CN116455653A - Data processing method and device - Google Patents

Data processing method and device

Info

Publication number
CN116455653A
Authority
CN
China
Prior art keywords
cleaning
data packet
programmable chip
processor
destination network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310459638.0A
Other languages
Chinese (zh)
Inventor
李家康
鲁洁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba China Co Ltd
Original Assignee
Alibaba China Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba China Co Ltd
Priority to CN202310459638.0A
Publication of CN116455653A

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/1458 Denial of Service
              • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L63/1425 Traffic logging, e.g. anomaly detection
            • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
              • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a data processing method and device applied to DDoS defense equipment, wherein the DDoS defense equipment comprises a programmable chip and a processor, and the method comprises the following steps: the programmable chip acquires a first data packet; the programmable chip acquires detection information, wherein the detection information is determined by the processor according to data packets acquired by the programmable chip in a historical period; the programmable chip executes first cleaning processing on the first data packet according to the detection information, and the processor executes second cleaning processing on the first data packet according to the detection information, so as to obtain a cleaning result, wherein the cleaning result is that the first data packet is discarded or that the first data packet is not discarded; if the cleaning result is that the first data packet is not discarded, the programmable chip forwards the first data packet. The processing efficiency of DDoS attack defense is thereby improved.

Description

Data processing method and device
Technical Field
The present disclosure relates to the field of computers, and in particular, to a data processing method and apparatus.
Background
In the internet, servers may be subject to distributed denial of service (DDoS) attacks. A DDoS attack may send a large number of abnormal data packets to a server so as to occupy the resources of the server, such that normal data packets cannot be processed by the server.
In the related art, a DDoS detection device and a cleaning device may be deployed in front of the server. The DDoS detection device can detect a DDoS attack through a detection algorithm, and the cleaning device can clean the DDoS attack through a cleaning policy. However, in the above manner, the DDoS detection device and the cleaning device are generally two independent devices, and the processing is generally performed by a processor whose processing resources are limited, resulting in low processing efficiency for DDoS attacks.
Disclosure of Invention
Various aspects of the present application provide a data processing method and apparatus, so as to improve the processing efficiency of DDoS attack defense.
In a first aspect, an embodiment of the present application provides a data processing method, applied to a DDoS defense device, where the DDoS defense device includes a programmable chip and a processor, and the method includes:
the programmable chip acquires a first data packet;
the programmable chip acquires detection information, wherein the detection information is determined by the processor according to data packets acquired by the programmable chip in a history period;
the programmable chip executes first cleaning processing on the first data packet according to the detection information, and the processor executes second cleaning processing on the first data packet according to the detection information, so as to obtain a cleaning result, wherein the cleaning result is that the first data packet is not discarded or that the first data packet is discarded;
and if the cleaning result is that the first data packet is not discarded, the programmable chip forwards the first data packet.
In one possible implementation manner, the programmable chip executing first cleaning processing on the first data packet according to the detection information, and the processor executing second cleaning processing on the first data packet according to the detection information, so as to obtain a cleaning result, includes:
the programmable chip judges whether at least one cleaning policy identifier corresponding to the first data packet exists in the detection information;
if yes, the programmable chip executes first cleaning processing on the first data packet according to the at least one cleaning policy identifier, and/or the processor executes second cleaning processing on the first data packet according to the at least one cleaning policy identifier, so as to obtain the cleaning result;
if not, the programmable chip determines that the cleaning result is that the first data packet is not discarded.
In a possible implementation manner, the programmable chip judging whether at least one cleaning policy identifier corresponding to the first data packet exists in the detection information includes:
the programmable chip determines a first destination network address corresponding to the first data packet;
if a cleaning policy identifier corresponding to the first destination network address exists in the detection information, the programmable chip determines that at least one cleaning policy identifier corresponding to the first data packet exists in the detection information;
if no cleaning policy identifier corresponding to the first destination network address exists in the detection information, the programmable chip determines that no cleaning policy identifier corresponding to the first data packet exists in the detection information.
In a possible implementation manner, the cleaning policy corresponding to the at least one cleaning policy identifier includes a network layer cleaning policy; the programmable chip executing first cleaning processing on the first data packet according to the at least one cleaning policy identifier, and/or the processor executing second cleaning processing on the first data packet according to the at least one cleaning policy identifier, so as to obtain the cleaning result, includes:
the programmable chip determines at least one network layer cleaning policy corresponding to the at least one cleaning policy identifier;
and the programmable chip performs network layer cleaning processing on the first data packet according to the at least one network layer cleaning policy to obtain the cleaning result, wherein the first cleaning processing is the network layer cleaning processing.
In one possible implementation, the cleaning policy corresponding to the at least one cleaning policy identifier includes an application layer cleaning policy; the programmable chip executing first cleaning processing on the first data packet according to the at least one cleaning policy identifier, and/or the processor executing second cleaning processing on the first data packet according to the at least one cleaning policy identifier, so as to obtain the cleaning result, includes:
the processor determines at least one application layer cleaning policy corresponding to the at least one cleaning policy identifier;
and the processor performs application layer cleaning processing on the first data packet according to the at least one application layer cleaning policy to obtain the cleaning result, wherein the second cleaning processing is the application layer cleaning processing.
In a possible implementation manner, the cleaning policy corresponding to the at least one cleaning policy identifier includes a network layer cleaning policy and an application layer cleaning policy; the programmable chip executing first cleaning processing on the first data packet according to the at least one cleaning policy identifier, and/or the processor executing second cleaning processing on the first data packet according to the at least one cleaning policy identifier, so as to obtain the cleaning result, includes:
the programmable chip determines the network layer cleaning policy according to the at least one cleaning policy identifier;
the programmable chip performs network layer cleaning processing on the first data packet according to the network layer cleaning policy to obtain an intermediate cleaning result, wherein the first cleaning processing is the network layer cleaning processing;
if the intermediate cleaning result is that the first data packet is discarded, the programmable chip determines that the cleaning result is that the first data packet is discarded;
and if the intermediate cleaning result is that the first data packet is not discarded, the processor determines the application layer cleaning policy according to the at least one cleaning policy identifier, and performs application layer cleaning processing on the first data packet according to the application layer cleaning policy to obtain the cleaning result, wherein the second cleaning processing is the application layer cleaning processing.
In one possible implementation manner, before the programmable chip acquires the detection information, the method further includes:
the programmable chip determines a plurality of data packets acquired in the history period;
the programmable chip determines the destination network addresses and data packet types of the plurality of data packets;
the programmable chip determines statistical information corresponding to each of a plurality of destination network addresses according to the destination network addresses and the data packet types of the plurality of data packets, wherein the statistical information includes the number of data packets corresponding to each of a plurality of data packet types;
and the processor determines the detection information according to the statistical information corresponding to the plurality of destination network addresses.
In one possible implementation manner, the processor determining the detection information according to the statistical information corresponding to the plurality of destination network addresses includes:
for any one destination network address, the processor determines a cleaning policy identifier corresponding to the destination network address according to the statistical information corresponding to the destination network address;
the processor determines that the detection information includes the cleaning policy identifiers corresponding to the plurality of destination network addresses.
In a possible implementation manner, the processor determining, according to the statistical information corresponding to the destination network address, the cleaning policy identifier corresponding to the destination network address includes:
the processor determines a first throughput rate and a first bit rate corresponding to the destination network address according to the statistical information corresponding to the destination network address;
determining an address state of the destination network address according to the first throughput rate and the first bit rate, wherein the address state is a normal state or an abnormal state;
if the address state of the destination network address is the abnormal state, determining second throughput rates corresponding to the plurality of data packet types according to the statistical information corresponding to the destination network address, and determining the cleaning policy identifier corresponding to the destination network address according to the second throughput rates corresponding to the plurality of data packet types.
In a possible implementation manner, determining, according to the second throughput rates corresponding to the plurality of data packet types, the cleaning policy identifier corresponding to the destination network address includes:
determining at least one target data packet type among the plurality of data packet types according to the second throughput rates corresponding to the plurality of data packet types, wherein the ratio of the second throughput rate corresponding to a target data packet type to the first throughput rate is greater than or equal to a first threshold;
determining at least one attack type according to the at least one target data packet type;
and determining the cleaning policy identifier corresponding to the destination network address according to the cleaning policy corresponding to the at least one attack type.
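The statistics-to-policy step described above (statistical information per destination network address and data packet type, a first throughput rate and first bit rate deciding the normal or abnormal address state, and per-type second throughput rates selecting target data packet types, attack types and cleaning policy identifiers), worked through as an added Python example. This is not code from the patent or from Alibaba. The packet types, the packet-type-to-attack-type and attack-type-to-policy tables, the thresholds and the constructed traffic sample are all assumptions; the patent also does not say how the first throughput rate and first bit rate are compared to decide the address state, so the example uses fixed thresholds for that.

```python
from collections import defaultdict
from dataclasses import dataclass

# Illustrative tables (assumed, not from the patent): which attack type a
# dominant packet type indicates, and which cleaning policy identifiers the
# processor attaches to a destination address for that attack type.
ATTACK_TYPE_BY_PACKET_TYPE = {
    "TCP_SYN": "SYN_FLOOD",
    "UDP": "UDP_FLOOD",
    "ICMP": "ICMP_FLOOD",
    "HTTP_GET": "HTTP_FLOOD",
}
CLEANING_POLICY_IDS_BY_ATTACK_TYPE = {
    "SYN_FLOOD": [1, 2],   # e.g. 1 = source blocklist, 2 = per-source rate limit (network layer)
    "UDP_FLOOD": [3],
    "ICMP_FLOOD": [4],
    "HTTP_FLOOD": [5],     # e.g. 5 = HTTP request validation (application layer)
}


@dataclass
class TypeStats:
    packets: int = 0   # number of data packets of this type
    octets: int = 0    # bytes of this type (needed for the bit rate)


def collect_statistics(packets):
    """Programmable-chip side: the patent's 'statistical information'.
    `packets` is an iterable of (destination address, packet type, length in bytes)
    seen during one history period; result is dst -> packet type -> TypeStats."""
    stats = defaultdict(lambda: defaultdict(TypeStats))
    for dst, ptype, length in packets:
        entry = stats[dst][ptype]
        entry.packets += 1
        entry.octets += length
    return stats


def determine_detection_information(stats, history_period_s,
                                    pps_threshold, bps_threshold, ratio_threshold):
    """Processor side: derive the detection information (dst -> [cleaning policy ids]).

    First throughput rate = packets per second towards dst over the history period,
    first bit rate = bits per second towards dst. An address is abnormal when either
    reaches its threshold (assumed rule). For an abnormal address the second
    throughput rate of each packet type is compared with the first throughput rate;
    types at or above `ratio_threshold` are target types, mapped to attack types and
    then to cleaning policy identifiers. Normal addresses get no entry, so the chip
    later forwards their traffic without any cleaning."""
    detection_information = {}
    for dst, by_type in stats.items():
        total_packets = sum(s.packets for s in by_type.values())
        total_octets = sum(s.octets for s in by_type.values())
        first_throughput_rate = total_packets / history_period_s
        first_bit_rate = total_octets * 8 / history_period_s
        abnormal = (first_throughput_rate >= pps_threshold
                    or first_bit_rate >= bps_threshold)
        if not abnormal:
            continue
        policy_ids = []
        for ptype, s in by_type.items():
            second_throughput_rate = s.packets / history_period_s
            if second_throughput_rate / first_throughput_rate < ratio_threshold:
                continue
            attack_type = ATTACK_TYPE_BY_PACKET_TYPE.get(ptype)
            if attack_type is None:
                continue   # dominant but unclassified type: no policy known for it
            for pid in CLEANING_POLICY_IDS_BY_ATTACK_TYPE[attack_type]:
                if pid not in policy_ids:
                    policy_ids.append(pid)
        if policy_ids:
            detection_information[dst] = policy_ids
    return detection_information


def sample_packets():
    """Constructed traffic for one 1 s history period (RFC 5737 documentation
    addresses): a SYN flood with some HTTP and UDP towards one server, and a
    small amount of ordinary HTTP towards another."""
    flood_target, quiet_target = "198.51.100.10", "198.51.100.20"
    pkts = [(flood_target, "TCP_SYN", 60)] * 9000
    pkts += [(flood_target, "HTTP_GET", 500)] * 500
    pkts += [(flood_target, "UDP", 100)] * 500
    pkts += [(quiet_target, "HTTP_GET", 800)] * 100
    return pkts


if __name__ == "__main__":
    stats = collect_statistics(sample_packets())
    info = determine_detection_information(
        stats, history_period_s=1.0,
        pps_threshold=5_000, bps_threshold=50_000_000, ratio_threshold=0.5)
    print(info)   # {'198.51.100.10': [1, 2]}: only the SYN flood is dominant
```

Only the flooded destination receives an entry; the quiet one stays in the normal state, so the chip will forward its packets without consulting any cleaning policy. With the sample above, lowering `ratio_threshold` to 0.04 also makes HTTP_GET and UDP target types and adds policy identifiers 5 and 3 for the flooded address.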
In a second aspect, an embodiment of the present application provides a DDoS defense device, including: a memory, a processor, and a programmable chip;
the memory stores computer-executable instructions;
the processor and the programmable chip execute computer-executable instructions stored by the memory such that the processor and the programmable chip perform the data processing method of any of the first aspects.
In a third aspect, embodiments of the present application provide a computer-readable storage medium having stored therein computer-executable instructions for implementing the data processing method of any one of the first aspects when the computer-executable instructions are executed by a processor.
In a fourth aspect, embodiments of the present application provide a computer program product comprising a computer program which, when executed by a processor, implements the data processing method of any of the first aspects.
The embodiment of the application provides a data processing method and device, in which the DDoS defense device may include a programmable chip and a processor. The programmable chip may acquire the first data packet and may acquire the detection information. The programmable chip executes first cleaning processing on the first data packet according to the detection information, and the processor executes second cleaning processing on the first data packet according to the detection information, so that a cleaning result is obtained. If the cleaning result is that the first data packet is not discarded, the programmable chip may forward the first data packet. Because DDoS attack detection and DDoS attack cleaning can be integrated on one DDoS defense device, and because the first cleaning processing is performed on the data packet by the programmable chip while the second cleaning processing is performed by the processor, the cleaning efficiency for DDoS attacks is improved compared with cleaning the data packet by the processor alone; furthermore, the process in which the processor determines the detection information and the process in which the programmable chip and the processor clean the data packet can be executed in parallel, so that the link for cleaning the data packet is shortened and the processing efficiency for DDoS attacks is improved overall.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
fig. 1 is a schematic view of a scenario provided in an exemplary embodiment of the present application;
FIG. 2 is a schematic diagram of a related art provided in the present application;
FIG. 3 is a flow chart of a data processing method according to an exemplary embodiment of the present application;
FIG. 4 is a flow chart of another data processing method according to an exemplary embodiment of the present application;
fig. 5 is a schematic process diagram of determining at least one attack type corresponding to a destination network address according to an exemplary embodiment of the present application;
FIG. 6 is a schematic diagram of an architecture provided in an exemplary embodiment of the present application;
FIG. 7 is a process diagram of a data processing method according to an exemplary embodiment of the present application;
fig. 8 is a schematic structural diagram of a DDoS defending device according to an exemplary embodiment of the present application.
Detailed Description
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or fully authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards, and provide corresponding operation entries for the user to select authorization or rejection.
For the purposes, technical solutions and advantages of the present application, the technical solutions of the present application will be clearly and completely described below with reference to specific embodiments of the present application and corresponding drawings. It will be apparent that the described embodiments are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
Fig. 1 is a schematic view of a scenario provided in an exemplary embodiment of the present application. Referring to fig. 1, a network device, a DDoS defending device, and a plurality of servers are included. The plurality of servers may be server 1, servers 2, … …, and server n, respectively.
The network device and the DDoS defense device can communicate with each other, and the network device and any one of the servers can communicate with each other. For example, the network device may be an onlay switch.
The network device may receive a plurality of data packets. For any one data packet, the network device may determine the destination network address of the data packet in order to send the data packet to the destination server.
To defend against a DDoS attack, before sending a data packet to the destination server, the network device may send the data packet to the DDoS defense device. After the DDoS defense device receives the data packet, it can perform cleaning processing on the data packet and determine the cleaning result of the data packet. The cleaning result may be that the data packet is not discarded or that the data packet is discarded. The DDoS defense device sends the data packet back to the network device according to the cleaning result. For example, if the cleaning result of data packet 1 is that data packet 1 is not discarded, the DDoS defense device may send data packet 1 to the network device; if the cleaning result of data packet 2 is that data packet 2 is discarded, the DDoS defense device does not send data packet 2 to the network device.
After the network device receives the data packet back from the DDoS defense device, it may send the data packet to the destination server. For example, if the network device receives data packet 1 and the destination server corresponding to data packet 1 is server 1, the network device may send data packet 1 to server 1.
In the related art, a DDoS detection device and a cleaning device may be deployed in front of the server. The DDoS detection device can detect a DDoS attack through a detection algorithm, and the cleaning device can clean the DDoS attack through a cleaning policy. However, in the above manner, the DDoS detection device and the cleaning device are generally two independent devices, and the processing is generally performed by a processor whose processing resources are limited, resulting in low processing efficiency for DDoS attacks.
In the embodiment of the application, the DDoS defense device may include a programmable chip and a processor. The processor can determine the detection information, the programmable chip can execute first cleaning processing on the data packet according to the detection information, and the processor can execute second cleaning processing on the data packet according to the detection information, so that a cleaning result is obtained. Because the data packet can be cleaned by both the programmable chip and the processor, the cleaning efficiency for DDoS attacks is improved compared with cleaning the data packet by the processor alone; and because the process in which the processor determines the detection information and the process in which the programmable chip and the processor clean the data packet are executed in parallel, the link for cleaning the data packet is shortened and the processing efficiency for DDoS attacks is improved overall.
To facilitate understanding of the technical solution of the present application, the related art is first described with reference to fig. 2.
Fig. 2 is a schematic diagram of a related art provided in the present application. Referring to fig. 2, a programmable chip and a processor are included.
The programmable chip processes the traffic through a suspicious traffic algorithm to determine whether the traffic is suspicious. If so, suspicious traffic information may be sent to the processor.
After the processor receives the suspicious traffic information, it may issue an attack traffic model to the programmable chip and enter a monitoring mode.
The programmable chip receives the attack traffic model and can determine, through the attack traffic model, whether the suspicious traffic is attack traffic. When the suspicious traffic is attack traffic, notification information may be sent to the processor.
After the processor receives the notification information, the processor performs cleaning processing on the suspicious traffic that was found to be attack traffic.
It should be noted that the traffic shown in fig. 2 refers to data packets.
In the related art shown in fig. 2, the cleaning processing of data packets is performed in the processor, which results in a heavy load on the processor and low processing efficiency for DDoS attacks; in addition, the steps executed by the programmable chip and by the processor run in series throughout, so the link for cleaning a data packet is long, which further lowers the processing efficiency for DDoS attacks.
The technical scheme shown in the application is described in detail through specific embodiments. It should be noted that the following embodiments may exist alone or in combination with each other, and for the same or similar content, the description will not be repeated in different embodiments.
Fig. 3 is a flow chart of a data processing method according to an exemplary embodiment of the present application. Referring to fig. 3, the method may include:
s301, the programmable chip acquires a first data packet.
A programmable chip and a processor may be included in the DDoS defense device.
The programmable chip may be a chip including a data processing unit (DPU).
The processor may be a central processing unit (CPU).
After the network device receives the first data packet, the network device may send the first data packet to the DDoS defense device, so that a programmable chip in the DDoS defense device may acquire the first data packet.
For example, after the network device receives the first data packet 1, the first data packet 1 may be sent to the DDoS defense device, so that a programmable chip in the DDoS defense device may obtain the first data packet 1.
S302, the programmable chip acquires detection information.
The detection information may be determined by the processor from the data packets acquired by the programmable chip during a history period.
The history period refers to a period of time between a historical time and the current time. The history period may be preset by an operator. For example, if the history period is 1 second (s) and the current time is 2023/4/3 9:05:12, the historical time is 2023/4/3 9:05:11, and the history period is the 1 s between 2023/4/3 9:05:11 and 2023/4/3 9:05:12.
The programmable chip may acquire a plurality of data packets during the history period, and the processor may determine the detection information according to the plurality of data packets, so that the programmable chip acquires the detection information.
For example, if the history period is 1 s and the programmable chip acquires 40,000 data packets within that 1 s, the processor may determine the detection information according to the 40,000 data packets, so that the programmable chip acquires the detection information.
And S303, the programmable chip executes a first cleaning process on the first data packet according to the detection information, and the processor executes a second cleaning process on the first data packet according to the detection information, so that a cleaning result is obtained.
The cleaning result may include the first data packet not being discarded or the first data packet being discarded.
In an alternative embodiment, the cleaning result may be obtained as follows: the programmable chip judges whether at least one cleaning policy identifier corresponding to the first data packet exists in the detection information; if yes, the programmable chip executes first cleaning processing on the first data packet according to the at least one cleaning policy identifier, and/or the processor executes second cleaning processing on the first data packet according to the at least one cleaning policy identifier, so as to obtain the cleaning result; if not, the programmable chip determines that the cleaning result is that the first data packet is not discarded.
A cleaning policy identifier is used to indicate a cleaning policy. For example, cleaning policy identifier 1 may indicate cleaning policy 1.
A cleaning policy may include a cleaning algorithm or a blacklist/whitelist, etc., and cleaning processing is performed on the first data packet according to the cleaning policy.
Optionally, the programmable chip may determine whether at least one cleaning policy identifier corresponding to the first data packet exists in the detection information in the following manner: the programmable chip determines the first destination network address corresponding to the first data packet; if a cleaning policy identifier corresponding to the first destination network address exists in the detection information, the programmable chip determines that at least one cleaning policy identifier corresponding to the first data packet exists in the detection information; if no cleaning policy identifier corresponding to the first destination network address exists in the detection information, the programmable chip determines that no cleaning policy identifier corresponding to the first data packet exists in the detection information.
The first destination network address refers to a network address of a destination server corresponding to the first data packet. The first data packet may carry a first destination network address.
The detection information may include a plurality of cleaning policy identifiers corresponding to the plurality of destination network addresses, respectively. For example, the detection information may include a cleansing policy identifier 1 and a cleansing policy identifier 2 corresponding to the destination network address 1, a cleansing policy identifier 1 and cleansing policy identifiers 3 and … … corresponding to the destination network address 2, a cleansing policy identifier 1 and a cleansing policy identifier 2 corresponding to the destination network address 10, and the like. Wherein, cleaning policy identification 1 may be used to indicate cleaning policy 1, cleaning policy identification 2 may be used to indicate cleaning policy 2, and cleaning policy identification 3 may be used to indicate cleaning policy 3.
Because the network address corresponding to the first data packet is the first destination network address, the cleaning strategy identifier corresponding to the first destination network address is the cleaning strategy identifier corresponding to the first data packet, and the programmable chip determines whether at least one cleaning strategy identifier corresponding to the first data packet exists in the detection information.
For example, if the first destination network address of the first data packet is 198.169.1.1, if the cleaning policy identifier corresponding to the first destination network address 198.169.1.1 exists in the detection information, and if the cleaning policies corresponding to the destination network address 198.169.1.1 are respectively the cleaning policy identifier 1, the cleaning policy identifier 2, and the cleaning policy identifier 3, the programmable chip may determine that at least one cleaning policy identifier corresponding to the first data packet exists in the detection information, which is respectively the cleaning policy identifier 1, the cleaning policy identifier 2, and the cleaning policy identifier 3; if the cleaning policy identifier corresponding to the first destination network address 198.169.1.1 does not exist in the detection information, the programmable chip determines that at least one cleaning policy identifier corresponding to the first data packet does not exist in the detection information.
If no cleaning policy identifier corresponding to the first data packet exists in the detection information, the first cleaning process and/or the second cleaning process need not be executed on the first data packet, and the cleaning result of the first data packet may be determined as the first data packet not being discarded.
For example, if the first data packet is the data packet 1, and the programmable chip determines that no cleaning policy identifier corresponding to the data packet 1 exists in the detection information, it is not necessary to perform the first cleaning process and/or the second cleaning process on the data packet 1, and it may be determined that the cleaning result of the data packet 1 is that the data packet 1 is not discarded.
If at least one cleaning strategy identifier corresponding to the first data packet exists in the detection information, the programmable chip can execute first cleaning processing on the first data packet according to the at least one cleaning strategy identifier, and/or the processor executes second cleaning processing on the first data packet according to the at least one cleaning strategy identifier, so that a cleaning result is obtained.
For example, if the first data packet is the data packet 1, and if the programmable chip determines that at least one cleaning policy identifier corresponding to the data packet 1 exists in the detection information, and the cleaning policy identifiers are the cleaning policy identifier 1, the cleaning policy identifier 2 and the cleaning policy identifier 3, the programmable chip may execute the first cleaning process on the first data packet according to the 3 cleaning policy identifiers, and/or the processor performs the second cleaning process on the first data packet according to the 3 cleaning policy identifiers, so as to obtain a cleaning result.
Optionally, the programmable chip may determine whether a network layer cleaning policy identifier and/or an application layer cleaning policy identifier exist in the at least one cleaning policy identifier, so as to determine whether a network layer cleaning policy and/or an application layer cleaning policy is included in a cleaning policy corresponding to the at least one cleaning policy identifier.
For example, if the at least one cleaning policy identifier consists of a cleaning policy identifier 1, a cleaning policy identifier 2 and a cleaning policy identifier 4, where the cleaning policy identifier 1 and the cleaning policy identifier 2 are network layer cleaning policy identifiers and the cleaning policy identifier 4 is an application layer cleaning policy identifier, the programmable chip may determine that both a network layer cleaning policy identifier and an application layer cleaning policy identifier exist among the 3 cleaning policy identifiers, and thus that the cleaning policies corresponding to the 3 cleaning policy identifiers include network layer cleaning policies, namely the cleaning policies corresponding to the cleaning policy identifier 1 and the cleaning policy identifier 2 respectively, and an application layer cleaning policy, namely the cleaning policy corresponding to the cleaning policy identifier 4.
Optionally, the programmable chip may perform a first cleaning process on the first data packet according to the at least one cleaning policy identifier, and/or the processor may perform a second cleaning process on the first data packet according to the at least one cleaning policy identifier, to obtain a cleaning result, which may include 3 cases as follows:
case 1: the at least one cleaning policy identification corresponds to a cleaning policy including a network layer cleaning policy.
In this case, the programmable chip may determine at least one network layer cleaning policy corresponding to the at least one cleaning policy identifier, and may perform network layer cleaning processing on the first data packet according to the at least one network layer cleaning policy, to obtain a cleaning result. The network layer cleaning process may be a first cleaning process.
The network layer cleaning strategy refers to a cleaning strategy corresponding to network layer attack. For example, the network layer attack may include a SYN flooding attack or an ACK Flood attack, etc., and the cleaning policy corresponding to the SYN flooding attack or the ACK Flood attack may be referred to as a network layer cleaning policy.
For example, if the first data packet is the data packet 1, if at least one cleaning policy identifier corresponding to the data packet 1 is the cleaning policy identifier 1, the cleaning policy identifier 2 and the cleaning policy identifier 3, and if all the cleaning policies corresponding to the 3 cleaning policy identifiers are network layer cleaning policies, the programmable chip may determine the cleaning policy 1, the cleaning policy 2 and the cleaning policy 3 in a preset storage space through the 3 cleaning policy identifiers, and perform network layer cleaning processing, namely, first cleaning processing, on the data packet 1 according to the 3 cleaning policies, to obtain a cleaning result. The cleaning result may be that packet 1 is not discarded or packet 1 is discarded.
Case 2: the at least one cleaning policy identifies that the corresponding cleaning policy includes an application layer cleaning policy.
In this case, the processor may determine at least one application layer cleaning policy corresponding to the at least one cleaning policy identifier, and perform an application layer cleaning process on the first data packet according to the at least one application layer cleaning policy, to obtain a cleaning result. The application layer cleaning process may be a second cleaning process.
The application layer cleaning strategy refers to a cleaning strategy corresponding to application layer attack. For example, the application layer attack may be a hypertext transfer protocol (Hyper Text Transfer Protocol, HTTP) flood attack, and the cleaning policy corresponding to the HTTP flood attack may be referred to as an application layer cleaning policy. The application layer cleaning policy may be executed by the processor.
For example, if the first data packet is the data packet 2, the at least one cleaning policy identifier corresponding to the data packet 2 consists of the cleaning policy identifier 4 and the cleaning policy identifier 5, and the cleaning policies corresponding to these 2 cleaning policy identifiers are both application layer cleaning policies, the processor may determine the cleaning policy 4 and the cleaning policy 5 in the preset storage space through the 2 cleaning policy identifiers, and perform the application layer cleaning process, that is, the second cleaning process, on the data packet 2 according to the cleaning policy 4 and the cleaning policy 5, to obtain the cleaning result. The cleaning result may be that the data packet 2 is not discarded or that the data packet 2 is discarded.
Case 3: the at least one cleaning policy identifier corresponds to a cleaning policy including a network layer cleaning policy and an application layer cleaning policy.
In this case, the programmable chip may determine a network layer cleaning policy according to at least one cleaning policy identifier, and perform a network layer cleaning process on the first data packet to obtain an intermediate cleaning result; if the intermediate cleaning result is that the first data packet is discarded, the programmable chip determines that the cleaning result is that the first data packet is discarded; if the intermediate cleaning result is that the first data packet is not discarded, the processor may determine an application layer cleaning policy according to at least one cleaning policy identifier, and perform application layer cleaning processing on the first data packet according to the application layer cleaning policy, to obtain a cleaning result. The network layer cleaning process is a first cleaning process, and the application layer cleaning process is a second cleaning process.
For example, if the first data packet is the data packet 3, if at least one of the cleaning policy identifiers corresponding to the data packet 3 is the cleaning policy identifier 1, the cleaning policy identifier 2, and the cleaning policy identifier 4, where the cleaning policy 1 corresponding to the cleaning policy identifier 1, the cleaning policy 2 corresponding to the cleaning policy identifier 2 are network layer cleaning policies, and the cleaning policy corresponding to the cleaning policy identifier 4 is an application layer cleaning policy, the programmable chip may determine the cleaning policy 1 and the cleaning policy 2 in a preset storage space according to the cleaning policy identifier 1 and the cleaning policy identifier 2, and perform network layer cleaning processing, that is, first cleaning processing, on the data packet 3 according to the cleaning policy 1 and the cleaning policy 2, to obtain an intermediate cleaning result.
If the intermediate cleaning result is that the data packet 3 is discarded, the programmable chip can determine that the cleaning result is that the data packet 3 is discarded according to the intermediate cleaning result; if the intermediate cleaning result is that the data packet 3 is not discarded, the processor may determine the cleaning policy 4 in the preset storage space according to the cleaning policy identifier 4, and perform an application layer cleaning process, that is, a second cleaning process, on the data packet 3 according to the cleaning policy 4, to obtain a cleaning result. The cleaning result may be that packet 3 is discarded or packet 3 is not discarded.
Optionally, for any first data packet, the first data packet may have a corresponding cleaning result identifier, and the cleaning result identifier may be 0 or 1. For example, "0" may indicate that the cleaning result of the first data packet is that the first data packet is not discarded, and "1" may indicate that the cleaning result of the first data packet is that the first data packet is discarded.
And S304, if the cleaning result is that the first data packet is not discarded, the programmable chip forwards the first data packet.
When the cleaning result is that the first data packet is not discarded, that is, the cleaning result of the first data packet is marked as '0', it is indicated that the first data packet is a normal data packet, and the programmable chip can forward the first data packet. The programmable chip can send the first data packet to the network device, so that the network device can send the first data packet to a destination server corresponding to the first data packet.
For example, in the above case 1, if the programmable chip performs the network layer cleaning process on the data packet 1, and the obtained cleaning result is that the data packet 1 is not discarded, the programmable chip may perform the forwarding process on the data packet 1; in the above case 2, if the processor performs the application layer cleaning process on the data packet 2, and the cleaning result is that the data packet 2 is not discarded, the programmable chip may perform forwarding process on the data packet 2; in case 3, if the processor performs the application layer cleaning process on the data packet 3, and the cleaning result is that the data packet 3 is not discarded, the programmable chip may perform the forwarding process on the data packet 3.
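The dispatch between the first cleaning process on the programmable chip and the second cleaning process on the processor described in cases 1 to 3 above, together with the forwarding decision of S304, can be expressed as follows. This is an added example, not code from the patent or from the applicant; the policy bodies (a SYN cookie check, a bare-ACK check and an HTTP request-line check), the policy store, the `Packet` fields and the detection information values are all assumptions constructed for illustration.

```python
"""Added example: dispatching the first (network layer) and second
(application layer) cleaning processes between a programmable chip and a
processor. Policies, identifiers and packets are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

NOT_DISCARDED, DISCARDED = 0, 1  # cleaning result identifier ("0" / "1")


@dataclass
class Packet:
    dst: str                     # first destination network address
    pkt_type: str                # SYN / ACK / UDP / HTTP
    payload: bytes = b""
    syn_cookie_ok: bool = True   # assumed: result of a SYN cookie check done earlier


# A cleaning policy is a predicate that returns True when the packet is kept.
Policy = Callable[[Packet], bool]


def _net_policy_syn(p: Packet) -> bool:
    """Assumed SYN flood policy: drop SYN packets that failed the cookie check."""
    return not (p.pkt_type == "SYN" and not p.syn_cookie_ok)


def _net_policy_ack(p: Packet) -> bool:
    """Assumed ACK flood policy: drop bare ACK packets carrying no data."""
    return not (p.pkt_type == "ACK" and not p.payload)


def _app_policy_http(p: Packet) -> bool:
    """Assumed HTTP flood policy: drop HTTP packets without a well-formed request line."""
    if p.pkt_type != "HTTP":
        return True
    request_line = p.payload.split(b"\r\n", 1)[0]
    return request_line.endswith(b" HTTP/1.1") and len(request_line.split(b" ")) == 3


# Preset storage space: cleaning policy identifier -> (layer, cleaning policy).
POLICY_STORE: Dict[str, Tuple[str, Policy]] = {
    "001": ("network", _net_policy_syn),
    "002": ("network", _net_policy_ack),
    "006": ("application", _app_policy_http),
}


def programmable_chip_clean(pkt: Packet, policy_ids: List[str]) -> int:
    """First cleaning process: only the network layer cleaning policies."""
    for pid in policy_ids:
        layer, policy = POLICY_STORE[pid]
        if layer == "network" and not policy(pkt):
            return DISCARDED
    return NOT_DISCARDED


def processor_clean(pkt: Packet, policy_ids: List[str]) -> int:
    """Second cleaning process: only the application layer cleaning policies."""
    for pid in policy_ids:
        layer, policy = POLICY_STORE[pid]
        if layer == "application" and not policy(pkt):
            return DISCARDED
    return NOT_DISCARDED


def clean_packet(pkt: Packet, detection_info: Dict[str, List[str]]) -> int:
    """S303: look up the packet's destination in the detection information and
    run case 1, case 2 or case 3; returns the cleaning result identifier."""
    policy_ids = detection_info.get(pkt.dst)
    if not policy_ids:
        return NOT_DISCARDED          # no identifier: no cleaning needed
    layers = {POLICY_STORE[pid][0] for pid in policy_ids}
    result = NOT_DISCARDED
    if "network" in layers:           # case 1 and case 3: the chip goes first
        result = programmable_chip_clean(pkt, policy_ids)
    if result == NOT_DISCARDED and "application" in layers:  # case 2 / case 3
        result = processor_clean(pkt, policy_ids)
    return result


def chip_handle(pkt: Packet, detection_info: Dict[str, List[str]]) -> str:
    """S304: the programmable chip forwards only packets that are not discarded."""
    return "forwarded" if clean_packet(pkt, detection_info) == NOT_DISCARDED else "dropped"
```

The ordering in `clean_packet` is the point of case 3: the cheap network layer policies run on the chip first, and the processor is only consulted for packets that survived them, which is where the efficiency gain over processor-only cleaning comes from.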
In the embodiment of the application, the programmable chip may acquire the first data packet and may acquire the detection information. The programmable chip executes a first cleaning process on the first data packet according to the detection information, and the processor executes a second cleaning process on the first data packet according to the detection information, so that a cleaning result is obtained. If the cleaning result is that the first data packet is not discarded, the programmable chip forwards the first data packet. Because the programmable chip can perform the network layer cleaning process, namely the first cleaning process, on the data packet, and the processor can perform the application layer cleaning process, namely the second cleaning process, on the data packet, the efficiency of processing DDoS attacks is improved compared with a method in which the data packet is cleaned by the processor alone.
The above data processing method will be described in further detail with reference to fig. 4 based on the embodiment shown in fig. 3.
Fig. 4 is a flowchart of another data processing method according to an exemplary embodiment of the present application. Referring to fig. 4, the method may include:
S401, the programmable chip acquires a first data packet.
It should be noted that, the execution process of step S401 may refer to step S301, and will not be described herein.
S402, the programmable chip determines a plurality of data packets acquired in a history period.
For example, the history period may be the 1 s between 9:05:11 and 9:05:12 on 2023/4/3, and the programmable chip may determine the plurality of data packets acquired within this preset time period. Assume that the programmable chip acquired 40,000 data packets during this history period.
S403, the programmable chip determines destination network addresses and data packet types of the data packets.
The data packet types may include a synchronize sequence numbers (SYN) type, an acknowledge character (ACK) type, a user datagram protocol (UDP) type, an HTTP type, and the like.
Optionally, for any one data packet, the programmable chip may determine the destination network address and the data packet type of the data packet. For example, if the destination network address carried by the data packet 1 is 198.169.1.1 and the data packet 1 is a SYN data packet, the programmable chip may determine that the destination network address 1 of the data packet 1 is 198.169.1.1 and that the data packet type 1 is the SYN type. If there are 40,000 data packets, the programmable chip can determine the destination network address and the data packet type of each of the 40,000 data packets.
It should be noted that, each time a programmable chip obtains a data packet, the destination network address and the data packet type corresponding to the data packet can be determined.
S404, the programmable chip determines statistical information corresponding to the plurality of destination network addresses according to the destination network addresses of the plurality of data packets and the data packet types.
The statistical information may include the number of data packets corresponding to each of the plurality of data packet types. For example, if the history period is the 1 s between 9:05:11 and 9:05:12 on 2023/4/3, and the programmable chip acquires 40,000 data packets in the history period, statistics can be performed on the destination network addresses and the data packet types of the 40,000 data packets to obtain the statistical information.
Optionally, the destination network address may be used as the key, and the numbers of data packets corresponding to the multiple data packet types may be used as the value, and the corresponding statistics are performed to obtain the statistical information. The statistical information obtained is assumed to be as shown in table 1:
TABLE 1
As shown in table 1, 4 destination network addresses, namely 198.169.1.1, 198.167.1.2, 198.168.2.1 and 198.168.2.3, can be determined from the destination network addresses of the 40,000 data packets. The programmable chip can determine the statistical information corresponding to each of the 4 destination network addresses. For example, assuming that the destination network address 198.169.1.1 corresponds to 410,000 data packets, the statistical information corresponding to the destination network address 198.169.1.1 includes: 80,000 data packets of the SYN type, 110,000 data packets of the ACK type, 90,000 data packets of the UDP type, and 130,000 data packets of the HTTP type.
Optionally, after determining the statistical information corresponding to the plurality of destination network addresses, the programmable chip may store the statistical information corresponding to the plurality of destination network addresses in a preset storage space; the statistical information corresponding to the plurality of destination network addresses may also be sent to the processor in real time.
S405, the processor determines a first throughput rate and a first bit rate according to statistical information corresponding to a plurality of destination network addresses.
The first throughput rate, measured in packets per second (PPS), may be the number of data packets corresponding to the destination network address per unit time. The unit time may be one second.
Alternatively, the processor may determine a ratio of a total amount of data packets corresponding to the destination network address in the history period to the history period as the first throughput rate. For example, if the destination network address 198.169.1.1 corresponds to 6000 data packets within the history period 1s, the corresponding first throughput rate is 6000PPS.
The first bit rate, measured in bits per second (BPS), refers to the number of bits of the data packets corresponding to the destination network address in a unit time.
Alternatively, the processor may determine the ratio of the total number of data packet bits corresponding to the destination network address in the history period to the history period as the first bit rate. For example, if 6000 packets are corresponding to the destination network address 198.169.1.1 in the history period 1s, and the total number of bits corresponding to the 6000 packets is 2 gigabits (Gbit), the corresponding first bit rate is 2Gbps.
For any one destination network address, the processor may determine a first throughput rate and a first bit rate corresponding to the destination network address according to the statistical information corresponding to the destination network address. For example, if the statistical information corresponding to the destination network address 198.169.1.1 is as shown in table 1, it may be determined from the statistical information that the first throughput rate corresponding to the destination network address 198.169.1.1 is 6000 PPS and the corresponding first bit rate is 2 Gbps.
S406, the processor determines the address state of the destination network address according to the first throughput rate and the first bit rate.
In an alternative embodiment, the processor may determine the address state of the destination network address from the first throughput rate and the first bit rate by: the processor may determine an address state of the destination network address based on whether the first throughput rate is greater than a throughput rate threshold and whether the first bit rate is greater than a bit rate threshold.
The throughput rate threshold may be manually preset. For example, the throughput rate threshold may be 7000PPS.
The bit rate threshold may be manually preset. For example, the bit rate threshold may be 3Gbps.
Optionally, determining the address state of the destination network address according to the first throughput rate and the first bit rate may include the following 3 cases:
Case 1: the first throughput rate is less than the throughput rate threshold and the first bit rate is less than the bit rate threshold.
In this case, the processor may determine that the address state of the destination network address is a normal state, indicating that the destination network address is not under attack.
For example, if the destination network address 1 is 198.169.1.1, the corresponding first throughput rate is 6000PPS, the corresponding first bit rate is 2Gbps, and if the throughput rate threshold is 7000PPS and the bit rate threshold is 3Gbps, since the first throughput rate 6000PPS corresponding to the destination network address 1 is smaller than the throughput rate threshold 7000PPS and the first bit rate 2Gbps is smaller than the bit rate threshold 3Gbps, it can be determined that the address state of the destination network address 1 is a normal state, which means that the destination network address 1 is not attacked.
Case 2: the first throughput rate is greater than or equal to the throughput rate threshold and/or the first bit rate is greater than or equal to the bit rate threshold.
In this case, the processor may determine that the address state of the destination network address is an abnormal state, indicating that the destination network address is attacked.
For example, if the throughput rate threshold is 7000 PPS and the bit rate threshold is 3 Gbps, and if the destination network address 2 is 198.167.1.2 with a corresponding first throughput rate of 9000 PPS and a corresponding first bit rate of 2.8 Gbps, then although the first bit rate 2.8 Gbps is smaller than the bit rate threshold 3 Gbps, since the first throughput rate 9000 PPS corresponding to the destination network address 2 is larger than the throughput rate threshold 7000 PPS, it can be determined that the address state of the destination network address 2 is an abnormal state; if the destination network address 3 is 198.168.2.1 with a corresponding first throughput rate of 12000 PPS and a corresponding first bit rate of 3.5 Gbps, since the first throughput rate 12000 PPS corresponding to the destination network address 3 is greater than the throughput rate threshold 7000 PPS and the first bit rate 3.5 Gbps is greater than the bit rate threshold 3 Gbps, it can be determined that the address state of the destination network address 3 is an abnormal state, which indicates that the destination network address 3 is under attack.
And S407, if the address state of the destination network address is an abnormal state, the processor determines a second throughput rate corresponding to the plurality of data packet types according to the statistical information corresponding to the destination network address, and determines a cleaning strategy identifier corresponding to the destination network address according to the second throughput rate corresponding to the plurality of data packet types.
In an alternative embodiment, the cleaning policy identifier corresponding to the destination network address may be determined according to the second throughput rates corresponding to the multiple packet types in a possible manner as follows: determining at least one target data packet type in the plurality of data packet types according to the second throughput rate corresponding to the plurality of data packet types; determining at least one attack type according to the at least one target data packet type; and determining a cleaning strategy identifier corresponding to the destination network address according to the cleaning strategy corresponding to the at least one attack type.
The ratio of the second throughput rate corresponding to a target data packet type to the first throughput rate corresponding to the destination network address is greater than or equal to the first threshold corresponding to that data packet type.
The first threshold may be set manually. For example, the first threshold may be 20%. For any one data packet type, the data packet type has a corresponding first threshold. For example, the first threshold corresponding to SYN type may be 20% and the first threshold corresponding to ACK type may be 50%.
For example, if the first threshold is 20%, and the statistical information corresponding to the destination network address is as shown in table 1, where the destination network address 2 is 198.167.1.2 with a corresponding first throughput rate of 9000 PPS and a second throughput rate corresponding to the SYN type of 3142 PPS, then the ratio of the second throughput rate 3142 PPS to the first throughput rate 9000 PPS is 35%, which is greater than the first threshold of 20%, so it may be determined that the SYN type is a target data packet type.
For any one destination network address, the processor may determine a second throughput rate corresponding to a plurality of packet types according to statistical information corresponding to the destination network address, and sequentially determine at least one target packet type according to the second throughput rates corresponding to the plurality of packet types, thereby determining at least one attack type corresponding to the destination network address according to the at least one target packet type.
Next, description will be made with reference to fig. 5 for determining at least one attack type corresponding to the destination network address.
Fig. 5 is a schematic process diagram of determining at least one attack type corresponding to a destination network address according to an exemplary embodiment of the present application. Referring to fig. 5, if there are 4 data packet types, namely the SYN type, the ACK type, the UDP type and the HTTP type, then for any one destination network address the processor may determine the second throughput rates of the 4 data packet types corresponding to the destination network address, determine at least one target data packet type according to the second throughput rates corresponding to the 4 data packet types, and thereby determine at least one attack type according to the at least one target data packet type.
For example, if there are 4 destination network addresses whose statistical information is as shown in table 1, and the address states of the destination network addresses 198.167.1.2, 198.168.2.1 and 198.168.2.3 are abnormal states, the second throughput rates corresponding to the plurality of data packet types may be determined for these 3 destination network addresses, and it is assumed that the second throughput rates corresponding to the plurality of data packet types are as shown in table 2:
TABLE 2
For example, if the first threshold corresponding to the SYN type is 20%, the first threshold corresponding to the ACK type is 30%, the first threshold corresponding to the UDP type is 35%, and the first threshold corresponding to the HTTP type is 50%, then for the destination network address 198.167.1.2 the processor may determine that the ratio of the second throughput rate corresponding to the SYN type to the first throughput rate is 3142/9000 ≈ 35%, which is greater than the first threshold of 20% corresponding to the SYN type, so the SYN type may be determined to be a target data packet type, and it may further be determined that the destination network address is under SYN attack;
likewise, the ratio of the second throughput rate corresponding to the ACK type to the first throughput rate is 2900/9000 ≈ 32%, which is greater than the first threshold of 30% corresponding to the ACK type, so the ACK type may be determined to be a target data packet type, and it may further be determined that the destination network address is under ACK attack;
likewise, the ratio of the second throughput rate corresponding to the UDP type to the first throughput rate is 1526/9000 ≈ 17%, which is smaller than the first threshold of 35% corresponding to the UDP type, so the UDP type may be determined to be a non-target data packet type, and it may further be determined that the destination network address is not under UDP attack;
likewise, the ratio of the second throughput rate corresponding to the HTTP type to the first throughput rate is 1432/9000 ≈ 16%, which is smaller than the first threshold of 50% corresponding to the HTTP type, so the HTTP type may be determined to be a non-target data packet type, and it may further be determined that the destination network address is not under HTTP attack.
From the above, the processor may determine that the attack type corresponding to the destination network address 198.167.1.2 includes SYN attack and ACK attack; likewise, the processor may determine that the type of attack to which the destination network address 198.168.2.1 corresponds includes an HTTP attack; the processor may determine that the type of attack to which the destination network address 198.168.2.3 corresponds includes SYN attacks and HTTP attacks.
After determining at least one attack type corresponding to the destination network address, the processor may determine a cleaning policy identifier corresponding to the destination network address according to a cleaning policy corresponding to the at least one attack type.
Alternatively, there may be a plurality of cleaning policies corresponding to one attack type, and the plurality of cleaning policies may be a group, that is, one attack type may correspond to a group of cleaning policies, and at least one cleaning policy may be included in a group of cleaning policies.
The DDoS defending device can pre-store the corresponding relation between the attack type and the cleaning strategy group. The cleaning policy group may include a plurality of cleaning policies, and it is assumed that the correspondence between the attack type and the cleaning policy group may be as shown in table 3:
TABLE 3

| Attack type | Cleaning policy group | At least one cleaning policy included in the cleaning policy group |
| --- | --- | --- |
| SYN type | Cleaning policy group 1 | Cleaning policy 1, cleaning policy 2, cleaning policy 3 |
| ACK type | Cleaning policy group 2 | Cleaning policy 4, cleaning policy 5 |
| UDP type | Cleaning policy group 3 | Cleaning policy 1, cleaning policy 3, cleaning policy 4 |
| HTTP type | Cleaning policy group 4 | Cleaning policy 2, cleaning policy 6 |
| …… | …… | …… |
The processor may determine at least one cleaning policy corresponding to the attack type according to the attack type and a correspondence between the attack type and the cleaning policy group. For example, if the attack type is SYN attack, the processor may determine, in the correspondence between the attack type and the cleaning policy group, that the cleaning policy group corresponding to SYN attack is the cleaning policy group 1, and specifically includes the cleaning policy 1, the cleaning policy 2, and the cleaning policy 3.
For any one cleaning policy group, the cleaning policy group may have a corresponding cleaning policy group identifier, and the cleaning policy group identifier may include at least one cleaning policy identifier. Thus, from the cleaning policy group corresponding to the at least one attack type, the processor may determine the cleaning policy group identifier corresponding to the destination network address, and further determine the at least one cleaning policy identifier corresponding to the destination network address.
For example, if the attack types corresponding to the destination network address 198.168.2.3 include SYN attack and HTTP attack, the processor may determine that the SYN attack corresponds to the cleaning policy group 1; if the cleaning policy group identifier of the cleaning policy group 1 is A, the cleaning policy group 1 includes cleaning policy 1, cleaning policy 2 and cleaning policy 3, and the cleaning policy identifiers of these 3 cleaning policies are 001, 002 and 003 respectively, then the cleaning policy identifiers 001, 002 and 003 may be determined according to the cleaning policy group identifier A. The processor may likewise determine that the HTTP attack corresponds to the cleaning policy group 4; if the cleaning policy group identifier of the cleaning policy group 4 is D, the cleaning policy group 4 includes cleaning policy 2 and cleaning policy 6, and the cleaning policy identifiers of these 2 cleaning policies are 002 and 006 respectively, then the cleaning policy identifiers 002 and 006 may be determined according to the cleaning policy group identifier D. The processor may then determine that the cleaning policy identifiers corresponding to the destination network address 198.168.2.3 include 001, 002, 003 and 006.
And S408, the processor determines detection information according to the cleaning strategy identification corresponding to the destination network address.
After determining the cleaning policy identifier corresponding to each destination network address, the processor determines detection information, where the detection information may include cleaning policies corresponding to a plurality of destination network addresses.
For example, if the processor determines that the cleaning policy identifiers corresponding to the destination network address 198.167.1.2 include 001, 002, 003, 004 and 005, that the cleaning policy identifiers corresponding to the destination network address 198.168.2.1 include 002 and 006, and that the cleaning policy identifiers corresponding to the destination network address 198.168.2.3 include 001, 002, 003 and 006, the processor may determine the detection information, which may include the cleaning policy identifiers corresponding to each of the 3 destination network addresses.
Optionally, after the processor determines the detection information, the detection information may be stored in a preset storage space, or the detection information may be sent to the programmable chip.
S409, the programmable chip acquires detection information.
Optionally, if the processor stores the detection information in a preset storage space, the programmable chip may acquire the detection information in the preset storage space. If the processor can send the detection information to the programmable chip, the programmable chip can receive the detection information sent by the processor.
S410, the programmable chip executes a first cleaning process on the first data packet according to the detection information, and the processor executes a second cleaning process on the first data packet according to the detection information, so that a cleaning result is obtained.
It should be noted that, the execution process of step S410 may refer to step S303, and will not be described herein.
S411, if the cleaning result is that the first data packet is not discarded, the programmable chip forwards the first data packet.
It should be noted that, the execution process of step S411 may refer to step S304, and will not be described herein.
In the embodiment of the application, the programmable chip may acquire the first data packet and determine a plurality of data packets acquired in the history period. The programmable chip can determine destination network addresses and data packet types of the plurality of data packets, and can determine statistical information corresponding to the plurality of destination network addresses according to the destination network addresses and the data packet types of the plurality of data packets. The processor may determine a first throughput rate and a first bit rate according to statistical information corresponding to the plurality of destination network addresses, and may further determine an address state of the destination network address according to the first throughput rate and the first bit rate. If the address state of the destination network address is an abnormal state, the processor may determine a second throughput rate corresponding to the plurality of packet types according to the statistical information corresponding to the destination network address, and determine a cleaning policy identifier corresponding to the destination network address according to the second throughput rate corresponding to the plurality of packet types, and further determine the detection information according to the cleaning policy identifier corresponding to the destination network address. The programmable chip may obtain the detection information. The programmable chip can execute a first cleaning process on the first data packet according to the detection information, and the processor can execute a second cleaning process on the first data packet according to the detection information, so that a cleaning result is obtained. If the cleaning result is that the first data packet is not discarded, the programmable chip forwards the first data packet. 
Because DDoS attack detection and DDoS attack cleaning can be integrated on one DDoS defense device, the programmable chip can perform network layer cleaning, i.e. the first cleaning process, on the data packet, and the processor can perform application layer cleaning, i.e. the second cleaning process, on the data packet, the cleaning efficiency for DDoS attacks is improved compared with cleaning the data packet by the processor alone. Moreover, the process of determining the detection information by the processor and the process of cleaning the data packet by the programmable chip and the processor can be executed in parallel, so the path for cleaning the data packet is shortened and the processing efficiency for DDoS attacks is improved overall.
Next, an architecture according to the technical solution in the present application will be described with reference to fig. 6.
Fig. 6 is a schematic diagram of an architecture provided in an exemplary embodiment of the present application. Please refer to fig. 6, which includes a DDoS defense device and a network device. Both the DDoS defense device and the network device have ports for receiving or transmitting data packets.
The network device may send a plurality of data packets to the DDoS defense device through the port 0, and the DDoS defense device may receive the plurality of data packets through the port 0; the DDoS defending device can send a plurality of data packets to the network device through the port 1, and the network device can receive the plurality of data packets through the port 1.
A programmable chip and a processor may be included in the DDoS defense device. Information interaction can be performed between the programmable chip and the processor.
The programmable chip can carry out statistical processing on the data packet based on the destination network address, and determine statistical information corresponding to a plurality of network addresses; the network layer cleaning process, i.e., the first cleaning process, may be performed on the data packet, and the forwarding process may be performed on the data packet.
An attack detection module and an application layer cleaning module may be included in the processor. The attack detection module may be configured to determine detection information, and the application layer cleaning module may be configured to perform an application layer cleaning process, i.e., a second cleaning process, on the data packet.
After the DDoS defense device performs the cleaning process on the data packet, the data packet may be sent to the network device through the port 1 according to the cleaning result, so that the network device may receive the data packet through the port 1. After the network device receives the data packet, the network device may send the data packet to the destination network address according to the destination network address of the data packet.
The process of determining the detection information is the process of performing DDoS attack detection, and the process of cleaning the data packet is the process of performing DDoS attack cleaning, so DDoS attack detection and DDoS attack cleaning are integrated on one DDoS defending device, and compared with using two independent devices, both the detection efficiency and the cleaning efficiency for DDoS attacks are improved. When no DDoS attack is occurring, the programmable chip need only perform type statistics on the data packets; when a DDoS attack occurs, only the data packets of the destination network address under DDoS attack need the first cleaning process and/or the second cleaning process, destination network addresses that are not under DDoS attack are not affected, and the probability of mistakenly discarding a data packet is reduced.
In addition, since the programmable chip performs the network layer cleaning of the data packet, the problem that the processor is easily overwhelmed by an elephant flow is effectively solved; and because the cleaning capability of the programmable chip is higher than that of the processor, the cost of cleaning the data packet is reduced.
In the embodiment of the application, the DDoS defending device can include a processor and a programmable chip, and the processor can include an attack detection module and an application layer cleaning module. Because the detection information can be determined by the attack detection module in the processor, the programmable chip performs the first cleaning processing on the data packet and the application layer cleaning module in the processor performs the second cleaning processing on the data packet, and compared with the process of cleaning the data packet by the processor only, the processing efficiency of DDoS attack is improved.
Next, the above data processing method will be described in further detail by way of a specific example on the basis of any of the above embodiments with reference to fig. 7.
Fig. 7 is a process schematic diagram of a data processing method according to an exemplary embodiment of the present application. Referring to fig. 7, a programmable chip and a processor are included. An attack detection module and an application layer cleaning module may be included in the processor.
The programmable chip can be used to execute steps (1) to (7). In the processor, the attack detection module can be used to execute steps i to v, and the application layer cleaning module can be used to execute steps (8) and (9).
In step (1), the programmable chip may receive a plurality of data packets sent by the network device, where the plurality of data packets may include a first data packet.
In step (2), the programmable chip may determine, in real time, statistical information corresponding to the plurality of destination network addresses according to the plurality of data packets. Because any one data packet can carry a destination network address, the programmable chip can determine the destination network address and the data packet type of the data packet for any one data packet, and then the programmable chip can determine the destination network addresses and the data packet types of a plurality of data packets. Further, the programmable chip can determine statistical information corresponding to the plurality of destination network addresses based on the destination network addresses. The statistics may include the number of packets corresponding to the plurality of packet types. For example, the statistics may be as shown in table 1.
In step (3), the programmable chip may acquire the detection information, which is determined in advance by the attack detection module in the processor.
Next, the steps performed by the attack detection module are described.
Optionally, the DDoS defending device may store a to-be-detected list in advance. The to-be-detected list may include a plurality of destination network addresses to be detected. For example, the network addresses 198.169.1.1, 198.167.1.2, 198.168.2.1 and 198.168.2.3 may be included in the to-be-detected list.
In the processor, the attack detection module may detect, in sequence, the plurality of destination network addresses to be detected in the to-be-detected list. In step i, a destination network address to be detected may be determined in the to-be-detected list; assume that the destination network address is 198.168.2.3. In step ii, the statistical information corresponding to the destination network address may be obtained from the programmable chip; assume that the statistical information corresponding to the destination network address 198.168.2.3 is as shown in table 1. In step iii, a first throughput rate and a first bit rate corresponding to the destination network address 198.168.2.3 may be determined according to the statistical information corresponding to the destination network address.
In step iv, it may be determined whether the address state of the destination network address is normal according to the first throughput rate and the first bit rate corresponding to the destination network address. If the first throughput rate is smaller than the throughput rate threshold and the first bit rate is smaller than the bit rate threshold, the address state of the destination network address is determined to be a normal state, the detection information corresponding to the destination network address does not need to be determined, and the next destination network address to be detected can be determined in the to-be-detected list; if the first throughput rate is greater than or equal to the throughput rate threshold and/or the first bit rate is greater than or equal to the bit rate threshold, the address state of the destination network address is determined to be an abnormal state, and step v may then be performed.
In step v, for any destination network address, the processor may determine, according to the statistical information corresponding to the destination network address, the cleaning policy identifiers corresponding to the destination network address, and determine the detection information. The detection information may include cleaning policy identifiers corresponding to a plurality of destination network addresses.
Specifically, a plurality of data packet types corresponding to the destination network address can be determined, and a second throughput rate corresponding to each of the plurality of data packet types is determined; then, for any data packet type, it may be determined whether the ratio of the second throughput rate to the first throughput rate is greater than or equal to the corresponding first threshold. If the ratio is greater than or equal to the corresponding first threshold, it is determined that the attack type corresponding to the destination network address includes the data packet type; if the ratio is smaller than the first threshold, it is determined that the attack type corresponding to the destination network address does not include the data packet type. After the attack type corresponding to the destination network address is determined, the cleaning policy group identifier may be determined according to the correspondence between the attack type and the cleaning policy group, and at least one cleaning policy identifier may be determined according to the cleaning policy group identifier, so as to determine the detection information corresponding to the destination network address. The detection information may include at least one cleaning policy identifier corresponding to the destination network address. After step v is completed, step i may be performed again to determine the next destination network address to be detected in the to-be-detected list and detect it.
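The steps i to v above, together with the attack-type-to-policy-group lookup from the earlier example (SYN to group A, HTTP to group D), as an added Python simulation that is not part of the patent; the thresholds, the period length, the per-type statistics and the policy groups for UDP and ACK are constructed assumptions, and the case of an address that is abnormal although no single packet type reaches its first threshold is shown as well.

```python
"""Added example (not the patent's own code): simulation of steps i to v of the
attack detection module over constructed per-destination statistics."""
from dataclasses import dataclass

PERIOD_SECONDS = 1.0                 # assumed length of the history period
THROUGHPUT_THRESHOLD_PPS = 10_000    # assumed throughput rate threshold (packets/s)
BIT_RATE_THRESHOLD_BPS = 50_000_000  # assumed bit rate threshold (bits/s)
# Assumed "first threshold" per packet type on the ratio second/first throughput.
RATIO_THRESHOLD = {"SYN": 0.30, "HTTP": 0.30, "UDP": 0.40, "ACK": 0.60}

# Attack type -> cleaning policy group identifier. SYN -> A and HTTP -> D follow
# the patent's example; UDP -> B and ACK -> C are assumed.
GROUP_OF_ATTACK_TYPE = {"SYN": "A", "HTTP": "D", "UDP": "B", "ACK": "C"}
# Cleaning policy group identifier -> cleaning policy identifiers. A and D match
# the patent's groups 1 and 4; B and C are assumed.
POLICY_IDS_OF_GROUP = {
    "A": ("001", "002", "003"),
    "B": ("004", "005"),
    "C": ("002", "005"),
    "D": ("002", "006"),
}


@dataclass
class Stats:
    """Statistical information for one destination network address: per packet
    type, the number of packets and the number of bytes seen in the period."""
    packets: dict
    byte_counts: dict


def first_rates(stats, period_s=PERIOD_SECONDS):
    """Step iii: first throughput rate (packets/s) and first bit rate (bits/s)."""
    throughput = sum(stats.packets.values()) / period_s
    bit_rate = sum(stats.byte_counts.values()) * 8 / period_s
    return throughput, bit_rate


def address_state(throughput, bit_rate):
    """Step iv: normal only if both rates stay below their thresholds."""
    if throughput < THROUGHPUT_THRESHOLD_PPS and bit_rate < BIT_RATE_THRESHOLD_BPS:
        return "normal"
    return "abnormal"


def attack_types(stats, period_s=PERIOD_SECONDS):
    """Step v, part 1: a packet type is an attack type when the ratio of its
    second throughput rate to the first throughput rate reaches its threshold."""
    first_throughput, _ = first_rates(stats, period_s)
    found = []
    for packet_type, count in stats.packets.items():
        second_throughput = count / period_s
        if first_throughput > 0 and second_throughput / first_throughput >= RATIO_THRESHOLD[packet_type]:
            found.append(packet_type)
    return found


def cleaning_policy_identifiers(types):
    """Step v, part 2: union of the identifiers of every matching policy group
    (002 sits in both A and D but is listed once)."""
    identifiers = set()
    for attack_type in types:
        identifiers.update(POLICY_IDS_OF_GROUP[GROUP_OF_ATTACK_TYPE[attack_type]])
    return sorted(identifiers)


def determine_detection_information(to_be_detected, stats_by_address, period_s=PERIOD_SECONDS):
    """Steps i to v over the to-be-detected list; returns the detection
    information, i.e. cleaning policy identifiers per abnormal destination."""
    detection_info = {}
    for address in to_be_detected:                            # step i
        stats = stats_by_address.get(address)                 # step ii
        if stats is None:
            continue
        throughput, bit_rate = first_rates(stats, period_s)   # step iii
        if address_state(throughput, bit_rate) == "normal":   # step iv
            continue
        identifiers = cleaning_policy_identifiers(attack_types(stats, period_s))  # step v
        if identifiers:   # abnormal, but no type reached its threshold -> no entry
            detection_info[address] = identifiers
    return detection_info


# Constructed statistics for one period (not measured data).
TO_BE_DETECTED = ["198.169.1.1", "198.167.1.2", "198.168.2.1", "198.168.2.3"]
STATS = {
    "198.169.1.1": Stats({"HTTP": 500, "ACK": 300}, {"HTTP": 400_000, "ACK": 18_000}),
    "198.167.1.2": Stats({"SYN": 30_000, "UDP": 30_000, "ACK": 2_000},
                         {"SYN": 1_800_000, "UDP": 36_000_000, "ACK": 120_000}),
    "198.168.2.1": Stats({"HTTP": 20_000, "ACK": 5_000}, {"HTTP": 20_000_000, "ACK": 300_000}),
    "198.168.2.3": Stats({"SYN": 40_000, "HTTP": 30_000, "ACK": 10_000},
                         {"SYN": 2_400_000, "HTTP": 15_000_000, "ACK": 600_000}),
}

if __name__ == "__main__":
    for address, identifiers in determine_detection_information(TO_BE_DETECTED, STATS).items():
        print(address, identifiers)
```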
Because the statistical information is determined by the programmable chip according to the destination network addresses and the data packet types of the data packets, in the process of determining the detection information, the processor can directly determine the detection information according to the statistical information so as to realize DDoS attack detection on the destination network addresses.
After the processor determines the detection information, the detection information may be sent to the programmable chip in real time. After the programmable chip obtains the detection information in step (3), it can judge, in step (4), whether at least one cleaning policy identifier corresponding to the first data packet exists in the detection information. If yes, the programmable chip executes step (5): it determines at least one network layer cleaning policy according to the at least one cleaning policy identifier and performs network layer cleaning, i.e. the first cleaning process, on the first data packet to obtain a cleaning result. If not, the first data packet does not need to be cleaned, and the programmable chip can execute the forwarding step, i.e. forward the first data packet.
In step (6), the programmable chip may determine whether the cleaning result of the first data packet is that the first data packet is discarded. If not, step (7) may be performed to further determine whether the at least one cleaning policy identifier includes an application layer cleaning policy identifier. If not, the first data packet does not need application layer cleaning, and the forwarding step, i.e. forwarding the first data packet, can be executed; if yes, the programmable chip can send the first data packet and the application layer cleaning policy identifier to the processor, so that the application layer cleaning module in the processor can execute step (8): it determines the application layer cleaning policy according to the application layer cleaning policy identifier and performs application layer cleaning, i.e. the second cleaning process, on the first data packet to obtain a cleaning result.
In step (9), the application layer cleaning module may determine whether the cleaning result of the application layer cleaning process is that the first data packet is discarded. If not, the first data packet can be sent back to the programmable chip, so that the programmable chip can execute the forwarding step, i.e. forward the first data packet.
Because the application layer cleaning module in the processor performs the application layer cleaning of the data packet, the respective capabilities of the processor and the programmable chip are fully utilized.
It should be noted that the programmable chip forwarding the first data packet means sending the first data packet to the network device; cleaning the first data packet through steps (1) to (9) is the DDoS attack cleaning; and steps (1) to (9) and steps i to v can be executed in real time and in parallel.
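The split cleaning path of steps (3) to (9), as an added Python simulation that is not part of the patent; which identifiers are network layer or application layer policies, the policy semantics (undersized SYN, blocklisted source, oversized packet, malformed HTTP request) and the sample packets are constructed assumptions.

```python
"""Added example (not the patent's own code): simulation of the programmable
chip's steps (3) to (7) and the processor's steps (8) and (9) of fig. 7."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    packet_type: str   # "SYN", "ACK", "HTTP", ...
    length: int        # total length in bytes
    payload: str = ""


# Assumed split of cleaning policy identifiers between the two layers.
NETWORK_LAYER_IDS = {"001", "002", "003"}
APPLICATION_LAYER_IDS = {"006"}

# Constructed source blocklist used by hypothetical policy 002.
BLOCKED_SOURCES = {"203.0.113.7"}


# Hypothetical network layer cleaning policies; each returns True to discard.
def policy_001(pkt):
    """Discard SYN packets shorter than an assumed minimum length."""
    return pkt.packet_type == "SYN" and pkt.length < 44


def policy_002(pkt):
    """Discard packets from a blocklisted source address."""
    return pkt.src in BLOCKED_SOURCES


def policy_003(pkt):
    """Discard oversized packets (assumed 1500-byte limit)."""
    return pkt.length > 1500


NETWORK_POLICIES = {"001": policy_001, "002": policy_002, "003": policy_003}


# Hypothetical application layer cleaning policy executed by the processor.
def policy_006(pkt):
    """Discard HTTP packets whose payload is not a well-formed request line
    followed by a Host header; non-HTTP packets are left alone."""
    if pkt.packet_type != "HTTP":
        return False
    lines = pkt.payload.split("\r\n")
    request = lines[0].split(" ")
    well_formed = (len(request) == 3 and request[2].startswith("HTTP/1.")
                   and any(line.lower().startswith("host:") for line in lines[1:]))
    return not well_formed


APPLICATION_POLICIES = {"006": policy_006}


def processor_clean(pkt, app_ids):
    """Steps (8) and (9): the application layer cleaning module's verdict."""
    return any(APPLICATION_POLICIES[i](pkt) for i in app_ids)


def chip_handle(pkt, detection_info):
    """Steps (3) to (7) on the programmable chip. Returns the cleaning result
    and which component decided it, so the chip/processor split is visible."""
    ids = detection_info.get(pkt.dst, [])                      # steps (3), (4)
    if not ids:
        return ("forwarded", "chip")                           # nothing to clean
    for i in [i for i in ids if i in NETWORK_LAYER_IDS]:       # step (5)
        if NETWORK_POLICIES[i](pkt):
            return ("discarded", "chip")                       # step (6)
    app_ids = [i for i in ids if i in APPLICATION_LAYER_IDS]   # step (7)
    if not app_ids:
        return ("forwarded", "chip")
    if processor_clean(pkt, app_ids):                          # steps (8), (9)
        return ("discarded", "processor")
    return ("forwarded", "processor")                          # back to the chip


# Detection information as in the patent's example.
DETECTION_INFO = {"198.168.2.3": ["001", "002", "003", "006"],
                  "198.168.2.1": ["002", "006"]}

GOOD_REQUEST = "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
# Constructed packets, one per branch of the path.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "198.169.1.1", "HTTP", 300, "junk"),          # address not under attack
    Packet("192.0.2.11", "198.168.2.3", "SYN", 40),                    # undersized SYN
    Packet("203.0.113.7", "198.168.2.3", "HTTP", 300, GOOD_REQUEST),   # blocklisted source
    Packet("192.0.2.12", "198.168.2.3", "HTTP", 300, GOOD_REQUEST),    # legitimate request
    Packet("192.0.2.13", "198.168.2.1", "HTTP", 300, "\x00\x01garbage"),  # malformed request
    Packet("192.0.2.14", "198.168.2.1", "ACK", 60),                    # non-HTTP via app layer
]


def run(packets=SAMPLE_PACKETS, detection_info=DETECTION_INFO):
    return [chip_handle(p, detection_info) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run()):
        print(pkt.dst, pkt.packet_type, verdict)
```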
In the embodiment of the application, the programmable chip may receive a plurality of data packets, and may determine statistical information corresponding to a plurality of destination network addresses according to the plurality of data packets. An attack detection module in the processor determines a target network address to be detected in a to-be-detected list, and can determine a first throughput rate and a first bit rate according to statistical information corresponding to the target network address, so that whether the address state of the target network address is normal or not can be determined according to the first throughput rate and the first bit rate. If the address state of the destination network address is an abnormal state, the attack detection module can determine the cleaning strategy identification corresponding to the destination network address, and further determine the detection information. The programmable chip may obtain the detection information. The programmable chip determines whether at least one cleaning strategy identifier corresponding to the first data packet exists in the detection information. If yes, at least one network layer cleaning strategy can be determined according to at least one cleaning strategy identification, and network layer cleaning processing is carried out on the first data packet, so that a cleaning result is obtained. If the cleaning result is that the first data packet is not discarded, whether an application layer cleaning strategy identifier exists in at least one cleaning strategy identifier can be further determined, if so, the application layer cleaning strategy is determined through an application layer cleaning module in the processor, and application layer cleaning processing is performed on the first data packet, so that a cleaning result is obtained. If the cleaning result is that the first data packet is not discarded, forwarding the first data packet through the programmable chip. 
Because DDoS attack detection and DDoS attack cleaning can be integrated on one DDoS defense device, the programmable chip can perform network layer cleaning on the data packet and the processor can perform application layer cleaning on the data packet, the cleaning efficiency for DDoS attacks is improved compared with cleaning the data packet by the processor alone; and the process of determining the detection information by the processor and the process of cleaning the data packet by the programmable chip and the processor can be executed in parallel, so the path for cleaning the data packet is shortened and the processing efficiency for DDoS attacks is improved overall.
An exemplary embodiment of the present application provides a schematic structural diagram of a DDoS defense device, referring to fig. 8, the DDoS defense device 10 may include a processor 11, a memory 12, and a programmable chip 13. The processor 11, the memory 12, and the programmable chip 13 are illustratively interconnected by a bus 14.
The memory 12 stores computer-executable instructions;
the processor 11 and the programmable chip 13 execute computer-executable instructions stored in the memory 12, so that the processor 11 and the programmable chip 13 execute the data processing method as shown in the above-described method embodiments.
Accordingly, embodiments of the present application provide a computer readable storage medium having stored therein computer executable instructions for implementing the data processing method according to any of the method embodiments described above when the computer executable instructions are executed by a processor.
Accordingly, embodiments of the present application may also provide a computer program product, including a computer program, which, when executed by a processor, may implement a data processing method as shown in any of the above-mentioned method embodiments.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
Computer readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, Phase Change Memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.

Claims (13)

1. A data processing method, applied to a distributed denial of service (DDoS) defending device, wherein the DDoS defending device comprises a programmable chip and a processor, and the method comprises:
the programmable chip acquires a first data packet;
the programmable chip acquires detection information, wherein the detection information is determined by the processor according to data packets acquired by the programmable chip in a history period;
the programmable chip executes a first cleaning process on the first data packet according to the detection information, and the processor executes a second cleaning process on the first data packet according to the detection information to obtain a cleaning result, wherein the cleaning result is that the first data packet is discarded or the first data packet is not discarded;
and if the cleaning result is that the first data packet is not discarded, the programmable chip forwards the first data packet.
2. The method of claim 1, wherein the programmable chip performing a first cleaning process on the first data packet according to the detection information, and the processor performing a second cleaning process on the first data packet according to the detection information, resulting in a cleaning result, comprises:
the programmable chip judges whether at least one cleaning strategy identifier corresponding to the first data packet exists in the detection information;
if yes, the programmable chip executes first cleaning processing on the first data packet according to the at least one cleaning strategy identifier, and/or the processor executes second cleaning processing on the first data packet according to the at least one cleaning strategy identifier, so as to obtain the cleaning result;
if not, the programmable chip determines that the cleaning result is that the first data packet is not discarded.
3. The method of claim 2, wherein the programmable chip determining whether at least one cleaning policy identifier corresponding to the first data packet exists in the detection information includes:
the programmable chip determines a first destination network address corresponding to the first data packet;
if the cleaning strategy identifier corresponding to the first destination network address exists in the detection information, the programmable chip determines that at least one cleaning strategy identifier corresponding to the first data packet exists in the detection information;
if the cleaning strategy identifier corresponding to the first destination network address does not exist in the detection information, the programmable chip determines that at least one cleaning strategy identifier corresponding to the first data packet does not exist in the detection information.
4. A method according to claim 2 or 3, wherein the at least one cleaning policy identification corresponds to a cleaning policy comprising a network layer cleaning policy; the programmable chip executes a first cleaning process on the first data packet according to the at least one cleaning strategy identifier, and/or the processor executes a second cleaning process on the first data packet according to the at least one cleaning strategy identifier, so as to obtain the cleaning result, which comprises the following steps:
the programmable chip determines at least one network layer cleaning strategy corresponding to the at least one cleaning strategy identifier;
and the programmable chip performs network layer cleaning processing on the first data packet according to the at least one network layer cleaning strategy to obtain the cleaning result, wherein the first cleaning processing is the network layer cleaning processing.
5. A method according to claim 2 or 3, wherein the at least one cleaning policy identification corresponds to a cleaning policy comprising an application layer cleaning policy; the programmable chip executes a first cleaning process on the first data packet according to the at least one cleaning strategy identifier, and/or the processor executes a second cleaning process on the first data packet according to the at least one cleaning strategy identifier, so as to obtain the cleaning result, which comprises the following steps:
the processor determines at least one application layer cleaning policy corresponding to the at least one cleaning policy identifier;
and the processor performs application layer cleaning processing on the first data packet according to the at least one application layer cleaning strategy to obtain the cleaning result, and the second cleaning processing is the application layer cleaning processing.
6. The method according to claim 2 or 3, wherein the cleaning policy corresponding to the at least one cleaning policy identifier comprises a network layer cleaning policy and an application layer cleaning policy; and the programmable chip performing a first cleaning process on the first data packet according to the at least one cleaning policy identifier, and/or the processor performing a second cleaning process on the first data packet according to the at least one cleaning policy identifier, so as to obtain the cleaning result, comprises:
the programmable chip determines a network layer cleaning policy according to the at least one cleaning policy identifier;
the programmable chip performs network layer cleaning processing on the first data packet according to the network layer cleaning policy to obtain an intermediate cleaning result, wherein the first cleaning process is the network layer cleaning processing;
if the intermediate cleaning result is that the first data packet is discarded, the programmable chip determines that the cleaning result is that the first data packet is discarded;
and if the intermediate cleaning result is that the first data packet is not discarded, the processor determines an application layer cleaning policy according to the at least one cleaning policy identifier and performs application layer cleaning processing on the first data packet according to the application layer cleaning policy to obtain the cleaning result, wherein the second cleaning process is the application layer cleaning processing.
7. The method of any one of claims 1-6, wherein, before the programmable chip obtains the detection information, the method further comprises:
the programmable chip determines a plurality of data packets acquired in a history period;
the programmable chip determines the destination network addresses and the data packet types of the plurality of data packets;
the programmable chip determines, according to the destination network addresses and the data packet types of the plurality of data packets, statistical information corresponding to each of the plurality of destination network addresses, wherein the statistical information comprises the number of data packets corresponding to each of a plurality of data packet types;
and the processor determines the detection information according to the statistical information corresponding to the plurality of destination network addresses.
8. The method of claim 7, wherein the processor determining the detection information according to the statistical information corresponding to the plurality of destination network addresses comprises:
for any one destination network address, the processor determines a cleaning policy identifier corresponding to the destination network address according to the statistical information corresponding to the destination network address;
and the processor determines that the detection information comprises the cleaning policy identifiers corresponding to the plurality of destination network addresses.
9. The method of claim 8, wherein the processor determining the cleaning policy identifier corresponding to the destination network address according to the statistical information corresponding to the destination network address comprises:
the processor determines a first throughput rate and a first bit rate corresponding to the destination network address according to the statistical information corresponding to the destination network address;
determining an address state of the destination network address according to the first throughput rate and the first bit rate, wherein the address state is a normal state or an abnormal state;
and if the address state of the destination network address is the abnormal state, determining second throughput rates corresponding to the plurality of data packet types according to the statistical information corresponding to the destination network address, and determining the cleaning policy identifier corresponding to the destination network address according to the second throughput rates corresponding to the plurality of data packet types.
10. The method of claim 9, wherein determining the cleaning policy identifier corresponding to the destination network address according to the second throughput rates corresponding to the plurality of data packet types comprises:
determining at least one target data packet type among the plurality of data packet types according to the second throughput rates corresponding to the plurality of data packet types, wherein the ratio of the second throughput rate corresponding to a target data packet type to the first throughput rate is greater than or equal to a first threshold;
determining at least one attack type according to the at least one target data packet type;
and determining the cleaning policy identifier corresponding to the destination network address according to the cleaning policy corresponding to the at least one attack type.
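The following is an added example, not code from the patent or its applicant, that models the detection pipeline of claims 7-10 together with the two-stage cleaning of claims 3 and 6 in Python. The thresholds, the packet-type-to-attack-type mapping, the policy identifiers and the sample traffic are all constructed for illustration; the real chip/processor split and policy contents are not specified on the page.

```python
from collections import Counter, defaultdict
# Constructed sample of one history period as seen by the programmable chip:
# (destination address, packet type, length in bytes). All values are made up.
SAMPLE_PACKETS = ([("10.0.0.1", "SYN", 60)] * 800 + [("10.0.0.1", "HTTP", 500)] * 50
                  + [("10.0.0.2", "HTTP", 500)] * 40 + [("10.0.0.3", "HTTP", 500)] * 700)
PERIOD_SECONDS = 1.0
PPS_THRESHOLD, BPS_THRESHOLD = 500, 1_000_000   # hypothetical normal/abnormal cut-offs
RATIO_THRESHOLD = 0.6                            # the claims' "first threshold"
ATTACK_BY_TYPE = {"SYN": "syn_flood", "UDP": "udp_flood", "HTTP": "http_flood"}  # hypothetical
POLICY_BY_ATTACK = {"syn_flood": "L3_SYN_LIMIT", "udp_flood": "L3_UDP_LIMIT",
                    "http_flood": "L7_HTTP_CHALLENGE"}                           # hypothetical

def chip_statistics(packets):
    """Claim 7: the chip counts packets per destination and per packet type (plus bytes)."""
    stats = defaultdict(lambda: {"by_type": Counter(), "bytes": 0})
    for dst, ptype, length in packets:
        stats[dst]["by_type"][ptype] += 1
        stats[dst]["bytes"] += length
    return stats

def processor_detection(stats):
    """Claims 8-10: the processor turns the statistics into cleaning policy identifiers."""
    detection = {}
    for dst, s in stats.items():
        pps = sum(s["by_type"].values()) / PERIOD_SECONDS   # first throughput rate
        bps = s["bytes"] * 8 / PERIOD_SECONDS               # first bit rate
        if pps < PPS_THRESHOLD and bps < BPS_THRESHOLD:
            continue                                        # normal state: no identifier
        targets = [t for t, n in s["by_type"].items()       # second throughput rate per type
                   if (n / PERIOD_SECONDS) / pps >= RATIO_THRESHOLD]
        attacks = {ATTACK_BY_TYPE[t] for t in targets if t in ATTACK_BY_TYPE}
        detection[dst] = sorted(POLICY_BY_ATTACK[a] for a in attacks)
    return detection

def chip_network_layer_clean(l3_ids, ptype):
    """Hypothetical network-layer policy: drop packets of the flooding type."""
    flood_type = {"L3_SYN_LIMIT": "SYN", "L3_UDP_LIMIT": "UDP"}
    return "drop" if any(flood_type.get(i) == ptype for i in l3_ids) else "forward"

def processor_application_layer_clean(l7_ids, ptype):
    """Hypothetical application-layer policy: challenge HTTP requests rather than drop them."""
    return "challenge" if "L7_HTTP_CHALLENGE" in l7_ids and ptype == "HTTP" else "forward"

def clean_packet(detection, dst, ptype):
    """Claims 3 and 6: no identifier -> forward; chip cleans first, processor only sees survivors."""
    ids = detection.get(dst, [])
    l3, l7 = [i for i in ids if i.startswith("L3_")], [i for i in ids if i.startswith("L7_")]
    if l3 and chip_network_layer_clean(l3, ptype) == "drop":
        return "drop"
    return processor_application_layer_clean(l7, ptype) if l7 else "forward"
```

With the constructed sample, 10.0.0.1 is flagged as a SYN flood and handled entirely on the chip, 10.0.0.3 as an HTTP flood that the chip passes through to the processor, and 10.0.0.2 stays in the normal state with no identifier.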
11. A DDoS defense device, comprising: a memory, a processor, and a programmable chip;
the memory stores computer-executable instructions;
the processor and the programmable chip execute computer-executable instructions stored in the memory to cause the processor to perform the method of any one of claims 1-10.
12. A computer readable storage medium having stored therein computer executable instructions which, when executed by a processor, implement the method of any of claims 1-10.
13. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1-10.
CN202310459638.0A 2023-04-24 2023-04-24 Data processing method and device Pending CN116455653A (en)


Publications (1)

Publication Number Publication Date
CN116455653A true CN116455653A (en) 2023-07-18


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination