CN114500117B - Looped network Master configuration error judgment method and device based on looped network storm flow characteristics - Google Patents

Publication number: CN114500117B
Authority: CN (China)
Prior art keywords: message, switch, messages, configuration, service
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202210392575.7A
Other languages: Chinese (zh)
Other versions: CN114500117A (en)
Inventors: 李亚红, 侯斯尧, 李强, 丁欢, 敖奇
Current assignee: CRSC Research and Design Institute Group Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: CRSC Research and Design Institute Group Co Ltd

Events:
Application filed by CRSC Research and Design Institute Group Co Ltd
Priority to CN202210392575.7A
Publication of CN114500117A
Application granted
Publication of CN114500117B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/42 Loop networks
    • H04L 12/437 Ring fault isolation or reconfiguration
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

The invention discloses a method and a device for judging a ring network Master configuration error based on the traffic characteristics of a ring network storm. The method comprises: judging whether the protocol of the surging packets is related to the service and whether their checksum and sequence information are normal; judging, based on that result, whether a ring network Master configuration error has occurred; and determining the ring network Master configuration error according to the result of that judgment. The judgment of whether the protocol of the surging packets is related to the service and whether the checksum and sequence information are normal is made from the characteristics of all traffic data collected after the ring network storm; according to that judgment, the packet TTL values and the configuration and real-time state information of each switch collected over SNMP are combined to judge whether the ring network Master configuration of each switch is abnormal; and when a switch ring network Master misconfiguration alarm is raised, the position of the misconfigured switch is reported.

Description

Looped network Master configuration error judgment method and device based on looped network storm flow characteristics
Technical Field
The invention relates to the technical field of network security, and in particular to a method and a device for judging a ring network Master configuration error based on the traffic characteristics of a ring network storm.
Background
In recent years, with technical progress, China's railway industry has developed vigorously and high-speed rail has become a national showcase. As the operating mileage of the railway system grows, the scale of each network that carries train-operation data also keeps growing. This puts heavy pressure on the operation and maintenance staff of railway networks, makes network problems harder to locate and resolve, and makes it increasingly difficult for staff to find network security problems in railway networks by experience or by hand. How to help operation and maintenance staff quickly and effectively locate the cause and the position of a ring network storm in a railway train control system network, so that they can deal with it in time and restore normal operation, is therefore an important subject, and solving it further improves the operating efficiency of the railway train control system network.
A ring network storm in a railway train control system network can have many causes; among them, a storm caused by a wrong ring network Master configuration seriously affects normal operation of the network. The rail train control system network uses a ring architecture, and the ring protocol runs correctly only if the ring network Master is configured correctly. As the network keeps growing, operation and maintenance staff may set a wrong ring network Master configuration, so that the network forms a loop and packets circulate in the ring indefinitely, producing a ring network storm. Existing railway train control system networks have no analysis tool or software for the cause of a ring network storm: whether a storm is occurring is judged only from the traffic level, operation and maintenance staff are notified through some alarm mechanism, and they then check the possible causes one by one, find the cause of the storm and recover from it. This manual checking is inefficient, judgments are often inaccurate, and the same storm often has to be located and analysed several times, which places a great operation and maintenance burden on the staff.
Disclosure of Invention
Against this background, and given that the existing rail train control system network lacks a technique for analysing the origin of a ring network storm, the invention aims to provide a method for tracing a ring network storm in a rail train control system network to a ring network Master (ring master node) configuration error, based on analysis of basic network information such as traffic characteristics and configuration characteristics at the time the storm originates. Operation and maintenance staff of the rail train control system network can then quickly locate the cause of a storm after it occurs, take the corresponding action, restore normal operation of the network, and greatly improve their operation and maintenance efficiency.
To achieve this, the invention provides the following technical scheme:
A method for judging a ring network Master configuration error based on ring network storm traffic characteristics comprises the following steps: judging whether the protocol of the surging packets is related to the service and whether their checksum and sequence information are normal; judging whether a ring network Master configuration error has occurred based on that result; and determining the ring network Master configuration error according to the result of the judgment of whether a ring network Master configuration error has occurred.
Preferably, the judgment of whether the protocol of the surging packets is related to the service and whether the checksum and sequence information are normal is made from the characteristics of all traffic data collected after the ring network storm.
Preferably, that judgment comprises: if the protocol type of the surging packets is related to the service but the checksum and sequence information are abnormal, extracting the fingerprint features of the relevant packets and judging whether they match packet features in a distributed denial of service (DDoS) attack library; if the protocol type of the surging packets is related to the service and the checksum and sequence information are normal, obtaining the TTL (time to live) values of the packets and judging whether a large number of packets have a TTL of 1 or 0.
Preferably, obtaining the TTL values of the packets comprises parsing the surging normal service packets to obtain their TTL values; classifying the packets by TTL value; and counting the number of packets in each TTL class.
Preferably, judging whether a large number of packets with a TTL of 1 or 0 appear relies on the fact that in a normal network the number of packets with a TTL of 1 or 0 is small, whereas in a ring network storm such packets increase sharply. Specifically, if a large number of packets have a TTL of 1 or 0, the configuration and real-time state information of each switch is collected through the Simple Network Management Protocol (SNMP) and it is judged whether the ring network Master configuration of each switch is abnormal; if a large number of packets do not have a TTL of 1 or 0, it is judged whether the packets match packet features in the DDoS attack library.
Preferably, extracting the fingerprint features of the relevant packets comprises parsing the surging packets, extracting their 5-tuple (source address, destination address, source port, destination port, protocol) and the key field contents of the payload, and computing an MD5 value over them, which serves as the fingerprint of the surging packets.
Preferably, judging whether the packets match packet features in the DDoS attack library comprises: if they match, performing network attack alarm processing; if they do not match DDoS attack features, collecting the configuration and real-time state information of each switch through SNMP and judging whether the ring network Master configuration of each switch is abnormal.
Preferably, judging whether the ring network Master configuration of each switch is abnormal comprises: if the ring configuration of a switch is abnormal, raising a switch ring network Master misconfiguration alarm and reporting the position of the misconfigured switch; if the ring configuration of every switch is normal, this indicates a device fault.
Preferably, analysing the device fault comprises obtaining the log information of the switches; judging, from the real-time state information and the log information of each switch, whether a switch port has failed; and raising a device fault alarm that gives the position of the faulty switch.
A device for judging a ring network Master configuration error based on ring network storm traffic characteristics comprises:
a judging unit, which judges whether the protocol of the surging packets is related to the service and whether the checksum and sequence information are normal, and judges from that result whether a ring network Master configuration error has occurred; and
a determining unit, which determines the ring network Master configuration error according to the judging unit's result on whether a ring network Master configuration error has occurred.
Preferably, the judging unit makes the judgment of whether the protocol of the surging packets is related to the service and whether the checksum and sequence information are normal from the characteristics of all traffic data collected after the ring network storm.
Preferably, when the judging unit judges whether the protocol of the surging packets is related to the service and whether the checksum and sequence information are normal: if the protocol type is related to the service but the checksum and sequence information are abnormal, the fingerprint features of the relevant packets are extracted and it is judged whether they match packet features in the distributed denial of service (DDoS) attack library; if the protocol type is related to the service and the checksum and sequence information are normal, the TTL values of the packets are obtained and it is judged whether a large number of packets have a TTL of 1 or 0.
Preferably, obtaining the TTL values of the packets comprises parsing the surging normal service packets to obtain their TTL values; classifying the packets by TTL value; and counting the number of packets in each TTL class.
Preferably, judging whether a large number of packets have a TTL of 1 or 0 comprises: if they do, collecting the configuration and real-time state information of each switch through SNMP, the judging unit then judging whether the ring network Master configuration of each switch is abnormal; if a large number of packets do not have a TTL of 1 or 0, judging whether the packets match packet features in the DDoS attack library.
Preferably, extracting the fingerprint features of the relevant packets comprises parsing the surging packets and computing their fingerprint features.
Preferably, judging whether the packets match packet features in the DDoS attack library comprises: if they match, performing network attack alarm processing; if they do not match DDoS attack features, collecting the configuration and real-time state information of each switch through SNMP, the judging unit then judging whether the ring network Master configuration of each switch is abnormal.
Preferably, the judging unit judges whether the ring network Master configuration of each switch is abnormal, and when it is, the determining unit confirms the switch ring network Master misconfiguration alarm and reports the position of the misconfigured switch.
The technical effects and advantages of the invention are:
1. whether the protocol of the surging packets is related to the service and whether the checksum and sequence information are normal is judged from the characteristics of all traffic data collected after the ring network storm;
2. according to that judgment, the packet TTL values and the configuration and real-time state information of each switch collected over SNMP are combined to judge whether the ring network Master configuration of each switch is abnormal;
3. when a switch ring network Master misconfiguration alarm is raised, the position of the misconfigured switch is reported.
Starting from the known causes of ring network storms in railway train control systems, the invention combines the different traffic characteristics, device state data and other information that accompany a storm arising from each cause, so that after a storm occurs this data is collected and analysed automatically to obtain the cause of the storm. This helps the administrator locate the cause quickly, restore the network quickly, and keep the railway train control system network running safely and stably.
At present there is no method for tracing the cause of a ring network storm in a railway train control system network, and the invention fills this gap.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
FIG. 1 is a flowchart of the ring network Master configuration error judgment method of the invention;
FIG. 2 is a diagram of the device for judging a ring network Master configuration error according to the invention;
FIG. 3 is a flowchart of the ring network storm traceability analysis.
Detailed Description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the scope of protection of the invention.
To remedy the deficiency of the prior art, the invention discloses a method and a device for judging a ring network Master configuration error based on the traffic characteristics of a ring network storm. The method comprises: judging whether the protocol of the surging packets is related to the service and whether their checksum and sequence information are normal; judging, based on that result, whether a ring network Master (ring master node) configuration error has occurred; and determining the ring network Master configuration error according to the result of that judgment.
As shown in Fig. 1, whether the protocol of the surging packets is related to the service and whether the checksum and sequence information are normal is determined from the characteristics of all traffic data collected after the ring network storm. If the protocol type of the surging packets is related to the service but the checksum and sequence information are abnormal, the fingerprint features of the relevant packets are extracted (the surging packets are parsed and their fingerprints computed) and it is judged from these fingerprints whether they match packet features in the distributed denial of service (DDoS) attack library. If the protocol type of the surging packets is related to the service and the checksum and sequence information are normal, the TTL (time to live) values of the packets are obtained and it is judged whether a large number of packets have a TTL of 1 or 0. Obtaining the TTL values comprises parsing the surging normal service packets to obtain their TTL values, classifying the packets by TTL value, and counting the number of packets in each TTL class.
Further, extracting the fingerprint features of the relevant packets comprises parsing the surging packets, extracting their 5-tuple and the key field contents of the payload, and computing an MD5 value over them.
Further, judging whether a large number of packets with a TTL of 1 or 0 appear relies on the fact that in a normal network the number of such packets is small, whereas in a ring network storm they increase sharply. Specifically, if a large number of packets have a TTL of 1 or 0, the configuration and real-time state information of each switch is collected through SNMP and it is judged whether the ring network Master configuration of each switch is abnormal; if a large number of packets do not have a TTL of 1 or 0, it is judged whether the packets match packet features in the DDoS attack library.
Further, judging whether the packets match packet features in the DDoS attack library comprises: if they match, performing network attack alarm processing; if they do not match DDoS attack features, collecting the configuration and real-time state information of each switch through SNMP and judging whether the ring network Master configuration of each switch is abnormal.
Judging whether the ring network Master configuration of each switch is abnormal comprises: if the ring configuration of a switch is abnormal, raising a switch ring network Master misconfiguration alarm and reporting the position of the misconfigured switch; if the ring configuration of every switch is normal, this indicates a device fault.
Analysing the device fault comprises obtaining the log information of the switches; judging, from the real-time state information and the log information of each switch, whether a switch port has failed; and raising a device fault alarm that gives the position of the faulty switch.
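The decision flow described above, from the service-relevance and checksum/sequence check through the TTL count, the DDoS fingerprint lookup and the per-switch Master check, coded in Python over constructed packet records. This is an added example, not the patent's own implementation. The service port set, the rule that a ring must have exactly one Master, the dictionaries that stand in for what SNMP would return, and the one-entry attack library are all assumptions made for the example.

```python
"""Ring-storm triage following the decision flow of the judgment method (Fig. 1).

Added example, not the patent's own code. The packet records, the switch rows
that stand in for SNMP-collected configuration, and the DDoS fingerprint library
are constructed for illustration. Two things are assumptions rather than
statements of the patent: service traffic is identified by UDP destination port,
and a ring is considered correctly configured only when exactly one switch is
its Master.
"""
import hashlib
from collections import Counter

# Assumed (hypothetical): service traffic is UDP to one of these ports.
SERVICE_PORTS = {20000, 20001}


def is_service_related(pkt):
    """Is the surging packet's protocol the train-control service protocol?"""
    return pkt["proto"] == "UDP" and pkt["dport"] in SERVICE_PORTS


def fingerprint(pkt):
    """MD5 over the 5-tuple plus a key payload field, as the method describes."""
    five_tuple = "{src},{dst},{sport},{dport},{proto}".format(**pkt)
    return hashlib.md5(f"{five_tuple}|{pkt['payload_key']}".encode()).hexdigest()


def ttl_histogram(pkts):
    """Classify packets by TTL value and count each class."""
    return Counter(p["ttl"] for p in pkts)


def ttl_storm_ratio(pkts):
    """Fraction of packets whose TTL has been decremented to 1 or 0."""
    if not pkts:
        return 0.0
    hist = ttl_histogram(pkts)
    return (hist[0] + hist[1]) / len(pkts)


def misconfigured_masters(switch_rows):
    """Positions of switches whose ring Master setting is wrong.

    Assumption: each ring must have exactly one Master. With two or more
    Masters all of them are reported; with none, every ring member is.
    """
    rings = {}
    for row in switch_rows:
        rings.setdefault(row["ring"], []).append(row)
    bad = []
    for members in rings.values():
        masters = [m for m in members if m["master"]]
        if len(masters) != 1:
            bad.extend(m["position"] for m in (masters or members))
    return bad


def _master_stage(switch_rows):
    bad = misconfigured_masters(switch_rows)
    if bad:
        return {"verdict": "master_misconfig", "switches": bad}
    return {"verdict": "device_fault", "switches": []}  # config normal -> device fault


def triage(pkts, switch_rows, ddos_library, ttl_threshold=0.5):
    """Run the decision flow and return the verdict plus switch positions."""
    normal_service = all(
        is_service_related(p) and p["csum_ok"] and p["seq_ok"] for p in pkts
    )
    if normal_service and ttl_storm_ratio(pkts) >= ttl_threshold:
        # Legitimate service packets that looped until TTL 1/0: check the Masters.
        return _master_stage(switch_rows)
    # Abnormal packets, or normal ones without the TTL signature: attack library.
    if any(fingerprint(p) in ddos_library for p in pkts):
        return {"verdict": "network_attack", "switches": []}
    return _master_stage(switch_rows)


def _pkt(src, dst, ttl, proto="UDP", dport=20000, payload_key="CMD=POS",
         csum_ok=True, seq_ok=True):
    return {"src": src, "dst": dst, "sport": 40000, "dport": dport, "proto": proto,
            "ttl": ttl, "payload_key": payload_key, "csum_ok": csum_ok,
            "seq_ok": seq_ok}


# Constructed sample: 20 copies of one service packet worn down to TTL 1, 3 healthy.
STORM_PKTS = [_pkt("10.1.0.5", "10.1.0.9", 1) for _ in range(20)] + \
             [_pkt("10.1.0.5", "10.1.0.9", 64) for _ in range(3)]
# Constructed sample: SYN flood with bad checksums from outside the service.
ATTACK_PKTS = [_pkt("198.51.100.7", "10.1.0.9", 60, proto="TCP", dport=80,
                    payload_key="SYN", csum_ok=False) for _ in range(20)]
# Constructed attack library holding the fingerprint of that flood.
DDOS_LIBRARY = {fingerprint(ATTACK_PKTS[0])}
# Constructed stand-in for SNMP-collected ring configuration: ring 1 has two Masters.
BAD_SWITCHES = [
    {"switch": "SW-A", "ring": 1, "master": True, "position": "cabinet 3, slot 1"},
    {"switch": "SW-B", "ring": 1, "master": True, "position": "cabinet 3, slot 2"},
    {"switch": "SW-C", "ring": 1, "master": False, "position": "cabinet 4, slot 1"},
]
GOOD_SWITCHES = [dict(r, master=(r["switch"] == "SW-A")) for r in BAD_SWITCHES]

if __name__ == "__main__":
    print(triage(STORM_PKTS, BAD_SWITCHES, DDOS_LIBRARY))
    print(triage(ATTACK_PKTS, BAD_SWITCHES, DDOS_LIBRARY))
    print(triage(STORM_PKTS, GOOD_SWITCHES, DDOS_LIBRARY))
```

One caveat on the TTL signature before relying on the threshold in `ttl_storm_ratio`: the IP TTL is decremented by routers, not by layer-2 forwarding, so in a pure layer-2 loop the circulating frames keep their original TTL. Whether looping service packets really arrive with TTL 1 or 0 depends on how the ring switches handle the packets, and the threshold should be validated against the specific ring protocol and switches in use.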
With reference to Fig. 2, a device for judging a ring network Master configuration error based on ring network storm traffic characteristics comprises a judging unit and a determining unit. The judging unit judges whether the protocol of the surging packets is related to the service and whether the checksum and sequence information are normal, and judges from that result whether a ring network Master configuration error has occurred; the determining unit determines the ring network Master configuration error according to the judging unit's result. The judging unit makes its judgment from the characteristics of all traffic data collected after the ring network storm.
Further, when the judging unit judges whether the protocol of the surging packets is related to the service and whether the checksum and sequence information are normal: if the protocol type is related to the service but the checksum and sequence information are abnormal, the fingerprint features of the relevant packets are extracted and it is judged whether they match packet features in the distributed denial of service (DDoS) attack library; if the protocol type is related to the service and the checksum and sequence information are normal, the TTL values of the packets are obtained and it is judged whether a large number of packets have a TTL of 1 or 0.
Further, obtaining the TTL values of the packets comprises parsing the surging normal service packets to obtain their TTL values; classifying the packets by TTL value; and counting the number of packets in each TTL class.
Further, judging whether a large number of packets have a TTL of 1 or 0 comprises: if they do, collecting the configuration and real-time state information of each switch through SNMP, the judging unit then judging whether the ring network Master configuration of each switch is abnormal; if a large number of packets do not have a TTL of 1 or 0, judging whether the packets match packet features in the DDoS attack library.
Further, extracting the fingerprint features of the relevant packets comprises parsing the surging packets and computing their fingerprint features.
Further, judging whether the packets match packet features in the DDoS attack library comprises: if they match, performing network attack alarm processing; if they do not match DDoS attack features, collecting the configuration and real-time state information of each switch through SNMP, the judging unit then judging whether the ring network Master configuration of each switch is abnormal.
Further, the judging unit judges whether the ring network Master configuration of each switch is abnormal, and when it is, the determining unit confirms that the switch ring network Master configuration is abnormal and reports the position of the misconfigured switch.
The technical solution of the invention is further explained below with reference to specific embodiments.
The ring network storm cause judgment process is triggered after a ring network storm occurs in the railway train control system network. Fig. 3 shows the flowchart of the ring network storm traceability analysis: the cause of the storm is obtained by analysing network traffic characteristics, device logs, configuration files and similar information. The process is divided into six stages: a preprocessing stage, a switch short-circuit analysis stage, a ring network Master configuration error analysis stage, a network attack analysis stage, a device fault analysis stage and an unknown cause handling stage. The steps of each stage are described in turn with reference to Fig. 3.
First stage: preprocessing stage
This stage is triggered automatically when a ring network storm occurs in the rail train control system network, and mainly collects, parses and processes the network traffic after the storm. The specific steps are as follows:
Step S1001: obtain all traffic data after the ring network storm
Specifically, traffic is collected by traffic acquisition devices attached as bypass mirrors at each switch node in the network, so that all traffic of the whole network after the storm occurs is obtained and serves as the data basis for further analysis.
Step S1002: obtain the packet type and parse the packets by type
Specifically, the packets collected in step S1001 are preprocessed: the protocol type of each packet is obtained from its protocol field, the packets are classified by protocol type, and the classified data is stored to await the next processing step.
Second stage, switch short-circuit analysis stage
This stage determines whether a switch is short-circuit connected by analysing the traffic characteristics of the messages collected and classified in the preprocessing stage, combined with LLDP configuration file information. The specific steps are as follows:
Step S1101, determine whether ARP messages have increased rapidly
Specifically, the number of messages of each type classified in the preprocessing stage is obtained, and it is determined whether the number of ARP messages in the network has increased abnormally. After a switch short-circuit connection occurs, ARP request messages in the ring network increase rapidly, far exceeding the normal number of ARP messages in the network, so a rapid increase in ARP messages can serve as an important indicator for judging a switch short-circuit connection. When the ARP messages in the network show no significant change, the ring network Master configuration error analysis stage is triggered; when analysis shows that the ARP messages in the network have increased rapidly, the next step is performed to further determine whether a switch short-circuit connection has occurred.
Step S1102, acquire and parse the LLDP configuration file information maintained in each switch
Specifically, network acquisition devices deployed at each key node collect LLDP (Link Layer Discovery Protocol) data messages from the rail transit network switches. LLDP is a vendor-independent layer 2 protocol that allows a network device to announce its own identity and capabilities within the local subnet; it can send information such as the device's main capabilities, management address, device identifier and interface identifier to other devices in the same local area network, thereby providing a standard link layer discovery mechanism. The neighbor node information of each switch port can be obtained from the LLDP configuration file information.
Step S1103, determine whether the neighbor node of some port of a switch is the switch itself and the two ports are in the same VLAN
Specifically, the neighbor node information of each switch port is determined from the LLDP information of each switch acquired in step S1102. When a switch short-circuit connection occurs, the neighbor node of a certain port of the switch is the switch itself, and the VLAN information of the two ports is the same. Whether a switch is short-circuit connected can therefore be judged from the neighbor node information of each switch port. If the phenomenon described in step S1103 does not occur, the ring network storm was not caused by a switch short-circuit connection, further judgment is needed, and the third stage, the ring network Master configuration error analysis stage, is triggered; if the phenomenon described in step S1103 does occur, the switch is short-circuit connected and the next alarm processing step is performed.
Step S1104, issue a switch short-circuit connection alarm, giving the position of the short-circuit connected switch and the two connected port numbers
Specifically, a switch short-circuit connection alarm is issued according to the switch short-circuit connection phenomenon determined in step S1103. The position of the short-circuit connected switch and the ports on that switch between which the short-circuit connection occurs are given according to the switch to which the LLDP configuration file belongs, so that operation and maintenance personnel can handle them. This completes the analysis of a ring network storm caused by a switch short-circuit connection: the cause of the railway train control system ring network storm has been found and the process ends.
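Steps S1101 to S1104 of the second stage, written out as an added Python example (this is not code from the patent): the ARP surge test over per-protocol counts, then the LLDP check for a port whose announced neighbor is its own switch with both ports in the same VLAN. The record layout, chassis IDs, port names and the surge factor are constructed assumptions.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Step S1101 input: per-protocol message counts from the preprocessing
# stage, before and after the storm (constructed sample values).
BASELINE_COUNTS = Counter({"ARP": 120, "SERVICE": 4000, "OTHER": 900})
STORM_COUNTS = Counter({"ARP": 58000, "SERVICE": 4100, "OTHER": 950})
ARP_SURGE_FACTOR = 10  # assumption: "far exceeds normal" = at least 10x baseline

# Step S1102 input: LLDP neighbour records as a collector would parse them
# (constructed).  "chassis" is the switch's own chassis ID, "neighbour_chassis"
# the chassis ID announced by the peer seen on that port.
LLDP_RECORDS = [
    {"switch": "SW-A", "chassis": "00:11:22:aa:00:01", "port": "Gi1/0/1", "vlan": 10,
     "neighbour_chassis": "00:11:22:aa:00:02", "neighbour_port": "Gi1/0/2"},
    # SW-A ports 7 and 8 cabled together, both in VLAN 20: the S1103 phenomenon
    {"switch": "SW-A", "chassis": "00:11:22:aa:00:01", "port": "Gi1/0/7", "vlan": 20,
     "neighbour_chassis": "00:11:22:aa:00:01", "neighbour_port": "Gi1/0/8"},
    {"switch": "SW-A", "chassis": "00:11:22:aa:00:01", "port": "Gi1/0/8", "vlan": 20,
     "neighbour_chassis": "00:11:22:aa:00:01", "neighbour_port": "Gi1/0/7"},
    {"switch": "SW-B", "chassis": "00:11:22:aa:00:02", "port": "Gi1/0/2", "vlan": 10,
     "neighbour_chassis": "00:11:22:aa:00:01", "neighbour_port": "Gi1/0/1"},
    # SW-B sees itself on ports 5 and 6, but the VLANs differ: not flagged
    {"switch": "SW-B", "chassis": "00:11:22:aa:00:02", "port": "Gi1/0/5", "vlan": 30,
     "neighbour_chassis": "00:11:22:aa:00:02", "neighbour_port": "Gi1/0/6"},
    {"switch": "SW-B", "chassis": "00:11:22:aa:00:02", "port": "Gi1/0/6", "vlan": 40,
     "neighbour_chassis": "00:11:22:aa:00:02", "neighbour_port": "Gi1/0/5"},
]


def arp_surged(storm: Counter, baseline: Counter, factor: int = ARP_SURGE_FACTOR) -> bool:
    """Step S1101: ARP volume far above the pre-storm baseline."""
    normal = max(baseline.get("ARP", 0), 1)
    return storm.get("ARP", 0) >= factor * normal


def find_short_circuits(records: List[dict]) -> List[Tuple[str, str, str]]:
    """Step S1103: a port whose LLDP neighbour is its own switch, with the
    two ports in the same VLAN.  Returns (switch, port_a, port_b), ports
    sorted so each pair is reported once."""
    vlan_of = {(r["switch"], r["port"]): r["vlan"] for r in records}
    hits = set()
    for r in records:
        if r["neighbour_chassis"] != r["chassis"]:
            continue  # neighbour is another device: a normal ring link
        peer = (r["switch"], r["neighbour_port"])
        if vlan_of.get(peer) == r["vlan"]:
            a, b = sorted((r["port"], r["neighbour_port"]))
            hits.add((r["switch"], a, b))
    return sorted(hits)


def stage2_verdict(storm: Counter, baseline: Counter,
                   records: List[dict]) -> Optional[Dict[str, str]]:
    """Steps S1101 to S1104.  Returns the alarm of step S1104 when a switch
    short-circuit connection is found, or None to hand over to stage 3."""
    if not arp_surged(storm, baseline):
        return None
    loops = find_short_circuits(records)
    if not loops:
        return None
    switch, a, b = loops[0]
    return {"alarm": "switch short-circuit connection",
            "switch": switch, "ports": f"{a} <-> {b}"}


if __name__ == "__main__":
    print(stage2_verdict(STORM_COUNTS, BASELINE_COUNTS, LLDP_RECORDS))
```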
Third stage, ring network Master configuration error analysis stage
This stage analyses whether the ring network storm was caused by a ring network Master configuration error, using the traffic characteristics and the relevant information from the switch configuration files. The specific steps are as follows:
Step S1201, determine whether the protocol type of the surge messages is service-related and whether information such as check codes and time sequence is normal
Specifically, the ring network Master configuration error analysis is triggered after step S1101 or step S1103 is determined as no. When the ring network Master configuration is wrong, the network forms a loop, and a large number of normal service-related messages of the railway train control system network are transmitted around the network repeatedly until their TTL is reduced to 0. This step therefore obtains the number of messages of each protocol type from the preprocessing stage and determines whether the number of messages that are related to the railway train control system network protocols and whose state data, such as check codes and time sequence, is normal has increased significantly. If it has not increased significantly, the fourth stage, the network attack analysis stage, is triggered; if the number of normal messages has increased rapidly, it is further determined whether a ring network Master configuration error has occurred.
Step S1202, obtain the message TTL values
Specifically, the TTL values of the rapidly increased normal service messages are obtained by parsing, the messages are classified according to TTL value, and the number of messages in each class is counted.
Step S1203, determine whether the TTL values of a large number of messages are 1 or 0
Specifically, the message counts classified by TTL value are obtained. Because a large number of messages with TTL values of 1 or 0 appear in the network when a loop is formed, it is determined whether a large number of messages have TTL values of 1 or 0. If not, the fourth stage, the network attack analysis stage, is triggered; if so, it is further determined whether a ring network Master configuration error has occurred.
Step S1204, collect the configuration and real-time status information of each switch through SNMP
Specifically, information such as the configuration and real-time state of each switch is acquired through SNMP, and the ring network protocol configuration is parsed.
Step S1205, determine whether the ring network Master configuration of each switch is abnormal
Specifically, the ring network configuration information of each switch acquired in step S1204 is analysed and compared to determine whether a ring network Master configuration error has occurred. If not, the fifth stage, the equipment fault analysis process, is entered; if so, ring network Master configuration error alarm processing is performed.
Step S1206, issue a switch ring network Master configuration abnormality alarm and give the position of the misconfigured switch
Specifically, since step S1205 has determined that the cause of the ring network storm is a ring network Master configuration error, an alarm is issued in this step and the administrator is notified of the position of the misconfigured switch; the administrator performs further processing and the process ends.
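Steps S1201 to S1206 of the third stage as an added Python example (not code from the patent): normal service messages are classified by TTL value, the share at TTL 1 or 0 decides whether a loop is present, and the ring configuration polled from each switch is audited for a Master error. The message records, the ring configuration table, the 80 % threshold and the rule that each ring has exactly one Master are constructed assumptions.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Step S1201 input: surge messages as the preprocessing stage would parse
# them (constructed).  Each record is (protocol, ttl, checksum_ok, seq_ok).
SURGE_MESSAGES: List[Tuple[str, int, bool, bool]] = (
    [("SERVICE", 1, True, True)] * 700
    + [("SERVICE", 0, True, True)] * 250
    + [("SERVICE", 63, True, True)] * 40
    + [("SERVICE", 64, False, True)] * 10   # bad check code: not "normal"
)
SERVICE_PROTOCOLS = {"SERVICE"}
LOOP_TTL_SHARE = 0.8   # assumption: >= 80 % of normal messages at TTL 0 or 1

# Step S1204 input: ring protocol configuration per switch as assembled
# from SNMP polls (constructed).  Assumed correct state: exactly one
# Master per ring; SW-C is a second Master on ring 1.
RING_CONFIG = {
    "SW-A": {"ring": 1, "role": "master"},
    "SW-B": {"ring": 1, "role": "transit"},
    "SW-C": {"ring": 1, "role": "master"},
    "SW-D": {"ring": 1, "role": "transit"},
}


def normal_service_messages(msgs):
    """Step S1201: service-related messages whose check code and
    time-sequence data are normal."""
    return [m for m in msgs if m[0] in SERVICE_PROTOCOLS and m[2] and m[3]]


def ttl_histogram(msgs) -> Counter:
    """Step S1202: classify the normal service messages by TTL value."""
    return Counter(m[1] for m in normal_service_messages(msgs))


def ttl_indicates_loop(msgs, share: float = LOOP_TTL_SHARE) -> bool:
    """Step S1203: a large share of the messages has been forwarded around
    the ring until the TTL reached 1 or 0."""
    hist = ttl_histogram(msgs)
    total = sum(hist.values())
    if total == 0:
        return False
    return (hist[0] + hist[1]) / total >= share


def master_config_errors(config: Dict[str, dict]) -> Dict[int, List[str]]:
    """Step S1205: rings whose Master count is not exactly one, mapped to
    the switches configured as Master on that ring."""
    masters: Dict[int, List[str]] = {}
    for switch, cfg in config.items():
        masters.setdefault(cfg["ring"], [])
        if cfg["role"] == "master":
            masters[cfg["ring"]].append(switch)
    return {ring: sorted(sw) for ring, sw in masters.items() if len(sw) != 1}


def stage3_verdict(msgs, config) -> Dict[str, object]:
    """Steps S1203 to S1206: the Master misconfiguration alarm, or the stage
    the flow continues with (4 = network attack, 5 = equipment fault)."""
    if not ttl_indicates_loop(msgs):
        return {"alarm": None, "next_stage": 4}
    errors = master_config_errors(config)
    if not errors:
        return {"alarm": None, "next_stage": 5}
    return {"alarm": "ring network Master configuration abnormal",
            "switches": sorted(sw for lst in errors.values() for sw in lst),
            "rings": errors}


if __name__ == "__main__":
    print(dict(ttl_histogram(SURGE_MESSAGES)))
    print(stage3_verdict(SURGE_MESSAGES, RING_CONFIG))
```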
Fourth stage, network attack analysis stage
In this stage, a traffic characteristic fingerprint is extracted from the traffic characteristics of the rail transit train control system network after the ring network storm and compared with the message fingerprint characteristics of DDOS attacks in the attack library, to determine whether a network attack has occurred. The specific steps are as follows:
Step S1301, extract the fingerprint characteristics of the relevant messages
Specifically, the surge messages are parsed and their fingerprint characteristics are obtained by a particular algorithm.
Step S1302, determine whether the message characteristics in the DDOS attack library are matched
Specifically, the extracted message characteristics are compared with the fingerprints in the DDOS attack library to determine whether the fingerprint characteristics of the messages match DDOS attack characteristics. If not, step S1204 is triggered for the next judgment; if so, the network is under DDOS attack and the next alarm processing step is entered.
Step S1303, issue an alarm that the network is under DDOS attack
Specifically, this step has determined that the network is under DDOS attack, so an alarm is issued for further processing by the management and operation and maintenance staff, and the process ends.
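Steps S1301 and S1302 as an added Python example (not code from the patent). The fingerprint follows claim 5 below, an MD5 over the message five-tuple and key payload fields; the choice of key fields, the message records, the library contents and the minimum hit count are constructed assumptions.

```python
import hashlib
from collections import Counter
from typing import Dict, List, Tuple

# Payload fields assumed to identify a message pattern (constructed choice).
KEY_FIELDS = ("msg_type", "length")
MIN_HITS = 100   # assumption: fewer matching messages do not count as a surge


def fingerprint(msg: Dict[str, object]) -> str:
    """Step S1301: MD5 over the five-tuple and the key payload fields."""
    parts = [msg["src_ip"], msg["dst_ip"], str(msg["src_port"]),
             str(msg["dst_port"]), msg["proto"]]
    parts += [f"{k}={msg['payload'].get(k)}" for k in KEY_FIELDS]
    return hashlib.md5("|".join(parts).encode()).hexdigest()


def build_library(patterns: List[Dict[str, object]]) -> Dict[str, str]:
    """Constructed DDOS attack library: fingerprint -> pattern label."""
    return {fingerprint(p): p["label"] for p in patterns}


def match_attack_library(msgs, library: Dict[str, str],
                         min_hits: int = MIN_HITS) -> Dict[str, Tuple[str, int]]:
    """Step S1302: surge fingerprints present in the library, with label and
    count.  An empty result means the DDOS characteristics are not met."""
    counts = Counter(fingerprint(m) for m in msgs)
    return {fp: (library[fp], n) for fp, n in counts.items()
            if fp in library and n >= min_hits}


# Constructed library with one known flood pattern.
LIBRARY_PATTERNS = [
    {"label": "flood-pattern-1", "src_ip": "10.0.0.99", "dst_ip": "10.0.1.5",
     "src_port": 4000, "dst_port": 20000, "proto": "udp",
     "payload": {"msg_type": 1, "length": 8}},
]
ATTACK_LIBRARY = build_library(LIBRARY_PATTERNS)

# Constructed surge: 500 copies of the flood pattern plus 40 legitimate
# service messages; and a benign surge with no library match.
_flood = {k: v for k, v in LIBRARY_PATTERNS[0].items() if k != "label"}
_legit = {"src_ip": "10.0.0.1", "dst_ip": "10.0.1.5", "src_port": 5001,
          "dst_port": 20000, "proto": "udp",
          "payload": {"msg_type": 2, "length": 32}}
SURGE = [_flood] * 500 + [_legit] * 40
BENIGN = [_legit] * 540


if __name__ == "__main__":
    print(match_attack_library(SURGE, ATTACK_LIBRARY))
    print(match_attack_library(BENIGN, ATTACK_LIBRARY))
```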
Fifth stage, equipment fault analysis stage
In this stage, whether the ring network storm was caused by an equipment port fault is judged from the collected switch state information and the switch log alarm information. When a switch port in the network is faulty, it continuously sends messages outward, so the number of messages sent from the faulty port increases rapidly and a ring network storm results. The specific steps are as follows:
Step S1401, obtain the switch log information
Specifically, the log information generated by the switch is collected through syslog and searched for abnormal switch logs.
Step S1402, determine whether a switch port is faulty by combining the switch real-time status information with the log information
Specifically, the switch port real-time state information acquired through SNMP is checked for a sudden increase in the transmit traffic of some port, and the switch log information is checked for a port fault alarm log. If no port fault alarm log appears, the sixth stage, the unknown cause processing and analysis stage, is entered so that the cause of the ring network storm can be further judged with the assistance of an administrator; if one does appear, the ring network storm was caused by an equipment port fault and the next alarm processing step is performed.
Step S1403, issue an equipment fault abnormality alarm and give the position of the faulty switch
Specifically, this step has judged that the ring network storm was caused by an equipment fault; an alarm is issued to the administrator and the position of the faulty switch is given.
Sixth stage, unknown cause processing and analysis stage
This stage is reached when, after the judgments in the stages above, the ring network storm was not produced by any of the above four causes, and a human administrator is required to analyse further to determine the cause of the ring network storm. The specific steps are as follows:
Step S1501, the administrator assists in locating the cause of the ring network storm
Specifically, after the above judgments, the cause of the ring network storm in the railway train control system network could not be obtained by automatic program judgment; it may be a new cause, or may be produced by a combination of multiple causes. At this time the administrator needs to assist in finding the problem to finally determine the cause of the ring network storm.
The method makes as much use as possible of the existing resources of the railway train control system network, and all data acquisition is performed in a bypass, out-of-band manner. The existing network architecture and layout of the train control system network are therefore not affected, the analysis is not affected by the network bandwidth after a ring network storm occurs, and the independence and timeliness of ring network storm source tracing analysis are ensured to the greatest extent.
Finally, it should be noted that although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that modifications may be made to the embodiments or portions thereof without departing from the spirit and scope of the invention.

Claims (13)

1. A looped network Master configuration error judgment method based on looped network storm flow characteristics, characterized by comprising the following steps:
judging whether the surge message protocol is service-related and whether the check code and time sequence information are normal; specifically, if the surge message protocol type is service-related but the check code and time sequence information are abnormal, extracting the relevant message fingerprint characteristics and judging whether they match the message characteristics in a distributed denial of service (DDOS) attack library; if the surge message protocol type is service-related and the check code and time sequence information are normal, acquiring the time-to-live (TTL) values of the messages and judging whether the TTL values of a large number of messages are 1 or 0;
judging whether a looped network Master configuration error has occurred based on the result of judging whether the surge message protocol is service-related and the check code and time sequence information are normal; specifically, judging whether the message characteristics in the DDOS attack library are matched, and if so, performing network attack alarm processing; if the DDOS attack characteristics are not matched, acquiring the configuration and real-time state information of each switch through the Simple Network Management Protocol (SNMP) and judging whether the looped network Master information configuration of each switch is abnormal;
and determining the looped network Master configuration error according to the result of judging whether a looped network Master configuration error has occurred.
2. The method of claim 1, wherein the judgment of whether the surge message protocol is service-related and the check code and time sequence information are normal is obtained based on the characteristics of all traffic data after the network ring network storm.
3. The method of claim 1, wherein obtaining the time-to-live TTL values of the messages comprises:
parsing to acquire the TTL values of the rapidly increased normal service messages;
classifying the messages according to TTL value;
and counting the number of messages in each class classified according to TTL value.
4. The method according to claim 1, wherein, since a small number of messages with TTL values of 1 or 0 exist under normal network conditions and messages with TTL values of 1 or 0 proliferate when a loop forms, the judging whether the TTL values of a large number of messages are 1 or 0 specifically comprises:
if the TTL values of a large number of messages are 1 or 0, acquiring the configuration and real-time state information of each switch through the Simple Network Management Protocol (SNMP) and judging whether the looped network Master information configuration of each switch is abnormal;
if the TTL values of a large number of messages are not 1 or 0, judging whether the message characteristics in the DDOS attack library are matched.
5. The method of claim 1, wherein extracting the fingerprint characteristics of the relevant messages comprises parsing the surge messages, extracting the five-tuple information of the messages and the key field contents of their payloads, and calculating an MD5 value over them to obtain the fingerprint characteristics of the surge messages.
6. The method of claim 1, wherein judging whether the looped network Master information configuration of each switch is abnormal comprises:
if the ring network configuration information of a switch is abnormal, issuing a switch ring network Master configuration abnormality alarm and giving the position of the misconfigured switch;
if the ring network configuration information of each switch is normal, indicating an equipment failure.
7. The method of claim 6, wherein the analysis of the equipment failure comprises:
acquiring the log information of the switch;
judging whether a port of the switch has failed by combining the real-time state information and the log information of the switch;
and issuing an equipment fault abnormality alarm and giving the position of the faulty switch.
8. A looped network Master configuration error judgment device based on looped network storm flow characteristics, characterized in that the device comprises:
a judging unit, used for judging whether the surge message protocol is service-related and whether the check code and time sequence information are normal; specifically, the judging unit judges whether the surge message protocol is service-related and the check code and time sequence information are normal, and if the surge message protocol type is service-related but the check code and time sequence information are abnormal, extracts the relevant message fingerprint characteristics and judges whether they match the message characteristics in a distributed denial of service (DDOS) attack library; if the surge message protocol type is service-related and the check code and time sequence information are normal, acquires the TTL values of the messages and judges whether the TTL values of a large number of messages are 1 or 0; the judging unit further judges whether a looped network Master configuration error has occurred according to the result of judging whether the surge message protocol is service-related and the check code and time sequence information are normal, specifically by judging whether the message characteristics in the DDOS attack library are matched, and if so, performing network attack alarm processing; if the DDOS attack characteristics are not matched, the configuration and real-time state information of each switch is acquired through the Simple Network Management Protocol (SNMP) and the judging unit judges whether the looped network Master information configuration of each switch is abnormal;
and a determining unit, used for determining the looped network Master configuration error according to the result of judging whether a looped network Master configuration error has occurred.
9. The apparatus according to claim 8, wherein the judging unit judges whether the surge message protocol is service-related and the check code and time sequence information are normal based on the characteristics of all traffic data obtained after the network ring network storm.
10. The apparatus of claim 8, wherein obtaining the TTL values of the messages comprises:
parsing to acquire the TTL values of the rapidly increased normal service messages;
classifying the messages according to TTL value;
and counting the number of messages in each class classified according to TTL value.
11. The apparatus of claim 8, wherein judging whether the time-to-live TTL values of a large number of messages are 1 or 0 comprises:
if the TTL values of a large number of messages are 1 or 0, acquiring the configuration and real-time state information of each switch through the Simple Network Management Protocol (SNMP), and the judging unit judging whether the looped network Master information configuration of each switch is abnormal;
and if the TTL values of a large number of messages are not 1 or 0, judging whether the message characteristics in the distributed denial of service (DDOS) attack library are matched.
12. The apparatus according to claim 8 or 11, wherein the judging unit judging whether the looped network Master information configuration of each switch is abnormal comprises:
when the ring network configuration information of a switch is abnormal, the determining unit confirming the switch ring network Master configuration abnormality alarm and giving the position of the misconfigured switch.
13. The apparatus of claim 8, wherein extracting the fingerprint characteristics of the relevant messages comprises parsing the rapidly increased messages and calculating the fingerprint characteristics of the rapidly increased messages.
CN202210392575.7A 2022-04-15 2022-04-15 Looped network Master configuration error judgment method and device based on looped network storm flow characteristics Active CN114500117B (en)

Publications (2)

Publication Number Publication Date
CN114500117A CN114500117A (en) 2022-05-13
CN114500117B true CN114500117B (en) 2022-07-05
