RU2779135C1 - Method for dynamic filtering of network packets by sessions - Google Patents

Abstract

FIELD: network packets dynamic filtering.

SUBSTANCE: invention relates to the methods for dynamic filtering of network packets. To resolve collisions that occur when tracking a session based on a HASH sum, one RAM cell contains records with information about four sessions. The information includes the destination IP address, the source IP address, the L4 protocol code, the destination port, the source port, the time the last session packet was received, and the code for the action to be performed on the packet. Next, the HASH sum is transmitted to the session tracking unit (106), which checks the address in the RAM memory cell, which is equal to the HASH sum, the presence of information consisting of packet header fields, which were used to calculate the HASH sum of the already received packet with such the same HASH sum, while the counter of the number of packets in the session is increased by 1 packet. If the RAM cell already contains information about the session, then it is compared with the data from the packet descriptor. If the information matches and the packet does not contain the SYN flag in the TCP header, then the packet is considered to belong to an already existing session and the action identifier stored in this RAM memory cell is added to the packet descriptor, which is an 8-bit number based on which the filter block performs packet filtering. If the information matches, but the packet contains the SYN flag in the TCP header, then a new session identifier is assigned and information about the current packet is entered into the RAM memory cell. If the information does not match, then the other three records about other sessions are checked in the same way; if there is no match, a new record is created in the RAM-memory cell.

EFFECT: invention improves throughput and performance.

1 cl, 4 dwg

Description

The invention relates to the field of building systems for monitoring and analyzing data transmission networks, and in particular to methods for high-speed search and tracking of TCP / UDP sessions in high-load networks (TCP / IP - a network model for transmitting data presented in digital form) and can be used in devices for preliminary processing for systems of deep analysis of network traffic, in particular, network packet brokers that support the TCP / IP protocol stack, as well as in devices based on a programmable logic integrated circuit (FPGA) or very large integrated circuit (VLSI). One of the key ways to improve the performance of systems for deep analysis of network traffic is to extract the packet header, transfer for processing and compare only the required fields of the packet headers. In this case, the entire packet is stored in the packet buffer and transmitted to the port determined as a result of header analysis.

Network packet brokers are specialized devices that have found the greatest use in information security systems. The rules for distribution and aggregation of traffic in network packet brokers are completely determined by the settings, they do not have standards for building forwarding tables (MAC tables) and exchange protocols with other switches (such as STP), and therefore the range of possible settings and understandable fields in them is much wider.

A broker can evenly distribute traffic from one or more input ports to a given range of output ports. You can set rules for copying, filtering, classifying, deduplicating and modifying traffic. These rules can be applied to different groups of input ports of the network packet broker, as well as applied sequentially one after the other in the device itself.

The claimed method of dynamic filtering of network packets is aimed at providing the function of filtering network packets, taking into account belonging to protocol sessions, for example, TCP or UDP, and can be applied in network traffic preprocessing devices. The traffic filtering algorithm is reduced to determining whether the packet parameters correspond to the given conditions. TCP or UDP protocols transmit data in separate parts - "packets". Each data packet has a special header. TCP and UDP are Internet transport protocols that deliver data over a connection pre-established between two computers. Both protocols in the header of the data packet indicate the port number of the recipient, as well as the outgoing port number of the sender.

The closest analogue to the proposed method is the method of dynamic packet filtering using session tracking, described in the patent for the invention JP4162210B2 (class H04L 12/66, 08.10.2008), "Dynamic packet filter using session tracking". The known method includes receiving the input stream of packets through the input interface, then passing it to the packet analysis unit, in which the Ethernet, IP and TCP / UDP headers are extracted from the packet and the descriptor is formed on their basis, the packets are stored in the packet buffer, and the descriptor is in the descriptor buffer, from which the descriptors are passed to the HASH calculation block.

The disadvantage of the known method is the large variability of network packet filtering methods, which complicates the system and reduces protection from external attacks, as well as the impossibility of filtering network packets belonging to UDP sessions, and the lack of a solution for situations where several sessions have the same HASH value. -sums, as well as the use of a common data bus, to which the constituent parts of the system do not have exclusive access, which complicates the technical implementation and reduces the performance of the solution.

The aim of the proposed invention is to eliminate the above disadvantages.

The technical result of the presented invention is to reduce the load on the information system, increase throughput and performance, as well as independence from the operation of software or system architecture, ensuring the operation of traffic pre-processing devices with the ability to filter packets based on belonging to a TCP / UDP session and use in devices based on FPGA or VLSI.

The advantage of the claimed solution is also the use of pipeline processing, in which several batches can be processed simultaneously.

The technical result is achieved by dynamic filtering of network packets by belonging to the session, including receiving the input stream of packets through the input interface, passing it to the packet analysis unit, in which the Ethernet, IP and TCP / UDP headers are extracted from the packet and the descriptor is formed on their basis. , saving packets in the packet buffer, and descriptors in the descriptor buffer, from which the descriptors are transferred to the HASH calculation block,

in the HASH calculation block, based on the packet header fields, including: the recipient's IP address, the sender's IP address, the L4 protocol code and TCP / UDP ports of the recipient and sender, the HASH sum is calculated using the counter algorithm with Galois authentication;

at the same time, to resolve collisions that occur when tracking a session based on a HASH sum, one RAM cell contains records with information about four sessions, including the recipient's IP address, the sender's IP address, the L4 protocol code, the recipient's port, and the sender's port , the time when the last packet of the session was received and the code of the action to be performed on the packet,

then the HASH sum is transferred to the session tracking block, which checks the address in the RAM memory cell, which is equal to the HASH sum, the presence of information consisting of packet header fields, which were used to calculate the HASH sum of the already received packet with the same HASH amount;

if the RAM cell already contains information about the session, then it is compared with the data from the packet descriptor,

if the information matches and the packet does not contain the SYN flag in the TCP header, then it is considered that the packet belongs to an already existing session and the counter of the number of packets in the session is increased by 1 packet, the counter of the number of packets in the session is added to the packet descriptor, based on the value of which the block filtering performs packet filtering,

if the information matches, but the packet contains the SYN flag in the TCP header, then a new session identifier is assigned and information about the current packet is entered into the RAM memory cell,

if the information does not match, then the remaining three records with information about sessions are checked in the same way, and if there is no match, a new record is created in the RAM memory cell, replacing the existing record,

for UDP sessions, the time interval between two session packets is checked, and if it exceeds the set threshold, then it is considered that the incoming packet belongs to a new session, and information about the outdated session is deleted,

if the counter of the number of packets in the session exceeds a predetermined value that determines the threshold for filtering packets in the session, then the action code "Transmission denied" is transmitted to the filtering unit,

otherwise, the action code "Transfer allowed" is transmitted,

as a result, the filtering block, depending on the action code, reads the packet from the packet buffer and transmits the packet to the output interface - "transmission is allowed" or removes the packet from the packet buffer - "transfer is prohibited".

The claimed invention is illustrated by the following graphics:

fig. 1 is a diagram illustrating the functional blocks involved in filtering network packets by belonging to a session;

Fig.2 - block diagram of dynamic filtering of packets by belonging to the session;

fig. 3 is a diagram illustrating the composition of the information stored in the descriptor;

fig. 4 is a diagram illustrating the structure of storing information about sessions in RAM memory.

System for filtering network packets by belonging to a session
(Fig. 1) contains an input interface (101), a packet analysis unit (102), a packet buffer (103), a descriptor buffer (104), a HASH calculation unit (105), a session tracking unit (106), a RAM memory (107 ), a filtering unit (108) and an output interface (109).

The input interface (101) receives the network packet, checks for compliance with the requirements of the Ethernet protocol (preamble, packet start, checksum).

Packet analysis block (102) is a block that extracts Ethernet, IP and TCP/UDP headers from the network headers of the received packet and generates a special information block on their basis. The size of the TCP header is 20 bytes. The size of the UDP header is 8 bytes.

The difference between the TCP and UDP protocols is that the TCP protocol has a mechanism for controlling the completeness of the transmitted data - if any packet was lost or damaged, then a mechanism is provided to check this fact and resend the packet. There is no such mechanism in the UDP protocol.

Packet buffer (103) is a storage block in which the entire packet is stored in the blocks for calculating the HASH sum and the session tracking block during the processing of the packet descriptor.

Descriptor buffer (104) - temporary storage where descriptors are stored while waiting for processing.

HASH calculation block (105) - a block in which the following fields are extracted from the descriptor: recipient IP address, sender IP address, L4 protocol code, recipient TCP / UDP port, sender TCP / UDP port and based on these fields a sequence is formed bytes (vector of bytes) over which the HASH sum is calculated according to the counter algorithm with Galois authentication (HASH sum calculation method). This is necessary in order to reduce the 13-byte descriptor to 4 bytes and facilitate the search for the descriptor in RAM-memory by the key, which is the HASH sum.

The counter with Galois authentication is a variation of the mode of operation of symmetric block ciphers. In the counter algorithm with Galois authentication, the input blocks of the byte vector are numbered sequentially, the block number is encoded by the block algorithm. The output of the encryption function is used in XOR operation (exclusive or) with the plaintext to get the HASH sum. The scheme is a stream cipher, so using a unique byte vector guarantees a unique HASH sum.

The HASH calculation unit (105) for calculating the HASH sum can perform, for example, a bitwise XOR operation on the corresponding bits of the destination IP address (32 bits), the source IP address (32 bits), the L4 protocol code (8 bits), the port destination (16 bits), sender port (16 bits) and sends the results of the bitwise exclusive OR (XOR) operation to the randomizer and generates a HASH sum having Y bits, where Y is a positive integer, for example, for the specified example 10 bit.

The session tracking block (106) is a block that checks the address in the RAM memory cell, which is equal to the HASH sum, the presence of information consisting of the packet header fields used to calculate the HASH sum, about the already received packet with the same HASH sum. amount, while increasing the counter of the number of packets in the session by 1 packet.

RAM-memory (107) - a block that is random access memory. The width of the memory address is equal to the length of the HASH sum, each memory cell stores information about 4 sessions. This information includes the destination IP address, the source IP address, the L4 protocol code, the destination port, the source port, the time the last session packet was received, and the code of the action performed on the packet (session received packet counter). Protocol code L4 – transport layer protocol code that defines TCP or UDP protocol.

The filtering block (108) is a block that, based on a command from the session tracking block, transfers a packet from the packet buffer to the output interface or removes the packet from the packet buffer.

Filtering is done based on the number of packets in a session, all packets exceeding a predetermined threshold are filtered.

If "Transmission enabled", then the packet is read from the packet buffer and transmitted to the egress interface (109). If "Transmission denied", then the packet is removed from the packet buffer.

Output interface (109) - performs the transmission of a network packet to the network.

The L4 protocol code indicates the protocol number in the "Protocol" field of the IPv4 packet header (what protocol the packet contains, such as TCP, UDP, or ICMP) or in the "Next Header" field of the IPv6 packet. The IP packet format is described in more detail in the RFC 791 "Internet Protocol DARPA Internet Program Protocol Specification", September 1981. The TCP protocol is described in the RFC 793 "Transmission Control Protocol" specification, September 1980, the UDP protocol is described in the RFC 768 specification " User Datagram Protocol, August 1980.

In the preferred embodiment of the invention, the above logical blocks, such as the packet analysis block (102), the HASH calculation block (105), the filtering block (108), the session tracking block (106) can be implemented or implemented on the basis of a field-programmable logic integrated circuit (FPGA) , very large integrated circuit (VLSI). It will be obvious to the person skilled in the art that the above logical blocks, processing circuits/algorithms can be implemented using a memory element that records processed data and a processing processor, which can be a general purpose processor, a computer-readable medium, a state machine, or other hardware-programmable logic device. , a discrete logic element or transistor logic, a discrete hardware component, or any combination thereof, to perform the functions described above. An FPGA or VLSI can be programmed to perform the proposed method and placed anywhere on the data center computer network or network packet brokers.

The declared method of dynamic filtering of network packets by belonging to the session is carried out as follows.

The input packet stream (FIG. 1, FIG. 2) is received sequentially through the input interface (101), which includes the functions of converting from an electrical signal to a set of serial digital values and performing a check for compliance with the requirement of the Ethernet protocol. Then the packets are transferred to the packet analysis block (102), in which the Ethernet, IP and TCP / UDP headers are extracted from each packet and a special information block (descriptor) is formed on their basis, sent to the descriptor buffer (104), in which they are being saved. For the duration of processing, the packets after the packet parser (102) are stored in the packet buffer (103).

From the descriptor buffer (104), the descriptors are transferred to the HASH calculation unit (105), in which, based on the packet header fields (IP addresses, L4 protocol code and TCP / UDP ports of the recipient and sender), the HASH sum is calculated using the counter algorithm with Galois authentication . To resolve collisions that occur when tracking a session based on a HASH sum, one RAM cell contains records with information about four sessions. The information includes the destination IP address, the source IP address, the L4 protocol code, the destination port, the source port, the time the last session packet was received, and the code for the action to be performed on the packet.

Next, the HASH sum is transferred to the session tracking unit (106), which checks in the RAM memory cell (107) the address of which is equal to the HASH sum, the presence of information consisting of the packet header fields used to calculate the HASH sum, about the already received packet with the same HASH sum, while increasing the counter of the number of packets (n) in the session by 1 packet (figure 2).

The decision on whether or not to skip network packets is made based on the number of session packets, all packets exceeding a predetermined threshold are filtered;

the counter of the number of packets in the session is stored in RAM-memory.

If there is already information about the session in the RAM memory cell (107), then it is compared with the data from the packet descriptor
(Fig. 2).

If the information matches and the packet does not contain the SYN flag (which means the beginning of a new session) in the TCP header, then the packet is considered to belong to an already existing session and the action identifier stored in this RAM memory cell, which is 8-bit, is added to the packet descriptor a number based on which the filtering unit (108) performs packet filtering.

If the information matches, but the packet contains the SYN flag in the TCP header, then a new session identifier is assigned and information about the current packet is entered into the RAM memory cell (107).

If the information does not match, then the other three records with information about sessions are checked in the same way. In this case, if the information does not match, a new entry is created in the RAM-memory cell.

For UDP sessions, the time interval between two session packets is checked, and if it exceeds the set threshold (for example, more than 30 seconds), then the incoming packet is considered to belong to a new session, and information about the outdated session is deleted, after which the filtering block (108) receives from the session tracking block the code of the action to be performed.

Packets from the packet buffer (103) enter the filtering unit (108).

If, as a result of the analysis, it was possible to determine the action code, then the filtering unit (108) transmits to the session tracking unit (106) the action code for writing to the RAM memory cell corresponding to this session “Transmission allowed” or “Transmission prohibited”.

If the action code allows further transmission, then the packet is transmitted to the egress interface (109).

If the counter exceeds a predetermined threshold (packet n), then the packet action is considered to be "transmission denied" and removed from the packet buffer.

To handle the case where multiple TCP/UDP sessions have the same HASH value, one RAM location (107) may contain an entry with information about four sessions. The information includes (FIG. 3) the destination IP address (201), the source IP address (202), the L4 protocol code (203), the destination port (204), the source port (205), the time when the last received the session package (206) and the code for the action to be performed on the package (207).

An example of the format for storing information about sessions in RAM memory, where information about 4 sessions is stored in each memory cell is presented in
fig. four.

In this case, the input stream of packets is received sequentially through the input interface (101). Then the packets are transferred to the packet analysis block (102), in which the Ethernet, IP and TCP / UDP headers are extracted from each packet and a descriptor is formed on their basis, which is sent to the descriptor buffer (104). For the duration of processing, the packets after the packet parser (102) are stored in the packet buffer (103).

From the descriptor buffer (104), the descriptors are passed to the HASH calculation block (105), in which the HASH sum is calculated based on the packet header fields. One RAM cell contains records with information about four sessions (HASH No. 1, HASH No. 2, HASH No. 3, HASH No. 4). The information includes (FIG. 3) the destination IP address, the source IP address, the L4 protocol code, the destination port, the source port, the time the last session packet was received, and the code for the action to be performed on the packet.

Next, the HASH sum is transferred to the session tracking unit (106), which checks in the RAM memory cell (107) the address of which is equal to the HASH sum, the presence of information consisting of the packet header fields used to calculate the HASH sum, about the already received packet with the same HASH sum, while the counter of the number of packets (n) in the session is increased by 1 packet.

If the information matches (Fig. 2), the SYN flag is present in the TCP packet, then a new session identifier is assigned and information about the current packet is entered into the RAM memory cell. UDP packet and the difference between the time from the record and the packet time < Limit_T= 30 sec, the number of packets (n) increases by 1 packet (Fig. 2). The number of packages n<N, where N=4. The filtering block receives from the session tracking block the code of the performed action "transfer allowed".

As a result of using the claimed invention, a reduction in the load on the information system, an increase in throughput and performance, as well as independence from the operation of the software or system architecture is achieved.

The described embodiments of the invention are not exhaustive and are provided only for the purpose of explaining and confirming industrial applicability, and specialists in the art are able to create alternative embodiments of the invention without departing from the scope of the claims, but within the essence of the invention reflected in the description.

Claims (10)

A method for dynamically filtering network packets by belonging to a session, including receiving an input stream of packets through an input interface, passing it to a packet analysis unit, in which the Ethernet, IP and TCP / UDP headers are extracted from the packet and a descriptor is formed on their basis, packets are saved in the packet buffer, and descriptors - in the descriptor buffer, from which the descriptors are transferred to the HASH calculation block, characterized in that in the HASH calculation block, based on the packet header fields, including: the recipient's IP address, the sender's IP address, the L4 protocol code and TCP / UDP ports of the recipient and sender, the HASH sum is calculated using the counter algorithm with Galois authentication; at the same time, to resolve collisions that occur when tracking a session based on a HASH sum, one RAM cell contains records with information about four sessions, including the recipient's IP address, the sender's IP address, the L4 protocol code, the recipient's port, and the sender's port , the time when the last packet of the session was received and the code of the action to be performed on the packet, then the HASH sum is transferred to the session tracking block, which checks in the RAM cell, the address of which is equal to the HASH sum, the presence of information consisting of the packet header fields used to calculate the HASH sum, about the already received packet with the same HASH -amount; if the RAM cell already contains information about the session, then it is compared with the data from the packet descriptor, if the information matches and the packet does not contain the SYN flag in the TCP header, then it is considered that the packet belongs to an already existing session and the counter of the number of packets in the session is increased by 1 packet, the counter of the number of packets in the session is added to the packet descriptor, based on the value of which the block filtering performs packet filtering, if the information matches, but the packet contains the SYN flag in the TCP header, then a new session identifier is assigned and information about the current packet is entered into the RAM memory cell, if the information does not match, then the remaining three records with information about sessions are checked in the same way, and if there is no match, a new record is created in the RAM memory cell, replacing the existing record, for UDP sessions the time interval between two session packets is checked, and if it exceeds the set threshold, then it is considered that the incoming packet belongs to a new session, and information about the outdated session is deleted, if the counter of the number of packets in the session exceeds a predetermined value that determines the threshold for filtering packets in the session, then the action code "Transmission is prohibited" is transmitted to the filtering unit, otherwise the action code "Transmission is allowed" is transmitted, as a result, the filtering block, depending on the action code, reads the packet from the packet buffer and transmits the packet to the output interface - "transmission is allowed" or removes the packet from the packet buffer - "transfer is prohibited".

Images