CN110381175A - A kind of security strategy accelerometer construction method and device - Google Patents


Info

Publication number: CN110381175A
Authority: CN (China)
Prior art keywords: address; domain name; list item; security strategy; accelerometer
Legal status: Granted
Application number: CN201910611878.1A
Other languages: Chinese (zh)
Other versions: CN110381175B (en)
Inventor: 岳伟国
Current Assignee: New H3C Security Technologies Co Ltd
Original Assignee: New H3C Security Technologies Co Ltd

Application filed by New H3C Security Technologies Co Ltd
Priority to CN201910611878.1A
Publication of CN110381175A
Application granted
Publication of CN110381175B
Legal status: Active

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
        • H04L61/45 Network directories; Name-to-address mapping
        • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
        • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
        • H04L61/58 Caching of addresses or names
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
        • H04L67/01 Protocols
        • H04L67/10 Protocols in which an application is distributed across nodes in the network
        • H04L67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
        • H04L67/1036 Load balancing of requests to servers for services different from user content provisioning, e.g. load balancing across domain name servers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the present application provide a security policy acceleration table construction method and device. The scheme includes: storing an address cache table holding multiple address cache entries, where each address cache entry is the IP address set of a different domain name, each IP address set stores M IP addresses, and the aging time of each IP address is greater than M+1 domain-name address switching periods; receiving a first DNS protocol packet; finding the first address cache entry that matches the domain name carried in the first DNS protocol packet; if the IP address set of the first address cache entry already contains the IP address carried in the first DNS protocol packet, not generating an event that triggers a refresh of the security policy acceleration table; and refreshing the storage time of that IP address in the IP address set of the first address cache entry. With the technical solution provided by the embodiments, the consumption of memory and CPU resources is reduced and the probability of security policy check failure is lowered.

Description

Security policy acceleration table construction method and device
Technical field
This application relates to the technical field of network security, and in particular to a security policy acceleration table construction method and device.
Background art
To improve the efficiency of packet security processing, a network device takes the IP (Internet Protocol) address corresponding to the domain name of a user-specified website as the Key and the security policy rule corresponding to that IP address as the Value, and builds a security policy acceleration table from them. A hash value computed from the domain name's IP address then locates the domain name's security policy quickly, avoiding a one-by-one match of the domain name's IP address against the entries of the policy table.
In a load-balancing network, multiple servers provide the same service, so one domain name corresponds to multiple IP addresses, but at any given moment the domain name resolves to only one of them. As the domain name switches repeatedly among its IP addresses, a domain-name change event is generated on each switch. When the refresh period of the network device's security policy acceleration table arrives, the device writes the security policy of each domain name and the IP address it currently uses into the acceleration table according to each domain-name change event. If the refresh period has not yet arrived, the correspondence between the IP address currently used by a domain name whose address has switched and its security policy cannot be written into the acceleration table, which leads to security policy check failure.
In addition, building the acceleration table consumes a large amount of memory and CPU and takes a long time. A network device such as a gateway needs to access a large number of domain names; each domain name switching among multiple IP addresses leaves the device with a large number of domain-name change events to process. If all pending domain-name change events cannot be handled within one acceleration table refresh period, the correspondence between the current IP addresses and the security policies likewise cannot be written into the acceleration table, again causing security policy check failure.
Summary of the invention
The embodiments of the present application aim to provide a security policy acceleration table construction method and device that reduce the consumption of memory and CPU resources and lower the probability of security policy check failure. The specific technical solution is as follows:
In a first aspect, an embodiment of the present application provides a security policy acceleration table construction method, which includes:
storing an address cache table with multiple address cache entries, where each address cache entry is the IP address set of a different domain name, each IP address set stores M IP addresses, the aging time of each IP address is greater than M+1 domain-name address switching periods, and M is an integer greater than or equal to 2;
receiving a first DNS protocol packet;
finding the first address cache entry that matches the domain name carried in the first DNS protocol packet;
determining that the IP address set of the first address cache entry contains the IP address carried in the first DNS protocol packet and, in that case, not generating an event that triggers a refresh of the security policy acceleration table;
refreshing the storage time of the IP address carried in the first DNS protocol packet within the IP address set of the first address cache entry.
In a second aspect, an embodiment of the present application provides a security policy acceleration table construction device, which includes:
a storage unit for storing an address cache table with multiple address cache entries, where each address cache entry is the IP address set of a different domain name, each IP address set stores M IP addresses, the aging time of each IP address is greater than M+1 domain-name address switching periods, and M is an integer greater than or equal to 2;
a receiving unit for receiving the first DNS protocol packet;
a searching unit for finding the first address cache entry that matches the domain name carried in the first DNS protocol packet;
a determination unit for determining that the IP address set of the first address cache entry contains the IP address carried in the first DNS protocol packet and, in that case, not generating an event that triggers a refresh of the security policy acceleration table;
a refresh unit for refreshing the storage time of the IP address carried in the first DNS protocol packet within the IP address set of the first address cache entry.
In a third aspect, an embodiment of the present application provides a network device including a processor and a machine-readable storage medium. The machine-readable storage medium stores machine-executable instructions that the processor can execute, and the processor is caused by those instructions to carry out any of the method steps described above.
In a fourth aspect, an embodiment of the present application provides a machine-readable storage medium storing machine-executable instructions that a processor can execute, the processor being caused by those instructions to carry out any of the method steps described above.
In the security policy acceleration table construction method and device provided by the embodiments, the aging time of each IP address in an address cache entry is large enough that, as a domain name switches among its multiple IP addresses, none of those addresses ages out of the entry. When the network device accesses a large number of domain names and each domain name switches only among the IP addresses already obtained, no event triggering a refresh of the security policy acceleration table is generated. This speeds up construction of the acceleration table, avoids the situation in which a domain name's post-switch IP address and security policy cannot be updated into the acceleration table, reduces memory and CPU consumption, and lowers the probability of security policy check failure.
Of course, any product or method implementing the present application need not achieve all of the above advantages at the same time.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are introduced briefly below. The drawings in the following description are only some embodiments of the present application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of a load-balancing network provided by an embodiment of the present application;
Fig. 2 is a first flow diagram of the security policy acceleration table construction method provided by an embodiment of the present application;
Fig. 3 is a schematic diagram of a preset cache table provided by an embodiment of the present application;
Fig. 4 is a second flow diagram of the security policy acceleration table construction method provided by an embodiment of the present application;
Fig. 5 is a third flow diagram of the security policy acceleration table construction method provided by an embodiment of the present application;
Fig. 6 is a fourth flow diagram of the security policy acceleration table construction method provided by an embodiment of the present application;
Fig. 7 is a structural schematic diagram of a security policy acceleration table construction device provided by an embodiment of the present application;
Fig. 8 is a structural schematic diagram of a network device provided by an embodiment of the present application.
Detailed description of the embodiments
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings. Evidently, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments herein, without creative effort, fall within the scope of protection of the present application.
The terms used in the embodiments of the present application are explained below.
Security policy rule: consists of a match condition and an action. After the network device receives a data packet, it matches the packet against the match conditions, determines which match condition the packet matches, and processes the packet according to the action corresponding to that match condition.
Domain-name change event: generated when the network device determines that the IP address a domain name originally used differs from the IP address carried in a DNS (Domain Name System) protocol packet.
In a load-balancing network, multiple servers provide the same service, so one domain name corresponds to multiple IP addresses. The load-balancing network shown in Fig. 1 includes user device 100, firewall device 101 and servers 102-104. Servers 102-104 provide the same service externally and share one domain name, for example domain name 1. Domain name 1 therefore corresponds to three IP addresses: IP1 of server 102, IP2 of server 103 and IP3 of server 104. The IP address corresponding to domain name 1 switches repeatedly among IP1-IP3, and on each switch firewall device 101 generates a domain-name change event. When the refresh period of the security policy acceleration table arrives, firewall device 101 writes the security policy of domain name 1 and the IP address currently in use into the acceleration table according to each domain-name change event. If the refresh period has not yet arrived, the correspondence between the current IP address of domain name 1 and its security policy cannot be written into the acceleration table, which leads to security policy check failure.
In addition, firewall device 101 needs to access a large number of domain names, and each domain name switching among multiple IP addresses leaves the network device with a large number of domain-name change events to process. If all pending domain-name change events cannot be handled within one acceleration table refresh period, the correspondence between the current IP addresses and the security policies likewise cannot be written into the security policy acceleration table, causing security policy check failure.
To solve the above problems, an embodiment of the present application provides a security policy acceleration table construction method. The method can be applied to network devices such as firewalls, routers and switches. As shown in Fig. 2, the method comprises the following steps:
Step 201: store an address cache table with multiple address cache entries. Each address cache entry is the IP address set of a different domain name; each IP address set stores M IP addresses, the aging time of each IP address is greater than M+1 domain-name address switching periods, and M is an integer greater than or equal to 2.
Step 202: receive a first DNS protocol packet.
Step 203: find the first address cache entry that matches the domain name carried in the first DNS protocol packet.
Step 204: determine that the IP address set of the first address cache entry contains the IP address carried in the first DNS protocol packet; in that case, do not generate an event that triggers a refresh of the security policy acceleration table.
Step 205: refresh the storage time of the IP address carried in the first DNS protocol packet in the IP address set of the first address cache entry.
For example, M is 10 and the domain-name address switching period is 20 seconds. The network device stores an address cache table with multiple address cache entries, each of which stores 10 IP addresses, and the aging time of each IP address in an address cache entry is greater than 20 × (10+1) = 220 seconds.
The network device receives DNS protocol packet 1, which carries domain name 1 and IP address IP1. The device finds address cache entry 1, which matches domain name 1, and determines that the IP address set of address cache entry 1 contains IP1. It therefore generates no event triggering a refresh of the security policy acceleration table and, at the same time, refreshes the storage time of IP1 in the IP address set of address cache entry 1 to the current time.
In the security policy acceleration table construction method provided by the embodiments, the aging time of each IP address in an address cache entry is large enough that, as a domain name switches among its multiple IP addresses, none of those addresses ages out of the entry. When the network device accesses a large number of domain names and each domain name switches only among the IP addresses already obtained, no event triggering a refresh of the acceleration table is generated. This speeds up construction of the acceleration table, avoids the situation in which a domain name's post-switch IP address and security policy cannot be updated into the acceleration table, reduces memory and CPU consumption, and lowers the probability of security policy check failure.
In the embodiments of the present application, each IP address set stores M IP addresses, and the aging time of each IP address may be N times M+1 domain-name address switching periods, where N is an integer greater than or equal to 1. For example, with N = 2, M = 10 and a switching period of 20 seconds, the aging time of each IP address in an address cache entry is 2 × 20 × (10+1) = 440 seconds.
In one embodiment of the present application, the network device checks, at a preset period, whether the IP address set of any address cache entry in the address cache table contains an IP address that has reached its aging time. If so, the device deletes every IP address that has reached its aging time from the IP address sets of the address cache entries and generates an event that triggers a refresh of the security policy acceleration table. In response to that event, the device rebuilds the acceleration table: specifically, it writes each domain name's security policy together with the IP addresses contained in the IP address set of the corresponding address cache entry into the security policy acceleration table.
For example, the address cache table is as shown in Fig. 3. The IP address set of the address cache entry matching domain name 1 contains IP1, IP2 and IP3; the IP address set of the entry matching domain name 2 contains IP4, IP5 and IP6; the IP address set of the entry matching domain name 3 contains IP7, IP8 and IP9.
Assume the aging time is 1 hour and the preset period is 5 minutes. Every 5 minutes the network device checks whether any of IP1-IP9 has a storage duration that has reached 1 hour, where the storage duration is the difference between the current time and the address's storage time. If IP3 is the address whose storage duration has reached 1 hour, that is, IP3 has reached its aging time, the device deletes IP3 from the IP address set of the address cache entry matching domain name 1 and, in response to the event triggering a refresh of the acceleration table, writes the security policy of domain name 1 together with IP1 and IP2 into the security policy acceleration table.
In the embodiments of the present application, an IP address in the IP address set of an address cache entry that has reached its aging time is regarded as an invalid IP address, and deleting such addresses from the IP address sets saves storage resources. Moreover, rebuilding the security policy acceleration table only from the IP addresses in each entry that have not reached their aging time avoids using the acceleration table to pass data packets that carry an invalid IP address.
Based on the security policy acceleration table construction method shown in Fig. 2, an embodiment of the present application also provides a security policy acceleration table construction method which, as shown in Fig. 4, may include the following steps.
Step 401: receive a second DNS protocol packet.
Step 402: find the second address cache entry that matches the domain name carried in the second DNS protocol packet.
Step 403: determine that the IP address set of the second address cache entry does not contain the IP address carried in the second DNS protocol packet and that the number of addresses in the IP address set of the second address cache entry is less than M.
Step 404: record the IP address carried in the second DNS protocol packet and its storage time in the IP address set of the second address cache entry.
Step 405: generate an event that triggers a refresh of the security policy acceleration table.
For example, M is 10 and the domain-name address switching period is 20 seconds. The network device stores an address cache table with multiple address cache entries, each of which stores 10 IP addresses, and the aging time of each IP address in an address cache entry is greater than 20 × (10+1) = 220 seconds.
The network device receives DNS protocol packet 2, which carries domain name 1 and IP address IP21. The device finds address cache entry 1, which matches domain name 1, and determines that the IP address set of address cache entry 1 does not contain IP21 and holds fewer than 10 addresses. It therefore records IP21 in the IP address set of address cache entry 1, sets the storage time of IP21 in that set to the current time, and generates an event that triggers a refresh of the security policy acceleration table. In response to that event, the device writes the security policy of domain name 1 together with all IP addresses in the IP address set of address cache entry 1 into the security policy acceleration table.
In the embodiments of the present application, the second address cache entry may contain no IP address at all or may already contain other IP addresses; this embodiment does not limit it.
With the embodiment shown in Fig. 4, the network device updates the post-switch IP address and the security policy of the domain name into the security policy acceleration table in time, avoiding the security policy check failure that results from not rebuilding the acceleration table until the periodic refresh.
Based on the security policy acceleration table construction method shown in Fig. 2, an embodiment of the present application also provides a security policy acceleration table construction method which, as shown in Fig. 5, may include the following steps.
Step 501: receive a third DNS protocol packet.
Step 502: find the third address cache entry that matches the domain name carried in the third DNS protocol packet.
Step 503: determine that the IP address set of the third address cache entry does not contain the IP address carried in the third DNS protocol packet and that the number of addresses in the IP address set of the third address cache entry is equal to M.
Step 504: delete the IP address with the earliest storage time from the IP address set of the third address cache entry.
Step 505: record the IP address carried in the third DNS protocol packet and its storage time in the IP address set of the third address cache entry.
Step 506: generate an event that triggers a refresh of the security policy acceleration table.
For example, M is 10 and the domain-name address switching period is 20 seconds. The network device stores an address cache table with multiple address cache entries, each of which stores 10 IP addresses, and the aging time of each IP address in an address cache entry is greater than 20 × (10+1) = 220 seconds.
The network device receives DNS protocol packet 3, which carries domain name 1 and IP address IP31. The device finds address cache entry 1, which matches domain name 1, and determines that the IP address set of address cache entry 1 does not contain IP31 and already holds 10 addresses. It deletes the IP address with the earliest storage time from the IP address set of address cache entry 1, records IP31 in that set with the current time as its storage time, and generates an event that triggers a refresh of the security policy acceleration table. In response to that event, the device writes the security policy of domain name 1 together with all IP addresses in the IP address set of address cache entry 1 into the security policy acceleration table.
With the embodiment shown in Fig. 5, the network device deletes from the IP address set of the address cache entry the address with the earliest storage time, that is, the address most likely to be invalid, avoiding the use of the acceleration table to pass data packets that carry an invalid IP address. At the same time, the post-switch IP address and the security policy of the domain name are updated into the security policy acceleration table, avoiding the security policy check failure that results from not rebuilding the acceleration table until the periodic refresh.
Based on security strategy accelerometer construction method shown in Fig. 1-5, the embodiment of the present application also provides a kind of safe plans Slightly accelerometer construction method, refering to what is shown in Fig. 6, this method may include steps of.
Step 601, the 4th DNS Protocol message is received.
Step 602, the IP address and the 4th DNS Protocol message that the domain name original that the 4th DNS Protocol message carries uses are determined The IP address of carrying is different.
Step 603, the matched 4th address caching list item of domain name carried with the 4th DNS Protocol message is found.
Step 604, with determining the IP that the IP address set of the 4th address caching list item is carried comprising the 4th DNS Protocol message Location does not generate the event that triggering refreshes security strategy accelerometer then.
Step 605, refresh the IP address that the 4th DNS Protocol message carries in the IP address set of the 4th address caching list item Storage time.
Step 606, the IP address set for determining the 4th address caching list item does not include the IP that the 4th DNS Protocol message carries The address number of the IP address set of address and the 4th address caching list item is less than M.
Step 607, the IP that the 4th DNS Protocol message carries is recorded in the IP address set of the 4th address caching list item Location and storage time.
Step 608, the event that triggering refreshes security strategy accelerometer is generated.
Step 609, the IP address set for determining the 4th address caching list item does not include the IP that the 4th DNS Protocol message carries The address number of the IP address set of address and the 4th address caching list item is equal to M.
Step 610, the earliest IP address of storage time in the IP address set of the 4th address caching list item is deleted.It executes Step 607.
For example, let M be 10. The network device receives DNS protocol message 4, which carries domain name 1 and IP address IP41. The IP address previously used by the domain name carried in the fourth DNS protocol message is IP1. The network device determines that IP1, the address the domain name carried in DNS protocol message 4 used before, differs from IP41, the address carried in the fourth DNS protocol message, and generates a DNS domain name change event. Based on the DNS domain name change event, the network device finds address cache entry 1, which matches domain name 1.
If the network device determines that the IP address set of address cache entry 1 includes IP address IP41, it does not generate an event that triggers refreshing of the security policy acceleration table; at the same time, it refreshes the storage time of IP41 in the IP address set of address cache entry 1 to the current time.
If the network device determines that the IP address set of address cache entry 1 does not include IP41 and that the number of addresses in the IP address set of address cache entry 1 is less than 10, it records IP41 in the IP address set of address cache entry 1 and sets the storage time of IP41 in that set to the current time. The network device then generates an event that triggers refreshing of the security policy acceleration table.
If the network device determines that the IP address set of address cache entry 1 does not include IP41 and that the number of addresses in the IP address set of address cache entry 1 equals 10, it deletes the IP address with the earliest storage time from the IP address set of address cache entry 1, records IP41 in that set, and sets the storage time of IP41 to the current time. The network device then generates an event that triggers refreshing of the security policy acceleration table.
In one embodiment of the application, if the network device determines that the IP address previously used by the domain name carried in the fourth DNS protocol message is the same as the IP address carried in the fourth DNS protocol message, it does not generate a DNS domain name change event, does not look up the fourth address cache entry matching the domain name carried in the fourth DNS protocol message, and consequently does not generate an event that triggers refreshing of the security policy acceleration table.
With the embodiment shown in Fig. 6, the network device does not generate a refresh-trigger event merely because a DNS domain name change event has occurred; it generates the event that triggers refreshing of the security policy acceleration table only when the IP address set of the address cache entry actually changes. This avoids frequent reconstruction of the security policy acceleration table and reduces the load on the CPU.
In one embodiment of the application, the network device may periodically send a DNS protocol request message to the DNS server. The DNS server obtains the IP address currently used by the domain name carried in the DNS protocol request message and sends that domain name and its current IP address to the network device in a DNS protocol message.
In another embodiment of the application, the DNS server periodically sends the IP address currently used by each domain name to the network device in a DNS protocol message.
In the embodiments of the application, the first, second, third and fourth DNS protocol messages described above may be obtained in either of these two ways; the embodiments of the application do not limit this.
Based on the above security policy acceleration table construction method embodiments, the embodiments of the application also provide a security policy acceleration table construction apparatus. Referring to Fig. 7, Fig. 7 is a schematic structural diagram of a security policy acceleration table construction apparatus provided by an embodiment of the application. The apparatus is applied to a network device and includes:
Storage unit 701, configured to store an address cache table with multiple address cache entries; wherein each address cache entry is the IP address set of a different domain name, each IP address set is used to store M IP addresses, the ageing time of each IP address is greater than M+1 domain name address switching periods, and M is an integer greater than or equal to 2;
Receiving unit 702, configured to receive a first domain name system protocol message;
Searching unit 703, configured to find a first address cache entry matching the domain name carried in the first domain name system protocol message;
Determination unit 704, configured to determine that the IP address set of the first address cache entry includes the IP address carried in the first domain name system protocol message, in which case no event that triggers refreshing of the security policy acceleration table is generated;
Refresh unit 705, configured to refresh, in the IP address set of the first address cache entry, the storage time of the IP address carried in the first domain name system protocol message.
In an optional embodiment, receiving unit 702 may also be configured to receive a second domain name system protocol message;
Searching unit 703 may also be configured to find a second address cache entry matching the domain name carried in the second domain name system protocol message;
Determination unit 704 may also be configured to determine that the IP address set of the second address cache entry does not include the IP address carried in the second domain name system protocol message and that the number of addresses in the IP address set of the second address cache entry is less than M;
Refresh unit 705 may also be configured to record, in the IP address set of the second address cache entry, the IP address carried in the second domain name system protocol message and its storage time;
The above security policy acceleration table construction apparatus may further include:
A generation unit, configured to generate the event that triggers refreshing of the security policy acceleration table.
In an optional embodiment, receiving unit 702 may also be configured to receive a third domain name system protocol message;
Searching unit 703 may also be configured to find a third address cache entry matching the domain name carried in the third domain name system protocol message;
Determination unit 704 may also be configured to determine that the IP address set of the third address cache entry does not include the IP address carried in the third domain name system protocol message and that the number of addresses in the IP address set of the third address cache entry equals M;
Refresh unit 705 may also be configured to delete the IP address with the earliest storage time from the IP address set of the third address cache entry, and to record, in the IP address set of the third address cache entry, the IP address carried in the third domain name system protocol message and its storage time;
The above security policy acceleration table construction apparatus may further include:
A generation unit, configured to generate the event that triggers refreshing of the security policy acceleration table.
In an optional embodiment, refresh unit 705 may also be configured to delete, from the IP address set of each address cache entry in the address cache table, the IP addresses whose ageing time has been reached;
The above security policy acceleration table construction apparatus may further include:
A generation unit, configured to generate the event that triggers refreshing of the security policy acceleration table.
In the security policy acceleration table construction apparatus provided by the embodiments of the application, the ageing time of each IP address in an address cache entry is large enough that, when a domain name switches among multiple IP addresses, none of those IP addresses ages out of the cache entry. When the network device needs to access a large number of domain names and each domain name switches among all the IP addresses it has obtained, no event that triggers refreshing of the security policy acceleration table is generated; that is, construction of the security policy acceleration table is accelerated, the situation in which the IP address used after a domain name switch and the domain name's security policy cannot be updated into the security policy acceleration table is avoided, memory and CPU consumption is reduced, and the probability of security policy check failure is reduced.
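The cache-entry logic of Figs. 2 to 6 and of the Fig. 7 units in one small Python model, added here as an example and not the applicant's code: an address set bounded to M entries with storage times, earliest-first eviction when the set is full, the ageing pass that deletes addresses whose ageing time is reached, and the Fig. 6 rule that only a change in the address a domain name uses leads to a lookup. Class and function names, creating an entry the first time a domain name is seen, and the round-robin scenario with constructed addresses are assumptions.

```python
"""Model of the address cache table described in the patent (added example, not the
applicant's code). Names, the dict-based layout, entry creation on first sight of a
domain name and the simulation scenario are assumptions."""


class AddressCacheEntry:
    """IP address set of one domain name: at most M addresses, each with its storage time."""

    def __init__(self, m):
        self.m = m
        self.addrs = {}  # ip -> storage time

    def update(self, ip, now):
        """Figs. 2-5: returns True when an event that triggers refreshing of the
        security policy acceleration table must be generated, i.e. only when the
        set of addresses actually changes."""
        if ip in self.addrs:                  # address already cached:
            self.addrs[ip] = now              # refresh its storage time, no event
            return False
        if len(self.addrs) >= self.m:         # set is full (count == M):
            oldest = min(self.addrs, key=self.addrs.get)
            del self.addrs[oldest]            # delete the earliest-stored address
        self.addrs[ip] = now                  # record address and storage time
        return True                           # trigger event

    def age_out(self, now, ageing_time):
        """Claim 4: delete addresses whose ageing time has been reached; returns them."""
        stale = [ip for ip, t in self.addrs.items() if now - t >= ageing_time]
        for ip in stale:
            del self.addrs[ip]
        return stale


class AddressCacheTable:
    """Address cache table: one AddressCacheEntry per domain name."""

    def __init__(self, m, ageing_time):
        assert m >= 2, "M must be an integer greater than or equal to 2"
        self.m = m
        self.ageing_time = ageing_time
        self.entries = {}        # domain name -> AddressCacheEntry
        self.last_ip = {}        # domain name -> IP carried by the previous DNS message
        self.refresh_events = 0  # trigger events handed to the acceleration table builder

    def on_dns_message(self, domain, ip, now):
        """Fig. 6 flow: only a DNS domain name change event (the carried IP differs
        from the one the domain used before) leads to a cache lookup; the lookup
        decides whether a refresh-trigger event is generated."""
        prev = self.last_ip.get(domain)
        self.last_ip[domain] = ip
        if prev == ip:
            return False                      # no change event: no lookup, no trigger
        # Creating the entry when the domain name is first seen is an assumption.
        entry = self.entries.setdefault(domain, AddressCacheEntry(self.m))
        if entry.update(ip, now):
            self.refresh_events += 1
            return True
        return False

    def age_out(self, now):
        """Periodic ageing pass over every entry; one trigger event if anything was deleted."""
        removed = sum(len(e.age_out(now, self.ageing_time)) for e in self.entries.values())
        if removed:
            self.refresh_events += 1
        return removed


def simulate_round_robin(m, switching_period, ageing_time, switches):
    """Constructed scenario: one domain name cycles through M addresses, switching every
    switching_period seconds, and the ageing pass runs after every switch.
    Returns (refresh_events, total_aged_out). With ageing_time greater than
    (M+1) * switching_period the only events are the M that fill the entry."""
    table = AddressCacheTable(m, ageing_time)
    ips = ["10.0.0.%d" % (i + 1) for i in range(m)]  # constructed sample addresses
    aged = 0
    for k in range(switches):
        now = k * switching_period
        table.on_dns_message("example.test", ips[k % m], now)
        aged += table.age_out(now)
    return table.refresh_events, aged
```

Running `simulate_round_robin(3, 10, 41, 30)` gives 3 trigger events and nothing aged out, while the same scenario with an ageing time of 15 keeps deleting and re-adding addresses and triggers a refresh twice per switch.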
Based on the above security policy acceleration table construction method embodiments, the embodiments of the application also provide a network device, as shown in Fig. 8, including a processor 801 and a machine-readable storage medium 802. The machine-readable storage medium 802 stores machine-executable instructions that can be executed by the processor 801, and those machine-executable instructions cause the processor 801 to implement any of the steps shown in Figs. 2 to 6.
In an optional embodiment, as shown in Fig. 8, the network device may further include a communication interface 803 and a communication bus 804, where the processor 801, the machine-readable storage medium 802 and the communication interface 803 communicate with one another through the communication bus 804, and the communication interface 803 is used for communication between the network device and other devices.
Based on the above security policy acceleration table construction method embodiments, the embodiments of the application also provide a machine-readable storage medium that stores machine-executable instructions executable by a processor. The machine-executable instructions cause the processor to implement any of the steps shown in Figs. 2 to 6.
The above communication bus may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, and so on.
The above machine-readable storage medium may include RAM (Random Access Memory) and may also include NVM (Non-Volatile Memory), for example at least one magnetic disk storage. In addition, the machine-readable storage medium may be at least one storage device located remotely from the aforementioned processor.
The above processor may be a general-purpose processor, including a CPU (Central Processing Unit), an NP (Network Processor) or the like; it may also be a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
It should be noted that, in this document, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" and any variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Unless further restricted, an element introduced by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
The embodiments in this specification are described in a related manner; the same or similar parts among the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, since the security policy acceleration table construction apparatus, network device and machine-readable storage medium embodiments are substantially similar to the security policy acceleration table construction method embodiments, they are described relatively briefly, and the relevant parts may be found in the description of the method embodiments.
The foregoing is merely a description of preferred embodiments of the application and is not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the application falls within its scope of protection.

Claims (10)

1. A security policy acceleration table construction method, characterized in that the method includes:
storing an address cache table with multiple address cache entries; wherein each address cache entry is the Internet Protocol (IP) address set of a different domain name, each IP address set is used to store M IP addresses, the ageing time of each IP address is greater than M+1 domain name address switching periods, and M is an integer greater than or equal to 2;
receiving a first domain name system protocol message;
finding a first address cache entry matching the domain name carried in the first domain name system protocol message;
determining that the IP address set of the first address cache entry includes the IP address carried in the first domain name system protocol message, and in that case not generating an event that triggers refreshing of the security policy acceleration table;
refreshing, in the IP address set of the first address cache entry, the storage time of the IP address carried in the first domain name system protocol message.
2. The method according to claim 1, characterized in that the method further includes:
receiving a second domain name system protocol message;
finding a second address cache entry matching the domain name carried in the second domain name system protocol message;
determining that the IP address set of the second address cache entry does not include the IP address carried in the second domain name system protocol message and that the number of addresses in the IP address set of the second address cache entry is less than the M;
recording, in the IP address set of the second address cache entry, the IP address carried in the second domain name system protocol message and its storage time;
generating the event that triggers refreshing of the security policy acceleration table.
3. The method according to claim 1, characterized in that the method further includes:
receiving a third domain name system protocol message;
finding a third address cache entry matching the domain name carried in the third domain name system protocol message;
determining that the IP address set of the third address cache entry does not include the IP address carried in the third domain name system protocol message and that the number of addresses in the IP address set of the third address cache entry equals the M;
deleting the IP address with the earliest storage time from the IP address set of the third address cache entry;
recording, in the IP address set of the third address cache entry, the IP address carried in the third domain name system protocol message and its storage time;
generating the event that triggers refreshing of the security policy acceleration table.
4. The method according to claim 1, characterized in that the method further includes:
deleting, from the IP address set of each address cache entry in the address cache table, the IP addresses whose ageing time has been reached;
generating the event that triggers refreshing of the security policy acceleration table.
5. A security policy acceleration table construction apparatus, characterized in that the apparatus includes:
a storage unit, configured to store an address cache table with multiple address cache entries; wherein each address cache entry is the Internet Protocol (IP) address set of a different domain name, each IP address set is used to store M IP addresses, the ageing time of each IP address is greater than M+1 domain name address switching periods, and M is an integer greater than or equal to 2;
a receiving unit, configured to receive a first domain name system protocol message;
a searching unit, configured to find a first address cache entry matching the domain name carried in the first domain name system protocol message;
a determination unit, configured to determine that the IP address set of the first address cache entry includes the IP address carried in the first domain name system protocol message, in which case no event that triggers refreshing of the security policy acceleration table is generated;
a refresh unit, configured to refresh, in the IP address set of the first address cache entry, the storage time of the IP address carried in the first domain name system protocol message.
6. The apparatus according to claim 5, characterized in that:
the receiving unit is further configured to receive a second domain name system protocol message;
the searching unit is further configured to find a second address cache entry matching the domain name carried in the second domain name system protocol message;
the determination unit is further configured to determine that the IP address set of the second address cache entry does not include the IP address carried in the second domain name system protocol message and that the number of addresses in the IP address set of the second address cache entry is less than the M;
the refresh unit is further configured to record, in the IP address set of the second address cache entry, the IP address carried in the second domain name system protocol message and its storage time;
the apparatus further includes:
a generation unit, configured to generate the event that triggers refreshing of the security policy acceleration table.
7. The apparatus according to claim 5, characterized in that:
the receiving unit is further configured to receive a third domain name system protocol message;
the searching unit is further configured to find a third address cache entry matching the domain name carried in the third domain name system protocol message;
the determination unit is further configured to determine that the IP address set of the third address cache entry does not include the IP address carried in the third domain name system protocol message and that the number of addresses in the IP address set of the third address cache entry equals the M;
the refresh unit is further configured to delete the IP address with the earliest storage time from the IP address set of the third address cache entry, and to record, in the IP address set of the third address cache entry, the IP address carried in the third domain name system protocol message and its storage time;
the apparatus further includes:
a generation unit, configured to generate the event that triggers refreshing of the security policy acceleration table.
8. The apparatus according to claim 5, characterized in that:
the refresh unit is further configured to delete, from the IP address set of each address cache entry in the address cache table, the IP addresses whose ageing time has been reached;
the apparatus further includes:
a generation unit, configured to generate the event that triggers refreshing of the security policy acceleration table.
9. A network device, characterized in that it includes a processor and a machine-readable storage medium, the machine-readable storage medium storing machine-executable instructions executable by the processor, and the machine-executable instructions causing the processor to implement the method steps of any one of claims 1 to 4.
10. A machine-readable storage medium, characterized in that the machine-readable storage medium stores machine-executable instructions executable by a processor, and the machine-executable instructions cause the processor to implement the method steps of any one of claims 1 to 4.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910611878.1A CN110381175B (en) 2019-07-08 2019-07-08 Security policy acceleration table construction method and device

Publications (2)

Publication Number Publication Date
CN110381175A true CN110381175A (en) 2019-10-25
CN110381175B CN110381175B (en) 2022-02-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant