CN103368850A - Method and device for processing unicast message with unknown destination - Google Patents

Publication number
CN103368850A
Authority
CN
China
Prior art keywords
unicast message
address
unknown unicast
media access
access control
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2013103041263A
Other languages
Chinese (zh)
Other versions
CN103368850B (en)
Inventor
梁学伟
张孝安
袁智
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Information Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201310304126.3A
Publication of CN103368850A
Application granted
Publication of CN103368850B

Abstract

The invention discloses a method and device for processing a unicast message with an unknown destination. The method comprises the following steps: (1) a CPU receives the unicast message with the unknown destination from a forwarding chip and obtains its destination MAC address; (2) the CPU judges whether the destination MAC address is recorded in an unknown unicast message forwarding control table; (3) when the destination MAC address is not recorded in the table, the CPU records it there and updates the number of unknown-destination unicast messages corresponding to that destination MAC address; (4) when the destination MAC address is already recorded in the table, the CPU updates the number of unknown-destination unicast messages corresponding to that destination MAC address; (5) when a specified time is reached, the CPU judges whether the number of unknown-destination unicast messages corresponding to each destination MAC address is larger than a preset threshold value and, for each destination MAC address whose number is larger than the preset threshold value, sends the corresponding flow control policy to the forwarding chip. The method and device can effectively ensure correct forwarding of normal unicast messages with unknown destinations.

Description

A method and device for processing unknown-destination unicast messages
Technical field
The present invention relates to the field of communication technology, and in particular to a method and device for processing unknown-destination unicast messages.
Background
An unknown-destination unicast message is a unicast message whose destination MAC (Media Access Control) address cannot be found in the forwarding table of the network device (that is, the forwarding device) that is forwarding it, so that a unique outgoing port cannot be determined. Because the outgoing port cannot be uniquely determined, such a message is usually broadcast within the VLAN (Virtual Local Area Network) to which it belongs, on every port except the source port, so that it is still forwarded.
Figure 1 is a schematic diagram of the forwarding of an unknown-destination unicast message. When network device 1 sends a unicast message to network device 3 through network device 2, network device 2 receives the message and, if it cannot find the message's destination MAC address in its local forwarding table, treats the message as an unknown-destination unicast message and sends it by broadcast.
Under normal circumstances, network device 3 can send a unicast message to network device 1 through network device 2, and network device 2 learns the MAC address of network device 3 on receiving that message. Afterwards, when network device 1 sends a unicast message to network device 3 through network device 2, network device 2 can find the destination MAC address of the message in its local forwarding table, so it does not need to broadcast the message and sends it directly as unicast.
Under abnormal conditions such as a network attack, however, network device 2 receives a large number of attack messages, all of which are unknown-destination unicast messages. Network device 2 therefore broadcasts a large number of unknown-destination unicast messages, which affects the forwarding of normal unknown-destination unicast messages.
Summary of the invention
The embodiment of the invention provides a method and device for processing unknown-destination unicast messages that distinguish normal unknown-destination unicast messages from attack unknown-destination unicast messages, thereby guaranteeing the correct forwarding of normal unknown-destination unicast messages.
To achieve this, the embodiment of the invention provides a method for processing unknown-destination unicast messages, applied in a network device that comprises a forwarding chip and a central processing unit (CPU). The method comprises:
The CPU receives an unknown-destination unicast message from the forwarding chip and obtains the destination media access control (MAC) address of the message;
The CPU judges whether the destination MAC address is recorded in the unknown unicast message forwarding control table of the network device, where the unknown unicast message forwarding control table records the correspondence between a destination MAC address and the number of unknown-destination unicast messages received for that destination MAC address;
If the destination MAC address is recorded in the unknown unicast message forwarding control table, the CPU updates the number of unknown-destination unicast messages corresponding to the destination MAC address; otherwise, the CPU records the destination MAC address in the unknown unicast message forwarding control table and updates the number of unknown-destination unicast messages corresponding to the destination MAC address;
After a specified time is reached, the CPU judges whether the number of unknown-destination unicast messages corresponding to each destination MAC address is greater than a preset threshold; if it is, the CPU sends the flow control policy corresponding to that destination MAC address to the forwarding chip. The flow control policy causes the forwarding chip, on receiving an unknown-destination unicast message for that destination MAC address, to discard the received message.
The method further comprises: when the forwarding chip forwards unknown-destination unicast messages to the CPU, if the unknown unicast message forwarding control table contains a destination MAC address whose number of unknown-destination unicast messages is not greater than the preset threshold, the CPU sends the unknown-destination unicast messages for that destination MAC address by broadcast; or, when the forwarding chip mirrors unknown-destination unicast messages to the CPU, if the unknown unicast message forwarding control table contains a destination MAC address whose number of unknown-destination unicast messages is not greater than the preset threshold, the CPU discards the unknown-destination unicast messages for that destination MAC address, and the forwarding chip sends them by broadcast.
The method further comprises: if there is a destination MAC address whose number of unknown-destination unicast messages is not greater than the preset threshold, the CPU zeroes the number of unknown-destination unicast messages corresponding to that destination MAC address in the unknown unicast message forwarding control table; or, the CPU deletes the record corresponding to that destination MAC address from the unknown unicast message forwarding control table.
The method further comprises: if there is a destination MAC address whose number of unknown-destination unicast messages is greater than the preset threshold, the CPU sets a blocking (Block) timer for that destination MAC address. After the Block timer expires, the CPU sends the flow recovery policy corresponding to that destination MAC address to the forwarding chip. The flow recovery policy causes the forwarding chip to remove the flow control policy corresponding to that destination MAC address and, on receiving an unknown-destination unicast message for that destination MAC address, to send the message up to the CPU for processing.
The unknown unicast message forwarding control table has a maximum number of records. After the CPU judges whether the destination MAC address is recorded in the unknown unicast message forwarding control table of the network device, the method further comprises: when the destination MAC address is not recorded in the table, the CPU judges whether the number of destination MAC addresses recorded in the table has reached the maximum number of records; if not, the CPU performs the step of recording the destination MAC address in the table; if so, the CPU adds the destination MAC address to a specified counter. When the number of destination MAC addresses in the specified counter reaches a preset quantity threshold, the CPU sends alarm information for the network device.
The embodiment of the invention also provides a network device for processing unknown-destination unicast messages. The network device comprises a forwarding chip and a central processing unit (CPU), and the CPU specifically comprises:
A receiving module, for receiving unknown-destination unicast messages from the forwarding chip;
An obtaining module, for obtaining the destination media access control (MAC) address of an unknown-destination unicast message;
A judging module, for judging whether the destination MAC address is recorded in the unknown unicast message forwarding control table of the network device, where the unknown unicast message forwarding control table records the correspondence between a destination MAC address and the number of unknown-destination unicast messages received for that destination MAC address;
A maintenance module, for updating the number of unknown-destination unicast messages corresponding to the destination MAC address when the judging module finds that the destination MAC address is recorded in the unknown unicast message forwarding control table, and otherwise for recording the destination MAC address in the table and updating the number of unknown-destination unicast messages corresponding to the destination MAC address;
A sending module, for judging, after a specified time is reached, whether the number of unknown-destination unicast messages corresponding to each destination MAC address is greater than a preset threshold and, if it is, for sending the flow control policy corresponding to that destination MAC address to the forwarding chip. The flow control policy causes the forwarding chip, on receiving an unknown-destination unicast message for that destination MAC address, to discard the received message.
The sending module is also used, when the forwarding chip forwards unknown-destination unicast messages to the CPU, to send by broadcast the unknown-destination unicast messages for any destination MAC address in the unknown unicast message forwarding control table whose number of unknown-destination unicast messages is not greater than the preset threshold; or, when the forwarding chip mirrors unknown-destination unicast messages to the CPU, to discard the unknown-destination unicast messages for any such destination MAC address, which are then sent by broadcast by the forwarding chip.
The maintenance module is further used, if there is a destination MAC address whose number of unknown-destination unicast messages is not greater than the preset threshold, to zero the number of unknown-destination unicast messages corresponding to that destination MAC address in the unknown unicast message forwarding control table; or, to delete the record corresponding to that destination MAC address from the table.
The maintenance module is further used, if there is a destination MAC address whose number of unknown-destination unicast messages is greater than the preset threshold, to set a blocking (Block) timer for that destination MAC address;
The sending module is further used, after the Block timer expires, to send the flow recovery policy corresponding to that destination MAC address to the forwarding chip. The flow recovery policy causes the forwarding chip to remove the flow control policy corresponding to that destination MAC address and, on receiving an unknown-destination unicast message for that destination MAC address, to send the message up to the CPU for processing.
The unknown unicast message forwarding control table has a maximum number of records;
The judging module is further used, after judging whether the destination MAC address is recorded in the unknown unicast message forwarding control table of the network device and finding that it is not, to judge whether the number of destination MAC addresses recorded in the table has reached the maximum number of records; if not, the maintenance module performs the step of recording the destination MAC address in the table; if so, the maintenance module adds the destination MAC address to a specified counter;
The sending module is further used to send alarm information for the network device when the number of destination MAC addresses in the specified counter reaches a preset quantity threshold.
Compared with the prior art, the embodiment of the invention has at least the following advantages: by maintaining, in the unknown unicast message forwarding control table, the correspondence between each destination MAC address and the number of unknown-destination unicast messages received for that address, the embodiment can distinguish normal (that is, legitimate) unknown-destination unicast messages from attack (that is, illegitimate) unknown-destination unicast messages, can effectively and thoroughly suppress the attack unknown-destination unicast messages, and effectively guarantees the correct forwarding of normal unknown-destination unicast messages.
Description of drawings
Fig. 1 is a schematic diagram of the forwarding of an unknown-destination unicast message in the prior art;
Fig. 2 is a flow chart of a method for processing unknown-destination unicast messages provided by the embodiment of the invention;
Fig. 3 is a structural diagram of a network device provided by the embodiment of the invention.
Embodiments
To address the problems in the prior art, the embodiment of the invention provides a method for processing unknown-destination unicast messages. The method is applied in a network device (for example a switch or a router) that comprises at least a forwarding chip and a CPU (Central Processing Unit). Fig. 1 serves as the application scenario of the embodiment: network device 1 needs to send unicast messages to network device 3 through network device 2, so network device 2 may receive unknown-destination unicast messages from network device 1 (with destination MAC address MAC3); in addition, network device 2 may also receive attack unknown-destination unicast messages (whose destination MAC addresses may be MAC4, MAC5, MAC6 and so on).
Based on this application scenario, and as shown in Fig. 2, the method comprises the following steps:
Step 201: after receiving an unknown-destination unicast message, the forwarding chip sends it to the CPU. The forwarding chip can forward the message directly to the CPU; or it can mirror the message to the CPU, that is, the forwarding chip makes a copy of the unknown-destination unicast message and sends the copy to the CPU.
If the forwarding chip forwards the message directly to the CPU, the CPU controls whether the message is forwarded onward. If the forwarding chip mirrors the message to the CPU, the forwarding chip keeps the message and still sends it according to the normal processing flow.
To prevent a large number of unknown-destination unicast messages sent to the CPU from affecting CPU performance, a maximum upload rate for unknown-destination unicast messages can also be configured in the embodiment; the forwarding chip then sends unknown-destination unicast messages to the CPU according to this maximum upload rate. For example, if the maximum upload rate is 100 unknown-destination unicast messages per second and the forwarding chip receives 130 unknown-destination unicast messages per second, the forwarding chip sends only 100 of them per second to the CPU and discards the other 30.
Step 202: the CPU receives the unknown-destination unicast message from the forwarding chip and obtains its destination MAC address, that is, it extracts the destination MAC address from the message.
Step 203: the CPU judges whether this destination MAC address is recorded in the unknown unicast message forwarding control table of the network device; if not, step 204 is performed; if so, step 205 is performed.
In the embodiment, the network device maintains an unknown unicast message forwarding control table, which records the correspondence between a destination MAC address and the number of unknown-destination unicast messages received for that destination MAC address. Table 1 is an example of such a table; it records, for each current destination MAC address, the number of unknown-destination unicast messages received for that address.
Table 1
Destination MAC address | Number of unknown-destination unicast messages received for the destination MAC address
MAC3 | 2
MAC4 | 2000
MAC5 | 2000
Based on the unknown unicast message forwarding control table shown in Table 1, if the destination MAC address that the CPU extracts from the unknown-destination unicast message is MAC3, the CPU determines that this destination MAC address is recorded in the table, and step 205 is performed; if the extracted destination MAC address is MAC6, the CPU determines that this destination MAC address is not recorded in the table, and step 204 is performed.
Step 204: the CPU records this destination MAC address in the unknown unicast message forwarding control table and updates the number of unknown-destination unicast messages corresponding to it, that is, it adds 1 to the number of unknown-destination unicast messages corresponding to this destination MAC address in the table.
Based on the table shown in Table 1, if the destination MAC address that the CPU extracts from the unknown-destination unicast message is MAC6, the CPU records MAC6 in the unknown unicast message forwarding control table and adds 1 to the number of unknown-destination unicast messages corresponding to MAC6, which gives the table shown in Table 2.
Table 2
Destination MAC address | Number of unknown-destination unicast messages received for the destination MAC address
MAC3 | 2
MAC4 | 2000
MAC5 | 2000
MAC6 | 1
After step 204, if the specified time has been reached (the specified time can be set based on practical experience), the subsequent step 206 is performed; otherwise the above steps continue to be performed.
Step 205: the CPU directly updates the number of unknown-destination unicast messages corresponding to this destination MAC address (for example MAC3), that is, it adds 1 to the number of unknown-destination unicast messages corresponding to this destination MAC address in the unknown unicast message forwarding control table.
Based on the table shown in Table 1, if the destination MAC address that the CPU extracts from the unknown-destination unicast message is MAC3, the CPU directly adds 1 to the number of unknown-destination unicast messages corresponding to MAC3 in the table shown in Table 1, which gives the table shown in Table 3.
Table 3
Destination MAC address | Number of unknown-destination unicast messages received for the destination MAC address
MAC3 | 3
MAC4 | 2000
MAC5 | 2000
After step 205, if the specified time has been reached (the specified time can be set based on practical experience), the subsequent step 206 is performed; otherwise the above steps continue to be performed.
Step 206: after the specified time is reached (it can be set based on practical experience, for example to 1 s), the CPU judges whether the number of unknown-destination unicast messages corresponding to each destination MAC address is greater than a preset threshold (set based on practical experience, for example 1000). If it is greater (that is, there is a destination MAC address whose number of unknown-destination unicast messages is greater than the preset threshold), step 207 is performed; if it is not greater (that is, there is a destination MAC address whose number of unknown-destination unicast messages is not greater than the preset threshold), step 208 is performed.
After the specified time is reached, if the current unknown unicast message forwarding control table is the one shown in Table 3, the CPU finds that the number of unknown-destination unicast messages corresponding to MAC3 is 3, which is not greater than the preset threshold 1000, so step 208 is performed; the number corresponding to MAC4 is 2000, which is greater than the preset threshold 1000, so step 207 is performed; and the number corresponding to MAC5 is 2000, which is greater than the preset threshold 1000, so step 207 is performed.
Step 207: the CPU sends the flow control policy corresponding to this destination MAC address to the forwarding chip. The flow control policy causes the forwarding chip, on receiving an unknown-destination unicast message for this destination MAC address, to discard the received message directly.
For example, when the CPU finds that the number of unknown-destination unicast messages corresponding to MAC4 is greater than the preset threshold, it sends the flow control policy corresponding to MAC4 to the forwarding chip; this policy causes the forwarding chip, on receiving an unknown-destination unicast message whose destination MAC address is MAC4, to discard it. Likewise, when the CPU finds that the number of unknown-destination unicast messages corresponding to MAC5 is greater than the preset threshold, it sends the flow control policy corresponding to MAC5 to the forwarding chip; this policy causes the forwarding chip, on receiving an unknown-destination unicast message whose destination MAC address is MAC5, to discard it.
Step 208: the CPU or the forwarding chip sends the unknown-destination unicast messages for this destination MAC address by broadcast. For example, when the CPU finds that the number of unknown-destination unicast messages corresponding to MAC3 is not greater than the preset threshold, the CPU or the forwarding chip sends the unknown-destination unicast messages for MAC3 by broadcast.
Specifically, when the forwarding chip forwards unknown-destination unicast messages directly to the CPU, the CPU sends the unknown-destination unicast messages for this destination MAC address by broadcast; or, when the forwarding chip mirrors unknown-destination unicast messages to the CPU, the CPU discards the unknown-destination unicast messages for this destination MAC address, and the forwarding chip sends them by broadcast.
It should be noted that when the forwarding chip mirrors unknown-destination unicast messages to the CPU, as long as the forwarding chip has not received from the CPU the flow control policy corresponding to a destination MAC address, it keeps sending the unknown-destination unicast messages for that destination MAC address by broadcast; once it has received from the CPU the flow control policy corresponding to a destination MAC address, it must stop sending the unknown-destination unicast messages for that destination MAC address by broadcast.
In the embodiment, after the CPU judges whether the number of unknown-destination unicast messages corresponding to a destination MAC address is greater than the preset threshold, if there is a destination MAC address whose number is not greater than the preset threshold, the CPU also needs to zero the number of unknown-destination unicast messages corresponding to that destination MAC address in the unknown unicast message forwarding control table; or, the CPU deletes the record corresponding to that destination MAC address from the table.
For example, after the specified time is reached, if the current unknown unicast message forwarding control table is the one shown in Table 3, then once the CPU finds that the number of unknown-destination unicast messages corresponding to MAC3 is not greater than the preset threshold 1000, it can zero the number corresponding to MAC3 in the table, which gives the table shown in Table 4; or, it can delete the record corresponding to MAC3 from the table, which gives the table shown in Table 5.
Table 4
Destination MAC address | Number of unknown-destination unicast messages received for the destination MAC address
MAC3 | 0
MAC4 | 2000
MAC5 | 2000
Table 5
Destination MAC address | Number of unknown-destination unicast messages received for the destination MAC address
MAC4 | 2000
MAC5 | 2000
In the embodiment of the invention, after the CPU judges whether the number of unknown-destination unicast messages corresponding to each destination MAC address is greater than the preset threshold, if the number for a destination MAC address is greater than the preset threshold, the CPU can also set a Block timer for that destination MAC address. After the Block timer expires (its timeout can be set freely based on practical experience), the CPU resets to zero the number of unknown-destination unicast messages corresponding to that destination MAC address and sends the flow recovery policy corresponding to that destination MAC address to the forwarding chip. The flow recovery policy causes the forwarding chip to remove the flow control strategy for that destination MAC address, so that after receiving an unknown-destination unicast message for that destination MAC address, the forwarding chip can again send it up to the CPU for processing.
In a concrete implementation, if the flow control strategy uses automatic reset mode, then after the Block timer expires the CPU sends the flow recovery policy corresponding to the destination MAC address to the forwarding chip (to make the forwarding chip remove the flow control strategy for that destination MAC address), restoring the forwarding chip's normal handling of unknown-destination unicast messages. If the flow control strategy uses manual reset mode, then after the Block timer expires the forwarding chip's handling of unknown-destination unicast messages is restored manually.
For example, when the specified time arrives and the current unknown unicast message forwarding control table is the one shown in Table 3, then after the CPU determines that the numbers of unknown-destination unicast messages corresponding to MAC4 and MAC5 are greater than the preset threshold of 1000, it can set a Block timer for MAC4 and a Block timer for MAC5. After the Block timer for MAC4 expires, the CPU sends the flow recovery policy corresponding to MAC4 to the forwarding chip. This policy causes the forwarding chip to remove the flow control strategy for MAC4, so that after receiving an unknown-destination unicast message whose destination MAC address is MAC4, the forwarding chip can send it up to the CPU for processing. Similarly, after the Block timer for MAC5 expires, the CPU sends the flow recovery policy corresponding to MAC5 to the forwarding chip. This policy causes the forwarding chip to remove the flow control strategy for MAC5, so that after receiving an unknown-destination unicast message whose destination MAC address is MAC5, the forwarding chip can send it up to the CPU for processing.
In the embodiment of the invention, the unknown unicast message forwarding control table maintained on the network device can also have a maximum record quantity. For example, if the unknown unicast message forwarding control table can record at most 16 MAC addresses, the maximum record quantity is 16.
On this basis, after the CPU judges whether the destination MAC address extracted from the unknown-destination unicast message is recorded in the unknown unicast message forwarding control table of the network device (step 203), if the destination MAC address is not recorded, the CPU first judges whether the number of destination MAC addresses currently recorded in the table has reached the maximum record quantity. If not, it performs the step of recording the destination MAC address in the unknown unicast message forwarding control table (step 204). If so, it adds the destination MAC address to a designated counter. The designated counter records the MAC addresses that cannot be recorded in the unknown unicast message forwarding control table, that is, the MAC addresses that arrive when the number of destination MAC addresses recorded in the table has already reached the maximum record quantity.
Further, when the number of destination MAC addresses in the designated counter reaches a preset quantity threshold (which can be set based on practical experience), the CPU concludes that either the MAC address learning process of the network device has a problem or the network environment has a problem (the network device is under continuous attack). It can therefore raise an alarm for the network device, after which network management personnel manage and maintain the device.
In the embodiment of the invention, because the unknown unicast message forwarding control table has a maximum record quantity, after setting the Block timer for a destination MAC address the CPU can also delete the record for that destination MAC address from the unknown unicast message forwarding control table. This saves table resources and lets the table record other destination MAC addresses.
In summary, the embodiment of the invention maintains, in the unknown unicast message forwarding control table, the correspondence between each destination MAC address and the number of unknown-destination unicast messages received for it. This makes it possible to distinguish normal (legitimate) unknown-destination unicast messages from attack (illegitimate) ones, to suppress the attack messages thoroughly, and to ensure that normal unknown-destination unicast messages are forwarded correctly. Further, when the destination MAC address of a large volume of attack messages does not change, the method quickly detects that destination MAC address and eliminates the attack. When the destination MAC address of the attack messages changes, repeated runs of the detection process detect the destination MAC addresses of the attack messages and eliminate the attack.
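The following Python simulation is an added example, not code from the patent. It models the CPU-side control table in mirror mode, using the text's threshold of 1000 and maximum of 16 records, and deletes records at each check (the Table 5 variant). The class and method names, the 60-second Block timer, the designated-counter threshold of 8, the clearing of the designated counter at each check and the sample traffic are assumptions.

```python
class ForwardingChip:
    """Stand-in for the forwarding chip in mirror mode: it floods unknown
    unicast and mirrors a copy to the CPU unless a drop rule is installed."""

    def __init__(self):
        self.drop_rules = set()

    def install_flow_control(self, mac):
        self.drop_rules.add(mac)

    def install_flow_recovery(self, mac):
        self.drop_rules.discard(mac)


class UnknownUnicastGuard:
    """CPU-side unknown unicast message forwarding control table."""

    def __init__(self, chip, threshold=1000, max_records=16,
                 block_seconds=60, overflow_alarm=8):
        self.chip = chip
        self.threshold = threshold            # preset threshold (1000 in the text)
        self.max_records = max_records        # maximum record quantity (16 in the text)
        self.block_seconds = block_seconds    # Block timer length (assumed value)
        self.overflow_alarm = overflow_alarm  # designated-counter threshold (assumed)
        self.table = {}        # destination MAC -> messages seen this interval
        self.block_until = {}  # destination MAC -> Block timer expiry time
        self.overflow = set()  # designated counter: MACs that did not fit
        self.alarms = []

    def on_packet(self, dst_mac):
        """Handle one unknown-destination frame; return 'drop' or 'flood'."""
        if dst_mac in self.chip.drop_rules:
            return "drop"                     # chip discards it, CPU never sees it
        if dst_mac in self.table:
            self.table[dst_mac] += 1
        elif len(self.table) < self.max_records:
            self.table[dst_mac] = 1
        elif dst_mac not in self.overflow:
            self.overflow.add(dst_mac)        # table is full
            if len(self.overflow) == self.overflow_alarm:
                self.alarms.append("unknown-unicast table overflow")
        return "flood"

    def on_interval(self, now):
        """Run at the specified time; return MACs newly put under flow control."""
        # Expired Block timers: send the flow recovery policy.
        for mac in [m for m, t in self.block_until.items() if t <= now]:
            del self.block_until[mac]
            self.chip.install_flow_recovery(mac)
        blocked = []
        for mac, count in self.table.items():
            if count > self.threshold:
                self.chip.install_flow_control(mac)
                self.block_until[mac] = now + self.block_seconds
                blocked.append(mac)
        # Records are deleted in both cases: normal MACs as in Table 5,
        # blocked MACs to free table space once their Block timer is set.
        self.table.clear()
        self.overflow.clear()  # assumption: the patent does not say when to clear
        return sorted(blocked)


def replay_example():
    """Constructed traffic: MAC3 stays under the threshold, MAC4/MAC5 exceed it."""
    chip = ForwardingChip()
    guard = UnknownUnicastGuard(chip)
    for mac, frames in (("MAC3", 300), ("MAC4", 2000), ("MAC5", 2000)):
        for _ in range(frames):
            guard.on_packet(mac)
    blocked = guard.on_interval(now=10)
    during = {m: guard.on_packet(m) for m in ("MAC3", "MAC4", "MAC5")}
    guard.on_interval(now=70)                 # Block timers (10 + 60) expire
    after = {m: guard.on_packet(m) for m in ("MAC4", "MAC5")}
    return blocked, during, after


if __name__ == "__main__":
    print(replay_example())
```

Because the counters only see traffic that the chip still mirrors, a destination that is attacked again after its Block timer expires is flooded for one more interval before the next check blocks it.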
Based on the same inventive concept as the above method, an embodiment of the invention also provides a network device for processing unknown-destination unicast messages. The network device comprises a forwarding chip and a central processing unit (CPU). As shown in Figure 3, the CPU specifically comprises:
A receiver module 11, used for receiving unknown-destination unicast messages from the forwarding chip;
An acquisition module 12, used for obtaining the destination MAC address of an unknown-destination unicast message;
A judge module 13, used for judging whether the destination MAC address is recorded in the unknown unicast message forwarding control table of the network device, where the unknown unicast message forwarding control table records the correspondence between each destination MAC address and the number of unknown-destination unicast messages received for that destination MAC address;
A maintenance module 14, used for updating the number of unknown-destination unicast messages corresponding to the destination MAC address when the judge module 13 determines that the destination MAC address is recorded in the unknown unicast message forwarding control table, and otherwise for recording the destination MAC address in the unknown unicast message forwarding control table and updating the number of unknown-destination unicast messages corresponding to it;
A sending module 15, used for judging, after the specified time arrives, whether the number of unknown-destination unicast messages corresponding to each destination MAC address is greater than the preset threshold and, if so, sending the flow control strategy corresponding to that destination MAC address to the forwarding chip, where the flow control strategy causes the forwarding chip to discard unknown-destination unicast messages it receives for that destination MAC address.
The sending module 15 is also used, when the forwarding chip forwards unknown-destination unicast messages to the CPU, for sending in broadcast mode the unknown-destination unicast messages for any destination MAC address whose number in the unknown unicast message forwarding control table is not greater than the preset threshold. Alternatively, when the forwarding chip mirrors unknown-destination unicast messages to the CPU, it is used for discarding the unknown-destination unicast messages for any destination MAC address whose number in the table is not greater than the preset threshold, and the forwarding chip sends those messages in broadcast mode.
The maintenance module 14 is further used, if the number of unknown-destination unicast messages corresponding to a destination MAC address is not greater than the preset threshold, for resetting to zero the number recorded for that destination MAC address in the unknown unicast message forwarding control table, or for deleting the record for that destination MAC address from the table.
The maintenance module 14 is further used, if the number of unknown-destination unicast messages corresponding to a destination MAC address is greater than the preset threshold, for setting a Block timer for that destination MAC address;
The sending module 15 is further used, after the Block timer expires, for sending the flow recovery policy corresponding to that destination MAC address to the forwarding chip, where the flow recovery policy causes the forwarding chip to remove the flow control strategy for that destination MAC address, so that after receiving an unknown-destination unicast message for that destination MAC address the forwarding chip sends it up to the CPU for processing.
The unknown unicast message forwarding control table has a maximum record quantity;
The judge module 13 is further used, after judging whether the destination MAC address is recorded in the unknown unicast message forwarding control table of the network device and finding that it is not, for judging whether the number of destination MAC addresses recorded in the table has reached the maximum record quantity. If not, the maintenance module 14 performs the step of recording the destination MAC address in the unknown unicast message forwarding control table; if so, the maintenance module 14 adds the destination MAC address to the designated counter;
The sending module 15 is further used for raising an alarm for the network device when the number of destination MAC addresses in the designated counter reaches the preset quantity threshold.
The modules of the device of the invention can be integrated into one unit or deployed separately. The above modules can be merged into one module or further split into multiple submodules.
From the above description of the embodiments, those skilled in the art can clearly understand that the invention can be implemented by software plus a necessary general-purpose hardware platform, or by hardware, although in many cases the former is the better implementation. On this understanding, the technical solution of the invention, or the part of it that contributes over the prior art, can be embodied as a software product. This computer software product is stored in a storage medium and includes instructions that cause a computer device (which can be a personal computer, a server, a network device or the like) to carry out the methods described in the embodiments of the invention.
Those skilled in the art will understand that the accompanying drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required to implement the invention.
Those skilled in the art will understand that the modules of the device in an embodiment can be distributed in the device as described in the embodiment, or can be changed accordingly and placed in one or more devices different from the present embodiment. The modules of the above embodiments can be merged into one module or further split into multiple submodules.
The sequence numbers of the above embodiments are for description only and do not indicate the relative merits of the embodiments.
What is disclosed above is only several specific embodiments of the invention. The invention is not limited to them, and any change that a person skilled in the art can think of shall fall within the protection scope of the invention.

Claims (10)

1. A method for processing a unicast message with an unknown destination, applied in a network device comprising a forwarding chip and a central processing unit (CPU), characterized in that the method comprises the following steps:
The CPU receives an unknown-destination unicast message from the forwarding chip and obtains the destination media access control (MAC) address of the unknown-destination unicast message;
The CPU judges whether the destination MAC address is recorded in the unknown unicast message forwarding control table of the network device, where the unknown unicast message forwarding control table records the correspondence between each destination MAC address and the number of unknown-destination unicast messages received for that destination MAC address;
If the destination MAC address is recorded in the unknown unicast message forwarding control table, the CPU updates the number of unknown-destination unicast messages corresponding to the destination MAC address; otherwise, the CPU records the destination MAC address in the unknown unicast message forwarding control table and updates the number of unknown-destination unicast messages corresponding to the destination MAC address;
After the specified time arrives, the CPU judges whether the number of unknown-destination unicast messages corresponding to each destination MAC address is greater than the preset threshold and, if so, sends the flow control strategy corresponding to that destination MAC address to the forwarding chip, where the flow control strategy causes the forwarding chip to discard unknown-destination unicast messages it receives for that destination MAC address.
2. The method of claim 1, characterized in that the method further comprises:
When the forwarding chip forwards unknown-destination unicast messages to the CPU, if the number of unknown-destination unicast messages corresponding to a destination MAC address in the unknown unicast message forwarding control table is not greater than the preset threshold, the CPU sends the unknown-destination unicast messages for that destination MAC address in broadcast mode; or,
When the forwarding chip mirrors unknown-destination unicast messages to the CPU, if the number of unknown-destination unicast messages corresponding to a destination MAC address in the unknown unicast message forwarding control table is not greater than the preset threshold, the CPU discards the unknown-destination unicast messages for that destination MAC address, and the forwarding chip sends the unknown-destination unicast messages for that destination MAC address in broadcast mode.
3. The method of claim 1 or 2, characterized in that the method further comprises:
If the number of unknown-destination unicast messages corresponding to a destination MAC address is not greater than the preset threshold, the CPU resets to zero the number of unknown-destination unicast messages recorded for that destination MAC address in the unknown unicast message forwarding control table; or the CPU deletes the record for that destination MAC address from the unknown unicast message forwarding control table.
4. The method of claim 1 or 2, characterized in that the method further comprises:
If the number of unknown-destination unicast messages corresponding to a destination MAC address is greater than the preset threshold, the CPU sets a Block timer for that destination MAC address; after the Block timer expires, the CPU sends the flow recovery policy corresponding to that destination MAC address to the forwarding chip, where the flow recovery policy causes the forwarding chip to remove the flow control strategy for that destination MAC address, so that after receiving an unknown-destination unicast message for that destination MAC address the forwarding chip sends it up to the CPU for processing.
5. The method of claim 3, characterized in that the unknown unicast message forwarding control table has a maximum record quantity, and after the CPU judges whether the destination MAC address is recorded in the unknown unicast message forwarding control table of the network device, the method further comprises:
When the destination MAC address is not recorded in the unknown unicast message forwarding control table of the network device, the CPU judges whether the number of destination MAC addresses recorded in the table has reached the maximum record quantity; if not, it performs the step of recording the destination MAC address in the unknown unicast message forwarding control table; if so, it adds the destination MAC address to a designated counter; when the number of destination MAC addresses in the designated counter reaches a preset quantity threshold, the CPU raises an alarm for the network device.
6. A network device for processing unknown-destination unicast messages, the network device comprising a forwarding chip and a central processing unit (CPU), characterized in that the CPU specifically comprises:
A receiver module, used for receiving unknown-destination unicast messages from the forwarding chip;
An acquisition module, used for obtaining the destination media access control (MAC) address of an unknown-destination unicast message;
A judge module, used for judging whether the destination MAC address is recorded in the unknown unicast message forwarding control table of the network device, where the unknown unicast message forwarding control table records the correspondence between each destination MAC address and the number of unknown-destination unicast messages received for that destination MAC address;
A maintenance module, used for updating the number of unknown-destination unicast messages corresponding to the destination MAC address when the judge module determines that the destination MAC address is recorded in the unknown unicast message forwarding control table, and otherwise for recording the destination MAC address in the unknown unicast message forwarding control table and updating the number of unknown-destination unicast messages corresponding to it;
A sending module, used for judging, after the specified time arrives, whether the number of unknown-destination unicast messages corresponding to each destination MAC address is greater than the preset threshold and, if so, sending the flow control strategy corresponding to that destination MAC address to the forwarding chip, where the flow control strategy causes the forwarding chip to discard unknown-destination unicast messages it receives for that destination MAC address.
7. The network device of claim 6, characterized in that,
The sending module is also used, when the forwarding chip forwards unknown-destination unicast messages to the CPU, for sending in broadcast mode the unknown-destination unicast messages for any destination MAC address whose number in the unknown unicast message forwarding control table is not greater than the preset threshold; or, when the forwarding chip mirrors unknown-destination unicast messages to the CPU, for discarding the unknown-destination unicast messages for any destination MAC address whose number in the table is not greater than the preset threshold, with the forwarding chip sending those messages in broadcast mode.
8. The network device of claim 6 or 7, characterized in that,
The maintenance module is further used, if the number of unknown-destination unicast messages corresponding to a destination MAC address is not greater than the preset threshold, for resetting to zero the number recorded for that destination MAC address in the unknown unicast message forwarding control table, or for deleting the record for that destination MAC address from the table.
9. The network device of claim 6 or 7, characterized in that,
The maintenance module is further used, if the number of unknown-destination unicast messages corresponding to a destination MAC address is greater than the preset threshold, for setting a Block timer for that destination MAC address;
The sending module is further used, after the Block timer expires, for sending the flow recovery policy corresponding to that destination MAC address to the forwarding chip, where the flow recovery policy causes the forwarding chip to remove the flow control strategy for that destination MAC address, so that after receiving an unknown-destination unicast message for that destination MAC address the forwarding chip sends it up to the CPU for processing.
10. The network device of claim 8, characterized in that the unknown unicast message forwarding control table has a maximum record quantity;
The judge module is further used, after judging whether the destination MAC address is recorded in the unknown unicast message forwarding control table of the network device and finding that it is not, for judging whether the number of destination MAC addresses recorded in the table has reached the maximum record quantity; if not, the maintenance module performs the step of recording the destination MAC address in the unknown unicast message forwarding control table; if so, the maintenance module adds the destination MAC address to the designated counter;
The sending module is further used for raising an alarm for the network device when the number of destination MAC addresses in the designated counter reaches the preset quantity threshold.
CN201310304126.3A 2013-07-16 2013-07-16 Method and device for processing unicast message with unknown destination Active CN103368850B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310304126.3A CN103368850B (en) 2013-07-16 2013-07-16 The processing method of a kind of purpose unknown unicast message and equipment


Publications (2)

Publication Number Publication Date
CN103368850A true CN103368850A (en) 2013-10-23
CN103368850B CN103368850B (en) 2016-12-28

Family

ID=49369415

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310304126.3A Active CN103368850B (en) 2013-07-16 2013-07-16 Method and device for processing unicast message with unknown destination

Country Status (1)

Country Link
CN (1) CN103368850B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107708194A (en) * 2017-11-10 2018-02-16 珠海市魅族科技有限公司 A kind of message filtering method and device, terminal and readable storage medium storing program for executing
CN112866114A (en) * 2020-12-31 2021-05-28 锐捷网络股份有限公司 Multicast message processing method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101159665A (en) * 2007-08-28 2008-04-09 杭州华三通信技术有限公司 Method and device to implement forwarding of unknown multicast packet to router port
CN101426014A (en) * 2008-12-02 2009-05-06 中兴通讯股份有限公司 Method and system for multicast source attack prevention
CN101651627A (en) * 2009-09-23 2010-02-17 杭州华三通信技术有限公司 Method and device for studying media access control (MAC) table items
CN103200129A (en) * 2013-04-05 2013-07-10 张小云 Mirroring method and device of unusual messages

Also Published As

Publication number Publication date
CN103368850B (en) 2016-12-28

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: NEW H3C TECHNOLOGIES Co.,Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: HANGZHOU H3C TECHNOLOGIES Co.,Ltd.

TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20230619

Address after: 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466

Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd.