
CN102263664A - Session flow processing method and device - Google Patents


Info

Publication number
CN102263664A
Authority
CN
China
Prior art keywords
session
session flow
network device
address
flow table
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2011102290749A
Other languages
Chinese (zh)
Inventor
陈平平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Star Net Ruijie Networks Co Ltd
Original Assignee
Beijing Star Net Ruijie Networks Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Star Net Ruijie Networks Co Ltd
Priority to CN2011102290749A
Publication of CN102263664A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a session flow processing method and device, which are used to solve the problem in the prior art that the security of information interaction between network devices is reduced. The session flow processing method comprises the steps: a first network device receives a session message sent by a second network device; when the unoccupied capacity of the session flow table of the first network device is not smaller than a set threshold, or the second network device is a management device, a session flow table entry is created for the session flow corresponding to the session message; and when the unoccupied capacity of the session flow table is smaller than the set threshold and the second network device is not a management device, no session flow table entry is created. In the embodiment of the invention, when the unoccupied capacity of the session flow table is smaller than the set threshold, a session flow table entry is still created for a session flow initiated by the management device, so a session flow initiated by the management device can be accepted at any time, and the session configuration information sent by the management device can be received so as to block the session flows of a flood attack; therefore the security of information interaction between the network devices is improved.

Description

Session flow processing method and device
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for processing a session stream.
Background
Information interaction is generally performed between network devices in a network through a session flow, and one session flow comprises a plurality of session messages. When a network device receives a session flow initiated by another network device, a session flow entry corresponding to the session flow needs to be created for the session flow in its own session flow table according to the saved session configuration information, so as to manage the session flow. The session flow entry corresponding to the session flow contains a processing policy for processing the session flow, including information on whether to block the session flow, and other additional processing operation information.
And, usually, a management device performs remote session management on each network device through a network, specifically, the management device sends session configuration information to each network device through the network for storage, where the session configuration information includes type information of a session flow to be blocked, and the session flow to be blocked is an attack session flow that may be initiated by a lawbreaker. Meanwhile, the management device can also monitor the session flow of each network device, automatically identify which session flows of each network device are attack session flows, if the attack session flows are identified, and determine that the type information of the attack session flows needing to be blocked, which is contained in the session configuration information sent to each network device, does not include the identified type information of the attack session flows, add the identified type information of the attack session flows into the session configuration information and send the session configuration information to each network device, and each network device correspondingly updates the stored session configuration information.
If the type information of a session flow initiated by another network device is contained in the stored session configuration information of a certain network device as type information of a session flow needing to be blocked, the processing policy contained in the session flow entry created by that network device for the session flow is to block the session flow.
Fig. 1 is a session flow processing procedure of a network device in the prior art, which specifically includes the following steps:
S101: the first network device receives the session message sent by the second network device.
When the second network device initiates a session flow to the first network device, the second network device sends a plurality of session messages included in the session flow to the first network device in sequence.
S102: the first network device judges whether a session flow table entry corresponding to the identification information of the session flow exists in a session flow table of the first network device according to the identification information of the session flow carried by the session message, if so, the step S104 is performed, otherwise, the step S103 is performed.
Each session packet included in the session stream carries identification information of the session stream, where the identification information of the session stream includes a source Internet Protocol (IP) address, a destination IP address, a Protocol number, a Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) source port number, and a TCP/UDP destination port number.
If the session packet is the first session packet of the session flow, that is, the session request packet of the session flow, at this time, the first network device has not yet created a session flow entry corresponding to the session flow in its own session flow table, and if the session packet is not the first session packet of the session flow, at this time, the first network device must have created a session flow entry corresponding to the session flow in its own session flow table. Therefore, in this step, the first network device determines whether a session flow table entry corresponding to the identification information of the session flow exists in its session flow table, that is, whether the session packet is the first session packet of the session flow.
S103: according to the saved session configuration information, a session flow entry corresponding to the session flow is created in the session flow table of the first network device, and step S104 is executed.
When the first network device determines that the session flow table entry corresponding to the identification information of the session flow does not exist in the session flow table of the first network device, the first network device determines that the session message is the first session message of the session flow, that is, the session request message of the session flow, and creates the session flow table entry corresponding to the session flow in the session flow table of the first network device according to the stored session configuration information.
S104: and processing the session message according to the processing strategy contained in the session flow entry corresponding to the session flow.
When the first network device determines that the session flow table entry corresponding to the identification information of the session flow exists in the session flow table of the first network device, the first network device determines that the session message is not the first session message of the session flow, and processes the session message according to a processing strategy contained in the session flow table entry corresponding to the session flow. Or,
and when the first network device determines that the session message is the first session message of the session flow and creates a session flow entry corresponding to the session flow, processing the session message according to a processing strategy contained in the created session flow entry corresponding to the session flow.
And when the session message is a first session message of the session flow and the processing policy contained in the created session flow entry corresponding to the session flow is to block the session flow, the first network device blocks the session flow initiated by the second network device and releases the created session flow entry corresponding to the session flow.
However, for the network device, the capacity of the session flow table is limited, and when the network device is under a flood attack and each session flow of the flood attack is not blocked, the network device may create a corresponding session flow entry in the session flow table for each session flow of the flood attack, so that the capacity of the session flow table may be quickly occupied by the session flow entry corresponding to the session flow of the flood attack, which causes the network device to block other normal session flows because the network device cannot create session flow entries for other normal session flows.
In the prior art, although the management device configures the type information of the session flow that needs to be blocked in the session configuration information sent to each network device, the type information of the session flow under the flood attack is various, and it is impossible for the management device to foresee all possible attack session flows at one time and configure the type information of all possible attack session flows in the session configuration information. Therefore, during the information interaction process of the network device through the session flow, the type information of the attack session flow which is not considered may always occur.
If an unforeseen flood attack session flow occurs, that is, the type information of the flood attack session flow is not included among the type information of the session flows to be blocked contained in the session configuration information, the flood attack session flow still consumes the entire capacity of the session flow table of the network device. Even if the management device monitors the session flows of the network device, identifies the flood attack, and adds the type information of the flood attack session flow to the session configuration information, the management device sends the session configuration information to the network device by itself initiating a session flow to the network device; since the entire capacity of the session flow table of the network device has already been consumed by the flood attack at this time, the session flow initiated by the management device cannot be accepted. The management device therefore cannot deliver the updated session configuration information to the network device, and the network device cannot block the flood attack session flow.
In summary, based on the session flow processing method in the prior art, the network devices cannot effectively resist the flood attack, so that the security of information interaction between the network devices is reduced.
Disclosure of Invention
Embodiments of the present invention provide a method and an apparatus for processing a session stream, so as to solve the problem that, in the prior art, network devices cannot effectively resist flood attacks, so that security of information interaction between the network devices is reduced.
The embodiment of the invention provides a method for processing a session stream, which comprises the following steps:
a first network device receives a session message sent by a second network device;
the first network device judges whether the unoccupied capacity in its own session flow table is not less than a set threshold value, and judges whether the second network device is a management device according to the identification information of the session flow carried by the received session message;
when the first network device judges that at least one of the following holds, namely that the unoccupied capacity in its own session flow table is not less than the set threshold value or that the second network device is a management device, it creates a session flow table entry corresponding to the session flow in its own session flow table;
and when the first network device judges that the unoccupied capacity in its own session flow table is smaller than the set threshold value and that the second network device is not a management device, it does not create the session flow table entry corresponding to the session flow.
An embodiment of the present invention provides a session stream processing apparatus, including:
a receiving module, used for receiving the session message sent by the second network device;
a first judgment module, used for judging whether the unoccupied capacity in the session flow table of the apparatus is not less than a set threshold value;
a second judgment module, used for judging whether the second network device is a management device according to the identification information of the session stream carried by the received session message;
and a processing module, used for creating a session flow table entry corresponding to the session flow in the session flow table of the apparatus when it is judged that at least one of the following holds, namely that the unoccupied capacity in the session flow table of the apparatus is not less than the set threshold value or that the second network device is a management device, and for not creating the session flow table entry corresponding to the session flow when it is judged that the unoccupied capacity in the session flow table of the apparatus is less than the set threshold value and that the second network device is not a management device.
The network device provided by the embodiment of the invention comprises the session flow processing device.
The embodiment of the invention provides a method and a device for processing a session flow, wherein a first network device receives a session message sent by a second network device; when it judges that the unoccupied capacity in its own session flow table is not less than a set threshold value, or that the second network device is a management device, a session flow table entry is created for the session flow corresponding to the session message; and when it judges that the unoccupied capacity in its own session flow table is less than the set threshold value and that the second network device is not a management device, no session flow table entry is created. In the embodiment of the invention, when the unoccupied capacity in the session flow table is smaller than the set threshold, a session flow table entry is created only for a session flow initiated by the management device and no longer for session flows initiated by other network devices, so that a session flow initiated by the management device can be accepted at any time, and the updated session configuration information sent by the management device can be received in order to block the session flows of the flood attack; therefore the flood attack can be effectively resisted, and the security of information interaction between the network devices is improved.
Drawings
FIG. 1 is a session flow processing procedure of a network device in the prior art;
FIG. 2 is a process of processing a session flow according to an embodiment of the present invention;
FIG. 3 is another process of processing a session flow according to an embodiment of the present invention;
FIG. 4 is a detailed process of session flow processing according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a session flow processing apparatus according to an embodiment of the present invention.
Detailed Description
A flood attack means that an attacker launches a large number of attack session flows so as to consume the session flow table capacity of a network device; other normal session flows are then blocked, which achieves the purpose of the attack. If a flood attack consumed the whole session flow table capacity of a network device, the network device would be unable to create a session flow table entry for a session flow initiated by the management device and would therefore block that session flow. To prevent this, in the embodiment of the invention a threshold value is set in the network device: when the unoccupied capacity in the session flow table, namely the free capacity in the session flow table, is not less than the set threshold, session flow table entries are created for all session flows; when the free capacity in the session flow table is less than the set threshold, session flow table entries are created only for session flows initiated by the management device and not for session flows initiated by other network devices, so that the network device can perform a normal session with the management device at any time.
The following detailed description of embodiments of the invention refers to the accompanying drawings.
Fig. 2 is a process of processing a session flow according to an embodiment of the present invention, which specifically includes the following steps:
S201: the first network device receives the session message sent by the second network device.
S202: the first network device determines whether the unoccupied capacity in its own session flow table is not less than a set threshold, if so, step S204 is performed, otherwise, step S203 is performed.
In the embodiment of the present invention, after receiving a session packet sent by a second network device, a first network device determines whether an unoccupied capacity in its own session flow table is not less than a set threshold, that is, determines whether an idle capacity in its own session flow table is not less than the set threshold, or determines whether there is enough idle capacity in the session flow table, where the set threshold may be set as needed.
S203: the first network device determines whether the second network device is a management device according to the identification information of the session stream carried by the received session packet, if so, step S204 is performed, otherwise, step S205 is performed.
If the free capacity in the session flow table of the first network device is smaller than the set threshold, it indicates that the free capacity in the session flow table is insufficient, and therefore, further according to the identification information of the session flow carried by the session packet, it is determined whether the second network device is a management device, that is, it is determined whether the initiator initiating the session flow is a management device.
S204: the first network device creates a session flow table entry corresponding to the session flow in its own session flow table.
When the first network device judges that the unoccupied capacity in the session flow table of the first network device is not less than the set threshold, it indicates that there is enough free capacity in the session flow table, so that a corresponding session flow table entry is created for the session flow corresponding to the session message. Or,
when the first network device determines that the second network device initiating the session flow is the management device, a corresponding session flow table entry is also created for the session flow, so that the first network device and the management device perform normal session to receive the updated session configuration information sent by the management device, and block the corresponding session flow according to the type information of the session flow to be blocked, which is configured in the session configuration information, so as to achieve the purpose of resisting flood attack.
S205: a session flow entry corresponding to the session flow is not created.
When the first network device judges that the unoccupied capacity in the session flow table of the first network device is smaller than a set threshold value, that is, when the session flow table does not have enough free capacity, and judges that the second network device is not a management device, that is, the initiator initiating the session flow is not a management device, a corresponding session flow table entry is not created for the session flow, and the session message is discarded.
In the above process, the execution sequence of step S202 and step S203 is not sequential, that is, it may be determined whether the second network device is a management device first, and then it is determined whether the unoccupied capacity in the session flow table is not less than the set threshold, as shown in fig. 3.
Fig. 3 is another process of processing a session flow according to an embodiment of the present invention, which specifically includes the following steps:
S301: the first network device receives the session message sent by the second network device.
S302: the first network device determines whether the second network device is a management device according to the identification information of the session flow carried in the session packet, if so, step S304 is performed, otherwise, step S303 is performed.
S303: the first network device determines whether the unoccupied capacity in its own session flow table is not less than a set threshold, if so, step S304 is performed, otherwise, step S305 is performed.
S304: the first network device creates a session flow table entry corresponding to the session flow in its own session flow table.
S305: a session flow entry corresponding to the session flow is not created.
In the processes shown in fig. 2 and fig. 3, the first network device receives a session packet sent by the second network device; when it determines that at least one of the following holds, namely that the unoccupied capacity in its own session flow table is not less than the set threshold or that the second network device is a management device, it creates a session flow table entry for the session flow corresponding to the session packet; and when it determines that the unoccupied capacity in its own session flow table is less than the set threshold and that the second network device is not a management device, it does not create a session flow table entry.
In the embodiment of the invention, when the unoccupied capacity in the session flow table is smaller than the set threshold, only the session flow table entry is created for the session flow initiated by the management device, and the session flow table entry is not created for the session flows initiated by other network devices any more, so that when the unaccounted flood attack session flow occurs, the session flow table of the first network device cannot be fully occupied by the flood attack session flow, and normal session with the management device can still be ensured. Furthermore, after the management device identifies the session flow of the flood attack and adds the type information of the identified session flow to the session configuration information, the updated session configuration information may still be sent to the first network device based on the session with the first network device, and the first network device may block the session flow of the flood attack according to the type information of the session flow to be blocked, which is configured in the updated session configuration information. Therefore, the session flow processing method provided by the embodiment of the invention can effectively resist flood attack and improve the safety of information interaction between network devices.
In the embodiment of the present invention, in order to improve the efficiency of a session, after receiving a session packet sent by the second network device and before judging whether the unoccupied capacity in its own session flow table is not smaller than the set threshold and whether the second network device is a management device, the first network device first determines, according to the identification information of the session flow carried by the received session packet, whether a session flow table entry corresponding to that identification information already exists in its own session flow table. If no such entry exists, the session packet is the first session packet of the session flow, that is, the session request packet of the session flow, and the judgments above are performed. If such an entry exists, the received session packet is not the first session packet of the session flow, and the session packet is processed directly according to the processing policy contained in the session flow table entry corresponding to the session flow.
In the embodiment of the present invention, the method for determining, by a first network device, whether a second network device is a management device according to identification information of a session flow carried in a received session packet specifically includes determining, according to a stored IP address of the management device, whether a source IP address included in identification information of the session flow carried in the session packet is the same as an IP address of the management device, and if so, determining that the second network device is the management device, otherwise, determining that the second network device is not the management device.
In addition, a priority corresponding to the IP address of the management device and a priority corresponding to the IP address of each network device may be set in the first network device, where the priority corresponding to the IP address of the management device is set as a highest priority, and the priority corresponding to the IP address of each network device is lower than the highest priority. At this time, the method for the first network device to determine whether the second network device is the management device may further be that, according to the source IP address included in the identification information of the session stream carried in the received session packet, the priority corresponding to the source IP address is searched, and it is determined whether the priority corresponding to the searched source IP address is the highest priority, when the determination result is yes, the second network device is determined to be the management device, otherwise, the second network device is determined not to be the management device. That is, when the first network device determines that the unoccupied capacity in its own session flow table is not less than the set threshold, a session flow table entry is created for the session flows of all priorities, otherwise, only a session flow table entry is created for the session flow of the highest priority, which is the priority corresponding to the IP address of the management device.
In addition, after the first network device receives the session packet sent by the second network device, when the priority corresponding to the source IP address is not found according to the source IP address included in the identification information of the session stream carried in the session packet, it indicates that the network device corresponding to the source IP address may be a network device newly added in the network, and the priority corresponding to the source IP address may be set to any priority lower than the highest priority. Specifically, the priority corresponding to the source IP address may be set as a default priority, where the default priority is lower than the highest priority.
Of course, corresponding priorities may also be configured on the management device and other network devices in the network, and similarly, the priority configured for the management device is the highest priority, and the priorities configured for the other network devices are all lower than the highest priority. At this time, when a certain network device initiates a session flow to a first network device, the session message of the session flow carries priority information corresponding to the certain network device, and the first network device judges whether the priority is the highest priority according to the priority information carried in the received session message, if so, the certain network device is determined to be a management device, otherwise, the certain network device is determined not to be the management device.
Fig. 4 is a detailed process of session stream processing provided in the embodiment of the present invention, which specifically includes the following steps:
S401: the first network device receives the session message sent by the second network device.
S402: judging, according to the identification information of the session flow carried by the session message, whether a session flow table entry corresponding to the identification information of the session flow exists in its own session flow table; if so, performing step S403, and otherwise performing step S404.
S403: processing the session message according to the processing policy contained in the session flow entry corresponding to the identification information of the session flow.
S404: judging whether the unoccupied capacity in its own session flow table is not less than a set threshold value; if so, performing step S407, and otherwise performing step S405.
S405: searching for the priority corresponding to the source IP address according to the source IP address contained in the identification information of the session flow carried by the session message.
S406: judging whether the found priority is the highest priority; if so, performing step S407, and otherwise performing step S408.
S407: creating a session flow table entry corresponding to the session flow in its own session flow table, and processing the session message according to the processing policy contained in the created session flow table entry.
S408: discarding the session message without creating a session flow table entry corresponding to the session flow.
Fig. 5 shows a session flow processing apparatus provided in an embodiment of the present invention, which specifically includes:
a receiving module 501, configured to receive a session message sent by a second network device;
a first judging module 502, configured to judge whether the unoccupied capacity in the network device's own session flow table is not less than a set threshold;
a second judging module 503, configured to judge whether the second network device is a management device according to the identification information of the session flow carried in the received session message;
a processing module 504, configured to create a session flow table entry corresponding to the session flow in the network device's own session flow table when at least one of the following holds: the unoccupied capacity in the session flow table is judged to be not less than the set threshold, or the second network device is judged to be a management device; and not to create the session flow table entry when the unoccupied capacity in the session flow table is judged to be less than the set threshold and the second network device is judged not to be a management device.
The apparatus further comprises:
a determining module 505, configured to determine, according to the identification information of the session flow carried by the received session message, that no session flow table entry corresponding to that identification information exists in the network device's own session flow table, before the unoccupied capacity in the session flow table is judged against the set threshold and before the second network device is judged to be or not to be a management device.
The second determining module 503 is specifically configured to determine, according to the stored internet protocol IP address of the management device, whether a source IP address included in the identification information of the session stream carried in the session packet is the same as an IP address of the management device, and when the determination result is yes, determine that the second network device is the management device, otherwise, determine that the second network device is not the management device.
The second determining module 503 includes:
a priority storing unit 5031, configured to store a priority corresponding to an internet protocol IP address of the management device and a priority corresponding to an IP address of each network device, where the priority corresponding to the IP address of the management device is a highest priority, and the priority corresponding to the IP address of each network device is lower than the highest priority;
a searching unit 5032, configured to search, according to a source IP address included in identification information of a session flow carried in the session packet, a priority corresponding to the source IP address;
a determining unit 5033, configured to determine whether the priority corresponding to the found source IP address is the highest priority, and to determine that the second network device is a management device if so, and that it is not a management device otherwise.
The searching unit 5032 is further configured to, when the priority corresponding to the source IP address is not found, set the priority corresponding to the source IP address to any priority lower than the highest priority.
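The admission rule of Fig. 4 (steps S401 to S408) and the modules of Fig. 5 describe the same decision: an existing entry is processed by its policy; a new flow gets an entry while the free capacity stays at or above the threshold; below the threshold, only a source whose configured priority is the highest priority (the management device) still gets an entry, and unknown sources are treated as low priority. The following Python is an added example written for this page, not code from the patent or its assignee. The flow identifier (a 5-tuple), the numeric priority scheme (0 for the management device, 255 for unknown sources), the capacity and threshold values, the IP addresses and the `block_flows_from` configuration step are all constructed assumptions. It also adds one caveat the page does not spell out: the threshold is what reserves room for the management device, so a table that is completely full cannot store a management flow either.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Flow identification: (src IP, dst IP, src port, dst port, protocol). Assumption.
FlowId = Tuple[str, str, int, int, str]

HIGHEST_PRIORITY = 0    # assumption: smaller number = higher priority; 0 is the management device
DEFAULT_PRIORITY = 255  # assumption: priority given to an unknown source IP (S405 miss, unit 5032)

ACCEPT = "accept"
DROP = "drop"


@dataclass
class FlowEntry:
    flow_id: FlowId
    policy: str       # processing strategy stored in the entry (S403 / S407)
    packets: int = 0


class SessionFlowTable:
    def __init__(self, capacity: int, threshold: int, mgmt_ips, priorities=None):
        if not 0 < threshold <= capacity:
            raise ValueError("threshold must be between 1 and capacity")
        self.capacity = capacity
        self.threshold = threshold
        self.entries: Dict[FlowId, FlowEntry] = {}
        # Priority storage unit 5031: configured devices get a priority below the
        # highest; every management IP is pinned to the highest priority.
        self.priorities: Dict[str, int] = dict(priorities or {})
        for ip in mgmt_ips:
            self.priorities[ip] = HIGHEST_PRIORITY
        self.created = 0
        self.dropped = 0

    def free_capacity(self) -> int:
        return self.capacity - len(self.entries)

    def priority_of(self, src_ip: str) -> int:
        # Searching unit 5032: a missing IP maps to a priority below the highest.
        return self.priorities.get(src_ip, DEFAULT_PRIORITY)

    def is_management(self, src_ip: str) -> bool:
        # Determining unit 5033: only the highest priority identifies management.
        return self.priority_of(src_ip) == HIGHEST_PRIORITY

    def process(self, flow_id: FlowId, policy: str = ACCEPT) -> str:
        entry = self.entries.get(flow_id)
        if entry is not None:                      # S402 hit -> S403
            entry.packets += 1
            return entry.policy
        # S404: enough free capacity, or S405/S406: management source -> S407
        if self.free_capacity() >= self.threshold or self.is_management(flow_id[0]):
            if self.free_capacity() == 0:
                # Caveat: a physically full table cannot store even a management
                # flow; the threshold is what keeps room for it.
                self.dropped += 1
                return DROP
            self.entries[flow_id] = FlowEntry(flow_id, policy, packets=1)
            self.created += 1
            return policy
        self.dropped += 1                          # S408
        return DROP

    def block_flows_from(self, src_ip: str) -> int:
        # Constructed stand-in for the "updated session configuration" pushed by
        # the management device: switch that source's existing entries to DROP.
        changed = 0
        for e in self.entries.values():
            if e.flow_id[0] == src_ip:
                e.policy = DROP
                changed += 1
        return changed


def flood_demo() -> dict:
    """Constructed scenario: one source floods the table, then management reacts."""
    t = SessionFlowTable(capacity=100, threshold=10,
                         mgmt_ips={"10.0.0.1"}, priorities={"10.0.0.2": 5})
    for port in range(40000, 40095):               # 95 attempted flows, one source
        t.process(("203.0.113.7", "192.0.2.10", port, 80, "tcp"))
    r = {"free_after_flood": t.free_capacity()}    # entries stop at 91, free = 9 < 10
    r["ordinary"] = t.process(("10.0.0.2", "192.0.2.10", 5000, 22, "tcp"))    # refused
    r["management"] = t.process(("10.0.0.1", "192.0.2.10", 5001, 22, "tcp"))  # admitted
    r["blocked"] = t.block_flows_from("203.0.113.7")
    r["flood_packet"] = t.process(("203.0.113.7", "192.0.2.10", 40000, 80, "tcp"))
    r["created"], r["dropped"] = t.created, t.dropped
    return r


if __name__ == "__main__":
    print(flood_demo())
```

In the scenario, the flooding source stops receiving entries once the free capacity drops below the threshold, an ordinary configured device is refused at that point, and the management device is still admitted, which is what lets it push the configuration that turns the flooding source's entries to `DROP`.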
In addition, an embodiment of the present invention further provides a network device, which includes the above-mentioned session stream processing apparatus, and the network device may specifically be a firewall device, a gateway device, a flow control device, and the like in a network.
The embodiment of the invention provides a method and a device for processing a session flow: a first network device receives a session message sent by a second network device; when it judges that the unoccupied capacity in its own session flow table is not less than a set threshold value, or judges that the second network device is a management device, it creates a session flow table entry for the session flow corresponding to the session message; and when it judges that the unoccupied capacity in its own session flow table is less than the set threshold value and that the second network device is not the management device, it does not create the session flow table entry. In the embodiment of the invention, once the unoccupied capacity in the session flow table is smaller than the set threshold, a session flow table entry is created only for a session flow initiated by the management device and no longer for session flows initiated by other network devices, so that a session flow initiated by the management device can be received at any time, and the updated session configuration information sent by the management device can be received to block the session flows of the flood attack. The flood attack can therefore be effectively resisted, and the safety of information interaction between the network devices is improved.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (11)

1. A method for processing a session flow, comprising:
a first network device receives a session message sent by a second network device; and
judges whether the unoccupied capacity in its own session flow table is not less than a set threshold value, and judges whether the second network device is a management device according to the identification information of the session flow carried by the received session message;
when the first network device judges that at least one of the following holds: the unoccupied capacity in its own session flow table is not less than the set threshold value, or the second network device is a management device, it creates a session flow table entry corresponding to the session flow in its own session flow table;
and when the first network device judges that the unoccupied capacity in its own session flow table is smaller than the set threshold value and judges that the second network device is not a management device, it does not create the session flow table entry corresponding to the session flow.
2. The method according to claim 1, wherein, before judging whether the unoccupied capacity in its own session flow table is not less than the set threshold value and before judging whether the second network device is a management device according to the identification information of the session flow carried by the received session message, the method further includes:
and the first network equipment determines that a session flow table entry corresponding to the identification information of the session flow does not exist in a session flow table of the first network equipment according to the identification information of the session flow carried by the session message.
3. The method according to claim 1, wherein judging whether the second network device is a management device according to the identification information of the session flow carried in the received session message specifically includes:
the first network device judges, according to the stored Internet protocol IP address of the management device, whether the source IP address contained in the identification information of the session flow carried by the session message is the same as the IP address of the management device; and
when the judgment result is yes, determines that the second network device is the management device, otherwise determines that the second network device is not the management device.
4. The method of claim 1, wherein the first network device stores a priority corresponding to the Internet protocol IP address of the management device and a priority corresponding to the IP address of each network device, wherein the priority corresponding to the IP address of the management device is the highest priority, and the priority corresponding to the IP address of each network device is lower than the highest priority;
and judging whether the second network device is a management device according to the identification information of the session flow carried by the received session message specifically includes:
the first network device searches for the priority corresponding to the source IP address according to the source IP address contained in the identification information of the session flow carried by the session message; and
judges whether the priority corresponding to the found source IP address is the highest priority; and
when the judgment result is yes, determines that the second network device is the management device, otherwise determines that the second network device is not the management device.
5. The method of claim 4, wherein when the first network device does not find the priority corresponding to the source IP address, the priority corresponding to the source IP address is set to any priority lower than the highest priority.
6. A session flow processing apparatus, comprising:
a receiving module, used for receiving a session message sent by a second network device;
a first judging module, used for judging whether the unoccupied capacity in the apparatus's own session flow table is not less than a set threshold value;
a second judging module, used for judging whether the second network device is a management device according to the identification information of the session flow carried by the received session message;
and a processing module, used for creating a session flow table entry corresponding to the session flow in the apparatus's own session flow table when at least one of the following holds: the unoccupied capacity in the session flow table is judged to be not less than the set threshold value, or the second network device is judged to be a management device; and for not creating the session flow table entry corresponding to the session flow when the unoccupied capacity in the session flow table is judged to be less than the set threshold value and the second network device is judged not to be a management device.
7. The apparatus of claim 6, wherein the apparatus further comprises:
a determining module, used for determining, according to the identification information of the session flow carried by the received session message, that no session flow table entry corresponding to that identification information exists in the apparatus's own session flow table, before the unoccupied capacity in the session flow table is judged against the set threshold value and before the second network device is judged to be or not to be a management device.
8. The apparatus according to claim 6, wherein the second determining module is specifically configured to determine, according to a stored internet protocol IP address of the management device, whether a source IP address included in the identification information of the session flow carried in the session packet is the same as an IP address of the management device, and when a determination result is yes, determine that the second network device is the management device, otherwise determine that the second network device is not the management device.
9. The apparatus of claim 6, wherein the second determination module comprises:
the priority storage unit is used for storing the priority corresponding to the Internet protocol IP address of the management equipment and the priority corresponding to the IP address of each network equipment, wherein the priority corresponding to the IP address of the management equipment is the highest priority, and the priority corresponding to the IP address of each network equipment is lower than the highest priority;
a searching unit, configured to search, according to a source IP address included in identification information of a session flow carried in the session packet, a priority corresponding to the source IP address;
and the judging unit is used for judging whether the priority corresponding to the searched source IP address is the highest priority, and if so, determining that the second network equipment is the management equipment, otherwise, determining that the second network equipment is not the management equipment.
10. The apparatus of claim 9, wherein the lookup unit is further configured to set the priority corresponding to the source IP address to any priority lower than the highest priority when the priority corresponding to the source IP address is not found.
11. A network device comprising a session flow processing apparatus according to any one of claims 6 to 10.
CN2011102290749A 2011-08-11 2011-08-11 Session flow processing method and device Pending CN102263664A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011102290749A CN102263664A (en) 2011-08-11 2011-08-11 Session flow processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2011102290749A CN102263664A (en) 2011-08-11 2011-08-11 Session flow processing method and device

Publications (1)

Publication Number Publication Date
CN102263664A true CN102263664A (en) 2011-11-30

Family

ID=45010133

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011102290749A Pending CN102263664A (en) 2011-08-11 2011-08-11 Session flow processing method and device

Country Status (1)

Country Link
CN (1) CN102263664A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101119324A (en) * 2007-09-21 2008-02-06 杭州华三通信技术有限公司 Network address converting attribute self-adaptive method and apparatus
CN101345755A (en) * 2008-08-29 2009-01-14 中兴通讯股份有限公司 Method and system for preventing address analysis protocol message attack
US20100183033A1 (en) * 2009-01-20 2010-07-22 Nokia Corporation Method and apparatus for encapsulation of scalable media
CN101800707A (en) * 2010-04-22 2010-08-11 华为技术有限公司 Method for establishing stream forwarding list item and data communication equipment

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103220225A (en) * 2012-05-21 2013-07-24 华为技术有限公司 Message processing method, device and system
CN103220225B (en) * 2012-05-21 2015-07-08 华为技术有限公司 Message processing method, device and system
US9385948B2 (en) 2012-05-21 2016-07-05 Huawei Technologies Co., Ltd. Packet processing method, device and system
US9742667B2 (en) 2012-05-21 2017-08-22 Huawei Technologies Co., Ltd. Packet processing method, device and system
CN104871499A (en) * 2012-12-19 2015-08-26 日本电气株式会社 Communication node, control device, method for managing control information entries, and program
CN104871501A (en) * 2012-12-19 2015-08-26 日本电气株式会社 Packet processing device, flow entry arrangement method and program
US9843516B2 (en) 2012-12-19 2017-12-12 Nec Corporation Communication node, control apparatus, method for management of control information entries and program
US9876716B2 (en) 2012-12-19 2018-01-23 Nec Corporation Packet processing apparatus, flow entry configuration method and program
CN104767634A (en) * 2014-01-06 2015-07-08 韩国电子通信研究院 Method and device for managing flow tables
CN104869064A (en) * 2014-02-21 2015-08-26 华为技术有限公司 Flow table updating method and device
CN104869064B (en) * 2014-02-21 2018-03-16 华为技术有限公司 A kind of flow table update method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20111130