CN107147585B - Flow control method and device - Google Patents


Info

Publication number: CN107147585B
Authority: CN (China)
Prior art keywords: target, flow, determining, traffic, discarded
Legal status: Active
Application number: CN201710210707.9A
Other languages: Chinese (zh)
Other versions: CN107147585A
Inventors: 吴杰珂, 陈雷, 汪亚雷, 杨成伟
Current assignee: Beijing QIYI Century Science and Technology Co Ltd
Original assignee: Beijing QIYI Century Science and Technology Co Ltd
Application filed by Beijing QIYI Century Science and Technology Co Ltd
Priority to CN201710210707.9A
Publication of CN107147585A
Application granted
Publication of CN107147585B

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 47/00 Traffic control in data switching networks > H04L 47/10 Flow control; Congestion control > H04L 47/12 Avoiding congestion; Recovering from congestion > H04L 47/125 Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering
    • H04L 47/00 Traffic control in data switching networks > H04L 47/10 Flow control; Congestion control > H04L 47/32 Flow control; Congestion control by discarding or delaying data units, e.g. packets or frames
    • H04L 49/00 Packet switching elements > H04L 49/20 Support for services > H04L 49/208 Port mirroring
    • H04L 49/00 Packet switching elements > H04L 49/70 Virtual switches

Abstract

An embodiment of the invention provides a flow control method and a flow control device. The method comprises the following steps: obtaining a target total traffic, where the target total traffic is the mirror traffic of the extranet traffic that needs to be directed to the splitter; judging whether the target total traffic is greater than or equal to a first preset threshold; and if so, determining a first to-be-discarded traffic from the target total traffic based on communication sessions and discarding it, where the data corresponding to the first to-be-discarded traffic is complete data contained in at least one communication session. Controlling traffic with the scheme of this embodiment improves the accuracy of security analysis.

Description

Flow control method and device
Technical Field
The present invention relates to the field of internet technologies, and in particular, to a flow control method and apparatus.
Background
Current virtual network firewalls are generally deployed on an extranet switch, so the extranet traffic brought in through the extranet switch can be managed directly by the firewall. Some virtual network firewalls, however, such as a sunken virtual network firewall, are deployed inside the extranet switch, where the extranet traffic and the internal traffic of the extranet switch are mixed together, and management is complex.
As shown in FIG. 1, the sunken virtual network firewall comprises a splitter, an analyzer and an SDN (Software Defined Network) controller. The extranet switch first directs extranet traffic into an LB (load balancing) cluster, then mirrors that extranet traffic and directs the mirror traffic into the splitter; the splitter forwards the mirror traffic to the analyzer for security analysis; finally, the analyzer feeds the result of the security analysis back to the extranet switch and the LB cluster through the SDN controller, so that the extranet switch and the LB cluster can control the access of extranet traffic to internal services according to that result.
In practice, when the extranet traffic exceeds the rate limit of the splitter, packets are lost: for example, if the extranet traffic is 30G while the splitter can only pass 20G, 10G of traffic is dropped. In the prior art, packets are generally dropped at random, i.e. the 10G of packets dropped in the example above are randomly selected, which can remove part of the data of a communication session. During security analysis it is then likely that, for such a session, only the "handshake" packets are collected, and the analyzer treats the session as a "handshake without data transfer", i.e. as malicious traffic tying up the server; such traffic is invalid extranet traffic that cannot be used for security analysis. The effective extranet traffic available for analysis is therefore reduced, and the accuracy of the security analysis is low.
Disclosure of Invention
The embodiment of the invention aims to provide a flow control method and a flow control device so as to improve the accuracy of security analysis. The specific technical scheme is as follows:
In a first aspect, an embodiment of the present invention provides a flow control method, where the method includes:
obtaining a target total traffic, where the target total traffic is the mirror traffic of the extranet traffic that needs to be directed to the splitter;
judging whether the target total traffic is greater than or equal to a first preset threshold;
if so, determining a first to-be-discarded traffic from the target total traffic based on communication sessions, and discarding the first to-be-discarded traffic, where the data corresponding to the first to-be-discarded traffic is complete data contained in at least one communication session.
Optionally, the step of determining the first to-be-discarded traffic from the target total traffic includes:
determining a target load balancing cluster;
determining the first to-be-discarded traffic from a target mirror traffic, where the target mirror traffic is: the mirror traffic, within the target total traffic, of the extranet traffic directed into the target load balancing cluster.
Optionally, the step of determining the first to-be-discarded traffic from the target mirror traffic includes:
determining the first to-be-discarded traffic from the target mirror traffic according to a preset proportion.
Optionally, the step of determining the target load balancing cluster includes:
determining the load balancing cluster with the largest imported traffic as the target load balancing cluster.
Optionally, the preset proportion is 1/Num, where Num is the number of ports occupied by the target load balancing cluster.
Optionally, the step of determining the first to-be-discarded traffic from the target mirror traffic according to the preset proportion includes:
determining a target port from the ports occupied by the target load balancing cluster;
determining, within the target total traffic, the mirror traffic of the extranet traffic directed into the target port as the first to-be-discarded traffic.
Optionally, the step of determining the first to-be-discarded traffic from the target total traffic includes:
determining a target virtual network address;
determining the traffic in the target total traffic whose virtual network address is the target virtual network address as the first to-be-discarded traffic.
Optionally, the flow control method provided in the embodiment of the present invention further includes:
determining a target intranet access switch;
obtaining the uplink bandwidth congestion degree corresponding to the target intranet access switch;
determining a target sampling weight value according to the uplink bandwidth congestion degree;
determining, based on communication sessions and according to the target sampling weight value, a second to-be-discarded traffic from the target traffic, and discarding the second to-be-discarded traffic, where the target traffic is the target total traffic or the traffic exported by the splitter corresponding to the target intranet access switch, and the data corresponding to the second to-be-discarded traffic is complete data contained in at least one communication session.
Optionally, the step of obtaining the uplink bandwidth congestion degree corresponding to the target intranet access switch includes:
obtaining the flow delay corresponding to the target intranet access switch;
determining the congestion degree of the uplink bandwidth corresponding to the target intranet access switch according to the following formula:
Figure BDA0001260907650000031
where L is the uplink bandwidth congestion degree, n is the number of sampling points in a preset time window, m is the number of preset smoothing points, RTT_ij is the flow delay, j is identification information of the data packet size, and RTT is a preset initial value related to j.
Optionally, the step of determining the target sampling weight value according to the uplink bandwidth congestion degree includes:
obtaining the traffic ratio of the intranet north-south uplink port of the target intranet access switch;
determining the target sampling weight value according to the following formula:
W_s = Max(1 - L, B)
where W_s is the target sampling weight value, L is the uplink bandwidth congestion degree, B is the traffic ratio, and Max(,) is the maximum-value function.
In a second aspect, an embodiment of the present invention provides a flow control device, including:
a first obtaining module, configured to obtain a target total traffic, where the target total traffic is the mirror traffic of the extranet traffic that needs to be directed to a splitter;
a judging module, configured to judge whether the target total traffic is greater than or equal to a first preset threshold;
a first determining module, configured to determine, based on communication sessions, a first to-be-discarded traffic from the target total traffic if the result of the judging module is yes; and
a first discarding module, configured to discard the first to-be-discarded traffic, where the data corresponding to the first to-be-discarded traffic is complete data contained in at least one communication session.
Optionally, the first determining module includes:
a first determining submodule, configured to determine a target load balancing cluster;
a second determining submodule, configured to determine the first to-be-discarded traffic from a target mirror traffic, where the target mirror traffic is: the mirror traffic, within the target total traffic, of the extranet traffic directed into the target load balancing cluster.
Optionally, the second determining submodule is specifically configured to:
determine the first to-be-discarded traffic from the target mirror traffic according to a preset proportion.
Optionally, the first determining submodule is specifically configured to:
determine the load balancing cluster with the largest imported traffic as the target load balancing cluster.
Optionally, the preset proportion is 1/Num, where Num is the number of ports occupied by the target load balancing cluster.
Optionally, the second determining submodule is specifically configured to:
determine a target port from the ports occupied by the target load balancing cluster; and
determine, within the target total traffic, the mirror traffic of the extranet traffic directed into the target port as the first to-be-discarded traffic.
Optionally, the first determining module is specifically configured to:
determine a target virtual network address; and
determine the traffic in the target total traffic whose virtual network address is the target virtual network address as the first to-be-discarded traffic.
Optionally, the flow control device provided in the embodiment of the present invention further includes:
a second determining module, configured to determine a target intranet access switch;
a second obtaining module, configured to obtain the uplink bandwidth congestion degree corresponding to the target intranet access switch;
a third determining module, configured to determine a target sampling weight value according to the uplink bandwidth congestion degree; and
a second discarding module, configured to determine, based on communication sessions and according to the target sampling weight value, a second to-be-discarded traffic from the target traffic and discard it, where the target traffic is the target total traffic or the traffic exported by the splitter corresponding to the target intranet access switch, and the data corresponding to the second to-be-discarded traffic is complete data contained in at least one communication session.
Optionally, the second obtaining module is specifically configured to:
obtaining the flow delay corresponding to the target intranet access switch;
determining the congestion degree of the uplink bandwidth corresponding to the target intranet access switch according to the following formula:
Figure BDA0001260907650000051
where L is the uplink bandwidth congestion degree, n is the number of sampling points in a preset time window, m is the number of preset smoothing points, RTT_ij is the flow delay, j is identification information of the data packet size, and RTT is a preset initial value related to j.
Optionally, the third determining module is specifically configured to:
obtain the traffic ratio of the intranet north-south uplink port of the target intranet access switch; and
determine the target sampling weight value according to the following formula:
W_s = Max(1 - L, B)
where W_s is the target sampling weight value, L is the uplink bandwidth congestion degree, B is the traffic ratio, and Max(,) is the maximum-value function.
In the flow control scheme provided in the embodiment of the present invention, the mirror traffic of the extranet traffic that needs to be directed to the splitter, i.e. the target total traffic, is obtained first; it is then judged whether the target total traffic is greater than or equal to the first preset threshold, and if so a first to-be-discarded traffic is determined from the target total traffic based on communication sessions and discarded, where the data corresponding to the first to-be-discarded traffic is complete data contained in at least one communication session. It can be seen that, with the technical solution of the embodiment, traffic is dropped at communication-session granularity and what is discarded is always the complete set of packets of a session, so that during security analysis the analyzer no longer collects only the "handshake" packets of a session, mistakes them for a "handshake without data transfer", i.e. malicious traffic tying up the server, and discards them.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a diagram of a sunken virtual network firewall in the prior art;
FIG. 2 is a schematic flow chart of a flow control method according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating a network architecture of a sunken virtual network firewall in the prior art;
FIG. 4 is another schematic flow chart of a flow control method according to an embodiment of the present invention;
FIG. 5 is a network architecture diagram of an implementation of the embodiment of the invention shown in FIG. 4;
FIG. 6 is a schematic structural diagram of a flow control device according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of another flow control device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to improve the accuracy of security analysis, the embodiment of the invention provides a flow control method and a flow control device.
First, a flow control method according to an embodiment of the present invention is described below.
As shown in fig. 2, a flow control method provided in an embodiment of the present invention includes the following steps:
and S201, obtaining the target total flow.
The target total traffic is the mirror traffic of the extranet traffic that needs to be directed to the splitter. A splitter, i.e. a network splitter (Network TAP), is a hardware device usually connected in series into a network; in the embodiment of the present invention it is used to send the mirror traffic of the extranet traffic to the analyzer, and the analyzer performs security analysis on the traffic directed into it.
In one implementation of the present application, when extranet traffic arrives, all of it can be directed to the splitter in full-mirror mode, and all the traffic at the splitter port is then acquired dynamically through the SDN controller; the acquired traffic is the target total traffic. The splitter is directly connected to the extranet switch, and the target total traffic changes continuously as extranet traffic keeps arriving and as packets are discarded. The SDN controller is the bridge between the underlying network switching equipment and the upper-layer applications: on one hand it performs centralized management, state monitoring, forwarding decisions and the processing and scheduling of data-plane traffic on the underlying switching equipment through a southbound interface protocol; on the other hand it exposes multiple levels of programmability to upper-layer applications through a northbound interface, allowing a network user to define network policies flexibly for specific application scenarios. The SDN controller itself, and how all traffic of the splitter port is acquired through it, are prior art and are not described again here.
S202, judging whether the target total flow is larger than or equal to a first preset threshold value, if so, executing S203.
Specifically, if the target total traffic is greater than or equal to the first preset threshold, the target total traffic cannot be transmitted normally; to ensure normal data transmission and avoid congestion, S203 may be executed to drop packets.
The first preset threshold may be determined according to the rate limit of the splitter, or set by a developer according to experience; this is not limited in the present application.
S203, based on the communication session, determining a first to-be-discarded traffic from the target total traffic, and discarding the first to-be-discarded traffic.
It should be noted that, if the result of S202 is yes, the first to-be-discarded traffic may be determined based on communication sessions according to the relationship between the size of the target total traffic and the first preset threshold, and then discarded; this implements the sampling and rate limiting of the target total traffic.
"Based on communication sessions" means that the data corresponding to the first to-be-discarded traffic is complete data contained in at least one communication session, i.e. the first to-be-discarded traffic is taken at communication-session granularity, and consequently the traffic data used for analysis is also at communication-session granularity.
It should be noted that the target total traffic is the mirror traffic of the extranet traffic directed into the load balancing clusters, so it corresponds to the traffic directed into those clusters, and traffic directed into the same load balancing cluster usually shares some attribute, for example all destination addresses correspond to one specific internal service. Therefore, to determine the to-be-discarded traffic quickly and simply, it may be determined directly from the target total traffic on the basis of one load balancing cluster, according to the characteristics of the extranet traffic directed into that cluster, without having to determine it across load balancing clusters in some other way.
In a first implementation, the step of determining the first to-be-discarded traffic from the target total traffic may include:
determining a target load balancing cluster;
determining the first to-be-discarded traffic from a target mirror traffic, where the target mirror traffic is: the mirror traffic, within the target total traffic, of the extranet traffic directed into the target load balancing cluster.
To control the sampling and rate limiting more flexibly, the step of determining the first to-be-discarded traffic from the target mirror traffic may include:
determining the first to-be-discarded traffic from the target mirror traffic according to a preset proportion.
It can be understood that the target total traffic changes dynamically: the splitter acts like a funnel, and while traffic is being dropped because of a blockage, the splitter keeps exporting traffic, so the target total traffic decreases relative to what it was. Hence only part of the mirror traffic of the extranet traffic directed into the target load balancing cluster needs to be dropped at a time; if the target total traffic after dropping is still greater than or equal to the first preset threshold, the above steps can be repeated and another part of the target total traffic dropped. In this way the total traffic that actually has to be dropped is reduced, i.e. a further decrease of the effective extranet traffic available for security analysis is prevented, and the accuracy of the security analysis is improved.
It should be noted that, when the target load balancing cluster is the one with the largest imported traffic, the first to-be-discarded traffic determined according to the preset proportion is also relatively large, so the extranet traffic can be directed into the splitter and transmitted to the analyzer for security analysis more quickly. Therefore, the step of determining the target load balancing cluster may include:
determining the load balancing cluster with the largest imported traffic as the target load balancing cluster.
Taking the load balancing cluster with the largest imported traffic as the target increases the speed at which traffic is discarded to a certain extent, and thus the convergence speed of the flow control process.
It should be noted that, when an LB cluster is connected to an extranet switch, it may occupy multiple ports of the extranet switch; since one port carries multiple VIPs (Virtual IP, virtual network addresses) and one VIP corresponds to multiple complete communication sessions, one port corresponds to multiple complete communication sessions, and the determination of the first to-be-discarded traffic based on communication sessions may therefore be implemented at port granularity.
When the first to-be-discarded traffic is determined based on a port, the preset proportion can be 1/Num, where Num is the number of ports occupied by the target load balancing cluster; correspondingly, the step of determining the first to-be-discarded traffic from the target mirror traffic according to the preset proportion may include:
determining a target port from the ports occupied by the target load balancing cluster;
determining, within the target total traffic, the mirror traffic of the extranet traffic directed into the target port as the first to-be-discarded traffic.
It can be understood that, since each port occupied by the target load balancing cluster carries the same traffic, the target port may be any one of those ports.
In a second implementation, since one VIP corresponds to multiple complete communication sessions, the determination of the first to-be-discarded traffic based on communication sessions may be implemented at VIP granularity; specifically, the step of determining the first to-be-discarded traffic from the target total traffic may include:
determining a target virtual network address;
determining the traffic in the target total traffic whose virtual network address is the target virtual network address as the first to-be-discarded traffic.
It should be noted that, since one VIP comprises multiple communication sessions, the data corresponding to the first to-be-discarded traffic so determined consists of complete communication session data at VIP granularity.
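The S201-S203 procedure with both implementations (drop by port of the busiest LB cluster, drop by VIP), beside the prior-art per-packet drop for contrast, as an added Python example that is not the patent's own code. Packet sizes, cluster names, ports and VIPs are constructed; taking the busiest VIP as the target VIP is an assumption, since the patent does not say how it is chosen.

```python
"""Session-granular flow control for mirrored extranet traffic (added example, not the patent's code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Packet:
    """One mirrored packet; all field values used below are constructed for this example."""
    cluster: str    # LB cluster the original extranet traffic was directed into
    port: int       # extranet-switch port occupied by that LB cluster
    vip: str        # virtual network address (VIP) served on that port
    session: str    # communication session identifier (a 5-tuple in practice)
    kind: str       # "handshake" or "data"
    size_gb: float  # traffic volume this packet stands for, in G

def total(packets: List[Packet]) -> float:
    return sum(p.size_gb for p in packets)

def _busiest(packets: List[Packet], key: Callable[[Packet], str]) -> str:
    """Group traffic by key (cluster or VIP) and return the group with the most traffic;
    ties are broken by name so that results are deterministic."""
    volume = defaultdict(float)
    for p in packets:
        volume[key(p)] += p.size_gb
    return min(volume, key=lambda k: (-volume[k], k))

def drop_by_port(packets: List[Packet], threshold_gb: float) -> Tuple[List[Packet], list]:
    """First implementation of S203: while the mirror traffic is >= the threshold, take the
    LB cluster with the largest imported traffic, pick one of its ports and drop the mirror
    traffic of every session on that port (a 1/Num share of that cluster's mirror traffic)."""
    kept, dropped = list(packets), []
    while kept and total(kept) >= threshold_gb:
        cluster = _busiest(kept, lambda p: p.cluster)
        port = min(p.port for p in kept if p.cluster == cluster)  # any port of it will do
        kept = [p for p in kept if not (p.cluster == cluster and p.port == port)]
        dropped.append((cluster, port))
    return kept, dropped

def drop_by_vip(packets: List[Packet], threshold_gb: float) -> Tuple[List[Packet], list]:
    """Second implementation of S203: drop all traffic of a target VIP, which carries whole
    sessions. Choosing the busiest VIP is an assumption made here, not stated by the patent."""
    kept, dropped = list(packets), []
    while kept and total(kept) >= threshold_gb:
        vip = _busiest(kept, lambda p: p.vip)
        kept = [p for p in kept if p.vip != vip]
        dropped.append(vip)
    return kept, dropped

def drop_by_packet(packets: List[Packet], threshold_gb: float, order: List[int]) -> List[Packet]:
    """Prior-art contrast: drop individual packets, taking indexes from `order` (a random
    permutation in practice), until the total is below the threshold."""
    doomed = set()
    for idx in order:
        if total([p for i, p in enumerate(packets) if i not in doomed]) < threshold_gb:
            break
        doomed.add(idx)
    return [p for i, p in enumerate(packets) if i not in doomed]

def sessions_are_whole(original: List[Packet], kept: List[Packet]) -> bool:
    """True when every session is either fully kept or fully dropped."""
    before = Counter(p.session for p in original)
    after = Counter(p.session for p in kept)
    return all(after.get(s, 0) in (0, n) for s, n in before.items())

def handshake_only_sessions(kept: List[Packet]) -> int:
    """Sessions left with only their handshake packet: exactly the fragments the analyzer
    would mistake for handshake-without-data-transfer traffic."""
    kinds = defaultdict(set)
    for p in kept:
        kinds[p.session].add(p.kind)
    return sum(1 for k in kinds.values() if k == {"handshake"})

def _session(cluster: str, port: int, vip: str, sid: str, sizes: List[float]) -> List[Packet]:
    kinds = ["handshake"] + ["data"] * (len(sizes) - 1)
    return [Packet(cluster, port, vip, sid, k, s) for k, s in zip(kinds, sizes)]

# Constructed sample: 30G of mirror traffic against a 20G splitter limit, the figures used in
# the background section. LB-A occupies two ports at 6G each; LB-B and LB-C one port each at 9G.
SAMPLE = (
    _session("LB-A", 1, "10.0.0.1", "s1", [1.0, 2.0]) + _session("LB-A", 1, "10.0.0.2", "s2", [1.0, 2.0])
    + _session("LB-A", 2, "10.0.0.3", "s3", [1.0, 2.0]) + _session("LB-A", 2, "10.0.0.4", "s4", [1.0, 2.0])
    + _session("LB-B", 3, "10.0.1.1", "s5", [1.0, 2.0, 1.5]) + _session("LB-B", 3, "10.0.1.2", "s6", [1.0, 2.0, 1.5])
    + _session("LB-C", 4, "10.0.2.1", "s7", [1.0, 2.0, 1.5]) + _session("LB-C", 4, "10.0.2.2", "s8", [1.0, 2.0, 1.5])
)
SPLITTER_LIMIT_GB = 20.0

if __name__ == "__main__":
    for name, kept in (("per port", drop_by_port(SAMPLE, SPLITTER_LIMIT_GB)[0]),
                       ("per VIP", drop_by_vip(SAMPLE, SPLITTER_LIMIT_GB)[0]),
                       ("per packet", drop_by_packet(SAMPLE, SPLITTER_LIMIT_GB, list(range(1, 20, 2))))):
        print(f"{name}: kept {total(kept):.1f}G, whole sessions only: {sessions_are_whole(SAMPLE, kept)}, "
              f"handshake-only sessions: {handshake_only_sessions(kept)}")
```

The VIP-granular variant drops less (it keeps 16.5G against 15G for the port-granular one) because its unit of discard is smaller, while the per-packet drop leaves four sessions as bare handshakes.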
In the flow control scheme of the embodiment shown in FIG. 2, the mirror traffic of the extranet traffic that needs to be directed to the splitter, i.e. the target total traffic, is obtained first; it is then judged whether the target total traffic is greater than or equal to the first preset threshold, and if so a first to-be-discarded traffic is determined from the target total traffic based on communication sessions and discarded, where the data corresponding to the first to-be-discarded traffic is complete data contained in at least one communication session. It can be seen that, with the technical solution of the embodiment, traffic is dropped at communication-session granularity and what is discarded is always the complete set of packets of a session, so that during security analysis the analyzer no longer collects only the "handshake" packets of a session, mistakes them for a "handshake without data transfer", i.e. malicious traffic tying up the server, and discards them.
In one implementation of the present application, as shown in FIG. 3, the extranet switch is connected to multiple LB clusters and splitters; the arriving extranet traffic is directed into the LB clusters through the extranet switch and copied into one splitter, and the traffic exported by each splitter is directed through an intranet access switch into the corresponding analyzer for security analysis, the analyzer being connected to the intranet access switch.
In order to solve the above problem, on the basis of the embodiment shown in fig. 2, as shown in fig. 4, the flow control method provided in the embodiment of the present invention may further include the following steps:
and S204, determining a target intranet access switch.
The target intranet access switch can be any intranet access switch connected to an analyzer, or an intranet access switch whose uplink bandwidth congestion degree needs to be monitored; this is not limited in the present application.
And S205, acquiring the congestion degree of the uplink bandwidth corresponding to the target intranet access switch.
In one implementation, a Payload method based on ICMP (Internet Control Message Protocol) may be used to evaluate the traffic delay of the intranet link corresponding to the target intranet access switch. Because requests are generally highly concurrent and a performance-sensitive payload does not exceed 64 MTUs, a payload of 1 MTU or 64 MTUs can be used to represent the uplink bandwidth congestion degree of the target intranet access switch when a small or a large data packet, respectively, is transmitted. Specifically, the step of obtaining the uplink bandwidth congestion degree corresponding to the target intranet access switch may include:
obtaining the flow delay corresponding to the target intranet access switch;
determining the congestion degree of the uplink bandwidth corresponding to the target intranet access switch according to the following formula:
Figure BDA0001260907650000111
where L is the uplink bandwidth congestion degree corresponding to the target intranet access switch, n is the number of sampling points in a preset time window, m is the number of preset smoothing points, RTT_ij is the flow delay, j is identification information of the data packet size, and RTT is a preset initial value related to j.
More specifically, n is bounded by the preset time window; j is 1 MTU or 64 MTU, corresponding respectively to the scenario in which a small or a large data packet is transmitted; and RTT is the preset initial value corresponding to j. How the traffic delay corresponding to the target intranet access switch is obtained in the Payload method is prior art and is not described here.
Specifically, m is set to 3 by default, which filters out network jitter. The formula then becomes:
Figure BDA0001260907650000112
if L is equal to or greater than 1, L is equal to 1, and finally, the value of L belongs to [0,1], and it can be understood that the closer the value of L is to 0, the heavier the uplink bandwidth congestion degree is.
And S206, determining a target sampling weight value according to the congestion degree of the uplink bandwidth.
The target sampling weight value can be determined according to the congestion degree of the uplink bandwidth corresponding to the target intranet access switch.
Specifically, the step of determining the target sampling weight value according to the congestion degree of the uplink bandwidth may include:
obtaining the traffic ratio of the north-south uplink port of the target intranet access switch;
determining a target sampling weight value according to the following formula:
W_s = Max(1 - L, B)
where W_s is the target sampling weight value, L is the uplink bandwidth congestion degree corresponding to the target intranet access switch, B is the traffic ratio, and Max(,) is the maximum function.
For example, if the available uplink bandwidth of the target intranet access switch is 40G and the actual traffic is 20G, then B is 50%. It can be understood that B may be read directly from the target intranet access switch through the SDN controller; details are not described here.
S207: determining second traffic to be discarded from the target traffic, per communication session, according to the target sampling weight value, and discarding the second traffic to be discarded.
The data corresponding to the second traffic to be discarded is the complete data contained in at least one communication session; the target traffic is the target total traffic or the traffic derived by the splitter corresponding to the target intranet access switch. That is, the mirror traffic used for security analysis can be sampled and rate-limited on the extranet access switch or on the target intranet access switch, per communication session, according to the target sampling weight value, so that excessive traffic does not affect normal service.
In a specific implementation, the position of the intranet access switch connected to the analyzer may be determined from information such as the IP address, the asset record, or the rack associated with that switch. Then, on the basis of fig. 3 and as shown in fig. 5, an evaluation test server is added at the same position; the evaluation test server applies the method of S204 to S206 to determine the target sampling weight value and feeds it back to the extranet access switch or the corresponding intranet access switch, which performs the sampling and rate-limiting operation of S207. The evaluation test server may be a physical host or a virtual machine, which is not limited here.
On the basis of the embodiment shown in fig. 2, in the flow control method provided in the embodiment shown in fig. 4, for any target intranet access switch connected to the analyzer, the uplink bandwidth congestion degree corresponding to that switch may also be obtained, a target sampling weight value is determined from the congestion degree, second traffic to be discarded is determined from the target traffic per communication session according to the target sampling weight value, and that traffic is discarded. Therefore, when the traffic derived by the splitter is led into the analyzer through the intranet access switch, bandwidth competition between this traffic and the service traffic on the switch is reduced, which prevents the uplink port of the intranet switch from becoming congested and disrupting normal service traffic, and so prevents service access timeouts or instability.
Corresponding to the above method embodiment, an embodiment of the present invention provides a flow control device, corresponding to the flow shown in fig. 2, as shown in fig. 6, including:
a first obtaining module 601, configured to obtain a target total flow, where the target total flow is a mirror image flow of an external network flow that needs to be guided to a splitter;
a determining module 602, configured to determine whether the target total flow is greater than or equal to a first preset threshold;
a first determining module 603, configured to determine, based on a communication session, a first to-be-discarded traffic from the target total traffic if a determination result of the determining module is yes;
a first discarding module 604, configured to discard the first traffic to be discarded, where data corresponding to the first traffic to be discarded is complete data included in at least one communication session.
In the flow control device provided in the embodiment of the invention shown in fig. 6, the mirror traffic of the extranet traffic that needs to be guided to the splitter, that is, the target total traffic, may be obtained first; then it is determined whether the target total traffic is greater than or equal to a first preset threshold, and if so, first traffic to be discarded is determined from the target total traffic per communication session and discarded, where the data corresponding to the first traffic to be discarded is the complete data contained in at least one communication session. It can be seen that, by applying the technical solution provided by the embodiment of the present invention, traffic is discarded per communication session, and what is discarded is all of the complete data packets of a given session. Therefore, during security analysis a session is never seen only through its "handshake" packets with its data packets missing, so malicious traffic against a server is not mistaken by the analyzer for a "handshake" without data transfer and overlooked.
Specifically, the first determining module 603 may include:
the first determining submodule is used for determining a target load balancing cluster;
a second determining submodule, configured to determine first traffic to be discarded from target mirror traffic, where the target mirror traffic is the mirror traffic, within the target total traffic, of the extranet traffic led into the target load balancing cluster.
Specifically, the second determining submodule may be specifically configured to:
determining first traffic to be discarded from the target mirror traffic according to a preset proportion.
Specifically, the first determining submodule may be specifically configured to:
determining the load balancing cluster with the largest imported traffic as the target load balancing cluster.
Specifically, the preset ratio may be 1/Num, where Num is the number of ports occupied by the target load balancing cluster.
Specifically, the second determining submodule may be specifically configured to:
determining a target port from the ports occupied by the target load balancing cluster;
determining the mirror traffic, within the target total traffic, of the extranet traffic led into the target port as the first traffic to be discarded.
Specifically, the first determining module 603 may be specifically configured to:
determining a target virtual network address;
determining the traffic in the target total traffic whose virtual network address is the target virtual network address as the first traffic to be discarded.
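As an added example (not the patent's own code), the following Python sketches both discarding stages of the device described above: the first discarding module dropping a 1/Num share of the busiest cluster's mirror traffic by port, and the second discarding module sampling whole sessions with weight W_s = Max(1 - L, B). The session key, the sample addresses, the choice of the busiest port as the target port, and taking L as an input (its formula is an image on this page) are all assumptions made here.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One mirrored packet.  Sample data below is constructed, not from the patent."""
    src: str       # extranet client address
    sport: int
    vip: str       # virtual network address of the load-balancing cluster
    dport: int     # port occupied by that cluster
    length: int    # bytes
    kind: str      # "syn", "data" or "fin"

    def session(self):
        # Every packet of one communication session shares this key.
        return (self.src, self.sport, self.vip, self.dport)


def total_bytes(packets):
    return sum(p.length for p in packets)


def busiest_cluster(packets):
    """Target load-balancing cluster: the VIP that imported the most mirrored bytes."""
    per_vip = defaultdict(int)
    for p in packets:
        per_vip[p.vip] += p.length
    return max(per_vip, key=per_vip.get)


def first_discard(packets, threshold):
    """First stage (claims 2 to 6): below the threshold nothing is dropped.
    At or above it, drop the mirror traffic of one port of the busiest cluster,
    i.e. a 1/Num share.  Which of the Num ports becomes the target port is left
    open by the patent; picking the busiest port is an assumption made here.
    Dropping by VIP:port removes whole sessions, never partial ones."""
    if total_bytes(packets) < threshold:
        return list(packets), []
    vip = busiest_cluster(packets)
    per_port = defaultdict(int)
    for p in packets:
        if p.vip == vip:
            per_port[p.dport] += p.length
    target_port = max(per_port, key=per_port.get)
    hit = lambda p: p.vip == vip and p.dport == target_port
    return [p for p in packets if not hit(p)], [p for p in packets if hit(p)]


def target_sampling_weight(L, actual_bps, available_bps):
    """S206: Ws = Max(1 - L, B), B being the uplink traffic ratio (20G/40G = 0.5).
    L (the congestion degree) is an input: its formula is an image on the page."""
    B = actual_bps / available_bps
    return max(1.0 - L, B)


def keep_session(session, ws):
    """Deterministic per-session coin: hash the session key once so that all of
    its packets get the same verdict (kept together or dropped together)."""
    digest = hashlib.sha256(repr(session).encode()).digest()
    bucket = int.from_bytes(digest[:4], "big") / 2**32  # uniform in [0, 1)
    return bucket < ws


def second_discard(packets, ws):
    """S207: sample the remaining traffic with weight Ws at session granularity."""
    return [p for p in packets if keep_session(p.session(), ws)]


def sessions_complete(kept, original):
    """True when every session present in `kept` still has all of its packets,
    so the analyzer never sees a bare handshake with the data packets missing."""
    want, have = defaultdict(list), defaultdict(list)
    for p in original:
        want[p.session()].append(p)
    for p in kept:
        have[p.session()].append(p)
    return all(have[s] == want[s] for s in have)


def make_session(src, sport, vip, dport, data_len):
    """Constructed sample session: handshake, one data packet, teardown."""
    return [Packet(src, sport, vip, dport, 60, "syn"),
            Packet(src, sport, vip, dport, data_len, "data"),
            Packet(src, sport, vip, dport, 60, "fin")]


# Constructed mirrored traffic: cluster 10.0.0.1 occupies ports 80 and 443,
# cluster 10.0.0.2 occupies port 8080 (sample addresses, not from the patent).
SAMPLE = (make_session("203.0.113.5", 40001, "10.0.0.1", 80, 1400)
          + make_session("203.0.113.6", 40002, "10.0.0.1", 80, 900)
          + make_session("203.0.113.7", 40003, "10.0.0.1", 443, 500)
          + make_session("203.0.113.8", 40004, "10.0.0.2", 8080, 300))
```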
Further, on the basis of including the first obtaining module 601, the determining module 602, the first determining module 603, and the first discarding module 604, as shown in fig. 7, which corresponds to the flow shown in fig. 4, the flow control apparatus according to the embodiment of the present invention may further include:
a second determining module 605, configured to determine a target intranet access switch;
a second obtaining module 606, configured to obtain an uplink bandwidth congestion degree corresponding to the target intranet access switch;
a third determining module 607, configured to determine a target sampling weight value according to the uplink bandwidth congestion degree;
a second discarding module 608, configured to determine second traffic to be discarded from the target traffic, per communication session, according to the target sampling weight value, and to discard it; the target traffic is the target total traffic or the traffic derived by the splitter corresponding to the target intranet access switch, and the data corresponding to the second traffic to be discarded is the complete data contained in at least one communication session.
Based on the embodiment of the present invention shown in fig. 6, in the flow control device provided in the embodiment shown in fig. 7, the uplink bandwidth congestion degree corresponding to any target intranet access switch connected to the analyzer may also be obtained, a target sampling weight value is determined from the congestion degree, second traffic to be discarded is determined from the target traffic per communication session according to the target sampling weight value, and that traffic is discarded. Therefore, when the traffic derived by the splitter is led into the analyzer through the intranet access switch, bandwidth competition between this traffic and the service traffic on the switch is reduced, which prevents the uplink port of the intranet switch from becoming congested and disrupting normal service traffic, and so prevents service access timeouts or instability.
Specifically, the second obtaining module 606 may be specifically configured to:
obtaining the flow delay corresponding to the target intranet access switch;
determining the congestion degree of the uplink bandwidth corresponding to the target intranet access switch according to the following formula:
Figure BDA0001260907650000151
where L is the uplink bandwidth congestion degree, n is the number of sampling points in a preset time window, m is the number of preset smoothing points, RTT_ij is the traffic delay of the i-th sampling point for data packet size j, j is identification information of the size of the data packet, and RTT is a preset initial value that depends on j.
Specifically, the third determining module 607 may be specifically configured to:
obtaining the traffic ratio of the north-south uplink port of the target intranet access switch;
determining a target sampling weight value according to the following formula:
W_s = Max(1 - L, B)
where W_s is the target sampling weight value, L is the uplink bandwidth congestion degree, B is the traffic ratio, and Max(,) is the maximum function.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (18)

1. A method of flow control, the method comprising:
obtaining a target total flow, wherein the target total flow is mirror traffic of the extranet traffic that needs to be guided to the splitter;
judging whether the target total flow is greater than or equal to a first preset threshold value or not;
if yes, determining a first flow to be discarded from the target total flow based on the communication session, and discarding the first flow to be discarded, wherein data corresponding to the first flow to be discarded is complete data contained in at least one communication session;
the method further comprises the following steps:
determining a target intranet access switch;
acquiring the congestion degree of the uplink bandwidth corresponding to the target intranet access switch;
determining a target sampling weight value according to the congestion degree of the uplink bandwidth;
determining second to-be-discarded traffic from the target traffic based on the communication session according to the target sampling weight value, and discarding the second to-be-discarded traffic; the target traffic is the target total flow or the traffic derived by the splitter corresponding to the target intranet access switch; and the data corresponding to the second to-be-discarded traffic is complete data contained in at least one communication session.
2. The method of claim 1, wherein the step of determining a first to-be-discarded flow from the target total flow comprises:
determining a target load balancing cluster;
determining a first flow to be discarded from target mirror traffic, wherein the target mirror traffic is the mirror traffic, within the target total flow, of the extranet traffic led into the target load balancing cluster.
3. The method of claim 2, wherein the step of determining the first to-be-dropped traffic from the target mirror traffic comprises:
determining a first flow to be discarded from the target mirror traffic according to a preset proportion.
4. The method of claim 3, wherein the step of determining the target load balancing cluster comprises:
determining the load balancing cluster with the largest imported traffic as the target load balancing cluster.
5. The method of claim 3, wherein the preset ratio is 1/Num, where Num is the number of ports occupied by the target load balancing cluster.
6. The method of claim 5, wherein the step of determining the first to-be-discarded traffic from the target mirror traffic at the predetermined ratio comprises:
determining a target port from the ports occupied by the target load balancing cluster;
determining the mirror traffic, within the target total flow, of the extranet traffic led into the target port as the first flow to be discarded.
7. The method of claim 1, wherein the step of determining a first to-be-discarded flow from the target total flow comprises:
determining a target virtual network address;
determining the traffic in the target total flow whose virtual network address is the target virtual network address as the first flow to be discarded.
8. The method according to claim 1, wherein the step of obtaining the uplink bandwidth congestion level corresponding to the target intranet access switch includes:
obtaining the flow delay corresponding to the target intranet access switch;
determining the congestion degree of the uplink bandwidth corresponding to the target intranet access switch according to the following formula:
Figure FDA0002180600300000021
wherein L is the uplink bandwidth congestion degree, n is the number of sampling points in a preset time window, m is the number of preset smoothing points, RTT_ij is the traffic delay of the i-th sampling point for data packet size j, j is identification information of the size of the data packet, and RTT is a preset initial value that depends on j.
9. The method of claim 8, wherein the step of determining a target sampling weight value according to the uplink bandwidth congestion level comprises:
obtaining the traffic ratio of the north-south uplink port of the target intranet access switch;
determining a target sampling weight value according to the following formula:
W_s = Max(1 - L, B)
wherein W_s is the target sampling weight value, L is the uplink bandwidth congestion degree, B is the traffic ratio, and Max(,) is the maximum function.
10. A flow control device, the device comprising:
a first obtaining module, configured to obtain a target total flow, wherein the target total flow is mirror traffic of the extranet traffic that needs to be guided to the splitter;
the judging module is used for judging whether the target total flow is greater than or equal to a first preset threshold value or not;
a first determining module, configured to determine, based on a communication session, a first to-be-discarded traffic from the target total traffic if a determination result of the determining module is yes;
the first discarding module is configured to discard the first to-be-discarded traffic, where data corresponding to the first to-be-discarded traffic is complete data included in at least one communication session;
the device further comprises:
the second determination module is used for determining a target intranet access switch;
a second obtaining module, configured to obtain an uplink bandwidth congestion degree corresponding to the target intranet access switch;
the third determining module is used for determining a target sampling weight value according to the congestion degree of the uplink bandwidth;
a second discarding module, configured to determine second to-be-discarded traffic from the target traffic based on the communication session according to the target sampling weight value and to discard the second to-be-discarded traffic; the target traffic is the target total flow or the traffic derived by the splitter corresponding to the target intranet access switch; and the data corresponding to the second to-be-discarded traffic is complete data contained in at least one communication session.
11. The apparatus of claim 10, wherein the first determining module comprises:
the first determining submodule is used for determining a target load balancing cluster;
a second determining submodule, configured to determine a first flow to be discarded from target mirror traffic, wherein the target mirror traffic is the mirror traffic, within the target total flow, of the extranet traffic led into the target load balancing cluster.
12. The apparatus according to claim 11, wherein the second determining submodule is specifically configured to:
determining a first flow to be discarded from the target mirror traffic according to a preset proportion.
13. The apparatus according to claim 12, wherein the first determining submodule is specifically configured to:
determining the load balancing cluster with the largest imported traffic as the target load balancing cluster.
14. The apparatus of claim 12, wherein the preset ratio is 1/Num, where Num is the number of ports occupied by the target load balancing cluster.
15. The apparatus according to claim 14, wherein the second determining submodule is specifically configured to:
determining a target port from the ports occupied by the target load balancing cluster;
determining the mirror traffic, within the target total flow, of the extranet traffic led into the target port as the first flow to be discarded.
16. The apparatus of claim 10, wherein the first determining module is specifically configured to:
determining a target virtual network address;
determining the traffic in the target total flow whose virtual network address is the target virtual network address as the first flow to be discarded.
17. The apparatus according to claim 10, wherein the second obtaining module is specifically configured to:
obtaining the flow delay corresponding to the target intranet access switch;
determining the congestion degree of the uplink bandwidth corresponding to the target intranet access switch according to the following formula:
Figure FDA0002180600300000041
wherein L is the uplink bandwidth congestion degree, n is the number of sampling points in a preset time window, m is the number of preset smoothing points, RTT_ij is the traffic delay of the i-th sampling point for data packet size j, j is identification information of the size of the data packet, and RTT is a preset initial value that depends on j.
18. The apparatus of claim 17, wherein the third determining module is specifically configured to:
obtaining the traffic ratio of the north-south uplink port of the target intranet access switch;
determining a target sampling weight value according to the following formula:
W_s = Max(1 - L, B)
wherein W_s is the target sampling weight value, L is the uplink bandwidth congestion degree, B is the traffic ratio, and Max(,) is the maximum function.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710210707.9A CN107147585B (en) 2017-03-31 2017-03-31 Flow control method and device


Publications (2)

Publication Number Publication Date
CN107147585A CN107147585A (en) 2017-09-08
CN107147585B true CN107147585B (en) 2020-02-18



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant