CN103634130B - Self-protection method and system for a network terminal device, and network terminal device - Google Patents

Info

Publication number: CN103634130B
Authority: CN (China)
Prior art keywords: network, termination device, cpu, critical value, memory
Legal status: Active
Application number: CN201210302941.1A
Other languages: Chinese (zh)
Other versions: CN103634130A (en)
Inventors: 周明明 (Zhou Mingming), 王金桂 (Wang Jingui)
Current assignee: Shenzhen Gongjin Electronics Co Ltd
Original assignee: Shenzhen Gongjin Electronics Co Ltd
Application filed by: Shenzhen Gongjin Electronics Co Ltd

Abstract

The present invention relates to a self-protection method for a network terminal device, comprising: receiving a data packet; inserting a checkpoint at the entry of the protocol stack; checking whether the current CPU usage of the network terminal device exceeds a CPU critical value; checking whether the current remaining free memory of the network terminal device is below a memory critical value; and, if the CPU usage exceeds the CPU critical value or the remaining free memory is below the memory critical value, discarding the data packet that has not yet been forwarded. The invention further relates to a self-protection system for a network terminal device and to a network terminal device including that system. By inserting a checkpoint at the protocol stack entry, checking the current CPU usage and remaining free memory of the network terminal device, and discarding the currently received packet when critical resources are short, the invention avoids the apparent hang caused by high-volume network processing and the crash caused by memory exhaustion under sustained (non-bursty) high-volume network processing.

Description

Self-protection method and system for a network terminal device, and network terminal device
Technical field
The present invention relates to the field of network communication technology, and in particular to a self-protection method for a network terminal device, a self-protection system for a network terminal device, and a network terminal device including that system.
Background art
Network terminal devices generally comprise bridge-mode terminal devices and routing terminal devices. The spread of the network has affected people's lives to a great degree, which requires network terminal devices to provide a more secure and stable service. With the implementation of network convergence (triple play) and the provision of services that demand more network bandwidth from users, operators in various regions are also placing ever higher performance requirements on network terminal devices.
This development trend forces a large number of security-attack and high-performance test cases into the software development of network terminal devices, and the limited resources of the device expose many problems, in particular crashes and apparent hangs, which users find unacceptable and which ultimately cost the network terminal device supplier business to some extent.
Summary of the invention
In view of the tendency of conventional network terminal devices to crash or apparently hang when the load is excessive, it is necessary to provide a self-protection method for a network terminal device.
A self-protection method for a network terminal device comprises: receiving a data packet; inserting a checkpoint at the protocol stack entry; checking whether the current CPU usage of the network terminal device exceeds a CPU critical value; checking whether the current remaining free memory of the network terminal device is below a memory critical value; and, if the CPU usage exceeds the CPU critical value or the remaining free memory is below the memory critical value, discarding the data packet that has not yet been forwarded.
In one embodiment, the step of inserting a checkpoint at the protocol stack entry specifically comprises inserting the checkpoint at the beginning of the protocol stack entry function netif_receive_skb.
In one embodiment, the CPU critical value is greater than or equal to 90% and less than or equal to 97%.
In one embodiment, the CPU critical value is 95%.
In one embodiment, the memory critical value is greater than or equal to 256KB and less than or equal to 1MB.
In one embodiment, the memory critical value is 512KB.
In one embodiment, the CPU usage is calculated as the sum of the CPU time used in user mode, low-priority user mode and kernel mode, divided by the sum of the CPU time used in user mode, low-priority user mode, kernel mode and system idle.
The present invention also provides a self-protection system for a network terminal device.
A self-protection system for a network terminal device is characterized by comprising: a packet receiving module, for receiving data packets; a check starting module, for starting a CPU usage check module and a remaining free memory check module at the protocol stack entry; the CPU usage check module, for checking whether the current CPU usage of the network terminal device exceeds a CPU critical value and issuing a packet discard instruction if it does; the remaining free memory check module, for checking whether the current remaining free memory of the network terminal device is below a memory critical value and issuing the packet discard instruction if it is; and a packet discard module, for discarding the data packet that has not yet been forwarded when the packet discard instruction is received.
In one embodiment, the CPU critical value is greater than or equal to 90% and less than or equal to 97%, and the memory critical value is greater than or equal to 256KB and less than or equal to 1MB.
The present invention further provides a network terminal device including the above self-protection system.
By inserting a checkpoint at the protocol stack entry, checking the current CPU usage and remaining free memory of the network terminal device, and discarding the currently received packet when critical resources are short, the above self-protection method avoids the apparent hang caused by high-volume network processing and the crash caused by memory exhaustion under sustained (non-bursty) high-volume network processing.
Brief description of the drawings
Fig. 1 is a flowchart of the self-protection method of a network terminal device in one embodiment;
Fig. 2 is a graph of the relation between CPU usage and the receive and transmit softirq count in a conventional network terminal device;
Fig. 3 is a sequence diagram of receive and transmit processing in a conventional network terminal device;
Fig. 4 is a graph of the relation between the effective forwarding count and the receive softirq count in a conventional network terminal device;
Fig. 5 is a data flow diagram of network terminal devices with different drivers;
Fig. 6 compares the invention with a conventional network terminal device in the relation between CPU usage and the receive and transmit softirq count;
Fig. 7 compares the invention with a conventional network terminal device in the relation between the effective forwarding count and the receive softirq count.
Detailed description
To make the objects, features and advantages of the invention easier to understand, specific embodiments of the invention are described in detail below with reference to the accompanying drawings.
In the Linux kernel, the consumers of resources fall mainly into (1) interrupts, generally softirqs, and (2) processes (or threads). On a network terminal device the network must be served with priority, and when throughput is sufficient nearly all resources are occupied by the receive softirq (NET_RX_SOFTIRQ) and the transmit softirq (NET_TX_SOFTIRQ) (a small number of network terminal devices receive packets in the driver via the TASKLET_SOFTIRQ mechanism instead). Note that "transmitting packets", as used in this description and the claims, generally means the network terminal device forwarding data packets.
Fig. 1 is a flowchart of the self-protection method of a network terminal device in one embodiment. Each time the network terminal device receives a data packet it enters the checkpoint and begins the critical-resource check. The critical resources are CPU and memory, because under security attacks and high-performance tests it is CPU and memory that come under the greatest pressure: the root cause of an apparent hang is being unable to obtain sufficient CPU for a long time, and most crashes come from being unable to obtain enough memory, whether as a direct kernel Out of Memory (OOM) exception or as a service process exiting because it cannot allocate the memory it needs. The critical-resource check therefore specifically comprises:
S110: check whether the current CPU usage of the network terminal device exceeds the CPU critical value; if so, go to step S130.
The CPU critical value is a preset empirical value. It is recommended to be no more than 97% and no less than 90%, and may be adjusted within that range according to the processing capacity of the CPU of the network terminal device. One embodiment uses 95%.
S120: check whether the current remaining free memory of the network terminal device is below the memory critical value; if so, go to step S130.
The memory critical value is a preset empirical value. It is recommended to be no more than 1MB and no less than 256KB, and may be adjusted within that range according to the total memory size of the network terminal device. One embodiment uses 512KB.
If the CPU critical value and the memory critical value are set too large, network performance is wasted and harmed to some extent; if they are set too small, the check has no effect and is pointless. In practice they should be adjusted flexibly according to the actual parameters of the network terminal, with reference to the numerical ranges given in this invention.
S130: discard the data packet that has not yet been forwarded.
As described above, in this embodiment a critical-resource check (steps S110 and S120) is performed after every data packet the network terminal device receives; as soon as either S110 or S120 yields "yes", step S130 is executed. This reduces the CPU time spent in the current softirq (i.e. lowers CPU usage) and releases the memory occupied by the current data packet. The order of steps S110 and S120 is not strictly constrained: other embodiments may execute S120 before S110, or execute S110 and S120 in parallel.
If both S110 and S120 yield "no", the check has passed and the conventional receive and transmit processing continues.
By checking the current CPU usage and remaining free memory of the network terminal device and discarding the currently received packet when critical resources are short, the above self-protection method avoids the apparent hang caused by high-volume network processing and the crash caused by memory exhaustion under sustained (non-bursty) high-volume network processing.
The CPU of the network terminal device has its own private cache and registers, which hold the time consumed by each class of consumer: user mode (user), low-priority user mode (nice), kernel mode (system) and system idle (idle). CPU utilization expresses these consumers' share of the current CPU; in one embodiment CPU usage is calculated as:
CPU utilization = 100% * (user + nice + system) / (user + nice + system + idle)
From the application layer's point of view, remaining free memory may be taken as free memory (MemFree) + cache (Cache) + buffers (Buffer). But a data packet's memory is requested in the kernel, at the network layer and below, essentially in the GFP_ATOMIC atomic allocation mode, which does not draw on the already allocated buffer and cache areas: it goes directly to free memory (MemFree). If MemFree is insufficient, the allocation fails outright, and further problems follow.
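The following user-space C program is an added illustration of steps S110 to S130, of the CPU-usage formula, and of the MemFree caveat above; it is example code written for this page, not code from the patent or from the assignee's firmware. It applies the same decision to constructed /proc/stat and /proc/meminfo text, assuming the thresholds of the preferred embodiment (95% and 512KB). The helper names, the sample counters and the interval variant cpu_usage_between are this example's own additions; the real checkpoint would read the kernel's counters directly inside netif_receive_skb rather than parse text.

```c
#include <stdio.h>
#include <string.h>

/* Added example for this page, not the patent's code. Thresholds follow the
 * patent's preferred embodiment. */
#define CPU_CRITICAL_PERCENT 95
#define MEM_CRITICAL_KB      512

/* Constructed samples, not captured from a real device. The "cpu" line of
 * /proc/stat holds user nice system idle ... in jiffies. */
static const char *STAT_OVERLOADED = "cpu  9500 200 9000 400 0 0 0 0 0 0";
static const char *STAT_NORMAL     = "cpu  3000 0 2000 5000 0 0 0 0 0 0";
static const char *STAT_T0 = "cpu  1000 0 1000 8000 0 0 0 0 0 0"; /* snapshot */
static const char *STAT_T1 = "cpu  1950 0 1950 8100 0 0 0 0 0 0"; /* one interval later */
/* Constructed /proc/meminfo excerpts, values in kB. */
static const char *MEMINFO_LOW = "MemTotal: 131072 kB\nMemFree: 300 kB\nBuffers: 2048 kB\nCached: 8192 kB\n";
static const char *MEMINFO_OK  = "MemTotal: 131072 kB\nMemFree: 20480 kB\nBuffers: 2048 kB\nCached: 8192 kB\n";

struct cpu_times { unsigned long long user, nice, system, idle; };

/* Parse the four counters the formula needs; 0 on success, -1 otherwise. */
static int parse_cpu_line(const char *line, struct cpu_times *t)
{
    return sscanf(line, "cpu %llu %llu %llu %llu",
                  &t->user, &t->nice, &t->system, &t->idle) == 4 ? 0 : -1;
}

/* CPU usage = 100 * (user + nice + system) / (user + nice + system + idle). */
static int usage_percent(const struct cpu_times *t)
{
    unsigned long long busy = t->user + t->nice + t->system, total = busy + t->idle;
    return total ? (int)(100 * busy / total) : 0;
}

/* The formula over one set of counters (i.e. since boot); -1 on parse error. */
int cpu_usage_from_line(const char *line)
{
    struct cpu_times t;
    return parse_cpu_line(line, &t) == 0 ? usage_percent(&t) : -1;
}

/* The same formula over the difference of two snapshots, so the figure reflects
 * the recent interval rather than the whole uptime; -1 on parse error. */
int cpu_usage_between(const char *prev_line, const char *cur_line)
{
    struct cpu_times a, b, d;
    if (parse_cpu_line(prev_line, &a) != 0 || parse_cpu_line(cur_line, &b) != 0)
        return -1;
    d.user = b.user - a.user;       d.nice = b.nice - a.nice;
    d.system = b.system - a.system; d.idle = b.idle - a.idle;
    return usage_percent(&d);
}

/* Read one "Key: value kB" field from meminfo-style text; -1 if absent. */
static long meminfo_field_kb(const char *meminfo, const char *key)
{
    const char *p = strstr(meminfo, key);
    long v = -1;
    return (p && sscanf(p + strlen(key), " %ld", &v) == 1) ? v : -1;
}

/* What a GFP_ATOMIC allocation on the receive path can draw on: MemFree alone. */
long mem_free_kb(const char *meminfo) { return meminfo_field_kb(meminfo, "MemFree:"); }

/* The application-layer notion of free memory (MemFree + Buffers + Cached),
 * shown only for contrast; the check below deliberately does not use it. */
long mem_app_available_kb(const char *meminfo)
{
    long f = mem_free_kb(meminfo), b = meminfo_field_kb(meminfo, "Buffers:");
    long c = meminfo_field_kb(meminfo, "Cached:");
    return (f < 0 || b < 0 || c < 0) ? -1 : f + b + c;
}

/* S110/S120/S130: drop when either critical resource is short. The two tests
 * are independent, so their order (or running them in parallel) is immaterial. */
int should_drop_packet(int cpu_pct, long free_kb)
{
    return cpu_pct > CPU_CRITICAL_PERCENT || free_kb < MEM_CRITICAL_KB;
}

/* Decision from raw text: 1 = drop, 0 = forward, -1 = a counter could not be read. */
int check_and_decide(const char *stat_line, const char *meminfo)
{
    int cpu = cpu_usage_from_line(stat_line);
    long free_kb = mem_free_kb(meminfo);
    return (cpu < 0 || free_kb < 0) ? -1 : should_drop_packet(cpu, free_kb);
}

static const char *verdict(int d) { return d == 1 ? "drop" : d == 0 ? "forward" : "error"; }

int main(void)
{
    printf("overloaded CPU, memory ok: %s\n", verdict(check_and_decide(STAT_OVERLOADED, MEMINFO_OK)));
    printf("CPU ok, memory low:        %s\n", verdict(check_and_decide(STAT_NORMAL, MEMINFO_LOW)));
    printf("CPU ok, memory ok:         %s\n", verdict(check_and_decide(STAT_NORMAL, MEMINFO_OK)));
    printf("usage since boot at T1: %d%%, over the last interval: %d%%\n",
           cpu_usage_from_line(STAT_T1), cpu_usage_between(STAT_T0, STAT_T1));
    return 0;
}
```

Two points the samples make concrete: the cumulative formula can read 32% at the same moment the last interval reads 95% (STAT_T0 to STAT_T1), so a periodic sampler should compare recent deltas rather than totals since boot; and a reading of exactly 95% does not trigger a drop, because the condition is "exceeds" the critical value, while MemFree of 300KB does, even though the application-layer figure (MemFree + Buffers + Cached) is over 10MB.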
To achieve the goal of resource reservation, the timing of the critical-resource check is very important. A suitable place to perform the check must therefore be found among the resource consumers named above, i.e. (soft) interrupts and processes (threads). Referring to Fig. 2, the maximum effective receive/transmit softirq count (MAX_VALID_RTX1) denotes the number of data packets actually forwarded. Fig. 2 shows that once the receive and transmit softirq count exceeds the maximum effective receive/transmit softirq count, the CPU is essentially monopolised by the receive and transmit softirqs, so other lower-priority softirqs and processes (threads) cannot obtain CPU and remain unavailable for a long time.
The checkpoint can therefore clearly be placed in the receive softirq (NET_RX_SOFTIRQ) and the transmit softirq (NET_TX_SOFTIRQ).
Fig. 3 is a sequence diagram of receive and transmit processing in a conventional network terminal device. It shows that a normal data frame travels from reception in NET_RX_SOFTIRQ to transmission in NET_TX_SOFTIRQ, so controlling the source is enough to control the whole receive-and-transmit path. The checkpoint can therefore be narrowed further to the receive softirq (NET_RX_SOFTIRQ).
Fig. 4 shows the relation curve between the effective forwarding count and the receive softirq count in a conventional network terminal device. Because forwarding a data packet means receiving first and transmitting afterwards, and CPU resources are always limited, the curve follows these rules:
(1) In the initial stage, the forwarding capacity (i.e. the effective forwarding count) rises as the receive softirq count rises; this is essentially a ramp-up phase.
(2) Once the CPU's capacity to process receive and transmit softirqs reaches its bottleneck, the forwarding capacity reaches the maximum effective forwarding count and enters a relatively stable period in which it essentially holds that maximum. In this stage the receive softirq count runs from MAX_VALID_RX2 to MAX_VALID_RX3. In this invention MAX_VALID_RX2 is called the maximum effective forwarding softirq count.
(3) If the receive softirq (NET_RX_SOFTIRQ) count keeps rising, it occupies an excessive share of the CPU and interferes with the CPU's handling of the transmit softirq (NET_TX_SOFTIRQ), which reduces the number of packets actually forwarded, so the effective forwarding count enters a declining phase.
Fig. 5 is a data flow diagram of network terminal devices with different drivers. Because network drivers differ (for example the XTM series, ETH, and the PON series), inserting the check in the driver layer on the receive path is one-sided and may cause the function to fail; moreover, both the DSL routers that are mainstream today and the PON routers gradually taking over the Chinese market must support at least two different types of network driver. For these reasons, and for the generality and practical effect of receive processing, one embodiment inserts the checkpoint for steps S110 and S120 at the protocol stack entry.
The Linux kernel protocol stack entry function is generally netif_receive_skb, so in a preferred embodiment the checkpoint is inserted at the beginning of the protocol stack entry function netif_receive_skb.
Fig. 6 compares the invention with a conventional network terminal device in the relation between CPU usage and the receive and transmit softirq count, and Fig. 7 compares them in the relation between the effective forwarding count and the receive softirq count. Solid lines are the curves of the invention and dash-dot lines those of the conventional technology. Fig. 7 shows that the above self-protection method keeps the effective forwarding count of the network terminal device at a higher level under high load (i.e. when the receive softirq count is very large), with better stability than the conventional technology.
The present invention also provides a self-protection system for a network terminal device, comprising:
a packet receiving module, for receiving data packets;
a check starting module, for starting the CPU usage check module and the remaining free memory check module at the protocol stack entry;
a CPU usage check module, for checking whether the current CPU usage of the network terminal device exceeds the CPU critical value and issuing a packet discard instruction if it does;
a remaining free memory check module, for checking whether the current remaining free memory of the network terminal device is below the memory critical value and issuing the packet discard instruction if it is;
a packet discard module, for discarding the data packet that has not yet been forwarded when the packet discard instruction is received.
Here the CPU critical value is a preset empirical value. It is recommended to be no more than 97% and no less than 90%, and may be adjusted within that range according to the processing capacity of the CPU of the network terminal device. One embodiment uses 95%.
The memory critical value is a preset empirical value. It is recommended to be no more than 1MB and no less than 256KB, and may be adjusted within that range according to the total memory size of the network terminal device. One embodiment uses 512KB.
CPU utilization is calculated with the following formula:
CPU utilization = 100% * (user + nice + system) / (user + nice + system + idle)
The present invention also provides a network terminal device including the above self-protection system.
The embodiments described above express only several embodiments of the invention, and although their description is fairly specific and detailed, it is not to be interpreted as limiting the scope of the patent. It should be pointed out that a person of ordinary skill in the art can make various modifications and improvements without departing from the inventive concept, and these fall within the scope of protection of the invention. The scope of protection of this patent is therefore subject to the appended claims.

Claims (9)

1. A self-protection method for a network terminal device, comprising:
receiving a data packet;
inserting a checkpoint at the protocol stack entry to perform a critical-resource check, the critical resources comprising CPU resources and memory resources;
checking whether the current CPU usage of the network terminal device exceeds a CPU critical value;
checking whether the current remaining free memory of the network terminal device is below a memory critical value;
wherein the CPU critical value and the memory critical value are preset empirical values, and if the CPU usage exceeds the CPU critical value or the remaining free memory is below the memory critical value, the data packet that has not yet been forwarded is discarded;
and the step of inserting a checkpoint at the protocol stack entry specifically comprises inserting the checkpoint at the beginning of the protocol stack entry function netif_receive_skb.
2. The self-protection method for a network terminal device according to claim 1, characterized in that the CPU critical value is greater than or equal to 90% and less than or equal to 97%.
3. The self-protection method for a network terminal device according to claim 2, characterized in that the CPU critical value is 95%.
4. The self-protection method for a network terminal device according to claim 1, characterized in that the memory critical value is greater than or equal to 256KB and less than or equal to 1MB.
5. The self-protection method for a network terminal device according to claim 4, characterized in that the memory critical value is 512KB.
6. The self-protection method for a network terminal device according to any one of claims 1 to 5, characterized in that the CPU usage is calculated as the sum of the CPU time used in user mode, low-priority user mode and kernel mode, divided by the sum of the CPU time used in user mode, low-priority user mode, kernel mode and system idle.
7. A self-protection system for a network terminal device, characterized by comprising:
a packet receiving module, for receiving data packets;
a check starting module, for starting, when a data packet is received, a CPU usage check module and a remaining free memory check module at the protocol stack entry so as to perform a critical-resource check, the critical resources comprising CPU resources and memory resources;
the CPU usage check module, for checking whether the current CPU usage of the network terminal device exceeds a CPU critical value and issuing a packet discard instruction if it does, the CPU critical value being a preset empirical value;
the remaining free memory check module, for checking whether the current remaining free memory of the network terminal device is below a memory critical value and issuing the packet discard instruction if it is, the memory critical value being a preset empirical value;
a packet discard module, for discarding the data packet that has not yet been forwarded when the packet discard instruction is received;
wherein the check starting module, in starting the CPU usage check module and the remaining free memory check module at the protocol stack entry to perform the critical-resource check, inserts the checkpoint at the beginning of the protocol stack entry function netif_receive_skb.
8. The self-protection system for a network terminal device according to claim 7, characterized in that the CPU critical value is greater than or equal to 90% and less than or equal to 97%, and the memory critical value is greater than or equal to 256KB and less than or equal to 1MB.
9. A network terminal device, characterized by including the self-protection system according to claim 7 or 8.
CN201210302941.1A, filed 2012-08-23, priority date 2012-08-23, Active, CN103634130B (en): Self-protection method and system for a network terminal device, and network terminal device

Publications (2)

Publication Number Publication Date
CN103634130A (en) 2014-03-12
CN103634130B (en) 2019-01-08

Family ID: 50214786

Country Status (1)

Country Link
CN (1) CN103634130B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109117271B (en) * 2018-08-10 2021-03-23 普联技术有限公司 (TP-Link Technologies Co., Ltd.) Method for automatically adjusting CPU load, storage medium and terminal equipment

Citations (1)

Publication number Priority date Publication date Assignee Title
CN101800694A (en) * 2009-09-16 2010-08-11 福建星网锐捷网络有限公司 (Fujian Star-net Ruijie Networks Co., Ltd.) Resource warning processing method and routing switching equipment

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
US6094435A (en) * 1997-06-30 2000-07-25 Sun Microsystems, Inc. System and method for a quality of service in a multi-layer network element
CN100531213C (en) * 2006-03-20 2009-08-19 赵洪宇 (Zhao Hongyu) Network safety protective method for preventing reject service attack event
CN101060531B (en) * 2007-05-17 2010-10-13 华为技术有限公司 (Huawei Technologies Co., Ltd.) A method and device for avoiding the attack of network equipment
CN102209028A (en) * 2011-05-06 2011-10-05 北京傲天动联技术有限公司 (Beijing Autelan Technology Co., Ltd.) Flow control device and method for CPU (Central Processing Unit)

Non-Patent Citations (1)

Title
Research on DDoS attack defense on the Hadoop cloud computing platform (基于hadoop云计算平台下DDoS攻击防御研究); Han Wei (韩伟); China Masters' Theses Full-text Database, Information Science and Technology (中国优秀硕士学位论文全文数据库 信息科技辑); 2011-10-15; full text

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant