Summary of the invention
Embodiments of the invention provide a method and a device for processing destination-unknown unicast packets (unicast packets whose destination MAC address the device does not know), which distinguish normal destination-unknown unicast packets from attack destination-unknown unicast packets and thereby guarantee that the normal packets are still forwarded correctly.
To achieve the above object, an embodiment of the invention provides a method for processing destination-unknown unicast packets, applied to a network device that comprises a forwarding chip and a central processing unit (CPU). The method comprises:
The CPU receives a destination-unknown unicast packet from the forwarding chip and obtains the destination media access control (MAC) address of the packet;
The CPU judges whether the destination MAC address is recorded in the unknown unicast forwarding control table of the network device; the unknown unicast forwarding control table records the correspondence between each destination MAC address and the number of destination-unknown unicast packets received for that destination MAC address;
If the destination MAC address is recorded in the unknown unicast forwarding control table, the CPU updates the number of destination-unknown unicast packets corresponding to the destination MAC address; otherwise, the CPU records the destination MAC address in the unknown unicast forwarding control table and then updates the number of destination-unknown unicast packets corresponding to it;
When the specified time is reached, the CPU judges, for each destination MAC address, whether the number of destination-unknown unicast packets corresponding to it is greater than a preset threshold. If so, the CPU sends a flow control policy corresponding to that destination MAC address to the forwarding chip; the flow control policy causes the forwarding chip, on receiving a destination-unknown unicast packet for that destination MAC address, to discard it.
The method further comprises: when the forwarding chip forwards destination-unknown unicast packets to the CPU, if the number of destination-unknown unicast packets corresponding to a destination MAC address in the unknown unicast forwarding control table is not greater than the preset threshold, the CPU sends the destination-unknown unicast packets for that destination MAC address in broadcast mode; alternatively, when the forwarding chip mirrors destination-unknown unicast packets to the CPU, if the number of destination-unknown unicast packets corresponding to a destination MAC address in the table is not greater than the preset threshold, the CPU discards its copy of the destination-unknown unicast packet for that destination MAC address and the forwarding chip sends the packet in broadcast mode.
The method further comprises: if the number of destination-unknown unicast packets corresponding to a destination MAC address is not greater than the preset threshold, the CPU clears that number to zero in the unknown unicast forwarding control table; alternatively, the CPU deletes the record corresponding to that destination MAC address from the unknown unicast forwarding control table.
The method further comprises: if the number of destination-unknown unicast packets corresponding to a destination MAC address is greater than the preset threshold, the CPU sets a Block timer for that destination MAC address. After the Block timer expires, the CPU sends a flow recovery policy corresponding to that destination MAC address to the forwarding chip; the flow recovery policy causes the forwarding chip to remove the flow control policy corresponding to that destination MAC address, so that on receiving a destination-unknown unicast packet for that destination MAC address the forwarding chip again sends it up to the CPU for processing.
The unknown unicast forwarding control table has a maximum record count. After the CPU judges whether the destination MAC address is recorded in the unknown unicast forwarding control table of the network device, the method further comprises: when the destination MAC address is not recorded in the table, the CPU judges whether the number of destination MAC addresses recorded in the table has reached the maximum record count; if not, the CPU performs the step of recording the destination MAC address in the table; if so, the CPU adds the destination MAC address to a designated counter. When the number of destination MAC addresses in the designated counter reaches a preset count threshold, the CPU sends alarm information for the network device.
An embodiment of the invention further provides a network device for processing destination-unknown unicast packets. The network device comprises a forwarding chip and a central processing unit (CPU), and the CPU comprises:
a receiving module, configured to receive destination-unknown unicast packets from the forwarding chip;
an acquisition module, configured to obtain the destination media access control (MAC) address of a destination-unknown unicast packet;
a judging module, configured to judge whether the destination MAC address is recorded in the unknown unicast forwarding control table of the network device, where the unknown unicast forwarding control table records the correspondence between each destination MAC address and the number of destination-unknown unicast packets received for that destination MAC address;
a maintenance module, configured to update the number of destination-unknown unicast packets corresponding to the destination MAC address when the judging module finds the destination MAC address recorded in the unknown unicast forwarding control table, and otherwise to record the destination MAC address in the table and then update the number of destination-unknown unicast packets corresponding to it;
a sending module, configured, when the specified time is reached, to judge for each destination MAC address whether the number of destination-unknown unicast packets corresponding to it is greater than the preset threshold and, if so, to send a flow control policy corresponding to that destination MAC address to the forwarding chip; the flow control policy causes the forwarding chip, on receiving a destination-unknown unicast packet for that destination MAC address, to discard it.
The sending module is further configured, when the forwarding chip forwards destination-unknown unicast packets to the CPU, to send the destination-unknown unicast packets for a destination MAC address in broadcast mode if the number of destination-unknown unicast packets corresponding to that destination MAC address in the unknown unicast forwarding control table is not greater than the preset threshold; alternatively, when the forwarding chip mirrors destination-unknown unicast packets to the CPU, to discard the destination-unknown unicast packet for that destination MAC address if its number is not greater than the preset threshold, the forwarding chip then sending the packet in broadcast mode.
The maintenance module is further configured, if the number of destination-unknown unicast packets corresponding to a destination MAC address is not greater than the preset threshold, to clear that number to zero in the unknown unicast forwarding control table, or alternatively to delete the record corresponding to that destination MAC address from the table.
The maintenance module is further configured, if the number of destination-unknown unicast packets corresponding to a destination MAC address is greater than the preset threshold, to set a Block timer for that destination MAC address;
The sending module is further configured, after the Block timer expires, to send a flow recovery policy corresponding to that destination MAC address to the forwarding chip; the flow recovery policy causes the forwarding chip to remove the flow control policy corresponding to that destination MAC address, so that on receiving a destination-unknown unicast packet for that destination MAC address the forwarding chip again sends it up to the CPU for processing.
The unknown unicast forwarding control table has a maximum record count;
The judging module is further configured, after judging whether the destination MAC address is recorded in the unknown unicast forwarding control table of the network device, to judge, when it is not recorded, whether the number of destination MAC addresses recorded in the table has reached the maximum record count; if not, the maintenance module performs the step of recording the destination MAC address in the table; if so, the maintenance module adds the destination MAC address to a designated counter;
The sending module is further configured to send alarm information for the network device when the number of destination MAC addresses in the designated counter reaches the preset count threshold.
Compared with the prior art, embodiments of the invention have at least the following advantage: by maintaining in the unknown unicast forwarding control table the correspondence between each destination MAC address and the number of destination-unknown unicast packets received for it, normal (legitimate) destination-unknown unicast packets can be distinguished from attack (illegitimate) destination-unknown unicast packets, so that the attack packets are effectively and thoroughly suppressed while the normal packets are still forwarded correctly.
Embodiment
To address the problems of the prior art, an embodiment of the invention provides a method for processing destination-unknown unicast packets. The method is applied to a network device (such as a switch or a router) that comprises at least a forwarding chip and a CPU (central processing unit). Fig. 1 is a schematic diagram of an application scenario of the embodiment: network device 1 needs to send unicast packets to network device 3 through network device 2, so network device 2 receives destination-unknown unicast packets from network device 1 (their destination MAC address is MAC3); in addition, network device 2 may also receive attack destination-unknown unicast packets (their destination MAC addresses may be MAC4, MAC5, MAC6 and so on).
Based on the above application scenario, as shown in Fig. 2, the method comprises the following steps:
Step 201: after receiving a destination-unknown unicast packet, the forwarding chip sends it to the CPU. The forwarding chip may forward the packet directly to the CPU, or it may mirror the packet to the CPU, that is, copy the packet and send the copy to the CPU.
If the forwarding chip forwards the packet directly to the CPU, the CPU controls whether the packet is transmitted onward; if the forwarding chip mirrors the packet to the CPU, the forwarding chip keeps the original packet and continues to send it according to its normal processing flow.
To prevent large numbers of destination-unknown unicast packets sent to the CPU from degrading CPU performance, the embodiment may also configure a maximum upload rate for destination-unknown unicast packets; the forwarding chip then sends destination-unknown unicast packets to the CPU at no more than this rate. For example, if the maximum upload rate is 100 destination-unknown unicast packets per second and the forwarding chip receives 130 such packets in a second, it sends only 100 of them to the CPU and discards the other 30.
Step 202: the CPU receives the destination-unknown unicast packet from the forwarding chip and obtains its destination MAC address, that is, extracts the destination MAC address from the packet.
Step 203: the CPU judges whether this destination MAC address is recorded in the unknown unicast forwarding control table of the network device; if not, step 204 is performed; if so, step 205 is performed.
In this embodiment, an unknown unicast forwarding control table is maintained on the network device. The table records the correspondence between each destination MAC address and the number of destination-unknown unicast packets received for that destination MAC address. Table 1 is an example of such a table; it records, for each destination MAC address currently present, the number of destination-unknown unicast packets received for it.
Table 1
Destination MAC address | Number of destination-unknown unicast packets received for this destination MAC address
MAC3 | 2
MAC4 | 2000
MAC5 | 2000
Based on the unknown unicast forwarding control table in Table 1, if the destination MAC address the CPU extracts from the packet is MAC3, the CPU determines that it is recorded in the table and step 205 is needed; if the extracted destination MAC address is MAC6, the CPU determines that it is not recorded in the table and step 204 is needed.
Step 204: the CPU records this destination MAC address in the unknown unicast forwarding control table and updates the number of destination-unknown unicast packets corresponding to it, that is, adds 1 to the count for this destination MAC address in the table.
Based on Table 1, if the destination MAC address extracted from the packet is MAC6, the CPU records MAC6 in the unknown unicast forwarding control table and adds 1 to the count for MAC6, obtaining the unknown unicast forwarding control table in Table 2.
Table 2
Destination MAC address | Number of destination-unknown unicast packets received for this destination MAC address
MAC3 | 2
MAC4 | 2000
MAC5 | 2000
MAC6 | 1
After step 204, if the specified time has been reached (the specified time can be set according to practical experience), step 206 is performed; otherwise the above steps continue to be performed.
Step 205: the CPU directly updates the number of destination-unknown unicast packets corresponding to this destination MAC address (for example MAC3), that is, adds 1 to the count for this destination MAC address in the unknown unicast forwarding control table.
Based on Table 1, if the destination MAC address extracted from the packet is MAC3, the CPU directly adds 1 to the count for MAC3 in Table 1, obtaining the unknown unicast forwarding control table in Table 3.
Table 3
Destination MAC address | Number of destination-unknown unicast packets received for this destination MAC address
MAC3 | 3
MAC4 | 2000
MAC5 | 2000
After step 205, if the specified time has been reached (the specified time can be set according to practical experience), step 206 is performed; otherwise the above steps continue to be performed.
Step 206: when the specified time is reached (it can be set according to practical experience, for example to 1 s), the CPU judges, for each destination MAC address, whether the number of destination-unknown unicast packets corresponding to it is greater than a preset threshold (also set according to practical experience, for example 1000). If greater (that is, there is a destination MAC address whose count exceeds the preset threshold), step 207 is performed; if not greater (that is, there is a destination MAC address whose count does not exceed the preset threshold), step 208 is performed.
When the specified time is reached, if the current unknown unicast forwarding control table is Table 3, the CPU finds that the count for MAC3 is 3, which is not greater than the preset threshold 1000, so step 208 is performed for MAC3; the count for MAC4 is 2000, greater than the preset threshold 1000, so step 207 is performed for MAC4; the count for MAC5 is 2000, greater than the preset threshold 1000, so step 207 is performed for MAC5.
Step 207: the CPU sends a flow control policy corresponding to this destination MAC address to the forwarding chip; the flow control policy causes the forwarding chip, on receiving a destination-unknown unicast packet for this destination MAC address, to discard it directly.
For example, when the CPU finds that the count for MAC4 is greater than the preset threshold, it sends the flow control policy for MAC4 to the forwarding chip, which then discards every destination-unknown unicast packet it receives whose destination MAC address is MAC4. When the CPU finds that the count for MAC5 is greater than the preset threshold, it sends the flow control policy for MAC5 to the forwarding chip, which then discards every destination-unknown unicast packet it receives whose destination MAC address is MAC5.
Step 208: the CPU or the forwarding chip sends the destination-unknown unicast packets for this destination MAC address in broadcast mode. For example, when the CPU finds that the count for MAC3 is not greater than the preset threshold, the destination-unknown unicast packets for MAC3 are broadcast by the CPU or by the forwarding chip.
Specifically, when the forwarding chip forwards the packet directly to the CPU, the CPU broadcasts the destination-unknown unicast packet for this destination MAC address; when the forwarding chip mirrors the packet to the CPU, the CPU discards its copy and the forwarding chip broadcasts the packet.
Note that when the forwarding chip mirrors destination-unknown unicast packets to the CPU, the forwarding chip keeps broadcasting the packets for a destination MAC address as long as it has not received the corresponding flow control policy from the CPU; once it receives the flow control policy for that destination MAC address, it stops broadcasting them.
In this embodiment, after the CPU judges whether the count for a destination MAC address is greater than the preset threshold, if the count for a destination MAC address is not greater than the preset threshold, the CPU also clears that count to zero in the unknown unicast forwarding control table; alternatively, the CPU deletes the record for that destination MAC address from the table.
For example, when the specified time is reached and the current unknown unicast forwarding control table is Table 3, after the CPU finds that the count for MAC3 is not greater than the preset threshold 1000, it can clear the count for MAC3 to zero, obtaining the table in Table 4; alternatively, it can delete the record for MAC3 from the table, obtaining the table in Table 5.
Table 4
Destination MAC address | Number of destination-unknown unicast packets received for this destination MAC address
MAC3 | 0
MAC4 | 2000
MAC5 | 2000
Table 5
Destination MAC address | Number of destination-unknown unicast packets received for this destination MAC address
In this embodiment, after the CPU judges whether the count for a destination MAC address is greater than the preset threshold, if the count for a destination MAC address is greater than the preset threshold, the CPU can also set a Block timer for that destination MAC address. After the Block timer expires (its timeout can be set freely according to practical experience), the CPU clears the count for that destination MAC address to zero and further sends a flow recovery policy corresponding to that destination MAC address to the forwarding chip; the flow recovery policy causes the forwarding chip to remove the flow control policy for that destination MAC address, so that on receiving a destination-unknown unicast packet for that destination MAC address the forwarding chip again sends the packet up to the CPU for processing.
In a specific implementation, if the flow control policy is in automatic reset mode, the CPU sends the flow recovery policy for the destination MAC address (which causes the forwarding chip to remove the corresponding flow control policy) to the forwarding chip when the Block timer expires, restoring the forwarding chip's handling of destination-unknown unicast packets; if the flow control policy is in manual reset mode, the forwarding chip's handling of destination-unknown unicast packets is restored manually after the Block timer expires.
For example, when the specified time is reached and the current unknown unicast forwarding control table is Table 3, after the CPU finds that the counts for MAC4 and MAC5 are greater than the preset threshold 1000, it can set a Block timer for MAC4 and a Block timer for MAC5. When the Block timer for MAC4 expires, the CPU sends the flow recovery policy for MAC4 to the forwarding chip; this policy causes the forwarding chip to remove the flow control policy for MAC4, so that on receiving a destination-unknown unicast packet whose destination MAC address is MAC4 it can again send the packet up to the CPU for processing. Likewise, when the Block timer for MAC5 expires, the CPU sends the flow recovery policy for MAC5 to the forwarding chip; this policy causes the forwarding chip to remove the flow control policy for MAC5, so that on receiving a destination-unknown unicast packet whose destination MAC address is MAC5 it can again send the packet up to the CPU for processing.
In this embodiment, the unknown unicast forwarding control table maintained on the network device can also have a maximum record count. For example, if the table can record at most 16 MAC addresses, the maximum record count is 16.
Accordingly, after the CPU judges whether the destination MAC address extracted from the packet is recorded in the unknown unicast forwarding control table (step 203), if it is not recorded, the CPU first judges whether the number of destination MAC addresses currently recorded in the table has reached the maximum record count; if not, it performs the step of recording the destination MAC address in the table (step 204); if so, it adds the destination MAC address to a designated counter. The designated counter records MAC addresses that cannot be recorded in the unknown unicast forwarding control table; specifically, once the number of destination MAC addresses recorded in the table reaches the maximum record count, no further MAC address can be recorded in it.
Further, when the number of destination MAC addresses in the designated counter reaches a preset count threshold (set according to practical experience), the CPU concludes that the MAC address learning process of the network device has gone wrong or that the network environment has gone wrong (the network device is under sustained attack); it can therefore send alarm information for the network device, after which network management personnel manage and maintain the device.
In this embodiment, because the unknown unicast forwarding control table has a maximum record count, after the CPU sets the Block timer for a destination MAC address it can also delete the record for that destination MAC address from the table, saving table resources so that the table can record entries for other destination MAC addresses.
In sum, in the embodiment of the invention, by maintenance purpose MAC Address in the control table of unknown unicast message repeating and receive corresponding relation between the quantity of purpose unknown unicast message of this target MAC (Media Access Control) address, thereby the purpose unknown unicast message (being illegal purpose unknown unicast message) that can distinguish normal purpose unknown unicast message (being legal purpose unknown unicast message) and attack, can effectively thoroughly suppress the purpose unknown unicast message of attacking, and effectively guarantee the correct forwarding of normal purpose unknown unicast message.Further, when the target MAC (Media Access Control) address of the purpose unknown unicast message of a large amount of attacks did not change, the target MAC (Media Access Control) address of the purpose unknown unicast message that can go out to attack by the said method fast detecting was to get rid of the attack of purpose unknown unicast message; When the target MAC (Media Access Control) address of the purpose unknown unicast message of attacking changes, can detect the target MAC (Media Access Control) address of the purpose unknown unicast message of attack by the repeated detection process of said method, to get rid of the attack of purpose unknown unicast message.
Based on the same inventive concept as the above method, the embodiment of the invention also provides a network device for processing destination-unknown unicast packets. The network device comprises a forwarding chip and a central processing unit (CPU), and as shown in Figure 3 the CPU specifically comprises:
Receiving module 11, for receiving destination-unknown unicast packets from the forwarding chip;
Acquisition module 12, for obtaining the destination MAC address of a destination-unknown unicast packet;
Judging module 13, for judging whether the destination MAC address is recorded in the unknown unicast forwarding control table of the network device; the unknown unicast forwarding control table records the correspondence between a destination MAC address and the number of destination-unknown unicast packets received for that destination MAC address;
Maintenance module 14, for updating the packet count corresponding to the destination MAC address when judging module 13 finds that the destination MAC address is recorded in the unknown unicast forwarding control table, and otherwise recording the destination MAC address in the table and then updating the packet count corresponding to it;
Sending module 15, for judging, after the fixed time arrives, whether the packet count corresponding to each destination MAC address is greater than the preset threshold and, if so, sending the forwarding chip the flow control policy for that destination MAC address; the flow control policy makes the forwarding chip discard any destination-unknown unicast packet for that destination MAC address that it subsequently receives.
Sending module 15 is further used, when the forwarding chip forwards destination-unknown unicast packets to the CPU, to send the packets of a destination MAC address by broadcast if the packet count for that address in the unknown unicast forwarding control table is not greater than the preset threshold; or, when the forwarding chip mirrors destination-unknown unicast packets to the CPU, to discard the packets of a destination MAC address if the packet count for that address in the table is not greater than the preset threshold, the forwarding chip itself sending those packets by broadcast.
Maintenance module 14 is further used, if the packet count corresponding to a destination MAC address is not greater than the preset threshold, to clear that count to zero in the unknown unicast forwarding control table, or alternatively to delete the record for that destination MAC address from the table.
Maintenance module 14 is further used, if the packet count corresponding to a destination MAC address is greater than the preset threshold, to set a Block timer for that destination MAC address;
Sending module 15 is further used, after the Block timer expires, to send the forwarding chip the flow recovery policy for that destination MAC address; the flow recovery policy makes the forwarding chip remove the flow control policy for that destination MAC address and, after receiving a destination-unknown unicast packet for that address, send the packet up to the CPU for processing.
The unknown unicast forwarding control table has a maximum record count;
Judging module 13 is further used, after judging whether the destination MAC address is recorded in the unknown unicast forwarding control table of the network device, to judge, when the destination MAC address is not recorded there, whether the number of destination MAC addresses recorded in the table has reached the maximum record count; if not, maintenance module 14 carries out the step of recording the destination MAC address in the table; if so, maintenance module 14 adds the destination MAC address to a designated counter;
Sending module 15 is further used, when the number of destination MAC addresses in the designated counter reaches the preset number threshold, to send alarm information for the network device.
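The following is an added simulation, not code from the patent or its applicant, of the control-table logic described both in the method steps above (the check of step 203 and the recording of step 204, the periodic threshold check, the Block timer and flow recovery policy, the maximum record count and the designated counter) and in modules 11 to 15 of the device. The forwarding chip is replaced by a small object that only records which per-MAC policies have been installed on it and whether it forwards or mirrors packets to the CPU. The threshold of 1000 packets and the maximum record count of 16 are the page's example values; the alarm threshold of 4 addresses, the 60-second Block timer, and the per-packet "flood"/"drop" actions returned to the caller are assumptions made for the example, and all MAC addresses are constructed.

```python
"""Model of the CPU-side unknown unicast forwarding control table (constructed example)."""
from dataclasses import dataclass, field

THRESHOLD = 1000        # packets per interval; the page's example value
MAX_ENTRIES = 16        # maximum record count; the page's example value
ALARM_THRESHOLD = 4     # assumed threshold for the designated counter (not on the page)
BLOCK_SECONDS = 60.0    # assumed Block timer length (not on the page)


@dataclass
class ForwardingChip:
    """Stand-in for the forwarding chip: it only keeps the per-MAC drop policies."""
    mode: str = "forward"                   # "forward" sends packets up; "mirror" copies them
    blocked: set = field(default_factory=set)

    def install_flow_control(self, mac):
        # flow control policy: the chip discards packets for this destination MAC
        self.blocked.add(mac)

    def install_flow_recovery(self, mac):
        # flow recovery policy: the chip sends packets for this MAC up to the CPU again
        self.blocked.discard(mac)


class UnknownUnicastController:
    """CPU side: receiving/acquisition (11, 12), judging (13), maintenance (14), sending (15)."""

    def __init__(self, chip):
        self.chip = chip
        self.table = {}          # destination MAC -> packets received in this interval
        self.designated = set()  # designated counter: MACs that did not fit in the table
        self.block_until = {}    # destination MAC -> time its Block timer expires
        self.alarms = []         # alarm information emitted for the administrator

    def on_packet(self, dst_mac, now):
        """Handle one destination-unknown unicast packet the chip sent up; return the CPU's action."""
        if dst_mac in self.chip.blocked:
            return "drop"                    # the chip drops these itself; defensive only
        if dst_mac in self.table:            # step 203: recorded -> update the count
            self.table[dst_mac] += 1
        elif len(self.table) < MAX_ENTRIES:  # step 204: room left -> record it
            self.table[dst_mac] = 1
        else:                                # table full -> designated counter
            self.designated.add(dst_mac)
            if len(self.designated) == ALARM_THRESHOLD:
                self.alarms.append("designated counter reached %d addresses" % ALARM_THRESHOLD)
        if self.table.get(dst_mac, 0) > THRESHOLD:
            return "drop"                    # over threshold before the periodic check
        # forward mode: the CPU floods the packet itself; mirror mode: the chip already did
        return "flood" if self.chip.mode == "forward" else "drop_copy"

    def on_interval(self, now):
        """The fixed-time check plus Block timer expiry handling."""
        for mac, count in list(self.table.items()):
            if count > THRESHOLD:
                self.chip.install_flow_control(mac)       # attack traffic: chip drops it
                self.block_until[mac] = now + BLOCK_SECONDS
                del self.table[mac]                       # free the entry while blocked
            else:
                self.table[mac] = 0                       # normal traffic: clear the count
        for mac, expiry in list(self.block_until.items()):
            if now >= expiry:
                self.chip.install_flow_recovery(mac)      # Block timer expired: recover
                del self.block_until[mac]


if __name__ == "__main__":
    chip = ForwardingChip(mode="forward")
    cpu = UnknownUnicastController(chip)
    for _ in range(1001):                     # constructed burst to one destination MAC
        cpu.on_packet("02:00:00:00:00:04", now=0.0)
    cpu.on_packet("02:00:00:00:00:05", now=0.0)
    cpu.on_interval(now=1.0)
    print("blocked after interval:", sorted(chip.blocked))
    cpu.on_interval(now=1.0 + BLOCK_SECONDS)
    print("blocked after Block timer:", sorted(chip.blocked))
```

Deleting the over-threshold entry in `on_interval` is the variant from the paragraph on the maximum record count; the chip's drop policy, not the table, carries the blocking state until the Block timer expires, so the freed entry can be reused by other destination MAC addresses in the meantime.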
The modules of the device of the present invention may be integrated into one unit or deployed separately. The above modules may be merged into a single module or further split into a plurality of submodules.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention may be implemented by software together with the necessary general-purpose hardware platform, or by hardware alone, although in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored on a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to carry out the method described in each embodiment of the present invention.
Those skilled in the art will appreciate that the accompanying drawings are schematic diagrams of a preferred embodiment, and that the modules or processes in the drawings are not necessarily required to implement the present invention.
Those skilled in the art will appreciate that the modules of the device in an embodiment may be distributed in the device of that embodiment as described, or may be changed accordingly and arranged in one or more devices different from the present embodiment. The modules of the above embodiment may be merged into a single module or further split into a plurality of submodules.
The sequence numbers of the above embodiments of the invention are for description only and do not indicate the relative merit of the embodiments.
The above disclosure describes only several specific embodiments of the present invention; the present invention is not limited thereto, and any variation that a person skilled in the art could conceive falls within the scope of protection of the present invention.