CN113992347A - Message processing method and device - Google Patents


Info

Publication number: CN113992347A
Authority: CN (China)
Prior art keywords: message, address, tunnel, flow cleaning, network
Legal status: Granted (Active)
Application number: CN202111090839.5A
Other languages: Chinese (zh)
Other versions: CN113992347B (en)
Inventor: 佟立超
Current Assignee: New H3C Security Technologies Co Ltd
Original Assignee: New H3C Security Technologies Co Ltd
Application filed by: New H3C Security Technologies Co Ltd
Priority to: CN202111090839.5A
Granted publication: CN113992347B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/21 Design, administration or maintenance of databases
    • G06F 16/215 Improving data quality; Data cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors

Abstract

The application provides a packet processing method and device. After receiving a remote traction (traffic diversion) instruction for a target IP address, the traffic cleaning device advertises a traction route to the core router through a first interface, where the traction route carries the first IP address of a second interface on the traffic cleaning device that is used for forwarding packets to the remote site. The device then receives, through the first interface, a first network packet sent by the core router whose destination IP address is the first IP address; tunnel-encapsulates the first network packet according to the pre-configured next-hop IP address of the second interface to obtain a first tunnel packet, whose destination IP address is that next-hop IP address, i.e. the tunnel IP address of the high-defense center device; and sends the first tunnel packet to the high-defense center device through the first tunnel corresponding to the second interface, so that the high-defense center device can extract the first network packet from the first tunnel packet and perform traffic cleaning on it.

Description

Message processing method and device
Technical Field
The present application relates to the field of network security technologies, and in particular to a packet processing method and apparatus.
Background
As networks have grown, attack traffic has increased, and traffic cleaning was introduced to defend against abnormal traffic. The conventional abnormal-traffic cleaning system, however, supports only local cleaning; see the abnormal-traffic cleaning system shown in Fig. 1. The management center issues a traction instruction to the cleaning device, which configures a guard route so that BGP imports the guard route and advertises it to the neighboring core router. The core router's original route has a 24-bit mask, so traffic for the server 192.168.1.2 hits the guard route by exact match and is forwarded to the cleaning device. The cleaning device cleans the traffic and, once cleaning is complete, looks up the route and forwards the traffic back to the core router. To avoid hitting the traction route again, a reinjection policy is configured whose policy-route next hop is the downstream aggregation switch, so the cleaned traffic is forwarded to the aggregation switch, which then performs a normal route lookup to complete forwarding.
In recent years, however, DDoS attacks have become frequent, and attack traffic and its impact have grown to the point where the cleaning capacity of the cleaning device may be insufficient, so a large number of high-defense center devices now pull attack traffic to themselves for protection. How to pull the traffic to the high-defense center device, and how to reinject the cleaned traffic into the original network, has therefore become a difficulty for high-defense center devices. The scheme currently available is that, when an attack occurs and the traffic is found to be abnormal, the CNAME record is manually changed on the domain name server so that the DNS server updates the network's DNS name, and new traffic arriving at the network is forwarded to the high-defense center device by default. The conventional method of manually modifying the CNAME, however, incurs a manual processing delay, during which the user equipment may be attacked for a long time; in addition, the attacking system may have obtained the IP address of the DNS server before the attack, and if the attacker attacks that IP address, the modified DNS record may not take effect immediately and subsequent traffic cannot be pulled to the high-defense center device.
Therefore, how to pull abnormal traffic to the high-defense center device in time and prevent the user equipment from being attacked is a technical problem worth considering.
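To make the longest-prefix-match diversion and the reinjection loop concrete, here is an added simulation (not code from the patent or from H3C) of the core router's forwarding decision: the existing /24 route, the injected /32 guard route, and a policy route keyed on the ingress interface that keeps cleaned traffic from hitting the guard route again. The FIB contents, next-hop labels and interface names are constructed for the example.

```python
import ipaddress

# Constructed sample FIB of the core router before any attack: (prefix, next hop).
# Next-hop labels and interface names are illustrative, not from the patent.
CORE_FIB = [
    (ipaddress.ip_network("192.168.1.0/24"), "aggregation-switch"),
    (ipaddress.ip_network("0.0.0.0/0"), "upstream"),
]


def lpm_lookup(fib, dst):
    """Longest-prefix match: the most specific prefix containing dst decides the next hop."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in fib:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best[1] if best else None


def install_guard_route(fib, target_ip, cleaner_next_hop):
    """Return a new FIB with the /32 guard (traction) route BGP advertises for the target.

    A /32 is more specific than the existing /24, so only the target's traffic is diverted
    while the rest of 192.168.1.0/24 keeps its normal path."""
    return fib + [(ipaddress.ip_network(f"{target_ip}/32"), cleaner_next_hop)]


def withdraw_guard_route(fib, target_ip):
    """Return a new FIB without the /32 guard route, i.e. after the traction is released."""
    guard = ipaddress.ip_network(f"{target_ip}/32")
    return [entry for entry in fib if entry[0] != guard]


def forward(fib, policy_routes, ingress_if, dst):
    """Core router forwarding decision for one packet.

    policy_routes maps an ingress interface to a forced next hop (the reinjection policy).
    Cleaned traffic coming back from the cleaning device bypasses the FIB, otherwise the
    guard route would send it straight back to the cleaner in a loop."""
    if ingress_if in policy_routes:
        return policy_routes[ingress_if]
    return lpm_lookup(fib, dst)


if __name__ == "__main__":
    diverted = install_guard_route(CORE_FIB, "192.168.1.2", "cleaning-device")
    print("inbound to target   :", lpm_lookup(diverted, "192.168.1.2"))
    print("inbound to neighbour:", lpm_lookup(diverted, "192.168.1.3"))
    print("cleaned, no policy  :", forward(diverted, {}, "from-cleaner", "192.168.1.2"))
    print("cleaned, with policy:", forward(diverted, {"from-cleaner": "aggregation-switch"},
                                           "from-cleaner", "192.168.1.2"))
```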
Disclosure of Invention
In view of this, the present application provides a packet processing method and apparatus, so that abnormal traffic can be pulled to the high-defense center device in time and the user equipment is prevented from being attacked.
Specifically, the method is realized through the following technical scheme:
According to a first aspect of the present application, a packet processing method is provided, applied to a traffic cleaning device, and the method includes:
after receiving a remote traction instruction for a target IP address, advertising a traction route to a core router through a first interface, where the traction route carries a first IP address of a second interface on the traffic cleaning device that is used for forwarding packets remotely;
receiving, through the first interface, a first network packet sent by the core router, where the destination IP address of the first network packet is the first IP address;
performing tunnel encapsulation on the first network packet according to a pre-configured next-hop IP address of the second interface to obtain a first tunnel packet, where the destination IP address of the first tunnel packet is the next-hop IP address and the next-hop IP address is the tunnel IP address of the high-defense center device;
and sending the first tunnel packet to the high-defense center device through a pre-established first tunnel corresponding to the second interface, so that the high-defense center device extracts the first network packet from the first tunnel packet and performs traffic cleaning on it.
According to a second aspect of the present application, a packet processing method applied to a high-defense center device is provided, the method including:
receiving a first tunnel packet sent by a traffic cleaning device, where the first tunnel packet is obtained by tunnel-encapsulating a first network packet sent by a core router after the traffic cleaning device receives a remote traction instruction;
and extracting the first network packet from the first tunnel packet and performing traffic cleaning on the first network packet.
According to a third aspect of the present application, a packet processing apparatus disposed in a traffic cleaning device is provided, the apparatus including:
a control module, configured to receive a remote traction instruction for a target IP address;
a first sending module, configured to advertise a traction route to a core router through a first interface after the control module receives the remote traction instruction for the target IP address, where the traction route carries a first IP address of a second interface on the traffic cleaning device that is used for forwarding packets remotely;
a first receiving module, configured to receive, through the first interface, a first network packet sent by the core router, where the destination IP address of the first network packet is the first IP address;
an encapsulation module, configured to perform tunnel encapsulation on the first network packet according to a pre-configured next-hop IP address of the second interface to obtain a first tunnel packet, where the destination IP address of the first tunnel packet is the next-hop IP address and the next-hop IP address is the tunnel IP address of the high-defense center device;
and a second sending module, configured to send the first tunnel packet to the high-defense center device through a pre-established first tunnel corresponding to the second interface, so that the high-defense center device can extract the first network packet from the first tunnel packet and perform traffic cleaning on it.
According to a fourth aspect of the present application, a packet processing apparatus disposed in a high-defense center device is provided, the apparatus including:
a receiving module, configured to receive a first tunnel packet sent by a traffic cleaning device, where the first tunnel packet is obtained by tunnel-encapsulating a first network packet sent by a core router after the traffic cleaning device receives a remote traction instruction;
and a traffic cleaning module, configured to extract the first network packet from the first tunnel packet and perform traffic cleaning on the first network packet.
According to a fifth aspect of the present application, there is provided an electronic device comprising a processor and a machine-readable storage medium, the machine-readable storage medium storing a computer program executable by the processor, the processor being caused by the computer program to perform the method provided by the first aspect of the embodiments of the present application.
According to a sixth aspect of the present application, there is provided a machine-readable storage medium storing a computer program which, when invoked and executed by a processor, causes the processor to perform the method provided by the first aspect of the embodiments of the present application.
The beneficial effects of the embodiments of the present application are as follows:
after receiving a remote traction instruction for a target IP address, the traffic cleaning device advertises a traction route carrying the second interface's address to the core router, so that the core router sends the first network packet for the target IP address to the traffic cleaning device; after receiving the first network packet, the traffic cleaning device encapsulates it based on the pre-configured next-hop IP address of the second interface, i.e. the tunnel IP address of the high-defense center device, and sends the resulting first tunnel packet to the high-defense center device, which performs traffic cleaning on the received packet.
Drawings
Fig. 1 is a schematic diagram of a traffic cleaning architecture;
Fig. 2 is a schematic flowchart of a packet processing method according to an embodiment of the present application;
Fig. 3 is a schematic flowchart of another packet processing method according to an embodiment of the present application;
Fig. 4 is an interaction diagram of a packet processing method according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of a packet processing apparatus according to an embodiment of the present application;
Fig. 6 is an architecture diagram of remote packet processing according to an embodiment of the present application;
Fig. 7 is an architecture diagram of local packet processing according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of another packet processing apparatus according to an embodiment of the present application;
Fig. 9 is a schematic diagram of the hardware structure of an electronic device implementing a packet processing method according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with aspects such as the present application.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the corresponding listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "when" or "upon" or "in response to determining", depending on the context.
The following describes the packet processing method provided in the present application in detail.
Referring to Fig. 2, Fig. 2 is a flowchart of a packet processing method provided in the present application. The method is applied to a traffic cleaning device and may include the following steps:
S201, after receiving a remote traction instruction for a target IP address, advertise a traction route to a core router through a first interface.
The traction route carries the first IP address of a second interface on the traffic cleaning device that is used for forwarding packets remotely.
In this step, when the detection device detects that traffic on the core router satisfies the traffic cleaning condition and requires protection by the high-defense center, it sends a remote traction instruction to the traffic cleaning device. Specifically, the detection device sends the remote traction instruction when it detects that the traffic corresponding to the target IP address has reached the set traffic volume.
Optionally, the set traffic volume may be, but is not limited to, 10 Gbps; that is, when the traffic corresponding to the target IP address reaches 10 Gbps, it is determined that this traffic requires traffic protection, which may include, but is not limited to, traffic detection and traffic cleaning.
Specifically, when the traffic cleaning device receives a remote traction instruction, in order for the traffic corresponding to the target IP address to be cleaned on the high-defense center device, the traffic cleaning device generates a traction route that carries the first IP address of the second interface used for forwarding packets, and then advertises the traction route to the core router through the first interface.
It should be noted that, before the traction route is advertised to the core router through the first interface, a peering relationship may be established with the core router in advance, specifically using the BGP protocol; once the relationship is established, the interface corresponding to it, namely the first interface, can be recorded on each device. In this way, after receiving the remote traction instruction, the traffic cleaning device generates the traction route locally and advertises it to the core router through the first interface.
Optionally, the traffic cleaning device itself has a traffic protection function. Generally, when the detection device determines that the traffic of the target IP address is between the preset threshold and the set traffic volume, the local traffic protection function of the traffic cleaning device is started; that is, the detection device sends a local traction instruction to the traffic cleaning device.
The preset threshold may be, but is not limited to, 1 Gbps. When the detection device detects that the traffic of the target IP address is greater than 1 Gbps but less than 10 Gbps, it sends a local traction instruction to the traffic cleaning device. When the traffic cleaning device receives the local traction instruction, it starts its local traffic protection function; the procedure it then executes can be the existing local traffic protection procedure, which is not described in detail here.
In addition, when the detection device detects that the traffic of the target IP address is less than 1 Gbps, the traffic corresponding to the target IP address is within the normal range and the traffic protection function need not be triggered. It should be noted that when the detection device sends a local or remote traction instruction to the traffic cleaning device, it sends the instruction to the management center, and the management center then issues it to the traffic cleaning device.
S202, receive, through the first interface, a first network packet sent by the core router, where the destination IP address of the first network packet is the first IP address.
In this step, after the core router receives the traction route, it modifies the routing table entry corresponding to the target IP address, so that all traffic for the target IP address is pulled to the traffic cleaning device. The traffic cleaning device thus receives a first network packet for the target IP address whose outer IP address is the first IP address carried in the traction route; that is, the inner IP address of the first network packet is the target IP address, and the outer IP address is the first IP address of the second interface in the traction route.
S203, perform tunnel encapsulation on the first network packet according to the pre-configured next-hop IP address of the second interface to obtain a first tunnel packet.
The destination IP address of the first tunnel packet is the next-hop IP address, and the next-hop IP address is the tunnel IP address of the high-defense center device.
Specifically, to be able to send packets to the high-defense center device without manually modifying the CNAME, after receiving the first network packet the traffic cleaning device may parse the first IP address from it, look up the routing table to find that the interface corresponding to the first IP address is the second interface, query the next-hop IP address for the first network packet based on the second interface, and tunnel-encapsulate the first network packet with that next-hop IP address to obtain the first tunnel packet, whose tunnel IP address is the tunnel IP address of the high-defense center.
S204, send the first tunnel packet to the high-defense center device through the pre-established first tunnel corresponding to the second interface, so that the high-defense center device can extract the first network packet from the first tunnel packet and perform traffic cleaning on it.
In this step, after the traffic cleaning device encapsulates the first network packet into a first tunnel packet, it sends the first tunnel packet to the high-defense center device through the first tunnel corresponding to the pre-established second interface. After receiving the first tunnel packet, the high-defense center device can extract the first network packet from it and perform traffic cleaning on the first network packet. In this way, packets that need cleaning are sent to the high-defense center device through the tunnel without the prior-art step of manually modifying the CNAME, so that traffic needing cleaning reaches the high-defense center device promptly and the user equipment is protected from attack.
It should be noted that the first tunnel is pre-established and may be, but is not limited to, a GRE (Generic Routing Encapsulation) tunnel. Specifically, the traffic cleaning device establishes the first tunnel with the high-defense center device through the core router; the interface and tunnel IP address of the first tunnel on the traffic cleaning device, and the interface and tunnel IP address of the first tunnel on the high-defense center device, are specified and recorded on both the traffic cleaning device and the high-defense center device.
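As an added illustration (not code from the patent or from H3C), the following Python builds the GRE encapsulation described in S203 and the decapsulation the high-defense center device performs on receipt, including the checks a receiving tunnel endpoint should apply before it trusts the inner packet; swapping the tunnel endpoints gives the return leg over the second tunnel. It assumes the first network packet is a plain IPv4 packet for the target; the sample packet and the tunnel addresses 10.0.0.1 (traffic cleaning device) and 10.0.0.2 (high-defense center device) are constructed for the example.

```python
import ipaddress
import struct

GRE_PROTO = 47           # IP protocol number carried in the outer IPv4 header (RFC 2784)
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type announcing an IPv4 payload


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum over 16-bit words, as used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return fields[:10] + struct.pack("!H", ip_checksum(fields)) + fields[12:]


def ip_dst(packet: bytes) -> str:
    """Destination address of an IPv4 packet (works for the outer or the inner header)."""
    return str(ipaddress.ip_address(packet[16:20]))


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Outer IPv4 (proto 47) + 4-byte GRE header + the unchanged inner packet.

    The traffic cleaning device uses its own tunnel IP as source and the pre-configured
    next hop (the high-defense center device's tunnel IP) as destination."""
    gre_header = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no C/K/S flags, GRE version 0
    payload = gre_header + inner
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(payload)) + payload


def gre_decapsulate(packet: bytes, my_tunnel_ip: str) -> bytes:
    """Strip the outer encapsulation and return the inner IPv4 packet.

    Raises ValueError for packets that are truncated, corrupted, not GRE, carry GRE
    options this endpoint does not support, or are not addressed to this endpoint."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet or too short for IPv4 + GRE")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl + 4 or total_len > len(packet):
        raise ValueError("bad outer header length fields")
    if ip_checksum(packet[:ihl]) != 0:  # a valid header sums to zero with its checksum
        raise ValueError("outer IPv4 header checksum mismatch")
    if packet[9] != GRE_PROTO:
        raise ValueError("outer protocol is not GRE")
    if ip_dst(packet) != my_tunnel_ip:
        raise ValueError("outer destination is not this tunnel endpoint")
    packet = packet[:total_len]  # drop any trailing padding
    flags_version, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_version != 0 or proto_type != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE flags/version or non-IPv4 payload")
    inner = packet[ihl + 4:]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner payload is not an IPv4 packet")
    if struct.unpack("!H", inner[2:4])[0] != len(inner):
        raise ValueError("inner IPv4 total length does not match payload size")
    return inner


def decap_rejects(packet: bytes, my_tunnel_ip: str) -> bool:
    """True if gre_decapsulate refuses the packet (exercises the failure paths)."""
    try:
        gre_decapsulate(packet, my_tunnel_ip)
    except ValueError:
        return True
    return False


def sample_first_network_packet() -> bytes:
    """Constructed first network packet: a UDP datagram to the protected target 192.168.1.2."""
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)  # src port, dst port, length, no checksum
    return ipv4_header("203.0.113.10", "192.168.1.2", 17, len(udp), ident=1) + udp


if __name__ == "__main__":
    inner = sample_first_network_packet()
    outbound = gre_encapsulate(inner, "10.0.0.1", "10.0.0.2")  # first tunnel, to the center
    print("center sees inner dst:", ip_dst(gre_decapsulate(outbound, "10.0.0.2")))
    inbound = gre_encapsulate(inner, "10.0.0.2", "10.0.0.1")   # second tunnel, reinjection
    print("cleaner sees inner dst:", ip_dst(gre_decapsulate(inbound, "10.0.0.1")))
```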
By implementing the packet processing method provided by the present application, after receiving a remote traction instruction for a target IP address, the traffic cleaning device advertises a traction route carrying the second interface's address to the core router, so that the core router sends the first network packet for the target IP address to the traffic cleaning device; after receiving the first network packet, the traffic cleaning device encapsulates it based on the pre-configured next-hop IP address of the second interface, i.e. the tunnel IP address of the high-defense center device, and sends the resulting first tunnel packet to the high-defense center device, which performs traffic cleaning on the received packet.
Optionally, the packet processing method provided by the present application further includes: receiving a second tunnel packet sent by the high-defense center device through a second tunnel corresponding to a pre-established third interface, where the second tunnel packet carries a second network packet found to be free of anomalies after traffic cleaning; extracting the second network packet from the second tunnel packet; and sending the second network packet to the core router corresponding to the next-hop IP address in the pre-configured reinjection route.
Specifically, to ensure that sending and receiving are both timely and do not interfere with each other, the application proposes that a second tunnel be established between the traffic cleaning device and the high-defense center device and negotiated with the high-defense center device, so that the high-defense center device receives network packets needing traffic cleaning over the first tunnel and returns network packets that pass traffic cleaning over the second tunnel. After the high-defense center device receives a tunnel packet, it extracts the network packet needing cleaning from the tunnel packet and performs traffic cleaning on it. When the network packet is confirmed to be free of anomalies after cleaning (for convenience of description, a network packet that shows no anomaly after traffic cleaning is referred to as a second network packet), the second network packet is tunnel-encapsulated and the resulting second tunnel packet is sent to the traffic cleaning device through the second tunnel.
After the traffic cleaning device receives the second tunnel packet, because the second tunnel packet is returned after traffic cleaning, its inner packet is known to be safe; the traffic cleaning device therefore extracts the second network packet from the second tunnel packet and reinjects it into the core router, sending it according to the next-hop IP address in the pre-configured reinjection route. This completes reinjection of the cleaned packet, so that a packet without anomalies reaches its actual receiver normally.
It should be noted that the second network packet may be the first network packet after it has passed traffic cleaning without anomalies.
Based on any of the foregoing embodiments, the packet processing method provided in this embodiment further includes: after receiving a remote traction instruction for a target IP address, disabling the local traffic cleaning function of the traffic cleaning device; and when a local traction instruction is received, enabling the local traffic cleaning function of the traffic cleaning device.
Specifically, after the traffic cleaning device receives the remote traction instruction sent by the detection device, it is subsequently used mainly to forward packets needing cleaning to the high-defense center device. To reduce the resource consumption of the traffic cleaning device, this embodiment proposes disabling its local traffic cleaning function once the remote traction instruction is received, freeing the resources that function occupies so that packets can be forwarded for remote protection more efficiently; this improves the timeliness of traffic cleaning to some extent and further helps prevent the user equipment from being attacked.
Furthermore, some traffic still needs to be protected locally on the traffic cleaning device, so after a local traction instruction sent by the detection device is received, the local traffic cleaning function of the traffic cleaning device is enabled, allowing the traffic cleaning device to perform traffic cleaning locally.
In summary, the traffic cleaning device can perform both local and remote traffic cleaning without manually modifying the CNAME, which greatly improves the efficiency of traffic cleaning. In addition, because the CNAME need not be modified, the situation in which an attacker who obtained the IP address of the DNS server before the attack then attacks that address, so that traffic cannot be pulled to the high-defense center device after the CNAME is manually modified, is avoided.
Based on the same inventive concept, the present application further provides a packet processing method applied to a high-defense center device. When the high-defense center device implements the method, it may follow the flow shown in Fig. 3, which includes the following steps:
S301, receive a first tunnel packet sent by a traffic cleaning device, where the first tunnel packet is obtained by tunnel-encapsulating a first network packet sent by a core router after the traffic cleaning device receives a remote traction instruction.
In this step, the high-defense center device receives the first tunnel packet sent by the traffic cleaning device over the first tunnel established in advance with the traffic cleaning device. The first tunnel packet carries a packet to be cleaned: it is obtained by tunnel-encapsulating the first network packet sent by the core router after the traffic cleaning device received the remote traction instruction. The outer destination IP address of the first tunnel packet is the tunnel IP address of the high-defense center device.
S302, extract the first network packet from the first tunnel packet, and perform traffic cleaning on the first network packet.
In this step, after receiving the first tunnel packet, the high-defense center device strips the outer encapsulation of the first tunnel packet to obtain the first network packet, and then performs traffic cleaning on the first network packet.
It should be noted that, when performing traffic cleaning on the first network packet, the traffic cleaning policies of different user equipments may be the same or different; when they differ, the cleaning policy for the first network packet may be looked up based on the packet information of the first network packet, and the cleaning flow is then executed according to that policy.
With the flow shown in Fig. 3, packets to be cleaned are delivered accurately to the high-defense center device, which allows timely detection and protection of the packets.
Optionally, based on the foregoing embodiment, the message processing method provided by the present application further includes: when the first network message has been traffic-cleaned and confirmed to be free of abnormality, encapsulating the first network message into a second tunnel message according to a pre-configured next hop IP address, wherein the next hop IP address is the tunnel IP address of the traffic cleaning device; and sending the second tunnel message to the traffic cleaning device.
Specifically, after the high-defense center device cleans a received message according to its cleaning protection policy and determines that the message is free of abnormality, it reinjects the message into the traffic cleaning device. To do so, the high-defense center device may pre-configure a reinjection route for cleaned traffic, that is, the reinjection route is recorded in advance in the high-defense center device, and the next hop IP address in the reinjection route is the tunnel IP address of the traffic cleaning device. On this basis, when the high-defense center device performs traffic cleaning on the first network message and confirms that it is not abnormal, it queries the routing table, determines the next-hop IP address of the first network message (the tunnel IP address of the traffic cleaning device), and then tunnel-encapsulates the first network message with that next-hop IP address to obtain a second tunnel message, whose outer IP addresses are the tunnel IP addresses of the high-defense center device and the traffic cleaning device and whose inner IP addresses are the actual IP addresses of the first network message. The second tunnel message is then sent to the traffic cleaning device through a pre-configured second tunnel. After the traffic cleaning device receives the second tunnel message, it decapsulates it to obtain the second network message and sends the second network message to the core router according to the next-hop IP address (the IP address of the core router) recorded in its local reinjection route, so that the core router delivers the second network message to the message's actual receiver. The message is thus cleaned, reinjected precisely, and delivered precisely to its actual receiver.
Optionally, to better isolate the cleaning policies of different users, the high-defense center device may pre-configure a Virtual Routing and Forwarding (VRF) instance for each user and record the traffic cleaning policy under each VRF, so that different users correspond to different traffic cleaning policies. In a specific implementation, each user is configured with a unique VRF, and a physical interface bound to that VRF is set up to receive and send that user's messages.
It should be noted that the high-defense center device may be, but is not limited to, a network node dedicated to efficient security protection, and the like.
For a better understanding of the message processing method provided by the present application, the interaction diagram shown in fig. 4 is taken as an example, with the traffic detected by the detection device for the destination IP address 192.168.1.254. Whether the traffic cleaning device cleans locally or remotely at the high-defense center device, the procedure by which it issues the pull route is the same; only the content of the issued pull route differs. Specifically, the traffic cleaning device receives either a local pull instruction (triggered when the detection device detects that the traffic of 192.168.1.254 is between 1 Gbps and 10 Gbps) or a remote pull instruction (triggered when the detection device detects that the traffic of 192.168.1.254 is not less than 10 Gbps). After receiving the local pull instruction, the traffic cleaning device sends a pull route to the core router; as shown in fig. 4, the next-hop IP address (next-hop) for the target IP address 192.168.1.254 in the issued pull route is 10.1.1.1, the IP address of the first interface of the traffic cleaning device. When the core router receives this pull route, it modifies its routing table entry for 192.168.1.254 so that the entry's next-hop IP address becomes 10.1.1.1; any network message the core router subsequently receives with destination IP address 192.168.1.254 is therefore sent to the traffic cleaning device, which performs the traffic cleaning function on it locally.
When the traffic cleaning device receives the remote pull instruction, it issues the pull route shown in fig. 4 to the core router, where the pull route carries the first IP address of the second interface, that is, 11.1.1.1, which is the physical address of the second interface. In addition, so that messages can be delivered to the high-defense center device without modifying the CNAME, the traffic cleaning device may pre-establish a first tunnel to the high-defense center device (from the traffic cleaning device's point of view the first tunnel is a sending tunnel, and it is a GRE tunnel) for transmitting the messages to be cleaned; the tunnel can be established as in existing schemes, which are not described in detail here. The tunnel IP address of the first interface associated with the first tunnel is also shown in fig. 4 and is 12.1.1.1; on the high-defense center side of the first tunnel, the interface IP address is 15.1.1.1 and the tunnel IP address is 16.1.1.1. A route is then recorded on the first interface whose next hop IP address is the tunnel IP address of the high-defense center device, as shown in fig. 4. Meanwhile, the high-defense center device records and stores a reinjection route containing a next hop IP address, namely the address used to reinject messages to the traffic cleaning device, which is the tunnel IP address 14.1.1.1 of the traffic cleaning device: 0.0.0.0/0 next-hop 14.1.1.1.
Therefore, when the traffic cleaning device receives a first network message sent by the core router, it encapsulates the first network message using the tunnel IP addresses of the two ends of the first tunnel and sends the resulting first tunnel message to the core router, which forwards it to the high-defense center device. After receiving the first tunnel message, the high-defense center device parses the first network message out of it and performs traffic cleaning on the first network message. When cleaning is complete and the message is confirmed to be free of abnormality, the first network message is recorded as a second network message; based on the reinjection route recorded by the high-defense center device, the message is then encapsulated into a second tunnel message and sent via the core router to the traffic cleaning device through a second tunnel (from the traffic cleaning device's point of view the second tunnel is a pre-established receiving tunnel, and it is a GRE tunnel); the interface of the second tunnel on the traffic cleaning device is recorded as a third interface, corresponding to the tunnel address 14.1.1.1. In this way, the traffic cleaning device receives the second tunnel message through the third interface and decapsulates the second network message from it. In order to forward the second network message to the core router, a reinjection route for the third interface is preconfigured in the traffic cleaning device, whose next hop IP address is the IP address of the core router, 13.1.1.2 (see fig. 4), so that the traffic cleaning device can find the next hop IP address of the second network message by querying the reinjection route and then send the second network message to the core router.
Therefore, without modifying the CNAME, the high-defense center device can clean and reinject the message.
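The fig. 4 walkthrough above, as an added Python simulation that is not part of the patent or of any vendor implementation: it models the detection thresholds, the pull route the core router installs, the GRE-style encapsulation between the two tunnel endpoints, the per-user VRF policy lookup at the high-defense center, and the reinjection path back through 14.1.1.1 and 13.1.1.2. The class and function names, the `demo_policy` stand-in and the sample packets are constructed assumptions; the addresses are the ones shown in fig. 4.

```python
from dataclasses import dataclass
from typing import Optional

# Addresses as drawn in fig. 4 of the description
PROTECTED_IP = "192.168.1.254"
CLEAN_DEV_IF1 = "10.1.1.1"     # first interface: next hop of the local pull route
CLEAN_DEV_IF2 = "11.1.1.1"     # second interface (physical): next hop of the remote pull route
CLEAN_DEV_TUN_TX = "12.1.1.1"  # tunnel IP on the cleaning-device side of the first tunnel
CLEAN_DEV_TUN_RX = "14.1.1.1"  # third interface: tunnel IP that receives the second tunnel
CENTER_TUN = "16.1.1.1"        # tunnel IP of the high-defense center (next hop of the second interface)
CORE_ROUTER_IP = "13.1.1.2"    # next hop of the reinjection route on the cleaning device
LOCAL_PULL_BPS = 1e9           # 1 Gbps <= rate < 10 Gbps: local pull
REMOTE_PULL_BPS = 10e9         # rate >= 10 Gbps: remote pull


@dataclass
class Packet:
    src: str
    dst: str
    payload: str
    inner: Optional["Packet"] = None  # set on a GRE tunnel message: the outer header wraps inner


def pull_instruction(rate_bps: float) -> Optional[str]:
    """Detection device: which pull instruction the observed rate for the target IP triggers."""
    if rate_bps >= REMOTE_PULL_BPS:
        return "remote"
    return "local" if rate_bps >= LOCAL_PULL_BPS else None


class CoreRouter:
    def __init__(self) -> None:
        self.table = {PROTECTED_IP: "original-path"}  # constructed entry before any pull

    def install_pull_route(self, dst: str, next_hop: str) -> None:
        self.table[dst] = next_hop  # the pull route rewrites the entry's next hop


class TrafficCleaningDevice:
    def __init__(self) -> None:
        self.local_cleaning_enabled = True
        self.tunnel_next_hop = CENTER_TUN           # route on the second interface
        self.reinjection_next_hop = CORE_ROUTER_IP  # reinjection route on the third interface

    def on_pull_instruction(self, kind: str, core: CoreRouter) -> str:
        """Issue the pull route; only the advertised next hop differs between the two modes."""
        if kind == "local":
            self.local_cleaning_enabled = True   # starting module
            next_hop = CLEAN_DEV_IF1
        elif kind == "remote":
            self.local_cleaning_enabled = False  # closing module
            next_hop = CLEAN_DEV_IF2
        else:
            raise ValueError(f"unknown pull instruction {kind!r}")
        core.install_pull_route(PROTECTED_IP, next_hop)
        return next_hop

    def on_first_network_message(self, pkt: Packet) -> Packet:
        """Remote mode: wrap the packet into the first tunnel message (outer = tunnel endpoints)."""
        return Packet(src=CLEAN_DEV_TUN_TX, dst=self.tunnel_next_hop, payload="GRE", inner=pkt)

    def on_second_tunnel_message(self, tun: Packet) -> tuple:
        """Decapsulate on the third interface and return (reinjection next hop, inner packet)."""
        if tun.dst != CLEAN_DEV_TUN_RX or tun.inner is None:
            raise ValueError("not a second tunnel message for this device")
        return self.reinjection_next_hop, tun.inner


class HighDefenseCenter:
    def __init__(self, vrf_of: dict, policy_of: dict) -> None:
        self.vrf_of = vrf_of        # protected IP -> VRF (one VRF per user)
        self.policy_of = policy_of  # VRF -> cleaning policy, a callable returning True if clean
        self.reinjection_next_hop = CLEAN_DEV_TUN_RX  # reinjection route 0.0.0.0/0 next-hop 14.1.1.1

    def on_first_tunnel_message(self, tun: Packet) -> Optional[Packet]:
        """Strip the outer header, clean under the user's VRF policy, re-encapsulate if clean."""
        if tun.dst != CENTER_TUN or tun.inner is None:
            raise ValueError("not a first tunnel message for this center")
        inner = tun.inner
        if not self.policy_of[self.vrf_of[inner.dst]](inner):
            return None  # abnormal traffic is dropped; nothing is reinjected
        return Packet(src=CENTER_TUN, dst=self.reinjection_next_hop, payload="GRE", inner=inner)


def demo_policy(pkt: Packet) -> bool:
    return pkt.payload != "flood"  # constructed stand-in: drop packets marked as flood traffic


def run_remote_scenario(rate_bps: float, packets: list) -> dict:
    """Walk fig. 4 end to end for one remote pull; returns what reached the core router again."""
    kind = pull_instruction(rate_bps)
    if kind != "remote":
        raise ValueError(f"rate {rate_bps:.2e} bps triggers {kind!r}, not a remote pull")
    core, dev = CoreRouter(), TrafficCleaningDevice()
    center = HighDefenseCenter({PROTECTED_IP: "vrf-user1"}, {"vrf-user1": demo_policy})
    advertised = dev.on_pull_instruction(kind, core)
    reinjected, dropped = [], 0
    for pkt in packets:
        assert core.table[pkt.dst] == advertised  # the core router now diverts to the cleaning device
        second = center.on_first_tunnel_message(dev.on_first_network_message(pkt))
        if second is None:
            dropped += 1
            continue
        nh, clean = dev.on_second_tunnel_message(second)
        reinjected.append((nh, clean.src, clean.dst))
    return {"core_next_hop": advertised, "reinjected": reinjected, "dropped": dropped}
```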
Based on the same inventive concept, the application also provides a message processing device corresponding to the message processing method implemented by the flow cleaning equipment. The implementation of the message processing apparatus may refer to the above description of the message processing method implemented by the traffic cleaning device, and is not discussed here one by one.
Referring to fig. 5, fig. 5 is a message processing apparatus provided in a flow cleaning device according to an exemplary embodiment of the present application, where the apparatus includes:
a control module 501, configured to receive a remote pull instruction for a target IP address;
A first sending module 502, configured to, after the control module 501 receives a remote pulling instruction of a target IP address, issue a pulling route to a core router through a first interface, where the pulling route includes a first IP address of a second interface on the traffic cleaning device, where the second interface is used to remotely forward a packet;
a first receiving module 503, configured to receive, through the first interface, a first network packet sent by the core router, where a destination IP address of the first network packet is the first IP address;
an encapsulating module 504, configured to tunnel-encapsulate the first network packet according to a pre-configured next-hop IP address of the second interface to obtain a first tunnel packet, where the destination IP address of the first tunnel packet is the next-hop IP address, and the next-hop IP address is the tunnel IP address of the high-defense center device;
a second sending module 505, configured to send the first tunnel packet to the high-defense center device through a pre-established first tunnel corresponding to the second interface, so that the high-defense center device parses the first network packet out of the first tunnel packet and performs traffic cleaning on the first network packet.
Optionally, the message processing apparatus provided in this embodiment further includes:
a second receiving module (not shown in the figure), configured to receive, through a second tunnel corresponding to a pre-established third interface, a second tunnel packet sent by the high defense center device, where the second tunnel packet carries a second network packet that has no exception after traffic cleaning;
an analyzing module (not shown in the figure), configured to analyze the second network packet from the second tunnel packet;
a third sending module (not shown in the figure), configured to send the second network packet to a core router corresponding to a next hop IP address in a re-injection route according to the next hop IP address in the pre-configured re-injection route.
Optionally, the message processing apparatus provided in this embodiment further includes:
a closing module (not shown in the figure) for closing the local flow cleaning function of the flow cleaning equipment after receiving the remote traction instruction of the target IP address;
and the starting module (not shown in the figure) is used for starting the local flow cleaning function of the flow cleaning equipment when receiving the local traction instruction.
Optionally, the remote traction instruction is sent by the detection device when detecting that the traffic corresponding to the target IP address reaches a set traffic.
For a better understanding of the message processing method provided in the present application, the description is made with reference to the message processing architecture diagram shown in fig. 6. It should be noted that the first sending module, the first receiving module, and the second sending module in fig. 5 may be arranged inside the forwarding module shown in fig. 6, and that fig. 6 does not show all of the modules in fig. 5; it is only an example and does not limit the structure of the message processing apparatus. On this basis, after receiving a remote pull instruction from the detection device, the control module locally generates a pull route and passes it to the first sending module in the forwarding module, which sends the pull route to the core router through the first interface. The first receiving module of the forwarding module then receives the first network message sent by the core router through the first interface and forwards it to the encapsulating module; the encapsulating module tunnel-encapsulates the first network message according to the pre-configured next hop IP address of the second interface to obtain a first tunnel message and hands it to the second sending module in the forwarding module, which sends the first tunnel message through the first tunnel to the high-defense center device, so that the high-defense center device parses the first network message out of the first tunnel message and performs traffic cleaning on it.
After the high-defense center device completes traffic cleaning, it sends a second tunnel message to the traffic cleaning device. The second receiving module in the forwarding module receives the second tunnel message and forwards it to the parsing module; once the parsing module has parsed the second network message out of the second tunnel message, it passes the second network message to the third sending module in the forwarding module, which sends the second network message to the core router corresponding to the next hop IP address in the pre-configured reinjection route. Cleaning and reinjection of the message by the high-defense center device is thus completed.
In addition, the traffic cleaning device also has a local protection function; referring to fig. 7, its rough processing logic is as follows. The traffic cleaning device receives a local pull instruction sent by the detection device, and the control module in the traffic cleaning device sends a local pull route to the core router based on that instruction, so that the core router pulls the subsequent traffic of the target IP address to the traffic cleaning device. The protection module in the traffic cleaning device in fig. 7 then receives the pulled traffic (the traffic corresponding to the target IP address) from the core router and performs traffic cleaning on it; after cleaning, if the pulled traffic is confirmed to be free of abnormality, it is passed to the forwarding module, which reinjects the cleaned traffic into the core router, and the core router sends the traffic to its actual receiver.
Based on the same inventive concept, the application also provides a message processing device corresponding to the message processing method implemented by the high defense center equipment. The implementation of the message processing apparatus may specifically refer to the above description of the message processing method implemented by the high defense center device, and is not discussed here one by one.
Referring to fig. 8, fig. 8 is a message processing apparatus provided in a high-defense center device according to an exemplary embodiment of the present application, where the apparatus includes:
a receiving module 801, configured to receive a first tunnel message sent by a traffic cleaning device, where the first tunnel message is obtained by performing tunnel encapsulation on a first network message sent by a core router after the traffic cleaning device receives a remote pulling instruction;
a traffic cleaning module 802, configured to analyze the first network packet from the first tunnel packet, and perform traffic cleaning on the first network packet.
Optionally, the message processing apparatus provided in this embodiment further includes:
an encapsulation module (not shown in the figure), configured to encapsulate the first network packet into a second tunnel packet according to a pre-configured next hop IP address when the first network packet has been traffic-cleaned and is confirmed to be free of abnormality, where the next hop IP address is the tunnel IP address of the traffic cleaning device;
a sending module (not shown in the figure) configured to send the second tunnel packet to the traffic cleaning device.
Based on the same inventive concept, an embodiment of the present application provides an electronic device, which may be, but is not limited to, the traffic cleaning device or the high-defense center device. As shown in fig. 9, the electronic device includes a processor 901 and a machine-readable storage medium 902, where the machine-readable storage medium 902 stores a computer program executable by the processor 901, and the computer program causes the processor 901 to execute the message processing method provided in any embodiment of the present application. The electronic device further comprises a communication interface 903 and a communication bus 904, and the processor 901, the communication interface 903 and the machine-readable storage medium 902 communicate with each other through the communication bus 904.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The memory may include a Random Access Memory (RAM), a DDR SDRAM (Double Data Rate Synchronous Dynamic Random Access Memory), or a Non-Volatile Memory (NVM) such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In addition, the embodiment of the present application provides a machine-readable storage medium, which stores a computer program, and when the computer program is called and executed by a processor, the computer program causes the processor to execute the message processing method provided by the embodiment of the present application.
For the embodiments of the electronic device and the machine-readable storage medium, since the contents of the related methods are substantially similar to those of the foregoing embodiments of the methods, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the embodiments of the methods.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The implementation process of the functions and actions of each unit/module in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, wherein the units/modules described as separate parts may or may not be physically separate, and the parts displayed as units/modules may or may not be physical units/modules, may be located in one place, or may be distributed on a plurality of network units/modules. Some or all of the units/modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (11)

1. A message processing method is applied to flow cleaning equipment, and the method comprises the following steps:
after receiving a remote traction instruction of a target IP address, issuing a traction route to a core router through a first interface, wherein the traction route comprises a first IP address of a second interface used for remotely forwarding a message on the flow cleaning equipment;
receiving a first network message sent by the core router through the first interface, wherein a destination IP address of the first network message is the first IP address;
according to a pre-configured next hop IP address of the second interface, performing tunnel encapsulation on the first network message to obtain a first tunnel message, wherein the destination IP address of the first tunnel message is the next hop IP address, and the next hop IP address is the tunnel IP address of the high-defense center equipment;
and sending the first tunnel message to high-defense center equipment through a first tunnel corresponding to the pre-established second interface, so that the high-defense center equipment analyzes the first network message from the first tunnel message and performs flow cleaning on the first network message.
2. The method of claim 1, further comprising:
receiving a second tunnel message sent by the high defense center equipment through a second tunnel corresponding to a pre-established third interface, wherein the second tunnel message carries a second network message which has no abnormality after flow cleaning;
analyzing the second network message from the second tunnel message;
and sending the second network message to a core router corresponding to the next hop IP address in the re-injection route according to the pre-configured next hop IP address in the re-injection route.
3. The method of claim 1, further comprising:
after receiving a remote traction instruction of a target IP address, closing a local flow cleaning function of the flow cleaning equipment;
and when a local traction instruction is received, starting a local flow cleaning function of the flow cleaning equipment.
4. The method of claim 1, wherein the remote traction command is sent by a detection device when detecting that the traffic corresponding to the target IP address reaches a set traffic.
5. A message processing method is applied to high defense center equipment, and the method comprises the following steps:
receiving a first tunnel message sent by a flow cleaning device, wherein the first tunnel message is obtained by performing tunnel encapsulation on a first network message sent by a core router after the flow cleaning device receives a remote traction instruction;
and analyzing the first network message from the first tunnel message, and carrying out flow cleaning on the first network message.
6. The method of claim 5, further comprising:
when the first network message is subjected to flow cleaning and no abnormality of the first network message is confirmed, the first network message is packaged into a second tunnel message according to a pre-configured next hop IP address, wherein the next hop IP address is a tunnel IP address of flow cleaning equipment;
and sending the second tunnel message to the flow cleaning equipment.
7. A message processing device is characterized in that the message processing device is arranged in a flow cleaning device, and the device comprises:
the control module is used for receiving a remote traction instruction of a target IP address;
the first sending module is used for issuing a traction route to a core router through a first interface after the control module receives a remote traction instruction of a target IP address, wherein the traction route comprises a first IP address of a second interface used for remotely forwarding a message on the flow cleaning equipment;
a first receiving module, configured to receive, through the first interface, a first network packet sent by the core router, where a destination IP address of the first network packet is the first IP address;
the encapsulation module is used for performing tunnel encapsulation on the first network message according to a pre-configured next hop IP address of the second interface to obtain a first tunnel message, wherein the destination IP address of the first tunnel message is the next hop IP address, and the next hop IP address is the tunnel IP address of the high-defense center equipment;
and the second sending module is used for sending the first tunnel message to the high-defense center equipment through a first tunnel corresponding to the pre-established second interface, so that the high-defense center equipment can analyze the first network message from the first tunnel message and perform flow cleaning on the first network message.
8. The apparatus of claim 7, further comprising:
a second receiving module, configured to receive a second tunnel message sent by the high defense center device through a second tunnel corresponding to a pre-established third interface, where the second tunnel message carries a second network message that is not abnormal after traffic cleaning;
the analysis module is used for analyzing the second network message from the second tunnel message;
and a third sending module, configured to send the second network packet to a core router corresponding to a next hop IP address in a re-injection route according to the next hop IP address in the pre-configured re-injection route.
9. The apparatus of claim 7, further comprising:
the closing module is used for closing the local flow cleaning function of the flow cleaning equipment after receiving the remote traction instruction of the target IP address;
and the starting module is used for starting the local flow cleaning function of the flow cleaning equipment when a local traction instruction is received.
10. A message processing device, which is arranged in a high-defense center device, the device comprises:
the receiving module is used for receiving a first tunnel message sent by a flow cleaning device, wherein the first tunnel message is obtained by performing tunnel encapsulation on a first network message sent by a core router after the flow cleaning device receives a remote traction instruction;
and the flow cleaning module is used for analyzing the first network message from the first tunnel message and cleaning the flow of the first network message.
11. The apparatus of claim 10, further comprising:
the encapsulation module is used for encapsulating the first network message into a second tunnel message according to a pre-configured next hop IP address when the first network message is subjected to flow cleaning and no abnormality of the first network message is confirmed, wherein the next hop IP address is a tunnel IP address of flow cleaning equipment;
and the sending module is used for sending the second tunnel message to the flow cleaning equipment.
CN202111090839.5A 2021-09-17 2021-09-17 Message processing method and device Active CN113992347B (en)
Publications (2)

Publication Number Publication Date
CN113992347A true CN113992347A (en) 2022-01-28
CN113992347B CN113992347B (en) 2023-09-19
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant