CN102833268B - Method, equipment and system for resisting wireless network flooding attack - Google Patents
Publication number: CN102833268B (application CN201210344628.4A)
Authority: CN (China)
Prior art keywords: sta, target url, access, url, request message
Legal status: Expired - Fee Related (status as listed by Google Patents; not a legal conclusion)
Classification: Y02A30/00 - Adapting or protecting infrastructure or their operation (Y02A - Technologies for adaptation to climate change)
Landscapes: Mobile Radio Communication Systems
Abstract
Embodiments of the present invention provide a method, device and system for resisting wireless network flooding attacks. The method includes: a first wireless access network device (AP) obtains the total number of times a wireless station (STA) accesses a target webpage address (URL) in a first period, and records the ratio of the total number of accesses to the period time; if the ratio is greater than a preset threshold, the first AP denies the STA access to the target URL and sends to the wireless access controller (AC) a policy enforcement request message including the STA's identifier and the target URL, so that the AC sends an access deny message including the STA's identifier and the target URL to at least one second AP, so that the at least one second AP denies the STA access to the target URL. Embodiments of the present invention can improve the security and reliability of the wireless access network devices of the entire network.
Description
Technical field
Embodiments of the present invention relate to communication technology, and in particular to a method, device and system for resisting wireless network flooding attacks.
Background
A WLAN (wireless local area network) is the product of combining computer networking with wireless communication technology. Users can access the network through a WLAN at any time and from any place, and thus make convenient use of network resources.
In a WLAN, the forwarding of wireless network flooding packets directly affects the performance and security of the wireless network. In the prior art, flooding attack detection mainly consists of monitoring and counting the traffic of wireless mobile terminals: when the packet traffic of a wireless mobile terminal exceeds a preset threshold, the terminal is added to a blacklist and the packets it sends are discarded.
With the prior-art method of resisting flooding attacks based on traffic detection, the wireless access network devices of the entire network cannot block the source of the flooding attack, and legitimate packets are discarded at the same time, so the security and reliability of the wireless access network devices of the entire network are low.
Summary of the invention
Embodiments of the present invention provide a method, device and system for resisting wireless network flooding attacks, so as to improve the security and reliability of the wireless access network devices of the entire network.
In one aspect, an embodiment of the present invention provides a method for resisting wireless network flooding attacks, including:
a first wireless access network device (AP) obtains the total number of times a wireless station (STA) accesses a target webpage address (URL) in a first period, and records the ratio of the total number of accesses to the first period time;
if the ratio is greater than a preset threshold, the first AP denies the STA access to the target URL and sends to the wireless access controller (AC) a policy enforcement request message including the STA's identifier and the target URL, so that the AC sends an access deny message including the STA's identifier and the target URL to at least one second AP, so that the at least one second AP denies the STA access to the target URL.
An embodiment of the present invention further provides another method for resisting wireless network flooding attacks, including:
a wireless access controller (AC) receives a policy enforcement request message sent by a first wireless access network device (AP) and carrying the identifier of a wireless station (STA) and a target webpage address (URL);
the AC generates, according to the policy enforcement request message, an access deny message carrying the STA's identifier and the target URL, and sends the access deny message to at least one second AP, so that the at least one second AP denies the STA access to the target URL.
In another aspect, an embodiment of the present invention provides a wireless access network device, including:
a collection module, configured to obtain the total number of times a wireless station (STA) accesses a target webpage address (URL) in a first period, and to record the ratio of the total number of accesses to the first period time;
a policy enforcement module, configured to deny the STA access to the target URL if the ratio is greater than a preset threshold, and to send to the wireless access controller (AC) a policy enforcement request message including the STA's identifier and the target URL, so that the AC sends an access deny message including the STA's identifier and the target URL to at least one other AP, so that the at least one other AP denies the STA access to the target URL.
An embodiment of the present invention further provides a wireless access controller, including:
a receiving module, configured to receive a policy enforcement request message sent by a wireless access network device (AP) and carrying the identifier of a wireless station (STA) and a target webpage address (URL);
a notification module, configured to generate, according to the policy enforcement request message, an access deny message carrying the STA's identifier and the target URL, and to send the access deny message to at least one other AP, so that the at least one other AP denies the STA access to the target URL.
In yet another aspect, an embodiment of the present invention further provides a system for resisting wireless network flooding attacks, including any of the wireless access network devices described above and any of the wireless access controllers described above.
In the method, device and system for resisting wireless network flooding attacks provided by embodiments of the present invention, the first wireless access network device (AP) obtains the total number of times the wireless station (STA) accesses the target webpage address (URL) in the first period and records the ratio of the total number of accesses to the period time, which gives the average frequency at which the STA accesses the target URL per unit time. When the ratio is greater than the preset threshold, the first AP denies the STA access to the target URL, but does not deny the STA access to other URLs. The first AP sends to the AC a policy enforcement request message including the STA's identifier and the target URL, so that the AC sends an access deny message including the STA's identifier and the target URL to at least one second AP, so that the at least one second AP denies the STA access to the target URL. This identifies the flooding attack source across the entire network and denies the attack source's flooding access, improving the security and reliability of the wireless access network devices of the entire network.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a flow chart of Embodiment 1 of the method for resisting wireless network flooding attacks according to the present invention;
FIG. 2 is a flow chart of Embodiment 2 of the method for resisting wireless network flooding attacks according to the present invention;
FIG. 3 is a flow chart of Embodiment 3 of the method for resisting wireless network flooding attacks according to the present invention;
FIG. 4 is a schematic structural diagram of Embodiment 1 of the wireless access network device according to the present invention;
FIG. 5 is a schematic structural diagram of Embodiment 2 of the wireless access network device according to the present invention;
FIG. 6 is a schematic structural diagram of Embodiment 3 of the wireless access network device according to the present invention;
FIG. 7 is a schematic structural diagram of Embodiment 1 of the wireless access controller according to the present invention;
FIG. 8 is a schematic structural diagram of Embodiment 2 of the wireless access controller according to the present invention;
FIG. 9 is a schematic structural diagram of Embodiment 1 of the system for resisting wireless network flooding attacks according to the present invention;
FIG. 10 is a schematic structural diagram of Embodiment 2 of the system for resisting wireless network flooding attacks according to the present invention.
Detailed description of embodiments
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The technical solution of the present invention can be applied in a wireless local area network (WLAN). WLAN technology is based on the 802.11 medium access control standard proposed by the Institute of Electrical and Electronics Engineers, which defines the air interface specification between a wireless station (STA) and a wireless access network device (access point, AP). A STA is a client of the wireless network; specifically, it may be a computer containing an 802.11 wireless network interface card. An AP is similar to a base station in a cellular network: it creates a basic set of services and bridges a large number of STAs from the wireless network to other existing networks. STAs and APs communicate over a shared wireless channel.
A wireless access controller (AC) is a network device that is the core of a wireless network and is responsible for managing the APs in it. Management of APs includes delivering configurations, modifying configuration parameters, intelligent radio frequency management, and so on. Current WiFi coverage mostly uses the AC+AP deployment mode, with one AC and multiple APs in the wireless network, which facilitates centralized management of the wireless network.
FIG. 1 is a flow chart of Embodiment 1 of the method for resisting wireless network flooding attacks according to the present invention. As shown in FIG. 1, the method of this embodiment may include:
Step 101: the first AP obtains the total number of times the STA accesses the target webpage address (Uniform Resource Locator, URL) in the first period, and records the ratio of the total number of accesses to the first period time;
Every web page on the Internet has a unique name identifier, usually called a web address and commonly known as a "URL". After the wireless station STA associates with the first AP, the first AP obtains the total number of times the STA accesses the target URL within the first period time, and records the ratio of the total number of accesses to the period time. For example, if the period time of the first period is T and the total number of accesses is Ci, the ratio K is Ci/T, that is, the average frequency at which the STA accesses the target URL per unit time. The period time of the first period can be set according to actual needs and is not specifically limited here.
Step 102: if the ratio is greater than the preset threshold, the first AP denies the STA access to the target URL and sends to the wireless access controller AC a policy enforcement request message including the STA's identifier and the target URL, so that the AC sends an access deny message including the STA's identifier and the target URL to at least one second AP, so that the at least one second AP denies the STA access to the target URL. The at least one second AP may specifically be all APs in the entire network other than the first AP, but may also be only some of the second APs.
If the ratio K in step 102 is greater than the preset threshold, the first AP denies the STA access to the target URL and sends to the wireless access controller AC a policy enforcement request message containing the STA's identifier and the target URL. Sending this message to the AC covers two cases: when the first AP is in the running state, the first AP encapsulates the STA's identifier and the target URL in a Request message as the policy enforcement request message; when the first AP is joining the AC, the first AP encapsulates the STA's identifier and the target URL in a Discover message as the policy enforcement request message. The STA's identifier may be the STA's MAC address, or an IP address, and so on; the policy enforcement request message contains the STA's identifier and the target URL accessed by the STA. After the AC receives the policy enforcement request message, it sends the first AP a response message acknowledging receipt; if the first AP's wait times out without a response message from the AC, it resends the policy enforcement request message to the AC. If the ratio K in step 102 is less than the preset threshold, the first AP enters the next period and starts recording the access count afresh.
In the method for resisting wireless network flooding attacks provided by this embodiment, the first wireless access network device AP obtains the total number of times the wireless station STA accesses the target webpage address URL in the first period and records the ratio of the total number of accesses to the period time, which gives the average frequency at which the STA accesses the target URL per unit time. When the ratio is greater than the preset threshold, the first AP denies the STA access to the target URL, but does not deny the STA access to other URLs. The first AP sends to the AC a policy enforcement request message including the STA's identifier and the target URL, so that the AC sends an access deny message including the STA's identifier and the target URL to at least one second AP, so that the at least one second AP denies the STA access to the target URL. This identifies the flooding attack source across the entire network and denies the attack source's flooding access, improving the security and reliability of the wireless access network devices of the entire network.
FIG. 2 is a flow chart of Embodiment 2 of the method for resisting wireless network flooding attacks according to the present invention. As shown in FIG. 2, before the first AP obtains the total number of times the STA accesses the target URL in the first period, the method further includes:
Step 201: when the STA associates with the first AP, the first AP records the STA's identifier, initializes the statistics record table and starts a timer;
Step 202: the first AP determines whether the timer has expired; if not, step 204 is performed; if so, step 203 is performed;
Step 203: if the timer has expired, the first AP records the total number of times the STA has accessed the target URL in the statistics record table;
Step 204: if the timer has not expired, the first AP receives at least one Hypertext Transfer Protocol (HTTP) request message sent by the STA and decapsulates it, obtaining the target URL corresponding to the STA's identifier;
Step 205: determine whether the at least one HTTP request message belongs to the target URL; if so, step 206 is performed; if not, return to step 202;
Step 206: the count of the STA's accesses to the target URL is increased by 1, and the method returns to step 202.
In a specific implementation, in step 201, when the STA associates with the first AP, the first AP records the STA's identifier and initializes the statistics record table. The statistics record table records the STA's identifier, the target URL, the statistical count, and so on.
In step 202, the first AP determines whether the timer has expired, where the timer's duration is the first period time. If the timer has expired, the first AP records the total number of times the STA accessed the target URL and starts timing the next period.
If the timer has not expired, the method proceeds to step 204: the first AP receives one or more Hypertext Transfer Protocol (HTTP) request messages sent by the STA, decapsulates them, and obtains the target URL corresponding to the STA's identifier.
In step 205, it is determined whether the one or more HTTP messages of step 204 belong to the target URL. If so, the method proceeds to step 206: the count of the STA's accesses to the target URL is increased by 1, the message is forwarded at the same time, and the method returns to step 202. If not, the method likewise returns to step 202. The above steps repeat until the timer expires.
In the method for resisting wireless network flooding attacks provided by this embodiment, recording the total number of times the STA accesses the target URL within the period time yields the number of times a specific STA accesses a specific webpage address, which provides reliable data for the first AP to identify the specific attack source and the target URL that the attack source accesses.
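As an added illustration (not code from the patent), the following Python model shows the first-AP side of Embodiments 1 and 2: each decapsulated HTTP request is attributed to a canonical URL (steps 204 and 205), counted per (STA, URL) pair in a statistics table (step 206), and when the period timer expires the ratio K = Ci/T is compared with the preset threshold (steps 203, 101 and 102); a pair that exceeds it is locked for the preset time, other URLs of the same STA are still forwarded, and the policy enforcement request the AP would send to the AC is returned. The MAC addresses, URL, period, threshold and lock time are constructed sample values.

```python
from collections import defaultdict
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample values (not from the patent): two STA MAC addresses and a target URL.
STA_A = "02:00:00:00:00:0a"
STA_B = "02:00:00:00:00:0b"
TARGET = "http://portal.example.test/login"


def canonical_url(url: str) -> str:
    """Canonicalise a URL so trivial variants of the same target compare equal (step 205)."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path or '/'}"


def url_from_http_request(raw: str) -> Optional[str]:
    """Recover the target URL from a decapsulated HTTP/1.x request (step 204).

    Returns None when the request line or Host header is missing, so a malformed
    request is neither counted against the target nor mistaken for it."""
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    target = parts[1]
    if target.startswith(("http://", "https://")):   # absolute-form request target
        return canonical_url(target)
    for hdr in lines[1:]:
        name, sep, value = hdr.partition(":")
        if sep and name.strip().lower() == "host":
            return canonical_url("http://" + value.strip() + target)
    return None


class ApFloodDetector:
    """First-AP side: per-(STA, URL) access counters over a period of T seconds."""

    def __init__(self, period_s: float, threshold_per_s: float, lock_s: float):
        self.period_s = period_s            # T, the first period time
        self.threshold = threshold_per_s    # preset threshold compared against K = Ci / T
        self.lock_s = lock_s                # preset lock time reported to the AC
        self.window_start: Optional[float] = None
        self.counts = defaultdict(int)      # statistics record table: (sta, url) -> Ci
        self.locked = {}                    # (sta, url) -> time at which the lock ends

    def on_associate(self, sta_mac: str, now: float) -> None:
        """Step 201: a STA associates; the period timer starts on the first association."""
        if self.window_start is None:
            self.window_start = now

    def on_http_request(self, sta_mac: str, raw: str, now: float) -> str:
        """Steps 204-206: attribute the request to a URL, count it, then forward or deny."""
        url = url_from_http_request(raw)
        if url is None:
            return "forward"                 # not attributable to any URL: nothing to count
        key = (sta_mac, url)
        until = self.locked.get(key)
        if until is not None and now < until:
            return "deny"                    # locked for this URL only; other URLs still pass
        self.locked.pop(key, None)           # lock expired: forget it
        self.counts[key] += 1
        return "forward"

    def on_timer(self, now: float) -> list:
        """Steps 202/203 and 101/102: when the timer expires, compute K = Ci / T per entry
        and return the policy enforcement requests the AP would send to the AC."""
        if self.window_start is None or now - self.window_start < self.period_s:
            return []
        requests = []
        for (sta, url), ci in self.counts.items():
            k = ci / self.period_s
            if k > self.threshold:
                self.locked[(sta, url)] = now + self.lock_s
                requests.append({"sta": sta, "url": url, "rate": k, "lock_s": self.lock_s})
        self.counts = defaultdict(int)       # next period: counting starts afresh
        self.window_start = now
        return requests


def run_scenario() -> tuple:
    """Constructed scenario: STA_A floods TARGET while STA_B browses normally."""
    ap = ApFloodDetector(period_s=10.0, threshold_per_s=5.0, lock_s=300.0)
    ap.on_associate(STA_A, now=0.0)
    ap.on_associate(STA_B, now=0.0)
    hit = "GET /login HTTP/1.1\r\nHost: Portal.Example.Test\r\n\r\n"
    other = "GET /help HTTP/1.1\r\nHost: portal.example.test\r\n\r\n"
    for i in range(80):
        ap.on_http_request(STA_A, hit, now=i * 0.1)
    for i in range(3):
        ap.on_http_request(STA_B, hit, now=i * 2.0)
    policy = ap.on_timer(now=10.0)           # K_A = 80 / 10 = 8 > 5; K_B = 0.3
    return (policy,
            ap.on_http_request(STA_A, hit, now=11.0),     # locked target URL
            ap.on_http_request(STA_A, other, now=11.0),   # same STA, other URL
            ap.on_http_request(STA_B, hit, now=11.0))     # well-behaved STA
```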
Optionally, the first AP denying the STA access to the target URL includes: denying the STA access to the target URL for a preset time;
and the policy enforcement request message further includes information on the preset time, so that the at least one second AP denies the STA access to the target URL for the preset time.
Specifically, the first AP may lock, for a preset time, the access to the target URL of a STA whose ratio of total accesses to period time exceeds the threshold; within that lock time the STA is prohibited from accessing the target URL. The lock time is the preset time; its length can be set according to actual needs and is not specifically limited by the present invention.
The first AP sends the AC a policy enforcement request message including the preset time information, that is, the message includes the STA's identifier, the target URL and the preset time information. The AC sends an access deny message to at least one second AP, which causes the at least one second AP to deny access to the target URL by the STA whose ratio of total accesses to period time exceeds the threshold.
At the same time, as long as the first AP has not sent a policy release request message to the AC within the preset time, all second APs attached to the AC deny the STA access to the target URL.
The method for resisting wireless network flooding attacks provided by this embodiment enables the APs of the entire network to resist the STA's wireless network flooding attack for the preset time and, while doing so, denies the STA access only to the target URL, not to other URLs.
On the basis of Embodiment 1 and Embodiment 2 of the method of the present invention, after the first AP denies the STA access to the URL and sends the AC the policy enforcement request message including the STA's identifier and the target URL, the method further includes:
after the preset time has elapsed, the first AP allows the STA to access the target URL and sends to the AC a policy release request message including the STA's identifier and the target URL, so that the AC sends an access allow message including the STA's identifier and the target URL to the at least one second AP, so that the at least one second AP allows the STA to access the target URL.
That is, the first AP allows the STA to access the target URL and sends the AC a policy release request message including the STA's identifier and the target URL, so that the AC sends an access allow message including the STA's identifier and the target URL to the at least one second AP, so that the at least one second AP allows the STA to access the target URL. A person skilled in the art will understand that, because the policy enforcement message includes the preset time information, the AC may also, after the preset time has elapsed, send the second AP an access allow message including the STA's identifier and the target URL on its own. Correspondingly, sending the policy release request message including the STA's identifier and the target URL to the AC covers two cases: when the first AP is in the running state, the first AP encapsulates the STA's identifier and the target URL in a Request message as the policy release request message; when the first AP is joining the AC, the first AP encapsulates the STA's identifier and the target URL in a Discover message as the policy release request message.
The method for resisting wireless network flooding attacks provided by this embodiment enables the APs of the entire network to resist the STA's wireless network flooding attack for the preset time and, while doing so, denies the STA access only to the target URL, not to other URLs. After the preset time, the first AP allows the STA to access the target URL, sends the AC a policy release request message including the STA's identifier and the target URL, and releases the lock on the STA, so that the at least one second AP allows the STA to access the target URL.
In the above method embodiments, specifically, the STA's identifier is the STA's media access control (MAC) address. The MAC address defines the location of a network device; it is the address that actually identifies the sending STA and the receiving STA when data are transmitted, and it is generally globally unique. Using the STA's MAC address as the STA's identifier identifies the STA precisely.
图3为本发明抵抗无线网络泛洪攻击的方法实施例三的流程图,如图3所示,本发明实施例提供的方法流程包括以下步骤:FIG. 3 is a flow chart of Embodiment 3 of the method for resisting wireless network flooding attacks according to the present invention. As shown in FIG. 3 , the method flow provided by the embodiment of the present invention includes the following steps:
步骤301:AC接收第一无线接入网设备AP发送的携带无线工作站STA的标识和目标网页地址URL的策略执行请求报文;Step 301: The AC receives the policy enforcement request message carrying the identification of the wireless workstation STA and the target webpage address URL sent by the first wireless access network device AP;
步骤302:AC根据策略执行请求报文生成携带STA的标识和目标URL的拒绝访问报文,并将拒绝访问报文发送给至少一个第二AP,以使至少一个第二AP拒绝STA访问目标URL。Step 302: The AC generates an access deny message carrying the STA's identity and the target URL according to the policy execution request message, and sends the access deny message to at least one second AP, so that at least one second AP refuses the STA to access the target URL .
在具体实现过程中,AC收到第一AP发送的策略执行请求报文后,进行解封装,得到STA的标识和目标URL的参数信息,并将STA的标识和目标URL的参数信息重新生成拒绝访问报文,并将拒绝访问报文发送给至少一个第二AP,AC还可周期性的将拒绝访问报文发送给至少一个第二AP,时间周期可以为20S或30S等,具体的周期时间,本发明在此不作特别限制。上述的至少一个第二AP为第一AP以外的其它AP设备,当AC需要全网通告时,可将拒绝访问报文发送给全网的第二AP,也可根据需要发送给部分第二AP。至少一个第二AP收到拒绝访问报文后,拒绝STA访问目标网页地址URL,并向AC发送接收到拒绝访问报文的响应报文,AC通告第一AP处理完毕。In the specific implementation process, after the AC receives the policy enforcement request message sent by the first AP, it decapsulates it, obtains the STA identity and the parameter information of the target URL, and regenerates the STA identity and the parameter information of the target URL to reject access message, and send the access deny message to at least one second AP, AC can also periodically send the access deny message to at least one second AP, the time period can be 20S or 30S, etc., the specific cycle time , the present invention is not particularly limited here. The above-mentioned at least one second AP is other AP devices other than the first AP. When the AC needs to notify the whole network, it can send the access deny message to the second AP of the whole network, and can also send it to some second APs as needed. . After at least one second AP receives the access deny message, it rejects the STA's access to the target web page address URL, and sends a response message to the AC, and the AC notifies the first AP that the processing is complete.
In the method for resisting wireless network flooding attacks provided by this embodiment, the AC receives from the first AP a policy execution request message carrying the STA identifier and the target URL, generates from it an access deny message carrying the STA identifier and the target URL, and sends that message to at least one second AP so that the second AP(s) deny the STA access to the target URL. This identifies the flooding source network-wide and denies its flooding access, improving the security and reliability of the radio access network devices across the whole network.
Optionally, the policy execution request message further includes preset time information, so that the at least one second AP denies the STA access to the target URL for the preset time.
Specifically, the AC receives from the first AP a policy execution request message that includes the preset time information, i.e. the message carries the STA identifier, the target URL and the preset time; the access deny message the AC sends to the second AP(s) then causes them to deny access to the target URL by the STA whose ratio of total accesses to period time exceeded the threshold.
Meanwhile, as long as the first AP has not sent a policy release request message to the AC within the preset time, every second AP attached to the AC keeps denying that STA access to the target URL.
With the method provided by this embodiment, the APs of the whole network resist the STA's wireless network flooding attack for the preset time, and while doing so they deny the STA access only to the target URL, not to other URLs.
Building on the third method embodiment above, after the AC receives from the first AP the policy execution request message carrying the STA identifier and the target URL, the method further includes:
after the preset time has elapsed, the AC receives a policy release request message including the STA identifier and the target URL, and sends an access allow message containing the STA identifier and the target URL to the at least one second AP, so that the at least one second AP allows the STA to access the target URL.
The AC sends the access allow message including the STA identifier and the target URL to the at least one second AP. As with the deny message, the AC may resend the access allow message periodically so that the network-wide notification stays timely; the period may be 20 s or 30 s, for example, and is not restricted here. After receiving the access allow message, the second AP(s) allow the STA to access the target URL. Those skilled in the art will appreciate that, because the policy execution message carries the preset time, the AC may also send the access allow message including the STA identifier and the target URL to the second AP(s) on its own initiative once the preset time has elapsed.
The access deny and access allow messages the AC sends to its attached second APs may specifically be control messages of the Control And Provisioning of Wireless Access Points (CAPWAP) protocol, consisting of an IP header, a User Datagram Protocol (UDP) header, a CAPWAP header, the CAPWAP control layer and the message content. The message content carries vendor information, location information, attack information (including the STA identifier and the target URL) and AP operating information, each encapsulated into the CAPWAP message in Type-Length-Value (TLV) format. CAPWAP messages inherit the advantages of the CAPWAP tunnel, including Network Address Translation (NAT) traversal and security. That security matters here: in RFC 5415 the CAPWAP control channel is carried over DTLS, and without an authenticated control channel anyone who can reach the AC-to-AP path could forge deny messages and turn the mechanism into a denial of service against legitimate STAs.
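The AC-to-AP exchange described in this and the preceding paragraphs (deny message generated from the policy request, allow message on release or when the preset time runs out, URL-specific rule kept by each second AP), as an added Python example that is not part of the patent or Ruijie's own code. Only the TLV message body is modelled; the IP/UDP/CAPWAP headers and the DTLS channel are left out. The TLV type codes, field widths, the Action field, the `AccessController` and `SecondAp` class names and the sample MAC address and URL are assumptions made for this example.

```python
"""Added example, not code from the patent or its assignee: the deny/allow
notification the AC fans out to its other APs, modelled as the TLV message body
described above, together with the rule table a second AP keeps.  The outer
IP/UDP/CAPWAP headers and the DTLS channel are not modelled, and the TLV type
codes, field widths and the Action field are assumptions made for this example."""
import struct

# Assumed TLV type codes: the patent names these fields but not their encoding.
T_ACTION, T_VENDOR, T_LOCATION, T_STA_MAC, T_TARGET_URL, T_PRESET_TIME = 1, 2, 3, 4, 5, 6
ACTION_DENY, ACTION_ALLOW = 0, 1


def _tlv(t, value):
    """Type (1 byte) | Length (2 bytes, network order) | Value."""
    return struct.pack("!BH", t, len(value)) + value


def build_policy_message(action, sta_mac, target_url, preset_seconds,
                         vendor="example-vendor", location="building-A"):
    """Serialise one deny (ACTION_DENY) or allow (ACTION_ALLOW) message body."""
    mac = bytes.fromhex(sta_mac.replace(":", ""))
    if len(mac) != 6:
        raise ValueError("STA identifier must be a 48-bit MAC address")
    return b"".join([
        _tlv(T_ACTION, bytes([action])),
        _tlv(T_VENDOR, vendor.encode("utf-8")),
        _tlv(T_LOCATION, location.encode("utf-8")),
        _tlv(T_STA_MAC, mac),
        _tlv(T_TARGET_URL, target_url.encode("utf-8")),
        _tlv(T_PRESET_TIME, struct.pack("!I", preset_seconds)),
    ])


def parse_policy_message(data):
    """Walk the TLVs, rejecting truncated input and missing mandatory fields.
    Unknown types are skipped so a newer AC can add fields without breaking older APs."""
    fields, off = {}, 0
    while off < len(data):
        if off + 3 > len(data):
            raise ValueError("truncated TLV header")
        t, ln = struct.unpack_from("!BH", data, off)
        off += 3
        val = data[off:off + ln]
        if len(val) != ln:
            raise ValueError("truncated TLV value")
        off += ln
        if t == T_ACTION and ln == 1:
            fields["action"] = val[0]
        elif t == T_STA_MAC and ln == 6:
            fields["sta_mac"] = ":".join(f"{b:02x}" for b in val)
        elif t == T_TARGET_URL:
            fields["target_url"] = val.decode("utf-8")
        elif t == T_PRESET_TIME and ln == 4:
            fields["preset_time"] = struct.unpack("!I", val)[0]
        elif t == T_VENDOR:
            fields["vendor"] = val.decode("utf-8")
        elif t == T_LOCATION:
            fields["location"] = val.decode("utf-8")
    for required in ("action", "sta_mac", "target_url"):
        if required not in fields:
            raise ValueError("missing mandatory field " + required)
    return fields


class AccessController:
    """AC side: turn the first AP's request into one message per other AP."""

    def __init__(self, ap_ids):
        self.ap_ids = set(ap_ids)

    def _fan_out(self, from_ap, msg):
        # The first AP already enforces locally; every other attached AP gets the message.
        return {ap: msg for ap in self.ap_ids if ap != from_ap}

    def handle_policy_request(self, from_ap, sta_mac, target_url, preset_seconds):
        msg = build_policy_message(ACTION_DENY, sta_mac, target_url, preset_seconds)
        return self._fan_out(from_ap, msg)

    def handle_release_request(self, from_ap, sta_mac, target_url):
        return self._fan_out(from_ap, build_policy_message(ACTION_ALLOW, sta_mac, target_url, 0))


class SecondAp:
    """Second AP: maps (STA MAC, URL) to the time its deny rule expires.  Only the
    flooded URL is blocked, and a rule lapses by itself once the preset time is up."""

    def __init__(self):
        self.rules = {}

    def apply(self, data, now):
        f = parse_policy_message(data)
        key = (f["sta_mac"], f["target_url"])
        if f["action"] == ACTION_DENY:
            self.rules[key] = now + f["preset_time"] if "preset_time" in f else None
        else:
            self.rules.pop(key, None)

    def permits(self, sta_mac, url, now):
        key = (sta_mac, url)
        if key not in self.rules:
            return True
        expiry = self.rules[key]
        if expiry is not None and now >= expiry:   # preset time elapsed: lift locally
            del self.rules[key]
            return True
        return False
```

`handle_policy_request` returns the bytes each second AP would receive, keyed by AP; a deny with no preset-time TLV stays in force until an allow message arrives, which is the base embodiment's behaviour. The parser refuses truncated TLVs rather than reading past the buffer, which is the check a receiving AP needs before trusting any field.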
With the method provided by this embodiment, the APs of the whole network resist the STA's flooding attack for the preset time while denying the STA access only to the target URL and not to other URLs. After the preset time, the AC receives the policy release request message including the STA identifier and the target URL, sends an access allow message containing the STA identifier and the target URL to the at least one second AP, and so lifts the lock on the STA, letting the second AP(s) allow it to access the target URL.
In the method embodiments above, the STA identifier is specifically the STA's media access control (MAC) address, which identifies the STA precisely within the WLAN. Note that a client can change the MAC address it presents, so the identifier pins down the interface as seen by the AP rather than the attacker behind it.
Fig. 4 is a structural diagram of a first embodiment of the radio access network device of the present invention. As shown in Fig. 4, the radio access network device AP 40 comprises a collection module 41 and a policy execution module 42. The collection module 41 obtains the total number of accesses by a wireless station STA to a target URL during a first period and records the ratio of that total to the length of the first period. If the ratio exceeds a preset threshold, the policy execution module 42 denies the STA access to the target URL and sends a policy execution request message including the STA identifier and the target URL to the radio access network controller AC, so that the AC sends an access deny message including the STA identifier and the target URL to at least one other AP, which then denies the STA access to the target URL.
In the radio access network device of this embodiment, the collection module obtains the total number of accesses by the STA to the target URL in the first period and records the ratio of that total to the period length, which gives the STA's average access frequency for the target URL per unit time. When the ratio exceeds the preset threshold, the policy execution module denies the STA access to the target URL but not to other URLs, and sends the policy execution request message including the STA identifier and the target URL so that the AC sends an access deny message with the same contents to at least one other AP, which then denies the STA access to the target URL. This identifies the flooding source network-wide, denies its flooding access, and improves the security and reliability of the radio access network devices across the whole network.
The radio access network device of this embodiment can carry out the technical solution of the method embodiment shown in Fig. 1; its implementation principle is similar and is not repeated here.
Fig. 5 is a structural diagram of a second embodiment of the radio access network device. As shown in Fig. 5, on the basis of the embodiment of Fig. 4, the device further comprises a recording module 43 and a timing module 44.
The recording module 43 records the STA identifier when the STA associates to the AP, initialises the statistics table and starts the timer.
The timing module 44 checks whether the timer has expired. If it has not, it receives at least one Hypertext Transfer Protocol (HTTP) request message from the STA, decapsulates it and obtains the target URL corresponding to the STA identifier; it then checks whether the HTTP request belongs to the target URL and, if so, increments the STA's access count for that URL by 1 and returns to the timer check, otherwise returns directly to the timer check. When the timer expires, it records the STA's total number of accesses to the target URL in the statistics table.
In the method of this embodiment, the timing module records the STA's total number of accesses to the target URL within the period, which yields the number of times a specific STA accessed a specific web page address and gives the AP reliable data for identifying the specific attack source and the target URL it is accessing.
The radio access network device of this embodiment can carry out the technical solution of the method embodiment shown in Fig. 2; its implementation principle and technical effect are similar and are not repeated here.
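The recording and timing modules above (statistics table initialised on association, a timer per STA, each HTTP request decapsulated to its URL and counted per URL, the count-to-period ratio compared with the threshold when the timer expires, and the first AP's own preset-time deny), as an added Python example that is not the patent's or Ruijie's own code. The `FloodMonitor` class, the period, threshold and preset-time values and the sample requests are assumptions made for this example. The URL is only visible to the AP for plaintext HTTP; over TLS the AP sees at most the server name, so a deployment of this scheme is limited to the traffic it can actually decapsulate.

```python
"""Added example, not code from the patent or its assignee: the first AP's
per-STA, per-URL statistics.  Parses the URL out of a plaintext HTTP/1.x request,
counts requests per (STA MAC, URL) over a fixed period, and when the period's timer
runs out compares count / period with the threshold.  Period, threshold, preset
time and the sample requests are assumptions made for this example."""
import re
from collections import defaultdict

_REQUEST_LINE = re.compile(r"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]$")


def url_from_http_request(raw):
    """Return scheme://host/path for a plaintext HTTP/1.x request, or None if the
    bytes are not one (binary, malformed request line, or no Host header)."""
    try:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    m = _REQUEST_LINE.match(lines[0])
    if m is None:
        return None
    target = m.group(2).split("?", 1)[0]          # query string does not change the target
    if target.startswith(("http://", "https://")):
        return target                             # absolute-form target (proxy style)
    for header in lines[1:]:
        name, sep, value = header.partition(":")
        if sep and name.strip().lower() == "host":
            return "http://" + value.strip() + target
    return None


class FloodMonitor:
    """AP-side statistics table: one timer per STA, one counter per (STA, URL)."""

    def __init__(self, period_s, threshold_rps, preset_s):
        self.period_s = period_s            # the patent's "first period"
        self.threshold_rps = threshold_rps  # preset threshold for count / period
        self.preset_s = preset_s            # how long a local deny lasts
        self.window_start = {}              # STA MAC -> when its current period began
        self.counts = defaultdict(int)      # (MAC, URL) -> requests in the current period
        self.stats = {}                     # (MAC, URL) -> total recorded when the period closed
        self.blocked = {}                   # (MAC, URL) -> time the local deny expires

    def on_associate(self, mac, now):
        """Record the STA, initialise its statistics and start its timer."""
        self.window_start[mac] = now
        for key in [k for k in self.counts if k[0] == mac]:
            del self.counts[key]

    def on_request(self, mac, raw, now):
        """Return "drop" if this STA is currently denied the URL, else "forward"."""
        url = url_from_http_request(raw)
        if url is None:
            return "forward"                # not an HTTP request we can attribute to a URL
        key = (mac, url)
        expiry = self.blocked.get(key)
        if expiry is not None:
            if now < expiry:
                return "drop"
            del self.blocked[key]           # preset time elapsed: lift the lock
        if mac not in self.window_start:
            self.on_associate(mac, now)
        self.counts[key] += 1
        return "forward"

    def tick(self, now):
        """Timer check.  For every STA whose period has elapsed, record the totals,
        apply the threshold, and return the policy execution requests for the AC."""
        requests = []
        for mac, start in list(self.window_start.items()):
            elapsed = now - start
            if elapsed < self.period_s:
                continue
            for key in [k for k in self.counts if k[0] == mac]:
                total = self.counts.pop(key)
                self.stats[key] = total
                # ratio of total accesses to period time, using the real elapsed time
                # so a late timer check does not inflate the rate
                if total / elapsed > self.threshold_rps:
                    self.blocked[key] = now + self.preset_s
                    requests.append({"sta_mac": mac, "target_url": key[1],
                                     "preset_time": self.preset_s})
            self.window_start[mac] = now
        return requests
```

`on_request` is called for each frame the AP forwards for a STA and `tick` from the timer; the dicts `tick` returns are the fields the first AP would put into its policy execution request to the AC. Because the counter is keyed by (MAC, URL), a flood of one page leaves the same STA's other requests unaffected, which is the URL-specific denial the text describes.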
Optionally, the first AP's denying the STA access to the target URL comprises denying the STA access to the target URL for a preset time;
and the policy execution request message further includes the preset time information, so that the at least one second AP denies the STA access to the target URL for the preset time.
The radio access network device of this embodiment can carry out the technical solutions of the method embodiments above; its implementation principle is similar and is not repeated here.
With the method provided by this embodiment, the APs of the whole network resist the STA's flooding attack for the preset time while denying the STA access only to the target URL and not to other URLs.
Fig. 6 is a structural diagram of a third embodiment of the radio access network device. As shown in Fig. 6, on the basis of the embodiment of Fig. 5, the device further comprises a policy release module 45. After the preset time has elapsed, the policy release module 45 allows the STA to access the target URL and sends a policy release request message including the STA identifier and the target URL to the AC, so that the AC sends an access allow message including the STA identifier and the target URL to at least one other AP, which then allows the STA to access the target URL.
The first AP in method embodiments 1 to 3 above may be the radio access network device of device embodiments 1 to 3 provided here.
In the radio access network device of this embodiment, after the preset time the policy release module sends a policy release request message including the STA identifier and the target URL to the AC, releasing the preset-time lock on the STA so that at least one other AP allows the STA to access the target URL.
Fig. 7 is a structural diagram of a first embodiment of the radio access network controller of the present invention. As shown in Fig. 7, the radio access network controller 50 comprises a receiving module 51 and a notification execution module 52. The receiving module 51 receives from an AP a policy execution request message carrying the STA identifier and the target URL; the notification execution module 52 generates from that message an access deny message carrying the STA identifier and the target URL and sends it to at least one other AP, so that the at least one other AP denies the STA access to the target URL.
In the radio access network controller of this embodiment, the receiving module receives from the first AP the policy execution request message carrying the STA identifier and the target URL, and the notification execution module generates from it an access deny message carrying the STA identifier and the target URL and sends it to at least one other AP, which then denies the STA access to the target URL. This identifies the flooding source network-wide, denies its flooding access, and improves the security and reliability of the radio access network devices across the whole network.
The radio access network controller of this embodiment can carry out the technical solution of the method embodiment shown in Fig. 3; its implementation principle is similar and is not repeated here.
Optionally, the policy execution request message further includes preset time information, so that the at least one second AP denies the STA access to the target URL for the preset time.
The radio access network controller of this embodiment can carry out the technical solutions of the method embodiments above; its implementation principle is similar and is not repeated here.
With the method provided by this embodiment, the APs of the whole network resist the STA's flooding attack for the preset time while denying the STA access only to the target URL and not to other URLs.
Fig. 8 is a structural diagram of a second embodiment of the radio access network controller. As shown in Fig. 8, on the basis of the embodiment of Fig. 7, the controller further comprises a notification release module 53. After the preset time has elapsed, the notification release module 53 receives a policy release request message including the STA identifier and the target URL and sends an access allow message containing the STA identifier and the target URL to at least one other AP, so that the at least one other AP allows the STA to access the target URL.
The AC in method embodiments 1 to 3 above may be the radio access network controller of controller embodiments 1 and 2 provided here.
With the radio access network controller of this embodiment, the APs of the whole network resist the STA's flooding attack for the preset time while denying the STA access only to the target URL and not to other URLs. After the preset time, the notification release module receives the policy release request message including the STA identifier and the target URL and sends an access allow message containing the STA identifier and the target URL to at least one other AP, lifting the lock on the STA so that the other AP(s) allow it to access the target URL.
Fig. 9 is a structural diagram of a first embodiment of the system for resisting wireless network flooding attacks. As shown in Fig. 9, the system comprises a radio access network device 40 and a radio access network controller 50. The radio access network device 40 may take the structure of any of the device embodiments of Figs. 4 to 6 and correspondingly carry out the technical solution of either method embodiment of Figs. 1 and 2; the radio access network controller 50 may take the structure of either controller embodiment of Figs. 7 and 8 and correspondingly carry out the technical solution of the method embodiment of Fig. 3. The implementation principles are similar and are not repeated here. Fig. 10 is a structural diagram of a second embodiment of the system, showing the specific structures of the radio access network device 40 and the radio access network controller 50 and the relationships between their modules. For the specific implementation principles and technical effects of the system, refer to the method and device embodiments above.
In the system provided by this embodiment, the radio access network device AP obtains the total number of accesses by the STA to the target URL during the first period and records the ratio of that total to the period length, which gives the STA's average access frequency for the target URL per unit time. When the ratio exceeds the preset threshold, the AP denies the STA access to the target URL but not to other URLs, and sends a policy execution request message including the STA identifier and the target URL to the AC, so that the AC sends an access deny message with the same contents to at least one other AP, which then denies the STA access to the target URL. This identifies the flooding source network-wide, denies its flooding access, and improves the security and reliability of the radio access network devices across the whole network.
Those of ordinary skill in the art will understand that all or part of the steps of the method embodiments above may be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium; when executed it performs the steps of the method embodiments. The storage medium includes ROM, RAM, a magnetic disk, an optical disc or any other medium that can store program code.
Finally, it should be noted that the embodiments above serve only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in those embodiments may still be modified, or some or all of their technical features replaced by equivalents, without the essence of the corresponding technical solutions departing from the scope of the technical solutions of the embodiments of the present invention.
Claims (12)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210344628.4A CN102833268B (en) | 2012-09-17 | 2012-09-17 | Method, equipment and system for resisting wireless network flooding attack |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210344628.4A CN102833268B (en) | 2012-09-17 | 2012-09-17 | Method, equipment and system for resisting wireless network flooding attack |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102833268A CN102833268A (en) | 2012-12-19 |
| CN102833268B true CN102833268B (en) | 2015-03-11 |
Family
ID=47336238
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201210344628.4A Expired - Fee Related CN102833268B (en) | 2012-09-17 | 2012-09-17 | Method, equipment and system for resisting wireless network flooding attack |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102833268B (en) |
Families Citing this family (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103118360B (en) * | 2012-12-21 | 2015-08-19 | 成都科来软件有限公司 | A kind of system blocking mobile radio terminal |
| CN104378369A (en) * | 2014-11-11 | 2015-02-25 | 上海斐讯数据通信技术有限公司 | Wireless flooding attack prevention method |
| CN104768176B (en) * | 2015-04-15 | 2018-08-24 | 新华三技术有限公司 | The method, apparatus that sFlow is sampled in wireless network |
| CN106598723A (en) * | 2015-10-19 | 2017-04-26 | 北京国双科技有限公司 | Configuration method and device for resources in distributed system |
| CN107509200A (en) * | 2017-09-30 | 2017-12-22 | 北京奇虎科技有限公司 | Equipment localization method and device based on wireless network invasion |
| CN107612924B (en) * | 2017-09-30 | 2021-02-23 | 北京奇虎科技有限公司 | Attacker positioning method and device based on wireless network intrusion |
| CN107484173A (en) * | 2017-09-30 | 2017-12-15 | 北京奇虎科技有限公司 | Wireless network intrusion detection method and device |
| CN107579997A (en) * | 2017-09-30 | 2018-01-12 | 北京奇虎科技有限公司 | Wireless Network Intrusion Detection System |
| WO2019222999A1 (en) * | 2018-05-25 | 2019-11-28 | 华为技术有限公司 | Access control method and device, and readable storage medium |
| CN111355686B (en) * | 2018-12-21 | 2022-07-05 | 天翼云科技有限公司 | Method, device, system and storage medium for defending flood attacks |
| CN112839015B (en) * | 2019-11-25 | 2022-08-19 | 杭州萤石软件有限公司 | Method, device and system for detecting attack Mesh node |
| CN111556109B (en) * | 2020-04-17 | 2021-05-18 | 北京达佳互联信息技术有限公司 | Request processing method and device, electronic equipment and storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101286996A (en) * | 2008-05-30 | 2008-10-15 | 北京星网锐捷网络技术有限公司 | Storm attack resisting method and apparatus |
| CN101674293A (en) * | 2008-09-11 | 2010-03-17 | 阿里巴巴集团控股有限公司 | Method and system for processing abnormal request in distributed application |
| CN102547714A (en) * | 2011-12-28 | 2012-07-04 | 福建三元达通讯股份有限公司 | Method for preventing flooding attack in wireless local area network |
| CN102595333A (en) * | 2012-02-06 | 2012-07-18 | 福建星网锐捷网络有限公司 | Message transmitting method and wireless access equipment |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2013105991A2 (en) * | 2011-02-17 | 2013-07-18 | Sable Networks, Inc. | Methods and systems for detecting and mitigating a high-rate distributed denial of service (ddos) attack |
- 2012-09-17 CN CN201210344628.4A patent/CN102833268B/en not_active Expired - Fee Related
Also Published As
| Publication number | Publication date |
|---|---|
| CN102833268A (en) | 2012-12-19 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102833268B (en) | Method, equipment and system for resisting wireless network flooding attack | |
| Arshad et al. | COLIDE: A collaborative intrusion detection framework for Internet of Things | |
| EP3863317B1 (en) | Method and device for determining category information | |
| US9173244B2 (en) | Methods for establishing and using public path, M2M communication method, and systems thereof | |
| Agarwal et al. | An efficient scheme to detect evil twin rogue access point attack in 802.11 Wi-Fi networks | |
| CN101800989B (en) | Anti-replay-attack system for industrial wireless network | |
| US11895533B2 (en) | Method for controlling connection between terminal and network, and related apparatus | |
| KR102834971B1 (en) | Method and apparatus for collecting newtwork traffic in a wireless communication system | |
| CN105681272B (en) | The detection of mobile terminal fishing WiFi a kind of and resist method | |
| CN112105053B (en) | Congestion control method and device | |
| WO2011137792A1 (en) | Method and apparatus for cooperation between push devices | |
| CN103491076B (en) | The prevention method and system of a kind of network attack | |
| CN102238049A (en) | Method for detecting denial of service (DoS) attacks in media access control (MAC) layer | |
| Metongnon et al. | Fast and efficient probing of heterogeneous IoT networks | |
| CN109428862A (en) | A kind of method and apparatus detecting ARP attack in local area network | |
| CN115567942A (en) | 5G network endogenous security protection method, device, network element and storage medium | |
| US20210409981A1 (en) | Adaptive network data collection and composition | |
| EP2955945B1 (en) | Method and system for implementing authentication and accounting in interaction between wireless local area network and fixed network | |
| WO2012100494A1 (en) | Method and apparatus for improving security of neighbor discovery snooping | |
| OConnor | Detecting and responding to data link layer attacks | |
| Ambarkar et al. | A comprehensive survey of existing security techniques in the IOT protocol stack | |
| CN106470421A (en) | A kind of method and apparatus preventing malicious peer from illegally occupying resources of core network | |
| CN119895788A (en) | Suspicious behavior reporting | |
| WO2022174780A1 (en) | Ddos attack detection method and apparatus | |
| Houben et al. | MUDThread: Securing Constrained IoT Networks via Manufacturer Usage Descriptions |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | CP01 | Change in the name or title of a patent holder | Address after: 19th floor, Garden State Industrial Park, No. 618 Jinshan Road, Cangshan District, Fuzhou, Fujian 350002. Patentee after: RUIJIE NETWORKS Co.,Ltd. Address before: 19th floor, Garden State Industrial Park, No. 618 Jinshan Road, Cangshan District, Fuzhou, Fujian 350002. Patentee before: Fujian Star-net Ruijie Network Co.,Ltd. |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20150311 |