Embodiment
To make the purpose, technical solutions and advantages of the present invention clearer, embodiments of the present invention are described in further detail below in conjunction with the accompanying drawings.
An embodiment of the present invention provides a method for controlling the forwarding of data messages, which specifically comprises: receiving a data message from a sender; extracting the sender's information from the data message; judging whether the sender's information is within a preset control range and, if so, forwarding the data message according to a control strategy. The method can be applied to fields such as mail filtering, web browsing filtering and virus scanning.
The preset control range in the embodiment of the present invention is specifically a gray list. The information recorded in the gray list is sender information, such as the sender's IP address or the mail sender's address; here the sender refers to a sender whose data messages need to be forwarded under the control of the control strategy.
Referring to Fig. 1, the method for controlling the forwarding of data messages provided by the embodiment of the present invention can specifically comprise:
101: Obtain filter log information generated by filtering the sender's data messages. The filter log information includes, but is not limited to, attachment virus-filter logs, subject and body-keyword filter logs, mail-header-based filter logs and filter logs from third-party reputation organizations. The filter log information records the history of how data messages were filtered, for example that within 5 minutes, of 10 data messages from a certain sender, 8 were refused forwarding and 2 were forwarded normally. In the present embodiment, the above filter logs can be obtained periodically, for example by collecting the filter log information once a day, or they can be obtained aperiodically.
102: According to the filter log information, judge for each sender recorded therein whether the number of times that sender's data messages were filtered lies between a preset control threshold and a rejection threshold; if so, add the sender's information to the gray list.
Further, a blacklist can also be generated: for a sender recorded in the filter log information, when the number of times that sender's data messages were filtered is judged to be higher than the preset rejection threshold, the sender's information is added to the blacklist. The blacklist in the embodiment of the present invention refers to the range that needs to be blocked; the information recorded in it is sender information, such as the sender's IP address or the mail sender's address, and here the sender refers to a sender whose data messages need to be filtered out.
The above control threshold and rejection threshold can be set according to actual conditions, for example as the range [5, 10], where the control threshold is 5 and the rejection threshold is 10. If the filter log information shows that a certain sender's data messages were filtered 8 times, that sender's information is added to the gray list; if another sender's data messages were filtered 15 times, that sender's information is added to the blacklist.
The sender information in the gray list and blacklist generated in the present embodiment can be the sender's IP address, for example 1.1.1.1, or the sender's email address, for example abc@163.com.
103: Receive a data message from a sender.
104: Extract the sender's information from the data message.
105: Judge whether the sender's information is within the preset control range, which in the present embodiment means judging whether the sender's information is in the gray list; if so, perform 106; otherwise, perform 107.
106: Forward the received data message according to the control strategy, and the flow ends.
The forwarding of the received data message under the control strategy includes, but is not limited to, the following modes:
1) Forging a recipient ACK reply
The received data message is first cached locally (that is, on the device performing the above method of controlling the forwarding of data messages), an ACK response message is forged on behalf of the recipient of the data message and returned to the sender, and the data message is then forwarded to the recipient. Forging the ACK message makes the sender believe that the recipient has received the data message, so that it continues to send subsequent data messages.
2) Modifying the advertised window size
Modifying the advertised window size means first forwarding the data message to the recipient, then modifying the window-size field in the response message returned by the recipient, and forwarding the modified response message to the sender, thereby controlling the transmission rate of the data messages. After receiving the response message, the sender sends subsequent data messages according to the advertised window size it carries.
3) Modifying the QoS field
When the protocol in use includes a QoS (Quality of Service) field, that field indicates the service class of the message. By modifying the QoS field of the received data message before forwarding it to the recipient, the sender's priority can be lowered.
Forwarding received data messages under the above control strategy lowers the sender's service priority, thereby achieving the purpose of controlling the forwarding of data messages, and also protects the device that controls the forwarding. For example, when the device controlling the forwarding of data messages is a mail server, lowering the sender's service priority protects the mail server and prevents it from being paralysed.
107: Judge whether the sender's information is in the preset blacklist; if so, perform 108; otherwise, perform 109.
108: At this point the data message is considered untrusted, so forwarding of the data message is refused; if the data message is a mail, forwarding of the mail to the addressee is refused, and the flow ends.
109: At this point the data message is considered trusted, so the data message is forwarded; if the data message is a mail, the mail is forwarded to the addressee, and the flow ends.
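The flow of Fig. 1 (steps 101 to 109), written out in Python as an added example that is not part of the patent text. The filter log records, the message format (a dict with `src_ip` and `mail_from`), the threshold names and the strategy labels are all constructed for this example; the control strategies (ACK forging, window rewriting, QoS rewriting) are represented by a label returned to the caller, not by real packet manipulation.

```python
# Added example (not the patent's own code): the Fig. 1 flow, steps 101-109.
# Everything here is constructed for illustration: the filter log records,
# the message format (a dict with "src_ip" and "mail_from"), and the names of
# the control strategies, which are labels rather than real ACK forging,
# window rewriting or QoS rewriting.
from collections import Counter

CONTROL_THRESHOLD = 5   # lower end of the range [5, 10] given in the text
REJECT_THRESHOLD = 10   # upper end; senders filtered more often than this are blacklisted

# Constructed filter log: one (sender, was_filtered) record per data message.
# 1.1.1.1 was filtered 8 times out of 10, abc@163.com 15 times out of 16,
# 2.2.2.2 once out of 4.
FILTER_LOG = (
    [("1.1.1.1", True)] * 8 + [("1.1.1.1", False)] * 2
    + [("abc@163.com", True)] * 15 + [("abc@163.com", False)]
    + [("2.2.2.2", True)] + [("2.2.2.2", False)] * 3
)


def count_filtered(log):
    """Step 101: reduce the filter log to a per-sender count of filtered messages."""
    counts = Counter()
    for sender, was_filtered in log:
        if was_filtered:
            counts[sender] += 1
    return counts


def build_lists(log, control=CONTROL_THRESHOLD, reject=REJECT_THRESHOLD):
    """Step 102 plus blacklist generation. This example reads the text's
    'between' as the inclusive range [control, reject] for the gray list;
    anything above reject goes to the blacklist."""
    gray, black = set(), set()
    for sender, n in count_filtered(log).items():
        if n > reject:
            black.add(sender)
        elif n >= control:
            gray.add(sender)
    return gray, black


def extract_sender(message):
    """Step 104: both kinds of sender information the text names (IP, mail address)."""
    return message["src_ip"], message["mail_from"]


def decide(message, gray, black, strategy="shrink_window"):
    """Steps 103-109. Returns one of:
    ("control", strategy)  gray-listed sender: forward under the control strategy
    ("reject", None)       blacklisted sender: refuse forwarding
    ("forward", None)      neither: forward normally
    The gray list is consulted before the blacklist, as in steps 105 and 107."""
    keys = extract_sender(message)
    if any(k in gray for k in keys):
        return ("control", strategy)
    if any(k in black for k in keys):
        return ("reject", None)
    return ("forward", None)


if __name__ == "__main__":
    gray, black = build_lists(FILTER_LOG)
    print("gray:", gray, "black:", black)
    for msg in ({"src_ip": "1.1.1.1", "mail_from": "user@example.com"},
                {"src_ip": "3.3.3.3", "mail_from": "abc@163.com"},
                {"src_ip": "2.2.2.2", "mail_from": "user@example.com"}):
        print(msg["src_ip"], msg["mail_from"], "->", decide(msg, gray, black))
```

With the thresholds from the text, 1.1.1.1 (filtered 8 times) lands in the gray list and abc@163.com (filtered 15 times) in the blacklist, so a message from 1.1.1.1 is forwarded under the control strategy, a message whose mail sender is abc@163.com is refused, and a message from 2.2.2.2 is forwarded normally. The `strategy` argument is where a real implementation would select one of the three modes listed above.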
Further, the above method can also comprise a step of updating the gray list:
For the information of any sender in the gray list, when the lifetime of the sender's information in the gray list (that is, the time elapsed from when the information was first recorded in the gray list until the current time) reaches a specified validity period (the life cycle), the sender's information is deleted from the gray list; this update mode is called active aging. When the storage capacity of the gray list reaches a specified value, the information of the sender with the most misses is deleted from the gray list; this update mode is called passive aging. Here a miss means that after a data message is received, the gray list is queried for the sender's information of that data message but the information is not found.
If a blacklist was generated in the above method, the blacklist can further be updated as well:
For the information of any sender in the blacklist, when the lifetime of the sender's information in the blacklist reaches the specified validity period, the sender's information is deleted from the blacklist, that is, the blacklist ages actively; when the storage capacity of the blacklist reaches the specified value, the information of the sender with the most misses is deleted from the blacklist, that is, the blacklist ages passively.
Either active aging or passive aging may be used alone, or the two modes may be combined, so as to improve the timeliness and validity of the blacklist or gray list.
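The two update modes described above, as an added example that is not part of the patent text: one list structure that serves as either the gray list or the blacklist, with active aging (a lifetime, here called `ttl`) and passive aging (eviction when `capacity` is reached). Time is passed in as a number of seconds so the example is deterministic. The text defines a miss as a lookup that does not find the sender; this example counts, for each entry, the lookups made since it was inserted that did not hit it, and treats the entry with the largest such count as "the sender with the most misses". That counting rule is this example's assumption.

```python
# Added example (not the patent's own code): a gray/black list with active
# aging (lifetime expiry) and passive aging (eviction of the most-missed entry
# when the list is full). "now" is injected in seconds; the miss-counting rule
# below is this example's reading of the text.
from dataclasses import dataclass


@dataclass
class Entry:
    inserted_at: float        # time the sender information was recorded
    lookups_at_insert: int    # global lookup counter when it was recorded
    hits: int = 0             # lookups that found this entry


class AgingList:
    def __init__(self, ttl, capacity):
        self.ttl = ttl                # validity period (life cycle) in seconds
        self.capacity = capacity      # storage capacity that triggers passive aging
        self.entries = {}             # sender information -> Entry
        self.lookups = 0              # total queries made against the list

    def _misses(self, entry):
        # Lookups made while this entry existed that did not hit it.
        return (self.lookups - entry.lookups_at_insert) - entry.hits

    def active_age(self, now):
        """Delete every entry whose lifetime has reached ttl; return what was deleted."""
        expired = [k for k, e in self.entries.items() if now - e.inserted_at >= self.ttl]
        for k in expired:
            del self.entries[k]
        return expired

    def passive_age(self):
        """If the list is full, delete the entry with the most misses (first
        inserted wins ties, since dicts keep insertion order); return its key."""
        if len(self.entries) < self.capacity:
            return None
        victim = max(self.entries, key=lambda k: self._misses(self.entries[k]))
        del self.entries[victim]
        return victim

    def add(self, key, now):
        """Record sender information; returns the key evicted by passive aging, if any."""
        self.active_age(now)
        if key in self.entries:
            return None
        evicted = self.passive_age()
        self.entries[key] = Entry(inserted_at=now, lookups_at_insert=self.lookups)
        return evicted

    def contains(self, key, now):
        """Query the list for a received message's sender; a hit is counted on the
        matching entry, a miss is implied for every other entry."""
        self.active_age(now)
        self.lookups += 1
        entry = self.entries.get(key)
        if entry is None:
            return False
        entry.hits += 1
        return True


if __name__ == "__main__":
    gl = AgingList(ttl=60, capacity=2)
    gl.add("1.1.1.1", now=0)
    gl.add("2.2.2.2", now=0)
    gl.contains("1.1.1.1", now=10)             # hit on 1.1.1.1, miss for 2.2.2.2
    gl.contains("3.3.3.3", now=20)             # miss for both
    print("evicted by passive aging:", gl.add("4.4.4.4", now=30))   # 2.2.2.2
    print("1.1.1.1 still listed at t=60?", gl.contains("1.1.1.1", now=60))  # False, expired
```

Calling `add` runs active aging first, so an expired entry never occupies a slot that passive aging would otherwise have to free; calling `contains` also ages the list, so a query never matches sender information whose life cycle has already ended.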
The gray list in the present embodiment records either the sender's IP address or the sender's email address; that is, in the above method data messages are filtered either according to the sender's IP address or according to the sender's email address, which can be called one-layer filtering. Further, in practical applications two-layer filtering according to the sender's information can also be performed by setting up two gray lists at once: a first gray list recording sender IP addresses and a second gray list recording sender email addresses. For example, the sender's IP address is filtered first according to the first gray list and the sender's email address is then filtered according to the second gray list; or the sender's email address is filtered first according to the second gray list and the sender's IP address is then filtered according to the first gray list. Whichever layer filters the sender's IP address and whichever filters the sender's email address, the specific filtering process is identical to the filtering process in the above method and is not repeated here.
The method provided by the present embodiment realises the forwarding or filtering of data messages through a preset control range and control strategy, and thereby controls the forwarding of data messages effectively. Compared with existing IP-address-based filtering techniques, it does not filter simply according to black and white lists but according to a preset control range and control strategy, which improves filtering accuracy; compared with existing content-based filtering techniques, it does not need to analyse the message content but only needs to extract the sender's information, which greatly saves device resources and improves the usability of the device. Moreover, the gray list and blacklist are generated from the obtained filter log information and updated dynamically, which reduces the difficulty of maintaining them and improves their validity. Controlling the forwarding of received data messages according to a control strategy, compared with using only black and white lists as in the prior art, allows attacks appearing in the network to be responded to in advance, protecting the device and effectively preventing it from being subjected to attacks such as spam and viruses.
In addition, the embodiment of the present invention also provides another method for controlling the forwarding of data messages. Its difference from the method shown in Fig. 1 is the way the gray list is generated; the steps of filtering data messages after the gray list is generated, generating the blacklist, updating the gray list and blacklist, and controlling the forwarding of data messages according to the control strategy are all the same as in the embodiment shown in Fig. 1 and are not repeated here. The way of generating the gray list in the present embodiment is mainly used to generate a gray list recording sender IP addresses. Referring to Fig. 2, the process of generating the gray list, and further generating the blacklist, in the present embodiment is as follows:
201: Obtain the number of senders corresponding to the data messages currently being received, that is, the current total number of concurrent sessions, which is also the number of connections currently established.
202: Judge whether this number lies between a preset control total-concurrent-session number and a rejection total-concurrent-session number; if so, perform 203. If the number is lower than the control total-concurrent-session number, the flow ends; if the number is higher than the rejection total-concurrent-session number, the number of connections the device can handle is considered to have reached its upper limit, and 204 is performed.
203: Generate a gray list recording that the data messages of senders at all IP addresses are to be forwarded under the control of the control strategy, and the flow ends.
204: Generate a blacklist recording that the data messages of senders at all IP addresses are to be blocked; all subsequently received data messages are then filtered out, which prevents the device from being paralysed by too many connections. The flow ends.
In addition, referring to Fig. 3, the gray list, and further the blacklist, can also be generated as follows:
301: For any sender of the data messages currently being received, judge whether the number of data messages sent by that sender, or the frequency at which it sends data messages, lies between a preset per-sender control threshold and a per-sender rejection threshold; if so, perform 302. If the number or frequency of data messages sent by the sender is lower than the per-sender control threshold, the flow ends; if it is higher than the per-sender rejection threshold, perform 303.
302: Add the sender's information to the gray list, and the flow ends.
303: Add the sender's information to the blacklist, and the flow ends.
The above control and rejection total-concurrent-session numbers can be set according to actual conditions, for example as the range [100, 200], where the control total-concurrent-session number is 100 and the rejection total-concurrent-session number is 200. If the data messages currently being received come from 150 senders, that is, 150 connections have been established, a gray list controlling the data messages of senders at any IP address is generated; if the data messages currently being received come from 210 senders, that is, 210 connections have been established, a blacklist blocking the data messages of senders at any IP address is generated.
In addition, although the present embodiment is described using either the number of data messages sent by a single sender or the frequency at which it sends them as the example, in practical applications the two can also be combined for filtering, that is, two-layer filtering can be performed: for example, the number of data messages sent by the single sender is judged first and then its sending frequency, or the sending frequency is judged first and then the number of data messages sent. The preset per-sender control threshold and per-sender rejection threshold can be set according to actual conditions, and can be set separately for the number of data messages sent and for the sending frequency. For example, the range for the number of data messages sent is set as [50, 80], where 50 is the per-sender control threshold and 80 is the per-sender rejection threshold, and the range for the sending frequency is set as [10 per minute, 20 per minute], where 10 per minute is the per-sender control threshold and 20 per minute is the per-sender rejection threshold. Further, the single-sender information and the total number of concurrent sessions can also be combined to generate the gray list and blacklist: first judge whether the number of senders corresponding to the data messages currently being received lies between the preset control and rejection total-concurrent-session numbers; if the number is lower than the control total-concurrent-session number, that is, the system's processing capacity has not yet reached its upper limit, then for any sender of the data messages currently being received, judge whether the number of data messages it has sent or its sending frequency lies between the preset per-sender control threshold and per-sender rejection threshold, and generate the corresponding gray list and blacklist according to the result of that judgment.
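The generation of the gray list and blacklist from the device's own forwarding-performance information, covering Fig. 2 (total concurrent sessions), Fig. 3 (per-sender count and frequency) and the combined judgment just described, as an added example that is not part of the patent text. The threshold values are the ones given above; the session table, the message records, the wildcard entry `"*"` standing for "senders at any IP address", and the rule that when count and frequency are both judged the stricter verdict wins are this example's constructions.

```python
# Added example (not the patent's own code): Fig. 2, Fig. 3 and the combined
# judgment. Thresholds are the text's; the session table, message records,
# the "*" wildcard and the stricter-verdict rule are this example's assumptions.
from collections import Counter

SESSION_RANGE = (100, 200)   # control / rejection total-concurrent-session numbers
COUNT_RANGE = (50, 80)       # per-sender control / rejection thresholds, messages sent
RATE_RANGE = (10.0, 20.0)    # per-sender control / rejection thresholds, messages per minute

ANY_IP = "*"                 # list entry meaning "senders at any IP address" (example convention)
_SEVERITY = {"ok": 0, "gray": 1, "black": 2}


def classify(value, control, reject):
    """'between control and reject' -> gray (inclusive), above reject -> black."""
    if value > reject:
        return "black"
    if value >= control:
        return "gray"
    return "ok"


def judge_sessions(session_count):
    """Fig. 2, steps 201-204: which list to generate for the whole device."""
    return classify(session_count, *SESSION_RANGE)


def judge_sender(count, rate_per_min):
    """Fig. 3, step 301, with count and frequency judged as two layers;
    the stricter of the two verdicts is returned (example's assumption)."""
    verdicts = (classify(count, *COUNT_RANGE), classify(rate_per_min, *RATE_RANGE))
    return max(verdicts, key=_SEVERITY.__getitem__)


def sender_stats(messages, window_min):
    """Per-sender (count, rate per minute) from the senders of messages received
    within a window of window_min minutes."""
    counts = Counter(messages)
    return {sender: (n, n / window_min) for sender, n in counts.items()}


def generate_lists(active_sessions, messages, window_min):
    """Combined judgment: the total session count is judged first; only when the
    device is below the control total-concurrent-session number is each sender
    judged individually. Returns (gray, black) as sets of entries."""
    gray, black = set(), set()
    verdict = judge_sessions(len(active_sessions))
    if verdict == "black":
        black.add(ANY_IP)
    elif verdict == "gray":
        gray.add(ANY_IP)
    else:
        for sender, (n, rate) in sender_stats(messages, window_min).items():
            v = judge_sender(n, rate)
            if v == "gray":
                gray.add(sender)
            elif v == "black":
                black.add(sender)
    return gray, black


# Constructed sample: three established connections and, over a 5-minute
# window, 60 messages from 1.1.1.1 (12/min), 100 from 2.2.2.2 (20/min) and
# 5 from 3.3.3.3 (1/min).
SESSIONS = ["1.1.1.1", "2.2.2.2", "3.3.3.3"]
MESSAGES = ["1.1.1.1"] * 60 + ["2.2.2.2"] * 100 + ["3.3.3.3"] * 5

if __name__ == "__main__":
    print("150 sessions ->", judge_sessions(150), "| 210 sessions ->", judge_sessions(210))
    print("3 sessions, per-sender judgment ->", generate_lists(SESSIONS, MESSAGES, 5.0))
```

With 150 or 210 established connections the whole device goes to the gray or black verdict (the wildcard entry), exactly as in the text's example. With only three connections the per-sender layer runs: 1.1.1.1 sits inside both the count range [50, 80] and the rate range [10, 20] per minute and is gray-listed, while 2.2.2.2 exceeds the count rejection threshold of 80 and is blacklisted even though its rate of 20 per minute is only at the boundary.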
The above methods of generating a gray list and filtering according to single-sender information or according to the total number of concurrent sessions filter data messages through a preset control range and control strategy, and control the forwarding of data messages effectively. Compared with existing IP-address-based filtering techniques, they do not filter simply according to black and white lists but according to a preset control range and control strategy, which improves filtering accuracy; compared with existing content-based filtering techniques, they do not need to analyse the message content but only need to extract the sender's information, which greatly saves device resources and improves the usability of the device. The difference from the embodiment shown in Fig. 1 is that another way of generating the gray list and blacklist is provided, namely generating them from the forwarding performance information obtained from the device, which is simple, convenient, easy to implement and more flexible to use. Moreover, dynamic updating reduces the difficulty of maintaining the gray list and blacklist and improves their validity.
Referring to Fig. 4, the embodiment of the present invention also provides a device for controlling the forwarding of data messages, which specifically comprises:
a receiving module 401, configured to receive data messages from senders;
a judging module 402, configured to extract the sender's information from the data message received by the receiving module 401 and judge whether the sender's information is within a preset control range; and
a processing module 403, configured to forward the data message received by the receiving module according to a control strategy when the judging module 402 judges that the sender's information is within the preset control range.
The preset control range in the present embodiment is a gray list.
The above device can also comprise:
a first gray list generation module, configured to obtain filter log information generated by filtering senders' data messages and, for each sender recorded in the filter log information, judge whether the number of times that sender's data messages were filtered lies between a preset control threshold and a rejection threshold and, if so, add the sender's information to the gray list.
Further, the above device can also comprise:
a first blacklist generation module, configured to add the sender's information to the blacklist when the first gray list generation module judges that the number of times the sender's data messages were filtered is higher than the rejection threshold; the blacklist is used to record the information of senders whose data messages need to be filtered out.
In addition, the above device can also comprise:
a second gray list generation module, configured to obtain the number of senders corresponding to the data messages currently being received by the receiving module, judge whether that number lies between a preset control total-concurrent-session number and a rejection total-concurrent-session number and, if so, generate a gray list recording that the data messages of any sender are all to be forwarded under the control of the control strategy.
Further, the above device can also comprise:
a second blacklist generation module, configured to generate a blacklist recording that the data messages of any sender are all to be filtered out, when the second gray list generation module judges that the number of senders corresponding to the data messages currently being received is higher than the rejection total-concurrent-session number.
In addition, the above device can also comprise:
a third gray list generation module, configured, for any sender of the data messages currently being received, to judge whether the number of data messages sent by the sender or its sending frequency lies between a preset per-sender control threshold and a per-sender rejection threshold and, if so, add the sender's information to the gray list.
Further, the above device can also comprise:
a third blacklist generation module, configured to add the sender's information to the blacklist when the third gray list generation module judges that the number of data messages sent by the sender or its sending frequency is higher than the per-sender rejection threshold; the blacklist is used to record the information of senders whose data messages need to be filtered out.
The device in the present embodiment can also comprise:
a gray list update module, configured, for the information of any sender in the gray list, to delete the sender's information from the gray list when its lifetime in the gray list reaches a specified validity period, and to delete the information of the sender with the most misses from the gray list when the storage capacity of the gray list reaches a specified value.
When a blacklist is generated, the device in the present embodiment can also comprise:
a blacklist update module, configured, for the information of any sender in the blacklist, to delete the sender's information from the blacklist when its lifetime in the blacklist reaches the specified validity period, and to delete the information of the sender with the most misses from the blacklist when the storage capacity of the blacklist reaches the specified value.
In the present embodiment, the above processing module can specifically comprise:
a processing unit, configured, when the judging module judges that the sender's information is within the preset control range, to forge a recipient response message to the sender, cache the data message and then forward it to the recipient; or to forward the data message to the recipient and modify the window-size field in the response message returned by the recipient; or to modify the quality-of-service field in the data message before forwarding it to the recipient.
The above device realises the forwarding or filtering of data messages through a preset control range and control strategy, and thereby controls the forwarding of data messages effectively. Compared with existing IP-address-based filtering techniques, it does not filter simply according to black and white lists but according to a preset control range and control strategy, which improves filtering accuracy; compared with existing content-based filtering techniques, it does not need to analyse the message content but only needs to extract the sender's information, which greatly saves device resources and improves the usability of the device. The gray list and blacklist are generated from the obtained filter log information or from the forwarding performance information obtained from the device, and are updated dynamically, which reduces the difficulty of maintaining them and improves their validity, and is simple, convenient, easy to implement and more flexible to use. Controlling the forwarding of received data messages according to a control strategy, compared with using only black and white lists as in the prior art, allows attacks appearing in the network to be responded to in advance, protecting the device and effectively preventing it from being subjected to attacks such as spam and viruses.
Through the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by software plus a necessary general-purpose hardware platform, and certainly also by hardware alone, although the former is the better implementation in many cases. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can in essence be embodied in the form of a software product. This computer software product can be stored in a readable storage medium, such as a ROM/RAM, a magnetic disk or an optical disc, and comprises instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments of the present invention or in parts of them.
The above are merely preferred embodiments of the present invention and are not intended to limit the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.