Disclosure of Invention
Embodiments of the present invention provide a method and an apparatus for preventing multicast data attacks, so as to reduce the consumption of drive resources and keep providing the multicast service normally.
In order to achieve the above object, an embodiment of the present invention provides a method for preventing multicast data attack, where the method includes:
after receiving multicast data, a layer-3 multicast device matches the source address, group address and incoming interface of the multicast data against a message filtering policy; the message filtering policy is used to filter multicast data that matches a recorded source address, group address and incoming interface;
when the multicast data matches the message filtering policy, the layer-3 multicast device sets an illegal identifier on the multicast data, queries the illegal message filtering entry carrying that illegal identifier by means of the identifier, and discards the multicast data.
After the layer-3 multicast device matches the source address, group address and incoming interface of the multicast data against the message filtering policy, the method further includes:
when the multicast data does not match the message filtering policy, the layer-3 multicast device establishes a temporary entry from the source address, group address and incoming interface of the multicast data and judges whether the multicast data is illegal multicast data;
if the multicast data is illegal, the layer-3 multicast device sets an illegal identifier on the multicast data and judges whether an illegal message filtering entry carrying the illegal identifier currently exists;
if an illegal message filtering entry carrying the illegal identifier exists, the layer-3 multicast device discards the multicast data, deletes the temporary entry, and sets a message filtering policy from the source address, group address and incoming interface of the multicast data;
if no illegal message filtering entry carrying the illegal identifier exists, the layer-3 multicast device establishes the illegal message filtering entry carrying the illegal identifier, discards the multicast data, deletes the temporary entry, and sets a message filtering policy from the source address, group address and incoming interface of the multicast data;
and if the multicast data is not illegal multicast data, the layer-3 multicast device converts the temporary entry into a legal multicast forwarding entry.
After the layer-3 multicast device sets a message filtering policy from the source address, group address and incoming interface of the multicast data, the method further includes:
after judging that the multicast data is not illegal multicast data, the layer-3 multicast device deletes the message filtering policy set from the source address, group address and incoming interface of the multicast data; or,
after setting the message filtering policy from the source address, group address and incoming interface of the multicast data, the layer-3 multicast device starts an aging timer for the message filtering policy and, when the aging timer expires, deletes the message filtering policy set from the source address, group address and incoming interface of the multicast data.
The process in which the layer-3 multicast device judges whether the multicast data is illegal multicast data further includes:
when the source address of the multicast data is within a configured multicast source address range, the group address of the multicast data is within a configured multicast group address range, it is known, after an interface with layer-3 multicast enabled has received multicast data from a non-directly-connected multicast source, that no route to the source address of the multicast data exists, and the incoming interface of the multicast data is the same as the route interface pointing to the rendezvous point, the layer-3 multicast device determines that the multicast data is not illegal multicast data; otherwise, the layer-3 multicast device determines that the multicast data is illegal multicast data.
The process in which the layer-3 multicast device judges whether the multicast data is illegal multicast data further includes:
the layer-3 multicast device judges whether the source address of the multicast data is within a configured multicast source address range; if so, the layer-3 multicast device determines that the multicast data is not illegal multicast data; otherwise, the layer-3 multicast device determines that the multicast data is illegal multicast data; or,
the layer-3 multicast device judges whether the group address of the multicast data is within a configured multicast group address range; if so, the layer-3 multicast device determines that the multicast data is not illegal multicast data; otherwise, the layer-3 multicast device determines that the multicast data is illegal multicast data; or,
after an interface of the layer-3 multicast device with layer-3 multicast enabled receives multicast data from a non-directly-connected multicast source, if no route to the source address of the multicast data exists and the incoming interface of the multicast data is the same as the route interface pointing to the rendezvous point, the layer-3 multicast device determines that the multicast data is not illegal multicast data; otherwise, the layer-3 multicast device determines that the multicast data is illegal multicast data.
The illegal message filtering entry carrying the illegal identifier specifically includes: an arbitrary multicast source address, an arbitrary multicast group address, an arbitrary incoming interface, an empty outgoing interface, and the illegal identifier; multicast data carrying the illegal identifier can match this illegal message filtering entry, and multicast data that matches the entry is determined to be illegal data based on the outgoing interface being empty.
An embodiment of the present invention provides a layer-3 multicast device, including:
a matching module, configured to match the source address, group address and incoming interface of received multicast data against a message filtering policy; the message filtering policy is used to filter multicast data that matches a recorded source address, group address and incoming interface;
and a first processing module, configured to set an illegal identifier on the multicast data when the received multicast data matches the message filtering policy, query the illegal message filtering entry carrying the illegal identifier by means of the identifier, and discard the multicast data.
The device further includes a second processing module, configured to establish a temporary entry from the source address, group address and incoming interface of the multicast data when the multicast data does not match the message filtering policy, and to judge whether the multicast data is illegal multicast data;
if the multicast data is illegal, the second processing module is further configured to set an illegal identifier on the multicast data and judge whether an illegal message filtering entry carrying the illegal identifier currently exists;
if an illegal message filtering entry carrying the illegal identifier exists, the second processing module is further configured to discard the multicast data, delete the temporary entry, and set a message filtering policy from the source address, group address and incoming interface of the multicast data;
if no illegal message filtering entry carrying the illegal identifier exists, the second processing module is further configured to establish the illegal message filtering entry carrying the illegal identifier, discard the multicast data, delete the temporary entry, and set a message filtering policy from the source address, group address and incoming interface of the multicast data;
and if the multicast data is not illegal, the second processing module is further configured to convert the temporary entry into a legal multicast forwarding entry.
The device further includes a deleting module, configured to delete the message filtering policy set from the source address, group address and incoming interface of the multicast data after that policy has been set and the multicast data has subsequently been judged not to be illegal multicast data; or, after the message filtering policy is set from the source address, group address and incoming interface of the multicast data, to start an aging timer for the message filtering policy and, when the aging timer expires, delete the message filtering policy set from the source address, group address and incoming interface of the multicast data.
The second processing module is further configured, when judging whether the multicast data is illegal multicast data, to determine that the multicast data is not illegal multicast data when the source address of the multicast data is within a configured multicast source address range, the group address of the multicast data is within a configured multicast group address range, it is known, after an interface with layer-3 multicast enabled has received multicast data from a non-directly-connected multicast source, that no route to the source address of the multicast data exists, and the incoming interface of the multicast data is the same as the route interface pointing to the rendezvous point; and otherwise to determine that the multicast data is illegal multicast data.
The second processing module is further configured, when judging whether the multicast data is illegal multicast data, to judge whether the source address of the multicast data is within a configured multicast source address range and, if so, determine that the multicast data is not illegal multicast data, otherwise determine that the multicast data is illegal multicast data; or, to judge whether the group address of the multicast data is within a configured multicast group address range and, if so, determine that the multicast data is not illegal multicast data, otherwise determine that the multicast data is illegal multicast data; or, after an interface with layer-3 multicast enabled receives multicast data from a non-directly-connected multicast source, if no route to the source address of the multicast data exists and the incoming interface of the multicast data is the same as the route interface pointing to the rendezvous point, to determine that the multicast data is not illegal multicast data, otherwise determine that the multicast data is illegal multicast data.
The illegal message filtering entry carrying the illegal identifier specifically includes: an arbitrary multicast source address, an arbitrary multicast group address, an arbitrary incoming interface, an empty outgoing interface, and the illegal identifier.
Compared with the prior art, the embodiments of the invention have at least the following advantages:
in the embodiments of the invention, the number of temporary entries (i.e. dummy entries) maintained by the layer-3 multicast device can be reduced, so the drive resources occupied by dummy entries are reduced, the consumption of drive resources is reduced, drive resources are prevented from being exhausted, and the multicast service continues to be provided normally.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
An embodiment of the present invention provides a method for preventing multicast data attacks, used to filter illegal multicast data on a layer-3 multicast device (or multicast router). As shown in fig. 1, the method includes:
step 101, after receiving multicast data, the layer-3 multicast device matches the source address, group address and incoming interface of the multicast data against a message filtering policy; the message filtering policy is used to filter multicast data that matches the recorded source address, group address and incoming interface.
Step 102, when the multicast data matches the message filtering policy (that is, the source address, group address and incoming interface of the multicast data are the same as the source address, group address and incoming interface recorded in the message filtering policy), the layer-3 multicast device sets an illegal identifier on the multicast data, queries the illegal message filtering entry carrying the illegal identifier by means of the identifier, and discards the multicast data. Once the illegal message filtering entry carrying the illegal identifier has been established, multicast data carrying the illegal identifier matches that entry and is therefore discarded.
An embodiment of the present invention provides another method for preventing multicast data attacks, used to filter illegal multicast data on a layer-3 multicast device (or multicast router). As shown in fig. 2, the method includes:
step 201, after receiving multicast data, the layer-3 multicast device matches the source address, group address and incoming interface of the multicast data against a message filtering policy; the message filtering policy is used to filter multicast data that matches the recorded source address, group address and incoming interface, and the process that generates the message filtering policy is described in detail in the subsequent steps and is not repeated here.
In the embodiment of the present invention, if the message filtering policy is not matched, step 202 is executed; if the message filtering policy is matched, step 209 is executed.
It should be noted that, for the message filtering policy to filter multicast data matching a source address, group address and ingress interface, those three values must be recorded in the message filtering policy. When the source address, group address and ingress interface of the multicast data are identical to a source address, group address and ingress interface recorded in the message filtering policy, the multicast data matches the message filtering policy; otherwise, it does not.
For example, suppose the current message filtering policy holds the following records: source address A, group address A and ingress interface A (used to filter multicast data matching source address A, group address A and ingress interface A); source address B, group address B and ingress interface B (used to filter multicast data matching source address B, group address B and ingress interface B); source address C, group address C and ingress interface C (used to filter multicast data matching source address C, group address C and ingress interface C). Given these records, if the received multicast data has source address A, group address A and ingress interface A, the message filtering policy is matched and step 209 is executed; if the received multicast data has source address D, group address D and ingress interface D, the message filtering policy is not matched and step 202 is executed.
Step 202, the layer-3 multicast device establishes a temporary entry from the source address, group address and incoming interface of the multicast data; the temporary entry is a dummy entry, and at least the source address, group address and incoming interface of the multicast data are recorded in it.
It should be noted that, when the multicast data does not match the message filtering policy, a dummy entry is established for the multicast data on the interface board in the same way as in the prior art, as shown in table 1; the dummy entry records at least the source address, group address and ingress interface of the multicast data, and other information may be recorded as actually needed.
TABLE 1
Step 203, the layer-3 multicast device judges whether the multicast data is illegal multicast data; if not, step 204 is executed; if so, step 205 is executed.
In the embodiment of the invention, taking into account how much drive resource the multicast data occupies, this step judges whether the multicast data is illegal multicast data in one of the following three modes:
Mode one: the layer-3 multicast device judges whether the source address of the multicast data is within a configured multicast source address range (implemented by configuring a multicast source filtering function); if so, the layer-3 multicast device determines that the multicast data is not illegal multicast data; otherwise, the layer-3 multicast device determines that the multicast data is illegal multicast data.
Mode two: the layer-3 multicast device judges whether the group address of the multicast data is within a configured multicast group address range (implemented by configuring a multicast group boundary function); if so, the layer-3 multicast device determines that the multicast data is not illegal multicast data; otherwise, the layer-3 multicast device determines that the multicast data is illegal multicast data.
Mode three: after an interface of the layer-3 multicast device with layer-3 multicast enabled directly receives multicast data from a non-directly-connected multicast source, if no route to the source address of the multicast data exists and the incoming interface of the multicast data is the same as the route interface pointing to the rendezvous point, the layer-3 multicast device determines that the multicast data is not illegal multicast data; otherwise, the layer-3 multicast device determines that the multicast data is illegal multicast data.
Specifically, after an interface with layer-3 multicast enabled directly receives multicast data from a non-directly-connected multicast source, the default PIM-SM (Protocol Independent Multicast - Sparse Mode) processing is to build an RPT (Rendezvous Point Tree, i.e. shared tree) forwarding tree; at that time, (S, G) entries whose RPF (Reverse Path Forwarding) interface points to the rendezvous point are established, where S is the multicast source and G is the multicast group. These (S, G) entries are formal entries, but their only function is to prevent unknown multicast data from impacting the CPU; they cannot actually direct forwarding, and are therefore entries without a forwarding function that nevertheless occupy drive resources. Accordingly, when no route to the source address of the multicast data exists and the incoming interface of the multicast data is the same as the route interface pointing to the rendezvous point, the multicast data can be determined not to be illegal multicast data; otherwise, it can be determined to be illegal multicast data.
In view of the above three modes, in a preferred implementation of the embodiment of the present invention, the layer-3 multicast device may also judge whether the multicast data is illegal multicast data as follows: when the source address of the multicast data is within the configured multicast source address range, the group address of the multicast data is within the configured multicast group address range, it is known, after the interface with layer-3 multicast enabled has received multicast data from the non-directly-connected multicast source, that no route to the source address of the multicast data exists, and the incoming interface of the multicast data is the same as the route interface pointing to the rendezvous point, the layer-3 multicast device determines that the multicast data is not illegal multicast data; otherwise, the layer-3 multicast device determines that the multicast data is illegal multicast data.
In a specific implementation, the layer-3 multicast device is not limited to the above ways of judging whether the multicast data is illegal multicast data; it may also judge by combining any two of mode one, mode two and mode three. For example, with mode one and mode two, when the source address of the multicast data is within the configured multicast source address range and the group address of the multicast data is within the configured multicast group address range, the layer-3 multicast device determines that the multicast data is not illegal multicast data; otherwise, it determines that the multicast data is illegal multicast data. With mode one and mode three, when the source address of the multicast data is within the configured multicast source address range and, after the interface with layer-3 multicast enabled has received multicast data from the non-directly-connected multicast source, it is known that no route to the source address of the multicast data exists, and the incoming interface of the multicast data is the same as the route interface pointing to the rendezvous point, the layer-3 multicast device determines that the multicast data is not illegal multicast data; otherwise, it determines that the multicast data is illegal multicast data. With mode two and mode three, when the group address of the multicast data is within the configured multicast group address range and, after the interface with layer-3 multicast enabled has received multicast data from the non-directly-connected multicast source, it is known that no route to the source address of the multicast data exists, and the incoming interface of the multicast data is the same as the route interface pointing to the rendezvous point, the layer-3 multicast device determines that the multicast data is not illegal multicast data; otherwise, it determines that the multicast data is illegal multicast data.
Step 204, the layer-3 multicast device converts the temporary entry into a legal multicast forwarding entry, that is, deletes the temporary entry and generates a legal multicast forwarding entry, and the process ends. Subsequent processing follows the existing mode and is not described in detail here.
Step 205, the layer-3 multicast device sets an illegal identifier (i.e. adds a flag bit to the multicast data) on the multicast data (i.e. the illegal multicast data).
Step 206, the layer-3 multicast device judges whether an illegal message filtering entry carrying the illegal identifier currently exists; if so, step 208 is executed; if not, step 207 is executed.
In the embodiment of the present invention, the illegal message filtering entry carrying the illegal identifier specifically includes: an arbitrary multicast source address, an arbitrary multicast group address, an arbitrary incoming interface, an empty outgoing interface, and the illegal identifier. Table 2 shows an example of such an entry: the multicast source address is arbitrary (it may be set to 0.0.0.0 in an implementation), the multicast group address is arbitrary (it may be set to 0.0.0.0 in an implementation), and the FLAG field is set to a predefined illegal flag, for example all binary ones, which is called the black-hole type.
TABLE 2
Step 207, the layer-3 multicast device establishes the illegal message filtering entry carrying the illegal identifier. After this step, step 208 is executed.
Step 208, the layer-3 multicast device discards the multicast data, deletes the temporary entry (i.e. the dummy entry established in step 202), and sets a message filtering policy from the source address, group address and ingress interface of the multicast data, i.e. the message filtering policy used in step 201; the process ends.
For example, when the currently received multicast data has source address D, group address D and ingress interface D, then source address D, group address D and ingress interface D are recorded in the message filtering policy, and that record is used to filter multicast data matching source address D, group address D and ingress interface D.
Step 209, the layer-3 multicast device sets an illegal identifier on the multicast data, queries the illegal message filtering entry carrying the illegal identifier by means of the identifier, determines the multicast data to be illegal data, discards it, and the process ends. Once the illegal message filtering entry carrying the illegal identifier has been established, multicast data carrying the illegal identifier matches that entry and is therefore discarded.
In the embodiment of the invention, an illegal message filtering entry carrying an illegal identifier is established (that is, establishment of the illegal message filtering entry is triggered by the illegal identifier). Multicast data that matches the message filtering policy is illegal multicast data, so setting the illegal identifier on it makes it match the illegal message filtering entry, and multicast data that matches the illegal message filtering entry is determined to be illegal multicast data based on the outgoing interface being empty.
Further, because the illegal message filtering entry carrying the illegal identifier has an arbitrary multicast source address, an arbitrary multicast group address, an arbitrary incoming interface, an empty outgoing interface and the illegal identifier, only one such entry (i.e. one black-hole-type dummy entry) needs to be maintained on the layer-3 multicast device to filter the illegal multicast data of all the different illegal multicast sources (in the prior art, one dummy entry has to be maintained for each illegal multicast source), which reduces the number of dummy entries maintained by the layer-3 multicast device, the drive resources those dummy entries occupy, and the overall consumption of drive resources.
In the embodiment of the invention, after the layer-3 multicast device sets a message filtering policy from the source address, group address and incoming interface of the multicast data: after judging that the multicast data is not illegal multicast data, the layer-3 multicast device deletes the message filtering policy set from the source address, group address and incoming interface of the multicast data; or, after the message filtering policy is set from the source address, group address and incoming interface of the multicast data, the layer-3 multicast device starts an aging timer for the message filtering policy and, when the aging timer expires, deletes the message filtering policy set from the source address, group address and incoming interface of the multicast data.
Regarding the case "after judging that the multicast data is not illegal multicast data, the layer-3 multicast device deletes the message filtering policy set from the source address, group address and ingress interface of the multicast data": suppose a message filtering policy for filtering multicast data matching source address D, group address D and ingress interface D currently exists; if it is then judged that the multicast data with source address D, group address D and ingress interface D is not illegal multicast data, the layer-3 multicast device must delete the message filtering policy for filtering multicast data matching source address D, group address D and ingress interface D.
Further, the above situation (that is, while a message filtering policy for filtering multicast data matching source address D, group address D and ingress interface D exists, it becomes known that the multicast data with source address D, group address D and ingress interface D is not illegal multicast data) can arise as follows:
in mode one of judging whether multicast data is illegal multicast data, after certain multicast data has been judged to be illegal, if the configured multicast source address range is adjusted, subsequently sent multicast data with the same multicast source address may no longer be illegal multicast data, so the message filtering policy corresponding to that multicast data no longer needs to be maintained and is deleted;
in mode two of judging whether multicast data is illegal multicast data, after certain multicast data has been judged to be illegal, if the configured multicast group address range is adjusted, subsequently sent multicast data whose group address lies within the multicast group address range may no longer be illegal multicast data, so the message filtering policy corresponding to that multicast data no longer needs to be maintained and must be deleted;
in mode three of judging whether multicast data is illegal multicast data, after certain multicast data has been judged to be illegal, if multicast data or a register message is received from the rendezvous point interface, subsequently sent multicast data whose incoming interface is the rendezvous point interface may no longer be illegal multicast data, so the message filtering policy corresponding to that multicast data no longer needs to be maintained and must be deleted.
In addition, in practical application, the layer-3 multicast device may keep the established illegal message filtering entry permanently, or it may delete the illegal message filtering entry when no message filtering policy currently exists.
The following further describes an embodiment of the present invention with reference to a three-layer multicast application scenario shown in fig. 3.
Application scenario 1
For the first mode in step 203, a multicast source filtering strategy matching the multicast source address range 100.1.1.0/24 is configured on router route2; multicast data with source address 200.1.1.2 and destination address 225.0.5.5 is constructed on multicast source source2 and sent toward the RP (rendezvous point) as (200.1.1.2, 225.0.5.5). For the multicast data sent by source2 to the RP for the first time, no message filtering policy is matched in step 201, the multicast data is determined in step 203 to be illegal multicast data, and a message filtering policy is set for it. For the multicast data sent by source2 to the RP the second time and afterwards, the message filtering policy is matched in step 201, so the multicast data matches the illegal message filtering entry and its forwarding is prohibited.
Assuming the (S, G) entry exists for 210 seconds, if the multicast source filtering policy is removed from route2 during this period, the multicast data (200.1.1.2, 225.0.5.5) is determined not to be illegal multicast data, no longer matches the illegal packet filtering entry, and is handled by the normal flow.
Application scenario 2
For the second mode in step 203, a multicast boundary with matching range 225.0.1.0/24 is configured on the port of router route2 that connects to multicast source source2; multicast data with source address 200.1.1.2 and destination address 225.0.5.5 is constructed on source2 and sent toward the RP as (200.1.1.2, 225.0.5.5). For the multicast data sent by source2 to the RP for the first time, no message filtering policy is matched in step 201, the multicast data is determined in step 203 to be illegal multicast data, and a message filtering policy is set for it. For the multicast data sent by source2 to the RP the second time and afterwards, the message filtering policy is matched in step 201, so the multicast data matches the illegal message filtering entry and its forwarding is prohibited.
Assuming the (S, G) entry exists for 210 seconds, if the multicast boundary configuration is removed from route2 during this period, the multicast data (200.1.1.2, 225.0.5.5) is determined not to be illegal multicast data, no longer matches the illegal packet filtering entry, and is handled by the normal flow.
Application scenario 3
For the third mode in step 203, router route1 learns the RP address and the route leading to the RP, and multicast data is constructed at multicast source source1 whose source address does not belong to any route existing on route1 (including directly connected routes); at this point the device generates a policy prohibiting the multicast data and issues the policy to the port that received the multicast data. Assuming the (S, G) entry exists for 210 seconds, if the device receives a registration packet or multicast data for the same group from the RP direction during this period, the multicast data received from source1 is determined not to be illegal multicast data, no longer matches the illegal packet filtering entry, and is handled by the normal flow.
Based on the same inventive concept as the above method, the present invention further provides a three-layer multicast device, as shown in fig. 4, the three-layer multicast device includes:
the matching module 11 is configured to match a packet filtering policy by using a source address, a group address, and an ingress interface of multicast data after receiving the multicast data; the message filtering strategy is used for filtering multicast data matched with a source address, a group address and an input interface;
the first processing module 12 is configured to set an illegal identifier for the multicast data when the received multicast data matches the packet filtering policy, and discard the multicast data after querying an illegal packet filtering entry having the illegal identifier through the illegal identifier.
The three-layer multicast device further comprises: a second processing module 13, configured to, when the multicast data does not match the message filtering policy, establish a temporary entry by using a source address, a group address, and an ingress interface of the multicast data, and determine whether the multicast data is illegal multicast data;
if the multicast data is illegal, the second processing module 13 is further configured to set an illegal identifier for the multicast data, and determine whether an illegal message filtering entry with the illegal identifier exists currently;
if an illegal message filtering table entry with an illegal identifier exists, the second processing module 13 is further configured to discard the multicast data, delete the temporary table entry, and set a message filtering policy by using a source address, a group address, and an ingress interface of the multicast data;
if no illegal message filtering table entry with the illegal identifier exists, the second processing module 13 is further configured to establish an illegal message filtering table entry with the illegal identifier, discard the multicast data, delete the temporary table entry, and set a message filtering policy by using a source address, a group address, and an ingress interface of the multicast data;
if the multicast data is not illegal, the second processing module 13 is further configured to convert the temporary entry into a legal multicast forwarding entry.
The three-layer multicast device further comprises a deleting module 14, configured to delete the message filtering policy set by using the source address, the group address and the ingress interface of the multicast data when, after that policy has been set, the multicast data is judged not to be illegal multicast data; or, after the message filtering policy has been set by using the source address, the group address and the ingress interface of the multicast data, to start an aging timer for the message filtering policy and delete that message filtering policy when the aging timer expires.
The second processing module 13 is further configured, when determining whether the multicast data is illegal multicast data, to determine that the multicast data is not illegal multicast data when the source address of the multicast data is within the set multicast source address range, the group address of the multicast data is within the set multicast group address range, and, after an interface with three-layer multicast enabled receives multicast data from a non-directly-connected multicast source, no route to the source address of the multicast data exists while the incoming interface of the multicast data is the same as the route interface pointing to the rendezvous point; otherwise, it determines that the multicast data is illegal multicast data.
Alternatively, the second processing module 13 is further configured, when determining whether the multicast data is illegal multicast data, to judge whether the source address of the multicast data is within the set multicast source address range and, if so, determine that the multicast data is not illegal multicast data, otherwise determine that it is illegal multicast data; or to judge whether the group address of the multicast data is within the set multicast group address range and, if so, determine that the multicast data is not illegal multicast data, otherwise determine that it is illegal multicast data; or, after an interface with three-layer multicast enabled receives multicast data from a non-directly-connected multicast source, to determine that the multicast data is not illegal multicast data if no route to the source address of the multicast data exists and the incoming interface of the multicast data is the same as the route interface pointing to the rendezvous point, and otherwise determine that it is illegal multicast data.
In the embodiment of the present invention, the illegal message filtering table entry with the illegal identifier is specifically an entry in which the multicast source address is arbitrary, the multicast group address is arbitrary, the input interface is arbitrary, the output interface is empty, and the illegal identifier is set.
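The filtering pipeline of steps 201 to 203 and of modules 11 to 14, replayed over application scenarios 1 to 3, as an added Python example that is not part of the patent and not any vendor's implementation. The addresses 200.1.1.2 and 225.0.5.5, the ranges 100.1.1.0/24 and 225.0.1.0/24, the 210-second lifetime and the three judgement modes come from the text; the interface names eth0/eth1, the source1 address 192.0.2.7, the route set 10.0.0.0/8, the packet objects and the clock values passed to `receive()` are constructed for the example. For the third mode, the example reads scenario 3 as meaning that an unrouted source becomes legal once data or a Register for its group has arrived from the RP direction; that reading is an assumption and is marked as such in the code.

```python
# Added example (not the patent's code): simulation of the filtering pipeline of steps
# 201-203 and modules 11-14; interface names, packets and clock values are assumptions.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str  # multicast source address
    grp: str  # multicast group address
    iif: str  # ingress interface

@dataclass
class Config:
    source_range: Optional[str] = None        # mode 1: multicast source filter range
    group_range: Optional[str] = None         # mode 2: multicast boundary range on the port
    routes: set = field(default_factory=set)  # mode 3: prefixes the device has routes for
    rp_iif: Optional[str] = None              # mode 3: interface of the route toward the RP

# Illegal message filtering table entry: any source, any group, any ingress interface,
# empty outgoing interface list, ILLEGAL identifier set.
ILLEGAL_ENTRY = {"src": "*", "grp": "*", "iif": "*", "oifs": (), "illegal": True}

class MulticastDevice:
    POLICY_AGE = 210.0  # aging time of a message filtering policy, in seconds

    def __init__(self, cfg: Config):
        self.cfg = cfg
        self.policies = {}           # (src, grp, iif) -> expiry time (message filtering policies)
        self.illegal_entry = None    # the single wildcard entry, created on the first illegal packet
        self.temp = {}               # temporary entries (step 202)
        self.forwarding = {}         # legal (S, G, iif) forwarding entries
        self.groups_from_rp = set()  # groups whose data/Register arrived from the RP direction

    def is_illegal(self, p: Packet) -> bool:
        """Step 203: every configured mode is applied; failing any one marks the data illegal."""
        c, src, grp = self.cfg, ipaddress.ip_address(p.src), ipaddress.ip_address(p.grp)
        if c.source_range and src not in ipaddress.ip_network(c.source_range):
            return True
        if c.group_range and grp not in ipaddress.ip_network(c.group_range):
            return True
        if c.rp_iif is not None:
            has_route = any(src in ipaddress.ip_network(r) for r in c.routes)
            # Assumption (reading of scenario 3): an unrouted source is legal only when the data
            # arrives on the RP-facing interface or the group was already seen from the RP side.
            if not has_route and p.iif != c.rp_iif and p.grp not in self.groups_from_rp:
                return True
        return False

    def receive(self, p: Packet, now: float) -> str:
        self.age_policies(now)
        key = (p.src, p.grp, p.iif)
        if key in self.policies:                 # step 201: policy matched, set ILLEGAL identifier
            e = self.illegal_entry               # and look the wildcard entry up through it
            assert e is not None and e["illegal"] and e["oifs"] == ()
            return "dropped-by-policy"           # empty outgoing list: nothing to forward to
        self.temp[key] = p                       # step 202: temporary entry
        if self.is_illegal(p):                   # step 203
            if self.illegal_entry is None:
                self.illegal_entry = dict(ILLEGAL_ENTRY)
            del self.temp[key]
            self.policies[key] = now + self.POLICY_AGE
            return "dropped-policy-set"
        self.forwarding[key] = self.temp.pop(key)  # legal: convert to a forwarding entry
        return "forwarded"

    def age_policies(self, now: float) -> None:
        # Module 14, timer branch: drop expired policies (and the wildcard entry if none remain).
        for k in [k for k, t in self.policies.items() if t <= now]:
            del self.policies[k]
        if not self.policies:
            self.illegal_entry = None

    def reconfigure(self, cfg: Optional[Config] = None, rp_group: Optional[str] = None) -> None:
        # Module 14, configuration branch: a changed range, or data/Register for rp_group from
        # the RP direction, re-judges every policy and deletes those no longer illegal.
        if cfg is not None:
            self.cfg = cfg
        if rp_group is not None:
            self.groups_from_rp.add(rp_group)
        for key in list(self.policies):
            if not self.is_illegal(Packet(*key)):
                del self.policies[key]
        if not self.policies:
            self.illegal_entry = None

def replay_scenarios() -> dict:
    """Replays application scenarios 1-3 and the aging timer; returns each packet's outcome."""
    pkt = Packet("200.1.1.2", "225.0.5.5", "eth1")       # source2 -> RP (scenarios 1 and 2)
    unrouted = Packet("192.0.2.7", "225.0.5.5", "eth1")  # constructed: source1 with no route
    d1 = MulticastDevice(Config(source_range="100.1.1.0/24"))
    d2 = MulticastDevice(Config(group_range="225.0.1.0/24"))
    d3 = MulticastDevice(Config(routes={"10.0.0.0/8"}, rp_iif="eth0"))
    d4 = MulticastDevice(Config(source_range="100.1.1.0/24"))
    out = {}
    for name, dev, p, change in [
        ("scenario1", d1, pkt, lambda: d1.reconfigure(cfg=Config())),        # source filter removed
        ("scenario2", d2, pkt, lambda: d2.reconfigure(cfg=Config())),        # boundary removed
        ("scenario3", d3, unrouted, lambda: d3.reconfigure(rp_group="225.0.5.5")),
    ]:
        out[name] = [dev.receive(p, 0.0), dev.receive(p, 1.0)]  # first: judged; second: policy hit
        change()
        out[name].append(dev.receive(p, 2.0))                   # within the 210 s: back to normal
    d4.receive(pkt, 0.0)
    out["aging"] = [d4.receive(pkt, 209.0), d4.receive(pkt, 210.0)]  # expiry without config change
    return out
```

In every scenario the first packet is judged in step 203 and sets a policy, the second is dropped in step 201 through the wildcard entry without any judgement work, and the third is forwarded once the policy has been deleted by a configuration change or by traffic from the RP direction. The `aging` case shows the timer branch of module 14: with no configuration change the policy survives to the 210-second mark, after which the next packet is judged afresh and, the range being unchanged, sets a new policy.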
The modules of the device can be integrated into a whole or can be separately deployed. The modules can be combined into one module, and can also be further split into a plurality of sub-modules.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present invention may be implemented by hardware, or by software plus a necessary general hardware platform. Based on such understanding, the technical solution of the present invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions for enabling a computer device (which can be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments of the present invention.
Those skilled in the art will appreciate that the drawings are merely schematic representations of one preferred embodiment and that the blocks or flow diagrams in the drawings are not necessarily required to practice the present invention.
Those skilled in the art will appreciate that the modules in the devices in the embodiments may be distributed in the devices in the embodiments according to the description of the embodiments, and may be correspondingly changed in one or more devices different from the embodiments. The modules of the above embodiments may be combined into one module, or further split into multiple sub-modules.
The above-mentioned serial numbers of the present invention are for description only and do not represent the merits of the embodiments.
The above disclosure is only for a few specific embodiments of the present invention, but the present invention is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present invention.