CN103368858B - Traffic cleaning method and device with multi-strategy combination loading - Google Patents

Publication number
CN103368858B
Authority
CN
China
Prior art keywords
strategy
empty
entity
combination
data packet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201210096528.4A
Other languages
Chinese (zh)
Other versions
CN103368858A (en
Inventor
刘涛
刘宁
张�诚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Baidu Netcom Science and Technology Co Ltd
Original Assignee
Beijing Baidu Netcom Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Baidu Netcom Science and Technology Co Ltd filed Critical Beijing Baidu Netcom Science and Technology Co Ltd
Priority to CN201210096528.4A priority Critical patent/CN103368858B/en
Publication of CN103368858A publication Critical patent/CN103368858A/en
Application granted granted Critical
Publication of CN103368858B publication Critical patent/CN103368858B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention proposes a traffic cleaning method with multi-strategy combination loading, comprising the following steps: a user-space agent client creates a strategy combination, wherein the strategy combination comprises at least one virtual strategy, a virtual strategy comprises one or more entity strategies, and each entity strategy comprises one or more data features; the user-space agent client passes the strategy combination to kernel space; the at least one virtual strategy in the strategy combination is registered with a packet processing framework; the packet processing framework performs a function callback on each entity strategy in the virtual strategy and compares a communication data packet against the at least one virtual strategy, and when the communication data packet matches all entity strategies in at least one virtual strategy, the communication data packet is dropped. The present invention also proposes a traffic cleaning device with multi-strategy combination loading. The invention uses the strategy combination to clean traffic, thereby supporting application scenarios in which a complex combination of multiple strategies is needed to clean traffic, and giving a wider range of application.

Description

Traffic cleaning method and device with multi-strategy combination loading
Technical field
The present invention relates to the field of Internet technology, and in particular to a traffic cleaning method and device with multi-strategy combination loading.
Background
A traffic cleaning service is a network security service offered to government and enterprise customers who rent IDC (Internet Data Center) services, providing monitoring, alerting and protection against the DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks launched against them. The service monitors the data traffic entering the customer's IDC in real time and promptly detects abnormal traffic, including DoS attacks. It cleans out the abnormal traffic without affecting normal business, effectively meeting the customer's requirement for continuity of IDC operation. The service also improves the visibility of the customer's network traffic and the clarity of its security state through service content such as timely notifications and analysis reports.
Everyday traffic filtering systems often adopt a cleaning framework in which filtering strategies are evaluated one by one, so traffic is filtered by one strategy at a time: the relationship between filtering strategies is OR, and traffic cannot be cleaned only when it matches several filters simultaneously. Business needs, however, may be more demanding, with application scenarios in which traffic should be cleaned only when a complex combination of multiple strategies is satisfied. Traditional traffic filtering methods do not work for such scenarios.
A traditional traffic cleaning system only supports loading single strategies: the user can load each strategy in turn, and the system cleans traffic according to each strategy one by one. It therefore only supports deciding whether to clean traffic according to a single strategy, and does not support deciding according to a combination of multiple strategies.
Summary of the invention
The object of the present invention is to solve at least one of the above technical deficiencies.
To this end, a first object of the present invention is to provide a traffic cleaning method with multi-strategy combination loading, which allows arbitrary combinations of strategies and thereby supports traffic cleaning based on multiple filters. A second object of the present invention is to provide a traffic cleaning device with multi-strategy combination loading.
To achieve the above objects, an embodiment of the first aspect of the present invention proposes a traffic cleaning method with multi-strategy combination loading, comprising the following steps:
A user-space agent client creates a strategy combination, wherein the strategy combination comprises at least one virtual strategy, the virtual strategy comprises one or more entity strategies, and each entity strategy comprises one or more data features;
The user-space agent client passes the strategy combination to kernel space;
The at least one virtual strategy in the strategy combination is registered with a packet processing framework; and
The packet processing framework performs a function callback on each entity strategy in the virtual strategy and compares a communication data packet against the at least one virtual strategy; when the communication data packet matches all entity strategies in the at least one virtual strategy, the communication data packet is dropped.
With the traffic cleaning method with multi-strategy combination loading according to the embodiment of the present invention, the user can choose a strategy combination containing multiple strategies and use it to clean traffic, which supports application scenarios in which a complex combination of multiple strategies is needed to clean traffic and gives a wider range of application.
An embodiment of the second aspect of the present invention provides a traffic cleaning device with multi-strategy combination loading, comprising a user-space agent client, a kernel-space module and a packet processing framework, wherein the user-space agent client is used to create a strategy combination, wherein the strategy combination comprises at least one virtual strategy, the virtual strategy comprises one or more entity strategies, and each entity strategy comprises one or more data features; the kernel-space module is used to receive the strategy combination and to register the at least one virtual strategy in the strategy combination with the packet processing framework; the packet processing framework is used to perform a function callback on each entity strategy in the virtual strategy and to compare a communication data packet against the at least one virtual strategy, and when the communication data packet matches all entity strategies in the at least one virtual strategy, to drop the communication data packet.
With the traffic cleaning device with multi-strategy combination loading according to the embodiment of the present invention, the user can choose a strategy combination containing multiple strategies and use it to clean traffic, which supports application scenarios in which a complex combination of multiple strategies is needed to clean traffic and gives a wider range of application.
Additional aspects and advantages of the present invention will be given in part in the following description, will in part become apparent from the following description, or will be learned through practice of the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the present invention will become apparent and readily understood from the following description of the embodiments taken in conjunction with the accompanying drawings, in which:
Fig. 1 is a flow chart of the traffic cleaning method with multi-strategy combination loading according to an embodiment of the present invention;
Fig. 2 is a framework diagram of the traffic cleaning method with multi-strategy combination loading according to an embodiment of the present invention;
Fig. 3 is a data processing flow chart of a virtual strategy according to an embodiment of the present invention; and
Fig. 4 is a schematic diagram of the traffic cleaning device with multi-strategy combination loading according to an embodiment of the present invention.
Detailed description
Embodiments of the present invention are described in detail below. Examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the present invention, and are not to be construed as limiting it.
The following disclosure provides many different embodiments or examples for implementing different structures of the present invention. To simplify the disclosure, the components and arrangements of specific examples are described below. They are, of course, only examples and are not intended to limit the invention. In addition, the present invention may repeat reference numerals and/or letters in different examples. This repetition is for simplicity and clarity and does not in itself indicate a relationship between the various embodiments and/or arrangements discussed. Furthermore, the present invention provides examples of various specific processes and materials, but those of ordinary skill in the art will recognize the applicability of other processes and/or the use of other materials. Moreover, a structure described below in which a first feature is "on" a second feature may include embodiments in which the first and second features are in direct contact, and may also include embodiments in which additional features are formed between the first and second features, so that the first and second features may not be in direct contact.
These and other aspects of the embodiments of the present invention will become clear with reference to the following description and drawings. The description and drawings specifically disclose some particular implementations of the embodiments of the invention to show some of the ways in which the principles of the embodiments may be practised, but it should be understood that the scope of the embodiments is not limited thereby. On the contrary, the embodiments of the invention include all changes, modifications and equivalents falling within the spirit and scope of the appended claims.
The traffic cleaning method with multi-strategy combination loading according to an embodiment of the present invention is described below with reference to Figs. 1 to 3.
As shown in Fig. 1, the traffic cleaning method with multi-strategy combination loading according to the embodiment of the present invention comprises the following steps:
Step S101: the user-space agent client creates a strategy combination.
The strategy combination comprises at least one virtual strategy, wherein a virtual strategy comprises one or more entity strategies and each entity strategy comprises one or more data features.
In one embodiment of the present invention, the strategy combination further comprises an entity strategy, and that entity strategy does not belong to a virtual strategy.
In another embodiment of the present invention, the strategy combination comprises multiple virtual strategies, wherein the multiple virtual strategies share at least one entity strategy.
Step S102: the user-space agent client passes the strategy combination to kernel space.
In one embodiment of the present invention, the user-space agent client passes the virtual strategy to kernel space through a netlink socket interface.
Specifically, loading of virtual strategies is implemented through netlink, the communication interface between kernel space and user space. The strategy data packet format of the embodiment of the present invention is defined on top of the netlink socket data interface. The message format is a layered data message format similar to a protocol stack, as shown in Table 1.
Table 1
The strategy data packet comprises the following three relatively independent layers:
Netlink link layer (nlmsghdr): responsible for sending and receiving netlink data messages.
Service layer (Service_hdr): responsible for service-related functions such as creation, deletion and enabling.
Strategy layer (Strategyinfo): responsible for functions such as creation, deletion, modification and enabling of the strategies of the corresponding service entity.
In the message structures of the service layer and the strategy layer, command IDs are defined to direct the creation, query, modification and deletion of service entities and strategy entities. The service-layer data and strategy-layer data of a message are parsed and processed by the service-layer and strategy-layer handler functions respectively. Tables 2 and 3 show some of the command types of the service layer and the strategy layer respectively.
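| CMD_ID | Macro definition | Description |
|--------|--------------------|-----------------------------------|
| 0x01 | BCS_SVC_CMD_CREATE | Create a new service entity |
| 0x02 | BCS_SVC_CMD_MOD | Modify service entity information |
| 0x03 | BCS_SVC_CMD_DEL | Delete a service entity |

Table 2

| CMD_ID | Macro definition | Description |
|--------|--------------------|------------------------------------|
| 0x01 | BCS_STG_CMD_CREATE | Create a new strategy entity |
| 0x02 | BCS_STG_CMD_MOD | Modify strategy entity information |
| 0x03 | BCS_STG_CMD_DEL | Delete a strategy entity |

Table 3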
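A sketch of the three-layer message and of kernel-side validation of its lengths, added here as an example and not taken from the patent. The command IDs come from Tables 2 and 3; the field layouts of Service_hdr and Strategyinfo are assumptions (Table 1 is not reproduced on this page), nl_hdr is a local mirror of struct nlmsghdr, and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Command IDs as listed in Tables 2 and 3 (create / modify / delete). */
enum { BCS_SVC_CMD_CREATE = 0x01, BCS_SVC_CMD_MOD = 0x02, BCS_SVC_CMD_DEL = 0x03 };
enum { BCS_STG_CMD_CREATE = 0x01, BCS_STG_CMD_MOD = 0x02, BCS_STG_CMD_DEL = 0x03 };

#define MAX_ENTITIES 8   /* assumed cap on entity strategies per virtual strategy */

/* Local mirror of struct nlmsghdr from <linux/netlink.h>, so this builds anywhere. */
struct nl_hdr { uint32_t len; uint16_t type, flags; uint32_t seq, pid; };
/* ASSUMED layouts: Table 1 is missing from the page, so these fields are hypothetical. */
struct service_hdr   { uint8_t cmd, reserved; uint16_t service_id; };
struct strategy_info { uint8_t cmd, n_entities; uint16_t strategy_id; };
/* ...followed on the wire by n_entities uint16_t entity-strategy ids. */

struct parsed {
    uint8_t svc_cmd, stg_cmd, n_entities;
    uint16_t service_id, strategy_id, entity[MAX_ENTITIES];
};

/* User-space side: serialize one virtual strategy. Returns bytes written, 0 on error. */
size_t build_msg(uint8_t *buf, size_t cap, uint8_t svc_cmd, uint16_t service_id,
                 uint8_t stg_cmd, uint16_t strategy_id,
                 const uint16_t *entity, uint8_t n)
{
    size_t ids = (size_t)n * sizeof(uint16_t);
    size_t total = sizeof(struct nl_hdr) + sizeof(struct service_hdr)
                 + sizeof(struct strategy_info) + ids;
    if (n == 0 || n > MAX_ENTITIES || total > cap) return 0;

    struct nl_hdr nh = { (uint32_t)total, 0x10 /* constructed message type */, 0, 1, 0 };
    struct service_hdr sh = { svc_cmd, 0, service_id };
    struct strategy_info si = { stg_cmd, n, strategy_id };
    uint8_t *p = buf;
    memcpy(p, &nh, sizeof nh); p += sizeof nh;
    memcpy(p, &sh, sizeof sh); p += sizeof sh;
    memcpy(p, &si, sizeof si); p += sizeof si;
    memcpy(p, entity, ids);
    return total;
}

/* Kernel side: peel the layers one by one and trust no length field.
 * Returns 0 on success, or the layer that failed:
 * -1 netlink, -2 service, -3 strategy. */
int parse_msg(const uint8_t *buf, size_t got, struct parsed *out)
{
    struct nl_hdr nh; struct service_hdr sh; struct strategy_info si;

    if (got < sizeof nh) return -1;
    memcpy(&nh, buf, sizeof nh);
    /* The declared length must cover the header and fit what was received. */
    if (nh.len < sizeof nh || nh.len > got) return -1;
    size_t off = sizeof nh, end = nh.len;

    if (end - off < sizeof sh) return -2;
    memcpy(&sh, buf + off, sizeof sh); off += sizeof sh;
    if (sh.cmd < BCS_SVC_CMD_CREATE || sh.cmd > BCS_SVC_CMD_DEL) return -2;

    if (end - off < sizeof si) return -3;
    memcpy(&si, buf + off, sizeof si); off += sizeof si;
    if (si.cmd < BCS_STG_CMD_CREATE || si.cmd > BCS_STG_CMD_DEL) return -3;
    /* The entity count is bounded first, then must match the bytes that remain. */
    if (si.n_entities == 0 || si.n_entities > MAX_ENTITIES) return -3;
    if (end - off != si.n_entities * sizeof(uint16_t)) return -3;

    out->svc_cmd = sh.cmd;  out->service_id = sh.service_id;
    out->stg_cmd = si.cmd;  out->strategy_id = si.strategy_id;
    out->n_entities = si.n_entities;
    memcpy(out->entity, buf + off, end - off);
    return 0;
}

int main(void)
{
    uint8_t buf[64];
    uint16_t ids[3] = { 1, 2, 3 };   /* constructed entity-strategy ids */
    struct parsed p;
    size_t n = build_msg(buf, sizeof buf, BCS_SVC_CMD_MOD, 7,
                         BCS_STG_CMD_CREATE, 42, ids, 3);
    printf("built %zu bytes, parse -> %d\n", n, parse_msg(buf, n, &p));
    printf("truncated by one byte -> %d\n", parse_msg(buf, n - 1, &p));
    return 0;
}
```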
The process of establishing a strategy combination is described below.
First, the user can freely choose a strategy combination built from if conditional statements, and, and or.
For example:
Table 4
Then, the user-space client converts the strategy combination specified by the user: the if conditional statements are removed, producing a form in which the relationship between the outer strategy groups is OR and the relationship between the strategies inside a strategy group is AND.
This is possible because any conditional structure built from if conditional statements, and, and or can be equivalently converted into the following form:
(A and B) || (C and D)
The strategy combination in Table 4 can be expressed in the form (A & B & C) || (A & B & D) || (E). This strategy combination comprises three virtual strategies: (A & B & C), (A & B & D) and (E). A, B, C, D and E are each entity strategies.
It can be seen that entity strategy E stands alone as a strategy, so entity strategy E need not be part of any other virtual strategy. Virtual strategy (A & B & C) comprises entity strategies A, B and C, and virtual strategy (A & B & D) comprises entity strategies A, B and D. Entity strategies A and B are shared by these two virtual strategies.
The user-space agent client passes each virtual strategy to kernel space through the netlink socket interface; the kernel receives each virtual strategy in turn, parses it according to the custom protocol and loads it, thereby loading the strategy combination. Once all virtual strategies have been transferred to kernel space and the complete virtual strategy entities have been set up, a traffic cleaning system for arbitrary user-defined combinations of multiple strategies is realized.
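The conversion step described above, as an added C example (not code from the patent): a small recursive-descent parser expands a nested and/or condition into the OR-of-ANDs form, with one bitmask per virtual strategy. The input expression is constructed, since Table 4 is not reproduced on this page, and all type and function names are hypothetical.

```c
#include <stdio.h>

#define MAX_TERMS 32   /* cap on virtual strategies per combination (assumed) */

/* One mask per virtual strategy: bit i set = entity strategy 'A'+i is a member. */
typedef struct {
    unsigned terms[MAX_TERMS];
    int n;
    int err;           /* non-zero on syntax error or too many terms */
} dnf_t;

static const char *cur;            /* parse cursor (not re-entrant) */
static dnf_t parse_or(void);

static void skip_ws(void) { while (*cur == ' ') cur++; }

/* Append a conjunction unless an identical one is already present. */
static void add_term(dnf_t *d, unsigned mask)
{
    for (int i = 0; i < d->n; i++)
        if (d->terms[i] == mask) return;
    if (d->n == MAX_TERMS) { d->err = 1; return; }
    d->terms[d->n++] = mask;
}

/* atom := 'A'..'Z' | '(' or-expr ')' */
static dnf_t parse_atom(void)
{
    dnf_t d = { {0}, 0, 0 };
    skip_ws();
    if (*cur == '(') {
        cur++;
        d = parse_or();
        skip_ws();
        if (*cur == ')') cur++; else d.err = 1;
    } else if (*cur >= 'A' && *cur <= 'Z') {
        add_term(&d, 1u << (*cur - 'A'));
        cur++;
    } else {
        d.err = 1;
    }
    return d;
}

/* and-expr := atom (('&' | '&&') atom)*
 * AND distributes over OR: the result is the cross product of both sides. */
static dnf_t parse_and(void)
{
    dnf_t left = parse_atom();
    for (skip_ws(); *cur == '&' && !left.err; skip_ws()) {
        cur += (cur[1] == '&') ? 2 : 1;
        dnf_t right = parse_atom();
        dnf_t out = { {0}, 0, right.err };
        for (int i = 0; i < left.n; i++)
            for (int j = 0; j < right.n; j++)
                add_term(&out, left.terms[i] | right.terms[j]);
        left = out;
    }
    return left;
}

/* or-expr := and-expr (('|' | '||') and-expr)* ; OR just appends terms. */
static dnf_t parse_or(void)
{
    dnf_t left = parse_and();
    for (skip_ws(); *cur == '|' && !left.err; skip_ws()) {
        cur += (cur[1] == '|') ? 2 : 1;
        dnf_t right = parse_and();
        if (right.err) left.err = 1;
        for (int j = 0; j < right.n; j++)
            add_term(&left, right.terms[j]);
    }
    return left;
}

/* Convert a nested and/or condition into its list of virtual strategies. */
dnf_t to_virtual_strategies(const char *expr)
{
    cur = expr;
    dnf_t d = parse_or();
    skip_ws();
    if (*cur != '\0') d.err = 1;   /* trailing text or unbalanced ')' */
    return d;
}

int main(void)
{
    /* Constructed input: "if A and B: if C or D: drop", plus a standalone E. */
    dnf_t d = to_virtual_strategies("A & B & (C | D) | E");
    for (int i = 0; i < d.n; i++) {
        printf("virtual strategy %d:", i + 1);
        for (int b = 0; b < 26; b++)
            if (d.terms[i] & (1u << b)) printf(" %c", 'A' + b);
        printf("\n");
    }
    return d.err;
}
```

The parser does not minimise the result: a term that is implied by another (A alongside A & B) is kept as its own virtual strategy.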
Step S103: the at least one virtual strategy in the strategy combination is registered with the packet processing framework.
As shown in Fig. 2, the at least one virtual strategy in the strategy combination is registered with the packet processing framework. The packet processing framework may be a SoftIRQ (soft interrupt) packet processing framework.
In one embodiment of the present invention, because an entity strategy can stand alone as a strategy, an entity strategy can also be registered directly with the packet processing framework.
It follows that both entity strategies and virtual strategies can be registered with the packet processing framework.
Step S104: the packet processing framework performs a function callback on each entity strategy in the virtual strategy and compares the communication data packet against the at least one virtual strategy; when the communication data packet matches all entity strategies in at least one virtual strategy, the communication data packet is dropped.
When a communication data packet arrives, the packet processing framework performs function callbacks on the strategies. As shown in Fig. 2, the packet processing framework can call back both virtual strategies and entity strategies that stand alone as strategies.
The packet processing framework makes a drop decision on the communication data packet according to the results of the strategy callbacks. If the communication data packet matches all entity strategies in at least one virtual strategy, the packet is dropped. For example, with the strategy combination (A & B & C) || (A & B & D) || (E), if the communication data packet matches all of entity strategies A, B and C in virtual strategy (A & B & C), the packet is dropped.
When the communication data packet fails to match any one of the entity strategies in the at least one virtual strategy, the communication data packet is sent to the protocol stack for processing.
In one embodiment of the present invention, when a virtual strategy is deleted, the entity strategies it comprises no longer take effect, which matches users' usage habits.
The data processing flow of a virtual strategy is described below with reference to Fig. 3.
Step S301: enter through the virtual strategy processing function and determine whether the virtual strategy is active; if so, perform step S302, otherwise perform step S305.
Step S302: determine whether there are any further entity strategies; if so, perform step S303, otherwise perform step S305.
Step S303: call the entity strategy's packet processing function.
Step S304: determine whether the entity strategy returns a verdict to drop the communication data packet; if so, return to step S302, otherwise perform step S305.
Step S305: record communication data packet filtering statistics.
Step S306: determine, according to the virtual strategy, whether to drop the communication data packet; if so, perform step S307, otherwise perform step S308.
If the communication data packet matches all entity strategies in the virtual strategy, step S307 is performed; otherwise step S308 is performed.
Step S307: return a verdict to drop the communication data packet.
Step S308: return a verdict to accept the communication data packet.
This includes handing the communication data packet to the protocol stack for processing.
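The Fig. 3 flow and the framework's drop decision from step S104, as an added C example that is not code from the patent. The packet fields, the five match functions standing in for entity strategies A to E, and all type and function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed packet summary; the patent does not list the data features. */
struct pkt { uint8_t proto; uint16_t dport; uint16_t len; };

enum verdict { PKT_ACCEPT = 0, PKT_DROP = 1 };

/* Entity strategy: one callback deciding whether the packet matches it. */
struct entity {
    const char *name;
    enum verdict (*match)(const struct pkt *);
    unsigned long hits;
};

#define MAX_ENT 8
/* Virtual strategy: AND over entity strategies, held by pointer so that
 * several virtual strategies can share one entity strategy. */
struct virt {
    bool active;
    struct entity *ent[MAX_ENT];
    size_t n;
    unsigned long seen, dropped;   /* filtering statistics (S305) */
};

/* Fig. 3 flow for one virtual strategy. */
enum verdict virt_process(struct virt *v, const struct pkt *p)
{
    /* S301: inactive means accept. A virtual strategy with no entity
     * strategies would match everything, so it is treated as accept too. */
    bool all_drop = v->active && v->n > 0;
    for (size_t i = 0; all_drop && i < v->n; i++) {   /* S302 */
        if (v->ent[i]->match(p) == PKT_DROP)          /* S303, S304 */
            v->ent[i]->hits++;
        else
            all_drop = false;       /* first miss ends the walk */
    }
    v->seen++;                                        /* S305 */
    if (all_drop) { v->dropped++; return PKT_DROP; }  /* S306, S307 */
    return PKT_ACCEPT;                                /* S308 */
}

/* Framework side: OR across the registered virtual strategies. */
enum verdict framework_rx(struct virt *reg[], size_t n, const struct pkt *p)
{
    for (size_t i = 0; i < n; i++)
        if (virt_process(reg[i], p) == PKT_DROP)
            return PKT_DROP;
    return PKT_ACCEPT;              /* packet goes on to the protocol stack */
}

/* Constructed entity strategies A..E. */
static enum verdict is_udp(const struct pkt *p)   { return p->proto == 17 ? PKT_DROP : PKT_ACCEPT; }
static enum verdict to_dns(const struct pkt *p)   { return p->dport == 53 ? PKT_DROP : PKT_ACCEPT; }
static enum verdict oversize(const struct pkt *p) { return p->len > 512 ? PKT_DROP : PKT_ACCEPT; }
static enum verdict runt(const struct pkt *p)     { return p->len < 40 ? PKT_DROP : PKT_ACCEPT; }
static enum verdict big_icmp(const struct pkt *p)
{
    return (p->proto == 1 && p->len > 1000) ? PKT_DROP : PKT_ACCEPT;
}

static struct entity A = { "A", is_udp, 0 }, B = { "B", to_dns, 0 },
                     C = { "C", oversize, 0 }, D = { "D", runt, 0 },
                     E = { "E", big_icmp, 0 };

/* (A & B & C) || (A & B & D) || (E), with A and B shared. */
static struct virt ABC = { true, { &A, &B, &C }, 3, 0, 0 };
static struct virt ABD = { true, { &A, &B, &D }, 3, 0, 0 };
static struct virt VE  = { true, { &E }, 1, 0, 0 };
static struct virt *registry[] = { &ABC, &ABD, &VE };

enum verdict classify(uint8_t proto, uint16_t dport, uint16_t len)
{
    struct pkt p = { proto, dport, len };
    return framework_rx(registry, sizeof registry / sizeof registry[0], &p);
}

int main(void)
{
    /* Constructed samples: {proto, dport, len} */
    struct pkt s[] = { {17, 53, 600}, {17, 53, 100}, {17, 53, 30},
                       {1, 0, 1200}, {17, 123, 600} };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("proto=%u dport=%u len=%u -> %s\n", (unsigned)s[i].proto,
               (unsigned)s[i].dport, (unsigned)s[i].len,
               classify(s[i].proto, s[i].dport, s[i].len) == PKT_DROP
                   ? "DROP" : "to protocol stack");
    return 0;
}
```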
With the traffic cleaning method with multi-strategy combination loading according to the embodiment of the present invention, the user can choose a strategy combination containing multiple strategies and use it to clean traffic, which supports application scenarios in which a complex combination of multiple strategies is needed to clean traffic and gives a wider range of application.
The traffic cleaning device 400 with multi-strategy combination loading according to an embodiment of the present invention is described below with reference to Fig. 4.
As shown in Fig. 4, the traffic cleaning device 400 with multi-strategy combination loading according to the embodiment of the present invention comprises a user-space agent client 410, a kernel-space module 420 and a packet processing framework 430.
The user-space agent client 410 is used to create a strategy combination, wherein the strategy combination comprises at least one virtual strategy. A virtual strategy comprises one or more entity strategies, and each entity strategy comprises one or more data features. The user-space agent client 410 passes the virtual strategy to the kernel-space module 420 through a netlink socket interface.
In one embodiment of the present invention, the strategy combination further comprises an entity strategy, and that entity strategy does not belong to a virtual strategy.
In another embodiment of the present invention, the strategy combination comprises multiple virtual strategies, wherein the multiple virtual strategies share at least one entity strategy.
The kernel-space module 420 is used to receive the strategy combination and to register the at least one virtual strategy in the strategy combination with the packet processing framework 430.
Specifically, loading of virtual strategies is implemented through netlink, the communication interface between kernel space and user space. The strategy data packet format of the embodiment of the present invention is defined on top of the netlink socket data interface. The message format is a layered data message format similar to a protocol stack.
The strategy data packet comprises the following three relatively independent layers:
Netlink link layer (nlmsghdr): responsible for sending and receiving netlink data messages.
Service layer (Service_hdr): responsible for service-related functions such as creation, deletion and enabling.
Strategy layer (Strategyinfo): responsible for functions such as creation, deletion, modification and enabling of the strategies of the corresponding service entity.
In the message structures of the service layer and the strategy layer, command IDs are defined to direct the creation, query, modification and deletion of service entities and strategy entities. The service-layer data and strategy-layer data of a message are parsed and processed by the service-layer and strategy-layer handler functions respectively.
The process of establishing a strategy combination is described below.
First, the user can freely choose a strategy combination built from if conditional statements, and, and or. Then, the user-space agent client 410 converts the strategy combination specified by the user: the if conditional statements are removed, producing a form in which the relationship between the outer strategy groups is OR and the relationship between the strategies inside a strategy group is AND.
This is possible because any conditional structure built from if conditional statements, and, and or can be equivalently converted into the following form:
(A and B) || (C and D)
For example, a strategy combination may take the form (A & B & C) || (A & B & D) || (E). This strategy combination comprises three virtual strategies: (A & B & C), (A & B & D) and (E). A, B, C, D and E are each entity strategies.
It can be seen that entity strategy E stands alone as a strategy, so entity strategy E need not be part of any other virtual strategy. Virtual strategy (A & B & C) comprises entity strategies A, B and C, and virtual strategy (A & B & D) comprises entity strategies A, B and D. Entity strategies A and B are shared by these two virtual strategies.
The user-space agent client 410 passes each virtual strategy to the kernel-space module 420 through the netlink socket interface; the kernel-space module 420 receives each virtual strategy in turn, parses it according to the custom protocol and loads it, thereby loading the strategy combination, until all virtual strategies have been transferred to the kernel-space module 420 and the complete virtual strategy entities have been set up.
As shown in Fig. 2, the kernel-space module 420 registers the at least one virtual strategy in the strategy combination with the packet processing framework 430. The packet processing framework 430 may be a SoftIRQ (soft interrupt) packet processing framework.
In one embodiment of the present invention, because an entity strategy can stand alone as a strategy, an entity strategy can also be registered directly with the packet processing framework 430.
It follows that both entity strategies and virtual strategies can be registered with the packet processing framework 430.
The packet processing framework 430 is used to perform a function callback on each entity strategy in the virtual strategy and to compare the communication data packet against the at least one virtual strategy, and to drop the communication data packet when it matches all entity strategies in at least one virtual strategy.
When a communication data packet arrives, the packet processing framework 430 performs function callbacks on the strategies. The packet processing framework 430 can call back both virtual strategies and entity strategies that stand alone as strategies.
The packet processing framework 430 makes a drop decision on the communication data packet according to the results of the strategy callbacks. If the communication data packet matches all entity strategies in at least one virtual strategy, the packet is dropped. For example, with the strategy combination (A & B & C) || (A & B & D) || (E), if the communication data packet matches all of entity strategies A, B and C in virtual strategy (A & B & C), the packet is dropped.
When the communication data packet fails to match any one of the entity strategies in the at least one virtual strategy, the packet processing framework 430 sends the communication data packet to the protocol stack for processing.
In one embodiment of the present invention, when a virtual strategy is deleted, the entity strategies it comprises no longer take effect, which matches users' usage habits.
With the traffic cleaning device with multi-strategy combination loading according to the embodiment of the present invention, the user can choose a strategy combination containing multiple strategies and use it to clean traffic, which supports application scenarios in which a complex combination of multiple strategies is needed to clean traffic and gives a wider range of application.
Any process or method described in a flow chart or otherwise described herein can be understood as representing a module, fragment or portion of code comprising one or more executable instructions for implementing the steps of a specific logical function or process, and the scope of the preferred embodiments of the present invention includes other implementations in which functions may be performed out of the order shown or discussed, including in a substantially simultaneous manner or in the reverse order depending on the functions involved, as should be understood by those skilled in the art to which the embodiments of the present invention belong.
The logic and/or steps represented in a flow chart or otherwise described herein may, for example, be regarded as an ordered list of executable instructions for implementing logical functions, and may be embodied in any computer-readable medium for use by, or in combination with, an instruction execution system, apparatus or device (such as a computer-based system, a system including a processor, or another system that can fetch instructions from an instruction execution system, apparatus or device and execute them). For the purposes of this specification, a "computer-readable medium" may be any means that can contain, store, communicate, propagate or transport a program for use by, or in combination with, an instruction execution system, apparatus or device. More specific examples (a non-exhaustive list) of computer-readable media include: an electrical connection (electronic device) with one or more wires, a portable computer diskette (magnetic device), random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and portable compact disc read-only memory (CDROM). The computer-readable medium may even be paper or another suitable medium on which the program can be printed, since the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or otherwise processing it in a suitable manner if necessary, and then stored in computer memory.
It should be understood that the parts of the present invention can be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods can be implemented in software or firmware that is stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they can be implemented by any one or a combination of the following techniques well known in the art: a discrete logic circuit with logic gates for implementing logical functions on data signals, an application-specific integrated circuit (ASIC) with suitable combinational logic gates, a programmable gate array (PGA), a field programmable gate array (FPGA), and so on.
Those of ordinary skill in the art will understand that all or part of the steps of the above embodiment methods can be completed by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium and, when executed, performs one of the steps of the method embodiments or a combination thereof.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing module, each unit may exist physically on its own, or two or more units may be integrated in one module. The integrated module can be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented as a software functional module and sold or used as an independent product, it can also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disc, or the like.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic uses of these terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described, those of ordinary skill in the art will understand that various changes, modifications, substitutions and variations can be made to these embodiments without departing from the principles and spirit of the invention; the scope of the invention is defined by the claims and their equivalents.

Claims (10)

1. A flow cleaning method with multi-strategy-combination loading, characterized in that it comprises the following steps:
a user space agent client creates a strategy combination, wherein the strategy combination comprises at least one empty strategy, the empty strategy comprises one or more entity strategies, and each entity strategy comprises one or more data characteristics;
the user space agent client passes the strategy combination to the kernel state;
the at least one empty strategy in the strategy combination is registered with a data packet processing framework; and
the data packet processing framework performs a function callback on each entity strategy in the empty strategy and compares a communication data packet against the at least one empty strategy, and when the communication data packet satisfies all of the entity strategies in the at least one empty strategy, the communication data packet is discarded.
2. The flow cleaning method as claimed in claim 1, characterized in that the strategy combination further comprises an entity strategy, and that entity strategy does not belong to the empty strategy.
3. The flow cleaning method as claimed in claim 1, characterized in that the strategy combination comprises multiple empty strategies, wherein the multiple empty strategies share at least one entity strategy.
4. The flow cleaning method according to any one of claims 1-3, characterized in that it further comprises the following step:
when the communication data packet does not satisfy any one of the entity strategies in the at least one empty strategy, the communication data packet is sent to the protocol stack for processing.
5. The flow cleaning method according to any one of claims 1-3, characterized in that the user space agent client passes the empty strategy to the kernel state through a netlink socket interface.
6. A flow cleaning device with multi-strategy-combination loading, characterized in that it comprises: a user space agent client, a kernel state module and a data packet processing framework, wherein
the user space agent client is used to create a strategy combination, wherein the strategy combination comprises at least one empty strategy, the empty strategy comprises one or more entity strategies, and each entity strategy comprises one or more data characteristics;
the kernel state module is used to receive the strategy combination and to register the at least one empty strategy in the strategy combination with the data packet processing framework;
the data packet processing framework is used to perform a function callback on each entity strategy in the empty strategy and to compare a communication data packet against the at least one empty strategy, and when the communication data packet satisfies all of the entity strategies in the at least one empty strategy, to discard the communication data packet.
7. The flow cleaning device as claimed in claim 6, characterized in that the strategy combination further comprises an entity strategy, and that entity strategy does not belong to the empty strategy.
8. The flow cleaning device as claimed in claim 6, characterized in that the strategy combination comprises multiple empty strategies, wherein the multiple empty strategies share at least one entity strategy.
9. The flow cleaning device according to any one of claims 6-8, characterized in that, when the communication data packet does not satisfy any one of the entity strategies in the at least one empty strategy, the data packet processing framework sends the communication data packet to the protocol stack for processing.
10. The flow cleaning device according to any one of claims 6-8, characterized in that the user space agent client passes the empty strategy to the kernel state module through a netlink socket interface.
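The matching rule of claims 1, 3 and 4, written as a small user-space C model; this is an added illustration, not code from the patent. The packet fields, the five callbacks and their thresholds are constructed assumptions, and the kernel registration and netlink transfer are not modelled.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed packet summary; the field names are assumptions. */
struct pkt { uint8_t proto; uint16_t dport; uint16_t len; uint8_t tcp_flags; };

/* Entity strategy: a callback that tests one or more data characteristics. */
typedef int (*entity_fn)(const struct pkt *);
static int is_tcp(const struct pkt *p)     { return p->proto == 6; }
static int is_udp(const struct pkt *p)     { return p->proto == 17; }
static int syn_only(const struct pkt *p)   { return p->tcp_flags == 0x02; }
static int oversized(const struct pkt *p)  { return p->len > 1000; }
static int to_port_80(const struct pkt *p) { return p->dport == 80; }

/* Empty strategy: no test of its own, only references to entity strategies. */
struct empty_strategy { const entity_fn *entities; size_t n; };

/* to_port_80 is shared by both empty strategies (claim 3). */
static const entity_fn tcp_syn_to_80[] = { is_tcp, syn_only, to_port_80 };
static const entity_fn udp_big_to_80[] = { is_udp, oversized, to_port_80 };
static const struct empty_strategy combination[] = {
    { tcp_syn_to_80, 3 }, { udp_big_to_80, 3 } };
enum verdict { TO_PROTOCOL_STACK, DROP };

/* Index of the first empty strategy whose entity strategies ALL match, or -1. */
int match_empty_strategy(const struct pkt *p,
                         const struct empty_strategy *set, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        size_t j = 0;
        while (j < set[i].n && set[i].entities[j](p))
            j++;                       /* stop at the first failing callback */
        if (set[i].n > 0 && j == set[i].n)
            return (int)i;             /* n > 0: an empty list never matches */
    }
    return -1;
}

enum verdict clean(const struct pkt *p)
{
    return match_empty_strategy(p, combination, 2) >= 0 ? DROP : TO_PROTOCOL_STACK;
}

int main(void)
{
    struct pkt syn = { 6, 80, 60, 0x02 };   /* constructed sample packet */
    printf("%s\n", clean(&syn) == DROP ? "drop" : "to protocol stack");
}
```

The `n > 0` guard matters in practice: an empty strategy that arrives with no entity strategies would otherwise match vacuously and discard every packet.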
CN201210096528.4A 2012-04-01 2012-04-01 The flow cleaning method that many strategy combinations load and device Active CN103368858B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210096528.4A CN103368858B (en) 2012-04-01 2012-04-01 The flow cleaning method that many strategy combinations load and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210096528.4A CN103368858B (en) 2012-04-01 2012-04-01 The flow cleaning method that many strategy combinations load and device

Publications (2)

Publication Number Publication Date
CN103368858A CN103368858A (en) 2013-10-23
CN103368858B true CN103368858B (en) 2016-01-20

Family

ID=49369422

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210096528.4A Active CN103368858B (en) 2012-04-01 2012-04-01 The flow cleaning method that many strategy combinations load and device

Country Status (1)

Country Link
CN (1) CN103368858B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106534063B (en) * 2016-09-27 2019-11-12 上海红阵信息科技有限公司 A kind of device, method and apparatus encapsulating isomery function equivalence body
CN106549935A (en) 2016-09-27 2017-03-29 上海红阵信息科技有限公司 A kind of isomery function equivalence body generating means and method
CN111181910B (en) * 2019-08-12 2021-10-08 腾讯科技(深圳)有限公司 Protection method and related device for distributed denial of service attack
CN114584391B (en) * 2022-03-22 2024-02-09 恒安嘉新(北京)科技股份公司 Method, device, equipment and storage medium for generating abnormal flow processing strategy

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101404658A (en) * 2008-10-31 2009-04-08 北京锐安科技有限公司 Method and system for detecting bot network
CN101431449A (en) * 2008-11-04 2009-05-13 中国科学院计算技术研究所 Network flux cleaning system
CN101447996A (en) * 2008-12-31 2009-06-03 成都市华为赛门铁克科技有限公司 Defending method for distributed service-refusing attack and system and device thereof
CN102195843A (en) * 2010-03-02 2011-09-21 中国移动通信集团公司 Flow control system and method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040148520A1 (en) * 2003-01-29 2004-07-29 Rajesh Talpade Mitigating denial of service attacks

Also Published As

Publication number Publication date
CN103368858A (en) 2013-10-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant