CN110138797A - Message processing method and device - Google Patents
Message processing method and device
- Publication number: CN110138797A (application CN201910445067.9A)
- Authority: CN (China)
- Prior art keywords: data message, central processing unit, processing unit, message, data
- Legal status: Granted (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (all under H04L, transmission of digital information; H04L63/00 is network architectures or protocols for network security)
- H04L63/1416: Event detection, e.g. attack signature detection (H04L63/14, detecting or protecting against malicious traffic; H04L63/1408, by monitoring network traffic)
- H04L63/1458: Denial of Service (H04L63/1441, countermeasures against malicious traffic)
- H04L49/9031: Wraparound memory, e.g. overrun or underrun detection (H04L49/00, packet switching elements; H04L49/90, buffering arrangements)
- H04L63/168: Implementing security features at a particular protocol layer above the transport layer (H04L63/16)
Abstract
The application provides a message processing method and device. The message processing method includes: a network adapter stores received data messages in a ring buffer, and a central processing unit reads a data message from the ring buffer; the central processing unit judges whether the data message matches pre-generated data bytecode, where the data bytecode is used to match data messages of a suspected attack; if so, the central processing unit deletes the data message from the ring buffer. In this implementation, the network adapter stores received data messages in the ring buffer, and the central processing unit reads them from the ring buffer and filters them according to the pre-generated data bytecode, so attack data messages are filtered out while still in the ring buffer and never enter the socket buffer. This alleviates the problem that frequently allocating and releasing socket buffers wastes computing resources and memory resources.
Description
Technical field
This application relates to the technical field of network security, and in particular to a message processing method and device.
Background technique
A distributed denial of service (DDoS) attack uses client/server technology to join multiple computers together as an attack platform and launch a denial of service attack against one or more targets, multiplying the power of the attack. Typically the attacker sends a large number of data messages to the target in a short time, consuming the target's memory or computing resources so that it can no longer handle normal data messages.
Current methods of defending against DDoS attacks are mostly based on hardware firewalls and software firewalls. Hardware-firewall methods filter out large numbers of attack data messages at the network routing protocol layer, for example gateway firewalls and relay firewalls; software-firewall methods filter attack data messages according to the specific application scenario, for example the firewall built into the operating system and application-level firewalls. With a software-firewall method, most of the data messages seen during a DDoS attack are attack data messages, yet each of them still causes a socket buffer to be allocated and released, wasting computing resources and memory resources. The prior art therefore has the problem that frequent allocation and release of socket buffers wastes computing resources and memory resources.
Summary of the invention
The embodiments of the application aim to provide a message processing method and device that alleviate the problem of wasted computing and memory resources caused by frequent allocation and release of socket buffers.
An embodiment of the application provides a message processing method, including: a network adapter stores received data messages in a ring buffer, and a central processing unit reads the data message from the ring buffer; the central processing unit judges whether the data message matches pre-generated data bytecode, the data bytecode being used to match data messages of a suspected attack; if so, the central processing unit deletes the data message from the ring buffer. In this implementation, received data messages are stored in the ring buffer by the network adapter, and the central processing unit reads them from the ring buffer and filters them according to the pre-generated data bytecode, so attack data messages are filtered out in the ring buffer and never enter the socket buffer, which alleviates the problem that frequent allocation and release of socket buffers wastes computing resources and memory resources.
Optionally, in an embodiment of the application, the central processing unit judging whether the data message matches the pre-generated data bytecode includes: parsing the data message to obtain its message length and message format; and the central processing unit judging whether the message length and message format match the data bytecode. In this implementation, data messages that do not meet requirements are matched by message length and message format, which filters out data messages that do not match the data bytecode at an early stage and so effectively increases the speed of filtering data messages.
Optionally, in an embodiment of the application, after the central processing unit judges whether the data message matches the pre-generated data bytecode, the method further includes: if the data message does not match the data bytecode, the central processing unit reads the data message from the ring buffer and stores it in the socket buffer. Reading the data message from the ring buffer into the socket buffer improves the speed of match filtering the data message in the socket buffer.
Optionally, in an embodiment of the application, after the central processing unit reads the data message from the ring buffer and stores it in the socket buffer, the method further includes: the central processing unit parses the data message stored in the socket buffer to obtain its protocol type and protocol fields; the central processing unit judges whether the protocol type and protocol fields satisfy a first preset condition, the first preset condition being used to filter data messages of a suspected attack; if so, the central processing unit deletes the data message from the socket buffer. Match filtering data messages in the socket buffer by protocol type and protocol fields improves the accuracy of match filtering in the socket buffer.
Optionally, in an embodiment of the application, after the central processing unit judges whether the protocol type and protocol fields satisfy the first preset condition, the method further includes: if the protocol type and protocol fields do not satisfy the first preset condition, the central processing unit reads the data message from the socket buffer and stores it in a user-space buffer. Reading the data message from the socket buffer into the user-space buffer improves the speed of match filtering the data message in the user-space buffer.
Optionally, in an embodiment of the application, after the central processing unit reads the data message from the socket buffer and stores it in the user-space buffer, the method further includes: the central processing unit parses the data message stored in the user-space buffer to obtain its network address and network port; if the network address and network port satisfy a second preset condition, the central processing unit deletes the data message from the user-space buffer, the second preset condition being used to filter data messages of a suspected attack. Match filtering data messages in the user-space buffer by network address and network port improves the accuracy of match filtering in the user-space buffer.
Optionally, in an embodiment of the application, after the central processing unit judges whether the data message matches the pre-generated data bytecode, the method further includes: if the data message does not match the data bytecode, the central processing unit reads the data message from the ring buffer and stores it directly in the user-space buffer. Reading the data message from the ring buffer into the user-space buffer improves the speed of match filtering the data message in the user-space buffer.
Optionally, in an embodiment of the application, after the central processing unit reads the data message from the ring buffer and stores it in the user-space buffer, the method further includes: the central processing unit parses the data message stored in the user-space buffer to obtain a first identifier and a second identifier; if the first identifier and second identifier satisfy a third preset condition, the central processing unit deletes the data message from the user-space buffer, the third preset condition being used to filter data messages of a suspected attack. Match filtering data messages in the user-space buffer by their first and second identifiers improves the accuracy of match filtering in the user-space buffer.
An embodiment of the application also provides a message processing device, including: a first reading module, by which the network adapter stores received data messages in a ring buffer and the central processing unit reads the data message from the ring buffer; a first judging module, by which the central processing unit judges whether the data message matches pre-generated data bytecode, the data bytecode being used to match data messages of a suspected attack; and a first deleting module, by which, if the data message matches the pre-generated data bytecode, the central processing unit deletes the data message from the ring buffer. In this implementation, the network adapter stores received data messages in the ring buffer, and the central processing unit reads them from the ring buffer and filters them according to the pre-generated data bytecode, so attack data messages are filtered out in the ring buffer and never enter the socket buffer, which alleviates the problem that frequent allocation and release of socket buffers wastes computing resources and memory resources.
Optionally, in an embodiment of the application, the first judging module includes: a first parsing module, for parsing the data message to obtain its message length and message format; and a second judging module, by which the central processing unit judges whether the message length and message format match the data bytecode.
Optionally, in an embodiment of the application, the device further includes a second reading module, by which, if the data message does not match the data bytecode, the central processing unit reads the data message from the ring buffer and stores it in the socket buffer.
Optionally, in an embodiment of the application, the device further includes: a second parsing module, by which the central processing unit parses the data message stored in the socket buffer to obtain its protocol type and protocol fields; a third judging module, by which the central processing unit judges whether the protocol type and protocol fields satisfy a first preset condition, the first preset condition being used to filter data messages of a suspected attack; and a second deleting module, by which, if the protocol type and protocol fields satisfy the first preset condition, the central processing unit deletes the data message from the socket buffer.
Optionally, in an embodiment of the application, the device further includes a third reading module, by which, if the protocol type and protocol fields do not satisfy the first preset condition, the central processing unit reads the data message from the socket buffer and stores it in a user-space buffer.
Optionally, in an embodiment of the application, the device further includes: a third parsing module, by which the central processing unit parses the data message stored in the user-space buffer to obtain its network address and network port; and a third deleting module, by which, if the network address and network port satisfy a second preset condition, the central processing unit deletes the data message from the user-space buffer, the second preset condition being used to filter data messages of a suspected attack.
Optionally, in an embodiment of the application, the device further includes a fourth reading module, by which, if the data message does not match the data bytecode, the central processing unit reads the data message from the ring buffer and stores it in the user-space buffer.
Optionally, in an embodiment of the application, the device further includes: a fourth parsing module, by which the central processing unit parses the data message stored in the user-space buffer to obtain a first identifier and a second identifier; and a fourth deleting module, by which, if the first identifier and second identifier satisfy a third preset condition, the central processing unit deletes the data message from the user-space buffer, the third preset condition being used to filter data messages of a suspected attack.
An embodiment of the application also provides an electronic device, including a processor and a memory, the memory storing machine-readable instructions executable by the processor; when the machine-readable instructions are executed by the processor, the method described above is performed.
An embodiment of the application also provides a storage medium on which a computer program is stored; when the computer program is run by a processor, the method described above is performed.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the application more clearly, the drawings required by the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the application and should therefore not be regarded as limiting its scope; those of ordinary skill in the art can obtain other related drawings from these drawings without creative effort.
Fig. 1 shows a schematic structural diagram of the electronic device provided by an embodiment of the application;
Fig. 2 shows a flow diagram of the message processing method provided by an embodiment of the application;
Fig. 3 shows a flow diagram of the match filtering method after step S120 provided by an embodiment of the application;
Fig. 4 shows a schematic structural diagram of the message processing device provided by an embodiment of the application.
Detailed description
The technical solutions in the embodiments of the application are described clearly and completely below with reference to the drawings.
Referring to Fig. 1, which shows a schematic structural diagram of the electronic device provided by an embodiment of the application: the electronic device 101 includes a processor 102 and a memory 103. The memory 103 stores machine-readable instructions executable by the processor 102, and when these instructions are executed by the processor 102 the following method is performed.
Referring again to Fig. 1, an embodiment of the application also provides a storage medium 104 on which a computer program is stored; when the computer program is run by the processor 102, the following method is performed.
The storage medium 104 may be implemented by any type of volatile or non-volatile storage device or a combination of them, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disc.
Before introducing the solution of the embodiments, some concepts involved in the embodiments are introduced first:
An Internet Protocol address (IP address) is a numerical label assigned to a device that uses the Internet Protocol (IP) for network access. Common IP addresses fall into two major classes, IPv4 and IPv6, with other less common subclasses.
Berkeley Packet Filter (BPF) is a raw interface to the data link layer on Unix-like systems. It provides transmission and reception of raw link-layer packets and, if the network card driver supports promiscuous mode, can place the network interface in that mode. Promiscuous mode here means the interface receives all packets on the network regardless of which host they are addressed to.
The IO Visor Project (IOVP) is an open-source project developed by a community of developers. It aims to innovate, develop and share virtualized kernel input/output services in order to implement functions such as tracing, analysis, monitoring, security and networking.
eXpress Data Path (XDP) is a high-performance, programmable network data path provided in the Linux kernel and is part of the IOVP. XDP provides bare-metal data message processing, where bare metal characterizes processing that is detached from the operating-system layer and reaches ideal speed without losing programmability. In addition, newer versions of XDP can be integrated dynamically without modifying the Linux kernel, enabling fast processing of underlying data messages.
A central processing unit (CPU) is a very-large-scale integrated circuit that is the computation core and control core of a computer. Its main function is to interpret computer instructions and process the data of computer software.
Direct memory access (DMA) allows hardware devices of different speeds to communicate without relying on a heavy interrupt load on the CPU. Otherwise the CPU would have to copy each fragment of data from the source to temporary storage and then write it back to its new location, and during that time the CPU would be unavailable for other work.
A socket buffer (SKB) is a core data structure of the Linux network stack. An SKB represents a message to be sent or processed and passes through the entire protocol stack. After an application passes data to a socket, the socket buffer corresponding to that socket is created and the user data is copied into it.
The Data Plane Development Kit (DPDK) is a set of libraries that accelerate data message load processing on multi-CPU architectures.
First embodiment
Referring to Fig. 2, which shows a flow diagram of the message processing method provided by an embodiment of the application, one optional embodiment of the message processing method may include the following steps:
Step S110: the network adapter stores received data messages in a ring buffer, and the central processing unit reads the data message from the ring buffer.
Concretely, the network adapter may store received data messages in the ring buffer by DMA and then notify the central processing unit by an interrupt request that a data message has arrived in the ring buffer. An interrupt request (IRQ) is the action by which hardware in a computer requests an interrupt; for example, when a block of data has to be read from a hard disk, the disk notifies the system through an IRQ once the read has finished, by which time the data has already been written to the specified memory or cache.
Step S120: the central processing unit judges whether the data message matches pre-generated data bytecode; the data bytecode is used to match data messages of a suspected attack.
The data bytecode here may be BPF bytecode or eBPF bytecode. eBPF bytecode is an extension of BPF bytecode; both are produced by a compiler tool (such as the bpftools tool) from code written in a programming language (such as C), and that code mainly consists of the various match filtering rules customized by the user, for example: if the message length of an Ethernet frame is less than 64 bytes, it is judged not to match the pre-generated BPF bytecode.
In an embodiment of the application, one implementation of step S120 may include the following steps:
Step S121: parse the data message to obtain its message length and message format.
The message formats of the various message types include, for example, Ethernet frames, Address Resolution Protocol (ARP) frames, Virtual Local Area Network (VLAN) frames and High-Level Data Link Control (HDLC) frames. The message length varies with the message type; for example, the usual message length of an Ethernet frame (with the upper-layer payload removed) is 18 bytes, the usual message length of an ARP frame is 8 bytes, the usual message length of a VLAN frame is 4 bytes, and the usual message length of an HDLC frame is 8 bytes.
Step S122: the central processing unit judges whether the message length and message format match the data bytecode.
The central processing unit may use the xt_bpf module of iptables to judge whether the message length and message format match the BPF bytecode; iptables here is the IP packet filtering program integrated in the Linux operating system kernel. Examples of message lengths that do not match the BPF bytecode: if the message length of an Ethernet frame is less than 64 bytes, it is judged not to match the BPF bytecode; if the message length of an Ethernet frame is greater than 1518 bytes, it is judged not to match the BPF bytecode; if the message length of an Ethernet frame is greater than 64 bytes and less than 1518 bytes, it is judged to match the BPF bytecode; if the message length of a Transmission Control Protocol (TCP) message is greater than 65535 bytes, it is judged to match the BPF bytecode, and if the TCP message length is less than 65535 bytes, it is judged not to match the BPF bytecode. Examples of message formats that do not match the BPF bytecode: if the checksum computed from the header information is inconsistent with the checksum carried in the data message, it is judged not to match the BPF bytecode; if the checksum computed from the header information is consistent with the checksum carried in the data message, it is judged to match the BPF bytecode.
Step S130: if the data message matches the pre-generated data bytecode, the central processing unit deletes the data message from the ring buffer.
After a successful match and deletion, i.e. after the central processing unit has deleted the data message from the ring buffer, the GateBot tool can also be used to analyze the traffic requests that triggered the BPF bytecode match and to deploy a DDoS mitigation strategy matched to the suspicious traffic requests. The method above follows a modular design: a rule generation module (bpftools), a traffic analysis engine module (GateBot) and a rule execution module (XDP), combined with iptables, together form an efficient defense system for matching suspected DDoS attack traffic requests.
In this implementation, the network adapter stores received data messages in the ring buffer, and the central processing unit reads them from the ring buffer and filters them according to the pre-generated data bytecode, so attack data messages are filtered out in the ring buffer and never enter the socket buffer, which alleviates the problem that frequent allocation and release of socket buffers wastes computing resources and memory resources.
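As an added illustration of steps S121 through S130, the C code below models the ring-buffer stage verdict over a raw Ethernet/IPv4 frame: it applies the 64 to 1518 byte length rule and the header-checksum format rule of step S122 and returns a drop or pass verdict in the style of XDP. It is not code from the patent; it assumes the abstract's convention that a match marks a suspected-attack message to be deleted (so out-of-range frames and frames whose IPv4 header checksum disagrees with the header are dropped), treats the 64 and 1518 bounds as inclusive, and builds constructed test frames between documentation addresses.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Verdict for one frame taken from the ring buffer, modelled on XDP's
 * XDP_DROP / XDP_PASS. DROP corresponds to "matches the data bytecode" in
 * the abstract's sense: a suspected-attack message to be deleted (S130). */
enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };

#define ETH_HLEN       14
#define ETH_MIN_FRAME  64     /* lower bound from step S122, assumed inclusive */
#define ETH_MAX_FRAME  1518   /* upper bound from step S122, assumed inclusive */
#define ETHERTYPE_IPV4 0x0800
#define IPV4_MIN_HLEN  20

/* RFC 1071 ones-complement sum over the IPv4 header. With the checksum field
 * zeroed it returns the value to store; over a header that already carries a
 * correct checksum it returns 0. */
static uint16_t ipv4_header_checksum(const uint8_t *hdr, size_t hlen)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hlen; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    if (hlen & 1)
        sum += (uint32_t)hdr[hlen - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Ring-buffer stage: message length (S121/S122) and message format (S122).
 * frame_len is the frame length as stored in the ring buffer. */
enum verdict stage1_classify(const uint8_t *frame, size_t frame_len)
{
    /* Length rule: Ethernet frames shorter than 64 or longer than 1518 bytes
     * are treated as suspected-attack messages. */
    if (frame_len < ETH_MIN_FRAME || frame_len > ETH_MAX_FRAME)
        return VERDICT_DROP;

    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (ethertype != ETHERTYPE_IPV4)
        return VERDICT_PASS;   /* the page gives no format rule for other types */

    /* Format rule: the IPv4 header must fit inside the frame and the checksum
     * it carries must agree with one recomputed from its contents. */
    const uint8_t *ip = frame + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < IPV4_MIN_HLEN || ETH_HLEN + ihl > frame_len)
        return VERDICT_DROP;
    if (ipv4_header_checksum(ip, ihl) != 0)
        return VERDICT_DROP;
    return VERDICT_PASS;
}

/* Builds a constructed Ethernet/IPv4 frame of total_len bytes (zero payload)
 * between documentation addresses 192.0.2.1 and 192.0.2.2 with a correct
 * header checksum; when corrupt is non-zero one bit of the checksum is flipped. */
size_t build_test_frame(uint8_t *buf, size_t total_len, int corrupt)
{
    memset(buf, 0, total_len);
    memset(buf, 0x02, 6);                       /* constructed destination MAC */
    memset(buf + 6, 0x04, 6);                   /* constructed source MAC */
    buf[12] = 0x08; buf[13] = 0x00;             /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HLEN;
    uint16_t ip_len = (uint16_t)(total_len - ETH_HLEN);
    ip[0] = 0x45;                               /* version 4, IHL 5 (20 bytes) */
    ip[2] = (uint8_t)(ip_len >> 8); ip[3] = (uint8_t)ip_len;
    ip[8] = 64;                                 /* TTL */
    ip[9] = 6;                                  /* protocol: TCP */
    ip[12] = 192; ip[13] = 0; ip[14] = 2; ip[15] = 1;
    ip[16] = 192; ip[17] = 0; ip[18] = 2; ip[19] = 2;
    uint16_t csum = ipv4_header_checksum(ip, IPV4_MIN_HLEN);
    ip[10] = (uint8_t)(csum >> 8); ip[11] = (uint8_t)csum;
    if (corrupt)
        ip[11] ^= 0x01;
    return total_len;
}

/* Constructs a frame of the given length and returns its verdict (0 pass, 1 drop). */
int classify_constructed_frame(size_t total_len, int corrupt)
{
    static uint8_t buf[2048];
    if (total_len < ETH_HLEN + IPV4_MIN_HLEN || total_len > sizeof buf)
        return VERDICT_DROP;                    /* cannot even hold the headers */
    size_t n = build_test_frame(buf, total_len, corrupt);
    return (int)stage1_classify(buf, n);
}

int main(void)
{
    printf("60 bytes: %d, 128 bytes: %d, bad checksum: %d, 1600 bytes: %d\n",
           classify_constructed_frame(60, 0), classify_constructed_frame(128, 0),
           classify_constructed_frame(128, 1), classify_constructed_frame(1600, 0));
    return 0;
}
```

Note that the 64-byte minimum on the page includes the 4-byte frame check sequence, which most network adapters strip before the frame reaches the ring buffer, so a deployment would normally lower that bound to 60.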
Referring to Fig. 3, which shows a flow diagram of the match filtering method after step S120 provided by an embodiment of the application. To strengthen the effect of match filtering, the match filtering after step S120 has two embodiments in the application. The first embodiment has two stages: in the first stage the data message is copied from the ring buffer to the socket buffer and filtered there, and in the second stage it is copied from the socket buffer to the user-space buffer and filtered again. In the second embodiment the data message is copied directly from the ring buffer to the user-space buffer and filtered there.
In the first embodiment, the first stage after step S120, in which the data message is copied from the ring buffer to the socket buffer and filtered, is as follows:
Step S140: if the data message does not match the data bytecode, the central processing unit reads the data message from the ring buffer and stores it in the socket buffer.
Before the central processing unit reads the data message from the ring buffer and stores it in the socket buffer, it must request SKB storage space from the operating system kernel according to the size of the data message, and then copy the data message from the ring buffer to the socket buffer.
Step S150: the central processing unit parses the data message stored in the socket buffer to obtain its protocol type and protocol fields.
Protocol types here include, for example, TCP, User Datagram Protocol (UDP), Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTP over Secure Socket Layer, HTTPS). Taking a TCP data message as an example, the protocol fields obtained from it include the SYN, FIN, ACK, PSH, RST and URG fields.
Step S160: the central processing unit judges whether the protocol type and protocol fields satisfy the first preset condition.
The first preset condition here is used to filter data messages of a suspected attack. One way of filtering the protocol type and protocol fields with the first preset condition is to develop and write a kernel module and inject it into the network module: after the central processing unit receives data, it requests SKB storage space from the operating system kernel, parses the SKB structure and match filters it. Concrete ways of judging whether the protocol type and protocol fields satisfy the first preset condition include: if a TCP data message has both the SYN and FIN flags set, it is judged to satisfy the first preset condition; if a TCP data message has all flag bits set, it satisfies the first preset condition; if a TCP data message has only the SYN flag or only the FIN flag set, it is judged not to satisfy the first preset condition.
Step S170: if the protocol type and protocol fields satisfy the first preset condition, the central processing unit deletes the data message from the socket buffer.
After a successful match and deletion, i.e. after the central processing unit has deleted the data message from the socket buffer, the GateBot tool can also be used to analyze the traffic requests that triggered the BPF bytecode match and to deploy a DDoS mitigation strategy matched to the suspicious traffic requests; the traffic that matched the BPF bytecode can also be directed by a tool to provide a basis for building a DDoS blacklist database.
In this implementation, match filtering data messages in the socket buffer by their protocol type and protocol fields improves the accuracy of match filtering in the socket buffer.
As described above, after step S120, the first embodiment further includes second stage, by data message
The method being filtered from socket cached copies to User space buffer area is as follows:
Step S180: if the protocol type and protocol fields do not meet the first preset condition, the central processing unit reads the data message from the socket cache and stores it in the user-space buffer.
That is, if the protocol type and protocol fields do not meet the first preset condition, the central processing unit can read the data message from the socket cache of the operating system kernel's protocol stack and store it in the user-space buffer.
Step S190: the central processing unit parses the data message stored in the user-space buffer and obtains the network address and network port.
Here, taking the case where the data message is an IP packet as an example, the parsed network address is for example 123.123.123.123 or 123.11.11.11, and the network port is for example 22 or 3389.
Step S200: if the network address and network port meet the second preset condition, the central processing unit deletes the data message from the user-space buffer.
A concrete way for the network address and network port to meet the second preset condition can be to judge, by the network port, whether it is a default port that meets the second preset condition. For example, if the open port is port 80 while the requested ports are 22 or 3389, the default ports here can be set to 22 and 3389; when the port in the acquired data message is 22 or 3389, the data message is determined to meet the second preset condition, and when the port in the acquired data message is 80, the data message is determined not to meet the second preset condition. Alternatively, it can be judged by the network address whether it is a default address that meets the second preset condition. For example, the device has two public floating network addresses, 123.123.123.123 and 123.11.11.11; the open network address is only 123.123.123.123, and the address 123.11.11.11 is only in a standby state, so the default address here can be set to 123.11.11.11; when the address in the acquired data message is 123.11.11.11, the data message is determined to meet the second preset condition, and when the address in the acquired data message is 123.123.123.123, the data message is determined not to meet the second preset condition. It will be understood that the second preset condition here is used to filter data messages suspected of being attacks.
In the above implementation, matching and filtering the data message in the user-space buffer by its network address and network port improves the accuracy of the match-filtering performed on data messages in the user-space buffer.
The second implementation further includes, after step S120, copying the data message directly from the ring buffer to the user-space buffer and filtering it there, as follows:
Step S210: if the data message does not match the data bytecode, the central processing unit reads the data message from the ring buffer and stores it in the user-space buffer.
Here, if the data message does not match the data bytecode, DPDK is used to bypass the kernel network protocol stack and copy the data packet directly from the DMA ring buffer to the user-space buffer. It will be understood that this can be done by developing a kernel module and injecting it into the network module; after the central processing unit receives the notification that data has been stored in the ring buffer, the data message is read directly from the ring buffer and stored in the user-space buffer.
Step S220: the central processing unit parses the data message stored in the user-space buffer and obtains the first flag and the second flag.
Here the data message can be a TCP data message, the first flag can be the SYN flag and the second flag can be the FIN flag; of course they can also be other flags, such as the ACK, PSH, RST and URG fields.
Step S230: if the first flag and the second flag meet the third preset condition, the central processing unit deletes the data message from the user-space buffer; the third preset condition is used to filter data messages suspected of being attacks.
For ease of understanding and description, the data message here is taken to be a TCP data message, the first flag here can be the SYN flag and the second flag here can be the FIN flag. A concrete way of judging whether the first flag and the second flag meet the third preset condition is, for example: if a TCP data message has the SYN and FIN flags set at the same time, it is judged to meet the third preset condition; as another example, if a TCP data message has all flag bits set at the same time, it meets the third preset condition; if a TCP data message has only the SYN flag or only the FIN flag set, it is judged not to meet the third preset condition.
In the above implementation, matching and filtering the data message in the user-space buffer by its first flag and second flag improves the accuracy of the match-filtering performed on data messages in the user-space buffer.
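The flag checks of the first and third preset conditions (steps S160/S170 and S220/S230) and the address/port check of the second preset condition (steps S190/S200), written out as one added C example. This is not code from the patent: the real method operates on kernel SKB or ring-buffer memory, whereas this example parses a constructed IPv4+TCP packet held in a byte array and runs the two checks in sequence, first the flag condition (SYN and FIN set together, or every flag bit set; a lone SYN or lone FIN passes) and then the address/port condition (preset ports 22 and 3389, standby address 123.11.11.11, with 123.123.123.123 as the open address). The packet builder, the source address 198.51.100.7, the verdict names and the function names are assumptions of this example.

```c
/* Added example, not the patent's code: a two-check TCP filter mirroring the
 * preset conditions in the text. Input is a raw IPv4+TCP packet in a byte
 * array; packet builder, source address and verdict names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_ACK 0x10
#define TCP_ALL_FLAGS 0xFF   /* every bit of TCP header byte 13 */
#define PROTO_TCP 6
#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                          ((uint32_t)(c) << 8) | (uint32_t)(d))

enum verdict {
    VERDICT_PASS = 0,           /* forward to the application */
    VERDICT_DROP_FLAGS = 1,     /* first/third preset condition met */
    VERDICT_DROP_ADDR_PORT = 2, /* second preset condition met */
    VERDICT_MALFORMED = 3       /* too short or not IPv4: cannot be parsed */
};

struct parsed {
    uint8_t  proto;
    uint32_t dst_ip;
    uint16_t dst_port;  /* 0 when the packet is not TCP */
    uint8_t  flags;     /* 0 when the packet is not TCP */
};

/* Parse the IPv4 header and, for TCP, the fixed TCP header. Returns 0 on success. */
static int parse_ipv4_tcp(const uint8_t *pkt, size_t len, struct parsed *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;       /* IP header length in bytes */
    if (ihl < 20 || len < ihl) return -1;
    memset(out, 0, sizeof *out);
    out->proto  = pkt[9];
    out->dst_ip = IPV4(pkt[16], pkt[17], pkt[18], pkt[19]);
    if (out->proto == PROTO_TCP) {
        if (len < ihl + 20) return -1;              /* TCP header truncated */
        const uint8_t *tcp = pkt + ihl;
        out->dst_port = (uint16_t)((tcp[2] << 8) | tcp[3]);
        out->flags    = tcp[13];
    }
    return 0;
}

/* First/third preset condition: SYN and FIN set together, or all flag bits set. */
int flags_suspicious(uint8_t flags)
{
    if ((flags & (TCP_SYN | TCP_FIN)) == (TCP_SYN | TCP_FIN)) return 1;
    return flags == TCP_ALL_FLAGS;
}

/* Second preset condition: destination port is a preset (non-open) port,
 * or destination address is the preset standby address. */
static const uint16_t preset_ports[] = { 22, 3389 };
static const uint32_t preset_standby_addr = IPV4(123, 11, 11, 11);

int addr_port_suspicious(uint32_t dst_ip, uint16_t dst_port)
{
    for (size_t i = 0; i < sizeof preset_ports / sizeof preset_ports[0]; i++)
        if (dst_port == preset_ports[i]) return 1;
    return dst_ip == preset_standby_addr;
}

/* Apply the checks in the order the text describes: flags, then address/port. */
enum verdict classify(const uint8_t *pkt, size_t len)
{
    struct parsed p;
    if (parse_ipv4_tcp(pkt, len, &p) != 0) return VERDICT_MALFORMED;
    if (p.proto == PROTO_TCP && flags_suspicious(p.flags)) return VERDICT_DROP_FLAGS;
    if (addr_port_suspicious(p.dst_ip, p.dst_port)) return VERDICT_DROP_ADDR_PORT;
    return VERDICT_PASS;
}

/* Build a constructed 40-byte IPv4+TCP packet: no options, no payload, checksums
 * left zero, source 198.51.100.7 (documentation range) chosen for this example. */
size_t build_packet(uint8_t buf[40], uint32_t dst_ip, uint16_t dst_port, uint8_t flags)
{
    memset(buf, 0, 40);
    buf[0] = 0x45; buf[3] = 40; buf[8] = 64; buf[9] = PROTO_TCP;
    buf[12] = 198; buf[13] = 51; buf[14] = 100; buf[15] = 7;
    buf[16] = (uint8_t)(dst_ip >> 24); buf[17] = (uint8_t)(dst_ip >> 16);
    buf[18] = (uint8_t)(dst_ip >> 8);  buf[19] = (uint8_t)dst_ip;
    buf[20] = 0xC0;                                   /* source port 49152 */
    buf[22] = (uint8_t)(dst_port >> 8); buf[23] = (uint8_t)dst_port;
    buf[32] = 0x50;                                   /* TCP data offset = 5 words */
    buf[33] = flags;
    return 40;
}

/* Build a packet with the given fields and classify it. */
enum verdict classify_constructed(uint32_t dst_ip, uint16_t dst_port, uint8_t flags)
{
    uint8_t buf[40];
    return classify(buf, build_packet(buf, dst_ip, dst_port, flags));
}

int main(void)
{
    static const char *names[] = { "pass", "drop:flags", "drop:addr/port", "malformed" };
    printf("SYN+FIN -> 123.123.123.123:80   %s\n",
           names[classify_constructed(IPV4(123, 123, 123, 123), 80, TCP_SYN | TCP_FIN)]);
    printf("SYN     -> 123.123.123.123:3389 %s\n",
           names[classify_constructed(IPV4(123, 123, 123, 123), 3389, TCP_SYN)]);
    printf("ACK     -> 123.11.11.11:80      %s\n",
           names[classify_constructed(IPV4(123, 11, 11, 11), 80, TCP_ACK)]);
    return 0;
}
```

The example is indifferent to where the bytes came from, so the same `classify` serves both the first implementation (flag check in the socket cache, address/port check in the user-space buffer) and the second implementation (both checks on data copied straight from the ring buffer). The length checks in `parse_ipv4_tcp` matter in practice: a filter that reads TCP byte 13 without first verifying that the TCP header is present reads past the end of a truncated frame.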
Second embodiment
Referring to Fig. 4, Fig. 4 shows a schematic structural diagram of the message processing device provided by the embodiments of the present application. The embodiments of the present application provide a message processing device 100, which includes:
A first read module 110, for storing a received data message in the ring buffer of the network adapter, the central processing unit reading the data message from the ring buffer.
A first judgment module 120, for the central processing unit to judge whether the data message matches pre-generated data bytecode, the data bytecode being used to match data messages suspected of being attacks.
A first removal module 130, for the central processing unit to delete the data message from the ring buffer if the data message matches the pre-generated data bytecode.
In the above implementation, the received data message is stored in the ring buffer of the network adapter, and the central processing unit reads it from the ring buffer and filters it according to the pre-generated data bytecode. Filtering attack data messages in the ring buffer prevents them from being cached into the socket and avoids the waste of computing and memory resources caused by repeatedly allocating and releasing socket caches.
Optionally, in the embodiments of the present application, the first judgment module includes:
A first parsing module, for parsing the data message to obtain the message length and message format.
A second judgment module, for the central processing unit to judge whether the message length and message format match the data bytecode.
Optionally, in the embodiments of the present application, the device includes:
A second read module, for the central processing unit to read the data message from the ring buffer and store it in the socket cache if the data message does not match the data bytecode.
Optionally, in the embodiments of the present application, the device further includes:
A second parsing module, for the central processing unit to parse the data message stored in the socket cache to obtain the protocol type and protocol fields.
A third judgment module, for the central processing unit to judge whether the protocol type and protocol fields meet the first preset condition, the first preset condition being used to filter data messages suspected of being attacks.
A second removal module, for the central processing unit to delete the data message from the socket cache if the protocol type and protocol fields meet the first preset condition.
Optionally, in the embodiments of the present application, the device further includes:
A third read module, for the central processing unit to read the data message from the socket cache and store it in the user-space buffer if the protocol type and protocol fields do not meet the first preset condition.
Optionally, in the embodiments of the present application, the device can further include:
A third parsing module, for the central processing unit to parse the data message stored in the user-space buffer to obtain the network address and network port.
A third removal module, for the central processing unit to delete the data message from the user-space buffer if the network address and network port meet the second preset condition, the second preset condition being used to filter data messages suspected of being attacks.
Optionally, in the embodiments of the present application, the message processing device can further include:
A fourth read module, for the central processing unit to read the data message from the ring buffer and store it in the user-space buffer if the data message does not match the data bytecode.
Optionally, in the embodiments of the present application, the device can further include:
A fourth parsing module, for the central processing unit to parse the data message stored in the user-space buffer to obtain the first flag and the second flag.
A fourth removal module, for the central processing unit to delete the data message from the user-space buffer if the first flag and the second flag meet the third preset condition, the third preset condition being used to filter data messages suspected of being attacks.
The above are only specific embodiments of the embodiments of the present application, but the scope of protection of the embodiments of the present application is not limited thereto; any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the embodiments of the present application shall be covered by the scope of protection of the embodiments of the present application.
Claims (10)
1. A message processing method, characterized in that it comprises:
storing a received data message in the ring buffer of a network adapter, a central processing unit reading the data message from the ring buffer;
the central processing unit judging whether the data message matches pre-generated data bytecode, the data bytecode being used to match data messages suspected of being attacks;
if so, the central processing unit deleting the data message from the ring buffer.
2. The method according to claim 1, characterized in that the central processing unit judging whether the data message matches pre-generated data bytecode comprises:
parsing the data message to obtain a message length and a message format;
the central processing unit judging whether the message length and the message format match the data bytecode.
3. The method according to claim 1, characterized in that, after the central processing unit judges whether the data message matches the pre-generated data bytecode, the method further comprises:
if the data message does not match the data bytecode, the central processing unit reading the data message from the ring buffer and storing it in a socket cache.
4. The method according to claim 3, characterized in that, after the central processing unit reads the data message from the ring buffer and stores it in the socket cache, the method further comprises:
the central processing unit parsing the data message stored in the socket cache to obtain a protocol type and protocol fields;
the central processing unit judging whether the protocol type and the protocol fields meet a first preset condition, the first preset condition being used to filter data messages suspected of being attacks;
if so, the central processing unit deleting the data message from the socket cache.
5. The method according to claim 4, characterized in that, after the central processing unit judges whether the protocol type and the protocol fields meet the first preset condition, the method further comprises:
if the protocol type and the protocol fields do not meet the first preset condition, the central processing unit reading the data message from the socket cache and storing it in a user-space buffer.
6. The method according to claim 5, characterized in that, after the central processing unit reads the data message from the socket cache and stores it in the user-space buffer, the method further comprises:
the central processing unit parsing the data message stored in the user-space buffer to obtain a network address and a network port;
if the network address and the network port meet a second preset condition, the central processing unit deleting the data message from the user-space buffer, the second preset condition being used to filter data messages suspected of being attacks.
7. The method according to claim 1, characterized in that, after the central processing unit judges whether the data message matches the pre-generated data bytecode, the method further comprises:
if the data message does not match the data bytecode, the central processing unit reading the data message from the ring buffer and storing it in a user-space buffer.
8. The method according to claim 7, characterized in that, after the central processing unit reads the data message from the ring buffer and stores it in the user-space buffer, the method further comprises:
the central processing unit parsing the data message stored in the user-space buffer to obtain a first flag and a second flag;
if the first flag and the second flag meet a third preset condition, the central processing unit deleting the data message from the user-space buffer, the third preset condition being used to filter data messages suspected of being attacks.
9. A message processing device, characterized in that it comprises:
a first read module, for storing a received data message in the ring buffer of a network adapter, a central processing unit reading the data message from the ring buffer;
a first judgment module, for the central processing unit to judge whether the data message matches pre-generated data bytecode, the data bytecode being used to match data messages suspected of being attacks;
a first removal module, for the central processing unit to delete the data message from the ring buffer if the data message matches the pre-generated data bytecode.
10. The device according to claim 9, characterized in that the first judgment module comprises:
a first parsing module, for parsing the data message to obtain a message length and a message format;
a second judgment module, for the central processing unit to judge whether the message length and the message format match the data bytecode.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910445067.9A CN110138797B (en) | 2019-05-27 | 2019-05-27 | Message processing method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910445067.9A CN110138797B (en) | 2019-05-27 | 2019-05-27 | Message processing method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110138797A true CN110138797A (en) | 2019-08-16 |
CN110138797B CN110138797B (en) | 2021-12-14 |
Family
ID=67581861
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910445067.9A Active CN110138797B (en) | 2019-05-27 | 2019-05-27 | Message processing method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110138797B (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112153013A (en) * | 2020-09-02 | 2020-12-29 | 杭州安恒信息技术股份有限公司 | Socket data forwarding method and device, electronic equipment and storage medium |
WO2021078233A1 (en) * | 2019-10-24 | 2021-04-29 | 北京大学 | Multipath transport device and architecture |
CN113572774A (en) * | 2021-07-27 | 2021-10-29 | 杭州迪普科技股份有限公司 | Message forwarding method and device in network equipment |
CN114189455A (en) * | 2021-12-08 | 2022-03-15 | 兴业银行股份有限公司 | Container network flow monitoring and counting method and system based on ebpf technology |
TWI825763B (en) * | 2022-03-21 | 2023-12-11 | 瑞昱半導體股份有限公司 | Method for configuring network traffic and computer system thereof |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1633110A (en) * | 2005-01-14 | 2005-06-29 | 中国科学院计算技术研究所 | Flow analysis method based on Linux core |
US8112491B1 (en) * | 2009-01-16 | 2012-02-07 | F5 Networks, Inc. | Methods and systems for providing direct DMA |
CN103023914A (en) * | 2012-12-26 | 2013-04-03 | 北京神州绿盟信息安全科技股份有限公司 | Firewall system and implementation method thereof |
CN103391256A (en) * | 2013-07-25 | 2013-11-13 | 武汉邮电科学研究院 | Base station user plane data processing and optimizing method based on Linux system |
CN103581181A (en) * | 2013-10-28 | 2014-02-12 | 清华大学 | Data packet capturing, processing and sending method and system |
CN104022998A (en) * | 2013-03-01 | 2014-09-03 | 北京瑞星信息技术有限公司 | Network transmission data virus detection processing method |
CN105260378A (en) * | 2015-09-08 | 2016-01-20 | 上海上讯信息技术股份有限公司 | Database audit method and device |
CN105281984A (en) * | 2015-11-27 | 2016-01-27 | 上海斐讯数据通信技术有限公司 | Virtual terminal and method for message capturing and filtering |
US9537972B1 (en) * | 2014-02-20 | 2017-01-03 | Fireeye, Inc. | Efficient access to sparse packets in large repositories of stored network traffic |
CN107181738A (en) * | 2017-04-25 | 2017-09-19 | 中国科学院信息工程研究所 | A kind of software implementation intruding detection system and method |
- 2019-05-27 CN CN201910445067.9A patent/CN110138797B/en active Active
Patent Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1633110A (en) * | 2005-01-14 | 2005-06-29 | 中国科学院计算技术研究所 | Flow analysis method based on Linux core |
US8112491B1 (en) * | 2009-01-16 | 2012-02-07 | F5 Networks, Inc. | Methods and systems for providing direct DMA |
CN103023914A (en) * | 2012-12-26 | 2013-04-03 | 北京神州绿盟信息安全科技股份有限公司 | Firewall system and implementation method thereof |
CN104022998A (en) * | 2013-03-01 | 2014-09-03 | 北京瑞星信息技术有限公司 | Network transmission data virus detection processing method |
CN103391256A (en) * | 2013-07-25 | 2013-11-13 | 武汉邮电科学研究院 | Base station user plane data processing and optimizing method based on Linux system |
CN103581181A (en) * | 2013-10-28 | 2014-02-12 | 清华大学 | Data packet capturing, processing and sending method and system |
US9537972B1 (en) * | 2014-02-20 | 2017-01-03 | Fireeye, Inc. | Efficient access to sparse packets in large repositories of stored network traffic |
CN105260378A (en) * | 2015-09-08 | 2016-01-20 | 上海上讯信息技术股份有限公司 | Database audit method and device |
CN105281984A (en) * | 2015-11-27 | 2016-01-27 | 上海斐讯数据通信技术有限公司 | Virtual terminal and method for message capturing and filtering |
CN107181738A (en) * | 2017-04-25 | 2017-09-19 | 中国科学院信息工程研究所 | A kind of software implementation intruding detection system and method |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2021078233A1 (en) * | 2019-10-24 | 2021-04-29 | 北京大学 | Multipath transport device and architecture |
CN112153013A (en) * | 2020-09-02 | 2020-12-29 | 杭州安恒信息技术股份有限公司 | Socket data forwarding method and device, electronic equipment and storage medium |
CN113572774A (en) * | 2021-07-27 | 2021-10-29 | 杭州迪普科技股份有限公司 | Message forwarding method and device in network equipment |
CN113572774B (en) * | 2021-07-27 | 2023-04-28 | 杭州迪普科技股份有限公司 | Message forwarding method and device in network equipment |
CN114189455A (en) * | 2021-12-08 | 2022-03-15 | 兴业银行股份有限公司 | Container network flow monitoring and counting method and system based on ebpf technology |
CN114189455B (en) * | 2021-12-08 | 2023-06-06 | 兴业银行股份有限公司 | Container network flow monitoring and counting method and system based on ebpf technology |
TWI825763B (en) * | 2022-03-21 | 2023-12-11 | 瑞昱半導體股份有限公司 | Method for configuring network traffic and computer system thereof |
Also Published As
Publication number | Publication date |
---|---|
CN110138797B (en) | 2021-12-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110138797A (en) | A kind of message processing method and device | |
CN112073411B (en) | Network security deduction method, device, equipment and storage medium | |
US7685254B2 (en) | Runtime adaptable search processor | |
US8086609B2 (en) | Graph caching | |
US7904959B2 (en) | Systems and methods for detecting and inhibiting attacks using honeypots | |
US20110016154A1 (en) | Profile-based and dictionary based graph caching | |
JP2004538678A (en) | Dynamic packet filter using session tracking | |
US11349866B2 (en) | Hardware acceleration device for denial-of-service attack identification and mitigation | |
CN111355686B (en) | Method, device, system and storage medium for defending flood attacks | |
US11818099B2 (en) | Efficient matching of feature-rich security policy with dynamic content using user group matching | |
Hsu et al. | Scalable network-based buffer overflow attack detection | |
Gil | MULTOPS: A data structure for denial-of-service attack detection | |
Nife et al. | Multi-level stateful firewall mechanism for software defined networks | |
US20200145379A1 (en) | Efficient matching of feature-rich security policy with dynamic content using incremental precondition changes | |
Ru et al. | The side-channel vulnerability in network protocol | |
Park | A study about dynamic intelligent network security systems to decrease by malicious traffic | |
US10965647B2 (en) | Efficient matching of feature-rich security policy with dynamic content | |
CN116545978B (en) | Data processing method, device and system, readable storage medium and import network card | |
CN116599716A (en) | Network security protection method, device, equipment and medium | |
Chimkode | Design of an FPGA based Embedded System for protecting the server from SYN flood attack | |
Okumura et al. | The Netnice packet filter: bridging the structural mismatches in end-host network control | |
CN116545978A (en) | Data processing method, device and system, readable storage medium and import network card | |
Chomsiri | Tree rule firewall | |
Mühlbach | Reconfigurable Architectures and Design Automation Tools for Application-Level Network Security | |
Cronin | Hardware acceleration of network intrusion detection and prevention |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |