CN105592063B - Multicast anti-attack method and device - Google Patents

Publication number
CN105592063B
Authority
CN
China
Prior art keywords
port
link state
multicast
state information
protocol module
Legal status
Active
Application number
CN201510730727.XA
Other languages
Chinese (zh)
Other versions
CN105592063A (en)
Inventor
王伟
梁玉洁
Current Assignee
New H3C Technologies Co Ltd
Original Assignee
New H3C Technologies Co Ltd
Application filed by New H3C Technologies Co Ltd
Priority to CN201510730727.XA
Publication of CN105592063A
Application granted
Publication of CN105592063B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 12/00 Data switching networks
    • H04L 12/02 Details
    • H04L 12/16 Arrangements for providing special services to substations
    • H04L 12/18 Arrangements for providing special services to substations for broadcast or conference, e.g. multicast

Abstract

The present invention provides a multicast anti-attack method and device. When any port of a multicast device receives a multicast protocol message that could make that port a router port, the device judges from the link state information of the port whether the port is at risk of attack; if so, it forbids adding the port as a router port and discards the message, otherwise it adds the port as a router port. The invention can prevent information leakage.

Description

Multicast anti-attack method and device
Technical Field
The invention relates to the technical field of communication, in particular to a multicast anti-attack method and device.
Background
IP multicast is a form of packet delivery between unicast and broadcast: IP data is generated by a single sender (the multicast source) and distributed over the network to a group of receivers.
IP multicast operating at the data link layer is called Layer 2 multicast, and the corresponding protocols are Layer 2 multicast protocols, including IGMP Snooping (Internet Group Management Protocol Snooping) and MLD Snooping (Multicast Listener Discovery Snooping). IGMP Snooping is the IPv4 Layer 2 multicast protocol and MLD Snooping the IPv6 one; the two are essentially the same, and the description below uses IPv4 as the example.
IGMP Snooping, abbreviated IGSP, runs mainly on the Layer 2 device between the IGMP router and the hosts and is used to manage and control multicast groups. A Layer 2 multicast device running IGMP Snooping analyses the IGMP messages it receives to build a mapping between ports and IP multicast addresses, and forwards multicast data according to that mapping.
IGSP divides ports into two types according to the protocol packets received on them: router ports and member ports. A router port generally faces an upstream Layer 3 multicast device, for example port Eth1/1 of switch A and port Eth1/1 of switch B in fig. 1; the IGSP module maintains a port that receives an IGMP general query or a PIM Hello as a router port. A member port typically faces downstream multicast group members, for example ports Eth1/2 and Eth1/3 of switch A and port Eth1/2 of switch B in fig. 1; the IGSP module maintains a port that receives an IGMP membership report as a member port of the corresponding multicast group.
In the existing implementation, when the IGSP module maintains a port that received an IGMP general query or a PIM Hello as a router port, it also sets the aging timer of that router port from the Max Resp Time field of the IGMP general query or the Holdtime field of the PIM Hello. A Layer 2 multicast device running IGSP forwards every multicast data message it receives to all router ports. So if a malicious attacker sends to some port a PIM Hello whose Holdtime never expires (the reserved value 0xFFFF) or an IGMP query carrying the maximum Max Resp Time, the IGSP module maintains that port as a router port that never ages out, or ages out only after an excessively long time, and unconditionally forwards all received multicast traffic to it, which can leak information.
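The two fields named above, decoded as an added example that is not part of the patent text: a small parser for the PIM Hello Holdtime option and for the IGMP query Max Resp Time, plus the aging time a pre-patent snooping module would derive from them. The packets are constructed for this example with zero checksums; the meaning of Holdtime 0xFFFF and the 105-second default come from RFC 7761, and the IGMPv3 Max Resp Code encoding from RFC 3376.

```python
"""Added example, not the patent's code: decode the two header fields that, per the
background section, a pre-patent IGMP-snooping module copies into the router-port
aging timer, and show the attacker-controlled values that stop the port from aging.
The PIM Hello and IGMP query bytes are constructed for this example; checksums are
left zero because the parsers do not verify them."""
import struct
from typing import Optional

PIM_HOLDTIME_INFINITE = 0xFFFF   # RFC 7761: neighbor state never times out
PIM_HOLDTIME_DEFAULT = 105       # RFC 7761: used when the Hello carries no Holdtime option


def pim_hello_holdtime(pim: bytes) -> Optional[int]:
    """Return the Holdtime (option type 1) of a PIMv2 Hello, or None if absent."""
    if len(pim) < 4 or pim[0] != 0x20:          # version 2 (high nibble), type 0 = Hello
        raise ValueError("not a PIMv2 Hello")
    off = 4                                     # ver/type, reserved, checksum
    while off + 4 <= len(pim):
        opt_type, opt_len = struct.unpack_from("!HH", pim, off)
        off += 4
        if off + opt_len > len(pim):
            raise ValueError("truncated PIM option")
        if opt_type == 1 and opt_len == 2:
            return struct.unpack_from("!H", pim, off)[0]
        off += opt_len                          # skip other options (e.g. DR priority)
    return None


def igmp_query_max_resp_tenths(igmp: bytes) -> int:
    """Max Resp Time of an IGMP Membership Query in tenths of a second.
    IGMPv2 (8-byte query) uses the code as-is; IGMPv3 (12+ bytes) uses the
    exponent/mantissa encoding of RFC 3376 section 4.1.1 for codes >= 128."""
    if len(igmp) < 8 or igmp[0] != 0x11:
        raise ValueError("not an IGMP Membership Query")
    code = igmp[1]
    if len(igmp) < 12 or code < 128:
        return code
    exp, mant = (code >> 4) & 0x7, code & 0xF
    return (mant | 0x10) << (exp + 3)


def naive_router_port_aging(msg: bytes, kind: str) -> Optional[float]:
    """Aging time in seconds a naive snooping module would arm for the receiving port,
    taken straight from the protocol field. None means the port never ages out."""
    if kind == "pim":
        holdtime = pim_hello_holdtime(msg)
        if holdtime is None:
            holdtime = PIM_HOLDTIME_DEFAULT
        return None if holdtime == PIM_HOLDTIME_INFINITE else float(holdtime)
    if kind == "igmp":
        return igmp_query_max_resp_tenths(msg) / 10.0
    raise ValueError(kind)


def build_pim_hello(holdtime: Optional[int]) -> bytes:
    """Constructed PIMv2 Hello carrying only the Holdtime option (zero checksum)."""
    hdr = struct.pack("!BBH", 0x20, 0, 0)
    return hdr if holdtime is None else hdr + struct.pack("!HHH", 1, 2, holdtime)


# Constructed queries: an IGMPv2 general query with Max Resp Time 10.0 s, and an
# IGMPv3 general query whose Max Resp Code is the largest encodable value.
IGMPV2_QUERY = struct.pack("!BBH4s", 0x11, 100, 0, bytes(4))
IGMPV3_QUERY_MAX = struct.pack("!BBH4sBBH", 0x11, 0xFF, 0, bytes(4), 0, 0, 0)

if __name__ == "__main__":
    print("legitimate Hello ->", naive_router_port_aging(build_pim_hello(105), "pim"), "s")
    print("attacker Hello   ->", naive_router_port_aging(build_pim_hello(0xFFFF), "pim"), "(never ages)")
    print("IGMPv2 query     ->", naive_router_port_aging(IGMPV2_QUERY, "igmp"), "s")
    print("IGMPv3 max code  ->", naive_router_port_aging(IGMPV3_QUERY_MAX, "igmp"), "s")
```

The Hello case is the one the patent targets: a single unauthenticated packet with Holdtime 0xFFFF pins the receiving port as a router port indefinitely. The IGMPv3 case shows why "maximum Max Resp Time" is a weaker but real variant, since the largest code decodes to roughly 53 minutes rather than the 25.5 seconds an IGMPv2 field can express.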
Disclosure of Invention
In view of the above, an object of the present invention is to provide a multicast attack prevention method and apparatus that can prevent information leakage.
To this end, the invention provides the following technical solution:
A multicast anti-attack method, comprising: when a multicast device receives a multicast protocol message that could make one of its ports a router port, judging from the link state information of that port whether the port is at risk of attack; if so, forbidding adding the port as a router port, otherwise adding the port as a router port.
A multicast attack prevention apparatus, applied to a multicast device, comprising a receiving unit, a judging unit and a processing unit, wherein:
the receiving unit is used by the multicast device to receive a multicast protocol message that could make one of its ports a router port;
the judging unit judges, after the multicast device has received the message, whether the port is at risk of attack according to the link state information of the port;
the processing unit forbids adding the port as a router port if the port is at risk of attack, and otherwise adds the port as a router port.
According to this solution, when it is determined that a port needs to be added as a router port, whether the port is at risk of attack is judged from the port's link state information, and the port is not added as a router port if a risk exists. The invention thereby effectively avoids information leakage. For example, when a malicious attacker sends to a port a PIM Hello whose Holdtime never expires or an IGMP query with the maximum Max Resp Time, so that the port would stay a router port and keep sending multicast traffic out, the solution detects that the port is under attack and removes it as a router port, avoiding the leak.
Drawings
FIG. 1 is a prior art IGSP port relationship diagram;
FIG. 2 is a flowchart of a multicast anti-attack method provided in an embodiment of the present invention;
FIG. 3 is a flowchart of a multicast anti-attack method according to an embodiment of the present invention;
FIG. 4 is a flowchart of a multicast anti-attack method according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a multicast attack prevention apparatus according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the present invention clearer, the technical solutions are described in detail below with reference to the accompanying drawings and embodiments.
The solution provided by the invention can be used in a Layer 2 network or between a Layer 2 network and a Layer 3 network.
Referring to fig. 2, fig. 2 is a flowchart of a multicast attack prevention method provided by an embodiment of the present invention. The method is applied to a multicast device and includes the following steps:
Step 201, receiving a multicast protocol message capable of making any port of the multicast device a router port.
In practice, when a port of a multicast device receives a general query or a multicast routing protocol Hello, the port needs to be added as a router port, so both the general query and the multicast routing protocol Hello are multicast protocol messages that can make a port a router port. In an IPv4 network the general query is an IGMP general query and the multicast routing protocol Hello is a PIM Hello; in an IPv6 network the general query is an MLD general query and the multicast routing protocol Hello is an IPv6 PIM Hello.
Step 202, judging whether the port is at risk of attack according to the link state information of the port; if so, forbidding adding the port as a router port and discarding the message, otherwise adding the port as a router port.
This embodiment is applied to the multicast protocol module of the multicast device. In an IPv4 network that module is an IGMP Snooping module or a multicast protocol module implemented on the IGMP Snooping function; in an IPv6 network it is an MLD Snooping module or a multicast protocol module implemented on the MLD Snooping function.
Before this step the multicast protocol module must obtain the link state information of the port: it establishes a connection to the link state protocol module in the multicast device, sends a link state query for the port to the link state protocol module over that connection, and receives the link state information of the port returned by the link state protocol module.
In this embodiment the link state information of the port includes whether a link state neighbor exists. Judging whether the port is at risk of attack from this information means: if the link state information indicates that the port has no link state neighbor, the port is at risk of attack; otherwise it is not.
When the port is found to be at risk of attack, it is not added as a router port, so multicast data messages received by the multicast device are not sent out of that port and no information can leak from it.
When the port is found not to be at risk of attack, it is added as a router port as in the prior art, and multicast data messages received by the multicast device are forwarded out of that port.
The following describes the implementation principle of the present invention in detail with reference to two specific embodiments.
Referring to fig. 3, fig. 3 is a flowchart of a multicast attack prevention method according to an embodiment of the present invention. The method is applied to the multicast protocol module of a multicast device and mainly includes the following steps:
Step 301, the multicast protocol module establishes a connection with the local link state protocol module.
The multicast device is provided with a multicast protocol module and a link state protocol module. Normally both are started by default, so the multicast protocol module can establish a connection with the link state protocol module directly.
However, the multicast protocol module may be started while the link state protocol module is not. To ensure that the two modules can establish a connection, the multicast protocol module may trigger the start of the link state protocol module when it is itself started, so that both modules are running before the connection is established.
In addition, of two adjacent multicast devices, one may have its link state protocol module started and the other not. To ensure that adjacent devices can establish a neighbor relationship through their link state protocol modules under normal conditions, after the multicast protocol module in a device starts it can send, from each port connected to the local area network, a notification message instructing the peer multicast device to start its link state protocol module; the peer starts the module on receipt, so the link state protocol modules of adjacent devices are running before neighbor connections are set up. The local area network must have multicast enabled for this. Once both devices have started their link state protocol modules they exchange link state protocol messages, and each module periodically sends Hello messages to its neighbors to maintain the link state neighbor relationship.
Step 302, when any port of the multicast device receives a general query or a multicast routing protocol Hello, the multicast protocol module obtains the link state information of that port over the established connection with the local link state protocol module.
In the prior art, when a general query or multicast routing protocol Hello arrives on a port, the port is added as a router port. In this embodiment the multicast device instead decides whether to add the port according to whether the port is at risk of attack, rather than adding it directly.
For any port of the multicast device, the local link state protocol module can run the link state protocol through that port with the link state protocol module of the peer device, and so holds the link state information of the port. Because the multicast protocol module has a connection to the local link state protocol module, it can request the link state information of any port over that connection.
In this step the multicast protocol module obtains the link state information of a port only when a general query or multicast routing protocol Hello is received on it. In practice the multicast protocol module may instead periodically fetch the link state information of all ports over the established connection, so that when a message that qualifies a port as a router port arrives it does not need to fetch the information on demand but judges the risk from the information fetched earlier.
The connection between the multicast protocol module and the link state protocol module may be established by any existing means, for example an interface module provided in the link state protocol module that the multicast protocol module calls; this is an engineering matter and is not described in detail.
The multicast protocol module obtains the link state information of a port over the established connection as follows: it sends a link state query for the port to the local link state protocol module and receives the link state information of the port returned by that module.
Step 303, judging whether the port has an attack risk according to the link state information of the port, if so, executing step 304, otherwise, executing step 305.
Here the link state information of the port includes whether a link state neighbor exists, which may be indicated by a flag with two values, for example 1 meaning the port has a link state neighbor and 0 meaning it does not.
Normally two multicast devices establish a protocol connection through their link state protocol modules and exchange link state information over it. While the connection is up the two devices are link state neighbors of each other, and in the link state information of the connecting port the flag takes the value for "neighbor present". After the connection is torn down the two devices are no longer link state neighbors, and the flag of the connecting port takes the value for "no neighbor".
Step 304, forbidding adding the port as a router port, discarding the received general query or multicast routing protocol Hello, and ending the process.
A port with no link state neighbor must not be a router port, otherwise information may leak. So if a general query or multicast routing protocol Hello arrives on a port of the multicast device whose link state information shows no link state neighbor, something abnormal has happened and the port may be under attack: the port is at risk of attack and must not be added as a router port.
Step 305, adding the port as a router port.
A port that has a link state neighbor may be a router port. So if a general query or multicast routing protocol Hello arrives on a port whose link state information shows a link state neighbor, the port is not under attack and not at risk, and it may be added as a router port.
Step 306, setting a timer for the port and repeating the following: when the timer expires, obtain the link state information of the port again and judge from it whether the port is at risk of attack; if so, cancel the port as a router port and stop the loop; otherwise keep the port as a router port and restart the timer. The timer duration may stay the same or change on each restart, for example be increased by a random value. The timer may initially be set to the default router port aging time, and in each subsequent round a value randomly chosen from a preset range (for example [1, 10]) may be added to the duration.
After a port is added as a router port, the timer set for it causes its link state information to be queried at intervals, so that an attack risk is detected promptly and the port is cancelled as a router port (that is, deleted from the router port list) when the risk appears; received multicast data messages are then no longer sent out of that port and no information leaks from it.
In practice a timer may also be set for every port of the multicast device; if a port is a router port, its link state information is queried once per timer period, and when that information shows the port no longer has a link state neighbor the port is judged to be at risk of attack and cancelled as a router port.
Referring to fig. 4, fig. 4 is a flowchart of a multicast attack prevention method according to an embodiment of the present invention. The method is applied to the multicast protocol module of a multicast device and mainly includes the following steps:
Step 401, the multicast protocol module establishes a connection with the local link state protocol module.
Step 402, when any port of the multicast device receives a general query or a multicast routing protocol Hello, the link state information of that port is obtained over the established connection with the local link state protocol module.
Step 403, judging whether the port is at risk of attack according to the link state information of the port; if so, executing step 404, otherwise executing step 405.
Step 404, forbidding adding the port as a router port, discarding the received general query or multicast routing protocol Hello, and ending the process.
Step 405, adding the port as a router port.
Steps 401 to 405 are the same as steps 301 to 305 of the first embodiment.
Step 406, registering the link state information of the port with the local link state protocol module.
Registering the link state information of the port with the local link state protocol module means sending a registration request for the link state information of the port to the local link state protocol module, which registers that information on receiving the request.
Because the port has just been added as a router port, in the link state information registered with the local link state protocol module the flag indicating whether the port has a link state neighbor takes the value for "neighbor present".
Step 407, when the local link state protocol module detects that the link state information of the port has changed, it sends a notification message indicating the change to the multicast protocol module.
When the protocol connection between the port and the link state protocol module of the peer multicast device is torn down, the link state neighbor on the port is deleted and the port no longer has a link state neighbor, so the link state information of the port has changed.
After the multicast protocol module registers the link state information of a port with the local link state protocol module, that module monitors the port's link state information, and when it observes a change (for example in whether a link state neighbor exists) it sends the multicast protocol module a notification message carrying the port's changed link state information, from which the multicast protocol module learns that the port's link state information has changed.
The link state protocol module may send the notification only when the neighbor-presence item of the port's link state information changes; the multicast protocol module then cancels the port as a router port directly. Alternatively the link state protocol module may send a notification whenever any item of the port's link state information changes; the multicast protocol module then first checks whether the changed item is the presence of a link state neighbor, and cancels the port as a router port only if it is.
Note that the change is judged against the registered state, namely that a link state neighbor is present.
Step 408, the multicast protocol module receives the notification message from the local link state protocol module indicating that the link state information of the port has changed, and cancels the port as a router port.
After a port is added as a router port, the local link state protocol module promptly notifies the multicast protocol module when it detects that the port's link state information has changed, so the attack risk is found in time and the port is cancelled as a router port (that is, deleted from the router port list) when the risk appears, avoiding information leakage from the port.
Compared with the first embodiment, this reduces the information exchanged between the multicast protocol module and the link state protocol module.
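The decision of steps 201 to 202, together with the two ways of keeping it current described above (the timer re-check of step 306 and the registration and notification of steps 406 to 408), as an added example that is not the patent's or H3C's code. LinkStateModule stands in for the device's link state protocol module and, as in the patent, the only link state information it exposes is whether a port has a link state neighbor. Port names, clock values and the 105-second default aging time are assumptions made for the example.

```python
"""Added example, not the patent's or H3C's code: a simulation of the router-port
decision of fig. 2 together with the two ways of keeping it current, the timer
re-check of fig. 3 (step 306) and the registration/notification of fig. 4 (steps
406-408). LinkStateModule stands in for the device's link state protocol module;
as in the patent, the only link state information consulted is whether the port
has a link state neighbor. Port names, clock values and the 105-second default
aging time are assumptions made for this example."""
import random
from typing import Callable, Dict, List, Optional, Set, Tuple

DEFAULT_ROUTER_PORT_AGING = 105.0   # seconds; assumed default router port aging time


class LinkStateModule:
    """Stub of the local link state protocol module: answers the link state query
    of step 302 and notifies registered subscribers when a neighbor goes away."""

    def __init__(self, ports_with_neighbor: Set[str]):
        self._neighbors = set(ports_with_neighbor)
        self._subscribers: Dict[str, Callable[[str, bool], None]] = {}

    def has_neighbor(self, port: str) -> bool:
        return port in self._neighbors

    def register(self, port: str, callback: Callable[[str, bool], None]) -> None:
        self._subscribers[port] = callback         # registration request, step 406

    def neighbor_down(self, port: str) -> None:
        """The peer's link state session dropped: delete the neighbor and, if the
        multicast protocol module registered for this port, notify it (step 407)."""
        self._neighbors.discard(port)
        if port in self._subscribers:
            self._subscribers[port](port, False)


class SnoopingModule:
    """The multicast protocol module (IGMP/MLD snooping) with the patent's check.
    mode 'poll' follows fig. 3, mode 'notify' follows fig. 4."""

    def __init__(self, ls: LinkStateModule, mode: str, seed: Optional[int] = None,
                 jitter_range: Tuple[int, int] = (1, 10)):
        if mode not in ("poll", "notify"):
            raise ValueError(mode)
        self.ls, self.mode, self.jitter_range = ls, mode, jitter_range
        self.rng = random.Random(seed)
        self.router_ports: Dict[str, float] = {}   # port -> timer deadline
        self.timer_len: Dict[str, float] = {}      # port -> current timer duration
        self.dropped: List[Tuple[str, str]] = []   # discarded (port, message) pairs

    def port_at_risk(self, port: str) -> bool:
        """Step 303: a port without a link state neighbor is at risk of attack."""
        return not self.ls.has_neighbor(port)

    def on_router_port_message(self, port: str, msg: str, now: float) -> bool:
        """Steps 201-202: a general query or PIM Hello arrived on `port`. Returns
        True if the port was added as a router port, False if it was refused and
        the message discarded."""
        if self.port_at_risk(port):
            self.dropped.append((port, msg))                          # step 304
            return False
        self.timer_len[port] = DEFAULT_ROUTER_PORT_AGING
        self.router_ports[port] = now + DEFAULT_ROUTER_PORT_AGING    # step 305
        if self.mode == "notify":
            self.ls.register(port, self._on_link_state_change)       # step 406
        return True

    def poll_tick(self, port: str, now: float) -> bool:
        """Step 306 (poll mode): once the timer has expired, query the link state
        again; cancel the router port if at risk, otherwise re-arm the timer with
        its duration increased by a random value in jitter_range. Returns whether
        the port is (still) a router port."""
        deadline = self.router_ports.get(port)
        if deadline is None or now < deadline:
            return deadline is not None
        if self.port_at_risk(port):
            self._cancel(port)
            return False
        self.timer_len[port] += self.rng.randint(*self.jitter_range)
        self.router_ports[port] = now + self.timer_len[port]
        return True

    def _on_link_state_change(self, port: str, has_neighbor: bool) -> None:
        """Step 408 (notify mode): the neighbor flag changed, cancel the router port."""
        if not has_neighbor:
            self._cancel(port)

    def _cancel(self, port: str) -> None:
        self.router_ports.pop(port, None)          # delete from the router port list
        self.timer_len.pop(port, None)

    def flood_ports(self, ingress: str) -> Set[str]:
        """Router ports a multicast data message received on `ingress` is sent to."""
        return {p for p in self.router_ports if p != ingress}


if __name__ == "__main__":
    ls = LinkStateModule({"Eth1/1"})               # only the uplink has a neighbor
    snoop = SnoopingModule(ls, "poll", seed=7)
    print(snoop.on_router_port_message("Eth1/1", "PIM Hello", now=0.0))   # True
    print(snoop.on_router_port_message("Eth1/3", "PIM Hello", now=0.0))   # False, dropped
    ls.neighbor_down("Eth1/1")
    print(snoop.poll_tick("Eth1/1", now=105.0))                           # False, cancelled
```

In poll mode the window between the neighbor going away and the port being removed is at most one timer period, which the random increment keeps from lining up with a periodic attacker; in notify mode the removal happens on the same event that deletes the neighbor, at the cost of the registration interface between the two modules.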
Having described the multicast anti-attack method of the invention in detail, the multicast anti-attack apparatus is described below with reference to fig. 5.
Referring to fig. 5, fig. 5 is a schematic structural diagram of a multicast attack prevention apparatus according to an embodiment of the present invention. The apparatus is applied to a multicast device and, as shown in fig. 5, includes a receiving unit 501, a judging unit 502 and a processing unit 503, wherein:
the receiving unit 501 is configured to receive, at any port of the multicast device, a multicast protocol message that could make that port a router port;
the judging unit 502 is configured to judge, after the receiving unit 501 receives a general query or multicast routing protocol Hello at any port of the multicast device, whether that port is at risk of attack according to the link state information of the port;
the processing unit 503 is configured to forbid adding the port as a router port and discard the message if the port is at risk of attack, and otherwise to add the port as a router port.
In the apparatus shown in fig. 5 the link state information of the port includes whether a link state neighbor exists;
the judging unit judges whether any port is at risk of attack from its link state information as follows: if the link state information indicates that the port has no link state neighbor, the port is at risk of attack; otherwise it is not.
The apparatus shown in fig. 5 further includes an obtaining unit 504;
the obtaining unit 504 is configured to obtain the link state information of the port before the judging unit 502 judges whether the port is at risk of attack, specifically by sending a link state query for the port to the link state protocol module of the multicast device over the established connection with that module and receiving the link state information of the port returned by it.
In one embodiment of the present invention,
when the processing unit 503 adds the port as a router port it further sets a timer for the port and repeats the following:
when the timer expires, obtain the link state information of the port again and judge from it whether the port is at risk of attack; if so, cancel the port as a router port and stop the loop; otherwise keep the port as a router port, increase the timer duration by a random value and restart the timer.
In a further embodiment of the present invention,
when the port is added as a router port, the processing unit 503 further sends a registration request for the link state information of the port to the link state protocol module so that the link state protocol module monitors the port's link state information, and cancels the port as a router port if it receives the notification message that the link state protocol module sends when that information changes.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A multicast anti-attack method, applied to a multicast device, characterized in that the method comprises the following steps:
when the multicast device receives a multicast protocol message that would make a port of the multicast device a router port, judging whether the port has an attack risk according to the link state information of the port; if so, prohibiting the port from being added as a router port, otherwise adding the port as a router port;
wherein the link state information of the port comprises: whether a link state neighbor exists;
and judging whether the port has an attack risk according to the link state information of the port specifically comprises: if the link state information of the port indicates that the port has no link state neighbor, determining that the port has an attack risk; otherwise, determining that the port has no attack risk.
2. The method of claim 1, wherein the multicast device comprises a multicast protocol module and a link state protocol module, and the method is applied to the multicast protocol module of the multicast device;
before judging whether the port has an attack risk according to the link state information of the port, the method further comprises obtaining the link state information of the port, which specifically comprises: establishing a connection with the link state protocol module, sending a link state query message for the port to the link state protocol module, and receiving the link state information returned by the link state protocol module.
3. The method of claim 2, wherein, when the port is added as a router port, the method further comprises setting a timer for the port and executing the following operations in a loop:
when the timer expires, obtaining the link state information of the port again and judging from it whether the port has an attack risk; if the port has an attack risk, cancelling the port as a router port and ending the loop; otherwise, continuing to maintain the port as a router port and restarting the timer.
4. The method of claim 2, wherein, when the port is added as a router port, the method further comprises: sending a registration request for the link state information of the port to the link state protocol module, so that the link state protocol module monitors the link state information of the port; and, if a notification message sent by the link state protocol module when the link state information of the port changes is received, cancelling the port as a router port.
5. The method of claim 2, wherein, when the link state protocol module receives a link state query message for the port sent by the multicast protocol module, it queries the link state information of the port and returns the link state information of the port to the multicast protocol module.
6. The method of claim 2, wherein, when the link state protocol module receives a registration request from the multicast protocol module for the link state information of the port, it registers the link state information of the port and returns a notification message when the link state information of the port changes.
7. A multicast anti-attack apparatus, applied to a multicast device, the apparatus comprising a receiving unit, a judging unit and a processing unit;
the receiving unit is configured to receive, for the multicast device, a multicast protocol message that would make a port of the multicast device a router port;
the judging unit is configured to judge, after the multicast device receives the multicast protocol message, whether the port has an attack risk according to the link state information of the port;
the processing unit is configured to prohibit the port from being added as a router port if the port has an attack risk, and otherwise to add the port as a router port;
wherein the link state information of the port comprises: whether a link state neighbor exists;
and the judging unit judges whether the port has an attack risk according to the link state information of the port as follows: if the link state information of the port indicates that the port has no link state neighbor, it determines that the port has an attack risk; otherwise, it determines that the port has no attack risk.
8. The apparatus of claim 7, wherein the multicast device comprises a multicast protocol module and a link state protocol module, the apparatus is applied to the multicast protocol module, and the apparatus further comprises an obtaining unit;
the obtaining unit is configured to obtain the link state information of the port before the judging unit judges whether the port has an attack risk according to that information, which specifically comprises: establishing a connection with the link state protocol module, sending a link state query message for the port to the link state protocol module, and receiving the link state information returned by the link state protocol module.
9. The apparatus of claim 8, wherein the processing unit, when adding the port as a router port, further sets a timer for the port and executes the following operations in a loop:
when the timer expires, obtaining the link state information of the port again and judging from it whether the port has an attack risk; if the port has an attack risk, cancelling the port as a router port and ending the loop; otherwise, continuing to maintain the port as a router port and restarting the timer.
10. The apparatus of claim 8, wherein the processing unit, when adding the port as a router port, further sends a registration request for the link state information of the port to the link state protocol module, so that the link state protocol module monitors the link state information of the port, and, if a notification message sent by the link state protocol module when the link state information of the port changes is received, cancels the port as a router port.
CN201510730727.XA 2015-10-30 2015-10-30 A kind of multicast anti-attack method and device Active CN105592063B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510730727.XA CN105592063B (en) 2015-10-30 2015-10-30 A kind of multicast anti-attack method and device

Publications (2)

Publication Number Publication Date
CN105592063A CN105592063A (en) 2016-05-18
CN105592063B true CN105592063B (en) 2019-04-12

Family

ID=55931280

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510730727.XA Active CN105592063B (en) 2015-10-30 2015-10-30 A kind of multicast anti-attack method and device

Country Status (1)

Country Link
CN (1) CN105592063B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10142239B2 (en) * 2017-02-27 2018-11-27 Juniper Networks, Inc. Synchronizing multicast state between multi-homed routers in an Ethernet virtual private network
CN114221775A (en) * 2020-09-18 2022-03-22 北京金山云网络技术有限公司 Early warning method and device for dangerous port, cloud server and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101207473A (en) * 2006-12-18 2008-06-25 中兴通讯股份有限公司 Method for multicast implementation of switch-in layer network in IPTV system
CN101547100A (en) * 2009-05-07 2009-09-30 杭州华三通信技术有限公司 Method and system for multicast receiving control
CN102111279A (en) * 2011-02-28 2011-06-29 杭州华三通信技术有限公司 Method and equipment for transmitting multicast data
CN102368707A (en) * 2011-10-31 2012-03-07 华为技术有限公司 Method, equipment and system for multicast control
CN102905199A (en) * 2012-09-28 2013-01-30 杭州华三通信技术有限公司 Implement method and device of multicast service and device thereof
CN103475591A (en) * 2013-08-28 2013-12-25 杭州华三通信技术有限公司 Method and device for forwarding multicast data and software defined network controller

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7742407B2 (en) * 2005-11-10 2010-06-22 Scientific-Atlanta, Llc Quality of service management in a switched digital video environment

Also Published As

Publication number Publication date
CN105592063A (en) 2016-05-18

Similar Documents

Publication Publication Date Title
EP3367619B1 (en) Synchronizing multicast state between multi-homed routers in an ethernet virtual private network
Handley et al. Bidirectional protocol independent multicast (BIDIR-PIM)
US8539088B2 (en) Session monitoring method, apparatus, and system based on multicast technologies
CN113364610B (en) Network equipment management method, device and system
US9276898B2 (en) Method and device for link fault detecting and recovering based on ARP interaction
US20110267962A1 (en) Method and system for predictive designated router handover in a multicast network
EP2991292B1 (en) Network collaborative defense method, device and system
US8817683B2 (en) Network relay apparatus and inter-network relay method
CN101534226A (en) VLAN-based whole network loop detection method and loop detection equipment
KR20120084774A (en) Method, apparatus and system for duplicate address detection proxy
Aldrin et al. Seamless Bidirectional Forwarding Detection (S-BFD) Use Cases
CN103117935A (en) Multicast data forwarding method and multicast data forwarding device applied to multi-homing networking
CN105592063B (en) A kind of multicast anti-attack method and device
EP3291486B1 (en) Selective transmission of bidirectional forwarding detection (bfd) messages for verifying multicast connectivity
EP3059910B1 (en) Method and system for redundancy protection
EP2439876B1 (en) Method and device for requesting multicasting, processing multicasting requests and assisting in the aforementioned process
CN102064956B (en) Method for regulating aging time, system and modulator-demodulator
EP2736204B1 (en) Rendezvous Point Convergence Method and Apparatus
CN110661628B (en) Method, device and system for realizing data multicast
CN108366013B (en) Message forwarding method and device
ES2797729T3 (en) Method and system to reduce the change in the DR of the PIM protocol
US8327023B2 (en) Querier election method, router, and network system
CN104579794B (en) Query facility fault detection method and device
KR101296376B1 (en) Method for protecting host apparatus in ipv6 network, and network management apparatus thereof
WO2015120581A1 (en) Traffic loop detection in a communication network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
CB02 Change of applicant information

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant after: Xinhua three Technology Co., Ltd.

Address before: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant before: Huasan Communication Technology Co., Ltd.

GR01 Patent grant
GR01 Patent grant