CN106453408A - Method and device for preventing counterfeited offline attack - Google Patents


Info

Publication number: CN106453408A
Authority: CN (China)
Prior art keywords: terminal, list item, history list, standard grade, log
Legal status: Granted; active (current); anticipated expiration
Application number: CN201611047143.3A
Other languages: Chinese (zh)
Other versions: CN106453408B (en)
Inventors: 章靠, 廖以顺
Current assignee: New H3C Information Technologies Co Ltd
Original assignee: Hangzhou H3C Technologies Co Ltd
Priority date, filing date, publication date: not given on this page
Events: application filed by Hangzhou H3C Technologies Co Ltd; priority to CN201611047143.3A; publication of CN106453408A; application granted; publication of CN106453408B

Classifications

    • H: Electricity
      • H04: Electric communication technique
        • H04L: Transmission of digital information, e.g. telegraphic communication
          • H04L63/00: Network architectures or network communication protocols for network security
            • H04L63/14: for detecting or protecting against malicious traffic
              • H04L63/1441: Countermeasures against malicious traffic
            • H04L63/08: for authentication of entities
              • H04L63/0892: by using authentication-authorization-accounting [AAA] servers or protocols
          • H04L67/00: Network arrangements or protocols for supporting network services or applications
            • H04L67/50: Network services
              • H04L67/54: Presence management, e.g. monitoring or registration for receipt of user log-on information, or the connection status of the users


Abstract

The application provides a method and a device for preventing a counterfeited offline attack. The method comprises: after a terminal logs in and goes online, a network access server judges whether the login count in the login history entry corresponding to the terminal exceeds a preset value, the login history entry recording the accumulated login count of the terminal within a set time period; if so, the terminal is controlled to remain online for the set time period after it logs in and goes online. With this method the terminal can keep using the network normally while it is under a counterfeited offline message attack, and the load that counterfeited offline messages impose on the network access server and the AAA server is reduced.

Description

Method and apparatus for preventing a counterfeit offline attack
Technical field
The application relates to the field of communication technology, and in particular to a method and apparatus for preventing a counterfeit offline attack.
Background technology
A kind of counterfeit offline message exists in networks: the message impersonates an online terminal and sends an offline request to the network access server, so that the online terminal is forced offline, and the terminal that was forced offline may then send a new online request to the network access server.
Therefore, when a counterfeit offline message attack is present in the network, a terminal repeatedly goes online and offline and cannot use the network normally, and both the network access server and the Authentication, Authorization, Accounting (AAA) server are kept running under high load.
No effective solution to the problem caused by counterfeit offline messages has been proposed so far.
Content of the invention
In view of this, the application provides a method and apparatus for preventing a counterfeit offline attack, so that a terminal can keep using the network normally while it is under a counterfeit offline message attack, and so that the load imposed on the network access server and the AAA server by counterfeit offline messages is reduced.
Specifically, the application is achieved by the following technical solution:
In a first aspect of the application, a method for preventing a counterfeit offline attack is provided. The method is applied to a network access server and includes:
after a terminal logs in and goes online, judging whether the login count in the login history entry corresponding to the terminal exceeds a set value, the login history entry being used to record the accumulated login count of the terminal within a set time period;
if so, controlling the terminal to remain online for a set duration after it logs in and goes online.
In a second aspect of the application, an apparatus for preventing a counterfeit offline attack is provided. The apparatus can be applied in a network access server and has the functions needed to implement the above method; the functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules or units corresponding to the above functions.
In one possible implementation, the apparatus includes:
an entry processing unit, for judging, after a terminal logs in and goes online, whether the login count in the login history entry corresponding to the terminal exceeds the set value, the login history entry being used to record the accumulated login count of the terminal within the set time period;
a terminal control unit, for controlling the terminal to remain online for the set duration after it logs in and goes online when the judging unit determines that the login count exceeds the set value.
In another possible implementation, the apparatus includes a processor and a memory for storing instructions executable by the processor, the memory and the processor being connected to each other by a bus system; the processor is used to perform the following operations:
after a terminal logs in and goes online, judging whether the login count in the login history entry corresponding to the terminal exceeds a set value, the login history entry being used to record the accumulated login count of the terminal within a set time period; if so, controlling the terminal to remain online for the set duration after it logs in and goes online.
With the above technical solution of the application, the number of legitimate logins of a terminal within a past period is counted; this statistic can serve as the basis for judging whether the terminal is under a counterfeit offline message attack, and when the terminal is judged to be under such an attack, priority is given to ensuring that it can use the network normally, which reduces the load that counterfeit offline messages impose on the network access server and the AAA server. The statistic is also useful to operation and maintenance personnel for investigating and analysing the health of the network.
Description of the drawings
Fig. 1 is a schematic diagram of a system architecture provided by an embodiment of the application;
Fig. 2 is a flow chart of a method for preventing a counterfeit offline attack provided by an embodiment of the application;
Fig. 3 is a flow chart of the method executed while a PPPoE terminal dials up, provided by an embodiment of the application;
Fig. 4 is a functional block diagram of an apparatus for preventing a counterfeit offline attack provided by an embodiment of the application;
Fig. 5 is a hardware structure diagram of an apparatus for preventing a counterfeit offline attack provided by an embodiment of the application.
Specific embodiment
Exemplary embodiments are described in detail here, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the application; rather, they are only examples of apparatus and methods consistent with some aspects of the application as detailed in the appended claims.
The terms used in the application are only for the purpose of describing specific embodiments and are not intended to limit the application. The singular forms "a", "the" and "said" used in the application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the application to describe various information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from each other. For example, without departing from the scope of the application, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used here may be interpreted as "when", "upon" or "in response to determining".
The technical solution of the application is described below with reference to the drawings and the embodiments.
The method provided by the application ensures that a terminal under a counterfeit offline message attack can still use the network normally, and reduces the load that counterfeit offline messages impose on the network access server and the AAA server.
The system architecture to which the method of the application applies is described first with reference to Fig. 1:
Referring to Fig. 1, a system architecture diagram provided by the application, the system architecture may include a terminal, a layer-2 forwarding device, a network access server and an AAA server.
The function of each network element in the system architecture is described below.
Terminal, also called user equipment (UE): the terminal may be a mobile phone, a computer, an in-vehicle mobile device, etc. The terminal sends an online request to the network access server and, after the online request passes authentication, accesses the external network normally. The application does not limit the authentication mode by which the terminal accesses the network; for example, Point to Point Protocol over Ethernet (PPPoE) authentication, Internet Protocol over Ethernet (IPoE) authentication, Portal authentication or other authentication modes may be used.
Layer-2 forwarding device: forwards packets between the terminal and the network access server. The layer-2 forwarding device can identify the Media Access Control (MAC) address in a packet and forward the packet according to the MAC address.
Network access server: may be a Broadband Remote Access Server (BRAS), a Service Router (SR), etc. It receives the terminal's online request, sends the authentication information contained in the online request to the AAA server for terminal identity authentication, confirms that the terminal is online after authentication passes, allocates an address to the terminal so that the terminal can access the external network, and creates an online record for the terminal.
The network access server can manage the terminals' online records as follows: it maintains an online user table locally; after a terminal logs in and goes online, it creates an online record for the terminal in the pre-stored online user table, the online record describing the terminal's identity, online time, Internet Protocol (IP) address and other information; after the terminal goes offline, the network access server deletes the terminal's online record from the online user table.
In the embodiments of the application, the network access server is also used to count the number of logins of a terminal within a past period and, based on this statistic, to judge whether the terminal is under a counterfeit offline message attack, so as to ensure, within limits, that the terminal can use the network normally.
AAA server: holds the information of all terminals and performs terminal identity authentication; after authentication passes, it starts online accounting for the terminal and notifies the network access server that the terminal has logged in and gone online successfully. It is also used, when it receives an offline request from a terminal forwarded by the network access server, to stop online accounting and notify the network access server that the terminal has gone offline successfully. There are many types of AAA server; common ones are Active Directory (AD) servers, Lightweight Directory Access Protocol (LDAP) servers, Remote Authentication Dial In User Service (RADIUS) servers, etc.
This completes the description of the system architecture of Fig. 1.
The method provided by the application is described below with reference to Fig. 2:
Referring to Fig. 2, a method flow chart provided by the application, the flow may include the following steps:
Step 201: after a terminal logs in and goes online, the network access server judges whether the login count in the login history entry corresponding to the terminal exceeds a set value.
The login history entry is used to record the accumulated login count of the terminal within a set time period. For example, the set time period may be the period from the creation of the login history entry up to the current login; as another example, it may be the period from the creation of the login history entry up to the previous login.
Step 202: if the login count in the login history entry exceeds the set value, the network access server controls the terminal to remain online for a set duration after it logs in and goes online.
A terminal goes through roughly the following process from requesting to go online to being logged in and online: the terminal sends an online request to the network access server, the online request containing the terminal's authentication information, such as the terminal's account and password. The network access server then forwards the terminal's authentication information to the AAA server for authentication; for different types of AAA server, the network access server may send the authentication information using different protocols, for example the RADIUS protocol if the AAA server is a RADIUS server. If the AAA server finds a record matching the authentication information in its locally stored terminal information, it confirms that the terminal has passed authentication, starts online accounting for the terminal and notifies the authentication result to the network access server. According to the authentication result sent by the AAA server, the network access server confirms that the terminal has gone online successfully.
The login history entry mentioned here is recorded in the embodiments of the application for terminals that go online legitimately, and is mainly used to count the accumulated login count of the terminal within a past period, which serves as the basis for judging whether the terminal is under a counterfeit offline message attack.
Specifically, the network access server may choose to update the terminal's login history entry when the terminal logs in and goes online, or when the terminal goes offline; the two differ only in the moment at which the operation is performed, and the operation itself is the same.
For example, if the terminal's login history entry is updated when the terminal goes offline, the implementation may be as follows:
First step: after confirming that a terminal has gone offline, the network access server queries whether a login history entry corresponding to the terminal exists locally.
Second step: according to the query result of the first step, if the terminal's login history entry exists, the history login count in the login history entry found is increased by 1.
If the terminal's login history entry does not exist, a login history entry is newly created for the terminal, the history login count of the newly created entry is set to 1, and a validity period is set for the newly created login history entry; when the validity period expires, the newly created login history entry is deleted. This can be implemented with a timer.
One reason the embodiments set a validity period for the login history entry and periodically clear the terminal's history login data is that a counterfeit offline message attack causes the terminal to go online and offline frequently within a certain period; considering only the terminal's login data from the recent period therefore matches the characteristics of a counterfeit offline message attack better, and helps judge more accurately whether the terminal is under such an attack.
Optionally, when the network access server judges that the login count in a terminal's login history entry exceeds the set value, it may also delete that login history entry immediately, regardless of whether its validity period has expired.
In another possible implementation, if the terminal's login history entry is updated when the terminal logs in and goes online, the implementation may be as follows:
First step: after confirming that a terminal has logged in and gone online, the network access server queries whether a login history entry corresponding to the terminal exists locally.
Second step: according to the query result of the first step, if the entry exists, the login count of the terminal in the login history entry found is increased by 1. If it does not exist, a login history entry is newly created for the terminal, the login count in the newly created entry is set to 1, and a validity period is set for the newly created entry; when the validity period expires, the newly created login history entry is deleted.
It should be noted that if the terminal's login history entry is updated when the terminal logs in and goes online, the embodiments of the application do not limit the order in which the update of the login history entry and steps 201 and 202 are executed. That is, the network access server may first query the terminal's login history entry and update it according to the query result, then query the terminal's login history entry again and decide according to the query result whether to control the terminal to remain online. Alternatively, it may first query the terminal's login history entry and decide according to the query result whether to control the terminal to remain online, then query the terminal's login history entry again and update it according to the query result.
For example, one possible implementation is: after a terminal logs in and goes online, the network access server queries whether the login history entry corresponding to the terminal exists; if it exists, it goes on to judge whether the login count in the entry exceeds the set value. If it exceeds the set value, the terminal is controlled to remain online for the set duration after it logs in and goes online. If it does not exceed the set value, the network access server queries again whether the login history entry corresponding to the terminal still exists; if it exists, the terminal's login history entry is updated, and if not, a login history entry is newly created for the terminal.
It should be noted that, because a terminal's login history entry may be deleted after a certain duration, the network access server needs to query whether the terminal's login history entry still exists both before updating it and before deciding whether to control the terminal to remain online, so as to confirm the real-time state of the terminal's login history entry.
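The login history entry and the step 201/202 decision, as an added Python example that is not part of the patent: the validity period is modelled as an expiry tick on a caller-supplied integer clock rather than a real timer, the entry is updated when the terminal goes offline (the first timing described above), and the names LoginHistoryTable, set_value, validity and delete_on_exceed are assumptions. The sample event sequence is constructed; only the MAC address is taken from Table 1 of this page.

```python
# Added example (not the patent's own code): the login history table of Fig. 2,
# with the validity period modelled as an expiry tick on a caller-supplied clock.
# Names (LoginHistoryTable, set_value, validity, delete_on_exceed) are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]  # (user name, MAC address): two of the query conditions the text lists


@dataclass
class LoginHistoryEntry:
    login_count: int             # accumulated logins within the validity period
    expires_at: int              # tick at which the validity period ends
    access_interface: str = ""   # extra fields the text allows the entry to carry
    vlan_id: Optional[int] = None


class LoginHistoryTable:
    """Login history entries kept by the network access server."""

    def __init__(self, set_value: int, validity: int, delete_on_exceed: bool = False):
        self.set_value = set_value                # threshold of step 201
        self.validity = validity                  # validity period in ticks
        self.delete_on_exceed = delete_on_exceed  # the optional immediate deletion
        self.entries: Dict[Key, LoginHistoryEntry] = {}

    def _expire(self, now: int) -> None:
        # Stands in for the timer: entries whose validity period has ended are deleted.
        for key in [k for k, e in self.entries.items() if e.expires_at <= now]:
            del self.entries[key]

    def lookup(self, key: Key, now: int) -> Optional[LoginHistoryEntry]:
        self._expire(now)
        return self.entries.get(key)

    def record_login(self, key: Key, now: int, access_interface: str = "",
                     vlan_id: Optional[int] = None) -> int:
        """The update operation shared by both timings (on offline or on login):
        increment the count if an entry exists, otherwise create one with count 1
        and start its validity period. Returns the new count."""
        entry = self.lookup(key, now)
        if entry is None:
            entry = LoginHistoryEntry(1, now + self.validity, access_interface, vlan_id)
            self.entries[key] = entry
        else:
            entry.login_count += 1
        return entry.login_count

    def must_keep_online(self, key: Key, now: int) -> bool:
        """Steps 201/202: True when the count exceeds the set value, i.e. the
        terminal is treated as being under a counterfeit offline message attack."""
        entry = self.lookup(key, now)
        if entry is None or entry.login_count <= self.set_value:
            return False
        if self.delete_on_exceed:
            del self.entries[key]
        return True


def simulate(events: List[Tuple[int, str, Key]], set_value: int = 3,
             validity: int = 60) -> List[Tuple[int, bool]]:
    """Replays (tick, 'online'|'offline', key) events, updating the history when
    the terminal goes offline, and returns the step-201/202 decision taken at
    each online event."""
    table = LoginHistoryTable(set_value, validity)
    decisions = []
    for tick, kind, key in events:
        if kind == "offline":
            table.record_login(key, tick)
        elif kind == "online":
            decisions.append((tick, table.must_keep_online(key, tick)))
    return decisions


# Constructed sample: one terminal (MAC taken from Table 1) forced offline every
# other tick, which is what a counterfeit offline message attack produces.
SAMPLE_EVENTS = [(t, "online" if t % 2 == 0 else "offline", ("User 1", "0016-ecb7-a879"))
                 for t in range(10)]

if __name__ == "__main__":
    for tick, keep in simulate(SAMPLE_EVENTS):
        print(f"tick {tick}: keep online = {keep}")
```

With set_value=3 the fifth login (tick 8) is the first to be decided in favour of keeping the terminal online, because four offline events have been counted by then. The update-on-login timing differs only in calling record_login at the online event instead of the offline one; the query before each decision and before each update is what lets an expired entry disappear, as the text requires.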
Besides the terminal's history login count, the login history entry may also record at least one of the following pieces of information about the terminal: the terminal's MAC address, the terminal's access interface on the network access server, and the Virtual Local Area Network (VLAN) the terminal accesses. Operation and maintenance personnel can use this information to determine the interfaces or VLANs over which a counterfeit offline message attack is distributed, which helps further analysis and handling, for example logging in to the next-level access device to examine the network condition.
Accordingly, when the network access server queries whether a login history entry corresponding to a terminal exists, it may use one or more of the terminal's user name, MAC address, access interface on the network access server and accessed VLAN as the query condition, and search for the login history entry matching that condition.
Of course, the information contained in the login history entry is extensible and is not limited to the content mentioned above. Table 1 below shows an example of a login history entry recorded when a terminal goes offline. The offline time in Table 1 may be the time at which the AAA server stopped online accounting.
Table 1
User name:           User 1
MAC address:         0016-ecb7-a879
Access interface:    GigabitEthernet1/0/1
VLAN ID:             N/A
Offline time:        2013-05-21 18:04:10
History login count: 2
Validity period:     5
In the embodiments of the application, when querying a terminal's login history entry shows that the terminal's login count within the past period exceeds the set value, the terminal is considered to be under a counterfeit offline message attack, and priority is given to ensuring that the terminal can use the network normally, i.e. the terminal is allowed to remain online for a following set duration.
Since the network access server normally maintains an online user table locally, when a terminal logs in and goes online the network access server creates an online record for the terminal in the online user table, and after the terminal goes offline it deletes the terminal's online record from the online user table.
Therefore, one way to keep a terminal online for the set duration after it goes online is to use the existing online user table and add a solidification attribute (a mark that pins the online record) to that table: when the online record found by looking up a terminal's offline request carries the solidification attribute mark, the network access server may decide to refuse to respond to that offline request. The specific process is as follows:
If, after a terminal goes online successfully, the network access server's query finds that the login count in the terminal's login history entry exceeds the set value, then when it creates the online record for the terminal it also adds the solidification attribute mark to the online record it creates, and the solidification attribute mark is deleted after a set duration. Correspondingly, when an offline request for a terminal is received, the online record of the terminal is looked up and it is judged whether the terminal's online record carries the solidification attribute mark. If so, the network access server refuses to respond to the terminal's offline request, so that the terminal remains online for the set duration during which its online record carries the solidification attribute mark; if not, the terminal's offline request is responded to and the terminal is taken offline.
Of course, a terminal's normal offline request may be received while its online record carries the solidification attribute mark. In that case, the terminal side may first disconnect the network connection; after the solidification attribute mark on the terminal's online record is deleted because its duration has expired, the network access server can discover through its periodic probe mechanism that the terminal is no longer online, and then delete the terminal's online record from the online user table and disconnect the network connection with the terminal.
In practice, the solidification attribute mark may be used together with other offline mechanisms. For example, it may be combined with an idle duration: if, while a terminal's online record carries the solidification attribute mark, the terminal's traffic usage is found to be below a preset minimum level, the terminal's solidification attribute mark may be deleted, or the survival duration of the terminal's solidification attribute mark may be shortened.
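The online user table with the solidification attribute mark, the handling of offline requests while the mark is present, the combination with an idle-traffic floor and the periodic probe after a terminal disconnected on its own, as an added Python example that is not the patent's own code. The caller passes the outcome of the login history check as a boolean, time is an integer tick supplied by the caller, and the class and method names, the AAA message counter and the probe model are assumptions; the attack replay and addresses are constructed.

```python
# Added example (not the patent's own code): the online user table with the
# solidification attribute mark, driven by a caller-supplied integer clock.
# Class/method names, the 'aaa_messages' counter and the probe model are assumptions.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class OnlineRecord:
    user: str
    ip: str
    online_at: int
    pinned_until: Optional[int] = None  # solidification mark; None once deleted


class OnlineUserTable:
    def __init__(self, pin_duration: int, idle_floor: Optional[int] = None):
        self.pin_duration = pin_duration  # the set duration the mark survives
        self.idle_floor = idle_floor      # optional minimum traffic level
        self.records: Dict[str, OnlineRecord] = {}
        self.aaa_messages = 0             # messages the NAS would send to the AAA server

    def on_login(self, user: str, ip: str, now: int, attack_suspected: bool) -> OnlineRecord:
        """Create the online record; add the mark when the login history check
        (step 201) found the count above the set value."""
        self.aaa_messages += 1            # the authentication exchange
        record = OnlineRecord(user, ip, now)
        if attack_suspected:
            record.pinned_until = now + self.pin_duration
        self.records[user] = record
        return record

    def is_pinned(self, user: str, now: int) -> bool:
        record = self.records.get(user)
        if record is None or record.pinned_until is None:
            return False
        if record.pinned_until <= now:
            record.pinned_until = None    # the mark is deleted after the set duration
            return False
        return True

    def handle_offline_request(self, user: str, now: int) -> str:
        """'ignored' while the mark is present, 'offline' when the request is
        processed, 'unknown' when there is no online record."""
        if user not in self.records:
            return "unknown"
        if self.is_pinned(user, now):
            return "ignored"              # no stop-accounting message, no forced logoff
        self.aaa_messages += 1            # stop online accounting at the AAA server
        del self.records[user]
        return "offline"

    def report_traffic(self, user: str, bytes_in_window: int) -> None:
        """Combination with the idle-duration mechanism: traffic below the floor
        deletes the mark early."""
        record = self.records.get(user)
        if record is not None and self.idle_floor is not None and bytes_in_window < self.idle_floor:
            record.pinned_until = None

    def probe(self, user: str, now: int, responding: bool) -> str:
        """Periodic probe: a terminal that disconnected during the pinned period
        is removed once the mark has expired."""
        if user in self.records and not self.is_pinned(user, now) and not responding:
            del self.records[user]
            return "removed"
        return "kept"


def forged_logoff_burst(table: OnlineUserTable, user: str, ticks: Iterable[int]) -> int:
    """Constructed attack replay: one counterfeit offline request per tick.
    Returns how many of them the NAS ignored."""
    return sum(table.handle_offline_request(user, t) == "ignored" for t in ticks)


if __name__ == "__main__":
    nas = OnlineUserTable(pin_duration=30)
    nas.on_login("User 1", "10.0.0.5", now=0, attack_suspected=True)
    print("ignored:", forged_logoff_burst(nas, "User 1", range(1, 6)))
    print("after the set duration:", nas.handle_offline_request("User 1", 30))
    print("AAA messages:", nas.aaa_messages)
```

The aaa_messages counter makes the load argument of the text visible: five forged offline requests during the pinned period cost no AAA traffic at all, whereas without the mark each would have triggered a stop-accounting message and a fresh authentication when the terminal re-logged in.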
This completes the description of the flow shown in Fig. 2.
It can be seen from the flow shown in Fig. 2 that, in the application, the number of legitimate logins of a terminal within a past period is counted; this statistic can serve as the basis for judging whether the terminal is under a counterfeit offline message attack, and when the terminal is judged to be under such an attack, priority is given to ensuring that it can use the network normally, which reduces the load that counterfeit offline messages impose on the network access server and the AAA server. The statistic also helps operation and maintenance personnel investigate and analyse the health of the network.
In order to be illustrated more clearly that the technical scheme of the application, below by one embodiment technique scheme is done into The explanation of one step, it should be noted that this embodiment is only a kind of implementation of the application, does not constitute the limit to the application Fixed.
It is the flow process for executing during PPPoE terminal dialing referring to Fig. 3, Fig. 3, comprises the following steps:
Step 301:PPPoE terminal dialing.
Dialing sends to network access server equivalent to PPPoE terminal and reaches the standard grade request, dial-up success i.e. equivalent to PPPoE terminal successful log is reached the standard grade.
Step 302:Network access server is inquired about the corresponding history list item that logs in of the PPPoE terminal and be whether there is, if It is then execution step 303, if otherwise execution step 311.
Step 303:History list item is logged in if there is the PPPoE terminal, then continue to judge should for network access server Log in whether the login times in history list item exceed setting value.If it is execution step 304, if otherwise execution step 305.
Step 304:If the login times for logging in history list item exceed setting value, network access server controls The PPPoE terminal keeps always in the setting duration after dial-up success.
That is, in the setting duration after the PPPoE terminal dialing success, network access server is forbidden responding the terminal Offline request, until the offline request for setting the normal response terminal again after duration exceeds the time limit.
Step 305:If this logs in login times in history list item not less than setting value, network access server is held The follow-up dialing process of row.
The subsequent dialing process includes the network access server sending the account and password carried in the PPPoE terminal's dial-up to the AAA server for authentication, the AAA server notifying the network access server of the authentication result, and so on.
Step 306: the network access server judges whether the PPPoE terminal's dial-up succeeded. If so, step 308 is executed; if not, step 307 is executed.
Step 307: if the dial-up did not succeed, the network access server does not refresh the login history entry corresponding to the PPPoE terminal.
Step 308: if the dial-up succeeded, the network access server queries again whether the login history entry corresponding to the PPPoE terminal exists. If so, step 309 is executed; if not, step 310 is executed.
The purpose of querying again here whether the login history entry exists is that the login history entry may have been deleted after step 302 because its configured validity time expired, so a second query is made to confirm the real-time state of the login history entry.
Step 309: if the login history entry of the PPPoE terminal still exists, the network access server refreshes the login history entry corresponding to the PPPoE terminal, that is, it adds 1 to the historical login count recorded in the login history entry.
Step 310: if the second query finds that the login history entry corresponding to the PPPoE terminal no longer exists, the network access server takes no action.
Step 311: if the judgement result of step 302 is that no login history entry corresponding to the PPPoE terminal exists, the network access server executes the subsequent dialing process.
Step 312: the network access server judges whether the PPPoE terminal's dial-up succeeded. If so, step 313 is executed; if not, step 314 is executed.
Step 313: if the dial-up succeeded, the network access server creates a new login history entry for the PPPoE terminal, sets the historical login count in this login history entry to 1, and starts the ageing timer of the login history entry.
After the ageing timer times out, the login history entry is deleted.
Step 314: if the dial-up did not succeed, the network access server does not create a new login history entry for the PPPoE terminal.
The method provided by the application has been described above. The device provided by the application is described below.
Referring to Fig. 4, the figure is a functional block diagram of a device for preventing counterfeit offline attacks provided by an embodiment of the application; the device can be applied in a network access server. The device includes an entry processing unit 401 and a terminal control unit 402.
The entry processing unit 401 is used, after a terminal logs in and goes online, to judge whether the login count in the login history entry corresponding to the terminal exceeds the set value; the login history entry is used to record the terminal's cumulative login count within the set time period.
The terminal control unit 402 is used, when the entry processing unit 401 determines that the login count exceeds the set value, to control the terminal so that it stays online for the set duration after logging in and going online.
Optionally, the device may also include a receiving unit;
the receiving unit is used to receive offline requests from the terminal.
Accordingly, the terminal control unit 402 is specifically used to: create an online record for the terminal and add a solidification attribute mark to the created online record, the solidification attribute mark being deleted after the set duration; when the receiving unit receives an offline request from the terminal, judge whether the terminal's online record is marked with the solidification attribute mark; and if so, refuse to respond to the terminal's offline request, so that the terminal stays online for the set duration during which its online record carries the solidification attribute mark.
Optionally, the terminal control unit 402 may also be used to: if, when the receiving unit receives an offline request from the terminal, the terminal's online record is not marked with the solidification attribute mark, respond to the terminal's offline request so that the terminal goes offline.
Optionally, the entry processing unit 401 may also be used to: after the terminal goes offline, query whether a login history entry corresponding to the terminal exists; if it exists, add 1 to the login count in the login history entry; if it does not exist, create a new login history entry for the terminal, set the login count of the new login history entry to 1, set a validity time for the new login history entry, and delete the new login history entry when the validity time expires.
Optionally, the entry processing unit 401 may also be used to: if the login count in the login history entry corresponding to the terminal exceeds the set value, delete that login history entry.
Optionally, before judging whether the login count in the login history entry corresponding to the terminal exceeds the set value, the entry processing unit 401 may also be used to: query whether a login history entry corresponding to the terminal exists, and determine from the query result that the login history entry corresponding to the terminal exists.
After judging whether the login count in the login history entry corresponding to the terminal exceeds the set value, the entry processing unit 401 may also be used to: if the login count in the login history entry corresponding to the terminal does not exceed the set value, query again whether the login history entry corresponding to the terminal exists; if it exists, add 1 to the login count in the login history entry; if it does not exist, create a new login history entry for the terminal, set the login count of the new login history entry to 1, set a validity time for the new login history entry, and delete the new login history entry when the validity time expires.
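The dialing flow of Fig. 3 (steps 301 to 314) and the entry processing and terminal control units of Fig. 4, as an added simulation that is not the patent's or the applicant's own code: terminal names, the set value, the durations and the fake clock are constructed, the AAA exchange is replaced by a callback, and the optional deletion of the entry once the count exceeds the set value is included.

```python
# Added example, not the patent's own code: a simulation of the network access
# server (NAS) logic of Fig. 3 and Fig. 4 with a fake clock and constructed values.
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class LoginHistory:
    count: int          # cumulative logins within the validity window
    expires_at: float   # when the ageing timer deletes the entry


@dataclass
class OnlineRecord:
    pinned_until: Optional[float]  # solidification attribute mark; None = not marked


class NetworkAccessServer:
    def __init__(self, threshold: int = 2, validity: float = 100.0, pin_duration: float = 30.0):
        self.threshold = threshold        # the "set value" for the login count
        self.validity = validity          # ageing timer of a login history entry
        self.pin_duration = pin_duration  # the "set duration" the terminal is kept online
        self.now = 0.0                    # fake clock standing in for real timers
        self.history: Dict[str, LoginHistory] = {}
        self.online: Dict[str, OnlineRecord] = {}

    def tick(self, seconds: float) -> None:
        self.now += seconds
        self._age()

    def _age(self) -> None:
        # An expired ageing timer deletes the login history entry (step 313).
        for t in [t for t, h in self.history.items() if h.expires_at <= self.now]:
            del self.history[t]
        # The solidification mark is deleted once the set duration has passed.
        for rec in self.online.values():
            if rec.pinned_until is not None and rec.pinned_until <= self.now:
                rec.pinned_until = None

    def dial(self, terminal: str, authenticate: Callable[[str], bool]) -> str:
        """Steps 301 to 314; `authenticate` stands in for the AAA exchange."""
        self._age()
        entry = self.history.get(terminal)                  # step 302
        existed = entry is not None
        pin = existed and entry.count > self.threshold       # step 303
        if not authenticate(terminal):                       # steps 306 / 312
            return "rejected"                                # steps 307 / 314: table untouched
        if pin:                                              # step 304: keep the terminal online
            self.history.pop(terminal, None)                 # optional deletion of the entry (claim 5)
            self.online[terminal] = OnlineRecord(pinned_until=self.now + self.pin_duration)
            return "online-pinned"
        self._age()
        entry = self.history.get(terminal)                   # step 308: re-query the live state
        if entry is not None:
            entry.count += 1                                 # step 309
        elif not existed:                                    # step 313: first login in the window
            self.history[terminal] = LoginHistory(1, self.now + self.validity)
        # else: the entry aged out between steps 302 and 308, so do nothing (step 310)
        self.online[terminal] = OnlineRecord(pinned_until=None)
        return "online"

    def offline_request(self, terminal: str) -> str:
        """Offline request handling of the terminal control unit (402)."""
        self._age()
        rec = self.online.get(terminal)
        if rec is None:
            return "ignored"                                 # the terminal is not online
        if rec.pinned_until is not None:                     # online record still carries the mark
            return "refused"                                 # no response: the terminal stays online
        del self.online[terminal]
        return "offline"
```

A terminal that is repeatedly knocked offline and redials within the validity window crosses the set value on its fourth login here and is then pinned, so offline requests (forged or genuine) are refused until the set duration passes.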
It should be noted that the division into units in the embodiment of the present invention is only schematic and is a division by logical function only; in actual implementation there may be other ways of dividing. The functional units in the embodiments of the application may be integrated in one processing unit, or each unit may exist physically on its own, or two or more units may be integrated in one unit. The integrated unit may be realised in the form of hardware or in the form of a software functional unit. Taking software implementation as an example, the device in the logical sense is formed by the processor of the network access server in which it resides reading the corresponding computer program instructions from the memory into main memory and running them. From the hardware perspective, Fig. 5 shows a hardware structure diagram of the network access server in which the device for preventing counterfeit offline attacks provided by the application resides.
The memory may store the logic instructions for preventing counterfeit offline attacks, and the memory may be, for example, non-volatile memory. The processor can call the logic instructions for preventing counterfeit offline attacks stored in the memory in order to execute the functions of the network access server in the above method for preventing counterfeit offline attacks.
As shown in Fig. 5, an embodiment of the application also provides a device for preventing counterfeit offline attacks; the device includes a processor 501 and a memory 502, and the processor 501 and the memory 502 may, for example, be interconnected by an internal bus 503.
The memory 502 is used to store instructions executable by the processor 501.
The processor 501 is used to execute the following operations:
After a terminal logs in and goes online, judge whether the login count in the login history entry corresponding to the terminal exceeds the set value, the login history entry being used to record the terminal's cumulative login count within the set time period; if so, control the terminal so that it stays online for the set duration after logging in and going online.
As the device embodiment essentially corresponds to the method embodiment, the relevant parts can be found in the description of the method embodiment. The device embodiment described above is only schematic; the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed across multiple network elements. Some or all of the modules may be selected according to actual need to achieve the purpose of the solution of the application. A person of ordinary skill in the art can understand and implement this without creative effort.
The above is only a preferred embodiment of the application and is not intended to limit it; any modification, equivalent substitution, improvement and the like made within the spirit and principles of the application shall be included within the scope of protection of the application.

Claims (12)

1. A method for preventing counterfeit offline attacks, characterised in that the method is applied to a network access server and includes:
after a terminal logs in and goes online, judging whether the login count in the login history entry corresponding to the terminal exceeds a set value, the login history entry being used to record the terminal's cumulative login count within a set time period;
if so, controlling the terminal so that it stays online for a set duration after logging in and going online.
2. The method of claim 1, characterised in that controlling the terminal so that it stays online for the set duration after going online includes:
creating an online record for the terminal and adding a solidification attribute mark to the created online record, the solidification attribute mark being deleted after the set duration;
when an offline request from the terminal is received, judging whether the online record of the terminal is marked with the solidification attribute mark;
if so, refusing to respond to the terminal's offline request, so that the terminal stays online for the set duration during which its online record carries the solidification attribute mark.
3. The method of claim 2, characterised in that the method also includes:
if, when an offline request from the terminal is received, the online record of the terminal is not marked with the solidification attribute mark, responding to the terminal's offline request so that the terminal goes offline.
4. The method of claim 1, characterised in that the method also includes:
after the terminal goes offline, querying whether a login history entry corresponding to the terminal exists;
if it exists, adding 1 to the login count in the login history entry;
if it does not exist,
creating a new login history entry for the terminal, setting the login count of the new login history entry to 1, setting a validity time for the new login history entry, and deleting the new login history entry when the validity time expires.
5. The method of claim 1, characterised in that the method also includes:
if the login count in the login history entry corresponding to the terminal exceeds the set value, deleting the login history entry.
6. The method of claim 1, characterised in that, before judging whether the login count in the login history entry corresponding to the terminal exceeds the set value, the method also includes:
querying whether a login history entry corresponding to the terminal exists;
determining from the query result that the login history entry corresponding to the terminal exists;
and the method also includes:
if the login count in the login history entry corresponding to the terminal does not exceed the set value,
querying again whether the login history entry corresponding to the terminal exists;
if it exists, adding 1 to the login count in the login history entry;
if it does not exist, creating a new login history entry for the terminal, setting the login count of the new login history entry to 1, setting a validity time for the new login history entry, and deleting the new login history entry when the validity time expires.
7. A device for preventing counterfeit offline attacks, characterised in that the device is applied to a network access server and includes:
an entry processing unit, used, after a terminal logs in and goes online, to judge whether the login count in the login history entry corresponding to the terminal exceeds a set value, the login history entry being used to record the terminal's cumulative login count within a set time period;
a terminal control unit, used, when the entry processing unit determines that the login count exceeds the set value, to control the terminal so that it stays online for a set duration after logging in and going online.
8. The device of claim 7, characterised in that the device also includes a receiving unit;
the receiving unit is used to receive offline requests from the terminal;
the terminal control unit is specifically used to:
create an online record for the terminal and add a solidification attribute mark to the created online record, the solidification attribute mark being deleted after the set duration;
when the receiving unit receives an offline request from the terminal, judge whether the online record of the terminal is marked with the solidification attribute mark;
if so, refuse to respond to the terminal's offline request, so that the terminal stays online for the set duration during which its online record carries the solidification attribute mark.
9. The device of claim 8, characterised in that the terminal control unit is also used to:
if, when the receiving unit receives an offline request from the terminal, the online record of the terminal is not marked with the solidification attribute mark, respond to the terminal's offline request so that the terminal goes offline.
10. The device of claim 7, characterised in that the entry processing unit is also used to:
after the terminal goes offline, query whether a login history entry corresponding to the terminal exists;
if it exists, add 1 to the login count in the login history entry;
if it does not exist,
create a new login history entry for the terminal, set the login count of the new login history entry to 1, set a validity time for the new login history entry, and delete the new login history entry when the validity time expires.
11. The device of claim 7, characterised in that the entry processing unit is also used to:
if the login count in the login history entry corresponding to the terminal exceeds the set value, delete the login history entry.
12. The device of claim 7, characterised in that, before judging whether the login count in the login history entry corresponding to the terminal exceeds the set value, the entry processing unit is also used to:
query whether a login history entry corresponding to the terminal exists;
determine from the query result that the login history entry corresponding to the terminal exists;
and after judging whether the login count in the login history entry corresponding to the terminal exceeds the set value, the entry processing unit is also used to:
if the login count in the login history entry corresponding to the terminal does not exceed the set value,
query again whether the login history entry corresponding to the terminal exists;
if it exists, add 1 to the login count in the login history entry;
if it does not exist, create a new login history entry for the terminal, set the login count of the new login history entry to 1, set a validity time for the new login history entry, and delete the new login history entry when the validity time expires.
CN201611047143.3A 2016-11-21 2016-11-21 Method and device for preventing counterfeit offline attack Active CN106453408B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611047143.3A CN106453408B (en) 2016-11-21 2016-11-21 Method and device for preventing counterfeit offline attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611047143.3A CN106453408B (en) 2016-11-21 2016-11-21 Method and device for preventing counterfeit offline attack

Publications (2)

Publication Number Publication Date
CN106453408A (en) 2017-02-22
CN106453408B (en) 2020-01-03


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
CB02 Change of applicant information
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.
Applicant after: NEW H3C TECHNOLOGIES Co.,Ltd.
Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.
Applicant before: HANGZHOU H3C TECHNOLOGIES Co.,Ltd.
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20230626
Address after: 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province
Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd.
Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466
Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd.