CN109246057B - Message forwarding method, device, forwarding system, storage medium and electronic equipment - Google Patents


Publication number
CN109246057B
Authority
CN
China
Prior art keywords
message
forwarding
cpu
session table
attack
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710558091.4A
Other languages
Chinese (zh)
Other versions
CN109246057A (en)
Inventor
刘健男
党丽娜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Neusoft Corp
Original Assignee
Neusoft Corp

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1458: Denial of Service
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls


Abstract

The present disclosure relates to a message forwarding method, a message forwarding apparatus, a forwarding system, a storage medium, and an electronic device, wherein the method comprises: under the condition that the forwarding system is determined to be attacked, if the received message is of a syn type, determining whether the received message is a potential attack message; and when the message is determined to be a potential attack message, sending the message to an anti-attack CPU in the forwarding system, so that the anti-attack CPU forwards the message. In the technical scheme, under the condition that the forwarding system is determined to be attacked, the potential attack message is sent to the anti-attack CPU for processing, so that when the whole forwarding system is determined to be attacked, the anti-attack CPU can be ensured to process the attack message, the forwarding CPU can also process the normal message, the performance of the forwarding CPU is ensured not to be influenced, and the robustness of the forwarding system is improved.

Description

Message forwarding method, device, forwarding system, storage medium and electronic equipment
Technical Field
The present disclosure relates to the field of network security, and in particular, to a method, an apparatus, a system, a storage medium, and an electronic device for forwarding a packet.
Background
Firewalls from security vendors provide attack defense, which takes effect once the corresponding attack detection is enabled. In other words, attack messages can be discarded only when the firewall's attack defense mode is on. A firewall whose attack defense mode is off must process an overwhelming volume of attack messages when it is attacked, and is likely to be paralyzed by resource exhaustion, which affects normal message forwarding.
The user can manually set whether to turn on the syn attack defense mode of the firewall. If the firewall acts as a forwarding device and comes under a syn flood attack while the syn attack defense mode is off, its resources may be exhausted so that it cannot process normal messages, and its function is paralyzed. A firewall forwarding device basically establishes a session table based on the five-tuple (source ip address, source port number, destination ip address, destination port number, transport protocol) of a message, and forwards messages based on the session table. When a syn flood attack occurs and the syn attack defense mode is off, the firewall processes attack messages and normal messages with the same processing logic, so the session table quickly fills up and new connections cannot be established; as long as the attack messages do not stop, normal messages basically cannot be forwarded normally, and the firewall loses its basic function.
For this scenario, a user can manually turn on the syn attack defense mode of the firewall to deal with the syn flood attack. However, if the user forgets to turn it on, the system runs into the problems above when a syn flood attack occurs. In addition, in many scenarios syn attack messages also need to be forwarded normally. For example, when schools, scientific research institutions, or military parties need to perform experiments based on syn flood attacks, the attack messages may have to be sent out through the firewall forwarding device. In that case, if the firewall turns on the syn attack defense mode, the syn attack messages are discarded and the experiment cannot be carried out; if the firewall does not turn it on, the firewall may be paralyzed and unable to work normally.
Disclosure of Invention
The invention aims to provide a message forwarding method, a message forwarding device, a message forwarding system, a medium and an electronic device, which can forward an attack message and simultaneously do not influence the processing of a normal message when a firewall does not start an attack defense mode.
In order to achieve the above object, the present disclosure provides a packet forwarding method, applied to a forwarding CPU in a forwarding system, the method including: under the condition that the forwarding system is determined to be attacked, if the received message is of a syn type, determining whether the received message is a potential attack message; and when the message is determined to be a potential attack message, sending the message to an anti-attack CPU in the forwarding system, so that the anti-attack CPU forwards the message.
Optionally, the determining whether the received packet is a potential attack packet includes: determining whether a source ip address of the message is in an ip address white list; when the source ip address of the message is not in the ip address white list, determining that the message is a potential attack message; and when the source ip address of the message is in the ip address white list, determining that the message is a normal message.
Optionally, the method further comprises: when the message is determined to be a normal message, sending the message to the logic CPU (central processing unit) corresponding to the forwarding CPU in the forwarding system, so that the logic CPU matches the message against a matching strategy; and, in response to the logic CPU successfully matching the message, creating a common session table for the message in the forwarding CPU and forwarding the message based on the created common session table.
Optionally, the method further comprises: if the received message is of a non-syn type, looking up the common session tables established in the forwarding CPU for the message; when a common session table corresponding to the message is found, forwarding the message based on it; when no common session table corresponding to the message is found, looking up the simple session tables established in the anti-attack CPU for the message, wherein the information contained in a simple session table is a part of the information contained in a common session table; and when a simple session table corresponding to the message is found, forwarding the message in the manner appropriate to its type.
Optionally, forwarding the message in the manner appropriate to its type when a simple session table corresponding to the message is found comprises: if the received message is of a syn-ack type, forwarding the message based on the simple session table that was found; if the received message is of an ack type, sending the message to the logic CPU corresponding to the forwarding CPU in the forwarding system, so that the logic CPU matches the message against a matching strategy; and, in response to the logic CPU successfully matching the message, creating a common session table for the message in the forwarding CPU and forwarding the message based on the created common session table.
Optionally, if the received message is of ack type, the method further comprises: sending a delete instruction to the anti-attack CPU, wherein the delete instruction is used to delete the simple session table corresponding to the message in the anti-attack CPU; and/or adding the source ip address of the message to the ip address white list.
Optionally, the forwarding system is determined to be under attack when one of the following occurs: (1) the ratio of the number of common session tables established by the forwarding CPU to the total number of common session tables that can be created in the forwarding CPU reaches a first preset proportion, and the ratio of the number of common session tables in an abnormal state in the forwarding CPU to the number of common session tables established in the forwarding CPU reaches a second preset proportion; (2) the ratio of the number of common session tables established by the forwarding CPU in the current period to the average of the total number of common session tables in all forwarding CPUs over the same period in history reaches a third preset proportion, and the ratio of the number of common session tables in an abnormal state in the forwarding CPU to the number of common session tables established in the forwarding CPU reaches a fourth preset proportion.
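The two attack conditions above can be evaluated with integer arithmetic only. The following is an added example, not code from the patent; the field names, the reason codes and the sample thresholds (80 %, 50 %, 300 %, 50 %) are assumptions, since the text only speaks of first to fourth "preset proportions".

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added sketch. Field names and the sample thresholds are assumptions; the
 * page only calls them the first to fourth "preset proportion". */
struct fwd_cpu_stats {
    uint32_t creatable;       /* total common sessions this forwarding CPU can create */
    uint32_t established;     /* common sessions currently established */
    uint32_t abnormal;        /* of those, sessions in an abnormal state */
    uint32_t period_created;  /* common sessions established in the current period */
    uint32_t hist_avg;        /* historical average for the same period */
};

struct presets { uint32_t p1, p2, p3, p4; };   /* percentages; p3 may exceed 100 */

enum attack_reason { NOT_ATTACKED, TABLE_PRESSURE, PERIOD_SURGE };

/* True when num/den >= pct/100. Cross-multiplied in 64 bits, so there is no
 * division, no rounding and no overflow. A zero denominator never triggers
 * (assumption: no data means no verdict). */
static bool reaches(uint32_t num, uint32_t den, uint32_t pct) {
    return den != 0 && (uint64_t)num * 100 >= (uint64_t)den * pct;
}

enum attack_reason detect_attack(const struct fwd_cpu_stats *s,
                                 const struct presets *p) {
    /* Condition 1: table nearly full AND a large share of it abnormal. */
    if (reaches(s->established, s->creatable, p->p1) &&
        reaches(s->abnormal, s->established, p->p2))
        return TABLE_PRESSURE;
    /* Condition 2: far more sessions than usual for this period AND a large
     * share of the established sessions abnormal. */
    if (reaches(s->period_created, s->hist_avg, p->p3) &&
        reaches(s->abnormal, s->established, p->p4))
        return PERIOD_SURGE;
    return NOT_ATTACKED;
}

/* Constructed snapshots and thresholds, for illustration only. */
static const struct presets SAMPLE = { 80, 50, 300, 50 };
static const struct fwd_cpu_stats BUSY  = { 1000, 900,  45, 120, 100 };
static const struct fwd_cpu_stats FLOOD = { 1000, 850, 700, 200, 100 };
static const struct fwd_cpu_stats SURGE = { 1000, 400, 300, 400, 100 };

int main(void) {
    printf("busy=%d flood=%d surge=%d\n", detect_attack(&BUSY, &SAMPLE),
           detect_attack(&FLOOD, &SAMPLE), detect_attack(&SURGE, &SAMPLE));
    return 0;
}
```

The `BUSY` snapshot shows why each condition pairs two ratios: a table that is 90 % full with few abnormal sessions is heavy legitimate load, not an attack.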
According to a second aspect of the present disclosure, a packet forwarding method is provided, which is applied to an anti-attack CPU in a forwarding system, and the method includes: under the condition that the forwarding system is determined to be attacked, receiving a syn type message sent by a forwarding CPU in the forwarding system, wherein the syn type message is determined as a potential attack message by the forwarding CPU; creating a simple session table aiming at the message in the anti-attack CPU, wherein the information contained in the simple session table is one part of the information contained in a common session table created by the forwarding CPU; and forwarding the message based on the created simple session table.
Optionally, the method further comprises: receiving a deleting instruction sent by the forwarding CPU, wherein the deleting instruction is used for deleting the simple session table corresponding to the message in the anti-attack CPU; and responding to the deleting instruction, and deleting the simple session table corresponding to the message.
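The first and second aspects above describe one dispatch procedure split across the forwarding CPU and the anti-attack CPU. The following is an added example that models it in a single process; it is not code from the patent. All names, the table sizes, the port-443 matching strategy, and the handling of cases the text leaves open (marked "assumption" in the comments) are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added sketch: names, table sizes and the port-443 policy are assumptions.
 * Both tables keep only the flow key; a real common session holds more. */
enum pkt_type { PKT_SYN, PKT_SYN_ACK, PKT_ACK, PKT_OTHER };
enum verdict  { FWD_COMMON, FWD_ANTI_ATTACK, FWD_SIMPLE, PROMOTED, DROPPED };
struct flow   { uint32_t sip, dip; uint16_t sport, dport; };  /* TCP only */

#define MAX_COMMON 4            /* deliberately tiny so exhaustion is visible */
#define MAX_SIMPLE 64
#define MAX_WHITE  16
#define SERVER 0xC000020Au      /* 192.0.2.10, constructed */
#define CLIENT 0xC6336407u      /* 198.51.100.7, constructed */

struct fw {
    bool under_attack;                             /* output of attack detection */
    struct flow common[MAX_COMMON]; int n_common;  /* forwarding CPU sessions */
    struct flow simple[MAX_SIMPLE]; int n_simple;  /* anti-attack CPU sessions */
    uint32_t white[MAX_WHITE];      int n_white;   /* shared ip address white list */
};

static struct flow mk(uint32_t sip, uint16_t sport, uint32_t dip, uint16_t dport) {
    return (struct flow){ sip, dip, sport, dport };
}

static bool eq(struct flow a, struct flow b) {
    return a.sip == b.sip && a.dip == b.dip && a.sport == b.sport && a.dport == b.dport;
}

/* Index of the session for f, matching either direction of the flow, or -1. */
static int find(const struct flow *t, int n, struct flow f) {
    for (int i = 0; i < n; i++)
        if (eq(t[i], f) || eq(t[i], mk(f.dip, f.dport, f.sip, f.sport)))
            return i;
    return -1;
}

static bool whitelisted(const struct fw *fw, uint32_t ip) {
    for (int i = 0; i < fw->n_white; i++)
        if (fw->white[i] == ip) return true;
    return false;
}

/* Stand-in for the logic CPU's matching strategy (assumption: TCP/443 only),
 * followed by common session creation in the forwarding CPU. */
static enum verdict create_common(struct fw *fw, struct flow f) {
    if (f.dport != 443) return DROPPED;                    /* match failed */
    if (find(fw->common, fw->n_common, f) >= 0) return FWD_COMMON;
    if (fw->n_common == MAX_COMMON) return DROPPED;        /* table exhausted */
    fw->common[fw->n_common++] = f;
    return FWD_COMMON;
}

enum verdict dispatch(struct fw *fw, struct flow f, enum pkt_type type) {
    if (type == PKT_SYN) {
        if (!fw->under_attack || whitelisted(fw, f.sip))
            return create_common(fw, f);                   /* normal message */
        /* Potential attack message: the anti-attack CPU records a simple
         * session and forwards it; the common table is left untouched. */
        if (find(fw->simple, fw->n_simple, f) < 0) {
            if (fw->n_simple == MAX_SIMPLE) return DROPPED;   /* assumption */
            fw->simple[fw->n_simple++] = f;
        }
        return FWD_ANTI_ATTACK;
    }
    if (find(fw->common, fw->n_common, f) >= 0) return FWD_COMMON;
    int i = find(fw->simple, fw->n_simple, f);
    if (i < 0) return DROPPED;              /* assumption: no session, no forward */
    if (type == PKT_SYN_ACK) return FWD_SIMPLE;
    if (type != PKT_ACK) return DROPPED;    /* assumption */
    /* ack: promote to a common session, delete the simple session and
     * whitelist the source (assumption: only after a successful match). */
    if (create_common(fw, f) != FWD_COMMON) return DROPPED;
    fw->simple[i] = fw->simple[--fw->n_simple];
    if (!whitelisted(fw, f.sip) && fw->n_white < MAX_WHITE)
        fw->white[fw->n_white++] = f.sip;
    return PROMOTED;
}

/* Constructed input: n syn messages, each from a different source address.
 * Returns how many were forwarded rather than dropped. */
int flood(struct fw *fw, int n) {
    int forwarded = 0;
    for (int i = 0; i < n; i++)
        if (dispatch(fw, mk(0x0A000001u + (uint32_t)i, 1024, SERVER, 443), PKT_SYN) != DROPPED)
            forwarded++;
    return forwarded;
}

int main(void) {
    struct fw off = {0}, on = {0};
    on.under_attack = true;
    int a = flood(&off, 50), b = flood(&on, 50);
    printf("no offload: %d/50 forwarded, common=%d; offload: %d/50, common=%d simple=%d\n",
           a, off.n_common, b, on.n_common, on.n_simple);
    return 0;
}
```

With `under_attack` cleared, the model reproduces the problem from the Background: the syn burst fills the common table and a later legitimate syn is dropped. With it set, the burst lands only in the simple table, and a client that completes the handshake is promoted and whitelisted.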
According to a third aspect of the present disclosure, there is provided a packet forwarding apparatus applied to a forwarding CPU in a forwarding system, the apparatus including: the first determining module is used for determining whether the received message is a potential attack message or not if the received message is of a syn type under the condition that the forwarding system is determined to be attacked; and the first sending module is used for sending the message to an anti-attack CPU in the forwarding system when the message is determined to be a potential attack message, so that the anti-attack CPU forwards the message.
Optionally, the first determining module includes: a first determining submodule, configured to determine whether a source ip address of the packet is in an ip address white list; a second determining submodule, configured to determine that the packet is a potential attack packet when a source ip address of the packet is not in the ip address white list; and when the source ip address of the message is in the ip address white list, determining that the message is a normal message.
Optionally, the apparatus further comprises: the second sending module is used for sending the message to a logic CPU corresponding to the forwarding CPU in the forwarding system when the message is determined to be a normal message, so that the logic CPU matches the message according to a matching strategy; and the first forwarding module is used for responding to the successful matching of the logic CPU on the message, creating a common session table aiming at the message in the forwarding CPU, and forwarding the message based on the created common session table.
Optionally, the apparatus further comprises: the first query module is used for querying a common session table established in the forwarding CPU according to the message if the received message is of a non-syn type; the second forwarding module is used for forwarding the message based on the inquired common session table when the common session table corresponding to the message is inquired; the second query module is used for querying a simple session table established in the anti-attack CPU according to the message when a common session table corresponding to the message is not queried, wherein the information contained in the simple session table is one part of the information contained in the common session table; and the third forwarding module is used for performing corresponding forwarding processing on the message according to the type of the message when the simple session table corresponding to the message is inquired.
Optionally, the third forwarding module includes: the first forwarding sub-module is used for forwarding the message based on the inquired simple session table if the received message is of a syn-ack type when the simple session table corresponding to the message is inquired; the sending submodule is used for sending the message to a logic CPU (central processing unit) in the forwarding system and corresponding to the forwarding CPU if the received message is of an ack type when the simple session table corresponding to the message is inquired, so that the logic CPU matches the message according to a matching strategy; and the second forwarding submodule is used for responding to the successful matching of the logic CPU on the message, creating a common session table aiming at the message in the forwarding CPU, and forwarding the message based on the created common session table.
Optionally, the apparatus further comprises: the instruction sending module is used for sending a deleting instruction to the anti-attack CPU if the received message is of an ack type when the simple session table corresponding to the message is inquired, wherein the deleting instruction is used for deleting the simple session table corresponding to the message in the anti-attack CPU; and/or the updating module is used for adding the source ip address of the message to an ip address white list if the received message is of an ack type when the simple session table corresponding to the message is inquired.
Optionally, the forwarding system is determined to be under attack when one of the following occurs: (1) the ratio of the number of common session tables established by the forwarding CPU to the total number of common session tables that can be created in the forwarding CPU reaches a first preset proportion, and the ratio of the number of common session tables in an abnormal state in the forwarding CPU to the number of common session tables established in the forwarding CPU reaches a second preset proportion; (2) the ratio of the number of common session tables established by the forwarding CPU in the current period to the average of the total number of common session tables in all forwarding CPUs over the same period in history reaches a third preset proportion, and the ratio of the number of common session tables in an abnormal state in the forwarding CPU to the number of common session tables established in the forwarding CPU reaches a fourth preset proportion.
According to a fourth aspect of the present disclosure, there is provided a packet forwarding apparatus, applied to an anti-attack CPU in a forwarding system, the apparatus including: a first receiving module, configured to receive a syn-type message sent by a forwarding CPU in a forwarding system under a condition that the forwarding system is determined to be attacked, where the syn-type message is determined by the forwarding CPU to be a potential attack message; a simple session table creating module, configured to create a simple session table for the packet in the attack prevention CPU, where information included in the simple session table is a part of information included in a common session table created by the forwarding CPU; and the fourth forwarding module is used for forwarding the message based on the created simple session table.
Optionally, the apparatus further comprises: a second receiving module, configured to receive a deletion instruction sent by the forwarding CPU, where the deletion instruction is used to delete the simple session table corresponding to the packet in the attack-prevention CPU; and the deleting module is used for responding to the deleting instruction and deleting the simple session table corresponding to the message.
According to a fifth aspect of the present disclosure, there is provided a forwarding system, the system comprising: a network card; a forwarding CPU, which is communicated with the network card, wherein the forwarding CPU comprises the message forwarding device of the third aspect; an anti-attack CPU, which is communicated with the network card and the forwarding CPU, wherein the anti-attack CPU comprises the message forwarding device of the fourth aspect; and the logic CPUs are in one-to-one correspondence with the forwarding CPUs, each logic CPU is used for receiving the message sent by the corresponding forwarding CPU, matching the message according to a matching strategy, and sending a matching success message to the corresponding forwarding CPU when the matching is successful so that the corresponding forwarding CPU responds to the matching success message to create a common session table aiming at the message.
Optionally, each of the logic CPUs is further configured to discard the packet when the matching fails.
Optionally, there are a plurality of forwarding CPUs and a plurality of logic CPUs; the network card is used for sending a received syn type message to a first forwarding CPU in the forwarding system under the condition that the forwarding system is determined to be attacked, wherein the first forwarding CPU is any forwarding CPU in the plurality of forwarding CPUs, and the first forwarding CPU is fixed during the attack; and for sending a received message of the non-syn type to any forwarding CPU other than the first forwarding CPU in the forwarding system.
According to a sixth aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method of the first aspect of the present disclosure.
According to a seventh aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method of the second aspect of the present disclosure.
According to an eighth aspect of the present disclosure, there is provided an electronic apparatus comprising: a computer-readable storage medium according to a sixth aspect of the present disclosure; and one or more processors for executing the program in the computer-readable storage medium.
According to a ninth aspect of the present disclosure, there is provided an electronic apparatus comprising: the computer-readable storage medium of the seventh aspect of the present disclosure; and one or more processors for executing the program in the computer-readable storage medium.
In this technical scheme, when the forwarding system is determined to be under attack, potential attack messages are sent to the anti-attack CPU for processing. The anti-attack CPU can therefore forward the potential attack messages, that is, syn attack messages can be forwarded, rather than being directly discarded as happens in the prior art when a firewall turns on the syn attack defense mode. Meanwhile, because potential attack messages are handed to the anti-attack CPU, the forwarding CPU does not process syn attack messages, so it can process normal messages without being affected by them and its performance is preserved. With this technical scheme both normal messages and syn attack messages can be forwarded, and forwarding syn attack messages does not disturb the processing of normal messages, which would otherwise degrade or even paralyze the forwarding system; the robustness of the forwarding system is thereby effectively improved.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure without limiting the disclosure. In the drawings:
Fig. 1 is a schematic diagram of a forwarding system provided in accordance with one embodiment of the present disclosure;
Fig. 2 is a flowchart of a message forwarding method according to an embodiment of the present disclosure;
Fig. 3 is a flow diagram of an example implementation of determining whether a received message is a potential attack message;
Fig. 4 is a flowchart of a message forwarding method according to another embodiment of the present disclosure;
Fig. 5 is a flowchart of a message forwarding method according to another embodiment of the present disclosure;
Fig. 6A is a flowchart of a message forwarding method according to another embodiment of the present disclosure;
Fig. 6B is a flow diagram of an example implementation of the corresponding forwarding processing of a message according to its type when a simple session table corresponding to the message is found;
Fig. 7A is a flowchart of a message forwarding method according to another embodiment of the present disclosure;
Fig. 7B is a schematic diagram illustrating the correspondence between a network card, a forwarding CPU, a logic CPU, and an anti-attack CPU in the forwarding system according to an embodiment of the present disclosure;
Fig. 8 is a flowchart of a message forwarding method according to another embodiment of the present disclosure;
Fig. 9 is a block diagram of a message forwarding device provided according to an embodiment of the present disclosure;
Fig. 10 is a block diagram of a first determination module in a message forwarding device provided according to an embodiment of the present disclosure;
Fig. 11 is a block diagram of a message forwarding device provided in accordance with another embodiment of the present disclosure;
Fig. 12 is a block diagram of a message forwarding device provided in accordance with another embodiment of the present disclosure;
Fig. 13 is a block diagram of a message forwarding device provided in accordance with another embodiment of the present disclosure;
Fig. 14 is a block diagram of a message forwarding device provided in accordance with another embodiment of the present disclosure;
Fig. 15 is a block diagram of a message forwarding device provided in accordance with another embodiment of the present disclosure;
Fig. 16 is a block diagram illustrating an electronic device in accordance with an exemplary embodiment;
Fig. 17 is a block diagram illustrating an electronic device in accordance with an example embodiment.
Detailed Description
The following detailed description of specific embodiments of the present disclosure is provided in connection with the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present disclosure, are given by way of illustration and explanation only, not limitation.
In the TCP/IP protocol suite, the TCP protocol provides a reliable connection service, that is, a three-way handshake is used to establish the connection tracked by a session table:
First handshake: when the connection is being established, the client sends a syn type message (syn = j) to the server; the state of the session table is now syn_send, and the client waits for the server to confirm.
Second handshake: the server receives the syn type message and must acknowledge the client's syn (ack = j + 1); at the same time the server sends its own syn type message (syn = k), that is, a syn-ack type message; the state of the session table is now syn_recv.
Third handshake: the client receives the server's syn-ack type message and sends an ack type confirmation message (ack = k + 1) to the server; the state of the session table is now established (connection establishment complete), the three-way handshake is finished, and the connection between the client and the server is successfully established. Here j and k are natural numbers.
A syn flood attack targets this three-way handshake: the client continuously sends syn type messages without responding to the syn-ack type messages from the server, so the created session tables stay in the syn_recv state and their number grows rapidly; eventually the server's session table wait queue reaches its maximum size, and no new session table can be created to accept new connections.
The firewall is an intermediate forwarding device. If its syn attack defense mode is not turned on and it suffers a syn flood attack, it is affected in two main ways: on one hand, resources are consumed, because the session tables established for attack messages take up the quota of normal session tables, and when resources are exhausted the firewall is paralyzed and cannot process other normal messages; on the other hand, the CPU is excessively occupied, and because there are so many attack messages, normal messages cannot be processed normally. Therefore, when the firewall is under a syn flood attack, its forwarding function breaks down because too many session tables in the half-open (semi-connected) state need to be maintained. When the firewall turns on the syn attack defense mode, the syn attack messages that need to be forwarded are discarded, which makes it difficult to meet user requirements.
To solve the above problem, that is, to ensure that forwarding syn attack messages does not affect the forwarding system's processing of normal messages when the firewall has not turned on the syn attack defense mode, the present disclosure provides a forwarding system. Fig. 1 is a schematic diagram of a forwarding system according to an embodiment of the present disclosure. As shown in Fig. 1, the system includes:
network cards, such as network card 1-network card 2 in fig. 1;
the forwarding CPUs, such as CPU0 to CPU3 in fig. 1, communicate with the network card, and are configured to receive and forward a message from the network card, and use a DPDK (Data Plane Development Kit) Development platform to quickly process the message, and operate in a user mode.
The anti-attack CPU, such as the CPUs in fig. 1, is responsible for processing potential attack messages, communicates with the network card and the forwarding CPU, and is configured to receive a message from the forwarding CPU, forward the message through the network card, and operate in a user mode.
The logic CPUs, such as CPUs 4 to 7 in fig. 1, are in one-to-one correspondence with the forwarding CPUs, and are responsible for matching the received messages according to the matching policy thereof, and operate in a kernel state.
For example, the forwarding system provided by the present disclosure may be a heterogeneous platform based forwarding system. In the forwarding system, the CPU is assigned with roles, and different role CPUs have specific functions, namely, one type of CPU only executes the corresponding function, but does not need to execute the functions of other types of CPUs.
Fig. 2 is a flowchart of a message forwarding method according to an embodiment of the present disclosure, where the method may be applied to a forwarding CPU in the forwarding system shown in fig. 1, and as shown in fig. 2, the method includes:
in S21, if it is determined that the forwarding system is attacked, if the received message is of syn type, it is determined whether the received message is a potential attack message.
Fig. 3 shows an example implementation manner of determining whether a received packet is a potential attack packet, and as shown in fig. 3, the implementation manner includes:
in S31, it is determined whether the source ip address of the packet is in the ip address white list, and if the source ip address of the packet is not in the ip address white list, the process proceeds to S32.
The ip address white list is a shared resource and can be read and written by any forwarding CPU. The ip address in the ip address white list is the ip address of which the connection is successfully established.
In S32, the message is determined to be a potential attack message.
When the source ip address of the message is not in the ip address white list, no connection has previously been established from that source ip address. At this point it cannot be determined whether the source ip address is safe, so a message from that ip address can be determined to be a potential attack message. In this technical scheme the ip address white list is continuously updated, and a message from an ip address that has not yet established a connection is treated as a potential attack message. Potential attack messages can therefore be determined quickly, which effectively avoids the risk that the forwarding system forwards attack messages as normal messages and suffers degraded performance or even paralysis.
In S22, when it is determined that the packet is a potential attack packet, the packet is sent to an attack prevention CPU in a forwarding system, so that the attack prevention CPU forwards the packet.
In the logic CPUs in the forwarding system disclosed by the present disclosure, any logic CPU is selected as an anti-attack CPU to specially process a potential attack packet.
In this technical scheme, when the forwarding system is determined to be attacked, potential attack messages are sent to the anti-attack CPU for processing. Potential attack messages can therefore still be forwarded by the anti-attack CPU, that is, syn attack messages are forwarded normally and are not directly discarded, as happens in the prior art when a firewall starts a syn attack defense mode, which affects the forwarding of syn messages. Meanwhile, because potential attack messages are sent to the anti-attack CPU, syn attack messages are not processed by the forwarding CPU, so the forwarding CPU can process normal messages without being affected by syn attack messages and its performance is not affected. With this scheme both normal messages and syn attack messages can be forwarded, and forwarding syn attack messages does not interfere with the processing of normal messages in a way that degrades or even paralyzes the forwarding system, so the robustness of the forwarding system is effectively improved.
Fig. 4 is a flowchart of a message forwarding method according to another embodiment of the present disclosure, where the method may be applied to an anti-attack CPU in the forwarding system shown in fig. 1, and as shown in fig. 4, the method includes:
in S41, in a case where it is determined that the forwarding system is attacked, a syn-type message sent by a forwarding CPU in the forwarding system is received. Wherein the received syn type message is determined as a potential attack message by the forwarding CPU.
In S42, a simplified session table for the packet is created in the attack prevention CPU, where information included in the simplified session table is a part of information included in the normal session table created by the forwarding CPU.
In the present disclosure, there are two types of session table. One is the normal session table, which is the same as the session table established in the prior art and contains all information required for forwarding the packet; for example, it may include a five-tuple, a complete state machine, various packet capturing policies, application types, and so on. The other is the simple session table, which contains only part of the information contained in a normal session table; for example, it may be a session table that contains only the five-tuple and a simple state machine. The simple session table is used to judge whether a connection can be successfully established between the source ip address and the destination ip address in the five-tuple, that is, whether the potential attack message is a real attack message. The simple state machine contained in the simple session table therefore only needs to contain the state transitions of the connection establishment process, whereas the complete state machine in the normal session table also contains the state transitions of the disconnection process. As a result, the size of the simple session table is only about one tenth of that of the normal session table, and simple session tables do not count against the number of normal session tables of each forwarding CPU. The number of simple session tables that the attack-prevention CPU can create (i.e., the upper limit of the number of simple session tables) is set based on License.
In S43, the packet is forwarded based on the created simple session table.
In the technical scheme, when the forwarding CPU determines the potential attack message, the potential attack message is sent to the anti-attack CPU for processing. When the anti-attack CPU processes the potential attack message, the forwarding CPU can process the normal message, and the potential attack message in the anti-attack CPU can not influence the performance of the forwarding CPU, so that the overall concurrent performance of the forwarding system is improved, and the robustness of the system is effectively improved. Meanwhile, the number of the simple session tables which can be established in the anti-attack CPU is limited, so that the problem of resource exhaustion possibly caused by syn flood attack can be effectively avoided, and the stability of the forwarding system is further improved.
Optionally, as shown in fig. 3, when the method is applied to the forwarding CPU in the forwarding system shown in fig. 1, the method may further include:
in S31, when the source ip address of the packet is in the ip address white list, go to S33.
In S33, the message is determined to be a normal message.
When the source ip address of the message is in the ip address white list, a connection has previously been successfully established from that source ip address, so the possibility that it is the source ip address of a syn attack message can be excluded, and the message from that ip address can be determined to be a normal message.
In S34, the packet is sent to a logic CPU corresponding to the forwarding CPU in the forwarding system, so that the logic CPU matches the packet according to the matching policy.
In the forwarding system, each logic CPU is configured to receive a packet sent by a corresponding forwarding CPU, match the packet according to a matching policy, and send a matching success message to the corresponding forwarding CPU when matching is successful, so that the corresponding forwarding CPU creates a common session table for the packet in response to the matching success message.
Fig. 5 is a flowchart of a message forwarding method according to an embodiment of the present disclosure, where the method may be applied to a logic CPU in the forwarding system shown in fig. 1. As shown in fig. 5, the method includes:
in S51, the message sent by the forwarding CPU corresponding to the logical CPU in the forwarding system is received.
In S52, the messages are matched according to the matching policy.
At S53, it is judged whether or not the matching is successful, and when the matching is judged to be successful, the process proceeds to S54.
In S54, a matching success message is sent to the forwarding CPU so that the forwarding CPU creates a normal session table for the packet in response to the matching success message.
In the present disclosure, the normal session table is a per-core resource, i.e., each forwarding CPU has a fixed number of normal session table resources, which is set based on License. Because the common session table is a resource of each core, the problem of resource competition can not occur when each forwarding CPU creates the common session table, so that the processing flow of the forwarding CPU can be free from locking, and the performance of the forwarding system under the multi-core can be ensured to be linearly increased.
The logic CPU includes a matching policy that can preliminarily determine whether the packet received from the forwarding CPU is legitimate, that is, whether a common session table can be created according to the packet. When the logic CPU receives the message from the forwarding CPU, whether a session table can be established according to the message is judged according to the matching strategy, and when the matching strategy is successfully matched, a matching success message is sent to the corresponding forwarding CPU, so that the forwarding CPU responds to the matching success message to establish a common session table aiming at the message.
In the technical scheme, the forwarding CPU sends the message determined to be normal to the logic CPU for matching. And the logic CPU matches the received message and sends a matching success message to the forwarding CPU when the matching is successful. Therefore, when the logic CPU performs the strategy matching of the message, the forwarding of the message by the forwarding CPU is not influenced, and the concurrence performance of the forwarding system is effectively improved.
Optionally, each logical CPU is further configured to discard the packet when matching of the packet fails. When the logic CPU fails to match the received message according to the matching strategy, the message is represented as illegal, and at the moment, the message can be directly discarded without the need of the forwarding CPU to establish a common session table aiming at the message, so that the waste of common session table resources is effectively avoided, and the processing efficiency of a forwarding system is improved.
When message interaction is carried out between the forwarding CPU and the logic CPU, an inter-core queue is established between the forwarding CPU and the logic CPU. For example, in the present disclosure, the numbers of the forwarding CPUs and the logic CPUs may be equal, and the forwarding CPUs and the logic CPUs are in a one-to-one correspondence relationship, so that the number of queues between cores is ensured to be minimum, and the problem of resource contention is not involved when the multi-core forwarding CPU and the logic CPU perform message interaction (locking is not required when the forwarding CPU and the logic CPU perform message interaction), thereby avoiding the influence on the performance of the forwarding system when the multi-core contention for the same resource occurs.
Turning back to fig. 3, in S35, in response to the logical CPU successfully matching the packet, a normal session table for the packet is created in the forwarding CPU, and the packet is forwarded based on the created normal session table.
When the logic CPU successfully matches the received message, it sends a matching success message to the forwarding CPU. After receiving the matching success message, the forwarding CPU creates a normal session table for the message and forwards the message based on that normal session table.
In the above technical solution, since the ip address in the ip address white list is the source ip address for which the connection has been successfully established before, when it is determined that the forwarding system is attacked, for a syn-type packet with the source ip address in the ip address white list, it may be determined that the packet is a normal packet, and the packet is sent to the logic CPU for policy matching. And when the logic CPU is successfully matched, sending a matching success message to the forwarding CPU, then creating a common session table aiming at the message by the forwarding CPU, and forwarding the message based on the common session table. Through the technical scheme, the message of the syn type determined to be normal can be directly processed by the forwarding CPU without being sent to the anti-attack CPU, and the workload of the anti-attack CPU can be effectively reduced on the premise of ensuring that the forwarding CPU is not influenced by the syn attack message. Meanwhile, the forwarding CPU sends the normal message to the logic CPU for matching, so that the forwarding of the message by the forwarding CPU is not influenced when the logic CPU performs strategy matching of the message, that is, the forwarding efficiency of the forwarding system is improved, and the concurrent processing efficiency of the system is effectively improved, thereby improving the overall performance of the forwarding system.
Optionally, as shown in fig. 6A, when the method is applied to the forwarding CPU in the forwarding system shown in fig. 1, the method may further include:
in S61, if the received message is of non-syn type, the ordinary session table established in the forwarding CPU is queried according to the message.
In S62, it is determined whether the normal session table corresponding to the packet is found, and if the normal session table corresponding to the packet is found, the process proceeds to S63, otherwise, the process proceeds to S64.
In S63, the message is forwarded based on the queried normal session table.
In S64, the simplified session table established in the attack-prevention CPU is queried according to the message, where the information included in the simplified session table is a part of the information included in the normal session table.
In S65, when the simplified session table corresponding to the packet is found, the packet is forwarded according to the type of the packet.
Fig. 6B shows an example implementation of S65, in which the packet is forwarded according to its type when the simple session table corresponding to the packet is found. As shown in fig. 6B, the step may include:
in S66, when the simple session table corresponding to the message is found, the type of the received message is judged; when the message type is syn-ack, the process proceeds to S67, and when the message type is ack, the process proceeds to S68;
in S67, the message is forwarded based on the queried simple session table.
In S68, the packet is sent to a logic CPU corresponding to the forwarding CPU in the forwarding system, so that the logic CPU matches the packet according to the matching policy.
In S69, in response to the logical CPU successfully matching the packet, a normal session table for the packet is created in the forwarding CPU, and the packet is forwarded based on the created normal session table.
As described above, after a session table is created for a syn-type message, a normal message is followed by a corresponding syn-ack type message and an ack type acknowledgment message, and by the other messages of the communication carried on that session table; an attack message may be followed by a corresponding syn-ack type message. When the message received by the forwarding CPU is of non-syn type, this indicates that a session table (a normal session table or a simple session table) corresponding to the received message has already been created.
Illustratively, the message received by the forwarding CPU is a subsequent message corresponding to the normal message, and when receiving the message, the ordinary session table is first queried. Because the session table created for the normal packet is the common session table, the common session table can be queried according to the packet, and then the packet is forwarded based on the queried common session table.
The anti-attack CPU has write permission on the simple session table, while any forwarding CPU has read permission on it. Illustratively, the message received by the forwarding CPU is a subsequent message corresponding to a potential attack message. When the message is received, the normal session table is queried first. Because the session table created for the potential attack message is a simple session table, no normal session table is found for the message. The simple session table is then queried according to the message, and the corresponding simple session table is found. The type of the message is then judged: if it is of syn-ack type, the message is forwarded based on the queried simple session table; if it is of ack type, this indicates that the connection corresponding to the message can be successfully established, so the message is sent to the logic CPU for policy matching and the subsequent steps are executed.
Optionally, when the simple session table corresponding to the packet is queried, if the received packet is of an ack type, the method may further include: sending a deleting instruction to the anti-attack CPU, wherein the deleting instruction is used for deleting the simple session table corresponding to the message in the anti-attack CPU; and/or adding the source ip address of the message to an ip address white list. Correspondingly, the anti-attack CPU receives a deleting instruction sent by the forwarding CPU, wherein the deleting instruction is used for deleting the simple session table corresponding to the message in the anti-attack CPU; and responding to the deleting instruction, and deleting the simple session table corresponding to the message.
The simple session table created for a potential attack message can end its life cycle in two ways. In the first, an ack type message is received, confirming that the connection is successfully established (i.e., not a syn flood attack), and the simple session table is then deleted; this indicates that the potential attack message was not a real attack message. In the second, the simple session table is deleted after its connection waiting time expires (syn flood attack); this indicates that the potential attack message was a real attack message.
The anti-attack CPU has two receiving queues. One is the syn type message receiving queue, called the syn queue for short, which is used for receiving syn type messages from the forwarding CPU. The other is a queue for receiving deletion instructions sent by the forwarding CPU, called the ack queue for short. The priority of the ack queue is higher than that of the syn queue, that is, the attack-prevention CPU preferentially receives the deletion instructions sent by the forwarding CPU.
When the simple session table corresponding to the message is found and the received message is of ack type, the connection corresponding to the ack type message can be successfully established, and the forwarding CPU sends a deletion instruction to the anti-attack CPU. The anti-attack CPU receives the deletion instruction and deletes the simple session table corresponding to the message. Alternatively or additionally, since the connection corresponding to the ack type message can be successfully established, messages from the source ip address of the ack type message are not syn attack messages, so that ip address may be added to the ip address white list to update the white list.
Through the technical scheme, only the potential attack message needs to be sent to the anti-attack CPU for processing, and the subsequent message corresponding to the potential attack message is processed in the forwarding CPU, so that the load of the anti-attack CPU can be effectively reduced, and the overall concurrency performance of the forwarding system can be effectively improved. Meanwhile, the potential attack message can be quickly and simply judged by adding the successfully-established ip address into the ip address white list, and the efficiency of the forwarding system is further improved.
In summary, when it is determined that the forwarding system is attacked, the forwarding CPU receives a syn-type packet, determines whether the packet is a potential attack packet, and sends the packet to the attack-prevention CPU for processing when it is. When the anti-attack CPU receives the message, it creates a simple session table for the message and forwards the message based on the simple session table. When the forwarding CPU later receives the ack type message corresponding to that message and finds the simple session table, this indicates that the connection can be successfully established, i.e. the syn type message was not an attack message. The forwarding CPU sends the ack type message to the logic CPU, the logic CPU matches the ack type message according to the matching strategy and sends a matching success message to the forwarding CPU when the matching succeeds, and the forwarding CPU then creates a normal session table for the message and forwards subsequent messages based on that normal session table.
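The flow summarized above (Fig. 3, Fig. 6A/6B and Fig. 8, plus the two ways a simple session table ends its life), as an added C sketch that is not code from the patent. All identifiers, the table sizes, the tick-based timeout and the refusal to create a table at the limit are assumptions; `conn_id` stands in for the five-tuple, and direct function calls stand in for the inter-core queues.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed limits; the description sets the real ones from the License. */
#define SIMPLE_MAX  4   /* upper limit of simple session tables */
#define TABLE_MAX   16  /* normal session tables, whitelist entries */
#define SYN_TIMEOUT 3   /* assumed connection-wait timeout, in ticks */
enum tcp_type { T_SYN, T_SYN_ACK, T_ACK, T_OTHER };
enum action { ACT_TO_ANTI_ATTACK, ACT_TO_LOGIC_CPU, ACT_FWD_NORMAL,
              ACT_FWD_SIMPLE, ACT_NO_SESSION /* outcome not given on the page */ };
/* conn_id stands in for the direction-independent five-tuple. */
struct pkt { uint32_t src_ip; uint32_t conn_id; enum tcp_type type; };
struct simple_sess { bool used; uint32_t conn_id; uint32_t created; };

static struct simple_sess simple_tbl[SIMPLE_MAX];
static uint32_t normal_tbl[TABLE_MAX], whitelist[TABLE_MAX];
static int normal_n, whitelist_n;

static bool contains(const uint32_t *a, int n, uint32_t v)
{
    for (int i = 0; i < n; i++)
        if (a[i] == v) return true;
    return false;
}
bool in_whitelist(uint32_t ip) { return contains(whitelist, whitelist_n, ip); }
bool normal_find(uint32_t id)  { return contains(normal_tbl, normal_n, id); }

/* Forwarding CPU: logic CPU reported a successful policy match (S35/S69). */
void normal_create(uint32_t id)
{
    if (!normal_find(id) && normal_n < TABLE_MAX) normal_tbl[normal_n++] = id;
}

static struct simple_sess *simple_find(uint32_t id)
{
    for (int i = 0; i < SIMPLE_MAX; i++)
        if (simple_tbl[i].used && simple_tbl[i].conn_id == id) return &simple_tbl[i];
    return NULL;
}

/* Anti-attack CPU, S42: create a simple session table, bounded by SIMPLE_MAX. */
bool anti_attack_on_syn(uint32_t id, uint32_t now)
{
    if (simple_find(id)) return true;
    for (int i = 0; i < SIMPLE_MAX; i++)
        if (!simple_tbl[i].used) {
            simple_tbl[i] = (struct simple_sess){ true, id, now };
            return true;
        }
    return false; /* at the limit nothing is created (assumed behaviour) */
}

/* Anti-attack CPU: delete instruction taken from the ack queue. */
void anti_attack_on_delete(uint32_t id)
{
    struct simple_sess *s = simple_find(id);
    if (s) s->used = false;
}

/* Anti-attack CPU: remove tables whose connection wait timed out. */
int anti_attack_expire(uint32_t now)
{
    int removed = 0;
    for (int i = 0; i < SIMPLE_MAX; i++)
        if (simple_tbl[i].used && now - simple_tbl[i].created >= SYN_TIMEOUT) {
            simple_tbl[i].used = false;
            removed++;
        }
    return removed;
}

/* Forwarding CPU: decide what to do with one received message. */
enum action fwd_cpu_handle(const struct pkt *p, bool under_attack, uint32_t now)
{
    if (!under_attack)                                   /* Fig. 8 */
        return normal_find(p->conn_id) ? ACT_FWD_NORMAL : ACT_TO_LOGIC_CPU;
    if (p->type == T_SYN) {                              /* Fig. 3 */
        if (in_whitelist(p->src_ip)) return ACT_TO_LOGIC_CPU;
        anti_attack_on_syn(p->conn_id, now);             /* stands in for the syn queue */
        return ACT_TO_ANTI_ATTACK;
    }
    if (normal_find(p->conn_id)) return ACT_FWD_NORMAL;  /* S61-S63 */
    if (!simple_find(p->conn_id) || p->type == T_OTHER) return ACT_NO_SESSION;
    if (p->type == T_SYN_ACK) return ACT_FWD_SIMPLE;     /* S67 */
    anti_attack_on_delete(p->conn_id);                   /* ack: delete instruction */
    if (!in_whitelist(p->src_ip) && whitelist_n < TABLE_MAX)
        whitelist[whitelist_n++] = p->src_ip;
    return ACT_TO_LOGIC_CPU;                             /* S68 */
}

int main(void)
{
    struct pkt syn = { 0x0a000001, 1, T_SYN }, ack = { 0x0a000001, 1, T_ACK };
    int a = fwd_cpu_handle(&syn, true, 0), b = fwd_cpu_handle(&ack, true, 1);
    printf("syn -> %d, ack -> %d\n", a, b);
    return 0;
}
```

A source that completes the handshake is whitelisted and moves to a normal session table, while spoofed SYNs can hold at most `SIMPLE_MAX` simple session tables until the timeout reclaims them.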
Fig. 7A is a flowchart of a message forwarding method according to another embodiment of the present disclosure, where the method may be applied to a network card in the forwarding system. As shown in fig. 7A, the method includes:
in S71, under the condition that the forwarding system is determined to be attacked, the type of the received message is judged, and when the type of the received message is syn type, the step is switched to S72, and when the type of the received message is non-syn type, the step is switched to S73;
in S72, sending the packet to a first forwarding CPU in the forwarding system, where the first forwarding CPU is any forwarding CPU in the forwarding system, and the first forwarding CPU is fixed during the current attack period;
in S73, the message is sent to any other forwarding CPU in the forwarding system except the first forwarding CPU.
When the forwarding system is determined to be attacked, a hardware filtering mode can be started at the same time: by adding filter information for all syn type messages to the hardware filter of the network card, the network card receives the syn type messages into the same queue. Because the queues between the network card and the forwarding CPUs correspond one-to-one with the forwarding CPUs, this is equivalent to all syn type messages being received by the same forwarding CPU. As shown in fig. 7B, when it is determined that the forwarding system is attacked, each network card may be configured to filter received syn-type messages into queue 0, that is, all potential attack messages are received by CPU0 at this time. For non-syn type messages, a receiving queue may be chosen at random (from queue 1, queue 2 and queue 3), that is, a non-syn type message may be sent to any forwarding CPU in the forwarding system other than the first forwarding CPU, such as CPU1 to CPU3.
Illustratively, when CPU0 receives a syn-type message, CPU0 needs to interact with the attack-prevention CPU by sending it the messages whose source ip address is not in the ip address white list. Because syn type messages are received by only one CPU (i.e., CPU0), the messages received by the syn queue of the attack-prevention CPU also come only from CPU0. There is thus a one-to-one correspondence between CPU0 and the attack-prevention CPU, and the queue is a one-to-one queue without any lock conflict or resource contention. Since only CPU0 sends messages to the syn queue of the anti-attack CPU, the performance of the forwarding system can grow linearly with the number of cores, normal message processing is not affected, attack messages can be defended against, and the stability of the forwarding system is improved.
A sending queue is arranged between the anti-attack CPU and the network card, so that the anti-attack CPU can forward messages directly based on the simple session table. There is, however, no direct receiving queue between the anti-attack CPU and the network card. The forwarding CPU is responsible for receiving messages from the network card, and when the forwarding system is determined to be attacked, the forwarding CPU identifies potential attack messages and sends them to the anti-attack CPU for processing; when there is no syn flood attack, the anti-attack CPU basically does no work and the overall performance of the forwarding system is not affected. The anti-attack CPU therefore has no influence on the forwarding system when there is no attack, and can defend against the attack when there is one.
Optionally, as shown in fig. 8, when the method is applied to the forwarding CPU in the forwarding system shown in fig. 1, the method may further include:
in S81, in the case where it is not determined that the forwarding system is attacked, the ordinary session table established in the forwarding CPU is queried based on the received message.
In S82, it is determined whether or not the normal session table corresponding to the packet is found, and if the normal session table corresponding to the packet is found, the process proceeds to S83, and if the normal session table corresponding to the packet is not found, the process proceeds to S84.
In S83, the message is forwarded based on the queried normal session table.
In S84, the packet is sent to a logic CPU corresponding to the forwarding CPU in the forwarding system, so that the logic CPU matches the packet according to the matching policy.
Illustratively, the forwarding CPU and the logical CPU may be in a one-to-one correspondence.
In S85, in response to the logical CPU successfully matching the packet, a normal session table for the packet is created in the forwarding CPU, and the packet is forwarded based on the created normal session table.
In the above technical solution, when it is not determined that the forwarding system is attacked, the forwarding CPU queries the normal session table according to the message when receiving the message, and when querying the normal session table corresponding to the message, forwards the message based on the queried normal session table. And when the common session table corresponding to the message is not inquired, the message is sent to a logic CPU for matching, and when the matching is successful, a forwarding CPU creates the common session table aiming at the message and forwards the message based on the created common session table. Through the technical scheme, the anti-attack CPU only needs to work when the forwarding system is determined to be attacked, and does not work when the forwarding system is not determined to be attacked, so that the overall performance of the forwarding system is not affected when the forwarding system is not determined to be attacked, and meanwhile, when a common session table corresponding to the message is not inquired, the message is sent to the logic CPU for matching, so that the concurrency performance of the forwarding system can be linearly increased.
Optionally, the forwarding system is determined to be under attack when one of the following occurs:
(I) the proportion of the number of normal session tables established by the forwarding CPU to the total number of normal session tables that can be created in the forwarding CPU (namely, the upper limit of the number of normal session tables) reaches a first preset proportion, and the proportion of the number of normal session tables in an abnormal state in the forwarding CPU to the number of normal session tables established in the forwarding CPU reaches a second preset proportion.
A normal session table in the abnormal state is a normal session table in the syn_recv state, which means that it is half-open and waiting for an ack type acknowledgement message. The total number of normal session tables that can be created in the forwarding CPU is set based on License. For example, the first preset proportion may be 80%, and the second preset proportion may be 1/3. Each time the forwarding CPU creates a normal session table, it counts the number of normal session tables it has currently established. If that number reaches 80% of the total number of normal session tables the forwarding CPU can create, the proportion of normal session tables in the abnormal state among the currently established normal session tables is then determined. If the number of normal session tables in the abnormal state reaches 1/3 of the number of currently established normal session tables, it is determined that the forwarding system is attacked.
(II) the proportion of the number of normal session tables established by the forwarding CPU in the current period to the historical average, over the same period, of the total number of normal session tables in all forwarding CPUs reaches a third preset proportion, and the proportion of the number of normal session tables in an abnormal state in the forwarding CPU to the number of normal session tables established in the forwarding CPU reaches a fourth preset proportion.
Illustratively, the third preset ratio may be 5, and the fourth preset ratio may be 1/3.
The average value of the total number of the ordinary session tables in all the forwarding CPUs in the period of each day is calculated as follows:
Figure BDA0001346347640000221
Figure BDA0001346347640000222
n represents the total number of days of the history to be counted in the same period;
e represents the average of the total number of ordinary session tables in all forwarding CPUs in the period of n days (i.e., all history in the same period);
CPUi,j indicates the number of common session tables created by the jth forwarding CPU in the ith day in the time period;
n represents the total number of forwarding CPUs;
e(i) represents the average value of the number of the ordinary session tables created by all the forwarding CPUs in the period of the ith day.
After the forwarding CPU creates a normal session table, it counts the number of normal session tables it has established in the current period. If that number reaches 5 times the historical daily average, for the same period, of the total number of normal session tables in all forwarding CPUs, the proportion of normal session tables in the abnormal state among the normal session tables currently established by the forwarding CPU is then determined. If the number of normal session tables in the abnormal state reaches 1/3 of the number of currently established normal session tables, it is determined that the forwarding system is attacked.
In the above technical solution, when the forwarding system is attacked but the system is not yet aware of the attack, that is, it has not been determined that the forwarding system is attacked, the forwarding CPU processes attack packets as normal packets. Many normal session tables are therefore created for attack packets in a short time, and these normal session tables are in the abnormal state because their connections cannot be successfully established. For this reason, each time the forwarding CPU creates a normal session table it counts the number of normal session tables it has currently established, and when that number exceeds the threshold it counts how many of them are in the abnormal state, so that the whole forwarding system can be determined to be attacked as soon as one of the above conditions occurs. With this scheme, whether the forwarding system is currently under syn flood attack can be determined accurately and quickly from the number of normal session tables currently established by the forwarding CPU together with the number of those tables in the abnormal state, so the forwarding system can defend against the attack in time. This avoids the risk, present when judging by a single parameter, that the forwarding system is already paralyzed by the time the syn flood attack can be determined, and helps maintain the stability of the forwarding system.
Optionally, in a case where it is determined that the forwarding system is attacked, a connection latency of the normal session table in the abnormal state is shortened.
Under the condition that the forwarding system is determined to be attacked, part of the normal session table in the abnormal state in the forwarding CPU is created aiming at the attack message, so that the connection waiting time of the normal session table in the abnormal state is shortened, the resources of the normal session table in the abnormal state can be released as soon as possible, and the processing efficiency of the forwarding system is improved.
Optionally, when the simple session tables established in the anti-attack CPU satisfy a preset condition, it may be determined that the forwarding system is no longer under attack. The preset condition may be that the time for which the forwarding system has been determined to be attacked exceeds a first threshold, and the ratio of the number of simple session tables established in the anti-attack CPU to the total number of creatable simple session tables (i.e., the upper limit on the number of simple session tables) is less than or equal to a fifth preset proportion.
The total number of simple session tables that the anti-attack CPU can create is set based on the License. For example, the first threshold may be 10 minutes, and the fifth preset proportion may be 1/50. A timer is started when it is determined that the forwarding system is under attack. Once the forwarding system has been determined to be attacked for more than 10 minutes, the number of simple session tables currently established by the anti-attack CPU can be counted. A connection cannot be successfully established for a simple session table created for an attack packet. Therefore, when the ratio of the number of simple session tables currently established in the anti-attack CPU to the total number of creatable simple session tables is less than or equal to the fifth preset proportion, that is, less than or equal to 1/50, it can be determined that the forwarding system is no longer under attack.
After it is determined that the forwarding system is no longer attacked, the number of simple session tables in the anti-attack CPU is counted. If that number is 0, received messages are processed through the ordinary session tables until it is determined that the forwarding system is attacked again. If that number is not 0, that is, simple session tables in the semi-connection state still exist in the anti-attack CPU, received syn-ack type and ack type messages are processed with the same logic as when the forwarding system is determined to be attacked, until the number of simple session tables is 0 (a simple session table may be deleted after its connection is successfully established or deleted on timeout); syn type messages received afterwards are processed according to the logic used when the forwarding system is not determined to be attacked.
In the above technical solution, since simple session tables are established for attack packets, whether the forwarding system is currently under attack can be determined quickly and accurately from the number of simple session tables. After it is determined that the forwarding system is no longer attacked, the number of current simple session tables is counted and subsequent messages are processed according to that number, which effectively improves the stability and forwarding efficiency of the forwarding system.
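The detection and release conditions in the preceding paragraphs, combined into one state machine as an added example (not code from the patent). The class, method and mode names are assumptions, including the DRAINING mode used for the interval in which simple session tables remain after the attack ends; the 5×, 1/3, 10 minute and 1/50 values are the example values given in the text.

```python
from dataclasses import dataclass
from enum import Enum
from fractions import Fraction
from typing import Optional


class Mode(Enum):
    NORMAL = "normal"              # not determined to be attacked
    UNDER_ATTACK = "under_attack"  # syn flood determined
    DRAINING = "draining"          # attack over, half-open simple tables remain


# Example values taken from the text.
PERIOD_MULTIPLIER = 5                  # 5x the historical average for the period
ABNORMAL_RATIO = Fraction(1, 3)        # abnormal / established ordinary tables
MIN_ATTACK_SECONDS = 10 * 60           # first threshold: 10 minutes
SIMPLE_TABLE_RATIO = Fraction(1, 50)   # fifth preset proportion


@dataclass
class AttackMonitor:
    historical_period_average: float   # avg. ordinary tables, all forwarding CPUs, same period
    simple_table_limit: int            # License-based cap on simple session tables
    mode: Mode = Mode.NORMAL
    attack_started_at: Optional[float] = None

    def on_ordinary_table_created(self, created_this_period: int,
                                  established: int, abnormal: int,
                                  now: float) -> Mode:
        """Run after the forwarding CPU creates an ordinary session table."""
        if self.mode is Mode.UNDER_ATTACK:
            return self.mode
        # Parameter 1: creation volume against the historical baseline.
        if created_this_period < PERIOD_MULTIPLIER * self.historical_period_average:
            return self.mode
        # Parameter 2: share of tables whose handshake never completed.
        if established > 0 and Fraction(abnormal, established) >= ABNORMAL_RATIO:
            self.mode = Mode.UNDER_ATTACK
            self.attack_started_at = now   # start the attack timer
        return self.mode

    def on_timer(self, simple_tables: int, now: float) -> Mode:
        """Periodic check of the anti-attack CPU's simple session table count."""
        if self.mode is Mode.UNDER_ATTACK:
            lasted = now - self.attack_started_at
            share = Fraction(simple_tables, self.simple_table_limit)
            if lasted > MIN_ATTACK_SECONDS and share <= SIMPLE_TABLE_RATIO:
                self.attack_started_at = None
                # syn goes back to the normal path at once; syn-ack and ack
                # keep the attack-time logic until the simple tables are gone.
                self.mode = Mode.NORMAL if simple_tables == 0 else Mode.DRAINING
        elif self.mode is Mode.DRAINING and simple_tables == 0:
            self.mode = Mode.NORMAL
        return self.mode


def replay_constructed_timeline():
    """Constructed counters (not measurements) fed through the monitor."""
    mon = AttackMonitor(historical_period_average=2000, simple_table_limit=100_000)
    return [
        # 6x the baseline but only 1/9 abnormal: busy, not attacked.
        mon.on_ordinary_table_created(12_000, 9_000, 1_000, now=0),
        # Same volume with 1/3 abnormal: attack determined.
        mon.on_ordinary_table_created(12_000, 9_000, 3_000, now=5),
        # Few simple tables, but the attack is under 10 minutes old.
        mon.on_timer(simple_tables=500, now=300),
        # Past 10 minutes, simple tables still at 2/5 of the limit.
        mon.on_timer(simple_tables=40_000, now=700),
        # Exactly 1/50 of the limit, tables remain: drain them.
        mon.on_timer(simple_tables=2_000, now=900),
        # Last simple table deleted or timed out.
        mon.on_timer(simple_tables=0, now=960),
    ]
```

The first step of the constructed timeline is the case the two-parameter test exists for: creation volume alone is six times the baseline, yet no attack is declared because few of the tables are in the abnormal state.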
The present disclosure also provides a message forwarding apparatus, which is applied to a forwarding CPU in a forwarding system. As shown in fig. 9, the apparatus 100 may include:
a first determining module 101, configured to determine, when it is determined that the forwarding system is attacked, whether a received message is a potential attack message if the received message is of a syn type;
a first sending module 102, configured to send the packet to an anti-attack CPU in the forwarding system when it is determined that the packet is a potential attack packet, so that the anti-attack CPU forwards the packet.
Optionally, fig. 10 is a block diagram of a first determining module in a message forwarding apparatus according to an embodiment of the present disclosure. As shown in fig. 10, the first determining module 101 may include:
a first determining sub-module 1011, configured to determine whether a source ip address of the packet is in an ip address white list;
a second determining sub-module 1012, configured to determine that the packet is a potential attack packet when the source ip address of the packet is not in the ip address white list; and when the source ip address of the message is in the ip address white list, determining that the message is a normal message.
Optionally, fig. 11 is a block diagram of a message forwarding apparatus according to another embodiment of the present disclosure. As shown in fig. 11, the apparatus 100 may further include:
a second sending module 103, configured to send the packet to a logic CPU in the forwarding system corresponding to the forwarding CPU when the packet is determined to be a normal packet, so that the logic CPU matches the packet according to a matching policy;
a first forwarding module 104, configured to, in response to that the logic CPU successfully matches the packet, create a common session table for the packet in the forwarding CPU, and forward the packet based on the created common session table.
Optionally, fig. 12 is a block diagram of a message forwarding apparatus according to another embodiment of the present disclosure. As shown in fig. 12, the apparatus 100 may further include:
a first query module 105, configured to query, according to a received message, a common session table established in the forwarding CPU if the received message is of a non-syn type;
a second forwarding module 106, configured to forward the packet based on the queried common session table when the common session table corresponding to the packet is queried;
a second query module 107, configured to query, according to the packet, a simple session table established in the anti-attack CPU when a common session table corresponding to the packet is not queried, where information included in the simple session table is a part of information included in the common session table;
and a third forwarding module 108, configured to, when the simple session table corresponding to the packet is queried, perform corresponding forwarding processing on the packet according to the type of the packet.
Optionally, the third forwarding module 108 includes:
the first forwarding sub-module is used for forwarding the message based on the inquired simple session table if the received message is of a syn-ack type when the simple session table corresponding to the message is inquired;
the sending submodule is used for sending the message to a logic CPU (central processing unit) in the forwarding system and corresponding to the forwarding CPU if the received message is of an ack type when the simple session table corresponding to the message is inquired, so that the logic CPU matches the message according to a matching strategy;
and the second forwarding submodule is used for responding to the successful matching of the logic CPU on the message, creating a common session table aiming at the message in the forwarding CPU, and forwarding the message based on the created common session table.
Optionally, the apparatus 100 may further comprise at least one of:
the instruction sending module is used for sending a deleting instruction to the anti-attack CPU if the received message is of an ack type when the simple session table corresponding to the message is inquired, wherein the deleting instruction is used for deleting the simple session table corresponding to the message in the anti-attack CPU;
and the updating module is used for adding the source ip address of the message to an ip address white list if the received message is of an ack type when the simple session table corresponding to the message is inquired.
Optionally, the apparatus may further include:
a third query module, configured to query, according to the received message, a common session table established in the forwarding CPU under a condition that it is not determined that the forwarding system is attacked;
a third sending module, configured to send the packet to a logic CPU in the forwarding system corresponding to the forwarding CPU when a common session table corresponding to the packet is not queried, so that the logic CPU matches the packet according to a matching policy;
and the response module is used for responding to the successful matching of the logic CPU to the message, creating a common session table aiming at the message in the forwarding CPU, and forwarding the message based on the created common session table.
Optionally, the forwarding system is determined to be under attack when one of the following occurs:
(I) the ratio of the number of ordinary session tables established by the forwarding CPU to the total number of ordinary session tables that can be created in the forwarding CPU reaches a first preset proportion, and the ratio of the number of ordinary session tables in an abnormal state in the forwarding CPU to the number of ordinary session tables established in the forwarding CPU reaches a second preset proportion;
(II) the ratio of the number of ordinary session tables established by the forwarding CPU in the current period to the average of the total number of ordinary session tables in all forwarding CPUs in the same period in history reaches a third preset proportion, and the ratio of the number of ordinary session tables in an abnormal state in the forwarding CPU to the number of ordinary session tables established in the forwarding CPU reaches a fourth preset proportion.
Optionally, the apparatus may further include:
and the processing module is used for shortening the connection waiting time of the ordinary session table in the abnormal state under the condition that the forwarding system is determined to be attacked.
The present disclosure also provides a message forwarding device, which is applied to an anti-attack CPU in a forwarding system. As shown in fig. 13, the apparatus 200 may include:
a first receiving module 201, configured to receive a syn type message sent by a forwarding CPU in the forwarding system when it is determined that the forwarding system is attacked;
a simple session table creating module 202, configured to create a simple session table for the packet in the anti-attack CPU, where information included in the simple session table is a part of information included in a common session table created by the forwarding CPU;
a fourth forwarding module 203, configured to forward the packet based on the created simple session table.
Optionally, the apparatus 200 may further include:
a second receiving module, configured to receive a deletion instruction sent by the forwarding CPU, where the deletion instruction is used to delete the simple session table corresponding to the packet in the attack-prevention CPU;
and the deleting module is used for responding to the deleting instruction and deleting the simple session table corresponding to the message.
The present disclosure also provides a message forwarding apparatus, which is applied to a logic CPU in a forwarding system. As shown in fig. 14, the apparatus 300 may include:
a third receiving module 301, configured to receive a packet sent by a forwarding CPU corresponding to the logic CPU in the forwarding system;
a matching module 302, configured to match the messages according to a matching policy;
a fourth sending module 303, configured to send a matching success message to the forwarding CPU when matching is successful, so that the forwarding CPU creates a common session table for the packet in response to the matching success message.
Optionally, the apparatus 300 may further include:
and the message discarding module is used for discarding the message when the matching fails.
The present disclosure also provides a message forwarding device, which is applied to a network card in a forwarding system. As shown in fig. 15, the apparatus 400 may include:
a fifth sending module 401, configured to send the received syn-type packet to a first forwarding CPU in the forwarding system when it is determined that the forwarding system is attacked, where the first forwarding CPU is any forwarding CPU in the forwarding system, and during the current attack, the first forwarding CPU is fixed;
a sixth sending module 402, configured to send the received non-syn type packet to any other forwarding CPU in the forwarding system except the first forwarding CPU.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
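The dispatch performed by the modules above while the forwarding system is determined to be attacked, modelled in one process as an added example (not code from the patent). The class and field names, the state labels, the direction-independent flow key, the policy function, the constructed documentation-range addresses and the discard of non-syn messages that match no table are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    kind: str  # "syn", "syn-ack", "ack" or "data"


def flow_key(pkt: Packet) -> FrozenSet[Endpoint]:
    """Direction-independent key, so a reply finds the entry its SYN created."""
    return frozenset((pkt.src, pkt.dst))


@dataclass
class ForwardingSystem:
    policy: Callable[[Packet], bool]                      # logic CPU matching policy
    whitelist: Set[str] = field(default_factory=set)      # source ip white list
    ordinary: Dict[FrozenSet[Endpoint], str] = field(default_factory=dict)  # forwarding CPU
    simple: Dict[FrozenSet[Endpoint], str] = field(default_factory=dict)    # anti-attack CPU
    policy_lookups: int = 0

    def _match_and_create(self, pkt: Packet, state: str) -> str:
        """Logic CPU matches; on success the forwarding CPU creates an ordinary table."""
        self.policy_lookups += 1
        if not self.policy(pkt):
            return "discard"
        self.ordinary[flow_key(pkt)] = state
        return "forward:ordinary"

    def handle_under_attack(self, pkt: Packet) -> str:
        key = flow_key(pkt)
        if pkt.kind == "syn":
            if pkt.src[0] in self.whitelist:          # normal message
                return self._match_and_create(pkt, "SYN_SEEN")
            # Potential attack message: only a small entry on the anti-attack
            # CPU, no policy matching and no ordinary session table.
            self.simple[key] = "SYN_SEEN"
            return "forward:simple"
        if key in self.ordinary:
            return "forward:ordinary"
        if key not in self.simple:
            return "discard"   # assumption: this section does not cover this case
        if pkt.kind == "syn-ack":
            self.simple[key] = "SYNACK_SEEN"
            return "forward:simple"
        if pkt.kind == "ack":
            del self.simple[key]                 # delete instruction to anti-attack CPU
            self.whitelist.add(pkt.src[0])       # add source ip to the white list
            return self._match_and_create(pkt, "ESTABLISHED")
        return "discard"       # assumption: other types need an ordinary table


SERVER: Endpoint = ("192.0.2.10", 443)       # constructed addresses (RFC 5737 ranges)
CLIENT_IP = "203.0.113.7"


def run_constructed_flood() -> dict:
    fs = ForwardingSystem(policy=lambda p: p.dst == SERVER)
    # 1000 constructed SYNs whose handshakes never complete.
    for i in range(1000):
        fs.handle_under_attack(Packet((f"198.51.100.{i % 250 + 1}", 1024 + i), SERVER, "syn"))
    c1, c2 = (CLIENT_IP, 40000), (CLIENT_IP, 40001)
    actions = [fs.handle_under_attack(p) for p in (
        Packet(c1, SERVER, "syn"),       # unknown source: simple table
        Packet(SERVER, c1, "syn-ack"),   # forwarded on the simple table
        Packet(c1, SERVER, "ack"),       # promoted to an ordinary table
        Packet(c1, SERVER, "data"),      # ordinary table hit
        Packet(c2, SERVER, "syn"),       # whitelisted: straight to the logic CPU
        Packet(("198.51.100.9", 5), SERVER, "ack"),  # no table at all
    )]
    return {"actions": actions, "ordinary": len(fs.ordinary),
            "simple": len(fs.simple), "policy_lookups": fs.policy_lookups,
            "whitelist": sorted(fs.whitelist)}
```

In the constructed run, the 1000 unanswered SYNs leave 1000 simple session tables but cause no policy matching and no ordinary session tables; only the client that completes its handshake reaches the logic CPU.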
Fig. 16 is a block diagram illustrating an electronic device 1600 in accordance with an example embodiment. As shown in fig. 16, the electronic device 1600 may include: a processor 1601, a memory 1602, multimedia components 1603, input/output (I/O) interfaces 1604, and a communications component 1605.
The processor 1601 is configured to control the overall operation of the electronic device 1600, so as to complete all or part of the steps in the message forwarding method applied to the forwarding CPU, or the attack-prevention CPU, or the logic CPU, or the network card in the forwarding system. The memory 1602 is used to store various types of data to support operation at the electronic device 1600, such as instructions for any application or method operating on the electronic device 1600, and application-related data, such as contact data, messaging, pictures, audio, video, and so forth. The memory 1602 may be implemented by any type of volatile or non-volatile memory device or combination thereof, such as Static Random Access Memory (SRAM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Erasable Programmable Read-Only Memory (EPROM), Programmable Read-Only Memory (PROM), Read-Only Memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk. The multimedia components 1603 may include screen and audio components. The screen may be, for example, a touch screen, and the audio component is used for outputting and/or inputting audio signals. For example, the audio component may include a microphone for receiving external audio signals. The received audio signals may further be stored in the memory 1602 or transmitted through the communication component 1605. The audio component also includes at least one speaker for outputting audio signals. The I/O interface 1604 provides an interface between the processor 1601 and other interface modules, such as a keyboard, a mouse, buttons, etc. These buttons may be virtual buttons or physical buttons. The communication component 1605 is used for wired or wireless communication between the electronic device 1600 and other devices. The wireless communication may be, for example, Wi-Fi, Bluetooth, Near Field Communication (NFC), 2G, 3G, or 4G, or a combination of one or more of them, so the corresponding communication component 1605 may include a Wi-Fi module, a Bluetooth module, and an NFC module.
In an exemplary embodiment, the electronic Device 1600 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, microcontrollers, microprocessors or other electronic components, for executing the message forwarding method applied to the forwarding CPUs, or attack prevention CPUs, or Logic CPUs, or network cards in the forwarding system.
In another exemplary embodiment, a computer readable storage medium comprising program instructions, such as the memory 1602 comprising program instructions, is also provided, which are executable by the processor 1601 of the electronic device 1600 to implement the message forwarding method described above applied to a forwarding CPU, or an anti-attack CPU, or a logic CPU, or a network card in a forwarding system.
Fig. 17 is a block diagram illustrating an electronic device 1700 in accordance with an example embodiment. For example, the electronic device 1700 may be provided as a server. Referring to fig. 17, electronic device 1700 includes a processor 1722, which can be one or more in number, and a memory 1732 for storing computer programs that are executable by processor 1722. The computer programs stored in memory 1732 may include one or more modules that each correspond to a set of instructions. Further, the processor 1722 may be configured to execute the computer program to execute the message forwarding method applied to the forwarding CPU, or the attack prevention CPU, or the logic CPU, or the network card in the forwarding system.
Additionally, the electronic device 1700 may also include a power component 1726, which may be configured to perform power management for the electronic device 1700, and a communication component 1750, which may be configured to enable communication for the electronic device 1700, e.g., wired or wireless communication. In addition, the electronic device 1700 may also include input/output (I/O) interfaces 1758. The electronic device 1700 may operate based on an operating system, such as Windows Server, Mac OS X™, Unix™, Linux, etc., stored in the memory 1732.
In another exemplary embodiment, a computer readable storage medium including program instructions, such as the memory 1732 including program instructions, which are executable by the processor 1722 of the electronic device 1700 to implement the message forwarding method applied to the forwarding CPU, or the anti-attack CPU, or the logic CPU, or the network card in the forwarding system is also provided.
The preferred embodiments of the present disclosure are described in detail above with reference to the accompanying drawings. However, the present disclosure is not limited to the specific details of the above embodiments; various simple modifications may be made to the technical solution of the present disclosure within its technical idea, and these simple modifications all belong to the protection scope of the present disclosure.
It should be noted that the various features described in the above embodiments may be combined in any suitable manner without departing from the scope of the invention. In order to avoid unnecessary repetition, various possible combinations will not be separately described in this disclosure.
In addition, any combination of various embodiments of the present disclosure may be made, and the same should be considered as the disclosure of the present disclosure, as long as it does not depart from the spirit of the present disclosure.

Claims (21)

1. A message forwarding method is applied to a forwarding CPU in a forwarding system, and is characterized in that the method comprises the following steps:
under the condition that the forwarding system is determined to be attacked, if the received message is of a syn type, determining whether the received message is a potential attack message;
when the message is determined to be a potential attack message, the message is sent to an anti-attack CPU in the forwarding system, so that the anti-attack CPU forwards the message;
if the received message is of a non-syn type, inquiring a common session table established in the forwarding CPU according to the message;
when a common session table corresponding to the message is inquired, forwarding the message based on the inquired common session table;
when a common session table corresponding to the message is not inquired, inquiring a simple session table established in the anti-attack CPU according to the message, wherein the information contained in the simple session table is one part of the information contained in the common session table;
when the simple session table corresponding to the message is inquired, carrying out corresponding forwarding processing on the message according to the type of the message;
when the simple session table corresponding to the packet is queried, performing corresponding forwarding processing on the packet according to the type of the packet, including:
when the simple session table corresponding to the message is inquired, if the received message is of a syn-ack type, forwarding the message based on the inquired simple session table;
if the received message is of an ack type, sending the message to a logic CPU (central processing unit) corresponding to the forwarding CPU in the forwarding system, so that the logic CPU matches the message according to a matching strategy;
and responding to the successful matching of the logic CPU to the message, creating a common session table aiming at the message in the forwarding CPU, and forwarding the message based on the created common session table.
2. The method of claim 1, wherein determining whether the received message is a potential attack message comprises:
determining whether a source ip address of the message is in an ip address white list;
when the source ip address of the message is not in the ip address white list, determining that the message is a potential attack message;
and when the source ip address of the message is in the ip address white list, determining that the message is a normal message.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
when the message is determined to be a normal message, the message is sent to a logic CPU (central processing unit) corresponding to the forwarding CPU in the forwarding system, so that the logic CPU matches the message according to a matching strategy;
and responding to the successful matching of the logic CPU to the message, creating a common session table aiming at the message in the forwarding CPU, and forwarding the message based on the created common session table.
4. The method of claim 1, wherein if the received message is of the ack type, the method further comprises:
sending a deleting instruction to the anti-attack CPU, wherein the deleting instruction is used for deleting the simple session table corresponding to the message in the anti-attack CPU; and/or
And adding the source ip address of the message to an ip address white list.
5. The method of claim 1, wherein the forwarding system is determined to be under attack when one of:
the proportion of the number of the ordinary session tables established by the forwarding CPU to the total number of the creatable ordinary session tables in the forwarding CPU reaches a first preset proportion, and the proportion of the number of the ordinary session tables in an abnormal state in the forwarding CPU to the number of the established ordinary session tables in the forwarding CPU reaches a second preset proportion;
the proportion of the number of the established common session tables in the current period of the forwarding CPU to the average value of the total number of the common session tables in all the forwarding CPUs in the same period of the history reaches a third preset proportion, and the proportion of the number of the abnormal common session tables in the forwarding CPU to the number of the established common session tables in the forwarding CPU reaches a fourth preset proportion.
6. A message forwarding method is applied to an anti-attack CPU in a forwarding system, and is characterized in that the method comprises the following steps:
under the condition that the forwarding system is determined to be attacked, receiving a syn type message sent by a forwarding CPU in the forwarding system, wherein the syn type message is determined as a potential attack message by the forwarding CPU;
creating a simple session table aiming at the message in the anti-attack CPU, wherein the information contained in the simple session table is one part of the information contained in a common session table created by the forwarding CPU, and a simple state machine contained in the simple session table only contains state conversion in the process of establishing connection by using the session table;
and forwarding the message based on the created simple session table.
7. The method of claim 6, further comprising:
receiving a deleting instruction sent by the forwarding CPU, wherein the deleting instruction is used for deleting the simple session table corresponding to the message in the anti-attack CPU;
and responding to the deleting instruction, and deleting the simple session table corresponding to the message.
8. A message forwarding device is applied to a forwarding CPU in a forwarding system, and is characterized in that the device comprises:
the first determining module is used for determining whether the received message is a potential attack message or not if the received message is of a syn type under the condition that the forwarding system is determined to be attacked;
the first sending module is used for sending the message to an anti-attack CPU in the forwarding system when the message is determined to be a potential attack message, so that the anti-attack CPU forwards the message;
the first query module is used for querying a common session table established in the forwarding CPU according to the message if the received message is of a non-syn type;
the second forwarding module is used for forwarding the message based on the inquired common session table when the common session table corresponding to the message is inquired;
the second query module is used for querying a simple session table established in the anti-attack CPU according to the message when a common session table corresponding to the message is not queried, wherein the information contained in the simple session table is one part of the information contained in the common session table;
the third forwarding module is used for performing corresponding forwarding processing on the message according to the type of the message when the simple session table corresponding to the message is inquired;
wherein the third forwarding module includes:
the first forwarding sub-module is used for forwarding the message based on the inquired simple session table if the received message is of a syn-ack type when the simple session table corresponding to the message is inquired;
the sending submodule is used for sending the message to a logic CPU (central processing unit) in the forwarding system and corresponding to the forwarding CPU if the received message is of an ack type when the simple session table corresponding to the message is inquired, so that the logic CPU matches the message according to a matching strategy;
and the second forwarding submodule is used for responding to the successful matching of the logic CPU on the message, creating a common session table aiming at the message in the forwarding CPU, and forwarding the message based on the created common session table.
9. The apparatus of claim 8, wherein the first determining module comprises:
a first determining submodule, configured to determine whether a source ip address of the packet is in an ip address white list;
a second determining submodule, configured to determine that the packet is a potential attack packet when a source ip address of the packet is not in the ip address white list; and when the source ip address of the message is in the ip address white list, determining that the message is a normal message.
10. The apparatus of claim 8 or 9, further comprising:
the second sending module is used for sending the message to a logic CPU corresponding to the forwarding CPU in the forwarding system when the message is determined to be a normal message, so that the logic CPU matches the message according to a matching strategy;
and the first forwarding module is used for responding to the successful matching of the logic CPU on the message, creating a common session table aiming at the message in the forwarding CPU, and forwarding the message based on the created common session table.
11. The apparatus of claim 8, further comprising:
the instruction sending module is used for sending a deleting instruction to the anti-attack CPU if the received message is of an ack type when the simple session table corresponding to the message is inquired, wherein the deleting instruction is used for deleting the simple session table corresponding to the message in the anti-attack CPU; and/or
And the updating module is used for adding the source ip address of the message to an ip address white list if the received message is of an ack type when the simple session table corresponding to the message is inquired.
12. The apparatus of claim 8, wherein the forwarding system is determined to be under attack when one of:
the proportion of the number of the ordinary session tables established by the forwarding CPU to the total number of the creatable ordinary session tables in the forwarding CPU reaches a first preset proportion, and the proportion of the number of the ordinary session tables in an abnormal state in the forwarding CPU to the number of the established ordinary session tables in the forwarding CPU reaches a second preset proportion;
the proportion of the number of the established common session tables in the current period of the forwarding CPU to the average value of the total number of the common session tables in all the forwarding CPUs in the same period of the history reaches a third preset proportion, and the proportion of the number of the abnormal common session tables in the forwarding CPU to the number of the established common session tables in the forwarding CPU reaches a fourth preset proportion.
13. A message forwarding device is applied to an anti-attack CPU in a forwarding system, and is characterized in that the device comprises:
a first receiving module, configured to receive a syn-type message sent by a forwarding CPU in a forwarding system under a condition that the forwarding system is determined to be attacked, where the syn-type message is determined by the forwarding CPU to be a potential attack message;
a simple session table creating module, configured to create a simple session table for the packet in the anti-attack CPU, where information included in the simple session table is a part of information included in a common session table created by the forwarding CPU, and a simple state machine included in the simple session table only includes state conversion in a session table connection establishment process;
and the fourth forwarding module is used for forwarding the message based on the created simple session table.
14. The apparatus of claim 13, further comprising:
a second receiving module, configured to receive a deletion instruction sent by the forwarding CPU, where the deletion instruction is used to delete the simple session table corresponding to the packet in the attack-prevention CPU;
and the deleting module is used for responding to the deleting instruction and deleting the simple session table corresponding to the message.
15. A forwarding system, the system comprising:
a network card;
a forwarding CPU in communication with the network card, the forwarding CPU comprising the message forwarding device of any one of claims 8-12;
an anti-attack CPU in communication with the network card and the forwarding CPU, the anti-attack CPU comprising the message forwarding device of claim 13 or 14;
and logical CPUs in one-to-one correspondence with the forwarding CPUs, each logical CPU being configured to receive the message sent by its corresponding forwarding CPU, match the message against a matching policy, and, when the match succeeds, send a match-success message to the corresponding forwarding CPU so that the corresponding forwarding CPU, in response to the match-success message, creates a common session table for the message.
16. The system of claim 15, wherein each of the logical CPUs is further configured to discard the message when the matching fails.
17. The forwarding system of claim 15, wherein there are a plurality of forwarding CPUs and a plurality of logical CPUs; and
the network card is configured to, when the forwarding system is determined to be under attack, send each received syn-type message to a first forwarding CPU in the forwarding system, where the first forwarding CPU is any one of the plurality of forwarding CPUs and remains fixed for the duration of the attack, and to send each received non-syn-type message to any forwarding CPU in the forwarding system other than the first forwarding CPU.
18. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 5.
19. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method as claimed in claim 6 or 7.
20. An electronic device, comprising:
the computer-readable storage medium recited in claim 18; and
one or more processors to execute the program in the computer-readable storage medium.
21. An electronic device, comprising:
the computer-readable storage medium recited in claim 19; and
one or more processors to execute the program in the computer-readable storage medium.
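The simple session table of claims 13 and 14, shown as an added example that is not code from the patent: an entry holds only the initiator's 4-tuple and a state machine limited to connection establishment, and is removed on the forwarding CPU's deletion instruction. The field set, state names, TCP three-way-handshake transitions and hash-table layout are assumptions; the claims specify none of them.

```c
#include <stddef.h>
#include <stdint.h>
/* All names and the table layout are hypothetical; the claims fix no API. */
enum { SS_FREE, SS_TOMB, SS_SYN_SEEN, SS_SYNACK_SEEN, SS_ESTABLISHED };
enum { TCP_SYN = 0x02, TCP_ACK = 0x10 };
#define SLOTS 1024u /* power of two, sized for the example only */
/* Subset of a common session entry: initiator 4-tuple plus handshake state. */
struct key { uint32_t sip, dip; uint16_t sport, dport; };
struct simple_session { struct key k; uint8_t state; };
static struct simple_session tbl[SLOTS];

/* Open addressing with tombstones: the live match, else a reusable slot. */
static struct simple_session *find(const struct key *k) {
    uint32_t h = (k->sip ^ k->dip ^ ((uint32_t)k->sport << 16) ^ k->dport) * 2654435761u;
    struct simple_session *reuse = NULL;
    for (uint32_t i = 0; i < SLOTS; i++) {
        struct simple_session *s = &tbl[(h + i) & (SLOTS - 1)];
        if (s->state == SS_FREE) return reuse ? reuse : s;
        if (s->state == SS_TOMB) { if (!reuse) reuse = s; continue; }
        if (s->k.sip == k->sip && s->k.dip == k->dip &&
            s->k.sport == k->sport && s->k.dport == k->dport) return s;
    }
    return reuse; /* NULL when every slot holds a live entry */
}

/* Handshake-only state machine: returns the new state, or -1 to drop. */
int simple_session_step(const struct key *k, unsigned flags, int from_initiator) {
    struct simple_session *s = find(k);
    if (!s) return -1;
    flags &= TCP_SYN | TCP_ACK;
    if (s->state < SS_SYN_SEEN) {   /* no entry yet: only a SYN creates one */
        if (flags != TCP_SYN || !from_initiator) return -1;
        s->k = *k; s->state = SS_SYN_SEEN;
    } else if (s->state == SS_SYN_SEEN && flags == (TCP_SYN | TCP_ACK) && !from_initiator) {
        s->state = SS_SYNACK_SEEN;
    } else if (s->state == SS_SYNACK_SEEN && flags == TCP_ACK && from_initiator) {
        s->state = SS_ESTABLISHED;
    } else if (!(s->state == SS_SYN_SEEN && flags == TCP_SYN && from_initiator)) {
        return -1;                  /* not a handshake transition */
    }
    return s->state;
}

/* Deletion instruction from the forwarding CPU (claim 14); 1 if an entry was removed. */
int simple_session_delete(const struct key *k) {
    struct simple_session *s = find(k);
    if (!s || s->state < SS_SYN_SEEN) return 0;
    s->state = SS_TOMB;
    return 1;
}
```

A retransmitted SYN leaves the entry in its first state, and anything outside the handshake is rejected because the simple table carries no post-establishment states.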
CN201710558091.4A 2017-07-10 2017-07-10 Message forwarding method, device, forwarding system, storage medium and electronic equipment Active CN109246057B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710558091.4A CN109246057B (en) 2017-07-10 2017-07-10 Message forwarding method, device, forwarding system, storage medium and electronic equipment

Publications (2)

Publication Number Publication Date
CN109246057A CN109246057A (en) 2019-01-18
CN109246057B true CN109246057B (en) 2021-01-08

Family

ID=65083104

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710558091.4A Active CN109246057B (en) 2017-07-10 2017-07-10 Message forwarding method, device, forwarding system, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN109246057B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109922144B (en) * 2019-02-28 2022-09-16 北京百度网讯科技有限公司 Method and apparatus for processing data
CN110224947A (en) * 2019-06-05 2019-09-10 东软集团股份有限公司 Message processing method, device and equipment in a kind of multicore repeater system
CN110381032B (en) * 2019-06-24 2022-01-07 东软集团股份有限公司 Session table item processing method and device in multi-core system and related products
CN110545291B (en) * 2019-09-29 2022-02-11 东软集团股份有限公司 Defense method for attack message, multi-core forwarding system and related products
CN112714102A (en) * 2020-12-02 2021-04-27 国家计算机网络与信息安全管理中心 SYN Flood attack defense method under multi-core heterogeneous platform
CN113572774B (en) * 2021-07-27 2023-04-28 杭州迪普科技股份有限公司 Message forwarding method and device in network equipment
CN117201202B (en) * 2023-11-07 2024-01-02 北京金睛云华科技有限公司 Reflection amplification Flood attack flow storage method

Citations (5)

Publication number Priority date Publication date Assignee Title
CN101014048A (en) * 2007-02-12 2007-08-08 杭州华为三康技术有限公司 Distributed firewall system and method for realizing content diction of firewall
CN101141453A (en) * 2006-05-19 2008-03-12 美国凹凸微系有限公司 Anti-virus and firewall system
US8776207B2 (en) * 2011-02-16 2014-07-08 Fortinet, Inc. Load balancing in a network with session information
CN105827646A (en) * 2016-05-17 2016-08-03 浙江宇视科技有限公司 SYN attack protecting method and device
CN106453373A (en) * 2016-11-03 2017-02-22 北京知道未来信息技术有限公司 Efficient SYN Flood attack identification and disposal method

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US20160205135A1 (en) * 2015-01-14 2016-07-14 Nguyen Nguyen Method and system to actively defend network infrastructure

Also Published As

Publication number Publication date
CN109246057A (en) 2019-01-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant