authentication request packet; search an online user list, which stores the attribute information of authentication request packets that have passed authentication, for the attribute information in the authentication request packet; and, when the attribute information in the authentication request packet is not found, determine that the authentication request packet has not yet been authenticated.
8. The device according to claim 7, characterized by further comprising:
a search unit, configured to search a refuse-service session list for the address information in the authentication request packet after the authentication request packet has been determined not to have been authenticated;
a session allowing unit, configured to allow the session corresponding to the authentication request packet when the address information is not found.
9. The device according to claim 6, characterized by further comprising:
a classification unit, configured to classify authentication request packets;
a reporting unit, configured to report the classified messages to the management engine.
10. The device according to claim 9, characterized in that the classification unit is specifically configured to determine, after the authentication request packet has been confirmed to be a noise message or a normal message, whether the destination IP address in the authentication request packet is the same as the address of the authentication server; if so, determine that the authentication request packet is an authentication-required class message; if not, determine that the authentication request packet is a pseudo-connection class message; or
the classification unit is specifically configured to receive a request message before the session duration of the authentication request packet is determined; determine whether the destination IP address in the request message is the same as the address of the authentication server; if so, determine that the authentication request packet is an authentication-required class message; if not, determine whether the request message carries authentication information, and determine that the request message is an authentication request packet when it carries authentication information, or a redirect class message when it does not.
11. A core device, characterized by comprising a line card and a management engine, wherein:
the line card is the device according to any one of claims 6-10;
the management engine is configured to receive the classified messages sent by the CPU of the line card and process them accordingly.
CN201510025919.0A 2015-01-19 2015-01-19 A kind of attack message recognition methods, device and core equipment Active CN104601578B (en)

Publications (2)

Publication Number Publication Date
CN104601578A CN104601578A (en) 2015-05-06
CN104601578B true CN104601578B (en) 2018-05-22

CN105592180B (en) A kind of method and apparatus of Portal certification
CN110830446A (en) SPA security verification method and device
US11784993B2 (en) Cross site request forgery (CSRF) protection for web browsers
CN101567883B (en) Realization method for preventing MAC address forgery
CN106453321A (en) Authentication server, system and method, and to-be-authenticated terminal
EP4091313A1 (en) Wireless lan (wlan) public identity federation trust architecture
CN105812324A (en) Method, device and system for IDC information safety management
CN106537962B (en) Wireless network configuration, access and access method, device and equipment
Salim et al. Preventing ARP spoofing attacks through gratuitous decision packet
CN105391720A (en) User terminal login method and device
CN106209894A (en) A kind of method based on NGINX unified certification and system
Sedaghat The Forensics of DDoS Attacks in the Fifth Generation Mobile Networks Based on Software-Defined Networks.

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: Cangshan District of Fuzhou City, Fujian province 350002 Jinshan Road No. 618 Garden State Industrial Park 19 floor

Patentee after: RUIJIE NETWORKS CO., LTD.

Address before: Cangshan District of Fuzhou City, Fujian province 350002 Jinshan Road No. 618 Garden State Industrial Park 19 floor

Patentee before: Beijing Star-Net Ruijie Networks Co.,Ltd.