Method and network device for preventing media access control (MAC) address table overflow attacks

A MAC address table and network device technology, applied in the field of network security. It addresses the waste and occupation of bandwidth and the waste of CPU and MAC address table entry resources on network devices, and achieves the effect of preventing overflow attacks.

Active Publication Date: 2013-05-08
XINHUASAN INFORMATION TECH CO LTD

AI Technical Summary

Problems solved by technology

[0003] A MAC address table overflow attack exploits the fact that the MAC address tables of switches, routers and other network devices have a fixed capacity. Packets with changing source MAC addresses are sent to the network device, which keeps learning the source MAC address entries and their ports until the MAC address table is full. From then on, when any further unicast packet is sent to the network device, the device cannot learn the packet's MAC address, and the packet becomes an unknown unicast packet. In Layer 2 forwarding, the network device handles unknown unicast packets by broadcasting them to each member port. The device therefore broadcasts all received unicast packets as unknown unicast packets, causing unknown unicast flooding: other ports also receive the packets, which occupies a large amount of service bandwidth and wastes it. The attack also occupies resources such as the CPU and MAC address table entries of the network device, and even threatens the security of the LAN: because MAC addresses cannot be learned, other private packets may be treated by the network device as unknown unicast packets and broadcast, causing unnecessary risk.
[0004] Therefore, a MAC address table overflow attack occupies service bandwidth, wastes resources such as the CPU and MAC address table entries of network devices, and even threatens the security of the LAN.


Embodiment Construction

[0018] To make the objectives, technical solutions, and advantages of the application clearer, the application is described in detail below through specific embodiments and with reference to the drawings.

[0019] In this application, the network device is first configured to enable the MAC address table overflow attack detection function, after which the network device begins detecting MAC address table overflow attacks: at each preset time period, the network device obtains the number of MAC address table entries learned by each of its ports in that period, and marks a port as a suspicious port when the number of MAC address table entries learned by that port in the period reaches the first threshold;

[0020] When the number of all MAC address entries learned by the network device reaches the second threshold, if the number of MAC address entries learned by the suspicious port exceeds the threshold of the number of Mac address entries configur...

Abstract

The invention discloses a method for preventing media access control (MAC) address table overflow attacks. According to a preset time period, the network device obtains the number of MAC address table entries learned by each port in the time period. When the number of MAC address table entries learned by any port in the time period reaches a first threshold, the port is marked as a suspicious port. When the number of MAC address table entries learned by the network device reaches a second threshold, and the number of MAC address table entries learned by the suspicious port exceeds the MAC address table entry threshold configured for the suspicious port, the MAC address table entries that exceed the threshold overwrite the corresponding number of earliest-learned MAC address table entries in the current MAC address table. The second threshold is larger than the first threshold. The invention further discloses a network device that can effectively prevent MAC address table overflow attacks.
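
The two-threshold scheme from the abstract, as an added Python sketch that is not code from the patent: the class, method and parameter names and the traffic are constructed for illustration. It assumes that the entries overwritten are the suspicious port's own earliest-learned ones, a detail the abstract leaves open.

```python
from collections import OrderedDict, defaultdict


class MacTable:
    """Toy model of the two-threshold scheme; all names are assumptions."""

    def __init__(self, first_threshold, second_threshold, port_limit):
        if second_threshold <= first_threshold:
            raise ValueError("second threshold must exceed the first")
        self.first = first_threshold      # per-port learns per time period
        self.second = second_threshold    # total entries learned by the device
        self.port_limit = port_limit      # entries configured per suspicious port
        self.table = OrderedDict()        # mac -> port, earliest-learned first
        self.learned = defaultdict(int)   # port -> entries learned this period
        self.suspicious = set()

    def new_period(self):
        """Called by the period timer: restart the per-port learn counters."""
        self.learned.clear()

    def entries_on(self, port):
        return [m for m, p in self.table.items() if p == port]

    def learn(self, port, mac):
        """Learn a source MAC; return the MAC that was overwritten, if any."""
        if mac in self.table:
            self.table[mac] = port        # known address: update port, keep age
            return None
        self.learned[port] += 1
        if self.learned[port] >= self.first:
            self.suspicious.add(port)     # first threshold reached
        evicted = None
        own = self.entries_on(port)
        if (len(self.table) >= self.second and port in self.suspicious
                and len(own) >= self.port_limit):
            evicted = own[0]              # assumption: port's own oldest entry
            del self.table[evicted]
        self.table[mac] = port
        return evicted


def simulate():
    """Constructed traffic: 3 hosts on ports 1-3, 500 changing MACs on port 9."""
    sw = MacTable(first_threshold=20, second_threshold=50, port_limit=30)
    for i in range(3):
        sw.learn(i + 1, f"00:11:22:33:44:{i:02x}")
    for i in range(500):
        sw.learn(9, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
    return sw
```

With these constructed values the table stops growing at the second threshold, and the entries learned on ports 1-3 survive the flood because only port 9's own entries are recycled.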

Description

Technical field

[0001] This application relates to the field of network security technology, and in particular to a method and network device for preventing MAC address table overflow attacks.

Background

[0002] With the birth and development of new technologies, the convenience of Layer 2 forwarding has become more and more obvious. New technologies such as Ethernet Virtual Interconnection (EVI), Shortest Path Bridging (SPB) and Transparent Interconnection of Lots of Links (TRILL) therefore all forward packets using generalized Layer 2 forwarding, so that attacks at the access layer tend to shift from Layer 3 Ethernet Address Resolution Protocol (ARP) attacks to Layer 2 media access control (MAC) attacks.

[0003] A MAC address table overflow attack exploits the fixed capacity of the MAC address tables of network devices such as switches and routers by sending packets with changing source MAC addresses to the network device. The ne...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06
Inventor 徐燕成王伟
Owner XINHUASAN INFORMATION TECH CO LTD