Method and network equipment for preventing mac address table overflow attack

A MAC address table and network equipment technology, applied in the field of network security, addresses the bandwidth waste, resource occupation and threats to LAN security caused by MAC address table overflow attacks, and achieves the effect of preventing such attacks.

Active Publication Date: 2015-11-25
XINHUASAN INFORMATION TECH CO LTD

AI Technical Summary

Problems solved by technology

[0003] A MAC address table overflow attack exploits the fact that the MAC address table of a switch, router or other network device has a finite capacity. The attacker sends the device packets whose source MAC address keeps changing, and the device keeps learning new source MAC entries together with the ports on which they arrived. Once the MAC address table is full, the device can no longer learn the MAC address of any further unicast packet it receives, and such packets become unknown unicast packets. In Layer 2 forwarding, an unknown unicast packet is forwarded by broadcasting it to every member port. The device therefore broadcasts all received unicast packets as unknown unicast, flooding the network; the other ports also receive these packets, which occupies a large amount of service bandwidth and wastes it. At the same time the attack consumes resources such as the device CPU and MAC address table entries, and it even threatens LAN security: because MAC addresses can no longer be learned, other private packets may be treated by the device as unknown unicast and broadcast, creating unnecessary risk.
[0004] A MAC address table overflow attack therefore occupies service bandwidth, wastes resources such as the network device's CPU and MAC address table entries, and even threatens the security of the LAN.



Embodiment Construction

[0018] In order to make the purpose, technical solution and advantages of the present application clearer, the present application will be described in detail below through specific embodiments and with reference to the accompanying drawings.

[0019] In the present application, the anti-MAC-address-table-overflow function is first configured on the network device, and the device then starts detecting MAC address table overflow attacks: according to a preset time period, the network device obtains the number of MAC address entries each of its ports has learned within that period, and when the number learned by any port within the period reaches a first threshold, that port is marked as a suspicious port;

[0020] When the total number of MAC address entries learned by the network device reaches a second threshold, if the number of MAC address entries learned by a suspicious port exceeds the threshold of the...


Abstract

The invention discloses a method for preventing a media access control (MAC) address table from overflowing under attack. According to a preset time period, network equipment obtains the number of MAC address table entries each port has learned in that period; when the number learned by any port in the period reaches a first threshold, the port is marked as a suspicious port. When the number of MAC address table entries learned by the network equipment as a whole reaches a second threshold, and the number learned by the suspicious port exceeds the threshold on the number of MAC address table entries allocated to that suspicious port, the entries that exceed the threshold overwrite the same number of the earliest-learned entries in the current MAC address table. The second threshold is larger than the first threshold. The invention further discloses network equipment that can effectively prevent MAC address table overflow attacks.
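To make the scheme in the abstract concrete, here is an added simulation (not code from the patent or from XINHUASAN) of the two thresholds, the per-port entry quota and the overwrite of the earliest-learned entries; the threshold values, quota and traffic below are constructed, and the assumption that a port stays suspicious after the period ends is mine:

```python
from collections import OrderedDict

# Constructed simulation of the abstract's scheme; the thresholds, quota and
# traffic used here are illustrative values, not taken from the patent.
class MacTable:
    def __init__(self, first_threshold, second_threshold, port_quota):
        self.first = first_threshold    # per-port learns in one period -> suspicious
        self.second = second_threshold  # total table size at which quotas apply
        self.quota = port_quota         # entries a suspicious port may keep
        self.table = OrderedDict()      # mac -> port; insertion order = learn order
        self.suspicious = set()         # assumption: stays set across periods
        self.period_learns = {}         # port -> new entries learned this period

    def new_period(self):
        """Preset time period elapsed: restart the per-port learning counters."""
        self.period_learns = {}

    def learn(self, mac, port):
        """Process a source MAC seen on a port; returns how it was handled."""
        if mac in self.table:
            self.table[mac] = port      # known station, nothing new to learn
            return "known"
        n = self.period_learns.get(port, 0) + 1
        self.period_learns[port] = n
        if n >= self.first:             # first threshold: mark the port suspicious
            self.suspicious.add(port)
        held = sum(1 for p in self.table.values() if p == port)
        if (len(self.table) >= self.second and port in self.suspicious
                and held >= self.quota):
            # second threshold reached and the suspicious port is over its quota:
            # the new entry overwrites the earliest-learned entry, so the table
            # never grows past the threshold and unicast is not flooded
            self.table.popitem(last=False)
            self.table[mac] = port
            return "overwrote"
        self.table[mac] = port
        return "learned"

def simulate(first=5, second=20, quota=8, attack_macs=40):
    """Three legitimate hosts on port 1, then a source-MAC flood on port 7."""
    t = MacTable(first, second, quota)
    for i in range(3):
        t.learn(f"00:00:00:00:01:{i:02x}", 1)
    t.new_period()
    counts = {"known": 0, "learned": 0, "overwrote": 0}
    for i in range(attack_macs):
        counts[t.learn(f"de:ad:be:ef:{i >> 8:02x}:{i & 0xff:02x}", 7)] += 1
    return t, counts
```

Because the overwrite always evicts the globally oldest entries, hosts learned before the flood started can be displaced by the attacking port's entries; what the scheme guarantees is that the table stops growing at the second threshold, so later unicast frames are not flooded as unknown unicast.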

Description

Technical field

[0001] The application relates to the technical field of network security, in particular to a method and network equipment for preventing MAC address table overflow attacks.

Background technique

[0002] With the birth and development of new technologies, the convenience of Layer 2 forwarding has become more and more obvious. New technologies such as Ethernet Virtualization Interconnect (EVI), Shortest Path Bridging (SPB) and Transparent Interconnection of Lots of Links (TRILL) all forward packets in a generalized Layer 2, so attacks on the access layer tend to shift from Layer 3 Address Resolution Protocol (ARP) attacks to Layer 2 Media Access Control (MAC) attacks.

[0003] A MAC address table overflow attack exploits the fact that the MAC address table of a switch, router or other network device has a finite capacity: the attacker sends the device packets whose source MAC address keeps changing, and the network devices will continuou...


Application Information

Patent Type & Authority Patents(China)
IPC IPC(8): H04L29/06
Inventor 徐燕成王伟
Owner XINHUASAN INFORMATION TECH CO LTD