CN110138797B - Message processing method and device - Google Patents


Info

Publication number: CN110138797B
Application number: CN201910445067.9A
Authority: CN (China)
Prior art keywords: data message, data, message, processing unit, central processing
Legal status: Active (Google's assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN110138797A
Inventors: 郝立鹏, 王春鹏
Current assignee: Beijing Knownsec Information Technology Co Ltd (as listed by Google; may be inaccurate)
Original assignee: Beijing Knownsec Information Technology Co Ltd
Timeline: application filed by Beijing Knownsec Information Technology Co Ltd; priority claimed to CN201910445067.9A; CN110138797A published; application granted; CN110138797B published; currently active.

Classifications

    • H04L63/1416 Event detection, e.g. attack signature detection (H04L63/14 detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
    • H04L63/1458 Denial of Service (H04L63/1441 countermeasures against malicious traffic)
    • H04L49/9031 Wraparound memory, e.g. overrun or underrun detection (H04L49/90 buffering arrangements in packet switching elements)
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer


Abstract

The application provides a packet processing method and device. The method comprises: after the network adapter has stored a received packet in the ring buffer, the central processing unit reads the packet from the ring buffer; the central processing unit determines whether the packet matches pre-generated data bytecode, the bytecode being a filter that matches packets suspected of being attack traffic; if it does, the central processing unit discards the packet from the ring buffer. Because the packet is read from the ring buffer and filtered against the pre-generated bytecode before a socket buffer is allocated for it, attack packets are dropped in the ring buffer and never enter a socket buffer, which removes the computing and memory cost of repeatedly allocating and freeing socket buffers for attack traffic.

Description

Message processing method and device
Technical Field
The present application relates to the technical field of network security, and in particular to a packet processing method and apparatus.
Background
A Distributed Denial of Service (DDoS) attack uses client/server techniques to combine many computers into a single attack platform and launches the attack against one or more targets, multiplying its power. Typically the attacker sends a large volume of packets to the target in a short time, exhausting its memory or computing resources so that it can no longer process legitimate packets.
Most conventional DDoS defences are based on hardware firewalls or software firewalls. Hardware-firewall approaches filter large volumes of attack packets at the network routing layer, for example gateway firewalls and relay firewalls; software-firewall approaches filter attack packets according to the specific application scenario, for example the operating system's built-in firewall or an application-level firewall. During a DDoS attack most packets are attack packets, yet the kernel still allocates and frees a socket buffer for each of them, which wastes computing and memory resources. The prior art therefore suffers from the cost of frequently allocating and releasing socket buffers.
Disclosure of Invention
An object of the embodiments of the present application is to provide a packet processing method and apparatus that avoid the waste of computing and memory resources caused by frequently allocating and releasing socket buffers.
An embodiment of the application provides a packet processing method comprising the following steps: after the network adapter has stored a received packet in a ring buffer, the central processing unit reads the packet from the ring buffer; the central processing unit determines whether the packet matches pre-generated data bytecode, the bytecode being a filter that matches packets suspected of being attack traffic; if it does, the central processing unit discards the packet from the ring buffer. In this way the packet is read from the ring buffer and filtered against the pre-generated bytecode before any socket buffer is allocated for it, so attack packets are dropped in the ring buffer and never enter a socket buffer, and the computing and memory cost of frequently allocating and releasing socket buffers is avoided.
Optionally, determining whether the packet matches the pre-generated data bytecode comprises: parsing the packet to obtain its length and format; and having the central processing unit determine whether the length and format match the data bytecode. Packets whose length or format is out of range are thus rejected by a cheap preliminary check before any deeper inspection, which speeds up filtering.
Optionally, after the central processing unit has determined whether the packet matches the pre-generated data bytecode, the method further comprises: if the packet does not match the data bytecode, the central processing unit reads it from the ring buffer and stores it in a socket buffer. Copying only the packets that survive the first check into socket buffers speeds up the matching and filtering performed at the socket-buffer stage.
Optionally, after the central processing unit has copied the packet from the ring buffer into the socket buffer, the method further comprises: the central processing unit parses the packet held in the socket buffer to obtain its protocol type and protocol fields; the central processing unit determines whether the protocol type and protocol fields satisfy a first preset condition, which identifies packets suspected of being attack traffic; and if so, the central processing unit discards the packet from the socket buffer. Matching on protocol type and protocol fields at the socket-buffer stage improves the accuracy of filtering there.
Optionally, after the central processing unit has determined whether the protocol type and protocol fields satisfy the first preset condition, the method further comprises: if they do not, the central processing unit reads the packet from the socket buffer and stores it in a user-mode buffer. Copying only the surviving packets into the user-mode buffer speeds up the matching and filtering performed there.
Optionally, after the central processing unit has copied the packet from the socket buffer into the user-mode buffer, the method further comprises: the central processing unit parses the packet held in the user-mode buffer to obtain its network address and network port; and if the network address and port satisfy a second preset condition, which identifies packets suspected of being attack traffic, the central processing unit discards the packet from the user-mode buffer. Matching on network address and port in the user-mode buffer improves the accuracy of filtering there.
Optionally, after the central processing unit has determined whether the packet matches the pre-generated data bytecode, the method further comprises: if the packet does not match the data bytecode, the central processing unit reads it from the ring buffer and stores it directly in a user-mode buffer. Copying the packet straight from the ring buffer into the user-mode buffer speeds up the matching and filtering performed there.
Optionally, after the central processing unit has copied the packet from the ring buffer into the user-mode buffer, the method further comprises: the central processing unit parses the packet held in the user-mode buffer to obtain a first flag and a second flag; and if the first flag and second flag satisfy a third preset condition, which identifies packets suspected of being attack traffic, the central processing unit discards the packet from the user-mode buffer. Matching on the two flags in the user-mode buffer improves the accuracy of filtering there.
An embodiment of the present application further provides a packet processing apparatus comprising: a first reading module, by which the central processing unit reads a packet from the ring buffer after the network adapter has stored the received packet there; a first determining module, by which the central processing unit determines whether the packet matches pre-generated data bytecode, the bytecode being a filter that matches packets suspected of being attack traffic; and a first deleting module, by which the central processing unit discards the packet from the ring buffer if it matches the pre-generated data bytecode. As with the method, the packet is filtered against the pre-generated bytecode in the ring buffer before any socket buffer is allocated for it, so attack packets never enter a socket buffer and the cost of frequently allocating and releasing socket buffers is avoided.
Optionally, the first determining module comprises: a first parsing module that parses the packet to obtain its length and format; and a second determining module, by which the central processing unit determines whether the length and format match the data bytecode.
Optionally, the apparatus further comprises a second reading module, by which the central processing unit reads the packet from the ring buffer and stores it in a socket buffer if the packet does not match the data bytecode.
Optionally, the apparatus further comprises: a second parsing module, by which the central processing unit parses the packet held in the socket buffer to obtain its protocol type and protocol fields; a third determining module, by which the central processing unit determines whether the protocol type and protocol fields satisfy a first preset condition that identifies packets suspected of being attack traffic; and a second deleting module, by which the central processing unit discards the packet from the socket buffer if the first preset condition is satisfied.
Optionally, the apparatus further comprises a third reading module, by which the central processing unit reads the packet from the socket buffer and stores it in a user-mode buffer if the protocol type and protocol fields do not satisfy the first preset condition.
Optionally, the apparatus further comprises: a third parsing module, by which the central processing unit parses the packet held in the user-mode buffer to obtain its network address and network port; and a third deleting module, by which the central processing unit discards the packet from the user-mode buffer if the network address and port satisfy a second preset condition that identifies packets suspected of being attack traffic.
Optionally, the apparatus further comprises a fourth reading module, by which the central processing unit reads the packet from the ring buffer and stores it directly in a user-mode buffer if the packet does not match the data bytecode.
Optionally, the apparatus further comprises: a fourth parsing module, by which the central processing unit parses the packet held in the user-mode buffer to obtain a first flag and a second flag; and a fourth deleting module that discards the packet from the user-mode buffer if the first flag and second flag satisfy a third preset condition that identifies packets suspected of being attack traffic.
An embodiment of the present application further provides an electronic device, including: a processor and a memory storing machine-readable instructions executable by the processor, the machine-readable instructions when executed by the processor performing the method as described above.
The embodiment of the present application also provides a storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the method as described above is executed.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 shows a schematic structural diagram of an electronic device provided in an embodiment of the present application;
fig. 2 is a schematic flowchart illustrating a message processing method according to an embodiment of the present application;
fig. 3 is a schematic flowchart illustrating a matching filtering method after step S120 according to an embodiment of the present application;
fig. 4 shows a schematic structural diagram of a message processing apparatus according to an embodiment of the present application.
Detailed Description
The technical solution in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
Referring to fig. 1, fig. 1 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure. An electronic device 101 provided in an embodiment of the present application includes: a processor 102 and a memory 103, the memory 103 storing machine readable instructions executable by the processor 102, the machine readable instructions when executed by the processor 102 performing the following method.
Referring to fig. 1, the embodiment of the present application further provides a storage medium 104, where the storage medium 104 stores a computer program, and the computer program is executed by the processor 102 to perform the following method.
The storage medium 104 may be implemented by any type of volatile or nonvolatile storage device or combination thereof, such as a Static Random Access Memory (SRAM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), an Erasable Programmable Read-Only Memory (EPROM), a Programmable Read-Only Memory (PROM), a Read-Only Memory (ROM), a magnetic Memory, a flash Memory, a magnetic disk, or an optical disk.
Before describing the solution in the embodiments of the present application, some concepts related to the embodiments of the present application are described below:
An Internet Protocol address (IP address) is a numerical label assigned to each device that uses the Internet Protocol to communicate over the Internet. IP addresses come in two versions in common use, IPv4 and IPv6.
The Berkeley Packet Filter (BPF) is the raw data-link-layer interface of Unix-like systems: it provides raw link-layer packet reception and transmission and, if the network card driver supports promiscuous mode, it can put the card into that mode. Promiscuous mode means the card receives every packet on the network segment, whether or not it is addressed to this host.
The IO Visor Project (IOVP) is an open-source project developed by a community of developers that aims to implement tracing, analysis, monitoring, security and networking functions on top of virtualized kernel I/O services, so that those services can be developed, innovated on and shared.
The eXpress Data Path (XDP), part of the IO Visor Project, aims to provide a high-performance, programmable network data path in the Linux kernel. XDP processes packets in the network driver, before the kernel allocates a socket buffer for them, which the page describes as "bare metal" processing: it bypasses most of the operating system's networking stack and reaches near-ideal speed without losing programmability. Newer XDP versions can be attached dynamically, without modifying the Linux kernel, so that low-level packet data can be processed quickly.
A Central Processing Unit (CPU) is a very-large-scale integrated circuit that forms the computing and control core of a computer; its main functions are to interpret instructions and process the data handled by software.
Direct Memory Access (DMA) lets hardware devices of different speeds exchange data with memory without burdening the CPU with an interrupt for every piece of data. Without DMA the CPU would have to copy each piece of data from the source into a register and write it back to the destination, and would be unavailable for other tasks while doing so.
A socket buffer (sk_buff, SKB) is the core data structure of the Linux network stack: it represents a packet to be sent or received and travels through the whole protocol stack. When an application passes data to a socket, the kernel allocates a corresponding socket buffer and copies the user data into it; likewise a received packet must be placed in a socket buffer before the protocol stack can process it.
The Data Plane Development Kit (DPDK) is a set of libraries and drivers that run on multi-core CPU architectures to accelerate packet processing.
First embodiment
Referring to fig. 2, fig. 2 is a schematic flowchart illustrating a message processing method according to an embodiment of the present disclosure. An embodiment of the present application provides a message processing method, and an optional implementation manner may include the following steps:
step S110: after the network adapter stores the received data message in the ring buffer, the central processing unit reads the data message from the ring buffer.
The specific way in which the network adapter stores the received data packet in the ring buffer may be that the network adapter stores the received data packet in the ring buffer in a DMA manner, and then the network adapter notifies the central processing unit that the data packet has reached the ring buffer in an interrupt request manner. Here, the Interrupt ReQuest (IRQ) refers to an operation of executing a hardware Interrupt ReQuest in a computer, for example, when a piece of data in a hard disk needs to be read, the hard disk informs the system through the IRQ when the data reading is completed, and of course, the corresponding data is also written into a designated memory or a cache.
Step S120: the central processing unit judges whether the data message is matched with a pre-generated data byte code, wherein the data byte code is used for matching the suspected attacked data message.
The data bytecode here may be a BPF bytecode or an eBPF bytecode. The eBPF bytecode herein is an extension of the BPF bytecode, and both the BPF bytecode and the eBPF bytecode can compile codes written by a programming language (e.g., C language) into BPF bytecode or eBPF bytecode through a compiler tool (e.g., bpftools tool), and the codes are mainly composed of various matching filtering rules customized by a user, for example: if the packet length of the Ethernet frame is less than 64 bytes, it is determined that the packet length does not match the pre-generated BPF bytecode.
In the embodiment of the present application, one implementation of step S120 may include the following steps:
step S121: and analyzing the data message to obtain the message length and the message format.
The message formats of the various message types are, for example: ethernet frames, Address Resolution Protocol (ARP) frames, Virtual Local Area Network (VLAN) frames, High-Level Data Link Control (HDLC) frames, and so on. The length of the message varies with the type of the message, for example: the common message length of the ethernet frame (after removing the upper layer load) is 18 bytes, the common message length of the address resolution protocol frame is 8 bytes, the common message length of the virtual local area network frame is 4 bytes, the common message length of the high level data link control frame is 8 bytes, and so on.
Step S122: the central processing unit judges whether the message length and the message format are matched with the data byte code.
The central processing unit judges whether the message length and the message format are matched with the BPF byte code by using an xt _ BPF module in the Iptables, wherein the Iptables is an IP information packet filter program integrated by a Linux operating system kernel. The case where the message length does not match the BPF bytecode is, for example: if the message length of the Ethernet frame is less than 64 bytes, the BPF byte code is judged not to be matched; if the message length of the Ethernet frame is larger than 1518 bytes, it is determined that the BPF byte codes are not matched; for example, if the message length of the ethernet frame is greater than 64 bytes and less than 1518 bytes, it is determined that the BPF bytecode is matched; if the message length of a Transmission Control Protocol (TCP) is greater than 65535 bytes, determining that the BPF byte codes are matched; if the length of the TCP message is less than 65535 bytes, the TCP message is judged not to match the BPF byte codes. The case where the message format does not match the BPF bytecode is, for example: and if the check bit calculated by using the information of the message header is consistent with the check bit in the data message, determining that the BPF byte code is not matched.
Step S130: if the data message matches the pre-generated data byte code, the central processing unit deletes the data message from the ring buffer.
Certainly, after the data message is successfully deleted by matching, that is, after the central processing unit deletes the data message from the ring buffer, a GateBot tool can be used to analyze and trigger a traffic request matching the BPF bytecode, and a DDoS mitigation measure matching the suspicious traffic request is deployed. The method is used for designing a generation rule module bpftools, a traffic analysis engine module Gatebot and a rule execution module XDP by adopting a modular design idea, and is organically combined with iptables at the same time, so that an efficient defense system matched with a suspected DDoS attack traffic request is constructed.
In the implementation process, after the network adapter stores the received data message into the ring buffer area, the central processing unit reads the data message from the ring buffer area and filters the data message according to the pre-generated data byte code, and the attack data message is filtered in the ring buffer area, so that the attack data message is prevented from entering the socket cache, and the problem of wasting computing resources and memory resources caused by frequently distributing and releasing the socket cache is solved.
Referring to fig. 3, fig. 3 is a schematic flowchart of the matching and filtering performed after step S120 according to an embodiment of the present application. To strengthen the filtering, there are two ways of continuing after step S120. The first way has two stages: in the first stage the packet is copied from the ring buffer into a socket buffer and filtered there, and in the second stage it is copied from the socket buffer into a user-mode buffer and filtered again. In the second way, the packet is copied directly from the ring buffer into a user-mode buffer and filtered there.
In the first way, the first stage after step S120, copying the packet from the ring buffer into a socket buffer and filtering it there, is as follows:
Step S140: If the packet does not match the data bytecode, the central processing unit reads it from the ring buffer and stores it in a socket buffer.
Before the central processing unit can copy the packet from the ring buffer into a socket buffer, it must request SKB storage from the operating-system kernel sized to the packet; only then is the packet copied from the ring buffer into the socket buffer.
Step S150: the central processing unit analyzes the data message stored in the socket cache to obtain the protocol type and the protocol field.
The protocol types here are, for example: transmission control Protocol, User Datagram Protocol (UDP), HyperText Transfer Protocol (HTTP), HyperText Transfer Protocol over Secure Socket Layer or HyperText Transfer Protocol Secure (HTTPs), and the like. Taking a TCP data packet as an example, the protocol field of the TCP data packet is obtained as follows: a SYN field, an FIN field, an ACK field, a PSH field, a RST field, and a URG field, etc.
Step S160: the central processing unit judges whether the protocol type and the protocol field meet a first preset condition.
The first preset condition is used for filtering a suspected attack data packet, and the protocol type and the protocol field are filtered by using the first preset condition, for example: developing and compiling a kernel module, injecting the kernel module into a system network module, applying an SKB storage space to an operating system kernel by the central processing unit after the central processing unit receives data, and analyzing and matching and filtering the SKB structure by the central processing unit. The specific way of determining whether the protocol type and the protocol field satisfy the first preset condition is, for example: setting SYN and FIN marks in the TCP data message at the same time, and judging that the first preset condition is met; for example, if all flag bits are set in the TCP data packet at the same time, the first preset condition is satisfied; if only the SYN or FIN flag is set in the TCP data message, it is determined that the first preset condition is not satisfied.
Step S170: and if the protocol type and the protocol field meet the first preset condition, the central processing unit deletes the data message from the socket cache.
After the data message is successfully matched and deleted, that is, after the central processing unit deletes the data message from the socket cache, a gateway tool can be used to analyze the traffic requests that triggered a match against the BPF bytecode and to deploy DDoS mitigation measures matched to the suspicious traffic requests; the traffic matching the BPF bytecode can be exported through the tool, which provides a basis for building a DDoS blacklist database.
In the implementation process, the matching and filtering of the protocol type of the data message and the protocol field of the data message are performed in the socket cache, so that the accuracy of the matching and filtering of the data message in the socket cache is improved.
As described above, after step S120, the first embodiment further includes a second stage, in which the method for copying the data packet from the socket cache to the user-mode buffer for filtering is as follows:
Step S180: if the protocol type and the protocol field do not meet the first preset condition, the central processing unit reads the data message from the socket cache and stores the data message in the user mode buffer area.
If the protocol type and the protocol field do not meet the first preset condition, the central processing unit can read the data message from a socket cache of a protocol stack of an operating system kernel and store the data message into a user mode buffer area.
Step S190: the central processing unit analyzes the data message stored in the user mode buffer area to obtain a network address and a network port.
Here, taking an IP packet as the data packet as an example, the network address obtained by analyzing it is, for example, 123.123.123.123 or 123.11.11.11, and the network port is, for example, 22 or 3389.
Step S200: if the network address and the network port meet the second preset condition, the central processing unit deletes the data message from the user mode buffer area.
The specific manner in which the network address and the network port satisfy the second preset condition may be to determine, from the network port, whether a preset port satisfies the second preset condition. For example, if the port opened to the outside is port 80 while the requested port is 22 or 3389, the preset port may be set to 22 or 3389; when the port in the obtained data packet is 22 or 3389, it is determined that the data packet satisfies the second preset condition, and when the port in the obtained data packet is 80, it is determined that the data packet does not satisfy the second preset condition. Alternatively, a preset address may be used to determine, from the network address, whether the second preset condition is satisfied. For example, the device has two public floating network addresses, 123.123.123.123 and 123.11.11.11; only 123.123.123.123 is open to the outside, and 123.11.11.11 is only in standby state, so the preset address can be set to 123.11.11.11; when the address in the obtained data message is 123.11.11.11, it is determined that the data message meets the second preset condition, and when the address in the obtained data message is 123.123.123.123, it is determined that the data message does not meet the second preset condition. It is understood that the second preset condition is used for filtering suspected attack data packets.
In the implementation process, the network address of the data message and the network port of the data message are matched and filtered in the user mode buffer area, so that the accuracy of the matching and filtering of the data message in the user mode buffer area is improved.
In a second embodiment, after step S120, the method for directly copying the data packet from the ring buffer to the user-mode buffer for filtering includes the following steps:
Step S210: if the data message does not match the data byte code, the central processing unit reads the data message from the ring buffer area and stores the data message in the user mode buffer area.
If the data message does not match the data byte code, the DPDK is used for bypassing the kernel network protocol stack to directly copy the data packet from the DMA ring buffer area to the user mode buffer area. It can be understood that, by developing and writing the kernel module and injecting the kernel module into the system network module, after the central processing unit receives the notification that the data is already stored in the ring buffer, the data packet is directly read from the ring buffer and stored in the user mode buffer.
Step S220: the central processing unit analyzes the data message stored in the user mode buffer area to obtain a first mark and a second mark.
The data packet may be a TCP data packet, the first flag may be a SYN flag, the second flag may be a FIN flag, or other flags, for example: ACK field, PSH field, RST field, and URG field, etc.
Step S230: if the first mark and the second mark meet a third preset condition, the central processing unit deletes the data message from the user mode buffer area, where the third preset condition is used for filtering suspected attack data messages.
For convenience of understanding and description, the data packet here is taken to be a TCP data packet, the first flag may be the SYN flag, and the second flag may be the FIN flag; a specific manner of determining whether the first flag and the second flag satisfy the third preset condition is, for example: if the SYN and FIN flags are set in the TCP data message at the same time, it is determined that the third preset condition is met; likewise, if all flag bits are set in the TCP data packet at the same time, the third preset condition is satisfied; if only the SYN flag or only the FIN flag is set in the TCP data message, it is determined that the third preset condition is not satisfied.
In the implementation process, the first mark of the data message and the second mark of the data message are matched and filtered in the user mode buffer area, so that the accuracy of the matching and filtering of the data message in the user mode buffer area is improved.
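As an added illustration of the first preset condition of step S160 (the same flag test as the third preset condition of step S230) and the second preset condition of step S200, the following C code is not from the patent: it parses a constructed IPv4/TCP packet held in a plain byte buffer and applies the two checks in the order of the two stages. The flag-bit constant names, the 10.0.0.1 source address, the verdict codes and the helper names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TCP flag bits as laid out in byte 13 of the TCP header (names assumed for this example). */
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_PSH 0x08
#define TCP_ACK 0x10
#define TCP_URG 0x20
#define TCP_ALL (TCP_FIN | TCP_SYN | TCP_RST | TCP_PSH | TCP_ACK | TCP_URG)
#define ADDR_STANDBY 0x7B0B0B0Bu /* 123.11.11.11, the standby address used as the preset address */

struct parsed_pkt { uint32_t dst_addr; uint16_t dst_port; uint8_t proto, tcp_flags; };
/* Parse the IPv4 header and, for TCP, the destination port and flag byte. Returns -1 when the
 * buffer is too short or not IPv4, so a truncated message is never mistaken for a match. */
int parse_ipv4_tcp(const uint8_t *buf, size_t len, struct parsed_pkt *out)
{
    if (len < 20 || (buf[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return -1;
    memset(out, 0, sizeof *out);
    out->proto = buf[9];
    out->dst_addr = (uint32_t)buf[16] << 24 | (uint32_t)buf[17] << 16 | (uint32_t)buf[18] << 8 | buf[19];
    if (out->proto == 6) {                          /* TCP: require the 20-byte fixed header */
        if (len < ihl + 20) return -1;
        out->dst_port = (uint16_t)(buf[ihl + 2] << 8 | buf[ihl + 3]);
        out->tcp_flags = buf[ihl + 13];
    }
    return 0;
}

/* First preset condition (step S160), identical to the third (step S230): SYN and FIN set
 * together, or every flag set at once, marks a suspected attack; SYN or FIN alone does not. */
int first_preset_condition(uint8_t flags)
{
    if ((flags & (TCP_SYN | TCP_FIN)) == (TCP_SYN | TCP_FIN)) return 1;
    if ((flags & TCP_ALL) == TCP_ALL) return 1;     /* implied by the line above; kept to mirror the text */
    return 0;
}

/* Second preset condition (step S200): only port 80 is exposed, so a request to preset port 22
 * or 3389, or one addressed to the standby address, is a suspected attack. */
int second_preset_condition(const struct parsed_pkt *p)
{
    return (p->dst_port == 22 || p->dst_port == 3389 || p->dst_addr == ADDR_STANDBY) ? 1 : 0;
}

/* Two-stage verdict (codes assumed): 1 = deleted from the socket cache by the first condition,
 * 2 = deleted from the user-mode buffer by the second, 0 = delivered, -1 = unparseable. */
int filter_packet(const uint8_t *buf, size_t len)
{
    struct parsed_pkt p;
    if (parse_ipv4_tcp(buf, len, &p) != 0) return -1;
    if (p.proto == 6 && first_preset_condition(p.tcp_flags)) return 1;
    if (second_preset_condition(&p)) return 2;
    return 0;
}

/* Build a constructed 40-byte IPv4+TCP sample (source 10.0.0.1:49152, no options or payload,
 * checksums left zero) and run it through both stages; returns the verdict. */
int sample_verdict(uint32_t dst_addr, uint16_t dst_port, uint8_t flags)
{
    uint8_t buf[40] = {0};
    buf[0] = 0x45; buf[3] = 40; buf[8] = 64; buf[9] = 6;   /* IPv4, IHL 5, total len 40, TTL, TCP */
    buf[12] = 10; buf[15] = 1;                              /* source 10.0.0.1 */
    buf[16] = (uint8_t)(dst_addr >> 24); buf[17] = (uint8_t)(dst_addr >> 16);
    buf[18] = (uint8_t)(dst_addr >> 8);  buf[19] = (uint8_t)dst_addr;
    buf[20] = 0xC0;                                         /* source port 49152 */
    buf[22] = (uint8_t)(dst_port >> 8); buf[23] = (uint8_t)dst_port;
    buf[32] = 0x50; buf[33] = flags;                        /* data offset 5 words, flag byte */
    return filter_packet(buf, sizeof buf);
}
```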
Second embodiment
Referring to fig. 4, fig. 4 is a schematic structural diagram of a message processing apparatus according to an embodiment of the present application. An embodiment of the present application provides a packet processing apparatus 100, which includes:
The first reading module 110 is configured so that, after the network adapter stores the received data packet in the ring buffer, the central processing unit reads the data packet from the ring buffer.
The first determining module 120 is configured to determine whether the data packet matches a pre-generated data bytecode, where the data bytecode is used for matching a suspected-attack data packet.
A first deleting module 130, configured to delete the data packet from the ring buffer if the data packet matches a pre-generated data bytecode.
In the implementation process, after the network adapter stores the received data message into the ring buffer area, the central processing unit reads the data message from the ring buffer area and filters it according to the pre-generated data byte code. Because attack data messages are filtered in the ring buffer area, they are prevented from entering the socket cache, and the waste of computing resources and memory resources caused by frequently allocating and releasing the socket cache is avoided.
Optionally, in this embodiment of the present application, the first determining module includes:
The first analysis module is used for analyzing the data message to obtain the message length and the message format.
The second judgment module is used for judging, by the central processing unit, whether the message length and the message format match the data byte code.
Optionally, in an embodiment of the present application, the apparatus includes:
The second reading module is used for reading the data message from the ring buffer area and storing the data message into the socket cache if the data message does not match the data byte code.
Optionally, in an embodiment of the present application, the apparatus further includes:
The second analysis module is used for analyzing, by the central processing unit, the data message stored in the socket cache to obtain the protocol type and the protocol field.
The third judgment module is used for judging, by the central processing unit, whether the protocol type and the protocol field meet a first preset condition, where the first preset condition is used for filtering suspected attack data messages.
The second deleting module is used for deleting, by the central processing unit, the data message from the socket cache if the protocol type and the protocol field meet the first preset condition.
Optionally, in an embodiment of the present application, the apparatus further includes:
The third reading module is used for reading the data message from the socket cache and storing the data message into the user mode buffer area if the protocol type and the protocol field do not meet the first preset condition.
Optionally, in this embodiment of the present application, the apparatus may further include:
The third analysis module is used for analyzing, by the central processing unit, the data message stored in the user mode buffer area to obtain a network address and a network port.
The third deleting module is used for deleting, by the central processing unit, the data message from the user mode buffer area if the network address and the network port meet a second preset condition, where the second preset condition is used for filtering suspected attack data messages.
Optionally, in this embodiment of the present application, the message processing apparatus may further include:
The fourth reading module is used for reading the data message from the ring buffer area and storing the data message into the user mode buffer area if the data message does not match the data byte code.
Optionally, in this embodiment of the present application, the message processing apparatus may further include:
The fourth analysis module is used for analyzing, by the central processing unit, the data message stored in the user mode buffer area to obtain the first mark and the second mark.
The fourth deleting module is used for deleting, by the central processing unit, the data message from the user mode buffer area if the first mark and the second mark meet a third preset condition, where the third preset condition is used for filtering suspected attack data messages.
The above description is only a specific implementation of the embodiments of the present application, but the scope of the embodiments of the present application is not limited thereto, and any person skilled in the art can easily conceive of changes or substitutions within the technical scope of the embodiments of the present application, and all the changes or substitutions should be covered by the scope of the embodiments of the present application.

Claims (9)

1. A message processing method is characterized by comprising the following steps:
after the network adapter stores the received data message into a ring buffer area, a central processing unit reads the data message from the ring buffer area;
the central processing unit judges whether the data message is matched with a pre-generated data byte code, wherein the data byte code is used for matching a suspected attacked data message;
if so, the central processing unit deletes the data message from the ring buffer area;
and if the data message does not match the data byte code, the central processing unit reads the data message from the annular buffer area and stores the data message into a socket cache.
2. The method of claim 1, wherein the determining by the central processing unit whether the data packet matches a pre-generated data bytecode includes:
analyzing the data message to obtain the message length and the message format;
and the central processing unit judges whether the message length and the message format are matched with the data byte code.
3. The method of claim 1, wherein after the central processor reads the data packet from the ring buffer and stores the data packet in the socket cache, further comprising:
the central processing unit analyzes the data message stored in the socket cache to obtain a protocol type and a protocol field;
the central processing unit judges whether the protocol type and the protocol field meet a first preset condition, wherein the first preset condition is used for filtering data messages suspected to be attacked;
and if so, deleting the data message from the socket cache by the central processing unit.
4. The method according to claim 3, after the central processing unit determines whether the protocol type and the protocol field satisfy a first preset condition, further comprising:
and if the protocol type and the protocol field do not meet the first preset condition, the central processing unit reads the data message from the socket cache and stores the data message in a user mode buffer area.
5. The method of claim 4, wherein after the central processor reads the data packet from the socket cache and stores the data packet in a user mode buffer, further comprising:
the central processing unit analyzes the data message stored in the user mode buffer area to obtain a network address and a network port;
and if the network address and the network port meet a second preset condition, deleting the data message from the user mode buffer area by the central processing unit, wherein the second preset condition is used for filtering the data message suspected to be attacked.
6. The method of claim 1, wherein after the central processing unit determines whether the data packet matches a pre-generated data bytecode, the method further comprises:
and if the data message does not match the data byte code, the central processing unit reads the data message from the annular buffer area and stores the data message into a user mode buffer area.
7. The method of claim 6, wherein after the central processing unit reads the data message from the ring buffer area and stores it into the user mode buffer area, the method further comprises:
the central processing unit analyzes the data message stored in the user mode buffer area to obtain a first mark and a second mark;
and if the first mark and the second mark meet a third preset condition, deleting the data message from the user mode buffer area by the central processing unit, wherein the third preset condition is used for filtering the data message suspected to be attacked.
8. A message processing apparatus, comprising:
the first reading module is used for reading the data message from the annular buffer area by the central processing unit after the network adapter stores the received data message into the annular buffer area;
the first judgment module is used for judging, by the central processing unit, whether the data message matches a pre-generated data byte code, wherein the data byte code is used for matching a suspected attack data message;
a first deleting module, configured to delete the data packet from the ring buffer by the central processing unit if the data packet matches a pre-generated data bytecode;
and the second reading module is used for reading the data message from the annular buffer area and storing the data message into a socket cache if the data message does not match the data byte code.
9. The apparatus of claim 8, wherein the first determining module comprises:
the first analysis module is used for analyzing the data message to obtain the message length and the message format;
and the second judgment module is used for judging whether the message length and the message format are matched with the data byte code or not by the central processing unit.
CN201910445067.9A 2019-05-27 2019-05-27 Message processing method and device Active CN110138797B (en)

Publications (2)

Publication Number Publication Date
CN110138797A (en) 2019-08-16
CN110138797B (en) 2021-12-14
