The development of the Internet has reached a high-speed take-off stage, and the Ethernet metropolitan area network is growing rapidly as well, to meet people's need to access a network anytime and anywhere in everyday life. Large numbers of personal users and enterprises access the Internet through the Ethernet metropolitan area network. To forward packets quickly, an Ethernet metropolitan area network switch needs to learn and maintain a medium access control (MAC, Medium Access Control) address table. Each entry of the MAC address table includes the MAC address of a device connected to the Ethernet switch, the number of the switch port to which the device is connected, and the identity of the virtual local area network (VLAN ID, Virtual Local Area Network Identity) to which the device belongs. The MAC address table enables the Ethernet metropolitan area network switch to find the egress for a forwarded packet accurately, without needing to broadcast.
By making use of the feature that a switch learns MAC addresses actively, an attacker on the network constructs numerous packets with fake MAC address information and sends them to the switch, so that the limited resources of the MAC address table are occupied by the useless fake MAC address information. As a result, the switch cannot learn the MAC address information carried in packets from other, normal network nodes. Either the user of a normal network node is unable to get online, or the switch has to broadcast to find a packet forwarding route, which causes network performance to deteriorate dramatically.
Currently, the main method for preventing this kind of attack is to quicken aging of the MAC address table in the switch. Quickening aging of the MAC address table refers to shortening the aging period of the MAC address table, so that the MAC address information faked by the attacker remains in the MAC address table for as short a time as possible, thereby reducing the duration of the attack on the switch.
However, the foregoing method for preventing attacks cannot distinguish the MAC address information of the attacker from the MAC address information of a normal user node, so quickening aging of the MAC address information faked by the attacker also quickens aging of the MAC address information of normal user nodes. As a result, the probability that the MAC address information of a normal user node is deleted by mistake is also high, and the MAC address table entries of normal user nodes are always in a cycle of “creating-aging-creating”. Creating and aging MAC address table entries consumes processor resources heavily. Therefore, the prior-art method of preventing attacks by quickening aging of the MAC address table increases the processing load of the switch, and a normal user node may be forced offline abnormally, or may even be unable to get online at all, because the MAC address table ages too quickly.
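The trade-off described above can be reproduced with a small model of the MAC address table. The following is an added example, not part of the original text; the table capacity, tick-based timing, host names and address rates are constructed assumptions chosen only to make the effect visible.

```python
def simulate(aging, ticks=600, capacity=100, hosts=20, period=30, fake_rate=10):
    """Toy model of one switch's MAC table (all parameters are constructed).

    Returns (blocked, relearned): frames from legitimate hosts whose source
    could not be learned because the table was full, and legitimate entries
    that had to be created again after being aged out.
    """
    table = {}     # (vlan_id, mac) -> (port, tick of last refresh)
    known = set()  # legitimate MACs that have been learned at least once
    blocked = relearned = fake_id = 0

    def learn(mac, port, now, vlan_id=1):
        key = (vlan_id, mac)
        is_new = key not in table
        if is_new and len(table) >= capacity:
            return None               # table full: address cannot be learned
        table[key] = (port, now)      # create, or refresh the aging timer
        return is_new

    for now in range(ticks):
        # Aging treats every entry alike; it cannot tell fake from real.
        for key in [k for k, (_, seen) in table.items() if now - seen >= aging]:
            del table[key]
        # Legitimate host h sends one frame every `period` ticks, on port 2 + h.
        for h in range(hosts):
            if now % period == h:
                mac = f"host-{h:02d}"
                result = learn(mac, 2 + h, now)
                if result is None:
                    blocked += 1
                else:
                    if result and mac in known:
                        relearned += 1
                    known.add(mac)
        # Port 1 presents `fake_rate` never-before-seen source addresses per tick.
        for _ in range(fake_rate):
            learn(f"fake-{fake_id:06d}", 1, now)
            fake_id += 1
    return blocked, relearned


if __name__ == "__main__":
    for aging in (300, 5):
        print(f"aging={aging:>3} ticks -> (blocked, relearned) = {simulate(aging)}")
```

With a long aging period the fake entries keep the table full and half of the legitimate hosts are never learned; with a very short one nothing is blocked, but every legitimate entry is aged out and re-created on each transmission, which is the “creating-aging-creating” cycle.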