CN114024731A - Message processing method and device - Google Patents


Info

Publication number: CN114024731A
Application number: CN202111275013.6A
Authority: CN (China)
Prior art keywords: acl, policy, strategy, external network, interface
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN114024731B (en)
Inventors: 方海成, 董俊文, 赵旭东
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by Hangzhou DPTech Technologies Co Ltd; priority to CN202111275013.6A; publication of CN114024731A; application granted; publication of CN114024731B; legal status active.

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Controlling access to devices or network resources > H04L 63/101 Access control lists [ACL]
    • H04L 63/02 Separating internal from external traffic, e.g. firewalls
    • H04L 63/12 Applying verification of the received information > H04L 63/123 Verification of received data contents, e.g. message integrity
    • H04L 63/14 Detecting or protecting against malicious traffic > H04L 63/1441 Countermeasures against malicious traffic > H04L 63/1458 Denial of Service

Abstract

The application provides a message processing method and device. The method comprises the following steps: acquiring a target message through the external network interface; matching the target message against the effective ACL release policies on the external network interface, wherein each ACL release policy is generated for an external network IP address contained in an effective IP policy on any interface of the network device; and processing the target message according to the matching result. With this technical scheme, external network IP addresses are extracted from the effective IP policies on any interface of the network device, ACL policies are generated automatically from the extracted addresses, and message filtering is performed using the generated ACL policies. Attack protection for the network device is thus achieved without the time and labour cost of configuring a protective measure manually, and without the mistakes that manual configuration may introduce.

Description

Message processing method and device
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for processing a packet.
Background
With the growth of Internet bandwidth and the continual release of DDoS (Distributed Denial of Service) attack tools, DDoS attacks have become easier and easier to carry out, and the number of DDoS attack incidents is rising.
To defend against DDoS attacks in the related art, a protective measure such as a whitelist must be configured manually on the network device, for example a server. When a whitelist is configured, the legitimate IP addresses must be added in advance to the whitelist maintained by the network device; moreover, the whitelist mechanism checks whether an accessing IP address is legitimate by discarding the first packet, which slows down message processing. The manual configuration process also consumes a great deal of time and labour and is prone to operator error.
Disclosure of Invention
In view of this, the present application provides a message processing method and device to address the deficiencies of the related art.
Specifically, the method is realized through the following technical scheme:
According to a first aspect of the present application, there is provided an ACL policy generation method, the method including:
acquiring the effective IP policies on any interface of the network device when the external network interface has ACL protection enabled;
generating a corresponding ACL release policy (a permit rule) for each external network IP address contained in those IP policies;
and applying the ACL release policy to the external network interface so that it takes effect there.
According to a second aspect of the present application, there is provided a message processing method, including:
acquiring a target message through the external network interface;
matching the target message against the effective ACL release policies on the external network interface, wherein each ACL release policy is generated for an external network IP address contained in an effective IP policy on any interface of the network device;
and processing the target message according to the matching result.
According to a third aspect of the present application, there is provided an ACL policy generation apparatus, the apparatus including:
a policy obtaining unit, configured to obtain the IP policies that are effective on any interface of the network device;
an ACL policy generating unit, configured to generate a corresponding ACL release policy for each external network IP address contained in the IP policies;
and an ACL policy configuration unit, configured to apply the ACL release policy to the external network interface so that it takes effect there.
According to a fourth aspect of the present application, there is provided a message processing apparatus, including:
a message obtaining unit, configured to obtain a target message through the external network interface;
an ACL policy generating unit, configured to generate a corresponding ACL release policy for each external network IP address contained in the IP policies;
a matching unit, configured to match the target message against the effective ACL release policies on the external network interface;
and a processing unit, configured to process the target message according to the matching result.
According to a fifth aspect of the present application, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method of the first or second aspect.
According to a sixth aspect of the present application, there is provided an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the method of the first or second aspect when executing the program.
The technical scheme provided by the embodiments of the application can have the following beneficial effects:
in the embodiments of the application, external network IP addresses are extracted from the effective IP policies on any interface of the network device, ACL policies are generated automatically from the extracted addresses, and message filtering is performed using the generated ACL policies. Attack protection for the network device is thus achieved without the time and labour cost of configuring a protective measure manually, and without the mistakes that manual configuration may introduce.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present specification and together with the description, serve to explain the principles of the specification.
Fig. 1 is a flowchart of an ACL policy generation method according to an embodiment of the present application;
Fig. 2 is a flowchart of a message processing method according to an embodiment of the present application;
Fig. 3 is a system architecture diagram of a message processing apparatus according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a firewall device according to an embodiment of the present application;
Fig. 5 is a flowchart of a message processing method based on an ACL policy according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of an ACL policy generation apparatus according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at ...", "when ..." or "in response to determining", depending on the context.
A DDoS (Distributed Denial of Service) attack uses client/server techniques to combine many computers into an attack platform that launches a denial-of-service attack against one or more targets, multiplying the force of the denial-of-service attack many times over.
SYN Flood is a typical DDoS attack that exploits a weakness in the TCP handshake. Two communicating parties enter the fully open connection state only after at least three successful exchanges of information, as follows:
First handshake: to establish the connection, the client sends a SYN packet (SYN=j) to the server, enters the SYN_SENT state, and waits for the server to confirm;
Second handshake: on receiving the SYN packet, the server must acknowledge the client's SYN (ACK=j+1) and at the same time send its own SYN packet (SYN=k), that is, a SYN+ACK packet; the server now enters the SYN_RECV state;
Third handshake: the client receives the server's SYN+ACK packet and sends an acknowledgement packet ACK (ACK=k+1) to the server; once this packet has been sent, client and server enter the ESTABLISHED state and the three-way handshake is complete.
During the three-way handshake the server maintains a half-open (not yet connected) queue, with one entry per client SYN packet (SYN=j) received, indicating that the server has received the SYN, has sent an acknowledgement to the client, and is waiting for the client's acknowledgement packet. Such an entry keeps the server in the SYN_RECV state; it is deleted when the client's acknowledgement arrives and the server enters the ESTABLISHED state.
SYN Flood exploits exactly this property of the three-way handshake: within a short time a large number of clients forge a large number of non-existent source IP addresses and keep sending SYN packets to the server; the server replies with acknowledgement packets and waits for the clients' confirmation, but because the source addresses do not exist it must keep retransmitting until the entries time out. The forged SYN packets thus occupy the half-open queue for a long time, legitimate SYN requests are discarded, large amounts of the server's CPU and memory are consumed, and the target system slows down, the network becomes congested, and the system may even become unusable.
In the related art, protection against SYN Flood can be achieved by configuring a whitelist policy: when a client accesses the server, the device checks whether the user's IP address is in the whitelist, and if it is, access proceeds without hindrance. However, the whitelist mechanism checks whether an accessing IP address is legitimate by discarding the first packet, which slows down message processing, and the manual configuration process also consumes a great deal of time and cost and is subject to human error.
The application therefore provides a new message processing scheme: external network IP addresses are extracted from the effective IP policies on any interface of the network device, ACL policies are generated automatically from the extracted addresses, and message filtering is performed using the generated ACL policies, so as to protect the network device against attack without the time and labour cost of configuring a protective measure manually and without the mistakes that manual configuration may introduce.
Embodiments of the message processing method according to the present application are described in detail below with reference to the accompanying drawings.
Fig. 1 is a flowchart of an ACL policy generation method according to an embodiment of the present application. As shown in Fig. 1, the method is applied to a network device on which an external network (extranet) interface is configured, and may include the following steps:
Step 101: when the external network interface has ACL protection enabled, acquire the effective IP policies on any interface of the network device.
The network device is a physical entity connected to the network, and may specifically be a firewall device. It is placed between the external network and the internal network in order to protect the internal network in which the server is located, and to resist network attacks when a client attacks the server's internal network through the external network.
The external network interface is the interface of the network device that connects to the external network. The network device receives, through this interface, the target message that a client sends to the server.
ACL protection is configured on the external network interface, and the user can manually choose whether to enable it. If the user chooses not to enable ACL protection, the network device does not perform the subsequent steps, and the target message is passed directly to the server for processing.
An effective IP policy may be an effective NAT policy or packet filtering policy on any interface, and that interface may be either an external network interface or an internal network interface.
NAT (Network Address Translation) translates an internal network IP address in the IP header of a packet into an external network IP address, and can likewise translate an external network IP address in the IP header into an internal network IP address; by also translating port numbers it allows addresses to be reused, and it is a transitional technique for relieving the exhaustion of public IPv4 addresses. The public network address pool of a NAT policy may be expressed as follows:
    nat address-group 1 202.38.160.101
As can be seen above, address group 1 contains the external network IP address 202.38.160.101. Once the NAT policy has been configured, internal network IP addresses are translated to the external network IP address 202.38.160.101, so that hosts on the server's internal network can reach the external network through the NAT policy.
As described above, the legitimate external network IP address contained in the NAT policy, namely 202.38.160.101, can therefore be obtained from the NAT policy.
A packet filtering policy filters messages based on IP addresses: whether a message is discarded or forwarded is decided from the external network IP address in its header. If the external network IP address in the header meets the criteria, the message is forwarded; if it does not, the message is discarded. The set of criteria may be called a filter. Its general form may be:
    policy 0
    action permit
    policy destination 116.117.129.245
As stated above, the external network IP address 116.117.129.245 meets the criteria and is allowed to pass.
As described above, the legitimate external network IP address contained in the packet filtering policy, namely 116.117.129.245, can therefore be obtained from the packet filtering policy.
The IP policy in the embodiments of the present application is of interest because it contains legitimate external network IP addresses, so its specific type is not limited: it may be a NAT policy or a packet filtering policy, and any policy that can supply legitimate IP addresses falls within the scope of protection of the present application.
An effective IP policy is one in a normal working state: based on it, the network device performs the NAT translation or packet filtering described above on the messages received by the corresponding interface. If an IP policy is not effective, the network device does not perform NAT translation or packet filtering on that interface's messages based on it, and in that case, even if ACL protection is enabled on the external network interface, the network device will not acquire the ineffective IP policy on that interface.
Step 102: generate a corresponding ACL release policy for each external network IP address contained in the IP policies.
An ACL (Access Control List) is a collection of one or more rules. A rule is a judgement statement describing the conditions a message must match, such as its source address, destination address or port number. An ACL is essentially a message filter, and its rules are the filter elements. The device matches messages against these rules, can thereby pick out specific messages, and allows or blocks them according to the processing policy of the service module that applies the ACL.
Normally the conditions in an ACL policy must be configured manually. Taking the message source IP address as an example, the specific form may be:
    [Switch]acl number 2001
    [Switch-acl-basic-2001]rule permit source 172.168.100.1
which allows messages with source IP address 172.168.100.1 to pass, and:
    [Switch]acl number 2002
    [Switch-acl-basic-2002]rule deny source any
which rejects all messages.
The network device generates the ACL release policies from the IP addresses contained in the IP policies only when ACL protection (step 101) is enabled and the IP policy on the interface in question is effective.
The ACL policy generated in the embodiments of the application is an ACL release policy for the external network IP address, written automatically from the extracted address. The priority of the generated ACL release policy can be set according to the security domain of the interface on which the IP policy is referenced, and is slightly higher than the default priority of that interface.
The security domain of an interface is a collection of assets or information systems with the same security level. For example, the interfaces of the network device may be divided into three security domains:
1. Untrust, a low-level security domain with default priority 10, is normally used to define an untrusted network such as the Internet, and the network entry line is connected to it.
2. DMZ (Demilitarized Zone), a medium-level security domain with default priority 20, is normally used to define the network in which the internal servers are located. Servers that must be reachable from outside, such as web and e-mail servers, are connected separately to the ports of this zone, so that the entire internal network to be protected, connected to the ports of the Trust zone, need not allow any external access; this separates the internal network from the external network and meets user requirements. The DMZ can be understood as a special network area distinct from both the external and the internal network, in which public servers holding no confidential information, such as Web, Mail and FTP servers, are usually placed. A visitor from the external network can thus reach the services in the DMZ but cannot touch the company's confidential or private information kept in the internal network, and even if a server in the DMZ is compromised, the confidential information in the internal network is not affected.
3. Trust, a high-level security domain with default priority 30, is normally used to define the network in which the internal users are located, and can be understood as the most tightly protected zone.
Each security domain contains a number of interfaces, and the number of interfaces in a security domain is not limited.
Taking the NAT policy and the packet filtering policy described in step 101 as examples:
The external network IP address in the NAT policy is 202.38.160.101, and the network device generates a corresponding ACL release policy for each of these two groups of external network IP addresses. For the NAT policy it may specifically be:
    [Switch]acl number 2003
    [Switch-acl-basic-2003]rule permit source 202.38.160.101
The security domain of the interface on which the NAT policy is located is Untrust, whose default priority is 10, so the priority of these ACL release policies can be set manually or automatically to 11 or higher.
In this embodiment a larger priority value means a higher priority. Note that the magnitude of the priority value does not affect the technical principle of the present application, and a different value or a different way of expressing priority does not place a scheme outside its scope.
The external network IP address in the packet filtering policy is 116.117.129.245, and the network device generates an ACL release policy for this group of external network IP addresses. It may specifically be:
    [Switch]acl number 2004
    [Switch-acl-basic-2004]rule permit source 116.117.129.245
The security domain of the interface on which the packet filtering policy is located is Untrust, whose default priority is 10, so the priority of this ACL policy can be set manually or automatically to 11 or higher.
If the same external network IP address is contained in several IP policies on the network device, the network device generates several ACL release policies with different priorities, according to the different security domains of the interfaces on which those IP policies are located.
For example, a NAT policy is configured on one internal network interface and contains the external network IP address 202.38.160.101; at the same time another NAT policy is configured on another internal network interface and contains the same external network IP address 202.38.160.101. The two interfaces referencing the NAT policies are in different security domains, so although both NAT policies contain the same external network IP address, two ACL release policies are generated for the IP address 202.38.160.101, with priorities determined by the security domains of the interfaces on which the NAT policies are referenced.
If the interfaces referencing the IP policies that contain the same external network IP address are in the same security domain, only one ACL release policy, with the corresponding priority, is generated.
For example, a NAT policy is configured on one internal network interface and contains the external network IP address 202.38.160.101; at the same time another NAT policy is configured on another internal network interface and contains the same external network IP address 202.38.160.101. The two interfaces referencing the NAT policies are in the same security domain, so only one corresponding ACL release policy is generated, with its priority set according to the interface referencing the NAT policy.
If the same external network IP address appears several times within one IP policy, only one corresponding ACL release policy is generated, and the network device sets its priority according to the security domain of the interface referencing that IP policy.
For example, a NAT policy configured on an internal network interface translates different internal network IP addresses to the same external network IP address, 202.38.160.101. Because the internal addresses differ while the external address is the same, the same external network IP address may be written several times in the NAT policy; in this situation the network device generates only one corresponding ACL release policy.
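The generation rules of steps 101 and 102 above (effective policies only, one release policy per external IP and security domain, priority one above the domain default), together with the priority-ordered matching of the second aspect against the default full-block policy described later in the embodiment, as an added Python example that is not part of the patent and not the assignee's code. The domain priorities 10/20/30 and the starting ACL number 2003 follow the description; the data layout, the treatment of a message that matches no rule at all (blocked), and the CLI rendering are assumptions:

```python
# Added example (not the patent's code): automatic ACL release-policy generation
# from effective IP policies, plus priority-ordered matching of a target message.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Default priorities of the three security domains named in the description.
DOMAIN_PRIORITY: Dict[str, int] = {"Untrust": 10, "DMZ": 20, "Trust": 30}


@dataclass(frozen=True)
class IpPolicy:
    """An IP policy (NAT or packet filtering) referenced on one interface (assumed layout)."""
    kind: str                       # "nat" or "filter"
    interface: str                  # interface the policy is referenced on
    domain: str                     # security domain of that interface
    external_ips: Tuple[str, ...]   # external network IP addresses the policy contains
    effective: bool = True          # only effective policies are read (step 101)


@dataclass(frozen=True)
class AclPolicy:
    acl_number: int
    action: str      # "permit" (release policy) or "deny" (full block)
    source: str      # dotted IP or "any"
    priority: int    # larger value = higher priority, as in the description


def generate_release_policies(policies: List[IpPolicy], acl_protection_on: bool,
                              first_acl_number: int = 2003) -> List[AclPolicy]:
    """Steps 101/102: collect external IPs from effective policies and emit one
    permit rule per (IP, security domain), priority = domain default + 1."""
    if not acl_protection_on:
        return []                     # protection disabled: nothing is generated
    seen = set()
    out: List[AclPolicy] = []
    number = first_acl_number
    for pol in policies:
        if not pol.effective:
            continue                  # an ineffective policy is never acquired
        for ip in pol.external_ips:
            key = (ip, pol.domain)
            if key in seen:
                continue              # same IP in same domain: a single release policy
            seen.add(key)
            out.append(AclPolicy(number, "permit", ip, DOMAIN_PRIORITY[pol.domain] + 1))
            number += 1
    return out


def default_block_policy(extranet_domain: str, acl_number: int = 2000) -> AclPolicy:
    """Full-block policy created when ACL protection is enabled; its priority is
    the default priority of the external interface's security domain (assumption)."""
    return AclPolicy(acl_number, "deny", "any", DOMAIN_PRIORITY[extranet_domain])


def match_packet(src_ip: str, acls: List[AclPolicy]) -> str:
    """Second aspect: the highest-priority rule whose source matches decides."""
    for rule in sorted(acls, key=lambda r: r.priority, reverse=True):
        if rule.source == "any" or rule.source == src_ip:
            return rule.action
    return "deny"                     # assumption: no matching rule means blocked


def render_cli(rule: AclPolicy) -> str:
    """Render a rule in the [Switch] CLI style shown in the description."""
    return (f"[Switch]acl number {rule.acl_number}\n"
            f"[Switch-acl-basic-{rule.acl_number}]rule {rule.action} source {rule.source}")


if __name__ == "__main__":
    # Constructed sample: the NAT and packet filtering policies from the description,
    # a duplicate in the same domain, the same IP in another domain, and an
    # ineffective policy that must be ignored.
    sample = [
        IpPolicy("nat", "ge0/1", "Untrust", ("202.38.160.101",)),
        IpPolicy("filter", "ge0/2", "Untrust", ("116.117.129.245",)),
        IpPolicy("nat", "ge0/3", "Untrust", ("202.38.160.101",)),
        IpPolicy("nat", "ge0/4", "DMZ", ("202.38.160.101",)),
        IpPolicy("nat", "ge0/5", "Trust", ("203.0.113.5",), effective=False),
    ]
    acls = [default_block_policy("Untrust")] + generate_release_policies(sample, True)
    for r in acls:
        print(render_cli(r), "  ; priority", r.priority)
    print(match_packet("202.38.160.101", acls), match_packet("198.51.100.7", acls))
```

Running the sample yields three release policies (2003 and 2004 at priority 11, 2005 at priority 21 for the DMZ copy) above the full-block rule at priority 10, so 202.38.160.101 is permitted while an address that appears in no policy is blocked.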
In this embodiment, the external network IP addresses of step 102 are stored in a cache table in the network device, implemented as a hash table. The cache table stores the external network IP addresses, and when an ACL release policy becomes abnormal it can be recovered from the cache table, which improves the network device's ability to remediate.
A hash table is a data structure accessed directly by key value: a record is reached by mapping its key to a location in the table, which speeds up lookup. The mapping function is called the hash function, and the array holding the records is the hash table. The hash table can be regarded as an array, and storing an element takes two steps:
First step: obtain the key of the data element and compute the hash function value (address) of the key. If the storage location corresponding to that address is unoccupied, store the element there; otherwise perform the second step to resolve the conflict.
Second step: compute the next storage address for the key. If that address is also occupied, repeat the second step until an available storage address is found.
To look up data, the hash address is computed from the key being searched for using the same function, and the corresponding storage unit is read directly to obtain the data element.
Specifically, the hash table stores the external network IP addresses as follows:
First, a region of memory is set aside in advance for storing IP addresses, and the addresses of this region are known. Each hash function value is then associated with one memory address in this region.
Take as an example a NAT policy containing the external network IP addresses 202.38.160.101 and 116.117.129.245, where the security domain of the interface on which the NAT policy is located is Untrust with default priority 10.
With the key set to IP1:
after the network device obtains the external network IP address contained in the NAT policy, it computes the hash function value from the key IP1, obtains the memory storage address 00 from the correspondence, and stores the external network IP address 202.38.160.101 at memory storage address 00.
With the key set to IP2:
after the network device obtains the external network IP address contained in the NAT policy, it computes the hash function value from the key IP2, obtains the memory storage address 11 from the correspondence, and stores the external network IP address 116.117.129.245 at memory storage address 11.
Further external network IP addresses are stored in the same way, which is not repeated here.
The contents of the hash table can then be shown as:
    Key   Memory storage address   Value
    IP1   00                       202.38.160.101
    IP2   11                       116.117.129.245
Table 1
The priority of the hash table shown in Table 1 is determined by the security domain of the interface on which the referenced NAT policy is located, and is slightly higher than that interface's default priority; since the security domain of the interface referencing the NAT policy in Table 1 is Untrust with default priority 10, the priority of the hash table in Table 1 may be 11 or higher.
The network device then periodically generates the corresponding ACL release policies from the external network IP addresses stored in the hash table and the priority of the hash table; the priority of each generated ACL release policy is the same as the priority of the hash table.
Using the keys IP1 and IP2, the network device computes via the hash function the starting storage address of the external network IP address array, reads the external network IP addresses from it, and generates the corresponding ACL release policies from those addresses.
Generating the policies periodically avoids tying up too much of the device's performance with frequent, continuous ACL policy generation. The hash table provides both storage and recovery of the IP addresses: if the ACL policies fail unexpectedly, the data can be recovered from the IP addresses stored in the hash table.
For example, two ACL release policies with priority 11 or higher may be generated from the external network IP addresses stored in the hash table of Table 1 and the priority of that table. Specifically:
    [Switch]acl number 2005
    [Switch-acl-basic-2005]rule permit source 202.38.160.101
    [Switch]acl number 2006
    [Switch-acl-basic-2006]rule permit source 116.117.129.245
Step 103, enabling the ACL release policy to take effect on the external network interface.
The ACL release policies are generated according to the external network IP addresses contained in the IP policies, and each ACL release policy has its corresponding priority.
The present application also provides an embodiment that applies after a user turns on ACL protection.
If the user chooses to turn on ACL protection, the network device can automatically generate a default ACL full blocking policy that blocks all IP addresses by default, and the priority of this default ACL full blocking policy is determined according to the security domain where the external network interface is located.
For example, after the user turns on the ACL protection configured on the extranet interface, a default ACL full blocking policy is generated automatically; because the security domain where the extranet interface is located is Untrust and the default priority is 10, the priority of the ACL full blocking policy is 10. Specifically, it can be represented as follows:
[Switch]acl number 2007
[Switch-acl-basic-2007]rule deny source any
It can be understood that the default ACL full blocking policy prevents all messages from passing, but its priority of 10 is lower than that of the ACL release policies described above, so the default ACL full blocking policy with priority 10 is executed only when none of the ACL release policies is hit. This avoids the situation in which a message hits none of the ACL release policies and no corresponding processing is defined.
In this case, the ACL policies that take effect in step 103 may include:
1) the ACL release policies;
2) the default ACL full blocking policy.
Fig. 2 is a flowchart of a message processing method shown in the embodiment of the present disclosure, where the method is applied to the network device, and the method may include the following steps:
step 201, obtaining a target message through the extranet interface.
A message (packet) is a data unit exchanged and transmitted in the network, that is, the data block sent by a station at one time. A message contains the complete data to be sent; its length is not fixed and may vary without limit. The target message described in the embodiments of the present application refers to a message sent by a client that contains a source IP address.
The external network interface is, as described in the embodiment of fig. 1, an interface for connecting an external network in the network device.
Step 202, matching the target message according to the ACL release policies in effect on the external network interface, where each ACL release policy is generated for an external network IP address contained in an IP policy in effect on any interface of the network device.
The specific ACL release policy generation method is described in detail in the embodiment of fig. 1 and is not repeated here.
The ACL release policies in effect on the external network interface contain the external network IP addresses that are allowed to pass.
If the source IP address of the target message hits an ACL release policy in effect on the external network interface, the target message is allowed to pass.
If the source IP address of the target message hits several ACL release policies in effect on the external network interface, only the ACL release policy with the highest priority is executed.
If the source IP address of the target message hits no ACL release policy in effect on the external network interface but only the default ACL full blocking policy, the target message is discarded and access to the server is refused.
For example, the source IP address of the target message is 202.38.160.101, and the ACL release policy in effect on the external network interface is:
[Switch]acl number 2008
[Switch-acl-basic-2008]rule permit source 202.38.160.101
and the default ACL full blocking policy is:
[Switch]acl number 2009
[Switch-acl-basic-2009]rule deny source any
The target message misses the IP address in the ACL release policy and hits only the default ACL full blocking policy, so the target message is discarded and access to the server is refused.
The application also provides another embodiment, in which the network device comprises a switch chip and a CPU.
The switch chip is an integrated circuit with simple functions and excellent performance that can implement most functions of a switch. However, the present application does not limit the kind of switch chip: it may be a CPU with an instruction set as its core or an FPGA with LUT gates as its core, and any switch chip that can implement the functions of the embodiments described in the present application falls within the scope of protection of the present application.
Both the switch chip and the CPU can be configured with the ACL policies, so that the switch chip or the CPU matches and processes the target message based on the ACL policies.
The ACL policies may include the ACL release policies and the default ACL full blocking policy.
Specifically, after the target message enters the network device:
When the switch chip is normal, the switch chip matches the message and determines whether it passes. If the matching result hits only the default ACL policy, the switch chip denies access; if the matching result hits several ACL release policies, the switch chip executes only the ACL release policy with the highest priority. The ACL release policies configured on the switch chip are generated periodically by the network device according to the external network IP addresses stored in the hash table. After the target message is matched and allowed access, the CPU in the network device performs the subsequent service processing. If the target message is matched and denied access, the target message is discarded.
When the switch chip is abnormal, the CPU performs the message matching and processing. If the matching result hits only the default ACL policy, the CPU denies access; if the matching result hits several ACL release policies, the CPU executes only the ACL release policy with the highest priority. The ACL release policies configured on the CPU are generated periodically by the network device according to the external network IP addresses stored in the hash table. After the target message is matched and allowed access, the CPU in the network device performs the subsequent service processing. If the target message is matched and denied access, the target message is discarded.
Under the action of the switch chip or the CPU, the target message is filtered based on the generated ACL release policies, attacks by malicious messages are blocked, and the server can operate normally.
Step 203, processing the target message according to the matching result.
If the target message hits an ACL release policy, access to the server is allowed and the target message is processed according to its service type.
If the target message hits no ACL release policy and only the default ACL full blocking policy, the target message is discarded and no subsequent service processing is performed on it.
Fig. 3 is a system architecture diagram of a message processing apparatus according to an embodiment of the present application, including a client 301, a firewall device 302, and a server 303.
The client 301 is configured to send the target message.
The firewall device 302 is configured to match and process the target message sent by the client 301, so as to protect the server 303 from attack by a large number of malicious messages sent by the client 301.
The server 303 is configured to receive and process the target message that has been matched, processed and released by the firewall device 302.
The network where the server 303 is located is the intranet, the network where the client 301 is located is the extranet, and the firewall device 302 sits between the server 303 and the client 301 to protect the server 303 from malicious attacks by a large number of clients 301.
Specifically, the structure of the firewall device 302 is shown in fig. 4 and may include:
The switch chip 401, configured to match and process the target message based on the configured ACL release policies.
The CPU 402, configured to match and process the target message based on the configured ACL policies when the switch chip is abnormal.
The extranet interface 403, which is the interface through which the firewall device 302 connects to the extranet.
The interface 404, which is an interface configured with IP policies.
The security domain 405, which is a security domain divided manually according to the extranet interface 403; the priority of the default ACL full blocking policy is determined according to the priority of the security domain 405.
The security domain 406, which is a security domain divided manually according to the interface 404; the priority of the generated ACL release policies is determined according to the priority of the security domain 406 and is slightly higher than that of the default ACL full blocking policy.
When the switch chip 401 is abnormal, the firewall device 302 periodically generates the ACL release policies according to the external network IP addresses stored in the hash table and configures them to the CPU 402, and the CPU 402 performs the message matching and processing based on the configured ACL release policies.
Under the action of the switch chip or the CPU, the matching, filtering and processing of the message are completed, and the server 303 is protected from attack by malicious messages. Because the hash table caches the public network IP addresses, data recovery of the ACL release policies can be completed when the ACL release policies become abnormal, which improves the remedial capability of the system.
Fig. 5 is a flowchart of a message processing method based on an ACL policy according to an embodiment of the present application. How the target message is matched, filtered and processed is described in detail below with reference to fig. 3, 4 and 5.
Step 501, the extranet interface 403 opens ACL protection.
The user can choose whether to turn on the ACL protection.
If the user chooses not to turn on ACL protection:
Step 502 is executed: the two target messages sent by the client 301 are received directly.
The source IP address of the first target message is 202.38.160.101, the source IP address of the second target message is 116.117.129.245, and the server 303 directly processes each target message according to its service type.
In this embodiment, the user chooses to turn on the ACL protection configured on the extranet interface 403, and the firewall device performs the following steps:
Step 503, generating a default ACL full blocking policy.
The firewall device 302 generates a default ACL full blocking policy for the extranet interface 403, specifically:
[Switch]acl number 2010
[Switch-acl-basic-2010]rule deny source any
Because the security domain 405 where the extranet interface is located is Untrust with a default priority of 10, the priority of the default ACL policy is also determined to be 10.
Step 504, generating the corresponding ACL release policy according to the IP policy configured on the interface 404.
The firewall device 302 extracts the legal external network IP address according to the NAT policy on the interface 404, where the legal IP address is 202.38.160.101. The NAT policy address pool is specifically:
nat address-group 1 202.38.160.101
The firewall device 302 calculates a hash function value according to the keyword IP1, obtains the memory storage address 00 according to the hash function value, and stores the external network IP address there if that memory storage address is empty. In this way the firewall device stores the extracted external network IP address in the hash table.
The firewall device 302 periodically generates the corresponding ACL release policy for the external network IP address stored in the hash table, namely 202.38.160.101. The priority of the hash table follows the security domain 406 of the interface 404 where the NAT policy is located: that domain is Untrust with priority 10, so the priority of the hash table is determined to be 11.
The generated ACL release policy is specifically as follows:
[Switch]acl number 2011
[Switch-acl-basic-2011]rule permit source 202.38.160.101
The priority of this ACL policy is kept consistent with that of the hash table, namely 11.
Step 505, configuring the ACL release policy to the switch chip 401.
The switch chip 401 is configured with two ACL policies:
1) the default ACL full blocking policy:
[Switch]acl number 2010
[Switch-acl-basic-2010]rule deny source any
2) the ACL release policy:
[Switch]acl number 2011
[Switch-acl-basic-2011]rule permit source 202.38.160.101
Step 506, the switch chip 401 matches and processes the target messages based on the configured ACL policies.
The source IP address of the first target message is 202.38.160.101; it hits the ACL release policy with priority 11 among the ACL policies configured on the switch chip 401, so after matching by the switch chip 401 the first target message can access the server 303 normally.
The source IP address of the second message is 116.117.129.245; it hits only the default ACL policy with priority 10 and misses the remaining ACL policies, so after matching by the switch chip 401 the second message is denied access to the server 303.
Thus the matching and processing of the target messages are realized based on the switch chip 401 and the ACL policies configured on it.
For ease of understanding, only two ACL policies are configured on the switch chip in this embodiment: a default ACL policy and an ACL policy generated from the NAT policy. The generation and matching principles for multiple ACL release policies are the same and are therefore not described further.
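The flow of steps 503 to 506, together with the cache-table regeneration of the fig. 1 embodiment, as an added Python simulation that is not code from the patent; the class and method names (PolicyEngine, generate_release_policies, match_packet) are assumptions made for illustration, and the ACL numbers are constructed sample values that happen to follow the page's numbering.

```python
"""Simulation of ACL release/full-block policy generation and matching.

Added example, not code from the patent. Names are assumptions; the domain
priority (Untrust = 10) and the +1 rule for release policies follow the text.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Default priority of the Untrust security domain, as stated on the page.
DOMAIN_PRIORITY = {"untrust": 10}


@dataclass
class AclPolicy:
    number: int      # ACL number, e.g. 2010 (constructed)
    action: str      # "permit" (release policy) or "deny" (full blocking policy)
    source: str      # source IP address or "any"
    priority: int    # when several policies are hit, the highest priority wins

    def matches(self, src_ip: str) -> bool:
        return self.source == "any" or self.source == src_ip

    def cli(self) -> str:
        """Render the policy in the switch CLI form used on the page."""
        return (f"[Switch]acl number {self.number}\n"
                f"[Switch-acl-basic-{self.number}]rule {self.action} source {self.source}")


@dataclass
class PolicyEngine:
    extranet_domain: str       # security domain 405 of the extranet interface
    policy_domain: str         # security domain 406 of the interface holding the NAT policy
    next_acl_number: int = 2010
    # Cache (hash) table: key IP1, IP2, ... -> external network IP address
    cache: Dict[str, str] = field(default_factory=dict)
    policies: List[AclPolicy] = field(default_factory=list)

    def cache_extranet_ips(self, nat_addresses: List[str]) -> Dict[str, str]:
        """Store the extranet IPs of a NAT address pool under keys IP1, IP2, ..."""
        for ip in nat_addresses:
            if ip not in self.cache.values():          # skip duplicates
                self.cache[f"IP{len(self.cache) + 1}"] = ip
        return dict(self.cache)

    def _alloc(self) -> int:
        number = self.next_acl_number
        self.next_acl_number += 1
        return number

    def enable_protection(self) -> AclPolicy:
        """Step 503: default full-block policy at the extranet domain's priority."""
        deny = AclPolicy(self._alloc(), "deny", "any",
                         DOMAIN_PRIORITY[self.extranet_domain])
        self.policies.append(deny)
        return deny

    def generate_release_policies(self) -> List[AclPolicy]:
        """Step 504 / timed regeneration: rebuild permit policies from the cache.

        Priority is the policy domain's priority + 1, so a permit always
        outranks the default deny. Old permits are dropped first, which is
        also how recovery after a lost ACL policy works.
        """
        prio = DOMAIN_PRIORITY[self.policy_domain] + 1
        self.policies = [p for p in self.policies if p.action != "permit"]
        new = [AclPolicy(self._alloc(), "permit", ip, prio)
               for ip in self.cache.values()]
        self.policies.extend(new)
        return new

    def match_packet(self, src_ip: str) -> str:
        """Step 506: return 'permit', 'deny', or 'unfiltered' (protection off)."""
        hits = [p for p in self.policies if p.matches(src_ip)]
        if not hits:
            return "unfiltered"
        best = max(hits, key=lambda p: p.priority)   # only the highest priority executes
        return "permit" if best.action == "permit" else "deny"


if __name__ == "__main__":
    engine = PolicyEngine("untrust", "untrust")
    engine.enable_protection()
    engine.cache_extranet_ips(["202.38.160.101"])
    for policy in engine.generate_release_policies():
        print(policy.cli())
    for ip in ("202.38.160.101", "116.117.129.245"):
        print(ip, "->", engine.match_packet(ip))
```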
Fig. 6 is a schematic structural diagram of an electronic device shown in this specification, and referring to fig. 6, the electronic device includes, at a hardware level, a processor 601, a network interface 602, a memory 603, a non-volatile memory 604, and an internal bus 605, and may also include hardware required by other services. The processor reads the corresponding computer program from the non-volatile memory into the memory and then runs. Of course, besides the software implementation, the present application does not exclude other implementations, such as logic devices or a combination of software and hardware, and the like, that is, the execution subject of the following processing flow is not limited to each logic unit, and may also be hardware or logic devices.
Corresponding to the embodiment of the method, the application also provides an embodiment of a device for generating the ACL policy.
Referring to fig. 7, fig. 7 is a block diagram of an apparatus for generating an ACL policy according to this specification, as shown in fig. 7, the apparatus for generating the ACL policy is applied to a network device, and an extranet interface is configured on the network device, and the apparatus includes:
A policy obtaining unit 701, configured to obtain an IP policy in effect on any interface of the network device.
An ACL policy generating unit 702, configured to generate a corresponding ACL release policy for the external network IP address contained in the IP policy.
An ACL policy configuration unit 703, configured to bring the ACL release policy into effect on the extranet interface.
Optionally, the apparatus further comprises:
An ACL full blocking policy generating unit 704, configured to generate an ACL full blocking policy and bring it into effect on the external network interface when the external network interface is in the ACL protection open state, where the ACL release policy has a higher priority than the ACL full blocking policy.
Optionally, the apparatus further comprises:
A cache unit 705, configured to store the external network IP address in a cache table;
and the ACL policy generating unit 702 is specifically configured to periodically read all the external network IP addresses recorded in the cache table and generate a corresponding ACL release policy for each external network IP address read.
Optionally, the network device is configured with a switch chip and a CPU, and the ACL policy configuration unit 703 is specifically configured to:
configure the ACL release policy to the switch chip when the switch chip works normally,
and configure the ACL release policy to the CPU when the switch chip is abnormal.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
According to the technical scheme provided by the application, the external network IP addresses are extracted from the IP policies in effect on any interface of the network device, ACL policies are generated automatically from the extracted external network IP addresses, and message filtering is performed based on the generated ACL policies. This achieves attack protection for the network device, avoids the time and labor cost of manually configuring a protection mechanism, and prevents the misconfiguration that manual configuration may introduce.
While this specification contains many specific implementation details, these should not be construed as limitations on the scope of any invention or of what may be claimed, but rather as descriptions of features specific to particular embodiments of particular inventions. Certain features that are described in this specification in the context of separate embodiments can also be implemented in combination in a single embodiment. In other instances, features described in connection with one embodiment may be implemented as discrete components or in any suitable subcombination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a subcombination or variation of a subcombination.
Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In some cases, multitasking and parallel processing may be advantageous. Moreover, the separation of various system modules and components in the embodiments described above should not be understood as requiring such separation in all embodiments, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
Thus, particular embodiments of the subject matter have been described. Other embodiments are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. Further, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some implementations, multitasking and parallel processing may be advantageous.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. An ACL policy generation method applied to a network device, wherein an extranet interface is configured on the network device, the method comprising:
acquiring an effective IP strategy on any interface in the network equipment under the condition that the external network interface is in an ACL protection open state;
generating a corresponding ACL release strategy aiming at an external network IP address contained in the IP strategy;
and validating the ACL put-through strategy to the external network interface.
2. The method of claim 1, further comprising:
generating an ACL full blocking strategy and taking effect to the external network interface under the condition that the external network interface is in an ACL protection open state;
wherein the ACL open policy has a higher priority than the ACL full block policy.
3. The method of claim 1, further comprising:
storing the external network IP address in a cache table;
the generating of the corresponding ACL release strategy comprises: and periodically reading all the external network IP addresses recorded in the cache table, and respectively generating corresponding ACL release strategies according to the read external network IP addresses.
4. The method of claim 3, wherein the network device is configured with a switch chip and a CPU, and wherein validating the ACL put through policy to the extranet interface comprises:
when the switching chip works normally, configuring the ACL release strategy to the switching chip;
and when the exchange chip is abnormal, configuring the ACL release strategy to the CPU.
5. A message processing method is applied to network equipment, and is characterized in that the method comprises the following steps:
acquiring a target message through the external network interface;
matching the target message according to an effective ACL release strategy on the external network interface, wherein the ACL release strategy is generated aiming at an external network IP address contained in an effective IP strategy on any interface in the network equipment;
and processing the target message according to the matching result.
6. The method of claim 5, wherein an ACL full block policy is also asserted on the extranet interface, and wherein the ACL open policy has a higher priority than the ACL full block policy.
7. An ACL policy generation apparatus applied to a network device, the network device having an extranet interface configured thereon, the apparatus comprising:
a policy obtaining unit, configured to obtain an IP policy that takes effect on any interface in the network device;
an ACL policy generating unit, which is used for generating a corresponding ACL release policy aiming at the external network IP address contained in the IP policy;
and the ACL strategy configuration unit is used for enabling the ACL put-through strategy to be effective to the external network interface.
8. A message processing apparatus, applied to a network device, the apparatus comprising:
a message obtaining unit, configured to obtain a target message through the extranet interface;
an ACL policy generating unit, which is used for generating a corresponding ACL release policy aiming at the external network IP address contained in the IP policy;
the matching unit is used for matching the target message according to the effective ACL put-through strategy on the external network interface;
and the processing unit is used for processing the target message according to the matching result.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 6.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method according to any of claims 1 to 6 are implemented when the processor executes the program.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111275013.6A CN114024731B (en) 2021-10-29 2021-10-29 Message processing method and device

Publications (2)

Publication Number Publication Date
CN114024731A true CN114024731A (en) 2022-02-08
CN114024731B CN114024731B (en) 2023-04-25

Family

ID=80058825

Country Status (1)

Country Link
CN (1) CN114024731B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101267437A (en) * 2008-04-28 2008-09-17 杭州华三通信技术有限公司 Packet access control method and system for network devices
WO2012167541A1 (en) * 2011-11-09 2012-12-13 华为技术有限公司 Method, system and apparatus for implementing intercommunication multicast in passive optical network
CN103152269A (en) * 2013-02-26 2013-06-12 杭州华三通信技术有限公司 NAT (Network Address Translation)-based message forwarding method and equipment
CN105337890A (en) * 2014-07-16 2016-02-17 杭州迪普科技有限公司 Control strategy generation method and apparatus
WO2018137384A1 (en) * 2017-01-24 2018-08-02 华为技术有限公司 Method, device, and system for adjusting a forwarding path
CN110505176A (en) * 2018-05-16 2019-11-26 中兴通讯股份有限公司 Determination, sending method and device, the route system of message priority
CN113079097A (en) * 2021-03-24 2021-07-06 新华三信息安全技术有限公司 Message processing method and device

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
HIROKAZU SAYAMA: ""Test Tool for Equivalence of Access Control List"" *
薄鹏: ""巧用IP安全策略与ACL限制网站访问"" *
陈昌奇;吴军平;: "ACL功能在MDU设备中研究与实现" *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116996332A (en) * 2023-09-28 2023-11-03 无锡沐创集成电路设计有限公司 Network message filter, filtering method and network message filter set
CN116996332B (en) * 2023-09-28 2023-12-26 无锡沐创集成电路设计有限公司 Network message filter, filtering method and network message filter set

Also Published As

Publication number Publication date
CN114024731B (en) 2023-04-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant