CN113329048B - Cloud load balancing method and device based on switch and storage medium - Google Patents

Cloud load balancing method and device based on switch and storage medium

Info

Publication number
CN113329048B
CN113329048B (application CN202110396255.4A)
Authority
CN
China
Prior art keywords
bloom filter
bloom
connection
routing table
filters
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110396255.4A
Other languages
Chinese (zh)
Other versions
CN113329048A (en)
Inventor
张娇
高煜轩
文殊博
潘恬
黄韬
刘韵洁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Network Communication and Security Zijinshan Laboratory
Original Assignee
Network Communication and Security Zijinshan Laboratory
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Network Communication and Security Zijinshan Laboratory filed Critical Network Communication and Security Zijinshan Laboratory
Priority to CN202110396255.4A priority Critical patent/CN113329048B/en
Publication of CN113329048A publication Critical patent/CN113329048A/en
Application granted granted Critical
Publication of CN113329048B publication Critical patent/CN113329048B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1001Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/50Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5083Techniques for rebalancing the load in a distributed system
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/74Address processing for routing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/74Address processing for routing
    • H04L45/745Address table lookup; Address filtering
    • H04L45/7453Address table lookup; Address filtering using hashing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1001Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L67/1004Server selection for load balancing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the invention discloses a switch-based cloud load balancing method, device, and storage medium in the technical field of big data, which can mitigate the memory exhaustion of a switch load balancer caused by DDoS attacks. The invention comprises the following steps: a controller deployed in the control plane adds entries to a connection table in the data plane; hit results are imported into a mapping table, and miss results are input into a bloom filter group, wherein the bloom filter group comprises at least 3 bloom filters connected in series in sequence, and a cyclic update of the group is triggered according to the number of elements recorded in the filters; results output by the bloom filter group are imported into a synchronization table; and hit results output by the synchronization table are imported into the mapping table through the routing table. The invention is suitable for layer-4 load balancing.

Description

Cloud load balancing method and device based on switch and storage medium
Technical Field
The invention relates to the technical field of big data, in particular to a cloud load balancing method and device based on a switch and a storage medium.
Background
With the rapid development of the information age, demands on network speed and bandwidth keep increasing. As traffic volume grows, the ever-increasing data flow and access volume require the processing capacity and computing intensity of each core part of the network to grow correspondingly, to the point where a single server device can no longer bear the load.
In this case, large-scale hardware upgrades would waste existing resources, and even the best-performing hardware could not meet the ever-growing traffic demand. Instead, the number of serviceable users can be increased by adding servers. Once the number of servers reaches a certain scale, a layer-4 load balancing system is needed to distribute user requests evenly across a large number of backend servers and to keep forwarding the subsequent packets of each connection to its server.
The layer-4 load balancer, as one of the core technologies, plays a crucial role in large data centers. One current solution is a load balancer implemented on a programmable switch, which overcomes the low flexibility and high cost of dedicated load balancers and the high latency of software load balancers. However, since the storage space of a switch is relatively limited, maintaining per-connection state easily exhausts storage in a large data center, and it is difficult to cope with resource exhaustion attacks.
Disclosure of Invention
Embodiments of the present invention provide a switch-based cloud load balancing method, apparatus, and storage medium, which can mitigate the problem of resource exhaustion attacks.
In order to achieve the above purpose, the embodiment of the invention adopts the following technical scheme:
in a first aspect, an embodiment of the present invention provides a method, including:
a controller deployed in the control plane adds an entry to a connection table in the data plane; a hit result is imported into a mapping table, and a miss result is input into a bloom filter group, wherein the bloom filter group comprises at least 3 bloom filters connected in series in sequence, and a cyclic update of the bloom filter group is triggered according to the number of elements recorded in the bloom filters; results output by the bloom filter group are imported into a synchronization table; and the hit result output by the synchronization table is imported into the mapping table through the routing table.
In a second aspect, an embodiment of the present invention provides an apparatus, including:
a data management module for a controller deployed in a control plane to add entries to a connection table in a data plane;
the data transmission module is used for importing the hit result into a mapping table and inputting the miss result into a bloom filter group, wherein the bloom filter group comprises at least 3 bloom filters which are sequentially connected in series, and the cyclic update of the bloom filter group is triggered according to the number of elements recorded in the bloom filters;
the table management module is used for importing the result output by the bloom filter group into a synchronization table; and importing the hit result output by the synchronous table into the mapping table through the routing table.
In a third aspect, an embodiment of the present invention provides a storage medium storing a computer program or instructions which, when executed, implement the method of the first aspect.
The switch-based cloud load balancing method, device, and storage medium provided by the embodiments of the present invention realize a semi-stateful, programmable-switch-based layer-4 load balancer framework suitable for large-scale data centers. It combines the advantages of stateful and stateless load balancers: low delay and jitter, efficient memory utilization, and resistance to resource exhaustion attacks. A state compression structure is specifically designed; compared with directly storing the 5-tuple of each connection, it achieves a much higher compression ratio while reducing the percentage of broken connections under a resource exhaustion attack. The problem of switch load balancer memory exhaustion caused by DDoS attacks is thereby effectively mitigated.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings required to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic diagram of an architecture of a four-layer load balancer according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a cyclic update provided by an embodiment of the present invention;
FIG. 3 is a diagram illustrating the effect of resisting DDOS according to an embodiment of the present invention;
fig. 4 is a schematic diagram illustrating an effect of updating a server pool according to an embodiment of the present invention;
fig. 5 is a schematic diagram of a method flow provided by the embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the present invention is further described in detail with reference to the accompanying drawings and the detailed description below. Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings, wherein like reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the accompanying drawings are exemplary, intended only to explain the present invention, and are not to be construed as limiting the present invention. As used herein, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element is referred to as being "connected" or "coupled" to another element in the present embodiment, it can be directly connected or coupled to the other element, or intervening elements may also be present. Further, "connected" or "coupled" as used herein may include wirelessly connected or coupled. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items. It will be understood by those skilled in the art that, unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.
It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
In general, the basic function of a layer-4 load balancer is to map connections addressed to VIPs (Virtual IP addresses) evenly onto DIPs (Direct IP addresses). Large data centers are typically served by a large number of backend servers, each with a unique DIP address. Large services in a data center usually expose several public VIP addresses for users to access the service, while the actual service is provided by many backend servers with private DIP addresses. A user can only obtain a VIP through DNS and cannot learn any DIP. The VIP is only a traffic entry point: it does not correspond to a real server, and only packets addressed to a DIP are actually served. The data center's load balancer must therefore distribute requests sent to these VIPs among the corresponding backend (DIP) servers. In practice, a client sends a request to the load balancing device at the front of the server pool; the device receives the request, selects a real server through a scheduling algorithm, rewrites the destination address of the request packet to the real server's address via network address translation, and forwards the request to the selected server. In this way, a large number of users access the same VIP while the load is actually shared by all servers in the DIP pool. An ideal layer-4 load balancer should incur fairly low latency in every case and maintain per-connection consistency to ensure that user traffic is not interrupted mid-stream. Per-connection consistency means that even if the DIP pool is updated or the mapping between VIP and DIP changes, each existing connection is always mapped to the same DIP server.
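The basic VIP-to-DIP assignment described above can be sketched in a few lines of Python. This is an illustrative sketch only (the patent implements this in P4 on a switch); the names `pick_dip` and `dip_pool` are hypothetical, not from the patent.

```python
import hashlib

def pick_dip(five_tuple: tuple, dip_pool: list) -> str:
    """Hash a connection's 5-tuple onto one backend DIP server."""
    key = "|".join(map(str, five_tuple)).encode()
    h = int(hashlib.sha256(key).hexdigest(), 16)
    return dip_pool[h % len(dip_pool)]

pool = ["10.0.0.1:80", "10.0.0.2:80", "10.0.0.3:80"]
conn = ("198.51.100.7", 40001, "203.0.113.1", 443, "tcp")
dip = pick_dip(conn, pool)
# While the pool is unchanged, the same 5-tuple always maps to the same
# DIP -- this is the per-connection consistency property; the hard part,
# addressed by the patent, is preserving it when the pool is updated.
assert pick_dip(conn, pool) == dip
```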
Existing load balancers can be roughly classified into three types according to their implementation platform: dedicated load balancers, software load balancers, and switch-based load balancers. First, dedicated load balancers: such devices are often expensive and difficult to scale. Second, software load balancers: by implementing the load balancer on a large number of commodity servers, software load balancers achieve high scalability and availability. However, they process packets in software, which leads to high packet processing delay and high delay jitter under heavy traffic load. In large data centers, a large number of software load balancers are required to handle the traffic volume; it has been reported that over 4,000 commodity servers, costing over ten million dollars, are needed to balance the connections of a medium-sized data center. Third, switch-based load balancers: to address the shortcomings of the first two types, some attempts have been made to implement load balancers in switches. This approach is low-cost, and packets can be processed at line speed as with a dedicated load balancer. However, a switch load balancer is limited by its fixed processing logic.
Most load balancers, however, locally record the mapping between each connection and its corresponding backend server. That is, the load balancer typically assigns a backend server to the first packet of a new connection using a hash function, and the assignment result is then recorded locally. In this way, all subsequent packets of the connection are guaranteed to be sent to the same backend server even if the hash function changes or the backend server pool is updated. But hardware switch resources are limited: maintaining the state of all connections consumes a large amount of memory, and once a resource exhaustion attack occurs, the switch memory is easily exhausted and per-connection consistency can no longer be guaranteed. Although several stateless load balancers have recently been proposed to address the state management problem, they shift the burden of maintaining per-connection consistency to the backend servers. Each backend server must implement a module that detects whether a received packet should be processed by it; if not, the packet must be forwarded to the server that actually holds its state. This increases packet processing delay, installing the new modules incurs deployment cost, and the backend servers consume computing and bandwidth resources continuously forwarding packets. In short, stateless designs cope with resource exhaustion attacks by shifting the state management burden to the backend servers, which raises deployment and operational costs.
The design objectives of this embodiment are as follows. Layer-4 load balancers play a crucial role in large data centers. In recent years, load balancers implemented on programmable switches have attracted much attention because they overcome the low flexibility and high cost of dedicated load balancers and the high latency of software load balancers. However, since the storage space of a switch is relatively limited, maintaining per-connection state can easily exhaust storage in a large data center, especially under a resource exhaustion attack. The requirements are therefore: 1. reduce switch memory occupation by compressing the storage structure, improving SRAM space utilization; 2. handle server pool updates, so that after an update the traffic can be distributed evenly to the updated servers; 3. resist SYN flood attacks, effectively mitigating the memory exhaustion of a switch load balancer caused by DDoS (Distributed Denial of Service) attacks, while still processing packets at line speed. To achieve these goals, a layer-4 load balancer is specifically designed and implemented on a programmable switch via P4 programming.
The design idea of this embodiment is that designing and implementing a space-efficient load balancer on a programmable switch is an effective way to improve Static Random-Access Memory (SRAM) utilization and resist SYN (synchronize) flood attacks. Running on a hardware switch gives extremely high performance, achieving wire-speed forwarding. At the same time, memory occupation on the switch is reduced: only 50 MB of SRAM supports 34.6 million connections, improving storage space utilization by 10 to 27 times over directly storing the full connection information, and by about 2.4 times over per-entry compression schemes. For server pool updates, after a DIP pool update this embodiment can distribute requests equally to all backend servers at any time while maintaining per-connection consistency. For resisting DDoS attacks, this embodiment can reduce the percentage of broken connections by up to 57% under a SYN flood attack compared with a stateful load balancer.
An embodiment of the present invention provides a cloud load balancing method, and in particular, to a cloud load balancing method with state compression based on a switch, as shown in fig. 5, including:
s1, a controller deployed in a control plane adds entries to a connection table in a data plane.
Specifically, as shown in fig. 1, the present embodiment may be implemented as a four-layer load balancer comprising a data plane and a control plane. The control plane can be realized on a general-purpose server and is used for data plane state management and issuing flow tables. The data plane may use a programmable switch supporting the P4 language to define its own packet processing flow. The data plane mainly consists of four match-action tables and a plurality of bloom filters, and performs high-speed processing and forwarding of packets. Specifically, the data plane sends the packets of a new connection to the selected backend server according to the flow table issued by the control plane and the query result of the bloom filters.
And S2, importing the hit result into a mapping table, and inputting the miss result into a bloom filter group.
In this embodiment, "hit" and "miss" are technical terms commonly used in the big data field. For example, a hit shown in a CDN log indicates that a cache node was hit, so data can be served from the cache node without going back to the origin; a miss in a CDN log indicates the cache node was missed and data must be pulled from the origin. Those skilled in the art will appreciate that hit and miss are interpreted according to the particular application environment.
The bloom filter group comprises at least 3 bloom filters which are sequentially connected in series, and the cyclic update of the bloom filter group is triggered according to the number of elements recorded in the bloom filters. For example, when the number of elements or the amount of data recorded in the insert (new) bloom filter exceeds a corresponding threshold, a cyclic update is triggered.
The bloom filter mentioned in this embodiment may be understood as a space-efficient probabilistic data structure intended to answer whether an element is in a set. Its underlying data structure is a bit vector: initially all bits are 0, meaning the bloom filter contains no elements. In this design, an element being "in" the filter means that the positions indexed by the hash values of the packet's 5-tuple have been set to 1; elements are never removed, the bits only go from their initial 0 to 1 according to the hash functions. k different independent hash functions are selected. An insert operation applies all k hash functions to the element and sets the k resulting positions to 1. To query an element, the element itself is passed through the same k hash functions to obtain k positions; if any of these bits is 0, the element is definitely not in the set, and only if all k bits are 1 is the element considered (possibly) present.
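The bit-vector insert and query operations described above can be sketched as follows. This is a minimal Python illustration of the generic bloom filter technique, not the patent's P4 register implementation; the salted-hash scheme for deriving k positions is an assumption.

```python
import hashlib

class BloomFilter:
    """Minimal bit-vector bloom filter: k hash functions set/test k bits."""
    def __init__(self, m_bits: int = 1024, k: int = 3):
        self.m = m_bits
        self.k = k
        self.bits = [0] * m_bits  # all bits start at 0: empty filter

    def _positions(self, item: bytes):
        # Derive k independent positions by salting a single hash function.
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def insert(self, item: bytes):
        for p in self._positions(item):
            self.bits[p] = 1

    def query(self, item: bytes) -> bool:
        # If any of the k bits is 0, the item is definitely absent;
        # if all are 1, it is present -- with a small false-positive risk.
        return all(self.bits[p] for p in self._positions(item))

bf = BloomFilter()
bf.insert(b"conn-1")
assert bf.query(b"conn-1")       # inserted items always hit (no false negatives)
```

Note that, as the text explains, queries can return false positives but never false negatives; this asymmetry is exactly why the design needs the synchronization table to catch SYN packets that spuriously hit a filter.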
And S3, importing results output by the bloom filter group into a synchronization table.
And S4, importing the hit result output by the synchronization table into the mapping table through the routing table.
For example, as shown in fig. 1, conn_table denotes the connection table, syn_table the synchronization table, route_table the routing table, and map_table the mapping table. The connection table maintains the exact state of a small fraction of connections, mapping each of them to a DIP; the DIP here is the IP address of a backend server. The connection table stores far fewer connections than the bloom filters and is mainly used to avoid inconsistent matches caused by false positives. A false positive event occurs when a packet is a SYN packet yet hits some bloom filter; whether such an event has occurred is judged by the synchronization table. When a SYN packet hits a bloom filter, the connection would be forwarded to a server of the backend server pool version corresponding to that bloom filter; if the pool has since been updated so that the version corresponding to the filter has changed, the wrong version would be matched. Inserting such a connection into the connection table for explicit recording avoids this problem.
To reduce the size of the match field, the connection table stores hash values instead of 5-tuples. Although this may lead to hash collisions, a longer hash result reduces this probability to about 10^-8, which can be ignored. The hash value in the connection table is obtained by applying a hash algorithm such as crc32 to the packet's 5-tuple (source IP address, source port, destination IP address, destination port, and transport layer protocol) and occupies far less storage than the 5-tuple itself. Because there are few such connections, the connection table is not actively maintained or updated in this design.
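Hashing the 5-tuple into a compact connection-table key, as described above, might look like this in Python. The sketch uses the crc32 algorithm the text names; the exact field packing order is an assumption for illustration.

```python
import socket
import struct
import zlib

def five_tuple_hash(src_ip: str, src_port: int,
                    dst_ip: str, dst_port: int, proto: int) -> int:
    """Pack the 5-tuple (104 bits) and reduce it to a 32-bit crc32 key."""
    packed = (socket.inet_aton(src_ip) + struct.pack("!H", src_port) +
              socket.inet_aton(dst_ip) + struct.pack("!H", dst_port) +
              struct.pack("!B", proto))
    return zlib.crc32(packed)

# 32+16+32+16+8 = 104 bits of 5-tuple compressed into a 32-bit table key.
h = five_tuple_hash("192.0.2.1", 12345, "198.51.100.2", 80, 6)  # 6 = TCP
assert 0 <= h < 2**32
```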
In this embodiment, the bloom filter is used to answer whether the packet should be applied to an older version of the routing table. The bloom filter serves as a classifier for new and old connections.
In a preferred scheme, as shown in fig. 2, the bloom filter group includes at least 3 bloom filters: one corresponds to an old version of the routing table, another corresponds to a new version of the routing table (whose update timestamp is later than the old version's), and the remaining bloom filter is used for recording new connections.
The cyclic update of the bloom filter group proceeds as follows. The number of logical positions is greater than or equal to the number of bloom filters. Before a cyclic shift occurs, bloom filter 1 and bloom filter 2 are used for querying connections and bloom filter 3 for storing newly arrived connections; bloom filter 1 occupies the first position, bloom filter 2 the second, and bloom filter 3 the third. During the update, bloom filters 1, 2, and 3 are cyclically shifted among the logical positions: the content of bloom filter 1 is cleared and it is placed at the third position, bloom filter 2 moves to the first position, and bloom filter 3 moves to the second position, with bloom filters 2 and 3 retaining their stored connections during the shift. For example:
one bloom filter (new bloom in fig. 2) is used to maintain the new connection. Wherein the new bloom filter is an insert bloom filter, and the old bloom filter is a query bloom filter. C1-C4 means that connections 1 to 4, i.e. 4 different connections, are inserted into the corresponding bloom filters. As shown in fig. 2, three bloom filters, a bloom filter 1, a bloom filter 2, and a bloom filter 3, are used. They correspond to the routing tables from the old version to the latest version. Wherein, bloom filter 1 corresponds to the routing table of the old version, and bloom filter 3 corresponds to the routing table of the latest version.
Before the cyclic update, bloom filter 3 corresponds to the new routing table while bloom filters 1 and 2 correspond to old routing tables; bloom filters 1 and 2 are used for querying connections and bloom filter 3 stores newly arrived connections. The whole update process is in fact a cyclic shift of the three filters. After the update, bloom filter 1 is cleared and corresponds to the new routing table, while bloom filters 2 and 3 correspond to old routing tables: bloom filter 1 clears its contents and is placed at the third position, bloom filter 2 moves to the first position, and bloom filter 3 to the second position. Thus, after a cyclic update an empty bloom filter is available to store new connections, while the old connections remain saved in the bloom filters now at the first and second positions.
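The cyclic shift described above can be sketched with plain Python sets standing in for bit vectors (an illustrative simplification: real bloom filters cannot enumerate their contents). The oldest filter is cleared and reused as the new insert filter, while the other two keep their connections and shift up one position.

```python
# Positions 1, 2, 3: two query filters (old versions) and one insert filter.
filters = [{"c1", "c2"}, {"c3"}, {"c4"}]

def cyclic_update(filters: list) -> list:
    """Rotate the filter group: clear the oldest, reuse it for new connections."""
    oldest = filters.pop(0)   # the filter for the oldest routing-table version
    oldest.clear()            # its connections are dropped...
    filters.append(oldest)    # ...and it becomes the empty insert filter
    return filters

filters = cyclic_update(filters)
# Old connections c3, c4 survive at positions 1 and 2; position 3 is empty.
assert filters == [{"c3"}, {"c4"}, set()]
```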
Further, the method also includes: after the result output by the bloom filter group is imported into the synchronization table, detecting whether a false positive has occurred. If the packet is a SYN packet and it nevertheless hits a bloom filter, a false positive event is triggered. Specifically, the synchronization table determines a false positive event when the packet being processed is a SYN (synchronize) packet yet the bloom filter gives a positive answer. Concretely, a false positive event means the packet is a SYN packet but it hit a bloom filter and obtained a version; the synchronization table judges by the syn field and the version field: if the syn field is 1 and the version field is not 0, a false positive event is deemed to have occurred. Since a SYN packet is the first packet of a connection, a match in a query bloom filter necessarily indicates a false positive. If there is no such event, the old version of the routing table may be used to forward the packet.
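The synchronization table's check reduces to the two-field predicate described above. A minimal sketch, with the field names (`syn_flag`, `matched_version`) chosen for illustration rather than taken from the patent:

```python
def is_false_positive(syn_flag: int, matched_version: int) -> bool:
    """A SYN packet is the first packet of a connection, so any query-filter
    hit (non-zero version) for a SYN packet must be a false positive."""
    return syn_flag == 1 and matched_version != 0

assert is_false_positive(1, 2)          # SYN hit an old filter: false alarm
assert not is_false_positive(1, 0)      # SYN, no filter hit: genuinely new
assert not is_false_positive(0, 2)      # non-SYN hit: a normal old connection
```

When the predicate fires, the connection is pinned in the connection table so that its packets bypass the (unreliable) bloom filter match from then on.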
In this embodiment, the field information in an entry written in the routing table may also be read to obtain the entry's version value. The bloom filter group classifies connections according to version values, identifying old connections; a subsequent packet of an old connection is sent to the backend server that connection points to, via the bloom filter in which the old connection is stored. The connections recorded in the routing table are mapped onto DIP servers.
Specifically, the routing table maps each connection to a DIP server. The match field includes a hash-modulo value and a version field. The hash-modulo value is obtained by taking the hash of the connection five-tuple modulo e, where e is the total number of routing table entries for a single version; how many entries are actually inserted is determined by the actual operating conditions. Routing table entries of different versions can thus be distinguished by the version field. Subsequent packets of an old connection can then be sent to the correct back-end server based on routing table entries carrying the older version, using the classification capability of the query bloom filters, thereby maintaining per-connection consistency. A query bloom filter is an ordinary bloom filter; in the design of this embodiment it is used to query whether a connection is present, and it is named according to this function.
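A minimal sketch of the (hash-modulo, version) lookup described above, assuming an illustrative table size `E` and DIP-index values; none of these constants come from the patent.

```python
import hashlib

E = 8  # entries per version in the routing table; illustrative value

def hash_modulo(five_tuple, e=E):
    """Hash the connection five-tuple and reduce it modulo e."""
    digest = hashlib.sha256(repr(five_tuple).encode()).hexdigest()
    return int(digest, 16) % e

conn = ("10.0.0.1", 1234, "1.2.3.4", 80, "tcp")

# routing table keyed on (hash_modulo, version) -> DIP index
routing_table = {
    (hash_modulo(conn), 0): 7,  # version 0 entry sends this slot to DIP index 7
}

def lookup(five_tuple, version):
    """Match a packet's five-tuple under the version its connection belongs to."""
    return routing_table.get((hash_modulo(five_tuple), version))
```

A packet classified as an old connection is looked up under the older version value, so it keeps reaching the same back-end server even after newer entries are installed.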
Further optionally, in this embodiment the DIP encoding may be compressed, specifically: the controller compresses the obtained DIP code, generates a DIP index, and writes the generated DIP index into the mapping table. The mapping table implements the mapping from DIP (Direct IP) indices back to DIPs. Since the action field also occupies a large amount of SRAM on the hardware switch, this embodiment adds a mapping table at the end of all tables to compress the storage space of the DIPs. For example, a raw DIP may comprise two parts, an IPv4 address and a port, consuming a total of 40 bits. In practice, the number of back-end servers served by the load balancer is much less than 2^40. Therefore, the present embodiment uses the controller to encode each DIP, compressing 40 bits into 16 bits. The compressed 16 bits representing a DIP are referred to as the DIP index, which can represent up to 65,536 back-end servers; this value can be changed flexibly.
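The controller-side compression can be sketched as a small dictionary-based encoder. The class and method names are hypothetical; the only property taken from the text is that each DIP receives a 16-bit index and the mapping table restores the full DIP at the end of the pipeline.

```python
class DipMapper:
    """Sketch of controller-side DIP compression: each (ip, port) pair is
    assigned a 16-bit DIP index; the mapping table expands it back."""
    def __init__(self):
        self.index_of = {}       # (ip, port) -> DIP index
        self.mapping_table = {}  # DIP index -> (ip, port)

    def compress(self, ip, port):
        dip = (ip, port)
        if dip not in self.index_of:
            idx = len(self.index_of)
            # a 16-bit index can represent at most 65,536 back-end servers
            assert idx < 2 ** 16
            self.index_of[dip] = idx
            self.mapping_table[idx] = dip
        return self.index_of[dip]

    def expand(self, idx):
        """Mapping-table lookup: DIP index back to the full DIP."""
        return self.mapping_table[idx]
```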
In practical application of this embodiment, the control plane completes operations such as inserting and modifying entries of the connection table and the routing table in the data plane according to the current running state. When a pool update event occurs, the controller updates the routing table and handles false positive events, so that false positives do not affect connection consistency. In addition, each pool update event triggers the controller to perform a cyclic update, helping the bloom filter group store new connection state. Specifically, a module exposing three API operations may be established to complete communication between the control plane and the data plane. First, after a back-end server is selected for a new connection in the data plane, the controller receives the record message and inserts the corresponding entry into the routing table according to it, ensuring that subsequent packets of the connection are sent to the correct server. Second, a connection whose packet triggered a bloom filter false positive event is inserted into the connection table, reducing further false positives. Third, a cyclic update module processes pool update events and resists SYN flood attacks, thereby maintaining a normal false positive rate (FPR) for the bloom filters.
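The three control-plane operations above can be sketched as handlers on a controller object. This is a hypothetical simplification: the table structures are plain dictionaries and the bloom filter group is modeled as a list of sets, which is not how a real switch pipeline stores them.

```python
class Controller:
    """Hypothetical control-plane sketch of the three API operations."""
    def __init__(self):
        self.routing_table = {}     # (connection, version) -> server
        self.connection_table = {}  # connection -> server (exact match)

    def on_record_message(self, conn, server, version):
        # 1) after the data plane picks a server for a new connection,
        #    insert a routing entry so subsequent packets reach that server
        self.routing_table[(conn, version)] = server

    def on_false_positive(self, conn, server):
        # 2) pin a connection that hit a bloom-filter false positive
        #    into the exact-match connection table
        self.connection_table[conn] = server

    def on_pool_update(self, bloom_group):
        # 3) a pool update triggers a cyclic update of the filter group:
        #    clear the filter at the first position, move it to the last
        first = bloom_group.pop(0)
        first.clear()
        bloom_group.append(first)
        return bloom_group
```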
In prior art solutions, when a pool update occurs, the newest bloom filter becomes a query bloom filter for classifying incoming connections, and the oldest bloom filter is cleared and reused to record new connections with the new version value. Second, a cyclic update of the bloom filters is used to maintain a normal FPR. Elements cannot be deleted from a bloom filter, yet the FPR increases as the number of stored elements grows; thus, when the number of elements in the new bloom filter reaches a certain threshold, a cyclic update of the bloom filter group is performed. The cyclic update also effectively mitigates resource exhaustion attacks such as SYN flood. For a stateful load balancer, a SYN flood can fill the connection table quickly; the load balancer then degenerates into a hash function that fails to maintain per-connection consistency when the resource pool updates.
In this embodiment, although a SYN flood attack causes a large number of new connections to be quickly inserted into the bloom filter, a cyclic update is triggered as soon as the number of elements recorded in the new bloom filter exceeds the threshold. Assume the ratio of SYN flood connections to normal connections is 19:1; the frequency of the cyclic update then becomes 20 times that of the normal case. Such high-speed cyclic updates drop the large number of SYN flood connections that have no subsequent packets, while a normal connection's state can still be maintained because its subsequent packets will arrive. When a pool update occurs, the query bloom filter is cleared, causing the loss of some connection state; with three bloom filters, approximately two-thirds of the connection state is preserved after a resource pool update. By contrast, when a stateful load balancer runs out of memory resources due to a SYN flood, only about 5% of its entries are valuable, so many regular connections cannot be stored until some entries of the connection table are deleted, and connection consistency cannot be guaranteed. If the number of bloom filters is further increased, this embodiment becomes even more resistant to SYN flood attacks.
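The 20x figure follows from simple arithmetic, sketched below with assumed rates (the normal arrival rate and update threshold are illustrative values, not from the patent).

```python
# Back-of-envelope check of the cyclic-update frequency under a 19:1 flood
normal_rate = 100   # normal new connections per second (assumed)
flood_ratio = 19    # SYN-flood connections per normal connection (from the text)
threshold = 1000    # element count that triggers a cyclic update (assumed)

time_normal = threshold / normal_rate                        # seconds per update
time_flood = threshold / (normal_rate * (1 + flood_ratio))   # 20x the arrivals
speedup = time_normal / time_flood                           # update-frequency ratio
```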
In summary, the present embodiments present a programmable-switch-based, semi-stateful four-layer load balancer architecture that can be used in large-scale data centers. It combines the advantages of stateful and stateless load balancers, offering low delay and jitter, efficient memory utilization, and resistance to resource exhaustion attacks. Compared with directly storing the five-tuple information of each connection, the method achieves 10- to 27-fold data compression and reduces the percentage of broken connections by 57% under a resource exhaustion attack. For example, as shown in fig. 4, by reducing the memory occupation of the switch and designing a compressed storage structure, the SRAM utilization of the switch is improved; after a server pool update, traffic is evenly distributed to the updated servers; and, as shown in fig. 3, while resisting a SYN flood attack, the memory exhaustion of a switch-based load balancer caused by a DDoS attack is effectively alleviated while packets are still processed at line speed.
This embodiment also provides a switch-based cloud load balancing device, comprising:
and the data management module is used for controlling a controller deployed in the plane and adding entries to the connection table in the data plane.
a data transmission module, used for importing hit results into a mapping table and inputting miss results into a bloom filter group, wherein the bloom filter group comprises at least 3 bloom filters which are sequentially connected in series and trigger a cyclic update of the bloom filter group according to the number of elements recorded in the bloom filters;
And the table management module is used for importing the result output by the bloom filter group into the synchronization table. And importing the hit result output by the synchronous table into the mapping table through the routing table.
Specifically, the data transmission module is configured to trigger a cyclic shift of bloom filter 1, bloom filter 2 and bloom filter 3 among the logical positions: after the cyclic shift, the contents of bloom filter 1 are cleared and it is placed at the third position, bloom filter 2 moves to the first position, bloom filter 3 moves to the second position, and bloom filters 2 and 3 retain their stored connections during the shift. The bloom filter group comprises at least 3 bloom filters, wherein one bloom filter corresponds to the old version of the routing table, another corresponds to the new version of the routing table whose update timestamp is later than that of the old version, and the remaining bloom filter is used for maintaining new connections. The number of logical positions is greater than or equal to the number of bloom filters. Before the cyclic shift occurs, bloom filters 1 and 2 are used for querying connections and bloom filter 3 is used for storing newly arrived connections, with bloom filter 1 at the first position, bloom filter 2 at the second position, and bloom filter 3 at the third position.
The device further comprises: a connection management module, used for reading the field information written in the routing table entries and obtaining the version values of the entries, wherein the connections recorded in the routing table are mapped to DIP servers; classifying connections according to version values by using the bloom filter group to obtain old connections; and sending subsequent packets of an old connection to the back-end server pointed to by the old connection through the bloom filter storing that connection.
The device further comprises a compression module, used for triggering the controller to compress the obtained DIP codes, generate DIP indices, and write the generated DIP indices into the mapping table.
The present embodiment also provides a storage medium, which stores a computer program or instructions, and when the computer program or instructions are executed, the method flow shown in fig. 5 is implemented.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus embodiment, since it is substantially similar to the method embodiment, it is relatively simple to describe, and reference may be made to some descriptions of the method embodiment for relevant points. The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are also within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A switch-based cloud load balancing method, characterized in that the method is applied to a four-layer load balancer, the four-layer load balancer comprises a data plane and a control plane, and the data plane mainly comprises four match-action tables and a bloom filter group; the four match-action tables comprise a connection table, a synchronization table, a routing table and a mapping table; the method comprising:
a controller deployed in the control plane to add an entry to a connection table in the data plane;
importing a result of a hit into the mapping table, and inputting a result of a miss into the bloom filter group, wherein the bloom filter group comprises at least 3 bloom filters which are sequentially connected in series and trigger a cyclic update of the bloom filter group according to the number of elements recorded in the bloom filters;
importing results output by the bloom filter group into a synchronization table;
and importing the hit result output by the synchronous table into the mapping table through the routing table.
2. The method of claim 1, wherein at least 3 bloom filters are included in the bloom filters, wherein one bloom filter corresponds to an old version of the routing table, another bloom filter corresponds to a new version of the routing table, the new version of the routing table has a timestamp later than the old version of the routing table, and the remaining bloom filter is used for maintaining a new connection.
3. The method according to claim 1 or 2, wherein during the process of the cyclic update of the bloom filter group, the method comprises:
the bloom filter 1, the bloom filter 2 and the bloom filter 3 are cyclically shifted among the logical positions; after the cyclic shift, the contents of bloom filter 1 are cleared and it is placed at a third position, bloom filter 2 is placed at the first position, bloom filter 3 is placed at the second position, and bloom filter 2 and bloom filter 3 retain their stored connections during the shift;
wherein the number of logical positions is greater than or equal to the number of bloom filters; before the cyclic shift occurs, bloom filter 1 and bloom filter 2 are used for querying connections, bloom filter 3 is used for storing newly arrived connections, bloom filter 1 is placed at a first position, bloom filter 2 is placed at a second position, and bloom filter 3 is placed at a third position.
4. The method of claim 1, further comprising:
after the results output by the bloom filter group are imported into the synchronization table, detecting whether a false positive occurs;
and if the processed packet is a SYN packet and the bloom filter hits, triggering a false positive event.
5. The method of claim 3, further comprising:
reading field information in the entries written in the routing table, and acquiring version values of the entries, wherein the connection recorded in the routing table is mapped to a DIP server;
classifying each connection according to the version value by utilizing a bloom filter group to obtain an old connection;
and sending the subsequent data packet of the old connection to the back-end server pointed by the old connection through the bloom filter stored with the old connection.
6. The method of claim 5, further comprising:
the controller compresses the obtained DIP code and generates a DIP index, and writes the generated DIP index into a mapping table.
7. A switch-based cloud load balancing device, characterized in that the device is applied to a four-layer load balancer, the four-layer load balancer comprises a data plane and a control plane, and the data plane mainly comprises four match-action tables and a bloom filter group; the four match-action tables comprise a connection table, a synchronization table, a routing table and a mapping table; the device comprising:
a data management module for a controller deployed in a control plane to add entries to a connection table in a data plane;
a data transmission module, used for importing hit results into a mapping table and inputting miss results into a bloom filter group, wherein the bloom filter group comprises at least 3 bloom filters which are sequentially connected in series and trigger a cyclic update of the bloom filter group according to the number of elements recorded in the bloom filters;
the table management module is used for importing the results output by the bloom filter group into a synchronization table; and importing the hit result output by the synchronous table into the mapping table through the routing table.
8. The apparatus of claim 7, wherein the data transmission module is specifically configured to: trigger a cyclic shift of bloom filter 1, bloom filter 2 and bloom filter 3 among the logical positions, wherein after the cyclic shift the contents of bloom filter 1 are cleared and it is placed at a third position, bloom filter 2 is placed at the first position, bloom filter 3 is placed at the second position, and bloom filter 2 and bloom filter 3 retain their stored connections during the shift;
the method comprises the steps that at least 3 bloom filters are included in the bloom filters, one bloom filter corresponds to an old version routing table, the other bloom filter corresponds to a new version routing table, the update time stamp of the new version routing table is later than that of the old version routing table, the rest bloom filter is used for maintaining new connection, the number of logic positions is larger than and equal to that of the bloom filters, before cyclic shift occurs, the bloom filters 1 and 2 are used for inquiring connection, the bloom filters 3 are used for storing newly arrived connection, the bloom filters 1 are placed at a first position, the bloom filters 2 are placed at a second position, and the bloom filters 3 are placed at a third position.
9. The apparatus of claim 7, further comprising: the connection management module is used for reading field information in the entries written in the routing table and acquiring version values of the entries, wherein the connections recorded in the routing table are mapped to the DIP server; classifying each connection according to the version value by utilizing a bloom filter group to obtain an old connection; sending a subsequent data packet of the old connection to a back-end server pointed by the old connection through a bloom filter storing the old connection;
and the compression module is used for triggering the controller to compress the obtained DIP codes and generate a DIP index, and the generated DIP index is written into a mapping table.
10. A storage medium, in which a computer program or instructions are stored which, when executed by a computer, implement the method of any one of claims 1 to 6.
CN202110396255.4A 2021-04-13 2021-04-13 Cloud load balancing method and device based on switch and storage medium Active CN113329048B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110396255.4A CN113329048B (en) 2021-04-13 2021-04-13 Cloud load balancing method and device based on switch and storage medium


Publications (2)

Publication Number Publication Date
CN113329048A CN113329048A (en) 2021-08-31
CN113329048B true CN113329048B (en) 2023-04-07

Family

ID=77414750

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110396255.4A Active CN113329048B (en) 2021-04-13 2021-04-13 Cloud load balancing method and device based on switch and storage medium

Country Status (1)

Country Link
CN (1) CN113329048B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115174583B (en) * 2022-06-28 2024-03-29 福州大学 Server load balancing method based on programmable data plane

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9917891B2 (en) * 2013-09-27 2018-03-13 Intel Corporation Distributed in-order load spreading resilient to topology changes
US10237350B2 (en) * 2016-04-06 2019-03-19 Reniac, Inc. System and method for a database proxy
CN110704419A (en) * 2018-06-21 2020-01-17 中兴通讯股份有限公司 Data structure, data indexing method, device and equipment, and storage medium
US10938923B2 (en) * 2019-04-17 2021-03-02 Home Depot Product Authority, Llc Customizable router for managing traffic between application programming interfaces

Also Published As

Publication number Publication date
CN113329048A (en) 2021-08-31

Similar Documents

Publication Publication Date Title
CN102474467B (en) Server-side load balancing using parent-child link aggregation groups
EP2793436B1 (en) Content router forwarding plane architecture
US9973400B2 (en) Network flow information collection method and apparatus
US9407687B2 (en) Method, apparatus, and network system for acquiring content
US20200287964A1 (en) Implementing History-Based Connection-Server Affinity On A Network Load Balancer
CN102255932A (en) Load balancing method and load equalizer
JP2013090072A (en) Service provision system
MX2014014462A (en) Service node switching method and system.
CN106375355B (en) Load balancing processing method and device
CN113329048B (en) Cloud load balancing method and device based on switch and storage medium
CN102857547B (en) The method and apparatus of distributed caching
CN113726907A (en) Routing processing method, network element equipment, device and readable storage medium
KR101384794B1 (en) Message routing platform
US10892991B2 (en) Resilient hashing with multiple hashes
CN1182680C (en) Pacing synchronizing method for rout selecting information in data exchange environmemt
CN102647424B (en) Data transmission method and data transmission device
CN112333172B (en) Signature verification method and system
Ma et al. A distributed storage framework of FlowTable in software defined network
CN107113244B (en) Data forwarding method, device and system
Jiang et al. DCP: An efficient and distributed data center cache protocol with Fat-Tree topology
CN113824781B (en) Data center network source routing method and device
CN114640682B (en) Load balancing method and system based on improved stateless hash
CN110913039B (en) TCP stream drift processing method and device with separated data and control
EP2785014A1 (en) Device and method for organizing forwarding information in nodes of a content centric networking
CN117099356A (en) Instance-affine service scheduling

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant