WO2016041346A1 - Network data traffic control method and device - Google Patents


Info

Publication number
WO2016041346A1
Authority
WO
WIPO (PCT)
Prior art keywords
traffic
flow entry
flow
entry
blacklist
Prior art date
Application number
PCT/CN2015/076484
Other languages
French (fr)
Chinese (zh)
Inventor
黎重
张武
李辉
Original Assignee
中兴通讯股份有限公司
Application filed by 中兴通讯股份有限公司
Publication of WO2016041346A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/10 Flow control; Congestion control
    • H04L 47/21 Flow control; Congestion control using leaky-bucket

Definitions

  • This document relates to the field of network communication flow control technology, and in particular to a method and device for controlling network data traffic.
  • With the rapid development of networks, the traffic that a network system needs to process has grown larger and larger, and the stability of the system decreases as traffic increases.
  • For a network system that adopts no flow control mechanism, an abnormally large amount of traffic exceeds the load that the system was designed to withstand, and abnormal phenomena appear: for example, the operating efficiency of the system may be seriously degraded, which in turn causes the serious problem of network congestion.
  • Among the related techniques, a leaky bucket algorithm can be used to perform traffic shaping and rate limiting on data flowing into the system by means of a buffer and a "leaky bucket": when packets are received too fast, the buffer holds them, and the buffered packets are then sent at a uniform rate under the control of the leaky bucket.
  • This method lacks an effective means of filtering abnormal packets, and the algorithm is also relatively complicated to implement.
  • In a target-network-oriented flow control method, a traffic analysis unit collects network data sample statistics on received packets and, using TCP/IP protocol header field values as items, extracts abnormal-traffic filtering rules to be applied to the target host; traffic control is then performed on network packets sent to the target host according to these rules.
  • In that method, packet statistics are only distinguished by Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP), so the control granularity is coarse; once the control policy is applied, packets from all sources to the target host are treated the same way, and the source of abnormal traffic cannot be effectively monitored.
  • TCP Transmission Control Protocol
  • UDP User Datagram Protocol
  • ICMP Internet Control Message Protocol
  • The embodiment of the invention provides a method and a device for controlling network data traffic that can effectively monitor the source of abnormal traffic and achieve effective control of abnormal traffic.
  • A method for controlling network data traffic comprises: receiving a network packet; updating, according to the currently received network packet, the total traffic received by the network system and the traffic of the flow entry in the flow table corresponding to the currently received network packet;
  • if the relationship between the total traffic received by the network system and a preset maximum threshold of the system traffic, and the relationship between the traffic of a selected flow entry in the flow table and a preset maximum traffic threshold of a flow entry, both meet predetermined requirements, adding the selected flow entry to a blacklist;
  • and processing the packets corresponding to the flow entries in the blacklist in a predetermined manner.
  • The method further includes: selecting a recorded flow entry from the blacklist; if the traffic of the selected flow entry is less than the preset maximum traffic threshold of a flow entry, and the sum of the total traffic received by the network system and the traffic of the selected flow entry is less than or equal to the preset maximum threshold of the system traffic, removing the selected flow entry from the blacklist.
  • Updating, according to the currently received network packet, the total traffic received by the network system and the traffic of the corresponding flow entry in the flow table includes: obtaining the corresponding flow entry in the flow table according to the currently received network packet;
  • matching the obtained flow entry against the blacklist; if the flow entry is in the blacklist, updating only the traffic of that flow entry in the flow table according to the currently received network packet; if the flow entry is not in the blacklist, updating both the total traffic received by the network system and the traffic of the flow entry in the flow table according to the currently received network packet.
  • Obtaining the corresponding flow entry in the flow table according to the currently received network packet includes: searching the flow table for the corresponding flow entry according to the header information of the currently received network packet; if the corresponding flow entry exists in the flow table, obtaining it; if it does not exist, creating a new flow entry corresponding to the currently received network packet in the flow table.
  • Adding the selected flow entry to the blacklist includes:
  • if the total traffic received by the network system is less than the preset maximum threshold of the system traffic, and the traffic of the selected flow entry in the flow table is greater than the preset maximum traffic threshold of a flow entry, adding the selected flow entry to the blacklist;
  • if the total traffic received by the network system is greater than or equal to the preset maximum threshold of the system traffic, and the traffic of the selected flow entry in the flow table is greater than the preset maximum traffic threshold of a flow entry, adding the selected flow entry to the blacklist and subtracting the traffic of the blacklisted flow entry from the total traffic received by the network system; and/or if the traffic of all flow entries in the flow table does not exceed the maximum traffic threshold of a flow entry, adding the flow entry with the largest traffic in the flow table to the blacklist and subtracting the traffic of that flow entry from the total traffic received by the network system.
  • An apparatus for controlling network data traffic comprises: a receiving module configured to receive a network packet; an updating module configured to update, according to the currently received network packet, the total traffic received by the network system and the traffic of the flow entry in the flow table corresponding to the currently received network packet;
  • an analysis module configured to add the selected flow entry to a blacklist if the relationship between the total traffic received by the network system and the preset maximum threshold of the system traffic, and the relationship between the traffic of the flow entry selected in the flow table and the preset maximum traffic threshold of a flow entry, both meet the predetermined requirements;
  • and a processing module configured to process the packets corresponding to the flow entries in the blacklist in a predetermined manner.
  • The device further includes: a selecting module configured to select a recorded flow entry from the blacklist; and a removing module configured to remove the selected flow entry from the blacklist if the traffic of the selected flow entry is less than the preset maximum traffic threshold of a flow entry and the sum of the total traffic received by the network system and the traffic of the selected flow entry is less than or equal to the preset maximum threshold of the system traffic.
  • The updating module includes: an obtaining unit configured to obtain the corresponding flow entry in the flow table according to the currently received network packet; a matching unit configured to match the obtained flow entry against the blacklist;
  • a first update unit configured to update, if the flow entry is in the blacklist, the traffic of the flow entry in the flow table according to the currently received network packet; and a second update unit configured to update, if the flow entry is not in the blacklist, the total traffic received by the network system and the traffic of the flow entry in the flow table according to the currently received network packet.
  • The obtaining unit includes: a searching unit configured to search the flow table for the corresponding flow entry according to the header information of the currently received network packet; a first acquiring unit configured to obtain the flow entry corresponding to the currently received network packet if that flow entry exists in the flow table;
  • and a second acquiring unit configured to create a new flow entry corresponding to the currently received network packet in the flow table if no corresponding flow entry exists.
  • The analysis module includes: a first analysis unit configured to add the selected flow entry to the blacklist if the total traffic received by the network system is less than the preset maximum threshold of the system traffic and the traffic of the selected flow entry in the flow table is greater than the maximum traffic threshold of a flow entry;
  • a second analysis unit configured to add the selected flow entry to the blacklist and subtract its traffic from the total traffic received by the network system if the total traffic received by the network system is greater than or equal to the preset maximum threshold of the system traffic and the traffic of the selected flow entry in the flow table is greater than the preset maximum traffic threshold of a flow entry;
  • and a third analysis unit configured to add the flow entry with the largest traffic in the flow table to the blacklist and subtract its traffic from the total traffic received by the network system if the traffic of all flow entries in the flow table does not exceed the maximum traffic threshold of a flow entry.
  • The embodiment of the invention further provides a computer readable storage medium storing program instructions; the method above can be implemented when the program instructions are executed.
  • The embodiment of the invention solves the problem that network systems of the related art cope poorly with a large amount of traffic, and achieves network traffic control through the cooperation of flow entry processing and blacklist processing; it can identify the source of abnormal traffic more accurately without affecting the processing of normal traffic by the network system.
  • Abnormal traffic in the system can be monitored and added to the blacklist, and when a flow entry returns to normal the network system can remove it from the blacklist again, so that every network packet sent to the network system is handled reasonably.
  • FIG. 1 is a flowchart of a method for controlling network data traffic according to an embodiment of the present invention.
  • FIG. 2 is a flowchart of updating traffic according to the current network packet according to an embodiment of the present invention.
  • FIG. 3 is a flowchart of obtaining the flow entry corresponding to the current network packet in the flow table according to an embodiment of the present invention.
  • FIG. 4 is an application diagram of a method for controlling network data traffic according to an embodiment of the present invention.
  • FIG. 5 is a second application diagram of a method for controlling network data traffic according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of an apparatus for controlling network data traffic according to an embodiment of the present invention.
  • FIG. 1 is a flowchart of a method for controlling network data traffic according to an embodiment of the present invention; the method includes the following steps:
  • Step 101: Receive a network packet.
  • The network packet may be a Transmission Control Protocol (TCP) packet, a User Datagram Protocol (UDP) packet or an Internet Control Message Protocol (ICMP) packet; the type of network packet is not limited in this embodiment.
  • TCP Transmission Control Protocol
  • UDP User Datagram Protocol
  • ICMP Internet Control Message Protocol
  • Step 102: Update, according to the currently received network packet, the total traffic received by the network system and the traffic of the flow entry in the flow table corresponding to the currently received network packet.
  • The total traffic received by the network system may be denoted R_m; at the initial stage of the network system, the total traffic R_m it has received may be set to zero. The total traffic received by the network system and the traffic of the flow entry corresponding to the currently received network packet are updated as shown in FIG. 2:
  • Step 201: Obtain the corresponding flow entry in the flow table according to the currently received network packet.
  • Obtaining the corresponding flow entry in the flow table according to the currently received network packet, as shown in FIG. 3, includes:
  • Step 301: Search the flow table for the corresponding flow entry according to the header information of the currently received network packet.
  • The header information of the network packet may be its quintuple (source host IP address, destination host IP address, source host port number, destination host port number and protocol type).
  • Step 302: If the corresponding flow entry exists in the flow table, obtain the flow entry corresponding to the currently received network packet.
  • Step 303: If the corresponding flow entry does not exist in the flow table, create a flow entry corresponding to the currently received network packet in the flow table.
  • FIG. 3 is described below in more detail.
  • Flow entries are recorded in the flow table, and the traffic of the recorded flow entries is denoted F_s1, F_s2 ... F_sn; the traffic of the flow entry corresponding to the currently received network packet is denoted F_sx.
  • If the flow entry corresponding to the current network packet matches a flow entry recorded in the flow table, F_sx is one of F_s1, F_s2 ... F_sn; if it cannot be matched, a new flow entry corresponding to the current network packet is created in the flow table, and F_sx is not any of F_s1, F_s2 ... F_sn, so F_sx may be smaller than F_s1 or larger than F_sn.
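Step 301 keys the flow table on the packet's quintuple. The following parser is an added example, not code from the patent: it extracts that key from a raw IPv4 packet (assumed to arrive with the Ethernet header already stripped), honours the IHL field so that IP options do not shift the port fields, keys ICMP and non-first fragments on ports 0 because they carry no transport ports, and rejects truncated or non-IPv4 input instead of reading past the buffer. The names FlowKey, flow_key_from_ipv4 and build_ipv4 are the example's own, and the three packets are constructed in the code, not captured traffic.

```python
"""Extract the flow-table lookup key (the quintuple of Step 301) from raw IPv4 bytes.
Added example; assumes raw IPv4 packets without a link-layer header."""
import struct
import ipaddress
from typing import NamedTuple

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


class FlowKey(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int


def flow_key_from_ipv4(packet: bytes) -> FlowKey:
    """Parse the IPv4 header (honouring IHL options) and the transport ports."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4                      # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL or truncated options")
    protocol = packet[9]
    src_ip = str(ipaddress.IPv4Address(packet[12:16]))
    dst_ip = str(ipaddress.IPv4Address(packet[16:20]))
    # Fragments after the first carry no transport header, so key them on ports 0.
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    src_port = dst_port = 0
    if protocol in (PROTO_TCP, PROTO_UDP) and frag_offset == 0:
        if len(packet) < ihl + 4:
            raise ValueError("truncated transport header")
        src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    return FlowKey(src_ip, dst_ip, src_port, dst_port, protocol)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, options: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet for the constructed samples (checksum left zero)."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0x1234, 0,   # ver/ihl, tos, len, id, flags/frag
                         64, proto, 0,                               # ttl, protocol, checksum
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + options + payload


# Constructed sample packets (not captured traffic).
TCP_SYN = build_ipv4("10.0.0.5", "192.0.2.10", PROTO_TCP,
                     struct.pack("!HH", 40000, 80) + b"\x00" * 16)
UDP_WITH_OPTIONS = build_ipv4("10.0.0.6", "192.0.2.53", PROTO_UDP,
                              struct.pack("!HH", 5353, 53) + b"\x00" * 4,
                              options=b"\x01\x01\x01\x01")          # four NOP options
ICMP_ECHO = build_ipv4("10.0.0.7", "192.0.2.10", PROTO_ICMP, b"\x08\x00\x00\x00")

if __name__ == "__main__":
    for pkt in (TCP_SYN, UDP_WITH_OPTIONS, ICMP_ECHO):
        print(flow_key_from_ipv4(pkt))
```

A flow table keyed on this tuple separates sources that the per-protocol statistics of the background section lump together: two hosts sending TCP to the same target get two entries, so only the entry that exceeds T_s is blacklisted.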
  • Step 202: Match the obtained flow entry against the blacklist.
  • The blacklist records the flow entries of the network system whose traffic is abnormal within a certain period of time (for example, 20 ms).
  • Step 203: If the flow entry is in the blacklist, update the traffic of the flow entry in the flow table according to the currently received network packet.
  • That is, the traffic F_sx of the flow entry corresponding to the currently received network packet is recorded in the flow table.
  • Step 204: If the flow entry is not in the blacklist, update the total traffic received by the network system and the traffic of the flow entry in the flow table according to the currently received network packet.
  • That is, the traffic F_sx of the flow entry corresponding to the currently received network packet is recorded in the flow table, and at the same time the traffic F_sx of that flow entry is added to the total traffic R_m received by the network system.
  • Step 103: If the relationship between the total traffic received by the network system and the preset maximum threshold of the system traffic, and the relationship between the traffic of the selected flow entry in the flow table and the preset maximum traffic threshold of a flow entry, both meet the predetermined requirements, add the selected flow entry to the blacklist.
  • A maximum threshold T_m of the system traffic and a maximum threshold T_s of the traffic of a flow entry may be set in advance; both T_m and T_s may be set according to the capacity of the network system to process network packets.
  • Step 103 includes:
  • if the total traffic R_m received by the network system is less than the preset maximum system traffic threshold T_m, and the traffic F_sx of the selected flow entry in the flow table is greater than the preset maximum flow entry traffic threshold T_s, the selected flow entry is added to the blacklist;
  • if the total traffic R_m received by the network system is greater than or equal to the preset maximum system traffic threshold T_m, and the traffic F_sx of the selected flow entry in the flow table is greater than the preset maximum flow entry traffic threshold T_s, the selected flow entry is added to the blacklist and its traffic F_sx is subtracted from the total traffic R_m received by the network system; and/or
  • if the traffic of all flow entries in the flow table does not exceed the maximum flow entry traffic threshold T_s, the flow entry with the largest traffic in the flow table is added to the blacklist, and its traffic F_sn is subtracted from the total traffic R_m received by the network system.
  • Step 104: Process the packets corresponding to the flow entries in the blacklist in a predetermined manner.
  • The predetermined manner may be that the flow control module notifies the upper layer, and the upper layer, according to the specific application requirements, forwards the packet directly, discards it directly, or performs other processing.
  • This solves the problem that the related technology copes poorly with a large amount of traffic, and achieves network flow control through the cooperation of flow entry processing and blacklist processing; the source of abnormal traffic is identified more accurately, and the processing of normal traffic by the network system is not affected.
  • Abnormal traffic of the network system can be monitored and added to the blacklist, and when a flow entry returns to normal, the network system can remove it from the blacklist again, so that the network packets received by the network system are processed reasonably.
  • The method may further include selecting a recorded flow entry from the blacklist;
  • if the traffic of the selected flow entry is less than the preset maximum flow entry traffic threshold, and the sum of the total traffic received by the network system and the traffic of the selected flow entry is less than or equal to the preset maximum system traffic threshold, the selected flow entry is removed from the blacklist.
  • FIG. 4 is an application diagram of a method for controlling network data traffic according to an embodiment of the present invention; the diagram may correspond to three implementation scenarios.
  • The implementation of scenario 1 includes the following steps:
  • Step 401: The network system checks the total traffic R_m it has received.
  • Step 402: Check the traffic of a flow entry.
  • Step 403: Add a flow entry whose traffic is greater than T_s to the blacklist.
  • Then return to step 402 to check the traffic of the other flow entries; if no flow entry has traffic greater than T_s, proceed to step 407.
  • Step 407: Clear the traffic of the flow entries and the total traffic received by the network system.
  • The abnormal traffic in this period is thereby controlled; the timer is then restarted and monitoring of abnormal traffic in the next period begins.
  • The implementation of scenario 2 includes the following steps:
  • Step 401: The network system checks the total traffic R_m it has received.
  • Step 404: Check the traffic of a flow entry.
  • Step 405: Add a flow entry whose traffic is greater than T_s to the blacklist.
  • Step 407: Clear the traffic of the flow entries and the total traffic received by the network system.
  • The abnormal traffic in this period is thereby controlled; the timer is then restarted and monitoring of abnormal traffic in the next period begins.
  • The implementation of scenario 3 includes the following steps:
  • Step 401: The network system checks the total traffic R_m it has received.
  • Step 404: Check the traffic of a flow entry.
  • Step 406: Add the flow entry with the largest traffic in the flow table to the blacklist.
  • Step 407: Clear the traffic of the flow entries and the total traffic received by the network system.
  • The abnormal traffic in this period is thereby controlled; the timer is then restarted and monitoring of abnormal traffic in the next period begins.
  • FIG. 5 is a second application diagram of a method for controlling network data traffic according to an embodiment of the present invention; the diagram corresponds to one implementation scenario.
  • The implementation of the scenario includes the following steps:
  • Step 502: Check the traffic F_km of a flow entry in the blacklist.
  • If the sum of the total traffic R_m received by the system and the traffic F_sm of the flow entry in the blacklist is less than or equal to T_m, proceed to step 503.
  • Step 503: If the traffic of the flow entry is smaller than the maximum flow entry traffic threshold, remove the flow entry from the blacklist.
  • Step 504: Clear the traffic of the flow entries and the total traffic received by the network system.
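The following is an added example, not code from the patent, that carries Steps 101 through 104, the three FIG. 4 scenarios and the FIG. 5 release check through in Python one monitoring period at a time. The names are the example's own: FlowController, t_m and t_s for T_m and T_s, r_m for R_m, flow_table for the per-entry traffic F_sx, and period_end() standing in for the timer expiry that clears the counters in steps 407 and 504. The patent does not state at which value of R_m the third rule (blacklist the largest entry when none exceeds T_s) fires; the example applies it only once R_m has reached T_m, which is an assumption that follows the order of steps 401 and 406. The traffic in run_two_periods() and third_rule_demo() is constructed, not captured.

```python
"""Flow-table traffic controller with a blacklist (added example, not the
patent's own code).  Assumed names: FlowController, t_m/t_s for T_m/T_s,
r_m for R_m, flow_table for the per-entry traffic F_sx, period_end() for the
timer expiry of steps 407/504."""
from collections import defaultdict
from typing import Dict, Hashable, List, Tuple


class FlowController:
    def __init__(self, t_m: int, t_s: int) -> None:
        self.t_m = t_m                      # T_m: maximum threshold of system traffic
        self.t_s = t_s                      # T_s: maximum threshold per flow entry
        self.r_m = 0                        # R_m: total traffic, zero at start (Step 102)
        self.flow_table: Dict[Hashable, int] = defaultdict(int)   # F_sx per entry
        self.blacklist: set = set()

    def receive(self, key: Hashable, size: int) -> str:
        """Steps 101-104 for one packet of `size` bytes on flow `key`.
        Returns "blacklisted" when the packet belongs to a blacklisted entry
        (Step 104 leaves forwarding or dropping to the upper layer), else "normal"."""
        # Steps 201 and 301-303: the defaultdict creates the entry on first sight.
        self.flow_table[key] += size
        # Steps 202-203: a blacklisted entry only updates its own counter.
        if key in self.blacklist:
            return "blacklisted"
        # Step 204: a normal entry also counts towards R_m.
        self.r_m += size
        # Step 103: apply the threshold rules to the entry just updated.
        self._apply_thresholds(key)
        return "blacklisted" if key in self.blacklist else "normal"

    def _apply_thresholds(self, key: Hashable) -> None:
        f_sx = self.flow_table[key]
        if self.r_m < self.t_m:
            if f_sx > self.t_s:             # first rule: blacklist, no subtraction
                self.blacklist.add(key)
            return
        if f_sx > self.t_s:                 # second rule: blacklist and subtract F_sx
            self.blacklist.add(key)
            self.r_m -= f_sx
            return
        # Third rule: no entry exceeds T_s, so blacklist the largest one and
        # subtract its traffic.  Applied only while R_m >= T_m (assumption).
        candidates = {k: v for k, v in self.flow_table.items() if k not in self.blacklist}
        if candidates and max(candidates.values()) <= self.t_s:
            largest = max(candidates, key=candidates.get)
            self.blacklist.add(largest)
            self.r_m -= candidates[largest]

    def review_blacklist(self) -> List[Hashable]:
        """FIG. 5 steps 502-503: release entries whose traffic is back to normal."""
        released = []
        for key in sorted(self.blacklist, key=repr):
            f = self.flow_table[key]
            if f < self.t_s and self.r_m + f <= self.t_m:
                self.blacklist.discard(key)
                released.append(key)
        return released

    def period_end(self) -> List[Hashable]:
        """Timer expiry: run the FIG. 5 check, then clear the counters (steps 407/504)."""
        released = self.review_blacklist()
        self.flow_table.clear()
        self.r_m = 0
        return released


# Constructed traffic (not captured): three flows to one target, flow A floods.
A = ("10.0.0.5", "192.0.2.10", 40000, 80, 6)
B = ("10.0.0.6", "192.0.2.10", 40001, 80, 6)
C = ("10.0.0.7", "192.0.2.10", 40002, 443, 6)
PERIOD_1 = [(A, 400), (B, 300), (A, 400), (C, 300), (A, 400), (B, 300), (A, 400)]
PERIOD_2 = [(A, 200), (B, 300)]


def run_two_periods(t_m: int = 1500, t_s: int = 1000) -> Tuple[List[str], int, List, List]:
    """Two periods with T_m=1500, T_s=1000: returns the per-packet verdicts of
    period 1, R_m at the end of period 1, and the entries released at each end."""
    ctl = FlowController(t_m, t_s)
    verdicts = [ctl.receive(k, s) for k, s in PERIOD_1]
    r_m_end = ctl.r_m
    released_1 = ctl.period_end()
    for k, s in PERIOD_2:
        ctl.receive(k, s)
    released_2 = ctl.period_end()
    return verdicts, r_m_end, released_1, released_2


def third_rule_demo() -> Tuple[set, int]:
    """R_m reaches T_m while no entry exceeds T_s: the largest entry is taken first."""
    ctl = FlowController(t_m=1000, t_s=1000)
    for k, s in ((A, 400), (B, 300), (C, 400)):
        ctl.receive(k, s)
    return set(ctl.blacklist), ctl.r_m


if __name__ == "__main__":
    print(run_two_periods())
    print(third_rule_demo())
```

In run_two_periods(), flow A is blacklisted on its fifth packet under the second rule (R_m has reached T_m and F_sx exceeds T_s), so its 1200 bytes are subtracted from R_m and later packets from A update only A's own entry. A stays blacklisted at the first period end because its counter is still above T_s, and is released at the second period end once it stayed below T_s and R_m + F_sx fits under T_m. third_rule_demo() shows the cost of the third rule: with every entry under T_s, the largest legitimate entry is the one blacklisted, which is why T_s and T_m must be sized to the system's real capacity.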
  • The embodiment of the present invention further provides a device for controlling network data traffic.
  • The device 60 includes:
  • a receiving module 61 configured to receive a network packet;
  • an update module 62 configured to update, according to the currently received network packet, the total traffic received by the network system and the traffic of the flow entry in the flow table corresponding to the currently received network packet;
  • an analysis module 63 configured to add the selected flow entry to the blacklist if the relationship between the total traffic received by the network system and the preset maximum threshold of the system traffic, and the relationship between the traffic of the selected flow entry in the flow table and the preset maximum traffic threshold of a flow entry, both meet the predetermined requirements;
  • a processing module 64 configured to process the packets corresponding to the flow entries in the blacklist in a predetermined manner.
  • The predetermined manner may be that the flow control module notifies the upper layer, and the upper layer, according to the application requirements, forwards the packet directly, discards it directly, or performs other processing.
  • The device 60 further includes: a selecting module configured to select a recorded flow entry from the blacklist; and a removing module configured to remove the selected flow entry from the blacklist if the traffic of the selected flow entry is less than the preset maximum flow entry traffic threshold and the sum of the total traffic received by the network system and the traffic of the selected flow entry is less than or equal to the preset maximum system traffic threshold.
  • The update module 62 includes:
  • an obtaining unit 621 configured to obtain the corresponding flow entry in the flow table according to the currently received network packet;
  • the obtaining unit 621 includes: a searching unit 6211 configured to search the flow table for the corresponding flow entry according to the header information of the currently received network packet; a first obtaining unit 6222 configured to obtain the flow entry corresponding to the currently received network packet if the corresponding flow entry exists in the flow table; and a second obtaining unit 6223 configured to create a new flow entry corresponding to the currently received network packet in the flow table if no corresponding flow entry exists;
  • a matching unit 622 configured to match the obtained flow entry against the blacklist;
  • a first update unit 623 configured to update, if the flow entry is in the blacklist, the traffic of the flow entry in the flow table according to the currently received network packet;
  • a second update unit 624 configured to update, if the flow entry is not in the blacklist, the total traffic received by the system and the traffic of the flow entry in the flow table according to the currently received network packet.
  • The analysis module 63 includes:
  • a first analysis unit 631 configured to add the selected flow entry to the blacklist if the total traffic received by the network system is less than the preset maximum threshold of the system traffic and the traffic of the selected flow entry in the flow table is greater than the preset maximum traffic threshold of a flow entry;
  • a second analysis unit 632 configured to add the selected flow entry to the blacklist and subtract its traffic from the total traffic received by the network system if the total traffic received by the network system is greater than or equal to the preset maximum threshold of the system traffic and the traffic of the selected flow entry in the flow table is greater than the preset maximum traffic threshold of a flow entry;
  • a third analysis unit 633 configured to add the flow entry with the largest traffic in the flow table to the blacklist and subtract its traffic from the total traffic received by the network system if the traffic of all flow entries in the flow table does not exceed the preset maximum traffic threshold of a flow entry.
  • This solves the problem that the related technology copes poorly with a large amount of traffic, and achieves network flow control through the cooperation of flow entry processing and blacklist processing; the source of abnormal traffic is identified more accurately, and the processing of normal traffic by the network system is not affected.
  • Abnormal traffic of the system can be monitored and added to the blacklist, and when a flow entry returns to normal, the network system can remove it from the blacklist again, so that every network packet sent to the network system is handled reasonably.
  • All or part of the steps of the above embodiments may also be implemented using integrated circuits. The steps may be fabricated separately as individual integrated circuit modules, or several modules or steps may be implemented as a single integrated circuit module.
  • The devices/function modules/functional units in the above embodiments may be implemented by a general-purpose computing device, which may be centralized on a single computing device or distributed over a network of multiple computing devices.
  • When each device/function module/functional unit in the above embodiments is implemented in the form of a software function module and sold or used as a stand-alone product, it may be stored in a computer readable storage medium.
  • The computer readable storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk or the like.
  • The embodiments of the present invention solve the problem that the related technologies cope poorly with a large amount of traffic, and achieve network traffic control through the cooperation of flow entry processing and blacklist processing; at the same time, the source of abnormal traffic can be identified more accurately without affecting the processing of normal traffic by the system.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A network data traffic control method and device, the method comprising: receiving a network packet; according to the currently received network packet, updating the total traffic received by a network system and the traffic of a flow entry in a flow table corresponding to the currently received network packet; if the relationship between the total traffic received by the network system and a preset maximum threshold for system traffic, and the relationship between the traffic of a selected flow entry in the flow table and a preset maximum threshold for the traffic of the flow entry meet predetermined requirements, then adding the selected flow entry to a blacklist; processing packets corresponding to the flow entry added to the blacklist in a predetermined manner.

Description

一种控制网络数据流量的方法及装置Method and device for controlling network data traffic 技术领域Technical field
The present disclosure relates to the field of network communication flow control, and in particular to a method and device for controlling network data traffic.
Background technique
With the rapid development of networks, the traffic that a network system has to process keeps growing, and the stability of the system declines as the traffic increases. In particular, in a network system that applies no flow control mechanism at all, an abnormally large volume of traffic exceeds the load the system was designed to bear, and the system shows abnormal behaviour: its operating efficiency degrades severely, which in turn leads to the serious problem of network congestion.
The related art includes many flow control methods. For example, a leaky bucket algorithm uses a buffer and a "leaky bucket" to shape and rate-limit the data flowing into the system: when packets arrive too fast, the buffer holds them, and the buffered packets are then sent out at a uniform rate under the control of the leaky bucket. However, this method offers no effective means of filtering abnormal packets, and the algorithm is relatively complex to implement. Another example is flow control oriented to the target network: a traffic analysis unit gathers statistics over samples of the received packets, uses TCP/IP header field values as items to derive an abnormal-traffic filtering rule for the target host, and applies that rule to control the packets sent to the target host.
However, the above related art has the following problem: packet statistics are separated only by Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP), so the control granularity is coarse; once a control policy is applied, packets from every source to the target host are treated in the same way, and the source of the abnormal traffic cannot be effectively identified.
Summary of the invention
Embodiments of the present invention provide a method and device for controlling network data traffic that can effectively identify the source of abnormal traffic and effectively control it.
According to an embodiment of the present invention, a method for controlling network data traffic is provided. The method includes: receiving a network packet; updating, according to the currently received network packet, the total traffic received by the network system and the traffic of the flow entry in the flow table that corresponds to the currently received network packet; if the relationship between the total traffic received by the network system and a preset system traffic maximum threshold, and the relationship between the traffic of a selected flow entry in the flow table and a preset flow entry traffic maximum threshold, both meet predetermined requirements, adding the selected flow entry to a blacklist; and processing the packets corresponding to blacklisted flow entries in a predetermined manner.
Optionally, the method further includes: selecting a recorded flow entry from the blacklist; and, if the traffic of the selected flow entry is less than the preset flow entry traffic maximum threshold and the sum of the total traffic received by the network system and the traffic of the selected flow entry is less than or equal to the preset system traffic maximum threshold, removing the selected flow entry from the blacklist.
Optionally, updating, according to the currently received network packet, the total traffic received by the network system and the traffic of the corresponding flow entry in the flow table includes: obtaining, according to the currently received network packet, the corresponding flow entry in the flow table; matching the obtained flow entry against the blacklist; if the flow entry is in the blacklist, updating only the traffic of the flow entry in the flow table according to the currently received network packet; and if the flow entry is not in the blacklist, updating both the total traffic received by the network system and the traffic of the flow entry in the flow table according to the currently received network packet.
Optionally, obtaining the corresponding flow entry in the flow table according to the currently received network packet includes: searching the flow table for the corresponding flow entry according to the header information of the currently received network packet; if the corresponding flow entry exists in the flow table, obtaining the flow entry corresponding to the currently received network packet; and if no corresponding flow entry exists in the flow table, creating in the flow table a new flow entry corresponding to the currently received network packet.
Optionally, adding the selected flow entry to the blacklist if the relationship between the total traffic received by the network system and the preset system traffic maximum threshold, and the relationship between the traffic of the selected flow entry and the preset flow entry traffic maximum threshold, both meet the predetermined requirements includes:
if the total traffic received by the network system is less than the preset system traffic maximum threshold and the traffic of the selected flow entry in the flow table is greater than the preset flow entry traffic maximum threshold, adding the selected flow entry to the blacklist; if the total traffic received by the network system is greater than or equal to the preset system traffic maximum threshold and the traffic of the selected flow entry in the flow table is greater than the preset flow entry traffic maximum threshold, adding the selected flow entry to the blacklist and subtracting the traffic of the blacklisted flow entry from the total traffic received by the network system; and/or if the traffic of none of the flow entries in the flow table exceeds the preset flow entry traffic maximum threshold, adding the flow entry with the largest traffic in the flow table to the blacklist and subtracting the traffic of that flow entry from the total traffic received by the network system.
According to another embodiment of the present invention, a device for controlling network data traffic is provided. The device includes: a receiving module, configured to receive a network packet; an updating module, configured to update, according to the currently received network packet, the total traffic received by the network system and the traffic of the flow entry in the flow table that corresponds to the currently received network packet; an analysis module, configured to add a selected flow entry to a blacklist if the relationship between the total traffic received by the network system and a preset system traffic maximum threshold, and the relationship between the traffic of the selected flow entry in the flow table and a preset flow entry traffic maximum threshold, both meet predetermined requirements; and a processing module, configured to process the packets corresponding to blacklisted flow entries in a predetermined manner.
Optionally, the device further includes: a selecting module, configured to select a recorded flow entry from the blacklist; and a removing module, configured to remove the selected flow entry from the blacklist if the traffic of the selected flow entry is less than the preset flow entry traffic maximum threshold and the sum of the total traffic received by the network system and the traffic of the selected flow entry is less than or equal to the preset system traffic maximum threshold.
Optionally, the updating module includes: an obtaining unit, configured to obtain the corresponding flow entry in the flow table according to the currently received network packet; a matching unit, configured to match the obtained flow entry against the blacklist; a first updating unit, configured to update the traffic of the flow entry in the flow table according to the currently received network packet if the flow entry is in the blacklist; and a second updating unit, configured to update the total traffic received by the network system and the traffic of the flow entry in the flow table according to the currently received network packet if the flow entry is not in the blacklist.
Optionally, the obtaining unit includes: a searching unit, configured to search the flow table for the corresponding flow entry according to the header information of the currently received network packet; a first obtaining unit, configured to obtain the flow entry corresponding to the currently received network packet if the corresponding flow entry exists in the flow table; and a second obtaining unit, configured to create in the flow table a new flow entry corresponding to the currently received network packet if no corresponding flow entry exists in the flow table.
Optionally, the analysis module includes: a first analysis unit, configured to add the selected flow entry to the blacklist if the total traffic received by the network system is less than the preset system traffic maximum threshold and the traffic of the selected flow entry in the flow table is greater than the preset flow entry traffic maximum threshold; a second analysis unit, configured to add the selected flow entry to the blacklist and subtract the traffic of the blacklisted flow entry from the total traffic received by the network system if the total traffic received by the network system is greater than or equal to the preset system traffic maximum threshold and the traffic of the selected flow entry in the flow table is greater than the preset flow entry traffic maximum threshold; and a third analysis unit, configured to add the flow entry with the largest traffic in the flow table to the blacklist and subtract the traffic of that flow entry from the total traffic received by the network system if the traffic of none of the flow entries in the flow table exceeds the preset flow entry traffic maximum threshold.
An embodiment of the present invention further provides a computer-readable storage medium storing program instructions which, when executed, implement the method described above.
The embodiments of the present invention solve the problem that network systems in the related art cannot adequately handle large volumes of traffic: network flow control is achieved through the cooperation of flow entry processing and blacklist processing, the source of abnormal traffic is identified well, and the network system's handling of normal traffic is not affected.
The embodiments of the present invention can detect abnormal system traffic and add it to the blacklist, and when a flow entry returns to normal the network system can also remove that flow entry from the blacklist again, so that the network system handles every received network packet appropriately.
Brief description of the drawings
FIG. 1 is a flowchart of a method for controlling network data traffic according to an embodiment of the present invention;
FIG. 2 is a flowchart of updating traffic according to the current network packet according to an embodiment of the present invention;
FIG. 3 is a flowchart of a method for obtaining the flow entry in the flow table that corresponds to the currently received network packet according to an embodiment of the present invention;
FIG. 4 is a first application diagram of the method for controlling network data traffic according to an embodiment of the present invention;
FIG. 5 is a second application diagram of the method for controlling network data traffic according to an embodiment of the present invention; and
FIG. 6 is a schematic structural diagram of a device for controlling network data traffic according to an embodiment of the present invention.
Embodiments of the invention
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure may be implemented in many forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided so that the present disclosure will be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.
Embodiment 1
FIG. 1 is a flowchart of a method for controlling network data traffic according to an embodiment of the present invention. The method includes the following steps:
Step 101: receive a network packet.
The network packet may be a Transmission Control Protocol (TCP) packet, a User Datagram Protocol (UDP) packet, an Internet Control Message Protocol (ICMP) packet or the like; it will be understood that this embodiment does not limit the type of the network packet.
Step 102: update, according to the currently received network packet, the total traffic received by the network system and the traffic of the flow entry in the flow table that corresponds to the currently received network packet.
The total traffic received by the network system may be denoted R_m; in particular, in the initial stage R_m may be set to 0. Updating the total traffic received by the network system and the traffic of the flow entry corresponding to the currently received network packet is implemented as shown in FIG. 2 and includes:
Step 201: obtain, according to the currently received network packet, the corresponding flow entry in the flow table.
Obtaining the corresponding flow entry in the flow table according to the currently received network packet is implemented as shown in FIG. 3 and includes:
Step 301: search the flow table for the corresponding flow entry according to the header information of the currently received network packet. The header information of the network packet may be the packet's five-tuple (source host IP address, destination host IP address, source host port number, destination host port number, and protocol type).
Step 302: if the corresponding flow entry exists in the flow table, obtain the flow entry corresponding to the currently received network packet.
Step 303: if no corresponding flow entry exists in the flow table, create in the flow table a new flow entry corresponding to the currently received network packet.
FIG. 3 is explained as follows. The flow table records flow entries, and the traffic values of the recorded flow entries are labelled from smallest to largest as F_s1, F_s2, ..., F_sn. The traffic of the flow entry corresponding to the currently received network packet is F_sx. If the flow entry corresponding to the currently received network packet matches a flow entry recorded in the flow table, F_sx takes the value of one of F_s1, F_s2, ..., F_sn; if it cannot be matched, a new flow entry corresponding to the current network packet is created in the flow table, F_sx is not any of F_s1, F_s2, ..., F_sn, and F_sx may be smaller than F_s1 or larger than F_sn.
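Step 301 keys the flow table on the packet's five-tuple. The following parser, added here as a worked example and not part of the patent's own text, builds that key from a raw IPv4 packet. It validates the header before trusting any field, because the bytes that select a flow entry are attacker-controlled, and it treats ICMP and non-first fragments (which carry no transport header) as port-less keys. The packet constants are constructed for this example; the function name and the choice to use port 0 for ICMP are assumptions.

```python
"""Five-tuple extraction for a flow-table lookup (added example)."""
import struct
from ipaddress import IPv4Address

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def five_tuple(packet: bytes) -> tuple:
    """Return (src_ip, dst_ip, src_port, dst_port, proto) for an IPv4 packet.

    TCP/UDP give real ports; ICMP and non-first fragments have no transport
    header, so both ports are 0. Malformed input raises ValueError instead of
    keying a flow entry on garbage (an attacker controls every byte here).
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4                 # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    total_len = struct.unpack_from("!H", packet, 2)[0]
    if total_len < ihl or total_len > len(packet):
        raise ValueError("bad total length")
    frag = struct.unpack_from("!H", packet, 6)[0] & 0x1FFF   # fragment offset
    proto = packet[9]
    src = str(IPv4Address(packet[12:16]))
    dst = str(IPv4Address(packet[16:20]))
    if frag != 0 or proto not in (PROTO_TCP, PROTO_UDP):
        return (src, dst, 0, 0, proto)             # no L4 ports available
    if total_len < ihl + 4:
        raise ValueError("truncated transport header")
    sport, dport = struct.unpack_from("!HH", packet, ihl)
    return (src, dst, sport, dport, proto)


# Constructed sample packets (checksums left as zero; they are not verified).
TCP_PKT = bytes.fromhex(
    "45 00 00 28 12 34 40 00 40 06 00 00 0a 00 00 01 0a 00 00 09"
    "9c 40 00 50 00 00 00 00 00 00 00 00 50 02 ff ff 00 00 00 00")
UDP_PKT = bytes.fromhex(
    "45 00 00 1c 00 01 00 00 40 11 00 00 c0 a8 01 05 08 08 08 08"
    "d4 31 00 35 00 08 00 00")
ICMP_PKT = bytes.fromhex(
    "45 00 00 1c 00 02 00 00 40 01 00 00 0a 00 00 02 0a 00 00 09"
    "08 00 00 00 00 01 00 01")
# Same TCP packet with fragment offset 16: the 20 bytes after the IP
# header are fragment payload, not a TCP header, so ports must not be read.
FRAG_PKT = bytes.fromhex(
    "45 00 00 28 12 34 00 10 40 06 00 00 0a 00 00 01 0a 00 00 09"
    "9c 40 00 50 00 00 00 00 00 00 00 00 50 02 ff ff 00 00 00 00")


if __name__ == "__main__":
    for name, pkt in [("tcp", TCP_PKT), ("udp", UDP_PKT),
                      ("icmp", ICMP_PKT), ("frag", FRAG_PKT)]:
        print(name, five_tuple(pkt))
```

Keying fragments without ports means all non-first fragments between two hosts share one flow entry regardless of the connection they belong to; a production filter would either reassemble or rate-limit fragments separately.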
Continuing with FIG. 2, Step 202: match the obtained flow entry against the blacklist.
The blacklist records the flow entries that have had abnormal traffic within a certain period (for example, 20 ms).
Step 203: if the flow entry is in the blacklist, update the traffic of the flow entry in the flow table according to the currently received network packet.
That is, if the flow entry corresponding to the currently received network packet is in the blacklist, the traffic F_sx of that flow entry is recorded in the flow table only.
Step 204: if the flow entry is not in the blacklist, update the total traffic received by the network system and the traffic of the flow entry in the flow table according to the currently received network packet.
That is, if the flow entry corresponding to the currently received network packet is not in the blacklist, the traffic F_sx of that flow entry is recorded in the flow table and, at the same time, F_sx is added to the total traffic R_m received by the network system.
Continuing with FIG. 1, Step 103: if the relationship between the total traffic received by the network system and a preset system traffic maximum threshold, and the relationship between the traffic of a selected flow entry in the flow table and a preset flow entry traffic maximum threshold, both meet predetermined requirements, add the selected flow entry to the blacklist.
The system traffic maximum threshold may be denoted T_m and the flow entry traffic maximum threshold T_s; both T_m and T_s may be set according to the network system's capacity for processing network packets.
Step 103 includes:
if the total traffic R_m received by the network system is less than the preset system traffic maximum threshold T_m, and the traffic F_sx of the selected flow entry in the flow table is greater than the preset flow entry traffic maximum threshold T_s, add the selected flow entry to the blacklist;
if the total traffic R_m received by the network system is greater than or equal to the preset system traffic maximum threshold T_m, and the traffic F_sx of the selected flow entry in the flow table is greater than the preset flow entry traffic maximum threshold T_s, add the selected flow entry to the blacklist and subtract the traffic F_sx of the blacklisted flow entry from the total traffic R_m received by the network system; and/or
if the traffic of none of the flow entries in the flow table exceeds the preset flow entry traffic maximum threshold T_s, add the flow entry with the largest traffic in the flow table to the blacklist and subtract the traffic F_sn of that flow entry from the total traffic R_m received by the network system.
Step 104: process the packets corresponding to blacklisted flow entries in a predetermined manner.
The predetermined processing may be that the flow control module notifies the upper layer, which, according to the specific application requirements, may forward the packet directly, discard it directly, or apply other processing.
The embodiments of the present invention solve the problem that the related art cannot adequately handle large volumes of traffic: network flow control is achieved through the cooperation of flow entry processing and blacklist processing, the source of abnormal traffic is identified well, and the network system's handling of normal traffic is not affected.
The embodiments of the present invention can detect abnormal network system traffic and add it to the blacklist, and when a flow entry returns to normal the network system can also remove that flow entry from the blacklist again, so that the network system handles every received network packet appropriately.
To do so, a recorded flow entry is selected from the blacklist;
if the traffic of the selected flow entry is less than the preset flow entry traffic maximum threshold, and the sum of the total traffic received by the network system and the traffic of the selected flow entry is less than or equal to the preset system traffic maximum threshold, the selected flow entry is removed from the blacklist.
FIG. 4 is a first application diagram of the method for controlling network data traffic according to an embodiment of the present invention; the diagram covers three implementation scenarios.
Scenario 1
First, set the system traffic maximum threshold T_m = 10M and the flow entry traffic maximum threshold T_s = 1M.
Scenario 1 is implemented in the following steps:
Step 401: check the total traffic R_m received by the network system.
If the total traffic R_m received by the network system (for example R_m = 9M) is less than the set system traffic maximum threshold, proceed to step 402.
Step 402: check the traffic of the flow entries.
If the traffic of the flow entry corresponding to an incoming network packet (for example F_sx = 2M) is greater than the flow entry traffic maximum threshold, proceed to step 403.
Step 403: add the flow entries whose traffic is greater than T_s to the blacklist.
Then return to step 402 to check the traffic of the other flow entries; when no flow entry with traffic greater than T_s remains, proceed to step 407.
Step 407: clear the flow entry traffic and the total traffic received by the network system.
At this point the abnormal traffic of the period has been controlled; the timer is restarted and monitoring of abnormal traffic begins again for the next period.
Scenario 2
First, set the system traffic maximum threshold T_m = 10M and the flow entry traffic maximum threshold T_s = 1M.
Scenario 2 is implemented in the following steps:
Step 401: check the total traffic R_m received by the network system.
If the total traffic R_m received by the network system (for example R_m = 13M) is greater than the set system traffic maximum threshold, proceed to step 404.
Step 404: check the traffic of the flow entries.
If the traffic of the flow entry corresponding to an incoming network packet (for example F_s1 = 2M) is greater than the flow entry traffic maximum threshold, proceed to step 405.
Step 405: add the flow entries whose traffic is greater than T_s to the blacklist.
Then subtract the traffic of the blacklisted flow entries from the total traffic R_m received by the network system and proceed to step 407.
Step 407: clear the flow entry traffic and the total traffic received by the network system.
At this point the abnormal traffic of the period has been controlled; the timer is restarted and monitoring of abnormal traffic begins again for the next period.
Scenario 3
First, set the system traffic maximum threshold T_m = 10M and the flow entry traffic maximum threshold T_s = 1M.
Scenario 3 is implemented in the following steps:
Step 401: check the total traffic R_m received by the network system.
If the total traffic R_m received by the network system (for example R_m = 13M) is greater than the set system traffic maximum threshold, proceed to step 404.
Step 404: check the traffic of the flow entries.
If the traffic of every flow entry corresponding to the incoming network packets is less than the flow entry traffic maximum threshold, proceed to step 406.
Step 406: add the flow entry with the largest traffic in the flow table to the blacklist.
Then subtract the traffic F_sn of that flow entry from the total traffic R_m received by the network system and proceed to step 407.
Step 407: clear the flow entry traffic and the total traffic received by the network system.
At this point the abnormal traffic of the period has been controlled; the timer is restarted and monitoring of abnormal traffic begins again for the next period.
FIG. 5 is a second application diagram of the method for controlling network data traffic according to an embodiment of the present invention; the diagram covers one implementation scenario.
First, in the initial stage, set the system traffic maximum threshold T_m = 10M and the flow entry traffic maximum threshold T_s = 1M.
The scenario is implemented in the following steps:
Step 501: check the total traffic R_m received by the system (for example R_m = 9M).
Step 502: check the traffic F_sm of the flow entries in the blacklist.
If the traffic F_sm of a flow entry in the blacklist (for example F_sm = 0.5M) is less than T_s, and the sum of the total traffic R_m received by the system and the traffic F_sm of that blacklisted flow entry is less than or equal to T_m, proceed to step 503.
Step 503: remove from the blacklist the flow entries whose traffic is less than the flow entry traffic maximum threshold, then proceed to step 504.
Step 504: clear the flow entry traffic and the total traffic received by the network system.
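The following controller, added here as a worked example rather than code from the patent, implements steps 101-104 and 201-204 (per-packet update), the three FIG. 4 scenarios (step 103 / steps 401-407), the FIG. 5 release path (steps 501-504) and the per-period reset, using the page's symbols R_m, T_m, T_s and F_sx. Two points the text leaves open are assumptions here: the step 406 "blacklist the largest flow" branch is only taken when R_m is at or above T_m, as the FIG. 4 flow from step 401 to 404 shows; and a released entry's traffic is added back to R_m so that releasing several entries in one round cannot push the system past T_m. Class and method names are invented for the example; traffic is counted in bytes per period.

```python
"""Flow-table traffic control with a blacklist (added worked example)."""
from dataclasses import dataclass, field

# Flow key = (src_ip, dst_ip, src_port, dst_port, proto); ports 0 for ICMP.
FlowKey = tuple


@dataclass
class FlowController:
    t_m: int                      # system traffic maximum threshold T_m
    t_s: int                      # flow entry traffic maximum threshold T_s
    r_m: int = 0                  # total traffic R_m in the current period
    flows: dict = field(default_factory=dict)    # FlowKey -> F_sx this period
    blacklist: set = field(default_factory=set)

    def receive(self, key: FlowKey, size: int) -> str:
        """Steps 101-102 / 201-204: update F_sx (creating the entry, step 303)
        and, only for flows not on the blacklist (step 204), the total R_m.
        Returns the verdict handed to the upper layer (step 104)."""
        self.flows[key] = self.flows.get(key, 0) + size
        if key in self.blacklist:
            return "blacklisted"      # step 203: F_sx updated, R_m untouched
        self.r_m += size
        return "pass"

    def analyse(self) -> list:
        """Step 103 / FIG. 4: blacklist entries for this period; returns them."""
        added = []
        over = [k for k, f in self.flows.items()
                if f > self.t_s and k not in self.blacklist]
        overloaded = self.r_m >= self.t_m
        if over:
            for k in over:                        # steps 403 / 405
                self.blacklist.add(k)
                added.append(k)
                if overloaded:                    # step 405 only: credit R_m
                    self.r_m -= self.flows[k]
        elif overloaded:                          # step 406 (assumption: only
            candidates = {k: f for k, f in self.flows.items()   # when R_m >= T_m)
                          if k not in self.blacklist}
            if candidates:
                k = max(candidates, key=candidates.get)
                self.blacklist.add(k)
                added.append(k)
                self.r_m -= self.flows[k]
        return added

    def release(self) -> list:
        """Steps 501-503: re-admit an entry once it is below T_s and
        re-admitting it keeps the system within T_m. Returns freed keys."""
        freed = []
        for k in sorted(self.blacklist, key=lambda k: self.flows.get(k, 0)):
            f = self.flows.get(k, 0)
            if f < self.t_s and self.r_m + f <= self.t_m:
                self.blacklist.discard(k)
                self.r_m += f        # assumption: re-admitted traffic counts again
                freed.append(k)
        return freed

    def end_period(self) -> None:
        """Steps 407 / 504: zero F_s and R_m; the blacklist survives the reset."""
        for k in self.flows:
            self.flows[k] = 0
        self.r_m = 0


if __name__ == "__main__":
    M = 1_000_000
    fc = FlowController(t_m=10 * M, t_s=M)
    a = ("10.0.0.1", "10.0.0.9", 40000, 80, 6)    # constructed flow keys
    b = ("10.0.0.2", "10.0.0.9", 40001, 80, 6)
    fc.receive(a, 2 * M)
    fc.receive(b, 700_000)
    print("scenario 1 blacklisted:", fc.analyse(), "R_m =", fc.r_m)
    print("later packet from a:", fc.receive(a, 100))
    fc.end_period()
    fc.receive(a, 500_000)
    fc.receive(b, 9 * M)
    print("FIG. 5 released:", fc.release(), "R_m =", fc.r_m)
```

Two operational caveats follow directly from the design. The flow table grows by one entry per distinct five-tuple and `end_period` only zeroes counts, so a sender that rotates source addresses or ports can exhaust it unless idle entries are evicted; and the step 406 branch will blacklist a legitimate heavy flow whenever the aggregate is over T_m with no single flow above T_s, so the upper layer's "predetermined manner" for blacklisted packets should be rate limiting rather than unconditional dropping in that case.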
实施例二Embodiment 2
对应于上述实施例一中的控制网络数据流量的方法,本发明实施例还提供了一种控制网络数据流量的装置,如图6所示,该装置60包括:Corresponding to the method for controlling network data traffic in the first embodiment, the embodiment of the present invention further provides a device for controlling network data traffic. As shown in FIG. 6, the device 60 includes:
接收模块61,设置为接收网络报文;The receiving module 61 is configured to receive a network packet;
更新模块62,设置为根据当前接收到的网络报文对网络系统接收到的总流量和流表中与当前接收到的网络报文对应的流表项的流量进行更新;The update module 62 is configured to update, according to the currently received network packet, the total traffic received by the network system and the traffic of the flow entry corresponding to the currently received network packet in the flow table;
分析模块63,设置为如果网络系统接收到的总流量与预先设定的系统流量最大阈值的关系,以及流表中所选择的流表项的流量与预先设定的流表项 的流量最大阈值的关系均符合预定的要求,则将所选择的流表项列入黑名单;The analyzing module 63 is configured to: if the total traffic received by the network system is related to a preset maximum threshold of the system traffic, and the traffic of the selected flow entry in the flow table and the preset flow entry If the relationship between the maximum traffic thresholds meets the predetermined requirements, the selected flow entries are blacklisted;
处理模块64,设置为对列入黑名单中的流表项所对应的报文按照预定的方式处理。The processing module 64 is configured to process the packet corresponding to the flow entry in the blacklist in a predetermined manner.
其中,该预定的方式处理可以是由流量控制模块通知上层,上层根据应用要求,可以直接转发该报文,也可以直接丢弃或做其他处理。The predetermined manner may be that the upper layer is notified by the flow control module, and the upper layer may directly forward the packet according to the application requirement, or may directly discard or perform other processing.
可选地,该装置60还包括:选取模块,设置为从黑名单中选取所记录的流表项;移除模块,设置为如果所选取的流表项的流量小于预先设定的流表项的流量最大阈值,且网络系统接收到的总流量与所选取的流表项的流量之和小于等于预先设定的系统流量最大阈值,则将所选取的流表项从黑名单中移出。Optionally, the device 60 further includes: a selecting module, configured to select the recorded flow entry from the blacklist; and removing the module, if the traffic of the selected flow entry is less than a preset flow entry The maximum flow threshold is set, and the sum of the total traffic received by the network system and the traffic of the selected flow entry is less than or equal to the preset maximum threshold of the system traffic, and the selected flow entry is removed from the blacklist.
The update module 62 includes:
an obtaining unit 621, configured to obtain the corresponding flow entry in the flow table according to the currently received network packet. The obtaining unit 621 includes: a lookup unit 6211, configured to look up the corresponding flow entry in the flow table according to the header information of the currently received network packet; a first obtaining unit 6222, configured to return the flow entry corresponding to the currently received network packet if such an entry exists in the flow table; and a second obtaining unit 6223, configured to create a new flow entry corresponding to the currently received network packet in the flow table if no such entry exists;
a matching unit 622, configured to match the obtained flow entry against the blacklist;
a first update unit 623, configured to update, if the flow entry is in the blacklist, only the traffic of that flow entry in the flow table according to the currently received network packet; and
a second update unit 624, configured to update, if the flow entry is not in the blacklist, both the total traffic received by the system and the traffic of that flow entry in the flow table according to the currently received network packet.
The analysis module 63 includes:
a first analysis unit 631, configured to add the selected flow entry to the blacklist if the total traffic received by the network system is less than the preset system maximum traffic threshold and the traffic of the selected flow entry in the flow table is greater than the preset per-flow-entry maximum traffic threshold;
a second analysis unit 632, configured to add the selected flow entry to the blacklist and subtract the traffic of the blacklisted flow entry from the total traffic received by the network system if the total traffic received by the network system is greater than or equal to the preset system maximum traffic threshold and the traffic of the selected flow entry in the flow table is greater than the preset per-flow-entry maximum traffic threshold; and
a third analysis unit 633, configured to add the flow entry with the largest traffic in the flow table to the blacklist and subtract its traffic from the total traffic received by the network system if the traffic of no flow entry in the flow table exceeds the preset per-flow-entry maximum traffic threshold.
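The update, analysis, processing and optional removal modules described above form one control loop: count per-flow and system-wide traffic, blacklist by the three threshold rules, hand blacklisted traffic to the upper layer, and release flows that calm down. The Python below is an added example written for this page; it is not code from the patent or from its applicant. It assumes a packet represented as a dict with src, dst, proto, dport and len fields, that traffic is a byte count per measurement window reset by reset_window(), that the third rule (blacklist the heaviest flow when no single flow exceeds its threshold) applies only while the system threshold is reached, and that a released flow's current traffic is credited back to the system total; the thresholds and packets in demo() are constructed values.

```python
from collections import namedtuple

# Flow key built from the packet header; the exact header fields are assumed.
FlowKey = namedtuple("FlowKey", "src dst proto dport")


class FlowController:
    """Flow table plus blacklist, following the threshold rules above.
    'Traffic' is bytes since the last reset_window(); window and thresholds are assumed."""

    def __init__(self, system_max, flow_max):
        self.system_max = system_max  # system maximum traffic threshold
        self.flow_max = flow_max      # per-flow-entry maximum traffic threshold
        self.total = 0                # total traffic received by the system
        self.flows = {}               # flow table: FlowKey -> traffic
        self.blacklist = set()

    def receive(self, pkt):
        """Update module: look up or create the flow entry, then update counters.
        A blacklisted flow updates only its own entry, not the system total."""
        key = FlowKey(pkt["src"], pkt["dst"], pkt["proto"], pkt["dport"])
        self.flows[key] = self.flows.get(key, 0) + pkt["len"]
        blacklisted = key in self.blacklist
        if not blacklisted:
            self.total += pkt["len"]
        return key, blacklisted

    def analyze(self):
        """Analysis module: apply the three blacklisting rules; return new entries."""
        added = []
        for key, traffic in self.flows.items():
            if key in self.blacklist or traffic <= self.flow_max:
                continue
            self.blacklist.add(key)       # rules 1 and 2: flow over its own threshold
            added.append(key)
            if self.total >= self.system_max:
                self.total -= traffic     # rule 2 only: remove its share from the total
        if not added and self.total >= self.system_max:
            # Rule 3: no single flow is over its threshold but the system is, so
            # blacklist the heaviest remaining flow. Restricting rule 3 to the
            # overloaded case is an assumption made in this example.
            candidates = [(t, k) for k, t in self.flows.items()
                          if k not in self.blacklist]
            if candidates:
                traffic, key = max(candidates)
                self.blacklist.add(key)
                self.total -= traffic
                added.append(key)
        return added

    def review_blacklist(self):
        """Removal module: release flows below the per-flow threshold whose
        re-admission keeps the system under its threshold. Crediting the flow's
        traffic back to the total is an assumption; the text states only the test."""
        removed = []
        for key in sorted(self.blacklist):
            traffic = self.flows.get(key, 0)
            if traffic < self.flow_max and self.total + traffic <= self.system_max:
                self.blacklist.discard(key)
                self.total += traffic
                removed.append(key)
        return removed

    def reset_window(self):
        # New measurement window: counters restart, the blacklist persists.
        self.flows = {k: 0 for k in self.flows}
        self.total = 0

    def handle(self, pkt):
        """Processing module: blacklisted traffic goes to the upper layer, which
        decides whether to forward or discard it; other traffic is forwarded."""
        _, blacklisted = self.receive(pkt)
        return "notify_upper_layer" if blacklisted else "forward"


def make_packet(src, proto, dport, size):
    # Constructed sample packet; only the fields the controller needs.
    return {"src": src, "dst": "10.0.0.9", "proto": proto, "dport": dport, "len": size}


def demo():
    """One flow bursts (rule 1), three modest flows then overload the system
    (rule 3), and a quiet window lets the blacklist drain."""
    ctrl = FlowController(system_max=1000, flow_max=300)
    for _ in range(4):
        ctrl.handle(make_packet("10.0.0.1", "tcp", 80, 100))   # 400 bytes > flow_max
    burst = ctrl.analyze()
    for p in (make_packet("10.0.0.2", "udp", 53, 200),
              make_packet("10.0.0.3", "tcp", 443, 250),
              make_packet("10.0.0.4", "tcp", 22, 200)):
        ctrl.handle(p)                                          # total 1050 >= system_max
    heaviest = ctrl.analyze()
    ctrl.reset_window()
    return burst, heaviest, ctrl.review_blacklist()
```

Note that under rule 1 the offender's already-counted bytes stay in the system total, so a flow blacklisted while the system was healthy keeps inflating the total until the window resets; only rule 2 subtracts. That is what the text specifies, and it is the reason the removal check compares total plus the flow's traffic against the system threshold rather than the total alone.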
The embodiments of the present invention solve the problem that the related art handles large volumes of traffic inadequately: network traffic control is achieved through the cooperation of flow-entry processing and blacklist processing. At the same time the source of abnormal traffic is identified well, and the network system's handling of normal traffic is not affected.
The embodiments of the present invention can detect abnormal system traffic and add it to the blacklist, and when a flow entry returns to normal the network system can remove it from the blacklist again, so that the network system handles every received network packet appropriately.
A person of ordinary skill in the art will appreciate that all or some of the steps of the above embodiments may be implemented as a computer program flow; the computer program may be stored in a computer-readable storage medium and executed on a corresponding hardware platform (such as a system, apparatus, device or component), and when executed it performs one of the steps of the method embodiments or a combination of them.
All or some of the steps of the above embodiments may also be implemented with integrated circuits: the steps may be fabricated as individual integrated circuit modules, or several of the modules or steps may be fabricated as a single integrated circuit module. The devices, functional modules and functional units in the above embodiments may be implemented with general-purpose computing devices; they may be concentrated on a single computing device or distributed over a network formed by several computing devices.
When the devices, functional modules and functional units in the above embodiments are implemented in the form of software functional modules and sold or used as independent products, they may be stored in a computer-readable storage medium. The above-mentioned computer-readable storage medium may be a read-only memory, a magnetic disk, an optical disk or the like.
Industrial applicability
The embodiments of the present invention solve the problem that the related art handles large volumes of traffic inadequately: network traffic control is achieved through the cooperation of flow-entry processing and blacklist processing. At the same time the source of abnormal traffic is identified well, and the system's handling of normal traffic is not affected.

Claims (11)

  1. A method for controlling network data traffic, comprising:
    receiving a network packet;
    updating, according to the currently received network packet, the total traffic received by the network system and the traffic of the flow entry in the flow table corresponding to the currently received network packet;
    if the relationship between the total traffic received by the network system and a preset network system maximum traffic threshold, and the relationship between the traffic of a selected flow entry in the flow table and a preset per-flow-entry maximum traffic threshold, both meet predetermined requirements, adding the selected flow entry to a blacklist; and
    processing packets corresponding to blacklisted flow entries in a predetermined manner.
  2. The method according to claim 1, further comprising:
    selecting a recorded flow entry from the blacklist; and
    if the traffic of the selected flow entry is less than the preset per-flow-entry maximum traffic threshold and the sum of the total traffic received by the network system and the traffic of the selected flow entry is less than or equal to the preset system maximum traffic threshold, removing the selected flow entry from the blacklist.
  3. The method according to claim 1, wherein updating, according to the currently received network packet, the total traffic received by the network system and the traffic of the flow entry in the flow table corresponding to the currently received network packet comprises:
    obtaining the corresponding flow entry in the flow table according to the currently received network packet;
    matching the obtained flow entry against the blacklist;
    if the flow entry is in the blacklist, updating the traffic of the flow entry in the flow table according to the currently received network packet; and
    if the flow entry is not in the blacklist, updating the total traffic received by the network system and the traffic of the flow entry in the flow table according to the currently received network packet.
  4. The method according to claim 3, wherein obtaining the corresponding flow entry in the flow table according to the currently received network packet comprises:
    looking up the corresponding flow entry in the flow table according to the header information of the currently received network packet;
    if the corresponding flow entry exists in the flow table, obtaining the flow entry corresponding to the currently received network packet; and
    if no corresponding flow entry exists in the flow table, creating in the flow table a new flow entry corresponding to the currently received network packet.
  5. The method according to claim 1, wherein adding the selected flow entry to the blacklist if the relationship between the total traffic received by the network system and the preset system maximum traffic threshold, and the relationship between the traffic of the selected flow entry in the flow table and the preset per-flow-entry maximum traffic threshold, both meet predetermined requirements comprises:
    if the total traffic received by the network system is less than the preset system maximum traffic threshold and the traffic of the selected flow entry in the flow table is greater than the preset per-flow-entry maximum traffic threshold, adding the selected flow entry to the blacklist;
    if the total traffic received by the network system is greater than or equal to the preset system maximum traffic threshold and the traffic of the selected flow entry in the flow table is greater than the preset per-flow-entry maximum traffic threshold, adding the selected flow entry to the blacklist and subtracting the traffic of the blacklisted flow entry from the total traffic received by the network system; and/or
    if the traffic of no flow entry in the flow table exceeds the preset per-flow-entry maximum traffic threshold, adding the flow entry with the largest traffic in the flow table to the blacklist and subtracting its traffic from the total traffic received by the system.
  6. A device for controlling network data traffic, comprising:
    a receiving module, configured to receive a network packet;
    an update module, configured to update, according to the currently received network packet, the total traffic received by the network system and the traffic of the flow entry in the flow table corresponding to the currently received network packet;
    an analysis module, configured to add a selected flow entry in the flow table to a blacklist if the relationship between the total traffic received by the network system and a preset system maximum traffic threshold, and the relationship between the traffic of the selected flow entry and a preset per-flow-entry maximum traffic threshold, both meet predetermined requirements; and
    a processing module, configured to process packets corresponding to blacklisted flow entries in a predetermined manner.
  7. The device according to claim 6, further comprising:
    a selection module, configured to select a recorded flow entry from the blacklist; and
    a removal module, configured to remove the selected flow entry from the blacklist if the traffic of the selected flow entry is less than the preset per-flow-entry maximum traffic threshold and the sum of the total traffic received by the network system and the traffic of the selected flow entry is less than or equal to the preset system maximum traffic threshold.
  8. The device according to claim 6, wherein the update module comprises:
    an obtaining unit, configured to obtain the corresponding flow entry in the flow table according to the currently received network packet;
    a matching unit, configured to match the obtained flow entry against the blacklist;
    a first update unit, configured to update, if the flow entry is in the blacklist, the traffic of the flow entry in the flow table according to the currently received network packet; and
    a second update unit, configured to update, if the flow entry is not in the blacklist, the total traffic received by the network system and the traffic of the flow entry in the flow table according to the currently received network packet.
  9. The device according to claim 8, wherein the obtaining unit comprises:
    a lookup unit, configured to look up the corresponding flow entry in the flow table according to the header information of the currently received network packet;
    a first obtaining unit, configured to obtain, if the corresponding flow entry exists in the flow table, the flow entry corresponding to the currently received network packet; and
    a second obtaining unit, configured to create in the flow table, if no corresponding flow entry exists, a new flow entry corresponding to the currently received network packet.
  10. The device according to claim 6, wherein the analysis module comprises:
    a first analysis unit, configured to add the selected flow entry to the blacklist if the total traffic received by the network system is less than the preset system maximum traffic threshold and the traffic of the selected flow entry in the flow table is greater than the preset per-flow-entry maximum traffic threshold;
    a second analysis unit, configured to add the selected flow entry to the blacklist and subtract the traffic of the blacklisted flow entry from the total traffic received by the network system if the total traffic received by the network system is greater than or equal to the preset system maximum traffic threshold and the traffic of the selected flow entry in the flow table is greater than the preset per-flow-entry maximum traffic threshold; and
    a third analysis unit, configured to add the flow entry with the largest traffic in the flow table to the blacklist and subtract its traffic from the total traffic received by the network system if the traffic of no flow entry in the flow table exceeds the preset per-flow-entry maximum traffic threshold.
  11. A computer-readable storage medium storing program instructions which, when executed, implement the method according to any one of claims 1 to 5.
PCT/CN2015/076484 2014-09-19 2015-04-13 Network data traffic control method and device WO2016041346A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410483660.X 2014-09-19
CN201410483660.XA CN105490954A (en) 2014-09-19 2014-09-19 Method and device for controlling network data flow

Publications (1)

Publication Number Publication Date
WO2016041346A1 true WO2016041346A1 (en) 2016-03-24

Family

ID=55532513

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/076484 WO2016041346A1 (en) 2014-09-19 2015-04-13 Network data traffic control method and device

Country Status (2)

Country Link
CN (1) CN105490954A (en)
WO (1) WO2016041346A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060075093A1 (en) * 2004-10-05 2006-04-06 Enterasys Networks, Inc. Using flow metric events to control network operation
US20060120284A1 (en) * 2004-12-02 2006-06-08 Electronics And Telecommunications Research Institute Apparatus and method for controlling abnormal traffic
CN1874303A (en) * 2006-03-04 2006-12-06 华为技术有限公司 Method for implementing black sheet
CN101018156A (en) * 2007-02-16 2007-08-15 华为技术有限公司 Method, device and system for preventing the broadband rejection service attack
CN102355667A (en) * 2011-06-30 2012-02-15 北京邮电大学 Method and system for controlling network connection of application programs in mobile intelligent terminal system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101640666B (en) * 2008-08-01 2012-06-06 北京启明星辰信息技术股份有限公司 Device and method for controlling flow quantity facing to target network

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113938400A (en) * 2021-08-27 2022-01-14 曙光网络科技有限公司 Flow table management and maintenance method, device and storage medium
CN113938400B (en) * 2021-08-27 2023-06-27 曙光网络科技有限公司 Method, apparatus and storage medium for managing and maintaining flow table

Also Published As

Publication number Publication date
CN105490954A (en) 2016-04-13

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15841897

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15841897

Country of ref document: EP

Kind code of ref document: A1