CN110224947A - Packet processing method, apparatus and device in a multi-core forwarding system - Google Patents


Info

Publication number
CN110224947A
Authority
CN
China
Prior art keywords
packet
CPU
abnormal traffic
traffic
forwarding
Legal status
Pending
Application number
CN201910486626.0A
Other languages
Chinese (zh)
Inventor
刘健男
Current Assignee
Neusoft Corp
Original Assignee
Neusoft Corp

Classifications

    • H: ELECTRICITY
        • H04: ELECTRIC COMMUNICATION TECHNIQUE
            • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 47/00: Traffic control in data switching networks
                    • H04L 47/70: Admission control; Resource allocation
    • H: ELECTRICITY
        • H04: ELECTRIC COMMUNICATION TECHNIQUE
            • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L 63/00: Network architectures or network communication protocols for network security
                    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                            • H04L 63/1425: Traffic logging, e.g. anomaly detection

Abstract

The application discloses a packet processing method, apparatus and device in a multi-core forwarding system. The multi-core forwarding system includes a forwarding core, a first CPU and a second CPU. The method includes: after receiving a packet from the network interface card, the forwarding core judges whether the packet belongs to abnormal traffic; if the packet belongs to abnormal traffic, the forwarding core forwards it to a preset first CPU for processing by the first CPU; if the packet does not belong to abnormal traffic and belongs to extranet traffic, the forwarding core forwards it to a preset second CPU for processing by the second CPU. By dividing traffic into classes and handling each class separately, the application prevents normal traffic from being affected by abnormal traffic and keeps normal traffic flowing smoothly.

Description

Packet processing method, apparatus and device in a multi-core forwarding system
Technical field
This application relates to the field of data processing, and in particular to a packet processing method, apparatus and device in a multi-core forwarding system.
Background
With the development of science and technology, more and more firewalls use a multi-core processing mechanism. That is, a firewall's forwarding performance now depends not only on the complexity of its processing flow and algorithms, but also on resource contention in the multi-core concurrent design.
Dedicated networks such as campus networks usually place high demands on the smoothness of normal traffic, yet such networks are also subject to various network attacks from inside and outside the campus (for example reflection attacks, and DDoS attacks such as ACK flood, SYN flood and UDP flood). A firewall with a multi-core processing mechanism must therefore not only handle abnormal traffic such as network attacks but, more importantly, keep normal traffic flowing smoothly.
Summary of the invention
In view of this, the application provides a packet processing method in a multi-core forwarding system that uses a separate first CPU to handle abnormal traffic and a separate second CPU to handle extranet traffic. Dividing traffic in this way prevents normal traffic from being affected by abnormal traffic and keeps normal traffic flowing smoothly.
In a first aspect, to achieve the above object, the application provides a packet processing method in a multi-core forwarding system. The multi-core forwarding system includes a forwarding core, a first CPU and a second CPU, and the method includes:
after receiving a packet from the network interface card, the forwarding core judges whether the packet belongs to abnormal traffic;
if the packet belongs to abnormal traffic, the forwarding core forwards the packet to a preset first CPU for processing by the first CPU;
if the packet does not belong to abnormal traffic and belongs to extranet traffic, the forwarding core forwards the packet to a preset second CPU for processing by the second CPU.
In an optional embodiment, the method further includes:
if the packet does not belong to abnormal traffic and belongs to extranet traffic, the forwarding core counts the number of packets received within a preset first time period that have the same destination IP address as the packet;
the forwarding core judges whether the number is greater than a preset first threshold; if so, it determines that packets having the same destination IP address as the packet belong to abnormal traffic.
In an optional embodiment, the method further includes:
if the packet does not belong to abnormal traffic and belongs to intranet traffic, the forwarding core counts the number of packets received within a preset second time period that have the same source IP address as the packet;
the forwarding core judges whether the number is greater than a preset second threshold; if so, it determines that packets having the same source IP address as the packet belong to abnormal traffic.
In an optional embodiment, before judging whether the packet belongs to abnormal traffic, the method further includes:
the forwarding core reads a preset mirror table without taking a lock and matches the packet against the mirror table;
if the match fails, the forwarding core drops the packet; otherwise it executes the step of judging whether the packet belongs to abnormal traffic;
where the mirror table is obtained from the policy table by fast-table mirroring.
In an optional embodiment, before judging whether the packet belongs to abnormal traffic, the method further includes:
after receiving the packet from the network interface card, the forwarding core determines whether a session template corresponding to the packet exists;
if so, the packet is forwarded based on the session template; otherwise, the step of judging whether the packet belongs to abnormal traffic is executed; where the session template is a pre-set traffic type that is allowed access.
In an optional embodiment, the method further includes:
when the first CPU receives the packet, it determines whether a session template corresponding to the packet exists;
if so, the first CPU forwards the packet based on the session template; otherwise, it drops the packet; where the session template is a pre-set traffic type that is allowed access.
In a second aspect, the application also provides a packet processing apparatus in a multi-core forwarding system. The apparatus includes a forwarding core, a first CPU and a second CPU, and the forwarding core includes a first judgment module, a first forwarding module and a second forwarding module:
the first judgment module is configured to judge, after a packet is received from the network interface card, whether the packet belongs to abnormal traffic;
the first forwarding module is configured to forward the packet to a preset first CPU for processing by the first CPU when the first judgment module determines that the packet belongs to abnormal traffic;
the second forwarding module is configured to forward the packet to a preset second CPU for processing by the second CPU when the first judgment module determines that the packet does not belong to abnormal traffic and the packet belongs to extranet traffic.
In an optional embodiment, the apparatus further includes:
a first statistics module, configured to count, when the packet does not belong to abnormal traffic and belongs to extranet traffic, the number of packets received within a preset first time period that have the same destination IP address as the packet;
a second judgment module, configured to judge whether the number is greater than a preset first threshold;
a first determining module, configured to determine, when the result of the second judgment module is yes, that packets having the same destination IP address as the packet belong to abnormal traffic.
In an optional embodiment, the apparatus further includes:
a second statistics module, configured to count, when the packet does not belong to abnormal traffic and belongs to intranet traffic, the number of packets received within a preset second time period that have the same source IP address as the packet;
a third judgment module, configured to judge whether the number is greater than a preset second threshold;
a second determining module, configured to determine, when the result of the third judgment module is yes, that packets having the same source IP address as the packet belong to abnormal traffic.
In an optional embodiment, the apparatus further includes:
a matching module, configured to read a preset mirror table without taking a lock and match the packet against the mirror table;
a first discard module, configured to drop the packet when the matching module fails to match;
a first trigger module, configured to trigger the first judgment module when the matching module matches successfully;
where the mirror table is obtained from the policy table by fast-table mirroring.
In an optional embodiment, the apparatus further includes:
a third determining module, configured to determine, after the packet is received from the network interface card, whether a session template corresponding to the packet exists;
a third forwarding module, configured to forward the packet based on the session template when the result of the third determining module is yes;
a second trigger module, configured to trigger the first judgment module when the result of the third determining module is no; where the session template is a pre-set traffic type that is allowed access.
In an optional embodiment, the first CPU includes:
a fourth determining module, configured to determine, when the packet is received, whether a session template corresponding to the packet exists;
a fourth forwarding module, configured to forward the packet based on the session template when the result of the fourth determining module is yes;
a second discard module, configured to drop the packet when the result of the fourth determining module is no; where the session template is a pre-set traffic type that is allowed access.
In a third aspect, the application also provides a computer-readable storage medium storing instructions which, when run on a terminal device, cause the terminal device to execute the method described in any of the above.
In a fourth aspect, the application also provides a packet processing device in a multi-core forwarding system, including a memory, a processor, and a computer program stored in the memory and runnable on the processor, where the processor implements the method described in any of the above embodiments when it executes the computer program.
In the packet processing method in a multi-core forwarding system provided by the application, after receiving a packet from the network interface card the forwarding core judges whether the packet belongs to abnormal traffic; if it does, the forwarding core forwards it to the first CPU for processing; if it does not but belongs to extranet traffic, the forwarding core forwards it to the second CPU for processing. The first CPU is dedicated to processing the firewall's abnormal traffic and the second CPU to processing the firewall's extranet traffic that is not abnormal. By dividing traffic into classes and handling each class separately, normal traffic is not affected by abnormal traffic and keeps flowing smoothly.
Description of the drawings
To explain the technical solutions in the embodiments of the application more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the application; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a packet processing method in a multi-core forwarding system provided by an embodiment of the application;
Fig. 2 is an architecture diagram of a firewall with a multi-core processing mechanism suitable for a campus network, provided by an embodiment of the application;
Fig. 3 is a schematic structural diagram of a packet processing apparatus in a multi-core forwarding system provided by an embodiment of the application;
Fig. 4 is a schematic structural diagram of a packet processing device in a multi-core forwarding system provided by an embodiment of the application.
Detailed description
The technical solutions in the embodiments of the application are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the application. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the application without creative effort fall within the scope of protection of the application.
The multi-core forwarding system in the embodiments of the application refers to a firewall with a multi-core processing mechanism. Abnormal traffic in a firewall usually refers to traffic with a high throughput or a large number of sessions created in a short time. In the embodiments of the application, after receiving a packet from the network interface card the forwarding core judges whether the packet belongs to abnormal traffic; if it does, the forwarding core forwards it to the first CPU for processing; if it does not but belongs to extranet traffic, the forwarding core forwards it to the second CPU for processing. The first CPU is dedicated to processing the firewall's abnormal traffic and the second CPU to processing the firewall's extranet traffic that is not abnormal. By dividing traffic into classes and handling each class separately, normal traffic is not affected by abnormal traffic and keeps flowing smoothly.
The packet processing method in a multi-core forwarding system provided by the application can be applied to scenarios such as campus networks and the networks of enterprises and institutions. The following embodiments of the application are introduced using a firewall with a multi-core processing mechanism suitable for a campus network.
Method embodiment
Referring to Fig. 1, which is a flowchart of a packet processing method in a multi-core forwarding system provided by an embodiment of the application, the multi-core forwarding system includes a forwarding core, a first CPU and a second CPU, and the method includes:
S101: after receiving a packet from the network interface card, the forwarding core judges whether the packet belongs to abnormal traffic; if so, S102 is executed, otherwise S103 is executed.
In the embodiments of the application a separate first CPU handles abnormal traffic. Therefore, after receiving a packet from the network interface card, each forwarding core in the multi-core forwarding system first judges whether the packet belongs to abnormal traffic and, if so, executes S102.
Abnormal traffic can be a predefined traffic type. For example, when the number of SYN packets received on all interfaces of the firewall exceeds a threshold, SYN packets are abnormal traffic; or, when the number of UDP packets received on all interfaces of the firewall exceeds a threshold, UDP packets are abnormal traffic. The way abnormal traffic is defined is not restricted here.
In practice, the abnormal traffic that may be present in a campus network includes the following classes:
First, network attacks launched by campus users from real IP addresses, including attacks on campus users and on users outside the campus. This kind of attack is characterised by an excessive number of packets sent from the same source IP address in a short time. For such attacks, the application counts the number of packets having the same source IP address; if the count reaches a threshold, the packets sent from that source IP address are deemed a suspected network attack and belong to abnormal traffic.
Second, network attacks launched by users outside the campus against specific campus users, such as DDoS attacks. This kind of attack is characterised by an excessive number of packets sent to the same destination IP address in a short time. For such attacks, the application counts the number of packets having the same destination IP address within a preset first time period; if the count reaches a threshold, the packets sent to that destination IP address are deemed a suspected network attack and belong to abnormal traffic.
Third, research traffic in the campus network, such as crawlers or SYN scanning jobs. Research traffic is characterised by an excessive number of packets from the same source IP address in a short time; the number of packets having the same source IP address is counted within a preset second time period, and if the count reaches a threshold, the packets sent from that source IP address are deemed to belong to abnormal traffic.
As can be seen from the above, in the embodiments of the application the condition for judging abnormal traffic is based on counting the traffic of a fixed IP address, rather than the total number of packets of a certain class. Because the traffic of a campus network is large and its overall fluctuation is related to factors such as students' daily schedules, a judgment method based on the total packet count is prone to false reports and may fail to detect an attack in time. Determining abnormal traffic by counting the traffic of a fixed IP address identifies abnormal traffic promptly, accurately and specifically, and allows the abnormal traffic of that IP address to be handled precisely without affecting the traffic of other IP addresses.
In practice, after the forwarding core receives a packet from the network interface card, if it determines that the packet belongs to extranet traffic, i.e. access to campus resources initiated by a user outside the campus, it counts the number of packets received within a preset first time period that have the same destination IP address as the packet, and judges whether the count exceeds a preset first threshold. If so, the packet flow to that destination IP address is excessive, and the packets having that destination IP address can be defined as abnormal traffic.
In addition, if it determines that the packet belongs to intranet traffic, i.e. resource access initiated by a campus user, it counts the number of packets received within a preset second time period that have the same source IP address as the packet, and judges whether the count exceeds a preset second threshold. If so, the packet flow from that source IP address is excessive, and the packets having that source IP address can be defined as abnormal traffic.
Thus the embodiments of the application can identify the above three kinds of packets as abnormal traffic and forward them to the first CPU for processing, so that they do not affect the forwarding of normal traffic on the forwarding core.
S102: the forwarding core forwards the packet to a preset first CPU for processing by the first CPU.
In the embodiments of the application, when the forwarding core determines that a received packet belongs to abnormal traffic, it forwards the packet to the first CPU, which processes it, so that the abnormal traffic does not affect normal traffic on the forwarding core.
In a campus network, the research traffic of the third class above is in fact legitimate traffic, but it may create 10,000 to 50,000 new sessions per second or more, occupying most of the resources the campus network normally has for session creation and potentially affecting the forwarding of normal traffic. Generally, the source IP address used by research traffic in a campus network must be applied for, and only an approved source IP address may be used for research traffic; otherwise even research traffic is dropped so that it does not affect the forwarding of normal traffic.
To ensure that approved research traffic is forwarded normally without occupying all session resources, the embodiments of the application set session templates for approved research traffic in the first CPU in advance. A session template includes the predetermined traffic types that an approved source IP address is allowed to access and the corresponding session policies. The life cycle of each session policy is static (it is added and deleted by configuration) and does not change as packets are forwarded, so the first CPU does not need to create a session for each flow when processing research traffic. After the first CPU receives a packet belonging to abnormal traffic, it first matches the packet against the session templates; if the packet belongs to a traffic type that its source IP address is allowed to access, the packet belongs to campus research traffic and is forwarded based on the session template; otherwise the packet belongs to a network attack and the first CPU drops it directly, which achieves attack defence. In addition, because the overall traffic fluctuation of a campus network is related to students' daily schedules, research traffic is usually scheduled at night, when student network use is relatively low. Therefore, the embodiments of the application set in the session template not only the traffic types that an approved source IP address is allowed to access, but also the time period during which that source IP address is allowed access. That is, the first CPU also matches the time at which a packet is received against the allowed access period set in the session template; if the match succeeds, the packet is forwarded based on the session template, otherwise it is dropped.
In the embodiments of the application, because the first CPU processes research traffic based on session templates, the processing performance of campus research traffic is improved. Moreover, forwarding packets based on session templates does not require a session to be created for each flow, so research traffic is forwarded without occupying any of the resources of normal traffic users, which reduces session table storage space, greatly reduces the performance overhead of creating new sessions, and improves overall performance.
In another implementation, for approved research traffic, after receiving a packet the forwarding core first determines whether a session template corresponding to the packet exists. If one exists, the packet belongs to research traffic and the forwarding core forwards it based on the session template; otherwise, it continues to judge whether the packet belongs to abnormal traffic. This implementation reduces the load on the first CPU and improves the efficiency with which the first CPU processes abnormal traffic.
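As an added illustration of the session-template check on the first CPU described above (example code written for this page, not the patent's or Neusoft's implementation), the following C sketch models a static template table: an approved source IP address, the traffic type it may access (IP protocol and destination port), and the allowed access period. A packet the forwarding core classified as abnormal is forwarded only when a template matches, and no session is created. The struct fields, the minutes-since-midnight clock, and the sample hosts and periods are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example (not the patent's code). A session template is static
 * configuration on CPU D; it is never created or aged by packet flow. */
typedef struct {
    uint32_t src_ip;     /* approved research source IP address */
    uint8_t  proto;      /* allowed IP protocol, e.g. 6 = TCP */
    uint16_t dst_port;   /* allowed destination port, 0 = any */
    uint16_t start_min;  /* allowed period start, minutes since midnight */
    uint16_t end_min;    /* allowed period end; start > end means it spans midnight */
} session_template_t;

typedef enum { ACT_DROP = 0, ACT_FORWARD_BY_TEMPLATE = 1 } action_t;

/* Is now_min inside [start, end)? A period such as 22:00-06:00 wraps midnight. */
static bool in_period(uint16_t now_min, uint16_t start, uint16_t end) {
    if (start <= end) return now_min >= start && now_min < end;
    return now_min >= start || now_min < end;
}

/* Find the template matching a packet; NULL when none does. */
static const session_template_t *find_template(const session_template_t *tpl, size_t n,
        uint32_t src_ip, uint8_t proto, uint16_t dst_port, uint16_t now_min) {
    for (size_t i = 0; i < n; i++) {
        if (tpl[i].src_ip != src_ip || tpl[i].proto != proto) continue;
        if (tpl[i].dst_port != 0 && tpl[i].dst_port != dst_port) continue;
        if (!in_period(now_min, tpl[i].start_min, tpl[i].end_min)) continue;
        return &tpl[i];
    }
    return NULL;
}

/* What CPU D does with a packet the forwarding core classified as abnormal:
 * forward by template (approved research traffic) or drop (attack). */
static action_t cpu_d_handle(const session_template_t *tpl, size_t n,
        uint32_t src_ip, uint8_t proto, uint16_t dst_port, uint16_t now_min) {
    return find_template(tpl, n, src_ip, proto, dst_port, now_min)
           ? ACT_FORWARD_BY_TEMPLATE : ACT_DROP;
}

/* Constructed templates: an approved crawler host allowed TCP/80 and TCP/443
 * from 22:00 to 06:00, and an approved scanning host allowed any TCP port
 * from 23:00 to 05:00. */
static const session_template_t g_templates[] = {
    { 0x0A000064u, 6, 80,  22 * 60, 6 * 60 },  /* 10.0.0.100 */
    { 0x0A000064u, 6, 443, 22 * 60, 6 * 60 },
    { 0x0A0000C8u, 6, 0,   23 * 60, 5 * 60 },  /* 10.0.0.200 */
};
#define N_TEMPLATES (sizeof g_templates / sizeof g_templates[0])

/* Convenience wrapper over the constructed table. */
static action_t decide(uint32_t src_ip, uint8_t proto, uint16_t dst_port, uint16_t now_min) {
    return cpu_d_handle(g_templates, N_TEMPLATES, src_ip, proto, dst_port, now_min);
}
```

Because the templates are looked up rather than created, the table stays the same size no matter how many flows a scanning job opens, which is the resource property the description relies on; the time-of-day match is what keeps an approved address from being usable as a daytime attack source.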
S103: if the packet does not belong to abnormal traffic and belongs to extranet traffic, the forwarding core forwards the packet to a preset second CPU for processing by the second CPU.
In the embodiments of the application, when a packet received by the forwarding core does not belong to abnormal traffic and belongs to extranet traffic, the forwarding core forwards it to the second CPU, which processes it. Specifically, the second CPU holds the session table for extranet traffic and forwards packets belonging to extranet traffic based on that session table.
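The three steps S101 to S103, together with the per-IP counting of the optional embodiments (destination-IP count for extranet traffic, source-IP count for intranet traffic), as an added example in C that is not the patent's or Neusoft's code. It assumes a tumbling-window counter per tracked IP address, the interface a packet arrived on as the intranet/extranet indicator, and sample window lengths and thresholds; the dispatch targets follow the Fig. 2 naming (CPU D for abnormal traffic, CPU S for extranet traffic).

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example (not the patent's code): forwarding-core dispatch of S101-S103. */
typedef enum { TO_FWD_CORE = 0, TO_CPU_D = 1, TO_CPU_S = 2 } target_t;

typedef struct {
    uint32_t src_ip;
    uint32_t dst_ip;
    bool from_extranet;  /* true: arrived on the off-campus interface */
} packet_t;

#define MAX_TRACKED 64

/* One tumbling-window counter per tracked IP address (assumed structure). */
typedef struct {
    bool used;
    uint32_t ip;
    uint64_t window_start_ms;
    uint32_t count;
} counter_t;

typedef struct {
    counter_t dst_counters[MAX_TRACKED]; /* extranet traffic, keyed by destination IP */
    counter_t src_counters[MAX_TRACKED]; /* intranet traffic, keyed by source IP */
    uint64_t window1_ms; uint32_t threshold1; /* "first time period" / "first threshold" */
    uint64_t window2_ms; uint32_t threshold2; /* "second time period" / "second threshold" */
} fwd_core_t;

static void fwd_core_init(fwd_core_t *c, uint64_t w1_ms, uint32_t t1,
                          uint64_t w2_ms, uint32_t t2) {
    *c = (fwd_core_t){0};
    c->window1_ms = w1_ms; c->threshold1 = t1;
    c->window2_ms = w2_ms; c->threshold2 = t2;
}

/* Count one packet for `ip` and return its count in the current window. A new
 * window starts once the old one has elapsed; an unknown IP takes a free slot
 * or evicts the entry whose window started earliest. */
static uint32_t window_count(counter_t *tbl, uint32_t ip, uint64_t now_ms, uint64_t window_ms) {
    counter_t *slot = 0, *free_slot = 0, *oldest = &tbl[0];
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (tbl[i].used) {
            if (tbl[i].ip == ip) { slot = &tbl[i]; break; }
            if (tbl[i].window_start_ms < oldest->window_start_ms) oldest = &tbl[i];
        } else if (free_slot == 0) {
            free_slot = &tbl[i];
        }
    }
    if (slot == 0) {
        slot = free_slot ? free_slot : oldest;
        slot->used = true; slot->ip = ip;
        slot->window_start_ms = now_ms; slot->count = 0;
    } else if (now_ms - slot->window_start_ms >= window_ms) {
        slot->window_start_ms = now_ms; slot->count = 0;
    }
    return ++slot->count;
}

/* S101: judge per fixed IP address, not by a total packet count. */
static bool is_abnormal(fwd_core_t *c, const packet_t *p, uint64_t now_ms) {
    if (p->from_extranet)  /* off-campus users converging on one campus destination */
        return window_count(c->dst_counters, p->dst_ip, now_ms, c->window1_ms) > c->threshold1;
    /* campus-originated traffic: one source sending too much */
    return window_count(c->src_counters, p->src_ip, now_ms, c->window2_ms) > c->threshold2;
}

/* S101 -> S102 / S103; normal intranet traffic stays on the forwarding core. */
static target_t dispatch(fwd_core_t *c, const packet_t *p, uint64_t now_ms) {
    if (is_abnormal(c, p, now_ms)) return TO_CPU_D;  /* S102 */
    if (p->from_extranet)       return TO_CPU_S;    /* S103 */
    return TO_FWD_CORE;
}

/* Constructed scenario: five off-campus packets to one campus host within 1 s
 * against a first threshold of 3; returns how many were sent to CPU D. */
static int flood_to_cpu_d(void) {
    fwd_core_t core;
    fwd_core_init(&core, 1000, 3, 1000, 100);
    packet_t p = { 0x01020304u, 0x0A000005u, true };  /* 1.2.3.4 -> 10.0.0.5 */
    int n = 0;
    for (int i = 0; i < 5; i++)
        if (dispatch(&core, &p, 100 + i) == TO_CPU_D) n++;
    return n;  /* the 4th and 5th packets exceed the threshold */
}

/* Constructed scenario: once the first window has elapsed the same destination
 * is back to normal; returns the target of the next packet. */
static target_t after_window_reset(void) {
    fwd_core_t core;
    fwd_core_init(&core, 1000, 3, 1000, 100);
    packet_t p = { 0x01020304u, 0x0A000005u, true };
    for (int i = 0; i < 5; i++) dispatch(&core, &p, 100 + i);
    return dispatch(&core, &p, 1200);
}

/* Constructed scenario: n packets from one campus source inside the second
 * window (threshold 100); returns where the n-th packet was dispatched. */
static target_t intranet_nth_target(int n) {
    fwd_core_t core;
    fwd_core_init(&core, 1000, 3, 1000, 100);
    packet_t p = { 0x0A000007u, 0x08080808u, false };  /* 10.0.0.7 -> 8.8.8.8 */
    target_t t = TO_FWD_CORE;
    for (int i = 0; i < n; i++) t = dispatch(&core, &p, 50 + i);
    return t;
}
```

The counter table is the part a real forwarding core has to get right: a fixed-size table with eviction bounds memory under an address-spread attack, and keying extranet traffic by destination (rather than by source) is what keeps a flood from many sources against one campus host visible, which is the case the description's second class targets.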
In the packet processing method in a multi-core forwarding system provided by the embodiments of the application, after receiving a packet from the network interface card the forwarding core judges whether the packet belongs to abnormal traffic; if it does, the forwarding core forwards it to the first CPU for processing; if it does not but belongs to extranet traffic, the forwarding core forwards it to the second CPU for processing. The first CPU is dedicated to processing the firewall's abnormal traffic and the second CPU to processing the firewall's extranet traffic that is not abnormal. By dividing traffic into classes and handling each class separately, normal traffic is not affected by abnormal traffic and keeps flowing smoothly.
An embodiment of the application provides an architecture diagram of a firewall with a multi-core processing mechanism suitable for a campus network. Referring to Fig. 2, it includes N forwarding cores CPU1 to CPUN, one CPU D for processing abnormal traffic and one CPU S for processing extranet traffic. This ensures that on-campus traffic is not affected by off-campus traffic, and that the processing of abnormal traffic does not interfere with normal on-campus and off-campus traffic.
In practice, when configuring receive queues, each network interface card in the firewall establishes a fully connected queue relationship with the N forwarding cores, so that both on-campus and off-campus traffic arriving at the card can be received by any of the N forwarding cores. In addition, when configuring transmit queues, each card establishes a fully connected queue relationship with the N forwarding cores, CPU D and CPU S, so that every CPU in the firewall can send packets directly through the card.
In practice, when a forwarding core receives a packet that does not belong to abnormal traffic, it needs to look up the session table to forward it, and if no corresponding session entry is found a new session must be created. In one case, if the packet comes from the card's on-campus interface, the packet belongs to on-campus traffic; the session is then created in the forwarding core, which finally forwards the packet. If the packet comes from the card's off-campus interface, it is forwarded to CPU S, which creates the session for it and forwards the packet.
In one embodiment, the firewall is implemented on a heterogeneous platform including a fast module and a slow module, where the fast module is implemented in user space on the DPDK platform and the slow module is implemented in the trap context in kernel space. The CPUs in the fast module mainly perform high-performance forwarding after the card receives packets (including looking up sessions and forwarding packets based on sessions), while the CPUs in the slow module perform time-consuming complex policy matching; for example, when a CPU in the fast module cannot find the session corresponding to a packet, it sends the packet to a CPU in the slow module for policy matching. At present, the functions implemented by the fast module mainly include fast forwarding, the state machine, content-addressable memory and the DDoS defence module, while the functions implemented by the slow module include policy matching, the ARP table, the routing table and the policy table.
Rules are pre-configured in the policy table of the slow module. Specifically, they can include the campus IP segments allowed to access the internet, a setting that filters out network attacks launched from within the campus that rely on forged source IP addresses; and the campus IP addresses and port numbers that extranet access is allowed to reach, a setting that filters out network attacks from outside the campus, such as UDP flood attacks.
In the above embodiment, in application scenarios with very large attack traffic, attack packets also have to enter the slow module to be dropped: after the fast module receives such packets, it sends them to the slow module, which matches them against the policy table. Obviously, very large attack traffic may then block the channel between the fast module and the slow module, and other normal traffic is affected too. To solve this problem, the embodiments of the application turn part of the contents of the slow module's policy table into a fast table implemented in the fast module, so that after receiving a packet the fast module matches the rules in the fast table directly and drops the packet directly if it does not match, which avoids the blocking of the channel between the fast and slow modules that large attack traffic would otherwise cause.
In practice, the processing cores in the slow module obtain a mirror table from the policy table by fast-table mirroring; the forwarding cores in the fast module have read permission on the mirror table, and the processing cores in the slow module have permissions such as add and delete on it. Specifically, after receiving a packet from the network interface card, the forwarding core first reads the mirror table without taking a lock and matches the packet against it; if the match fails, the packet is dropped directly, which achieves attack defence; if the match succeeds, the forwarding core continues to execute the step of judging whether the packet belongs to abnormal traffic.
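The fast-table mirror and its lock-free read, as an added C example that is not the patent's or Neusoft's code. It models the two rule kinds named above (campus prefixes allowed out to the internet, checked against the source address; campus host and port reachable from outside, checked against the destination) and the read/write split: the slow-path side builds a complete new table and publishes it with one atomic pointer swap, while forwarding cores only ever load the pointer. The rule layout, the sample prefixes and the `demo()` scenario are assumptions.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not the patent's code): a fast-table mirror of the policy table. */
typedef enum {
    RULE_CAMPUS_TO_INTERNET = 0, /* campus prefix allowed to reach the internet (source check) */
    RULE_INTERNET_TO_CAMPUS = 1  /* campus host:port reachable from outside (destination check) */
} rule_kind_t;

typedef struct {
    rule_kind_t kind;
    uint32_t net, mask;  /* IPv4 prefix the rule covers */
    uint16_t port;       /* destination port for RULE_INTERNET_TO_CAMPUS, 0 = any */
} rule_t;

#define MAX_RULES 32
typedef struct { size_t n; rule_t rules[MAX_RULES]; } mirror_table_t;

/* Readers only ever see a fully built table: the pointer is swapped, never edited in place. */
static _Atomic(mirror_table_t *) g_mirror = NULL;

/* Slow-path side (writer). Returns the previous table, which the caller may free
 * only after every forwarding core has finished its current read of it. */
static mirror_table_t *publish_mirror(const rule_t *rules, size_t n) {
    if (n > MAX_RULES) n = MAX_RULES;
    mirror_table_t *t = calloc(1, sizeof *t);
    if (t == NULL) return NULL;
    memcpy(t->rules, rules, n * sizeof *rules);
    t->n = n;
    return atomic_exchange_explicit(&g_mirror, t, memory_order_acq_rel);
}

static bool prefix_match(uint32_t ip, const rule_t *r) {
    return (ip & r->mask) == (r->net & r->mask);
}

/* Fast-path side (reader): lock-free match. A miss means "drop", as in the
 * description; with no table published yet this also drops (fail closed). */
static bool mirror_allows(uint32_t src_ip, uint32_t dst_ip, uint16_t dst_port, bool from_extranet) {
    const mirror_table_t *t = atomic_load_explicit(&g_mirror, memory_order_acquire);
    if (t == NULL) return false;
    for (size_t i = 0; i < t->n; i++) {
        const rule_t *r = &t->rules[i];
        if (from_extranet) {
            if (r->kind == RULE_INTERNET_TO_CAMPUS && prefix_match(dst_ip, r) &&
                (r->port == 0 || r->port == dst_port))
                return true;
        } else if (r->kind == RULE_CAMPUS_TO_INTERNET && prefix_match(src_ip, r)) {
            return true;  /* genuine campus source; a forged source fails here */
        }
    }
    return false;
}

/* Constructed policy: campus 10.0.0.0/8 may reach the internet; only
 * 10.0.0.5:443 is reachable from outside. Returns the number of scenario
 * outcomes that match the policy (6 when the mirror behaves as intended). */
static int demo(void) {
    static const rule_t policy[] = {
        { RULE_CAMPUS_TO_INTERNET, 0x0A000000u, 0xFF000000u, 0 },
        { RULE_INTERNET_TO_CAMPUS, 0x0A000005u, 0xFFFFFFFFu, 443 },
    };
    mirror_table_t *old = publish_mirror(policy, 2);
    free(old);  /* NULL on first publish; a live system frees after a grace period */
    int ok = 0;
    ok += mirror_allows(0x0A000001u, 0x08080808u, 53, false) == true;   /* campus host going out */
    ok += mirror_allows(0xC0A80101u, 0x08080808u, 53, false) == false;  /* forged 192.168.1.1 source */
    ok += mirror_allows(0x01020304u, 0x0A000005u, 443, true) == true;   /* published service */
    ok += mirror_allows(0x01020304u, 0x0A000005u, 53, true) == false;   /* unlisted port */
    ok += mirror_allows(0x01020304u, 0x0A000006u, 443, true) == false;  /* unlisted host */
    /* Policy change: the writer publishes a new table; readers switch atomically. */
    static const rule_t policy2[] = { { RULE_INTERNET_TO_CAMPUS, 0x0A000006u, 0xFFFFFFFFu, 0 } };
    old = publish_mirror(policy2, 1);
    ok += mirror_allows(0x01020304u, 0x0A000006u, 22, true) == true;
    free(old);
    return ok;
}
```

The read side never blocks and never observes a half-updated table, which is what lets the forwarding cores drop unmatched packets before the fast/slow channel is involved. The writer's obligation is the reclamation of the old table: `demo()` frees it immediately because nothing else is reading, whereas a multi-core deployment must wait for a grace period in which every forwarding core has passed through a quiescent point.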
Device embodiment
With reference to Fig. 3, a schematic structural diagram of the packet processing device in a multicore forwarding system provided by an embodiment of the present application, the device includes a forwarding core 301, a first CPU 302 and a second CPU 303, and the forwarding core 301 includes a first judgment module 310, a first forwarding module 311 and a second forwarding module 312:
The first judgment module 310 is configured to judge, after a packet is received from the network card, whether the packet belongs to abnormal flow;
The first forwarding module 311 is configured to forward the packet to a preset first CPU, for processing by the first CPU, when the first judgment module determines that the packet belongs to abnormal flow;
The second forwarding module 312 is configured to forward the packet to a preset second CPU, for processing by the second CPU, when the first judgment module determines that the packet does not belong to abnormal flow and the packet belongs to extranet flow.
In an optional embodiment, the device further includes:
a first statistical module, configured to count, when the packet does not belong to abnormal flow and belongs to extranet flow, the number of packets with the same destination IP address as the packet among the packets received within a preset first time;
a second judgment module, configured to judge whether that number is greater than a preset first threshold;
a first determining module, configured to determine, when the result of the second judgment module is yes, that packets with the same destination IP address as the packet belong to abnormal flow.
In another optional embodiment, the device further includes:
a second statistical module, configured to count, when the packet does not belong to abnormal flow and belongs to intranet flow, the number of packets with the same source IP address as the packet among the packets received within a preset second time;
a third judgment module, configured to judge whether that number is greater than a preset second threshold;
a second determining module, configured to determine, when the result of the third judgment module is yes, that packets with the same source IP address as the packet belong to abnormal flow.
In addition, the device further includes:
a matching module, configured to read a preset mirror table without locking and to match the packet against the mirror table;
a first discard module, configured to discard the packet when the matching in the matching module fails;
a first trigger module, configured to trigger the first judgment module when the matching in the matching module succeeds;
wherein the mirror table is obtained from the policy table by fast-table mirroring.
In an optional embodiment, the device further includes:
a third determining module, configured to determine, after the packet is received from the network card, whether a session template corresponding to the packet exists;
a third forwarding module, configured to forward the packet based on the session template when the result of the third determining module is yes;
a second trigger module, configured to trigger the first judgment module when the result of the third determining module is no; wherein the session template is a preset traffic pattern that is allowed access.
Specifically, the first CPU includes:
a fourth determining module, configured to determine, when the packet is received, whether a session template corresponding to the packet exists;
a fourth forwarding module, configured to forward the packet based on the session template when the result of the fourth determining module is yes;
a second discard module, configured to discard the packet when the result of the fourth determining module is no; wherein the session template is a preset traffic pattern that is allowed access.
In the packet processing device in a multicore forwarding system provided by the embodiments of the present application, after the forwarding core receives a packet from the network card it judges whether the packet belongs to abnormal flow; if the packet belongs to abnormal flow, it is forwarded to the first CPU for processing, and if the packet does not belong to abnormal flow but belongs to extranet flow, the forwarding core forwards it to the second CPU for processing. The first CPU is dedicated to processing the abnormal flow in the firewall, and the second CPU is dedicated to processing the extranet flow in the firewall that does not belong to abnormal flow. By this divide-and-rule design for traffic, normal traffic can be kept from being affected by abnormal flow, which guarantees that normal traffic flows smoothly.
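The forwarding core's dispatch decision from the device embodiment and the summary above, as an added example in C that is not the patent's own code: the session-template shortcut first, then the two windowed counters of the optional embodiments, then the choice between the first CPU, the second CPU and local handling. Counter storage, the window and threshold values, the session-template shape and what happens to normal intranet traffic are assumptions.

```c
/* Added example, not code from the patent: the forwarding core's dispatch
 * decision, combining the session-template shortcut with the two windowed
 * counters of the optional embodiments (same destination IP for extranet
 * traffic, same source IP for intranet traffic). Counter storage, the window
 * and threshold values, the session-template shape and the handling of normal
 * intranet traffic are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define MAX_TRACK 64

enum dispatch {
    DISPATCH_SESSION,   /* known session template: forward directly */
    DISPATCH_CPU1,      /* abnormal flow: the CPU dedicated to it */
    DISPATCH_CPU2,      /* normal extranet flow: the second CPU */
    DISPATCH_INTRANET   /* normal intranet flow: not covered by the excerpt
                         * (assumed: handled on the forwarding core itself) */
};

struct pkt { uint32_t src_ip, dst_ip; uint16_t dst_port; bool from_intranet; };
struct session { uint32_t src_ip, dst_ip; uint16_t dst_port; };  /* preset allowed flow */

struct tracker {            /* one windowed counter per tracked IP */
    uint32_t ip, count;
    uint64_t window_start;  /* ms */
    bool abnormal;
};

struct fwd_core {
    const struct session *sessions; size_t n_sessions;
    uint64_t first_time, second_time;             /* window lengths in ms */
    uint32_t first_threshold, second_threshold;
    struct tracker dst[MAX_TRACK];  /* extranet packets, keyed by destination IP */
    struct tracker src[MAX_TRACK];  /* intranet packets, keyed by source IP */
};

static bool session_known(const struct fwd_core *c, const struct pkt *p)
{
    for (size_t i = 0; i < c->n_sessions; i++)
        if (c->sessions[i].src_ip == p->src_ip && c->sessions[i].dst_ip == p->dst_ip &&
            c->sessions[i].dst_port == p->dst_port)
            return true;
    return false;
}

/* Count one packet for `ip` inside a window of `window` ms and report whether
 * the IP is classified abnormal (count > threshold). The classification is
 * held until the window expires; the excerpt does not say how long it lasts. */
static bool count_and_check(struct tracker *tab, uint32_t ip, uint64_t now,
                            uint64_t window, uint32_t threshold)
{
    struct tracker *slot = NULL, *spare = NULL;
    for (int i = 0; i < MAX_TRACK; i++) {
        if (tab[i].count && tab[i].ip == ip) { slot = &tab[i]; break; }
        if (!tab[i].count && !spare) spare = &tab[i];
    }
    if (!slot) {
        if (!spare) return false;   /* table full: left as normal (assumption) */
        slot = spare; slot->ip = ip; slot->count = 0;
        slot->window_start = now; slot->abnormal = false;
    }
    if (now - slot->window_start >= window) {   /* new window: start over */
        slot->window_start = now; slot->count = 0; slot->abnormal = false;
    }
    if (slot->abnormal) return true;            /* already classified this window */
    slot->count++;
    slot->abnormal = slot->count > threshold;
    return slot->abnormal;
}

enum dispatch fwd_core_dispatch(struct fwd_core *c, const struct pkt *p, uint64_t now)
{
    if (session_known(c, p)) return DISPATCH_SESSION;
    bool abnormal = p->from_intranet
        ? count_and_check(c->src, p->src_ip, now, c->second_time, c->second_threshold)
        : count_and_check(c->dst, p->dst_ip, now, c->first_time, c->first_threshold);
    if (abnormal) return DISPATCH_CPU1;
    return p->from_intranet ? DISPATCH_INTRANET : DISPATCH_CPU2;
}
```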
In addition, an embodiment of the present application also provides a packet processing apparatus in a multicore forwarding system which, as shown in Fig. 4, may include:
a processor 401, a memory 402, an input unit 403 and an output device 404. The number of processors 401 in the packet processing apparatus in the multicore forwarding system may be one or more; Fig. 4 takes one processor as an example. In some embodiments of the invention, the processor 401, memory 402, input unit 403 and output device 404 may be connected by a bus or by other means; in Fig. 4, connection by a bus is taken as an example.
The memory 402 may be used to store software programs and modules, and the processor 401 executes the various functional applications and data processing of the packet processing apparatus in the multicore forwarding system by running the software programs and modules stored in the memory 402. The memory 402 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, an application program required by at least one function, and so on. In addition, the memory 402 may include high-speed random access memory and may also include nonvolatile memory, for example at least one magnetic disk storage device, flash memory device or other volatile solid-state storage device. The input unit 303 may be used to receive input numeric or character information and to generate signal inputs related to the user settings and function control of the packet processing apparatus in the multicore forwarding system.
Specifically, in this embodiment, the processor 401 may, according to the following instructions, load the executable files corresponding to the processes of one or more application programs into the memory 402, and the processor 401 runs the application programs stored in the memory 402 so as to implement the various functions in the above method.
In addition, the present invention also provides a computer-readable storage medium. Instructions are stored in the computer-readable storage medium, and when the instructions are run on a terminal device they cause the terminal device to execute the above method.
It can be understood that, since the device embodiment basically corresponds to the method embodiment, the relevant description can refer to the corresponding part of the method embodiment. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. A person of ordinary skill in the art can understand and implement this without creative effort.
It should be noted that in this document relational terms such as first and second are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The packet processing method, device and apparatus in a multicore forwarding system provided by the embodiments of the present application have been described in detail above. Specific examples have been used herein to illustrate the principles and implementation of the present application, and the description of the above embodiments is only intended to help understand the method of the present application and its core idea; at the same time, a person of ordinary skill in the art, following the idea of the present application, will make changes in the specific implementation and the scope of application. In summary, the contents of this specification should not be construed as a limitation on the present application.

Claims (10)

1. A packet processing method in a multicore forwarding system, characterized in that the multicore forwarding system includes a forwarding core, a first CPU and a second CPU, and the method includes:
the forwarding core, after receiving a packet from the network card, judging whether the packet belongs to abnormal flow;
if the packet belongs to abnormal flow, the forwarding core forwarding the packet to a preset first CPU, for processing by the first CPU;
if the packet does not belong to abnormal flow and the packet belongs to extranet flow, the forwarding core forwarding the packet to a preset second CPU, for processing by the second CPU.
2. The method according to claim 1, characterized in that the method further includes:
if the packet does not belong to abnormal flow and the packet belongs to extranet flow, the forwarding core counting the number of packets with the same destination IP address as the packet among the packets received within a preset first time;
the forwarding core judging whether that number is greater than a preset first threshold; if so, determining that packets with the same destination IP address as the packet belong to abnormal flow.
3. The method according to claim 1 or 2, characterized in that the method further includes:
if the packet does not belong to abnormal flow and the packet belongs to intranet flow, the forwarding core counting the number of packets with the same source IP address as the packet among the packets received within a preset second time;
the forwarding core judging whether that number is greater than a preset second threshold; if so, determining that packets with the same source IP address as the packet belong to abnormal flow.
4. The method according to claim 1, characterized in that, before the judging whether the packet belongs to abnormal flow, the method further includes:
the forwarding core reading a preset mirror table without locking, and matching the packet against the mirror table;
if the match fails, the forwarding core discarding the packet; otherwise, executing the step of judging whether the packet belongs to abnormal flow;
wherein the mirror table is obtained from the policy table by fast-table mirroring.
5. The method according to claim 1, characterized in that, before the judging whether the packet belongs to abnormal flow, the method further includes:
the forwarding core, after receiving the packet from the network card, determining whether a session template corresponding to the packet exists;
if so, forwarding the packet based on the session template; otherwise, executing the step of judging whether the packet belongs to abnormal flow; wherein the session template is a preset traffic pattern that is allowed access.
6. The method according to claim 1, characterized in that the method further includes:
the first CPU, when receiving the packet, determining whether a session template corresponding to the packet exists;
if so, the first CPU forwarding the packet based on the session template; otherwise, discarding the packet; wherein the session template is a preset traffic pattern that is allowed access.
7. A packet processing device in a multicore forwarding system, characterized in that the device includes a forwarding core, a first CPU and a second CPU, and the forwarding core includes a first judgment module, a first forwarding module and a second forwarding module:
the first judgment module, configured to judge, after a packet is received from the network card, whether the packet belongs to abnormal flow;
the first forwarding module, configured to forward the packet to a preset first CPU, for processing by the first CPU, when the first judgment module determines that the packet belongs to abnormal flow;
the second forwarding module, configured to forward the packet to a preset second CPU, for processing by the second CPU, when the first judgment module determines that the packet does not belong to abnormal flow and the packet belongs to extranet flow.
8. The device according to claim 7, characterized in that the device further includes:
a first statistical module, configured to count, when the packet does not belong to abnormal flow and belongs to extranet flow, the number of packets with the same destination IP address as the packet among the packets received within a preset first time;
a second judgment module, configured to judge whether that number is greater than a preset first threshold;
a first determining module, configured to determine, when the result of the second judgment module is yes, that packets with the same destination IP address as the packet belong to abnormal flow.
9. A computer-readable storage medium, characterized in that instructions are stored in the computer-readable storage medium, and when the instructions are run on a terminal device they cause the terminal device to execute the method according to any one of claims 1 to 6.
10. A packet processing apparatus in a multicore forwarding system, characterized in that it comprises: a memory, a processor, and a computer program stored on the memory and runnable on the processor, wherein the processor, when executing the computer program, implements the method according to any one of claims 1 to 6.
CN201910486626.0A 2019-06-05 2019-06-05 Message processing method, device and equipment in a kind of multicore repeater system Pending CN110224947A (en)

Publications (1)

Publication Number Publication Date
CN110224947A true CN110224947A (en) 2019-09-10

Family

ID=67819480

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190910