
CN110661721B - Method and device for preventing packet attacks - Google Patents


Info

Publication number: CN110661721B
Application number: CN201810712659.8A
Authority: CN (China)
Prior art keywords: session, CAR, rate, protocol, packet
Legal status: Active (as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN110661721A (en)
Inventor: 常静
Current assignee: Beijing Huawei Digital Technologies Co Ltd
Original assignee: Beijing Huawei Digital Technologies Co Ltd
Events: application filed by Beijing Huawei Digital Technologies Co Ltd; priority to CN201810712659.8A; publication of CN110661721A; application granted; publication of CN110661721B; legal status active.


Classifications

    (all under H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication)
    • H04L 47/00 Traffic control in data switching networks > H04L 47/10 Flow control; congestion control > H04L 47/20 Traffic policing
    • H04L 47/00 Traffic control in data switching networks > H04L 47/10 Flow control; congestion control
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/20 Managing network security; network security policies in general
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/14 Session management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of this application disclose a method and device for preventing packet attacks, in the field of communications technology, which solve the prior-art problem that when the packets of one established session are attacked, the other established sessions are affected by the attack and disconnected. The solution is as follows: a forwarding plane device receives a protocol packet; according to the session characteristics carried in the protocol packet, if the protocol packet is determined to belong to a first session, session committed access rate (CAR) rate limiting is performed on the protocol packet, where the first session is any established session, each established session corresponds to its own session CAR rate limit, and the session CAR rate limits of different sessions are isolated from one another; session cluster CAR rate limiting is then performed on the protocol packet that has passed the session CAR rate limit, where the session cluster CAR rate limit corresponds to at least one established session; and the protocol packet that has passed the session cluster CAR rate limit is sent to the control plane device.

Figure 201810712659

Description

Method and device for preventing packet attacks

Technical field

The embodiments of this application relate to the field of communications technology, and in particular to a method and device for preventing packet attacks.

Background

A router generally uses a system architecture in which the control plane and the forwarding plane are separated. The central processing unit (CPU) of the control plane has much weaker packet processing capacity than the network processor (NP) of the forwarding plane, so once a local routing-protocol packet attack occurs, the CPU becomes busy, routing protocol sessions flap, and the whole network becomes unstable. In general, routing protocol packets sent from the forwarding plane up to the control plane are subject to a committed access rate (CAR) rate-limiting policy, which keeps the volume of packets sent to the CPU within the CPU's processing capacity.

One existing method for preventing packet attacks divides packets into those belonging to established sessions and those not belonging to any established session; for the established sessions, the session characteristics are extracted and access control list (ACL) rules are issued. When the router receives a protocol packet, it looks the packet up against the issued ACL rules, and packets that match an ACL rule are sent to the CPU through a whitelist CAR. Packets of unestablished sessions cannot match the ACL rules and are sent to the CPU through the protocol's common CAR. The whitelist CAR and the protocol common CAR are rate-limited in isolation from each other, and the whitelist CAR has more bandwidth and a higher priority for delivery to the CPU than the protocol common CAR. Although this scheme ensures that the packets of established sessions are not affected by attacks from packets of unestablished sessions, all established sessions still share a single whitelist CAR channel, so if a bandwidth attack occurs on the packets of one established session, the packets of the other established sessions are affected by the attack and those sessions are disconnected.

Summary

The embodiments of this application provide a method and device for preventing packet attacks, which prevent an attack on the packets of one established session from affecting other established sessions and disconnecting them.

To achieve the above purpose, the embodiments of this application adopt the following technical solutions:

A first aspect of the embodiments provides a method for preventing packet attacks. The method includes: first, a forwarding plane device receives a protocol packet; then, according to the session characteristics carried in the protocol packet, if the protocol packet is determined to belong to a first session, session committed access rate (CAR) rate limiting is performed on the protocol packet, where the first session is any established session, each established session corresponds to its own session CAR rate limit, and the session CAR rate limits of different sessions are isolated from one another; next, session cluster CAR rate limiting is performed on the protocol packet that has passed the session CAR rate limit, where the session cluster CAR rate limit corresponds to at least one established session; finally, the protocol packet that has passed the session cluster CAR rate limit is sent to the control plane device. With this scheme, two-level rate limiting of the protocol packets of established sessions reduces the mutual impact of attacks between the packets of established sessions, so that an attack on one established session does not cause the other established sessions to be disconnected.

With reference to the first aspect, in a first possible implementation, the session cluster CAR rate limit corresponding to at least one established session includes: the session cluster CAR rate limit corresponds to established sessions of the same routing protocol, or to established sessions of different routing protocols. Specifically, if the established sessions all belong to the same routing protocol, the session cluster CAR rate limit may correspond to all established sessions of that routing protocol; if the established sessions belong to different routing protocols, the session cluster CAR rate limit may correspond to all established sessions of the different routing protocols, or each session cluster CAR rate limit may correspond to the sessions of one routing protocol among the established sessions of the different routing protocols. With this scheme, established sessions of the same routing protocol can be treated as one session cluster for session cluster CAR rate limiting, and established sessions of different routing protocols can also be treated as one session cluster for session cluster CAR rate limiting.

With reference to the first aspect and the above possible implementations, in another possible implementation, the session CAR rate limit uses the two-rate three-colour two-bucket marker (trTCM) in colour-blind mode, and the session cluster CAR rate limit uses the single-rate three-colour two-bucket marker (srTCM) in colour-aware mode. The four traffic parameters of trTCM are the peak information rate (PIR), peak burst size (PBS), committed information rate (CIR) and committed burst size (CBS); the three traffic parameters of srTCM are the committed information rate (CIR), committed burst size (CBS) and excess burst size (EBS). With this scheme, two-level rate limiting can be applied to the protocol packets, so that when an attack occurs on an established session, the other established sessions are not affected by it and disconnected.

With reference to the first aspect and the above possible implementations, in another possible implementation, if the session cluster CAR rate limit corresponds to all established sessions, the CIR of the session cluster CAR rate limit is greater than or equal to the sum of the CIRs of all session CAR rate limits and less than or equal to the processing capacity of the control plane device; or, if each session cluster CAR rate limit corresponds to the established sessions of one routing protocol, the CIR of each session cluster CAR rate limit is greater than or equal to the sum of the CIRs of the session CAR rate limits of the sessions of that routing protocol, and the sum of the CIRs of all session cluster CAR rate limits is less than or equal to the processing capacity of the control plane device. With this scheme, protocol packets marked green by the session CAR rate limit are guaranteed to obtain tokens from bucket C during session cluster CAR rate limiting and to pass normally, so no session disconnection occurs.

With reference to the first aspect and the above possible implementations, in another possible implementation, the CIR of the session cluster CAR rate limit is greater than or equal to the PIR of the session CAR rate limit, and the CBS of the session cluster CAR rate limit is greater than or equal to the PBS of the session CAR rate limit. With this scheme, when only one session is established, protocol packets that were not discarded by the session CAR rate limit are prevented from being discarded by the session cluster CAR rate limit.

With reference to the first aspect and the above possible implementations, in another possible implementation, before the forwarding plane device receives the protocol packet, the method further includes: the forwarding plane device extracts the session characteristics of the packets of established sessions and issues access control list (ACL) rules; and determining that the protocol packet belongs to the first session includes: the forwarding plane device determines, according to the session characteristics carried in the protocol packet, whether the protocol packet matches the ACL rule, and if it does, determines that the protocol packet belongs to the first session. With this scheme, whether a received protocol packet belongs to an established session can be determined from the ACL rules of the established sessions.

A second aspect of the embodiments provides a packet attack prevention device. The device includes: a receiving unit, configured to receive a protocol packet; a processing unit, configured to determine, according to the session characteristics carried in the protocol packet received by the receiving unit, whether the protocol packet belongs to a first session; if the protocol packet belongs to the first session, the processing unit is further configured to perform session committed access rate (CAR) rate limiting on the protocol packet, where the first session is any established session, each established session corresponds to its own session CAR rate limit, and the session CAR rate limits of different sessions are isolated from one another; the processing unit is further configured to perform session cluster CAR rate limiting on the protocol packet that has passed the session CAR rate limit, where the session cluster CAR rate limit corresponds to at least one established session; and a sending unit, configured to send the protocol packet that has passed the session cluster CAR rate limit to the control plane device.

With reference to the second aspect, in a first possible implementation, the session cluster CAR rate limit corresponding to at least one established session includes: the session cluster CAR rate limit corresponds to established sessions of the same routing protocol, or to established sessions of different routing protocols.

With reference to the second aspect and the above possible implementations, in another possible implementation, the session CAR rate limit uses the two-rate three-colour two-bucket marker (trTCM) in colour-blind mode, and the session cluster CAR rate limit uses the single-rate three-colour two-bucket marker (srTCM) in colour-aware mode. The four traffic parameters of trTCM are the peak information rate (PIR), peak burst size (PBS), committed information rate (CIR) and committed burst size (CBS); the three traffic parameters of srTCM are the committed information rate (CIR), committed burst size (CBS) and excess burst size (EBS).

With reference to the second aspect and the above possible implementations, in another possible implementation, if the session cluster CAR rate limit corresponds to all established sessions, the CIR of the session cluster CAR rate limit is greater than or equal to the sum of the CIRs of all session CAR rate limits and less than or equal to the processing capacity of the control plane device; or, if each session cluster CAR rate limit corresponds to the established sessions of one routing protocol, the CIR of each session cluster CAR rate limit is greater than or equal to the sum of the CIRs of the session CAR rate limits of the sessions of that routing protocol, and the sum of the CIRs of all session cluster CAR rate limits is less than or equal to the processing capacity of the control plane device.

With reference to the second aspect and the above possible implementations, in another possible implementation, the CIR of the session cluster CAR rate limit is greater than or equal to the PIR of the session CAR rate limit, and the CBS of the session cluster CAR rate limit is greater than or equal to the PBS of the session CAR rate limit.

With reference to the second aspect and the above possible implementations, in another possible implementation, the processing unit is further configured to extract the session characteristics of the packets of established sessions and issue access control list (ACL) rules; the processing unit is specifically configured to determine, according to the session characteristics carried in the protocol packet, whether the protocol packet matches the ACL rule; and if the protocol packet matches the ACL rule, the processing unit is further configured to determine that the protocol packet belongs to the first session.

For the effects of the second aspect and its implementations, refer to the description of the corresponding effects of the first aspect and its implementations; they are not repeated here.

A third aspect of the embodiments provides a computer storage medium storing computer program code which, when run on a processor, causes the processor to perform the packet attack prevention method of the first aspect or of any of its possible implementations.

A fourth aspect of the embodiments provides a communication apparatus for use in a forwarding plane device. The communication apparatus includes a processor configured to be coupled to a memory, read instructions from the memory, and perform the packet attack prevention method of the first aspect according to those instructions.

A fifth aspect of the embodiments provides a computer program product storing the computer software instructions executed by the processor above, the computer software instructions including a program for carrying out the solutions described in the above aspects.

A sixth aspect of the embodiments provides an apparatus in the form of a chip. The apparatus includes a processor and a memory; the memory is coupled to the processor and stores the program instructions and data the apparatus needs, and the processor executes the program instructions stored in the memory so that the apparatus performs the functions of the packet attack prevention device in the above method.

Description of the drawings

Fig. 1 is a schematic structural diagram of a router provided by an embodiment of this application;

Fig. 2 is a flowchart of a method for preventing packet attacks provided by an embodiment of this application;

Fig. 3 is a schematic structural diagram of session establishment between routers provided by an embodiment of this application;

Fig. 4 is another schematic structural diagram of session establishment between routers provided by an embodiment of this application;

Fig. 5 is a flowchart of a method for preventing packet attacks provided by an embodiment of this application;

Fig. 6 is a flowchart of another method for preventing packet attacks provided by an embodiment of this application;

Fig. 7 is a flowchart of another method for preventing packet attacks provided by an embodiment of this application;

Fig. 8 is a flowchart of another method for preventing packet attacks provided by an embodiment of this application;

Fig. 9 is a schematic diagram of the composition of a packet attack prevention device provided by an embodiment of this application;

Fig. 10 is a schematic diagram of the composition of another packet attack prevention device provided by an embodiment of this application.

Detailed description

First, some terms used in the embodiments of this application are explained:

1. Committed access rate (CAR)

CAR acts at the entry point of a network to control the traffic of a given class of packets entering the network, admitting the packets that conform to the traffic specification. CAR guarantees that conforming packets enter the network; packets that exceed the specification may, depending on the current use of network resources, either be discarded directly or be re-marked (that is, have their priority lowered) and then forwarded, in which case they are the first to be discarded when congestion occurs.

CAR is implemented with the token bucket algorithm. A token bucket can be regarded as a container holding tokens, and a token as a pass that lets a packet through the bucket. On one side, tokens are added to the bucket at a given rate; on the other, a packet passing through the bucket consumes a number of tokens equal to its length. If the bucket does not hold enough tokens, the packet is discarded, or re-marked and then forwarded. Controlling the rate at which tokens are put into the bucket therefore controls the rate of packets passing through it, and hence the rate at which packets enter the network. In the embodiments of this application, for example, the token bucket algorithms include the single-rate three-colour two-bucket algorithm srTCM and the two-rate three-colour two-bucket algorithm trTCM.

2. Two-rate three-colour two-bucket trTCM, colour-blind mode

The four traffic parameters of trTCM are: the peak information rate PIR, the peak burst size PBS associated with PIR, the committed information rate CIR, and the committed burst size CBS associated with CIR, where PIR is greater than or equal to CIR.

Token buckets P and C are both full initially (at time 0), with token counts Tp(0) = PBS and Tc(0) = CBS. Tp is incremented PIR times per second until it reaches PBS, and Tc is incremented CIR times per second until it reaches CBS.

When a packet of B bytes arrives at time t and trTCM is in colour-blind mode, the following is performed:

if Tp(t) - B < 0, the packet is marked red; otherwise,

if Tc(t) - B < 0, the packet is marked yellow and Tp is decremented by B; otherwise,

the packet is marked green and both Tp and Tc are decremented by B.

3. Single-rate three-colour two-bucket srTCM, colour-aware mode

The three traffic parameters of srTCM are: the committed information rate CIR, the committed burst size CBS and the excess burst size EBS.

Token buckets C and E are both full initially (at time 0), with token counts Tc(0) = CBS and Te(0) = EBS, where CBS is smaller than EBS. Tc and Te are updated CIR times per second; tokens are normally added to bucket C first, and only once C is full are they added to bucket E. When both buckets are full, newly generated tokens are discarded. That is, the token counts are updated by the following rule:

if Tc < CBS, Tc is incremented by 1; otherwise,

if Te < EBS, Te is incremented by 1; otherwise,

neither Tc nor Te is incremented.

When a packet of B bytes arrives at time t and srTCM is in colour-aware mode, the following is performed:

if the packet has already been marked green and Tc(t) - B ≥ 0, the packet is marked green and Tc is decremented by B; otherwise,

if the packet has already been marked green or yellow and Te(t) - B ≥ 0, the packet is marked yellow and Te is decremented by B; otherwise,

the packet is marked red and neither Tc nor Te is decremented.

4. Session CAR rate limiting

Session CAR rate limiting means limiting, per session, the rate of all protocol packets received within that session together. For example, if session 1 receives protocol packet 1, protocol packet 2 and protocol packet 3 within a certain period, session CAR rate limiting of session 1 means that protocol packets 1, 2 and 3 received in session 1 are rate-limited as one flow.

5. Session CAR rate limit isolation

Session CAR rate limit isolation means that each session is session-CAR-rate-limited separately, and the session CAR rate limits of different sessions are independent of and do not affect one another. For example, the session CAR parameters of each session may differ; each session rate-limits the protocol packets received within it according to its own session CAR parameters, and the sessions do not influence each other while doing so. For instance, session CAR rate limit isolation of sessions 1, 2 and 3 means that sessions 1, 2 and 3 are session-CAR-rate-limited individually; their session CAR parameters may be the same or different; and when CAR rate limiting is performed on sessions 1, 2 and 3, the sessions are independent of one another and do not affect each other.

6. Session cluster CAR rate limiting

Session cluster CAR rate limiting means limiting, per session cluster, the rate of all protocol packets received within that cluster together. For example, if sessions 1, 2 and 3 are established sessions, they may be treated as one session cluster, and the protocol packets received within that cluster are rate-limited with a single set of session cluster CAR parameters.

In the embodiments of this application, words such as "exemplary" or "for example" are used to mean serving as an example, instance or illustration. Any embodiment or design described as "exemplary" or "for example" in the embodiments of this application is not to be construed as preferred over or more advantageous than other embodiments or designs. Rather, the use of words such as "exemplary" or "for example" is intended to present the related concepts in a concrete manner.

An embodiment of this application provides a packet attack defense method. The method is applied to an architecture that includes a forwarding plane device and a control plane device.

The forwarding plane device is used to encapsulate and forward data packets. For example, after the system receives an IP packet, the forwarding plane device decapsulates the IP packet, looks up the routing table and forwards the packet out of the outbound interface. For example, the forwarding plane device may be a network processor; the network processor may apply a committed access rate (CAR) rate limiting policy to received routing protocol packets that need to be processed locally, and then send the rate-limited local routing protocol packets to the control plane device.

The control plane device is used to deliver instructions and compute table entries, for example routing protocol learning, routing table entry maintenance, protocol packet forwarding, and protocol table entry computation and maintenance. For example, the control plane device may be a central processing unit, and the central processing unit may receive packets sent by the forwarding plane device.

It can be understood that the forwarding plane device and the control plane device in the embodiments of this application may be processors or chips. The forwarding plane device and the control plane device may be configured separately or configured in one device; this application does not limit this. The description here uses only the case in which the forwarding plane device and the control plane device are configured in one device as an example; for example, the device may be a router.

For example, the router 100 adopts a system architecture in which the control plane and the forwarding plane are separated: the forwarding plane implements the packet forwarding function, and the control plane implements control over packet forwarding. As shown in Figure 1, the router 100 consists of a main control board, a switch fabric board and interface boards. The main control board is the control core of the router 100; it performs management and control of the whole router and directly receives instructions from the network management center. The switch fabric board performs high-speed data switching within the router 100. The interface boards handle packet forwarding. For example, Figure 1 shows two interface boards; the two interface boards can process packet forwarding in parallel, which greatly increases the packet forwarding capacity. The embodiments of this application do not limit the specific structure of the router 100.

As shown in Figure 1, the forwarding plane of an interface board of the router 100 includes a network processor 101, a physical interface card 102 and a forwarding table entry memory 103; the control plane includes a central processing unit 104.

Network processor 101: a programmable processor designed specifically for processing packets, which can be used for routing table management, system configuration and management. The network processor 101 is usually composed internally of several microcode processors and several hardware coprocessors. The multiple microcode processors process in parallel within the network processor, and the processing flow is controlled by pre-written microcode. Complex operations (such as memory operations, routing table lookup algorithms, QoS congestion control algorithms and traffic scheduling algorithms) are handled by hardware coprocessors to further improve processing performance, thereby combining service flexibility with high performance.

Physical interface card 102: provides the physical connection between the router 100 and a specific type of network medium. The interfaces of the physical interface card 102 can be flexibly upgraded and changed according to actual needs.

Forwarding table entry memory 103: stores the forwarding table of the router 100. The forwarding table is generated from the routing table of the control plane, and its entries correspond directly to routing table entries, but the format of the forwarding table differs from that of the routing table and is better suited to fast lookup.

In the embodiments of this application, the forwarding table entry memory 103 may specifically include volatile memory, such as random-access memory (RAM); the memory may also include non-volatile memory, such as flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the forwarding table entry memory 103 may also include a combination of the above types of memory.

Central processing unit 104: the core component of the router, which can be used to execute the instructions of the routing operating system, to interpret and execute commands entered by the user, and to perform computation-related work.

It can be understood that Figure 1 is only an illustrative example; in practical applications the router 100 may include more or fewer components than shown in Figure 1, and the structure shown in Figure 1 does not constitute any limitation on the router provided by the embodiments of this application.

To solve the problem described in the background art, namely that when the packets of one established session are under attack, the packets of other established sessions are affected by the attack and those sessions are disconnected, an embodiment of this application provides a packet attack defense method. The method can reduce the impact of attacks between the packets of established sessions and prevent an attack on the packets of one established session from affecting other established sessions and causing them to be disconnected.

With reference to Figure 1, as shown in Figure 2, the packet attack defense method provided by the embodiment of this application may include S201 to S204.

S201. The forwarding plane device receives a protocol packet.

For example, as shown in Figure 1, the forwarding plane device may be the network processor in router A shown in Figures 3 and 4, and the network processor may receive protocol packets. For example, the network processor may receive packets of the same routing protocol sent by other routers, or packets of different routing protocols sent by other routers.

For example, as shown in Figure 3, the network processor may receive Border Gateway Protocol (BGP) packets sent by router B, router C and router D; as shown in Figure 4, the network processor may also receive BGP packets sent by router B, router C and router D together with Open Shortest Path First (OSPF) packets sent by router E and router F. The embodiments of this application do not limit the types of protocol packets that the network processor receives from other routers; Figures 3 and 4 are only examples. For example, the protocol packet received by the forwarding plane device may also be a Routing Information Protocol (RIP) packet, an Interior Gateway Routing Protocol (IGRP) packet, or an Intermediate System to Intermediate System (IS-IS) packet.

S202. Based on the session feature carried in the protocol packet, if the forwarding plane device determines that the protocol packet belongs to a first session, it performs session committed access rate (CAR) rate limiting on the protocol packet.

Here, the first session is any one of the established sessions; each of the established sessions corresponds to its own session CAR rate limit, and the session CAR rate limits of different sessions are isolated from one another.

For example, an established session is one in which routing protocol peers have established a connection by exchanging packets; once the routing protocol peers have completed authentication of each other, each considers the other trusted, and the session is called an established session. For example, as shown in Figure 3, after router A establishes BGP session connections with router B, router C and router D respectively, the established BGP session 1, BGP session 2 and BGP session 3 are established sessions. Steps S202 to S204 of this embodiment all apply to protocol packets belonging to established sessions. Protocol packets of sessions that have not been established are processed in the same way as in the prior art, which is not described again here.

For example, the forwarding plane device may determine, based on the session feature carried in the protocol packet, whether the protocol packet belongs to the first session.

The first session is any one of the established sessions, and each of the established sessions corresponds to its own ACL rule. For example, the established sessions include BGP session 1, BGP session 2 and BGP session 3, and BGP session 1, BGP session 2 and BGP session 3 each correspond to their own ACL rule. The ACL rule may include five-tuple information, such as the source IP address, destination IP address, source port number, destination port number and IP protocol number. The embodiments of this application do not limit the specific content of the ACL rule. For example, if the protocol packet received by the forwarding plane device is a BGP packet, the ACL rule may also include the VPN instance index; if the protocol packet received by the forwarding plane device is an OSPF packet, the ACL rule may also include the interface index. The ACL rule may be obtained by the forwarding plane device extracting the session features of the packets of the established session.

If the session feature carried in the protocol packet matches the ACL rule of BGP session 2, the protocol packet is determined to belong to BGP session 2 (the first session). The embodiments of this application do not limit the specific manner in which the forwarding plane device determines that the protocol packet belongs to the first session.

For example, the session feature may include the source IP address, destination IP address, source port number, destination port number and IP protocol number of the protocol packet. The session features carried in the protocol packets of different routing protocol sessions may be the same or different.

If the protocol packet is determined to belong to the first session, the session CAR rate limiting corresponding to the first session is performed on the protocol packet.

It should be noted that each of the established sessions corresponds to its own session CAR rate limit, and the session CAR rate limits of different sessions are isolated from one another. Session CAR rate limiting means rate limiting, on a per-session basis, all protocol packets received within a session as a whole. For example, if BGP session 1 receives BGP packet 1 within a certain period of time, BGP packet 1 is rate limited.

Session CAR rate limiting isolation means that each session performs session CAR rate limiting separately, and the session CAR rate limits of different sessions are independent of one another and do not affect one another. For example, as shown in Figure 5, BGP packet 1 belongs to BGP session 1, BGP packet 2 belongs to BGP session 2 and BGP packet 3 belongs to BGP session 3; the session CAR rate limiting of BGP session 1 is applied to BGP packet 1, that of BGP session 2 to BGP packet 2 and that of BGP session 3 to BGP packet 3, and the session CAR rate limits of BGP session 1, BGP session 2 and BGP session 3 are independent of one another and do not affect one another.

For example, the session CAR rate limiting in the embodiments of this application may use the two-rate three-color marker (trTCM) with two token buckets in color-blind mode. The session CAR rate limiting parameters of different sessions may be the same or different.

The specific session CAR rate limiting process is described using the scenario shown in Figure 3 as an example. As shown in Figure 3, router A (the forwarding plane device) receives BGP packet 1, BGP packet 2 and BGP packet 3 sent by router B, router C and router D respectively. BGP packet 1 and BGP packet 2 are BGP attack packets, each with a traffic rate of 10 Mbps; BGP packet 3 is a normal packet with a traffic rate of 10 Kbps. When session CAR rate limiting is performed on BGP packet 1, BGP packet 2 and BGP packet 3, BGP packet 1 belongs to BGP session 1, BGP packet 2 belongs to BGP session 2 and BGP packet 3 belongs to BGP session 3. Here, purely as an example, the session CAR rate limiting parameters of BGP session 1, BGP session 2 and BGP session 3 are set to the same values; the session CAR parameters of the three sessions are set as follows.

CIR 32 Kbps, CBS 9000000 bytes, PIR 4 Mbps, PBS 9000000 bytes.

Figure 5 shows the process of performing session CAR rate limiting on BGP packet 1, BGP packet 2 and BGP packet 3 according to the respective session CAR parameters of BGP session 1, BGP session 2 and BGP session 3.

For example, when session CAR rate limiting is performed on BGP packet 1, because the traffic rate of BGP packet 1 is 10 Mbps, which is greater than the PIR (4 Mbps) of the session CAR rate limit of BGP session 1, after session CAR rate limiting the 6 Mbps of BGP packet 1 that exceeds the PIR (4 Mbps) of the session CAR rate limit of BGP session 1 is discarded and the remaining 4 Mbps passes; of that remaining 4 Mbps, 32 Kbps is marked green and the rest is marked yellow. When session CAR rate limiting is performed on BGP packet 2, because the traffic rate of BGP packet 2 is 10 Mbps, which is greater than the PIR (4 Mbps) of the session CAR rate limit of BGP session 2, after session CAR rate limiting the 6 Mbps of BGP packet 2 that exceeds the PIR (4 Mbps) of the session CAR rate limit of BGP session 2 is discarded and the remaining 4 Mbps passes; of that remaining 4 Mbps, 32 Kbps is marked green and the rest is marked yellow. When session CAR rate limiting is performed on BGP packet 3, because the traffic rate of BGP packet 3 is 10 Kbps, which is less than the CIR (32 Kbps) of the session CAR of BGP session 3, after session CAR rate limiting all of BGP packet 3 is marked green.
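The per-session stage of S202 (ACL classification followed by an isolated colour-blind trTCM per session), as an added simulation that is not code from the patent. It reproduces the Figure 3 scenario with the page's parameters (CIR 32 Kbps, CBS 9,000,000 bytes, PIR 4 Mbps, PBS 9,000,000 bytes): two sessions flooding at 10 Mbps and one normal session at 10 Kbps. The peer addresses, ports and packet timing are constructed; rates are converted to bytes per millisecond so the arithmetic is exact. Because the RFC 2698 buckets start full and are 9 MB each, the marking the text describes appears only after the buckets drain (about 12 s here), so the simulation reports the last 10 s of a 30 s run.

```python
"""Session CAR stage: ACL lookup plus a colour-blind trTCM (RFC 2698) per session.

Added example, not code from the patent. Addresses, ports and the traffic pattern
are constructed; rates in bits per second are turned into bytes per millisecond
(every rate used here divides evenly) so the simulation is integer arithmetic."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterator, Tuple

FiveTuple = Tuple[str, str, int, int, int]  # src IP, dst IP, src port, dst port, IP protocol

# Constructed ACL rules: one five-tuple per established BGP session on router A
# (192.0.2.0/24 is a documentation prefix; TCP port 179 is BGP).
ACL_RULES: Dict[FiveTuple, str] = {
    ("192.0.2.2", "192.0.2.1", 40001, 179, 6): "BGP session 1",  # peer: router B
    ("192.0.2.3", "192.0.2.1", 40002, 179, 6): "BGP session 2",  # peer: router C
    ("192.0.2.4", "192.0.2.1", 40003, 179, 6): "BGP session 3",  # peer: router D
}


@dataclass
class TrTcm:
    """Two-rate three-colour marker, colour-blind mode."""
    cir_bps: int
    cbs_bytes: int
    pir_bps: int
    pbs_bytes: int

    def __post_init__(self) -> None:
        self.cir = self.cir_bps // 8000  # bytes per millisecond
        self.pir = self.pir_bps // 8000
        self.tc = self.cbs_bytes         # both buckets start full, as the RFC specifies
        self.tp = self.pbs_bytes
        self.last_ms = 0

    def meter(self, size: int, now_ms: int) -> str:
        elapsed = now_ms - self.last_ms
        self.last_ms = now_ms
        self.tc = min(self.cbs_bytes, self.tc + elapsed * self.cir)
        self.tp = min(self.pbs_bytes, self.tp + elapsed * self.pir)
        if self.tp < size:
            return "red"      # above PIR: discarded
        self.tp -= size
        if self.tc < size:
            return "yellow"   # within PIR but above CIR
        self.tc -= size
        return "green"        # within CIR


def traffic(duration_ms: int) -> Iterator[Tuple[int, FiveTuple, int]]:
    """Constructed arrivals (time_ms, five-tuple, size) matching the text's scenario:
    sessions 1 and 2 send a 1250-byte packet every ms (10 Mbps, the attack flows);
    session 3 sends a 1250-byte packet every second (10 Kbps, the normal flow)."""
    flows = list(ACL_RULES)
    for t in range(1, duration_ms + 1):
        yield t, flows[0], 1250
        yield t, flows[1], 1250
        if t % 1000 == 0:
            yield t, flows[2], 1250


def run_session_car(duration_ms: int = 30_000, window_ms: int = 10_000) -> Dict[str, Counter]:
    """Classify each packet by its ACL rule, meter it with its own session's trTCM
    (isolation: one meter per session), and count colours in the final window."""
    meters = {sid: TrTcm(32_000, 9_000_000, 4_000_000, 9_000_000) for sid in ACL_RULES.values()}
    stats: Dict[str, Counter] = {sid: Counter() for sid in meters}
    for now, five_tuple, size in traffic(duration_ms):
        sid = ACL_RULES.get(five_tuple)
        if sid is None:
            continue  # not an established session: handled outside this stage
        colour = meters[sid].meter(size, now)
        if now > duration_ms - window_ms:
            stats[sid][colour] += 1
    return stats


if __name__ == "__main__":
    for sid, counts in run_session_car().items():
        print(sid, dict(counts))
```

In the reported window each attacking session has exactly 6000 of its 10,000 packets discarded (the 6 Mbps above PIR), 4000 pass, and about 32 of those are green (32 Kbps of 1250-byte packets over 10 s), while the normal session's 10 packets are all green: the attacks on sessions 1 and 2 never touch session 3's meter.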

S203. The forwarding plane device performs session cluster CAR rate limiting on the protocol packets that have undergone session CAR rate limiting.

Session cluster CAR rate limiting means rate limiting, on a per-session-cluster basis, all protocol packets received within the session cluster as a whole. A session cluster CAR rate limit corresponds to at least one established session. For example, as shown in Figure 6, one session cluster CAR rate limit corresponds to BGP session 1, BGP session 2, BGP session 3, OSPF session 1 and OSPF session 2; or, as shown in Figure 7, one session cluster CAR rate limit corresponds to BGP session 1, BGP session 2 and BGP session 3, and another session cluster CAR rate limit corresponds to OSPF session 1 and OSPF session 2.

For example, a session cluster CAR rate limit corresponds to sessions of the same routing protocol, or sessions of different routing protocols, among the established sessions. For example, if the established sessions are sessions of the same routing protocol, the session cluster CAR rate limit may correspond to all the established sessions of that routing protocol; if the established sessions are sessions of different routing protocols, the session cluster CAR rate limit may correspond to all the established sessions of the different routing protocols, or each session cluster CAR rate limit may correspond to the sessions of one routing protocol among the established sessions of the different routing protocols.

The three cases above are described separately below.

Case 1: if the established sessions are sessions of the same routing protocol, the session cluster CAR rate limit may correspond to all the established sessions of that routing protocol.

For example, in the scenario shown in Figure 3 and as shown in Figure 5, when the network processor in router A performs session cluster CAR rate limiting on BGP packet 1, BGP packet 2 and BGP packet 3, the session cluster CAR rate limit corresponds to BGP session 1, BGP session 2 and BGP session 3; that is, BGP session 1, BGP session 2 and BGP session 3 (all the established sessions of the same routing protocol) are treated as one session cluster, and session cluster CAR rate limiting is performed on them as a whole.

Case 2: if the established sessions are sessions of different routing protocols, the session cluster CAR rate limit may correspond to all the established sessions of the different routing protocols.

For example, in the scenario shown in Figure 4 and as shown in Figure 6, when the network processor in router A performs session cluster CAR rate limiting on BGP packet 1, BGP packet 2, BGP packet 3, OSPF packet 1 and OSPF packet 2, the session cluster CAR rate limit corresponds to BGP session 1, BGP session 2, BGP session 3, OSPF session 1 and OSPF session 2; that is, BGP session 1, BGP session 2, BGP session 3, OSPF session 1 and OSPF session 2 (all the established sessions of the different routing protocols) are treated as one session cluster, and session cluster CAR rate limiting is performed on them as a whole.

Case 3: if the established sessions are sessions of different routing protocols, each session cluster CAR rate limit may correspond to the sessions of one routing protocol among the established sessions of the different routing protocols.

For example, in the scenario shown in Figure 4 and as shown in Figure 6, when the network processor in router A performs session cluster CAR rate limiting on BGP packet 1, BGP packet 2, BGP packet 3, OSPF packet 1 and OSPF packet 2, one session cluster CAR rate limit corresponds to BGP session 1, BGP session 2 and BGP session 3, and another session cluster CAR rate limit corresponds to OSPF session 1 and OSPF session 2; that is, BGP session 1, BGP session 2 and BGP session 3 (the BGP sessions among the established sessions of the different routing protocols) are treated as one session cluster on which session cluster CAR rate limiting is performed as a whole, and OSPF session 1 and OSPF session 2 (the OSPF sessions among the established sessions of the different routing protocols) are treated as another session cluster on which session cluster CAR rate limiting is performed as a whole.

It can be understood that the embodiments of this application do not limit which of the above implementations the forwarding plane device (network processor) uses to perform session cluster CAR rate limiting on protocol packets; rate limiting in any of the above cases falls within the protection scope of the embodiments of this application, and in practical applications the specific rate limiting mode may be determined according to the actual situation.

For example, the session cluster CAR rate limiting in the embodiments of this application may use the single-rate three-color marker (srTCM) with two token buckets in color-aware mode. The session cluster CAR rate limiting parameters of different session clusters may be the same or different.

For example, the specific session cluster CAR rate limiting process is described using the scenario shown in Figure 3. As shown in Figure 3, router A (the forwarding plane device) performs session cluster CAR rate limiting on BGP packet 1, BGP packet 2 and BGP packet 3 after session CAR rate limiting, and the session cluster CAR rate limit corresponds to BGP session 1, BGP session 2 and BGP session 3. Purely as an example, the session cluster CAR rate limiting parameters are set as follows:

CIR 4 Mbps, CBS 9000000 bytes, EBS 9000000 bytes.

Figure 5 shows the process of performing session cluster CAR rate limiting on BGP packet 1, BGP packet 2 and BGP packet 3 according to the session cluster CAR rate limiting parameters.

For example, when session cluster CAR rate limiting is performed on BGP packet 1, BGP packet 2 and BGP packet 3, BGP session 1, BGP session 2 and BGP session 3 are treated as one session cluster. Of the 4 Mbps of BGP packet 1 that remained after session CAR rate limiting, 32 Kbps is marked green and the rest yellow; of the 4 Mbps of BGP packet 2 that remained, 32 Kbps is marked green and the rest yellow; and all of BGP packet 3 is marked green. Therefore, when session cluster CAR rate limiting is performed on BGP packet 1, BGP packet 2 and BGP packet 3, the green packets of BGP packet 1, BGP packet 2 and BGP packet 3 take tokens from the C bucket, and the yellow packets of BGP packet 1 and BGP packet 2 take tokens from the E bucket. Because the green portion of BGP packet 1 is 32 Kbps, the green portion of BGP packet 2 is 32 Kbps and the green portion of BGP packet 3 is 10 Kbps, the green packets of BGP session 1, BGP session 2 and BGP session 3 total 74 Kbps, which is less than the CIR (4 Mbps) of the session cluster CAR rate limit; therefore, the green packets of BGP packet 1, BGP packet 2 and BGP packet 3 all obtain tokens from the C bucket and pass normally. When the yellow packets of BGP packet 1 and BGP packet 2 take tokens from the E bucket, those that obtain a token from the E bucket pass normally, and those that do not are discarded.

After BGP packet 1, BGP packet 2 and BGP packet 3 have undergone session CAR rate limiting and session cluster CAR rate limiting, the BGP packet traffic sent up to the CPU is still guaranteed to be limited to 4 Mbps, and all packets of normal sessions (whose traffic rate is less than the CIR) can be sent up to the control plane device for processing, which ensures that the sessions are not disconnected.

示例性的,若按照上述第一种情况和第二种情况的限速方式,会话簇CAR限速对应已建立的全部会话,该会话簇CAR限速的CIR大于或等于全部会话CAR限速的CIR之和,小于或等于控制面设备的处理能力。Exemplarily, if according to the rate limiting methods in the first and second cases above, the session cluster CAR rate limiting corresponds to all established sessions, and the session cluster CAR rate limiting CIR is greater than or equal to the CAR rate limiting of all sessions. The sum of the CIRs is less than or equal to the processing capability of the control plane devices.

示例性的,若按照上述第三种情况的限速方式,会话簇CAR限速中的每个会话簇CAR限速对应已建立的会话中同一路由协议的会话,每个会话簇CAR限速的CIR大于或等于同一路由协议的会话中每个会话对应的会话CAR限速的CIR之和,每个会话簇CAR限速的CIR之和小于或等于控制面设备的处理能力。Exemplarily, according to the rate limiting method in the third case, the rate limiting of each session cluster CAR in the session cluster CAR rate limiting corresponds to the session of the same routing protocol in the established session, and the rate limiting rate of each session cluster CAR is The CIR is greater than or equal to the sum of the CAR rate-limited CIRs of each session in the same routing protocol session, and the sum of the CAR rate-limited CIRs of each session cluster is less than or equal to the processing capability of the control plane device.

Here the case in which the session-cluster CAR rate limit corresponds to all established sessions is taken as the example. Because the lower bound of the session-cluster CAR CIR in this embodiment is the sum of the CIRs of all session CAR rate limits, and because the srTCM algorithm used by the session-cluster CAR rate limit keeps injecting tokens into bucket C first, every packet marked green by the session CAR rate limit is guaranteed to obtain a token and pass normally. The packet attack defense method of this embodiment therefore prevents an attack on one established session from affecting the other established sessions and causing them to be torn down.
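The two-level policing described in the preceding paragraphs, as an added example (not the patent's own code, and not the description's exact figures): a per-session trTCM in color-blind mode feeds a session-cluster srTCM in color-aware mode, with the cluster CIR set above the sum of the session CIRs. All parameter values, the 20 Mbit/s flood on session 1 and the 0.5 Mbit/s traffic on sessions 2 and 3 are assumed, as is the convention that a packet marked red is dropped at the level that marked it.

```python
"""Two-level CAR policing: per-session trTCM (RFC 2698, color-blind) feeding a
session-cluster srTCM (RFC 2697, color-aware). Added example, not the patent's code.
Assumed conventions: rates in bit/s, bucket sizes in bytes, time in seconds;
red at the session CAR is dropped there, green/yellow go on to the cluster CAR,
and red at the cluster CAR is dropped."""
import heapq


class TrTCM:
    """Two-rate three-color marker, color-blind (the session CAR)."""

    def __init__(self, cir, cbs, pir, pbs):
        self.cir, self.pir = cir / 8, pir / 8        # bytes per second
        self.cbs, self.pbs = cbs, pbs
        self.tc, self.tp, self.last = cbs, pbs, 0.0  # both buckets start full

    def mark(self, now, size):
        dt, self.last = now - self.last, now
        self.tc = min(self.cbs, self.tc + self.cir * dt)
        self.tp = min(self.pbs, self.tp + self.pir * dt)
        if self.tp < size:
            return "red"                 # above PIR
        self.tp -= size
        if self.tc < size:
            return "yellow"              # between CIR and PIR
        self.tc -= size
        return "green"                   # within CIR


class SrTCM:
    """Single-rate three-color marker, color-aware (the session-cluster CAR)."""

    def __init__(self, cir, cbs, ebs):
        self.cir, self.cbs, self.ebs = cir / 8, cbs, ebs
        self.tc, self.te, self.last = cbs, ebs, 0.0

    def mark(self, now, size, color):
        dt, self.last = now - self.last, now
        tokens = self.cir * dt
        room = self.cbs - self.tc
        self.tc += min(tokens, room)                                 # bucket C is filled first ...
        self.te = min(self.ebs, self.te + max(0.0, tokens - room))   # ... bucket E takes the overflow
        if color == "green" and self.tc >= size:
            self.tc -= size
            return "green"
        if color in ("green", "yellow") and self.te >= size:
            self.te -= size
            return "yellow"              # packets can be demoted, never promoted
        return "red"


def constant_rate_traffic(sid, rate_bps, size, duration):
    """Constructed traffic: `size`-byte packets of session `sid` at a constant bit rate."""
    interval = size * 8 / rate_bps
    for i in range(int(rate_bps * duration / (size * 8))):
        yield (i * interval, sid, size)


def police(packets, session_cars, cluster_car):
    """Run (time, session_id, size) packets through both levels; return byte counters."""
    stats = {sid: {"offered": 0, "to_cpu": 0, "dropped": 0} for sid in session_cars}
    for now, sid, size in packets:
        s = stats[sid]
        s["offered"] += size
        color = session_cars[sid].mark(now, size)          # level 1, isolated per session
        if color != "red":
            color = cluster_car.mark(now, size, color)     # level 2, shared by the cluster
        s["to_cpu" if color != "red" else "dropped"] += size
    return stats


def check_dimensioning(session_cars, cluster_car, cpu_capacity_bps):
    """Constraints stated for the all-sessions cluster: sum of session CIRs <= cluster CIR
    <= control-plane capacity, cluster CIR >= every session PIR, cluster CBS >= every PBS."""
    sessions = session_cars.values()
    return (sum(s.cir for s in sessions) <= cluster_car.cir <= cpu_capacity_bps / 8
            and all(cluster_car.cir >= s.pir and cluster_car.cbs >= s.pbs for s in sessions))


def build_policers():
    """Assumed parameters; the description's own values are not reproduced here."""
    sessions = {sid: TrTCM(cir=1_000_000, cbs=10_000, pir=2_000_000, pbs=20_000) for sid in (1, 2, 3)}
    cluster = SrTCM(cir=4_000_000, cbs=40_000, ebs=40_000)     # 4 Mbit/s towards the CPU
    return sessions, cluster


def run_demo(duration=1.0):
    """Session 1 is flooded at 20 Mbit/s; sessions 2 and 3 send 0.5 Mbit/s (below their CIR)."""
    sessions, cluster = build_policers()
    traffic = heapq.merge(constant_rate_traffic(1, 20_000_000, 100, duration),
                          constant_rate_traffic(2, 500_000, 100, duration),
                          constant_rate_traffic(3, 500_000, 100, duration))
    return police(traffic, sessions, cluster)


if __name__ == "__main__":
    for sid, s in run_demo().items():
        print(f"session {sid}: offered {s['offered']} B, to CPU {s['to_cpu']} B, dropped {s['dropped']} B")
```

Running it shows the two properties the description claims: sessions 2 and 3 lose nothing, because their green packets always find tokens in the cluster's C bucket, while session 1 is held to its PIR plus PBS by its own trTCM, so the total sent to the CPU stays below the cluster CIR plus the CBS/EBS burst allowance. `check_dimensioning` encodes the CIR/PIR/CBS constraints of claims 4 and 5; lowering the cluster CIR below the sum of session CIRs makes it fail, and that is exactly the configuration in which one session's yellow traffic could start starving another session's green traffic.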

S204: The forwarding plane device sends the protocol packets that have passed session-cluster CAR rate limiting to the control plane device.

By way of example, as shown in FIG. 5 to FIG. 7, the forwarding plane device in router A sends the packets that have passed the two levels of rate limiting to the control plane device, which may be the central processing unit (CPU) of the control plane of router A.

It can be understood that, because the network processor applies two levels of rate limiting to the received protocol packets of established sessions, the bandwidth of protocol packets sent up to the CPU after rate limiting stays constant: the bandwidth sent up to the CPU does not grow with the number of protocol sessions.

In the packet attack defense method provided by this embodiment, a forwarding plane device receives a protocol packet; if, according to the session feature carried in the protocol packet, the protocol packet is determined to belong to a first session, session CAR rate limiting is applied to the protocol packet, where the first session is any one of the established sessions, each established session corresponds to its own session CAR rate limit, and the session CAR rate limits of different sessions are isolated from one another; session-cluster CAR rate limiting is then applied to the protocol packet that has passed session CAR rate limiting, the session-cluster CAR rate limit corresponding to at least one established session; and the protocol packet that has passed session-cluster CAR rate limiting is sent to the control plane device. By applying two levels of rate limiting to the protocol packets of established sessions, this embodiment reduces the impact that an attack on one established session has on the packets of the others, so that an attack on one established session does not cause the other established sessions to be torn down; at the same time, the bandwidth of routing-protocol packets sent up to the CPU stays constant and does not grow with the number of protocol sessions.

This embodiment of the present application further provides a packet attack defense method which, as shown in FIG. 8, additionally includes step S205 before step S201.

S205: The forwarding plane device extracts the session features of the packets of the established sessions and issues access control list (ACL) rules.

In the packet attack defense method provided by this embodiment, the forwarding plane device extracts the session features of the packets of the established sessions and issues ACL rules; the forwarding plane device receives a protocol packet; according to the session feature carried in the protocol packet, it determines whether the protocol packet hits an ACL rule and, if it does, determines that the protocol packet belongs to the first session; if the protocol packet belongs to the first session, session CAR rate limiting is applied to it, where the first session is any one of the established sessions, each established session corresponds to its own session CAR rate limit, and the session CAR rate limits of different sessions are isolated from one another; session-cluster CAR rate limiting is then applied to the protocol packet that has passed session CAR rate limiting, the session-cluster CAR rate limit corresponding to at least one established session; and the protocol packet that has passed session-cluster CAR rate limiting is sent to the control plane device. As above, the two levels of rate limiting keep an attack on one established session from tearing down the other established sessions, and keep the bandwidth of routing-protocol packets sent up to the CPU constant regardless of the number of protocol sessions.
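Step S205 and the ACL match of S202, as an added example that is not part of the patent: it assumes the "session feature" is the inbound 5-tuple (source IP, destination IP, IP protocol, source port, destination port) and that the forwarding plane knows each established session as its local and peer addresses, protocol and ports. The router addresses, peers, ports and packets below are all constructed; the ACL entries are exact-match (/32) rules derived from the sessions, but the matcher also accepts masked networks and wildcard ports, as a real ACL does.

```python
"""ACL-based session classification for steps S205 and S202 (added example, not the
patent's code). Assumed: the session feature is the inbound 5-tuple, and an established
session is known as (local IP, peer IP, protocol, local port, peer port)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

PROTO_TCP, PROTO_UDP, PROTO_OSPF = 6, 17, 89
BGP_PORT = 179


def parse_ipv4_5tuple(packet):
    """Extract (src_ip, dst_ip, proto, sport, dport) from a raw IPv4 packet.
    Ports are 0 for protocols that carry none (OSPF is IP protocol 89, no L4 ports)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, proto, src, dst = struct.unpack_from("!B8xB2x4s4s", packet)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4                       # header length honours IP options
    if ihl < 20:
        raise ValueError("bad IHL")
    sport = dport = 0
    if proto in (PROTO_TCP, PROTO_UDP):
        if len(packet) < ihl + 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack_from("!HH", packet, ihl)
    return (ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), proto, sport, dport)


@dataclass(frozen=True)
class AclRule:
    """One ACL entry; a None port matches any port, like an ACL 'any' keyword."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: int
    sport: Optional[int]
    dport: Optional[int]
    session_id: int

    def hits(self, key):
        src, dst, proto, sport, dport = key
        return (src in self.src and dst in self.dst and proto == self.proto
                and self.sport in (None, sport) and self.dport in (None, dport))


class SessionAcl:
    """Ordered ACL: the first matching entry wins, as in a TCAM lookup."""

    def __init__(self):
        self.rules = []

    def add_established_session(self, session_id, local_ip, peer_ip, proto,
                                local_port=None, peer_port=None):
        """S205: inbound packets of the session travel from the peer to the local address."""
        self.rules.append(AclRule(ipaddress.IPv4Network(f"{peer_ip}/32"),
                                  ipaddress.IPv4Network(f"{local_ip}/32"),
                                  proto, peer_port, local_port, session_id))

    def classify(self, packet):
        """S202: return the id of the matching established session, else None."""
        key = parse_ipv4_5tuple(packet)
        for rule in self.rules:
            if rule.hits(key):
                return rule.session_id
        return None      # not an established session: outside the per-session CAR path


def make_ipv4(src, dst, proto, payload=b""):
    """Constructed IPv4 packet (checksum left zero; enough for classification)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def tcp_header(sport, dport):
    """Constructed minimal 20-byte TCP header: the two ports, then zeroed fields."""
    return struct.pack("!HH", sport, dport) + bytes(16)


def run_demo():
    """Constructed topology: router A is 10.0.0.1 with two BGP peers and one OSPF neighbour."""
    acl = SessionAcl()
    acl.add_established_session(1, "10.0.0.1", "10.0.0.2", PROTO_TCP, local_port=BGP_PORT, peer_port=40001)
    acl.add_established_session(2, "10.0.0.1", "10.0.0.3", PROTO_TCP, local_port=50010, peer_port=BGP_PORT)
    acl.add_established_session(3, "10.0.0.1", "10.0.0.4", PROTO_OSPF)
    samples = {
        "bgp_from_peer2": make_ipv4("10.0.0.2", "10.0.0.1", PROTO_TCP, tcp_header(40001, BGP_PORT)),
        "bgp_from_peer3": make_ipv4("10.0.0.3", "10.0.0.1", PROTO_TCP, tcp_header(BGP_PORT, 50010)),
        "ospf_from_peer4": make_ipv4("10.0.0.4", "10.0.0.1", PROTO_OSPF),
        "wrong_port": make_ipv4("10.0.0.2", "10.0.0.1", PROTO_TCP, tcp_header(40002, BGP_PORT)),
        "unknown_peer": make_ipv4("192.0.2.9", "10.0.0.1", PROTO_TCP, tcp_header(40001, BGP_PORT)),
    }
    return {name: acl.classify(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, sid in run_demo().items():
        print(f"{name}: {'session ' + str(sid) if sid else 'no established session'}")
```

The two non-matching samples are the point of the ACL step: a packet from a known peer with the wrong port, or from an unknown address using a known port, does not hit any established-session rule and therefore never consumes tokens from that session's CAR; it falls to whatever path the device uses for packets of sessions that are not yet established. Note that both BGP directions are covered only because each session is recorded with the ports actually negotiated; a rule that matched "TCP port 179" alone would let a single flood hit every session's CAR.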

The solutions provided by the embodiments of the present application have been described above mainly from the perspective of method steps. It can be understood that, to implement the functions above, the computer includes the corresponding hardware structures and/or software modules for performing each function. Those skilled in the art will readily appreciate that the modules and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented as a combination of hardware and computer software. Skilled persons may implement the described functions differently for each particular application, but such implementations should not be regarded as going beyond the scope of the present application.

In the embodiments of the present application, the computer may be divided into functional modules according to the method examples above; for example, each function may be assigned its own functional module, or two or more functions may be integrated into one processing module. The integrated module may be implemented in hardware or as a software functional module. It should be noted that the division into modules in the embodiments is illustrative and is only a division by logical function; other divisions are possible in an actual implementation.

Where each function is assigned its own functional module, an embodiment of the present application further provides a network processor. As shown in FIG. 9, the network processor 900 includes a receiving unit 901, a processing unit 902 and a sending unit 903. The receiving unit 901 supports the network processor 900 in performing S201 of FIG. 2; the processing unit 902 supports it in performing S202 to S203 of FIG. 2 or S205 of FIG. 8; the sending unit 903 supports it in performing S204 of FIG. 2. All relevant content of the steps in the method embodiments above can be referred to in the functional descriptions of the corresponding functional modules and is not repeated here.

Where an integrated unit is used, an embodiment of the present application further provides a network processor. As shown in FIG. 10, the network processor 1000 includes a storage module 1001 and a processing module 1002. The processing module 1002 controls and manages the actions of the computer; for example, it supports the computer in performing S201 to S204 of FIG. 2 or S201 to S205 of FIG. 8, and/or other processes of the techniques described herein. The storage module 1001 stores the program code and data of the computer. In another implementation, the computer structure involved in the embodiments above may also comprise a processor and an interface, the processor communicating with the interface and executing the embodiments of the present invention. The processor may be a CPU, other hardware such as a field-programmable gate array (FPGA), or a combination of the two.

An embodiment of the present application further provides an apparatus in the product form of a chip. The apparatus comprises a processor and an interface circuit, and the processor can obtain, through the interface circuit, protocol packets sent by other routers. Optionally, the apparatus further comprises a memory coupled to the processor that stores the program instructions and data the apparatus needs; the processor executes the program instructions stored in the memory so that the apparatus performs the functions of the packet attack defense apparatus in the method above. Optionally, the memory may be a storage module inside the chip, such as a register or cache, or a storage module outside the chip, such as a ROM or another type of static storage device that can store static information and instructions, a RAM, and so on.

The steps of the methods or algorithms described in connection with the disclosure of the present application may be implemented in hardware or by a processor executing software instructions. The software instructions may consist of corresponding software modules, which may be stored in random access memory (RAM), flash memory, erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), registers, a hard disk, a removable hard disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. The storage medium may, of course, also be a component of the processor. The processor and the storage medium may reside in an ASIC, and the ASIC may reside in a core network interface device. The processor and the storage medium may, of course, also be present as discrete components in a core network interface device.

Those skilled in the art will appreciate that, in one or more of the examples above, the functions described in the present application may be implemented in hardware, software, firmware or any combination thereof. When implemented in software, the functions may be stored on, or transmitted as one or more instructions or code over, a computer-readable medium. Computer-readable media include computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.

The specific embodiments described above further explain the objectives, technical solutions and beneficial effects of the present application in detail. It should be understood that the above are only specific embodiments of the present application and are not intended to limit its protection scope; any modification, equivalent replacement, improvement and the like made on the basis of the technical solutions of the present application shall fall within the protection scope of the present application.

Claims (14)

1. A packet attack defense method, characterized in that the method comprises:
a forwarding plane device receiving a protocol packet;
according to a session feature carried in the protocol packet, if it is determined that the protocol packet belongs to a first session, applying session committed access rate (CAR) rate limiting to the protocol packet, wherein the first session is any one of the established sessions, each established session corresponds to its own session CAR rate limit, and the session CAR rate limits of different sessions are isolated from one another;
applying session-cluster CAR rate limiting to the protocol packet after session CAR rate limiting, the session-cluster CAR rate limit corresponding to at least one established session; and
sending the protocol packet after session-cluster CAR rate limiting to a control plane device.

2. The packet attack defense method according to claim 1, wherein the session-cluster CAR rate limit corresponding to at least one established session comprises: the session-cluster CAR rate limit corresponding to sessions of the same routing protocol, or to sessions of different routing protocols, among the established sessions.

3. The packet attack defense method according to claim 1 or 2, wherein the session CAR rate limit uses the two-rate three-color two-bucket marker trTCM in color-blind mode, and the session-cluster CAR rate limit uses the single-rate three-color two-bucket marker srTCM in color-aware mode;
wherein the four traffic parameters of trTCM are the peak information rate PIR, the peak burst size PBS, the committed information rate CIR and the committed burst size CBS, and the three traffic parameters of srTCM are the committed information rate CIR, the committed burst size CBS and the excess burst size EBS.

4. The packet attack defense method according to any one of claims 1 to 3, wherein, if the session-cluster CAR rate limit corresponds to all established sessions, the CIR of the session-cluster CAR rate limit is greater than or equal to the sum of the CIRs of all session CAR rate limits and less than or equal to the processing capability of the control plane device; and
if each session-cluster CAR rate limit corresponds to the sessions of one routing protocol among the established sessions, the CIR of each session-cluster CAR rate limit is greater than or equal to the sum of the CIRs of the session CAR rate limits of the sessions of that routing protocol, and the sum of the CIRs of the session-cluster CAR rate limits is less than or equal to the processing capability of the control plane device.

5. The packet attack defense method according to any one of claims 1 to 4, wherein the CIR of the session-cluster CAR rate limit is greater than or equal to the PIR of the session CAR rate limit, and the CBS of the session-cluster CAR rate limit is greater than or equal to the PBS of the session CAR rate limit.

6. The packet attack defense method according to any one of claims 1 to 5, wherein, before the forwarding plane device receives the protocol packet, the method further comprises:
the forwarding plane device extracting the session features of the packets of the established sessions and issuing access control list (ACL) rules;
and wherein determining that the protocol packet belongs to the first session comprises:
the forwarding plane device determining, according to the session feature carried in the protocol packet, whether the protocol packet hits the ACL rule; and
if the protocol packet hits the ACL rule, determining that the protocol packet belongs to the first session.

7. A packet attack defense apparatus, characterized in that the apparatus comprises:
a receiving unit, configured to receive a protocol packet;
a processing unit, configured to determine, according to a session feature carried in the protocol packet received by the receiving unit, whether the protocol packet belongs to a first session, and, if the protocol packet belongs to the first session, to apply session committed access rate (CAR) rate limiting to the protocol packet, wherein the first session is any one of the established sessions, each established session corresponds to its own session CAR rate limit, and the session CAR rate limits of different sessions are isolated from one another;
the processing unit being further configured to apply session-cluster CAR rate limiting to the protocol packet after session CAR rate limiting, the session-cluster CAR rate limit corresponding to at least one established session; and
a sending unit, configured to send the protocol packet after session-cluster CAR rate limiting to a control plane device.

8. The packet attack defense apparatus according to claim 7, wherein the session-cluster CAR rate limit corresponding to at least one established session comprises: the session-cluster CAR rate limit corresponding to sessions of the same routing protocol, or to sessions of different routing protocols, among the established sessions.

9. The packet attack defense apparatus according to claim 7 or 8, wherein the session CAR rate limit uses the two-rate three-color two-bucket marker trTCM in color-blind mode, and the session-cluster CAR rate limit uses the single-rate three-color two-bucket marker srTCM in color-aware mode;
wherein the four traffic parameters of trTCM are the peak information rate PIR, the peak burst size PBS, the committed information rate CIR and the committed burst size CBS, and the three traffic parameters of srTCM are the committed information rate CIR, the committed burst size CBS and the excess burst size EBS.

10. The packet attack defense apparatus according to any one of claims 7 to 9, wherein, if the session-cluster CAR rate limit corresponds to all established sessions, the CIR of the session-cluster CAR rate limit is greater than or equal to the sum of the CIRs of all session CAR rate limits and less than or equal to the processing capability of the control plane device; and
if each session-cluster CAR rate limit corresponds to the sessions of one routing protocol among the established sessions, the CIR of each session-cluster CAR rate limit is greater than or equal to the sum of the CIRs of the session CAR rate limits of the sessions of that routing protocol, and the sum of the CIRs of the session-cluster CAR rate limits is less than or equal to the processing capability of the control plane device.

11. The packet attack defense apparatus according to any one of claims 7 to 10, wherein the CIR of the session-cluster CAR rate limit is greater than or equal to the PIR of the session CAR rate limit, and the CBS of the session-cluster CAR rate limit is greater than or equal to the PBS of the session CAR rate limit.

12. The packet attack defense apparatus according to any one of claims 7 to 11, wherein the processing unit is further configured to extract the session features of the packets of the established sessions and to issue access control list (ACL) rules;
the processing unit is specifically configured to determine, according to the session feature carried in the protocol packet, whether the protocol packet hits the ACL rule; and
if the protocol packet hits the ACL rule, the processing unit is further configured to determine that the protocol packet belongs to the first session.

13. A communication apparatus applied in a forwarding plane device, characterized in that the apparatus comprises a processor, the processor being configured to be coupled to a memory, to read instructions from the memory, and to perform, according to the instructions, the packet attack defense method according to any one of claims 1 to 6.

14. A computer storage medium storing computer program code, characterized in that, when the computer program code is run on a processor, it causes the processor to perform the packet attack defense method according to any one of claims 1 to 6.
CN201810712659.8A 2018-06-29 2018-06-29 Method and device for preventing packet attacks Active CN110661721B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810712659.8A CN110661721B (en) 2018-06-29 2018-06-29 Method and device for preventing packet attacks


Publications (2)

Publication Number Publication Date
CN110661721A CN110661721A (en) 2020-01-07
CN110661721B true CN110661721B (en) 2022-04-22

Family

ID=69027111


Country Status (1)

Country Link
CN (1) CN110661721B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114765621B (en) * 2020-12-31 2024-10-18 华为技术有限公司 Method, device and network equipment for detecting state of BGP session

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012063478A1 (en) * 2010-11-10 2012-05-18 株式会社日立製作所 Session management method, session management system, and program
CN105743843A (en) * 2014-12-08 2016-07-06 华为技术有限公司 Processing method and device of preventing packet attack

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9729399B2 (en) * 2015-03-11 2017-08-08 Verizon Patent And Licensing Inc. Bandwidth on demand automation


Also Published As

Publication number Publication date
CN110661721A (en) 2020-01-07

Similar Documents

Publication Publication Date Title
CN103299588B (en) Communication system, forwarding node and receiving packet processing method
CN101436995B (en) A Method of Fast IP Address Blocking Based on BGP Virtual Next Hop
CN101616097B (en) Method and system for managing output port queue of network processor
CN102857491B (en) Management schemes for filter sets
US9071529B2 (en) Method and apparatus for accelerating forwarding in software-defined networks
US7835285B2 (en) Quality of service, policy enhanced hierarchical disruption tolerant networking system and method
US8161145B2 (en) Method for managing of denial of service attacks using bandwidth allocation technology
US10263887B2 (en) Propagating flow characteristics in service function chaining (SFC) headers
US7680049B2 (en) Methods and apparatus for allowing promotion in color-based policers
JP2021516012A (en) Flow management in the network
US10079805B2 (en) Bypassing a firewall for authorized flows using software defined networking
US20100278189A1 (en) Methods and Apparatus for Providing Dynamic Data Flow Queues
WO2021197003A1 (en) Boundary filtering method and device for srv6 trust domain
US10291518B2 (en) Managing flow table entries for express packet processing based on packet priority or quality of service
CN111431811B (en) Message transmission control method, device and network equipment
WO2017107814A1 (en) Method, apparatus and system for propagating qos policies
CN107566286A (en) Distributing wideband network gateway function for effective content delivery network equity
US10326663B2 (en) Fabric-wide bandth management
CN113497800A (en) Boundary filtering method and device for SRv6 trust domain
US20090122784A1 (en) Method and device for implementing the security of the backbone network
CN114095448A (en) Method and equipment for processing congestion flow
CN107135185A (en) A kind of attack processing method, equipment and system
US7577737B2 (en) Method and apparatus for controlling data to be routed in a data communications network
CN110661721B (en) Method and device for preventing packet attacks
KR20160116622A (en) Openflow switch capable of service chaining

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant