CN112350939A - Bypass blocking method, system, device, computer equipment and storage medium - Google Patents


Info

Publication number
CN112350939A
Authority
CN
China
Prior art keywords
blocking
traffic
flow
core router
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011180005.9A
Other languages
Chinese (zh)
Other versions
CN112350939B (en)
Inventor
王爱科
周志彬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202011180005.9A
Publication of CN112350939A
Application granted
Publication of CN112350939B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 49/00 Packet switching elements > H04L 49/20 Support for services > H04L 49/208 Port mirroring
    • H04L 45/00 Routing or path finding of packets in data switching networks > H04L 45/34 Source routing
    • H04L 45/00 Routing or path finding of packets in data switching networks > H04L 45/74 Address processing for routing
    • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Detecting or protecting against malicious traffic > H04L 63/1441 Countermeasures against malicious traffic
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols > H04L 67/10 Protocols in which an application is distributed across nodes in the network > H04L 67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a bypass blocking method, system, device, computer equipment and storage medium in the technical field of networks. The method comprises the following steps: a blocking switch receives target traffic sent by a core router through a BGP channel, the target traffic being service traffic with specified routing information; mirrors the target traffic to obtain mirrored traffic of the target traffic; reinjects the target traffic to the core router through the BGP channel; sends the mirrored traffic to a protection blocking device through a BGP channel; receives, through the BGP channel, a blocking packet sent by the protection blocking device when the target traffic is traffic to be blocked; and forwards the blocking packet to the core router through the BGP channel so as to block the target traffic. With this method, the protection blocking device only needs to perform blocking judgment on part of the traffic when protection blocking is carried out, so the pressure on and performance consumption of the protection blocking device are reduced.

Description

Bypass blocking method, system, device, computer equipment and storage medium
Technical Field
The embodiments of the application relate to the technical field of networks, in particular to a bypass blocking method, system, device, computer equipment and storage medium.
Background
With the continuous development of computer and network application technologies, network security assurance is of great importance, and a bypass blocking mode is commonly adopted to defend against network attacks and intercept illegal websites.
In the related art, a core router and a protection blocking device are directly connected through a port mirror; the protection blocking device determines candidate blocking traffic in the core router by performing blocking judgment on mirrored copies of the service traffic in the core router, and sends a blocking packet, thereby blocking the candidate blocking traffic.
However, in this solution all service traffic in the core router has to be mirrored and subjected to blocking judgment, and the volume of traffic through the core router is huge, which places huge pressure and performance consumption on the protection blocking device.
Disclosure of Invention
The embodiments of the application provide a bypass blocking method, system, device, computer equipment and storage medium, which can reduce the pressure on and performance consumption of the protection blocking device when protection blocking is carried out. The technical scheme is as follows:
In one aspect, a bypass blocking method is provided, applied in a blocking switch disposed between a protection blocking device and a core router, the method including:
receiving target traffic sent by the core router, the target traffic being service traffic with specified routing information;
mirroring the target traffic to obtain mirrored traffic of the target traffic;
reinjecting the target traffic to the core router;
sending the mirrored traffic to the protection blocking device;
receiving a blocking packet sent by the protection blocking device, the blocking packet being sent by the protection blocking device in response to the mirrored traffic matching a blocking rule, where the blocking rule is a rule configured in the protection blocking device for performing blocking judgment;
and forwarding the blocking packet to the core router so as to block the target traffic.
In another aspect, a bypass blocking method is provided, applied to a protection blocking device, with a blocking switch disposed between the protection blocking device and a core router, the method including:
receiving mirrored traffic corresponding to target traffic sent by the blocking switch, the target traffic being service traffic with specified routing information;
generating a blocking packet in response to the mirrored traffic matching a blocking rule;
and sending the blocking packet to the blocking switch to block the target traffic.
In another aspect, a bypass blocking system is provided, comprising a protection blocking device, a blocking switch and a core router, the blocking switch being disposed between the core router and the protection blocking device;
the protection blocking device is used to issue a route advertisement to the blocking switch, the route advertisement declaring the specified routing information contained in the blocking rule;
the blocking switch is used to forward the route advertisement to the core router;
the core router is used to send the target traffic with the specified routing information to the blocking switch;
the blocking switch is used to mirror the target traffic to obtain mirrored traffic, send the mirrored traffic to the protection blocking device, and reinject the target traffic to the core router;
the protection blocking device is used to send a blocking packet to the blocking switch in response to the mirrored traffic matching a blocking rule;
and the blocking switch is used to send the blocking packet to the core router so as to block the target traffic.
In one possible implementation, the blocking switch includes at least two switches,
and the core router is connected to each of the at least two switches.
In another aspect, a bypass blocking apparatus is provided, applied in a blocking switch disposed between a protection blocking device and a core router, the apparatus including:
a target traffic receiving module, configured to receive target traffic sent by the core router, the target traffic being service traffic with specified routing information;
a mirroring module, configured to mirror the target traffic to obtain mirrored traffic of the target traffic;
a reinjection module, configured to reinject the target traffic to the core router;
a mirrored traffic sending module, configured to send the mirrored traffic to the protection blocking device;
a blocking packet receiving module, configured to receive a blocking packet sent by the protection blocking device, the blocking packet being sent by the protection blocking device in response to the mirrored traffic matching a blocking rule, where the blocking rule is a rule configured in the protection blocking device for performing blocking judgment;
and a blocking packet forwarding module, configured to forward the blocking packet to the core router so as to block the target traffic.
In a possible implementation manner, the blocking switch is connected to the core router through a first Border Gateway Protocol (BGP) channel, and the blocking switch is connected to the protection blocking device through a second BGP channel;
the target traffic receiving module is configured to receive the target traffic sent by the core router through the first BGP channel;
the reinjection module is configured to reinject the target traffic to the core router through the first BGP channel;
the mirror traffic sending module is configured to send the mirror traffic to the protection blocking device through the second BGP channel;
the blocking packet receiving module is configured to receive the blocking packet sent by the protection blocking device through the second BGP channel;
the blocking packet forwarding module is configured to forward the blocking packet to the core router through the first BGP channel.
In a possible implementation manner, before the target traffic receiving module receives the target traffic sent by the core router, the apparatus further includes:
a route advertisement receiving module, configured to receive a route advertisement sent by the protection blocking device, where the route advertisement is used to declare the specified route information;
a route advertisement forwarding module, configured to forward the route advertisement to the core router;
and the target flow receiving module is used for receiving the target flow sent by the core router based on the route advertisement.
In one possible implementation, an optical splitter is configured in the blocking switch;
the mirroring module is configured to mirror the target traffic through the optical splitter to obtain the mirrored traffic of the target traffic.
In another aspect, a bypass blocking apparatus is provided, applied to a protection blocking device, with a blocking switch disposed between the protection blocking device and a core router, the apparatus including:
a mirrored traffic receiving module, configured to receive mirrored traffic corresponding to target traffic sent by the blocking switch, the target traffic being service traffic with specified routing information;
a blocking packet generating module, configured to generate a blocking packet in response to the mirrored traffic matching a blocking rule;
and a blocking packet sending module, configured to send the blocking packet to the blocking switch so as to block the target traffic.
In a possible implementation manner, the protection blocking device is connected to the blocking switch through a second BGP channel;
the mirror traffic receiving module is configured to receive the mirror traffic sent by the blocking switch through the second BGP channel;
and the blocking packet sending module is configured to send the blocking packet to the blocking switch through the second BGP channel.
In a possible implementation manner, before the mirror traffic receiving module receives the mirror traffic corresponding to the target traffic sent by the blocking switch, the apparatus further includes:
a blocking rule reading module, configured to read a blocking rule, where the blocking rule includes the specified routing information;
a route advertisement publishing module, configured to send a route advertisement for declaring the specified route information to the blocking switch, so that the blocking switch forwards the route advertisement to the core router, so as to trigger the core router to send the target traffic corresponding to the specified route information to the blocking switch.
In a possible implementation manner, the specified routing information includes at least one of first specified routing information and second specified routing information; the first specified routing information indicates that the Internet Protocol (IP) address corresponding to the service traffic is a protected IP address, and the second specified routing information indicates that the IP address corresponding to the service traffic is an illegal IP address.
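The route-advertisement mechanism described above (the protection blocking device reads the specified routing information out of its blocking rules, advertises it to the blocking switch, the switch relays it to the core router, and the router then steers only matching traffic to the switch) is modelled in the following added Python example. It is not code from the patent or from the assignee; the class names, the `kind` field, the documentation-range addresses and the next-hop labels are all constructed assumptions, and BGP itself is reduced to installing a more-specific destination route with the blocking switch as next hop.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical model of the route-advertisement steering; not the patent's code.
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    next_hop: str


class CoreRouter:
    """Destination-based longest-prefix-match forwarding; default route goes to the service side."""

    def __init__(self) -> None:
        self.table: List[Route] = [Route(ipaddress.ip_network("0.0.0.0/0"), "service-side")]

    def install(self, route: Route) -> None:
        self.table.append(route)

    def next_hop(self, dst_ip: str) -> str:
        addr = ipaddress.ip_address(dst_ip)
        # Longest prefix wins; the default route guarantees at least one candidate.
        best = max((r for r in self.table if addr in r.prefix), key=lambda r: r.prefix.prefixlen)
        return best.next_hop


class BlockingSwitch:
    def __init__(self, router: CoreRouter) -> None:
        self.router = router

    def forward_advertisement(self, prefixes: List[Net]) -> None:
        # The switch relays the advertisement unchanged. The router learns each prefix
        # with the switch as next hop, so only traffic to those prefixes (the target
        # traffic) is diverted; everything else keeps its normal path.
        for prefix in prefixes:
            self.router.install(Route(prefix, "blocking-switch"))


class ProtectionDevice:
    def __init__(self, blocking_rules: List[Dict[str, str]]) -> None:
        self.blocking_rules = blocking_rules

    def route_advertisement(self) -> List[Net]:
        # The specified routing information comes from the blocking rules: protected
        # addresses and illegal addresses, both expressed as destination prefixes.
        return sorted({ipaddress.ip_network(r["prefix"]) for r in self.blocking_rules})


def classify(router: CoreRouter, dst_ips: List[str]) -> Dict[str, List[str]]:
    """Group packets (represented by destination IP) by the next hop the router chooses."""
    out: Dict[str, List[str]] = {"blocking-switch": [], "service-side": []}
    for ip in dst_ips:
        out[router.next_hop(ip)].append(ip)
    return out


def run_demo() -> Dict[str, List[str]]:
    # Constructed blocking rules: one protected /24 and one illegal host address.
    rules = [
        {"prefix": "203.0.113.0/24", "kind": "protected"},
        {"prefix": "198.51.100.7/32", "kind": "illegal"},
    ]
    router = CoreRouter()
    switch = BlockingSwitch(router)
    device = ProtectionDevice(rules)
    switch.forward_advertisement(device.route_advertisement())
    # Constructed sample of destination addresses seen at the core router.
    dsts = ["203.0.113.10", "198.51.100.7", "198.51.100.8", "192.0.2.5"]
    return classify(router, dsts)


if __name__ == "__main__":
    print(run_demo())
```

Only the two destinations covered by advertised prefixes reach the blocking switch; the neighbouring host 198.51.100.8 and the unrelated 192.0.2.5 are never mirrored, which is the whole point of the scheme. One thing the model leaves out, and the page does not describe, is how the core router distinguishes reinjected traffic from fresh traffic so that the same more-specific route does not divert it a second time; a real deployment needs that loop-avoidance mechanism.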
In one possible implementation, the blocking rule includes a first blocking rule and a second blocking rule; before the blocking packet generating module generates a blocking packet in response to the mirrored traffic matching a blocking rule, the apparatus further includes:
a transport layer information obtaining module, configured to obtain the transport layer information of the mirrored traffic;
a first matching module, configured to match the transport layer information against the first blocking rule;
a first determining module, configured to determine that the mirrored traffic matches the blocking rule in response to the transport layer information matching the first blocking rule;
an application layer information obtaining module, configured to obtain the application layer information of the mirrored traffic in response to the transport layer information not matching the first blocking rule;
a second matching module, configured to match the application layer information against the second blocking rule;
and a second determining module, configured to determine that the mirrored traffic matches the blocking rule in response to the application layer information matching the second blocking rule.
In another aspect, a computer device is provided, the computer device comprising a processor and a memory, the memory having stored therein at least one instruction, at least one program, set of codes, or set of instructions, which is loaded and executed by the processor to implement the bypass blocking method provided in the various alternative implementations described above.
In another aspect, there is provided a computer readable storage medium having stored therein at least one instruction, at least one program, set of codes, or set of instructions, which is loaded and executed by a processor to implement the bypass blocking method provided in the various alternative implementations described above.
In another aspect, a computer program product or computer program is provided, the computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the bypass blocking method provided in the various alternative implementations described above.
The technical scheme provided by the application can have the following beneficial effects:
the blocking switch mirrors the target traffic received from the core router to obtain mirrored traffic of the target traffic, where the target traffic is traffic with the specified routing information, and sends the mirrored traffic to the protection blocking device, so that the protection blocking device performs blocking judgment on the mirrored traffic and generates a corresponding blocking packet; the blocking switch then forwards the blocking packet generated by the protection blocking device to the core router to block the target traffic. When protection blocking is carried out, the protection blocking device therefore only needs to perform blocking judgment on part of the traffic, which reduces its pressure and performance consumption. Because the blocking switch reinjects the target traffic into the core router promptly while mirroring it, normal interaction of the service traffic between the user side and the service side is ensured while protection blocking is carried out.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
FIG. 1 illustrates a schematic structural diagram of a bypass blocking system shown in an exemplary embodiment of the present application;
FIG. 2 illustrates a flow chart of a bypass blocking method shown in an exemplary embodiment of the present application;
FIG. 3 illustrates a flow chart of a bypass blocking method shown in an exemplary embodiment of the present application;
FIG. 4 illustrates a flow chart of a bypass blocking method shown in an exemplary embodiment of the present application;
FIG. 5 illustrates a flow chart of a bypass blocking method shown in an exemplary embodiment of the present application;
FIG. 6 illustrates a schematic structural diagram of a bypass blocking system shown in an exemplary embodiment of the present application;
FIG. 7 is a schematic diagram illustrating a core router and a blocking switch according to an exemplary embodiment of the present application;
FIG. 8 illustrates a block diagram of a bypass blocking system shown in an exemplary embodiment of the present application;
FIG. 9 illustrates a block diagram of a bypass blocking device shown in an exemplary embodiment of the present application;
FIG. 10 illustrates a block diagram of a bypass blocking device shown in an exemplary embodiment of the present application;
FIG. 11 shows a block diagram of a computer device according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The embodiments of the application provide a bypass blocking method, mainly applied at nodes where traffic can be inspected, such as an internet egress or an internet access point, which can reduce the pressure on and performance consumption of the protection blocking device when protection blocking is carried out. For ease of understanding, the terms used in this application are explained below.
1) Cloud Security (Cloud Security)
Cloud security is the generic name for security software, hardware, users, organizations and security cloud platforms applied on the basis of cloud computing business models. Cloud security integrates emerging technologies and concepts such as parallel processing, grid computing and unknown-virus behavior judgment: abnormal software behavior in the network is monitored through a large number of meshed user terminals, the latest information on trojans and malicious programs on the internet is obtained and sent to a server for automatic analysis and processing, and the resulting virus and trojan solution is then distributed to each user terminal.
The main research directions of cloud security include: 1. cloud computing security, which mainly studies how to guarantee the security of the cloud and of the various applications on it, including the security of the cloud computer system, secure storage and isolation of user data, user access authentication, information transmission security, network attack protection, compliance auditing and the like; 2. cloud-based security infrastructure, which mainly studies how to use cloud computing to build and integrate security infrastructure resources and optimize security protection mechanisms, including building a super-large-scale security event and information acquisition and processing platform with cloud computing technology, realizing the acquisition and correlation analysis of mass information, and improving the capability to handle and control security events and risks across the whole network; 3. cloud security services, which mainly study the various security services, such as anti-virus services, provided to users on the basis of a cloud computing platform.
2) BGP (Border Gateway Protocol)
BGP is a distance vector routing protocol that makes routes between autonomous systems (AS) reachable and selects the best route.
BGP enables route optimization, avoids routing loops, more efficiently transfers routes, and maintains a large amount of routing information.
3) Bypass blocking technique
The bypass blocking technology is a technology for acquiring a data packet on the internet by adopting a bypass interception mode, restoring protocol content, analyzing and identifying illegal information in the restored content and carrying out corresponding blocking. The method can realize the maintenance of network information safety and the interception of illegal websites under the condition of not influencing the internet access speed.
4) Switch
A switch is a network device for electrical signal forwarding that provides an exclusive electrical signal path for any two network nodes accessing the switch.
Switch types include Ethernet switches, telephone voice switches and fiber optic switches.
5) Router (Router)
A router is a device that connects the local area networks and wide area networks in the internet; it automatically selects and sets routes according to channel conditions and sends information in sequence along the optimal path.
When a data packet enters the router, the router first decapsulates the packet to the data link layer and checks the destination Media Access Control (MAC) address; if the destination MAC address is not the router's MAC address, the packet is discarded. If the destination MAC address is the router's MAC address, the packet is decapsulated to the network layer and the destination IP address is checked: if the destination IP address is the local router, decapsulation continues; if it is another device, the router looks up its local routing table (TCAM) and forwards the packet.
Referring to fig. 1, a schematic structural diagram of a bypass blocking system according to an exemplary embodiment of the present application is shown, and as shown in fig. 1, the bypass blocking system includes a core router 110, a blocking switch 120, and a protection blocking device 130.
The core router 110 connects the user side and the service side to carry service traffic between them: the user side sends service traffic to the service side through the core router, and the service side sends outgoing service traffic back to the user side through the core router according to the service traffic it receives, thereby completing the service interaction between the user side and the service side.
The blocking switch 120 is disposed between the core router 110 and the protection blocking device 130.
The protection blocking device 130 may be implemented as a server, configured with a blocking rule, and configured to perform blocking matching on the received traffic, and if the matching is successful, generate a corresponding blocking packet to block the successfully matched traffic. The server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud service, a cloud database, cloud computing, a cloud function, cloud storage, Network service, cloud communication, middleware service, domain name service, security service, CDN (Content Delivery Network), big data and an artificial intelligence platform.
In a possible implementation manner, the protection blocking device 130 is externally connected with a terminal 140, the terminal 140 is configured to implement configuration of a blocking rule in the protection blocking device based on user operation, and the terminal may be, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, and the like. The terminal and the server may be directly or indirectly connected through wired or wireless communication, and the application is not limited herein.
The terminal 140 and the protection blocking apparatus 130 are connected through a communication network. Optionally, the communication network is a wired network or a wireless network.
Optionally, the wireless network or wired network described above uses standard communication techniques and/or protocols. The Network is typically the Internet, but may be any Network including, but not limited to, a Local Area Network (LAN), a Metropolitan Area Network (MAN), a Wide Area Network (WAN), a mobile, wireline or wireless Network, a private Network, or any combination of virtual private networks. In some embodiments, data exchanged over a network is represented using techniques and/or formats including Hypertext Mark-up Language (HTML), Extensible Markup Language (XML), and the like. All or some of the links may also be encrypted using conventional encryption techniques such as Secure Socket Layer (SSL), Transport Layer Security (TLS), Virtual Private Network (VPN), Internet Protocol Security (IPsec). In other embodiments, custom and/or dedicated data communication techniques may also be used in place of, or in addition to, the data communication techniques described above. The application is not limited thereto.
In the embodiment of the present application, the core router 110 and the blocking switch 120 both belong to network forwarding devices and have a BGP route management function, and a BGP channel is established between the blocking switch 120 and the protection blocking device 130 to announce a route and transmit a blocking packet.
In one possible implementation, the BGP channel between the blocking switch and the protection blocking device is established through virtual routing software, for example, the virtual routing software is Quagga.
Fig. 2 is a flowchart illustrating a bypass blocking method according to an exemplary embodiment of the present application, which may be applied to the bypass blocking system shown in fig. 1 and executed by a blocking switch in the system, where the blocking switch is disposed between a protection blocking device and a core router, and as shown in fig. 2, the bypass blocking method includes:
step 210, receiving a target traffic sent by the core router, where the target traffic is a service traffic having specified routing information.
The routing information mainly includes information such as the source IP address, destination IP address, subnet mask and destination network segment of the service traffic.
In the embodiments of the application, the service traffic between the user side and the service side that carries the specified routing information, that is, the service traffic of specified IP addresses, is the target traffic, and blocking judgment is performed only on the target traffic, which reduces the blocking-judgment pressure on the protection blocking device.
In one possible implementation, the service traffic of specified IP addresses includes traffic of protected IP addresses and traffic of illegal IP addresses. A protected IP address is one at risk of an attacker port-scanning it or brute-forcing a designated port on it; an illegal IP address is one whose service end is an illegal website, that is, the domain name is unregistered, the domain name is illegal, or the content of the URL (Uniform Resource Locator) is forbidden.
Step 220, mirroring the target traffic to obtain mirrored traffic of the target traffic.
Step 230, target traffic is injected back to the core router.
In the embodiment of the application, in order to ensure that information interaction between the user side and the service side is not affected while bypass detection is performed, the blocking switch completes mirroring on the target traffic and simultaneously injects the target traffic back to the core router, so that the core router can perform normal subsequent operations on the target traffic.
Step 240, sending the mirror traffic to the protection blocking device.
Step 250, receiving a blocking packet sent by the protection blocking device; the blocking packet is sent by the protection blocking device in response to the mirrored traffic matching a blocking rule, and the blocking rule is a rule set in the protection blocking device for performing blocking judgment.
In a possible implementation manner, a blocking rule is preset in the protection blocking device, where the blocking rule is a relevant rule set by a relevant person based on the found characteristics of the blocking flow, or the blocking rule may also be a relevant rule set by the user based on actual needs. The protection blocking device may perform blocking judgment on the target traffic based on the blocking rule, and when the mirror traffic matches the blocking rule, determine that the target traffic corresponding to the mirror traffic is the blocking traffic, and need to perform a corresponding blocking operation, that is, generate a corresponding blocking packet.
Step 260, forwarding the blocking packet to the core router to block the target traffic.
In a possible implementation, the core router sends the blocking packet to the user side first. Because the protection blocking device is positioned closer to the user side, a blocking packet sent to the user side has a higher probability of successful blocking; if the blocking packet sent to the user side does not successfully block the target traffic, blocking packets are then sent to the user side and the service side simultaneously, so that blocking is achieved on the user side as far as possible and pressure on the service side is reduced.
To sum up, in the bypass blocking method provided in this embodiment of the application, the blocking switch mirrors the target traffic received from the core router to obtain mirror traffic of the target traffic, the target traffic being service traffic that has the specified routing information, and sends the mirror traffic to the protection blocking device; the protection blocking device performs the blocking judgment on the mirror traffic and generates the corresponding blocking packet, which the blocking switch forwards to the core router to block the target traffic. The protection blocking device therefore only needs to judge this part of the traffic, which reduces its pressure and performance consumption; and because the blocking switch reinjects the target traffic into the core router in time while mirroring it, normal interaction of service traffic between the user side and the service side is preserved while protection blocking is performed.
Fig. 3 is a flowchart illustrating a bypass blocking method according to an exemplary embodiment of the present application, which may be applied to the bypass blocking system shown in fig. 1 and executed by a protection blocking device in the system, as shown in fig. 3, and the bypass blocking method includes:
step 310, receiving mirror traffic corresponding to a target traffic sent by the blocking switch, where the target traffic is a service traffic having specified routing information.
In a possible implementation manner, the protection blocking device is connected to the blocking switch through a second BGP channel, and the foregoing steps are implemented as:
receiving the mirror traffic sent by the blocking switch through the second BGP channel.
In a possible implementation manner, before receiving a mirror traffic corresponding to a target traffic sent by a blocking switch, the protection blocking device is further configured to:
reading a blocking rule, wherein the blocking rule comprises designated routing information;
and sending a route advertisement declaring the specified routing information to the blocking switch, so that the blocking switch forwards the route advertisement to the core router, which triggers the core router to send the target traffic corresponding to the specified routing information to the blocking switch.
In one possible implementation, the blocking rule is used to perform the blocking judgment on the mirror traffic, that is, the protection blocking device performs the blocking judgment on the mirror traffic according to the blocking rule.
In one possible implementation, the specified routing information includes at least one of first specified routing information and second specified routing information; the first specified routing information indicates that the Internet Protocol (IP) address corresponding to the service traffic is a protected IP address, and the second specified routing information indicates that the IP address corresponding to the service traffic is an illegal IP address.
That is, when the target traffic is screened, the traffic having the first specified routing information or the second specified routing information in the traffic is acquired as the target traffic.
Corresponding to service traffic with different specified routing information, the blocking rule includes a first blocking rule and a second blocking rule. The first blocking rule is set based on transport layer information and the second blocking rule is set based on application layer information; that is, the first blocking rule performs the blocking judgment on the transport layer information of the acquired service traffic, and the second blocking rule performs the blocking judgment on its application layer information. Generally, because the access object of service traffic with the first specified routing information is a protected IP address, the blocking judgment for it can usually be made from information obtained by parsing the transport layer, such as the port number. The access object of service traffic with the second specified routing information is an illegal IP address, so the blocking judgment usually cannot be made from the transport layer information alone; the application layer information must be parsed as well, and whether the access is blocking traffic is judged from that application layer information. When performing the blocking judgment, however, both kinds of service traffic are matched against the first blocking rule and the second blocking rule respectively.
In a possible implementation, based on the relationship between these two kinds of service traffic and the blocking rules, the protection blocking device first matches the obtained mirror traffic against the first blocking rule and, in response to the mirror traffic failing to match the first blocking rule, matches the mirror traffic against the second blocking rule, implemented as follows:
acquiring the transport layer information of the mirror traffic;
matching the transport layer information against the first blocking rule;
determining that the mirror traffic matches the blocking rule in response to the transport layer information matching the first blocking rule;
acquiring the application layer information of the mirror traffic in response to the transport layer information not matching the first blocking rule;
matching the application layer information against the second blocking rule;
and determining that the mirror traffic matches the blocking rule in response to the application layer information matching the second blocking rule.
And step 320, responding to the matching of the mirror image flow and the blocking rule, and generating a blocking packet.
The protection blocking device first matches the mirror traffic against the first blocking rule; if the mirror traffic matches the first blocking rule, the mirror traffic is determined to be blocking traffic and a corresponding blocking packet is generated;
in response to the mirror traffic not matching the first blocking rule, matching the mirror traffic against the second blocking rule;
and in response to the mirror traffic matching the second blocking rule, determining the target traffic corresponding to the mirror traffic to be blocking traffic and generating a corresponding blocking packet.
In this way, when the mirror traffic is service traffic with the first specified routing information, the blocking packet is obtained as soon as the mirror traffic matches the first blocking rule, avoiding unnecessary secondary parsing and judgment steps and thereby reducing the pressure on the protection blocking device.
In a possible implementation, the blocking rules in the protection blocking device are configured in advance, and while the protection blocking device is in use the corresponding blocking rule is issued automatically in response to a specified protection blocking instruction. For example, in response to a user enabling, through a specified control in a terminal console, anti-scanning and anti-brute-force protection for a port opened on the cloud, a first blocking rule (a layer-4 blocking rule) is issued automatically, so that service traffic containing the specified routing information named in the first blocking rule is pulled to the protection blocking device; and in response to a compliance detection system detecting that a web page contains illegal content or finding that a domain name is not filed, a second blocking rule (a layer-7 blocking rule) is issued automatically to the protection blocking device, so that service traffic containing the specified routing information named in the second blocking rule is pulled to it. The compliance detection system is a system independent of the bypass blocking system that detects whether a web page is illegal.
In one possible implementation, the layer-4 blocking rule and the layer-7 blocking rule use different matching algorithms. Illustratively, the layer-4 blocking rule uses ACL (Access Control List) matching, and the layer-7 blocking rule uses hash table lookup matching.
ACL matching follows the principle of stopping at the first hit. When the target traffic is matched against the ACL, one of two results is produced: "match" and "no match". Match, that is, a rule hit, means an ACL exists and a rule satisfying the matching condition is found in it; whether the action of the matched rule is "permit" or "deny", this is called a match. No match, that is, no rule hit, means no ACL exists, or the ACL contains no rules, or all rules of the ACL have been traversed without finding a rule that satisfies the matching condition.
The hash table used in hash table lookup matching is a data structure accessed by key: a hash function maps each key to a storage address, establishing a direct mapping between keys and storage addresses. The hash function (also called a hashing function) maps a key to a storage address and is equivalent to a mapping rule. When the mirror traffic, after layer-7 protocol decoding, hits at least a preset threshold number of keywords in the hash table, the target traffic is determined to hit the rule, that is, to match; otherwise the mirror traffic is determined to miss the rule, that is, not to match.
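The two-stage judgment of this embodiment (a layer-4 ACL consulted first with first-hit-stop semantics, and a layer-7 keyword hash table consulted only on a layer-4 miss, with a hit threshold) as an added Python example. This is illustrative code written for this page, not the protection blocking device's implementation: the `MirrorPacket` and `AclEntry` types, the minimal HTTP decoder, and all addresses, rules and packets are constructed, and treating a "permit" hit as an explicit allow that skips the layer-7 check is an assumption of the example rather than something the page states.

```python
"""Two-stage blocking judgment on mirror traffic: a layer-4 ACL with first-hit-stop
semantics, then a layer-7 keyword hash table consulted only on a layer-4 miss.
Added example; all addresses, rules and packets are constructed for the demonstration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class MirrorPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str            # "tcp" or "udp"
    payload: bytes = b""  # application-layer bytes, empty when none were captured


@dataclass(frozen=True)
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "any"
    dst_net: str          # CIDR covering the protected address(es)
    dst_ports: frozenset  # empty set means any destination port


def acl_lookup(pkt, acl):
    """Layer-4 match: return the first entry that hits, or None on a miss.
    Matching stops at the first hit, so entry order matters."""
    dst = ip_address(pkt.dst_ip)
    for entry in acl:
        if entry.proto not in ("any", pkt.proto):
            continue
        if dst not in ip_network(entry.dst_net):
            continue
        if entry.dst_ports and pkt.dst_port not in entry.dst_ports:
            continue
        return entry
    return None


def decode_http_tokens(payload):
    """Minimal layer-7 decoder for an HTTP/1.x request: the Host header value,
    URL path segments and body words become lower-case lookup keys."""
    text = payload.decode("utf-8", errors="ignore")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    tokens = set()
    request_line = lines[0].split()
    if len(request_line) >= 2:
        tokens.update(seg.lower() for seg in request_line[1].split("/") if seg)
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            tokens.add(value.strip().lower())
    tokens.update(word.lower() for word in body.split())
    return tokens


def hash_table_lookup(tokens, keyword_table, threshold):
    """Layer-7 match: count distinct keyword hits in the table (a dict, i.e. a hash
    table keyed by keyword); the rule hits only with at least `threshold` of them."""
    hits = {t: keyword_table[t] for t in tokens if t in keyword_table}
    return hits if len(hits) >= threshold else {}


def judge(pkt, acl, keyword_table, threshold=1):
    """Return (stage, verdict): layer 4 first, layer 7 only on a layer-4 miss.
    A deny hit blocks; a permit hit is treated as an explicit allow that skips
    layer 7 (an assumption of this example, not stated by the page)."""
    entry = acl_lookup(pkt, acl)
    if entry is not None:
        return ("l4", "block" if entry.action == "deny" else "allow")
    if not pkt.payload:
        return ("l7", "allow")
    hits = hash_table_lookup(decode_http_tokens(pkt.payload), keyword_table, threshold)
    return ("l7", "block" if hits else "allow")


# Constructed rule set. The narrow permit is listed before the broader deny: because
# lookup stops at the first hit, the order decides which one wins for 203.0.113.10:443.
ACL = [
    AclEntry("permit", "tcp", "203.0.113.10/32", frozenset({443})),
    AclEntry("deny", "tcp", "203.0.113.0/24", frozenset({22, 443, 3389})),
]
KEYWORDS = {                       # constructed layer-7 keyword table
    "unfiled.example": "unregistered_domain",
    "forbidden-term": "forbidden_content",
}

# Constructed mirror packets.
SSH_PROBE = MirrorPacket("198.51.100.77", 51000, "203.0.113.20", 22, "tcp")
HTTPS_OK = MirrorPacket("198.51.100.77", 51001, "203.0.113.10", 443, "tcp")
ILLEGAL_SITE = MirrorPacket("198.51.100.77", 51002, "192.0.2.9", 80, "tcp",
                            b"GET /forbidden-term HTTP/1.1\r\nHost: unfiled.example\r\n\r\n")
HOST_ONLY = MirrorPacket("198.51.100.77", 51003, "192.0.2.9", 80, "tcp",
                         b"GET /index.html HTTP/1.1\r\nHost: unfiled.example\r\n\r\n")
BENIGN = MirrorPacket("198.51.100.77", 51004, "192.0.2.9", 80, "tcp",
                      b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n")

if __name__ == "__main__":
    for name, pkt in [("ssh_probe", SSH_PROBE), ("https_ok", HTTPS_OK),
                      ("illegal_site", ILLEGAL_SITE), ("benign", BENIGN)]:
        print(name, judge(pkt, ACL, KEYWORDS))
```

Running the module prints one verdict per constructed packet. The port-scan probe is decided at layer 4 and never reaches the HTTP decoder, which is the saving the embodiment describes; the requests to the illegal address fall through to the keyword table, where the threshold decides whether a single hit (the unfiled host name alone) is enough.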
Step 330, sending a blocking packet to the blocking switch to block the target traffic.
In one possible implementation manner, the protection blocking device sends the blocking packet to the blocking switch through the second BGP channel.
To sum up, in the bypass blocking method provided in this embodiment of the present application, the protection blocking device receives the mirror traffic of the target traffic having the specified routing information, performs blocking judgment based on the mirror traffic, and sends the blocking packet through the BGP channel, so as to block the blocking traffic, so that when performing protection blocking, the protection blocking device only needs to perform blocking judgment on part of the traffic, thereby reducing the pressure and performance consumption of the protection blocking device.
In order to realize information interaction among the devices in the bypass blocking system without calling additional external resources and causing unnecessary overhead and loss, in a possible implementation manner, BGP channels are arranged among the devices in the bypass blocking system. Fig. 4 is a flowchart illustrating a bypass blocking method according to an exemplary embodiment of the present application, where the bypass blocking method may be applied to the bypass blocking system shown in fig. 1 and executed by a blocking switch in the system, where the blocking switch is connected to a core router through a first border gateway protocol BGP channel, and the blocking switch is connected to a protection blocking device through a second BGP channel, as shown in fig. 4, the bypass blocking method includes:
and step 410, receiving a route advertisement sent by the protection blocking device through the second BGP channel, where the route advertisement is used to declare the specified route information.
In the embodiment of the application, the BGP channel is a data transmission channel used for traffic transmission, route distribution, blocking packet transmission and so on. Over the BGP channel the protection blocking device interacts directly with the blocking switch. In the related art, a protection blocking device that sends blocking packets through an extranet network card has to deliver them to the user side and the service side over other routes, and the difference between the link path of the blocking packet and the path of the original service traffic lowers the blocking success rate. The BGP channel avoids this influence, which improves the blocking success rate and saves the cost of introducing an extranet network card.
In one possible implementation, the route advertisement is generated by the protection blocking device based on a blocking rule, where the blocking rule includes specified route information.
Step 420, forwarding the route advertisement to the core router through the first BGP channel.
Step 430, receiving the target traffic sent by the core router through the first BGP channel.
In one possible implementation, the target traffic is sent by the core router based on route advertisements. The route advertisement is used to instruct the core router to send the target traffic to the blocking switch, that is, after the core router receives the route advertisement, based on the specified route information stated in the route advertisement, the target message with the specified route information is pulled to the blocking switch.
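The route advertisement of steps 410 to 430 on the wire, as an added Python example that encodes a BGP UPDATE for the prefixes named in a blocking rule and decodes it back; this is illustrative code for this page, not the page's or any BGP speaker's implementation. It assumes IPv4 unicast NLRI, ORIGIN IGP, a single-AS AS_PATH with 2-byte AS numbers and no optional attributes; the prefixes, next hop and AS number are constructed. Two practical points the page leaves implicit: BGP carries only the route, so the target traffic then follows the advertised next hop over the link between the core router and the blocking switch; and the core router should apply a prefix filter to this session, since any peer that can announce a more specific route for an address can divert its traffic.

```python
"""Encode and decode the BGP UPDATE a protection blocking device sends to announce
the prefixes named in a blocking rule. Added example, not the page's implementation.
Assumptions: IPv4 unicast NLRI, ORIGIN=IGP, one-AS AS_PATH with 2-byte ASNs, no
optional attributes; all prefixes, addresses and AS numbers are constructed."""
import socket
import struct
from ipaddress import ip_network

BGP_UPDATE = 2
ATTR_ORIGIN, ATTR_AS_PATH, ATTR_NEXT_HOP = 1, 2, 3
ORIGIN_IGP = 0
AS_SEQUENCE = 2
FLAG_TRANSITIVE, FLAG_EXT_LEN = 0x40, 0x10


def path_attribute(type_code, value):
    """flags | type | length | value; extended (2-byte) length when value > 255 bytes."""
    if len(value) > 255:
        return struct.pack("!BBH", FLAG_TRANSITIVE | FLAG_EXT_LEN, type_code, len(value)) + value
    return struct.pack("!BBB", FLAG_TRANSITIVE, type_code, len(value)) + value


def encode_nlri(prefix):
    """NLRI: prefix length in bits, then only the address bytes the prefix needs."""
    net = ip_network(prefix, strict=True)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


def build_update(prefixes, next_hop, local_as):
    """UPDATE = 19-byte header | withdrawn length | attribute length | attributes | NLRI."""
    attrs = path_attribute(ATTR_ORIGIN, bytes([ORIGIN_IGP]))
    attrs += path_attribute(ATTR_AS_PATH, struct.pack("!BBH", AS_SEQUENCE, 1, local_as))
    attrs += path_attribute(ATTR_NEXT_HOP, socket.inet_aton(next_hop))
    nlri = b"".join(encode_nlri(p) for p in prefixes)
    body = struct.pack("!HH", 0, len(attrs)) + attrs + nlri
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), BGP_UPDATE) + body


def decode_update(msg):
    """Return (next_hop, [prefixes]) from an UPDATE; raise ValueError if malformed."""
    if len(msg) < 23 or msg[:16] != b"\xff" * 16:
        raise ValueError("bad marker or truncated message")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != BGP_UPDATE or length != len(msg):
        raise ValueError("not a well-formed UPDATE")
    pos = 19
    withdrawn_len = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2 + withdrawn_len                      # withdrawn routes are skipped here
    attr_len = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2
    attrs_end = pos + attr_len
    next_hop = None
    while pos < attrs_end:
        flags, code = msg[pos], msg[pos + 1]
        if flags & FLAG_EXT_LEN:
            vlen = struct.unpack("!H", msg[pos + 2:pos + 4])[0]
            pos += 4
        else:
            vlen = msg[pos + 2]
            pos += 3
        value = msg[pos:pos + vlen]
        pos += vlen
        if code == ATTR_NEXT_HOP:
            next_hop = socket.inet_ntoa(value)
    prefixes = []
    while pos < len(msg):                         # everything after the attributes is NLRI
        plen = msg[pos]
        nbytes = (plen + 7) // 8
        addr = msg[pos + 1:pos + 1 + nbytes] + b"\x00" * (4 - nbytes)
        prefixes.append(f"{socket.inet_ntoa(addr)}/{plen}")
        pos += 1 + nbytes
    return next_hop, prefixes


# Constructed blocking rule: one protected host route and one prefix of illegal
# addresses, announced with the blocking switch's link address as next hop.
RULE_PREFIXES = ["203.0.113.10/32", "198.51.100.0/24"]
ROUTE_ADVERTISEMENT = build_update(RULE_PREFIXES, "192.0.2.2", 65001)

if __name__ == "__main__":
    print(ROUTE_ADVERTISEMENT.hex())
    print(decode_update(ROUTE_ADVERTISEMENT))
```

The decoder rejects a message whose length field disagrees with the bytes received, which is the first check a receiver of the advertisement should make before parsing attributes.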
Step 440, mirroring the target traffic to obtain mirror traffic of the target traffic.
In one possible implementation, the blocking switch is configured with an optical splitter (a passive network tap);
the above step may be implemented by mirroring the target traffic through the optical splitter to obtain the mirror traffic of the target traffic.
Step 450, target traffic is injected back to the core router through the first BGP channel.
In one possible implementation, step 440 is performed concurrently with step 450, i.e., the target traffic is mirrored and injected back into the core router.
Step 460, sending the mirror traffic to the protection blocking device through the second BGP channel, so that the protection blocking device performs blocking judgment based on the mirror traffic.
For the process of blocking judgment by the protection blocking device based on the mirror image traffic, please refer to relevant contents in the embodiment shown in fig. 3, which is not described herein again.
Step 470, receiving a blocking packet sent by the protection blocking device through the second BGP channel.
Step 480, forwarding the blocking packet to the core router through the first BGP channel.
In a possible implementation, the blocking switch performs mirror copying and information relaying: after the protection blocking device generates the blocking packet, the blocking packet is not sent directly to the service side or the user side through an extranet network card; it is sent to the blocking switch through the BGP channel established between the protection blocking device and the blocking switch, and then forwarded by the blocking switch to the core router, so that the core router can send the content of the blocking packet to the user side and/or the service side to achieve blocking.
In a possible implementation, the blocking packet relies on the TCP (Transmission Control Protocol) three-way handshake and on the TCP data transmission semantics: in the TCP handshake phase, the generated blocking packet is sent to the user side to break the establishment of the connection, thereby achieving blocking;
if a blocking packet sent in the handshake phase fails to block because of uncontrollable factors such as network delay or packet loss, data packets aimed at the user side and the service side are constructed from the subsequent target traffic and sent to both simultaneously, so as to raise the blocking success rate.
In a possible implementation, the packet content of the blocking packet comprises a reset (RST) message, instructing the device that receives the reset message to reset the TCP connection.
To sum up, the bypass blocking method of this embodiment, executed by the blocking switch over the first and second BGP channels, has the same effect: the blocking switch mirrors the target traffic received from the core router, sends the mirror traffic to the protection blocking device for the blocking judgment, and forwards the resulting blocking packet to the core router to block the target traffic, so the protection blocking device only needs to judge this part of the traffic, and timely reinjection of the target traffic into the core router preserves normal interaction of service traffic between the user side and the service side while protection blocking is performed.
Fig. 5 is a flowchart illustrating a bypass blocking method according to an exemplary embodiment of the present application, where the bypass blocking method may be applied to the bypass blocking system shown in fig. 1, where the bypass blocking system is interactively executed by a protection blocking device, a blocking switch, and a core router, and the blocking switch device is disposed between the core router and the protection blocking device; the blocking switch is connected with the core router and the protection blocking equipment through a BGP channel; as shown in fig. 5, the bypass blocking method includes:
step 501, the protection blocking device reads a blocking rule, where the blocking rule includes specified routing information.
Step 502, the protection blocking device sends a route advertisement for declaring the specified route information to the blocking switch through the second BGP channel, and correspondingly, the blocking switch receives the route advertisement.
Step 503, the blocking switch forwards the route advertisement to the core router through the first BGP channel, and correspondingly, the core router receives the route advertisement forwarded by the blocking switch.
Step 504, the core router sends the target traffic to the blocking switch through the first BGP channel based on the route advertisement, and correspondingly, the blocking switch receives the target traffic sent by the core router based on the route advertisement.
When the core router receives the service flow containing the designated routing information, the core router determines the service flow as a target flow and sends the target flow to the blocking switch.
Step 505, the blocking switch mirrors the target traffic to obtain mirror traffic of the target traffic.
In step 506, the blocking switch reinjects the target traffic to the core router through the first BGP channel.
Step 507, the blocking switch sends the mirror traffic to the protection blocking device through the second BGP channel, and the protection blocking device receives the mirror traffic accordingly.
Step 508, the protection blocking device generates a blocking packet in response to the mirror traffic matching the blocking rule.
In step 509, the protection blocking device sends a blocking packet to the blocking switch through the second BGP channel, and the blocking switch receives the blocking packet accordingly.
Step 510, the blocking switch sends the blocking packet to the core router through the first BGP channel, and the core router receives the blocking packet accordingly.
In step 511, the core router blocks the target traffic based on the blocking packet.
In one possible implementation, in response to that the connection between the user side and the service side is not established, the core router sends a blocking packet to the user side to block the target traffic;
in response to the connection between the user side and the service side being established, the core router sends a blocking packet to both the user side and the service side to block the target traffic.
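The reset-based blocking packet of the preceding embodiment (RST message; handshake phase resets the user side only, an established connection is reset on both sides, as in steps 511 above) as an added Python example that derives the blocking packets from one observed segment of the target traffic and serialises them as TCP headers with a valid checksum. This is illustrative code for this page, not the protection blocking device's implementation: the `Segment` type and the observed segments are constructed, and the sequence and acknowledgment numbers follow the RFC 793 reset-generation rules. A caveat a practitioner will want: a modern receiver (RFC 5961) accepts an RST immediately only when its sequence number equals exactly the next expected byte, so the numbers must be taken from a segment the receiver has actually seen, and a burst of further data in flight can make the reset arrive out of window, which is why the page retries toward both sides.

```python
"""Build TCP reset (RST) blocking packets from one observed segment of the target
traffic, choosing the direction(s) by connection stage: during the handshake only the
user (client) side is reset; once established, both sides are. Added example, not
the page's implementation; RFC 793 reset rules; addresses and segments constructed."""
import socket
import struct
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
SEQ_MASK = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    ack: int
    flags: int
    payload_len: int = 0
    from_client: bool = True  # direction as seen by the protection blocking device


def segment_length(seg):
    """Sequence space the segment consumes: payload bytes plus one each for SYN and FIN."""
    return seg.payload_len + (1 if seg.flags & SYN else 0) + (1 if seg.flags & FIN else 0)


def reset_toward_sender(obs):
    """RST spoofed from the peer back to whoever sent `obs`. RFC 793: take seq from the
    ACK field when present, otherwise seq 0 and ack = seq + segment length."""
    ack = (obs.seq + segment_length(obs)) & SEQ_MASK
    seq = obs.ack if obs.flags & ACK else 0
    return Segment(obs.dst_ip, obs.dst_port, obs.src_ip, obs.src_port,
                   seq, ack, RST | ACK, 0, not obs.from_client)


def reset_toward_peer(obs):
    """RST spoofed from the sender of `obs` to its peer: the peer expects the byte right
    after `obs`, so seq = obs.seq + length keeps the reset exactly in window."""
    return Segment(obs.src_ip, obs.src_port, obs.dst_ip, obs.dst_port,
                   (obs.seq + segment_length(obs)) & SEQ_MASK, obs.ack,
                   RST | ACK, 0, obs.from_client)


def blocking_plan(obs):
    """Handshake (SYN present): reset the client only. Established: reset both ends."""
    if obs.flags & SYN:
        # client's SYN -> reset back to the client; server's SYN-ACK -> reset on to the client
        return [reset_toward_sender(obs)] if obs.from_client else [reset_toward_peer(obs)]
    return [reset_toward_sender(obs), reset_toward_peer(obs)]


def ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(seg, tcp_len):
    return (socket.inet_aton(seg.src_ip) + socket.inet_aton(seg.dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def tcp_header(seg):
    """20-byte TCP header (no options, zero window) with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", seg.src_port, seg.dst_port, seg.seq, seg.ack,
                      5 << 4, seg.flags, 0, 0, 0)
    csum = (~ones_complement_sum(_pseudo_header(seg, len(hdr)) + hdr)) & 0xFFFF
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_ok(seg, raw):
    """Receiver-side check: the sum over pseudo-header and header must be all ones."""
    return ones_complement_sum(_pseudo_header(seg, len(raw)) + raw) == 0xFFFF


# Constructed observations of one flow: user 192.0.2.10 -> protected host 203.0.113.5:22.
CLIENT_SYN = Segment("192.0.2.10", 40000, "203.0.113.5", 22, 1000, 0, SYN)
ESTABLISHED = Segment("192.0.2.10", 40000, "203.0.113.5", 22, 5000, 9000, ACK, payload_len=100)

if __name__ == "__main__":
    for obs in (CLIENT_SYN, ESTABLISHED):
        for rst in blocking_plan(obs):
            print(f"RST {rst.src_ip}:{rst.src_port} -> {rst.dst_ip}:{rst.dst_port} "
                  f"seq={rst.seq} ack={rst.ack} hdr={tcp_header(rst).hex()}")
```

For the SYN the single reset is addressed to the user side with sequence number zero and an acknowledgment of the client's initial sequence number plus one; for the established segment the plan holds one reset per direction, each carrying the number the respective receiver expects next.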
To sum up, in the bypass blocking system provided in this embodiment of the application, the blocking switch mirrors the target traffic received from the core router to obtain mirror traffic of the target traffic, the target traffic being service traffic with the specified routing information, and sends the mirror traffic to the protection blocking device, which performs the blocking judgment on the mirror traffic and generates the corresponding blocking packet; the blocking switch forwards the blocking packet to the core router to block the target traffic. The protection blocking device therefore only needs to judge this part of the traffic, reducing its pressure and performance consumption, and because the blocking switch reinjects the target traffic into the core router in time while mirroring it, normal interaction of service traffic between the user side and the service side is preserved while protection blocking is performed.
Referring to fig. 6, a schematic structural diagram of a bypass blocking system according to an exemplary embodiment of the present application is shown, and as shown in fig. 6, the bypass blocking system includes a core router 610, a blocking switch 620, and a protection blocking device 630, where the blocking switch 620 is disposed between the core router 610 and the protection blocking device 630.
The protection blocking device is configured to issue a route advertisement to the blocking switch, the route advertisement declaring the specified routing information;
the blocking switch is used for forwarding the route advertisement to the core router;
the core router is used for sending the target flow with the specified routing information to the blocking switch;
the blocking switch is configured to mirror the target traffic to obtain mirror traffic, send the mirror traffic to the protection blocking device, and reinject the target traffic to the core router;
the protection blocking equipment is used for responding to the matching of the mirror flow and the blocking rule and sending a blocking packet to the blocking switch;
and the blocking switch is used for sending the blocking packet to the core router so as to block the target flow.
Taking a complete bypass blocking process as an example, a first BGP channel is established between the core router 610 and the blocking switch 620, a second BGP channel is established between the blocking switch 620 and the protection blocking device 630, and the blocking switch 620 includes a mirroring unit 621 and a reinjection unit 622.
The bypass blocking process can be divided into a route advertisement sending process and a target traffic detection process:
in the process of sending the route advertisement, the protection blocking device 630 generates the route advertisement by receiving and reading a blocking rule containing the specified route information sent by the terminal 640, and sends the route advertisement to the blocking switch 620 through the second BGP channel; blocking switch 620, upon receiving the route advertisement, forwards the route advertisement to core router 610 via the first BGP channel.
In the target traffic detection process, the core router 610 screens the target traffic out of the service traffic based on the received route advertisement and sends it to the blocking switch 620 through the first BGP channel. The mirroring unit 621 in the blocking switch 620 copies the received target traffic, while the reinjection unit 622 reinjects the target traffic that was diverted to the blocking switch 620 back to the core router 610 through the first BGP channel. After mirroring completes, the blocking switch 620 sends the resulting mirror traffic to the protection blocking device 630 through the second BGP channel. The protection blocking device 630 performs the blocking judgment on the mirror traffic against the blocking rule: if the mirror traffic does not match the blocking rule, it is ignored and not processed further; if it matches, the target traffic corresponding to the mirror traffic is blocking traffic, and the protection blocking device 630 generates the corresponding blocking packet based on the mirror traffic and sends it to the blocking switch 620 through the second BGP channel. The blocking switch 620 forwards the blocking packet to the core router 610 through the first BGP channel, and the core router 610 sends the blocking packet to the user side and/or the service side according to the stage of the TCP connection between the user side and the service side, thereby blocking the target traffic.
In a possible implementation manner, the mirror traffic of the detected target traffic is deleted, so as to reduce the occupation of the mirror traffic on the storage space of the protection blocking system.
To ensure high availability between the core router and the blocking switch, in one possible implementation the blocking switch comprises at least two switches, and the core router establishes a connection with each of them. Fig. 7 is a schematic diagram of a core router and blocking switches provided in an exemplary embodiment of the application. As shown in Fig. 7, taking one core router corresponding to two blocking switches as an example, the core router 711 is connected to the blocking switch 721 and to the blocking switch 722; traffic in the core router 711 may be sent to the blocking switch 721 for mirroring and then blocked by the blocking device 731 corresponding to the blocking switch 721, or sent to the blocking switch 722 for mirroring and then blocked by the blocking device 732 corresponding to the blocking switch 722.
In one possible case, after the protection blocking devices issue the route advertisement that pulls traffic over BGP, the core router receives the route advertisement for the same IP prefixes from multiple blocking switches. It then distributes the target traffic evenly over the blocking switches based on the five-tuple (source IP address, source port, destination IP address, destination port and transport layer protocol), and packets of the same target traffic are sent to only one blocking switch in any one sending process.
In a possible implementation manner, when the core router performs uniform target traffic load, multiple blocking switches are traversed, one of the blocking switches with the smallest traffic load is selected as the target blocking switch, and the target traffic is sent to the target blocking switch.
In a possible implementation, in response to one of the multiple blocking switches (a first blocking switch) shutting down, the BGP channel established by that switch is terminated with it, and the core router automatically pulls the target traffic originally distributed to the first blocking switch to a blocking switch that is operating normally, achieving high availability of the blocking switches toward the core router.
In a possible implementation, other types of devices may be mounted behind the blocking switch alongside the protection blocking device. Fig. 8 shows a framework diagram of a bypass blocking system according to an exemplary embodiment of the application, taking as an example a compliance detection device mounted behind the blocking switch together with the protection blocking device. As shown in Fig. 8, the compliance detection device 810 performs compliance detection on the target traffic diverted on the basis of the preset blocking rules, so as to further determine common characteristics of blocking traffic within the target traffic, such as more precise routing information characteristics, and feeds the detected information back to the protection blocking device 820, so that the protection blocking device completes the blocking rules configured in it according to the feedback.
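The five-tuple distribution across several blocking switches and the failover when one switch's BGP channel ends, from the two paragraphs before the Fig. 8 description, as an added Python example; this is illustrative code for this page, not the core router's implementation. It goes slightly beyond the page in two ways that are design choices of the example: the key is made symmetric so that both directions of one connection land on the same switch (otherwise a layer-7 judgment would see only half the exchange), and rendezvous (highest-random-weight) hashing is used so that when a switch drops out only the flows that were on it move, while every other flow keeps its switch. The `least_loaded` alternative mirrors the page's "smallest traffic load" selection. Switch names and flows are constructed.

```python
"""Distribute target traffic across blocking switches by five-tuple so that every
packet of a flow reaches one switch, and move only the affected flows when a
switch's BGP session drops. Added example, not the page's implementation; the
symmetric key and rendezvous hashing are design choices; names and flows constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def flow_key(flow):
    """Symmetric five-tuple key: identical for both directions of a connection."""
    a = (flow.src_ip, flow.src_port)
    b = (flow.dst_ip, flow.dst_port)
    lo, hi = sorted([a, b])
    return f"{flow.proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"


def _weight(key, switch):
    """Per-(flow, switch) pseudo-random weight; deterministic across runs."""
    digest = hashlib.sha256(f"{key}|{switch}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


class Distributor:
    """Core-router view: which blocking switches hold a live BGP session, and which
    one a given flow is pulled to."""

    def __init__(self, switches):
        self.up = set(switches)

    def session_down(self, switch):
        """The switch shut down: its BGP channel ends and it leaves the candidate set."""
        self.up.discard(switch)

    def session_up(self, switch):
        self.up.add(switch)

    def pick(self, flow):
        """Rendezvous hashing: the live switch with the highest weight for this flow.
        Removing one switch changes the answer only for flows that were on it."""
        if not self.up:
            raise RuntimeError("no blocking switch available; traffic cannot be pulled")
        key = flow_key(flow)
        return max(sorted(self.up), key=lambda sw: _weight(key, sw))

    def least_loaded(self, load):
        """Alternative from the page: the live switch with the smallest current load
        (`load` maps switch name -> traffic figure; unknown switches count as 0)."""
        return min(sorted(self.up), key=lambda sw: load.get(sw, 0))


def sample_flows(n):
    """Constructed client flows toward one protected host."""
    return [Flow(f"198.51.100.{i % 250 + 1}", 40000 + i, "203.0.113.5", 22, "tcp")
            for i in range(n)]


if __name__ == "__main__":
    d = Distributor(["blocking-switch-721", "blocking-switch-722"])
    f = sample_flows(1)[0]
    reverse = Flow(f.dst_ip, f.dst_port, f.src_ip, f.src_port, f.proto)
    print(d.pick(f), d.pick(reverse))
    d.session_down("blocking-switch-721")
    print(d.pick(f))
```

A plain modulo over the live switch count would also send each flow to exactly one switch, but losing one switch would then reshuffle roughly half of the surviving flows onto a different switch mid-connection, so their layer-7 state would be lost; rendezvous hashing avoids that at the cost of one hash per candidate switch.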
Fig. 9 is a block diagram illustrating a bypass blocking apparatus according to an exemplary embodiment of the present application, where the bypass blocking apparatus may be applied to a blocking switch in the bypass blocking system shown in fig. 1, the blocking switch being disposed between a protection blocking device and a core router, and as shown in fig. 9, the bypass blocking apparatus includes:
a target traffic receiving module 910, configured to receive a target traffic sent by a core router, where the target traffic is a service traffic with specified routing information;
a mirroring module 920, configured to mirror the target traffic to obtain mirror traffic of the target traffic;
a reinjection module 930 for reinjecting the target traffic to the core router;
a mirror flow sending module 940, configured to send the mirror flow to the protection blocking device;
a blocking packet receiving module 950, configured to receive a blocking packet sent by a protection blocking device; the blocking packet is sent by the protection blocking equipment in response to the mirror image flow matched with the blocking rule; the blocking rule is a rule which is arranged in the protective blocking equipment and is used for carrying out blocking judgment;
a blocking packet forwarding module 960, configured to forward the blocking packet to the core router to block the target traffic.
In a possible implementation manner, the blocking switch is connected with the core router through a first Border Gateway Protocol (BGP) channel, and the blocking switch is connected with the protection blocking device through a second BGP channel;
a target traffic receiving module 910, configured to receive, through a first BGP channel, a target traffic sent by a core router;
a reinjection module 930, configured to reinject the target traffic to the core router through the first BGP channel;
a mirror traffic sending module 940, configured to send the mirror traffic to the protection blocking device through the second BGP channel;
a blocking packet receiving module 950, configured to receive a blocking packet sent by the protection blocking device through the second BGP channel;
a blocking packet forwarding module 960, configured to forward the blocking packet to the core router through the first BGP channel.
In a possible implementation manner, before the target traffic receiving module receives the target traffic sent by the core router, the apparatus further includes:
a route advertisement receiving module, configured to receive a route advertisement sent by the protection blocking device, the route advertisement declaring the specified routing information;
a route advertisement forwarding module, configured to forward the route advertisement to the core router;
the target traffic receiving module 910 is configured to receive target traffic sent by the core router based on the route advertisement.
In one possible implementation, a beam splitter is configured in the blocking switch;
the mirror processing module 920 is configured to perform mirror processing on the target traffic through the beam splitter to obtain the mirror traffic of the target traffic.
To sum up, the bypass blocking apparatus provided in the embodiment of the present application is applied in a blocking switch. The blocking switch performs mirror processing on the received target traffic sent by the core router to obtain the mirror traffic of the target traffic, where the target traffic is service traffic having specified routing information, and sends the mirror traffic to the protection blocking device so that the blocking judgment is performed on the mirror traffic and a corresponding blocking packet is generated; the blocking switch then forwards the blocking packet generated by the protection blocking device to the core router to block the target traffic. When performing protection blocking, the protection blocking device therefore only needs to perform the blocking judgment on this part of the traffic, which reduces the load and performance consumption of the protection blocking device. Meanwhile, since the blocking switch reinjects the target traffic to the core router in time while mirroring it, normal interaction of the service traffic between the user side and the service side is ensured while protection blocking is performed.
Fig. 10 is a block diagram of a bypass blocking apparatus according to an exemplary embodiment of the present application, where the bypass blocking apparatus may be applied to a protection blocking device of the bypass blocking system shown in fig. 1, a blocking switch being disposed between the protection blocking device and a core router. As shown in fig. 10, the bypass blocking apparatus includes:
a mirror flow receiving module 1010, configured to receive a mirror flow corresponding to a target flow sent by a blocking switch, where the target flow is a service flow with specified routing information;
a blocking packet generating module 1020 configured to generate a blocking packet in response to matching of the mirror traffic with a blocking rule;
a blocking packet sending module 1030, configured to send a blocking packet to the blocking switch, so as to block the target traffic.
In a possible implementation manner, the protection blocking device is connected to the blocking switch through a second BGP channel;
a mirror traffic receiving module 1010, configured to receive mirror traffic sent by the blocking switch through the second BGP channel;
a blocking packet sending module 1030, configured to send a blocking packet to the blocking switch through the second BGP channel.
In a possible implementation manner, before the mirror traffic receiving module receives the mirror traffic corresponding to the target traffic sent by the blocking switch, the apparatus further includes:
the blocking rule reading module is used for reading a blocking rule, and the blocking rule comprises specified routing information;
and the route advertisement releasing module is used for sending the route advertisement used for declaring the specified route information to the blocking switch, so that the blocking switch forwards the route advertisement to the core router, and the core router is triggered to send the target flow corresponding to the specified route information to the blocking switch.
In one possible implementation, the specified routing information includes at least one of first specified routing information and second specified routing information; the first specified routing information is used for indicating that the Internet Protocol (IP) address corresponding to the service traffic is a protected IP address; the second specified routing information is used for indicating that the IP address corresponding to the service traffic is an illegal IP address.
In one possible implementation, the blocking rule includes a first blocking rule and a second blocking rule; before the blocking packet generating module generates the blocking packet in response to the mirror traffic matching the blocking rule, the apparatus further includes:
a transport layer information acquisition module, configured to acquire transport layer information of the mirror traffic;
a first matching module, configured to match the transport layer information with the first blocking rule;
a first determining module, configured to determine, in response to the transport layer information matching the first blocking rule, that the mirror traffic matches the blocking rule;
an application layer information acquisition module, configured to acquire application layer information of the mirror traffic in response to the transport layer information not matching the first blocking rule;
a second matching module, configured to match the application layer information with the second blocking rule;
and a second determining module, configured to determine, in response to the application layer information matching the second blocking rule, that the mirror traffic matches the blocking rule.
To sum up, the bypass blocking apparatus provided in the embodiment of the present application is applied to a protection blocking device. The protection blocking device receives the mirror traffic of the target traffic having the specified routing information, performs the blocking judgment on that mirror traffic, and transmits a blocking packet through the BGP channel, thereby blocking the target traffic. When performing protection blocking, the protection blocking device therefore only needs to perform the blocking judgment on this part of the traffic, which reduces the load and performance consumption of the protection blocking device.
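The switch-side apparatus (fig. 9) and the device-side apparatus (fig. 10) described above can be exercised end to end with the following simulation: the protection blocking device declares the specified routing information, the core router steers matching target traffic to the blocking switch, the switch mirrors it and reinjects the original, and the device applies the first (transport layer) blocking rule before the second (application layer) one and returns a blocking packet that the switch relays to the core router. It is an added example written for this page, not code from the patent or from the applicant. The packet layout, the rule syntax, the blocking-packet format (modelled as a reset aimed back at the flow's sender), the `CoreRouter`, `BlockingSwitch` and `ProtectionBlockingDevice` classes, and the sample prefixes and payload signature (RFC 5737 documentation ranges) are all assumptions made here.

```python
# Added example (not the patent's code): a simulation of the bypass blocking
# data path. Packet layout, rule syntax and the blocking packet format (modelled
# as a TCP reset) are assumptions; prefixes and signatures are constructed.
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str            # transport-layer information
    src_port: int
    dst_port: int
    payload: bytes = b""  # application-layer information
    flags: str = ""       # "RST" marks a blocking packet (assumed format)


@dataclass
class ProtectionBlockingDevice:
    """Off-path device: it only ever sees mirrored copies of the target traffic."""
    protected_prefixes: list  # first specified routing information (protected IPs)
    illegal_prefixes: list    # second specified routing information (illegal IPs)
    transport_rules: set      # first blocking rule: {(proto, dst_port), ...}
    application_rules: list   # second blocking rule: payload signatures
    checked_layers: list = field(default_factory=list)  # audit trail for the demo

    def route_advertisement(self):
        """Declare the specified routing information over the second BGP channel."""
        return [str(p) for p in self.protected_prefixes + self.illegal_prefixes]

    def matches(self, pkt):
        self.checked_layers.append("transport")       # stage 1: first blocking rule
        if (pkt.proto, pkt.dst_port) in self.transport_rules:
            return True
        self.checked_layers.append("application")     # stage 2: only on a stage-1 miss
        return any(sig in pkt.payload for sig in self.application_rules)

    def on_mirror(self, pkt):
        """Return a blocking packet for a matching mirror, else None."""
        if not self.matches(pkt):
            return None
        return Packet(pkt.dst_ip, pkt.src_ip, pkt.proto,   # reset aimed at the sender
                      pkt.dst_port, pkt.src_port, flags="RST")


@dataclass
class BlockingSwitch:
    """In-path tap between the core router and the protection blocking device."""
    device: ProtectionBlockingDevice
    mirrored: list = field(default_factory=list)

    def forward_route_advertisement(self):
        return self.device.route_advertisement()  # relayed onto the first BGP channel

    def handle_target_traffic(self, pkt):
        """Mirror the packet, reinject the original, relay any blocking packet."""
        mirror = replace(pkt)                     # the beam splitter: a copy
        self.mirrored.append(mirror)
        return pkt, self.device.on_mirror(mirror)  # original goes back unchanged


@dataclass
class CoreRouter:
    switch: BlockingSwitch
    delivered: list = field(default_factory=list)  # what the service side receives
    blocked: list = field(default_factory=list)    # blocking packets forwarded

    def __post_init__(self):
        self.specified_routes = [ip_network(r)
                                 for r in self.switch.forward_route_advertisement()]

    def is_target(self, pkt):
        return any(ip_address(a) in net for a in (pkt.src_ip, pkt.dst_ip)
                   for net in self.specified_routes)

    def forward(self, pkt):
        if not self.is_target(pkt):
            self.delivered.append(pkt)             # ordinary traffic never sees the switch
            return "delivered"
        reinjected, blocking_pkt = self.switch.handle_target_traffic(pkt)
        self.delivered.append(reinjected)          # reinjected regardless of the verdict
        if blocking_pkt is None:
            return "delivered"
        self.blocked.append(blocking_pkt)          # block follows the flow out of band
        return "delivered+blocked"


def build_system():
    device = ProtectionBlockingDevice(
        protected_prefixes=[ip_network("203.0.113.0/24")],  # constructed: protected hosts
        illegal_prefixes=[ip_network("198.51.100.0/24")],   # constructed: known-bad sources
        transport_rules={("tcp", 23)},                      # constructed: no telnet inbound
        application_rules=[b"BAD-SIG"],                     # constructed payload signature
    )
    return CoreRouter(BlockingSwitch(device))


def run_demo():
    router = build_system()
    results = {
        "plain": router.forward(Packet("192.0.2.10", "192.0.2.20", "tcp", 40000, 443)),
        "l4_hit": router.forward(Packet("192.0.2.10", "203.0.113.5", "tcp", 40001, 23)),
        "l7_hit": router.forward(Packet("198.51.100.7", "203.0.113.5", "tcp", 40002, 80,
                                        b"GET /?q=BAD-SIG HTTP/1.1")),
        "clean": router.forward(Packet("192.0.2.11", "203.0.113.5", "tcp", 40003, 80,
                                       b"GET / HTTP/1.1")),
    }
    return router, results
```

Running `run_demo()` shows the two properties that matter operationally. First, every target packet lands in `delivered` whether or not it is later blocked: the switch reinjects before the verdict, so the design is fail-open and the blocking packet has to race the flow it cuts, which is exactly why a slow or unreachable protection blocking device degrades to no blocking rather than to an outage. Second, `checked_layers` records that application-layer inspection only runs after a transport-layer miss, which is where the load reduction the text claims comes from.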
FIG. 11 illustrates a block diagram of a computer device 1100 according to an exemplary embodiment of the present application. The computer device may be implemented as a protection blocking device in the above-mentioned aspect of the present application. The computer device 1100 includes a Central Processing Unit (CPU) 1101, a system Memory 1104 including a Random Access Memory (RAM) 1102 and a Read-Only Memory (ROM) 1103, and a system bus 1105 connecting the system Memory 1104 and the CPU 1101. The computer device 1100 also includes a basic Input/Output system (I/O system) 1106, which facilitates transfer of information between devices within the computer, and a mass storage device 1107 for storing an operating system 1113, application programs 1114, and other program modules 1115.
The basic input/output system 1106 includes a display 1108 for displaying information and an input device 1109, such as a mouse or keyboard, through which the user inputs information. The display 1108 and the input device 1109 are connected to the central processing unit 1101 through an input/output controller 1110 connected to the system bus 1105. The basic input/output system 1106 may also include the input/output controller 1110 for receiving and processing input from a number of other devices, such as a keyboard, mouse, or electronic stylus. Similarly, the input/output controller 1110 also provides output to a display screen, a printer, or another type of output device.
The mass storage device 1107 is connected to the central processing unit 1101 through a mass storage controller (not shown) that is connected to the system bus 1105. The mass storage device 1107 and its associated computer-readable media provide non-volatile storage for the computer device 1100. That is, the mass storage device 1107 may include a computer-readable medium (not shown) such as a hard disk or a Compact Disc Read-Only Memory (CD-ROM) drive.
Without loss of generality, the computer-readable media may comprise computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes RAM, ROM, Erasable Programmable Read-Only Memory (EPROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), flash Memory or other solid state Memory technology, CD-ROM, Digital Versatile Disks (DVD), or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage, or other magnetic storage devices. Of course, those skilled in the art will appreciate that the computer storage media is not limited to the foregoing. The system memory 1104 and mass storage device 1107 described above may be collectively referred to as memory.
The computer device 1100 may also be connected, through a network such as the Internet, to a remote computer on that network, in accordance with various embodiments of the present disclosure. That is, the computer device 1100 may connect to the network 1112 through the network interface unit 1111 coupled to the system bus 1105, or may connect to other types of networks or remote computer systems (not shown) using the network interface unit 1111.
The memory further comprises at least one instruction, at least one program, code set, or instruction set, which is stored in the memory, and the central processing unit 1101 implements all or part of the steps of the bypass blocking method shown in the above embodiments by executing the at least one instruction, at least one program, code set, or instruction set.
In an exemplary embodiment, a non-transitory computer readable storage medium including instructions, such as a memory including at least one instruction, at least one program, set of codes, or set of instructions, executable by a processor to perform all or part of the steps of the method shown in any of fig. 2, fig. 3, fig. 4, or fig. 5, described above, is also provided. For example, the non-transitory computer readable storage medium may be a ROM, a RAM, a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
In an exemplary embodiment, a computer program product or a computer program is also provided, which comprises computer instructions, which are stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer readable storage medium, and the processor executes the computer instructions to cause the computer device to perform all or part of the steps of the method described in any of the embodiments of fig. 2, fig. 3, fig. 4, or fig. 5.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (15)

1. A bypass blocking method applied to a blocking switch, the blocking switch being disposed between a protection blocking device and a core router, the method comprising:
receiving a target flow sent by the core router, wherein the target flow is a service flow with specified routing information;
carrying out mirror image processing on the target flow to obtain the mirror image flow of the target flow;
reinjecting the target traffic to the core router;
sending the mirror image traffic to the protection blocking equipment;
receiving a blocking packet sent by the protection blocking device; the blocking packet is sent by the protection blocking device in response to the mirror traffic matching a blocking rule; the blocking rule is a rule configured in the protection blocking device for making the blocking judgment;
and forwarding the blocking packet to the core router so as to block the target flow.
2. The method of claim 1, wherein the blocking switch is connected to the core router through a first Border Gateway Protocol (BGP) channel, and wherein the blocking switch is connected to the protection blocking device through a second BGP channel;
the receiving the target traffic sent by the core router includes:
receiving the target traffic sent by the core router through the first BGP channel;
the reinjecting the target traffic to the core router includes:
reinjecting the target traffic to the core router through the first BGP channel;
the sending the mirror traffic to the protection blocking device includes:
sending the mirror image traffic to the protection blocking device through the second BGP channel;
the receiving of the blocking packet sent by the protection blocking device includes:
receiving the blocking packet sent by the protection blocking device through the second BGP channel;
the forwarding the blocking packet to the core router includes:
forwarding the blocking packet to the core router over the first BGP channel.
3. The method of claim 1, wherein before receiving the target traffic sent by the core router, the method further comprises:
receiving a route advertisement sent by the protection blocking equipment, wherein the route advertisement is used for declaring the specified route information;
forwarding the route advertisement to the core router;
the receiving the target traffic sent by the core router includes:
and receiving the target traffic sent by the core router based on the route advertisement.
4. The method of claim 1, wherein the blocking switch has a beam splitter disposed therein;
the performing mirror image processing on the target flow to obtain the mirror image flow of the target flow includes:
and carrying out mirror image processing on the target flow through the beam splitter to obtain the mirror image flow of the target flow.
5. A bypass blocking method is applied to a protection blocking device, a blocking switch is arranged between the protection blocking device and a core router, and the method comprises the following steps:
receiving mirror image traffic corresponding to target traffic sent by the blocking switch, wherein the target traffic is service traffic with specified routing information;
generating a blocking packet in response to the mirror flow matching a blocking rule;
and sending the blocking packet to the blocking switch to block the target flow.
6. The method of claim 5, wherein the protection blocking device is connected to the blocking switch through a second BGP channel;
the receiving of the mirror traffic corresponding to the target traffic sent by the blocking switch includes:
receiving the mirror image traffic sent by the blocking switch through the second BGP channel;
the sending the blocking packet to the blocking switch includes:
and sending the blocking packet to the blocking switch through the second BGP channel.
7. The method according to claim 5, wherein before receiving the mirror traffic corresponding to the target traffic sent by the blocking switch, the method further comprises:
reading a blocking rule, wherein the blocking rule comprises the specified routing information;
sending a route advertisement for declaring the specified route information to the blocking switch, so that the blocking switch forwards the route advertisement to the core router to trigger the core router to send the target traffic corresponding to the specified route information to the blocking switch.
8. The method of claim 5, wherein the specified routing information comprises at least one of first specified routing information and second specified routing information; the first designated routing information is used for indicating that an internet protocol IP address corresponding to the service flow is a protected IP address; and the second specified routing information is used for indicating that the IP address corresponding to the service flow is the illegal IP address.
9. The method of claim 5, wherein the blocking rule comprises a first blocking rule and a second blocking rule; before generating a blocking packet in response to the mirror traffic matching with the blocking rule, the method further includes:
acquiring transport layer information of the mirror traffic;
matching the transport layer information with a first blocking rule;
determining that the mirror traffic matches the blocking rule in response to the transport layer information matching the first blocking rule;
in response to the transport layer information not matching the first blocking rule, acquiring application layer information of the mirror traffic;
matching the application layer information with the second blocking rule;
in response to the application layer information matching the second blocking rule, determining that the mirror traffic matches the blocking rule.
10. A bypass blocking system, comprising a protection blocking device, a blocking switch, and a core router; the blocking switch is arranged between the core router and the protection blocking device;
the protection blocking device is used for issuing a route advertisement to the blocking switch; the route advertisement is used for declaring specified routing information;
the blocking switch is used for forwarding the route advertisement to the core router;
the core router is used for sending the target traffic with the specified routing information to the blocking switch;
the blocking switch is used for carrying out mirror image processing on the target flow to obtain mirror image flow, sending the mirror image flow to the protection blocking equipment and reinjecting the target flow to the core router;
the protection blocking equipment is used for responding to the matching of the mirror flow and a blocking rule and sending a blocking packet to the blocking switch;
and the blocking switch is used for sending the blocking packet to the core router so as to block the target flow.
11. The system of claim 10, wherein the blocking switch comprises at least two switches;
and the core router and the at least two switches are respectively connected.
12. A bypass blocking apparatus, wherein the apparatus is applied in a blocking switch, the blocking switch is disposed between a protection blocking device and a core router, the apparatus comprises:
a target traffic receiving module, configured to receive a target traffic sent by the core router, where the target traffic is a service traffic having specified routing information;
the mirror image processing module is used for carrying out mirror image processing on the target flow to obtain the mirror image flow of the target flow;
a reinjection module, configured to reinject the target traffic to the core router;
the mirror image flow sending module is used for sending the mirror image flow to the protection blocking equipment;
a blocking packet receiving module, configured to receive a blocking packet sent by the protection blocking device; the blocking packet is sent by the protection blocking device in response to the mirror traffic matching a blocking rule; the blocking rule is a rule configured in the protection blocking device for making the blocking judgment;
and the blocking packet forwarding module is used for forwarding the blocking packet to the core router so as to block the target flow.
13. A bypass blocking apparatus applied to a protection blocking device, a blocking switch being arranged between the protection blocking device and a core router, the apparatus comprising:
the mirror image flow receiving module is used for receiving mirror image flow corresponding to target flow sent by the blocking switch, wherein the target flow is service flow with specified routing information;
the blocking packet generating module is used for responding to the matching of the mirror image flow and the blocking rule and generating a blocking packet;
and the blocking packet sending module is used for sending the blocking packet to the blocking switch so as to block the target flow.
14. A computer device comprising a processor and a memory, said memory having stored therein at least one instruction, at least one program, a set of codes, or a set of instructions; the at least one instruction, the at least one program, the set of codes, or the set of instructions being loaded and executed by the processor to implement the bypass blocking method of any of claims 1 to 9.
15. A computer readable storage medium having stored therein at least one instruction, at least one program, set of codes, or set of instructions; the at least one instruction, the at least one program, the set of codes, or the set of instructions being loaded and executed by a processor to implement the bypass blocking method of any of claims 1 to 9.
CN202011180005.9A 2020-10-29 2020-10-29 Bypass blocking method, system, device, computer equipment and storage medium Active CN112350939B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011180005.9A CN112350939B (en) 2020-10-29 2020-10-29 Bypass blocking method, system, device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112350939A true CN112350939A (en) 2021-02-09
CN112350939B CN112350939B (en) 2023-11-10

Family

ID=74356518

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011180005.9A Active CN112350939B (en) 2020-10-29 2020-10-29 Bypass blocking method, system, device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112350939B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114884707A (en) * 2022-04-24 2022-08-09 金祺创(北京)技术有限公司 Intelligent security monitoring and networking alarm method and system for large-scale network attack
CN116016284A (en) * 2022-12-09 2023-04-25 中国联合网络通信集团有限公司 Data analysis method, device, electronic equipment and storage medium

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH0198344A (en) * 1987-10-12 1989-04-17 Nippon Telegr & Teleph Corp <Ntt> Congestion control method
US20010039623A1 (en) * 2000-03-30 2001-11-08 Ishikawa Mark M. System, method and apparatus for preventing transmission of data on a network
US20070169162A1 (en) * 2006-01-18 2007-07-19 Srinivas Kola Hierarchical communications network with upstream signal controllable from head end
CN101299724A (en) * 2008-07-04 2008-11-05 杭州华三通信技术有限公司 Method, system and equipment for cleaning traffic
CN101771608A (en) * 2009-10-14 2010-07-07 莱克斯科技(北京)有限公司 Bypass blocking way technology
CN106656922A (en) * 2015-10-30 2017-05-10 阿里巴巴集团控股有限公司 Flow analysis based protective method and device against network attack
CN107645470A (en) * 2016-07-20 2018-01-30 阿里巴巴集团控股有限公司 A kind of method for blocking bypass by, device, system, electronic equipment
US20190173901A1 (en) * 2016-10-31 2019-06-06 Tencent Technology (Shenzhen) Company Limited Traffic attack protection method and system, controller, router, and storage medium
CN111294365A (en) * 2020-05-12 2020-06-16 腾讯科技(深圳)有限公司 Attack flow protection system, method and device, electronic equipment and storage medium
CN111478888A (en) * 2020-03-24 2020-07-31 武汉思普崚技术有限公司 Bypass blocking method, device and storage medium

Also Published As

Publication number Publication date
CN112350939B (en) 2023-11-10

Legal Events

Date Code Title Description
PB01 Publication
REG Reference to a national code
Ref country code: HK
Ref legal event code: DE
Ref document number: 40038306
Country of ref document: HK
SE01 Entry into force of request for substantive examination
GR01 Patent grant