CN112165428B - Traffic cleaning method and device and first boundary routing equipment - Google Patents


Info

Publication number: CN112165428B
Authority: CN (China)
Prior art keywords: interface, routing device, traffic, bgp, cleaning
Legal status: Active
Application number: CN202011148214.5A
Other languages: Chinese (zh)
Other versions: CN112165428A
Inventors: 王阳, 廖以顺
Current assignee: New H3C Security Technologies Co Ltd
Original assignee: New H3C Security Technologies Co Ltd
Events: application filed by New H3C Security Technologies Co Ltd; priority to CN202011148214.5A; publication of CN112165428A; application granted; publication of CN112165428B; legal status active (current); anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00: Routing or path finding of packets in data switching networks
    • H04L45/02: Topology update or discovery
    • H04L45/04: Interdomain routing, e.g. hierarchical routing
    • H04L45/18: Loop-free operations
    • H04L45/38: Flow based routing
    • H04L45/74: Address processing for routing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention provides a traffic cleaning method and device and a first border routing device. The method comprises the following steps: establishing a tunnel with a first interface as the source node and a second interface as the tail node, wherein the first interface is an interface, learned through BGP (Border Gateway Protocol), that is used to send packets to a second border routing device; and forwarding the traffic received by interfaces on which no BGP neighbor is established to the cleaning server through the tunnel for traffic cleaning. Because a tunnel can be established between the first border routing device and the second border routing device, two different routes exist between them, namely the route learned through BGP and the established tunnel. Traffic received by the two classes of interface is transmitted over different routes, so that the border routing device transmits cleaned traffic and uncleaned traffic over different routes, and a loop is prevented from forming in the BGP network.

Description

Traffic cleaning method and device and first boundary routing equipment
Technical Field
The present invention relates to the field of information technologies, and in particular, to a method and an apparatus for traffic cleaning and a first border routing device.
Background
The Flow Specification (FlowSpec) technology may be used to filter and police illegal flows in a BGP (Border Gateway Protocol) network, so as to mitigate the influence of attacks such as DoS (Denial of Service) attacks and DDoS (Distributed Denial of Service) attacks on the BGP network.
Illustratively, as shown in fig. 1, a BGP network may include a flow specification controller (hereinafter referred to as a controller) 101 and a plurality of flow specification border routing devices (hereinafter referred to as border routing devices). For convenience of description, in fig. 1, four border routing devices are respectively denoted as a border routing device 1, a border routing device 2, a border routing device 3, and a border routing device 4, where the border routing device 3 is connected to the cleaning server 103, the border routing device 2 and the border routing device 4 are connected to a preset network, and the border routing device 4 is connected to the user terminal 104.
In the related art, in order for the cleaning server 103 to clean the traffic that a preset network sends to the user terminal 104, the controller 101 may issue a flow specification rule to each border routing device, where the rule may specify that the received traffic is traffic from an external network. Each border routing device enables the flow specification function on each of its interfaces, matches the traffic received on each interface against the rule, and forwards the traffic to the cleaning server if the traffic hits the rule.
However, the cleaned traffic sent back by the cleaning server 103 also hits the flow specification rule, so the border routing device sends the cleaned traffic to the cleaning server 103 again. The result is a traffic loop, and the user terminal 104 cannot correctly receive the cleaned traffic.
Disclosure of Invention
Embodiments of the present invention provide a traffic cleaning method and apparatus, and a first border routing device, so as to avoid forming a traffic loop in a BGP network during a traffic cleaning process.
In a first aspect of the embodiments of the present invention, a traffic cleaning method is provided, which is applied to a first border routing device in a border gateway protocol (BGP) network, where the BGP network further includes a second border routing device, a second interface of the second border routing device is connected to a cleaning server, and the second border routing device forwards traffic received by interfaces, other than the second interface, on which no BGP neighbor is established to the cleaning server, and the method includes:
establishing a tunnel with a first interface as the source node and the second interface as the tail node, wherein the first interface is an interface, learned through BGP, that is used to send packets to the second border routing device;
and forwarding the traffic received by the interface on which no BGP neighbor is established to the cleaning server through the tunnel for traffic cleaning.
In a possible embodiment, after the establishing of the tunnel with the first interface as the source node and the second interface as the tail node, the method further includes:
generating a first route whose destination address is the address of the cleaning server and whose outgoing interface is the tunnel, wherein the priority of the first route is higher than that of a second route, learned by the first border routing device through BGP, that is used to send traffic to the cleaning server;
and the forwarding of the traffic received by the interface on which no BGP neighbor is established to the cleaning server through the tunnel for traffic cleaning includes:
changing the destination address of the traffic received by the interface on which no BGP neighbor is established to the address of the cleaning server;
searching the routing table of the first border routing device and determining the outgoing interface for sending traffic to the address of the cleaning server;
and sending the traffic with the changed destination address to the cleaning server through the determined outgoing interface for traffic cleaning.
In one possible embodiment, the method further comprises:
forwarding the traffic received by an interface on which a BGP neighbor is established according to the destination address of the traffic.
In a second aspect of the embodiments of the present invention, a traffic cleaning method is provided, which is applied to a second border routing device in a border gateway protocol (BGP) network, where a second interface of the second border routing device is connected to a cleaning server, the BGP network further includes a first border routing device, and the method includes:
establishing a tunnel with a first interface as the source node and the second interface as the tail node, so that the first border routing device sends traffic received by an interface on which no BGP neighbor is established through the tunnel, wherein the first interface is an interface, learned by the first border routing device through BGP, that is used to send packets to the second border routing device;
and sending the traffic received by interfaces, other than the second interface, on which no BGP neighbor is established to the cleaning server through the tunnel for traffic cleaning.
In a possible embodiment, the method further comprises:
forwarding the traffic received by the second interface according to the destination address of the traffic.
In a third aspect of the embodiments of the present invention, a traffic cleaning apparatus is provided, which is applied to a first border routing device in a border gateway protocol (BGP) network, where the BGP network further includes a second border routing device, a second interface of the second border routing device is connected to a cleaning server, and the second border routing device forwards traffic received by interfaces, other than the second interface, on which no BGP neighbor is established to the cleaning server, and the apparatus includes:
a first tunnel establishing module, configured to establish a tunnel using a first interface as the source node and the second interface as the tail node, where the first interface is an interface, learned through BGP, that is used to send packets to the second border routing device;
and a first forwarding module, configured to forward the traffic received by the interface on which no BGP neighbor is established to the cleaning server through the tunnel for traffic cleaning.
In a possible embodiment, the first tunnel establishing module is further configured to, after the tunnel with the first interface as the source node and the second interface as the tail node is established, generate a first route whose destination address is the address of the cleaning server and whose outgoing interface is the tunnel, where the priority of the first route is higher than that of a second route, learned by the first border routing device through BGP, that is used to send traffic to the cleaning server;
and the first forwarding module sends the traffic received by the interface on which no BGP neighbor is established to the cleaning server through the tunnel for traffic cleaning by:
changing the destination address of the traffic received by the interface on which no BGP neighbor is established to the address of the cleaning server;
searching the routing table of the first border routing device and determining the outgoing interface for sending traffic to the address of the cleaning server;
and sending the traffic with the changed destination address to the cleaning server through the determined outgoing interface for traffic cleaning.
In a possible embodiment, the first forwarding module is further configured to forward traffic received by an interface on which a BGP neighbor is established according to the destination address of the traffic.
In a fourth aspect of the embodiments of the present invention, a traffic cleaning apparatus is provided, which is applied to a second border routing device in a border gateway protocol (BGP) network, where a second interface of the second border routing device is connected to a cleaning server, the BGP network further includes a first border routing device, and the apparatus includes:
a second tunnel establishing module, configured to establish a tunnel using a first interface as the source node and the second interface as the tail node, so that the first border routing device sends traffic received by an interface on which no BGP neighbor is established through the tunnel, where the first interface is an interface, learned by the first border routing device through BGP, that is used to send packets to the second border routing device;
and a second forwarding module, configured to send the traffic received by interfaces, other than the second interface, on which no BGP neighbor is established to the cleaning server through the tunnel for traffic cleaning.
In a possible embodiment, the second forwarding module is further configured to forward the traffic received by the second interface according to the destination address of the traffic.
In a fifth aspect of the embodiments of the present invention, a first border routing device is provided, which is applied to a border gateway protocol BGP network, and includes:
a first memory for storing a computer program;
a first processor, configured to implement the method steps of any one of the first aspect when executing a program stored in the first memory.
In a sixth aspect of the embodiments of the present invention, a second border routing device is provided, which is applied to a border gateway protocol BGP network, and is connected to a cleaning server, where the cleaning server is configured to clean traffic of a target network, and the second border routing device includes:
a second memory for storing a computer program;
a second processor, configured to implement the method steps of any one of the second aspect when executing the program stored in the second memory.
In a seventh aspect of embodiments of the present invention, a computer-readable storage medium is provided, in which a computer program is stored, and the computer program, when executed by a processor, implements the method steps of any one of the first or second aspects.
The embodiment of the invention has the following beneficial effects:
the traffic cleaning method, the traffic cleaning device, and the first border routing device provided in the embodiments of the present invention can establish a tunnel between the first border routing device and the second border routing device, so that two different routes, namely, a route learned through BGP and the established tunnel, are provided between the first border routing device and the second border routing device, and traffic received by interfaces of different types is transmitted through different routes, so that the border routing device can transmit cleaned traffic and uncleaned traffic through different routes, and a loop is prevented from being formed in a BGP network.
Of course, not all of the advantages described above need to be achieved at the same time in the practice of any one product or method of the invention.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other embodiments can be obtained by using the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a BGP network according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a traffic cleaning method applied to a first border routing device according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a BGP network with tunnels established according to an embodiment of the present invention;
fig. 4 is a schematic diagram illustrating a comparison between a flow path in a flow cleaning method according to an embodiment of the present invention and a flow path in the related art;
fig. 5 is a schematic flowchart of a traffic cleaning method applied to a second border routing device according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a flow cleaning apparatus applied to a first border routing device according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of a traffic cleaning apparatus applied to a second border routing device according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of a border routing device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 2, fig. 2 is a schematic flow chart of a flow cleaning method according to an embodiment of the present invention, which may include:
S201, a tunnel with a first interface as the source node and a second interface as the tail node is established, wherein the first interface is an interface, learned through BGP, that is used to send packets to a second border routing device.
S202, the flow received by the interface of the non-established BGP neighbor is forwarded to a cleaning server through a tunnel for cleaning the flow.
With this embodiment, a tunnel may be established between the first border routing device and the second border routing device, so that two different routes exist between them, namely the route learned through BGP and the established tunnel. Traffic received by the two classes of interface is transmitted over different routes, so the border routing devices transmit cleaned traffic and uncleaned traffic over different routes, and a loop is prevented from forming in the BGP network.
In S201, the second interface is an interface of the second border routing device, and the cleaning server is connected to it. Whenever the second border routing device receives traffic through an interface other than the second interface, it may determine whether the traffic hits a flow specification rule and, if so, send the traffic to the cleaning server for cleaning, where the flow specification rule may be: the interface receiving the traffic is one on which no BGP neighbor is established. The second border routing device may disable the flow specification function on the second interface, so that traffic received by the second interface is not matched against the flow specification rule and is instead forwarded directly according to its destination address.
The first border routing device may establish the tunnel based on the address of the first interface and the address of the second interface. The following describes how to obtain the address of the first interface and the address of the second interface:
For the address of the first interface, after receiving a control instruction issued by the controller, the first border routing device may search the routes learned through BGP to find the interface on the first border routing device that is used to send traffic to the address of the cleaning server; that interface is the first interface. For convenience of description, assume the BGP network shown in fig. 1, that the first border routing device is border routing device 2, and that the address of the interface through which the cleaning server accesses the BGP network is 20.1.1.2. In theory, border routing device 1 may search the routes learned through BGP for a route whose destination address is 20.1.1.2 and take the outgoing interface of that route as the first interface; once the first interface is determined, the first border routing device obtains its address.
The address of the second interface may be sent to the first border routing device by the second border routing device, either directly or indirectly.
For convenience of description, assuming that the address of the first interface is 10.1.1.1 and the address of the second interface is 20.1.1.1, a tunnel with the source node address of the tunnel being 10.1.1.1 and the tail node address of the tunnel being 20.1.1.1 may be established. The established tunnel is a logical tunnel. The first border routing device may send traffic to the second border routing device through the established tunnel.
In S202, each time traffic is received, the first border routing device may determine whether the received traffic hits the flow specification rule and, if it does, send the received traffic to the cleaning server through the tunnel for traffic cleaning.
The flow specification rule includes that the interface receiving the flow is an interface of an unestablished BGP neighbor. It can be understood that BGP neighbors are established between network devices in the BGP network, and BGP neighbors are not established between network devices in the BGP network and network devices in the non-BGP network. Therefore, if the interface receiving the traffic is an interface of an unestablished BGP neighbor, the traffic may be considered as external traffic. If the interface receiving the traffic is the interface establishing the BGP neighbor, the traffic may be considered as internal traffic of the BGP network.
As described above, if the received traffic hits the flow specification rule, it can be considered that the traffic is the traffic sent to the BGP network by the predetermined network and needs to be cleaned, so that the traffic can be sent to the cleaning server through the tunnel for cleaning.
For example, in one possible embodiment, after establishing the tunnel, the first border routing device may generate a route whose destination address is the address of the cleaning server, whose outgoing interface is the tunnel, and whose priority is a first priority, where the first priority is higher than a second priority, and the second priority is the priority of the route learned by the first border routing device through BGP for sending traffic to the cleaning server.
The first border routing device then holds two routes for sending traffic to the cleaning server. Taking the BGP network shown in fig. 1 as an example, and assuming that the address of the interface through which the cleaning server accesses the BGP network is 20.1.1.2, that the address of the interface on border routing device 3 facing border routing device 1 is 10.1.1.2, and that the tunnel established by the first border routing device is denoted tunnel 1, the first border routing device, that is, border routing device 1, holds the two routes shown in the following table:
| Destination address/mask | Routing protocol type | Priority        | Next hop address | Outgoing interface |
| 20.1.1.2/24              | Static                | First priority  | 0.0.0.0          | Tunnel 1           |
| 20.1.1.2/24              | BGP                   | Second priority | 10.1.1.2         | First interface    |
The first priority and the second priority may be set according to actual requirements; for example, if a higher priority value denotes a lower priority, the first priority may be set to 1 and the second priority to 255.
In this embodiment, if the received traffic hits the flow specification rule, the first border routing device may change the destination address of the traffic to the address of the cleaning server, search its routing table to determine the outgoing interface for sending traffic to the address of the cleaning server, and send the traffic to the cleaning server through that outgoing interface for cleaning. For example, the first border routing device may decapsulate the traffic in order to change its destination address. In the routing table of the first border routing device, among the routes whose destination address is the address of the cleaning server, the route whose outgoing interface is the established tunnel has the higher priority, so the first border routing device sends the traffic to the cleaning server through the established tunnel rather than through the first interface.
For traffic that misses the flow specification rule, the first border routing device may forward the received traffic according to the destination address.
To more clearly describe the traffic cleaning method provided in the embodiment of the present invention, in the following, description will be made with reference to each network device in the BGP network in a specific application scenario, and for convenience of description, the BGP network shown in fig. 1 is taken as an example below, and it is assumed that a traffic sent to the user terminal 104 by a preset network is sent to the BGP network through the border routing device 2, and the traffic needs to be cleaned by the cleaning server 103 and then sent to the user terminal 104.
In this application scenario, border routing device 1, border routing device 2, and border routing device 4 may all act as a first border routing device, and border routing device 3 is the second border routing device. For convenience of description, only the service logic of border routing device 2, border routing device 3, and the controller 101 is described below; since border routing device 1 and border routing device 4 are, like border routing device 2, first border routing devices, their service logic is the same as that of border routing device 2 and is not described again.
The controller 101 may issue a flow specification policy to each border routing device in the BGP network, where the flow specification policy is used to indicate that all traffic sent from the preset network to the user terminal 104 is sent to the cleaning server 103 for traffic cleaning, and exemplarily, the flow specification policy may include a flow specification rule, where the flow specification rule may include that an interface receiving the traffic is an interface where a BGP neighbor is not established, and the flow specification policy may control each border routing device to send the traffic to the cleaning server 103 after receiving the traffic hitting the flow specification rule.
Then, upon receiving the flow specification policy, border routing device 3 may determine the outgoing interface used to send traffic to the cleaning server 103, i.e., the second interface; assume that the address of the second interface is 20.1.1.1. Border routing device 3 may send the address of the second interface to border routing device 1, border routing device 2, and border routing device 4, and disables the flow specification function on the second interface.
After receiving the flow specification policy, border routing device 2 may determine the outgoing interface used to send traffic to the cleaning server 103, i.e., the first interface; assume that the address of the first interface is 10.1.1.1. After determining the first interface and receiving the address of the second interface sent by border routing device 3, border routing device 2 may establish a tunnel using the address of the first interface as the source node address and the address of the second interface as the tail node address, that is, a tunnel with source node address 10.1.1.1 and tail node address 20.1.1.1. For convenience of description, this tunnel is denoted tunnel 1; after the tunnel is established, the BGP network structure may be as shown in fig. 3.
Similarly, a tunnel may also be established between the border routing device 1 and the border routing device 3, a tunnel may also be established between the border routing device 4 and the border routing device 3, and a process of establishing a tunnel is the same as a process of establishing a tunnel between the border routing device 2 and the border routing device 3, and therefore, details are not described here again.
The path taken by traffic during the cleaning process is explained below.
For example, referring to fig. 3, assume that the uncleaned traffic sent by the preset network to the user terminal 104 enters the BGP network through border routing device 2. Since the interface on border routing device 2 that faces the preset network has no BGP neighbor established, the uncleaned traffic hits the flow specification rule, and border routing device 2 sends the uncleaned traffic to the cleaning server 103 through tunnel 1.
Since the tail node address of tunnel 1 is 20.1.1.1, which is the address of the second interface on border routing device 3, the uncleaned traffic that border routing device 2 sends through tunnel 1 is received by border routing device 3. Because tunnel 1 is not a route learned by border routing device 3 through BGP, tunnel 1 is an interface on which no BGP neighbor is established, so the flow specification rule is hit and border routing device 3 sends the uncleaned traffic to the cleaning server 103.
After cleaning the traffic, the cleaning server 103 sends the cleaned traffic to border routing device 3, which receives it through the second interface. Because border routing device 3 has disabled the flow specification function on the second interface, it forwards the cleaned traffic according to its destination address, and since that destination address is the address of the user terminal 104, border routing device 3 sends the cleaned traffic to border routing device 4.
The border routing device 4 receives the cleaned traffic through the interface connected to the border routing device 3, and a BGP neighbor relationship is established between the border routing device 4 and the border routing device 3, so that the interface in the border routing device 4 used for connecting to the border routing device 3 is the interface established with the BGP neighbor relationship, and the flow specification rule is not hit, so that the border routing device 4 forwards the cleaned traffic according to the destination address of the cleaned traffic, and because the destination address of the cleaned traffic is the address of the user terminal 104, the border routing device 4 can send the cleaned traffic to the user terminal 104 through the interface used for connecting to the user terminal 104, and a traffic loop is not formed in the process.
In the same way, it is known that, in the case where the unwashed traffic sent by the predetermined network to the user terminal 104 is sent to the BGP network through the border routing device 4 or the border routing device 1, a traffic loop is not formed. To more clearly show the difference between the flow cleaning method provided by the embodiment of the present application and the related art, reference may be made to fig. 4, where fig. 4 is a schematic diagram illustrating a comparison between flow paths in the flow cleaning method provided by the embodiment of the present invention and flow paths in the related art, where a thin solid line with an arrow represents a flow path in the related art, and a thick solid line with an arrow represents a flow path in the flow cleaning method provided by the embodiment of the present invention.
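The path traced above, run as a small forwarding simulation. This is an added example and not code from the patent or from New H3C: only the tail address 20.1.1.1 comes from the text, while the addresses of cleaning server 103 and user terminal 104, the interface names and the links between devices 2, 3 and 4 are assumptions, and device 1 is left out because its links are not described on this page. The `rule_on_cleaner_iface` switch models the flow specification rule being left enabled on the second interface, which the text says device 3 disables; with the rule left on, the hop budget exposes cleaned traffic bouncing between the second interface and the cleaning server.

```python
from dataclasses import dataclass, field

CLEANING_SERVER = "20.1.1.2"    # assumed address of cleaning server 103 (behind 20.1.1.1)
USER_TERMINAL = "30.1.1.10"     # assumed address of user terminal 104
MAX_HOPS = 16                   # hop budget; exhausting it means a forwarding loop


@dataclass
class Packet:
    dst: str                    # current destination address
    orig_dst: str               # destination before the redirect rewrite
    cleaned: bool = False
    looped: bool = False
    path: list = field(default_factory=list)


class BorderRouter:
    """Interfaces with a BGP neighbour forward by destination; every other
    interface hits the redirect rule, except the cleaning server interface
    ("second interface"), on which the rule is disabled."""

    def __init__(self, name, bgp_ifaces, routes, cleaner_iface=None,
                 rule_on_cleaner_iface=False):
        self.name = name
        self.bgp_ifaces = set(bgp_ifaces)
        self.routes = routes                    # destination -> (next node, its ingress interface)
        self.cleaner_iface = cleaner_iface
        self.rule_on_cleaner_iface = rule_on_cleaner_iface   # True models the misconfiguration

    def receive(self, pkt, in_iface):
        exempt = in_iface == self.cleaner_iface and not self.rule_on_cleaner_iface
        if in_iface not in self.bgp_ifaces and not exempt:
            # No BGP neighbour here (external link, or the tunnel interface at
            # the tail node): rewrite the destination to the cleaning server.
            pkt.dst = CLEANING_SERVER
        return self.routes[pkt.dst]


class Endpoint:
    """User terminal (sink) or cleaning server (reinjects cleaned traffic)."""

    def __init__(self, name, reinject_to=None):
        self.name = name
        self.reinject_to = reinject_to          # (router, interface) for the cleaning server

    def receive(self, pkt, in_iface):
        if self.reinject_to is None:
            return None                         # delivered to the user terminal
        pkt.cleaned = True
        pkt.dst = pkt.orig_dst                  # cleaned traffic carries the real destination again
        return self.reinject_to


def build_network(rule_on_cleaner_iface=False):
    # Tunnel 1 (device 2 -> 20.1.1.1) is modelled as a direct hand-off to the
    # tunnel interface of device 3. ge1 on device 2 is the first interface, the
    # BGP-learned interface towards device 3. The "ge*"/"eth0" names are assumptions.
    return {
        "device2": BorderRouter("device2", {"ge1"}, {
            CLEANING_SERVER: ("device3", "tunnel1"),  # first route: via tunnel 1
            USER_TERMINAL: ("device3", "ge1"),        # BGP-learned route
        }),
        "device3": BorderRouter("device3", {"ge1", "ge2"}, {
            CLEANING_SERVER: ("cleaner103", "eth0"),  # out of the second interface
            USER_TERMINAL: ("device4", "ge1"),        # BGP neighbour device 4
        }, cleaner_iface="second", rule_on_cleaner_iface=rule_on_cleaner_iface),
        "device4": BorderRouter("device4", {"ge1"}, {
            CLEANING_SERVER: ("device3", "ge2"),
            USER_TERMINAL: ("user104", "eth0"),
        }),
        "cleaner103": Endpoint("cleaner103", reinject_to=("device3", "second")),
        "user104": Endpoint("user104"),
    }


def trace(net, node, in_iface, pkt):
    """Walk the packet hop by hop until it is delivered or MAX_HOPS is spent."""
    hop = (node, in_iface)
    for _ in range(MAX_HOPS):
        node, in_iface = hop
        pkt.path.append(f"{node}:{in_iface}")
        hop = net[node].receive(pkt, in_iface)
        if hop is None:
            return pkt
    pkt.looped = True
    return pkt


def run(rule_on_cleaner_iface=False):
    """Uncleaned traffic for user terminal 104 enters device 2 on "ext", an
    interface without a BGP neighbour."""
    net = build_network(rule_on_cleaner_iface)
    return trace(net, "device2", "ext", Packet(dst=USER_TERMINAL, orig_dst=USER_TERMINAL))


if __name__ == "__main__":
    ok = run()
    print(" -> ".join(ok.path), "| cleaned:", ok.cleaned, "| looped:", ok.looped)
    bad = run(rule_on_cleaner_iface=True)
    print("rule left on second interface -> looped:", bad.looped)
```

Running the file prints the six-hop path device2:ext, device3:tunnel1, cleaner103, device3:second, device4:ge1, user104 for the correct configuration, and reports a loop for the misconfigured one. The hop budget is the same check a practitioner would do on real gear by watching TTL exhaustion or the cleaning server's ingress counters climbing without a matching egress.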
An embodiment of the present invention further provides a traffic cleaning method applied to a second border routing device in a Border Gateway Protocol (BGP) network, where a second interface of the second border routing device is connected to a cleaning server and the BGP network further includes a first border routing device. As shown in fig. 5, the method may include:
S501: establishing a tunnel with a first interface as the source node and the second interface as the tail node, so that the first border routing device sends traffic received through interfaces on which no BGP neighbor is established out through the tunnel, where the first interface is an interface learned by the first border routing device through BGP for sending packets to the second border routing device.
S502: sending traffic received through interfaces on which no BGP neighbor is established, other than the second interface (this includes the tunnel interface, since the tunnel is not a route learned through BGP), to the cleaning server for traffic cleaning.
With this embodiment, a tunnel is established between the first border routing device and the second border routing device, so that the two devices have two different routes between them: the route learned through BGP and the established tunnel. Traffic received through the two types of interface is carried over these different routes, so the border routing devices transmit cleaned traffic and uncleaned traffic over different paths and no loop is formed in the BGP network.
In one possible embodiment, the method further comprises:
forwarding traffic received through the second interface according to the destination address of the traffic.
Referring to fig. 6, fig. 6 is a schematic structural diagram of a traffic cleaning apparatus according to an embodiment of the present invention. The traffic cleaning apparatus may include:
a first tunnel establishing module 601, configured to establish a tunnel with a first interface as the source node and a second interface as the tail node, where the first interface is an interface learned through BGP for sending packets to a second border routing device; and
a first forwarding module 602, configured to forward traffic received through an interface on which no BGP neighbor is established to a cleaning server through the tunnel for traffic cleaning.
In a possible embodiment, the first tunnel establishing module 601 is further configured to, after establishing the tunnel with the first interface as the source node and the second interface as the tail node, generate a first route with the address of the cleaning server as the destination address and the tunnel as the egress interface, where the priority of the first route is higher than that of a second route learned by the first border routing device through BGP for sending traffic to the cleaning server;
and the first forwarding module 602 sends the traffic received through the interface on which no BGP neighbor is established to the cleaning server through the tunnel for traffic cleaning by:
changing the destination address of the traffic received through the interface on which no BGP neighbor is established to the address of the cleaning server;
searching the routing table of the first border routing device to determine the egress interface for sending traffic to the address of the cleaning server; and
sending the traffic whose destination address has been changed to the cleaning server through the determined egress interface for traffic cleaning.
In a possible embodiment, the first forwarding module 602 is further configured to forward traffic received through an interface on which a BGP neighbor is established according to the destination address of the traffic.
Referring to fig. 7, fig. 7 is a schematic structural diagram of a traffic cleaning apparatus according to an embodiment of the present invention. The apparatus is applied to a second border routing device in a Border Gateway Protocol (BGP) network, where the second border routing device is connected to a cleaning server that cleans the traffic of a target network. The traffic cleaning apparatus may include:
a second tunnel establishing module 701, configured to establish a tunnel with a first interface as the source node and a second interface as the tail node, so that a first border routing device sends traffic received through an interface on which no BGP neighbor is established out through the tunnel, where the first interface is an interface learned by the first border routing device through BGP for sending packets to the second border routing device; and
a second forwarding module 702, configured to send traffic received through interfaces on which no BGP neighbor is established, other than the second interface, to the cleaning server for traffic cleaning.
In a possible embodiment, the second forwarding module 702 is further configured to forward traffic received through the second interface according to the destination address of the traffic.
An embodiment of the present invention further provides a border routing device, as shown in fig. 8, including:
a memory 801 for storing a computer program; and
a processor 802 configured to execute the program stored in the memory 801. When the border routing device is a first border routing device, the following steps may be implemented:
establishing a tunnel with a first interface as the source node and a second interface as the tail node, where the first interface is an interface learned through BGP (Border Gateway Protocol) for sending packets to a second border routing device; and
forwarding traffic received through an interface on which no BGP neighbor is established to a cleaning server through the tunnel for traffic cleaning.
In a possible embodiment, after establishing the tunnel with the first interface as the source node and the second interface as the tail node, the method further includes:
generating a first route with the address of the cleaning server as the destination address and the tunnel as the egress interface, where the priority of the first route is higher than that of a second route learned by the first border routing device through BGP for sending traffic to the cleaning server;
and sending the traffic received through the interface on which no BGP neighbor is established to the cleaning server through the tunnel for traffic cleaning includes:
changing the destination address of the traffic received through the interface on which no BGP neighbor is established to the address of the cleaning server;
searching the routing table of the first border routing device to determine the egress interface for sending traffic to the address of the cleaning server; and
sending the traffic whose destination address has been changed to the cleaning server through the determined egress interface for traffic cleaning.
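Route selection on the first border routing device for the first route and second route just described (the same mechanism is given above for the first tunnel establishing module 601). This is an added example, not code from the patent or from New H3C. The text says only that the tunnel route has a higher priority than the BGP-learned route to the cleaning server; here priority is modelled as a numeric preference where the lower value wins, which is how most router platforms rank routes to the same prefix, and the prefixes, preference values and interface names are assumptions. The wrong case, a tunnel route installed with a worse preference than the BGP host route, is included because it silently sends the rewritten traffic out of the BGP interface instead of the tunnel.

```python
import ipaddress
from dataclasses import dataclass

CLEANING_SERVER = "20.1.1.2"   # assumed address of the cleaning server


@dataclass(frozen=True)
class Route:
    prefix: str        # destination prefix, e.g. "20.1.1.2/32"
    preference: int    # lower value wins among routes to the same prefix
    egress: str        # outgoing interface
    source: str        # "bgp" (second route) or "tunnel" (first route)


class Rib:
    """Minimal routing table: longest prefix match, ties broken by preference."""

    def __init__(self, routes=()):
        self.routes = list(routes)

    def add(self, route):
        self.routes.append(route)

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            net = ipaddress.ip_network(r.prefix)
            if addr not in net:
                continue
            key = (net.prefixlen, -r.preference)   # longer prefix first, then lower preference
            if best is None or key > best[0]:
                best = (key, r)
        return best[1] if best else None


def build_rib(tunnel_preference=None):
    """Assumed RIB of the first border routing device: BGP-learned routes via
    ge1 (the first interface, towards the second device), including a host
    route to the cleaning server; optionally a tunnel route with the given
    preference, to show what a wrong value does."""
    rib = Rib([
        Route("30.1.1.0/24", 255, "ge1", "bgp"),             # user networks reached via the second device
        Route(f"{CLEANING_SERVER}/32", 255, "ge1", "bgp"),   # second route: learned through BGP
    ])
    if tunnel_preference is not None:
        rib.add(Route(f"{CLEANING_SERVER}/32", tunnel_preference, "tunnel1", "tunnel"))
    return rib


def install_first_route(rib, tunnel_iface):
    """Generate the first route: the cleaning server via the tunnel, with a
    priority strictly higher than every BGP-learned route for that address."""
    cleaner = ipaddress.ip_address(CLEANING_SERVER)
    bgp = [r for r in rib.routes
           if r.source == "bgp" and cleaner in ipaddress.ip_network(r.prefix)]
    if not bgp:
        raise LookupError("no BGP route to the cleaning server to outrank")
    first = Route(f"{CLEANING_SERVER}/32", min(r.preference for r in bgp) - 1,
                  tunnel_iface, "tunnel")
    rib.add(first)
    return first


def redirect_egress(rib):
    """(source, interface) the traffic rewritten to the cleaning server leaves through."""
    r = rib.lookup(CLEANING_SERVER)
    return r.source, r.egress


def forward(rib, dst, bgp_neighbor_on_ingress):
    """Forwarding decision of the first border routing device for one packet:
    by destination on a BGP-neighbour interface, otherwise rewrite and route."""
    target = dst if bgp_neighbor_on_ingress else CLEANING_SERVER
    route = rib.lookup(target)
    return target, (route.egress if route else None)


if __name__ == "__main__":
    print("BGP route only       :", redirect_egress(build_rib()))
    print("tunnel pref too weak :", redirect_egress(build_rib(tunnel_preference=256)))
    rib = build_rib()
    print("installed first route:", install_first_route(rib, "tunnel1"))
    print("after install        :", redirect_egress(rib))
    print("external ingress     :", forward(rib, "30.1.1.10", bgp_neighbor_on_ingress=False))
    print("BGP ingress          :", forward(rib, "30.1.1.10", bgp_neighbor_on_ingress=True))
```

The check worth keeping from this is `redirect_egress`: after the first route is generated, the active route for the cleaning server address must exit the tunnel, not the BGP interface towards the second device. Both routes here are host routes on purpose; with a longer tunnel prefix the longest-match step would mask a wrong preference and the check would pass for the wrong reason.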
In one possible embodiment, the method further comprises:
forwarding traffic received through an interface on which a BGP neighbor is established according to the destination address of the traffic.
When the border routing device is a second border routing device, the following steps may be implemented:
establishing a tunnel with a first interface as the source node and a second interface as the tail node, so that a first border routing device sends traffic received through an interface on which no BGP neighbor is established out through the tunnel, where the first interface is an interface learned by the first border routing device through BGP for sending packets to the second border routing device; and
sending traffic received through interfaces on which no BGP neighbor is established, other than the second interface, to the cleaning server for traffic cleaning.
In one possible embodiment, the method further comprises:
forwarding traffic received through the second interface according to the destination address of the traffic.
The communication bus mentioned for the above border routing device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The memory may include Random Access Memory (RAM) or Non-Volatile Memory (NVM), such as at least one disk memory. Alternatively, the memory may be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; or a Digital Signal Processor (DSP), Application Specific Integrated Circuit (ASIC), Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In yet another embodiment of the present invention, a computer-readable storage medium is further provided, in which a computer program is stored; when executed by a processor, the computer program implements the steps of any of the above traffic cleaning methods.
In yet another embodiment provided by the present invention, a computer program product containing instructions is also provided which, when run on a computer, causes the computer to perform any of the traffic cleaning methods of the above embodiments.
In the above embodiments, the implementation may be realized in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions which, when loaded and executed on a computer, cause the processes or functions described in accordance with the embodiments of the invention to occur in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, they may be transmitted from one website, computer, server, or data center to another by wired (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) means. The computer-readable storage medium can be any available medium that a computer can access, or a data storage device such as a server or data center that incorporates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)).
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All embodiments in this specification are described in a related manner; the same or similar parts of the embodiments may be referred to each other, and each embodiment focuses on its differences from the others. In particular, the embodiments of the apparatus, the border routing device, the computer-readable storage medium, and the computer program product are substantially similar to the method embodiments, so their description is relatively brief and reference may be made to the description of the method embodiments where relevant.
The above description covers only preferred embodiments of the present invention and is not intended to limit its scope. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention falls within its protection scope.

Claims (13)

1. A traffic cleaning method, applied to a first border routing device in a Border Gateway Protocol (BGP) network, wherein the BGP network further comprises a second border routing device, a second interface of the second border routing device is connected to a cleaning server, the second border routing device forwards traffic received through interfaces on which no BGP neighbor is established, other than the second interface, to the cleaning server, the first border routing device forwards traffic received through an interface on which a BGP neighbor is established according to the destination address of the traffic, and the second border routing device forwards traffic received through the second interface according to the destination address of the traffic, the method comprising:
establishing a tunnel with a first interface as the source node and the second interface as the tail node, wherein the first interface is an interface learned through BGP for sending packets to the second border routing device; and
forwarding traffic received through an interface on which no BGP neighbor is established to the cleaning server through the tunnel for traffic cleaning.
2. The method of claim 1, wherein after establishing the tunnel with the first interface as the source node and the second interface as the tail node, the method further comprises:
generating a first route with the address of the cleaning server as the destination address and the tunnel as the egress interface, wherein the priority of the first route is higher than that of a second route learned by the first border routing device through BGP for sending traffic to the cleaning server;
and wherein sending the traffic received through the interface on which no BGP neighbor is established to the cleaning server through the tunnel for traffic cleaning comprises:
changing the destination address of the traffic received through the interface on which no BGP neighbor is established to the address of the cleaning server;
searching the routing table of the first border routing device to determine the egress interface for sending traffic to the address of the cleaning server; and
sending the traffic whose destination address has been changed to the cleaning server through the determined egress interface for traffic cleaning.
3. The method of claim 1, further comprising:
forwarding traffic received through an interface on which a BGP neighbor is established according to the destination address of the traffic.
4. A traffic cleaning method, applied to a second border routing device in a Border Gateway Protocol (BGP) network, wherein a second interface of the second border routing device is connected to a cleaning server, the BGP network further comprises a first border routing device, the first border routing device forwards traffic received through an interface on which a BGP neighbor is established according to the destination address of the traffic, and the second border routing device forwards traffic received through the second interface according to the destination address of the traffic, the method comprising:
establishing a tunnel with a first interface as the source node and the second interface as the tail node, so that the first border routing device sends traffic received through an interface on which no BGP neighbor is established out through the tunnel, wherein the first interface is an interface learned by the first border routing device through BGP for sending packets to the second border routing device; and
sending traffic received through interfaces on which no BGP neighbor is established, other than the second interface, to the cleaning server for traffic cleaning.
5. The method of claim 4, further comprising:
forwarding traffic received through the second interface according to the destination address of the traffic.
6. A traffic cleaning apparatus, applied to a first border routing device in a Border Gateway Protocol (BGP) network, wherein the BGP network further comprises a second border routing device, a second interface of the second border routing device is connected to a cleaning server, the second border routing device forwards traffic received through interfaces on which no BGP neighbor is established, other than the second interface, to the cleaning server, the first border routing device forwards traffic received through an interface on which a BGP neighbor is established according to the destination address of the traffic, and the second border routing device forwards traffic received through the second interface according to the destination address of the traffic, the apparatus comprising:
a first tunnel establishing module, configured to establish a tunnel with a first interface as the source node and the second interface as the tail node, wherein the first interface is an interface learned through BGP for sending packets to the second border routing device; and
a first forwarding module, configured to forward traffic received through an interface on which no BGP neighbor is established to the cleaning server through the tunnel for traffic cleaning.
7. The apparatus of claim 6, wherein the first tunnel establishing module is further configured to, after establishing the tunnel with the first interface as the source node and the second interface as the tail node, generate a first route with the address of the cleaning server as the destination address and the tunnel as the egress interface, wherein the priority of the first route is higher than that of a second route learned by the first border routing device through BGP for sending traffic to the cleaning server;
and wherein the first forwarding module sends the traffic received through the interface on which no BGP neighbor is established to the cleaning server through the tunnel for traffic cleaning by:
changing the destination address of the traffic received through the interface on which no BGP neighbor is established to the address of the cleaning server;
searching the routing table of the first border routing device to determine the egress interface for sending traffic to the address of the cleaning server; and
sending the traffic whose destination address has been changed to the cleaning server through the determined egress interface for traffic cleaning.
8. The apparatus of claim 6, wherein the first forwarding module is further configured to forward traffic received through an interface on which a BGP neighbor is established according to the destination address of the traffic.
9. A traffic cleaning apparatus, applied to a second border routing device in a Border Gateway Protocol (BGP) network, wherein a second interface of the second border routing device is connected to a cleaning server, the BGP network further comprises a first border routing device, the first border routing device forwards traffic received through an interface on which a BGP neighbor is established according to the destination address of the traffic, and the second border routing device forwards traffic received through the second interface according to the destination address of the traffic, the apparatus comprising:
a second tunnel establishing module, configured to establish a tunnel with a first interface as the source node and the second interface as the tail node, so that the first border routing device sends traffic received through an interface on which no BGP neighbor is established out through the tunnel, wherein the first interface is an interface learned by the first border routing device through BGP for sending packets to the second border routing device; and
a second forwarding module, configured to send traffic received through interfaces on which no BGP neighbor is established, other than the second interface, to the cleaning server for traffic cleaning.
10. The apparatus of claim 9, wherein the second forwarding module is further configured to forward traffic received through the second interface according to the destination address of the traffic.
11. A first border routing device for use in a Border Gateway Protocol (BGP) network, comprising:
a first memory for storing a computer program; and
a first processor configured to implement the method steps of any one of claims 1 to 3 when executing the program stored in the first memory.
12. A second border routing device for use in a BGP network, connected to a cleaning server configured to clean traffic of a target network, the second border routing device comprising:
a second memory for storing a computer program; and
a second processor configured to implement the method steps of claim 4 or 5 when executing the program stored in the second memory.
13. A computer-readable storage medium storing a computer program which, when executed by a processor, carries out the method steps of any one of claims 1 to 3 or claims 4 to 5.
CN202011148214.5A 2020-10-23 2020-10-23 Traffic cleaning method and device and first boundary routing equipment Active CN112165428B (en)

Publications (2)

Publication Number Publication Date
CN112165428A CN112165428A (en) 2021-01-01
CN112165428B true CN112165428B (en) 2022-07-22

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113904867B (en) * 2021-10-30 2023-07-07 杭州迪普科技股份有限公司 Flow processing method and system for VXLAN two-layer networking

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101431449A (en) * 2008-11-04 2009-05-13 中国科学院计算技术研究所 Network flux cleaning system
CN103401796A (en) * 2013-07-09 2013-11-20 北京百度网讯科技有限公司 Network traffic cleaning system and method
CN103491095A (en) * 2013-09-25 2014-01-01 中国联合网络通信集团有限公司 Flow cleaning framework and device and flow lead and reinjection method
CN106685823A (en) * 2016-12-16 2017-05-17 杭州迪普科技股份有限公司 Flow cleaning method and flow cleaning device
CN107241294A (en) * 2016-03-28 2017-10-10 阿里巴巴集团控股有限公司 The processing method and processing device of network traffics, cleaning equipment, the network equipment
CN109995714A (en) * 2017-12-29 2019-07-09 中移(杭州)信息技术有限公司 A kind of methods, devices and systems for disposing flow
CN110430076A (en) * 2019-07-31 2019-11-08 新华三技术有限公司合肥分公司 A kind of route management method and device
CN111355649A (en) * 2018-12-20 2020-06-30 阿里巴巴集团控股有限公司 Flow reinjection method, device and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9331941B2 (en) * 2013-08-12 2016-05-03 Cisco Technology, Inc. Traffic flow redirection between border routers using routing encapsulation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant