CN115580437A - Flow monitoring method and out-of-band controller - Google Patents


Publication number: CN115580437A
Authority: CN (China)
Prior art keywords: message, bandwidth, bmc, threshold, abnormal
Legal status: Pending
Application number: CN202211127342.0A
Other languages: Chinese (zh)
Inventor: 李瑶
Current Assignee: XFusion Digital Technologies Co Ltd
Original Assignee: XFusion Digital Technologies Co Ltd
Application filed by XFusion Digital Technologies Co Ltd
Priority to CN202211127342.0A
Publication of CN115580437A


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis

Abstract

Embodiments of the application disclose a traffic monitoring method and an out-of-band controller. The method is applied to the out-of-band controller of a computing device and comprises the following steps: in a first period, acquiring unicast messages, multicast messages and broadcast messages, all of which are received through a management network port of the computing device; when it is determined that an abnormal unicast message exists among the unicast messages, discarding the abnormal unicast message; or, when it is determined that an abnormal multicast message and/or broadcast message exists among the multicast messages and broadcast messages, reporting a management network port traffic anomaly. The embodiments make it possible to monitor message traffic on the management network port and to discover malicious network attacks against the management network port in advance, so that the problem can be isolated in advance or reported in time, which in turn avoids the BMC management function becoming unavailable or abnormal.

Description

Flow monitoring method and out-of-band controller
Technical Field
The present application relates to the field of computer technologies, and in particular, to a flow monitoring method and an out-of-band controller.
Background
A server generally includes a baseboard management controller (BMC) management network port, which is mainly used for communicating with upper-layer management software. The BMC management software may take the form of a web program or a desktop application (APP) and may provide various monitoring and management functions, so that the relevant personnel can conveniently learn the operating state of the server and control the server remotely.
Because the bandwidth of the BMC management network port is limited, in an actual usage scenario, if the BMC network port is subjected to a malicious network attack (e.g., a broadcast flooding or multicast flooding attack), severe packet loss may occur on the BMC management network port, and as a result a user may be unable to log in to the BMC management system or to use the management functions (e.g., server reset, power on/off) provided by the BMC.
At present, these problems are dealt with only after they occur (i.e., when the user finds that the BMC management system cannot be logged in to, or that the management functions provided by the BMC cannot be used): the possible causes are analyzed and corresponding adjustments are made to resolve the problem. However, the user may urgently need the management functions at that very moment. How to discover or resolve a malicious network attack on the BMC management network port in advance is therefore a concern for technicians.
Disclosure of Invention
Embodiments of the application disclose a traffic monitoring method and an out-of-band controller that can discover malicious network attacks against a BMC management network port in advance, so that the problem can be isolated in advance or reported in time, which in turn avoids the BMC management function becoming unavailable or abnormal.
A first aspect discloses a traffic monitoring method, which may be applied to an out-of-band controller (e.g., a BMC) of a computing device (e.g., a server), to a module (e.g., a chip) in the out-of-band controller, or to a logic module or software that can implement all or part of the functions of the out-of-band controller; it is described below as applied to the BMC. The traffic monitoring method may comprise the following steps: in a first period, acquiring unicast messages, multicast messages and broadcast messages, wherein the unicast messages, multicast messages and broadcast messages are received through a management network port of the computing device; when it is determined that an abnormal unicast message exists among the unicast messages, discarding the abnormal unicast message; or, when it is determined that an abnormal multicast message and/or broadcast message exists among the multicast messages and broadcast messages, reporting a management network port traffic anomaly.
In the embodiments of the application, the BMC can monitor message traffic on the management network port and can discover malicious network attacks against the BMC management network port in advance. Specifically, the BMC may analyze the unicast, multicast and broadcast messages received in the first period. If the unicast traffic is abnormal (i.e., abnormal unicast messages exist among the unicast messages in the first period), the BMC may perform isolation in advance by discarding the abnormal unicast messages. If the multicast and/or broadcast traffic is abnormal (i.e., abnormal multicast and/or broadcast messages exist among the multicast and broadcast messages in the first period), the BMC may report the management network port traffic anomaly in time and notify the relevant personnel to troubleshoot, thereby avoiding the BMC management function becoming unavailable or abnormal.
As a possible implementation, the method may further include: when a unicast message whose destination media access control (MAC) address is not the MAC address of the out-of-band controller exists among the unicast messages, determining that an abnormal unicast message exists among the unicast messages.
In the embodiments of the application, the BMC can treat any unicast message whose destination MAC address is not the MAC address of the out-of-band controller as an abnormal unicast message, so that abnormal unicast messages can be isolated accurately and the BMC management function can be kept from becoming unavailable or abnormal.
As a possible implementation, before determining that a unicast message whose destination MAC address is not the MAC address of the out-of-band controller exists among the unicast messages, the method may further include: determining that the difference between the data volume of the unicast messages in the first period and a second standard data volume is greater than a fourth threshold.
In this embodiment of the application, the BMC may first determine whether the difference between the data volume of the unicast messages in the first period and the second standard data volume is greater than the fourth threshold, and only when the difference is greater than the fourth threshold determine whether a unicast message whose destination MAC address is not the MAC address of the out-of-band controller exists among the unicast messages, so that processing resources of the BMC can be saved.
As a possible implementation, the method may further include: when it is determined that no abnormal unicast message exists among the unicast messages, updating the second standard data volume to the data volume of the unicast messages in the first period.
In this embodiment of the application, when the difference between the data volume of the unicast messages in the first period and the second standard data volume is greater than the fourth threshold and no abnormal unicast message exists among the unicast messages in the first period, the BMC may update the second standard data volume to the data volume of the unicast messages in the first period, so that a more accurate second standard data volume is obtained and processing resources of the BMC can be saved.
As a possible implementation, the method may further include: when the difference between the maximum bandwidth in the first period and a bandwidth threshold is greater than a sixth threshold, determining that an abnormal multicast message and/or broadcast message exists among the multicast messages and broadcast messages.
In this embodiment of the application, when the difference between the maximum bandwidth in the first period and the bandwidth threshold is greater than the sixth threshold, the BMC cannot process all messages in time, and packet loss on the BMC management network port may result. It may therefore be considered that an abnormal multicast message and/or broadcast message exists among the multicast messages and broadcast messages, and the management network port traffic anomaly may be reported in time and the relevant personnel notified to troubleshoot, thereby avoiding the BMC management function becoming unavailable or abnormal.
As a possible implementation, before determining that the difference between the maximum bandwidth in the first period and the bandwidth threshold is greater than the sixth threshold, the method may further include: determining that the difference between the total data volume of the multicast messages and broadcast messages in the first period and a third standard data volume is greater than a fifth threshold.
In this embodiment of the application, the BMC may first determine whether the difference between the total data volume of the multicast messages and broadcast messages in the first period and the third standard data volume is greater than the fifth threshold, and, if the difference is greater than the fifth threshold, determine whether the difference between the maximum bandwidth in the first period and the bandwidth threshold is greater than the sixth threshold.
As a possible implementation, the method may further include: when it is determined that no abnormal multicast message or broadcast message exists among the multicast messages and broadcast messages, updating the third standard data volume to the total data volume of the multicast messages and broadcast messages in the first period.
In this embodiment of the application, when the difference between the total data volume of the multicast messages and broadcast messages in the first period and the third standard data volume is greater than the fifth threshold and no abnormal multicast message or broadcast message exists among the multicast messages and broadcast messages in the first period, the BMC may update the third standard data volume to the total data volume of the multicast messages and broadcast messages.
As a possible implementation, before determining that an abnormal unicast message exists among the unicast messages, or before determining that an abnormal multicast message and/or broadcast message exists among the multicast messages and broadcast messages, the method may further include: determining that the difference between the total data volume of the unicast messages, multicast messages and broadcast messages in the first period and a first standard data volume is greater than a first threshold.
In this embodiment of the application, the BMC may first determine whether the difference between the total data volume of the unicast messages, multicast messages and broadcast messages in the first period and the first standard data volume is greater than the first threshold, and only if the difference is greater than the first threshold determine whether an abnormal unicast message exists among the unicast messages in the first period and whether an abnormal multicast message and/or broadcast message exists among the multicast messages and broadcast messages in the first period, so that processing resources of the BMC can be saved.
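The tiered checks described above (total-volume gate, unicast destination-MAC scan, multicast/broadcast bandwidth check, baseline updates) can be sketched as follows. This is an added example, not code from the patent; the struct layout, function names and numbers are assumptions, "difference" is assumed to mean observed minus reference, and unicast frames are recognised by the standard Ethernet I/G bit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FRAMES 64   /* all names, sizes and numbers here are assumptions */

struct frame { uint8_t dst_mac[6]; uint32_t len; };   /* one received frame */

struct monitor_state {
    uint8_t  bmc_mac[6];
    uint64_t std_total, thr_total;       /* first standard volume, first threshold   */
    uint64_t std_unicast, thr_unicast;   /* second standard volume, fourth threshold */
    uint64_t std_mcast, thr_mcast;       /* third standard volume, fifth threshold   */
    uint64_t bw_threshold, thr_bw;       /* bandwidth threshold, sixth threshold     */
};

struct period_result { size_t dropped_unicast; bool report_anomaly; };

/* Ethernet: the I/G bit (LSB of the first octet) is set for multicast and broadcast. */
static bool is_unicast(const uint8_t dst[6]) { return (dst[0] & 0x01) == 0; }

/* Assumption: "difference" means observed minus reference, i.e. an increase. */
static bool exceeds(uint64_t observed, uint64_t reference, uint64_t threshold)
{
    return observed > reference && observed - reference > threshold;
}

/* Evaluate one period; drop[i] is set for every frame that should be discarded. */
struct period_result evaluate_period(struct monitor_state *st, const struct frame *frames,
                                     size_t n, uint64_t max_bw, bool *drop)
{
    struct period_result r = { 0, false };
    uint64_t uni = 0, mb = 0;

    for (size_t i = 0; i < n; i++) {
        drop[i] = false;
        if (is_unicast(frames[i].dst_mac)) uni += frames[i].len;
        else                               mb  += frames[i].len;
    }

    /* Gate: skip the per-type work unless the total volume jumped. */
    if (!exceeds(uni + mb, st->std_total, st->thr_total))
        return r;

    /* Unicast: scan destination MACs only when the unicast volume jumped. */
    if (exceeds(uni, st->std_unicast, st->thr_unicast)) {
        for (size_t i = 0; i < n; i++) {
            if (is_unicast(frames[i].dst_mac) &&
                memcmp(frames[i].dst_mac, st->bmc_mac, 6) != 0) {
                drop[i] = true;
                r.dropped_unicast++;
            }
        }
        if (r.dropped_unicast == 0)
            st->std_unicast = uni;       /* benign growth: move the baseline */
    }

    /* Multicast + broadcast: volume check first, then peak bandwidth. */
    if (exceeds(mb, st->std_mcast, st->thr_mcast)) {
        if (exceeds(max_bw, st->bw_threshold, st->thr_bw))
            r.report_anomaly = true;     /* caller reports to management software */
        else
            st->std_mcast = mb;
    }
    return r;
}

/* Constructed period: 1000-byte frames to the BMC, to a foreign unicast MAC, to broadcast. */
struct period_result run_sample(size_t n_own, size_t n_foreign, size_t n_bcast, uint64_t max_bw)
{
    static const uint8_t foreign[6] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x99 };
    static const uint8_t bcast[6]   = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
    struct monitor_state st = {
        .bmc_mac = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 },
        .std_total = 4000, .thr_total = 2000,
        .std_unicast = 3000, .thr_unicast = 2000,
        .std_mcast = 1000, .thr_mcast = 2000,
        .bw_threshold = 8000000, .thr_bw = 500000,
    };
    struct frame frames[MAX_FRAMES];
    bool drop[MAX_FRAMES];
    size_t total = n_own + n_foreign + n_bcast, n = 0;
    for (; n < total && n < MAX_FRAMES; n++) {
        const uint8_t *mac = n < n_own ? st.bmc_mac : n < n_own + n_foreign ? foreign : bcast;
        memcpy(frames[n].dst_mac, mac, 6);
        frames[n].len = 1000;
    }
    return evaluate_period(&st, frames, n, max_bw, drop);
}

int main(void)
{
    struct period_result r = run_sample(3, 5, 1, 1000000);
    printf("dropped=%zu report=%d\n", r.dropped_unicast, r.report_anomaly);
    return 0;
}
```

With three frames to the BMC, one foreign unicast frame and one broadcast frame, the total stays under the gate and the foreign frame is not discarded: the saving in BMC processing is paid for with blindness to low-rate stray traffic.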
As a possible implementation, the method may further include: acquiring the maximum bandwidth in each of a plurality of first periods; when the difference between the maximum bandwidth in a first period and a first standard bandwidth is greater than a second threshold and packet loss occurs on the management network port in that first period, adding the maximum bandwidth of that first period to a bandwidth array to obtain a first bandwidth array; removing second bandwidth values from the first bandwidth array to obtain a second bandwidth array, wherein the difference between the maximum bandwidth value in the first bandwidth array and a second bandwidth value is greater than a third threshold; and taking a first ratio of the minimum bandwidth value in the second bandwidth array as the bandwidth threshold, wherein the first ratio is greater than 0 and less than 1.
In this embodiment of the application, the BMC may store the maximum bandwidth value of each period in which packet loss occurred in the bandwidth array, eliminate the bandwidth values (i.e., the second bandwidth values) for which the packet loss was not caused by excessive message traffic, and then take the first ratio of the minimum of the remaining bandwidth values in the bandwidth array as the bandwidth threshold. A more accurate bandwidth threshold is thereby obtained, which makes it possible to report a management network port traffic anomaly in time, before the management network port traffic reaches the bandwidth threshold, and thus to avoid the BMC management function becoming unavailable or abnormal.
As a possible implementation, the method may further include: when the difference between the maximum bandwidth in the first period and the first standard bandwidth is greater than the second threshold and no packet loss occurs on the management network port in the first period, updating the first standard bandwidth to the maximum bandwidth in the first period.
In this embodiment of the application, when the difference between the maximum bandwidth in the first period and the first standard bandwidth is greater than the second threshold and no packet loss occurs on the management network port in the first period, the BMC may update the first standard bandwidth to the maximum bandwidth in the first period, so that a more accurate first standard bandwidth is obtained and processing resources of the BMC can be saved.
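The bandwidth-threshold derivation described above, as an added example that is not code from the patent. The names, the per-mille encoding of the first ratio and the sample measurements are assumptions, and "difference" is again assumed to mean observed minus reference.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_SAMPLES 32   /* all names, sizes and numbers here are assumptions */

struct period_sample { uint64_t max_bw; bool packet_loss; };   /* bandwidth in bit/s */

struct bw_learner {
    uint64_t std_bw;                 /* first standard bandwidth */
    uint64_t thr_jump;               /* second threshold */
    uint64_t thr_outlier;            /* third threshold */
    uint32_t ratio_permille;         /* first ratio in 1/1000, valid range 1..999 */
    uint64_t loss_bw[MAX_SAMPLES];   /* first bandwidth array */
    size_t   count;
};

struct learn_result { uint64_t threshold; uint64_t std_bw; };

/* Feed the peak bandwidth and packet-loss flag of one period into the learner. */
void learner_observe(struct bw_learner *l, struct period_sample s)
{
    if (s.max_bw <= l->std_bw || s.max_bw - l->std_bw <= l->thr_jump)
        return;                               /* no significant jump over the baseline */
    if (!s.packet_loss)
        l->std_bw = s.max_bw;                 /* port coped: raise the baseline */
    else if (l->count < MAX_SAMPLES)
        l->loss_bw[l->count++] = s.max_bw;    /* loss at a high peak: record it */
}

/* Returns the bandwidth threshold, or 0 if nothing usable has been learned yet. */
uint64_t learner_threshold(const struct bw_learner *l)
{
    if (l->count == 0 || l->ratio_permille == 0 || l->ratio_permille >= 1000)
        return 0;

    uint64_t max = 0;
    for (size_t i = 0; i < l->count; i++)
        if (l->loss_bw[i] > max)
            max = l->loss_bw[i];

    /* Second bandwidth array: ignore values far below the maximum, where the
     * loss was probably not caused by traffic volume. The maximum itself
     * always survives, so min is well defined. */
    uint64_t min = max;
    for (size_t i = 0; i < l->count; i++) {
        uint64_t v = l->loss_bw[i];
        if (max - v > l->thr_outlier)
            continue;
        if (v < min)
            min = v;
    }
    /* min * ratio / 1000, split so the product cannot overflow 64 bits. */
    return min / 1000 * l->ratio_permille + min % 1000 * l->ratio_permille / 1000;
}

/* Constructed measurements for seven periods. */
struct learn_result learn_from_sample(void)
{
    static const struct period_sample periods[] = {
        {  2500000, false },   /* below the jump threshold: ignored        */
        {  5000000, false },   /* big jump, no loss: baseline becomes 5 M  */
        {  9500000, true  },
        {  9000000, true  },
        {  6200000, true  },   /* loss at a modest peak: filtered later    */
        { 10000000, true  },
        {  5500000, true  },   /* loss, but no jump over the new baseline  */
    };
    struct bw_learner l = { .std_bw = 2000000, .thr_jump = 1000000,
                            .thr_outlier = 3000000, .ratio_permille = 800 };

    for (size_t i = 0; i < sizeof periods / sizeof periods[0]; i++)
        learner_observe(&l, periods[i]);

    struct learn_result r = { learner_threshold(&l), l.std_bw };
    return r;
}

int main(void)
{
    struct learn_result r = learn_from_sample();
    printf("threshold=%llu bit/s, standard=%llu bit/s\n",
           (unsigned long long)r.threshold, (unsigned long long)r.std_bw);
    return 0;
}
```

In the constructed data the 6.2 Mbit/s sample lies more than the third threshold below the 10 Mbit/s maximum and is removed, so the threshold is 0.8 of the remaining minimum (9 Mbit/s) rather than 0.8 of 6.2 Mbit/s.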
A second aspect discloses an out-of-band controller comprising a processor, a memory, and a communication interface for receiving information from and outputting information to an electronic device other than the out-of-band controller, the processor invoking a computer program stored in the memory to implement the method of any of claims 1-10.
A third aspect discloses a computing device (e.g. a server) comprising an out-of-band controller as disclosed in the second aspect above.
A fourth aspect discloses a computer-readable storage medium having stored thereon a computer program or computer instructions which, when executed, implement the flow monitoring method as disclosed in the above aspects.
A fifth aspect discloses a chip comprising a processor for executing a program stored in a memory, which program, when executed, causes the chip to perform the traffic monitoring method disclosed in the above aspects.
As a possible implementation, the memory is located off-chip.
A sixth aspect discloses a computer program product comprising computer program code which, when executed, causes the flow monitoring method disclosed in the above aspects to be performed.
It is to be understood that the out-of-band controller provided in the second aspect, the computing device provided in the third aspect, the computer-readable storage medium provided in the fourth aspect, the chip provided in the fifth aspect, and the computer program product provided in the sixth aspect are all configured to execute the flow monitoring method provided in any one of the first aspect and any one of the possible implementations of the first aspect of the present application. Therefore, the beneficial effects achieved by the method can refer to the beneficial effects in the corresponding method, and are not described herein again.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings used in the description of the embodiments will be briefly described below, and it is obvious that the drawings in the description below are only some embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive labor.
FIG. 1 is a schematic diagram of a system architecture disclosed in an embodiment of the present application;
FIG. 2 is a schematic diagram of another system architecture disclosed in an embodiment of the present application;
FIG. 3 is a schematic flow chart of a solution disclosed in an embodiment of the present application;
FIG. 4 is a schematic flow chart illustrating a method for determining a bandwidth threshold according to an embodiment of the present disclosure;
FIG. 5 is a schematic flowchart of a flow monitoring method disclosed in an embodiment of the present application.
Detailed Description
Embodiments of the application disclose a traffic monitoring method and an out-of-band controller that can discover malicious network attacks against a BMC management network port in advance, so that the problem can be isolated in advance or reported in time, which in turn avoids the BMC management function becoming unavailable or abnormal. The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
For better understanding of the embodiments of the present application, a description will be given below of a system architecture used in the embodiments of the present application.
Referring to FIG. 1, FIG. 1 is a schematic diagram of a system architecture according to an embodiment of the present disclosure. As shown in FIG. 1, the system architecture may be that of a server 100, and the server 100 may include an out-of-band controller 101. The server 100 may also include a processor 102, a memory 103, and the like. The server 100 is an electronic device having data processing, data transceiving and data storage capabilities. The server 100 may be a file server, a database server, a mail server, a web server, a multimedia server, a communication server, a terminal server, an infrastructure server, or the like. In some embodiments, the server may be a tower, rack or blade server, or the like. The server 100 is not limited to an X86 architecture, a reduced instruction set computer (RISC) architecture, an advanced reduced instruction set machine (ARM) architecture, or the like.
The out-of-band controller is an out-of-band processor independent of the central processing unit (CPU). The out-of-band controller may include a monitoring management unit outside the computer device, a management system in a management chip outside the processor, a baseboard management controller (BMC) of the computer device, a system management module (SMM), and the like.
The out-of-band controller 101 is mainly used to perform component management, asset management, and the like for the server 100, and supports remote management (such as server reset, power on/off, and the like) through a management network port. For example, the out-of-band controller 101 may monitor the status (e.g., humidity, temperature, voltage, current) of each hardware device in the server 100 and, according to a preset policy, perform corresponding operations (e.g., power-on/power-off control, fan speed regulation) based on that status, so as to keep the server 100 in a healthy state. In addition, when the out-of-band controller 101 detects that the server 100 is abnormal (for example, the CPU temperature is too high), it may report related information (for example, the abnormal device, the time at which the abnormality occurred, a description of the abnormality, a handling suggestion) to the upper-layer management software through the Simple Network Management Protocol (SNMP), the Simple Mail Transfer Protocol (SMTP), the Redfish protocol, and the like, so that the relevant personnel can handle it in time and the impact on the service is reduced.
In this embodiment, the BMC is taken as an example of the out-of-band controller. The BMC 101 may monitor network traffic on the management network port in real time and analyze the received unicast, multicast and broadcast messages. If the unicast traffic is abnormal, the BMC 101 may isolate unicast messages whose destination media access control (MAC) address is not the MAC address of the BMC; if the multicast and broadcast traffic is abnormal, the BMC 101 may report the management network port traffic anomaly to the upper-layer management software to notify the relevant personnel to troubleshoot. Malicious network attacks against the BMC management network port can thus be discovered in advance, so that the problem can be isolated or reported in advance, which in turn avoids the BMC management function becoming unavailable or abnormal. For the structure of the BMC 101, reference may be made to FIG. 2 below, and for the specific implementation of network traffic monitoring by the BMC 101, reference may be made to the method embodiment shown in FIG. 5 below; these are not described again here.
It is understood that the BMC 101 can be a chip integrated on the motherboard of the server 100.
The processor 102 may be a general purpose processor, a microprocessor, an application specific integrated circuit, a field programmable gate array, or any combination thereof. In some embodiments, the processor may be a Central Processing Unit (CPU).
The memory 103 may include, but is not limited to, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), a compact disc read-only memory (CD-ROM), or the like. In some embodiments, the memory may be a solid state disk or a mechanical hard disk.
It should be understood that the server 100 is not limited to only including the BMC 101, the processor 102, and the memory 103 shown in fig. 1, and the server 100 may further include a Basic Input Output System (BIOS), a memory, a network card, a power supply, and the like. The BIOS stores programs for basic input and output, including a post-power-on self-test program and a system self-boot program, and may provide the bottommost and most direct hardware setting and control for the server 100.
It should be noted that the system architecture shown in fig. 1 is only an exemplary one, and is not limited thereto. In other embodiments of the present application, the system architecture shown in FIG. 1 may include more or fewer devices than those shown, and is not limited to including only the BMC 101, the processor 102, and the memory 103 shown in FIG. 1.
Referring to fig. 2, fig. 2 is a schematic diagram of another system architecture disclosed in the embodiment of the present application. As shown in fig. 2, the system architecture may be that of the BMC 101, and the BMC 101 may include a processor 1011, a communication interface 1012 and a memory 1013. Processor 1011, communication interface 1012, and memory 1013 may be coupled to one another.
The memory 1013 is used to store computer programs (instructions) of the BMC 101, such as an operating system (OS) of the BMC 101. In addition, the memory 1013 may store a network traffic monitoring and analysis program for the BMC management network port, and the processor 1011 may read the program stored in the memory 1013 and execute the operations performed by the BMC in the method embodiments shown in FIG. 4 and FIG. 5; see the description below, which is not repeated here. The memory 1013 may include, but is not limited to, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), a compact disc read-only memory (CD-ROM), and the like.
The processor 1011 may be a CPU, graphics Processing Unit (GPU), complex programmable logic device, general purpose processor, digital signal processor, application specific integrated circuit, field programmable gate array or other programmable logic device, transistor logic device, hardware component, or any combination thereof. A processor may also be a combination of computing functions, e.g., a combination of one or more microprocessors, a digital signal processor and a microprocessor, or the like.
Communication interface 1012 is used to receive information from and output information to other electronic devices outside of BMC 101.
It should be understood that the BMC 101 may use an embedded system, such as a Linux system or the like. BMC 101 may employ a layered architecture that may include, but is not limited to, an application layer, a system layer, a driver layer, and a hardware layer, among others.
It should be noted that the BMC 101 shown in fig. 2 is only one implementation manner of the embodiment of the present application, and in practical applications, the BMC 101 may further include more or less components, which is not limited herein.
For a better understanding of the embodiments of the present application, the terms and related technologies involved in the embodiments are described below.
Bandwidth (i.e., network bandwidth) refers to the amount of data that can be transmitted or received in a unit of time (typically 1 second), and the unit of bandwidth may be bits/second (bit/s), which may also be written as bps (bit per second).
Unicast is a one-to-one communication method, and may include one sender and one receiver. In computer network transmission, the unicast message usually includes the address of the receiver (e.g. the Internet Protocol (IP) address, MAC address of the receiver).
Multicast is a one-to-many communication method, and may include one sender and multiple receivers. In the transmission of computer networks, the messages of multicast communication usually include a multicast address, which generally corresponds to a plurality of receivers.
Broadcast is one way to send information to all devices in the broadcast domain. A broadcast may send a packet to each host in a broadcast domain regardless of whether the hosts wish to receive the packet.
It will be appreciated that the server typically includes at least a BMC management portal for communicating primarily with upper level management software (i.e., BMC out-of-band management software or management system) and a service portal. The BMC out-of-band management software may be presented in a web program or a desktop Application (APP), and may provide various monitoring and management functions, so that relevant persons may conveniently know the operating state of the server and perform remote control on the server, and the like. It should be understood that a traffic portal may also be referred to as a shared portal. In some embodiments, the BMC management portal of the server and the service portal may be the same portal.
Because the bandwidth of the BMC management portal is limited, in an actual usage scenario, if the BMC portal is attacked by a malicious network (e.g., broadcast flooding or multicast flooding attack), a serious packet loss phenomenon may occur in the BMC management portal, and further, a user may not log in the BMC management system or may not use a related management function (e.g., server reset, power on/off, etc.) provided by the BMC. After a problem occurs, related personnel need to sequentially investigate possible factors such as the BMC, the switch and the like of the server, analyze possible reasons of the problem, then perform corresponding adjustment, observe whether the problem is solved, if not, need to continuously position the possible reasons of the problem, then perform adjustment, and then continuously observe whether the problem is solved.
Specifically, please refer to fig. 3, fig. 3 is a schematic flow chart of a solution disclosed in the embodiment of the present application. As shown in fig. 3, the entire solution may include three steps of problem identification, problem analysis, and problem resolution. Firstly, when a user finds that the ping test packet is lost, the user cannot log in the BMC management system or the BMC management function is abnormal, the user can determine that a relevant problem (such as malicious network attack suffered by a BMC management network port) occurs. After that, the relevant personnel can analyze the possible reasons of the problems step by step and adjust accordingly. For example, packet capturing may be performed on the switch of the machine room first, and the captured packet may be analyzed, at this time, the current packet amount may be compared with the normal packet amount, so as to determine whether the current packet amount is too large. If the current message volume is too large, different types of messages (namely unicast, multicast and broadcast messages) can be analyzed respectively, when the abnormal unicast, multicast or broadcast messages are analyzed, the abnormal messages can be isolated on the switch, the networking configuration of the server can be modified, and then whether the problem is solved can be observed. If the problem is not solved or the current message volume is normal, conventional troubleshooting can be continuously carried out, hardware equipment can be debugged or cross validation and the like can be carried out, if the hardware equipment is found to be abnormal, the abnormal problem of the hardware equipment can be solved firstly, and then whether the problem is solved or not can be continuously observed. 
If the problem is not solved, or the hardware device is not abnormal, the switch can be checked next: it can be determined whether the BMC messages are sent normally and whether the VLAN (virtual local area network) setting of the switch is correct. If it is determined that the switch side has a problem, the configuration of the switch can be modified, and it can then again be observed whether the problem is solved. If the problem is not solved, or there is no problem on the switch side, the other causes that may have led to the problem can be investigated in turn and adjustments made until the problem is solved.
Therefore, in the above process, the possible causes are analyzed only after the problem has occurred (i.e., when the user finds that the BMC management system cannot be logged in to or that the related management functions provided by the BMC cannot be used), and the problem is then solved by making the corresponding adjustments, which is time-consuming. Moreover, if the problem is caused by a server networking problem or a malicious network attack, the user experience is poor, and the problem may be taken for a quality problem of the server product. Meanwhile, for packet loss at the BMC management network port caused by a malicious network attack, packet capture analysis generally needs to be performed on a switch in the machine room, and most machine rooms are far away, so packet capture is inconvenient and the time needed to handle the problem is prolonged. In addition, in some cases, a user may urgently need to control the server through the BMC management software, for example to update the firmware of a solid state disk in the server in order to solve a problem in which the solid state disk cannot correctly read and write data.
In order to solve the above problem, an embodiment of the present application provides a traffic monitoring method. The method includes: monitoring the message traffic of the management network port and analyzing the received unicast, multicast and broadcast messages; if the traffic of the unicast messages is abnormal, isolating the unicast messages whose destination MAC address is not the MAC address of the BMC; and if the traffic of the multicast and broadcast messages is abnormal, the BMC 101 can report the abnormal traffic of the management network port to upper-layer management software and notify the relevant personnel to troubleshoot. With this method, malicious network attacks aimed at the BMC management network port can be discovered in advance, so that isolation or problem reporting can be carried out in advance, and unavailability or abnormality of the BMC management functions can be avoided.
It is understood that a BMC management network port typically has a rated maximum bandwidth (i.e., the bandwidth declared by the BMC chip manufacturer). However, in actual operation, because the BMC needs to handle tasks such as hardware management and monitoring of the server in addition to message processing, the computing or processing resources of the BMC cannot all be used for message processing, so the BMC management network port cannot reach its rated maximum bandwidth. For example, the rated bandwidth of the BMC management network port may be 1 Gbps, but in actual operation, since the BMC needs to handle other management and monitoring tasks, the BMC management network port can actually reach at most 200 Mbps, that is, it can only process 200 Mbps of message traffic. When the traffic of the management network port is greater than 200 Mbps, the BMC may not process all messages in time, and packet loss may occur, so that a user may be unable to log in to the BMC management system or to use the related management functions provided by the BMC.
In this embodiment of the application, the BMC may monitor the traffic and the packet loss of the BMC management network port, record the maximum bandwidth in each acquisition period in which packet loss occurs, then screen the maximum bandwidths collected over the different packet-loss periods and remove those for which the packet loss was not caused by an excessive data amount, and then determine a certain ratio of the minimum of the screened bandwidths as the bandwidth threshold, such as 90%, 85%, or 80% of that minimum bandwidth. This bandwidth threshold may be taken as the maximum bandwidth that the BMC management network port can actually reach. Based on the bandwidth threshold, before the management network port traffic reaches the bandwidth threshold, the BMC can report the abnormal management network port traffic to upper-layer management software in advance and notify the relevant personnel to troubleshoot, so that unavailability or abnormality of the BMC management functions can be avoided.
The process of determining the bandwidth threshold is described below. Referring to fig. 4, fig. 4 is a schematic flowchart illustrating a process of determining a bandwidth threshold according to an embodiment of the present disclosure. As shown in fig. 4, the method for determining the bandwidth threshold may include, but is not limited to, the following steps:
401. The BMC collects the received messages according to the acquisition period, and counts the maximum bandwidth and the total message data volume in the current acquisition period.
Specifically, the BMC may continuously collect the messages received by the BMC management network port and, taking a fixed acquisition period as the unit, compute statistics over them to obtain the maximum bandwidth and the total message data volume in the current acquisition period (i.e., the first period). In some embodiments, the acquisition period may be 3 minutes, 5 minutes, 10 minutes, and the like. The acquisition period may also be obtained through testing according to actual conditions, or set according to the rated maximum bandwidth of the management network port, which is not limited herein.
It should be understood that the messages received by the BMC management network port may include unicast messages, multicast messages, and broadcast messages.
For a better understanding of the present embodiment, the following example uses an acquisition period of 5 minutes. When the acquisition period is 5 minutes, the BMC may continuously collect the messages received within 5 minutes of the initial acquisition time, and during this collection the BMC may determine the maximum bandwidth within the 5 minutes. For example, if the bandwidth at 2 minutes 20 seconds into the 5 minutes is 150 Mbit/s, which is greater than the bandwidth at any other time in the 5 minutes, the BMC may determine 150 Mbit/s as the maximum bandwidth in the current 5 minutes. When the 5 minutes end, the BMC may count the total data volume of the messages received in the current 5 minutes. The BMC can then go on to count the maximum bandwidth and the total message data volume in the next five minutes. It is understood that the BMC may repeat step 401 in each acquisition period. The initial acquisition time may be the time at which the BMC or the server is powered on.
402. The BMC determines whether the difference between the total message data volume in the current acquisition period and the first standard data volume is greater than a first threshold, executes step 403 if the difference is greater than the first threshold, and executes step 401 if the difference is less than or equal to the first threshold.
Specifically, the first standard data volume may be the maximum total message data volume that the management network port can reach in one acquisition period under normal conditions (that is, when the management network port is not under attack). Therefore, if the BMC determines that the difference between the total message data volume in the current acquisition period and the first standard data volume is less than or equal to the first threshold, it may be considered that the difference between the maximum bandwidth in the current acquisition period and the first standard bandwidth is also less than or equal to the second threshold; the BMC may therefore skip step 403, wait for the next acquisition period, and count the maximum bandwidth and the total message data volume in the next acquisition period, that is, execute step 401. If the BMC determines that the difference between the total message data volume in the current acquisition period and the first standard data volume is greater than the first threshold, it cannot be determined whether the difference between the maximum bandwidth in the current acquisition period and the first standard bandwidth is less than or equal to the second threshold, and therefore the BMC may perform step 403.
It can be understood that a reasonable initial value may be set for the first standard data amount, and then the value of the first standard data amount may be updated according to an actual situation (that is, updated when each acquisition cycle meets a specific condition), and as the number of updates increases, the first standard data amount may approach to a maximum total data amount of the message that the BMC management port may reach in one acquisition cycle under a normal situation. The initial value of the first standard data amount may be set according to a rated maximum bandwidth of the BMC management port. In some embodiments, the initial value of the first standard data amount may be set as the total data amount of the message in the first collection period.
The first threshold is an integer greater than 0 and may be set according to the actual situation; in some embodiments, the first threshold may be set to 3-5 megabytes (MB). It can be understood that the smaller the first threshold, the more easily the difference between the total message data volume in an acquisition period and the first standard data volume exceeds it, so the bandwidth threshold and the first standard bandwidth are updated at a finer granularity. Conversely, the larger the first threshold, the less easily that difference exceeds it, which saves processing resources of the BMC.
In some embodiments, the BMC may perform step 403 directly without performing step 402. Accordingly, in step 401, the BMC may not count the total data amount of the packet in the current acquisition period, but only needs to count the maximum bandwidth in the current acquisition period.
403. The BMC determines whether the difference between the maximum bandwidth in the current acquisition period and the first standard bandwidth is greater than a second threshold, executes step 404 if it is determined that the difference is greater than the second threshold, and executes step 401 if it is determined that the difference is less than or equal to the second threshold.
Specifically, the first standard bandwidth may be a maximum bandwidth at which the BMC management network port does not generate packet loss. Therefore, if the BMC determines that the difference between the maximum bandwidth in the current acquisition period and the first standard bandwidth is smaller than or equal to the second threshold, it may be considered that packet loss does not occur in the BMC management portal in the current acquisition period, and at this time, the first standard bandwidth does not need to be updated, and accordingly, the BMC may not need to execute step 404, may directly wait for the next acquisition period, and may count the maximum bandwidth and the total data amount of the packet in the next acquisition period, that is, execute step 401. If the BMC determines that the difference between the maximum bandwidth in the current acquisition period and the first standard bandwidth is greater than the second threshold, it may be determined that packet loss may exist at the BMC management portal in the current acquisition period, and therefore the BMC may perform step 404.
It can be understood that a reasonable initial value may be set for the first standard bandwidth, and its value may then be updated according to the actual situation (that is, updated whenever an acquisition period meets a specific condition); as the number of updates increases, the first standard bandwidth approaches the maximum bandwidth at which, under normal conditions, the BMC management network port does not lose packets. The initial value of the first standard bandwidth may be set according to the rated maximum bandwidth of the BMC management port.
The second threshold is an integer greater than 0 and may be set according to the actual situation; in some embodiments, the second threshold may be set to 3-5 Mbps. It can be understood that the smaller the second threshold, the more easily the difference between the maximum bandwidth in an acquisition period and the first standard bandwidth exceeds it, so the bandwidth threshold and the first standard bandwidth are updated at a finer granularity. Conversely, the larger the second threshold, the less easily that difference exceeds it, which saves processing resources of the BMC.
404. The BMC determines whether packet loss occurs in the current acquisition period, executes step 405 if packet loss does not occur, and executes step 406 if packet loss occurs.
Specifically, the BMC may determine through the network card whether packet loss occurred at the BMC management port in the current acquisition period. If no packet loss occurred, the BMC is able to process message traffic less than or equal to the maximum bandwidth in the current acquisition period, and the BMC may execute step 405. If packet loss occurred, the BMC is unable to process message traffic greater than or equal to the maximum bandwidth in the current acquisition period, and the BMC may execute step 406.
405. The BMC updates the first standard bandwidth to the maximum bandwidth in the current acquisition period.
Because the first standard bandwidth may be a maximum bandwidth at which the BMC management network port does not generate packet loss, when the BMC determines that packet loss does not occur in the current acquisition period, the first standard bandwidth may be updated to the maximum bandwidth in the current acquisition period.
406. The BMC adds the maximum bandwidth in the current acquisition period to the bandwidth array.
When the BMC determines that packet loss occurred at the BMC management network port in the current acquisition period, it adds the maximum bandwidth in the current acquisition period to the bandwidth array.
407. The BMC determines whether the number of times packet loss has occurred is greater than N; if so, it performs step 408, and if not, it performs step 401.
Packet loss at the BMC management network port is not necessarily caused by excessive message traffic; it may have other causes, for example messages that cannot be identified. The BMC therefore needs to remove from the bandwidth array those bandwidth values whose packet loss was not caused by excessive message traffic. In the embodiment of the present application, this is done as follows: the maximum value in the bandwidth array is compared with each of the other bandwidth values, and if the difference between the maximum value and a given bandwidth value is greater than a third threshold, that bandwidth value is determined not to correspond to packet loss caused by excessive message traffic and may be deleted from the bandwidth array (see step 410 below). Screening is therefore impossible if the bandwidth array holds only one value; at least two values are needed in order to screen out the non-conforming bandwidth values. Thus, N may be an integer greater than or equal to 2, for example, N may be 5. The third threshold may be set according to the actual situation and is not limited herein. In one embodiment, the third threshold may be 10 Mbps.
Specifically, the BMC may record, for each acquisition period, whether packet loss occurred at the BMC management network port. If packet loss occurred in N acquisition periods before the current acquisition period, the BMC may determine that the number of packet-loss occurrences is greater than N and may execute step 408; otherwise, it may determine that the number of packet-loss occurrences is less than or equal to N, wait for the next acquisition period, and count the maximum bandwidth and the total message data volume in the next acquisition period, that is, execute step 401.
408. The BMC determines whether the bandwidth array holds M values; if it does, the BMC performs step 409, and if it does not, the BMC performs step 410.
As more acquisition periods elapse, more data accumulates in the bandwidth array. To avoid storing too much data in the bandwidth array and occupying too much storage space, the BMC may set an upper storage limit for the bandwidth array; when the data stored in the bandwidth array exceeds the upper storage limit (that is, when the bandwidth array holds more than M-1 values), the intermediate value in the bandwidth array may be deleted, that is, step 409 is executed. When the amount of data stored in the bandwidth array does not exceed the upper storage limit, step 410 may be performed. M may be an integer greater than or equal to 3; for example, M may be 5. In some embodiments, M may be greater than N.
409. The BMC deletes the intermediate value in the bandwidth array.
Specifically, when M values are stored in the bandwidth array, the BMC may delete the middle value in the bandwidth array. For example, assuming that M is 5 and the values in the bandwidth array are (13, 17, 19, 20, 21), the intermediate value 19 may be deleted, leaving (13, 17, 20, 21) in the bandwidth array. As another example, assuming M is 4 and the values in the bandwidth array are (13, 17, 19, 21), either of the intermediate values 17 or 19 may be deleted, leaving (13, 19, 21) or (13, 17, 21) in the bandwidth array.
410. The BMC calculates the difference between the maximum value in the bandwidth array and each of the other bandwidth values, and deletes the bandwidth values for which the difference is greater than a third threshold.
The BMC needs to remove from the bandwidth array the bandwidth values whose packet loss was not caused by excessive message traffic. Therefore, the BMC may calculate the difference between the maximum value in the bandwidth array and each of the other bandwidth values, determine that any bandwidth value for which the difference is greater than the third threshold (i.e., a second bandwidth value) does not correspond to packet loss caused by excessive message traffic, and delete such values from the bandwidth array; the BMC may then determine the bandwidth threshold from the remaining bandwidth values. The bandwidth array after this screening may be referred to as a second bandwidth array.
In some embodiments, after the BMC performs step 407, step 410 may be performed directly without performing steps 408 and 409, so that only the bandwidth values whose packet loss was not caused by excessive message traffic are removed from the bandwidth array, in step 410.
411. The BMC determines a certain ratio of the minimum bandwidth value in the bandwidth array as the bandwidth threshold.
After the BMC has screened the bandwidth values in the bandwidth array, a certain ratio (i.e., a first ratio) of the minimum bandwidth value in the bandwidth array may be determined as the bandwidth threshold. The first ratio is greater than 0 and less than 1 and may be set manually; for example, it may be a value such as 90%, 85%, or 80%, and is not limited herein. It should be understood that when the length of the acquisition period differs, the first standard data volume and the bandwidth threshold may also differ.
It should be noted that, in some embodiments, the BMC may also determine the first standard bandwidth or a certain proportion of the first standard bandwidth as the bandwidth threshold. Thus, in some embodiments, the BMC may not perform steps 406-411 described above.
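The following C sketch is an added illustration of steps 403 to 411 and is not part of the application text. It follows the embodiment that skips step 402, and it assumes that bandwidths are integer Mbit/s, that the bandwidth array is kept sorted, that step 409 is followed by step 410, and that packet-loss periods are counted when step 406 is reached; all identifiers and the sample periods are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BW_CAP 16   /* physical size of the bandwidth array; requires M <= BW_CAP */

struct bw_cfg {
    int second_threshold;  /* step 403, Mbit/s */
    int third_threshold;   /* step 410, Mbit/s */
    int n_loss;            /* N in step 407 */
    size_t m_cap;          /* M in step 408, 3 <= M <= BW_CAP */
    int ratio_pct;         /* first ratio in step 411, as a percentage */
};

struct bw_state {
    int std_bw;            /* first standard bandwidth, Mbit/s */
    int loss_periods;      /* packet-loss periods recorded so far */
    int bw[BW_CAP];        /* bandwidth array, kept sorted ascending (assumption) */
    size_t n;              /* number of values currently in the array */
    int threshold;         /* bandwidth threshold, 0 until step 411 has run */
};

static void bw_remove(struct bw_state *s, size_t idx, size_t count)
{
    memmove(&s->bw[idx], &s->bw[idx + count],
            (s->n - idx - count) * sizeof s->bw[0]);
    s->n -= count;
}

static void bw_insert_sorted(struct bw_state *s, int v)
{
    size_t i = s->n++;
    while (i > 0 && s->bw[i - 1] > v) {
        s->bw[i] = s->bw[i - 1];
        i--;
    }
    s->bw[i] = v;
}

/* Process one acquisition period. max_bw is the peak bandwidth of the period,
 * loss is nonzero when the network card reported packet loss.
 * Returns the current bandwidth threshold (0 while none has been determined). */
int bw_period(struct bw_state *s, const struct bw_cfg *c, int max_bw, int loss)
{
    /* Step 403: ignore periods that do not exceed the standard bandwidth. */
    if (max_bw - s->std_bw <= c->second_threshold)
        return s->threshold;
    /* Steps 404-405: no loss, so this peak is a bandwidth the BMC can handle. */
    if (!loss) {
        s->std_bw = max_bw;
        return s->threshold;
    }
    /* Step 406: record the peak of a packet-loss period. */
    if (s->n == BW_CAP)                 /* defensive guard against overflow */
        bw_remove(s, s->n / 2, 1);
    bw_insert_sorted(s, max_bw);
    s->loss_periods++;
    /* Step 407: wait until more than N packet-loss periods were seen. */
    if (s->loss_periods <= c->n_loss)
        return s->threshold;
    /* Steps 408-409: at the storage limit, delete the intermediate value. */
    if (s->n >= c->m_cap)
        bw_remove(s, s->n / 2, 1);
    /* Step 410: values far below the maximum were not caused by traffic volume. */
    int max = s->bw[s->n - 1];
    size_t drop = 0;
    while (drop < s->n && max - s->bw[drop] > c->third_threshold)
        drop++;
    bw_remove(s, 0, drop);
    /* Step 411: a ratio of the smallest remaining value is the threshold. */
    s->threshold = s->bw[0] * c->ratio_pct / 100;
    return s->threshold;
}

/* Constructed sample: {peak Mbit/s, packet loss}. The 170 Mbit/s period stands
 * for loss with a cause other than traffic volume and is screened out. */
static const struct { int max_bw; int loss; } SAMPLE[] = {
    {150, 0}, {152, 0}, {210, 1}, {170, 1}, {205, 1}, {200, 1}, {208, 1}, {203, 1},
};

/* Replays the first `count` sample periods from a fresh state. */
int run_sample(struct bw_state *s, size_t count)
{
    const struct bw_cfg cfg = { 5, 10, 2, 5, 90 };   /* T2, T3, N, M, ratio */
    memset(s, 0, sizeof *s);
    s->std_bw = 100;                                 /* constructed initial value */
    for (size_t i = 0; i < count && i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        bw_period(s, &cfg, SAMPLE[i].max_bw, SAMPLE[i].loss);
    return s->threshold;
}

int main(void)
{
    struct bw_state s;
    printf("threshold after 8 periods: %d Mbit/s\n", run_sample(&s, 8));
    return 0;
}
```

With the sample data the threshold first appears after the third packet-loss period, once the 170 Mbit/s outlier has been removed in step 410, and the eighth period exercises the deletion of the intermediate value in step 409.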
Through the above processing flow, the BMC can obtain a bandwidth threshold. Based on the bandwidth threshold, the BMC can monitor the traffic and can report abnormal traffic of the management network port to the upper-layer BMC management system in advance, before the traffic of the management network port reaches the bandwidth threshold. In addition, while monitoring the traffic, the BMC can extract the destination MAC address from the header of each unicast message and thereby isolate the unicast messages whose destination MAC address is not the MAC address of the BMC, which further avoids abnormality of the BMC management functions.
Based on the above system architecture, refer to fig. 5, which is a schematic flow chart of a traffic monitoring method according to an embodiment of the present disclosure. As shown in fig. 5, the traffic monitoring method may include, but is not limited to, the following steps:
501. The BMC collects the received messages according to the acquisition period, and counts the maximum bandwidth, the data volume of the unicast messages, the data volume of the broadcast messages and the data volume of the multicast messages in the current acquisition period.
Specifically, the BMC may continuously collect the messages received by the BMC management network port and, taking a fixed acquisition period as the unit, compute statistics over them to obtain the maximum bandwidth in the current acquisition period. In addition, the BMC may classify the received messages to obtain the data volume of the unicast messages, the data volume of the broadcast messages, the data volume of the multicast messages, and the total message data volume in the current acquisition period. For unicast messages, the BMC may extract the destination MAC address from the header. For the acquisition period, refer to the description of step 401 above. It should be understood that the length of the acquisition period in step 401 and in step 501 may differ, for example, 3 minutes in step 401 and 5 minutes in step 501, which is not limited herein.
It should be understood that the unicast message, the multicast message, and the broadcast message may be ethernet messages, and the ethernet message header includes a destination MAC address. It should also be appreciated that the BMC may repeat step 501 during each acquisition cycle. The initial acquisition time may be the time for powering on the BMC or the server.
502. The BMC determines whether the difference between the sum of the data volumes of the unicast, multicast and broadcast messages in the current acquisition period and the first standard data volume is greater than a first threshold, performs step 503 and step 507 if it is determined that the difference is greater than the first threshold, and performs step 501 if it is determined that the difference is less than or equal to the first threshold.
Specifically, the first standard data volume may be the maximum total message data volume that the management network port can reach in one acquisition period under normal conditions (that is, when the management network port is not under attack). Therefore, if the BMC determines that the difference between the total message data volume (i.e., the sum of the data volumes of the unicast, multicast and broadcast messages) in the current acquisition period and the first standard data volume is less than or equal to the first threshold, it may be considered that there is no malicious network attack in the current acquisition period and that the BMC management functions will not become abnormal, so the BMC may wait for the next acquisition period and count the maximum bandwidth, the data volume of the unicast messages, the data volume of the broadcast messages, and the data volume of the multicast messages in the next acquisition period, that is, perform step 501. If the BMC determines that the difference between the total message data volume in the current acquisition period and the first standard data volume is greater than the first threshold, it cannot be determined whether a malicious network attack exists in the current acquisition period, and therefore the BMC may perform step 503 and step 507. For the first standard data volume and the first threshold, refer to the description of step 401 above.
In some embodiments, the BMC may not perform step 502, and directly perform step 503 and step 507 after step 501. It should be understood that the branch corresponding to step 503 and the branch corresponding to step 507 may be executed in parallel, or may be executed in series, that is, step 503, 504, 505, or 506 may be executed first, and then step 507, 508, 509, or 510 is executed, or step 507, 508, 509, or 510 may be executed first, and then step 503, 504, 505, or 506 is executed.
503. The BMC determines whether the difference between the data volume of the unicast messages and the second standard data volume is greater than a fourth threshold; if not, it performs step 501, and if so, it performs step 504.
Specifically, the second standard data size may be a maximum total data size of the unicast packet that can be reached by the management network port in one acquisition period under a normal condition. Therefore, if the BMC determines that the difference between the data amount of the unicast message in the current acquisition period and the second standard data amount is less than or equal to the fourth threshold, it may be determined that the data amount of the unicast message in the current acquisition period is within a normal range, where there is no abnormal unicast message and the BMC management function is not abnormal, so that the BMC may directly wait for the next acquisition period, and count the maximum bandwidth, the data amount of the unicast message, the data amount of the broadcast message, and the data amount of the multicast message in the next acquisition period, that is, perform step 501. If the BMC determines that the difference between the data amount of the unicast message in the current acquisition period and the second standard data amount is greater than the fourth threshold, it is not possible to determine whether an abnormal unicast message exists in the current acquisition period, and therefore, the BMC may execute step 504.
It can be understood that a reasonable initial value may be set for the second standard data volume, and its value may then be updated according to the actual situation (i.e., updated whenever an acquisition period satisfies a specific condition); as the number of updates increases, the second standard data volume approaches the maximum unicast message data volume that the management network port can reach in one acquisition period under normal conditions. The initial value of the second standard data volume may be set according to the rated maximum bandwidth of the BMC management port. In some embodiments, the initial value of the second standard data volume may be set to the unicast message data volume of the first acquisition period.
The fourth threshold is an integer greater than 0 and may be set according to the actual situation; in some embodiments, the fourth threshold may be set to 3-5 megabytes (MB). It can be understood that the smaller the fourth threshold, the more easily the difference between the data volume of the unicast messages in an acquisition period and the second standard data volume exceeds it, so the second standard data volume is updated at a finer granularity. Conversely, the larger the fourth threshold, the less easily that difference exceeds it, which saves processing resources of the BMC.
504. The BMC determines whether the destination MAC addresses of all unicast messages in the current acquisition period are the MAC address of the BMC, executes step 505 if the destination MAC addresses of all unicast messages are the MAC address of the BMC, and otherwise executes step 506.
Specifically, when the destination MAC address of the unicast message is not the MAC address of the BMC, the BMC may determine that the unicast message is an abnormal unicast message (i.e., an attack message). Therefore, the BMC may determine whether an abnormal unicast message exists in the current acquisition period through the destination MAC addresses of all unicast messages in the current acquisition period, and may determine that an abnormal unicast message does not exist in the current acquisition period under the condition that the destination MAC addresses of all unicast messages are the MAC address of the BMC, and may perform step 505, otherwise, may determine that an abnormal unicast message exists in the current acquisition period, and may perform step 506.
In some embodiments, the BMC may also determine whether a unicast message is an abnormal unicast message according to the IP address of the BMC. If the destination IP address of the unicast message is the IP address of the BMC, it may be determined that the unicast message is a normal unicast message, and if the destination IP address of the unicast message is not the IP address of the BMC, it may be determined that the unicast message is an abnormal unicast message.
505. The BMC updates the second standard data volume to the data volume of the unicast messages in the current acquisition period.
When the BMC determines that no abnormal unicast message exists in the current acquisition period, then, because the data volume of the unicast messages in the current acquisition period is larger than the second standard data volume, the BMC can update the second standard data volume to the data volume of the unicast messages in the current acquisition period, which facilitates the processing of subsequent acquisition periods.
506. The BMC isolates the unicast messages whose destination MAC address is not the MAC address of the BMC.
When the BMC determines that abnormal unicast messages exist in the current acquisition period, then, since the BMC does not need to process the abnormal messages, it may isolate (i.e., discard) the unicast messages whose destination MAC address is not the MAC address of the BMC.
In addition, because the current acquisition period also contains unicast messages whose destination MAC address is the MAC address of the BMC, and the data volume of these normal messages may be relatively large, in some embodiments the BMC may further determine whether the data volume of the unicast messages whose destination MAC address is the MAC address of the BMC is greater than the second standard data volume. If it is greater, the BMC updates the second standard data volume to the sum of the data volumes of the unicast messages whose destination MAC address is the MAC address of the BMC; if it is less than or equal to the second standard data volume, no processing is performed.
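The unicast branch described above (the classification in step 501 and the decisions in steps 503 to 506) can be sketched in C as follows; this is an added illustration, not part of the application text. It assumes raw Ethernet frames whose first six bytes are the destination MAC address, counts data volume in frame bytes, and uses constructed identifiers, MAC addresses and threshold values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN    6
#define ETH_HDR_LEN 14   /* destination MAC, source MAC, EtherType */

enum frame_class  { FC_INVALID, FC_UNICAST, FC_MULTICAST, FC_BROADCAST };
enum ucast_action { UC_NONE, UC_UPDATE_STANDARD, UC_ISOLATE };

struct period_stats {          /* byte counters for one acquisition period */
    uint64_t ucast_own;        /* unicast addressed to the BMC */
    uint64_t ucast_foreign;    /* unicast addressed to another MAC */
    uint64_t mcast;
    uint64_t bcast;
};

/* Broadcast is the all-ones address; otherwise the low bit of the first
 * octet (the group bit) separates multicast from unicast. */
enum frame_class classify_frame(const uint8_t *frame, size_t len)
{
    static const uint8_t bcast[ETH_ALEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    if (len < ETH_HDR_LEN)
        return FC_INVALID;     /* truncated frame: no usable header */
    if (memcmp(frame, bcast, ETH_ALEN) == 0)
        return FC_BROADCAST;
    return (frame[0] & 0x01) ? FC_MULTICAST : FC_UNICAST;
}

/* Step 504 test for one frame; also the drop filter used while isolating. */
int is_foreign_unicast(const uint8_t *frame, size_t len,
                       const uint8_t bmc_mac[ETH_ALEN])
{
    return classify_frame(frame, len) == FC_UNICAST &&
           memcmp(frame, bmc_mac, ETH_ALEN) != 0;
}

/* Step 501: add one received frame to the per-class counters. */
void account_frame(struct period_stats *st, const uint8_t *frame, size_t len,
                   const uint8_t bmc_mac[ETH_ALEN])
{
    switch (classify_frame(frame, len)) {
    case FC_BROADCAST: st->bcast += len; break;
    case FC_MULTICAST: st->mcast += len; break;
    case FC_UNICAST:
        if (is_foreign_unicast(frame, len, bmc_mac))
            st->ucast_foreign += len;
        else
            st->ucast_own += len;
        break;
    default: break;            /* invalid frames are not counted */
    }
}

/* Steps 503-506 at the end of a period. second_std is the second standard
 * data volume and may be updated in place. */
enum ucast_action unicast_check(const struct period_stats *st,
                                uint64_t *second_std, uint64_t fourth_threshold)
{
    uint64_t total = st->ucast_own + st->ucast_foreign;
    if (total <= *second_std + fourth_threshold)   /* step 503 */
        return UC_NONE;
    if (st->ucast_foreign == 0) {                  /* steps 504-505 */
        *second_std = total;
        return UC_UPDATE_STANDARD;
    }
    if (st->ucast_own > *second_std)               /* optional update on isolation */
        *second_std = st->ucast_own;
    return UC_ISOLATE;                             /* step 506 */
}

/* Constructed period: 3 frames to the BMC, 5 to another MAC, one multicast,
 * one broadcast and one truncated frame. The fourth threshold is 500 bytes. */
enum ucast_action run_constructed_period(uint64_t *second_std,
                                         struct period_stats *st)
{
    static const uint8_t bmc[ETH_ALEN]   = {0x02, 0, 0, 0, 0, 0x01};
    static const uint8_t other[ETH_ALEN] = {0x02, 0, 0, 0, 0, 0x99};
    static const uint8_t mc[ETH_ALEN]    = {0x01, 0x00, 0x5e, 0, 0, 0xfb};
    uint8_t frame[1500];
    memset(st, 0, sizeof *st);
    memset(frame, 0, sizeof frame);
    memcpy(frame, bmc, ETH_ALEN);
    for (int i = 0; i < 3; i++) account_frame(st, frame, 1000, bmc);
    memcpy(frame, other, ETH_ALEN);
    for (int i = 0; i < 5; i++) account_frame(st, frame, 1500, bmc);
    memcpy(frame, mc, ETH_ALEN);
    account_frame(st, frame, 100, bmc);
    memset(frame, 0xff, ETH_ALEN);
    account_frame(st, frame, 64, bmc);
    account_frame(st, frame, 10, bmc);             /* shorter than a header */
    return unicast_check(st, second_std, 500);
}

int main(void)
{
    uint64_t second_std = 2000;
    struct period_stats st;
    enum ucast_action a = run_constructed_period(&second_std, &st);
    printf("action=%d foreign=%llu second_std=%llu\n", (int)a,
           (unsigned long long)st.ucast_foreign, (unsigned long long)second_std);
    return 0;
}
```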
507, the bmc determines whether a difference between a sum of data amounts of the multicast message and the broadcast message in the current acquisition period and the third standard data amount is greater than a fifth threshold, if not, performs step 501, and if so, performs step 508.
Specifically, the third standard data amount may be the maximum total data amount of multicast packets and broadcast packets that the management network port can reach in one acquisition period under normal conditions. Therefore, if the BMC determines that the difference between the total data amount of the multicast packets and broadcast packets in the current acquisition period and the third standard data amount is less than or equal to the fifth threshold, it may determine that this total data amount is within the normal range, that there are no abnormal multicast or broadcast packets, and that the BMC management function will not become abnormal. The BMC may then simply wait for the next acquisition period and count the maximum bandwidth, the data amount of unicast packets, the data amount of broadcast packets, and the data amount of multicast packets in that period, that is, execute step 501. If the BMC determines that the difference between the total data amount of the multicast packets and broadcast packets in the current acquisition period and the third standard data amount is greater than the fifth threshold, it cannot yet determine whether abnormal multicast packets and broadcast packets exist in the current acquisition period, and therefore the BMC may perform step 508.
It can be understood that a reasonable initial value may be set for the third standard data volume, and its value may then be updated according to the actual situation (i.e., updated whenever an acquisition period satisfies a specific condition). As the number of updates increases, the third standard data volume may approach the maximum total data volume of multicast and broadcast packets that the management network port can reach in one acquisition period under normal conditions. The initial value of the third standard data volume may be set according to the rated maximum bandwidth of the BMC management network port. In some embodiments, the initial value of the third standard data volume may be set to the total data volume of the multicast and broadcast packets of the first acquisition period.
The fifth threshold is an integer greater than 0 and may be set according to the actual situation; in some embodiments, it may be set to 3-5 megabytes (MB). It can be understood that the smaller the fifth threshold, the more easily the difference between the total data volume of the multicast and broadcast packets and the third standard data volume exceeds the fifth threshold in an acquisition period, so that the updating of the third standard data volume and the management network port flooding alarm can be more fine-grained. Conversely, the larger the fifth threshold, the less easily that difference exceeds the fifth threshold in an acquisition period, which saves processing resources of the BMC.
It should be understood that the first standard data amount described above may be larger than each of the second standard data amount and the third standard data amount. In addition, the first, second and third standard data amounts may differ with the length of the acquisition period: the longer the acquisition period, the larger the first standard data amount, the second standard data amount and the third standard data amount; the shorter the acquisition period, the smaller they are.
508. The BMC determines whether the difference between the maximum bandwidth in the current acquisition period and the bandwidth threshold is greater than a sixth threshold. If so, step 509 is performed; if not, step 510 is performed.
Because the BMC cannot directly screen out abnormal multicast messages and broadcast messages, the BMC can only determine, according to the bandwidth threshold, whether the current message traffic will cause the BMC management function to become abnormal, so that an alarm can be raised in time.
Specifically, when the BMC determines that the difference between the maximum bandwidth in the current acquisition period and the bandwidth threshold is less than or equal to the sixth threshold, the BMC may determine that all messages can be processed at this time and that no packet loss will occur on the BMC management network port. It may therefore be considered that there is no abnormal multicast message or broadcast message in the current acquisition period, and step 510 may be executed. When the BMC determines that the difference between the maximum bandwidth in the current acquisition period and the bandwidth threshold is greater than the sixth threshold, the BMC may determine that not all messages can be processed in time and that packet loss may occur on the BMC management network port. It may therefore be considered that an abnormal multicast message or an abnormal broadcast message (i.e., an attack message) exists in the current acquisition period, or that abnormal multicast messages and abnormal broadcast messages exist at the same time, and step 509 may be performed.
The sixth threshold is an integer greater than 0 and may be set according to the actual situation; in some embodiments, it may be set to 3 to 5 Mbps. It can be understood that the smaller the sixth threshold, the more easily the difference between the maximum bandwidth and the bandwidth threshold exceeds the sixth threshold in an acquisition period, so that the management network port flooding alarm can be more fine-grained.
It is understood that the first threshold, the fourth threshold, and the fifth threshold may be the same (i.e., all the same or partially the same), or may be different (i.e., all different or partially different). The second threshold, the third threshold, and the sixth threshold may be the same or different.
509. The BMC raises a BMC management network port flooding alarm.
When the BMC determines that the difference between the maximum bandwidth in the current acquisition period and the bandwidth threshold is greater than the sixth threshold, the BMC may promptly report the management network port traffic anomaly to upper-layer management software (that is, broadcast flooding and multicast flooding may exist on the management network port), and may raise an alarm and notify relevant personnel to investigate, so that the BMC management function becoming unavailable or abnormal can be avoided. Afterwards, if the management network port traffic returns to normal, the BMC may report that the management network port traffic anomaly alarm is cleared.
510. The BMC updates the third standard data volume to the sum of the data volumes of the multicast messages and broadcast messages in the current acquisition period.
When the BMC determines that the difference between the maximum bandwidth in the current acquisition period and the bandwidth threshold is less than or equal to the sixth threshold, it may be considered that there are no abnormal multicast or broadcast packets in the current acquisition period. Since the sum of the data amounts of the multicast and broadcast packets in the current acquisition period is greater than the third standard data amount, the BMC may update the third standard data amount to the total data amount of the multicast and broadcast packets in the current acquisition period, which facilitates processing in subsequent acquisition periods.
It should be noted that, in some embodiments, when the BMC performs step 504 and does not perform step 508, if the BMC determines in step 504 that the destination MAC addresses of all unicast messages are the MAC address of the BMC, the BMC may update the first standard data size to the total data size of the messages in the current acquisition period. Alternatively, when the BMC performs step 508 and does not perform step 504, if the BMC determines in step 508 that the difference between the maximum bandwidth in the current acquisition period and the bandwidth threshold is less than or equal to the sixth threshold, the BMC may also update the first standard data size to the total data size of the messages in the current acquisition period. Alternatively, when the BMC performs both step 508 and step 504, if the BMC determines in step 504 that the destination MAC addresses of all unicast messages are the MAC address of the BMC, and determines in step 508 that the difference between the maximum bandwidth in the current acquisition period and the bandwidth threshold is less than or equal to the sixth threshold, the BMC may update the first standard data size to the total data size of the messages in the current acquisition period. In other embodiments, the BMC may also use the sum of the second standard data amount and the third standard data amount as the first standard data amount, which is not limited herein. Steps 503-504 and steps 507-508 have no required chronological order and may be executed simultaneously or sequentially.
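The per-period decisions of steps 503 to 510 can be traced in code. The following Python sketch is an added example, not part of the patent: the class and field names, the per-destination byte counters, the 4 MB fourth threshold and the rule that the alarm clears on the first non-flooding period are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MB = 1024 * 1024


@dataclass
class PeriodStats:
    """Counters for one acquisition period (constructed sample shape)."""
    unicast_bytes_by_dst: Dict[str, int]   # destination MAC -> bytes received
    mcast_bcast_bytes: int                 # multicast + broadcast bytes
    max_bandwidth_mbps: float              # peak bandwidth seen in the period


@dataclass
class PortMonitor:
    bmc_mac: str
    bandwidth_threshold_mbps: float
    second_std: int                  # unicast baseline, bytes
    third_std: int                   # multicast + broadcast baseline, bytes
    fourth_threshold: int = 4 * MB   # assumed value; may equal the fifth threshold
    fifth_threshold: int = 4 * MB    # the text suggests 3-5 MB
    sixth_threshold: float = 4.0     # the text suggests 3-5 Mbps
    alarm_active: bool = False

    def check_unicast(self, s: PeriodStats) -> List[str]:
        """Steps 503-506. Returns the destination MACs whose frames are discarded."""
        total = sum(s.unicast_bytes_by_dst.values())
        if total - self.second_std <= self.fourth_threshold:
            return []                                  # volume within normal range
        bmc = self.bmc_mac.lower()
        foreign = sorted(m for m in s.unicast_bytes_by_dst if m.lower() != bmc)
        if not foreign:
            self.second_std = total                    # step 505: raise the baseline
            return []
        own = total - sum(s.unicast_bytes_by_dst[m] for m in foreign)
        if own > self.second_std:                      # optional update in step 506
            self.second_std = own
        return foreign                                 # step 506: isolate these

    def check_mcast_bcast(self, s: PeriodStats) -> Optional[str]:
        """Steps 507-510. Returns "raise", "clear" or None."""
        suspicious = s.mcast_bcast_bytes - self.third_std > self.fifth_threshold
        over = (s.max_bandwidth_mbps - self.bandwidth_threshold_mbps
                > self.sixth_threshold)
        if suspicious and over:                        # step 509: flooding alarm
            event = None if self.alarm_active else "raise"
            self.alarm_active = True
            return event                               # baseline is left untouched
        if suspicious:                                 # step 510: benign growth
            self.third_std = s.mcast_bcast_bytes
        if self.alarm_active:                          # assumed clear condition
            self.alarm_active = False
            return "clear"
        return None


if __name__ == "__main__":
    BMC = "02:00:00:00:00:01"                          # constructed sample MAC
    mon = PortMonitor(BMC, 80.0, second_std=10 * MB, third_std=5 * MB)
    periods = [                                        # constructed sample periods
        PeriodStats({BMC: 20 * MB}, 12 * MB, 60.0),
        PeriodStats({BMC: 12 * MB, "02:00:00:00:00:99": 30 * MB}, 40 * MB, 95.0),
        PeriodStats({BMC: 8 * MB}, 6 * MB, 20.0),
    ]
    for i, p in enumerate(periods, 1):
        print(i, mon.check_unicast(p), mon.check_mcast_bcast(p),
              mon.second_std // MB, mon.third_std // MB)
```

In the second sample period the baselines stay at their pre-flood values, so traffic from a flooding period never becomes the new "normal".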
Since step 401 and step 501 both need to continuously acquire the received messages according to the acquisition period and then perform statistical analysis based on the messages of the current acquisition period, in some embodiments the BMC may perform step 401 and step 501 simultaneously.
It can be understood that the traffic monitoring described above is for a management port. Accordingly, the traffic monitoring method may also be applied to a service port, so as to isolate attack messages and to report a service port traffic anomaly to the upper-layer BMC management system before the traffic of the service port reaches the bandwidth threshold of the service port. It can also be understood that the above measures the data amount of the management network port per unit time by bandwidth; in some embodiments, the data amount of the management network port per unit time may also be measured in packets per second (PPS) or by other criteria, which is not limited herein.
It should be noted that, the related information (i.e. the same information or similar information) and the related description in the different embodiments described above may be referred to each other.
It should be understood that, in fig. 4 and fig. 5 above, the BMC is taken as an example of the executing entity to illustrate the processing flow, but the application does not limit the executing entity. For example, the BMC in fig. 4 and fig. 5 may also be a chip, a chip system, or a processor that supports the BMC in implementing the method, and may also be a logic module or software capable of implementing all or part of the BMC function.
The embodiment of the application also discloses a computer-readable storage medium storing instructions that, when executed, perform the method in the foregoing method embodiments.
The embodiment of the application also discloses a computer program product comprising instructions that, when executed, perform the method in the foregoing method embodiments.
It should be apparent that the above-described embodiments are only some of the embodiments of the present application, and not all of the embodiments. Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the present application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those skilled in the art will appreciate, explicitly and implicitly, that the embodiments described herein may be combined with other embodiments. All other embodiments that can be derived by a person skilled in the art from the embodiments given herein without creative effort shall fall within the protection scope of the present application. The terms "first," "second," "third," and the like in the description and claims of this application and in the accompanying drawings are used for distinguishing between different objects and not necessarily for describing a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process may comprise a sequence of steps or elements, or may alternatively comprise steps or elements not listed, or may alternatively comprise other steps or elements inherent to such process, method, article, or apparatus. It is to be understood that the equality case in the above condition judgments may be placed on either side; for example, a judgment of whether a value is greater than, or less than or equal to, a threshold may be changed to a judgment of whether it is greater than or equal to, or less than, the threshold, which is not limited herein.
It is to be understood that only some, but not all, of the material pertinent to the present application is shown in the drawings. It should be understood that some example embodiments are described as processes or methods depicted as flowcharts. Although a flowchart may describe the operations (or steps) as a sequential process, many of the operations can be performed in parallel, concurrently or simultaneously. In addition, the order of the operations may be re-arranged. The process may be terminated when its operations are completed, but could have additional steps not included in the figure. The processes may correspond to methods, functions, procedures, subroutines, and the like.
As used in this specification, the terms "component," "module," "system," "unit," and the like are intended to refer to a computer-related entity, either hardware, firmware, a combination of hardware and software, or software in execution. For example, a unit may be, but is not limited to being, a process running on a processor, an object, an executable, a thread of execution, a program, and/or distributed between two or more computers. In addition, these units can execute from various computer-readable media having various data structures stored thereon. The units may communicate by way of local and/or remote processes, such as in accordance with a signal having one or more data packets (e.g., data from a second unit interacting with another unit in a local system, a distributed system, and/or across a network).
The objects, technical solutions and advantages of the present application have been described in further detail in the above embodiments. It should be understood that the above embodiments are only examples of the present application and are not intended to limit its scope; any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present application shall fall within the scope of the present application.

Claims (11)

1. A method for monitoring flow, the method being applied to an out-of-band controller of a computing device, the method comprising:
respectively acquiring a unicast message, a multicast message and a broadcast message in a first period; wherein the unicast message, the multicast message and the broadcast message are received through a management network port of the computing device;
under the condition that the abnormal unicast message exists in the unicast message, discarding the abnormal unicast message;
or reporting the management network port flow abnormity under the condition of determining that the abnormal multicast message and/or broadcast message exists in the multicast message and the broadcast message.
2. The method of claim 1, further comprising:
and under the condition that a unicast message whose destination Media Access Control (MAC) address is not the MAC address of the out-of-band controller exists in the unicast message, determining that the abnormal unicast message exists in the unicast message.
3. The method of claim 2, wherein prior to the determining that there is a unicast message in the unicast message whose destination MAC address is not the MAC address of the out-of-band controller, the method further comprises:
and determining that the difference value between the data volume of the unicast message in the first period and a second standard data volume is greater than a fourth threshold value.
4. The method of claim 3, further comprising:
and updating the second standard data volume to the data volume of the unicast message in the first period under the condition that the unicast message is determined not to have abnormal unicast messages.
5. The method of claim 1, further comprising:
and under the condition that the difference value between the maximum bandwidth and the bandwidth threshold value in the first period is larger than a sixth threshold value, determining that abnormal multicast messages and/or abnormal broadcast messages exist in the multicast messages and the broadcast messages.
6. The method of claim 5, wherein prior to the determining that the difference between the maximum bandwidth and the bandwidth threshold for the first period is greater than a sixth threshold, the method further comprises:
determining that a difference value between a total data volume of the multicast packet and the broadcast packet in the first period and a third standard data volume is greater than a fifth threshold.
7. The method of claim 6, further comprising:
and updating the third standard data volume to a total data volume of the multicast message and the broadcast message in the first period under the condition that the multicast message and the broadcast message are determined not to have abnormal multicast message and broadcast message.
8. The method according to any of claims 1-7, wherein before said determining that there is an abnormal unicast packet in said unicast packet, or before said determining that there is an abnormal multicast and/or broadcast packet in said multicast and broadcast packets, said method further comprises:
determining that a difference value between a total data volume of the unicast message, the multicast message and the broadcast message in the first period and a first standard data volume is greater than a first threshold.
9. The method according to any one of claims 4-8, further comprising: acquiring maximum bandwidths in a plurality of first periods;
adding the maximum bandwidth in each first period into a bandwidth array to obtain a first bandwidth array under the condition that the difference between the maximum bandwidth in each first period and a first standard bandwidth is greater than a second threshold and packet loss occurs to the management network port in each first period;
removing a second bandwidth value in the first bandwidth array to obtain a second bandwidth array, wherein a difference value between a maximum bandwidth value in the first bandwidth array and the second bandwidth value is greater than a third threshold value;
and determining a first ratio of the minimum bandwidth value in the second bandwidth array as the bandwidth threshold, wherein the first ratio is greater than 0 and less than 1.
10. The method of claim 9, further comprising:
and updating the first standard bandwidth to the maximum bandwidth in the first period when the difference between the maximum bandwidth in the first period and the first standard bandwidth is greater than the second threshold and no packet loss occurs at the management network port in the first period.
11. An out-of-band controller, comprising a processor, a memory, and a communication interface for receiving information from and outputting information to an electronic device other than the out-of-band controller, the processor invoking a computer program stored in the memory to implement the method of any one of claims 1-10.
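The bandwidth-threshold derivation of claims 9 and 10, as an added Python sketch that is not part of the patent: the class and method names, the 4 Mbps second and third thresholds, the first ratio of 0.9 and the sample observations are assumptions, and "a first ratio of the minimum bandwidth value" is read here as ratio multiplied by that minimum.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class BandwidthModel:
    first_standard_bw: float          # Mbps, highest loss-free peak accepted so far
    second_threshold: float = 4.0     # Mbps, assumed value
    third_threshold: float = 4.0      # Mbps, assumed value
    first_ratio: float = 0.9          # assumed; must satisfy 0 < ratio < 1
    samples: List[float] = field(default_factory=list)   # "first bandwidth array"

    def observe(self, max_bw: float, packet_loss: bool) -> None:
        """Feed the maximum bandwidth of one first period."""
        if max_bw - self.first_standard_bw <= self.second_threshold:
            return                            # not far enough above the baseline
        if packet_loss:
            self.samples.append(max_bw)       # claim 9: peak that caused loss
        else:
            self.first_standard_bw = max_bw   # claim 10: new loss-free peak

    def second_array(self) -> List[float]:
        """Drop values lying more than third_threshold below the array maximum."""
        if not self.samples:
            return []
        peak = max(self.samples)
        return [b for b in self.samples if peak - b <= self.third_threshold]

    def bandwidth_threshold(self) -> Optional[float]:
        """first_ratio times the smallest surviving value, or None with no data."""
        kept = self.second_array()
        return self.first_ratio * min(kept) if kept else None


def demo() -> BandwidthModel:
    model = BandwidthModel(first_standard_bw=50.0)
    # Constructed observations: (maximum bandwidth in Mbps, packet loss seen?)
    for bw, loss in [(52.0, False), (70.0, False), (72.0, True),
                     (96.0, True), (98.0, True), (99.0, True), (85.0, True)]:
        model.observe(bw, loss)
    return model


if __name__ == "__main__":
    m = demo()
    print(m.first_standard_bw, m.samples, m.second_array(), m.bandwidth_threshold())
```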
CN202211127342.0A 2022-09-16 2022-09-16 Flow monitoring method and out-of-band controller Pending CN115580437A (en)


Publications (1)

Publication Number Publication Date
CN115580437A true CN115580437A (en) 2023-01-06

Family

ID=84581106


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination