CN101547198B - Method and device for controlling connections of network security equipment - Google Patents

Info

Publication number: CN101547198B
Authority: CN (China)
Prior art keywords: connection, predetermined value, concurrent, connection number, new
Legal status: Expired - Fee Related
Application number: CN2009100768458A
Other languages: Chinese (zh)
Other versions: CN101547198A
Inventor: 徐停芳
Current Assignee: BEIJING LEADSEC TECHNOLOGY CO LTD
Original Assignee: BEIJING LEADSEC TECHNOLOGY CO LTD
Priority date: 2009-01-22
Filing date: 2009-01-22
Publication date: 2011-12-28

Application filed by BEIJING LEADSEC TECHNOLOGY CO LTD
Priority to CN2009100768458A
Publication of CN101547198A
Application granted
Publication of CN101547198B
Current legal status: Expired - Fee Related
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for controlling the connections of a network security device, which comprises the following steps: when a packet that requires a new connection is received, detecting and obtaining the current number of concurrent connections; comparing the current number of concurrent connections with an accelerated ageing threshold and a concurrent connection threshold; establishing the new connection according to the comparison result; when the number of concurrent connections reaches or exceeds the accelerated ageing threshold, starting the accelerated ageing process; and when the number of concurrent connections reaches the concurrent connection threshold, first releasing a releasable connection and then establishing the new connection. Thus, when the maximum number of concurrent connections is reached, certain connections that are not completely closed or are about to time out can be aged early so as to free memory for establishing the new connection, so that the network security device can keep establishing new connections and support as many connections as possible, and its performance can be fully exploited.

Description

Connection control method and device for a network security device
Technical field
The present invention relates to the fields of networking and information security technology, and specifically to a connection control method and device for a network security device.
Background technology
A network security device (such as a firewall) comprises service access rules, verification tools, packet filtering and application gateways. It is usually deployed between an internal network and external networks, or between a private network and a public network, and protects the internal network from intrusion by unauthorised users and from malicious attacks by inspecting and filtering packets. To filter invalid packets effectively, the network security device (firewall) must track and record connection state, i.e. perform connection tracking, but creating, maintaining and deleting connections all consume system resources. As the number of connections grows, the time spent looking up a connection grows too, so once the connection count reaches a certain level the firewall's processing capacity starts to decline. In particular, existing high-end firewalls simply pursue the maximum number of connections and keep creating new connections until the system's memory is exhausted, which very likely makes the system unstable. The most typical example is a connection-based DoS attack, which can quickly bring the firewall down.
One index for measuring the processing capacity of a network security device (firewall) is the number of concurrent connections it supports, that is, the number of point-to-point connections it can handle at the same time. It reflects the firewall's access control over multiple connections and its ability to track connection state, and directly determines the maximum number of connections the firewall can support.
The connection control method provided in the prior art is to limit the number of concurrent connections: a concurrent connection threshold is preset, and once the firewall's concurrent connection count reaches this threshold no new connections are created.
A traditional high-end firewall keeps creating new connections until its memory is exhausted in order to raise its concurrent connection capacity. But exhausting system memory makes the system unstable, and adding memory raises cost without addressing the root of the problem. If instead a maximum concurrent connection threshold is set, the firewall stops creating new connections once its concurrent connection count reaches that threshold. Since no new connections can be created, the network security device (firewall) cannot process subsequent packets, and so it stops working normally.
Summary of the invention
In view of this, the invention provides a connection control method and device for a network security device that lets the device support as many connections as possible.
The connection control method for a network security device provided by an embodiment of the invention comprises:
When a packet is received that requires a new connection, detecting and obtaining the current concurrent connection count;
Comparing the concurrent connection count with a first predetermined value and a second predetermined value, where the first predetermined value is less than the second predetermined value;
If the concurrent connection count is less than the first predetermined value, creating the new connection directly;
If the concurrent connection count is greater than the first predetermined value and less than the second predetermined value, starting the accelerated ageing process and then creating the new connection;
If the concurrent connection count is greater than the second predetermined value, selecting and releasing one connection and then creating the new connection.
The network security device with controllable connections provided by an embodiment of the invention comprises:
A receiving unit, which receives packets and signals that a new connection needs to be created;
A detecting unit, which detects and obtains the current concurrent connection count;
A comparing unit, which compares the concurrent connection count with the first predetermined value and the second predetermined value, where the first predetermined value is less than the second predetermined value;
A connection control unit, which releases connections, creates new connections and controls the connection ageing process;
If the concurrent connection count is less than the first predetermined value, the connection control unit creates the new connection directly;
If the concurrent connection count is greater than the first predetermined value and less than the second predetermined value, the connection control unit starts the accelerated ageing process and then creates the new connection;
If the concurrent connection count is greater than the second predetermined value, the connection control unit selects and releases one connection and then creates the new connection.
In summary, in the technical solution provided by the embodiments of the invention, the accelerated ageing process is started when the concurrent connection count reaches or exceeds the accelerated ageing threshold; when the concurrent connection count reaches the concurrent connection threshold, a releasable connection is released before the new connection is created. In this way, when the maximum concurrent connection count is reached, some connections that have not been completely closed or are about to time out are aged early, freeing memory for the new connection, so that the network security device can keep creating new connections, support as many connections as possible, and have its performance fully exploited.
Description of drawings
Fig. 1 is a flow chart of the connection control method provided by an embodiment of the invention;
Fig. 2 is a schematic diagram of the network security device provided by an embodiment of the invention.
Embodiment
The connection control method for a network security device provided by an embodiment of the invention keeps creating new connections even when the maximum concurrent connection count is reached, so that the network security device can continue to work normally.
Each connection record in the network security device comprises: source address, destination address, source port and destination port (together called the socket pair), protocol type, connection state and timeout, i.e. for each session on the firewall the source IP address, source port, destination IP address, destination port and protocol number. To perform packet filtering and stateful inspection, the firewall must keep in memory a table that tracks connection state. Specifically, to track and record connection state, when the first packet of a connection passes through the network stack the firewall generates a new connection record and tracks the creation, transmission and termination of that connection; the table formed by all such entries is called the connection tracking table. Thereafter, every packet belonging to that connection is uniquely assigned to it and marks the state of the connection. Connection tracking is not only the basis of the firewall's stateful inspection; it is also the prerequisite for source address translation and destination address translation.
The firewall can translate private addresses into public addresses so that packets can be sent onto the Internet, and translate public addresses back into private addresses when it receives packets from the Internet.
According to statistical analysis, about 85% of the concurrent connections in a network security device (firewall) are TCP connections; of these TCP connections about 11% are about to close and about 8% are about to time out. Connections that are about to close or about to time out carry no data flow; that is, they are connections that will soon be aged out.
The invention speeds up ageing by shortening the ageing time of connections, so that connections are aged and released early, freeing memory for the system to create new connections. To this end an accelerated ageing threshold is preset: when a new connection needs to be created and the concurrent connection count reaches this threshold, the accelerated ageing process is started. A supported concurrent connection threshold is also preset: when the system is close to full load, existing connections are released to provide resources for new connections. Clearly, the accelerated ageing threshold is less than the concurrent connection threshold. If the current concurrent connection count reaches the concurrent connection threshold, the system is about to run at full load; at that point a releasable connection is sought and released first, and then the new connection is created. If none is found, the packet is simply dropped and no new connection is created. In this way the device can keep creating new connections even when the concurrent connection threshold is reached.
The connection control method for a network security device provided by an embodiment of the invention comprises:
When a packet is received that requires a new connection, detecting and obtaining the current concurrent connection count;
Comparing the concurrent connection count with a first predetermined value and a second predetermined value, where the first predetermined value is less than the second predetermined value;
If the concurrent connection count is less than the first predetermined value, creating the new connection directly;
If the concurrent connection count is greater than the first predetermined value and less than the second predetermined value, starting the accelerated ageing process; specifically, setting an accelerated ageing flag that tells the timer to age connections at accelerated speed, and then creating the new connection;
The releasable connections comprise: TCP connections that are not fully established, and non-TCP connections with unidirectional data flow.
If the concurrent connection count is greater than the second predetermined value, selecting and releasing one connection and then creating the new connection;
If the concurrent connection count is greater than the second predetermined value and there is no releasable connection, dropping the received packet.
The first predetermined value is the preset accelerated ageing threshold, i.e. the concurrent connection count at which connections need accelerated ageing, usually chosen as 75% of the maximum concurrent connection count; the second predetermined value is the supported concurrent connection count, set according to the total memory capacity and whether address translation is performed, and generally 95% of the maximum connection count.
Specifically, a releasable connection can be selected according to a preset mark, so the method also comprises a step of marking releasable connections in advance, which specifically comprises:
Setting a "releasable" mark on TCP connections that are not fully established and on non-TCP connections with unidirectional data flow;
Setting a "not releasable" mark on TCP connections in the established state and on non-TCP connections with data flow in both directions.
To make the principles, advantages and features of the invention clearer, the invention is described below with reference to specific embodiments.
Embodiment one
In this embodiment, an accelerated ageing threshold and a concurrent connection threshold are preset. When a new connection needs to be created and the concurrent connection count reaches the accelerated ageing threshold, the accelerated ageing process is started; when the system is near full load, an existing connection must be released to provide resources for the new connection. Here, the accelerated ageing threshold is less than the concurrent connection threshold.
With reference to Fig. 1, the connection control method provided by the embodiment of the invention comprises the following steps:
S01: after receiving a packet that requires a new connection, the firewall detects and obtains the current concurrent connection count;
S02: the current concurrent connection count is compared with the accelerated ageing threshold and the concurrent connection threshold;
S03: the connection is handled according to the comparison result, which includes releasing connections, accelerating the connection ageing process and creating new connections.
If the current concurrent connection count is less than the accelerated ageing threshold, the new connection is created directly.
For example, the regular timer for the SYN (synchronisation) state of a TCP connection is 120 seconds. Suppose this TCP connection has just been initiated by one side through the firewall; its state is then SYN and its current timer is 120 seconds. Suppose also that the clock trigger signal period is 1 second. After a trigger signal is received, the timer normally reduces the TCP connection's current timer by 1, to 119 seconds, and then checks whether the timer has reached zero; when the connection's timer reaches 0 seconds, the TCP connection is released. In this case the new connection can be created directly.
If the current concurrent connection count is greater than or equal to the accelerated ageing threshold and less than the concurrent connection threshold, the timer is notified to age connections at accelerated speed, i.e. after each clock trigger signal the remaining time-to-live of the current connections in the timer is reduced faster, so that the connections are aged at accelerated speed.
Each connection on the firewall has its own regular timer (i.e. time-to-live); when the timer for a given connection state expires, the timer signals that the connection is to be released. As a connection's state changes, its timer is updated to the time-to-live of the new state.
When the firewall's current concurrent connection count reaches or exceeds the accelerated ageing threshold, an accelerated ageing flag can be set to notify the timer to age connections at accelerated speed. Taking a TCP connection as the example again: if the TCP connection is in the TIME_WAIT state (i.e. not completely closed), the regular timer of the TIME_WAIT state is 120 seconds. Suppose the connection's current time-to-live in this state has dropped to 80 seconds. Because the accelerated ageing flag is set, accelerated ageing is performed after the clock trigger signal is received: the timer reduces the TCP connection's current time-to-live by 5 seconds, to 75 seconds, i.e. the time-to-live is reduced at 5 times the original rate, so the connection ages quickly until its time-to-live reaches 0 seconds, at which point the timer signals that the TCP connection is to be released.
Note that the speed of accelerated ageing can be set as the situation requires: the time-to-live can be reduced at N times the original rate, with N greater than 1.
If the current concurrent connection count is greater than or equal to the concurrent connection threshold and a releasable connection is found, that releasable connection is released first and then the new connection is created.
If the current concurrent connection count is greater than the concurrent connection threshold and no releasable connection is found, the packet is simply dropped and no new connection needs to be created.
In the embodiment of the invention, when a new connection needs to be created and the concurrent connection count reaches or exceeds the accelerated ageing threshold, the ageing time of each connection state is shortened, so that when the maximum concurrent connection count is reached the ageing process of releasable connections is accelerated and memory is freed for new connections; the network security device can thus keep creating new connections and continue to work normally.
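As an added illustration that is not part of the patent or of the assignee's product, the following Python simulation ties together the method steps above (S01 to S03, the "releasable" marks, and the timer that reduces time-to-live at N times its regular stride). Everything beyond what the text states is an assumption of this example: the state names, the 3600 s and 60 s timeouts used for ESTABLISHED and UDP entries, a capacity of 20 (giving thresholds of 15 and 19), the "greater than or equal to" boundaries of embodiment one, clearing the flag once the count falls back below the first threshold, applying the faster stride to every tracked connection, and treating TIME_WAIT as not releasable (the text leaves it to accelerated ageing rather than listing it as releasable).

```python
from dataclasses import dataclass, field

# Regular time-to-live per connection state, in seconds. The SYN and TIME_WAIT
# values (120 s) are the ones the text gives; ESTABLISHED and UDP are assumed here.
STATE_TTL = {"SYN": 120, "TIME_WAIT": 120, "ESTABLISHED": 3600, "UDP": 60}

@dataclass
class Connection:
    key: tuple            # (src ip, src port, dst ip, dst port, proto): socket pair plus protocol
    state: str            # "SYN" / "ESTABLISHED" / "TIME_WAIT" for TCP, "UDP" for non-TCP
    bidirectional: bool   # non-TCP only: has data been seen in both directions?
    ttl: int = field(init=False)

    def __post_init__(self):
        self.ttl = STATE_TTL[self.state]

def is_releasable(conn: Connection) -> bool:
    """The 'releasable' mark from the text: a TCP connection that is not fully
    established, or a non-TCP connection with one-way data flow. ESTABLISHED TCP
    and non-TCP with traffic in both directions are 'not releasable'. TIME_WAIT is
    not listed as releasable, so it is left to the accelerated ageing timer."""
    if conn.key[4] == "tcp":
        return conn.state == "SYN"
    return not conn.bidirectional

class ConnectionTable:
    """Connection tracking table with two-threshold admission (steps S01-S03) and a
    per-tick ageing timer whose stride is multiplied by N while the flag is set."""

    def __init__(self, max_connections: int, n: int = 5):
        self.ageing_threshold = int(max_connections * 0.75)      # first predetermined value
        self.concurrent_threshold = int(max_connections * 0.95)  # second predetermined value
        self.n = n                  # accelerated ageing factor, N > 1 (5x in the text's example)
        self.accelerated = False    # the flag that tells the timer to age faster
        self.conns = {}             # key -> Connection

    def count(self) -> int:
        return len(self.conns)

    def admit(self, key: tuple, state: str, bidirectional: bool = False) -> str:
        """Decide what to do with a packet that needs a new connection (boundaries as in
        embodiment one: reaching a threshold moves to the next regime)."""
        n = len(self.conns)
        if n < self.ageing_threshold:
            self.accelerated = False    # assumption: clear the flag once pressure is gone
            self._create(key, state, bidirectional)
            return "created"
        if n < self.concurrent_threshold:
            self.accelerated = True     # start accelerated ageing, then create
            self._create(key, state, bidirectional)
            return "created_accelerated"
        # At or above the concurrent threshold: release a marked connection first.
        victim = next((c for c in self.conns.values() if is_releasable(c)), None)
        if victim is None:
            return "dropped"            # nothing releasable: drop the packet, no new connection
        del self.conns[victim.key]
        self._create(key, state, bidirectional)
        return "created_after_release"

    def _create(self, key, state, bidirectional):
        self.conns[key] = Connection(key, state, bidirectional)

    def transition(self, key: tuple, new_state: str) -> None:
        """A state change resets the connection's timer to the new state's TTL."""
        conn = self.conns[key]
        conn.state = new_state
        conn.ttl = STATE_TTL[new_state]

    def tick(self) -> list:
        """One 1-second clock trigger. Regular stride is 1 s; with the flag set it is
        N s (claim 3). Connections whose TTL reaches 0 are released and returned."""
        stride = self.n if self.accelerated else 1
        released = []
        for key, conn in list(self.conns.items()):
            conn.ttl = max(0, conn.ttl - stride)
            if conn.ttl == 0:
                released.append(key)
                del self.conns[key]
        return released

def tcp_key(i: int) -> tuple:
    """Constructed sample socket pair for connection number i."""
    return ("10.0.0.1", 10000 + i, "192.0.2.10", 80, "tcp")

if __name__ == "__main__":
    # Capacity 20 gives thresholds 15 and 19; replay the text's TIME_WAIT walkthrough.
    table = ConnectionTable(max_connections=20)
    for i in range(16):
        table.admit(tcp_key(i), "ESTABLISHED")     # the 16th admission sets the flag
    table.transition(tcp_key(0), "TIME_WAIT")      # timer reset to 120 s
    for _ in range(8):
        table.tick()                               # 8 ticks x 5 s leaves 80 s
    print("TTL after 8 ticks:", table.conns[tcp_key(0)].ttl)
    table.tick()
    print("TTL after 9 ticks:", table.conns[tcp_key(0)].ttl)
```

Running the file replays the TIME_WAIT walkthrough from the text: 120 s, eight accelerated ticks down to 80 s, one more to 75 s. The branch worth attention from a defender's side is `dropped`: once the table sits at the second threshold with nothing marked releasable, new flows are discarded, so the choice of the two thresholds and of N determines how long a connection-exhaustion flood can keep the table full, not whether it can.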
Embodiment two
With reference to Fig. 2, the network security device 200 with controllable connections provided by an embodiment of the invention comprises:
A receiving unit 210, which receives packets and signals that a new connection needs to be created;
A detecting unit 220, which detects and obtains the current concurrent connection count;
A comparing unit 230, which compares the concurrent connection count with the first predetermined value and the second predetermined value, where the first predetermined value is less than the second predetermined value;
A connection control unit 240, which releases connections, creates new connections and controls the connection ageing process;
If the current concurrent connection count is less than the first predetermined value, the connection control unit 240 creates the new connection directly;
If the current concurrent connection count is greater than the first predetermined value and less than the second predetermined value, the connection control unit 240 accelerates the ageing process of releasable connections and, after ageing completes, creates the new connection;
If the current concurrent connection count is greater than the second predetermined value, the connection control unit 240 releases at least one connection and creates the new connection.
The network security device also comprises:
A judging unit 250, which identifies whether a connection is releasable;
A marking unit 260, which marks the releasable connections determined by the judging unit 250.
The connection control unit 240 selects the connection to release according to the marks provided by the marking unit 260.
The releasable connections comprise:
TCP connections that are not fully established, and non-TCP connections with unidirectional data flow.
The first predetermined value is the preset concurrent connection count at which connections need accelerated ageing, and the second predetermined value is the supported concurrent connection count.
In summary, in the technical solution provided by the embodiments of the invention, when the concurrent connection count reaches or exceeds the accelerated ageing threshold, the ageing time of each connection state is shortened; when the concurrent connection count reaches the concurrent connection threshold, a releasable connection is released before the new connection is created. In this way, when the maximum concurrent connection count is reached, some connections that have not been completely closed or are about to time out are aged early, freeing memory for the new connection, so that the network security device can keep creating new connections, support as many connections as possible, and have its performance fully exploited.
Obviously, those skilled in the art should understand that each of the units or steps of the invention described above can be implemented with general-purpose computing devices; they can be concentrated on a single computing device or distributed over a network formed by several computing devices; optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, or each made into an individual integrated-circuit module, or several of the units or steps made into a single integrated-circuit module. Thus the invention is not restricted to any specific combination of hardware and software.
The above are only preferred embodiments of the invention and are not intended to limit its scope of protection. Any modifications, equivalent replacements, improvements and the like made within the spirit and principles of the invention are included in the scope of protection of the invention.

Claims (12)

1. A connection control method for a network security device, characterised in that it comprises:
When a packet is received that requires a new connection, detecting and obtaining the current concurrent connection count;
Comparing the concurrent connection count with a first predetermined value and a second predetermined value, where the first predetermined value is less than the second predetermined value;
If the concurrent connection count is less than the first predetermined value, creating the new connection directly;
If the concurrent connection count is greater than the first predetermined value and less than the second predetermined value, starting the accelerated ageing process and then creating the new connection;
If the concurrent connection count is greater than the second predetermined value, selecting and releasing one connection and then creating the new connection.
2. The method of claim 1, characterised in that it further comprises:
If the concurrent connection count is greater than the second predetermined value and there is no releasable connection, dropping the received packet without creating a new connection.
3. The method of claim 1, characterised in that the accelerated connection ageing process specifically comprises:
Obtaining the time-to-live of the selected connection;
On each periodic trigger signal, reducing the time-to-live by a new stride, the new stride being N times the original stride, N > 1.
4. The method of claim 3, characterised in that
the periodic trigger signal is a clock signal.
5. The method of claim 1, characterised in that the releasable connections comprise:
TCP connections that are not fully established, and non-TCP connections with unidirectional data flow.
6. The method of claim 1, characterised in that it also comprises:
A step of marking releasable connections in advance.
7. The method of any one of claims 1 to 5, characterised in that
the first predetermined value is a preset concurrent connection count at which connections need accelerated ageing, and the second predetermined value is the supported concurrent connection count.
8. The method of claim 7, characterised in that
the first predetermined value is 75% of the maximum concurrent connection count, and the second predetermined value is 95% of the maximum concurrent connection count.
9. A network security device with controllable connections, characterised in that it comprises:
A receiving unit, which receives packets and signals that a new connection needs to be created;
A detecting unit, which detects and obtains the current concurrent connection count;
A comparing unit, which compares the concurrent connection count with the first predetermined value and the second predetermined value, where the first predetermined value is less than the second predetermined value;
A connection control unit, which releases connections, creates new connections and controls the connection ageing process;
If the concurrent connection count is less than the first predetermined value, the connection control unit creates the new connection directly;
If the concurrent connection count is greater than the first predetermined value and less than the second predetermined value, the connection control unit starts the accelerated ageing process and then creates the new connection;
If the concurrent connection count is greater than the second predetermined value, the connection control unit selects and releases one connection and then creates the new connection.
10. The network security device of claim 9, characterised in that it also comprises:
A judging unit, which identifies whether a connection is releasable;
A marking unit, which marks the releasable connections determined by the judging unit;
The connection control unit selects releasable connections according to the marks of the marking unit.
11. The network security device of claim 9 or 10, characterised in that the releasable connections comprise:
TCP connections that are not fully established, and non-TCP connections with unidirectional data flow.
12. The network security device of claim 9 or 10, characterised in that
the first predetermined value is a preset concurrent connection count at which connections need accelerated ageing, and the second predetermined value is the supported concurrent connection count.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009100768458A CN101547198B (en) 2009-01-22 2009-01-22 Method and device for controlling connections of network security equipment

Publications (2)

Publication Number Publication Date
CN101547198A CN101547198A (en) 2009-09-30
CN101547198B true CN101547198B (en) 2011-12-28

Family

ID=41194087

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102752304B (en) * 2012-07-06 2015-11-18 汉柏科技有限公司 Method and system for preventing half-connection attacks
CN102761485B (en) * 2012-07-06 2015-04-22 汉柏科技有限公司 Method and system for processing connections by network equipment
CN104519027A (en) * 2013-09-30 2015-04-15 宁夏先锋软件有限公司 Computer network security equipment
CN106302090B (en) 2015-05-25 2019-10-22 阿里巴巴集团控股有限公司 Message processing method, apparatus and system
CN105871539B (en) * 2016-03-18 2020-02-14 华为技术有限公司 Key processing method and device
CN107172036B (en) * 2017-05-11 2020-05-05 北京安赛创想科技有限公司 Network scanning control method and device
CN109729059B (en) * 2017-10-31 2020-08-14 华为技术有限公司 Data processing method and device and computer
CN110213320B (en) * 2019-01-02 2021-11-02 腾讯科技(深圳)有限公司 Communication connection method and device, electronic equipment and computer readable storage medium
CN115334136B (en) * 2022-07-05 2024-02-02 北京天融信网络安全技术有限公司 Connection aging control method, system, equipment and storage medium

Also Published As

Publication number Publication date
CN101547198A (en) 2009-09-30


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
Granted publication date: 20111228
Termination date: 20180122