CN110138797A - A kind of message processing method and device - Google Patents


Info

Publication number
CN110138797A
Authority
CN
China
Prior art keywords
data message
central processing
processing unit
message
data
Legal status
Granted
Application number
CN201910445067.9A
Other languages
Chinese (zh)
Other versions
CN110138797B (en)
Inventor
郝立鹏
王春鹏
Current Assignee
Beijing Knownsec Information Technology Co Ltd
Original Assignee
Beijing Knownsec Information Technology Co Ltd
Application filed by Beijing Knownsec Information Technology Co Ltd
Priority to CN201910445067.9A
Publication of CN110138797A
Application granted
Publication of CN110138797B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L49/00 Packet switching elements
    • H04L49/90 Buffering arrangements
    • H04L49/9031 Wraparound memory, e.g. overrun or underrun detection
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer

Abstract

The application provides a message processing method and device. The method comprises: storing data messages received by the network adapter in a ring buffer, from which the central processing unit reads a data message; the central processing unit judging whether the data message matches pre-generated data bytecode, the data bytecode being used to match data messages of a suspected attack; and, if so, the central processing unit deleting the data message from the ring buffer. In this implementation, data messages received by the network adapter are stored in a ring buffer, the central processing unit reads them from the ring buffer and filters them against the pre-generated data bytecode, and attack data messages are filtered out in the ring buffer so that they never enter a socket buffer, which alleviates the problem that frequent allocation and release of socket buffers wastes computing and memory resources.

Description

A kind of message processing method and device
Technical field
This application relates to the technical field of network security, and in particular to a message processing method and device.
Background art
A distributed denial of service (Distributed Denial of Service, DDoS) attack uses client/server technology to join many computers together as an attack platform and launch a denial of service attack against one or more targets, multiplying the power of the attack. The attacker typically sends the target a large number of data messages in a short time, consuming the target's memory or computing resources so that it can no longer handle legitimate data messages.
Current methods for defending against DDoS attacks are mostly based on hardware firewalls and software firewalls. Hardware-firewall methods filter out large volumes of attack data messages at the network routing protocol layer, for example gateway firewalls and relay firewalls. Software-firewall methods filter attack data messages according to the specific application scenario, for example the firewall built into the operating system and application-level firewalls. With software-firewall methods, most of the data messages seen during a DDoS attack are attack messages, yet each of them still causes a socket buffer to be allocated and released, which wastes computing and memory resources. The prior art therefore suffers from the problem that frequent allocation and release of socket buffers wastes computing and memory resources.
Summary of the invention
The purpose of the embodiments of the present application is to provide a message processing method and device that alleviate the problem of frequent allocation and release of socket buffers wasting computing and memory resources.
An embodiment of the present application provides a message processing method comprising: storing data messages received by the network adapter in a ring buffer, from which the central processing unit reads the data message; the central processing unit judging whether the data message matches pre-generated data bytecode, the data bytecode being used to match data messages of a suspected attack; and, if so, the central processing unit deleting the data message from the ring buffer. In this implementation, data messages received by the network adapter are stored in a ring buffer, the central processing unit reads them from the ring buffer and filters them against the pre-generated data bytecode, and attack data messages are filtered out in the ring buffer so that they never enter a socket buffer, which alleviates the problem that frequent allocation and release of socket buffers wastes computing and memory resources.
Optionally, in an embodiment, the central processing unit judging whether the data message matches the pre-generated data bytecode comprises: parsing the data message to obtain the message length and message format; and the central processing unit judging whether the message length and message format match the data bytecode. Matching data messages on message length and message format in this way performs a preliminary filtering of data messages against the data bytecode, which effectively improves the speed at which data messages are filtered.
Optionally, in an embodiment, after the central processing unit judges whether the data message matches the pre-generated data bytecode, the method further comprises: if the data message does not match the data bytecode, the central processing unit reads the data message from the ring buffer and stores it in a socket buffer. Reading the data message from the ring buffer into a socket buffer improves the speed at which data messages are match-filtered in the socket buffer.
Optionally, in an embodiment, after the central processing unit reads the data message from the ring buffer and stores it in the socket buffer, the method further comprises: the central processing unit parsing the data message stored in the socket buffer to obtain a protocol type and protocol fields; the central processing unit judging whether the protocol type and protocol fields satisfy a first preset condition, the first preset condition being used to filter data messages of a suspected attack; and, if so, the central processing unit deleting the data message from the socket buffer. Matching and filtering data messages on protocol type and protocol fields in the socket buffer improves the accuracy of match filtering in the socket buffer.
Optionally, in an embodiment, after the central processing unit judges whether the protocol type and protocol fields satisfy the first preset condition, the method further comprises: if the protocol type and protocol fields do not satisfy the first preset condition, the central processing unit reads the data message from the socket buffer and stores it in a user-space buffer. Reading the data message from the socket buffer into a user-space buffer improves the speed at which data messages are match-filtered in the user-space buffer.
Optionally, in an embodiment, after the central processing unit reads the data message from the socket buffer and stores it in the user-space buffer, the method further comprises: the central processing unit parsing the data message stored in the user-space buffer to obtain a network address and a network port; and, if the network address and network port satisfy a second preset condition, the central processing unit deleting the data message from the user-space buffer, the second preset condition being used to filter data messages of a suspected attack. Matching and filtering data messages on network address and network port in the user-space buffer improves the accuracy of match filtering in the user-space buffer.
Optionally, in an embodiment, after the central processing unit judges whether the data message matches the pre-generated data bytecode, the method further comprises: if the data message does not match the data bytecode, the central processing unit reads the data message from the ring buffer and stores it in a user-space buffer. Reading the data message from the ring buffer into a user-space buffer improves the speed at which data messages are match-filtered in the user-space buffer.
Optionally, in an embodiment, after the central processing unit reads the data message from the ring buffer and stores it in the user-space buffer, the method further comprises: the central processing unit parsing the data message stored in the user-space buffer to obtain a first identifier and a second identifier; and, if the first identifier and second identifier satisfy a third preset condition, the central processing unit deleting the data message from the user-space buffer, the third preset condition being used to filter data messages of a suspected attack. Matching and filtering data messages on the first identifier and second identifier in the user-space buffer improves the accuracy of match filtering in the user-space buffer.
An embodiment of the present application also provides a message processing device comprising: a first reading module, for storing data messages received by the network adapter in a ring buffer, from which the central processing unit reads the data message; a first judging module, for the central processing unit to judge whether the data message matches pre-generated data bytecode, the data bytecode being used to match data messages of a suspected attack; and a first deleting module, for the central processing unit to delete the data message from the ring buffer if the data message matches the pre-generated data bytecode. In this implementation, data messages received by the network adapter are stored in a ring buffer, the central processing unit reads them from the ring buffer and filters them against the pre-generated data bytecode, and attack data messages are filtered out in the ring buffer so that they never enter a socket buffer, which alleviates the problem that frequent allocation and release of socket buffers wastes computing and memory resources.
Optionally, in an embodiment, the first judging module comprises: a first parsing module, for parsing the data message to obtain the message length and message format; and a second judging module, for the central processing unit to judge whether the message length and message format match the data bytecode.
Optionally, in an embodiment, the device further comprises a second reading module, for the central processing unit to read the data message from the ring buffer and store it in a socket buffer if the data message does not match the data bytecode.
Optionally, in an embodiment, the device further comprises: a second parsing module, for the central processing unit to parse the data message stored in the socket buffer to obtain a protocol type and protocol fields; a third judging module, for the central processing unit to judge whether the protocol type and protocol fields satisfy a first preset condition, the first preset condition being used to filter data messages of a suspected attack; and a second deleting module, for the central processing unit to delete the data message from the socket buffer if the protocol type and protocol fields satisfy the first preset condition.
Optionally, in an embodiment, the device further comprises a third reading module, for the central processing unit to read the data message from the socket buffer and store it in a user-space buffer if the protocol type and protocol fields do not satisfy the first preset condition.
Optionally, in an embodiment, the device further comprises: a third parsing module, for the central processing unit to parse the data message stored in the user-space buffer to obtain a network address and a network port; and a third deleting module, for the central processing unit to delete the data message from the user-space buffer if the network address and network port satisfy a second preset condition, the second preset condition being used to filter data messages of a suspected attack.
Optionally, in an embodiment, the device further comprises a fourth reading module, for the central processing unit to read the data message from the ring buffer and store it in a user-space buffer if the data message does not match the data bytecode.
Optionally, in an embodiment, the device further comprises: a fourth parsing module, for the central processing unit to parse the data message stored in the user-space buffer to obtain a first identifier and a second identifier; and a fourth deleting module, for the central processing unit to delete the data message from the user-space buffer if the first identifier and second identifier satisfy a third preset condition, the third preset condition being used to filter data messages of a suspected attack.
An embodiment of the present application also provides an electronic device comprising a processor and a memory, the memory storing machine-readable instructions executable by the processor; when the machine-readable instructions are executed by the processor, the method described above is performed.
An embodiment of the present application also provides a storage medium on which a computer program is stored; when the computer program is run by a processor, the method described above is performed.
Brief description of the drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings required for the embodiments are briefly described below. It should be understood that the following drawings show only some embodiments of the application and should not be regarded as limiting its scope; a person of ordinary skill in the art can obtain other related drawings from these drawings without creative effort.
Fig. 1 shows a structural schematic diagram of the electronic device provided by an embodiment of the present application;
Fig. 2 shows a flow diagram of the message processing method provided by an embodiment of the present application;
Fig. 3 shows a flow diagram of the match-filtering method after step S120 provided by an embodiment of the present application;
Fig. 4 shows a structural schematic diagram of the message processing device provided by an embodiment of the present application.
Detailed description of embodiments
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings of the embodiments.
Referring to Fig. 1, which shows the structural schematic diagram of the electronic device provided by an embodiment of the present application: the electronic device 101 comprises a processor 102 and a memory 103; the memory 103 stores machine-readable instructions executable by the processor 102, and when the machine-readable instructions are executed by the processor 102 they perform the method described below.
Referring again to Fig. 1, an embodiment of the present application also provides a storage medium 104 on which a computer program is stored; when the computer program is run by the processor 102 it performs the method described below.
The storage medium 104 may be implemented by any type of volatile or non-volatile storage device or a combination of them, such as static random access memory (Static Random Access Memory, SRAM), electrically erasable programmable read-only memory (Electrically Erasable Programmable Read-Only Memory, EEPROM), erasable programmable read-only memory (Erasable Programmable Read Only Memory, EPROM), programmable read-only memory (Programmable Read-Only Memory, PROM), read-only memory (Read-Only Memory, ROM), magnetic memory, flash memory, magnetic disk or optical disk.
Before introducing the scheme of the embodiments of the present application, some concepts involved in the embodiments are introduced first:
Internet Protocol address (Internet Protocol Address, abbreviated IP address): a numeric label assigned to a device that uses the Internet Protocol (IP) for Internet access. Common IP addresses fall into the two main classes IPv4 and IPv6, although other, less common sub-classes also exist.
Berkeley Packet Filter (BPF): on Unix-like systems, a raw interface to the data link layer that provides sending and receiving of raw link-layer packets; in addition, if the network card driver supports promiscuous mode, BPF can put the network card into that mode. Promiscuous mode here means that all packets on the network can be received, regardless of which host they are destined for.
IO Visor Project (IOVP): an open-source project developed by community developers, intended to use, innovate, develop and share virtualised kernel input/output services in order to implement functions such as tracing, analysis, monitoring, security and networking.
eXpress Data Path (XDP): a high-performance, programmable network data path provided in the Linux kernel, forming part of IOVP. XDP provides bare-metal data message processing, where "bare metal" characterises processing that is detached from the operating system layer and reaches ideal speed without losing programmability. In addition, newer versions of XDP can integrate the fast data path dynamically without modifying the Linux kernel, so that base data messages are processed quickly.
Central processing unit (CPU): a very-large-scale integrated circuit that is the computing core and control core of a computer. Its function is mainly to interpret computer instructions and process the data of computer software.
Direct memory access (DMA): allows hardware devices of different speeds to communicate without imposing a large interrupt load on the CPU. Otherwise the CPU would have to copy each piece of data from the source to temporary storage and then write it back to its new place, and during that time the CPU could not be used for any other work.
Socket buffer (SKB): the core data structure of Linux networking. An SKB represents a message to be sent or processed and passes through the entire protocol stack. After an application sends data to a socket, the socket buffer corresponding to that socket is created and the user data is copied into it.
Data Plane Development Kit (DPDK): a set of libraries running on multi-CPU architectures that accelerate the load processing of data messages.
First embodiment
Referring to Fig. 2, which shows the flow diagram of the message processing method provided by an embodiment of the present application. The embodiment provides a message processing method which may optionally comprise the following steps:
Step S110: data messages received by the network adapter are stored in a ring buffer, and the central processing unit reads a data message from the ring buffer.
The network adapter may store received data messages in the ring buffer by DMA, and then notify the central processing unit by an interrupt request that a data message has arrived in the ring buffer. An interrupt request (Interrupt ReQuest, IRQ) here is the action of a hardware device requesting an interrupt from the computer; for example, when a piece of data needs to be read from the hard disk, the hard disk notifies the system by IRQ once the read is complete, by which time the data has already been written to the specified memory or cache.
Step S120: the central processing unit judges whether the data message matches pre-generated data bytecode, the data bytecode being used to match data messages of a suspected attack.
The data bytecode here may be BPF bytecode or eBPF bytecode. eBPF bytecode is an extension of BPF bytecode; both can be produced by compiling code written in a programming language (such as C) into BPF or eBPF bytecode with a compiler tool (such as the bpftools tool). This code mainly consists of various match-filtering rules customised by the user, for example: if the message length of an Ethernet frame is less than 64 bytes, it is judged not to match the pre-generated BPF bytecode.
In an embodiment of the present application, one implementation of step S120 may comprise the following steps:
Step S121: the data message is parsed to obtain the message length and message format.
The message formats of the various message types are, for example: Ethernet frames, Address Resolution Protocol (ARP) frames, Virtual Local Area Network (VLAN) frames, High-Level Data Link Control (HDLC) frames, and so on. The message length varies with the message type; for example, the common message length of an Ethernet frame (with the upper-layer payload removed) is 18 bytes, the common message length of an ARP frame is 8 bytes, the common message length of a VLAN frame is 4 bytes, and the common message length of an HDLC frame is 8 bytes.
Step S122: the central processing unit judges whether the message length and message format match the data bytecode.
The central processing unit may use the xt_bpf module of iptables to judge whether the message length and message format match the BPF bytecode; iptables here is the IP packet filtering program integrated in the Linux kernel. Examples of message length not matching the BPF bytecode: an Ethernet frame whose message length is less than 64 bytes is judged not to match the BPF bytecode; an Ethernet frame whose message length is greater than 1518 bytes is judged not to match the BPF bytecode; an Ethernet frame whose message length is greater than 64 bytes and less than 1518 bytes is judged to match the BPF bytecode; a Transmission Control Protocol (TCP) message whose length is greater than 65535 bytes is judged to match the BPF bytecode; a TCP message whose length is less than 65535 bytes is judged not to match the BPF bytecode. Examples of message format not matching the BPF bytecode: if the check bits computed from the header information are inconsistent with the check bits carried in the data message, the message is judged not to match the BPF bytecode; if they are consistent, it is judged to match the BPF bytecode.
Step S130: if the data message matches the pre-generated data bytecode, the central processing unit deletes the data message from the ring buffer.
After a successful match deletes the data message, i.e. after the central processing unit deletes the data message from the ring buffer, the GateBot tool may also be used to analyse the traffic requests that triggered a match of the BPF bytecode and to deploy a DDoS mitigation strategy matching the suspicious traffic requests. The above process follows a modular design: the rule generation module bpftools, the traffic analysis engine module GateBot and the rule execution module XDP, combined with iptables, form an efficient defence system for matching traffic requests of a suspected DDoS attack.
In this implementation, data messages received by the network adapter are stored in a ring buffer, the central processing unit reads them from the ring buffer and filters them against the pre-generated data bytecode, and attack data messages are filtered out in the ring buffer so that they never enter a socket buffer, which alleviates the problem that frequent allocation and release of socket buffers wastes computing and memory resources.
Fig. 3 is referred to, Fig. 3 shows the stream of the matching filter method provided by the embodiments of the present application after step S120 Journey schematic diagram.In order to enhance the technical effect of matching filtering, in the embodiment of the present application, the matching filtering after step S120 There are two types of embodiment, the first embodiment, including two stages: the first stage is to copy data message from buffer circle Shellfish to socket caching is filtered, and second stage again carries out data message from socket cached copies to User space buffer area Filtering;Data message directly can be copied to User space buffer area from buffer circle and is filtered by second of embodiment.
The first embodiment, after step S120, including the first stage, data message is copied from buffer circle The method being filtered to socket caching is as follows:
Step S140: if data message non-matched data bytecode, central processing unit is by data message from loop buffer It reads and stores to socket and cache in area.
Wherein, data message is read in central processing unit from buffer circle and is stored to before socket caching, needed It to be copied to operating system nucleus application SKB memory space, then by data message from buffer circle according to the size of data message Shellfish to socket caches.
Step S150: central processing unit parses the data message of socket buffer memory, obtains protocol type and agreement word Section.
Here the protocol type is, for example, Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (Hypertext Transfer Protocol over Secure Socket Layer, HTTPS). Taking a TCP data message as an example, the protocol fields obtained from the TCP data message are, for example, the SYN field, FIN field, ACK field, PSH field, RST field and URG field.
Step S160: the central processing unit judges whether the protocol type and the protocol fields meet a first preset condition.
Here the first preset condition is used to filter data messages of a suspected attack. One way of filtering the protocol type and protocol fields with the first preset condition is as follows: a kernel module is developed and injected into the network module; after the central processing unit receives data, it requests SKB storage space from the operating system kernel, parses the SKB structure, and matches and filters it. A concrete way of judging whether the protocol type and protocol fields meet the first preset condition is, for example: if a TCP data message has both the SYN and FIN flags set, it is judged to meet the first preset condition; likewise, if a TCP data message has all flag bits set, it meets the first preset condition; if a TCP data message has only the SYN flag or only the FIN flag set, it is judged not to meet the first preset condition.
Step S170: if the protocol type and the protocol fields meet the first preset condition, the central processing unit deletes the data message from the socket cache.
Here, after a successful match has deleted the data message, that is, after the central processing unit has deleted the data message from the socket cache, the GateBot tool may additionally be used to analyse the traffic requests that triggered a match on the BPF bytecode and to deploy a DDoS mitigation strategy matching those suspicious traffic requests; the traffic matching the BPF bytecode may also be collected by the tool to provide a basis for building a DDoS blacklist database.
In the above implementation, matching and filtering the data message in the socket cache by its protocol type and protocol fields improves the accuracy with which data messages are matched and filtered in the socket cache.
As described above, after step S120 the first embodiment further includes a second stage, in which the data message is copied from the socket cache to the user-space buffer and filtered there, as follows:
Step S180: if the protocol type and the protocol fields do not meet the first preset condition, the central processing unit reads the data message from the socket cache and stores it in the user-space buffer.
Here, if the protocol type and the protocol fields do not meet the first preset condition, the central processing unit may read the data message from the socket cache of the protocol stack of the operating system kernel and store it in the user-space buffer.
Step S190: the central processing unit parses the data message stored in the user-space buffer to obtain a network address and a network port.
Here, taking an IP packet as an example, the network address obtained by parsing is, for example, 123.123.123.123 or 123.11.11.11, and the network port is, for example, 22 or 3389.
Step S200: if the network address and the network port meet a second preset condition, the central processing unit deletes the data message from the user-space buffer.
Here, one concrete way for the network address and network port to meet the second preset condition is to judge by the network port whether it matches a default port of the second preset condition. For example, if the port that is open is port 80 while the ports being requested are 22 or 3389, the default ports can be set to 22 and 3389: when the port in an obtained data message is 22 or 3389, the data message is determined to meet the second preset condition, and when the port in the obtained data message is 80, it is determined not to meet the second preset condition. Alternatively, judge by the network address whether it matches a default address of the second preset condition. For example, the device has two public floating network addresses, 123.123.123.123 and 123.11.11.11; only 123.123.123.123 is open, and 123.11.11.11 is in standby, so the default address can be set to 123.11.11.11: when the address in an obtained data message is 123.11.11.11, the data message is determined to meet the second preset condition, and when the address is 123.123.123.123, it is determined not to meet the second preset condition. It will be understood that the second preset condition is used to filter data messages of a suspected attack.
In the above implementation, matching and filtering the data message in the user-space buffer by its network address and network port improves the accuracy with which data messages are matched and filtered in the user-space buffer.
The second embodiment further includes, after step S120, a method in which the data message is copied directly from the ring buffer to the user-space buffer and filtered there, as follows:
Step S210: if the data message does not match the data bytecode, the central processing unit reads the data message from the ring buffer and stores it in the user-space buffer.
Here, if the data message does not match the data bytecode, the data packet is copied directly from the DMA ring buffer to the user-space buffer using DPDK, bypassing the kernel network protocol stack. It will be understood that this can be done by developing a kernel module and injecting it into the network module: when the central processing unit receives the notification that data has been stored in the ring buffer, it reads the data message directly from the ring buffer and stores it in the user-space buffer.
Step S220: the central processing unit parses the data message stored in the user-space buffer to obtain a first flag and a second flag.
Here the data message may be a TCP data message, the first flag may be the SYN flag and the second flag may be the FIN flag; other flags are of course possible, such as the ACK field, PSH field, RST field and URG field.
Step S230: if the first flag and the second flag meet a third preset condition, the central processing unit deletes the data message from the user-space buffer; the third preset condition is used to filter data messages of a suspected attack.
For ease of understanding and description, the data message here is taken to be a TCP data message, the first flag to be the SYN flag and the second flag to be the FIN flag. A concrete way of judging whether the first flag and the second flag meet the third preset condition is, for example: if the TCP data message has both the SYN and FIN flags set, it is judged to meet the third preset condition; likewise, if the TCP data message has all flag bits set, it meets the third preset condition; if the TCP data message has only the SYN flag or only the FIN flag set, it is judged not to meet the third preset condition.
In the above implementation, matching and filtering the data message in the user-space buffer by its first flag and second flag improves the accuracy with which data messages are matched and filtered in the user-space buffer.
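As an added illustration (not code from the patent), the three conditions described above written as plain C over a raw IPv4/TCP header: `flags_suspicious` is the SYN+FIN / all-flags check of the first and third preset conditions, and `addr_port_suspicious` is the default-port / standby-address check of the second preset condition. The policy values, the packet builder and the `demo_verdict` scenario are constructed for this example; the description places this logic in a kernel module or a DPDK application, which is not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TCP flag bits as laid out in byte 13 of the TCP header. */
enum { TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_RST = 0x04,
       TCP_PSH = 0x08, TCP_ACK = 0x10, TCP_URG = 0x20 };
#define TCP_ALL_FLAGS (TCP_FIN | TCP_SYN | TCP_RST | TCP_PSH | TCP_ACK | TCP_URG)

enum verdict { PASS = 0, DROP_FLAGS = 1, DROP_ADDR_PORT = 2, DROP_MALFORMED = 3 };

/* Hypothetical policy for the second preset condition: the one address that is
 * open to the public and the "default ports" that are never offered on it. */
struct policy { uint32_t open_addr; /* host byte order */ uint16_t default_ports[2]; };

/* First/third preset condition: SYN and FIN together, or every flag bit set. */
int flags_suspicious(uint8_t flags)
{
    if ((flags & (TCP_SYN | TCP_FIN)) == (TCP_SYN | TCP_FIN))
        return 1;
    return (flags & TCP_ALL_FLAGS) == TCP_ALL_FLAGS;
}

/* Second preset condition: destination is not the open address, or is a default port. */
int addr_port_suspicious(const struct policy *p, uint32_t dst_addr, uint16_t dst_port)
{
    if (dst_addr != p->open_addr)
        return 1;
    for (size_t i = 0; i < sizeof p->default_ports / sizeof p->default_ports[0]; i++)
        if (dst_port == p->default_ports[i])
            return 1;
    return 0;
}

/* Parse a raw IPv4 packet and apply both conditions to a TCP segment; anything that
 * is not IPv4/TCP is passed through, since neither condition speaks about it. */
enum verdict classify(const struct policy *p, const uint8_t *pkt, size_t len)
{
    if (len < 20) return DROP_MALFORMED;
    if ((pkt[0] >> 4) != 4 || pkt[9] != 6)      /* version 4 and protocol 6 (TCP) */
        return PASS;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* IP header length incl. options */
    if (ihl < 20 || len < ihl + 20)             /* need a full 20-byte TCP header */
        return DROP_MALFORMED;
    uint32_t dst_addr = ((uint32_t)pkt[16] << 24) | ((uint32_t)pkt[17] << 16) |
                        ((uint32_t)pkt[18] << 8) | pkt[19];
    const uint8_t *tcp = pkt + ihl;
    uint16_t dst_port = (uint16_t)((tcp[2] << 8) | tcp[3]);
    if (flags_suspicious(tcp[13]))
        return DROP_FLAGS;
    if (addr_port_suspicious(p, dst_addr, dst_port))
        return DROP_ADDR_PORT;
    return PASS;
}

/* Build a constructed 40-byte IPv4+TCP packet (no options, payload or checksums). */
size_t build_sample(uint8_t *buf, uint32_t dst_addr, uint16_t dst_port, uint8_t flags)
{
    memset(buf, 0, 40);
    buf[0] = 0x45;  buf[3] = 40;  buf[8] = 64;  buf[9] = 6;  /* v4/IHL 5, len, TTL, TCP */
    buf[16] = (uint8_t)(dst_addr >> 24); buf[17] = (uint8_t)(dst_addr >> 16);
    buf[18] = (uint8_t)(dst_addr >> 8);  buf[19] = (uint8_t)dst_addr;
    buf[22] = (uint8_t)(dst_port >> 8);  buf[23] = (uint8_t)dst_port;
    buf[32] = 0x50;                      /* TCP data offset 5 (20-byte header) */
    buf[33] = flags;
    return 40;
}

/* Scenario from the description, constructed here: 123.123.123.123 is the open
 * address, 123.11.11.11 is standby, and 22/3389 are the default ports. */
enum verdict demo_verdict(uint32_t dst_addr, uint16_t dst_port, uint8_t flags)
{
    static const struct policy pol = { 0x7B7B7B7BU, { 22, 3389 } };
    uint8_t buf[40];
    return classify(&pol, buf, build_sample(buf, dst_addr, dst_port, flags));
}
```

Note that the flag check runs before the address/port check, so a SYN+FIN segment to the open address on port 80 is dropped by the first condition, while a plain SYN to the same address on port 3389 is dropped by the second.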
Second embodiment
Referring to Fig. 4, Fig. 4 shows a schematic structural diagram of the message processing device provided by the embodiments of the present application. The embodiments of the present application provide a message processing device 100, which includes:
A first read module 110, configured to store a received data message in a ring buffer in the network adapter, the central processing unit reading the data message from the ring buffer.
A first judgment module 120, configured for the central processing unit to judge whether the data message matches a pre-generated data bytecode, the data bytecode being used to match data messages of a suspected attack.
A first removing module 130, configured so that, if the data message matches the pre-generated data bytecode, the central processing unit deletes the data message from the ring buffer.
In the above implementation, the received data message is stored in the ring buffer in the network adapter, and the central processing unit reads the data message from the ring buffer and filters it according to the pre-generated data bytecode. Attack data messages are filtered while still in the ring buffer, so they never reach the socket cache, which mitigates the waste of computing resources and memory caused by continually allocating and freeing socket caches.
Optionally, in the embodiment of the present application, the first judgment module includes:
A first parsing module, configured to parse the data message to obtain a message length and a message format.
A second judgment module, configured for the central processing unit to judge whether the message length and the message format match the data bytecode.
Optionally, in the embodiment of the present application, the device includes:
A second read module, configured so that, if the data message does not match the data bytecode, the central processing unit reads the data message from the ring buffer and stores it in the socket cache.
Optionally, in the embodiment of the present application, the device further includes:
A second parsing module, configured for the central processing unit to parse the data message stored in the socket cache to obtain a protocol type and protocol fields.
A third judgment module, configured for the central processing unit to judge whether the protocol type and the protocol fields meet a first preset condition, the first preset condition being used to filter data messages of a suspected attack.
A second removing module, configured so that, if the protocol type and the protocol fields meet the first preset condition, the central processing unit deletes the data message from the socket cache.
Optionally, in the embodiment of the present application, the device further includes:
A third read module, configured so that, if the protocol type and the protocol fields do not meet the first preset condition, the central processing unit reads the data message from the socket cache and stores it in the user-space buffer.
Optionally, in the embodiment of the present application, the device may also include:
A third parsing module, configured for the central processing unit to parse the data message stored in the user-space buffer to obtain a network address and a network port.
A third removing module, configured so that, if the network address and the network port meet a second preset condition, the central processing unit deletes the data message from the user-space buffer, the second preset condition being used to filter data messages of a suspected attack.
Optionally, in the embodiment of the present application, the message processing device may also include:
A fourth read module, configured so that, if the data message does not match the data bytecode, the central processing unit reads the data message from the ring buffer and stores it in the user-space buffer.
Optionally, in the embodiment of the present application, the device may also include:
A fourth parsing module, configured for the central processing unit to parse the data message stored in the user-space buffer to obtain a first flag and a second flag.
A fourth removing module, configured so that, if the first flag and the second flag meet a third preset condition, the central processing unit deletes the data message from the user-space buffer, the third preset condition being used to filter data messages of a suspected attack.
The above is only a specific embodiment of the embodiments of the present application, but the protection scope of the embodiments of the present application is not limited thereto; any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed by the embodiments of the present application shall be covered by the protection scope of the embodiments of the present application.

Claims (10)

1. A message processing method, characterized by comprising:
storing a received data message in a ring buffer in a network adapter, and a central processing unit reading the data message from the ring buffer;
the central processing unit judging whether the data message matches a pre-generated data bytecode, the data bytecode being used to match data messages of a suspected attack;
if so, the central processing unit deleting the data message from the ring buffer.
2. The method according to claim 1, characterized in that the central processing unit judging whether the data message matches the pre-generated data bytecode comprises:
parsing the data message to obtain a message length and a message format;
the central processing unit judging whether the message length and the message format match the data bytecode.
3. The method according to claim 1, characterized in that, after the central processing unit judges whether the data message matches the pre-generated data bytecode, the method further comprises:
if the data message does not match the data bytecode, the central processing unit reading the data message from the ring buffer and storing it in a socket cache.
4. The method according to claim 3, characterized in that, after the central processing unit reads the data message from the ring buffer and stores it in the socket cache, the method further comprises:
the central processing unit parsing the data message stored in the socket cache to obtain a protocol type and protocol fields;
the central processing unit judging whether the protocol type and the protocol fields meet a first preset condition, the first preset condition being used to filter data messages of a suspected attack;
if so, the central processing unit deleting the data message from the socket cache.
5. The method according to claim 4, characterized in that, after the central processing unit judges whether the protocol type and the protocol fields meet the first preset condition, the method further comprises:
if the protocol type and the protocol fields do not meet the first preset condition, the central processing unit reading the data message from the socket cache and storing it in a user-space buffer.
6. The method according to claim 5, characterized in that, after the central processing unit reads the data message from the socket cache and stores it in the user-space buffer, the method further comprises:
the central processing unit parsing the data message stored in the user-space buffer to obtain a network address and a network port;
if the network address and the network port meet a second preset condition, the central processing unit deleting the data message from the user-space buffer, the second preset condition being used to filter data messages of a suspected attack.
7. The method according to claim 1, characterized in that, after the central processing unit judges whether the data message matches the pre-generated data bytecode, the method further comprises:
if the data message does not match the data bytecode, the central processing unit reading the data message from the ring buffer and storing it in a user-space buffer.
8. The method according to claim 7, characterized in that, after the central processing unit reads the data message from the ring buffer and stores it in the user-space buffer, the method further comprises:
the central processing unit parsing the data message stored in the user-space buffer to obtain a first flag and a second flag;
if the first flag and the second flag meet a third preset condition, the central processing unit deleting the data message from the user-space buffer, the third preset condition being used to filter data messages of a suspected attack.
9. A message processing device, characterized by comprising:
a first read module, configured to store a received data message in a ring buffer in a network adapter, a central processing unit reading the data message from the ring buffer;
a first judgment module, configured for the central processing unit to judge whether the data message matches a pre-generated data bytecode, the data bytecode being used to match data messages of a suspected attack;
a first removing module, configured so that, if the data message matches the pre-generated data bytecode, the central processing unit deletes the data message from the ring buffer.
10. The device according to claim 9, characterized in that the first judgment module comprises:
a first parsing module, configured to parse the data message to obtain a message length and a message format;
a second judgment module, configured for the central processing unit to judge whether the message length and the message format match the data bytecode.
CN201910445067.9A 2019-05-27 2019-05-27 Message processing method and device Active CN110138797B (en)
Publications (2)

Publication Number Publication Date
CN110138797A true CN110138797A (en) 2019-08-16
CN110138797B CN110138797B (en) 2021-12-14