CN113938325B - Method and device for processing aggressive traffic, electronic equipment and storage equipment - Google Patents

Info

Publication number: CN113938325B
Authority: CN (China)
Prior art keywords: sub, cache, cache region, attack, message
Legal status: Active
Application number: CN202111541582.0A
Other languages: Chinese (zh)
Other versions: CN113938325A (en)
Inventors: 彭涛, 于新晖, 阎博
Current Assignee: Ziguang Hengyue Technology Co ltd
Original Assignee: Ziguang Hengyue Technology Co ltd
Application filed by: Ziguang Hengyue Technology Co ltd
Priority to: CN202111541582.0A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1458: Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the application provides a method and a device for processing aggressive traffic, electronic equipment and storage equipment, and relates to the technical field of network security. The method is applied to a terminal and comprises the following steps: first, processing a cache region of the terminal according to a preset segmentation mode to obtain a plurality of sub-cache regions, wherein each sub-cache region comprises an attack cache region; then, when an original message is received, processing the original message according to a preset filtering strategy to obtain an attack message to be cached, and allocating a target sub-cache region to the attack message according to a preset load balancing algorithm; and finally, caching the attack message in the attack cache region of the target sub-cache region. The method prevents aggressive traffic, from multiple aspects, from attacking all the cache space provided by the host or the server, and thereby effectively suppresses flooding attacks.

Description

Method and device for processing aggressive traffic, electronic equipment and storage equipment
Technical Field
The application relates to the technical field of network security, in particular to a method and a device for processing aggressive traffic, electronic equipment and storage equipment.
Background
At present, although firewalls, DDoS attack detection and prevention, intrusion prevention mechanisms and the like exist to intercept traffic attacks, while a bug is being fixed or a DDoS attack is being detected, a flooding attack (i.e., aggressive traffic) distributed around a host and a server may leave the host temporarily or permanently paralyzed. Specifically, the cache data generated by the aggressive traffic quickly occupies the CPU of the host or the server until it is overwhelmed, so that the CPU can no longer process normal traffic and breaks down.
Therefore, how to deal with flooding attacks distributed around the host and the server is a problem that urgently needs to be solved.
Disclosure of Invention
The embodiment of the application aims to solve the problem of flooding attacks distributed around a host or a server.
According to an aspect of an embodiment of the present application, a method for processing aggressive traffic is provided, which is applied to a terminal, and the method includes:
processing a cache region of a terminal according to a preset segmentation mode to obtain a plurality of sub-cache regions, wherein each sub-cache region comprises an attack cache region;
when an original message is received, processing the original message according to a preset filtering strategy to obtain an attack message to be cached;
distributing a target sub-cache region for the attack message according to a preset load balancing algorithm;
and caching the attack message to an attack cache region of the target sub-cache region.
In a possible implementation manner, processing a cache region of a terminal according to a preset partition manner to obtain a plurality of sub-cache regions includes:
equally dividing the cache area into a plurality of sub-cache areas;
configuring a priority level, a cache threshold value and a bandwidth corresponding to the priority level for each sub-cache region, wherein the priority level and the corresponding cache threshold value and bandwidth are in positive correlation;
and determining a normal cache region and an attack cache region of each sub-cache region according to the cache threshold value.
In another possible implementation manner, allocating a target sub-cache region for the attack packet according to a preset load balancing algorithm includes:
determining a first set of sub-cache regions of which the residual memory of an attack cache region is larger than zero in the plurality of sub-cache regions;
determining a second set of sub-buffers with residual bandwidth larger than zero in the first set;
accumulating the residual memories of the sub-cache regions in the second set according to the sequence of the priority levels from low to high until the accumulated residual memories are larger than or equal to the data volume of the attack message;
and determining the sub-cache regions participating in accumulation in the second set as target sub-cache regions.
In another possible implementation manner, processing the original packet according to a preset filtering policy to obtain an attack packet to be cached includes:
processing the original message according to an intrusion prevention strategy to obtain a cacheable message;
screening message data required by normal service from the message capable of being cached, and caching;
and processing the residual messages in the cacheable messages according to the preset IP address and the preset port number to obtain the attack messages to be cached.
In another possible implementation manner, after the buffer area of the terminal is processed according to the preset partitioning manner to obtain a plurality of sub-buffer areas, a state of each of the plurality of sub-buffer areas is an active state, and the method further includes:
when the residual memory of the attack cache region of any sub-cache region in the plurality of cache regions is zero, adjusting any sub-cache region from an active state to a rest state, wherein any sub-cache region does not comprise the sub-cache region with the highest priority level;
when an adjusting instruction aiming at any sub-cache region input by a user is received, adjusting the cache threshold value of any sub-cache region in a rest state so as to adjust the state of any sub-cache region to be in an active state.
In another possible implementation manner, when the remaining memory of the attack cache region of the sub-cache region corresponding to the highest priority level is zero, the method further includes:
analyzing the attack message according to a preset analysis mode so as to feed back according to an analysis result;
and deleting the attack cache region of the sub cache region with the highest priority level.
According to another aspect of the embodiments of the present application, there is provided an apparatus for processing offensive traffic, the apparatus including:
the first processing module is used for processing the cache region of the terminal according to a preset segmentation mode to obtain a plurality of sub-cache regions, wherein each sub-cache region comprises an attack cache region;
the second processing module is used for preprocessing the original message according to a preset filtering strategy when the original message is received, so as to obtain an attack message to be cached;
the load balancing module is used for distributing a target sub-cache region for the message to be cached according to a preset load balancing algorithm;
and the caching module is used for caching the attack message to be cached to the attack cache region of the target sub-cache region.
According to another aspect of the embodiments of the present application, there is provided an electronic device, including a memory, a processor and a computer program stored on the memory, the processor executing the computer program to implement the steps of the method for processing aggressive traffic shown in one aspect of the present application.
According to a further aspect of embodiments of the present application, there is provided a storage device having stored thereon a computer program that, when executed by a processor, implements the steps of the method of handling aggressive traffic as illustrated in one aspect of the present application.
According to an aspect of an embodiment of the present application, there is provided a computer program product comprising a computer program that, when executed by a processor, implements the steps of the method of processing aggressive traffic shown in an aspect of the present application.
The technical scheme provided by the embodiment of the application has the following beneficial effects:
The application provides a method for processing aggressive traffic. The original cache region is processed to obtain a plurality of sub-cache regions, and within each sub-cache region a cache space for storing attack traffic, namely the attack cache region, is determined. This technical means does not use the whole cache space of each sub-cache region for attack traffic, but leaves part of the space in each sub-cache region to provide normal service, so that the cache region as a whole is not completely filled with attack traffic. After the original message is received, it is processed by a preset strategy to obtain the attack message to be cached; this technical means strategically slims down the original message and reduces the data volume of the attack message to be cached. Finally, a target sub-cache region is determined from the plurality of sub-cache regions according to a preset load balancing algorithm, thereby determining the cache position of the attack message to be cached. The method thus prevents aggressive traffic, from multiple aspects, from attacking and occupying all the cache space provided by the host or the server, and thereby effectively suppresses flooding attacks.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings used in the description of the embodiments of the present application will be briefly described below.
Fig. 1 is a schematic flowchart of a method for processing aggressive traffic according to an embodiment of the present disclosure;
Fig. 2 is a schematic structural diagram of a terminal including a load balancing apparatus according to an embodiment of the present disclosure;
Fig. 3 is a schematic structural diagram of an apparatus for processing aggressive traffic according to an embodiment of the present application.
Detailed Description
Embodiments of the present application are described below in conjunction with the drawings in the present application. It should be understood that the embodiments set forth below in connection with the drawings are exemplary descriptions for explaining technical solutions of the embodiments of the present application, and do not limit the technical solutions of the embodiments of the present application.
As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should be further understood that the terms "comprises" and/or "comprising," when used in this specification in connection with embodiments of the present application, specify the presence of stated features, information, data, steps, operations, elements, and/or components, but do not preclude the presence or addition of other features, information, data, steps, operations, elements, components, and/or groups thereof, as embodied in the art. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may be present. Further, "connected" or "coupled" as used herein may include wirelessly connected or wirelessly coupled. The term "and/or" as used herein indicates at least one of the items defined by the term, e.g., "A and/or B" indicates either an implementation as "A", or an implementation as "A and B".
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
The terms referred to in this application will first be introduced and explained:
Load balancing: a clustering technique in which loads (e.g., work tasks) are distributed in a balanced manner to a plurality of operation units with corresponding processing capabilities, which then complete the work tasks cooperatively. In this embodiment of the present application, the load may refer to packet data, the operation units may be a plurality of sub-cache regions, and the processing operation may specifically be a cache operation.
Intrusion prevention system: in English, Intrusion Prevention System, IPS for short. The IPS is a set of computer network security devices capable of monitoring network data transmission behaviors in a network and in network devices, and can promptly interrupt, adjust or isolate abnormal or harmful network data transmission behaviors. In the IPS, a blacklist is generally set, on which a plurality of network addresses, message feature data and the like are recorded. A matching operation is performed based on the blacklist, and if the match succeeds, the corresponding abnormal or harmful network data transmission behavior may be interrupted, adjusted or isolated.
Cache: a memory capable of high-speed data exchange, which exchanges data with the CPU ahead of main memory. The cache works as follows: when the CPU needs to read a piece of data, the CPU cache is searched first, and if the data is found it is read immediately and sent to the CPU for processing; if the data is not found, it is read from the relatively slow main memory and sent to the CPU for processing, and the data block containing it is loaded into the cache, so that the whole block can later be read from the cache without accessing main memory. This reading mechanism gives the CPU a very high cache hit rate, saves the time the CPU would spend reading main memory directly, and means the CPU basically does not need to wait when reading data.
As such, a CPU cache in a normal state is one of the conditions for the CPU to operate normally. Generally, traffic related to normal services does not occupy the cache all the time and fill it up, whereas aggressive traffic arrives in flood-like volumes and is not regular, and the IPS mechanism configured on the terminal cannot, for the time being, intercept it. The cache data generated by this traffic therefore takes over the CPU cache and fills it to bursting. Even if the cache region provided is larger, the traffic still cannot be handled. Within a short time, the CPU cannot process other normal services because the cache is full, so that the terminal halts or its processes become abnormal, and it is paralyzed.
The application provides a method, an apparatus, an electronic device, a storage device, and a computer program product for processing aggressive traffic, which aim to solve the above technical problems in the prior art.
The technical solutions of the embodiments of the present application and the technical effects they produce will be described below through several exemplary embodiments. It should be noted that the following embodiments may be cross-referenced or combined with each other, and the description of the same terms, similar features, similar implementation steps and the like is not repeated across different embodiments.
Referring to fig. 1, an embodiment of the present application provides a flowchart of a method for processing aggressive traffic, where the method includes:
S110, processing a cache region of the terminal according to a preset segmentation mode to obtain a plurality of sub-cache regions, wherein each sub-cache region comprises an attack cache region;
Specifically, the cache region of the CPU of the terminal is processed according to a preset partitioning manner, so that the cache region of the CPU is partitioned into a plurality of sub-cache regions.
In a possible implementation manner, S110 may specifically include:
equally dividing the cache area into a plurality of sub-cache areas; configuring a priority level, a cache threshold value and a bandwidth corresponding to the priority level for each sub-cache region, wherein the priority level and the corresponding cache threshold value and bandwidth are in positive correlation; and determining a normal cache region and an attack cache region of each sub-cache region according to the cache threshold value.
Specifically, the cache region is divided in an average manner, so that the cache space size of each sub-cache region obtained by dividing is consistent.
Specifically, according to the number of the sub-cache regions, a plurality of priority levels with corresponding numbers are determined, and the priority levels are in an increasing trend. And sequentially distributing the priority levels to the sub-cache regions to ensure that each sub-cache region has a configured priority level.
Specifically, after configuring the priority level for each sub-buffer, a corresponding buffer threshold and a bandwidth are configured for each sub-buffer according to the configured priority level. The sub-cache region is divided into a normal cache region and an attack cache region by the cache threshold value, the normal cache region is used for caching message data related to normal industrial services, the attack cache region is used for caching attack messages, and a cache space corresponding to the cache threshold value is the attack cache region. Wherein, the bandwidth represents the data transmission rate when the attack message is cached to the attack cache region. In addition, the higher the priority level is, the larger the configured cache threshold and the bandwidth are, that is, the positive correlation is formed.
Illustratively, the cache region is equally divided into N sub-cache regions: sub-cache region 1, sub-cache region 2, …, sub-cache region N. N priority levels are determined: level 1, level 2, …, level N. After the N priority levels are configured for the N sub-cache regions, sub-cache region 1 has priority level 1, sub-cache region 2 has priority level 2, …, and sub-cache region N has priority level N. The size of the cache region is V; after it is evenly divided into N equal parts, the size of each sub-cache region is v (v = V/N). The cache thresholds corresponding to level 1 to level N are t1 to tN and the bandwidths are bw1 to bwN, both increasing, i.e. t1 < t2 < … < tN and bw1 < bw2 < … < bwN, with tN infinitely close to v. After the cache thresholds and the bandwidths are set, the states of the N sub-cache regions are as follows:
sub-cache region 1: attack cache region size t1, normal cache region size v - t1, bandwidth bw1;
sub-cache region 2: attack cache region size t2, normal cache region size v - t2, bandwidth bw2;
…
sub-cache region N: attack cache region size tN, normal cache region size v - tN, bandwidth bwN.
In the specific operation of dividing the cache region, the cache region is divided in an average mode to obtain sub-cache regions with consistent memory, a unique priority level is configured for each sub-cache region, corresponding cache thresholds and bandwidths are respectively determined according to the priority levels, and different processing capacities are configured for the sub-cache regions under the condition that cache spaces are the same. Different priority levels are configured for the sub-cache regions, so that all the sub-cache regions can be distinguished from each other in terms of processing capacity, and on the basis, the target sub-cache region can be determined according to a preset load balancing algorithm.
In one possible implementation, after obtaining the plurality of sub-buffers, the status of each sub-buffer is determined to be an active status. In the embodiment of the present application, only the sub-cache in the active state may participate in the determination process of the target sub-cache, so as to cache the attack packet.
S120, when the original message is received, processing the original message according to a preset filtering strategy to obtain an attack message to be cached;
Specifically, the original packet may be a batch of traffic data received by the terminal device.
S130, distributing a target sub-cache region for the attack message according to a preset load balancing algorithm;
S140, caching the attack message to an attack cache region of the target sub-cache region.
The embodiment of the application provides a method for processing aggressive traffic. The original cache region is processed to obtain a plurality of sub-cache regions, and within each sub-cache region a cache space for storing attack traffic, namely the attack cache region, is determined. This technical means does not use the whole cache space of each sub-cache region for attack traffic, but leaves part of the space in each sub-cache region for normal service, so that the cache region as a whole is not completely filled with attack traffic. After the original message is received, it is processed by a preset strategy to obtain the attack message to be cached; this technical means strategically slims down the original message and reduces the data volume of the attack message to be cached. Finally, a target sub-cache region is determined from the plurality of sub-cache regions according to a preset load balancing algorithm, thereby determining the cache position of the attack message to be cached. The method thus prevents aggressive traffic, from multiple aspects, from attacking all the cache space provided by the host or the server, and thereby effectively suppresses flooding attacks.
The embodiment of the present application provides a possible implementation manner, and S120 may specifically include:
processing the original message according to an intrusion prevention strategy to obtain a cacheable message; screening message data required by normal service from the message capable of being cached, and caching; and processing the residual messages in the cacheable messages according to the preset IP address and the preset port number to obtain the attack messages to be cached.
Specifically, the original packet is filtered according to an intrusion prevention policy configured on the terminal, where the intrusion prevention policy may be an intrusion prevention mechanism, i.e., IPS. First, according to the IPS, features are extracted from each piece of message data in the original message. The extracted features include but are not limited to: target address information, source address information, IP address, request mode, request time and carried identification information. The extracted features are matched one by one against the information recorded in the blacklist, the successfully matched message data is intercepted, and the remaining message data in the original message is determined to be cacheable messages.
Further, the cacheable messages are given a preliminary screening according to normal services. Similarly, the cacheable messages may be screened based on the extracted features, and the message data required by normal services is screened out and then stored in the normal cache region of any sub-cache region.
The cacheable messages are then screened again according to preset information such as the IP address and the port number. The preset IP address may be 0:0:0:0, an address that matches any message data; when the preset IP address is this address, the message data can be determined to be an attack message to be cached. The preset IP address may also be set to a specific IP address (e.g., 168.168.1.1) that is matched against the message data, and the message data with that IP address is determined to be an attack message to be cached. Likewise, the port number may be set to 80 (representing message data of an http server type), or 21 (representing message data of an ftp server type), and so on, and the message data with the corresponding port number is determined to be an attack message to be cached.
It should be noted that, the user can set an IP address, and/or a port number, and/or other information as needed to specifically deal with a certain type of message data.
The original message is first processed according to the IPS (intrusion prevention system) policy, message data required by normal services is then screened out of the cacheable messages, and finally the remaining cacheable messages are processed according to the preset IP address and the preset port number to obtain the attack messages to be cached.
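The three filtering stages of S120 described above, as an added Python example that is not code from the patent. The message fields, the blacklist layout, the normal-service list and the "other" bucket are assumptions made for illustration, as are the choices to compare the preset IP with the source address and to require every configured preset field to match; the sample batch is constructed.

```python
WILDCARD_IP = "0:0:0:0"  # wildcard exactly as the text writes it: matches any message


def matches_preset(msg, preset_ip=None, preset_ports=()):
    """Stage 3 rule. Assumptions: the preset IP is compared with the source
    address, and every field the user configured must match."""
    ip_ok = preset_ip in (None, WILDCARD_IP) or msg["src_ip"] == preset_ip
    port_ok = not preset_ports or msg["dst_port"] in preset_ports
    return ip_ok and port_ok


def filter_original(batch, blacklist, normal_peers, preset_ip=None, preset_ports=()):
    """Split a batch of original messages the way S120 describes."""
    out = {"intercepted": [], "normal": [], "attack": [], "other": []}
    for msg in batch:
        # Stage 1: IPS blacklist match on extracted features -> intercepted.
        if msg["src_ip"] in blacklist["addresses"] or any(
            sig in msg["payload"] for sig in blacklist["signatures"]
        ):
            out["intercepted"].append(msg)
        # Stage 2: data needed by normal services -> normal cache region.
        elif (msg["src_ip"], msg["dst_port"]) in normal_peers:
            out["normal"].append(msg)
        # Stage 3: preset IP address / port number -> attack message to be cached.
        elif matches_preset(msg, preset_ip, preset_ports):
            out["attack"].append(msg)
        else:
            # The text does not say what happens to the rest; kept apart here.
            out["other"].append(msg)
    return out


def attack_volume(result):
    """Data volume of the attack messages, the input to the S130 allocation."""
    return sum(len(m["payload"]) for m in result["attack"])


# Constructed sample batch (documentation addresses plus the page's 168.168.1.1).
SAMPLE = [
    {"src_ip": "203.0.113.9", "dst_port": 80, "payload": b"GET / HTTP/1.1"},
    {"src_ip": "198.51.100.7", "dst_port": 80, "payload": b"xxBADSIGxx"},
    {"src_ip": "192.0.2.10", "dst_port": 443, "payload": b"order=42"},
    {"src_ip": "168.168.1.1", "dst_port": 80, "payload": b"A" * 64},
    {"src_ip": "168.168.1.1", "dst_port": 22, "payload": b"B" * 32},
    {"src_ip": "198.51.100.8", "dst_port": 21, "payload": b"C" * 16},
]
BLACKLIST = {"addresses": {"203.0.113.9"}, "signatures": [b"BADSIG"]}
NORMAL_PEERS = {("192.0.2.10", 443)}

if __name__ == "__main__":
    res = filter_original(SAMPLE, BLACKLIST, NORMAL_PEERS, "168.168.1.1", (80, 21))
    print({k: len(v) for k, v in res.items()}, attack_volume(res))
```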
The embodiment of the present application provides a possible implementation manner, and S130 may specifically include:
determining a first set of sub-cache regions of which the residual memory of an attack cache region is larger than zero in the plurality of sub-cache regions; determining a second set of sub-buffers with residual bandwidth larger than zero in the first set; accumulating the residual memories of the sub-cache regions in the second set according to the sequence of the priority levels from low to high until the accumulated residual memories are larger than or equal to the data volume of the attack message; and determining the sub-cache regions participating in accumulation in the second set as target sub-cache regions.
The target sub-cache region comprises at least one sub-cache region.
Specifically, the remaining memory of the attack cache region of each sub-cache region is calculated, and the sub-cache regions whose remaining memory is larger than zero are taken as a set, namely the first set. Next, the remaining bandwidth of each sub-cache region in the first set is calculated, and the sub-cache regions whose remaining bandwidth is larger than zero are taken as a set, namely the second set. The data volume of the attack message is calculated, and the remaining memories of the attack cache regions of the sub-cache regions are accumulated one by one in order of priority level from low to high; each time one remaining memory has been added, it is judged whether the accumulated remaining memory is greater than or equal to the data volume of the attack message. As soon as a judgment finds that the accumulated remaining memory is greater than or equal to the data volume, the accumulation stops, and the sub-cache regions that took part in the accumulation are used as the target sub-cache regions.
For the sub-cache region whose residual memory of the attack cache region is greater than zero, the state of the sub-cache region may be set to be an active state.
According to the method for processing the aggressive traffic, the sub-cache regions which can be used as the cache destinations are screened out according to the residual memories of the attack cache regions of the sub-cache regions and the bandwidths of the sub-cache regions, and finally the target sub-cache regions are determined from the screened sub-cache regions according to the sequence of the priority levels from low to high.
The embodiment of the present application further provides a possible implementation manner, and the method further includes:
when the residual memory of the attack cache region of any sub-cache region in the plurality of cache regions is zero, adjusting any sub-cache region from an active state to a rest state, wherein any sub-cache region does not comprise the sub-cache region with the highest priority level;
Specifically, after the attack packet is cached in the target sub-cache region, the remaining memory of the attack cache region of some sub-cache regions becomes zero; the attack cache region of such a sub-cache region no longer accepts data to cache, and the state of the sub-cache region needs to be set to the rest state in time.
When an adjusting instruction aiming at any sub-cache region input by a user is received, adjusting the cache threshold value of any sub-cache region in a rest state so as to adjust the state of any sub-cache region to be in an active state.
Specifically, the adjustment instruction input by the user may be for any one sub-cache region, or may be for any plurality of sub-cache regions. The adjustment instruction further includes a new cache threshold of any sub-cache region, and the cache space of the attack cache region in any sub-cache region is adjusted according to the new cache threshold, so that more message data can be accommodated in any sub-cache region.
Illustratively, the terminal further configures a health detection mode for each sub-cache region, so as to detect the state of the remaining memory of the attack cache region of each sub-cache region. Specifically, the size of the remaining memory of the attack cache region of each sub-cache region is collected in real time; when the remaining memory is zero, the state of the sub-cache region is set to unknown (corresponding to the rest state), and when the remaining memory is greater than zero, the state of the sub-cache region is set to active (corresponding to the active state). After an adjustment instruction input by a user is received, the cache threshold of the sub-cache region named in the instruction is updated, so that the remaining memory of the attack cache region of that sub-cache region is no longer zero and its state needs to be adjusted to active.
In a possible implementation manner, when the remaining memory of the attack cache region of the sub-cache region corresponding to the highest priority level is zero, the method further includes:
analyzing the attack message according to a preset analysis mode so as to feed back according to an analysis result; and deleting the attack cache region of the sub cache region with the highest priority level.
Specifically, the attack packet may be stored, for example, in a fixed memory space or in a log, so as to analyze the attack packet, and feed back the attack packet to the user according to an analysis result. The characteristics extracted by the IPS step can be used for analyzing and recording the attributes of the attack message so as to feed back the attributes to the user.
Specifically, the deleting operation may include performing a zero clearing operation on the attack cache region of the sub-cache region of the highest priority level; or after determining the sub-cache region with the highest priority level as the target sub-cache region, deleting the attack message to be cached, which exceeds the threshold value, that is, not caching.
Referring to fig. 2, an embodiment of the present application further provides a schematic structural diagram of a terminal including a load balancing device. The terminal 200 includes an IPS device 210, a conventional screening device 220, a load balancing device 230, and a buffer 240. After entering the terminal 200, the traffic is processed in sequence by the IPS device 210 and the conventional screening device 220 to obtain attack packets. The attack packets are then input to the load balancing device 230, which screens them again to determine the attack packet to be cached and matches it with a sub-cache region; finally, the attack packet is cached in the target sub-cache region in the buffer 240.
The load balancing apparatus 230 may be configured with a virtual server and a real service group, where the real service group includes a plurality of real servers and establishes a connection with the virtual server. Each real server has a corresponding sub-cache region in the buffer 240 and acts, in effect, as the proxy of that sub-cache region in the load balancing apparatus. The virtual server is used for receiving the attack messages and filtering the original message data to obtain the attack message that needs to be cached. The real service group also configures a health detection mode for each real server, which is used for acquiring the current state of the sub-cache region corresponding to each real server. The real service group is also provided with a load balancing algorithm, which is used for distributing the attack messages to be cached to the corresponding real servers for processing. Because the real servers are the proxies of the sub-cache regions, once the attack messages to be cached are determined, the real servers need to notify the sub-cache regions of the attack messages to be cached, so that the sub-cache regions prepare for caching them.
Referring to fig. 3, an embodiment of the present application further provides a schematic structural diagram of an apparatus for processing aggressive traffic, which is applied to a terminal, where the apparatus 300 includes:
a first processing module 310, configured to process a cache region of a terminal according to a preset partition manner to obtain a plurality of sub-cache regions, where each sub-cache region includes an attack cache region;
the second processing module 320 is configured to, when an original packet is received, pre-process the original packet according to a preset filtering policy to obtain an attack packet to be cached;
the load balancing module 330 is configured to allocate a target sub-cache region for the attack packet to be cached according to a preset load balancing algorithm;
the caching module 340 is configured to cache the attack packet to be cached in an attack cache region of the target sub-cache region.
In a possible implementation manner, in processing the cache region of the terminal according to the preset partition manner to obtain the plurality of sub-cache regions, the first processing module 310 is specifically configured to perform:
equally dividing the cache area into a plurality of sub-cache areas; configuring a priority level, a cache threshold value and a bandwidth corresponding to the priority level for each sub-cache region, wherein the priority level and the corresponding cache threshold value and bandwidth are in positive correlation; and determining a normal cache region and an attack cache region of each sub-cache region according to the cache threshold value.
In a possible implementation manner, the load balancing module 330 is specifically configured to, in allocating a target sub-cache region for an attack packet according to a preset load balancing algorithm:
determining a first set of sub-cache regions of which the residual memory of an attack cache region is larger than zero in the plurality of sub-cache regions; determining a second set of sub-buffers with residual bandwidth larger than zero in the first set; accumulating the residual memories of the sub-cache regions in the second set according to the sequence of the priority levels from low to high until the accumulated residual memories are larger than or equal to the data volume of the attack message; and determining the sub-cache regions participating in accumulation in the second set as target sub-cache regions.
In a possible implementation manner, the second processing module 320 is specifically configured to, in processing the original message according to a preset filtering policy to obtain the attack message to be cached:
processing the original message according to an intrusion prevention strategy to obtain a cacheable message; screening message data required by normal service from the message capable of being cached, and caching; and processing the residual messages in the cacheable messages according to the preset IP address and the preset port number to obtain the attack messages to be cached.
In a possible implementation manner, after the cache region of the terminal is processed according to the preset partition manner to obtain a plurality of sub-cache regions, a state of each sub-cache region in the plurality of sub-cache regions is an active state, and the apparatus 300 further includes an adjusting module 350, specifically configured to:
when the remaining memory of the attack cache region of any sub-cache region among the plurality of sub-cache regions is zero, adjusting that sub-cache region from the active state to the rest state, wherein that sub-cache region is not the sub-cache region with the highest priority level;
when an adjustment instruction input by a user for any sub-cache region is received, adjusting the cache threshold of that sub-cache region, which is in the rest state, so as to adjust its state to the active state.
In a possible implementation manner, when the remaining memory of the attack cache region of the sub-cache region corresponding to the highest priority level is zero, the apparatus further includes an optimization module 360, specifically configured to:
analyzing the attack message according to a preset analysis mode so as to feed back according to an analysis result;
and deleting the attack cache region of the sub cache region with the highest priority level.
The device for processing the aggressive traffic, which is provided in the embodiment of the present application, may execute the method for processing the aggressive traffic, which is shown in the above embodiment of the present application, and the implementation principles are similar, and are not described herein again.
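The target selection performed by the load balancing module 330, together with the rest/active handling of the adjusting module 350 and the clearing step of the optimization module 360, can be sketched as follows. This is an added Python example, not code from the patent; the class and function names, the byte units, splitting a message across targets in accumulation order, and treating bandwidth only as a greater-than-zero gate are all assumptions.

```python
from dataclasses import dataclass


@dataclass
class SubCache:
    priority: int          # larger number = higher priority level (assumed encoding)
    attack_capacity: int   # bytes of the attack cache region, set by the cache threshold
    bandwidth_left: int    # residual bandwidth; used here only as a >0 gate (assumption)
    used: int = 0          # bytes of attack messages currently cached
    state: str = "active"  # "active" or "rest"

    @property
    def remaining(self) -> int:
        return self.attack_capacity - self.used


def select_targets(regions, size):
    """Pick target sub-cache regions for an attack message of `size` bytes."""
    first = [r for r in regions if r.remaining > 0]        # first set
    second = [r for r in first if r.bandwidth_left > 0]    # second set
    targets, total = [], 0
    for r in sorted(second, key=lambda r: r.priority):     # low -> high priority
        targets.append(r)
        total += r.remaining
        if total >= size:
            break
    return targets


def health_check(regions):
    """Move full regions to rest, except the highest-priority one."""
    top = max(regions, key=lambda r: r.priority)
    for r in regions:
        if r is not top:
            r.state = "active" if r.remaining > 0 else "rest"


def cache_attack(regions, size):
    """Cache the message; return (target priorities, bytes left uncached)."""
    targets, left = select_targets(regions, size), size
    for r in targets:                   # assumption: fill in accumulation order
        take = min(left, r.remaining)
        r.used += take
        left -= take
    health_check(regions)
    return [r.priority for r in targets], left


def adjust_threshold(region, new_capacity):
    """User adjustment instruction: resize the attack region and reactivate it."""
    region.attack_capacity = new_capacity
    if region.remaining > 0:
        region.state = "active"


def clear_highest(regions, report):
    """If the top-priority attack region is full: record it, then zero-clear it."""
    top = max(regions, key=lambda r: r.priority)
    if top.remaining == 0:
        report.append({"priority": top.priority, "bytes": top.used})
        top.used = 0
        return True
    return False


def demo():
    # Constructed sample: three regions whose capacity and bandwidth grow with priority.
    regions = [SubCache(1, 100, 10), SubCache(2, 200, 20), SubCache(3, 300, 30)]
    return regions, cache_attack(regions, 250)
```

A 250-byte message lands in the two lowest-priority regions and sends the first one to rest; the highest-priority region is only reached once the lower ones cannot hold the data, which keeps it free for as long as possible.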
An embodiment of the present application provides an electronic device, which includes a memory, a processor, and a computer program stored on the memory, where the processor executes the computer program to implement the steps of the method for processing aggressive traffic shown in the embodiment of the present application.
Embodiments of the present application provide a storage device, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the method for processing aggressive traffic shown in the embodiments of the present application.
Embodiments of the present application further provide a computer program product, which includes a computer program, and when the computer program is executed by a processor, the steps of the method for processing aggressive traffic shown in the embodiments of the present application are implemented.
It should be understood that, although each operation step is indicated by an arrow in the flowchart of the embodiment of the present application, the implementation order of the steps is not limited to the order indicated by the arrow. In some implementation scenarios of the embodiments of the present application, the implementation steps in the flowcharts may be performed in other sequences as desired, unless explicitly stated otherwise herein. In addition, some or all of the steps in each flowchart may include multiple sub-steps or multiple stages based on an actual implementation scenario. Some or all of these sub-steps or stages may be performed at the same time, or each of these sub-steps or stages may be performed at different times, respectively. In a scenario where execution times are different, an execution sequence of the sub-steps or the phases may be flexibly configured according to requirements, which is not limited in the embodiment of the present application.
The foregoing is only an optional implementation manner of a part of implementation scenarios in this application, and it should be noted that, for those skilled in the art, other similar implementation means based on the technical idea of this application are also within the protection scope of the embodiments of this application without departing from the technical idea of this application.

Claims (8)

1. A method for processing aggressive traffic, applied to a terminal, the method comprising:
equally dividing the cache region of the terminal into a plurality of sub-cache regions;
configuring a priority level, a cache threshold value and a bandwidth corresponding to the priority level for each sub-cache region, wherein the priority level and the corresponding cache threshold value and bandwidth are in positive correlation;
determining a normal cache region and an attack cache region of each sub-cache region according to the cache threshold value;
when an original message is received, processing the original message according to a preset filtering strategy to obtain an attack message to be cached;
distributing a target sub-cache region for the attack message according to a preset load balancing algorithm;
and caching the attack message to an attack cache region of the target sub-cache region.
2. The method according to claim 1, wherein the allocating a target sub-buffer for the attack packet according to a preset load balancing algorithm comprises:
determining a first set of sub-cache regions of which the residual memory of the attack cache region is larger than zero in the plurality of sub-cache regions;
determining a second set of sub-buffers with residual bandwidth larger than zero in the first set;
accumulating the residual memories of the sub-cache regions in the second set according to the sequence of the priority levels from low to high until the accumulated residual memories are larger than or equal to the data volume of the attack message;
and determining the sub-cache regions participating in accumulation in the second set as the target sub-cache region.
3. The method according to claim 1, wherein the processing the original packet according to the preset filtering policy to obtain the attack packet to be cached comprises:
processing the original message according to an intrusion prevention strategy to obtain a cacheable message;
screening message data required by normal service from the cacheable messages, and caching;
and processing the residual messages in the cacheable messages according to the preset IP address and the preset port number to obtain the attack messages to be cached.
4. The method of any of claims 1-3, wherein the status of each of the plurality of sub-buffers is active after determining the normal buffer and the attack buffer of each sub-buffer based on the caching threshold, the method further comprising:
when the residual memory of the attack cache region of any sub-cache region in the plurality of sub-cache regions is zero, adjusting that sub-cache region from the active state to a rest state, wherein that sub-cache region is not the sub-cache region with the highest priority level;
when an adjustment instruction input by a user for any sub-cache region is received, adjusting the cache threshold value of that sub-cache region, which is in the rest state, so as to adjust its state to the active state.
5. The method according to any one of claims 1 to 3, wherein when the remaining memory of the attack cache of the sub-cache corresponding to the highest priority level is zero, the method further comprises:
analyzing the attack message according to a preset analysis mode so as to feed back according to an analysis result;
performing a deletion operation on the attack cache region of the sub-cache region with the highest priority level, wherein the deletion operation includes any one of: performing a zero-clearing operation on the attack cache region of the sub-cache region with the highest priority level; and deleting the part of the attack message to be cached that exceeds the cache threshold value of the sub-cache region with the highest priority level.
6. An apparatus for processing aggressive traffic, applied to a terminal, the apparatus comprising:
the first processing module is used for equally dividing the cache region of the terminal into a plurality of sub-cache regions, configuring a priority level for each sub-cache region, and configuring a cache threshold value and a bandwidth corresponding to the priority level, wherein the priority level and the corresponding cache threshold value and bandwidth are in positive correlation, and determining a normal cache region and an attack cache region of each sub-cache region according to the cache threshold value;
the second processing module is used for preprocessing the original message according to a preset filtering strategy when the original message is received, so as to obtain an attack message to be cached;
the load balancing module is used for distributing a target sub-cache region for the message to be cached according to a preset load balancing algorithm;
and the caching module is used for caching the attack message to be cached to the attack cache region of the target sub-cache region.
7. An electronic device comprising a memory, a processor and a computer program stored on the memory, characterized in that the processor executes the computer program to implement the steps of the method of handling aggressive traffic according to any of claims 1 to 5.
8. A storage device having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the steps of the method of handling aggressive traffic according to any of claims 1 to 5.
CN202111541582.0A 2021-12-16 2021-12-16 Method and device for processing aggressive traffic, electronic equipment and storage equipment Active CN113938325B (en)


Publications (2)

Publication Number Publication Date
CN113938325A CN113938325A (en) 2022-01-14
CN113938325B true CN113938325B (en) 2022-03-18

Family

ID=79289160

Country Status (1)

Country Link
CN (1) CN113938325B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant