CN115580437B - Flow monitoring method and out-of-band controller - Google Patents
- Publication number: CN115580437B (application CN202211127342.0A)
- Authority: CN (China)
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
Abstract
The embodiment of the application discloses a flow monitoring method and an out-of-band controller, wherein the method is applied to the out-of-band controller of computing equipment and comprises the steps of respectively acquiring unicast messages, multicast messages and broadcast messages in a first period, wherein the unicast messages, the multicast messages and the broadcast messages are received through a management network port of the computing equipment; discarding the abnormal unicast message under the condition of determining that the abnormal unicast message exists in the unicast message, or reporting the management network port flow abnormality under the condition of determining that the abnormal multicast message and/or broadcast message exists in the multicast message and the broadcast message. The embodiment of the application can monitor the message flow of the management network port, and can discover the malicious network attack aiming at the management network port in advance, thereby carrying out isolation processing in advance or reporting the problem in time, and further avoiding the unavailable BMC management function or abnormal BMC management function.
Description
Technical Field
The present application relates to the field of computer technologies, and in particular, to a flow monitoring method and an out-of-band controller.
Background
A server generally includes a baseboard management controller (BMC) management network port that is primarily used to communicate with upper-layer management software. The BMC management software can be presented as a web program or a desktop application (APP), and provides various monitoring and management functions so that the relevant personnel can conveniently learn the running state of the server, remotely control the server, and so on.
Because the bandwidth of the BMC management network port is limited, in an actual usage scenario, if the BMC network port is subjected to a malicious network attack (such as broadcast flooding and multicast flooding attack), a serious packet loss phenomenon may occur in the BMC management network port, and thus a user may not log in the BMC management system or use related management functions (such as server reset, power-on and power-off, etc.) provided by the BMC.
Currently, such problems are handled only after they occur (i.e. when the user finds that the BMC management system cannot be logged in to, or that the related management functions provided by the BMC cannot be used): the possible causes are analyzed and corresponding adjustments are made, yet the user may need those management functions during that time. How to discover or resolve a malicious network attack on the BMC management port in advance is therefore a concern for technicians.
Disclosure of Invention
The embodiment of the application discloses a flow monitoring method and an out-of-band controller, which can discover malicious network attacks aiming at a BMC management network port in advance, so that the problems of isolation treatment or timely reporting can be carried out in advance, and further the problem that the BMC management function is unavailable or the BMC management function is abnormal can be avoided.
The first aspect discloses a traffic monitoring method, which may be applied to an out-of-band controller (such as a BMC) of a computing device (such as a server), to a module (e.g., a chip) in the out-of-band controller, or to a logic module or software capable of implementing all or part of the functions of the out-of-band controller; it is described below taking application to a BMC as an example. The traffic monitoring method comprises the steps of obtaining a unicast message, a multicast message and a broadcast message in a first period, wherein the unicast message, the multicast message and the broadcast message are received through a management network port of the computing device; discarding the abnormal unicast message in the case that an abnormal unicast message is determined to exist in the unicast message; or reporting abnormal traffic of the management network port in the case that an abnormal multicast message and/or broadcast message is determined to exist in the multicast message and the broadcast message.
In the embodiment of the application, the BMC can monitor the message flow of the management network port and can discover the malicious network attack aiming at the BMC management network port in advance. Specifically, the BMC may analyze the unicast message, the multicast message and the broadcast message received in the first period, if the traffic of the unicast message is abnormal (i.e., all the unicast messages in the first period have abnormal unicast messages), perform isolation processing in advance, discard the abnormal unicast message, and if the traffic of the multicast and/or broadcast message is abnormal (i.e., all the multicast messages and broadcast messages in the first period have abnormal multicast messages and/or broadcast messages), report and manage the traffic abnormality of the network port in time, and notify relevant personnel to perform investigation, so that the problem that the BMC management function is unavailable or the BMC management function is abnormal can be avoided.
As a possible implementation manner, the method may further include determining that an abnormal unicast message exists in the unicast message if it is determined that the destination media access control (MAC) address of a unicast message is not the MAC address of the out-of-band controller.
In the embodiment of the application, the BMC can determine the unicast message of which the target MAC address is not the MAC address of the out-of-band controller in the unicast message as the abnormal unicast message, so that the abnormal unicast message can be accurately isolated, and the problem that the BMC management function is unavailable or the BMC management function is abnormal can be avoided.
As a possible implementation manner, before the determining that the destination MAC address in the unicast packet is not the MAC address of the out-of-band controller, the method may further include determining that a difference between the data amount of the unicast packet in the first period and the second standard data amount is greater than a fourth threshold.
In the embodiment of the application, the BMC can firstly determine whether the difference value between the data volume of the unicast message in the first period and the second standard data volume is larger than the fourth threshold value, and if so, determine whether the unicast message has the unicast message with the destination MAC address which is not the MAC address of the out-of-band controller, thus saving the processing resources of the BMC.
As a possible implementation manner, the method may further include updating the second standard data amount to the data amount of the unicast message in the first period in the case that it is determined that no abnormal unicast message exists in the unicast message.
In the embodiment of the application, the BMC can update the second standard data volume to the data volume of the unicast message in the first period under the condition that the difference value between the data volume of the unicast message in the first period and the second standard data volume is larger than the fourth threshold value and the unicast message in the first period does not have abnormality, so that the second standard data volume can be more accurate, and the processing resources of the BMC can be saved.
As a possible implementation manner, the method may further include determining that an abnormal multicast message and/or broadcast message exists in the multicast message and the broadcast message if it is determined that the difference between the maximum bandwidth and the bandwidth threshold in the first period is greater than a sixth threshold.
In the embodiment of the application, when the difference between the maximum bandwidth in the first period and the bandwidth threshold is greater than the sixth threshold, the BMC cannot process all messages in time and packet loss occurs on the BMC management network port, so the multicast message and/or the broadcast message can be considered abnormal; the management network port traffic abnormality can then be reported in time to notify the relevant personnel for investigation, thereby avoiding the problem that the BMC management function is unavailable or abnormal.
As one possible implementation, before the determining that the difference between the maximum bandwidth and the bandwidth threshold in the first period is greater than the sixth threshold, the method may further include determining that the difference between the total amount of data and the third standard amount of data in the first period for the multicast message and the broadcast message is greater than the fifth threshold.
In the embodiment of the application, the BMC can firstly determine whether the difference value between the total data quantity of the multicast message and the broadcast message in the first period and the third standard data quantity is larger than the fifth threshold value, and determine whether the difference value between the maximum bandwidth in the first period and the bandwidth threshold value is larger than the sixth threshold value under the condition that the difference value is larger than the fifth threshold value, so that the processing resources of the BMC can be saved, and whether the abnormal multicast message and/or the abnormal broadcast message exist in the first period can be more accurately judged.
As a possible implementation manner, the method may further include updating the third standard data amount to a total data amount of the multicast message and the broadcast message in the first period in case it is determined that there is no abnormal multicast message and broadcast message in the multicast message and the broadcast message.
In the embodiment of the application, the BMC can update the third standard data volume into the total data volume of the multicast message and the broadcast message under the condition that the difference value between the total data volume of the multicast message and the broadcast message in the first period and the third standard data volume is larger than the fifth threshold value and no abnormal multicast message and broadcast message exists in the multicast message and the broadcast message in the first period, so that the more accurate third standard data volume can be obtained, and the processing resource of the BMC can be saved.
As a possible implementation manner, before the determining that the abnormal unicast message exists in the unicast message or before the determining that the abnormal multicast message and/or broadcast message exists in the multicast message, the method may further include determining that a difference between a total data amount of the unicast message, the multicast message and the broadcast message in the first period and a first standard data amount is greater than a first threshold.
In the embodiment of the application, the BMC can determine whether the difference value between the total data quantity of the unicast message, the multicast message and the broadcast message in the first period and the first standard data quantity is larger than the first threshold value, and determine whether the unicast message in the first period has abnormal unicast message and determine whether the multicast message and the broadcast message in the first period have abnormal multicast message and/or broadcast message under the condition that the difference value is larger than the first threshold value, so that the processing resource of the BMC can be saved.
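The staged checks described above, from the first threshold down to the destination-MAC test for unicast and the peak-bandwidth test for multicast/broadcast, as an added example written for this page rather than code from the patent. It assumes constructed thresholds, standard data amounts, frames and BMC MAC address, and it assumes that the maximum bandwidth of a period is the busiest 100 ms slot taken over all frames in that period (the description does not fix how the maximum is measured):

```python
# Added example (not code from the patent): a per-period check of the BMC
# management-port traffic that follows the decision sequence described above.
# Thresholds, standard data amounts, the BMC MAC and all frames are constructed.
from dataclasses import dataclass
from collections import defaultdict

BMC_MAC = bytes.fromhex("020000aabbcc")   # constructed locally administered MAC
BROADCAST_MAC = b"\xff" * 6
SLOTS_PER_SECOND = 10                     # assumption: peak bandwidth measured over 100 ms slots


@dataclass
class Frame:
    dst: bytes      # 6-byte destination MAC address
    length: int     # frame length in bytes
    t: float        # arrival time within the period, in seconds


def frame_kind(dst: bytes) -> str:
    """Classify a frame by its destination MAC: all-ones is broadcast, a set
    I/G bit (least significant bit of the first octet) is multicast, the
    rest is unicast."""
    if dst == BROADCAST_MAC:
        return "broadcast"
    if dst[0] & 0x01:
        return "multicast"
    return "unicast"


@dataclass
class Thresholds:
    first: int    # total data amount minus first standard data amount (bytes)
    fourth: int   # unicast data amount minus second standard data amount (bytes)
    fifth: int    # multicast+broadcast data amount minus third standard data amount (bytes)
    sixth: int    # maximum bandwidth minus bandwidth threshold (bit/s)


@dataclass
class State:
    std_total: int            # first standard data amount, bytes per period
    std_unicast: int          # second standard data amount
    std_mb: int               # third standard data amount
    bandwidth_threshold: int  # bit/s, as derived by the bandwidth-array procedure


def max_bandwidth(frames) -> int:
    """Maximum bandwidth in the period, in bit/s, taken as the busiest slot."""
    per_slot = defaultdict(int)
    for f in frames:
        per_slot[int(f.t * SLOTS_PER_SECOND)] += f.length
    return max(per_slot.values(), default=0) * 8 * SLOTS_PER_SECOND


def check_period(frames, thr: Thresholds, st: State) -> dict:
    """Apply the staged checks to one period. Returns the unicast frames to
    discard and whether a management-port traffic anomaly must be reported;
    the baselines in `st` are updated in place when a stage finds no anomaly."""
    by_kind = defaultdict(list)
    for f in frames:
        by_kind[frame_kind(f.dst)].append(f)
    unicast = sum(f.length for f in by_kind["unicast"])
    mb = sum(f.length for f in by_kind["multicast"] + by_kind["broadcast"])
    result = {"total": unicast + mb, "drop": [], "report": False}

    # First threshold: skip the finer checks unless the whole period is above baseline.
    if (unicast + mb) - st.std_total <= thr.first:
        return result

    # Unicast branch: fourth threshold, then the destination-MAC check.
    if unicast - st.std_unicast > thr.fourth:
        foreign = [f for f in by_kind["unicast"] if f.dst != BMC_MAC]
        if foreign:
            result["drop"] = foreign      # isolate: discard the abnormal unicast frames
        else:
            st.std_unicast = unicast      # legitimate growth: adopt as the new baseline

    # Multicast/broadcast branch: fifth threshold, then the peak-bandwidth check.
    if mb - st.std_mb > thr.fifth:
        if max_bandwidth(frames) - st.bandwidth_threshold > thr.sixth:
            result["report"] = True       # likely flooding: report for investigation
        else:
            st.std_mb = mb
    return result


def build_frames(n_to_bmc, n_to_other, n_broadcast, broadcast_len=100, broadcast_t=0.05):
    """Constructed sample period: 1000-byte unicast frames spread over the
    period plus broadcast frames bunched at one instant."""
    other = bytes.fromhex("020000ddeeff")    # constructed MAC that is not the BMC's
    frames = [Frame(BMC_MAC, 1000, (i % 10) / 10) for i in range(n_to_bmc)]
    frames += [Frame(other, 1000, (i % 10) / 10) for i in range(n_to_other)]
    frames += [Frame(BROADCAST_MAC, broadcast_len, broadcast_t) for _ in range(n_broadcast)]
    return frames


def fresh_state() -> State:
    return State(std_total=20_000, std_unicast=10_000, std_mb=10_000,
                 bandwidth_threshold=1_000_000)


THRESHOLDS = Thresholds(first=5_000, fourth=5_000, fifth=5_000, sixth=200_000)

if __name__ == "__main__":
    st = fresh_state()
    flood = check_period(build_frames(10, 20, 5), THRESHOLDS, st)
    print(len(flood["drop"]), "unicast frames to discard")
    storm = check_period(build_frames(10, 0, 200, broadcast_len=1000), THRESHOLDS, st)
    print("report management-port anomaly:", storm["report"])
```

The three gates are ordered so that the cheap total-volume comparison runs every period while the per-frame MAC comparison and the slot-by-slot peak computation run only when a period is already suspicious; a unicast frame addressed to another MAC is dropped rather than reported, while a multicast/broadcast burst cannot be isolated by the BMC alone and is therefore reported.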
As a possible implementation manner, the method may further include: obtaining the maximum bandwidth in each of a plurality of first periods; when the difference between the maximum bandwidth in a first period and the first standard bandwidth is greater than a second threshold and packet loss occurs on the management network port in that first period, adding the maximum bandwidth of that first period to a bandwidth array, so as to obtain a first bandwidth array; removing the second bandwidth values from the first bandwidth array to obtain a second bandwidth array, wherein a second bandwidth value is one whose difference from the maximum bandwidth value in the first bandwidth array is greater than a third threshold; and determining a first duty ratio of the minimum bandwidth value in the second bandwidth array as the bandwidth threshold, the first duty ratio being greater than 0 and smaller than 1.
In the embodiment of the application, the BMC can store the maximum bandwidth value of each period in which packet loss occurred into the bandwidth array, remove the bandwidth values (namely the second bandwidth values) for which the packet loss was not caused by excessive message traffic, and then determine the first duty ratio of the minimum of the remaining bandwidth values in the array as the bandwidth threshold. A more accurate bandwidth threshold is thus obtained, and the management network port traffic abnormality can be reported in time before the management network port traffic reaches the bandwidth threshold, thereby avoiding the problem that the BMC management function is unavailable or abnormal.
As a possible implementation manner, the method may further include updating the first standard bandwidth to the maximum bandwidth in the first period when the difference between the maximum bandwidth in the first period and the first standard bandwidth is greater than the second threshold and no packet loss occurs in the management portal in the first period.
In the embodiment of the application, the BMC can update the first standard bandwidth to the maximum bandwidth in the first period under the condition that the difference between the maximum bandwidth in the first period and the first standard bandwidth is larger than the second threshold and the packet loss does not occur in the management network port in the first period, so that the more accurate first standard bandwidth can be obtained, and the processing resource of the BMC can be saved.
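The bandwidth-array procedure above (second and third thresholds, first duty ratio, and the update of the first standard bandwidth for lossless periods), as an added example written for this page and not the patent's own code. All bandwidth values, thresholds and the duty ratio are constructed, and the per-period inputs (peak bandwidth, whether the port lost packets) are assumed to be supplied by the port statistics:

```python
# Added example (not code from the patent): deriving the management-port
# bandwidth threshold from the maximum bandwidth seen in a run of periods.
# All bandwidth values and thresholds are constructed.
from dataclasses import dataclass


@dataclass
class PeriodSample:
    max_bandwidth: int   # peak bandwidth observed in this period, bit/s
    packet_loss: bool    # whether the management port lost packets in this period


def bandwidth_threshold(samples, std_bandwidth, second_thr, third_thr, duty_ratio):
    """Returns (bandwidth threshold or None, updated first standard bandwidth,
    first bandwidth array, second bandwidth array).

    A period whose peak exceeds the standard bandwidth by more than second_thr
    contributes to the first bandwidth array if the port lost packets; if it
    did not, the port has shown it can carry that peak, so the standard
    bandwidth is raised to it instead. Values whose gap to the array maximum
    exceeds third_thr are the 'second bandwidth values': their loss is not
    explained by traffic volume, so they are removed. The threshold is
    duty_ratio times the smallest remaining value, so reporting triggers
    before traffic reaches the lowest peak that actually caused loss."""
    if not 0 < duty_ratio < 1:
        raise ValueError("first duty ratio must lie strictly between 0 and 1")
    first_array = []
    for s in samples:
        if s.max_bandwidth - std_bandwidth <= second_thr:
            continue                                 # not a high-bandwidth period
        if s.packet_loss:
            first_array.append(s.max_bandwidth)      # loss under high load: a candidate
        else:
            std_bandwidth = s.max_bandwidth          # high load without loss: raise baseline
    if not first_array:
        return None, std_bandwidth, [], []
    top = max(first_array)
    second_array = [b for b in first_array if top - b <= third_thr]
    return duty_ratio * min(second_array), std_bandwidth, first_array, second_array


def demo():
    # Constructed history: 2 Mbit/s baseline, 1 Mbit/s second threshold,
    # 3 Mbit/s third threshold, duty ratio 0.8.
    samples = [
        PeriodSample(2_500_000, False),   # near baseline, ignored
        PeriodSample(4_000_000, False),   # high but lossless: baseline becomes 4 Mbit/s
        PeriodSample(9_000_000, True),
        PeriodSample(4_500_000, True),    # loss, only 0.5 Mbit/s over baseline: ignored
        PeriodSample(12_000_000, True),
        PeriodSample(5_500_000, True),    # loss, 6.5 Mbit/s below array maximum: removed
        PeriodSample(10_000_000, True),
    ]
    return bandwidth_threshold(samples, 2_000_000, 1_000_000, 3_000_000, 0.8)


if __name__ == "__main__":
    threshold, std, first, second = demo()
    print(f"first standard bandwidth now {std} bit/s")
    print(f"first array {first}, second array {second}")
    print(f"bandwidth threshold {threshold:.0f} bit/s")
```

With the constructed history the threshold lands at 80 % of 9 Mbit/s, the lowest peak that coincided with loss and was not an outlier; the 5.5 Mbit/s period is excluded because its loss is far below the other loss periods and so is attributed to another cause.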
A second aspect discloses an out-of-band controller comprising a processor, a memory and a communication interface for receiving information from and outputting information to other electronic devices than the out-of-band controller, the processor invoking a computer program stored in the memory to implement a method as claimed in any of claims 1-10.
A third aspect discloses a computing device (e.g., a server) comprising an out-of-band controller as disclosed in the second aspect above.
A fourth aspect discloses a computer readable storage medium having stored thereon a computer program or computer instructions which, when run, implement the flow monitoring method as disclosed in the above aspects.
A fifth aspect discloses a chip comprising a processor for executing a program stored in a memory, which when executed causes the chip to perform the flow monitoring method disclosed in the above aspects.
As a possible implementation, the memory is located off-chip.
A sixth aspect discloses a computer program product comprising computer program code which, when run, causes the flow monitoring method disclosed in the above aspects to be performed.
It will be appreciated that the out-of-band controller provided by the second aspect, the computing device provided by the third aspect, the computer readable storage medium provided by the fourth aspect, the chip provided by the fifth aspect and the computer program product provided by the sixth aspect described above are all configured to perform the traffic monitoring method provided by the first aspect of the present application and any one of the possible implementations of the first aspect. Therefore, the advantages achieved by the method can be referred to as the advantages of the corresponding method, and will not be described herein.
Drawings
The drawings in the following description will be presented to more clearly illustrate the technical solution of the embodiments of the present application, and it is apparent that the drawings in the following description are only some embodiments of the present application, and other drawings can be obtained according to the drawings without inventive effort for those skilled in the art.
FIG. 1 is a schematic diagram of a system architecture according to an embodiment of the present application;
FIG. 2 is a schematic diagram of another system architecture disclosed in an embodiment of the present application;
FIG. 3 is a schematic flow diagram of a solution disclosed by an embodiment of the present application;
FIG. 4 is a schematic flow chart of determining a bandwidth threshold according to an embodiment of the present application;
FIG. 5 is a flow chart of a flow monitoring method according to an embodiment of the present application.
Detailed Description
The embodiment of the application discloses a flow monitoring method and an out-of-band controller, which can discover malicious network attacks aiming at a BMC management network port in advance, so that the problems of isolation treatment or timely reporting can be carried out in advance, and further the problem that the BMC management function is unavailable or the BMC management function is abnormal can be avoided. The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application.
For a better understanding of the embodiments of the present application, a system architecture used in the embodiments of the present application is described below.
Referring to fig. 1, fig. 1 is a schematic diagram of a system architecture according to an embodiment of the present application. As shown in fig. 1, the system architecture may be that of a server 100, and the server 100 may include an out-of-band controller 101. The server 100 may also include a processor 102, memory 103, and the like. The server 100 is an electronic device having data processing capabilities, data transceiving capabilities and data storage capabilities. The server 100 may be a file server, a database server, a mail server, a Web server, a multimedia server, a communication server, a terminal server, an infrastructure server, and the like. In some embodiments, the server may be a tower, rack, blade, etc. The server 100 is not limited to an X86 architecture, a reduced instruction set computer (RISC) architecture, an advanced RISC machine (ARM) architecture, or the like.
The out-of-band controller is an out-of-band processor that is independent of the central processing unit (CPU). The out-of-band controller may be a monitoring management unit external to the computer device, a management system in a management chip external to the processor, a baseboard management controller (BMC) of the computer device, a system management mode (SMM) module, and the like.
The out-of-band controller 101 is mainly used for performing component management, asset management, etc. of the server 100, and supports remote management (such as server reset, power-on and power-off, etc.) through a management network port. For example, the out-of-band controller 101 may monitor the status (such as humidity, temperature, voltage, current, etc.) of each hardware device in the server 100, and perform corresponding operations (such as power-on/power-off control, fan speed regulation, etc.) according to a preset policy and the status of each hardware device, so as to keep the server 100 in a healthy state. Meanwhile, when the out-of-band controller 101 detects that the server 100 is abnormal (such as the CPU temperature being too high), the out-of-band controller 101 may report relevant information (such as the abnormal device, the time of the abnormality, a description of it, processing advice, etc.) to the upper-layer management software through the simple network management protocol (SNMP), the simple mail transfer protocol (SMTP), the Redfish protocol, etc., so that the relevant personnel can handle it in time and the impact on the service is reduced.
In the embodiment of the present application, taking the BMC 101 as the out-of-band controller by way of example, the BMC 101 can monitor the network traffic of the management network port in real time and analyze the received unicast messages, multicast messages and broadcast messages: if the traffic of the unicast messages is abnormal, the BMC 101 can isolate the unicast messages whose destination media access control (MAC) address is not the MAC address of the BMC; if the traffic of the multicast and broadcast messages is abnormal, the BMC 101 can report the management network port traffic abnormality to the upper-layer management software and notify the relevant personnel to investigate. Thus, malicious network attacks aimed at the BMC management network port can be found in advance, so that isolation processing or reporting of the problem can be carried out in advance, and the problem that the BMC management function is unavailable or abnormal can be avoided. For the structure of the BMC 101, see fig. 2 below; the specific implementation of the network traffic monitoring by the BMC 101 may be referred to the method embodiment shown in fig. 5 below, which is not described here again.
It is understood that the BMC 101 may be a chip integrated on the motherboard of the server 100.
The processor 102 may be a general purpose processor, a microprocessor, an application specific integrated circuit, a field programmable gate array, or any combination thereof. In some embodiments, the processor may be a central processing unit (central processing unit, CPU).
The memory 103 may include, but is not limited to, random access memory (random access memory, RAM), read-only memory (ROM), erasable programmable read-only memory (erasable programmable read only memory, EPROM), or portable read-only memory (compact disc read-only memory, CD-ROM), etc. In some embodiments, the memory may be a solid state disk or a mechanical hard disk.
It should be appreciated that the server 100 is not limited to only including the BMC 101, the processor 102, and the memory 103 shown in FIG. 1, and that the server 100 may also include a basic input output system (basic input output system, BIOS), memory, network cards, power supplies, and the like. The BIOS stores programs for basic input and output, including a self-checking program after power-on and a system self-starting program, and can provide bottommost and most direct hardware setting and control for the server 100.
It should be noted that the system architecture shown in fig. 1 is only exemplary, and is not limited to the configuration thereof. In other embodiments of the present application, the system architecture shown in FIG. 1 may include more or fewer devices than shown, and is not limited to only including the BMC 101, processor 102, and memory 103 shown in FIG. 1.
Referring to fig. 2, fig. 2 is a schematic diagram of another system architecture according to an embodiment of the present application. As shown in fig. 2, the system architecture may be the system architecture of the BMC 101 described above, and the BMC 101 may include a processor 1011, a communication interface 1012, and a memory 1013. The processor 1011, the communication interface 1012, and the memory 1013 may be coupled to each other.
The memory 1013 is used to store a computer program (instruction) of the BMC 101, such as an Operating System (OS) of the BMC 101. In addition, the memory 1013 may further store a network traffic monitoring analysis program for the BMC management network port, etc., and the processor 1011 may read the program stored in the memory 1013 to execute the operations executed by the BMC in the method embodiments shown in fig. 4 and fig. 5, which will be described below and will not be repeated herein. The memory 1013 may include, but is not limited to, a random access memory (random access memory, RAM), a read-only memory (ROM), an erasable programmable read-only memory (erasable programmable read only memory, EPROM), or a portable read-only memory (compact disc read-only memory, CD-ROM), etc.
The processor 1011 may be a CPU, graphics processor (graphics processing unit, GPU), complex programmable logic device, general purpose processor, digital signal processor, application specific integrated circuit, field programmable gate array or other programmable logic device, transistor logic device, hardware component, or any combination thereof. A processor may also be a combination that performs a computational function, such as a combination comprising one or more microprocessors, a combination of a digital signal processor and a microprocessor, and so forth.
The communication interface 1012 is used to receive information from other electronic devices outside the BMC 101 and to output information to other electronic devices outside the BMC 101.
It should be appreciated that the BMC 101 may use an embedded system, such as a Linux system, or the like. The BMC 101 may employ a layered architecture and may include, but is not limited to, an application layer, a system layer, a driver layer, a hardware layer, and the like.
It should be noted that the BMC 101 shown in fig. 2 is only one implementation of the embodiment of the present application, and in practical application, the BMC 101 may further include more or fewer components, which is not limited herein.
For a better understanding of the embodiments of the present application, related terms and related techniques of the embodiments of the present application are described below.
Bandwidth (i.e., network bandwidth) refers to the amount of data that can be transmitted or received in units of time (typically 1 second), and can be in bits per second (bit/s), which can also be written as bps (bit per second).
Unicast is a one-to-one communication scheme and may include a sender and a receiver. In the transmission of computer networks, the unicast communication message typically includes the address of the recipient (e.g., the recipient's internet protocol (internet protocol, IP) address, MAC address).
Multicasting is a one-to-many communication scheme and may include a sender and multiple receivers. In the transmission of computer networks, a multicast communication message typically includes a multicast address, which typically corresponds to multiple receivers.
Broadcasting is one way to send information to all devices in the broadcast domain. The broadcast may send a packet to each host in a broadcast domain, whether or not the hosts wish to receive the packet.
It will be appreciated that the server typically includes at least one BMC management portal and one service portal, where the BMC management portal is primarily configured to communicate with upper management software (i.e., BMC out-of-band management software or management system). The BMC out-of-band management software can be presented in the form of a web program or a desktop Application (APP), and can provide various monitoring and management functions so that related personnel can conveniently know the running state of the server, remotely control the server and the like. It should be appreciated that a service portal may also be referred to as a shared portal. In some embodiments, the BMC management portal and the service portal of the server may be the same portal.
Because the bandwidth of the BMC management network port is limited, in an actual usage scenario, if the BMC network port is subjected to a malicious network attack (such as a broadcast flood or a multicast flood), serious packet loss may occur on the BMC management network port, so that a user may be unable to log in to the BMC management system or use the related management functions provided by the BMC (such as server reset, power-on and power-off, etc.). After the problem occurs, related personnel need to check the possible factors in sequence, such as the server's BMC and the switch, analyze the possible causes of the problem, make corresponding adjustments, and observe whether the problem is solved; if not, they continue to locate possible causes, adjust again, and observe again.
Specifically, referring to fig. 3, fig. 3 is a schematic flow chart of a solution disclosed in an embodiment of the present application. As shown in fig. 3, the overall solution may include three steps: problem identification, problem analysis, and problem resolution. First, when a user discovers that a ping test loses packets and the BMC management system cannot be logged in to, or that the BMC management function is abnormal, the user can determine that a related problem (such as a malicious network attack on the BMC management network port) has occurred. The relevant personnel can then analyze the possible causes step by step and make corresponding adjustments. For example, packets may first be captured on the switch of the machine room and analyzed; the current message volume can be compared with the normal message volume to determine whether it is too large. If the current message volume is too large, the different message types (i.e. unicast, multicast and broadcast messages) can be analyzed separately; when abnormal unicast, multicast or broadcast messages are found, they can be isolated on the switch, the networking configuration of the server can be modified, and it can then be observed whether the problem is solved. If the problem is not solved, or the current message volume is normal, conventional investigation can continue: the hardware devices can be investigated or cross-validated, and if a hardware device is found to be abnormal, that abnormality can be resolved first, after which it can be observed whether the problem is solved.
If the problem is still not solved, or the hardware devices show no abnormality, the investigation can continue on the switch: it can be confirmed whether the BMC's messages are sent out normally and whether the VLAN (virtual local area network) settings of the switch are correct; if a problem exists on the switch side, the switch configuration can be modified and it can then be observed whether the problem is solved. If the problem is not resolved, or there is no problem on the switch side, other possible causes can be examined in sequence and adjusted until the problem is resolved.
It can be seen that in the above process, the possible causes can only be analyzed and corresponding adjustments made after the problem has occurred (i.e., when the user finds that the BMC management system cannot be logged in to or the related management functions provided by the BMC cannot be used), which takes a long time. Moreover, if the problem is caused by a server networking problem or a malicious network attack, the user's experience is poor, and the problem may be mistaken for a quality problem of the server product. Meanwhile, for packet loss on the BMC management network port caused by a malicious network attack, packet capture and analysis are generally needed on the switch of the machine room, and most machine rooms are remote, so packet capture is inconvenient and the problem-handling time is prolonged. In addition, in some cases the user may need to control the server through the BMC management software, for example to update the firmware of a solid state disk in the server so as to solve a problem where the solid state disk cannot correctly read and write data.
In order to solve the above problems, the embodiment of the application provides a flow monitoring method, which includes: monitoring the message traffic of the management network port; analyzing the received unicast, multicast and broadcast messages; if the unicast message traffic is abnormal, isolating unicast messages whose destination MAC address is not the MAC address of the BMC; and if the multicast or broadcast message traffic is abnormal, having the BMC 101 report the management network port traffic abnormality to the upper-layer management software and notify related personnel to investigate. In this way, malicious network attacks on the BMC management network port can be discovered in advance, so that isolation or reporting can be carried out early and the BMC management function can be prevented from becoming unavailable or abnormal.
It will be appreciated that a BMC management network port typically has a rated maximum bandwidth (i.e., the bandwidth advertised by the BMC chip manufacturer). However, in actual operation, because the BMC must also perform tasks such as hardware management and monitoring of the server in addition to processing messages, not all of the BMC's computing or processing resources can be used for message processing, so the BMC management network port cannot reach its rated maximum bandwidth. For example, the rated bandwidth of the BMC management network port may be 1 Gbps, but in actual operation, since the BMC must handle other management and monitoring tasks, the BMC management network port may only reach 200 Mbps at most, that is, it can only process 200 Mbps of message traffic. When the traffic of the management network port exceeds 200 Mbps, the BMC may be unable to process all messages in time and packet loss may occur, so that a user may be unable to log in to the BMC management system or use the related management functions provided by the BMC.
In the embodiment of the application, the BMC can monitor the traffic and packet-loss condition of the BMC management network port, record the maximum bandwidth in each packet-loss period, screen the maximum bandwidths collected over different packet-loss periods to remove those whose packet loss was not caused by excessive data volume, and then take a certain ratio of the minimum bandwidth among the screened values as a bandwidth threshold, for example 90%, 85% or 80% of that minimum bandwidth. This bandwidth threshold may be used as the maximum bandwidth that the BMC management network port can actually reach. Based on the bandwidth threshold, the BMC can report the management network port traffic abnormality to the upper-layer management software in advance, before the management network port traffic reaches the bandwidth threshold, and notify related personnel to check, so that the BMC management function can be prevented from becoming unavailable or abnormal.
The process of determining the bandwidth threshold is described below. Referring to fig. 4, fig. 4 is a schematic flow chart of determining a bandwidth threshold according to an embodiment of the present application. As shown in fig. 4, the method for determining the bandwidth threshold may include, but is not limited to, the following steps:
Step 401: the BMC acquires the received messages according to the acquisition period, and counts the maximum bandwidth and the total data amount of the messages in the current acquisition period.
Specifically, the BMC may continuously collect the messages received by the BMC management network port, and count the messages received by the BMC management network port with a fixed collection period as a unit, so as to obtain the maximum bandwidth and the total data volume of the messages in the current collection period (i.e., the first period). In some embodiments, the acquisition period may be 3 minutes, 5 minutes, 10 minutes, etc. The acquisition period can also be obtained through testing according to actual conditions, or set according to the rated maximum bandwidth of the management network port, and the method is not limited herein.
It should be understood that the messages received by the BMC management portal may include unicast messages, multicast messages, and broadcast messages.
For a better understanding of the embodiments of the present application, an example with a 5-minute acquisition period is given below. When the acquisition period is 5 minutes, the BMC continuously acquires the received messages for 5 minutes from the initial acquisition time, and during this acquisition the BMC may determine the maximum bandwidth within those 5 minutes. For example, if the bandwidth at a certain instant during the 5 minutes is 150 Mbit/s, which is greater than the bandwidth at any other time during the 5 minutes, the BMC may take 150 Mbit/s as the current maximum bandwidth within the 5 minutes. At the end of the 5 minutes, the BMC can count the total data amount of the messages received in those 5 minutes. The BMC may then continue to count the maximum bandwidth and total message data amount for the next 5 minutes. It will be appreciated that the BMC may repeat step 401 for each acquisition period. The initial acquisition time may be the time when the BMC is powered up or the server is powered up.
Step 402: the BMC determines whether the difference between the total data amount of the messages in the current acquisition period and a first standard data amount is greater than a first threshold; if the difference is greater than the first threshold, step 403 is performed, and if it is less than or equal to the first threshold, step 401 is performed.
Specifically, the first standard data size may be the maximum total message data size that can be achieved by the management portal in one collection period under a normal condition (i.e., under a condition that the management portal is not attacked). Therefore, if the BMC determines that the difference between the total data amount of the messages and the first standard data amount in the current acquisition period is less than or equal to the first threshold, it may be considered that the difference between the maximum bandwidth and the first standard bandwidth in the current acquisition period is also less than or equal to the second threshold, so the BMC may directly wait for the next acquisition period without executing step 403, and count the maximum bandwidth and the total data amount of the messages in the next acquisition period, that is, execute step 401. If the BMC determines that the difference between the total data amount of the messages and the first standard data amount in the current acquisition period is greater than the first threshold, it cannot be determined whether the difference between the maximum bandwidth and the first standard bandwidth in the current acquisition period is less than or equal to the second threshold, and therefore, the BMC may execute step 403.
It can be understood that the first standard data amount may be set to a reasonable initial value, and then the value of the first standard data amount may be updated according to the actual situation (that is, when each collection period satisfies a specific condition), and as the number of updates increases, the first standard data amount may approach the maximum total data amount of the message that the BMC management portal can reach in a collection period under normal conditions. The initial value of the first standard data amount may be set according to the rated maximum bandwidth of the BMC management portal. In some embodiments, the initial value of the first standard data amount may be set to the total data amount of the message for the first acquisition period.
The first threshold is an integer greater than 0 and may be set according to practical circumstances; in some embodiments it may be set to 3 to 5 megabytes (MB). It is understood that the smaller the first threshold, the more easily the difference between the total message data amount and the first standard data amount in an acquisition period exceeds it, so that the bandwidth threshold and the first standard bandwidth are updated more finely. Conversely, the larger the first threshold, the less often that difference exceeds it in an acquisition period, so that the BMC's processing resources are saved.
In some embodiments, the BMC may perform step 403 directly without performing step 402. Accordingly, in step 401, the BMC may not count the total data amount of the message in the current acquisition period, but only need to count the maximum bandwidth in the current acquisition period.
Step 403: the BMC determines whether the difference between the maximum bandwidth in the current acquisition period and a first standard bandwidth is greater than a second threshold; if so, step 404 is executed, and if not, step 401 is executed.
Specifically, the first standard bandwidth may be the maximum bandwidth at which the BMC management network port experiences no packet loss. Therefore, if the BMC determines that the difference between the maximum bandwidth in the current acquisition period and the first standard bandwidth is less than or equal to the second threshold, it may be considered that no packet loss occurred on the BMC management network port in the current acquisition period and the first standard bandwidth need not be updated; accordingly, the BMC need not execute step 404 and may directly wait for the next acquisition period and count its maximum bandwidth and total message data amount, that is, execute step 401. If the BMC determines that the difference between the maximum bandwidth and the first standard bandwidth in the current acquisition period is greater than the second threshold, packet loss may have occurred on the BMC management network port in the current acquisition period, and therefore the BMC may execute step 404.
It can be understood that the first standard bandwidth may be set to a reasonable initial value and then updated according to the actual situation (that is, whenever an acquisition period satisfies a specific condition); as the number of updates increases, the first standard bandwidth approaches the maximum bandwidth at which the BMC management network port experiences no packet loss under normal conditions. The initial value of the first standard bandwidth may be set according to the rated maximum bandwidth of the BMC management network port.
The second threshold is an integer greater than 0 and may be set according to practical situations; in some embodiments, the second threshold may be set to 3 to 5 Mbps. It will be appreciated that the smaller the second threshold, the more easily the difference between the maximum bandwidth and the first standard bandwidth in an acquisition period exceeds it, and the finer the updating of the bandwidth threshold and the first standard bandwidth becomes. Conversely, the larger the second threshold, the less often that difference exceeds it in an acquisition period, and the more of the BMC's processing resources are saved.
Step 404: the BMC judges whether packet loss occurred on the BMC management network port in the current acquisition period; if no packet loss occurred, step 405 is executed, and if packet loss occurred, step 406 is executed.
Specifically, the BMC may determine whether a packet loss occurs in the BMC management network port in the current acquisition period through the network card, and if no packet loss occurs, it indicates that the BMC may process a message flow smaller than or equal to the maximum bandwidth in the current acquisition period, and the BMC may execute step 405. If packet loss occurs, indicating that the BMC cannot process message traffic greater than or equal to the maximum bandwidth in the current acquisition cycle, the BMC may execute step 406.
Step 405: the BMC updates the first standard bandwidth to the maximum bandwidth within the current acquisition period.
Because the first standard bandwidth can be the maximum bandwidth of the BMC management network port which does not generate packet loss, when the BMC determines that no packet loss occurs in the current acquisition period, the first standard bandwidth can be updated to be the maximum bandwidth in the current acquisition period.
Step 406: the BMC adds the maximum bandwidth in the current acquisition period to the bandwidth array.
When the BMC determines that the BMC management network port in the current acquisition period loses the packet, adding the maximum bandwidth in the current acquisition period into the bandwidth array.
Step 407: the BMC determines whether the number of packet-loss periods is greater than N; if so, step 408 is performed, and if not, step 401 is performed.
Packet loss on the BMC management network port is not necessarily caused by excessive message traffic; it may also be caused, for example, by messages that cannot be identified. The BMC therefore needs to remove from the bandwidth array those bandwidth values whose packet loss was not caused by excessive message traffic. In the embodiment of the application, this is done by comparing the maximum value in the bandwidth array with the other bandwidth values: if the difference between the maximum value and a certain bandwidth value is greater than a third threshold, that bandwidth value can be determined as one whose packet loss was not caused by excessive message traffic and can be deleted from the bandwidth array (see step 410 below). It can be seen that if there is only one value in the bandwidth array, this screening cannot be performed; at least two values are required to screen out non-conforming bandwidth values. Thus, N may be an integer greater than or equal to 2; for example, N may be 5. The third threshold may be set according to practical situations and is not limited herein. In one embodiment, the third threshold may be 10 Mbps.
Specifically, the BMC may record, for each acquisition period, whether packet loss occurred on the BMC management network port. If packet loss has already been recorded in N acquisition periods before the current one, the BMC may determine that the number of packet-loss periods is greater than N and execute step 408; otherwise, it may determine that the number is less than or equal to N, directly wait for the next acquisition period, and count the maximum bandwidth and total message data amount of the next acquisition period, that is, execute step 401.
Step 408: the BMC determines whether the bandwidth array already holds M entries; if so, step 409 is performed, and if not, step 410 is performed.
As more acquisition periods elapse, the number of entries in the bandwidth array grows. To prevent the bandwidth array from storing too much data and occupying too much memory, the BMC may set a storage upper limit for the bandwidth array; when the data stored in the bandwidth array exceeds this limit (i.e., the array holds more than M-1 entries), an intermediate value in the bandwidth array may be deleted, i.e., step 409 is performed. When the amount of data stored in the bandwidth array does not exceed the storage upper limit, step 410 may be performed. M may be an integer of 3 or more; for example, M may be 5. In some embodiments, M may be greater than N.
Step 409: the BMC deletes an intermediate value from the bandwidth array.
Specifically, when the bandwidth array holds M entries, the BMC may delete an intermediate value from it. For example, assuming M is 5 and the values in the bandwidth array are (13, 17, 19, 20, 21), the intermediate value 19 may be deleted, after which the bandwidth array holds (13, 17, 20, 21). For another example, assuming M is 4 and the values in the bandwidth array are (13, 17, 19, 21), either of the intermediate values 17 or 19 may be deleted, after which the bandwidth array holds either (13, 19, 21) or (13, 17, 21).
Step 410: the BMC calculates the difference between the maximum value in the bandwidth array and each other bandwidth value, and deletes the bandwidth values whose difference is greater than the third threshold.
The BMC needs to reject the bandwidth which is not lost due to overlarge message flow in the bandwidth array. Therefore, the BMC may calculate a difference between the maximum value in the bandwidth array and other bandwidth values, and then may determine a bandwidth value (i.e., the second bandwidth value) having a difference greater than the third threshold as a bandwidth value not causing packet loss due to excessive packet traffic, delete the bandwidth values from the bandwidth array, and then, may determine the bandwidth threshold according to the remaining bandwidth values. At this time, the bandwidth array after filtering may be referred to as a second bandwidth array.
In some embodiments, after the BMC executes step 407, step 410 may be directly executed without executing step 408 and step 409, and only the bandwidth in the bandwidth array, which is not the bandwidth lost due to the excessive packet traffic, is removed in step 410.
Step 411: the BMC determines a certain ratio of the minimum bandwidth value in the bandwidth array as the bandwidth threshold.
After the BMC has screened the bandwidth values in the bandwidth array, a certain ratio (i.e., a first ratio) of the minimum bandwidth value in the bandwidth array may be determined as the bandwidth threshold. The first ratio is greater than 0 and less than 1 and may be set manually, for example to 90%, 85% or 80%, without limitation. It should be appreciated that the first standard data amount and the bandwidth threshold may differ for different acquisition period sizes.
It should be noted that, in some embodiments, the BMC may also determine the first standard bandwidth, or a certain ratio of the first standard bandwidth, as the bandwidth threshold. In such embodiments, the BMC may not perform steps 406-411 described above.
Through the processing flow, the BMC can obtain the bandwidth threshold, based on the bandwidth threshold, the BMC can monitor the flow, and then report the abnormal management network port flow to the upper BMC management system in advance before the management network port flow reaches the bandwidth threshold. In addition, the BMC can also extract the destination MAC address in the message header of the unicast message while monitoring the flow, so that the unicast messages with destination MAC addresses which are not the MAC addresses of the BMC can be isolated, and further, the abnormal management function of the BMC can be avoided.
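Steps 401 to 411 above, carried through in Python as an added illustration; this is not code from the patent or from any BMC firmware. It assumes per-period statistics already counted by the BMC (peak bandwidth in Mbps, total data in MB, whether packet loss was seen), an initial first standard bandwidth of 100 Mbps, a first threshold of 3 MB, a second threshold of 3 Mbps, a third threshold of 10 Mbps, N = M = 5 and a ratio of 90%, all taken from the ranges the text gives or chosen here. Two points the text leaves open are settled as stated in the comments: the first standard data amount is seeded from the first period, and the screened array of step 410 is kept as the array for later periods. The sample periods are constructed.

```python
"""Illustrative bandwidth-threshold estimator following steps 401-411 (added example)."""
from typing import List, Optional, Tuple


class BandwidthThresholdEstimator:
    """Learns the bandwidth the management port can really sustain from per-period statistics."""

    def __init__(self, initial_std_bw_mbps: float, first_threshold_mb: float = 3.0,
                 second_threshold_mbps: float = 3.0, third_threshold_mbps: float = 10.0,
                 n_loss_periods: int = 5, m_array_cap: int = 5, ratio: float = 0.9):
        self.std_data_mb: Optional[float] = None   # first standard data amount, seeded by period 1
        self.std_bw_mbps = initial_std_bw_mbps     # first standard bandwidth (peak without loss)
        self.first_threshold_mb = first_threshold_mb
        self.second_threshold_mbps = second_threshold_mbps
        self.third_threshold_mbps = third_threshold_mbps
        self.n = n_loss_periods
        self.m = m_array_cap
        self.ratio = ratio
        self.bw_array: List[float] = []            # peak bandwidths of periods that lost packets
        self.loss_count = 0
        self.bw_threshold: Optional[float] = None

    def process_period(self, max_bw_mbps: float, total_data_mb: float,
                       packet_loss: bool) -> Optional[float]:
        """Apply steps 402-411 to one acquisition period; returns the threshold (None until learned)."""
        # Step 402: the standard data amount is seeded from the first period (an option the text
        # allows); later periods whose total does not exceed it by the first threshold are skipped.
        if self.std_data_mb is None:
            self.std_data_mb = total_data_mb
            return self.bw_threshold
        if total_data_mb - self.std_data_mb <= self.first_threshold_mb:
            return self.bw_threshold
        # Step 403: a peak not meaningfully above the loss-free standard teaches nothing new.
        if max_bw_mbps - self.std_bw_mbps <= self.second_threshold_mbps:
            return self.bw_threshold
        # Steps 404/405: a higher peak with no loss raises the loss-free standard.
        if not packet_loss:
            self.std_bw_mbps = max_bw_mbps
            return self.bw_threshold
        # Step 406: a higher peak with loss is a candidate for the real ceiling.
        self.bw_array.append(max_bw_mbps)
        self.loss_count += 1
        # Step 407: screening needs more than N loss periods.
        if self.loss_count <= self.n:
            return self.bw_threshold
        # Steps 408/409: cap the array by dropping a middle entry (which middle one is our choice).
        if len(self.bw_array) >= self.m:
            del self.bw_array[len(self.bw_array) // 2]
        # Step 410: peaks far below the largest one lost packets for reasons other than volume,
        # so they are dropped; the screened array is kept for later periods (our interpretation).
        peak = max(self.bw_array)
        self.bw_array = [b for b in self.bw_array if peak - b <= self.third_threshold_mbps]
        # Step 411: the threshold is a fixed ratio of the smallest surviving peak.
        self.bw_threshold = self.ratio * min(self.bw_array)
        return self.bw_threshold


# Constructed per-period statistics: (max bandwidth in Mbps, total data in MB, packet loss seen).
SAMPLE_PERIODS: List[Tuple[float, float, bool]] = [
    (120.0, 1000.0, False),  # period 1 only seeds the standard data amount
    (150.0, 1200.0, False),  # no loss at 150 Mbps -> standard bandwidth becomes 150
    (170.0, 1300.0, True),   # loss periods are recorded but not yet screened
    (190.0, 1350.0, True),
    (175.0, 1320.0, True),
    (140.0, 1250.0, True),   # loss below the standard bandwidth: ignored at step 403
    (205.0, 1400.0, True),
    (180.0, 1330.0, True),   # fifth loss period: still not more than N
    (200.0, 1380.0, True),   # sixth: cap, screen, and compute the threshold
    (160.0, 1280.0, True),   # a low-bandwidth loss period is screened out again
]


def run_sample() -> Tuple[List[Optional[float]], BandwidthThresholdEstimator]:
    """Feed the constructed periods through the estimator; returns thresholds and final state."""
    est = BandwidthThresholdEstimator(initial_std_bw_mbps=100.0)  # assumed starting standard
    thresholds = [est.process_period(*period) for period in SAMPLE_PERIODS]
    return thresholds, est


if __name__ == "__main__":
    results, estimator = run_sample()
    for i, t in enumerate(results, 1):
        print(f"period {i}: threshold = {t}")
    print("surviving peaks:", estimator.bw_array, "standard bw:", estimator.std_bw_mbps)
```

With these inputs the threshold first appears in the ninth period: the middle entry 205 is dropped by the cap, the peaks 170, 175 and 180 are more than 10 Mbps below the maximum of 200 and are screened out as loss not caused by volume, and 90% of the surviving minimum (190 Mbps) gives 171 Mbps. The tenth period's 160 Mbps loss is recorded and then screened out the same way, so the threshold stays at 171 Mbps.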
Based on the above system architecture, please refer to fig. 5, fig. 5 is a flow chart of a flow monitoring method according to an embodiment of the present application. As shown in fig. 5, the flow monitoring method may include, but is not limited to, the following steps:
Step 501: the BMC acquires the received messages according to the acquisition period, and counts the maximum bandwidth, the data amount of unicast messages, the data amount of broadcast messages and the data amount of multicast messages in the current acquisition period.
Specifically, the BMC may continuously collect the messages received by the BMC management network port, and count the messages received by the BMC management network port with a fixed collection period as a unit, so as to obtain the maximum bandwidth in the current collection period. And the BMC can classify the received messages to obtain the data volume of the unicast message, the data volume of the broadcast message, the data volume of the multicast message and the total data volume of the messages in the current acquisition period. For unicast messages, the BMC may extract the destination MAC address in the header. The description of the acquisition cycle may be referred to the relevant description of step 401 above. It should be understood that the acquisition period size in step 401 and step 501 may be different, for example, 3 minutes in step 401 and 5 minutes in step 501, which is not limited herein.
It should be understood that the unicast, multicast and broadcast messages may be Ethernet messages, where the Ethernet header includes the destination MAC address. It should also be appreciated that the BMC may repeat step 501 for each acquisition period. The initial acquisition time may be the time when the BMC is powered up or the server is powered up.
Step 502: the BMC determines whether the difference between the sum of the data amounts of the unicast, multicast and broadcast messages in the current acquisition period and the first standard data amount is greater than the first threshold; if the difference is greater than the first threshold, steps 503 and 507 are performed, and if it is less than or equal to the first threshold, step 501 is performed.
Specifically, the first standard data size may be the maximum total message data size that can be achieved by the management portal in one collection period under a normal condition (i.e., under a condition that the management portal is not attacked). Therefore, if the BMC determines that the difference between the total data volume of the messages (i.e., the sum of the data volumes of the unicast message, the multicast message, and the broadcast message) and the first standard data volume in the current collection period is less than or equal to the first threshold, it can be considered that there is no malicious network attack in the current collection period, and no abnormal management function of the BMC will be caused, so the BMC can directly wait for the next collection period, and count the maximum bandwidth in the next collection period, the data volume of the unicast message, the data volume of the broadcast message, and the data volume of the multicast message, that is, execute step 501. If the BMC determines that the difference between the total data amount of the messages in the current collection period and the first standard data amount is greater than the first threshold, it cannot be determined whether a malicious network attack exists in the current collection period, and therefore, the BMC may execute step 503 and step 507. The description of the correlation of the first standard data amount and the first threshold may be referred to the description of the correlation of step 401 described above.
In some embodiments, the BMC may not perform step 502, and may perform steps 503 and 507 directly after step 501. It should be understood that the branch corresponding to step 503 and the branch corresponding to step 507 may be performed in parallel, or may be performed in series, i.e., steps 503, 504, 505, or 506 may be performed first, and then steps 507, 508, 509, or 510 may be performed, or steps 507, 508, 509, or 510 may be performed first, and then steps 503, 504, 505, or 506 may be performed.
Step 503: the BMC determines whether the difference between the data amount of the unicast messages and a second standard data amount is greater than a fourth threshold; if not, step 501 is performed, and if so, step 504 is performed.
Specifically, the second standard data size may be the maximum total data size of unicast messages that can be achieved by the management portal in a collection period under normal conditions. Therefore, if the BMC determines that the difference between the data amount of the unicast message and the second standard data amount in the current acquisition period is less than or equal to the fourth threshold, it may be determined that the data amount of the unicast message in the current acquisition period is in a normal range, where no abnormal unicast message is present, and no abnormal BMC management function is caused, so the BMC may directly wait for the next acquisition period, and count the maximum bandwidth in the next acquisition period, the data amount of the unicast message, the data amount of the broadcast message, and the data amount of the multicast message, that is, execute step 501. If the BMC determines that the difference between the data amount of the unicast message in the current acquisition period and the second standard data amount is greater than the fourth threshold, it cannot be determined whether there is an abnormal unicast message in the current acquisition period, and therefore, the BMC may execute step 504.
It can be understood that the second standard data amount may be set to a reasonable initial value, and then the value of the second standard data amount may be updated according to the actual situation (i.e. when each acquisition period satisfies a specific condition), and as the number of updates increases, the second standard data amount may approach the maximum unicast message data amount that can be reached by the management network port in a single acquisition period under normal conditions. The initial value of the second standard data amount may be set according to the rated maximum bandwidth of the BMC management portal. In some embodiments, the initial value of the second standard data amount may be set to the unicast message data amount of the first acquisition period.
The fourth threshold is an integer greater than 0 and may be set according to practical circumstances; in some embodiments it may be set to 3 to 5 megabytes (MB). It will be appreciated that the smaller the fourth threshold, the more easily the difference between the unicast message data amount and the second standard data amount in an acquisition period exceeds it, and the finer the updating of the second standard data amount becomes. Conversely, the larger the fourth threshold, the less often that difference exceeds it in an acquisition period, so that the BMC's processing resources are saved.
Step 504: the BMC determines whether the destination MAC addresses of all the unicast messages in the current acquisition period are the MAC address of the BMC; if they all are, step 505 is executed, and if any of them is not, step 506 is executed.
Specifically, in the case where the destination MAC address of the unicast message is not the MAC address of the BMC, the BMC may determine that the unicast message is an abnormal unicast message (i.e., an attack message). Therefore, the BMC may determine whether there is an abnormal unicast message in the current collection period through the destination MAC addresses of all the unicast messages in the current collection period, and in the case that the destination MAC addresses of all the unicast messages are the MAC addresses of the BMC, it may be determined that there is no abnormal unicast message in the current collection period, step 505 may be performed, otherwise, it may be determined that there is an abnormal unicast message in the current collection period, and step 506 may be performed.
In some embodiments, the BMC may also determine whether a unicast message is an abnormal unicast message through the IP address of the BMC. If the destination IP address of the unicast message is the IP address of the BMC, the unicast message can be determined to be a normal unicast message, and if the destination IP address of the unicast message is not the IP address of the BMC, the unicast message can be determined to be an abnormal unicast message.
Step 505. The BMC updates the second standard data amount to the unicast message data amount of the current acquisition period.
When the BMC determines that no abnormal unicast message exists in the current acquisition period, the unicast message data amount of the current acquisition period is larger than the second standard data amount (their difference exceeded the fourth threshold), so the BMC may update the second standard data amount to the unicast message data amount of the current acquisition period, which facilitates the processing of subsequent acquisition periods.
Step 506. The BMC isolates the unicast messages whose destination MAC address is not the MAC address of the BMC.
When the BMC determines that abnormal unicast messages exist in the current acquisition period, the BMC may isolate (i.e., discard) the unicast messages whose destination MAC address is not the MAC address of the BMC, since the BMC does not need to process these abnormal messages.
In addition, since the current acquisition period also includes unicast messages whose destination MAC address is the MAC address of the BMC, and the data amount of these normal messages may itself be large, in some embodiments the BMC may further determine whether the data amount of the unicast messages whose destination MAC address is the MAC address of the BMC is greater than the second standard data amount. If so, the BMC updates the second standard data amount to the sum of the data amounts of those unicast messages; if it is less than or equal to the second standard data amount, no processing is performed.
Step 507. The BMC determines whether the difference between the sum of the data amounts of the multicast messages and the broadcast messages in the current acquisition period and the third standard data amount is greater than a fifth threshold; if not, step 501 is executed, and if so, step 508 is executed.
Specifically, the third standard data amount may be the total data amount of multicast messages and broadcast messages that the management network port can reach in a single acquisition period under normal conditions. Therefore, if the BMC determines that the difference between the total data amount of the multicast and broadcast messages in the current acquisition period and the third standard data amount is less than or equal to the fifth threshold, it may be determined that this total data amount is in the normal range; even if abnormal multicast or broadcast messages are present, they will not make the BMC management function abnormal, so the BMC may directly wait for the next acquisition period and count the maximum bandwidth, the unicast message data amount, the broadcast message data amount and the multicast message data amount of that period, that is, execute step 501. If the BMC determines that the difference is greater than the fifth threshold, it cannot yet determine whether an abnormal multicast message or an abnormal broadcast message exists in the current acquisition period, so the BMC may execute step 508.
It can be understood that the third standard data amount may be set to a reasonable initial value and then updated according to the actual situation (i.e. whenever an acquisition period satisfies a specific condition); as the number of updates increases, the third standard data amount approaches the total data amount of multicast and broadcast messages that the management network port can reach in a single acquisition period under normal conditions. The initial value of the third standard data amount may be set according to the rated maximum bandwidth of the BMC management network port. In some embodiments, the initial value of the third standard data amount may be set to the total data amount of the multicast and broadcast messages of the first acquisition period.
The fifth threshold is an integer greater than 0, which may be set according to practical circumstances, and in some embodiments may be set to 3-5 Megabytes (MB). It can be understood that the smaller the fifth threshold is set, the more easily the difference between the total data amount of the multicast and broadcast messages and the third standard data amount exceeds the fifth threshold in an acquisition period, so that the updating of the third standard data amount and the management network port flooding alarm can be handled more finely. Conversely, the larger the fifth threshold is set, the less likely that difference is to exceed the fifth threshold in an acquisition period, so that processing resources of the BMC can be saved.
It should be appreciated that the first standard data amount may be greater than each of the second standard data amount and the third standard data amount, and that the first, second and third standard data amounts may differ in size. The larger the acquisition period, the larger the first, second and third standard data amounts; the smaller the acquisition period, the smaller they are.
Step 508. The BMC determines whether the difference between the maximum bandwidth in the current acquisition period and the bandwidth threshold is greater than a sixth threshold; if so, step 509 is executed, and if not, step 510 is executed.
Because the BMC cannot directly screen out abnormal multicast and broadcast messages, it can only determine, from the bandwidth threshold, whether the current message flow will make the BMC management function abnormal, so that a timely warning can be given.
Specifically, when the BMC determines that the difference between the maximum bandwidth in the current acquisition period and the bandwidth threshold is less than or equal to the sixth threshold, the BMC may determine that all messages can still be processed and that no packet loss will occur at the BMC management network port, so it may be considered that no abnormal multicast or broadcast message exists in the current acquisition period, and step 510 may be executed. When the BMC determines that the difference is greater than the sixth threshold, the BMC may determine that not all messages can be processed in time, which may cause packet loss at the BMC management network port, so it may be considered that an abnormal multicast message or an abnormal broadcast message (i.e., an attack message) exists in the current acquisition period, or that both exist simultaneously, and step 509 may be executed.
The sixth threshold is an integer greater than 0, which may be set according to practical situations, and in some embodiments may be set to 3-5 Mbps. It is understood that the smaller the sixth threshold is set, the more easily the difference between the maximum bandwidth and the bandwidth threshold exceeds the sixth threshold in an acquisition period, so that the management network port flooding alarm can be handled more finely.
It will be appreciated that the first, fourth and fifth thresholds may all be the same, all different, or partly the same; likewise, the second, third and sixth thresholds may be the same or different.
Step 509. The BMC raises a BMC management network port flooding alarm.
When the BMC determines that the difference between the maximum bandwidth in the current acquisition period and the bandwidth threshold is greater than the sixth threshold, the BMC can promptly report the management network port traffic abnormality (namely, that broadcast flooding and multicast flooding may be occurring on the management network port) to the upper-layer management software, raise an alarm and notify the relevant personnel to investigate, so that unavailability or abnormality of the BMC management function can be avoided. Subsequently, if the management network port traffic returns to normal, the BMC can report that the management network port traffic abnormality alarm is cleared.
Step 510. The BMC updates the third standard data amount to the sum of the data amounts of the multicast messages and the broadcast messages in the current acquisition period.
When the BMC determines that the difference between the maximum bandwidth in the current acquisition period and the bandwidth threshold is less than or equal to the sixth threshold, the BMC may consider that no abnormal multicast or broadcast message exists in the current acquisition period; since the sum of the data amounts of the multicast and broadcast messages in the current acquisition period is larger than the third standard data amount, the BMC may update the third standard data amount to that total data amount, which facilitates the processing of subsequent acquisition periods.
It should be noted that, in some embodiments, when the BMC performs step 504 above but not step 508, if the BMC determines in step 504 that the destination MAC addresses of all the unicast messages are the MAC address of the BMC, the BMC may update the first standard data amount to the total message data amount of the current acquisition period. When the BMC performs step 508 but not step 504, if the BMC determines in step 508 that the difference between the maximum bandwidth in the current acquisition period and the bandwidth threshold is less than or equal to the sixth threshold, the BMC may likewise update the first standard data amount to the total message data amount of the current acquisition period. When the BMC performs both step 504 and step 508, if the BMC determines in step 504 that the destination MAC addresses of all the unicast messages are the MAC address of the BMC and determines in step 508 that the difference between the maximum bandwidth and the bandwidth threshold is less than or equal to the sixth threshold, the BMC may also update the first standard data amount to the total message data amount of the current acquisition period. In other embodiments, the BMC may instead use the sum of the second standard data amount and the third standard data amount as the first standard data amount, which is not limited herein. The execution of steps 503-504 and the execution of steps 507-508 have no temporal precedence; they may be performed simultaneously or sequentially.
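The following Python model is an added illustration of steps 503 to 510 and the first-standard-data-amount rule described above; it is not code from the patent or from any BMC firmware. It runs the checks over constructed frame records for five consecutive acquisition periods: a baseline period, a unicast flood addressed to a MAC other than the BMC's, a broadcast burst the port can absorb, a broadcast storm that exceeds the bandwidth threshold, and a return to normal traffic. Everything named here (ManagementPortMonitor, Frame, burst, run_scenario, the MAC addresses and traffic sizes) is an assumption. Data amounts are in bytes and bandwidths in bits per second; the maximum bandwidth of a period is taken as the busiest one-second bucket, since the text does not specify the sub-sampling; step 501 is reduced to the counting shown and step 502 is omitted; and when both a BMC MAC and a BMC IP are configured, a unicast message must match both to count as normal, which combines the two alternatives the text gives.

```python
"""Added example, not from the patent: model of steps 503-510 of the BMC management network port flow check."""
from dataclasses import dataclass
from typing import Optional

MB = 1_000_000          # data amounts below are in bytes
MBPS = 1_000_000        # bandwidths below are in bits per second
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
BMC_MAC, OTHER_MAC = "02:00:00:00:00:01", "02:00:00:00:00:99"   # assumed addresses


@dataclass
class Frame:
    dst_mac: str
    length: int                   # bytes on the wire
    t: float                      # seconds since the start of the acquisition period
    dst_ip: Optional[str] = None  # None for non-IP frames


def classify(dst_mac: str) -> str:
    """Unicast / multicast / broadcast from the destination MAC (I/G bit of octet 0)."""
    mac = dst_mac.lower()
    if mac == BROADCAST_MAC:
        return "broadcast"
    return "multicast" if int(mac.split(":")[0], 16) & 0x01 else "unicast"


@dataclass
class ManagementPortMonitor:
    bmc_mac: str
    bandwidth_threshold: int              # bit/s the management port can process
    bmc_ip: Optional[str] = None          # optional destination-IP check
    fourth_threshold: int = 3 * MB
    fifth_threshold: int = 3 * MB
    sixth_threshold: int = 3 * MBPS
    first_standard: Optional[int] = None  # baselines, taken from the first period
    second_standard: Optional[int] = None
    third_standard: Optional[int] = None
    alarm_active: bool = False

    def is_for_bmc(self, f: Frame) -> bool:
        # normal unicast: BMC MAC, and BMC IP too when both sides are available
        if f.dst_mac.lower() != self.bmc_mac.lower():
            return False
        return self.bmc_ip is None or f.dst_ip is None or f.dst_ip == self.bmc_ip

    def process_period(self, frames):
        unicast = [f for f in frames if classify(f.dst_mac) == "unicast"]
        flood = [f for f in frames if classify(f.dst_mac) != "unicast"]
        unicast_bytes = sum(f.length for f in unicast)
        flood_bytes = sum(f.length for f in flood)
        buckets = {}                      # step 501: peak of one-second buckets (assumed)
        for f in frames:
            buckets[int(f.t)] = buckets.get(int(f.t), 0) + f.length * 8
        max_bandwidth = max(buckets.values(), default=0)
        if self.second_standard is None:  # initial values from the first period
            self.second_standard, self.third_standard = unicast_bytes, flood_bytes
            self.first_standard = unicast_bytes + flood_bytes
        report = {"isolated": 0, "alarm": False, "alarm_cleared": False,
                  "max_bandwidth": max_bandwidth}
        ran_504 = ran_508 = False
        unicast_normal = flood_normal = True
        if unicast_bytes - self.second_standard > self.fourth_threshold:  # step 503
            ran_504 = True
            abnormal = [f for f in unicast if not self.is_for_bmc(f)]     # step 504
            if not abnormal:
                self.second_standard = unicast_bytes                      # step 505
            else:
                unicast_normal = False
                report["isolated"] = len(abnormal)                        # step 506: drop
                normal_bytes = unicast_bytes - sum(f.length for f in abnormal)
                if normal_bytes > self.second_standard:
                    self.second_standard = normal_bytes
        if flood_bytes - self.third_standard > self.fifth_threshold:      # step 507
            ran_508 = True
            if max_bandwidth - self.bandwidth_threshold > self.sixth_threshold:
                flood_normal = False
                report["alarm"] = True                                    # step 509
                self.alarm_active = True
            else:
                self.third_standard = flood_bytes                         # step 510
        if self.alarm_active and not report["alarm"]:  # traffic back to normal
            self.alarm_active = False
            report["alarm_cleared"] = True
        if (ran_504 or ran_508) and unicast_normal and flood_normal:
            self.first_standard = unicast_bytes + flood_bytes  # first-baseline rule
        return report


def burst(dst_mac, count, length, t, dst_ip=None):
    """Constructed traffic: `count` frames of `length` bytes at offset `t` seconds."""
    return [Frame(dst_mac, length, t, dst_ip) for _ in range(count)]


def run_scenario():
    """Five constructed acquisition periods; returns the monitor and its reports."""
    mon = ManagementPortMonitor(bmc_mac=BMC_MAC, bandwidth_threshold=100 * MBPS)
    base = burst(BMC_MAC, 2000, 1000, 0.2)                 # 2 MB of normal unicast
    periods = [
        base + burst(BROADCAST_MAC, 100, 1000, 0.3),       # 1: baseline period
        base + burst(OTHER_MAC, 4000, 1000, 0.5),          # 2: mis-addressed unicast flood
        base + burst(BROADCAST_MAC, 4000, 1000, 0.6),      # 3: broadcast burst, 48 Mbit/s peak
        base + burst(BROADCAST_MAC, 20000, 1000, 0.6),     # 4: broadcast storm, 176 Mbit/s peak
        base + burst(BROADCAST_MAC, 100, 1000, 0.3),       # 5: back to normal, alarm cleared
    ]
    return mon, [mon.process_period(p) for p in periods]
```

In the second period the 4 MB of unicast addressed to OTHER_MAC pushes the unicast total 4 MB above the baseline, step 504 finds frames not addressed to the BMC, and step 506 isolates them without raising the second standard data amount; in the third period the broadcast burst stays below the bandwidth threshold, so step 510 raises the third standard data amount and the first standard data amount is refreshed; in the fourth period the 176 Mbit/s peak exceeds the 100 Mbit/s threshold by more than the sixth threshold and step 509 raises the alarm, which the fifth period clears. Note that steps 504-506 act only on unicast whose destination MAC is not the BMC's: unicast addressed to the BMC's own MAC is classified as normal and raises the second standard data amount rather than triggering isolation.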
Since both step 401 and step 501 above require continuously acquiring the received messages according to the acquisition period and then performing statistical analysis on the messages of the current acquisition period, in some embodiments the BMC may perform both step 401 and step 501.
It can be understood that the above flow monitoring is directed at the management network port; the same flow monitoring method may also be adopted for the service network port, so that attack messages can be isolated and, before the service network port traffic reaches the bandwidth threshold of the service network port, the service network port traffic abnormality is reported in advance to the upper-layer BMC management system. It should further be understood that the bandwidth mentioned above measures the data amount of the management network port per unit time; in some embodiments the data amount per unit time may also be measured in packets per second (PPS) or by other criteria, which is not limited herein.
It should be noted that related information (i.e., the same or similar information) and related descriptions in the different embodiments above may be referred to from one another.
It should be understood that in fig. 4 and fig. 5 the BMC is taken as the execution body of the interaction diagrams to illustrate the above process flow, but the present application does not limit the execution body. For example, the BMC in fig. 4 and fig. 5 may be a chip, a system on a chip or a processor that supports the BMC in implementing the method, or a logic module or software that implements all or part of the BMC functionality.
The embodiment of the application also discloses a computer-readable storage medium in which instructions are stored; when the instructions are executed, the method of the above method embodiment is performed.
The embodiment of the application also discloses a computer program product comprising instructions which, when executed, perform the method of the above method embodiment.
It will be apparent that the embodiments described above are only some, but not all, of the embodiments of the application. Reference herein to "an embodiment" means that a particular feature, structure or characteristic described in connection with that embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will understand, explicitly and implicitly, that the embodiments described herein may be combined with other embodiments. All other embodiments that can be obtained by those skilled in the art from the embodiments of the application without inventive effort fall within the scope of the application. The terms "first", "second", "third" and the like in the description, claims and drawings are used to distinguish different objects and not to describe a particular sequential order. Furthermore, the terms "comprising", "including" and "having", and any variations thereof, are intended to cover a non-exclusive inclusion: a process, method, article or apparatus may include the listed steps or elements and may also include steps or elements that are not listed or that are inherent to it. It should be understood that in the condition judgments above the case of equality may be placed on either side of the comparison; for example, a judgment of "greater than" a threshold versus "less than or equal to" it may be changed to "greater than or equal to" versus "less than", which is not limited herein.
It is understood that only some, but not all, of the details relating to the application are shown in the accompanying drawings. It should be appreciated that some example embodiments are described as processes or methods depicted as flowcharts. Although a flowchart depicts operations (or steps) as a sequential process, many of the operations can be performed in parallel, concurrently, or at the same time. Furthermore, the order of the operations may be rearranged. The process may be terminated when its operations are completed, but may have additional steps not included in the figures. The processes may correspond to methods, functions, procedures, subroutines, and the like.
As used in this specification, the terms "component", "module", "system", "unit" and the like are intended to refer to a computer-related entity, either hardware, firmware, a combination of hardware and software, or software in execution. For example, a unit may be, but is not limited to, a process running on a processor, an object, an executable, a thread of execution, a program, and/or something distributed between two or more computers. Furthermore, these units may be implemented from a variety of computer-readable media having various data structures stored thereon. The units may communicate by way of local and/or remote processes, such as in accordance with a signal having one or more data packets (e.g., data from one unit interacting with another unit in a local system, in a distributed system, and/or across a network).
The foregoing embodiments have been provided for the purpose of illustrating the general principles of the present application in further detail, and are not to be construed as limiting the scope of the application, but are merely intended to cover any modifications, equivalents, improvements, etc. based on the teachings of the application.
Claims (8)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211127342.0A CN115580437B (en) | 2022-09-16 | 2022-09-16 | Flow monitoring method and out-of-band controller |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115580437A CN115580437A (en) | 2023-01-06 |
CN115580437B true CN115580437B (en) | 2024-12-17 |
Family
ID=84581106
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116954643B (en) * | 2023-06-02 | 2024-04-05 | 深圳市华芯控股有限公司 | On-demand and multicast firmware upgrading method based on CAN bus ad hoc network system |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103117871A (en) * | 2012-12-31 | 2013-05-22 | 广东东研网络科技股份有限公司 | Message limiting system and message limiting method used in optical line terminal (OLT) network administration channel |
CN103312566A (en) * | 2013-06-28 | 2013-09-18 | 盛科网络(苏州)有限公司 | Message port congestion detection method and device |
Family Cites Families (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1310467C (en) * | 2003-06-24 | 2007-04-11 | 华为技术有限公司 | Port based network access control method |
US8868790B2 (en) * | 2004-02-13 | 2014-10-21 | Oracle International Corporation | Processor-memory module performance acceleration in fabric-backplane enterprise servers |
US8645567B2 (en) * | 2009-01-28 | 2014-02-04 | Broadcom Corporation | Method and system for packet filtering for local host-management controller pass-through communication via network controller |
US9032504B2 (en) * | 2012-12-10 | 2015-05-12 | Dell Products L.P. | System and methods for an alternative to network controller sideband interface (NC-SI) used in out of band management |
CN103368850B (en) * | 2013-07-16 | 2016-12-28 | 杭州华三通信技术有限公司 | The processing method of a kind of purpose unknown unicast message and equipment |
US9379977B2 (en) * | 2014-05-16 | 2016-06-28 | Intel Corporation | Techniques for a switch to receive network controller sideband interface control packets |
US9985820B2 (en) * | 2015-02-22 | 2018-05-29 | Mellanox Technologies, Ltd. | Differentiating among multiple management control instances using addresses |
CN104836746B (en) * | 2015-05-08 | 2018-11-27 | 新华三技术有限公司 | The method and device of PPPoE network message forwarding |
CN108322395A (en) * | 2018-01-31 | 2018-07-24 | 普联技术有限公司 | A kind of message processing method, device and computer storage media, terminal device |
CN109617905B (en) * | 2018-12-29 | 2022-04-08 | 新华三技术有限公司 | Multicast attack processing method, device and implementation device |
CN110661809B (en) * | 2019-09-29 | 2021-07-30 | 新华三信息安全技术有限公司 | Attack defense method and device |
CN114244786B (en) * | 2021-11-30 | 2024-05-10 | 深圳市飞速创新技术股份有限公司 | Security protection method, device, equipment and storage medium |
CN114338234B (en) * | 2022-02-28 | 2023-07-14 | 北京经纬恒润科技股份有限公司 | Method and device for processing message |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||