CN103634130A - Network terminal device self-protection method and system, and network terminal device - Google Patents

Network terminal device self-protection method and system, and network terminal device

Info

Publication number
CN103634130A
Authority
CN
China
Prior art keywords
network
termination device
cpu
critical value
self
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201210302941.1A
Other languages
Chinese (zh)
Other versions
CN103634130B (en)
Inventor
周明明
王金桂
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Gongjin Electronics Co Ltd
Original Assignee
Shenzhen Gongjin Electronics Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Gongjin Electronics Co Ltd
Priority to CN201210302941.1A
Publication of CN103634130A
Application granted
Publication of CN103634130B
Legal status: Active
Anticipated expiration

Abstract

The invention relates to a self-protection method for a network terminal device. The method comprises: receiving a packet; inserting a checkpoint at the entry of the protocol stack; checking whether the current CPU utilization of the network terminal device exceeds a CPU threshold; checking whether the current available memory of the network terminal device is less than a memory threshold; and, if the CPU utilization exceeds the CPU threshold or the remaining available memory is less than the memory threshold, dropping the packet that has not yet been forwarded. The invention also relates to a self-protection system for a network terminal device and to a network terminal device comprising the system. By inserting the checkpoint at the entry of the protocol stack, checking the current CPU utilization and the current available memory of the network terminal device, and dropping the currently received packet when critical resources are insufficient, the invention prevents the hangs caused by processing high-volume network traffic and the crashes caused by memory exhaustion during large bursts of network processing.

Description

Network terminal device self-protection method and system, and network terminal device
Technical field
The present invention relates to the field of network communication technology, and in particular to a self-protection method for a network terminal device, a self-protection system for a network terminal device, and a network terminal device comprising this system.
Background technology
Network terminal devices generally comprise bridge-mode terminal devices and routing terminal devices. Today the network affects people's lives to a large degree, which requires network terminal devices to provide a safer and more stable service. As multi-network convergence is implemented and services demanding more network bandwidth are delivered to users, operators everywhere impose ever higher performance requirements on network terminal devices.
This trend forces a large number of security-attack and high-performance test cases to be added during the software development of network terminal devices, and the limited resources of the devices themselves expose many problems, especially crashes and hangs, which users find unacceptable and which ultimately cost network terminal device vendors business to some extent.
Summary of the invention
Accordingly, it is necessary to provide a self-protection method for a network terminal device that addresses the crashes and hangs to which conventional network terminal devices are prone under excessive load.
A self-protection method for a network terminal device comprises: receiving a packet; inserting a checkpoint at the entry of the protocol stack; checking whether the current CPU utilization of the network terminal device exceeds a CPU threshold; checking whether the current remaining free memory of the network terminal device is less than a memory threshold; and, if the CPU utilization exceeds the CPU threshold or the remaining free memory is less than the memory threshold, dropping the packet that has not yet been forwarded.
In one embodiment, the step of inserting a checkpoint at the entry of the protocol stack specifically comprises inserting the checkpoint at the beginning of the protocol stack entry function netif_receive_skb.
In one embodiment, the CPU threshold is greater than or equal to 90% and less than or equal to 97%.
In one embodiment, the CPU threshold is 95%.
In one embodiment, the memory threshold is greater than or equal to 256KB and less than or equal to 1MB.
In one embodiment, the memory threshold is 512KB.
In one embodiment, the CPU utilization is calculated as the sum of CPU time used in user mode, low-priority user mode and kernel mode, divided by the sum of CPU time in user mode, low-priority user mode, kernel mode and system idle.
The present invention also provides a self-protection system for a network terminal device.
A self-protection system for a network terminal device is characterized in that it comprises: a packet receiving module for receiving packets; a check starting module for starting a CPU utilization checking module and a remaining free memory checking module at the entry of the protocol stack; the CPU utilization checking module, for checking whether the current CPU utilization of the network terminal device exceeds a CPU threshold and, if so, issuing a packet drop instruction; the remaining free memory checking module, for checking whether the current remaining free memory of the network terminal device is less than a memory threshold and, if so, issuing the packet drop instruction; and a packet dropping module for dropping the not-yet-forwarded packet when the packet drop instruction is received.
In one embodiment, the CPU threshold is greater than or equal to 3% and less than or equal to 10%, and the memory threshold is greater than or equal to 256KB and less than or equal to 1MB.
The present invention further provides a network terminal device comprising the above self-protection system.
The above self-protection method for a network terminal device inserts a checkpoint at the entry of the protocol stack, checks the current CPU utilization and remaining free memory of the network terminal device, and drops the currently received packet when critical resources are insufficient. This prevents the hangs caused by processing high-volume network traffic and the crashes caused by memory exhaustion during large bursts of network processing.
Brief description of the drawings
Fig. 1 is a flow chart of the self-protection method for a network terminal device in one embodiment;
Fig. 2 is a graph of the relation between CPU utilization and the number of receive and transmit softirqs in a conventional network terminal device;
Fig. 3 is a sequence diagram of packet receive and transmit processing in a conventional network terminal device;
Fig. 4 is a graph of the relation between the effective forwarding count and the number of receive softirqs in a conventional network terminal device;
Fig. 5 is a data flow diagram of network terminal devices with different drivers;
Fig. 6 compares the present invention with a conventional network terminal device in terms of the relation between CPU utilization and the number of receive and transmit softirqs;
Fig. 7 compares the present invention with a conventional network terminal device in terms of the relation between the effective forwarding count and the number of receive softirqs.
Embodiments
In order to make the objects, features and advantages of the present invention more apparent, specific embodiments of the present invention are described in detail below with reference to the accompanying drawings.
In the Linux kernel, the objects that use resources are divided mainly into (1) interrupts, generally softirqs, and (2) processes (or threads). In a network terminal device, network work must be served with priority; when throughput is sufficient, resources are almost entirely occupied by the receive softirq (NET_RX_SOFTIRQ) and the transmit softirq (NET_TX_SOFTIRQ) (a small number of network terminal device drivers receive packets using the TASKLET_SOFTIRQ softirq instead). Note that "transmitting" as used in this specification and the claims generally refers to the network terminal device forwarding packets.
Fig. 1 is a flow chart of the self-protection method for a network terminal device in one embodiment. Each time the network terminal device receives a packet, it enters the checkpoint and begins checking the critical resources. The critical resources comprise CPU resources and memory resources. This is because, under security attacks and high-performance tests, the CPU and memory come under great pressure: hangs basically originate from being unable to obtain enough CPU resources for a long period, and most crashes come from being unable to obtain enough memory, either directly through a kernel out-of-memory (OOM) exception or because a service process exits after failing to allocate the memory it needs. The critical-resource check therefore specifically comprises:
S110: check whether the current CPU utilization of the network terminal device exceeds the CPU threshold; if so, proceed to step S130.
The CPU threshold is a preset empirical value; it is recommended to be no greater than 97% and no less than 90%, and can be adjusted within this range according to the processing capability of the CPU of the network terminal device. In one embodiment it is 95%.
S120: check whether the current remaining free memory of the network terminal device is less than the memory threshold; if so, proceed to step S130.
The memory threshold is a preset empirical value; it is recommended to be no greater than 1MB and no less than 256KB, and can be adjusted within this range according to the total memory size of the network terminal device. In one embodiment it is 512KB.
If the CPU threshold and the memory threshold are set too large, network performance is wasted and damaged to some extent; if they are set too small, the method has no effect and is pointless. In practice they should be adjusted flexibly according to the actual parameters of the network terminal, with reference to the ranges provided by the present invention.
S130: drop the packet that has not yet been forwarded.
As described above, in this embodiment the network terminal device performs a critical-resource check (steps S110 and S120) after each packet is received, and step S130 is executed as soon as the judgment in either S110 or S120 is "Yes". This reduces the CPU processing time of the current softirq (reducing CPU utilization) and releases the memory occupied by the current packet. It will be understood that the order of steps S110 and S120 is not strictly restricted: in other embodiments S120 may be executed before S110, or S110 and S120 may be executed in parallel.
If the judgment in both S110 and S120 is "No", the check has passed and the conventional packet receive and transmit operations can proceed.
The above self-protection method for a network terminal device checks the current CPU utilization and remaining free memory of the network terminal device and drops the currently received packet when critical resources are insufficient, thereby preventing the hangs caused by processing high-volume network traffic and the crashes caused by memory exhaustion during large bursts of network processing.
The CPU of the network terminal device has its own private cache and registers, in which each object is stored, including user mode (user), low-priority user mode (nice), kernel mode (system) and system idle (idle). CPU utilization concerns the use of the current CPU by these objects; in one embodiment, CPU utilization is calculated as:
CPU utilization = 100% * (user + nice + system) / (user + nice + system + idle)
From the application layer's point of view, the remaining free memory can be taken as: free memory (MemFree) + cache (Cache) + buffers (Buffer). In the kernel, however, memory requested for packets at the network layer and the layers below it is essentially allocated in GFP_ATOMIC (atomic) mode, and such requests cannot draw on buffers that have already been allocated. This mode requests free memory (MemFree) directly, and insufficient free memory directly causes the allocation to fail and then leads to other problems.
To better achieve the goal of resource reservation, the timing of the critical-resource check is extremely important. It is therefore necessary to find a suitable position among the aforementioned resource-using objects, namely (soft) interrupts and processes (threads), at which to perform the critical-resource check. Referring to Fig. 2, the maximum effective receive/transmit softirq count (MAX_VALID_RTX1) refers to the number of packets actually forwarded. As can be seen from Fig. 2, once the number of receive and transmit softirqs exceeds the maximum effective receive/transmit softirq count, the CPU is essentially monopolized by the receive softirq and the transmit softirq, so that other lower-priority softirqs or processes (threads) cannot obtain CPU resources and remain unavailable for a long time.
Thus the checkpoint can clearly be placed in the receive softirq (NET_RX_SOFTIRQ) and the transmit softirq (NET_TX_SOFTIRQ).
Fig. 3 is a sequence diagram of packet receive and transmit processing in a conventional network terminal device. As the figure shows, for a normal data frame, from reception in NET_RX_SOFTIRQ to transmission in NET_TX_SOFTIRQ, controlling the source is enough to control the whole receive/transmit flow. The checkpoint can therefore be narrowed further to the receive softirq (NET_RX_SOFTIRQ).
Fig. 4 shows the relation curve between the effective forwarding count and the number of receive softirqs in a conventional network terminal device. Because forwarding a packet means receiving first and then transmitting, and CPU resources are always limited, this relation curve follows the following rules:
(1) In the initial stage, the packet forwarding capability (effective forwarding count) increases with the number of receive softirqs, essentially as a linearly rising phase.
(2) Once the CPU's capability to process receive and transmit softirqs reaches a bottleneck, the packet forwarding capability has also reached the maximum effective forwarding count and enters a relatively stable phase, during which the forwarding capability essentially remains at this maximum effective forwarding count. In this phase the number of receive softirqs ranges from MAX_VALID_RX2 to MAX_VALID_RX3. In the present invention, MAX_VALID_RX2 is called the maximum effective forwarding softirq count.
(3) If the number of receive softirqs (NET_RX_SOFTIRQ) continues to grow, it occupies too much of the CPU, which affects the CPU's processing of transmit softirqs (NET_TX_SOFTIRQ), which in turn affects the number of packets actually forwarded, so that the effective forwarding count enters a declining phase.
Fig. 5 is a data flow diagram of network terminal devices with different drivers. Because of the differences between network drivers (such as the XTM series, ETH, and the PON series), performing the check on the receive direction in the driver layer is always one-sided and may cause the function to fail, and at present the mainstream DSL routers and the PON routers gradually taking over the Chinese market all need to support at least two different types of network driver. Taking the above reasons together, and considering the generality and actual effect of receive processing, in one embodiment the checkpoint for steps S110 and S120 is inserted at the entry of the protocol stack.
The Linux kernel protocol stack entry function is generally netif_receive_skb, so in a preferred embodiment the checkpoint is inserted at the beginning of the protocol stack entry function netif_receive_skb.
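The checkpoint of steps S110 to S130 and the CPU utilization formula above, written as an added user-space C simulation (not code from the patent or the assignee) that runs the same decision over constructed /proc/stat and /proc/meminfo text. The 95% and 512KB thresholds come from the preferred embodiment; the sample counter values, the MemFree-only memory figure (following the GFP_ATOMIC remark above) and the use of the difference between two /proc/stat samples are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Thresholds from the preferred embodiment (95 % CPU, 512 KB free memory). */
#define CPU_THRESHOLD_PERCENT 95U
#define MEM_THRESHOLD_KB      512U

/* One reading of the aggregate "cpu" line in /proc/stat. */
struct cpu_sample {
    unsigned long long user, nice, system, idle;
};

/* Parse "cpu  user nice system idle ..."; the first four fields are all the
 * formula in the description needs. Returns false on a malformed line. */
static bool parse_cpu_line(const char *line, struct cpu_sample *s)
{
    return sscanf(line, "cpu %llu %llu %llu %llu",
                  &s->user, &s->nice, &s->system, &s->idle) == 4;
}

/* CPU utilization as the description defines it:
 *   100 * (user + nice + system) / (user + nice + system + idle)
 * The /proc/stat counters are cumulative, so the formula is applied to the
 * difference between two samples (this windowing is an assumption of the
 * example). Returns 0 for an empty window instead of dividing by zero. */
static unsigned cpu_usage_percent(const struct cpu_sample *prev,
                                  const struct cpu_sample *cur)
{
    unsigned long long busy = (cur->user - prev->user)
                            + (cur->nice - prev->nice)
                            + (cur->system - prev->system);
    unsigned long long total = busy + (cur->idle - prev->idle);
    return total ? (unsigned)(100ULL * busy / total) : 0;
}

/* Extract MemFree (kB) from /proc/meminfo text. Only MemFree counts here,
 * because atomic allocations in the receive path cannot reclaim page cache
 * or buffers, as the description notes. Returns false if the key is absent. */
static bool parse_mem_free_kb(const char *meminfo, unsigned long long *kb)
{
    const char *p = strstr(meminfo, "MemFree:");
    return p && sscanf(p, "MemFree: %llu kB", kb) == 1;
}

/* Steps S110/S120 -> S130: drop when either critical resource is exhausted. */
static bool should_drop_packet(unsigned cpu_pct, unsigned long long mem_free_kb)
{
    return cpu_pct > CPU_THRESHOLD_PERCENT || mem_free_kb < MEM_THRESHOLD_KB;
}

/* The whole checkpoint on raw text, as it would run on entry to
 * netif_receive_skb. Returns 1 = drop, 0 = forward normally, -1 = bad input. */
int checkpoint(const char *stat_prev, const char *stat_cur, const char *meminfo)
{
    struct cpu_sample prev, cur;
    unsigned long long mem_free;

    if (!parse_cpu_line(stat_prev, &prev) || !parse_cpu_line(stat_cur, &cur)
        || !parse_mem_free_kb(meminfo, &mem_free))
        return -1;
    return should_drop_packet(cpu_usage_percent(&prev, &cur), mem_free) ? 1 : 0;
}

/* Constructed sample input (not captured from a real device). */
static const char STAT_T0[]     = "cpu  1000 50 500 8450 0 0 0 0 0 0\n";
static const char STAT_T1[]     = "cpu  1960 50 500 8490 0 0 0 0 0 0\n"; /* 96 % busy since T0 */
static const char STAT_T2[]     = "cpu  1500 50 500 8950 0 0 0 0 0 0\n"; /* 50 % busy since T0 */
static const char MEMINFO_OK[]  = "MemTotal:      65536 kB\nMemFree:       20480 kB\n";
static const char MEMINFO_LOW[] = "MemTotal:      65536 kB\nMemFree:         300 kB\n";

int main(void)
{
    printf("high CPU, memory ok : %d\n", checkpoint(STAT_T0, STAT_T1, MEMINFO_OK));  /* 1 */
    printf("CPU ok, memory low  : %d\n", checkpoint(STAT_T0, STAT_T2, MEMINFO_LOW)); /* 1 */
    printf("CPU ok, memory ok   : %d\n", checkpoint(STAT_T0, STAT_T2, MEMINFO_OK));  /* 0 */
    return 0;
}
```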
Fig. 6 compares the present invention with a conventional network terminal device in terms of the relation between CPU utilization and the number of receive and transmit softirqs, and Fig. 7 compares the present invention with a conventional network terminal device in terms of the relation between the effective forwarding count and the number of receive softirqs. The solid line represents the curve of the present invention and the dash-dotted line represents the curve of the conventional technique. As can be seen from Fig. 7, the above self-protection method allows the network terminal device to maintain a higher effective forwarding count under high load (that is, when the number of receive softirqs is very large), with better stability than the conventional technique.
The present invention also provides a self-protection system for a network terminal device, comprising:
a packet receiving module for receiving packets;
a check starting module for starting a CPU utilization checking module and a remaining free memory checking module at the entry of the protocol stack;
the CPU utilization checking module, for checking whether the current CPU utilization of the network terminal device exceeds a CPU threshold and, if so, issuing a packet drop instruction;
the remaining free memory checking module, for checking whether the current remaining free memory of the network terminal device is less than a memory threshold and, if so, issuing the packet drop instruction;
a packet dropping module for dropping the not-yet-forwarded packet when the packet drop instruction is received.
Here the CPU threshold is a preset empirical value; it is recommended to be no greater than 97% and no less than 90%, and can be adjusted within this range according to the processing capability of the CPU of the network terminal device. In one embodiment it is 95%.
The memory threshold is a preset empirical value; it is recommended to be no greater than 1MB and no less than 256KB, and can be adjusted within this range according to the total memory size of the network terminal device. In one embodiment it is 512KB.
CPU utilization is calculated with the following formula:
CPU utilization = 100% * (user + nice + system) / (user + nice + system + idle)
The present invention also provides a network terminal device comprising the above self-protection system.
The above embodiments merely express several implementations of the present invention and are described in a relatively specific and detailed manner, but they should not be construed as limiting the scope of the patent claims. It should be pointed out that a person of ordinary skill in the art can make various modifications and improvements without departing from the concept of the present invention, and these all fall within the scope of protection of the present invention. The scope of protection of the present patent should therefore be determined by the appended claims.

Claims (10)

1. A self-protection method for a network terminal device, comprising:
receiving a packet;
inserting a checkpoint at the entry of the protocol stack;
checking whether the current CPU utilization of the network terminal device exceeds a CPU threshold;
checking whether the current remaining free memory of the network terminal device is less than a memory threshold;
if the CPU utilization exceeds the CPU threshold, or the remaining free memory is less than the memory threshold, dropping the packet that has not yet been forwarded.
2. The self-protection method for a network terminal device according to claim 1, characterized in that the step of inserting a checkpoint at the entry of the protocol stack specifically comprises: inserting the checkpoint at the beginning of the protocol stack entry function netif_receive_skb.
3. The self-protection method for a network terminal device according to claim 1, characterized in that the CPU threshold is greater than or equal to 90% and less than or equal to 97%.
4. The self-protection method for a network terminal device according to claim 3, characterized in that the CPU threshold is 95%.
5. The self-protection method for a network terminal device according to claim 1, characterized in that the memory threshold is greater than or equal to 256KB and less than or equal to 1MB.
6. The self-protection method for a network terminal device according to claim 5, characterized in that the memory threshold is 512KB.
7. The self-protection method for a network terminal device according to any one of claims 1 to 6, characterized in that the CPU utilization is calculated as the sum of CPU time used in user mode, low-priority user mode and kernel mode, divided by the sum of CPU time in user mode, low-priority user mode, kernel mode and system idle.
8. A self-protection system for a network terminal device, characterized in that it comprises:
a packet receiving module for receiving packets;
a check starting module for starting a CPU utilization checking module and a remaining free memory checking module at the entry of the protocol stack;
the CPU utilization checking module, for checking whether the current CPU utilization of the network terminal device exceeds a CPU threshold and, if so, issuing a packet drop instruction;
the remaining free memory checking module, for checking whether the current remaining free memory of the network terminal device is less than a memory threshold and, if so, issuing the packet drop instruction;
a packet dropping module for dropping the not-yet-forwarded packet when the packet drop instruction is received.
9. The self-protection system for a network terminal device according to claim 8, characterized in that the CPU threshold is greater than or equal to 3% and less than or equal to 10%, and the memory threshold is greater than or equal to 256KB and less than or equal to 1MB.
10. A network terminal device, characterized in that it comprises the self-protection system according to claim 8 or claim 9.
CN201210302941.1A 2012-08-23 2012-08-23 The self-protecting method and system and network-termination device of network-termination device Active CN103634130B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210302941.1A CN103634130B (en) 2012-08-23 2012-08-23 The self-protecting method and system and network-termination device of network-termination device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210302941.1A CN103634130B (en) 2012-08-23 2012-08-23 The self-protecting method and system and network-termination device of network-termination device

Publications (2)

Publication Number Publication Date
CN103634130A true CN103634130A (en) 2014-03-12
CN103634130B CN103634130B (en) 2019-01-08

Family

ID=50214786

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210302941.1A Active CN103634130B (en) 2012-08-23 2012-08-23 The self-protecting method and system and network-termination device of network-termination device

Country Status (1)

Country Link
CN (1) CN103634130B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109117271A (en) * 2018-08-10 2019-01-01 普联技术有限公司 Method for automatically adjusting CPU load, storage medium and terminal device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6940814B1 (en) * 1997-06-30 2005-09-06 Sun Microsystems, Inc. System and method for a quality of service in a multi-layer network element
CN1822593A (en) * 2006-03-20 2006-08-23 赵洪宇 Network safety protective method for preventing reject service attack event
CN101060531A (en) * 2007-05-17 2007-10-24 华为技术有限公司 A method and device for avoiding the attack of network equipment
CN101800694A (en) * 2009-09-16 2010-08-11 福建星网锐捷网络有限公司 Resource warning processing method and routing switching equipment
CN102209028A (en) * 2011-05-06 2011-10-05 北京傲天动联技术有限公司 Flow control device and method for CPU (Central Processing Unit)

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
韩伟 (Han Wei): "Research on DDoS attack defense on the Hadoop cloud computing platform", China Master's Theses Full-text Database, Information Science and Technology series *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109117271A (en) * 2018-08-10 2019-01-01 普联技术有限公司 Method for automatically adjusting CPU load, storage medium and terminal device
CN109117271B (en) * 2018-08-10 2021-03-23 普联技术有限公司 Method for automatically adjusting CPU load, storage medium and terminal equipment

Also Published As

Publication number Publication date
CN103634130B (en) 2019-01-08

Similar Documents

Publication Publication Date Title
CN107852413B (en) Network device, method and storage medium for offloading network packet processing to a GPU
Handley et al. Re-architecting datacenter networks and stacks for low latency and high performance
CA2849565C (en) Method, apparatus, and system for scheduling processor core in multiprocessor core system
US9898356B2 (en) Packet processing on a multi-core processor
US7836195B2 (en) Preserving packet order when migrating network flows between cores
US20190280991A1 (en) Quality of service traffic management in high-speed packet processing systems
US9402205B2 (en) Traffic forwarding method and system based on virtual switch cluster
US8225329B1 (en) Tail synchronized FIFO for fast user space packet access
US10873882B2 (en) System and method of a pause watchdog
EP2552081A2 (en) Interrupt management
WO2015031277A1 (en) Networking stack of virtualization software configured to support latency sensitive virtual machines
CN103841052A (en) Bandwidth resource distribution system and method
CN101175033A (en) Message order-preserving method and device thereof
CN103154897A (en) Core abstraction layer for telecommunication network applications
CN102185770A (en) Multi-core-architecture-based batch message transmitting and receiving method
CN103607360A (en) Message processing method, line card and switching equipment
CA2855762A1 (en) Network communication apparatus and method of preferential band limitation of transfer frame
CN103634130A (en) Network terminal device self-protection method and system, and network terminal device
CN116233018A (en) Message processing method and device, electronic equipment and storage medium
Runge et al. Low latency network traffic processing with commodity hardware
WO2013035451A1 (en) Communication apparatus, communication state detecting method, and communication state detecting program
US9391898B2 (en) Non-congestive loss in HSPA congestion control
CN102158416A (en) Method and equipment for processing messages based on memory allocation
Zhao et al. ZD: a scalable zero-drop network stack at end hosts
US10243877B1 (en) Network traffic event based process priority management

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant