CN117834541A - Enhanced protection method for CPU management message and data message - Google Patents

Publication number: CN117834541A
Application number: CN202311796729.XA
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 汪革, 李毅, 芶利平, 谢坚, 张剑飞
Current assignee: Shanghai Baud Communication Technology Co ltd
Original assignee: Shanghai Baud Communication Technology Co ltd
Prior art keywords: message, cpu, messages, data, efp

Abstract

The invention discloses an enhanced protection method for CPU management messages and data messages, used to manage the flow of the various data messages entering the CPU of a switch. It comprises message flow data monitoring and message flow rate limiting. Specifically, based on the Egress ContentAware Processor (EFP) function module of the switch chip, the CPU data message speed-limit configuration is checked in real time, the message flow data sent to the CPU in the network is monitored in real time, and the various messages are classified and counted; and, based on the same EFP function module combined with a single-rate single-bucket token bucket algorithm, the flow rate of each type of message entering the CPU is limited. The scheme effectively avoids the problem of excessive CPU occupancy, and the resulting disruption of normal system operation, caused by a large number of useless messages impacting the switch CPU; it realizes effective protection of the CPU and improves the running stability of the switch system.

Description

Enhanced protection method for CPU management message and data message
Technical Field
The invention relates to the field of Ethernet communication in data communication, in particular to an enhanced protection scheme for CPU management messages and data messages.
Background
In modern computer systems, the CPU plays a central role in executing instructions and processing data. With the development of data communication technology, the types and number of messages present in live networks have increased, and the CPU of a switch is often required to process a large number of messages. Many of these messages are unnecessary, yet the CPU processes occupied by them greatly reduce the CPU's processing capacity and slow down the system; worse, a large volume of traffic hitting the CPU can paralyze it, so that the system cannot work normally and the processing of legitimate service messages is affected. How to monitor, count and limit the data messages sent to the CPU has therefore become an important task.
To solve this problem, many CPU protection solutions exist in the art, such as limiting the CPU traffic threshold, limiting the port traffic threshold, and so on. However, most of these methods can only keep the CPU running and cannot effectively suppress message attacks on the CPU. If the CPU is flooded with unnecessary messages, the traffic thresholds set for the CPU and the ports are consumed by them, and other normal, important service messages are discarded, so the CPU's processing of normal service messages is affected.
Disclosure of Invention
In view of the problem that existing CPU protection schemes cannot effectively suppress large numbers of message attacks, the invention aims to provide an enhanced protection method for CPU management messages and data messages.
In order to achieve the above object, the present invention provides an enhanced protection method for CPU management messages and data messages, including:
(1) Message flow data monitoring:
combining the Egress ContentAware Processor (EFP) function of the switch chip, checking the CPU data message speed-limit configuration in real time, monitoring the message flow data sent to the CPU in the network in real time, and classifying and counting the various messages; abnormal traffic and attack behaviour can be found in time by monitoring the traffic data, and protection applied in time; meanwhile, statistical analysis of the monitored flow data gives an intuitive picture of the traffic distribution of the various messages and provides a basis for subsequent flow restriction;
(2) Message traffic rate limiting:
combining the Egress ContentAware Processor (EFP) function of the switch chip, a single-rate single-bucket token bucket algorithm is adopted to limit the flow rate of the various messages entering the CPU.
In some embodiments of the invention, the method can adjust the speed limit configuration of the CPU data message according to the flow rate of various messages entering the CPU.
In some embodiments of the present invention, the method performs message traffic data monitoring by creating an EFP table entry.
In some embodiments of the present invention, when the method performs packet flow rate limiting processing on packet flow data sent to the CPU, format matching rules of various protocol packets are configured in the EFP table entry, and the various protocol packets are classified by dividing fields.
In some embodiments of the present invention, the fields include various fields of a network layer, a transport layer, and an application layer.
In some embodiments of the present invention, when format matching rules of various protocol messages are set, the method sets matching corresponding priorities for various protocol messages.
In some embodiments of the invention, the priorities are of two classes: the specific message with complete format which is common in the network is high priority; other messages in the network that are unusual and difficult to define categorization are of low priority.
In some embodiments of the present invention, when the protocol message format entering the CPU is matched with two types of entries with high priority and low priority, the entry with high priority is automatically matched, otherwise, the entry with low priority is matched.
In some embodiments of the present invention, when the method performs message traffic rate limitation on the message traffic data sent to the CPU, it is determined whether to allow the message to pass according to the remaining amount of the set traffic total size.
In some embodiments of the present invention, the method can analyze the message traffic destined for the CPU during the message traffic rate limiting process, and divide the message traffic into two categories: normal messages and unknown messages.
The CPU management message and data message enhanced protection mechanism provided by the invention realizes effective management and protection of messages and data by monitoring and counting flow data, verifying and matching various message segments and limiting various message flow rates through a token bucket algorithm. The mechanism has the advantages of visualization, verification matching, rate control and the like, and is suitable for various network communication environments.
Drawings
The invention is further described below with reference to the drawings and the detailed description.
FIG. 1 is a flow chart of a configuration message speed limit command line in an example of the invention;
FIG. 2 is a flow chart of a view message statistics command line in an example of the present invention;
FIG. 3 is a table of text segment matching rules in an example of the present invention;
FIG. 4 is a flow chart of CPU management and speed limiting using the method of the present invention.
Detailed Description
The invention is further described with reference to the following detailed drawings in order to make the technical means, the creation characteristics, the achievement of the purpose and the effect of the implementation of the invention easy to understand.
By thoroughly studying the mechanism by which the CPU processes the relevant messages and the composition of the various messages sent to the CPU, the enhanced protection scheme for CPU management messages and data messages is provided, so that effective speed limiting for each type of protocol message can be realized on top of the original global CPU speed limit. This gives more complete CPU protection and solves the problem that traditional schemes protect the CPU only partially.
The enhanced protection scheme for CPU management messages and data messages is mainly formed by combining two parts, message flow data monitoring and message flow rate limiting, and is realized on the basis of the Klish command line framework, a token bucket algorithm and the EFP function module of the switch chip.
The Klish command line framework, the EFP function and the token bucket algorithm are described first.
Klish command line framework: Klish is an interactive command line interface tool developed in C for creating and managing command line interfaces; through the command line interface it provides a convenient way of interacting with network equipment management, system configuration and software debugging. The Klish framework supports developer-defined commands, options and parameters together with the corresponding operation and output functions, so that custom command line interfaces can be built freely.
EFP: egress ContentAware Processor, the function of the switch chip can forward, discard, count and the like the designated message traffic in the outgoing direction, and simultaneously support the traffic control by using a token bucket algorithm.
Token bucket algorithm: for the mechanism of traffic shaping and traffic control, the rate of data transmission can be controlled, allowing a degree of bursty transmission while avoiding network congestion. The algorithm is similar to forming a container for storing tokens, and a certain capacity is preset; single speed single bucket is a method of flow measurement through one token bucket, assuming that no over-committed rate of flow occurs. Here, the token bucket is preset with a certain capacity, the system puts tokens into the bucket at a set speed, and when the bucket is full, redundant tokens overflow.
The token bucket algorithm here involves two main parameters:
1. CIR (committed information rate): the committed rate, measured in bytes of data per second; units: kbps.
2. CBS (committed burst size): a value > 0, measured in bytes, which should be at least equal to the maximum packet length; units: bit. A larger CBS means a larger permitted burst.
When a data stream arrives at the device, tokens corresponding to the data size are first taken from the token bucket in order to transmit the data (the size defined in the RFC standard is in b/s); in other words, enough tokens must be present in the bucket for data to be transmitted.
Tokens are therefore added at the CIR rate until the number of tokens reaches CBS, after which further tokens are discarded.
Specifically, based on the limiting mechanism, the scheme judges whether the message is allowed to pass or not by establishing an EFP table entry and setting CIR and CBS values in an EFP link.
Further, in the specific implementation, the EFP function module of the switch chip may invoke the token bucket algorithm to perform flow control in the present solution. By way of further illustration, the specific implementation scheme for invoking the token bucket algorithm by the EFP function module of the switch chip to perform flow control is as follows:
firstly, token bucket algorithm construction and configuration are carried out:
initializing a token bucket: a maximum capacity of the token bucket (CBS) and a token insertion rate (CIR) are set, wherein the CBS should be equal to or greater than a maximum packet length to ensure that at least one maximum sized packet can be transmitted.
Token generation configuration: adding tokens into a token bucket according to the set CIR rate; if the bucket is full, the newly generated token may be discarded.
Data transmission configuration: checking whether there are enough tokens in the token bucket when a data packet arrives; if the number of tokens is greater than or equal to the size of the data packet, then the corresponding number of tokens is removed from the bucket and the data packet is allowed to pass.
Burst control configuration: the size of the CBS determines the amount of burst data allowed. The larger the CBS, the larger the burst size allowed, which means that more data can be transmitted in a short time.
Then, the EFP function module of the switch chip constructs corresponding EFP table items:
in the EFP link, constructing a corresponding EFP table item, setting corresponding CIR and CBS values in the EFP table item, and controlling the flow according to the CIR and CBS values; the specific flow is matched based on the constructed EFP table item, and a token bucket algorithm is applied for control.
Then, a flow control decision is made:
when the data packet arrives at the EFP, the system combines the set value of the EFP table item and decides whether to allow the data packet to pass or not according to the current token number and the size of the data packet. If the token is not sufficient, the packet may be delayed or discarded to maintain network stability.
By way of further illustration, the specific parameters and behavior of the token bucket algorithm in the inventive arrangements preferably follow the relevant RFC standards to ensure proper implementation of the algorithm and compatibility between network devices.
From the above, in the scheme, the EFP function module of the switch chip invokes the token bucket algorithm to control the flow, so that the network flow can be effectively smoothed, reasonable burst transmission is allowed, and excessive use of network resources is prevented.
Thus, when the message arrives, the system checks the residual quantity of CBS based on the corresponding EFP table item, if the residual quantity of CBS is enough, the message is allowed to pass through, and the CBS is correspondingly reduced; if not, the system may take corresponding processing measures, such as discarding the message, delaying the processing, etc. By the method, the flow rate of various messages can be effectively controlled, the problems of malicious attack, network congestion, resource waste and the like are prevented, and the normal transmission of the messages sent to the CPU is protected.
For example, for the corresponding packet traffic rate limitation, the scheme can be implemented by the following procedures:
(1) By entering commands in the Klish command line interface of the switch, specific CIR and CBS values are set for each type of protocol message;
(2) When the message data is sent to the CPU, reducing the CBS of the same quantity according to the flow of the message data passing through the CPU every second;
(3) When the message data passes, the CBS is reduced, and the value of the CBS is increased every second with the set CIR until the set CBS upper limit is reached;
(4) When the CBS residual quantity is enough to forward the message, allowing the message data to pass through;
(5) And discarding the message data when the CBS residual quantity is insufficient to forward the message.
Therefore, when the message flow rate is smaller than or equal to the CIR, the CBS is not reduced; when the message flow rate is greater than the CIR, the CBS is gradually reduced; when CBS is reduced to 0, the message flow rate is limited to the CIR rate, and the rest message flow is discarded, so that the functions of limiting the flow and guaranteeing the flow burst are achieved.
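The five-step procedure above, as an added worked example in C (this is not code from the patent, from Klish or from any switch SDK): a single-rate, single-bucket token bucket with CIR and CBS, refilled once per simulated second, that passes a packet only when enough tokens remain and consumes them when it does. It assumes CIR and CBS are expressed in bytes per second and bytes (the page's own units are kbps and bits), and offers a stream of equal-sized packets; the function and type names are this example's own. The two simulations show the behaviour the text states: traffic at or below CIR is never dropped, while traffic above CIR passes one CBS-sized burst and is then held to CIR with the remainder discarded.

```c
#include <stdint.h>
#include <stdio.h>

/* Single-rate, single-bucket token bucket (the page's "C bucket").
 * Assumption for this example: CIR is tokens (bytes) added per second and
 * CBS is the bucket capacity in bytes. */
typedef struct {
    uint64_t cir;     /* committed information rate: tokens added per second */
    uint64_t cbs;     /* committed burst size: maximum tokens the bucket holds */
    uint64_t tokens;  /* current fill level (the "remaining CBS" in the text) */
} token_bucket_t;

void tb_init(token_bucket_t *tb, uint64_t cir, uint64_t cbs)
{
    tb->cir = cir;
    tb->cbs = cbs;
    tb->tokens = cbs;  /* bucket starts full, so one full burst is allowed */
}

/* Step (3): once per second add CIR tokens, never above CBS; the rest overflow. */
void tb_tick(token_bucket_t *tb)
{
    uint64_t t = tb->tokens + tb->cir;
    tb->tokens = (t > tb->cbs) ? tb->cbs : t;
}

/* Steps (2), (4), (5): a packet passes only if enough tokens remain and then
 * consumes tokens equal to its size; otherwise it is dropped. 1 = pass, 0 = drop. */
int tb_conform(token_bucket_t *tb, uint64_t pkt_bytes)
{
    if (tb->tokens >= pkt_bytes) {
        tb->tokens -= pkt_bytes;
        return 1;
    }
    return 0;
}

/* Offer pkt_bytes-sized packets at offered_bps bytes per second for `seconds`
 * seconds. Returns bytes passed; bytes dropped are written to *dropped if non-NULL. */
uint64_t tb_simulate(uint64_t cir, uint64_t cbs, uint64_t offered_bps,
                     uint64_t pkt_bytes, unsigned seconds, uint64_t *dropped)
{
    token_bucket_t tb;
    uint64_t passed = 0, drop = 0;
    uint64_t pkts_per_sec = offered_bps / pkt_bytes;

    tb_init(&tb, cir, cbs);
    for (unsigned s = 0; s < seconds; s++) {
        if (s > 0)
            tb_tick(&tb);  /* refill at the start of each later second */
        for (uint64_t i = 0; i < pkts_per_sec; i++) {
            if (tb_conform(&tb, pkt_bytes))
                passed += pkt_bytes;
            else
                drop += pkt_bytes;
        }
    }
    if (dropped)
        *dropped = drop;
    return passed;
}

/* Convenience wrapper returning only the dropped byte count. */
uint64_t tb_simulate_dropped(uint64_t cir, uint64_t cbs, uint64_t offered_bps,
                             uint64_t pkt_bytes, unsigned seconds)
{
    uint64_t dropped = 0;
    tb_simulate(cir, cbs, offered_bps, pkt_bytes, seconds, &dropped);
    return dropped;
}

int main(void)
{
    uint64_t dropped;
    /* Offered rate equal to CIR: the bucket is refilled as fast as it drains. */
    uint64_t p1 = tb_simulate(1000, 2000, 1000, 100, 5, &dropped);
    printf("at CIR:  passed %llu dropped %llu\n",
           (unsigned long long)p1, (unsigned long long)dropped);
    /* Offered rate three times CIR: one CBS burst passes, then CIR per second. */
    uint64_t p2 = tb_simulate(1000, 2000, 3000, 100, 5, &dropped);
    printf("3x CIR:  passed %llu dropped %llu\n",
           (unsigned long long)p2, (unsigned long long)dropped);
    return 0;
}
```

With CIR = 1000 and CBS = 2000, the second run offers 15000 bytes over five seconds: the first second passes the full 2000-byte burst, every later second passes exactly CIR, and the rest is dropped, which is the "limit the flow and guarantee the burst" behaviour described above. A hardware EFP meter refills continuously rather than once per second, so its burst tolerance is slightly smoother than this per-second model.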
The message flow data monitoring mechanism and the message flow rate limiting mechanism in the scheme of the invention are both realized through the Klish command line framework and the EFP function combined with a token bucket algorithm; the two mechanisms are linked and complement each other. The specific implementation is described below:
(1) Message flow data monitoring:
the scheme defines the related commands and parameters in Klish through the Klish command line framework to realize configuration and query of the EFP function module.
For example, a show cpu-threshold configuration, cpu threshold packet-type command may be defined to view and configure various types of message rate limits (i.e., CIR, CBS configuration values) in the EFP function;
cpu threshold statistic/rate is defined to collect and count various traffic data (message forwarding quantity, discarding quantity and the like) monitored by the EFP, so that the traffic distribution situation of various messages is intuitively obtained, and further analysis and limitation of the traffic data of the various messages are facilitated.
As a further preferred setting, when controlling the passage of message flow data, the scheme addresses a limitation of the token bucket discard mechanism as practised in the industry (in special cases such as excessive traffic, the token bucket is fully occupied and all surplus messages are discarded, where the surplus messages may include normal service messages) by constructing an innovative flow control strategy:
namely, messages are classified according to source MAC address or source IP address, with messages sharing the same MAC address or the same IP address forming one class; it is then judged whether the number of messages from the same source MAC address or source IP address sent to the CPU is larger than the passing threshold, and if so no operation is performed; otherwise the messages are discarded, so that their flow is controlled, the problem of normal service messages being discarded because the token bucket is occupied is prevented, and the aims of protecting the CPU from attack and guaranteeing the forwarding of normal service messages are achieved. If the flow of some message becomes too large, the flow control strategy is started automatically.
(2) Message traffic rate limiting:
the scheme preferably adopts a token bucket algorithm with single speed and single bucket, and combines an EFP function module of a switch chip to form limit control on the flow rate of various messages entering a CPU.
The implementation process of the scheme for realizing the limit control of the message flow rate entering the CPU by adopting the token bucket algorithm and the EFP functional module is as follows:
first, a token bucket algorithm corresponding to the configuration is constructed.
The token bucket algorithm in the scheme is configured to enable the system to add tokens into the token bucket at a fixed rate, and each message transmission needs to consume a certain amount of tokens; if there are insufficient tokens in the token bucket, the message will be discarded or buffered, thereby limiting the message traffic rate from exceeding the token generation speed.
On this basis a single-rate single-bucket mode is further configured, in which there is only one token bucket, the C bucket; the capacity (CBS) and token fill rate (CIR) of the C bucket are preset; when the C bucket is full, surplus tokens overflow; when a message arrives, if there are enough tokens in the C bucket the message is transmitted, otherwise it is discarded or buffered.
And then, configuring corresponding EFP table items in the switch based on the switch chip EFP functional module.
The EFP table item is configured after the exit port of the switch flow processing flow and before entering the CPU. The EFP table item can count and analyze the message flow data which passes through the port and is sent to the CPU, including the flow size, the speed, the field and the like, and record and learn the message flow data.
Next, the CPU traffic rate is dynamically adjusted based on the configured EFP entries and the token bucket algorithm.
The EFP function module can dynamically adjust the flow rate of the CPU by carrying out operations such as discarding large-flow and repeated messages so as to prevent the CPU from being overloaded and optimize the network performance.
By the mode, the scheme can effectively limit the message flow rate and ensure reasonable distribution and utilization of network resources.
Taking a Broadcom chip as an example, data monitoring can be achieved by establishing an EFP table entry. In this example, the EFP stage in which the EFP entry is created is placed after the egress port in the switch's flow processing pipeline and before entry to the CPU. An EFP entry configured in this way can perform flow statistics, flow rate analysis and field analysis on the message flow data that passes through the port towards the CPU, record and learn the message flow data, and dynamically adjust the CPU's flow rate through operations such as discarding large-flow and repeated messages.
In some embodiments of the present invention, the established EFP entry is further configured to support processing of messages of a specified protocol type by field matching rules.
The fields referred to herein include various fields of the network layer, transport layer, application layer:
dmac (destination MAC address), smac (source MAC address), ethertype (protocol type), protocol (protocol number), dport (destination port), sport (source port), TTL (maximum number of hops allowed before a packet is discarded).
Based on the above, through these field matching rules, EFP table entries are established for messages of different protocol types to cover most common network layer, transport layer and application layer protocol message types.
In the scheme, the process of establishing the EFP table entry and performing field matching on the messages of different protocol types is realized by the following steps:
determining a matching field: first, the fields for matching messages of different protocol types need to be determined. These fields may include source and destination MAC addresses, IP addresses, VLAN tags, ethernet types, protocol numbers, etc.
Defining a matching rule: corresponding matching rules are defined according to the protocol types to be monitored. For example, ARP messages can be identified by matching the ethernet type field to 0x0806. For IP packets the matching field is 0x0800, and the IP protocol number can then be further matched as required to distinguish TCP, UDP, ICMP, etc.
Creating EFP table items: corresponding EFP entries are created according to defined matching rules, each of which will contain a set of condition fields for matching messages of a particular type.
The application acts: for each EFP entry, a corresponding action is defined, such as forwarding, dropping, modifying or counting, etc., which will be performed according to the matched message type.
Testing and verifying: after configuration is implemented, the configured EFP entries need to be tested to ensure that they match and process the expected message types correctly.
For example, for Layer 2 protocols, different protocols such as ARP (0x0806), STP (0x0002), etc. may be identified by matching the protocol fields. Layer 3 routing protocols may be identified by matching network layer protocol types, such as BGP (TCP protocol number 179), OSPF (protocol number 89), etc. Higher-layer application data, such as TELNET (TCP protocol number 23), ICMP (protocol number 1), etc., can likewise be matched by the corresponding protocol number.
By the method, a complete set of EFP table entries can be established for various protocol message types in the network, and effective monitoring and management of message flow are realized.
Further, the protocol message types covered here are as follows:
Layer 2:
ARP, ND, STP, LDP, LACP, 8021X, DHCP, DHCPV6, IGMP, MLD, RESV-MAC, BCAST
Layer 3 routing protocols:
BGP, PIM, PIMV6, OSPF, OSPFV3, RIP, ISIS, VRRP, VRRP6, BFD
Higher-layer application data:
TELNET, ICMP
Layer 3 data:
IPMC, IPV6MC, IPUC, IPV6UC
Failure processing:
TTL-FAILURE.
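The field-matching steps and the protocol coverage above, as an added example in C (not code from the patent, from Broadcom or from any SDK): a constructed EFP-style rule table ordered from specific protocol entries (ARP, BGP, OSPF, TELNET, ICMP) down to the broad RESV-MAC and BCAST classes, a minimal Ethernet/IPv4 field extractor, and a classifier that returns the first, i.e. highest-priority, matching entry. This is the same top-to-bottom priority rule the page describes for FIG. 3, applied in software so the logic can be run; a real EFP entry is programmed into the chip. The rule table, the sample frames, the field subset and all names are this example's own assumptions. An ARP request is also a broadcast frame, so the order of the table is what makes it count as ARP rather than BCAST; a truncated frame is reported as unmatched rather than guessed.

```c
#include <stdint.h>
#include <string.h>

/* Fields extracted from a frame for EFP-style matching (a subset of the page's list). */
typedef struct {
    uint8_t  dmac[6];
    uint16_t ethertype;
    uint8_t  ip_proto;  /* valid only when ethertype == 0x0800 */
    uint16_t dport;     /* valid only for TCP/UDP */
} efp_fields_t;

/* Bit flags saying which fields a rule checks. */
enum { M_ETHERTYPE = 1, M_PROTO = 2, M_DPORT = 4, M_DMAC_PREFIX3 = 8, M_DMAC_FULL = 16 };

typedef struct {
    const char *name;
    unsigned    mask;
    uint16_t    ethertype;
    uint8_t     ip_proto;
    uint16_t    dport;
    uint8_t     dmac[6];  /* compared as a 3-byte prefix or a full address */
} efp_rule_t;

/* Constructed rule table in priority order: specific, fully-formatted protocols
 * first, the broad RESV-MAC and BCAST classes last (cf. FIG. 3 of the patent). */
static const efp_rule_t efp_table[] = {
    { "ARP",      M_ETHERTYPE,                 0x0806, 0,    0, { 0 } },
    { "BGP",      M_ETHERTYPE|M_PROTO|M_DPORT, 0x0800, 6,  179, { 0 } },
    { "OSPF",     M_ETHERTYPE|M_PROTO,         0x0800, 89,   0, { 0 } },
    { "TELNET",   M_ETHERTYPE|M_PROTO|M_DPORT, 0x0800, 6,   23, { 0 } },
    { "ICMP",     M_ETHERTYPE|M_PROTO,         0x0800, 1,    0, { 0 } },
    { "RESV-MAC", M_DMAC_PREFIX3, 0, 0, 0, { 0x01, 0x80, 0xc2, 0, 0, 0 } },
    { "BCAST",    M_DMAC_FULL,    0, 0, 0, { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff } },
};
#define EFP_RULES (sizeof efp_table / sizeof efp_table[0])

static int rule_matches(const efp_rule_t *r, const efp_fields_t *f)
{
    if ((r->mask & M_ETHERTYPE) && f->ethertype != r->ethertype) return 0;
    if ((r->mask & M_PROTO) && f->ip_proto != r->ip_proto) return 0;
    if ((r->mask & M_DPORT) && f->dport != r->dport) return 0;
    if ((r->mask & M_DMAC_PREFIX3) && memcmp(f->dmac, r->dmac, 3) != 0) return 0;
    if ((r->mask & M_DMAC_FULL) && memcmp(f->dmac, r->dmac, 6) != 0) return 0;
    return 1;
}

/* Index of the highest-priority matching entry, or -1 if no entry matches. */
int efp_classify(const efp_fields_t *f)
{
    for (size_t i = 0; i < EFP_RULES; i++)
        if (rule_matches(&efp_table[i], f)) return (int)i;
    return -1;
}

const char *efp_class_name(int idx)
{
    return (idx < 0 || (size_t)idx >= EFP_RULES) ? "UNMATCHED" : efp_table[idx].name;
}

/* Extract fields from an Ethernet frame; returns 0 if the frame is truncated. */
int efp_extract(const uint8_t *fr, size_t len, efp_fields_t *f)
{
    if (len < 14) return 0;
    memset(f, 0, sizeof *f);
    memcpy(f->dmac, fr, 6);
    f->ethertype = (uint16_t)((fr[12] << 8) | fr[13]);
    if (f->ethertype == 0x0800) {
        if (len < 34) return 0;
        size_t ihl = (size_t)(fr[14] & 0x0f) * 4;  /* IPv4 header length in bytes */
        f->ip_proto = fr[23];
        if ((f->ip_proto == 6 || f->ip_proto == 17) && len >= 14 + ihl + 4)
            f->dport = (uint16_t)((fr[14 + ihl + 2] << 8) | fr[14 + ihl + 3]);
    }
    return 1;
}

int efp_classify_frame(const uint8_t *fr, size_t len)
{
    efp_fields_t f;
    return efp_extract(fr, len, &f) ? efp_classify(&f) : -1;
}

/* Constructed sample frames (not captures); unlisted trailing bytes are zero padding.
 * ARP request: broadcast dmac with ethertype 0x0806, so the ARP entry outranks BCAST. */
const uint8_t SAMPLE_ARP_BCAST[42] = { 0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x06 };
/* Unknown ethertype 0x1234 to the broadcast address: falls through to the BCAST class. */
const uint8_t SAMPLE_UNKNOWN_BCAST[60] = { 0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x12,0x34 };
/* Reserved multicast dmac (01-80-c2 prefix): RESV-MAC class. */
const uint8_t SAMPLE_RESV_MAC[60] = { 0x01,0x80,0xc2,0x00,0x00,0x0e, 0x00,0x11,0x22,0x33,0x44,0x55, 0x88,0xcc };

/* Build a minimal constructed IPv4 frame carrying `proto` with L4 destination port
 * `dport` (meaningful for TCP/UDP only) and classify it. */
int efp_classify_ipv4(uint8_t proto, uint16_t dport)
{
    uint8_t buf[54] = { 0x00,0x0a,0x0b,0x0c,0x0d,0x0e, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00 };
    buf[14] = 0x45;  /* IPv4, IHL = 5 words, so the L4 header starts at offset 34 */
    buf[23] = proto;
    buf[36] = (uint8_t)(dport >> 8);
    buf[37] = (uint8_t)(dport & 0xff);
    return efp_classify_frame(buf, sizeof buf);
}
```

Running `efp_classify_frame` over frames and incrementing a counter per returned index gives the per-class forwarded/discarded statistics the monitoring mechanism displays. Because the catch-all entries sit at the bottom, adding a new specific protocol entry above them never changes how RESV-MAC or BCAST traffic is classified, which is what keeps the priority scheme predictable.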
The scheme of the invention sets the corresponding EFP table entries on the basis of priority matching and combines them with the token bucket algorithm to form a message flow data monitoring mechanism and a message flow rate limiting mechanism, thereby constructing an enhanced protection method for CPU management messages and data messages that performs forwarding, discarding, counting and other operations on messages destined for the CPU before they reach it.
In some embodiments, the message flow data monitoring mechanism formed by the enhanced protection method constructed by the invention can extract and record detailed message information, such as the number, the discarding number, the real-time rate, the size, the source, the destination and the like, based on the configured EFP table function. And then, establishing a visual interface in the form of a command line, and monitoring and displaying the related information of the message flow data sent to the CPU in the network in real time.
Furthermore, the message flow rate limiting mechanism formed by the enhanced protection method constructed by the invention can carry out flow statistics, flow rate analysis and field analysis on message flow data sent to the CPU based on the configured EFP table function, and record and learn the message flow rate data so as to realize the automatic optimization function of the message flow rate.
In actual use, once the corresponding message flow data monitoring mechanism and message flow rate limiting mechanism have been configured in the switch through its Klish command line commands, all the mechanisms remain in a triggered, running state at all times, so that real-time monitoring and analysis of the data flow is realized.
As a further explanation, the process of configuring and operating the corresponding message traffic data monitoring mechanism and message traffic rate limiting mechanism in the switch through the switch Klish command line command in the scheme of the present invention is as follows:
First, the corresponding EFP entries are configured in the switch through the switch's Klish command line. Specifically, according to the network environment and the monitoring requirement, the relevant parameters for controlling the message flow rate are entered through the Klish command line framework, and the system issues and configures the EFP table entries so as to capture and record the required message flow data.
And then, the switch performs real-time monitoring and analysis on the data flow based on the configured EFP table item matched with a token bucket algorithm. Taking a Broadcom chip as an example, real-time data monitoring is performed based on the established EFP table item; the setting of the EFP table item enables the message flow data sent to the CPU to be monitored in real time, so that the flow processed by the CPU is ensured to be in a controllable range, and the stable operation of the network is ensured.
Then, data extraction is performed. The exchanger calls the SDK data acquisition interface of the corresponding exchanger chip according to the configured EFP list items, and extracts detailed message information, such as message quantity, discard quantity, real-time rate, size, source, destination and the like, from the network flow.
Then, data recording is performed. The exchanger records the extracted message information so as to facilitate the subsequent monitoring and analysis.
Then, a command line interface is established for data display and query. The monitored message flow data sent to the CPU, with all its related information, is displayed in real time through the Klish command line interface, and an administrator can query and monitor it in real time.
Finally, flow optimization is carried out: based on the configured EFP table item and the token bucket algorithm, grouping the messages according to the source address, and if a certain group of messages exceeds a set passing threshold (defaulting to 6/s), discarding the group of messages so as to prevent the overflow of the token bucket and the CPU attack and ensure the forwarding of normal service. As a preferred arrangement, the strategy is only activated when the traffic is too high.
Therefore, when the scheme of the invention is implemented, a network administrator can be helped to better understand and control the data flow in the network, and timely discover and process problems.
As a further explanation, the message traffic rate limiting mechanism formed based on the scheme of the present invention can further divide the message traffic into two categories after analyzing the message traffic sent to the CPU: normal messages and unknown messages.
Wherein, normal message: normal service messages in the networking conform to protocol specifications, do not contain malicious or sensitive contents, and do not negatively affect the network or the equipment.
Unknown message: unknown mac messages, unknown ip messages, etc. in the networking. Possibly malicious messages.
On the basis, when a message flow rate limiting mechanism formed by the scheme of the invention is started, all unknown source MAC messages and unknown source IP messages in networking services are marked and recorded; and simultaneously, a passing threshold value (for example, default to 6 per second) of the passing number of the packets in unit time is set as a reference for judging whether the control of the message flow to the CPU is required. As further described herein, the threshold is configured to be manually modifiable.
Therefore, when the message flow to the CPU is less, the scheme does not control the flow of the unknown message in order to ensure the normal operation of the networking service as much as possible.
When the message traffic to the CPU is excessive, the token bucket (i.e., CBS) is already fully occupied and the switch has started to lose packets; at that point, based on the message flow rate limiting mechanism, intelligent analysis is performed according to the traffic sizes, packet passing rates and fields of the various messages:
firstly, messages are classified according to source MAC address or source IP address, with messages sharing the same MAC address or the same IP address forming one class; it is then judged whether the number of messages from the same source MAC address or source IP address sent to the CPU is larger than the passing threshold, and if so no operation is performed; otherwise the messages are discarded and their flow is controlled, preventing the problem of normal service messages being discarded because the CBS is occupied, and thereby achieving the aims of protecting the CPU from attack and ensuring the forwarding of normal service messages.
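The per-source control strategy described in the flow-optimization step and in the two paragraphs above, as an added C example (not the patent's own code and not any SDK API): CPU-bound packets are grouped by source MAC (or source IP) address, the per-group packet count is reset every second, and only once the token bucket for the class is exhausted is a group whose count exceeds the passing threshold (the page's default of 6 per second) discarded, so that one chatty source cannot consume the bucket at the expense of normal service messages. The policer table, its size, the two sample source addresses, the fail-closed handling of an untracked source while the bucket is exhausted, and all names are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_SOURCES 64
#define DEFAULT_PASS_THRESHOLD 6  /* page default: 6 packets per second per source */

typedef struct {
    uint8_t  key[16];   /* source MAC (6 bytes) or IPv4/IPv6 address (4/16 bytes) */
    size_t   keylen;
    unsigned count;     /* packets from this source seen in the current second */
} src_group_t;

typedef struct {
    src_group_t groups[MAX_SOURCES];
    size_t      ngroups;
    unsigned    threshold;          /* passing threshold, manually adjustable */
    unsigned    dropped_by_policy;  /* packets discarded by this strategy */
} src_policer_t;

void sp_init(src_policer_t *p, unsigned threshold)
{
    memset(p, 0, sizeof *p);
    p->threshold = threshold ? threshold : DEFAULT_PASS_THRESHOLD;
}

/* The threshold is per unit time: call once per second to restart the counts. */
void sp_new_second(src_policer_t *p)
{
    for (size_t i = 0; i < p->ngroups; i++)
        p->groups[i].count = 0;
}

/* Find the group for a source address, creating it if there is room. */
static src_group_t *sp_lookup(src_policer_t *p, const uint8_t *key, size_t keylen)
{
    if (keylen > sizeof p->groups[0].key) return NULL;
    for (size_t i = 0; i < p->ngroups; i++) {
        src_group_t *g = &p->groups[i];
        if (g->keylen == keylen && memcmp(g->key, key, keylen) == 0)
            return g;
    }
    if (p->ngroups == MAX_SOURCES) return NULL;
    src_group_t *g = &p->groups[p->ngroups++];
    memcpy(g->key, key, keylen);
    g->keylen = keylen;
    g->count = 0;
    return g;
}

/* Decide whether a CPU-bound packet from `key` passes (1) or is dropped (0).
 * bucket_exhausted is 1 when the token bucket (CBS) of the message class is at zero;
 * the strategy only acts in that state, so light traffic is never touched. */
int sp_check(src_policer_t *p, const uint8_t *key, size_t keylen, int bucket_exhausted)
{
    src_group_t *g = sp_lookup(p, key, keylen);
    if (!g)
        return bucket_exhausted ? 0 : 1;  /* untracked source: fail closed only under pressure */
    g->count++;
    if (!bucket_exhausted)
        return 1;
    if (g->count > p->threshold) {
        p->dropped_by_policy++;
        return 0;
    }
    return 1;
}

/* Simulate one second: a chatty source sends chatty_pkts and a quiet one quiet_pkts
 * (constructed source MACs). Returns the number of packets that passed. */
unsigned sp_simulate_second(unsigned chatty_pkts, unsigned quiet_pkts, int bucket_exhausted)
{
    static const uint8_t chatty[6] = { 0x00, 0xde, 0xad, 0xbe, 0xef, 0x01 };
    static const uint8_t quiet[6]  = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
    src_policer_t p;
    unsigned passed = 0;

    sp_init(&p, DEFAULT_PASS_THRESHOLD);
    sp_new_second(&p);
    for (unsigned i = 0; i < chatty_pkts; i++)
        passed += (unsigned)sp_check(&p, chatty, sizeof chatty, bucket_exhausted);
    for (unsigned i = 0; i < quiet_pkts; i++)
        passed += (unsigned)sp_check(&p, quiet, sizeof quiet, bucket_exhausted);
    return passed;
}

int main(void)
{
    printf("bucket exhausted:     %u of 23 packets passed\n", sp_simulate_second(20, 3, 1));
    printf("bucket not exhausted: %u of 23 packets passed\n", sp_simulate_second(20, 3, 0));
    return 0;
}
```

With the bucket exhausted, the chatty source is cut to the threshold while the quiet source's three packets all pass; with the bucket healthy nothing is touched, which is the "only activated when the traffic is too high" behaviour of the text. In a real deployment the per-second reset would be driven by the chip's statistics timer, and the threshold would come from the configured, manually adjustable value rather than the compiled default.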
In some embodiments, the enhanced protection method constructed by the invention also allows the rate limit configuration (CIR, CBS) of different messages to be adjusted manually according to the actual flow rate of the various messages entering the CPU in different networking services, thereby customizing the CPU anti-attack strategy.
In some embodiments, the enhanced protection method constructed by the invention also sets a corresponding matching priority for each type of protocol message when setting the format matching rule of each type of protocol message, so as to ensure the accuracy of message flow classification.
For further explanation, the priorities here are of two types: specific messages with a complete format that are common in the network, such as ARP, STP and DHCP, have the higher priority; other unusual messages that are difficult to define and classify in the network are grouped into a broad message class and have the lower priority, such as RESV-MAC (messages whose DMAC begins with 01-80-c2) and bcast (messages whose DMAC is all F). When a protocol message entering the CPU matches both types of entries at the same time, the high-priority entry is matched automatically; otherwise the low-priority entry is matched. As shown in FIG. 3, the priority runs from top to bottom, i.e. the ARP message priority is the highest and the bcast message priority is the lowest.
Here, it should be noted that the message flow rate limiting mechanism only limits the rate of messages sent to the CPU, and its implementation depends on the EFP, where the EFP stage is the last stage before entering the CPU (in the flow forwarding process specified by Broadcom, the EFP is the last stage, located after the VFP (VLAN ContentAware Processor: VLAN-based forwarding stage) and the IFP (Ingress ContentAware Processor: ingress forwarding stage)), so the scheme does not affect the operation of QoS, ACL and other message rate limiting functions set in the VFP and IFP stages.
Compared with the prior art, the enhanced protection scheme for the CPU management message and the data message provided by the invention has the following unique characteristics:
(1) The scheme uses the EFP technology and can flexibly process the outgoing message flow; compared with other technologies based on the IFP or VFP, it has the advantages of higher performance, lower resource occupation and a wider application range, and can monitor and control the state and behaviour of network traffic more effectively.
(2) The scheme can carry out flow statistics, flow rate analysis and field analysis on the message flow data sent to the CPU, record and learn from the message flow data, and intelligently discard malicious messages, achieving the purposes of preventing attacks on the CPU, ensuring normal service message forwarding and further optimizing system performance.
The implementation process of the enhanced protection scheme of the CPU management message and the data message and the corresponding technical characteristics provided by the invention are further described by specific examples.
The application of the scheme of the invention in a multi-chip-platform switch is exemplified here, for example in a switch with a Broadcom chip.
First, a command line is designed at the application layer so that a user can conveniently configure and issue the relevant rate limit parameters and view the relevant message flow information. The application layer command line design is shown in figs. 1 and 2.
Referring to FIG. 1, the command line flow for CPU rate limit configuration is shown. The corresponding command line is configured as follows:
If no packet-type is configured, cpu threshold followed by the specified value is entered directly; this value is then the original global rate limit value.
If a packet-type is configured, the message type, the flow rate keyword cir with the cir value, and the total flow size keyword cbs with the cbs value are entered in sequence, configuring the rate limit parameters for the relevant message.
Meanwhile, at the hardware adaptation layer, the message type and rate limit parameters issued by the application layer are received, matched against the format verification rules of the various messages written by default at the bottom layer, and the corresponding EFP entries are built from them.
Further, the message format verification rules record the layer-2, layer-3 and layer-4 field formats and the matching priority of each message. The fields include the destination MAC, source MAC, protocol type, protocol number, destination IP address, source IP address, port number, TTL and the like of the message. The priorities are arranged from high to low: exactly matched messages, such as ARP and DHCP, are given high priority; fuzzily matched messages, such as IPMC and IPUC, are given low priority. The specific matching rules are shown in fig. 3 and cover most of the commonly used message types in the network.
When the application layer issues the rate limit parameters of the corresponding message, the hardware adaptation layer receives the parameters and establishes the hardware entries in order of priority from high to low, so that message rate limit management is enabled.
When a message sent to the CPU arrives, the system matches it against the hardware entries (i.e. the EFP entries) in order of priority from high to low; if the protocol of the message sent to the CPU matches the protocol of an existing hardware entry, that message type is limited according to the configured rate limit parameters; otherwise, rate limiting is still carried out according to the original CPU global rate limit rule.
Entering cpu threshold auto enable/disable turns the automatic message flow rate optimization function on or off.
Meanwhile, the messages sent to the CPU are counted, and a visual interface is established to display the counted content, facilitating flow management.
Referring to fig. 2, the command line flow for viewing information related to message flow is shown, specifically as follows:
show cpu-threshold configuration views the CPU rate limit configuration.
show cpu-threshold statistics views the total message traffic sent to the CPU.
show cpu-threshold rate views the real-time rate of messages sent to the CPU.
show cpu-threshold packet-type followed by the message type views the attack message information.
By way of further illustration, the specific configuration implementation flow described above is as follows:
(1) Configuring a single message type DHCP
Enter the switch global configuration mode and input cpu threshold packet-type DHCP cir 512 cbs 98304, which represents a flow rate cir of 512 kbps and a total flow size cbs of 98304 bytes for the rate limiting of DHCP messages entering the CPU.
After the configuration is issued, the system establishes two hardware entries in the EFP (Egress ContentAware Processor) according to the DHCP message format and sets 512 kbps and 98304 bytes as the cir and cbs values. The EtherType of both entries is 0x0800, representing an IP protocol message; the protocol number is 17, representing a UDP protocol message; the port number of one entry is 67 and that of the other is 68; the priorities are set to 0x15FFFFE2 and 0x15FFFFE3. These two hardware entries identify and match DHCP messages entering the CPU and limit their rate.
When DHCP messages pass, according to the corresponding flow control algorithm: if the message rate is higher than 512 kbps, i.e. the consumption rate of cbs is higher than the replenishment rate of cir, the cbs capacity is completely consumed after a period of time and rate limiting then takes effect; if the message rate is less than or equal to 512 kbps, i.e. the consumption rate of cbs is less than or equal to the replenishment rate of cir, the cbs capacity is not exhausted and no rate limiting occurs. This rate limiting method keeps the message passing rate within 512 kbps and does not occupy excessive CPU.
If the automatic message flow rate optimization function is enabled, each field of the DHCP message is analyzed when the system CPU flow rate is too high; intelligent analysis is performed according to the flow rate of each message, the flow rate ratio of each message and the fields, the flow rate is controlled, and abnormal messages and unknown messages that have a large flow rate, exist for a long time and are repeated are automatically discarded.
(2) Configuring all message types
Enter the switch global configuration mode and input cpu threshold packet-type all; all messages entering the CPU are then rate limited, with the flow rate cir and the total flow size cbs set to the default values of each message.
After the configuration is issued, the system builds hardware entries for all message types in the EFP (Egress ContentAware Processor), with the matching rules shown in fig. 3; cir and cbs are set to the default value of each message. The priority of exactly matched message types such as ARP and DHCP is set high, and the priority of fuzzily matched message types such as IPMC and IPUC is set low. The priority starts from 0x15FFFFFF and decreases by 1 for each entry; the smaller the value, the lower the priority, which guarantees the accuracy of entry matching.
(3) Viewing message statistics
Taking DHCP as an example:
1) In the global configuration mode, the issued configuration can be viewed by inputting show cpu-threshold configuration. For example:
In the example, the status value is enabled, indicating that the dhcp rate limiting function is turned on, and cir and cbs are the configured flow rate and total flow size.
2) In the global configuration mode, information such as the passing number, discarding number, total traffic, size and source address of the messages can be viewed by inputting show cpu-threshold statistics. For example:
Packet type    Pass(Packet)    Drop(Packet)
dhcp           1434068         11968446873
In the example, the pass value is the total number of messages passed and the drop value is the total number of messages discarded. The statistics are refreshed every 5 seconds.
3) In the global configuration mode, information such as the real-time passing rate and the real-time discarding rate of the messages passing to the CPU can be viewed by inputting show cpu-threshold rate. For example:
Packet type    Pass(Packet/s)    Drop(Packet/s)
dhcp           485               1912127
In the example, the pass value is the real-time passing rate of the messages and the drop value is the real-time discarding rate. At this point the total flow cbs is already full, and the system performs stable CPU rate limiting at the configured cir rate. The statistics are refreshed every 5 seconds.
4) In the global configuration mode, the information related to abnormal messages of a given message type, including source MAC address, source IP address, TTL, packet size and the like, can be viewed by inputting show cpu-threshold message packet-type followed by the message type. For example:
smac is the message source MAC address, sip is the message source IP address, TTL is the message TTL forwarding value, and size is the message size. This function makes it possible to grasp precisely the information of the abnormal messages sent to the CPU and helps to locate the attack source.
Referring to fig. 4, based on the above configuration, the flow of the present example for CPU rate limit protection and traffic management is as follows:
(1) Set the rate limit configuration values (CIR, CBS) of the various messages.
(2) When the system receives a message to be sent to the CPU, it matches it against the message entries in FIG. 3, classifies the message sent to the CPU, limits the rate of each message class according to the configured CIR and CBS, and at the same time counts the passing number, discarding number, size, source and destination of each message class.
(3) The system displays the counted information in the data flow monitoring interface in real time.
(4) The system can periodically analyze the information of the various messages sent to the CPU, intelligently optimize the flow rate of the various messages sent to the CPU, and improve the CPU anti-attack strategy.
The invention carries out statistics management and rate limiting on the various data messages entering the CPU of the switch, realizes further effective protection of the CPU on the basis of the original CPU global rate limit, and improves the running stability of the switch system.
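As an added illustration that is not part of the patent text, the following Python simulation models the flow above: EFP-style match entries ordered by priority classify messages sent to the CPU, a single-rate single-bucket token bucket with the page's example values (cir 512 kbps, cbs 98304 bytes) limits each class, and pass/drop counters correspond to the statistics view. The message fields, the priority values other than DHCP's 0x15FFFFE2/0x15FFFFE3, and the flood traffic are constructed assumptions.

```python
# Added illustration (not the patent's own code): classify CPU-bound messages
# with EFP-style entries in priority order, limit each class with a single-rate
# single-bucket token bucket (CIR kbps / CBS bytes) and keep pass/drop counters
# like 'show cpu-threshold statistics'.  Sample traffic is constructed.
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional

@dataclass(frozen=True)
class Message:
    dmac: str                     # destination MAC, e.g. "ff-ff-ff-ff-ff-ff"
    ethertype: int                # 0x0806 = ARP, 0x0800 = IPv4
    size: int                     # bytes on the wire
    proto: Optional[int] = None   # IP protocol number, 17 = UDP
    dport: Optional[int] = None   # L4 destination port

# (class, priority, predicate): larger priority matches first.  Only the DHCP
# values 0x15FFFFE2/0x15FFFFE3 come from the page; the others are placeholders.
ENTRIES = sorted([
    ("arp",      0x15FFFFFF, lambda m: m.ethertype == 0x0806),
    ("dhcp",     0x15FFFFE3, lambda m: m.ethertype == 0x0800 and m.proto == 17 and m.dport == 67),
    ("dhcp",     0x15FFFFE2, lambda m: m.ethertype == 0x0800 and m.proto == 17 and m.dport == 68),
    ("resv-mac", 0x15FFFF10, lambda m: m.dmac.lower().startswith("01-80-c2")),
    ("bcast",    0x15FFFF00, lambda m: m.dmac.lower() == "ff-ff-ff-ff-ff-ff"),
], key=lambda e: -e[1])

def classify(m: Message) -> str:
    """Highest-priority matching entry; 'global' = fall back to the CPU global limit."""
    return next((name for name, _, pred in ENTRIES if pred(m)), "global")

class TokenBucket:
    """Single rate, single bucket: at most CBS bytes of credit, refilled at CIR."""
    def __init__(self, cir_kbps: int, cbs_bytes: int) -> None:
        self.per_us = Fraction(cir_kbps * 1000, 8 * 1_000_000)   # bytes per microsecond
        self.cbs = cbs_bytes
        self.tokens = Fraction(cbs_bytes)
        self.last_us = 0

    def allow(self, size: int, now_us: int) -> bool:
        self.tokens = min(Fraction(self.cbs), self.tokens + (now_us - self.last_us) * self.per_us)
        self.last_us = now_us
        if self.tokens < size:
            return False              # credit exhausted: the message is dropped
        self.tokens -= size
        return True

class CpuGuard:
    def __init__(self, limits: dict) -> None:          # {class: (cir_kbps, cbs_bytes)}
        self.buckets = {k: TokenBucket(*v) for k, v in limits.items()}
        self.stats = {k: {"pass": 0, "drop": 0} for k in limits}

    def handle(self, m: Message, now_us: int) -> bool:
        cls = classify(m)
        cls = cls if cls in self.buckets else "global"   # unmatched types use the global limit
        ok = self.buckets[cls].allow(m.size, now_us)
        self.stats[cls]["pass" if ok else "drop"] += 1
        return ok

def dhcp_flood_demo() -> dict:
    """Constructed flood: 300-byte DHCP requests every 1 ms for 2 s (2.4 Mbit/s) vs cir 512 kbps / cbs 98304."""
    guard = CpuGuard({"dhcp": (512, 98304), "global": (1024, 131072)})
    # The broadcast DMAC would also match 'bcast', but the exact DHCP entry has priority.
    dhcp = Message("ff-ff-ff-ff-ff-ff", 0x0800, 300, proto=17, dport=67)
    for k in range(2000):
        guard.handle(dhcp, now_us=k * 1000)
    return guard.stats      # credit over 2 s is 98304 + ~64000*2 bytes -> 754 pass, 1246 drop
```

Once the initial 98304-byte credit is spent, the passing rate settles at the cir of 64000 bytes/s (about 213 of the 1000 offered 300-byte messages per second), which is the stable rate-limited state the statistics views above describe.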
The foregoing has shown and described the basic principles, principal features and advantages of the invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, and that the above embodiments and descriptions are merely illustrative of the principles of the present invention, and various changes and modifications may be made without departing from the spirit and scope of the invention, which is defined in the appended claims. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims (10)

1. An enhanced protection method for CPU management messages and data messages, comprising:
message flow data monitoring:
based on the EFP function module of the switch chip, checking the CPU data message rate limit configuration in real time, monitoring the message flow data sent to the CPU in the network in real time, and classifying and counting the various messages;
message traffic rate limiting:
based on the EFP function module of the switch chip, in combination with a single-rate single-bucket token bucket algorithm, limiting the flow rate of the various messages entering the CPU.
2. The enhanced protection method for CPU management messages and data messages according to claim 1, wherein the method can adjust the CPU data message rate limit configuration according to the flow rate of the various messages entering the CPU.
3. The enhanced protection method for CPU management messages and data messages according to claim 1, wherein said method monitors message traffic data by creating EFP entries.
4. The enhanced protection method for CPU management messages and data messages according to claim 3, wherein, when the method carries out message flow rate limiting on the message flow data sent to the CPU, format matching rules for the various protocol messages are configured in the EFP entries, and the various protocol messages are classified by dividing fields.
5. The method of claim 4, wherein the fields include various fields of the network layer, the transport layer and the application layer.
6. The enhanced protection method for CPU management messages and data messages according to claim 4, wherein, when the format matching rules of the various protocol messages are set, corresponding priorities are set for the various protocol messages.
7. The enhanced protection method for CPU management messages and data messages according to claim 6, wherein the priorities are of two types: specific messages with a complete format that are common in the network have high priority; other messages that are unusual in the network and difficult to define and classify have low priority.
8. The method of claim 7, wherein, when the format of a protocol message entering the CPU matches both a high-priority entry and a low-priority entry, the high-priority entry is matched automatically; otherwise the low-priority entry is matched.
9. The enhanced protection method for CPU management messages and data messages according to claim 1, wherein, when the method limits the message flow rate of the message flow data sent to the CPU, whether a message is allowed to pass is judged according to the remaining amount of the configured total flow size.
10. The enhanced protection method for CPU management messages and data messages according to claim 1, wherein the method can analyze the message flow sent to the CPU and divide it into normal messages and unknown messages during the message flow rate limiting process.
CN202311796729.XA 2023-12-25 2023-12-25 Enhanced protection method for CPU management message and data message Pending CN117834541A (en)


Publications (1)

Publication Number Publication Date
CN117834541A true CN117834541A (en) 2024-04-05

Family

ID=90510765



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination