Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions in the embodiments of the present application will be described clearly and completely with reference to the accompanying drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application. In the present application, the embodiments and features of the embodiments may be arbitrarily combined with each other without conflict. Also, while a logical order is shown in the flow diagrams, in some cases, the steps shown or described may be performed in an order different than here.
For the convenience of understanding the technical solutions provided by the embodiments of the present application, some key terms used in the embodiments of the present application are explained first:
physical node: a physical computer device in a local area network, which may also be referred to as a physical host or a physical machine, is referred to as a physical computer as opposed to a virtual machine. The physical machine may be used to provide a hardware environment for the virtual machine, which may also be referred to as a host of the virtual machine. The physical nodes can be realized by selecting a small computer, a large computer or a server cluster according to the requirements of actual application scenes.
VM: a virtual device running on a physical node may also be referred to as a cloud host. The running of a plurality of VMs can be realized on one physical node. For example, a physical node may have multiple operating systems installed (one external operating system and several operating systems in a VM), and communication may be achieved between the several operating systems as if there were multiple computers.
Virtual local area network: the virtual local area network in the embodiment of the present application may be a network based on a vlan (virtual local area network) model with a small scale, and may also be a large-scale VXLAN network.
Hook: a mechanism for capturing packets in kernel mode. Taking netfilter as an example, netfilter is a subsystem of the Linux kernel that provides a management mechanism for a whole set of hook functions, so that functions such as packet filtering are possible. The netfilter architecture sets hook points (hooks) at several locations along the network flow, at which the relevant processing functions can be registered.
Flooding: a data stream transmission technique used by switches and bridges, in which a data stream received on one interface is transmitted to all interfaces except the one on which it was received. For a data packet sent by a VM, this means that the packet is sent to all VMs except that VM, or to the VMs on all physical nodes except the physical node where the VM is located.
ARP message: when a host wants to send information, it sends an ARP request containing the target IP address to all hosts on the local area network, receives the returned information, and thereby determines the physical address of the target, namely its MAC address.
In addition, the term "and/or" herein is only one kind of association relationship describing an associated object, and means that there may be three kinds of relationships, for example, a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" in this document generally indicates that the preceding and following related objects are in an "or" relationship unless otherwise specified. Furthermore, references to "first" or "second", etc. herein are only used to distinguish between similar items and not to describe a particular order or sequence.
Fig. 1 is a schematic diagram of a VXLAN network. The VXLAN network comprises five physical nodes, namely Host 1 to Host 5, and one or more VMs run on each physical node; for example, VM A and VM B run on Host 1, and VM C runs on Host 2. If VM A on Host 1 wants to communicate with VM G on Host 4, VM A needs to know the MAC address of VM G, so VM A needs to broadcast an ARP message in the whole VXLAN network to inquire the MAC address of VM G. However, a VXLAN network generally has many nodes and the broadcasting cost is high. If a large number of VMs are controlled to continuously broadcast ARP packets, the flooding effect of the ARP packets has a great impact on platform stability and may even crash the VXLAN network, and especially in the case of a network abnormality, locating the VMs responsible is a very difficult task. Even if the network is not a large-scale VXLAN network but a small-scale VLAN network, a large number of VMs sending ARP messages too aggressively can make the network unstable. Therefore, some measure is needed to suppress the flooding of ARP broadcast messages.
Currently, the existing solution is to use the L2_population mode to suppress ARP broadcasting. The basis on which the L2_population mode solves ARP packet flooding is the consideration that ARP packets flood because there is no centralized control plane, whereas the database in Neutron (the core component providing network services in OpenStack, which implements software-based network resource management based on the idea of defining the network by software) stores the mapping relationship between the MAC addresses and IP addresses of all VMs and is a natural native control plane. It is therefore proposed to inject this mapping relationship into the local Open vSwitch (OVS) and process ARP broadcast packets locally to avoid flooding on the tunnel, which is the idea of L2_population.
In a VXLAN network, a VXLAN Tunnel Endpoint (VTEP) is responsible for the encapsulation and decapsulation of VXLAN packets. A pair of VTEPs corresponds to a VXLAN tunnel: the source VTEP encapsulates the message and sends it to the destination VTEP through the tunnel, and the destination VTEP decapsulates the received message. As shown in fig. 2, L2_population provides a proxy ARP function on the VTEP, so that the VTEP can learn the mapping relationship between the MAC address and the IP address of each VM in the VXLAN network from the database in Neutron, and can also store the mapping relationship between the VM and the VTEP. When an ARP broadcast message of a local VM arrives, it is matched against the stored ARP table entries; if the destination IP address in the ARP broadcast message matches, an ARP response packet is generated and returned to the VM from the ingress port of the ARP broadcast message. For example, when VM A needs to communicate with VM G, the VTEP on Host 1 directly responds to the ARP request of VM A with the MAC address of VM G, so that VM A does not need to broadcast to the entire VXLAN network to obtain the MAC address of VM G. If the matching fails, the ARP broadcast message continues to be flooded to the VXLAN network in the original manner. Furthermore, as shown in fig. 2, since the VTEP on Host 1 knows that VM G is located on Host 4, the encapsulated VXLAN packet is sent directly to the VTEP of Host 4.
However, in a VXLAN network the number of VMs is huge, and after the L2_population mode is started the number of entries (including ARP entries and entries for the mapping relationship between VM and VTEP) increases greatly. Matching against these entries consumes more resources, which greatly affects OVS performance. Moreover, because the number of entries is huge, a large number of entries need to be refreshed after the OVS service is restarted, which increases the network disconnection time, and because there are so many entries, combing through them when locating a network problem is very labor-consuming.
The applicant has analyzed the prior art and found that, because the number of VMs is huge, the huge number of table entries introduced by the L2_population mode may result in resource consumption and difficulty in combing through table entries. Therefore, in order to suppress the flooding of ARP broadcast messages without generating the above problems, an excessive number of table entries cannot be introduced. Considering that in actual applications the number of ARP broadcast messages is generally not large, i.e., it does not suddenly increase, the number of ARP broadcast messages of each VM may be limited, so as to prevent excessive ARP broadcast messages from flooding the entire local area network and affecting the stability of the network.
Based on the above analysis and considerations, an embodiment of the present application provides a method for suppressing the flooding of data packets. The method monitors data packets of a set type; when a data packet of the set type is monitored, it intercepts the data packet and determines whether the data packet is one that needs to be subjected to flooding suppression. If so, it determines whether the real-time packet rate of the virtual machine corresponding to the data packet is greater than a set upper rate limit, and if the real-time packet rate of the virtual machine is greater than the set upper rate limit, the intercepted data packet is discarded. That is, the rate at which the virtual machine sends data packets of the specified type is limited, thereby avoiding excessive flooding of data packets that would make the entire network unstable or even crash. For example, for the flooding suppression of ARP broadcast packets, ARP broadcast packets may be monitored and intercepted, and when it is determined that an ARP broadcast packet is a packet targeted for flooding suppression and that the real-time rate at which the corresponding virtual machine sends packets targeted for flooding suppression is greater than the upper rate limit, the ARP broadcast packet is discarded and no longer flooded into the VXLAN network, so that excessive ARP broadcast packets are prevented from flooding the entire VXLAN network and affecting its stability.
In the embodiment of the present application, considering that the processing of the data packet is performed in a kernel state, in order to facilitate the operation of the operation and maintenance personnel, in the embodiment of the present application, an application module and a kernel module are set on each physical node, where the kernel module is used to perform the above flooding suppression process, the operation and maintenance personnel may perform necessary operations through the application module, and the application module and the kernel module may interact through a certain mechanism, thereby instructing the kernel module to perform a corresponding flooding suppression process.
In the embodiment of the application, the interception function is registered on the hook point of the forwarding path of the data packet, and when the data packet passes through the hook point, the interception function can be triggered to intercept the data packet.
In the embodiment of the application, when the packet speed limit is performed on the virtual machine, the packet speed limit can be implemented in a Token Bucket Filter (TBF) manner, so that a specified type of packet can pass at a speed not exceeding a preset speed, and a transient burst flow can be allowed to exceed a set value.
After introducing the design concept of the embodiment of the present application, some simple descriptions are provided below for application scenarios to which the technical solution of the embodiment of the present application can be applied, and it should be noted that the application scenarios described below are only used for describing the embodiment of the present application and are not limited. In a specific implementation process, the technical scheme provided by the embodiment of the application can be flexibly applied according to actual needs.
Please refer to fig. 3, which is an application scenario to which the technical solution in the embodiment of the present application can be applied, and in the scenario, the application scenario may include a control platform terminal 10 and a plurality of physical nodes 20.
The control platform terminal 10 may be a mobile phone, a Personal Computer (PC), a tablet computer (PAD), a palmtop computer (PDA), a notebook computer, or a terminal device such as an intelligent wearable device (e.g., an intelligent watch and an intelligent bracelet). The user terminal 101 may install a VXLAN network control platform application or open a VXLAN network control platform web page (web) through a browser, and then control each physical node 20 through the application or the web, for example, may send a flooding suppression operation instruction to each physical node to instruct the corresponding physical node 20 to perform a flooding suppression process.
Each physical node 20 may run a plurality of VMs 200, and the physical node 20 may perform flooding suppression on the corresponding VM 200 by using the packet flooding suppression method provided in the embodiment of the present application based on the flooding suppression operation instruction sent by the control platform terminal 10. Of course, in addition to sending the flooding suppression operation instruction through the control platform terminal 10, the operation may be directly performed on the physical node 20, so that the physical node 20 obtains the flooding suppression operation instruction.
Fig. 4 is a schematic view of an apparatus structure of the application scenario shown in fig. 3, where fig. 4 only illustrates one physical node as an example.
Among other things, the control platform terminal 10 may include one or more processors 101, memory 102, I/O interfaces 103, and a display panel 104. The memory 102 of the control platform terminal 10 may store program instructions of the application or the web, and when the program instructions are executed by the processor 101, the program instructions can be used to implement functions provided in the application or the web, and display a corresponding display page on the display panel 104, for example, a control page that can display functions of the physical node 20, and then perform a flood suppression operation on the corresponding control page to send a flood suppression operation instruction to the corresponding physical node 20 to instruct the corresponding physical node 20 to perform a flood suppression process.
Each physical node 20 may include one or more processors 201, memory 202, and I/O interfaces 203, among others. The memory 202 may store program instructions of the method for suppressing data packet flooding provided in the embodiment of the present application, and when the program instructions are executed by the processor 201, the method for suppressing data packet flooding provided in the embodiment of the present application may be implemented, so as to perform flooding suppression on the corresponding VM 200.
The control platform terminal 10 and the physical node 20 may be communicatively connected through one or more networks, where the network may be a wired network or a wireless network, for example, the network may be a local area network, and of course, other possible networks may also be used, and the embodiment of the present application is not limited thereto.
Of course, the method provided in the embodiment of the present application is not limited to the application scenario shown in fig. 3, and may also be used in other possible application scenarios, and the embodiment of the present application is not limited. The functions that can be implemented by each device in the application scenario shown in fig. 3 will be described in the following method embodiments, and will not be described in detail herein.
Please refer to fig. 5, which is a flowchart illustrating a method for suppressing packet flooding according to an embodiment of the present application, and the method can be applied to the scenario shown in fig. 3, for example. The method can be applied to a VXLAN network or other virtual local area networks, and the VXLAN network is mainly taken as an example for introduction below. The flow of the method is described below.
Step 501: acquiring a flooding suppression operation instruction.
In this embodiment of the present application, the flooding suppression operation instruction is used to instruct to perform flooding suppression on a data packet of a set type of a specified virtual machine.
The physical node may obtain the flooding suppression operation indication in the following manner.
Specifically, the operation and maintenance personnel can send the flooding suppression operation instruction to the physical node through the control platform. Fig. 6 is a schematic structural diagram of an embodiment of the present invention. The control platform terminal can install a control platform application, or open a control platform web through a browser to display one or more control pages of the VM, wherein the control pages can include a control page for the VM to perform flooding suppression, and the operation and maintenance personnel can perform corresponding flooding suppression operation through the control page; each physical node may include an application module and a kernel module, the kernel module is configured to execute the flooding suppression process, and the kernel module is operated in a kernel state and cannot be directly perceived by an operator, so the application module is configured to provide a control method for an operation and maintenance worker, the operation and maintenance worker may perform necessary operations through the application module, and the application module and the kernel module may interact with each other through a certain mechanism, thereby instructing the kernel module to execute the corresponding flooding suppression process.
Fig. 7 is a schematic diagram of a control page in the control platform terminal. In the control page, the overall flooding suppression status can be checked, such as the version number of the currently running flooding suppression program, the start state of the speed limit function (i.e., the flooding suppression function), and information such as the ratio of virtual machines under flooding suppression to all virtual machines. In addition, the details of the flooding suppression, such as the speed limit value of each virtual machine and the number of data packets actually exceeding the limit, can be checked, and certain operations can be performed on each virtual machine, such as checking the flooding suppression log of a virtual machine or deleting the flooding suppression of a virtual machine. In addition, virtual machines that are not yet subject to flooding suppression can be added to the flooding suppression list. Specifically, "new virtual machine" may be operated on the control page shown in fig. 7, the relevant information of the new virtual machine, such as the virtual machine number, the tap port and the speed limit value, is filled in, and after "start speed limit" is operated, the new virtual machine is added to the flooding suppression device list. Correspondingly, the control platform terminal receives and responds to the flooding suppression operation performed by the operation and maintenance personnel and sends a flooding suppression operation instruction to the physical node where the newly added virtual machine is located, wherein the flooding suppression operation instruction instructs that flooding suppression be performed on data packets of the set type of the specified virtual machine.
Here, when performing addition, the addition may be performed for one virtual machine, or may be performed for a plurality of virtual machines, and when the plurality of virtual machines are located on different physical nodes, the flooding suppression operation instruction may be sent to the physical node where each virtual machine is located.
Correspondingly, the application module arranged on the physical node may receive the flooding suppression operation instruction sent by the control platform terminal, and in response to it send a flooding suppression command to the kernel module by using the communication mechanism between the application module and the kernel module, where the flooding suppression command instructs the kernel module to set the flooding suppression conditions, such as the virtual machine and the data packet type that need flooding suppression. The application module may communicate with the kernel module through a netlink socket mechanism, for example.
Specifically, another way is that the operation and maintenance personnel may directly perform operations on the physical node, and then the physical node may obtain the flooding suppression operation instruction based on the operations performed on the physical node by the operation and maintenance personnel.
Fig. 8 is a schematic diagram of a page for flooding suppression on a physical node. The application module on the physical node can provide a visual operation page, relevant information of the virtual machine which needs to be subjected to flooding suppression, such as the information of a virtual machine number, a tap port, a speed limit value and the like, is input into the operation page, and after the operation of starting the speed limit, a new virtual machine can be added into a flooding suppression device list. Accordingly, the physical node may receive and respond to the flood suppression operation performed by the operation and maintenance personnel to obtain the flood suppression operation instruction.
Similarly, because the application module runs in the application layer, the application module may send a flooding suppression command to the kernel module by using a communication mechanism between the application module and the kernel module in response to the flooding suppression operation instruction, where the flooding suppression command is used to instruct the kernel module to set flooding suppression conditions, such as conditions of a virtual machine and a packet type that need flooding suppression.
Step 502: registering the interception function at a hook point on the forwarding path of the set type of data packet.
In the embodiment of the application, based on the flooding suppression command, in addition to setting the flooding suppression condition, the kernel module also registers the interception function at a hook point on the forwarding path of the set type of data packet. For example, if the set type of packet is an ARP packet, a netfilter ARP hook may be registered on the forwarding path for intercepting ARP packets, that is, an ARP interception hook is registered according to the kernel netfilter registration mechanism, and every ARP packet passing through the ARP interception hook point triggers the interception of that ARP packet. Of course, the set type of data packet may include other types of data packets, for which only the corresponding interception function needs to be registered, and this is not limited in the embodiment of the present application.
Fig. 9 is a schematic diagram of the architecture on a physical node. Fig. 9 takes an OVS as an example, where a port of a VM is connected to a qbr bridge, the qbr bridge is a Linux bridge, the qbr bridge is connected to the integration bridge (br-int) through a tap interface of the OVS, and a port of br-int is connected to the tunnel bridge (br-tun). When sending a data packet, for example when VM 1 needs to send a data packet, VM 1 sends the data packet to qbr 1 through the port between VM 1 and qbr 1, qbr 1 forwards the data packet to br-int via tap1, br-int forwards the data packet to br-tun through the port between br-int and br-tun, and finally the data packet is sent out through the physical port G/eth1 of br-tun. A hook point may then be selected on this forwarding path, and any of the forwarding ports shown in fig. 9 may be used as a hook point; for example, the tap port of br-int may be selected as the hook point, so that the packets sent by all VMs are intercepted on the tap port.
Step 503: determining whether a target data packet of the set type is monitored.
Step 504: if the determination result of step 503 is yes, the target packet is intercepted.
In the embodiment of the application, after the hook point registers the interception function, the target data packet of the set type sent by the virtual machine running on the physical node of the virtual machine can be monitored, that is, whether the target data packet of the set type passes through the hook point is determined, and when the target data packet of the set type passes through the hook point, the interception function is triggered to intercept the target data packet.
Step 505: it is determined whether the target packet is a packet satisfying a flooding suppression condition.
In the embodiment of the present application, a data packet that satisfies a flooding suppression condition is an object to which the flooding suppression is directed, and a data packet other than the object to which the flooding suppression is directed does not need to be subjected to subsequent flooding suppression processing, so that the data packet other than the object to which the flooding suppression is directed can be directly released, that is, forwarded according to an original data packet forwarding manner, and therefore, after a target data packet is intercepted, it is necessary to determine whether the target data packet is a data packet that satisfies the flooding suppression condition.
The data packet satisfying the flooding suppression condition needs to satisfy the following conditions at the same time:
(1) the virtual machine that sends the packet is located in the flooding suppression device list.
After the application module sends the flooding suppression command to the kernel module, the kernel module may add the virtual machine indicated by the flooding suppression command to the flooding suppression device list, and when a target data packet is intercepted, may determine whether the corresponding virtual machine is located in the flooding suppression device list according to a source of the target data packet.
(2) The data packet is a broadcast data packet.
In the embodiment of the application, the targeted object is a broadcast data packet, since a common unicast data packet cannot cause network instability. When a packet is a broadcast packet, its destination address is usually a designated identifier, such as "FF:FF:FF:FF:FF:FF", so whether the data packet is a broadcast data packet can be determined from the destination address of the data packet.
(3) The data packet is a legal data packet.
When the data packet is an illegal data packet, the data packet cannot be forwarded, so that the data packet can be directly discarded. For example, a packet with an empty source address may be considered an illegal packet.
(4) The data packet is a request data packet.
In the embodiment of the present application, the data packets that are flooded into the VXLAN network are generally request data packets, so the targeted data packet is generally a request data packet.
In practical application, whether the intercepted target data packet meets the above conditions can be determined sequentially. If any one of the conditions is not met, the intercepted target data packet is released as a common data packet, or, when the target data packet is an illegal data packet, it is directly discarded.
Step 506: if the determination result in step 505 is yes, it is determined whether the real-time rate of the data packet of the intercepted target virtual machine, which satisfies the flooding suppression condition, is greater than the set upper rate limit value.
In this embodiment of the present application, when it is determined that an intercepted target data packet is a data packet that meets a flooding suppression condition, it may be further determined whether a real-time rate of a target virtual machine corresponding to the intercepted target data packet is greater than a set upper rate limit, where the real-time rate is a real-time rate at which the intercepted target virtual machine sends the data packet that meets the flooding suppression condition, and the set upper rate limit is an upper rate limit set for the target virtual machine by an operation and maintenance worker during a flooding suppression operation. For example, the average speed of the data packets set for the target virtual machine is 5 packets per second, and the allowable upper limit of the burst of the data packets is 1 packet per second, so that the maximum number of data packets that can be sent by the target virtual machine per second and satisfy the flooding suppression condition is 6, that is, the real-time rate of sending the data packets satisfying the flooding suppression condition by the target virtual machine cannot exceed 6 packets per second.
Therefore, when the real-time rate of the target virtual machine is determined to be greater than the set rate upper limit value, the intercepted target data packet is not allowed to continue to pass through, so that the target data packet can be directly discarded, and the phenomenon that excessive data packets flood into the VXLAN network is avoided; and when the real-time speed of the target virtual machine is determined to be not greater than the set speed upper limit value, the intercepted target data packet can be allowed to continuously pass, namely, the intercepted target data packet can be released.
In practical application, when data packet speed limitation is performed on the virtual machine, the data packet speed limitation can be realized in a token bucket filter mode. Fig. 10 is a schematic diagram of a token bucket filter. Among them, the token bucket filter is essentially a simple queue specification: only packets arriving at a rate not exceeding the predetermined rate are allowed to pass, but brief bursts of traffic may be allowed to exceed the predetermined value.
In particular, the token bucket filter is implemented as a token bucket that is constantly filled with tokens at a certain rate (the token rate). The most important parameter of the token bucket is its size, i.e., the number of tokens it can store. Each incoming packet is assigned one or more tokens, and the assigned tokens are removed from the bucket; a packet for which a sufficient number of tokens is available is released, whereas a packet for which there are not enough tokens is discarded. In this way the rate at which the token bucket filter generates tokens limits the number of packets that pass through the bucket, thereby throttling the packets of the virtual machine that satisfy the flooding suppression condition.
As shown in fig. 10, for a virtual machine (or tap port) the token bucket filter involves two streams, namely a token stream and a data stream. The token stream continuously generates tokens at a certain rate and feeds them into the token bucket, where the rate of generating tokens (i.e., the certain rate) is set according to the upper rate limit of the target virtual machine, and the data packets in the data stream are the intercepted data packets of the virtual machine that satisfy the flooding suppression condition. In actual operation, the following three situations may arise:
(1) the data flow reaches the token bucket filter at a rate equal to the token flow.
In this case, each incoming target data packet can be assigned enough tokens and is passed through without delay. For example, if each target data packet consumes one token and tokens arrive at the same rate as packets, each arriving target data packet corresponds to one token and is passed.
(2) The data flow reaches the token bucket filter at a rate less than the token flow.
In this case, the arriving target data packets consume only a portion of the tokens, and the remaining tokens accumulate in the bucket until the bucket is full. The accumulated tokens can be consumed later when the data stream needs to be sent at a rate higher than the token stream, in which case a burst transfer occurs.
(3) The data flow reaches the token bucket filter at a rate greater than the token flow.
In this case, the tokens in the token bucket are soon depleted, and the token bucket filter enters a state known as "over limit" for a period of time. If packets continue to arrive while there are no corresponding tokens, packet loss occurs, which shapes the rate at which packets pass through the filter. Because tokens can accumulate, over-limit data can be transmitted in short bursts without packet loss, but a sustained over-limit condition leads to transmission delay and eventually to packet loss.
Therefore, for an intercepted target data packet, when it is determined that the target data packet satisfies the flooding suppression condition, a TBF algorithm (i.e., a token bucket filter) may further be used to determine whether the real-time packet rate of the target virtual machine corresponding to the target data packet exceeds the limit. Since the upper limit rate of the token bucket filter is designed according to the rate upper limit value, it is determined whether the target data packet satisfies the release condition of the token bucket filter: when the release condition is satisfied, the target data packet is released, and when it is not, the target data packet is discarded. The release condition is that the current number of tokens in the token bucket is not less than the number of tokens to be consumed by the target data packet, that is, when the target data packet arrives, a sufficient number of tokens in the token bucket can correspond to it.
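The token bucket behaviour of cases (1) to (3), together with the figures used in the ARP example under step 1107 below (32 tokens per jiffy, 320 tokens per packet, an initial credit of 3200), as an added C simulation; this is example code, not the kernel module of the present application. It assumes 1000 jiffies per second and a bucket size equal to the burst allowance (10 packets × 320 tokens), and all names (tbf_t, tbf_admit, the case functions) are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed parameters (this example's, not the application's): 1000 jiffies
 * per second, 32 tokens generated per jiffy, 320 tokens consumed per packet,
 * and a bucket that holds 10 packets' worth of tokens (the burst allowance). */
#define JIFFIES_PER_SEC  1000u
#define CREDIT_PER_JIFFY 32u
#define PACKET_COST      320u
#define BURST_PACKETS    10u

typedef struct {
    uint64_t credit;     /* tokens currently in the bucket */
    uint64_t max_credit; /* bucket size: the most tokens it can store */
    uint64_t last_jiffy; /* jiffy at which the bucket was last refilled */
} tbf_t;

typedef struct { unsigned passed, dropped; } tbf_result;

static void tbf_init(tbf_t *t)
{
    t->max_credit = (uint64_t)BURST_PACKETS * PACKET_COST; /* 3200 */
    t->credit = t->max_credit;                              /* starts full */
    t->last_jiffy = 0;
}

/* Refill for the jiffies elapsed since the last call, then apply the release
 * condition: the bucket must hold at least PACKET_COST tokens. 1 = release. */
static int tbf_admit(tbf_t *t, uint64_t now)
{
    t->credit += (now - t->last_jiffy) * CREDIT_PER_JIFFY;
    if (t->credit > t->max_credit)
        t->credit = t->max_credit; /* tokens beyond the bucket size are lost */
    t->last_jiffy = now;
    if (t->credit < PACKET_COST)
        return 0;                  /* over limit: no token, discard */
    t->credit -= PACKET_COST;
    return 1;
}

/* Feed non-decreasing arrival times (in jiffies) through a fresh filter. */
static tbf_result tbf_run(const uint64_t *arrivals, size_t n)
{
    tbf_t t;
    tbf_result r = {0, 0};
    tbf_init(&t);
    for (size_t i = 0; i < n; i++) {
        if (tbf_admit(&t, arrivals[i])) r.passed++; else r.dropped++;
    }
    return r;
}

/* Case (1): arrivals match the token rate, one packet every 10 jiffies. */
static tbf_result case_equal_rate(void)
{
    uint64_t a[100];
    for (size_t i = 0; i < 100; i++) a[i] = 10 * i;
    return tbf_run(a, 100);
}

/* Case (2): half the token rate for a second, then 11 packets in one jiffy;
 * the bucket has refilled to its size, so a burst of 10 passes. */
static tbf_result case_slower_then_burst(void)
{
    uint64_t a[61];
    size_t n = 0;
    for (size_t i = 0; i < 50; i++) a[n++] = 20 * i;
    for (size_t i = 0; i < 11; i++) a[n++] = JIFFIES_PER_SEC;
    return tbf_run(a, n);
}

/* Case (3): 111 packets spread over one second (every 9 jiffies) exceed the
 * sustainable 100/s; the bucket drains and packets are discarded. */
static tbf_result case_over_rate(void)
{
    uint64_t a[111];
    for (size_t i = 0; i < 111; i++) a[i] = 9 * i;
    return tbf_run(a, 111);
}

/* Figures of step 1107: 100 packets at the allowed rate use the 32000 tokens
 * generated in one second, a burst of 10 uses the 3200 held in the bucket,
 * and the 111th packet finds no token. */
static tbf_result case_step_1107_figures(void)
{
    uint64_t a[111];
    size_t n = 0;
    for (size_t i = 0; i < 100; i++) a[n++] = 10 * i;
    for (size_t i = 0; i < 11; i++) a[n++] = JIFFIES_PER_SEC;
    return tbf_run(a, n);
}

int main(void)
{
    tbf_result r = case_step_1107_figures();
    printf("step 1107 figures: %u released, %u discarded\n", r.passed, r.dropped);
    return 0;
}
```

The refill happens lazily at each arrival rather than on a timer, which is how a per-packet hook can apply the filter without any periodic work; the cap on credit is what distinguishes a short permitted burst from a sustained overrun, and a packet that is discarded leaves the credit untouched so that it cannot drive the count negative.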
Step 507: if the determination of step 506 is yes, the target data packet is discarded.
Step 508: if the determination of step 506 is no, the target data packet is released.
Releasing the target data packet means forwarding it according to its original forwarding mode.
Fig. 11 is a schematic flow chart of ARP flooding suppression, taking ARP packets as an example. The process by which the kernel module implements ARP flooding suppression is shown as an example in fig. 11.
Step 1101: registering the netlink handling callback.
The application layer communicates with the kernel module through the netlink mechanism in order to apply an ARP speed limit to a designated tap port; the netlink handling callback adds the tap port to be controlled, or the virtual machine corresponding to that tap port, to the filtering device list. Besides adding an ARP speed limit for a designated tap port, the ARP speed limit can be removed from a limited tap port, or the speed limit information of a limited tap port can be modified, for example the upper limit rate.
Step 1102: the netfilter ARP hook is registered to intercept the ARP data packet.
An ARP interception hook is registered according to the kernel netfilter registration mechanism, and an ARP data packet is intercepted when it passes through the hook point.
Step 1103: it is determined whether the incoming device of the ARP packet is in the filter device list.
Specifically, whether the incoming device of the ARP packet is in the filtering device list decides whether the ARP packet is released: when the incoming device is in the filtering device list, step 1104 is performed; otherwise, step 1109 is performed, that is, the ARP packet is released.
The incoming device may refer to an incoming tap port, or may refer to a virtual machine corresponding to the ARP packet.
Step 1104: it is determined whether the ARP packet is a broadcast packet.
If the ARP packet is a broadcast packet, proceed to step 1105, otherwise, go to step 1109, i.e. release the ARP packet.
Step 1105: it is determined whether the source address of the ARP packet is not null.
If the source address of the ARP packet is not null, proceed to step 1106, otherwise proceed to step 1108, i.e., discard the ARP packet.
Step 1106: it is determined whether the ARP packet is a request packet.
If the ARP packet is a request packet, proceed to step 1107; otherwise, go to step 1109, i.e., release the ARP packet.
Step 1107: determining, according to the TBF algorithm, whether the packet rate of the virtual machine corresponding to the ARP data packet exceeds the limit.
If the packet rate of the virtual machine corresponding to the ARP data packet is determined to exceed the limit according to the TBF algorithm, step 1108 is executed; otherwise, step 1109 is executed.
For example, suppose that for a set virtual machine or tap port the allowed average number of packets satisfying the flooding limit is 100 packets per second, the allowed number of burst packets is 10, and the token bucket filter generates 32 tokens per jiffy, that is, CREDIT_PER_JIFFY is 32, where a jiffy is a specified period of time, for example the length of one clock cycle of the microprocessor. The real-time number of tokens (credit) is initialized to 3200, and the number of tokens consumed by each ARP packet (cost) is 320. If 100 ARP packets arrive per second, then, since each ARP packet consumes 320 tokens, the maximum number of tokens required per second is 320 × 100 + 320 × 10 = 32000 + 3200. Since CREDIT_PER_JIFFY is 32, the number of tokens generated per second is 32 × 1000 = 32000, and together with the initial credit of 3200 this amounts to 32000 + 3200 tokens. Therefore, when the number of ARP packets in one second exceeds 110, the 111th arriving ARP packet has no corresponding token and is discarded.
Step 1108: the ARP packet is discarded.
Step 1109: the ARP packet is released.
In an actual application process, steps 1103 to 1106 have no essential order; when executed, they may follow the sequence shown in fig. 11, or the sequence may be adjusted.
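Steps 1103 to 1106 as an added C classifier over raw Ethernet/ARP frames; this is example code, not the kernel module of the present application. It assumes a 14-byte Ethernet header followed by the 28-byte ARP header (42 bytes in all), reads "broadcast" as an all-ones destination MAC, and reads "source address is null" as an all-zero sender hardware address in the ARP header; a frame too short to carry an ARP header is treated as not legal. The filtering device list, the tap names and the MAC and IP addresses are constructed. Step 1107 is left to the token bucket filter and is reported as the next step rather than re-implemented here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* The step an ARP packet is handed to after the checks of steps 1103 to 1106. */
enum arp_step {
    STEP_1107_RATE_CHECK = 1107, /* candidate for the TBF rate check */
    STEP_1108_DISCARD    = 1108,
    STEP_1109_RELEASE    = 1109
};

/* Constructed filtering device list: tap ports placed under ARP speed limit. */
static const char *const filter_devices[] = { "tap1", "tap2" };

static int device_in_filter_list(const char *in_dev)
{
    for (size_t i = 0; i < sizeof filter_devices / sizeof *filter_devices; i++)
        if (strcmp(in_dev, filter_devices[i]) == 0)
            return 1;
    return 0;
}

/* 14-byte Ethernet header followed by the 28-byte ARP header for IPv4 over
 * Ethernet: htype, ptype, hlen, plen, oper, sha(6), spa(4), tha(6), tpa(4). */
#define ETH_HLEN      14
#define ARP_HLEN      28
#define ETHERTYPE_ARP 0x0806
#define ARPOP_REQUEST 1
#define ARPOP_REPLY   2

static const uint8_t bcast_mac[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
static const uint8_t zero_mac[6]  = {0, 0, 0, 0, 0, 0};
static const uint8_t vm_mac[6]    = {0x52, 0x54, 0x00, 0x12, 0x34, 0x56}; /* constructed */

static enum arp_step arp_next_step(const char *in_dev, const uint8_t *frame, size_t len)
{
    /* Step 1103: packets from devices not in the list are released unchecked. */
    if (!device_in_filter_list(in_dev))
        return STEP_1109_RELEASE;
    /* Assumption: a frame too short to carry an ARP header is not legal. */
    if (len < ETH_HLEN + ARP_HLEN)
        return STEP_1108_DISCARD;
    /* Step 1104: only broadcast frames (all-ones destination MAC) go further. */
    if (memcmp(frame, bcast_mac, 6) != 0)
        return STEP_1109_RELEASE;
    const uint8_t *arp = frame + ETH_HLEN;
    /* Step 1105: an all-zero sender hardware address is treated as a null source. */
    if (memcmp(arp + 8, zero_mac, 6) == 0)
        return STEP_1108_DISCARD;
    /* Step 1106: only ARP requests are rate checked; replies are released. */
    uint16_t oper = (uint16_t)((arp[6] << 8) | arp[7]);
    if (oper != ARPOP_REQUEST)
        return STEP_1109_RELEASE;
    return STEP_1107_RATE_CHECK; /* step 1107: the token bucket filter decides */
}

/* Build a constructed 42-byte ARP frame and return its length. */
static size_t build_arp_frame(uint8_t *out, const uint8_t dst[6],
                              const uint8_t src[6], uint16_t oper,
                              const uint8_t sha[6])
{
    memset(out, 0, ETH_HLEN + ARP_HLEN);
    memcpy(out, dst, 6);
    memcpy(out + 6, src, 6);
    out[12] = ETHERTYPE_ARP >> 8;
    out[13] = ETHERTYPE_ARP & 0xff;
    uint8_t *arp = out + ETH_HLEN;
    arp[1] = 1;                           /* htype: Ethernet */
    arp[2] = 0x08;                        /* ptype: IPv4 (0x0800) */
    arp[4] = 6;                           /* hlen */
    arp[5] = 4;                           /* plen */
    arp[6] = (uint8_t)(oper >> 8);
    arp[7] = (uint8_t)(oper & 0xff);
    memcpy(arp + 8, sha, 6);              /* sender hardware address */
    arp[14] = 10; arp[17] = 1;            /* sender IP 10.0.0.1 (constructed) */
    arp[24] = 10; arp[27] = 2;            /* target IP 10.0.0.2 (constructed) */
    return ETH_HLEN + ARP_HLEN;
}

/* Build a frame with the given fields and classify it; a len smaller than
 * the frame simulates a truncated packet. Returns the next step number. */
static int classify(const char *in_dev, const uint8_t dst[6], uint16_t oper,
                    const uint8_t sha[6], size_t len)
{
    uint8_t f[ETH_HLEN + ARP_HLEN];
    size_t n = build_arp_frame(f, dst, vm_mac, oper, sha);
    return (int)arp_next_step(in_dev, f, len < n ? len : n);
}

int main(void)
{
    printf("broadcast request from tap1 -> step %d\n",
           classify("tap1", bcast_mac, ARPOP_REQUEST, vm_mac, 42));
    printf("broadcast request from tap9 -> step %d\n",
           classify("tap9", bcast_mac, ARPOP_REQUEST, vm_mac, 42));
    return 0;
}
```

The order of the four checks matches fig. 11 but, as the text notes, is not essential: each check only narrows the set of packets that reach the rate check, so any permutation yields the same verdict. The length check before any header access is the one addition a defender would insist on, since a hook that reads the ARP opcode from a short frame would read past the buffer.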
Fig. 12 is a diagram illustrating an effect obtained after the method for suppressing packet flooding according to the embodiment of the present application is applied.
Here devname is the name of the interface on which flooding suppression is performed; override is the number of over-rate packets on that interface from the start of flooding suppression up to the cat time (the time at which the data is displayed); average is the set allowed number of packets per second; and burst is the set allowed number of burst packets per second.
As shown in fig. 12, when flooding suppression is performed with the packet flooding suppression method of the embodiment of the present application, the number of passing packets does not exceed the upper limit value in any unit time (e.g., 1 s). For example, at "01:03:16" only 2 ARP packets are passed, and at "01:03:17" 6 ARP packets are passed; 6 does not exceed the upper limit value, which shows that the flow control effect per unit time is good.
For example, when there are 100 computing nodes (100 VXLANs) in the VXLAN network and 1000 virtual machines are deployed on the 100 computing nodes, if the packet sending rate of each virtual machine is 1000/s, the traffic at each network port is 1000 × 100 × 62 bytes (assuming that the packet length is 8 bytes of preamble + 12 bytes of inter-frame gap + 42 bytes of packet), which is 6.2G; after speed limiting is applied to each virtual machine, for example limiting the packet sending rate of each virtual machine to 5/s, the traffic at each network port is 1000 × 5 × 100 × 62 bytes, which is 31M. This greatly reduces the traffic at each network port and effectively suppresses ARP storms.
In the embodiment of the present application, the flooding suppression situation of each physical node can be counted to support subsequent analysis of abnormal virtual machines. For example, each physical node may count the number of discarded target data packets corresponding to each virtual machine running on it and display that number; of course, other data may also be counted besides the number of discarded target data packets, which is not limited in this embodiment of the present application. Operation and maintenance personnel can then analyse abnormal virtual machines from the displayed data. The display may also follow a certain order, for example the order of the number of discarded target data packets.
Besides being displayed directly on the physical nodes, the statistical data can be sent to the control platform, which can comprehensively analyse and display the data of every physical node. That is, the flooding suppression situation of each physical node can be checked, and the flooding suppression situation of the entire VXLAN network can be checked as a whole, for example through a flooding suppression situation page of the control platform. Fig. 13 is a schematic diagram of a flooding suppression situation page displayed on the control platform; fig. 13 uses only a small number of physical nodes and virtual machines as an example, and in actual applications there may be many more. Operation and maintenance personnel can identify abnormal virtual machines by analysing the flooding suppression situation page. As shown in fig. 13, the flooding suppression situation of each virtual machine on each physical node can be checked visually on this page; for example, the number of overrun packets on the tap1 interface of virtual machine VM 01 on Host 01 since the last query is 300, which is the largest, so that virtual machine may be abnormal and can be checked further. Certainly, the flooding suppression situation page can also provide functions such as ranking or filtering, for example ranking by the number of overrun packets, or filtering out the virtual machines whose number of overrun packets exceeds a certain threshold, so as to help operation and maintenance personnel troubleshoot problem virtual machines, or raising an alarm when a problem virtual machine exists, and the like, so that the VXLAN network is monitored and its stable operation is maintained.
To sum up, in the embodiment of the present application an application module and a kernel module are added: the application module running in user mode registers the tap port rate limiting rule with the kernel module running in kernel mode through netlink, and the kernel module limits the rate of ARP broadcast packets of the tap port according to the TBF algorithm, so that ARP storms are suppressed and flooding suppression of ARP broadcast data packets is realized. In addition, through the application module the flow control parameters (such as the upper limit rate) can be set on site and in real time, and the flow control parameters of a designated port can be adjusted dynamically.
Referring to fig. 14, based on the same inventive concept, an embodiment of the present application further provides a packet flooding suppression apparatus 140, which is applied to a physical node included in a virtual local area network, where the virtual local area network includes a plurality of physical nodes, and each physical node runs at least one virtual machine; the device includes:
an intercepting unit 1401, configured to intercept a target data packet of a set type sent by a virtual machine running on the physical node when the target data packet is monitored;
a determining unit 1402, configured to determine, if the target data packet is a data packet that meets the flooding suppression condition, whether the real-time rate of the intercepted data packets of the target virtual machine that meet the flooding suppression condition is greater than a set rate upper limit value; the target virtual machine is the virtual machine corresponding to the target data packet;
an executing unit 1403, configured to discard the target data packet if the real-time rate is greater than the rate upper limit.
Optionally, each physical node is provided with an application module and a kernel module; the apparatus further comprises an obtaining unit 1404 and a sending unit 1405:
an obtaining unit 1404, configured to obtain a flood suppression operation instruction, where the flood suppression operation instruction is used to instruct flooding suppression on a data packet of a set type of a specified virtual machine;
a sending unit 1405, configured to, in response to the flood suppression operation instruction, invoke the application module to send a flood suppression command to the kernel module, where the flood suppression command is used to instruct the kernel module to set a flood suppression condition, so that the kernel module executes a flood suppression process according to the flood suppression condition.
Optionally, the obtaining unit 1404 is configured to:
acquiring the flooding suppression operation instruction according to a flooding suppression operation performed on the application layer interface of the physical node itself; or,
and receiving a flooding suppression operation instruction sent by a control platform of the virtual local area network.
Optionally, the apparatus further comprises a registration unit 1406;
a registering unit 1406, configured to register an interception function at a hook point on a forwarding path of a set type of packet;
and the intercepting unit 1401 is configured to trigger the interception function to intercept the target data packet when the target data packet reaches the hook point.
Optionally, the data packet that satisfies the flooding suppression condition needs to satisfy the following conditions:
the virtual machine sending the data packet is positioned in the flooding suppression equipment list;
the data packet is a broadcast data packet;
the data packet is a legal data packet;
the data packet is a request data packet.
Optionally, the determining unit 1402 is configured to:
determining whether the target data packet satisfies the release condition of the token bucket filter; the token bucket filter generates tokens at a set generation rate, the release condition is that the current number of tokens in the token bucket filter is not less than the number of tokens to be consumed by the target data packet, and the generation rate is set according to the rate upper limit value of the target virtual machine.
Optionally, the set-type data packet is an address resolution protocol (ARP) data packet.
The apparatus may be configured to execute the methods in the embodiments shown in fig. 5 to 13; therefore, for the functions that can be realized by each functional module of the apparatus, reference may be made to the description of the embodiments shown in fig. 5 to 13, which is not repeated here. The obtaining unit 1404, the sending unit 1405 and the registration unit 1406 are not indispensable functional units and are therefore shown by broken lines in fig. 14.
Referring to fig. 15, based on the same technical concept, an embodiment of the present application further provides a computer device 150, which may include a memory 1501 and a processor 1502.
The memory 1501 is used for storing computer programs executed by the processor 1502. The memory 1501 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created according to use of the computer device, and the like. The processor 1502 may be a Central Processing Unit (CPU), a digital processing unit, or the like. The specific connection medium between the memory 1501 and the processor 1502 is not limited in the embodiments of the present application. In the embodiment of the present application, the memory 1501 and the processor 1502 are connected by the bus 1503 in fig. 15, the bus 1503 is shown by a thick line in fig. 15, and the connection manner between other components is merely illustrative and not limited. The bus 1503 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 15, but this is not intended to represent only one bus or type of bus.
The memory 1501 may be a volatile memory, such as a random-access memory (RAM); the memory 1501 may also be a non-volatile memory such as, but not limited to, a read-only memory (ROM), a flash memory, a hard disk (HDD) or a solid-state drive (SSD); or the memory 1501 may be any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 1501 may also be a combination of the above memories.
A processor 1502 for executing the methods involved by the respective apparatuses in the embodiments shown in fig. 5 to 13 when calling the computer program stored in the memory 1501.
In some possible embodiments, various aspects of the methods provided by the present application may also be implemented in the form of a program product including program code for causing a computer device to perform the steps of the methods according to various exemplary embodiments of the present application described above in this specification when the program product is run on the computer device, for example, the computer device may perform the methods involved by the embodiments shown in fig. 5-13.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.