CN100454895C - Method for raising network security via message processing - Google Patents

Method for raising network security via message processing Download PDF

Info

Publication number
CN100454895C
CN100454895C CNB2005100801640A CN200510080164A CN100454895C CN 100454895 C CN100454895 C CN 100454895C CN B2005100801640 A CNB2005100801640 A CN B2005100801640A CN 200510080164 A CN200510080164 A CN 200510080164A CN 100454895 C CN100454895 C CN 100454895C
Authority
CN
China
Prior art keywords
message
priority
cpu
buffer queue
forwarding plane
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CNB2005100801640A
Other languages
Chinese (zh)
Other versions
CN1889510A (en
Inventor
周澜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Zhifang Intellectual Property Management Co.,Ltd.
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CNB2005100801640A priority Critical patent/CN100454895C/en
Publication of CN1889510A publication Critical patent/CN1889510A/en
Application granted granted Critical
Publication of CN100454895C publication Critical patent/CN100454895C/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method for raising network safety by utilizing message treatment includes placing message in buffer queue with relevant priority level and at channel between central processing unit and hardware retransmission plane separately according to priority level of message, carrying out treatment on message in buffer queue by central processing unit according to dispatch rule, carrying out treatment on message not required to be processed by control processing unit according to property of message and identifying those message according to specific rule for raising antiattack ability of network device.

Description

A kind of method that improves internet security of handling by message
Technical field
The present invention relates to a kind of network communications technology, relate in particular to a kind of method that improves internet security of handling by message.
Background technology
Network attack is the behavior of a kind of malicious sabotage network, harm internet security.Common network attack has two types, and one type is meant intrusion or destroys online server (main frame); Another type is directly to destroy the network attack of the network equipment.Along with The development in society and economy, the relation of network and people's production and life is close further, and the harm that network attack may cause is also increasing.Especially to the attack of the network equipment, go wrong as equipment, may cause whole network service unusual, this has also just proposed higher requirement to the anti-attack ability of the network equipment.
Existing middle-and high-end network device substantially all adopts hardware Forwarding plane and the framework that CPU (CPU) upper layer software (applications) plane combines, and to the attack of the network equipment, is primarily aimed at the upper layer software (applications) plane of equipment.Normally the assailant sends unusual data message to the network equipment, sees through the strick precaution of equipment, on give equipment CPU, cause great pressure to cpu performance.
Although adopted the technology of similar CPU Flow Control mostly in prior network device, control hardware is submitted the absolute speed of message to the software plane, guarantees that CPU can not paralyse fully because of overload.But under the bigger situation of abnormal data flow, exception message can be seized and submit software plane passages bandwidth, consumes limited cpu resource and normal message is abandoned in a large number.Therefore, finally cause the response speed of the network equipment to reduce greatly, the service of normal users can't be guaranteed, even network interrupts.
In the prior art, another kind prevents that the method for network attack from being to adopt ACL (Access Control List (ACL)) method, this method is in the network equipment message to be filtered, by some critical fielies in the data message (as the protocol type of message, IP address, port numbers etc.) and the rule of acl definition are mated, check whether message characteristic meets rule.And according to rule message is handled according to the action of ACL correspondence, as situations such as transmitting, abandon.
Obviously, use ACL to realize equipment attack protection function, at first will analyze the feature of illegal message, design corresponding acl rule then and distinguish legal message and invalid packet, and these messages are handled respectively, as legal message is passed through, invalid packet is abandoned.Thereby guarantee that legal message obtains correct processing, and illegal message conductively-closed.
Yet there is potential safety hazard in this method, can not effectively prevent to forge the situation that legal data message form is attacked.Present network attack means are more and more hidden, much attack data flow and can be forged and be legal data message form, as situations such as normal ARP (address resolution protocol), PPP (point-to-point protocol) protocol negotiation messages.Though the format content of these messages is normal, under the situation of unusual big flow, also can cause the network equipment unusual.Secondly, configuration of ACL specification and maintenance work more complicated.The mode of network attack is varied, and the new attack means also constantly occur, at this moment just need be at the new acl rule of new attack message design, and therefore, the plant maintenance workload is bigger.
Summary of the invention
At the above-mentioned defective of prior art, the purpose of this invention is to provide a kind of method, thereby improved the anti-attack ability of network by message processing raising internet security, and simple to operate.
The present invention is achieved through the following technical solutions, and the invention provides a kind of method by message processing raising internet security, and described method comprises:
The hardware Forwarding plane is discerned the message that receives;
Needs are submitted the message of central processing unit for processing, execution in step:
A, respectively message is put in the buffer queue of the respective priority of message passage between CPU and the hardware Forwarding plane according to priority of messages, described priority is for to divide according to the message protocol type,
B, CPU are handled the message in the buffer queue according to scheduling rule;
To not needing to submit the message of central processing unit for processing, execution in step:
Legal message is transmitted by the hardware Forwarding plane, the illegal message that maybe can not discern is directly abandoned.
Described hardware Forwarding plane is discerned further the message that receives and comprised: the hardware Forwarding plane judges whether the destination address of message, content of message meet predetermined requirement.
Described scheduling rule is: CPU is carried out priority treatment to the message of the higher buffer queue of priority.
Described scheduling rule also comprises: take into account the lower formation of priority.
Described A step also comprises: when corresponding buffer queue is full, directly abandon the message of waiting to put into this buffer queue.
According to the present invention, by message being discerned, the message that needs CPU to handle is distinguished priority according to ad hoc rules, and put it into message passage between hardware and the Forwarding plane according to priority of messages with the corresponding buffer queue of priority in.Thereby make important protocol massages obtain the priority treatment of CPU, can guarantee the stable operation of important message in the network equipment.Therefore, the anti-attack ability of the network equipment and the reliability of network have been improved.
Description of drawings
Fig. 1 shows the schematic diagram of processing message of the present invention;
Fig. 2 shows the flow chart of processing message of the present invention.
Embodiment
Understand and realization the present invention the existing embodiments of the invention of describing in conjunction with the accompanying drawings for the ease of persons skilled in the art.
As shown in Figure 1, basic thought of the present invention is: hardware is discerned the message that receives, needs are submitted the message that CPU handles, carry out prioritization by the message protocol type, put into message passage between CPU and the hardware Forwarding plane with the corresponding buffer queue of priority in; To not needing to submit the message that CPU handles,, otherwise can not discern or illegal message directly abandons other if normal message is directly transmitted.To describe the processing by message of the present invention below in detail and improve the method that prevents the network attack ability.
With reference to Fig. 2, Fig. 2 is the flow chart of processing message of the present invention.
Step 21: hardware receives the data message that sends to the network equipment.
Step 22: hardware can judge whether needs are submitted CPU software plane treatment to message according to ad hoc rules.
For example, can according to field in the destination address of message, the message etc. content judge whether needs are submitted CPU software plane treatment to message.For example, if the destination address of message points to this equipment or agreement multicast address, then this message is submitted CPU software plane; Also can judging whether that message is submitted CPU software plane according to the special option that message has, as, if message has IP header extension option, message can be submitted CPU software plane; Perhaps the content of other protocol fields that comprises according to message determines whether message is submitted CPU software plane; Also above-mentioned three kinds of determination methods can be combined and judge whether message is submitted CPU software plane.If message meets above-mentioned Rule of judgment, then execution in step 23; Otherwise execution in step 25 is not handled if message does not need to submit CPU, and then normal message is directly transmitted, otherwise other nonrecognition or illegal message are directly abandoned.
Step 23: needs are submitted the message that CPU handles, adopt definite priority of messages by its protocol type.
The method of so that ESR (edge service router) is example, clearly deciding message priority.The distinguishing rule of priority can be provided with on equipment, distinguish such as pressing protocol type, the definition priority orders is that the ppp negotiation message priority is the highest, Routing Protocol and the ARP message takes second place, other PING, TELNET message etc. can be provided with lower priority.
Below only be that a kind of that priority is divided gives an example, can also distinguish message priority according to other more protocol fields content in the specific implementation.
Step 24:, message is put into and the corresponding formation of priority by priority of messages.
By queue mechanism, make equipment can bear of short duration bursts of traffic, adapt to the actual conditions of Model of network traffic.Promptly needing to submit CPU handles message flow moment surpasses when submitting the cpu access bandwidth, the message that has little time to handle can be temporarily stored in the buffering area, and normal if ensuing flow recovers, CPU just can in time handle the message in the formation.And Traffic Anomaly is continued excessive situation, be likely then attack to have occurred that abandon this type of message after buffer queue is full, cpu resource avoids waste.
CPU can handle the message in each formation according to scheduling rule, and described scheduling rule is meant the message in the higher buffer queue of CPU priority treatment priority, and takes into account the message in other priority buffer queue.Promptly at first ought higher formation carry out priority treatment to priority, when priority is carried out first predetermined timeslice (as 5 timeslices) processing than the message in the high queue after, also to distribute second predetermined timeslice (as 1 timeslice) formation that processing priority is lower, therefore, guaranteed that not only important business preferentially obtains handling, but also looked after the message of lower priority, when the message priority of being attacked is higher, after CPU handles this attack message of first scheduled time sheet, CPU can handle other normal message, thereby guaranteed the normal operation of communication system, in addition, when CPU handles the message of lower priority, have a large amount of attack messages and be dropped, also greatly reduce the attack message attacking ability, thereby improved the fail safe of network.
According to the present invention,, can at the network equipment under the exception of network traffic situation, guarantee important professional stable operation by to protocol massages multipriority queue processing scheme.Thereby the anti-attack ability of the network equipment and the reliability of network have been improved.
Though described the present invention by embodiment, those of ordinary skills know, without departing from the spirit and substance in the present invention, just can make the present invention that many distortion and variation are arranged, and scope of the present invention is limited to the appended claims.

Claims (5)

1. the method by message processing raising internet security is characterized in that, comprising:
The hardware Forwarding plane is discerned the message that receives;
Needs are submitted the message of central processing unit for processing, execution in step:
A, respectively message is put in the buffer queue of the respective priority of message passage between CPU and the hardware Forwarding plane according to priority of messages, described priority is for to divide according to the message protocol type,
B, CPU are handled the message in the buffer queue according to scheduling rule;
To not needing to submit the message of central processing unit for processing, execution in step:
Legal message is transmitted by the hardware Forwarding plane, the illegal message that maybe can not discern is directly abandoned.
2. the method that improves internet security of handling by message according to claim 1, it is characterized in that described hardware Forwarding plane is discerned further the message that receives and comprised: the hardware Forwarding plane judges whether the destination address of message, content of message meet predetermined requirement.
3. the method by message processing raising internet security according to claim 1, it is characterized in that described scheduling rule is: CPU is carried out priority treatment to the message of the higher buffer queue of priority.
4. the method by message processing raising internet security according to claim 3 is characterized in that described scheduling rule also comprises: take into account the lower formation of priority.
5. the method by message processing raising internet security according to claim 1 is characterized in that described A step also comprises: when corresponding buffer queue is full, directly abandon the message of waiting to put into this buffer queue.
CNB2005100801640A 2005-06-30 2005-06-30 Method for raising network security via message processing Active CN100454895C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005100801640A CN100454895C (en) 2005-06-30 2005-06-30 Method for raising network security via message processing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2005100801640A CN100454895C (en) 2005-06-30 2005-06-30 Method for raising network security via message processing

Publications (2)

Publication Number Publication Date
CN1889510A CN1889510A (en) 2007-01-03
CN100454895C true CN100454895C (en) 2009-01-21

Family

ID=37578769

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005100801640A Active CN100454895C (en) 2005-06-30 2005-06-30 Method for raising network security via message processing

Country Status (1)

Country Link
CN (1) CN100454895C (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101022414B (en) * 2007-03-08 2010-11-03 华为技术有限公司 Message retransmitting method and apparatus
CN101184095B (en) * 2007-12-06 2011-09-21 中兴通讯股份有限公司 Network anti-attack method and system based on strategy control listing of CPU
CN101355567B (en) * 2008-09-03 2012-05-09 中兴通讯股份有限公司 Method for protecting safety of route-exchanging device central processing unit
CN102316022B (en) * 2011-07-05 2014-06-18 杭州华三通信技术有限公司 Protocol message forwarding method and communication equipment
CN102638403B (en) * 2012-04-01 2015-04-29 华为技术有限公司 Method and device for processing messages
CN103118015B (en) * 2013-01-17 2015-08-05 苏州亿倍信息技术有限公司 A kind of implementation method of terminal security strategy and system
CN104202261B (en) * 2014-08-27 2019-02-05 华为技术有限公司 A kind of service request processing method and device
CN105490961A (en) * 2014-09-19 2016-04-13 杭州迪普科技有限公司 Message processing method, and device and network device
CN105357184A (en) * 2015-10-08 2016-02-24 上海斐讯数据通信技术有限公司 Secondary protection method for CPU (Central Processing Unit) of switch
CN107547416A (en) * 2016-06-28 2018-01-05 中兴通讯股份有限公司 A kind of processing method and processing device of protocol massages
CN111917769A (en) * 2020-07-30 2020-11-10 中盈优创资讯科技有限公司 Automatic handling method and device of security event and electronic equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001037511A2 (en) * 1999-11-18 2001-05-25 Secureworks, Inc. Method and system for remotely configuring and monitoring a communication device
US6499107B1 (en) * 1998-12-29 2002-12-24 Cisco Technology, Inc. Method and system for adaptive network security using intelligent packet analysis
CN1466306A (en) * 2002-06-27 2004-01-07 中联绿盟信息技术(北京)有限公司 Method for preventing network state synchronous flood attack and protecting network in transparent mode
JP2004320461A (en) * 2003-04-16 2004-11-11 Nippon Telegr & Teleph Corp <Ntt> Method, device, and program for preventing attack on network, and recording medium having program recorded therein

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6499107B1 (en) * 1998-12-29 2002-12-24 Cisco Technology, Inc. Method and system for adaptive network security using intelligent packet analysis
WO2001037511A2 (en) * 1999-11-18 2001-05-25 Secureworks, Inc. Method and system for remotely configuring and monitoring a communication device
CN1466306A (en) * 2002-06-27 2004-01-07 中联绿盟信息技术(北京)有限公司 Method for preventing network state synchronous flood attack and protecting network in transparent mode
JP2004320461A (en) * 2003-04-16 2004-11-11 Nippon Telegr & Teleph Corp <Ntt> Method, device, and program for preventing attack on network, and recording medium having program recorded therein

Also Published As

Publication number Publication date
CN1889510A (en) 2007-01-03

Similar Documents

Publication Publication Date Title
CN100454895C (en) Method for raising network security via message processing
CN100558089C (en) A kind of content filtering gateway implementation method of filter Network Based
US7725938B2 (en) Inline intrusion detection
US7870611B2 (en) System method and apparatus for service attack detection on a network
CN101083563B (en) Method and apparatus for preventing distributed refuse service attack
CN101547187B (en) Network attack protection method for broadband access equipment
CN102055674B (en) Internet protocol (IP) message as well as information processing method and device based on same
US20080178278A1 (en) Providing A Generic Gateway For Accessing Protected Resources
CN104767748B (en) Opc server security protection system
US20040093520A1 (en) Firewall system combined with embedded hardware and general-purpose computer
CA2496064A1 (en) System, method and computer program product for monitoring and controlling network connections from a supervisory operating system
CN102006307A (en) Application proxy-based network management system isolation control device
JP2007006054A (en) Packet repeater and packet repeating system
CN103124226A (en) Household broadband net-system play monitoring system and method
CN102882894A (en) Method and device for identifying attack
CN101355567B (en) Method for protecting safety of route-exchanging device central processing unit
KR100773416B1 (en) Method and system for controlling network traffic of p2p and instant messenger
CN101043465A (en) Dynamic host configuration protocol service managing method and system thereof
EP2007066A9 (en) A policy enforcement point and a linkage method and system for intrude detection system
CN101547127B (en) Identification method of inside and outside network messages
CN108768841A (en) AFDX security gateway systems and its transmission method
CN104601578A (en) Recognition method and device for attack message and core device
CN101771575B (en) Method, device and system for processing IP partitioned message
JP2003289337A (en) Communication network, router, and distributed service refusal attack detection and defense method
CN115208690A (en) Screening processing system based on data classification and classification

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230413

Address after: Room 910, 9th Floor, Building 1, No. 22 Jianguomenwai Street (Saite Building), Chaoyang District, Beijing, 100022

Patentee after: Beijing Zhifang Intellectual Property Management Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.

TR01 Transfer of patent right