CN100574182C - Method of tracing to a Layer 2 switch port - Google Patents


Info

Publication number: CN100574182C
Application number: CNB2006100992286A
Authority: CN (China)
Prior art keywords: address, layer, port, switch, tracing
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN101110668A (en)
Inventors: 唐本亭, 程卫东, 杨光华, 张峰, 郭松
Current assignee: China Mobile Communications Group Co Ltd
Original assignee: China Mobile Communications Group Co Ltd
Priority date: 2006-07-21
Filing date: 2006-07-21
Publication dates: 2008-01-23 (CN101110668A), 2009-12-23 (CN100574182C)

Application filed by China Mobile Communications Group Co Ltd
Priority to CNB2006100992286A
Publication of CN101110668A
Application granted
Publication of CN100574182C
Legal status: Active

Abstract

The invention relates to a method of tracing to a Layer 2 switch port, comprising the following steps: after the network management device receives a trace request message, it uses the IP address in the request to find the Layer 3 switching device of the network segment that the IP address belongs to, obtains the physical (MAC) address of the host corresponding to that IP address, and identifies the downlink port of the Layer 3 switching device; the network management device then reads the physical address table of the Layer 2 switch attached to that downlink port and, from that table and the host's physical address, obtains the number of the Layer 2 switch port to which the host is connected. With the invention, the Layer 2 switch port to which the host of any IP address in the network is connected can be found.

Description

Method of tracing to a Layer 2 switch port
Technical field
The invention relates to a method of tracing to a Layer 2 switch port, in particular a method that uses the Simple Network Management Protocol (SNMP) in a complex Layer 3 switched network to trace back to the Layer 2 switch access port that is directly connected to a target host.
Background art
Because the IP network environment is open and IPv4 gave little consideration to security when it was designed, the security situation of IP networks is severe: from Code Red and Code Blue in 2001 to the Blaster and Sasser worms of 2003 and 2004, every one of these worm outbreaks caused serious damage. When facing a malicious worm or a large-scale denial-of-service attack, one very important task is to locate precisely where the traffic is being sent from, that is, to trace the abnormal traffic back to its source.
As shown in Figure 1, tracing the large traffic flows caused by malicious attacks, viruses and the like is fairly simple in a Layer 3 network. A Layer 3 network is made up of devices operating at Layer 3, such as router A and Layer 3 switch B, and every Layer 3 device holds a routing table, an ARP (Address Resolution Protocol) table and similar information. In a Layer 3 network, once the source IP address that sends the attack or virus traffic is known, the routing information in the Layer 3 devices can be followed hop by hop back to where the flow originates, as far as the port of the Layer 3 device at the edge of the Layer 3 network. There are many ways to obtain the source IP address and the routing information; a common one is to obtain the source IP address of the flow with a technology such as NetFlow, cFlowd, sFlow or NetStream, and to obtain the routing information by establishing a BGP (Border Gateway Protocol) neighbour relationship with the network devices; combining the two completes the trace within the Layer 3 network. NetFlow flow analysis is a built-in function of Cisco IOS devices; a NetFlow data record contains the source and destination addresses, the protocol and ports used by the end-to-end session, and similar information.
However, the edge router of a Layer 3 network seldom connects host D directly; more commonly a Layer 2 switch C connects the hosts to Layer 3 switch B. Tracing only as far as the port of the Layer 3 device therefore does not directly reveal the host that is sending the attack or virus traffic.
Summary of the invention
The object of the invention is to overcome the above shortcoming of the prior art by providing a method of tracing to a Layer 2 switch port that can find the Layer 2 switch port through which a host is attached.
To achieve this object, the invention provides a method of tracing to a Layer 2 switch port comprising the following steps:
Step 1: after the network management device receives a trace request message, it uses the IP address in the request to find the Layer 3 switching device of the network segment that the IP address belongs to;
Step 2: when the Layer 3 switching device is a router, the network management device obtains the physical address corresponding to the IP address from the address resolution table of the router, and finds the downlink port of the router from the network segment that the IP address belongs to;
when the Layer 3 switching device is a Layer 3 switch, the network management device obtains the physical address corresponding to the IP address from the address resolution table of the Layer 3 switch, and then finds the downlink port of the Layer 3 switch from the physical address table of the Layer 3 switch;
Step 3: the network management device reads the physical address table of the Layer 2 switch connected to that downlink port;
Step 4: from the physical address table of the Layer 2 switch and the physical address, the network management device obtains the number of the Layer 2 switch port to which the host is connected.
By having the network management device read the address resolution table of the Layer 3 device, the physical address of the host to be traced is obtained and, on the basis of the IP address, the set of Layer 2 switches that has to be searched is reduced to a minimum, which makes the trace more efficient; the port that connects the host is then found from the host's physical address and the physical address table of the Layer 2 switch.
In the above scheme the network management device uses the Simple Network Management Protocol to read the address resolution table and/or the physical address table of the Layer 3 switching device or the Layer 2 switch. Before step 1 the method may further include obtaining, by flow analysis, the IP address of the host that is sending the traffic: the IP address sending the suspicious traffic is obtained first, so that the Layer 2 switch port connecting the host behind the attacking or virus-sending IP address can then be traced, and the root of the network disruption found.
With the invention, the Layer 2 switch port to which the host of any IP address in the network is attached can be found.
The technical scheme of the invention is described in further detail below with reference to the drawings and embodiments.
Description of drawings
Figure 1 is the network topology of the background art of the method of tracing to a Layer 2 switch port of the invention;
Figure 2 is a flow chart of a preferred embodiment of the method of tracing to a Layer 2 switch port of the invention;
Figure 3 is a flow chart of another preferred embodiment of the method of tracing to a Layer 2 switch port of the invention.
Embodiments
The invention solves the problem of how, in a switched network, to trace from a source IP address to the Layer 2 switch access port to which the host is directly connected. The network management device uses SNMP (Simple Network Management Protocol) to read the ARP table and/or the MAC table of the switching devices. With the invention any IP address in the network can be traced. Figure 2 is the flow chart of a preferred embodiment of the method of tracing to a Layer 2 switch port; given a known IP address 64.1.0.6 in the network, the Layer 2 switch port to which its host is connected is traced by carrying out the following steps.
Step 11: after the network management device receives a trace request for the IP address 64.1.0.6, it obtains the Layer 3 switching device for 64.1.0.6 from the routing table;
Step 12: if this Layer 3 switching device is a router, and the network segment of router port Ethernet 3 is 64.1.0.0/6, the network management device uses SNMP to read the ARP table of the router and obtains the MAC address corresponding to 64.1.0.6, for example 0009.6bc4.d4bf;
Step 13: the network management device uses SNMP to read the MAC table of the Layer 2 switch connected below router port Ethernet 3;
Step 14: from that MAC table the network management device obtains the Layer 2 switch port number corresponding to 0009.6bc4.d4bf, port 40.
At this point the network management device has traced to the Layer 2 switch access port to which 64.1.0.6 is connected, and the host 64.1.0.6 can be reached through port 40.
Figure 3 is the flow chart of another preferred embodiment of the method of tracing to a Layer 2 switch port, in which the Layer 3 switching device that the IP address to be traced is attached to is a Layer 3 switch; the following steps are carried out:
Step 21: after the network management device receives a trace request for the IP address 64.1.0.6, it obtains from the routing table that the Layer 3 switching device for 64.1.0.6 is a Layer 3 switch;
Step 22: the network management device reads the ARP table and the MAC table of this Layer 3 switch, and obtains the MAC address 0009.6bc4.d4bf corresponding to 64.1.0.6 and, from that MAC address, port 19 of the Layer 3 switch;
Step 23: the network management device uses SNMP to read the MAC table of the Layer 2 switch connected below port 19 of the Layer 3 switch;
Step 24: from that MAC table the network management device obtains the Layer 2 switch port number corresponding to 0009.6bc4.d4bf, port 40.
Likewise, the network management device has now traced to the Layer 2 switch access port to which 64.1.0.6 is connected, and the host 64.1.0.6 can be reached through port 40.
When the system is to trace the IP address that launched an attack or sent a virus, the suspicious IP address carrying the larger traffic volume can first be obtained by flow analysis before step 11; executing step 11 and step 12 onward then traces to the host that launched the attack or sent the virus.
In addition, once the network management device has traced to the Layer 2 switch port, it can also store the traced IP address, the MAC address of the host and the Layer 2 switch port number together in correspondence, giving a dynamic three-way mapping table.
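The four steps above, the flow-analysis pre-step and the IP/MAC/port record, as an added example in Python that is not code from the patent. The ARP table (ipNetToMediaTable) and MAC forwarding table (dot1dTpFdbTable) that the network management device would read over SNMP are replaced by constructed dictionaries so that the walk runs offline. The host 64.1.0.6, MAC 0009.6bc4.d4bf, router port Ethernet3, Layer 3 switch port 19 and Layer 2 port 40 are taken from the embodiments; the device names, the /24 prefixes, the second host 64.2.0.6 behind the Layer 3 switch and the flow records are assumptions. The example goes one step beyond the patent: when the MAC is learned on a port that is itself an uplink to a further Layer 2 switch, it follows the cascade down to the edge switch.

```python
"""Trace an IP address to the Layer 2 access port its host sits behind.

Added example; not code from the patent. The ARP table (ipNetToMediaTable)
and MAC forwarding table (dot1dTpFdbTable) that the network management
device reads over SNMP are replaced by constructed dictionaries below.
"""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class L3Device:
    name: str
    kind: str                                           # "router" or "l3switch"
    arp: dict                                           # ip -> mac
    port_networks: dict = field(default_factory=dict)   # port -> prefix (router)
    mac_table: dict = field(default_factory=dict)       # mac -> port (L3 switch)
    downlinks: dict = field(default_factory=dict)       # port -> L2 switch name


@dataclass
class L2Device:
    name: str
    mac_table: dict                                     # mac -> port
    uplinks: dict = field(default_factory=dict)         # port -> next L2 switch


def top_talker(flows):
    """Pre-step: the source IP with the largest byte count in the flow records."""
    volume = Counter()
    for src, _dst, nbytes in flows:
        volume[src] += nbytes
    return volume.most_common(1)[0][0]


def find_l3_device(ip, routes):
    """Step 1: longest-prefix match of ip in the management station's routing table."""
    addr = ip_address(ip)
    best = None
    for prefix, dev in routes.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    if best is None:
        raise LookupError(f"no route for {ip}")
    return best[1]


def find_downlink(dev, ip, mac):
    """Step 2: router -> port whose segment holds ip; L3 switch -> port from its MAC table."""
    if dev.kind == "router":
        for port, prefix in dev.port_networks.items():
            if ip_address(ip) in ip_network(prefix):
                return port
    elif dev.kind == "l3switch" and mac in dev.mac_table:
        return dev.mac_table[mac]
    raise LookupError(f"{dev.name}: no downlink port for {ip} / {mac}")


def trace(ip, routes, l3devices, l2devices):
    """Steps 1-4; returns the IP / MAC / port record that the method stores."""
    dev = l3devices[find_l3_device(ip, routes)]
    mac = dev.arp.get(ip)
    if mac is None:                       # stale host or forged source address
        raise LookupError(f"{dev.name}: {ip} not in ARP table")
    l3port = find_downlink(dev, ip, mac)
    sw = l2devices[dev.downlinks[l3port]]
    seen = set()
    while True:                           # steps 3-4, repeated down a cascade
        port = sw.mac_table.get(mac)
        if port is None:                  # entry aged out of the bridge table
            raise LookupError(f"{sw.name}: {mac} not in MAC table")
        if port not in sw.uplinks or sw.name in seen:
            break                         # an access port: the host is here
        seen.add(sw.name)                 # beyond the patent: follow the uplink
        sw = l2devices[sw.uplinks[port]]
    return {"ip": ip, "mac": mac, "l3": dev.name, "l3_port": l3port,
            "switch": sw.name, "port": port}


# Constructed tables standing in for the SNMP reads (prefixes and names assumed).
MAC = "0009.6bc4.d4bf"
ROUTES = {"64.1.0.0/24": "routerA", "64.2.0.0/24": "switchB"}
L3 = {
    "routerA": L3Device("routerA", "router", {"64.1.0.6": MAC},
                        port_networks={"Ethernet3": "64.1.0.0/24"},
                        downlinks={"Ethernet3": "switchC"}),
    "switchB": L3Device("switchB", "l3switch", {"64.2.0.6": "0009.6bc4.d4c0"},
                        mac_table={"0009.6bc4.d4c0": "19"},
                        downlinks={"19": "switchD"}),
}
L2 = {
    "switchC": L2Device("switchC", {MAC: "40", "0009.6bc4.aaaa": "12"}),
    "switchD": L2Device("switchD", {"0009.6bc4.d4c0": "2"}, uplinks={"2": "switchE"}),
    "switchE": L2Device("switchE", {"0009.6bc4.d4c0": "40"}),
}
FLOWS = [("64.1.0.6", "10.0.0.1", 900_000),   # constructed flow records
         ("64.1.0.9", "10.0.0.2", 1_200),
         ("64.1.0.6", "10.0.0.3", 700_000)]

if __name__ == "__main__":
    print(trace(top_talker(FLOWS), ROUTES, L3, L2))
```

Two practical points the patent text leaves implicit. A bridge forwarding table only holds addresses seen within the switch's ageing time, so the trace has to run while the suspicious flow is still active, and a flow whose source address is forged will not resolve in the ARP table at all; both cases surface here as a LookupError rather than as a wrong port. The uplink ports are listed explicitly because nothing in the MAC table itself distinguishes an access port from a trunk, and a MAC learned on a trunk means the host is behind yet another switch.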
Finally, it should be noted that the above embodiments only illustrate the technical scheme of the invention and do not limit it; although the invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical scheme of the invention may be modified or replaced by equivalents without departing from the spirit and scope of the technical scheme of the invention.

Claims (4)

1. A method of tracing to a Layer 2 switch port, characterized by carrying out the following steps:
Step 1: after the network management device receives a trace request message, it uses the IP address in the request to find the Layer 3 switching device of the network segment that the IP address belongs to;
Step 2: when the Layer 3 switching device is a router, the network management device obtains the physical address corresponding to the IP address from the address resolution table of the router, and finds the downlink port of the router from the network segment that the IP address belongs to;
when the Layer 3 switching device is a Layer 3 switch, the network management device obtains the physical address corresponding to the IP address from the address resolution table of the Layer 3 switch, and then finds the downlink port of the Layer 3 switch from the physical address table of the Layer 3 switch;
Step 3: the network management device reads the physical address table of the Layer 2 switch connected to that downlink port;
Step 4: from the physical address table of the Layer 2 switch and the physical address, the network management device obtains the number of the Layer 2 switch port to which the host is connected.
2. The method of tracing to a Layer 2 switch port according to claim 1, characterized in that, before step 1, it further comprises: obtaining by flow analysis the IP address of the host that is sending the traffic.
3. The method of tracing to a Layer 2 switch port according to claim 1, characterized in that the network management device reads the address resolution table and/or the physical address table of the Layer 3 switching device or the Layer 2 switch by means of the Simple Network Management Protocol.
4. The method of tracing to a Layer 2 switch port according to any one of claims 1 to 3, characterized in that, after step 4, it further comprises: the network management device stores the IP address, the MAC address of the host and the Layer 2 switch port number together in correspondence.

Priority application: CNB2006100992286A, priority date 2006-07-21, filing date 2006-07-21, Active

Publications (2)

Publication number | Publication date
CN101110668A | 2008-01-23
CN100574182C (granted) | 2009-12-23

Family ID: 39042578

Country status: CN (1), CN100574182C

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102904741A (en) * 2011-07-29 2013-01-30 蓬莱中柏京鲁船业有限公司 Network equipment and setting method thereof
CN106470213A (en) * 2016-10-17 2017-03-01 杭州迪普科技股份有限公司 A kind of source tracing method of attack message and device
CN107888563B (en) * 2017-10-17 2020-07-14 北京北信源软件股份有限公司 Method and device for determining terminal access position
CN108769055A (en) * 2018-06-14 2018-11-06 北京神州绿盟信息安全科技股份有限公司 A kind of falseness source IP detection method and device



Legal Events

Code | Description
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C14 | Grant of patent or utility model
GR01 | Patent grant