CN106357652A - Method and device for preventing attack of VXLAN message - Google Patents


Info

Publication number: CN106357652A
Authority: CN (China)
Prior art keywords: vxlan message, vxlan, threshold, message, equipment
Legal status: Granted (active)
Application number: CN201610850351.0A
Other languages: Chinese (zh)
Other versions: CN106357652B (en)
Inventors: 王洋, 王琳
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd

Events:
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN201610850351.0A
Publication of CN106357652A
Application granted
Publication of CN106357652B

Classifications (H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L63/00 Network architectures or network communication protocols for network security)

    • H04L63/14 Detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic; H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/02 Separating internal from external traffic, e.g. firewalls; H04L63/0272 Virtual private networks
    • H04L63/14 Detecting or protecting against malicious traffic; H04L63/1441 Countermeasures against malicious traffic; H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks


Abstract

The invention provides a method and a device for preventing attacks by VXLAN (virtual extensible local area network) messages. The method and the device are applied to a VTEP (VXLAN tunnel end point) of a VXLAN tunnel. The method comprises the following steps: counting the number of abnormal received VXLAN messages, i.e. those carrying a non-local VNI; judging whether the counted number of abnormal messages within a preset first unit time is greater than a preset first threshold value; and, when the number of abnormal messages is greater than the preset first threshold value, reducing the maximum number of VXLAN messages processed per second to a preset value. The method provided by the embodiment has the advantage that, once a possible VXLAN message attack has been detected, the maximum number of VXLAN messages processed per second is limited so that the VTEP equipment can still process normal messages, thereby solving the problem that the VTEP equipment, while continuously processing a large number of forged VXLAN messages, fails to process messages other than VXLAN messages.

Description

A method and apparatus for protecting against VXLAN message attacks
Technical field
The application relates to the field of communication technology, and in particular to a method and apparatus for protecting against VXLAN message attacks.
Background technology
With the rapid development of cloud computing, data centers are increasingly virtualized and place ever stricter requirements on the physical network: for example, ToR switches need to support large MAC address tables; the 4094 available VLANs (virtual local area networks) cannot partition the huge number of virtual machines; and network isolation for multiple tenants must be supported. It is exactly these demands that have brought about the overlay network technology VXLAN (virtual extensible local area network).
However, in practice there may be attacks with forged VXLAN messages: an attacker forges a large number of VXLAN messages and sends them to a VTEP (VXLAN tunnel end point). The forged VXLAN messages occupy the processing resources of the VTEP equipment, so that the VTEP equipment no longer has enough processing resources to process messages other than the VXLAN messages it receives.
Content of the invention
In view of this, the application provides a method and apparatus for protecting against VXLAN message attacks, to solve the problem that, when a large number of forged VXLAN messages exist, the forged VXLAN messages occupy the processing resources of the VTEP equipment, leaving the VTEP equipment with insufficient processing resources to process messages other than VXLAN messages.
Specifically, the application is achieved by the following technical solution:
A method for protecting against VXLAN message attacks, applied to VTEP equipment at a VXLAN tunnel end point, where the VTEP equipment and the other VTEP equipment in the network are neighbours of each other; the method includes:
counting the number of abnormal received VXLAN messages, i.e. those carrying a non-local VNI;
judging whether the counted number of abnormal messages within a preset first unit time is greater than a preset first threshold;
when the number of abnormal messages is greater than the first threshold, reducing the maximum number of VXLAN messages this equipment processes per second to a preset value.
The method for protecting against VXLAN message attacks further includes:
when the number of abnormal messages is less than or equal to the first threshold, processing VXLAN messages normally.
The method for protecting against VXLAN message attacks further includes:
after the maximum number of VXLAN messages this equipment processes per second has been reduced to the preset value, judging whether the counted number of abnormal messages within a preset second unit time is less than a preset second threshold;
when this number of abnormal messages is less than the second threshold, restoring the maximum number of VXLAN messages this equipment processes per second to its initial value.
The method for protecting against VXLAN message attacks further includes:
when this number of abnormal messages is greater than or equal to the second threshold, stopping the processing of VXLAN messages; or stopping the processing of VXLAN messages for n seconds and resuming normal processing of VXLAN messages after the n seconds.
The method for protecting against VXLAN message attacks further includes:
when the processing of VXLAN messages is stopped, sending an alarm prompt; the alarm prompt is used to prompt the user to investigate the attack source.
An apparatus for protecting against VXLAN message attacks, applied to VTEP equipment at a VXLAN tunnel end point, where the VTEP equipment and the other VTEP equipment in the network are neighbours of each other; the apparatus includes:
a statistics unit for counting the number of abnormal received VXLAN messages carrying a non-local VNI;
a judging unit for judging whether the counted number of abnormal messages within a preset first unit time is greater than a preset first threshold;
a setting unit for reducing, when the number of abnormal messages is greater than the first threshold, the maximum number of VXLAN messages this equipment processes per second to a preset value.
The apparatus for protecting against VXLAN message attacks further includes:
a processing unit for processing VXLAN messages normally when the number of abnormal messages is less than or equal to the first threshold.
The apparatus for protecting against VXLAN message attacks further includes:
the judging unit, further used for judging, after the maximum number of VXLAN messages this equipment processes per second has been reduced to the preset value, whether the counted number of abnormal messages within a preset second unit time is less than a preset second threshold;
a recovery unit for restoring, when this number of abnormal messages is less than the second threshold, the maximum number of VXLAN messages this equipment processes per second to its initial value.
The apparatus for protecting against VXLAN message attacks further includes:
a termination unit for stopping the processing of VXLAN messages when this number of abnormal messages is greater than or equal to the second threshold; or for stopping the processing of VXLAN messages for n seconds and resuming normal processing of VXLAN messages after the n seconds.
The apparatus for protecting against VXLAN message attacks further includes:
an alarm unit for sending an alarm prompt when the processing of VXLAN messages is stopped; the alarm prompt is used to prompt the user to investigate the attack source.
In the embodiments of the application, the VTEP equipment counts the number of abnormal received VXLAN messages carrying a non-local VNI and judges whether the counted number of abnormal messages within a preset first unit time is greater than a preset first threshold; if so, it reduces the maximum number of VXLAN messages it processes per second to a preset value. Counting the abnormal VXLAN messages carrying a non-local VNI thus identifies a possible VXLAN message attack, and when such an attack may exist, the maximum number of VXLAN messages processed per second is limited. This solves the problem that, when a large number of forged VXLAN messages exist, the forged messages occupy the processing resources of the VTEP equipment, leaving it without enough processing resources to process messages other than VXLAN messages.
Brief description of the drawings
Fig. 1 is a flow chart of a method for protecting against VXLAN message attacks shown in the application;
Fig. 2 is a logic diagram of an apparatus for protecting against VXLAN message attacks shown in the application;
Fig. 3 is a hardware structure diagram of an apparatus for protecting against VXLAN message attacks shown in the application.
Specific embodiments
In order that those skilled in the art may better understand the technical solutions in the embodiments of the invention, and to make the above objects, features and advantages of the embodiments clearer and easier to understand, the prior art and the technical solutions in the embodiments are described in further detail below with reference to the accompanying drawings.
VXLAN uses UDP (user datagram protocol) to encapsulate a complete inner-layer Ethernet frame; an ordinary Ethernet packet is encapsulated in a UDP message for transmission. Because VXLAN uses a 24-bit VXLAN network identifier, VXLAN supports up to 16,000,000 logical addresses, far more than the maximum of 4094 logical addresses supported by VLAN, and can therefore better meet demand in certain application environments (for example, large-scale cloud computing centers).
A VXLAN network, according to the VXLAN encapsulation mode, can be regarded as a tunnel-mode network overlay technology: the tunnel end point VTEP is used to encapsulate and decapsulate VXLAN messages, and after encapsulating a message the VTEP at one end of the tunnel sends the encapsulated message through the tunnel to the VTEP at the other end.
After receiving a message, the VTEP equipment judges whether the destination UDP port number in the message header is consistent with the locally configured VXLAN-dedicated port number; if they are consistent, it determines that the message is a VXLAN message. The VTEP equipment then parses the VNI (VXLAN network identifier) in the VXLAN header: if the VNI in the header is identical to a local VNI, it processes the VXLAN message normally; if the VNI in the header differs from the local VNI, it discards the VXLAN message.
However, in practice there may be forged VXLAN message attacks in the network: an attacker can forge a large number of VXLAN messages and send them to the VTEP equipment, and the forged VXLAN messages occupy the processing resources of the VTEP equipment, so that the VTEP equipment does not have enough processing resources to process other messages beyond the VXLAN messages.
To solve the above problem, the technical solution of the embodiments of the application limits the maximum number of VXLAN messages processed per second once it is determined that a VXLAN message attack may exist, so that in this case the processing resources of the VTEP equipment are not all occupied by forged VXLAN messages and some processing resources remain for processing normal messages. This solves the problem that, when a large number of forged VXLAN messages exist, the forged messages occupy the processing resources of the VTEP equipment, leaving it with insufficient processing resources for messages other than VXLAN messages.
Referring to Fig. 1, which is a flow chart of an embodiment of the method for protecting against VXLAN message attacks of the application, the executing entity of this embodiment is VTEP equipment, and this VTEP equipment and the other VTEP equipment in the network are neighbours of each other; the method includes the following steps:
Step 101: count the number of abnormal received VXLAN messages carrying a non-local VNI.
Step 102: judge whether the counted number of abnormal messages within a preset first unit time is greater than a preset first threshold.
Step 103: when the number of abnormal messages is greater than the first threshold, reduce the maximum number of VXLAN messages this equipment processes per second to a preset value.
The above VTEP equipment may support multiple VXLAN networks, encapsulating and decapsulating messages from multiple VXLANs.
The above non-local VNI refers to a VXLAN network identifier other than those of the multiple VXLAN networks supported by the VTEP equipment. After receiving a VXLAN message carrying a non-local VNI, the VTEP equipment discards that VXLAN message.
In the related art, because existing VXLAN implementations do not design any protection against forged VXLAN messages, VTEP equipment generally cannot defend against forged VXLAN message attacks; when a large number of forged VXLAN messages exist on the network, processing those VXLAN messages may leave the equipment without enough processing resources to process other messages.
To solve the above problem, in this example the number of abnormal received VXLAN messages carrying a non-local VNI is counted to determine a VXLAN message attack that may exist, and when such an attack may exist the maximum number of VXLAN messages processed per second is limited, so that the VTEP still has enough processing resources to process messages other than VXLAN messages when it receives a large number of forged VXLAN messages.
In this example, after the VTEP equipment receives a message, it may first judge whether the destination UDP port number of the message is consistent with the locally configured VXLAN-dedicated port number.
If the destination UDP port number of the message header is consistent with the locally configured VXLAN-dedicated port number, the message is a VXLAN message, and for this VXLAN message the VTEP equipment may further parse the VNI carried in the VNI field of the message header to determine whether the VNI carried in this VXLAN message is a non-local VNI.
On the one hand, if the VNI carried in the VNI field of the header is identical to the VNI of any of the multiple locally supported VXLANs, the received message is a normal VXLAN message and may be processed normally.
On the other hand, if the VNI in the header differs from the VNIs of all the locally supported VXLANs, the received message is probably a forged VXLAN message.
When a VXLAN message carrying a non-local VNI is received, the VTEP equipment may enter a detection state, count the number of abnormal received VXLAN messages carrying a non-local VNI, and discard the VXLAN message carrying the non-local VNI once it has been counted.
When counting the number of abnormal VXLAN messages carrying a non-local VNI, a counter may be enabled: each time a VXLAN message carrying a non-local VNI is received, the counter is incremented by one, and so on. In this way, VXLAN messages carrying a non-local VNI can be counted in real time.
In this example, after counting for a period of time, the VTEP equipment may judge, according to a preset first unit time, whether the above number of abnormal messages within this first unit time is greater than a preset first threshold. The first unit time and the first threshold may be configured according to the specific application environment; for example, the first unit time may be 5 minutes and the first threshold may be 15000, so that once the VTEP equipment has counted VXLAN messages carrying a non-local VNI for 5 minutes, it judges whether the number of abnormal messages in that period is greater than 15000.
When the number of abnormal messages in the first unit time is less than or equal to the first threshold, that is, when the number of abnormal messages the VTEP equipment counted within 5 minutes is less than or equal to 15000, the VTEP equipment remains in the detection state, continues to count the number of abnormal received VXLAN messages carrying a non-local VNI, and processes VXLAN messages normally.
When the number of abnormal messages in the first unit time is greater than the first threshold, that is, when the number of abnormal messages the VTEP equipment counted within 5 minutes is greater than 15000, a forged VXLAN message attack may exist in the network.
In this case, the VTEP equipment may switch from the detection state to a monitoring state, to protect against the forged VXLAN message attack it may be facing.
In this example, after switching to the monitoring state, the VTEP equipment may reduce the maximum number of VXLAN messages it processes per second to a preset value. This preset value is clearly smaller than the initial value of the maximum number of VXLAN messages processed per second and may be configured according to the application environment; for example, the preset value may be 1000.
It can be seen that in this way, when a forged VXLAN message attack may exist in the network, the VTEP equipment can reserve some processing resources for messages other than VXLAN messages by limiting the maximum number of VXLAN messages processed per second, so that it has enough processing resources to process normal messages. This solves the problem that, when a large number of forged VXLAN messages exist, the processing of messages other than VXLAN messages by the VTEP equipment is affected.
In this example, after the VTEP equipment has switched to the monitoring state and reduced the maximum number of VXLAN messages processed per second to the preset value, it may continue to count the number of abnormal received VXLAN messages carrying a non-local VNI, and after counting for a period of time it may judge, according to a preset second unit time, whether the above number of abnormal messages within this second unit time is less than a preset second threshold.
The second unit time and the second threshold may be configured according to the specific application environment; the second unit time may be the same as the above first unit time or different. For example, assuming the first unit time is 5 minutes, the second unit time may also be set to 5 minutes; of course, the second unit time may also be set to a value greater or smaller than the first unit time. Because the second threshold applies to the environment in which the maximum number of VXLAN messages processed per second has been lowered, the ratio of the second threshold to the second unit time is less than the ratio of the first threshold to the first unit time.
For example, in one example the second unit time may be set to 6 minutes and the second threshold to 12000. After the VTEP equipment has reduced the maximum number of VXLAN messages processed per second to 1000, it may continue to count the number of abnormal received VXLAN messages carrying a non-local VNI for 6 minutes, and when the count is complete, judge whether the above number of abnormal messages is less than 12000.
When the number of abnormal messages in the second unit time is less than the second threshold, that is, when the number of abnormal messages the VTEP equipment counted within 6 minutes is less than 12000, the forged VXLAN message attack may no longer exist in the network; the VTEP equipment may then switch back from the monitoring state to the detection state, restore the maximum number of VXLAN messages processed per second to the initial value, process messages normally, and continue to count the number of abnormal received VXLAN messages carrying a non-local VNI.
When the number of abnormal messages in the second unit time is greater than or equal to the second threshold, that is, when the number of abnormal messages the VTEP equipment counted within 6 minutes is greater than or equal to 12000, the forged VXLAN message attack still exists in the network.
When the VTEP equipment determines that a forged VXLAN message attack exists in the network, in one case the VTEP equipment may pause the processing of VXLAN messages and send an alarm prompt, prompting the user to investigate the attack source.
It can be seen that by pausing the processing of VXLAN messages and sending an alarm, the user can be informed that an attack is currently present, and the user can investigate the attack source during the pause.
The pause time of the VTEP equipment may be configured according to the practical situation; for instance, the pause time may be set to a period long enough for the user to eliminate the attack source within it.
After the pause time of the VTEP equipment ends, regardless of whether the user has found the attack source, the VTEP equipment returns to the detection state and, while processing messages normally, continues to count the number of abnormal received VXLAN messages carrying a non-local VNI.
For example, assuming the pause time is n seconds, the VTEP equipment, on determining that a VXLAN message attack exists, may stop processing VXLAN messages for n seconds and resume normal processing of VXLAN messages after the n seconds.
If the user fails to find the attack source, then when the VTEP equipment again detects the attack it still reduces the maximum number of VXLAN messages processed per second to the preset value and then pauses the processing of VXLAN messages again. Thus, when a forged VXLAN message attack exists in the network, the VTEP equipment can limit the processing resources spent on VXLAN messages, minimizing the impact of the forged VXLAN message attack on the equipment.
Of course, if the user does find the attack source, the VTEP equipment may still continue to detect potential attacks, ensuring network security.
In another case, when the VTEP equipment determines that a forged VXLAN message attack exists in the network, besides pausing the processing of VXLAN messages, it may also stop processing VXLAN messages entirely (that is, the above n is infinite) and send an alarm prompt prompting the user to investigate the attack source.
When a forged VXLAN message attack has been confirmed, stopping the processing of VXLAN messages avoids wasting processing resources unnecessarily, and sending an alarm prompt lets the user know that an attack exists, so that the user can investigate the attack source and eliminate the forged VXLAN message attack. After the user has resolved the attack source, the VTEP equipment may, on receiving the user's instruction, start processing VXLAN messages again.
In summary, the VTEP equipment counts the number of abnormal received VXLAN messages carrying a non-local VNI to determine a VXLAN message attack that may exist; when such an attack may exist, it limits the maximum number of VXLAN messages processed per second and further verifies whether a VXLAN message attack exists; and when it determines that an attack exists, it takes measures such as pausing the processing of VXLAN messages and sending an alarm prompt so that the user can investigate the attack source. This minimizes the impact of VXLAN message attacks on the VTEP equipment and solves the problem that, when a large number of forged VXLAN messages exist, the VTEP equipment keeps processing forged VXLAN messages and cannot process messages other than VXLAN messages.
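The detection/monitoring/pause cycle of Fig. 1 as a runnable simulation, added here for illustration (not code from the patent or from DPTech). It assumes the 8-byte VXLAN header layout and UDP port 4789 from RFC 7348 (the page only speaks of a "locally configured VXLAN-dedicated port"), an initial maximum of 10000 VXLAN messages per second and a pause of 60 seconds for n; the window and threshold values are the page's own examples.

```python
import struct
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

VXLAN_UDP_PORT = 4789  # assumption: IANA port from RFC 7348, not stated on the page


class State(Enum):
    DETECT = "detect"    # count abnormal messages, normal per-second maximum
    MONITOR = "monitor"  # per-second maximum lowered to the preset value
    PAUSED = "paused"    # VXLAN processing suspended for n seconds, alarm raised


def vxlan_header(vni: int) -> bytes:
    """Build an 8-byte VXLAN header: flags (I bit set), 3 reserved, 24-bit VNI, 1 reserved."""
    return struct.pack("!B3xI", 0x08, (vni & 0xFFFFFF) << 8)


def parse_vni(payload: bytes) -> Optional[int]:
    """Return the 24-bit VNI of a VXLAN header, or None if the header is malformed."""
    if len(payload) < 8:
        return None
    flags, vni_and_reserved = struct.unpack("!B3xI", payload[:8])
    if not flags & 0x08:  # the VNI field is only valid when the I flag is set
        return None
    return vni_and_reserved >> 8


@dataclass
class VtepGuard:
    """Per-VTEP attack-protection state machine (Steps 101-103 plus the recovery path)."""
    local_vnis: frozenset
    initial_max_pps: int = 10000   # assumed normal per-second maximum
    preset_max_pps: int = 1000     # the page's example preset value
    first_window: float = 300.0    # first unit time: 5 minutes
    first_threshold: int = 15000   # first threshold
    second_window: float = 360.0   # second unit time: 6 minutes
    second_threshold: int = 12000  # second threshold
    pause_seconds: float = 60.0    # the page's n seconds (assumed value)
    state: State = State.DETECT
    abnormal: int = 0              # abnormal messages seen in the current window
    window_start: float = 0.0
    pause_until: float = 0.0
    alarms: list = field(default_factory=list)   # (time, abnormal count) per alarm
    max_pps: int = field(init=False)
    _sec: int = field(init=False, default=-1)
    _done_this_sec: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.max_pps = self.initial_max_pps

    def _end_of_window(self, now: float) -> None:
        """Evaluate the finished unit time and move between states (Fig. 1)."""
        if self.state is State.DETECT:
            if self.abnormal > self.first_threshold:      # Step 102 -> Step 103
                self.state, self.max_pps = State.MONITOR, self.preset_max_pps
        elif self.state is State.MONITOR:
            if self.abnormal < self.second_threshold:     # attack subsided: recover
                self.state, self.max_pps = State.DETECT, self.initial_max_pps
            else:                                         # attack persists: pause and alarm
                self.state = State.PAUSED
                self.pause_until = now + self.pause_seconds
                self.alarms.append((now, self.abnormal))
        self.abnormal, self.window_start = 0, now

    def receive(self, dst_port: int, payload: bytes, now: float) -> str:
        """Handle one received UDP datagram at time `now`; returns the action taken."""
        if dst_port != VXLAN_UDP_PORT:
            return "not_vxlan"            # handled by the normal non-VXLAN path
        if self.state is State.PAUSED:
            if now < self.pause_until:
                return "drop_paused"
            # Pause over: back to the detection state at the initial rate.
            self.state, self.max_pps = State.DETECT, self.initial_max_pps
            self.abnormal, self.window_start = 0, now
        window = self.first_window if self.state is State.DETECT else self.second_window
        if now - self.window_start >= window:
            self._end_of_window(now)
            if self.state is State.PAUSED:
                return "drop_paused"
        vni = parse_vni(payload)
        if vni is None:
            return "drop_malformed"
        if vni not in self.local_vnis:
            self.abnormal += 1            # Step 101: count the abnormal message, then discard it
            return "drop_nonlocal_vni"
        sec = int(now)
        if sec != self._sec:              # new wall-clock second: reset the per-second budget
            self._sec, self._done_this_sec = sec, 0
        if self._done_this_sec >= self.max_pps:
            return "drop_rate_limited"    # above the (possibly lowered) per-second maximum
        self._done_this_sec += 1
        return "process"
```

Windows are evaluated lazily on the next received datagram, which is enough for a simulation; a real implementation would use a timer.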
Corresponding to the embodiments of the method for protecting against VXLAN message attacks of the invention, the invention also provides embodiments of an apparatus for executing the above method embodiments.
Referring to Fig. 2, which is a block diagram of an embodiment of the apparatus for protecting against VXLAN message attacks of the invention:
As shown in Fig. 2, the apparatus 20 for protecting against VXLAN message attacks includes:
a statistics unit 210 for counting the number of abnormal received VXLAN messages carrying a non-local VNI;
a judging unit 220 for judging whether the counted number of abnormal messages within a preset first unit time is greater than a preset first threshold;
a setting unit 230 for reducing, when the number of abnormal messages is greater than the first threshold, the maximum number of VXLAN messages this equipment processes per second to a preset value.
In this example, the apparatus further includes:
a processing unit 240 for processing VXLAN messages normally when the number of abnormal messages is less than or equal to the first threshold.
In this example, the apparatus further includes:
the judging unit 220, further used for judging, after the maximum number of VXLAN messages this equipment processes per second has been reduced to the preset value, whether the counted number of abnormal messages within a preset second unit time is less than a preset second threshold;
a recovery unit 250 for restoring, when this number of abnormal messages is less than the second threshold, the maximum number of VXLAN messages this equipment processes per second to its initial value.
In this example, the apparatus further includes:
a termination unit 260 for stopping the processing of VXLAN messages when this number of abnormal messages is greater than or equal to the second threshold; or for stopping the processing of VXLAN messages for n seconds and resuming normal processing of VXLAN messages after the n seconds.
In this example, the apparatus further includes:
an alarm unit 270 for sending an alarm prompt when the processing of VXLAN messages is stopped; the alarm prompt is used to prompt the user to investigate the attack source.
The embodiments of the apparatus for protecting against VXLAN message attacks of the application may be applied on VTEP equipment. The apparatus embodiments may be implemented in software, in hardware, or in a combination of software and hardware. Taking a software implementation as an example, the apparatus in the logical sense is formed by the processor of the VTEP equipment on which it resides reading the corresponding computer program instructions from non-volatile memory into internal memory and running them. At the hardware level, Fig. 3 is a hardware structure diagram of the VTEP equipment on which the apparatus resides; besides the processor, internal memory, network interface and non-volatile memory shown in Fig. 3, the VTEP equipment may also include other hardware according to the actual function of the apparatus, which is not repeated here.
The implementation process of the functions and effects of the units in the above apparatus is described in the implementation process of the corresponding steps of the above method and is not repeated here.
Because the apparatus embodiments correspond essentially to the method embodiments, reference may be made to the description of the method embodiments for the relevant parts. The apparatus embodiments described above are merely illustrative; the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the application, which those of ordinary skill in the art can understand and implement without creative effort.
The above are only preferred embodiments of the application and are not intended to limit it; any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the application shall be included within the scope of protection of the application.

Claims (10)

1. A method for protecting against VXLAN message attacks, applied to a VTEP device that is a VXLAN tunnel endpoint, the VTEP device and the other VTEP devices in the network being neighbours of one another, characterised in that the method comprises:
counting the abnormal quantity of received VXLAN messages carrying a non-local VNI;
judging whether the abnormal quantity counted within a preset first unit interval is greater than a preset first threshold;
when the abnormal quantity is greater than the first threshold, reducing the maximum quantity of VXLAN messages processed per second by this device to a preset value.
2. The method according to claim 1, characterised in that the method further comprises:
when the abnormal quantity is less than or equal to the first threshold, processing VXLAN messages normally.
3. The method according to claim 1, characterised in that the method further comprises:
after the maximum quantity of VXLAN messages processed per second by this device has been reduced to the preset value, judging whether the abnormal quantity counted within a preset second unit interval is less than a preset second threshold;
when this abnormal quantity is less than the second threshold, restoring the maximum quantity of VXLAN messages processed per second by this device to its initial value.
4. The method according to claim 3, characterised in that the method further comprises:
when this abnormal quantity is greater than or equal to the second threshold, stopping the processing of VXLAN messages; or stopping the processing of VXLAN messages for n seconds and resuming normal processing of VXLAN messages after the n seconds.
5. The method according to claim 4, characterised in that the method further comprises:
when the processing of VXLAN messages is stopped, sending an alarm prompt; the alarm prompt is used to prompt the user to investigate the attack source.
6. A device for protecting against VXLAN message attacks, applied to a VTEP device that is a VXLAN tunnel endpoint, the VTEP device and the other VTEP devices in the network being neighbours of one another, characterised in that the device comprises:
a statistic unit, for counting the abnormal quantity of received VXLAN messages carrying a non-local VNI;
a judging unit, for judging whether the abnormal quantity counted within a preset first unit interval is greater than a preset first threshold;
a setting unit, for reducing the maximum quantity of VXLAN messages processed per second by this device to a preset value when the abnormal quantity is greater than the first threshold.
7. The device according to claim 6, characterised in that the device further comprises:
a processing unit, for processing VXLAN messages normally when the abnormal quantity is less than or equal to the first threshold.
8. The device according to claim 6, characterised in that the device further comprises:
the judging unit, further for judging, after the maximum quantity of VXLAN messages processed per second by this device has been reduced to the preset value, whether the abnormal quantity counted within a preset second unit interval is less than a preset second threshold;
a recovery unit, for restoring the maximum quantity of VXLAN messages processed per second by this device to its initial value when this abnormal quantity is less than the second threshold.
9. The device according to claim 8, characterised in that the device further comprises:
a terminating unit, for stopping the processing of VXLAN messages when this abnormal quantity is greater than or equal to the second threshold; or for stopping the processing of VXLAN messages for n seconds and resuming normal processing of VXLAN messages after the n seconds.
10. The device according to claim 9, characterised in that the device further comprises:
an alarm unit, for sending an alarm prompt when the processing of VXLAN messages is stopped; the alarm prompt is used to prompt the user to investigate the attack source.
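The two-threshold throttle of claims 1 to 5, worked through as a small simulation. This is an added example, not code from the patent or its assignee; the VXLAN header layout follows RFC 7348 (VNI in bytes 4 to 6), and the rates, thresholds, unit intervals and the n-second stop are assumed values. The guard counts received messages whose VNI is not configured locally, and at the end of each unit interval moves between the normal, throttled and stopped states exactly as the claims describe.

```python
import struct
from dataclasses import dataclass, field

VXLAN_FLAG_VNI_VALID = 0x08  # RFC 7348 "I" flag


def make_vxlan(vni: int, payload: bytes = b"") -> bytes:
    """Build a constructed VXLAN header (flags, 3 reserved, VNI<<8) plus payload."""
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8) + payload


def vni_of(packet: bytes) -> int:
    """The VNI is the 24 bits at byte offsets 4..6 of the VXLAN header."""
    if len(packet) < 8:
        raise ValueError("short VXLAN header")
    return int.from_bytes(packet[4:7], "big")


@dataclass
class VxlanGuard:
    local_vnis: set                  # VNIs configured on this VTEP (assumed config)
    initial_pps: int = 10000         # initial max VXLAN messages processed per second
    preset_pps: int = 1000           # the "preset value" of claim 1 (assumed)
    first_threshold: int = 100       # claim 1: abnormal messages per first unit interval
    second_threshold: int = 10       # claim 3: abnormal messages per second unit interval
    stop_seconds: float = 60.0       # claim 4: stop processing VXLAN for n seconds
    max_pps: int = field(init=False)
    abnormal: int = field(init=False, default=0)          # the "abnormal quantity"
    state: str = field(init=False, default="normal")      # normal | throttled | stopped
    stopped_until: float = field(init=False, default=0.0)
    alarms: list = field(init=False, default_factory=list)

    def __post_init__(self):
        self.max_pps = self.initial_pps

    def observe(self, packet: bytes) -> None:
        """Statistic unit (claim 6): count received messages carrying a non-local VNI."""
        if vni_of(packet) not in self.local_vnis:
            self.abnormal += 1

    def end_interval(self, now: float) -> str:
        """Run once per unit interval: apply the claim 1-5 decisions and reset the count."""
        count, self.abnormal = self.abnormal, 0
        if self.state == "stopped":                 # claim 4: resume after n seconds
            if now >= self.stopped_until:
                self.state, self.max_pps = "normal", self.initial_pps
        elif self.state == "normal":                # claims 1-2: throttle or stay normal
            if count > self.first_threshold:
                self.state, self.max_pps = "throttled", self.preset_pps
        elif count < self.second_threshold:         # claim 3: recover the initial rate
            self.state, self.max_pps = "normal", self.initial_pps
        else:                                       # claims 4-5: stop and raise an alarm
            self.state, self.max_pps = "stopped", 0
            self.stopped_until = now + self.stop_seconds
            self.alarms.append(f"t={now}: VXLAN processing stopped; investigate attack source")
        return self.state
```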
CN201610850351.0A 2016-09-26 2016-09-26 Method and device for preventing VXLAN message from being attacked Active CN106357652B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610850351.0A CN106357652B (en) 2016-09-26 2016-09-26 Method and device for preventing VXLAN message from being attacked

Publications (2)

Publication Number Publication Date
CN106357652A true CN106357652A (en) 2017-01-25
CN106357652B CN106357652B (en) 2019-12-06

Family

ID=57858748

Country Status (1)

Country Link
CN (1) CN106357652B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107204896A (en) * 2017-05-22 2017-09-26 迈普通信技术股份有限公司 Method and device for processing VXLAN messages, and VTEP equipment
CN110519265A (en) * 2019-08-27 2019-11-29 新华三信息安全技术有限公司 Method and device for defending against attacks
CN112887317A (en) * 2021-01-30 2021-06-01 北京中安星云软件技术有限公司 Method and system for protecting a database based on a VXLAN network

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101355419A (en) * 2008-08-22 2009-01-28 成都市华为赛门铁克科技有限公司 Method and apparatus for avoiding network attack
CN105591841A (en) * 2015-12-31 2016-05-18 盛科网络(苏州)有限公司 Connectivity detection method of VXLAN tunnel

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
SEBASTIAN JEUK et al.: "Network segmentation in the cloud: a novel architecture based on UCC and IID", 2015 IEEE 4th International Conference on Cloud Networking *

Also Published As

Publication number Publication date
CN106357652B (en) 2019-12-06

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
CB02 Change of applicant information

Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building

Applicant after: Hangzhou Dipu Polytron Technologies Inc

Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building

Applicant before: Hangzhou Dipu Technology Co., Ltd.

SE01 Entry into force of request for substantive examination
GR01 Patent grant