CN115941223A - BGP Flowspec route issuing method and device, storage medium and electronic equipment - Google Patents


Info

Publication number: CN115941223A
Authority: CN (China)
Prior art keywords: port; extended community; community attribute; attribute field; bgp flowspec
Legal status: Pending
Application number: CN202111130040.4A
Other languages: Chinese (zh)
Inventor: 胡媛媛
Current Assignee: ZTE Corp
Original Assignee: ZTE Corp
Application filed by ZTE Corp
Priority to CN202111130040.4A (CN115941223A)
Priority to PCT/CN2022/119622 (WO2023045865A1)
Publication of CN115941223A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L 12/00 Data switching networks > H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L 12/46 Interconnection of networks
        • H04L 45/00 Routing or path finding of packets in data switching networks > H04L 45/74 Address processing for routing
        • H04L 47/00 Traffic control in data switching networks > H04L 47/10 Flow control; Congestion control
        • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass > H04L 69/06 Notations for structuring of protocol data, e.g. abstract syntax notation one [ASN.1]
        • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass > H04L 69/22 Parsing or analysis of headers
        • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L 9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the field of communication, in particular to a BGP Flowspec route issuing method and device. The method comprises the following steps: the sampled traffic and address information of at least one port are combined and sent to a server, so that the server creates an extended community attribute field corresponding to the port with abnormal traffic when it detects that the traffic of any port is abnormal; a message sent by the server and containing a BGP Flowspec route and at least one extended community attribute field is received; and when the port address information included in the extended community attribute field is the address information of a local port, the BGP Flowspec route is issued to the port corresponding to the extended community attribute field. The method controls the traffic of the port under attack by sending the flow control policy together with the address information of the port to the local device, which applies the flow control policy to the corresponding port in a targeted manner, thereby improving network security and availability and saving hardware resources.

Description

BGP Flowspec route issuing method and device, storage medium and electronic equipment
Technical Field
The invention relates to the technical field of communication, in particular to a BGP Flowspec route issuing method and device, a storage medium and electronic equipment.
Background
Both Denial of Service (DoS) attacks and Distributed Denial of Service (DDoS) attacks are network attacks that prevent legitimate users from accessing services normally; DoS/DDoS attacks refer to malicious attacks that continuously send a large number of useless packets to a port of a device to occupy the target bandwidth and host resources and generate huge attack traffic, so that the device cannot be used normally or the system even crashes. The traditional protection method is to perform traffic cleaning on all devices in the system through flow control when a certain device is attacked.
However, the above method cannot accurately identify the attacked device, and it is difficult to control the traffic of the attacked device in a targeted manner; on the other hand, when a certain device is subjected to a traffic attack, traffic cleaning is performed on all devices, which easily wastes resources and affects the normal operation of the system. Therefore, it is desirable to provide a method for accurately and timely identifying and controlling the traffic of the port under attack, so as to ensure network security and the normal operation of the communication service.
Disclosure of Invention
The invention aims to provide a BGP Flowspec route issuing method and device, a storage medium and electronic equipment, so as to overcome, at least to a certain extent, the problem that a device under traffic attack cannot be controlled in a targeted manner because of the limitations and defects of the related art, thereby avoiding the waste of resources and ensuring the normal operation of the system.
According to an aspect of the present invention, a BGP Flowspec route issuing method is provided, including:
sending a combination of sampled traffic and address information of at least one port to a server, so that the server creates an extended community attribute field corresponding to the port with abnormal traffic when detecting that the traffic of any port is abnormal, wherein the extended community attribute field comprises the address information of the corresponding port;
receiving a message which is sent by the server and contains a BGP Flowspec route and at least one extended community attribute field;
and when the address information of the port included in the extended community attribute field is the address information of a local port, sending the BGP Flowspec route to the port corresponding to the extended community attribute field.
According to another aspect of the present invention, there is provided a BGP Flowspec route issuing method, including:
receiving, from at least one device, a sampled combination of traffic and address information of at least one port;
when detecting that the flow of any port is abnormal, creating an extended community attribute field corresponding to the abnormal port of the flow, wherein the extended community attribute field comprises the address information of the corresponding port;
and sending a message containing a BGP Flowspec route and at least one extended community attribute field to each device, so that the device sends the BGP Flowspec route to a port corresponding to the extended community attribute field when the address information of the port included in the extended community attribute field is the address information of a local port.
According to another aspect of the present invention, there is provided a BGP Flowspec route issuing apparatus including:
a sending module, configured to send a combination of sampled traffic and address information of at least one port to a server, so that the server creates an extended community attribute field corresponding to the port with abnormal traffic when detecting that the traffic of any port is abnormal, wherein the extended community attribute field comprises the address information of the corresponding port;
a receiving module, configured to receive a packet sent by the server and including a BGP Flowspec route and at least one extended community attribute field;
and the issuing module is used for issuing the BGP Flowspec route to the port corresponding to the extended community attribute field under the condition that the address information of the port included in the extended community attribute field is the address information of a local port.
According to another aspect of the present invention, there is provided a BGP Flowspec route issuing device, including:
a receiving module, configured to receive, from at least one device, a sampled combination of traffic and address information of at least one port;
a creating module, configured to create an extended community attribute field corresponding to the port with abnormal traffic when detecting that the traffic of any port is abnormal, wherein the extended community attribute field comprises the address information of the corresponding port;
and the sending module is used for sending a message containing the BGP Flowspec route and at least one extended community attribute field to each device, so that the device sends the BGP Flowspec route to a port corresponding to the extended community attribute field when the address information of the port included in the extended community attribute field is the address information of a local port.
According to another aspect of the present invention, there is provided an electronic apparatus comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the BGP Flowspec route issuance method described above.
According to another aspect of the present invention, there is provided a computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the BGP Flowspec route issuing method described above.
The invention provides a BGP Flowspec route issuing method and device. The method sends, to the local device, a BGP Flowspec route containing the flow control policy together with the address information of the port with abnormal traffic; the local device applies the flow control policy to the corresponding port in a targeted manner according to that address information, thereby realizing flow control of the attacked port and avoiding flow control of all ports. Flow control of the device ports thus becomes more flexible, network security and availability are improved, and hardware resources are saved.
Drawings
Fig. 1 is a schematic diagram of an application scenario of a BGP Flowspec route issuing method in an embodiment of the present invention;
Fig. 2 is a flowchart of a BGP Flowspec route issuing method according to an embodiment of the present invention;
Fig. 3 is a diagram of an extended community attribute field in an embodiment of the invention;
Fig. 4 is a flowchart of a BGP Flowspec route issuing method according to another embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a BGP Flowspec route issuing device in an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a BGP Flowspec route issuing device in another embodiment of the present invention.
Detailed Description
In order to make the objects, features and advantages of the present invention more apparent and understandable, the embodiments of the present invention will be described in detail and fully with reference to the accompanying drawings. The exemplary embodiments, however, may be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics of the invention may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the invention. One skilled in the relevant art will recognize, however, that the invention may be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the invention.
Furthermore, the drawings are merely schematic illustrations of the invention and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Although the steps of the method of the present invention are depicted in the drawings in a particular order, this does not require or imply that the steps must be performed in this particular order, or that all of the depicted steps must be performed, to achieve desirable results. The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the steps. For example, some steps may be decomposed, some steps may be combined or partially combined, and thus the actual execution order may be changed according to the actual situation. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
Both Denial of Service (DoS) attacks and Distributed Denial of Service (DDoS) attacks are network attack modes for preventing a legitimate user from accessing a Service normally, and DoS/DDoS attacks refer to malicious attacks that a large number of useless messages are continuously sent to target equipment to occupy target bandwidth and host resources and generate huge attack traffic, so that the target equipment cannot be used normally or even a system is broken down. The conventional method for detecting DoS/DDoS attacks generally performs traffic cleaning on all devices when detecting that a certain device is attacked by traffic.
One method for preventing DoS and DDoS attacks in the related art is to use BGP Flowspec routes to control all ports of each device for traffic cleaning. A BGP Flowspec peer relationship is established between the device that transmits the BGP Flowspec route and the network entrance device; when the BGP Flowspec peer receives the BGP Flowspec route, the optimal route is converted into a flow control policy of the forwarding layer, so as to control the attack traffic. For example, dynamic BGP Flowspec implements real-time monitoring of the network and fast response to attack traffic by deploying a traffic analysis server, and static BGP Flowspec creates BGP Flowspec routes according to the characteristics of common attack traffic to implement pre-protection against it. A BGP Flowspec route comprises network layer reachability information used for the traffic matching rule and extended community attributes used for the traffic processing behavior; after receiving the BGP Flowspec route, each device in the system generates a flow control policy from it and applies the policy to each of its ports, so as to realize flow control of each port. BGP (Border Gateway Protocol) is a dynamic routing protocol used between Autonomous Systems (ASes), mainly to exchange reachability routing information between ASes, construct propagation paths between ASes, prevent routing loops, and apply routing policies at the AS level. BGP is widely used between internet service providers as the standard external routing protocol of the internet.
In this method, after receiving the BGP Flowspec route, the attacked device cannot determine whether an attacked port exists on the device, nor which port suffers from the traffic attack, and thus cannot apply the flow control policy to the attacked port in a targeted manner. Applying the flow control policy to all ports, however, wastes system resources on the one hand and, on the other hand, prevents the system from working normally because the traffic of all ports is cleaned.
In view of the above problems in the prior art, the present invention provides a BGP Flowspec route issuing method, which includes: sending a combination of sampled traffic and address information of at least one port to a server, so that the server creates an extended community attribute field corresponding to the port with abnormal traffic when detecting that the traffic of any port is abnormal, wherein the extended community attribute field comprises the address information of the corresponding port; receiving a message sent by the server that contains a BGP Flowspec route and at least one extended community attribute field; and if the address information of the port included in the extended community attribute field is the address information of a local port, issuing the BGP Flowspec route to the port corresponding to the extended community attribute field. This BGP Flowspec route issuing method acquires the address information of the port subjected to the traffic attack at the moment it detects that a device is under traffic attack, and, after determining the flow control policy to apply to that port, sends the BGP Flowspec route containing the flow control policy together with an extended community attribute field containing the address information of the attacked port to each device in the system; a device receiving the extended community attribute field can judge from the address information it contains whether the local device has the corresponding port, so that the flow control policy is applied to the attacked port in a targeted manner, flow control of all ports is avoided, flow control of the device ports is more flexible, network security and availability are improved, and hardware resources are saved.
The BGP Flowspec route issuing method and apparatus in this exemplary embodiment are mainly applied to network devices with BGP Flowspec capability, such as service routers, core routers, and other network devices. Fig. 1 is a schematic diagram illustrating an exemplary application scenario architecture to which a BGP Flowspec route issuing method according to an embodiment of the present invention may be applied. As shown in Fig. 1, the border routers R3 and R4 (i.e., the devices that may be attacked by traffic) are connected to the autonomous systems R1 and R2, respectively; the traffic analysis server receives traffic sampling information for each port of the border routers R3 and R4, and sends a message including a BGP Flowspec route and an extended community attribute to R3 and R4 when it detects abnormal traffic information. Optionally, a route reflector R5 (Flow Reflector, abbreviated Flow RR) is further disposed between the traffic analysis server and the border routers R3, R4 and the router R6; peer relationships are established between R5 and R3, R4, R6 and the traffic analysis server, and the traffic analysis server sends the packet to each border router through R5, which avoids the bandwidth capacity the traffic analysis server would need to send the packet to multiple routers directly and accordingly improves its performance. Alternatively, AS300 may be an intranet in which the traffic analysis server is interconnected with a plurality of terminal devices such as R3, R4, and R6, and R1 and R2 may be external autonomous systems. The BGP Flowspec route issuing method in this exemplary embodiment may be executed by the border router R3 and/or R4, or by the traffic analysis server, which is not particularly limited in this exemplary embodiment.
An exemplary embodiment of the present invention is described in detail as an example in which the BGP Flowspec route distribution method is executed by the border router R3 and/or R4. Fig. 2 is a flowchart of a BGP Flowspec route issuing method according to an embodiment of the present invention; as shown in fig. 2, the BGP Flowspec route issuing method includes the following steps:
step S21: the method comprises the steps that a sampled combination of at least one port flow and address information is sent to a server, so that the server creates an extended community attribute field corresponding to a flow abnormal port when detecting that the flow of any port is abnormal, wherein the extended community attribute field comprises the address information of the corresponding port;
In the application scenario shown in Fig. 1, the border routers R3 and R4 are connected to the autonomous systems through a plurality of ports for traffic transmission. The traffic of each port may be sampled by a sampling module arranged in the border router or by an externally arranged sampling module; after the sampling data is obtained, the border router sends the sampling data of each port together with the address information of the corresponding port to the traffic analysis server. Alternatively, the address information of the port may be information that directly locates a specific port of a specific router, or may be combined information including the address information of the border router and a port index value.
In an exemplary embodiment, the traffic anomaly may be detected by a method of setting a threshold, and the step S21 of causing the server to create the extended community attribute field corresponding to the traffic anomaly port when detecting that traffic of any port is anomalous may specifically include:
and when detecting that the flow of any port is greater than a preset value, the server creates an extended community attribute field corresponding to the port with the flow greater than the preset value.
In an exemplary embodiment, the extended community attribute field is shown in Fig. 3 and comprises eight bytes:
the first byte is the extended community attribute type (Type), with the value 0x07 or 0x47;
the second byte is the sub-type (Sub-Type) of the extended community attribute, with the value 0x03;
the third and fourth bytes are the physical index value of the port receiving the traffic, taking values from 1 to 65535; optionally, the identification address of the device port uses the ingressPhysicalInterface attribute (field No. 252) of the IPFIX sampling protocol;
the fifth to eighth bytes are the device address, representing the IP address of the device; preferably, the device address is a loopback interface address, which improves the stability of the network system; optionally, the source address of the device is sampled using the exporterIPv4Address attribute (field No. 130) of the IPFIX sampling protocol.
Step S23: receiving a message which is sent by the server and contains a BGP Flowspec route and at least one extended community attribute field;
In an exemplary embodiment, a route reflector R5 is further disposed between the traffic analysis server and the border router, and the traffic analysis server sends the packet including the BGP Flowspec route and at least one extended community attribute field to the route reflector; step S23 may then include: the border router receives the packet forwarded by the route reflector that includes the BGP Flowspec route and at least one extended community attribute field. In this embodiment, the route reflector serves as the forwarding device, so that the bandwidth occupancy of the traffic analysis server is reduced and its communication performance is improved.
In step S23, the packet received by the border router may include one extended community attribute field, or may include a plurality of extended community attribute fields. In an exemplary embodiment, when a traffic analysis server detects that a plurality of ports have traffic anomalies, a plurality of extended community attribute fields are correspondingly created, after any border router receives a message containing the plurality of extended community attribute fields, all the extended community attribute fields need to be analyzed one by one, and if the currently detected extended community attribute field contains address information of a local port, after the flow control is performed on the port corresponding to the currently detected extended community attribute field, the next extended community attribute field is analyzed until the detection of all the extended community attribute fields is completed.
Step S25: and under the condition that the address information of the port included in the extended community attribute field is the address information of a local port, the BGP Flowspec route is issued to the port corresponding to the extended community attribute field.
In an exemplary embodiment, if the address information of the port is combined information including the address information of a border router and a port index value, determining whether the address information of the port included in the extended community attribute field is the address information of a local port may include: judging whether the border router address contained in the extended community attribute field is the address of the local device (namely the border router receiving the message); if it is not the address of the local device, the port corresponding to the extended community attribute field is not on the local device, processing of this extended community attribute field ends, and processing of the next extended community attribute field begins; if it is the address of the local device, the port corresponding to the extended community attribute field is on the local device, and the specific port is then determined from the port index value contained in the extended community attribute field. In another exemplary embodiment, the address information of the port does not separately identify the border router and the port: for example, the ports of all border routers have unique encoding information, and the port corresponding to the extended community attribute field can be located directly through this encoding, that is, whether a corresponding interface exists on the local device can be determined directly from the address information of the port included in the extended community attribute field.
In an exemplary embodiment, the issuing the BGP Flowspec route to the port corresponding to the extended community attribute field further includes: generating a flow control strategy according to the BGP Flowspec route; and issuing the flow control strategy to a port corresponding to the extended community attribute field.
The BGP Flowspec route is a BGP route defined by the RFC 5575 standard and includes BGP network layer reachability information of the Flow Spec type (BGP Flow Spec NLRI) and extended community attributes. The BGP Flowspec route is used to transfer the flow control policy to the border router: the network layer reachability information carries the matching condition for the traffic, and the extended community attributes carry the action to be executed once traffic matches. RFC 5575 defines 12 common traffic matching rules, such as destination address, source address, IP protocol number, port number, destination port number, source port number, ICMP type, ICMP code, TCP flag bits, DSCP, and fragmentation type; these matching rules are encapsulated in the BGP Flow Specification route as network layer reachability information. RFC 5575 also defines 4 commonly used traffic processing behaviors, namely dropping traffic, rate-limiting traffic, modifying the DSCP value of a packet, and redirecting traffic (redirect actions); these processing behaviors are carried in the BGP Flow Spec route as extended community attributes. In summary, after determining the attacked port from the extended community attribute field, the border router determines the flow control policy applied to that port from the traffic matching rule and traffic processing behavior included in the BGP Flowspec route, and then applies the policy to the port, so as to solve the problem that excessive traffic prevents the port from operating normally.
Another exemplary embodiment of the present invention provides a BGP Flowspec route issuing method that uses a traffic analysis server as an execution subject. Fig. 4 is a flowchart of a BGP Flowspec route issuing method according to an embodiment of the present invention; as shown in fig. 4, the BGP Flowspec route issuing method includes the following steps:
step S41: receiving, from at least one device, a sampled combination of traffic and address information of at least one port;
step S43: when detecting that the flow of any port is abnormal, creating an extended community attribute field corresponding to the abnormal port of the flow, wherein the extended community attribute field comprises the address information of the corresponding port;
step S45: and sending a message containing a BGP Flowspec route and at least one extended community attribute field to each device, so that the device sends the BGP Flowspec route to a port corresponding to the extended community attribute field when the address information of the port included in the extended community attribute field is the address information of a local port.
It can be understood that the embodiments of the BGP Flowspec route issuing method using the border router as the execution subject may also be correspondingly applied to the BGP Flowspec route issuing method using the traffic analysis server as the execution subject, and details are not described here.
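The per-port extended community of Fig. 3, the server's threshold check (steps S41 to S45) and the border router's local-port check (step S25), as an added Python example that is not code from the patent or from ZTE; the addresses, interface indexes, sampled rates, the Flowspec NLRI bytes and AS 300 are constructed sample values, and the RFC 5575 parsing covers only the component types the description lists.

```python
"""Added example, not code from the patent or ZTE: builds and parses the 8-byte
per-port extended community of Fig. 3 (type 0x07/0x47, sub-type 0x03, port
index, device address), the server's threshold check, a minimal RFC 5575 NLRI
and traffic-rate decoder, and the border router's local-port check (step S25).
Addresses, interface indexes, rates and AS 300 are constructed sample values."""
import ipaddress
import struct

PORT_EC_TYPE, PORT_EC_SUBTYPE = 0x07, 0x03   # values given in the description
RATE_EC_TYPE, RATE_EC_SUBTYPE = 0x80, 0x06   # RFC 5575 traffic-rate action
CMP = {1: "==", 2: ">", 3: ">=", 4: "<", 5: "<=", 6: "!=", 7: "any"}
NAMES = {1: "dst_prefix", 2: "src_prefix", 3: "ip_proto", 4: "port",
         5: "dst_port", 6: "src_port"}


def encode_port_community(ifindex, device_ip, transitive=True):
    """Step S43: one field per anomalous port. With IPFIX sampling the index is
    ingressPhysicalInterface (IE 252) and the address exporterIPv4Address (IE 130)."""
    if not 1 <= ifindex <= 65535:
        raise ValueError("port index must be 1..65535")
    ec_type = PORT_EC_TYPE if transitive else PORT_EC_TYPE | 0x40   # 0x47
    return struct.pack("!BBH4s", ec_type, PORT_EC_SUBTYPE, ifindex,
                       ipaddress.IPv4Address(device_ip).packed)


def decode_port_community(ec):
    """(ifindex, device_ip) for a per-port field, None for any other community."""
    if len(ec) != 8 or ec[0] not in (0x07, 0x47) or ec[1] != PORT_EC_SUBTYPE:
        return None
    ifindex, raw = struct.unpack("!2xH4s", ec)
    return ifindex, str(ipaddress.IPv4Address(raw))


def decode_traffic_rate(ec):
    """(asn, bytes/s) for an RFC 5575 traffic-rate action (rate 0 = drop), else None."""
    if len(ec) != 8 or ec[0] != RATE_EC_TYPE or ec[1] != RATE_EC_SUBTYPE:
        return None
    return struct.unpack("!2xHf", ec)


def detect_anomalous_ports(samples, threshold_bps):
    """Server threshold rule: samples are (device_ip, ifindex, bytes/s) tuples
    reported by the routers; one community per port above the preset value."""
    return [encode_port_community(ifx, ip) for ip, ifx, rate in samples if rate > threshold_bps]


def parse_flowspec_nlri(data):
    """Minimal RFC 5575 NLRI parser: prefixes plus the numeric components
    IP protocol / port / dst port / src port, enough for typical DDoS rules."""
    length, start = data[0], 1
    if length >= 0xF0:                       # two-byte length form
        length, start = ((length & 0x0F) << 8) | data[1], 2
    body, i, rules = data[start:start + length], 0, {}
    while i < len(body):
        ctype, i = body[i], i + 1
        if ctype in (1, 2):                  # prefix length byte + minimal prefix bytes
            plen, nbytes = body[i], (body[i] + 7) // 8
            raw = body[i + 1:i + 1 + nbytes].ljust(4, b"\x00")
            rules[NAMES[ctype]] = str(ipaddress.IPv4Network((raw, plen), strict=False))
            i += 1 + nbytes
        elif ctype in NAMES:                 # {operator, value} list, RFC 5575 section 4
            terms = []
            while True:
                op = body[i]
                vlen = 1 << ((op >> 4) & 0x3)
                value = int.from_bytes(body[i + 1:i + 1 + vlen], "big")
                terms.append(("and" if op & 0x40 else "or", CMP[op & 0x07], value))
                i += 1 + vlen
                if op & 0x80:                # end-of-list bit
                    break
            rules[NAMES[ctype]] = terms
        else:
            raise ValueError(f"unsupported Flowspec component type {ctype}")
    return rules


def apply_on_border_router(nlri, communities, local_loopback, local_ifindexes):
    """Step S25: examine every extended community in turn and bind the rule only
    to ports whose device address is this router's loopback and whose index
    exists locally; returns [(ifindex, match, action), ...]."""
    match, action = parse_flowspec_nlri(nlri), "permit"
    for ec in communities:
        tr = decode_traffic_rate(ec)
        if tr is not None:
            action = "drop" if tr[1] == 0 else f"rate-limit {tr[1]:.0f} B/s"
    bound = []
    for ec in communities:
        port = decode_port_community(ec)
        if port and port[1] == local_loopback and port[0] in local_ifindexes:
            bound.append((port[0], match, action))
    return bound


# Constructed scenario: R3 (loopback 192.0.2.3, ports 10 and 11) and R4
# (192.0.2.4, port 7) report samples; the server flags two ports and announces
# "drop UDP/53 toward 10.1.1.0/24" with one per-port field per flagged port.
SAMPLES = [("192.0.2.3", 10, 9.0e8), ("192.0.2.3", 11, 2.0e6), ("192.0.2.4", 7, 7.5e8)]
NLRI = bytes.fromhex("0c01180a010103811105910035")   # dst 10.1.1.0/24, proto 17, dport 53
COMMUNITIES = [struct.pack("!BBHf", 0x80, 0x06, 300, 0.0)] + detect_anomalous_ports(SAMPLES, 1.0e8)

if __name__ == "__main__":
    for name, lo, ports in (("R3", "192.0.2.3", {10, 11}), ("R4", "192.0.2.4", {7})):
        print(name, apply_on_border_router(NLRI, COMMUNITIES, lo, ports))
```

Run as a script, R3 binds the drop rule to port 10 only and R4 to port 7 only; a router whose loopback matches no field (such as R6) binds nothing.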
Another exemplary embodiment of the present invention provides a BGP Flowspec route issuing device, and fig. 5 is a schematic structural diagram of a BGP Flowspec route issuing device in an embodiment of the present invention. As shown in fig. 5, the BGP Flowspec route issuing device 50 includes:
a sending module 52, configured to send a combination of the sampled traffic and address information of at least one port to a server, so that when detecting that traffic of any port is abnormal, the server creates an extended community attribute field corresponding to the port with abnormal traffic, where the extended community attribute field includes address information of the corresponding port;
a receiving module 54, configured to receive a packet sent by the server and including a BGP Flowspec route and at least one extended community attribute field;
and an issuing module 56, configured to issue the BGP Flowspec route to the port corresponding to the extended community attribute field when the address information of the port included in the extended community attribute field is address information of a local port.
In an exemplary embodiment, the issuing module 56 includes a route issuing module, configured to issue the BGP Flowspec route to the port corresponding to the extended community attribute field, according to the port index value in that field, when the device address included in the extended community attribute field is the address of this device.
In an exemplary embodiment, the issuing module 56 includes: a flow control policy generating module, configured to generate a flow control policy according to the BGP Flowspec route; and
a flow control policy issuing module, configured to issue the flow control policy to the port corresponding to the extended community attribute field.
In an exemplary embodiment, the receiving module 54 includes a forwarding receiving module, configured to receive the packet, forwarded by a route reflector, that contains the BGP Flowspec route and at least one extended community attribute field.
In an exemplary embodiment, the BGP Flowspec route issuing device 50 further includes: a detection module, configured to detect the N extended community attribute fields one by one when the packet includes the N extended community attribute fields until the extended community attribute field including the address information of the local port is detected or detection of all the extended community attribute fields is completed; wherein N is a positive integer greater than 1.
Another exemplary embodiment of the present invention provides a BGP Flowspec route issuing device, and fig. 6 is a schematic structural diagram of the BGP Flowspec route issuing device in the embodiment of the present invention. As shown in fig. 6, the BGP Flowspec route issuing device 60 includes:
a receiving module 62, configured to receive, from at least one device, a combination of sampled traffic and address information for at least one port;
a creating module 64, configured to create, when the traffic of any port is detected to be abnormal, an extended community attribute field corresponding to the port with abnormal traffic, where the extended community attribute field includes the address information of that port;
a sending module 66, configured to send a packet including a BGP Flowspec route and at least one extended community attribute field to each device, so that when the address information of the port included in an extended community attribute field is the address information of one of its local ports, the device issues the BGP Flowspec route to the port corresponding to that extended community attribute field.
The specific details of each module/unit in the BGP Flowspec route issuing device have already been described in the corresponding BGP Flowspec route issuing method section and are not repeated here. It should be noted that although the above detailed description mentions several modules or units of the device that execute actions, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit according to embodiments of the invention. Conversely, the features and functions of one module or unit described above may be further divided and embodied by a plurality of modules or units.
In addition to the above described methods and apparatus, embodiments of the invention may also be computer program products comprising computer program instructions which, when executed by a processor, cause the processor to perform the steps in the methods according to various embodiments of the invention described in the "exemplary methods" section of this specification above.
The program code of the computer program product for carrying out operations of embodiments of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
Another embodiment of the present invention provides an electronic device, which may be used to execute all or part of the steps of the method or the network control method described in this exemplary embodiment. The device comprises: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to cause the at least one processor to perform steps in a method according to various embodiments of the present invention described in the "exemplary method" section above.
Another embodiment of the present invention provides a computer-readable storage medium having stored thereon computer program instructions which, when executed by a processor, cause the processor to perform the steps in the method according to various embodiments of the present invention described in the "exemplary method" above in this specification.
The computer readable storage medium may take any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may include, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
The basic principles of the present invention have been described above with reference to specific embodiments, but it should be noted that the advantages, effects, etc. mentioned in the present invention are only examples and are not limiting, and the advantages, effects, etc. must not be considered to be possessed by various embodiments of the present invention. Furthermore, the foregoing disclosure of specific details is for the purpose of illustration and description and is not intended to be limiting, since the invention is not limited to the specific details described above.
The block diagrams of the devices, apparatuses and systems involved in the present invention are given only as illustrative examples and are not intended to require or imply that the connections, arrangements, configurations, etc. must be made in the manner shown in the block diagrams. These devices, apparatuses and systems may be connected, arranged and configured in any manner, as will be appreciated by one skilled in the art. Words such as "including," "comprising," "having," and the like are open-ended words that mean "including, but not limited to," and are used interchangeably therewith. As used herein, the words "or" and "and" refer to, and are used interchangeably with, the word "and/or," unless the context clearly dictates otherwise. The word "such as" is used herein to mean, and is used interchangeably with, the phrase "such as but not limited to."
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This invention is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the invention and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.
It will be understood that the invention is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the invention is limited only by the appended claims.

Claims (13)

1. A BGP Flowspec route issuing method is characterized by comprising the following steps:
sending a combination of sampled traffic and address information of at least one port to a server, so that the server creates an extended community attribute field corresponding to a port with abnormal traffic when detecting that the traffic of any port is abnormal, wherein the extended community attribute field comprises the address information of the corresponding port;
receiving a packet sent by the server and containing a BGP Flowspec route and at least one extended community attribute field; and
in the case that the address information of the port included in the extended community attribute field is the address information of a local port, issuing the BGP Flowspec route to the port corresponding to the extended community attribute field.
2. The BGP Flowspec route issuing method according to claim 1, wherein the server creating the extended community attribute field corresponding to a port with abnormal traffic when detecting that the traffic of any port is abnormal comprises:
when detecting that the traffic of any port is greater than a preset value, the server creating an extended community attribute field corresponding to the port whose traffic is greater than the preset value.
3. The BGP Flowspec route issuing method according to claim 1, wherein the address information comprises a device address and a port index value.
4. The BGP Flowspec route issuing method according to claim 3, wherein, in the case that the address information of the port included in the extended community attribute field is the address information of a local port, issuing the BGP Flowspec route to the port corresponding to the extended community attribute field comprises:
if the device address included in the extended community attribute field is the address of this device, issuing the BGP Flowspec route to the port corresponding to the extended community attribute field according to the port index value in the extended community attribute field.
5. The BGP Flowspec route issuing method according to claim 3, wherein the extended community attribute field comprises eight bytes: the first byte is the extended community attribute type, the second byte is the sub-type, the third and fourth bytes are the port index value, and the fifth to eighth bytes are the device address.
6. The BGP Flowspec route issuing method according to claim 1, wherein issuing the BGP Flowspec route to the port corresponding to the extended community attribute field comprises:
generating a flow control policy according to the BGP Flowspec route; and
issuing the flow control policy to the port corresponding to the extended community attribute field.
7. The BGP Flowspec route issuing method according to claim 1, wherein receiving the packet sent by the server and containing the BGP Flowspec route and at least one extended community attribute field comprises:
receiving the packet forwarded by a route reflector, the packet containing the BGP Flowspec route and at least one extended community attribute field.
8. The BGP Flowspec route issuing method according to any of claims 1 to 7, wherein the packet includes N extended community attribute fields, where N is a positive integer greater than 1;
after receiving the packet sent by the server and containing the BGP Flowspec route and the at least one extended community attribute field, the method further comprises:
detecting the N extended community attribute fields one by one until the extended community attribute field including the address information of the local port is detected or detection of all the extended community attribute fields is completed.
9. A BGP Flowspec route issuing method is characterized by comprising the following steps:
receiving, from at least one device, a combination of sampled traffic and address information for at least one port;
when detecting that the traffic of any port is abnormal, creating an extended community attribute field corresponding to the port with abnormal traffic, wherein the extended community attribute field comprises the address information of the corresponding port; and
sending a packet containing a BGP Flowspec route and at least one extended community attribute field to each device, so that the device issues the BGP Flowspec route to the port corresponding to the extended community attribute field when the address information of the port included in the extended community attribute field is the address information of a local port.
10. A BGP Flowspec route issuing device is characterized by comprising:
the system comprises a sending module, a receiving module and a processing module, wherein the sending module is used for sending a combination of sampled flow and address information of at least one port to a server, so that the server creates an extended community attribute field corresponding to a flow abnormal port when detecting that the flow of any port is abnormal, and the extended community attribute field comprises the address information of the corresponding port;
a receiving module, configured to receive a packet sent by the server and including a BGP Flowspec route and at least one extended community attribute field;
and the issuing module is used for issuing the BGP Flowspec route to the port corresponding to the extended community attribute field under the condition that the address information of the port included in the extended community attribute field is the address information of a local port.
11. A BGP Flowspec route issuing device is characterized by comprising:
a receiving module, configured to receive, from at least one device, a combination of sampled traffic and address information for at least one port;
a creating module, configured to create an extended community attribute field corresponding to a port with abnormal traffic when detecting that the traffic of any port is abnormal, wherein the extended community attribute field comprises the address information of the corresponding port; and
a sending module, configured to send a packet containing the BGP Flowspec route and at least one extended community attribute field to each device, so that the device issues the BGP Flowspec route to the port corresponding to the extended community attribute field when the address information of the port included in the extended community attribute field is the address information of a local port.
12. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the BGP Flowspec route issuing method of any one of claims 1 to 8 or the BGP Flowspec route issuing method of claim 9.
13. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the BGP Flowspec route issuing method of any one of claims 1 to 8 or the BGP Flowspec route issuing method of claim 9.

Priority Applications (2)

Application Number | Publication | Priority Date | Filing Date | Title
CN202111130040.4A | CN115941223A (en) | 2021-09-26 | 2021-09-26 | BGP Flowspec route issuing method and device, storage medium and electronic equipment
PCT/CN2022/119622 | WO2023045865A1 (en) | 2021-09-26 | 2022-09-19 | BGP Flowspec route issuing method and apparatus, and storage medium, and electronic device

Publications (1)

Publication Number | Publication Date
CN115941223A (en) | 2023-04-07

Family ID: 85720039


Also Published As

Publication number Publication date
WO2023045865A1 (en) 2023-03-30


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination