CN112350988A - Method and device for counting byte number and connection number of security policy - Google Patents

Method and device for counting byte number and connection number of security policy

Info

Publication number
CN112350988A
Authority
CN
China
Prior art keywords
data
strategy
connection
data packet
policy
Prior art date
Legal status
Pending
Application number
CN202010991950.0A
Other languages
Chinese (zh)
Inventor
刘亚轩
何建锋
陈宏伟
Current Assignee
Xi'an Jiaotong University Jump Network Technology Co ltd
Original Assignee
Xi'an Jiaotong University Jump Network Technology Co ltd
Priority date
2020-09-21
Filing date
2020-09-21
Publication date
2021-02-09

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/142 Network analysis or design using statistical or mathematical methods
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/22 Indexing; Data structures therefor; Storage structures
    • G06F16/2282 Tablespace storage structures; Management thereof
    • G06F16/23 Updating
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2458 Special types of queries, e.g. statistical queries, fuzzy queries or distributed queries
    • G06F16/2462 Approximate or statistical queries

Abstract

The invention discloses a method and a device for counting the number of bytes and the number of connections of a security policy. When the security policy table is created, a corresponding policy data statistics table is set up to record the statistics. Security policy matching is performed only on the first packet of a received connection; once a match succeeds, the matched policy ID is copied and stored to form a connection table entry. Subsequent packets of the same connection need no further policy matching: their policy ID is obtained directly by looking up the connection table, and the connection count and byte count gathered at fixed intervals are written into the corresponding policy data statistics table by policy ID. Counting of connections and bytes is thus realized in user mode without an additional functional module, and statistical efficiency is improved.

Description

Method and device for counting byte number and connection number of security policy
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a method and a device for counting the number of bytes and the number of connections of a security policy.
Background
With the continuous development of internet technology, websites and data sets keep growing and service types become ever richer. To keep the corresponding services running stably, many related parameters must be monitored effectively, and the number of connections and the number of bytes are important parameters in many application scenarios.
For example, an intranet user may initiate a large number of connections to the outside through network devices (including security devices such as firewalls) in a short time, so that device resources are consumed rapidly and other intranet users can no longer use the network normally; or an internal server may receive a large number of connection requests in a short time and become so busy handling them that other legitimate connection requests can no longer be served. In particular, if a malicious IP initiates a large number of connection requests, the connection count of the website rises sharply, which may delay or block access from legitimate IPs. Connection number control, which counts and limits the connections established on the device, effectively solves these problems, protects internal network resources (hosts or servers) and allocates system resources reasonably.
For another example, a distributed storage service is provided by a cluster of server nodes; to keep the cluster serving normally when client traffic is too high or a server fails, load balancing is generally required within the cluster. One technique implements load balancing through a connection-number policy: when a client request is received, a management node determines the connection count of each node in the cluster and returns the IP address of the node with the fewest connections for the client to access.
Connection number control, connection-based load balancing and similar functions all require counting the number of connections that satisfy a specific condition.
Disclosure of Invention
Based on the above background, the present invention is directed to a method and an apparatus for counting the number of bytes and the number of connections of a security policy, which count the connections and bytes passing through the security policies of a network device and, on the basis of those statistics, support related applications such as connection number control or load balancing.
Firstly, a method for counting the number of bytes and the number of connections of a security policy is provided, which comprises the following steps:
for the first packet of a connection, performing security policy matching, copying the matched policy ID into the packet and storing it into the connection table;
for a non-first packet of the connection, looking up the corresponding connection table entry by the five-tuple to obtain the policy ID;
and updating the byte count and the connection count in the corresponding policy data statistics table according to the policy ID.
As a preference, for the first packet of a received connection:
judging whether a successfully matched policy exists, and if so, proceeding to the next step;
judging according to the policy rule whether to discard the packet; if not, copying the successfully matched policy ID into the packet and storing it into the connection HASH table;
counting the bytes of the packet, looking up the corresponding policy data statistics table by the policy ID, and updating the byte count in that table;
whereas for non-first packets of a received connection:
looking up by the five-tuple whether a corresponding connection HASH table entry exists, and if so, proceeding to the next step;
counting the bytes of the packet, looking up the corresponding policy data statistics table by the policy ID, and updating the byte count in that table.
Furthermore, the statistical method includes periodically counting and outputting the bytes of all packets of the same connection, and periodically counting and outputting the number of connections and the bytes of each connection under the same policy. The connection count and byte count under the same policy include the connections and bytes both released and blocked by that policy; the periodic statistics use a period of 15 seconds.
Further, the statistical method also comprises, beforehand, creating the security policy table and setting up the corresponding policy data statistics table; when the security policy table is updated, all data is deleted and the policy table and the data statistics table are recreated; when the statistics of a policy are updated, the byte count and the connection count in that policy's data statistics table are updated.
In addition, a device for counting the number of bytes and the number of connections of a security policy is also provided, which comprises the following electrically connected modules:
a Linux kernel module, used to invoke the rules to match the packet against the security policy, copy the matched current policy ID into the packet, and pass the packet to the KNI user-mode side as data;
a KNI user-mode connection module, used to look up the corresponding policy data statistics table by the policy ID for the first packet and for non-first packets of a connection respectively, so as to update the statistics;
and a KNI security policy module, used to create and update the security policy table and the corresponding policy data statistics table, and to periodically count the bytes and connections of the policies in the table.
As an optimization, the received first packet of a connection is sent to the Linux kernel module for security policy matching, and whether the packet is discarded is judged according to the policy rule; if not, the matched policy ID is copied into the packet, the packet is stored into the connection HASH table of the KNI user-mode connection module, the corresponding policy statistics table is looked up by the policy ID, the bytes of the packet are counted, and the packet is sent to the KNI security policy module, which updates the policy data statistics table;
and a received non-first packet of the connection is sent to the KNI user-mode connection module, which looks up the connection HASH table and judges whether the corresponding connection is found; if it is, the corresponding policy statistics table is looked up by the stored policy ID, the bytes of the packet are counted, and the packet is sent to the KNI security policy module, which updates the policy data statistics table.
Further, the KNI security policy module counts and outputs, at a fixed interval of 15 seconds, the bytes of all packets of the same connection, and at the same 15-second interval counts and outputs the number of connections and the bytes of each connection under the same policy.
When the security policy table is updated, all data is deleted and the policy table and the data statistics table are recreated; when the statistics of a policy are updated, the byte count and the connection count in that policy's data statistics table are updated.
According to this technical solution, a corresponding policy data statistics table is set up to record statistics when the security policy table is created. Security policy matching is performed on the first packet of a received connection; once the match succeeds, the matched policy ID is copied and stored to form the connection table entry, so subsequent packets of the same connection need no policy matching and their policy ID is obtained directly by looking up the connection table. The periodically counted connections and bytes are stored by policy ID into the corresponding policy data statistics table. Counting of connections and bytes is thus realized in user mode without an additional functional module, and statistical efficiency is improved.
Drawings
Fig. 1 is a schematic diagram of a module and a workflow (data flow direction) of an embodiment of a method for counting the number of bytes and the number of connections of a security policy according to the present invention.
Detailed Description
First, a brief description of related technical terms is provided.
A packet filtering firewall adopts a packet-by-packet inspection mechanism: every packet received by the device is checked against the packet filtering rules to decide whether it is allowed through. For a packet to be forwarded, a conventional packet filtering firewall extracts its header information, including the source IP address, destination IP address, protocol number of the upper-layer protocol carried by the IP layer, source port number and destination port number, matches this information against the preset filtering rules, and forwards or discards the packet according to the result. This mechanism severely degrades forwarding efficiency and makes the packet filtering firewall a forwarding bottleneck in the network.
More and more firewall products therefore adopt a stateful inspection mechanism for packet filtering. Packets are inspected and forwarded per flow, and packets belonging to the same flow are identified by their five-tuple.
At present, firewalls basically use a stateful inspection mechanism: packet filtering is applied only to the first packet of a connection, and the decision is recorded as the "state" of the flow, commonly called a session table entry. If the first packet passes the packet filtering rules and establishes a session, subsequent packets are no longer examined by the packet filtering mechanism; whether to forward or discard them is decided directly by the session table.
After a connection is established, packets of the same connection can be forwarded quickly without per-packet routing and policy matching, and each connection also stores the state information of its flow. Because every established connection consumes system memory, the number of connections a system can support is limited. Once a large number of connections occur simultaneously, the capacity of the firewall may be exceeded, so current firewalls can apply connection number control based on characteristics of the connection, such as a group of source IPs or traffic matching a certain IP five-tuple, to keep the system operating normally. Connection number control requires counting the connections and their bytes.
The technical solution of the invention is proposed against this background.
The following describes embodiments of a method and an apparatus for counting the number of bytes and the number of connections of a security policy in detail with reference to the accompanying drawings.
Supplementary related application embodiment
As shown in Fig. 1, a method for counting the number of bytes and the number of connections of a security policy is first provided, which includes:
For the first packet of a connection, performing security policy matching, copying the matched policy ID into the packet, and storing the packet into the connection table. Specifically, it is judged whether a successfully matched policy exists, and if so the next step is carried out; whether to discard the packet is judged according to the policy rule, and if not, the successfully matched policy ID is copied into the packet and stored into the connection HASH table; the bytes of the packet are counted, the corresponding policy data statistics table is looked up by the policy ID, and the byte count in that table is updated.
For a non-first packet of the connection, looking up the corresponding connection table entry by the five-tuple to obtain the policy ID. Specifically, whether a corresponding connection HASH table entry exists is looked up by the five-tuple, and if so the next step is carried out; the bytes of the packet are counted, the corresponding policy data statistics table is looked up by the policy ID, and the byte count in that table is updated.
Furthermore, the statistical method includes periodically counting and outputting the bytes of all packets of the same connection, and periodically counting and outputting the number of connections and the bytes of each connection under the same policy. The connection count and byte count under the same policy include the connections and bytes both released and blocked by that policy; the periodic statistics use a period of 15 seconds.
Further, the statistical method also comprises, beforehand, creating the security policy table and setting up the corresponding policy data statistics table; when the security policy table is updated, all data is deleted and the policy table and the data statistics table are recreated; when the statistics of a policy are updated, the byte count and the connection count in that policy's data statistics table are updated.
In addition, a device for counting the number of bytes and the number of connections of a security policy is also provided, which comprises the following electrically connected modules:
a Linux kernel module, used to invoke the rules to match the packet against the security policy, copy the matched current policy ID into the packet, and pass the packet to the KNI user-mode side as data;
a KNI user-mode connection module, used to look up the corresponding policy data statistics table by the policy ID for the first packet and for non-first packets of a connection respectively, so as to update the statistics;
and a KNI security policy module, used to create and update the security policy table and the corresponding policy data statistics table, and to periodically count the bytes and connections of the policies in the table.
Preferably, the statistical device carries out the statistical method as follows: the received first packet of a connection is sent to the Linux kernel module for security policy matching, and whether the packet is discarded is judged according to the policy rule; if not, the matched policy ID is copied into the packet, the packet is stored into the connection HASH table of the KNI user-mode connection module, the corresponding policy statistics table is looked up by the policy ID, the bytes of the packet are counted, and the packet is sent to the KNI security policy module, which updates the policy data statistics table. A received non-first packet of the connection is sent to the KNI user-mode connection module, which looks up the connection HASH table and judges whether the corresponding connection is found; if it is, the corresponding policy statistics table is looked up by the stored policy ID, the bytes of the packet are counted, and the packet is sent to the KNI security policy module, which updates the policy data statistics table.
Further, the KNI security policy module counts and outputs, at a fixed interval of 15 seconds, the bytes of all packets of the same connection, and at the same 15-second interval counts and outputs the number of connections and the bytes of each connection under the same policy.
When the security policy table is updated, all data is deleted and the policy table and the data statistics table are recreated; when the statistics of a policy are updated, the byte count and the connection count in that policy's data statistics table are updated.
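The data path described in the summary above and restated in this embodiment, as an added example in C (not the patent's or the applicant's code): a first-match policy table whose index serves as the policy ID, a five-tuple connection HASH table that stores that ID so non-first packets skip matching, and a per-policy statistics table of connections and bytes that a 15-second timer would read out. The network masks, table sizes, the treatment of blocked first packets (counted against the policy but given no connection table entry) and the sample packets are assumptions of this example.

```c
/* Added example (not the patent's code): per-policy byte/connection counting
 * with a five-tuple connection table. Policy layout, table sizes and sample
 * packets below are constructed for the demonstration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_POLICIES 8
#define CONN_SLOTS   64   /* constructed: tiny open-addressing connection HASH table */
typedef struct { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; } tuple_t;
typedef struct {          /* security policy table entry; proto/dport 0 = any */
    uint32_t src_net, src_mask, dst_net, dst_mask; uint8_t proto; uint16_t dport;
    bool allow;           /* release (true) or block (false) */
} policy_t;
typedef struct { uint64_t conns, bytes; } policy_stats_t;  /* policy data statistics table */
typedef struct { bool used; tuple_t key; int policy_id; uint64_t bytes; } conn_t;

static policy_t       policies[MAX_POLICIES];
static policy_stats_t stats[MAX_POLICIES];   /* indexed by policy ID */
static int            n_policies;
static conn_t         conns[CONN_SLOTS];

/* Policy table update: delete all data and recreate both tables. */
void reload_policies(const policy_t *p, int n) {
    n_policies = n > MAX_POLICIES ? MAX_POLICIES : n;
    memcpy(policies, p, sizeof(policy_t) * (size_t)n_policies);
    memset(stats, 0, sizeof stats);
    memset(conns, 0, sizeof conns);
}

static bool tuple_eq(const tuple_t *a, const tuple_t *b) {
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}

/* Linear probing. Entries are only removed by a full reset, so an existing key
 * is always met before the first empty slot. */
static conn_t *conn_find(const tuple_t *t, bool create) {
    uint32_t i = (t->src ^ (t->dst * 2654435761u) ^ ((uint32_t)t->sport << 16 | t->dport) ^ t->proto) % CONN_SLOTS;
    for (int n = 0; n < CONN_SLOTS; n++, i = (i + 1) % CONN_SLOTS) {
        if (!conns[i].used) return create ? &conns[i] : NULL;
        if (tuple_eq(&conns[i].key, t)) return &conns[i];
    }
    return NULL;          /* table full */
}

/* First-match search of the policy table; the policy ID is the table index. */
static int match_policy(const tuple_t *t) {
    for (int i = 0; i < n_policies; i++) {
        const policy_t *p = &policies[i];
        if ((t->src & p->src_mask) == p->src_net && (t->dst & p->dst_mask) == p->dst_net &&
            (!p->proto || p->proto == t->proto) && (!p->dport || p->dport == t->dport))
            return i;
    }
    return -1;
}

/* Data path for one packet; returns true if it is forwarded, false if dropped. */
bool process_packet(const tuple_t *t, uint32_t len) {
    conn_t *c = conn_find(t, false);
    if (c) {              /* non-first packet: reuse the stored policy ID, no matching */
        c->bytes += len;
        stats[c->policy_id].bytes += len;
        return true;
    }
    int id = match_policy(t);                /* first packet: full policy matching */
    if (id < 0) return false;                /* no matching policy: nothing to account */
    stats[id].conns++;                       /* released and blocked connections both count */
    stats[id].bytes += len;
    if (!policies[id].allow) return false;   /* blocked: no connection table entry */
    if (!(c = conn_find(t, true))) return false;   /* table full: over capacity, drop */
    c->used = true; c->key = *t; c->policy_id = id; c->bytes = len;
    return true;
}

/* What the periodic (15 s) output would report for one policy / one connection. */
policy_stats_t policy_snapshot(int id) { return stats[id]; }
uint64_t conn_bytes(const tuple_t *t) { conn_t *c = conn_find(t, false); return c ? c->bytes : 0; }
/* Constructed policy table: ID 0 releases TCP/443 from 10.0.0.0/8, ID 1 blocks all
 * other traffic from 10.0.0.0/8; packets from other sources match no policy. */
void load_demo_policies(void) {
    policy_t p[2] = { { 0x0A000000u, 0xFF000000u, 0, 0, 6, 443, true },
                      { 0x0A000000u, 0xFF000000u, 0, 0, 0, 0,   false } };
    reload_policies(p, 2);
}
const tuple_t PKT_A = { 0x0A000001u, 0xC0A80001u, 40000, 443, 6 };  /* 10.0.0.1 -> tcp/443 */
const tuple_t PKT_B = { 0x0A000002u, 0xC0A80001u, 40001, 23,  6 };  /* 10.0.0.2 -> tcp/23  */
const tuple_t PKT_X = { 0xC0A80002u, 0xC0A80001u, 40002, 443, 6 };  /* 192.168.0.2: no policy */
int main(void) {
    load_demo_policies();
    process_packet(&PKT_A, 100); process_packet(&PKT_A, 50);   /* first + non-first */
    process_packet(&PKT_B, 60);  process_packet(&PKT_X, 10);   /* blocked; unmatched */
    for (int i = 0; i < n_policies; i++)
        printf("policy %d: conns=%llu bytes=%llu\n", i,
               (unsigned long long)stats[i].conns, (unsigned long long)stats[i].bytes);
    return 0;
}
```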

Claims (10)

1. A method for counting the number of bytes and the number of connections of a security policy, characterized by comprising the following steps:
for the first packet of a connection, performing security policy matching, copying the matched policy ID into the packet and storing it into the connection table;
for a non-first packet of the connection, looking up the corresponding connection table entry by the five-tuple to obtain the policy ID;
and updating the byte count and the connection count in the corresponding policy data statistics table according to the policy ID.
2. The statistical method according to claim 1, characterized in that, for the first packet of a received connection,
it is judged whether a successfully matched policy exists, and if so, the next step is carried out;
it is judged according to the policy rule whether to discard the packet, and if not, the successfully matched policy ID is copied into the packet and stored into the connection HASH table;
the bytes of the packet are counted, the corresponding policy data statistics table is looked up by the policy ID, and the byte count in that table is updated.
3. The statistical method according to claim 2, characterized in that, for non-first packets of a received connection,
whether a corresponding connection HASH table entry exists is looked up by the five-tuple, and if so, the next step is carried out;
the bytes of the packet are counted, the corresponding policy data statistics table is looked up by the policy ID, and the byte count in that table is updated.
4. The statistical method according to any one of claims 1 to 3, comprising periodically counting and outputting the bytes of all packets of the same connection, and periodically counting and outputting the number of connections and the bytes corresponding to each connection under the same policy.
5. The statistical method according to claim 4, wherein the number of connections and the number of bytes under the same policy include the connections and bytes released and blocked by the policy; the periodic statistics use a period of 15 seconds.
6. The statistical method according to any one of claims 1 to 3, wherein the statistical method further comprises creating a security policy table and setting up a corresponding policy data statistics table; when the security policy table is updated, all data is deleted and the policy table and the data statistics table are recreated; when the statistics of a policy are updated, the byte count and the connection count in the data statistics table of that policy are updated.
7. A device for counting the number of bytes and the number of connections of a security policy, characterized by comprising the following electrically connected modules:
a Linux kernel module, used to invoke the rules to match the packet against the security policy, copy the matched current policy ID into the packet, and pass the packet to the KNI user-mode side as data;
a KNI user-mode connection module, used to look up the corresponding policy data statistics table by the policy ID for the first packet and for non-first packets of a connection respectively, so as to update the statistics;
and a KNI security policy module, used to create and update the security policy table and the corresponding policy data statistics table, and to periodically count the bytes and connections of the policies in the table.
8. The statistical device according to claim 7, wherein
the received first packet of a connection is sent to the Linux kernel module for security policy matching, and whether the packet is discarded is judged according to the policy rule; if not, the matched policy ID is copied into the packet, the packet is stored into the connection HASH table of the KNI user-mode connection module, the corresponding policy statistics table is looked up by the policy ID, the bytes of the packet are counted, and the packet is sent to the KNI security policy module, which updates the policy data statistics table;
and a received non-first packet of the connection is sent to the KNI user-mode connection module, which looks up the connection HASH table and judges whether the corresponding connection is found; if it is, the corresponding policy statistics table is looked up by the stored policy ID, the bytes of the packet are counted, and the packet is sent to the KNI security policy module, which updates the policy data statistics table.
9. The statistical device according to claim 8, wherein the KNI security policy module counts and outputs the bytes of all packets of the same connection at an interval of 15 seconds, and counts and outputs the number of connections and the bytes corresponding to each connection under the same policy at an interval of 15 seconds.
10. The statistical device according to claim 8, wherein when the security policy table is updated, all data is deleted and the policy table and the data statistics table are recreated; when the statistics of a policy are updated, the byte count and the connection count in the data statistics table of that policy are updated.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010991950.0A CN112350988A (en) 2020-09-21 2020-09-21 Method and device for counting byte number and connection number of security policy

Publications (1)

Publication Number Publication Date
CN112350988A true CN112350988A (en) 2021-02-09

Family

ID=74357972

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010991950.0A Pending CN112350988A (en) 2020-09-21 2020-09-21 Method and device for counting byte number and connection number of security policy

Country Status (1)

Country Link
CN (1) CN112350988A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115334136A (en) * 2022-07-05 2022-11-11 北京天融信网络安全技术有限公司 Connection aging control method, system, equipment and storage medium
CN115334136B (en) * 2022-07-05 2024-02-02 北京天融信网络安全技术有限公司 Connection aging control method, system, equipment and storage medium

Similar Documents

Publication Publication Date Title
US7870611B2 (en) System method and apparatus for service attack detection on a network
US8631113B2 (en) Intelligent integrated network security device for high-availability applications
CN108040057B (en) Working method of SDN system suitable for guaranteeing network security and network communication quality
US9647954B2 (en) Method and system for optimizing a network by independently scaling control segments and data flow
US8245300B2 (en) System and method for ARP anti-spoofing security
CN101106518B (en) Service denial method for providing load protection of central processor
Dang et al. Sdn-based syn proxy—a solution to enhance performance of attack mitigation under tcp syn flood
Ubale et al. SRL: An TCP SYNFLOOD DDoS mitigation approach in software-defined networks
CN108810008A (en) Transmission control protocol traffic filtering method, apparatus, server and storage medium
US20190007327A1 (en) Automatic rule generation for flow management in software defined networking networks
CN112350988A (en) Method and device for counting byte number and connection number of security policy
JPH11167487A (en) Virus check network, virus check device, client terminal and virus information managing station
CN112437077A (en) Third party ARP attack and exception handling method, VRRP network and system
Song et al. Using FDAD to prevent DAD attack in secure neighbor discovery protocol
US20230208874A1 (en) Systems and methods for suppressing denial of service attacks
CN114745142B (en) Abnormal flow processing method and device, computer equipment and storage medium
Chan et al. Intrusion detection routers: design, implementation and evaluation using an experimental testbed
Perlegos DoS defense in structured peer-to-peer networks
CN113765858A (en) Method and device for realizing high-performance state firewall
WO2008047141A1 (en) Method and apparatus for monitoring a digital network
Yuan et al. Research on Security Protection of the Communication Network for Space TT&C Based on TCP/IP Protocol Vulnerabilities
Aldabbagh et al. Space-efficient and accurate forwarding loop detection method using bloom-filter for fast and reliable internet routing
Cao et al. The research on the detection and defense method of the smurf-type DDos attack
CN115865456A (en) DDoS attack defense method, device and system based on SDN network
CN115941223A (en) BGP Flowspec route issuing method and device, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination