CN113810383A - WEB application firewall, congestion control method, medium and electronic device - Google Patents


Info

Publication number: CN113810383A
Authority: CN (China)
Prior art keywords: function module, data message, safety function, current node, node
Legal status: Granted; currently active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202110981546.XA
Other languages: Chinese (zh)
Other versions: CN113810383B (en)
Inventors: 石达锋, 范渊
Current assignee: DBAPPSecurity Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: DBAPPSecurity Co Ltd

Classifications

    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication; H04L63/00: Network architectures or network communication protocols for network security)
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (H04L67/00: Network arrangements or protocols for supporting network services or applications; H04L67/01: Protocols)
    • H04L67/1012 Server selection for load balancing based on compliance of requirements or conditions with available server resources (H04L67/10: Protocols in which an application is distributed across nodes in the network; H04L67/1001: for accessing one among a plurality of replicated servers; H04L67/1004: Server selection for load balancing)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

A WEB application firewall, a congestion control method, a medium and an electronic device are provided. The method comprises: receiving a data packet and determining whether it was sent by the security function module of the last node; if not, setting a timeout timestamp for the packet; determining the remaining processing time of the packet from the current time and the timeout timestamp; determining whether the remaining processing time is greater than or equal to the packet processing time of the security function module of the current node that needs to work; if so, sending the packet to the security function module of the current node so that it processes the packet and returns the processed packet to the forwarding controller; if not, taking the next node as the current node that needs to work and returning to the step of determining whether the packet was sent by the security function module of the last node. The method can thus be compatible with a wide range of complex environments.

Description

WEB application firewall, congestion control method, medium and electronic device
Technical Field
The present invention relates to the field of firewall technologies, and in particular, to a firewall for WEB applications, a congestion control method, a medium, and an electronic device.
Background
The maturing of WEB application systems and increasingly complex service environments have gradually raised the requirements placed on WEB application firewalls. A WEB application firewall provides various emergency mechanisms to protect its own stability. WEB application firewalls on the market offer only one class of emergency mechanism, threshold setting: when a monitored threshold is reached, the firewall directly takes an emergency action. Commonly used thresholds include, but are not limited to, CPU, memory, throughput and TPS.
In fact, taking an emergency action when a threshold is reached is a relatively crude, one-size-fits-all approach. Early service types were simple, and this approach could temporarily meet market requirements. Today market demand keeps growing, and further demands are placed on the performance and stability of WEB application firewalls. Since HTTP services follow no uniform standard, the requirements on a WEB application firewall differ in every environment where one is deployed.
An existing WEB application firewall cannot be tightly fitted to each business scenario, which leaves it in a dilemma. If the threshold is set too low, the capacity of the firewall device sits idle and the product's value cannot be fully realised; if the threshold is set too high, the firewall device easily triggers unexpected downtime in a complex service environment, its stability cannot be guaranteed, and damage to WEB services cannot be avoided.
To solve these problems, the invention optimises the compatibility of the device with different scenarios by introducing a new congestion mechanism, so that a WEB application firewall can serve the services of highest value.
Disclosure of Invention
In view of the above, it is necessary to provide a WEB application firewall, a congestion control method, a medium and an electronic device that address the poor adaptability of the prior-art WEB application firewall.
A congestion control method for a WEB application firewall, where the WEB application firewall comprises a forwarding controller and the security function modules of a plurality of nodes, the security function modules of the nodes process data packets sent from a client to a server according to a preset working sequence, and the method is applied to the forwarding controller, comprises the following steps:
receiving the data packet and determining whether it was sent by the security function module of the last node;
when the data packet was not sent by the security function module of the last node, setting a timeout timestamp for the data packet;
determining the remaining processing time of the data packet according to the current time and the timeout timestamp;
determining whether the remaining processing time is greater than or equal to the packet processing time of the security function module of the current node that needs to work;
if so, sending the data packet to the security function module of the current node so that it processes the data packet and returns the processed data packet to the forwarding controller;
if not, taking the next node as the current node that needs to work and returning to the step of determining whether the data packet was sent by the security function module of the last node.
Further, in the above congestion control method for a WEB application firewall, the step of determining whether the remaining processing time is greater than or equal to the packet processing time of the security function module of the current node that needs to work further includes:
calculating, according to historical processing data, the average time taken by the security function module of the current node to process data packets, and using the calculated average as the packet processing time of that module, where the historical processing data comprises the processing times of a plurality of successfully processed data packets in the most recent preset time period of the security function module of the current node.
Further, in the above congestion control method for a WEB application firewall, the security function module is configured to perform anomaly detection on the received data packet, and when it detects that the data packet is anomalous it returns a blocking signal to the forwarding controller;
the congestion control method for the WEB application firewall further comprises:
blocking the data packet sent by the client to the server when the blocking signal is received.
Further, in the above congestion control method for a WEB application firewall, when the security function module of the current node returns the processed data packet to the forwarding controller, it also returns the processing time it took to complete processing the packet;
the congestion control method for the WEB application firewall further comprises:
updating the processing time of the security function module in real time.
Further, in the above congestion control method for a WEB application firewall, the step of sending the data packet to the security function module of the current node so that it processes the data packet and returns the processed data packet to the forwarding controller further comprises:
when a timeout signal or error return code is received from the security function module of the current node, taking the next node as the current node that needs to work, and returning to the step of determining whether the remaining processing time is greater than or equal to the packet processing time of the security function module of the current node that needs to work.
Further, the congestion control method for the WEB application firewall further comprises:
calculating the error rate of the security function module within a preset time and calculating a transmittable window for the security function module according to that error rate, where the error rate is the ratio of the sum of the security function module's response timeout count, error return count and abandoned count within the preset time to its total number of data packet processing operations within the preset time, and the abandoned count is the number of times within the preset time that the security function module had no time to process a data packet.
Further, the congestion control method for the WEB application firewall further comprises:
when the data packet was sent by the security function module of the last node, sending the data packet to the server.
The invention also discloses a WEB application firewall comprising a forwarding controller and the security function modules of a plurality of nodes, where the security function modules of the nodes process data packets sent from a client to a server according to a preset working sequence, and the forwarding controller comprises:
a receiving module, configured to receive the data packet;
a first determining module, configured to determine whether the data packet was sent by the security function module of the last node;
a setting module, configured to set a timeout timestamp for the data packet when it was not sent by the security function module of the last node;
a determining module, configured to determine the remaining processing time of the data packet according to the current time and the timeout timestamp;
a second determining module, configured to determine whether the remaining processing time is greater than or equal to the packet processing time of the security function module of the current node that needs to work;
a sending module, configured to send the data packet to the security function module of the current node when the remaining processing time is greater than or equal to the packet processing time of that module, so that it processes the data packet and returns the processed data packet to the forwarding controller;
an execution module, configured to take the next node as the current node that needs to work when the remaining processing time is less than the packet processing time of the security function module of the current node that needs to work, and to return to the step of determining whether the data packet was sent by the security function module of the last node.
Further, the above WEB application firewall further comprises:
a calculation module, configured to calculate, according to historical processing data, the average time taken by the security function module of the current node to process a data packet, and to use the calculated average as the packet processing time of that module, where the historical processing data comprises the processing times of a plurality of successfully processed data packets in the most recent preset time period of the security function module of the current node.
Further, the above WEB application firewall further comprises:
a blocking module, configured to block the data packet sent by the client to the server when a blocking signal is received.
The invention also discloses a readable storage medium storing a program which, when executed by a processor, performs any of the methods described above.
The invention also discloses an electronic device comprising a memory, a processor, and a program stored in the memory and runnable on the processor, where the processor implements any of the above methods when executing the program.
Relying on the proxy working mechanism of the WEB application firewall, the invention adds a timeout timestamp to each packet of an HTTP request and decides according to the elapsed delay whether to apply congestion control. Because congestion control is applied per request as part of forwarding the HTTP request, the shortcoming of the earlier crude one-size-fits-all congestion control is overcome, the processing capacity devoted to each request can be controlled precisely, and the device protects the application system in every environment to the greatest extent. The invention thus makes maximal use of the processing capacity of the WEB application firewall, is compatible with a wide range of complex environments, and extracts maximal value from the WEB application firewall.
Drawings
FIG. 1 is a schematic diagram illustrating a workflow of a Web application firewall according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a method for controlling congestion of a WEB application firewall according to a first embodiment of the present invention;
FIG. 3 is a flowchart illustrating a method for controlling congestion of a WEB application firewall according to a second embodiment of the present invention;
FIG. 4 is a block diagram of a firewall for WEB application according to a third embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an electronic device according to a fourth embodiment of the present invention.
The following detailed description will further illustrate the invention in conjunction with the above-described figures.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application.
It is obvious that the drawings in the following description are only examples or embodiments of the present application, and that it is also possible for a person skilled in the art to apply the present application to other similar contexts on the basis of these drawings without inventive effort. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as referred to herein means two or more. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
The main object of protection and detection for the WEB application firewall in the embodiment of the invention is the HTTP request; congestion and the performance of the firewall device are related to the number of HTTP requests, the content of the HTTP request messages, the request frequency and the size of the request messages. As shown in FIG. 1, the Web application firewall in the embodiment includes a forwarding controller 11 and the security function modules 12 of a plurality of nodes, where the security function modules 12 of the nodes process data packets sent from a client 13 to a server 14 according to a preset working sequence. After the data stream enters the device, the first module it enters is the central forwarding controller 11. The forwarding controller 11 then distributes the data packets step by step to the security function modules 12 of the respective nodes for processing, and when processing is finished the resulting action is carried out on the packets, for example blocking them or sending them on to the server 14.
Referring to FIG. 2, a congestion control method for a WEB application firewall according to a first embodiment of the invention includes steps S11 to S17.
Step S11: receive the data packet.
Step S12: determine whether the data packet was sent by the security function module of the last node.
Step S13: when the data packet was not sent by the security function module of the last node, set a timeout timestamp for the data packet.
The congestion control method of this embodiment is applied to the forwarding controller of the WEB application firewall. Data packets sent by a client to a server enter the forwarding controller, which distributes them step by step to the security function modules of the nodes for processing. When a security function module finishes processing a packet, it returns the processed packet to the forwarding controller, which then forwards it to the security function module of the next node.
In a specific implementation, after receiving a data packet sent by a client or by a security function module, the forwarding controller sets a timeout timestamp for it. Every packet carries a timeout timestamp indicating the moment at which it will time out. The timestamp lets the forwarding controller easily calculate whether there is enough time downstream to process the packet, or enough time to perform the next action.
Taking an HTTP request as an example, completing the request involves the TCP three-way handshake and the transmission of the HTTP protocol messages. When the packets of the HTTP request enter the Web application firewall device they arrive at the forwarding controller, which either sets a timeout timestamp for each individual packet of each step of the request, or sets one timestamp for the complete request once all steps are finished. The timestamp has millisecond precision and equals the current time plus the maximum processing time, meaning that the frame will time out at that moment.
Step S14: determine the remaining processing time of the data packet according to the current time and the timeout timestamp.
Step S15: determine whether the remaining processing time is greater than or equal to the packet processing time of the security function module of the current node that needs to work; if so, go to step S16, otherwise go to step S17.
Step S16: send the data packet to the security function module of the current node so that it processes the packet and returns the processed packet to the forwarding controller.
Step S17: take the next node as the current node that needs to work and return to step S12.
The remaining time is the timeout timestamp minus the current time. The forwarding controller calculates the average processing speed of the N data packets most recently processed successfully by the security function module of the current node that needs to work, and from that and the packet's timeout timestamp estimates whether that module has the capacity, that is enough time, to process the packet; otherwise the forwarding controller gives up on the security function module of the current node and enters the processing flow of the next node.
For example, after the forwarding controller receives a data packet from a client, it sets a timeout timestamp for the packet and compares the remaining time with the packet processing time of the security function module of the first node. If the remaining time is greater than or equal to that processing time, the module of the first node has enough time to process the packet: the packet is sent to it, the module processes the packet and returns the processed packet to the forwarding controller, and the forwarding controller moves on to the next node. If the remaining time is less than the packet processing time of the module of the first node, that module does not have enough time, and the forwarding controller determines whether the remaining processing time is greater than or equal to the packet processing time of the security function module of the second node; if so, the packet is sent to the second node's module for processing, and so on, until the security function module of the last node completes processing and the processed packet is sent directly to the server.
It can be understood that each security function module performs anomaly detection on the received data packet. Detection rules are configured in the security function module; when a rule is hit, the module can block the packet, ending its processing. When no rule is hit, the check of that function module is passed and processing continues to the next node. After a data packet has missed the rules of all function modules, it is sent to the server.
In this embodiment, the proxy working mechanism of the WEB application firewall itself is used to add a timeout timestamp to each packet of an HTTP request, and whether to apply congestion control is decided according to the elapsed delay. Because congestion control is applied per request as part of forwarding the HTTP request, the shortcoming of the earlier crude one-size-fits-all congestion control is overcome, the processing capacity devoted to each request can be controlled precisely, and the device protects the application system in every environment to the greatest extent. The embodiment thus makes maximal use of the processing capacity of the WEB application firewall, is compatible with a wide range of complex environments, and extracts maximal value from the WEB application firewall.
Referring to fig. 3, a method for controlling congestion of a WEB application firewall according to a second embodiment of the present invention includes steps S21-S30.
Step S21, the forwarding controller receives the data message;
in step S22, the forwarding controller determines whether the data packet is sent by the security function module of the last node, if not, performs step S23, and if so, performs step S31.
The WEB application firewall in this embodiment includes a forwarding controller and a plurality of security function modules, for example, n security function modules. Data messages sent by a client to a server are firstly detected by each safety function module of the WEB application firewall, detection rules are arranged in the safety function modules, the detection rules can be blocked after the safety function rules are hit, and the messages are blocked until the processing is finished. If the rule is not hit, the processed data message is returned to the forwarding controller, the forwarding controller distributes the data message to the security function module of the next node for detection, and the server sends the data message to the server after all the messages which are not hit by the function module are gone.
The forwarding controller implements the same principle for the processes from the security function module 1 to the security function module n-1, while the processing for the last security function module n is slightly different. Therefore, after receiving the data packet, the forwarding controller needs to determine whether the data packet is sent by the security function module of the last node. If not, the process proceeds to step S23, and if yes, the process proceeds to step S31.
Step S23, the forwarding controller sets an overtime timestamp for the data packet, and determines the remaining processing time of the data packet according to the current time and the overtime timestamp.
After entering Web application firewall equipment, the data message reaches a forwarding controller, and the forwarding controller sets an overtime timestamp to indicate that the time is overtime when the next safety function module processes the data message. The forwarding controller judges whether the security function module of the current node has enough time to process the message or whether the security function module of the current node has enough time to execute the next action according to the processing time of the security function module of the current node needing to work and the timeout timestamp.
It can be understood that the forwarding controller may calculate an average time for the security function module of the current node to process the data packet according to the historical processing data, and use the calculated average time as the packet processing time of the security function module of the current node. The historical processing data comprises processing time of a plurality of successfully processed data messages in a latest preset time period of the security function module of the current node.
In step S24, the forwarding controller determines whether the remaining processing time is greater than or equal to the message processing time of the security function module of the current node that needs to operate, if so, executes step S25, otherwise, executes step S30.
Step S25, the forwarding controller sends the data packet to the security function module of the current node.
When the forwarding controller judges that the remaining processing time is greater than or equal to the message processing time of the security function module of the current node needing to work, the data message is sent to the security function module of the current node if the security function module of the current node has enough time to process the data message.
Step S26, the security function module of the current node receives the data packet, and performs anomaly detection processing.
Step S27, when the security function module of the current node detects that the data packet is abnormal, sending a blocking signal to the forwarding controller.
Step S28, after receiving the blocking signal, the forwarding controller blocks the data packet sent by the client to the server.
Step S29, when the security function module of the current node detects that there is no abnormality in the data packet and normal processing is completed, the data packet after processing is sent to the forwarding controller, and step S21 is executed again.
When the security function module of the current node detects that the data message is abnormal, it sends a blocking signal to the forwarding controller and the forwarding controller blocks the data message. If the data message is normal, it is returned to the forwarding controller, which sets the timeout timestamp again and judges whether the security function module of the next node has enough time to process it; if so, the data message is sent to the security function module of the next node for processing. This is repeated until the security function module of the last node has processed the message.
In step S30, the forwarding controller takes the next node as the current node to be operated, and returns to step S22.
If the forwarding controller determines that the remaining processing time is less than the message processing time of the security function module of the current node that needs to work, that module does not have enough time to process the data message; its processing is abandoned, the next node is taken as the current node that needs to work, and the process returns to step S22. Note that the abandoned module's check is then not applied to that message at all: the message continues down the chain and, unless a later module blocks it, reaches the server.
Step S31, the forwarding controller sends the data packet to a server.
It can be understood that after the security function module of the last node finishes processing, it sends the processed message to the forwarding controller together with a processing-completion signal. From that signal the forwarding controller determines that the data message it has just received was sent by the security function module of the last node, and sends it directly to the server.
Further, in another embodiment of the present invention, when the security function module of the current node detects no abnormality in the data packet and completes normal processing, the processing result also includes the time taken to process the data packet. The congestion control method of the WEB application firewall then further comprises:
the forwarding controller updating the processing time of the security function module in real time.
The message processing time of a security function module may be the average processing time of the N messages it most recently processed successfully. After receiving the processing time reported by the security function module, the forwarding controller updates the message processing time in real time, so that its judgement of the module's processing capacity stays accurate.
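The loop of steps S21 to S31, together with the per-node average of the last N successful processing times described above, as an added simulation written for this page (it is not code from the patent or from DBAPPSecurity). The class and function names (Verdict, SecurityNode, ForwardingController, build_controller, the three inspectors), the per-hop timeout of 0.5 s, the cold-start guess of 0.1 s and the two sample requests are all assumptions of the example. Because step S30 abandons a node's check when the budget is short, the result also lists which nodes were skipped, so an operator can see that a forwarded message was not inspected by them.

```python
# Added example, not code from the patent or DBAPPSecurity. All names are assumptions.
import re
from collections import deque
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Verdict(Enum):
    PASS = "pass"          # no anomaly, processing completed normally (S29)
    BLOCK = "block"        # anomaly detected: blocking signal (S27)
    TIMEOUT = "timeout"    # response timeout signal
    ERROR = "error"        # error return code


Inspector = Callable[[bytes], Tuple[Verdict, float]]   # returns (verdict, seconds used)


class SecurityNode:
    """Security function module of one node plus the controller's bookkeeping for it."""

    def __init__(self, name: str, inspect: Inspector, history_size: int = 5) -> None:
        self.name = name
        self.inspect = inspect
        self.history: deque = deque(maxlen=history_size)  # last N successful processing times
        self.errors = 0     # response timeouts + error returns
        self.discards = 0   # times the controller had no budget left to run this node

    def message_processing_time(self, cold_start: float) -> float:
        """Average over the recent successful messages; a fixed guess until there is history."""
        if not self.history:
            return cold_start
        return sum(self.history) / len(self.history)


class ForwardingController:
    def __init__(self, nodes: List[SecurityNode], hop_timeout: float, cold_start: float) -> None:
        self.nodes = nodes
        self.hop_timeout = hop_timeout    # budget granted each time the timeout timestamp is set
        self.cold_start = cold_start      # assumed processing time for a node with no history
        self.now = 0.0                    # simulated monotonic clock, in seconds

    def handle(self, packet: bytes, queue_delay: float = 0.0) -> Dict[str, object]:
        """Run one client->server message through the chain. `queue_delay` is the time the
        message waits inside the controller between the timestamp being set and the check."""
        skipped: List[str] = []
        for node in self.nodes:
            deadline = self.now + self.hop_timeout        # timeout timestamp set on receipt
            self.now += queue_delay
            remaining = deadline - self.now               # remaining processing time
            if remaining < node.message_processing_time(self.cold_start):   # S24 -> S30
                node.discards += 1
                skipped.append(node.name)                 # this node's check is not applied
                continue
            verdict, cost = node.inspect(packet)          # S25 / S26
            self.now += cost
            if verdict is Verdict.BLOCK:                  # S27 / S28
                return {"action": "block", "blocked_by": node.name, "skipped": skipped}
            if verdict in (Verdict.TIMEOUT, Verdict.ERROR):   # timeout or error code: next node
                node.errors += 1
                continue
            node.history.append(cost)                     # S29: the result carries the time used
        return {"action": "forward", "blocked_by": None, "skipped": skipped}   # S31


# Constructed inspectors standing in for real modules.
SQLI_PATTERN = re.compile(rb"(?i)['\"]\s*or\s+\d+\s*=\s*\d+|union\s+select")


def request_line_check(packet: bytes) -> Tuple[Verdict, float]:
    # Error path: a malformed request line is reported with an error return code.
    if not packet.startswith((b"GET ", b"POST ")):
        return Verdict.ERROR, 0.01
    return Verdict.PASS, 0.01


def sqli_check(packet: bytes) -> Tuple[Verdict, float]:
    return (Verdict.BLOCK if SQLI_PATTERN.search(packet) else Verdict.PASS), 0.05


def slow_body_check(packet: bytes) -> Tuple[Verdict, float]:
    # Stands in for an expensive module (full body decoding, model scoring): always 0.4 s.
    return Verdict.PASS, 0.4


def build_controller() -> ForwardingController:
    nodes = [SecurityNode("request_line", request_line_check),
             SecurityNode("sqli", sqli_check),
             SecurityNode("slow", slow_body_check)]
    return ForwardingController(nodes, hop_timeout=0.5, cold_start=0.1)


# Constructed sample requests.
BENIGN = b"GET /items?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
MALICIOUS = b"GET /items?id=1' OR 1=1-- HTTP/1.1\r\nHost: shop.example\r\n\r\n"

if __name__ == "__main__":
    ctl = build_controller()
    print(ctl.handle(BENIGN))                    # forwarded, nothing skipped; "slow" now has history
    print(ctl.handle(MALICIOUS))                 # blocked by "sqli"
    print(ctl.handle(BENIGN, queue_delay=0.2))   # 0.3 s left < learned 0.4 s: "slow" is skipped
```

The third call shows the point a practitioner should watch: once the slow module's learned processing time exceeds what is left of the per-hop budget, the controller forwards the message without that module ever seeing it, and the only trace is the `discards` counter and the `skipped` list.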
Further, in another embodiment of the present invention, when the security function module of the current node times out while responding, or encounters an error while processing the data packet, it sends a response timeout signal or an error return code to the forwarding controller. When the forwarding controller receives a response timeout signal or an error return code from the security function module of the current node, it proceeds to the next node: the next node is taken as the current node that needs to work and the process returns to step S22.
Further, the method for controlling the congestion of the WEB application firewall further comprises:
the forwarding controller calculating the error rate of the security function module within a preset time and dynamically calculating a send window from the error rate. The error rate is the ratio of the sum of the module's response timeout count, error return count and abandoned count within the preset time to the total number of data messages handled within the preset time. The abandoned count is the number of times within the preset time that there was no time left for the security function module to process a data message.
Specifically, when the error rate of the security function module exceeds the acceptable range, its window is reduced; when the window is insufficient (traffic is being held back by the window) while the error and timeout counts are 0, the window can be enlarged. Changing the window controls traffic forwarding: when the downstream pressure exceeds the module's processing capacity, no further pressure is applied to the downstream, which increases accuracy and quality of service and reduces the timeout rate.
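An added example of the window rule just described, written for this page rather than taken from the patent: a per-module send window recomputed once per control period from the error rate as the page defines it (timeouts, error returns and abandoned messages over all messages handled). The page does not fix a threshold or an adjustment rule, so the 20 % acceptable error rate, halving on overload and growing by one when traffic was refused with a clean period, and the name SendWindow, are assumptions of the example.

```python
# Added example, not code from the patent or DBAPPSecurity. Threshold and rule are assumed.
from typing import List

BAD_OUTCOMES = {"timeout", "error", "discard"}   # response timeout, error return, abandoned


class SendWindow:
    """Send window for one security function module.

    tick() models one preset time period. `outcomes` gives, per offered message, the result
    it has: "ok", "timeout", "error", or "discard" when the controller had no time budget and
    never sent it. Messages beyond the window are refused and counted, not sent.
    """

    def __init__(self, initial: int = 8, min_window: int = 1, max_window: int = 64,
                 max_error_rate: float = 0.2) -> None:
        self.window = initial
        self.min_window = min_window
        self.max_window = max_window
        self.max_error_rate = max_error_rate   # assumed acceptable error rate
        self.last_error_rate = 0.0

    def tick(self, outcomes: List[str]) -> int:
        handled: List[str] = []   # messages that count toward the period's error rate
        sent = 0
        refused = 0
        for outcome in outcomes:
            if outcome == "discard":
                handled.append(outcome)   # abandoned by the controller: counted, never sent
            elif sent < self.window:
                handled.append(outcome)
                sent += 1
            else:
                refused += 1              # the window, not the module, is the limit
        bad = sum(1 for o in handled if o in BAD_OUTCOMES)
        self.last_error_rate = bad / len(handled) if handled else 0.0
        if self.last_error_rate > self.max_error_rate:
            # Downstream is over its capacity: stop adding pressure, halve the window.
            self.window = max(self.min_window, self.window // 2)
        elif refused > 0 and bad == 0:
            # Traffic was held back by the window and the module ran clean: grow by one.
            self.window = min(self.max_window, self.window + 1)
        return self.window


if __name__ == "__main__":
    w = SendWindow(initial=8)
    for period in (["ok"] * 12, ["ok"] * 12, ["timeout"] * 4 + ["ok"] * 6,
                   ["ok"] * 3, ["discard"] * 2 + ["ok"] * 5):
        print(f"window={w.tick(period):2d} error_rate={w.last_error_rate:.2f}")
```

Because the page counts abandoned messages in the module's error rate even though the module never saw them, a budget shortage inside the controller (the fifth period above) shrinks that module's window just as a run of timeouts would; the example follows that definition.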
Referring to fig. 4, the WEB application firewall in the third embodiment of the present invention includes a forwarding controller and a plurality of node security function modules, where the security function module of each node is configured to process a data packet sent from a client to a server according to a preset work sequence, and the forwarding controller includes:
a receiving module 31, configured to receive the data packet;
a first judging module 32, configured to judge whether the data packet is sent by the security function module of the last node;
a setting module 33, configured to set a timeout timestamp for the data packet when the data packet is not sent by the security function module of the last node;
a determining module 34, configured to determine the remaining processing time of the data packet according to the current time and the timeout timestamp;
a second judging module 35, configured to judge whether the remaining processing time is greater than or equal to a message processing time of the security function module of the current node that needs to work;
a sending module 36, configured to send the data packet to the security function module of the current node when the remaining processing time is greater than or equal to a packet processing time of the security function module of the current node that needs to work, so that the security function module of the current node processes the data packet, and returns the processed data packet to the forwarding controller;
and an executing module 37, configured to, when the remaining processing time is less than the message processing time of the security function module of the current node that needs to work, take the next node as the current node that needs to work, and return to execute the step of determining that the data message is not sent by the security function module of the last node.
Further, the above-mentioned WEB application firewall further includes:
a computation module, configured to compute, from historical processing data, the average time taken by the security function module of the current node to process a data packet, and to use that average as the packet processing time of the security function module of the current node, where the historical processing data includes the processing times of a number of data packets successfully processed by the security function module of the current node within the most recent preset time period.
Further, the above-mentioned WEB application firewall further includes:
and the blocking module is used for blocking the data message sent to the server by the client when a blocking signal is received.
The implementation principle and the generated technical effect of the WEB application firewall provided by the embodiment of the present invention are the same as those of the method embodiment described above, and for the sake of brief description, no mention is made in the device embodiment, and reference may be made to the corresponding contents in the method embodiment described above.
The above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the modules may be located in the same processor; or the modules can be respectively positioned in different processors in any combination.
In addition, the method for controlling the congestion of the WEB application firewall in the embodiment of the present application described with reference to fig. 1 to fig. 2 is mainly implemented by an electronic device. The electronic device is for example a controller, a computer device, a server electronic device.
Fig. 5 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application. The electronic device may include a processor 81 and a memory 82 having stored computer program instructions.
Specifically, the processor 81 may include a Central Processing Unit (CPU) or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more integrated circuits implementing the embodiments of the present application.
Memory 82 may include mass storage for data or instructions. By way of example and not limitation, memory 82 may include a hard disk drive (HDD), a floppy disk drive, a solid state drive (SSD), flash memory, an optical disk, a magneto-optical disk, tape, a Universal Serial Bus (USB) drive, or a combination of two or more of these. Memory 82 may include removable or non-removable (or fixed) media, where appropriate. Memory 82 may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, memory 82 is non-volatile memory. In particular embodiments, memory 82 includes read-only memory (ROM) and random access memory (RAM). The ROM may be mask-programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), electrically alterable ROM (EAROM) or flash memory, or a combination of two or more of these, where appropriate. The RAM may be static RAM (SRAM) or dynamic RAM (DRAM), where the DRAM may be fast page mode DRAM (FPM DRAM), extended data output DRAM (EDO DRAM), synchronous DRAM (SDRAM), and the like.
The memory 82 may be used to store or cache various data files for processing and/or communication use, as well as possible computer program instructions executed by the processor 81.
The processor 81 realizes the WEB application firewall congestion control method in the above embodiment by reading and executing the computer program instructions stored in the memory 82.
In some of these embodiments, the electronic device may also include a communication interface 83 and a bus 80. As shown in fig. 5, the processor 81, the memory 82 and the communication interface 83 are connected via the bus 80 and communicate with each other over it.
The communication interface 83 is used for implementing communication between modules, devices, units and/or equipment in the embodiment of the present application. The communication interface 83 may also enable communication with other components such as: the data communication is carried out among external equipment, image/data acquisition equipment, a database, external storage, an image/data processing workstation and the like.
Bus 80 includes hardware, software, or both, coupling the components of the corresponding device to each other. Bus 80 includes, but is not limited to, at least one of: a data bus, an address bus, a control bus, an expansion bus, and a local bus. By way of example and not limitation, bus 80 may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front-Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-X (PCI eXtended) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association Local Bus (VLB), another suitable bus, or a combination of two or more of these. Bus 80 may include one or more buses, where appropriate. Although specific buses are described and shown in the embodiments of the application, any suitable bus or interconnect is contemplated.
In addition, with reference to the method for controlling congestion of a WEB application firewall in the foregoing embodiment, an embodiment of the present application may provide a computer-readable storage medium to implement the method. The computer readable storage medium having stored thereon computer program instructions; the computer program instructions, when executed by a processor, implement any one of the above-described WEB application firewall congestion control methods in the embodiments.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A congestion control method for a WEB application firewall is characterized in that the WEB application firewall comprises a forwarding controller and a plurality of safety function modules of nodes, the safety function module of each node is used for processing a data message sent from a client to a server according to a preset working sequence, the method is applied to the forwarding controller, and the congestion control method for the WEB application firewall comprises the following steps:
receiving the data message, and judging whether the data message is sent by the safety function module of the last node;
when the data message is not sent by the safety function module of the last node, setting an overtime timestamp for the data message;
determining the residual processing time of the data message according to the current time and the overtime timestamp;
judging whether the residual processing time is more than or equal to the message processing time of the safety function module of the current node needing to work or not;
if so, sending the data message to the safety function module of the current node so that the safety function module of the current node processes the data message and returns the processed data message to the forwarding controller;
if not, the next node is used as the current node needing to work, and the step of judging that the data message is not sent by the safety function module of the last node is returned.
2. The method for controlling firewall congestion of WEB application according to claim 1, wherein the step of determining whether the remaining processing time is greater than or equal to the message processing time of the security function module of the current node that needs to work further comprises:
calculating the average time of the security function module of the current node for processing the data messages according to historical processing data, and taking the calculated average time as the message processing time of the security function module of the current node, wherein the historical processing data comprises the processing time of a plurality of successfully processed data messages in the latest preset time period of the security function module of the current node.
3. The WEB application firewall congestion control method according to claim 1, wherein the security function module is configured to perform anomaly detection processing on the received data packet, and when the security function module detects that the data packet is anomalous, the security function module returns a blocking signal to the forwarding controller;
the method for controlling the congestion of the WEB application firewall further comprises the following steps:
and blocking the data message sent to the server by the client when the blocking signal is received.
4. The WEB application firewall congestion control method according to claim 1, wherein the security function module of the current node returns a processing completed data packet to the forwarding controller and also returns a processing time for completing the processing of the data packet;
the method for controlling the congestion of the WEB application firewall further comprises the following steps:
and updating the processing time of the safety function module in real time.
5. The method for controlling congestion of a WEB application firewall according to claim 1, wherein the step of sending the data packet to the security function module of the current node so that the security function module of the current node processes the data packet and returns the processed data packet to the forwarding controller further includes:
and when receiving a response timeout signal or an error return code fed back by the security function module of the current node, taking the next node as the current node that needs to work, and returning to the step of judging whether the remaining processing time is greater than or equal to the message processing time of the security function module of the current node that needs to work.
6. The WEB application firewall congestion control method of claim 5, further comprising:
calculating the error rate of the security function module within a preset time, and calculating a send window of the security function module from the error rate, wherein the error rate is the ratio of the sum of the response timeout count, the error return count and the abandoned count of the security function module within the preset time to the total number of data messages handled within the preset time, and the abandoned count is the number of times within the preset time that there was no time left for the security function module to process a data message.
7. The WEB application firewall congestion control method according to claim 1, further comprising:
and when the data message is sent by the safety function module of the last node, sending the data message to the server.
8. A WEB application firewall, characterized in that the WEB application firewall comprises a forwarding controller and security function modules of a plurality of nodes, the security function module of each node being used for processing a data message sent from a client to a server according to a preset working sequence, and the forwarding controller comprises:
a receiving module, configured to receive the data packet;
the first judging module is used for judging whether the data message is sent by the safety function module of the last node;
the setting module is used for setting an overtime timestamp for the data message when the data message is not sent by the safety function module of the last node;
the determining module is used for determining the residual processing time of the data message according to the current time and the overtime timestamp;
the second judgment module is used for judging whether the residual processing time is more than or equal to the message processing time of the safety function module of the current node needing to work;
a sending module, configured to send the data packet to the security function module of the current node when the remaining processing time is greater than or equal to a packet processing time of the security function module of the current node that needs to work, so that the security function module of the current node processes the data packet, and returns the processed data packet to the forwarding controller;
and the execution module is used for taking the next node as the current node needing to work when the residual processing time is less than the message processing time of the safety function module of the current node needing to work, and returning to execute the step of judging that the data message is not sent by the safety function module of the last node.
9. A readable storage medium on which a program is stored, which program, when executed by a processor, carries out the method according to any one of claims 1 to 7.
10. An electronic device comprising a memory, a processor, and a program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 1-7 when executing the program.
CN202110981546.XA 2021-08-25 2021-08-25 WEB application firewall, congestion control method, medium and electronic device Active CN113810383B (en)


Publications (2)

Publication Number Publication Date
CN113810383A (en) 2021-12-17
CN113810383B (en) 2022-12-20

Family

ID=78894033


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103618590A (en) * 2013-11-20 2014-03-05 北京先进数通信息技术股份公司 Overtime control method and device of business processing process
CN112671835A (en) * 2020-12-07 2021-04-16 深圳市晨北科技有限公司 Request processing method, device, system and storage medium
CN112787951A (en) * 2020-08-07 2021-05-11 中兴通讯股份有限公司 Congestion control method, device, equipment and computer readable storage medium
CN112839049A (en) * 2021-01-18 2021-05-25 北京长亭未来科技有限公司 Web application firewall protection method and device, storage medium and electronic equipment




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant