CN103618723A - Method and device for preventing looped network protocol message from attacking device CPU - Google Patents

Method and device for preventing looped network protocol message from attacking device CPU

Info

Publication number
CN103618723A
Authority
CN
China
Prior art keywords
network protocol
message
looped network
ring network
characteristic value
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201310642307.7A
Other languages
Chinese (zh)
Other versions
CN103618723B (en)
Inventor
江启运
吕志勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Kyland Technology Co Ltd
Original Assignee
Kyland Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Kyland Technology Co Ltd
Priority to CN201310642307.7A (patent/CN103618723B/en)
Publication of CN103618723A (patent/CN103618723A/en)
Application granted
Publication of CN103618723B (patent/CN103618723B/en)
Legal status: Active (current)
Anticipated expiration

Abstract

Translated from Chinese

The invention discloses a method and a device for preventing ring network protocol packets from attacking the CPU of a device. It solves the problem that existing defences against such attacks disturb the normal operation of the ring network or cause ring network protocol faults. The method includes: when a device detects that the packets it processes are overspeed (arriving faster than a set rate), it generates a random value used to derive a ring network protocol characteristic value and sends the random value to every device in the ring network, so that the hardware of each device checks received packets against the newly generated characteristic value and forwards a packet to the CPU only when it is not an attack packet. In the embodiment of the invention, as soon as a device detects that the ring network protocol packets it processes are overspeed, the ring network protocol characteristic value in every device of the ring is updated, so attack packets can be filtered out promptly; because the check is done in hardware, attacks on the device CPU by ring network protocol packets are effectively prevented.

Description

Translated from Chinese
Method and device for preventing ring network protocol packets from attacking a device CPU

Technical field

The invention relates to the technical field of industrial Ethernet, and in particular to a method and a device for preventing ring network protocol packets from attacking the CPU of a device.

Background

To ensure the security of industrial Ethernet, it is common practice to plan the network around a ring network protocol with fast switchover capability. The ring network protocol guarantees normal communication on the network: if the protocol malfunctions, communication across the whole network is severely disrupted and, in serious cases, the network can be paralysed. The security of the ring network protocol is therefore critical to the entire network.

Among attacks on the ring network protocol, one of the more serious is to forge a large number of ring network protocol packets in order to overwhelm the CPUs of the devices in the ring. In this attack, the attacker captures packets on the ring to obtain the characteristic value of the ring network protocol, then forges packets carrying that characteristic value, or simply sends the captured packets back to a device port. Although the device CPU checks each packet for validity, the attack still places a considerable load on the CPUs of the devices in the ring.

The prior art addresses this load in the following ways:

The CPU of each device in the ring network counts the ring network protocol packets received on each port, and when a large number of such packets arrives on a port, that port is shut down for a period of time. However, shutting down the port terminates all normal communication on it and disturbs the normal operation of the ring.

Alternatively, the CPU of each device counts the ring network protocol packets received on each port and, when a large number arrives on a port, rate-limits the specific protocol packets that the port sends up to the CPU, thereby reducing the load on the CPU. With this method, however, if a large number of genuine packets of that protocol is being sent to the CPU through the port while the port is rate-limited, many genuine packets are dropped along with the forged ones, causing the ring network protocol to malfunction.

Summary of the invention

Embodiments of the invention provide a method and a device for preventing ring network protocol packets from attacking the CPU of a device, in order to solve the problem that prior-art defences against such attacks disturb the normal operation of the ring network or cause ring network protocol faults.

An embodiment of the invention provides a method for preventing ring network protocol packets from attacking the CPU of a device, the method comprising:

a first ring network device detecting whether the ring network protocol packets it processes are overspeed;

when overspeed is detected, generating a random value used to derive the ring network protocol characteristic value, and sending the random value to the other devices in the ring network;

and sending to the other devices in the ring network a notification to start using the new characteristic value, so that the hardware of every device in the ring checks ring network protocol packets against the newly generated characteristic value, where the new characteristic value is generated from the random value, the packet type information, the address information of each device, and the encryption algorithm stored in each device.

An embodiment of the invention provides a device for preventing ring network protocol packets from attacking the CPU of a device, the device comprising:

a detection module for detecting whether the ring network protocol packets processed by the device are overspeed;

a first sending module for generating, when overspeed is detected, a random value used to derive the ring network protocol characteristic value, and sending the random value to the other devices in the ring network;

a second sending module for sending to the other devices in the ring network a notification to start using the new characteristic value, so that the hardware of every device in the ring checks ring network protocol packets against the newly generated characteristic value, where the new characteristic value is generated from the random value, the packet type information, the address information of each device, and the encryption algorithm stored in each device.

Embodiments of the invention provide a method and a device for preventing ring network protocol packets from attacking the CPU of a device. The method includes: when a device in the ring detects that the number of ring network protocol packets it processes is overspeed, it generates a random value used to derive the ring network protocol characteristic value and sends that random value to every device in the ring, so that after the hardware of each device receives the notification to start using the new characteristic value, it checks received ring network protocol packets against the newly generated characteristic value and forwards a packet to the CPU only when the check shows it is not an attack packet. Because, in the embodiment of the invention, the ring network protocol characteristic value in every device of the ring is updated as soon as a device detects that the packets it processes are overspeed, attack packets can be filtered out promptly; and because the check is carried out by hardware, attacks on the device CPU by ring network protocol packets are effectively prevented.

Description of the drawings

Fig. 1 is a schematic diagram of a process for preventing ring network protocol packets from attacking a device CPU, provided by an embodiment of the invention;

Fig. 2 is a schematic diagram of one specific implementation of the process for preventing ring network protocol packets from attacking a device CPU, provided by an embodiment of the invention;

Fig. 3 is a schematic diagram of another specific implementation of the process for preventing ring network protocol packets from attacking a device CPU, provided by an embodiment of the invention;

Fig. 4 is a schematic diagram of the network topology of the devices in the ring network, provided by an embodiment of the invention;

Fig. 5 is the detailed implementation of the process for preventing ring network protocol packets from attacking a device CPU, based on Fig. 4, provided by an embodiment of the invention;

Fig. 6 is a schematic structural diagram of a device for preventing ring network protocol packets from attacking a device CPU, provided by an embodiment of the invention.

Detailed description

To filter attack packets effectively, prevent ring network protocol packets from attacking the device CPU, and keep the ring network operating normally, the invention provides a method and a device for preventing ring network protocol packets from attacking the CPU of a device.

The invention is described in detail below with reference to the accompanying drawings.

Fig. 1 shows a process for preventing ring network protocol packets from attacking a device CPU, provided by an embodiment of the invention. The process comprises the following steps:

S101: The CPU of each device in the ring network processes ring network protocol packets.

Every device in the ring processes packets; ring network protocol packets in particular must be handled by the CPU.

S102: The first device detects whether the ring network protocol packets it processes are overspeed. If overspeed is detected, proceed to step S103; otherwise, repeat step S102.

Because ring network protocol packets are processed by the CPU of every device, the detection module of every device can continuously check whether the packets handled by its own CPU are overspeed. The first device may be any device in the ring, and the detection module is a unit with logic-decision capability, such as an FPGA.

S103: Generate a random value used to derive the ring network protocol characteristic value, and send the random value to the other devices in the ring network.

When the first device detects that the ring network protocol packets it processes are overspeed, it generates a random value, which is used to derive the ring network protocol characteristic value. Having generated the random value, the first device picks either one of its two ring ports and sends the random value to the other devices in the ring through that port.

To make sure every device in the ring receives the random value, the first device may start a timer whose duration is set according to the time needed for the random value to reach every device in the ring. The first device then checks whether, before the timer expires, it receives the random value back on its other ring port from the other devices. If it does, it concludes that every device in the ring has received the random value; otherwise it resends the random value around the ring until every device has received it.

In the embodiment of the invention, the first device may send the random value embedded in other information, for example in the packet-overspeed notification, so that every device in the ring receives the random value.

S104: Send to the other devices in the ring network a notification to start using the new characteristic value, so that the hardware of every device in the ring checks ring network protocol packets against the newly generated characteristic value, where the new characteristic value is generated from the random value, the packet type information, the address information of each device, and the encryption algorithm stored in each device.

Once the random value has been delivered to every device in the ring, the new characteristic value can be enabled. The first device therefore sends, through its ring port, a notification to the other devices to enable the new characteristic value, whereupon each device generates a new characteristic value from the received random value, the packet type information, its own address information, and the encryption algorithm it stores; the encryption algorithm stored in every device is the same.

After each device has generated its new characteristic value, it carries that value in the ring network protocol packets it sends. Before a device's CPU processes a ring network protocol packet, the device's hardware checks the packet against the new characteristic value: if the packet is judged not to be an attack packet, it is forwarded to the CPU for processing; otherwise it is discarded.

Because, in the embodiment of the invention, a device that detects overspeed in the packets it processes triggers an update of the ring network protocol characteristic value in every device of the ring, attack packets can be filtered out promptly; and because the check is carried out by hardware, attacks on the device CPU by ring network protocol packets are effectively prevented.

Specifically, in the embodiment of the invention only ring network protocol packets are sent up to the CPU for processing, so each device can judge whether the packets handled by its CPU are overspeed from the number of ring network protocol packets sent up to the CPU. When they are overspeed, the device can be considered to be under attack by ring network protocol packets.

To prevent such attacks effectively, the embodiment of the invention changes the characteristic value of the ring network protocol. Because the characteristic value is updated in every device inside the ring, while an external attacking device needs a certain amount of time to capture and identify the new value, attack packets can to a large extent be identified and discarded, and attacks on the device CPU by ring network protocol packets are thereby prevented to a large extent.

In the embodiment of the invention, every device in the ring stores the same encryption algorithm. To prevent the algorithm from being cracked from captured packets once a new characteristic value has been generated with it, and so to raise the security of the scheme, the first ring network device, after detecting overspeed and notifying every device in the ring to generate a new characteristic value, sends the other devices a notification to update the encryption algorithm, so that every device in the ring switches to the same new encryption algorithm. The algorithm update may also be performed periodically: at a set interval one device sends the other devices an update message carrying the identifier of the algorithm to switch to. Alternatively, the encryption algorithms are stored in the same order in every device, and on receiving an algorithm-update notification each device moves to the next algorithm in that order. For example, every device in the ring stores a first, second, third and fourth encryption algorithm in that order. Initially, whenever a characteristic value has to be generated, each device uses the first encryption algorithm to encrypt the random value. After the devices receive an algorithm-update notification, each device generates subsequent characteristic values with the second encryption algorithm; after the next update notification, with the third; and so on.

To further enhance the security of the new characteristic value, when the first device detects that the ring network protocol packets it processes are overspeed, it sends, together with the random value used to derive the characteristic value, the algorithm code of the locally stored encryption algorithm it intends to use. Each device in the ring looks up the algorithm corresponding to that code among its locally stored algorithms. This guarantees both that every device uses the same encryption algorithm and that a different algorithm is used each time the characteristic value is switched.

In the embodiment of the invention, the characteristic value of each device is generated from the received random value, the packet type information, the address information of the device sending the packet, and the encryption algorithm stored in each device. The random value received by every device and the algorithm stored in every device are the same, but the address information of each device differs, so different devices generate different characteristic values even for the same packet type, and a single device generates different values for different packet types. After generating its characteristic value, each device carries it in the ring network protocol packets it sends. The device address information may be, for example, the IP address or the MAC address of the device.

After each device in the ring has generated its new characteristic value, it writes the value into its hardware, and the hardware then uses it to judge whether each ring network protocol packet destined for the CPU is an attack packet. The process comprises:

after the hardware of the first device receives a ring network protocol packet to be processed, identifying the characteristic value carried in the packet;

determining the random value corresponding to the packet from the characteristic value, the address information of the device that sent the packet, the packet type information, and the stored encryption algorithm;

judging whether that random value is the same as the locally stored random value;

if they are the same, forwarding the packet to the CPU for processing; otherwise, discarding the packet.

In the embodiment of the invention, the hardware may be a switching chip or similar.

Specifically, because each device in the ring generates the characteristic value from the received random value, the packet type information, the device address information and the stored encryption algorithm, the device hardware, on receiving a ring network protocol packet, identifies the characteristic value it carries and runs the generation process in reverse: from the characteristic value, the address information of the sending device, the packet type information and the stored encryption algorithm it determines the random value that produced the characteristic value. This decides whether the packet is an attack packet, because only when the recovered random value equals the locally stored random value is the packet not an attack packet.
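The following simulation is an added example, not code from the patent or from Kyland Technology; it puts the generation of the characteristic value, the algorithm-code rotation, and the hardware reverse check described above into one runnable model. The patent names no cipher, so the "encryption algorithm" is assumed here to be a keyed pad (HMAC-SHA256 over packet type and sender address) XORed with the random value, which keeps the patent's reverse process literal: XOR is its own inverse. The bank of four keys standing in for the first to fourth algorithm, the 8-byte tag length, the MAC addresses, the rate window and the threshold are all constructed values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the patent's bank of "encryption algorithms": one keyed
# function under four shared secret keys, so the patent's first/second/third/fourth
# algorithm becomes key index 0/1/2/3 (assumption: the patent names no cipher).
ALGORITHM_KEYS = [b"ring-algo-0", b"ring-algo-1", b"ring-algo-2", b"ring-algo-3"]
TAG_LEN = 8  # size of the random value and of the characteristic value (assumed)


def pad(algo_index: int, msg_type: str, address: str) -> bytes:
    """Keyed pad derived from (algorithm, packet type, sending-device address)."""
    data = f"{msg_type}|{address}".encode()
    return hmac.new(ALGORITHM_KEYS[algo_index], data, hashlib.sha256).digest()[:TAG_LEN]


def make_feature(random_value: bytes, algo_index: int, msg_type: str, address: str) -> bytes:
    """Characteristic value: the random value XORed with the pad, so it is invertible."""
    return bytes(r ^ p for r, p in zip(random_value, pad(algo_index, msg_type, address)))


def recover_random(feature: bytes, algo_index: int, msg_type: str, address: str) -> bytes:
    """The patent's reverse process; XOR is its own inverse, so this yields the random value."""
    return make_feature(feature, algo_index, msg_type, address)


@dataclass
class Packet:
    msg_type: str   # packet type information
    src: str        # address information of the sending device
    feature: bytes  # characteristic value carried in the packet


@dataclass
class RingDevice:
    address: str
    random_value: bytes = bytes(TAG_LEN)  # value currently shared around the ring
    algo_index: int = 0
    recent_cpu: list = field(default_factory=list)  # timestamps of packets passed to the CPU
    dropped: int = 0

    def build(self, msg_type: str) -> Packet:
        """A genuine packet from this device, carrying its current characteristic value."""
        return Packet(msg_type, self.address,
                      make_feature(self.random_value, self.algo_index, msg_type, self.address))

    def hardware_check(self, pkt: Packet, now: float) -> bool:
        """Switching-chip stage in front of the CPU (steps S205 to S208)."""
        recovered = recover_random(pkt.feature, self.algo_index, pkt.msg_type, pkt.src)
        if not hmac.compare_digest(recovered, self.random_value):
            self.dropped += 1  # attack packet: never reaches the CPU
            return False
        self.recent_cpu.append(now)
        return True

    def overspeed(self, now: float, window: float, limit: int) -> bool:
        """Detection module (S102): more than `limit` CPU-bound packets in the last `window` seconds."""
        self.recent_cpu = [t for t in self.recent_cpu if now - t <= window]
        return len(self.recent_cpu) > limit


class Ring:
    def __init__(self, addresses):
        self.devices = [RingDevice(a) for a in addresses]

    def rotate(self, first: RingDevice) -> bytes:
        """S103/S104 with the algorithm-code variant: `first` generates a random value and picks
        the next algorithm in the shared order; both travel hop by hop around the ring and come
        back to `first` on its other ring port, which confirms that every device has them."""
        rnd = secrets.token_bytes(TAG_LEN)
        algo = (first.algo_index + 1) % len(ALGORITHM_KEYS)
        start, n = self.devices.index(first), len(self.devices)
        for hop in range(1, n + 1):
            dev = self.devices[(start + hop) % n]  # the last hop is `first` itself
            dev.random_value, dev.algo_index = rnd, algo
        return rnd


def simulate() -> dict:
    """Three-device ring; device c sees a replayed-packet flood and triggers the rotation."""
    ring = Ring(["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"])
    a, b, c = ring.devices
    ring.rotate(a)               # initial shared random value and algorithm
    captured = b.build("HELLO")  # a genuine packet; the flood below replays it verbatim
    out = {"genuine_before": c.hardware_check(captured, now=0.0)}
    for i in range(50):          # 50 copies of the same packet within half a second
        c.hardware_check(captured, now=0.01 * i)
    out["replay_before"] = c.hardware_check(captured, now=0.5)  # still valid: value unchanged
    out["overspeed"] = c.overspeed(now=0.5, window=1.0, limit=20)
    if out["overspeed"]:
        ring.rotate(c)           # c acts as the patent's "first device"
    out["replay_after"] = c.hardware_check(captured, now=1.0)   # stale value: dropped
    out["genuine_after"] = c.hardware_check(b.build("HELLO"), now=1.0)
    out["dropped"] = c.dropped
    return out


if __name__ == "__main__":
    print(simulate())
```

Two points the run makes visible. Before the rotation a replayed copy of a genuine packet passes the hardware check, exactly as the background section says; after the rotation it is dropped while a fresh packet from the same sender passes. The scheme therefore narrows the replay window to the interval between rotations rather than closing it, which is the limit the text itself states ("a certain amount of time"), and the rate threshold must sit above the protocol's legitimate packet rate or genuine traffic will trigger rotations.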

Fig. 2 shows one specific implementation of the process for preventing ring network protocol packets from attacking a device CPU, provided by an embodiment of the invention. The process comprises the following steps:

S201: The CPU of each device in the ring network processes ring network protocol packets.

S202: The first device detects whether the ring network protocol packets it processes are overspeed. If overspeed is detected, proceed to step S203; otherwise, repeat step S202.

S203: Generate a random value used to derive the ring network protocol characteristic value, send it to the other devices in the ring network, write it into the local hardware, and have the other devices write it into their hardware.

S204: Send to the other devices in the ring network a notification to start using the new characteristic value, where the new characteristic value is generated from the random value, the packet type information, the address information of each device, and the encryption algorithm stored in each device.

S205: The hardware of the device in the ring that receives a ring network protocol packet identifies the characteristic value carried in the packet and determines the random value corresponding to the packet from the characteristic value, the address information of the sending device, the packet type information, and the stored encryption algorithm.

S206: Judge whether that random value is the same as the locally stored random value. If it is, proceed to step S207; otherwise, proceed to step S208.

S207: The device hardware forwards the ring network protocol packet to the CPU for processing.

S208: The device hardware identifies the ring network protocol packet as an attack packet and discards it.

In the above embodiment, when the hardware of a device in the ring receives a ring network protocol packet, it can determine, from the characteristic value carried in the packet and the way the characteristic value is generated, the random value that produced it. Comparing that random value with the locally stored random value establishes whether the packet is an attack packet, and the result decides whether the packet is sent to the CPU for processing.

To speed up the identification of attack packets, and to avoid repeating the above computation for every packet from the same sending device that carries the same characteristic value, the embodiment of the invention further includes: after the hardware of the first device has determined that a ring network protocol packet is not an attack packet and the packet has been processed, the hardware stores locally the correspondence between the packet's characteristic value, the address information of the sending device, and the packet type information.

Once the device hardware has determined, by verifying the characteristic value, that a received ring network protocol packet may be processed by the CPU, it stores the correspondence between the packet's characteristic value, the address information of the sending device, and the packet type information. When the hardware subsequently receives another ring network protocol packet to be processed, after identifying the characteristic value carried in that packet, the method further comprises:

the hardware of the first device judging whether the characteristic value is stored locally;

when it is stored locally, judging whether the packet is an attack packet by comparing the stored correspondence between the characteristic value, the sending device's address information and the packet type information with the information carried in the packet to be processed;

when the packet is determined to be an attack packet, discarding it; otherwise, forwarding it to the CPU for processing.

Through this process, the hardware of each device continually builds up its stored correspondence between characteristic values, sending-device addresses and packet types. As this table fills in, the speed at which the device CPU handles ring network protocol packets rises markedly, and so the efficiency with which the whole ring handles ring network protocol packets improves.

Fig. 3 is a schematic diagram of another specific implementation of the method for preventing ring network protocol messages from attacking the device CPU provided by an embodiment of the invention. The process includes the following steps:

S301: The CPU of each device in the ring network processes ring network protocol messages.

S302: The first device detects whether the ring network protocol messages it processes are overspeed; when overspeed is detected, proceed to step S303, otherwise continue with step S302.

S303: Generate a random value for generating the ring network protocol feature value and write it into the hardware; send the random value to the other devices in the ring network so that they also write it into their hardware.

S304: Send notification information for enabling the new feature value to the other devices in the ring network, where the new feature value is generated from the random value, the message type information, the address information of each device and the encryption algorithm stored in each device.

S305: The hardware of a device in the ring network that receives a ring network protocol message identifies the feature value carried in the message and judges whether that feature value is stored locally; if it is, proceed to step S306, otherwise proceed to step S307.

S306: Judge whether the ring network protocol message is an attack message according to the stored correspondence between the feature value, the address information of the sending device and the message type information, together with the information carried in the message to be processed; when it is determined to be an attack message, discard it, otherwise send it to the CPU for processing.

S307: Determine the random value corresponding to the ring network protocol message from the feature value, the address information of the sending device, the message type information and the stored encryption algorithm.

S308: Judge whether this random value is the same as the locally stored random value; if so, proceed to step S309, otherwise proceed to step S310.

S309: Send the ring network protocol message to the CPU for processing, and locally store the correspondence between the message's feature value, the address information of the sending device and the message type information.

S310: The hardware of the device confirms that the ring network protocol message is an attack message and discards it.

Specifically, in the embodiment of the invention, after the hardware of the device identifies the feature value carried in the ring network protocol message and determines that a correspondence between that feature value, sending device address information and message type information is stored locally, it looks up the correspondence entry containing that feature value, checks whether the type of the ring network protocol message is the same as the message type information in that entry, and checks whether the address information of the device that sent the message is the same as the sending device address information in that entry. When both are the same, the message is sent to the CPU for processing; otherwise the message is confirmed to be an attack message and discarded.
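As an added illustration, not code from the patent, the hardware-side check of steps S305 to S310 and the cached fast path of the paragraph above, modelled in Python. The "encryption algorithm stored in each device" is assumed here to be a keyed, reversible masking of the random value, so that the receiver can recover the random value from the feature value, sender address and message type as the text requires; the key, device addresses, message types and random values are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed stand-in for the "encryption algorithm stored in each device".
# Assumption: it is a keyed, reversible transform, so the hardware can derive the
# random value from (feature value, sender address, message type) as in S307.
SHARED_ALGORITHM_KEY = b"constructed-shared-algorithm-key"   # constructed
RANDOM_LEN = 8                                               # assumed random value size


def keystream(address: str, msg_type: str) -> bytes:
    """Per (device address, message type) mask derived from the shared algorithm key."""
    mac = hmac.new(SHARED_ALGORITHM_KEY, f"{address}|{msg_type}".encode(), hashlib.sha256)
    return mac.digest()[:RANDOM_LEN]


def make_feature(random_value: bytes, address: str, msg_type: str) -> bytes:
    """Feature value = random value XOR keystream; reversible by design."""
    return bytes(a ^ b for a, b in zip(random_value, keystream(address, msg_type)))


def recover_random(feature: bytes, address: str, msg_type: str) -> bytes:
    """Inverse of make_feature: the hardware 'determines the random value' (S307)."""
    return make_feature(feature, address, msg_type)   # XOR is its own inverse


@dataclass
class RingPacket:
    src_address: str
    msg_type: str
    feature: bytes


@dataclass
class DeviceHardware:
    address: str
    local_random: bytes = b""
    # Correspondence table: feature value -> (sender address, message type), filled in S309.
    cache: Dict[bytes, Tuple[str, str]] = field(default_factory=dict)

    def write_random(self, random_value: bytes) -> None:
        """Write a new random value into hardware (S303). Assumption: the
        correspondence table is cleared, since entries for the old value are stale."""
        self.local_random = random_value
        self.cache.clear()

    def build_packet(self, msg_type: str) -> RingPacket:
        """A legitimate device stamps its packets with the current feature value."""
        return RingPacket(self.address, msg_type,
                          make_feature(self.local_random, self.address, msg_type))

    def classify(self, pkt: RingPacket) -> str:
        """Return 'cpu' if the packet is handed to the CPU, 'drop' if treated as an attack."""
        cached = self.cache.get(pkt.feature)
        if cached is not None:
            # S306 fast path: no recomputation; sender and type must match the stored tuple.
            return "cpu" if cached == (pkt.src_address, pkt.msg_type) else "drop"
        # S307/S308 slow path: derive the random value and compare with the one in hardware.
        derived = recover_random(pkt.feature, pkt.src_address, pkt.msg_type)
        if hmac.compare_digest(derived, self.local_random):
            self.cache[pkt.feature] = (pkt.src_address, pkt.msg_type)   # S309
            return "cpu"
        return "drop"                                                  # S310


def demo() -> Dict[str, str]:
    """Constructed scenario: a legitimate neighbour, a spoofed sender, a replay after rekey."""
    random_v1 = bytes.fromhex("0102030405060708")   # constructed, stands in for os.urandom
    dev_a, dev_b = DeviceHardware("A"), DeviceHardware("B")
    for dev in (dev_a, dev_b):
        dev.write_random(random_v1)
    legit = dev_b.build_packet("hello")
    first = dev_a.classify(legit)                        # slow path, then cached
    cached = dev_a.classify(legit)                       # fast path
    spoof = RingPacket("C", "hello", legit.feature)      # same feature, wrong sender address
    spoofed = dev_a.classify(spoof)
    # Overspeed detected: a new random value is distributed and written into every device.
    random_v2 = bytes.fromhex("a1a2a3a4a5a6a7a8")       # constructed
    for dev in (dev_a, dev_b):
        dev.write_random(random_v2)
    replay = dev_a.classify(legit)                       # old feature value no longer verifies
    fresh = dev_a.classify(dev_b.build_packet("hello"))  # built with the new random value
    return {"first": first, "cached": cached, "spoof": spoofed, "replay": replay, "fresh": fresh}
```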

The embodiment of the invention is described in detail below with a specific example.

Fig. 4 is a schematic diagram of the networking structure of the devices in a ring network provided by an embodiment of the invention. The ring network includes device A, device B, device C and device D, connected as shown in Fig. 4. After each device starts, it begins detecting whether the ring network protocol messages it processes are overspeed. When device A detects that the ring network protocol messages it processes are overspeed, device A selects its first ring port and sends message overspeed information to device B, which is connected to it; the message overspeed information carries the random value used for generating the feature value. To ensure that the random value reaches every device in the ring network, device A starts a first timer.

When device B receives the message overspeed information sent by device A through one ring port, it extracts the random value carried in it and forwards the message overspeed information to device C, which is connected to its other ring port. Likewise, when device C receives the message overspeed information it performs the same operation as device B; device D, on receiving the message overspeed information sent by device C, performs the same operation and, after extracting the random value, sends the message overspeed information on to device A.

After device A receives this message overspeed information, it judges whether it is still within the duration of the first timer. If so, device A stops the first timer; otherwise device A resends the message overspeed information through the first ring port, carrying a random value, and restarts the first timer. The random value carried in the resent message overspeed information may be the same as or different from the one carried the previous time. Device A repeats this until it receives the message overspeed information returned by device D within the duration of the first timer.

When device A receives the message overspeed information returned by device D within the duration of the first timer, it sends notification information for enabling the new feature value to the other devices through its ring ports; device A may send this notification through any one ring port or through every ring port at the same time, and to ensure that every device receives it, device A starts a second timer after sending the notification. Device A generates the new feature value of the ring network protocol from the random value, each message type, its own IP address or MAC address and the stored encryption algorithm, and writes the feature value into the hardware; at this point device A can receive ring network protocol messages carrying either the old or the new feature value.

Device B receives the notification information for enabling the new feature value sent by device A; since device A is the device that previously sent the random value, device B can carry out the subsequent feature value calculation, and it forwards the notification to device C. Device B generates the new feature value from the previously received random value, each message type, its own IP address or MAC address and the stored encryption algorithm.

Device C performs the same process as device B and forwards the notification for enabling the new feature value to device D; device D performs the same operations as devices B and C and forwards the notification to device A.

Device A judges whether it receives this notification for enabling the new feature value within the duration of the second timer. If it does, it stops the second timer; if it does not, it resends the notification for enabling the new feature value and restarts the second timer, until every device in the ring network has received the notification.

Once every device in the ring network has received the notification for enabling the new feature value, each device writes the previously received random value into its hardware. Device A sends ring network protocol feature value switchover completion information to every device in the ring network, starts a third timer, and changes the feature value of the ring network protocol messages it sends to the new feature value computed from the random value.

Device B receives the ring network protocol feature value switchover completion information sent by device A, forwards it to device C, and, using the feature value it previously determined from the random value, changes the feature value of the ring network protocol messages it sends to that new feature value.

Devices C and D perform the same operations as device B, and device D sends the ring network protocol feature value switchover completion information on to device A. Device A judges whether it receives the returned switchover completion information within the duration of the third timer; if so, it stops the third timer, otherwise it resends the switchover completion information and restarts the third timer, until every device in the ring network has received the switchover completion information, whereupon the new feature value is enabled.

After every device in the ring network has enabled the new feature value, when the hardware of a device receives a ring network protocol message that must be reported to the CPU for processing, it identifies the feature value carried in the message, determines the random value corresponding to the message from its stored encryption algorithm, the IP address information of the sending device and the message type information, and judges whether the determined random value is the same as the locally stored random value. If it is, the message is sent to the CPU for processing; otherwise the message is confirmed to be an attack message and discarded.

Fig. 5 shows the detailed implementation, based on Fig. 4, of the method for preventing ring network protocol messages from attacking the device CPU provided by an embodiment of the invention. The process includes the following steps:

S501: After each device starts, it begins detecting whether the ring network protocol messages it processes are overspeed.

S502: When device A detects that the ring network protocol messages it processes are overspeed, device A selects its first ring port and sends message overspeed information to device B, which is connected to it; the message overspeed information carries the random value used for generating the feature value, and device A starts the first timer.

S503: Device A judges whether it receives the message overspeed information returned by device D within the duration of the first timer; if so, it stops the first timer and proceeds to step S504, otherwise it returns to step S502.

S504: Device A sends notification information for enabling the new feature value to device B and starts the second timer.

Device A generates the new feature value of the ring network protocol from the random value, each message type, its own IP address or MAC address and the stored encryption algorithm, and writes the feature value into the hardware.

S505: Device A judges whether it receives the notification for enabling the new feature value returned by device D within the duration of the second timer; if so, it stops the second timer and proceeds to step S506, otherwise it returns to step S504.

S506: Device A sends ring network protocol feature value switchover completion information to every device in the ring network and starts the third timer, so that each device writes the random value into its hardware. Device A changes the feature value of the ring network protocol messages it sends to the new feature value computed from the random value.

S507: Device A judges whether it receives the returned ring network protocol feature value switchover completion information within the duration of the third timer; if so, it stops the third timer and proceeds to step S508, otherwise it returns to step S506.

S508: The hardware of device A identifies the feature value carried in a ring network protocol message that is to be reported to the CPU for processing, and determines the random value corresponding to the message from the feature value, the address information of the sending device, the message type information and the stored encryption algorithm.

S509: Judge whether this random value is the same as the locally stored random value; if so, proceed to step S510, otherwise proceed to step S511.

S510: The hardware sends the ring network protocol message to the CPU for processing.

S511: The hardware confirms that the ring network protocol message is an attack message and discards it.

Because in the embodiment of the invention the ring network protocol feature value in every device of the ring network begins to be updated as soon as the ring network protocol messages processed by the CPU are detected to be overspeed, attack messages can be filtered out in time, and attacks by ring network protocol messages on the device CPU are prevented.
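The three-phase switchover of Figs. 4 and 5 (message overspeed information guarded by the first timer, the enable notification by the second, the switchover completion information by the third), simulated as an added example that is not part of the patent. Timer expiry is modelled by a constructed set of lost hops: a message lost on any hop never returns to device A within its timer, so A resends; the message names, ring order and the idempotent per-device handlers are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# The three messages device A circulates around the ring (names are assumed, not the patent's).
OVERSPEED, ENABLE_NEW, SWITCH_END = "overspeed_info", "enable_new_feature", "switch_end"


@dataclass
class RingDevice:
    name: str
    random_source: Optional[str] = None   # which device distributed the random value
    pending_random: Optional[int] = None  # random value extracted from the overspeed info
    hw_random: Optional[int] = None       # random value written into the hardware (S506)
    new_feature_ready: bool = False       # new feature value computed; old and new accepted
    tx_feature: str = "old"              # feature value version stamped on sent packets

    def handle(self, kind: str, payload: int, origin: str) -> None:
        """Per-device reaction to a circulated message; idempotent so a resend is harmless."""
        if kind == OVERSPEED:
            self.random_source, self.pending_random = origin, payload
        elif kind == ENABLE_NEW and self.random_source == origin:
            # Only the device that sent the random value may trigger the computation.
            self.new_feature_ready = True   # feature = f(random, type, own address, algorithm)
        elif kind == SWITCH_END and self.new_feature_ready:
            self.hw_random, self.tx_feature = self.pending_random, "new"


class Ring:
    def __init__(self, names: List[str], lost_hops: Set[Tuple[str, int, int]]):
        self.order = list(names)                     # ring order, e.g. A -> B -> C -> D -> A
        self.devices = {n: RingDevice(n) for n in names}
        self.lost_hops = lost_hops                   # (message kind, attempt, hop index) lost
        self.attempts: Dict[str, int] = {}

    def circulate(self, kind: str, payload: int, max_attempts: int = 5) -> int:
        """Originator sends around the ring; a lost hop means its timer expires and it resends.
        Returns the number of attempts needed for the message to come back in time."""
        origin = self.order[0]
        self.devices[origin].handle(kind, payload, origin)
        for attempt in range(1, max_attempts + 1):
            returned = True                          # timer started at the originator
            for hop, _sender in enumerate(self.order):
                receiver = self.order[(hop + 1) % len(self.order)]
                if (kind, attempt, hop) in self.lost_hops:
                    returned = False                 # never comes back: timer expires
                    break
                if receiver == origin:
                    break                            # completed the ring: stop the timer
                self.devices[receiver].handle(kind, payload, origin)
            if returned:
                self.attempts[kind] = attempt
                return attempt
        raise RuntimeError(f"{kind} never completed the ring in {max_attempts} attempts")


def rekey(ring: Ring, random_value: int) -> Dict[str, int]:
    """Run the switchover of S502 to S507 and return the attempts each phase needed."""
    ring.circulate(OVERSPEED, random_value)    # phase 1: distribute random value, first timer
    ring.circulate(ENABLE_NEW, random_value)   # phase 2: compute new feature values, second timer
    ring.circulate(SWITCH_END, random_value)   # phase 3: write to hardware and switch, third timer
    return dict(ring.attempts)


def all_switched(ring: Ring, random_value: int) -> bool:
    """True when every device holds the new random value and sends the new feature value."""
    return all(d.hw_random == random_value and d.tx_feature == "new"
               for d in ring.devices.values())


def demo() -> Dict[str, int]:
    # Constructed loss pattern: the first overspeed message is lost on hop C->D (hop 2),
    # the first two switchover completion messages are lost on hop A->B (hop 0).
    lost = {(OVERSPEED, 1, 2), (SWITCH_END, 1, 0), (SWITCH_END, 2, 0)}
    ring = Ring(["A", "B", "C", "D"], lost)
    attempts = rekey(ring, 0x5EED)             # constructed random value
    assert all_switched(ring, 0x5EED)
    return attempts
```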

Fig. 6 is a schematic structural diagram of an apparatus for preventing ring network protocol messages from attacking the device CPU provided by an embodiment of the invention. The apparatus includes:

a detection module 61, for detecting whether the ring network protocol messages processed by the device itself are overspeed;

a first sending module 62, for generating, when overspeed is detected, a random value for generating the ring network protocol feature value and sending the random value to the other devices in the ring network;

a second sending module 63, for sending notification information for enabling the new feature value to the other devices in the ring network, so that the hardware of each device in the ring network checks ring network protocol messages against the newly generated feature value, where the new feature value is generated from the random value, the message type information, the address information of each device and the encryption algorithm stored in each device.

The apparatus further includes:

an identification module 64, for identifying, after a ring network protocol message to be processed is received, the feature value carried in the message;

a determination module 65, for determining the random value corresponding to the ring network protocol message from the feature value, the address information of the sending device, the message type information and the stored encryption algorithm, where the random value is written into the hardware;

a judgment processing module 66, for judging whether this random value is the same as the locally stored random value; when it is, sending the ring network protocol message to the CPU for processing, otherwise discarding the message.

Specifically, the identification module 64, the determination module 65 and the judgment processing module 66 may be located inside the hardware of the ring network device.

The apparatus includes:

a storage module 67, for locally storing the correspondence between the feature value of the ring network protocol message, the address information of the sending device and the message type information.

The judgment processing module 66 is further used to judge whether the feature value is stored locally; when it is, to judge whether the ring network protocol message is an attack message according to the stored correspondence between that feature value, the address information of the sending device and the message type information, together with the information carried in the message to be processed; and, when the message is determined to be an attack message, to discard it, otherwise to send it to the CPU for processing.

The first sending module 62 is further used to send notification information for updating the encryption algorithm to the other devices in the ring network, so that every device in the ring network updates to the same new encryption algorithm.

Embodiments of the invention provide a method and apparatus for preventing ring network protocol messages from attacking the device CPU. The method includes: when a device in the ring network detects that the number of ring network protocol messages it processes is overspeed, it generates a random value for generating the ring network protocol feature value and sends that random value to every device in the ring network, so that the hardware of each device, after receiving the notification for enabling the new feature value sent by that device, checks received ring network protocol messages using the newly generated feature value and sends a message to the CPU for processing only when it is found not to be an attack message. Because the ring network protocol feature value in every device begins to be updated as soon as the device detects that the ring network protocol messages it processes are overspeed, attack messages can be filtered out in time, and this hardware-based judgment effectively prevents attacks by ring network protocol messages on the device CPU.

Those skilled in the art will appreciate that the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.

The present application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

Although preferred embodiments of the present application have been described, those skilled in the art can make further changes and modifications to these embodiments once they learn the basic inventive concept. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present application.

Obviously, those skilled in the art can make various changes and variations to the present application without departing from its spirit and scope. Thus, if these changes and variations of the present application fall within the scope of the claims of the present application and their technical equivalents, the present application is also intended to include them.

Claims (10)

Priority Applications (1)

Application number: CN201310642307.7A; priority date: 2013-12-03; filing date: 2013-12-03; title: Prevent the method and device of looped network protocol message from attacking device CPU; status: Active; granted publication: CN103618723B (en)

Publications (2)

CN103618723A (en), published 2014-03-05
CN103618723B (en), published 2016-08-31

Family ID: 50169427

Country status: CN (1), CN103618723B (en)

Cited By (3)

* Cited by examiner, † Cited by third party

WO2015081499A1 *: priority 2013-12-03, published 2015-06-11, 北京东土科技股份有限公司 (Kyland Technology Co Ltd): Method and device for preventing ring network protocol messages from attacking CPU of device
WO2017148093A1 *: priority 2016-03-03, published 2017-09-08, 中兴通讯股份有限公司 (ZTE Corporation): Node device and ring network switching method
CN110545291A *: priority 2019-09-29, published 2019-12-06, 东软集团股份有限公司 (Neusoft Corporation): Defense method for attack message, multi-core forwarding system and related products

Citations (4)

* Cited by examiner, † Cited by third party

US20040215976A1 *: priority 2003-04-22, published 2004-10-28, Jain Hemant Kumar: Method and apparatus for rate based denial of service attack detection and prevention
CN101030912A *: priority 2007-04-06, published 2007-09-05, 华为技术有限公司 (Huawei Technologies Co., Ltd.): Fast ring network method against attack based on RRPP, apparatus and system
CN101562614A *: priority 2009-05-26, published 2009-10-21, 北京星网锐捷网络技术有限公司 (Beijing Star-Net Ruijie Networks Co., Ltd.): Method, system and exchange equipment for preventing attacks in Ethernet ring network
CN102447711A *: priority 2012-01-18, published 2012-05-09, 中兴通讯股份有限公司 (ZTE Corporation): Method and device for sending protocol messages

Also Published As

Publication number | Publication date
CN103618723B (en) | 2016-08-31

Similar Documents

Publication | Publication Date | Title
US10122740B1 (en) | | Methods for establishing anomaly detection configurations and identifying anomalous network traffic and devices thereof
CN103997465B (en) | | A kind of generation CNM method and apparatus
WO2016095626A1 (en) | | Process monitoring method and device
CN103179039B (en) | | A kind of method of effective filtration proper network packet
RU2017105879A | | Intelligent data analysis algorithms adapted for a trusted executive environment
CN103561048A (en) | | Method for determining TCP port scanning and device thereof
JP2013226037A5 (en) | |
CN103997427A (en) | | Communication network detection and anti-attack protection method and device, communication equipment and communication system
CN108574668B (en) | | A DDoS attack traffic peak prediction method based on machine learning
CN103618723B (en) | | Prevent the method and device of looped network protocol message from attacking device CPU
US20200314130A1 (en) | | Attack detection device, attack detection method, and computer readable medium
WO2020107446A1 (en) | | Method and apparatus for obtaining attacker information, device, and storage medium
WO2020082853A1 (en) | | Method and apparatus for monitoring network security, air conditioner and household appliance
WO2017114200A1 (en) | | Method and device for packet cleaning
CN103227753B (en) | | A kind of network congestion processing method, system and device
CN105591832B (en) | | Application layer slow attack detection method and related device
CN104702530B (en) | | The sending method and device of Goose messages in a kind of looped network
WO2016070568A1 (en) | | Message sending method and apparatus
US8885486B2 (en) | | Detecting and mitigating data plane bridging loops
CN104750683A (en) | | Character string matching method and device
CN112543177B (en) | | A network attack detection method and device
CN102457415A (en) | | IPS detection processing method, network security equipment and system
CN111049780A (en) | | Network attack detection method, device, equipment and storage medium
CN104079558B (en) | | A kind of method and fire wall for preventing DoS attack
CN106357688A (en) | | Method and device for defending Internet Control Message Protocol (ICMP) flood attack

Legal Events

Date | Code | Title | Description
 | PB01 | Publication |
 | PB01 | Publication |
 | C10 | Entry into substantive examination |
 | SE01 | Entry into force of request for substantive examination |
 | C14 | Grant of patent or utility model |
 | GR01 | Patent grant |
