CN113783778A - Policy routing method, system, computer and storage medium based on DDoS equipment - Google Patents


Publication number: CN113783778A
Authority: CN (China)
Prior art keywords: strategy, tailq, policy, routing, network segment
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202110967943.1A
Other languages: Chinese (zh)
Other versions: CN113783778B (en)
Inventors: 钟佳炜, 范渊, 杨勃
Current Assignee: DBAPPSecurity Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: DBAPPSecurity Co Ltd
Application filed by DBAPPSecurity Co Ltd
Priority to CN202110967943.1A
Publication of CN113783778A
Application granted
Publication of CN113783778B
Current legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00: Routing or path finding of packets in data switching networks
    • H04L45/14: Routing performance; Theoretical aspects
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1458: Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application relates to a policy routing method, system, computer and storage medium based on a DDoS device. The method comprises the following steps: issuing the policy routing configuration to the received executable file in the format specified by the command line; parsing the policy routing configuration, performing feature matching on it, and storing it in different tailq bidirectional queues; and, when a policy route lookup instruction sent by a service message is received, traversing and matching the tailq bidirectional queues to find the corresponding policy route. In this way policy routes are stored in different tailq bidirectional queues. Because tailq bidirectional queues support fast element insertion, the corresponding policy route can be stored and looked up more quickly, and the feature-matching algorithm lets the optimal policy route be matched more quickly and simply, so that the storage and lookup speed of policy routes in the DDoS device is greatly improved and the efficiency of network transmission is improved.

Description

Policy routing method, system, computer and storage medium based on DDoS equipment
Technical Field
The present application relates to the field of data processing technologies, and in particular, to a policy routing method, system, computer, and storage medium based on a DDoS device.
Background
A Distributed Denial of Service (DDoS) attack is one of the mainstream attack methods at present. It works mainly by using a large number of puppet machines (compromised hosts) to send requests to a target server, so that the target server cannot respond to all of the requests and crashes or slows down, finally causing serious incidents such as service interruption or financial loss.
Existing DDoS protection is mainly implemented in DDoS devices: a user has to pass through the DDoS device when accessing server resources, and at that point DDoS protection can be enabled to intercept attack messages.
However, an existing DDoS attack occupies a large amount of device resources in the DDoS device, which greatly reduces the storage and lookup speed of policy routes in the device. As a result, when a large number of attack messages are present, normal service messages are forwarded very slowly by the DDoS device, and serious consequences such as lookup timeouts and service interruption can occur.
Disclosure of Invention
The embodiments of the application provide a policy routing method, system, computer and storage medium based on a DDoS (distributed denial of service) device, to solve at least the problem in the related art that an existing DDoS attack occupies a large amount of device resources in the DDoS device and thereby greatly reduces the storage and lookup speed of policy routes in the device.
In a first aspect, an embodiment of the present application provides a policy routing method based on a DDoS device, where the method includes:
issuing the policy routing configuration to the received executable file in the format specified by the command line;
parsing the policy routing configuration, performing feature matching on the policy routing configuration, and storing the policy routing configuration in different tailq bidirectional queues;
and when a policy route lookup instruction sent by a service message is received, traversing and matching the tailq bidirectional queues to find the corresponding policy route.
In some embodiments, before the step of issuing the policy routing configuration for the received executable file in the format specified by the command line, the method includes:
compiling the executable file by calling the C language.
In some embodiments, the step of issuing the policy routing configuration for the received executable file in a format specified by the command line includes:
issuing a policy routing configuration to the compiled executable file in the format specified by the command line, wherein the policy routing configuration comprises a source address network segment, a destination address network segment, a source port range, a destination port range, a protocol, a routing priority and a next hop address.
In some embodiments, the step of parsing the policy routing configuration, and performing feature matching on the policy routing configuration and storing the policy routing configuration in different tailq bidirectional queues includes:
parsing the policy routing configuration through a preset program;
performing feature matching on the destination address network segment, the source address network segment, the destination port range, the source port range and the protocol in the policy routing configuration;
and storing the destination address network segment, the source address network segment, the destination port range, the source port range and the protocol in different tailq bidirectional queues respectively.
In some embodiments, the step of performing traversal matching on the tailq bidirectional queue to find the corresponding policy route when receiving a policy route lookup instruction sent by a service packet includes:
when a policy route lookup instruction sent by a service message is received, traversing and matching the tailq queues corresponding to the destination address network segment, the source address network segment, the destination port range, the source port range and the protocol respectively.
In some embodiments, the step of performing traversal matching on the tailq queues corresponding to the destination address network segment, the source address network segment, the destination port range, the source port range, and the protocol respectively includes:
applying different matching rules to the tailq queues corresponding to the destination address network segment, the source address network segment, the destination port range, the source port range and the protocol respectively, according to the different characteristics with which the policy routing configuration was stored.
In a second aspect, an embodiment of the present application provides a policy routing system based on a DDoS device, where the system includes:
a receiving module, configured to issue the policy routing configuration to the received executable file in the format specified by the command line;
a parsing module, configured to parse the policy routing configuration, perform feature matching on the policy routing configuration and store the policy routing configuration in different tailq bidirectional queues;
and a matching module, configured to traverse and match the tailq bidirectional queues when a policy route lookup instruction sent by a service message is received, so as to find the corresponding policy route.
In some embodiments, the receiving module in the policy routing system based on the DDoS device is specifically configured to:
compile the executable file by calling the C language.
In some embodiments, the receiving module in the policy routing system based on DDoS device is further specifically configured to:
issue a policy routing configuration to the compiled executable file in the format specified by the command line, wherein the policy routing configuration comprises a source address network segment, a destination address network segment, a source port range, a destination port range, a protocol, a routing priority and a next hop address.
In some embodiments, the parsing module in the policy routing system based on the DDoS device is specifically configured to:
parse the policy routing configuration through a preset program;
perform feature matching on the destination address network segment, the source address network segment, the destination port range, the source port range and the protocol in the policy routing configuration;
and store the destination address network segment, the source address network segment, the destination port range, the source port range and the protocol in different tailq bidirectional queues respectively.
In some embodiments, the matching module in the policy routing system based on the DDoS device is specifically configured to:
when a policy route lookup instruction sent by a service message is received, traverse and match the tailq queues corresponding to the destination address network segment, the source address network segment, the destination port range, the source port range and the protocol respectively.
In some embodiments, the matching module in the DDoS device-based policy routing system is further configured to:
apply different matching rules to the tailq queues corresponding to the destination address network segment, the source address network segment, the destination port range, the source port range and the protocol respectively, according to the different characteristics with which the policy routing configuration was stored.
In a third aspect, an embodiment of the present application provides a computer, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the above-described policy routing method based on a DDoS device when executing the computer program.
In a fourth aspect, an embodiment of the present application provides a storage medium, on which a computer program is stored, where the program, when executed by a processor, implements the above-described policy routing method based on a DDoS device.
Compared with the related art, the policy routing method, system, computer and storage medium based on the DDoS device provided by the embodiments of the application issue the corresponding policy routing configuration to the received executable file in the format specified by the command line, then parse the policy routing configuration, perform feature matching on it and store it in different tailq bidirectional queues, and finally traverse and match the tailq bidirectional queues to find the corresponding policy route. In this way policy routes are stored in different tailq bidirectional queues. Because tailq bidirectional queues support fast element insertion, the corresponding policy route can be stored and looked up more quickly; and when a message is matched against policy routes according to the different policy route storage queues, the feature-matching algorithm lets the optimal policy route be matched faster and more simply. The storage and lookup speed of policy routes in the DDoS device is thereby greatly improved, the efficiency of network transmission is improved, and normal service traffic can be forwarded faster and more efficiently while the DDoS device defends against DDoS attacks.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
Fig. 1 is a flowchart of a policy routing method based on a DDoS device according to a first embodiment of the present invention;
Fig. 2 is a flowchart of a policy routing method based on a DDoS device according to a second embodiment of the present invention;
Fig. 3 is a block diagram of a policy routing system based on a DDoS device according to a third embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application.
It is obvious that the drawings in the following description are only examples or embodiments of the present application, and that it is also possible for a person skilled in the art to apply the present application to other similar contexts on the basis of these drawings without inventive effort. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. References to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The terms "including," "comprising," "having," and any variations thereof as used in this application are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. References to "connected," "coupled," and the like in this application are not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as referred to herein means two or more. "And/or" describes an association relationship of associated objects, meaning that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. The terms "first," "second," "third," and the like referred to herein merely distinguish similar objects and do not denote a particular ordering for the objects.
Existing DDoS attacks occupy a large amount of device resources in DDoS devices, which results in a great reduction in the storage and search speed of policy routing in the devices, so that normal service messages can be very slow when being forwarded by the DDoS devices in the presence of a large amount of attack messages, and even serious consequences of search timeout and service interruption occur.
Referring to fig. 1, a policy routing method based on a DDoS device according to a first embodiment of the present invention is shown, and the policy routing method based on the DDoS device is mainly applied to the DDoS device, and is used to improve the searching efficiency of the DDoS device, so as to improve the usability of the DDoS device.
Specifically, the policy routing method based on the DDoS device specifically includes the following steps:
Step S10, issuing the policy routing configuration in the format specified by the command line.
Specifically, in this embodiment, a user may input an executable file to the DDoS device, and a command line in a specified format is preset in the DDoS device. When the DDoS device receives the executable file, the device can issue the policy routing configuration to the executable file in the format specified by the command line.
Step S20, parsing the policy routing configuration, performing feature matching on the policy routing configuration, and storing the policy routing configuration in different tailq bidirectional queues.
Specifically, when the DDoS device obtains the policy routing configuration, it may invoke a program preset at the back end to parse the issued policy routing configuration, perform feature matching on the policy routing configuration, and store it in different tailq bidirectional queues. It should be noted that tailq bidirectional queues support fast insertion of elements.
Step S30, when receiving a policy route searching instruction sent by the service packet, performing traversal matching on the tailq bidirectional queue to find a corresponding policy route.
Specifically, when a user sends a service request to the DDoS device, the DDoS device can receive service messages, and it should be noted that each service message needs to be matched with a policy route, so that an instruction for searching the policy route is sent.
Therefore, in this embodiment, when the DDoS device receives a policy routing lookup instruction sent by a service packet, traversal matching can be performed on the tailq bidirectional queue obtained in step S20, so as to find out a policy route corresponding to each service packet.
When the method is used, the corresponding policy routing configuration is issued to the received executable file in the format specified by the command line; the policy routing configuration is then parsed, feature-matched and stored in different tailq bidirectional queues; and finally the tailq bidirectional queues are traversed and matched to find the corresponding policy route. In this way policy routes are stored in different tailq bidirectional queues. Because tailq bidirectional queues support fast element insertion, the corresponding policy route can be stored and looked up more quickly; and when a message is matched against policy routes according to the different policy route storage queues, the feature-matching algorithm lets the optimal policy route be matched faster and more simply. The storage and lookup speed of policy routes in the DDoS device is thereby greatly improved, the efficiency of network transmission is improved, and normal service traffic can be forwarded faster and more efficiently while the DDoS device defends against DDoS attacks.
It should be noted that the implementation procedure described above is only for illustrating the applicability of the present application, but this does not represent that the DDoS device-based policy routing method of the present application has only the above-mentioned one implementation procedure, and on the contrary, as long as the DDoS device-based policy routing method of the present application can be implemented, the implementation procedure can be incorporated into a feasible implementation scheme of the present application.
In summary, in the policy routing method based on the DDoS device in the embodiments of the present invention, policy routes are stored in different tailq bidirectional queues. Because tailq bidirectional queues support fast insertion of elements, the corresponding policy route can be stored and looked up faster; and when a message is matched against policy routes according to the different policy route storage queues, the feature-matching algorithm lets the optimal policy route be matched faster and more simply. The storage and lookup speed of policy routes in the DDoS device is thereby greatly increased, the efficiency of network transmission is improved, and normal service traffic can be forwarded faster and more efficiently while the DDoS device defends against DDoS attacks.
Referring to fig. 2, a policy routing method based on DDoS equipment according to a second embodiment of the present invention is shown, where the policy routing method based on DDoS equipment specifically includes the following steps:
Specifically, in this embodiment, before the step of issuing the policy routing configuration to the received executable file in the format specified by the command line, the method includes:
Step S11, compiling the executable file by calling the C language.
It should be noted that, in this embodiment, the C language is provided in the DDoS device in advance and can be invoked when it is needed. In actual use, therefore, a DDoS user may first compile the executable file by calling the C language, so that the executable file meets the format-conversion requirement, and then execute step S21 below.
Specifically, the step of issuing the policy routing configuration to the received executable file according to the format specified by the command line includes:
Step S21, issuing a policy routing configuration to the compiled executable file in the format specified by the command line, where the policy routing configuration includes a source address network segment, a destination address network segment, a source port range, a destination port range, a protocol, a routing priority, and a next hop address.
Specifically, in this embodiment, step S21 is similar to step S10 provided in the first embodiment described above. After the executable file is compiled, the DDoS user can input the executable file to the DDoS device, in which a command line in a specified format is preset. When the DDoS device receives the executable file, the device can issue the policy routing configuration to the executable file in the format specified by the command line. More specifically, the policy routing configuration comprises a source address network segment, a destination address network segment, a source port range, a destination port range, a protocol, a routing priority and a next hop address.
Specifically, the step of analyzing the policy routing configuration, performing feature matching on the policy routing configuration, and storing the policy routing configuration in different tailq bidirectional queues includes:
Step S31, parsing the policy routing configuration through a preset program; performing feature matching on the destination address network segment, the source address network segment, the destination port range, the source port range and the protocol in the policy routing configuration; and storing the destination address network segment, the source address network segment, the destination port range, the source port range and the protocol in different tailq bidirectional queues respectively.
Specifically, in this embodiment, a DDoS user can parse the policy routing configuration obtained in step S21 by calling a parsing program preset at the back end, then perform feature matching according to five elements, namely the destination address network segment, the source address network segment, the destination port range, the source port range, and the protocol in the policy routing configuration, and store the destination address network segment, the source address network segment, the destination port range, the source port range, and the protocol in different tailq bidirectional queues respectively.
More specifically, the matching principle provided by this embodiment is as follows. The configuration is parsed in the order destination address network segment, source address network segment, destination port range, source port range, protocol. Each of the five elements may be configured or left unconfigured, so the policy routing configuration is stored in the tailq list of the first configured element encountered in that preset order; if none of the five elements is configured, it is stored in a sixth tailq bidirectional queue. For example, if the user has not configured the destination address network segment element but has configured the source address network segment, then, regardless of whether the other elements are configured, the policy route is stored in the tailq bidirectional queue of the source address network segment, following the preset order used when the configuration is parsed (destination address network segment, source address network segment, destination port range, source port range, protocol). The other elements are matched according to the same principle.
Specifically, when receiving a policy routing lookup instruction sent by a service packet, the step of performing traversal matching on the tailq bidirectional queue to find a corresponding policy routing includes:
Step S41, when a policy route lookup instruction sent by a service packet is received, performing traversal matching on the tailq queues corresponding to the destination address network segment, the source address network segment, the destination port range, the source port range, and the protocol respectively.
In this embodiment, when a user sends a service request to a DDoS device, the DDoS device can receive service messages, and it should be noted that each service message needs to be matched with a policy route, so that an instruction for searching the policy route is sent.
Therefore, in this embodiment, when the DDoS device receives a policy route lookup instruction sent by a service packet, step S51 can be performed by traversing and matching the tailq bidirectional queues obtained in step S20.
Specifically, the step of performing traversal matching on the tailq queues corresponding to the destination address network segment, the source address network segment, the destination port range, the source port range, and the protocol respectively includes:
Step S51, applying different matching rules to the tailq queues corresponding to the destination address network segment, the source address network segment, the destination port range, the source port range and the protocol, according to the different characteristics with which the policy routing configuration was stored.
Specifically, in this embodiment, the DDoS device applies matching algorithms with different rules to the 6 tailq queues, according to the different characteristics with which the policy routes were stored. For example, suppose the DDoS user searches the tailq bidirectional queue corresponding to the destination port range, in which the DDoS device has stored policy routes according to their different characteristics. In the destination port range queue, the two elements that come before it in the order, the destination address network segment and the source address network segment, necessarily match, because those two elements were left unconfigured on the command line; that is, the destination address and the source address can be any address. Therefore, matching can be completed by matching only the three elements of the source address network segment, the destination port range and the source port range in the five-tuple. By analogy, using different policy route feature-matching algorithms during lookup greatly improves search efficiency and improves device performance in this embodiment.
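As an added illustration (not code from the patent), the C code below implements the storage rule of step S31 and the per-queue lookup of step S51 with the BSD TAILQ macros from <sys/queue.h>. The struct layout, function names, sample rules and the convention that a lower priority value wins are assumptions; in each queue the checks start at the queue's own element and continue through the elements after it in the parsing order.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/queue.h>

/* Element order used when parsing a rule, as given in the text; F_NONE is the sixth queue. */
enum { F_DADDR, F_SADDR, F_DPORT, F_SPORT, F_PROTO, F_NONE, NQUEUES };
#define BIT(f) (1u << (f))

struct pbr_rule {                      /* hypothetical layout, not from the patent */
    unsigned set;                      /* BIT(f) set => element f was configured */
    uint32_t daddr, dmask;             /* destination address network segment */
    uint32_t saddr, smask;             /* source address network segment */
    uint16_t dport_lo, dport_hi;       /* destination port range */
    uint16_t sport_lo, sport_hi;       /* source port range */
    uint8_t  proto;                    /* IP protocol number */
    int      priority;                 /* assumption: lower value wins */
    uint32_t next_hop;
    TAILQ_ENTRY(pbr_rule) link;
};
struct pkt { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };
TAILQ_HEAD(pbr_queue, pbr_rule);
static struct pbr_queue queues[NQUEUES];

/* Storage rule: the queue of the first configured element, else the sixth queue. */
int pbr_queue_index(const struct pbr_rule *r) {
    for (int f = F_DADDR; f <= F_PROTO; f++)
        if (r->set & BIT(f)) return f;
    return F_NONE;
}

void pbr_insert(struct pbr_rule *r) {
    TAILQ_INSERT_TAIL(&queues[pbr_queue_index(r)], r, link);   /* O(1) append */
}

static int field_matches(const struct pbr_rule *r, const struct pkt *p, int f) {
    if (!(r->set & BIT(f))) return 1;  /* unconfigured element accepts any value */
    switch (f) {
    case F_DADDR: return (p->daddr & r->dmask) == (r->daddr & r->dmask);
    case F_SADDR: return (p->saddr & r->smask) == (r->saddr & r->smask);
    case F_DPORT: return p->dport >= r->dport_lo && p->dport <= r->dport_hi;
    case F_SPORT: return p->sport >= r->sport_lo && p->sport <= r->sport_hi;
    case F_PROTO: return p->proto == r->proto;
    }
    return 0;
}

/* Lookup: walk all six queues; in queue q start checking at element q, because
 * every element ranked before q is unconfigured for every rule stored there. */
const struct pbr_rule *pbr_lookup(const struct pkt *p) {
    const struct pbr_rule *best = NULL, *r;
    for (int q = 0; q < NQUEUES; q++) {
        TAILQ_FOREACH(r, &queues[q], link) {
            int ok = 1;
            for (int f = q; f <= F_PROTO && ok; f++)
                ok = field_matches(r, p, f);
            if (ok && (best == NULL || r->priority < best->priority))
                best = r;
        }
    }
    return best;
}

/* Constructed sample rules using documentation address ranges (not from the page). */
static struct pbr_rule demo[] = {
    { .set = BIT(F_DADDR) | BIT(F_PROTO), .daddr = 0xC6336400, .dmask = 0xFFFFFF00,
      .proto = 6, .priority = 10, .next_hop = 0x0A000001 },   /* to 198.51.100.0/24, TCP */
    { .set = BIT(F_DPORT), .dport_lo = 53, .dport_hi = 53,
      .priority = 20, .next_hop = 0x0A000002 },               /* any address, dport 53 */
    { .set = 0, .priority = 100, .next_hop = 0x0A0000FE },    /* nothing configured */
    { .set = BIT(F_SADDR) | BIT(F_DPORT), .saddr = 0xCB007100, .smask = 0xFFFFFF00,
      .dport_lo = 80, .dport_hi = 443, .priority = 5, .next_hop = 0x0A000003 },
};

void pbr_load_demo(void) {
    for (int q = 0; q < NQUEUES; q++) TAILQ_INIT(&queues[q]);
    for (size_t i = 0; i < sizeof demo / sizeof demo[0]; i++)
        pbr_insert(&demo[i]);
}

uint32_t pbr_next_hop(uint32_t saddr, uint32_t daddr, uint16_t sport, uint16_t dport, uint8_t proto) {
    struct pkt p = { saddr, daddr, sport, dport, proto };
    const struct pbr_rule *r = pbr_lookup(&p);
    return r ? r->next_hop : 0;        /* 0 = no policy route matched */
}

int main(void) {
    pbr_load_demo();
    printf("next hop: 0x%08X\n", (unsigned)pbr_next_hop(0xC0000201, 0xC6336407, 40000, 53, 6));
    return 0;
}
```

Appending at the tail is constant-time, while lookup still walks every queue, so the saving at lookup comes from the per-rule checks that each queue lets the code skip.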
It should be noted that the method provided by the second embodiment of the present invention has the same implementation principle and produces the same technical effects as the first embodiment; for brevity, where this embodiment does not mention something, refer to the corresponding content in the first embodiment.
In summary, the policy routing method based on the DDoS device in the embodiments of the present invention issues the corresponding policy routing configuration to the received executable file in the format specified by the command line, then parses the policy routing configuration, performs feature matching on it and stores it in different tailq bidirectional queues, and finally traverses and matches the tailq bidirectional queues to find the corresponding policy route. In this way policy routes are stored in different tailq bidirectional queues. Because tailq bidirectional queues support fast element insertion, the corresponding policy route can be stored and looked up more quickly; and when a message is matched against policy routes according to the different policy route storage queues, the feature-matching algorithm lets the optimal policy route be matched faster and more simply. The storage and lookup speed of policy routes in the DDoS device is thereby greatly improved, the efficiency of network transmission is improved, and normal service traffic can be forwarded faster and more efficiently while the DDoS device defends against DDoS attacks.
Referring to fig. 3, a policy routing system based on DDoS equipment according to a third embodiment of the present invention is shown, where the policy routing system based on DDoS equipment specifically includes:
a receiving module 12, configured to issue a policy routing configuration to the received executable file in the format specified by the command line;
a parsing module 22, configured to parse the policy routing configuration, perform feature matching on the policy routing configuration, and store the policy routing configuration in different tailq bidirectional queues;
and a matching module 32, configured to perform traversal matching on the tailq bidirectional queues when a policy route lookup instruction sent by a service packet is received, so as to find the corresponding policy route.
The above modules may be functional modules or program modules, and may be implemented in software or hardware. For modules implemented in hardware, the modules may be located in the same processor, or may be distributed across different processors in any combination.
In the policy routing system based on the DDoS device, the receiving module 12 is specifically configured to:
compile the executable file using the C language.
In the policy routing system based on the DDoS device, the receiving module 12 is specifically configured to:
issue a policy routing configuration to the compiled executable file in the format specified by the command line, wherein the policy routing configuration comprises a source address network segment, a destination address network segment, a source port range, a destination port range, a protocol, a routing priority and a next hop address.
In the policy routing system based on the DDoS device, the parsing module 22 is specifically configured to:
parse the policy routing configuration through a preset program;
perform feature matching on the destination address network segment, the source address network segment, the destination port range, the source port range and the protocol in the policy routing configuration;
and store the destination address network segment, the source address network segment, the destination port range, the source port range and the protocol in different tailq bidirectional queues respectively.
In the policy routing system based on the DDoS device, the matching module 32 is specifically configured to:
when a policy route lookup instruction sent by a service packet is received, perform traversal matching on the tailq queues corresponding respectively to the destination address network segment, the source address network segment, the destination port range, the source port range and the protocol.
In the above policy routing system based on the DDoS device, the matching module 32 is further configured to:
apply different matching rules to the tailq queues corresponding respectively to the destination address network segment, the source address network segment, the destination port range, the source port range and the protocol, according to the different characteristics with which the policy routing configuration was stored.
A fourth embodiment of the present invention provides a computer, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the policy routing method based on the DDoS device provided in the first embodiment or the second embodiment when executing the computer program.
A fifth embodiment of the present invention provides a storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the policy routing method based on the DDoS device provided in the first embodiment or the second embodiment.
To sum up, the policy routing method, system, computer and storage medium based on DDoS equipment in the embodiments of the present invention issue a policy routing configuration to the received executable file in the format specified by the command line, then parse the policy routing configuration, perform feature matching on it and store it in different tailq bidirectional queues, and finally perform traversal matching on the tailq bidirectional queues to find the corresponding policy route. Storing policy routes in different tailq bidirectional queues in this way takes advantage of the fast element insertion of tailq bidirectional queues, so the corresponding policy route can be stored and found more quickly. When a packet is matched against the policy routes in their different storage queues, the feature matching algorithm finds the optimal policy route faster and more simply. This greatly improves the storage and lookup speed of policy routes in the DDoS device and the efficiency of network transmission, so that normal service traffic can be forwarded faster and more efficiently while the DDoS device is defending against a DDoS attack.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments express only several implementations of the present application. Their description is relatively specific and detailed, but should not be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, all of which fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A policy routing method based on DDoS equipment, characterized by comprising the following steps:
issuing a policy routing configuration to the received executable file in the format specified by the command line;
parsing the policy routing configuration, performing feature matching on the policy routing configuration, and storing the policy routing configuration in different tailq bidirectional queues;
and when a policy route lookup instruction sent by a service packet is received, performing traversal matching on the tailq bidirectional queues to find the corresponding policy route.
2. The policy routing method based on DDoS equipment according to claim 1, wherein before the step of issuing a policy routing configuration to the received executable file in the format specified by the command line, the method further comprises:
compiling the executable file using the C language.
3. The policy routing method based on DDoS equipment according to claim 1 or 2, wherein the step of issuing a policy routing configuration to the received executable file in the format specified by the command line comprises:
issuing a policy routing configuration to the compiled executable file in the format specified by the command line, wherein the policy routing configuration comprises a source address network segment, a destination address network segment, a source port range, a destination port range, a protocol, a routing priority and a next hop address.
4. The policy routing method based on DDoS equipment according to claim 3, wherein the step of parsing the policy routing configuration, performing feature matching on the policy routing configuration and storing the policy routing configuration in different tailq bidirectional queues comprises:
parsing the policy routing configuration through a preset program;
performing feature matching on the destination address network segment, the source address network segment, the destination port range, the source port range and the protocol in the policy routing configuration;
and storing the destination address network segment, the source address network segment, the destination port range, the source port range and the protocol in different tailq bidirectional queues respectively.
5. The policy routing method based on DDoS equipment according to claim 4, wherein the step of performing traversal matching on the tailq bidirectional queues to find the corresponding policy route when a policy route lookup instruction sent by a service packet is received comprises:
when a policy route lookup instruction sent by a service packet is received, performing traversal matching on the tailq queues corresponding respectively to the destination address network segment, the source address network segment, the destination port range, the source port range and the protocol.
6. The policy routing method based on DDoS equipment according to claim 5, wherein the step of performing traversal matching on the tailq queues corresponding respectively to the destination address network segment, the source address network segment, the destination port range, the source port range and the protocol comprises:
applying different matching rules to the tailq queues corresponding respectively to the destination address network segment, the source address network segment, the destination port range, the source port range and the protocol, according to the different characteristics with which the policy routing configuration was stored.
7. A policy routing system based on DDoS equipment, the system comprising:
a receiving module, configured to issue a policy routing configuration to the received executable file in the format specified by the command line;
a parsing module, configured to parse the policy routing configuration, perform feature matching on the policy routing configuration and store the policy routing configuration in different tailq bidirectional queues;
and a matching module, configured to perform traversal matching on the tailq bidirectional queues when a policy route lookup instruction sent by a service packet is received, so as to find the corresponding policy route.
8. The policy routing system based on DDoS equipment according to claim 7, wherein the receiving module is specifically configured to:
compile the executable file using the C language.
9. A computer comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the DDoS device-based policy routing method of any one of claims 1 to 6 when executing the computer program.
10. A storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the DDoS device-based policy routing method of any one of claims 1 to 6.
CN202110967943.1A 2021-08-23 2021-08-23 Policy routing method, system, computer and storage medium based on DDoS equipment Active CN113783778B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110967943.1A CN113783778B (en) 2021-08-23 2021-08-23 Policy routing method, system, computer and storage medium based on DDoS equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110967943.1A CN113783778B (en) 2021-08-23 2021-08-23 Policy routing method, system, computer and storage medium based on DDoS equipment

Publications (2)

Publication Number Publication Date
CN113783778A true CN113783778A (en) 2021-12-10
CN113783778B CN113783778B (en) 2023-02-28

Family

ID=78838833

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110967943.1A Active CN113783778B (en) 2021-08-23 2021-08-23 Policy routing method, system, computer and storage medium based on DDoS equipment

Country Status (1)

Country Link
CN (1) CN113783778B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112600752A (en) * 2020-12-14 2021-04-02 盛科网络(苏州)有限公司 Chip implementation method of default policy routing, chip processing method and device of data message
CN112866214A (en) * 2021-01-04 2021-05-28 广州品唯软件有限公司 Firewall strategy issuing method and device, computer equipment and storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112910721A (en) * 2019-11-19 2021-06-04 苏州至赛信息科技有限公司 Access path query method and device, computer equipment and storage medium
CN111163061B (en) * 2019-12-11 2022-02-15 中盈优创资讯科技有限公司 Method and device for analyzing policy information of gateway equipment
CN112422430B (en) * 2020-11-27 2022-05-17 迈普通信技术股份有限公司 QoS queue scheduling method and device, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN113783778B (en) 2023-02-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant