CN109495504A - A firewall device, its packet processing method and a storage medium - Google Patents

A firewall device, its packet processing method and a storage medium

Info

Publication number: CN109495504A (granted as CN109495504B)
Authority: CN (China)
Application number: CN201811574742.XA
Other languages: Chinese (zh)
Inventor: 刘健男
Original and current assignee: Neusoft Corp
Legal status: granted, active
Prior art keywords: attack, message (packet), central processing unit, core

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

Embodiments of this application disclose a firewall device that contains three types of central processing unit (CPU), each with its own corresponding memory. A forwarding core configured on the first-type CPU forwards normal packets and discards small-flow attack packets into a first attack-packet buffer; an attack-defense dedicated core configured on the second-type CPU forwards normal packets and discards large-flow attack packets into a second attack-packet buffer; and a log-recording core configured on the third-type CPU reads the attack packets in the first and second attack-packet buffers with lock-free read operations and generates attack logs from them. The firewall device therefore forwards normal packets, defends against traffic attacks and records attack logs at the same time.

Description

A firewall device, its packet processing method and a storage medium
Technical field
This application relates to the field of network security, and in particular to a firewall device, a packet processing method for it, and a computer-readable storage medium. (Throughout, the source term 报文, rendered "message" by the machine translation, means a network packet.)
Background technique
A firewall (also called a protective wall) is the barrier between an internal network and external networks: it controls which packets may pass according to pre-defined rules. It can be understood as the first line of defence of a network system, and its purpose is to keep unauthorized users out.
As technology advances, network attacks escalate with it: DDoS (Distributed Denial of Service) attacks of tens or even hundreds of Gbps appear one after another, so the packet-processing pressure on firewalls keeps growing. Moreover, to maintain network security better, a firewall buyer such as an enterprise wants the firewall not only to block network attacks but also to record attack logs for later analysis.
Current software firewalls, however, are limited by contention for resources between concurrently running cores and by software performance: it is hard for them both to keep normal traffic flowing and to block large-flow attacks, and they have no way to record attack logs on top of that. A software-firewall design is therefore needed that keeps normal traffic flowing, blocks large-flow attacks, and records attack logs at the same time.
Summary of the invention
Embodiments of this application provide a firewall device, a packet processing method and a storage medium that record attack logs even under a large-flow attack, without degrading the firewall's attack-defense performance or its forwarding performance for normal packets.
In view of this, a first aspect of this application provides a firewall device comprising:
three types of central processing unit, and memory corresponding to each type of CPU; the three types are a first-type CPU, a second-type CPU and a third-type CPU; wherein
a forwarding core is configured on the first-type CPU to receive and identify packets of a first type and, according to the identification result, either forward normal packets or discard attack packets into a first attack-packet buffer corresponding to the forwarding core;
an attack-defense dedicated core is configured on the second-type CPU to receive and identify packets of a second type and, according to the identification result, either forward normal packets or discard attack packets into a second attack-packet buffer corresponding to the attack-defense dedicated core;
a log-recording core is configured on the third-type CPU to read the attack packets in the first and second attack-packet buffers with lock-free read operations and generate attack logs from those attack packets.
Optionally, when the first attack-packet buffer is saturated, the forwarding core reclaims the storage of every attack packet in the first attack-packet buffer that the log-recording core has already read, and releases that storage to the first packet memory pool corresponding to the forwarding core;
when the second attack-packet buffer is saturated, the attack-defense dedicated core reclaims the storage of every attack packet in the second attack-packet buffer that the log-recording core has already read, and releases that storage to the second packet memory pool corresponding to the attack-defense dedicated core.
Optionally, when the proportion of free memory in the first packet memory pool corresponding to the forwarding core falls below a first threshold, the forwarding core reclaims the storage of every attack packet in the first attack-packet buffer that the log-recording core has already read, and releases that storage to the first packet memory pool;
when the proportion of free memory in the second packet memory pool corresponding to the attack-defense dedicated core falls below the first threshold, the attack-defense dedicated core reclaims the storage of every attack packet in the second attack-packet buffer that the log-recording core has already read, and releases that storage to the second packet memory pool.
Optionally, the firewall device comprises multiple first-type CPUs and multiple second-type CPUs.
Optionally, the third-type CPU shares the same physical device with the first-type CPU and with the second-type CPU respectively; the log-recording core on the third-type CPU then reads attack packets through a hyper-thread virtualized from that physical device.
Optionally, the first-type CPU and the second-type CPU use the same physical device.
Optionally, the log-recording core starts multiple log threads that read attack packets concurrently with lock-free read operations, each log thread corresponding to one first attack-packet buffer or one second attack-packet buffer and reading attack packets from that buffer.
Optionally, the firewall device comprises multiple third-type CPUs, and the log-recording core on each third-type CPU starts one log thread, which reads attack packets from the first attack-packet buffer or the second attack-packet buffer.
Optionally, when the written region of the first attack-packet buffer reaches a second threshold as a proportion of the buffer and the log thread has not yet read it, the forwarding core notifies the log thread to read attack packets;
when the written region of the second attack-packet buffer reaches the second threshold as a proportion of the buffer and the log thread has not yet read it, the attack-defense dedicated core notifies the log thread to read attack packets.
Optionally, the forwarding core appends prompt information to the tail of an attack packet according to the size of the attack traffic and notifies the log thread through that prompt information, so that the log thread adjusts the number of packets it reads per read according to the prompt information;
the attack-defense dedicated core likewise appends prompt information to the tail of an attack packet according to the size of the attack traffic and notifies the log thread through it, so that the log thread adjusts the number of packets it reads per read according to the prompt information.
A second aspect of this application provides a packet processing method for a firewall device, comprising:
a first-type CPU, through a pre-configured forwarding core, receives and identifies packets of a first type and, according to the identification result, forwards normal packets or discards attack packets into a first attack-packet buffer corresponding to the forwarding core;
a second-type CPU, through a pre-configured attack-defense dedicated core, receives and identifies packets of a second type and, according to the identification result, forwards normal packets or discards attack packets into a second attack-packet buffer corresponding to the attack-defense dedicated core;
a third-type CPU, through a pre-configured log-recording core, reads the attack packets in the first and second attack-packet buffers with lock-free read operations and generates attack logs from those attack packets.
Optionally, the method further comprises:
when the first attack-packet buffer is saturated, the first-type CPU, through the forwarding core, reclaims the storage of every attack packet in the first attack-packet buffer that the log-recording core has already read and releases it to the first packet memory pool corresponding to the forwarding core;
when the second attack-packet buffer is saturated, the second-type CPU, through the attack-defense dedicated core, reclaims the storage of every attack packet in the second attack-packet buffer that the log-recording core has already read and releases it to the second packet memory pool corresponding to the attack-defense dedicated core.
Optionally, when the proportion of free memory in the first packet memory pool corresponding to the forwarding core falls below a first threshold, the first-type CPU, through the forwarding core, reclaims the storage of every attack packet in the first attack-packet buffer that the log-recording core has already read and releases it to the first packet memory pool;
when the proportion of free memory in the second packet memory pool corresponding to the attack-defense dedicated core falls below the first threshold, the second-type CPU, through the attack-defense dedicated core, reclaims the storage of every attack packet in the second attack-packet buffer that the log-recording core has already read and releases it to the second packet memory pool.
Optionally, the third-type CPU, through the log-recording core, starts multiple log threads that read attack packets concurrently with lock-free read operations, each log thread corresponding to one CPU and reading attack packets from the buffer of that CPU.
Optionally, the method further comprises:
when the written region of the first attack-packet buffer reaches a second threshold as a proportion of the buffer and the log thread has not yet read it, the first-type CPU, through the forwarding core, notifies the log thread to read attack packets;
when the written region of the second attack-packet buffer reaches the second threshold as a proportion of the buffer and the log thread has not yet read it, the second-type CPU, through the attack-defense dedicated core, notifies the log thread to read attack packets.
Optionally, the method further comprises:
the first-type CPU, through the forwarding core, appends prompt information to the tail of an attack packet according to the size of the attack traffic and notifies the log thread through it, so that the log thread adjusts the number of packets it reads per read according to the prompt information;
the second-type CPU, through the attack-defense dedicated core, appends prompt information to the tail of an attack packet according to the size of the attack traffic and notifies the log thread through it, so that the log thread adjusts the number of packets it reads per read according to the prompt information.
A third aspect of this application provides a computer-readable storage medium storing program code for executing the packet processing method of the second aspect.
As can be seen from the above technical solutions, the embodiments of this application have the following advantages:
The embodiments provide a firewall device containing three types of central processing unit (CPU) and memory corresponding to each type: a first-type CPU, a second-type CPU and a third-type CPU. A forwarding core configured on the first-type CPU forwards normal packets and discards small-flow attack packets into a first attack-packet buffer; an attack-defense dedicated core configured on the second-type CPU forwards normal packets and discards large-flow attack packets into a second attack-packet buffer; a log-recording core configured on the third-type CPU reads the attack packets in both buffers with lock-free read operations and generates the corresponding attack logs. The three types of CPU work independently and in parallel: the forwarding core handles normal packets and small-flow attacks, the attack-defense dedicated core handles large-flow attacks, and the log-recording core actively fetches attack packets and generates the corresponding attack logs. With each performing its own function, the firewall device forwards normal packets, defends effectively against large-flow attacks and records attack logs at the same time, which effectively improves the device's performance and meets market demand.
Detailed description of the invention
Fig. 1 is a schematic structural diagram of a firewall device provided by an embodiment of this application;
Fig. 2 is a schematic structural diagram of another firewall device provided by an embodiment of this application;
Fig. 3 is a schematic structural diagram of yet another firewall device provided by an embodiment of this application;
Fig. 4 is a schematic flow diagram of a packet processing method provided by an embodiment of this application.
Specific embodiment
To help those skilled in the art understand this application better, the technical solutions in its embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are obviously only some, not all, of the embodiments of this application; all other embodiments that a person of ordinary skill in the art obtains from them without creative effort fall within the scope of protection of this application.
The terms "first", "second", "third", "fourth" and so on (if present) in the description, claims and drawings are used to distinguish similar objects, not to describe a particular order or sequence. Data so used are interchangeable where appropriate, so that the embodiments described here can be implemented in an order other than the one illustrated or described. Furthermore, the terms "comprising" and "having" and any variants of them are intended to cover a non-exclusive inclusion: a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units expressly listed, and may include other steps or units that are not expressly listed or that are inherent to it.
In the prior art a hardware firewall is usually chosen as the barrier between the intranet and the extranet; it is expensive but resists attacks better. Yet even a hardware firewall with a high-performance CPU is constrained by contention between concurrently running cores and by software performance, and generally cannot record attack logs while blocking a traffic attack.
Compared with a hardware firewall, a software firewall resists attacks more weakly and likewise cannot record attack logs while resisting an attack. The reason is that, for a software firewall to record attack logs, the forwarding core has to extract attack-traffic information from the attack packets, record it, and then send the record to the log system. When a large attack arrives and the forwarding core's performance usage is checked with a tool such as the perf command, the log system is clearly seen to account for a large share of the forwarding core's calls.
That is, when a traffic attack arrives the forwarding core must simultaneously forward normal packets, resist the traffic attack, extract attack-traffic information and send that information to the log system, and the last two operations consume a large share of the forwarding core's capacity; the forwarding core on its own therefore cannot sustain forwarding normal packets, resisting the attack and extracting attack-traffic information at the same time. In addition, before sending the attack-traffic information to the log system the forwarding core must notify it, and whether that notification is made by a signal between threads or by a system call, it degrades the forwarding core's performance to some degree.
To solve these problems of the prior art, embodiments of this application provide a firewall device that records attack logs even under a large-flow attack, without affecting its attack-defense performance or its forwarding performance for normal packets.
Specifically, the firewall device of the embodiments contains three types of CPU and memory corresponding to each type; a forwarding core, an attack-defense dedicated core and a log-recording core are configured on the three types respectively. The forwarding core forwards normal packets and discards small-flow attack packets into the first attack-packet buffer; the attack-defense dedicated core discards large-flow attack packets into the second attack-packet buffer; the log-recording core reads the attack packets in both buffers with lock-free read operations and generates the corresponding attack logs.
Because the forwarding core, the attack-defense dedicated core and the log-recording core work independently and concurrently, with the forwarding core dedicated to forwarding normal packets and handling small-flow attacks, the attack-defense dedicated core to handling large-flow attacks, and the log-recording core to reading attack packets and generating attack logs, the firewall device can forward normal packets, resist traffic attacks and generate attack logs at the same time. Even under a large-flow attack, recording the attack logs does not affect the firewall's attack resistance or its packet forwarding performance.
The firewall device provided by this application is introduced below through embodiments.
Referring to Fig. 1, a schematic structural diagram of a firewall device of an embodiment: the firewall device contains three types of CPU, a first-type CPU 101, a second-type CPU 102 and a third-type CPU 103, together with memory corresponding to each type: memory 104 corresponding to the first-type CPU 101, memory 105 corresponding to the second-type CPU 102 and memory 106 corresponding to the third-type CPU 103.
Note that the device in Fig. 1 is only an example. In practice each type of CPU may have its own memory, or several types of CPU may share one: any two of the first-type CPU 101, the second-type CPU 102 and the third-type CPU 103 may share a memory, or all three types may share a single memory.
A forwarding core is configured on the first-type CPU 101; it receives and identifies packets of the first type and then, according to the identification result, forwards normal packets or discards attack packets into the first attack-packet buffer corresponding to the forwarding core.
An attack-defense dedicated core is configured on the second-type CPU 102; it receives and identifies packets of the second type and then, according to the identification result, forwards normal packets or discards attack packets into the second attack-packet buffer corresponding to the attack-defense dedicated core.
Packets of the first type consist of normal packets and small-flow attack packets; packets of the second type consist of normal packets and large-flow attack packets. When the firewall device receives a packet from outside, its network interface card identifies the packet's type according to traffic-feature rules set in advance in the NIC driver: a packet whose features match those of the first type is sent to the first-type CPU 101, and a packet whose features match those of the second type is sent to the second-type CPU 102.
Separating large-flow attack packets from normal packets and small-flow attack packets by their features, and handling the large-flow attack packets on the second-type CPU 102 configured with the attack-defense dedicated core, is also known as black-hole processing: once the firewall device receives large-flow attack packets such as a DDoS attack, they are steered directly to the separate attack-defense dedicated core (running its own thread). This keeps the forwarding of normal packets unaffected by the large-flow attack packets while also ensuring that those packets are handled efficiently.
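The steering step described above, as an added example in C that is not code from the patent or from Neusoft: a software model of the NIC-driver traffic-feature rules that send a received packet either to the first-type CPU (forwarding core) or to the second-type CPU (attack-defense core). The two static header-pattern rules, the 1000 packets-per-second per-source rate above which a source is treated as large-flow traffic, the 64-slot counter table, and the names steer, steer_fields and replay_flood are all assumptions; a real NIC flow rule matches on header fields, and the rate-based promotion here stands in for whatever the driver uses to recognize large-flow attack traffic.

```c
/* Added example, not code from the patent: a software model of the NIC-driver
 * traffic-feature rules that steer a received packet either to the first-type
 * CPU (forwarding core) or to the second-type CPU (attack-defense core).
 * The rule contents, thresholds, table size and function names are assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { CPU_FORWARD = 1, CPU_DEFEND = 2 };   /* first-type / second-type CPU */
enum { PROTO_TCP = 6, PROTO_UDP = 17 };
#define TCP_SYN  0x02
#define TCP_ACK  0x10
#define HH_SLOTS 64          /* heavy-hitter table size (assumed) */
#define RATE_PPS 1000        /* above this per-source rate a flow counts as "large" (assumed) */

typedef struct {
    uint32_t src, dst;       /* IPv4 addresses, host order */
    uint8_t  proto, tcp_flags;
    uint16_t dport, len;     /* frame length in bytes */
    uint64_t ts_us;          /* receive timestamp */
} pkt_t;

/* A static rule: header pattern (0 = wildcard) and the CPU type it steers to. */
typedef struct {
    uint8_t proto; uint16_t dport; uint8_t flags_mask, flags_val; uint16_t max_len; int target;
} rule_t;

static const rule_t rules[] = {
    /* bare SYN (no ACK) at minimum frame size: the classic SYN-flood shape */
    { PROTO_TCP, 0,  TCP_SYN | TCP_ACK, TCP_SYN, 60, CPU_DEFEND },
    /* tiny UDP/53 requests: the DNS reflection/amplification shape */
    { PROTO_UDP, 53, 0, 0, 80, CPU_DEFEND },
};

/* Per-source packet counter over a 1 s window; a source above RATE_PPS is
 * promoted to the defense core even if no static rule matches it. */
typedef struct { uint32_t src, count; uint64_t window_start_us; } hh_t;
static hh_t hh[HH_SLOTS];

void steer_reset(void) { memset(hh, 0, sizeof hh); }

static bool rule_match(const rule_t *r, const pkt_t *p) {
    if (r->proto && r->proto != p->proto) return false;
    if (r->dport && r->dport != p->dport) return false;
    if ((p->tcp_flags & r->flags_mask) != r->flags_val) return false;
    if (r->max_len && p->len > r->max_len) return false;
    return true;
}

static bool heavy_hitter(const pkt_t *p) {
    hh_t *e = &hh[(p->src * 2654435761u) >> 26];        /* Fibonacci hash into 64 slots */
    if (e->src != p->src || p->ts_us - e->window_start_us >= 1000000u) {
        e->src = p->src; e->count = 0; e->window_start_us = p->ts_us;  /* new source or new window */
    }
    return ++e->count > RATE_PPS;
}

/* Returns CPU_FORWARD or CPU_DEFEND for one received packet. */
int steer(const pkt_t *p) {
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (rule_match(&rules[i], p)) return rules[i].target;
    return heavy_hitter(p) ? CPU_DEFEND : CPU_FORWARD;
}

/* Convenience wrapper so a caller need not fill a pkt_t by hand. */
int steer_fields(uint32_t src, uint8_t proto, uint16_t dport, uint8_t flags, uint16_t len, uint64_t ts_us) {
    pkt_t p = { src, 0xC0A80001u, proto, flags, dport, len, ts_us };   /* dst 192.168.0.1, constructed */
    return steer(&p);
}

/* Replay n full-size HTTP packets from one source, 1 us apart, starting at t0;
 * returns how many of them were steered to the defense core. */
int replay_flood(uint32_t src, int n, uint64_t t0_us) {
    int promoted = 0;
    for (int i = 0; i < n; i++)
        promoted += steer_fields(src, PROTO_TCP, 80, TCP_ACK, 1500, t0_us + (uint64_t)i) == CPU_DEFEND;
    return promoted;
}

int main(void) {
    steer_reset();
    printf("bare SYN               -> CPU type %d\n", steer_fields(0x0A000005u, PROTO_TCP, 443, TCP_SYN, 54, 0));
    printf("small UDP/53           -> CPU type %d\n", steer_fields(0x0A000006u, PROTO_UDP, 53, 0, 64, 0));
    printf("1000 pkt/s, one source -> %d promoted\n", replay_flood(0x0A000007u, 1000, 0));
    printf("next 1000, same second -> %d promoted\n", replay_flood(0x0A000007u, 1000, 1000));
    return 0;
}
```

The static rules cover attack shapes that are recognizable from a single packet; the per-source counter covers traffic that looks normal packet by packet and only becomes an attack by volume, which is exactly the case where the patent wants the large flow moved off the forwarding core. The counter resets on a hash collision, so a production version would need a proper flow table.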
The first attack-packet buffer may be located in the memory 104 corresponding to the first-type CPU, and the second attack-packet buffer in the memory 105 corresponding to the second-type CPU; first attack-packet buffers correspond one-to-one to forwarding cores, and second attack-packet buffers correspond one-to-one to attack-defense dedicated cores.
After the first-type CPU 101 receives a packet of the first type, the forwarding core configured on it identifies the packet further: if it is a normal packet it is forwarded; if it is a small-flow attack packet it is discarded into the memory 104 corresponding to the first-type CPU 101, that is, into the first attack-packet buffer corresponding to the forwarding core.
Likewise, after the second-type CPU 102 receives a packet of the second type, the attack-defense dedicated core configured on it processes the packet further: if it is a normal packet it is forwarded; if it is a large-flow attack packet it is discarded into the memory 105 corresponding to the second-type CPU 102, that is, into the second attack-packet buffer corresponding to the attack-defense dedicated core.
It should be understood that in practice the attack-defense dedicated core can also forward normal packets in addition to handling large-flow attack packets: if it receives a normal packet, it forwards it.
It should be noted that in practical applications, in order to improve the performance of firewall box, usually can be set multiple A kind of central processing unit 101 and multiple second class central processing units 102, that is, multiple first configured with forwarding core can be set Class central processing unit 101 and multiple the second class central processing units 103 configured with attack defending specific core;Correspondingly, firewall The message forwarding performance and attack defending performance of equipment, also will be correspondingly in first kind central processing unit 101 and the second class The increase of central processor 102 and enhance;The quantity of each type of central processing unit can specifically be set according to actual needs It sets.
It should be noted that in some cases the first-type central processing unit 101 and the second-type central processing unit 102 can use the same physical device; that is, a forwarding core and an attack-defence dedicated core can share one central processing unit. The forwarding core and the attack-defence dedicated core in that central processing unit share one exclusive thread and can simultaneously perform the three functions of normal message forwarding, low-volume attack message processing and high-volume attack message processing.
Correspondingly, the number of attack message buffer areas in the firewall device (including the first attack message buffer areas and the second attack message buffer areas) depends on the number of forwarding cores, attack-defence dedicated cores and shared central processing units. Assume there are A forwarding cores, B attack-defence cores and N attack message buffer areas. If no central processing unit is shared between forwarding cores and attack-defence cores, then N = A + B, where the number of first attack message buffer areas is A and the number of second attack message buffer areas is B; if C central processing units are shared between forwarding cores and attack-defence cores, then N = A + B - C.
Under normal circumstances, when the memory corresponding to a central processing unit is initialised, a universal memory pool mubf mempool is first constructed in that memory. After the central processing unit receives a message, it requests memory from the universal memory pool mubf mempool to store the received message content; after the message is released, the memory occupied by the message is released back into the universal memory pool mubf mempool.
For the firewall device provided by the embodiments of this application, when memory is initialised, a corresponding first message memory pool common-mempool needs to be constructed for the forwarding core, and a corresponding second message memory pool special-mempool for the attack-defence dedicated core. Specifically, the first message memory pool common-mempool can be constructed in the memory corresponding to the first-type central processing unit; after the forwarding core receives a message, it requests memory for storing the message from the first message memory pool common-mempool, and after the message is released, the memory occupied by the message is released back into the first message memory pool common-mempool. The second message memory pool special-mempool is constructed in the memory corresponding to the second-type central processing unit; after the attack-defence dedicated core receives a message, it requests memory for storing the message from the second message memory pool special-mempool, and after the message is released, the memory occupied by the message is released back into the second message memory pool special-mempool.
It should be noted that when the firewall device uses central processing units of a non-uniform memory access architecture (Non-Uniform Memory Access Architecture, NUMA), initialising the memory corresponding to the first-type central processing unit essentially means initialising the memory corresponding to the NUMA node where the first-type central processing unit itself is located. Correspondingly, the number of first message memory pools common-mempool equals the number of NUMA nodes in the firewall device that contain first-type central processing units.
To prevent resource contention from affecting the processing of high-volume attack messages when they arrive, one second message memory pool special-mempool can be constructed for each attack-defence dedicated core when the memory corresponding to the second-type central processing unit is initialised. Each attack-defence dedicated core, after receiving a message, requests memory from its own second message memory pool special-mempool, which guarantees that there is no memory resource contention between attack-defence dedicated cores; correspondingly, the attack defence performance of the firewall device grows linearly with the number of attack-defence dedicated cores.
It should be understood that when the first-type central processing unit and the second-type central processing unit share the same memory, the first message memory pool common-mempool dedicated to the forwarding core and the second message memory pool special-mempool dedicated to the attack-defence dedicated core can both be constructed in that memory.
It should be noted that since the number of attack messages to be processed by the attack-defence dedicated core is usually much larger than the number of messages to be processed by the forwarding core, the size of the second message memory pool special-mempool constructed at memory initialisation is usually much larger than the size of the first message memory pool common-mempool; that is, the number of messages that can be stored in the second message memory pool special-mempool is much larger than the number that can be stored in the first message memory pool common-mempool.
When memory is initialised, in addition to constructing the first message memory pool common-mempool and the second message memory pool special-mempool, a first attack message buffer area drop ring and a second attack message buffer area drop ring also need to be constructed. The number of first attack message buffer areas drop ring equals the number of forwarding cores, and the number of second attack message buffer areas drop ring equals the number of attack-defence dedicated cores.
In addition, the size of the first attack message buffer area drop ring depends on the size of the first message memory pool common-mempool, and the size of the second attack message buffer area drop ring depends on the size of the second message memory pool special-mempool. When the firewall device uses central processing units of the NUMA architecture, the number of messages that can be stored in the first attack message buffer area drop ring depends on the number of messages that can be stored in the first message memory pool common-mempool and on the number of central processing units included in one NUMA node. Assuming that the first message memory pool common-mempool can store M messages and that a NUMA node includes A central processing units, the length of the first attack message buffer area drop ring is X = M/A. The number of messages that can be stored in the second attack message buffer area drop ring remains equal to the number of messages that can be stored in the second message memory pool special-mempool.
It should be understood that since the size of the second message memory pool special-mempool is usually much larger than that of the first message memory pool common-mempool, the number of messages that can be stored in the second attack message buffer area drop ring is also much larger than the number that can be stored in the first attack message buffer area drop ring.
The third-type central processing unit 103 is configured with a logging core. The logging core reads the attack messages in the first attack message buffer area and the second attack message buffer area through lock-free read operations, and generates attack logs according to the attack messages read.
When the first-type central processing unit 101 judges a received message to be an attack message, it discards the message into the first attack message buffer area; similarly, when the second-type central processing unit 102 judges a received message to be an attack message, it discards the message into the second attack message buffer area. The third-type central processing unit 103 configured with the logging core then traverses the first attack message buffer area and the second attack message buffer area, reads the attack messages stored there, and generates attack logs according to the attack messages read.
It should be noted that, so that the logging core can learn why an attack message was dropped when it reads that message from the first attack message buffer area or the second attack message buffer area, the messages in the first message buffer area and the second message buffer area usually carry a field marking the drop reason, for example an extern_id field. This makes it convenient for the logging core to obtain the drop reason from the extern_id field and to extract specific fields of the attack message to form the attack log.
It should be noted that, under normal circumstances, when multiple cores read or write the data in the same buffer area at the same time, the cores must operate on the data in that buffer area in a locked manner; that is, the order in which each core operates on the buffer area is determined by each core's priority, with the higher-priority core operating first and the lower-priority core afterwards. In the technical solution provided by the embodiments of this application, however, the logging core and the forwarding core can operate on the data in the first attack message buffer area in a lock-free manner: while the forwarding core writes attack messages into the first attack message buffer area, the logging core can also read attack messages from the first attack message buffer area, and the two do not interfere with each other. Similarly, the logging core and the attack-defence dedicated core can operate on the data in the second attack message buffer area in a lock-free manner: while the attack-defence dedicated core writes attack messages into the second attack message buffer area, the logging core can also read attack messages from it, and the two do not interfere with each other.
In the above firewall device, the three types of central processing units work independently and in parallel: the forwarding core handles normal messages and low-volume attacks, the attack-defence dedicated core handles high-volume attacks, and the logging core actively obtains attack messages and generates attack logs accordingly. Each performs its own function, which guarantees that the firewall device can both forward messages normally and effectively defend against high-volume attacks while also recording attack logs, thereby effectively improving the performance of the firewall device and meeting market demand.
It should be noted that after the logging core has read the attack messages stored in the first attack message buffer area and the second attack message buffer area, the forwarding core can reclaim the memory space occupied by the already-read attack messages in the first attack message buffer area into the first message memory pool, and the attack-defence dedicated core can reclaim the memory space occupied by the already-read attack messages in the second attack message buffer area into the second message memory pool. This guarantees that when the forwarding core and the attack-defence dedicated core subsequently receive messages, the first message memory pool and the second message memory pool can provide enough memory space for them, so that the forwarding core and the attack-defence dedicated core can work normally.
In one possible implementation, when the first attack message buffer area is saturated, the forwarding core reclaims the memory space of all attack messages in the first attack message buffer area that have been read by the logging core and releases that memory space into the first message memory pool corresponding to the forwarding core; similarly, when the second attack message buffer area is saturated, the attack-defence dedicated core reclaims the memory space of all attack messages in the second attack message buffer area that have been read by the logging core and releases that memory space into the second message memory pool corresponding to the attack-defence dedicated core.
Specifically, when the first attack message buffer area is filled with attack messages discarded by the forwarding core, the forwarding core can reclaim the memory space occupied by the attack messages in the first attack message buffer area that are marked as read; the attack messages marked as read are essentially the attack messages that have been read by the logging core. After reclaiming the memory space occupied by the read attack messages, it further releases the reclaimed memory space into the first message memory pool corresponding to the forwarding core.
Similarly, when the second attack message buffer area is filled with attack messages discarded by the attack-defence dedicated core, the attack-defence dedicated core can reclaim the memory space occupied by the attack messages in the second attack message buffer area that are marked as read; the attack messages marked as read are essentially the attack messages that have been read by the logging core. After reclaiming the memory space occupied by the read attack messages, it further releases the reclaimed memory space into the second message memory pool corresponding to the attack-defence dedicated core.
In another possible implementation, when the proportion of free memory in its corresponding first message memory pool falls below a first threshold, the forwarding core reclaims the memory space of all attack messages in the first attack message buffer area that have been read by the logging core and releases the reclaimed memory space into the first message memory pool corresponding to the forwarding core; similarly, when the proportion of free memory in its corresponding second message memory pool falls below the first threshold, the attack-defence dedicated core reclaims the memory space of all attack messages in the second attack message buffer area that have been read by the logging core and releases the reclaimed memory space into the second message memory pool corresponding to the attack-defence dedicated core.
Specifically, when the proportion of free memory in the first message memory pool is below the first threshold, little memory remains for the forwarding core to request for storing newly received messages. At this point, the forwarding core can reclaim the memory space occupied by the attack messages marked as read in the first attack message buffer area and then release the reclaimed memory space into the first message memory pool corresponding to the forwarding core, so as to increase the free memory in the first message memory pool.
Similarly, when the proportion of free memory in the second message memory pool is below the first threshold, little memory remains for the attack-defence dedicated core to request for storing newly received messages. At this point, the attack-defence dedicated core can reclaim the memory space occupied by the attack messages marked as read in the second attack message buffer area and then release the reclaimed memory space into the second message memory pool corresponding to the attack-defence dedicated core, so as to increase the free memory in the second message memory pool.
It should be understood that the above first threshold can be set according to actual needs; it can usually be set to 1/10 of the total memory. Correspondingly, the first threshold for the first message memory pool is 1/10 of the total memory of the first message memory pool, and the first threshold for the second message memory pool is 1/10 of the total memory of the second message memory pool. Of course, the first threshold can also be set to other values according to actual requirements; no specific restriction is placed on the first threshold here.
Both of the above possible implementations reclaim the memory in the first attack message buffer area and the second attack message buffer area in batch mode; that is, when the memory reclaim condition is met, the memory space of all attack messages that have been read by the logging core is reclaimed at once. This reclaim method can simplify the overall design of the firewall device to a certain extent and can also improve the forwarding performance of the firewall device.
It should be noted that when the logging core configured in the third-type central processing unit reads attack messages in the first attack message buffer area and the second attack message buffer area, the logging core can specifically start multiple log threads, and these log threads use lock-free read operations to read attack messages concurrently, where each log thread corresponds to one first attack message buffer area or one second attack message buffer area and reads attack messages from its corresponding attack message buffer area.
Specifically, when reading attack messages from the first attack message buffer areas and the second attack message buffer areas, the logging core can start one log thread for each attack message buffer area (including the first attack message buffer areas and the second attack message buffer areas), and then read attack messages from each attack message buffer area through that buffer area's corresponding log thread.
It should be understood that here the log threads are in one-to-one correspondence with the first attack message buffer areas or the second attack message buffer areas; correspondingly, the log threads are in one-to-one correspondence with the first-type central processing units or the second-type central processing units, and each log thread is dedicated to reading attack messages from its own corresponding attack message buffer area.
In this mechanism, where multiple log threads read the attack message buffer areas concurrently, log threads and attack message buffer areas correspond one to one, i.e. each log thread reads attack messages from only one attack message buffer area, and there is no case where multiple log threads share one attack message buffer area. Resource contention between log threads while reading attack messages can therefore be effectively avoided, which in turn guarantees that the logging core's log recording operation can proceed smoothly.
In one possible implementation, so that the log recording performance of the firewall device grows linearly with the number of logging cores, multiple third-type central processing units can be provided in the firewall device, and the logging core in each third-type central processing unit starts one log thread, which reads attack messages from a first attack message buffer area or a second attack message buffer area.
Referring to Fig. 2, Fig. 2 is a schematic diagram of the operating principle of this kind of firewall device. As shown in Fig. 2, the firewall device includes two central processing units configured with forwarding cores, two central processing units shared by a forwarding core and an attack-defence dedicated core, and one central processing unit configured with an attack-defence dedicated core; the memory corresponding to each of these central processing units holds an attack message buffer area drop ring corresponding to that central processing unit.
The firewall device further includes third-type central processing units corresponding to each of the above central processing units. As shown in Fig. 2, the firewall device includes five central processing units configured with logging cores, each corresponding to one of the above central processing units configured with a forwarding core and/or an attack-defence dedicated core.
The logging core in each third-type central processing unit starts one log thread for its own corresponding first-type central processing unit or second-type central processing unit, and reads attack messages through that log thread from the attack message buffer area drop ring corresponding to that first-type or second-type central processing unit.
It should be understood that the firewall device shown in Fig. 2 is only an example. In practical applications, the attack message buffer areas are located in the memory corresponding to the central processing units; for ease of description, Fig. 2 merges the central processing units with their memory and draws the attack message buffer areas directly inside the central processing units, whereas in reality the memory and the central processing units are independent of each other. In addition, the firewall device may include several first-type central processing units and second-type central processing units, and the number of third-type central processing units depends on the number of first-type and second-type central processing units; the number of central processing units included in the firewall device is not specifically limited here.
In the firewall device shown in Fig. 2 the logging cores are fully parallel with each other. Since the resource accessed by each logging core is an independent resource, and each attack message buffer area is accessed only by one writing thread and one reading thread, with no other central processing unit able to access it, the log recording performance of the firewall device can be improved linearly as the number of logging cores increases.
In a device that supports hyper-threading, the third-type central processing unit can share the same physical device with the first-type central processing unit or the second-type central processing unit, respectively; moreover, the logging core in the third-type central processing unit can specifically read attack messages using the hyper-thread virtualised by that physical device.
In a device that supports hyper-threading, a physical device can support two types of central processing units running at the same time. Specifically, a virtual device can be created in the physical device; while the first-type central processing unit or the second-type central processing unit runs on the physical device, the created virtual device can be used to support the operation of the third-type central processing unit.
It should be noted that the physical device here is actually a central processing unit. Supporting the operation of two types of central processing units essentially means supporting a forwarding core and a logging core working at the same time, or an attack-defence dedicated core and a logging core working at the same time; specifically, the central processing unit virtualised within the central processing unit can be used to support the work of the logging core.
It should be understood that the third-type central processing unit running in the same physical device corresponds to the first-type central processing unit or second-type central processing unit running there. That is, if a first-type central processing unit and a third-type central processing unit run simultaneously in the same physical device, the logging core in the third-type central processing unit can read attack messages directly, through the hyper-thread virtualised by the physical device, from the first attack message buffer area corresponding to that first-type central processing unit; similarly, if a second-type central processing unit and a third-type central processing unit run simultaneously in the same physical device, the logging core in the third-type central processing unit can read attack messages directly, through the hyper-thread virtualised by the physical device, from the second attack message buffer area corresponding to that second-type central processing unit.
It should be understood that the hyper-thread virtualised by the above physical device is essentially a log thread: the operations it needs to perform are the same as those of a log thread, namely reading attack messages from the attack message buffer area.
Referring to Fig. 3, Fig. 3 is a schematic diagram of the operating principle of a firewall device supporting hyper-threading provided by the embodiments of this application. The firewall device includes four central processing units, where central processing unit 1 and central processing unit 2 support a forwarding core and a logging core working at the same time, and central processing unit 3 and central processing unit 4 support an attack-defence dedicated core and a logging core working at the same time.
As shown in Fig. 3, the hyper-threads virtualised in central processing unit 1, central processing unit 2, central processing unit 3 and central processing unit 4 are used as log threads. The logging cores in central processing unit 1 and central processing unit 2 read attack messages, through the hyper-threads virtualised there, from the first attack message buffer areas corresponding to the forwarding cores, and the logging cores in central processing unit 3 and central processing unit 4 read attack messages, through the hyper-threads virtualised there, from the second attack message buffer areas corresponding to the attack-defence dedicated cores.
It should be understood that, for ease of description, the logging core running in each central processing unit of the firewall device shown in Fig. 3 is not drawn. The firewall device shown in Fig. 3 is only an example. In practical applications, the attack message buffer areas are located in the memory corresponding to the central processing units; for ease of description, Fig. 3 merges the central processing units with their memory and draws the attack message buffer areas directly inside the central processing units, whereas in reality the memory and the central processing units are independent of each other. In addition, the firewall device may include several central processing units that support hyper-threading; the number of central processing units included in the firewall device is not specifically limited here.
In a firewall device supporting hyper-threading, the forwarding core or attack-defence dedicated core can share the same cache memory (cache) with the logging core, and the log thread can read the attack messages in the attack message buffer area in a hyper-thread. The forwarding core or attack-defence dedicated core puts attack messages into the attack message buffer area sequentially, while the logging core reads the attack messages there in reverse order, so the forwarding core or attack-defence dedicated core and the logging core do not access the same memory at the same time. After the logging core reads an attack message in the attack message buffer area, the memory occupied by that attack message is not read again before it is released, and the memory occupied by read attack messages is usually released in batches only when a certain condition is reached; therefore the logging core and the forwarding core or attack-defence dedicated core will not occupy the same resource at the same time. In addition, since the operations performed by the logging core and by the forwarding core or attack-defence dedicated core are entirely different, having the logging core share the same physical device with the forwarding core or attack-defence dedicated core allows that physical device to be utilised more fully.
Since the logging core and the forwarding core usually do not work synchronously, i.e. the log thread usually does not read an attack message from the attack message buffer area immediately after it has been written there, a situation may arise in which the log thread has difficulty reading attack messages in time. When a large number of attack messages is encountered, the attack message buffer area may be written heavily or filled up in a short time while the log thread has not yet read the attack messages in it, which would affect firewall performance to some degree.
To prevent the above situation, this application provides two ways of notifying the log thread to read attack messages; both are introduced below.
In the first implementation, when the proportion of the written region in the first attack message buffer area reaches a second threshold and the log thread has not yet read the attack messages in it, the forwarding core notifies the log thread to read the attack messages; similarly, when the proportion of the written region in the second attack message buffer area reaches the second threshold and the log thread has not yet read the attack messages in it, the attack-defence dedicated core notifies the log thread to read the attack messages.
Specifically, the forwarding core monitors the size of the written region in the first attack message buffer area. When it detects that the proportion of the written region in the first attack message buffer area has reached the second threshold, and determines that the log thread has not yet read the attack messages in the first attack message buffer area, the forwarding core notifies the log thread to read the attack messages in the first attack message buffer area.
Similarly, the attack-defence dedicated core monitors the size of the written region in the second attack message buffer area. When it detects that the proportion of the written region in the second attack message buffer area has reached the second threshold, and determines that the log thread has not yet read the attack messages in the second attack message buffer area, the attack-defence dedicated core notifies the log thread to read the attack messages in the second attack message buffer area.
It should be understood that the size of the above second threshold can be set according to actual needs; it can usually be set to 1/3. Of course, the second threshold can also be set to other values; it is not specifically limited here.
In the second implementation, the forwarding core can add hint information to the tail of an attack message according to the size of the attack traffic and notify the log thread through that hint information, so that the log thread adjusts the number of messages it reads each time according to the hint information; similarly, the attack-defence dedicated core can also add hint information to the tail of an attack message according to the size of the attack traffic and notify the log thread through that hint information, so that the log thread adjusts the number of messages it reads each time according to the hint information.
Specifically, according to the size of the attack traffic, the forwarding core adds hint information to the tail of an attack message it discards into the first attack message buffer area; the hint information tells the log thread how to adjust the number of messages it reads each time. Correspondingly, when the log thread reads that attack message, it obtains the hint information carried in the attack message, adjusts the number of messages it reads each time according to that hint information, and the next time it reads attack messages from the first attack message buffer area, it reads them according to the adjusted number.
Analogously, attack defending specific core can also be correspondingly dropped to second according to the size of attack traffic The tail portion of attack message in attack message buffer area increases prompt information, and the prompt information is for prompting log thread how right The number for reading message every time is adjusted, and correspondingly, when log thread reads the attack message, will acquire the attack report The prompt information carried in text, in turn, log thread can adjust each number for reading message according to the prompt information It is whole, and when reading attack message from the second attack message buffer area next time, according to the adjustment number to attack message into Row is read.
It should be understood that when attack traffic is more, core or attack defending specific core is forwarded to mention attack message tail portion is increased Show information, for notifying log thread to increase the number of reading message every time;When attack traffic is less, forward core or attack anti- Imperial specific core is in the increased prompt information in attack message tail portion, for notifying log thread to reduce the number of reading message every time.
Log thread is notified to carry out the attack message in attack packet buffer area by above two implementation as a result, It reads, guarantees that log thread can in time be read out the attack message in attack packet buffer area, to effectively prevent Only in the case where meeting with a large amount of attack messages, the performance of firewall box is influenced.
For the firewall device described above, the present application also provides a message processing method for the firewall device, so that in practical applications the firewall device processes the messages it receives on the basis of that method.
Referring to Fig. 4, which is a flow diagram of the message processing method provided by the embodiments of the present application. As shown in Fig. 4, the message processing method comprises the following steps:
Step 401: the first-class central processing unit, through a preconfigured forwarding core, receives and identifies messages of the first type, and according to the identification result either forwards normal messages or drops attack messages into the first attack message buffer corresponding to the forwarding core.
Step 402: the second-class central processing unit, through a preconfigured attack defence core, receives and identifies messages of the second type, and according to the identification result either forwards normal messages or drops attack messages into the second attack message buffer corresponding to the attack defence core.
Step 403: the third-class central processing unit, through a preconfigured log recording core, reads the attack messages in the first attack message buffer and the second attack message buffer with lock-free read operations and generates attack logs from those attack messages.
Optionally, the message processing method further comprises:
the first-class central processing unit, through the forwarding core, when the first attack message buffer is saturated, reclaims the memory space of all attack messages in the first attack message buffer that have already been read by the log recording core and releases that memory space to the first message memory pool corresponding to the forwarding core;
the second-class central processing unit, through the attack defence core, when the second attack message buffer is saturated, reclaims the memory space of all attack messages in the second attack message buffer that have already been read by the log recording core and releases that memory space to the second message memory pool corresponding to the attack defence core.
Optionally, the first-class central processing unit, through the forwarding core, when the share of free memory in the first message memory pool corresponding to the forwarding core falls below the first threshold, reclaims the memory space of all attack messages in the first attack message buffer that have already been read by the log recording core and releases that memory space to the first message memory pool corresponding to the forwarding core;
the second-class central processing unit, through the attack defence core, when the share of free memory in the second message memory pool corresponding to the attack defence core falls below the first threshold, reclaims the memory space of all attack messages in the second attack message buffer that have already been read by the log recording core and releases that memory space to the second message memory pool corresponding to the attack defence core.
Optionally, the third-class central processing unit, through the log recording core, starts multiple log threads, which use lock-free read operations to read attack messages concurrently, where each log thread corresponds to one central processing unit and reads attack messages from the corresponding central processing unit.
Optionally, the message processing method further comprises:
the first-class central processing unit, through the forwarding core, when the written region's share of the first attack message buffer reaches the second threshold and the log thread has not yet read it, notifies the log thread to read the attack messages;
the second-class central processing unit, through the attack defence core, when the written region's share of the second attack message buffer reaches the second threshold and the log thread has not yet read it, notifies the log thread to read the attack messages.
Optionally, the message processing method further comprises:
the first-class central processing unit, through the forwarding core, appends prompt information to the tail of an attack message according to the magnitude of the attack traffic and notifies the log thread through that prompt information, so that the log thread adjusts the number of messages it reads each time according to the prompt information;
the second-class central processing unit, through the attack defence core, appends prompt information to the tail of an attack message according to the magnitude of the attack traffic and notifies the log thread through that prompt information, so that the log thread adjusts the number of messages it reads each time according to the prompt information.
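The following is an added example written for this page; it is not code from the patent or from Neusoft. It models one forwarding core (the single producer) and one log thread (the single consumer) sharing an attack message buffer without locks, and implements the three optional mechanisms just listed and described earlier: reclaiming read messages to the message memory pool on saturation or when the pool runs low (first threshold), notifying the log thread once 1/3 of the buffer has been written and the log thread has not yet read (second threshold), and a hint appended to the message tail that makes the log thread grow or shrink its read batch. Buffer and pool sizes, the traffic-rate bands that select the hint, the hint encoding, the field names and all function names are assumptions made for the example.

```c
/* Added example, not code from the patent or from Neusoft: one forwarding core
 * (single producer) and one log thread (single consumer) share an attack message
 * buffer without locks, with the 1/3 fill-level notification, the tail hint that
 * resizes the read batch, and memory pool reclamation. All sizes, thresholds,
 * field names and the hint encoding are assumptions. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define RING_SLOTS 16            /* power of two: slot = position & RING_MASK */
#define RING_MASK  (RING_SLOTS - 1)
#define POOL_MSGS  32            /* constructed size of the per-core message memory pool */
#define POOL_LOW_PERCENT 25      /* "first threshold": reclaim when free pool share is below it */
#define NOTIFY_DIV 3             /* "second threshold": notify once 1/3 of the buffer is written */
#define HIGH_ATTACK_PPS 100000   /* constructed rate bands that select the tail hint */
#define LOW_ATTACK_PPS  1000

enum batch_hint { HINT_KEEP = 0, HINT_GROW = 1, HINT_SHRINK = 2 };
struct attack_msg {
    uint32_t src_ip;             /* constructed sample field */
    uint16_t len;
    uint8_t  hint;               /* prompt information appended at the message tail */
};

struct attack_ring {
    struct attack_msg slot[RING_SLOTS];
    _Atomic size_t head;         /* next position to write; advanced only by the forwarding core */
    _Atomic size_t tail;         /* next position to read; advanced only by the log thread */
    size_t reclaimed;            /* producer-private: positions below this went back to the pool */
    size_t pool_free;            /* producer-private: free message buffers in the memory pool */
    size_t tail_seen;            /* producer-private: tail value at the last notification */
    bool   log_notified;         /* producer-private: notification sent and not yet acted on */
};

void ring_init(struct attack_ring *r) {
    atomic_init(&r->head, 0);
    atomic_init(&r->tail, 0);
    r->reclaimed = r->tail_seen = 0;
    r->pool_free = POOL_MSGS;
    r->log_notified = false;
}

/* Forwarding core: give back to the pool every message the log thread has read. */
size_t ring_reclaim(struct attack_ring *r) {
    size_t tail = atomic_load_explicit(&r->tail, memory_order_acquire);
    size_t n = tail - r->reclaimed;
    r->reclaimed = tail;
    r->pool_free += n;
    return n;
}

/* Forwarding core drops one attack message. Returns -1 when neither pool nor
 * buffer has room, 1 when the log thread must be notified (written region at
 * 1/3 or more and no read since the last notification), 0 otherwise. */
int ring_drop(struct attack_ring *r, uint32_t src_ip, uint16_t len, uint32_t attack_pps) {
    size_t head = atomic_load_explicit(&r->head, memory_order_relaxed);
    size_t tail = atomic_load_explicit(&r->tail, memory_order_acquire);
    if (head - tail == RING_SLOTS || r->pool_free * 100 < POOL_MSGS * POOL_LOW_PERCENT)
        ring_reclaim(r);         /* buffer saturated or pool running low: reclaim first */
    if (head - tail == RING_SLOTS || r->pool_free == 0)
        return -1;
    r->pool_free--;              /* take one buffer from the memory pool */
    struct attack_msg *m = &r->slot[head & RING_MASK];
    m->src_ip = src_ip;
    m->len = len;
    m->hint = attack_pps >= HIGH_ATTACK_PPS ? HINT_GROW : attack_pps <= LOW_ATTACK_PPS ? HINT_SHRINK : HINT_KEEP;
    atomic_store_explicit(&r->head, head + 1, memory_order_release); /* publish the slot */
    if (tail != r->tail_seen)    /* the log thread has read since we last notified */
        r->log_notified = false;
    if (!r->log_notified && (head + 1 - tail) * NOTIFY_DIV >= RING_SLOTS) {
        r->log_notified = true;
        r->tail_seen = tail;
        return 1;
    }
    return 0;
}

/* Log thread: lock-free read of up to *batch messages into out; the hint of the last one resizes *batch. */
size_t ring_read_batch(struct attack_ring *r, size_t *batch, struct attack_msg *out) {
    size_t tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    size_t head = atomic_load_explicit(&r->head, memory_order_acquire);
    size_t n = 0;
    while (n < *batch && tail + n != head) {
        out[n] = r->slot[(tail + n) & RING_MASK];
        n++;
    }
    atomic_store_explicit(&r->tail, tail + n, memory_order_release); /* slots now reusable */
    if (n > 0 && out[n - 1].hint == HINT_GROW && *batch < RING_SLOTS)
        *batch *= 2;
    else if (n > 0 && out[n - 1].hint == HINT_SHRINK && *batch > 1)
        *batch /= 2;
    return n;
}

/* Log thread: render one attack log line per message. Returns its length. */
int format_attack_log(const struct attack_msg *m, char *buf, size_t cap) {
    return snprintf(buf, cap, "attack src=%u.%u.%u.%u len=%u",
                    (unsigned)(m->src_ip >> 24), (unsigned)(m->src_ip >> 16) & 0xff,
                    (unsigned)(m->src_ip >> 8) & 0xff, (unsigned)m->src_ip & 0xff, (unsigned)m->len);
}
```

The ordering is what makes the buffer lock-free: the producer fills a slot before its release store to `head`, and the consumer copies the slot out before its release store to `tail`, so each side only ever writes the index it owns. The pool bookkeeping and the notification state are deliberately kept on the producer side, matching the description, in which it is the forwarding core or attack defence core that decides when to reclaim and when to notify.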
In the message processing method of the firewall device provided by the embodiments of the present application, the three types of central processing unit in the firewall device work independently and in parallel: the forwarding core handles normal messages and small-flow attacks, the attack defence core handles large-flow attacks, and the log recording core actively fetches attack messages and generates the corresponding attack logs. With each performing its own duty, the firewall device can forward messages normally, defend effectively against large-flow attacks, and record attack logs at the same time, which effectively improves the performance of the firewall device and lets it meet market demand.
The embodiments of the present application also provide a computer-readable storage medium for storing program code, the program code being used to execute any one embodiment of the message processing method of a firewall device described in the foregoing embodiments.
It will be apparent to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may be found in the corresponding processes of the foregoing method embodiments, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division into units is only a division by logical function, and other divisions are possible in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the methods of the embodiments of this application. The aforementioned storage medium includes: a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk, and other media that can store program code.
The above embodiments are only intended to illustrate the technical solution of this application, not to limit it. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that they may still modify the technical solutions recorded in the foregoing embodiments or replace some of the technical features by equivalents, and that such modifications or replacements do not make the essence of the corresponding technical solution depart from the spirit and scope of the technical solutions of the embodiments of this application.

Claims (10)

1. A firewall device, characterized in that it comprises:
central processing units of three types and a memory corresponding to each type of central processing unit; the three types of central processing unit comprise a first-class central processing unit, a second-class central processing unit and a third-class central processing unit; wherein,
a forwarding core is configured in the first-class central processing unit, the forwarding core being used to receive and identify messages of a first type and, according to the identification result, to forward normal messages or to drop attack messages into a first attack message buffer corresponding to the forwarding core;
an attack defence core is configured in the second-class central processing unit, the attack defence core being used to receive and identify messages of a second type and, according to the identification result, to forward normal messages or to drop attack messages into a second attack message buffer corresponding to the attack defence core;
a log recording core is configured in the third-class central processing unit, the log recording core being used to read, by lock-free read operations, the attack messages in the first attack message buffer and the second attack message buffer and to generate attack logs from those attack messages.
2. The firewall device according to claim 1, characterized in that the third-class central processing unit shares the same physical device with the first-class central processing unit and with the second-class central processing unit respectively; and the log recording core in the third-class central processing unit is specifically used to read attack messages through a hyper-thread virtualized from that physical device.
3. The firewall device according to claim 1, characterized in that the first-class central processing unit and the second-class central processing unit use the same physical device.
4. The firewall device according to claim 1, characterized in that the log recording core is specifically used to start multiple log threads, which use lock-free read operations to read attack messages concurrently, wherein each log thread corresponds to one first attack message buffer or one second attack message buffer and reads attack messages from the corresponding attack message buffer.
5. The firewall device according to claim 1, characterized in that the firewall device comprises multiple third-class central processing units, and the log recording core in each third-class central processing unit starts one log thread, which reads attack messages from the first attack message buffer or the second attack message buffer.
6. The firewall device according to claim 1, characterized in that the forwarding core is further used to notify the log thread to read attack messages when the written region's share of the first attack message buffer reaches a second threshold and the log thread has not yet read it;
the attack defence core is further used to notify the log thread to read attack messages when the written region's share of the second attack message buffer reaches the second threshold and the log thread has not yet read it.
7. The firewall device according to claim 1, characterized in that
the forwarding core is further used to append prompt information to the tail of an attack message according to the magnitude of the attack traffic and to notify the log thread through that prompt information, so that the log thread adjusts the number of messages it reads each time according to the prompt information;
the attack defence core is further used to append prompt information to the tail of an attack message according to the magnitude of the attack traffic and to notify the log thread through that prompt information, so that the log thread adjusts the number of messages it reads each time according to the prompt information.
8. A message processing method of a firewall device, characterized in that it comprises:
a first-class central processing unit, through a preconfigured forwarding core, receives and identifies messages of a first type and, according to the identification result, forwards normal messages or drops attack messages into a first attack message buffer corresponding to the forwarding core;
a second-class central processing unit, through a preconfigured attack defence core, receives and identifies messages of a second type and, according to the identification result, forwards normal messages or drops attack messages into a second attack message buffer corresponding to the attack defence core;
a third-class central processing unit, through a preconfigured log recording core, reads, by lock-free read operations, the attack messages in the first attack message buffer and the second attack message buffer and generates attack logs from those attack messages.
9. The message processing method according to claim 8, characterized in that the third-class central processing unit, through the log recording core, starts multiple log threads, which use lock-free read operations to read attack messages concurrently, wherein each log thread corresponds to one central processing unit and reads attack messages from the corresponding central processing unit.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium is used to store program code, the program code being used to execute the message processing method of any one of claims 8 to 9.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811574742.XA CN109495504B (en) 2018-12-21 2018-12-21 Firewall equipment and message processing method and medium thereof

Publications (2)

Publication Number Publication Date
CN109495504A true CN109495504A (en) 2019-03-19
CN109495504B CN109495504B (en) 2021-05-25

Family

ID=65711402

Country Status (1)

Country Link
CN (1) CN109495504B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110224947A (en) * 2019-06-05 2019-09-10 东软集团股份有限公司 Message processing method, device and equipment in a kind of multicore repeater system
CN110545291A (en) * 2019-09-29 2019-12-06 东软集团股份有限公司 defense method for attack message, multi-core forwarding system and related products
CN113709044A (en) * 2020-05-20 2021-11-26 阿里巴巴集团控股有限公司 Data forwarding method and device, electronic equipment and storage medium
CN113890746A (en) * 2021-08-16 2022-01-04 曙光信息产业(北京)有限公司 Attack traffic identification method, device, equipment and storage medium
CN113938325A (en) * 2021-12-16 2022-01-14 紫光恒越技术有限公司 Method and device for processing aggressive traffic, electronic equipment and storage equipment
CN113991839A (en) * 2021-10-15 2022-01-28 许继集团有限公司 Device and method for improving reliability of remote control output

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080022401A1 (en) * 2006-07-21 2008-01-24 Sensory Networks Inc. Apparatus and Method for Multicore Network Security Processing
CN102497322A (en) * 2011-12-19 2012-06-13 曙光信息产业(北京)有限公司 High-speed packet filtering device and method realized based on shunting network card and multi-core CPU (Central Processing Unit)
CN102801659A (en) * 2012-08-15 2012-11-28 成都卫士通信息产业股份有限公司 Implementation method and device for security gateway based on stream strategy
CN104202333A (en) * 2014-09-16 2014-12-10 浪潮电子信息产业股份有限公司 Implementation method of distributed firewall
CN106357726A (en) * 2016-08-24 2017-01-25 东软集团股份有限公司 Load balancing method and device
CN107181738A (en) * 2017-04-25 2017-09-19 中国科学院信息工程研究所 A kind of software implementation intruding detection system and method
CN107682312A (en) * 2017-08-25 2018-02-09 中国科学院信息工程研究所 A kind of security protection system and method
CN107864156A (en) * 2017-12-18 2018-03-30 东软集团股份有限公司 Ssyn attack defence method and device, storage medium
CN108566382A (en) * 2018-03-21 2018-09-21 北京理工大学 The fire wall adaptive ability method for improving of rule-based life cycle detection
CN108667730A (en) * 2018-04-17 2018-10-16 东软集团股份有限公司 Message forwarding method, device, storage medium based on load balancing and equipment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
宋志军: "Research on a multi-core (multi-processing-unit) firewall architecture and implementation of its key technologies", China Master's Theses Full-text Database, Information Science and Technology *
张超云: "Research on a multi-core protocol-analysis stateful-inspection firewall", China Master's Theses Full-text Database, Information Science and Technology *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant