CN114268592A - Message processing method, system and equipment - Google Patents


Info

Publication number
CN114268592A
Authority
CN
China
Prior art keywords
message
packet
port
attack
communication device
Legal status
Pending
Application number
CN202010966693.5A
Other languages
Chinese (zh)
Inventor
曹晶
张耀坤
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN202010966693.5A
Priority to PCT/CN2021/116602 (WO2022057647A1)
Publication of CN114268592A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/22 Traffic shaping
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2425 Traffic characterised by specific attributes, e.g. priority or QoS, for supporting services specification, e.g. SLA
    • H04L47/32 Flow control; Congestion control by discarding or delaying data units, e.g. packets or frames
    • H04L47/36 Flow control; Congestion control by determining packet size, e.g. maximum transfer unit [MTU]
    • H04L63/00 Network architectures or network communication protocols for network security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of this application disclose a packet processing method, system and device. When a first communication device determines that the bandwidth of a first port occupied by the highest-forwarding-priority packets transmitted through that port meets a first condition, it acquires the feature information of a first attack packet included among those highest-priority packets and sends that feature information to a control management entity. The control management entity can then generate a packet processing policy from the received feature information of the attack packet, and the communication device can apply that policy to drop and/or rate-limit the packets matching the attack packet's feature information. Congestion of the network device caused by an attack based on high-priority packets is thereby avoided, normal packets with the highest forwarding priority are forwarded effectively, and the communication device can continue to provide normal service.

Description

Message processing method, system and equipment
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method, a system, and a device for processing a packet.
Background
A network device normally forwards the packets awaiting forwarding in the order given by their forwarding priority: packets with a higher forwarding priority are forwarded first. Protocol packets, the network device's own detection (probe) packets and other important data packets must be forwarded normally for the network device to operate normally, so they are generally assigned the highest forwarding priority to ensure that they are processed effectively and the device keeps running.
However, if the network device receives attack packets carrying the highest forwarding priority, those attack packets are also processed first. Because the total bandwidth of a network device is limited, a sudden surge of attack packets can push the total bandwidth of highest-priority packets above the total bandwidth of the network device, and the device then drops packets at the highest forwarding priority. Protocol packets, the device's detection packets or important data packets are then likely to be lost, and the network device can no longer provide normal service.
At present, a security policy template is manually configured on the network device. The network device uses the template to identify secure packets among the received packets, forwards the secure packets normally and discards the packets it cannot identify, thereby defending against attack packets and improving network security. However, because the security policy template is fixed, this scheme cannot effectively defend against attack packets whose characteristics change.
It is therefore desirable to provide a packet processing method that lets a network device effectively identify and handle attack packets and ensures that secure packets with the highest forwarding priority are forwarded effectively.
Disclosure of Invention
Accordingly, embodiments of this application provide a packet processing method, system and device, so that the network device can identify and handle an attack packet with the highest forwarding priority before that attack packet causes congestion of the network device, ensuring that secure packets with the highest forwarding priority are forwarded effectively and that the network device can provide normal service.
In a first aspect, an embodiment of this application provides a packet processing method, which may include: when the first communication device determines that the bandwidth of the first port occupied by the highest-forwarding-priority packets transmitted through the first port meets a first condition, it acquires the feature information of a first attack packet included among those highest-priority packets and sends that feature information to a control management entity. The first condition is a condition that the first communication device configures for the first port and uses to decide whether to start processing attack packets on that port. The control management entity can then generate a packet processing policy from the feature information of the first attack packet, and the first communication device can apply that policy to the packets matching the feature information of the first attack packet (dropping and/or rate-limiting them, for example). Congestion of the network device caused by an attack based on high-priority packets is thereby avoided, normal packets with the highest forwarding priority are forwarded effectively, and the first communication device can provide normal service.
In some possible implementations, after the first communication device sends the feature information of the first attack packet to the control management entity, the control management entity may generate a packet processing policy from that feature information, and the first communication device obtains the policy; the policy is used to process packets matching the feature information of the first attack packet. If the control management entity is a functional module inside the first communication device, the first communication device can obtain the policy through internal data transfer. If the control management entity and the first communication device are two different devices, the first communication device may obtain the policy through a message, which may be any one of a Border Gateway Protocol (BGP) message, a Path Computation Element Communication Protocol (PCEP) message, a Telemetry message, or a Network Configuration Protocol (NETCONF) message. For example, the packet processing policy may be carried in a Type Length Value (TLV) field extended in the indication message, where the TLV field carries the feature information of the first attack packet. Obtaining the policy generated by the control management entity is the precondition for subsequently processing the packets matching the feature information of the first attack packet, which is what makes effective forwarding of normal highest-priority packets on the network device possible. Note that the description below takes as its example the case in which the control management entity and the first communication device are two independent network devices.
In other possible implementations, after receiving the packet processing policy, the first communication device may process a first packet based on the policy, where the first packet is a packet whose feature information matches that of the first attack packet. By configuring the conditions and the operations they trigger, attack packets that imitate the highest forwarding priority can be suppressed effectively before they cause severe network congestion. This prevents a large number of spoofed highest-priority attack packets from occupying the bandwidth of normal packets on the network device, which would otherwise lead to normal highest-priority packets being discarded and to disruption of the network; as the attack packets are suppressed, the forwarding delay of normal highest-priority packets is also reduced and forwarding performance improves.
As an example, the first communication device processing the first packet based on the packet processing policy may include dropping the first packet based on the policy. As another example, it may include rate-limiting the first packet based on the policy. Suppressing the first packet that matches the feature information of the first attack packet, by dropping or rate-limiting it, effectively prevents attack packets from seizing most of the bandwidth of normal highest-priority packets and reduces the forwarding delay of those normal packets.
In addition to the feature information of the first attack packet, the first communication device may send the control management entity indication information that instructs it to generate a packet processing policy. In one case, the first communication device carries the indication information and the feature information of the first attack packet in different indication messages, each sent to the control management entity. In another case, it carries both in the same indication message. The indication message may be any one of a BGP message, a PCEP message, a Telemetry message or a NETCONF message. For example, the indication information and the feature information of the first attack packet may be carried in a TLV field extended in any of these message types; for another example, they may be carried in another available field of such a message, such as a Reserved field.
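The text does not specify the layout of the extended TLV field. As an added example (not the patent's encoding and not any real BGP, PCEP, Telemetry or NETCONF extension), the following Python defines an assumed TLV layout that carries an IPv4 five-tuple and the indication code as sub-TLVs, together with a decoder that rejects truncated or wrongly sized fields. The TLV type numbers, the indication code and the sample five-tuple are constructed.

```python
import ipaddress
import struct

# Assumed layout (not from the patent): every TLV is a 2-byte type, a 2-byte length and the value.
# The outer "attack feature" TLV carries one sub-TLV per five-tuple field plus an indication sub-TLV.
TLV_ATTACK_FEATURES = 0xFF01   # assumed extended TLV type inside the indication message
SUB_SRC_IP, SUB_DST_IP, SUB_SRC_PORT, SUB_DST_PORT, SUB_PROTO, SUB_INDICATION = 1, 2, 3, 4, 5, 6
INDICATION_GENERATE_POLICY = 1  # assumed code meaning "generate a packet processing policy"
# Expected value length of each known sub-TLV; anything else is rejected as malformed.
_FIXED_LEN = {SUB_SRC_IP: 4, SUB_DST_IP: 4, SUB_SRC_PORT: 2, SUB_DST_PORT: 2, SUB_PROTO: 1, SUB_INDICATION: 1}
_FIELD = {SUB_SRC_IP: "src_ip", SUB_DST_IP: "dst_ip", SUB_SRC_PORT: "src_port", SUB_DST_PORT: "dst_port"}


def _tlv(tlv_type, value):
    return struct.pack("!HH", tlv_type, len(value)) + value


def encode_features(features, indication=INDICATION_GENERATE_POLICY):
    """Encode any subset of an IPv4 five-tuple plus the indication into one extended TLV."""
    body = b""
    if "src_ip" in features:
        body += _tlv(SUB_SRC_IP, ipaddress.IPv4Address(features["src_ip"]).packed)
    if "dst_ip" in features:
        body += _tlv(SUB_DST_IP, ipaddress.IPv4Address(features["dst_ip"]).packed)
    if "src_port" in features:
        body += _tlv(SUB_SRC_PORT, struct.pack("!H", features["src_port"]))
    if "dst_port" in features:
        body += _tlv(SUB_DST_PORT, struct.pack("!H", features["dst_port"]))
    if "proto" in features:
        body += _tlv(SUB_PROTO, struct.pack("!B", features["proto"]))
    body += _tlv(SUB_INDICATION, struct.pack("!B", indication))
    return _tlv(TLV_ATTACK_FEATURES, body)


def _iter_tlvs(buf):
    """Walk a TLV sequence, refusing headers or values that run past the end of the buffer."""
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("TLV length exceeds message")
        yield tlv_type, buf[off:off + length]
        off += length


def decode_features(msg):
    """Return (features, indication) from the first attack-feature TLV in msg."""
    for tlv_type, body in _iter_tlvs(msg):
        if tlv_type != TLV_ATTACK_FEATURES:
            continue  # TLVs belonging to the carrier protocol are left to it
        features, indication = {}, None
        for sub, value in _iter_tlvs(body):
            if sub not in _FIXED_LEN:
                continue  # unknown sub-TLV: skipped for forward compatibility
            if len(value) != _FIXED_LEN[sub]:
                raise ValueError(f"sub-TLV {sub} has length {len(value)}")
            if sub in (SUB_SRC_IP, SUB_DST_IP):
                features[_FIELD[sub]] = str(ipaddress.IPv4Address(value))
            elif sub in (SUB_SRC_PORT, SUB_DST_PORT):
                features[_FIELD[sub]] = struct.unpack("!H", value)[0]
            elif sub == SUB_PROTO:
                features["proto"] = value[0]
            else:
                indication = value[0]
        return features, indication
    raise ValueError("no attack-feature TLV present")
```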
The first condition may be that the ratio of the bandwidth of the first port occupied by the highest-forwarding-priority packets transmitted through the first port is greater than or equal to a first threshold. For example, if the first threshold is 70%, the bandwidth of the first port is 20 gigabits per second (Gb/s), and the first communication device measures the highest-priority packets transmitted through the first port at 15 Gb/s, then the ratio of the first port's bandwidth occupied by highest-priority packets is 15 ÷ 20 = 75%, which is greater than the first threshold of 70%, so the first communication device determines that the bandwidth of the first port occupied by the highest-priority packets meets the first condition. Alternatively, the first condition may be that the highest-forwarding-priority packets transmitted through the first port are greater than or equal to a second threshold. For example, if the second threshold is 15 Gb/s, the bandwidth of the first port is 20 Gb/s, and the first communication device measures the highest-priority packets transmitted through the first port at 15 Gb/s, then the highest-priority traffic on the first port equals the second threshold of 15 Gb/s, so the first communication device determines that the first condition is met.
In some possible implementations, the first communication device may poll the bandwidth occupancy of each port. Taking the first port as an example, the first communication device may poll the bandwidth occupancy of the first port using a timer in its Traffic Management (TM) module: the TM module sets the timer period to 1 second and, each time the timer expires, reads the amount of traffic transmitted through the first port. In a specific implementation, the first communication device polls the first port, obtains the size of all packets transmitted through it, and then checks whether the bandwidth of the first port occupied by all those packets meets a second condition. If not, it continues polling; if so, it further obtains the size of the highest-forwarding-priority packets transmitted through the first port and checks whether the bandwidth of the first port they occupy meets the first condition, again continuing to poll if it does not. The second condition may be that the ratio of the bandwidth of the first port occupied by all packets transmitted through the first port is greater than or equal to a third threshold, or the second condition may be that the ratio of the bandwidth of the first port occupied by all packets transmitted through the first port is greater than or equal to a fourth threshold.
When the first communication device determines by polling that all packets transmitted through the first port meet the second condition, the port is carrying a large amount of traffic and is at risk of congestion, so the bandwidth occupied by the highest forwarding priority, which matters most, needs close attention. If at that point the bandwidth of the first port occupied by the highest-priority packets is found to meet the first condition, the highest-priority packets transmitted through the first port can be assumed to include attack packets. The polling mechanism and the two decision conditions thus provide the precondition and the guarantee that normal highest-priority packets transmitted through the first port of the first communication device can be forwarded normally.
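As an added illustration (not code from the patent or from Huawei), the following Python simulates the polling procedure and the two conditions described above on constructed per-flow counters for one 1 s interval of a 20 Gb/s port, then extracts the five-tuple of the dominant highest-priority flow and applies a drop or rate-limit policy of the kind the control management entity would return. The flow-record data model, the priority value, the thresholds, the policy format and the choice of the largest highest-priority flow as the attack flow are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, replace
from typing import Optional

HIGHEST_PRIORITY = 7  # assumption: the priority value reserved for protocol/probe traffic


@dataclass(frozen=True)
class FlowRecord:
    """Per-flow byte counter read from the TM module for one polling interval (assumed data model)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    priority: int
    byte_count: int

    def features(self):
        # The five-tuple is the "feature information" reported for an IP attack packet.
        return {"src_ip": self.src_ip, "dst_ip": self.dst_ip,
                "src_port": self.src_port, "dst_port": self.dst_port, "proto": self.proto}


@dataclass
class PortConfig:
    bandwidth_bps: float                           # port bandwidth; 20 Gb/s in the text's example
    all_ratio_threshold: float                     # "third threshold" used by the second condition
    top_ratio_threshold: float                     # "first threshold": ratio form of the first condition
    top_abs_threshold_bps: Optional[float] = None  # "second threshold": absolute form, if configured
    interval_s: float = 1.0                        # TM timer period; 1 second in the text


def rate_bps(flows, cfg):
    """Bandwidth in bits per second consumed by the given flow records over the interval."""
    return sum(f.byte_count for f in flows) * 8 / cfg.interval_s


def second_condition_met(flows, cfg):
    """Second condition: all traffic on the port occupies at least the third threshold of its bandwidth."""
    return rate_bps(flows, cfg) / cfg.bandwidth_bps >= cfg.all_ratio_threshold


def first_condition_met(flows, cfg):
    """First condition: highest-priority traffic >= first threshold (ratio) or >= second threshold (absolute)."""
    top_rate = rate_bps([f for f in flows if f.priority == HIGHEST_PRIORITY], cfg)
    if top_rate / cfg.bandwidth_bps >= cfg.top_ratio_threshold:
        return True
    return cfg.top_abs_threshold_bps is not None and top_rate >= cfg.top_abs_threshold_bps


def attack_flow_features(flows):
    """Assumption: the highest-priority flow carrying the most bytes is reported as the attack flow."""
    by_flow = Counter()
    for f in flows:
        if f.priority == HIGHEST_PRIORITY:
            by_flow[tuple(f.features().items())] += f.byte_count
    if not by_flow:
        return None
    return dict(by_flow.most_common(1)[0][0])


def poll_port(flows, cfg):
    """One polling cycle: feature info to send to the control management entity, or None to keep polling."""
    if not second_condition_met(flows, cfg):
        return None  # port not busy: the priority breakdown is not examined
    if not first_condition_met(flows, cfg):
        return None  # busy, but the highest-priority share is within limits
    return attack_flow_features(flows)


def make_policy(features, action="drop", rate_limit_bps=None):
    """Packet processing policy as the control management entity would return it (constructed format)."""
    return {"match": features, "action": action, "rate_limit_bps": rate_limit_bps}


def apply_policy(policy, flows, cfg):
    """Drop or rate-limit the flows matching the policy; returns the flow records that are forwarded."""
    budget_bytes = policy["rate_limit_bps"] * cfg.interval_s / 8 if policy["action"] == "rate_limit" else 0
    forwarded = []
    for f in flows:
        if f.features() != policy["match"]:
            forwarded.append(f)  # normal highest-priority and other traffic is untouched
        elif policy["action"] == "rate_limit" and budget_bytes > 0:
            allowed = min(f.byte_count, int(budget_bytes))
            budget_bytes -= allowed
            forwarded.append(replace(f, byte_count=allowed))
        # under a drop policy, or once the rate-limit budget is spent, matching traffic is discarded
    return forwarded


def sample_interval():
    """Constructed TM counters for one 1 s interval on a 20 Gb/s port (not real measurements)."""
    gb = 10**9 // 8  # bytes carried in one second at 1 Gb/s
    return [
        # flood that spoofs the highest forwarding priority: 14 Gb/s (documentation-range addresses)
        FlowRecord("203.0.113.5", "192.0.2.1", 40000, 179, 6, HIGHEST_PRIORITY, 14 * gb),
        # legitimate BGP session at the same priority: 1 Gb/s
        FlowRecord("198.51.100.9", "192.0.2.1", 52000, 179, 6, HIGHEST_PRIORITY, 1 * gb),
        # ordinary best-effort data: 5 Gb/s
        FlowRecord("198.51.100.20", "192.0.2.40", 33000, 443, 6, 0, 5 * gb),
    ]
```

With the text's numbers (first threshold 70%, 20 Gb/s port, 15 Gb/s at the highest priority) `poll_port(sample_interval(), PortConfig(20e9, 0.9, 0.7, 15e9))` reports the 14 Gb/s flow, and a 1 Gb/s rate-limit policy on it leaves 7 Gb/s forwarded.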
In further possible implementations, a third condition corresponding to the first condition of the first port is also set for a second port of the first communication device. Packet processing on the second port may, for example, include the following: when the first communication device determines that the bandwidth of the second port occupied by the highest-forwarding-priority packets transmitted through the second port meets the third condition, it acquires the feature information of a second attack packet included among those packets and sends it to the control management entity. The third condition may be that the ratio of the second port's bandwidth occupied by the highest-priority packets transmitted through it is greater than or equal to a fifth threshold, or that the highest-priority packets transmitted through the second port are greater than or equal to a sixth threshold. The spoofed highest-priority attack packets on the second port can likewise be handled by one or more of the implementations described above, and the corresponding description is not repeated.
The feature information of an attack packet is information that identifies the attack packet and the attack flow it belongs to. It may be all or part of the attack packet's five-tuple. For example, if the attack packet is an Internet Protocol (IP) packet, its feature information may include one or more of: the source IP address, destination IP address, source port number, destination port number, or transport layer protocol number. For another example, if the attack packet is a Multiprotocol Label Switching (MPLS) packet, its feature information may include one or more of: the MPLS label, the source Media Access Control (MAC) address, the destination MAC address, the source IP address and the destination IP address of the attack packet.
Depending on the network scenario in operation, the first communication device may apply the processing method provided in the embodiments of this application to the highest-forwarding-priority packets of that scenario transmitted through the first port. For example, the first communication device may operate in a network environment such as Internet Protocol version 4 (IPv4), Internet Protocol version 6 (IPv6), a Virtual Private Network (VPN), Multiprotocol Label Switching (MPLS) or a Virtual Extensible Local Area Network (VXLAN).
The first communication device may be any network device capable of forwarding packets, for example a switch or a router; alternatively, it may be a board, a chip or the like with a packet forwarding function inside a network device. The TM module may be a TM chip or a functional module in the first communication device that implements the TM function. A port of the first communication device may be a physical port or a logical port of the first communication device.
In a second aspect, an embodiment of this application further provides a packet processing method, which includes: when the first communication device determines that the bandwidth of the first port occupied by the highest-forwarding-priority packets transmitted through the first port meets a first condition, it analyzes those highest-priority packets and determines that the packets transmitted through the first port include an attack packet with the highest forwarding priority.
As an example, when the first communication device determines that the packets transmitted through the first port include an attack packet with the highest forwarding priority, it may further send an alarm signal to the network management system indicating that it is receiving attack packets, so that the network management system can defend the network and prevent the attack packets from causing greater harm. To let the network management system defend in a targeted way, the alarm signal may also carry the feature information of the attack.
As an example, after determining that the packets transmitted through the first port include an attack packet with the highest forwarding priority, the first communication device may further obtain the feature information of the attack packet, send it to the control management entity, and obtain the packet processing policy generated by the control management entity, which is used to process packets matching the feature information of the attack packet. The first communication device can then drop and/or rate-limit a first packet based on that policy, the first packet being a packet matching the feature information of the attack packet.
The first condition may include that a ratio of a bandwidth of the first port occupied by a packet with a highest forwarding priority transmitted through the first port is greater than or equal to a first threshold. Alternatively, the first condition may also include that the highest forwarding priority packet transmitted through the first port is greater than or equal to the second threshold.
It should be noted that, for the specific implementation manner and the achieved effect of the method provided by the second aspect, reference may be made to the related description of the first aspect, and details are not described herein again.
In a third aspect, an embodiment of this application further provides a packet processing method, which may include: when the first communication device determines that the bandwidth of the first port occupied by the highest-forwarding-priority packets transmitted through the first port meets a first condition, it acquires the feature information of an attack packet among those highest-priority packets and sends it to a control management entity; the control management entity may then generate a packet processing policy from the feature information of the attack packet, where the policy is used to process packets matching that feature information.
As an example, the method may further include: the first communication device obtains the packet processing policy generated by the control management device and processes a first packet based on it, where the first packet is a packet matching the feature information of the attack packet.
As yet another example, the method may further include: the control management device sends the packet processing policy to a second communication device, and the second communication device processes a second packet based on it, where the second packet is a packet matching the feature information of the attack packet.
The first condition may include that a ratio of a bandwidth of the first port occupied by a packet with a highest forwarding priority transmitted through the first port is greater than or equal to a first threshold. Alternatively, the first condition may also include that the highest forwarding priority packet transmitted through the first port is greater than or equal to the second threshold.
It should be noted that, for the specific implementation manner and the achieved effect of the method provided by the third aspect, reference may be made to the related description of the first aspect or the second aspect, and details are not described herein again.
In a fourth aspect, an embodiment of this application further provides a packet processing system, which may include at least a first communication device and a control management entity. The first communication device is configured to, when it determines that the bandwidth of a first port occupied by the highest-forwarding-priority packets transmitted through the first port meets a first condition, obtain the feature information of an attack packet among those highest-priority packets and send it to the control management entity. The control management entity is configured to generate a packet processing policy from the feature information of the attack packet, where the policy is used to process packets matching that feature information.
As an example, the control management device is further configured to send the packet processing policy to the first communication device, and the first communication device is further configured to process a first packet based on the policy, where the first packet is a packet matching the feature information of the attack packet.
As another example, the system may further include a second communication device, and the control management device is further configured to send the packet processing policy to the second communication device. The second communication device is then configured to process a second packet based on the policy, where the second packet is a packet matching the feature information of the attack packet.
The first condition may include that a ratio of a bandwidth of the first port occupied by a packet with a highest forwarding priority transmitted through the first port is greater than or equal to a first threshold. Alternatively, the first condition may also include that the highest forwarding priority packet transmitted through the first port is greater than or equal to the second threshold.
It should be noted that, for a specific implementation manner and an achieved effect of the system provided by the fourth aspect, reference may be made to the related description of the first aspect, the second aspect, or the third aspect, and details are not described herein again.
In a fifth aspect, the present application further provides a first communication device, which includes a transceiver unit and a processing unit. The receiving and sending unit is configured to perform a receiving and sending operation in the method provided by any one of the first aspect, any one of the possible implementation manners of the first aspect, the second aspect, or any one of the possible implementation manners of the second aspect, or is configured to perform a receiving and sending operation of a first communication device in the method provided by any one of the third aspect, or any one of the possible implementation manners of the third aspect; the processing unit is configured to perform other operations besides a transceiving operation in the method provided in any one of the first aspect, any one of the possible implementations of the first aspect, the second aspect, or any one of the possible implementations of the second aspect, or perform other operations besides a transceiving operation in the first communication device in the method provided in any one of the third aspect or any one of the possible implementations of the third aspect. For example: when the first communication device executes the method of the first aspect, the transceiver unit is configured to send feature information of a first attack packet to a control management entity; the processing unit is used for determining that the bandwidth of the first port occupied by the message with the highest forwarding priority transmitted through the first port meets a first condition; the processing unit is further configured to obtain feature information of a first attack packet included in the highest forwarding priority packet transmitted through the first port.
In a sixth aspect, an embodiment of the present application further provides a first communication device, which includes a first communication interface and a processor. The first communication interface is configured to perform a sending operation in the method provided by any one of the first aspect, any one of the possible implementation manners of the first aspect, the second aspect, or any one of the possible implementation manners of the second aspect, or is configured to perform a sending operation of a first communication device in the method provided by any one of the third aspect, or any one of the possible implementation manners of the third aspect; a processor, configured to perform other operations than the receiving and sending operations in the method provided in any of the first aspect, any of the possible implementations of the first aspect, the second aspect, or any of the possible implementations of the second aspect, or perform other operations than the receiving and sending operations of the first communication apparatus in the method provided in any of the third aspect or any of the possible implementations of the third aspect. In addition, the first communication device may further include a second communication interface for performing the receiving operation of the first communication device.
In a seventh aspect, an embodiment of the present application further provides a first communication device, where the first communication device includes a memory and a processor. Wherein the memory comprises computer readable instructions; the processor, in communication with the memory, is configured to execute the computer readable instructions, so that the first communication device is configured to perform the method provided in any one of the above first aspect, any one of the possible implementations of the first aspect, the second aspect, or any one of the possible implementations of the second aspect, or the method implemented by the first communication device in the method provided in any one of the above third aspect or any one of the possible implementations of the third aspect.
In an eighth aspect, an embodiment of the present application further provides a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the instructions are executed on a computer, the computer is configured to execute the method provided by any one of the above first aspect, any one of the possible implementations of the first aspect, the second aspect, or any one of the possible implementations of the second aspect, or the method implemented by the first communication apparatus in the method provided by any one of the above third aspect or any one of the possible implementations of the third aspect.
In a ninth aspect, an embodiment of the present application further provides a computer program product, which includes a computer program or computer readable instructions. When the computer program or the computer readable instructions run on a computer, the computer executes the method provided in any one of the above first aspect, any one of the possible implementations of the first aspect, the second aspect, or any one of the possible implementations of the second aspect, or the method implemented by the first communication apparatus in the method provided in any one of the above third aspect or any one of the possible implementations of the third aspect.
In a tenth aspect, an embodiment of the present application further provides a communication system, where the communication system includes the first communication apparatus provided in the fifth aspect, the sixth aspect, or the seventh aspect, and a corresponding control management entity in the method provided in the third aspect (or a control management entity in the system provided in the fourth aspect).
The communication device in the above embodiment may be a network device for executing the above method, or may refer to a board, a line card, a chip, or the like for executing the above method.
Drawings
To describe the technical solutions in the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present application, and a person skilled in the art can derive other drawings from them.
Fig. 1 is a schematic structural diagram of a network 10 to which an embodiment of the present application is applicable;
fig. 2 is a schematic flowchart illustrating a process of performing message processing in the network 10 according to an embodiment of the present application;
fig. 3 is a flowchart illustrating a method 100 for processing a packet in an embodiment of the present application;
fig. 4 is a flowchart illustrating another message processing method 200 according to an embodiment of the present application;
fig. 5 is a flowchart illustrating a further message processing method 300 according to an embodiment of the present application;
fig. 6 is a flowchart illustrating a further message processing method 400 according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a message processing system 700 according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a first communication device 800 according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of a first communication device 900 according to an embodiment of the present application;
fig. 10 is a schematic structural diagram of a first communication device 1000 according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings. The network architecture and the service scenario described in the embodiment of the present application are for more clearly illustrating the technical solution of the embodiment of the present application, and do not form a limitation on the technical solution provided in the embodiment of the present application, and as a person of ordinary skill in the art knows that along with the evolution of the network architecture and the appearance of a new service scenario, the technical solution provided in the embodiment of the present application is also applicable to similar technical problems.
In the present application, ordinal numbers such as "1", "2", "3", "first", "second", and "third" are used to distinguish a plurality of objects, and are not used to limit the sequence of the plurality of objects.
Reference to "A and/or B" in this application should be understood to include the following cases: only A, only B, or both A and B.
Once the source network device of a message has written a priority into the message, each network device along the path forwards the message according to that priority. More important messages carry a higher priority, and a network device forwards messages with a high priority in preference to messages with a lower priority. To keep the network providing normal service, the protocol messages and detection messages that affect the normal operation of a network device, together with the more important data messages, are usually assigned the highest priority so that they are processed reliably. Because the priority carried in the message indicates the priority with which a network device forwards the message, this application calls it the forwarding priority. The forwarding priority is the priority indicated by the priority field carried in the message: for example, when the message is an Internet Protocol (IP) message, its forwarding priority may be indicated by the value of the Type of Service (TOS) field in the IP header; when the message is a Multiprotocol Label Switching (MPLS) message, its forwarding priority may be indicated by the value of the Experimental bits (EXP) field in the MPLS label stack entry.
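Reading the forwarding priority out of a raw packet, as an added Python example that is not part of the patent: it takes a plain Ethernet frame (no 802.1Q tag is assumed), dispatches on the EtherType, and returns the IP precedence bits of the IPv4 TOS byte or the EXP field of the top MPLS label stack entry. Both fields are 3 bits wide, which is why they map onto the priority range 0 to 7 used later on this page; the use of the precedence bits as that range, the function names and the sample frames are assumptions, and the frames are constructed rather than captured.

```python
"""Extract the forwarding priority carried by a packet.

Added illustration for this page, not code from the patent. Assumes a plain
Ethernet frame (no 802.1Q tag) and reads the IP precedence bits of the IPv4
TOS byte or the EXP/TC bits of the top MPLS label stack entry; both are three
bits wide, so they cover the priority range 0..7 used on this page.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MPLS = 0x8847   # MPLS unicast
ETH_HDR_LEN = 14
HIGHEST_PRIORITY = 7


def ipv4_forwarding_priority(ip_hdr: bytes) -> int:
    """IP precedence: the top three bits of the TOS byte (RFC 791 layout)."""
    if len(ip_hdr) < 20 or ip_hdr[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    tos = ip_hdr[1]
    return tos >> 5            # 0..7


def ipv4_dscp(ip_hdr: bytes) -> int:
    """DSCP (RFC 2474) occupies the top six bits of the same byte."""
    return ip_hdr[1] >> 2      # 0..63


def mpls_forwarding_priority(label_stack: bytes) -> int:
    """EXP/TC field: bits 9..11 of the 32-bit top label stack entry (RFC 3032)."""
    if len(label_stack) < 4:
        raise ValueError("truncated MPLS label stack entry")
    entry, = struct.unpack("!I", label_stack[:4])
    return (entry >> 9) & 0x7  # 0..7


def forwarding_priority(frame: bytes) -> int:
    """Dispatch on the EtherType and return the forwarding priority 0..7."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("truncated Ethernet frame")
    ethertype, = struct.unpack("!H", frame[12:14])
    payload = frame[ETH_HDR_LEN:]
    if ethertype == ETHERTYPE_IPV4:
        return ipv4_forwarding_priority(payload)
    if ethertype == ETHERTYPE_MPLS:
        return mpls_forwarding_priority(payload)
    raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")


def is_highest_priority(frame: bytes) -> bool:
    return forwarding_priority(frame) == HIGHEST_PRIORITY


# Constructed sample frames (not captured traffic): dst MAC, src MAC, EtherType, header.
ETH = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")


def _ipv4_frame(tos: int) -> bytes:
    # Minimal 20-byte IPv4 header: version/IHL, TOS, total length, id, flags/frag,
    # TTL, protocol (6 = TCP), checksum left zero, source and destination address.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ETH + struct.pack("!H", ETHERTYPE_IPV4) + ip


def _mpls_frame(label: int, exp: int) -> bytes:
    entry = (label << 12) | (exp << 9) | (1 << 8) | 64   # S=1 (bottom of stack), TTL=64
    return ETH + struct.pack("!H", ETHERTYPE_MPLS) + struct.pack("!I", entry)


PROTOCOL_FRAME = _ipv4_frame(0xE0)   # precedence 7 (CS7), the kind of value a protocol packet carries
BULK_FRAME = _ipv4_frame(0x00)       # best effort
MPLS_FRAME = _mpls_frame(16, 7)      # label 16, EXP 7

if __name__ == "__main__":
    for name, f in [("protocol", PROTOCOL_FRAME), ("bulk", BULK_FRAME), ("mpls", MPLS_FRAME)]:
        print(name, forwarding_priority(f), is_highest_priority(f))
```

A real TM module does this classification in hardware per packet; the point of the example is which bits decide "highest forwarding priority", since an attacker only needs to set those bits to be queued ahead of everything else.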
If a network device receives attack packets that also carry the highest forwarding priority, those attack packets become objects that the network device processes preferentially, and they occupy its bandwidth. Because the total bandwidth of each network device is limited, the received attack packets quickly cause congestion on the network device: for example, the total bandwidth of the received packets waiting to be forwarded exceeds the total bandwidth of the network device, at which point even packets with the highest forwarding priority are dropped by the network device. The network device therefore loses protocol packets, detection packets or important data packets, and a large volume of attack packets affects its normal operation.
In the current security defense mechanism for this scenario, a security policy template is manually configured on the network device. The template identifies secure packets; the network device forwards normally the packets that the template identifies as secure, treats any packet the template cannot identify as an attack packet, and discards it. Because the security policy template is fixed, this mechanism has two weaknesses. On one hand, if an attack packet imitates the format of a secure packet that the template identifies, the attack cannot be defended against effectively. On the other hand, whenever a new service appears in the network, the security policy template must be modified so that it can identify the packets of the new service; otherwise all packets of the new service are discarded. The implementation process is therefore complex.
Based on this, an embodiment of the present application provides a packet processing method. When a communication device determines that the bandwidth of a port occupied by the packets with the highest forwarding priority transmitted through that port satisfies a condition, that is, while attack packets configured with the highest forwarding priority have not yet caused congestion of the network equipment, the communication device obtains feature information of the attack packets among the highest forwarding priority packets and sends that feature information to a control management entity. The control management entity can then generate a packet processing policy based on the received feature information of the attack packets and send the policy to the communication device, and the communication device processes (for example, drops and/or rate-limits) the packets that match the feature information of the attack packets according to the policy. With the security defense mechanism provided by this application, attack packets can be effectively identified and processed, and congestion of network equipment caused by attacks based on high-priority packets is effectively avoided, so that normal packets with the highest forwarding priority can be forwarded effectively and the communication device can continue to provide normal service.
For example, taking the network 10 shown in fig. 1 as an example, the network 10 includes a network device 110, network devices 120 and …, a network device 130, and a control management entity 200. Each network device includes a Traffic Management (TM) module, for example, network device 110 includes TM module 111, network device 120 includes TM module 121, and network device 130 includes TM module 131. The TM module is used to manage the traffic in the network device, for example, count the bandwidth of the packet of each forwarding priority corresponding to each port on the network device. Each network device at least has a message forwarding function; the control management entity 200 can perform data interaction with each network device, so as to manage and control the network device. It should be noted that the number of network devices included in the network 10 is not specifically limited in the embodiment of the present application, for example, the number of network devices may be more than 3, that is, other network devices may be included in addition to the network device 110, the network device 120, and the network device 130; alternatively, the number of network devices included in the network 10 may be less than 3.
As an example, suppose that the network device 120 includes port 1, the bandwidth of port 1 is c, the threshold Th1 for the share of the bandwidth of port 1 occupied by all packets transmitted through port 1 is 80%, and the threshold Th2 for the share of the bandwidth of port 1 occupied by the packets with the highest forwarding priority transmitted through port 1 is 70%. Referring to the flowchart shown in fig. 2, the processing of attack packets may include: S11, the TM module 121 of the network device 120 periodically obtains (for example, once every 1 second) the bandwidth a of the packets transmitted through port 1; S12, the TM module 121 judges whether a ÷ c ≥ Th1 holds, and if so executes S13, otherwise returns to S11; S13, the TM module 121 obtains the bandwidth b of the packets with the highest forwarding priority transmitted through port 1; S14, the TM module 121 judges whether b ÷ c ≥ Th2 holds, and if so executes S15, otherwise returns to S11; S15, the TM module 121 obtains the five-tuple of the attack packets among the packets with the highest forwarding priority transmitted through port 1, that is, the source Internet Protocol (IP) address, the destination IP address, the source port number, the destination port number and the transport layer protocol number of the attack packets; S16, the network device 120 sends the five-tuple of the attack packets to the control management entity 200; S17, the control management entity 200 generates a packet processing policy based on the five-tuple of the attack packets; S18, the control management entity 200 sends the packet processing policy to the network device 120; S19, based on the packet processing policy, the network device 120 drops or rate-limits the packets received through port 1 that match the five-tuple of the attack packets.
With these thresholds and this processing flow, attack packets that imitate the highest forwarding priority can be suppressed effectively before they cause serious network congestion. This prevents a large number of attack packets with the highest forwarding priority from occupying the bandwidth that normal packets need on the network device, so normal packets with the highest forwarding priority are not discarded and the normal operation of the network is not affected; and as the attack packets are suppressed, the forwarding delay of the normal packets with the highest forwarding priority decreases and forwarding performance improves.
It is to be understood that the above scenario is only one example of a scenario provided in the embodiment of the present application, and the embodiment of the present application is not limited to this scenario.
It should be noted that the communication device in the embodiment of the present application may refer to any network device capable of implementing a message forwarding function, for example, the communication device may be a switch, a router, or the like; alternatively, the communication device may be a board or a chip having a message forwarding function in the network device. The control management entity may be any device or functional entity capable of controlling the communication device, for example, the control management entity may be a Network Cloud Engine (NCE) with a control function, a server or a router, etc.; alternatively, the control management entity may be a functional entity integrated in any communication device, and the functional entity may be embodied in a hardware form or a software form. The TM module in the communication device may refer to a TM chip in the communication device or a functional module capable of implementing a TM function.
It should be noted that, in the embodiment of the present application, the port of the communication apparatus may be a physical port of the communication apparatus or a logical port of the communication apparatus.
A specific implementation manner of a message processing method in the embodiment of the present application is described in detail below with reference to the accompanying drawings.
In the method 100 for processing a packet provided in this embodiment of the present application, the method 100 is implemented by a first communication apparatus, and the first communication apparatus may be any network device having a packet forwarding function in a network or a board, a chip, and the like in the network device, for example, in a scenario shown in fig. 1, a network device 110, a network device 120, and a network device 130 may all be implemented as the first communication apparatus to implement the method 100. Fig. 3 is a flowchart illustrating a method 100 for processing a packet in an embodiment of the present application. Referring to fig. 3, the method 100 may include, for example:
s101, determining that the bandwidth of the first port occupied by the message with the highest forwarding priority transmitted through the first port meets a first condition.
The forwarding priority carried in a packet indicates how preferentially the communication device forwards the packet: the higher the forwarding priority, the more important the packet is and the more preferentially the communication device needs to forward it. For example, the forwarding priority of a packet may range from priority 0 to priority 7, and a packet with priority 7 is a packet with the highest forwarding priority. It should be noted that the set of forwarding priorities, including the highest forwarding priority, may be extended in later versions, and the highest forwarding priority referred to in this embodiment may be the highest packet priority in any subsequent scenario.
The forwarding priority of the message can be carried by the priority field of the message, and the first communication device can determine the forwarding priority of the message by analyzing the priority field of the received message.
The first condition is a condition defined by the first communication device for the first port, and used for determining whether to implement processing of the attack packet on the first port. In addition, the first communication device may set a corresponding condition for each port, for example, the first communication device may set a corresponding third condition for the second port, and the third condition may be the same as or different from the first condition.
As an example, the first condition may be that the share of the bandwidth of the first port occupied by the highest forwarding priority packets transmitted through the first port is greater than or equal to a first threshold. The first threshold is a trigger condition set in advance on the first communication device for the first port for executing the following S102 and S103. For example, if the first threshold is 70%, the bandwidth of the first port is 20 gigabits per second (Gb/s), and the first communication device measures the highest forwarding priority packets transmitted through the first port at 15 Gb/s, then the first communication device determines that the share of the bandwidth of the first port occupied by the highest forwarding priority packets is 15 ÷ 20 = 75%, which is greater than the first threshold of 70%, and so determines that the bandwidth of the first port occupied by the highest forwarding priority packets transmitted through the first port satisfies the first condition. Correspondingly, the third condition may be that the share of the bandwidth of the second port occupied by the highest forwarding priority packets transmitted through the second port is greater than or equal to a fifth threshold, where the fifth threshold may or may not be equal to the first threshold.
As another example, the first condition may be that the bandwidth of the highest forwarding priority packets transmitted through the first port is greater than or equal to a second threshold. The second threshold is a trigger condition set in advance on the first communication device for the first port for executing the following S102 and S103. For example, if the second threshold is 15 Gb/s, the bandwidth of the first port is 20 Gb/s, and the first communication device measures the highest forwarding priority packets transmitted through the first port at 15 Gb/s, then the first communication device determines that the bandwidth of the highest forwarding priority packets on the first port is equal to the second threshold of 15 Gb/s, and so determines that the bandwidth of the first port occupied by the highest forwarding priority packets transmitted through the first port satisfies the first condition. Correspondingly, the third condition may be that the bandwidth of the highest forwarding priority packets transmitted through the second port is greater than or equal to a sixth threshold, where the sixth threshold may or may not be equal to the second threshold.
In some possible implementations, the first communication device may periodically (for example, every 100 milliseconds) acquire the volume of highest forwarding priority packets transmitted through the first port and determine whether the bandwidth of the first port occupied by them satisfies the first condition. Similarly, the first communication device may periodically acquire the volume of highest forwarding priority packets transmitted through the second port and determine whether the bandwidth of the second port occupied by them satisfies the third condition. In this way, the first communication device finds in time how much of each port's bandwidth the highest forwarding priority packets occupy; if the highest forwarding priority packets on a port occupy too much of that port's bandwidth, the processing of S102 to S103 below is performed for that port, so the port is prevented from becoming congested and affecting the forwarding of normal packets with the highest forwarding priority.
In other possible implementations, the first communication device may instead acquire the volume of highest forwarding priority packets transmitted through the first port, and determine whether the bandwidth of the first port occupied by them satisfies the first condition, when triggered by an event. The events that trigger the execution of S101 include, but are not limited to, the first communication device determining that all packets transmitted through the first port satisfy a second condition, where the second condition is a condition defined by the first communication device for the first port and used to decide whether the highest forwarding priority packets on the first port need to be measured. When the bandwidth of the first port occupied by all packets transmitted through the first port satisfies the second condition, the occupancy of the first port is high, and the first communication device needs to acquire the highest forwarding priority packets transmitted through the first port and determine whether the bandwidth of the first port they occupy satisfies the first condition, so that normal packets with the highest forwarding priority can still be forwarded. In addition, the first communication device may set a corresponding event-trigger condition for each port; for example, it may set a corresponding fourth condition for the second port, and the fourth condition may be the same as or different from the second condition.
As an example, the second condition may be that the share of the bandwidth of the first port occupied by all messages transmitted through the first port is greater than or equal to a third threshold. The third threshold is a threshold preset on the first communication device for the first port. For example, if the third threshold is 80%, the bandwidth of the first port is 20 gigabits per second (Gb/s), and the first communication device measures all messages transmitted through the first port at 17 Gb/s, then the first communication device determines that the share of the bandwidth of the first port occupied by all messages on the first port is 17 ÷ 20 = 85%, which is greater than the third threshold of 80%, and so determines that the bandwidth of the first port occupied by all messages transmitted through the first port satisfies the second condition. The magnitude relationship between the third threshold and the first threshold is not particularly limited. Correspondingly, the fourth condition may be that the share of the bandwidth of the second port occupied by all messages transmitted through the second port is greater than or equal to a seventh threshold, where the seventh threshold may or may not be equal to the third threshold.
As another example, the second condition may be that the bandwidth of all messages transmitted through the first port is greater than or equal to a fourth threshold. The fourth threshold is a threshold preset on the first communication device for the first port. For example, if the fourth threshold is 18 Gb/s, the bandwidth of the first port is 20 Gb/s, and the first communication device measures all messages transmitted through the first port at 18.5 Gb/s, then the first communication device determines that the bandwidth of all messages transmitted on the first port is greater than the fourth threshold of 18 Gb/s, and so determines that the bandwidth of the first port occupied by all messages transmitted through the first port satisfies the second condition. The magnitude relationship between the fourth threshold and the second threshold is not particularly limited. Correspondingly, the fourth condition may be that the bandwidth of all messages transmitted through the second port is greater than or equal to an eighth threshold, where the eighth threshold may or may not be equal to the fourth threshold.
For example, if a first threshold of 70% and a third threshold of 80% are set on the first communication device, then before S101 the method 100 may further include: S21, the first communication device polls the first port to obtain the volume of all messages transmitted through the first port; S22, the first communication device judges whether the share of the bandwidth of the first port occupied by all messages transmitted through the first port is greater than or equal to the third threshold, and if so executes S23, otherwise continues polling according to S21; S23, the first communication device obtains the volume of the messages with the highest forwarding priority transmitted through the first port; S24, the first communication device judges whether the share of the bandwidth of the first port occupied by the messages with the highest forwarding priority transmitted through the first port is greater than or equal to the first threshold, and if so executes S101, that is, determines that the bandwidth of the first port occupied by the messages with the highest forwarding priority transmitted through the first port satisfies the first condition.
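The two-stage check of the S11 to S14 flow in the fig. 2 example and of S21 to S24 above, as an added Python example that is not part of the patent. A PortMonitor class (an assumed name) takes the per-interval TM counters for each port and applies the second condition on all traffic before the first condition on the highest forwarding priority traffic; each condition can be configured either as a share of the port bandwidth or as an absolute rate, so both threshold forms described above are covered, and each port carries its own thresholds. The counter samples and threshold values are constructed.

```python
"""Two-stage port monitor for highest-forwarding-priority traffic.

Added example, not the patent's code. It models the TM module counters as
(total_bits, highest_priority_bits) samples per polling interval and applies
the page's two conditions in order: first the second condition on all traffic
through the port, then the first condition on the highest-priority share.
The PortThresholds / PortMonitor names and the field names are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

GBPS = 1_000_000_000


@dataclass(frozen=True)
class PortThresholds:
    """Per-port configuration; each condition can be a ratio or an absolute rate.

    total_ratio / total_bps -> the page's third / fourth threshold (second condition)
    hp_ratio / hp_bps       -> the page's first / second threshold (first condition)
    """
    capacity_bps: float
    total_ratio: Optional[float] = None
    total_bps: Optional[float] = None
    hp_ratio: Optional[float] = None
    hp_bps: Optional[float] = None

    def _met(self, rate_bps: float, ratio: Optional[float], absolute: Optional[float]) -> bool:
        if ratio is not None and rate_bps / self.capacity_bps >= ratio:
            return True
        if absolute is not None and rate_bps >= absolute:
            return True
        return False

    def total_condition(self, total_bps: float) -> bool:
        return self._met(total_bps, self.total_ratio, self.total_bps)

    def hp_condition(self, hp_bps: float) -> bool:
        return self._met(hp_bps, self.hp_ratio, self.hp_bps)


class PortMonitor:
    """Turns periodic TM counter samples into 'start attack processing' decisions."""

    def __init__(self, thresholds: dict, interval_s: float = 1.0):
        self.thresholds = thresholds          # port name -> PortThresholds
        self.interval_s = interval_s

    def check(self, port: str, total_bits: int, hp_bits: int) -> bool:
        """One polling round (S11 to S14 / S21 to S24). True means S102 and S103 should run."""
        th = self.thresholds[port]
        total_bps = total_bits / self.interval_s
        # Stage 1 (second condition): is the port busy enough to measure the priority share?
        if not th.total_condition(total_bps):
            return False
        # Stage 2 (first condition): is the highest-priority traffic alone filling the port?
        hp_bps = hp_bits / self.interval_s
        return th.hp_condition(hp_bps)

    def poll(self, samples):
        """samples: iterable of (port, total_bits, hp_bits); yields the ports that trigger."""
        for port, total_bits, hp_bits in samples:
            if self.check(port, total_bits, hp_bits):
                yield port


# Constructed thresholds: port1 uses the ratio form (80% / 70%), port2 the absolute form.
MONITOR = PortMonitor({
    "port1": PortThresholds(capacity_bps=20 * GBPS, total_ratio=0.80, hp_ratio=0.70),
    "port2": PortThresholds(capacity_bps=20 * GBPS, total_bps=18 * GBPS, hp_bps=15 * GBPS),
})

# Constructed one-second samples (bits counted during the interval).
SAMPLES = [
    ("port1", 17 * GBPS, 15 * GBPS),    # 85% total, 75% highest priority -> trigger
    ("port1", 17 * GBPS, 13 * GBPS),    # 85% total, 65% highest priority -> no
    ("port1", 15 * GBPS, 15 * GBPS),    # 75% total: stage 1 not met      -> no
    ("port2", 18.5 * GBPS, 15 * GBPS),  # >= 18 Gb/s and >= 15 Gb/s        -> trigger
]

if __name__ == "__main__":
    print(list(MONITOR.poll(SAMPLES)))
```

The third sample is the case the page's ordering implies: 15 Gb/s of highest-priority traffic on a 20 Gb/s port would satisfy the first condition on its own, but with the event-triggered variant nothing is measured until the port as a whole crosses the third threshold, so an operator who wants the priority share checked regardless should use the periodic variant or set the total threshold no higher than the priority threshold.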
The polling in S21 may be implemented by a timer of the TM module of the first communication device; for example, the timer period is set to 1 second, and each time the timer expires, the volume of the messages transmitted through the first port is obtained once.
Both the volume of all messages transmitted through the first port and the volume of the messages with the highest forwarding priority transmitted through the first port are obtained by the first communication device performing a measurement operation on the first port through its TM module.
The first communication device may monitor and process the packets with the highest forwarding priority transmitted through the first port according to the network scenario in which it operates. For example, the first communication device may operate in an Internet Protocol version 4 (IPv4), Internet Protocol version 6 (IPv6), Virtual Private Network (VPN), Multiprotocol Label Switching (MPLS) or Virtual Extensible Local Area Network (VXLAN) environment. Taking a first communication device operating in an IPv6 network as an example, the first condition may be that the share of the bandwidth of the first port occupied by the highest forwarding priority IPv6 packets transmitted through the first port is greater than or equal to the first threshold, or that the bandwidth of the highest forwarding priority IPv6 packets transmitted through the first port is greater than or equal to the second threshold. In this embodiment, the second condition may be that the share of the bandwidth of the first port occupied by all IPv6 packets transmitted through the first port is greater than or equal to the third threshold, or that the bandwidth of all IPv6 packets transmitted through the first port is greater than or equal to the fourth threshold.
When the first communication device determines that the bandwidth of the first port occupied by the highest forwarding priority packets transmitted through the first port satisfies the first condition, it can be taken that many packets are being transmitted on the first port, that attack packets may be among them, and that important packets with the highest forwarding priority on the first port, such as protocol packets and detection packets, may be lost, affecting the normal operation of the first communication device. To ensure that the normal packets with the highest forwarding priority transmitted through the first port can still be forwarded, the first communication device processes the attack packets by performing the following S102 to S103.
S102, obtaining the characteristic information of the first attack message in the message with the highest forwarding priority transmitted through the first port.
The feature information of the attack packet refers to feature information capable of identifying the attack packet and an attack flow to which the attack packet belongs. The characteristic information of the attack packet may specifically be all or part of the content in the five-tuple of the attack packet, for example, the attack packet is an IP packet, and the characteristic information of the attack packet may include one or more of the following information: a source IP address, a destination IP address, a source port number, a destination port number, or a transport layer protocol number; for another example, the attack packet is an MPLS packet, and the feature information of the attack packet may include one or more of the following information: MPLS label, source Media Access Control (MAC) address of the attack message, destination MAC address, source IP address and destination IP address.
As an example, the feature information may be the full five-tuple: the first communication device identifies the first attack packet among the highest-forwarding-priority packets transmitted through the first port according to the source IP address, destination IP address, source port number, destination port number and transport-layer protocol number of each packet, and takes those five fields of the first attack packet as the feature information obtained in S102.
As another example, the feature information may be the source port number and the destination port number: the first communication device identifies the first attack packet according to the source and destination port numbers of each packet and takes those of the first attack packet as the feature information obtained in S102. For instance, packets whose source and destination port numbers jump continuously from packet to packet may be determined by the first communication device to be first attack packets.
As another example, the feature information may be the source MAC address and the destination MAC address: the first communication device identifies the first attack packet according to the source and destination MAC addresses of each packet and takes those of the first attack packet as the feature information obtained in S102. For instance, packets whose source and destination MAC addresses keep changing may be determined by the first communication device to be first attack packets.
In a specific implementation, the TM (traffic management) module of the first communication device may determine the first attack packet among the highest-forwarding-priority packets transmitted through the first port and obtain its feature information. This provides the basis for the subsequent processing of the first attack packet, so that the first attack packet can be detected and suppressed and the first communication device can keep operating normally.
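The following is an added example (Python, not code from the patent) of the S101 bandwidth check and the S102 port-jumping heuristic run over a constructed window of packets. The packet representation, the priority value 7, the link rate, the window length and the threshold on distinct port pairs are assumptions made for the example; the patent fixes none of them. Because the ports of the attack flow keep changing, the example reports the stable part of the five-tuple (source IP, destination IP, protocol) as the feature information, which is the "part of the five-tuple" case described above.

```python
"""Added example, not code from the patent: the S101 check on the first
port and the S102 feature extraction, for IP packets.

Assumptions the patent text does not make: packets are dicts with a
'prio' field (7 = highest forwarding priority), the port rate is given in
bit/s and the measurement window in seconds, and the "continuously
jumping port numbers" heuristic is realised as "one (src_ip, dst_ip,
proto) group with more than max_port_pairs distinct (sport, dport) pairs".
"""
from collections import defaultdict

HIGHEST_PRIO = 7


def highest_prio_bits(packets):
    """Bits carried by highest-forwarding-priority packets in the window."""
    return sum(p["len"] * 8 for p in packets if p["prio"] == HIGHEST_PRIO)


def first_condition_met(packets, link_bps, window_s,
                        ratio_threshold=None, bps_threshold=None):
    """S101. True when the highest-priority share of the port bandwidth is
    >= ratio_threshold (first threshold) or the absolute highest-priority
    rate is >= bps_threshold (second threshold); either form may be used."""
    bits = highest_prio_bits(packets)
    if ratio_threshold is not None and bits / (link_bps * window_s) >= ratio_threshold:
        return True
    if bps_threshold is not None and bits / window_s >= bps_threshold:
        return True
    return False


def find_attack_flow(packets, max_port_pairs=8):
    """S102 heuristic of the 'jumping ports' example. Groups highest-priority
    packets by (src_ip, dst_ip, proto) and picks the group with the most
    distinct (sport, dport) pairs. Returns the stable part of the five-tuple
    as feature information (ports are omitted because they keep changing),
    or None when no group jumps enough."""
    pairs = defaultdict(set)
    for p in packets:
        if p["prio"] != HIGHEST_PRIO:
            continue
        pairs[(p["src_ip"], p["dst_ip"], p["proto"])].add((p["sport"], p["dport"]))
    if not pairs:
        return None
    key, port_pairs = max(pairs.items(), key=lambda kv: len(kv[1]))
    if len(port_pairs) <= max_port_pairs:
        return None
    src_ip, dst_ip, proto = key
    return {"src_ip": src_ip, "dst_ip": dst_ip, "proto": proto}


def benign_packets():
    """Constructed sample: five BGP keepalives (TCP/179) at highest priority
    and twenty best-effort packets that S101 must not count."""
    bgp = [{"src_ip": "10.0.0.1", "dst_ip": "10.0.0.2", "proto": 6,
            "sport": 40000, "dport": 179, "len": 60, "prio": HIGHEST_PRIO}
           for _ in range(5)]
    best_effort = [{"src_ip": "10.1.0.1", "dst_ip": "10.2.0.1", "proto": 17,
                    "sport": 5000, "dport": 5001, "len": 1500, "prio": 0}
                   for _ in range(20)]
    return bgp + best_effort


def attack_packets(n=200):
    """Constructed sample: n UDP packets marked highest priority whose
    source and destination ports change on every packet."""
    return [{"src_ip": "192.0.2.7", "dst_ip": "10.0.0.2", "proto": 17,
             "sport": 40000 + i, "dport": 1024 + (i * 7) % 1000,
             "len": 1500, "prio": HIGHEST_PRIO} for i in range(n)]


if __name__ == "__main__":
    window = benign_packets() + attack_packets()
    if first_condition_met(window, link_bps=10_000_000, window_s=1.0, ratio_threshold=0.2):
        print("first condition met; attack features:", find_attack_flow(window))
```

With the constructed window the highest-priority packets carry 2,402,400 bits in one second on a 10 Mbit/s port, a 24% share, so a first threshold of 20% is met while the five keepalives alone would not come close; the attack group is the only one with more than eight distinct port pairs.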
S103: send the feature information of the first attack packet to a control management entity.
In a specific implementation, S103 may be, for example: the first communication device sends an indication message to the control management entity, and the indication message carries the feature information of the first attack packet obtained in S102.
The indication message may be any of the following: a Border Gateway Protocol (BGP) message, a Path Computation Element Communication Protocol (PCEP) message, a telemetry message, or a Network Configuration Protocol (NETCONF) message. For example, the feature information of the first attack packet may be carried in a Type Length Value (TLV) field added as an extension to any of these message types. As another example, it may be carried in another available field of any of these message types, such as a Reserved field.
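The following is an added example (Python, not the patent's own encoding) of a TLV that carries the feature information inside an indication message, together with the matching decoder. The container type 0x00FF and the sub-TLV type numbers are hypothetical; the patent assigns none. The decoder checks every length against the bytes that remain and skips sub-TLV types it does not know, which is what a receiver of an extended BGP, PCEP or NETCONF TLV must do so that a malformed or oversized length cannot read past the message.

```python
"""Added example, not the patent's own encoding: a TLV carrying the attack
packet's feature information inside an indication message, plus a decoder
that validates every length before using it.

The type numbers are hypothetical (assumption, not from the patent).
"""
import ipaddress
import struct

T_ATTACK_FEATURES = 0x00FF                       # hypothetical container TLV
T_SRC_IP, T_DST_IP, T_SPORT, T_DPORT, T_PROTO, T_MPLS_LABEL = 1, 2, 3, 4, 5, 6
_FIXED_LEN = {T_SPORT: 2, T_DPORT: 2, T_PROTO: 1, T_MPLS_LABEL: 4}
_NAMES = {T_SPORT: "sport", T_DPORT: "dport", T_PROTO: "proto",
          T_MPLS_LABEL: "mpls_label"}


def tlv(t, value):
    """Type (2 bytes), length (2 bytes), value; big-endian throughout."""
    if len(value) > 0xFFFF:
        raise ValueError("value too long for a 16-bit length")
    return struct.pack("!HH", t, len(value)) + value


def encode_features(f):
    """Encode any subset of the five-tuple plus an optional MPLS label."""
    body = b""
    if "src_ip" in f:
        body += tlv(T_SRC_IP, ipaddress.ip_address(f["src_ip"]).packed)
    if "dst_ip" in f:
        body += tlv(T_DST_IP, ipaddress.ip_address(f["dst_ip"]).packed)
    if "sport" in f:
        body += tlv(T_SPORT, struct.pack("!H", f["sport"]))
    if "dport" in f:
        body += tlv(T_DPORT, struct.pack("!H", f["dport"]))
    if "proto" in f:
        body += tlv(T_PROTO, struct.pack("!B", f["proto"]))
    if "mpls_label" in f:
        if not 0 <= f["mpls_label"] < (1 << 20):
            raise ValueError("MPLS label is a 20-bit value")
        body += tlv(T_MPLS_LABEL, struct.pack("!I", f["mpls_label"]))
    return tlv(T_ATTACK_FEATURES, body)


def iter_tlvs(buf):
    """Yield (type, value) pairs; refuse headers or values that overrun buf."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated TLV header at offset %d" % off)
        t, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if length > len(buf) - off:
            raise ValueError("TLV type %d claims %d bytes, only %d left"
                             % (t, length, len(buf) - off))
        yield t, buf[off:off + length]
        off += length


def decode_features(buf):
    """Find the container TLV and decode its known sub-TLVs. Unknown
    sub-TLV types are skipped so the format can be extended; a known type
    with the wrong length is rejected rather than silently truncated."""
    body = None
    for t, v in iter_tlvs(buf):
        if t == T_ATTACK_FEATURES:
            body = v
            break
    if body is None:
        raise ValueError("no attack-feature TLV present")
    f = {}
    for t, v in iter_tlvs(body):
        if t in (T_SRC_IP, T_DST_IP):
            if len(v) not in (4, 16):
                raise ValueError("bad IP address length %d" % len(v))
            f["src_ip" if t == T_SRC_IP else "dst_ip"] = str(ipaddress.ip_address(v))
        elif t in _FIXED_LEN:
            if len(v) != _FIXED_LEN[t]:
                raise ValueError("bad length %d for type %d" % (len(v), t))
            f[_NAMES[t]] = int.from_bytes(v, "big")
        # any other type: unknown extension, skipped on purpose
    return f


if __name__ == "__main__":
    # constructed feature information as the first communication device would report it
    msg = encode_features({"src_ip": "192.0.2.7", "dst_ip": "10.0.0.2", "proto": 17})
    print(msg.hex(), decode_features(msg))
```

The same container carries the MPLS case (label plus source and destination addresses) because each field is its own sub-TLV; the receiver never has to know in advance which subset of the five-tuple the sender chose.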
If the control management entity and the first communication device are two different devices, then, taking a telemetry message as the indication message as an example, before S103 is executed the first communication device and the control management entity must already be reachable from each other at the network layer through a routing protocol, and the telemetry function must be configured and enabled on both, so that after S102 the first communication device can place the feature information of the first attack packet in a telemetry message and send it to the control management entity.
In some possible implementations, the first communication device may periodically send an attack detection result to the control management entity; when the control management entity determines that a received attack detection result contains the feature information of the first attack packet, it may actively generate a packet processing policy for the first attack packet. Alternatively, the first communication device sends the feature information of the first attack packet to the control management entity only when it detects the first attack packet, and the control management entity may likewise actively generate a packet processing policy for it.
In other possible implementations, in addition to the feature information of the first attack packet, the first communication device may send indication information to the control management entity instructing it to generate a packet processing policy, the policy being used to process packets that match the feature information of the first attack packet. The first communication device may carry the indication information and the feature information in one indication message, or in two separate indication messages sent to the control management entity. The indication message carrying the indication information may be any of: a BGP message, a PCEP message, a telemetry message, or a NETCONF message.
If the control management entity and the first communication device belong to the same network device, then, again taking a telemetry message as the indication message as an example, the telemetry function must be configured and enabled on the first communication device and the control management entity before S103 is executed, so that after S102 the first communication device can deliver the feature information of the first attack packet to the control management entity as telemetry data.
As can be seen, with the method 100 provided in this embodiment of the present application, when the first communication device determines that the bandwidth of the first port occupied by the highest-forwarding-priority packets transmitted through the first port satisfies the first condition, it can obtain the feature information of the first attack packet among those packets and send it to the control management entity. The control management entity can then generate a packet processing policy from the received feature information and send it to a communication device, which processes packets matching the feature information of the first attack packet according to the policy (for example, by dropping or rate-limiting them). The security defense mechanism thus identifies and handles the attack packet before the first attack packet congests a port of the first communication device and threatens its security, ensures that the attack packet does not congest the communication device, and thereby ensures that the normal highest-forwarding-priority packets can still be forwarded and that the first communication device can provide normal service.
The above describes the implementation and effect of the packet processing method provided in this embodiment using the processing of an attack packet among the highest-forwarding-priority packets transmitted on the first port as an example. The method applies equally to other ports: for example, when it is determined that the bandwidth of a second port occupied by the highest-forwarding-priority packets transmitted through the second port satisfies a third condition, the feature information of a second attack packet among those packets is obtained and sent to the control management entity. The words "first" and "second" in "first attack packet" and "second attack packet" only distinguish the highest-forwarding-priority attack packets transmitted on different ports and do not designate any particular packet.
In other possible implementations, when the first communication device determines that the bandwidth of the first port occupied by the highest-forwarding-priority packets transmitted through the first port satisfies the first condition, it may analyze those packets and determine that they include an attack packet. In this implementation the first communication device may further send an alarm signal to the network manager to report that it has encountered the attack packet, so that the network manager can manage and control the first communication device and any communication devices that may be transmitting the attack packet, thereby ensuring network security.
In addition, this embodiment further provides another method 200 for processing an attack packet, shown in fig. 4. In the method 200, after S103 of the method 100, the method may further include:
S104: the control management entity generates a packet processing policy based on the feature information of the first attack packet, the policy being used to process packets that match the feature information of the first attack packet.
The packet processing policy may include, for example, the feature information of the first attack packet and a processing policy. The feature information describes the packets to be processed, so that the second communication device executing the packet processing policy can determine which packets are attack packets to be processed. The processing policy is the specific operation to perform on those packets: for example, a drop operation, that is, dropping packets that match the feature information of the first attack packet; or a rate-limiting operation, that is, rate-limiting packets that match the feature information of the first attack packet. Whether the packets are dropped or rate-limited, the attack packets' consumption of network resources is effectively reduced, and in particular the probability that normal highest-forwarding-priority packets lack bandwidth is reduced.
Any existing drop and/or rate-limiting algorithm may be used for the processing policy; this embodiment of the present application does not limit it.
S105: the control management entity sends the packet processing policy to a second communication device.
The second communication device and the first communication device may belong to the same network device or to two different network devices.
The control management entity may carry the packet processing policy in a BGP message, a PCEP message, a telemetry message, or a NETCONF message when sending it to the second communication device.
In addition, the control management entity may send instruction information to the second communication device instructing it to process packets matching the feature information of the first attack packet according to the packet processing policy.
S106: the second communication device processes packets that match the feature information of the first attack packet based on the packet processing policy.
In a specific implementation, S106 may include, for example: the second communication device obtains a first packet, determines whether the features of the first packet match the feature information of the first attack packet in the packet processing policy, and if so, processes the first packet according to the processing policy in the packet processing policy, for example by dropping it or rate-limiting it.
When the first communication device and the second communication device belong to the same network device, S106 may include, for example: the second communication device determines whether a packet transmitted through the first port matches the feature information of the first attack packet in the packet processing policy, and if so, drops or rate-limits that packet according to the processing policy. In this way the normal highest-forwarding-priority packets on the first communication device are no longer lost because of the first attack packet, and the first communication device can forward them effectively.
When the first communication device and the second communication device belong to different network devices, the second communication device may be any network device controlled by the control management entity. Even if the first attack packet attacks other communication devices in the network, the normal highest-forwarding-priority packets on those devices are then protected from loss caused by the first attack packet, and those devices can forward normal packets effectively.
As an example, the second communication device may be the previous-hop node, on the attack packet's transmission path, of the network device where the first communication device is located. By sending the packet processing policy to that node, the control management entity suppresses the first attack packet as close to its source as possible from the first communication device's point of view, so that the first attack packet no longer consumes the first communication device's bandwidth and its effect on the first communication device is eliminated.
In this example, to suppress the first attack packet more thoroughly, the control management entity may also send the packet processing policy to the first communication device while S106 is performed; the first communication device then also processes packets received on the first port that match the feature information of the attack packet according to the policy.
To prevent other communication devices in the network from being affected by the first attack packet, the control management entity may further send the packet processing policy to all communication devices connected to it in the network. Each of them can then treat a received packet that matches the feature information in the policy as an attack packet and drop or rate-limit it according to the processing policy. This effectively prevents the first attack packet from propagating among multiple communication devices in the network and attacking them, which greatly improves network security.
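The following is an added example (Python, not code from the patent) of S104 on the control management entity and S106 on the second communication device, covering both the drop and the rate-limiting processing policy. The dict representation of policies and packets, the rule that features omitted from the policy act as wildcards, the first-match rule, and the token-bucket rate limiter (the patent leaves the algorithm open) are assumptions made for the example; time is passed in explicitly so the bucket behaves deterministically.

```python
"""Added example, not code from the patent: S104 on the control management
entity and S106 on the second communication device.

Assumptions beyond the patent text: policies and packets are dicts, a
policy matches a packet when every feature the policy lists equals the
packet's field (omitted fields are wildcards), the first matching policy
wins, and rate limiting is a token bucket counted in bytes with the
current time (seconds) passed in explicitly.
"""


def generate_policy(features, action, rate_bps=None, burst_bytes=None):
    """S104: turn reported feature information (any subset of the
    five-tuple) into a packet processing policy. action is 'drop' or
    'rate_limit'; rate_limit needs a rate and a burst size."""
    if action not in ("drop", "rate_limit"):
        raise ValueError("unsupported action %r" % action)
    if action == "rate_limit" and not (rate_bps and burst_bytes):
        raise ValueError("rate_limit needs rate_bps and burst_bytes")
    return {"match": dict(features), "action": action,
            "rate_bps": rate_bps, "burst_bytes": burst_bytes}


def matches(policy, pkt):
    """A packet matches when every feature listed in the policy equals
    the packet's field; features the policy omits are wildcards."""
    return all(pkt.get(k) == v for k, v in policy["match"].items())


class PolicyEnforcer:
    """S106: apply the policies received from the control management
    entity to each packet. One token bucket per rate-limit policy."""

    def __init__(self, policies):
        self.policies = list(policies)
        self.buckets = {}                     # policy index -> (tokens, last)
        self.stats = {"forward": 0, "drop": 0}

    def _rate_limit(self, idx, policy, pkt, now):
        rate_bytes = policy["rate_bps"] / 8.0
        burst = policy["burst_bytes"]
        tokens, last = self.buckets.get(idx, (burst, now))
        # refill for the elapsed time, never beyond the burst, never negative
        tokens = min(burst, tokens + max(0.0, now - last) * rate_bytes)
        if tokens >= pkt["len"]:
            self.buckets[idx] = (tokens - pkt["len"], now)
            return "forward"
        self.buckets[idx] = (tokens, now)     # out of profile: drop
        return "drop"

    def process(self, pkt, now):
        """Return 'forward' or 'drop' for one packet seen at time now."""
        decision = "forward"
        for idx, policy in enumerate(self.policies):
            if not matches(policy, pkt):
                continue
            if policy["action"] == "drop":
                decision = "drop"
            else:
                decision = self._rate_limit(idx, policy, pkt, now)
            break
        self.stats[decision] += 1
        return decision


if __name__ == "__main__":
    # constructed: the feature information reported by the first communication device
    reported = {"src_ip": "192.0.2.7", "dst_ip": "10.0.0.2", "proto": 17}
    enforcer = PolicyEnforcer([generate_policy(reported, "drop")])
    attack = {"src_ip": "192.0.2.7", "dst_ip": "10.0.0.2", "proto": 17,
              "sport": 40123, "dport": 1861, "len": 1500}
    keepalive = {"src_ip": "10.0.0.1", "dst_ip": "10.0.0.2", "proto": 6,
                 "sport": 40000, "dport": 179, "len": 60}
    print(enforcer.process(attack, 0.0), enforcer.process(keepalive, 0.0))
```

Because the reported feature information omits the port numbers, the drop policy catches every packet of the port-jumping flow while leaving the BGP keepalive to the same destination untouched; a rate-limit policy with an 8 kbit/s rate and a 1500-byte burst lets one full-size packet through, drops the next one sent at the same instant, and admits another only after 1.5 s of refill.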
As can be seen, with the method 200 provided in this embodiment of the present application, the control management entity generates a packet processing policy based on the feature information of the first attack packet reported by the first communication device and sends it to the second communication device, which processes packets matching that feature information. The security defense mechanism thus identifies and handles the attack packet before it congests a port of the first communication device and threatens its security, ensures that the attack packet does not congest the communication device, and thereby ensures that the normal highest-forwarding-priority packets can still be forwarded and that the first communication device can provide normal service.
The above describes the implementation and effect of the packet processing method provided in this embodiment using the processing of an attack packet among the highest-forwarding-priority packets transmitted on the first port as an example. The method 200 applies equally to other ports. For example, after the method 100 has been executed for the second port, the method may further include: the control management entity generates a packet processing policy based on the feature information of the second attack packet, the policy being used to process packets matching that feature information; the control management entity sends the packet processing policy to a third communication device; and the third communication device processes packets matching the feature information of the second attack packet based on the policy. The third communication device and the first communication device may belong to the same network device or to two different network devices.
Fig. 5 is a flowchart of a method 300 for processing packets in an embodiment of the present application. Referring to fig. 5, the method 300 is executed by a first communication device and may include:
S301: the first communication device determines that the bandwidth of a first port occupied by the highest-forwarding-priority packets transmitted through the first port satisfies a first condition;
S302: the first communication device analyzes the highest-forwarding-priority packets transmitted through the first port;
S303: the first communication device determines that the highest-forwarding-priority packets transmitted through the first port include an attack packet.
As an example, when the first communication device determines that the highest-forwarding-priority packets transmitted through the first port include an attack packet, it may further send an alarm signal to the network manager indicating that the first communication device has encountered the attack packet, so that the network manager can defend the network and prevent the attack packet from causing greater harm. To let the network manager defend in a targeted way, the alarm signal may also carry the feature information of the attack packet.
As another example, after determining that the highest-forwarding-priority packets transmitted through the first port include an attack packet, the first communication device may further obtain the feature information of the attack packet, send it to the control management entity, and obtain the packet processing policy generated by the control management entity, which is used to process packets matching that feature information. The first communication device can then drop and/or rate-limit a first packet according to the policy, the first packet being a packet that matches the feature information of the attack packet.
The first condition may be that the proportion of the bandwidth of the first port occupied by the highest-forwarding-priority packets transmitted through the first port is greater than or equal to a first threshold. Alternatively, the first condition may be that the bandwidth of the first port occupied by the highest-forwarding-priority packets transmitted through the first port is greater than or equal to a second threshold.
For the specific implementation and the effect of the method 300, reference may be made to the description of the methods 100 and 200, which is not repeated here.
Fig. 6 is a flowchart of a method 400 for processing packets in an embodiment of the present application. Referring to fig. 6, the method 400 is described in terms of the interaction between a first communication device and a control management entity and may include, for example:
S401: when the first communication device determines that the bandwidth of a first port occupied by the highest-forwarding-priority packets transmitted through the first port satisfies a first condition, it obtains the feature information of an attack packet among those packets;
S402: the first communication device sends the feature information of the attack packet to the control management entity;
S403: the control management entity generates a packet processing policy based on the feature information of the attack packet, the policy being used to process packets that match the feature information of the attack packet.
As an example, the method 400 may further include: the first communication device obtains the packet processing policy generated by the control management entity and processes a first packet based on it, the first packet being a packet that matches the feature information of the attack packet.
As another example, the method 400 may further include: the control management entity sends the packet processing policy to a second communication device, which processes a second packet based on it, the second packet being a packet that matches the feature information of the attack packet.
The first condition may be that the proportion of the bandwidth of the first port occupied by the highest-forwarding-priority packets transmitted through the first port is greater than or equal to a first threshold. Alternatively, the first condition may be that the bandwidth of the first port occupied by the highest-forwarding-priority packets transmitted through the first port is greater than or equal to a second threshold.
For the specific implementation and the effect of the method 400, reference may be made to the description of the methods 100 to 300, which is not repeated here.
In addition, an embodiment of the present application further provides a system 700 for processing packets, shown in fig. 7. The system 700 includes at least a first communication device 701 and a control management entity 702, where:
the first communication device 701 is configured to obtain the feature information of an attack packet among the highest-forwarding-priority packets transmitted through a first port, and send it to the control management entity 702, when it determines that the bandwidth of the first port occupied by those packets satisfies a first condition; and
the control management entity 702 is configured to generate a packet processing policy based on the feature information of the attack packet, the policy being used to process packets that match that feature information.
As an example, the control management entity 702 is further configured to send the packet processing policy to the first communication device 701, and the first communication device 701 is further configured to process a first packet based on the policy, the first packet being a packet that matches the feature information of the attack packet.
As another example, the system 700 may further include a second communication device; the control management entity 702 is further configured to send the packet processing policy to the second communication device, and the second communication device is configured to process a second packet based on the policy, the second packet being a packet that matches the feature information of the attack packet.
The first condition may be that the proportion of the bandwidth of the first port occupied by the highest-forwarding-priority packets transmitted through the first port is greater than or equal to a first threshold. Alternatively, the first condition may be that the bandwidth of the first port occupied by the highest-forwarding-priority packets transmitted through the first port is greater than or equal to a second threshold.
For the specific implementation and the effect of the system 700, reference may be made to the description of the methods 100 to 400 or to the embodiments shown in fig. 1 and fig. 2, which is not repeated here.
In addition, an embodiment of the present application further provides a first communication device 800, shown in fig. 8. The first communication device 800 includes a processing unit 801 and a sending unit 802. The processing unit 801 performs the processing operations performed by the first communication device in any of the embodiments shown in fig. 3 to fig. 6, and the sending unit 802 performs the sending operations performed by the first communication device in those embodiments. For example, the processing unit 801 may perform the operations of the embodiment of fig. 3: determining that the bandwidth of a first port occupied by the highest-forwarding-priority packets transmitted through the first port satisfies a first condition, and obtaining the feature information of a first attack packet included in those packets; and the sending unit 802 may perform the operation of the embodiment of fig. 3: sending the feature information of the first attack packet to a control management entity.
In addition, an embodiment of the present application further provides a first communication device 900, shown in fig. 9. The first communication device 900 includes a first communication interface 901, a second communication interface 902 and a processor 903. The first communication interface 901 performs the receiving operations performed by the first communication device in any of the embodiments shown in fig. 3 to fig. 6; the second communication interface 902 performs the sending operations; and the processor 903 performs the operations other than receiving and sending. For example, the processor 903 may perform the operations of the embodiment of fig. 3: determining that the bandwidth of a first port occupied by the highest-forwarding-priority packets transmitted through the first port satisfies a first condition, and obtaining the feature information of a first attack packet included in those packets.
In addition, an embodiment of the present application further provides a first communication device 1000, shown in fig. 10. The first communication device 1000 includes a memory 1001 and a processor 1002 in communication with the memory 1001. The memory 1001 stores computer-readable instructions, and the processor 1002 executes them so that the first communication device 1000 performs the method performed by the first communication device in any of the embodiments shown in fig. 3 to fig. 6.
It is understood that in the above embodiments the processor may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. The processor may also be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof; the PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof. The processor may be one processor or several. The memory may include volatile memory, such as random-access memory (RAM), and may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid-state drive (SSD), or any combination of these; the memory may be one memory or several. In one embodiment, the computer-readable instructions stored in the memory comprise a plurality of software modules, such as a sending module, a processing module and a receiving module, and after executing each software module the processor performs the corresponding operation according to that module's instructions. In this embodiment, an operation performed by a software module means an operation performed by the processor according to the instructions of that module. After executing the computer-readable instructions in the memory, the processor can perform all operations that the first communication device performs in the packet processing method according to those instructions.
It is understood that, in the above embodiments, the second communication interface 902 of the first communication apparatus 900 may be specifically used as the sending unit 802 in the first communication apparatus 800, so as to implement data communication between the first communication apparatus and the control management entity; the first communication interface 901 of the first communication apparatus 900 may be specifically used as a receiving unit in the first communication apparatus 800, and may be used for receiving a message sent by an upstream network device, for example.
In addition, an embodiment of the present application further provides a communication system, and the first communication device in the communication system may be, for example, the first communication device 800, 900, or 1000 described above. For example, the communication system is the processing system 700 of the message, and then the first communication device is the first communication device 701, and the control management entity is the control management entity 702.
In addition, an embodiment of the present application further provides a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the instructions are executed on a computer, the computer is caused to execute the method for processing the packet in the embodiments shown in fig. 3 to fig. 6.
In addition, an embodiment of the present application further provides a computer program product, which includes a computer program or computer-readable instructions; when the computer program or the computer-readable instructions are run on a computer, the computer is caused to execute the packet processing method in the foregoing embodiments shown in fig. 3 to fig. 6.
As can be seen from the above description of the embodiments, those skilled in the art can clearly understand that all or part of the steps in the above embodiment methods can be implemented by software plus a general hardware platform. Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a storage medium, such as a read-only memory (ROM)/RAM, a magnetic disk, an optical disk, or the like, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network communication device such as a router) to execute the method according to the embodiments or some parts of the embodiments of the present application.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, system embodiments and device embodiments are substantially similar to method embodiments and are therefore described in a relatively simple manner, where relevant reference may be made to some descriptions of method embodiments. The above-described embodiments of the apparatus and system are merely illustrative, wherein modules described as separate parts may or may not be physically separate, and parts shown as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only a preferred embodiment of the present application and is not intended to limit the scope of the present application. It should be noted that, for a person skilled in the art, several improvements and modifications can be made without departing from the scope of the present application, and these improvements and modifications should also be considered as the protection scope of the present application.

Claims (48)

1. A method for processing a packet, the method being performed by a first communications device and comprising:
determining that bandwidth of a first port occupied by a message with the highest forwarding priority transmitted through the first port meets a first condition;
acquiring characteristic information of a first attack message included in the message with the highest forwarding priority transmitted through the first port;
and sending the characteristic information of the first attack message to a control management entity.
2. The method of claim 1, further comprising:
and acquiring a message processing strategy generated by the control management entity, wherein the message processing strategy is used for processing the message matched with the characteristic information of the first attack message.
3. The method of claim 2, further comprising:
and processing a first message based on the message processing strategy, wherein the first message is matched with the characteristic information of the first attack message.
4. The method of claim 3, wherein processing the first packet based on the packet processing policy comprises:
and performing packet loss processing on the first message based on the message processing strategy.
5. The method of claim 3, wherein processing the first packet based on the packet processing policy comprises:
and carrying out speed-limiting processing on the first message based on the message processing strategy.
6. The method according to any one of claims 1-5, further comprising:
and sending indication information to the control management entity, wherein the indication information is used for indicating the control management entity to generate a message processing strategy.
7. The method according to any of claims 1-6, wherein the first condition comprises that the proportion of the bandwidth of the first port occupied by the highest forwarding priority packet transmitted through the first port is greater than or equal to a first threshold.
8. The method according to any of claims 1-6, wherein the first condition comprises that the highest forwarding priority packet transmitted through the first port occupies a bandwidth of the first port that is greater than or equal to a second threshold.
9. The method according to any of claims 1-8, wherein before the determining that the highest forwarding priority packet transmitted through the first port occupies the bandwidth of the first port to satisfy the first condition, the method further comprises:
determining that all messages transmitted through the first port satisfy a second condition.
10. The method of claim 9, wherein the second condition comprises a proportion of the bandwidth of the first port occupied by all packets transmitted through the first port being greater than or equal to a third threshold.
11. The method of claim 9, wherein the second condition comprises the bandwidth of the first port occupied by all packets transmitted through the first port being greater than or equal to a fourth threshold.
12. The method according to any of claims 1-11, wherein before said determining that the highest forwarding priority packet transmitted through the first port occupies the bandwidth of the first port to satisfy the first condition, the method further comprises:
and polling to detect the bandwidth occupation condition of the first port.
13. The method according to any one of claims 1-12, further comprising:
determining that the bandwidth of a second port occupied by the message with the highest forwarding priority transmitted through the second port meets a third condition;
acquiring characteristic information of a second attack message included in the message with the highest forwarding priority transmitted through a second port;
and sending the characteristic information of the second attack message to the control management entity.
14. The method of claim 13, wherein the third condition comprises a ratio of bandwidth of the second port occupied by the highest forwarding priority packet transmitted through the second port being greater than or equal to a fifth threshold.
15. The method of claim 13, wherein the third condition comprises the bandwidth of the second port occupied by the highest forwarding priority packet transmitted through the second port being greater than or equal to a sixth threshold.
16. The method according to any one of claims 1 to 15, wherein the sending the feature information of the first attack packet to the control management entity includes:
and sending a message to the control management entity, wherein the message carries the characteristic information of the first attack message.
17. The method according to claim 16, wherein the message is any one of the following:
a BGP message, a PCEP message, a Telemetry message or a NETCONF message.
18. The method according to any of claims 1-17, wherein the characteristic information of the first attack packet comprises one or more of the following information:
the source Internet Protocol (IP) address, the destination IP address, the source port number, the destination port number or the transport-layer protocol number of the first attack packet.
19. The method of any of claims 1-18, wherein the first communication device operates in an Internet Protocol version 4 (IPv4) network, an Internet Protocol version 6 (IPv6) network, or a virtual private network (VPN).
20. A method for processing a packet, the method being performed by a first communications device and comprising:
determining that bandwidth of a first port occupied by a message with the highest forwarding priority transmitted by the first port meets a first condition;
analyzing the highest forwarding priority message transmitted through the first port;
and determining that the messages transmitted by the first port comprise the attack message with the highest forwarding priority.
21. The method of claim 20, further comprising:
and sending an alarm signal in response to the fact that the messages transmitted by the first port comprise the attack messages with the highest forwarding priority.
22. The method according to claim 20 or 21, further comprising:
and acquiring the characteristic information of the attack message.
23. The method of claim 22, further comprising:
and sending the characteristic information of the attack message to a control management entity.
24. The method of claim 23, further comprising:
and acquiring a message processing strategy generated by the control management entity, wherein the message processing strategy is used for processing the message matched with the characteristic information of the attack message.
25. The method of claim 22, further comprising:
and generating a message processing strategy based on the characteristic information of the attack message, wherein the message processing strategy is used for processing the message matched with the characteristic information of the attack message.
26. The method of claim 24 or 25, further comprising:
and processing a first message based on the message processing strategy, wherein the first message is matched with the characteristic information of the attack message.
27. The method of claim 26, wherein processing the first packet based on the packet processing policy comprises:
and performing packet loss processing on the first message based on the message processing strategy.
28. The method of claim 26, wherein processing the first packet based on the packet processing policy comprises:
and carrying out speed-limiting processing on the first message based on the message processing strategy.
29. The method according to any of claims 20-28, wherein the first condition comprises that the highest forwarding priority packet transmitted via the first port occupies a proportion of the bandwidth of the first port that is greater than or equal to a first threshold.
30. The method according to any of claims 20-28, wherein the first condition comprises the bandwidth of the first port occupied by the highest forwarding priority packet transmitted via the first port being greater than or equal to a second threshold.
31. A method for processing a packet, comprising:
when a first communication device determines that the bandwidth of a first port occupied by a packet with the highest forwarding priority transmitted through the first port meets a first condition, the first communication device acquires characteristic information of an attack packet in the packet with the highest forwarding priority;
the first communication device sends the characteristic information of the attack packet to a control management entity;
and the control management entity generates a packet processing policy according to the characteristic information of the attack packet, wherein the packet processing policy is used for processing a packet matched with the characteristic information of the attack packet.
32. The method of claim 31, further comprising:
and the control management entity sends the message processing strategy to the first communication device.
33. The method of claim 32, further comprising:
and the first communication device processes a first message based on the message processing strategy, wherein the first message is matched with the characteristic information of the attack message.
34. The method of claim 31, further comprising:
and the control management entity sends the message processing strategy to a second communication device.
35. The method of claim 34, further comprising:
and the second communication device processes a second message based on the message processing strategy, wherein the second message is matched with the characteristic information of the attack message.
36. The method according to any of claims 31-35, wherein the first condition comprises that the highest forwarding priority packet transmitted via the first port occupies a proportion of the bandwidth of the first port that is greater than or equal to a first threshold.
37. The method according to any of claims 31-35, wherein the first condition comprises the bandwidth of the first port occupied by the highest forwarding priority packet transmitted via the first port being greater than or equal to a second threshold.
38. A system for processing messages, the system comprising a first communication device and a control management entity, wherein,
the first communication device is configured to acquire and send feature information of an attack packet in a packet with a highest forwarding priority to the control management entity when it is determined that bandwidth of a first port occupied by the packet with the highest forwarding priority transmitted through the first port satisfies a first condition;
and the control management entity is configured to generate a packet processing policy according to the characteristic information of the attack packet, where the packet processing policy is used for processing a packet matched with the characteristic information of the attack packet.
39. The system of claim 38,
the control management entity is further configured to send the packet processing policy to the first communication device.
40. The system of claim 39,
the first communication device is further configured to process a first packet based on the packet processing policy, where the first packet is a packet matched with the feature information of the attack packet.
41. The system of claim 38, further comprising a second communication device,
the control management entity is further configured to send the packet processing policy to the second communication device.
42. The system of claim 41,
the second communication device is further configured to process a second packet based on the packet processing policy, where the second packet is a packet matched with the feature information of the attack packet.
43. The system according to any of claims 38-42, wherein said first condition comprises a proportion of said first port bandwidth occupied by said highest forwarding priority packet transmitted via said first port being greater than or equal to a first threshold.
44. The system according to any of claims 38-42, wherein said first condition comprises the bandwidth of said first port occupied by said highest forwarding priority packet transmitted via said first port being greater than or equal to a second threshold.
45. A communications apparatus, comprising:
a memory comprising computer readable instructions;
a processor in communication with the memory, the processor to execute the computer readable instructions to cause the communication device to perform the method of any of claims 1-19.
46. A communications apparatus, comprising:
a memory comprising computer readable instructions;
a processor in communication with the memory, the processor to execute the computer readable instructions to cause the communication device to perform the method of any of claims 20-30.
47. A communication system, characterized in that the communication system comprises a first communication device and a control management entity,
the first communications device is configured to perform the operations performed by the first communications device in the method of any of claims 31-37;
the control management entity is configured to perform the operations performed by the control management entity in the method of any one of claims 31-37.
48. A computer readable storage medium comprising computer readable instructions which, when run on a computer, cause the computer to implement the method of any one of claims 1-37.
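The per-port detection and mitigation flow of claims 1-12 and 31-35, worked through as an added Python simulation. This is not code from the patent or its applicant; the priority scale (0..7, with 7 highest), the port capacity, the thresholds, the sample traffic and, in particular, the rule used to pick the attack flow out of the highest-priority class (the claims say the characteristic information is "acquired" but not how) are all assumptions made for the example. The second condition (total port load, claim 10) is evaluated before the first condition (share of the port taken by highest-priority traffic, claim 7), the reported characteristic information is the 5-tuple of claim 18, and the generated policy is applied as a rate limit (claim 5) or drop (claim 4) on packets matching that 5-tuple.

```python
"""Simulation of the claimed per-port detection and mitigation flow.
Added example, not the patent's own code; thresholds, traffic, the priority
scale and the dominant-flow heuristic are assumptions made for illustration."""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Tuple

FiveTuple = Tuple[str, str, int, int, int]   # claim 18 characteristic information
HIGHEST_PRIORITY = 7                          # assumed 0..7 forwarding-priority scale


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int        # transport-layer protocol number (6 = TCP, 17 = UDP)
    priority: int     # forwarding priority carried by the packet
    size: int         # bytes on the wire

    def five_tuple(self) -> FiveTuple:
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)


@dataclass
class PortStats:
    """Counters kept for one port during one polling interval (claim 12)."""
    capacity_bps: float
    total_bytes: int = 0
    top_bytes: int = 0
    top_flows: Counter = field(default_factory=Counter)

    def observe(self, pkt: Packet) -> None:
        self.total_bytes += pkt.size
        if pkt.priority == HIGHEST_PRIORITY:
            self.top_bytes += pkt.size
            self.top_flows[pkt.five_tuple()] += pkt.size


def conditions_met(stats: PortStats, interval_s: float,
                   port_ratio: float, top_ratio: float) -> bool:
    """Second condition (claim 10: total load on the port) is checked first, then the
    first condition (claim 7: share of the port taken by highest-priority packets)."""
    total_share = stats.total_bytes * 8 / interval_s / stats.capacity_bps
    if total_share < port_ratio:
        return False
    top_share = stats.top_bytes * 8 / interval_s / stats.capacity_bps
    return top_share >= top_ratio


def attack_features(stats: PortStats, min_share: float = 0.5) -> List[FiveTuple]:
    """Acquire the attack packet's characteristic information (claim 1, second step).
    Assumed heuristic: any single 5-tuple carrying at least min_share of the
    highest-priority bytes on the port is treated as the attack."""
    if stats.top_bytes == 0:
        return []
    return [ft for ft, nbytes in stats.top_flows.most_common()
            if nbytes / stats.top_bytes >= min_share]


def generate_policy(features: List[FiveTuple], action: str, rate_bps: float = 0) -> dict:
    """Control management entity side (claim 31): a policy matching the reported
    5-tuples; action is 'drop' (claim 4) or 'rate-limit' (claim 5)."""
    return {"match": set(features), "action": action, "rate_bps": rate_bps}


class Enforcer:
    """Applies the policy on a communication device (claims 3, 33, 35). Rate limiting
    is modelled as a per-interval byte budget, a simplification of a token bucket."""
    def __init__(self, policy: dict, interval_s: float):
        self.policy = policy
        self.budget = policy["rate_bps"] * interval_s / 8
        self.used = 0

    def handle(self, pkt: Packet) -> str:
        if pkt.five_tuple() not in self.policy["match"]:
            return "forward"
        if self.policy["action"] == "drop" or self.used + pkt.size > self.budget:
            return "drop"
        self.used += pkt.size
        return "forward"


def constructed_traffic() -> List[Packet]:
    """Constructed sample traffic for a 10 Mbps port over a 1 s interval (assumption)."""
    legit_bgp = [Packet("192.0.2.1", "192.0.2.2", 40000, 179, 6, HIGHEST_PRIORITY, 200)] * 50
    best_effort = [Packet("203.0.113.5", "192.0.2.10", 51000, 443, 6, 0, 1000)] * 400
    # A UDP flood marked with the highest forwarding priority, the case the claims target
    flood = [Packet("198.51.100.7", "192.0.2.10", 53, 53, 17, HIGHEST_PRIORITY, 1000)] * 600
    return legit_bgp + best_effort + flood


def run_demo(interval_s: float = 1.0) -> dict:
    stats = PortStats(capacity_bps=10_000_000)
    traffic = constructed_traffic()
    for pkt in traffic:
        stats.observe(pkt)
    hit = conditions_met(stats, interval_s, port_ratio=0.7, top_ratio=0.3)
    features = attack_features(stats) if hit else []
    policy = generate_policy(features, "rate-limit", rate_bps=100_000)
    enforcer = Enforcer(policy, interval_s)
    verdicts = Counter(enforcer.handle(pkt) for pkt in traffic)
    return {"triggered": hit, "features": features, "verdicts": dict(verdicts)}


if __name__ == "__main__":
    print(run_demo())
```

With the constructed traffic the port is 80.8% loaded and highest-priority packets take 48.8% of it, so both conditions trip; the flood's 5-tuple holds about 98% of the highest-priority bytes and is the only feature reported, and the 100 kbps limit lets 12 of its 600 packets through while the BGP session and best-effort flows are untouched. The heuristic in attack_features is the weak point a practitioner should replace with whatever classification the device actually has: a single dominant legitimate flow in the top class would be reported just the same.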
CN202010966693.5A 2020-09-15 2020-09-15 Message processing method, system and equipment Pending CN114268592A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010966693.5A CN114268592A (en) 2020-09-15 2020-09-15 Message processing method, system and equipment
PCT/CN2021/116602 WO2022057647A1 (en) 2020-09-15 2021-09-06 Packet processing method, system, and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010966693.5A CN114268592A (en) 2020-09-15 2020-09-15 Message processing method, system and equipment

Publications (1)

Publication Number Publication Date
CN114268592A true CN114268592A (en) 2022-04-01

Family

ID=80777560

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010966693.5A Pending CN114268592A (en) 2020-09-15 2020-09-15 Message processing method, system and equipment

Country Status (2)

Country Link
CN (1) CN114268592A (en)
WO (1) WO2022057647A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114793199B (en) * 2022-03-30 2024-02-09 新华三信息安全技术有限公司 Message processing method, device and network equipment
CN117978758B (en) * 2024-03-29 2024-06-07 珠海星云智联科技有限公司 Adaptation method for data processing unit, computer device and medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100369416C (en) * 2005-05-09 2008-02-13 杭州华三通信技术有限公司 Method for detecting flow attacking message characteristic of network equipment
CN104702560A (en) * 2013-12-04 2015-06-10 华为技术有限公司 Method and device for preventing message attack
CN105991637B (en) * 2015-06-15 2019-06-07 杭州迪普科技股份有限公司 The means of defence and device of network attack
JP7172043B2 (en) * 2018-01-19 2022-11-16 富士通株式会社 Attack detection device and attack detection method
CN111092840B (en) * 2018-10-23 2022-06-21 中兴通讯股份有限公司 Processing strategy generation method, system and storage medium

Also Published As

Publication number Publication date
WO2022057647A1 (en) 2022-03-24

Similar Documents

Publication Publication Date Title
EP3226508B1 (en) Attack packet processing method, apparatus, and system
US7522521B2 (en) Route processor adjusting of line card admission control parameters for packets destined for the route processor
US7580351B2 (en) Dynamically controlling the rate and internal priority of packets destined for the control plane of a routing device
EP2289221B1 (en) Network intrusion protection
WO2016150253A1 (en) Sdn-based ddos attack prevention method, device and system
US8958318B1 (en) Event-based capture of packets from a network flow
US9819590B2 (en) Method and apparatus for notifying network abnormality
CN107710680B (en) Method and device for sending network attack defense strategy and network attack defense
US20190297017A1 (en) Managing network congestion using segment routing
US8443444B2 (en) Mitigating low-rate denial-of-service attacks in packet-switched networks
US7818795B1 (en) Per-port protection against denial-of-service and distributed denial-of-service attacks
CN109768955B (en) System and method for defending distributed denial of service attack based on software defined network
CN108737447B (en) User datagram protocol flow filtering method, device, server and storage medium
US8505091B2 (en) Method of protecting against denial-of-service attacks
US8339971B2 (en) Network protection via embedded controls
CN108429731B (en) Anti-attack method and device and electronic equipment
US20240121203A1 (en) System and method of processing control plane data
WO2020083272A1 (en) Processing strategy generation method and system, and storage medium
WO2022057647A1 (en) Packet processing method, system, and device
KR20120060655A (en) Routing Method And Apparatus For Detecting Server Attacking And Network Using Method Thereof
WO2017129011A1 (en) Message processing method and network device
Grigoryan et al. Lamp: Prompt layer 7 attack mitigation with programmable data planes
EP3266174B1 (en) Uplink port oversubscription determination
WO2019096104A1 (en) Attack prevention
WO2021083324A1 (en) Information reporting method, and data processing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination