CN100454895C - Method for raising network security via message processing - Google Patents
- Publication number: CN100454895C (application number CNB2005100801640A)
- Authority: CN (China)
- Prior art keywords: message, priority, cpu, buffer queue, forwarding plane
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Abstract
A method for improving network security through packet processing: packets that need to be handled by the central processing unit (CPU) are placed, according to their priority, into buffer queues of corresponding priority on the channel between the CPU and the hardware forwarding plane, and the CPU processes the packets in those buffer queues according to a scheduling rule; packets that do not need CPU handling are dealt with by the hardware forwarding plane according to their properties. Packets are identified according to specific rules, which improves the anti-attack capability of the network device.
Description
Technical field
The present invention relates to network communications technology, and in particular to a method for improving network security through packet processing.
Background technology
A network attack is malicious behaviour that sabotages a network and endangers its security. Common network attacks fall into two types: one intrudes into or damages the servers (hosts) on the network; the other directly damages the network devices themselves. As society and the economy develop, networks become ever more closely tied to people's work and daily life, and the harm a network attack can cause grows accordingly. Attacks on network devices are especially serious: if a device fails, service on the whole network may become abnormal. This places higher demands on the anti-attack capability of network devices.
Existing mid- and high-end network devices almost all adopt an architecture that combines a hardware forwarding plane with a software plane running on the central processing unit (CPU), and attacks on a network device are aimed mainly at the device's upper-layer software plane. Typically the attacker sends abnormal data packets to the network device; these pass through the device's defences, are punted to the device CPU and put great pressure on CPU performance.
Most existing network devices adopt a technique similar to CPU flow control, which limits the absolute rate at which the hardware delivers packets to the software plane and so ensures that the CPU is not completely paralysed by overload. When the volume of abnormal traffic is large, however, the abnormal packets seize the bandwidth of the channel to the software plane, consume the limited CPU resources and cause large numbers of normal packets to be discarded. The end result is that the response speed of the network device drops sharply, service to normal users cannot be guaranteed, and the network may even be interrupted.
Another prior-art method of preventing network attacks is to use an ACL (access control list). The network device filters packets by matching certain key fields of the data packet (such as the packet's protocol type, IP address and port number) against the rules defined in the ACL, checking whether the packet's characteristics meet a rule, and then handling the packet according to the action associated with the matching rule, such as forwarding or discarding it.
Clearly, to implement device attack protection with ACLs, one must first analyse the characteristics of the illegal packets, then design corresponding ACL rules that distinguish legal packets from illegal ones, and handle the two classes differently: legal packets are passed and illegal packets are discarded. This ensures that legal packets are processed correctly while illegal packets are blocked.
This method nevertheless has a security weakness: it cannot effectively defend against attacks that forge the format of legal data packets. Present-day attack techniques are increasingly covert, and many attack flows are forged to look like legal data packets, such as normal ARP (Address Resolution Protocol) or PPP (Point-to-Point Protocol) negotiation packets. Although the format and content of these packets are normal, at abnormally high volume they can still cause the network device to malfunction. In addition, configuring and maintaining ACL rules is fairly complex. Attack methods are varied and new ones keep appearing, each requiring new ACL rules designed for the new attack packets, so the device maintenance workload is considerable.
Summary of the invention
In view of the above shortcomings of the prior art, the object of the present invention is to provide a method for improving network security through packet processing that improves the anti-attack capability of the network and is simple to operate.
The present invention is achieved through the following technical solution. The invention provides a method for improving network security through packet processing, the method comprising:
the hardware forwarding plane identifies the received packet;
for packets that need to be submitted to the central processing unit for processing, the following steps are performed:
A. according to the packet's priority, the packet is placed in the buffer queue of corresponding priority on the packet channel between the CPU and the hardware forwarding plane, the priority being divided according to the packet's protocol type;
B. the CPU processes the packets in the buffer queues according to a scheduling rule;
for packets that do not need to be submitted to the central processing unit for processing, the following step is performed:
legal packets are forwarded by the hardware forwarding plane, and illegal or unrecognisable packets are discarded directly.
The hardware forwarding plane identifying the received packet further comprises: the hardware forwarding plane judges whether the destination address and the content of the packet meet predetermined requirements.
The scheduling rule is: the CPU gives priority to processing the packets in the buffer queue of higher priority.
The scheduling rule further comprises: also attending to the queues of lower priority.
Step A further comprises: when the corresponding buffer queue is full, the packet waiting to be placed in that buffer queue is discarded directly.
According to the present invention, packets are identified, the packets that need CPU processing are assigned priorities according to specific rules, and each is placed according to its priority in the buffer queue of corresponding priority on the packet channel between the hardware forwarding plane and the CPU. Important protocol packets thus receive priority treatment from the CPU, which guarantees the stable handling of important packets in the network device. The anti-attack capability of the network device and the reliability of the network are therefore improved.
Description of drawings
Fig. 1 is a schematic diagram of packet processing according to the present invention;
Fig. 2 is a flow chart of packet processing according to the present invention.
Embodiment
To help persons skilled in the art understand and implement the present invention, embodiments of the invention are now described with reference to the accompanying drawings.
As shown in Fig. 1, the basic idea of the invention is: the hardware identifies the received packet; packets that need to be submitted to the CPU are prioritised by protocol type and placed in the buffer queue of corresponding priority on the packet channel between the CPU and the hardware forwarding plane; packets that do not need to be submitted to the CPU are forwarded directly if they are normal, otherwise the unrecognisable or illegal packets are discarded directly. The method of improving resistance to network attacks through packet processing according to the invention is described in detail below.
Fig. 2 is a flow chart of packet processing according to the present invention.
Step 21: the hardware receives a data packet sent to the network device.
Step 22: the hardware judges, according to specific rules, whether the packet needs to be submitted to the CPU software plane for processing.
For example, the judgement can be based on the packet's destination address, on fields within the packet, and so on. If the destination address of the packet points to the device itself or to a protocol multicast address, the packet is submitted to the CPU software plane. Whether the packet is submitted can also be judged by special options it carries; for example, a packet carrying IP header extension options can be submitted to the CPU software plane. Alternatively, the contents of other protocol fields in the packet can decide whether it is submitted. The three criteria above can also be combined. If the packet meets the judgement condition, step 23 is executed; otherwise step 25 is executed: the packet does not need CPU processing, so a normal packet is forwarded directly while unrecognisable or illegal packets are discarded directly.
Step 23: for packets that need to be submitted to the CPU, the packet's priority is determined by its protocol type.
Taking an ESR (edge service router) as an example, the method of deciding packet priority is as follows. The rules for distinguishing priority can be configured on the device, for instance by protocol type: PPP negotiation packets are defined as the highest priority, routing-protocol and ARP packets come next, and other packets such as PING and TELNET can be given lower priority.
The above is only one example of priority division; in a specific implementation, packet priority can also be distinguished by the contents of other protocol fields.
Step 24: the packet is placed in the queue corresponding to its priority.
The queue mechanism lets the device absorb short bursts of traffic, matching the real behaviour of network traffic. That is, when the flow of packets needing CPU processing momentarily exceeds the bandwidth for delivery to the CPU, packets that cannot be processed in time are held temporarily in the buffer; if the subsequent traffic returns to normal, the CPU can process the queued packets in time. When the traffic anomaly persists and remains excessive, an attack is probably under way; such packets are discarded once the buffer queue is full, which avoids wasting CPU resources.
The CPU processes the packets in each queue according to a scheduling rule, under which the CPU preferentially processes the packets in the higher-priority buffer queue while also attending to the packets in the other priority buffer queues. That is, the higher-priority queue is processed first; after the packets in the higher-priority queue have been processed for a first predetermined number of time slices (for example 5 time slices), a second predetermined number of time slices (for example 1 time slice) is allocated to processing the lower-priority queue. This not only guarantees that important services are processed first but also looks after lower-priority packets. When the attack packets have the higher priority, after the CPU has processed those attack packets for the first predetermined time slices it can process the other, normal packets, so normal operation of the communication system is guaranteed. Moreover, while the CPU is processing lower-priority packets, large numbers of attack packets are discarded, which greatly reduces the attacking ability of the attack packets and thereby improves the security of the network.
According to the present invention, a multi-priority queue processing scheme for protocol packets guarantees the stable operation of important services when the network device faces abnormal network traffic. The anti-attack capability of the network device and the reliability of the network are thereby improved.
Although the present invention has been described through embodiments, those of ordinary skill in the art will appreciate that many variations and modifications can be made without departing from the spirit and substance of the invention, and the scope of the invention is defined by the appended claims.
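The punt-path classification (step 22), the per-priority queueing with tail drop (steps 23 and 24) and the time-slice scheduling rule above, as an added Python simulation; this is example code written for this page, not code from the patent or from any Huawei product. The device address, the protocol multicast addresses, the protocol-to-priority table, the queue depth of 4, the slice counts (5, 1, 1) for the three priority classes and the packet mix are all constructed assumptions for the simulation.

```python
from collections import deque
from dataclasses import dataclass

# Assumed constants for the simulation (not taken from the patent):
DEVICE_ADDRS = {"10.0.0.1"}                  # addresses owned by the device itself
PROTOCOL_MCAST = {"224.0.0.5", "224.0.0.6"}  # OSPF AllSPFRouters / AllDRouters
# Priority by protocol type, following the ESR ordering in the text:
# PPP negotiation highest, routing protocols and ARP next, PING/TELNET lowest.
PRIORITY = {"ppp": 0, "ospf": 1, "bgp": 1, "arp": 1, "icmp": 2, "telnet": 2}
QUEUE_DEPTH = 4          # assumed per-priority buffer depth
SLICES = (5, 1, 1)       # assumed time slices per queue in one scheduling round


@dataclass
class Packet:
    proto: str
    dst: str
    ip_options: bool = False  # IP header options force a punt to the CPU
    malformed: bool = False   # fails the forwarding plane's format checks


def classify(pkt):
    """Step 22: hardware forwarding-plane decision for one packet.
    Returns 'cpu' (punt), 'forward' (hardware path) or 'drop' (illegal/unknown)."""
    if pkt.malformed or pkt.proto not in PRIORITY:
        return "drop"
    if pkt.dst in DEVICE_ADDRS or pkt.dst in PROTOCOL_MCAST or pkt.ip_options:
        return "cpu"
    return "forward"


class PuntChannel:
    """Per-priority buffer queues on the channel between forwarding plane and CPU."""

    def __init__(self, depth=QUEUE_DEPTH, slices=SLICES):
        self.queues = [deque() for _ in slices]
        self.depth = depth
        self.slices = slices
        self.tail_dropped = 0

    def enqueue(self, pkt):
        """Steps 23-24: pick the queue by protocol priority; tail-drop when it is full."""
        q = self.queues[PRIORITY[pkt.proto]]
        if len(q) >= self.depth:
            self.tail_dropped += 1
            return False
        q.append(pkt)
        return True

    def dispatch_round(self):
        """One CPU scheduling round: up to slices[0] packets from the highest queue,
        then slices[i] packets from each lower queue, so a flood in the top class
        cannot starve the lower classes."""
        served = []
        for q, n in zip(self.queues, self.slices):
            for _ in range(n):
                if not q:
                    break
                served.append(q.popleft())
        return served


def simulate_flood(n_attack=20):
    """Constructed scenario: a burst of forged PPP negotiation frames (highest
    priority, legal format) arrives together with one OSPF hello, one ping to the
    device, one malformed packet and one transit ping."""
    chan = PuntChannel()
    hw_forwarded = hw_dropped = 0
    traffic = [Packet("ppp", "10.0.0.1")] * n_attack
    traffic += [
        Packet("ospf", "224.0.0.5"),                 # routing protocol, punted
        Packet("icmp", "10.0.0.1"),                  # ping to the device, punted
        Packet("tcp", "10.0.0.1", malformed=True),   # illegal: dropped in hardware
        Packet("icmp", "10.0.0.9"),                  # transit traffic: forwarded
    ]
    for pkt in traffic:
        verdict = classify(pkt)
        if verdict == "cpu":
            chan.enqueue(pkt)
        elif verdict == "forward":
            hw_forwarded += 1
        else:
            hw_dropped += 1
    served = chan.dispatch_round()
    return {
        "hw_forwarded": hw_forwarded,
        "hw_dropped": hw_dropped,
        "tail_dropped": chan.tail_dropped,
        "served": [p.proto for p in served],
    }


if __name__ == "__main__":
    print(simulate_flood())
```

Running the script shows the property the text claims: the 20 forged PPP frames fill only their own queue (16 of them are tail-dropped at the channel, never reaching the CPU), and a single scheduling round still serves the OSPF hello and the ping to the device after the 4 queued PPP frames. The malformed packet is dropped and the transit ping forwarded entirely in the forwarding plane, so neither consumes CPU time.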
Claims (5)
1. A method for improving network security through packet processing, characterised in that it comprises:
the hardware forwarding plane identifies the received packet;
for packets that need to be submitted to the central processing unit for processing, the following steps are performed:
A. according to the packet's priority, the packet is placed in the buffer queue of corresponding priority on the packet channel between the CPU and the hardware forwarding plane, the priority being divided according to the packet's protocol type;
B. the CPU processes the packets in the buffer queues according to a scheduling rule;
for packets that do not need to be submitted to the central processing unit for processing, the following step is performed:
legal packets are forwarded by the hardware forwarding plane, and illegal or unrecognisable packets are discarded directly.
2. The method for improving network security through packet processing according to claim 1, characterised in that the hardware forwarding plane identifying the received packet further comprises: the hardware forwarding plane judges whether the destination address and the content of the packet meet predetermined requirements.
3. The method for improving network security through packet processing according to claim 1, characterised in that the scheduling rule is: the CPU gives priority to processing the packets in the buffer queue of higher priority.
4. The method for improving network security through packet processing according to claim 3, characterised in that the scheduling rule further comprises: also attending to the queues of lower priority.
5. The method for improving network security through packet processing according to claim 1, characterised in that step A further comprises: when the corresponding buffer queue is full, the packet waiting to be placed in that buffer queue is discarded directly.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2005100801640A CN100454895C (en) | 2005-06-30 | 2005-06-30 | Method for raising network security via message processing |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1889510A CN1889510A (en) | 2007-01-03 |
CN100454895C true CN100454895C (en) | 2009-01-21 |
Family
ID=37578769
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB2005100801640A Active CN100454895C (en) | 2005-06-30 | 2005-06-30 | Method for raising network security via message processing |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100454895C (en) |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101022414B (en) * | 2007-03-08 | 2010-11-03 | 华为技术有限公司 | Message retransmitting method and apparatus |
CN101184095B (en) * | 2007-12-06 | 2011-09-21 | 中兴通讯股份有限公司 | Network anti-attack method and system based on strategy control listing of CPU |
CN101355567B (en) * | 2008-09-03 | 2012-05-09 | 中兴通讯股份有限公司 | Method for protecting safety of route-exchanging device central processing unit |
CN102316022B (en) * | 2011-07-05 | 2014-06-18 | 杭州华三通信技术有限公司 | Protocol message forwarding method and communication equipment |
CN102638403B (en) * | 2012-04-01 | 2015-04-29 | 华为技术有限公司 | Method and device for processing messages |
CN103118015B (en) * | 2013-01-17 | 2015-08-05 | 苏州亿倍信息技术有限公司 | A kind of implementation method of terminal security strategy and system |
CN104202261B (en) * | 2014-08-27 | 2019-02-05 | 华为技术有限公司 | A kind of service request processing method and device |
CN105490961A (en) * | 2014-09-19 | 2016-04-13 | 杭州迪普科技有限公司 | Message processing method, and device and network device |
CN105357184A (en) * | 2015-10-08 | 2016-02-24 | 上海斐讯数据通信技术有限公司 | Secondary protection method for CPU (Central Processing Unit) of switch |
CN107547416A (en) * | 2016-06-28 | 2018-01-05 | 中兴通讯股份有限公司 | A kind of processing method and processing device of protocol massages |
CN111917769A (en) * | 2020-07-30 | 2020-11-10 | 中盈优创资讯科技有限公司 | Automatic handling method and device of security event and electronic equipment |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001037511A2 (en) * | 1999-11-18 | 2001-05-25 | Secureworks, Inc. | Method and system for remotely configuring and monitoring a communication device |
US6499107B1 (en) * | 1998-12-29 | 2002-12-24 | Cisco Technology, Inc. | Method and system for adaptive network security using intelligent packet analysis |
CN1466306A (en) * | 2002-06-27 | 2004-01-07 | 中联绿盟信息技术(北京)有限公司 | Method for preventing network state synchronous flood attack and protecting network in transparent mode |
JP2004320461A (en) * | 2003-04-16 | 2004-11-11 | Nippon Telegr & Teleph Corp <Ntt> | Method, device, and program for preventing attack on network, and recording medium having program recorded therein |
- 2005-06-30: CN application CNB2005100801640A, patent CN100454895C, status Active
Also Published As
Publication number | Publication date |
---|---|
CN1889510A (en) | 2007-01-03 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | Effective date of registration: 2023-04-13. Address after: Room 910, 9th Floor, Building 1, No. 22 Jianguomenwai Street (Saite Building), Chaoyang District, Beijing, 100022; Patentee after: Beijing Zhifang Intellectual Property Management Co.,Ltd. Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen; Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd. |