CN110798382A - Port storm threshold control method and device - Google Patents

Publication number: CN110798382A
Authority: CN (China)
Prior art keywords: target port, value, storm, threshold value, speed value
Legal status: Granted, active
Application number: CN201911041874.0A
Other languages: Chinese (zh)
Other versions: CN110798382B (en
Inventors: 张隆伟, 陈烈
Current Assignee: Maipu Communication Technology Co Ltd
Original Assignee: Maipu Communication Technology Co Ltd
Application filed by: Maipu Communication Technology Co Ltd
Priority: CN201911041874.0A
Publication history: publication of CN110798382A; application granted; publication of CN110798382B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/16 Multipoint routing

Landscapes

  • Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Environmental & Geological Engineering
  • Data Exchanges In Wide-Area Networks

Abstract

The application provides a port storm threshold control method and device, and relates to the technical field of communications. The method comprises: on entering an observation period of preset duration, when the first speed value of the messages passing through the target port is smaller than the initial waterline threshold of the target port, setting the storm threshold of the target port according to the first speed value, the lowest preset storm threshold and the update record of the target port's storm threshold; when the first speed value is greater than or equal to the initial waterline threshold, setting the storm threshold of the target port according to the speed value of messages passing through the target port in a subsequent observation period; and when the preset duration is reached, setting the storm threshold to its value at the end of the preset duration, entering the operation period, and keeping the current storm threshold. The method updates the storm threshold in real time from the port's actual message volume during the observation period and sends and receives messages normally during the operation period, which improves the accuracy and adaptability of the storm threshold setting.

Description

Port storm threshold control method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for controlling a port storm threshold.
Background
Because of network topology design and connection problems, or for other reasons, broadcasts can be copied in large numbers within a network segment and data frames proliferate, so that network performance degrades or the network is even paralyzed; this is a network storm. Network devices that handle a large message volume therefore usually enable a storm suppression function, which lets a port filter network storms occurring on the network.
However, existing storm suppression deploys the storm threshold by pre-configuration, and to improve usability the same storm threshold is sometimes applied to all scenarios. As a result, the storm threshold may be unsuitable in different scenarios.
Disclosure of Invention
In view of this, an object of the present invention is to provide a method and an apparatus for controlling a port storm threshold, so as to solve the problem in the prior art that a storm threshold is not applicable in different scenarios.
An embodiment of the application provides a method for controlling a port storm threshold, comprising: on entering an observation period of preset duration, reading a first speed value of the broadcast or multicast messages passing through a target port; when the first speed value is smaller than the initial waterline threshold of the target port, setting the storm threshold of the target port according to the first speed value, the lowest preset storm threshold and the update record of the target port's storm threshold; when the first speed value is greater than or equal to the initial waterline threshold, setting the storm threshold of the target port according to the speed value of messages passing through the target port in a subsequent observation period, where the subsequent observation period runs from a first moment, at which the first speed value is read, to a preset second moment; and when the preset duration is reached, setting the storm threshold of the target port to the storm threshold in effect at the end of the preset duration, entering the operation period, and keeping the storm threshold of the target port.
In this implementation, an observation period and an operation period are defined. The storm threshold is updated in real time from the actual network traffic of the target port during the observation period, and the operation period is then entered so that the target port sends and receives messages stably. The storm threshold is thus adjusted adaptively to actual message traffic and attack conditions and responds immediately to changes in network conditions, which improves the adaptability and accuracy of storm suppression.
Optionally, before entering the observation period of preset duration, the method further comprises: enabling the storm suppression function and configuring the initial waterline threshold of the target port.
Optionally, setting the storm threshold of the target port according to the first speed value, the lowest preset storm threshold and the update record of the target port's storm threshold comprises: when the lowest preset storm threshold is greater than the first speed value and less than or equal to the initial waterline threshold, setting the storm threshold of the target port to the lowest preset storm threshold; when the first speed value is smaller than the initial waterline threshold and greater than the lowest preset storm threshold, and the storm threshold of the target port has not been updated, setting the storm threshold of the target port to a second speed value, the second speed value being greater than the first speed value by a first elasticity value; and when the first speed value is smaller than the initial waterline threshold and greater than the lowest preset storm threshold, the storm threshold of the target port has been updated, and the first speed value is greater than the current storm threshold of the target port minus a second elasticity value, updating the storm threshold of the target port to a third speed value, the third speed value being greater than the first speed value by a third elasticity value.
In this implementation, when the current first speed value of the target port is smaller than its initial waterline threshold, the storm threshold is updated based on the first speed value, the lowest preset storm threshold and whether the storm threshold of the target port has been updated. A suitable storm threshold can therefore be set when the port's real-time message volume is small: storm suppression is not so sensitive that it affects normal message traffic, yet abnormal conditions such as attacks can still be suppressed accurately.
Optionally, the method further comprises: when the first speed value is smaller than the initial waterline threshold and greater than the lowest preset storm threshold, the storm threshold of the target port has been updated, and the first speed value is less than or equal to the current storm threshold of the target port minus a second elasticity value, maintaining the storm threshold of the target port.
In this implementation, once the storm threshold of the target port has been updated, the second elasticity value prevents frequent updates that bring little benefit.
Optionally, setting the storm threshold of the target port according to the speed value of the messages passing through the target port in the subsequent observation period comprises: when the first speed value is greater than the initial waterline threshold and less than or equal to a preset multiple of the initial waterline threshold, reading the broadcast or multicast messages passing through the target port in the subsequent observation period, the subsequent observation period running from the first moment to the second moment; when a fourth speed value of the broadcast or multicast messages passing through the target port in the subsequent observation period is greater than the initial waterline threshold and less than or equal to the preset multiple of the initial waterline threshold, performing packet capture analysis on the messages passing through the target port starting from the second moment to obtain an analysis result, the packet capture analysis lasting as long as the subsequent observation period; when the packet capture analysis result shows that the IPs of the messages passing through the target port are continuous values, maintaining the storm threshold of the target port and generating an alarm log; and when the packet capture analysis result shows that the IPs of the messages passing through the target port are discontinuous values, updating the storm threshold of the target port to the first speed value read at the first moment.
In this implementation, a current first speed value greater than the initial waterline threshold of the target port indicates that the port may be under attack or that its message volume has increased. Which of the two applies is then determined by comparing the actual message rate in the subsequent observation period with the preset multiple of the initial waterline threshold, and by checking whether the IPs of the messages sent and received by the target port are continuous, which improves the adaptability and security of storm suppression.
Optionally, reading the broadcast or multicast messages that pass through the target port in the subsequent observation period comprises: determining whether an alarm condition, namely that the speed value of the broadcast or multicast messages passing through the target port is greater than the preset multiple of the initial waterline threshold, occurs a preset number of times in succession during the subsequent observation period; when the alarm condition occurs the preset number of times in succession, maintaining the storm threshold of the target port and feeding back the speed values of the broadcast or multicast messages read continuously through the target port during the subsequent observation period; and when the alarm condition does not occur the preset number of times in succession, reading the broadcast or multicast messages passing through the target port until the second moment.
In this implementation, when the first speed value of the target port indicates that message traffic may be abnormal, the port's actual condition is further assessed from the message rates collected continuously from the first moment to the second moment, which improves the accuracy and security of storm suppression.
Optionally, after reading the broadcast or multicast messages that pass through the target port in the subsequent observation period, the method further comprises: when a fourth speed value of the broadcast or multicast messages passing through the target port in the subsequent observation period is less than or equal to the initial waterline threshold, updating the storm threshold of the target port to a fifth speed value, the fifth speed value being greater than the fourth speed value by a third elasticity value.
In this implementation, when the fourth speed value through the target port in the subsequent observation period is less than or equal to the initial waterline threshold, the first speed value is judged to be a sudden, non-sustained change in message volume, and the storm threshold of the target port is raised slightly so that storm suppression is not too sensitive.
Optionally, setting the storm threshold of the target port according to the speed value of the messages passing through the target port in the subsequent observation period further comprises: when the first speed value is greater than the preset multiple of the initial waterline threshold, maintaining the storm threshold of the target port and generating an alarm log.
In this implementation, when the first speed value is greater than the preset multiple of the initial waterline threshold of the target port, the port is judged to be possibly under attack or in another abnormal state. An alarm log is generated and the storm threshold is not updated, which prevents the storm threshold from being set incorrectly and keeps the target port secure.
Optionally, the method further comprises: after entering the operation period, reading speed statistics of the broadcast or multicast messages passing through the target port; within a preset adjustment duration, generating alarm logs from the speed statistics read, in the same way as in the observation period, while keeping the storm threshold of the target port; and when the number of alarm logs generated is greater than a preset number of logs, entering the observation period and taking the current storm threshold of the target port as the initial waterline threshold of the target port.
In this implementation, the alarm logs generated during the operation period determine whether to enter the observation period again. This avoids the problem that no real-time adjustment is possible when the message rate of the target port becomes abnormal during the operation period, and further improves the applicability and accuracy of storm suppression.
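The secure-mode and non-secure-mode rules described above, combined into one decision routine for a single reading in the observation period. This is an added example, not code from the patent: the names `Config`, `Port` and `observe`, every numeric default, and the reading of "continuous IP" as a run of consecutive addresses are assumptions, and the fourth speed value is supplied by the caller.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Config:
    # All values are constructed for illustration (pps); the page gives no numbers.
    waterline: int = 1000       # initial waterline threshold
    min_threshold: int = 200    # lowest preset storm threshold
    e1: int = 50                # first elasticity value
    e2: int = 100               # second elasticity value
    e3: int = 50                # third elasticity value
    multiple: int = 3           # preset multiple of the waterline
    max_run: int = 3            # preset number of consecutive alarm readings


@dataclass
class Port:
    threshold: int              # current storm threshold
    updated: bool = False       # update record of the storm threshold
    log: list = field(default_factory=list)   # alarm log and feedback records


def ips_continuous(addrs):
    """Assumed meaning of 'continuous IP': distinct addresses form one consecutive run."""
    nums = sorted({int(ipaddress.ip_address(a)) for a in addrs})
    return len(nums) > 1 and nums[-1] - nums[0] == len(nums) - 1


def _alarm(port, reason):
    # Every alarm path leaves port.threshold untouched.
    port.log.append(reason)
    return "keep+alarm"


def secure_mode(port, cfg, v1):
    """First speed value v1 is below the initial waterline threshold."""
    if v1 <= cfg.min_threshold:
        port.threshold = cfg.min_threshold       # floor against over-sensitivity
        return "set-minimum"
    if not port.updated:
        port.threshold, port.updated = v1 + cfg.e1, True
        return "first-update"
    if v1 > port.threshold - cfg.e2:
        port.threshold = v1 + cfg.e3
        return "re-update"
    return "keep"                                # inside the e2 band: no churn


def non_secure_mode(port, cfg, v1, later, v4, capture_ips):
    """v1 >= waterline. later: readings up to the second moment; v4: fourth speed value."""
    ceiling = cfg.multiple * cfg.waterline
    if v1 > ceiling:
        return _alarm(port, f"first speed {v1} > {ceiling}")
    run = 0
    for s in later:
        run = run + 1 if s > ceiling else 0
        if run >= cfg.max_run:                   # sustained alarm condition
            port.log.append(f"feedback {list(later)}")
            return "keep+feedback"
    if v4 <= cfg.waterline:
        port.threshold, port.updated = v4 + cfg.e3, True   # v1 was a one-off burst
        return "burst"
    if v4 <= ceiling:
        if ips_continuous(capture_ips):
            return _alarm(port, "continuous IPs in capture")
        port.threshold, port.updated = v1, True            # message volume grew
        return "growth"
    # Not covered by the rules on the page; this sketch assumes keep and alarm.
    return _alarm(port, f"fourth speed {v4} > {ceiling}")


def observe(port, cfg, v1, later=(), v4=None, capture_ips=()):
    """Apply one observation-period reading; v4 is required when v1 >= waterline."""
    if v1 < cfg.waterline:
        return secure_mode(port, cfg, v1)
    return non_secure_mode(port, cfg, v1, later, v4, capture_ips)
```

The branches that correspond to a suspected attack only write to the log, so a flood during the observation period cannot move the learned threshold upward.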
An embodiment of the present application provides a port storm threshold control device, comprising: a first speed value acquisition module, configured to read a first speed value of the broadcast or multicast messages passing through a target port on entering an observation period of preset duration; a secure mode execution module, configured to set the storm threshold of the target port according to the first speed value, the lowest preset storm threshold and the update record of the target port's storm threshold when the first speed value is smaller than the initial waterline threshold of the target port; a non-secure mode execution module, configured to set the storm threshold of the target port according to the speed value of messages passing through the target port in a subsequent observation period when the first speed value is greater than or equal to the initial waterline threshold, where the subsequent observation period runs from a first moment, at which the first speed value is read, to a preset second moment; and an operation period execution module, configured to, when the preset duration is reached, set the storm threshold of the target port to the storm threshold in effect at that time, enter the operation period and keep the storm threshold of the target port.
In this implementation, an observation period and an operation period are defined. The storm threshold is updated in real time from the actual network traffic of the target port during the observation period, and the operation period is then entered so that the target port sends and receives messages stably. The storm threshold is thus adjusted adaptively to actual message traffic and attack conditions and responds immediately to changes in network conditions, which improves the adaptability and accuracy of storm suppression.
Optionally, the device further comprises: a threshold module, configured to enable the storm suppression function and configure the initial waterline threshold of the target port before the observation period of preset duration is entered.
Optionally, the secure mode execution module is specifically configured to: when the lowest preset storm threshold is greater than the first speed value and less than or equal to the initial waterline threshold, set the storm threshold of the target port to the lowest preset storm threshold; when the first speed value is smaller than the initial waterline threshold and greater than the lowest preset storm threshold, and the storm threshold of the target port has not been updated, set the storm threshold of the target port to a second speed value, the second speed value being greater than the first speed value by a first elasticity value; and when the first speed value is smaller than the initial waterline threshold and greater than the lowest preset storm threshold, the storm threshold of the target port has been updated, and the first speed value is greater than the current storm threshold of the target port minus a second elasticity value, update the storm threshold of the target port to a third speed value, the third speed value being greater than the first speed value by a third elasticity value.
In this implementation, when the current first speed value of the target port is smaller than its initial waterline threshold, the storm threshold is updated based on the first speed value, the lowest preset storm threshold and whether the storm threshold of the target port has been updated. A suitable storm threshold can therefore be set when the port's real-time message volume is small: storm suppression is not so sensitive that it affects normal message traffic, yet abnormal conditions such as attacks can still be suppressed accurately.
Optionally, the secure mode execution module is further specifically configured to: when the first speed value is smaller than the initial waterline threshold and greater than the lowest preset storm threshold, the storm threshold of the target port has been updated, and the first speed value is less than or equal to the current storm threshold of the target port minus a second elasticity value, maintain the storm threshold of the target port.
In this implementation, once the storm threshold of the target port has been updated, the second elasticity value prevents frequent updates that bring little benefit.
Optionally, the non-secure mode execution module is specifically configured to: when the first speed value is greater than the initial waterline threshold and smaller than a preset multiple of the initial waterline threshold, read the broadcast or multicast messages passing through the target port in the subsequent observation period, the subsequent observation period running from the first moment to the second moment; when a fourth speed value of the broadcast or multicast messages passing through the target port in the subsequent observation period is greater than the initial waterline threshold and less than or equal to the preset multiple of the initial waterline threshold, perform packet capture analysis on the messages passing through the target port starting from the second moment to obtain an analysis result, the packet capture analysis lasting as long as the subsequent observation period; when the packet capture analysis result shows that the IPs of the messages passing through the target port are continuous values, maintain the storm threshold of the target port and generate an alarm log; and when the packet capture analysis result shows that the IPs of the messages passing through the target port are not continuous values, update the storm threshold of the target port to the first speed value read at the first moment.
In this implementation, a current first speed value greater than the initial waterline threshold of the target port indicates that the port may be under attack or that its message volume has increased. Which of the two applies is then determined by comparing the actual message rate in the subsequent observation period with the preset multiple of the initial waterline threshold, and by checking whether the IPs of the messages sent and received by the target port are continuous, which improves the adaptability and security of storm suppression.
Optionally, the non-secure mode execution module is further specifically configured to: determine whether an alarm condition, namely that the speed value of the broadcast or multicast messages passing through the target port is greater than the preset multiple of the initial waterline threshold, occurs a preset number of times in succession during the subsequent observation period; when the alarm condition occurs the preset number of times in succession, maintain the storm threshold of the target port and feed back the speed values of the broadcast or multicast messages read continuously through the target port during the subsequent observation period; and when the alarm condition does not occur the preset number of times in succession, read the broadcast or multicast messages passing through the target port until the second moment.
In this implementation, when the first speed value of the target port indicates that message traffic may be abnormal, the port's actual condition is further assessed from the message rates collected continuously from the first moment to the second moment, which improves the accuracy and security of storm suppression.
Optionally, the non-secure mode execution module is further specifically configured to: when a fourth speed value of the broadcast or multicast messages passing through the target port in the subsequent observation period is less than or equal to the initial waterline threshold, update the storm threshold of the target port to a fifth speed value, the fifth speed value being greater than the fourth speed value by a third elasticity value.
In this implementation, when the fourth speed value through the target port in the subsequent observation period is less than or equal to the initial waterline threshold, the first speed value is judged to be a sudden, non-sustained change in message volume, and the storm threshold of the target port is raised slightly so that storm suppression is not too sensitive.
Optionally, the non-secure mode execution module is further specifically configured to: when the first speed value is greater than the preset multiple of the initial waterline threshold, maintain the storm threshold of the target port and generate an alarm log.
In this implementation, when the first speed value is greater than the preset multiple of the initial waterline threshold of the target port, the port is judged to be possibly under attack or in another abnormal state. An alarm log is generated and the storm threshold is not updated, which prevents the storm threshold from being set incorrectly and keeps the target port secure.
Optionally, the non-secure mode execution module is further specifically configured to: after the operation period is entered, read speed statistics of the broadcast or multicast messages passing through the target port; within a preset adjustment duration, generate alarm logs from the speed statistics read, in the same way as in the observation period, while keeping the storm threshold of the target port; and when the number of alarm logs generated is greater than a preset number of logs, enter the observation period and take the current storm threshold of the target port as the initial waterline threshold of the target port.
In this implementation, the alarm logs generated during the operation period determine whether to enter the observation period again. This avoids the problem that no real-time adjustment is possible when the message rate of the target port becomes abnormal during the operation period, and further improves the applicability and accuracy of storm suppression.
An embodiment of the application also provides an electronic device comprising a memory and a processor, where the memory stores program instructions and the processor, when it reads and runs the program instructions, performs any one of the port storm threshold control methods described above.
An embodiment of the application also provides a storage medium storing computer program instructions which, when read and run by a processor, perform any one of the port storm threshold control methods described above.
Drawings
To illustrate the technical solutions of the embodiments of the present application more clearly, the drawings used in the embodiments are briefly described below. The following drawings illustrate only some embodiments of the present application and should not be considered as limiting its scope; those skilled in the art can obtain other related drawings from them without inventive effort.
Fig. 1 is a schematic flowchart of a method for controlling a port storm threshold according to an embodiment of the present disclosure;
Fig. 2 is a schematic flowchart of a storm threshold setting manner in a secure mode according to an embodiment of the present disclosure;
Fig. 3 is a schematic flowchart of a storm threshold setting manner in a non-secure mode according to an embodiment of the present disclosure;
Fig. 4 is a block diagram of a port storm threshold control apparatus according to an embodiment of the present application.
Reference numerals: 20 - port storm threshold control device; 21 - first speed value acquisition module; 22 - secure mode execution module; 23 - non-secure mode execution module; 24 - operation period execution module.
Detailed Description
The technical solution in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
The applicant has found that existing storm suppression usually sets the storm threshold by pre-configuration, sometimes even configuring the same storm threshold uniformly for different scenarios. The storm threshold is not set according to the actual message volume of the port, so it may not match that volume and its applicability is poor. Specifically, when a storm suppression alarm occurs, it cannot be determined whether the port's actual message volume really amounts to a broadcast storm, and when a broadcast storm really does occur, the storm threshold cannot be corrected to match actual conditions.
In order to solve the above problem, an embodiment of the present application provides a storm threshold control method. Referring to fig. 1, fig. 1 is a schematic flow chart of a storm threshold control method according to an embodiment of the present application, where the method includes the following specific steps:
Step S12: On entering an observation period of preset duration, read a first speed value of the broadcast or multicast messages passing through a target port.
It should be appreciated that storm suppression on the network device must also be given an initial configuration before the observation period is entered, for example: enabling the storm suppression function and configuring the initial waterline threshold of each port. For convenience of description and understanding, this embodiment takes any port of the network device as the target port, and this step configures the initial waterline threshold of that target port.
Network storms usually occur on network communication devices such as routers and switches, so the target port in this embodiment may be any port of such a device.
The observation period is given a preset duration so that the storm threshold is adjusted in real time to actual network conditions during the observation period and the port can then quickly enter the operation period, which ensures stable sending and receiving of subsequent messages. Alternatively, the preset duration may be 6 hours, 12 hours, 24 hours, 36 hours, or any other suitable duration.
Optionally, the message rate of the target port in this embodiment, for example the first speed value, may be expressed as a packet forwarding rate, which indicates the switch's capacity to forward data packets and is generally measured in pps (packets per second).
Step S14: and when the first speed value is smaller than the initial waterline threshold value of the target port, setting the storm threshold value of the target port according to the first speed value, the lowest preset storm threshold value and the update record of the storm threshold value of the target port.
When the first speed value is smaller than the initial waterline threshold value of the target port, the message receiving and sending speed of the target port can be considered to be normal, and only small adjustment needs to be carried out based on the first speed value.
Specifically, Fig. 2 is a schematic flowchart of the storm threshold setting procedure in the safe mode according to an embodiment of the present application, which includes the following steps:
Step S14.1: Determine whether the first speed value is less than or equal to the lowest preset storm threshold.
The safe mode in this embodiment may be the mode in which the first speed value is smaller than the current storm threshold of the target port, so that the target port is judged to have no abnormal condition.
The lowest preset storm threshold is a floor that keeps the storm suppression function of the target port from becoming so sensitive that it interferes with normal message transmission and reception.
It should be appreciated that a first speed value that is less than or equal to the lowest preset storm threshold is necessarily also less than or equal to the initial waterline threshold.
Step S14.2: When the first speed value is less than or equal to the lowest preset storm threshold, set the storm threshold of the target port to the lowest preset storm threshold.
Step S14.3: When the first speed value is greater than the lowest preset storm threshold, determine whether the storm threshold of the target port has been updated.
Step S14.4: When the storm threshold of the target port has not been updated, set the storm threshold of the target port to a second speed value, where the second speed value is greater than the first speed value by a first elasticity value.
The first elasticity value keeps the storm threshold of the target port from being set so low, and therefore so sensitive, that it interferes with normal message transmission and reception. Optionally, the first elasticity value in this embodiment may be any value that matches the actual network conditions, such as 5, 10, 20, 25 or 30.
Step S14.5: When the storm threshold of the target port has been updated, determine whether the first speed value is greater than the current storm threshold of the target port minus a second elasticity value.
The current storm threshold is a real-time storm threshold of the target port when the first speed value is obtained, and the current storm threshold may be an initial waterline threshold or may have been updated in an observation period.
Step S14.6: When the first speed value is greater than the current storm threshold minus the second elasticity value, update the storm threshold of the target port to a third speed value, where the third speed value is greater than the first speed value by a third elasticity value.
The magnitude of the third elasticity value and the second elasticity value may be specifically adjusted according to the magnitude of the initial waterline threshold, the first elasticity value, and the like, and in this embodiment, the second elasticity value and the third elasticity value may be 5, 10, 20, or equal to the first elasticity value.
When the storm threshold of the target port has already been updated, the message speed of the target port has fluctuated to some degree before. Adjusting the storm threshold on every small fluctuation could affect normal message transmission and reception, so the storm threshold of the target port is updated only when it has been updated before and the first speed value satisfies the condition in step S14.5.
Further, this embodiment may further include:
Step S14.7: Maintain the storm threshold of the target port when the first speed value is less than or equal to the initial waterline threshold minus the second elasticity value.
Maintaining the storm threshold of the target port means leaving it unchanged: the storm threshold of the target port remains the current storm threshold.
For example, when the storm threshold of the target port has been updated, the current initial waterline threshold of the port is 60, the read first speed value is 70, and the second and third elasticity values are both 10, the storm threshold of the target port needs to be updated and is set to 70 + 10 = 80; otherwise, the storm threshold is not updated. When the storm threshold of the target port has been updated, the current storm threshold of the target port is 80 and the read first speed value is 70, the storm threshold of the target port is not updated.
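The following Python sketch is an added example, not code from the patent. It implements the branch logic of steps S14.1 to S14.7 and replays a constructed series of speed samples, which shows that in the safe mode the threshold follows rising traffic but only drops when a sample reaches the lowest preset threshold. The names `PortState`, `safe_mode_update` and `replay`, and the default values 20 and 10, are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class PortState:
    storm_threshold: int   # current storm threshold in pps; starts as the initial waterline
    updated: bool = False  # update record: has the threshold been written in this period?


def safe_mode_update(state, first_speed, min_threshold, e1, e2, e3):
    """Apply steps S14.1-S14.7 to one speed sample and return the step that fired.

    The caller has already decided that the sample belongs to the safe mode.
    e1, e2 and e3 are the first, second and third elasticity values.
    """
    if first_speed <= min_threshold:                  # S14.1
        state.storm_threshold = min_threshold         # S14.2: clamp to the floor
        # Assumption: the page does not say whether this write counts as an update.
        state.updated = True
        return "S14.2"
    if not state.updated:                             # S14.3
        state.storm_threshold = first_speed + e1      # S14.4: second speed value
        state.updated = True
        return "S14.4"
    if first_speed > state.storm_threshold - e2:      # S14.5
        state.storm_threshold = first_speed + e3      # S14.6: third speed value
        return "S14.6"
    return "S14.7"                                    # hold the current threshold


def replay(samples, initial_waterline, min_threshold=20, e1=10, e2=10, e3=10):
    """Run constructed speed samples through the update; return (step, threshold) per sample."""
    state = PortState(storm_threshold=initial_waterline)
    history = []
    for speed in samples:
        step = safe_mode_update(state, speed, min_threshold, e1, e2, e3)
        history.append((step, state.storm_threshold))
    return history


if __name__ == "__main__":
    # Constructed samples (pps) for a port whose initial waterline is 100.
    for step, threshold in replay([50, 55, 40, 58, 15], initial_waterline=100):
        print(step, threshold)
```
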
Step S16: When the first speed value is greater than or equal to the current storm threshold, set the storm threshold of the target port according to the speed value of the messages passing through the target port in a subsequent observation period.
In this embodiment, the case where the first speed value is greater than or equal to the initial waterline threshold may be taken as the non-secure mode; in the non-secure mode, the target port may be under attack, in a loop, or otherwise abnormal.
It should be understood that the non-secure mode covers two cases: one in which the network may be abnormal, and one in which the network is determined to be abnormal. The boundary between them can be a preset multiple of the initial waterline threshold: a speed value greater than the preset multiple of the initial waterline threshold means the network is determined to be abnormal. The preset multiple may be 2, 3, 4, and so on.
Specifically, Fig. 3 is a schematic flow chart of the storm threshold setting procedure in the non-secure mode according to an embodiment of the present application, which includes the following steps:
Step S16.1: Determine whether the first speed value is greater than the initial waterline threshold and less than or equal to the preset multiple of the initial waterline threshold.
Step S16.2: When the first speed value is greater than the initial waterline threshold and less than or equal to the preset multiple of the initial waterline threshold, read the broadcast or multicast messages passing through the target port during the subsequent observation period, where the subsequent observation period runs from the first moment, at which the first speed value was read, to the second moment.
The second moment is the moment at which a speed value greater than the initial waterline threshold and less than or equal to the preset multiple of the initial waterline threshold is obtained again.
Optionally, in this embodiment, it may happen that no subsequent speed value is greater than the initial waterline threshold and less than or equal to the preset multiple of the initial waterline threshold. For that case a subsequent reading time limit, which may be 30 minutes, 40 minutes and so on, is set to end message acquisition in the subsequent observation period, and the last speed value obtained within that time limit plus an elasticity value is used as the new storm threshold to update the storm threshold of the target port.
The target port of a network device may see bursts and occasional network fluctuation, and from a single reading it cannot be determined whether the message volume is persistently too high or the port is under attack. In such conditions the message speed of the target port in the subsequent observation period is used to analyze the network condition further and determine the specific situation of the target port.
Step S16.3: Determine whether the fourth speed value of the broadcast or multicast messages passing through the target port in the subsequent observation period is less than or equal to the initial waterline threshold, greater than the initial waterline threshold and less than or equal to the preset multiple of the initial waterline threshold, or greater than the preset multiple of the initial waterline threshold.
Step S16.4: When the fourth speed value is less than or equal to the initial waterline threshold, set the storm threshold of the target port based on the safe mode.
Step S16.5: When the fourth speed value is greater than the initial waterline threshold and less than or equal to the preset multiple of the initial waterline threshold, perform packet capture analysis on the messages passing through the target port, starting from the second moment, to obtain an analysis result; the packet capture analysis lasts as long as the subsequent observation period.
Step S16.6: When the packet capture analysis result indicates that the source IP (Internet Protocol address) or the destination IP of the messages passing through the target port is a continuous value, maintain the storm threshold of the target port and generate an alarm log.
If the source IP or the destination IP of the messages on the target port is a continuous value, for example the last octet of the IP increments from .1 to .254, it may be determined that the traffic is caused by an abnormal factor such as a virus; an alarm log may be generated, and the storm threshold is not updated.
It should be understood that if it is determined that the message transmission and reception of the target port is abnormal due to malicious attack through other characteristics of the message, an alarm log may also be generated as in step S16.6, without updating the storm threshold.
Step S16.7: When the packet capture analysis result shows that the source IP or the destination IP of the messages passing through the target port is not a continuous value, update the storm threshold of the target port to the first speed value read at the first moment.
Step S16.8: When the fourth speed value is greater than the preset multiple of the initial waterline threshold, add 1 to the over-range count. When the over-range count is greater than or equal to the preset number of times, maintain the storm threshold of the target port and feed back the speed values of the broadcast or multicast messages read through the target port in the subsequent observation period; when the over-range count is less than the preset number of times, continue reading the broadcast or multicast messages passing through the target port until the second moment.
When the message speed of the target port is repeatedly and continuously greater than the preset multiple of the initial waterline threshold, the current storm threshold is set too low, so the storm threshold of the target port is raised, which reduces its sensitivity and lets message transmission and reception complete normally.
Step S16.9: When the first speed value is greater than the preset multiple of the initial waterline threshold, maintain the storm threshold of the target port and generate an alarm log.
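The following Python sketch is an added example, not code from the patent. It shows the non-secure-mode decision of steps S16.4 to S16.9 together with one way to test whether captured addresses form a "continuous value". The page does not define how long a run must be to count as continuous, so the `min_run=16` cutoff is an assumption, as are all function names, the `max_over_range=3` default and the sample addresses (constructed from the 192.0.2.0/24 documentation range).

```python
import ipaddress


def longest_sequential_run(addresses):
    """Longest run, in capture order, where each new address is the previous one plus 1.

    Immediate repeats of the same address (retransmissions) do not break a run.
    """
    best = run = 0
    prev = None
    for text in addresses:
        cur = int(ipaddress.ip_address(text))
        if prev is not None and cur == prev:
            continue
        run = run + 1 if prev is not None and cur == prev + 1 else 1
        best = max(best, run)
        prev = cur
    return best


def is_continuous(src_ips, dst_ips, min_run=16):
    """True when either the source or the destination addresses sweep a range.

    min_run is an assumed cutoff; the page gives only the .1 to .254 example.
    """
    return max(longest_sequential_run(src_ips), longest_sequential_run(dst_ips)) >= min_run


def non_secure_step(first_speed, fourth_speed, threshold, waterline, multiple,
                    src_ips, dst_ips, over_range=0, max_over_range=3):
    """Return (step, storm_threshold, alarm, over_range) for one pass through Fig. 3.

    Called only when first_speed is at or above the initial waterline threshold.
    src_ips and dst_ips are the addresses seen by the packet capture of S16.5.
    """
    ceiling = waterline * multiple
    if first_speed > ceiling:                                  # S16.9: confirmed abnormal
        return ("S16.9", threshold, True, over_range)
    if fourth_speed <= waterline:                              # S16.4: back to the safe mode
        return ("S16.4", threshold, False, over_range)
    if fourth_speed <= ceiling:                                # S16.5: capture and analyze
        if is_continuous(src_ips, dst_ips):
            return ("S16.6", threshold, True, over_range)      # hold threshold, alarm
        return ("S16.7", first_speed, False, over_range)       # adopt first speed value
    over_range += 1                                            # S16.8: over-range sample
    if over_range >= max_over_range:
        return ("S16.8-hold", threshold, False, over_range)
    return ("S16.8-continue", threshold, False, over_range)


# Constructed capture data: a sweep of the last octet, and ordinary mixed hosts.
SWEEP = [f"192.0.2.{i}" for i in range(1, 255)]
MIXED = ["192.0.2.10", "192.0.2.57", "192.0.2.11", "192.0.2.200", "192.0.2.12"]

if __name__ == "__main__":
    print(non_secure_step(150, 180, 100, 100, 3, SWEEP, MIXED))
    print(non_secure_step(150, 180, 100, 100, 3, MIXED, MIXED))
```
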
Step S18 is performed next.
Step S18: When the preset duration is reached, set the storm threshold of the target port to the storm threshold in effect at the end of the preset duration, enter the operation period, and maintain the storm threshold of the target port.
After the operation period starts, the speed statistics of the broadcast or multicast messages passing through the target port are read. Based on those statistics, alarm logs are generated within a preset adjustment duration in the same way as in the safe mode or the non-secure mode, but the storm threshold of the target port is not updated; it is maintained so that normal message transmission and reception are ensured.
Further, when the number of generated alarm logs is greater than the preset number of logs, the observation period is entered again, so that the storm threshold of the target port is updated again when the message speed no longer matches the current storm threshold.
After the observation period is entered again, the updated current storm threshold of the target port is taken as the initial waterline threshold of the target port.
In order to better implement the storm threshold control method, the embodiment of the present application further provides a port storm threshold control device 20.
Fig. 4 is a block diagram of a port storm threshold control device according to an embodiment of the present application.
The port storm threshold control device 20 includes:
a first speed value obtaining module 21, configured to read a first speed value of a broadcast or multicast packet passing through a target port when an observation period of a preset duration is entered;
the safe mode execution module 22 is configured to, when the first speed value is smaller than the initial waterline threshold of the target port, set the storm threshold of the target port according to the first speed value, the lowest preset storm threshold, and the update record of the storm threshold of the target port;
the non-secure mode execution module 23 is configured to set a storm threshold of the target port according to a speed value of a message passing through the target port in a subsequent observation period when the first speed value is greater than or equal to the initial waterline threshold, where the subsequent observation period is a period from a first time when the first speed value is read to a preset second time;
and the operation period executing module 24 is configured to set the storm threshold of the target port as the storm threshold at the end of the preset duration when the preset duration is reached, enter the operation period, and maintain the storm threshold of the target port.
Optionally, the port storm threshold control device 20 further comprises a threshold module, configured to turn on the storm suppression function and configure the initial waterline threshold of the target port before the observation period of preset duration is entered.
The secure mode execution module 22 is specifically configured to: when the lowest preset storm threshold value is larger than the first speed value and is smaller than or equal to the initial waterline threshold value, setting the storm threshold value of the target port as the lowest preset storm threshold value; when the first speed value is smaller than the initial waterline threshold value and larger than the lowest preset storm threshold value and the storm threshold value of the target port is not updated, setting the storm threshold value of the target port as a second speed value, wherein the second speed value is larger than the first speed value by a first elastic value; and when the first speed value is smaller than the initial waterline threshold value, larger than the lowest preset storm threshold value, the storm threshold value of the target port is updated, and the first speed value is larger than the current storm threshold value of the target port minus the value of the second elasticity value, the storm threshold value of the target port is updated to be a third speed value, and the third speed value is larger than the first speed value by a third elasticity value.
The secure mode execution module 22 is further specifically configured to: and when the first speed value is smaller than the initial waterline threshold value and larger than the lowest preset storm threshold value, the storm threshold value of the target port is updated, and the first speed value is smaller than or equal to the value obtained by subtracting the second elasticity value from the current storm threshold value of the target port, the storm threshold value of the target port is maintained.
The non-secure mode execution module 23 is specifically configured to: reading a broadcast or multicast message passing through a target port in a subsequent observation period when the first speed value is greater than an initial waterline threshold value and less than a preset multiple of the initial waterline threshold value; when the fourth speed value of the broadcast or multicast message passing through the target port in the subsequent observation period is greater than the initial waterline threshold and less than or equal to the preset multiple of the initial waterline threshold, packet capturing analysis is performed on the message passing through the target port from the second moment to obtain an analysis result, and the duration of the packet capturing analysis is the same as the subsequent observation period; when the packet capture analysis result shows that the IP of the message passing through the target port is a continuous value, maintaining the storm threshold value of the target port, and generating an alarm log; and when the packet capturing analysis result shows that the IP of the message passing through the target port is not a continuous value, updating the storm threshold value of the target port to the first speed value read at the first moment.
The non-secure mode execution module 23 is further specifically configured to: reading a broadcast or multicast message passing through a target port between subsequent observation periods, comprising: judging whether the alarm condition that the speed value of the broadcast or multicast message passing through the target port is larger than the preset multiple of the initial waterline threshold value continuously appears for preset times or not in the subsequent observation period; when the alarm condition continuously occurs for a preset number of times, maintaining the storm threshold value of the target port, and feeding back the speed value of continuously reading the broadcast or multicast message passing through the target port in the subsequent observation period; and reading the broadcast or multicast message passing through the target port until the second moment when the alarm condition does not continuously occur for the preset times.
The non-secure mode execution module 23 is further specifically configured to: after reading the broadcast or multicast packet passing through the target port between subsequent observation periods, the method further comprises: and when the fourth speed value of the broadcast or multicast message passing through the target port in the subsequent observation period is less than or equal to the initial waterline threshold value, updating the storm threshold value of the target port to a fifth speed value, wherein the fifth speed value is greater than the fourth speed value by a third elastic value.
The non-secure mode execution module 23 is further specifically configured to: when the first speed value is larger than a preset multiple of the initial waterline threshold value, keeping the storm threshold value of the target port; and generating an alarm log.
Further, the non-secure mode execution module 23 is further specifically configured to: after entering the operation period, reading the speed statistic value of the broadcast or multicast message passing through the target port; according to the read rate statistic value, generating an alarm log in a preset adjusting time length based on the same mode as that in the observation period, and keeping the storm threshold of the target port; and entering an observation period when the number of the generated alarm logs is larger than the preset number of the logs, and taking the current storm threshold value of the target port as the initial waterline threshold value of the target port.
An embodiment of the present application further provides an electronic device, where the electronic device includes a memory and a processor, where the memory stores program instructions, and when the processor reads and runs the program instructions, the processor executes steps in any one of the methods of the storm threshold control method provided in this embodiment.
It should be understood that the electronic device may be a Personal Computer (PC), a tablet PC, a smart phone, a Personal Digital Assistant (PDA), or other electronic device having a logical computing function. Further, with the storm threshold control method in this embodiment, the electronic device may specifically be a network device having a communication function, such as a router and a switch.
The embodiment of the application also provides a readable storage medium, wherein computer program instructions are stored in the readable storage medium, and the computer program instructions are read by a processor and executed to execute the steps in the storm threshold control method.
To sum up, the embodiment of the present application provides a method and an apparatus for controlling a port storm threshold, where the method includes: entering an observation period with preset duration, and reading a first speed value of a broadcast or multicast message passing through a target port; when the first speed value is smaller than the initial waterline threshold value of the target port, setting the storm threshold value of the target port according to the first speed value, the lowest preset storm threshold value and the update record of the storm threshold value of the target port; when the first speed value is larger than or equal to the initial waterline threshold value, setting a storm threshold value of the target port according to the speed value of a message passing through the target port in a subsequent observation period, wherein the subsequent observation period is a period from a first moment when the first speed value is read to a preset second moment; and when the preset duration is reached, setting the storm threshold of the target port as the storm threshold of the preset duration when the preset duration is ended, entering the operation period, and keeping the storm threshold of the target port.
In the implementation mode, an observation period and an operation period are set, the storm threshold is updated in real time based on the actual network flow of the target port in the observation period, and then the operation period is entered to enable the target port to stably receive and transmit messages, so that the adaptability adjustment of the storm threshold is realized based on the actual message receiving and transmitting and attack conditions, the change of the network conditions can be responded immediately, and the adaptability and the accuracy of the storm suppression mode are improved.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus may be implemented in other manners. The apparatus embodiments described above are merely illustrative, and for example, the block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of devices according to various embodiments of the present application. In this regard, each block in the block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams, and combinations of blocks in the block diagrams, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Therefore, the present embodiment further provides a readable storage medium, in which computer program instructions are stored, and when the computer program instructions are read and executed by a processor, the computer program instructions perform the steps of any of the block data storage methods. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (12)

1. A method for port storm threshold control, the method comprising:
reading a first speed value of a broadcast or multicast message passing through a target port when entering an observation period with a preset duration;
when the first speed value is smaller than the initial waterline threshold value of the target port, setting the storm threshold value of the target port according to the first speed value, the lowest preset storm threshold value and the update record of the storm threshold value of the target port;
when the first speed value is larger than or equal to the initial waterline threshold value, setting a storm threshold value of the target port according to the speed value of a message passing through the target port in a subsequent observation period, wherein the subsequent observation period is a period from a first moment when the first speed value is read to a preset second moment;
and when the preset duration is reached, setting the storm threshold of the target port to the storm threshold in effect when the preset duration ends, entering the operation period, and keeping the storm threshold of the target port.
2. The method of claim 1, wherein prior to entering the observation period of the preset duration, the method further comprises:
and starting a storm suppression function, and configuring an initial waterline threshold of the target port.
3. The method of claim 1, wherein setting the storm threshold of the target port according to the first speed value, the lowest preset storm threshold, and the update record of the storm threshold of the target port comprises:
when the lowest preset storm threshold value is larger than the first speed value and is smaller than or equal to the initial waterline threshold value, setting the storm threshold value of the target port as the lowest preset storm threshold value;
when the first speed value is smaller than the initial waterline threshold value, larger than the lowest preset storm threshold value and the storm threshold value of the target port is not updated, setting the storm threshold value of the target port as a second speed value, wherein the second speed value is larger than the first speed value by a first elastic value;
and when the first speed value is smaller than the initial waterline threshold value, larger than the lowest preset storm threshold value, the storm threshold value of the target port is updated, and the first speed value is larger than the current storm threshold value of the target port minus a value of a second elasticity value, updating the storm threshold value of the target port to be a third speed value, wherein the third speed value is larger than the first speed value by a third elasticity value.
4. The method of claim 3, further comprising:
and when the first speed value is smaller than the initial waterline threshold value, larger than the lowest preset storm threshold value, the storm threshold value of the target port is updated, and the first speed value is smaller than or equal to the value obtained by subtracting a second elasticity value from the current storm threshold value of the target port, the storm threshold value of the target port is maintained.
5. The method of claim 1, wherein setting the storm threshold of the target port according to the speed value of the messages passing through the target port in the subsequent observation period comprises:
when the first speed value is larger than the initial waterline threshold value and smaller than or equal to a preset multiple of the initial waterline threshold value, reading a broadcast or multicast message passing through the target port in the subsequent observation period;
when a fourth speed value of the broadcast or multicast messages passing through the target port in the subsequent observation period is greater than the initial waterline threshold and less than or equal to the preset multiple of the initial waterline threshold, performing packet capture analysis on the messages passing through the target port from the second moment to obtain a packet capture analysis result, wherein the duration of the packet capture analysis is the same as that of the subsequent observation period;
when the packet capture analysis result shows that the IP addresses of the messages passing through the target port are continuous values, maintaining the storm threshold value of the target port and generating an alarm log;
and when the packet capture analysis result shows that the IP addresses of the messages passing through the target port are not continuous values, updating the storm threshold value of the target port to the first speed value read at the first moment.
6. The method of claim 5, wherein reading the broadcast or multicast packet that passed through the target port in the subsequent observation period comprises:
determining whether an alarm condition, in which the speed value of the broadcast or multicast messages passing through the target port is larger than the preset multiple of the initial waterline threshold value, occurs consecutively a preset number of times during the subsequent observation period;
when the alarm condition occurs consecutively the preset number of times, maintaining the storm threshold value of the target port, and feeding back the speed value of the broadcast or multicast messages passing through the target port that was read during the subsequent observation period;
and when the alarm condition does not occur consecutively the preset number of times, reading the broadcast or multicast messages passing through the target port until the second moment.
7. The method of claim 5, wherein after reading the broadcast or multicast packet that passed through the target port in the subsequent observation period, the method further comprises:
and when a fourth speed value of the broadcast or multicast message passing through the target port in the subsequent observation period is smaller than or equal to the initial waterline threshold value, updating the storm threshold value of the target port to a fifth speed value, wherein the fifth speed value is larger than the fourth speed value by a third elastic value.
8. The method of claim 1, wherein setting the storm threshold of the target port according to a speed value of a packet passing through the target port in a subsequent observation period further comprises:
when the first speed value is larger than a preset multiple of the initial waterline threshold value, keeping the storm threshold value of the target port;
and generating an alarm log.
9. The method according to any one of claims 1-8, further comprising:
after entering the operation period, reading the speed statistic value of the broadcast or multicast message passing through the target port;
within a preset adjustment duration, generating alarm logs according to the read speed statistic value in the same manner as in the observation period, while keeping the storm threshold value of the target port;
and when the number of generated alarm logs is larger than a preset number of logs, entering the observation period and taking the current storm threshold of the target port as the initial waterline threshold of the target port.
10. A port storm threshold control apparatus, the apparatus comprising:
a first speed value acquisition module, configured to read a first speed value of a broadcast or multicast message passing through a target port when entering an observation period with a preset duration;
a safety mode execution module, configured to set the storm threshold value of the target port according to the first speed value, the lowest preset storm threshold value and the update record of the storm threshold value of the target port when the first speed value is smaller than the initial waterline threshold value of the target port;
a non-secure mode execution module, configured to set a storm threshold of the target port according to a speed value of a packet passing through the target port in a subsequent observation period when the first speed value is greater than or equal to the initial waterline threshold, where the subsequent observation period is a period from a first time when the first speed value is read to a preset second time;
and an operation period execution module, configured to set the storm threshold of the target port to the storm threshold in effect when the preset duration is reached, enter the operation period and keep the storm threshold of the target port.
11. An electronic device comprising a memory and a processor, the memory having stored therein program instructions which, when executed by the processor, perform the port storm threshold control method of any of claims 1-9.
12. A storage medium having stored thereon computer program instructions which, when executed by a processor, perform the method of any one of claims 1 to 9.
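The observation-period decisions recited in claims 3-5, 7 and 8, written out as a small state update. This is an added illustration, not code from the patent or its applicant: the `Port` fields, the action strings and the reading of "IP is a continuous value" as one consecutive run of distinct addresses are assumptions, and branches the claims shown here do not define return `"not-covered"`.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass
class Port:                 # hypothetical container for the claimed parameters
    waterline: float        # initial waterline threshold
    lowest: float           # lowest preset storm threshold
    multiple: float         # preset multiple of the waterline
    threshold: float        # current storm threshold
    updated: bool = False   # update record for this observation period
    e1: float = 0.0         # first elastic value
    e2: float = 0.0         # second elastic value
    e3: float = 0.0         # third elastic value

def ips_continuous(ips):
    # Assumed interpretation: the distinct addresses form one consecutive run.
    nums = sorted({int(ip_address(i)) for i in ips})
    return len(nums) > 1 and nums[-1] - nums[0] == len(nums) - 1

def _set(port, value):
    port.threshold, port.updated = value, True
    return "update"

def safe_mode(port, v1):
    """Claims 3-4: lowest < v1 < waterline."""
    if not port.lowest < v1 < port.waterline:
        return "not-covered"
    if not port.updated:
        return _set(port, v1 + port.e1)      # second speed value
    if v1 > port.threshold - port.e2:
        return _set(port, v1 + port.e3)      # third speed value
    return "keep"                            # claim 4

def non_safe_mode(port, v1, v4=None, ips=()):
    """Claims 5, 7, 8: v1 above the waterline; v4 is the later reading."""
    ceiling = port.multiple * port.waterline
    if v1 <= port.waterline:
        return "not-covered"
    if v1 > ceiling:
        return "keep+alarm"                  # claim 8
    if v4 is None or v4 > ceiling:
        return "not-covered"
    if v4 <= port.waterline:
        return _set(port, v4 + port.e3)      # claim 7: fifth speed value
    if ips_continuous(ips):
        return "keep+alarm"                  # claim 5: consecutive addresses
    return _set(port, v1)                    # claim 5: accept v1 as threshold
```

The elastic values keep the threshold slightly above observed traffic, and the consecutive-address check is what stops a sweep-like burst from raising the threshold to match it.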
CN201911041874.0A 2019-10-29 2019-10-29 Port storm threshold control method and device, electronic equipment and storage medium Active CN110798382B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911041874.0A CN110798382B (en) 2019-10-29 2019-10-29 Port storm threshold control method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN110798382A true CN110798382A (en) 2020-02-14
CN110798382B CN110798382B (en) 2022-02-22

Family

ID=69441952

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911041874.0A Active CN110798382B (en) 2019-10-29 2019-10-29 Port storm threshold control method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110798382B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101895446A (en) * 2010-08-11 2010-11-24 广东省电力调度中心 Detection method of broadcast storm and device thereof
CN102882707A (en) * 2012-09-04 2013-01-16 大唐移动通信设备有限公司 Method and device for detecting and inhibiting Ethernet link storm
CN103780488A (en) * 2012-10-23 2014-05-07 中国电信股份有限公司 Broadcast message processing method and device
US8824297B2 (en) * 2012-04-26 2014-09-02 Cisco Technology, Inc. Adaptive storm control
CN105591968A (en) * 2016-01-25 2016-05-18 盛科网络(苏州)有限公司 Realization method of compensated Ethernet network storm inhibition
CN106789177A (en) * 2016-11-30 2017-05-31 武汉船舶通信研究所 A kind of system of dealing with network breakdown

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111464492A (en) * 2020-02-24 2020-07-28 北京龙鼎源科技股份有限公司 Control method and device for suppressing network storm, storage medium and processor
CN111581052A (en) * 2020-04-26 2020-08-25 中国工商银行股份有限公司 Alarm data processing method and device
CN111581052B (en) * 2020-04-26 2023-11-24 中国工商银行股份有限公司 Alarm data processing method and device
CN113938414A (en) * 2021-11-11 2022-01-14 杭州和利时自动化有限公司 Network storm processing method, system, equipment and computer storage medium
CN113938414B (en) * 2021-11-11 2023-09-12 杭州和利时自动化有限公司 Network storm processing method, system, equipment and computer storage medium

Also Published As

Publication number Publication date
CN110798382B (en) 2022-02-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant