CN110381175B - Security policy acceleration table construction method and device - Google Patents


Info

Publication number: CN110381175B
Application number: CN201910611878.1A
Authority: CN (China)
Prior art keywords: address, domain name, cache table, security policy, system protocol
Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN110381175A (publication of the application)
Inventor: 岳伟国
Current assignee: New H3C Security Technologies Co Ltd
Original assignee: New H3C Security Technologies Co Ltd
Events: application CN201910611878.1A filed by New H3C Security Technologies Co Ltd; published as CN110381175A; application granted; granted patent published as CN110381175B; current legal status active.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L61/58 Caching of addresses or names
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1036 Load balancing of requests to servers for services different from user content provisioning, e.g. load balancing across domain name servers

Abstract

The embodiments of this application provide a method and a device for constructing a security policy acceleration table. The scheme comprises: storing an address cache table that has a plurality of address cache table entries, where each entry is the IP address set of a different domain name, each IP address set stores up to M IP addresses, and the aging time of each IP address is greater than M+1 domain name address switching cycles; receiving a first DNS protocol message; looking up the first address cache table entry that matches the domain name carried by the first DNS protocol message; determining that the IP address set of the first address cache table entry already contains the IP address carried by the first DNS protocol message, and therefore generating no event that triggers refreshing of the security policy acceleration table; and refreshing the storage time of that IP address in the IP address set of the first address cache table entry. Applying the technical scheme provided by the embodiments reduces memory and CPU consumption and lowers the probability of a security policy check failure.

Description

Security policy acceleration table construction method and device
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for constructing a security policy acceleration table.
Background
To speed up security processing of packets, a network device builds a security policy acceleration table in which the Key is an IP address corresponding to a user-specified website domain name and the Value is the security policy rule for that IP address. It computes a hash of the IP address, uses it to locate the security policy of the domain name directly, and so avoids matching the IP address against the policy table rule by rule.
In load-balanced networking, multiple servers provide the same service, so one domain name corresponds to several IP addresses, but each DNS resolution of the domain name returns only one of them at a time. A domain name change event is therefore generated every time the domain name switches among its IP addresses. When the refresh period of the security policy acceleration table arrives, the network device writes the security policy of the domain name together with the IP address currently in use into the acceleration table according to each pending domain name change event. Until the refresh period arrives, the correspondence between the newly switched-to IP address and the security policy of each affected domain name is not yet in the acceleration table, so a security policy check on traffic to that address may fail.
In addition, building the acceleration table consumes a lot of memory and CPU and takes a long time. A network device such as a gateway needs to access a large number of domain names, each of which switches among several IP addresses, so the device may accumulate a large backlog of domain name change events. If the backlog cannot be processed within one refresh period of the acceleration table, the current correspondences between IP addresses and security policies are not written into the table, which again may cause a security policy check failure.
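The following is an added example, not code from the patent or from H3C: it models the prior-art acceleration table described in the Background, rebuilt only at a fixed refresh period, and counts the policy-check misses that load-balanced DNS switching causes between two rebuilds. Domain names, addresses, rules, pools and timings are constructed for illustration (RFC 5737 documentation ranges).

```python
"""Added example, not code from the patent or from H3C: prior-art acceleration
table with periodic rebuild, and the check failures caused by DNS switching."""

from itertools import cycle

# Policy table: rules are written against domain names (constructed sample data).
POLICY_TABLE = {
    "app.example": "permit",
    "blocked.example": "deny",
}

# Load-balanced pool behind each domain name (constructed). In the page's model a
# DNS answer carries one address at a time and the pool is walked round-robin.
DNS_POOL = {
    "app.example": ["203.0.113.1", "203.0.113.2", "203.0.113.3"],
    "blocked.example": ["198.51.100.9"],
}


def build_acceleration_table(current_ip):
    """Prior-art rebuild: key = the IP address each domain name resolves to at
    rebuild time, value = that domain name's rule. A plain dict is the hash
    keyed by IP that replaces rule-by-rule matching."""
    return {ip: POLICY_TABLE[domain] for domain, ip in current_ip.items()}


def check(accel, dst_ip):
    """Fast-path policy check: one hash lookup. None = security policy check
    failure (no entry for the address the domain name currently uses)."""
    return accel.get(dst_ip)


def simulate_prior_art(switch_period, refresh_period, duration):
    """Every switch_period seconds each domain name is re-resolved to the next
    address in its pool; every refresh_period seconds the acceleration table is
    rebuilt from the addresses in use at that moment. Returns (hits, misses)
    for one packet per domain name sent right after each switch."""
    rotation = {d: cycle(pool) for d, pool in DNS_POOL.items()}
    current_ip = {d: next(r) for d, r in rotation.items()}
    accel = build_acceleration_table(current_ip)
    hits = misses = 0
    for t in range(0, duration, switch_period):
        current_ip = {d: next(r) for d, r in rotation.items()}   # domain name switches
        if t % refresh_period == 0:
            accel = build_acceleration_table(current_ip)         # periodic rebuild
        for ip in current_ip.values():
            if check(accel, ip) is None:
                misses += 1
            else:
                hits += 1
    return hits, misses


if __name__ == "__main__":
    # Switching every 20 s with a 60 s refresh period leaves two of every three
    # switches uncovered; rebuilding on every switch removes the misses, but that
    # is exactly the costly rebuild the patent wants to avoid.
    print(simulate_prior_art(20, 60, 120))   # -> (8, 4)
    print(simulate_prior_art(20, 20, 120))   # -> (12, 0)
```

The single-address domain never misses because its only address is always the one keyed at rebuild time; the three-address pool misses on every switch that falls between rebuilds, which is the failure mode the rest of the page addresses.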
Disclosure of Invention
An object of the embodiments of the present application is to provide a method and an apparatus for constructing a security policy acceleration table that reduce memory and CPU consumption and lower the probability of a security policy check failure. The specific technical scheme is as follows:
in a first aspect, an embodiment of the present application provides a method for constructing a security policy acceleration table, where the method includes:
storing an address cache table having a plurality of address cache table entries, where each address cache table entry is the IP address set of a different domain name, each IP address set stores up to M IP addresses, the aging time of each IP address is greater than M+1 domain name address switching cycles, and M is an integer greater than or equal to 2;
receiving a first domain name system protocol message;
searching a first address cache table item matched with the domain name carried by the first domain name system protocol message;
if the IP address set of the first address cache table entry already contains the IP address carried by the first domain name system protocol message, generating no event that triggers refreshing of the security policy acceleration table;
and refreshing the storage time of the IP address carried by the first domain name system protocol message in the IP address set of the first address cache table entry.
In a second aspect, an embodiment of the present application provides a security policy acceleration table building apparatus, where the apparatus includes:
a storage unit, configured to store an address cache table having a plurality of address cache table entries, where each address cache table entry is the IP address set of a different domain name, each IP address set stores up to M IP addresses, the aging time of each IP address is greater than M+1 domain name address switching cycles, and M is an integer greater than or equal to 2;
a receiving unit, configured to receive a first domain name system protocol packet;
a searching unit, configured to look up the first address cache table entry that matches the domain name carried by the first domain name system protocol packet;
a determining unit, configured to determine that the IP address set of the first address cache table entry already contains the IP address carried by the first domain name system protocol packet and, in that case, to generate no event that triggers refreshing of the security policy acceleration table;
and a refreshing unit, configured to refresh the storage time of the IP address carried by the first domain name system protocol packet in the IP address set of the first address cache table entry.
In a third aspect, embodiments of the present application provide a network device comprising a processor and a machine-readable storage medium storing machine-executable instructions which, when executed by the processor, cause the processor to implement any of the method steps described above.
In a fourth aspect, embodiments of the present application provide a machine-readable storage medium storing machine-executable instructions which, when executed by a processor, cause the processor to implement any of the method steps described above.
In the method and the device for constructing a security policy acceleration table, the aging time of each IP address in an address cache table entry is long enough that no IP address in the entry ages out while the domain name cycles through its IP addresses: at most M addresses are stored, the domain name is resolved to each of them in turn, so each stored address is seen again, and its storage time refreshed, within M switching cycles, which is less than the aging time of more than M+1 cycles. When the network device accesses many domain names and each domain name switches among the IP addresses it has already been resolved to, no event triggering a refresh of the security policy acceleration table is generated, that is, construction of the acceleration table is made faster. The situation in which a domain name's newly switched-to IP address and security policy are not written into the acceleration table in time is avoided, memory and CPU consumption is reduced, and the probability of a security policy check failure is lowered.
Of course, it is not necessary for any product or method of the present application to achieve all of the above-described advantages at the same time.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or of the prior art are briefly described below. Obviously, the drawings described below show only some embodiments of the present application; a person skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a load balancing networking according to an embodiment of the present application;
fig. 2 is a first flowchart illustrating a security policy acceleration table constructing method according to an embodiment of the present application;
fig. 3 is a schematic diagram of a preset cache table according to an embodiment of the present disclosure;
fig. 4 is a second flowchart illustrating a security policy acceleration table constructing method according to an embodiment of the present application;
fig. 5 is a third flowchart illustrating a security policy acceleration table constructing method according to an embodiment of the present application;
fig. 6 is a fourth flowchart illustrating a security policy acceleration table constructing method according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a security policy acceleration table constructing apparatus according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a network device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described below clearly and completely with reference to the drawings of those embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the present application.
The words appearing in the examples of the present application are explained below.
Security policy rule: consists of matching items and action items. After receiving a data packet, the network device matches the packet against the matching items, determines which matching item the packet matches, and processes the packet according to the action item associated with that matching item.
Domain name change event: the network device determines that the IP address originally used by a domain name differs from the IP address carried in a DNS (Domain Name System) protocol packet for that domain name, and generates a domain name change event.
In load-balanced networking, multiple servers provide the same service, so one domain name corresponds to multiple IP addresses. The load balancing network shown in fig. 1 includes a user device 100, a firewall device 101, and servers 102 to 104. Servers 102 to 104 provide the same service externally and share one domain name, for example domain name 1. Domain name 1 is thus associated with three IP addresses: IP1 of server 102, IP2 of server 103 and IP3 of server 104. The IP address that domain name 1 resolves to switches repeatedly among IP1 to IP3, and the firewall device 101 generates a domain name change event on every switch. When the refresh period of the security policy acceleration table arrives, the firewall device 101 writes the security policy of domain name 1 and the IP address currently in use into the acceleration table according to each domain name change event. Until the refresh period arrives, the correspondence between the current IP address of domain name 1 and its security policy is not in the acceleration table, which may cause a security policy check failure.
In addition, the firewall device 101 needs to access a large number of domain names, each of which switches among several IP addresses, so the network device may have a large number of domain name change events pending. If they cannot all be processed within one refresh period of the security policy acceleration table, the current correspondence between IP addresses and security policies is not written into the table, which may cause a security policy check failure.
To solve the above problem, an embodiment of the present application provides a security policy acceleration table construction method. The method can be applied to network devices such as firewall devices, routers and switches. Referring to fig. 2, the method includes the following steps:
Step 201, store an address cache table having a plurality of address cache table entries; each entry is the IP address set of a different domain name, each IP address set stores up to M IP addresses, the aging time of each IP address is greater than M+1 domain name address switching cycles, and M is an integer greater than or equal to 2.
Step 202, receive a first DNS protocol packet.
Step 203, look up the first address cache table entry that matches the domain name carried by the first DNS protocol packet.
Step 204, if the IP address set of the first address cache table entry already contains the IP address carried by the first DNS protocol packet, generate no event that triggers refreshing of the security policy acceleration table.
Step 205, refresh the storage time of the IP address carried by the first DNS protocol packet in the IP address set of the first address cache table entry to the current time.
For example, let M be 10 and the domain name address switching period be 20 seconds. The network device stores an address cache table with a plurality of entries, each holding up to 10 IP addresses. The aging time of each IP address in an entry is then greater than 20 × (10 + 1) = 220 seconds.
The network device receives DNS protocol packet 1, which carries domain name 1 and IP address IP1. The network device finds address cache table entry 1, which matches domain name 1. It determines that the IP address set of entry 1 already contains IP1, so it generates no event triggering a refresh of the security policy acceleration table, and it sets the storage time of IP1 in the IP address set of entry 1 to the current time.
In the security policy acceleration table construction method provided by this embodiment, the aging time of each IP address in an address cache table entry is long enough that no IP address in the entry ages out while the domain name switches among its IP addresses. When the network device accesses many domain names and each domain name switches among the IP addresses it has already been resolved to, no event triggering a refresh of the security policy acceleration table is generated, that is, construction of the acceleration table is made faster. The situation in which a domain name's newly switched-to IP address and security policy are not written into the acceleration table in time is avoided, memory and CPU consumption is reduced, and the probability of a security policy check failure is lowered.
In this embodiment, each IP address set stores up to M IP addresses and the aging time of each IP address may be N times M+1 domain name address switching cycles, where N is an integer greater than or equal to 1. For example, with N = 2, M = 10 and a switching period of 20 seconds, each IP address in an address cache table entry ages out after 2 × 20 × (10 + 1) = 440 seconds.
In an embodiment, the network device checks, at a preset period, whether any IP address in the IP address set of any address cache table entry has reached its aging time. If so, the network device deletes every IP address that has reached its aging time from the IP address set of its entry and generates an event that triggers refreshing of the security policy acceleration table. In response to that event the network device rebuilds the acceleration table: specifically, it writes the security policy of each domain name together with the IP addresses remaining in that entry's IP address set into the security policy acceleration table.
For example, consider the address cache table shown in fig. 3. The IP address set of the entry matching domain name 1 contains IP1, IP2 and IP3; that of the entry matching domain name 2 contains IP4, IP5 and IP6; and that of the entry matching domain name 3 contains IP7, IP8 and IP9.
Assume the preset check period is 5 minutes and the aging time is 1 hour. Every 5 minutes the network device checks whether any of IP1 to IP9 has a storage duration of 1 hour, where the storage duration is the difference between the current time and the storage time of the IP address. If IP3 has been stored for 1 hour, that is, IP3 has reached its aging time, the network device deletes IP3 from the IP address set of the entry matching domain name 1. In response to the resulting event triggering a refresh of the acceleration table, the network device writes the security policy of domain name 1 together with IP1 and IP2 into the security policy acceleration table.
In this embodiment, an IP address that has reached its aging time in an entry's IP address set is treated as an invalid IP address and deleted, which saves storage. In addition, because the security policy acceleration table is rebuilt only from the IP addresses that have not aged out, the device does not use the acceleration table to pass data packets that carry an invalid IP address.
Based on the security policy acceleration table construction method shown in fig. 2, an embodiment of the present application further provides a security policy acceleration table construction method, which may include the following steps, as shown in fig. 4.
Step 401, receive a second DNS protocol packet.
Step 402, look up the second address cache table entry that matches the domain name carried by the second DNS protocol packet.
Step 403, determine that the IP address set of the second address cache table entry does not contain the IP address carried by the second DNS protocol packet and that the number of addresses in that IP address set is less than M.
Step 404, record the IP address carried by the second DNS protocol packet, together with its storage time, in the IP address set of the second address cache table entry.
Step 405, generate an event that triggers refreshing of the security policy acceleration table.
For example, let M be 10 and the domain name address switching period be 20 seconds. The network device stores an address cache table with a plurality of entries, each holding up to 10 IP addresses, and the aging time of each IP address in an entry is greater than 20 × (10 + 1) = 220 seconds.
The network device receives DNS protocol packet 2, which carries domain name 1 and IP address IP21. The network device finds address cache table entry 1, which matches domain name 1, and determines that the IP address set of entry 1 does not contain IP21 and holds fewer than 10 addresses. It therefore records IP21 in the IP address set of entry 1 with a storage time equal to the current time, and generates an event that triggers refreshing of the security policy acceleration table. In response to that event, the network device writes the security policy of domain name 1 together with all IP addresses in the IP address set of entry 1 into the security policy acceleration table.
In this embodiment, the second address cache table entry may contain no IP address at all or may already contain other IP addresses; this is not limited.
By applying the embodiment shown in fig. 4, the network device writes the IP address a domain name has switched to, together with the domain name's security policy, into the security policy acceleration table in time rather than waiting for the periodic reconstruction, and so avoids the security policy check failure that relying on periodic reconstruction can cause.
Based on the security policy acceleration table construction method shown in fig. 2, an embodiment of the present application further provides a security policy acceleration table construction method, which may include the following steps, as shown in fig. 5.
Step 501, receive a third DNS protocol packet.
Step 502, look up the third address cache table entry that matches the domain name carried by the third DNS protocol packet.
Step 503, determine that the IP address set of the third address cache table entry does not contain the IP address carried by the third DNS protocol packet and that the number of addresses in that IP address set is equal to M.
Step 504, delete the IP address with the earliest storage time from the IP address set of the third address cache table entry.
Step 505, record the IP address carried by the third DNS protocol packet, together with its storage time, in the IP address set of the third address cache table entry.
Step 506, generate an event that triggers refreshing of the security policy acceleration table.
For example, let M be 10 and the domain name address switching period be 20 seconds. The network device stores an address cache table with a plurality of entries, each holding up to 10 IP addresses, and the aging time of each IP address in an entry is greater than 20 × (10 + 1) = 220 seconds.
The network device receives DNS protocol packet 3, which carries domain name 1 and IP address IP31. The network device finds address cache table entry 1, which matches domain name 1, and determines that the IP address set of entry 1 does not contain IP31 and already holds 10 addresses. It therefore deletes the IP address with the earliest storage time from the IP address set of entry 1, records IP31 in the set with a storage time equal to the current time, and generates an event that triggers refreshing of the security policy acceleration table. In response to that event, the network device writes the security policy of domain name 1 together with all IP addresses in the IP address set of entry 1 into the security policy acceleration table.
By applying the embodiment shown in fig. 5, the network device deletes the IP address with the earliest storage time from the IP address set of the address cache table entry, that is, the address most likely to be invalid, and so avoids passing data packets that carry an invalid IP address by way of the security policy acceleration table. At the same time, the IP address the domain name has switched to and the domain name's security policy are written into the acceleration table in time, which avoids the security policy check failure that relying on periodic reconstruction of the acceleration table can cause.
Based on the security policy acceleration table construction method shown in fig. 1 to 5, an embodiment of the present application further provides a security policy acceleration table construction method, which may include the following steps, as shown in fig. 6.
Step 601, receiving a fourth DNS protocol packet.
Step 602, it is determined that the originally used IP address of the domain name carried in the fourth DNS protocol packet is different from the IP address carried in the fourth DNS protocol packet.
Step 603, finding out a fourth address cache table entry matched with the domain name carried in the fourth DNS protocol packet.
Step 604, if it is determined that the IP address set of the fourth address cache entry includes an IP address carried in the fourth DNS protocol packet, no event is generated that triggers the refresh of the security policy acceleration table.
Step 605, the storage time of the IP address carried by the fourth DNS protocol packet in the IP address set of the fourth address cache entry is refreshed.
Step 606, it is determined that the IP address set of the fourth address cache entry does not contain the IP address carried in the fourth DNS protocol packet and the number of addresses of the IP address set of the fourth address cache entry is less than M.
Step 607, the IP address and the storage time carried by the fourth DNS protocol packet are recorded in the IP address set of the fourth address cache entry.
At step 608, an event is generated that triggers the refresh of the security policy acceleration table.
Step 609, it is determined that the IP address set of the fourth address cache entry does not contain the IP address carried in the fourth DNS protocol packet and the number of addresses of the IP address set of the fourth address cache entry is equal to M.
Step 610, deleting the IP address with the earliest storage time in the IP address set of the fourth address cache entry. Step 607 is performed.
For example, M is 10. The network device receives a fourth DNS protocol packet, DNS protocol packet 4, which carries domain name 1 and IP address IP41. The IP address originally used by domain name 1 is IP1. The network device determines that IP1, the IP address originally used by the domain name carried in DNS protocol packet 4, differs from IP41, the IP address carried in the packet, and generates a DNS domain name change event. According to the DNS domain name change event, the network device finds address cache table entry 1, which matches domain name 1.
If the network device determines that the IP address set of address cache table entry 1 contains IP41, no event triggering the refresh of the security policy acceleration table is generated, and the storage time of IP41 in the IP address set of address cache table entry 1 is refreshed to the current time.
If the network device determines that the IP address set of address cache table entry 1 does not contain IP41 and the number of addresses in that IP address set is less than 10, IP41 is recorded in the IP address set of address cache table entry 1 with its storage time set to the current time, and the network device generates an event triggering the refresh of the security policy acceleration table.
If the network device determines that the IP address set of address cache table entry 1 does not contain IP41 and the number of addresses in that IP address set is equal to 10, the IP address with the earliest storage time is deleted from the IP address set of address cache table entry 1, IP41 is recorded in the set with its storage time set to the current time, and the network device generates an event triggering the refresh of the security policy acceleration table.
In an embodiment of the present application, if the network device determines that the IP address originally used by the domain name carried in the fourth DNS protocol packet is the same as the IP address carried in the fourth DNS protocol packet, a DNS domain name change event is not generated, that is, a fourth address cache entry matching the domain name carried in the fourth DNS protocol packet is not searched, and an event triggering refreshing of the security policy acceleration table is not generated.
By applying the embodiment shown in fig. 6, the network device does not generate an event triggering the refresh of the security policy acceleration table merely because a DNS domain name change event occurs; it generates such an event only when the IP address set of the address cache entry actually changes, which avoids frequent reconstruction of the security policy acceleration table and reduces the CPU load.
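The address cache table logic of steps 603 to 610 (and of the first to third embodiments in the claims, where every received packet is processed), as an added worked example that is not code from the patent or from the assignee: one entry per domain name, at most M addresses per entry, eviction of the address with the earliest storage time when the set is full, aging of addresses whose aging time (chosen greater than M + 1 switching cycles) has elapsed, and a counter of the refresh events handed to the security policy acceleration table. The class and function names, the `only_on_change` switch that selects the fig. 6 variant, and the rotation scenario with constructed documentation addresses are all assumptions of this example.

```python
from dataclasses import dataclass, field


@dataclass
class AddressCacheEntry:
    """IP address set of one domain name: IP address -> storage time (seconds)."""
    ips: dict = field(default_factory=dict)


class AddressCacheTable:
    """Address cache table of the method (names assumed for this example): one entry per
    domain name, at most M IP addresses per entry, each address aged out after
    `aging_time` seconds, with aging_time strictly greater than (M + 1) switching cycles."""

    def __init__(self, m: int, switch_cycle: float, only_on_change: bool = False):
        if m < 2:
            raise ValueError("M must be an integer greater than or equal to 2")
        self.m = m
        self.aging_time = (m + 1) * switch_cycle + 1.0  # > (M + 1) switching cycles
        self.only_on_change = only_on_change  # fig. 6 variant: act only on a change event
        self.entries: dict = {}  # domain name -> AddressCacheEntry
        self.current_ip: dict = {}  # IP address each domain name was last seen using
        self.refresh_events = 0  # events that trigger refresh of the acceleration table

    def on_dns_packet(self, domain: str, ip: str, now: float) -> bool:
        """Handle one DNS protocol packet carrying (domain, ip) received at time `now`.
        Returns True iff an event triggering refresh of the acceleration table is generated."""
        changed = self.current_ip.get(domain) != ip  # DNS domain name change event?
        self.current_ip[domain] = ip
        if self.only_on_change and not changed:
            return False  # no change event: the entry is not even searched (fig. 6)
        entry = self.entries.setdefault(domain, AddressCacheEntry())
        if ip in entry.ips:
            entry.ips[ip] = now  # known address: refresh its storage time, no event
            return False
        if len(entry.ips) >= self.m:
            oldest = min(entry.ips, key=entry.ips.__getitem__)  # set is full (== M)
            del entry.ips[oldest]  # evict the address with the earliest storage time
        entry.ips[ip] = now  # record the new address together with its storage time
        self.refresh_events += 1
        return True

    def age_out(self, now: float) -> bool:
        """Delete every address whose aging time has elapsed. Returns True iff at least
        one address was deleted, in which case one refresh event is generated."""
        deleted = False
        for entry in self.entries.values():
            for ip in [ip for ip, t in entry.ips.items() if now - t >= self.aging_time]:
                del entry.ips[ip]
                deleted = True
        if deleted:
            self.refresh_events += 1
        return deleted

    def cached_ips(self, domain: str) -> set:
        entry = self.entries.get(domain)
        return set(entry.ips) if entry else set()


def simulate_rotation(m: int = 3, cycle: float = 60.0, rounds: int = 4) -> dict:
    """Constructed scenario: one domain name rotates round-robin among M addresses,
    switching once per cycle; the device learns the address each cycle and then runs
    aging. Returns the refresh events produced in the first round and in later rounds."""
    table = AddressCacheTable(m, cycle)
    ips = [f"192.0.2.{i}" for i in range(1, m + 1)]  # constructed RFC 5737 addresses
    first, later = 0, 0
    for k in range(rounds * m):
        now = k * cycle
        event = table.on_dns_packet("example.test", ips[k % m], now)
        event = table.age_out(now) or event
        if k < m:
            first += event
        else:
            later += event
    return {"first_round": first, "later_rounds": later,
            "cached": table.cached_ips("example.test"), "total": table.refresh_events}


if __name__ == "__main__":
    print(simulate_rotation())
```

In the rotation scenario the M addresses are learned once (M refresh events) and thereafter each address is refreshed every M cycles, which is inside the aging time, so no further refresh events occur while the domain keeps switching among them. With `only_on_change=True` the storage time is refreshed only when a change event arrives, so an address that a domain keeps using longer than the aging time ages out and is not re-recorded until the domain switches again; an implementer choosing the aging time for that variant needs to account for the longest period a domain is expected to stay on a single address.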
In one embodiment of the present application, the network device may send a DNS protocol request message to the DNS server periodically. The DNS server obtains the IP address currently used by the domain name carried in the DNS protocol request message, carries that IP address in a DNS protocol message and sends the DNS protocol message to the network device.
In another embodiment of the present application, the DNS server periodically sends the network device a DNS protocol packet carrying the IP address currently used by each domain name.
In this embodiment of the present application, the first DNS protocol packet, the second DNS protocol packet, the third DNS protocol packet, and the fourth DNS protocol packet may be obtained in the above two manners, which is not limited in this embodiment of the present application.
Based on the embodiment of the method for constructing the security policy acceleration table, the embodiment of the application also provides a device for constructing the security policy acceleration table. Referring to fig. 7, fig. 7 is a schematic structural diagram of a security policy acceleration table constructing apparatus according to an embodiment of the present application. The device is applied to network equipment, and the device comprises:
a storage unit 701, configured to store an address cache table having a plurality of address cache table entries; each address cache table entry is the IP address set of a different domain name, each IP address set is used for storing M IP addresses, the aging time of each IP address is greater than M +1 domain name address switching cycles, and M is an integer greater than or equal to 2;
a receiving unit 702, configured to receive a first domain name system protocol packet;
a searching unit 703, configured to search for a first address cache entry matched with a domain name carried in the first domain name system protocol packet;
a determining unit 704, configured to determine that the IP address set of the first address cache entry includes the IP address carried in the first domain name system protocol packet, in which case no event triggering refreshing of the security policy acceleration table is generated;
a refreshing unit 705, configured to refresh the storage time of the IP address carried in the first domain name system protocol packet in the IP address set of the first address cache table entry.
In an optional embodiment, the receiving unit 702 may be further configured to receive a second domain name system protocol packet;
the searching unit 703 may be further configured to search for a second address cache entry that matches the domain name carried in the second domain name system protocol packet;
the determining unit 704 may be further configured to determine that the IP address set of the second address cache entry does not include an IP address carried in the second domain name system protocol packet and that the number of addresses of the IP address set of the second address cache entry is less than M;
the refreshing unit 705 may be further configured to record the IP address carried in the second domain name system protocol packet and its storage time in the IP address set of the second address cache table entry;
the above security policy acceleration table constructing apparatus may further include:
a generating unit, configured to generate an event that triggers refreshing of the security policy acceleration table.
In an optional embodiment, the receiving unit 702 may be further configured to receive a third domain name system protocol packet;
the searching unit 703 may be further configured to search for a third address cache entry matched with the domain name carried in the third domain name system protocol packet;
the determining unit 704 may further be configured to determine that the IP address set of the third address cache entry does not include an IP address carried in the third domain name system protocol packet and the number of addresses of the IP address set of the third address cache entry is equal to M;
the refreshing unit 705 may be further configured to delete the IP address with the earliest storage time in the IP address set of the third address cache entry, and to record the IP address carried in the third domain name system protocol packet and its storage time in the IP address set of the third address cache entry;
the above security policy acceleration table constructing apparatus may further include:
a generating unit, configured to generate an event that triggers refreshing of the security policy acceleration table.
In an optional embodiment, the refreshing unit 705 may be further configured to delete an IP address reaching the aging time from an IP address set of each address cache entry in the address cache table;
the above security policy acceleration table constructing apparatus may further include:
a generating unit, configured to generate an event that triggers refreshing of the security policy acceleration table.
In the apparatus for constructing a security policy acceleration table provided in the embodiment of the present application, the aging time of each IP address included in an address cache table entry is long enough that, when a domain name switches among multiple IP addresses, none of the IP addresses in the cache table entry is aged out. When the network device needs to access a large number of domain names and the domain names switch among the IP addresses already acquired, no event triggering the refresh of the security policy acceleration table is generated, that is, repeated construction of the security policy acceleration table is avoided; the situation in which the IP addresses and domain name security policies after a domain name switch cannot be updated to the security policy acceleration table in time is also avoided, the consumption of memory and CPU resources is reduced, and the probability that a security policy check fails is reduced.
Based on the foregoing embodiment of the security policy acceleration table building method, an embodiment of the present application further provides a network device, as shown in fig. 8, including a processor 801 and a machine-readable storage medium 802, where the machine-readable storage medium 802 stores machine-executable instructions that can be executed by the processor 801. The processor 801 is caused by machine executable instructions to implement any of the steps shown in fig. 2-6 described above.
In an optional embodiment, as shown in fig. 8, the network device may further include: a communication interface 803 and a communication bus 804; the processor 801, the machine-readable storage medium 802, and the communication interface 803 complete communication with each other through the communication bus 804, and the communication interface 803 is used for communication between the network device and other devices.
Based on the above embodiment of the security policy acceleration table construction method, an embodiment of the present application further provides a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions that can be executed by a processor. The processor is caused by machine executable instructions to implement any of the steps shown in fig. 2-6 above.
The communication bus may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc.
The machine-readable storage medium may include a RAM (Random Access Memory) and an NVM (Non-Volatile Memory), such as at least one disk memory. Additionally, the machine-readable storage medium may be at least one memory device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the embodiments of the security policy acceleration table construction apparatus, the network device, and the machine-readable storage medium, since they are substantially similar to the embodiments of the security policy acceleration table construction method, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the embodiments of the security policy acceleration table construction method.
The above description is only for the preferred embodiment of the present application, and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (10)

1. A method for constructing a security policy acceleration table, the method comprising:
storing an address cache table having a plurality of address cache table entries; each address cache table entry is the Internet Protocol (IP) address set of a different domain name, each IP address set is used for storing M IP addresses, the aging time of each IP address is greater than M +1 domain name address switching cycles, and M is an integer greater than or equal to 2;
receiving a first domain name system protocol message;
searching a first address cache table item matched with the domain name carried by the first domain name system protocol message;
if the IP address set of the first address cache table item contains the IP address carried by the first domain name system protocol message, generating no event triggering refreshing of a security policy acceleration table;
and refreshing the storage time of the IP address carried by the first domain name system protocol message in the IP address set of the first address cache table entry.
2. The method of claim 1, further comprising:
receiving a second domain name system protocol message;
searching a second address cache table item matched with the domain name carried by the second domain name system protocol message;
determining that the IP address set of the second address cache table entry does not contain the IP address carried by the second domain name system protocol message and the address number of the IP address set of the second address cache table entry is less than M;
recording the IP address and the storage time carried by the second domain name system protocol message in the IP address set of the second address cache table item;
and generating the event triggering the refreshing of the security policy acceleration table.
3. The method of claim 1, further comprising:
receiving a third domain name system protocol message;
searching a third address cache table item matched with the domain name carried by the third domain name system protocol message;
determining that the IP address set of the third address cache table entry does not contain the IP address carried in the third domain name system protocol packet and the number of addresses of the IP address set of the third address cache table entry is equal to M;
deleting the IP address with the earliest storage time in the IP address set of the third address cache table entry;
recording the IP address and the storage time carried by the third domain name system protocol message in the IP address set of the third address cache table entry;
and generating the event triggering the refreshing of the security policy acceleration table.
4. The method of claim 1, further comprising:
deleting the IP address reaching the aging time in the IP address set of each address cache table item in the address cache table;
and generating the event triggering the refreshing of the security policy acceleration table.
5. An apparatus for security policy acceleration table construction, the apparatus comprising:
the storage unit is used for storing an address cache table with a plurality of address cache table entries; each address cache table entry is the Internet Protocol (IP) address set of a different domain name, each IP address set is used for storing M IP addresses, the aging time of each IP address is greater than M +1 domain name address switching cycles, and M is an integer greater than or equal to 2;
a receiving unit, configured to receive a first domain name system protocol packet;
the searching unit is used for searching a first address cache table item matched with the domain name carried by the first domain name system protocol message;
a determining unit, configured to determine that the IP address set of the first address cache entry includes the IP address carried in the first domain name system protocol packet, in which case no event triggering refreshing of a security policy acceleration table is generated;
and the refreshing unit is used for refreshing the storage time of the IP address carried by the first domain name system protocol message in the IP address set of the first address cache table entry.
6. The apparatus of claim 5, wherein
the receiving unit is further configured to receive a second domain name system protocol packet;
the searching unit is further configured to search a second address cache table entry matched with the domain name carried in the second domain name system protocol packet;
the determining unit is further configured to determine that the IP address set of the second address cache table entry does not include the IP address carried in the second domain name system protocol packet and that the number of addresses of the IP address set of the second address cache table entry is less than M;
the refreshing unit is further configured to record the IP address and the storage time carried by the second domain name system protocol packet in the IP address set of the second address cache table entry;
the device further comprises:
and the generating unit is used for generating the event for triggering the refreshing of the security policy acceleration table.
7. The apparatus of claim 5, wherein
the receiving unit is further configured to receive a third domain name system protocol packet;
the searching unit is further configured to search a third address cache entry matched with the domain name carried in the third domain name system protocol packet;
the determining unit is further configured to determine that the IP address set of the third address cache entry does not include the IP address carried in the third domain name system protocol packet and that the number of addresses of the IP address set of the third address cache entry is equal to M;
the refreshing unit is further configured to delete the IP address with the earliest storage time in the IP address set of the third address cache entry; recording the IP address and the storage time carried by the third domain name system protocol message in the IP address set of the third address cache table entry;
the device further comprises:
and the generating unit is used for generating the event for triggering the refreshing of the security policy acceleration table.
8. The apparatus of claim 5, wherein
the refreshing unit is further configured to delete an IP address reaching the aging time in an IP address set of each address cache entry in the address cache table;
the device further comprises:
and the generating unit is used for generating the event for triggering the refreshing of the security policy acceleration table.
9. A network device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to: carrying out the method steps of any one of claims 1 to 4.
10. A machine-readable storage medium having stored thereon machine-executable instructions executable by a processor, the processor being caused by the machine-executable instructions to: carrying out the method steps of any one of claims 1 to 4.
CN201910611878.1A 2019-07-08 2019-07-08 Security policy acceleration table construction method and device Active CN110381175B (en)

Publications (2)

Publication Number Publication Date
CN110381175A CN110381175A (en) 2019-10-25
CN110381175B true CN110381175B (en) 2022-02-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant