CN113315744A - Programmable switch, flow statistic method, defense method and message processing method - Google Patents


Info

Publication number
CN113315744A
Authority
CN (China)
Prior art keywords
message, address, target, destination, defense
Legal status
Pending
Application number
CN202010714377.9A
Other languages
Chinese (zh)
Inventor
汤明
Current Assignee
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority to CN202010714377.9A
Priority to PCT/CN2021/106452 (WO2022017249A1)
Publication of CN113315744A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H04L 63/12 Applying verification of the received information
    • H04L 49/00 Packet switching elements
    • H04L 49/10 Packet switching elements characterised by the switching fabric construction
    • H04L 49/109 Integrated on microchip, e.g. switch-on-chip
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the application provides a programmable switch, a flow statistic method, a defense method and a message processing method. The programmable switch comprises a programmable switch chip and a processor adopting an X86 architecture, wherein the programmable switch chip is in communication connection with the processor, the processor is configured to transmit control information to the programmable switch chip, and the control information is used for controlling the programmable switch chip to execute target operation logic before executing message forwarding logic; the programmable switching chip is configured to execute the target operation logic in response to receiving the message; and after the execution of the target operation logic is finished, executing the message forwarding logic. The programmable switch can integrate the functions of other network equipment on the basis of the message forwarding function, reduces the deployment quantity of the network equipment serving as the infrastructure in the data center construction process, and reduces the construction cost of the network infrastructure.

Description

Programmable switch, flow statistic method, defense method and message processing method
Technical Field
The embodiment of the application relates to the technical field of communication, in particular to a programmable switch, a flow statistic method, a defense method and a message processing method.
Background
A programmable switch is a switch that uses a programmable switch chip to implement message forwarding logic. The programmable switch chip exposes programmable packet-processing functions: the user can flexibly extend its match-action tables through programming, so that the forwarding logic applied to a message is itself controlled by a program.
In existing programmable switches, the programmable switch chip only executes message forwarding logic: after receiving a message, the chip immediately and automatically executes the forwarding logic and forwards the message. However, when building a network infrastructure such as a data center, network devices other than switches are usually needed to implement further network functions, such as traffic statistics, security defense, load balancing and gateway functions. Implementing these functions requires deploying a large number of network devices, so a solution that reduces the cost of network infrastructure construction is desirable.
Disclosure of Invention
The embodiment of the application provides a programmable switch, a flow counting method, a defense method and a message processing method, so that the functions of other network equipment are fused on the basis of realizing the message forwarding function, the number of network equipment deployment is reduced, and the construction cost of network infrastructure is reduced.
An embodiment of the present application provides a programmable switch, including: programmable switching chips and processors employing the X86 architecture, the programmable switching chips being communicatively coupled to the processors.
An embodiment of the present application further provides a programmable switch, including: a processor configured to transmit a traffic statistics table entry to the programmable switch chip; the programmable switching chip is configured to respond to the matching of the message and the flow statistic table entry, take the message as a target message, perform flow statistic on the target message, generate a flow statistic result and forward the message; the processor is further configured to obtain the flow statistics from the programmable switching chip.
An embodiment of the present application further provides a programmable switch, including: the programmable switching chip is configured to respond to a received message, intercept key information in the message and mirror the key information to a processor; the processor is configured to analyze the received key information and generate a defense table entry and a defense strategy corresponding to the defense table entry; transmitting the defense table entry and the defense strategy to the programmable switching chip; the programmable switching chip is further configured to take a subsequently received message as a message to be detected, and detect whether the message to be detected is matched with the defense table item; responding to matching, and defending the message to be detected based on the defense strategy; and responding to mismatching, and forwarding the message to be detected.
An embodiment of the present application further provides a programmable switch, including: a programmable switching chip configured to determine a category of a destination IP address in a message in response to receiving the message; in response to the class being any target class, transmitting the message to a processor; the processor is configured to take the destination IP address as a first destination IP address, and determine a second destination IP address based on the category of the first destination IP address; replacing the first destination IP address with the second destination IP address to obtain a target message; transmitting the target message to the programmable switching chip; the programmable switch chip is further configured to forward the destination packet to the second destination IP address.
The embodiment of the present application further provides a traffic statistical method, which is applied to a programmable switch chip in a programmable switch, where the programmable switch further includes a processor, and the method includes: receiving a flow statistic table item transmitted by the processor; responding to the received message, and detecting whether the message is matched with the flow statistic table item; responding to the matching of the message and the flow statistic table item, taking the message as a target message, carrying out flow statistic on the target message, generating a flow statistic result, and forwarding the message; and transmitting the flow statistic result to the processor.
The embodiment of the present application further provides a security defense method, which is applied to a programmable switch chip in a programmable switch, where the programmable switch further includes a processor, and the method includes: in response to receiving a message, intercepting key information in the message, and mirroring the key information to a processor; receiving a defense table entry and a defense strategy transmitted by the processor, wherein the defense table entry and the defense strategy are generated after the processor analyzes the key information; taking a subsequently received message as a message to be detected, and detecting whether the message to be detected is matched with the defense list item; and responding to matching, and defending the message to be detected based on the defense strategy.
The embodiment of the present application further provides a message processing method, which is applied to a processor in a programmable switch, where the programmable switch further includes a programmable switch chip, and the method includes: receiving a message transmitted by the programmable switching chip, wherein the type of a destination IP address in the message is any target type; taking the destination IP address in the message as a first destination IP address, and determining a second destination IP address based on the category of the first destination IP address; replacing the first destination IP address with the second destination IP address to obtain a target message; and transmitting the target message to the programmable switching chip so that the programmable switching chip forwards the target message to the second destination IP address.
The embodiment of the present application further provides a flow statistics apparatus, which is applied to a programmable switch chip in a programmable switch, where the programmable switch further includes a processor, and the apparatus includes: a receiving unit configured to receive the traffic statistic table item transmitted by the processor; a detection unit configured to detect whether a message is matched with the traffic statistic table entry in response to receiving the message; the statistical unit is configured to respond to the matching of the message and the flow statistical table entry, take the message as a target message, perform flow statistics on the target message, generate a flow statistical result and forward the message; a transmitting unit configured to transmit the traffic statistic result to the processor.
The embodiment of the present application further provides a security defense apparatus, which is applied to a programmable switch chip in a programmable switch, wherein the programmable switch further includes a processor, and the apparatus includes: the mirror image unit is configured to intercept key information in a message in response to receiving the message, and mirror the key information to a processor; a receiving unit configured to receive a defense table entry and a defense policy transmitted by the processor, wherein the defense table entry and the defense policy are generated by the processor after analyzing the key information; the matching unit is configured to take a subsequently received message as a message to be detected and detect whether the message to be detected is matched with the defense list item; and the defense unit is configured to respond to matching and defend the message to be detected based on the defense strategy.
The embodiment of the present application further provides a packet processing apparatus, which is applied to a processor in a programmable switch, where the programmable switch further includes a programmable switch chip, and the apparatus includes: a receiving unit configured to receive a message transmitted by the programmable switch chip, wherein the category of the destination IP address in the message is any target category; a determining unit configured to take the destination IP address in the message as a first destination IP address and determine a second destination IP address based on the category of the first destination IP address; a replacing unit configured to replace the first destination IP address with the second destination IP address to obtain a target message; and a transmitting unit configured to transmit the target message to the programmable switch chip so that the programmable switch chip forwards the target message to the second destination IP address.
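The message processing method summarized above (the chip classifies the destination IP address, hands messages whose address falls in a target category to the processor, the processor substitutes a second destination IP address and returns the target message, and the chip forwards it) can be sketched as follows. This is an added illustration, not code from the patent or from Alibaba: the category table, its prefixes, the pools of second addresses and the round-robin choice of the second address are all assumptions, since the page does not define how a category is determined or how the second address is chosen.

```python
import ipaddress
import itertools
from dataclasses import dataclass

# Constructed category table (assumption): a destination prefix is a "target
# category" when messages to it must be rewritten by the processor instead of
# being forwarded as received. Each category maps to a pool of second
# destination IP addresses, e.g. backends behind a virtual address.
CATEGORIES = {
    "vip": {"prefix": ipaddress.ip_network("10.0.0.0/24"),
            "targets": ["192.168.1.10", "192.168.1.11"]},
    "gateway": {"prefix": ipaddress.ip_network("10.1.0.0/16"),
                "targets": ["192.168.2.1"]},
}


@dataclass
class Packet:
    """Constructed message representation: only the fields this example needs."""
    src_ip: str
    dst_ip: str
    payload: bytes = b""


def classify(dst_ip: str):
    """Chip side: category name of a destination IP address, or None if the
    message is an ordinary one that the chip forwards itself."""
    addr = ipaddress.ip_address(dst_ip)
    for name, cat in CATEGORIES.items():
        if addr in cat["prefix"]:
            return name
    return None


class Processor:
    """X86 processor side: determines the second destination IP address."""

    def __init__(self, categories):
        # one round-robin cursor per category pool (assumed selection rule)
        self._cycles = {n: itertools.cycle(c["targets"]) for n, c in categories.items()}

    def second_destination(self, first_dst_ip: str, category: str) -> str:
        return next(self._cycles[category])

    def process(self, pkt: Packet, category: str) -> Packet:
        """Replace the first destination IP address to obtain the target message."""
        return Packet(pkt.src_ip, self.second_destination(pkt.dst_ip, category), pkt.payload)


class SwitchChip:
    """Programmable switch chip side: classify, possibly hand up, then forward."""

    def __init__(self, processor: Processor):
        self.processor = processor
        self.forwarded = []   # (destination IP, message) pairs given to forwarding logic

    def receive(self, pkt: Packet) -> str:
        """Returns the destination IP address the message is finally forwarded to."""
        category = classify(pkt.dst_ip)
        if category is not None:
            pkt = self.processor.process(pkt, category)   # up to the processor and back
        self.forwarded.append((pkt.dst_ip, pkt))
        return pkt.dst_ip
```

Messages to addresses outside every category never leave the chip; only target-category traffic pays the round trip to the processor, which is what keeps the forwarding path fast.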
Embodiments of the present application also provide one or more machine-readable media having executable code stored thereon, which when executed, cause a processor to perform a traffic statistics method, a security defense method, or a message processing method as described in one or more of the embodiments of the present application.
Compared with the prior art, the embodiment of the application has the following advantages:
in the embodiment of the application, the programmable chip and the processor adopting the X86 architecture are integrated on one device, so that the programmable switch can integrate the functions of other network devices on the basis of the message forwarding function, the deployment number of the network devices serving as an infrastructure network facility in the data center construction process is reduced, and the network infrastructure construction cost is reduced.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:
fig. 1A is an exemplary architecture diagram of a programmable switch of an embodiment of the present application;
fig. 1B is a schematic processing diagram of a programmable switch according to an embodiment of the present application;
fig. 2A is a schematic diagram of a processing procedure of a programmable switch in a traffic statistics scenario according to an embodiment of the present application;
FIG. 2B is a process diagram of a programmable switch security defense scenario according to an embodiment of the present application;
FIG. 3 is a flow chart diagram of one embodiment of a traffic statistic method of the present application;
FIG. 4 is a flow diagram of one embodiment of a security defense method of the present application;
FIG. 5 is a flow diagram of one embodiment of a message processing method of the present application;
FIG. 6 is a schematic block diagram of an embodiment of a flow statistics apparatus of the present application;
FIG. 7 is a schematic structural diagram of one embodiment of the security defense apparatus of the present application;
fig. 8 is a schematic structural diagram of an embodiment of a message processing apparatus according to the present application.
Detailed Description
The present application will be described in further detail with reference to the following drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. It should be noted that, for convenience of description, only the portions related to the related invention are shown in the drawings.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
The embodiment of the application can be applied to the field of communication, and particularly can be applied to network infrastructure construction scenes, such as scenes of network infrastructure construction of traditional cloud data centers, edge cloud data centers and the like. In the process of network infrastructure construction, a large number of network devices, such as switches, servers, optical splitters, etc., need to be deployed to implement functions such as message forwarding, traffic statistics, security defense, load balancing, traffic charging, gateways, etc.
Conventional cloud data centers typically contain thousands of network devices, so the share of the total consumed by infrastructure is relatively small. With the gradual rise of edge computing, however, edge cloud data centers are increasingly required. Edge cloud data centers are typically built by leasing racks in an operator's room and are therefore usually only on the scale of tens of servers; at that scale, tens of servers are consumed just to implement the functions above. Infrastructure consumption therefore accounts for a large proportion of the whole edge cloud data center, which seriously hinders the development of the edge cloud.
The programmable switch in the embodiment of the application can realize the message forwarding function and simultaneously integrate the functions of other network equipment, thereby reducing the deployment quantity of the network equipment serving as the infrastructure in the data center construction process and reducing the construction cost of the network infrastructure.
Referring to fig. 1A, an exemplary architecture diagram of a programmable switch of an embodiment of the present application is shown. As shown in fig. 1A, a programmable switch includes a programmable switch chip and a processor. The programmable switch chip may be any of various existing programmable switch chips. The processor may be of the X86 architecture, specifically a Central Processing Unit (CPU) adopting the X86 architecture. The programmable switch chip is communicatively connected to the processor so that data and signals can be transmitted between them.
The processor can execute logic of the switch control layer, and also can execute flow charging logic, act as a load scheduler to execute load balancing logic, execute gateway logic, make defense strategy, and issue various table entries (such as flow statistics table entries and defense table entries) to the programmable switch chip. Because the processor has the function of executing various logics, the programmable switch can have the functions of servers, gateways and other network equipment, the deployment quantity of the network equipment serving as infrastructure network facilities in the data center construction process is reduced, and the network infrastructure construction cost is reduced.
It should be noted that the programmable switch may include other components required by the programmable switch, such as a memory and a bus, besides the programmable switch chip and the processor, and this embodiment is not limited thereto.
Fig. 1B is a process diagram of a programmable switch according to an embodiment of the present application. As shown in fig. 1B, the processor may be configured to transmit control information to the programmable switching chip. The control information is used for controlling the programmable switching chip to execute the target operation logic before executing the message forwarding logic. The target operation logic may include, but is not limited to, traffic statistics operation logic, security defense operation logic, mirroring operation logic, offload operation logic, and the like.
The programmable switch chip may be configured to first execute the target operation logic upon receipt of a message, and to execute the message forwarding logic after execution of the target operation logic has finished. In practice, the target operation logic may be written into the programmable switch chip in advance in the chip's domain-specific programming language, such as P4, so that the order in which the chip executes the different logics is controlled by the processor.
The processor transmits control information to the programmable switching chip, so that the programmable switching chip can be controlled to firstly execute the target operation logic after receiving the message, and then execute the message forwarding logic after the execution of the target operation logic is finished. Therefore, the programmable switch can integrate the functions of other network equipment on the basis of the message forwarding function, reduces the deployment quantity of the network equipment serving as the infrastructure in the data center construction process, and reduces the construction cost of the network infrastructure.
Fig. 2A is a schematic processing diagram of a programmable switch in a traffic statistics scenario according to an embodiment of the present application. In a traffic statistics scenario, the processor in the programmable switch may be configured to transmit traffic statistics table entries to the programmable switch chip; these entries may be carried in the control information. A traffic statistics table entry is used to screen out the target messages on which traffic statistics are performed, and may consist of one or more fields.
A programmable switch chip may be configured to first execute traffic statistics operation logic in response to receiving a message. Specifically, it may be first detected whether the packet is matched with the traffic statistic table entry in a string matching manner. And in response to the matching of the message and the flow statistic table entry, taking the message as a target message, and carrying out flow statistic on the target message so as to generate a flow statistic result. The flow statistics herein may include, but are not limited to, at least one of: the total number of target messages and the total byte number of the target messages.
The programmable switch chip may be further configured to execute the message forwarding logic after the traffic statistics operation logic has been executed, so that the programmable switch has a traffic statistics function in addition to the conventional message forwarding function. Because the message forwarding logic may filter some messages with an Access Control List (ACL), performing traffic statistics first and forwarding afterwards avoids the inaccuracy that would result if messages filtered by the ACL were never counted.
A traffic statistics table entry may include one or more fields, for example, but not limited to, at least one of: Internet Protocol (IP) address, Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), the synchronization sequence number (SYN) flag, the acknowledgement (ACK) flag, and port number.
Since the field is typically located in the header of the message, the programmable switching chip may be further configured to detect whether the message matches the traffic statistic table entry by: first, in response to receiving a message, a header of the message is read. The header usually contains fields such as IP address, protocol type, port number, acknowledgement character, sync sequence number, etc. Then, it may be detected whether the header includes a field in the flow statistics table entry. And responding to a field in a message header containing a flow statistic table item, and determining that the message is matched with the flow statistic table item. Otherwise, the message may be considered not to match the traffic statistics table entry.
As an example, if the traffic statistics table entry is the field "IP 1.1.1.1" and the header of a received message includes the field "IP 1.1.1.1", the message is considered to match the entry and is counted as a target message in the traffic statistics result. As another example, if the traffic statistics table entry includes the fields "IP 2.2.2.2", "TCP" and "80", and the message contains these fields, that is, its IP address is 2.2.2.2, its protocol type is TCP and its source port number is 80, the message is considered to match the entry and is counted as a target message in the traffic statistics result.
It should be noted that the number of the traffic statistic table entries may be one or more, and each traffic statistic table entry may include one or more fields. When the number of the flow statistic table entries is multiple, the messages can be matched respectively aiming at each flow statistic table entry.
In addition, it should be noted that the IP address in the traffic statistics table entry may be further defined as a source IP address or a destination IP address. Similarly, the port number may be further defined as a source port number or a destination port number, so as to perform finer-grained traffic statistics.
Optionally, the programmable switching chip may be further configured to generate the flow statistics by: firstly, the total number of target messages and the total byte number of the target messages are counted. For example, each time a target packet is received, an additional calculation may be performed on the total number of packets of the target packet, so as to obtain a new total number of packets. Meanwhile, when a target message is received, the byte number of the target message can be read, and the byte number is summed with the total byte number obtained last time to obtain a new total byte number. Then, a traffic statistic result including the newly determined total number of target packets and the total number of bytes may be generated. Therefore, the flow statistic result can be updated once a target message matched with the flow statistic table entry is received. The accumulation calculation process is simple and convenient, and the performance of the programmable exchange chip is ensured.
On this basis, the processor may optionally obtain the traffic statistics result at two points in time by reading the external interface provided by the programmable switch chip and derive further statistics from them. Specifically, the processor first obtains a first traffic statistics result from the programmable switch chip at a first time, then obtains a second traffic statistics result at a second time, and determines the time difference between the second time and the first time. It then determines a first difference between the total number of messages in the second result and in the first result, and a second difference between the total byte count in the second result and in the first result. The ratio of the first difference to the time difference is taken as the packet forwarding rate (PPS), and the ratio of the second difference to the time difference as the bit rate (BPS). Finally a target traffic statistics result containing the packet forwarding rate and the bit rate is generated; using these two rates as the target traffic statistics result facilitates subsequent traffic charging.
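The matching rule for traffic statistics table entries (fields read from the header, entries with one or more fields, IP and port qualified as source or destination), the per-entry accumulation of total messages and total bytes on the chip, and the processor-side computation of PPS and BPS from two snapshots can be exercised with the following Python model. It is an added example, not the patent's own code or a P4 program for a real chip; the Header fields, the two constructed entries and the `read_counters` polling function are assumptions standing in for the chip's external interface.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Header:
    """Constructed header fields (assumption): the fields the page lists as
    possible contents of a traffic statistics table entry."""
    src_ip: str
    dst_ip: str
    proto: str              # "TCP", "UDP" or "ICMP"
    src_port: int = 0
    dst_port: int = 0
    syn: bool = False
    ack: bool = False
    length: int = 0         # bytes in the message


@dataclass
class FlowStats:
    packets: int = 0        # total number of target messages
    total_bytes: int = 0    # total byte count of target messages


# Two constructed entries in the spirit of the page's examples, with the IP and
# port qualified as source or destination: entry 0 counts every message from
# 1.1.1.1; entry 1 counts TCP messages to 2.2.2.2 whose source port is 80.
ENTRIES = [
    {"src_ip": "1.1.1.1"},
    {"dst_ip": "2.2.2.2", "proto": "TCP", "src_port": 80},
]


def matches(entry: dict, hdr: Header) -> bool:
    """A header matches an entry when every field of the entry is present in
    the header with the same value; an entry with fewer fields is coarser."""
    return all(getattr(hdr, name) == value for name, value in entry.items())


class StatsChip:
    """Programmable switch chip side: statistics logic runs before forwarding logic."""

    def __init__(self, entries):
        self.entries = [(e, FlowStats()) for e in entries]   # one counter pair per entry
        self.forwarded = 0

    def receive(self, hdr: Header) -> list:
        """Count the message against every matching entry, then forward it.
        Returns the entries the message matched."""
        hit = []
        for entry, stats in self.entries:
            if matches(entry, hdr):
                stats.packets += 1
                stats.total_bytes += hdr.length
                hit.append(entry)
        self.forwarded += 1           # message forwarding logic executes afterwards
        return hit

    def read_counters(self) -> list:
        """External interface polled by the processor: a snapshot of
        (packets, total_bytes) per entry."""
        return [(s.packets, s.total_bytes) for _, s in self.entries]


def rates(first: list, second: list, t1: float, t2: float) -> list:
    """Processor side: from two snapshots taken at t1 and t2 (seconds), the
    packet forwarding rate (PPS) and the byte-count rate the page calls BPS,
    per entry."""
    dt = t2 - t1
    if dt <= 0:
        raise ValueError("the second snapshot must be taken after the first")
    return [((p2 - p1) / dt, (b2 - b1) / dt)
            for (p1, b1), (p2, b2) in zip(first, second)]
```

Because the counters are only ever incremented on the chip, the processor needs no per-message work: two reads and two subtractions per entry give the rates, which is what keeps the statistics path cheap enough to run on the switch itself.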
Optionally, after obtaining the target traffic statistic, the processor may be further configured to: and packaging the target flow statistical result to obtain a packaged message. Wherein, the encapsulated message comprises the IP address of the target server. The target server may be a server for performing traffic billing or other operations based on target traffic statistics. And then, transmitting the packaged message to a programmable switching chip. Therefore, the programmable switching chip can forward the encapsulated message to the IP address of the target server so as to facilitate the target server to carry out operations such as flow charging and the like.
In the conventional traffic statistics mode, the traffic entering a switch is first split and mirrored by an optical splitter and copied to a plurality of servers; fine-grained statistics are then computed on each server, and finally the results from all servers are accumulated to obtain accurate traffic information. Since the traffic received by the switch is typically 3.2T while a server can only handle 40G of traffic, tens of servers need to be deployed, together with an additional optical splitter. A large number of devices is therefore needed to realize the traffic statistics function, and the construction cost of the network infrastructure is high.
The programmable switch provided by the embodiment of the application has the flow statistics function on the basis of the traditional message forwarding function, can complete the flow statistics operation with fine granularity only by one programmable switch, does not need to deploy the optical splitter and the server, reduces the number of network equipment deployments, and reduces the network infrastructure construction cost.
Fig. 2B is a schematic processing procedure of a programmable switch in a security defense scenario according to an embodiment of the present application. In a security defense scenario, the processor in the programmable switch may transmit defense table entries and defense policies to the programmable switching chip; the defense entries and defense policies may be carried in the control information. A defense table entry is used to screen out attack messages so that they can be defended against. It may contain information about attack messages identified in advance, such as an IP address, the protocol type (TCP, UDP), a port number and so on; like the traffic statistics table entry described above, a defense table entry may contain one or more fields. An attack message here refers to one of a large number of attack requests sent to a network device such as a server so that normal, legitimate users cannot obtain service. The defense policy indicates the operation logic to be executed once an attack message has been detected by means of the defense table entry.
The programmable switching chip may first execute the defense operation logic in response to receiving a message. Specifically, the received message is taken as the message to be detected, and the chip detects whether it matches a defense table entry. The way of detecting whether the message to be detected matches a defense table entry is essentially the same as detecting whether a message matches a traffic statistics table entry (every field of the entry must be present in the message header), so the description is not repeated here. In response to the message matching a defense table entry, the chip defends against the message to be detected based on the defense policy, that is, it executes the operation logic of the defense policy on that message.
It should be noted that there may be one or more defense entries, and each defense entry may include one or more fields. When there are multiple defense entries, the message to be detected is matched against each defense entry separately.
In addition, different defense entries may correspond to different defense policies. For example, defense entry A consists of the field "IP 1.1.1.1", while defense entry B consists of the fields "IP 2.2.2.2" and "port 80". The defense policy corresponding to entry A may be set to rate-limit, forwarding at most 10 requests per second, while the policy corresponding to entry B may be set to forbid access for 3 minutes.
After the defense operation logic has finished executing, the programmable switching chip executes the message forwarding logic. Specifically, if the message to be detected has not been discarded when the defense operation logic completes, it is either not an attack message or a message that may still be forwarded after the defense policy has been applied, and it is forwarded. If the message to be detected was discarded by the defense operation logic, there is no message left to forward and the forwarding logic simply ends. In this way the programmable switch performs security defense before message forwarding, on top of the conventional forwarding function, discarding or throttling attack messages; the functions of the switch are enriched, the construction cost of the network infrastructure is reduced, and network security is ensured.
Optionally, the defense policy may limit the number of messages matching the defense table entry that are forwarded per unit duration to below a first preset value (e.g., 10). The programmable switching chip may then defend against the message to be detected as follows: first, the number of same-source messages forwarded within the current unit duration is determined, where a same-source message is one carrying the same source IP address as the message to be detected. In response to that forwarded number being greater than or equal to the first preset threshold (e.g., 10), the message to be detected is discarded, which effectively reduces the number of attack-traffic accesses reaching the network device.
Optionally, the defense policy may require the access interval of messages matching the defense table entry to be no shorter than a second preset value (e.g., 3 seconds). The programmable switching chip may then defend against the message to be detected as follows: first, the first receiving time of the message to be detected is obtained. Then, the second receiving time of the target same-source message is obtained, where the target same-source message is the most recently received same-source message, and a same-source message is again one carrying the same source IP address as the message to be detected. The time difference between the first and second receiving times is determined, and in response to that difference being smaller than the second preset threshold (e.g., 3 seconds), the message to be detected is discarded, which effectively reduces the number of attack-traffic accesses reaching the network device.
Optionally, the defense table entries and defense policies may be generated by the processor analyzing the messages received by the programmable switching chip. To that end, before receiving the control information, the programmable switching chip may be further configured to intercept key information in each received message and mirror it to the processor. The key information may be the message header, or some key fields of the header such as the IP addresses, the protocol type and the port numbers. The processor may be further configured to analyze the received key information and generate the defense table entries and their corresponding defense policies.
As an example, the processor may generate a defense entry and its corresponding defense policy as follows. First, the key information received within a target duration is counted to determine how many times each distinct piece of key information occurs in that duration; the target duration may be a unit duration such as 1 second, or any other preset length of time. Then, any key information whose count exceeds a third preset threshold (e.g., 100,000) is treated as key information of attack messages; at least one field is extracted from it to form a defense table entry, and a defense policy corresponding to that entry is created. Taking key information that includes a source IP address as an example: if more than 100,000 messages per second carry the same source IP address, far more than a normal sender emits per unit time, the messages carrying that source IP address may be regarded as attack messages, that source IP address is used as a defense table entry, and a corresponding defense policy is created. The defense table entries and policies can thus be generated by the processor from its analysis of the messages received by the programmable switching chip, without the help of other network devices.
Conventional security defense systems are generally either bypass defense or serial (in-line) defense. In bypass defense, an optical splitter and a server are added beside the switch; the traffic is split off to the server, the server computes traffic statistics to formulate defense table entries and policies, and these are then issued to the access control list of the switch so that some messages are filtered by the ACL. However, the ACL holds a limited number of entries, usually at most about 10,000, so security defense cannot be performed comprehensively. In serial defense, all traffic is passed to a security server, and only after the security server has filtered it is the traffic forwarded by the switch. However, the ingress traffic of a switch is usually very large, 800 Gbit/s or terabit-level, while servers currently handle 40 Gbit/s or 100 Gbit/s, so a large number of security servers must be deployed for comprehensive defense, and coordinating multiple security servers is itself difficult.
The programmable switch provided by the embodiments of the present application lets the processor analyze the messages received by the programmable switching chip to generate the defense table entries and policies, after which the programmable switching chip defends against subsequent messages based on them. The programmable switch thus has a security defense function on top of the conventional forwarding function: comprehensive security defense can be completed by a single programmable switch without deploying the optical splitter and the security servers, reducing the number of network devices deployed and the construction cost of the network infrastructure.
It should be noted that the security defense scenario may also be combined with the traffic statistics scenario. After receiving messages, the programmable switching chip may first perform traffic statistics. The processor then obtains the traffic statistics result through an interface provided by the chip, analyzes it, generates defense table entries and policies, and sends them to the chip, which then executes the security defense operation on subsequent messages. In addition, the chip may keep performing traffic statistics on subsequent messages before executing the security defense operation on them, so that the processor can update the defense entries and policies in time according to the latest statistics, which makes it easy to adapt when the attack messages change.
In another scenario, the programmable switch also integrates other functions, such as a load balancing function or a gateway function, selected according to the class of the destination IP address in the message.
Specifically, after receiving a message, the programmable switching chip may first execute IP address class detection logic to determine whether the class of the destination IP address in the message is any of the target classes. The target classes may include, but are not limited to: the virtual IP (VIP) address class of a virtual server (Linux Virtual Server, LVS) cluster, the public network IP address class of cloud servers, the edge cloud IP address class, the cloud data center IP address class, and so on. In practice, the class of the destination IP address can be detected by string matching on the address.
Then, in response to the class of the destination IP address being a target class, the programmable switching chip transmits the message to the processor. The processor may modify the destination IP address according to its class to generate a target message, and return the target message to the programmable switching chip. Finally, the chip replaces the original message with the target message and executes the message forwarding logic on the target message.
The destination IP address is modified differently depending on its class, so that different functions are realized. The cases are described below in detail:
In one example, if the class of the destination IP address in the message received by the programmable switching chip is the virtual IP address class of a virtual server cluster, i.e., the VIP of an LVS cluster, the programmable switch can act as the load balancer (LVS) and realize the load balancing function. In practice, the VIP of an LVS cluster usually refers to the external IP address of the cluster. A user accesses the VIP of the LVS cluster and is connected to a back-end real server, without needing to know the location or the number of real servers actually accessed. The dispatcher of the LVS cluster can be regarded as the front end of the cluster and is its single entry point; it is responsible for distributing client requests to a group of real servers for execution in a load-balanced manner.
Specifically, after the programmable switching chip transmits the message to the processor through the network card and the board interface connection channel, the processor takes the destination IP address in the message as the first destination IP address and selects a real server by a load balancing algorithm; for instance, it may select a server with a lower current load from the server pool of the LVS cluster according to the load of each server in the pool. Finally, it takes the IP address of the selected real server as the second destination IP address and replaces the first destination IP address of the message with the second destination IP address to generate the target message. The programmable switching chip then forwards the target message to the second destination IP address, so the destination of the message has been changed from the original virtual IP address to the IP address of the real server selected by the load balancing algorithm, and the programmable switch realizes the load balancing function.
In another example, if the class of the destination IP address in the message received by the programmable switching chip is the public network IP address class of cloud servers, the edge cloud IP address class, or the cloud data center IP address class, the programmable switch can act as a gateway: it determines the IP address of the physical server bearing the destination IP address and forwards the message to that physical server, thereby realizing the gateway function.
Specifically, after the programmable switching chip transmits the message to the processor through the network card and the board interface connection channel, the processor takes the destination IP address in the message as the first destination IP address. If the first destination IP address is the public network IP address of a cloud server, the IP address of the physical server bearing that public network IP address is obtained and used as the second destination IP address. The first destination IP address of the message is then replaced with the second destination IP address to generate the target message. The programmable switching chip forwards the target message to the second destination IP address, so the destination of the message has been changed from the public network IP address of the cloud server to the IP address of the physical server bearing it, and the programmable switch realizes the gateway function for traffic between on-cloud and off-cloud networks.
Similarly, if the first destination IP address is an edge cloud IP address, the IP address of the physical server bearing that edge cloud IP address is obtained and used as the second destination IP address. The first destination IP address of the message is then replaced with the second destination IP address to generate the target message. The programmable switching chip forwards the target message to the second destination IP address, so the destination of the message has been changed from the original edge cloud IP address to the IP address of the physical server bearing it. When the source IP address in the message is the IP address of off-cloud user equipment, the programmable switch thus realizes the gateway function between the off-cloud network and the edge cloud; when the source IP address in the message is a cloud data center IP address, it realizes the gateway function between the cloud data center and the edge cloud.
Similarly, if the first destination IP address is a cloud data center IP address, the IP address of the physical server bearing that cloud data center IP address is obtained and used as the second destination IP address. The first destination IP address of the message is then replaced with the second destination IP address to generate the target message. The programmable switching chip forwards the target message to the second destination IP address, so the destination of the message has been changed from the original cloud data center IP address to the IP address of the physical server bearing it. When the source IP address in the message is an edge cloud IP address, the programmable switch thus realizes the gateway function between the cloud data center and the edge cloud.
When the programmable switching chip detects that the class of the destination IP address in a message is a target class, it transmits the message to the processor, and the processor modifies the destination IP address according to that class. In this way the programmable switch integrates a load balancing function or a gateway function, which further reduces the number of network devices deployed and the construction cost of the network infrastructure.
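The following is an added illustration, not code from the patent or from the applicant: a host-side Python model of the class detection and destination rewrite described above and in steps 501 and 502 of the message processing method of Fig. 5. The address plan, the LVS server pool with its load figures, and the mapping from a hosted IP address to the physical server bearing it are all constructed for the example; the patent only says the class is detected by string matching, so classifying by longest matching prefix with the ipaddress module is this example's assumption.

```python
import ipaddress
from dataclasses import dataclass


# Constructed address plan (assumption, not from the patent): each target class
# is a set of prefixes. The chip's "string matching" on the destination address
# is modelled here as longest-prefix matching.
CATEGORY_PREFIXES = {
    "lvs_vip":      [ipaddress.ip_network("203.0.113.0/28")],
    "cloud_public": [ipaddress.ip_network("198.51.100.0/24")],
    "edge_cloud":   [ipaddress.ip_network("192.0.2.0/25")],
    "cloud_dc":     [ipaddress.ip_network("192.0.2.128/25")],
}

# Constructed LVS cluster state: VIP -> {real server IP: current load}.
LVS_POOL = {"203.0.113.1": {"10.0.0.11": 37, "10.0.0.12": 12, "10.0.0.13": 58}}

# Constructed mapping: hosted IP (public / edge cloud / data center) -> the
# physical server that bears it.
HOST_OF = {
    "198.51.100.7": "10.1.0.5",
    "192.0.2.9":    "10.2.0.3",
    "192.0.2.200":  "10.3.0.8",
}


@dataclass(frozen=True)
class Message:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes = b""


def classify_destination(dst_ip):
    """Chip-side IP address class detection. Returns the target class of
    dst_ip, or None when the address belongs to no target class."""
    addr = ipaddress.ip_address(dst_ip)
    best = None  # (class, prefix length) of the longest matching prefix so far
    for category, prefixes in CATEGORY_PREFIXES.items():
        for net in prefixes:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (category, net.prefixlen)
    return best[0] if best else None


def select_real_server(vip):
    """Load balancing step: the real server with the smallest current load."""
    pool = LVS_POOL[vip]
    return min(pool, key=pool.get)


def rewrite_destination(msg, category):
    """Processor-side step 502: first destination IP -> second destination IP,
    chosen according to the class of the first destination IP."""
    first = msg.dst_ip
    if category == "lvs_vip":
        second = select_real_server(first)
    elif category in ("cloud_public", "edge_cloud", "cloud_dc"):
        second = HOST_OF.get(first)  # physical server bearing the hosted IP
        if second is None:
            # A hosted address with no bearer is a configuration gap; refuse
            # rather than forward it with the unmodified destination.
            raise LookupError("no physical server bears %s" % first)
    else:
        raise ValueError("not a target class: %r" % category)
    return Message(msg.src_ip, second, msg.dst_port, msg.payload)


def process_message(msg):
    """Whole path: the chip classifies; for a target class the processor
    rewrites the destination; the chip forwards the returned target message.
    Returns (class or None, message to forward)."""
    category = classify_destination(msg.dst_ip)
    if category is None:
        return None, msg  # ordinary forwarding, the processor is not involved
    return category, rewrite_destination(msg, category)
```

The processor is only on the path for destinations in a target class; everything else is forwarded by the chip untouched, which is what keeps the per-packet cost of this design acceptable.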
With continued reference to Fig. 3, a flow diagram of one embodiment of the traffic statistics method of the present application is shown. The traffic statistics method is applied to the programmable switching chip in a programmable switch; the programmable switch also includes a processor, such as a central processing unit of the x86 architecture.
The flow statistical method comprises the following steps:
step 301, receiving a flow statistic table item transmitted by a processor.
In this embodiment, the execution subject of the traffic statistics method (such as the programmable switching chip described above) may receive the traffic statistics table entry transmitted by the processor. The traffic statistics table entry is an entry used to screen out the target messages on which traffic statistics are to be performed.
Optionally, the traffic statistics table entry may include, but is not limited to, at least one of the following fields: an IP address, the protocol type (e.g., TCP, UDP, ICMP), the TCP SYN flag, the TCP ACK flag, a port number, and so on.
Step 302, in response to receiving the message, detecting whether the message matches the traffic statistic table entry.
In this embodiment, in response to receiving a message, the execution subject may detect whether the message matches the traffic statistics table entry by string matching. It should be noted that there may be one or more traffic statistics table entries, each including one or more fields; when there are multiple entries, the message is matched against each entry separately.
Since the fields are usually located in the header of the message, in some optional implementations of this embodiment the match may be detected as follows: first, in response to receiving a message, the header of the message is read; the header usually contains fields such as the IP addresses, the protocol type, the port numbers, the ACK flag and the SYN flag. Then it is detected whether the header contains the fields of the traffic statistics table entry. In response to the header containing the fields of the entry, the message is determined to match the entry; otherwise, the message is considered not to match it.
Step 303, in response to the message matching the traffic statistics table entry, taking the message as a target message, performing traffic statistics on the target message to generate a traffic statistics result, and forwarding the message.
By executing the traffic statistics operation before the message forwarding operation, the programmable switch gains a fine-grained traffic statistics function on top of the conventional forwarding function. Because some messages are filtered by an Access Control List (ACL) while the forwarding logic executes, performing statistics first and forwarding afterwards avoids the statistics result being made inaccurate by the ACL.
It should be noted that, in response to the received message not matching the traffic statistics table entry, the message is not one on which traffic statistics need to be performed, and it can be forwarded directly.
In some optional implementations of this embodiment, the traffic statistics result may be generated as follows: first, the total number of target messages and the total number of bytes of the target messages are counted; then a traffic statistics result containing that total message count and total byte count is generated.
For example, each time a target message is received, the total message count of target messages is incremented by one to obtain a new total. At the same time, the byte count of the received target message is read and added to the previously obtained total byte count to obtain a new total byte count. The traffic statistics result is thus updated whenever a target message matching the traffic statistics table entry is received. This accumulation is simple and cheap, so the performance of the programmable switching chip is preserved.
Step 304, transmitting the flow statistics to the processor.
In this embodiment, the execution subject may transmit the traffic statistics result to the processor through an external interface of the programmable switching chip, so that the processor can go on to perform other kinds of traffic statistics operations.
In some optional implementations of this embodiment, transmitting the traffic statistics result to the processor includes: transmitting a first traffic statistics result to the processor at a first time; transmitting a second traffic statistics result to the processor at a second time; and, in response to receiving an encapsulated message transmitted by the processor, forwarding the encapsulated message. The encapsulated message contains a target traffic statistics result, generated by the processor from the first and second traffic statistics results, and may also contain the IP address of a target server. The target server may be a server that performs traffic billing or other operations based on the target traffic statistics result; forwarding the encapsulated message to the IP address of the target server therefore lets the target server perform traffic billing and similar operations.
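The following is an added example, not code from the patent or from the applicant, that walks steps 302 to 304 end to end in Python: the chip-side field match of the header against each table entry, the per-entry packet and byte accumulators, two results read out at two times, and the processor combining them into the target result and encapsulating it for the target server. The table entries, the headers, the JSON payload format and the target server address are all constructed for the example. One point the description leaves open is whether the two results are cumulative or per-interval; since the chip only ever adds to its totals, the model below clears the counters on every read so that the processor can sum the two results without double counting (the same matching rule is the one the defense table entries of Fig. 2B reuse).

```python
import json


def header_matches(header, entry):
    """Step 302: a header matches a table entry when every field of the entry
    is present in the header with the same value. Extra header fields are
    ignored, so an entry is a conjunction of the fields it lists."""
    return all(header.get(name) == value for name, value in entry.items())


class TrafficStats:
    """Chip-side per-entry counters, updated before the forwarding logic runs."""

    def __init__(self, entries):
        self.entries = [dict(e) for e in entries]
        self.packets = [0] * len(self.entries)
        self.bytes = [0] * len(self.entries)

    def on_message(self, header, length):
        """Step 303: accumulate on every matching entry. Returns the indexes of
        the entries hit; an empty list means plain forwarding, nothing counted."""
        hits = []
        for i, entry in enumerate(self.entries):
            if header_matches(header, entry):
                self.packets[i] += 1
                self.bytes[i] += length
                hits.append(i)
        return hits

    def read_and_clear(self):
        """Step 304: the result handed to the processor. Counters are cleared on
        read so consecutive results are interval deltas, not running totals."""
        result = [{"entry": e, "packets": p, "bytes": b}
                  for e, p, b in zip(self.entries, self.packets, self.bytes)]
        self.packets = [0] * len(self.entries)
        self.bytes = [0] * len(self.entries)
        return result


def merge_results(first, second):
    """Processor side: target result = per-entry sum of two chip results."""
    if [r["entry"] for r in first] != [r["entry"] for r in second]:
        raise ValueError("results were taken against different tables")
    return [{"entry": a["entry"],
             "packets": a["packets"] + b["packets"],
             "bytes": a["bytes"] + b["bytes"]}
            for a, b in zip(first, second)]


def encapsulate(target_result, target_server_ip):
    """Processor side: the encapsulated message the chip forwards to the
    billing (target) server. A JSON payload is this example's assumption."""
    return {"dst_ip": target_server_ip,
            "payload": json.dumps(target_result).encode()}


# Constructed table and headers (not from the patent).
ENTRIES = [{"src_ip": "10.0.0.1"}, {"proto": "TCP", "dst_port": 80}]
WINDOW_1 = [
    ({"src_ip": "10.0.0.1", "proto": "TCP", "dst_port": 80, "flags": "SYN"}, 1500),
    ({"src_ip": "10.0.0.2", "proto": "UDP", "dst_port": 53}, 100),
]
WINDOW_2 = [
    ({"src_ip": "10.0.0.1", "proto": "UDP", "dst_port": 53}, 200),
    ({"src_ip": "10.0.0.3", "proto": "TCP", "dst_port": 80, "flags": "ACK"}, 60),
]


def run_example(target_server_ip="10.200.0.1"):
    """Two read-outs at two times, merged by the processor and encapsulated."""
    stats = TrafficStats(ENTRIES)
    for header, length in WINDOW_1:
        stats.on_message(header, length)
    first = stats.read_and_clear()
    for header, length in WINDOW_2:
        stats.on_message(header, length)
    second = stats.read_and_clear()
    target = merge_results(first, second)
    return target, encapsulate(target, target_server_ip)
```

A message that matches several entries is counted against each of them, so per-entry totals are not additive across entries; a billing consumer must choose entries that partition the traffic it wants to charge for.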
The steps of this embodiment are similar to the corresponding steps of the above embodiment, and specific reference may be made to the description of the above embodiment.
The method provided by the above embodiment of the present application performs the traffic statistics operation before forwarding the message, which not only avoids the traffic statistics result being made inaccurate by the access control list, but also gives the programmable switch a traffic statistics function on top of the conventional forwarding function. Fine-grained traffic statistics can be completed by a single programmable switch without deploying optical splitters and servers, so the number of network devices deployed and the construction cost of the network infrastructure are reduced.
With further reference to Fig. 4, a flow diagram of one embodiment of the security defense method of the present application is shown. The security defense method is applied to the programmable switching chip in a programmable switch; the programmable switch also includes a processor, such as a central processing unit of the x86 architecture.
The security defense method comprises the following steps:
step 401, in response to receiving the message, intercepting key information in the message, and mirroring the key information to the processor.
In this embodiment, the execution subject of the security defense method (such as the programmable switching chip mentioned above) may, in response to receiving a message, intercept the key information in the message, such as the header, or the IP addresses, protocol type (TCP, UDP), port numbers and so on in the header, and then mirror the intercepted key information to the processor. Mirroring refers to copying a message, or the intercepted part of it, to a designated location.
Step 402, receiving a defense table entry and a defense strategy transmitted by a processor.
In this embodiment, the execution subject may receive the defense table entries and defense policies transmitted by the processor. A defense table entry is used to screen out attack messages so that they can be defended against. It may contain information about attack messages identified in advance, such as an IP address, the protocol type (TCP, UDP), a port number and so on; like the traffic statistics table entry described above, a defense table entry may contain one or more fields. An attack message here refers to one of a large number of attack requests sent to a network device such as a server so that normal, legitimate users cannot obtain service. The defense policy indicates the operation logic to be executed once an attack message has been detected by means of the defense table entry.
The defense table entries and defense policies may be generated by the processor after analyzing the key information. As an example, the processor may generate a defense entry and its corresponding defense policy as follows. First, the key information received within a target duration is counted to determine how many times each distinct piece of key information occurs in that duration; the target duration may be a unit duration such as 1 second, or any other preset length of time. Then, any key information whose count exceeds a third preset threshold (e.g., 100,000) is treated as key information of attack messages; at least one field is extracted from it to form a defense table entry, and a defense policy corresponding to that entry is created. Taking key information that includes a source IP address as an example: if more than 100,000 messages per second carry the same source IP address, far more than a normal sender emits per unit time, the messages carrying that source IP address may be regarded as attack messages, that source IP address is used as a defense table entry, and a corresponding defense policy is created. The defense table entries and policies can thus be generated by the processor from its analysis of the messages received by the programmable switching chip, without the help of other network devices.
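The following is an added example, not code from the patent or from the applicant, of the processor-side generation procedure described here and earlier under Fig. 2B: mirrored key information is bucketed by the target duration, identical key values are counted per bucket, and every value whose count exceeds the third preset threshold becomes a defense table entry with a policy attached. The mirrored stream is constructed for the example (one source sends 100,001 headers within the first second, one sends exactly 100,000, benign sources send a handful), the choice of which key fields define "the same key information" is a parameter, and attaching the 10-per-second rate limit of the embodiment as the policy for every generated entry is this example's assumption.

```python
from collections import Counter, defaultdict


def generate_defense_table(mirrored, target_duration=1.0, threshold=100_000,
                           key_fields=("src_ip",)):
    """Processor side. `mirrored` yields (receive_time, key_info_dict) pairs as
    copied up from the chip. Key information is grouped into buckets of
    `target_duration` seconds; a key value seen more than `threshold` times in
    any one bucket yields a defense entry built from `key_fields`. Strictly
    greater than, as in the description: exactly the threshold is not enough."""
    per_bucket = defaultdict(Counter)
    for received_at, info in mirrored:
        key = tuple(info[f] for f in key_fields)
        per_bucket[int(received_at // target_duration)][key] += 1

    table = {}  # one entry per key value, however many buckets exceeded
    for bucket, counter in sorted(per_bucket.items()):
        for key, count in counter.items():
            if count > threshold and key not in table:
                entry = dict(zip(key_fields, key))
                # Policy choice per entry is an assumption of this example.
                table[key] = {"entry": entry,
                              "policy": {"type": "rate_limit", "limit": 10},
                              "count": count, "bucket": bucket}
    return list(table.values())


def constructed_mirror_stream():
    """Constructed key information (not from the patent): one flooding source,
    one source sitting exactly on the threshold, a benign source, and the
    flooding source again in the next second at a benign rate."""
    for i in range(100_001):
        yield (i / 100_001, {"src_ip": "203.0.113.66", "proto": "UDP", "dst_port": 53})
    for i in range(100_000):
        yield (i / 100_000, {"src_ip": "203.0.113.67", "proto": "UDP", "dst_port": 53})
    for i in range(5):
        yield (0.2 * i, {"src_ip": "198.51.100.10", "proto": "TCP", "dst_port": 443})
    for i in range(50):
        yield (1.0 + i / 50, {"src_ip": "203.0.113.66", "proto": "UDP", "dst_port": 53})


def run_example():
    """Default parameters of the description: 1 s buckets, threshold 100,000."""
    return generate_defense_table(constructed_mirror_stream())
```

Counting on the full 5-tuple instead of the source address alone (`key_fields=("src_ip", "proto", "dst_port")`) produces a narrower entry that leaves other traffic from the same source untouched; which is right depends on whether the flood shares a port, so the key should be chosen from the statistics rather than fixed in advance.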
Step 403, taking the subsequently received message as a message to be detected, and detecting whether the message to be detected is matched with the defense list item.
Here, the subsequently received messages are those received after the defense table entry and defense policy have been received. Whether the message to be detected matches the defense table entry may likewise be detected by string matching.
And step 404, responding to the matching, and defending the message to be detected based on the defense strategy.
In this embodiment, in response to the message to be detected matching the defense table entry, it may be regarded as an attack message hit by the defense table entry, and the execution subject defends against it based on the defense policy. In response to no match, the message to be detected is regarded as not hit by the defense table entry, and it may be forwarded directly without executing any defense policy on it.
In some optional implementations of this embodiment, the defense policy may limit the number of messages matching the defense table entry that are forwarded per unit duration to below a first preset value (e.g., 10). The message to be detected may then be defended against as follows: first, the number of same-source messages forwarded within the current unit duration is determined, where a same-source message is one carrying the same source IP address as the message to be detected. In response to that forwarded number being greater than or equal to the first preset threshold (e.g., 10), the message to be detected is discarded, which effectively reduces the number of attack-traffic accesses reaching the network device.
Optionally, the defense policy may require the access interval of messages matching the defense table entry to be no shorter than a second preset value (e.g., 3 seconds). The message to be detected may then be defended against as follows: first, the first receiving time of the message to be detected is obtained. Then, the second receiving time of the target same-source message is obtained, where the target same-source message is the most recently received same-source message, and a same-source message is again one carrying the same source IP address as the message to be detected. The time difference between the first and second receiving times is determined, and in response to that difference being smaller than the second preset threshold (e.g., 3 seconds), the message to be detected is discarded, which effectively reduces the number of attack-traffic accesses reaching the network device.
Note that the defense policy is not limited to the above list, and other defense policies may be set as necessary.
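The following is an added example, not code from the patent or from the applicant, of the chip-side defense operation logic of steps 403 and 404 and of the same logic under Fig. 2B: a table of (entry, policy) pairs, the field match of each received message against every entry, and the three policies the description mentions, the per-unit-duration forwarding limit, the minimum access interval, and the "forbid access for 3 minutes" of entry B. The table reuses entries A and B of the description and adds a third constructed entry; the message sequence and its timestamps are constructed. Two details the text leaves implicit are made explicit in the comments: the rate limit counts forwarded messages only, and the interval check measures from the latest received same-source message whether or not that message was forwarded.

```python
UNIT_DURATION = 1.0  # seconds; the "unit duration" of the rate-limit policy


def header_matches(header, entry):
    """Step 403: the message matches an entry when every field of the entry is
    present in the header with the same value."""
    return all(header.get(name) == value for name, value in entry.items())


class DefenseEngine:
    """Chip-side defense operation logic, run before the forwarding logic.
    `table` is a list of (entry, policy) pairs; all state is keyed by
    (entry index, source IP), i.e. per same-source flow per entry."""

    def __init__(self, table):
        self.table = list(table)
        self.windows = {}        # key -> (window start, forwarded in window)
        self.last_received = {}  # key -> receive time of latest same-source message
        self.blocked_until = {}  # key -> end of the forbidden period

    def handle(self, header, now):
        """Step 404 for one received message: returns "forward" or "drop"."""
        for idx, (entry, policy) in enumerate(self.table):
            if header_matches(header, entry) and \
                    not self._allow((idx, header["src_ip"]), policy, now):
                return "drop"
        return "forward"  # no entry hit, or every hit policy allowed it

    def _allow(self, key, policy, now):
        kind = policy["type"]
        if kind == "rate_limit":
            # At most `limit` forwarded same-source messages per unit duration
            # (tumbling window). Dropped messages are not counted: the text
            # compares the number *forwarded* against the threshold.
            start, forwarded = self.windows.get(key, (now, 0))
            if now - start >= UNIT_DURATION:
                start, forwarded = now, 0
            if forwarded >= policy["limit"]:
                self.windows[key] = (start, forwarded)
                return False
            self.windows[key] = (start, forwarded + 1)
            return True
        if kind == "min_interval":
            # Reference point is the *receive* time of the latest same-source
            # message, forwarded or not, so a steady flood stays dropped
            # instead of leaking one message per interval.
            last = self.last_received.get(key)
            self.last_received[key] = now
            return last is None or now - last >= policy["seconds"]
        if kind == "block":
            # "Forbid access for 3 minutes": the first hit opens the period.
            until = self.blocked_until.setdefault(key, now + policy["seconds"])
            return now >= until
        raise ValueError("unknown policy type %r" % kind)


# Constructed table: entries A and B from the description plus one entry that
# uses the interval policy (the third entry is not from the patent).
TABLE = [
    ({"src_ip": "1.1.1.1"},                 {"type": "rate_limit", "limit": 10}),
    ({"src_ip": "2.2.2.2", "dst_port": 80}, {"type": "block", "seconds": 180.0}),
    ({"src_ip": "3.3.3.3"},                 {"type": "min_interval", "seconds": 3.0}),
]


def run_example():
    """Constructed message sequence; returns the verdicts per scenario."""
    eng = DefenseEngine(TABLE)
    flood = [eng.handle({"src_ip": "1.1.1.1", "dst_port": 443}, 0.01 * i) for i in range(15)]
    later = eng.handle({"src_ip": "1.1.1.1", "dst_port": 443}, 1.5)
    blocked = [eng.handle({"src_ip": "2.2.2.2", "dst_port": 80}, t) for t in (0.0, 100.0, 181.0)]
    other_port = eng.handle({"src_ip": "2.2.2.2", "dst_port": 443}, 0.0)
    interval = [eng.handle({"src_ip": "3.3.3.3", "dst_port": 80}, t) for t in (0.0, 1.0, 2.5, 6.0)]
    benign = eng.handle({"src_ip": "4.4.4.4", "dst_port": 80}, 0.0)
    return {"flood": flood, "later": later, "blocked": blocked,
            "other_port": other_port, "interval": interval, "benign": benign}
```

Because every policy keys its state by source IP, a spoofed-source flood spreads across many keys and the per-source limits never trigger; that case is what the processor-side generation on aggregate statistics is for, and the entries it emits should then match on fields the attacker cannot vary.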
Conventional security defense systems are generally bypass defense or serial defense. The bypass defense is to additionally provide an optical splitter and a server for the switch, split the flow to the server through the optical splitter, perform flow statistics through the server to formulate a defense table entry and a defense strategy, and then issue the defense table entry and the defense strategy to an access control list of the switch, so as to filter some messages through the access control list. However, the access control list has limited table entries, and it is usually necessary to ensure that the number of table entries is within 1 ten thousand, so that security defense cannot be performed comprehensively. The bypass defense means that the traffic is mirrored to the security server, and the traffic is forwarded by the switch after all the traffic is filtered by the security server. However, since the ingress traffic of the switch is usually very large, such as 800G or T level, and the servers currently stay at 40G, 100G, etc., a large number of security servers need to be deployed to implement comprehensive security defense, and multiple security servers also cause a problem of difficulty in coordination.
According to the security defense method provided by the embodiment of the application, the programmable switching chip receives the defense table entry and defense policy that the processor generates by analyzing the messages received by the programmable switching chip, subsequent messages are then defended based on the defense table entry and the defense policy, and the forwarding operation is executed after the defense operation, so that the programmable switch retains the conventional message forwarding function while also having a security defense function. Comprehensive security defense can therefore be completed by a single programmable switch, without deploying an optical splitter or a security server, which reduces the number of network devices deployed and the construction cost of the network infrastructure.
With further reference to fig. 5, a flow diagram of one embodiment of a message processing method of the present application is shown. The message processing method is applied to a programmable switching chip in a programmable switch. Also included in the programmable switch is a processor, such as a central processing unit of the X86 architecture or the like.
The message processing method comprises the following steps:
step 501, receiving a message transmitted by a programmable switching chip.
In this embodiment, the execution body of the message processing method receives a message transmitted by the programmable switching chip. The category of the destination IP address in the message is any target category. Target categories may include, but are not limited to: the virtual IP address (i.e., the VIP of an LVS cluster) of a virtual server cluster, the public network IP address of a cloud server, an edge cloud IP address, a cloud data center IP address, and so on. In practice, the programmable switching chip may transmit the message to the execution body after detecting that the destination IP address in the message belongs to any target category.
Step 502, using the destination IP address in the message as a first destination IP address, and determining a second destination IP address based on the category of the first destination IP address.
In this embodiment, for different types of first destination IP addresses, the execution body may modify the first destination IP address differently to generate the target packet.
In some optional implementations of this embodiment, in response to the category of the first destination IP address being the virtual IP address class of a virtual server cluster, that is, the VIP of an LVS cluster, the execution body may select a real server through a load balancing algorithm, for example, according to the load of each server in the server pool of the LVS cluster, selecting a real server with a smaller current load from the server pool, and determine the IP address of that real server as the second destination IP address. Because load balancing is thus integrated into message forwarding, no separate dispatcher of the LVS cluster needs to be deployed, and the construction cost of the network infrastructure is reduced.
In some optional implementation manners of this embodiment, in response to that the category of the first destination IP address is any one of a public network IP address class, an edge cloud IP address class, and a cloud data center IP address class of the cloud server, the IP address of the physical server bearing the first destination IP address is determined, so that the IP address of the physical server is used as the second destination IP address.
Step 503, replacing the first destination IP address with the second destination IP address to obtain the target packet.
By replacing the first destination IP address with the IP address of the physical server bearing it, the programmable switch can act as a gateway for interworking between on-cloud and off-cloud networks when the first destination IP address is the public network IP address of a cloud server. When the first destination IP address is an edge cloud IP address and the source IP address in the message is the IP address of user equipment, the programmable switch likewise acts as a gateway for on-cloud and off-cloud interworking. When the first destination IP address is an edge cloud IP address and the source IP address in the message is a cloud data center IP address, the programmable switch acts as a gateway for interworking between the cloud data center and the edge cloud. Similarly, when the first destination IP address is a cloud data center IP address, the programmable switch acts as a gateway for interworking between the cloud data center and the edge cloud.
Step 504, the target message is transmitted to the programmable switching chip, so that the programmable switching chip forwards the target message to the second destination IP address.
In this embodiment, the execution entity may transmit the target packet to the programmable switching chip, so that the programmable switching chip forwards the target packet to the second destination IP address.
According to the message processing method provided by the embodiment of the application, the destination IP address in the original message is replaced, so that the programmable switch can integrate a load balancing function or a gateway function, which further reduces the number of network devices deployed and the construction cost of the network infrastructure.
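Steps 501 to 504 can be illustrated on the processor side with the following added example; it is not code from the patent or from the applicant. The address plan (`VIP_POOLS`, `SERVER_LOAD`, the public, edge cloud and cloud data center mappings, all in RFC 5737 and RFC 1918 ranges) is constructed for illustration, and the load balancing choice of "the real server with the smaller current load" is the one the page names.

```python
import ipaddress

# Constructed, hypothetical address plan. In the patent these mappings live on
# the processor; every address and load figure below is made up for the example.
VIP_POOLS = {"203.0.113.1": ["10.0.0.11", "10.0.0.12", "10.0.0.13"]}  # LVS VIP -> real servers
SERVER_LOAD = {"10.0.0.11": 40, "10.0.0.12": 15, "10.0.0.13": 60}     # current load per real server
PUBLIC_IP_HOST = {"203.0.113.50": "10.1.0.5"}   # cloud server public IP -> bearing physical server
EDGE_CLOUD_NET = ipaddress.ip_network("198.51.100.0/24")
DC_NET = ipaddress.ip_network("192.0.2.0/24")
EDGE_DC_HOST = {"198.51.100.9": "10.2.0.9", "192.0.2.3": "10.3.0.3"}  # edge/DC IP -> physical server


def classify(dst_ip: str):
    """Category of a destination IP, or None when it is not a target category
    (the chip would then forward the message without involving the processor)."""
    if dst_ip in VIP_POOLS:
        return "vip"
    if dst_ip in PUBLIC_IP_HOST:
        return "public"
    addr = ipaddress.ip_address(dst_ip)
    if addr in EDGE_CLOUD_NET:
        return "edge"
    if addr in DC_NET:
        return "dc"
    return None


def select_real_server(vip: str) -> str:
    """Load balancing: pick the real server with the smallest current load."""
    return min(VIP_POOLS[vip], key=lambda s: SERVER_LOAD[s])


def second_destination(first_dst: str):
    """Step 502: derive the second destination IP from the category of the first."""
    category = classify(first_dst)
    if category == "vip":
        return select_real_server(first_dst)
    if category == "public":
        return PUBLIC_IP_HOST[first_dst]
    if category in ("edge", "dc"):
        return EDGE_DC_HOST.get(first_dst)
    return None


def process_message(msg: dict):
    """Steps 501-504 on the processor side: return the target message to hand
    back to the chip, or None when no rewrite applies to this destination."""
    new_dst = second_destination(msg["dst_ip"])
    if new_dst is None:
        return None
    target = dict(msg)          # leave the original message untouched
    target["dst_ip"] = new_dst  # step 503: first destination replaced by second
    return target


if __name__ == "__main__":
    for dst in ("203.0.113.1", "203.0.113.50", "198.51.100.9", "192.0.2.3", "203.0.113.99"):
        msg = {"src_ip": "198.51.100.200", "dst_ip": dst, "proto": "TCP", "dst_port": 443}
        print(dst, "->", process_message(msg))
```

A destination that falls in no target category yields `None`, which models the case where the chip should not have handed the message to the processor at all; in the patent the category check is performed by the chip before the message is transmitted.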
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the embodiments are not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the embodiments. Further, those skilled in the art will also appreciate that the embodiments described in the specification are presently preferred and that no particular act is required of the embodiments of the application.
With further reference to fig. 6, as an implementation of the foregoing traffic statistic method embodiment, the present application provides an embodiment of a traffic statistic apparatus, which may be specifically applied to a programmable switching chip in a programmable switch. The programmable switch also comprises a processor.
As shown in fig. 6, the traffic statistic apparatus 600 of the present embodiment includes: a receiving unit 601 configured to receive the traffic statistic table entry transmitted by the processor; a detecting unit 602 configured to detect, in response to receiving a message, whether the message matches the traffic statistic table entry; a statistic unit 603 configured to, in response to the message matching the traffic statistic table entry, take the message as a target message, perform traffic statistics on the target message, generate a traffic statistic result, and forward the message; and a transmitting unit 604 configured to transmit the traffic statistic result to the processor.
In some optional implementations of this embodiment, the apparatus further includes a first forwarding unit configured to forward the message in response to the message not matching the traffic statistic table entry.
In some optional implementations of this embodiment, the traffic statistic table entry includes at least one of the following fields: Internet Protocol (IP) address, transmission control protocol, user datagram protocol, control message protocol, synchronous sequence number (SYN), acknowledgment (ACK) and port number; and the detecting unit 602 is further configured to: read the message header of the message; detect whether the message header contains the fields in the traffic statistic table entry; and, in response to the message header containing the fields in the traffic statistic table entry, determine that the message matches the traffic statistic table entry.
In some optional implementations of this embodiment, the statistic unit 603 is further configured to: count the total number of target messages and the total number of bytes of the target messages; and generate a traffic statistic result containing the total number of target messages and the total number of bytes.
In some optional implementations of this embodiment, the apparatus further includes a second forwarding unit configured to: transmit a first traffic statistic result to the processor at a first time; transmit a second traffic statistic result to the processor at a second time; and, in response to receiving an encapsulated message transmitted by the processor, forward the encapsulated message, where the encapsulated message comprises a target traffic statistic result generated by the processor based on the first traffic statistic result and the second traffic statistic result.
The apparatus provided in the foregoing embodiment of the present application performs traffic statistics operation before forwarding a packet, which not only can avoid the situation that a traffic statistics result is inaccurate due to the influence of an access control list, but also can enable a programmable switch to have a traffic statistics function on the basis of having a conventional packet forwarding function. The fine-grained traffic statistics operation can be completed only by one programmable switch without deploying optical splitters and servers, so that the number of deployed network equipment is reduced, and the construction cost of network infrastructure is reduced.
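The statistics path described for the apparatus above, together with the rate computation of claim 6 and the encapsulation of claim 7 below, can be shown end to end with the following added example. It is not code from the patent or from the applicant: the entry, the packet trace, the sample times and the report port are constructed, and `StatisticsUnit`, `target_statistics` and `encapsulate` are names chosen for the example. The page defines the bit rate as the byte difference divided by the time difference; the example keeps that figure and additionally multiplies by 8 for a bits-per-second value.

```python
import json

# Constructed traffic statistic table entry: UDP/53 towards one server (RFC 5737 addresses).
STATS_ENTRY = {"dst_ip": "203.0.113.10", "proto": "UDP", "dst_port": 53}


def matches_entry(header: dict, entry: dict) -> bool:
    """Match rule from the page: every field of the entry is present in the
    message header with the same value."""
    return all(header.get(k) == v for k, v in entry.items())


class StatisticsUnit:
    """Chip-side counters, updated before the message is forwarded."""

    def __init__(self, entry):
        self.entry = entry
        self.total_packets = 0
        self.total_bytes = 0

    def on_packet(self, header: dict, length: int) -> str:
        if matches_entry(header, self.entry):  # target message
            self.total_packets += 1
            self.total_bytes += length
        return "forward"  # every message is forwarded; statistics run first

    def result(self) -> dict:
        """Traffic statistic result transmitted to the processor."""
        return {"packets": self.total_packets, "bytes": self.total_bytes}


def target_statistics(first: dict, t1: float, second: dict, t2: float) -> dict:
    """Processor side: two samples become a packet forwarding rate and a bit rate.
    bytes_per_s is the page's "bit rate" (byte difference over time difference);
    bps is the same quantity expressed in bits per second."""
    dt = t2 - t1
    if dt <= 0:
        raise ValueError("second sample must be later than the first")
    dpackets = second["packets"] - first["packets"]
    dbytes = second["bytes"] - first["bytes"]
    return {"pps": dpackets / dt, "bytes_per_s": dbytes / dt, "bps": 8 * dbytes / dt}


def encapsulate(stats: dict, target_server_ip: str) -> dict:
    """Wrap the target statistic result in a message addressed to the target
    server; the chip forwards it like any other message. Port 5140 is a
    constructed choice for the example."""
    return {"dst_ip": target_server_ip, "proto": "UDP", "dst_port": 5140,
            "payload": json.dumps(stats, sort_keys=True).encode()}


def demo():
    """Ten 120-byte DNS queries plus unrelated HTTPS traffic between two samples 2 s apart."""
    unit = StatisticsUnit(STATS_ENTRY)
    first = unit.result()  # first sample, taken at t = 0 s
    for _ in range(10):
        unit.on_packet({"src_ip": "198.51.100.7", "dst_ip": "203.0.113.10",
                        "proto": "UDP", "dst_port": 53}, 120)
    for _ in range(5):     # does not match the entry, so it is forwarded but not counted
        unit.on_packet({"src_ip": "198.51.100.7", "dst_ip": "203.0.113.10",
                        "proto": "TCP", "dst_port": 443}, 1500)
    second = unit.result()  # second sample, taken at t = 2 s
    stats = target_statistics(first, 0.0, second, 2.0)
    return second, stats, encapsulate(stats, "192.0.2.20")


if __name__ == "__main__":
    print(demo())
```

Because the counters are updated on the match path before forwarding, a later access control list decision on the same message cannot change what was counted, which is the inaccuracy the page says the approach avoids.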
With further reference to fig. 7, as an implementation of the foregoing security defense method embodiment, the present application provides an embodiment of a security defense apparatus, which may be specifically applied to a programmable switch chip in a programmable switch. The programmable switch also comprises a processor.
As shown in fig. 7, the security defense apparatus 700 of the present embodiment includes: a mirroring unit 701 configured to intercept key information in a message in response to receiving the message, and mirror the key information to a processor; a receiving unit 702, configured to receive a defense table entry and a defense policy transmitted by the processor, where the defense table entry and the defense policy are generated after the processor analyzes the key information; a matching unit 703 configured to use a subsequently received message as a message to be detected, and detect whether the message to be detected matches the defense table entry; and the defense unit 704 is configured to respond to matching and defend the message to be tested based on the defense strategy.
In some optional implementations of this embodiment, the apparatus further includes a forwarding unit configured to forward the message to be detected in response to a mismatch.
In some optional implementations of this embodiment, the mirroring unit 701 is further configured to: intercepting the message header of the message; and taking the message header as key information, and mirroring the key information to the processor.
In some optional implementations of this embodiment, the defense unit 704 is further configured to: detecting the forwarding number of messages with the same source of the message to be detected in unit time length, wherein the messages with the same source comprise the same source IP (Internet protocol) as the message to be detected; and in response to the forwarding number being greater than or equal to a first preset threshold value, discarding the message to be tested.
In some optional implementations of this embodiment, the defense unit 704 is further configured to: acquiring first receiving time of the message to be detected; acquiring second receiving time of a target same-source message of the message to be detected, wherein the target same-source message is the same-source message with the latest receiving time, and the same-source message is a message which contains the same source IP (Internet protocol) as the message to be detected; determining a time difference between the first receiving time and the second receiving time; and in response to the time difference being smaller than a second preset threshold, discarding the message to be detected.
In the apparatus provided by the above embodiment of the application, the programmable switching chip receives the defense table entry and defense policy that the processor generates by analyzing the messages received by the chip, subsequent messages are then defended based on the defense table entry and the defense policy, and forwarding is performed after the defense operation, so that the apparatus retains the forwarding function while also having a security defense function. Comprehensive security defense can therefore be completed by a single programmable switch, without deploying an optical splitter or a security server, which reduces the number of network devices deployed and the construction cost of the network infrastructure.
With further reference to fig. 8, as an implementation of the foregoing message processing method embodiment, the present application provides an embodiment of a message processing apparatus, which may be specifically applied to a programmable switch chip in a programmable switch. The programmable switch also comprises a processor.
As shown in fig. 8, the message processing apparatus 800 of the present embodiment includes: a receiving unit 801 configured to receive a message transmitted by the programmable switching chip, where a type of a destination IP address in the message is any target type; a determining unit 802, configured to determine a second destination IP address based on a category of the first destination IP address, by using the destination IP address in the message as a first destination IP address; a replacing unit 803, configured to replace the first destination IP address with the second destination IP address, to obtain a target packet; a transmitting unit 804, configured to transmit the target message to the programmable switching chip, so that the programmable switching chip forwards the target message to the second destination IP address.
In some optional implementations of this embodiment, the target class includes the virtual IP address class of a virtual server cluster; and the determining unit 802 is further configured to: in response to the category of the first destination IP address being the virtual IP address class of the virtual server cluster, select a real server through a load balancing algorithm; and determine the IP address of the real server as the second destination IP address.
In some optional implementations of the embodiment, the target category includes at least one of: the cloud server comprises a public network IP address class, an edge cloud IP address class and a cloud data center IP address class; and, the determining unit 802 is further configured to: determining an IP address of a physical server bearing the first destination IP address in response to the type of the first destination IP address being any one of a public network IP address type of the cloud server, the edge cloud IP address type and the cloud data center IP address type; and taking the IP address of the physical server as a second destination IP address.
The apparatus provided by the above embodiment of the present application, by replacing the destination IP address in the original message, enables the programmable switch to integrate a load balancing function or a gateway function, which further reduces the number of network devices deployed and the construction cost of the network infrastructure.
An embodiment of the present application further provides a programmable switch, including:
a processor configured to transmit a traffic statistic table entry to the programmable switching chip;
a programmable switching chip configured to, in response to a message matching the traffic statistic table entry, take the message as a target message, perform traffic statistics on the target message, generate a traffic statistic result, and forward the message;
the processor being further configured to obtain the traffic statistic result from the programmable switching chip.
The programmable switch provided in this embodiment is similar to the corresponding description of the foregoing embodiment, and reference may be made to part of the description of the foregoing embodiment for relevant points.
An embodiment of the present application further provides another programmable switch, including:
a programmable switching chip configured to, in response to receiving a message, intercept key information in the message and mirror the key information to a processor;
the processor configured to analyze the received key information, generate a defense table entry and a defense policy corresponding to the defense table entry, and transmit the defense table entry and the defense policy to the programmable switching chip;
the programmable switching chip being further configured to take a subsequently received message as a message to be detected and detect whether the message to be detected matches the defense table entry; in response to a match, defend the message to be detected based on the defense policy; and in response to a mismatch, forward the message to be detected.
The programmable switch provided in this embodiment is similar to the corresponding description of the foregoing embodiment, and reference may be made to part of the description of the foregoing embodiment for relevant points.
An embodiment of the present application further provides another programmable switch, including:
a programmable switching chip configured to, in response to receiving a message, determine the category of the destination IP address in the message; and, in response to the category being any target category, transmit the message to a processor;
the processor configured to take the destination IP address as a first destination IP address, determine a second destination IP address based on the category of the first destination IP address, replace the first destination IP address with the second destination IP address to obtain a target message, and transmit the target message to the programmable switching chip;
the programmable switching chip being further configured to forward the target message to the second destination IP address.
The programmable switch provided in this embodiment is similar to the corresponding description of the foregoing embodiment, and reference may be made to part of the description of the foregoing embodiment for relevant points.
The present application further provides a non-transitory, readable storage medium, where one or more modules (programs) are stored, and when the one or more modules are applied to a device, the device may execute instructions (instructions) of method steps in this application.
Embodiments of the present application provide one or more machine-readable media having instructions stored thereon, which when executed by one or more processors, cause an electronic device to perform the methods as described in one or more of the above embodiments. In the embodiment of the present application, the electronic device includes various types of devices such as a terminal device and a server (cluster).
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including the preferred embodiment and all such alterations and modifications as fall within the true scope of the embodiments of the application.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or terminal that comprises the element.
The programmable switch, the traffic statistic method, the defense method, and the message processing method provided by the present application are introduced in detail, and a specific example is applied in the present application to explain the principle and the implementation manner of the present application, and the description of the above embodiment is only used to help understand the method and the core idea of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (35)

1. A programmable switch, comprising a programmable switch chip and a processor employing an X86 architecture, the programmable switch chip communicatively coupled to the processor.
2. The programmable switch of claim 1,
the processor is configured to transmit control information to a programmable switching chip, wherein the control information is used for controlling the programmable switching chip to execute target operation logic before executing message forwarding logic;
the programmable switching chip configured to execute the target operating logic in response to receiving a message; and executing the message forwarding logic after the target operation logic is executed.
3. The programmable switch of claim 2, wherein the control information comprises a traffic statistics table entry and the target operation logic comprises traffic statistics operation logic; and
the programmable switch chip further configured to execute the traffic statistics operation logic by:
detecting whether the message is matched with the flow statistic table item;
and responding to the matching of the message and the flow statistic table item, taking the message as a target message, carrying out flow statistic on the target message, and generating a flow statistic result.
4. The programmable switch of claim 3, wherein the traffic statistics table entry includes at least one of the following fields: Internet Protocol (IP) address, transmission control protocol, user datagram protocol, control message protocol, synchronous sequence number (SYN), acknowledgment (ACK) and port number; and
the programmable switch chip is further configured to detect whether the packet matches the traffic statistic table entry by:
reading a message header of a message in response to receiving the message;
detecting whether the message header contains a field in the flow statistic table item;
and responding to the field contained in the flow statistic table item in the message header, and determining that the message is matched with the flow statistic table item.
5. The programmable switch of claim 3, wherein the programmable switch chip is further configured to generate traffic statistics by:
counting the total number of the target messages and the total byte number of the target messages;
generating a flow statistic comprising the total number and the total number of bytes.
6. The programmable switch of claim 5, wherein the processor is further configured to:
obtaining a first traffic statistic from the programmable switching chip at a first time;
obtaining a second flow statistics from the programmable switching chip at a second time;
determining a time difference between the second time and the first time;
determining a first difference value between the total number of the target messages in the second flow statistic result and the total number of the target messages in the first flow statistic result, and determining a second difference value between the total byte number in the second flow statistic result and the total byte number in the first flow statistic result;
determining the ratio of the first difference value to the time difference as a packet forwarding rate;
determining a ratio of the second difference to the time difference as a bit rate;
and generating a target flow statistic result containing the packet forwarding rate and the bit rate.
7. The programmable switch of claim 6, wherein the processor is further configured to:
packaging the target flow statistical result to obtain a packaged message, wherein the packaged message comprises an IP address of a target server;
transmitting the packaged message to the programmable switching chip; and
the programmable switching chip is further configured to forward the encapsulated packet to an IP address of the target server.
8. The programmable switch of claim 2, wherein the control information comprises defense entries and defense policies, and wherein the target operation logic comprises defense operation logic against traffic attacks; and
the programmable switch chip further configured to execute the defensive operation logic by:
taking the message as a message to be detected, and detecting whether the message to be detected is matched with the defense table item;
and responding to the matching of the message and the defense list item, and defending the message to be detected based on the defense strategy.
9. The programmable switch of claim 8, wherein the programmable switch chip is further configured to defend against the message under test by:
detecting the forwarding number of messages with the same source of the message to be detected in unit time length, wherein the messages with the same source comprise the same source IP (Internet protocol) as the message to be detected;
and in response to the forwarding number being greater than or equal to a first preset threshold value, discarding the message to be detected.
10. The programmable switch of claim 8, wherein the programmable switch chip is further configured to defend against the message under test by:
acquiring first receiving time of the message to be detected;
acquiring second receiving time of a target same-source message of the message to be detected, wherein the target same-source message is the same-source message with the latest receiving time, and the same-source message is a message which contains the same source IP (Internet protocol) as the message to be detected;
determining a time difference between the first receive time and the second receive time;
and in response to the time difference being smaller than a second preset threshold, discarding the message to be detected.
11. The programmable switch of claim 8,
the programmable switching chip is further configured to intercept key information in the received message and mirror the key information to the processor before receiving the control information; and
the processor is further configured to analyze the received key information and generate a defense table entry and a defense strategy corresponding to the defense table entry.
12. The programmable switch of claim 11, wherein the critical information comprises a source IP address; and
the processor is further configured to generate a defense table entry and a defense policy corresponding to the defense table entry by:
counting the received key information in the target time length, and determining the number of the same key information in the target time length;
and taking the same key information with the quantity larger than a third preset threshold value as key information in the attack message, extracting at least one field from the key information in the attack message, generating a defense table item, and creating a defense strategy corresponding to the defense table item.
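The processor-side analysis of claims 11 and 12 (count identical key information within the target duration, treat key information seen more than the third preset threshold times as belonging to attack messages, and extract fields into a defense table entry with a policy) is shown in the following added example, which is not code from the patent or from the applicant. The mirrored records, the 2-second target duration, the thresholds and the choice of `src_ip` and `dst_port` as the extracted fields are constructed for illustration; the emitted policy uses the per-source forwarding count policy the page describes.

```python
from collections import Counter

# Constructed mirrored records: (receive time in seconds, key information), where
# the key information is the header the chip mirrored to the processor. Addresses
# are from RFC 5737. Forty UDP/53 messages from one source arrive within 2 s, four
# TCP/443 messages from another source arrive in the same period, and one more
# UDP/53 message from the first source arrives at t = 3 s, outside the window.
MIRRORED = (
    [(0.05 * i, {"src_ip": "198.51.100.7", "dst_ip": "203.0.113.10",
                 "proto": "UDP", "dst_port": 53}) for i in range(40)]
    + [(0.5 * i, {"src_ip": "198.51.100.20", "dst_ip": "203.0.113.10",
                  "proto": "TCP", "dst_port": 443}) for i in range(4)]
    + [(3.0, {"src_ip": "198.51.100.7", "dst_ip": "203.0.113.10",
              "proto": "UDP", "dst_port": 53})]
)


def analyze_key_info(records, window_start, target_len, third_threshold,
                     entry_fields=("src_ip", "dst_port"), first_threshold=50):
    """Count identical key information inside the target duration. Key information
    seen more than third_threshold times is treated as belonging to attack
    messages; for each, extract entry_fields into a defense table entry and
    attach a per-source rate policy (first_threshold messages per unit second)."""
    in_window = [k for t, k in records
                 if window_start <= t < window_start + target_len]
    counts = Counter(tuple(sorted(k.items())) for k in in_window)  # identical key info
    generated = []
    for key_items, n in counts.items():
        if n > third_threshold:
            key_info = dict(key_items)
            entry = {f: key_info[f] for f in entry_fields}  # at least one field extracted
            policy = {"type": "rate", "first_threshold": first_threshold, "unit_len": 1.0}
            generated.append({"entry": entry, "policy": policy, "count": n})
    return generated


if __name__ == "__main__":
    for item in analyze_key_info(MIRRORED, 0.0, 2.0, third_threshold=10):
        print(item)
```

Counting over the full key information rather than the source IP alone keeps a busy but legitimate source on a different port from being folded into the same count as the suspicious one; the extracted entry then carries only the fields the chip needs to match.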
13. The programmable switch of claim 2, wherein the target operation logic comprises IP address class detection logic; and
the programmable switch chip further configured to execute the IP address class detection logic by:
reading a destination IP address from a message header of the message;
detecting the category of the destination IP address;
and in response to the category being any target category, transmitting the message to a processor, and replacing the message with a target message returned by the processor, wherein the target message is generated after the processor modifies the destination IP address in the message.
14. The programmable switch of claim 13, wherein the target class comprises a virtual IP address class of a virtual server cluster; and
the processor is further configured to generate the target packet by:
taking the destination IP address as a first destination IP address, responding to the fact that the category of the first destination IP address is the virtual IP address category of the virtual server cluster, and selecting a real server through a load balancing algorithm;
and taking the IP address of the real server as a second destination IP address, replacing the first destination IP address of the message with the second destination IP address, and generating a target message.
15. The programmable switch of claim 13, wherein the target class comprises at least one of: a public network IP address class of a cloud server, an edge cloud IP address class and a cloud data center IP address class; and
the processor is further configured to generate the target message by:
taking the destination IP address as a first destination IP address, and in response to the class of the first destination IP address being any one of the public network IP address class of the cloud server, the edge cloud IP address class and the cloud data center IP address class, determining the IP address of a physical server bearing the first destination IP address;
and taking the IP address of the physical server as a second destination IP address, replacing the first destination IP address of the message with the second destination IP address, and generating the target message.
16. A programmable switch, comprising:
a processor configured to transmit a traffic statistics table entry to a programmable switch chip;
the programmable switch chip, configured to, in response to a message matching the traffic statistics table entry, take the message as a target message, perform traffic statistics on the target message, generate a traffic statistics result and forward the message;
the processor being further configured to obtain the traffic statistics result from the programmable switch chip.
17. A programmable switch, comprising:
a programmable switch chip configured to, in response to receiving a message, intercept key information in the message and mirror the key information to a processor;
the processor, configured to analyze the received key information, generate a defense table entry and a defense policy corresponding to the defense table entry, and transmit the defense table entry and the defense policy to the programmable switch chip;
the programmable switch chip being further configured to take a subsequently received message as a message to be detected, and detect whether the message to be detected matches the defense table entry; in response to a match, defend against the message to be detected based on the defense policy; and in response to a mismatch, forward the message to be detected.
18. A programmable switch, comprising:
a programmable switch chip configured to, in response to receiving a message, determine the class of a destination IP address in the message, and, in response to the class being any target class, transmit the message to a processor;
the processor, configured to take the destination IP address as a first destination IP address, determine a second destination IP address based on the class of the first destination IP address, replace the first destination IP address with the second destination IP address to obtain a target message, and transmit the target message to the programmable switch chip;
the programmable switch chip being further configured to forward the target message to the second destination IP address.
19. A traffic statistics method, applied to a programmable switch chip in a programmable switch, wherein the programmable switch further comprises a processor, the method comprising:
receiving a traffic statistics table entry transmitted by the processor;
in response to receiving a message, detecting whether the message matches the traffic statistics table entry;
in response to the message matching the traffic statistics table entry, taking the message as a target message, performing traffic statistics on the target message, generating a traffic statistics result, and forwarding the message;
and transmitting the traffic statistics result to the processor.
20. The method of claim 19, wherein after the detecting whether the message matches the traffic statistics table entry, the method further comprises:
in response to the message not matching the traffic statistics table entry, forwarding the message.
21. The method of claim 19, wherein the traffic statistics table entry comprises at least one of the following fields: Internet Protocol (IP) address, Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), synchronization sequence number (SYN), acknowledgement character (ACK) and port number; and
the detecting whether the message matches the traffic statistics table entry comprises:
reading a header of the message;
detecting whether the header contains a field of the traffic statistics table entry;
and in response to the header containing a field of the traffic statistics table entry, determining that the message matches the traffic statistics table entry.
22. The method of claim 19, wherein the performing traffic statistics on the target message and generating a traffic statistics result comprises:
counting the total number of target messages and the total number of bytes of the target messages;
and generating a traffic statistics result containing the total number of target messages and the total number of bytes.
23. The method of claim 22, further comprising:
transmitting a first traffic statistics result to the controller at a first time;
transmitting a second traffic statistics result to the controller at a second time;
and in response to receiving an encapsulated message transmitted by the processor, forwarding the encapsulated message, wherein the encapsulated message comprises a target traffic statistics result, and the target traffic statistics result is generated by the processor based on the first traffic statistics result and the second traffic statistics result.
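The statistics path of claims 19 to 23, as an added Python example that is not part of the patent: a traffic statistics table entry is a set of header fields, the chip counts the number and bytes of messages whose header contains those fields and forwards every message, and the processor derives a target result from two snapshots. The dictionary header representation, the field layout of the entry and the per-second rate computed by the processor are assumptions; the sample entries and packets are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StatsEntry:
    # Traffic statistics table entry (claim 21); None means the field is absent
    # from the entry and is therefore not checked against the header.
    ip: Optional[str] = None      # IP address (matched against source or destination)
    proto: Optional[str] = None   # "tcp", "udp" or "icmp"
    syn: Optional[bool] = None    # SYN flag
    ack: Optional[bool] = None    # ACK flag
    port: Optional[int] = None    # port number (matched against source or destination)


def header_matches(entry: StatsEntry, hdr: dict) -> bool:
    """Claim 21: the message matches when every field the entry carries is found in the header."""
    if entry.ip is not None and entry.ip not in (hdr.get("src_ip"), hdr.get("dst_ip")):
        return False
    if entry.proto is not None and hdr.get("proto") != entry.proto:
        return False
    if entry.syn is not None and bool(hdr.get("syn")) != entry.syn:
        return False
    if entry.ack is not None and bool(hdr.get("ack")) != entry.ack:
        return False
    if entry.port is not None and entry.port not in (hdr.get("src_port"), hdr.get("dst_port")):
        return False
    return True


class StatsPipeline:
    """Chip side (claims 19, 20, 22): match, count target messages and their bytes, forward all."""

    def __init__(self, entries):
        self.entries = list(entries)
        self.packets = [0] * len(self.entries)   # total number of target messages per entry
        self.bytes = [0] * len(self.entries)     # total byte count of target messages per entry

    def process(self, hdr: dict, length: int) -> bool:
        hit = False
        for i, entry in enumerate(self.entries):
            if header_matches(entry, hdr):
                self.packets[i] += 1
                self.bytes[i] += length
                hit = True
        return hit  # the message is forwarded whether or not it matched (claims 19 and 20)

    def snapshot(self):
        """Traffic statistics result transmitted to the processor (claim 22): (packets, bytes) per entry."""
        return list(zip(self.packets, self.bytes))


def rate_from_snapshots(first, second, t1, t2):
    """Processor side (claim 23): target result derived from the results at t1 and t2.
    Expressing it as packets/s and bytes/s per entry is an assumption."""
    dt = t2 - t1
    return [((p2 - p1) / dt, (b2 - b1) / dt) for (p1, b1), (p2, b2) in zip(first, second)]


# Constructed sample: one entry for TCP SYN (not ACK) messages on port 443, one for all ICMP.
SAMPLE_ENTRIES = [StatsEntry(proto="tcp", syn=True, ack=False, port=443), StatsEntry(proto="icmp")]
SAMPLE_PACKETS = [
    ({"src_ip": "203.0.113.5", "dst_ip": "198.51.100.10", "proto": "tcp", "syn": True,
      "ack": False, "src_port": 40000, "dst_port": 443}, 60),
    ({"src_ip": "203.0.113.5", "dst_ip": "198.51.100.10", "proto": "tcp", "syn": True,
      "ack": True, "src_port": 40000, "dst_port": 443}, 60),        # SYN-ACK: entry requires ack=False
    ({"src_ip": "203.0.113.9", "dst_ip": "198.51.100.10", "proto": "icmp"}, 84),
    ({"src_ip": "203.0.113.9", "dst_ip": "198.51.100.10", "proto": "udp",
      "src_port": 5353, "dst_port": 53}, 120),                      # matches no entry
]


def run_demo():
    pipe = StatsPipeline(SAMPLE_ENTRIES)
    first = pipe.snapshot()                                   # first result, at t1 = 0.0
    verdicts = [pipe.process(hdr, n) for hdr, n in SAMPLE_PACKETS]
    second = pipe.snapshot()                                  # second result, at t2 = 2.0
    return verdicts, second, rate_from_snapshots(first, second, 0.0, 2.0)
```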
24. A security defense method, applied to a programmable switch chip in a programmable switch, wherein the programmable switch further comprises a processor, the method comprising:
in response to receiving a message, intercepting key information in the message, and mirroring the key information to the processor;
receiving a defense table entry and a defense policy transmitted by the processor, wherein the defense table entry and the defense policy are generated by the processor after analyzing the key information;
taking a subsequently received message as a message to be detected, and detecting whether the message to be detected matches the defense table entry;
and in response to a match, defending against the message to be detected based on the defense policy.
25. The method of claim 24, wherein after the detecting whether the message to be detected matches the defense table entry, the method further comprises:
in response to a mismatch, forwarding the message to be detected.
26. The method of claim 24, wherein the intercepting key information in the message and mirroring the key information to the processor comprises:
intercepting a header of the message;
and taking the header as the key information, and mirroring the key information to the processor.
27. The method of claim 24, wherein the defending against the message to be detected based on the defense policy comprises:
detecting the number of same-source messages of the message to be detected forwarded within a unit time length, wherein a same-source message is a message containing the same source IP address as the message to be detected;
and in response to the number forwarded being greater than or equal to a first preset threshold, discarding the message to be detected.
28. The method of claim 24, wherein the defending against the message to be detected based on the defense policy comprises:
acquiring a first receiving time of the message to be detected;
acquiring a second receiving time of a target same-source message of the message to be detected, wherein the target same-source message is the same-source message with the latest receiving time, and a same-source message is a message containing the same source IP address as the message to be detected;
determining a time difference between the first receiving time and the second receiving time;
and in response to the time difference being smaller than a second preset threshold, discarding the message to be detected.
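The defense path of claims 12, 17 and 24 to 28, as an added Python example that is not the patent's own implementation: the processor counts the mirrored headers of one target time length and turns every source IP seen more than the third preset threshold times into a defense table entry with a policy, and the chip applies to matching messages either the per-unit-time forwarding threshold of claim 27 or the inter-arrival threshold of claim 28. The dictionary header representation, the threshold values and the rule that every received same-source message (forwarded or discarded) updates the latest receiving time are assumptions; the mirrored headers are constructed.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class DefenseEntry:
    src_ip: str       # field extracted from the key information of the attack message (claim 12)
    policy: str       # "rate" applies claim 27, "interval" applies claim 28
    threshold: float  # first preset threshold (messages forwarded per unit time) or
                      # second preset threshold (seconds between same-source messages)


def build_defense_entries(mirrored_headers, third_threshold, policy="rate", threshold=3.0):
    """Processor side (claims 12 and 17): count the key information mirrored during the
    target time length; a source IP occurring more than third_threshold times is treated
    as belonging to attack messages and becomes a defense table entry with a policy."""
    counts = Counter(h["src_ip"] for h in mirrored_headers)
    return [DefenseEntry(ip, policy, threshold) for ip, n in counts.items() if n > third_threshold]


class DefensePipeline:
    """Chip side (claims 24 to 28): match messages to be detected against the defense table."""

    def __init__(self, entries, unit_time=1.0):
        self.table = {e.src_ip: e for e in entries}
        self.unit_time = unit_time
        self.window_start = {}      # per source: start of the current unit-time window
        self.forwarded = Counter()  # per source: messages forwarded in that window (claim 27)
        self.last_seen = {}         # per source: receiving time of the latest same-source message (claim 28)

    def process(self, pkt):
        src, now = pkt["src_ip"], pkt["time"]
        entry = self.table.get(src)
        verdict = "forward"                   # no matching entry: forward (claim 25)
        if entry is not None and entry.policy == "rate":
            start = self.window_start.get(src)
            if start is None or now - start >= self.unit_time:
                self.window_start[src], self.forwarded[src] = now, 0
            if self.forwarded[src] >= entry.threshold:
                verdict = "drop"              # claim 27: forwarded number >= first preset threshold
        elif entry is not None:
            last = self.last_seen.get(src)
            if last is not None and now - last < entry.threshold:
                verdict = "drop"              # claim 28: time difference < second preset threshold
        self.last_seen[src] = now             # assumption: every received message updates the latest time
        if verdict == "forward":
            self.forwarded[src] += 1
        return verdict


# Constructed sample: 120 headers from one source and 2 from another, mirrored in one window.
MIRRORED = [{"src_ip": "203.0.113.66"}] * 120 + [{"src_ip": "198.51.100.20"}] * 2


def run_rate_demo():
    entries = build_defense_entries(MIRRORED, third_threshold=100, policy="rate", threshold=3)
    pipe = DefensePipeline(entries, unit_time=1.0)
    times = [0.0, 0.1, 0.2, 0.3, 0.4, 1.5]   # the last one starts a new unit-time window
    flagged = [pipe.process({"src_ip": "203.0.113.66", "time": t}) for t in times]
    benign = pipe.process({"src_ip": "198.51.100.20", "time": 0.25})
    return [e.src_ip for e in entries], flagged, benign


def run_interval_demo():
    entries = build_defense_entries(MIRRORED, third_threshold=100, policy="interval", threshold=0.05)
    pipe = DefensePipeline(entries)
    return [pipe.process({"src_ip": "203.0.113.66", "time": t}) for t in (0.0, 0.01, 0.2, 0.23)]
```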
29. A message processing method, applied to a processor in a programmable switch, wherein the programmable switch further comprises a programmable switch chip, the method comprising:
receiving a message transmitted by the programmable switch chip, wherein the class of a destination IP address in the message is any target class;
taking the destination IP address in the message as a first destination IP address, and determining a second destination IP address based on the class of the first destination IP address;
replacing the first destination IP address with the second destination IP address to obtain a target message;
and transmitting the target message to the programmable switch chip so that the programmable switch chip forwards the target message to the second destination IP address.
30. The programmable switch of claim 29, wherein the target class comprises a virtual IP address class of a virtual server cluster; and
the determining a second destination IP address based on the class of the first destination IP address comprises:
in response to the class of the first destination IP address being the virtual IP address class of the virtual server cluster, selecting a real server through a load balancing algorithm;
and determining the IP address of the real server as the second destination IP address.
31. The programmable switch of claim 29, wherein the target class comprises at least one of: a public network IP address class of a cloud server, an edge cloud IP address class and a cloud data center IP address class; and
the determining a second destination IP address based on the class of the first destination IP address comprises:
in response to the class of the first destination IP address being any one of the public network IP address class of the cloud server, the edge cloud IP address class and the cloud data center IP address class, determining the IP address of a physical server bearing the first destination IP address;
and taking the IP address of the physical server as the second destination IP address.
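The destination rewrite of claims 13 to 15, 18 and 29 to 31, as an added Python example that is not the patent's own code: the chip classifies the destination IP, hands target-class messages to the processor, and the processor substitutes either a load-balanced real server (virtual IP class) or the physical server bearing the address (public network, edge cloud or data center class). The address plan, the hosting map and the CRC32 flow-hash load balancing are assumptions; all addresses are constructed from documentation ranges.

```python
import ipaddress
import zlib

# Constructed address plan (RFC 5737 documentation ranges) standing in for the classes
# the switch operator would provision.
CATEGORIES = {
    "vip":         ipaddress.ip_network("203.0.113.0/28"),    # virtual IP of a virtual server cluster
    "public":      ipaddress.ip_network("203.0.113.64/26"),   # public network IP of a cloud server
    "edge_cloud":  ipaddress.ip_network("198.51.100.0/25"),
    "data_center": ipaddress.ip_network("198.51.100.128/25"),
}
REAL_SERVERS = {"203.0.113.1": ["10.0.1.11", "10.0.1.12", "10.0.1.13"]}   # VIP -> cluster members
HOSTING_SERVER = {                                                        # address -> physical server
    "203.0.113.70": "10.0.2.5", "198.51.100.9": "10.0.3.7", "198.51.100.200": "10.0.4.2",
}


def classify(dst_ip):
    """Chip side (claims 13 and 18): class of the destination IP, or None when it is not a target class."""
    addr = ipaddress.ip_address(dst_ip)
    for name, net in CATEGORIES.items():
        if addr in net:
            return name
    return None


def select_real_server(pkt, servers):
    """Load balancing algorithm (claims 14 and 30); a CRC32 of the flow tuple is assumed here
    so that every message of one flow keeps landing on the same real server."""
    key = f"{pkt['src_ip']}|{pkt['dst_ip']}|{pkt.get('src_port')}|{pkt.get('dst_port')}"
    return servers[zlib.crc32(key.encode()) % len(servers)]


def processor_rewrite(pkt):
    """Processor side (claims 29 to 31): derive the second destination IP from the class of
    the first and return the target message with the destination replaced."""
    first = pkt["dst_ip"]
    category = classify(first)
    if category == "vip":
        second = select_real_server(pkt, REAL_SERVERS[first])
    elif category in ("public", "edge_cloud", "data_center"):
        second = HOSTING_SERVER[first]        # physical server bearing the first destination IP
    else:
        raise ValueError("message reached the processor without a target-class destination")
    target = dict(pkt)
    target["dst_ip"] = second
    return target


def switch_forward(pkt):
    """Chip side: non-target destinations are forwarded unchanged; target-class messages are
    replaced by the processor's target message and forwarded to the second destination (claim 18)."""
    if classify(pkt["dst_ip"]) is None:
        return pkt["dst_ip"], pkt
    target = processor_rewrite(pkt)
    return target["dst_ip"], target
```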
32. A traffic statistics device, applied to a programmable switch chip in a programmable switch, wherein the programmable switch further comprises a processor, the device comprising:
a receiving unit configured to receive a traffic statistics table entry transmitted by the processor;
a detection unit configured to, in response to receiving a message, detect whether the message matches the traffic statistics table entry;
a statistics unit configured to, in response to the message matching the traffic statistics table entry, take the message as a target message, perform traffic statistics on the target message, generate a traffic statistics result and forward the message;
and a transmitting unit configured to transmit the traffic statistics result to the processor.
33. A security defense device, applied to a programmable switch chip in a programmable switch, wherein the programmable switch further comprises a processor, the device comprising:
a mirroring unit configured to, in response to receiving a message, intercept key information in the message and mirror the key information to the processor;
a receiving unit configured to receive a defense table entry and a defense policy transmitted by the processor, wherein the defense table entry and the defense policy are generated by the processor after analyzing the key information;
a matching unit configured to take a subsequently received message as a message to be detected and detect whether the message to be detected matches the defense table entry;
and a defense unit configured to, in response to a match, defend against the message to be detected based on the defense policy.
34. A message processing device, applied to a processor in a programmable switch, wherein the programmable switch further comprises a programmable switch chip, the device comprising:
a receiving unit configured to receive a message transmitted by the programmable switch chip, wherein the class of a destination IP address in the message is any target class;
a determining unit configured to take the destination IP address in the message as a first destination IP address and determine a second destination IP address based on the class of the first destination IP address;
a replacing unit configured to replace the first destination IP address with the second destination IP address to obtain a target message;
and a transmitting unit configured to transmit the target message to the programmable switch chip, so that the programmable switch chip forwards the target message to the second destination IP address.
35. One or more machine-readable media having executable code stored thereon that, when executed, causes a processor to perform the method of one or more of claims 19-31.
Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010714377.9A CN113315744A (en) 2020-07-21 2020-07-21 Programmable switch, flow statistic method, defense method and message processing method
PCT/CN2021/106452 WO2022017249A1 (en) 2020-07-21 2021-07-15 Programmable switch, traffic statistics method, defense method, and packet processing method

Publications (1)

Publication Number Publication Date
CN113315744A true CN113315744A (en) 2021-08-27

Family

ID=77370629

Country Status (2)

Country Link
CN (1) CN113315744A (en)
WO (1) WO2022017249A1 (en)

Also Published As

Publication number Publication date
WO2022017249A1 (en) 2022-01-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code
Ref country code: HK
Ref legal event code: DE
Ref document number: 40058033
Country of ref document: HK
RJ01 Rejection of invention patent application after publication
Application publication date: 20210827