CN105227480A - Message forwarding method and relevant apparatus and communication system - Google Patents

Message forwarding method and relevant apparatus and communication system

Info

Publication number
CN105227480A
Authority
CN
China
Prior art keywords
couplet
line
switching equipment
layer switching
message
Prior art date
Legal status
Granted
Application number
CN201410265789.3A
Other languages
Chinese (zh)
Other versions
CN105227480B (en
Inventor
白惊涛
邹鹏
Current Assignee
Tencent Technology Shenzhen Co Ltd
Tencent Cloud Computing Beijing Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201410265789.3A
Publication of CN105227480A
Application granted
Publication of CN105227480B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the invention disclose a packet forwarding method, a related apparatus and a communication system. One packet forwarding method comprises: a first Layer 3 switching device receives a packet awaiting distributed denial of service (DDoS) attack identification; the first Layer 3 switching device determines, based on a preset policy, a first downlink physical port for forwarding the packet from among multiple downlink physical ports of the first Layer 3 switching device; and if the device downstream of the first downlink physical port is a second Layer 3 switching device, the first Layer 3 switching device forwards the packet to the second Layer 3 switching device through the determined first downlink physical port. The technical solution provided by the embodiments of the invention helps increase the protection traffic capacity of a DDoS protection network architecture.

Description

Packet forwarding method, related apparatus and communication system
Technical field
The present invention relates to the field of network technology, and in particular to a packet forwarding method, a related apparatus and a communication system.
Background
At present, with the rapid development of the Internet, network security problems are also becoming increasingly serious. For example, the distributed denial of service (DDoS) attack is a very common attack mode on networks.
Refer to Fig. 1, which illustrates an existing network architecture for protecting a destination host against DDoS attacks. Before a packet reaches the destination host it is forwarded through a router to a DDoS protection device, which performs DDoS attack identification: packets identified as DDoS attack traffic are dropped, and packets identified as non-attack traffic are forwarded on to the destination host.
In the course of research and practice the inventors found that the prior art has at least the following technical problem: in the existing DDoS protection network architecture, packets are distributed by a single router, and because the number of next-hop route entries of a router is very limited (the entry limit is generally 8), the DDoS protection traffic capacity is correspondingly small (generally at most 8 DDoS protection devices can be attached). For destination hosts that receive very large traffic volumes, the existing DDoS protection network architecture is usually unable to meet the protection requirement.
Summary of the invention
Embodiments of the invention provide a packet forwarding method, a related apparatus and a communication system, so as to increase the protection traffic capacity of a DDoS protection network architecture.
In a first aspect, a packet forwarding method comprises:
a first Layer 3 switching device receives a packet awaiting DDoS attack identification;
the first Layer 3 switching device determines, based on a preset policy, a first downlink physical port for forwarding the packet from among multiple downlink physical ports of the first Layer 3 switching device;
if the device downstream of the first downlink physical port is a second Layer 3 switching device, the first Layer 3 switching device forwards the packet to the second Layer 3 switching device through the determined first downlink physical port;
if the device downstream of the first downlink physical port is a DDoS protection device, the first Layer 3 switching device forwards the packet to the DDoS protection device through the determined first downlink physical port, so that the DDoS protection device performs DDoS attack identification on the packet.
In a second aspect, a Layer 3 switching device comprises:
a receiving unit, for receiving a packet awaiting DDoS attack identification;
a determining unit, for determining, based on a preset policy, a first downlink physical port for forwarding the packet from among multiple downlink physical ports of the Layer 3 switching device;
a packet forwarding unit, for forwarding the packet to a second Layer 3 switching device through the determined first downlink physical port if the device downstream of the first downlink physical port is the second Layer 3 switching device, and for forwarding the packet to a DDoS protection device through the determined first downlink physical port if the device downstream of the first downlink physical port is the DDoS protection device, so that the DDoS protection device performs DDoS attack identification on the packet.
In a third aspect, a communication system comprises a core router, at least one Layer 3 switching device downstream of the core router, and at least one DDoS protection device downstream of the Layer 3 switching device;
the core router is configured to receive a packet awaiting DDoS attack identification, to determine, based on a preset policy, a first downlink physical port for forwarding the packet from among multiple downlink physical ports of the core router, and to forward the packet through the determined first downlink physical port to a second Layer 3 switching device among the at least one Layer 3 switching device;
the second Layer 3 switching device is configured to receive the packet, to determine, based on a preset policy, a second downlink physical port for forwarding the packet from among multiple downlink physical ports of the second Layer 3 switching device, and to forward the packet to a DDoS protection device through the determined second downlink physical port;
the DDoS protection device is configured to perform DDoS attack identification on the packet.
It can be seen that in the technical solution of some embodiments of the invention, after receiving a packet awaiting DDoS attack identification, the first Layer 3 switching device determines, based on a preset policy, a first downlink physical port for forwarding the packet from among multiple downlink physical ports; if the device downstream of the first downlink physical port is a second Layer 3 switching device, the first Layer 3 switching device forwards the packet to the second Layer 3 switching device through the determined first downlink physical port. Because cascading of Layer 3 switching devices is introduced, packets awaiting DDoS attack identification can be distributed across Layer 3 switching devices, and a cascade of at least two tiers of Layer 3 switching devices allows the DDoS protection network architecture to be expanded flexibly, which in turn allows a larger number of DDoS protection devices to be attached. Compared with the prior art, in which a single router distributes packets awaiting DDoS attack identification to the DDoS protection devices, the above solution of the invention helps increase the protection traffic capacity of the DDoS protection network architecture.
Brief description of the drawings
To describe the technical solutions in the embodiments of the invention or in the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Clearly, the drawings in the following description show only some embodiments of the invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a DDoS protection network architecture provided by an embodiment of the invention;
Fig. 2 is a flow diagram of a packet forwarding method provided by an embodiment of the invention;
Fig. 3-a is a schematic diagram of a DDoS protection network architecture provided by an embodiment of the invention;
Fig. 3-b is a flow diagram of another packet forwarding method provided by an embodiment of the invention;
Fig. 4-a is a schematic diagram of a DDoS protection network architecture provided by an embodiment of the invention;
Fig. 4-b is a flow diagram of another packet forwarding method provided by an embodiment of the invention;
Fig. 5-a is a schematic diagram of a DDoS protection network architecture provided by an embodiment of the invention;
Fig. 5-b is a flow diagram of another packet forwarding method provided by an embodiment of the invention;
Fig. 6 is a schematic diagram of a Layer 3 switching device provided by an embodiment of the invention;
Fig. 7 is a schematic diagram of another Layer 3 switching device provided by an embodiment of the invention;
Fig. 8 is a schematic diagram of another Layer 3 switching device provided by an embodiment of the invention;
Fig. 9 is a schematic diagram of a communication device provided by an embodiment of the invention.
Detailed description of the embodiments
Embodiments of the invention provide a packet forwarding method, a related apparatus and a communication system.
To help those skilled in the art understand the solution of the invention better, the technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings of those embodiments. Clearly, the described embodiments are only some of the embodiments of the invention rather than all of them. All other embodiments that a person of ordinary skill in the art obtains on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Each aspect is described in detail below.
The terms "first", "second", "third", "fourth" and so on in the specification, claims and drawings of the invention are used to distinguish different objects, not to describe a particular order. In addition, the terms "comprise" and "have", and any variants of them, are intended to cover non-exclusive inclusion. For example, a process, method, system, product or device comprising a series of steps or units is not limited to the listed steps or units, but may optionally also comprise steps or units that are not listed, or other steps or units inherent to that process, method, product or device.
In one embodiment of the packet forwarding method of the invention, the method comprises: a first Layer 3 switching device receives a packet awaiting DDoS attack identification; the first Layer 3 switching device determines, based on a preset policy, a first downlink physical port for forwarding the packet from among multiple downlink physical ports of the first Layer 3 switching device; if the device downstream of the first downlink physical port is a second Layer 3 switching device, the first Layer 3 switching device forwards the packet to the second Layer 3 switching device through the determined first downlink physical port; and if the device downstream of the first downlink physical port is a DDoS protection device, the first Layer 3 switching device forwards the packet to the DDoS protection device through the determined first downlink physical port, so that the DDoS protection device performs DDoS attack identification on the packet.
Refer to Fig. 2, a flow diagram of a packet forwarding method provided by an embodiment of the invention. As shown in Fig. 1, a packet forwarding method provided by an embodiment of the invention may comprise the following:
201. The first Layer 3 switching device receives a packet awaiting DDoS attack identification.
Optionally, in some possible embodiments of the invention, the first Layer 3 switching device receiving a packet awaiting DDoS attack identification may comprise: the first Layer 3 switching device receives a packet awaiting DDoS attack identification from a fourth Layer 3 switching device; or the first Layer 3 switching device receives a packet awaiting DDoS attack identification from an external network; or the first Layer 3 switching device receives a packet awaiting DDoS attack identification from the destination host or another device.
Here the destination host is the host corresponding to the destination address of the packet awaiting DDoS attack identification.
In the embodiments of the invention, a Layer 3 switching device may be a router, a switch or any other device with a Layer 3 switching function.
202. The first Layer 3 switching device determines, based on a preset policy, a first downlink physical port for forwarding the packet from among multiple downlink physical ports of the first Layer 3 switching device.
The preset policy may be, for example, a random selection policy, a round-robin selection policy or a load-balancing policy.
For example, under a random selection policy the first Layer 3 switching device may randomly determine the first downlink physical port for forwarding the packet from among the multiple downlink physical ports. As another example, under a round-robin selection policy it may determine the first downlink physical port from among the multiple downlink physical ports in turn. As a further example, under a load-balancing policy it may determine as the first downlink physical port the downlink physical port whose current load is the lowest, or among the lowest.
203. If the device downstream of the first downlink physical port is a second Layer 3 switching device, the first Layer 3 switching device forwards the packet to the second Layer 3 switching device through the determined first downlink physical port.
204. If the device downstream of the first downlink physical port is a DDoS protection device, the first Layer 3 switching device forwards the packet to the DDoS protection device through the determined first downlink physical port, so that the DDoS protection device performs DDoS attack identification on the packet.
A DDoS protection device is a security device that provides protection against DDoS attacks. If the DDoS protection device identifies a packet as a DDoS attack packet, it may drop the packet; if it identifies the packet as a non-attack packet, it may pass the packet back toward the destination host.
It can be seen that in this embodiment, after receiving a packet awaiting DDoS attack identification, the first Layer 3 switching device determines, based on a preset policy, a first downlink physical port for forwarding the packet from among multiple downlink physical ports; if the device downstream of the first downlink physical port is a second Layer 3 switching device, the first Layer 3 switching device forwards the packet to the second Layer 3 switching device through the determined first downlink physical port. Because cascading of Layer 3 switching devices is introduced, packets awaiting DDoS attack identification can be distributed across Layer 3 switching devices, and a cascade of at least two tiers of Layer 3 switching devices allows the DDoS protection network architecture to be expanded flexibly, which in turn allows a larger number of DDoS protection devices to be attached. Compared with the prior art, in which a single router distributes packets awaiting DDoS attack identification to the DDoS protection devices, the above solution of the invention helps increase the protection traffic capacity of the DDoS protection network architecture.
Optionally, in some possible embodiments of the invention, the first Layer 3 switching device determining, based on a preset policy, a first downlink physical port for forwarding the packet from among its multiple downlink physical ports may comprise: the first Layer 3 switching device determines, based on a preset policy, a first downlink logical port for forwarding the packet from among multiple downlink logical ports of the first Layer 3 switching device, and then determines, based on a preset policy, the first downlink physical port for forwarding the packet from among the multiple downlink physical ports contained in the first downlink logical port. Here the first Layer 3 switching device groups its downlink physical ports, and the downlink physical ports of the same group are aggregated into one downlink logical port; managing downlink physical ports through downlink logical ports helps reduce port management complexity.
Optionally, in some possible embodiments of the invention, the first Layer 3 switching device receiving a packet awaiting DDoS attack identification from the fourth Layer 3 switching device comprises: the first Layer 3 switching device receives the packet awaiting DDoS attack identification from the fourth Layer 3 switching device through a first uplink physical port.
In that case, the first Layer 3 switching device determining, based on a preset policy, a first downlink physical port for forwarding the packet from among its multiple downlink physical ports may comprise: based on the mapping between the virtual Layer 3 switching devices of the first Layer 3 switching device and its uplink logical ports, determining the first virtual Layer 3 switching device corresponding to the first uplink logical port to which the first uplink physical port belongs; and selecting, based on a preset policy, a first next-hop route entry from among the multiple next-hop route entries corresponding to the first virtual Layer 3 switching device, where the first downlink physical port corresponding to the first next-hop route entry is the downlink physical port determined for forwarding the packet. By introducing virtualisation, the first Layer 3 switching device can present multiple virtual Layer 3 switching devices; for example, the multiple virtual Layer 3 switching devices presented by the first Layer 3 switching device correspond one-to-one to its multiple uplink logical ports. Introducing virtual Layer 3 switching devices increases the number of next-hop route entries available to the first Layer 3 switching device, which in turn allows a larger number of Layer 3 switching devices or DDoS protection devices to be attached below it.
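As an added illustration of the lookup chain just described (example code written for this page, not the patent's or Tencent's own implementation), the following Python model maps an ingress uplink physical port to its uplink logical port, from there to a virtual Layer 3 switching device, and selects one of that device's next-hop route entries. The 8-entry table limit per virtual device (taken from the "generally 8" figure the patent cites for a single router), the round-robin selection, the port naming (`up-phys0`, `up-lag0`, `down-phys0`) and every class and function name are assumptions of the example.

```python
"""Added example, not the patent's own design: uplink physical ports are
grouped into uplink logical ports, each uplink logical port maps one-to-one
to a virtual Layer 3 switching device, and each virtual device keeps its
own next-hop route entry table. The entry limit, the round-robin choice
and all names below are assumptions of this example."""
from typing import Dict, List

NEXT_HOP_ENTRY_LIMIT = 8  # per-table limit, after the "generally 8" the patent cites


class VirtualL3Device:
    """One virtual Layer 3 switching device with its own next-hop table."""

    def __init__(self, name: str):
        self.name = name
        self.next_hops: List[str] = []  # downlink physical port named by each entry
        self._cursor = 0                # round-robin position

    def add_next_hop(self, downlink_port: str) -> None:
        """Install a next-hop route entry; the table is capped per virtual device."""
        if len(self.next_hops) >= NEXT_HOP_ENTRY_LIMIT:
            raise OverflowError(f"{self.name}: next-hop table full")
        self.next_hops.append(downlink_port)

    def select(self) -> str:
        """Preset policy for this example: round-robin over this device's entries."""
        if not self.next_hops:
            raise LookupError(f"{self.name}: no next-hop entries")
        port = self.next_hops[self._cursor % len(self.next_hops)]
        self._cursor += 1
        return port


class VirtualisedSwitch:
    """Physical Layer 3 switching device hosting several virtual devices."""

    def __init__(self):
        self.phys_to_logical: Dict[str, str] = {}               # uplink phys -> logical
        self.logical_to_vdev: Dict[str, VirtualL3Device] = {}   # logical -> virtual device

    def add_uplink_logical_port(self, logical: str, phys_ports: List[str]) -> VirtualL3Device:
        """Aggregate uplink physical ports into one logical port and bind a virtual device."""
        vdev = VirtualL3Device(f"vdev-{logical}")
        self.logical_to_vdev[logical] = vdev
        for p in phys_ports:
            self.phys_to_logical[p] = logical
        return vdev

    def select_downlink(self, ingress_phys_port: str) -> str:
        """The chain from the text: ingress uplink physical port -> uplink
        logical port -> virtual device -> one of its next-hop entries."""
        logical = self.phys_to_logical[ingress_phys_port]
        return self.logical_to_vdev[logical].select()

    def total_next_hop_entries(self) -> int:
        """Entries usable by the whole physical device, summed over virtual devices."""
        return sum(len(v.next_hops) for v in self.logical_to_vdev.values())


def build_demo(logical_ports: int = 4) -> VirtualisedSwitch:
    """Constructed layout: `logical_ports` uplink logical ports of two physical
    ports each, with a full table behind every virtual device."""
    sw = VirtualisedSwitch()
    for g in range(logical_ports):
        vdev = sw.add_uplink_logical_port(f"up-lag{g}", [f"up-phys{2 * g}", f"up-phys{2 * g + 1}"])
        for e in range(NEXT_HOP_ENTRY_LIMIT):
            vdev.add_next_hop(f"down-phys{g * NEXT_HOP_ENTRY_LIMIT + e}")
    return sw
```

With four uplink logical ports, `build_demo(4).total_next_hop_entries()` is 32 even though no single table exceeds the 8-entry cap, which is the capacity gain the passage attributes to virtualisation; a ninth `add_next_hop` on any one virtual device raises `OverflowError`, and packets arriving on either physical member of the same logical port share that virtual device's round-robin cursor.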
Optionally, in some possible embodiments of the invention, if the device downstream of the first downlink physical port is a DDoS protection device, the packet forwarding method may further comprise: the first Layer 3 switching device establishes a separate Border Gateway Protocol (BGP) session with each downstream DDoS protection device through the respective downlink physical port. That is, each DDoS protection device corresponds to a different BGP session. For example, if the first Layer 3 switching device connects 100 DDoS protection devices through 100 downlink physical ports, it establishes a BGP session with each of the 100 DDoS protection devices through the corresponding one of the 100 downlink physical ports. The downstream DDoS protection devices, the downlink physical ports and the BGP sessions are thus in one-to-one correspondence.
Optionally, in some possible embodiments of the invention, if the device downstream of the first downlink physical port is a second Layer 3 switching device, the packet forwarding method may further comprise: the first Layer 3 switching device establishes a separate BGP session with the downstream Layer 3 switching device through each downlink logical port. That is, each downlink logical port corresponds to a different BGP session; for example, the first Layer 3 switching device establishes BGP sessions with the downstream Layer 3 switching devices through 10 downlink logical ports. The downlink logical ports and the BGP sessions are in one-to-one correspondence, or the downlink logical ports, the downstream Layer 3 switching devices and the BGP sessions are in one-to-one correspondence.
To aid understanding and implementation of the above solution of the embodiments of the invention, some scenarios are illustrated below.
Refer to Fig. 3-a, which shows a DDoS protection network architecture. In the architecture of Fig. 3-a, the destination host is connected to the core router, the core router connects 8 Layer 3 switches through 8 downlink physical ports, and each Layer 3 switch connects 8 DDoS protection devices through 8 downlink physical ports.
Refer to Fig. 3-b, a flow diagram of another packet forwarding method provided by another embodiment of the invention. The packet forwarding method of Fig. 3-b may be implemented in the architecture of Fig. 3-a. As shown in Fig. 3-b, the method may comprise the following:
301. The core router receives a packet awaiting DDoS attack identification from the external network.
302. The core router determines, based on a preset policy, a first downlink physical port for forwarding the packet from among its 8 downlink physical ports, and forwards the packet to the second Layer 3 switch through the determined first downlink physical port.
The second Layer 3 switch is one of the 8 Layer 3 switches above.
The preset policy may be, for example, a random selection policy, a round-robin selection policy or a load-balancing policy.
For example, under a random selection policy the core router may randomly determine the first downlink physical port for forwarding the packet from among its 8 downlink physical ports. As another example, under a round-robin selection policy it may determine the first downlink physical port from among its 8 downlink physical ports in turn. As a further example, under a load-balancing policy it may determine as the first downlink physical port the one of its 8 downlink physical ports whose current load is the lowest, or among the lowest.
303. The second Layer 3 switch receives the packet and may determine, based on a preset policy, a second downlink physical port for forwarding the packet from among its 8 downlink physical ports; the second Layer 3 switch forwards the packet to the first DDoS protection device through the determined second downlink physical port.
The first DDoS protection device is one of the 8 DDoS protection devices downstream of the second Layer 3 switch.
304. The first DDoS protection device receives the packet and performs DDoS attack identification on it.
If the first DDoS protection device identifies the packet as a DDoS attack packet, it may drop the packet.
If the first DDoS protection device identifies the packet as a non-attack packet, step 305 may be performed.
305. The first DDoS protection device forwards the packet to the second Layer 3 switch.
306. The second Layer 3 switch forwards the packet to the core router.
307. The core router forwards the packet to the destination host.
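As an added example serving both the general method of steps 201-204 and the Fig. 3-a walk-through in steps 301-307 (example code written for this page, not the patent's or the assignee's own implementation), the Python below builds the 8 x 8 cascade, selects downlink ports by the page's three policies (random, round-robin, least load), hands packets to leaf protection devices and records the path a cleared packet retraces to the destination host. The packet format, the per-source packet-count threshold inside `ProtectionDevice.inspect` (a stand-in for whatever detection the real device runs), the "packets forwarded so far" measure of current load, and all class, function and device names are assumptions of the example.

```python
"""Added example, not the patent's own design: a simulation of the cascaded
forwarding of steps 201-204, built as the Fig. 3-a topology (core router ->
8 Layer 3 switches -> 8 DDoS protection devices each) and run through steps
301-307. Packets are dicts, the DDoS verdict is a placeholder per-source
packet-count threshold and "current load" is packets forwarded so far;
all three are assumptions of this example."""
import random
from collections import Counter
from typing import Dict, List, Union

_RNG = random.Random(0)  # seeded so the "random" policy is repeatable

class ProtectionDevice:
    """Leaf of the cascade: the DDoS protection device that inspects packets."""
    def __init__(self, name: str, threshold: int = 5):
        self.name = name
        self.threshold = threshold      # placeholder detection parameter
        self.seen: Counter = Counter()  # packets per source, this device only
        self.dropped = 0
        self.passed = 0

    def inspect(self, packet: dict) -> bool:
        """Step 304: True if cleared, False if dropped. Placeholder rule (not
        the patent's): over `threshold` packets from one source is an attack."""
        self.seen[packet["src"]] += 1
        if self.seen[packet["src"]] > self.threshold:
            self.dropped += 1
            return False
        self.passed += 1
        return True

class L3Switch:
    """Layer 3 switching device (core router or cascaded switch)."""
    def __init__(self, name: str, policy: str = "round_robin"):
        self.name = name
        self.policy = policy
        self.downlinks: List[Union["L3Switch", ProtectionDevice]] = []
        self.load: List[int] = []  # packets forwarded per downlink port
        self._rr = 0               # round-robin cursor

    def attach(self, node) -> "L3Switch":
        """Connect a switch or protection device to the next downlink port."""
        self.downlinks.append(node)
        self.load.append(0)
        return self

    def choose_port(self) -> int:
        """Step 202: pick a downlink port index by the preset policy."""
        n = len(self.downlinks)
        if self.policy == "random":
            return _RNG.randrange(n)
        if self.policy == "round_robin":
            self._rr += 1
            return (self._rr - 1) % n
        if self.policy == "least_load":
            return min(range(n), key=lambda i: self.load[i])
        raise ValueError(f"unknown policy {self.policy!r}")

    def forward(self, packet: dict) -> dict:
        """Steps 202-204: send the packet down one port; recurse into a
        switch, or hand it to a protection device for inspection."""
        idx = self.choose_port()
        self.load[idx] += 1
        hop = self.downlinks[idx]
        packet.setdefault("path", []).append(f"{self.name}:port{idx}")
        if isinstance(hop, L3Switch):
            return hop.forward(packet)
        cleared = hop.inspect(packet)
        # Steps 305-307: a cleared packet retraces the recorded path back
        # up the cascade to the core router and on to the destination host.
        return {"device": hop.name, "cleared": cleared,
                "path": packet["path"] + [hop.name]}

def build_fig3a(policy: str = "round_robin") -> L3Switch:
    """Fig. 3-a: a core router with 8 downlink switches of 8 devices each."""
    core = L3Switch("core", policy)
    for i in range(8):
        sw = L3Switch(f"sw{i}", policy)
        for j in range(8):
            sw.attach(ProtectionDevice(f"pd{i}-{j}"))
        core.attach(sw)
    return core

def protection_devices(core: L3Switch) -> List[ProtectionDevice]:
    """Leaf devices reachable from the core: 64 here, against the 8 that a
    lone router with an 8-entry next-hop table could attach directly."""
    return [d for sw in core.downlinks for d in sw.downlinks]

def spread_of_distinct_sources(core: L3Switch, n: int) -> int:
    """Send one packet from each of n constructed sources; count the
    distinct protection devices they reached."""
    hits = {core.forward({"src": f"10.0.0.{k}", "dst": "host"})["device"]
            for k in range(n)}
    return len(hits)

def flood_from_one_source(core: L3Switch, n: int) -> Dict[str, int]:
    """Send n packets from one constructed source and tally the verdicts.
    The cascade spreads that source over all 64 devices, so each device's
    per-source count grows 64 times more slowly than the flood itself."""
    for _ in range(n):
        core.forward({"src": "198.51.100.7", "dst": "host"})
    devs = protection_devices(core)
    return {"dropped": sum(d.dropped for d in devs),
            "passed": sum(d.passed for d in devs)}
```

`build_fig3a("round_robin")` reaches 64 protection devices against the 8 a single 8-entry router could attach, and 64 packets from 64 distinct sources land on 64 distinct devices. `flood_from_one_source` also makes a design point visible that the patent does not discuss: because random or round-robin selection splits one source across every device, any detection state the devices keep per source is split the same way (in this model 384 packets from one source give each device only 6), so such a deployment needs either state shared between devices or a selection policy that keeps a given flow on one device.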
Optionally, in some possible embodiments of the invention, the second Layer 3 switch establishes a separate BGP session with each downstream DDoS protection device through the respective downlink physical port. Specifically, each DDoS protection device corresponds to a different BGP session; for example, the second Layer 3 switch establishes BGP sessions with its 8 downstream DDoS protection devices through its 8 downlink physical ports, so that the 8 downstream DDoS protection devices, the 8 downlink physical ports of the second Layer 3 switch and the 8 BGP sessions are in one-to-one correspondence.
Optionally, in some possible embodiments of the invention, the core router establishes BGP sessions with its 8 downstream Layer 3 switches through its 8 downlink physical ports, so that the 8 downlink physical ports of the core router and the 8 BGP sessions are in one-to-one correspondence, and these 8 BGP sessions and the 8 Layer 3 switches are in one-to-one correspondence.
It can be seen that in this embodiment, after receiving a packet awaiting DDoS attack identification, the core router determines, based on a preset policy, a first downlink physical port for forwarding the packet from among multiple downlink physical ports, and forwards the packet to the second Layer 3 switching device through the determined first downlink physical port. Because cascading of Layer 3 switching devices is introduced, packets awaiting DDoS attack identification can be distributed across Layer 3 switching devices, and a cascade of at least two tiers of Layer 3 switching devices allows the DDoS protection network architecture to be expanded flexibly, which in turn allows a larger number of DDoS protection devices to be attached. Compared with the prior art, in which a single router distributes packets awaiting DDoS attack identification to the DDoS protection devices, the solution of this embodiment helps increase the protection traffic capacity of the DDoS protection network architecture.
See Fig. 4-a, which shows a DDoS protection network architecture. In the architecture shown in Fig. 4-a, the destination host is connected to the core router, the core router is connected downstream through 8 downlink physical ports to 1 layer-3 switch, and this layer-3 switch is connected downstream through 64 downlink physical ports to 64 DDoS attack protection devices, respectively.
See Fig. 4-b, a schematic flowchart of another packet forwarding method provided by another embodiment of the present invention. The packet forwarding method shown in Fig. 4-b may be implemented in the architecture shown in Fig. 4-a. As shown in Fig. 4-b, the packet forwarding method provided by this embodiment may include the following:
401. The core router receives, from the external network, a packet awaiting DDoS attack identification.
402. The core router determines, based on a preset strategy, from its 8 downlink physical ports the second downlink physical port through which the packet is forwarded, and forwards the packet through the determined second downlink physical port to the layer-3 switch.
The preset strategy may include a random selection strategy, a round-robin selection strategy, a load-balancing strategy, or the like.
For example, based on the random selection strategy the core router may randomly determine, from its 8 downlink physical ports, the second downlink physical port for forwarding the packet. As another example, based on the round-robin selection strategy the core router may determine, from the 8 downlink physical ports in turn, the second downlink physical port for forwarding the packet. As a further example, based on the load-balancing strategy the core router may determine, from the 8 downlink physical ports, the port whose current load is the lowest (or lower) as the second downlink physical port for forwarding the packet.
403. The layer-3 switch receives the packet through its first uplink physical port.
Based on the mapping between the virtual layer-3 switches virtualised by the layer-3 switch and the uplink logical ports of the layer-3 switch, the layer-3 switch determines the first virtual layer-3 switch corresponding to its first uplink physical port; from the 8 next-hop route entries corresponding to the first virtual layer-3 switch it selects, based on the preset strategy, a first next-hop route entry, and the first downlink physical port corresponding to the first next-hop route entry is the determined downlink physical port through which the packet is forwarded.
The layer-3 switch forwards the packet through the determined first downlink physical port to the first DDoS attack protection device.
By introducing virtualisation, the layer-3 switch can virtualise 8 virtual layer-3 switches; for example, the 8 virtual layer-3 switches virtualised by the first layer-3 switch are in one-to-one correspondence with the 8 uplink physical ports of the layer-3 switch. Introducing virtual layer-3 switches increases the number of next-hop route entries of the layer-3 switch, which in turn allows a larger number of DDoS attack protection devices to be attached below the layer-3 switch.
The first DDoS attack protection device is one of the 8 DDoS attack protection devices connected downstream of the 8 downlink physical ports corresponding to the first virtual layer-3 switch.
404. The first DDoS attack protection device receives the packet and performs DDoS attack identification on it.
If the first DDoS attack protection device identifies the packet as a DDoS attack packet, it may discard the packet.
If the first DDoS attack protection device identifies the packet as a non-DDoS-attack packet, step 405 may be performed.
405. The first DDoS attack protection device forwards the packet to the layer-3 switch.
406. The layer-3 switch forwards the packet to the core router.
407. The core router forwards the packet to the destination host.
Optionally, in some possible implementations of the present invention, the layer-3 switch establishes a BGP session through each of its downlink physical ports with the different DDoS attack protection device connected downstream of that port. Specifically, each DDoS attack protection device corresponds to a different BGP session; for example, the layer-3 switch establishes BGP sessions through its 64 downlink physical ports with the 64 downstream DDoS attack protection devices, respectively. The 64 downstream DDoS attack protection devices, the 64 downlink physical ports of the layer-3 switch and the 64 BGP sessions are in one-to-one correspondence.
Optionally, in some possible implementations of the present invention, the core router establishes BGP sessions through its 8 downlink physical ports with the layer-3 switch, respectively. The 8 downlink physical ports of the core router and the 8 BGP sessions are in one-to-one correspondence.
As can be seen, in this embodiment the core router, after receiving a packet awaiting DDoS attack identification, determines, based on a preset strategy, from its multiple downlink physical ports the second downlink physical port through which the packet is forwarded, and forwards the packet through the determined second downlink physical port to the layer-3 switch. Because layer-3 switches are cascaded, packets awaiting DDoS attack identification can be distributed between the core router and the layer-3 switch; a cascade of at least two layers of layer-3 switches allows the DDoS protection network architecture to be expanded flexibly and thus allows a larger number of DDoS attack protection devices to be attached. Compared with the prior art, in which a single router distributes packets awaiting DDoS attack identification to the DDoS attack protection devices, the scheme of this embodiment increases the protection traffic capacity of the DDoS protection network architecture.
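The Fig. 4-a topology and the flow of steps 401 to 407, as an added simulation that is not part of the patent: the core router picks one of its 8 downlink ports, the layer-3 switch maps the uplink port to a virtual switch and picks one of that virtual switch's 8 next-hop entries, and the protection device either discards the packet or returns it for delivery. Both tiers use the round-robin preset strategy, the cabling of core downlink port k to switch uplink port k is an assumption, and the per-source packet-count rule used for identification is constructed here because the patent does not specify how identification is performed.

```python
# Added example (not the patent's code): simulation of the Fig. 4-a topology
# running steps 401-407.  Both tiers use the round-robin preset strategy; the
# protection device's identification rule is a constructed per-source threshold.
import itertools
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str   # source address (constructed sample values only)
    dst: str   # destination host


class ProtectionDevice:
    """DDoS attack protection device (step 404).

    Assumption: a source that has already sent `threshold` packets to this
    device is treated as flooding and its further packets are discarded."""

    def __init__(self, dev_id: int, threshold: int = 100):
        self.dev_id = dev_id
        self.threshold = threshold
        self.seen = defaultdict(int)
        self.dropped = 0

    def identify(self, pkt: Packet) -> bool:
        """True for a non-attack packet, False for a packet to discard."""
        self.seen[pkt.src] += 1
        if self.seen[pkt.src] > self.threshold:
            self.dropped += 1
            return False
        return True


class Layer3Switch:
    """The single layer-3 switch of Fig. 4-a: 8 uplink physical ports, each in
    one-to-one correspondence with a virtual layer-3 switch that owns 8
    next-hop route entries, i.e. 64 downlink physical ports in total."""

    def __init__(self, devices, uplinks: int = 8, per_vswitch: int = 8):
        assert len(devices) == uplinks * per_vswitch
        self.vswitch_of_uplink = {p: p for p in range(uplinks)}
        # virtual switch -> its next-hop route entries (one protection device each)
        self.next_hops = {v: devices[v * per_vswitch:(v + 1) * per_vswitch]
                          for v in range(uplinks)}
        self._rr = {v: itertools.cycle(range(per_vswitch)) for v in range(uplinks)}

    def select(self, uplink_port: int):
        """Step 403: uplink port -> virtual switch -> one next-hop entry."""
        v = self.vswitch_of_uplink[uplink_port]
        entry = next(self._rr[v])          # round-robin preset strategy
        return v, entry, self.next_hops[v][entry]


class CoreRouter:
    """Core router with 8 downlink physical ports towards the layer-3 switch."""

    def __init__(self, switch: Layer3Switch, downlinks: int = 8):
        self.switch = switch
        self._rr = itertools.cycle(range(downlinks))

    def select(self) -> int:
        """Step 402: pick a downlink port with the round-robin preset strategy."""
        return next(self._rr)


def run_flow(core: CoreRouter, pkt: Packet):
    """Run steps 401-407 for one packet; returns (delivered, hop trace)."""
    trace = ["core_router"]                       # 401: packet from the external network
    port = core.select()                          # 402
    trace.append(f"core_downlink{port}")
    # assumption: core downlink port k is cabled to switch uplink port k
    v, entry, dev = core.switch.select(port)      # 403
    trace.append(f"vswitch{v}_nexthop{entry}")
    trace.append(f"device{dev.dev_id}")
    if not dev.identify(pkt):                     # 404: attack packet is discarded
        trace.append("discarded")
        return False, trace
    trace += ["switch", "core_router", pkt.dst]   # 405, 406, 407: clean packet returns
    return True, trace


def build_topology(threshold: int = 100):
    """Core router, one switch and 64 protection devices as in Fig. 4-a."""
    devices = [ProtectionDevice(i, threshold) for i in range(64)]
    return CoreRouter(Layer3Switch(devices)), devices


if __name__ == "__main__":
    core, devices = build_topology(threshold=5)
    for _ in range(6 * 64):   # constructed flood: 384 packets from one source
        run_flow(core, Packet("198.51.100.9", "destination-host"))
    print("discarded:", sum(d.dropped for d in devices))
```

Because round-robin spreads one source's packets over all 64 devices, each device sees only a 64th of the flood; a per-device threshold therefore triggers much later than a global one would, which is why the simulation counts drops per device.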
See Fig. 5-a, which shows a DDoS protection network architecture. In the architecture shown in Fig. 5-a, the destination host is connected to the core router, the core router is connected downstream through 64 downlink physical ports to 1 layer-3 switch, and this layer-3 switch is connected downstream through 64 downlink physical ports to 64 DDoS attack protection devices, respectively.
See Fig. 5-b, a schematic flowchart of another packet forwarding method provided by another embodiment of the present invention. The packet forwarding method shown in Fig. 5-b may be implemented in the architecture shown in Fig. 4-a. As shown in Fig. 5-b, the packet forwarding method provided by this embodiment may include the following:
501. The core router receives, from the external network, a packet awaiting DDoS attack identification.
502. The core router determines, based on a preset strategy, from its 8 downlink logical ports the second downlink logical port through which the packet is forwarded, and then determines, based on a preset strategy, from the 8 downlink physical ports comprised in the second downlink logical port the third downlink physical port through which the packet is forwarded.
The core router forwards the packet through the determined third downlink physical port to the layer-3 switch.
Each of the 8 downlink logical ports of the core router comprises 8 downlink physical ports.
The preset strategy may include a random selection strategy, a round-robin selection strategy, a load-balancing strategy, or the like.
503. The layer-3 switch receives the packet through its first uplink physical port.
Based on the mapping between the virtual layer-3 switches virtualised by the layer-3 switch and the uplink logical ports of the layer-3 switch, the layer-3 switch determines the first virtual layer-3 switch corresponding to the first uplink logical port to which its first uplink physical port belongs; from the 8 next-hop route entries corresponding to the first virtual layer-3 switch it selects, based on the preset strategy, a first next-hop route entry, and the first downlink physical port corresponding to the first next-hop route entry is the determined downlink physical port through which the packet is forwarded.
The layer-3 switch forwards the packet through the determined first downlink physical port to the first DDoS attack protection device.
By introducing virtualisation, the layer-3 switch can virtualise 8 virtual layer-3 switches; for example, the 8 virtual layer-3 switches virtualised by the layer-3 switch are in one-to-one correspondence with 8 uplink physical ports of the layer-3 switch. Introducing virtual layer-3 switches increases the number of next-hop route entries of the layer-3 switch, which in turn allows a larger number of DDoS attack protection devices to be attached below the layer-3 switch.
The first DDoS attack protection device is one of the 8 DDoS attack protection devices connected downstream of the 8 downlink physical ports corresponding to the first virtual layer-3 switch.
504. The first DDoS attack protection device receives the packet and performs DDoS attack identification on it.
If the first DDoS attack protection device identifies the packet as a DDoS attack packet, it may discard the packet.
If the first DDoS attack protection device identifies the packet as a non-DDoS-attack packet, step 505 may be performed.
505. The first DDoS attack protection device forwards the packet to the layer-3 switch.
506. The layer-3 switch forwards the packet to the core router.
507. The core router forwards the packet to the destination host.
Optionally, in some possible implementations of the present invention, the layer-3 switch establishes a BGP session through each of its downlink physical ports with the different DDoS attack protection device connected downstream of that port. Specifically, each DDoS attack protection device corresponds to a different BGP session; for example, the layer-3 switch establishes BGP sessions through its 64 downlink physical ports with the 64 downstream DDoS attack protection devices, respectively. The 64 downstream DDoS attack protection devices, the 64 downlink physical ports of the layer-3 switch and the 64 BGP sessions are in one-to-one correspondence.
Optionally, in some possible implementations of the present invention, the core router establishes BGP sessions through its 8 downlink physical ports with the layer-3 switch, respectively. The 8 downlink physical ports of the core router and the 8 BGP sessions are in one-to-one correspondence.
As can be seen, in this embodiment the core router, after receiving a packet awaiting DDoS attack identification, determines, based on a preset strategy, from its multiple downlink physical ports the third downlink physical port through which the packet is forwarded, and forwards the packet through the determined third downlink physical port to the layer-3 switch. Because layer-3 switches are cascaded, packets awaiting DDoS attack identification can be distributed between the core router and the layer-3 switch; a cascade of at least two layers of layer-3 switches allows the DDoS protection network architecture to be expanded flexibly and thus allows a larger number of DDoS attack protection devices to be attached. Compared with the prior art, in which a single router distributes packets awaiting DDoS attack identification to the DDoS attack protection devices, the scheme of this embodiment increases the protection traffic capacity of the DDoS protection network architecture.
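The two-stage selection of step 502 (a downlink logical port first, then a physical port comprised in it) under the three preset strategies the text names, written here as an added example rather than code from the patent. The per-port byte counter used as "current load" is an assumption, since the patent does not say how load is measured, and the port names are constructed.

```python
# Added example (not the patent's code): two-stage downlink port selection of
# step 502 with the random, round-robin and load-balancing preset strategies.
# "Current load" is modelled as a per-port byte counter (assumption).
import itertools
import random
from typing import Callable, Dict, List


class LogicalPort:
    """A downlink logical port: an aggregation of several downlink physical ports."""

    def __init__(self, name: str, physical_ports: List[str]):
        self.name = name
        self.physical_ports = list(physical_ports)
        self.load: Dict[str, int] = {p: 0 for p in physical_ports}  # bytes in flight
        self.rr = itertools.cycle(self.physical_ports)           # round-robin cursor

    def total_load(self) -> int:
        return sum(self.load.values())


class PortSelector:
    """Selects (logical port, physical port) with one of the preset strategies:
    'random', 'round_robin' or 'load_balancing'."""

    STRATEGIES = ("random", "round_robin", "load_balancing")

    def __init__(self, logical_ports: List[LogicalPort], strategy: str, seed: int = 0):
        if strategy not in self.STRATEGIES:
            raise ValueError(f"unknown preset strategy: {strategy}")
        self.logical_ports = logical_ports
        self.strategy = strategy
        self.rng = random.Random(seed)            # seeded so runs are reproducible
        self.rr = itertools.cycle(self.logical_ports)

    def _pick(self, candidates, load_of: Callable, rr):
        if self.strategy == "random":
            return self.rng.choice(candidates)
        if self.strategy == "round_robin":
            return next(rr)
        # load balancing: candidate with the lowest current load; ties go to
        # the first candidate, so the choice is deterministic
        return min(candidates, key=load_of)

    def select(self, packet_size: int):
        """Step 502: logical port first, then a physical port inside it."""
        lp = self._pick(self.logical_ports, LogicalPort.total_load, self.rr)
        pp = self._pick(lp.physical_ports, lambda p: lp.load[p], lp.rr)
        lp.load[pp] += packet_size                # account for the forwarded packet
        return lp.name, pp

    def release(self, logical_name: str, physical: str, packet_size: int):
        """Bookkeeping once the packet has left the port (constructed)."""
        lp = next(l for l in self.logical_ports if l.name == logical_name)
        lp.load[physical] -= packet_size


def fig5_core_router(strategy: str) -> PortSelector:
    """The core router of Fig. 5-a: 8 downlink logical ports x 8 physical ports."""
    groups = [LogicalPort(f"lp{g}", [f"lp{g}/pp{k}" for k in range(8)])
              for g in range(8)]
    return PortSelector(groups, strategy)


def distribute(selector: PortSelector, sizes: List[int]) -> Dict[str, int]:
    """Forward packets of the given sizes; return bytes sent per physical port."""
    sent: Dict[str, int] = {}
    for size in sizes:
        _, pp = selector.select(size)
        sent[pp] = sent.get(pp, 0) + size
    return sent


if __name__ == "__main__":
    # constructed burst: one large packet followed by small ones
    for strategy in PortSelector.STRATEGIES:
        sent = distribute(fig5_core_router(strategy), [1500] + [64] * 8)
        print(strategy, sorted(sent.items()))
```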
See Fig. 6. An embodiment of the present invention provides a layer-3 switching device 600, which may include a receiving unit 610, a determining unit 620 and a packet forwarding unit 630.
The receiving unit 610 is configured to receive a packet awaiting DDoS attack identification.
The determining unit 620 is configured to determine, based on a preset strategy, from the multiple downlink physical ports of the layer-3 switching device 600 the first downlink physical port through which the packet is forwarded.
The packet forwarding unit 630 is configured to: if the first downlink physical port is connected downstream to a second layer-3 switching device, forward the packet through the determined first downlink physical port to the second layer-3 switching device; and if the first downlink physical port is connected downstream to a DDoS attack protection device, forward the packet through the determined first downlink physical port to that DDoS attack protection device so that it performs DDoS attack identification on the packet.
Optionally, in some possible implementations of the present invention, the receiving unit 610 is specifically configured to receive the packet awaiting DDoS attack identification from a fourth layer-3 switching device, or from the external network, or from the destination host.
Optionally, in some possible implementations of the present invention, the determining unit 620 is specifically configured to determine, based on a preset strategy, from multiple downlink logical ports the first downlink logical port through which the packet is forwarded, and to determine, based on a preset strategy, from the multiple downlink physical ports comprised in the first downlink logical port the first downlink physical port through which the packet is forwarded.
Optionally, in some possible implementations of the present invention, when receiving the packet awaiting DDoS attack identification from the fourth layer-3 switching device, the receiving unit 610 may be specifically configured to receive that packet through a first uplink physical port.
The determining unit 620 is then specifically configured to determine, based on the mapping between the virtual layer-3 switching devices of the layer-3 switching device 600 and the uplink logical ports of the layer-3 switching device 600, the first virtual layer-3 switching device corresponding to the first uplink logical port to which the first uplink physical port belongs, and to select, based on a preset strategy, a first next-hop route entry from the multiple next-hop route entries corresponding to the first virtual layer-3 switching device; the first downlink physical port corresponding to the first next-hop route entry is the determined downlink physical port through which the packet is forwarded.
Optionally, in some possible implementations of the present invention, when the first downlink physical port is connected downstream to a DDoS attack protection device, the layer-3 switching device 600 may further include a session unit configured to establish a BGP session through each downlink physical port with the different DDoS attack protection device connected downstream of that port.
Optionally, in some possible implementations of the present invention, when the first downlink physical port is connected downstream to a second layer-3 switching device, the layer-3 switching device further includes a session unit configured to establish a BGP session through each downlink logical port with the layer-3 switching device connected downstream of that port.
It can be understood that the functions of the functional modules of the layer-3 switching device 600 of this embodiment may be implemented according to the methods in the method embodiments above; for the specific implementation process, refer to the related description of the method embodiments, which is not repeated here.
As can be seen, the layer-3 switching device 600 of this embodiment, after receiving a packet awaiting DDoS attack identification, determines, based on a preset strategy, from its multiple downlink physical ports the first downlink physical port through which the packet is forwarded; if the first downlink physical port is connected downstream to a second layer-3 switching device, the layer-3 switching device 600 forwards the packet through the determined first downlink physical port to the second layer-3 switching device. Because layer-3 switching devices are cascaded, packets awaiting DDoS attack identification can be distributed among the layer-3 switching devices; a cascade of at least two layers of layer-3 switching devices allows the DDoS protection network architecture to be expanded flexibly and thus allows a larger number of DDoS attack protection devices to be attached. Compared with the prior art, in which a single router distributes packets awaiting DDoS attack identification to the DDoS attack protection devices, the above scheme of the present invention increases the protection traffic capacity of the DDoS protection network architecture.
See Fig. 7, a schematic diagram of a layer-3 switching device 700 provided by an embodiment of the present invention. The layer-3 switching device 700 may include at least one bus 701, at least one processor 702 connected to the bus 701 and at least one memory 703 connected to the bus 701.
The processor 702 calls, via the bus 701, the code stored in the memory 703 in order to: receive a packet awaiting distributed denial of service attack identification; determine, based on a preset strategy, from the multiple downlink physical ports of the layer-3 switching device 700 the first downlink physical port through which the packet is forwarded; if the first downlink physical port is connected downstream to a second layer-3 switching device, forward the packet through the determined first downlink physical port to the second layer-3 switching device; and if the first downlink physical port is connected downstream to a distributed denial of service attack protection device, forward the packet through the determined first downlink physical port to that device so that it performs distributed denial of service attack identification on the packet.
Optionally, in some possible implementations of the present invention, the processor 702 may be configured to receive the packet awaiting DDoS attack identification from a fourth layer-3 switching device, or from the external network, or from the destination host or other equipment.
The destination host is the host corresponding to the destination address of the packet awaiting DDoS attack identification.
The fourth layer-3 switching device may be a core router or a switch.
The preset strategy may include a random selection strategy, a round-robin selection strategy, a load-balancing strategy, or the like.
For example, the processor 702 may be configured to randomly determine, based on the random selection strategy, from the multiple downlink physical ports the first downlink physical port for forwarding the packet.
As another example, the processor 702 may be configured to determine, based on the round-robin selection strategy, from the multiple downlink physical ports in turn the first downlink physical port for forwarding the packet.
As a further example, the processor 702 may be configured to determine, based on the load-balancing strategy, from the multiple downlink physical ports the port whose current load is the lowest (or lower) as the first downlink physical port for forwarding the packet.
Optionally, in some possible implementations of the present invention, the processor 702 may be configured to determine, based on a preset strategy, from the multiple downlink logical ports of the layer-3 switching device 700 the first downlink logical port through which the packet is forwarded, and to determine, based on a preset strategy, from the multiple downlink physical ports comprised in the first downlink logical port the first downlink physical port through which the packet is forwarded. The layer-3 switching device 700 groups its multiple downlink physical ports, and the multiple downlink physical ports of the same group are aggregated into one downlink logical port; managing downlink physical ports through downlink logical ports helps to reduce port management complexity.
Optionally, in some possible implementations of the present invention, the processor 702 may be configured to receive the packet awaiting DDoS attack identification from the fourth layer-3 switching device through a first uplink physical port.
The processor 702 may then be configured to determine, based on the mapping between the virtual layer-3 switching devices of the layer-3 switching device 700 and its uplink logical ports, the first virtual layer-3 switching device corresponding to the first uplink logical port to which the first uplink physical port belongs, and to select, based on a preset strategy, a first next-hop route entry from the multiple next-hop route entries corresponding to the first virtual layer-3 switching device; the first downlink physical port corresponding to the first next-hop route entry is the determined downlink physical port through which the packet is forwarded.
Optionally, in some possible implementations of the present invention, if the first downlink physical port is connected downstream to a DDoS attack protection device, the processor 702 may also be configured to establish a BGP session through each downlink physical port of the layer-3 switching device 700 with the different DDoS attack protection device connected downstream of that port. That is, each DDoS attack protection device corresponds to a different BGP session; for example, the processor 702 connects 100 DDoS attack protection devices downstream through 100 downlink physical ports of the layer-3 switching device 700, and establishes BGP sessions through the 100 downlink physical ports of the layer-3 switching device 700 with the 100 downstream DDoS attack protection devices, respectively. The 100 downstream DDoS attack protection devices, the 100 downlink physical ports and the 100 BGP sessions are in one-to-one correspondence.
Optionally, in some possible implementations of the present invention, if the first downlink physical port is connected downstream to a second layer-3 switching device, the processor 702 may also be configured to establish a BGP session through each downlink logical port with the layer-3 switching device connected downstream of that port. That is, each downlink logical port corresponds to a different BGP session; for example, the processor 702 establishes BGP sessions through 10 downlink logical ports of the layer-3 switching device 700 with the downstream layer-3 switching devices, respectively. The 10 downlink logical ports and the 10 BGP sessions are in one-to-one correspondence, or the 10 downlink logical ports, the 10 downstream layer-3 switching devices and the 10 BGP sessions are in one-to-one correspondence.
It can be understood that the functions of the functional modules of the layer-3 switching device 700 of this embodiment may be implemented according to the methods in the method embodiments above; for the specific implementation process, refer to the related description of the method embodiments, which is not repeated here.
As can be seen, the layer-3 switching device 700 of this embodiment, after receiving a packet awaiting DDoS attack identification, determines, based on a preset strategy, from its multiple downlink physical ports the first downlink physical port through which the packet is forwarded; if the first downlink physical port is connected downstream to a second layer-3 switching device, the layer-3 switching device 700 forwards the packet through the determined first downlink physical port to the second layer-3 switching device. Because layer-3 switching devices are cascaded, packets awaiting DDoS attack identification can be distributed among the layer-3 switching devices; a cascade of at least two layers of layer-3 switching devices allows the DDoS protection network architecture to be expanded flexibly and thus allows a larger number of DDoS attack protection devices to be attached. Compared with the prior art, in which a single router distributes packets awaiting DDoS attack identification to the DDoS attack protection devices, the above scheme of the present invention increases the protection traffic capacity of the DDoS protection network architecture.
See Fig. 8, a structural block diagram of a layer-3 switching device 800 provided by another embodiment of the present invention. The layer-3 switching device 800 may include at least one processor 801, at least one network interface 804 or other user interface 803, a memory 805 and at least one communication bus 802. The communication bus 802 implements the connection and communication among these components. The layer-3 switching device 800 may optionally include a user interface 803, for example a display (such as a touch-screen, LCD, CRT, holographic imaging display or projector), a pointing device (such as a mouse, trackball, touch-sensitive pad or touch-screen), a camera and/or a sound pickup device.
The memory 802 may include read-only memory and random access memory, and provides instructions and data to the processor 801. A part of the memory 802 may also include non-volatile random access memory (NVRAM).
In some implementations, the memory 805 stores the following elements, executable modules or data structures, or a subset or superset of them:
An operating system 8051, which includes various system programs for implementing various basic services and handling hardware-based tasks.
An application program module 8052, which includes various application programs for implementing various application services.
In an embodiment of the present invention, by calling the programs or instructions stored in the memory 808, the processor 801: receives a packet awaiting distributed denial of service attack identification; determines, based on a preset strategy, from the multiple downlink physical ports of the layer-3 switching device 800 the first downlink physical port through which the packet is forwarded; if the first downlink physical port is connected downstream to a second layer-3 switching device, forwards the packet through the determined first downlink physical port to the second layer-3 switching device; and if the first downlink physical port is connected downstream to a distributed denial of service attack protection device, forwards the packet through the determined first downlink physical port to that device so that it performs distributed denial of service attack identification on the packet.
Optionally, in possible execution modes more of the present invention, processor 801 can be used for receiving the message from the pending ddos attack identification of the 4th three-layer switching equipment; Or, receive the message of the pending ddos attack identification from outer net; Or, receive the message of the pending ddos attack identification from destination host or other equipment.
Wherein, the main frame of above-mentioned purpose main frame corresponding to the destination address of the message of above-mentioned pending ddos attack identification.
Wherein, above-mentioned 4th three-layer switching equipment may be core router or switching equipment machine.
Wherein, described preset strategy can comprise the preset strategy such as random selection strategy, poll selection strategy or load balancing.
Concrete example such as, processor 801 can be used for can determining based on random selection strategy the first second line of a couplet physical port forwarding above-mentioned message at random from multiple second line of a couplet physical port.
Concrete example such as, processor 801 can be used for determine based on poll selection strategy the first second line of a couplet physical port forwarding above-mentioned message from multiple second line of a couplet physical port again.
Concrete example such as, processor 801 can be used for from multiple second line of a couplet physical port, determining based on load balancing the first second line of a couplet physical port that forward above-mentioned message present load is minimum or less again.
Optionally, in some possible embodiments of the present invention, processor 801 may determine, based on a preset policy, a first downlink logical port for forwarding the message from the multiple downlink logical ports, and then determine, based on a preset policy, the first downlink physical port for forwarding the message from the multiple downlink physical ports that the first downlink logical port comprises. The multiple downlink logical ports are obtained by Layer 3 switching device 800 grouping its downlink physical ports: the downlink physical ports of one group are aggregated into one downlink logical port. Managing downlink physical ports through downlink logical ports helps reduce the complexity of port management.
Optionally, in some possible embodiments of the present invention, processor 801 may receive the message pending DDoS attack identification from the fourth Layer 3 switching device through a first uplink physical port.
Processor 801 may then, based on the mapping between the virtual Layer 3 switching devices of Layer 3 switching device 800 and its uplink logical ports, determine the first virtual Layer 3 switching device corresponding to the first uplink logical port to which the first uplink physical port belongs; and select, based on a preset policy, a first next-hop route entry from the multiple next-hop route entries corresponding to the first virtual Layer 3 switching device, where the first downlink physical port corresponding to the first next-hop route entry is the downlink physical port determined for forwarding the message.
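The port-selection logic just described, written out as an added example (it is not code from the patent or from the applicant): the three preset policies, the two-stage selection of a downlink logical port and then one of its member physical ports, and the constraint that a message arriving on a given uplink physical port may only be forwarded over the next-hop entries of the virtual Layer 3 device mapped to that port's uplink logical port. All class, port and peer names are hypothetical and the topology is constructed for the demonstration.

```python
"""Added example, not code from the patent: a model of downlink port selection
on one Layer 3 switching device (random / round-robin / load-balancing policy,
logical-then-physical port selection, uplink port -> virtual device -> next hop).
Class, port and peer names are hypothetical; the sample topology is constructed.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass
class PhysicalPort:
    name: str
    peer: str        # what hangs off this downlink port: "l3:..." or "ddos:..."
    load: int = 0    # current load, consulted by the load-balancing policy


@dataclass
class LogicalPort:
    """Several downlink physical ports aggregated into one downlink logical port."""
    name: str
    members: List[PhysicalPort]

    @property
    def load(self) -> int:
        return sum(m.load for m in self.members)


@dataclass
class VirtualDevice:
    """A virtual Layer 3 switching device: the next-hop route entries available to
    traffic that entered through the uplink logical port mapped to it. Each
    next-hop entry is represented directly by its downlink physical port."""
    name: str
    next_hops: List[PhysicalPort]


class Selector:
    """The three preset policies named in the text."""
    POLICIES = ("random", "round_robin", "load_balance")

    def __init__(self, policy: str, seed: int = 0):
        if policy not in self.POLICIES:
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy
        self.rng = random.Random(seed)       # seeded so the example is deterministic
        self.cursors: Dict[tuple, int] = {}  # round-robin position per candidate set

    def choose(self, candidates: Sequence):
        if not candidates:
            raise ValueError("no candidate ports")
        if self.policy == "random":
            return self.rng.choice(candidates)
        if self.policy == "round_robin":
            key = tuple(c.name for c in candidates)
            i = self.cursors.get(key, 0)
            self.cursors[key] = i + 1
            return candidates[i % len(candidates)]
        # load_balance: the candidate with the smallest current load (first wins ties)
        return min(candidates, key=lambda c: c.load)


class L3Switch:
    def __init__(self, name: str, downlink_logical: List[LogicalPort], policy: str):
        self.name = name
        self.downlink_logical = downlink_logical
        self.selector = Selector(policy)
        self.uplink_phys_to_logical: Dict[str, str] = {}
        self.uplink_logical_to_vdev: Dict[str, VirtualDevice] = {}

    def select_downlink(self) -> PhysicalPort:
        """Two-stage selection: a downlink logical port first, then one of its members."""
        logical = self.selector.choose(self.downlink_logical)
        return self.selector.choose(logical.members)

    def select_downlink_for_uplink(self, uplink_phys: str) -> PhysicalPort:
        """Selection restricted to the next hops of the virtual device that the
        ingress uplink port's logical port is mapped to."""
        vdev = self.uplink_logical_to_vdev[self.uplink_phys_to_logical[uplink_phys]]
        return self.selector.choose(vdev.next_hops)

    def forward(self, msg: str, uplink_phys: Optional[str] = None):
        port = (self.select_downlink_for_uplink(uplink_phys) if uplink_phys
                else self.select_downlink())
        port.load += 1
        action = "to_ddos_device" if port.peer.startswith("ddos:") else "to_l3_switch"
        return action, port.name, port.peer


def build_demo_switch(policy: str = "round_robin") -> L3Switch:
    # Constructed topology: lag1 aggregates two ports to two DDoS protection
    # devices, lag2 aggregates two ports to a cascaded downstream L3 switch.
    lag1 = LogicalPort("lag1", [PhysicalPort("eth1/1", "ddos:dev-1"),
                                PhysicalPort("eth1/2", "ddos:dev-2")])
    lag2 = LogicalPort("lag2", [PhysicalPort("eth2/1", "l3:switch-B"),
                                PhysicalPort("eth2/2", "l3:switch-B")])
    sw = L3Switch("switch-A", [lag1, lag2], policy)
    sw.uplink_phys_to_logical = {"eth0/1": "uplag0", "eth0/2": "uplag1"}
    sw.uplink_logical_to_vdev = {
        "uplag0": VirtualDevice("vdev0", lag1.members),  # only DDoS devices reachable
        "uplag1": VirtualDevice("vdev1", lag2.members),  # only the cascaded switch
    }
    return sw


def distribute(n: int, policy: str = "round_robin",
               uplink: Optional[str] = None) -> Dict[str, int]:
    """Forward n constructed messages and count how many each downlink port carried."""
    sw = build_demo_switch(policy)
    counts: Dict[str, int] = {}
    for i in range(n):
        _, port, _ = sw.forward(f"msg-{i}", uplink)
        counts[port] = counts.get(port, 0) + 1
    return counts


if __name__ == "__main__":
    for pol in Selector.POLICIES:
        print(pol, distribute(8, pol))
    print("via eth0/1", distribute(4, uplink="eth0/1"))
```

With round-robin or load balancing, eight messages end up two per physical port; with the uplink constraint, messages that entered on `eth0/1` only ever leave towards the DDoS devices behind `lag1`, which is the isolation the virtual-device mapping provides.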
Optionally, in some possible embodiments of the present invention, if the first downlink physical port is connected downstream to a DDoS protection device, processor 801 may also establish Border Gateway Protocol (BGP) sessions, through each downlink physical port of Layer 3 switching device 800, with the respective different DDoS protection devices connected downstream. That is, each DDoS protection device corresponds to a different BGP session. For example, if 100 downlink physical ports of Layer 3 switching device 800 connect downstream to 100 DDoS protection devices, processor 801 establishes BGP sessions through those 100 downlink physical ports with the 100 downstream DDoS protection devices respectively, so that the 100 downstream DDoS protection devices, the 100 downlink physical ports and the 100 BGP sessions are in one-to-one correspondence.
Optionally, in some possible embodiments of the present invention, if the first downlink physical port is connected downstream to the second Layer 3 switching device, processor 801 may also establish BGP sessions, through each downlink logical port, with the respective Layer 3 switching devices connected downstream. That is, each downlink logical port corresponds to a different BGP session. For example, processor 801 establishes BGP sessions through 10 downlink logical ports of Layer 3 switching device 800 with the downstream Layer 3 switching devices respectively, so that the 10 downlink logical ports and the 10 BGP sessions are in one-to-one correspondence, or the 10 downlink logical ports, the 10 downstream Layer 3 switching devices and the 10 BGP sessions are in one-to-one correspondence.
It can be understood that the functions of the functional modules of Layer 3 switching device 800 in this embodiment may be implemented according to the methods in the foregoing method embodiments; for the implementation process, refer to the related description of those embodiments, which is not repeated here.
It can be seen that, in this embodiment, after receiving a message pending DDoS attack identification, Layer 3 switching device 800 determines, based on a preset policy, a first downlink physical port for forwarding the message from its multiple downlink physical ports; if the first downlink physical port is connected downstream to a second Layer 3 switching device, Layer 3 switching device 800 forwards the message to the second Layer 3 switching device through the determined first downlink physical port. Because cascading of Layer 3 switching devices is introduced, messages pending DDoS attack identification can be distributed among Layer 3 switching devices; cascading at least two tiers of Layer 3 switching devices allows the DDoS protection network architecture to be expanded flexibly, which in turn allows a larger number of DDoS protection devices to be connected. Compared with the prior art, in which a single router distributes messages pending DDoS attack identification to the DDoS protection devices, the above scheme helps increase the protection traffic volume of the DDoS protection network architecture.
Referring to Fig. 9, an embodiment of the present invention provides a communication system, which may comprise:
a core router 910, at least one Layer 3 switching device 920 connected downstream of core router 910, and at least one DDoS protection device 930 connected downstream of Layer 3 switching device 920.
Core router 910 is configured to receive a message pending DDoS attack identification; determine, based on a preset policy, a first downlink physical port for forwarding the message from among the multiple downlink physical ports of core router 910; and forward the message through the determined first downlink physical port to a second Layer 3 switching device among the at least one Layer 3 switching device 920.
The second Layer 3 switching device 920 is configured to receive the message; determine, based on a preset policy, a second downlink physical port for forwarding the message from among its multiple downlink physical ports; and forward the message through the determined second downlink physical port to a DDoS protection device.
DDoS protection device 930 is configured to perform DDoS attack identification on the message.
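The Fig. 9 system as a whole, together with the one-to-one BGP session arrangement described a few paragraphs earlier (one session per downlink physical port facing a DDoS protection device, one per downlink logical port facing a cascaded switch), as an added simulation that is not code from the patent or from the applicant. The tier of Layer 3 switches multiplies the number of protection devices the core router can reach: with `num_switches` switches of `ports_per_switch` downlink ports each, `num_switches * ports_per_switch` devices share the traffic, where a single router could only address `ports_per_switch`. Class and port names are hypothetical, both tiers use the round-robin preset policy, each core downlink port is treated as its own downlink logical port, and the identification step on device 930 is only counted because the page does not describe it.

```python
"""Added example, not code from the patent: a simulation of the Fig. 9 system,
core router 910 -> Layer 3 switches 920 -> DDoS protection devices 930, plus the
BGP session bookkeeping described in the text. Names are hypothetical and the
topology sizes are constructed."""
from itertools import cycle
from typing import Dict, List, Tuple


class DDoSDevice:
    """Node 930. The identification itself is not described on the page, so the
    device only records how many messages reached it."""
    def __init__(self, name: str):
        self.name = name
        self.received = 0

    def identify(self, msg: str) -> str:
        self.received += 1
        return self.name


class L3Switch:
    """Node 920: several downlink physical ports, one DDoS device behind each."""
    def __init__(self, name: str, devices: List[DDoSDevice]):
        self.name = name
        self.downlink: List[Tuple[str, DDoSDevice]] = [
            (f"{name}:dn{i}", dev) for i, dev in enumerate(devices)]
        self._rr = cycle(self.downlink)   # round-robin preset policy

    def forward(self, msg: str) -> str:
        _port, dev = next(self._rr)       # determine the second downlink physical port
        return dev.identify(msg)


class CoreRouter:
    """Node 910: each downlink physical port faces one Layer 3 switch."""
    def __init__(self, switches: List[L3Switch]):
        self.downlink: List[Tuple[str, L3Switch]] = [
            (f"core:dn{i}", sw) for i, sw in enumerate(switches)]
        self._rr = cycle(self.downlink)

    def forward(self, msg: str) -> str:
        _port, sw = next(self._rr)        # determine the first downlink physical port
        return sw.forward(msg)


def build_system(num_switches: int, ports_per_switch: int):
    """Constructed topology: num_switches cascaded switches, each with
    ports_per_switch downlink ports to distinct DDoS protection devices."""
    switches, devices = [], []
    for s in range(num_switches):
        devs = [DDoSDevice(f"ddos-{s}-{p}") for p in range(ports_per_switch)]
        devices.extend(devs)
        switches.append(L3Switch(f"sw{s}", devs))
    return CoreRouter(switches), switches, devices


def bgp_sessions(core: CoreRouter, switches: List[L3Switch]) -> List[Tuple[str, str]]:
    """One BGP session per core downlink (logical) port facing a switch, and one
    per switch downlink physical port facing a DDoS device: (local port, peer)."""
    sessions = [(port, sw.name) for port, sw in core.downlink]
    for sw in switches:
        sessions.extend((port, dev.name) for port, dev in sw.downlink)
    return sessions


def simulate(num_switches: int, ports_per_switch: int, n_messages: int) -> Dict[str, int]:
    """Push n constructed messages through the system; return per-device counts."""
    core, _switches, devices = build_system(num_switches, ports_per_switch)
    for i in range(n_messages):
        core.forward(f"msg-{i}")
    return {d.name: d.received for d in devices}


if __name__ == "__main__":
    core, switches, devices = build_system(3, 4)
    print(len(devices), "devices reachable;", len(bgp_sessions(core, switches)), "BGP sessions")
    print(simulate(3, 4, 120))
```

Running the block with three switches of four ports each shows 12 reachable devices, 15 BGP sessions with no two sharing a local port, and 120 messages landing 10 per device.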
An embodiment of the present invention also provides a computer storage medium that may store a program which, when executed, performs some or all of the steps of the message forwarding method recorded in the foregoing method embodiments.
It should be noted that, for brevity, each of the foregoing method embodiments is described as a series of action combinations; however, those skilled in the art should know that the present invention is not limited by the described sequence of actions, because according to the present invention some steps may be performed in another order or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
In the above embodiments, the description of each embodiment has its own emphasis; for a part not described in detail in one embodiment, refer to the related description of the other embodiments.
In the several embodiments provided by this application, it should be understood that the disclosed apparatus may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection between apparatuses or units may be electrical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the objective of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on such an understanding, the technical solution of the present invention, in essence or the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, which comprises a number of instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention. The foregoing storage medium includes: a USB flash disk, a read-only memory (ROM), a random access memory (RAM), a portable hard drive, a magnetic disk, an optical disc, or any other medium capable of storing program code.
The above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments, or replace some of the technical features with equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (13)

1. A message forwarding method, characterized in that it comprises:
a first Layer 3 switching device receiving a message pending distributed denial of service attack identification;
the first Layer 3 switching device determining, based on a preset policy, a first downlink physical port for forwarding the message from the multiple downlink physical ports of the first Layer 3 switching device;
if the first downlink physical port is connected downstream to a second Layer 3 switching device, the first Layer 3 switching device forwarding the message to the second Layer 3 switching device through the determined first downlink physical port; and
if the first downlink physical port is connected downstream to a distributed denial of service attack protection device, the first Layer 3 switching device forwarding the message to the distributed denial of service attack protection device through the determined first downlink physical port, so that the distributed denial of service attack protection device performs distributed denial of service attack identification on the message.
2. The method according to claim 1, characterized in that the first Layer 3 switching device receiving a message pending distributed denial of service attack identification comprises:
the first Layer 3 switching device receiving the message pending distributed denial of service attack identification from a fourth Layer 3 switching device; or the first Layer 3 switching device receiving the message pending distributed denial of service attack identification from an external network; or the first Layer 3 switching device receiving the message pending distributed denial of service attack identification from a destination host.
3. The method according to claim 1 or 2, characterized in that
the first Layer 3 switching device determining, based on a preset policy, a first downlink physical port for forwarding the message from the multiple downlink physical ports of the first Layer 3 switching device comprises:
the first Layer 3 switching device determining, based on a preset policy, a first downlink logical port for forwarding the message from the multiple downlink logical ports of the first Layer 3 switching device, and determining, based on a preset policy, the first downlink physical port for forwarding the message from the multiple downlink physical ports comprised in the first downlink logical port.
4. The method according to claim 2, characterized in that the first Layer 3 switching device receiving the message pending distributed denial of service attack identification from the fourth Layer 3 switching device comprises: the first Layer 3 switching device receiving the message pending distributed denial of service attack identification from the fourth Layer 3 switching device through a first uplink physical port;
wherein the first Layer 3 switching device determining, based on a preset policy, a first downlink physical port for forwarding the message from the multiple downlink physical ports of the first Layer 3 switching device comprises:
determining, based on the mapping between the virtual Layer 3 switching devices of the first Layer 3 switching device and the uplink logical ports of the first Layer 3 switching device, a first virtual Layer 3 switching device corresponding to the first uplink logical port to which the first uplink physical port belongs; and selecting, based on a preset policy, a first next-hop route entry from the multiple next-hop route entries corresponding to the first virtual Layer 3 switching device, wherein the first downlink physical port corresponding to the first next-hop route entry is the downlink physical port determined for forwarding the message.
5. The method according to any one of claims 1 to 4, characterized in that,
if the first downlink physical port is connected downstream to a distributed denial of service attack protection device,
the method further comprises: the first Layer 3 switching device establishing, through each downlink physical port of the first Layer 3 switching device, a Border Gateway Protocol session with the respective different distributed denial of service attack protection device connected downstream.
6. The method according to any one of claims 1 to 4, characterized in that, if the first downlink physical port is connected downstream to a second Layer 3 switching device, the method further comprises: the first Layer 3 switching device establishing, through each downlink logical port of the first Layer 3 switching device, a Border Gateway Protocol session with the respective Layer 3 switching device connected downstream.
7. A Layer 3 switching device, characterized in that it comprises:
a receiving unit, configured to receive a message pending distributed denial of service attack identification;
a determining unit, configured to determine, based on a preset policy, a first downlink physical port for forwarding the message from the multiple downlink physical ports of the Layer 3 switching device; and
a message forwarding unit, configured to: if the first downlink physical port is connected downstream to a second Layer 3 switching device, forward the message to the second Layer 3 switching device through the determined first downlink physical port; and if the first downlink physical port is connected downstream to a distributed denial of service attack protection device, forward the message to the distributed denial of service attack protection device through the determined first downlink physical port, so that the distributed denial of service attack protection device performs distributed denial of service attack identification on the message.
8. The Layer 3 switching device according to claim 7, characterized in that
the receiving unit is specifically configured to receive the message pending distributed denial of service attack identification from a fourth Layer 3 switching device; or receive the message pending distributed denial of service attack identification from an external network; or receive the message pending distributed denial of service attack identification from a destination host.
9. The Layer 3 switching device according to claim 7 or 8, characterized in that
the determining unit is specifically configured to determine, based on a preset policy, a first downlink logical port for forwarding the message from the multiple downlink logical ports of the Layer 3 switching device, and to determine, based on a preset policy, the first downlink physical port for forwarding the message from the multiple downlink physical ports comprised in the first downlink logical port.
10. The Layer 3 switching device according to claim 8, characterized in that, in receiving the message pending distributed denial of service attack identification from the fourth Layer 3 switching device, the receiving unit is specifically configured to receive the message pending distributed denial of service attack identification from the fourth Layer 3 switching device through a first uplink physical port;
wherein the determining unit is specifically configured to determine, based on the mapping between the virtual Layer 3 switching devices of the Layer 3 switching device and the uplink logical ports of the Layer 3 switching device, a first virtual Layer 3 switching device corresponding to the first uplink logical port to which the first uplink physical port belongs; and to select, based on a preset policy, a first next-hop route entry from the multiple next-hop route entries corresponding to the first virtual Layer 3 switching device, wherein the first downlink physical port corresponding to the first next-hop route entry is the downlink physical port determined for forwarding the message.
11. The Layer 3 switching device according to any one of claims 7 to 10, characterized in that the first downlink physical port is connected downstream to a distributed denial of service attack protection device, and the Layer 3 switching device further comprises: a session unit, configured to establish, through each downlink physical port of the Layer 3 switching device, a Border Gateway Protocol session with the respective different distributed denial of service attack protection device connected downstream.
12. The Layer 3 switching device according to any one of claims 7 to 10, characterized in that the first downlink physical port is connected downstream to a second Layer 3 switching device, and the Layer 3 switching device further comprises: a session unit, configured to establish, through each downlink logical port of the Layer 3 switching device, a Border Gateway Protocol session with the respective Layer 3 switching device connected downstream.
13. A communication system, characterized in that it comprises: a core router, at least one Layer 3 switching device connected downstream of the core router, and at least one distributed denial of service attack protection device connected downstream of the Layer 3 switching device;
the core router being configured to receive a message pending distributed denial of service attack identification; determine, based on a preset policy, a first downlink physical port for forwarding the message from among the multiple downlink physical ports of the core router; and forward the message through the determined first downlink physical port to a second Layer 3 switching device among the at least one Layer 3 switching device;
the second Layer 3 switching device being configured to receive the message; determine, based on a preset policy, a second downlink physical port for forwarding the message from among the multiple downlink physical ports of the second Layer 3 switching device; and forward the message through the determined second downlink physical port to the distributed denial of service attack protection device; and
the distributed denial of service attack protection device being configured to perform distributed denial of service attack identification on the message.
CN201410265789.3A 2014-06-13 2014-06-13 Message forwarding method and relevant apparatus and communication system Active CN105227480B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410265789.3A CN105227480B (en) 2014-06-13 2014-06-13 Message forwarding method and relevant apparatus and communication system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410265789.3A CN105227480B (en) 2014-06-13 2014-06-13 Message forwarding method and relevant apparatus and communication system

Publications (2)

Publication Number Publication Date
CN105227480A true CN105227480A (en) 2016-01-06
CN105227480B CN105227480B (en) 2018-10-19

Family

ID=54996177

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410265789.3A Active CN105227480B (en) 2014-06-13 2014-06-13 Message forwarding method and relevant apparatus and communication system

Country Status (1)

Country Link
CN (1) CN105227480B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109922090A (en) * 2019-04-29 2019-06-21 杭州迪普科技股份有限公司 Flow forwarding method, device, electronic equipment and machine readable storage medium
CN110197065A (en) * 2018-10-08 2019-09-03 腾讯科技(深圳)有限公司 Business data processing method, group of switches and business data processing system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101106528A (en) * 2007-07-31 2008-01-16 杭州华三通信技术有限公司 Packet forward system and method based on secure device and its secure device
CN101340293A (en) * 2008-08-12 2009-01-07 杭州华三通信技术有限公司 Packet safety detection method and device
CN102333080A (en) * 2011-08-02 2012-01-25 杭州迪普科技有限公司 Method and device for preventing message from attacking
CN103248521A (en) * 2013-04-28 2013-08-14 华为技术有限公司 Business strategy rule configuring method and device, as well as communication system

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110197065A (en) * 2018-10-08 2019-09-03 腾讯科技(深圳)有限公司 Business data processing method, group of switches and business data processing system
CN110197065B (en) * 2018-10-08 2022-12-13 腾讯科技(深圳)有限公司 Service data processing method, switch set and service data processing system
CN109922090A (en) * 2019-04-29 2019-06-21 杭州迪普科技股份有限公司 Flow forwarding method, device, electronic equipment and machine readable storage medium

Also Published As

Publication number Publication date
CN105227480B (en) 2018-10-19

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20190731

Address after: Shenzhen Futian District City, Guangdong province 518044 Zhenxing Road, SEG Science Park 2 East Room 403

Co-patentee after: Tencent cloud computing (Beijing) limited liability company

Patentee after: Tencent Technology (Shenzhen) Co., Ltd.

Address before: Shenzhen Futian District City, Guangdong province 518000 Zhenxing Road, SEG Science Park 2 East Room 403

Patentee before: Tencent Technology (Shenzhen) Co., Ltd.