CN102195887B - Message processing method, device and network security equipment - Google Patents


Publication number
CN102195887B
Authority
CN
China
Prior art keywords
session
flow
entry
stream
index
Prior art date
Application number
CN 201110144331
Other languages
Chinese (zh)
Other versions
CN102195887A (en
Inventor
陈平平
Original Assignee
北京星网锐捷网络技术有限公司
Filing date
Publication date
Application filed by 北京星网锐捷网络技术有限公司
Priority to CN 201110144331
Publication of CN102195887A
Application granted
Publication of CN102195887B


Abstract

The present invention provides a packet processing method, apparatus and network security device. The method includes: when the first packet of a session flow is received, creating a session flow entry for the session flow and adding the index of the session flow entry to a general flow hash table; performing policy matching and auditing on the session flow to determine whether it is a legal session flow or an illegal session flow; and, when the session flow is an illegal session flow, adding the index of the session flow entry to a recycling auxiliary table and updating the policy matching and audit result of the illegal session flow into the session flow entry. The apparatus includes a creation module, an audit module and an adding module. The network security device includes the above packet processing apparatus. The present invention avoids exhausting flow entry resources when the number of attack flows is large, while maintaining high system performance.

Description

Packet processing method, apparatus and network security device

Technical field

[0001] The present invention relates to communication technology, and in particular to a packet processing method, apparatus and network security device.

Background art

[0002] In network security devices, session flow state tracking is widely used to monitor and manage the traffic passing through the device, so that specific untrusted traffic can be identified and blocked. Under this session flow state tracking framework, a packet is processed as follows: for the first packet of a session flow, a new session flow entry is created and added to the flow table; policy matching and auditing are performed on the session flow, and the resulting processing policy is written into the session flow entry. For a non-first packet, the flow table already holds the session flow's information, so the flow table is looked up directly and the session flow's processing policy is fetched and executed. In this packet processing procedure there may be many security policies, so policy matching and auditing are relatively slow; but only the first packet of a session flow needs full policy matching and auditing, so a high packet forwarding rate can be achieved. However, when the device is subjected to a malicious flood attack (an attacker initiates a large number of illegal connections to consume the hardware resources of the network security device and of servers), even if the attack flows are blocked by the security policy, the blocked attack flows still occupy the flow table resources because aging is delayed, so normal session flows cannot create flow entries and the network is interrupted.

[0003] In the prior art, to solve the above problem, policy matching and auditing are performed first on the first packet of a session flow, and a flow entry may be created only after the audit passes; for a session flow that fails the audit, the packet is discarded directly and no flow entry is created.

[0004] However, the prior art must run the complete policy matching and audit procedure on the packets of attack flows; when the number of attack flows is large, system performance degrades, which affects overall system throughput.

Summary of the invention

[0005] The present invention provides a packet processing method, apparatus and network security device that avoid exhausting flow entry resources when the number of attack flows is large, while maintaining high system performance and improving overall system throughput.

[0006] The present invention provides a packet processing method, comprising:

[0007] when the first packet of a session flow is received, creating a session flow entry for the session flow and adding the index of the session flow entry to a general flow hash table;

[0008] performing policy matching and auditing on the session flow to determine whether the session flow is a legal session flow or an illegal session flow;

[0009] when the session flow is an illegal session flow, adding the index of the session flow entry to a recycling auxiliary table, and updating the policy matching and audit result of the illegal session flow into the session flow entry.

[0010] The present invention provides a packet processing apparatus, comprising:

[0011] a creation module, configured to, when the first packet of a session flow is received, create a session flow entry for the session flow and add the index of the session flow entry to a general flow hash table;

[0012] an audit module, configured to perform policy matching and auditing on the session flow to determine whether the session flow is a legal session flow or an illegal session flow;

[0013] an adding module, configured to, when the session flow is an illegal session flow, add the index of the session flow entry to a recycling auxiliary table and update the policy matching and audit result of the illegal session flow into the session flow entry.

[0014] The present invention provides a network security device comprising the above packet processing apparatus.

[0015] The packet processing method, apparatus and network security device provided by the present invention add a recycling auxiliary table. When the first packet of a session flow is received, a session flow entry is first created for the session flow and the index of the session flow entry is added to the general flow hash table; when policy matching and auditing determine that the session flow is an illegal session flow, the index of the session flow entry is also added to the recycling auxiliary table. This embodiment uses the recycling auxiliary table to keep the index information of the session flow entries of illegal session flows for use when resources later become scarce, which avoids exhausting flow entry resources when the number of attack flows is large while maintaining high system performance and improving overall system throughput.

Brief description of the drawings

[0016] To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.

[0017] Figure 1 is a flowchart of a first embodiment of the packet processing method of the present invention;

[0018] Figure 2 is a flowchart of a second embodiment of the packet processing method of the present invention;

[0019] Figure 3 is a schematic diagram of the double hash table structure in the second embodiment of the packet processing method of the present invention;

[0020] Figure 4 is a schematic structural diagram of a first embodiment of the packet processing apparatus of the present invention;

[0021] Figure 5 is a schematic structural diagram of a second embodiment of the packet processing apparatus of the present invention.

Detailed description

[0022] To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, but not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

[0023] Figure 1 is a flowchart of a first embodiment of the packet processing method of the present invention. As shown in Figure 1, this embodiment provides a packet processing method that may specifically include the following steps:

[0024] Step 101: when the first packet of a session flow is received, create a session flow entry for the session flow and add the index of the session flow entry to the general flow hash table.

[0025] In this embodiment, when a session flow is created, a session flow entry can be created for it upon receipt of its first packet, and the index of that session flow entry is added to the general flow hash table. A session flow here is an end-to-end data connection. In the Transmission Control Protocol (TCP)/IP protocol suite, a flow is usually identified by five-tuple information: the source IP address, destination IP address, protocol number, TCP/User Datagram Protocol (UDP) source port number and TCP/UDP destination port number. Conventional devices usually use a single hash table to manage the many session flows and to store the processing policy of each session flow (such as block, pass or other additional processing operations). A hash table is a data structure that is accessed directly by key value, that is, a record is accessed by mapping its key value to a position in the table, which speeds up lookup; this data structure is commonly called the "session flow state tracking table", abbreviated below as the "flow table". In this step, after a new session flow entry has been created for the session flow, the session flow entry is added to the general flow hash table, specifically by adding the index of the session flow entry to the general flow hash table.
When a session flow is created in this step, the session flow entry is created first and the session flow is audited afterwards, so when the first packet of a session flow arrives, a corresponding session flow entry is created for it and the index of that entry is added to the general flow hash table regardless of whether the session flow is legal or illegal.

[0026] Specifically, in addition to the general flow hash table, this embodiment also provides a recycling auxiliary table, which holds the index information of the session flow entries of illegal session flows. Step 101 of this embodiment may specifically include the following: when the first packet of a session flow is received, determining whether a free entry resource exists in the current free entry pool; if a free entry resource exists in the current free entry pool, using that free entry resource to create the session flow entry for the session flow; if no free entry resource exists in the current free entry pool, reclaiming one session flow entry resource from the recycling auxiliary table and using the reclaimed session flow entry resource to create the session flow entry for the session flow.

[0027] More specifically, when this embodiment reclaims a session flow entry resource from the recycling auxiliary table, it may obtain the index of the session flow entry to be deleted and delete that index from both the general flow hash table and the recycling auxiliary table at the same time, so that the session flow entry resource corresponding to that index is returned to the free entry pool for use when a new session flow is created. Specifically, the index of the session flow entry to be deleted may be the session flow entry index that was added to the recycling auxiliary table earliest.

[0028] Step 102: perform policy matching and auditing on the session flow to determine whether the session flow is a legal session flow or an illegal session flow.

[0029] After the session flow entry has been created for the session flow, policy matching and auditing are performed on the session flow to determine whether it is a legal or an illegal session flow. Because this embodiment creates the session flow entry first, then performs policy matching and auditing, and performs this procedure when the first packet of the session flow arrives, it avoids the reduction in packet processing rate that redundant policy matching and auditing of the session flow's non-first packets would cause.

[0030] Step 103: when the session flow is an illegal session flow, add the index of the session flow entry to the recycling auxiliary table, and update the policy matching and audit result of the illegal session flow into the session flow entry.

[0031] When the above policy matching and auditing determine that the session flow is an illegal session flow, the index of the session flow entry created for it in step 101 is added to the recycling auxiliary table, so that both the general flow hash table and the recycling auxiliary table hold the index information of the illegal session flow's entry; the policy matching and audit result of the illegal session flow is then updated into the session flow entry so that subsequent packets of the session flow can fetch and use it directly.

[0032] Further, the packet processing method of this embodiment may also include the following step: when the session flow is a legal session flow, updating the policy matching and audit result of the legal session flow into the session flow entry so that subsequent packets of the session flow can fetch and use it directly.

[0033] This embodiment provides a packet processing method that adds a recycling auxiliary table. When the first packet of a session flow is received, a session flow entry is first created for the session flow and the index of the session flow entry is added to the general flow hash table; when policy matching and auditing determine that the session flow is an illegal session flow, the index of the session flow entry is also added to the recycling auxiliary table. This embodiment uses the recycling auxiliary table to keep the index information of the session flow entries of illegal session flows for use when resources later become scarce, which avoids exhausting flow entry resources when the number of attack flows is large while maintaining high system performance and improving overall system throughput.

[0034] Figure 2 is a flowchart of a second embodiment of the packet processing method of the present invention. As shown in Figure 2, this embodiment provides a packet processing method that may specifically include the following steps:

[0035] Step 201: when the first packet of a session flow is received, determine whether a free entry resource exists in the current free entry pool; if so, go to step 202, otherwise go to step 204.

[0036] In this embodiment, when the first packet of a session flow is received and a session flow entry is to be created for it, it is first determined whether a free entry resource exists in the current free entry pool, in an attempt to obtain one. If a free entry resource exists in the current free entry pool, step 202 is executed; if no free entry resource exists in the current free entry pool, step 204 is executed.

[0037] Step 202: use the free entry resource to create the session flow entry for the session flow.

[0038] When a free entry resource exists in the free entry pool, this embodiment can use it directly to create the session flow entry for the session flow.

[0039] Step 203: add the index of the session flow entry to the general flow hash table.

[0040] After the session flow entry has been created for the session flow, an index can be assigned to the session flow entry and added to the general flow hash table.

[0041] Step 204: reclaim a session flow entry resource from the recycling auxiliary table.

[0042] When no free entry resource exists in the free entry pool, that is, no free entry is currently available, this embodiment reclaims a session flow entry resource from the recycling auxiliary table it maintains, which holds the index information of the session flow entries of illegal session flows. Specifically, the index of the session flow entry that was added to the recycling auxiliary table earliest may be obtained from it. Because the indices of illegal session flows' entries held in the recycling auxiliary table are also held in the general flow hash table, this step deletes that earliest-added index from both the general flow hash table and the recycling auxiliary table at the same time, returns the session flow entry corresponding to the index to the free entry pool, and terminates that session flow entry, that is, the entry no longer takes part in subsequent operations such as packet forwarding.

[0043] Step 205: use the reclaimed session flow entry resource to create the session flow entry for the session flow.

[0044] After the session flow entry resource has been reclaimed, this embodiment can use it to create the session flow entry for the session flow of step 201. By building a recycling auxiliary table that stores the indices of the session flow entries of session flows judged illegal, this embodiment can index all illegal session flows through that table; the illegal session flows in this embodiment may include attack flows. When flow table resources are scarce, the flow entry resources held by those entries can be reclaimed through the recycling auxiliary table, released and reused, so that the needs of normal legal session flows are satisfied first.

[0045] Step 206: perform policy matching and auditing on the session flow to determine whether it is a legal session flow; if so, go to step 207, otherwise go to step 208.

[0046] After the session flow entry has been created for the session flow, this embodiment performs policy matching and auditing on the session flow to determine whether it is a legal session flow; if so, step 207 is executed, otherwise step 208 is executed. By performing the full session flow entry creation and the policy matching and audit operations only when the first packet of the session flow arrives, this embodiment avoids the time that would be wasted by performing policy matching and auditing on every packet.

[0047] Step 207: update the policy matching and audit result of the legal session flow into the session flow entry corresponding to that legal session flow.

[0048] When the audit finds the session flow to be a legal session flow, its policy matching and audit result is updated into the session flow entry corresponding to that legal session flow so that subsequent packets of the session flow can fetch and use it directly.

[0049] Step 208: add the index of the session flow entry to the recycling auxiliary table.

[0050] When the audit finds the session flow to be an illegal session flow, the index of its session flow entry is added to the recycling auxiliary table. Because the index was already added to the general flow hash table when the session flow entry was created, both the general flow hash table and the recycling auxiliary table now hold the index information of the illegal session flow's entry, and that entry can be indexed and found from either table. Figure 3 is a schematic diagram of the double hash table structure in the second embodiment of the packet processing method of the present invention. As shown in Figure 3, in this embodiment the index information of legal session flows' entries is held in the general flow hash table, while the index information of illegal session flows' entries is held in both the general flow hash table and the recycling auxiliary table.

[0051] Step 209: update the policy matching and audit result of the illegal session flow into the session flow entry corresponding to that illegal session flow.

[0052] After the index of the illegal session flow's entry has been added to the general flow hash table and the recycling auxiliary table, the policy matching and audit result of the illegal session flow is also updated into the session flow entry corresponding to that illegal session flow.

[0053] This embodiment provides a packet processing method that adds a recycling auxiliary table. When the first packet of a session flow is received, a session flow entry is first created for the session flow and the index of the session flow entry is added to the general flow hash table; when policy matching and auditing determine that the session flow is an illegal session flow, the index of the session flow entry is also added to the recycling auxiliary table. This embodiment uses the recycling auxiliary table to keep the index information of the session flow entries of illegal session flows, so that when resources later become scarce the corresponding flow entry resources can be reclaimed from the recycling auxiliary table and reused, which avoids exhausting flow entry resources when the number of attack flows is large while maintaining high system performance and improving overall system throughput.
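The allocation-and-audit procedure of steps 201 to 209 (and steps 101 to 103 of the first embodiment), written out as an added illustration for this page; it is not code from the patent or its assignee. The Python class, the five-tuple policy callback, the verdict strings, the option to disable the recycling table (which models the background-art behaviour of [0002]) and the flood scenario are all assumptions constructed here.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Five-tuple the page uses to identify a session flow:
# (source IP, destination IP, protocol number, source port, destination port)
FiveTuple = Tuple[str, str, int, int, int]


@dataclass
class FlowEntry:
    """One session flow entry: its key and the audited processing policy."""
    key: FiveTuple
    verdict: str = ""  # "pass" or "block" once the audit has run


class FlowTable:
    """Hypothetical session flow table: a fixed entry pool, a general flow hash
    table keyed by five-tuple, and a recycling auxiliary table holding the
    indices of entries whose session flow was judged illegal, oldest first."""

    def __init__(self, capacity: int, policy: Callable[[FiveTuple], bool],
                 use_recycle: bool = True) -> None:
        self.entries: List[Optional[FlowEntry]] = [None] * capacity
        self.free: List[int] = list(range(capacity))   # free entry pool
        self.general: Dict[FiveTuple, int] = {}        # general flow hash table
        self.recycle: OrderedDict = OrderedDict()      # recycling auxiliary table
        self.policy = policy            # returns True when the session flow is legal
        self.use_recycle = use_recycle  # False: illegal entries are never reclaimed
        self.dropped_no_resources = 0

    def _reclaim(self) -> Optional[int]:
        """Step 204: take the earliest-added index from the recycling auxiliary
        table, delete it from both tables and hand the entry resource back."""
        if not self.recycle:
            return None
        idx, _ = self.recycle.popitem(last=False)
        entry = self.entries[idx]
        assert entry is not None
        del self.general[entry.key]   # same index removed from the general table
        self.entries[idx] = None      # entry terminated: it forwards nothing further
        return idx

    def _allocate(self) -> Optional[int]:
        """Steps 201, 202 and 204: free pool first, recycling table as fallback."""
        if self.free:
            return self.free.pop()
        return self._reclaim()

    def process_packet(self, key: FiveTuple) -> str:
        """Return the verdict applied to one packet: "pass", "block", or "drop"
        when no entry resource could be obtained at all."""
        idx = self.general.get(key)
        if idx is not None:
            # Non-first packet: the entry already holds the audit result; no re-audit.
            return self.entries[idx].verdict
        idx = self._allocate()
        if idx is None:
            self.dropped_no_resources += 1
            return "drop"
        entry = FlowEntry(key)
        self.entries[idx] = entry
        self.general[key] = idx                  # step 203
        if self.policy(key):                     # step 206: audited once per flow
            entry.verdict = "pass"               # step 207
        else:
            if self.use_recycle:
                self.recycle[idx] = None         # step 208: index now in both tables
            entry.verdict = "block"              # step 209
        return entry.verdict


def simulate_flood(use_recycle: bool = True) -> Dict[str, object]:
    """Constructed scenario: a 4-entry table, a policy that blocks destination
    port 23, ten distinct blocked flows, then one legitimate flow to port 443
    that sends two packets."""
    table = FlowTable(capacity=4, policy=lambda k: k[4] != 23, use_recycle=use_recycle)
    attack = [table.process_packet((f"10.0.0.{i}", "192.0.2.1", 6, 40000 + i, 23))
              for i in range(10)]
    legit: FiveTuple = ("198.51.100.7", "192.0.2.1", 6, 51000, 443)
    first = table.process_packet(legit)
    second = table.process_packet(legit)     # non-first packet, served from the table
    return {
        "attack_blocked": attack.count("block"),
        "attack_dropped": attack.count("drop"),
        "legit_first": first,
        "legit_second": second,
        "general_size": len(table.general),
        "recycle_size": len(table.recycle),
        "dropped_no_resources": table.dropped_no_resources,
    }


if __name__ == "__main__":
    print("with recycling table:   ", simulate_flood(True))
    print("without recycling table:", simulate_flood(False))
```

With the recycling table the legitimate flow still obtains an entry after the flood has filled the pool; without it the blocked attack entries hold the pool until aging and the legitimate flow is dropped, which is the outage described in [0002].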

[0054] Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be completed by hardware instructed by a program. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes media that can store program code, such as ROM, RAM, magnetic disks or optical discs.

[0055] Figure 4 is a schematic structural diagram of a first embodiment of the packet processing apparatus of the present invention. As shown in Figure 4, this embodiment provides a packet processing apparatus that can specifically perform each step of the first method embodiment above, which is not repeated here. The packet processing apparatus of this embodiment may include a creation module 401, an audit module 402 and an adding module 403. The creation module 401 is configured to, when the first packet of a session flow is received, create a session flow entry for the session flow and add the index of the session flow entry to the general flow hash table. The audit module 402 is configured to perform policy matching and auditing on the session flow to determine whether the session flow is a legal session flow or an illegal session flow. The adding module 403 is configured to, when the session flow is an illegal session flow, add the index of the session flow entry to the recycling auxiliary table and update the policy matching and audit result of the illegal session flow into the session flow entry.

[0056] Figure 5 is a schematic structural diagram of a second embodiment of the packet processing apparatus of the present invention. As shown in Figure 5, this embodiment provides a packet processing apparatus that can specifically perform each step of the second method embodiment above, which is not repeated here. Building on Figure 4, in the packet processing apparatus of this embodiment the creation module 401 may specifically include a determination unit 411, a first creation unit 421, a reclaiming unit 431 and a second creation unit 441. The determination unit 411 is configured to, when the first packet of a session flow is received, determine whether a free entry resource exists in the current free entry pool. The first creation unit 421 is configured to, if a free entry resource exists in the current free entry pool, use the free entry resource to create the session flow entry for the session flow and add the index of the session flow entry to the general flow hash table. The reclaiming unit 431 is configured to, if no free entry resource exists in the current free entry pool, reclaim a session flow entry resource from the recycling auxiliary table. The second creation unit 441 is configured to use the reclaimed session flow entry resource to create the session flow entry for the session flow and add the index of the session flow entry to the general flow hash table.

[0057] More specifically, the recycling unit 431 may include an obtaining subunit 4311, a deleting subunit 4312 and a recycling subunit 4313. The obtaining subunit 4311 is configured to, if no free entry resource exists in the current free entry pool, obtain from the recycle auxiliary table the index of the session flow entry to be deleted. The deleting subunit 4312 is configured to delete that session flow entry index from both the general flow hash table and the recycle auxiliary table. The recycling subunit 4313 is configured to return the session flow entry resource corresponding to that session flow entry index to the free entry pool.

[0058] Specifically, the session flow entry index to be deleted that the obtaining subunit 4311 obtains is the session flow entry index that was added to the recycle auxiliary table earliest, i.e. the recycle auxiliary table is consumed in first-in, first-out order.

[0059] Further, the packet processing apparatus provided in this embodiment may also include an updating module 404, configured to, when the session flow is a legal session flow, update the policy matching and audit result of the legal session flow into the session flow entry.

[0060] This embodiment provides a packet processing apparatus that adds a recycle auxiliary table. When the first packet of a session flow is received, a session flow entry is first created for the session flow and its index is added to the general flow hash table; when policy matching and audit processing establish that the session flow is an illegal session flow, the index of its session flow entry is additionally added to the recycle auxiliary table. The recycle auxiliary table thus holds the index information of the session flow entries of illegal session flows, so that when resources later run short the corresponding flow entry resources can be reclaimed from it and reused. This avoids exhausting the flow entry resources when the number of attack flows is large, while maintaining high system performance and improving overall system throughput.
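The following is an added example, not code from the patent or from the applicant: a C model of the session flow table described in [0055] to [0060], with a free entry pool, a general flow hash table and a recycle auxiliary table kept as a FIFO ring of illegal-session entry indices. The pool size, bucket count, hash function, sample addresses and all names are assumptions. It goes slightly beyond the text in one respect: it also handles the case the description leaves implicit, a table full of legal or not-yet-audited sessions, in which the recycle table is empty and the new session simply gets no entry.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example, not the patent's code; sizes, names, hash and sample addresses are assumptions. */
#define MAX_ENTRIES  8      /* deliberately tiny so the exhaustion path is exercised */
#define HASH_BUCKETS 16
#define NIL          0xFFFFu
enum verdict { V_PENDING, V_LEGAL, V_ILLEGAL };
struct flow_key { uint32_t src, dst; uint16_t sport, dport; uint8_t proto, pad[3]; };
/* entry: audit result, "index is queued in the recycle table" flag, hash bucket chain link */
struct flow_entry { struct flow_key key; uint8_t verdict, in_recycle; uint16_t hash_next; };
/* general flow hash table (buckets), free entry pool (stack), recycle auxiliary table (ring) */
struct flow_table {
    struct flow_entry entries[MAX_ENTRIES];
    uint16_t buckets[HASH_BUCKETS], free_stack[MAX_ENTRIES], recycle[MAX_ENTRIES];
    unsigned free_count, rc_head, rc_count, recycled;
};
static unsigned hash_key(const struct flow_key *k)
{
    return ((k->src * 2654435761u) ^ (k->dst * 40503u) ^ ((uint32_t)k->sport << 16) ^ k->dport ^ k->proto) % HASH_BUCKETS;
}
void ft_init(struct flow_table *t)
{
    memset(t, 0, sizeof *t); t->free_count = MAX_ENTRIES;
    for (unsigned i = 0; i < HASH_BUCKETS; i++) t->buckets[i] = NIL;
    for (unsigned i = 0; i < MAX_ENTRIES; i++) t->free_stack[i] = (uint16_t)i;
}
uint16_t ft_lookup(const struct flow_table *t, const struct flow_key *k)
{
    for (uint16_t i = t->buckets[hash_key(k)]; i != NIL; i = t->entries[i].hash_next)
        if (memcmp(&t->entries[i].key, k, sizeof *k) == 0) return i;
    return NIL;
}
/* Recycling unit: pop the oldest index from the recycle table, delete it from the
 * hash table and return the entry to the pool. Returns 0 if nothing is reclaimable. */
static int ft_recycle_one(struct flow_table *t)
{
    if (t->rc_count == 0) return 0;
    uint16_t idx = t->recycle[t->rc_head];
    t->rc_head = (t->rc_head + 1) % MAX_ENTRIES; t->rc_count--;
    uint16_t *p = &t->buckets[hash_key(&t->entries[idx].key)];
    while (*p != NIL && *p != idx) p = &t->entries[*p].hash_next;
    if (*p == idx) *p = t->entries[idx].hash_next;      /* unlink from bucket chain */
    t->entries[idx].in_recycle = 0; t->free_stack[t->free_count++] = idx; t->recycled++;
    return 1;
}
/* First packet of a session: take an entry from the pool, or reclaim an illegal
 * session's entry if the pool is empty, and add its index to the hash table. */
uint16_t ft_first_packet(struct flow_table *t, const struct flow_key *k)
{
    uint16_t idx = ft_lookup(t, k);
    if (idx != NIL) return idx;                          /* already known flow */
    if (t->free_count == 0 && !ft_recycle_one(t)) return NIL;
    idx = t->free_stack[--t->free_count];
    struct flow_entry *e = &t->entries[idx]; unsigned b = hash_key(k);
    e->key = *k; e->verdict = V_PENDING; e->in_recycle = 0;
    e->hash_next = t->buckets[b]; t->buckets[b] = idx;
    return idx;
}
/* The audit result goes into the entry; an illegal verdict also queues the index
 * in the recycle table (once per entry), a legal verdict never does. */
void ft_audit(struct flow_table *t, uint16_t idx, enum verdict v)
{
    if (idx == NIL) return;
    struct flow_entry *e = &t->entries[idx]; e->verdict = (uint8_t)v;
    if (v == V_ILLEGAL && !e->in_recycle) {
        t->recycle[(t->rc_head + t->rc_count) % MAX_ENTRIES] = idx;
        t->rc_count++; e->in_recycle = 1;
    }
}
/* Constructed scenario: legal_flows legal sessions, then attack_flows sessions audited illegal,
 * then one more legal session. Reports legal sessions resident, entries reclaimed, packets dropped. */
struct sim_result { int legal_resident; unsigned recycled, dropped; };
struct sim_result simulate(unsigned legal_flows, unsigned attack_flows)
{
    struct flow_table t;
    struct flow_key legal[MAX_ENTRIES], k;
    struct sim_result r = { 0, 0, 0 };
    if (legal_flows > MAX_ENTRIES) legal_flows = MAX_ENTRIES; ft_init(&t);
    for (unsigned i = 0; i < legal_flows; i++) {
        legal[i] = (struct flow_key){ 0x0a000001u + i, 0xc0a80001u, (uint16_t)(40000 + i), 443, 6 };
        ft_audit(&t, ft_first_packet(&t, &legal[i]), V_LEGAL);
    }
    for (unsigned i = 0; i < attack_flows; i++) {
        k = (struct flow_key){ 0xc6336401u + i, 0xc0a80001u, (uint16_t)(1024 + i), 80, 6 };
        uint16_t idx = ft_first_packet(&t, &k);
        if (idx == NIL) { r.dropped++; continue; }
        ft_audit(&t, idx, V_ILLEGAL);
    }
    k = (struct flow_key){ 0x0a000099u, 0xc0a80001u, 50000, 22, 6 };
    if (ft_first_packet(&t, &k) == NIL) r.dropped++; else r.legal_resident++;
    for (unsigned i = 0; i < legal_flows; i++) r.legal_resident += ft_lookup(&t, &legal[i]) != NIL;
    r.recycled = t.recycled;
    return r;
}
int main(void)
{
    struct sim_result r = simulate(3, 20);   /* 3 legal sessions, then 20 attack flows */
    return printf("legal resident %d/4, recycled %u, dropped %u\n", r.legal_resident, r.recycled, r.dropped) < 0;
}
```

With `simulate(3, 20)` all four legal sessions stay resident and 16 entries are reclaimed, because only the indices of flows already judged illegal ever enter the recycle table and the flood evicts its own oldest entries. `simulate(8, 5)` shows the limit of the scheme: when the pool is held entirely by legal sessions nothing is reclaimable, so the attack flows and the next legal session are refused; a real data plane would still need session ageing for legal flows, which the description does not cover.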

[0061] This embodiment further provides a network security device, such as a firewall, which may specifically include the packet processing apparatus of the above embodiments.

[0062] Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (9)

1. A packet processing method, characterized in that it comprises: when the first packet of a session flow is received, creating a session flow entry for the session flow and adding the index of the session flow entry to a general flow hash table; performing policy matching and audit processing on the session flow to determine whether the session flow is a legal session flow or an illegal session flow; when the session flow is an illegal session flow, adding the index of the session flow entry to a recycle auxiliary table and updating the policy matching and audit result of the illegal session flow into the session flow entry; wherein creating a session flow entry for the session flow when the first packet of the session flow is received comprises: when the first packet of the session flow is received, judging whether a free entry resource exists in the current free entry pool; if a free entry resource exists in the current free entry pool, using the free entry resource to create the session flow entry for the session flow; if no free entry resource exists in the current free entry pool, reclaiming a session flow entry resource from the recycle auxiliary table; and using the reclaimed session flow entry resource to create the session flow entry for the session flow.
2. The method according to claim 1, characterized in that reclaiming a session flow entry resource from the recycle auxiliary table comprises: obtaining from the recycle auxiliary table the index of the session flow entry to be deleted; deleting that session flow entry index from the general flow hash table and from the recycle auxiliary table; and returning the session flow entry resource corresponding to that session flow entry index to the free entry pool.
3. The method according to claim 2, characterized in that the session flow entry index to be deleted is the session flow entry index that was added to the recycle auxiliary table earliest.
4. The method according to claim 1, characterized in that it further comprises: when the session flow is a legal session flow, updating the policy matching and audit result of the legal session flow into the session flow entry.
5. A packet processing apparatus, characterized in that it comprises: a creation module, configured to, when the first packet of a session flow is received, create a session flow entry for the session flow and add the index of the session flow entry to a general flow hash table; an audit module, configured to perform policy matching and audit processing on the session flow to determine whether the session flow is a legal session flow or an illegal session flow; an adding module, configured to, when the session flow is an illegal session flow, add the index of the session flow entry to a recycle auxiliary table and update the policy matching and audit result of the illegal session flow into the session flow entry; wherein the creation module comprises: a judging unit, configured to, when the first packet of a session flow is received, judge whether a free entry resource exists in the current free entry pool; a first creating unit, configured to, if a free entry resource exists in the current free entry pool, use the free entry resource to create a session flow entry for the session flow and add the index of the session flow entry to the general flow hash table; a recycling unit, configured to, if no free entry resource exists in the current free entry pool, reclaim a session flow entry resource from the recycle auxiliary table; and a second creating unit, configured to use the reclaimed session flow entry resource to create a session flow entry for the session flow and add the index of the session flow entry to the general flow hash table.
6. The apparatus according to claim 5, characterized in that the recycling unit comprises: an obtaining subunit, configured to, if no free entry resource exists in the current free entry pool, obtain from the recycle auxiliary table the index of the session flow entry to be deleted; a deleting subunit, configured to delete that session flow entry index from the general flow hash table and from the recycle auxiliary table; and a recycling subunit, configured to return the session flow entry resource corresponding to that session flow entry index to the free entry pool.
7. The apparatus according to claim 6, characterized in that the session flow entry index to be deleted that the obtaining subunit obtains is the session flow entry index that was added to the recycle auxiliary table earliest.
8. The apparatus according to claim 5, characterized in that it further comprises: an updating module, configured to, when the session flow is a legal session flow, update the policy matching and audit result of the legal session flow into the session flow entry.
9. A network security device, characterized in that it comprises the packet processing apparatus according to any one of claims 5 to 8.
CN 201110144331 2011-05-31 2011-05-31 Message processing method, device and network security equipment CN102195887B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201110144331 CN102195887B (en) 2011-05-31 2011-05-31 Message processing method, device and network security equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201110144331 CN102195887B (en) 2011-05-31 2011-05-31 Message processing method, device and network security equipment

Publications (2)

Publication Number Publication Date
CN102195887A CN102195887A (en) 2011-09-21
CN102195887B true CN102195887B (en) 2014-03-12

Family

ID=44603295

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201110144331 CN102195887B (en) 2011-05-31 2011-05-31 Message processing method, device and network security equipment

Country Status (1)

Country Link
CN (1) CN102195887B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103490937B (en) * 2013-10-12 2017-02-01 北京奇虎科技有限公司 Monitoring data filtering method and apparatus
CN104660565B (en) * 2013-11-22 2018-07-20 华为技术有限公司 Method and apparatus for detecting malicious attacks
CN103746918B (en) * 2014-01-06 2018-01-12 深圳市星盾网络技术有限公司 Packet forwarding system and packet forwarding method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003067810A1 (en) 2002-02-08 2003-08-14 Netscreen Technologies, Inc. Multi-method gateway-based network security systems and methods
CN101340275A (en) 2008-08-27 2009-01-07 深圳华为通信技术有限公司 Data card, data processing and transmitting method
CN101370019A (en) 2008-09-26 2009-02-18 北京星网锐捷网络技术有限公司 Method and switchboard for preventing packet cheating attack of address analysis protocol

Also Published As

Publication number Publication date
CN102195887A (en) 2011-09-21

Similar Documents

Publication Publication Date Title
US9237132B2 (en) Load balancing in a network with session information
US8095983B2 (en) Platform for analyzing the security of communication protocols and channels
US8325607B2 (en) Rate controlling of packets destined for the route processor
US7853998B2 (en) Firewall propagation
US9407557B2 (en) Methods and systems to split equipment control between local and remote processing units
US20040013112A1 (en) Dynamic packet filter utilizing session tracking
US7831822B2 (en) Real-time stateful packet inspection method and apparatus
US20160359897A1 (en) Determining a reputation of a network entity
US20070022479A1 (en) Network interface and firewall device
US20050229246A1 (en) Programmable context aware firewall with integrated intrusion detection system
US9800503B2 (en) Control plane protection for various tables using storm prevention entries
US9461967B2 (en) Packet classification for network routing
US8897134B2 (en) Notifying a controller of a change to a packet forwarding configuration of a network element over a communication channel
EP1966977B1 (en) Method and system for secure communication between a public network and a local network
US20070022474A1 (en) Portable firewall
US8964747B2 (en) System and method for restricting network access using forwarding databases
KR20140106547A (en) A streaming method and system for processing network metadata
US7706378B2 (en) Method and apparatus for processing network packets
US7917621B2 (en) Method and system for network access control
US20060230442A1 (en) Method and apparatus for reducing firewall rules
US20100107250A1 (en) Method and apparatus for defending against arp spoofing attacks
US8134934B2 (en) Tracking network-data flows
CN101656677B (en) Message diversion processing method and device
US9407602B2 (en) Methods and apparatus for redirecting attacks on a network
US20050111460A1 (en) State-transition based network intrusion detection

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance