CN107547535B - Anti-attack MAC address learning method and device and network equipment - Google Patents

Info

Publication number
CN107547535B
Authority
CN
China
Prior art keywords
mac
mac address
table entry
message
entry
Legal status
Active
Application number
CN201710739080.6A
Other languages
Chinese (zh)
Other versions
CN107547535A (en)
Inventor
张哲�
Current Assignee
New H3C Information Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201710739080.6A
Publication of CN107547535A
Application granted
Publication of CN107547535B
Legal status: Active (current)

Abstract

The disclosure provides an anti-attack MAC address learning method, apparatus and network device. The method comprises: when a forwarding chip of the network device receives a packet, parsing the source MAC address and the destination MAC address of the packet; looking up the MAC entries of the forwarding chip using the source MAC address and the destination MAC address, where the MAC entries comprise temporary MAC entries and formal MAC entries and the aging time of a temporary MAC entry is shorter than that of a formal MAC entry; if a matching entry for the destination MAC address is found among the temporary MAC entries, refreshing that entry into a formal MAC entry and establishing a formal MAC entry for the source MAC address; and if no matching entry for either the source MAC address or the destination MAC address is found among the temporary MAC entries, establishing a temporary MAC entry for the source MAC address. The method and apparatus quickly release entry storage space in the device and thereby improve the anti-attack capability of the network device.

Description

Anti-attack MAC address learning method and device and network equipment
Technical Field
The present disclosure relates to the field of network technologies, and in particular to an anti-attack MAC (Media Access Control) address learning method, apparatus and network device.
Background
In network devices such as switches, the mapping between a MAC address and a port of the device is maintained by parsing and learning the source MAC address of each received packet, and the mapping is stored in a chip of the device in the form of table entries. When the device forwards a packet, it looks up the packet's destination MAC address in the entries to obtain the egress port; if the destination MAC address is not found, the packet is flooded to all other ports.
However, the MAC address learning process is exposed to a source MAC address attack: an attacker continuously changes the source MAC address of the malicious packets it sends, and the switch or router keeps learning each new source MAC address, so a large number of garbage entries are created on the network device. The entry storage space is quickly exhausted and legitimate MAC addresses can no longer be learned.
Disclosure of Invention
In view of this, an object of the present disclosure is to provide an anti-attack MAC address learning method, apparatus and network device that improve the anti-attack capability of the network device.
To achieve the above object, the disclosure adopts the following technical solution:
In a first aspect, the present disclosure provides an anti-attack MAC address learning method, comprising: when a forwarding chip of the network device receives a packet, parsing the source MAC address and the destination MAC address of the packet; looking up the MAC entries of the forwarding chip using the source MAC address and the destination MAC address, where the MAC entries comprise temporary MAC entries and formal MAC entries and the aging time of a temporary MAC entry is shorter than that of a formal MAC entry; if a matching entry for the destination MAC address is found among the temporary MAC entries, refreshing that entry into a formal MAC entry and establishing a formal MAC entry for the source MAC address; and if no matching entry for either the source MAC address or the destination MAC address is found among the temporary MAC entries, establishing a temporary MAC entry for the source MAC address.
In a second aspect, the present disclosure provides an anti-attack MAC address learning apparatus, comprising: a parsing module, which parses the source MAC address and the destination MAC address of a packet when a forwarding chip of the network device receives the packet; a lookup module, which looks up the MAC entries of the forwarding chip using the source MAC address and the destination MAC address, where the MAC entries comprise temporary MAC entries and formal MAC entries and the aging time of a temporary MAC entry is shorter than that of a formal MAC entry; a first entry establishing module, which, if a matching entry for the destination MAC address is found among the temporary MAC entries, refreshes that entry into a formal MAC entry and establishes a formal MAC entry for the source MAC address; and a second entry establishing module, which, if no matching entry for either the source MAC address or the destination MAC address is found among the temporary MAC entries, establishes a temporary MAC entry for the source MAC address.
In a third aspect, the present disclosure provides a network device comprising a memory and a processor; the memory stores one or more computer instructions which, when executed by the processor, implement the above anti-attack MAC address learning method.
In a fourth aspect, the present disclosure provides a machine-readable storage medium storing machine-executable instructions which, when invoked and executed by a processor, cause the processor to implement the above anti-attack MAC address learning method.
The present disclosure brings the following beneficial effects:
According to the anti-attack MAC address learning method, apparatus, network device and machine-readable storage medium, the MAC entries comprise temporary MAC entries and formal MAC entries. If the destination MAC address of a packet matches a temporary MAC entry, both the destination MAC address and the source MAC address of the packet are set as formal entries; if neither the source MAC address nor the destination MAC address matches a temporary MAC entry, a temporary entry is established for the source MAC address. Because the aging time of a temporary entry is short, a MAC address placed in the temporary list is deleted quickly if no reverse packet with that MAC address as its destination is received within the aging time. Under a source MAC traversal attack, this learning mode, which combines temporary entries with confirmation by bidirectional packet exchange, quickly releases entry storage space in the device and thereby improves its anti-attack capability.
Additional features and advantages of the disclosure are set forth in the description that follows, or may be learned by practising the techniques of the disclosure.
To make the aforementioned objects, features and advantages of the present disclosure more comprehensible, preferred embodiments are described in detail below with reference to the accompanying figures.
Drawings
To illustrate the embodiments of the present disclosure or the prior-art solutions more clearly, the drawings needed for describing them are briefly introduced below. The drawings show some embodiments of the present disclosure; other drawings can be derived from them by those skilled in the art without creative effort.
Fig. 1 is a schematic diagram of an application environment of a MAC address learning method according to an embodiment of the present disclosure;
Fig. 2 is a flowchart of an anti-attack MAC address learning method according to an embodiment of the present disclosure;
Fig. 3 is a flowchart of another anti-attack MAC address learning method according to an embodiment of the present disclosure;
Fig. 4 is a schematic diagram of another anti-attack MAC address learning process according to an embodiment of the present disclosure;
Fig. 5 is a flowchart of another anti-attack MAC address learning method according to an embodiment of the present disclosure;
Fig. 6 is a schematic diagram of another anti-attack MAC address learning process according to an embodiment of the present disclosure;
Fig. 7 is a flowchart of another anti-attack MAC address learning method according to an embodiment of the present disclosure;
Fig. 8 is a schematic diagram of another anti-attack MAC address learning process according to an embodiment of the present disclosure;
Fig. 9 is a schematic structural diagram of an anti-attack MAC address learning apparatus according to an embodiment of the present disclosure;
Fig. 10 is a schematic structural diagram of a network device according to an embodiment of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the embodiments of the present disclosure will be described clearly and completely with reference to the accompanying drawings, and it is to be understood that the described embodiments are some, but not all embodiments of the present disclosure. All other embodiments, which can be derived by one of ordinary skill in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
Referring to Fig. 1, an application environment of the MAC address learning method is shown. PORT1 of the network device receives packet 1, sent by PC A to PC C. If no MAC entry for PC C is stored in the network device, packet 1 is sent to all other ports (including PORT2 and PORT3), and the source MAC address of PC A is learned into the MAC table. PORT3 of the network device then receives packet 2, sent by PC C to PC A; since the MAC address of PC A is already stored in the device, packet 2 is sent only to the port corresponding to that MAC address (PORT1). If the network device comprises several chips, the MAC entries are stored synchronously in each chip. In this source-MAC learning mode, when the device is subjected to a source MAC traversal attack, the switch or router keeps learning new source MAC addresses, a large number of garbage entries are created, the entry storage space is quickly exhausted, and legitimate MAC addresses can no longer be learned.
To improve the anti-attack capability of a network device, a more efficient and stable MAC address learning method is needed. To that end, the embodiments of the disclosure provide an anti-attack MAC address learning method, apparatus, network device and machine-readable storage medium. The technique can be widely applied to switches, routers, gateways and other network devices that must continuously learn MAC addresses, and may be implemented in software or hardware, as described below by way of example.
In one embodiment, refer to the flowchart of the anti-attack MAC address learning method shown in Fig. 2; the method can be applied to a network device. Generally, a network device is provided with a central processing unit (CPU) and one or more forwarding chips connected to the CPU; each forwarding chip is connected to communication ports of the device, and when there are several forwarding chips, the device's communication ports belong to different forwarding chips. In the network device, the CPU generally controls the forwarding chips to perform MAC address learning and packet forwarding.
The method may be performed by the CPU of the network device and comprises the following steps:
Step S202: when a forwarding chip of the network device receives a packet, parse the source MAC address and the destination MAC address of the packet.
A packet is the data unit exchanged and transmitted in the network, that is, the block of data sent by a sending or forwarding station in one transmission. Besides the payload, a packet carries additional information in its headers, such as destination IP address, destination MAC address, source IP address, source MAC address, data length and encryption information; by parsing the packet, the network device obtains this information.
Step S204: look up the MAC entries of the forwarding chip using the source MAC address and the destination MAC address. The MAC entries comprise temporary MAC entries and formal MAC entries, and the aging time of a temporary MAC entry is shorter than that of a formal MAC entry.
The aging time in this embodiment is used to delete entries: when a network device learns a mapping (MAC entry) between a MAC address and one of its ports, it sets an aging time for the mapping, and once the mapping has been stored for that long it is deleted to free the storage space it occupies.
In practice, two lists can be kept in the chip, one storing the temporary MAC entries and one storing the formal MAC entries, with the aging time of the entries in each list set according to the type of entry. Alternatively, temporary and formal entries can be stored in a single list in the chip and distinguished by setting a different aging time on each entry.
Step S206: if a matching entry for the destination MAC address is found among the temporary MAC entries, refresh that entry into a formal MAC entry and establish a formal MAC entry for the source MAC address.
Step S208: if no matching entry for either the source MAC address or the destination MAC address is found among the temporary MAC entries, establish a temporary MAC entry for the source MAC address.
In this embodiment, the case in which no matching entry for the destination MAC address is found among the temporary MAC entries covers two sub-cases: the matching entry for the destination MAC address is a formal MAC entry, or neither the temporary nor the formal MAC entries contain an entry matching the destination MAC address.
When both the source MAC address and the destination MAC address already match formal MAC entries, the packet is forwarded or otherwise processed directly according to the prior art and no MAC address learning is needed, so this case is not described further.
In practice, the conditions of steps S206 and S208 may be checked simultaneously, or step S208 may be checked before step S206.
For example, when the device receives packet 1 with source MAC 1-1-1 and finds no entry for 1-1-1 among either the temporary or the formal entries, it first establishes a temporary entry for 1-1-1. When the device then receives packet 2 with source MAC 2-2-2 and destination MAC 1-1-1, it finds the entry for 1-1-1 among the temporary entries, refreshes 1-1-1 into a formal entry, and establishes a formal entry for 2-2-2. The destination MAC of packet 2 is the source MAC of packet 1, so packet 2 is the reverse packet of packet 1; receiving the reverse packet indicates that 1-1-1 and 2-2-2 are both reliable MAC addresses and that the packets involving them are unlikely to be garbage packets.
Of course, once formal entries have been established for 1-1-1 and 2-2-2, the device no longer learns the MAC addresses of further packets involving 1-1-1 and 2-2-2, and simply forwards them according to their destination MAC address.
As another example, if after the temporary entry for 1-1-1 is established no packet with destination MAC 1-1-1 is received within the aging time of that entry, that is, no reverse packet of packet 1 appears, then the packets involving 1-1-1 are probably garbage packets and 1-1-1 is probably a suspected attack MAC. Because the aging time of a temporary entry is short, 1-1-1 is deleted quickly, which prevents a large number of attack MACs from occupying the entry storage space of the forwarding chip.
In the anti-attack MAC address learning method of this embodiment, the MAC entries comprise temporary MAC entries and formal MAC entries. If the destination MAC address of a packet matches a temporary MAC entry, both the destination MAC address and the source MAC address of the packet are set as formal entries; if neither the source MAC address nor the destination MAC address matches a temporary MAC entry, a temporary entry is established for the source MAC address. Because the aging time of a temporary entry is short, a MAC address placed in the temporary list is deleted quickly if no reverse packet with that MAC address as its destination is received within the aging time. Under a source MAC traversal attack, this learning mode, which combines temporary entries with confirmation by bidirectional packet exchange, quickly releases entry storage space in the device and thereby improves its anti-attack capability.
In another embodiment, refer to the flowchart of another anti-attack MAC address learning method shown in Fig. 3 and the schematic diagram of the corresponding learning process shown in Fig. 4. To save storage space while improving the anti-attack capability of the network device, the step of refreshing the matching entry into a formal MAC entry when a matching entry for the destination MAC address is found among the temporary MAC entries is specifically: if a matching entry for the destination MAC address is found among the temporary MAC entries and the packet is a broadcast packet from the switching network side, check whether the port recorded in the matching entry belongs to this forwarding chip; if so, refresh the matching entry into a formal MAC entry; if not, discard the packet and end the current flow.
In this embodiment the network device comprises three forwarding chips, chip A, chip B and chip C; in the initial state none of them stores any entries.
Referring to Figs. 3 and 4, the method comprises the following steps:
Step S302: when chip A of the network device receives packet 1, parse its source MAC address 1-1-1 and destination MAC address 2-2-2.
Step S304: in chip A, no matching entry exists because chip A stores no entries, so a temporary entry is established for the source MAC address 1-1-1. In this embodiment the identifier of the forwarding chip to which the port belongs is used as the port identifier, so the temporary entry comprises the MAC address 1-1-1 and the port identifier A. Packet 1 is then broadcast into the switching network, which delivers it to chip B and chip C within the current VLAN (Virtual Local Area Network).
Packet 1 may be a broadcast packet on the switching network side or a unicast packet on the interface side: a unicast packet received on an interface is sent through the switching network, and that transmission may take the form of a broadcast, so that packet 1 reaches the other chips.
Step S306: when chip B and chip C receive packet 1, parse its source MAC address 1-1-1 and destination MAC address 2-2-2.
Step S308: in chip B and chip C, establish temporary entries for the source MAC address 1-1-1 and forward packet 1.
Because chips A, B and C store no entries and packet 1 is the first packet received by the network device, every chip learns the source MAC address of packet 1; after learning, packet 1 is forwarded, and the MAC address learning process for packet 1 is complete.
Step S310: when chip C of the network device receives packet 2, parse its source MAC address 2-2-2 and destination MAC address 1-1-1; packet 2 is evidently the reverse packet of packet 1.
Step S312: look up the MAC entries in chip C using the destination MAC address 1-1-1 of packet 2.
Step S314: a matching entry for MAC address 1-1-1 is found among the temporary entries of chip C; refresh 1-1-1 into a formal entry, establish a formal entry for the source MAC address 2-2-2, and broadcast packet 2 into the switching network.
Step S316: when chip A and chip B receive packet 2, parse its source MAC address 2-2-2 and destination MAC address 1-1-1.
Step S318: after finding the matching entry for the destination MAC address 1-1-1 among the temporary entries of chip A and of chip B, check whether the port recorded in that entry belongs to the receiving forwarding chip. In this embodiment this is done by checking whether the port identifier in the entry equals the identifier of the forwarding chip.
In this embodiment, an entry stores the mapping between a MAC address and a port identifier of the device. Because packet 1 was received by chip A, the temporary entry for 1-1-1 in every chip records port identifier A. Hence, for chip A, the port identifier A in its 1-1-1 entry equals the identifier A of the forwarding chip, so the port corresponding to MAC address 1-1-1 is determined to belong to chip A itself; for chip B, the port identifier A in its 1-1-1 entry differs from the identifier B of the forwarding chip, so the port corresponding to MAC address 1-1-1 is determined not to belong to chip B. Steps S320 and S322 follow accordingly.
Step S320: in chip A, the port recorded in the temporary entry for 1-1-1 belongs to the forwarding chip, so the matching entry for 1-1-1 is refreshed into a formal MAC entry, and the source MAC address 2-2-2 of packet 2 is set as a formal entry.
After the entries for 1-1-1 and 2-2-2 have been refreshed into formal entries, the current packet 2 is forwarded (in the manner of the prior art, not described further here); when a packet with destination MAC address 1-1-1 or 2-2-2 is later received on the interface side, it is sent in unicast.
Step S322: in chip B, the port recorded in the temporary entry for 1-1-1 does not belong to the forwarding chip, so packet 2 is discarded and the current flow ends.
In Fig. 4, solid arrows show the flow of packet 1 and dotted arrows the flow of packet 2. Packet 1 enters through a communication port belonging to chip A, and after steps S302 to S308 a temporary entry for 1-1-1 exists in chips A, B and C. Packet 2 enters through a communication port of chip C, and after steps S310 to S322 formal entries for 1-1-1 and 2-2-2 exist in chips A and C. Because neither packet 1 nor packet 2 entered through a port of chip B, no formal entry is established in chip B, and chip B's temporary entry for 1-1-1 is deleted when its aging time expires.
In the anti-attack MAC address learning method of this embodiment, the MAC entries comprise temporary and formal MAC entries; when the port identifier in the matching entry for the packet's destination MAC address identifies a port of the receiving forwarding chip, the matching entry is refreshed into a formal entry, and otherwise the forwarding chip discards the packet. In this way each chip establishes formal MAC entries only for its own ports, and chips that carry no bidirectional traffic for the pair release the storage space quickly, improving the anti-attack capability of the network device.
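The following Python simulation is an added example and is not code from the patent or from H3C. It models the learning rules of the embodiment of Fig. 2 (steps S202 to S208, with the case distinctions described after them) together with the port-identifier check for fabric broadcasts of the embodiment of Figs. 3 and 4, and it uses the chip identifier as the port identifier as that embodiment does. The class and function names, the aging times, the per-chip table capacity, the destination "9-9-9" and attacker addresses, and the choice not to refresh an existing temporary entry on further one-way packets are assumptions made for the example. Running it reproduces the end state of Fig. 4 (formal entries for 1-1-1 and 2-2-2 only in chips A and C, a temporary 1-1-1 in chip B) and shows a source MAC traversal attack filling a chip's table with temporary entries that are all gone after the short aging time while the two formal entries survive.

```python
# Added example, not from the patent: aging times, capacity and names are assumptions.
from dataclasses import dataclass

TEMP_AGING = 5.0      # seconds; short aging for temporary entries (assumed value)
FORMAL_AGING = 300.0  # seconds; long aging for formal entries (assumed value)
CAPACITY = 8          # entries per forwarding chip (assumed, small for the demo)


@dataclass
class Entry:
    port: str       # port identifier: here the id of the chip owning the port (Figs. 3/4)
    formal: bool
    expires: float


class Chip:
    """One forwarding chip holding a MAC table of temporary and formal entries."""

    def __init__(self, chip_id):
        self.chip_id = chip_id
        self.table = {}

    def age(self, now):
        # Entries whose aging time has elapsed are deleted (step S204 text).
        self.table = {m: e for m, e in self.table.items() if e.expires > now}

    def _install(self, mac, port, formal, now):
        if mac not in self.table and len(self.table) >= CAPACITY:
            return False  # table full: the state a source-MAC flood tries to force
        aging = FORMAL_AGING if formal else TEMP_AGING
        self.table[mac] = Entry(port, formal, now + aging)
        return True

    def learn(self, src, dst, in_port, now, from_fabric=False):
        """Apply steps S206/S208; return True to forward, False to discard."""
        self.age(now)
        s, d = self.table.get(src), self.table.get(dst)
        if d is not None and not d.formal:
            # S206: a reverse packet for a temporary entry confirms both MACs, except
            # (Figs. 3/4) when a fabric broadcast concerns a port of another chip:
            # this chip then sees no bidirectional flow and discards the packet.
            if from_fabric and d.port != self.chip_id:
                return False
            self._install(dst, d.port, True, now)
            self._install(src, in_port, True, now)
            return True
        if s is None:
            # S208 (and S506/S508 of Fig. 5): unknown source, destination absent
            # or formal, so the source is learned as a temporary entry only.
            self._install(src, in_port, False, now)
        # Otherwise the source is already known and the destination is not temporary:
        # nothing to learn. Assumption: one-way packets do not refresh a temporary timer.
        return True


class Device:
    """A device whose forwarding chips are joined by a switching fabric."""

    def __init__(self, chip_ids):
        self.chips = {c: Chip(c) for c in chip_ids}

    def receive(self, ingress, src, dst, now):
        """Packet enters a port of chip `ingress`; return ids of chips that forward it."""
        chip = self.chips[ingress]
        chip.age(now)
        known = chip.table.get(dst)
        if not chip.learn(src, dst, ingress, now):
            return []
        if known is not None and known.formal:
            return [known.port]  # known destination: unicast to the owning chip
        # Unknown or temporary destination: broadcast through the fabric; the other
        # chips record the ingress chip's id as the port identifier (S304/S308).
        out = [ingress]
        for cid, other in self.chips.items():
            if cid != ingress and other.learn(src, dst, ingress, now, from_fabric=True):
                out.append(cid)
        return out


def two_chip_exchange():
    """Figs. 3/4 scenario: packet 1 enters at chip A, its reverse packet 2 at chip C."""
    dev = Device(["A", "B", "C"])
    dev.receive("A", "1-1-1", "2-2-2", now=0.0)  # packet 1, flooded to B and C
    dev.receive("C", "2-2-2", "1-1-1", now=1.0)  # packet 2, the reverse packet
    return {cid: {m: (e.port, e.formal) for m, e in c.table.items()}
            for cid, c in dev.chips.items()}


def traversal_attack(n_sources):
    """Attacker behind chip A cycles source MACs toward an unknown destination."""
    dev = Device(["A", "B", "C"])
    dev.receive("A", "1-1-1", "2-2-2", now=0.0)
    dev.receive("C", "2-2-2", "1-1-1", now=1.0)      # legitimate pair becomes formal
    for i in range(n_sources):                        # constructed attack traffic
        dev.receive("A", f"66-66-{i:02x}", "9-9-9", now=2.0)
    occupied = len(dev.chips["A"].table)              # table full: attack succeeded for now
    dev.chips["A"].age(2.0 + TEMP_AGING + 1.0)        # no reverse packets ever arrive
    return occupied, len(dev.chips["A"].table)        # only the two formal entries remain
```

Two points the simulation makes visible. The port check is applied only to packets arriving as fabric broadcasts, because the ingress chip's own lookup of a reverse packet is the legitimate confirmation; gating it that way is what leaves chip B with nothing but an aging temporary entry. And the scheme does not stop the table from filling during the attack: `traversal_attack` returns a full table first, so the short temporary aging time bounds how long the attacker can hold the space rather than preventing the fill, which is why the patent frames the benefit as quick release of storage.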
In another embodiment, refer to the flowchart of another anti-attack MAC address learning method shown in Fig. 5 and the schematic diagram of the corresponding learning process shown in Fig. 6. The network device is again described as comprising three forwarding chips, chip A, chip B and chip C.
The method comprises the following steps:
Step S502: when chip A of the network device receives a packet, parse the source MAC address and the destination MAC address of the packet.
Step S504: look up the MAC entries of the forwarding chip using the source MAC address and the destination MAC address.
Step S506: if the source MAC address has no matching entry among the MAC entries (temporary or formal) and the matching entry for the destination MAC address is a formal MAC entry, establish a temporary MAC entry for the source MAC address.
As shown in Fig. 6, formal entries for 1-1-1 and 2-2-2 are already stored in chip A and chip C. When chip A receives a packet whose source MAC address is a traversal MAC (a continuously changing source address) and whose destination address is 2-2-2, the source MAC address matches no entry even though chips A and C hold a formal entry for 2-2-2. The packet is therefore not regarded as the reverse packet of any other packet, and its source MAC address is learned only as a temporary entry; the source MAC address is refreshed into a formal entry only if the reverse packet is subsequently received.
Step S508: if neither the source MAC address nor the destination MAC address matches any MAC entry, establish a temporary MAC entry for the source MAC address. In practice, the conditions of steps S506 and S508 may be checked simultaneously, or step S508 may be checked before step S506.
In the anti-attack MAC address learning method of this embodiment, the MAC entries comprise temporary and formal MAC entries. When the source MAC address of a packet is a traversal MAC, it is learned only as a temporary entry even if the destination MAC address matches a formal entry, and is refreshed into a formal entry only when the reverse packet is subsequently received. Under a source MAC traversal attack, this learning mode, which combines temporary entries with confirmation by bidirectional packet exchange, quickly releases entry storage space in the device and thereby improves its anti-attack capability.
In another embodiment, refer to a flowchart of another anti-attack MAC address learning method shown in fig. 7 and a schematic diagram of another anti-attack MAC address learning process shown in fig. 8; in order to improve the efficiency of MAC entry learning and the stability of MAC entries in the network device, the MAC address learning method further includes the following steps: and if the message is a broadcast message of the switching network side, and the matching table items of the source MAC address and the destination MAC address are both MAC formal table items, refreshing the MAC formal table items of the source MAC address into MAC temporary table items.
In this embodiment, a network device includes three forwarding chips, which are a chip a, a chip B, and a chip C; formal table entries of MAC addresses 1-1-1 and 2-2-2 are stored in the chip A; the chip B does not store MAC table entries; chip C loses the MAC entry.
The method comprises the following steps:
step S702, when chip C of the network device receives message 3, chip C parses the source MAC address 2-2-2 and the destination MAC address 1-1-1 of message 3;
step S704, in chip C, because chip C has lost its MAC table entries, no matching table entry exists; a temporary table entry is established for the source MAC address 2-2-2, and message 3 is broadcast into the switching network, so that the switching network broadcasts message 3 to chip A and chip B within the current VLAN;
step S706, when chip A and chip B receive message 3, they parse the source MAC address 2-2-2 and the destination MAC address 1-1-1 of message 3;
step S708, in chip B, since chip B stores no MAC table entries, no matching table entry exists, and a temporary table entry is established for the source MAC address 2-2-2; in chip A, the table entry for 2-2-2 is refreshed into a temporary table entry;
chip A received message 3 as a broadcast through the switching network, yet in chip A the matching table entries of both the source MAC address and the destination MAC address of the message are MAC formal table entries. Under normal conditions, a message whose source and destination MAC addresses both match MAC formal table entries is forwarded as unicast; that message 3 arrived as a broadcast indicates that some chip in the network device has lost its MAC table entries, so at this point chip A refreshes the MAC formal table entry of the source MAC address into an MAC temporary table entry.
When chip A subsequently receives the reverse message of message 3, because the source MAC address of message 3 now has only a temporary entry, the reverse message is sent in broadcast form, and chip C, which lost its MAC entries, learns the MAC entries again from the broadcast reverse message, as shown in the following steps S710 to S720.
step S710, message 3 is forwarded according to its destination MAC address;
step S712, when chip A of the network device receives message 4, chip A parses the source MAC address 1-1-1 and the destination MAC address 2-2-2 of message 4; from this it can be seen that message 4 is the reverse message of message 3;
step S714, the MAC table entries in chip A are searched using the destination MAC address 2-2-2 of message 4;
step S716, the matching table entry for MAC address 2-2-2 is found among the temporary table entries of chip A; 2-2-2 is refreshed into a formal table entry, and message 4 is broadcast into the switching network;
step S718, when chip C receives message 4, chip C parses the source MAC address 1-1-1 and the destination MAC address 2-2-2 of message 4;
step S720, the matching table entry for 2-2-2 in chip C is refreshed into an MAC formal table entry, and the source MAC address 1-1-1 of message 4 is set as a formal table entry.
In fig. 8, the dashed arrows indicate the flow of message 3 and the solid arrows the flow of message 4. Message 3 enters through a communication port belonging to chip C; after processing in steps S702-S710, temporary table entries for 2-2-2 are established in chip B and chip C, and the table entry for 2-2-2 in chip A is refreshed from a formal table entry into a temporary table entry. Message 4 enters through a communication port belonging to chip A; after processing in steps S712-S720, the table entry for 2-2-2 in chip A is refreshed back into a formal table entry, and formal table entries for 1-1-1 and 2-2-2 are established in chip C.
In the anti-attack MAC address learning method provided by this embodiment of the disclosure, the MAC table entries comprise MAC temporary table entries and MAC formal table entries. When the MAC table entries in some chip of the network device are lost, the formal table entries in the other chips are refreshed into temporary table entries, so that messages are sent as broadcasts and the chip learns its MAC table entries again. In this way, when the MAC table entries in the network device become abnormal, they can be re-learned synchronously by refreshing the table entry states of the other chips, which improves the learning efficiency of MAC table entries and the stability of MAC table entries in the network device.
Furthermore, in the anti-attack MAC address learning method, the learning and synchronization of MAC addresses do not occupy CPU time for message processing, thereby reducing CPU occupancy.
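The learning rules of these two embodiments (temporary entries for unconfirmed sources, promotion on the reverse message, demotion when both ends are formal yet the message arrives as a switching-network broadcast, and the port check of claim 4) as an added Python simulation; this is not the patent's or H3C's code, and the aging times, port numbers, table capacity and MAC strings are constructed assumptions:

```python
"""Added example, not code from the patent or its assignee: a simulation of the
temporary/formal MAC learning rules described above for one forwarding chip."""
from dataclasses import dataclass

# Aging times are assumptions; the patent only requires temporary < formal.
TEMP_AGING = 10.0      # seconds before an unconfirmed temporary entry is dropped
FORMAL_AGING = 300.0   # seconds for a formal entry


@dataclass
class MacEntry:
    port: int          # egress port; may belong to another chip of the same device
    formal: bool
    last_seen: float


class ForwardingChip:
    """One forwarding chip with a capacity-limited MAC table."""

    def __init__(self, name, ports, capacity):
        self.name = name
        self.ports = frozenset(ports)   # ports physically attached to this chip
        self.capacity = capacity
        self.table = {}                 # mac -> MacEntry

    def install(self, mac, port, formal, now):
        if mac not in self.table and len(self.table) >= self.capacity:
            return False                 # table exhausted: nothing can be learned
        self.table[mac] = MacEntry(port, formal, now)
        return True

    def age(self, now):
        """Drop entries whose aging time has elapsed; temporary ones go first."""
        expired = [m for m, e in self.table.items()
                   if now - e.last_seen > (FORMAL_AGING if e.formal else TEMP_AGING)]
        for m in expired:
            del self.table[m]
        return len(expired)

    def receive(self, src, dst, in_port, now, from_fabric=False):
        """Apply the learning rules to one frame; returns the table action taken."""
        s, d = self.table.get(src), self.table.get(dst)
        # dst matches a temporary entry: this frame is the reverse message of an earlier one
        if d is not None and not d.formal:
            if from_fabric and d.port not in self.ports:
                return "drop"            # the entry's port is not on this chip (claim 4)
            d.formal, d.last_seen = True, now
            self.install(src, in_port, True, now)
            return "promote"
        # fabric broadcast although both ends are formal: some chip lost its table (claim 3)
        if from_fabric and d is not None and s is not None and s.formal:
            s.formal, s.last_seen = False, now
            return "demote"
        # src unknown (dst formal or unknown): src is learned only as a temporary entry
        if s is None:
            return "temp" if self.install(src, in_port, False, now) else "full"
        s.last_seen = now                # assumption: an existing entry only has its timer refreshed
        return "refresh"

    def count(self, formal):
        return sum(1 for e in self.table.values() if e.formal == formal)


def sweep_attack_demo(n_spoofed=1000, capacity=1024):
    """Two hosts exchange traffic, then a source-MAC sweep hits the chip.
    Returns (temporary entries right after the sweep, entries left after TEMP_AGING)."""
    chip = ForwardingChip("A", ports={1, 2}, capacity=capacity)
    chip.receive("1-1-1", "2-2-2", in_port=1, now=0.0)      # both unknown: temp for 1-1-1
    chip.receive("2-2-2", "1-1-1", in_port=2, now=0.5)      # reverse message: both formal
    for i in range(n_spoofed):                                # constructed spoofed sources
        chip.receive(f"bad-{i}", "1-1-1", in_port=2, now=1.0)
    temp_after_sweep = chip.count(formal=False)
    chip.age(now=1.0 + TEMP_AGING + 1)                        # only the temp entries expire
    return temp_after_sweep, len(chip.table)                  # -> (1000, 2)


def table_loss_recovery_demo():
    """Steps S702-S720: chips A and C know 1-1-1 (port 1 on A) and 2-2-2 (port 3 on C);
    chip C loses its table and re-learns it through the demote/promote exchange."""
    a = ForwardingChip("A", ports={1}, capacity=16)
    c = ForwardingChip("C", ports={3}, capacity=16)
    for chip in (a, c):
        chip.install("1-1-1", 1, True, 0.0)
        chip.install("2-2-2", 3, True, 0.0)
    c.table.clear()                                           # chip C loses its MAC entries
    act_c1 = c.receive("2-2-2", "1-1-1", in_port=3, now=1.0)  # S704: temp for 2-2-2, broadcast
    act_a1 = a.receive("2-2-2", "1-1-1", in_port=3, now=1.0, from_fabric=True)  # S708
    act_a2 = a.receive("1-1-1", "2-2-2", in_port=1, now=2.0)  # S716: reverse message 4
    act_c2 = c.receive("1-1-1", "2-2-2", in_port=1, now=2.0, from_fabric=True)  # S720
    return act_c1, act_a1, act_a2, act_c2, c.count(formal=True)  # -> temp, demote, promote, promote, 2
```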
In another embodiment, corresponding to the above method embodiment, see a schematic structural diagram of an attack-prevention MAC address learning apparatus shown in fig. 9; the device comprises the following parts:
the analysis module 90 is configured to analyze a source MAC address and a destination MAC address of a message when a forwarding chip of the network device receives the message;
a searching module 91, configured to search an MAC entry of the forwarding chip by using the source MAC address and the destination MAC address; the MAC table entry comprises an MAC temporary table entry and an MAC formal table entry, and the aging time of the MAC temporary table entry is less than that of the MAC formal table entry;
a first table item establishing module 92, configured to refresh a matching table item into an MAC formal table item if the matching table item of the destination MAC address is found in the MAC temporary table item, and establish the MAC formal table item for the source MAC address;
the second table entry establishing module 93 is configured to establish an MAC temporary table entry for the source MAC address if a matching table entry between the source MAC address and the destination MAC address is not found in the MAC temporary table entry.
In the anti-attack MAC address learning device provided by this embodiment of the disclosure, the MAC table entries comprise MAC temporary table entries and MAC formal table entries. If the destination MAC address of the message is found in an MAC temporary table entry, both the destination MAC address and the source MAC address of the message are set as formal table entries; if no matching table entry for the source MAC address and the destination MAC address is found in the MAC temporary table entries, a temporary table entry is established for the source MAC address of the message. Because the aging time of a temporary table entry is short, a MAC address placed in a temporary table entry is deleted quickly if no reverse message with that MAC address as its destination address is received within the aging time. Under a source MAC traversal attack, this learning mode, which combines temporary table entries with the interaction of bidirectional messages, quickly releases table entry storage space in the device and thereby improves the anti-attack capability of the network device.
The second table entry establishing module is configured to: if the source MAC address does not have a matching table entry in the MAC table entry and the matching table entry of the destination MAC address is an MAC formal table entry, establishing an MAC temporary table entry for the source MAC address; if neither the source MAC address nor the destination MAC address has a matching entry in the MAC entry, an MAC temporary entry is established for the source MAC address.
Further, the apparatus further includes a refreshing module, configured to refresh the MAC formal table entry of the source MAC address into an MAC temporary table entry if the packet is a broadcast packet of the switching network side and the matching table entries of the source MAC address and the destination MAC address are both MAC formal table entries.
Further, the first table entry establishing module is configured to: if the matching table entry of the destination MAC address is found in the MAC temporary table entries and the message is a broadcast message from the switching network side, check whether the port of the matching table entry belongs to the ports of the forwarding chip; if yes, refresh the matching table entry into an MAC formal table entry; if not, discard the message and end the current process.
Further, the message is a broadcast message on the switching network side or a unicast message on the interface side; the device also comprises a conversion sending module used for sending the unicast message through the switching network if the message is the unicast message of the interface side.
Referring to fig. 10, a schematic diagram of a network device is shown; the device comprises a memory 100 and a processor 101; the memory 100 is used for storing one or more computer instructions, and the one or more computer instructions are executed by the processor to implement the above-mentioned anti-attack MAC address learning method.
Further, the network device shown in fig. 10 also includes a bus 102 and a communication interface 103; the processor 101, the communication interface 103 and the memory 100 are connected through the bus 102.
The memory 100 may include a high-speed Random Access Memory (RAM) and may further include non-volatile memory, such as at least one disk memory. The communication connection between this network element and at least one other network element is realized through at least one communication interface 103 (which may be wired or wireless), over the Internet, a wide area network, a local area network, a metropolitan area network, or the like. The bus 102 may be an ISA bus, a PCI bus, an EISA bus, or the like, and may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in fig. 10, but this does not mean that there is only one bus or one type of bus.
The processor 101 may be an integrated circuit chip with signal processing capability. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in the processor 101 or by instructions in the form of software. The processor 101 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. It may implement or perform the various methods, steps and logic blocks disclosed in the embodiments of the present invention. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the method disclosed in connection with the embodiments of the present invention may be embodied directly in a hardware decoding processor, or in a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM or a register. The storage medium is located in the memory 100; the processor 101 reads the information in the memory 100 and completes the steps of the method of the foregoing embodiment in combination with its hardware.
Further, the embodiment of the present invention also provides a machine-readable storage medium, which stores machine-executable instructions, and when the machine-executable instructions are called and executed by a processor, the machine-executable instructions cause the processor to implement the above-mentioned anti-attack MAC address learning method.
The computer program product for the anti-attack MAC address learning method, apparatus and network device provided in the embodiments of the present disclosure includes a computer-readable storage medium storing program code; the instructions included in the program code may be used to execute the method described in the foregoing method embodiments, and for specific implementation reference may be made to the method embodiments, which will not be described again here.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present disclosure may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present disclosure. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
While the present disclosure has been described in detail with reference to the foregoing embodiments, it should be understood by those skilled in the art that: any person skilled in the art can modify or easily conceive of the technical solutions described in the foregoing embodiments or equivalent technical features thereof within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present disclosure, and should be construed as being included therein. Therefore, the protection scope of the present disclosure shall be subject to the protection scope of the claims.

Claims (12)

1. An anti-attack MAC address learning method is characterized by comprising the following steps:
when a forwarding chip of the network equipment receives a message, analyzing a source MAC address and a destination MAC address of the message;
searching the MAC table entry of the forwarding chip by using the source MAC address and the destination MAC address; the MAC table entry comprises an MAC temporary table entry and an MAC formal table entry, and the aging time of the MAC temporary table entry is less than that of the MAC formal table entry; and for the MAC address set in the MAC temporary table entry, if the reverse message with the MAC address as the destination address is not received within the aging time, deleting the MAC address;
if the matching table entry of the destination MAC address is found in the MAC temporary table entry, refreshing the matching table entry into an MAC formal table entry, and establishing the MAC formal table entry for the source MAC address;
and if the matching table entry of the source MAC address and the destination MAC address is not found in the MAC temporary table entry, establishing an MAC temporary table entry for the source MAC address.
2. The method of claim 1, wherein if no matching entry between the source MAC address and the destination MAC address is found in the MAC temporary entry, the step of establishing a MAC temporary entry for the source MAC address comprises:
if the source MAC address does not have a matching table entry in the MAC table entry and the matching table entry of the destination MAC address is the MAC formal table entry, establishing an MAC temporary table entry for the source MAC address;
and if the source MAC address and the destination MAC address do not have a matching table entry in the MAC table entry, establishing an MAC temporary table entry for the source MAC address.
3. The method of claim 2, further comprising:
and if the message is a broadcast message of the switching network side, and the matching table items of the source MAC address and the destination MAC address are the MAC formal table items, refreshing the MAC formal table items of the source MAC address into MAC temporary table items.
4. The method according to claim 1, wherein the step of refreshing the matching table entry into an MAC formal table entry if the matching table entry of the destination MAC address is found in the MAC temporary table entry comprises:
if the matching table entry of the destination MAC address is found in the MAC temporary table entry and the message is a broadcast message of a switching network side, checking whether a port of the matching table entry belongs to a port of the forwarding chip;
if yes, refreshing the matched table entry into an MAC formal table entry;
if not, discarding the message and ending the current process.
5. The method according to any of claims 1-4, wherein the message is a broadcast message on a switching network side or a unicast message on an interface side;
the method further comprises the following steps: and if the message is a unicast message at the interface side, sending the unicast message through the switching network.
6. An attack-resistant MAC address learning apparatus, comprising:
the analysis module is used for analyzing a source MAC address and a destination MAC address of a message when a forwarding chip of the network equipment receives the message;
a searching module, configured to search an MAC entry of the forwarding chip using the source MAC address and the destination MAC address; the MAC table entry comprises an MAC temporary table entry and an MAC formal table entry, and the aging time of the MAC temporary table entry is less than that of the MAC formal table entry; and for the MAC address set in the MAC temporary table entry, if the reverse message with the MAC address as the destination address is not received within the aging time, deleting the MAC address;
a first table item establishing module, configured to refresh a matching table item into an MAC formal table item and establish the MAC formal table item for the source MAC address if the matching table item of the destination MAC address is found in the MAC temporary table item;
and the second table item establishing module is used for establishing the MAC temporary table item for the source MAC address if the matching table item of the source MAC address and the destination MAC address is not found in the MAC temporary table item.
7. The apparatus of claim 6, wherein the second table entry establishing module is configured to:
if the source MAC address does not have a matching table entry in the MAC table entry and the matching table entry of the destination MAC address is the MAC formal table entry, establishing an MAC temporary table entry for the source MAC address;
and if the source MAC address and the destination MAC address do not have a matching table entry in the MAC table entry, establishing an MAC temporary table entry for the source MAC address.
8. The apparatus according to claim 7, further comprising a refreshing module, configured to refresh the MAC formal table entry of the source MAC address into an MAC temporary table entry if the packet is a broadcast packet on a switching network side and the matching table entries of the source MAC address and the destination MAC address are both the MAC formal table entries.
9. The apparatus of claim 6, wherein the first table entry establishing module is configured to:
if the matching table entry of the destination MAC address is found in the MAC temporary table entry and the message is a broadcast message of a switching network side, checking whether a port of the matching table entry belongs to a port of the forwarding chip; if yes, refreshing the matched table entry into an MAC formal table entry; if not, discarding the message and ending the current process.
10. The apparatus according to any one of claims 6-9, wherein the packet is a broadcast packet on a switching network side or a unicast packet on an interface side;
the device also comprises a conversion sending module used for sending the unicast message through the switching network if the message is the unicast message of the interface side.
11. A network device comprising a memory and a processor; wherein the memory is to store one or more computer instructions that are executed by the processor to implement the method of any one of claims 1 to 5.
12. A machine-readable storage medium having stored thereon machine-executable instructions which, when invoked and executed by a processor, cause the processor to implement the method of any of claims 1 to 5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710739080.6A CN107547535B (en) 2017-08-24 2017-08-24 Anti-attack MAC address learning method and device and network equipment

Publications (2)

Publication Number Publication Date
CN107547535A CN107547535A (en) 2018-01-05
CN107547535B true CN107547535B (en) 2021-01-01

Family

ID=60958938

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710739080.6A Active CN107547535B (en) 2017-08-24 2017-08-24 Anti-attack MAC address learning method and device and network equipment

Country Status (1)

Country Link
CN (1) CN107547535B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108712449A (en) * 2018-07-12 2018-10-26 新华三技术有限公司 Prevent the method, apparatus and electronic equipment of MAC Address extensive aggression
CN111526108B (en) * 2019-02-01 2021-08-20 华为技术有限公司 Method and device for preventing network attack
US11212279B1 (en) 2019-02-04 2021-12-28 Cisco Technology, Inc. MAC address theft detection in a distributed link layer switched network based on trust level comparison
CN111934969B (en) * 2020-07-28 2022-03-18 锐捷网络股份有限公司 Maintenance method and device of MAC forwarding table

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1494280A (en) * 2002-11-02 2004-05-05 华为技术有限公司 Method of control message transmission in network equipment
CN1996948A (en) * 2006-12-28 2007-07-11 杭州华为三康技术有限公司 Message forwarding method and device based on the media access control layer
CN101043433A (en) * 2006-06-24 2007-09-26 华为技术有限公司 Method for aging MAC address learning list of bridge mode resilient packet ring
CN101047670A (en) * 2006-04-14 2007-10-03 华为技术有限公司 MAC address table ageing, operation method and process system thereof
CN101098291A (en) * 2006-06-29 2008-01-02 中兴通讯股份有限公司 Method for preventing disturbance of medium accessing control address table on access equipment
CN101764753A (en) * 2009-12-28 2010-06-30 中兴通讯股份有限公司 Method and device for preventing switch ports from MAC address transfer
CN102355610A (en) * 2011-10-28 2012-02-15 烽火通信科技股份有限公司 Method for implementing circuit identification in optical network unit (ONU) system based on EOC (Ethernet over Coaxial cable)
CN104184708A (en) * 2013-05-22 2014-12-03 杭州华三通信技术有限公司 Method of inhabiting MAC address attack in EVI (Ethernet Virtualization Interconnection) network and ED (edge device)
CN105791248A (en) * 2014-12-26 2016-07-20 中兴通讯股份有限公司 Network attack analysis method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5088162B2 (en) * 2008-02-15 2012-12-05 富士通株式会社 Frame transmission apparatus and loop determination method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230620

Address after: 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466

Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd.
