
Method for realizing network attack isolation

A network attack isolation method, applied in the field of network security, which addresses the problems of reduced forwarding performance, QoS rules not taking effect, and the inconvenience of maintaining a MAC address list, and achieves convenient management and maintenance.

Inactive Publication Date: 2008-08-27
HUAWEI TECH CO LTD

AI Technical Summary

Problems solved by technology

In this case the MAC address of every packet must be compared against the MAC addresses in the MAC address list, which greatly reduces forwarding efficiency; when the number of users is large, forwarding performance drops significantly.
In addition, when a user changes network card or is bound to a MAC address, every user registration and logout must update the MAC address list in time, otherwise the QoS rules do not work correctly. This makes the MAC address list inconvenient to maintain.



Examples


Embodiment 1

[0043] This embodiment adopts a single mode, that is, it restricts MAC addresses based on one class of user identifier; the user identifier may be a port, a VLAN, or a port and VLAN combination. This embodiment takes port-based MAC address restriction as an example, and the MAC address restriction table is looked up using the key "port number + 0xFFF". The specific MAC address restriction process is as shown in Figure 1:

[0044] Steps 101-102: When a packet enters the network device, look up its source MAC address in the source MAC address table stored in the device and check whether the port recorded there (the outgoing port) is the same as the port the packet arrived on (the source port). If they are the same, forward the packet directly and end the current processing flow; if they are not the same, go to step 103.

[0045] Step 103: Check whether the port corresponding to the source MAC address has MAC address restriction configured in the port function table set by t...

Embodiment 2

[0061] This embodiment adopts a combined mode, that is, MAC address restriction based on two classes of user identifier. It takes port-based and VLAN-based MAC address restriction as an example and applies them in the order port MAC address restriction → VLAN MAC address restriction: port-based restriction is performed first, then VLAN-based restriction, and together they limit MAC address learning. The specific process is as shown in Figure 2.

[0062] Steps 201-202: the same as steps 101-102 in Embodiment 1.

[0063] Step 203: Based on the source MAC address of the received packet, check whether port-based MAC address restriction is configured. If it is configured, go to step 204; otherwise go to step 209.

[0064] Steps 204-205: the same as steps 104-105 of Embodiment 1, which look up the MAC address restriction table and judge whether the MAC address restriction range is exceeded...

Embodiment 3

[0077] This embodiment adopts a multi-combination mode, that is, MAC address restriction based on three classes of user identifier. It configures port-based, VLAN-based, and port-and-VLAN-based MAC address restriction and applies them in the order port MAC address restriction → VLAN MAC address restriction → port-and-VLAN MAC address restriction: port-based restriction is performed first, then VLAN-based restriction, and finally port-and-VLAN-based restriction, and together they limit MAC address learning. The specific process is as shown in Figure 3.

[0078] Steps 301 to 314: the same as steps 201 to 214 and the related description in Embodiment 2, except that when VLAN-based MAC address restriction is not enabled, or the limit is not exceeded, the packet is not discarded and the MAC address is not yet learned and forwarded; instead the flow enters step 315, which judges whether the next class of MAC address restriction is enabled...
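The three embodiments describe one cascaded procedure: a known source MAC on the same port is forwarded without touching the MAC table; otherwise each configured restriction stage (port, then VLAN, then port+VLAN) is consulted in order, an unconfigured stage is skipped, and the packet is discarded at the first stage whose limit is exceeded, else the MAC is learned and the packet forwarded. The following Python simulation is an added example and is not the patent's code or Huawei's implementation. It assumes that the "MAC address restriction range" of each identifier is a maximum count of MAC addresses learned under that identifier, and it keeps three separate restriction tables instead of the patent's "port number + 0xFFF" key encoding; the switch model, frame format and MAC addresses are constructed for the example.

```python
"""Simulation of cascaded MAC-learning limits (port -> VLAN -> port+VLAN).

Added example, not the patent's code.  Assumptions: a restriction entry is
a maximum number of learned MACs per identifier; a MAC seen on a new port
is treated as unknown and re-subjected to the restriction checks.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    src_mac: str
    in_port: int
    vlan: int


class Switch:
    def __init__(self) -> None:
        # Source MAC table: mac -> (port, vlan) where it was learned.
        self.mac_table: Dict[str, Tuple[int, int]] = {}
        # Restriction tables (assumed format): identifier -> max learned MACs.
        self.port_limit: Dict[int, int] = {}
        self.vlan_limit: Dict[int, int] = {}
        self.port_vlan_limit: Dict[Tuple[int, int], int] = {}
        self.dropped = 0

    def _learned(self, match: Callable[[int, int], bool]) -> int:
        """Count MAC table entries whose (port, vlan) satisfies `match`."""
        return sum(1 for p, v in self.mac_table.values() if match(p, v))

    def _exceeded_stage(self, f: Frame) -> Optional[str]:
        """Walk the stages in the patent's order; return the first stage
        whose configured limit is already reached, or None."""
        stages: List[Tuple[str, Optional[int], Callable[[int, int], bool]]] = [
            ("port", self.port_limit.get(f.in_port),
             lambda p, v: p == f.in_port),
            ("vlan", self.vlan_limit.get(f.vlan),
             lambda p, v: v == f.vlan),
            ("port+vlan", self.port_vlan_limit.get((f.in_port, f.vlan)),
             lambda p, v: (p, v) == (f.in_port, f.vlan)),
        ]
        for name, limit, match in stages:
            if limit is None:
                continue  # restriction not enabled for this identifier
            if self._learned(match) >= limit:
                return name  # Embodiment: limit exceeded -> discard
        return None

    def receive(self, f: Frame) -> str:
        """Process one ingress frame.  Returns 'forward', 'learn+forward'
        or 'drop:<stage>' so the outcome can be inspected."""
        entry = self.mac_table.get(f.src_mac)
        # Steps 101-102: source MAC already learned on this port -> forward.
        if entry is not None and entry[0] == f.in_port:
            return "forward"
        stage = self._exceeded_stage(f)
        if stage is not None:
            self.dropped += 1
            return f"drop:{stage}"
        # No limit reached: learn (or move) the MAC and forward.
        self.mac_table[f.src_mac] = (f.in_port, f.vlan)
        return "learn+forward"


def demo() -> List[str]:
    """Constructed scenario: port 1 may learn 2 MACs, VLAN 10 may hold 3."""
    sw = Switch()
    sw.port_limit[1] = 2
    sw.vlan_limit[10] = 3
    frames = [
        Frame("00:00:5e:00:53:01", 1, 10),  # learned (port 1: 1/2)
        Frame("00:00:5e:00:53:02", 1, 10),  # learned (port 1: 2/2)
        Frame("00:00:5e:00:53:03", 1, 10),  # port stage: limit reached -> drop
        Frame("00:00:5e:00:53:04", 2, 10),  # port 2 unrestricted; VLAN 10: 3/3
        Frame("00:00:5e:00:53:05", 2, 10),  # VLAN stage: limit reached -> drop
        Frame("00:00:5e:00:53:01", 1, 10),  # known on same port -> forward
    ]
    return [sw.receive(f) for f in frames]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

A flood of spoofed source MACs from one port exhausts only that port's quota and is discarded at the first stage, while the VLAN-wide limit still caps the total a set of unrestricted ports can learn; entries already learned are never evicted by the flood, which is the isolation effect the abstract describes.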



Abstract

A method for realizing attack isolation includes: configuring a MAC address restriction table for each user identifier; according to the three classes of user identifier corresponding to the source MAC address of a packet, judging whether an enabling condition for MAC address restriction (for example, port-based) is configured; looking up the MAC address restriction table with the relevant user identifier according to the specific enabling condition; and performing MAC address restriction according to the content of the MAC address restriction table.

Description

Technical field

[0001] The invention relates to network security technology, in particular to a method for realizing network attack isolation.

Background technique

[0002] With the rapid development of the Internet, new attack modes emerge endlessly. Large numbers of attacks cause a huge volume of Media Access Control (MAC) address learning, which seriously consumes the resources of network devices, reduces their processing speed and degrades their performance. MAC address learning works like bridge learning: when a bridge receives a packet from a computer newly added to the network, it records in the bridge the packet's source MAC address together with the port on which the packet arrived and the virtual local area network (VLAN) to which that port belongs, and the packet specified to be ...


Application Information

Patent Type & Authority Patents(China)
IPC(8): H04L12/24, H04L12/56, H04L45/16
Inventor 任广涛
Owner HUAWEI TECH CO LTD