CN111641659A - Method, device, equipment and storage medium for preventing central processing unit of switch from being attacked - Google Patents
- Publication number
- CN111641659A (application number CN202010519339.8A)
- Authority
- CN
- China
- Prior art keywords
- source port
- message
- attack
- protocol
- packet
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The embodiment of the invention discloses a method, a device, equipment and a storage medium for preventing the central processing unit of a switch from being attacked. The method comprises the following steps: acquiring the attack messages contained in a protocol message set uploaded by a switching chip, together with the attribute information of those attack messages; and sending an interception instruction to the switching chip according to the protocol type and the source port number of the attack message, so that the switching chip discards, according to the interception instruction, the attack messages of that protocol type received from that source port. Because the interception instruction is derived from the protocol type and the source port number of the attack message, only messages of the specific protocol type received from the specific source port are discarded: when a certain protocol message on a certain port is an attack message, only that protocol message received from that port is discarded, other types of protocol messages on the same port are not affected, and protocol messages of the same type on other ports are not affected either.
Description
Technical Field
The embodiment of the invention relates to the technical field of communication, in particular to a method, a device, equipment and a storage medium for preventing a central processing unit of a switch from being attacked.
Background
The switch sends protocol messages to its Central Processing Unit (CPU) through the switch chip, so that the CPU can perform protocol state maintenance, forwarding table entry configuration and the other service types that the protocol messages require. A large number of malicious attack messages may, however, exist in the network; they keep the CPU busy, interrupt the services it normally processes and can cause the switch to lose connectivity. For these problems, a hardware speed limit or a software speed limit is usually adopted at present.
With a hardware speed limit, the switching chip is usually configured to rate-limit the CPU queues and the CPU port. This has the problem that several protocol messages share one queue and cannot be accurately distinguished; in addition, if the limit is set unreasonably, either the CPU is not protected or normal protocol messages are swamped. With a software speed limit, software analysis determines that a message received by the CPU is an attack message and discards it by issuing a Content Aware Processor (CAP) rule for the whole machine, but normal protocol messages entering other ports are then discarded at the same time, which affects the normal operation of the switch services. Therefore, the existing anti-attack modes for the CPU of a switch cannot meet the actual requirements of users.
Disclosure of Invention
The embodiment of the invention provides a method, a device, equipment and a storage medium for preventing the central processing unit of a switch from being attacked, so that attack messages are effectively intercepted and the normal operation of the switch services is ensured.
In a first aspect, an embodiment of the present invention provides a method for preventing the central processing unit (CPU) of a switch from being attacked, including: acquiring an attack message contained in a protocol message set uploaded by a switching chip, together with attribute information of the attack message, where the attribute information contains at least the protocol type of the attack message and the corresponding source port number;
and sending an interception instruction to the switching chip according to the protocol type and the source port number of the attack message, so that the switching chip discards the attack message of the protocol type received from the source port according to the interception instruction.
In a second aspect, an embodiment of the present invention provides an apparatus for preventing a central processing unit CPU of a switch from being attacked, including:
the attack message acquisition module is used for acquiring an attack message contained in a protocol message set uploaded by the switching chip and attribute information of the attack message, wherein the attribute information at least contains a protocol type of the attack message and a corresponding source port number;
and the attack message intercepting module is used for sending an intercepting instruction to the switching chip according to the protocol type and the source port number of the attack message so that the switching chip discards the attack message of the protocol type received from the source port according to the intercepting instruction.
In a third aspect, an embodiment of the present invention provides an apparatus, including:
one or more processors;
a memory for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the above-described methods.
In a fourth aspect, an embodiment of the present invention provides a computer storage medium, on which a computer program is stored, which when executed by a processor implements the above method.
According to the technical scheme of the embodiment of the invention, the attack message and the attribute information of the attack message are obtained, and the interception instruction is sent to the exchange chip according to the protocol type and the source port number of the attack message to only discard the message of the specific protocol type received from the specific source port, wherein the specific source port refers to the source port for receiving the attack message, and the specific protocol type refers to the protocol type of the attack message. Therefore, when a certain protocol message received by a certain port is an attack message, only the protocol message received by the port is discarded without affecting other types of protocol messages of the port and without affecting the types of protocol messages of other ports, so that the normal operation of the switch service can be ensured under the condition of avoiding the attack of the attack message, and the actual requirements of users are met.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1(a) is a flowchart of a method for preventing a central processing unit of a switch from being attacked according to an embodiment of the present invention;
fig. 1(b) is a schematic diagram of an operating principle of a token bucket according to an embodiment of the present invention;
fig. 2 is a flowchart of a method for preventing a central processing unit of a switch from being attacked according to a second embodiment of the present invention;
fig. 3 is a flowchart of a method for preventing a central processing unit of a switch from being attacked according to a second embodiment of the present invention;
fig. 4 is a schematic structural diagram of an apparatus for preventing a central processing unit of a switch from being attacked, according to a third embodiment of the present invention;
fig. 5 is a schematic structural diagram of an apparatus according to a fourth embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1(a) is a flowchart of a method for preventing the central processing unit (CPU) of a switch from being attacked, which is applicable to the case of protecting the CPU of a switch against attack. As shown in fig. 1(a), the method specifically includes the following operations:
The attribute information at least includes a protocol type of the attack packet and a source port number corresponding to a source port receiving the attack packet.
Optionally, the obtaining of the attack packet included in the protocol packet set uploaded by the switch chip may include: establishing a token bucket for each type of protocol message in a protocol message set; issuing tokens to each token bucket at regular time, wherein each time a protocol message is received, the token in the corresponding token bucket is consumed; and determining the protocol message corresponding to the token bucket with the token number smaller than the second preset threshold value in the preset time as an attack message, and acquiring the attack message.
After acquiring the protocol message set, the CPU establishes a token bucket for each type of protocol message sent by each source port, that is, one token bucket per protocol type per source port. For example, if protocol packets of type a and type b are received on source port 1 and protocol packets of type a are received on source port 2, the CPU establishes token bucket 1 for type a on source port 1, token bucket 2 for type b on source port 1 and token bucket 3 for type a on source port 2. This is only an example; the numbers of source ports and of token buckets are not limited. Fig. 1(b) is a schematic diagram of the operating principle of a token bucket in this embodiment, taking token bucket 3 (type a on source port 2) as the example. The CPU detects the number of tokens in token bucket 3; when it determines that token bucket 3 is not full, a timer is started that issues tokens into token bucket 3 at a constant rate, and the CPU consumes one token from token bucket 3 each time it receives a protocol packet of type a on source port 2. Within a given period, if the CPU receives no protocol packet of type a on source port 2, the number of tokens in token bucket 3 keeps increasing, whereas if the CPU receives too many such packets, the number of tokens keeps decreasing.
Therefore, if the number of tokens in token bucket 3 falls below the second preset threshold within the preset time, it indicates that protocol packets of type a on source port 2 exceed the rate-limit requirement and are keeping the CPU busy, and the protocol packet of type a on source port 2 corresponding to token bucket 3 is determined to be an attack packet. In this embodiment the second preset threshold is a low threshold and may take the value 3; this is only an example, and the specific value is not limited, so long as the attack packet is determined from the protocol packet set in this way, which falls within the protection scope of this application and is not described further here.
It should be noted that after the attack packet is determined, its attribute information is obtained from the protocol packet set: the protocol type of the attack packet and the source port number of the source port that received it are determined. The attribute information is carried in the protocol packet set as additional information of the packet, so it can be extracted from the protocol packet set directly.
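The token bucket check described above, written out as an added C example (it is not the patent's code, and the patent gives none): one bucket per (source port, protocol type), tokens issued at a constant rate by a timer and consumed one per packet, the stream flagged as an attack when its bucket falls below the low second threshold (3 on the page) and treated as recovered once the bucket refills past the high first threshold (10 on the page, described in the second embodiment). The bucket capacity, the fill rate per tick, the port and protocol indices and the packet trace are constructed assumptions.

```c
/* Added example, not the patent's code: per-(source port, protocol type)
 * token buckets that flag an attack stream and later report its recovery.
 * The two thresholds are the values named on the page (low/"second" = 3,
 * high/"first" = 10); capacity, fill rate and the traffic trace are
 * constructed assumptions for illustration. */
#include <stdio.h>

#define MAX_PORTS      4
#define MAX_PROTOS     4
#define BUCKET_CAP     16   /* assumed bucket capacity */
#define FILL_PER_TICK  2    /* assumed tokens issued per timer tick */
#define LOW_THRESHOLD  3    /* "second preset threshold": below it => attack */
#define HIGH_THRESHOLD 10   /* "first preset threshold": above it => recovered */

enum stream_state { STATE_NORMAL = 0, STATE_ATTACK = 1 };

struct token_bucket {
    int tokens;
    enum stream_state state;
};

/* One bucket per (source port, protocol type), as the description prescribes. */
static struct token_bucket buckets[MAX_PORTS][MAX_PROTOS];

void buckets_init(void)
{
    for (int p = 0; p < MAX_PORTS; p++)
        for (int t = 0; t < MAX_PROTOS; t++) {
            buckets[p][t].tokens = BUCKET_CAP;
            buckets[p][t].state = STATE_NORMAL;
        }
}

/* Timer tick: issue tokens to every bucket that is not full, and mark a
 * stream recovered once its bucket has refilled above the high threshold
 * (nothing consumes tokens while the stream is intercepted). */
void buckets_tick(void)
{
    for (int p = 0; p < MAX_PORTS; p++)
        for (int t = 0; t < MAX_PROTOS; t++) {
            struct token_bucket *b = &buckets[p][t];
            b->tokens += FILL_PER_TICK;
            if (b->tokens > BUCKET_CAP)
                b->tokens = BUCKET_CAP;
            if (b->state == STATE_ATTACK && b->tokens > HIGH_THRESHOLD)
                b->state = STATE_NORMAL;
        }
}

/* A protocol packet of type `proto` arrived on `port`: consume one token.
 * Returns 1 if this packet caused the stream to be classified as an attack
 * (the moment the CPU would send the interception instruction). */
int bucket_on_packet(int port, int proto)
{
    struct token_bucket *b = &buckets[port][proto];
    if (b->tokens > 0)
        b->tokens--;
    if (b->state == STATE_NORMAL && b->tokens < LOW_THRESHOLD) {
        b->state = STATE_ATTACK;
        return 1;
    }
    return 0;
}

int bucket_state(int port, int proto)  { return buckets[port][proto].state; }
int bucket_tokens(int port, int proto) { return buckets[port][proto].tokens; }

/* Constructed scenario: a burst of 15 type-0 ("a") packets on source port 1
 * within one timer period, alongside ordinary type-0 traffic on source port 2.
 * Returns the index of the packet that tripped the low threshold. */
int demo_flood_detection(void)
{
    int flagged_at = -1;
    buckets_init();
    for (int i = 1; i <= 15; i++) {
        if (bucket_on_packet(1, 0) && flagged_at < 0)
            flagged_at = i;
        if (i % 8 == 0)
            bucket_on_packet(2, 0);
    }
    return flagged_at;
}

/* After interception no further packets reach the bucket; count the timer
 * ticks until it crosses the high threshold and the stream is recovered. */
int demo_ticks_until_recovery(void)
{
    int ticks = 0;
    while (bucket_state(1, 0) == STATE_ATTACK && ticks < 100) {
        buckets_tick();
        ticks++;
    }
    return ticks;
}

int main(void)
{
    int flagged = demo_flood_detection();
    printf("port 1 / type a flagged as attack at packet %d\n", flagged);
    printf("port 2 / type a state: %s\n",
           bucket_state(2, 0) == STATE_ATTACK ? "attack" : "normal");
    int ticks = demo_ticks_until_recovery();
    printf("port 1 / type a recovered after %d ticks (%d tokens)\n",
           ticks, bucket_tokens(1, 0));
    return 0;
}
```

The per-port, per-protocol granularity is the point: the flood on source port 1 trips its own bucket while the same protocol type on source port 2 keeps its tokens and is never flagged. The two thresholds give hysteresis, so a stream is not declared recovered the moment it creeps back over the low threshold.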
And step 102, sending an interception instruction to the switch chip according to the protocol type and the source port number of the attack message, so that the switch chip discards the attack message of the protocol type received from the source port according to the interception instruction.
Optionally, sending an interception instruction to the switch chip according to the protocol type of the attack packet and the source port number, so that the switch chip discards the attack packet of the protocol type received from the source port according to the interception instruction, which may include: sending an interception instruction to the switching chip according to the protocol type and the source port number of the attack message, wherein the interception instruction comprises a content matching engine CAP rule modification instruction or a CAP rule creation instruction; and the exchange chip modifies or creates a CAP rule according to the interception instruction and discards the attack message of the protocol type received from the source port according to the CAP rule, wherein the CAP rule comprises the protocol type, the source port number and the processing action.
Optionally, each CAP rule establishes a matching relationship between packets of one protocol type and a plurality of source port numbers of the switch. In such a rule, if the identification bit of a source port number is valid, a packet of that protocol type received through that source port is processed with the processing action contained in the CAP rule; if the identification bit is invalid, a packet of that protocol type received through that source port is not processed with that action. Alternatively, each CAP rule establishes a matching relationship between packets of one protocol type and a single source port number of the switch, and indicates that a packet of that protocol type received through that source port is processed with the processing action contained in the rule.
Specifically, the CAP rule includes two representation modes: the first is that a CAP rule is used for establishing a matching relation with a source port number of a switch for a message of a protocol type; the second is a CAP rule used to establish a matching relationship with multiple source port numbers of a switch for a protocol type packet.
For the first case, one CAP rule targets only one source port number, so when there are multiple source port numbers, multiple CAP rules need to be established for one protocol type, as shown in table 1 below, which lists multiple CAP rules for protocol type a:
TABLE 1
| Rule number | Protocol type | Port number | Action |
|---|---|---|---|
| CAP1 | a | Port 1 | Upload to CPU |
| CAP2 | a | Port 2 | Do not upload to CPU |
In table 1, one CAP rule is established for each source port number of protocol type a. This embodiment uses two source port numbers as an example; the number of source port numbers per protocol type is not limited in practice, and every case in which the number of CAP rules for protocol type a equals the number of source port numbers falls within the protection scope of this application.
For the second case, the CAP rule established for a protocol packet contains information on all source port numbers. The source port number in the CAP rule may be represented in bitmap form or in non-bitmap form. In bitmap form, each bit of the bitmap is the identification bit of one source port number: a bit value of 1 indicates that the corresponding source port number matches the protocol type (the identification bit is valid), and a bit value of 0 indicates that it does not (the identification bit is invalid), as shown in table 2 below, which represents a CAP rule in bitmap form:
TABLE 2
| Rule number | Protocol type | Bitmap | Action |
|---|---|---|---|
| CAP1 | a | 10 | Upload to CPU |
In this CAP rule the first bit of the bitmap corresponds to source port 2 and the second bit to source port 1. The first bit has the value 1, that is, its identification bit is valid, which indicates that protocol type a matches source port 2 and packets can be uploaded to the CPU; a bit value of 0, that is, an invalid identification bit, indicates that protocol type a does not match the corresponding source port and packets cannot be uploaded to the CPU.
Table 3 below is a table diagram showing the CAP rules in the form of a non-bitmap:
TABLE 3
In the CAP rule in table 3, the non-bitmap representation is adopted, and the actions to be completed are specified in the CAP rule for each port number when valid.
Optionally, before acquiring the attack packet and its attribute information from the protocol packet set uploaded by the switch chip, the method may further include: sending the CAP rule corresponding to each preset type of protocol message to the switching chip, so that the switching chip reports protocol messages of the preset types according to those CAP rules and the protocol message set is obtained;
and sending the interception instruction to the switch chip according to the protocol type and the source port number of the attack packet may include: determining the CAP rule corresponding to the attack message from its protocol type and source port number; sending an interception instruction to the switching chip that contains the protocol type of the attack message and the source port number of the source port that received it; and the switching chip determining the CAP rule corresponding to the attack message from the interception instruction and modifying the identification bit of that source port number in the CAP rule to invalid, where the processing action contained in the CAP rule is upload to CPU.
Alternatively, sending the interception instruction to the switch chip according to the protocol type and the source port number of the attack packet may include: judging, from the protocol type of the attack message, whether a historical CAP rule for the attack message already exists;
if so, sending an interception instruction to the switching chip that contains the protocol type of the attack message and the source port number of the source port that received it, and the switching chip modifying the identification bit of that source port number in the historical CAP rule to valid according to the interception instruction;
otherwise, sending an interception instruction to the switching chip so that the switching chip establishes an initial CAP rule according to it, in which the identification bit of the source port number of the source port that received the attack message is valid and the identification bits of the remaining source port numbers are invalid;
where the processing action contained in the historical CAP rule or the initial CAP rule is discard.
It should be noted that, in this embodiment, when the same attack packet occurs on multiple source ports, only the identification bits of the corresponding source port numbers in the CAP rule need to be modified. Once the identification bit of a source port number is set invalid, an attack packet of that protocol type received through that source port is no longer processed with the action contained in the CAP rule, so the packet can no longer complete the action set in the rule (upload to CPU or discard), and the CPU does not need to issue a new CAP rule, which saves storage space and improves operating efficiency.
According to the technical scheme of the embodiment of the invention, the attack message and the attribute information of the attack message are obtained, and the interception instruction is sent to the exchange chip according to the protocol type and the source port number of the attack message to only discard the message of the specific protocol type received from the specific source port, wherein the specific source port refers to the source port for receiving the attack message, and the specific protocol type refers to the protocol type of the attack message. Therefore, when a certain protocol message of a certain port is an attack message, only the protocol message received from the port is discarded, other types of protocol messages of the port are not influenced, and the types of protocol messages of other ports are not influenced, so that the normal operation of the switch service can be ensured under the condition of avoiding the attack of the attack message, and the actual requirements of users are met.
Example two
Fig. 2 is a flowchart of a method for preventing a CPU of a switch from being attacked according to a second embodiment of the present invention, where this embodiment specifically describes a manner in which an interception instruction is sent to a switch chip according to a protocol type and a source port number of an attack packet, so that the switch chip intercepts the attack packet according to the interception instruction, and specifically describes a manner in which protocol packets are collected. Correspondingly, the method of the embodiment specifically includes the following steps:
Specifically, the switch in this embodiment includes a switch chip and a CPU connected to it. The interface between the switch chip and the CPU inside the switch is the target port, of which there is one; the switch is connected to a plurality of external devices through source ports on the outside of the switch, of which there may be several, and obtains multiple types of protocol packets transmitted by the external devices through the source ports. One source port may carry several types of protocol packet, and different source ports may carry the same type. After the switching chip acquires the protocol messages through the source ports, it transmits them to the CPU through the target port, and together they form the protocol message set.
Specifically, in this embodiment the CPU has protocol packets reported to it by issuing CAP rules in the ingress direction to the switch chip, where the ingress direction means entering the switch chip from outside the switch. At initialization the CPU issues to the switch chip the CAP rule corresponding to each preset type of protocol packet, so that the switch chip reports protocol packets of the preset types according to those rules. The preset types include Address Resolution Protocol (ARP) packets and Bridge Protocol Data Units (BPDU), which are characterized by an indeterminate destination address. Each CAP rule includes a protocol type, a source port number and a processing action; the source port number may be represented as a bitmap, and the action set in the rule is upload to CPU.
For example, suppose there are two source ports between the external devices and the switch, source port 1 and source port 2, and the preset protocol types are protocol type a and protocol type b. The CPU issues one CAP rule to the switch chip for each protocol type, so protocol type a corresponds to the CAP1 rule and protocol type b to the CAP2 rule; the rules may be issued as a rule list, as shown in table 4 below:
TABLE 4
| Rule number | Protocol type | Bitmap | Action |
|---|---|---|---|
| CAP1 | a | 11 | Upload to CPU |
| CAP2 | b | 01 | Upload to CPU |
In each CAP rule the first bit of the bitmap corresponds to source port 2 and the second bit to source port 1. A bit value of 1 (the identification bit is valid) indicates that the protocol type matches the corresponding source port, and a bit value of 0 (the identification bit is invalid) indicates that it does not; in other words, the CAP rule matches the physical ports whose bit value is 1 and does not match those whose bit value is 0. As can be seen from table 3, at the initial time the switching chip reports protocol type a and protocol type b received on source port 1 to the CPU according to the rule list, and all protocol messages uploaded by the switching chip form the protocol message set. Two source ports are taken as an example in this embodiment; the number of source ports and the types of protocol packet reported by each source port are not limited.
The attribute information at least includes a protocol type of the attack packet and a source port number corresponding to a source port receiving the attack packet.
Optionally, the obtaining of the attack packet included in the protocol packet set uploaded by the switch chip may include: establishing a token bucket for each type of protocol message in a protocol message set; issuing tokens to each token bucket at regular time, wherein each time a protocol message is received, the token in the corresponding token bucket is consumed; and determining the protocol message corresponding to the token bucket with the token number smaller than the second preset threshold value in the preset time as an attack message, and acquiring the attack message.
The manner of obtaining the attack packet from the protocol packet set uploaded by the switch chip is substantially the same as that in the first embodiment, so that reference may be made to the detailed description in the first embodiment, which is not repeated herein.
The interception instruction includes the protocol type of the attack message and the source port number of the source port that received it, and the processing action contained in the CAP rule is upload to CPU.
Specifically, the CPU monitors each token bucket and determines that protocol type a received on source port 1 is an attack packet. It then sends an interception instruction to the switch chip containing the protocol type a of the attack packet and source port 1 on which it was received. According to the interception instruction the switch chip determines that the attack packet corresponds to the CAP1 rule and modifies the flag bit corresponding to source port 1 in CAP1, that is, the second bit of the bitmap, from 1 to 0, marking it invalid. The modified rule list is shown in table 5 below:
TABLE 5
| Rule number | Protocol type | Bitmap | Action |
|---|---|---|---|
| CAP1 | a | 10 | Upload to CPU |
| CAP2 | b | 01 | Upload to CPU |
After the CPU issued the CAP rules to the switch chip as a rule list, protocol type a received on both source port 1 and source port 2 could originally be reported to the CPU, since the bitmap for protocol type a was 11. When protocol type a on source port 1 is determined to be an attack packet, only the second bit of the bitmap in the CAP1 rule, the bit for source port 1, needs to be updated: its value 1 is changed to 0, forming the new bitmap 10. Since source port 1 and protocol type a no longer match, the identification bit of source port 1 is invalid, and when the switch chip receives an attack packet of protocol type a through source port 1, the upload-to-CPU action of the CAP1 rule is no longer executed for it; no new CAP rule needs to be issued. When reporting protocol messages according to the updated rules of table 5, the switching chip reports only protocol type a received on source port 2 and protocol type b received on source port 1, so the attack messages received on source port 1 are indirectly discarded while the reporting of protocol type b on source port 1 and of protocol type a on source port 2 is not affected. The attack message is thus effectively intercepted, the attack on the CPU is avoided and the normal operation of the CPU is ensured.
It should be noted that, in this embodiment, when the same attack packet occurs on multiple source ports, only the bit values corresponding to those source port numbers in the CAP rule need to be modified. Modifying a bit value removes the match between that source port number and the protocol type, so an attack packet obtained from that source port can no longer complete the action set in the CAP rule, that is, upload to the CPU, and the CPU does not need to issue a new CAP rule, which saves storage space and improves operating efficiency.
Optionally, after the interception instruction has been sent to the switch chip according to the protocol type and source port number of the attack packet, the method may further include: when the attack packet is determined to have become a normal packet, sending a recovery instruction for the CAP rule corresponding to the attack packet to the switch chip, so that the switch chip, according to the recovery instruction, modifies the identification bit of the source port number corresponding to the source port that received the attack packet back to valid.
Optionally, determining that the attack packet has become a normal packet includes: detecting the token bucket corresponding to the attack packet and determining that the number of tokens in that token bucket is greater than a first preset threshold, in which case the attack packet is a normal packet.
Specifically, after the attack packet has been determined and intercepted, the tokens in the token bucket that the CPU created for it keep increasing, because nothing consumes them any more. In the example above, protocol type a on source port 1 is the attack packet and token bucket 1 in the CPU corresponds to it. Token bucket 1 is monitored; since its tokens keep increasing once protocol type a on source port 1 is intercepted, the moment the number of tokens exceeds the first preset threshold indicates that the packet flow has returned to normal. The CPU then issues a recovery instruction for CAP1 to the switch chip, and the switch chip reverses the earlier modification of the bit corresponding to that source port number, so the source port number whose identification bit was invalid becomes valid again. The first preset threshold is greater than the second preset threshold used to detect the attack; in this embodiment it is the high threshold and may be, for example, 10.
According to the recovery instruction for the CAP1 rule, the switch chip changes the source port number's identification bit from invalid back to valid, that is, the bitmap 10 of CAP1 in table 5 is restored to 11, and from then on the switch chip again reports protocol type a received on source port 1 to the CPU. Thus, once the attack packet has returned to a normal protocol packet, it is enough to modify the CAP rule corresponding to the attack packet for the switch chip to resume reporting that protocol packet.
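The CPU-side detection described in the paragraphs above (one token bucket per source port and protocol type, a low threshold that declares an attack and a higher one that declares recovery) can be exercised on a constructed packet trace. The following is an added example and not code from the patent; bucket capacity, refill rate, the two threshold values, the per-tick timing and the sample trace are assumptions chosen so that the hysteresis between the two thresholds is visible.

```python
"""Two-threshold token-bucket detection of CPU-bound protocol floods.

Added example, not code from the patent. One bucket per (source port,
protocol type). The timer adds tokens to every bucket; each packet the
switch chip uploads to the CPU consumes one token. When a bucket drains
below the low ("second preset") threshold, that (port, protocol) is
declared an attack and intercepted, so nothing is consumed from the bucket
any more. It refills, and once it exceeds the high ("first preset")
threshold the flow is declared recovered. Capacity, refill rate,
thresholds and the sample trace are assumed values.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Bucket:
    capacity: int = 20        # assumed; must exceed the high threshold
    tokens: int = 20          # buckets start full
    intercepted: bool = False


class TokenBucketMonitor:
    def __init__(self, refill_per_tick: int = 2, low: int = 2, high: int = 10):
        if high <= low:
            raise ValueError("first preset threshold must exceed the second")
        self.refill = refill_per_tick
        self.low = low
        self.high = high
        self.buckets: dict[tuple[int, str], Bucket] = {}
        self.events: list[tuple[int, int, str, str]] = []

    def _bucket(self, port: int, proto: str) -> Bucket:
        return self.buckets.setdefault((port, proto), Bucket())

    def on_packet(self, tick: int, port: int, proto: str) -> None:
        """The switch chip uploaded one packet of `proto` received on `port`."""
        b = self._bucket(port, proto)
        if b.intercepted:
            return                        # chip no longer uploads these
        if b.tokens > 0:
            b.tokens -= 1
        if b.tokens < self.low:           # second preset threshold
            b.intercepted = True          # CPU issues interception instruction
            self.events.append((tick, port, proto, "attack"))

    def on_tick(self, tick: int) -> None:
        """Timer: issue tokens to every bucket and check for recovery."""
        for (port, proto), b in self.buckets.items():
            b.tokens = min(b.capacity, b.tokens + self.refill)
            if b.intercepted and b.tokens > self.high:   # first preset threshold
                b.intercepted = False     # CPU issues recovery instruction
                self.events.append((tick, port, proto, "recovered"))


def run_trace(trace: dict[int, list[tuple[int, str]]], ticks: int,
              monitor: TokenBucketMonitor | None = None):
    """Replay constructed arrivals {tick: [(port, proto), ...]}; return events."""
    m = monitor or TokenBucketMonitor()
    for t in range(ticks):
        for port, proto in trace.get(t, []):
            m.on_packet(t, port, proto)
        m.on_tick(t)
    return m.events


# Constructed trace: a flood of protocol a on port 1 for three ticks, while
# protocol a on port 2 and protocol b on port 1 stay at one packet per tick.
NORMAL = [(2, "a"), (1, "b")]
SAMPLE_TRACE = {t: ([(1, "a")] * 30 if t < 3 else []) + NORMAL for t in range(8)}


def demo():
    """Returns the attack/recovery events for SAMPLE_TRACE."""
    return run_trace(SAMPLE_TRACE, ticks=8)


if __name__ == "__main__":
    for ev in demo():
        print(ev)
```

With these values the flood on (port 1, protocol a) empties its bucket during the first tick and is intercepted at once; the other two flows never dip below the low threshold. Because interception stops consumption, the bucket climbs by two tokens per tick and crosses the high threshold four ticks later, which is when the recovery instruction would be sent. The gap between the two thresholds is what prevents the rule from flapping on a flow that hovers around a single limit.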
According to the technical solution of this embodiment, an attack packet and its attribute information are obtained, and an interception instruction is sent to the switch chip according to the protocol type and source port number of the attack packet, so that only packets of the specific protocol type received from the specific source port are discarded, where the specific source port is the source port that received the attack packet and the specific protocol type is the protocol type of the attack packet. Therefore, when a protocol packet of a certain type on a certain port is an attack packet, only that protocol packet received from that port is discarded; other protocol types on the same port and the same protocol type on other ports are unaffected, so normal operation of the switch services is ensured while the attack on the CPU is avoided, meeting users' actual requirements.
EXAMPLE III
Fig. 3 is a flowchart of a method for preventing the central processing unit (CPU) of a switch from being attacked according to a third embodiment of the present invention. This embodiment details the way in which, in the first embodiment, the interception instruction is sent to the switch chip according to the protocol type and source port number of the attack packet so that the switch chip intercepts the attack packet according to the interception instruction.
Correspondingly, the method of the embodiment specifically includes the following steps:
The attribute information at least includes the protocol type of the attack packet and the source port number corresponding to the source port that received the attack packet.
It should be noted that in this embodiment the switch chip uploads protocol packets to the CPU as part of its normal service forwarding. The difference from the second embodiment is that, before the CPU obtains the attack packet contained in the protocol packet set uploaded by the switch chip, the CPU does not issue any initial CAP rules to the switch chip, so the switch chip reports all protocol packets received on its source ports to the CPU. The protocol packets the switch chip receives through its source ports may include Internet Control Message Protocol (ICMP) packets; a protocol packet in this embodiment is characterized by being addressed to the switch itself, for example a packet whose destination IP is a local IP of the switch.
For example, protocol type a packets received on source port 1 in the protocol packet set uploaded by the switch chip are determined to be attack packets, the determination being made with token buckets as described above.
The historical CAP rule contains the correspondence between the protocol type of the attack packet and source port numbers.
Specifically, in this embodiment, after the attack packet is determined, a database is queried to find out whether a historical CAP rule for the attack packet already exists. A historical CAP rule here is a rule in the direction from the switch chip to the CPU that was created earlier because a protocol packet of the same type as the attack packet, received on another source port, had already been determined to be an attack packet. The processing action contained in a historical CAP rule is discard.
The interception instruction comprises a protocol type of the attack message and a source port number corresponding to a source port for receiving the attack message.
Specifically, when it is determined that a historical CAP rule exists for the attack packet, only the identification bit of the source port number corresponding to the newly determined attack packet needs to be set to valid in that CAP rule. For example, there are two source ports between the external device and the switch, source port 1 and source port 2; protocol type a packets on source port 2 were previously determined to be attack packets, the CPU issued a CAP rule to the switch chip whose action is discard, and the switch chip stores this historical CAP rule as a list, shown in table 6:
TABLE 6
Rule number | Protocol type | Bitmap | Action |
---|---|---|---|
CAP3 | a | 10 | Discard |
In this CAP rule the first bit of the bitmap corresponds to source port 2 and the second bit to source port 1. A bit value of 1 means the identification bit is valid, that is, the protocol type matches the corresponding source port; a bit value of 0 means it is invalid and the protocol type does not match that source port. As table 6 shows, protocol type a on source port 2 is an attack packet, so the switch chip discards protocol type a received on source port 2. When the CPU determines from the protocol packet set uploaded by the switch chip that protocol type a received on source port 1 is also an attack packet, it sends an interception instruction to the switch chip, and the switch chip sets the identification bit of source port 1 in the historical CAP rule, that is, the second bit of the bitmap, to 1. The modified historical rule list is shown in table 7:
TABLE 7
Rule number | Protocol type | Bitmap | Action |
---|---|---|---|
CAP3 | a | 11 | Discard |
With the second bit of the bitmap set to 1 the new bitmap is 11: source port 1 now matches the protocol type, its identification bit is valid, and when the switch chip receives an attack packet of protocol type a on source port 1 it executes the discard action of the CAP3 rule for it, so the attack packet received on source port 1 is discarded. Because the action of the CAP rule is discard, under the modified historical rule list the switch chip discards protocol type a received on source port 2 as well as protocol type a received on source port 1.
It should be noted that in this embodiment, when the same attack packet appears on several source ports, only the bit corresponding to each such source port number in the CAP rule needs to be modified. The modification makes that source port number match the protocol type, so attack packets obtained on that source port are subject to the action set in the CAP rule, that is, they are discarded, and the CPU does not have to issue a new CAP rule, which saves storage space and improves efficiency.
Step 304, sending an interception instruction to the switch chip so that the switch chip establishes an initial CAP rule according to the interception instruction.
The initial CAP rule has the identification bit of the source port number corresponding to the source port that received the attack packet set to valid and the identification bits of the remaining source port numbers set to invalid, and its processing action is discard.
Specifically, when it is determined that no historical CAP rule exists for the attack packet, the CPU sends an interception instruction to the switch chip according to the protocol type and source port number of the determined attack packet, and the switch chip creates a CAP rule from it. For example, there are two source ports between the external device and the switch, source port 1 and source port 2, and protocol type a received on source port 1 is determined to be an attack packet from the protocol packet set uploaded by the switch chip this time. The CPU sends the CAP interception instruction to the switch chip, which establishes an initial CAP rule and stores it as a list, shown in table 8:
TABLE 8
Rule number | Protocol type | Bitmap | Action |
---|---|---|---|
CAP4 | a | 01 | Discard |
In this CAP rule the first bit of the bitmap corresponds to source port 2 and the second bit to source port 1; a bit value of 1 means the protocol type matches the corresponding source port and 0 means it does not. As table 8 shows, protocol type a on source port 1 is an attack packet, so the switch chip discards protocol type a received on source port 1.
Optionally, after the interception instruction has been sent to the switch chip according to the protocol type and source port number of the attack packet, the method may further include: when the attack packet is determined to have become a normal packet, sending a recovery instruction for the CAP rule corresponding to the attack packet to the switch chip, so that the switch chip, according to the recovery instruction, modifies the identification bit of the source port number corresponding to the source port that received the attack packet to invalid.
Optionally, determining that the attack packet has become a normal packet includes: detecting the token bucket corresponding to the attack packet and determining that the number of tokens in that token bucket is greater than a first preset threshold, in which case the attack packet is a normal packet.
Specifically, after the attack packet has been determined and intercepted, the tokens in the token bucket that the CPU created for it keep increasing, because nothing consumes them any more. For example, protocol type a on source port 1 in table 7 is the attack packet and token bucket 1 in the CPU corresponds to it. Token bucket 1 is monitored; since protocol type a on source port 1 is intercepted, its tokens keep increasing, and when their number exceeds the first preset threshold the packet flow has returned to normal. The CPU then issues a recovery instruction for CAP3 to the switch chip, which sets the second bit of the CAP3 bitmap back to 0, restoring the original bitmap 10. Source port 1 no longer matches the protocol type, so its identification bit is invalid, and the switch chip stops discarding protocol type a received from source port 1. Thus, once the attack packet has returned to a normal protocol packet, it is enough to modify the CAP rule corresponding to the attack packet for the protocol packet to be reported again.
The first preset threshold is greater than the second preset threshold; in this embodiment it is the high threshold and may be, for example, 10. This is only an illustration and does not limit the specific value of the first preset threshold: any value at which the switch chip can again upload the formerly intercepted packet to the CPU falls within the scope of this application, and details are not repeated here.
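The rule-list manipulation of both embodiments (tables 5 to 8 above: clearing or setting one identification bit instead of installing a new rule, and reversing that bit on recovery) is modelled in the following added example. It is not the patent's code and not any vendor's chip API. The rule names, the string constants for the actions, the fallback behaviour when a packet matches no valid bit (no punt to the CPU in the upload-rule variant, punt to the CPU in the discard-rule variant) and the two-port layout are assumptions taken from the tables; the bit order follows the tables, with the lowest bit standing for source port 1 so that the printed bitmap shows source port 2 first.

```python
"""Switch-chip CAP rule list with per-source-port identification bits.

Added example, not code from the patent. Two interception styles:
  * UPLOAD mode (second embodiment): the CPU pre-installs one rule per
    protocol type with action "upload to CPU" and every port bit valid;
    an interception clears the attacking port's bit, a recovery sets it.
  * DISCARD mode (third embodiment): no rule exists until an attack is
    seen; an interception reuses a historical discard rule for the same
    protocol type (setting the port's bit) or creates one with only that
    port's bit valid; a recovery clears the bit.
Rule names and the default when no valid bit matches are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

UPLOAD = "upload_cpu"           # rule action; also the default in DISCARD mode
DISCARD = "discard"
NOT_UPLOADED = "not_uploaded"   # UPLOAD mode, bit invalid: packet not punted


@dataclass
class CapRule:
    proto: str
    bitmap: int                 # bit (port - 1) set means identification bit valid
    action: str

    def is_valid(self, port: int) -> bool:
        return bool((self.bitmap >> (port - 1)) & 1)

    def set_bit(self, port: int, valid: bool) -> None:
        mask = 1 << (port - 1)
        self.bitmap = self.bitmap | mask if valid else self.bitmap & ~mask


class SwitchChip:
    def __init__(self, mode: str, n_ports: int, protocols=()):
        self.mode, self.n_ports = mode, n_ports
        self.rules: dict[str, CapRule] = {}
        if mode == UPLOAD:      # initial CAP rules issued by the CPU
            for p in protocols:
                self.rules[p] = CapRule(p, (1 << n_ports) - 1, UPLOAD)

    def bitmap(self, proto: str) -> str:
        """Bitmap in the tables' notation (port 2 first, port 1 last)."""
        return format(self.rules[proto].bitmap, f"0{self.n_ports}b")

    # data plane: one lookup per protocol packet
    def handle(self, port: int, proto: str) -> str:
        rule = self.rules.get(proto)
        if rule is not None and rule.is_valid(port):
            return rule.action
        return NOT_UPLOADED if self.mode == UPLOAD else UPLOAD

    # control plane: instructions from the CPU
    def intercept(self, port: int, proto: str) -> None:
        if self.mode == UPLOAD:
            self.rules[proto].set_bit(port, False)                 # table 5
        elif proto in self.rules:                                  # historical rule
            self.rules[proto].set_bit(port, True)                  # table 7
        else:                                                      # initial rule
            self.rules[proto] = CapRule(proto, 1 << (port - 1), DISCARD)  # table 8

    def recover(self, port: int, proto: str) -> None:
        # UPLOAD mode: bit back to valid; DISCARD mode: bit back to invalid
        self.rules[proto].set_bit(port, valid=(self.mode == UPLOAD))


def demo_upload_mode() -> dict:
    """Second embodiment: CAP1/CAP2 as in table 5, then recovery."""
    chip = SwitchChip(UPLOAD, n_ports=2, protocols=("a", "b"))
    chip.rules["b"].set_bit(2, False)          # CAP2 has bitmap 01 in table 5
    chip.intercept(1, "a")                     # CAP1 11 -> 10
    out = {"bitmap": chip.bitmap("a"), "rules": len(chip.rules),
           "p1a": chip.handle(1, "a"), "p2a": chip.handle(2, "a"),
           "p1b": chip.handle(1, "b")}
    chip.recover(1, "a")                       # CAP1 10 -> 11
    out["after"] = (chip.bitmap("a"), chip.handle(1, "a"))
    return out


def demo_discard_mode() -> dict:
    """Third embodiment: tables 6, 7 and 8, then recovery."""
    chip = SwitchChip(DISCARD, n_ports=2)
    chip.intercept(2, "a")                     # no history: CAP3 created as 10
    t6 = chip.bitmap("a")
    chip.intercept(1, "a")                     # history found: CAP3 -> 11
    out = {"t6": t6, "t7": chip.bitmap("a"), "rules": len(chip.rules),
           "p1a": chip.handle(1, "a"), "p2a": chip.handle(2, "a"),
           "p1b": chip.handle(1, "b")}
    chip.recover(1, "a")                       # CAP3 11 -> 10
    out["after"] = (chip.bitmap("a"), chip.handle(1, "a"))
    fresh = SwitchChip(DISCARD, n_ports=2)
    fresh.intercept(1, "a")                    # table 8: CAP4 created as 01
    out["t8"] = fresh.bitmap("a")
    return out


if __name__ == "__main__":
    print(demo_upload_mode())
    print(demo_discard_mode())
```

The point the two demos make is the one the text stresses: a second attacking port costs one bit flip in an existing entry, so the rule count stays at one per protocol type in both modes, and the same entry is edited again on recovery. Note the asymmetry that matters when operating such a device: in upload mode an invalid bit means "silently not punted", while in discard mode an invalid bit means "punted as before", so the meaning of a 0 in a dumped rule table depends on the rule's action.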
As in the second embodiment, the technical solution of this embodiment obtains the attack packet and its attribute information and sends an interception instruction to the switch chip according to the protocol type and source port number of the attack packet, so that only packets of that protocol type received from that source port are discarded. Other protocol types on the same port and the same protocol type on other ports are unaffected, so normal operation of the switch services is ensured while the attack on the CPU is avoided, meeting users' actual requirements.
Example four
Fig. 4 is a schematic structural diagram of an apparatus for preventing the central processing unit of a switch from being attacked. The apparatus includes an attack packet obtaining module 401 and an attack packet intercepting module 402.
The attack packet obtaining module 401 is configured to obtain an attack packet contained in a protocol packet set uploaded by the switch chip and attribute information of the attack packet, where the attribute information at least includes the protocol type of the attack packet and the source port number of the source port that received it;
and the attack packet intercepting module 402 is configured to send an interception instruction to the switch chip according to the protocol type and source port number of the attack packet, so that the switch chip intercepts the attack packet according to the interception instruction.
The apparatus can execute the method for preventing the central processing unit of a switch from being attacked provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects. For technical details not described in this embodiment, refer to the method for preventing the central processing unit of a switch from being attacked provided in any embodiment of the present invention.
EXAMPLE five
A fifth embodiment of the present invention relates to an apparatus, as shown in fig. 5, which is a structural example of the apparatus, and includes at least one processor 501; and a memory 502 communicatively coupled to the at least one processor 501. Wherein the memory 502 stores instructions executable by the at least one processor 501, the instructions being executable by the at least one processor 501 to enable the at least one processor 501 to perform a method of protecting a central processor of a switch from attacks.
The processors 501 and the memory 502 may be connected by a bus or in other ways; a bus connection is taken as the example in fig. 5. The bus may include any number of interconnected buses and bridges and links together the circuits of the one or more processors 501 and the memory 502. The bus may also link other circuits such as peripherals, voltage regulators and power management circuits, which are well known in the art and are not described further here. The processor manages the bus and general processing and may also provide functions including timing, peripheral interfaces, voltage regulation, power management and other control functions, and the memory may store data used by the processor when performing operations.
Those skilled in the art can understand that all or part of the steps in the method according to the above embodiments may be implemented by a program to instruct related hardware, where the program is stored in a storage medium and includes several instructions to enable a device (which may be a single chip, a chip, etc.) or a processor (processor) to execute all or part of the steps in the method according to the embodiments of the present application.
EXAMPLE six
An embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements a method for preventing a central processing unit of a switch from being attacked, as provided in all embodiments of the present invention:
acquiring an attack message contained in a protocol message set uploaded by a switching chip and attribute information of the attack message, wherein the attribute information at least contains a protocol type of the attack message and a source port number corresponding to a source port for receiving the attack message; and sending an interception instruction to the switching chip according to the protocol type and the source port number of the attack message, so that the switching chip discards the attack message of the protocol type received from the source port according to the interception instruction.
Any combination of one or more computer-readable media may be employed. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++, or the like, as well as conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments illustrated herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.
Claims (12)
1. A method for preventing a central processing unit (CPU) of a switch from being attacked, characterized by comprising the following steps:
acquiring an attack message contained in a protocol message set uploaded by a switching chip and attribute information of the attack message, wherein the attribute information at least contains a protocol type of the attack message and a source port number corresponding to a source port for receiving the attack message;
and sending an interception instruction to the switching chip according to the protocol type of the attack message and the source port number, so that the switching chip discards the attack message of the protocol type received from the source port according to the interception instruction.
2. The method of claim 1, wherein sending an interception instruction to the switch chip according to the protocol type of the attack packet and the source port number to cause the switch chip to discard the attack packet of the protocol type received from the source port according to the interception instruction comprises:
sending an interception instruction to the switch chip according to the protocol type of the attack message and the source port number, wherein the interception instruction comprises a content matching engine (CAP) rule modification instruction or a CAP rule creation instruction;
and the switch chip modifies or creates a CAP rule according to the interception instruction and, according to the CAP rule, discards the attack packet of the protocol type received from the source port, wherein the CAP rule comprises the protocol type, the source port number and the processing action.
3. The method according to claim 2, wherein each CAP rule is configured to establish a matching relationship between packets of one protocol type and a plurality of source port numbers of the switch, such that, when the identification bit of a source port number in the CAP rule is valid, a packet of that protocol type received through that source port is processed with the processing action contained in the CAP rule, and when the identification bit of the source port number is invalid, a packet of that protocol type received through that source port is not processed with the processing action contained in the CAP rule;
or each CAP rule is used to establish a matching relationship between a packet of a protocol type and a source port number of a switch, and the CAP rule indicates that when the packet of the protocol type is received through the source port, the packet of the protocol type is processed by using a processing action included in the CAP rule.
4. The method according to claim 3, wherein before obtaining the attack packet included in the protocol packet set uploaded by the switch chip and the attribute information of the attack packet, the method further comprises:
sending a CAP rule corresponding to each preset type of protocol message to the switching chip so that the switching chip reports the preset type of protocol message according to the CAP rule corresponding to each preset type of protocol message and obtains the protocol message set;
the sending an interception instruction to the switch chip according to the protocol type of the attack packet and the source port number includes:
sending an interception instruction to the switching chip, wherein the interception instruction comprises a protocol type of an attack message and a source port number corresponding to a source port for receiving the attack message;
and the switch chip determines the CAP rule corresponding to the attack packet according to the interception instruction and modifies the identification bit of the source port number corresponding to the source port that received the attack packet in the CAP rule to invalid, wherein the processing action contained in the CAP rule is upload to CPU.
5. The method of claim 3, wherein sending an intercept instruction to the switch chip according to the protocol type of the attack packet and the source port number comprises:
judging whether a historical CAP rule aiming at the attack message exists according to the protocol type of the attack message;
if yes, sending an interception instruction to the switch chip, wherein the interception instruction comprises the protocol type of the attack packet and the source port number corresponding to the source port that received the attack packet, and the switch chip modifies the identification bit of that source port number in the historical CAP rule to valid according to the interception instruction;
otherwise, sending an interception instruction to the switch chip to enable the switch chip to establish an initial CAP rule according to the interception instruction, wherein the initial CAP rule comprises that an identification bit of a source port number corresponding to a source port receiving the attack message is valid, and identification bits of the rest source port numbers are invalid;
wherein the processing action contained in the historical CAP rule or the initial CAP rule is discarded.
6. The method of claim 4, wherein after sending an intercept instruction to the switch chip according to the protocol type of the attack packet and the source port number, the method further comprises:
and when the attack message is determined to be a normal message, sending a recovery instruction aiming at the CAP rule corresponding to the attack message to the switching chip, so that the switching chip modifies the identification bit of the source port number corresponding to the source port for receiving the attack message into valid according to the recovery instruction.
7. The method of claim 5, wherein after sending an intercept instruction to the switch chip according to the protocol type of the attack packet and the source port number, the method further comprises:
and when the attack message is determined to be a normal message, sending a recovery instruction aiming at the CAP rule corresponding to the attack message to the switching chip so that the switching chip modifies the identification bit of the source port number corresponding to the source port for receiving the attack message into invalid according to the recovery instruction.
8. The method according to claim 6 or 7, wherein the determining that the attack packet is a normal packet comprises:
and detecting the token bucket corresponding to the attack message, and determining that the number of tokens in the token bucket corresponding to the attack message is greater than a first preset threshold value, wherein the attack message is a normal message.
9. The method according to claim 1, wherein the obtaining attack packets included in the protocol packet set uploaded by the switch chip comprises:
establishing a token bucket for each type of protocol message in the protocol message set;
issuing tokens to each token bucket at regular time, wherein each time a protocol message is received, the tokens in the corresponding token bucket are consumed;
and determining the protocol message corresponding to the token bucket with the token quantity smaller than a second preset threshold value in preset time as the attack message, and acquiring the attack message, wherein the second preset threshold value is smaller than the first preset threshold value.
10. An apparatus for preventing a Central Processing Unit (CPU) of a switch from being attacked, comprising:
an attack message obtaining module, configured to obtain an attack message included in a protocol message set uploaded by a switch chip and attribute information of the attack message, where the attribute information at least includes a protocol type of the attack message and a source port number corresponding to a source port that receives the attack message;
and an attack packet intercepting module, configured to send an intercepting instruction to the switching chip according to the protocol type of the attack packet and the source port number, so that the switching chip, according to the intercepting instruction, intercepts attack packets of that protocol type received from that source port.
11. An apparatus, characterized in that the apparatus comprises:
one or more processors;
a memory for storing one or more programs;
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-9.
12. A computer storage medium on which a computer program is stored, which program, when executed by a processor, carries out the method of any one of claims 1-9.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010519339.8A CN111641659A (en) | 2020-06-09 | 2020-06-09 | Method, device, equipment and storage medium for preventing central processing unit of switch from being attacked |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010519339.8A CN111641659A (en) | 2020-06-09 | 2020-06-09 | Method, device, equipment and storage medium for preventing central processing unit of switch from being attacked |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111641659A true CN111641659A (en) | 2020-09-08 |
Family
ID=72331361
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010519339.8A Pending CN111641659A (en) | 2020-06-09 | 2020-06-09 | Method, device, equipment and storage medium for preventing central processing unit of switch from being attacked |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111641659A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112511527A (en) * | 2020-11-26 | 2021-03-16 | 杭州迪普科技股份有限公司 | Message transmission method and device |
CN114726602A (en) * | 2022-03-29 | 2022-07-08 | 中国工程物理研究院计算机应用研究所 | Self-adaptive threat blocking method for enterprise intranet under network zero change condition |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1687862A (en) * | 2005-06-16 | 2005-10-26 | 北京航空航天大学 | Smart card safety environment control method |
CN101980489A (en) * | 2010-10-28 | 2011-02-23 | 中兴通讯股份有限公司 | Protection method and system for preventing protocol message from attacking CPU |
CN102487339A (en) * | 2010-12-01 | 2012-06-06 | 中兴通讯股份有限公司 | Attack preventing method for network equipment and device |
CN103560973A (en) * | 2013-10-14 | 2014-02-05 | 深圳市同洲电子股份有限公司 | Method and device for filtering data packets |
CN106059885A (en) * | 2016-06-15 | 2016-10-26 | 京信通信系统(中国)有限公司 | Method and system for processing CAPWAP message by wireless controller |
CN108616488A (en) * | 2016-12-09 | 2018-10-02 | 腾讯科技(深圳)有限公司 | A kind of defence method and defensive equipment of attack |
CN109981478A (en) * | 2019-02-18 | 2019-07-05 | 新华三信息安全技术有限公司 | A kind of message processing method and device |
CN110381006A (en) * | 2018-04-12 | 2019-10-25 | 中兴通讯股份有限公司 | Message processing method, device, storage medium and processor |
Events
- 2020-06-09: CN application CN202010519339.8A filed (publication CN111641659A), status Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7725938B2 (en) | Inline intrusion detection | |
US7555774B2 (en) | Inline intrusion detection using a single physical port | |
US20080104702A1 (en) | Network-based internet worm detection apparatus and method using vulnerability analysis and attack modeling | |
US20120317566A1 (en) | Virtual machine packet processing | |
US10476629B2 (en) | Performing upper layer inspection of a flow based on a sampling rate | |
US20130269031A1 (en) | Network system, network relay method, and network relay device | |
CN111181850B (en) | Data packet flooding suppression method, device and equipment and computer storage medium | |
CN111641659A (en) | Method, device, equipment and storage medium for preventing central processing unit of switch from being attacked | |
KR101200906B1 (en) | High Performance System and Method for Blocking Harmful Sites Access on the basis of Network | |
CN111600852A (en) | Firewall design method based on programmable data plane | |
CN112929376A (en) | Flow data processing method and device, computer equipment and storage medium | |
CN110995586A (en) | BGP message processing method and device, electronic equipment and storage medium | |
CN113347186B (en) | Reflection attack detection method and device and electronic equipment | |
CN114244610B (en) | File transmission method and device, network security equipment and storage medium | |
CN113114588B (en) | Data processing method and device, electronic equipment and storage medium | |
CN113328976B (en) | Security threat event identification method, device and equipment | |
US11418537B2 (en) | Malware inspection apparatus and malware inspection method | |
US7646724B2 (en) | Dynamic blocking in a shared host-network interface | |
CN113572700A (en) | Flow detection method, system, device and computer readable storage medium | |
CN111490989A (en) | Network system, attack detection method and device and electronic equipment | |
CN115333853B (en) | Network intrusion detection method and device and electronic equipment | |
US20070297432A1 (en) | Host-Controlled Network Interface Filtering Based on Active Services, Active Connections and Active Protocols | |
US11805054B1 (en) | Method and electronic device for saving power applied to a router | |
JP7067796B2 (en) | Packet transfer device, packet transfer method, and packet transfer program | |
CN111400703B (en) | Honeypot system with signature function in industrial control field |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20200908 |