
Method and device for preventing denial service attack in access network

A denial-of-service attack prevention technology for access devices, applied in the field of communication technology security. It addresses three problems: the attacked host being unable to respond to external requests in a timely manner, existing methods not really eliminating the security impact of illegal DoS attack hosts, and the attacked host being unable to process other normal requests in a timely manner.

Active Publication Date: 2012-11-07
ALCATEL LUCENT SHANGHAI BELL CO LTD

AI Technical Summary

Problems solved by technology

Attacks of this kind exhaust resources: no matter how fast the computer's processing speed, how large its memory capacity, or how fast the network bandwidth, the consequences of the attack cannot be avoided.

[0003] Representative DoS attack methods include Ping of Death, TearDrop, SYN Flood, Land Attack, IP Spoofing DoS, etc. Although the specific implementations vary, they share the same fundamental purpose: to prevent the victim host or network from receiving and handling external requests, or from responding to external requests in a timely manner.

The specific manifestations are as follows:
1) Creating a large flow of useless data that congests the network to the attacked host, so that the attacked host cannot communicate normally with the outside world.
2) Exploiting a service provided by the attacked host, or a defect in how the transport protocol handles repeated connections, by sending aggressive repeated service requests at high frequency, so that the attacked host cannot process other normal requests in time.

In addition, after the user port isolation is restored, the illegal DoS-attacking host can continue to launch DoS attacks and affect communication under the user port, so this method does not really eliminate the potential security impact of the illegal DoS-attacking host.



Examples


Embodiment approach

[0040] In one embodiment, the judgment processing unit 312 deletes the record of the user host 23 corresponding to port N from the port configuration table 311 (the corresponding IP / MAC address is 192.168.1.120 -> 06:0F:B8:88:21:2D), sets the user port's "dynamic port address learning" option to "no", and starts the corresponding timer 313 to restore this option to "yes" after a certain period of time. The control device 33 then prohibits address learning for all user hosts under the user port within the set time range. This method may affect the addition of new legitimate user hosts under the user port within the set time range, but it does not affect legitimate user hosts that are already communicating. It prevents the DoS-attacking user host 23 from continuing the attack through IP / MAC address spoofing or by obtaining access with another IP address.
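A minimal model of the behaviour described in [0040], added here as an illustration and not taken from the patent: the offending host's record is deleted, address learning on the port is switched off, and a timer switches it back on. The class and method names, the 300-second hold time and every address other than 192.168.1.120 -> 06:0F:B8:88:21:2D are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UserPort:
    """One user port's slice of the port configuration table (311)."""
    table: dict = field(default_factory=dict)  # IP -> MAC of learned hosts
    dynamic_learning: bool = True              # "dynamic port address learning"
    restore_at: Optional[float] = None         # deadline held by the timer (313)

    def _tick(self, now: float) -> None:
        # Timer expiry: set the learning option back to "yes".
        if self.restore_at is not None and now >= self.restore_at:
            self.dynamic_learning = True
            self.restore_at = None

    def isolate(self, ip: str, now: float, hold_seconds: float) -> None:
        # Delete the offending host's record and freeze learning on the port.
        self.table.pop(ip, None)
        self.dynamic_learning = False
        self.restore_at = now + hold_seconds

    def forward(self, ip: str, mac: str, now: float) -> bool:
        """Return True if a frame from (ip, mac) is given service."""
        self._tick(now)
        if self.table.get(ip) == mac:
            return True                        # host already in the table
        if self.dynamic_learning and ip not in self.table:
            self.table[ip] = mac               # learn a new host
            return True
        return False                           # unknown or mismatched binding


def demo() -> dict:
    mac23 = "06:0F:B8:88:21:2D"                # user host 23, from the page
    port = UserPort(table={
        "192.168.1.120": mac23,
        "192.168.1.121": "06:0F:B8:88:21:2E",  # constructed legitimate host
    })
    port.isolate("192.168.1.120", now=0.0, hold_seconds=300.0)  # assumed hold
    return {
        "same_binding": port.forward("192.168.1.120", mac23, 10.0),
        "other_ip": port.forward("192.168.1.200", mac23, 20.0),
        "spoofed_mac": port.forward("192.168.1.120", "02:00:00:00:00:01", 30.0),
        "legit_existing": port.forward("192.168.1.121", "06:0F:B8:88:21:2E", 40.0),
        "new_host_in_hold": port.forward("192.168.1.122", "06:0F:B8:88:21:2F", 50.0),
        "new_host_after": port.forward("192.168.1.122", "06:0F:B8:88:21:2F", 301.0),
    }
```

The last two results show the trade-off the paragraph names: a new legitimate host is refused during the hold window and learned once the timer has restored the option.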

[0041] In another embodiment, the judgment processing unit 312 sets the "blacklist" option of the correspondin...


Abstract

The invention provides a method and a device for preventing denial of service attacks in communication network access equipment. The method comprises the following steps: (a) detecting a data communication protocol message from a user port; (b) recognizing an illegal user host generating a denial of service attack at the user port and updating the user port configuration so as to isolate the illegal user host; and (c) supplying communication service to legal user hosts according to the user port configuration. The invention can effectively identify the real DoS-attacking user host at a user port of the network access equipment and isolate it without affecting the communication service of other normal user hosts.

Description

Technical field

[0001] The invention relates to the security field of communication technology, in particular to a method for preventing DoS (denial of service) attacks in access network equipment and a corresponding device.

Background technique

[0002] A DoS attack is a deliberate attack on defects in network protocol implementations to exhaust the resources of the attacked object. Its purpose is to make the target computer or network unable to provide normal services or resource access, so that the target system stops responding or even crashes. These service resources include network bandwidth, file system space capacity, and the open processes or connections allowed. Attacks of this kind exhaust resources: no matter how fast the computer's processing speed, how large its memory capacity, or how fast the network bandwidth, the consequences of the attack cannot be avoided.

[0003] Representative DoS attack methods include P...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L12/26, H04L29/06, H04L12/56, H04L12/28
Inventor: 郑大勇, 赵喜鸿, 吕小鹏
Owner: ALCATEL LUCENT SHANGHAI BELL CO LTD