CN109495504A - A firewall device, its message processing method and medium - Google Patents
- Publication number: CN109495504A
- Application number: CN201811574742.XA
- Authority: CN (China)
- Prior art keywords: attack, message, central processing, processing unit, core
- Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The embodiments of the present application disclose a firewall device that contains central processing units of three types, each with a corresponding memory. A forwarding core is configured in the first-type central processing unit; it forwards normal messages and discards low-traffic attack messages into a first attack message buffer area. An attack defence dedicated core is configured in the second-type central processing unit; it forwards normal messages and discards high-traffic attack messages into a second attack message buffer area. A log recording core is configured in the third-type central processing unit; it reads the attack messages in the first and second attack message buffer areas through lock-free read operations and generates attack logs from them. The firewall device can therefore forward messages normally, defend against traffic attacks and record attack logs at the same time.
Description
Technical field
This application relates to the technical field of network security, and in particular to a firewall device, its message processing method and a computer-readable storage medium.
Background technique
A firewall, also called a protective wall, is the barrier between an internal network and external networks; it controls the entry and exit of messages according to pre-defined rules. A firewall can be understood as the first line of defence of a network system, whose role is to keep illegal users out.
With the rapid development of technology, network attacks have escalated as well: DDoS (Distributed Denial of Service) attacks of tens or even hundreds of Gbps appear one after another, so the message processing pressure on firewalls keeps growing. Moreover, in order to better safeguard network security, firewall users such as enterprises buy a firewall not only so that it can block network attacks, but also because they want it to record attack logs for later analysis.
However, because of multi-core concurrent resource contention and the limits of software performance, existing software firewalls find it hard both to keep normal traffic flowing and to block high-traffic attacks, let alone to record attack logs. A software firewall scheme is therefore needed that keeps normal traffic unimpeded and blocks high-traffic attacks while also recording attack logs.
Summary of the invention
The embodiments of the present application provide a firewall device, a message processing method and a storage medium that can record attack logs even while under a high-traffic attack, without affecting the attack defence performance or the normal message forwarding performance of the firewall.
In view of this, the first aspect of the application provides a firewall device, comprising:
central processing units of three types and a memory corresponding to each type of central processing unit; the three types are a first-type central processing unit, a second-type central processing unit and a third-type central processing unit; wherein,
a forwarding core is configured in the first-type central processing unit, and the forwarding core is used to receive and identify messages of a first type and, according to the identification result, forward normal messages or discard attack messages into a first attack message buffer area corresponding to the forwarding core;
an attack defence dedicated core is configured in the second-type central processing unit, and the attack defence dedicated core is used to receive and identify messages of a second type and, according to the identification result, forward normal messages or discard attack messages into a second attack message buffer area corresponding to the attack defence dedicated core;
a log recording core is configured in the third-type central processing unit, and the log recording core is used to read, through lock-free read operations, the attack messages in the first attack message buffer area and the second attack message buffer area, and to generate attack logs according to those attack messages.
Optionally, the forwarding core is further used, when the first attack message buffer area is saturated, to reclaim the storage space of all attack messages in the first attack message buffer area that have already been read by the log recording core, and to release that storage space to a first message memory pool corresponding to the forwarding core;
the attack defence dedicated core is further used, when the second attack message buffer area is saturated, to reclaim the storage space of all attack messages in the second attack message buffer area that have already been read by the log recording core, and to release that storage space to a second message memory pool corresponding to the attack defence dedicated core.
Optionally, the forwarding core is further used, when the proportion of free memory in the first message memory pool corresponding to the forwarding core falls below a first threshold, to reclaim the storage space of all attack messages in the first attack message buffer area that have already been read by the log recording core, and to release that storage space to the first message memory pool corresponding to the forwarding core;
the attack defence dedicated core is further used, when the proportion of free memory in the second message memory pool corresponding to the attack defence dedicated core falls below the first threshold, to reclaim the storage space of all attack messages in the second attack message buffer area that have already been read by the log recording core, and to release that storage space to the second message memory pool corresponding to the attack defence dedicated core.
Optionally, the firewall device includes multiple first-type central processing units and multiple second-type central processing units.
Optionally, the third-type central processing unit shares the same physical device with the first-type central processing unit and with the second-type central processing unit respectively; moreover, the log recording core in the third-type central processing unit is specifically used to read attack messages through a hyper-thread virtualised from that physical device.
Optionally, the first-type central processing unit and the second-type central processing unit use the same physical device.
Optionally, the log recording core is specifically used to start multiple log threads, and the multiple log threads use lock-free read operations to read attack messages concurrently, wherein each log thread corresponds to one first attack message buffer area or one second attack message buffer area and is used to read attack messages from its corresponding attack message buffer area.
Optionally, the firewall device includes multiple third-type central processing units, in which case the log recording core in each third-type central processing unit starts one log thread, and that log thread reads attack messages from the first attack message buffer area or the second attack message buffer area.
Optionally, the forwarding core is further used, when the proportion of the written region of the first attack message buffer area reaches a second threshold and the log thread has not yet read it, to notify the log thread to read the attack messages;
the attack defence dedicated core is further used, when the proportion of the written region of the second attack message buffer area reaches the second threshold and the log thread has not yet read it, to notify the log thread to read the attack messages.
Optionally, the forwarding core is further used to append hint information to the tail of an attack message according to the size of the attack traffic and to notify the log thread through that hint information, so that the log thread adjusts, according to the hint information, the number of messages it reads each time;
the attack defence dedicated core is further used to append hint information to the tail of an attack message according to the size of the attack traffic and to notify the log thread through that hint information, so that the log thread adjusts, according to the hint information, the number of messages it reads each time.
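The buffer shared between a forwarding core and the log recording core, its lock-free read, the two recycling rules (buffer saturated, or free pool memory below the first threshold) and the second-threshold notification, as an added example in C that is not the patent's code; the single-producer/single-consumer ring, the sizes and threshold values, and every type and function name here are assumptions.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define RING_SLOTS       8   /* slots per attack message buffer (assumed; keep a power of two) */
#define POOL_SIZE        12  /* entries in the forwarding core's message pool (assumed) */
#define FIRST_THRESHOLD  25  /* recycle when free pool memory is below 25 % (assumed value) */
#define SECOND_THRESHOLD 50  /* notify the log thread once 50 % of the ring is unread (assumed) */

struct msg {
    uint32_t src_ip;
    uint16_t len;
    char     payload[32];
};

/* Per-core message memory pool (the forwarding core's "first message memory pool").
 * Only the owning core touches it, which is why the log core never frees into it. */
struct mempool {
    struct msg slots[POOL_SIZE];
    int        free_idx[POOL_SIZE];  /* stack of free slot indexes */
    int        free_top;             /* number of free slots */
};

/* Single-producer (forwarding core) / single-consumer (log core) ring.
 * Each index is written by exactly one side, so no lock is needed. */
struct attack_ring {
    struct msg      *items[RING_SLOTS];
    _Atomic unsigned head;     /* next slot the log core reads; written only by the log core */
    _Atomic unsigned tail;     /* next slot to write; written only by the forwarding core */
    unsigned         reclaim;  /* [reclaim, head): already read, storage not yet recycled */
    struct mempool  *pool;
};

void mempool_init(struct mempool *p) {
    p->free_top = 0;
    for (int i = 0; i < POOL_SIZE; i++)
        p->free_idx[p->free_top++] = i;
}
struct msg *mempool_alloc(struct mempool *p) {
    return p->free_top > 0 ? &p->slots[p->free_idx[--p->free_top]] : NULL;
}
void mempool_free(struct mempool *p, struct msg *m) {
    p->free_idx[p->free_top++] = (int)(m - p->slots);
}
int mempool_free_pct(const struct mempool *p) { return p->free_top * 100 / POOL_SIZE; }

void ring_init(struct attack_ring *r, struct mempool *pool) {
    memset(r, 0, sizeof *r);
    r->pool = pool;
}

/* Forwarding core only: return the storage of every message the log core has
 * already read to the forwarding core's own pool. Returns how many were recycled. */
int ring_recycle(struct attack_ring *r) {
    unsigned head = atomic_load_explicit(&r->head, memory_order_acquire);
    int n = 0;
    for (; r->reclaim != head; r->reclaim++, n++)
        mempool_free(r->pool, r->items[r->reclaim % RING_SLOTS]);
    return n;
}

/* Forwarding core: discard an attack message into the buffer. Returns false when it
 * cannot be kept (every slot still unread, or the pool is exhausted). *notify is set
 * when the unread region has reached SECOND_THRESHOLD, i.e. the log thread should wake. */
bool forward_core_drop(struct attack_ring *r, const struct msg *in, bool *notify) {
    unsigned tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    /* Rule 1: buffer saturated. Rule 2: pool free share below the first threshold. */
    if (tail - r->reclaim == RING_SLOTS || mempool_free_pct(r->pool) < FIRST_THRESHOLD)
        ring_recycle(r);
    if (tail - r->reclaim == RING_SLOTS)
        return false;
    struct msg *m = mempool_alloc(r->pool);
    if (!m)
        return false;
    *m = *in;
    r->items[tail % RING_SLOTS] = m;
    atomic_store_explicit(&r->tail, tail + 1, memory_order_release);
    unsigned unread = tail + 1 - atomic_load_explicit(&r->head, memory_order_acquire);
    *notify = unread * 100 / RING_SLOTS >= SECOND_THRESHOLD;
    return true;
}

/* Log core: lock-free read of one attack message. The copy completes before head is
 * published, so the forwarding core can never recycle a slot that is still being read. */
bool log_core_read(struct attack_ring *r, struct msg *out) {
    unsigned head = atomic_load_explicit(&r->head, memory_order_relaxed);
    if (head == atomic_load_explicit(&r->tail, memory_order_acquire))
        return false;
    *out = *r->items[head % RING_SLOTS];
    atomic_store_explicit(&r->head, head + 1, memory_order_release);
    return true;
}
```

The second attack message buffer area of an attack defence dedicated core is the same structure with its own pool; with one ring per writer, no two writers ever share a tail index.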
The second aspect of the application provides a message processing method of a firewall device, comprising:
a first-type central processing unit receiving and identifying messages of a first type through a pre-configured forwarding core and, according to the identification result, forwarding normal messages or discarding attack messages into a first attack message buffer area corresponding to the forwarding core;
a second-type central processing unit receiving and identifying messages of a second type through a pre-configured attack defence dedicated core and, according to the identification result, forwarding normal messages or discarding attack messages into a second attack message buffer area corresponding to the attack defence dedicated core;
a third-type central processing unit reading, through a pre-configured log recording core and lock-free read operations, the attack messages in the first attack message buffer area and the second attack message buffer area, and generating attack logs according to those attack messages.
Optionally, the method further includes:
the first-type central processing unit, through the forwarding core, when the first attack message buffer area is saturated, reclaiming the storage space of all attack messages in the first attack message buffer area that have already been read by the log recording core, and releasing that storage space to a first message memory pool corresponding to the forwarding core;
the second-type central processing unit, through the attack defence dedicated core, when the second attack message buffer area is saturated, reclaiming the storage space of all attack messages in the second attack message buffer area that have already been read by the log recording core, and releasing that storage space to a second message memory pool corresponding to the attack defence dedicated core.
Optionally, the first-type central processing unit, through the forwarding core, when the proportion of free memory in the first message memory pool corresponding to the forwarding core is below a first threshold, reclaims the storage space of all attack messages in the first attack message buffer area that have already been read by the log recording core, and releases that storage space to the first message memory pool corresponding to the forwarding core;
the second-type central processing unit, through the attack defence dedicated core, when the proportion of free memory in the second message memory pool corresponding to the attack defence dedicated core is below the first threshold, reclaims the storage space of all attack messages in the second attack message buffer area that have already been read by the log recording core, and releases that storage space to the second message memory pool corresponding to the attack defence dedicated core.
Optionally, the third-type central processing unit starts multiple log threads through the log recording core, and the multiple log threads use lock-free read operations to read attack messages concurrently, wherein each log thread corresponds to one central processing unit and is used to read attack messages from its corresponding central processing unit.
Optionally, the method further includes:
the first-type central processing unit, through the forwarding core, when the proportion of the written region of the first attack message buffer area reaches a second threshold and the log thread has not yet read it, notifying the log thread to read the attack messages;
the second-type central processing unit, through the attack defence dedicated core, when the proportion of the written region of the second attack message buffer area reaches the second threshold and the log thread has not yet read it, notifying the log thread to read the attack messages.
Optionally, the method further includes:
the first-type central processing unit, through the forwarding core, appending hint information to the tail of an attack message according to the size of the attack traffic and notifying the log thread through that hint information, so that the log thread adjusts, according to the hint information, the number of messages it reads each time;
the second-type central processing unit, through the attack defence dedicated core, appending hint information to the tail of an attack message according to the size of the attack traffic and notifying the log thread through that hint information, so that the log thread adjusts, according to the hint information, the number of messages it reads each time.
The third aspect of the application provides a computer-readable storage medium for storing program code, where the program code is used to execute the message processing method described in the second aspect above.
As can be seen from the above technical solutions, the embodiments of the present application have the following advantages:
The embodiments of the present application provide a firewall device that contains central processing units (CPUs) of three types and a memory corresponding to each type of central processing unit; the three types are a first-type central processing unit, a second-type central processing unit and a third-type central processing unit. A forwarding core configured in the first-type central processing unit forwards normal messages and discards low-traffic attack messages into a first attack message buffer area; an attack defence dedicated core configured in the second-type central processing unit forwards normal messages and discards high-traffic attack messages into a second attack message buffer area; a log recording core configured in the third-type central processing unit reads the attack messages in the first and second attack message buffer areas through lock-free read operations and generates attack logs accordingly. The three types of central processing unit in the firewall device work independently and in parallel: the forwarding core handles normal messages and low-traffic attacks, the attack defence dedicated core handles high-traffic attacks, and the log recording core actively fetches attack messages and generates the corresponding attack logs. With each of the three performing its own function, the firewall device can forward messages normally, defend effectively against high-traffic attacks and record attack logs at the same time, which substantially improves the performance of the firewall device and lets it meet market demand.
Detailed description of the invention
Fig. 1 is a structural schematic diagram of a firewall device provided by the embodiments of the present application;
Fig. 2 is a structural schematic diagram of another firewall device provided by the embodiments of the present application;
Fig. 3 is a structural schematic diagram of another firewall device provided by the embodiments of the present application;
Fig. 4 is a flow diagram of a message processing method provided by the embodiments of the present application.
Specific embodiment
In order to enable those skilled in the art to better understand the solution of the application, the technical solution in the embodiments of the application is described clearly and completely below in conjunction with the accompanying drawings. The described embodiments are obviously only a part of the embodiments of the application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments in the application, without creative effort, shall fall within the scope of protection of the application.
The terms "first", "second", "third", "fourth" and so on (if present) in the description, the claims and the above drawings of the application are used to distinguish similar objects, not to describe a particular order or sequence. It should be understood that data used in this way are interchangeable where appropriate, so that the embodiments described herein can be implemented in an order other than the one illustrated or described here. In addition, the terms "comprising" and "having" and any variants of them are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that contains a series of steps or units is not necessarily limited to the steps or units explicitly listed, but may include other steps or units that are not explicitly listed or that are inherent to that process, method, product or device.
In the prior art, a hardware firewall is usually chosen as the barrier between the internal network and external networks. Hardware firewalls are expensive and have a better ability to resist attacks. However, even if a hardware firewall uses a central processing unit with good performance, it is generally limited by factors such as multi-core concurrent resource contention and software performance, and cannot record attack logs while blocking a traffic attack.
Compared with a hardware firewall, a software firewall is relatively weak at resisting attacks, and likewise cannot record attack logs while resisting an attack. The reason is that, for a software firewall to record attack logs, the forwarding core has to extract attack traffic information from the attack messages, record that attack traffic information and then send the record to the log system. When a large attack traffic arrives, checking the performance usage of the forwarding core with a profiling command such as perf shows clearly that the log system occupies a large share of the forwarding core's calls at that moment.
That is, when a traffic attack arrives the forwarding core has to forward normal messages, resist the traffic attack, extract the attack traffic information and send that information to the log system all at once. Since extracting the attack traffic information and sending it to the log system consumes a large part of the forwarding core's performance, the forwarding core alone can hardly sustain forwarding normal messages, resisting the traffic attack and extracting attack traffic information at the same time during a traffic attack. In addition, before sending attack traffic information to the log system the forwarding core must notify the log system accordingly, and whether that notification is done by signalling between different threads or by a system call, it degrades the performance of the forwarding core to some degree.
In order to solve the above technical problems of the prior art, the embodiments of the present application provide a firewall device that can record attack logs even while under a high-traffic attack, without affecting the attack defence performance or the normal message forwarding performance of the firewall.
Specifically, the firewall device provided by the embodiments of the present application contains central processing units of three types and a memory corresponding to each type of central processing unit. The three types of central processing unit are configured respectively with a forwarding core, an attack defence dedicated core and a log recording core: the forwarding core forwards normal messages and discards low-traffic attack messages into a first attack message buffer area; the attack defence dedicated core discards high-traffic attack messages into a second attack message buffer area; and the log recording core reads the attack messages in the first and second attack message buffer areas through lock-free read operations and generates attack logs accordingly.
Because the forwarding core, the attack defence dedicated core and the log recording core work independently and concurrently, with the forwarding core dedicated to forwarding normal messages and handling low-traffic attacks, the attack defence dedicated core dedicated to handling high-traffic attacks, and the log recording core dedicated to reading attack messages and generating attack logs, the firewall device can perform the three operations of forwarding normal messages, resisting traffic attacks and generating attack logs at the same time. Even when under a high-traffic attack, recording attack logs does not affect the attack resistance or the message forwarding performance of the firewall.
The firewall device provided by the present application is introduced below through embodiments.
Referring to Fig. 1, Fig. 1 is a structural schematic diagram of a firewall device provided by the embodiments of the present application. As shown in Fig. 1, the firewall device contains central processing units of three types, namely a first-type central processing unit 101, a second-type central processing unit 102 and a third-type central processing unit 103; it also contains memories corresponding to the three types of central processing unit, namely a memory 104 corresponding to the first-type central processing unit 101, a memory 105 corresponding to the second-type central processing unit 102 and a memory 106 corresponding to the third-type central processing unit 103.
It should be noted that the firewall device shown in Fig. 1 is only an example. In practical applications each of the three types of central processing unit may correspond to its own memory, or several types of central processing unit may share one memory: any two of the first-type central processing unit 101, the second-type central processing unit 102 and the third-type central processing unit 103 may share one memory, or all three types of central processing unit may share one memory.
A forwarding core is configured in the first-type central processing unit 101; the forwarding core receives and identifies messages of the first type and then, according to the identification result, forwards normal messages or discards attack messages into the first attack message buffer area corresponding to the forwarding core.
An attack defence dedicated core is configured in the second-type central processing unit 102; the attack defence dedicated core receives and identifies messages of the second type and then, according to the identification result, forwards normal messages or discards attack messages into the second attack message buffer area corresponding to the attack defence dedicated core.
Here, messages of the first type specifically include normal messages and low-traffic attack messages, and messages of the second type specifically include normal messages and high-traffic attack messages. After the firewall device receives a message from outside, the network interface card in the firewall device identifies the type of the received message according to traffic characteristic rules set in advance in the network card driver: if the characteristics of the received message are judged to match those of the first type, the message is sent to the first-type central processing unit 101; if they are judged to match those of the second type, the message is sent to the second-type central processing unit 102.
Separating high-traffic attack messages from normal messages and low-traffic attack messages by their characteristics, and handling the high-traffic attack messages with the second-type central processing unit 102 configured with the attack defence dedicated core, is also called black hole processing: once the firewall device receives high-traffic attack messages such as a DDoS attack, it steers them directly to the separate attack defence dedicated core thread for processing, which guarantees that the forwarding of normal messages is not affected by the high-traffic attack messages while also ensuring that the high-traffic attack messages are handled efficiently.
The first attack message buffer area described above can specifically be located in the memory 104 corresponding to the first-type central processing unit, and the second attack message buffer area in the memory 105 corresponding to the second-type central processing unit; first attack message buffer areas and forwarding cores are in one-to-one correspondence, as are second attack message buffer areas and attack defence dedicated cores.
After the first-type central processing unit 101 receives a message of the first type, the forwarding core configured in it further identifies the message: if the message of the first type is identified as a normal message, the normal message is forwarded accordingly; if it is identified as a low-traffic attack message, the attack message is discarded into the memory 104 corresponding to the first-type central processing unit 101, that is, into the first attack message buffer area corresponding to the forwarding core.
Similarly, after the second-type central processing unit 102 receives a message of the second type, the attack defence dedicated core configured in it further processes the message: if the message of the second type is identified as a normal message, the normal message is forwarded accordingly; if it is identified as a high-traffic attack message, the attack message is discarded into the memory 105 corresponding to the second-type central processing unit 102, that is, into the second attack message buffer area corresponding to the attack defence dedicated core.
It should be understood that in practical applications the attack defence dedicated core can also implement the normal message forwarding function in addition to handling high-traffic attack messages, that is, when the attack defence dedicated core receives a normal message it can forward that normal message as well.
It should be noted that in practical applications, in order to improve the performance of the firewall device, multiple first-type central processing units 101 and multiple second-type central processing units 102 are usually provided, that is, multiple first-type central processing units 101 configured with forwarding cores and multiple second-type central processing units 102 configured with attack defence dedicated cores; correspondingly, the message forwarding performance and attack defence performance of the firewall device increase with the number of first-type central processing units 101 and second-type central processing units 102. The number of central processing units of each type can be set according to actual needs.
It should be noted that in some cases the first-type central processing unit 101 and the second-type central processing unit 102 can use the same physical device, that is, the forwarding core and the attack defence dedicated core can share one central processing unit; the forwarding core and the attack defence dedicated core in that central processing unit share one exclusive thread, which can realise the three functions of forwarding normal messages, handling low-traffic attack messages and handling high-traffic attack messages at the same time.
Correspondingly, the number of attack message buffer areas in the firewall device (first and second attack message buffer areas together) depends on the number of forwarding cores, the number of attack defence dedicated cores and the number of shared central processing units. Suppose there are A forwarding cores, B attack defence cores and N attack message buffer areas. If no central processing unit is shared between forwarding cores and attack defence cores, then N = A + B, where the number of first attack message buffer areas is A and the number of second attack message buffer areas is B; if C central processing units are shared between forwarding cores and attack defence cores, then N = A + B - C.
Under normal conditions, when the memory corresponding to a central processing unit is initialized, a universal memory pool (mbuf mempool) is first constructed in that memory. After the central processing unit receives a message, it requests memory from the universal memory pool to store the received message content, and after the message is released, the memory occupied by the message is returned to the universal memory pool.
For the firewall device provided by the embodiments of the present application, when memory is initialized, a corresponding first message memory pool common-mempool needs to be constructed for the forwarding core and a corresponding second message memory pool special-mempool for the attack defence specific core. Specifically, the first message memory pool common-mempool is constructed in the memory corresponding to the first class central processing unit; after the forwarding core receives a message, it requests memory for storing the message from the first message memory pool common-mempool, and after the message is released, the memory occupied by the message is returned to the first message memory pool common-mempool. The second message memory pool special-mempool is constructed in the memory corresponding to the second class central processing unit; after the attack defence specific core receives a message, it requests memory for storing the message from the second message memory pool special-mempool, and after the message is released, the memory occupied by the message is returned to the second message memory pool special-mempool.
It should be noted that when the firewall device uses central processing units of a non-uniform memory access architecture (NUMA), initializing the memory corresponding to the first class central processing unit essentially means initializing the memory corresponding to the NUMA node in which that first class central processing unit resides; correspondingly, the number of first message memory pools common-mempool is equal to the number of NUMA nodes in the firewall device that contain a first class central processing unit.
In order to prevent resource contention from affecting the processing of large-flow attack messages when they arrive, when the memory corresponding to the second class central processing unit is initialized, a separate second message memory pool special-mempool can be constructed for each attack defence specific core. After receiving a message, each attack defence specific core requests memory from its own second message memory pool special-mempool, which guarantees that there is no memory resource contention between attack defence specific cores; correspondingly, the attack defence performance of the firewall device scales linearly with the number of attack defence specific cores.
It should be understood that when the first class central processing unit and the second class central processing unit share the same memory, the first message memory pool common-mempool dedicated to the forwarding core and the second message memory pool special-mempool dedicated to the attack defence specific core can both be constructed in that memory.
It should be noted that since the number of attack messages to be processed by the attack defence specific core is usually much greater than the number of messages to be processed by the forwarding core, the second message memory pool special-mempool constructed at memory initialization is usually much larger than the first message memory pool common-mempool, i.e. the number of messages that can be stored in the second message memory pool special-mempool is much greater than the number that can be stored in the first message memory pool common-mempool.
When memory is initialized, in addition to constructing the first message memory pool common-mempool and the second message memory pool special-mempool, the first attack message buffer area drop ring and the second attack message buffer area drop ring also need to be constructed. The number of first attack message buffer areas drop ring equals the number of forwarding cores, and the number of second attack message buffer areas drop ring equals the number of attack defence specific cores.
In addition, the size of the first attack message buffer area drop ring depends on the size of the first message memory pool common-mempool, and the size of the second attack message buffer area drop ring depends on the size of the second message memory pool special-mempool. When the firewall device uses central processing units of the NUMA architecture, the number of messages that can be stored in the first attack message buffer area drop ring depends on the number of messages that can be stored in the first message memory pool common-mempool and on the number of central processing units contained in one NUMA node: assuming that the first message memory pool common-mempool can store M messages and the number of central processing units in the NUMA node is A, the length of the first attack message buffer area drop ring is X = M/A. The number of messages that can be stored in the second attack message buffer area drop ring is equal to the number of messages that can be stored in the second message memory pool special-mempool.
It should be understood that since the second message memory pool special-mempool is usually much larger than the first message memory pool common-mempool, the number of messages that can be stored in the second attack message buffer area drop ring is also much greater than the number that can be stored in the first attack message buffer area drop ring.
The third class central processing unit 103 is configured with a log recording core, which is used to read the attack messages in the first attack message buffer area and the second attack message buffer area by lock-free read operations and to generate attack logs from the attack messages read.
When the first class central processing unit 101 judges that a received message is an attack message, it discards the message to the first attack message buffer area; similarly, when the second class central processing unit 102 judges that a received message is an attack message, it discards the message to the second attack message buffer area. The third class central processing unit 103 configured with the log recording core then traverses the first attack message buffer area and the second attack message buffer area, reads the attack messages stored there, and generates attack logs from the attack messages read.
It should be noted that, so that the log recording core can know why an attack message was dropped when it reads it from the first attack message buffer area or the second attack message buffer area, the messages in the first and second message buffer areas usually carry a field marking the drop reason, such as an extern_id field. The log recording core can thus obtain the drop reason from the extern_id field and extract specific fields from the attack message to form an attack log.
It should be noted that, under normal conditions, when multiple cores perform read or write operations on the data in the same buffer area at the same time, the cores need to operate on that data in a locked manner, i.e. the order in which each core operates on the buffer area is determined by the priority of each core: the core with the higher priority operates first and the core with the lower priority operates later. In the technical solution provided by the embodiments of the present application, the log recording core and the forwarding core can instead operate on the data in the first attack message buffer area in a lock-free manner, i.e. while the forwarding core writes attack messages into the first attack message buffer area, the log recording core can at the same time read attack messages from the first attack message buffer area, and the forwarding core and the log recording core do not interfere with each other. Similarly, the log recording core and the attack defence specific core can operate on the data in the second attack message buffer area in a lock-free manner, i.e. while the attack defence specific core writes attack messages into the second attack message buffer area, the log recording core can at the same time read attack messages from the second attack message buffer area, and the attack defence specific core and the log recording core do not interfere with each other.
In the above firewall device, the three types of central processing unit work independently and in parallel: the forwarding core processes normal messages and small-flow attacks, the attack defence specific core processes large-flow attacks, and the log recording core actively obtains attack messages and generates attack logs. Each of the three performs its own function, which guarantees that the firewall device can both forward messages normally and effectively defend against large-flow attacks while also recording attack logs, thereby effectively improving the performance of the firewall device and meeting market demand.
It should be noted that after the log recording core has read the attack messages stored in the first attack message buffer area and the second attack message buffer area, the forwarding core can reclaim the storage space occupied by the read attack messages in the first attack message buffer area and return it to the first message memory pool, and the attack defence specific core can reclaim the storage space occupied by the read attack messages in the second attack message buffer area and return it to the second message memory pool. This ensures that when the forwarding core and the attack defence specific core subsequently receive messages, the first message memory pool and the second message memory pool can provide enough storage space for them to use, so that the forwarding core and the attack defence specific core can work normally.
In one possible implementation, the forwarding core is used to reclaim, when the first attack message buffer area is saturated, the storage space of all attack messages in the first attack message buffer area that have been read by the log recording core, and to release that storage space to the first message memory pool corresponding to the forwarding core; similarly, the attack defence specific core is used to reclaim, when the second attack message buffer area is saturated, the storage space of all attack messages in the second attack message buffer area that have been read by the log recording core, and to release that storage space to the second message memory pool corresponding to the attack defence specific core.
Specifically, when the first attack message buffer area is filled with attack messages discarded by the forwarding core, the forwarding core can reclaim the storage space occupied by the attack messages in the first attack message buffer area that are marked as read; an attack message marked as read is essentially an attack message that has been read by the log recording core. After the storage space occupied by the read attack messages has been reclaimed, the reclaimed storage space is released to the first message memory pool corresponding to the forwarding core.
Similarly, when the second attack message buffer area is filled with attack messages discarded by the attack defence specific core, the attack defence specific core can reclaim the storage space occupied by the attack messages in the second attack message buffer area that are marked as read; an attack message marked as read is essentially an attack message that has been read by the log recording core. After the storage space occupied by the read attack messages has been reclaimed, the reclaimed storage space is released to the second message memory pool corresponding to the attack defence specific core.
In another possible implementation, the forwarding core is used to reclaim, when the proportion of free memory in its corresponding first message memory pool falls below a first threshold, the storage space of all attack messages in the first attack message buffer area that have been read by the log recording core, and to release the reclaimed storage space to the first message memory pool corresponding to the forwarding core; similarly, the attack defence specific core is used to reclaim, when the proportion of free memory in its corresponding second message memory pool falls below the first threshold, the storage space of all attack messages in the second attack message buffer area that have been read by the log recording core, and to release the reclaimed storage space to the second message memory pool corresponding to the attack defence specific core.
Specifically, when the proportion of free memory in the first message memory pool is below the first threshold, this indicates that little memory remains for the forwarding core to request for storing newly received messages. At this point, the forwarding core can reclaim the storage space occupied by the attack messages marked as read in the first attack message buffer area and release the reclaimed storage space to the first message memory pool corresponding to the forwarding core, thereby increasing the free memory in the first message memory pool.
Similarly, when the proportion of free memory in the second message memory pool is below the first threshold, this indicates that little memory remains for the attack defence specific core to request for storing newly received messages. At this point, the attack defence specific core can reclaim the storage space occupied by the attack messages marked as read in the second attack message buffer area and release the reclaimed storage space to the second message memory pool corresponding to the attack defence specific core, thereby increasing the free memory in the second message memory pool.
It should be understood that the above first threshold can be set according to actual needs; it can usually be set to 1/10 of the total memory. Correspondingly, the first threshold corresponding to the first message memory pool is 1/10 of the total memory of the first message memory pool, and the first threshold corresponding to the second message memory pool is 1/10 of the total memory of the second message memory pool. Of course, the first threshold can also be set to other values according to actual demand; no specific restriction is placed on the first threshold here.
Both of the above possible implementations reclaim memory in the first attack message buffer area and the second attack message buffer area in batch mode, i.e. when the memory reclaim condition is met, the storage space of all attack messages already read by the log recording core is reclaimed at once. This way of reclaiming can simplify the overall design of the firewall device to a certain extent and can also improve the forwarding performance of the firewall device.
It should be noted that when the log recording core configured in the third class central processing unit reads the attack messages in the first attack message buffer area and the second attack message buffer area, it can specifically start multiple log threads, which read attack messages concurrently by lock-free read operations; each log thread corresponds to one first attack message buffer area or one second attack message buffer area and is used to read attack messages from its corresponding attack message buffer area.
Specifically, when reading attack messages from the first attack message buffer area and the second attack message buffer area, the log recording core can start one log thread for each attack message buffer area (including the first attack message buffer areas and the second attack message buffer areas) and then read attack messages from each attack message buffer area through the log thread corresponding to it.
It should be understood that here the log threads are in one-to-one correspondence with the first attack message buffer areas or the second attack message buffer areas, and correspondingly in one-to-one correspondence with the first class central processing units or the second class central processing units; a log thread is dedicated to reading attack messages from the attack message buffer area corresponding to it.
In this mechanism, in which multiple log threads concurrently read the attack message buffer areas, log threads and attack message buffer areas correspond one to one, i.e. a log thread reads attack messages from only one attack message buffer area, and no single attack message buffer area is shared by multiple log threads. Resource contention between log threads while reading attack messages is therefore effectively avoided, which guarantees that the log recording core can record logs smoothly.
In one possible implementation, in order to guarantee that the log recording performance of the firewall device scales linearly with the number of log recording cores, multiple third class central processing units can be provided in the firewall device; the log recording core in each third class central processing unit starts one log thread, which reads attack messages from a first attack message buffer area or a second attack message buffer area.
Referring to Fig. 2, Fig. 2 is a schematic diagram of the operating principle of this kind of firewall device. As shown in Fig. 2, the firewall device includes two central processing units configured with forwarding cores, two central processing units shared by a forwarding core and an attack defence specific core, and one central processing unit configured with an attack defence specific core; an attack message buffer area drop ring corresponding to each central processing unit is provided in the memory corresponding to the above central processing units.
The firewall device further includes third class central processing units corresponding to each of the above central processing units; as shown in Fig. 2, the firewall device includes five central processing units configured with log recording cores, each of which corresponds to one of the above central processing units configured with a forwarding core and/or an attack defence specific core.
The log recording core in each third class central processing unit starts a log thread for its corresponding first class central processing unit or second class central processing unit, and reads attack messages through that log thread from the attack message buffer area drop ring corresponding to that first class central processing unit or second class central processing unit.
It should be understood that the firewall device shown in Fig. 2 is only an example. In practical applications, the attack message buffer areas are provided in the memory corresponding to the central processing units; for ease of description, Fig. 2 merges the central processing units with the memory and places the attack message buffer areas directly in the central processing units, whereas in fact the memory and the central processing units are independent of each other. In addition, the firewall device may include several first class central processing units and second class central processing units, and the number of third class central processing units depends on the number of first class central processing units and second class central processing units; no specific limit is placed here on the number of central processing units included in the firewall device.
In the firewall device shown in Fig. 2, the log recording cores are fully parallel to one another: the resources accessed by each log recording core are independent, each attack message buffer area is accessed by only two threads, one reading and one writing, and no other central processing unit can access it. Therefore, the log recording performance of the firewall device can be improved linearly with the number of log recording cores.
In a device supporting hyper-threading, the third class central processing unit can share the same physical device with the first class central processing unit or the second class central processing unit; moreover, the log recording core in the third class central processing unit can specifically read attack messages through the hyper-thread virtualized by that physical device.
In a device supporting hyper-threading, a physical device can support two classes of central processing unit running at the same time; specifically, a virtual device can be created in the physical device, and while the first class central processing unit or the second class central processing unit runs on the physical device, the created virtual device can be used to support the operation of the third class central processing unit.
It should be noted that the physical device is in fact a central processing unit, and supporting the operation of two classes of central processing unit essentially means supporting the forwarding core and the log recording core working at the same time, or supporting the attack defence specific core and the log recording core working at the same time; specifically, the central processing unit virtualized within the central processing unit can be used to support the work of the log recording core.
It should be understood that there is a correspondence between the third class central processing unit running in a physical device and the first class central processing unit or second class central processing unit running in the same physical device. If a first class central processing unit and a third class central processing unit run simultaneously in the same physical device, the log recording core in that third class central processing unit can read attack messages directly, through the hyper-thread virtualized by the physical device, from the first attack message buffer area corresponding to that first class central processing unit; similarly, if a second class central processing unit and a third class central processing unit run simultaneously in the same physical device, the log recording core in that third class central processing unit can read attack messages directly, through the hyper-thread virtualized by the physical device, from the second attack message buffer area corresponding to that second class central processing unit.
It should be understood that the hyper-thread virtualized by the above physical device is essentially a log thread, and the operations it performs are the same as those a log thread performs, i.e. reading attack messages from the attack message buffer area.
Referring to Fig. 3, Fig. 3 is a schematic diagram of the operating principle of a firewall device supporting hyper-threading provided by the embodiments of the present application. The firewall device includes four central processing units, where central processing unit 1 and central processing unit 2 support a forwarding core and a log recording core working at the same time, and central processing unit 3 and central processing unit 4 support an attack defence specific core and a log recording core working at the same time.
As shown in Fig. 3, the hyper-threads virtualized in central processing unit 1, central processing unit 2, central processing unit 3 and central processing unit 4 are each used as a log thread; the log recording cores in central processing unit 1 and central processing unit 2 read attack messages through the hyper-threads virtualized there from the first attack message buffer areas corresponding to the forwarding cores, and the log recording cores in central processing unit 3 and central processing unit 4 read attack messages through the hyper-threads virtualized there from the second attack message buffer areas corresponding to the attack defence specific cores.
It should be understood that, for ease of description, the log recording core running in each central processing unit of the firewall device shown in Fig. 3 is not shown. The firewall device shown in Fig. 3 is only an example. In practical applications, the attack message buffer areas are provided in the memory corresponding to the central processing units; for ease of description, Fig. 3 merges the central processing units with the memory and places the attack message buffer areas directly in the central processing units, whereas in fact the memory and the central processing units are independent of each other. In addition, the firewall device may include several central processing units supporting hyper-threading; no specific limit is placed here on the number of central processing units included in the firewall device.
In a firewall device supporting hyper-threading, the forwarding core or attack defence specific core can share the same cache memory (cache) with the log recording core, and the log thread can read the attack messages in the attack message buffer area on the hyper-thread. The forwarding core or attack defence specific core puts attack messages into the attack message buffer area in order, and the log recording core reads the attack messages from it in the reverse direction, so the forwarding core or attack defence specific core and the log recording core do not access the same memory at the same time. After the log recording core has read an attack message in the attack message buffer area, the memory occupied by that attack message is not read again before it is released, and the memory occupied by read attack messages is usually released in batch only when a certain condition is met; therefore the log recording core and the forwarding core or attack defence specific core do not occupy the same resource at the same time. In addition, because the operations performed by the log recording core and by the forwarding core or attack defence specific core are entirely different, having the log recording core share the same physical device with the forwarding core or attack defence specific core allows the physical device to be utilized more fully.
Since the log recording core and the forwarding core do not usually work synchronously, i.e. the log thread does not usually read an attack message from the attack message buffer area immediately after it has been written there, the log thread may have difficulty reading attack messages in time. When a large number of attack messages is encountered, the attack message buffer area may be largely written, or written full, in a short time while the log thread has still not read the attack messages in it, which affects firewall performance to a certain degree.
To prevent the above situation, this application provides two ways of notifying the log thread to read attack messages; both are introduced below.
In the first implementation, when the proportion of the first attack message buffer area that has been written reaches a second threshold and the log thread has not yet read the attack messages in it, the forwarding core notifies the log thread to read the attack messages; similarly, when the proportion of the second attack message buffer area that has been written reaches the second threshold and the log thread has not yet read the attack messages in it, the attack defence specific core notifies the log thread to read the attack messages.
Specifically, the forwarding core monitors the size of the written region in the first attack message buffer area; when it detects that the proportion of the first attack message buffer area occupied by the written region has reached the second threshold and determines that the log thread has not yet read the attack messages in the first attack message buffer area, the forwarding core notifies the log thread to read the attack messages in the first attack message buffer area.
Similarly, the attack defence specific core monitors the size of the written region in the second attack message buffer area; when it detects that the proportion of the second attack message buffer area occupied by the written region has reached the second threshold and determines that the log thread has not yet read the attack messages in the second attack message buffer area, the attack defence specific core notifies the log thread to read the attack messages in the second attack message buffer area.
It should be understood that the size of the above second threshold can be set according to actual needs; it can usually be set to 1/3. Of course, the second threshold can also be set to other values; no specific limit is placed on the second threshold here.
In the second implementation, the forwarding core can add prompt information to the tail of an attack message according to the size of the attack traffic and notify the log thread through that prompt information, so that the log thread adjusts the number of messages it reads each time according to the prompt information; similarly, the attack defence specific core can also add prompt information to the tail of an attack message according to the size of the attack traffic and notify the log thread through that prompt information, so that the log thread adjusts the number of messages it reads each time according to the prompt information.
Specifically, according to the size of the attack traffic, the forwarding core adds prompt information to the tail of the attack messages it discards into the first attack message buffer area; the prompt information tells the log thread how to adjust the number of messages read each time. Correspondingly, when the log thread reads such an attack message it obtains the prompt information carried in it, adjusts the number of messages read each time according to the prompt information, and the next time it reads attack messages from the first attack message buffer area it reads them according to the adjusted number.
Similarly, according to the size of the attack traffic, the attack defence specific core can add prompt information to the tail of the attack messages it discards into the second attack message buffer area; the prompt information tells the log thread how to adjust the number of messages read each time. Correspondingly, when the log thread reads such an attack message it obtains the prompt information carried in it, adjusts the number of messages read each time according to the prompt information, and the next time it reads attack messages from the second attack message buffer area it reads them according to the adjusted number.
It should be understood that when attack traffic is more, core or attack defending specific core is forwarded to mention attack message tail portion is increased
Show information, for notifying log thread to increase the number of reading message every time;When attack traffic is less, forward core or attack anti-
Imperial specific core is in the increased prompt information in attack message tail portion, for notifying log thread to reduce the number of reading message every time.
Log thread is notified to carry out the attack message in attack packet buffer area by above two implementation as a result,
It reads, guarantees that log thread can in time be read out the attack message in attack packet buffer area, to effectively prevent
Only in the case where meeting with a large amount of attack messages, the performance of firewall box is influenced.
For the firewall device described above, the present application also provides a message processing method for the firewall device, so that in practical applications the firewall device processes the messages it receives on the basis of this message processing method.
Referring to Fig. 4, Fig. 4 is a flow diagram of the message processing method provided by the embodiments of the present application. As shown in Fig. 4, the message processing method includes the following steps:
Step 401: the first type central processing unit receives and identifies messages of the first type through a pre-configured forwarding core, and according to the identification result forwards normal messages or drops attack messages into the first attack message buffer area corresponding to the forwarding core.
Step 402: the second type central processing unit receives and identifies messages of the second type through a pre-configured attack defending specific core, and according to the identification result forwards normal messages or drops attack messages into the second attack message buffer area corresponding to the attack defending specific core.
Step 403: the third type central processing unit, through a pre-configured log recording core, reads the attack messages in the first attack message buffer area and the second attack message buffer area by lock-free read operations and generates attack logs from the attack messages.
Optionally, the message processing method further includes:
the first type central processing unit, through the forwarding core, when the first attack message buffer area is saturated, reclaims the storage space of all attack messages in the first attack message buffer area that have already been read by the log recording core, and releases that storage space to the first message memory pool corresponding to the forwarding core;
the second type central processing unit, through the attack defending specific core, when the second attack message buffer area is saturated, reclaims the storage space of all attack messages in the second attack message buffer area that have already been read by the log recording core, and releases that storage space to the second message memory pool corresponding to the attack defending specific core.
Optionally, the first type central processing unit, through the forwarding core, when the proportion of free memory in the first message memory pool corresponding to the forwarding core is less than the first threshold, reclaims the storage space of all attack messages in the first attack message buffer area that have already been read by the log recording core, and releases that storage space to the first message memory pool corresponding to the forwarding core;
the second type central processing unit, through the attack defending specific core, when the proportion of free memory in the second message memory pool corresponding to the attack defending specific core is less than the first threshold, reclaims the storage space of all attack messages in the second attack message buffer area that have already been read by the log recording core, and releases that storage space to the second message memory pool corresponding to the attack defending specific core.
Optionally, the third type central processing unit, through the log recording core, starts multiple log threads, and the multiple log threads read attack messages concurrently, each using lock-free read operations, wherein one log thread corresponds to one central processing unit and reads attack messages from the corresponding central processing unit.
Optionally, the message processing method further includes:
the first type central processing unit, through the forwarding core, notifies the log thread to read attack messages when the proportion of the written region of the first attack message buffer area reaches the second threshold and the log thread has not yet read it;
the second type central processing unit, through the attack defending specific core, notifies the log thread to read attack messages when the proportion of the written region of the second attack message buffer area reaches the second threshold and the log thread has not yet read it.
Optionally, the message processing method further includes:
the first type central processing unit, through the forwarding core, appends prompt information to the tail of an attack message according to the size of the attack traffic and notifies the log thread through the prompt information, so that the log thread adjusts the number of messages it reads each time according to the prompt information;
the second type central processing unit, through the attack defending specific core, appends prompt information to the tail of an attack message according to the size of the attack traffic and notifies the log thread through the prompt information, so that the log thread adjusts the number of messages it reads each time according to the prompt information.
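As an added example, not code from the patent, the following C model of one attack message buffer area shows the two log-thread notification mechanisms described above (the 1/3 written-region second threshold and the prompt information at the tail of an attack message) together with the memory-pool reclamation of the optional steps just listed; the ring size, pool size, first threshold value and attack-rate bands are assumed.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed sizes; the page fixes only the 1/3 second threshold. */
#define RING_SIZE 16             /* slots in the first attack message buffer area */
#define POOL_SIZE 24             /* messages in the first message memory pool */
#define FIRST_THRESHOLD_PCT 25   /* assumed: reclaim when free pool share < 25% */
#define RATE_HIGH 1000           /* assumed attack-rate bands (msgs/s) for the tail prompt */
#define RATE_LOW 100

enum prompt { PROMPT_KEEP, PROMPT_MORE, PROMPT_FEWER }; /* tail prompt information */

struct attack_msg { uint8_t payload[64]; uint8_t len; uint8_t prompt; };

/* One buffer area plus its memory pool. Single producer (forwarding core), single
 * consumer (log thread): each index has exactly one writer, so no lock is needed. */
struct ring {
    struct attack_msg *slot[RING_SIZE];
    _Atomic uint32_t head;       /* next slot to write; advanced only by the forwarding core */
    _Atomic uint32_t tail;       /* next slot to read; advanced only by the log thread */
    uint32_t reclaimed;          /* producer-private: slots whose message is back in the pool */
    _Atomic bool notify;         /* written region reached the second threshold, still unread */
    struct attack_msg msgs[POOL_SIZE];
    struct attack_msg *free_list[POOL_SIZE];
    int n_free;
};

void ring_init(struct ring *r) {
    memset(r, 0, sizeof *r);
    for (int i = 0; i < POOL_SIZE; i++) r->free_list[r->n_free++] = &r->msgs[i];
}

/* Forwarding core: return messages already read by the log thread to the pool. Only
 * [reclaimed, tail) is touched, so unread slots are never freed under the reader. */
static void ring_reclaim(struct ring *r) {
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_acquire);
    for (; r->reclaimed != tail; r->reclaimed++)
        r->free_list[r->n_free++] = r->slot[r->reclaimed % RING_SIZE];
}

/* Forwarding core drops an attack message into its buffer area. Returns false when the
 * ring holds RING_SIZE unread messages (or the pool is empty) and the copy is abandoned. */
bool ring_drop(struct ring *r, const uint8_t *data, size_t len, uint32_t attack_rate) {
    uint32_t head = atomic_load_explicit(&r->head, memory_order_relaxed);
    bool saturated = head - r->reclaimed == RING_SIZE;
    bool pool_low = r->n_free * 100 < POOL_SIZE * FIRST_THRESHOLD_PCT;
    if (saturated || pool_low) ring_reclaim(r);
    if (head - r->reclaimed == RING_SIZE || r->n_free == 0) return false;

    struct attack_msg *m = r->free_list[--r->n_free];
    m->len = (uint8_t)(len > sizeof m->payload ? sizeof m->payload : len);
    memcpy(m->payload, data, m->len);
    m->prompt = attack_rate > RATE_HIGH ? PROMPT_MORE
              : attack_rate < RATE_LOW  ? PROMPT_FEWER : PROMPT_KEEP;
    r->slot[head % RING_SIZE] = m;
    atomic_store_explicit(&r->head, head + 1, memory_order_release);

    /* First notification mechanism: written region has reached 1/3 of the ring. */
    uint32_t written = head + 1 - atomic_load_explicit(&r->tail, memory_order_acquire);
    if (written * 3 >= RING_SIZE) atomic_store_explicit(&r->notify, true, memory_order_release);
    return true;
}

/* Log thread: lock-free batch read of up to *batch messages into out. Second mechanism:
 * the tail prompt of the last message read adjusts *batch for the next call. Returns count. */
uint32_t log_read(struct ring *r, uint32_t *batch, struct attack_msg *out) {
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    uint32_t head = atomic_load_explicit(&r->head, memory_order_acquire);
    uint32_t n = head - tail < *batch ? head - tail : *batch;
    for (uint32_t i = 0; i < n; i++) out[i] = *r->slot[(tail + i) % RING_SIZE];
    if (n > 0) {
        uint8_t p = out[n - 1].prompt;
        if (p == PROMPT_MORE && *batch < RING_SIZE) *batch *= 2;
        if (p == PROMPT_FEWER && *batch > 1) *batch /= 2;
    }
    atomic_store_explicit(&r->notify, false, memory_order_relaxed);
    atomic_store_explicit(&r->tail, tail + n, memory_order_release);
    return n;
}
```

Because the log thread never frees into the pool and the forwarding core never advances tail, neither side needs a lock; the producer reclaims only slots the consumer has already published as read.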
In the message processing method of the firewall device provided by the embodiments of the present application, the three types of central processing unit in the firewall device work independently and in parallel: the forwarding core handles normal messages and small-flow attacks, the attack defending specific core handles large-flow attacks, and the log recording core actively obtains the attack messages and generates the corresponding attack logs. With each performing its own duty, the firewall device can not only forward messages normally but also defend effectively against large-flow attacks while at the same time recording attack logs; the performance of the firewall device is thus effectively improved so that it meets market demand.
The embodiments of the present application also provide a computer-readable storage medium for storing program code, the program code being used to execute any one of the embodiments of the message processing method of a firewall device described in the foregoing embodiments.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, device and method may be realised in other ways. For example, the device embodiments described above are merely illustrative; the division into units is only a division by logical function, and other divisions are possible in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in each embodiment of this application may be integrated in one processing unit, or each unit may exist physically alone, or two or more units may be integrated in one unit. The integrated unit may be realised either in the form of hardware or in the form of a software functional unit.
If the integrated unit is realised in the form of a software functional unit and is sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of this application in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product; the software product is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the method of each embodiment of this application. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, a removable hard disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk or an optical disk.
The above embodiments are only intended to illustrate the technical solution of this application, not to limit it; although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that they may still modify the technical solutions recorded in the foregoing embodiments or replace some of the technical features by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of this application.
Claims (10)
1. A firewall device, characterised in that it comprises:
central processing units of three types and a memory corresponding to each type of central processing unit; the central processing units of the three types comprise a first type central processing unit, a second type central processing unit and a third type central processing unit; wherein
a forwarding core is configured in the first type central processing unit, the forwarding core being used to receive and identify messages of a first type and, according to the identification result, forward normal messages or drop attack messages into a first attack message buffer area corresponding to the forwarding core;
an attack defending specific core is configured in the second type central processing unit, the attack defending specific core being used to receive and identify messages of a second type and, according to the identification result, forward normal messages or drop attack messages into a second attack message buffer area corresponding to the attack defending specific core;
a log recording core is configured in the third type central processing unit, the log recording core being used to read, by lock-free read operations, the attack messages in the first attack message buffer area and the second attack message buffer area and to generate attack logs from the attack messages.
2. The firewall device according to claim 1, characterised in that the third type central processing unit shares the same physical device with the first type central processing unit and with the second type central processing unit respectively; and the log recording core in the third type central processing unit is specifically used to read attack messages through a hyper-thread virtualised from that physical device.
3. The firewall device according to claim 1, characterised in that the first type central processing unit and the second type central processing unit use the same physical device.
4. The firewall device according to claim 1, characterised in that the log recording core is specifically used to start multiple log threads, the multiple log threads reading attack messages concurrently, each using lock-free read operations, wherein one log thread corresponds to the first attack message buffer area or the second attack message buffer area and is used to read attack messages from the corresponding attack message buffer area.
5. The firewall device according to claim 1, characterised in that the firewall device comprises multiple third type central processing units, and the log recording core in each third type central processing unit starts one log thread, which reads attack messages from the first attack message buffer area or the second attack message buffer area.
6. The firewall device according to claim 1, characterised in that the forwarding core is further used to notify the log thread to read attack messages when the proportion of the written region of the first attack message buffer area reaches a second threshold and the log thread has not yet read it;
the attack defending specific core is further used to notify the log thread to read attack messages when the proportion of the written region of the second attack message buffer area reaches the second threshold and the log thread has not yet read it.
7. The firewall device according to claim 1, characterised in that
the forwarding core is further used to append prompt information to the tail of an attack message according to the size of the attack traffic and to notify the log thread through the prompt information, so that the log thread adjusts the number of messages it reads each time according to the prompt information;
the attack defending specific core is further used to append prompt information to the tail of an attack message according to the size of the attack traffic and to notify the log thread through the prompt information, so that the log thread adjusts the number of messages it reads each time according to the prompt information.
8. A message processing method of a firewall device, characterised in that it comprises:
a first type central processing unit receiving and identifying messages of a first type through a pre-configured forwarding core and, according to the identification result, forwarding normal messages or dropping attack messages into a first attack message buffer area corresponding to the forwarding core;
a second type central processing unit receiving and identifying messages of a second type through a pre-configured attack defending specific core and, according to the identification result, forwarding normal messages or dropping attack messages into a second attack message buffer area corresponding to the attack defending specific core;
a third type central processing unit, through a pre-configured log recording core, reading the attack messages in the first attack message buffer area and the second attack message buffer area by lock-free read operations and generating attack logs from the attack messages.
9. The message processing method according to claim 8, characterised in that the third type central processing unit starts multiple log threads through the log recording core, the multiple log threads reading attack messages concurrently, each using lock-free read operations, wherein one log thread corresponds to one central processing unit and is used to read attack messages from the corresponding central processing unit.
10. A computer-readable storage medium, characterised in that the computer-readable storage medium is used to store program code, the program code being used to execute the message processing method according to any one of claims 8 to 9.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811574742.XA CN109495504B (en) | 2018-12-21 | 2018-12-21 | Firewall equipment and message processing method and medium thereof |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109495504A true CN109495504A (en) | 2019-03-19 |
CN109495504B CN109495504B (en) | 2021-05-25 |
Family
ID=65711402
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811574742.XA Active CN109495504B (en) | 2018-12-21 | 2018-12-21 | Firewall equipment and message processing method and medium thereof |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109495504B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||