CN115941255A - ARP table entry-host routing method and device, electronic equipment and storage medium - Google Patents

ARP table entry-host routing method and device, electronic equipment and storage medium

Info

Publication number
CN115941255A
Authority
CN
China
Prior art keywords
blacklist
message
arp table
switch
host
Prior art date
Legal status
Pending
Application number
CN202211297423.5A
Other languages
Chinese (zh)
Inventor
钟宇青
盧彥呈
紀柏雄
Current Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Original Assignee
Suzhou Inspur Intelligent Technology Co Ltd

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method and a device for converting ARP table entries into host routes, an electronic device and a storage medium, applied to a switch, where the switch is connected to a traffic monitoring device and the traffic monitoring device is connected to a terminal. The method comprises the following steps: when a first message from the terminal, forwarded by the traffic monitoring device, is received, sending a blacklist acquisition request to the traffic monitoring device to acquire a first blacklist; determining, based on the first blacklist, whether to convert the ARP table entry into a host route; determining to perform the conversion when the source IP address of the first message is not in the first blacklist; and determining not to perform the conversion when the source IP address of the first message is in the first blacklist. The method and device decide whether to convert an entry into a host route through a dynamically updated blacklist, so the user does not need to configure the conversion manually, and malicious host routes are prevented from being issued to the network and raising the gateway load.

Description

ARP table entry-host routing method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for converting an ARP entry into a host route, an electronic device, and a storage medium.
Background
In the related art, switches generally fall into three categories. In the first, all ARP (Address Resolution Protocol) table entries are converted into host routes, that is, every ARP entry is issued as a host route. In the second, ARP entries are converted into host routes according to restrictions set by the user, that is, the user configures which ARP entries may be issued as host routes. In the third, host routes are issued per interface, that is, specific interfaces are configured for host routing and only entries learned through those interfaces are converted into host routes. All three are active host-routing setups: the user must explicitly configure which ARP entries may be converted into host routes, which makes operation cumbersome, and the issuing of host routes for malicious ARP entries cannot be prevented in time.
Disclosure of Invention
In view of this, the present invention provides a method, an apparatus, an electronic device and a storage medium for converting an ARP entry into a host route, so as to solve the problems that the user needs to manually configure ARP entry-to-host routing, that the operation is complicated, and that the issuing of host routes for malicious ARP entries cannot be prevented in time.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
An ARP table entry-to-host routing method is applied to a switch, where the switch is connected to a traffic monitoring device and the traffic monitoring device is connected to a terminal; the method comprises the following steps:
under the condition of receiving a first message from the terminal forwarded by the traffic monitoring equipment, sending a blacklist acquisition request to the traffic monitoring equipment to acquire a first blacklist;
determining whether to perform ARP table entry-to-host routing based on the first blacklist;
determining to perform ARP table entry-to-host routing under the condition that the source IP address of the first message is not in the first blacklist;
and under the condition that the source IP address of the first message is in the first blacklist, determining not to perform ARP table entry-to-host routing.
Further, the method further comprises:
under the condition of receiving a second message from the terminal forwarded by the traffic monitoring equipment, sending a blacklist acquisition request to the traffic monitoring equipment so as to acquire a second blacklist obtained by updating the first blacklist by the traffic monitoring equipment;
determining whether to perform ARP table entry-to-host routing based on the second blacklist;
determining to perform ARP table entry to host routing under the condition that the source IP address of the second message is not in the second blacklist;
and under the condition that the source IP address of the second message is in the second blacklist, determining not to perform ARP table entry-to-host routing.
Further, before the sending the blacklist acquisition request to the traffic monitoring device, the method further includes:
acquiring interface information of the switch;
and under the condition that ARP table entry-to-host routing is enabled on the interface, determining the source IP address of the first message through the ARP table entry corresponding to the first message.
Further, before the sending the blacklist acquisition request to the traffic monitoring device, the method further includes:
acquiring interface information of the switch;
under the condition that ARP table entry-to-host routing is not enabled on the interface, not sending a blacklist acquisition request to the traffic monitoring device;
the sending of the blacklist acquisition request to the traffic monitoring device includes:
and sending a blacklist acquisition request to the traffic monitoring device under the condition that it is determined that ARP table entry-to-host routing is enabled on the interface.
The invention also aims to provide a method for converting ARP table entries into host routes, so as to solve the problems that the related art requires the user to manually configure ARP table entry-to-host routing, that the operation is complicated, and that the issuing of host routes for malicious ARP table entries cannot be prevented in time.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
An ARP table entry-to-host routing method is applied to a traffic monitoring device, where the traffic monitoring device is connected to a terminal and to a switch, respectively; the method comprises the following steps:
when receiving a first message sent by the terminal, forwarding the first message to the switch, and monitoring the flow of the first message;
obtaining a first blacklist based on the result of the flow monitoring;
and when a blacklist acquisition request sent by the switch based on the first message is received, sending the first blacklist to the switch.
Further, the method further comprises:
and updating the first blacklist in real time in the process that the flow monitoring equipment continuously receives the flow.
Further, the method further comprises:
when a second message sent by the terminal is received, forwarding the second message to the switch, and monitoring the flow of the second message;
updating the first blacklist which is updated last time based on the result of the flow monitoring to obtain a second blacklist;
updating the second blacklist in real time in the process of continuously receiving the flow;
and when a blacklist acquisition request sent by the switch based on the second message is received, sending the second blacklist updated last time to the switch.
Another objective of the present invention is to provide an ARP entry-to-host routing apparatus, so as to solve the problems that the related art requires a user to manually configure ARP entry-to-host routing, that the operation is complicated, and that malicious ARP entries cannot be prevented from being issued as host routes in time.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
An ARP table entry-to-host routing apparatus is applied to a switch, where the switch is connected to a traffic monitoring device and the traffic monitoring device is connected to a terminal; the apparatus comprises:
a receiving module, configured to receive a first packet from the terminal, where the first packet is forwarded by the traffic monitoring device;
an obtaining module, configured to send a blacklist obtaining request to the traffic monitoring device to obtain a first blacklist when receiving a first message from the terminal forwarded by the traffic monitoring device;
a determining module, configured to determine whether to issue the host route based on the first blacklist;
a first determining sub-module, configured to determine to perform ARP table entry to host routing when the source IP address of the first packet is not in the first blacklist;
and a second determining submodule, configured to determine not to perform ARP table entry-to-host routing when the source IP address of the first packet is in the first blacklist.
Compared with the prior art, the ARP table entry-to-host routing apparatus has the same advantages as the ARP table entry-to-host routing method, which are not described herein again.
Another objective of the present invention is to provide an ARP entry-to-host routing apparatus, so as to solve the problems that the related art requires a user to manually configure ARP entry-to-host routing, that the operation is cumbersome, and that malicious ARP entries cannot be prevented from being distributed as host routes in time.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
An ARP table entry-to-host routing apparatus is applied to a traffic monitoring device, where the traffic monitoring device is connected to a terminal and to a switch, respectively; the apparatus comprises:
the receiving module is used for receiving a first message sent by the terminal;
the forwarding module is used for forwarding a first message sent by the terminal to the switch when receiving the first message;
the traffic monitoring module is used for monitoring the traffic of the first message when receiving the first message sent by the terminal;
the determining module is used for obtaining a first blacklist based on the flow monitoring result;
and the sending module is used for sending the first blacklist to the switch when receiving a blacklist obtaining request sent by the switch based on the first message.
Compared with the prior art, the ARP table entry-to-host routing apparatus has the same advantages as the ARP table entry-to-host routing method, which are not described herein again.
Another objective of the present invention is to provide an electronic device, so as to solve the problems that the related art requires a user to manually configure ARP entry-to-host routing, that the operation is complicated, and that malicious ARP entries cannot be prevented from being issued as host routes in time.
An electronic device comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor implements the steps of the ARP table entry-to-host routing method when executing the computer program.
Compared with the prior art, the electronic device has the same advantages as the method for converting an ARP table entry into a host route, which are not described herein again.
Another objective of the present invention is to provide a computer-readable storage medium, so as to solve the problems that the related art requires a user to manually configure ARP entry-to-host routing, that the operation is complicated, and that malicious ARP entries cannot be prevented from being issued as host routes in time.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
a computer-readable storage medium storing a computer program for executing the ARP table entry-to-host routing method described above.
Compared with the prior art, the computer-readable storage medium has the same advantages as the ARP table entry-to-host routing method, which are not described herein again.
Compared with the prior art, the host route issuing method of the invention has the following advantages:
under the condition that a first message from the terminal forwarded by the traffic monitoring device is received, a blacklist acquisition request is sent to the traffic monitoring device to acquire a first blacklist; based on the first blacklist, it is determined whether to convert the ARP table entry into a host route; the conversion is performed when the source IP address of the first message is not in the first blacklist, and not performed when it is. That is, on receiving a traffic message from the terminal, the invention obtains the blacklist recorded by traffic monitoring and decides whether to perform host routing by checking whether the source IP address of the message is in that blacklist. Meanwhile, the traffic monitoring device monitors the traffic sent to the switch in real time, so the switch can discover malicious ARP table entries in time through the blacklist and prevent them from being converted into host routes and issued.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate an embodiment of the invention and, together with the description, serve to explain the invention and not to limit the invention. In the drawings:
FIG. 1 shows a schematic structural diagram of an unstacked server architecture in the prior art;
fig. 2 is a flowchart illustrating the steps of a method for converting an ARP entry into a host route according to an embodiment of the present invention;
fig. 3 is a flowchart illustrating the steps of a method for converting an ARP entry into a host route according to a second embodiment of the present invention;
fig. 4 is a flowchart illustrating the steps of a method for converting an ARP entry into a host route according to a third embodiment of the present invention;
fig. 5 is a schematic diagram illustrating the control logic for converting an ARP entry into a host route on an interface of a switch according to the third embodiment of the present invention;
FIG. 6 is a diagram illustrating a server architecture according to the third embodiment of the present invention;
fig. 7 shows a control logic diagram for converting an ARP table entry into a host route according to the third embodiment of the present invention;
fig. 8 is a schematic structural diagram illustrating an ARP table entry-to-host routing apparatus according to a fourth embodiment of the present invention;
fig. 9 is a schematic structural diagram illustrating an ARP table entry-to-host routing apparatus according to a fifth embodiment of the present invention.
Detailed Description
It should be noted that the embodiments and features of the embodiments of the present invention may be combined with each other without conflict.
In the related art, S-MLAG (Simple Multi-chassis Link Aggregation Group, unstacking) is bound through a special use of LACP (Link Aggregation Control Protocol), so that a server regards the two boundary devices it is connected to as a single network device. As shown in fig. 1, when one link of one edge device cannot be used, data destined for the other server must travel over the backup link, that is, through the switch below the edge device to the other edge device; in this process the other edge device has not learned the MAC address of the other server, so in the general case an ARP request must be sent again to learn the corresponding MAC address. In the S-MLAG implementation there is a reachable route between adjacent edge devices, and the MAC address can be synchronized between BGP (Border Gateway Protocol) neighbors through BGP Type 2 route distribution, so that the other edge device learns the MAC address directly without sending an ARP request, which improves the efficiency of network transmission.
However, an existing switch usually can only convert ARP entries into host routes without preventing redundant or malicious host routes from being issued to the network, or it requires the user to actively configure which ARP entries may be converted into host routes, which is tedious to operate.
In view of this, the applicant provides a method, an apparatus, an electronic device and a storage medium for converting an ARP entry into a host route, so as to solve the problem that malicious host routes cannot be prevented from being issued to the network, or that the user has to manually configure ARP entry-to-host routing.
An ARP entry-to-host routing method, apparatus, electronic device, and storage medium according to the present invention will be described in detail with reference to the accompanying drawings.
Example one
Referring to fig. 2, fig. 2 shows an ARP entry-to-host routing method provided in an embodiment of the present invention. The method in this embodiment is applied to a switch, where the switch is connected to a traffic monitoring device and the traffic monitoring device is connected to a terminal; the method includes:
S101, under the condition that a first message from the terminal forwarded by the traffic monitoring device is received, sending a blacklist acquisition request to the traffic monitoring device to acquire a first blacklist.
Specifically, the switch in the embodiment of the present invention is a boundary switch device, that is, a device that can convert ARP entries into host routes. The switch is connected to the traffic monitoring device and the traffic monitoring device is connected to the terminal, so that the terminal sends its messages to the switch through the traffic monitoring device, which monitors the traffic sent by the terminal in real time. Because the traffic monitoring device monitors the traffic sent to the switch in real time, blacklist data can be acquired directly from it, where the blacklist stores the source IP addresses of malicious traffic.
Specifically, when the ARP entry of the first message is learned, the blacklist data is acquired through an application programming interface of the traffic monitoring device and stored, so that the source IP address of the first message can be matched against the source IP addresses in the blacklist.
S102, determining, based on the first blacklist, whether to convert the ARP table entry into a host route.
Specifically, after the blacklist stored in the traffic monitoring device has been acquired by the request, the source IP address of the first packet is matched against the source IP addresses in the blacklist to determine whether the corresponding ARP entry may be converted into a host route and issued: step S103 is executed when there is no match, and step S104 when there is a match.
S103, under the condition that the source IP address of the first message is not in the first blacklist, determining to convert the ARP table entry into a host route.
Specifically, when it is determined that the source IP address of the first packet is not in the first blacklist, the ARP entry may be issued through the BGP protocol: the ARP entry is converted into a host route and the host route is issued through BGP.
S104, under the condition that the source IP address of the first message is in the first blacklist, determining not to convert the ARP table entry into a host route.
Specifically, if the source IP address of the first message is in the first blacklist, the IP address is a malicious or redundant IP; the ARP entry is not converted into a host route and no host route is issued, which avoids loading the gateway and reducing network efficiency.
In some embodiments, when the switch receives different messages, the following operations are performed:
and S105, sending a blacklist acquisition request to the traffic monitoring equipment under the condition of receiving a second message from the terminal forwarded by the traffic monitoring equipment, so as to acquire a second blacklist obtained by updating the first blacklist by the traffic monitoring equipment.
Even if different messages sent by the same source IP address are received, blacklist matching work still needs to be carried out to avoid the situation that the IP address is changed into a malicious IP address, therefore, when a second message of the terminal is received, namely the message sent by the terminal after the first message, a blacklist obtaining request still needs to be sent to the flow monitoring equipment, and at the moment, the message sent by the flow monitoring equipment is the blacklist updated after the second message is monitored. Therefore, the blacklist can be updated in real time through the flow monitoring equipment according to the flow monitoring result of the forwarded message, so that the blacklist stored by the switch is continuously updated.
And S106, determining whether to carry out ARP table entry to host routing or not based on the second blacklist.
Because the obtained blacklist is updated in real time, when the source IP address of the second message is determined, the ARP table entry is not directly issued to the host routing according to the operation result of the first message or the ARP table entry is directly abandoned to the host routing, and whether the source IP address corresponding to the second message is in the updated blacklist is inquired again, and whether the host routing is carried out or not is judged.
Specifically, when the source IP address of the second message is determined to be in the second blacklist, host-to-host routing is not performed on the ARP entry corresponding to the second message; and when the source IP address of the second message is determined not to be in the second blacklist, the ARP table entry is converted into the host routing.
According to the embodiment of the invention, when a first message from a terminal forwarded by the flow monitoring equipment is received, the blacklist is acquired from the flow monitoring equipment, whether the ARP table entry is switched to the host machine route is determined through the blacklist acquired by the flow monitoring equipment, then when a second message from the terminal forwarded by the flow monitoring equipment is received, the blacklist is acquired from the flow monitoring equipment again, whether the ARP table entry is switched to the host machine route is determined through the updated blacklist, the safety of host machine route distribution is realized through updating the blacklist in real time, and a user does not need to manually set a specific list of the ARP table entry to the host machine route, so that the user operation is reduced, and the user experience is improved. Meanwhile, the distribution of malicious and redundant host routes is reduced, and the condition of low network efficiency caused by the fact that the redundant or malicious host routes are distributed to the gateway is also avoided.
Example two
Referring to fig. 3, fig. 3 is a flowchart illustrating the steps of a method for converting an ARP entry into a host route provided in an embodiment of the present invention. The method in this embodiment is applied to a traffic monitoring device, which is connected to a terminal and to a switch, respectively. As shown in fig. 3, the method includes:
S201, when the first message of the terminal is received, forwarding the first message to the switch and monitoring the traffic of the first message.
In the embodiment of the invention, when the traffic monitoring device receives the first message of the terminal, it forwards the first message to the switch. The purpose of passing the message through the traffic monitoring device is to monitor the message traffic and determine whether it is malicious; the source IP address of malicious traffic is recorded in the blacklist so that the switch can acquire it, which prevents the switch from issuing a malicious host route to the network and raising the gateway load.
S202, obtaining a first blacklist based on the traffic monitoring result.
In a specific implementation, third-party traffic monitoring software may be configured on the traffic monitoring device. The software monitors the message traffic forwarded by the traffic monitoring device, records the source IP address and traffic information of each message flow, and determines from the traffic information whether the flow is malicious, recording the corresponding source IP address in the blacklist when it is. The traffic monitoring software may be existing traffic monitoring software, such as netflow, and the present invention is not limited in this respect.
S203, when a blacklist acquisition request sent by the switch based on a first message is received, the first blacklist is sent to the switch.
Specifically, when a blacklist acquisition request sent by the switch based on the first message is received, the first blacklist is sent to the switch, so that the switch can screen the ARP entries to be converted into host routes according to the blacklist.
In specific implementation, because the traffic monitoring device continuously receives the message and forwards the message to the switch, when the traffic monitoring device receives messages of other terminal devices and the like, the traffic monitoring device monitors the message traffic of the other devices and updates the blacklist in real time to record the malicious IP address.
When the terminal continues to send a second message, the traffic monitoring device executes the following steps:
s204, when receiving a second message sent by the terminal, forwarding the second message to the switch, and performing flow monitoring on the second message.
The traffic monitoring device continuously monitors the traffic of the forwarded messages, so when a second message from the same source IP address is received, traffic monitoring is again performed on the second message and the blacklist is reconciled with the result: if the source IP address is in the blacklist but the current monitoring result shows that it is no longer malicious, the source IP address is deleted from the blacklist; if the source IP address is not in the blacklist but the current monitoring result shows its traffic to be malicious, the source IP address is added to the blacklist.
S205, updating the most recently updated first blacklist based on the traffic monitoring result to obtain a second blacklist.
Specifically, after obtaining the first blacklist according to the monitoring result of the first message, the traffic monitoring device may also continuously perform traffic monitoring on a subsequently received message, so that when a second message of the terminal is received, the blacklist updated last time is updated according to the monitoring result of the second message, instead of the first blacklist updated according to the first message.
S206, when a blacklist acquisition request sent by the switch based on the second message is received, sending the most recently updated second blacklist to the switch.
After receiving and forwarding the second message, the traffic monitoring device continues to receive and forward other messages, such as messages sent by other terminals, so the second blacklist obtained by updating the first blacklist is itself updated continuously. Therefore, when a blacklist acquisition request from the switch is received, the most recently updated blacklist can be sent to the switch directly, which ensures that the blacklist acquired by the switch is the latest version.
In the embodiment of the invention, the traffic monitoring device monitors the traffic of the messages sent by the terminal to the switch and updates the blacklist according to the monitoring result; as the traffic monitoring device continuously receives traffic, the blacklist is updated in real time according to the monitoring result of each message. This realizes dynamic updating of the blacklist, so the blacklist acquired by the switch is likewise dynamically updated, the switch can query malicious IP addresses, and malicious host routes are prevented from being issued to the network and raising the gateway load. At the same time, the user no longer needs to manually configure a list of ARP table entries allowed to become host routes, which reduces user operation and improves the user experience.
Example three
Referring to fig. 4, fig. 4 shows a flowchart of the steps of an ARP entry-to-host routing method according to an embodiment of the present invention. The method in this embodiment is applied to a switch, where the switch is connected to a traffic monitoring device and the traffic monitoring device is connected to a terminal. As shown in fig. 4, the method includes:
s301, acquiring interface information of the switch under the condition of receiving the first message from the terminal forwarded by the traffic monitoring equipment.
In the embodiment of the invention, the operation of converting the host routing into the ARP table entry can be carried out only by setting the interface to start the conversion from the ARP table entry into the host routing, so that the interface information of the switch is required to be acquired before the host routing is converted so as to determine that the corresponding interface can convert the ARP table entry into the host routing.
S302, under the condition that the interface is determined to start the ARP table entry to the host routing, the source IP address of the first message is determined through the ARP table entry corresponding to the first message.
In the embodiment of the invention, under the condition that the interface is determined to start the ARP table entry to host routing, the actual query module does not learn the IP address of the message, so that the source IP address information of the message is required to be determined, at the moment, the IP address corresponding to the message is determined through the ARP table, and the 32-bit IP of the first message is calculated, so that the ARP table entry is directly converted to the host routing when the host routing can be determined.
If the interface does not start the ARP table entry to the host routing, the ARP table entry of the first message cannot be converted to the host routing, so that whether the source IP address of the first message is a malicious IP address or not does not need to be inquired.
S303, sending a blacklist acquisition request to the traffic monitoring equipment to acquire a first blacklist.
S304, based on the first blacklist, whether to carry out ARP table entry to host routing is determined.
Specifically, matching a source IP address of the learned first message with a source IP address in a first blacklist, performing host routing conversion on a corresponding ARP table entry when the source IP address of the learned first message is not matched with the source IP address in the first blacklist, writing the ARP table entry into a routing table, and issuing the host routing; if the matching is not matched, the ARP table entry is not converted into the host routing so as to prevent the malicious host routing from being issued into the network and increase the gateway load.
Referring to fig. 5, fig. 5 shows a control logic diagram for controlling an interface to start an ARP entry to host routing, as shown in fig. 5, an ARP entry to host routing is first set for a network interface, when the setting is successful, an event that the interface starts the ARP entry to host routing is recorded in a database, and after a routing module obtains configuration update, it indicates that the data interface has started the ARP entry to host routing. For example, if the interface of Ethernet8 needs to start the host-to-host route, it records Ethernet 8: ARP _ to _ host = enable in the database, and then the routing module updates according to the database record, and after updating, the interface of Ethernet8 already starts the ARP entry to switch the host route.
In some embodiments, when the switch receives further messages, the following operations are performed:
S305: when a second message from the terminal, forwarded by the traffic monitoring device, is received, send a blacklist acquisition request to the traffic monitoring device to obtain the second blacklist that the traffic monitoring device produced by updating the first blacklist.
When a message with the same source IP address is received, the switch neither gives up the ARP entry-to-host routing outright nor performs it outright; it still queries the blacklist when the message arrives and decides whether to perform ARP entry-to-host routing from the result of that query.
S306: determine, based on the second blacklist, whether to convert the ARP table entry into a host route.
In this embodiment, once the second blacklist is obtained, whether the source IP address of the second message is in the second blacklist is determined, and from that whether the ARP table entry is converted into a host route. Specifically, when the source IP address of the second message is in the second blacklist, the ARP table entry corresponding to the second message is not converted into a host route; when it is not in the second blacklist, the ARP table entry is converted into a host route.
The process above is illustrated with a specific example:
Referring to fig. 6, fig. 6 shows a schematic control logic diagram of an embodiment of the present invention, with the server architecture shown in fig. 7. When several devices send messages to the traffic monitoring software, the traffic monitoring software monitors the traffic of each message and sends the message on to the border switching device; if the monitoring result indicates malicious traffic, the source IP address of the message is recorded in the blacklist.
When the border switching device receives the message it first determines whether ARP entry-to-host routing is required. If so, it checks whether the corresponding interface is in a working state; if the interface is not working, no host route can be produced. If the interface is working normally, it then determines whether the corresponding interface has ARP entry-to-host routing enabled.
According to the control flow in fig. 5, when an interface enables ARP entry-to-host routing this is recorded in the database, so the database can be queried directly to find out whether the corresponding interface has it enabled. If the interface does not, no host route conversion is performed regardless of whether the source IP address of the packet is in the blacklist, and the blacklist query can be skipped.
Once the corresponding interface is confirmed to have ARP entry-to-host routing enabled, the blacklist query is performed: the source IP address is determined from the ARP table entry corresponding to the message, the 32-bit IP address is calculated, and blacklist data for that 32-bit IP is requested from the traffic monitoring software. If no blacklist data exists, every ARP table entry may be converted into a host route, and the ARP table entry for the message is converted directly into a host route, written into the routing table and published.
Otherwise, the blacklist data returned is recorded in the switch, the calculated 32-bit IP is matched against the source IP addresses in the blacklist, and it is determined whether the source IP address of the message is in the blacklist.
If the source IP address of the message is found in the blacklist, malicious traffic has been received, so the ARP table entry is not converted into a host route and no malicious host route is published into the network; if the source IP address is not in the blacklist, the ARP table entry is converted into a host route and the host route is published.
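The two-sided exchange described above, that is S201 to S206 on the traffic monitoring device (the blacklist being updated while traffic keeps arriving and the latest list being returned on request) and S301 to S306 on the switch (the interface check of fig. 5, the ARP-derived source IP and its /32 host route, the blacklist request and the install-or-skip decision of fig. 6), is modelled in the following Python example. It is an example added to this page and is not code from the patent or from the applicant. The class and field names, the monitoring rule (a source is blacklisted after three SYN-only packets), the sample traffic, the per-port enable flags and the withdrawal of an already-installed host route whose source later appears in the blacklist are assumptions made for the example; the patent text itself describes only the decision not to convert.

```python
# Toy model of blacklist-gated ARP entry-to-host routing with both roles in one process.
# Names, the monitoring rule, packet fields and sample traffic are assumptions made for
# this example; none of them come from the patent text.
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

@dataclass(frozen=True)
class Packet:
    ingress_port: str        # switch port the monitor hands the packet to
    src_mac: str
    src_ip: str
    syn_only: bool = False   # toy signal for the monitor's rule (assumption)

class TrafficMonitor:
    """Traffic monitoring device: monitors, forwards, serves a live blacklist (S201-S206)."""
    SYN_THRESHOLD = 3  # assumption: three bare SYNs from one source count as malicious

    def __init__(self, forward: Callable[[Packet], str]) -> None:
        self._forward = forward  # the switch's receive() entry point
        self._syn_count: Dict[str, int] = {}
        self.blacklist: Set[str] = set()

    def receive(self, pkt: Packet) -> str:
        # Monitor first, then forward, so the packet that trips the rule is already
        # answered with the updated list when the switch asks for it (S206).
        if pkt.syn_only:
            n = self._syn_count[pkt.src_ip] = self._syn_count.get(pkt.src_ip, 0) + 1
            if n >= self.SYN_THRESHOLD:
                self.blacklist.add(pkt.src_ip)
        return self._forward(pkt)

    def get_blacklist(self) -> Set[str]:
        # S203/S206: every acquisition request gets the most recently updated list.
        return set(self.blacklist)

class Switch:
    """Switch: interface gate, ARP lookup, blacklist query, /32 route install (S301-S306)."""
    def __init__(self, interface_config: Dict[str, str], oper_up: Set[str],
                 get_blacklist: Callable[[], Set[str]]) -> None:
        self.interface_config = interface_config  # mirrors "Ethernet8: ARP_to_host = enable"
        self.oper_up = oper_up
        self._get_blacklist = get_blacklist       # the monitor's request handler
        self.arp_table: Dict[Tuple[str, str], str] = {}      # (port, ip) -> mac
        self.routing_table: Dict[str, Tuple[str, str]] = {}  # "a.b.c.d/32" -> (port, mac)
        self.blacklist_requests = 0

    def receive(self, pkt: Packet) -> str:
        self.arp_table[(pkt.ingress_port, pkt.src_ip)] = pkt.src_mac  # assumed learnable
        return self.arp_to_host_route(pkt.ingress_port, pkt.src_ip)

    def arp_to_host_route(self, port: str, ip: str) -> str:
        # S301 / fig. 6: interface must be up and enabled, else no request is sent (claim 4).
        if port not in self.oper_up:
            return "skip: interface down"
        if self.interface_config.get(port) != "enable":
            return "skip: arp_to_host disabled"
        # S302: the source IP comes from the ARP entry; the host route is its /32 prefix.
        mac = self.arp_table.get((port, ip))
        if mac is None:
            return "skip: no ARP entry"
        prefix = f"{ipaddress.ip_address(ip)}/32"
        # S303: blacklist acquisition request to the traffic monitor.
        self.blacklist_requests += 1
        blacklist = self._get_blacklist()
        # S304: only a source that is not blacklisted becomes a host route.
        if ip in blacklist:
            # Addition beyond the patent text: withdraw a route that was installed
            # before the source was blacklisted instead of leaving it in the table.
            if self.routing_table.pop(prefix, None) is not None:
                return "blocked: withdrew existing host route"
            return "blocked: source in blacklist"
        self.routing_table[prefix] = (port, mac)
        return "installed"

# Constructed sample traffic; addresses and MACs are made up for this example.
SAMPLE_TRAFFIC: List[Packet] = [
    Packet("Ethernet8", "02:00:00:00:00:11", "10.0.0.11"),                 # ordinary host
    Packet("Ethernet8", "02:00:00:00:00:66", "10.0.0.66", syn_only=True),  # scanner, SYN 1
    Packet("Ethernet8", "02:00:00:00:00:66", "10.0.0.66", syn_only=True),  # SYN 2
    Packet("Ethernet8", "02:00:00:00:00:66", "10.0.0.66", syn_only=True),  # SYN 3: blacklisted
    Packet("Ethernet9", "02:00:00:00:00:22", "10.0.0.22"),                 # conversion disabled
    Packet("Ethernet10", "02:00:00:00:00:33", "10.0.0.33"),                # port down
]

def run_scenario(traffic: List[Packet] = SAMPLE_TRAFFIC) -> Tuple[List[str], Dict[str, Tuple[str, str]], int]:
    # Returns the per-packet decisions, the final routing table and the request count.
    monitor = TrafficMonitor(forward=lambda pkt: switch.receive(pkt))
    switch = Switch(
        interface_config={"Ethernet8": "enable", "Ethernet9": "disable", "Ethernet10": "enable"},
        oper_up={"Ethernet8", "Ethernet9"},  # Ethernet10 is configured but link-down
        get_blacklist=monitor.get_blacklist,
    )
    decisions = [monitor.receive(pkt) for pkt in traffic]
    return decisions, dict(switch.routing_table), switch.blacklist_requests

if __name__ == "__main__":
    for pkt, decision in zip(SAMPLE_TRAFFIC, run_scenario()[0]):
        print(f"{pkt.ingress_port:<10} {pkt.src_ip:<10} -> {decision}")
```

Running the file prints one decision per sample packet; run_scenario() returns the decisions, the final routing table and the number of blacklist requests the switch made. Two things the flowchart text leaves implicit are visible here: the switch sends a blacklist request for every packet that passes the interface gate, so the request rate on the monitor grows with traffic on enabled ports; and because the patent only says that a blacklisted source is not converted, a host route installed before the source was blacklisted would stay in the routing table unless something withdraws it, which is why the example adds that step.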
In this embodiment, when a first message from the terminal forwarded by the traffic monitoring device is received, the switch determines whether the interface has ARP entry-to-host routing enabled; if it does, the switch obtains the blacklist from the traffic monitoring device and decides from that blacklist whether to convert the ARP table entry into a host route. When a second message from the terminal forwarded by the traffic monitoring device is received, the switch requests the blacklist from the traffic monitoring device again and decides from the updated blacklist whether to convert. Keeping the blacklist updated in real time makes host route publication safe without the user having to maintain a dedicated list for ARP entry-to-host routing by hand, which reduces user operations and improves the user experience. At the same time fewer malicious and redundant host routes are published, avoiding the loss of network efficiency caused by redundant or malicious host routes being published to the gateway.
Example four
Referring to fig. 8, fig. 8 shows an ARP entry-to-host routing apparatus according to an embodiment of the present invention, where the ARP entry-to-host routing apparatus according to the embodiment is applied to a switch, the switch is connected to a traffic monitoring device, and the traffic monitoring device is connected to a terminal, as shown in fig. 8, the apparatus includes:
a receiving module 401, configured to receive a first packet from the terminal, where the first packet is forwarded by the traffic monitoring device;
an obtaining module 402, configured to send a blacklist obtaining request to the traffic monitoring device to obtain a first blacklist when receiving a first message from the terminal forwarded by the traffic monitoring device;
a determining module 403, configured to determine whether to issue the host route based on the first blacklist;
a first determining sub-module, configured to determine to perform ARP table entry to host routing when the source IP address of the first packet is not in the first blacklist;
and a second determining sub-module, configured to determine not to convert the ARP table entry into a host route when the source IP address of the first packet is in the first blacklist.
In some possible embodiments, the receiving module 401 further includes:
the first acquisition submodule is used for acquiring the interface information of the switch;
and the second obtaining sub-module is used for determining the source IP address of the first message through the ARP table entry corresponding to the first message under the condition that the interface starts the ARP table entry to convert the host route.
EXAMPLE five
Referring to fig. 9, fig. 9 shows an ARP entry-to-host routing apparatus according to an embodiment of the present invention, where the ARP entry-to-host routing apparatus according to the embodiment is applied to a traffic monitoring device, and the traffic monitoring device is respectively connected to a terminal and a switch, as shown in fig. 9, the apparatus includes:
a receiving module 501, configured to receive a first message sent by the terminal;
a forwarding module 502, configured to forward a first packet sent by the terminal to the switch when receiving the first packet;
a traffic monitoring module 503, configured to perform traffic monitoring on a first packet sent by the terminal when receiving the first packet;
a recording module 504, configured to obtain a first blacklist based on a result of the traffic monitoring;
a sending module 505, configured to send the first blacklist to the switch when receiving a blacklist acquisition request sent by the switch based on the first message.
An embodiment of the present invention further provides an electronic device, which may include a memory, a processor, and a computer program stored in the memory and executable on the processor; when the processor executes the program it performs the ARP table entry-to-host routing method of any of the above embodiments.
An embodiment of the present invention further provides a computer-readable storage medium, where instructions in the storage medium, when executed by a processor, enable the processor to perform operations performed by the ARP table entry-to-host routing method according to any of the above embodiments.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the embodiments of the invention.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or terminal device that comprises the element.
The ARP table entry-to-host routing method, apparatus, electronic device and storage medium provided by the present invention have been introduced in detail above, and a specific example has been used herein to explain the principle and implementation of the invention; the description of the above embodiments is only intended to help in understanding the method and its core idea. At the same time, a person skilled in the art may, following the idea of the present invention, vary the specific embodiments and the scope of application, so the content of this specification should not be construed as a limitation on the present invention.

Claims (11)

1. An ARP table entry-to-host routing method, characterized in that the method is applied to a switch, the switch is connected to a traffic monitoring device, the traffic monitoring device is connected to a terminal, and the method comprises:
when a first message from the terminal forwarded by the traffic monitoring device is received, sending a blacklist acquisition request to the traffic monitoring device to obtain a first blacklist;
determining, based on the first blacklist, whether to perform ARP table entry-to-host routing;
determining to perform ARP table entry-to-host routing when the source IP address of the first message is not in the first blacklist;
and determining not to perform ARP table entry-to-host routing when the source IP address of the first message is in the first blacklist.
2. The ARP table entry-to-host routing method of claim 1, wherein the method further comprises:
under the condition that a second message from the terminal forwarded by the traffic monitoring equipment is received, sending a blacklist acquisition request to the traffic monitoring equipment so as to acquire a second blacklist obtained by updating the first blacklist by the traffic monitoring equipment;
determining whether to perform ARP table entry-to-host routing based on the second blacklist;
determining to perform ARP table entry to host routing under the condition that the source IP address of the second message is not in the second blacklist;
and under the condition that the source IP address of the second message is in the second blacklist, determining not to perform ARP table entry-to-host routing.
3. The ARP table entry-to-host routing method of claim 1, wherein prior to the sending of the blacklist acquisition request to the traffic monitoring device, the method further comprises:
acquiring interface information of the switch;
and when the interface has ARP table entry-to-host routing enabled, determining the source IP address of the first message from the ARP table entry corresponding to the first message.
4. The ARP table entry-to-host routing method of claim 1, wherein prior to the sending of the blacklist acquisition request to the traffic monitoring device, the method further comprises:
acquiring interface information of the switch;
when the interface does not have ARP table entry-to-host routing enabled, not sending a blacklist acquisition request to the traffic monitoring device;
and the sending of the blacklist acquisition request to the traffic monitoring device comprises:
sending a blacklist acquisition request to the traffic monitoring device when it is determined that the interface has ARP table entry-to-host routing enabled.
5. An ARP table entry-to-host routing method, characterized in that the method is applied to a traffic monitoring device, the traffic monitoring device is connected to a terminal and to a switch respectively, and the method comprises:
when a first message sent by the terminal is received, forwarding the first message to the switch and performing traffic monitoring on the first message;
obtaining a first blacklist based on the result of the traffic monitoring;
and when a blacklist acquisition request sent by the switch on the basis of the first message is received, sending the first blacklist to the switch.
6. The ARP table entry-to-host routing method of claim 5, wherein the method further comprises:
updating the first blacklist in real time while the traffic monitoring device continues to receive traffic.
7. The ARP table entry-to-host routing method of claim 5, wherein the method further comprises:
when a second message sent by the terminal is received, forwarding the second message to the switch and performing traffic monitoring on the second message;
updating the most recently updated first blacklist based on the result of the traffic monitoring to obtain a second blacklist;
updating the second blacklist in real time while traffic continues to be received;
and when a blacklist acquisition request sent by the switch on the basis of the second message is received, sending the most recently updated second blacklist to the switch.
8. An ARP table entry-to-host routing apparatus, characterized in that the apparatus is applied to a switch, the switch is connected to a traffic monitoring device, the traffic monitoring device is connected to a terminal, and the apparatus comprises:
a receiving module, configured to receive a first message from the terminal, the first message being forwarded by the traffic monitoring device;
an obtaining module, configured to send a blacklist acquisition request to the traffic monitoring device to obtain a first blacklist when a first message from the terminal forwarded by the traffic monitoring device is received;
a determining module, configured to determine whether to publish the host route based on the first blacklist;
a first determining sub-module, configured to determine to perform ARP table entry-to-host routing when the source IP address of the first message is not in the first blacklist;
and a second determining sub-module, configured to determine not to perform ARP table entry-to-host routing when the source IP address of the first message is in the first blacklist.
9. An ARP table entry-to-host routing apparatus, characterized in that the apparatus is applied to a traffic monitoring device, the traffic monitoring device is connected to a terminal and to a switch respectively, and the apparatus comprises:
a receiving module, configured to receive a first message sent by the terminal;
a forwarding module, configured to forward the first message to the switch when the first message sent by the terminal is received;
a traffic monitoring module, configured to perform traffic monitoring on the first message when the first message sent by the terminal is received;
a determining module, configured to obtain a first blacklist based on the result of the traffic monitoring;
and a sending module, configured to send the first blacklist to the switch when a blacklist acquisition request sent by the switch on the basis of the first message is received.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing performs the steps in the ARP entry-to-host routing method of any of claims 1-4 or the ARP entry-to-host routing method of any of claims 5-7.
11. A computer-readable storage medium storing a computer program for performing the ARP table entry-to-host routing method of any of claims 1-4 or the ARP table entry-to-host routing method of any of claims 5-7.
CN202211297423.5A 2022-10-21 2022-10-21 ARP table entry-host routing method and device, electronic equipment and storage medium Pending CN115941255A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211297423.5A CN115941255A (en) 2022-10-21 2022-10-21 ARP table entry-host routing method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211297423.5A CN115941255A (en) 2022-10-21 2022-10-21 ARP table entry-host routing method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115941255A true CN115941255A (en) 2023-04-07

Family

ID=86653307

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211297423.5A Pending CN115941255A (en) 2022-10-21 2022-10-21 ARP table entry-host routing method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115941255A (en)

Similar Documents

Publication Publication Date Title
CN102413046B (en) Method for forwarding flow by means of virtual router redundancy protocol backup set and equipment
US9521070B2 (en) Apparatus, information processing method and information processing system
CN102025630A (en) Load balancing method and load balancing system
CN103780679A (en) Long time delay remote invocation method based on HTTP protocol
JP4332079B2 (en) Module type packet communication node equipment
WO2015006970A1 (en) Switching device, controller, and method and system for switching device configuration and packet processing
CN1607772A (en) Method for realizing data transfer backup through address interpretation protocol messages
CN107547374B (en) Aggregation route processing method and device
CN106685821B (en) Multipath selection method and device
CN101534255A (en) A method and device for realizing oriented processing of certain request
CN102067516A (en) Method and device for requesting multicasting, processing multicasting requests and assisting in the aforementioned process
CN104243304A (en) Data processing method, device and system of locally-connected topological structure
JP6566124B2 (en) COMMUNICATION SYSTEM, FLOW CONTROL DEVICE, FLOW PROCESSING DEVICE, AND CONTROL METHOD
CN109951388B (en) Routing uninterrupted method and main control board
CN115941255A (en) ARP table entry-host routing method and device, electronic equipment and storage medium
CN110661836B (en) Message routing method, device and system, and storage medium
CN101335610B (en) ARP synchronization method in high-side Ethernet network switch
JP2001117899A (en) Multi-server system
CN114520752A (en) VXLAN protocol control plane unloading method and device based on intelligent network card
CN113497830A (en) Cloud network communication method, platform, equipment and storage medium
US20150200813A1 (en) Server connection apparatus and server connection method
CN112532524B (en) Message processing method and device
CN108023801B (en) Resource scheduling method and system for heterogeneous network
WO2015034435A1 (en) A method for managing a data center network
CN114124780B (en) Route issuing method, device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination