
CN109639699B - Network management method and device - Google Patents


Info

Publication number
CN109639699B
CN109639699B
Authority
CN
China
Prior art keywords
packet
network device
characteristic information
communication channel
sent
Prior art date
Legal status (assumed by Google, not a legal conclusion)
Active
Application number
CN201811585178.1A
Other languages
Chinese (zh)
Other versions
CN109639699A (en)
Inventor
陈正
朱建波
王大为
赵梦璧
唐宏
朱永庆
Current Assignee (as listed by Google; may be inaccurate)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201811585178.1A
Publication of CN109639699A
Application granted
Publication of CN109639699B
Legal status: Active
Anticipated expiration

Classifications

    • H04L 63/1408 Network security: detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 41/0213 Standardised network management protocols, e.g. SNMP
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis or correlation between notifications
    • H04L 41/0668 Network fault recovery by dynamic selection of recovery network elements
    • H04L 43/0876 Monitoring network utilisation, e.g. volume of load or congestion level
    • H04L 43/16 Threshold monitoring

Abstract

This application provides a network management method and apparatus that solve the problem of a network device under attack being unable to receive legitimate packets sent by other network devices. The method is as follows: a first network device determines that its first communication channel is under attack and sends a first packet, the first packet carrying a first TLV that contains characteristic information of the attack packets; the first network device receives a second packet from a second network device, the second packet carrying a second TLV that contains characteristic information of a third packet the second network device intends to send; the first network device generates, according to the characteristic information of the third packet, a second communication channel that is distinct from the first communication channel, and receives the third packet through the second communication channel. The embodiments of this application are applied to network management within an autonomous system.

Description

A network management method and apparatus

Technical field

This application relates to the field of communications, and in particular to a network management method and apparatus.

Background

As shown in Figure 1, network device A, network device B and network device C are in the same Interior Gateway Protocol (IGP) domain. Suppose network device A is being attacked with Label Distribution Protocol (LDP) packets from an attack server, while network device C needs to send packets (for example, legitimate LDP packets) to network device A. Because the LDP attack packets sent by the attack server (in huge numbers) congest network device A's punt channel, network device A cannot receive the legitimate LDP packets sent by network device C, and network device C therefore cannot establish an LDP session with network device A.

As shown in Figure 2, a network device's punt channel can currently consist of a normal punt channel and a whitelist punt channel. If two network devices have established an LDP session, their LDP packets go directly into the whitelist channel; if they have not, the LDP packets go into the normal punt channel. To defend against attack packets, as shown in Figure 3, once attack packets enter the normal punt channel and cause it to congest and drop packets, the packets on the normal punt channel can be sampled to identify the characteristics of the attack packets (for example source port, protocol number and similar fields), and a dedicated, bandwidth-limited punt channel is then created for packets that match those characteristics. In this way, when the characteristics of the attack packets are entirely different from those of legitimate packets, legitimate packets enter the normal punt channel while attack packets enter the restricted punt channel, and the attacked network device's reception of legitimate packets is not affected.

However, when the attack uses spoofed packets whose source addresses walk through the address space, the characteristics of the attack packets (source port, protocol number and so on) cover the characteristics of legitimate (that is, non-attack) packets, so the network device cannot single out the attack packets. Because of their huge volume, the attack packets congest the attacked network device's punt channel, and the attacked device can no longer receive legitimate packets from other network devices.

Summary

Embodiments of this application provide a network management method and apparatus that solve the problem of a network device under attack being unable to receive legitimate packets sent by other network devices.

In a first aspect, an embodiment of this application provides a network management method comprising: a first network device determines that a first communication channel of the first network device is under attack, and the first network device sends a first packet, where the first packet includes a first type-length-value (TLV) and the first TLV includes characteristic information of the attack packets; the first network device receives a second packet from a second network device, where the second packet includes a second TLV and the second TLV includes characteristic information of a third packet that the second network device intends to send; and the first network device generates, according to the characteristic information of the third packet, a second communication channel that is distinct from the first communication channel, and receives the third packet through the second communication channel.

With the method provided in this application, the first network device can receive the third packet through the second communication channel. Because the second communication channel is distinct from (that is, independent of) the first communication channel, it is not affected by the attack packets, so the first network device can receive the third packet successfully. This solves the problem that a network device (for example, the first network device) under attack cannot receive legitimate packets sent by other network devices (for example, the second network device).

In one possible implementation, the characteristic information of the attack packets or of the third packet to be sent includes at least one of the following parameters: Ethernet type, protocol type, source port, destination port, source Internet Protocol (IP) address, destination IP address, source Media Access Control (MAC) address, destination MAC address, time to live (TTL), packet length, or priority requirement; and the characteristic information of the third packet to be sent differs from the characteristic information of the attack packets.

In one possible implementation, the characteristic information of the third packet to be sent includes more parameter types than the characteristic information of the attack packets. For example, the characteristic information of the attack packets may be: protocol number = Protocol Independent Multicast (PIM) (103); and the characteristic information of the third packet may be: protocol number = PIM (103), destination IP address = the IP address of the first network device, source IP address = the IP address of the second network device, packet length = 100.

In one possible implementation, the characteristic information of the third packet to be sent and the characteristic information of the attack packets include at least one parameter with a different value. For example, the characteristic information of the attack packets may be: protocol number = PIM (103), source IP address = 1.0.0.0/8; and the characteristic information of the third packet may be: protocol number = PIM (103), source IP address = the source IP address of the second network device (2.0.0.1/32).

In one possible implementation, the first packet or the second packet is a link state protocol data unit (LSP) packet or a link-state advertisement (LSA) packet.

In one possible implementation, the second TLV further includes at least one of a bandwidth requirement or a priority requirement for the second communication channel. Thus, if the third packet to be sent has a high rate requirement, the bandwidth requirement for the second communication channel can be set higher, so that the first network device establishes a second communication channel with more bandwidth according to that requirement and the rate requirement of the third packet is met. If the third packet to be sent has a high priority requirement, the priority of the second communication channel can be set higher, so that once the first network device has established the second communication channel it processes the third packet in that channel preferentially.
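The punt-channel split of Figures 2 and 3 and the TLV exchange of the first aspect, as an added worked example in Python that is not part of the patent (the later aspects restate the same exchange from the peer's and the apparatus's side). The TLV and sub-TLV type codes, the binary layout, the addresses and the channel names are assumptions made for the example; the patent does not specify an encoding. The example first shows why sampling alone fails under source-address traversal (the only stable attack characteristic, protocol 103, also matches the peer's traffic), then encodes the first TLV, has the peer answer with a second TLV that satisfies the distinguishability condition of the two implementations above, and derives the second channel from the decoded characteristics.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

TLV_ATTACK, TLV_INTENDED = 0x81, 0x82   # outer TLV type codes: assumed, not defined by the patent
MATCH_FIELDS = ("protocol", "src", "dst", "length")   # parameters a punt channel matches on

@dataclass(frozen=True)
class Characteristics:
    """Characteristic information of a packet class plus optional second-channel requirements."""
    protocol: Optional[int] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    length: Optional[int] = None
    bandwidth_kbps: Optional[int] = None
    priority: Optional[int] = None

    def matches(self, pkt):
        """pkt is a dict with keys protocol, src, dst, length; unset parameters match anything."""
        return ((self.protocol is None or pkt["protocol"] == self.protocol)
                and (self.src is None or ipaddress.ip_address(pkt["src"]) in self.src)
                and (self.dst is None or ipaddress.ip_address(pkt["dst"]) in self.dst)
                and (self.length is None or pkt["length"] == self.length))

def _pack_net(n): return n.network_address.packed + bytes([n.prefixlen])
def _unpack_net(b): return ipaddress.IPv4Network((b[:4], b[4]))

CODEC = {   # field -> (sub-TLV type, pack, unpack); the sub-TLV type codes are assumed
    "protocol":       (1, lambda v: bytes([v]), lambda b: b[0]),
    "src":            (2, _pack_net, _unpack_net),
    "dst":            (3, _pack_net, _unpack_net),
    "length":         (4, lambda v: struct.pack("!H", v), lambda b: struct.unpack("!H", b)[0]),
    "bandwidth_kbps": (5, lambda v: struct.pack("!I", v), lambda b: struct.unpack("!I", b)[0]),
    "priority":       (6, lambda v: bytes([v]), lambda b: b[0]),
}
BY_TYPE = {t: (f, unpack) for f, (t, _, unpack) in CODEC.items()}

def _tlv(t, payload):
    return struct.pack("!BH", t, len(payload)) + payload

def encode_tlv(tlv_type, ch):
    # Outer TLV whose value is a run of sub-TLVs, one per parameter that is set.
    subs = [_tlv(t, pack(getattr(ch, f))) for f, (t, pack, _) in CODEC.items()
            if getattr(ch, f) is not None]
    return _tlv(tlv_type, b"".join(subs))

def decode_tlv(data):
    """Parses one outer TLV; lengths are checked so a malformed TLV raises instead of misparsing."""
    tlv_type, length = struct.unpack_from("!BH", data, 0)
    if 3 + length != len(data):
        raise ValueError("outer TLV length does not match buffer")
    fields, off = {}, 3
    while off < len(data):
        if len(data) - off < 3:
            raise ValueError("truncated sub-TLV header")
        t, l = struct.unpack_from("!BH", data, off)
        v = data[off + 3:off + 3 + l]
        if len(v) != l:
            raise ValueError("truncated sub-TLV value")
        off += 3 + l
        if t in BY_TYPE:   # unknown sub-TLV types are skipped
            f, unpack = BY_TYPE[t]
            fields[f] = unpack(v)
    return tlv_type, Characteristics(**fields)

def distinguishable(attack, intended):
    """The patent's condition: the intended traffic adds parameter types or differs in a value."""
    a = {f: getattr(attack, f) for f in MATCH_FIELDS if getattr(attack, f) is not None}
    i = {f: getattr(intended, f) for f in MATCH_FIELDS if getattr(intended, f) is not None}
    return bool(set(i) - set(a)) or any(a[f] != i[f] for f in a if f in i)

def classify(channels, pkt):
    """channels: list of (Characteristics, name); the most specific matching entry wins."""
    by_specificity = sorted(channels, reverse=True,
                            key=lambda e: sum(getattr(e[0], f) is not None for f in MATCH_FIELDS))
    return next((name for ch, name in by_specificity if ch.matches(pkt)), "normal")

def demo_channel_split():
    # Constructed traffic (assumed addresses): a PIM (protocol 103) flood whose spoofed sources
    # walk 1.0.0.0/8, and one legitimate PIM packet from peer 2.0.0.1 to the attacked device.
    attack_pkt = {"protocol": 103, "src": "1.2.3.4", "dst": "10.0.0.1", "length": 60}
    legit_pkt = {"protocol": 103, "src": "2.0.0.1", "dst": "10.0.0.1", "length": 100}
    # Prior art: sampling yields only protocol=103, which also covers the legitimate packet.
    attack_sig = Characteristics(protocol=103)
    channels = [(attack_sig, "restricted")]
    before = (classify(channels, attack_pkt), classify(channels, legit_pkt))
    # First TLV (attacked device -> peers) carries the attack characteristics.
    _, seen_attack = decode_tlv(encode_tlv(TLV_ATTACK, attack_sig))
    # Second TLV (peer -> attacked device): what the peer will send, narrowed to be distinguishable.
    intended = Characteristics(protocol=103, src=ipaddress.IPv4Network("2.0.0.1/32"),
                               dst=ipaddress.IPv4Network("10.0.0.1/32"), length=100,
                               bandwidth_kbps=64, priority=7)
    assert distinguishable(seen_attack, intended)
    _, peer_sig = decode_tlv(encode_tlv(TLV_INTENDED, intended))
    # The attacked device generates the second channel from the decoded characteristics.
    channels.append((peer_sig, f"peer-{peer_sig.src.network_address}"))
    after = (classify(channels, attack_pkt), classify(channels, legit_pkt))
    return before, after
```

`demo_channel_split()` returns `(("restricted", "restricted"), ("restricted", "peer-2.0.0.1"))`: before the exchange the legitimate packet shares the restricted channel with the flood; after it, only the flood does. Two caveats a deployment needs that the patent text leaves open: an attacker who spoofs exactly the advertised source, destination and length lands in the second channel too, so the parameter set should include something that is expensive to forge (for a directly connected peer, TTL = 255 in the style of GTSM), and the second channel should itself be rate-limited to the advertised bandwidth requirement. The first TLV also tells every IGP neighbour which signature the attacked device is currently filtering on, so the LSP or LSA that carries it should be authenticated.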

In one possible implementation, the first network device determines that the first communication channel is under attack when it determines that the first communication channel is congested; or when it determines that the number of erroneous packets on the first communication channel reaches a first threshold or the rate of erroneous packets reaches a second threshold; or when it determines that the number of packets with a first characteristic on the first communication channel reaches a third threshold or the rate of packets with the first characteristic reaches the second threshold.
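The attack-state decision above, as an added example in Python that is not from the patent. The threshold values, the one-second window and the notion of an erroneous packet (a punted packet the software processing unit rejected as malformed) are assumptions; the text fixes only the structure of the criteria, including that the erroneous-packet rate and the first-characteristic packet rate are both compared against the second threshold. Timestamps are supplied by the caller so that the decision is deterministic.

```python
from collections import deque

class ChannelMonitor:
    """Tracks one punt channel and applies the three attack-state criteria from the text:
    congestion, erroneous-packet count/rate, and count/rate of packets with a given characteristic."""

    def __init__(self, feature, window_s=1.0, count_thr=(1000, 1000), rate_thr=(500, 500)):
        self.feature = feature                   # predicate: does pkt carry the first characteristic?
        self.window_s = window_s                 # rate = packets in the trailing window / window_s
        self.err_count_thr, self.feat_count_thr = count_thr   # the first and third thresholds
        self.err_rate_thr, self.feat_rate_thr = rate_thr      # the second threshold, for both rates
        self.err_total = self.feat_total = 0
        self.err_times, self.feat_times = deque(), deque()
        self.congested = False

    def observe(self, ts, pkt, error=False):
        """Account one punted packet; error=True for packets the software unit rejected."""
        if error:
            self.err_total += 1
            self.err_times.append(ts)
        elif self.feature(pkt):
            self.feat_total += 1
            self.feat_times.append(ts)
        self._expire(ts)

    def report_congestion(self, congested):
        self.congested = congested   # driven by the channel's drop counter on a real device

    def _expire(self, now):
        for q in (self.err_times, self.feat_times):
            while q and now - q[0] > self.window_s:
                q.popleft()

    def attack_state(self, now):
        """Returns the first criterion that marks the channel as attacked, or None."""
        self._expire(now)
        if self.congested:
            return "congested"
        if self.err_total >= self.err_count_thr:
            return "error-count"
        if len(self.err_times) / self.window_s >= self.err_rate_thr:
            return "error-rate"
        if self.feat_total >= self.feat_count_thr:
            return "feature-count"
        if len(self.feat_times) / self.window_s >= self.feat_rate_thr:
            return "feature-rate"
        return None

def demo_detection():
    """Constructed trace: 50 PIM packets over 10 s (benign), then 600 PIM packets within 0.5 s."""
    mon = ChannelMonitor(feature=lambda p: p["protocol"] == 103, window_s=1.0,
                         count_thr=(1000, 5000), rate_thr=(200, 500))
    quiet = mon.attack_state(0.0)
    for i in range(50):
        mon.observe(i * 0.2, {"protocol": 103})
    benign = mon.attack_state(10.0)
    for i in range(600):
        mon.observe(20.0 + i * 0.5 / 600, {"protocol": 103})
    burst = mon.attack_state(20.5)
    return quiet, benign, burst
```

`demo_detection()` returns `(None, None, "feature-rate")`: the slow trickle never crosses a rate or count threshold, while the burst exceeds 500 packets per second inside the window even though its total stays far below the count threshold, which is why the text keeps both a count and a rate criterion.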

In a second aspect, an embodiment of this application provides a network management method comprising: a second network device receives a first packet, where the first packet includes a first TLV and the first TLV includes characteristic information of the attack packets; the second network device sends a second packet, where the second packet includes a second TLV and the second TLV includes characteristic information of a third packet that the second network device intends to send; and the second network device sends the third packet to the first network device based on the characteristic information of the third packet.

With the method provided in this application, the second network device can send the third packet to the first network device based on the characteristic information of the third packet, that is, through the second communication channel. Because the second communication channel is distinct from (that is, independent of) the first communication channel, it is not affected by the attack packets, so the first network device can receive the third packet successfully. This solves the problem that a network device (for example, the first network device) under attack cannot receive legitimate packets sent by other network devices (for example, the second network device).

In one possible implementation, the characteristic information of the attack packets or of the third packet to be sent includes at least one of the following parameters: Ethernet type, protocol type, source port, destination port, source IP address, destination IP address, source MAC address, destination MAC address, TTL, packet length, or priority requirement; and the characteristic information of the third packet to be sent differs from the characteristic information of the attack packets.

In one possible implementation, the characteristic information of the third packet to be sent includes more parameter types than the characteristic information of the attack packets; or the characteristic information of the third packet to be sent and the characteristic information of the attack packets include at least one parameter with a different value.

In one possible implementation, the first packet or the second packet is an LSP packet or an LSA packet.

In one possible implementation, the second TLV further includes at least one of a bandwidth requirement or a priority requirement for the second communication channel.

In a third aspect, an embodiment of this application provides a first network device comprising: a determining unit, configured to determine that a first communication channel of the first network device is under attack; a sending unit, configured to send a first packet, where the first packet includes a first TLV and the first TLV includes characteristic information of the attack packets; a receiving unit, configured to receive a second packet from a second network device, where the second packet includes a second TLV and the second TLV includes characteristic information of a third packet that the second network device intends to send; and a processing unit, configured to generate, according to the characteristic information of the third packet, a second communication channel that is distinct from the first communication channel, the first network device receiving the third packet through the second communication channel.

In one possible implementation, the characteristic information of the attack packets or of the third packet to be sent includes at least one of the following parameters: Ethernet type, protocol type, source port, destination port, source IP address, destination IP address, source MAC address, destination MAC address, TTL, packet length, or priority requirement; and the characteristic information of the third packet to be sent differs from the characteristic information of the attack packets.

In one possible implementation, the characteristic information of the third packet to be sent includes more parameter types than the characteristic information of the attack packets; or the characteristic information of the third packet to be sent and the characteristic information of the attack packets include at least one parameter with a different value.

In one possible implementation, the determining unit is configured to determine that the first communication channel is under attack when it determines that the first communication channel is congested; or when it determines that the number of erroneous packets on the first communication channel reaches a first threshold or the rate of erroneous packets reaches a second threshold; or when it determines that the number of packets with a first characteristic on the first communication channel reaches a third threshold or the rate of packets with the first characteristic reaches the second threshold.

In a fourth aspect, an embodiment of this application provides a second network device comprising: a receiving unit, configured to receive a first packet, where the first packet includes a first TLV and the first TLV includes characteristic information of the attack packets; and a sending unit, configured to send a second packet, where the second packet includes a second TLV and the second TLV includes characteristic information of a third packet that the second network device intends to send; the sending unit being further configured to send the third packet to the first network device based on the characteristic information of the third packet.

In one possible implementation, the characteristic information of the attack packets or of the third packet to be sent includes at least one of the following parameters: Ethernet type, protocol type, source port, destination port, source IP address, destination IP address, source MAC address, destination MAC address, TTL, packet length, or priority requirement; and the characteristic information of the third packet to be sent differs from the characteristic information of the attack packets.

In one possible implementation, the characteristic information of the third packet to be sent includes more parameter types than the characteristic information of the attack packets; or the characteristic information of the third packet to be sent and the characteristic information of the attack packets include at least one parameter with a different value.

In a fifth aspect, an embodiment of this application provides an apparatus in the form of a chip. The apparatus comprises a processor and a memory, the memory being coupled to the processor and storing the program instructions and data the apparatus needs; the processor executes the program instructions stored in the memory so that the apparatus performs the functions of the first network device in the first aspect or any of its implementations, or of the second network device in the second aspect or any of its implementations.

In a sixth aspect, embodiments of this application provide a first network device and a second network device that can implement the corresponding functions of the method embodiments above. The functions may be implemented in hardware, or in hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions above.

In one possible design, the first network device or the second network device comprises a processor and a communication interface, the processor being configured to support the device in performing the corresponding functions of the method above, and the communication interface supporting communication between the device and other network elements. The first network device or the second network device may further comprise a memory coupled to the processor that stores the program instructions and data the device needs.

In a seventh aspect, an embodiment of this application provides a computer-readable storage medium containing instructions which, when run on a computer, cause the computer to perform any of the methods provided in the first or second aspect.

In an eighth aspect, an embodiment of this application provides a computer program product containing instructions which, when run on a computer, cause the computer to perform any of the methods provided in the first or second aspect.

In a ninth aspect, a system for network management is provided, comprising the first network device of the third aspect and the second network device of the fourth aspect, where:

the first network device is configured to determine that its first communication channel is under attack and to send a first packet, where the first packet includes a first TLV and the first TLV includes characteristic information of the attack packets;

the second network device is configured to receive the first packet;

the second network device is further configured to send a second packet, where the second packet includes a second TLV and the second TLV includes characteristic information of a third packet that the second network device intends to send;

the first network device is further configured to receive the second packet from the second network device;

the first network device is further configured to generate, according to the characteristic information of the third packet, a second communication channel distinct from the first communication channel;

the second network device is further configured to send the third packet to the first network device based on the characteristic information of the third packet;

the first network device is further configured to receive the third packet through the second communication channel.

Brief description of the drawings

Figure 1 is a schematic diagram of an IGP domain in the prior art;

Figure 2 is a schematic diagram of a punt channel in the prior art;

Figure 3 is a schematic diagram of another punt channel in the prior art;

Figure 4 is a schematic diagram of a system architecture to which the network management method of an embodiment of this application applies;

Figure 5 is a schematic diagram of the signalling exchange of a network management method according to an embodiment of this application;

Figure 6 is a schematic structural diagram of a first network device according to an embodiment of this application;

Figure 7 is a schematic structural diagram of another first network device according to an embodiment of this application;

Figure 8 is a schematic structural diagram of a second network device according to an embodiment of this application;

Figure 9 is a schematic structural diagram of another second network device according to an embodiment of this application;

Figure 10 is a schematic diagram of a network management system according to an embodiment of this application.

Detailed Description

For clarity and brevity in the description of the following embodiments, a brief introduction to the related concepts and technologies is given first:

Communication channel: a network device may include a hardware processing unit and a software processing unit. When the network device receives a data packet, the hardware processing unit first parses the packet header to determine whether the packet needs to be sent to the software processing unit of the network device for processing. If not, the data packet can be forwarded directly to other network devices; if so, the data packet is sent to the software processing unit for processing through the communication channel between the hardware processing unit and the software processing unit (also called the upstream channel or transmission channel; collectively referred to below as the communication channel). It should be noted that because the processing capability of the hardware processing unit is far higher than that of the software processing unit, the communication channel is usually rate-limited, so that the software processing unit is not overwhelmed by a large number of data packets and the network device does not become paralyzed.

LSP packet: in the Intermediate System to Intermediate System (ISIS) protocol, when a network device (for example, a router) initializes or when the network structure changes (for example, a link state changes), the network device can send an LSP packet to notify other network devices.

LSA packet: in the Open Shortest Path First (OSPF) protocol, when a network device (for example, a router) initializes or when the network structure changes (for example, a link state changes), the network device can send an LSA packet to notify other network devices.

TLV: a TLV includes a T field, an L field and a V field. The T field indicates the type, the L field indicates the length, and the V field is usually used to hold the content. TLVs can be carried in LSP packets and LSA packets.

LDP: label allocation is controlled and maintained by establishing LDP sessions and sending LDP messages. The protocol can be carried over the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP).

PIM: indicates that the unicast routing table generated by static routes or by any unicast routing protocol (for example, OSPF or ISIS) can be used to provide routes for IP multicast. Multicast routing is independent of the unicast routing protocol used, as long as the corresponding multicast routing entries can be generated through the unicast routing protocol.

An embodiment of the present application provides a network management method, applied in the network management process of an autonomous system (AS). Within the autonomous system, IGP (including the ISIS protocol and the OSPF protocol), LDP, PIM and BGP, among others, may be used.

As shown in FIG. 4, a schematic diagram of a system architecture applicable to the network management method provided by an embodiment of the present application includes a first network device, a second network device and an attack server. The first network device and the second network device may communicate through an IGP protocol. The attack server may attack the communication channel of the first network device using attack packets (for example, LDP packets, PIM packets or BGP packets).

The technical solutions in the embodiments of the present application are described below with reference to the accompanying drawings. In the description of the present application, unless otherwise specified, "at least one" means one or more, and "a plurality" means two or more. In addition, to describe the technical solutions clearly, the embodiments use the words "first", "second" and so on to distinguish identical or similar items with substantially the same function and effect. Those skilled in the art will understand that these words do not limit quantity or execution order, and that items marked "first" and "second" are not necessarily different.

For ease of understanding, the network management method provided by the embodiments of the present application is described in detail below with reference to the accompanying drawings.

As shown in FIG. 5, an embodiment of the present application provides a network management method, including:

501. The first network device determines that a first communication channel of the first network device is in an attacked state.

When the first network device determines that the first communication channel cannot process services normally (send and receive packets), the first network device determines that the first communication channel is in an attacked state.

In one possible design, when the first network device determines that the number of error packets on the first communication channel reaches a first threshold, or that the rate of error packets reaches a second threshold, the first network device determines that the first communication channel is in an attacked state. An error packet satisfies at least one of the following: the password of the packet is wrong, the community field of the Simple Network Management Protocol (SNMP) is wrong, the UDP checksum is wrong, or a necessary packet header is missing.

In one possible design, when the first network device determines that the number of packets with a first characteristic on the first communication channel reaches a third threshold, or that the rate of packets with the first characteristic reaches the second threshold, the first network device determines that the first communication channel is in an attacked state. Packets with the first characteristic may be packets with the same source IP address, packets with the same source port, packets with the same protocol number, and so on.

In one possible design, when the first network device determines that the first communication channel is in a congested state (it detects that the number or rate of all packets on the first communication channel reaches a fifth threshold), or when the first network device determines that the congestion of the first communication channel has lasted for a sixth threshold, the first network device determines that the first communication channel is in an attacked state.

The first to sixth thresholds may be preset by the first network device and may be adjusted as the service changes.
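The three detection designs of step 501 implemented over a stream of packet records, as an added example (not code from the patent); the record layout, the one-second measurement window and the threshold values are assumptions chosen for illustration.

```python
"""Judge whether a device's upstream communication channel is in the attacked state.

Added example, not code from the patent: it applies the three detection designs of
step 501 to a constructed list of packet records. The record layout, the 1-second
measurement window and all threshold values are assumptions chosen for illustration;
a real device presets and tunes them per service, as the text says.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Pkt:
    ts: float                    # arrival time in seconds
    src_ip: str
    src_port: int
    proto: int                   # IP protocol number: 17 = UDP, 6 = TCP, 103 = PIM
    error: Optional[str] = None  # e.g. "bad_udp_checksum", "bad_snmp_community"; None if well-formed


@dataclass(frozen=True)
class Thresholds:
    error_count: int = 50            # first threshold: total error packets
    error_rate: float = 20.0         # second threshold: error packets per second
    feature_count: int = 200         # third threshold: total packets sharing one characteristic
    feature_rate: float = 100.0      # same-characteristic packets per second
    congestion_rate: float = 500.0   # fifth threshold: all packets per second
    congestion_secs: float = 2.0     # sixth threshold: seconds of sustained congestion
    sustained_only: bool = False     # True: congestion counts only once it has lasted congestion_secs


WINDOW = 1.0  # seconds over which rates are measured


def _recent(pkts: List[Pkt], now: float) -> List[Pkt]:
    """Packets admitted in the trailing WINDOW ending at `now`."""
    return [p for p in pkts if now - WINDOW < p.ts <= now]


def congested(pkts: List[Pkt], at: float, th: Thresholds) -> bool:
    """Design 3a: the channel's total rate reached the fifth threshold at time `at`."""
    return len(_recent(pkts, at)) / WINDOW >= th.congestion_rate


def congestion_duration(pkts: List[Pkt], now: float, th: Thresholds) -> float:
    """Design 3b: how long, in WINDOW steps, congestion has persisted up to `now`."""
    secs = 0.0
    while congested(pkts, now - secs, th):
        secs += WINDOW
    return secs


def attacked_reason(pkts: List[Pkt], now: float, th: Thresholds = Thresholds()) -> Optional[str]:
    """Return why the channel is judged attacked at `now`, or None if it is healthy.

    `pkts` is everything the channel has admitted so far: counts are totals,
    rates are computed over the trailing WINDOW seconds.
    """
    recent = _recent(pkts, now)

    # Design 1: error packets (bad password, bad SNMP community, bad UDP checksum, missing header)
    if sum(1 for p in pkts if p.error) >= th.error_count:
        return "error-count"
    if sum(1 for p in recent if p.error) / WINDOW >= th.error_rate:
        return "error-rate"

    # Design 2: packets sharing a first characteristic (same source IP, source port or protocol)
    for attr in ("src_ip", "src_port", "proto"):
        total = Counter(getattr(p, attr) for p in pkts).most_common(1)
        if total and total[0][1] >= th.feature_count:
            return f"same-{attr}-count"
        rate = Counter(getattr(p, attr) for p in recent).most_common(1)
        if rate and rate[0][1] / WINDOW >= th.feature_rate:
            return f"same-{attr}-rate"

    # Design 3: channel congested now, or congested for at least the sixth threshold
    if th.sustained_only:
        if congestion_duration(pkts, now, th) >= th.congestion_secs:
            return "congested-sustained"
    elif congested(pkts, now, th):
        return "congested"
    return None


def demo() -> dict:
    """Constructed traffic (assumed sample data): 120 LDP Hellos in one second from a
    single host, mixed with a trickle of Hellos from distinct neighbours."""
    flood = [Pkt(i / 120, "10.0.0.9", 646, 17) for i in range(120)]
    legit = [Pkt(i / 5, f"192.168.0.{i + 2}", 646, 17) for i in range(5)]
    bad = [Pkt(0.5, "10.0.0.9", 161, 17, error="bad_snmp_community") for _ in range(3)]
    return {"flood": attacked_reason(flood + legit, now=1.0),
            "quiet": attacked_reason(legit + bad, now=1.0)}


if __name__ == "__main__":
    print(demo())
```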

502. The first network device sends a first packet.

In this embodiment, the first network device sending the first packet may also be the first network device flooding the first packet. Alternatively, the first packet may be a first flooding packet.

The first packet may be an LSP packet or an LSA packet. The first packet includes a first TLV, and the first TLV includes characteristic information of the attack packet. By sending the first packet, the first network device can notify the other network devices in the IGP domain of its attacked state. In one possible design, the first TLV may include characteristic information of the first communication channel, and the characteristic information of the first communication channel includes the characteristic information of the attack packet. Optionally, the characteristic information of the first communication channel may further include at least one of a bandwidth requirement or a priority requirement of the first communication channel; these give finer-grained characteristics of the attacked first communication channel.

The characteristic information of the attack packet includes at least one of the following parameters of the attack packet: Ethernet type, protocol type, source port, destination port, source IP address, destination IP address, source MAC address, destination MAC address, TTL, packet length or priority requirement. Optionally, each parameter may be represented by a specific field. For example, the packet length (parameter) of the attack packet may be represented by the total length field of the IP header. Alternatively, each parameter may be represented by a position characteristic (for example, an offset, a length and a value). For example, the packet length (parameter) of the attack packet may be represented by a position characteristic with an offset of 4, a length of 1 and a value of 84.

As an example, the format of the first TLV is shown in Table 1:

Table 1

| Type (1 byte) | Length (1 byte) | Value |
|---|---|---|
| Characteristic information of the attack packet | Length of the SUB_TLV | SUB_TLV |

That is, the Type in the first TLV indicates that the first packet describes the characteristic information of the attack packet, Value is the SUB_TLV, and Length is filled according to the length of Value (that is, Length is the length of the SUB_TLV).

The SUB_TLV includes the specific characteristic information of the attack packet, for example the values of the parameters. Assuming the attack packet is an LDP packet, the format of the SUB_TLV may be as shown in Table 2:

Table 2

| Type (1 byte) | Length (1 byte) | Value |
|---|---|---|
| Ethernet type (ETH_TYPE) | 1 | 0x0800 |
| Protocol type (PROTO) | 1 | 17 |
| Source port (S_PORT) | 1 | 646 |
| Destination port (D_PORT) | 1 | 646 |
| ... | ... | ... |

The parameters included in the SUB_TLV and their values are determined according to the type of the attack packet.

As an example, assuming the first communication channel of the first network device is attacked by LDP packets, the Type of the SUB_TLV may include the Ethernet type (ETH_TYPE), the protocol type (PROTO), the source port (S_PORT), the destination port (D_PORT), and so on. The value of ETH_TYPE may be 0x0800 (0x0800 indicates that the Ethernet type is Internet Protocol version 4, IPv4). The value of PROTO may be 17 (17 indicates that the protocol type is UDP). The values of S_PORT and D_PORT may be 646 (the protocol specifies that the S_PORT and D_PORT of an LDP Hello packet are 646).

As another example, assuming the first network device is attacked by BGP SYN packets, the SUB_TLV may include PROTO and D_PORT. The value of PROTO may be 6 (6 indicates that the protocol type is TCP), and the value of D_PORT may be 179 (the protocol specifies that the D_PORT of a BGP SYN packet is 179).

As another example, assuming the first network device is attacked by PIM packets, the SUB_TLV may include PROTO. The value of PROTO may be 103 (103 indicates that the protocol type is PIM).
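An encoder and a length-checking parser for the first TLV of Tables 1 and 2, as an added example that is not the patent's code; the outer Type code, the SUB_TLV type codes and the real byte widths used (the page's illustrative Table 2 lists a Length of 1 for every entry) are assumptions, while the parameter names and the LDP, BGP SYN and PIM values are those given above.

```python
"""Build and parse the first TLV of step 502: an outer TLV whose Value is a list of
SUB_TLVs carrying the attack packet's characteristic information.

Added example, not code from the patent. The outer Type code, the SUB_TLV type codes
and the real byte widths used here (the patent's illustrative Table 2 lists a Length
of 1 for every entry) are assumptions made for this example; the parameter names and
the LDP, BGP SYN and PIM values are the ones given in the text.
"""
import struct
from ipaddress import IPv4Address
from typing import Dict, Union

ATTACK_FEATURE_TLV = 250   # assumed Type: "characteristic information of the attack packet"

# assumed SUB_TLV type code -> (parameter name, value width in bytes)
SUB_TYPES = {
    1: ("ETH_TYPE", 2),
    2: ("PROTO", 1),
    3: ("S_PORT", 2),
    4: ("D_PORT", 2),
    5: ("S_IP", 4),
    6: ("D_IP", 4),
    7: ("TTL", 1),
}
NAME_TO_TYPE = {name: t for t, (name, _) in SUB_TYPES.items()}

Feature = Dict[str, Union[int, str]]   # parameter name -> value (IPs as dotted strings)


def encode_sub_tlvs(features: Feature) -> bytes:
    """Each SUB_TLV is Type (1) | Length (1) | Value, with big-endian values."""
    out = bytearray()
    for name, value in features.items():
        t = NAME_TO_TYPE[name]
        width = SUB_TYPES[t][1]
        raw = IPv4Address(value).packed if name.endswith("_IP") else int(value).to_bytes(width, "big")
        out += struct.pack("!BB", t, len(raw)) + raw
    return bytes(out)


def encode_first_tlv(features: Feature) -> bytes:
    """Outer TLV per Table 1: Type (1 byte) | Length (1 byte, = len(SUB_TLV)) | SUB_TLV."""
    sub = encode_sub_tlvs(features)
    if len(sub) > 255:
        raise ValueError("SUB_TLV does not fit a 1-byte Length")
    return struct.pack("!BB", ATTACK_FEATURE_TLV, len(sub)) + sub


def parse_first_tlv(buf: bytes) -> Feature:
    """Parse the outer TLV and its SUB_TLVs; every length is checked against the
    bytes actually present, so a truncated or over-long TLV is rejected rather than
    read past its end."""
    if len(buf) < 2:
        raise ValueError("short TLV header")
    t, length = buf[0], buf[1]
    if t != ATTACK_FEATURE_TLV:
        raise ValueError(f"unexpected TLV type {t}")
    if len(buf) != 2 + length:
        raise ValueError("outer Length does not match the bytes present")
    features: Feature = {}
    pos, end = 2, 2 + length
    while pos < end:
        if end - pos < 2:
            raise ValueError("truncated SUB_TLV header")
        st, sl = buf[pos], buf[pos + 1]
        pos += 2
        if pos + sl > end:
            raise ValueError("SUB_TLV value overruns the outer TLV")
        raw = buf[pos:pos + sl]
        pos += sl
        if st not in SUB_TYPES:
            continue   # unknown SUB_TLV type: skip it (forward compatible) instead of failing
        name, width = SUB_TYPES[st]
        if sl != width:
            raise ValueError(f"{name} has length {sl}, expected {width}")
        features[name] = str(IPv4Address(raw)) if name.endswith("_IP") else int.from_bytes(raw, "big")
    return features


# the three attack profiles the text walks through (values from the page)
LDP_HELLO_ATTACK: Feature = {"ETH_TYPE": 0x0800, "PROTO": 17, "S_PORT": 646, "D_PORT": 646}
BGP_SYN_ATTACK: Feature = {"PROTO": 6, "D_PORT": 179}
PIM_ATTACK: Feature = {"PROTO": 103}


if __name__ == "__main__":
    wire = encode_first_tlv(LDP_HELLO_ATTACK)
    print(wire.hex(), parse_first_tlv(wire))
```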

503. The second network device receives the first packet.

In this embodiment, the second network device receiving the first packet may be the second network device receiving the first flooding packet sent by the first network device, or the second network device receiving the first packet flooded by the first network device.

The second network device may determine, according to the first packet, that the first communication channel of the first network device is in an attacked state. From the Type field of the first packet, the second network device learns that the first packet describes the characteristic information of an attack packet, and from the Value field it learns the specific characteristic information of the attack packet. Based on that characteristic information, the second network device can determine that the communication channel attacked by the attack packet is the first communication channel, that is, that the first communication channel of the first network device is in an attacked state.

504. The second network device sends a second packet.

When the second network device needs to send a (legitimate) third packet (for example, a routing protocol packet) to the first network device, the second network device may send a second packet so that the third packet does not enter the attacked first communication channel, where the first network device would fail to receive it. The first network device can then generate, according to the characteristic information of the third packet carried in the second packet, a second communication channel independent of the first communication channel (that is, the channel attacked by the attack packets). In this embodiment, the second network device sending the second packet may also be the second network device flooding the second packet. Alternatively, the second packet may be a second flooding packet.

The second packet may be an LSP packet or an LSA packet. The second packet includes a second TLV, and the second TLV includes the characteristic information of the third packet to be sent by the second network device. In one possible design, the second TLV includes characteristic information of the second communication channel, and the characteristic information of the second communication channel includes the characteristic information of the third packet to be sent by the second network device.

Optionally, the characteristic information of the second communication channel may further include at least one of a bandwidth requirement or a priority requirement of the second communication channel. In this way, if the third packet to be sent has a high rate requirement, the bandwidth requirement of the second communication channel can be set larger, so that the terminal device establishes a second communication channel with larger bandwidth according to that requirement and the rate requirement of the third packet is met. If the third packet to be sent has a high priority requirement, the priority of the second communication channel can be set higher, so that after the terminal device establishes the second communication channel it processes the third packets in that channel first.

The characteristic information of the third packet includes at least one of the following parameters of the third packet: Ethernet type, protocol type, source port, destination port, destination IP address, source IP address, destination MAC address, source MAC address, TTL, packet length or priority requirement. Optionally, each parameter may be represented by a specific field (for example, the packet length (parameter) of the attack packet may be represented by the total length field of the IP header); alternatively, each parameter may be represented by a position characteristic (for example, an offset, a length and a value; the packet length (parameter) of the attack packet may be represented by a position characteristic with an offset of 4, a length of 1 and a value of 84).

As an example, the format of the second TLV is shown in Table 3:

Table 3

| Type (1 byte) | Length (1 byte) | Value |
|---|---|---|
| Characteristic information of the third packet | Length of the SUB_TLV | SUB_TLV |

That is, the Type in the second TLV indicates that the second packet describes the characteristic information of the third packet, Value is the SUB_TLV, and Length is filled according to the length of Value (that is, Length is the length of the SUB_TLV).

The SUB_TLV includes the specific characteristic information of the third packet. Assuming the third packet to be sent by the second network device is an LDP packet, the format of the SUB_TLV may be as shown in Table 4:

Table 4

| Type (1 byte) | Length (1 byte) | Value |
|---|---|---|
| Ethernet type (ETH_TYPE) | 1 | 0x0800 |
| Destination IP address (D_IP) | 1 | 192.168.0.1 |
| Source IP address (S_IP) | 1 | 192.168.0.2 |
| Protocol type (PROTO) | 1 | 17 |
| Destination port (D_PORT) | 1 | 646 |
| Source port (S_PORT) | 1 | 646 |
| Bandwidth requirement (PPS) | 1 | 10 |
| Priority requirement (PRIORITY) | 1 | 6 |
| ... | ... | ... |

The parameters included in the SUB_TLV and their values are determined according to the type of the attack packet.

As an example, assuming the third packet to be sent by the second network device is an LDP packet, the SUB_TLV may include S_IP, D_IP, PROTO, S_PORT, D_PORT, PPS and PRIORITY. S_IP is the source IP address of the third packet, that is, the IP address of the second network device. D_IP is the destination IP address of the third packet, that is, the IP address of the first network device. PPS is the LDP session message rate, set from empirical values. PRIORITY is the priority that the third packet occupies on the upstream channel of the peer (that is, the first network device). For the other parameters, see the description of step 502; it is not repeated here.

As another example, assuming the third packet to be sent by the second network device is a BGP SYN protocol packet, the SUB_TLV may include S_IP, D_IP, PROTO, D_PORT, PPS, PRIORITY and so on. The value of PROTO may be 6 (6 indicates that the protocol type is TCP), and the value of D_PORT may be 179 (the protocol specifies that the D_PORT of a BGP SYN packet is 179). For S_IP, D_IP, PPS, PRIORITY and the other parameters, see the description above.

In one possible implementation, the characteristic information of the third packet to be sent includes more parameter types than the characteristic information of the attack packet. The two may include one or more identical parameter types. For example, the characteristic information of the attack packet may include: protocol number = PIM (103); the characteristic information of the third packet may include: protocol number = PIM (103), destination IP address = IP address of the first network device, source IP address = IP address of the second network device, packet length = 100. The characteristic information of the third packet to be sent may thus carry more parameter types than that of the attack packet.

In this way, because the characteristic information of the third packet to be sent includes more parameter types, the third packet can be constrained at a finer granularity, so that the first network device can process the third packet preferentially.

In one possible implementation, the characteristic information of the third packet to be sent and the characteristic information of the attack packet include at least one parameter with different values. For example, the two may include N identical parameter types, of which M parameter types have different values, where N is an integer greater than or equal to 1 and M is an integer less than or equal to N. For example, assuming N = 2 and M = 1, the characteristic information of the attack packet may include: protocol number = PIM (103), source IP address = 1.0.0.0/8; the characteristic information of the third packet may include: protocol number = PIM (103), source IP address = the source IP address of the second network device (2.0.0.1/32).

In this way, when the parameter types in the characteristic information of the third packet are the same as those in the characteristic information of the attack packet, the third packet and the attack packet can still be distinguished by the differing parameter values, so that the first network device can process the third packet preferentially.

505. The first network device receives the second packet.

In this embodiment, the first network device receiving the second packet may be the first network device receiving the second flooding packet sent by the second network device, or the first network device receiving the second packet flooded by the second network device.

506. The first network device generates a second communication channel according to the characteristic information of the third packet, where the second communication channel is different from the first communication channel.

The first network device may generate, according to the characteristic information of the third packet, a second communication channel independent of the first communication channel (that is, the channel attacked by the attack packets); the second communication channel is not affected by the attack packets.

It can be understood that the second channel may be a whitelist channel. The first network device and the second network device complete a negotiation through the second packet, and the whitelist channel is generated as a result.
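Whitelist-channel generation (step 506) together with the step 504 rule that the third packet's characteristics must be distinguishable from the attack packet's, as an added example that is not the patent's code; the packet dictionaries, the CIDR form of the IP characteristics, the per-second pps budget and the rejection of an indistinguishable whitelist are assumptions, while the PIM values follow the page's own example.

```python
"""Step 506: generate the second (whitelist) communication channel from the peer's
third-packet characteristics and keep it independent of the attacked first channel.

Added example, not code from the patent. The packet dictionaries, the CIDR form of the IP
characteristics, the per-second pps budget and the rule rejecting a whitelist that cannot be
told apart from the attack are assumptions; the PIM values (protocol 103, 1.0.0.0/8 versus
2.0.0.1/32) follow the example in step 504."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

Feature = Dict[str, object]  # parameter name -> value; S_IP/D_IP may be CIDR strings
IP_PARAMS = ("S_IP", "D_IP")


def matches(features: Feature, pkt: Dict[str, object]) -> bool:
    """A packet matches characteristic information when every listed parameter agrees."""
    for name, want in features.items():
        have = pkt.get(name)
        if have is None:
            return False
        if name in IP_PARAMS:
            if ip_address(str(have)) not in ip_network(str(want), strict=False):
                return False
        elif have != want:
            return False
    return True


def distinguishes(third: Feature, attack: Feature) -> bool:
    """True if some parameter of the third packet is absent from the attack description or
    has a value outside the attack's value (the two designs at the end of step 504)."""
    for name, want in third.items():
        if name not in attack:
            return True
        if name in IP_PARAMS:
            if not ip_network(str(want), strict=False).subnet_of(ip_network(str(attack[name]), strict=False)):
                return True
        elif want != attack[name]:
            return True
    return False


@dataclass
class Channel:
    name: str
    features: Feature
    pps_limit: int  # packets per second the channel may hand to the software unit
    priority: int = 0
    admitted: int = 0
    dropped: int = 0

    def admit(self) -> bool:
        if self.admitted < self.pps_limit:
            self.admitted += 1
            return True
        self.dropped += 1
        return False


@dataclass
class FirstDevice:
    attack: Optional[Feature] = None
    first: Optional[Channel] = None
    whitelists: List[Channel] = field(default_factory=list)

    def on_attack_detected(self, attack: Feature, pps_limit: int = 1000) -> None:
        """Steps 501/502: the attacked first channel keeps carrying traffic matching the attack."""
        self.attack = attack
        self.first = Channel("first", attack, pps_limit)

    def on_second_packet(self, third: Feature, pps: int, priority: int) -> Channel:
        """Step 506: build the whitelist channel announced in the second packet's SUB_TLV."""
        if self.attack is not None and not distinguishes(third, self.attack):
            raise ValueError("third-packet characteristics would also admit the attack packets")
        ch = Channel(f"whitelist-{len(self.whitelists) + 1}", third, pps, priority)
        self.whitelists.append(ch)
        self.whitelists.sort(key=lambda c: c.priority, reverse=True)
        return ch

    def dispatch(self, pkt: Dict[str, object]) -> str:
        """Hardware-unit decision for one packet: whitelist channels (highest priority first),
        then the attacked channel; anything else is forwarded and never reaches the software unit."""
        for ch in self.whitelists:
            if matches(ch.features, pkt):
                return ch.name if ch.admit() else f"{ch.name}:dropped"
        if self.first is not None and matches(self.first.features, pkt):
            return "first" if self.first.admit() else "first:dropped"
        return "forwarded"


def demo() -> Dict[str, int]:
    """One constructed second of traffic: a PIM flood from 1.0.0.0/8 plus 10 legitimate PIM packets."""
    dev = FirstDevice()
    dev.on_attack_detected({"PROTO": 103, "S_IP": "1.0.0.0/8"})
    dev.on_second_packet({"PROTO": 103, "S_IP": "2.0.0.1/32", "D_IP": "192.168.0.1"}, pps=10, priority=6)
    flood = [{"PROTO": 103, "S_IP": f"1.0.{i // 256}.{i % 256}", "D_IP": "192.168.0.1"} for i in range(1500)]
    legit = [{"PROTO": 103, "S_IP": "2.0.0.1", "D_IP": "192.168.0.1"}] * 10
    decisions = [dev.dispatch(p) for p in flood + legit]
    return {"first": dev.first.admitted, "first_dropped": dev.first.dropped,
            "whitelist": dev.whitelists[0].admitted, "whitelist_dropped": dev.whitelists[0].dropped}
```

The flood is confined to the rate-limited first channel while the ten legitimate PIM packets all reach the software unit through the whitelist channel.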

507. The second network device sends the third packet to the first network device based on the characteristic information of the third packet.

The third packet may be any protocol packet applicable to the autonomous system, for example an LDP packet, a PIM packet or a BGP packet.

508. The first network device receives the third packet through the second communication channel.

Because the second communication channel is independent of the first communication channel and is not affected by the attack packets, the first network device can receive the third packet sent by the second network device normally and process it accordingly.

It should be noted that there is no necessary execution order among steps 501 to 508, and this embodiment does not specifically limit the order in which the steps are performed.

In this embodiment, when the first network device determines that its first communication channel is in an attacked state, it can notify the other network devices in the IGP domain of its attacked state by sending the first packet. If the second network device needs to send a (legitimate) third packet to the first network device, it can notify the first network device of the characteristic information of the third packet by sending the second packet, so that the first network device generates, according to that characteristic information, a second communication channel independent of the first communication channel. Because the second communication channel is independent of the first communication channel and is not affected by the attack packets, the first network device can receive the third packet through the second communication channel. This solves the problem that a network device (for example, the first network device) under attack cannot receive legitimate packets (third packets) sent by other network devices (for example, the second network device).

The foregoing mainly describes the solutions provided by the embodiments of the present application from the perspectives of the first network device and the second network device. It can be understood that, to implement the above functions, the first network device and the second network device include corresponding hardware structures and/or software modules for performing each function. Those skilled in the art will readily appreciate that the algorithm steps described in connection with the embodiments disclosed herein can be implemented in hardware or in a combination of hardware and computer software. Whether a function is performed by hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. Skilled artisans may implement the described functions in different ways for each particular application, and such implementations should not be considered to be beyond the scope of the present application.

In the embodiments of the present application, the first network device and the second network device may be divided into functional modules according to the above method examples; for example, each functional module may correspond to one function, or two or more functions may be integrated into one processing module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. It should be noted that the division of modules in the embodiments of the present application is illustrative and is only a division by logical function; other divisions are possible in actual implementation.

Where each functional module corresponds to one function, FIG. 6 shows a possible schematic structure of the first network device 6 involved in the above embodiment. The first network device includes: a determining unit 601, a sending unit 602, a receiving unit 603 and a processing unit 604. In this embodiment, the determining unit 601 may be configured to determine (whether) the first communication channel of the first network device is in an attacked state. The sending unit 602 is configured to send a first packet, where the first packet includes a first TLV and the first TLV includes characteristic information of the attack packet. The receiving unit 603 may be configured to receive a second packet from the second network device, where the second packet includes a second TLV and the second TLV includes characteristic information of a third packet to be sent by the second network device. The processing unit 604 may be configured to generate a second communication channel according to the characteristic information of the third packet, where the second communication channel is different from the first communication channel, and the first network device receives the third packet through the second communication channel.

The first network device in FIG. 6 may be the first network device in FIG. 4 and FIG. 5, and may implement the functions of the first network device in FIG. 5. The determining unit 601 may be configured to support the first network device in performing process 501 in FIG. 5. The sending unit 602 is configured to support the first network device in performing process 502 in FIG. 5. The receiving unit 603 may be configured to support the first network device in performing processes 505 and 508 in FIG. 5. The processing unit 604 may be configured to support the first network device in performing process 506 in FIG. 5.

Referring to FIG. 7, an embodiment of the present application provides a first network device 700.

The first network device 700 includes a processor 702, a transceiver 703, a memory 701 and a bus 704. The processor 702, the transceiver 703 and the memory 701 are connected to each other through the bus 704.

The processor 702 may be a central processing unit (CPU), a microprocessing unit, a general-purpose processing unit, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof.

The memory 701 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, or a random access memory (RAM) or another type of dynamic storage device that can store information and instructions. It may also be an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these.

The transceiver 703 may be a transceiver circuit, a communication interface or the like.

The bus 704 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of presentation, only one thick line is drawn in FIG. 7, but this does not mean that there is only one bus or only one type of bus.

The first network device 700 may implement the functions of the first network device in the embodiment shown in FIG. 5. The processor 702 and the transceiver 703 may perform the corresponding functions of the first network device in the method examples above. The transceiver 703 is configured to support the first network device 700 in performing processes 502, 505 and 508 in FIG. 5. The processor 702 is configured to support the first network device 700 in performing processes 501 and 506 in FIG. 5, and/or other processes performed by the first network device in the techniques described herein. The memory 701 is configured to store the program code and data of the first network device 700. For the specific execution process, refer to the detailed description of the corresponding steps in the embodiment shown in FIG. 5; it is not repeated here.

Where a functional module is defined for each function, FIG. 8 shows a possible schematic structure of the second network device 8 involved in the embodiments above. The second network device includes a receiving unit 801 and a sending unit 802. In the embodiments of the present application, the receiving unit 801 is configured to receive a first packet, where the first packet includes a first TLV and the first TLV includes characteristic information of the attack packet. The sending unit 802 is configured to send a second packet, where the second packet includes a second TLV and the second TLV includes characteristic information of a third packet to be sent by the second network device. The sending unit 802 is further configured to send the third packet to the first network device based on the characteristic information of the third packet.

The second network device in FIG. 8 may be the second network device in FIG. 4 and FIG. 5, and may implement the functions of the second network device in FIG. 5. The receiving unit 801 may be configured to support the second network device in performing process 503 in FIG. 5. The sending unit 802 may be configured to support the second network device in performing processes 504 and 507 in FIG. 5.

In a possible design, the second network device may be implemented by the structure (apparatus or system) in FIG. 9.

Referring to FIG. 9, an embodiment of the present application provides a second network device 900. The second network device 900 includes a processor 902, a transceiver 903, a memory 901 and a bus 904. The processor 902, the transceiver 903 and the memory 901 are connected to each other through the bus 904.

The processor 902 may be a CPU, a microprocessing unit, a general-purpose processing unit, a DSP, an ASIC, an FPGA or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof.

The memory 901 may be a ROM or another type of static storage device that can store static information and instructions, or a RAM or another type of dynamic storage device that can store information and instructions. It may also be an EEPROM, a CD-ROM or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these.

The transceiver 903 may be a transceiver circuit, a communication interface or the like.

The bus 904 may be a PCI bus, an EISA bus or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of presentation, only one thick line is drawn in FIG. 9, but this does not mean that there is only one bus or only one type of bus.

The second network device 900 may implement the functions of the second network device in the embodiment shown in FIG. 5. The processor 902 and the transceiver 903 may perform the corresponding functions of the second network device in the method examples above. The transceiver 903 is configured to support the second network device 900 in performing processes 503, 504 and 507 in FIG. 5. The processor 902 is configured to support the second network device 900 in performing the other processes performed by the second network device in the techniques described herein. The memory 901 is configured to store the program code and data of the second network device 900. For the specific execution process, refer to the detailed description of the corresponding steps in the embodiment shown in FIG. 5; it is not repeated here.

An embodiment of the present application further provides a computer-readable storage medium including instructions which, when run on a computer, cause the computer to perform the network management method described above.

An embodiment of the present application further provides a computer program product containing instructions which, when run on a computer, cause the computer to perform the network management method described above.

An embodiment of the present application further provides an apparatus in the product form of a chip. The apparatus includes a processor, a memory and a transceiver component, where the transceiver component includes an input/output circuit, the memory is configured to store computer-executable instructions, and the processor implements the network management method described above by executing the computer-executable instructions stored in the memory. In this case, the entity performing the method provided by the embodiments of the present application may be the chip.

Referring to FIG. 10, an embodiment of the present application provides a network management system 1000 suitable for the network management method, where the system 1000 is configured to implement the network management method in the method embodiments above. The system 1000 includes a first network device 1001 and a second network device 1002.

The first network device 1001 and the second network device 1002 may respectively implement the functions of the first network device and the second network device in the embodiment shown in FIG. 5. For example, the first network device 1001 is configured to perform processes 501, 502, 505, 506 and 508 in FIG. 5, and/or the other processes performed by the first network device in the techniques described herein. The second network device 1002 is configured to perform processes 503, 504 and 507 in FIG. 5, and/or the other processes performed by the second network device in the techniques described herein.

Those skilled in the art should appreciate that, in one or more of the examples above, the functions described in this application may be implemented in hardware, software, firmware or any combination thereof. When implemented in software, these functions may be stored on a computer-readable medium or transmitted as one or more instructions or pieces of code on a computer-readable medium. Computer-readable media include computer storage media and communication media, where communication media include any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.

The specific embodiments described above further explain the objectives, technical solutions and beneficial effects of the present application in detail. It should be understood that the foregoing are only specific embodiments of the present application and are not intended to limit its scope of protection; any modification, equivalent replacement, improvement or the like made on the basis of the technical solutions of the present application shall fall within the scope of protection of the present application.

Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the embodiments of the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.

The embodiments of the present application are described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processing unit of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processing unit of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, and the instruction means implement the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.

Obviously, those skilled in the art can make various changes and modifications to the embodiments of the present application without departing from the spirit and scope of the present application. Thus, if these modifications and variations of the embodiments of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to cover these changes and modifications as well.

Claims (17)

1.一种网络管理方法,其特征在于,包括:1. a network management method, is characterized in that, comprises: 第一网络设备确定所述第一网络设备的第一通信通道处于被攻击状态;The first network device determines that the first communication channel of the first network device is in an attacked state; 所述第一网络设备发送第一报文,所述第一报文包括第一类型长度值TLV,所述第一TLV包括攻击报文的特征信息;The first network device sends a first packet, where the first packet includes a first type length value TLV, and the first TLV includes feature information of the attack packet; 所述第一网络设备从第二网络设备接收第二报文,所述第二报文包括第二TLV,所述第二TLV包括所述第二网络设备待发送的第三报文的特征信息,所述待发送的第三报文的特征信息与所述攻击报文的特征信息不同;The first network device receives a second packet from the second network device, the second packet includes a second TLV, and the second TLV includes feature information of a third packet to be sent by the second network device , the characteristic information of the third packet to be sent is different from the characteristic information of the attack packet; 所述第一网络设备根据所述第三报文的特征信息生成第二通信通道,所述第二通信通道与所述第一通信通道不同,所述第一网络设备通过所述第二通信通道接收所述第三报文。The first network device generates a second communication channel according to the feature information of the third packet, the second communication channel is different from the first communication channel, and the first network device passes the second communication channel receiving the third message. 2.根据权利要求1所述的网络管理方法,其特征在于,2. 
The network management method according to claim 1, wherein, 所述攻击报文的特征信息或所述待发送的第三报文的特征信息包括以下至少一种参数类型:The characteristic information of the attack packet or the characteristic information of the third packet to be sent includes at least one of the following parameter types: 以太类型、协议类型、源端口、目的端口、源网际协议IP地址、目的IP地址、源媒体接入控制MAC地址、目的MAC地址、生存时间TTL、报文长度或优先级要求;Ethernet type, protocol type, source port, destination port, source IP address, destination IP address, source media access control MAC address, destination MAC address, time-to-live TTL, packet length or priority requirements; 所述待发送的第三报文的特征信息与所述攻击报文的特征信息不同包括所述待发送的第三报文的特征信息包括的参数类型与所述攻击报文的特征信息包括的参数类型不同,或者所述待发送的第三报文的特征信息包括的参数取值与所述攻击报文的特征信息包括的参数取值不同。The characteristic information of the third packet to be sent is different from the characteristic information of the attack packet, including the parameter type included in the characteristic information of the third packet to be sent and the characteristic information of the attack packet. The parameter types are different, or the value of the parameter included in the feature information of the third packet to be sent is different from the value of the parameter included in the feature information of the attack packet. 3.根据权利要求2所述的网络管理方法,其特征在于,3. The network management method according to claim 2, wherein, 所述待发送的第三报文的特征信息包括的参数的类型多于所述攻击报文的特征信息包括的参数的类型;或者The characteristic information of the third packet to be sent includes more types of parameters than the characteristic information of the attack packet includes; or 所述待发送的第三报文的特征信息与所述攻击报文的特征信息包括至少一个不同取值的参数。The characteristic information of the third packet to be sent and the characteristic information of the attack packet include at least one parameter with different values. 4.根据权利要求1-3任一项所述的网络管理方法,其特征在于,所述第一网络设备确定所述第一网络设备的第一通信通道处于被攻击状态包括:4. 
The network management method according to any one of claims 1-3, wherein determining, by the first network device, that the first communication channel of the first network device is in an attacked state comprises: 当所述第一网络设备确定所述第一通信通道处于拥塞状态时,所述第一网络设备确定所述第一通信通道处于被攻击状态;或者When the first network device determines that the first communication channel is in a congested state, the first network device determines that the first communication channel is in an attacked state; or 当所述第一网络设备确定所述第一通信通道的错误报文的数量达到第一阈值或者所述错误报文的速率达到第二阈值时,所述第一网络设备确定所述第一通信通道处于被攻击状态;或者When the first network device determines that the number of error packets of the first communication channel reaches a first threshold or the rate of the error packets reaches a second threshold, the first network device determines that the first communication channel The channel is under attack; or 当所述第一网络设备确定所述第一通信通道的第一特征的报文的数量达到第三阈值或者所述第一特征的报文的速率达到第二阈值时,所述第一网络设备确定所述第一通信通道处于被攻击状态。When the first network device determines that the number of packets of the first characteristic of the first communication channel reaches a third threshold or that the rate of packets of the first characteristic reaches a second threshold, the first network device It is determined that the first communication channel is in an attacked state. 5.一种网络管理方法,其特征在于,包括:5. 
A network management method, characterized in that, comprising: 第二网络设备接收第一报文,所述第一报文包括第一类型长度值TLV,所述第一TLV包括攻击报文的特征信息;The second network device receives the first packet, the first packet includes a first type length value TLV, and the first TLV includes feature information of the attack packet; 所述第二网络设备发送第二报文,所述第二报文包括第二TLV,所述第二TLV包括所述第二网络设备待发送的第三报文的特征信息,所述第二TLV用于触发第一网络设备根据所述待发送的第三报文的特征信息生成第二通信通道,所述第二通信通道与处于被攻击状态的第一通信通道不同;所述待发送的第三报文的特征信息与所述攻击报文的特征信息不同;The second network device sends a second packet, the second packet includes a second TLV, the second TLV includes feature information of a third packet to be sent by the second network device, the second The TLV is used to trigger the first network device to generate a second communication channel according to the feature information of the third packet to be sent, where the second communication channel is different from the first communication channel in the attacked state; the to-be-sent The characteristic information of the third packet is different from the characteristic information of the attack packet; 所述第二网络设备基于所述第三报文的特征信息向第一网络设备发送所述第三报文。The second network device sends the third packet to the first network device based on the feature information of the third packet. 6.根据权利要求5所述的网络管理方法,其特征在于,6. 
The network management method according to claim 5, wherein, 所述攻击报文的特征信息或所述待发送的第三报文的特征信息包括以下至少一种参数类型:The characteristic information of the attack packet or the characteristic information of the third packet to be sent includes at least one of the following parameter types: 以太类型、协议类型、源端口、目的端口、源网际协议IP地址、目的IP地址、源媒体接入控制MAC地址、目的MAC地址、生存时间TTL、报文长度或优先级要求;所述待发送的第三报文的特征信息与所述攻击报文的特征信息不同包括所述待发送的第三报文的特征信息包括的参数类型与所述攻击报文的特征信息包括的参数类型不同,或者所述待发送的第三报文的特征信息包括的参数取值与所述攻击报文的特征信息包括的参数取值不同。Ethernet type, protocol type, source port, destination port, source IP address, destination IP address, source media access control MAC address, destination MAC address, time-to-live TTL, packet length or priority requirements; the to-be-sent The characteristic information of the third packet is different from the characteristic information of the attack packet, including that the parameter type included in the characteristic information of the third packet to be sent is different from the parameter type included in the characteristic information of the attack packet, Or the value of the parameter included in the feature information of the third packet to be sent is different from the value of the parameter included in the feature information of the attack packet. 7.根据权利要求6所述的网络管理方法,其特征在于,7. The network management method according to claim 6, wherein, 所述待发送的第三报文的特征信息包括的参数的类型多于所述攻击报文的特征信息包括的参数的类型;或者The characteristic information of the third packet to be sent includes more types of parameters than the characteristic information of the attack packet includes; or 所述待发送的第三报文的特征信息与所述攻击报文的特征信息包括至少一个不同取值的参数。The characteristic information of the third packet to be sent and the characteristic information of the attack packet include at least one parameter with different values. 8.一种第一网络设备,其特征在于,包括:8. 
A first network device, comprising: 确定单元,用于确定所述第一网络设备的第一通信通道处于被攻击状态;a determining unit, configured to determine that the first communication channel of the first network device is in an attacked state; 发送单元,用于发送第一报文,所述第一报文包括第一类型长度值TLV,所述第一TLV包括攻击报文的特征信息;a sending unit, configured to send a first packet, where the first packet includes a first type length value TLV, and the first TLV includes feature information of the attack packet; 接收单元,用于从第二网络设备接收第二报文,所述第二报文包括第二TLV,所述第二TLV包括所述第二网络设备待发送的第三报文的特征信息,所述待发送的第三报文的特征信息与所述攻击报文的特征信息不同;a receiving unit, configured to receive a second packet from a second network device, where the second packet includes a second TLV, and the second TLV includes feature information of a third packet to be sent by the second network device, The characteristic information of the third packet to be sent is different from the characteristic information of the attack packet; 处理单元,用于根据所述第三报文的特征信息生成第二通信通道,所述第二通信通道与所述第一通信通道不同,所述第一网络设备通过所述第二通信通道接收所述第三报文。a processing unit, configured to generate a second communication channel according to the characteristic information of the third packet, the second communication channel is different from the first communication channel, and the first network device receives the second communication channel through the second communication channel the third message. 9.根据权利要求8所述的第一网络设备,其特征在于,9. 
The first network device according to claim 8, wherein, 所述攻击报文的特征信息或所述待发送的第三报文的特征信息包括以下至少一种参数类型:The characteristic information of the attack packet or the characteristic information of the third packet to be sent includes at least one of the following parameter types: 以太类型、协议类型、源端口、目的端口、源网际协议IP地址、目的IP地址、源MAC地址、目的MAC地址、生存时间TTL、报文长度或优先级要求;所述待发送的第三报文的特征信息与所述攻击报文的特征信息不同包括所述待发送的第三报文的特征信息包括的参数类型与所述攻击报文的特征信息包括的参数类型不同,或者所述待发送的第三报文的特征信息包括的参数取值与所述攻击报文的特征信息包括的参数取值不同。Ether type, protocol type, source port, destination port, source Internet Protocol IP address, destination IP address, source MAC address, destination MAC address, time-to-live TTL, packet length or priority requirements; the third packet to be sent The characteristic information of the message is different from the characteristic information of the attack packet, including the parameter type included in the characteristic information of the third packet to be sent and the parameter type included in the characteristic information of the attack packet, or the parameter type included in the characteristic information of the third packet to be sent. The parameter values included in the characteristic information of the sent third packet are different from the parameter values included in the characteristic information of the attack packet. 10.根据权利要求9所述的第一网络设备,其特征在于,10. The first network device according to claim 9, wherein, 所述待发送的第三报文的特征信息包括的参数的类型多于所述攻击报文的特征信息包括的参数的类型;或者The characteristic information of the third packet to be sent includes more types of parameters than the characteristic information of the attack packet includes; or 所述待发送的第三报文的特征信息与所述攻击报文的特征信息包括至少一个不同取值的参数。The characteristic information of the third packet to be sent and the characteristic information of the attack packet include at least one parameter with different values. 11.根据权利要求8-10任一项所述的第一网络设备,其特征在于,所述确定单元用于:11. 
The first network device according to any one of claims 8-10, wherein the determining unit is configured to: when it is determined that the first communication channel is in a congested state, determine that the first communication channel is in an attacked state; or when it is determined that the number of error packets of the first communication channel reaches a first threshold or the rate of the error packets reaches a second threshold, determine that the first communication channel is in an attacked state; or when it is determined that the number of packets of the first characteristic of the first communication channel reaches a third threshold or the rate of packets of the first characteristic reaches the second threshold, determine that the first communication channel is in an attacked state.
12. A second network device, comprising: a receiving unit, configured to receive a first packet, where the first packet includes a first type length value (TLV), and the first TLV includes characteristic information of an attack packet; a sending unit, configured to send a second packet, where the second packet includes a second TLV, the second TLV includes characteristic information of a third packet to be sent by the second network device, and the second TLV is used to trigger the first network device to generate a second communication channel according to the characteristic information of the third packet to be sent, where the second communication channel is different from the first communication channel that is in the attacked state, and the characteristic information of the third packet to be sent is different from the characteristic information of the attack packet; and the sending unit is further configured to send the third packet to the first network device based on the characteristic information of the third packet.
13. The second network device according to claim 12, wherein the characteristic information of the attack packet or the characteristic information of the third packet to be sent includes at least one of the following parameter types: Ethernet type, protocol type, source port, destination port, source Internet Protocol (IP) address, destination IP address, source MAC address, destination MAC address, time to live (TTL), packet length, or priority requirement; and the characteristic information of the third packet to be sent being different from the characteristic information of the attack packet includes: the parameter types included in the characteristic information of the third packet to be sent are different from the parameter types included in the characteristic information of the attack packet, or the parameter values included in the characteristic information of the third packet to be sent are different from the parameter values included in the characteristic information of the attack packet.
14. The second network device according to claim 13, wherein the characteristic information of the third packet to be sent includes more parameter types than the characteristic information of the attack packet; or the characteristic information of the third packet to be sent and the characteristic information of the attack packet include at least one parameter with different values.
15. A computer-readable storage medium, comprising instructions, wherein, when the instructions are executed on a computer, the instructions cause the computer to execute the network management method according to any one of claims 1 to 4.
16. A computer-readable storage medium, comprising instructions, wherein, when the instructions are executed on a computer, the instructions cause the computer to execute the network management method according to any one of claims 5 to 7.
17. A network management system, wherein the system comprises the first network device according to any one of claims 8 to 11 and the second network device according to any one of claims 12 to 14.
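The following is an added example, not code from the patent or from Huawei, that models the attacked-state test of claim 11 and the TLV exchange of claims 12-14: the characteristic information is carried as a nested TLV, and the second device's pending-packet features are checked to differ from the attack-packet features either by parameter type or by parameter value. The parameter-type codes, the TLV type numbers, the 32-bit encoding of numeric fields, and the thresholds are constructed for illustration; the patent does not specify a wire format.

```python
import struct
from ipaddress import IPv4Address

# Hypothetical parameter-type codes for the characteristic fields listed in claim 13.
FIELD_CODES = {"ether_type": 1, "protocol": 2, "src_port": 3, "dst_port": 4,
               "src_ip": 5, "dst_ip": 6, "src_mac": 7, "dst_mac": 8,
               "ttl": 9, "pkt_len": 10, "priority": 11}
CODE_FIELDS = {code: name for name, code in FIELD_CODES.items()}
TLV_ATTACK_FEATURES, TLV_PENDING_FEATURES = 1, 2  # constructed TLV type numbers

def encode_value(field, value):
    if field in ("src_ip", "dst_ip"):
        return IPv4Address(value).packed
    if field in ("src_mac", "dst_mac"):
        return bytes.fromhex(value.replace(":", ""))
    return struct.pack(">I", value)  # numeric fields as 32-bit big-endian

def decode_value(field, raw):
    if field in ("src_ip", "dst_ip"):
        return str(IPv4Address(raw))
    if field in ("src_mac", "dst_mac"):
        return ":".join(f"{b:02x}" for b in raw)
    return struct.unpack(">I", raw)[0]

def encode_tlv(tlv_type, features):
    """Outer TLV (type, 16-bit length) wrapping one (code, length, value) entry per parameter."""
    body = b""
    for field, value in sorted(features.items()):
        raw = encode_value(field, value)
        body += struct.pack(">BB", FIELD_CODES[field], len(raw)) + raw
    return struct.pack(">BH", tlv_type, len(body)) + body

def decode_tlv(data):
    tlv_type, length = struct.unpack(">BH", data[:3])
    body, pos, features = data[3:3 + length], 0, {}
    while pos < len(body):
        code, vlen = struct.unpack(">BB", body[pos:pos + 2])
        field = CODE_FIELDS[code]
        features[field] = decode_value(field, body[pos + 2:pos + 2 + vlen])
        pos += 2 + vlen
    return tlv_type, features

def features_differ(attack, pending):
    """Claims 13/14: parameter types differ, or at least one shared parameter has a different value."""
    return set(attack) != set(pending) or any(attack[k] != pending[k] for k in attack)

def channel_attacked(congested, err_count, err_rate, feat_count, feat_rate, t1, t2, t3):
    """Claim 11: congestion, error-packet count/rate, or first-characteristic packet count/rate."""
    return congested or err_count >= t1 or err_rate >= t2 or feat_count >= t3 or feat_rate >= t2
```

Note that claim 11 reuses the second threshold for both the error-packet rate and the first-characteristic packet rate, which the function mirrors.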
CN201811585178.1A 2018-12-24 2018-12-24 Network management method and device Active CN109639699B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811585178.1A CN109639699B (en) 2018-12-24 2018-12-24 Network management method and device

Publications (2)

Publication Number Publication Date
CN109639699A CN109639699A (en) 2019-04-16
CN109639699B true CN109639699B (en) 2020-01-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant