CN110661721B - Message anti-attack method and device

Info

Publication number: CN110661721B
Application number: CN201810712659.8A
Other versions: CN110661721A
Authority: CN (China)
Other languages: Chinese (zh)
Prior art keywords: session, speed limit, CAR speed limit, message, cluster
Inventor: 常静
Current assignee: Beijing Huawei Digital Technologies Co Ltd
Original assignee: Beijing Huawei Digital Technologies Co Ltd
Legal status: Active

Classifications

    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/20 Traffic policing
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for managing network security; network security policies in general
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management

Abstract

Embodiments of the application disclose a message anti-attack method and device in the field of communication, solving the prior-art problem that when the messages of one established session are attacked, other established sessions are affected by the attack and break. The scheme is as follows: the forwarding plane device receives a protocol message; if, according to the session characteristics carried in the protocol message, the protocol message is determined to belong to a first session, a session committed access rate (CAR) speed limit is applied to the protocol message, where the first session is any one of the established sessions, each established session corresponds to its own session CAR speed limit, and the session CAR speed limits of different sessions are isolated from each other; a session cluster CAR speed limit is then applied to the protocol message that passed the session CAR speed limit, where the session cluster CAR speed limit corresponds to at least one established session; and the protocol message that passed the session cluster CAR speed limit is sent to the control plane device.

Description

Message anti-attack method and device
Technical Field
The embodiment of the application relates to the technical field of communication, in particular to a message anti-attack method and device.
Background
A router generally adopts a system architecture in which the control plane and the forwarding plane are separated. The central processing unit (CPU) of the control plane has a relatively weak packet processing capability compared with the network processor (NP) of the forwarding plane, so once a local packet attack on a routing protocol occurs, the CPU is kept busy processing it, the routing protocol session flaps, and the whole network becomes unstable. Therefore a committed access rate (CAR) speed limit policy is generally applied when routing protocol messages are sent from the forwarding plane to the control plane, so that the message flow sent to the CPU stays within the CPU's processing capacity.
The existing message anti-attack method divides messages into those of established sessions and those of sessions not yet established, extracts the session characteristics of the established-session messages, and issues ACL rules for them. When the router receives a protocol message, it looks up and compares the issued ACL rules: a message that hits an ACL rule is rate-limited by the white-list CAR and sent to the CPU, while a message of a session not yet established matches no ACL rule and is rate-limited by the common protocol CAR before being sent to the CPU. The white-list CAR and the common protocol CAR are isolated from each other, and the white-list CAR has a larger bandwidth and a higher priority for sending to the CPU than the common protocol CAR. Although this scheme ensures that messages of established sessions are not affected by message attacks on sessions not yet established, all established-session messages still share one white-list CAR channel, so if a bandwidth attack is directed at the messages of one established session, the messages of the other established sessions are affected by the attack and those sessions break.
Disclosure of Invention
Embodiments of the application provide a message anti-attack method and device that prevent other established sessions from being affected by the attack, and breaking, when the messages of one established session are attacked.
In order to achieve the above purpose, the embodiment of the present application adopts the following technical solutions:
In a first aspect of the embodiments of the present application, a message anti-attack method is provided. The method includes: first, a forwarding plane device receives a protocol message; then, if the protocol message is determined, according to the session characteristics it carries, to belong to a first session, a session committed access rate (CAR) speed limit is applied to the protocol message, where the first session is any one of the established sessions, each established session corresponds to its own session CAR speed limit, and the session CAR speed limits of different sessions are isolated from each other; then, a session cluster CAR speed limit is applied to the protocol message that passed the session CAR speed limit, where the session cluster CAR speed limit corresponds to at least one established session; and finally, the protocol message that passed the session cluster CAR speed limit is sent to the control plane device. By applying two-stage speed limiting to the protocol messages of established sessions, this scheme reduces the attack influence between established-session messages and avoids the situation in which an attack on one established session causes other established sessions to break.
With reference to the first aspect, in a first possible implementation manner, the session cluster CAR speed limit corresponding to at least one established session includes: the session cluster CAR speed limit corresponds to sessions of the same routing protocol, or to sessions of different routing protocols, among the established sessions. Specifically, if the established sessions belong to the same routing protocol, the session cluster CAR speed limit may correspond to all established sessions of that routing protocol; if the established sessions belong to different routing protocols, one session cluster CAR speed limit may correspond to all established sessions of the different routing protocols, or each session cluster CAR speed limit may correspond to the sessions of one routing protocol among the established sessions. Thus the established sessions of one routing protocol can be treated as a session cluster for session cluster CAR speed limiting, and the established sessions of different routing protocols can likewise be treated as one session cluster.
With reference to the first aspect and the foregoing possible implementation manners, in another possible implementation manner, the session CAR speed limit uses a two-rate three-color dual-bucket trTCM in color-blind mode, and the session cluster CAR speed limit uses a single-rate three-color dual-bucket srTCM in color-sensitive mode; the four traffic parameters of trTCM are the peak information rate PIR, peak burst size PBS, committed information rate CIR and committed burst size CBS, and the three traffic parameters of srTCM are the committed information rate CIR, committed burst size CBS and excess burst size EBS. With this scheme, two-stage speed limiting is applied to the protocol message, so that when one established session is attacked, other established sessions are not affected by the attack and do not break.
With reference to the first aspect and the foregoing possible implementation manners, in another possible implementation manner, if the session cluster CAR speed limit corresponds to all established sessions, the CIR of the session cluster CAR speed limit is greater than or equal to the sum of the CIRs of all session CAR speed limits and less than or equal to the processing capacity of the control plane device; or, if each session cluster CAR speed limit corresponds to the sessions of one routing protocol among the established sessions, the CIR of each session cluster CAR speed limit is greater than or equal to the sum of the CIRs of the session CAR speed limits of the sessions of that routing protocol, and the sum of the CIRs of all session cluster CAR speed limits is less than or equal to the processing capacity of the control plane device. With this scheme, when a protocol message marked green by the session CAR speed limit reaches the session cluster CAR speed limit, its tokens are all taken from the C bucket and it passes normally, so the session does not break.
With reference to the first aspect and the foregoing possible implementation manners, in another possible implementation manner, the CIR of the session cluster CAR speed limit is greater than or equal to the PIR of the session CAR speed limit, and the CBS of the session cluster CAR speed limit is greater than or equal to the PBS of the session CAR speed limit. With this scheme, when only one session is established, a protocol message that was not discarded by the session CAR speed limit is not discarded by the session cluster CAR speed limit either.
With reference to the first aspect and the foregoing possible implementation manners, in another possible implementation manner, before the forwarding plane device receives the protocol message, the message anti-attack method further includes: the forwarding plane device extracts the session characteristics of the messages of established sessions and issues access control list (ACL) rules; determining that the protocol message belongs to the first session includes: the forwarding plane device determines, according to the session characteristics carried in the protocol message, whether the protocol message hits an ACL rule, and if so, determines that the protocol message belongs to the first session. With this scheme, whether a received protocol message belongs to an established session can be determined from the ACL rules of the established sessions.
In a second aspect of the embodiments of the present application, a message anti-attack device is provided. The device includes: a receiving unit, configured to receive a protocol message; a processing unit, configured to determine, according to the session characteristics carried in the protocol message received by the receiving unit, whether the protocol message belongs to a first session, and, if it does, to apply a session committed access rate (CAR) speed limit to the protocol message, where the first session is any one of the established sessions, each established session corresponds to its own session CAR speed limit, and the session CAR speed limits of different sessions are isolated from each other; the processing unit is further configured to apply a session cluster CAR speed limit to the protocol message that passed the session CAR speed limit, where the session cluster CAR speed limit corresponds to at least one established session; and a sending unit, configured to send the protocol message that passed the session cluster CAR speed limit to the control plane device.
With reference to the second aspect, in a first possible implementation manner, the session cluster CAR speed limit corresponding to at least one established session includes: the session cluster CAR speed limit corresponds to sessions of the same routing protocol, or to sessions of different routing protocols, among the established sessions.
With reference to the second aspect and the foregoing possible implementation manners, in another possible implementation manner, the session CAR speed limit uses a two-rate three-color dual-bucket trTCM in color-blind mode, and the session cluster CAR speed limit uses a single-rate three-color dual-bucket srTCM in color-sensitive mode; the four traffic parameters of trTCM are the peak information rate PIR, peak burst size PBS, committed information rate CIR and committed burst size CBS, and the three traffic parameters of srTCM are the committed information rate CIR, committed burst size CBS and excess burst size EBS.
With reference to the second aspect and the foregoing possible implementation manners, in another possible implementation manner, if the session cluster CAR speed limit corresponds to all established sessions, the CIR of the session cluster CAR speed limit is greater than or equal to the sum of the CIRs of all session CAR speed limits and less than or equal to the processing capacity of the control plane device; or, if each session cluster CAR speed limit corresponds to the sessions of one routing protocol among the established sessions, the CIR of each session cluster CAR speed limit is greater than or equal to the sum of the CIRs of the session CAR speed limits of the sessions of that routing protocol, and the sum of the CIRs of all session cluster CAR speed limits is less than or equal to the processing capacity of the control plane device.
With reference to the second aspect and the foregoing possible implementation manners, in another possible implementation manner, the CIR of the session cluster CAR speed limit is greater than or equal to the PIR of the session CAR speed limit, and the CBS of the session cluster CAR speed limit is greater than or equal to the PBS of the session CAR speed limit.
With reference to the second aspect and the foregoing possible implementation manners, in another possible implementation manner, the processing unit is further configured to extract the session characteristics of the messages of established sessions and issue access control list (ACL) rules; the processing unit is specifically configured to determine, according to the session characteristics carried in the protocol message, whether the protocol message hits an ACL rule, and if so, to determine that the protocol message belongs to the first session.
For the above description of the effects of the second aspect and the various implementations of the second aspect, reference may be made to the description of the corresponding effects of the first aspect and the various implementations of the first aspect, and details are not repeated here.
A third aspect of the embodiments of the present application provides a computer storage medium, where a computer program code is stored in the computer storage medium, and when the computer program code runs on a processor, the processor is caused to execute the packet anti-attack method according to the first aspect or any one of possible implementation manners of the first aspect.
A fourth aspect of the embodiments of the present application provides a communication apparatus, which is applied to a forwarding plane device, and the communication apparatus includes a processor, where the processor is configured to couple with a memory, read an instruction in the memory, and execute the message anti-attack method according to the instruction in the first aspect.
In a fifth aspect of the embodiments of the present application, a computer program product is provided, where the computer program product stores computer software instructions executed by the processor, and the computer software instructions include a program for executing the solution of the above aspect.
In a sixth aspect of the embodiments of the present application, an apparatus is provided, where the apparatus exists in a product form of a chip, and the apparatus includes a processor and a memory, where the memory is configured to be coupled to the processor and store necessary program instructions and data of the apparatus, and the processor is configured to execute the program instructions stored in the memory, so that the apparatus performs the function of the message anti-attack apparatus in the foregoing method.
Drawings
Fig. 1 is a schematic structural diagram of a router according to an embodiment of the present application;
fig. 2 is a flowchart of a method for preventing a message from being attacked according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a session established between routers according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a session established between routers according to an embodiment of the present application;
fig. 5 is a flowchart of a method for preventing a message from being attacked according to an embodiment of the present application;
fig. 6 is a flowchart of another method for preventing a packet from being attacked according to the embodiment of the present application;
fig. 7 is a flowchart of another method for preventing a packet from being attacked according to the embodiment of the present application;
fig. 8 is a flowchart of another method for preventing a packet from being attacked according to the embodiment of the present application;
fig. 9 is a schematic composition diagram of a message attack prevention apparatus according to an embodiment of the present application;
fig. 10 is a schematic composition diagram of another packet anti-attack apparatus provided in the embodiment of the present application.
Detailed Description
First, some terms referred to in the embodiments of the present application are explained:
1. Committed access rate CAR
CAR acts at the entrance of a network to control the flow of a certain type of message entering the network, admitting messages that conform to the flow specification. For messages that exceed the flow specification, CAR can, depending on the current use of network resources, either discard them directly or re-mark them (i.e., lower their priority) and continue forwarding them, in which case they are discarded preferentially when congestion occurs.
CAR is implemented with the token bucket algorithm. The token bucket can be regarded as a container holding tokens, and a token as a pass for a message to go through the bucket. On one hand, tokens are injected into the bucket at a certain rate; on the other hand, when a message passes through the bucket it consumes a number of tokens equal to its length. If there are not enough tokens in the bucket, the message is discarded, or re-marked and forwarded. The rate at which messages pass the bucket, and so the rate at which they enter the network, is therefore controlled by the rate at which tokens are added to the bucket. The token bucket algorithms used in the embodiments of the present application include the single-rate three-color dual-bucket algorithm srTCM and the two-rate three-color dual-bucket algorithm trTCM.
2. Two-rate three-color dual-bucket trTCM and color-blind mode
The four traffic parameters of the two-rate three-color dual-bucket trTCM are: the peak information rate PIR, the peak burst size PBS associated with PIR, the committed information rate CIR, and the committed burst size CBS associated with CIR, where PIR is greater than or equal to CIR.
Token buckets P and C are initially (at time 0) full, with token counts Tp(0) = PBS and Tc(0) = CBS. Tp is incremented by one PIR times per second, up to PBS, and Tc is incremented by one CIR times per second, up to CBS.
When a message of size B bytes arrives at time t and trTCM is in color-blind mode, the following operations are performed:
if Tp(t) - B < 0, the message is marked red; otherwise,
if Tc(t) - B < 0, the message is marked yellow and Tp is decremented by B; otherwise,
the message is marked green and both Tp and Tc are decremented by B.
3. Single-rate three-color dual-bucket srTCM and color-sensitive mode
The three traffic parameters of the single-rate three-color dual-bucket srTCM are: the committed information rate CIR, the committed burst size CBS, and the excess burst size EBS.
Token buckets C and E are initially (at time 0) full, with token counts Tc(0) = CBS and Te(0) = EBS; CBS is smaller than EBS. Tc and Te are updated CIR times per second: tokens are first added to bucket C, then to bucket E once bucket C is full, and when both buckets are full newly generated tokens are discarded. That is, the token counts are updated according to the following rules:
if Tc < CBS, Tc is increased by 1; otherwise,
if Te < EBS, Te is increased by 1; otherwise,
neither Tc nor Te is increased.
When a message of size B bytes arrives at time t and srTCM is in color-sensitive mode, the following operations are performed:
if the message has been marked green and Tc(t) - B ≥ 0, the message is marked green and Tc is decremented by B; otherwise,
if the message has been marked green or yellow and Te(t) - B ≥ 0, the message is marked yellow and Te is decremented by B; otherwise,
the message is marked red and neither Tc nor Te is decremented.
4. Session CAR speed limit
The session CAR speed limit refers to the unified speed limit of protocol messages received in a session by taking the session as a unit. For example, if the session 1 receives the protocol packet 1, the protocol packet 2, and the protocol packet 3 within a certain time period, performing the session CAR speed limit on the session 1 means performing the speed limit on the protocol packet 1, the protocol packet 2, and the protocol packet 3 received within the session 1 in a unified manner.
5. Session CAR speed limit isolation
Session CAR speed limit isolation means that each session carries out its session CAR speed limit independently: the session CAR speed limits of different sessions are independent and do not affect each other. For example, the session CAR speed limit parameters of different sessions may differ, each session limits the protocol messages it receives according to its own session CAR speed limit parameters, and when several sessions are speed-limited at the same time they do not affect one another. Thus, session CAR speed limit isolation for session 1, session 2 and session 3 means that CAR speed limiting is performed separately for each of the three sessions, their CAR speed limit parameters may be set the same or differently, and the three speed limits are independent of each other.
6. Session cluster CAR speed limit
The CAR speed limit of the session cluster refers to that the protocol messages received in the session cluster are subjected to unified speed limit by taking the session cluster as a unit. For example, session 1, session 2, and session 3 are established sessions, session 1, session 2, and session 3 are used as a session cluster, and a set of session cluster CAR speed-limiting parameters is used for speed-limiting a protocol packet received in the session cluster.
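The two-stage scheme of the first aspect, built from the trTCM (item 2) and srTCM (item 3) marking rules defined above, as an added Python simulation that is not part of the patent: each established session gets its own color-blind trTCM, their colored output feeds one color-aware srTCM for the session cluster, and the same constructed traffic is also run through a single shared CAR to show the prior-art behaviour in which a flood on one peer starves the others. Byte-per-second rates, the parameter values, the session names and the traffic pattern are all assumptions constructed for the illustration.

```python
"""Two-stage CAR simulation: a per-session trTCM (color-blind) feeding a
session-cluster srTCM (color-aware), compared with one shared CAR (prior art)."""
from collections import Counter

GREEN, YELLOW, RED = "green", "yellow", "red"


class TrTCM:
    """Two-rate three-color marker (RFC 2698), color-blind mode. Rates are in
    bytes per second and burst sizes in bytes; these are assumed units."""

    def __init__(self, pir, pbs, cir, cbs):
        self.pir, self.pbs, self.cir, self.cbs = pir, pbs, cir, cbs
        self.tp, self.tc = float(pbs), float(cbs)  # both buckets full at t = 0
        self.last = 0.0                            # time of the previous refill

    def _refill(self, t):
        dt = max(0.0, t - self.last)
        self.tp = min(self.pbs, self.tp + self.pir * dt)
        self.tc = min(self.cbs, self.tc + self.cir * dt)
        self.last = t

    def mark(self, size, t):
        self._refill(t)
        if self.tp - size < 0:
            return RED                 # exceeds PIR: discarded at this stage
        if self.tc - size < 0:
            self.tp -= size
            return YELLOW              # between CIR and PIR
        self.tp -= size
        self.tc -= size
        return GREEN                   # within CIR


class SrTCM:
    """Single-rate three-color marker (RFC 2697), color-aware mode."""

    def __init__(self, cir, cbs, ebs):
        self.cir, self.cbs, self.ebs = cir, cbs, ebs
        self.tc, self.te = float(cbs), float(ebs)
        self.last = 0.0

    def _refill(self, t):
        # New tokens fill bucket C first; only the overflow reaches bucket E.
        new = self.cir * max(0.0, t - self.last)
        to_c = min(new, self.cbs - self.tc)
        self.tc += to_c
        self.te = min(self.ebs, self.te + new - to_c)
        self.last = t

    def mark(self, size, t, color):
        self._refill(t)
        if color == GREEN and self.tc - size >= 0:
            self.tc -= size
            return GREEN
        if color in (GREEN, YELLOW) and self.te - size >= 0:
            self.te -= size
            return YELLOW
        return RED


class TwoStageCar:
    """Isolated session CAR per session, then one session-cluster CAR."""

    def __init__(self, sessions, cluster_cir, cluster_cbs, cluster_ebs, cpu_rate):
        self.sessions = {sid: TrTCM(**p) for sid, p in sessions.items()}
        s = list(self.sessions.values())
        # Parameter constraints stated by the scheme: cluster CIR between the sum
        # of session CIRs and the control plane capacity, and never below any
        # single session's PIR (likewise cluster CBS never below a session PBS).
        if not sum(x.cir for x in s) <= cluster_cir <= cpu_rate:
            raise ValueError("cluster CIR outside [sum of session CIRs, CPU rate]")
        if any(cluster_cir < x.pir or cluster_cbs < x.pbs for x in s):
            raise ValueError("cluster CIR/CBS below a session PIR/PBS")
        self.cluster = SrTCM(cluster_cir, cluster_cbs, cluster_ebs)

    def police(self, sid, size, t):
        color = self.sessions[sid].mark(size, t)
        if color == RED:
            return RED        # dropped by the session CAR, never reaches the cluster CAR
        return self.cluster.mark(size, t, color)


def simulate(duration_ms=1000):
    """Constructed traffic: BGP peer B floods 100-byte packets every 1 ms
    (100 kB/s) while peer C sends one 100-byte packet every 100 ms (1 kB/s)."""
    params = {"bgp-B": dict(pir=2000, pbs=1000, cir=1000, cbs=500),
              "bgp-C": dict(pir=2000, pbs=1000, cir=1000, cbs=500)}
    two_stage = TwoStageCar(params, 4000, 2000, 2000, cpu_rate=5000)
    shared = SrTCM(4000, 2000, 2000)   # prior art: one white-list CAR for everyone
    res = {"two_stage": {k: Counter() for k in params},
           "shared": {k: Counter() for k in params}}
    for i in range(duration_ms):
        t = i / 1000.0
        for sid in ["bgp-B"] + (["bgp-C"] if i % 100 == 0 else []):
            res["two_stage"][sid][two_stage.police(sid, 100, t)] += 1
            res["shared"][sid][shared.mark(100, t, GREEN)] += 1
    return res
```

With the two-stage policer every one of peer C's packets stays green while the flood from peer B is cut to red at B's own session CAR; with the single shared CAR, C's packets are marked red once B has drained the common buckets.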
In the embodiments of the present application, words such as "exemplary" or "for example" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "e.g.," is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present concepts related in a concrete fashion.
The embodiment of the application provides a message anti-attack method, which is applied to a framework, wherein the framework comprises forwarding plane equipment and control plane equipment.
The forwarding plane equipment is used for packaging and forwarding the data message. Illustratively, after the system receives the IP packet, the forwarding plane device decapsulates the IP packet, looks up the routing table, and forwards the IP packet from the egress interface. For example, the forwarding plane device may be a network processor, and the network processor may adopt a committed access rate CAR speed limit policy for a received routing protocol packet that needs to be locally processed, and then send the routing protocol local packet after speed limit to the control plane device.
The control plane device is used for issuing instructions and computing table entries, such as routing protocol learning, routing table entry maintenance, protocol packet forwarding, and protocol table entry calculation and maintenance. For example, the control plane device may be a central processing unit, which receives the messages sent by the forwarding plane device.
It is understood that the forwarding plane device and the control plane device in the embodiments of the present application may be a processor or a chip. The forwarding plane device and the control plane device may be configured separately or in one device, which is not limited in this application. Here, the forwarding plane device and the control plane device are only configured in one device as an example, and the device may be a router.
Illustratively, the router 100 adopts a system architecture in which a control plane and a forwarding plane are separated, the forwarding plane is used for implementing a function of forwarding a packet, and the control plane is used for implementing control over packet forwarding, as shown in fig. 1, the router 100 is composed of a main control board, a switching network board, an interface board, and the like. The main control board is a control core of the router 100, and is used for completing management and control of the whole router and directly receiving an instruction of a network management center; the switch network board is used for completing high-speed data exchange in the router 100; the interface board is used for processing message forwarding. For example, in fig. 1, two interface boards are taken as an example, and the two interface boards can process packet forwarding in parallel, so that the packet forwarding capability is greatly improved. The embodiment of the present application does not limit the specific structure of the router 100.
As shown in fig. 1, the forwarding plane of the interface board of the router 100 includes: a network processor 101, a physical interface card 102 and a forwarding table entry memory 103; the control plane includes: a central processor 104.
The network processor 101 is a programmable processor designed specifically for processing data packets; it can also be used for routing table management, system configuration and management. The network processor 101 usually consists of several microcode processors and several hardware coprocessors. The microcode processors run in parallel inside the network processor, with the processing flow controlled by pre-programmed microcode; complex operations (such as memory operations, routing table lookup, QoS congestion control and traffic scheduling algorithms) are offloaded to hardware coprocessors to further improve performance, combining service flexibility with high performance.
Physical interface card 102: provides a physical connection between the router 100 and a particular type of network medium, the interface of the physical interface card 102 can be flexibly upgraded and changed according to actual needs.
Forwarding table entry memory 103: the routing forwarding table of the router 100 is stored, the routing forwarding table is generated according to the routing table of the control plane, the table entry and the routing table entry have a direct corresponding relation, but the format of the forwarding table is different from that of the routing table, and the routing forwarding table is more suitable for realizing quick search.
In this embodiment, the forwarding table entry memory 103 may include a volatile memory, such as a random-access memory (RAM); it may also include a non-volatile memory, such as a flash memory, a hard disk drive (HDD) or a solid state drive (SSD); or it may include a combination of the above kinds of memory.
The central processor 104: is the core component of the router and can be used for executing the instructions of the routing operating system, interpreting and executing the commands input by the user and simultaneously completing the work related to the calculation.
It is understood that fig. 1 is only an exemplary illustration, and in practical applications, the router 100 may include more or less components than those shown in fig. 1, and the structure shown in fig. 1 does not set any limit to the router provided in the embodiment of the present application.
In order to solve the problem described in the background art, namely that when the messages of a certain established session are attacked, the messages of other established sessions are affected by the attack and those sessions suffer link breaking, embodiments of the present application provide a message anti-attack method which reduces the mutual attack influence between the messages of established sessions and avoids link breaking of other established sessions caused by an attack on the messages of one established session.
With reference to fig. 1 and as shown in fig. 2, the method for preventing a packet from being attacked provided in the embodiment of the present application may include S201 to S204.
S201, the forwarding plane equipment receives the protocol message.
Illustratively, the forwarding plane device may be the network processor in router A shown in fig. 3 and fig. 4, and the network processor may receive the protocol packet. For example, the network processor may receive messages of the same routing protocol sent by other routers, or messages of different routing protocols sent by other routers.
For example, as shown in fig. 3, the network processor may receive Border Gateway Protocol (BGP) messages sent by router B, router C and router D; as shown in fig. 4, the network processor may also receive BGP protocol packets sent by router B, router C and router D together with Open Shortest Path First (OSPF) protocol packets sent by router E and router F. In the embodiment of the present application, the type of protocol packet sent by another router and received by the network processor is not limited, and fig. 3 and fig. 4 are only examples. For instance, the protocol packet received by the forwarding plane device may also be a Routing Information Protocol (RIP) packet, an Interior Gateway Routing Protocol (IGRP) packet or an Intermediate System to Intermediate System (IS-IS) protocol packet.
S202, the forwarding plane equipment carries out session commitment access rate CAR speed limit on the protocol message according to the session characteristics carried in the protocol message if the protocol message is determined to belong to the first session.
The first session is any one of the established sessions; each of the established sessions corresponds to its own session CAR speed limit, and the session CAR speed limits of different sessions are isolated from one another.
Illustratively, an established session is one in which routing protocol peers have set up a connection by exchanging messages and have completed mutual authentication, so that each side regards the other as trusted; such a session is called an established session. For example, as shown in fig. 3, after router A establishes BGP session connections with router B, router C and router D respectively, the resulting BGP sessions 1, 2 and 3 are established sessions. Steps S202-S204 in the embodiment of the present application all apply to protocol packets belonging to an established session. Protocol packets of sessions that are not yet established are processed as in the prior art, which is not described again here.
For example, the forwarding plane device may determine whether the protocol packet belongs to the first session according to the session feature carried in the protocol packet.
The first session is any one of the established sessions, and each of the established sessions corresponds to its own ACL rule. For example, the established sessions include BGP session 1, BGP session 2 and BGP session 3, each of which corresponds to its own ACL rule. An ACL rule may include five-tuple information such as the source IP address, destination IP address, source port number, destination port number and IP protocol number. The content of the ACL rule is not limited in the embodiment of the present application: for example, if the protocol packet received by the forwarding plane device is a BGP protocol packet, the ACL rule may further include a VPN instance index number, and if the protocol packet received by the forwarding plane device is an OSPF protocol packet, the ACL rule may further include an interface index. The forwarding plane device can obtain the ACL rules by extracting the session features from messages of an established session.
If the session feature carried by the protocol message hits the ACL rule of BGP session 2, it is determined that the protocol message belongs to BGP session 2 (the first session). The embodiment of the present application does not limit the specific manner in which the forwarding plane device determines that the protocol packet belongs to the first session.
For example, the session characteristics may include a source IP address, a destination IP address, a source port number, a destination port number, an IP protocol number, and the like of the protocol packet, and the session characteristics carried in the protocol packets of different routing protocol sessions may be the same or different.
If the protocol message is determined to belong to the first session, the session CAR speed limit corresponding to the first session is applied to the protocol message.
It should be noted that each of the established sessions corresponds to its own session CAR speed limit, and the session CAR speed limits of different sessions are isolated. The session CAR speed limit means rate limiting, with the session as the unit, of the protocol messages received in that session. For example, BGP session 1 receives BGP protocol message 1 within a certain time period, and BGP protocol message 1 is rate limited accordingly.
Session CAR speed limit isolation means that each session carries out its session CAR speed limit independently; the session CAR speed limits of different sessions are independent and do not influence each other. For example, as shown in fig. 5, BGP protocol message 1 belongs to BGP session 1, BGP protocol message 2 belongs to BGP session 2 and BGP protocol message 3 belongs to BGP session 3; BGP protocol message 1 is subjected to the session CAR speed limit of BGP session 1, BGP protocol message 2 to that of BGP session 2 and BGP protocol message 3 to that of BGP session 3, and the session CAR speed limits of BGP session 1, BGP session 2 and BGP session 3 are independent of and do not affect one another.
For example, the session CAR speed limit in the embodiment of the present application may use the two-rate three-color marker trTCM (two token buckets) in color-blind mode. The parameter settings of the session CAR speed limits of different sessions may be the same or different.
The specific process of the session CAR speed limit is described with reference to the scenario shown in fig. 3 as an example. As shown in fig. 3, router A (the forwarding plane device) receives BGP protocol message 1, BGP protocol message 2 and BGP protocol message 3 sent by router B, router C and router D respectively. BGP protocol message 1 and BGP protocol message 2 are BGP attack messages whose traffic is 10 Mbps each; BGP protocol message 3 is a normal message whose traffic is 10 Kbps. When session CAR rate limiting is performed on them, BGP protocol message 1 belongs to BGP session 1, BGP protocol message 2 belongs to BGP session 2 and BGP protocol message 3 belongs to BGP session 3. Merely as an example, the session CAR rate limiting parameters of BGP session 1, BGP session 2 and BGP session 3 are here set to be the same, as follows:
CIR 32 Kbps, CBS 9000000 bytes, PIR 4 Mbps, PBS 9000000 bytes.
As shown in fig. 5, the session CAR speed limit process is performed on BGP protocol message 1, BGP protocol message 2 and BGP protocol message 3 according to the session CAR parameters of BGP session 1, BGP session 2 and BGP session 3 respectively.
Illustratively, when session CAR rate limiting is performed on BGP protocol message 1, because its traffic of 10 Mbps is greater than the PIR (4 Mbps) of the session CAR speed limit of BGP session 1, the 6 Mbps of BGP protocol message 1 that exceeds the PIR (4 Mbps) is discarded after the session CAR speed limit and the remaining 4 Mbps passes, of which the 32 Kbps within the CIR is marked green and the rest is marked yellow; when session CAR rate limiting is performed on BGP protocol message 2, because its traffic of 10 Mbps is likewise greater than the PIR (4 Mbps) of the session CAR speed limit of BGP session 2, the 6 Mbps exceeding the PIR is discarded and the remaining 4 Mbps passes, of which 32 Kbps is marked green and the rest yellow; when session CAR rate limiting is performed on BGP protocol message 3, because its traffic of 10 Kbps is smaller than the CIR (32 Kbps) of the session CAR speed limit of BGP session 3, all of BGP protocol message 3 is marked green after the session CAR speed limit.
S203, the forwarding plane equipment carries out session cluster CAR speed limit on the protocol message after the session CAR speed limit.
The session cluster CAR speed limit means rate limiting, with a session cluster as the unit, of all protocol messages received in that session cluster. A session cluster CAR speed limit corresponds to at least one established session. For example, as shown in fig. 6, one session cluster CAR speed limit corresponds to BGP session 1, BGP session 2, BGP session 3, OSPF session 1 and OSPF session 2; or, as shown in fig. 7, one session cluster CAR speed limit corresponds to BGP session 1, BGP session 2 and BGP session 3, and another session cluster CAR speed limit corresponds to OSPF session 1 and OSPF session 2.
Illustratively, the session cluster CAR speed limit corresponds to sessions of the same routing protocol or sessions of different routing protocols among the established sessions. For example, if the established sessions all belong to the same routing protocol, the session cluster CAR speed limit may correspond to all established sessions of that routing protocol; if the established sessions belong to different routing protocols, one session cluster CAR speed limit may correspond to all established sessions of the different routing protocols, or each session cluster CAR speed limit may correspond to the sessions of one routing protocol among the established sessions of the different routing protocols.
The three cases will be described below.
In the first case: if the established sessions are sessions of the same routing protocol, the session cluster CAR speed limit can correspond to all established sessions of the same routing protocol.
Exemplarily, in combination with the scenario shown in fig. 3 and as shown in fig. 5, when the network processor in router A performs session cluster CAR speed limiting on BGP protocol message 1, BGP protocol message 2 and BGP protocol message 3, the session cluster CAR speed limit corresponds to BGP session 1, BGP session 2 and BGP session 3; that is, BGP session 1, BGP session 2 and BGP session 3 (all established sessions of the same routing protocol) are treated as one cluster, and session cluster CAR speed limiting is performed on them uniformly.
In the second case: if the established sessions are sessions of different routing protocols, the session cluster CAR speed limit can correspond to all the established sessions of different routing protocols.
Illustratively, in conjunction with the scenario shown in fig. 4 and as shown in fig. 6, when the network processor in router A performs session cluster CAR speed limiting on BGP protocol message 1, BGP protocol message 2, BGP protocol message 3, OSPF protocol message 1 and OSPF protocol message 2, the session cluster CAR speed limit corresponds to BGP session 1, BGP session 2, BGP session 3, OSPF session 1 and OSPF session 2; that is, BGP session 1, BGP session 2, BGP session 3, OSPF session 1 and OSPF session 2 (all established sessions of the different routing protocols) are treated as one cluster, and session cluster CAR speed limiting is performed on them uniformly.
In the third case: if the established sessions are sessions of different routing protocols, the CAR speed limit of each session cluster can correspond to the sessions of the same routing protocol in the established sessions of different routing protocols.
For example, in combination with the scenario shown in fig. 4 and as shown in fig. 6, when the network processor in router A performs session cluster CAR speed limiting on BGP protocol message 1, BGP protocol message 2, BGP protocol message 3, OSPF protocol message 1 and OSPF protocol message 2, one session cluster CAR speed limit corresponds to BGP session 1, BGP session 2 and BGP session 3, and another session cluster CAR speed limit corresponds to OSPF session 1 and OSPF session 2; that is, BGP session 1, BGP session 2 and BGP session 3 (the sessions of the BGP routing protocol among the established sessions of different routing protocols) are treated as one cluster on which session cluster CAR speed limiting is performed uniformly, and OSPF session 1 and OSPF session 2 (the sessions of the OSPF routing protocol among the established sessions of different routing protocols) are treated as another cluster on which session cluster CAR speed limiting is performed uniformly.
It can be understood that the embodiment of the present application does not limit which of these implementations the forwarding plane device (network processor) uses to perform session cluster CAR speed limiting on protocol packets; a speed limiting manner adopting any one of the above manners falls within the protection scope of the embodiment of the present application.
Illustratively, the session cluster CAR speed limit in the embodiment of the present application may use the single-rate three-color marker srTCM (two token buckets) in color-aware mode. The parameter settings of different session cluster CAR speed limits may be the same or different.
Exemplarily, the specific process of the session cluster CAR speed limit is described taking the scenario shown in fig. 3 as an example. As shown in fig. 3, router A (the forwarding plane device) performs session cluster CAR speed limiting on BGP protocol message 1, BGP protocol message 2 and BGP protocol message 3 after they have passed the session CAR speed limit, where the session cluster CAR speed limit corresponds to BGP session 1, BGP session 2 and BGP session 3. Merely as an example, the session cluster CAR speed limit parameters are set as follows:
CIR 4 Mbps, CBS 9000000 bytes, EBS 9000000 bytes.
As shown in fig. 5, the process of performing session cluster CAR speed limiting on BGP protocol message 1, BGP protocol message 2 and BGP protocol message 3 according to these session cluster CAR parameters is as follows.
Illustratively, when session cluster CAR speed limiting is performed on BGP protocol message 1, BGP protocol message 2 and BGP protocol message 3, BGP session 1, BGP session 2 and BGP session 3 are treated as one session cluster. After the session CAR speed limit, 32 Kbps of the remaining 4 Mbps of BGP protocol message 1 is marked green and the rest yellow, 32 Kbps of the remaining 4 Mbps of BGP protocol message 2 is marked green and the rest yellow, and all of BGP protocol message 3 is marked green. Therefore, during session cluster CAR speed limiting, the green messages of BGP protocol message 1, BGP protocol message 2 and BGP protocol message 3 draw tokens from the C bucket, and the yellow messages of BGP protocol message 1 and BGP protocol message 2 draw tokens from the E bucket. Because the green-marked part of BGP protocol message 1 is 32 Kbps, that of BGP protocol message 2 is 32 Kbps and that of BGP protocol message 3 is 10 Kbps, the green messages of BGP session 1, BGP session 2 and BGP session 3 together amount to 74 Kbps, which is less than the CIR (4 Mbps) of the session cluster CAR speed limit, so all the green messages of BGP protocol message 1, BGP protocol message 2 and BGP protocol message 3 obtain tokens from the C bucket and pass normally. When the yellow messages of BGP protocol message 1 and BGP protocol message 2 draw tokens from the E bucket, those that obtain a token pass normally and those that cannot obtain a token are discarded.
After BGP protocol message 1, BGP protocol message 2 and BGP protocol message 3 have passed through the session CAR speed limit and the session cluster CAR speed limit, the traffic of BGP protocol messages sent up to the CPU is still limited to 4 Mbps, while the normal session messages (whose traffic is less than the CIR) are all sent up to the control plane device for processing, so the session is guaranteed not to be disconnected.
Illustratively, if, according to the speed limit manners of the first case and the second case, the session cluster CAR speed limit corresponds to all established sessions, the CIR of the session cluster CAR speed limit is greater than or equal to the sum of the CIRs of all the session CAR speed limits and less than or equal to the processing capacity of the control plane device.
Illustratively, if, according to the speed limit manner of the third case, each session cluster CAR speed limit corresponds to the sessions of one routing protocol among the established sessions, the CIR of each session cluster CAR speed limit is greater than or equal to the sum of the CIRs of the session CAR speed limits of the sessions of that routing protocol, and the sum of the CIRs of all the session cluster CAR speed limits is less than or equal to the processing capacity of the control plane device.
Here, the case in which the session cluster CAR speed limit corresponds to all established sessions is taken as the example. Because the lower limit of the session cluster CAR CIR in the embodiment of the application is the sum of the CIRs of all session CAR speed limits, and the srTCM algorithm adopted by the session cluster CAR speed limit continuously injects tokens into the C bucket, it is ensured that all green messages produced by the session CAR speed limits obtain tokens and pass normally. Therefore, the message anti-attack method can avoid link breaking of other established sessions caused by the attack influence when a certain established session is attacked.
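The two-stage policing of S202 and S203, as an added example that is not code from the patent: the per-session trTCM in color-blind mode and the session-cluster srTCM in color-aware mode are implemented as byte token buckets, the fig. 3 scenario (two 10 Mbps attack streams and one 10 Kbps normal session; session CIR 32 Kbps and PIR 4 Mbps; cluster CIR 4 Mbps) is replayed as a constructed packet trace, and the CIR and CBS constraints stated in this section and in claims 4 and 5 are checked. The burst sizes (1500 and 10000 bytes) and the 500-byte packets are assumptions chosen so that a 10-second trace reaches steady state; the page's 9000000-byte bursts would absorb the whole trace.

```python
"""Two-stage CAR policing as described on this page: per-session trTCM (RFC 2698,
color-blind) followed by a shared session-cluster srTCM (RFC 2697, color-aware).
Added example, not the patent's code; rates follow the page, burst sizes are constructed."""
from collections import Counter

GREEN, YELLOW, RED = "green", "yellow", "red"

class TrTCM:
    """Two-rate three-color marker, color-blind mode; tokens are bytes."""
    def __init__(self, cir_bps, cbs, pir_bps, pbs):
        self.cir, self.pir = cir_bps / 8.0, pir_bps / 8.0   # bytes per second
        self.cbs, self.pbs = cbs, pbs
        self.tc, self.tp, self.last = cbs, pbs, 0.0          # buckets start full
    def meter(self, now, size):
        dt, self.last = now - self.last, now
        self.tc = min(self.cbs, self.tc + self.cir * dt)
        self.tp = min(self.pbs, self.tp + self.pir * dt)
        if self.tp < size:                 # above PIR: red, dropped by session CAR
            return RED
        if self.tc < size:                 # between CIR and PIR: yellow
            self.tp -= size
            return YELLOW
        self.tc -= size                    # within CIR: green
        self.tp -= size
        return GREEN

class SrTCM:
    """Single-rate three-color marker, color-aware mode; tokens are bytes."""
    def __init__(self, cir_bps, cbs, ebs):
        self.cir, self.cbs, self.ebs = cir_bps / 8.0, cbs, ebs
        self.tc, self.te, self.last = cbs, ebs, 0.0
    def meter(self, now, size, color):
        dt, self.last = now - self.last, now
        new, room = self.cir * dt, self.cbs - self.tc
        if new <= room:                    # CIR tokens fill the C bucket first ...
            self.tc += new
        else:                              # ... and the overflow feeds the E bucket
            self.tc = self.cbs
            self.te = min(self.ebs, self.te + new - room)
        if color == GREEN and self.tc >= size:   # only green input may stay green
            self.tc -= size
            return GREEN
        if color != RED and self.te >= size:     # green or yellow input: E bucket
            self.te -= size
            return YELLOW
        return RED                         # no token: dropped by cluster CAR

def police(packets, session_params, cluster_params):
    """Run (time_s, session, bytes) packets through session CAR then cluster CAR."""
    meters, cluster, stats = {}, SrTCM(*cluster_params), {}
    for now, sid, size in sorted(packets):
        meter = meters.setdefault(sid, TrTCM(*session_params[sid]))
        st = stats.setdefault(sid, {"to_cpu": 0, "dropped_session": 0,
                                    "dropped_cluster": 0, "cpu_colors": Counter()})
        color = meter.meter(now, size)
        if color == RED:
            st["dropped_session"] += size
            continue
        color = cluster.meter(now, size, color)
        if color == RED:
            st["dropped_cluster"] += size
            continue
        st["to_cpu"] += size
        st["cpu_colors"][color] += 1
    return stats

def constant_rate_trace(sid, rate_bps, pkt_bytes, duration_s):
    """Constructed trace: fixed-size packets evenly spaced at the given bit rate."""
    pps = rate_bps / 8.0 / pkt_bytes
    return [(i / pps, sid, pkt_bytes) for i in range(int(pps * duration_s))]

def check_parameters(session, cluster, n_sessions, cpu_capacity_bps):
    """Constraints the page states (claims 4 and 5) when one cluster CAR covers all
    n sessions and every session CAR uses the same parameters; returns violations."""
    s_cir, _, s_pir, s_pbs = session
    c_cir, c_cbs, _ = cluster
    rules = [(c_cir >= n_sessions * s_cir, "cluster CIR below sum of session CIRs"),
             (c_cir <= cpu_capacity_bps, "cluster CIR above control-plane capacity"),
             (c_cir >= s_pir, "cluster CIR below session PIR"),
             (c_cbs >= s_pbs, "cluster CBS below session PBS")]
    return [msg for ok, msg in rules if not ok]

SESSION_CAR = (32_000, 1_500, 4_000_000, 1_500)   # CIR, CBS, PIR, PBS; bursts constructed
CLUSTER_CAR = (4_000_000, 10_000, 10_000)         # CIR, CBS, EBS; bursts constructed
SESSIONS = ("BGP session 1", "BGP session 2", "BGP session 3")

def run_scenario(duration_s=10.0):
    """Fig. 3 scenario: two 10 Mbps attack streams and one 10 Kbps normal session."""
    trace = (constant_rate_trace(SESSIONS[0], 10_000_000, 500, duration_s)
             + constant_rate_trace(SESSIONS[1], 10_000_000, 500, duration_s)
             + constant_rate_trace(SESSIONS[2], 10_000, 500, duration_s))
    return police(trace, {sid: SESSION_CAR for sid in SESSIONS}, CLUSTER_CAR)

if __name__ == "__main__":
    for sid, st in run_scenario().items():
        print(sid, st["to_cpu"], st["dropped_session"], st["dropped_cluster"],
              dict(st["cpu_colors"]))
```

Running it shows each attack session cut to about 4 Mbps by its session CAR, the three sessions together held at about 4 Mbps toward the CPU by the cluster CAR, and every packet of the 10 Kbps session forwarded green.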
And S204, the forwarding plane equipment sends the protocol message subjected to the speed limit of the session cluster CAR to the control plane equipment.
For example, as shown in fig. 5 to fig. 7, the forwarding plane device in router A may send the packet after the two-stage speed limit to the control plane device, where the control plane device may be the central processing unit (CPU) of the control plane in router A.
It can be understood that, because the network processor performs a two-stage speed limit on the received protocol messages of established sessions, the bandwidth of the speed-limited protocol messages sent to the CPU remains unchanged and does not increase with the number of protocol sessions.
In the message anti-attack method provided by the embodiment of the application, the forwarding plane device receives a protocol message; according to the session characteristics carried in the protocol message, if the protocol message is determined to belong to a first session, session CAR speed limit is performed on the protocol message, where the first session is any one established session, each of the established sessions corresponds to its own session CAR speed limit, and the session CAR speed limits of different sessions are isolated; session cluster CAR speed limit is performed on the protocol message after the session CAR speed limit, where the session cluster CAR speed limit corresponds to at least one established session; and the protocol message after the session cluster CAR speed limit is sent to the control plane device. Because a two-stage speed limit is applied to the protocol messages of established sessions, the attack influence between the messages of established sessions is reduced, and link breaking of other established sessions caused by an attack on one established session is avoided; at the same time, the bandwidth of routing protocol messages sent up to the CPU remains unchanged and does not increase with the number of protocol sessions.
The embodiment of the present application further provides a method for preventing a message from being attacked, and as shown in fig. 8, before step S201, the method further includes step S205.
S205, the forwarding plane device extracts the session characteristics of messages of an established session and issues an Access Control List (ACL) rule.
In the message anti-attack method provided by the embodiment of the application, the forwarding plane device extracts the session characteristics of messages of an established session and issues an Access Control List (ACL) rule; the forwarding plane device receives a protocol message; it determines, according to the session characteristics carried in the protocol message, whether the protocol message hits the ACL rule, and if so determines that the protocol message belongs to a first session; if the protocol message is determined to belong to the first session, session CAR speed limit is performed on the protocol message, where the first session is any one of the established sessions, each of the established sessions corresponds to its own session CAR speed limit, and the session CAR speed limits of different sessions are isolated; session cluster CAR speed limit is performed on the protocol message after the session CAR speed limit, where the session cluster CAR speed limit corresponds to at least one established session; and the protocol message after the session cluster CAR speed limit is sent to the control plane device. Because a two-stage speed limit is applied to the protocol messages of established sessions, the attack influence between the messages of established sessions is reduced, and link breaking of other established sessions caused by an attack on one established session is avoided; at the same time, the bandwidth of routing protocol messages sent up to the CPU remains unchanged and does not increase with the number of protocol sessions.
The above description has mainly introduced the scheme provided in the embodiments of the present application from the perspective of method steps. It will be appreciated that the computer, in order to carry out the above-described functions, may comprise corresponding hardware structures and/or software modules for performing the respective functions. Those of skill in the art will readily appreciate that the present application is capable of implementing the exemplary modules and algorithm steps described in connection with the embodiments disclosed herein in a combination of hardware and computer software. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiment of the present application, functional modules may be divided according to the above method example, for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and there may be another division manner in actual implementation.
In a case that each functional module is divided according to each function, as shown in fig. 9, the network processor 900 further includes: a receiving unit 901, a processing unit 902 and a transmitting unit 903. The receiving unit 901 may be configured to support the network processor 900 to execute S201 in fig. 2; the processing unit 902 may be configured to support the network processor 900 to perform S202-S203 in fig. 2, or S205 in fig. 8; the sending unit 903 is used to support the network processor 900 to execute S204 in fig. 2. All relevant contents of each step related to the above method embodiment may be referred to the functional description of the corresponding functional module, and are not described herein again.
In the case of using an integrated unit, an embodiment of the present application further provides a network processor, as shown in fig. 10, where the network processor 1000 includes: a storage module 1001 and a processing module 1002. The processing module 1002 is used to control and manage the actions of the computer, for example, the processing module 1002 is used to support the computer to perform S201-S204 in fig. 2, or S201-S205 in fig. 8, and/or other processes for the techniques described herein. A storage module 1001 for storing program codes and data of the computer. In another implementation, the computer structure according to the above embodiments may further include a processor and an interface, the processor and the interface communicating with each other, and the processor being configured to execute the embodiments of the present invention. The processor may be a CPU, or other hardware, such as a Field-Programmable Gate Array (FPGA), etc., or a combination of both.
The embodiment of the present application further provides a device, which exists in a product form of a chip, and the structure of the device includes a processor and an interface circuit, where the processor may obtain a protocol packet sent by another router through the interface circuit, and optionally, the device may further include a memory, where the memory is configured to be coupled to the processor and store necessary program instructions and data of the device, and the processor is configured to execute the program instructions stored in the memory, so that the device performs a function of the packet anti-attack device in the foregoing method. Alternatively, the memory may be a storage module in the chip, such as a register, a cache, and the like, and the storage module may also be a storage module located outside the chip, such as a ROM or other types of static storage devices that can store static information and instructions, a RAM, and the like.
The steps of a method or algorithm described in connection with the disclosure herein may be embodied in hardware or in software instructions executed by a processor. The software instructions may be comprised of corresponding software modules that may be stored in random access memory (RAM), flash memory, erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), registers, a hard disk, a removable disk, a compact disc read-only memory (CD-ROM), or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Of course, the storage medium may also be integral to the processor. The processor and the storage medium may reside in an ASIC. Additionally, the ASIC may reside in a core network interface device. Of course, the processor and the storage medium may also reside as discrete components in a core network interface device.
Those skilled in the art will recognize that in one or more of the examples described above, the functions described herein may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
The above-mentioned embodiments, objects, technical solutions and advantages of the present application are further described in detail, it should be understood that the above-mentioned embodiments are only examples of the present application, and are not intended to limit the scope of the present application, and any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present application should be included in the scope of the present application.

Claims (14)

1. A message anti-attack method, characterized in that the method comprises the following steps:
a forwarding plane device receives a protocol message;
if, according to the session features carried in the protocol message, the protocol message is determined to belong to a first session, performing session committed access rate (CAR) rate limiting on the protocol message, the first session being any one of the established sessions; each of the established sessions corresponds to its own session CAR rate limit, and the session CAR rate limits of different sessions are isolated from one another;
performing session-cluster CAR rate limiting on the protocol message that has passed the session CAR rate limit, the session-cluster CAR rate limit corresponding to at least one of the established sessions;
and sending the protocol message that has passed the session-cluster CAR rate limit to a control plane device.
2. The message anti-attack method according to claim 1, wherein the session-cluster CAR rate limit corresponding to at least one of the established sessions comprises:
the session-cluster CAR rate limit corresponding to the sessions of one routing protocol, or to the sessions of different routing protocols, among the established sessions.
3. The message anti-attack method according to claim 1 or 2, wherein the session CAR rate limit uses a two-rate three-color marker (trTCM) with two token buckets in color-blind mode, and the session-cluster CAR rate limit uses a single-rate three-color marker (srTCM) with two token buckets in color-aware mode;
wherein the four traffic parameters of the trTCM are the peak information rate (PIR), peak burst size (PBS), committed information rate (CIR) and committed burst size (CBS), and the three traffic parameters of the srTCM are the committed information rate (CIR), committed burst size (CBS) and excess burst size (EBS).
4. The message anti-attack method according to any one of claims 1 to 3, wherein, if the session-cluster CAR rate limit corresponds to all of the established sessions, the CIR of the session-cluster CAR rate limit is greater than or equal to the sum of the CIRs of all session CAR rate limits and less than or equal to the processing capacity of the control plane device;
and if each session-cluster CAR rate limit corresponds to the sessions of one routing protocol among the established sessions, the CIR of each session-cluster CAR rate limit is greater than or equal to the sum of the CIRs of the session CAR rate limits of the sessions of that routing protocol, and the sum of the CIRs of all session-cluster CAR rate limits is less than or equal to the processing capacity of the control plane device.
5. The message anti-attack method according to any one of claims 1 to 4, wherein the CIR of the session-cluster CAR rate limit is greater than or equal to the PIR of the session CAR rate limit, and the CBS of the session-cluster CAR rate limit is greater than or equal to the PBS of the session CAR rate limit.
6. The message anti-attack method according to any one of claims 1 to 5, wherein, before the forwarding plane device receives the protocol message, the method further comprises:
the forwarding plane device extracting the session features of the messages of an established session and issuing an access control list (ACL) rule;
and wherein determining that the protocol message belongs to the first session comprises:
the forwarding plane device determining, according to the session features carried in the protocol message, whether the protocol message hits the ACL rule;
and, if the protocol message hits the ACL rule, determining that the protocol message belongs to the first session.
7. A message anti-attack apparatus, characterized in that the apparatus comprises:
a receiving unit, configured to receive a protocol message;
a processing unit, configured to determine, according to the session features carried in the protocol message received by the receiving unit, whether the protocol message belongs to a first session, and, if the protocol message belongs to the first session, to perform session committed access rate (CAR) rate limiting on the protocol message, the first session being any one of the established sessions; each of the established sessions corresponds to its own session CAR rate limit, and the session CAR rate limits of different sessions are isolated from one another;
the processing unit being further configured to perform session-cluster CAR rate limiting on the protocol message that has passed the session CAR rate limit, the session-cluster CAR rate limit corresponding to at least one of the established sessions;
and a sending unit, configured to send the protocol message that has passed the session-cluster CAR rate limit to a control plane device.
8. The message anti-attack apparatus according to claim 7, wherein the session-cluster CAR rate limit corresponding to at least one of the established sessions comprises:
the session-cluster CAR rate limit corresponding to the sessions of one routing protocol, or to the sessions of different routing protocols, among the established sessions.
9. The message anti-attack apparatus according to claim 7 or 8, wherein the session CAR rate limit uses a two-rate three-color marker (trTCM) with two token buckets in color-blind mode, and the session-cluster CAR rate limit uses a single-rate three-color marker (srTCM) with two token buckets in color-aware mode;
wherein the four traffic parameters of the trTCM are the peak information rate (PIR), peak burst size (PBS), committed information rate (CIR) and committed burst size (CBS), and the three traffic parameters of the srTCM are the committed information rate (CIR), committed burst size (CBS) and excess burst size (EBS).
10. The message anti-attack apparatus according to any one of claims 7 to 9, wherein, if the session-cluster CAR rate limit corresponds to all of the established sessions, the CIR of the session-cluster CAR rate limit is greater than or equal to the sum of the CIRs of all session CAR rate limits and less than or equal to the processing capacity of the control plane device;
and if each session-cluster CAR rate limit corresponds to the sessions of one routing protocol among the established sessions, the CIR of each session-cluster CAR rate limit is greater than or equal to the sum of the CIRs of the session CAR rate limits of the sessions of that routing protocol, and the sum of the CIRs of all session-cluster CAR rate limits is less than or equal to the processing capacity of the control plane device.
11. The message anti-attack apparatus according to any one of claims 7 to 10, wherein the CIR of the session-cluster CAR rate limit is greater than or equal to the PIR of the session CAR rate limit, and the CBS of the session-cluster CAR rate limit is greater than or equal to the PBS of the session CAR rate limit.
12. The message anti-attack apparatus according to any one of claims 7 to 11, wherein the processing unit is further configured to extract the session features of the messages of an established session and to issue an access control list (ACL) rule;
the processing unit being specifically configured to determine, according to the session features carried in the protocol message, whether the protocol message hits the ACL rule;
and, if the protocol message hits the ACL rule, the processing unit being further configured to determine that the protocol message belongs to the first session.
13. A communication apparatus for use in a forwarding plane device, characterized in that the apparatus comprises a processor configured to be coupled to a memory, to read instructions from the memory and, according to the instructions, to execute the message anti-attack method according to any one of claims 1 to 6.
14. A computer storage medium storing computer program code which, when run on a processor, causes the processor to perform the message anti-attack method according to any one of claims 1 to 6.
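The following is an added worked example, not code from the patent or its assignee, modelling the two-stage rate limiting of claims 1 to 6 (mirrored by the apparatus claims 7 to 12) in Python. It assumes byte-granular token buckets per RFC 2698 (trTCM, color-blind) and RFC 2697 (srTCM, color-aware), that a message marked red at either stage is discarded rather than forwarded, that the ACL rule of claim 6 is a lookup on a (source, destination, protocol, destination port) tuple, and a constructed traffic mix of one well-behaved BGP peer and two flooding peers; the addresses, rates, burst sizes, the control-plane capacity figure and the `check_parameters` helper are all assumptions made for the example.

```python
# Added example, not the patent's code: a runnable model of the two-stage CAR of claims 1-6.
# Rates are bytes/ms and time is integer ms so token arithmetic is exact; traffic is constructed.
from dataclasses import dataclass

GREEN, YELLOW, RED = "green", "yellow", "red"

@dataclass
class TrTCM:
    """RFC 2698 two-rate three-color marker, color-blind: the per-session CAR of claim 3."""
    cir: int    # committed information rate, bytes/ms
    cbs: int    # committed burst size, bytes
    pir: int    # peak information rate, bytes/ms
    pbs: int    # peak burst size, bytes

    def __post_init__(self):
        self.tc, self.tp, self.last = self.cbs, self.pbs, 0   # both buckets start full

    def mark(self, size, now):
        dt, self.last = now - self.last, now
        self.tc, self.tp = min(self.cbs, self.tc + self.cir * dt), min(self.pbs, self.tp + self.pir * dt)
        if self.tp < size:                          # beyond PIR/PBS
            return RED
        self.tp -= size
        if self.tc < size:                          # beyond CIR/CBS but within PIR/PBS
            return YELLOW
        self.tc -= size
        return GREEN

@dataclass
class SrTCM:
    """RFC 2697 single-rate three-color marker, color-aware: the session-cluster CAR of claim 3."""
    cir: int    # committed information rate, bytes/ms
    cbs: int    # committed burst size, bytes
    ebs: int    # excess burst size, bytes

    def __post_init__(self):
        self.tc, self.te, self.last = self.cbs, self.ebs, 0

    def mark(self, size, now, color):
        dt, self.last = now - self.last, now
        tokens = self.cir * dt
        spill = max(0, tokens - (self.cbs - self.tc))   # C-bucket overflow feeds the E bucket
        self.tc, self.te = min(self.cbs, self.tc + tokens), min(self.ebs, self.te + spill)
        if color == GREEN and self.tc >= size:           # only green input can stay green
            self.tc -= size
            return GREEN
        if color != RED and self.te >= size:             # green or yellow may use the excess burst
            self.te -= size
            return YELLOW
        return RED

def check_parameters(session_cars, cluster, control_plane_capacity):
    """Claims 4 and 5 for one cluster covering all sessions; returns the violated rules."""
    bad = []
    if not sum(c.cir for c in session_cars) <= cluster.cir <= control_plane_capacity:
        bad.append("sum(session CIR) <= cluster CIR <= control-plane capacity")
    if any(cluster.cir < c.pir for c in session_cars):
        bad.append("cluster CIR >= every session PIR")
    if any(cluster.cbs < c.pbs for c in session_cars):
        bad.append("cluster CBS >= every session PBS")
    return bad

class ForwardingPlane:
    """Claim 1 pipeline: ACL match -> session CAR -> session-cluster CAR -> control plane."""
    def __init__(self, cluster):
        self.acl = {}              # session features -> TrTCM: the ACL rule of claim 6
        self.cluster = cluster
        self.stats = dict.fromkeys(("punt", "session_drop", "cluster_drop", "no_session"), 0)

    def receive(self, pkt, now):
        car = self.acl.get((pkt["src"], pkt["dst"], pkt["proto"], pkt["dport"]))
        if car is None:                                      # not an established session
            outcome = "no_session"
        elif (color := car.mark(pkt["len"], now)) == RED:    # assumption: red is discarded
            outcome = "session_drop"
        elif self.cluster.mark(pkt["len"], now, color) == RED:
            outcome = "cluster_drop"
        else:
            outcome = "punt"                                 # delivered to the control plane
        self.stats[outcome] += 1
        return outcome

def simulate(steps=100, flood=50):
    """Constructed traffic: BGP peer A sends 1 pkt per 10 ms, peers B and C flood 50 pkt per 10 ms."""
    cluster = SrTCM(cir=30, cbs=6000, ebs=2000)              # cluster CIR == sum of session CIRs
    fp = ForwardingPlane(cluster)
    peers = {"A": 1, "B": flood, "C": flood}                 # packets per 10 ms step
    features = {p: (f"10.0.0.{i}", "10.0.0.254", "tcp", 179) for i, p in enumerate(peers, 1)}
    for p in peers:
        fp.acl[features[p]] = TrTCM(cir=10, cbs=2000, pir=20, pbs=4000)
    problems = check_parameters(list(fp.acl.values()), cluster, control_plane_capacity=50)
    per_peer = {p: dict(fp.stats) for p in peers}
    for step in range(steps):
        for p, count in peers.items():
            pkt = dict(zip(("src", "dst", "proto", "dport"), features[p]), len=100)
            for _ in range(count):
                per_peer[p][fp.receive(pkt, 10 * step)] += 1
    return problems, fp.stats, per_peer
```

`simulate()` returns the claim 4 and claim 5 constraint check (empty here, since the cluster CIR equals the sum of the session CIRs, exceeds every session PIR and is below the assumed control-plane capacity) together with per-peer and total outcome counts. The flooding peers are first clipped to their own PIR by the isolated per-session trTCM, so they cannot starve peer A at the first stage; at the second stage the color-aware srTCM admits their yellow (excess) messages only while the EBS lasts, then drops them while continuing to admit every green message, including all of peer A's. Lowering the cluster CIR below the sum of the session CIRs, or its CBS below the session PBS, makes `check_parameters` report the violated rule.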
CN201810712659.8A 2018-06-29 2018-06-29 Message anti-attack method and device Active CN110661721B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810712659.8A CN110661721B (en) 2018-06-29 2018-06-29 Message anti-attack method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810712659.8A CN110661721B (en) 2018-06-29 2018-06-29 Message anti-attack method and device

Publications (2)

Publication Number Publication Date
CN110661721A CN110661721A (en) 2020-01-07
CN110661721B true CN110661721B (en) 2022-04-22

Family

ID=69027111

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810712659.8A Active CN110661721B (en) 2018-06-29 2018-06-29 Message anti-attack method and device

Country Status (1)

Country Link
CN (1) CN110661721B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114765621A (en) * 2020-12-31 2022-07-19 华为技术有限公司 Method, device and network equipment for detecting state of BGP session

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012063478A1 (en) * 2010-11-10 2012-05-18 株式会社日立製作所 Session management method, session management system, and program
CN105743843A (en) * 2014-12-08 2016-07-06 华为技术有限公司 Processing method and device of preventing packet attack

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9729399B2 (en) * 2015-03-11 2017-08-08 Verizon Patent And Licensing Inc. Bandwidth on demand automation

Also Published As

Publication number Publication date
CN110661721A (en) 2020-01-07

Similar Documents

Publication Publication Date Title
US8644149B2 (en) Mechanism for packet forwarding using switch pools in flow-based, split-architecture networks
US9807021B2 (en) System and method for distribution of policy enforcement point
US9736057B2 (en) Forwarding packet fragments using L4-L7 headers without reassembly in a software-defined networking (SDN) system
JP5440712B2 (en) COMMUNICATION SYSTEM, COMMUNICATION DEVICE, CONTROL DEVICE, PACKET FLOW TRANSFER ROUTE CONTROL METHOD, AND PROGRAM
EP3017569B1 (en) Virtual network
US10986021B2 (en) Flow management in networks
US8472444B2 (en) Method and apparatus for handling traffic in a data communication network
US8327014B2 (en) Multi-layer hardware-based service acceleration (MHSA)
US10356037B2 (en) Address resolution rewriting
US20160301632A1 (en) Method and system for burst based packet processing
EP3140964A1 (en) Implementing a 3g packet core in a cloud computer with openflow data and control planes
EP3437270A1 (en) Method and apparatus for adaptive flow control of link-state information from link-state source to border gateway protocol (bgp)
CN113395212B (en) Network device, method of operating the same, and non-transitory computer readable medium
US11563698B2 (en) Packet value based packet processing
US9935885B1 (en) Managing flow table entries for express packet processing based on packet priority or quality of service
US20230142425A1 (en) Virtual dual queue core stateless active queue management (agm) for communication networks
US8675669B2 (en) Policy homomorphic network extension
CN110661721B (en) Message anti-attack method and device
US7577737B2 (en) Method and apparatus for controlling data to be routed in a data communications network
RU2675212C1 (en) Adaptive load balancing during package processing
CN114095448A (en) Method and equipment for processing congestion flow
KR20160036182A (en) Hybrid OpenFlow switch, system, and method for combining legacy switch protocol function and SDN function
CN113316769A (en) Method for using event priority based on rule feedback in network function virtualization
WO2018002688A1 (en) Head drop scheduler
WO2022254246A1 (en) Method to prioritize and offload mobile edge cloud traffic in 5g

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant