WO2022057647A1 - Packet processing method, system, and device - Google Patents


Info

Publication number
WO2022057647A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
port
attack
packets
forwarding priority
Prior art date
Application number
PCT/CN2021/116602
Other languages
French (fr)
Chinese (zh)
Inventor
曹晶 (Cao Jing)
张耀坤 (Zhang Yaokun)
Original Assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)
Application filed by Huawei Technologies Co., Ltd. (华为技术有限公司)
Publication of WO2022057647A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/10 Flow control; Congestion control
    • H04L 47/22 Traffic shaping
    • H04L 47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L 47/2425 Traffic characterised by specific attributes for supporting services specification, e.g. SLA
    • H04L 47/32 Flow control; Congestion control by discarding or delaying data units, e.g. packets or frames
    • H04L 47/36 Flow control; Congestion control by determining packet size, e.g. maximum transfer unit [MTU]
    • H04L 63/00 Network architectures or network communication protocols for network security

Definitions

  • The present application relates to the field of communication technologies, and in particular to a packet processing method, system and device.
  • A network device usually forwards the packets to be forwarded in order of their forwarding priority: packets with a higher forwarding priority are forwarded first.
  • Packets that affect the normal operation of a network device, such as protocol packets, the device's own detection packets and the more important data packets, are usually given the highest forwarding priority so that they are processed effectively and the device keeps operating normally.
  • Attack packets that carry the highest forwarding priority are also processed preferentially. Since the total bandwidth of each network device is limited, once the number of attack packets increases sharply the total bandwidth of packets with the highest forwarding priority exceeds the total bandwidth of the device, and the device starts dropping packets with the highest forwarding priority. Protocol packets, detection packets or important data packets may therefore be lost, and the device can no longer provide normal service.
  • In one existing approach, the network device identifies safe packets among the received packets using a security policy template, forwards the safe packets normally and discards the packets it does not recognise, thereby defending against attack packets and improving network security.
  • Because the security policy template is fixed, it cannot effectively defend against changing attack packets.
  • The embodiments of the present application provide a packet processing method, system and device with which a network device can identify and process attack packets, so that legitimate packets with the highest forwarding priority are forwarded effectively and the device can keep providing normal service.
  • In a first aspect, an embodiment provides a packet processing method. When a first communication device determines that the packets with the highest forwarding priority transmitted through a first port occupy the bandwidth of the first port such that a first condition is satisfied, it acquires the characteristic information of a first attack packet included in those packets and sends that characteristic information to a control management entity.
  • The first condition is configured on the first communication device for the first port and is used to decide whether attack packet processing needs to be performed on that port.
  • The control management entity can then generate a packet processing policy from the characteristic information of the first attack packet, and the first communication device, based on that policy, drops and/or rate-limits the packets whose characteristic information matches that of the first attack packet. This avoids congestion caused by attacks that ride on high-priority packets and ensures that legitimate packets with the highest forwarding priority are forwarded, so that the first communication device can keep providing normal service.
  • In one implementation, the control management entity generates a packet processing policy from the characteristic information of the first attack packet and the first communication device acquires that policy; the policy is used to process packets matching the characteristic information of the first attack packet.
  • If the control management entity and the first communication device are the same device, the first communication device obtains the packet processing policy through internal data transfer. If they are two different devices, the first communication device obtains the policy through a message, which may be a Border Gateway Protocol (BGP) message, a Path Computation Element Communication Protocol (PCEP) message, a telemetry message or a Network Configuration Protocol (NETCONF) message. For example, the packet processing policy can be carried in an extended Type Length Value (TLV) field of the message, and that TLV carries the characteristic information of the first attack packet.
  • Acquiring the packet processing policy generated by the control management entity is the precondition for subsequently processing the packets that match the characteristic information of the first attack packet, so that the legitimate packets with the highest forwarding priority can be forwarded efficiently by the network device. In the following description the control management entity and the first communication device are taken to be two independent network devices.
  • In one implementation, the first communication device processes a first packet based on the packet processing policy, the first packet being a packet whose characteristic information matches that of the first attack packet.
  • Processing the first packet based on the packet processing policy may consist of dropping the first packet.
  • It may also, or instead, consist of rate-limiting the first packet.
  • By suppressing (dropping or rate-limiting) the first packet that matches the characteristic information of the first attack packet, attack packets are effectively prevented from occupying a large share of the bandwidth available to legitimate packets with the highest forwarding priority, and the forwarding delay of those legitimate packets is reduced.
  • In one implementation, the first communication device also sends indication information to the control management entity, instructing it to generate a packet processing policy.
  • The first communication device may carry the indication information and the characteristic information of the first attack packet in different indication messages delivered to the control management entity.
  • Alternatively, it may carry both in the same indication message.
  • The indication message can be a BGP message, a PCEP message, a telemetry message or a NETCONF message.
  • The indication information and the characteristic information of the first attack packet may be carried in an extended TLV field of any of those message types.
  • They may also be carried in other available fields, such as a Reserved field, of any of those message types.
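The bullets above say the characteristic information and the resulting policy travel in an extended TLV and that the policy is enforced by dropping or rate-limiting matching packets, without specifying the encoding. The following is an added example, not the patent's own format or code: it defines a hypothetical TLV layout (type code 0x01, an IPv4 five-tuple with zero as wildcard, an action and a rate), decodes a TLV list defensively, and applies the decoded policies with a token-bucket rate limiter. Type code, value layout, wildcard convention and bucket parameters are all assumptions made here.

```python
"""Carrying a packet processing policy in an extended TLV and enforcing it.

Added example, not the patent's own format or code. The text only says that the
characteristic information and the resulting policy travel in an extended TLV of
a BGP, PCEP, telemetry or NETCONF message; the type code, the value layout (an
IPv4 five-tuple with zero as wildcard, an action and a rate) and the token-bucket
rate limiter below are assumptions made here for illustration.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Tuple

TLV_ATTACK_FEATURE = 0x01             # hypothetical type code of the extended TLV
ACTION_DROP, ACTION_RATE_LIMIT = 1, 2
_VALUE_FMT = "!4s4sHHBBI"             # src_ip, dst_ip, sport, dport, proto, action, rate_bps
WILDCARD_IP = "0.0.0.0"
FiveTuple = Tuple[str, str, int, int, int]   # src_ip, dst_ip, sport, dport, proto


@dataclass(frozen=True)
class Policy:
    src_ip: str          # "0.0.0.0" = any
    dst_ip: str
    sport: int           # 0 = any
    dport: int
    proto: int
    action: int
    rate_bps: int = 0    # only meaningful for ACTION_RATE_LIMIT


def encode_tlv(p: Policy) -> bytes:
    """Serialise one policy as Type(2) Length(2) Value, big-endian."""
    value = struct.pack(_VALUE_FMT, socket.inet_aton(p.src_ip), socket.inet_aton(p.dst_ip),
                        p.sport, p.dport, p.proto, p.action, p.rate_bps)
    return struct.pack("!HH", TLV_ATTACK_FEATURE, len(value)) + value


def decode_tlvs(buf: bytes) -> List[Policy]:
    """Walk a TLV list: skip unknown types, reject truncated or malformed entries."""
    policies, off = [], 0
    while off + 4 <= len(buf):
        tlv_type, length = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        if off + length > len(buf):
            raise ValueError("truncated TLV")
        value, off = buf[off:off + length], off + length
        if tlv_type != TLV_ATTACK_FEATURE:
            continue
        if length != struct.calcsize(_VALUE_FMT):
            raise ValueError("bad attack-feature TLV length")
        s, d, sp, dp, proto, action, rate = struct.unpack(_VALUE_FMT, value)
        if action not in (ACTION_DROP, ACTION_RATE_LIMIT):
            raise ValueError("unknown action")
        policies.append(Policy(socket.inet_ntoa(s), socket.inet_ntoa(d), sp, dp, proto, action, rate))
    if off != len(buf):
        raise ValueError("trailing bytes after last TLV")
    return policies


def matches(p: Policy, pkt: FiveTuple) -> bool:
    """Five-tuple match; 0 / 0.0.0.0 in the policy matches any value."""
    src, dst, sport, dport, proto = pkt
    return (p.src_ip in (WILDCARD_IP, src) and p.dst_ip in (WILDCARD_IP, dst)
            and p.sport in (0, sport) and p.dport in (0, dport) and p.proto in (0, proto))


class TokenBucket:
    """Byte-based token bucket: rate in bits/s, burst in bytes."""

    def __init__(self, rate_bps: int, burst_bytes: int):
        self.rate, self.burst = rate_bps / 8.0, float(burst_bytes)
        self.tokens, self.last = float(burst_bytes), 0.0

    def allow(self, nbytes: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


class Enforcer:
    """Applies decoded policies to packets; the first matching policy wins."""

    def __init__(self, policies: List[Policy], burst_bytes: int = 1500):
        self.rules = [(p, TokenBucket(p.rate_bps, burst_bytes) if p.action == ACTION_RATE_LIMIT else None)
                      for p in policies]

    def process(self, pkt: FiveTuple, length: int, now: float) -> str:
        """Return "drop" or "forward" for one packet of `length` bytes seen at time `now`."""
        for p, bucket in self.rules:
            if matches(p, pkt):
                if p.action == ACTION_DROP:
                    return "drop"
                return "forward" if bucket.allow(length, now) else "drop"
        return "forward"
```

A practitioner's caveat on the decoder: a policy built from the reported five-tuple can be broad (a wildcard source, say), so the receiving device should validate what it installs, as the decoder does for the action field, and should bound the number of installed policies and age them out; the patent text leaves those details to the implementation.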
  • In one implementation, the first condition is that the proportion of the bandwidth of the first port occupied by the packets with the highest forwarding priority transmitted through that port is greater than or equal to a first threshold. For example, if the first threshold is 70%, the bandwidth of the first port is 20 Gb/s and the first communication device measures 15 Gb/s of highest-priority packets on the first port, the proportion is 75%, which exceeds the first threshold, so the first condition is satisfied.
  • The first condition may instead be that the rate of packets with the highest forwarding priority transmitted through the first port is greater than or equal to a second threshold. For example, if the second threshold is 15 Gb/s, the bandwidth of the first port is 20 Gb/s and the first communication device measures 15 Gb/s of highest-priority packets on the first port, that rate equals the second threshold, so the first condition is satisfied.
  • In one implementation, the first communication device polls the bandwidth occupancy of each of its ports.
  • Polling the bandwidth occupancy of the first port can be implemented with a timer of the traffic management (TM) module of the first communication device: for example, the TM module sets the timer to 1 second and, each time it expires, reads the volume of packets transmitted through the first port once.
  • When polling the first port, the first communication device obtains the volume of all packets transmitted through the port and determines whether the bandwidth of the first port occupied by all of them satisfies a second condition.
  • The second condition may be that the proportion of the bandwidth of the first port occupied by all packets transmitted through the port is greater than or equal to a third threshold, or that the rate of all packets transmitted through the port is greater than or equal to a fourth threshold.
  • When the first communication device determines by polling that all packets transmitted through the first port satisfy the second condition, it concludes that the port is carrying a large volume of traffic and is at risk of congestion, and it then focuses on the bandwidth occupied by the more important packets, those with the highest forwarding priority. If, at that point, the bandwidth of the first port occupied by the highest-priority packets satisfies the first condition, the highest-priority packets transmitted on the first port are considered to contain attack packets. The polling mechanism and the two conditions together are the premise and guarantee for forwarding legitimate highest-priority packets normally through the first port of the first communication device.
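The polling and the two conditions described above, written out as an added example (not code from the patent): each interval a port sample is taken, the second condition on the whole port is checked first, and only then the first condition on the highest-priority share, using the 70% and 15 Gb/s figures from the text on a 20 Gb/s port. The samples are constructed, and reporting the dominant five-tuple among highest-priority packets as the characteristic information is an assumption, since the text does not say how the attack packet is singled out once the conditions hold.

```python
"""Two-stage detection of attack packets riding the highest forwarding priority.

Added example, not code from the patent. Thresholds reuse the figures in the
text (70 % of the port, 15 Gb/s); the port samples are constructed, and picking
the dominant five-tuple as the "characteristic information" is an assumption.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

FiveTuple = Tuple[str, str, int, int, int]   # src_ip, dst_ip, sport, dport, proto


@dataclass
class PortSample:
    """Counters for one polling interval (the text uses a 1 s TM timer)."""
    port: str
    capacity_bps: float              # port bandwidth, bits per second
    total_bps: float                 # rate of all packets in the interval
    top_prio_bps: float              # rate of packets carrying the highest priority
    top_prio_flows: Counter = field(default_factory=Counter)   # bytes per five-tuple


@dataclass(frozen=True)
class Thresholds:
    third_ratio: float = 0.80        # second condition: total >= 80 % of port ...
    fourth_bps: float = 18e9         # ... or total >= 18 Gb/s
    first_ratio: float = 0.70        # first condition: highest priority >= 70 % of port ...
    second_bps: float = 15e9         # ... or highest priority >= 15 Gb/s


def second_condition(s: PortSample, t: Thresholds) -> bool:
    """All traffic on the port is at or above the ratio or absolute threshold."""
    return s.total_bps / s.capacity_bps >= t.third_ratio or s.total_bps >= t.fourth_bps


def first_condition(s: PortSample, t: Thresholds) -> bool:
    """Highest-priority traffic alone is at or above the ratio or absolute threshold."""
    return s.top_prio_bps / s.capacity_bps >= t.first_ratio or s.top_prio_bps >= t.second_bps


def detect(s: PortSample, t: Thresholds = Thresholds()) -> Optional[Dict]:
    """Return the characteristic information to report, or None if the port is fine.

    The port must first be near congestion (second condition); only then is the
    highest-priority share examined (first condition). The dominant five-tuple
    among highest-priority packets is reported as the attack feature.
    """
    if not second_condition(s, t) or not first_condition(s, t):
        return None
    if not s.top_prio_flows:
        return None
    flow, nbytes = s.top_prio_flows.most_common(1)[0]
    return {"port": s.port, "feature": flow, "bytes": nbytes,
            "top_prio_share": s.top_prio_bps / s.capacity_bps}


def example_samples() -> Dict[str, PortSample]:
    """Constructed samples: an attacked port, a busy but clean port and an idle port."""
    bgp_peer: FiveTuple = ("10.0.0.1", "192.0.2.1", 50321, 179, 6)
    attacker: FiveTuple = ("203.0.113.7", "192.0.2.1", 4444, 179, 6)
    # 18 Gb/s total (90 %), 15 Gb/s highest priority (75 %): both conditions hold
    attacked = PortSample("GE1/0/1", 20e9, 18e9, 15e9,
                          Counter({attacker: 1_700_000_000, bgp_peer: 150_000_000}))
    # 17 Gb/s total (85 %) but only 6 Gb/s highest priority (30 %): first condition fails
    busy = PortSample("GE1/0/2", 20e9, 17e9, 6e9, Counter({bgp_peer: 700_000_000}))
    # 2 Gb/s total (10 %): second condition fails, highest priority is not examined
    idle = PortSample("GE1/0/3", 20e9, 2e9, 0.5e9, Counter({bgp_peer: 60_000_000}))
    return {"attacked": attacked, "busy": busy, "idle": idle}
```

The dominant highest-priority flow is not necessarily malicious (a busy BGP session would look the same to this counter), which is one reason to report the characteristic information to the control management entity, as the text does, rather than acting on it locally.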
  • In one implementation, the first communication device has a second port for which a third condition, corresponding to the first condition of the first port, is also set.
  • Packet processing on the second port may then include: when the first communication device determines that the bandwidth of the second port occupied by the packets with the highest forwarding priority transmitted through the second port satisfies the third condition, acquiring the characteristic information of a second attack packet included in those packets and sending it to the control management entity.
  • The third condition may be that the proportion of the bandwidth of the second port occupied by the highest-priority packets transmitted through it is greater than or equal to a fifth threshold, or that the rate of those packets is greater than or equal to a sixth threshold. For the second port, one or more of the foregoing implementations can likewise be used to handle attack packets forged with the highest forwarding priority; the description is not repeated.
  • The characteristic information of an attack packet is information that identifies the attack packet and the attack flow it belongs to.
  • Specifically, it may be all or part of the five-tuple of the attack packet.
  • For example, if the attack packet is an Internet Protocol (IP) packet, the characteristic information may include one or more of: source IP address, destination IP address, source port number, destination port number and transport layer protocol number.
  • If the attack packet is a Multiprotocol Label Switching (MPLS) packet, the characteristic information may include one or more of: the MPLS label, the source Media Access Control (MAC) address, the destination MAC address, the source IP address and the destination IP address of the attack packet.
  • The first communication device may apply the processing method of this embodiment to the packets with the highest forwarding priority transmitted through the first port in whatever network scenario it operates in.
  • For example, the first communication device may operate in an Internet Protocol version 4 (IPv4) network, an Internet Protocol version 6 (IPv6) network, a Virtual Private Network (VPN), a Multiprotocol Label Switching (MPLS) network, a Virtual Extensible Local Area Network (VXLAN) or another network environment.
  • The first communication device may be any network device capable of forwarding packets, for example a switch or a router, or it may be a component with a packet forwarding function, such as a single board or a chip.
  • The TM module may be a TM chip in the first communication device or a functional module that implements the TM function.
  • A port of the first communication device may be a physical port or a logical port.
  • In a second aspect, an embodiment provides a packet processing method in which, when the first communication device determines that the packets with the highest forwarding priority transmitted through the first port occupy the bandwidth of the first port such that the first condition is satisfied, it analyses those packets and determines that the packets transmitted through the first port include attack packets carrying the highest forwarding priority.
  • In one implementation, the first communication device also sends an alarm to the network management system indicating that attack packets are present on the first communication device, so that the network management system can apply security defences and prevent the attack packets from posing a greater threat to the network.
  • The alarm may also carry the characteristic information of the attack packets.
  • In one implementation, after determining that the packets transmitted through the first port include attack packets with the highest forwarding priority, the first communication device acquires the characteristic information of the attack packets.
  • The first communication device may then send that characteristic information to the control management entity and obtain the packet processing policy generated by the control management entity; the policy is used to process packets that match the characteristic information of the attack packets.
  • Based on the packet processing policy, the first communication device can drop and/or rate-limit a first packet, the first packet being a packet whose characteristic information matches that of the attack packets.
  • The first condition may be that the proportion of the bandwidth of the first port occupied by the packets with the highest forwarding priority transmitted through the port is greater than or equal to the first threshold, or that the rate of those packets is greater than or equal to the second threshold.
  • In a third aspect, an embodiment provides a packet processing method in which, when the first communication device determines that the packets with the highest forwarding priority transmitted through the first port occupy the bandwidth of the first port such that the first condition is satisfied, it acquires the characteristic information of an attack packet among those packets and sends it to the control management entity; the control management entity then generates, from that characteristic information, a packet processing policy for processing packets that match it.
  • The method may further include the first communication device obtaining the packet processing policy generated by the control management entity and processing, based on it, a first packet that matches the characteristic information of the attack packet.
  • The method may further include the control management entity sending the packet processing policy to a second communication device, which processes, based on it, a second packet that matches the characteristic information of the attack packet.
  • The first condition may be that the proportion of the bandwidth of the first port occupied by the packets with the highest forwarding priority transmitted through the port is greater than or equal to the first threshold, or that the rate of those packets is greater than or equal to the second threshold.
  • In a fourth aspect, an embodiment provides a packet processing system.
  • The system includes at least a first communication device and a control management entity. The first communication device is configured to determine that the packets with the highest forwarding priority transmitted through the first port occupy the bandwidth of the first port such that the first condition is satisfied, to acquire the characteristic information of an attack packet among those packets and to send it to the control management entity.
  • The control management entity is configured to generate, from the characteristic information of the attack packet, a packet processing policy for processing packets that match that characteristic information.
  • The control management entity is further configured to send the packet processing policy to the first communication device.
  • The first communication device is further configured to process, based on the packet processing policy, a first packet that matches the characteristic information of the attack packet.
  • The system may further include a second communication device; the control management entity is then further configured to send the packet processing policy to the second communication device, which processes, based on it, a second packet that matches the characteristic information of the attack packet.
  • The first condition may be that the proportion of the bandwidth of the first port occupied by the packets with the highest forwarding priority transmitted through the port is greater than or equal to the first threshold, or that the rate of those packets is greater than or equal to the second threshold.
  • In a fifth aspect, the present application provides a first communication device including a transceiver unit and a processing unit.
  • The transceiver unit performs the transmitting and receiving operations of the method of the first aspect, the second aspect or any of their implementations, or the transmitting and receiving operations of the first communication device in the method of the third aspect or any of its implementations.
  • The processing unit performs the operations other than transmitting and receiving in the method of the first aspect, the second aspect or any of their implementations, or the operations other than transmitting and receiving of the first communication device in the method of the third aspect or any of its implementations.
  • For example, the transceiver unit sends the characteristic information of the first attack packet to the control management entity; the processing unit determines that the packets with the highest forwarding priority transmitted through the first port occupy the bandwidth of the first port such that the first condition is satisfied, and acquires the characteristic information of the first attack packet included in those packets.
  • In a sixth aspect, an embodiment provides a first communication device including a first communication interface and a processor.
  • The first communication interface performs the sending operations of the method of the first aspect, the second aspect or any of their implementations, or the sending operations of the first communication device in the method of the third aspect or any of its implementations.
  • The processor performs the operations other than sending and receiving in the method of the first aspect, the second aspect or any of their implementations, or the operations other than sending and receiving of the first communication device in the method of the third aspect or any of its implementations.
  • The first communication device may further include a second communication interface, which performs the receiving operations of the first communication device.
  • In a seventh aspect, an embodiment provides a first communication device including a memory and a processor.
  • The memory holds computer-readable instructions, and the processor, which communicates with the memory, executes those instructions so that the first communication device performs the method of the first aspect, the second aspect or any of their implementations, or the part of the method of the third aspect or any of its implementations that is performed by the first communication device.
  • In a further aspect, an embodiment provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the method of the first aspect, the second aspect or any of their implementations, or the part of the method of the third aspect or any of its implementations that is performed by the first communication device.
  • In a further aspect, an embodiment provides a computer program product including a computer program or computer-readable instructions which, when run on a computer, cause the computer to perform the method of the first aspect, the second aspect or any of their implementations, or the part of the method of the third aspect or any of its implementations that is performed by the first communication device.
  • In a further aspect, an embodiment provides a communication system including the first communication device of the fifth, sixth or seventh aspect and the corresponding control management entity of the third aspect (or the control management entity of the system of the fourth aspect).
  • The communication device in the foregoing embodiments may be a network device that performs the foregoing method, or a single board, line card, chip or the like that performs it.
  • FIG. 1 is a schematic structural diagram of a network 10 to which this embodiment of the application is applied;
  • FIG. 2 is a schematic flowchart of performing packet processing in the network 10 according to an embodiment of the present application
  • FIG. 3 is a schematic flowchart of a method 100 for processing a message in an embodiment of the present application
  • FIG. 4 is a schematic flowchart of another packet processing method 200 in an embodiment of the present application.
  • FIG. 5 is a schematic flowchart of another method 300 for processing a message in an embodiment of the present application.
  • FIG. 6 is a schematic flowchart of another method 400 for processing a message in an embodiment of the present application.
  • FIG. 7 is a schematic structural diagram of a message processing system 700 according to an embodiment of the present application.
  • FIG. 8 is a schematic structural diagram of a first communication apparatus 800 according to an embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of a first communication apparatus 900 in an embodiment of the present application.
  • FIG. 10 is a schematic structural diagram of a first communication apparatus 1000 according to an embodiment of the present application.
  • Ordinal numbers such as "1", "2", "3", "first", "second" and "third" are used to distinguish multiple objects, not to limit their order.
  • "A and/or B" in this application covers the following cases: only A, only B, or both A and B.
  • each network device After the source network device of the packet carries the priority in the packet, each network device forwards the packet according to the priority carried in the packet. Among them, the more important packets correspond to the higher priority packets, and the network device preferentially forwards the higher priority packets compared to the lower priority packets.
  • the highest priority is usually set for the packets that affect the normal operation of network equipment, such as protocol packets, detection packets of network equipment, and more important data packets, to ensure that these packets are processed Efficient processing.
  • the priority carried in the packet is used to instruct the network device to perform the forwarding processing on the packet, the priority is referred to as the forwarding priority in the embodiment of this application, and the forwarding priority mentioned in this application refers to The priority of the packet indicated by the priority field carried in the packet.
  • the forwarding priority of the packet can be determined from the packet itself: for example, when the packet is an IP packet, the forwarding priority may be indicated by the value of the type of service (English: Type of Service, referred to as: TOS) field in the packet; for another example, when the packet is a Multiprotocol Label Switching (English: Multiprotocol Label Switching, referred to as: MPLS) packet, the forwarding priority of the packet may be indicated by the value of the experimental bits (English: Experimental Bits, EXP for short) field in the MPLS packet.
  • attack packets that carry the highest forwarding priority will also be prioritized for processing by the network device, occupying the bandwidth of the network device. Since the total bandwidth of each network device is limited, the received attack packets quickly cause congestion on the network device, for example when the total bandwidth of the received packets to be forwarded exceeds the total bandwidth of the network device. In this case, even to-be-processed packets with the highest forwarding priority are discarded by the network device, so the network device loses protocol packets, detection packets, or more important data packets; the network device is thus effectively attacked by the large number of attack packets, and its normal operation is affected.
  • a security policy template is manually configured on the network device, and the security policy template is used to identify secure packets.
  • the packets identified by the security policy template are forwarded normally, while the packets that cannot be identified by the security policy template are regarded as attack packets and are discarded.
  • because the security policy template is fixed, on the one hand, if an attack packet is forged into a format that the security policy template recognizes, the attack packet cannot be effectively defended against; on the other hand, when a new service is introduced, the security policy template needs to be modified so that it can identify the packets corresponding to the new service, otherwise the packets of the new service are discarded, and the implementation process is relatively complex.
  • an embodiment of the present application provides a packet processing method.
  • when the communication device determines that the bandwidth of a certain port occupied by the packets with the highest forwarding priority transmitted through that port satisfies the condition, that is, at a point when the attack packets carrying the highest forwarding priority have not yet caused congestion on the network device, the characteristic information of the attack packets among the packets with the highest forwarding priority is obtained and sent to the control management entity.
  • the control management entity can generate a packet processing policy based on the characteristic information of the received attack packet and send the packet processing policy to the communication device, so that packets matching the characteristic information are processed (for example, discarded and/or rate-limited).
  • the security defense mechanism provided by this application can effectively identify and process attack packets, effectively avoid network equipment congestion caused by attacks based on high-priority packets, and ensure that normal packets with the highest forwarding priority are effectively forwarded, making it possible for the communication device to provide normal services.
  • the network 10 includes a network device 110, a network device 120, . . . , a network device 130, and a control management entity 200.
  • Each network device includes a traffic management (English: Traffic Management, TM for short) module.
  • the network device 110 includes a TM module 111
  • the network device 120 includes a TM module 121
  • the network device 130 includes a TM module 131.
  • the TM module is used to manage the traffic in the network device to which it belongs, for example, to count the bandwidth of the packets of each forwarding priority corresponding to each port on the network device.
  • Each network device at least has the function of message forwarding; the control and management entity 200 can perform data interaction with each network device, so as to realize the management and control of the network device.
  • the number of network devices included in the network 10 is not specifically limited in this embodiment of the present application; for example, there may be more than three network devices, that is, in addition to the above-mentioned network device 110, network device 120, and network device 130, other network devices are also included; or, the number of network devices included in the network 10 may also be less than 3.
  • the bandwidth of port 1 is c
  • the processing process of the attack packet may include: S11, the TM module 121 of the network device 120 periodically acquires (for example, once every 1 second) the bandwidth a of the packets transmitted through port 1; S12, the TM module 121 judges whether (a / c) ≥ Th1 is satisfied, and if so, executes the following S13, otherwise returns to execute S11; S13, the TM module 121 obtains the bandwidth b of the packets with the highest forwarding priority transmitted through port 1; S14, the TM module 121 judges whether (b / c) ≥ Th2 is satisfied, and if so, executes the following S15, otherwise returns to execute S11; S15, the TM module 121 obtains the quintuple of the attack packet in the packets with the highest forwarding priority (that is, the source Internet Protocol (English: Internet Protocol, IP) address, destination IP address, source port number, destination port number and protocol version number); S16, the network device 120 sends the quintuple of the attack packet to the control management entity 200; S17, the control management entity 200 generates a packet processing policy
  • the attack packets with the highest forwarding priority can be effectively suppressed before they cause serious network congestion, so as to prevent a large number of attack packets with the highest forwarding priority on the network device from occupying the bandwidth resources of normal packets and causing normal packets with the highest forwarding priority to be discarded, which would affect the normal operation of the network.
  • in this way, the discarding of normal packets with the highest forwarding priority can be reduced. It can be seen that the method provided by the embodiment of the present application makes it possible for the network device to still operate normally when attack packets are present.
  • the communication device in this embodiment of the present application may refer to any network device capable of implementing a message forwarding function.
  • the communication device may be a switch, a router, etc.; or, the communication device may also be an internal network device.
  • the control management entity may be any device or functional entity capable of controlling the communication device; for example, the control management entity may be a network cloud engine (English: Network Cloud Engine, NCE for short), a server, or a router with control functions; alternatively, the control management entity may also be a functional entity integrated in any communication device, and the functional entity may be embodied in the form of hardware or in the form of software.
  • the TM module in the communication device may refer to a TM chip in the communication device or a functional module capable of realizing the TM function.
  • the port of the communication device in the embodiment of the present application may be a physical port of the communication device or a logical port of the communication device.
  • a method 100 for processing a packet provided in an embodiment of the present application is implemented by a first communication device, where the first communication device may be any network device with a packet forwarding function in the network, or a single board, a chip, or the like in such a network device.
  • the network device 110, the network device 120, and the network device 130 can all be used as the first communication apparatus to implement the method 100.
  • FIG. 3 is a schematic flowchart of a packet processing method 100 according to an embodiment of the present application. Referring to FIG. 3, the method 100 may include, for example:
  • the forwarding priority carried in the message is used to indicate the priority of the communication device that forwards the message to forward the message.
  • the higher the forwarding priority, the more important the message is, and the more important it is for the communication device to forward the message.
  • the forwarding priorities of the packets can be divided into priority 0 to priority 7, and the packet with priority 7 is the packet with the highest forwarding priority.
  • the forwarding priority and the highest forwarding priority of a packet may be backward compatible, and the highest forwarding priority referred to in the embodiments of this application may be the highest packet priority in any scenario that occurs later.
  • the forwarding priority of the packet may be carried in the priority field of the packet, and the first communication device may determine the forwarding priority to which the packet belongs by parsing the priority field of the received packet.
  • the first condition is a condition defined by the first communication device for the first port and used to determine whether the attack packet processing needs to be performed on the first port.
  • the first communication device may also set a corresponding condition for each port.
  • the first communication device may set a corresponding third condition for the second port, and the third condition and the first condition may be the same or different.
  • a certain port on the first communication device is used as an example for description.
  • the first condition may be that the ratio of the bandwidth of the first port occupied by the packets with the highest forwarding priority transmitted through the first port is greater than or equal to the first threshold.
  • the first threshold is a trigger condition for executing the following S102 and S103 correspondingly set in advance on the first communication device for the first port.
  • for example, if the first threshold is 70%, the bandwidth of the first port is 20 gigabits per second (English: Gb/s), and the first communication device obtains that the packets with the highest forwarding priority transmitted through the first port amount to 15 Gb/s, the ratio is 75%, which is greater than the first threshold, so the first condition is satisfied.
  • the third condition may be that the ratio of the bandwidth of the second port occupied by the packets with the highest forwarding priority transmitted through the second port is greater than or equal to the fifth threshold, where the fifth threshold may be equal to the first threshold, or not equal to the first threshold.
  • the first condition may also be that the bandwidth of the packets with the highest forwarding priority transmitted through the first port is greater than or equal to the second threshold.
  • the second threshold is a trigger condition for executing the following S102 and S103 correspondingly set in advance on the first communication device for the first port.
  • for example, if the second threshold is 15 Gb/s and the first communication device determines that the bandwidth of the packets with the highest forwarding priority on the first port is equal to the second threshold of 15 Gb/s, it determines that the bandwidth of the first port occupied by the packets with the highest forwarding priority transmitted through the first port satisfies the first condition.
  • the third condition may be that the bandwidth of the packets with the highest forwarding priority transmitted through the second port is greater than or equal to the sixth threshold, where the sixth threshold may or may not be equal to the second threshold.
  • the first communication device may periodically (for example, every 100 milliseconds) obtain the size of the packets with the highest forwarding priority transmitted through the first port, and determine whether the bandwidth of the first port occupied by those packets satisfies the first condition. Similarly, the first communication device may also periodically obtain the size of the packets with the highest forwarding priority transmitted through the second port, and determine whether the bandwidth of the second port occupied by those packets satisfies the second condition. In this way, the first communication device can find out in time when the bandwidth of a port occupied by the packets with the highest forwarding priority satisfies the corresponding condition, and then perform the following S102 to S103 on that port, so as to prevent congestion of the port from affecting the forwarding of normal packets with the highest forwarding priority.
  • the first communication device may also, based on an event trigger, acquire the size of the packets with the highest forwarding priority transmitted through the first port, and determine whether the bandwidth of the first port occupied by those packets satisfies the first condition.
  • the event triggering the execution of S101 includes but is not limited to: the first communication device determines that all packets transmitted through the first port satisfy the second condition, where the second condition is a condition defined by the first communication device for the first port and used to determine whether to measure the packets with the highest forwarding priority on the first port.
  • the first communication device may also set a corresponding event-triggered condition for each port.
  • the first communication device may set a corresponding fourth condition for the second port, and the fourth condition and the second condition may be the same or different. In the embodiments of the present application, a certain port on the first communication device is used as an example for description.
  • the second condition may be that the proportion of all packets transmitted through the first port occupying the bandwidth of the first port is greater than or equal to the third threshold.
  • the third threshold is a threshold corresponding to the first port pre-set on the first communication device.
  • for example, if the third threshold is 80%, the bandwidth of the first port is 20 gigabits per second (English: Gb/s), and the first communication device obtains that all packets transmitted through the first port amount to 17 Gb/s, the proportion is 85%, which is greater than the third threshold, so the second condition is satisfied.
  • the fourth condition may be that the proportion of the bandwidth of the second port occupied by all packets transmitted through the second port is greater than or equal to the seventh threshold, where the seventh threshold may or may not be equal to the third threshold.
  • the second condition may also be that the bandwidth of all packets transmitted through the first port is greater than or equal to the fourth threshold.
  • the fourth threshold is a threshold corresponding to the first port set in advance on the first communication device. For example, if the fourth threshold is 18 Gb/s, the bandwidth of the first port is 20 Gb/s, and the first communication device acquires that all packets transmitted through the first port amount to 18.5 Gb/s, the first communication device determines that the size of all the packets transmitted on the first port is greater than the fourth threshold of 18 Gb/s, and so determines that the bandwidth of the first port occupied by all the packets transmitted through the first port satisfies the second condition.
  • the magnitude relationship between the fourth threshold and the second threshold is not specifically limited.
  • the fourth condition may be that the bandwidth of all packets transmitted through the second port is greater than or equal to the eighth threshold, where the eighth threshold may or may not be equal to the fourth threshold.
  • the method 100 may further include: S21, the first communication device polls the first port, and obtains the size of all packets transmitted through the first port.
  • the polling in S21 may be specifically implemented by the timer of the TM module of the first communication device.
  • the timing of the timer is set to 1 second, and when the timer reaches 1 second, the size of all packets transmitted through the first port is obtained.
  • the first communication device obtains the size of all packets transmitted through the first port, and obtains the size of the packets with the highest forwarding priority transmitted through the first port; both may be achieved by the first communication device performing a measurement operation on the first port through its own TM module.
  • the first communication device may monitor and process, according to the network scenario in which it operates, the packets with the highest forwarding priority that are transmitted through the first port in that scenario.
  • the first communication device may run in an Internet Protocol version 4 (English: Internet Protocol version 4, referred to as: IPv4) network, an Internet Protocol version 6 (English: Internet Protocol version 6, referred to as: IPv6) network, a Virtual Private Network (English: Virtual Private Network, referred to as: VPN), a Multiprotocol Label Switching (English: Multiprotocol Label Switching, referred to as: MPLS) network, a Virtual Extensible Local Area Network (English: Virtual Extensible Local Area Network, referred to as: VXLAN), and other network environments.
  • the first condition may be that the proportion of the bandwidth of the first port occupied by the IPv6 packets with the highest forwarding priority transmitted through the first port is greater than or equal to the first threshold; or, the first condition may also be that the bandwidth of the IPv6 packets with the highest forwarding priority transmitted through the first port is greater than or equal to the second threshold.
  • the second condition may be that the proportion of the bandwidth of the first port occupied by all IPv6 packets transmitted through the first port is greater than or equal to the third threshold; or, the second condition may also be that the bandwidth of all IPv6 packets transmitted through the first port is greater than or equal to the fourth threshold.
  • the first communication device may process the attack packet by executing the following S102-S103.
  • S102 Acquire feature information of a first attack packet in the packet with the highest forwarding priority transmitted through the first port.
  • the characteristic information of the attack packet refers to characteristic information that can identify the attack packet and the attack flow to which the attack packet belongs.
  • the characteristic information of the attack packet may specifically be all or part of the contents of the five-tuple of the attack packet.
  • the characteristic information of the attack packet may include one or more of the following: source IP address, destination IP address, source port number, destination port number, or transport layer protocol number; for another example, if the attack packet is an MPLS packet, the characteristic information of the attack packet may include one or more of the following: the MPLS label, the source media access control (English: Media Access Control, MAC for short) address of the attack packet, the destination MAC address, the source IP address, and the destination IP address.
  • the characteristic information of the attack packet may be a source IP address, a destination IP address, a source port number, a destination port number, and a transport layer protocol number.
  • the first communication device determines the first attack packet according to the source IP address, destination IP address, source port number, destination port number and transport layer protocol number of each packet among the packets with the highest forwarding priority transmitted through the first port, so as to obtain the source IP address, destination IP address, source port number, destination port number, and transport layer protocol number of the first attack packet, which are used as the feature information of the first attack packet in the packets with the highest forwarding priority obtained in S102.
  • the characteristic information of the attack packet may be the source port number and the destination port number; the first communication device determines the first attack packet from the source port number and destination port number of each packet among the packets with the highest forwarding priority transmitted through the first port, so as to obtain the source port number and destination port number of the first attack packet as the feature information of the first attack packet in the packets with the highest forwarding priority obtained in S102. For example, a packet whose source port number and destination port number are constantly changing may be determined by the first communication device as the first attack packet.
  • the characteristic information of the attack packet may be the source MAC address and the destination MAC address; the first communication device determines the first attack packet from the source MAC address and destination MAC address of each packet among the packets with the highest forwarding priority transmitted through the first port, so as to obtain the source MAC address and destination MAC address of the first attack packet as the feature information of the first attack packet in the packets with the highest forwarding priority obtained in S102. For example, a packet whose source MAC address and destination MAC address keep changing may be determined by the first communication device as the first attack packet.
  • the TM module of the first communication device may determine the first attack packet from the packets with the highest forwarding priority transmitted through the first port and obtain the feature information of the first attack packet, which provides a basis for the subsequent processing of the first attack packet, so that the first attack packet can be sensed and suppressed, providing the conditions for the normal operation of the first communication device.
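The measurement, the two conditions and the feature extraction of S101 to S102 (including the worked 20 Gb/s, 70% and 80% figures above), as an added Python example that is not code from the patent or from the applicant. Assumptions not in the patent: a one-second measurement period, forwarding priority 7 as the highest, packet sizes scaled so that a few records reach the stated bandwidths, and "constantly changing" ports approximated as a (source IP, destination IP, protocol) group seen with more than a hypothetical number of distinct port pairs.

```python
"""Added example (not the patent's own code): one timer tick of the port monitor
described in S101-S102, in Python. All names and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

HIGHEST_PRIORITY = 7          # assumption: priorities 0..7, 7 = highest forwarding priority


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    proto: int                # transport-layer protocol number (6 = TCP, 17 = UDP)
    prio: int                 # forwarding priority carried in the packet's priority field
    size: int                 # bytes on the wire (scaled up in the sample below)


def bandwidth_gbps(packets, period_s=1.0):
    """Stand-in for the TM module's measurement: bandwidth of a packet set in Gb/s."""
    return sum(p.size for p in packets) * 8 / period_s / 1e9


def second_condition_met(packets, port_gbps, third_threshold):
    """Second condition (S21 trigger): all-packet bandwidth / port bandwidth >= third threshold."""
    return bandwidth_gbps(packets) / port_gbps >= third_threshold


def first_condition_met(packets, port_gbps, first_threshold):
    """First condition (S101): highest-priority bandwidth / port bandwidth >= first threshold."""
    top = [p for p in packets if p.prio == HIGHEST_PRIORITY]
    return bandwidth_gbps(top) / port_gbps >= first_threshold


def attack_features(packets, max_port_pairs=8):
    """S102: among highest-priority packets, flag (src, dst, proto) groups whose source and
    destination port numbers keep changing, and return the stable part of their five-tuple
    as feature information. max_port_pairs is a hypothetical cutoff, not from the patent."""
    pairs = defaultdict(set)
    for p in packets:
        if p.prio == HIGHEST_PRIORITY:
            pairs[(p.src_ip, p.dst_ip, p.proto)].add((p.sport, p.dport))
    return [
        {"src_ip": s, "dst_ip": d, "proto": pr, "port_pairs_seen": len(ports)}
        for (s, d, pr), ports in sorted(pairs.items())
        if len(ports) > max_port_pairs
    ]


def monitor_period(packets, port_gbps, first_threshold, third_threshold):
    """One timer tick: second condition first (cheap, all packets), then the first condition
    (highest priority only), then feature extraction. None means nothing to report (S103)."""
    if not second_condition_met(packets, port_gbps, third_threshold):
        return None
    if not first_condition_met(packets, port_gbps, first_threshold):
        return None
    return attack_features(packets)


def constructed_sample():
    """Constructed traffic for one second on a 20 Gb/s port: 12 Gb/s of priority-7 UDP with
    changing ports, 3 Gb/s of priority-7 traffic with fixed ports, 2 Gb/s of priority-0 data.
    Sizes are scaled so a handful of records add up to the bandwidths in the text."""
    flood = [Packet("203.0.113.5", "198.51.100.10", 1024 + i, 30000 + i, 17, 7, 15_000_000)
             for i in range(100)]                                      # 1.5e9 B = 12 Gb/s
    control = [Packet("192.0.2.1", "192.0.2.2", 179, 179, 6, 7, 37_500_000)
               for _ in range(10)]                                     # 3.75e8 B = 3 Gb/s
    data = [Packet("192.0.2.10", "192.0.2.20", 5000, 443, 6, 0, 25_000_000)
            for _ in range(10)]                                        # 2.5e8 B = 2 Gb/s
    return flood + control + data


if __name__ == "__main__":
    # 17 Gb/s of 20 Gb/s (85% >= 80%) and 15 Gb/s of priority 7 (75% >= 70%): both conditions hold,
    # and only the group with 100 distinct port pairs is reported as the attack flow.
    print(monitor_period(constructed_sample(), port_gbps=20.0,
                         first_threshold=0.70, third_threshold=0.80))
```

The fixed-port priority-7 group is never reported, which is the point of extracting feature information rather than acting on the priority alone.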
  • S103 Send the feature information of the first attack packet to the control management entity.
  • S103 may be, for example, that the first communication device sends an indication message to the control management entity, where the indication message carries the feature information of the first attack message acquired in S102.
  • the indication message can be any one of the following messages: a Border Gateway Protocol (English: Border Gateway Protocol, referred to as: BGP) message, a Path Computation Element Communication Protocol (English: Path Computation Element Communication Protocol, referred to as: PCEP) message, a telemetry (English: Telemetry) message, or a Network Configuration Protocol (English: Network Configuration Protocol, referred to as: NETCONF) message.
  • the characteristic information of the first attack packet may be carried through an extended type length value (English: Type Length Value, TLV for short) field in any of the foregoing types of packets.
  • the feature information of the first attack packet may also be carried through other available fields, such as a reserved field.
  • when the control management entity and the first communication device are two different devices, taking the indication message as a Telemetry message as an example, before executing S103 it is also necessary to establish network layer connectivity between the first communication device and the control management entity through a routing protocol, and to configure and enable the Telemetry function on both the first communication device and the control management entity, so that after S102 the first communication device can carry the feature information of the first attack packet in a Telemetry packet and send it to the control management entity.
  • the first communication device may periodically send the attack detection result to the control management entity, and when the control management entity determines that the received attack detection result includes the feature information of the first attack packet, it actively generates a packet processing policy for the first attack packet.
  • alternatively, the first communication device sends the feature information of the first attack packet to the control management entity only when the first attack packet is detected, and in this case the control management entity may also actively generate a packet processing policy for the first attack packet.
  • the first communication device may also send indication information to the control management entity for instructing the control management entity to generate a packet processing policy, where the packet processing policy is used to process packets matching the feature information of the first attack packet.
  • the first communication device may carry the indication information and the feature information of the first attack packet in one indication packet and send it to the control management entity, or the first communication device may carry the indication information and the feature information of the first attack packet in different indication packets and send them to the control management entity respectively.
  • the indication message for carrying the indication information may be any one of the following messages: a BGP message, a PCEP message, a Telemetry message or a NETCONF message.
  • when the control management entity and the first communication device belong to the same network device, taking the indication message as a Telemetry message as an example, before executing S103 the Telemetry function needs to be configured and enabled on the first communication device and the control management entity.
  • the first communication device may send the feature information of the first attack packet to the control management entity in the form of Telemetry data.
  • the first communication device can, when it determines that the bandwidth of the first port occupied by the packets with the highest forwarding priority transmitted through the first port satisfies the first condition, obtain the feature information of the first attack packet in the packets with the highest forwarding priority and send it to the control management entity.
  • the control management entity can generate a packet processing policy based on the characteristic information of the received first attack packet and send the packet processing policy to the communication device, so that the communication device receiving the packet processing policy can process the packets matching the characteristic information of the first attack packet based on the policy (for example, discard and/or rate-limit them), so that the first attack packet does not cause the port of the first communication device to become congested.
  • the security defense mechanism can effectively identify and process attack packets to ensure that the attack packets do not cause the communication device to be congested, thereby ensuring that the secure packets with the highest forwarding priority are effectively forwarded, making it possible for the first communication device to provide normal services.
  • the above takes the processing of the attack packet in the packets with the highest forwarding priority transmitted on the first port as an example to describe the implementation and effect of the packet processing method provided in the embodiment of the present application. Similarly, the method can be applied to other ports. For example, when it is determined that the bandwidth of the second port occupied by the packets with the highest forwarding priority transmitted through the second port satisfies the third condition, the characteristic information of the second attack packet in the packets with the highest forwarding priority transmitted through the second port is obtained and sent to the control management entity. The "first" and "second" in the first attack packet and the second attack packet only distinguish the attack packets with the highest forwarding priority transmitted on different ports, and do not refer to a specific packet.
  • when the first communication apparatus determines that the bandwidth of the first port occupied by the packets with the highest forwarding priority transmitted through the first port satisfies the first condition, it may analyze those packets and determine that the packets with the highest forwarding priority transmitted through the first port include attack packets.
  • the first communication device may also send an alarm signal to the network management device to notify the network management that there is an attack packet on the first communication device, so that the network management can manage and control the first communication device and the communication devices that may transmit attack packets, to ensure network security.
  • the embodiment of the present application also provides another method 200 for processing attack packets.
  • the method may further include:
  • S104: the control management entity generates a packet processing policy based on the characteristic information of the first attack packet, where the packet processing policy is used to process the packets matching the characteristic information of the first attack packet.
  • the packet processing strategy may include, for example, feature information and a processing strategy of the first attack packet.
  • the characteristic information of the first attack packet is used to describe the characteristic information of the to-be-processed packet, so that the second communication device executing the packet processing policy can determine the attack packet to be processed according to the processing policy.
  • the processing strategy refers to the specific processing operation performed on the to-be-processed packet. For example, it can be a packet loss operation, that is, packet loss processing is performed on the packets matching the characteristic information of the first attack packet; for another example, it can be a rate-limiting operation, that is, rate-limiting processing is performed on the packets matching the characteristic information of the first attack packet. Whether it is packet loss or rate limiting, it effectively reduces the preemption of network resources by attack packets, and in particular the probability of insufficient bandwidth resources for normal packets with the highest forwarding priority.
  • any current algorithm for packet loss and/or rate limiting processing may be adopted, which is not specifically limited in this embodiment of the present application.
  • S105: the control management entity sends the packet processing policy to the second communication apparatus.
  • the second communication apparatus and the first communication apparatus may belong to the same network device, or may belong to two different network devices.
  • the control management entity may carry the packet processing policy in a BGP message, a PCEP message, a Telemetry message or a NETCONF message and send it to the second communication device.
  • control and management entity may also send indication information to the second communication device for instructing the second communication device to process the packet matching the feature information of the first attack packet according to the packet processing policy.
  • the second communication apparatus processes the packet matching the feature information of the first attack packet based on the packet processing policy.
  • S106 may, for example, include: the second communication device obtains a first packet; it then judges whether the packet features of the first packet match the packet features of the first attack packet in the packet processing policy and, if they match, processes the first packet based on the processing policy in the packet processing policy.
  • processing the first packet based on the packet processing policy may, for example, include: dropping the first packet based on the processing policy in the packet processing policy, or rate-limiting the first packet based on the processing policy in the packet processing policy.
  • S106 may also include, for example: the second communication device determines whether the packets transmitted through the first port match the packet features of the first attack packet in the packet processing policy and, if they match, drops or rate-limits those packets based on the processing policy in the packet processing policy. This prevents the first communication device from losing normal packets with the highest forwarding priority because of the first attack packet, ensuring that the first communication device forwards normal packets effectively.
  • the second communication device may be any network device controlled by the control management entity. Thus, even if the first attack packet reaches other communication devices in the network, those devices can also be prevented from losing normal packets with the highest forwarding priority because of the first attack packet, ensuring that they forward normal packets effectively.
  • the second communication device may be the previous-hop node, on the transmission path of the attack packet, of the network device where the first communication device is located.
  • when the control management entity sends the packet processing policy to that previous-hop second communication device, the first attack packet is suppressed as close to its source as possible, so that it no longer occupies the bandwidth resources of the first communication device and its influence on the first communication device is eliminated.
  • the control management entity may also send the packet processing policy to the first communication device; the first communication device can then use the packet processing policy to process packets received from the first port that match the feature information of the attack packet.
  • the control management entity may also send the packet processing policy to all communication devices in the network connected to it, so that each communication device can determine that a received packet matching the feature information is an attack packet and drop or rate-limit it based on the processing policy in the packet processing policy. In this way, the first attack packet is effectively prevented from being transmitted between multiple communication devices in the network and attacking them, which greatly improves network security.
  • the control management entity generates a packet processing policy based on the feature information of the first attack packet reported by the first communication device and sends it to the second communication device, which processes packets matching that feature information. The security defense mechanism therefore takes effect before the attack packets cause port congestion on the first communication device or threaten its security: the attack packets are identified and processed so that they do not congest the communication device, ensuring that secure packets with the highest forwarding priority are effectively forwarded and making it possible for the first communication device to provide normal services.
  • the method may further include: the control management entity generates a packet processing policy based on the feature information of the second attack packet, where the packet processing policy is used to process packets matching the feature information of the second attack packet; the control management entity sends the packet processing policy to a third communication device; and the third communication device processes packets matching the feature information of the second attack packet based on the packet processing policy.
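The policy generation and enforcement described above (method 200, steps through S106), as an added illustration that is not code from the patent. It assumes a policy keyed on the 5-tuple-style feature information (source, destination, IP protocol, destination port), a drop action and a rate-limit action implemented with a token bucket; the page does not fix any of these details, and the class and function names are the example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FeatureInfo:
    """Feature information of the first attack packet, as reported by the first communication device.
    Which fields make up the feature information is an assumption of this example."""
    src: str
    dst: str
    proto: int
    dport: int


@dataclass(frozen=True)
class PacketProcessingPolicy:
    """Feature information plus the processing action chosen by the control management entity."""
    features: FeatureInfo
    action: str              # "drop" or "rate_limit"
    rate_limit_bps: int = 0  # used only for "rate_limit"
    burst_bytes: int = 0     # used only for "rate_limit"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int
    length: int  # bytes


def generate_policy(features, action="drop", rate_limit_bps=0, burst_bytes=0):
    """Control management entity: turn reported feature information into a packet processing policy."""
    if action not in ("drop", "rate_limit"):
        raise ValueError("unsupported action")
    if action == "rate_limit" and (rate_limit_bps <= 0 or burst_bytes <= 0):
        raise ValueError("rate_limit needs a positive rate and burst")
    return PacketProcessingPolicy(features, action, rate_limit_bps, burst_bytes)


class TokenBucket:
    """Token bucket used for the rate-limit action. Time is integer milliseconds so refills stay exact."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bytes_per_ms = rate_bps / 8000
        self.capacity = burst_bytes
        self.tokens = float(burst_bytes)
        self.last_ms = None

    def allow(self, nbytes, now_ms):
        if self.last_ms is None:
            self.last_ms = now_ms
        self.tokens = min(self.capacity, self.tokens + (now_ms - self.last_ms) * self.rate_bytes_per_ms)
        self.last_ms = now_ms
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


class SecondCommunicationDevice:
    """Installs packet processing policies received from the controller and applies them per packet."""

    def __init__(self):
        self.policies = []
        self.buckets = {}

    def install(self, policy):
        self.policies.append(policy)
        if policy.action == "rate_limit":
            self.buckets[policy.features] = TokenBucket(policy.rate_limit_bps, policy.burst_bytes)

    @staticmethod
    def matches(pkt, f):
        return (pkt.src, pkt.dst, pkt.proto, pkt.dport) == (f.src, f.dst, f.proto, f.dport)

    def handle(self, pkt, now_ms=0):
        """Return 'forward' or 'drop' for one packet; non-matching packets are always forwarded."""
        for policy in self.policies:
            if not self.matches(pkt, policy.features):
                continue
            if policy.action == "drop":
                return "drop"
            return "forward" if self.buckets[policy.features].allow(pkt.length, now_ms) else "drop"
        return "forward"


def simulate(policy, timed_packets):
    """Install one policy on a fresh device and run a list of (now_ms, Packet) through it."""
    dev = SecondCommunicationDevice()
    dev.install(policy)
    return [dev.handle(p, t) for t, p in timed_packets]


# Constructed feature information; addresses are from the RFC 5737 documentation ranges.
ATTACK = FeatureInfo("203.0.113.7", "192.0.2.2", 17, 3784)
```

With a 1 Mb/s, 3000-byte-burst rate limit, a burst of three 1500-byte matching packets at the same instant lets two through and drops the third, and 12 ms later the bucket has refilled exactly one packet's worth; packets that do not match the feature information are never touched, which is the property that keeps legitimate highest-priority traffic flowing.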
  • the third communication apparatus and the first communication apparatus may belong to the same network device, or may belong to two different network devices.
  • FIG. 5 shows a schematic flowchart of a packet processing method 300 in an embodiment of the present application.
  • the method 300 takes the first communication device as the execution subject, and the method 300 may include, for example:
  • the first communication device determines that the bandwidth of the first port occupied by packets with the highest forwarding priority transmitted through the first port satisfies the first condition.
  • S303: determine that the packets transmitted through the first port include an attack packet with the highest forwarding priority.
  • the first communication device may also send an alarm signal to the network management device, where the alarm signal indicates that there are attack packets on the first communication device, so that the network management device can defend the network and prevent the attack packets from posing a greater threat to it.
  • the alarm signal may also carry the feature information of the attack packet.
  • the first communication apparatus may further acquire feature information of the attack packet after determining that the packet transmitted by the first port includes the attack packet with the highest forwarding priority.
  • the first communication device may also send the feature information of the attack packet to the control management entity and obtain the packet processing policy generated by the control management entity, where the packet processing policy is used to process packets matching the feature information of the attack packet. The first communication device can then drop and/or rate-limit a first packet based on the packet processing policy, the first packet being a packet whose feature information matches that of the attack packet.
  • the first condition may include that the ratio of the bandwidth of the first port occupied by the packets with the highest forwarding priority transmitted through the first port is greater than or equal to the first threshold.
  • the first condition may also include that the rate of packets with the highest forwarding priority transmitted through the first port is greater than or equal to the second threshold.
  • FIG. 6 shows a schematic flowchart of a packet processing method 400 in an embodiment of the present application.
  • the method 400 is described with the interaction between the first communication device and the control management entity.
  • the method 400 may include:
  • the first communication device sends the characteristic information of the attack packet to the control management entity
  • the control and management entity generates a packet processing policy based on the characteristic information of the attack packet, where the packet processing policy is used to process the packet matching the characteristic information of the attack packet.
  • the method 400 may further include: the first communication apparatus obtains the packet processing policy generated by the control management entity and processes a first packet based on it, the first packet being a packet matching the feature information of the attack packet.
  • the method 400 may further include: the control management entity sends the packet processing policy to the second communication apparatus, which processes a second packet based on it, the second packet being a packet matching the feature information of the attack packet.
  • the first condition may include that the ratio of the bandwidth of the first port occupied by the packets with the highest forwarding priority transmitted through the first port is greater than or equal to the first threshold.
  • the first condition may also include that the rate of packets with the highest forwarding priority transmitted through the first port is greater than or equal to the second threshold.
  • an embodiment of the present application further provides a packet processing system 700, as shown in FIG. 7.
  • the system 700 may include at least a first communication device 701 and a control management entity 702, where:
  • the first communication device 701 is configured to, when determining that the bandwidth of the first port occupied by packets with the highest forwarding priority transmitted through the first port satisfies a first condition, obtain the feature information of the attack packet among those packets and send it to the control management entity 702;
  • the control and management entity 702 is configured to generate a packet processing policy according to the packet characteristic information of the attack packet, where the packet processing policy is used to process the packet matching the characteristic information of the attack packet.
  • the control management entity 702 is further configured to send the packet processing policy to the first communication apparatus, and the first communication device 701 is further configured to process a first packet based on the packet processing policy, where the first packet is a packet matching the feature information of the attack packet.
  • the system 700 may further include a second communication apparatus, in which case the control management entity 702 is further configured to send the packet processing policy to the second communication apparatus, and the second communication device is further configured to process a second packet based on the packet processing policy, where the second packet is a packet matching the feature information of the attack packet.
  • the first condition may include that the ratio of the bandwidth of the first port occupied by the packets with the highest forwarding priority transmitted through the first port is greater than or equal to the first threshold.
  • the first condition may also include that the rate of packets with the highest forwarding priority transmitted through the first port is greater than or equal to the second threshold.
  • an embodiment of the present application further provides a first communication apparatus 800, as shown in FIG. 8 .
  • the first communication apparatus 800 includes a processing unit 801 and a sending unit 802 .
  • the processing unit 801 is configured to execute the processing operation performed by the first communication device in any of the embodiments shown in FIG. 3 to FIG. 6 ;
  • the sending unit 802 is configured to perform the sending operation performed by the first communication device in any of the embodiments shown in FIG. 3 to FIG. 6 above.
  • the processing unit 801 may perform the operations in the embodiment in FIG.
  • the sending unit 802 may perform the operation in the embodiment in FIG. 3: send the feature information of the first attack packet to the control management entity.
  • an embodiment of the present application further provides a first communication apparatus 900, as shown in FIG. 9 .
  • the first communication device 900 includes a first communication interface 901 , a second communication interface 902 and a processor 903 .
  • the first communication interface 901 is used to perform the aforementioned receiving operation performed by the first communication device in any of the embodiments shown in FIG. 3 to FIG. 6 ;
  • the second communication interface 902 is used to perform the sending operation performed by the first communication device in any of the embodiments shown in FIG. 3 to FIG. 6;
  • the processor 903 is configured to perform the operations, other than the receiving and sending operations, performed by the first communication apparatus in any of the embodiments shown in FIG. 3 to FIG. 6.
  • the processor 903 may perform the operations in the embodiment of FIG. 3: determine that the bandwidth of the first port occupied by packets with the highest forwarding priority transmitted through the first port satisfies the first condition, and obtain the feature information of the first attack packet included in those packets.
  • an embodiment of the present application further provides a first communication apparatus 1000, as shown in FIG. 10 .
  • the first communication device 1000 includes a memory 1001 and a processor 1002 in communication with the memory 1001 .
  • the memory 1001 stores computer-readable instructions, and the processor 1002 is configured to execute them so that the first communication device 1000 performs the method executed by the first communication device in any of the embodiments shown in FIG. 3 to FIG. 6.
  • the processor may be a central processing unit (CPU), a network processor (NP) or a combination of a CPU and an NP.
  • the processor may also be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • the PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination thereof.
  • a processor may refer to a single processor or may include multiple processors.
  • the memory may include volatile memory, such as random-access memory (RAM); it may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory may also be a combination of the above kinds of memory.
  • the memory may refer to one memory, or may include multiple memories.
  • computer-readable instructions are stored in the memory, and the computer-readable instructions include a plurality of software modules, such as a sending module, a processing module and a receiving module. After executing each software module, the processor can perform corresponding operations according to the instructions of each software module. In this embodiment, the operation performed by a software module actually refers to the operation performed by the processor according to the instruction of the software module. After the processor executes the computer-readable instructions in the memory, it can execute all operations that can be performed by the first communication device in the packet processing method according to the instructions of the computer-readable instructions.
  • the second communication interface 902 of the first communication device 900 can specifically serve as the sending unit 802 of the first communication device 800, realizing data communication between the first communication device and the control management entity; the first communication interface 901 of the first communication apparatus 900 can specifically serve as a receiving unit of the first communication apparatus 800, for example to receive packets sent by an upstream network device.
  • an embodiment of the present application further provides a communication system, in which the first communication apparatus may be, for example, the first communication apparatus 800, 900 or 1000 described above.
  • when the communication system is the packet processing system 700 described above, the first communication device is the first communication device 701 and the control management entity is the control management entity 702.
  • an embodiment of the present application also provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to execute the packet processing method in any of the embodiments shown in FIG. 3 to FIG. 6 above.
  • the embodiments of the present application also provide a computer program product, including a computer program or computer-readable instructions which, when run on a computer, cause the computer to execute the packet processing method in any of the embodiments shown in FIG. 3 to FIG. 6 above.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Disclosed in embodiments of the present application are a packet processing method, a system, and a device, comprising: when a first communication device determines that the bandwidth of a first port occupied by packets having the highest forwarding priority transmitted by the first port satisfies a first condition, obtaining feature information of a first attack packet comprised in the packets having the highest forwarding priority transmitted by the first port, and sending the feature information of the first attack packet to a control management entity, such that the control management entity generates a packet processing strategy on the basis of packet features of the received attack packet, and thus the communication device can perform processing such as packet loss and/or rate limit on the packet matching the feature information of the attack packet on the basis of the packet processing strategy, thereby preventing network device congestion caused by attacks based on high-priority packets and ensuring that normal packets having the highest forwarding priority can be effectively forwarded, thus enabling the communication device to provide normal services.

Description

Packet processing method, system and device
This application claims priority to Chinese patent application No. 202010966693.5, entitled "Packet processing method, system and device", filed with the China National Intellectual Property Administration on September 15, 2020, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of communication technologies, and in particular to a packet processing method, system and device.
Background
A network device usually forwards the packets to be forwarded in order of their forwarding priority: packets with a higher forwarding priority are forwarded first. For protocol packets, detection packets of the network device and relatively important data packets, normal forwarding is essential to the normal operation of the network device, so these packets are usually assigned the highest forwarding priority to ensure that they are processed effectively and the network device keeps running normally.
However, if the network device receives attack packets with the highest forwarding priority, these attack packets are also processed preferentially. Since the total bandwidth of each network device is limited, once the number of attack packets surges and the total bandwidth of packets with the highest forwarding priority exceeds the total bandwidth of the network device, the network device drops packets of the highest forwarding priority. Protocol packets, detection packets of the network device or relatively important data packets are then very likely to be lost, and the network device can no longer provide normal services.
At present, a security policy template is configured manually on the network device; using the template, the network device identifies safe packets among the received packets, forwards the safe packets normally and discards the unrecognized packets, thereby defending against attack packets and improving network security. However, because the security policy template is fixed, this solution cannot effectively defend against changing attack packets.
A packet processing method is therefore urgently needed that enables a network device to effectively identify and process attack packets and ensures that secure packets with the highest forwarding priority are effectively forwarded.
Summary of the invention
Based on this, the embodiments of the present application provide a packet processing method, system and device with which a network device can identify and process attack packets of the highest forwarding priority before they cause congestion on the network device, ensuring that secure packets with the highest forwarding priority are effectively forwarded and making it possible for the network device to provide normal services.
In a first aspect, an embodiment of the present application provides a packet processing method, which may include: when a first communication device determines that the bandwidth of a first port occupied by packets with the highest forwarding priority transmitted through the first port satisfies a first condition, it obtains the feature information of a first attack packet included in those packets and sends the feature information to a control management entity. The first condition is a condition configured by the first communication device for the first port and used to decide whether attack-packet processing needs to be carried out on that port. The control management entity can then generate a packet processing policy based on the packet features of the received first attack packet, so that the first communication device can, based on that policy, drop and/or rate-limit packets matching the feature information of the first attack packet. This avoids network-device congestion caused by attacks based on high-priority packets and ensures that normal packets with the highest forwarding priority are effectively forwarded, making it possible for the first communication device to provide normal services.
In some possible implementations, after the first communication device sends the feature information of the first attack packet to the control management entity, the control management entity may generate a packet processing policy based on that feature information, and the first communication device obtains the policy, which is used to process packets matching the feature information of the first attack packet. If the control management entity is a functional module inside the first communication device, the first communication device can obtain the packet processing policy through internal data transfer; if the control management entity and the first communication device are two different devices, the first communication device can obtain the policy through a message, which may be any of a Border Gateway Protocol (BGP) message, a Path Computation Element Communication Protocol (PCEP) message, a Telemetry message or a Network Configuration Protocol (NETCONF) message. For example, the packet processing policy can be carried in an extended Type Length Value (TLV) field of the message. Obtaining the policy generated by the control management entity is the precondition for subsequently processing packets matching the feature information of the first attack packet, which makes effective forwarding of normal packets with the highest forwarding priority on the network device possible. Note that the following description takes the case where the control management entity and the first communication device are two independent network devices as an example.
In other possible implementations, after the first communication device receives the packet processing policy, it can process a first packet based on that policy, the first packet being a packet whose feature information matches that of the first attack packet. By setting a condition and the operations it triggers, attack packets that spoof the highest forwarding priority can be effectively suppressed before they cause serious network congestion, preventing a large number of highest-priority attack packets on the network device from seizing the bandwidth resources of normal packets and causing normal packets of the highest forwarding priority to be discarded, which would affect the normal operation of the network. Moreover, as the attack packets are suppressed, the forwarding delay of normal packets with the highest forwarding priority is reduced and forwarding performance improves.
As an example, the first communication device processing the first packet based on the packet processing policy may include dropping the first packet based on the policy. As another example, it may include rate-limiting the first packet based on the policy. Suppressing the first packet that matches the feature information of the first attack packet by dropping or rate-limiting it effectively prevents the attack packets from seizing a large share of the bandwidth of normal packets with the highest forwarding priority and reduces the forwarding delay of those normal packets.
Besides sending the feature information of the first attack packet to the control management entity, the first communication device may also send indication information instructing the control management entity to generate a packet processing policy. In one case, the first communication device carries the indication information and the feature information of the first attack packet in different indication messages sent to the control management entity. In another case, it carries both in the same indication message. The indication message may be any of a BGP message, a PCEP message, a Telemetry message or a NETCONF message. For example, the indication information and the feature information of the first attack packet may be carried in an extended TLV field of any of these message types; as another example, they may be carried in other available fields, such as a Reserved field, of any of these message types.
The first condition may include that the proportion of the bandwidth of the first port occupied by the packets with the highest forwarding priority transmitted through the first port is greater than or equal to a first threshold. For example, the first threshold is 70%, the bandwidth of the first port is 20 megabytes per second (English: Gb/s), and the first communication apparatus obtains that the packets with the highest forwarding priority transmitted through the first port amount to 15 Gb/s; the first communication apparatus then determines that the proportion of the bandwidth of the first port occupied by the packets with the highest forwarding priority on the first port is (15÷20)=75%, which is greater than the first threshold of 70%, and thus determines that the bandwidth of the first port occupied by the packets with the highest forwarding priority transmitted through the first port satisfies the first condition. Alternatively, the first condition may also include that the packets with the highest forwarding priority transmitted through the first port are greater than or equal to a second threshold. For example, the second threshold is 15 Gb/s, the bandwidth of the first port is 20 Gb/s, and the first communication apparatus obtains that the packets with the highest forwarding priority transmitted through the first port amount to 15 Gb/s; the first communication apparatus then determines that the volume of the packets with the highest forwarding priority on the first port is equal to the second threshold of 15 Gb/s, and thus determines that the bandwidth of the first port occupied by the packets with the highest forwarding priority transmitted through the first port satisfies the first condition.
In some possible implementations, the first communication apparatus may poll the bandwidth occupancy of each port. Taking the first port as an example, the first communication apparatus may poll the bandwidth occupancy of the first port; for example, this may be implemented with a timer of the traffic management (English: Traffic Management, TM for short) module of the first communication apparatus: the TM module sets the timer period to 1 second, and each time the timer reaches 1 second it obtains the volume of packets transmitted through the first port. In a specific implementation, the first communication apparatus polls the bandwidth occupancy of the first port and obtains the volume of all packets transmitted through the first port; it then determines whether the bandwidth of the first port occupied by all packets transmitted through the first port satisfies a second condition. If not, it continues polling; if so, it further obtains the volume of the packets with the highest forwarding priority transmitted through the first port and determines whether the bandwidth of the first port occupied by those packets satisfies the first condition, and otherwise continues polling. The second condition may mean that the proportion of the bandwidth of the first port occupied by all packets transmitted through the first port is greater than or equal to a third threshold, or it may mean that all packets transmitted through the first port are greater than or equal to a fourth threshold. It can be seen that when the first communication apparatus determines by polling that all packets transmitted through the first port satisfy the second condition, it determines that the first port carries a large volume of packets and is at risk of congestion, so the bandwidth occupancy of the more important highest forwarding priority needs close attention; at this point, when it is determined that the bandwidth of the first port occupied by the packets with the highest forwarding priority transmitted through the first port satisfies the first condition, it can be considered that attack packets may exist among the highest-forwarding-priority packets transmitted on the first port. In other words, the above polling mechanism and the two judgment conditions provide the premise and the guarantee that normal packets with the highest forwarding priority transmitted through the first port of the first communication apparatus can be forwarded normally.
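The two-stage polling check described above, as an added example that is not the patent's own code: each timer tick the TM module's byte counters for the port are turned into rates, the total rate is tested against the second condition (third threshold as a ratio, or fourth threshold as an absolute rate), and only when that passes is the highest-forwarding-priority rate tested against the first condition (first threshold as a ratio, or second threshold as an absolute rate). The function and field names, the `PortThresholds` container and the sample counters are assumptions constructed for illustration; the 70% / 20 Gb/s / 15 Gb/s figures in the test reproduce the worked example in the text.

```python
"""Two-stage port bandwidth check (added example, not the patent's own code).

Models the polling logic: each timer tick the TM module reports the bytes
sent through a port, the total rate is checked against the second condition,
and only when that passes is the highest-forwarding-priority rate checked
against the first condition.  Names and threshold values are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

GBPS = 1_000_000_000  # bits per second in one Gb/s


@dataclass
class PortThresholds:
    port_bw_bps: float                      # link bandwidth of the port
    first_ratio: Optional[float] = None     # first threshold (ratio form)
    second_abs_bps: Optional[float] = None  # second threshold (absolute form)
    third_ratio: Optional[float] = None     # third threshold (ratio form)
    fourth_abs_bps: Optional[float] = None  # fourth threshold (absolute form)


def second_condition(total_bps: float, t: PortThresholds) -> bool:
    """All traffic on the port is heavy enough that congestion is a risk."""
    if t.third_ratio is not None and total_bps / t.port_bw_bps >= t.third_ratio:
        return True
    if t.fourth_abs_bps is not None and total_bps >= t.fourth_abs_bps:
        return True
    return False


def first_condition(top_prio_bps: float, t: PortThresholds) -> bool:
    """Highest-forwarding-priority traffic occupies too much of the port."""
    if t.first_ratio is not None and top_prio_bps / t.port_bw_bps >= t.first_ratio:
        return True
    if t.second_abs_bps is not None and top_prio_bps >= t.second_abs_bps:
        return True
    return False


def evaluate_tick(total_bps: float, top_prio_bps: float, t: PortThresholds) -> str:
    """One timer tick of the polling loop.

    Returns "poll" (keep polling) or "suspect" (the highest-priority packets
    on the port may include attack packets; feature extraction should start).
    The first condition is only consulted after the second condition holds.
    """
    if not second_condition(total_bps, t):
        return "poll"
    if not first_condition(top_prio_bps, t):
        return "poll"
    return "suspect"


def run_polling(samples: List[Tuple[int, int]], t: PortThresholds,
                interval_s: float = 1.0) -> List[str]:
    """Convert per-tick byte counters into bit rates and evaluate each tick.

    samples: (total_bytes, highest_priority_bytes) counted during one
    timer interval (constructed input).  Returns one decision per tick.
    """
    decisions = []
    for total_bytes, top_bytes in samples:
        total_bps = total_bytes * 8 / interval_s
        top_bps = top_bytes * 8 / interval_s
        decisions.append(evaluate_tick(total_bps, top_bps, t))
    return decisions


if __name__ == "__main__":
    t = PortThresholds(port_bw_bps=20 * GBPS, first_ratio=0.70, third_ratio=0.80)
    # constructed counters: a quiet second, then 18 Gb/s total with 15 Gb/s at top priority
    print(run_polling([(1_000_000_000, 500_000_000), (2_250_000_000, 1_875_000_000)], t))
```

The ordering matters operationally: the first condition alone would fire on a port that is idle apart from a legitimately busy control-plane flow, so gating it behind the second (whole-port) condition keeps the detector quiet unless the port is actually close to congestion.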
In some other possible implementations, for a second port of the first communication apparatus, a third condition corresponding to the first condition of the first port is likewise set. The packet processing process on the second port may include, for example: when the first communication apparatus determines that the bandwidth of the second port occupied by the packets with the highest forwarding priority transmitted through the second port satisfies the third condition, it obtains the feature information of a second attack packet included in the packets with the highest forwarding priority transmitted through the second port and sends the feature information of the second attack packet to the control management entity. The third condition may mean that the proportion of the bandwidth of the second port occupied by the packets with the highest forwarding priority transmitted through the second port is greater than or equal to a fifth threshold; or the third condition may also mean that the packets with the highest forwarding priority transmitted through the second port are greater than or equal to a sixth threshold. It should be noted that, for the second port, one or more of the foregoing implementations may likewise be used to handle attack packets that spoof the highest forwarding priority, and the related description is not repeated here.
It should be noted that the feature information of an attack packet may refer to feature information that can identify the attack packet and the attack flow to which it belongs. Specifically, the feature information of the attack packet may be all or part of the five-tuple of the attack packet. For example, if the attack packet is an Internet Protocol (English: Internet Protocol, IP for short) packet, its feature information may include one or more of the following: source IP address, destination IP address, source port number, destination port number, or transport layer protocol number. For another example, if the attack packet is a Multiprotocol Label Switching (English: Multiprotocol Label Switching, MPLS for short) packet, its feature information may include one or more of the following: the MPLS label, the source Media Access Control (English: Media Access Control, MAC for short) address of the attack packet, the destination MAC address, the source IP address, and the destination IP address.
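The feature information just described, together with the drop or rate-limit processing of matching packets described earlier, as an added example that is not the patent's own code: the feature information is modelled as the IP five-tuple, it is derived from a constructed sample of highest-forwarding-priority packets with a simple dominant-flow heuristic (an assumption; the patent does not specify how the attack flow is identified within the highest-priority traffic), the control management entity's policy is modelled as a partial five-tuple match plus an action, and a token bucket implements the rate-limit action. All names, the `min_share` heuristic and the sample addresses are constructed for illustration.

```python
"""Feature information, policy generation and enforcement (added example,
not the patent's own code).  Names, the dominant-flow heuristic and the
sample five-tuples are constructed assumptions.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Optional


class FiveTuple(NamedTuple):
    src_ip: Optional[str]
    dst_ip: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]
    proto: Optional[int]  # transport-layer protocol number, e.g. 6 = TCP, 17 = UDP


def extract_feature_info(packets: List[FiveTuple], min_share: float = 0.5) -> Optional[FiveTuple]:
    """Return the five-tuple of the flow that dominates the sample, if any.

    Heuristic (assumption): if a single flow contributes at least `min_share`
    of the sampled highest-priority packets, it is reported as the attack flow.
    """
    if not packets:
        return None
    flow, count = Counter(packets).most_common(1)[0]
    return flow if count / len(packets) >= min_share else None


def generate_policy(feature: FiveTuple, action: str = "rate_limit", rate_pps: int = 100) -> Dict:
    """Policy as the control management entity would return it.

    `match` may be a partial five-tuple: a None field matches any value,
    so the controller can widen a policy to e.g. a source address only.
    """
    return {"match": feature, "action": action, "rate_pps": rate_pps}


def matches(policy_match: FiveTuple, pkt: FiveTuple) -> bool:
    return all(m is None or m == p for m, p in zip(policy_match, pkt))


class TokenBucket:
    """Simple rate limiter: `rate` packets per second with a burst of `rate`."""

    def __init__(self, rate: float):
        self.rate = rate
        self.tokens = float(rate)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PolicyEnforcer:
    """Applies one packet processing policy on the forwarding path."""

    def __init__(self, policy: Dict):
        self.policy = policy
        self.bucket = TokenBucket(policy.get("rate_pps", 0))

    def decide(self, pkt: FiveTuple, now: float) -> str:
        """Return 'forward', 'drop' or 'limited' (dropped by the rate limiter)."""
        if not matches(self.policy["match"], pkt):
            return "forward"
        if self.policy["action"] == "drop":
            return "drop"
        return "forward" if self.bucket.allow(now) else "limited"


if __name__ == "__main__":
    # constructed sample of highest-priority packets: one flow dominates
    attack = FiveTuple("198.51.100.7", "203.0.113.10", 4444, 179, 6)
    good = FiveTuple("192.0.2.1", "203.0.113.10", 50000, 179, 6)
    feature = extract_feature_info([attack] * 8 + [good] * 2)
    enforcer = PolicyEnforcer(generate_policy(feature, "rate_limit", rate_pps=2))
    print([enforcer.decide(attack, 0.0) for _ in range(3)], enforcer.decide(good, 0.0))
```

Rate limiting rather than dropping is the safer default when the feature information is a partial tuple: a match on source address alone can also catch a legitimate flow that shares that address, and a limited flow still gets through at a bounded rate while the alarm is investigated.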
It should be noted that, depending on the network scenario in which it operates, the first communication apparatus may apply the processing method provided in the embodiments of this application to the packets with the highest forwarding priority of that network scenario transmitted through the first port. For example, the first communication apparatus may operate in network environments such as an Internet Protocol version 4 (English: Internet Protocol version 4, IPv4 for short) network, an Internet Protocol version 6 (English: Internet Protocol version 6, IPv6 for short) network, a Virtual Private Network (English: Virtual Private Network, VPN for short), a Multiprotocol Label Switching (English: Multiprotocol Label Switching, MPLS for short) network, or a Virtual Extensible Local Area Network (English: Virtual Extensible Local Area Network, VXLAN for short).
It should be noted that the first communication apparatus may refer to any network device capable of forwarding packets; for example, the communication apparatus may be a switch, a router, or the like. Alternatively, the first communication apparatus may also be a board, chip, or the like with a packet forwarding function inside a network device. The TM module may refer to a TM chip in the first communication apparatus or a functional module capable of implementing the TM function. A port of the first communication apparatus may be a physical port or a logical port of the first communication apparatus.
In a second aspect, an embodiment of this application further provides a packet processing method, including: when the first communication apparatus determines that the bandwidth of the first port occupied by the packets with the highest forwarding priority transmitted through the first port satisfies the first condition, it analyzes the packets with the highest forwarding priority transmitted through the first port and determines that the packets transmitted through the first port include attack packets having the highest forwarding priority.
As an example, when the first communication apparatus determines that the packets transmitted through the first port include attack packets having the highest forwarding priority, the first communication apparatus may also send an alarm signal to the network management system, where the alarm signal indicates that attack packets are present in the first communication apparatus, so that the network management system can defend the network and prevent the attack packets from posing a greater threat to it. In addition, so that the network management system can mount a targeted defense, the alarm signal may also carry the feature information of the attack.
As an example, after determining that the packets transmitted through the first port include attack packets having the highest forwarding priority, the first communication apparatus may further obtain the feature information of the attack packets. The first communication apparatus may then send the feature information of the attack packets to the control management entity and obtain a packet processing policy generated by the control management entity, where the packet processing policy is used to process packets matching the feature information of the attack packets. In this way, the first communication apparatus can, based on the packet processing policy, drop and/or rate-limit the first packet, the first packet being a packet matching the feature information of the attack packets.
The first condition may include that the proportion of the bandwidth of the first port occupied by the packets with the highest forwarding priority transmitted through the first port is greater than or equal to the first threshold. Alternatively, the first condition may also include that the packets with the highest forwarding priority transmitted through the first port are greater than or equal to the second threshold.
It should be noted that, for the specific implementation of the method provided in the second aspect and the effects achieved, reference may be made to the related description of the first aspect above, and details are not repeated here.
In a third aspect, an embodiment of this application further provides a packet processing method, which may include: when the first communication apparatus determines that the bandwidth of the first port occupied by the packets with the highest forwarding priority transmitted through the first port satisfies the first condition, it obtains the feature information of the attack packets among the packets with the highest forwarding priority and sends the feature information of the attack packets to the control management entity; the control management entity then generates a packet processing policy based on the feature information of the attack packets, where the packet processing policy is used to process packets matching the feature information of the attack packets.
As an example, the method may further include: the first communication apparatus obtains the packet processing policy generated by the control management device, and the first communication apparatus processes the first packet based on the packet processing policy, the first packet being a packet matching the feature information of the attack packets.
As yet another example, the method may further include: the control management device sends the packet processing policy to a second communication apparatus, and the second communication apparatus processes a second packet based on the packet processing policy, the second packet being a packet matching the feature information of the attack packets.
The first condition may include that the proportion of the bandwidth of the first port occupied by the packets with the highest forwarding priority transmitted through the first port is greater than or equal to the first threshold. Alternatively, the first condition may also include that the packets with the highest forwarding priority transmitted through the first port are greater than or equal to the second threshold.
It should be noted that, for the specific implementation of the method provided in the third aspect and the effects achieved, reference may be made to the related description of the first aspect or the second aspect above, and details are not repeated here.
In a fourth aspect, an embodiment of this application further provides a packet processing system, which may include at least a first communication apparatus and a control management entity. The first communication apparatus is configured to, when it determines that the bandwidth of the first port occupied by the packets with the highest forwarding priority transmitted through the first port satisfies the first condition, obtain the feature information of the attack packets among the packets with the highest forwarding priority and send it to the control management entity. The control management entity is configured to generate a packet processing policy based on the feature information of the attack packets, where the packet processing policy is used to process packets matching the feature information of the attack packets.
As an example, the control management device is further configured to send the packet processing policy to the first communication apparatus. The first communication apparatus is then further configured to process the first packet based on the packet processing policy, the first packet being a packet matching the feature information of the attack packets.
As another example, the system may further include a second communication apparatus, and the control management device is further configured to send the packet processing policy to the second communication apparatus. The second communication apparatus is then further configured to process a second packet based on the packet processing policy, the second packet being a packet matching the feature information of the attack packets.
The first condition may include that the proportion of the bandwidth of the first port occupied by the packets with the highest forwarding priority transmitted through the first port is greater than or equal to the first threshold. Alternatively, the first condition may also include that the packets with the highest forwarding priority transmitted through the first port are greater than or equal to the second threshold.
It should be noted that, for the specific implementation of the system provided in the fourth aspect and the effects achieved, reference may be made to the related descriptions of the first, second, or third aspect above, and details are not repeated here.
In a fifth aspect, this application further provides a first communication apparatus, including a transceiver unit and a processing unit. The transceiver unit is configured to perform the transceiving operations in the method provided by the first aspect, any possible implementation of the first aspect, the second aspect, or any possible implementation of the second aspect, or to perform the transceiving operations of the first communication apparatus in the method provided by the third aspect or any possible implementation of the third aspect. The processing unit is configured to perform the operations other than the transceiving operations in the method provided by the first aspect, any possible implementation of the first aspect, the second aspect, or any possible implementation of the second aspect, or to perform the operations of the first communication apparatus other than the transceiving operations in the method provided by the third aspect or any possible implementation of the third aspect. For example, when the first communication apparatus performs the method of the first aspect, the transceiver unit is configured to send the feature information of the first attack packet to the control management entity; the processing unit is configured to determine that the bandwidth of the first port occupied by the packets with the highest forwarding priority transmitted through the first port satisfies the first condition; and the processing unit is further configured to obtain the feature information of the first attack packet included in the packets with the highest forwarding priority transmitted through the first port.
In a sixth aspect, an embodiment of this application further provides a first communication apparatus, including a first communication interface and a processor. The first communication interface is configured to perform the sending operations in the method provided by the first aspect, any possible implementation of the first aspect, the second aspect, or any possible implementation of the second aspect, or to perform the sending operations of the first communication apparatus in the method provided by the third aspect or any possible implementation of the third aspect. The processor is configured to perform the operations other than the receiving and sending operations in the method provided by the first aspect, any possible implementation of the first aspect, the second aspect, or any possible implementation of the second aspect, or to perform the operations of the first communication apparatus other than the receiving and sending operations in the method provided by the third aspect or any possible implementation of the third aspect. In addition, the first communication apparatus may further include a second communication interface, configured to perform the receiving operations of the first communication apparatus described above.
In a seventh aspect, an embodiment of this application further provides a first communication apparatus, including a memory and a processor. The memory contains computer-readable instructions, and the processor, in communication with the memory, is configured to execute the computer-readable instructions so that the first communication apparatus performs the method provided by the first aspect, any possible implementation of the first aspect, the second aspect, or any possible implementation of the second aspect, or performs the method implemented by the first communication apparatus in the method provided by the third aspect or any possible implementation of the third aspect.
In an eighth aspect, an embodiment of this application further provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the method provided by the first aspect, any possible implementation of the first aspect, the second aspect, or any possible implementation of the second aspect, or to perform the method implemented by the first communication apparatus in the method provided by the third aspect or any possible implementation of the third aspect.
In a ninth aspect, an embodiment of this application further provides a computer program product including a computer program or computer-readable instructions which, when run on a computer, cause the computer to perform the method provided by the first aspect, any possible implementation of the first aspect, the second aspect, or any possible implementation of the second aspect, or to perform the method implemented by the first communication apparatus in the method provided by the third aspect or any possible implementation of the third aspect.
In a tenth aspect, an embodiment of this application further provides a communication system, including the first communication apparatus provided by the fifth, sixth, or seventh aspect and the corresponding control management entity in the method provided by the third aspect (or the control management entity in the system provided by the fourth aspect).
It should be noted that the communication apparatus in the foregoing embodiments may be a network device for performing the foregoing method, or may refer to a board, line card, chip, or the like for performing the foregoing method.
Description of drawings
FIG. 1 is a schematic structural diagram of a network 10 to which the embodiments of this application apply;
FIG. 2 is a schematic flowchart of packet processing performed in the network 10 according to an embodiment of this application;
FIG. 3 is a schematic flowchart of a packet processing method 100 in an embodiment of this application;
FIG. 4 is a schematic flowchart of another packet processing method 200 in an embodiment of this application;
FIG. 5 is a schematic flowchart of a further packet processing method 300 in an embodiment of this application;
FIG. 6 is a schematic flowchart of yet another packet processing method 400 in an embodiment of this application;
FIG. 7 is a schematic structural diagram of a packet processing system 700 in an embodiment of this application;
FIG. 8 is a schematic structural diagram of a first communication apparatus 800 in an embodiment of this application;
FIG. 9 is a schematic structural diagram of a first communication apparatus 900 in an embodiment of this application;
FIG. 10 is a schematic structural diagram of a first communication apparatus 1000 in an embodiment of this application.
Detailed description
The technical solutions in the embodiments of this application are described below with reference to the accompanying drawings. The network architecture and service scenarios described in the embodiments of this application are intended to illustrate the technical solutions of the embodiments more clearly and do not limit the technical solutions provided by the embodiments; a person of ordinary skill in the art will understand that, as the network architecture evolves and new service scenarios emerge, the technical solutions provided in the embodiments of this application are equally applicable to similar technical problems.
In this application, ordinal terms such as "1", "2", "3", "first", "second" and "third" are used to distinguish between multiple objects and do not limit the order of those objects.
"A and/or B" as used in this application should be understood to cover the following cases: only A, only B, or both A and B.
After the source network device of a packet carries a priority in the packet, each network device forwards the packet according to the priority it carries. The more important a packet is, the higher the priority it is assigned, and a network device forwards higher-priority packets before lower-priority ones. To ensure that the network provides normal service, packets that affect the normal operation of network devices, such as protocol packets, network device detection packets, and more important data packets, are usually assigned the highest priority so that they are handled effectively. Because the priority carried in a packet indicates how preferentially a network device should forward it, the embodiments of this application call this priority the forwarding priority; the forwarding priority in this application refers to the priority of the packet indicated by the priority field carried in the packet. For example, when the packet is an Internet Protocol (English: Internet Protocol, IP for short) packet, its forwarding priority may be indicated by the value of the Type of Service (English: Type of Service, TOS for short) field in the IP packet; for another example, when the packet is a Multiprotocol Label Switching (English: Multiprotocol Label Switching, MPLS for short) packet, its forwarding priority may be indicated by the value of the Experimental Bits (English: Experimental Bits, EXP for short) field in the MPLS packet.
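Reading the forwarding priority out of the two header fields named above, as an added example that is not the patent's own code: the IPv4 TOS byte (split into its DSCP and IP-precedence parts) is taken from the second byte of the IPv4 header, and the 3-bit EXP field is taken from the top label stack entry of an MPLS packet. Which TOS or EXP value a deployment treats as "highest forwarding priority" is a configuration choice; the constants `HIGHEST_PRECEDENCE` and `HIGHEST_EXP` below are assumptions, as are the helper names and the inline sample packets (constructed with a zero IPv4 checksum, which the parser does not verify).

```python
"""Extract the forwarding priority from IPv4 TOS and MPLS EXP fields
(added example, not the patent's own code).  Names, the "highest priority"
constants and the sample packets are constructed assumptions.
"""
import struct
from typing import Tuple

IPV4_TOS_OFFSET = 1        # TOS is the second byte of the IPv4 header
MPLS_LABEL_LEN = 4         # one label stack entry is 32 bits
HIGHEST_PRECEDENCE = 7     # IP precedence = top 3 bits of TOS (assumed highest class)
HIGHEST_EXP = 7            # EXP is 3 bits, 0..7 (assumed highest class)


def ipv4_priority(pkt: bytes) -> Tuple[int, int, int]:
    """Return (tos, dscp, precedence) from a raw IPv4 packet."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        raise ValueError("not an IPv4 packet")
    tos = pkt[IPV4_TOS_OFFSET]
    return tos, tos >> 2, tos >> 5


def mpls_priority(pkt: bytes) -> Tuple[int, int]:
    """Return (label, exp) of the top label stack entry of a raw MPLS packet."""
    if len(pkt) < MPLS_LABEL_LEN:
        raise ValueError("truncated MPLS header")
    entry, = struct.unpack("!I", pkt[:MPLS_LABEL_LEN])
    label = entry >> 12            # bits 31..12
    exp = (entry >> 9) & 0x7       # bits 11..9
    return label, exp


def is_highest_priority(kind: str, pkt: bytes) -> bool:
    """Classify a packet as belonging to the highest forwarding priority."""
    if kind == "ipv4":
        return ipv4_priority(pkt)[2] == HIGHEST_PRECEDENCE
    if kind == "mpls":
        return mpls_priority(pkt)[1] == HIGHEST_EXP
    raise ValueError("unsupported packet kind: %s" % kind)


def build_ipv4(tos: int, payload: bytes = b"") -> bytes:
    """Minimal IPv4 header builder for constructing samples (checksum left 0)."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total, 0, 0, 64, 17, 0,
                      bytes([192, 0, 2, 1]), bytes([203, 0, 113, 10]))
    return hdr + payload


def build_mpls(label: int, exp: int, inner: bytes = b"") -> bytes:
    """Single label stack entry: label | EXP | S=1 | TTL=64, then the payload."""
    entry = (label << 12) | (exp << 9) | (1 << 8) | 64
    return struct.pack("!I", entry) + inner


if __name__ == "__main__":
    # constructed samples: TOS 0xE0 is precedence 7 / DSCP 56; MPLS label 16 with EXP 7
    print(ipv4_priority(build_ipv4(0xE0)), mpls_priority(build_mpls(16, 7)))
    print(is_highest_priority("ipv4", build_ipv4(0x00)), is_highest_priority("mpls", build_mpls(16, 7)))
```

Because these bits are set by whoever originates the packet, the classifier trusts the header value as written, which is exactly why the text treats a surge of highest-priority traffic on a port as a signal worth checking rather than as proof that the traffic is legitimate.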
If a network device receives attack packets that also carry the highest forwarding priority, those attack packets likewise become objects of preferential processing and consume the network device's bandwidth. Since the total bandwidth of every network device is limited, the received attack packets quickly cause the network device to become congested. For example, when the total bandwidth of the received packets awaiting forwarding exceeds the total bandwidth of the network device, even packets of the highest forwarding priority are dropped by the network device, so the device loses protocol packets, detection packets or relatively important data packets; the network device is thus attacked by a large number of attack packets and its normal operation is affected.
In the face of the above scenario, the current security defence mechanism is to manually configure a security policy template on the network device; the template is used to identify secure packets, so that the network device forwards normally the packets identified as secure by the template, treats packets that the template cannot identify as attack packets, and discards them. However, because the security policy template in this mechanism is fixed, on the one hand an attack packet that spoofs the format of a secure packet recognisable by the template cannot be effectively defended against; on the other hand, whenever a new service appears in the network, the template has to be modified so that it can identify the packets of that new service, otherwise all packets of the new service are discarded, which makes the implementation process rather complex.
On this basis, an embodiment of the present application provides a packet processing method. When a communication device determines that the bandwidth of a port occupied by the packets of the highest forwarding priority transmitted through that port satisfies a condition, that is, while attack packets configured with the highest forwarding priority have not yet caused the network device to become congested, it obtains the feature information of the attack packets among the packets of the highest forwarding priority and sends that feature information to a control management entity. The control management entity can then generate a packet processing policy based on the received packet features of the attack packets and send the policy to the communication device, and the communication device processes packets that match the feature information of the attack packets (for example by dropping and/or rate-limiting them) according to that policy. The security defence mechanism provided by the present application can effectively identify and process attack packets and avoid the network device congestion caused by attacks based on high-priority packets, thereby guaranteeing that normal packets of the highest forwarding priority are forwarded effectively and making it possible for the communication device to provide normal services.
For example, take the network 10 shown in FIG. 1, which includes a network device 110, a network device 120, …, a network device 130 and a control management entity 200. Each network device includes a Traffic Management (TM) module; for example, network device 110 includes a TM module 111, network device 120 includes a TM module 121, and network device 130 includes a TM module 131. The TM module manages the traffic within the network device to which it belongs, for example by measuring the bandwidth of the packets of each forwarding priority on each port of the network device. Each network device has at least a packet forwarding function; the control management entity 200 can exchange data with each network device in order to manage and control the network devices. It should be noted that the number of network devices included in the network 10 is not specifically limited in the embodiments of the present application: for example, there may be more than three network devices, that is, other network devices in addition to network device 110, network device 120 and network device 130; or the number of network devices included in the network 10 may also be fewer than three.
As an example, assume that network device 120 includes a port 1 whose bandwidth is c, that the threshold for the proportion of the bandwidth of port 1 occupied by all packets transmitted through port 1 is Th1=80%, and that the threshold for the proportion of the bandwidth of port 1 occupied by the packets of the highest forwarding priority transmitted through port 1 is Th2=70%. In a specific implementation, referring to the flowchart shown in FIG. 2, the processing of attack packets may include: S11, the TM module 121 of network device 120 periodically (for example once every 1 second) obtains the bandwidth a of the packets transmitted through port 1; S12, the TM module 121 judges whether (a÷c)≥Th1 is satisfied, and if so executes S13 below, otherwise returns to S11; S13, the TM module 121 obtains the bandwidth b of the packets of the highest forwarding priority transmitted through port 1; S14, the TM module 121 judges whether (b÷c)≥Th2 is satisfied, and if so executes S15 below, otherwise returns to S11; S15, the TM module 121 obtains the five-tuple of the attack packets among the packets of the highest forwarding priority transmitted through port 1 (that is, the source Internet Protocol (IP) address, destination IP address, source port number, destination port number and protocol version number of the attack packets); S16, network device 120 sends the five-tuple of the attack packets to the control management entity 200; S17, the control management entity 200 generates a packet processing policy based on the five-tuple of the attack packets; S18, the control management entity 200 sends the packet processing policy to network device 120; S19, based on the packet processing policy, network device 120 drops, rate-limits or otherwise processes those packets received through port 1 that match the five-tuple of the attack packets. In this way, by setting the thresholds and following the above processing flow, attack packets that spoof the highest forwarding priority can be effectively suppressed before they cause serious network congestion, which prevents a large number of attack packets of the highest forwarding priority on the network device from seizing the bandwidth resources of normal packets and causing normal packets of the highest forwarding priority to be discarded, which would affect the normal operation of the network. Moreover, as the attack packets are effectively suppressed, the forwarding delay of normal packets of the highest forwarding priority is reduced and forwarding performance improves. It can thus be seen that the method provided by the embodiments of the present application makes it possible for a network device to keep operating normally even when attack packets are present.
It can be understood that the above scenario is only one example of a scenario provided by the embodiments of the present application, and the embodiments of the present application are not limited to this scenario.
It should be noted that the communication device in the embodiments of the present application may be any network device capable of implementing a packet forwarding function; for example, the communication device may be a switch, a router or the like, or it may be a board, chip or the like with a packet forwarding function inside a network device. The control management entity may be any device or functional entity capable of controlling the communication device; for example, it may be a Network Cloud Engine (NCE), a server or a router with a control function, or it may be a functional entity integrated in any communication device, which may be embodied in hardware or in software. The TM module in the communication device may be a TM chip in the communication device or a functional module capable of implementing the TM function.
It should be noted that the port of the communication device in the embodiments of the present application may be a physical port or a logical port of the communication device.
A specific implementation of a packet processing method in the embodiments of the present application is described in detail below by way of embodiments with reference to the accompanying drawings.
An embodiment of the present application provides a packet processing method 100. The method 100 is performed by a first communication device, which may be any network device with a packet forwarding function in the network, or a board, chip or the like inside a network device; for example, in the scenario shown in FIG. 1, network device 110, network device 120 and network device 130 may each act as the first communication device and perform the method 100. FIG. 3 is a schematic flowchart of a packet processing method 100 in an embodiment of the present application. Referring to FIG. 3, the method 100 may include, for example:
S101. Determine that the bandwidth of a first port occupied by the packets of the highest forwarding priority transmitted through the first port satisfies a first condition.
The forwarding priority carried in a packet indicates how preferentially the communication device forwarding the packet should forward it: the higher the forwarding priority, the more important the packet and the more the communication device must forward it in preference to others. For example, the forwarding priorities of packets may be divided into priority 0 to priority 7, in which case packets of priority 7 are the packets of the highest forwarding priority. It should be noted that the forwarding priorities and the highest forwarding priority of packets may be backward compatible, and the highest forwarding priority referred to in the embodiments of the present application may be the highest packet priority in any scenario that arises later.
The forwarding priority of a packet may be carried in the priority field of the packet, and the first communication device may determine the forwarding priority to which a received packet belongs by parsing its priority field.
The first condition is a condition that the first communication device defines for the first port and uses to determine whether attack packet processing needs to be carried out for the first port. Furthermore, the first communication device may set a corresponding condition for each port; for example, it may set a corresponding third condition for a second port, which may be the same as or different from the first condition. The embodiments of the present application take one port of the first communication device as an example for description.
As an example, the first condition may be that the proportion of the bandwidth of the first port occupied by the packets of the highest forwarding priority transmitted through the first port is greater than or equal to a first threshold. The first threshold is a trigger condition, preset on the first communication device for the first port, for executing S102 and S103 below. For example, if the first threshold is 70%, the bandwidth of the first port is 20 megabytes per second (Gb/s), and the first communication device measures the packets of the highest forwarding priority transmitted through the first port at 15Gb/s, then the first communication device determines that the proportion of the bandwidth of the first port occupied by the packets of the highest forwarding priority on the first port is (15÷20)=75%, which is greater than the first threshold of 70%, and thus determines that the bandwidth of the first port occupied by the packets of the highest forwarding priority transmitted through the first port satisfies the first condition. Correspondingly, the third condition may be that the proportion of the bandwidth of the second port occupied by the packets of the highest forwarding priority transmitted through the second port is greater than or equal to a fifth threshold, where the fifth threshold may or may not be equal to the first threshold.
As another example, the first condition may also be that the packets of the highest forwarding priority transmitted through the first port are greater than or equal to a second threshold. The second threshold is a trigger condition, preset on the first communication device for the first port, for executing S102 and S103 below. For example, if the second threshold is 15Gb/s, the bandwidth of the first port is 20Gb/s, and the first communication device measures the packets of the highest forwarding priority transmitted through the first port at 15Gb/s, then the first communication device determines that the size of the packets of the highest forwarding priority on the first port equals the second threshold of 15Gb/s, and thus determines that the bandwidth of the first port occupied by the packets of the highest forwarding priority transmitted through the first port satisfies the first condition. Correspondingly, the third condition may be that the packets of the highest forwarding priority transmitted through the second port are greater than or equal to a sixth threshold, where the sixth threshold may or may not be equal to the second threshold.
In some possible implementations, the first communication device may periodically (for example every 100 milliseconds) obtain the size of the packets of the highest forwarding priority transmitted through the first port and judge whether the bandwidth of the first port occupied by them satisfies the first condition. Likewise, the first communication device may periodically obtain the size of the packets of the highest forwarding priority transmitted through the second port and judge whether the bandwidth of the second port occupied by them satisfies the second condition. In this way, the first communication device can promptly discover how much of each port's bandwidth is occupied by the packets of the highest forwarding priority transmitted through it, and when it finds that the packets of the highest forwarding priority transmitted on some port occupy a large share of that port's bandwidth, it performs S102 to S103 below for that port, so that congestion on the port does not affect the forwarding of normal packets of the highest forwarding priority.
In other possible implementations, the first communication device may also be triggered by an event to obtain the size of the packets of the highest forwarding priority transmitted through the first port and judge whether the bandwidth of the first port occupied by them satisfies the first condition. For example, the events that trigger execution of S101 include, but are not limited to, the first communication device determining that all packets transmitted through the first port satisfy a second condition, where the second condition is a condition that the first communication device defines for the first port and uses to determine whether the packets of the highest forwarding priority on the first port need to be measured. When it is determined that the bandwidth of the first port occupied by all packets transmitted through the first port satisfies the second condition, the occupancy of the first port is high, and it is necessary to obtain the packets of the highest forwarding priority transmitted through the first port and judge whether the bandwidth of the first port they occupy satisfies the first condition, so as to guarantee that normal packets of the highest forwarding priority can be forwarded normally. Furthermore, the first communication device may set a corresponding event-trigger condition for each port; for example, it may set a corresponding fourth condition for the second port, which may be the same as or different from the second condition. The embodiments of the present application take one port of the first communication device as an example for description.
As an example, the second condition may be that the proportion of the bandwidth of the first port occupied by all packets transmitted through the first port is greater than or equal to a third threshold. The third threshold is a threshold preset on the first communication device for the first port. For example, if the third threshold is 80%, the bandwidth of the first port is 20 megabytes per second (Gb/s), and the first communication device measures all packets transmitted through the first port at 17Gb/s, then the first communication device determines that the proportion of the bandwidth of the first port occupied by all packets on the first port is (17÷20)=85%, which is greater than the third threshold of 80%, and thus determines that the bandwidth of the first port occupied by all packets transmitted through the first port satisfies the second condition. The relative magnitude of the third threshold and the first threshold is not specifically limited. Correspondingly, the fourth condition may be that the proportion of the bandwidth of the second port occupied by all packets transmitted through the second port is greater than or equal to a seventh threshold, where the seventh threshold may or may not be equal to the third threshold.
As another example, the second condition may also be that all packets transmitted through the first port are greater than or equal to a fourth threshold. The fourth threshold is a threshold preset on the first communication device for the first port. For example, if the fourth threshold is 18Gb/s, the bandwidth of the first port is 20Gb/s, and the first communication device measures all packets transmitted through the first port at 18.5Gb/s, then the first communication device determines that the size of all packets transmitted on the first port is greater than the fourth threshold of 18Gb/s, and thus determines that the bandwidth of the first port occupied by all packets transmitted through the first port satisfies the second condition. The relative magnitude of the fourth threshold and the second threshold is not specifically limited. Correspondingly, the fourth condition may be that all packets transmitted through the second port are greater than or equal to an eighth threshold, where the eighth threshold may or may not be equal to the fourth threshold.
For example, if a first threshold of 70% and a third threshold of 80% are set on the first communication device, then before S101 the method 100 may further include: S21, the first communication device polls the first port and obtains the size of all packets transmitted through the first port; S22, the first communication device judges whether the proportion of the bandwidth of the first port occupied by all packets transmitted through the first port is greater than or equal to the third threshold, and if so executes S23, otherwise continues polling according to S21; S23, the first communication device obtains the size of the packets of the highest forwarding priority transmitted through the first port; S24, the first communication device judges whether the proportion of the bandwidth of the first port occupied by the packets of the highest forwarding priority transmitted through the first port is greater than or equal to the first threshold, and if so executes S101, that is, determines that the bandwidth of the first port occupied by the packets of the highest forwarding priority transmitted through the first port satisfies the first condition.
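The S21-S24 polling chain above, together with the S11-S19 flow of the FIG. 2 scenario and the ratio-or-absolute forms of the first and second conditions, as an added Python example that is not the patent's own code; the class and function names, the in-memory policy round trip and the sample rates are assumptions, and the per-port counters are constructed rather than read from a TM chip.

```python
"""Two-stage bandwidth trigger for highest-forwarding-priority traffic.

Added example, not the patent's own code: models S21-S24 (equivalently
S11-S14 of FIG. 2) for one port, plus the S16-S19 policy round trip.
Counters are constructed in memory; all names are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

TOP_PRIORITY = 7  # priorities 0..7; 7 is the highest forwarding priority


@dataclass
class PortSample:
    """Rate per forwarding priority measured on a port in one polling interval."""
    capacity_bps: float                 # c: bandwidth of the port
    bps_by_priority: Dict[int, float]   # measured rate per priority (bit/s)

    @property
    def total_bps(self) -> float:       # a: all packets transmitted through the port
        return sum(self.bps_by_priority.values())

    @property
    def top_bps(self) -> float:         # b: highest-priority packets only
        return self.bps_by_priority.get(TOP_PRIORITY, 0.0)


@dataclass
class Thresholds:
    """Second condition (all traffic) and first condition (top priority).
    Each may be a share of port bandwidth or an absolute rate; None is not evaluated."""
    all_ratio: Optional[float] = None    # third threshold, e.g. 0.80
    all_abs_bps: Optional[float] = None  # fourth threshold, e.g. 18e9
    top_ratio: Optional[float] = None    # first threshold, e.g. 0.70
    top_abs_bps: Optional[float] = None  # second threshold, e.g. 15e9


def _meets(rate: float, capacity: float,
           ratio: Optional[float], absolute: Optional[float]) -> bool:
    """A condition holds if either its ratio form or its absolute form holds (>=)."""
    if ratio is not None and rate / capacity >= ratio:
        return True
    return absolute is not None and rate >= absolute


def second_condition_met(s: PortSample, t: Thresholds) -> bool:
    """S22: all packets on the port occupy enough bandwidth to warrant a closer look."""
    return _meets(s.total_bps, s.capacity_bps, t.all_ratio, t.all_abs_bps)


def first_condition_met(s: PortSample, t: Thresholds) -> bool:
    """S24 / S101: highest-priority packets occupy enough of the port."""
    return _meets(s.top_bps, s.capacity_bps, t.top_ratio, t.top_abs_bps)


def should_inspect(s: PortSample, t: Thresholds) -> bool:
    """Whole S21-S24 chain: top-priority traffic is only examined once the port
    is busy, so a quiet port never triggers attack-packet handling (S102/S103)."""
    return second_condition_met(s, t) and first_condition_met(s, t)


@dataclass(frozen=True)
class FiveTuple:
    """Feature information reported in S15/S16 (constructed field set)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int


@dataclass
class Policy:
    match: FiveTuple
    action: str           # "drop" or "rate_limit"
    limit_bps: float = 0  # only meaningful for rate_limit


def make_policy(feature: FiveTuple, limit_bps: float = 0) -> Policy:
    """S17, controller side: rate-limit when a budget is given, otherwise drop."""
    return Policy(feature, "rate_limit" if limit_bps > 0 else "drop", limit_bps)


def dispatch(pkt: FiveTuple, policies: List[Policy]) -> str:
    """S19, device side: the action to take for a packet received on the port."""
    for p in policies:
        if p.match == pkt:
            return p.action
    return "forward"


if __name__ == "__main__":
    # Constructed sample using the FIG. 2 numbers: c = 20 Gb/s, Th1 = 80%, Th2 = 70%.
    th = Thresholds(all_ratio=0.80, top_ratio=0.70)
    busy = PortSample(20e9, {7: 15e9, 3: 2e9})   # a = 17 Gb/s (85%), b = 15 Gb/s (75%)
    print("inspect busy port:", should_inspect(busy, th))    # True
    quiet = PortSample(20e9, {7: 15e9})           # a = b = 15 Gb/s: 75% < Th1, no inspection
    print("inspect quiet port:", should_inspect(quiet, th))  # False
    attacker = FiveTuple("198.51.100.7", "10.0.0.9", 40001, 179, 6)  # constructed
    print("attacker packet ->", dispatch(attacker, [make_policy(attacker)]))  # drop
```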
The polling in S21 may specifically be implemented by a timer of the TM module of the first communication device; for example, the timer period is set to 1 second, and each time the timer reaches 1 second the size of the packets of the highest forwarding priority transmitted through the first port is obtained once.
The first communication device may obtain the size of all packets transmitted through the first port, and the size of the packets of the highest forwarding priority transmitted through the first port, by having its own TM module perform a measurement operation on the first port.
The first communication device may, according to the network scenario in which it runs, monitor and process the packets of the highest forwarding priority of that network scenario transmitted through the first port. For example, the first communication device may run in network environments such as an Internet Protocol version 4 (IPv4) network, an Internet Protocol version 6 (IPv6) network, a Virtual Private Network (VPN), a Multiprotocol Label Switching (MPLS) network or a Virtual Extensible Local Area Network (VXLAN). Taking a first communication device running in an IPv6 network as an example, the first condition may be that the proportion of the bandwidth of the first port occupied by the IPv6 packets of the highest forwarding priority transmitted through the first port is greater than or equal to the first threshold, or the first condition may be that the IPv6 packets of the highest forwarding priority transmitted through the first port are greater than or equal to the second threshold. In this embodiment, the second condition may be that the proportion of the bandwidth of the first port occupied by all IPv6 packets transmitted through the first port is greater than or equal to the third threshold, or the second condition may be that all IPv6 packets transmitted through the first port are greater than or equal to the fourth threshold.
It can be seen that when the first communication device determines that the bandwidth of the first port occupied by the packets of the highest forwarding priority transmitted through the first port satisfies the first condition, it can be considered that a large volume of packets is being transmitted on the first port, that attack packets may be present among them, and that important packets of the highest forwarding priority on the first port, such as protocol packets and test packets, may be dropped, affecting the normal operation of the first communication device. To ensure that normal packets of the highest forwarding priority transmitted through the first port of the first communication device can still be forwarded normally, the first communication device may process the attack packets by performing S102 to S103 below.
S102. Obtain feature information of a first attack packet among the packets of the highest forwarding priority transmitted through the first port.
The feature information of an attack packet is information that can identify the attack packet and the attack flow to which it belongs. Specifically, it may be all or part of the five-tuple of the attack packet. For example, when the attack packet is an IP packet, its feature information may include one or more of the following: source IP address, destination IP address, source port number, destination port number or transport layer protocol number; as another example, when the attack packet is an MPLS packet, its feature information may include one or more of the following: MPLS label, and the source Media Access Control (MAC) address, destination MAC address, source IP address and destination IP address of the attack packet.
As an example, the feature information of the attack packet may be the source IP address, destination IP address, source port number, destination port number and transport layer protocol number. From the packets of the highest forwarding priority transmitted through the first port, the first communication device determines the first attack packet according to the source IP address, destination IP address, source port number, destination port number and transport layer protocol number of each packet, and thereby obtains the source IP address, destination IP address, source port number, destination port number and transport layer protocol number of the first attack packet as the feature information of the first attack packet among the packets of the highest forwarding priority obtained in S102.
作为另一个示例,攻击报文的特征信息可以是源端口号和目的端口号,第一通信装置从通过该第一端口传输的最高转发优先级的报文中,根据各报文的源端口号和目的端口号,确定第一攻击报文,从而获取该第一攻击报文的源端口号和目的端口号,作为S102中所获取的最高转发优先级的报文中的第一攻击报文的特征信息。例如,源端口号和目的端口号在不断跳变的报文,可以被第一通信装置确定为第一攻击报文。As another example, the characteristic information of the attack packet may be the source port number and the destination port number, and the first communication device selects the source port number of each packet from the packets with the highest forwarding priority transmitted through the first port. and the destination port number to determine the first attack packet, so as to obtain the source port number and destination port number of the first attack packet, as the first attack packet in the packet with the highest forwarding priority obtained in S102. characteristic information. For example, a packet whose source port number and destination port number are constantly changing may be determined by the first communication device as the first attack packet.
作为又一个示例,攻击报文的特征信息可以是源MAC地址和目的MAC地址,第一通信装置从通过该第一端口传输的最高转发优先级的报文中,根据各报文的源MAC地址和目的MAC地址,确定第一攻击报文,从而获取该第一攻击报文的源MAC地址和目的MAC地址,作为S102中所获取的最高转发优先级的报文中的第一攻击报文的特征信息。例如,源MAC地址和目的MAC地址发生变化的报文,可以被第一通信装置确定为第一攻击报文。As another example, the characteristic information of the attack packet may be the source MAC address and the destination MAC address, and the first communication device selects the source MAC address of each packet from the packets with the highest forwarding priority transmitted through the first port. and the destination MAC address to determine the first attack packet, so as to obtain the source MAC address and destination MAC address of the first attack packet, as the first attack packet in the packet with the highest forwarding priority obtained in S102. characteristic information. For example, a packet in which the source MAC address and the destination MAC address change may be determined by the first communication device as the first attack packet.
具体实现时,第一通信装置的TM模块可以从通过该第一端口传输的最高转发优先级的报文中,确定第一攻击报文,并获取第一攻击报文的特征信息,为后续对第一攻击报文的处理提供了基础,使得能够感知和抑制第一攻击报文,为第一通信装置的正常运行提供了条件。During specific implementation, the TM module of the first communication device may determine the first attack packet from the packets with the highest forwarding priority transmitted through the first port, and obtain feature information of the first attack packet, which is used for subsequent The processing of the first attack packet provides a basis, so that the first attack packet can be sensed and suppressed, and conditions are provided for the normal operation of the first communication device.
S103: Send the characteristic information of the first attack packet to the control management entity.
In a specific implementation, S103 may be, for example: the first communication device sends an indication message to the control management entity, where the indication message carries the characteristic information of the first attack packet obtained in S102.
The indication message may be any one of the following: a Border Gateway Protocol (BGP) message, a Path Computation Element Communication Protocol (PCEP) message, a Telemetry message, or a Network Configuration Protocol (NETCONF) message. For example, the characteristic information of the first attack packet may be carried in an extended Type Length Value (TLV) field of any of the above message types. For another example, it may also be carried in another available field of any of the above message types, such as a Reserved field.
If the control management entity and the first communication device belong to two different devices, taking a Telemetry message as the indication message as an example, before S103 is executed, network-layer connectivity between the first communication device and the control management entity needs to be established through a routing protocol, and the Telemetry function needs to be configured and enabled on both the first communication device and the control management entity. Then, after S102, the first communication device can carry the characteristic information of the first attack packet in a Telemetry message and send it to the control management entity.
In some possible implementations, the first communication device may periodically send attack detection results to the control management entity; once the control management entity determines that a received attack detection result includes the characteristic information of the first attack packet, it can proactively generate a packet processing policy for the first attack packet. Alternatively, the first communication device sends the characteristic information of the first attack packet to the control management entity only when it detects the first attack packet; in this case, the control management entity may likewise proactively generate a packet processing policy for the first attack packet.
In other possible implementations, in addition to sending the characteristic information of the first attack packet to the control management entity, the first communication device may also send indication information to the control management entity instructing it to generate a packet processing policy, where the packet processing policy is used to process packets that match the characteristic information of the first attack packet. It should be noted that the first communication device may carry the indication information and the characteristic information of the first attack packet in one indication message sent to the control management entity, or may carry them in different indication messages sent separately to the control management entity. The indication message carrying the indication information may be any one of the following: a BGP message, a PCEP message, a Telemetry message, or a NETCONF message.
If the control management entity and the first communication device belong to the same network device, taking a Telemetry message as the indication message as an example, before S103 is executed, the Telemetry function needs to be configured and enabled on the first communication device and the control management entity. Then, after S102, the first communication device can send the characteristic information of the first attack packet to the control management entity in the form of Telemetry data.
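The paragraphs above say the characteristic information is carried in an extended TLV field of the indication message. The block below, added here as an illustration rather than taken from the patent or from any BGP, PCEP, Telemetry or NETCONF implementation, encodes a feature set as a sequence of TLVs and decodes it on the controller side. The type codes and the two-byte type and length layout are assumptions; the point a practitioner cares about is on the decode side: every length is bounds-checked against the buffer and against the field's expected size, and unknown types are skipped rather than crashing the receiver, since the controller parses these messages from every device that reports to it.

```python
"""Carrying attack-packet characteristic information in TLVs.

Added example, not code from the patent. Type codes and layout are assumed:
each TLV is a 16-bit type, a 16-bit length and the value, network byte order.
"""
import ipaddress
import struct
from typing import Dict, Optional, Union

Feature = Union[str, int]

# Assumed type codes for the extended TLV carrying the characteristic information.
TLV_TYPES = {"src_ip": 1, "dst_ip": 2, "src_port": 3, "dst_port": 4, "proto": 5}
TYPE_NAMES = {code: name for name, code in TLV_TYPES.items()}
HDR = struct.Struct("!HH")  # type, length


def _pack_value(name: str, value: Feature) -> bytes:
    if name in ("src_ip", "dst_ip"):
        return ipaddress.ip_address(value).packed      # 4 bytes for IPv4, 16 for IPv6
    if name in ("src_port", "dst_port"):
        return struct.pack("!H", int(value))
    return struct.pack("!B", int(value))               # transport-layer protocol number


def encode_feature_tlvs(features: Dict[str, Feature]) -> bytes:
    """First communication device side: serialise the characteristic information."""
    out = bytearray()
    for name, value in features.items():
        body = _pack_value(name, value)
        out += HDR.pack(TLV_TYPES[name], len(body)) + body
    return bytes(out)


def decode_feature_tlvs(buf: bytes) -> Dict[str, Feature]:
    """Controller side: parse defensively. Raises ValueError on malformed input."""
    features: Dict[str, Feature] = {}
    off = 0
    while off < len(buf):
        if len(buf) - off < HDR.size:
            raise ValueError("truncated TLV header")
        tlv_type, length = HDR.unpack_from(buf, off)
        off += HDR.size
        if len(buf) - off < length:
            raise ValueError("TLV length exceeds message")
        value = buf[off:off + length]
        off += length
        name = TYPE_NAMES.get(tlv_type)
        if name is None:
            continue  # unknown TLV: tolerate, do not abort the whole message
        if name in ("src_ip", "dst_ip"):
            if length not in (4, 16):
                raise ValueError("bad address length")
            features[name] = str(ipaddress.ip_address(value))
        elif name in ("src_port", "dst_port"):
            if length != 2:
                raise ValueError("bad port length")
            features[name] = struct.unpack("!H", value)[0]
        else:
            if length != 1:
                raise ValueError("bad protocol length")
            features[name] = value[0]
    return features


def is_malformed(buf: bytes) -> bool:
    """True if the decoder rejects the buffer; used to check the bounds checks."""
    try:
        decode_feature_tlvs(buf)
    except ValueError:
        return True
    return False


# Constructed sample feature set, as a device might report it after S102.
SAMPLE_FEATURES: Dict[str, Feature] = {
    "src_ip": "192.0.2.77", "dst_ip": "10.0.1.9", "proto": 17,
    "src_port": 5000, "dst_port": 53,
}

if __name__ == "__main__":
    wire = encode_feature_tlvs(SAMPLE_FEATURES)
    print(wire.hex())
    print(decode_feature_tlvs(wire))
```

A TLV of an unrecognised type appended to the message is skipped, so a device running a newer extension does not break an older controller, while a message cut short by one byte is rejected instead of being read past its end.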
It can be seen that, with the method 100 provided in this embodiment of the present application, when the first communication device determines that the bandwidth of the first port occupied by the highest-forwarding-priority packets transmitted through the first port satisfies the first condition, it can obtain the characteristic information of the first attack packet among those highest-forwarding-priority packets and send it to the control management entity. The control management entity can then generate a packet processing policy based on the received characteristics of the first attack packet and send the policy to a communication device, and the communication device that receives the policy can process packets matching the characteristic information of the first attack packet according to it (for example, by dropping and/or rate-limiting them). In this way, the security defense mechanism effectively identifies and handles the attack packets before the first attack packet causes port congestion on the first communication device and threatens its security, ensuring that attack packets do not congest the communication device, that legitimate highest-forwarding-priority packets can be forwarded effectively, and that the first communication device can continue to provide normal service.
The above uses the handling of attack packets among the highest-forwarding-priority packets transmitted on the first port as an example to describe the implementation and effect of the packet processing method provided in this embodiment of the present application. Likewise, the method can be applied to other ports. For example, when it is determined that the bandwidth of the second port occupied by the highest-forwarding-priority packets transmitted through the second port satisfies a third condition, the characteristic information of a second attack packet among the highest-forwarding-priority packets transmitted through the second port is obtained and sent to the control management entity. The terms "first" and "second" in "first attack packet" and "second attack packet" serve only to distinguish highest-forwarding-priority attack packets transmitted on different ports and do not refer to any specific packet.
In other possible implementations, when the first communication device determines that the bandwidth of the first port occupied by the highest-forwarding-priority packets transmitted through the first port satisfies the first condition, it may analyze those packets and determine that the highest-forwarding-priority packets transmitted through the first port include attack packets. In this implementation, the first communication device may also send an alarm signal to the network management system to notify it that attack packets are present on the first communication device, so that the network management system can manage and control the first communication device and any communication devices that may be transmitting the attack packets, ensuring network security.
In addition, this embodiment of the present application further provides another attack packet processing method 200, as shown in FIG. 4. In the method 200, after S103 of the above method 100, the following may further be included:
S104: The control management entity generates a packet processing policy based on the characteristic information of the first attack packet, where the packet processing policy is used to process packets that match the characteristic information of the first attack packet.
The packet processing policy may include, for example, the characteristic information of the first attack packet and a processing policy. The characteristic information of the first attack packet specifies the characteristics of the packets to be processed, so that the second communication device executing the packet processing policy can determine which attack packets are to be processed according to the processing policy. The processing policy refers to the specific processing operation performed on the packets to be processed. For example, it may be a drop operation, that is, packets matching the characteristic information of the first attack packet are dropped; or it may be a rate-limiting operation, that is, packets matching the characteristic information of the first attack packet are rate-limited. Either dropping or rate-limiting effectively reduces the seizure of network resources by attack packets and, in particular, reduces the probability that legitimate highest-forwarding-priority packets run short of bandwidth.
Any existing drop and/or rate-limiting algorithm may be used for the processing policy; this is not specifically limited in this embodiment of the present application.
S105: The control management entity sends the packet processing policy to the second communication device.
The second communication device and the first communication device may belong to the same network device or to two different network devices.
Specifically, the control management entity may carry the packet processing policy in a BGP message, a PCEP message, a Telemetry message, or a NETCONF message sent to the second communication device.
In addition, the control management entity may also send indication information to the second communication device instructing it to process packets matching the characteristic information of the first attack packet according to the packet processing policy.
S106: The second communication device processes packets matching the characteristic information of the first attack packet based on the packet processing policy.
In a specific implementation, S106 may include, for example: the second communication device obtains a first packet; it then determines whether the packet characteristics of the first packet match the packet characteristics of the first attack packet in the packet processing policy; if they match, it processes the first packet according to the processing policy in the packet processing policy. Processing the first packet based on the packet processing policy may include, for example, dropping the first packet according to the processing policy in the packet processing policy, or rate-limiting the first packet according to the processing policy in the packet processing policy.
When the first communication device and the second communication device belong to the same network device, S106 may include, for example: the second communication device determines that a packet transmitted through the first port matches the packet characteristics of the first attack packet in the packet processing policy and, if so, drops or rate-limits the packet transmitted through the first port according to the processing policy in the packet processing policy. This prevents the first attack packet from causing legitimate highest-forwarding-priority packets to be dropped on the first communication device and ensures that the first communication device forwards legitimate packets effectively.
When the first communication device and the second communication device belong to different network devices, the second communication device may be any network device under the control of the control management entity. In this way, even if the first attack packet targets other communication devices in the network, those devices are also prevented from dropping legitimate highest-forwarding-priority packets because of the first attack packet, ensuring that they forward legitimate packets effectively.
As an example, the second communication device may belong to the previous-hop node, on the transmission path of the attack packet, of the network device where the first communication device is located. In this way, when the control management entity sends the packet processing policy to the second communication device, the first attack packet is suppressed as close to its source as possible from the perspective of the first communication device, so that it no longer occupies the bandwidth resources of the first communication device and its effect on the first communication device is eliminated.
In this example, to suppress the first attack packet more effectively and thoroughly, the control management entity may also send the packet processing policy to the first communication device while S106 is executed; the first communication device may then, based on that packet processing policy, process packets received on the first port that match the characteristic information of the attack packet.
To prevent other communication devices in the network from being affected by the first attack packet, the control management entity may also send the packet processing policy to all communication devices in the network connected to it, so that each communication device, upon receiving a packet matching the characteristic information of the first attack packet in the packet processing policy, can identify that packet as an attack packet and drop or rate-limit it according to the processing policy in the packet processing policy. This effectively prevents the first attack packet from being transmitted between multiple communication devices in the network to attack them, greatly improving network security.
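Steps S104 to S106 (the controller turns the reported characteristic information into a policy, and a receiving device matches packets against it and drops or rate-limits them) are shown below as an added illustration. This is not the patent's or the applicant's code: the Policy structure, the subset-match rule, the token-bucket rate limiter and the constructed packets and timestamps are all assumptions, chosen because the patent leaves the drop and rate-limiting algorithm open. The enforcer takes the clock as an argument so the example runs deterministically offline.

```python
"""Policy generation (S104) and enforcement (S106) for attack-packet features.

Added example, not code from the patent. Policy layout, match rule and the
token-bucket limiter are assumptions; packets and timestamps are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

Packet = Dict[str, object]   # e.g. {"src_ip": ..., "proto": ..., "length": ...}


@dataclass
class Policy:
    match: Dict[str, object]   # characteristic information of the attack packet
    action: str                # "drop" or "rate_limit"
    rate_bps: float = 0.0      # rate_limit only
    burst_bytes: float = 0.0   # rate_limit only


def generate_policy(features: Dict[str, object], action: str = "rate_limit",
                    rate_bps: float = 1_000_000.0, burst_bytes: float = 15_000.0) -> Policy:
    """S104: the controller binds the reported features to a processing action."""
    if action not in ("drop", "rate_limit"):
        raise ValueError("unknown action")
    return Policy(dict(features), action, rate_bps, burst_bytes)


def packet_matches(pkt: Packet, match: Dict[str, object]) -> bool:
    """A packet matches when every reported feature equals the packet's field;
    features the controller did not report are not constrained."""
    return all(pkt.get(k) == v for k, v in match.items())


class TokenBucket:
    """Byte-based token bucket: tokens refill at rate bytes/s up to burst."""

    def __init__(self, rate_bps: float, burst_bytes: float) -> None:
        self.rate = rate_bps / 8.0          # bytes per second
        self.burst = burst_bytes
        self.tokens = burst_bytes
        self.last: Optional[float] = None

    def allow(self, nbytes: int, now: float) -> bool:
        if self.last is not None and now > self.last:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return True
        return False


class Enforcer:
    """S106: the second communication device applying one packet processing policy."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.bucket = TokenBucket(policy.rate_bps, policy.burst_bytes)
        self.dropped = 0

    def handle(self, pkt: Packet, now: float) -> str:
        if not packet_matches(pkt, self.policy.match):
            return "forward"                      # unaffected traffic is untouched
        if self.policy.action == "drop" or not self.bucket.allow(int(pkt["length"]), now):
            self.dropped += 1
            return "drop"
        return "forward"


# Constructed sample: features reported for the hopping flow, one attack packet
# and one legitimate highest-priority packet to the same destination.
ATTACK_FEATURES = {"src_ip": "192.0.2.77", "dst_ip": "10.0.1.9", "proto": 17}
ATTACK_PKT: Packet = {"src_ip": "192.0.2.77", "dst_ip": "10.0.1.9", "proto": 17,
                      "src_port": 1007, "dst_port": 2007, "length": 1500}
GOOD_PKT: Packet = {"src_ip": "10.0.0.5", "dst_ip": "10.0.1.9", "proto": 6,
                    "src_port": 40000, "dst_port": 443, "length": 1000}


def run_rate_limit_simulation() -> List[str]:
    """80 kbit/s (10,000 bytes/s) with a 3,000-byte burst: two 1,500-byte attack
    packets pass at t=0, the third is dropped, 0.1 s refills only 1,000 bytes,
    and by t=0.3 the bucket is full again for two more packets."""
    enf = Enforcer(generate_policy(ATTACK_FEATURES, "rate_limit", 80_000.0, 3_000.0))
    schedule = [(ATTACK_PKT, 0.0), (ATTACK_PKT, 0.0), (ATTACK_PKT, 0.0), (GOOD_PKT, 0.0),
                (ATTACK_PKT, 0.1), (ATTACK_PKT, 0.3), (ATTACK_PKT, 0.3), (ATTACK_PKT, 0.3)]
    return [enf.handle(pkt, t) for pkt, t in schedule]


def run_drop_simulation() -> List[str]:
    enf = Enforcer(generate_policy(ATTACK_FEATURES, "drop"))
    return [enf.handle(p, 0.0) for p in (ATTACK_PKT, GOOD_PKT, ATTACK_PKT)]


if __name__ == "__main__":
    print(run_rate_limit_simulation())
    print(run_drop_simulation())
```

The legitimate packet to the same destination is forwarded in both simulations because the policy matches only the reported features, which is the property the patent relies on when it says the policy protects legitimate highest-priority traffic rather than the port as a whole.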
It can be seen that, with the method 200 provided in this embodiment of the present application, the control management entity generates a packet processing policy based on the characteristic information of the first attack packet reported by the first communication device and sends it to the second communication device, which can then process packets matching the characteristic information of the first attack packet. In this way, the security defense mechanism effectively identifies and handles the attack packets before they cause port congestion on the first communication device and threaten its security, ensuring that attack packets do not congest the communication device, that legitimate highest-forwarding-priority packets can be forwarded effectively, and that the first communication device can continue to provide normal service.
The above uses the handling of attack packets among the highest-forwarding-priority packets transmitted on the first port as an example to describe the implementation and effect of the packet processing method provided in this embodiment of the present application. Likewise, the method 200 can be applied to other ports. For example, after the embodiment shown in the method 100 is executed for the second port, the following may further be included: the control management entity generates a packet processing policy based on the characteristic information of the second attack packet, where the packet processing policy is used to process packets matching the characteristic information of the second attack packet; the control management entity sends the packet processing policy to a third communication device; and the third communication device processes packets matching the characteristic information of the second attack packet based on the packet processing policy. The third communication device and the first communication device may belong to the same network device or to two different network devices.
FIG. 5 is a schematic flowchart of a packet processing method 300 in an embodiment of the present application. Referring to FIG. 5, the method 300 is performed by the first communication device and may include, for example:
S301: The first communication device determines that the bandwidth of the first port occupied by the highest-forwarding-priority packets transmitted through the first port satisfies a first condition;
S302: The highest-forwarding-priority packets transmitted through the first port are analyzed;
S303: It is determined that the packets transmitted through the first port include an attack packet having the highest forwarding priority.
As an example, when the first communication device determines that the packets transmitted through the first port include an attack packet having the highest forwarding priority, it may also send an alarm signal to the network management system indicating that attack packets are present on the first communication device, so that the network management system can defend the network and prevent the attack packets from posing a greater threat to it. In addition, so that the network management system can mount a targeted defense, the alarm signal may also carry the characteristic information of the attack.
As another example, after determining that the packets transmitted through the first port include an attack packet having the highest forwarding priority, the first communication device may further obtain the characteristic information of the attack packet. The first communication device may then send the characteristic information of the attack packet to the control management entity and obtain a packet processing policy generated by the control management entity, where the packet processing policy is used to process packets matching the characteristic information of the attack packet. The first communication device can thus drop and/or rate-limit a first packet based on the packet processing policy, where the first packet is a packet matching the characteristic information of the attack packet.
The first condition may include that the proportion of the bandwidth of the first port occupied by the highest-forwarding-priority packets transmitted through the first port is greater than or equal to a first threshold. Alternatively, the first condition may include that the highest-forwarding-priority packets transmitted through the first port reach or exceed a second threshold.
It should be noted that, for the specific implementation of the method 300 and the effects achieved, reference may be made to the descriptions of the methods 100 and 200 above, which are not repeated here.
FIG. 6 is a schematic flowchart of a packet processing method 400 in an embodiment of the present application. Referring to FIG. 6, the method 400 is described in terms of the interaction between the first communication device and the control management entity and may include, for example:
S401: When the first communication device determines that the bandwidth of the first port occupied by the highest-forwarding-priority packets transmitted through the first port satisfies a first condition, it obtains the characteristic information of an attack packet among the highest-forwarding-priority packets;
S402: The first communication device sends the characteristic information of the attack packet to the control management entity;
S402: The control management entity generates a packet processing policy based on the characteristic information of the attack packet, where the packet processing policy is used to process packets matching the characteristic information of the attack packet.
As an example, the method 400 may further include: the first communication device obtains the packet processing policy generated by the control management device, and then processes a first packet based on the packet processing policy, where the first packet is a packet matching the characteristic information of the attack packet.
As yet another example, the method 400 may further include: the control management device sends the packet processing policy to a second communication device, and the second communication device processes a second packet based on the packet processing policy, where the second packet is a packet matching the characteristic information of the attack packet.
The first condition may include that the proportion of the bandwidth of the first port occupied by the highest-forwarding-priority packets transmitted through the first port is greater than or equal to a first threshold. Alternatively, the first condition may include that the highest-forwarding-priority packets transmitted through the first port reach or exceed a second threshold.
It should be noted that, for the specific implementation of the method 400 and the effects achieved, reference may be made to the descriptions of the methods 100 to 300 above, which are not repeated here.
In addition, an embodiment of the present application further provides a packet processing system 700, as shown in FIG. 7. The system 700 may include at least a first communication device 701 and a control management entity 702, where:
the first communication device 701 is configured to, when it determines that the bandwidth of the first port occupied by the packets of the highest forwarding priority transmitted through the first port satisfies a first condition, obtain the feature information of the attack packet among the packets of the highest forwarding priority and send it to the control management entity 702;
the control management entity 702 is configured to generate a packet processing policy according to the feature information of the attack packet, where the packet processing policy is used to process packets matching the feature information of the attack packet.
As an example, the control management device 702 is further configured to send the packet processing policy to the first communication device. The first communication device 701 is then further configured to process a first packet based on the packet processing policy, where the first packet is a packet matching the feature information of the attack packet.
As another example, the system 700 may further include a second communication device, and the control management device 702 is further configured to send the packet processing policy to the second communication device. The second communication device is then further configured to process a second packet based on the packet processing policy, where the second packet is a packet matching the feature information of the attack packet.
The first condition may include that the proportion of the bandwidth of the first port occupied by the packets of the highest forwarding priority transmitted through the first port is greater than or equal to a first threshold. Alternatively, the first condition may include that the packets of the highest forwarding priority transmitted through the first port are greater than or equal to a second threshold.
It should be noted that for the specific implementation and the effects achieved by the system 700, reference may be made to the descriptions of methods 100 to 400 above, or to the descriptions of the embodiments shown in FIG. 1 and FIG. 2, which are not repeated here.
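The detection-and-policy loop of system 700 in Python, as an added example that is not part of the patent: the device polls a port, checks the second condition (total load) before the first condition (highest-priority load), extracts the 5-tuple of the dominant highest-priority flow as the attack feature information, and a control management entity turns it into a drop or rate-limit policy that a device then applies. The priority encoding, the thresholds, the dominant-flow heuristic and the sample traffic are all constructed assumptions; the patent itself does not fix how the attack packet is identified.

```python
# Added example, not from the patent: a small simulation of the detection and
# policy loop described for system 700. Thresholds, names and traffic are constructed.
from collections import Counter
from dataclasses import dataclass

HIGHEST_PRIORITY = 7   # assumption: the largest priority value is the highest forwarding priority
FLOW_KEYS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto")   # claim 18 feature information


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int       # transport-layer protocol number (6 = TCP, 17 = UDP)
    priority: int    # forwarding priority carried by the packet
    size: int        # bytes on the wire

    def flow(self):
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)


def bandwidth_bps(packets, window_s):
    """Bandwidth used by the given packets over one polling window (claim 12)."""
    return sum(p.size for p in packets) * 8 / window_s


def second_condition(packets, capacity_bps, window_s, third_threshold):
    """Claims 9-10: all traffic through the port occupies >= third_threshold of the port bandwidth.
    Checked first so that an idle port is never analysed for attack packets."""
    return bandwidth_bps(packets, window_s) / capacity_bps >= third_threshold


def first_condition(packets, capacity_bps, window_s, first_threshold=None, second_threshold_bps=None):
    """Claims 7-8: highest-priority traffic occupies >= first_threshold (proportion of the port)
    or >= second_threshold_bps (absolute bandwidth)."""
    used = bandwidth_bps([p for p in packets if p.priority == HIGHEST_PRIORITY], window_s)
    if first_threshold is not None and used / capacity_bps >= first_threshold:
        return True
    return second_threshold_bps is not None and used >= second_threshold_bps


def attack_features(packets, dominant_share=0.5):
    """Feature information of the attack packet among the highest-priority packets.
    The patent leaves the analysis open; assumption here: the 5-tuple carrying at least
    dominant_share of the highest-priority bytes is reported, otherwise nothing is."""
    by_flow = Counter()
    for p in packets:
        if p.priority == HIGHEST_PRIORITY:
            by_flow[p.flow()] += p.size
    if not by_flow:
        return None
    flow, nbytes = by_flow.most_common(1)[0]
    if nbytes / sum(by_flow.values()) < dominant_share:
        return None
    return dict(zip(FLOW_KEYS, flow))


def poll_port(packets, capacity_bps, window_s, first_threshold, third_threshold):
    """One polling cycle on the first communication device (claims 1, 9, 12): returns the
    feature information to send to the control management entity, or None."""
    if not second_condition(packets, capacity_bps, window_s, third_threshold):
        return None
    if not first_condition(packets, capacity_bps, window_s, first_threshold=first_threshold):
        return None
    return attack_features(packets)


def make_policy(features, action="drop", rate_limit_bps=None):
    """Control management entity: packet processing policy for matching packets (claims 4-5)."""
    if action not in ("drop", "rate_limit"):
        raise ValueError("action must be 'drop' or 'rate_limit'")
    return {"match": features, "action": action, "rate_limit_bps": rate_limit_bps}


def apply_policy(policy, packets, window_s):
    """First or second communication device: apply the policy, return the packets forwarded."""
    match = tuple(policy["match"][k] for k in FLOW_KEYS)
    # remaining byte budget in this window for the matching flow; None means drop everything
    budget = None if policy["action"] == "drop" else policy["rate_limit_bps"] * window_s / 8
    forwarded = []
    for p in packets:
        if p.flow() != match:
            forwarded.append(p)
        elif budget is not None and budget >= p.size:
            budget -= p.size
            forwarded.append(p)
    return forwarded


def constructed_window():
    """Constructed one-second sample: legitimate voice, best-effort data and a flood that
    carries the highest forwarding priority although it should not."""
    voice = [Packet("10.0.0.5", "10.0.1.9", 5060, 5060, 17, HIGHEST_PRIORITY, 200)] * 100
    data = [Packet("10.0.0.8", "10.0.1.20", 40000, 443, 6, 0, 1000)] * 1000
    flood = [Packet("203.0.113.7", "10.0.1.9", 53, 53, 17, HIGHEST_PRIORITY, 1400)] * 5000
    return voice + data + flood
```

On the constructed window over a 100 Mbit/s port, `poll_port(constructed_window(), 100_000_000, 1.0, 0.5, 0.3)` reports the 203.0.113.7 flow, and a 1 Mbit/s rate-limit policy forwards 1189 of the 6100 packets while a drop policy forwards the 1100 legitimate ones.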
In addition, an embodiment of the present application further provides a first communication device 800, as shown in FIG. 8. The first communication device 800 includes a processing unit 801 and a sending unit 802. The processing unit 801 is configured to perform the processing operations performed by the first communication device in any of the embodiments shown in FIG. 3 to FIG. 6; the sending unit 802 is configured to perform the sending operations performed by the first communication device in any of the embodiments shown in FIG. 3 to FIG. 6. For example, the processing unit 801 may perform the following operations of the embodiment in FIG. 3: determining that the bandwidth of the first port occupied by the packets of the highest forwarding priority transmitted through the first port satisfies the first condition; and obtaining the feature information of the first attack packet included in the packets of the highest forwarding priority transmitted through the first port. For example, the sending unit 802 may perform the following operation of the embodiment in FIG. 3: sending the feature information of the first attack packet to the control management entity.
In addition, an embodiment of the present application further provides a first communication device 900, as shown in FIG. 9. The first communication device 900 includes a first communication interface 901, a second communication interface 902 and a processor 903. The first communication interface 901 is configured to perform the receiving operations performed by the first communication device in any of the embodiments shown in FIG. 3 to FIG. 6; the second communication interface 902 is configured to perform the sending operations performed by the first communication device in any of the embodiments shown in FIG. 3 to FIG. 6; and the processor 903 is configured to perform the operations, other than the receiving and sending operations, performed by the first communication device in any of the embodiments shown in FIG. 3 to FIG. 6. For example, the processor 903 may perform the following operations of the embodiment in FIG. 3: determining that the bandwidth of the first port occupied by the packets of the highest forwarding priority transmitted through the first port satisfies the first condition; and obtaining the feature information of the first attack packet included in the packets of the highest forwarding priority transmitted through the first port.
In addition, an embodiment of the present application further provides a first communication device 1000, as shown in FIG. 10. The first communication device 1000 includes a memory 1001 and a processor 1002 in communication with the memory 1001. The memory 1001 holds computer-readable instructions, and the processor 1002 is configured to execute the computer-readable instructions so that the first communication device 1000 performs the method performed by the first communication device in any of the embodiments shown in FIG. 3 to FIG. 6.
It can be understood that, in the above embodiments, the processor may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. The processor may also be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof. The processor may be a single processor or may include multiple processors. The memory may include volatile memory, such as random-access memory (RAM); the memory may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD), or a solid-state drive (SSD); the memory may also include a combination of the above kinds of memory. The memory may be a single memory or may include multiple memories. In a specific implementation, the memory stores computer-readable instructions, and the computer-readable instructions include a plurality of software modules, such as a sending module, a processing module and a receiving module. After executing each software module, the processor may perform the corresponding operations as instructed by that software module. In this embodiment, an operation performed by a software module actually refers to an operation performed by the processor as instructed by the software module. After executing the computer-readable instructions in the memory, the processor may, as instructed by the computer-readable instructions, perform all operations that the first communication device can perform in the packet processing method.
It can be understood that, in the above embodiments, the second communication interface 902 of the first communication device 900 may specifically serve as the sending unit 802 of the first communication device 800, implementing data communication between the first communication device and the control management entity; the first communication interface 901 of the first communication device 900 may specifically serve as a receiving unit of the first communication device 800, for example to receive packets sent by an upstream network device.
In addition, an embodiment of the present application further provides a communication system, in which the first communication device may be, for example, the first communication device 800, 900 or 1000 described above. For example, if the communication system is the packet processing system 700 described above, the first communication device is the first communication device 701 and the control management entity is the control management entity 702.
In addition, an embodiment of the present application further provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform the packet processing method of the embodiments shown in FIG. 3 to FIG. 6.
In addition, an embodiment of the present application further provides a computer program product comprising a computer program or computer-readable instructions which, when run on a computer, cause the computer to perform the packet processing method of the embodiments shown in FIG. 3 to FIG. 6.
From the description of the above embodiments, those skilled in the art can clearly understand that all or some of the steps of the methods in the above embodiments may be implemented by software together with a general-purpose hardware platform. Based on this understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a storage medium such as read-only memory (ROM)/RAM, a magnetic disk or an optical disc, and includes instructions for causing a computer device (which may be a personal computer, a server, or a network communication device such as a router) to perform the methods described in the embodiments of the present application or in parts of them.
Each embodiment in this specification is described in a progressive manner; for the parts that are the same or similar between embodiments, reference may be made to one another, and each embodiment focuses on its differences from the others. In particular, the system and device embodiments are described relatively briefly because they are basically similar to the method embodiments, and reference may be made to the description of the method embodiments for the related parts. The device and system embodiments described above are only illustrative: modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules, that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
The above are only preferred embodiments of the present application and are not intended to limit its protection scope. It should be pointed out that those of ordinary skill in the art may make various improvements and modifications without departing from the present application, and these improvements and modifications shall also fall within the protection scope of the present application.

Claims (78)

  1. A packet processing method, characterized in that the method is performed by a first communication device and comprises:
    determining that the bandwidth of a first port occupied by packets of the highest forwarding priority transmitted through the first port satisfies a first condition;
    obtaining feature information of a first attack packet included in the packets of the highest forwarding priority transmitted through the first port;
    sending the feature information of the first attack packet to a control management entity.
  2. The method according to claim 1, characterized in that the method further comprises:
    obtaining a packet processing policy generated by the control management entity, the packet processing policy being used to process packets matching the feature information of the first attack packet.
  3. The method according to claim 2, characterized in that the method further comprises:
    processing a first packet based on the packet processing policy, the first packet being a packet matching the feature information of the first attack packet.
  4. The method according to claim 3, characterized in that the processing a first packet based on the packet processing policy comprises:
    discarding the first packet based on the packet processing policy.
  5. The method according to claim 3, characterized in that the processing a first packet based on the packet processing policy comprises:
    rate-limiting the first packet based on the packet processing policy.
  6. The method according to any one of claims 1 to 5, characterized in that the method further comprises:
    sending indication information to the control management entity, the indication information being used to instruct the control management entity to generate a packet processing policy.
  7. The method according to any one of claims 1 to 6, characterized in that the first condition comprises that the proportion of the bandwidth of the first port occupied by the packets of the highest forwarding priority transmitted through the first port is greater than or equal to a first threshold.
  8. The method according to any one of claims 1 to 6, characterized in that the first condition comprises that the bandwidth of the first port occupied by the packets of the highest forwarding priority transmitted through the first port is greater than or equal to a second threshold.
  9. The method according to any one of claims 1 to 8, characterized in that, before the determining that the bandwidth of the first port occupied by the packets of the highest forwarding priority transmitted through the first port satisfies the first condition, the method further comprises:
    determining that all packets transmitted through the first port satisfy a second condition.
  10. The method according to claim 9, characterized in that the second condition comprises that the proportion of the bandwidth of the first port occupied by all packets transmitted through the first port is greater than or equal to a third threshold.
  11. The method according to claim 9, characterized in that the second condition comprises that all packets transmitted through the first port are greater than or equal to a fourth threshold.
  12. The method according to any one of claims 1 to 11, characterized in that, before the determining that the bandwidth of the first port occupied by the packets of the highest forwarding priority transmitted through the first port satisfies the first condition, the method further comprises:
    polling to detect the bandwidth occupancy of the first port.
  13. The method according to any one of claims 1 to 12, characterized in that the method further comprises:
    determining that the bandwidth of a second port occupied by packets of the highest forwarding priority transmitted through the second port satisfies a third condition;
    obtaining feature information of a second attack packet included in the packets of the highest forwarding priority transmitted through the second port;
    sending the feature information of the second attack packet to the control management entity.
  14. The method according to claim 13, characterized in that the third condition comprises that the proportion of the bandwidth of the second port occupied by the packets of the highest forwarding priority transmitted through the second port is greater than or equal to a fifth threshold.
  15. The method according to claim 13, characterized in that the third condition comprises that the packets of the highest forwarding priority transmitted through the second port are greater than or equal to a sixth threshold.
  16. The method according to any one of claims 1 to 15, characterized in that the sending the feature information of the first attack packet to the control management entity comprises:
    sending a message to the control management entity, the message carrying the feature information of the first attack packet.
  17. The method according to claim 16, characterized in that the message is any one of the following:
    a Border Gateway Protocol (BGP) message, a Path Computation Element Communication Protocol (PCEP) message, a Telemetry message, or a Network Configuration Protocol (NETCONF) message.
  18. The method according to any one of claims 1 to 17, characterized in that the feature information of the first attack packet comprises one or more of the following:
    the source Internet Protocol (IP) address, destination IP address, source port number, destination port number, or transport-layer protocol number of the first attack packet.
  19. The method according to any one of claims 1 to 18, characterized in that the first communication device runs in an Internet Protocol version 4 (IPv4) network, an Internet Protocol version 6 (IPv6) network, or a virtual private network (VPN).
  20. A packet processing method, characterized in that the method is performed by a first communication device and comprises:
    determining that the bandwidth of a first port occupied by packets of the highest forwarding priority transmitted through the first port satisfies a first condition;
    analysing the packets of the highest forwarding priority transmitted through the first port;
    determining that the packets transmitted through the first port include an attack packet having the highest forwarding priority.
  21. The method according to claim 20, characterized in that the method further comprises:
    in response to determining that the packets transmitted through the first port include an attack packet having the highest forwarding priority, sending an alarm signal.
  22. The method according to claim 20 or 21, characterized in that the method further comprises:
    obtaining feature information of the attack packet.
  23. The method according to claim 22, characterized in that the method further comprises:
    sending the feature information of the attack packet to a control management entity.
  24. The method according to claim 23, characterized in that the method further comprises:
    obtaining a packet processing policy generated by the control management entity, the packet processing policy being used to process packets matching the feature information of the attack packet.
  25. The method according to claim 22, characterized in that the method further comprises:
    generating a packet processing policy based on the feature information of the attack packet, the packet processing policy being used to process packets matching the feature information of the attack packet.
  26. The method according to claim 24 or 25, characterized in that the method further comprises:
    processing a first packet based on the packet processing policy, the first packet being a packet matching the feature information of the attack packet.
  27. The method according to claim 26, characterized in that the processing the first packet based on the packet processing policy comprises:
    discarding the first packet based on the packet processing policy.
  28. The method according to claim 26, characterized in that the processing the first packet based on the packet processing policy comprises:
    rate-limiting the first packet based on the packet processing policy.
  29. The method according to any one of claims 20 to 28, characterized in that the first condition comprises that the proportion of the bandwidth of the first port occupied by the packets of the highest forwarding priority transmitted through the first port is greater than or equal to a first threshold.
  30. The method according to any one of claims 20 to 28, characterized in that the first condition comprises that the packets of the highest forwarding priority transmitted through the first port are greater than or equal to a second threshold.
  31. A packet processing method, characterized in that the method comprises:
    when a first communication device determines that the bandwidth of a first port occupied by packets of the highest forwarding priority transmitted through the first port satisfies a first condition, obtaining, by the first communication device, feature information of an attack packet among the packets of the highest forwarding priority;
    sending, by the first communication device, the feature information of the attack packet to a control management entity;
    generating, by the control management entity, a packet processing policy according to the feature information of the attack packet, the packet processing policy being used to process packets matching the feature information of the attack packet.
  32. The method according to claim 31, characterized in that the method further comprises:
    sending, by the control management device, the packet processing policy to the first communication device.
  33. The method according to claim 32, characterized in that the method further comprises:
    processing, by the first communication device, a first packet based on the packet processing policy, the first packet being a packet matching the feature information of the attack packet.
  34. The method according to claim 31, characterized in that the method further comprises:
    sending, by the control management device, the packet processing policy to a second communication device.
  35. The method according to claim 34, characterized in that the method further comprises:
    processing, by the second communication device, a second packet based on the packet processing policy, the second packet being a packet matching the feature information of the attack packet.
  36. The method according to any one of claims 31 to 35, characterized in that the first condition comprises that the proportion of the bandwidth of the first port occupied by the packets of the highest forwarding priority transmitted through the first port is greater than or equal to a first threshold.
  37. The method according to any one of claims 31 to 35, characterized in that the first condition comprises that the packets of the highest forwarding priority transmitted through the first port are greater than or equal to a second threshold.
  38. A first communication device, characterized in that it comprises:
    a processing unit, configured to determine that the bandwidth of a first port occupied by packets of the highest forwarding priority transmitted through the first port satisfies a first condition;
    the processing unit being further configured to obtain feature information of a first attack packet included in the packets of the highest forwarding priority transmitted through the first port; and
    a transceiver unit, configured to send the feature information of the first attack packet to a control management entity.
  39. The device according to claim 38, characterized in that
    the processing unit is further configured to obtain a packet processing policy generated by the control management entity, the packet processing policy being used to process packets matching the feature information of the first attack packet.
  40. The device according to claim 39, characterized in that
    the processing unit is further configured to process a first packet based on the packet processing policy, the first packet being a packet matching the feature information of the first attack packet.
  41. The device according to claim 40, characterized in that the processing unit is specifically configured to:
    discard the first packet based on the packet processing policy.
  42. The device according to claim 40, characterized in that the processing unit is specifically configured to:
    rate-limit the first packet based on the packet processing policy.
  43. The device according to any one of claims 38 to 42, characterized in that
    the transceiver unit is further configured to send indication information to the control management entity, the indication information being used to instruct the control management entity to generate a packet processing policy.
  44. The device according to any one of claims 38 to 43, characterized in that the first condition comprises that the proportion of the bandwidth of the first port occupied by the packets of the highest forwarding priority transmitted through the first port is greater than or equal to a first threshold.
  45. The device according to any one of claims 38 to 43, characterized in that the first condition comprises that the bandwidth of the first port occupied by the packets of the highest forwarding priority transmitted through the first port is greater than or equal to a second threshold.
  46. The device according to any one of claims 38 to 45, characterized in that
    the processing unit is further configured to, before the determining that the bandwidth of the first port occupied by the packets of the highest forwarding priority transmitted through the first port satisfies the first condition, determine that all packets transmitted through the first port satisfy a second condition.
  47. The device according to claim 46, characterized in that the second condition comprises that the proportion of the bandwidth of the first port occupied by all packets transmitted through the first port is greater than or equal to a third threshold.
  48. The device according to claim 46, characterized in that the second condition comprises that all packets transmitted through the first port are greater than or equal to a fourth threshold.
  49. The device according to any one of claims 38 to 48, characterized in that
    the processing unit is further configured to, before the determining that the bandwidth of the first port occupied by the packets of the highest forwarding priority transmitted through the first port satisfies the first condition, poll to detect the bandwidth occupancy of the first port.
  50. The device according to any one of claims 38 to 49, characterized in that
    the processing unit is further configured to determine that the bandwidth of a second port occupied by packets of the highest forwarding priority transmitted through the second port satisfies a third condition;
    the processing unit is further configured to obtain feature information of a second attack packet included in the packets of the highest forwarding priority transmitted through the second port;
    the transceiver unit is further configured to send the feature information of the second attack packet to the control management entity.
  51. The device according to claim 50, characterized in that the third condition comprises that the proportion of the bandwidth of the second port occupied by the packets of the highest forwarding priority transmitted through the second port is greater than or equal to a fifth threshold.
  52. The device according to claim 50, characterized in that the third condition comprises that the packets of the highest forwarding priority transmitted through the second port are greater than or equal to a sixth threshold.
  53. The device according to any one of claims 38 to 52, characterized in that the transceiver unit is specifically configured to:
    send a message to the control management entity, the message carrying the feature information of the first attack packet.
  54. The device according to claim 53, characterized in that the message is any one of the following:
    a Border Gateway Protocol (BGP) message, a Path Computation Element Communication Protocol (PCEP) message, a Telemetry message, or a Network Configuration Protocol (NETCONF) message.
  55. The device according to any one of claims 38 to 54, characterized in that the feature information of the first attack packet comprises one or more of the following:
    the source Internet Protocol (IP) address, destination IP address, source port number, destination port number, or transport-layer protocol number of the first attack packet.
  56. The device according to any one of claims 38 to 55, characterized in that the first communication device runs in an Internet Protocol version 4 (IPv4) network, an Internet Protocol version 6 (IPv6) network, or a virtual private network (VPN).
  57. A first communication apparatus, comprising:
    a processing unit, configured to determine that the bandwidth of a first port occupied by highest-forwarding-priority packets transmitted through the first port satisfies a first condition;
    the processing unit is further configured to analyze the highest-forwarding-priority packets transmitted through the first port; and
    the processing unit is further configured to determine that the packets transmitted through the first port include an attack packet having the highest forwarding priority.
  58. The apparatus according to claim 57, further comprising:
    a transceiver unit, configured to send an alarm signal in response to determining that the packets transmitted through the first port include an attack packet having the highest forwarding priority.
  59. The apparatus according to claim 57 or 58, wherein
    the processing unit is further configured to acquire feature information of the attack packet.
  60. The apparatus according to claim 59, wherein
    the transceiver unit is further configured to send the feature information of the attack packet to a control management entity.
  61. The apparatus according to claim 60, wherein
    the processing unit is further configured to acquire a packet processing policy generated by the control management entity, where the packet processing policy is used to process packets matching the feature information of the attack packet.
  62. The apparatus according to claim 59, wherein
    the processing unit is further configured to generate a packet processing policy based on the feature information of the attack packet, where the packet processing policy is used to process packets matching the feature information of the attack packet.
  63. The apparatus according to claim 61 or 62, wherein
    the processing unit is further configured to process a first packet based on the packet processing policy, where the first packet is a packet matching the feature information of the attack packet.
  64. The apparatus according to claim 63, wherein the processing unit is specifically configured to:
    drop the first packet based on the packet processing policy.
  65. The apparatus according to claim 63, wherein the processing unit is specifically configured to:
    rate-limit the first packet based on the packet processing policy.
  66. The apparatus according to any one of claims 57 to 65, wherein the first condition comprises that the proportion of the bandwidth of the first port occupied by the highest-forwarding-priority packets transmitted through the first port is greater than or equal to a first threshold.
  67. The apparatus according to any one of claims 57 to 65, wherein the first condition comprises that the quantity of the highest-forwarding-priority packets transmitted through the first port is greater than or equal to a second threshold.
  68. A packet processing system, wherein the system comprises a first communication apparatus and a control management entity, and wherein
    the first communication apparatus is configured to, when determining that the bandwidth of a first port occupied by the highest-forwarding-priority packets transmitted through the first port satisfies a first condition, acquire feature information of an attack packet among the highest-forwarding-priority packets and send it to the control management entity; and
    the control management entity is configured to generate a packet processing policy according to the feature information of the attack packet, where the packet processing policy is used to process packets matching the feature information of the attack packet.
  69. The system according to claim 68, wherein
    the control management device is further configured to send the packet processing policy to the first communication apparatus.
  70. The system according to claim 69, wherein
    the first communication apparatus is further configured to process a first packet based on the packet processing policy, where the first packet is a packet matching the feature information of the attack packet.
  71. The system according to claim 68, wherein the system further comprises a second communication apparatus, and
    the control management device is further configured to send the packet processing policy to the second communication apparatus.
  72. The system according to claim 71, wherein
    the second communication apparatus is further configured to process a second packet based on the packet processing policy, where the second packet is a packet matching the feature information of the attack packet.
  73. The system according to any one of claims 68 to 72, wherein the first condition comprises that the proportion of the bandwidth of the first port occupied by the highest-forwarding-priority packets transmitted through the first port is greater than or equal to a first threshold.
  74. The system according to any one of claims 68 to 72, wherein the first condition comprises that the quantity of the highest-forwarding-priority packets transmitted through the first port is greater than or equal to a second threshold.
  75. A communication apparatus, comprising:
    a memory including computer-readable instructions; and
    a processor in communication with the memory, the processor being configured to execute the computer-readable instructions so that the communication apparatus performs the method according to any one of claims 1 to 19.
  76. A communication apparatus, comprising:
    a memory including computer-readable instructions; and
    a processor in communication with the memory, the processor being configured to execute the computer-readable instructions so that the communication apparatus performs the method according to any one of claims 20 to 30.
  77. A communication system, wherein the communication system comprises a first communication apparatus and a control management entity,
    the first communication apparatus being configured to perform the operations performed by the first communication apparatus in the method according to any one of claims 31 to 37; and
    the control management entity being configured to perform the operations performed by the control management entity in the method according to any one of claims 31 to 37.
  78. A computer-readable storage medium comprising computer-readable instructions, wherein, when the computer-readable instructions are run on a computer, the computer is caused to carry out the method according to any one of claims 1 to 37.
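The detection and mitigation chain that claims 57 to 74 describe, as an added Python example that is not part of the patent: one polling round checks the second condition (overall port occupancy), then the first condition (share taken by the highest forwarding class), extracts the claim-55 feature information of the offending flow, and applies a generated drop or rate-limit policy. The port capacity, priority value, thresholds and the dominant-flow heuristic are assumptions, and the sample traffic is constructed.

```python
from collections import Counter, namedtuple

# Constructed packet record: the claim-55 feature fields plus forwarding priority and byte size.
Pkt = namedtuple("Pkt", "src_ip dst_ip src_port dst_port proto prio size")
FEATURE_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto")
HIGHEST_PRIO = 7                # assumed: priority value of the highest forwarding class
PORT_BYTES_PER_POLL = 125_000   # assumed: 1 Mbit/s port observed over one 1 s polling interval

def share(pkts, prio=None):
    """Fraction of the port's interval capacity used by pkts (all of them, or one class)."""
    return sum(p.size for p in pkts if prio is None or p.prio == prio) / PORT_BYTES_PER_POLL

def second_condition(pkts, third_thr=0.8):
    """Claims 46-47: the port as a whole must be busy before the priority check is applied."""
    return share(pkts) >= third_thr

def first_condition(pkts, first_thr=0.5):
    """Claims 66/73: highest-priority traffic alone occupies >= first_thr of the port."""
    return share(pkts, HIGHEST_PRIO) >= first_thr

def attack_features(pkts, min_share=0.9):
    """Analyse the highest-priority packets and return the claim-55 5-tuple of the flow that
    accounts for >= min_share of their bytes. Choosing the dominant flow is an assumed
    heuristic; the claims do not say how the attack packets themselves are recognised."""
    flows = Counter()
    for p in pkts:
        if p.prio == HIGHEST_PRIO:
            flows[tuple(getattr(p, f) for f in FEATURE_FIELDS)] += p.size
    if not flows:
        return None
    key, nbytes = flows.most_common(1)[0]
    return dict(zip(FEATURE_FIELDS, key)) if nbytes / sum(flows.values()) >= min_share else None

def detect(pkts):
    """One polling round (claim 49): feature information to report, or None if no alarm."""
    if second_condition(pkts) and first_condition(pkts):
        return attack_features(pkts)
    return None

def make_policy(features, action="drop", limit_bytes=0):
    """Claims 61-65: a policy is a match on the feature information plus drop or rate-limit."""
    return {"match": features, "action": action, "limit_bytes": limit_bytes}

def apply_policy(policy, pkts):
    """Claim 63: process matching packets per the policy; returns the packets still forwarded."""
    passed, used = [], 0
    for p in pkts:
        if all(getattr(p, f) == v for f, v in policy["match"].items()):
            used += p.size
            if policy["action"] == "drop" or used > policy["limit_bytes"]:
                continue
        passed.append(p)
    return passed

# Constructed sample: one source floods the top class with 1000 small packets beside 10 legitimate ones.
FLOOD = [Pkt("198.51.100.7", "192.0.2.10", 40000, 53, 17, HIGHEST_PRIO, 100) for _ in range(1000)]
LEGIT = [Pkt("192.0.2.20", "192.0.2.30", 5000, 443, 6, 3, 1500) for _ in range(10)]
```

A flood that takes over half the port but leaves the port as a whole below the third threshold (try `detect(FLOOD[:700] + LEGIT)`) raises no alarm, which is the precondition of claim 46 in action.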
PCT/CN2021/116602, priority date 2020-09-15, filing date 2021-09-06: Packet processing method, system, and device, WO2022057647A1 (en)

Applications Claiming Priority (2)

CN202010966693.5, priority date 2020-09-15
CN202010966693.5A (CN114268592A), priority date 2020-09-15, filing date 2020-09-15: Message processing method, system and equipment

Publications (1)

WO2022057647A1 (en), published 2022-03-24

Family

ID=80777560

Family Applications (1)

PCT/CN2021/116602 (WO2022057647A1), priority date 2020-09-15, filing date 2021-09-06: Packet processing method, system, and device

Country Status (2)

CN (1): CN114268592A (en)
WO (1): WO2022057647A1 (en)

Also Published As

CN114268592A (en), published 2022-04-01

Legal Events

NENP: Non-entry into the national phase (ref country code: DE)
122: EP: PCT application non-entry in European phase (ref document number: 21868474; country of ref document: EP; kind code of ref document: A1)