CN106254252B - Flow spec route issuing method and device - Google Patents

Flow spec route issuing method and device

Info

Publication number
CN106254252B
Authority
CN
China
Prior art keywords
address
network device
flow spec
route
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610807846.5A
Other languages
Chinese (zh)
Other versions
CN106254252A (en)
Inventor
余清炎
刘永奎
代瑞强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Technologies Co Ltd
Original Assignee
New H3C Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by New H3C Technologies Co Ltd
Priority to CN201610807846.5A
Publication of CN106254252A
Application granted
Publication of CN106254252B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/02 Topology update or discovery
    • H04L45/14 Routing performance; Theoretical aspects
    • H04L45/74 Address processing for routing
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Abstract

The invention provides a Flow spec route issuing method and device. The method comprises the following steps: obtaining a Flow spec route; if the Flow spec route contains a source IP address, judging whether the neighbor network device that advertised the route to that source IP address is a network device in the operator network; and if so, refusing to issue (install) the Flow spec route to the forwarding chip. With this scheme, the number of Flow spec routes installed on the forwarding chip is reduced, Flow spec table resources are saved, CPU scheduling work is reduced, and system performance is improved.

Description

Flow spec route issuing method and device
Technical Field
The invention relates to the technical field of communication, in particular to a method and a device for issuing a Flow spec route.
Background
A Distributed Denial of Service (DDoS) attack combines many computers into one attack platform, organized in a client/server fashion, and uses that platform to launch a denial-of-service attack against one or more targets, multiplying the attack's power many times over.
Fig. 1 is a networking diagram for defending against DDoS attacks. Assume that host 2 sends a packet to host 1; the packet is received by the user-side device connected to host 1. If the packet is identified as an attack packet, a Flow spec (flow specification) route describing the packet is generated.
The user-side device sends the Flow spec route to network device 1, which installs it on its forwarding chip, so that when the forwarding chip next receives a packet matching the Flow spec route it identifies the packet as an attack packet and discards it. Network device 1 further advertises the Flow spec route to network device 2 and network device 3. On receiving the Flow spec route, network device 2 and network device 3 each install it on their own forwarding chip, so that their forwarding chips likewise identify packets matching the route as attack packets and discard them.
As DDoS attacks grow in scale, the number of Flow spec routes generated grows with them, so that a large number of Flow spec routes must be installed on and later removed from the forwarding chip of every network device, consuming a large amount of resources.
Disclosure of Invention
The invention provides a Flow spec route issuing method, applied to a network device in an operator network, comprising the following steps:
acquiring a Flow spec route for filtering attack packets;
if the Flow spec route contains a source IP address, judging whether the neighbor network device that advertised the route to that source IP address is a network device in the operator network;
and if so, refusing to issue (install) the Flow spec route to the forwarding chip of the network device.
The invention also provides a Flow spec route issuing device, applied to a network device in an operator network, comprising:
an obtaining module, configured to obtain a Flow spec route for filtering attack packets;
a judging module, configured to judge, when the Flow spec route contains a source IP address, whether the neighbor network device that advertised the route to that source IP address is a network device in the operator network;
and a processing module, configured to refuse to issue the Flow spec route to the forwarding chip of the network device when the judgment result is yes.
With this scheme, after the network device obtains a Flow spec route it does not issue the route to the forwarding chip unconditionally. The route is issued to the forwarding chip only when the neighbor network device that advertised the route to the source IP address is not a network device in the operator network; when that neighbor is a network device in the operator network, the route is not issued. The number of Flow spec routes installed on the forwarding chip is therefore reduced and Flow spec table resources are saved. Because the network device issues fewer Flow spec routes to the forwarding chip, the scheduling work of the Central Processing Unit (CPU) is also reduced and system performance is improved.
Drawings
To illustrate the embodiments of the present invention or the prior art more clearly, the drawings used in their description are briefly introduced below. It is evident that these drawings show only some embodiments of the present invention; those skilled in the art can derive other drawings from them.
Fig. 1 is a networking diagram for defending against DDoS attacks;
Fig. 2 is a flowchart of a Flow spec route issuing method according to an embodiment of the present invention;
Fig. 3 is a flowchart of a Flow spec route issuing method according to another embodiment of the present invention;
Fig. 4 is a hardware block diagram of a network device in one embodiment of the invention;
Fig. 5 is a structure diagram of a Flow spec route issuing device according to an embodiment of the present invention.
Detailed Description
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the invention. As used in this specification and the appended claims, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, this information should not be limited by these terms, which serve only to distinguish one type of information from another. For example, first information may also be called second information and, similarly, second information may be called first information, without departing from the scope of the present invention. Depending on the context, the word "if" as used herein may be read as "at", "when" or "in response to determining".
Referring to fig. 2, a flowchart of the Flow spec route issuing method provided in an embodiment of the present invention, the method may be applied to a network device in an operator network and comprises the following steps:
Step 201: a Flow spec route for filtering attack packets is obtained.
In one example, the Flow spec route (the flow route) may carry characteristics of the packets to be filtered, such as five-tuple information and control fields, and is used to filter the packets matching the route. The five-tuple may include a source IP address, a source port, a destination IP address, a destination port and a protocol type; the control fields may include packet length, TCP (Transmission Control Protocol) flag bits, a fragment identifier, QoS (Quality of Service) information and the like.
In one example, BGP (Border Gateway Protocol) neighbors may be established between the network devices in the operator network, and BGP messages carrying Flow spec routes may be exchanged between them (Flow spec routes are carried in BGP as the Flow Specification address family defined in RFC 5575). The Flow spec route may then be obtained as follows, without limitation: after a BGP message is received, the Flow spec route is parsed out of the BGP message, and the BGP message is forwarded on to the device's BGP neighbors. BGP is a dynamic routing protocol that may be used between different ASs (Autonomous Systems) or within one AS. As the standard inter-domain routing protocol of the Internet, it is widely used by ISPs (Internet Service Providers).
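As an added illustration, not code from the patent, here is a decoder for a Flow spec route as BGP carries it on the wire (RFC 5575 encoding: a length prefix followed by typed components; prefix components for types 1 and 2, numeric-operator components for protocol, ports, ICMP fields, packet length and DSCP, and bitmask-operator components for TCP flags and fragment). The two sample NLRIs at the bottom are constructed by hand: one carries the source prefix 2.2.2.2/32 and one carries no source prefix at all, which is exactly the distinction the method turns on when it asks whether the Flow spec route "contains a source IP address".

```python
"""Decoder for BGP Flow Specification NLRI (RFC 5575 wire format).

Added example, not the patent's code; the sample NLRIs at the bottom are
constructed by hand for illustration.
"""
import ipaddress

# Component types from RFC 5575 section 4, grouped by their encoding.
PREFIX_TYPES = {1: "dst_prefix", 2: "src_prefix"}
NUMERIC_TYPES = {3: "ip_proto", 4: "port", 5: "dst_port", 6: "src_port",
                 7: "icmp_type", 8: "icmp_code", 10: "packet_length", 11: "dscp"}
BITMASK_TYPES = {9: "tcp_flags", 12: "fragment"}

# Low bits of the operator byte: numeric operators compare, bitmask operators mask.
NUMERIC_FLAGS = {0x04: "lt", 0x02: "gt", 0x01: "eq"}
BITMASK_FLAGS = {0x02: "not", 0x01: "match"}


def _nlri_length(buf, pos):
    """NLRI length is one byte if < 240, else two bytes with 0xF in the top nibble."""
    first = buf[pos]
    if first < 0xF0:
        return first, pos + 1
    return ((first & 0x0F) << 8) | buf[pos + 1], pos + 2


def _prefix(buf, pos):
    """<prefix length in bits><the minimum number of bytes holding those bits>."""
    plen = buf[pos]
    nbytes = (plen + 7) // 8
    if plen > 32 or pos + 1 + nbytes > len(buf):
        raise ValueError("malformed prefix component")
    raw = buf[pos + 1:pos + 1 + nbytes].ljust(4, b"\x00")   # pad to a full IPv4 address
    return ipaddress.IPv4Network((raw, plen), strict=False), pos + 1 + nbytes


def _operator_list(buf, pos, flags):
    """Parse {operator byte, value} pairs until the end-of-list bit (0x80) is set.

    Bit 0x40 is AND-with-previous; bits 0x30 give the value length as 1 << n;
    `flags` names the low bits (lt/gt/eq for numeric, not/match for bitmask).
    """
    ops = []
    while True:
        if pos >= len(buf):
            raise ValueError("truncated operator list")
        op = buf[pos]
        vlen = 1 << ((op >> 4) & 0x03)
        if pos + 1 + vlen > len(buf):
            raise ValueError("truncated operator value")
        value = int.from_bytes(buf[pos + 1:pos + 1 + vlen], "big")
        item = {"and": bool(op & 0x40), "value": value}
        item.update({name: bool(op & bit) for bit, name in flags.items()})
        ops.append(item)
        pos += 1 + vlen
        if op & 0x80:
            return ops, pos


def decode_flowspec_nlri(nlri):
    """Decode one Flow spec NLRI into a dict keyed by component name.

    Components must appear in strictly increasing type order (RFC 5575 4.1);
    an unknown type is rejected because its length cannot be known.
    """
    buf = bytes(nlri)
    if not buf:
        raise ValueError("empty NLRI")
    length, pos = _nlri_length(buf, 0)
    end = pos + length
    if end > len(buf):
        raise ValueError("NLRI length exceeds buffer")
    route, last_type = {}, 0
    while pos < end:
        ctype = buf[pos]
        pos += 1
        if ctype <= last_type:
            raise ValueError("components out of order or repeated")
        last_type = ctype
        if ctype in PREFIX_TYPES:
            route[PREFIX_TYPES[ctype]], pos = _prefix(buf, pos)
        elif ctype in NUMERIC_TYPES:
            route[NUMERIC_TYPES[ctype]], pos = _operator_list(buf, pos, NUMERIC_FLAGS)
        elif ctype in BITMASK_TYPES:
            route[BITMASK_TYPES[ctype]], pos = _operator_list(buf, pos, BITMASK_FLAGS)
        else:
            raise ValueError(f"unknown Flow spec component type {ctype}")
    if pos != end:
        raise ValueError("component overran the NLRI length")
    return route


def has_source_ip(route):
    """The question the method asks first: does the route carry a source prefix?"""
    return "src_prefix" in route


# Constructed sample: dst 1.1.1.1/32, src 2.2.2.2/32, proto == 6 (TCP), dst port == 80
SAMPLE_WITH_SOURCE = bytes.fromhex("12" "012001010101" "022002020202" "038106" "058150")
# Constructed sample: dst 1.1.1.1/32, TCP flags match SYN (0x02); no source prefix
SAMPLE_WITHOUT_SOURCE = bytes.fromhex("09" "012001010101" "098102")

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_SOURCE, SAMPLE_WITHOUT_SOURCE):
        route = decode_flowspec_nlri(sample)
        print(has_source_ip(route), route)
```

The decoder refuses NLRIs whose components are out of order, repeated or truncated rather than guessing, because a forwarding-chip filter derived from a misparsed route would either drop the wrong traffic or let the attack through.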
Step 202: if the Flow spec route contains a source IP address, determine whether the neighbor network device that advertised the route to that source IP address is a network device in the operator network.
If yes, step 203 is performed; if not, step 204 is performed.
For step 202, in one example, determining whether the neighbor network device that advertised the route to the source IP address is a network device in the operator network may proceed as follows, without limitation: look up the routing entry matching the source IP address in the local routing table, take the neighbor address from that entry, and query a pre-configured address table with the neighbor address. The address table records the IP addresses of all network devices in the operator network. If the neighbor address is in the address table, the neighbor network device is a network device in the operator network; otherwise it is not.
For example, when the operator network comprises network device 1, network device 2 and network device 3, each of them is configured with an address table recording the IP addresses of network device 1, network device 2 and network device 3. After the neighbor address is obtained, the device checks whether it equals the IP address of network device 1, network device 2 or network device 3, and decides from the result whether the neighbor network device is a network device in the operator network.
Step 203: refuse to issue the Flow spec route to the forwarding chip of the network device.
Step 204: issue the Flow spec route to the forwarding chip of the network device, so that the forwarding chip filters packets with it, that is, the forwarding chip filters the packets matching the Flow spec route.
In one example, if the Flow spec route contains a source IP address but no routing entry in the local routing table matches it, the Flow spec route may be issued directly to the forwarding chip of the network device, so that the forwarding chip filters packets with it.
In one example, if the Flow spec route does not contain a source IP address, the Flow spec route may be issued directly to the forwarding chip of the network device, so that the forwarding chip filters packets with it.
With this scheme, after the network device obtains a Flow spec route it does not issue the route to the forwarding chip unconditionally. The route is issued to the forwarding chip only when the neighbor network device that advertised the route to the source IP address is not a network device in the operator network; when that neighbor is a network device in the operator network, the route is not issued. The number of Flow spec routes installed on the forwarding chip is therefore reduced and Flow spec table resources are saved. Because the network device issues fewer Flow spec routes to the forwarding chip, the scheduling work of the CPU (central processing unit) is reduced and system performance is improved, while a good defense against DDoS (distributed denial of service) attacks is still achieved.
In another example, referring to fig. 3, the Flow spec route issuing method comprises the following steps:
Step 301: after a BGP message is received, the Flow spec route is parsed out of the BGP message.
Step 302: determine whether the Flow spec route contains a source IP address; if yes, step 303 is performed, if not, step 307. The Flow spec route may contain one or any combination of the following, without limitation: source IP address, source port, destination IP address, destination port, protocol type, packet length, TCP flag bits, fragment identifier, QoS information and the like. Thus the Flow spec route may contain a source IP address, in which case step 303 is performed, or may not, in which case step 307 is performed.
Step 303: determine whether a routing entry matching the source IP address exists in the local routing table; if yes, step 304 is performed, if not, step 307. The network device maintains its routing table in the conventional way; it contains a number of routing entries, each of which may hold an IP address, a neighbor address and an outgoing interface. If the source IP address matches the IP address of some routing entry, a matching entry exists in the routing table; if it matches none of the entries, there is no matching entry.
Step 304: select the neighbor address corresponding to the source IP address from the routing entry.
Step 305: determine whether the neighbor address is the IP address of a network device in the operator network; if yes, step 306 is performed, if not, step 307.
If the neighbor address is the IP address of a network device in the operator network, the neighbor network device having that address (i.e. the neighbor that advertised the route to the source IP address) is a network device in the operator network. If the neighbor address is not the IP address of a network device in the operator network, the neighbor network device having that address is not a network device in the operator network.
Step 306: refuse to issue the Flow spec route to the forwarding chip of the network device.
Step 307: issue the Flow spec route to the forwarding chip of the network device, so that the forwarding chip filters packets with it, that is, the forwarding chip filters the packets matching the Flow spec route.
The embodiment is now described in detail with reference to the application scenario of fig. 1.
As shown in fig. 1, network device 1, network device 2 and network device 3 are network devices in the operator network, while user-side device 1, user-side device 2 and user-side device 3 are outside it; each of them may be a router, a switch or another device. User-side device 1 is a BGP neighbor of network device 1; network device 1 is a BGP neighbor of network device 2 and of network device 3; network device 2 is a BGP neighbor of user-side device 2; and network device 3 is a BGP neighbor of user-side device 3.
In this scenario, the packets that host 2 (2.2.2.2/32) sends to host 1 (1.1.1.1/32) are processed as follows. Host 2 (2.2.2.2/32) sends a packet to host 1 (1.1.1.1/32) with source IP address 2.2.2.2 and destination IP address 1.1.1.1. User-side device 2 receives the packet and forwards it by its destination IP address. Network device 2 receives the packet and looks it up against all Flow spec routes installed locally; since none matches, it forwards the packet to network device 1. The Flow spec lookup and the forwarding on network device 2 may be performed by its forwarding chip.
Network device 1 receives the packet, looks it up against all its local Flow spec routes and, since none matches, forwards it by destination IP address. The Flow spec lookup and forwarding on network device 1 are performed by its forwarding chip.
User-side device 1 receives the packet and identifies it as an attack packet. In one example, an identification policy is configured in advance on user-side device 1 for deciding whether a packet is an attack packet; its content is chosen according to actual needs. For example, if host 1 provides an HTTP (Hyper Text Transfer Protocol) service, the policy may be to check whether the packet is an HTTP packet: an HTTP packet is not identified as an attack packet and is forwarded to host 1, while any other packet is identified as an attack packet, discarded, and the following steps are performed. In practice other kinds of identification policy may be used; the embodiment does not limit their content.
User-side device 1 generates a Flow spec route for the packet. The Flow spec route may contain one or any combination of the following, without limitation: source IP address, source port, destination IP address, destination port, protocol type, packet length, TCP flag bits, fragment identifier and QoS information. For ease of description, the Flow spec route is taken to contain the source IP address 2.2.2.2 and the destination IP address 1.1.1.1.
User-side device 1 sends a BGP message carrying the Flow spec route to network device 1. Network device 1 forwards the BGP message carrying the Flow spec route to network device 2 and network device 3, and either issues the Flow spec route to its forwarding chip or refuses to. Likewise, network device 2 and network device 3 each, on receiving the BGP message, either issue the Flow spec route to their forwarding chip or refuse to.
Network device 1, network device 2 and network device 3 each decide whether to issue the Flow spec route to the forwarding chip or to refuse by executing steps 301 to 307.
For network device 1: in step 301, after receiving the BGP message, it parses out the Flow spec route, which contains the source IP address 2.2.2.2 and the destination IP address 1.1.1.1. In step 302 it determines that the Flow spec route contains a source IP address. In step 303, assuming its routing table is as shown in table 1, a routing entry matching the source IP address 2.2.2.2 exists; since that entry was learned from network device 2, its neighbor address is IP address 2, the IP address of network device 2. In step 304, the neighbor address (IP address 2) corresponding to the source IP address 2.2.2.2 is taken from the entry. In step 305, IP address 2 is the IP address of network device 2 and hence of a network device in the operator network. In step 306, network device 1 refuses to issue the Flow spec route to its forwarding chip.
TABLE 1
IP address | Neighbor address | Outgoing interface
2.2.2.2 | IP address 2 | Interface A
For network device 3: in step 301, after receiving the BGP message, it parses out the Flow spec route, which contains the source IP address 2.2.2.2 and the destination IP address 1.1.1.1. In step 302 it determines that the Flow spec route contains a source IP address. In step 303, assuming its routing table is as shown in table 2, a routing entry matching the source IP address 2.2.2.2 exists; since that entry was learned from network device 2, its neighbor address is IP address 2, the IP address of network device 2. In step 304, the neighbor address (IP address 2) corresponding to the source IP address 2.2.2.2 is taken from the entry. In step 305, IP address 2 is the IP address of network device 2 and hence of a network device in the operator network. In step 306, network device 3 refuses to issue the Flow spec route to its forwarding chip.
TABLE 2
IP address | Neighbor address | Outgoing interface
2.2.2.2 | IP address 2 | Interface B
For network device 2: in step 301, after receiving the BGP message, it parses out the Flow spec route, which contains the source IP address 2.2.2.2 and the destination IP address 1.1.1.1. In step 302 it determines that the Flow spec route contains a source IP address. In step 303, assuming its routing table is as shown in table 3, a routing entry matching the source IP address 2.2.2.2 exists; since that entry was learned from user-side device 2, its neighbor address is IP address 5, the IP address of user-side device 2. In step 304, the neighbor address (IP address 5) corresponding to the source IP address 2.2.2.2 is taken from the entry. In step 305, IP address 5 is the IP address of user-side device 2 and therefore not the IP address of a network device in the operator network. In step 307, network device 2 issues the Flow spec route to its forwarding chip.
TABLE 3
IP address | Neighbor address | Outgoing interface
2.2.2.2 | IP address 5 | Interface C
With this in place, when host 2 (2.2.2.2/32) next sends a packet to host 1 (1.1.1.1/32), user-side device 2 receives it and forwards it to network device 2. Network device 2 looks the packet up against all its local Flow spec routes; since a matching Flow spec route now exists, the packet is discarded directly instead of being forwarded to network device 1. The lookup and the discard are performed by the forwarding chip of network device 2.
It can be seen from this flow that, as long as the Flow spec route with source IP address 2.2.2.2 and destination IP address 1.1.1.1 is installed on the forwarding chip of network device 2, the attack packets sent by host 2 to host 1 are filtered at network device 2, and the same Flow spec route need not be installed on the forwarding chip of network device 1 or of network device 3. The number of Flow spec routes installed on forwarding chips is thus reduced and Flow spec entry resources are saved. In addition, the CPU of each network device issues fewer Flow spec routes to its forwarding chip, which reduces CPU scheduling work and improves system performance while still giving a good defense against DDoS attacks.
In one example, after receiving the BGP message carrying the Flow spec route, network device 2 may also forward the BGP message to user-side device 2. But user-side device 2 is not a network device in the operator network: whether it filters packets with the Flow spec route is decided on the user side and cannot be controlled by the operator. The Flow spec route with source IP address 2.2.2.2 and destination IP address 1.1.1.1 therefore has to be installed on the forwarding chip of network device 2. Similarly, network device 3 may forward the BGP message to user-side device 3 after receiving it; this is not described further here.
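Here is an added worked example, not the patent's code, that implements the decision of steps 301 to 307 as a function and runs it against the three routing tables of this scenario. The Flow spec route is supplied already parsed, as a dict with an optional source prefix. The concrete addresses are assumptions: 10.0.0.1, 10.0.0.2 and 10.0.0.3 stand in for the IP addresses of network devices 1 to 3 (the pre-configured address table), and 192.0.2.5 stands in for IP address 5 of user-side device 2. It goes one step beyond the text in one place: when the routing entry found for the source does not cover the whole source prefix of the Flow spec route, it installs the route rather than refusing, since such a prefix may be reached through more than one neighbor.

```python
"""Decision logic of steps 301 to 307, run on the three devices of fig. 1.

Added example, not the patent's code. Device addresses are constructed:
10.0.0.1-3 play the IP addresses of network devices 1-3 and 192.0.2.5
plays "IP address 5" of user-side device 2.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RouteEntry:
    """One routing table entry: prefix, BGP neighbor it was learned from, egress."""
    prefix: ipaddress.IPv4Network
    neighbor: ipaddress.IPv4Address
    interface: str


INSTALL, REFUSE = "install", "refuse"


def longest_match(routing_table, address):
    """Longest-prefix match of `address` in the local routing table (step 303)."""
    best = None
    for entry in routing_table:
        if address not in entry.prefix:
            continue
        if best is None or entry.prefix.prefixlen > best.prefix.prefixlen:
            best = entry
    return best


def decide(flowspec, routing_table, operator_addresses):
    """Return (decision, reason) for one Flow spec route on one operator device.

    `flowspec` is a dict with an optional "src_prefix" (IPv4Network);
    `operator_addresses` is the pre-configured address table used in step 305.
    """
    src = flowspec.get("src_prefix")
    if src is None:                                   # step 302 -> 307
        return INSTALL, "no source IP address in the Flow spec route"
    entry = longest_match(routing_table, src.network_address)
    if entry is None:                                 # step 303 -> 307
        return INSTALL, "no routing entry matches the source IP address"
    # Added conservative check, not in the patent: a Flow spec source prefix
    # wider than the matched route may also be reached via other neighbors.
    if not entry.prefix.supernet_of(src):
        return INSTALL, f"route {entry.prefix} does not cover source prefix {src}"
    if entry.neighbor in operator_addresses:          # step 305 -> 306
        return REFUSE, f"source learned from operator device {entry.neighbor}"
    return INSTALL, f"source learned from external neighbor {entry.neighbor}"  # step 307


# Constructed addresses for the address table and the user-side neighbor.
IP1, IP2, IP3, IP5 = (ipaddress.IPv4Address(a)
                      for a in ("10.0.0.1", "10.0.0.2", "10.0.0.3", "192.0.2.5"))
OPERATOR_ADDRESSES = {IP1, IP2, IP3}

SRC = ipaddress.IPv4Network("2.2.2.2/32")
DST = ipaddress.IPv4Network("1.1.1.1/32")
FLOWSPEC = {"src_prefix": SRC, "dst_prefix": DST}
FLOWSPEC_NO_SOURCE = {"dst_prefix": DST}
EMPTY_TABLE = []

# Tables 1 to 3 of the scenario: which neighbor each device learned 2.2.2.2 from.
TABLES = {
    "network device 1": [RouteEntry(SRC, IP2, "Interface A")],  # table 1
    "network device 3": [RouteEntry(SRC, IP2, "Interface B")],  # table 2
    "network device 2": [RouteEntry(SRC, IP5, "Interface C")],  # table 3
}


def run_scenario():
    """Decision of each device for the Flow spec route {src 2.2.2.2, dst 1.1.1.1}."""
    return {name: decide(FLOWSPEC, table, OPERATOR_ADDRESSES)[0]
            for name, table in TABLES.items()}


if __name__ == "__main__":
    for name, table in TABLES.items():
        print(name, *decide(FLOWSPEC, table, OPERATOR_ADDRESSES))
```

Run as written, network devices 1 and 3 refuse the route and network device 2 installs it, matching tables 1 to 3. One design point of mine, not the patent's: the decision is taken against the routing table as it stands when the Flow spec route arrives, so an implementation should re-run decide() for the affected routes whenever the route to the source prefix changes neighbor, otherwise a later next-hop change could leave the attack traffic unfiltered on every device.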
In one example, the operator network may be, without limitation, an MPLS (Multi-Protocol Label Switching) network, with network device 1, network device 2 and network device 3 being PE (Provider Edge) devices of the MPLS network; one or more P (Provider core) devices may lie between network device 1 and network device 2, between network device 1 and network device 3, and between network device 2 and network device 3. User-side device 1, user-side device 2 and user-side device 3 may be CE (Customer Edge) devices.
Based on the same inventive concept as the method, an embodiment of the present invention further provides a Flow spec route issuing device, applied to a network device in an operator network. The device may be implemented in software, in hardware, or in a combination of the two. Taking software as an example, the device is a logical means formed when the processor of the network device it resides on reads the corresponding computer program instructions from non-volatile memory. In terms of hardware, fig. 4 shows the hardware structure of a network device hosting the Flow spec route issuing device of the present invention; besides the processor and the non-volatile memory shown in fig. 4, the network device may include other hardware responsible for packet processing, such as a forwarding chip, network interfaces and memory. The network device may also be a distributed device with multiple interface cards, extending packet processing at the hardware level.
As shown in fig. 5, the Flow spec route issuing device provided by the present invention comprises:
an obtaining module 11, configured to obtain a Flow spec route for filtering attack packets;
a determining module 12, configured to determine, when the Flow spec route contains a source IP address, whether the neighbor network device that advertised the route to that source IP address is a network device in the operator network;
and a processing module 13, configured to refuse to issue the Flow spec route to the forwarding chip of the network device when the determination result is yes.
The determining module 12 is specifically configured to, in the process of determining whether a neighboring network device that issues a route of the source IP address is a network device in the operator network, obtain a routing table entry that matches the source IP address from a local routing table, obtain a neighboring address from the routing table entry, and query a preconfigured address table by using the neighboring address; wherein, the address table records the IP addresses of all network devices in the operator network; if the neighbor address is in the address table, determining that the neighbor network device is a network device in the operator network, and if the neighbor address is not in the address table, determining that the neighbor network device is not a network device in the operator network.
In an example, the processing module 13 is further configured to, when there is no routing table entry matching the source IP address in the local routing table, issue the Flow spec route to a forwarding chip of the network device, so that the forwarding chip filters a packet by using the Flow spec route.
in an example, the processing module 13 is further configured to, when the Flow spec route does not include a source IP address, issue the Flow spec route to a forwarding chip of the network device, so that the forwarding chip filters a packet by using the Flow spec route.
In an example, the processing module 13 is further configured to, when the neighboring network device is not a network device in the operator network, issue the Flow spec route to a forwarding chip of the network device, so that the forwarding chip filters a packet by using the Flow spec route.
The modules of the device can be integrated into a whole or can be separately deployed. The modules can be combined into one module, and can also be further split into a plurality of sub-modules.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present invention may be implemented by software plus a necessary general hardware platform, and certainly may also be implemented by hardware, but in many cases, the former is a better embodiment. Based on such understanding, the technical solutions of the present invention may be substantially or partially embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention. Those skilled in the art will appreciate that the drawings are merely schematic representations of one preferred embodiment and that the blocks or flow diagrams in the drawings are not necessarily required to practice the present invention.
Those skilled in the art will appreciate that the modules in the devices in the embodiments may be distributed in the devices in the embodiments according to the description of the embodiments, and may be correspondingly changed in one or more devices different from the embodiments. The modules of the above embodiments may be combined into one module, or further split into multiple sub-modules. The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The above disclosure is only for a few specific embodiments of the present invention, but the present invention is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present invention.

Claims (10)

1. A method for issuing a Flow spec route, applied to a network device in an operator network, the method comprising the following steps:
acquiring a Flow spec route for filtering attack messages;
if the Flow spec route contains a source IP address, judging whether the neighbor network device that issued the route for the source IP address is a network device in the operator network;
and if so, refusing to issue the Flow spec route to a forwarding chip of the network device.
2. The method according to claim 1, wherein the determining whether the neighbor network device that issues the route of the source IP address is a network device in the operator network specifically includes:
acquiring a routing table entry matching the source IP address from a local routing table, acquiring a neighbor address from the routing table entry, and querying a preconfigured address table with the neighbor address; wherein the address table records the IP addresses of all network devices in the operator network; if the neighbor address is in the address table, determining that the neighbor network device is a network device in the operator network, otherwise determining that the neighbor network device is not a network device in the operator network.
3. The method of claim 1, wherein the judging of whether the neighbor network device that issued the route for the source IP address is a network device in the operator network further comprises:
judging whether a routing table entry matching the source IP address exists in a local routing table;
if not, issuing the Flow spec route to a forwarding chip of the network device, so that the forwarding chip filters messages by using the Flow spec route;
if so, performing the operation of judging whether the neighbor network device that issued the route for the source IP address is a network device in the operator network.
4. The method of claim 1, further comprising:
if the Flow spec route does not contain a source IP address, issuing the Flow spec route to a forwarding chip of the network device, so that the forwarding chip filters messages by using the Flow spec route.
5. The method of claim 1, further comprising:
if the neighbor network device is not a network device in the operator network, issuing the Flow spec route to a forwarding chip of the network device, so that the forwarding chip filters messages by using the Flow spec route.
6. An issuing device for a Flow spec route, applied to a network device in an operator network, the issuing device comprising:
an obtaining module, configured to obtain a Flow spec route for filtering attack messages;
a judging module, configured to judge, when the Flow spec route includes a source IP address, whether the neighbor network device that issued the route for the source IP address is a network device in the operator network;
and a processing module, configured to refuse to issue the Flow spec route to a forwarding chip of the network device when the judgment result is yes.
7. The apparatus of claim 6,
the judging module is specifically configured to, in the process of judging whether the neighbor network device that issued the route for the source IP address is a network device in the operator network, obtain a routing table entry matching the source IP address from a local routing table, obtain a neighbor address from the routing table entry, and query a preconfigured address table by using the neighbor address; wherein the address table records the IP addresses of all network devices in the operator network; if the neighbor address is in the address table, determine that the neighbor network device is a network device in the operator network, and if the neighbor address is not in the address table, determine that the neighbor network device is not a network device in the operator network.
8. The apparatus of claim 6,
the processing module is further configured to judge whether a routing table entry matching the source IP address exists in a local routing table, and if not, issue the Flow spec route to a forwarding chip of the network device, so that the forwarding chip filters a packet by using the Flow spec route;
and if so, notify the judging module to judge whether the neighbor network device that issued the route for the source IP address is a network device in the operator network.
9. The apparatus of claim 6,
The processing module is further configured to, when the Flow spec route does not include a source IP address, issue the Flow spec route to a forwarding chip of the network device, so that the forwarding chip filters a packet by using the Flow spec route.
10. The apparatus of claim 6,
The processing module is further configured to, when the neighbor network device is not a network device in the operator network, issue the Flow spec route to a forwarding chip of the network device, so that the forwarding chip filters a packet by using the Flow spec route.
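The decision procedure described for modules 12 and 13 above and restated in claims 1 to 5, written out as an added Python example that is not part of the patent or of the assignee's implementation. The routing table, the operator address table and the longest-prefix-match lookup are constructed assumptions standing in for the device's local routing table, and the first address of the Flow spec source prefix is used for the lookup.

```python
import ipaddress
from typing import Optional

# Constructed sample data (not from the patent): a local routing table as
# (prefix, next-hop neighbour address) pairs, and the preconfigured address
# table listing every device in the operator network (claim 2).
ROUTING_TABLE = [
    ("10.0.0.0/8", "10.255.0.1"),        # internal aggregate via an operator router
    ("10.1.0.0/16", "10.255.0.2"),       # more-specific internal prefix
    ("203.0.113.0/24", "198.51.100.1"),  # customer prefix learned from an external peer
]
OPERATOR_DEVICES = {"10.255.0.1", "10.255.0.2", "10.255.0.3"}


def lookup_neighbor(src_ip: str, routing_table) -> Optional[str]:
    """Longest-prefix match of src_ip against the routing table.

    Returns the next-hop neighbour address of the best entry, or None when no
    entry matches (the 'no routing table entry matching the source' case).
    """
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, neighbor in routing_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, neighbor)
    return best[1] if best else None


def decide(flowspec: dict, routing_table=ROUTING_TABLE,
           operator_devices=OPERATOR_DEVICES):
    """Return (install, reason) for one Flow spec route (claims 1 to 5).

    flowspec is a dict; an optional "src" key holds the source prefix. The
    prefix's first address is used for the lookup (an assumption made here).
    """
    if "src" not in flowspec:
        return True, "no source IP: install"                       # claim 4
    src_net = ipaddress.ip_network(flowspec["src"], strict=False)
    neighbor = lookup_neighbor(str(src_net.network_address), routing_table)
    if neighbor is None:
        return True, "no matching route: install"                  # claim 3
    if neighbor in operator_devices:
        # The source is reached through an operator device, so installing
        # the filter would drop traffic that originates inside the network.
        return False, f"neighbor {neighbor} is in operator network: refuse"  # claim 1
    return True, f"neighbor {neighbor} is external: install"       # claim 5
```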
CN201610807846.5A 2016-09-06 2016-09-06 Flow spec route issuing method and device Active CN106254252B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610807846.5A CN106254252B (en) 2016-09-06 2016-09-06 Flow spec route issuing method and device


Publications (2)

Publication Number Publication Date
CN106254252A CN106254252A (en) 2016-12-21
CN106254252B true CN106254252B (en) 2019-12-06

Family

ID=57599305

Country Status (1)

Country Link
CN (1) CN106254252B (en)

Also Published As

Publication number Publication date
CN106254252A (en) 2016-12-21

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466
Applicant after: Xinhua three Technology Co., Ltd.
Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466
Applicant before: Huasan Communication Technology Co., Ltd.
GR01 Patent grant